diff --git a/policy-F13.patch b/policy-F13.patch
index ba9488d..a51a2d8 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -631,6 +631,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
 +optional_policy(`
 +	rpm_read_db(prelink_cron_system_t)
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.te serefpolicy-3.7.8/policy/modules/admin/quota.te
+--- nsaserefpolicy/policy/modules/admin/quota.te	2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.8/policy/modules/admin/quota.te	2010-02-11 15:13:50.000000000 -0500
+@@ -39,6 +39,7 @@
+ kernel_list_proc(quota_t)
+ kernel_read_proc_symlinks(quota_t)
+ kernel_read_kernel_sysctls(quota_t)
++kernel_setsched(quota_t)
+ 
+ dev_read_sysfs(quota_t)
+ dev_getattr_all_blk_files(quota_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.7.8/policy/modules/admin/readahead.te
 --- nsaserefpolicy/policy/modules/admin/readahead.te	2009-11-17 10:54:26.000000000 -0500
 +++ serefpolicy-3.7.8/policy/modules/admin/readahead.te	2010-02-08 15:48:06.000000000 -0500
@@ -3545,7 +3556,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.7.8/policy/modules/apps/mozilla.te
 --- nsaserefpolicy/policy/modules/apps/mozilla.te	2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/mozilla.te	2010-02-09 10:11:18.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/mozilla.te	2010-02-11 08:44:05.000000000 -0500
 @@ -91,6 +91,7 @@
  corenet_raw_sendrecv_generic_node(mozilla_t)
  corenet_tcp_sendrecv_http_port(mozilla_t)
@@ -3982,7 +3993,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.8/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/nsplugin.te	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/apps/nsplugin.te	2010-02-11 08:51:41.000000000 -0500
 @@ -0,0 +1,296 @@
 +
 +policy_module(nsplugin, 1.0.0)
@@ -5059,8 +5070,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +# No types are sandbox_exec_t
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.8/policy/modules/apps/sandbox.if
 --- nsaserefpolicy/policy/modules/apps/sandbox.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/sandbox.if	2010-02-05 16:08:07.000000000 -0500
-@@ -0,0 +1,225 @@
++++ serefpolicy-3.7.8/policy/modules/apps/sandbox.if	2010-02-11 15:07:54.000000000 -0500
+@@ -0,0 +1,230 @@
 +
 +## <summary>policy for sandbox</summary>
 +
@@ -5186,6 +5197,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +	manage_fifo_files_pattern($1_t, $1_file_t, $1_file_t)
 +	manage_sock_files_pattern($1_t, $1_file_t, $1_file_t)
 +
++	type $1_devpts_t;
++	term_pty($1_devpts_t)
++	term_create_pty($1_t, $1_devpts_t)
++	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };
++
 +	# window manager
 +	miscfiles_setattr_fonts_cache_dirs($1_t)
 +	allow $1_t self:capability setuid;
@@ -5288,8 +5304,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.8/policy/modules/apps/sandbox.te
 --- nsaserefpolicy/policy/modules/apps/sandbox.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/sandbox.te	2010-02-02 10:31:03.000000000 -0500
-@@ -0,0 +1,349 @@
++++ serefpolicy-3.7.8/policy/modules/apps/sandbox.te	2010-02-11 12:13:25.000000000 -0500
+@@ -0,0 +1,364 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
@@ -5392,9 +5408,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +
 +## internal communication is often done using fifo and unix sockets.
 +allow sandbox_domain self:fifo_file manage_file_perms;
++allow sandbox_domain self:sem create_sem_perms;
++allow sandbox_domain self:shm create_shm_perms;
++allow sandbox_domain self:msgq create_msgq_perms;
 +allow sandbox_domain self:unix_stream_socket create_stream_socket_perms;
 +allow sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
 +
++dev_rw_all_inherited_chr_files(sandbox_domain)
++dev_rw_all_inherited_blk_files(sandbox_domain)
++
 +gen_require(`
 +	type usr_t, lib_t, locale_t;
 +	attribute exec_type;
@@ -5414,8 +5436,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +#
 +# sandbox_x_domain local policy
 +#
-+## internal communication is often done using fifo and unix sockets.
 +allow sandbox_x_domain self:fifo_file manage_file_perms;
++allow sandbox_x_domain self:sem create_sem_perms;
++allow sandbox_x_domain self:shm create_shm_perms;
++allow sandbox_x_domain self:msgq create_msgq_perms;
++allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms;
++allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms };
++
 +allow sandbox_x_domain self:unix_stream_socket create_stream_socket_perms;
 +
 +allow sandbox_x_domain self:process { signal_perms getsched setpgid execstack execmem };
@@ -5554,10 +5581,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +corenet_tcp_sendrecv_ipp_port(sandbox_web_client_t)
 +corenet_tcp_connect_http_port(sandbox_web_client_t)
 +corenet_tcp_connect_http_cache_port(sandbox_web_client_t)
++corenet_tcp_connect_flash_port(sandbox_web_client_t)
 +corenet_tcp_connect_ftp_port(sandbox_web_client_t)
 +corenet_tcp_connect_ipp_port(sandbox_web_client_t)
++corenet_tcp_connect_streaming_port(sandbox_web_client_t)
++corenet_tcp_connect_pulseaudio_port(sandbox_web_client_t)
++corenet_tcp_connect_speech_port(sandbox_web_client_t)
 +corenet_tcp_connect_generic_port(sandbox_web_client_t)
 +corenet_tcp_connect_soundd_port(sandbox_web_client_t)
++corenet_tcp_connect_speech_port(sandbox_web_client_t)
 +corenet_sendrecv_http_client_packets(sandbox_web_client_t)
 +corenet_sendrecv_http_cache_client_packets(sandbox_web_client_t)
 +corenet_sendrecv_ftp_client_packets(sandbox_web_client_t)
@@ -5566,7 +5598,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +# Should not need other ports
 +corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_client_t)
 +corenet_dontaudit_tcp_bind_generic_port(sandbox_web_client_t)
-+corenet_tcp_connect_speech_port(sandbox_web_client_t)
 +
 +auth_use_nsswitch(sandbox_web_client_t)
 +
@@ -5791,30 +5822,167 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.7.8/policy/modules/apps/seunshare.if
 --- nsaserefpolicy/policy/modules/apps/seunshare.if	2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/seunshare.if	2010-02-02 10:31:03.000000000 -0500
-@@ -44,6 +44,8 @@
++++ serefpolicy-3.7.8/policy/modules/apps/seunshare.if	2010-02-11 16:52:18.000000000 -0500
+@@ -2,59 +2,14 @@
+ 
+ ########################################
+ ## <summary>
+-##	Execute a domain transition to run seunshare.
++##	The role template for the seunshare module.
+ ## </summary>
+-## <param name="domain">
+-## <summary>
+-##	Domain allowed to transition.
+-## </summary>
+-## </param>
+-#
+-interface(`seunshare_domtrans',`
+-	gen_require(`
+-		type seunshare_t, seunshare_exec_t;
+-	')
+-
+-	domtrans_pattern($1, seunshare_exec_t, seunshare_t)
+-')
+-
+-########################################
+-## <summary>
+-##	Execute seunshare in the seunshare domain, and
+-##	allow the specified role the seunshare domain.
+-## </summary>
+-## <param name="domain">
+-##	<summary>
+-##	Domain allowed access.
+-##	</summary>
+-## </param>
+-## <param name="role">
++## <param name="role_prefix">
+ ##	<summary>
+-##	Role allowed access.
++##	The prefix of the user role (e.g., user
++##	is the prefix for user_r).
+ ##	</summary>
+ ## </param>
+-#
+-interface(`seunshare_run',`
+-	gen_require(`
+-		type seunshare_t;
+-	')
+-
+-	seunshare_domtrans($1)
+-	role $2 types seunshare_t;
+-
+-	allow $1 seunshare_t:process signal_perms;
+-
+-	ifdef(`hide_broken_symptoms', `
+-		dontaudit seunshare_t $1:tcp_socket rw_socket_perms;
+-		dontaudit seunshare_t $1:udp_socket rw_socket_perms;
+-		dontaudit seunshare_t $1:unix_stream_socket rw_socket_perms;
+-	')
+-')
+-
+-########################################
+-## <summary>
+-##	Role access for seunshare
+-## </summary>
+ ## <param name="role">
+ ##	<summary>
+ ##	Role allowed access.
+@@ -66,15 +21,28 @@
+ ##	</summary>
+ ## </param>
+ #
+-interface(`seunshare_role',`
++interface(`seunshare_role_template',`
+ 	gen_require(`
+-		type seunshare_t;
++		attribute seunshare_domain;
++		type seunshare_exec_t;
+ 	')
  
- 	allow $1 seunshare_t:process signal_perms;
+-	role $2 types seunshare_t;
++	type $1_seunshare_t, seunshare_domain;
++	application_domain($1_seunshare_t, seunshare_exec_t)
++	role $2 types $1_seunshare_t;
  
-+	sandbox_transition(seunshare_t, $2)
+-	seunshare_domtrans($1)
++	domtrans_pattern($3, seunshare_exec_t, $1_seunshare_t)
++	sandbox_transition($1_seunshare_t, $2)
+ 
+-	ps_process_pattern($2, seunshare_t)
+-	allow $2 seunshare_t:process signal;
++	ps_process_pattern($3, $1_seunshare_t)
++	allow $3 $1_seunshare_t:process signal_perms;
 +
- 	ifdef(`hide_broken_symptoms', `
- 		dontaudit seunshare_t $1:tcp_socket rw_socket_perms;
- 		dontaudit seunshare_t $1:udp_socket rw_socket_perms;
++	allow $1_seunshare_t $3:process transition;
++	dontaudit $1_seunshare_t $3:process { noatsecure siginh rlimitinh };
++
++	ifdef(`hide_broken_symptoms', `
++		dontaudit $1_seunshare_t $3:tcp_socket rw_socket_perms;
++		dontaudit $1_seunshare_t $3:udp_socket rw_socket_perms;
++		dontaudit $1_seunshare_t $3:unix_stream_socket rw_socket_perms;
++	')
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.7.8/policy/modules/apps/seunshare.te
 --- nsaserefpolicy/policy/modules/apps/seunshare.te	2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/apps/seunshare.te	2010-02-02 10:31:03.000000000 -0500
-@@ -15,9 +15,8 @@
++++ serefpolicy-3.7.8/policy/modules/apps/seunshare.te	2010-02-11 16:49:25.000000000 -0500
+@@ -6,40 +6,39 @@
+ # Declarations
+ #
+ 
+-type seunshare_t;
++attribute seunshare_domain;
+ type seunshare_exec_t;
+-application_domain(seunshare_t, seunshare_exec_t)
+-role system_r types seunshare_t;
+ 
+ ########################################
  #
  # seunshare local policy
  #
--
- allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
++allow seunshare_domain self:capability { setuid dac_override setpcap sys_admin };
++allow seunshare_domain self:process { fork setexec signal getcap setcap };
+ 
+-allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
 -allow seunshare_t self:process { setexec signal getcap setcap };
-+allow seunshare_t self:process { fork setexec signal getcap setcap };
++allow seunshare_domain self:fifo_file rw_file_perms;
++allow seunshare_domain self:unix_stream_socket create_stream_socket_perms;
+ 
+-allow seunshare_t self:fifo_file rw_file_perms;
+-allow seunshare_t self:unix_stream_socket create_stream_socket_perms;
++corecmd_exec_shell(seunshare_domain)
++corecmd_exec_bin(seunshare_domain)
+ 
+-corecmd_exec_shell(seunshare_t)
+-corecmd_exec_bin(seunshare_t)
++files_search_all(seunshare_domain)
++files_read_etc_files(seunshare_domain)
++files_mounton_all_poly_members(seunshare_domain)
+ 
+-files_read_etc_files(seunshare_t)
+-files_mounton_all_poly_members(seunshare_t)
++auth_use_nsswitch(seunshare_domain)
+ 
+-auth_use_nsswitch(seunshare_t)
++logging_send_syslog_msg(seunshare_domain)
+ 
+-logging_send_syslog_msg(seunshare_t)
++miscfiles_read_localization(seunshare_domain)
+ 
+-miscfiles_read_localization(seunshare_t)
+-
+-userdom_use_user_terminals(seunshare_t)
++userdom_use_user_terminals(seunshare_domain)
  
- allow seunshare_t self:fifo_file rw_file_perms;
- allow seunshare_t self:unix_stream_socket create_stream_socket_perms;
+ ifdef(`hide_broken_symptoms', `
+-	fs_dontaudit_rw_anon_inodefs_files(seunshare_t)
++	fs_dontaudit_rw_anon_inodefs_files(seunshare_domain)
++ 	fs_dontaudit_list_inotifyfs(seunshare_domain)
+ 
+ 	optional_policy(`
+-		mozilla_dontaudit_manage_user_home_files(seunshare_t)
++		mozilla_dontaudit_manage_user_home_files(seunshare_domain)
+ 	')
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.7.8/policy/modules/apps/slocate.te
 --- nsaserefpolicy/policy/modules/apps/slocate.te	2009-08-14 16:14:31.000000000 -0400
 +++ serefpolicy-3.7.8/policy/modules/apps/slocate.te	2010-02-02 10:31:03.000000000 -0500
@@ -6485,7 +6653,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.8/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/kernel/devices.if	2010-02-09 16:10:20.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/kernel/devices.if	2010-02-11 11:47:56.000000000 -0500
 @@ -801,6 +801,24 @@
  
  ########################################
@@ -6536,7 +6704,50 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  ##	Create all block device files.
  ## </summary>
  ## <param name="domain">
-@@ -1380,6 +1416,42 @@
+@@ -855,6 +891,42 @@
+ 
+ ########################################
+ ## <summary>
++##	rw all inherited character device files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_rw_all_inherited_chr_files',`
++	gen_require(`
++		attribute device_node;
++	')
++
++	allow $1 device_node:chr_file rw_inherited_chr_file_perms;
++')
++
++########################################
++## <summary>
++##	rw all inherited blk device files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_rw_all_inherited_blk_files',`
++	gen_require(`
++		attribute device_node;
++	')
++
++	allow $1 device_node:blk_file rw_inherited_blk_file_perms;
++')
++
++########################################
++## <summary>
+ ##	Delete all block device files.
+ ## </summary>
+ ## <param name="domain">
+@@ -1380,6 +1452,42 @@
  	rw_chr_files_pattern($1, device_t, crypt_device_t)
  ')
  
@@ -6579,7 +6790,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  ########################################
  ## <summary>
  ##	getattr the dri devices.
-@@ -1710,6 +1782,24 @@
+@@ -1710,6 +1818,24 @@
  
  ########################################
  ## <summary>
@@ -6604,7 +6815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  ##	Get the attributes of the ksm devices.
  ## </summary>
  ## <param name="domain">
-@@ -1999,6 +2089,24 @@
+@@ -1999,6 +2125,24 @@
  
  ########################################
  ## <summary>
@@ -6629,7 +6840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  ##	Read raw memory devices (e.g. /dev/mem).
  ## </summary>
  ## <param name="domain">
-@@ -2450,6 +2558,24 @@
+@@ -2450,6 +2594,24 @@
  
  ########################################
  ## <summary>
@@ -6654,7 +6865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  ##	Get the attributes of the network control device
  ## </summary>
  ## <param name="domain">
-@@ -3515,6 +3641,24 @@
+@@ -3515,6 +3677,24 @@
  
  ########################################
  ## <summary>
@@ -6679,7 +6890,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  ##	Mount a usbfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -3703,6 +3847,24 @@
+@@ -3703,6 +3883,24 @@
  	getattr_chr_files_pattern($1, device_t, v4l_device_t)
  ')
  
@@ -7177,7 +7388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  /var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.8/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/kernel/files.if	2010-02-09 14:24:24.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/kernel/files.if	2010-02-11 11:49:05.000000000 -0500
 @@ -932,10 +932,8 @@
  	relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
  	relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -7875,7 +8086,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.8/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/kernel/filesystem.if	2010-02-08 15:48:31.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/kernel/filesystem.if	2010-02-11 14:13:24.000000000 -0500
 @@ -906,7 +906,7 @@
  		type cifs_t;
  	')
@@ -7911,7 +8122,69 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
  ##	Create, read, write, and delete directories
  ##	on a FUSEFS filesystem.
  ## </summary>
-@@ -2047,7 +2066,7 @@
+@@ -1613,6 +1632,36 @@
+ 
+ ########################################
+ ## <summary>
++##	Create an object in a hugetlbfs filesystem, with a private
++##	type using a type transition.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="private type">
++##	<summary>
++##	The type of the object to be created.
++##	</summary>
++## </param>
++## <param name="object">
++##	<summary>
++##	The object class of the object being created.
++##	</summary>
++## </param>
++#
++interface(`fs_hugetlbfs_filetrans',`
++	gen_require(`
++		type hugetlbfs_t;
++	')
++
++	allow $2 hugetlbfs_t:filesystem associate;
++	filetrans_pattern($1, hugetlbfs_t, $2, $3)
++')
++
++########################################
++## <summary>
+ ##	Search inotifyfs filesystem.
+ ## </summary>
+ ## <param name="domain">
+@@ -1649,6 +1698,24 @@
+ 
+ ########################################
+ ## <summary>
++##	Dontaudit List inotifyfs filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_dontaudit_list_inotifyfs',`
++	gen_require(`
++		type inotifyfs_t;
++	')
++
++	dontaudit $1 inotifyfs_t:dir list_dir_perms;
++')
++
++########################################
++## <summary>
+ ##	Mount an iso9660 filesystem, which
+ ##	is usually used on CDs.
+ ## </summary>
+@@ -2047,7 +2114,7 @@
  		type nfs_t;
  	')
  
@@ -7920,7 +8193,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
  ')
  
  ########################################
-@@ -2069,6 +2088,25 @@
+@@ -2069,6 +2136,25 @@
  	read_lnk_files_pattern($1, nfs_t, nfs_t)
  ')
  
@@ -7946,7 +8219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
  #########################################
  ## <summary>
  ##	Read named sockets on a NFS filesystem.
-@@ -3458,6 +3496,24 @@
+@@ -3458,6 +3544,24 @@
  
  ########################################
  ## <summary>
@@ -7971,7 +8244,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
  ##	Read and write generic tmpfs files.
  ## </summary>
  ## <param name="domain">
-@@ -3684,6 +3740,24 @@
+@@ -3684,6 +3788,24 @@
  
  ########################################
  ## <summary>
@@ -7996,7 +8269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
  ##	Mount a XENFS filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -4181,3 +4255,214 @@
+@@ -4181,3 +4303,214 @@
  	relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
  	relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
  ')
@@ -8273,7 +8546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
  # nfs_t is the default type for NFS file systems
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.8/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/kernel/kernel.if	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/kernel/kernel.if	2010-02-11 08:05:42.000000000 -0500
 @@ -1849,7 +1849,7 @@
  	')
  
@@ -8814,7 +9087,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.8/policy/modules/roles/sysadm.te
 --- nsaserefpolicy/policy/modules/roles/sysadm.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/roles/sysadm.te	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/roles/sysadm.te	2010-02-11 12:30:41.000000000 -0500
 @@ -15,7 +15,7 @@
  
  role sysadm_r;
@@ -8883,18 +9156,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  ')
  
  optional_policy(`
-@@ -135,10 +129,6 @@
+@@ -135,7 +129,7 @@
  ')
  
  optional_policy(`
 -	dbus_role_template(sysadm, sysadm_r, sysadm_t)
--')
--
--optional_policy(`
- 	dcc_run_cdcc(sysadm_t, sysadm_r)
- 	dcc_run_client(sysadm_t, sysadm_r)
- 	dcc_run_dbclean(sysadm_t, sysadm_r)
-@@ -166,10 +156,6 @@
++    daemonstools_run_start(sysadm_t, sysadm_r)
+ ')
+ 
+ optional_policy(`
+@@ -166,10 +160,6 @@
  ')
  
  optional_policy(`
@@ -8905,7 +9176,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  	firstboot_run(sysadm_t, sysadm_r)
  ')
  
-@@ -178,22 +164,6 @@
+@@ -178,22 +168,6 @@
  ')
  
  optional_policy(`
@@ -8928,7 +9199,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  	hostname_run(sysadm_t, sysadm_r)
  ')
  
-@@ -205,6 +175,9 @@
+@@ -205,6 +179,9 @@
  	ipsec_stream_connect(sysadm_t)
  	# for lsof
  	ipsec_getattr_key_sockets(sysadm_t)
@@ -8938,7 +9209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  ')
  
  optional_policy(`
-@@ -212,11 +185,7 @@
+@@ -212,11 +189,7 @@
  ')
  
  optional_policy(`
@@ -8951,7 +9222,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  ')
  
  optional_policy(`
-@@ -228,10 +197,6 @@
+@@ -228,10 +201,6 @@
  ')
  
  optional_policy(`
@@ -8962,7 +9233,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  	logrotate_run(sysadm_t, sysadm_r)
  ')
  
-@@ -255,14 +220,6 @@
+@@ -255,14 +224,6 @@
  ')
  
  optional_policy(`
@@ -8977,7 +9248,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  	mta_role(sysadm_r, sysadm_t)
  ')
  
-@@ -290,11 +247,6 @@
+@@ -290,11 +251,6 @@
  ')
  
  optional_policy(`
@@ -8989,7 +9260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  	pcmcia_run_cardctl(sysadm_t, sysadm_r)
  ')
  
-@@ -308,7 +260,7 @@
+@@ -308,7 +264,7 @@
  ')
  
  optional_policy(`
@@ -8998,7 +9269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  ')
  
  optional_policy(`
-@@ -320,10 +272,6 @@
+@@ -320,10 +276,6 @@
  ')
  
  optional_policy(`
@@ -9009,7 +9280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  	rpc_domtrans_nfsd(sysadm_t)
  ')
  
-@@ -332,10 +280,6 @@
+@@ -332,10 +284,6 @@
  ')
  
  optional_policy(`
@@ -9020,7 +9291,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  	rsync_exec(sysadm_t)
  ')
  
-@@ -345,10 +289,6 @@
+@@ -345,10 +293,6 @@
  ')
  
  optional_policy(`
@@ -9031,7 +9302,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  	secadm_role_change(sysadm_r)
  ')
  
-@@ -358,35 +298,15 @@
+@@ -358,35 +302,15 @@
  ')
  
  optional_policy(`
@@ -9067,7 +9338,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  	tripwire_run_siggen(sysadm_t, sysadm_r)
  	tripwire_run_tripwire(sysadm_t, sysadm_r)
  	tripwire_run_twadmin(sysadm_t, sysadm_r)
-@@ -394,18 +314,10 @@
+@@ -394,18 +318,10 @@
  ')
  
  optional_policy(`
@@ -9086,7 +9357,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  	unconfined_domtrans(sysadm_t)
  ')
  
-@@ -418,17 +330,13 @@
+@@ -418,17 +334,13 @@
  ')
  
  optional_policy(`
@@ -9105,7 +9376,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  ')
  
  optional_policy(`
-@@ -440,13 +348,16 @@
+@@ -440,13 +352,16 @@
  ')
  
  optional_policy(`
@@ -13131,7 +13402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.
  	xserver_domtrans(apmd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.7.8/policy/modules/services/arpwatch.te
 --- nsaserefpolicy/policy/modules/services/arpwatch.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/arpwatch.te	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/arpwatch.te	2010-02-11 14:04:49.000000000 -0500
 @@ -34,6 +34,7 @@
  allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms };
  allow arpwatch_t self:udp_socket create_socket_perms;
@@ -13148,11 +13419,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpw
  kernel_read_kernel_sysctls(arpwatch_t)
  kernel_list_proc(arpwatch_t)
  kernel_read_proc_symlinks(arpwatch_t)
-@@ -62,6 +64,7 @@
+@@ -62,6 +64,8 @@
  corenet_udp_sendrecv_all_ports(arpwatch_t)
  
  dev_read_sysfs(arpwatch_t)
 +dev_read_usbmon_dev(arpwatch_t)
++dev_rw_generic_usb_dev(arpwatch_t)
  
  fs_getattr_all_fs(arpwatch_t)
  fs_search_auto_mountpoints(arpwatch_t)
@@ -15394,7 +15666,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.8/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/cron.te	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/cron.te	2010-02-11 12:30:41.000000000 -0500
 @@ -38,8 +38,10 @@
  type cron_var_lib_t;
  files_type(cron_var_lib_t)
@@ -15488,7 +15760,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  
  ifdef(`distro_debian',`
  	# pam_limits is used
-@@ -241,8 +261,12 @@
+@@ -241,8 +261,17 @@
  	')
  ')
  
@@ -15500,10 +15772,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 +
 +optional_policy(`
 +	apache_search_sys_content(crond_t)
++')
++
++optional_policy(`
++    djbdns_search_key_tinydns(crond_t)
++    djbdns_link_key_tinydns(crond_t)
  ')
  
  optional_policy(`
-@@ -251,6 +275,20 @@
+@@ -251,6 +280,20 @@
  ')
  
  optional_policy(`
@@ -15524,7 +15801,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  	amanda_search_var_lib(crond_t)
  ')
  
-@@ -260,6 +298,8 @@
+@@ -260,6 +303,8 @@
  
  optional_policy(`
  	hal_dbus_chat(crond_t)
@@ -15533,7 +15810,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  ')
  
  optional_policy(`
-@@ -302,10 +342,17 @@
+@@ -302,10 +347,17 @@
  
  # This is to handle /var/lib/misc directory.  Used currently
  # by prelink var/lib files for cron 
@@ -15552,7 +15829,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  # The entrypoint interface is not used as this is not
  # a regular entrypoint.  Since crontab files are
  # not directly executed, crond must ensure that
-@@ -325,6 +372,7 @@
+@@ -325,6 +377,7 @@
  allow system_cronjob_t crond_t:fd use;
  allow system_cronjob_t crond_t:fifo_file rw_file_perms;
  allow system_cronjob_t crond_t:process sigchld;
@@ -15560,7 +15837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  
  # Write /var/lock/makewhatis.lock.
  allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
-@@ -336,9 +384,13 @@
+@@ -336,9 +389,13 @@
  filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
  files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
  
@@ -15575,7 +15852,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  
  kernel_read_kernel_sysctls(system_cronjob_t)
  kernel_read_system_state(system_cronjob_t)
-@@ -361,6 +413,7 @@
+@@ -361,6 +418,7 @@
  dev_getattr_all_blk_files(system_cronjob_t)
  dev_getattr_all_chr_files(system_cronjob_t)
  dev_read_urand(system_cronjob_t)
@@ -15583,7 +15860,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  
  fs_getattr_all_fs(system_cronjob_t)
  fs_getattr_all_files(system_cronjob_t)
-@@ -387,6 +440,7 @@
+@@ -387,6 +445,7 @@
  # Access other spool directories like
  # /var/spool/anacron and /var/spool/slrnpull.
  files_manage_generic_spool(system_cronjob_t)
@@ -15591,7 +15868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  
  init_use_script_fds(system_cronjob_t)
  init_read_utmp(system_cronjob_t)
-@@ -411,6 +465,8 @@
+@@ -411,6 +470,8 @@
  
  ifdef(`distro_redhat', `
  	# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
@@ -15600,7 +15877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  	# via redirection of standard out.
  	optional_policy(`
  		rpm_manage_log(system_cronjob_t)
-@@ -435,6 +491,7 @@
+@@ -435,6 +496,7 @@
  	apache_read_config(system_cronjob_t)
  	apache_read_log(system_cronjob_t)
  	apache_read_sys_content(system_cronjob_t)
@@ -15608,7 +15885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  ')
  
  optional_policy(`
-@@ -442,6 +499,14 @@
+@@ -442,6 +504,14 @@
  ')
  
  optional_policy(`
@@ -15623,7 +15900,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  	ftp_read_log(system_cronjob_t)
  ')
  
-@@ -456,11 +521,16 @@
+@@ -456,11 +526,16 @@
  ')
  
  optional_policy(`
@@ -15640,7 +15917,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  ')
  
  optional_policy(`
-@@ -476,7 +546,7 @@
+@@ -476,7 +551,7 @@
  	prelink_manage_lib(system_cronjob_t)
  	prelink_manage_log(system_cronjob_t)
  	prelink_read_cache(system_cronjob_t)
@@ -15649,7 +15926,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  ')
  
  optional_policy(`
-@@ -491,6 +561,7 @@
+@@ -491,6 +566,7 @@
  
  optional_policy(`
  	spamassassin_manage_lib_files(system_cronjob_t)
@@ -15657,7 +15934,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  ')
  
  optional_policy(`
-@@ -498,6 +569,9 @@
+@@ -498,6 +574,9 @@
  ')
  
  optional_policy(`
@@ -15718,7 +15995,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 +/usr/local/linuxprinter/ppd(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.8/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/cups.te	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/cups.te	2010-02-11 13:29:01.000000000 -0500
 @@ -23,6 +23,9 @@
  type cupsd_initrc_exec_t;
  init_script_file(cupsd_initrc_exec_t)
@@ -15913,6 +16190,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  
  cups_stream_connect(cupsd_lpd_t)
  
+@@ -532,7 +572,7 @@
+ # cups_pdf local policy
+ #
+ 
+-allow cups_pdf_t self:capability { chown fsetid setuid setgid dac_override };
++allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
+ allow cups_pdf_t self:fifo_file rw_file_perms;
+ allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
+ 
 @@ -542,6 +582,8 @@
  manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
  files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir })
@@ -16654,7 +16940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp
  ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.if serefpolicy-3.7.8/policy/modules/services/djbdns.if
 --- nsaserefpolicy/policy/modules/services/djbdns.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/djbdns.if	2010-02-10 13:04:18.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/djbdns.if	2010-02-11 12:30:41.000000000 -0500
 @@ -26,6 +26,8 @@
  	daemontools_read_svc(djbdns_$1_t)
  
@@ -16664,6 +16950,61 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbd
  	allow djbdns_$1_t self:tcp_socket create_stream_socket_perms;
  	allow djbdns_$1_t self:udp_socket create_socket_perms;
  
+@@ -50,3 +52,39 @@
+ 
+ 	files_search_var(djbdns_$1_t)
+ ')
++
++#####################################
++## <summary>
++##  Allow search the djbdns-tinydns key ring.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`djbdns_search_key_tinydns',`
++    gen_require(`
++        type djbdns_tinydns_t;
++    ')
++
++    allow $1 djbdns_tinydns_t:key search;
++')
++
++#####################################
++## <summary>
++##  Allow link to the djbdns-tinydns key ring.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`djbdns_link_key_tinydns',`
++    gen_require(`
++        type djbdns_tinydn_t;
++    ')
++
++    allow $1 djbdns_tinydn_t:key link;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.te serefpolicy-3.7.8/policy/modules/services/djbdns.te
+--- nsaserefpolicy/policy/modules/services/djbdns.te	2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.7.8/policy/modules/services/djbdns.te	2010-02-11 12:30:41.000000000 -0500
+@@ -42,3 +42,11 @@
+ files_search_var(djbdns_axfrdns_t)
+ 
+ ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
++
++#####################################
++#
++# Local policy for djbdns_tinydns_t
++#
++
++init_dontaudit_use_script_fds(djbdns_tinydns_t)
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.7.8/policy/modules/services/dnsmasq.fc
 --- nsaserefpolicy/policy/modules/services/dnsmasq.fc	2009-07-14 14:19:57.000000000 -0400
 +++ serefpolicy-3.7.8/policy/modules/services/dnsmasq.fc	2010-02-02 10:31:03.000000000 -0500
@@ -24645,7 +24986,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
  ##	Read NFS exported content.
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.7.8/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/rpc.te	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/rpc.te	2010-02-11 15:23:21.000000000 -0500
+@@ -8,7 +8,7 @@
+ 
+ ## <desc>
+ ## <p>
+-## Allow gssd to read temp directory.  For access to kerberos tgt.
++## Allow gssd to read tep directory.  For access to kerberos tgt.
+ ## </p>
+ ## </desc>
+ gen_tunable(allow_gssd_read_tmp, true)
 @@ -37,8 +37,14 @@
  # rpc_exec_t is the type of rpc daemon programs.
  rpc_domain_template(rpcd)
@@ -24671,7 +25021,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
  allow rpcd_t self:fifo_file rw_fifo_file_perms;
  
  allow rpcd_t rpcd_var_run_t:dir setattr;
-@@ -67,6 +74,7 @@
+@@ -67,12 +74,14 @@
  kernel_read_network_state(rpcd_t)
  # for rpc.rquotad
  kernel_read_sysctl(rpcd_t)
@@ -24679,7 +25029,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
  kernel_rw_fs_sysctls(rpcd_t)
  kernel_dontaudit_getattr_core_if(rpcd_t)
  kernel_signal(rpcd_t) 
-@@ -91,14 +99,21 @@
+ 
+ corecmd_exec_bin(rpcd_t)
+ 
++files_read_default_files(rpcd_t)
+ files_manage_mounttab(rpcd_t)
+ files_getattr_all_dirs(rpcd_t)
+ 
+@@ -91,14 +100,21 @@
  
  seutil_dontaudit_search_config(rpcd_t)
  
@@ -24701,7 +25058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
  ########################################
  #
  # NFSD local policy
-@@ -127,6 +142,7 @@
+@@ -127,6 +143,7 @@
  files_getattr_tmp_dirs(nfsd_t) 
  # cjp: this should really have its own type
  files_manage_mounttab(nfsd_t)
@@ -24709,7 +25066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
  
  fs_mount_nfsd_fs(nfsd_t) 
  fs_search_nfsd_fs(nfsd_t) 
-@@ -135,6 +151,7 @@
+@@ -135,6 +152,7 @@
  fs_rw_nfsd_fs(nfsd_t) 
  
  storage_dontaudit_read_fixed_disk(nfsd_t)
@@ -24717,7 +25074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
  
  # Read access to public_content_t and public_content_rw_t
  miscfiles_read_public_files(nfsd_t)
-@@ -151,6 +168,7 @@
+@@ -151,6 +169,7 @@
  	fs_read_noxattr_fs_files(nfsd_t) 
  	auth_manage_all_files_except_shadow(nfsd_t)
  ')
@@ -24725,7 +25082,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
  
  tunable_policy(`nfs_export_all_ro',`
  	dev_getattr_all_blk_files(nfsd_t)
-@@ -182,6 +200,7 @@
+@@ -182,6 +201,7 @@
  kernel_read_network_state(gssd_t)
  kernel_read_network_state_symlinks(gssd_t)	
  kernel_search_network_sysctl(gssd_t)	
@@ -24733,7 +25090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
  
  corecmd_exec_bin(gssd_t)
  
-@@ -189,8 +208,10 @@
+@@ -189,8 +209,10 @@
  fs_rw_rpc_sockets(gssd_t) 
  fs_read_rpc_files(gssd_t) 
  
@@ -24744,7 +25101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
  
  auth_use_nsswitch(gssd_t)
  auth_manage_cache(gssd_t) 
-@@ -199,10 +220,14 @@
+@@ -199,10 +221,14 @@
  
  mount_signal(gssd_t)
  
@@ -27173,6 +27530,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tune
  dev_read_sysfs(tuned_t)
  # to allow cpu tuning
  dev_rw_netcontrol(tuned_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.te serefpolicy-3.7.8/policy/modules/services/ucspitcp.te
+--- nsaserefpolicy/policy/modules/services/ucspitcp.te	2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.7.8/policy/modules/services/ucspitcp.te	2010-02-11 12:30:41.000000000 -0500
+@@ -92,3 +92,8 @@
+ 	daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t)
+ 	daemontools_read_svc(ucspitcp_t)
+ ')
++
++optional_policy(`
++    daemontools_sigchld_run(ucspitcp_t)
++')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.7.8/policy/modules/services/usbmuxd.fc
 --- nsaserefpolicy/policy/modules/services/usbmuxd.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.7.8/policy/modules/services/usbmuxd.fc	2010-02-03 14:20:04.000000000 -0500
@@ -27226,8 +27595,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.te serefpolicy-3.7.8/policy/modules/services/usbmuxd.te
 --- nsaserefpolicy/policy/modules/services/usbmuxd.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/usbmuxd.te	2010-02-02 10:31:03.000000000 -0500
-@@ -0,0 +1,43 @@
++++ serefpolicy-3.7.8/policy/modules/services/usbmuxd.te	2010-02-11 13:37:45.000000000 -0500
+@@ -0,0 +1,47 @@
 +policy_module(usbmuxd,1.0.0)
 +
 +########################################
@@ -27264,6 +27633,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm
 +manage_sock_files_pattern(usbmuxd_t, usbmuxd_var_run_t,  usbmuxd_var_run_t)
 +files_pid_filetrans(usbmuxd_t, usbmuxd_var_run_t, { file dir sock_file })
 +
++kernel_read_system_state(usbmuxd_t)
++
++dev_rw_generic_usb_dev(usbmuxd_t)
++
 +files_read_etc_files(usbmuxd_t)
 +
 +miscfiles_read_localization(usbmuxd_t)
@@ -27660,7 +28033,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
 +/var/run/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:svirt_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.8/policy/modules/services/virt.if
 --- nsaserefpolicy/policy/modules/services/virt.if	2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/services/virt.if	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/virt.if	2010-02-11 14:19:09.000000000 -0500
 @@ -136,7 +136,7 @@
  	')
  
@@ -27916,7 +28289,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.8/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/services/virt.te	2010-02-02 10:31:03.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/services/virt.te	2010-02-11 14:17:16.000000000 -0500
 @@ -8,6 +8,13 @@
  
  ## <desc>
@@ -28179,7 +28552,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  ')
  
  optional_policy(`
-@@ -196,8 +312,159 @@
+@@ -196,8 +312,162 @@
  
  	xen_stream_connect(virtd_t)
  	xen_stream_connect_xenstore(virtd_t)
@@ -28208,6 +28581,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
 +allow svirt_t svirt_image_t:dir search_dir_perms;
 +manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t)
 +manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t)
++fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
 +
 +list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
 +read_files_pattern(svirt_t, virt_content_t, virt_content_t)
@@ -28215,6 +28589,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
 +dontaudit svirt_t virt_content_t:dir write;
 +
 +userdom_search_user_home_content(svirt_t)
++userdom_read_user_home_content_symlinks(svirt_t)
 +userdom_read_all_users_state(svirt_t)
 +
 +allow svirt_t self:udp_socket create_socket_perms;
@@ -28240,6 +28615,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
 +
 +tunable_policy(`virt_use_fusefs',`
 +	fs_read_fusefs_files(svirt_t)
++	fs_read_fusefs_symlinks(svirt_t)
 +')
 +
 +tunable_policy(`virt_use_nfs',`
@@ -30188,10 +30564,113 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  ########################################
  #
  # PAM local policy
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.if serefpolicy-3.7.8/policy/modules/system/daemontools.if
+--- nsaserefpolicy/policy/modules/system/daemontools.if	2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.8/policy/modules/system/daemontools.if	2010-02-11 12:30:41.000000000 -0500
+@@ -71,6 +71,32 @@
+ 	domtrans_pattern($1, svc_start_exec_t, svc_start_t)
+ ')
+ 
++######################################
++## <summary>
++##  Execute svc_start in the svc_start domain, and
++##  allow the specified role the svc_start domain.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++## <param name="role">
++##  <summary>
++##  The role to be allowed the svc_start domain.
++##  </summary>
++## </param>
++## <rolecap/>
++#
++interface(`daemonstools_run_start',`
++    gen_require(`
++        type svc_start_t;
++    ')
++
++    daemontools_domtrans_start($1)
++    role $2 types svc_start_t;
++')
++
+ ########################################
+ ## <summary>
+ ##	Execute in the svc_run_t domain.
+@@ -127,6 +153,24 @@
+ 	allow $1 svc_svc_t:file read_file_perms;
+ ')
+ 
++######################################
++## <summary>
++##  Search svc_svc_t  directory.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`daemontools_search_svc_dir',`
++    gen_require(`
++        type svc_svc_t;
++    ')
++
++    allow $1 svc_svc_t:dir search_dir_perms;
++')
++
+ ########################################
+ ## <summary>
+ ##	Allow a domain to create svc_svc_t files.
+@@ -148,3 +192,21 @@
+ 	allow $1 svc_svc_t:file manage_file_perms;
+ 	allow $1 svc_svc_t:lnk_file { read create };
+ ')
++
++######################################
++## <summary>
++##  Send a SIGCHLD signal to svc_run domain.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`daemontools_sigchld_run',`
++    gen_require(`
++        type svc_run_t;
++    ')
++
++    allow $1 svc_run_t:process sigchld;
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.te serefpolicy-3.7.8/policy/modules/system/daemontools.te
 --- nsaserefpolicy/policy/modules/system/daemontools.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/daemontools.te	2010-02-10 13:04:18.000000000 -0500
-@@ -65,6 +65,8 @@
++++ serefpolicy-3.7.8/policy/modules/system/daemontools.te	2010-02-11 12:30:41.000000000 -0500
+@@ -39,7 +39,10 @@
+ # multilog creates /service/*/log/status
+ manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t)
+ 
++term_write_console(svc_multilog_t)
++
+ init_use_fds(svc_multilog_t)
++init_dontaudit_use_script_fds(svc_multilog_t)
+ 
+ # writes to /var/log/*/*
+ logging_manage_generic_logs(svc_multilog_t)
+@@ -53,7 +56,7 @@
+ # ie. softlimit, setuidgid, envuidgid, envdir, fghack ..
+ #
+ 
+-allow svc_run_t self:capability { setgid setuid chown fsetid };
++allow svc_run_t self:capability { setgid setuid chown fsetid sys_resource };
+ allow svc_run_t self:process setrlimit;
+ allow svc_run_t self:fifo_file rw_fifo_file_perms;
+ allow svc_run_t self:unix_stream_socket create_stream_socket_perms;
+@@ -65,9 +68,13 @@
  
  kernel_read_system_state(svc_run_t)
  
@@ -30200,7 +30679,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemon
  corecmd_exec_bin(svc_run_t)
  corecmd_exec_shell(svc_run_t)
  
-@@ -93,10 +95,14 @@
++term_write_console(svc_run_t)
++
+ files_read_etc_files(svc_run_t)
+ files_read_etc_runtime_files(svc_run_t)
+ files_search_pids(svc_run_t)
+@@ -89,21 +96,36 @@
+ # ie svc, svscan, supervise ...
+ #
+ 
+-allow svc_start_t svc_run_t:process signal;
++allow svc_start_t svc_run_t:process { signal setrlimit };
  
  allow svc_start_t self:fifo_file rw_fifo_file_perms;
  allow svc_start_t self:capability kill;
@@ -30209,13 +30698,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemon
  
  can_exec(svc_start_t, svc_start_exec_t)
  
++mmap_files_pattern(svc_start_t, svc_svc_t, svc_svc_t)
++
 +kernel_read_kernel_sysctls(svc_start_t)
 +kernel_read_system_state(svc_start_t)
 +
  corecmd_exec_bin(svc_start_t)
  corecmd_exec_shell(svc_start_t)
  
-@@ -105,5 +111,9 @@
++corenet_tcp_bind_generic_node(svc_start_t)
++corenet_tcp_bind_generic_port(svc_start_t)
++
++term_write_console(svc_start_t)
++
+ files_read_etc_files(svc_start_t)
+ files_read_etc_runtime_files(svc_start_t)
  files_search_var(svc_start_t)
  files_search_pids(svc_start_t)
  
@@ -32451,7 +32948,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.8/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.8/policy/modules/system/logging.te	2010-02-09 08:53:48.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/logging.te	2010-02-11 12:30:41.000000000 -0500
 @@ -101,6 +101,7 @@
  
  kernel_read_kernel_sysctls(auditctl_t)
@@ -32575,6 +33072,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  	postgresql_stream_connect(syslogd_t)
  ')
  
+@@ -473,6 +502,10 @@
+ ')
+ 
+ optional_policy(`
++    daemontools_search_svc_dir(syslogd_t)
++')
++
++optional_policy(`
+ 	udev_read_db(syslogd_t)
+ ')
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.7.8/policy/modules/system/lvm.te
 --- nsaserefpolicy/policy/modules/system/lvm.te	2009-11-25 11:47:19.000000000 -0500
 +++ serefpolicy-3.7.8/policy/modules/system/lvm.te	2010-02-02 10:31:03.000000000 -0500
@@ -35304,7 +35812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.7.8/policy/modules/system/userdomain.if	2010-02-10 17:23:48.000000000 -0500
++++ serefpolicy-3.7.8/policy/modules/system/userdomain.if	2010-02-11 15:04:39.000000000 -0500
 @@ -30,8 +30,9 @@
  	')
  
@@ -36034,7 +36542,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  	optional_policy(`
 -		slrnpull_search_spool($1_t)
-+		seunshare_run($1_t, $1_r)
++		seunshare_role_template($1, $1_r, $1_t)
  	')
  
  	optional_policy(`
@@ -37936,7 +38444,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.7.8/policy/support/obj_perm_sets.spt
 --- nsaserefpolicy/policy/support/obj_perm_sets.spt	2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.8/policy/support/obj_perm_sets.spt	2010-02-08 12:51:47.000000000 -0500
++++ serefpolicy-3.7.8/policy/support/obj_perm_sets.spt	2010-02-11 12:08:23.000000000 -0500
 @@ -28,7 +28,7 @@
  #
  # All socket classes.
@@ -37982,7 +38490,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets
  define(`create_fifo_file_perms',`{ getattr create open }')
  define(`rename_fifo_file_perms',`{ getattr rename }')
  define(`delete_fifo_file_perms',`{ getattr unlink }')
-@@ -305,7 +308,8 @@
+@@ -271,7 +274,8 @@
+ define(`read_blk_file_perms',`{ getattr open read lock ioctl }')
+ define(`append_blk_file_perms',`{ getattr open append lock ioctl }')
+ define(`write_blk_file_perms',`{ getattr open write append lock ioctl }')
+-define(`rw_blk_file_perms',`{ getattr open read write append ioctl lock }')
++define(`rw_inherited_blk_file_perms',`{ getattr read write append ioctl lock }')
++define(`rw_blk_file_perms',`{ open rw_inherited_blk_file_perms }')
+ define(`create_blk_file_perms',`{ getattr create }')
+ define(`rename_blk_file_perms',`{ getattr rename }')
+ define(`delete_blk_file_perms',`{ getattr unlink }')
+@@ -288,7 +292,8 @@
+ define(`read_chr_file_perms',`{ getattr open read lock ioctl }')
+ define(`append_chr_file_perms',`{ getattr open append lock ioctl }')
+ define(`write_chr_file_perms',`{ getattr open write append lock ioctl }')
+-define(`rw_chr_file_perms',`{ getattr open read write append ioctl lock }')
++define(`rw_inherited_chr_file_perms',`{ getattr read write append ioctl lock }')
++define(`rw_chr_file_perms',`{ open rw_inherited_chr_file_perms }')
+ define(`create_chr_file_perms',`{ getattr create }')
+ define(`rename_chr_file_perms',`{ getattr rename }')
+ define(`delete_chr_file_perms',`{ getattr unlink }')
+@@ -305,7 +310,8 @@
  #
  # Use (read and write) terminals
  #
@@ -37992,7 +38520,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets
  
  #
  # Sockets
-@@ -317,3 +321,14 @@
+@@ -317,3 +323,14 @@
  # Keys
  #
  define(`manage_key_perms', `{ create link read search setattr view write } ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 075329c..4e40b6a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.7.8
-Release: 10%{?dist}
+Release: 11%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,9 @@ exit 0
 %endif
 
 %changelog
+* Thu Feb 11 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-11
+- Allow sandbox to work with MLS 
+
 * Tue Feb 9 2010 Dan Walsh <dwalsh@redhat.com> 3.7.8-9
 - Make Chrome work with staff user