diff --git a/policy-F13.patch b/policy-F13.patch
index 5fd3864..1210af1 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -1536,7 +1536,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.7.5/policy/modules/admin/tmpreaper.te
--- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/admin/tmpreaper.te 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/admin/tmpreaper.te 2009-12-22 10:55:03.000000000 -0500
@@ -42,6 +42,7 @@
cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
@@ -1545,20 +1545,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap
userdom_delete_user_home_content_dirs(tmpreaper_t)
userdom_delete_user_home_content_files(tmpreaper_t)
userdom_delete_user_home_content_symlinks(tmpreaper_t)
-@@ -52,6 +53,12 @@
+@@ -52,6 +53,13 @@
')
optional_policy(`
+ apache_delete_sys_content_rw(tmpreaper_t)
+ apache_list_cache(tmpreaper_t)
+ apache_delete_cache(tmpreaper_t)
++ apache_setattr_cache_dirs(tmpreaper_t)
+')
+
+optional_policy(`
kismet_manage_log(tmpreaper_t)
')
-@@ -60,5 +67,9 @@
+@@ -60,5 +68,9 @@
')
optional_policy(`
@@ -3722,8 +3723,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.5/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/apps/nsplugin.te 2009-12-21 13:07:09.000000000 -0500
-@@ -0,0 +1,295 @@
++++ serefpolicy-3.7.5/policy/modules/apps/nsplugin.te 2009-12-22 10:16:59.000000000 -0500
+@@ -0,0 +1,296 @@
+
+policy_module(nsplugin, 1.0.0)
+
@@ -3917,6 +3918,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
+ ')
+ xserver_user_x_domain_template(nsplugin, nsplugin_t, user_tmpfs_t)
+ xserver_rw_shm(nsplugin_t)
++ xserver_read_xdm_pid(nsplugin_t)
+ xserver_read_xdm_tmp_files(nsplugin_t)
+ xserver_read_user_xauth(nsplugin_t)
+ xserver_read_user_iceauth(nsplugin_t)
@@ -4253,7 +4255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.7.5/policy/modules/apps/pulseaudio.te
--- nsaserefpolicy/policy/modules/apps/pulseaudio.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/apps/pulseaudio.te 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/apps/pulseaudio.te 2009-12-22 09:44:29.000000000 -0500
@@ -11,6 +11,9 @@
application_domain(pulseaudio_t, pulseaudio_exec_t)
role system_r types pulseaudio_t;
@@ -4311,6 +4313,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
policykit_domtrans_auth(pulseaudio_t)
policykit_read_lib(pulseaudio_t)
policykit_read_reload(pulseaudio_t)
+@@ -98,6 +111,8 @@
+ ')
+
+ optional_policy(`
++ xserver_stream_connect(pulseaudio_t)
+ xserver_manage_xdm_tmp_files(pulseaudio_t)
+ xserver_read_xdm_lib_files(pulseaudio_t)
++ xserver_read_xdm_pid(pulseaudio_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.7.5/policy/modules/apps/qemu.fc
--- nsaserefpolicy/policy/modules/apps/qemu.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/apps/qemu.fc 2009-12-21 13:07:09.000000000 -0500
@@ -4715,8 +4726,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+# No types are sandbox_exec_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.5/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/apps/sandbox.if 2009-12-21 13:07:09.000000000 -0500
-@@ -0,0 +1,186 @@
++++ serefpolicy-3.7.5/policy/modules/apps/sandbox.if 2009-12-22 11:04:52.000000000 -0500
+@@ -0,0 +1,222 @@
+
+## policy for sandbox
+
@@ -4903,6 +4914,42 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+
+ allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
+')
++
++########################################
++##
++## allow domain to delete sandbox files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`sandbox_delete_files',`
++ gen_require(`
++ attribute sandbox_file_type;
++ ')
++
++ delete_files_pattern($1, sandbox_file_type, sandbox_file_type)
++')
++
++########################################
++##
++## allow domain to delete sandbox files
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`sandbox_delete_dirs',`
++ gen_require(`
++ attribute sandbox_file_type;
++ ')
++
++ delete_dirs_pattern($1, sandbox_file_type, sandbox_file_type)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.5/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/apps/sandbox.te 2009-12-21 14:43:49.000000000 -0500
@@ -5249,17 +5296,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.7.5/policy/modules/apps/screen.if
--- nsaserefpolicy/policy/modules/apps/screen.if 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/apps/screen.if 2009-12-21 14:51:54.000000000 -0500
-@@ -141,6 +141,12 @@
++++ serefpolicy-3.7.5/policy/modules/apps/screen.if 2009-12-22 11:38:41.000000000 -0500
+@@ -141,6 +141,7 @@
userdom_create_user_pty($1_screen_t)
userdom_user_home_domtrans($1_screen_t, $3)
userdom_setattr_user_ptys($1_screen_t)
+ userdom_setattr_user_ttys($1_screen_t)
-+
-+ optional_policy(`
-+ dbus_system_bus_client($1_screen_t)
-+ fprintd_dbus_chat($1_screen_t)
-+ ')
tunable_policy(`use_samba_home_dirs',`
fs_cifs_domtrans($1_screen_t, $3)
@@ -5710,7 +5752,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
+/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.7.5/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/kernel/corecommands.if 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/kernel/corecommands.if 2009-12-22 08:22:45.000000000 -0500
@@ -893,6 +893,7 @@
read_lnk_files_pattern($1, bin_t, bin_t)
@@ -6927,7 +6969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.5/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/kernel/filesystem.if 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/kernel/filesystem.if 2009-12-22 10:30:40.000000000 -0500
@@ -906,7 +906,7 @@
type cifs_t;
')
@@ -6972,13 +7014,53 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
#########################################
##
## Read named sockets on a NFS filesystem.
-@@ -4181,3 +4200,60 @@
+@@ -4181,3 +4200,216 @@
relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
')
+
+########################################
+##
++## Search dirs on cgroup
++## file systems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_search_cgroup_dirs', `
++ gen_require(`
++ type cgroup_t;
++
++ ')
++
++ allow $1 cgroup_t:dir search;
++')
++
++########################################
++##
++## list dirs on cgroup
++## file systems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_list_cgroup_dirs', `
++ gen_require(`
++ type cgroup_t;
++
++ ')
++
++ list_dirs_pattern($1, cgroup_t, cgroup_t)
++')
++
++########################################
++##
+## Do not audit attempts to read
+## dirs on a CIFS or SMB filesystem.
+##
@@ -6998,6 +7080,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
+
+########################################
+##
++## create dirs on cgroup
++## file systems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_create_cgroup_dirs', `
++ gen_require(`
++ type cgroup_t;
++ ')
++
++ create_dirs_pattern($1, cgroup_t, cgroup_t)
++')
++
++########################################
++##
+## Manage dirs on cgroup file systems.
+##
+##
@@ -7033,6 +7134,103 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
+
+ rw_files_pattern($1, cgroup_t, cgroup_t)
+')
++########################################
++##
++## Mount a cgroup filesystem.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_mount_cgroup_fs', `
++ gen_require(`
++ type cgroup_t;
++ ')
++
++ allow $1 cgroup_t:filesystem mount;
++')
++
++########################################
++##
++## Remount a cgroup filesystem This allows
++## some mount options to be changed.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_remount_cgroup_fs', `
++ gen_require(`
++ type cgroup_t;
++ ')
++
++ allow $1 cgroup_t:filesystem remount;
++')
++
++########################################
++##
++## Unmount a cgroup file system.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_unmount_cgroup_fs', `
++ gen_require(`
++ type cgroup_t;
++ ')
++
++ allow $1 cgroup_t:filesystem unmount;
++')
++
++########################################
++##
++## Set attributes of files on cgroup
++## file systems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_setattr_cgroup_files',`
++ gen_require(`
++ type cgroup_t;
++
++ ')
++
++ setattr_files_pattern($1, cgroup_t, cgroup_t)
++ fs_search_cgroup_dirs($1)
++')
++
++########################################
++##
++## Write files on cgroup
++## file systems.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_write_cgroup_files', `
++ gen_require(`
++ type cgroup_t;
++
++ ')
++
++ write_files_pattern($1, cgroup_t, cgroup_t)
++ fs_search_cgroup_dirs($1)
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.5/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2009-11-25 11:47:19.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/kernel/filesystem.te 2009-12-21 13:07:09.000000000 -0500
@@ -9518,7 +9716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
## All of the rules required to administrate
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.5/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/services/abrt.te 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/abrt.te 2009-12-22 08:42:16.000000000 -0500
@@ -33,12 +33,24 @@
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)
@@ -9566,7 +9764,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
kernel_read_ring_buffer(abrt_t)
-@@ -75,18 +90,33 @@
+@@ -75,18 +90,34 @@
corecmd_exec_bin(abrt_t)
corecmd_exec_shell(abrt_t)
@@ -9585,6 +9783,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
files_getattr_all_files(abrt_t)
files_read_etc_files(abrt_t)
++files_read_var_lib_files(abrt_t)
files_read_usr_files(abrt_t)
+files_read_generic_tmp_files(abrt_t)
+files_read_kernel_modules(abrt_t)
@@ -9600,7 +9799,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
sysnet_read_config(abrt_t)
-@@ -96,22 +126,92 @@
+@@ -96,22 +127,92 @@
miscfiles_read_certs(abrt_t)
miscfiles_read_localization(abrt_t)
@@ -10093,7 +10292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.5/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2009-07-28 15:51:13.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/services/apache.if 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/apache.if 2009-12-22 10:55:59.000000000 -0500
@@ -13,21 +13,16 @@
#
template(`apache_content_template',`
@@ -10441,7 +10640,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
## TCP sockets.
##
##
-@@ -503,6 +480,86 @@
+@@ -503,6 +480,105 @@
########################################
##
@@ -10484,6 +10683,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+
+########################################
+##
++## Allow domain to set the attributes
++## of the APACHE cache directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`apache_setattr_cache_dirs',`
++ gen_require(`
++ type httpd_cache_t;
++ ')
++
++ allow $1 httpd_cache_t:dir setattr;
++')
++
++########################################
++##
+## Allow the specified domain to read
+## apache tmp files.
+##
@@ -10528,7 +10746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
## Allow the specified domain to read
## apache configuration files.
##
-@@ -579,7 +636,7 @@
+@@ -579,7 +655,7 @@
##
##
##
@@ -10537,7 +10755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
##
##
##
-@@ -715,6 +772,7 @@
+@@ -715,6 +791,7 @@
')
allow $1 httpd_modules_t:dir list_dir_perms;
@@ -10545,7 +10763,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -782,6 +840,32 @@
+@@ -782,6 +859,32 @@
########################################
##
@@ -10578,7 +10796,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
## Execute all web scripts in the system
## script domain.
##
-@@ -791,16 +875,18 @@
+@@ -791,16 +894,18 @@
##
##
#
@@ -10601,7 +10819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
')
-@@ -859,6 +945,8 @@
+@@ -859,6 +964,8 @@
##
##
#
@@ -10610,7 +10828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
interface(`apache_run_all_scripts',`
gen_require(`
attribute httpd_exec_scripts, httpd_script_domains;
-@@ -884,7 +972,7 @@
+@@ -884,7 +991,7 @@
type httpd_squirrelmail_t;
')
@@ -10619,7 +10837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
########################################
-@@ -1043,6 +1131,44 @@
+@@ -1043,6 +1150,44 @@
########################################
##
@@ -10664,7 +10882,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
## All of the rules required to administrate an apache environment
##
##
-@@ -1072,11 +1198,17 @@
+@@ -1072,11 +1217,17 @@
type httpd_modules_t, httpd_lock_t;
type httpd_var_run_t, httpd_php_tmp_t;
type httpd_suexec_tmp_t, httpd_tmp_t;
@@ -10682,7 +10900,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
-@@ -1096,12 +1228,57 @@
+@@ -1096,12 +1247,57 @@
kernel_search_proc($1)
allow $1 httpd_t:dir list_dir_perms;
@@ -12396,6 +12614,165 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
+optional_policy(`
+ unconfined_dbus_send(certmonger_t)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.fc serefpolicy-3.7.5/policy/modules/services/cgroup.fc
+--- nsaserefpolicy/policy/modules/services/cgroup.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/cgroup.fc 2009-12-22 11:06:28.000000000 -0500
+@@ -0,0 +1,7 @@
++/etc/rc\.d/init\.d/cgconfig -- gen_context(system_u:object_r:cgconfig_initrc_exec_t, s0)
++/etc/rc\.d/init\.d/cgred -- gen_context(system_u:object_r:cgred_initrc_exec_t, s0)
++
++/sbin/cgrulesengd -- gen_context(system_u:object_r:cgred_exec_t, s0)
++/sbin/cgconfigparser -- gen_context(system_u:object_r:cgconfigparser_exec_t, s0)
++
++/var/run/cgred.* gen_context(system_u:object_r:cgred_var_run_t, s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.if serefpolicy-3.7.5/policy/modules/services/cgroup.if
+--- nsaserefpolicy/policy/modules/services/cgroup.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/cgroup.if 2009-12-22 11:07:12.000000000 -0500
+@@ -0,0 +1,52 @@
++## Control group rules engine daemon.
++##
++##
++## cgrulesengd is a daemon, which distributes processes
++## to control groups. When any process changes its
++## effective UID or GID, cgred inspects list of
++## rules loaded from cgrules.conf file and moves the
++## process to the appropriate control group.
++##
++##
++## The list of rules is read during the daemon startup and
++## are cached in daemon’s memory. The daemon reloads the
++## list of rules when it receives SIGUSR2 signal.
++##
++##
++
++########################################
++##
++## Read and write cgred sock file in /var/run.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cgroup_cgred_rw_pid_sock_file', `
++ gen_require(`
++ type cgred_var_run_t;
++ ')
++
++ rw_sock_files_pattern($1, cgred_var_run_t, cgred_var_run_t)
++ files_search_pids($1)
++')
++
++########################################
++##
++## Unix stream socket connect to cgred.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`cgroup_cgred_stream_connect', `
++ gen_require(`
++ type cgred_t;
++ ')
++
++ allow $1 cgred_t:unix_stream_socket connectto;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.7.5/policy/modules/services/cgroup.te
+--- nsaserefpolicy/policy/modules/services/cgroup.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/cgroup.te 2009-12-22 11:05:59.000000000 -0500
+@@ -0,0 +1,88 @@
++policy_module(cgroup, 1.0.0)
++
++########################################
++#
++# cgred personal declarations.
++#
++
++type cgred_t;
++type cgred_exec_t;
++init_daemon_domain(cgred_t, cgred_exec_t)
++
++type cgred_initrc_exec_t;
++init_script_file(cgred_initrc_exec_t)
++
++type cgred_var_run_t;
++files_pid_file(cgred_var_run_t)
++
++permissive cgred_t;
++
++########################################
++#
++# cgconfig personal declarations.
++#
++
++type cgconfigparser_t;
++type cgconfigparser_exec_t;
++init_daemon_domain(cgconfigparser_t, cgconfigparser_exec_t)
++
++type cgconfig_initrc_exec_t;
++init_script_file(cgconfig_initrc_exec_t)
++
++permissive cgconfigparser_t;
++
++########################################
++#
++# cgred personal policy.
++#
++
++allow cgred_t self:capability { net_admin sys_ptrace dac_override };
++allow cgred_t self:netlink_socket { write bind create read };
++allow cgred_t self:unix_dgram_socket { write create connect };
++
++manage_sock_files_pattern(cgred_t, cgred_var_run_t,
++cgred_var_run_t)
++files_pid_filetrans(cgred_t, cgred_var_run_t, sock_file)
++
++domain_read_all_domains_state(cgred_t)
++
++files_read_etc_files(cgred_t)
++
++files_search_all(cgred_t)
++files_getattr_all_files(cgred_t)
++files_getattr_all_dirs(cgred_t)
++files_getattr_all_sockets(cgred_t)
++files_getattr_all_pipes(cgred_t)
++files_getattr_all_symlinks(cgred_t)
++# read all link files.
++
++kernel_read_system_state(cgred_t)
++
++logging_send_syslog_msg(cgred_t)
++
++miscfiles_read_localization(cgred_t)
++
++optional_policy(`
++ fs_write_cgroup_files(cgred_t)
++')
++
++########################################
++#
++# cgconfig personal policy.
++#
++
++optional_policy(`
++ fs_manage_cgroup_dirs(cgconfigparser_t)
++ fs_rw_cgroup_files(cgconfigparser_t)
++ fs_setattr_cgroup_files(cgconfigparser_t)
++ fs_mount_cgroup_fs(cgconfigparser_t)
++')
++
++files_mounton_mnt(cgconfigparser_t)
++files_manage_mnt_dirs(cgconfigparser_t)
++
++files_read_etc_files(cgconfigparser_t)
++
++# /mnt/cgroups/cpu
++kernel_list_unlabeled(cgconfigparser_t)
++kernel_read_system_state(cgconfigparser_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.fc serefpolicy-3.7.5/policy/modules/services/chronyd.fc
--- nsaserefpolicy/policy/modules/services/chronyd.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/chronyd.fc 2009-12-21 13:07:09.000000000 -0500
@@ -13731,7 +14108,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.5/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2009-07-28 15:51:13.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/services/cups.fc 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/cups.fc 2009-12-22 09:33:25.000000000 -0500
@@ -13,10 +13,14 @@
/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
@@ -13755,7 +14132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0)
-@@ -52,6 +57,8 @@
+@@ -52,13 +57,22 @@
/var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -13764,7 +14141,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
-@@ -61,4 +68,10 @@
+ /var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
++/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+ /var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+ /var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
@@ -14000,7 +14380,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.7.5/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/services/dbus.if 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/dbus.if 2009-12-22 09:48:30.000000000 -0500
@@ -42,8 +42,10 @@
gen_require(`
class dbus { send_msg acquire_svc };
@@ -14052,18 +14432,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
userdom_read_user_home_content_files($1_dbusd_t)
ifdef(`hide_broken_symptoms', `
-@@ -153,6 +159,10 @@
+@@ -153,13 +159,13 @@
')
optional_policy(`
+- hal_dbus_chat($1_dbusd_t)
+ gnome_read_gconf_home_files($1_dbusd_t)
-+ ')
-+
-+ optional_policy(`
- hal_dbus_chat($1_dbusd_t)
')
-@@ -178,10 +188,12 @@
+ optional_policy(`
+- xserver_use_xdm_fds($1_dbusd_t)
+- xserver_rw_xdm_pipes($1_dbusd_t)
++ hal_dbus_chat($1_dbusd_t)
+ ')
++
+ ')
+
+ #######################################
+@@ -178,10 +184,12 @@
type system_dbusd_t, system_dbusd_t;
type system_dbusd_var_run_t, system_dbusd_var_lib_t;
class dbus send_msg;
@@ -14076,7 +14462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
files_search_var_lib($1)
-@@ -256,7 +268,7 @@
+@@ -256,7 +264,7 @@
########################################
##
@@ -14085,7 +14471,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
## for service (acquire_svc).
##
##
-@@ -364,6 +376,16 @@
+@@ -364,6 +372,16 @@
dbus_system_bus_client($1)
dbus_connect_system_bus($1)
@@ -14102,7 +14488,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
ifdef(`hide_broken_symptoms', `
dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
')
-@@ -405,3 +427,24 @@
+@@ -405,3 +423,24 @@
typeattribute $1 dbusd_unconfined;
')
@@ -14129,7 +14515,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.7.5/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/services/dbus.te 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/dbus.te 2009-12-22 09:49:03.000000000 -0500
@@ -86,6 +86,7 @@
dev_read_sysfs(system_dbusd_t)
@@ -14163,7 +14549,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
')
-@@ -156,5 +168,18 @@
+@@ -156,5 +168,24 @@
#
# Unconfined access to this module
#
@@ -14182,6 +14568,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
+allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
+allow session_bus_type dbusd_unconfined:dbus send_msg;
++
++optional_policy(`
++ xserver_use_xdm_fds(session_bus_type)
++ xserver_rw_xdm_pipes(session_bus_type)
++ xserver_append_xdm_home_files(session_bus_type)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.7.5/policy/modules/services/dcc.te
--- nsaserefpolicy/policy/modules/services/dcc.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/dcc.te 2009-12-21 13:07:09.000000000 -0500
@@ -14246,6 +14638,187 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddcl
## All of the rules required to administrate
## an ddclient environment
##
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.fc serefpolicy-3.7.5/policy/modules/services/denyhosts.fc
+--- nsaserefpolicy/policy/modules/services/denyhosts.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/denyhosts.fc 2009-12-22 10:13:51.000000000 -0500
+@@ -0,0 +1,7 @@
++/etc/rc\.d/init\.d/denyhosts -- gen_context(system_u:object_r:denyhosts_initrc_exec_t, s0)
++
++/usr/bin/denyhosts\.py -- gen_context(system_u:object_r:denyhosts_exec_t, s0)
++
++/var/lib/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_lib_t, s0)
++/var/lock/subsys/denyhosts -- gen_context(system_u:object_r:denyhosts_var_lock_t, s0)
++/var/log/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_log_t, s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.if serefpolicy-3.7.5/policy/modules/services/denyhosts.if
+--- nsaserefpolicy/policy/modules/services/denyhosts.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/denyhosts.if 2009-12-22 10:13:51.000000000 -0500
+@@ -0,0 +1,91 @@
++## Deny Hosts.
++##
++##
++## DenyHosts is a script intended to be run by Linux
++## system administrators to help thwart SSH server attacks
++## (also known as dictionary based attacks and brute force
++## attacks).
++##
++##
++
++########################################
++##
++## Execute a domain transition to run denyhosts.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`denyhosts_domtrans', `
++ gen_require(`
++ type denyhosts_t, denyhosts_exec_t;
++ ')
++
++ domtrans_pattern($1, denyhosts_exec_t, denyhosts_t)
++')
++
++########################################
++##
++## Execute ksmtuned server in the ksmtuned domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`denyhosts_initrc_domtrans', `
++ gen_require(`
++ type denyhosts_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, denyhosts_initrc_exec_t)
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an denyhosts environment.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`denyhosts_admin', `
++ gen_require(`
++ type denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lock_t;
++ type denyhosts_var_log_t;
++ ')
++
++ allow $1 denyhosts_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, denyhosts_t, denyhosts_t)
++
++ files_list_pids($1)
++ admin_pattern($1, denyhosts_var_run_t)
++
++ logging_search_logs($1)
++ admin_pattern($1, denyhosts_var_log_t)
++
++ files_search_locks($1)
++ admin_pattern($1, denyhosts_var_lock_t)
++
++ denyhosts_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 denyhosts_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ kernel_search_proc($1)
++ allow $1 denyhosts_t:dir list_dir_perms;
++ ps_process_pattern($1, denyhosts_t)
++ read_lnk_files_pattern($1, denyhosts_t, denyhosts_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.7.5/policy/modules/services/denyhosts.te
+--- nsaserefpolicy/policy/modules/services/denyhosts.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/denyhosts.te 2009-12-22 10:34:58.000000000 -0500
+@@ -0,0 +1,71 @@
++
++policy_module(denyhosts, 1.0.0)
++
++########################################
++#
++# DenyHosts personal declarations.
++#
++
++type denyhosts_t;
++type denyhosts_exec_t;
++init_daemon_domain(denyhosts_t, denyhosts_exec_t)
++
++type denyhosts_initrc_exec_t;
++init_script_file(denyhosts_initrc_exec_t)
++
++type denyhosts_var_lib_t;
++files_type(denyhosts_var_lib_t)
++
++type denyhosts_var_lock_t;
++files_lock_file(denyhosts_var_lock_t)
++
++type denyhosts_var_log_t;
++logging_log_file(denyhosts_var_log_t)
++
++########################################
++#
++# DenyHosts personal policy.
++#
++
++allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms;
++allow denyhosts_t self:tcp_socket create_socket_perms;
++allow denyhosts_t self:udp_socket create_socket_perms;
++
++manage_files_pattern(denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lib_t)
++files_var_lib_filetrans(denyhosts_t, denyhosts_var_lib_t, file)
++
++manage_dirs_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t)
++manage_files_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t)
++files_lock_filetrans(denyhosts_t, denyhosts_var_lock_t, { dir file })
++
++append_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
++create_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
++read_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
++setattr_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
++logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file)
++
++corecmd_list_bin(denyhosts_t)
++corecmd_read_bin_symlinks(denyhosts_t)
++
++corenet_all_recvfrom_unlabeled(denyhosts_t)
++corenet_all_recvfrom_netlabel(denyhosts_t)
++corenet_tcp_sendrecv_generic_if(denyhosts_t)
++corenet_tcp_sendrecv_generic_node(denyhosts_t)
++corenet_tcp_bind_generic_node(denyhosts_t)
++corenet_sendrecv_smtp_client_packets(denyhosts_t)
++corenet_tcp_connect_smtp_port(denyhosts_t)
++
++dev_read_urand(denyhosts_t)
++
++kernel_read_system_state(denyhosts_t)
++
++# /var/log/secure
++logging_read_generic_logs(denyhosts_t)
++
++miscfiles_read_localization(denyhosts_t)
++
++sysnet_manage_config(denyhosts_t)
++
++optional_policy(`
++ cron_system_entry(denyhosts_t, denyhosts_exec_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.7.5/policy/modules/services/devicekit.fc
--- nsaserefpolicy/policy/modules/services/devicekit.fc 2009-07-29 15:15:33.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/devicekit.fc 2009-12-21 13:07:09.000000000 -0500
@@ -18972,7 +19545,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.7.5/policy/modules/services/portreserve.te
--- nsaserefpolicy/policy/modules/services/portreserve.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/services/portreserve.te 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/portreserve.te 2009-12-22 08:23:05.000000000 -0500
@@ -21,6 +21,7 @@
# Portreserve local policy
#
@@ -18981,6 +19554,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port
allow portreserve_t self:fifo_file rw_fifo_file_perms;
allow portreserve_t self:unix_stream_socket create_stream_socket_perms;
allow portreserve_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -37,6 +38,8 @@
+ manage_sock_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t)
+ files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file })
+
++corecmd_getattr_bin_files(portreserve_t)
++
+ corenet_all_recvfrom_unlabeled(portreserve_t)
+ corenet_all_recvfrom_netlabel(portreserve_t)
+ corenet_tcp_bind_generic_node(portreserve_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.7.5/policy/modules/services/postfix.fc
--- nsaserefpolicy/policy/modules/services/postfix.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/services/postfix.fc 2009-12-21 13:07:09.000000000 -0500
@@ -21471,7 +22053,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
## Read NFS exported content.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.7.5/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/services/rpc.te 2009-12-21 17:42:16.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/rpc.te 2009-12-22 08:26:50.000000000 -0500
@@ -37,8 +37,14 @@
# rpc_exec_t is the type of rpc daemon programs.
rpc_domain_template(rpcd)
@@ -21497,7 +22079,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
allow rpcd_t self:fifo_file rw_fifo_file_perms;
allow rpcd_t rpcd_var_run_t:dir setattr;
-@@ -91,14 +98,21 @@
+@@ -67,6 +74,7 @@
+ kernel_read_network_state(rpcd_t)
+ # for rpc.rquotad
+ kernel_read_sysctl(rpcd_t)
++kernel_request_load_module(gssd_t)
+ kernel_rw_fs_sysctls(rpcd_t)
+ kernel_dontaudit_getattr_core_if(rpcd_t)
+ kernel_signal(rpcd_t)
+@@ -91,14 +99,21 @@
seutil_dontaudit_search_config(rpcd_t)
@@ -21519,7 +22109,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
########################################
#
# NFSD local policy
-@@ -127,6 +141,7 @@
+@@ -127,6 +142,7 @@
files_getattr_tmp_dirs(nfsd_t)
# cjp: this should really have its own type
files_manage_mounttab(nfsd_t)
@@ -21527,7 +22117,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
fs_mount_nfsd_fs(nfsd_t)
fs_search_nfsd_fs(nfsd_t)
-@@ -135,6 +150,7 @@
+@@ -135,6 +151,7 @@
fs_rw_nfsd_fs(nfsd_t)
storage_dontaudit_read_fixed_disk(nfsd_t)
@@ -21535,7 +22125,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
# Read access to public_content_t and public_content_rw_t
miscfiles_read_public_files(nfsd_t)
-@@ -151,6 +167,7 @@
+@@ -151,6 +168,7 @@
fs_read_noxattr_fs_files(nfsd_t)
auth_manage_all_files_except_shadow(nfsd_t)
')
@@ -21543,7 +22133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
tunable_policy(`nfs_export_all_ro',`
dev_getattr_all_blk_files(nfsd_t)
-@@ -182,6 +199,7 @@
+@@ -182,6 +200,7 @@
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_search_network_sysctl(gssd_t)
@@ -21551,7 +22141,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
corecmd_exec_bin(gssd_t)
-@@ -189,8 +207,10 @@
+@@ -189,8 +208,10 @@
fs_rw_rpc_sockets(gssd_t)
fs_read_rpc_files(gssd_t)
@@ -21562,7 +22152,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
auth_use_nsswitch(gssd_t)
auth_manage_cache(gssd_t)
-@@ -199,10 +219,14 @@
+@@ -199,10 +220,14 @@
mount_signal(gssd_t)
@@ -25515,7 +26105,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+/var/lib/nxserver/home/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.5/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/services/xserver.if 2009-12-21 14:42:35.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/xserver.if 2009-12-22 09:50:42.000000000 -0500
@@ -56,6 +56,13 @@
domtrans_pattern($2, iceauth_exec_t, iceauth_t)
@@ -25592,7 +26182,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -774,7 +786,7 @@
+@@ -567,6 +579,7 @@
+
+ allow $1 xauth_home_t:file read_file_perms;
+ userdom_search_user_home_dirs($1)
++ xserver_read_xdm_pid($1)
+ ')
+
+ ########################################
+@@ -774,7 +787,7 @@
')
files_search_pids($1)
@@ -25601,7 +26199,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
########################################
-@@ -1219,3 +1231,278 @@
+@@ -1219,3 +1232,301 @@
typeattribute $1 x_domain;
typeattribute $1 xserver_unconfined_type;
')
@@ -25880,9 +26478,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+ xserver_domtrans_xauth($1)
+ role $2 types xauth_t;
+')
++########################################
++##
++## Read user homedir fonts.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`xserver_manage_home_fonts',`
++ gen_require(`
++ type user_fonts_t;
++ type user_fonts_config_t;
++ ')
++
++ manage_dirs_pattern($1, user_fonts_t, user_fonts_t)
++ manage_files_pattern($1, user_fonts_t, user_fonts_t)
++ manage_lnk_files_pattern($1, user_fonts_t, user_fonts_t)
++
++ manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.5/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/services/xserver.te 2009-12-21 17:52:12.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/services/xserver.te 2009-12-22 09:44:04.000000000 -0500
@@ -36,6 +36,13 @@
##
@@ -26343,7 +26964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -520,12 +633,47 @@
+@@ -520,12 +633,48 @@
')
optional_policy(`
@@ -26352,6 +26973,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
+ dontaudit xdm_dbusd_t xdm_var_lib_t:dir search_dir_perms;
+ xserver_xdm_append_log(xdm_dbusd_t)
++ xserver_read_xdm_pid(xdm_dbusd_t)
+
+ corecmd_bin_entry_type(xdm_t)
+
@@ -26391,7 +27013,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
hostname_exec(xdm_t)
')
-@@ -543,9 +691,42 @@
+@@ -543,9 +692,42 @@
')
optional_policy(`
@@ -26434,7 +27056,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
optional_policy(`
seutil_sigchld_newrole(xdm_t)
')
-@@ -555,8 +736,9 @@
+@@ -555,8 +737,9 @@
')
optional_policy(`
@@ -26446,7 +27068,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -565,7 +747,6 @@
+@@ -565,7 +748,6 @@
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
@@ -26454,7 +27076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
-@@ -576,6 +757,10 @@
+@@ -576,6 +758,10 @@
')
optional_policy(`
@@ -26465,7 +27087,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xfs_stream_connect(xdm_t)
')
-@@ -600,10 +785,9 @@
+@@ -600,10 +786,9 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -26477,7 +27099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
allow xserver_t self:sock_file read_sock_file_perms;
-@@ -615,6 +799,18 @@
+@@ -615,6 +800,18 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -26496,7 +27118,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -634,12 +830,19 @@
+@@ -634,12 +831,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -26518,7 +27140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -673,7 +876,6 @@
+@@ -673,7 +877,6 @@
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -26526,7 +27148,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -683,9 +885,12 @@
+@@ -683,9 +886,12 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -26540,7 +27162,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
-@@ -700,8 +905,12 @@
+@@ -700,8 +906,12 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -26553,7 +27175,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -723,6 +932,7 @@
+@@ -723,6 +933,7 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -26561,7 +27183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
modutils_domtrans_insmod(xserver_t)
-@@ -779,12 +989,20 @@
+@@ -779,12 +990,20 @@
')
optional_policy(`
@@ -26583,7 +27205,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
unconfined_domtrans(xserver_t)
')
-@@ -811,7 +1029,7 @@
+@@ -811,7 +1030,7 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
@@ -26592,7 +27214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -832,9 +1050,14 @@
+@@ -832,9 +1051,14 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -26607,7 +27229,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
-@@ -849,11 +1072,14 @@
+@@ -849,11 +1073,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -26624,7 +27246,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -1000,17 +1226,32 @@
+@@ -1000,17 +1227,32 @@
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -27418,7 +28040,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.5/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/system/init.te 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/system/init.te 2009-12-22 10:22:45.000000000 -0500
@@ -17,6 +17,20 @@
##
gen_tunable(init_upstart, false)
@@ -27566,7 +28188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
corenet_all_recvfrom_unlabeled(initrc_t)
corenet_all_recvfrom_netlabel(initrc_t)
-@@ -272,16 +317,63 @@
+@@ -272,16 +317,66 @@
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
@@ -27598,6 +28220,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
+fs_getattr_all_fs(initrc_t)
+fs_search_all(initrc_t)
+fs_getattr_nfsd_files(initrc_t)
++fs_rw_cgroup_files(initrc_t)
++fs_setattr_cgroup_files(initrc_t)
++fs_manage_cgroup_dirs(initrc_t)
+
+# initrc_t needs to do a pidof which requires ptrace
+mcs_ptrace_all(initrc_t)
@@ -27631,7 +28256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -291,7 +383,7 @@
+@@ -291,7 +386,7 @@
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -27640,7 +28265,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -306,14 +398,15 @@
+@@ -306,14 +401,15 @@
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -27658,7 +28283,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
files_exec_etc_files(initrc_t)
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
-@@ -324,48 +417,16 @@
+@@ -324,48 +420,16 @@
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -27711,7 +28336,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
logging_send_syslog_msg(initrc_t)
logging_manage_generic_logs(initrc_t)
logging_read_all_logs(initrc_t)
-@@ -374,19 +435,22 @@
+@@ -374,19 +438,22 @@
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -27735,7 +28360,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -422,16 +486,12 @@
+@@ -422,16 +489,12 @@
# init scripts touch this
clock_dontaudit_write_adjtime(initrc_t)
@@ -27753,7 +28378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
arpwatch_manage_data_files(initrc_t)
-@@ -450,11 +510,9 @@
+@@ -450,11 +513,9 @@
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -27766,7 +28391,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
# These seem to be from the initrd
# during device initialization:
dev_create_generic_dirs(initrc_t)
-@@ -464,6 +522,7 @@
+@@ -464,6 +525,7 @@
storage_raw_read_fixed_disk(initrc_t)
storage_raw_write_fixed_disk(initrc_t)
@@ -27774,7 +28399,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
# wants to read /.fonts directory
-@@ -492,15 +551,22 @@
+@@ -492,15 +554,27 @@
optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
@@ -27782,6 +28407,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
+ ')
+
+ optional_policy(`
++ cgroup_cgrulesengd_rw_pid_sock_file(initrc_t)
++ cgroup_cgrulesengd_stream_connect(initrc_t)
++ ')
++
++ optional_policy(`
+ gnome_manage_gconf_config(initrc_t)
')
@@ -27797,7 +28427,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -515,6 +581,33 @@
+@@ -515,6 +589,33 @@
')
')
@@ -27831,7 +28461,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -567,10 +660,19 @@
+@@ -567,10 +668,19 @@
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -27851,7 +28481,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -590,6 +692,10 @@
+@@ -590,6 +700,10 @@
')
optional_policy(`
@@ -27862,7 +28492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
dev_read_usbfs(initrc_t)
# init scripts run /etc/hotplug/usb.rc
-@@ -646,20 +752,20 @@
+@@ -646,20 +760,20 @@
')
optional_policy(`
@@ -27889,7 +28519,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
ifdef(`distro_redhat',`
-@@ -668,6 +774,7 @@
+@@ -668,6 +782,7 @@
mysql_stream_connect(initrc_t)
mysql_write_log(initrc_t)
@@ -27897,7 +28527,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -700,7 +807,6 @@
+@@ -700,7 +815,6 @@
')
optional_policy(`
@@ -27905,7 +28535,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -722,8 +828,6 @@
+@@ -722,8 +836,6 @@
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -27914,7 +28544,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -736,13 +840,16 @@
+@@ -736,13 +848,16 @@
squid_manage_logs(initrc_t)
')
@@ -27931,7 +28561,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -751,6 +858,7 @@
+@@ -751,6 +866,7 @@
optional_policy(`
udev_rw_db(initrc_t)
@@ -27939,7 +28569,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -758,6 +866,15 @@
+@@ -758,6 +874,15 @@
')
optional_policy(`
@@ -27955,7 +28585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
unconfined_domain(initrc_t)
ifdef(`distro_redhat',`
-@@ -768,6 +885,21 @@
+@@ -768,6 +893,21 @@
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -27977,7 +28607,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
-@@ -793,3 +925,31 @@
+@@ -793,3 +933,31 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -28342,7 +28972,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.
+permissive kdump_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.5/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/system/libraries.fc 2009-12-21 13:42:16.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/system/libraries.fc 2009-12-22 08:51:29.000000000 -0500
@@ -60,12 +60,15 @@
#
# /opt
@@ -28669,7 +29299,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
+/opt/lampp/lib/libct\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/opt/VirtualBox(/.*)?/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
-+/usr/lib(64)?/chromium-browser/libsandbox\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/chromium-browser/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.7.5/policy/modules/system/libraries.if
--- nsaserefpolicy/policy/modules/system/libraries.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.7.5/policy/modules/system/libraries.if 2009-12-21 13:07:09.000000000 -0500
@@ -29100,7 +29730,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.7.5/policy/modules/system/miscfiles.if
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/system/miscfiles.if 2009-12-21 17:50:23.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/system/miscfiles.if 2009-12-22 12:15:10.000000000 -0500
@@ -73,7 +73,8 @@
#
interface(`miscfiles_read_fonts',`
@@ -29126,7 +29756,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
manage_dirs_pattern($1, fonts_t, fonts_t)
manage_files_pattern($1, fonts_t, fonts_t)
manage_lnk_files_pattern($1, fonts_t, fonts_t)
-+ miscfiles_manage_fonts($1)
++ miscfiles_manage_fonts_cache($1)
+')
+
+########################################
@@ -29276,8 +29906,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.7.5/policy/modules/system/mount.if
--- nsaserefpolicy/policy/modules/system/mount.if 2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/system/mount.if 2009-12-21 13:07:09.000000000 -0500
-@@ -84,9 +84,11 @@
++++ serefpolicy-3.7.5/policy/modules/system/mount.if 2009-12-22 09:40:26.000000000 -0500
+@@ -16,6 +16,7 @@
+ ')
+
+ domtrans_pattern($1, mount_exec_t, mount_t)
++ mount_domtrans_fusermount($1)
+ ')
+
+ ########################################
+@@ -84,9 +85,11 @@
interface(`mount_signal',`
gen_require(`
type mount_t;
@@ -29289,7 +29927,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
########################################
-@@ -177,3 +179,57 @@
+@@ -177,3 +180,57 @@
mount_domtrans_unconfined($1)
role $2 types unconfined_mount_t;
')
@@ -30359,12 +30997,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.7.5/policy/modules/system/sysnetwork.fc
--- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/system/sysnetwork.fc 2009-12-21 13:07:09.000000000 -0500
-@@ -11,15 +11,20 @@
++++ serefpolicy-3.7.5/policy/modules/system/sysnetwork.fc 2009-12-22 11:49:02.000000000 -0500
+@@ -11,15 +11,22 @@
/etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
+/etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0)
++/etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)
++/etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:net_conf_t, s0)
@@ -30382,7 +31022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
#
-@@ -51,9 +56,12 @@
+@@ -51,9 +58,12 @@
/var/lib/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcpc_state_t,s0)
/var/lib/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
/var/lib/dhclient(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
@@ -30397,7 +31037,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.7.5/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/system/sysnetwork.if 2009-12-21 13:07:09.000000000 -0500
++++ serefpolicy-3.7.5/policy/modules/system/sysnetwork.if 2009-12-22 10:35:23.000000000 -0500
@@ -43,6 +43,36 @@
sysnet_domtrans_dhcpc($1)