diff --git a/policy-F12.patch b/policy-F12.patch
index 16cfcc8..95fdb51 100644
--- a/policy-F12.patch
+++ b/policy-F12.patch
@@ -1,6 +1,6 @@
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.6.24/config/appconfig-mcs/default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.6.25/config/appconfig-mcs/default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/default_contexts	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/config/appconfig-mcs/default_contexts	2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/config/appconfig-mcs/default_contexts	2009-07-29 21:34:35.000000000 -0400
 @@ -1,15 +1,6 @@
 -system_r:crond_t:s0		user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
 -system_r:local_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
@@ -22,15 +22,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
 -user_r:user_su_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
 -user_r:user_sudo_t:s0		sysadm_r:sysadm_t:s0 user_r:user_t:s0
 +system_r:xdm_t:s0		user_r:user_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.6.24/config/appconfig-mcs/failsafe_context
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.6.25/config/appconfig-mcs/failsafe_context
 --- nsaserefpolicy/config/appconfig-mcs/failsafe_context	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/config/appconfig-mcs/failsafe_context	2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/config/appconfig-mcs/failsafe_context	2009-07-29 21:34:35.000000000 -0400
 @@ -1 +1 @@
 -sysadm_r:sysadm_t:s0
 +system_r:unconfined_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.6.24/config/appconfig-mcs/root_default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.6.25/config/appconfig-mcs/root_default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/root_default_contexts	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/config/appconfig-mcs/root_default_contexts	2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/config/appconfig-mcs/root_default_contexts	2009-07-29 21:34:35.000000000 -0400
 @@ -1,11 +1,7 @@
 -system_r:crond_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
 +system_r:crond_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
@@ -45,9 +45,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
  #
 -#system_r:sshd_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
 +system_r:sshd_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/securetty_types serefpolicy-3.6.24/config/appconfig-mcs/securetty_types
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/securetty_types serefpolicy-3.6.25/config/appconfig-mcs/securetty_types
 --- nsaserefpolicy/config/appconfig-mcs/securetty_types	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/config/appconfig-mcs/securetty_types	2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/config/appconfig-mcs/securetty_types	2009-07-29 21:34:35.000000000 -0400
 @@ -1 +1,6 @@
 +auditadm_tty_device_t
 +secadm_tty_device_t
@@ -55,18 +55,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
 +sysadm_tty_device_t
 +unconfined_tty_device_t
  user_tty_device_t
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.6.24/config/appconfig-mcs/seusers
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.6.25/config/appconfig-mcs/seusers
 --- nsaserefpolicy/config/appconfig-mcs/seusers	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/config/appconfig-mcs/seusers	2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/config/appconfig-mcs/seusers	2009-07-29 21:34:35.000000000 -0400
 @@ -1,3 +1,3 @@
  system_u:system_u:s0-mcs_systemhigh
 -root:root:s0-mcs_systemhigh
 -__default__:user_u:s0
 +root:unconfined_u:s0-mcs_systemhigh
 +__default__:unconfined_u:s0-mcs_systemhigh
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.6.24/config/appconfig-mcs/staff_u_default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.6.25/config/appconfig-mcs/staff_u_default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/config/appconfig-mcs/staff_u_default_contexts	2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/config/appconfig-mcs/staff_u_default_contexts	2009-07-29 21:34:35.000000000 -0400
 @@ -1,10 +1,12 @@
  system_r:local_login_t:s0	staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
  system_r:remote_login_t:s0	staff_r:staff_t:s0
@@ -81,9 +81,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
  sysadm_r:sysadm_su_t:s0		sysadm_r:sysadm_t:s0 
  sysadm_r:sysadm_sudo_t:s0	sysadm_r:sysadm_t:s0
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts serefpolicy-3.6.24/config/appconfig-mcs/unconfined_u_default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts serefpolicy-3.6.25/config/appconfig-mcs/unconfined_u_default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/config/appconfig-mcs/unconfined_u_default_contexts	2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/config/appconfig-mcs/unconfined_u_default_contexts	2009-07-29 21:34:35.000000000 -0400
 @@ -1,4 +1,4 @@
 -system_r:crond_t:s0		unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0
 +system_r:crond_t:s0		unconfined_r:unconfined_t:s0
@@ -97,15 +97,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
 +system_r:initrc_su_t:s0		unconfined_r:unconfined_t:s0
 +unconfined_r:unconfined_t:s0	unconfined_r:unconfined_t:s0
  system_r:xdm_t:s0		unconfined_r:unconfined_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.6.24/config/appconfig-mcs/userhelper_context
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.6.25/config/appconfig-mcs/userhelper_context
 --- nsaserefpolicy/config/appconfig-mcs/userhelper_context	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/config/appconfig-mcs/userhelper_context	2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/config/appconfig-mcs/userhelper_context	2009-07-29 21:34:35.000000000 -0400
 @@ -1 +1 @@
 -system_u:sysadm_r:sysadm_t:s0
 +system_u:system_r:unconfined_t:s0	
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.6.24/config/appconfig-mcs/user_u_default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.6.25/config/appconfig-mcs/user_u_default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/config/appconfig-mcs/user_u_default_contexts	2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/config/appconfig-mcs/user_u_default_contexts	2009-07-29 21:34:35.000000000 -0400
 @@ -1,8 +1,9 @@
  system_r:local_login_t:s0	user_r:user_t:s0
  system_r:remote_login_t:s0	user_r:user_t:s0
@@ -118,20 +118,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
 -
 +system_r:initrc_su_t:s0		user_r:user_t:s0
 +user_r:user_t:s0		user_r:user_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_domain_context serefpolicy-3.6.24/config/appconfig-mcs/virtual_domain_context
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_domain_context serefpolicy-3.6.25/config/appconfig-mcs/virtual_domain_context
 --- nsaserefpolicy/config/appconfig-mcs/virtual_domain_context	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/config/appconfig-mcs/virtual_domain_context	2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/config/appconfig-mcs/virtual_domain_context	2009-07-29 21:34:35.000000000 -0400
 @@ -0,0 +1 @@
 +system_u:system_r:svirt_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_image_context serefpolicy-3.6.24/config/appconfig-mcs/virtual_image_context
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_image_context serefpolicy-3.6.25/config/appconfig-mcs/virtual_image_context
 --- nsaserefpolicy/config/appconfig-mcs/virtual_image_context	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/config/appconfig-mcs/virtual_image_context	2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/config/appconfig-mcs/virtual_image_context	2009-07-29 21:34:35.000000000 -0400
 @@ -0,0 +1,2 @@
 +system_u:object_r:svirt_image_t:s0
 +system_u:object_r:virt_content_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.6.24/config/appconfig-mls/default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.6.25/config/appconfig-mls/default_contexts
 --- nsaserefpolicy/config/appconfig-mls/default_contexts	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/config/appconfig-mls/default_contexts	2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/config/appconfig-mls/default_contexts	2009-07-29 21:34:35.000000000 -0400
 @@ -1,15 +1,6 @@
 -system_r:crond_t:s0		user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
 -system_r:local_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
@@ -153,9 +153,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
 -user_r:user_su_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
 -user_r:user_sudo_t:s0		sysadm_r:sysadm_t:s0 user_r:user_t:s0
 +system_r:xdm_t:s0		user_r:user_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/root_default_contexts serefpolicy-3.6.24/config/appconfig-mls/root_default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/root_default_contexts serefpolicy-3.6.25/config/appconfig-mls/root_default_contexts
 --- nsaserefpolicy/config/appconfig-mls/root_default_contexts	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/config/appconfig-mls/root_default_contexts	2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/config/appconfig-mls/root_default_contexts	2009-07-29 21:34:35.000000000 -0400
 @@ -1,11 +1,11 @@
 -system_r:crond_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
 -system_r:local_login_t:s0	unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
@@ -174,20 +174,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
  #
 -#system_r:sshd_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
 +#system_r:sshd_t:s0		sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_domain_context serefpolicy-3.6.24/config/appconfig-mls/virtual_domain_context
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_domain_context serefpolicy-3.6.25/config/appconfig-mls/virtual_domain_context
 --- nsaserefpolicy/config/appconfig-mls/virtual_domain_context	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/config/appconfig-mls/virtual_domain_context	2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/config/appconfig-mls/virtual_domain_context	2009-07-29 21:34:35.000000000 -0400
 @@ -0,0 +1 @@
 +system_u:system_r:qemu_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_image_context serefpolicy-3.6.24/config/appconfig-mls/virtual_image_context
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_image_context serefpolicy-3.6.25/config/appconfig-mls/virtual_image_context
 --- nsaserefpolicy/config/appconfig-mls/virtual_image_context	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/config/appconfig-mls/virtual_image_context	2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/config/appconfig-mls/virtual_image_context	2009-07-29 21:34:35.000000000 -0400
 @@ -0,0 +1,2 @@
 +system_u:object_r:virt_image_t:s0
 +system_u:object_r:virt_content_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/securetty_types serefpolicy-3.6.24/config/appconfig-standard/securetty_types
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/securetty_types serefpolicy-3.6.25/config/appconfig-standard/securetty_types
 --- nsaserefpolicy/config/appconfig-standard/securetty_types	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/config/appconfig-standard/securetty_types	2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/config/appconfig-standard/securetty_types	2009-07-29 21:34:35.000000000 -0400
 @@ -1 +1,6 @@
 +auditadm_tty_device_t
 +secadm_tty_device_t
@@ -195,9 +195,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
 +sysadm_tty_device_t
 +unconfined_tty_device_t
  user_tty_device_t
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.6.24/Makefile
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.6.25/Makefile
 --- nsaserefpolicy/Makefile	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/Makefile	2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/Makefile	2009-07-29 21:34:35.000000000 -0400
 @@ -241,7 +241,7 @@
  appdir := $(contextpath)
  user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
@@ -260,9 +260,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Mak
  $(appdir)/%: $(appconf)/%
  	@mkdir -p $(appdir)
  	$(verbose) $(INSTALL) -m 644 $< $@
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.6.24/policy/global_tunables
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.6.25/policy/global_tunables
 --- nsaserefpolicy/policy/global_tunables	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/global_tunables	2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/policy/global_tunables	2009-07-29 21:34:35.000000000 -0400
 @@ -61,15 +61,6 @@
  
  ## <desc>
@@ -298,9 +298,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +## </desc>
 +gen_tunable(mmap_low_allowed, false)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.24/policy/mcs
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.25/policy/mcs
 --- nsaserefpolicy/policy/mcs	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/mcs	2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/policy/mcs	2009-07-29 21:34:35.000000000 -0400
 @@ -66,8 +66,8 @@
  #
  # Note that getattr on files is always permitted.
@@ -334,9 +334,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  mlsconstrain process { transition dyntransition }
  	(( h1 dom h2 ) or ( t1 == mcssetcats ));
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.6.24/policy/modules/admin/anaconda.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc serefpolicy-3.6.25/policy/modules/admin/alsa.fc
+--- nsaserefpolicy/policy/modules/admin/alsa.fc	2009-07-29 22:34:34.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/admin/alsa.fc	2009-07-29 15:16:12.000000000 -0400
+@@ -10,9 +10,4 @@
+ 
+ /usr/bin/ainit 		--	gen_context(system_u:object_r:alsa_exec_t,s0)
+ 
+-ifdef(`distro_debian', `
+-/usr/share/alsa/alsa\.conf	gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+-/usr/share/alsa/pcm(/.*)?	gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+-')
+-
+ /var/lib/alsa(/.*)?		gen_context(system_u:object_r:alsa_var_lib_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.6.25/policy/modules/admin/alsa.te
+--- nsaserefpolicy/policy/modules/admin/alsa.te	2009-07-29 22:34:34.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/admin/alsa.te	2009-07-29 15:16:12.000000000 -0400
+@@ -1,5 +1,5 @@
+ 
+-policy_module(alsa, 1.7.2)
++policy_module(alsa, 1.7.1)
+ 
+ ########################################
+ #
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.6.25/policy/modules/admin/anaconda.te
 --- nsaserefpolicy/policy/modules/admin/anaconda.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/admin/anaconda.te	2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/admin/anaconda.te	2009-07-29 21:34:35.000000000 -0400
 @@ -31,6 +31,7 @@
  modutils_domtrans_insmod(anaconda_t)
  
@@ -345,9 +368,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.6.24/policy/modules/admin/certwatch.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.6.25/policy/modules/admin/certwatch.te
 --- nsaserefpolicy/policy/modules/admin/certwatch.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/admin/certwatch.te	2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/admin/certwatch.te	2009-07-29 21:34:35.000000000 -0400
 @@ -36,6 +36,7 @@
  miscfiles_read_localization(certwatch_t)
  
@@ -356,17 +379,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  optional_policy(`
  	apache_exec_modules(certwatch_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.fc serefpolicy-3.6.24/policy/modules/admin/dmesg.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.fc serefpolicy-3.6.25/policy/modules/admin/dmesg.fc
 --- nsaserefpolicy/policy/modules/admin/dmesg.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/admin/dmesg.fc	2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/admin/dmesg.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -1,2 +1,4 @@
  
  /bin/dmesg		--		gen_context(system_u:object_r:dmesg_exec_t,s0)
 +
 +/usr/sbin/mcelog	--		gen_context(system_u:object_r:dmesg_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.6.24/policy/modules/admin/dmesg.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.6.25/policy/modules/admin/dmesg.te
 --- nsaserefpolicy/policy/modules/admin/dmesg.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/admin/dmesg.te	2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/admin/dmesg.te	2009-07-29 21:34:35.000000000 -0400
 @@ -9,6 +9,7 @@
  type dmesg_t;
  type dmesg_exec_t;
@@ -401,9 +424,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # for when /usr is not mounted:
  files_dontaudit_search_isid_type_dirs(dmesg_t)
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.6.24/policy/modules/admin/kismet.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.6.25/policy/modules/admin/kismet.if
 --- nsaserefpolicy/policy/modules/admin/kismet.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/admin/kismet.if	2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/admin/kismet.if	2009-07-29 21:34:35.000000000 -0400
 @@ -16,6 +16,7 @@
  	')
  
@@ -412,9 +435,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.24/policy/modules/admin/kismet.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.25/policy/modules/admin/kismet.te
 --- nsaserefpolicy/policy/modules/admin/kismet.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/admin/kismet.te	2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/admin/kismet.te	2009-07-29 21:34:35.000000000 -0400
 @@ -17,6 +17,9 @@
  type kismet_tmp_t;
  files_tmp_file(kismet_tmp_t)
@@ -457,9 +480,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +		networkmanager_dbus_chat(kismet_t)
 +	')
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.24/policy/modules/admin/logrotate.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.25/policy/modules/admin/logrotate.te
 --- nsaserefpolicy/policy/modules/admin/logrotate.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/admin/logrotate.te	2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/admin/logrotate.te	2009-07-29 21:34:35.000000000 -0400
 @@ -32,7 +32,7 @@
  # Change ownership on log files.
  allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
@@ -502,18 +525,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	slrnpull_manage_spool(logrotate_t)
  ')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.6.24/policy/modules/admin/logwatch.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.6.25/policy/modules/admin/logwatch.te
 --- nsaserefpolicy/policy/modules/admin/logwatch.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/admin/logwatch.te	2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/admin/logwatch.te	2009-07-29 21:34:35.000000000 -0400
 @@ -136,4 +136,5 @@
  
  optional_policy(`
  	samba_read_log(logwatch_t)
 +	samba_read_share_files(logwatch_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.6.24/policy/modules/admin/mrtg.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.6.25/policy/modules/admin/mrtg.te
 --- nsaserefpolicy/policy/modules/admin/mrtg.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/admin/mrtg.te	2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/admin/mrtg.te	2009-07-29 21:34:35.000000000 -0400
 @@ -116,6 +116,9 @@
  userdom_use_user_terminals(mrtg_t)
  userdom_dontaudit_read_user_home_content_files(mrtg_t)
@@ -524,9 +547,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  ifdef(`enable_mls',`
  	corenet_udp_sendrecv_lo_if(mrtg_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.6.24/policy/modules/admin/prelink.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.6.25/policy/modules/admin/prelink.if
 --- nsaserefpolicy/policy/modules/admin/prelink.if	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/admin/prelink.if	2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/admin/prelink.if	2009-07-29 21:34:35.000000000 -0400
 @@ -140,3 +140,22 @@
  	files_search_var_lib($1)
  	manage_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
@@ -550,9 +573,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	files_search_var_lib($1)
 +	relabelfrom_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.24/policy/modules/admin/readahead.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.25/policy/modules/admin/readahead.te
 --- nsaserefpolicy/policy/modules/admin/readahead.te	2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/admin/readahead.te	2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/admin/readahead.te	2009-07-29 21:34:35.000000000 -0400
 @@ -54,7 +54,10 @@
  files_dontaudit_getattr_all_sockets(readahead_t)
  files_list_non_security(readahead_t)
@@ -564,9 +587,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  fs_getattr_all_fs(readahead_t)
  fs_search_auto_mountpoints(readahead_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.24/policy/modules/admin/rpm.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.25/policy/modules/admin/rpm.fc
 --- nsaserefpolicy/policy/modules/admin/rpm.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/admin/rpm.fc	2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/admin/rpm.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -4,14 +4,12 @@
  
  /usr/bin/yum 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -608,9 +631,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # SuSE
  ifdef(`distro_suse', `
  /usr/bin/online_update		--	gen_context(system_u:object_r:rpm_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.24/policy/modules/admin/rpm.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.25/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/admin/rpm.if	2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/admin/rpm.if	2009-07-29 21:34:35.000000000 -0400
 @@ -66,6 +66,11 @@
  	rpm_domtrans($1)
  	role $2 types rpm_t;
@@ -623,11 +646,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	seutil_run_loadpolicy(rpm_script_t, $2)
  	seutil_run_semanage(rpm_script_t, $2)
  	seutil_run_setfiles(rpm_script_t, $2)
-@@ -146,6 +151,24 @@
+@@ -146,6 +151,34 @@
  
  ########################################
  ## <summary>
-+##	dontaudit read and write an unnamed RPM pipe.
++##	dontaudit read and write an leaked file descriptors
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -635,12 +658,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +##	</summary>
 +## </param>
 +#
-+interface(`rpm_dontaudit_rw_pipes',`
++interface(`rpm_dontaudit_leaks',`
 +	gen_require(`
 +		type rpm_t;
++		type rpm_script_t;
++		type rpm_var_run_t;
++		type rpm_tmp_t;
++		type rpm_tmpfs_t;
 +	')
 +
 +	dontaudit $1 rpm_t:fifo_file rw_fifo_file_perms;
++	dontaudit $1 rpm_script_t:fd use;
++	dontaudit $1 rpm_var_run_t:file write_file_perms;
++	dontaudit $1 rpm_tmp_t:file rw_file_perms;
++	dontaudit $1 rpm_t:shm rw_shm_perms;
++ 	dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms;
++ 	dontaudit $1 rpm_tmpfs_t:file write_file_perms;
 +')
 +
 +########################################
@@ -648,7 +681,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Send and receive messages from
  ##	rpm over dbus.
  ## </summary>
-@@ -167,6 +190,48 @@
+@@ -167,6 +200,48 @@
  
  ########################################
  ## <summary>
@@ -697,7 +730,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Create, read, write, and delete the RPM log.
  ## </summary>
  ## <param name="domain">
-@@ -186,6 +251,24 @@
+@@ -186,6 +261,24 @@
  
  ########################################
  ## <summary>
@@ -722,32 +755,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Inherit and use file descriptors from RPM scripts.
  ## </summary>
  ## <param name="domain">
-@@ -204,6 +287,24 @@
- 
- ########################################
- ## <summary>
-+##	dontaudit and use file descriptors from RPM scripts.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	The type of the process performing this action.
-+##	</summary>
-+## </param>
-+#
-+interface(`rpm_dontaudit_use_script_fds',`
-+	gen_require(`
-+		type rpm_script_t;
-+	')
-+
-+	dontaudit $1 rpm_script_t:fd use;
-+')
-+
-+########################################
-+## <summary>
- ##	Create, read, write, and delete RPM
- ##	script temporary files.
- ## </summary>
-@@ -219,7 +320,29 @@
+@@ -219,7 +312,29 @@
  	')
  
  	files_search_tmp($1)
@@ -777,7 +785,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -245,6 +368,24 @@
+@@ -245,6 +360,24 @@
  
  ########################################
  ## <summary>
@@ -802,7 +810,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Create, read, write, and delete the RPM package database.
  ## </summary>
  ## <param name="domain">
-@@ -283,3 +424,166 @@
+@@ -283,3 +416,46 @@
  	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
  	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
  ')
@@ -833,126 +841,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +########################################
 +## <summary>
-+##	allow domain to read, 
-+##	write RPM tmp files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`rpm_rw_tmp_files',`
-+	gen_require(`
-+		type rpm_tmp_t;
-+	')
-+
-+	allow $1 rpm_tmp_t:file rw_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Do not audit attempts to read, 
-+##	write RPM tmp files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`rpm_dontaudit_rw_tmp_files',`
-+	gen_require(`
-+		type rpm_tmp_t;
-+	')
-+
-+	dontaudit $1 rpm_tmp_t:file rw_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Manage RPM tmp files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`rpm_manage_tmp_files',`
-+	gen_require(`
-+		type rpm_tmp_t;
-+	')
-+
-+	manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Do not audit attempts to read, 
-+##	write RPM shm
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`rpm_dontaudit_rw_shm',`
-+	gen_require(`
-+		type rpm_t;
-+	')
-+
-+	dontaudit $1 rpm_t:shm rw_shm_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Read/write rpm tmpfs files.
-+## </summary>
-+## <desc>
-+##	<p>
-+##	Read/write rpm tmpfs files.
-+##	</p>
-+## </desc>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`rpm_rw_tmpfs_files',`
-+	gen_require(`
-+		type rpm_tmpfs_t;
-+	')
-+
-+	fs_search_tmpfs($1)
-+	allow $1 rpm_tmpfs_t:dir list_dir_perms;
-+	rw_files_pattern($1, rpm_tmpfs_t, rpm_tmpfs_t)
-+	read_lnk_files_pattern($1, rpm_tmpfs_t, rpm_tmpfs_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Do not audit attempts to write, and delete the 
-+##	RPM var run files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`rpm_dontaudit_write_pid_files',`
-+	gen_require(`
-+		type rpm_var_run_t;
-+	')
-+
-+	dontaudit $1 rpm_var_run_t:file write_file_perms;
-+')
-+
-+########################################
-+## <summary>
 +##	Send a null signal to rpm.
 +## </summary>
 +## <param name="domain">
@@ -969,19 +857,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	allow $1 rpm_t:process signull;
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.24/policy/modules/admin/rpm.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.25/policy/modules/admin/rpm.te
 --- nsaserefpolicy/policy/modules/admin/rpm.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/admin/rpm.te	2009-07-28 13:42:18.000000000 -0400
-@@ -9,6 +9,8 @@
- type rpm_t;
- type rpm_exec_t;
- init_system_domain(rpm_t, rpm_exec_t)
-+#application_domain(rpm_t, rpm_exec_t)
-+
- domain_obj_id_change_exemption(rpm_t)
- domain_role_change_exemption(rpm_t)
- domain_system_change_exemption(rpm_t)
-@@ -31,11 +33,15 @@
++++ serefpolicy-3.6.25/policy/modules/admin/rpm.te	2009-07-29 21:34:35.000000000 -0400
+@@ -31,11 +31,15 @@
  files_type(rpm_var_lib_t)
  typealias rpm_var_lib_t alias var_lib_rpm_t;
  
@@ -997,7 +876,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  domain_type(rpm_script_t)
  domain_entry_file(rpm_t, rpm_script_exec_t)
  domain_interactive_fd(rpm_script_t)
-@@ -52,8 +58,9 @@
+@@ -52,8 +56,9 @@
  # rpm Local policy
  #
  
@@ -1009,7 +888,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow rpm_t self:process { getattr setexec setfscreate setrlimit };
  allow rpm_t self:fd use;
  allow rpm_t self:fifo_file rw_fifo_file_perms;
-@@ -68,6 +75,8 @@
+@@ -68,6 +73,8 @@
  allow rpm_t self:sem create_sem_perms;
  allow rpm_t self:msgq create_msgq_perms;
  allow rpm_t self:msg { send receive };
@@ -1018,7 +897,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  allow rpm_t rpm_log_t:file manage_file_perms;
  logging_log_filetrans(rpm_t, rpm_log_t, file)
-@@ -87,8 +96,13 @@
+@@ -87,8 +94,13 @@
  manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
  files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
  
@@ -1032,7 +911,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  corecmd_exec_all_executables(rpm_t)
  
-@@ -108,12 +122,14 @@
+@@ -108,12 +120,14 @@
  dev_list_sysfs(rpm_t)
  dev_list_usbfs(rpm_t)
  dev_read_urand(rpm_t)
@@ -1047,7 +926,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  fs_search_auto_mountpoints(rpm_t)
  
  mls_file_read_all_levels(rpm_t)
-@@ -132,6 +148,8 @@
+@@ -132,6 +146,8 @@
  # for installing kernel packages
  storage_raw_read_fixed_disk(rpm_t)
  
@@ -1056,7 +935,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  auth_relabel_all_files_except_shadow(rpm_t)
  auth_manage_all_files_except_shadow(rpm_t)
  auth_dontaudit_read_shadow(rpm_t)
-@@ -155,6 +173,7 @@
+@@ -155,6 +171,7 @@
  files_exec_etc_files(rpm_t)
  
  init_domtrans_script(rpm_t)
@@ -1064,7 +943,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  libs_exec_ld_so(rpm_t)
  libs_exec_lib_files(rpm_t)
-@@ -174,17 +193,28 @@
+@@ -174,17 +191,28 @@
  ')
  
  optional_policy(`
@@ -1094,7 +973,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ifdef(`TODO',`
-@@ -210,8 +240,8 @@
+@@ -210,8 +238,8 @@
  # rpm-script Local policy
  #
  
@@ -1105,7 +984,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow rpm_script_t self:fd use;
  allow rpm_script_t self:fifo_file rw_fifo_file_perms;
  allow rpm_script_t self:unix_dgram_socket create_socket_perms;
-@@ -222,12 +252,15 @@
+@@ -222,12 +250,15 @@
  allow rpm_script_t self:sem create_sem_perms;
  allow rpm_script_t self:msgq create_msgq_perms;
  allow rpm_script_t self:msg { send receive };
@@ -1121,7 +1000,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
  
  manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
-@@ -239,6 +272,9 @@
+@@ -239,6 +270,9 @@
  
  kernel_read_kernel_sysctls(rpm_script_t)
  kernel_read_system_state(rpm_script_t)
@@ -1131,7 +1010,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  dev_list_sysfs(rpm_script_t)
  
-@@ -255,6 +291,7 @@
+@@ -255,6 +289,7 @@
  fs_mount_xattr_fs(rpm_script_t)
  fs_unmount_xattr_fs(rpm_script_t)
  fs_search_auto_mountpoints(rpm_script_t)
@@ -1139,7 +1018,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  mcs_killall(rpm_script_t)
  mcs_ptrace_all(rpm_script_t)
-@@ -272,14 +309,19 @@
+@@ -272,14 +307,19 @@
  storage_raw_read_fixed_disk(rpm_script_t)
  storage_raw_write_fixed_disk(rpm_script_t)
  
@@ -1159,7 +1038,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  domain_read_all_domains_state(rpm_script_t)
  domain_getattr_all_domains(rpm_script_t)
-@@ -291,6 +333,7 @@
+@@ -291,6 +331,7 @@
  files_exec_etc_files(rpm_script_t)
  files_read_etc_runtime_files(rpm_script_t)
  files_exec_usr_files(rpm_script_t)
@@ -1167,7 +1046,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  init_domtrans_script(rpm_script_t)
  
-@@ -308,12 +351,15 @@
+@@ -308,12 +349,15 @@
  seutil_domtrans_loadpolicy(rpm_script_t)
  seutil_domtrans_setfiles(rpm_script_t)
  seutil_domtrans_semanage(rpm_script_t)
@@ -1183,7 +1062,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  ')
  
-@@ -326,13 +372,18 @@
+@@ -326,13 +370,18 @@
  ')
  
  optional_policy(`
@@ -1203,9 +1082,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	optional_policy(`
  		java_domtrans_unconfined(rpm_script_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.24/policy/modules/admin/sudo.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.25/policy/modules/admin/sudo.if
 --- nsaserefpolicy/policy/modules/admin/sudo.if	2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/admin/sudo.if	2009-07-28 13:52:41.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/admin/sudo.if	2009-07-29 21:34:35.000000000 -0400
 @@ -66,8 +66,8 @@
  	allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
  	allow $1_sudo_t self:unix_dgram_socket sendto;
@@ -1238,9 +1117,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	tunable_policy(`use_nfs_home_dirs',`
  		fs_manage_nfs_files($1_sudo_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.6.24/policy/modules/admin/tmpreaper.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.6.25/policy/modules/admin/tmpreaper.te
 --- nsaserefpolicy/policy/modules/admin/tmpreaper.te	2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/admin/tmpreaper.te	2009-07-28 13:54:33.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/admin/tmpreaper.te	2009-07-29 21:34:35.000000000 -0400
 @@ -52,6 +52,10 @@
  ')
  
@@ -1252,9 +1131,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	kismet_manage_log(tmpreaper_t)
  ')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.24/policy/modules/admin/usermanage.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.25/policy/modules/admin/usermanage.te
 --- nsaserefpolicy/policy/modules/admin/usermanage.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/admin/usermanage.te	2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/admin/usermanage.te	2009-07-29 21:34:35.000000000 -0400
 @@ -209,6 +209,7 @@
  files_manage_etc_files(groupadd_t)
  files_relabel_etc_files(groupadd_t)
@@ -1292,9 +1171,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	rpm_use_fds(useradd_t)
  	rpm_rw_pipes(useradd_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.6.24/policy/modules/admin/vbetool.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.6.25/policy/modules/admin/vbetool.te
 --- nsaserefpolicy/policy/modules/admin/vbetool.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/admin/vbetool.te	2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/admin/vbetool.te	2009-07-29 21:34:35.000000000 -0400
 @@ -23,7 +23,11 @@
  dev_rwx_zero(vbetool_t)
  dev_read_sysfs(vbetool_t)
@@ -1317,9 +1196,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	xserver_write_pid(vbetool_t)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.6.24/policy/modules/apps/awstats.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.6.25/policy/modules/apps/awstats.te
 --- nsaserefpolicy/policy/modules/apps/awstats.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/awstats.te	2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/awstats.te	2009-07-29 21:34:35.000000000 -0400
 @@ -51,6 +51,8 @@
  
  libs_read_lib_files(awstats_t)
@@ -1329,9 +1208,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  miscfiles_read_localization(awstats_t)
  
  sysnet_dns_name_resolve(awstats_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.6.24/policy/modules/apps/cpufreqselector.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.6.25/policy/modules/apps/cpufreqselector.te
 --- nsaserefpolicy/policy/modules/apps/cpufreqselector.te	2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/cpufreqselector.te	2009-07-28 13:57:37.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/cpufreqselector.te	2009-07-29 21:34:35.000000000 -0400
 @@ -8,7 +8,8 @@
  
  type cpufreqselector_t;
@@ -1350,17 +1229,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	policykit_domtrans_auth(cpufreqselector_t)
  	policykit_read_lib(cpufreqselector_t)
  	policykit_read_reload(cpufreqselector_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.fc serefpolicy-3.6.24/policy/modules/apps/gitosis.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.fc serefpolicy-3.6.25/policy/modules/apps/gitosis.fc
 --- nsaserefpolicy/policy/modules/apps/gitosis.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/apps/gitosis.fc	2009-07-28 13:42:18.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/gitosis.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -0,0 +1,4 @@
 +
 +/usr/bin/gitosis-serve			--        gen_context(system_u:object_r:gitosis_exec_t,s0)
 +
 +/var/lib/gitosis(/.*)?                            gen_context(system_u:object_r:gitosis_var_lib_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.6.24/policy/modules/apps/gitosis.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.6.25/policy/modules/apps/gitosis.if
 --- nsaserefpolicy/policy/modules/apps/gitosis.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/apps/gitosis.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/gitosis.if	2009-07-29 21:34:35.000000000 -0400
 @@ -0,0 +1,96 @@
 +## <summary>gitosis interface</summary>
 +
@@ -1458,9 +1337,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +        manage_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
 +	manage_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.te serefpolicy-3.6.24/policy/modules/apps/gitosis.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.te serefpolicy-3.6.25/policy/modules/apps/gitosis.te
 --- nsaserefpolicy/policy/modules/apps/gitosis.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/apps/gitosis.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/gitosis.te	2009-07-29 21:34:35.000000000 -0400
 @@ -0,0 +1,43 @@
 +policy_module(gitosis,1.0.0)
 +
@@ -1505,9 +1384,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
 +	ssh_rw_pipes(gitosis_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.24/policy/modules/apps/gnome.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.25/policy/modules/apps/gnome.fc
 --- nsaserefpolicy/policy/modules/apps/gnome.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/gnome.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/gnome.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -1,8 +1,16 @@
 -HOME_DIR/\.config/gtk-.*	gen_context(system_u:object_r:gnome_home_t,s0)
 +HOME_DIR/\.config(/.*)?		gen_context(system_u:object_r:gnome_home_t,s0)
@@ -1527,9 +1406,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/libexec/gconf-defaults-mechanism	    	--      gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0)
 +
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.24/policy/modules/apps/gnome.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.25/policy/modules/apps/gnome.if
 --- nsaserefpolicy/policy/modules/apps/gnome.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/gnome.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/gnome.if	2009-07-29 21:34:35.000000000 -0400
 @@ -89,5 +89,175 @@
  
  	allow $1 gnome_home_t:dir manage_dir_perms;
@@ -1706,9 +1585,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	# Connect to pulseaudit server
 +	stream_connect_pattern($1, gnome_home_t, gnome_home_t, $2)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.24/policy/modules/apps/gnome.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.25/policy/modules/apps/gnome.te
 --- nsaserefpolicy/policy/modules/apps/gnome.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/gnome.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/gnome.te	2009-07-29 21:34:35.000000000 -0400
 @@ -9,16 +9,18 @@
  attribute gnomedomain;
  
@@ -1837,9 +1716,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +permissive gnomesystemmm_t;
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.24/policy/modules/apps/gpg.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.25/policy/modules/apps/gpg.te
 --- nsaserefpolicy/policy/modules/apps/gpg.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/gpg.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/gpg.te	2009-07-29 21:34:35.000000000 -0400
 @@ -159,6 +159,19 @@
  	xserver_rw_xdm_pipes(gpg_t)
  ')
@@ -1867,9 +1746,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -	xserver_stream_connect(gpg_pinentry_t)
 +	xserver_common_app(gpg_pinentry_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.6.24/policy/modules/apps/java.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.6.25/policy/modules/apps/java.fc
 --- nsaserefpolicy/policy/modules/apps/java.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/java.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/java.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -2,15 +2,16 @@
  # /opt
  #
@@ -1904,9 +1783,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +/usr/bin/octave-[^/]*  	--	gen_context(system_u:object_r:java_exec_t,s0)
 +/usr/lib/opera(/.*)?/opera	--	gen_context(system_u:object_r:java_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.24/policy/modules/apps/java.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.25/policy/modules/apps/java.if
 --- nsaserefpolicy/policy/modules/apps/java.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/java.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/java.if	2009-07-29 21:34:35.000000000 -0400
 @@ -30,6 +30,7 @@
  
  	allow java_t $2:unix_stream_socket connectto;
@@ -2047,9 +1926,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +		xserver_role($1_r, $1_java_t)
 +	')
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.24/policy/modules/apps/java.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.25/policy/modules/apps/java.te
 --- nsaserefpolicy/policy/modules/apps/java.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/java.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/java.te	2009-07-29 21:34:35.000000000 -0400
 @@ -20,6 +20,8 @@
  typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t };
  typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
@@ -2112,15 +1991,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	')
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.6.24/policy/modules/apps/livecd.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.6.25/policy/modules/apps/livecd.fc
 --- nsaserefpolicy/policy/modules/apps/livecd.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/apps/livecd.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/livecd.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -0,0 +1,2 @@
 +
 +/usr/bin/livecd-creator	--	gen_context(system_u:object_r:livecd_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.6.24/policy/modules/apps/livecd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.6.25/policy/modules/apps/livecd.if
 --- nsaserefpolicy/policy/modules/apps/livecd.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/apps/livecd.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/livecd.if	2009-07-29 21:34:35.000000000 -0400
 @@ -0,0 +1,50 @@
 +
 +## <summary>policy for livecd</summary>
@@ -2172,9 +2051,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	seutil_run_setfiles_mac(livecd_t, $2)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.6.24/policy/modules/apps/livecd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.6.25/policy/modules/apps/livecd.te
 --- nsaserefpolicy/policy/modules/apps/livecd.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/apps/livecd.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/livecd.te	2009-07-29 21:34:35.000000000 -0400
 @@ -0,0 +1,26 @@
 +policy_module(livecd, 1.0.0)
 +
@@ -2202,9 +2081,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +seutil_domtrans_setfiles_mac(livecd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.24/policy/modules/apps/mono.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.25/policy/modules/apps/mono.if
 --- nsaserefpolicy/policy/modules/apps/mono.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/mono.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/mono.if	2009-07-29 21:34:35.000000000 -0400
 @@ -21,6 +21,105 @@
  
  ########################################
@@ -2320,9 +2199,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  
  	corecmd_search_bin($1)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.6.24/policy/modules/apps/mono.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.6.25/policy/modules/apps/mono.te
 --- nsaserefpolicy/policy/modules/apps/mono.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/mono.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/mono.te	2009-07-29 21:34:35.000000000 -0400
 @@ -15,7 +15,7 @@
  # Local policy
  #
@@ -2346,9 +2225,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
 +	xserver_rw_shm(mono_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.24/policy/modules/apps/mozilla.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.25/policy/modules/apps/mozilla.if
 --- nsaserefpolicy/policy/modules/apps/mozilla.if	2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/mozilla.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/mozilla.if	2009-07-29 21:34:35.000000000 -0400
 @@ -45,6 +45,18 @@
  	relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
  	relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
@@ -2376,9 +2255,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	userdom_search_user_home_dirs($1)
  ')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.24/policy/modules/apps/mozilla.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.25/policy/modules/apps/mozilla.te
 --- nsaserefpolicy/policy/modules/apps/mozilla.te	2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/mozilla.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/mozilla.te	2009-07-29 21:34:35.000000000 -0400
 @@ -59,6 +59,7 @@
  manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
  manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
@@ -2453,9 +2332,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
  	thunderbird_domtrans(mozilla_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.6.24/policy/modules/apps/nsplugin.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.6.25/policy/modules/apps/nsplugin.fc
 --- nsaserefpolicy/policy/modules/apps/nsplugin.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/apps/nsplugin.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/nsplugin.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -0,0 +1,12 @@
 +HOME_DIR/\.adobe(/.*)?			gen_context(system_u:object_r:nsplugin_home_t,s0)
 +HOME_DIR/\.macromedia(/.*)?		gen_context(system_u:object_r:nsplugin_home_t,s0)
@@ -2469,9 +2348,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/lib(64)?/nspluginwrapper/npviewer.bin	--	gen_context(system_u:object_r:nsplugin_exec_t,s0)
 +/usr/lib(64)?/nspluginwrapper/plugin-config	--	gen_context(system_u:object_r:nsplugin_config_exec_t,s0)
 +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)?			gen_context(system_u:object_r:nsplugin_rw_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.24/policy/modules/apps/nsplugin.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.25/policy/modules/apps/nsplugin.if
 --- nsaserefpolicy/policy/modules/apps/nsplugin.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/apps/nsplugin.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/nsplugin.if	2009-07-29 21:34:35.000000000 -0400
 @@ -0,0 +1,313 @@
 +
 +## <summary>policy for nsplugin</summary>
@@ -2786,9 +2665,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	allow $1 nsplugin_home_t:fifo_file rw_fifo_file_perms; 
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.24/policy/modules/apps/nsplugin.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.25/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/apps/nsplugin.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/nsplugin.te	2009-07-29 21:34:35.000000000 -0400
 @@ -0,0 +1,287 @@
 +
 +policy_module(nsplugin, 1.0.0)
@@ -3077,16 +2956,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.6.24/policy/modules/apps/openoffice.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.6.25/policy/modules/apps/openoffice.fc
 --- nsaserefpolicy/policy/modules/apps/openoffice.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/apps/openoffice.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/openoffice.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -0,0 +1,3 @@
 +/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
 +/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.6.24/policy/modules/apps/openoffice.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.6.25/policy/modules/apps/openoffice.if
 --- nsaserefpolicy/policy/modules/apps/openoffice.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/apps/openoffice.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/openoffice.if	2009-07-29 21:34:35.000000000 -0400
 @@ -0,0 +1,93 @@
 +## <summary>Openoffice</summary>
 +
@@ -3181,9 +3060,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +		xserver_common_x_domain_template($1, $1_openoffice_t)
 +	')
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.6.24/policy/modules/apps/openoffice.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.6.25/policy/modules/apps/openoffice.te
 --- nsaserefpolicy/policy/modules/apps/openoffice.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/apps/openoffice.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/openoffice.te	2009-07-29 21:34:35.000000000 -0400
 @@ -0,0 +1,14 @@
 +
 +policy_module(openoffice, 1.0.0)
@@ -3199,18 +3078,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.24/policy/modules/apps/qemu.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.25/policy/modules/apps/qemu.fc
 --- nsaserefpolicy/policy/modules/apps/qemu.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/qemu.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/qemu.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -1,2 +1,3 @@
 -/usr/bin/qemu	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 -/usr/bin/qemu-kvm --	gen_context(system_u:object_r:qemu_exec_t,s0)
 +/usr/bin/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 +/usr/libexec/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.6.24/policy/modules/apps/qemu.if
---- nsaserefpolicy/policy/modules/apps/qemu.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/qemu.if	2009-07-28 13:42:19.000000000 -0400
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.6.25/policy/modules/apps/qemu.if
+--- nsaserefpolicy/policy/modules/apps/qemu.if	2009-07-29 15:15:33.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/qemu.if	2009-07-29 21:34:35.000000000 -0400
 @@ -40,6 +40,93 @@
  
  	qemu_domtrans($1)
@@ -3424,29 +3303,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -
 -	type $1_t;
 -	domain_type($1_t)
-+interface(`qemu_manage_tmp_dirs',`
-+	gen_require(`
-+		type qemu_tmp_t;
-+	')
- 
+-
 -	type $1_tmp_t;
 -	files_tmp_file($1_tmp_t)
-+	manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t)
-+	')
- 
+-
 -	##############################
 -	#
 -	# Local Policy
-+########################################
-+## <summary>
-+##	Manage qemu temporary files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
- 	#
+-	#
 -
 -	allow $1_t self:capability { dac_read_search dac_override };
 -	allow $1_t self:process { execstack execmem signal getsched };
@@ -3496,17 +3360,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -
 -	userdom_use_user_terminals($1_t)
 -
--#	optional_policy(`
--#		samba_domtrans_smb($1_t)
--#	')
--
+-	optional_policy(`
+-		samba_domtrans_smbd($1_t)
++interface(`qemu_manage_tmp_dirs',`
++	gen_require(`
++		type qemu_tmp_t;
+ 	')
+ 
 -	optional_policy(`
 -		virt_manage_images($1_t)
 -		virt_read_config($1_t)
 -		virt_read_lib_files($1_t)
-+interface(`qemu_manage_tmp_files',`
-+	gen_require(`
-+		type qemu_tmp_t;
++	manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t)
  	')
  
 -	optional_policy(`
@@ -3514,12 +3379,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -		xserver_read_xdm_tmp_files($1_t)
 -		xserver_read_xdm_pid($1_t)
 -#		xserver_xdm_rw_shm($1_t)
--	')
++########################################
++## <summary>
++##	Manage qemu temporary files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++	#
++interface(`qemu_manage_tmp_files',`
++	gen_require(`
++		type qemu_tmp_t;
+ 	')
++
 +	manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.24/policy/modules/apps/qemu.te
---- nsaserefpolicy/policy/modules/apps/qemu.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/qemu.te	2009-07-28 13:42:19.000000000 -0400
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.25/policy/modules/apps/qemu.te
+--- nsaserefpolicy/policy/modules/apps/qemu.te	2009-07-29 15:15:33.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/qemu.te	2009-07-29 23:11:35.000000000 -0400
 @@ -13,28 +13,97 @@
  ## </desc>
  gen_tunable(qemu_full_network, false)
@@ -3607,7 +3486,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +optional_policy(`
-+	samba_domtrans_smb(qemu_t)
++	samba_domtrans_smbd(qemu_t)
 +')
 +
 +optional_policy(`
@@ -3636,23 +3515,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	role unconfined_r types qemu_unconfined_t;
  	allow qemu_unconfined_t self:process { execstack execmem };
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.6.24/policy/modules/apps/sambagui.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.6.25/policy/modules/apps/sambagui.fc
 --- nsaserefpolicy/policy/modules/apps/sambagui.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/apps/sambagui.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/sambagui.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -0,0 +1,4 @@
 +/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0)
 +
 +
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.6.24/policy/modules/apps/sambagui.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.6.25/policy/modules/apps/sambagui.if
 --- nsaserefpolicy/policy/modules/apps/sambagui.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/apps/sambagui.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/sambagui.if	2009-07-29 21:34:35.000000000 -0400
 @@ -0,0 +1,2 @@
 +## <summary>system-config-samba policy</summary>
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.6.24/policy/modules/apps/sambagui.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.6.25/policy/modules/apps/sambagui.te
 --- nsaserefpolicy/policy/modules/apps/sambagui.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/apps/sambagui.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/sambagui.te	2009-07-29 23:11:23.000000000 -0400
 @@ -0,0 +1,57 @@
 +policy_module(sambagui,1.0.0)
 +
@@ -3678,8 +3557,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +samba_manage_config(sambagui_t)
 +samba_manage_var_files(sambagui_t)
 +samba_initrc_domtrans(sambagui_t)
-+samba_domtrans_smb(sambagui_t)
-+samba_domtrans_nmb(sambagui_t)
++samba_domtrans_smbd(sambagui_t)
++samba_domtrans_nmbd(sambagui_t)
 +
 +# execut apps of system-config-samba
 +corecmd_exec_shell(sambagui_t)
@@ -3711,14 +3590,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +permissive sambagui_t;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.6.24/policy/modules/apps/sandbox.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.6.25/policy/modules/apps/sandbox.fc
 --- nsaserefpolicy/policy/modules/apps/sandbox.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/apps/sandbox.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/sandbox.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -0,0 +1 @@
 +# No types are sandbox_exec_t
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.24/policy/modules/apps/sandbox.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.25/policy/modules/apps/sandbox.if
 --- nsaserefpolicy/policy/modules/apps/sandbox.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/apps/sandbox.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/sandbox.if	2009-07-29 21:34:35.000000000 -0400
 @@ -0,0 +1,145 @@
 +
 +## <summary>policy for sandbox</summary>
@@ -3865,9 +3744,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.24/policy/modules/apps/sandbox.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.25/policy/modules/apps/sandbox.te
 --- nsaserefpolicy/policy/modules/apps/sandbox.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/apps/sandbox.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/sandbox.te	2009-07-29 21:34:35.000000000 -0400
 @@ -0,0 +1,274 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
@@ -4143,9 +4022,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
 +	hal_dbus_chat(sandbox_net_client_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.24/policy/modules/apps/screen.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.25/policy/modules/apps/screen.if
 --- nsaserefpolicy/policy/modules/apps/screen.if	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/screen.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/screen.if	2009-07-29 21:34:35.000000000 -0400
 @@ -157,3 +157,24 @@
  		nscd_socket_use($1_screen_t)
  	')
@@ -4171,9 +4050,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +         manage_lnk_files_pattern($1,screen_var_run_t,screen_var_run_t)
 +         manage_fifo_files_pattern($1,screen_var_run_t,screen_var_run_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.6.24/policy/modules/apps/vmware.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.6.25/policy/modules/apps/vmware.fc
 --- nsaserefpolicy/policy/modules/apps/vmware.fc	2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/vmware.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/vmware.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -18,6 +18,7 @@
  /usr/bin/vmnet-natd		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
  /usr/bin/vmnet-netifup		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
@@ -4182,9 +4061,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /usr/bin/vmware-nmbd		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
  /usr/bin/vmware-ping		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
  /usr/bin/vmware-smbd		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.24/policy/modules/apps/vmware.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.25/policy/modules/apps/vmware.te
 --- nsaserefpolicy/policy/modules/apps/vmware.te	2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/vmware.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/vmware.te	2009-07-29 21:34:35.000000000 -0400
 @@ -157,8 +157,10 @@
  optional_policy(`
  	xserver_read_tmp_files(vmware_host_t)
@@ -4196,9 +4075,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ifdef(`TODO',`
  # VMWare need access to pcmcia devices for network
  optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-3.6.24/policy/modules/apps/webalizer.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-3.6.25/policy/modules/apps/webalizer.te
 --- nsaserefpolicy/policy/modules/apps/webalizer.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/webalizer.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/webalizer.te	2009-07-29 21:34:35.000000000 -0400
 @@ -69,7 +69,6 @@
  fs_search_auto_mountpoints(webalizer_t)
  fs_getattr_xattr_fs(webalizer_t)
@@ -4207,9 +4086,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  files_read_etc_files(webalizer_t)
  files_read_etc_runtime_files(webalizer_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.6.24/policy/modules/apps/wine.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.6.25/policy/modules/apps/wine.fc
 --- nsaserefpolicy/policy/modules/apps/wine.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/wine.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/wine.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -1,4 +1,21 @@
 -/usr/bin/wine			--	gen_context(system_u:object_r:wine_exec_t,s0)
 +/usr/bin/wine.*			--	gen_context(system_u:object_r:wine_exec_t,s0)
@@ -4235,9 +4114,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
 -/opt/cxoffice/bin/wine		--	gen_context(system_u:object_r:wine_exec_t,s0)
 -/opt/picasa/wine/bin/wine	--	gen_context(system_u:object_r:wine_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.6.24/policy/modules/apps/wine.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.6.25/policy/modules/apps/wine.if
 --- nsaserefpolicy/policy/modules/apps/wine.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/wine.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/wine.if	2009-07-29 21:34:35.000000000 -0400
 @@ -43,3 +43,63 @@
  	wine_domtrans($1)
  	role $2 types wine_t;
@@ -4302,9 +4181,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	relabel_lnk_files_pattern($2, wine_home_t, wine_home_t)
 +
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.24/policy/modules/apps/wine.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.25/policy/modules/apps/wine.te
 --- nsaserefpolicy/policy/modules/apps/wine.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/apps/wine.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/apps/wine.te	2009-07-29 21:34:35.000000000 -0400
 @@ -9,20 +9,35 @@
  type wine_t;
  type wine_exec_t;
@@ -4345,9 +4224,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +        xserver_common_app(wine_t)
 +	xserver_rw_shm(wine_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.24/policy/modules/kernel/corecommands.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.25/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/kernel/corecommands.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/kernel/corecommands.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -139,6 +139,9 @@
  /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -4380,9 +4259,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/lib(64)?/rpm/rpmv		-- 	gen_context(system_u:object_r:bin_t,s0)
 +
 +/usr/lib(64)?/gimp/.*/plug-ins(/.*)?  gen_context(system_u:object_r:bin_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.24/policy/modules/kernel/corecommands.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.25/policy/modules/kernel/corecommands.if
 --- nsaserefpolicy/policy/modules/kernel/corecommands.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/kernel/corecommands.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/kernel/corecommands.if	2009-07-29 21:34:35.000000000 -0400
 @@ -893,6 +893,7 @@
  
  	read_lnk_files_pattern($1, bin_t, bin_t)
@@ -4391,9 +4270,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.24/policy/modules/kernel/corenetwork.te.in
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.25/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/kernel/corenetwork.te.in	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/kernel/corenetwork.te.in	2009-07-29 21:34:35.000000000 -0400
 @@ -65,6 +65,7 @@
  type server_packet_t, packet_type, server_packet_type;
  
@@ -4499,9 +4378,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # network_node examples:
  #network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255)
  #network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.24/policy/modules/kernel/devices.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.25/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/kernel/devices.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/kernel/devices.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -47,8 +47,10 @@
  /dev/kmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
  /dev/kmsg		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
@@ -4513,9 +4392,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /dev/lircm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
  /dev/logibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
  /dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.24/policy/modules/kernel/devices.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.25/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/kernel/devices.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/kernel/devices.if	2009-07-29 21:34:35.000000000 -0400
 @@ -1655,6 +1655,78 @@
  
  ########################################
@@ -4683,9 +4562,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Read and write to the null device (/dev/null).
  ## </summary>
  ## <param name="domain">
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.24/policy/modules/kernel/devices.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.25/policy/modules/kernel/devices.te
 --- nsaserefpolicy/policy/modules/kernel/devices.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/kernel/devices.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/kernel/devices.te	2009-07-29 21:34:35.000000000 -0400
 @@ -84,6 +84,13 @@
  dev_node(kmsg_device_t)
  
@@ -4713,9 +4592,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # Type for /dev/mapper/control
  #
  type lvm_control_t;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.24/policy/modules/kernel/domain.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.25/policy/modules/kernel/domain.if
 --- nsaserefpolicy/policy/modules/kernel/domain.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/kernel/domain.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/kernel/domain.if	2009-07-29 21:34:35.000000000 -0400
 @@ -44,34 +44,6 @@
  interface(`domain_type',`
  	# start with basic domain
@@ -4896,9 +4775,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	allow $1 unconfined_domain_type:process signal;
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.24/policy/modules/kernel/domain.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.25/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/kernel/domain.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/kernel/domain.te	2009-07-29 21:34:35.000000000 -0400
 @@ -5,6 +5,13 @@
  #
  # Declarations
@@ -4969,7 +4848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # Act upon any other process.
  allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
  
-@@ -153,3 +174,76 @@
+@@ -153,3 +174,67 @@
  
  # receive from all domains over labeled networking
  domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -5008,26 +4887,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	cron_rw_system_job_pipes(domain)
 +
 +ifdef(`hide_broken_symptoms',`
-+	fs_list_inotifyfs(domain)
 +	dontaudit domain self:udp_socket listen;
 +	allow domain domain:key { link search };
-+	dbus_dontaudit_system_bus_rw_tcp_sockets(domain)
-+	cron_dontaudit_rw_tcp_sockets(domain)
 +')
 +')
 +
 +optional_policy(`
-+	rpm_rw_pipes(domain)
-+	rpm_dontaudit_use_script_fds(domain)
-+	rpm_dontaudit_write_pid_files(domain)
++	rpm_dontaudit_leaks(domain)
 +	rpm_read_script_tmp_files(domain)
 +')
 +
 +optional_policy(`
-+	rhgb_dontaudit_use_ptys(domain)
-+')
-+
-+optional_policy(`
 +	ssh_rw_pipes(domain)
 +')
 +
@@ -5046,9 +4916,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	userdom_relabelto_user_home_dirs(polydomain)
 +	userdom_relabelto_user_home_files(polydomain)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.6.24/policy/modules/kernel/files.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.6.25/policy/modules/kernel/files.fc
 --- nsaserefpolicy/policy/modules/kernel/files.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/kernel/files.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/kernel/files.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -5,10 +5,11 @@
  /.*				gen_context(system_u:object_r:default_t,s0)
  /			-d	gen_context(system_u:object_r:root_t,s0)
@@ -5079,9 +4949,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /var/lib(/.*)?			gen_context(system_u:object_r:var_lib_t,s0)
  
  /var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.24/policy/modules/kernel/files.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.25/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/kernel/files.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/kernel/files.if	2009-07-29 21:34:35.000000000 -0400
 @@ -110,6 +110,11 @@
  ## </param>
  #
@@ -5454,10 +5324,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	')
 +	allow $1 file_type:file entrypoint;
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.24/policy/modules/kernel/files.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.25/policy/modules/kernel/files.te
 --- nsaserefpolicy/policy/modules/kernel/files.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/kernel/files.te	2009-07-28 13:42:19.000000000 -0400
-@@ -52,7 +52,9 @@
++++ serefpolicy-3.6.25/policy/modules/kernel/files.te	2009-07-29 23:56:24.000000000 -0400
+@@ -42,6 +42,7 @@
+ #
+ type boot_t;
+ files_mountpoint(boot_t)
++dev_node(boot_t)
+ 
+ # default_t is the default type for files that do not
+ # match any specification in the file_contexts configuration
+@@ -52,7 +53,9 @@
  #
  # etc_t is the type of the system etc directories.
  #
@@ -5468,15 +5346,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  files_type(etc_t)
  # compatibility aliases for removed types:
  typealias etc_t alias automount_etc_t;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.fc serefpolicy-3.6.24/policy/modules/kernel/filesystem.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.fc serefpolicy-3.6.25/policy/modules/kernel/filesystem.fc
 --- nsaserefpolicy/policy/modules/kernel/filesystem.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/kernel/filesystem.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/kernel/filesystem.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -1 +1 @@
 -# This module currently does not have any file contexts.
 +/dev/shm		-d	gen_context(system_u:object_r:tmpfs_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.24/policy/modules/kernel/filesystem.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.25/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/kernel/filesystem.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/kernel/filesystem.if	2009-07-29 21:34:35.000000000 -0400
 @@ -3971,3 +3971,23 @@
  	relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
  	relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
@@ -5501,9 +5379,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	dontaudit $1 cifs_t:dir list_dir_perms;
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.24/policy/modules/kernel/kernel.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.25/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/kernel/kernel.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/kernel/kernel.if	2009-07-29 21:34:35.000000000 -0400
 @@ -1807,7 +1807,7 @@
  	')
  
@@ -5562,9 +5440,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	allow $1 kernel_t:unix_stream_socket connectto;
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.24/policy/modules/kernel/kernel.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.25/policy/modules/kernel/kernel.te
 --- nsaserefpolicy/policy/modules/kernel/kernel.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/kernel/kernel.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/kernel/kernel.te	2009-07-29 21:34:35.000000000 -0400
 @@ -63,6 +63,15 @@
  genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
  
@@ -5648,9 +5526,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +files_boot(kernel_t)
 +
 +permissive kernel_t;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.6.24/policy/modules/kernel/selinux.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.6.25/policy/modules/kernel/selinux.if
 --- nsaserefpolicy/policy/modules/kernel/selinux.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/kernel/selinux.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/kernel/selinux.if	2009-07-29 21:34:35.000000000 -0400
 @@ -40,7 +40,7 @@
  
  	# because of this statement, any module which
@@ -5708,21 +5586,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	fs_type($1)
 +	mls_trusted_object($1)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.6.24/policy/modules/kernel/storage.fc
---- nsaserefpolicy/policy/modules/kernel/storage.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/kernel/storage.fc	2009-07-28 13:42:19.000000000 -0400
-@@ -57,7 +57,7 @@
- 
- /dev/cciss/[^/]*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
- 
--/dev/fuse		-c	gen_context(system_u:object_r:fuse_device_t,mls_systemhigh)
-+/dev/fuse		-c	gen_context(system_u:object_r:fuse_device_t,s0)
- /dev/floppy/[^/]*	-b	gen_context(system_u:object_r:removable_device_t,s0)
- 
- /dev/i2o/hd[^/]*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.6.24/policy/modules/kernel/terminal.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.6.25/policy/modules/kernel/terminal.fc
 --- nsaserefpolicy/policy/modules/kernel/terminal.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/kernel/terminal.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/kernel/terminal.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -13,6 +13,7 @@
  /dev/ip2[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
  /dev/isdn.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
@@ -5731,9 +5597,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /dev/rfcomm[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
  /dev/slamr[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
  /dev/tty		-c	gen_context(system_u:object_r:devtty_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.24/policy/modules/kernel/terminal.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.25/policy/modules/kernel/terminal.if
 --- nsaserefpolicy/policy/modules/kernel/terminal.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/kernel/terminal.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/kernel/terminal.if	2009-07-29 21:34:35.000000000 -0400
 @@ -173,7 +173,7 @@
  
  	dev_list_all_dev_nodes($1)
@@ -5805,9 +5671,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
  ## <summary>
  ##	Read and write the controlling
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.6.24/policy/modules/roles/guest.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.6.25/policy/modules/roles/guest.te
 --- nsaserefpolicy/policy/modules/roles/guest.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/roles/guest.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/roles/guest.te	2009-07-29 21:34:35.000000000 -0400
 @@ -16,7 +16,11 @@
  #
  
@@ -5822,9 +5688,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +gen_user(guest_u, user, guest_r, s0, s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.24/policy/modules/roles/staff.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.25/policy/modules/roles/staff.te
 --- nsaserefpolicy/policy/modules/roles/staff.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/roles/staff.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/roles/staff.te	2009-07-29 21:34:35.000000000 -0400
 @@ -15,156 +15,105 @@
  # Local policy
  #
@@ -6018,9 +5884,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -optional_policy(`
 -	xserver_role(staff_r, staff_t)
 -')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.24/policy/modules/roles/sysadm.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.25/policy/modules/roles/sysadm.te
 --- nsaserefpolicy/policy/modules/roles/sysadm.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/roles/sysadm.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/roles/sysadm.te	2009-07-29 21:34:35.000000000 -0400
 @@ -15,7 +15,7 @@
  
  role sysadm_r;
@@ -6318,9 +6184,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +init_script_role_transition(sysadm_r)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.24/policy/modules/roles/unconfineduser.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.25/policy/modules/roles/unconfineduser.fc
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/roles/unconfineduser.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/roles/unconfineduser.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -0,0 +1,37 @@
 +# Add programs here which should not be confined by SELinux
 +# e.g.:
@@ -6359,9 +6225,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +/opt/real/(.*/)?realplay\.bin --	gen_context(system_u:object_r:execmem_exec_t,s0)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.6.24/policy/modules/roles/unconfineduser.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.6.25/policy/modules/roles/unconfineduser.if
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/roles/unconfineduser.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/roles/unconfineduser.if	2009-07-29 21:34:35.000000000 -0400
 @@ -0,0 +1,638 @@
 +## <summary>Unconfiend user role</summary>
 +
@@ -7001,10 +6867,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	allow $1 unconfined_r;
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.24/policy/modules/roles/unconfineduser.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.25/policy/modules/roles/unconfineduser.te
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/roles/unconfineduser.te	2009-07-28 13:42:19.000000000 -0400
-@@ -0,0 +1,410 @@
++++ serefpolicy-3.6.25/policy/modules/roles/unconfineduser.te	2009-07-29 22:23:43.000000000 -0400
+@@ -0,0 +1,395 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -7399,25 +7265,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +# Unconfined mount local policy
 +#
 +
-+optional_policy(`
-+	gen_require(`
-+		type unconfined_mount_t;
-+	')
-+
-+	files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
-+
-+	rpc_domtrans_rpcd(unconfined_mount_t)
-+
-+	unconfined_domain_noaudit(unconfined_mount_t)
-+	optional_policy(`
-+		hal_dbus_chat(unconfined_mount_t)
-+	')
-+')
-+
 +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.24/policy/modules/roles/unprivuser.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.25/policy/modules/roles/unprivuser.te
 --- nsaserefpolicy/policy/modules/roles/unprivuser.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/roles/unprivuser.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/roles/unprivuser.te	2009-07-29 21:34:35.000000000 -0400
 @@ -14,142 +14,21 @@
  userdom_unpriv_user_template(user)
  
@@ -7566,21 +7417,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -	xserver_role(user_r, user_t)
 +	setroubleshoot_dontaudit_stream_connect(user_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.te serefpolicy-3.6.24/policy/modules/roles/webadm.te
---- nsaserefpolicy/policy/modules/roles/webadm.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/roles/webadm.te	2009-07-28 13:42:19.000000000 -0400
-@@ -42,7 +42,7 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.te serefpolicy-3.6.25/policy/modules/roles/webadm.te
+--- nsaserefpolicy/policy/modules/roles/webadm.te	2009-07-28 15:51:13.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/roles/webadm.te	2009-07-29 21:34:35.000000000 -0400
+@@ -1,5 +1,5 @@
  
- userdom_dontaudit_search_user_home_dirs(webadm_t)
+-policy_module(webadm, 1.0.1)
++policy_module(webadm, 1.0.0)
  
--#apache_admin(webadm_t, webadm_r)
-+apache_admin(webadm_t, webadm_r)
- 
- tunable_policy(`webadm_manage_user_files',`
- 	userdom_manage_user_home_content_files(webadm_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.24/policy/modules/roles/xguest.te
+ ########################################
+ #
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.25/policy/modules/roles/xguest.te
 --- nsaserefpolicy/policy/modules/roles/xguest.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/roles/xguest.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/roles/xguest.te	2009-07-29 21:34:35.000000000 -0400
 @@ -36,11 +36,17 @@
  # Local policy
  #
@@ -7627,9 +7476,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
 -#gen_user(xguest_u,, xguest_r, s0, s0)
 +gen_user(xguest_u, user, xguest_r, s0, s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.6.24/policy/modules/services/amavis.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.6.25/policy/modules/services/amavis.te
 --- nsaserefpolicy/policy/modules/services/amavis.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/amavis.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/amavis.te	2009-07-29 21:34:35.000000000 -0400
 @@ -103,6 +103,8 @@
  kernel_dontaudit_read_proc_symlinks(amavis_t)
  kernel_dontaudit_read_system_state(amavis_t)
@@ -7639,9 +7488,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # find perl
  corecmd_exec_bin(amavis_t)
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.24/policy/modules/services/apache.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.25/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/apache.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/apache.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -1,12 +1,13 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
 +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -7735,9 +7584,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/www/svn(/.*)?			gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
 +/var/www/svn/hooks(/.*)?		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 +/var/www/svn/conf(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.24/policy/modules/services/apache.if
---- nsaserefpolicy/policy/modules/services/apache.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/apache.if	2009-07-28 13:42:19.000000000 -0400
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.25/policy/modules/services/apache.if
+--- nsaserefpolicy/policy/modules/services/apache.if	2009-07-28 15:51:13.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/apache.if	2009-07-29 23:18:25.000000000 -0400
 @@ -13,21 +13,16 @@
  #
  template(`apache_content_template',`
@@ -8115,13 +7964,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -1040,3 +1052,160 @@
+@@ -1043,6 +1055,44 @@
  
- 	allow httpd_t $1:process signal;
- ')
-+
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
 +##	Allow the specified domain to search 
 +##	apache bugzilla directories.
 +## </summary>
@@ -8160,79 +8006,43 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +########################################
 +## <summary>
-+##	All of the rules required to administrate an apache environment
-+## </summary>
-+## <param name="prefix">
-+##	<summary>
-+##	Prefix of the domain. Example, user would be
-+##	the prefix for the uder_t domain.
-+##	</summary>
-+## </param>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <param name="role">
-+##	<summary>
-+##	The role to be allowed to manage the apache domain.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`apache_admin',`
-+
-+	gen_require(`
-+		type httpd_t, httpd_initrc_exec_t, httpd_config_t;
-+		type httpd_log_t, httpd_modules_t, httpd_lock_t;
-+		type httpd_var_run_t;
-+		attribute httpdcontent;
-+		attribute httpd_script_exec_type;
-+		type httpd_bool_t;
-+		type httpd_php_tmp_t;
-+		type httpd_suexec_tmp_t;
-+		type httpd_tmp_t;
-+
-+	')
-+
-+	allow $1 httpd_t:process { getattr ptrace signal_perms };
-+	ps_process_pattern($1, httpd_t)
-+
+ ##	All of the rules required to administrate an apache environment
+ ## </summary>
+ ## <param name="prefix">
+@@ -1072,11 +1122,17 @@
+ 		type httpd_modules_t, httpd_lock_t;
+ 		type httpd_var_run_t, httpd_php_tmp_t;
+ 		type httpd_suexec_tmp_t, httpd_tmp_t;
++		type httpd_initrc_exec_t, httpd_bool_t;
+ 	')
+ 
+ 	allow $1 httpd_t:process { getattr ptrace signal_perms };
+ 	ps_process_pattern($1, httpd_t)
+ 
 +	init_labeled_script_domtrans($1, httpd_initrc_exec_t)
 +	domain_system_change_exemption($1)
 +	role_transition $2 httpd_initrc_exec_t system_r;
 +	allow $2 system_r;
 +
-+	apache_manage_all_content($1)
-+	miscfiles_manage_public_files($1)
-+
-+	files_search_etc($1)
-+	admin_pattern($1, httpd_config_t)
-+
-+	logging_search_logs($1)
-+	admin_pattern($1, httpd_log_t)
-+
-+	admin_pattern($1, httpd_modules_t)
-+
-+	admin_pattern($1, httpd_lock_t)
-+	files_lock_filetrans($1, httpd_lock_t, file)
-+
-+	admin_pattern($1, httpd_var_run_t)
-+	files_pid_filetrans($1, httpd_var_run_t, file)
-+
-+	kernel_search_proc($1)
-+	allow $1 httpd_t:dir list_dir_perms;
+ 	apache_manage_all_content($1)
+ 	miscfiles_manage_public_files($1)
+ 
+@@ -1096,12 +1152,57 @@
+ 
+ 	kernel_search_proc($1)
+ 	allow $1 httpd_t:dir list_dir_perms;
+-
 +	ps_process_pattern($1, httpd_t)
-+	read_lnk_files_pattern($1, httpd_t, httpd_t)
-+
-+	admin_pattern($1, httpdcontent)
-+	admin_pattern($1, httpd_script_exec_type)
+ 	read_lnk_files_pattern($1, httpd_t, httpd_t)
+ 
+ 	admin_pattern($1, httpdcontent)
+ 	admin_pattern($1, httpd_script_exec_type)
 +
 +	seutil_domtrans_setfiles($1)
 +
-+	admin_pattern($1, httpd_tmp_t)
-+	admin_pattern($1, httpd_php_tmp_t)
-+	admin_pattern($1, httpd_suexec_tmp_t)
+ 	admin_pattern($1, httpd_tmp_t)
+ 	admin_pattern($1, httpd_php_tmp_t)
+ 	admin_pattern($1, httpd_suexec_tmp_t)
 +	files_tmp_filetrans($1, httpd_tmp_t, { file dir })
 +
 +ifdef(`TODO',`
@@ -8275,10 +8085,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +		attribute httpd_rw_content;
 +	')
 +	typeattribute $1  httpd_rw_content;
-+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.24/policy/modules/services/apache.te
---- nsaserefpolicy/policy/modules/services/apache.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/apache.te	2009-07-28 13:42:19.000000000 -0400
+ ')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.25/policy/modules/services/apache.te
+--- nsaserefpolicy/policy/modules/services/apache.te	2009-07-28 15:51:13.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/apache.te	2009-07-29 21:34:35.000000000 -0400
 @@ -19,6 +19,8 @@
  # Declarations
  #
@@ -9010,9 +8820,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +typealias httpd_sys_script_t      alias httpd_fastcgi_script_t;
 +typealias httpd_var_run_t         alias httpd_fastcgi_var_run_t;
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.6.24/policy/modules/services/apm.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.6.25/policy/modules/services/apm.te
 --- nsaserefpolicy/policy/modules/services/apm.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/apm.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/apm.te	2009-07-29 21:34:35.000000000 -0400
 @@ -60,7 +60,7 @@
  # mknod: controlling an orderly resume of PCMCIA requires creating device
  # nodes 254,{0,1,2} for some reason.
@@ -9022,55 +8832,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow apmd_t self:process { signal_perms getsession };
  allow apmd_t self:fifo_file rw_fifo_file_perms;
  allow apmd_t self:unix_dgram_socket create_socket_perms;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.6.24/policy/modules/services/automount.if
---- nsaserefpolicy/policy/modules/services/automount.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/automount.if	2009-07-28 13:42:19.000000000 -0400
-@@ -109,6 +109,25 @@
- 
- ########################################
- ## <summary>
-+##	Send automount a signal
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	The type of the process performing this action.
-+##	</summary>
-+## </param>
-+#
-+#
-+interface(`automount_signal',`
-+	gen_require(`
-+		type automount_t;
-+	')
-+
-+	allow $1 automount_t:process signal;
-+')
-+
-+########################################
-+## <summary>
- ##	All of the rules required to administrate 
- ##	an automount environment
- ## </summary>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.24/policy/modules/services/automount.te
---- nsaserefpolicy/policy/modules/services/automount.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/automount.te	2009-07-28 13:42:19.000000000 -0400
-@@ -71,6 +71,7 @@
- files_mounton_all_mountpoints(automount_t)
- files_mount_all_file_type_fs(automount_t)
- files_unmount_all_file_type_fs(automount_t)
-+files_manage_non_security_dirs(automount_t)
- 
- fs_mount_all_fs(automount_t)
- fs_unmount_all_fs(automount_t)
-@@ -100,6 +101,7 @@
- corenet_udp_bind_all_rpc_ports(automount_t)
- 
- dev_read_sysfs(automount_t)
-+dev_rw_autofs(automount_t)
- # for SSP
- dev_read_rand(automount_t)
- dev_read_urand(automount_t)
-@@ -127,6 +129,7 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.25/policy/modules/services/automount.te
+--- nsaserefpolicy/policy/modules/services/automount.te	2009-07-29 15:15:33.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/automount.te	2009-07-29 21:34:35.000000000 -0400
+@@ -129,6 +129,7 @@
  fs_unmount_autofs(automount_t)
  fs_mount_autofs(automount_t)
  fs_manage_autofs_symlinks(automount_t)
@@ -9078,26 +8843,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  storage_rw_fuse(automount_t)
  
-@@ -142,6 +145,7 @@
- 
- # Run mount in the mount_t domain.
- mount_domtrans(automount_t)
-+mount_signal(automount_t)
- 
- userdom_dontaudit_use_unpriv_user_fds(automount_t)
- userdom_dontaudit_search_user_home_dirs(automount_t)
-@@ -155,7 +159,7 @@
- ')
- 
- optional_policy(`
--	kerberos_read_keytab(automount_t)
-+	kerberos_keytab_template(automount, automount_t)
- 	kerberos_read_config(automount_t)
- 	kerberos_dontaudit_write_config(automount_t)
- ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.24/policy/modules/services/bind.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.25/policy/modules/services/bind.if
 --- nsaserefpolicy/policy/modules/services/bind.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/bind.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/bind.if	2009-07-29 21:34:35.000000000 -0400
 @@ -287,6 +287,25 @@
  
  ########################################
@@ -9124,9 +8872,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	All of the rules required to administrate 
  ##	an bind environment
  ## </summary>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.24/policy/modules/services/bluetooth.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.25/policy/modules/services/bluetooth.te
 --- nsaserefpolicy/policy/modules/services/bluetooth.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/bluetooth.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/bluetooth.te	2009-07-29 21:34:35.000000000 -0400
 @@ -64,6 +64,7 @@
  allow bluetooth_t self:unix_stream_socket { connectto create_stream_socket_perms };
  allow bluetooth_t self:tcp_socket create_stream_socket_perms;
@@ -9135,9 +8883,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.6.24/policy/modules/services/certmaster.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.6.25/policy/modules/services/certmaster.te
 --- nsaserefpolicy/policy/modules/services/certmaster.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/certmaster.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/certmaster.te	2009-07-29 21:34:35.000000000 -0400
 @@ -30,7 +30,7 @@
  # certmaster local policy 
  #
@@ -9147,9 +8895,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow certmaster_t self:tcp_socket create_stream_socket_perms;
  
  # config files
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.6.24/policy/modules/services/clamav.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.6.25/policy/modules/services/clamav.te
 --- nsaserefpolicy/policy/modules/services/clamav.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/clamav.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/clamav.te	2009-07-29 21:34:35.000000000 -0400
 @@ -117,9 +117,9 @@
  
  logging_send_syslog_msg(clamd_t)
@@ -9184,9 +8932,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
  	apache_read_sys_content(clamscan_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.6.24/policy/modules/services/consolekit.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.6.25/policy/modules/services/consolekit.if
 --- nsaserefpolicy/policy/modules/services/consolekit.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/consolekit.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/consolekit.if	2009-07-29 21:34:35.000000000 -0400
 @@ -57,3 +57,23 @@
  	read_files_pattern($1, consolekit_log_t, consolekit_log_t)
  	files_search_pids($1)
@@ -9211,49 +8959,30 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.24/policy/modules/services/consolekit.te
---- nsaserefpolicy/policy/modules/services/consolekit.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/consolekit.te	2009-07-28 13:42:19.000000000 -0400
-@@ -11,7 +11,7 @@
- init_daemon_domain(consolekit_t, consolekit_exec_t)
- 
- type consolekit_log_t;
--files_pid_file(consolekit_log_t)
-+logging_log_file(consolekit_log_t)
- 
- type consolekit_var_run_t;
- files_pid_file(consolekit_var_run_t)
-@@ -50,6 +50,7 @@
- files_read_usr_files(consolekit_t)
- # needs to read /var/lib/dbus/machine-id
- files_read_var_lib_files(consolekit_t)
-+files_search_all_mountpoints(consolekit_t)
- 
- fs_list_inotifyfs(consolekit_t)
- 
-@@ -61,12 +62,17 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.25/policy/modules/services/consolekit.te
+--- nsaserefpolicy/policy/modules/services/consolekit.te	2009-07-29 15:15:33.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/consolekit.te	2009-07-29 21:34:35.000000000 -0400
+@@ -62,12 +62,15 @@
  
  init_telinit(consolekit_t)
  init_rw_utmp(consolekit_t)
 +init_chat(consolekit_t)
  
  logging_send_syslog_msg(consolekit_t)
-+logging_send_audit_msgs(consolekit_t)
+ logging_send_audit_msgs(consolekit_t)
  
  miscfiles_read_localization(consolekit_t)
  
 +# consolekit needs to be able to ptrace all logged in users 
 +userdom_ptrace_all_users(consolekit_t)
  userdom_dontaudit_read_user_home_content_files(consolekit_t)
-+userdom_read_user_tmp_files(consolekit_t)
+ userdom_read_user_tmp_files(consolekit_t)
  
- hal_ptrace(consolekit_t)
- 
-@@ -81,9 +87,12 @@
+@@ -84,9 +87,12 @@
  ')
  
  optional_policy(`
--	dbus_system_bus_client(consolekit_t)
+-	dbus_system_domain(consolekit_t, consolekit_exec_t)
 +	cron_read_system_job_lib_files(consolekit_t)
 +')
  
@@ -9263,39 +8992,37 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  		hal_dbus_chat(consolekit_t)
  	')
  
-@@ -97,11 +106,28 @@
+@@ -100,6 +106,7 @@
  ')
  
  optional_policy(`
 +        policykit_dbus_chat(consolekit_t)
-+	policykit_domtrans_auth(consolekit_t)
-+	policykit_read_lib(consolekit_t)
-+	policykit_read_reload(consolekit_t)
-+')
-+
-+optional_policy(`
-+	xserver_read_xdm_pid(consolekit_t)
+ 	policykit_domtrans_auth(consolekit_t)
+ 	policykit_read_lib(consolekit_t)
+ 	policykit_read_reload(consolekit_t)
+@@ -108,10 +115,19 @@
+ optional_policy(`
+ 	xserver_read_xdm_pid(consolekit_t)
  	xserver_read_user_xauth(consolekit_t)
--	xserver_stream_connect(consolekit_t)
 +        xserver_common_app(consolekit_t)
 +	xserver_ptrace_xdm(consolekit_t)
 +	xserver_common_app(consolekit_t)
-+	corenet_tcp_connect_xserver_port(consolekit_t)
-+')
-+
-+optional_policy(`
-+	udev_domtrans(consolekit_t)
+ 	corenet_tcp_connect_xserver_port(consolekit_t)
  ')
  
  optional_policy(`
++	udev_domtrans(consolekit_t)
++')
++
++optional_policy(`
  	#reading .Xauthity
 +	unconfined_ptrace(consolekit_t)
  	unconfined_stream_connect(consolekit_t)
  ')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.6.24/policy/modules/services/courier.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.6.25/policy/modules/services/courier.if
 --- nsaserefpolicy/policy/modules/services/courier.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/courier.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/courier.if	2009-07-29 21:34:35.000000000 -0400
 @@ -179,6 +179,24 @@
  
  ########################################
@@ -9321,9 +9048,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Read and write to courier spool pipes.
  ## </summary>
  ## <param name="domain">
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.6.24/policy/modules/services/courier.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.6.25/policy/modules/services/courier.te
 --- nsaserefpolicy/policy/modules/services/courier.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/courier.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/courier.te	2009-07-29 21:34:35.000000000 -0400
 @@ -10,6 +10,7 @@
  
  type courier_etc_t;
@@ -9332,9 +9059,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  courier_domain_template(pcp)
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.24/policy/modules/services/cron.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.25/policy/modules/services/cron.fc
 --- nsaserefpolicy/policy/modules/services/cron.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/cron.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/cron.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -1,3 +1,4 @@
 +/etc/rc\.d/init\.d/atd		--	gen_context(system_u:object_r:crond_initrc_exec_t,s0)
  
@@ -9366,9 +9093,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/lib/glpi/files(/.*)?		gen_context(system_u:object_r:cron_var_lib_t,s0)
 +
 +/var/log/mcelog.*		--	gen_context(system_u:object_r:cron_log_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.24/policy/modules/services/cron.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.25/policy/modules/services/cron.if
 --- nsaserefpolicy/policy/modules/services/cron.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/cron.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/cron.if	2009-07-29 21:34:35.000000000 -0400
 @@ -12,6 +12,10 @@
  ## </param>
  #
@@ -9670,9 +9397,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	init_labeled_script_domtrans($1, crond_initrc_exec_t)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.24/policy/modules/services/cron.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.25/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/cron.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/cron.te	2009-07-29 21:34:35.000000000 -0400
 @@ -38,6 +38,10 @@
  type cron_var_lib_t;
  files_type(cron_var_lib_t)
@@ -9918,7 +9645,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # prelink tells init to restart it self, we either need to allow or dontaudit
 -init_write_initctl(system_cronjob_t)
 +init_telinit(system_cronjob_t)
-+init_spec_domtrans_script(system_cronjob_t)
++init_domtrans_script(system_cronjob_t)
  
  auth_use_nsswitch(system_cronjob_t)
  
@@ -10024,288 +9751,41 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  tunable_policy(`fcron_crond', `
  	allow crond_t user_cron_spool_t:file manage_file_perms;
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.24/policy/modules/services/cups.fc
---- nsaserefpolicy/policy/modules/services/cups.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/cups.fc	2009-07-28 13:42:19.000000000 -0400
-@@ -5,27 +5,38 @@
- /etc/cups/classes\.conf.* --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
- /etc/cups/cupsd\.conf.* --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
- /etc/cups/lpoptions.* 	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
--/etc/cups/ppd/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/etc/cups/ppd(/.*)?		gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
- /etc/cups/ppds\.dat	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
- /etc/cups/printers\.conf.* --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/etc/cups/subscriptions.*  --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
- /etc/cups/certs		-d	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.25/policy/modules/services/cups.fc
+--- nsaserefpolicy/policy/modules/services/cups.fc	2009-07-28 15:51:13.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/cups.fc	2009-07-29 21:34:35.000000000 -0400
+@@ -13,6 +13,8 @@
  /etc/cups/certs/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+/etc/rc\.d/init\.d/cups	--	gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
-+
-+/etc/cups/interfaces(/.*)?	gen_context(system_u:object_r:cupsd_interface_t,s0)
+ /etc/rc\.d/init\.d/cups	--	gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
  
++/etc/cups/interfaces(/.*)?	gen_context(system_u:object_r:cupsd_interface_t,s0)
++
  /etc/hp(/.*)?			gen_context(system_u:object_r:hplip_etc_t,s0)
  
  /etc/printcap.* 	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
- 
-+/opt/gutenprint/ppds(/.*)? 	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+
- /usr/bin/cups-config-daemon --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-+/usr/bin/hpijs		--	gen_context(system_u:object_r:hplip_exec_t,s0)
- 
--/usr/lib(64)?/cups/backend/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
--/usr/lib(64)?/cups/daemon/.*	-- gen_context(system_u:object_r:cupsd_exec_t,s0)
--/usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
-+/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
-+/usr/lib64/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
- 
- /usr/libexec/hal_lpadmin --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
- 
- /usr/sbin/cupsd		--	gen_context(system_u:object_r:cupsd_exec_t,s0)
- /usr/sbin/hal_lpadmin --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
- /usr/sbin/hpiod		--	gen_context(system_u:object_r:hplip_exec_t,s0)
-+/usr/sbin/hp-[^/]+	--	gen_context(system_u:object_r:hplip_exec_t,s0)
-+# keep as separate lines to ensure proper sorting
-+/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
-+/usr/lib64/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
-+
- /usr/sbin/printconf-backend --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
- /usr/sbin/ptal-printd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
- /usr/sbin/ptal-mlcd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
-@@ -33,7 +44,7 @@
- 
- /usr/share/cups(/.*)?		gen_context(system_u:object_r:cupsd_etc_t,s0)
- /usr/share/foomatic/db/oldprinterids --	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
--/usr/share/hplip/hpssd\.py --	gen_context(system_u:object_r:hplip_exec_t,s0)
-+/usr/share/hplip/.*\.py --	gen_context(system_u:object_r:hplip_exec_t,s0)
- 
- /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
- /var/cache/foomatic(/.*)? 	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-@@ -43,10 +54,19 @@
- /var/lib/cups/certs/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
- 
- /var/log/cups(/.*)?		gen_context(system_u:object_r:cupsd_log_t,s0)
--/var/log/turboprint_cups\.log.* -- gen_context(system_u:object_r:cupsd_log_t,s0)
-+/var/log/turboprint.*		gen_context(system_u:object_r:cupsd_log_t,s0)
- 
-+/var/turboprint(/.*)?		gen_context(system_u:object_r:cupsd_var_run_t,s0)
- /var/run/cups(/.*)?		gen_context(system_u:object_r:cupsd_var_run_t,s0)
-+/var/ccpd(/.*)?			gen_context(system_u:object_r:cupsd_var_run_t,s0)
- /var/run/hp.*\.pid	--	gen_context(system_u:object_r:hplip_var_run_t,s0)
- /var/run/hp.*\.port	--	gen_context(system_u:object_r:hplip_var_run_t,s0)
+@@ -62,3 +64,8 @@
  /var/run/ptal-printd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
  /var/run/ptal-mlcd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
+ /var/turboprint(/.*)?		gen_context(system_u:object_r:cupsd_var_run_t,s0)
 +
 +/usr/local/Brother/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 +/usr/local/Printer/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 +
 +/usr/local/linuxprinter/ppd(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-+
-+/usr/lib/cups/backend/cups-pdf	--	gen_context(system_u:object_r:cups_pdf_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.6.24/policy/modules/services/cups.if
---- nsaserefpolicy/policy/modules/services/cups.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/cups.if	2009-07-28 13:42:19.000000000 -0400
-@@ -20,6 +20,30 @@
- 
- ########################################
- ## <summary>
-+##	Setup cups to transtion to the cups backend domain
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	The type of the process performing this action.
-+##	</summary>
-+## </param>
-+#
-+interface(`cups_backend',`
-+	gen_require(`
-+		type cupsd_t;
-+	')
-+
-+	domtrans_pattern(cupsd_t, $2, $1)
-+
-+	allow cupsd_t $1:process signal;
-+	allow $1 cupsd_t:unix_stream_socket connected_stream_socket_perms;
-+
-+	cups_read_config($1)
-+	cups_append_log($1)
-+')
-+
-+########################################
-+## <summary>
- ##	Connect to cupsd over an unix domain stream socket.
- ## </summary>
- ## <param name="domain">
-@@ -212,6 +236,25 @@
- 
- ########################################
- ## <summary>
-+##	Append cups log files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`cups_append_log',`
-+	gen_require(`
-+		type cupsd_log_t;
-+	')
-+
-+	logging_search_logs($1)
-+	append_files_pattern($1, cupsd_log_t, cupsd_log_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Write cups log files.
- ## </summary>
- ## <param name="domain">
-@@ -247,3 +290,66 @@
- 	files_search_pids($1)
- 	stream_connect_pattern($1, ptal_var_run_t, ptal_var_run_t, ptal_t)
- ')
-+
-+########################################
-+## <summary>
-+##	All of the rules required to administrate 
-+##	an cups environment
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <param name="role">
-+##	<summary>
-+##	The role to be allowed to manage the cups domain.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`cups_admin',`
-+	gen_require(`
-+		type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
-+		type cupsd_etc_t, cupsd_log_t, cupsd_spool_t;
-+		type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
-+		type cupsd_var_run_t, ptal_etc_t;
-+		type ptal_var_run_t, hplip_var_run_t;
-+		type cupsd_initrc_exec_t;
-+	')
-+
-+	allow $1 cupsd_t:process { ptrace signal_perms };
-+	ps_process_pattern($1, cupsd_t)
-+	        
-+	init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
-+	domain_system_change_exemption($1)
-+	role_transition $2 cupsd_initrc_exec_t system_r;
-+	allow $2 system_r;
-+
-+	files_list_tmp($1)
-+	admin_pattern($1, cupsd_tmp_t)
-+
-+	admin_pattern($1, cupsd_lpd_tmp_t)
-+
-+	files_list_etc($1)
-+	admin_pattern($1, cupsd_etc_t)
-+
-+	admin_pattern($1, ptal_etc_t)
-+
-+	files_list_spool($1)
-+	admin_pattern($1, cupsd_spool_t)
-+
-+	logging_list_logs($1)
-+	admin_pattern($1, cupsd_log_t)
-+
-+	files_list_pids($1)
-+	admin_pattern($1, cupsd_var_run_t)
-+
-+	admin_pattern($1, ptal_var_run_t)
-+
-+	admin_pattern($1, cupsd_config_var_run_t)
-+
-+	admin_pattern($1, cupsd_lpd_var_run_t)
-+
-+	admin_pattern($1, hplip_var_run_t)
-+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.24/policy/modules/services/cups.te
---- nsaserefpolicy/policy/modules/services/cups.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/cups.te	2009-07-28 13:42:19.000000000 -0400
-@@ -20,9 +20,18 @@
- type cupsd_etc_t;
- files_config_file(cupsd_etc_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.25/policy/modules/services/cups.te
+--- nsaserefpolicy/policy/modules/services/cups.te	2009-07-28 15:51:13.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/cups.te	2009-07-29 21:34:35.000000000 -0400
+@@ -23,6 +23,9 @@
+ type cupsd_initrc_exec_t;
+ init_script_file(cupsd_initrc_exec_t)
  
-+type cupsd_initrc_exec_t;
-+init_script_file(cupsd_initrc_exec_t)
-+
 +type cupsd_interface_t;
 +files_type(cupsd_interface_t)
 +
  type cupsd_rw_etc_t;
  files_config_file(cupsd_rw_etc_t)
  
-+type cupsd_lock_t;
-+files_lock_file(cupsd_lock_t)
-+
- type cupsd_log_t;
- logging_log_file(cupsd_log_t)
- 
-@@ -48,6 +57,10 @@
- type hplip_t;
- type hplip_exec_t;
- init_daemon_domain(hplip_t, hplip_exec_t)
-+# For CUPS to run as a backend
-+cups_backend(hplip_t, hplip_exec_t)
-+domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
-+read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
- 
- type hplip_etc_t;
- files_config_file(hplip_etc_t)
-@@ -55,6 +68,9 @@
- type hplip_var_run_t;
- files_pid_file(hplip_var_run_t)
- 
-+type hplip_tmp_t;
-+files_tmp_file(hplip_tmp_t)
-+
- type ptal_t;
- type ptal_exec_t;
- init_daemon_domain(ptal_t, ptal_exec_t)
-@@ -65,6 +81,16 @@
- type ptal_var_run_t;
- files_pid_file(ptal_var_run_t)
- 
-+type cups_pdf_t;
-+type cups_pdf_exec_t;
-+domain_type(cups_pdf_t)
-+domain_entry_file(cups_pdf_t, cups_pdf_exec_t)
-+cups_backend(cups_pdf_t, cups_pdf_exec_t)
-+role system_r types cups_pdf_t;
-+
-+type cups_pdf_tmp_t;
-+files_tmp_file(cups_pdf_tmp_t)
-+
- ifdef(`enable_mcs',`
- 	init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, s0 - mcs_systemhigh)
- ')
-@@ -79,13 +105,14 @@
- #
- 
- # /usr/lib/cups/backend/serial needs sys_admin(?!)
--allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config };
-+allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_rawio sys_resource sys_tty_config };
- dontaudit cupsd_t self:capability { sys_tty_config net_admin };
--allow cupsd_t self:process { setsched signal_perms };
--allow cupsd_t self:fifo_file rw_file_perms;
-+allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
-+allow cupsd_t self:fifo_file rw_fifo_file_perms;
- allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
- allow cupsd_t self:unix_dgram_socket create_socket_perms;
- allow cupsd_t self:netlink_selinux_socket create_socket_perms;
-+allow cupsd_t self:shm create_shm_perms;
- allow cupsd_t self:tcp_socket create_stream_socket_perms;
- allow cupsd_t self:udp_socket create_socket_perms;
- allow cupsd_t self:appletalk_socket create_socket_perms;
-@@ -97,6 +124,9 @@
+@@ -116,6 +119,9 @@
  read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
  files_search_etc(cupsd_t)
  
@@ -10315,244 +9795,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
  manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
  filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
-@@ -104,8 +134,11 @@
- 
- # allow cups to execute its backend scripts
- can_exec(cupsd_t, cupsd_exec_t)
--allow cupsd_t cupsd_exec_t:dir search;
--allow cupsd_t cupsd_exec_t:lnk_file read;
-+allow cupsd_t cupsd_exec_t:dir search_dir_perms;
-+allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
-+
-+allow cupsd_t cupsd_lock_t:file manage_file_perms;
-+files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
- 
- manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
- allow cupsd_t cupsd_log_t:dir setattr;
-@@ -116,13 +149,20 @@
- manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
- files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
- 
-+# This whole section needs to be moved to a smbspool policy
-+# smbspool seems to be iterating through all existing tmp files.
-+# Looking for kerberos files
-+files_getattr_all_tmp_files(cupsd_t)
-+userdom_read_user_tmp_files(cupsd_t)
-+files_dontaudit_getattr_all_tmp_sockets(cupsd_t)
-+
- allow cupsd_t cupsd_var_run_t:dir setattr;
- manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
- manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
-+manage_fifo_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t)
- files_pid_filetrans(cupsd_t, cupsd_var_run_t, file)
- 
--read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
--
-+allow cupsd_t hplip_t:process {signal sigkill };
- allow cupsd_t hplip_var_run_t:file read_file_perms;
- 
- stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
-@@ -149,44 +189,49 @@
- corenet_tcp_bind_reserved_port(cupsd_t)
- corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
- corenet_tcp_connect_all_ports(cupsd_t)
-+corenet_tcp_connect_smbd_port(cupsd_t)
- corenet_sendrecv_hplip_client_packets(cupsd_t)
- corenet_sendrecv_ipp_client_packets(cupsd_t)
- corenet_sendrecv_ipp_server_packets(cupsd_t)
-+corenet_tcp_bind_all_rpc_ports(cupsd_t)
- 
- dev_rw_printer(cupsd_t)
- dev_read_urand(cupsd_t)
- dev_read_sysfs(cupsd_t)
--dev_read_usbfs(cupsd_t)
-+dev_rw_input_dev(cupsd_t)  #447878
-+dev_rw_generic_usb_dev(cupsd_t)
-+dev_rw_usbfs(cupsd_t)
- dev_getattr_printer_dev(cupsd_t)
- 
- domain_read_all_domains_state(cupsd_t)
- 
- fs_getattr_all_fs(cupsd_t)
- fs_search_auto_mountpoints(cupsd_t)
-+fs_read_anon_inodefs_files(cupsd_t)
- 
-+mls_fd_use_all_levels(cupsd_t)
- mls_file_downgrade(cupsd_t)
- mls_file_write_all_levels(cupsd_t)
- mls_file_read_all_levels(cupsd_t)
-+mls_rangetrans_target(cupsd_t)
- mls_socket_write_all_levels(cupsd_t)
- 
- term_use_unallocated_ttys(cupsd_t)
- term_search_ptys(cupsd_t)
- 
--auth_domtrans_chk_passwd(cupsd_t)
--auth_dontaudit_read_pam_pid(cupsd_t)
--
- # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
- corecmd_exec_shell(cupsd_t)
- corecmd_exec_bin(cupsd_t)
- 
- domain_use_interactive_fds(cupsd_t)
- 
-+files_list_spool(cupsd_t)
- files_read_etc_files(cupsd_t)
- files_read_etc_runtime_files(cupsd_t)
- # read python modules
- files_read_usr_files(cupsd_t)
- # for /var/lib/defoma
--files_search_var_lib(cupsd_t)
-+files_read_var_lib_files(cupsd_t)
- files_list_world_readable(cupsd_t)
- files_read_world_readable_files(cupsd_t)
- files_read_world_readable_symlinks(cupsd_t)
-@@ -195,19 +240,21 @@
- files_read_var_symlinks(cupsd_t)
- # for /etc/printcap
- files_dontaudit_write_etc_files(cupsd_t)
--# smbspool seems to be iterating through all existing tmp files.
--# redhat bug #214953
--# cjp: this might be a broken behavior
--files_dontaudit_getattr_all_tmp_files(cupsd_t)
- 
- selinux_compute_access_vector(cupsd_t)
-+selinux_validate_context(cupsd_t)
- 
- init_exec_script_files(cupsd_t)
-+init_read_utmp(cupsd_t)
- 
-+auth_domtrans_chk_passwd(cupsd_t)
-+auth_dontaudit_read_pam_pid(cupsd_t)
-+auth_rw_faillog(cupsd_t)
- auth_use_nsswitch(cupsd_t)
- 
- # Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
- libs_read_lib_files(cupsd_t)
-+libs_exec_lib_files(cupsd_t)
- 
- logging_send_audit_msgs(cupsd_t)
- logging_send_syslog_msg(cupsd_t)
-@@ -215,19 +262,24 @@
+@@ -250,6 +256,7 @@
  miscfiles_read_localization(cupsd_t)
  # invoking ghostscript needs to read fonts
  miscfiles_read_fonts(cupsd_t)
 +miscfiles_setattr_fonts(cupsd_t)
  
  seutil_read_config(cupsd_t)
-+sysnet_exec_ifconfig(cupsd_t)
- 
--sysnet_read_config(cupsd_t)
--
-+files_dontaudit_list_home(cupsd_t)
- userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
- userdom_dontaudit_search_user_home_content(cupsd_t)
- 
- # Write to /var/spool/cups.
- lpd_manage_spool(cupsd_t)
-+lpd_read_config(cupsd_t)
-+lpd_exec_lpr(cupsd_t)
-+lpd_relabel_spool(cupsd_t)
- 
- ifdef(`enable_mls',`
--	lpd_relabel_spool(cupsd_t)
-+	mls_trusted_object(cupsd_var_run_t)
-+	init_ranged_daemon_domain(cupsd_t, cupsd_exec_t,mls_systemhigh)
- ')
- 
- optional_policy(`
-@@ -244,8 +296,16 @@
- 	userdom_dbus_send_all_users(cupsd_t)
- 
- 	optional_policy(`
-+		avahi_dbus_chat(cupsd_t)
-+	')
-+
-+	optional_policy(`
- 		hal_dbus_chat(cupsd_t)
- 	')
-+
-+	optional_policy(`
-+		unconfined_dbus_chat(cupsd_t)
-+	')
- ')
- 
- optional_policy(`
-@@ -261,6 +321,10 @@
- ')
- 
- optional_policy(`
-+	mta_send_mail(cupsd_t)
-+')
-+
-+optional_policy(`
- 	# cups execs smbtool which reads samba_etc_t files
- 	samba_read_config(cupsd_t)
- 	samba_rw_var_files(cupsd_t)
-@@ -279,7 +343,7 @@
- # Cups configuration daemon local policy
- #
- 
--allow cupsd_config_t self:capability { chown sys_tty_config };
-+allow cupsd_config_t self:capability { chown dac_override sys_tty_config };
- dontaudit cupsd_config_t self:capability sys_tty_config;
- allow cupsd_config_t self:process signal_perms;
- allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
-@@ -302,8 +366,10 @@
- 
- allow cupsd_config_t cupsd_log_t:file rw_file_perms;
- 
--allow cupsd_config_t cupsd_tmp_t:file manage_file_perms;
--files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { file dir })
-+manage_lnk_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
-+manage_files_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
-+manage_dirs_pattern(cupsd_config_t, cupsd_tmp_t, cupsd_tmp_t)
-+files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
- 
- allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
- 
-@@ -311,7 +377,7 @@
- files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, file)
- 
- kernel_read_system_state(cupsd_config_t)
--kernel_read_kernel_sysctls(cupsd_config_t)
-+kernel_read_all_sysctls(cupsd_config_t)
- 
- corenet_all_recvfrom_unlabeled(cupsd_config_t)
- corenet_all_recvfrom_netlabel(cupsd_config_t)
-@@ -324,6 +390,7 @@
- dev_read_sysfs(cupsd_config_t)
- dev_read_urand(cupsd_config_t)
- dev_read_rand(cupsd_config_t)
-+dev_rw_generic_usb_dev(cupsd_config_t)
- 
- fs_getattr_all_fs(cupsd_config_t)
- fs_search_auto_mountpoints(cupsd_config_t)
-@@ -341,13 +408,14 @@
- files_read_var_symlinks(cupsd_config_t)
- 
- # Alternatives asks for this
--init_getattr_script_files(cupsd_config_t)
-+init_getattr_all_script_files(cupsd_config_t)
- 
- auth_use_nsswitch(cupsd_config_t)
- 
- logging_send_syslog_msg(cupsd_config_t)
- 
- miscfiles_read_localization(cupsd_config_t)
-+miscfiles_read_hwdata(cupsd_config_t)
- 
- seutil_dontaudit_search_config(cupsd_config_t)
- 
-@@ -359,14 +427,16 @@
- lpd_read_config(cupsd_config_t)
- 
- ifdef(`distro_redhat',`
--	init_getattr_script_files(cupsd_config_t)
--
- 	optional_policy(`
- 		rpm_read_db(cupsd_config_t)
- 	')
+ sysnet_exec_ifconfig(cupsd_t)
+@@ -419,6 +426,10 @@
  ')
  
  optional_policy(`
@@ -10563,125 +9814,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
  ')
  
-@@ -382,6 +452,7 @@
- optional_policy(`
- 	hal_domtrans(cupsd_config_t)
- 	hal_read_tmp_files(cupsd_config_t)
-+	hal_dontaudit_use_fds(hplip_t)
- ')
- 
- optional_policy(`
-@@ -491,7 +562,10 @@
- allow hplip_t self:udp_socket create_socket_perms;
- allow hplip_t self:rawip_socket create_socket_perms;
- 
--allow hplip_t cupsd_etc_t:dir search;
-+allow hplip_t cupsd_etc_t:dir search_dir_perms;
-+manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
-+manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
-+files_tmp_filetrans(hplip_t, cupsd_tmp_t, { file dir })
- 
- cups_stream_connect(hplip_t)
- 
-@@ -500,6 +574,13 @@
- read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
- files_search_etc(hplip_t)
- 
-+fs_rw_anon_inodefs_files(hplip_t)
-+
-+read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
-+
-+manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
-+files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
-+
- manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
- files_pid_filetrans(hplip_t, hplip_var_run_t, file)
- 
-@@ -529,7 +610,8 @@
- dev_read_urand(hplip_t)
- dev_read_rand(hplip_t)
- dev_rw_generic_usb_dev(hplip_t)
--dev_read_usbfs(hplip_t)
-+dev_rw_usbfs(hplip_t)
-+
- 
- fs_getattr_all_fs(hplip_t)
- fs_search_auto_mountpoints(hplip_t)
-@@ -553,7 +635,9 @@
- userdom_dontaudit_search_user_home_dirs(hplip_t)
- userdom_dontaudit_search_user_home_content(hplip_t)
- 
--lpd_read_config(cupsd_t)
-+
-+lpd_read_config(hplip_t)
-+lpd_manage_spool(hplip_t)
+@@ -542,6 +553,8 @@
+ manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
+ files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir })
  
- optional_policy(`
- 	dbus_system_bus_client(hplip_t)
-@@ -635,3 +719,51 @@
- optional_policy(`
- 	udev_read_db(ptal_t)
- ')
-+
-+########################################
-+#
-+# cups_pdf local policy
-+#
-+
-+allow cups_pdf_t self:capability { chown fsetid setuid setgid dac_override };
-+
-+allow cups_pdf_t self:fifo_file rw_file_perms;
-+allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
-+
-+files_read_etc_files(cups_pdf_t)
-+files_read_usr_files(cups_pdf_t)
-+
 +fs_rw_anon_inodefs_files(cups_pdf_t)
 +
-+kernel_read_system_state(cups_pdf_t)
-+
-+auth_use_nsswitch(cups_pdf_t)
-+
-+corecmd_exec_shell(cups_pdf_t)
-+corecmd_exec_bin(cups_pdf_t)
-+
-+miscfiles_read_localization(cups_pdf_t)
-+
-+manage_files_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
-+manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
-+files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir })
-+
-+userdom_home_filetrans_user_home_dir(cups_pdf_t)
-+userdom_manage_user_home_content_dirs(cups_pdf_t)
-+userdom_manage_user_home_content_files(cups_pdf_t)
-+
-+tunable_policy(`use_nfs_home_dirs',`
-+	fs_manage_nfs_dirs(cups_pdf_t)
-+	fs_manage_nfs_files(cups_pdf_t)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+	fs_manage_cifs_dirs(cups_pdf_t)
-+	fs_manage_cifs_files(cups_pdf_t)
-+')
-+
-+lpd_manage_spool(cups_pdf_t)
-+
-+manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-+miscfiles_read_fonts(cups_pdf_t)
-+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.24/policy/modules/services/cvs.te
+ kernel_read_system_state(cups_pdf_t)
+ 
+ files_read_etc_files(cups_pdf_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.25/policy/modules/services/cvs.te
 --- nsaserefpolicy/policy/modules/services/cvs.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/cvs.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/cvs.te	2009-07-29 21:34:35.000000000 -0400
 @@ -112,4 +112,5 @@
  	read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
  	manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
  	manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
 +	files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.24/policy/modules/services/dbus.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.25/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/dbus.if	2009-07-28 14:03:30.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/dbus.if	2009-07-29 21:34:35.000000000 -0400
 @@ -42,8 +42,10 @@
  	gen_require(`
  		class dbus { send_msg acquire_svc };
@@ -10765,9 +9918,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	for service (acquire_svc).
  ## </summary>
  ## <param name="domain">
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.24/policy/modules/services/dbus.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.25/policy/modules/services/dbus.te
 --- nsaserefpolicy/policy/modules/services/dbus.te	2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/dbus.te	2009-07-28 14:06:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/dbus.te	2009-07-29 21:34:35.000000000 -0400
 @@ -121,6 +121,8 @@
  
  init_use_fds(system_dbusd_t)
@@ -10793,7 +9946,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	policykit_domtrans_auth(system_dbusd_t)
  	policykit_search_lib(system_dbusd_t)
  ')
-@@ -156,5 +168,18 @@
+@@ -156,5 +167,18 @@
  #
  # Unconfined access to this module
  #
@@ -10812,9 +9965,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
 +allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
 +allow session_bus_type dbusd_unconfined:dbus send_msg;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.24/policy/modules/services/dcc.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.25/policy/modules/services/dcc.te
 --- nsaserefpolicy/policy/modules/services/dcc.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/dcc.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/dcc.te	2009-07-29 21:34:35.000000000 -0400
 @@ -130,11 +130,13 @@
  
  # Access files in /var/dcc. The map file can be updated
@@ -10841,9 +9994,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	spamassassin_read_spamd_tmp_files(dcc_client_t)
  ')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.if serefpolicy-3.6.24/policy/modules/services/ddclient.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.if serefpolicy-3.6.25/policy/modules/services/ddclient.if
 --- nsaserefpolicy/policy/modules/services/ddclient.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/ddclient.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/ddclient.if	2009-07-29 21:34:35.000000000 -0400
 @@ -21,6 +21,31 @@
  
  ########################################
@@ -10876,49 +10029,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	All of the rules required to administrate 
  ##	an ddclient environment
  ## </summary>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.24/policy/modules/services/devicekit.fc
---- nsaserefpolicy/policy/modules/services/devicekit.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/services/devicekit.fc	2009-07-28 13:42:19.000000000 -0400
-@@ -0,0 +1,9 @@
-+
-+/usr/libexec/devkit-daemon	--	gen_context(system_u:object_r:devicekit_exec_t,s0)
-+/usr/libexec/devkit-power-daemon	--	gen_context(system_u:object_r:devicekit_power_exec_t,s0)
-+/usr/libexec/devkit-disks-daemon	--	gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
-+
-+/var/lib/DeviceKit-.*			gen_context(system_u:object_r:devicekit_var_lib_t,s0)
-+
-+/var/run/devkit(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.25/policy/modules/services/devicekit.fc
+--- nsaserefpolicy/policy/modules/services/devicekit.fc	2009-07-29 15:15:33.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/devicekit.fc	2009-07-29 21:34:35.000000000 -0400
+@@ -5,4 +5,4 @@
+ /var/lib/DeviceKit-.*			gen_context(system_u:object_r:devicekit_var_lib_t,s0)
+ 
+ /var/run/devkit(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
+-/var/run/DeviceKit-disk(/.*)?		gen_context(system_u:object_r:devicekit_var_run_t,s0)
 +/var/run/DeviceKit-disks(/.*)?		gen_context(system_u:object_r:devicekit_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.24/policy/modules/services/devicekit.if
---- nsaserefpolicy/policy/modules/services/devicekit.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/services/devicekit.if	2009-07-28 13:42:19.000000000 -0400
-@@ -0,0 +1,197 @@
-+
-+## <summary>policy for devicekit</summary>
-+
-+########################################
-+## <summary>
-+##	Execute a domain transition to run devicekit.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+##	Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`devicekit_domtrans',`
-+	gen_require(`
-+		type devicekit_t;
-+                type devicekit_exec_t;
-+	')
-+
-+	domtrans_pattern($1,devicekit_exec_t,devicekit_t)
-+')
-+
-+
-+########################################
-+## <summary>
-+##	Read devicekit PID files.
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.25/policy/modules/services/devicekit.if
+--- nsaserefpolicy/policy/modules/services/devicekit.if	2009-07-29 15:15:33.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/devicekit.if	2009-07-29 21:34:35.000000000 -0400
+@@ -139,6 +139,26 @@
+ 
+ ########################################
+ ## <summary>
++##	Manage devicekit var_run files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -10926,26 +10053,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +##	</summary>
 +## </param>
 +#
-+interface(`devicekit_read_pid_files',`
-+	gen_require(`
-+		type devicekit_var_run_t;
-+	')
-+
-+	files_search_pids($1)
-+	read_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Manage devicekit var_run files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`devicekit_manage_var_run',`
++interface(`devicekit_manage_var_run',`
 +	gen_require(`
 +		type devicekit_var_run_t;
 +	')
@@ -10955,396 +10063,175 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +         manage_lnk_files_pattern($1,devicekit_var_run_t,devicekit_var_run_t)
 +')
 +
-+
-+########################################
-+## <summary>
-+##	Send and receive messages from
-+##	devicekit over dbus.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`devicekit_dbus_chat',`
-+	gen_require(`
-+		type devicekit_t;
-+		class dbus send_msg;
-+	')
-+
-+	allow $1 devicekit_t:dbus send_msg;
-+	allow devicekit_t $1:dbus send_msg;
-+')
-+
 +########################################
 +## <summary>
-+##	Send signal devicekit power
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`devicekit_power_signal',`
-+	gen_require(`
-+		type devicekit_power_t;
-+	')
-+
-+	allow $1 devicekit_power_t:process signal;
-+')
-+
-+########################################
-+## <summary>
-+##	Send and receive messages from
-+##	devicekit power over dbus.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`devicekit_power_dbus_chat',`
-+	gen_require(`
-+		type devicekit_power_t;
-+		class dbus send_msg;
-+	')
-+
-+	allow $1 devicekit_power_t:dbus send_msg;
-+	allow devicekit_power_t $1:dbus send_msg;
-+')
-+
-+########################################
-+## <summary>
-+##	All of the rules required to administrate 
-+##	an devicekit environment
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <param name="role">
-+##	<summary>
-+##	The role to be allowed to manage the devicekit domain.
-+##	</summary>
-+## </param>
-+## <param name="terminal">
-+##	<summary>
-+##	The type of the user terminal.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`devicekit_admin',`
-+	gen_require(`
-+		type devicekit_t;
-+	')
-+
-+	allow $1 devicekit_t:process { ptrace signal_perms getattr };
-+	read_files_pattern($1, devicekit_t, devicekit_t)
-+	        
-+
-+	devicekit_manage_var_run($1)
-+
-+')
-+
-+########################################
-+## <summary>
-+##	Send to devicekit over a unix domain
-+##	datagram socket.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`devicekit_dgram_send',`
-+	gen_require(`
-+		type devicekit_t;
-+	')
-+
-+	allow $1 devicekit_t:unix_dgram_socket sendto;
-+')
-+
-+########################################
-+## <summary>
-+##	Send and receive messages from
-+##	devicekit disk over dbus.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`devicekit_disk_dbus_chat',`
-+	gen_require(`
-+		type devicekit_disk_t;
-+		class dbus send_msg;
-+	')
-+
-+	allow $1 devicekit_disk_t:dbus send_msg;
-+	allow devicekit_disk_t $1:dbus send_msg;
-+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.24/policy/modules/services/devicekit.te
---- nsaserefpolicy/policy/modules/services/devicekit.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/services/devicekit.te	2009-07-28 14:13:14.000000000 -0400
-@@ -0,0 +1,248 @@
-+policy_module(devicekit,1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type devicekit_t;
-+type devicekit_exec_t;
-+dbus_system_domain(devicekit_t, devicekit_exec_t)
-+
-+type devicekit_power_t;
-+type devicekit_power_exec_t;
-+dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
-+
-+type devicekit_disk_t;
-+type devicekit_disk_exec_t;
-+dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
-+
-+type devicekit_tmp_t;
-+files_tmp_file(devicekit_tmp_t)
-+
-+type devicekit_var_run_t;
-+files_pid_file(devicekit_var_run_t)
-+
-+type devicekit_var_lib_t;
-+files_type(devicekit_var_lib_t)
-+
-+#
-+# DeviceKit local policy
-+#
-+allow devicekit_t self:unix_dgram_socket create_socket_perms;
-+
-+manage_dirs_pattern(devicekit_t, devicekit_var_run_t,  devicekit_var_run_t)
-+manage_files_pattern(devicekit_t, devicekit_var_run_t,  devicekit_var_run_t)
-+files_pid_filetrans(devicekit_t,devicekit_var_run_t, { file dir })
+ ##	All of the rules required to administrate 
+ ##	an devicekit environment
+ ## </summary>
+@@ -162,7 +182,7 @@
+ interface(`devicekit_admin',`
+ 	gen_require(`
+ 		type devicekit_t, devicekit_disk_t, devicekit_power_t;
+-		type devicekit_var_run_t;
++		type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
+ 	')
+ 
+ 	allow $1 devicekit_t:process { ptrace signal_perms getattr };
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.25/policy/modules/services/devicekit.te
+--- nsaserefpolicy/policy/modules/services/devicekit.te	2009-07-29 15:15:33.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/devicekit.te	2009-07-29 21:34:35.000000000 -0400
+@@ -36,12 +36,15 @@
+ manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
+ manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
+ files_pid_filetrans(devicekit_t, devicekit_var_run_t, { file dir })
 +allow devicekit_disk_t devicekit_var_run_t:dir mounton;
-+
-+dev_read_sysfs(devicekit_t)
-+dev_read_urand(devicekit_t)
-+
-+files_read_etc_files(devicekit_t)
-+
+ 
+ dev_read_sysfs(devicekit_t)
+ dev_read_urand(devicekit_t)
+ 
+ files_read_etc_files(devicekit_t)
+ 
 +kernel_read_system_state(devicekit_t)
 +
-+miscfiles_read_localization(devicekit_t)
-+
-+optional_policy(`
-+	dbus_system_bus_client(devicekit_t)
-+')
-+
-+optional_policy(`
-+	udev_read_db(devicekit_t)
-+')
-+
-+#
-+# DeviceKit-Power local policy
-+#
-+allow devicekit_power_t self:capability { dac_override sys_tty_config sys_nice sys_ptrace };
-+allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
-+allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
-+allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
-+
-+manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
-+manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
-+files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
-+files_read_kernel_img(devicekit_power_t)
-+
-+corecmd_exec_bin(devicekit_power_t)
-+corecmd_exec_shell(devicekit_power_t)
-+
-+consoletype_exec(devicekit_power_t)
-+
-+domain_read_all_domains_state(devicekit_power_t)
-+
-+kernel_read_network_state(devicekit_power_t)
-+kernel_read_system_state(devicekit_power_t)
-+kernel_rw_hotplug_sysctls(devicekit_power_t)
-+kernel_rw_kernel_sysctl(devicekit_power_t)
-+kernel_write_proc_files(devicekit_power_t)
-+
-+dev_read_input(devicekit_power_t)
-+dev_rw_generic_usb_dev(devicekit_power_t)
-+dev_rw_netcontrol(devicekit_power_t)
-+dev_rw_sysfs(devicekit_power_t)
-+
-+files_read_etc_files(devicekit_power_t)
-+files_read_usr_files(devicekit_power_t)
-+
-+term_use_all_terms(devicekit_power_t)
-+
-+auth_use_nsswitch(devicekit_power_t)
-+
-+miscfiles_read_localization(devicekit_power_t)
-+
-+userdom_read_all_users_state(devicekit_power_t)
-+
-+optional_policy(`
-+	hal_domtrans_mac(devicekit_power_t)
-+	hal_manage_log(devicekit_power_t)
-+	hal_manage_pid_dirs(devicekit_power_t)
-+	hal_manage_pid_files(devicekit_power_t)
-+	hal_dbus_chat(devicekit_power_t)
-+')
-+
-+optional_policy(`
-+	cron_initrc_domtrans(devicekit_power_t)
-+')
-+
-+optional_policy(`
-+	policykit_dbus_chat(devicekit_power_t)
-+	policykit_domtrans_auth(devicekit_power_t)
-+	policykit_read_lib(devicekit_power_t)
-+	policykit_read_reload(devicekit_power_t)
-+')
-+
-+optional_policy(`
-+	dbus_system_bus_client(devicekit_power_t)
-+	allow devicekit_power_t devicekit_t:dbus send_msg;
-+	allow devicekit_t devicekit_power_t:dbus send_msg;
-+
-+	optional_policy(`
-+		consolekit_dbus_chat(devicekit_power_t)
-+	')
-+
-+	optional_policy(`
-+		networkmanager_dbus_chat(devicekit_power_t)
-+	')
-+
-+	optional_policy(`
-+		rpm_dbus_chat(devicekit_power_t)
-+	')
-+')
-+
-+optional_policy(`
-+	bootloader_domtrans(devicekit_power_t)
-+')
-+
-+optional_policy(`
-+	fstools_domtrans(devicekit_power_t)
-+')
-+
-+optional_policy(`
-+	udev_read_db(devicekit_power_t)
-+')
-+
-+optional_policy(`
-+	vbetool_domtrans(devicekit_power_t)
-+')
-+#
-+# DeviceKit disk local policy
-+#
-+
+ miscfiles_read_localization(devicekit_t)
+ 
+ optional_policy(`
+@@ -60,8 +63,11 @@
+ # DeviceKit disk local policy
+ #
+ 
+-allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_ptrace sys_rawio };
 +allow devicekit_disk_t self:capability { chown dac_override fowner fsetid net_admin sys_nice sys_ptrace sys_rawio };
 +allow devicekit_disk_t self:process signal_perms;
 +
-+allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
+ allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
 +allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
-+
-+manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
-+manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
-+files_tmp_filetrans(devicekit_disk_t, devicekit_tmp_t, { file dir })
-+
-+manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
-+manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
-+files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
-+
-+corecmd_exec_bin(devicekit_disk_t)
-+
-+dev_rw_sysfs(devicekit_disk_t)
-+dev_read_urand(devicekit_disk_t)
-+dev_getattr_usbfs_dirs(devicekit_disk_t)
-+dev_manage_generic_files(devicekit_disk_t)
-+
+ 
+ manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
+ manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
+@@ -72,6 +78,7 @@
+ files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
+ 
+ kernel_read_software_raid_state(devicekit_disk_t)
 +kernel_read_system_state(devicekit_disk_t)
-+kernel_read_software_raid_state(devicekit_disk_t)
-+kernel_setsched(devicekit_disk_t)
-+
-+files_manage_mnt_dirs(devicekit_disk_t)
-+files_read_etc_files(devicekit_disk_t)
-+files_read_etc_runtime_files(devicekit_disk_t)
-+files_read_usr_files(devicekit_disk_t)
+ kernel_setsched(devicekit_disk_t)
+ 
+ corecmd_exec_bin(devicekit_disk_t)
+@@ -79,11 +86,13 @@
+ dev_rw_sysfs(devicekit_disk_t)
+ dev_read_urand(devicekit_disk_t)
+ dev_getattr_usbfs_dirs(devicekit_disk_t)
++dev_manage_generic_files(devicekit_disk_t)
+ 
+ files_manage_mnt_dirs(devicekit_disk_t)
+ files_read_etc_files(devicekit_disk_t)
+ files_read_etc_runtime_files(devicekit_disk_t)
+ files_read_usr_files(devicekit_disk_t)
 +files_manage_isid_type_dirs(devicekit_disk_t)
-+
-+fs_mount_all_fs(devicekit_disk_t)
-+fs_unmount_all_fs(devicekit_disk_t)
-+fs_manage_fusefs_dirs(devicekit_disk_t)
-+
-+storage_raw_read_fixed_disk(devicekit_disk_t)
-+storage_raw_write_fixed_disk(devicekit_disk_t)
-+storage_raw_read_removable_device(devicekit_disk_t)
-+storage_raw_write_removable_device(devicekit_disk_t)
-+
+ 
+ fs_mount_all_fs(devicekit_disk_t)
+ fs_unmount_all_fs(devicekit_disk_t)
+@@ -94,6 +103,8 @@
+ storage_raw_read_removable_device(devicekit_disk_t)
+ storage_raw_write_removable_device(devicekit_disk_t)
+ 
 +term_use_all_terms(devicekit_disk_t)
 +
-+auth_use_nsswitch(devicekit_disk_t)
-+
-+miscfiles_read_localization(devicekit_disk_t)
-+
-+userdom_read_all_users_state(devicekit_disk_t)
-+userdom_search_user_home_dirs(devicekit_disk_t)
-+
-+optional_policy(`
-+	fstools_domtrans(devicekit_disk_t)
-+')
-+
-+optional_policy(`
-+	lvm_domtrans(devicekit_disk_t)
-+')
-+
-+optional_policy(`
+ auth_use_nsswitch(devicekit_disk_t)
+ 
+ miscfiles_read_localization(devicekit_disk_t)
+@@ -110,6 +121,7 @@
+ ')
+ 
+ optional_policy(`
 +	policykit_dbus_chat(devicekit_disk_t)
-+	policykit_domtrans_auth(devicekit_disk_t)
-+	policykit_read_lib(devicekit_disk_t)
-+	policykit_read_reload(devicekit_disk_t)
-+')
+ 	policykit_domtrans_auth(devicekit_disk_t)
+ 	policykit_read_lib(devicekit_disk_t)
+ 	policykit_read_reload(devicekit_disk_t)
+@@ -134,6 +146,19 @@
+ 	udev_read_db(devicekit_disk_t)
+ ')
+ 
 +
-+optional_policy(`
-+	mount_domtrans(devicekit_disk_t)
-+')
++#ifdef(`TESTING',`
++	permissive devicekit_t;
++	permissive devicekit_power_t;
++	permissive devicekit_disk_t;
++#',`
++#optional_policy(`
++#	unconfined_domain(devicekit_t)
++#	unconfined_domain(devicekit_power_t)
++#	unconfined_domain(devicekit_disk_t)
++#')
++#')
 +
+ ########################################
+ #
+ # DeviceKit-Power local policy
+@@ -142,6 +167,7 @@
+ allow devicekit_power_t self:capability { dac_override sys_tty_config sys_nice sys_ptrace };
+ allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
+ allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
++allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
+ 
+ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+ manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+@@ -151,6 +177,7 @@
+ kernel_read_system_state(devicekit_power_t)
+ kernel_rw_hotplug_sysctls(devicekit_power_t)
+ kernel_rw_kernel_sysctl(devicekit_power_t)
++kernel_write_proc_files(devicekit_power_t)
+ 
+ corecmd_exec_bin(devicekit_power_t)
+ corecmd_exec_shell(devicekit_power_t)
+@@ -159,6 +186,7 @@
+ 
+ domain_read_all_domains_state(devicekit_power_t)
+ 
++dev_read_input(devicekit_power_t)
+ dev_rw_generic_usb_dev(devicekit_power_t)
+ dev_rw_netcontrol(devicekit_power_t)
+ dev_rw_sysfs(devicekit_power_t)
+@@ -180,8 +208,11 @@
+ ')
+ 
+ optional_policy(`
+-	dbus_system_bus_client(devicekit_power_t)
++	cron_initrc_domtrans(devicekit_power_t)
++')
+ 
 +optional_policy(`
-+	dbus_system_bus_client(devicekit_disk_t)
-+	allow devicekit_disk_t devicekit_t:dbus send_msg;
-+	allow devicekit_t devicekit_disk_t:dbus send_msg;
-+
-+	optional_policy(`
-+		consolekit_dbus_chat(devicekit_disk_t)
-+	')
++	dbus_system_bus_client(devicekit_power_t)
+ 	allow devicekit_power_t devicekit_t:dbus send_msg;
+ 
+ 	optional_policy(`
+@@ -203,17 +234,23 @@
+ 
+ optional_policy(`
+ 	hal_domtrans_mac(devicekit_power_t)
++	hal_manage_log(devicekit_power_t)
+ 	hal_manage_pid_dirs(devicekit_power_t)
+ 	hal_manage_pid_files(devicekit_power_t)
+ 	hal_dbus_chat(devicekit_power_t)
+ ')
+ 
+ optional_policy(`
++	policykit_dbus_chat(devicekit_power_t)
+ 	policykit_domtrans_auth(devicekit_power_t)
+ 	policykit_read_lib(devicekit_power_t)
+ 	policykit_read_reload(devicekit_power_t)
+ ')
+ 
+ optional_policy(`
++	udev_read_db(devicekit_power_t)
 +')
 +
 +optional_policy(`
-+	udev_domtrans(devicekit_disk_t)
-+	udev_read_db(devicekit_disk_t)
-+')
-+
-+
-+#ifdef(`TESTING',`
-+	permissive devicekit_t;
-+	permissive devicekit_power_t;
-+	permissive devicekit_disk_t;
-+#',`
-+#optional_policy(`
-+#	unconfined_domain(devicekit_t)
-+#	unconfined_domain(devicekit_power_t)
-+#	unconfined_domain(devicekit_disk_t)
-+#')
-+#')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.24/policy/modules/services/dnsmasq.te
+ 	vbetool_domtrans(devicekit_power_t)
+ ')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.25/policy/modules/services/dnsmasq.te
 --- nsaserefpolicy/policy/modules/services/dnsmasq.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/dnsmasq.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/dnsmasq.te	2009-07-29 21:34:35.000000000 -0400
 @@ -83,6 +83,14 @@
  userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
  
@@ -11360,9 +10247,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	seutil_sigchld_newrole(dnsmasq_t)
  ')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.24/policy/modules/services/dovecot.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.25/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/dovecot.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/dovecot.te	2009-07-29 21:34:35.000000000 -0400
 @@ -103,6 +103,7 @@
  dev_read_urand(dovecot_t)
  
@@ -11387,9 +10274,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
  #
  # dovecot deliver local policy
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.24/policy/modules/services/exim.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.25/policy/modules/services/exim.te
 --- nsaserefpolicy/policy/modules/services/exim.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/exim.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/exim.te	2009-07-29 21:34:35.000000000 -0400
 @@ -191,6 +191,10 @@
  ')
  
@@ -11401,9 +10288,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	spamassassin_exec(exim_t)
  	spamassassin_exec_client(exim_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.6.24/policy/modules/services/fetchmail.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.6.25/policy/modules/services/fetchmail.te
 --- nsaserefpolicy/policy/modules/services/fetchmail.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/fetchmail.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/fetchmail.te	2009-07-29 21:34:35.000000000 -0400
 @@ -47,6 +47,8 @@
  kernel_read_proc_symlinks(fetchmail_t)
  kernel_dontaudit_read_system_state(fetchmail_t)
@@ -11413,123 +10300,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  corenet_all_recvfrom_unlabeled(fetchmail_t)
  corenet_all_recvfrom_netlabel(fetchmail_t)
  corenet_tcp_sendrecv_generic_if(fetchmail_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.fc serefpolicy-3.6.24/policy/modules/services/fprintd.fc
---- nsaserefpolicy/policy/modules/services/fprintd.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/services/fprintd.fc	2009-07-28 13:42:19.000000000 -0400
-@@ -0,0 +1,4 @@
-+
-+/usr/libexec/fprintd	--	gen_context(system_u:object_r:fprintd_exec_t,s0)
-+
-+/var/lib/fprint(/.*)?		gen_context(system_u:object_r:fprintd_var_lib_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.if serefpolicy-3.6.24/policy/modules/services/fprintd.if
---- nsaserefpolicy/policy/modules/services/fprintd.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/services/fprintd.if	2009-07-28 13:42:19.000000000 -0400
-@@ -0,0 +1,43 @@
-+
-+## <summary>policy for fprintd</summary>
-+
-+########################################
-+## <summary>
-+##	Execute a domain transition to run fprintd.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+##	Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`fprintd_domtrans',`
-+	gen_require(`
-+		type fprintd_t;
-+                type fprintd_exec_t;
-+	')
-+
-+	domtrans_pattern($1,fprintd_exec_t,fprintd_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Send and receive messages from
-+##	fprintd over dbus.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`fprintd_dbus_chat',`
-+	gen_require(`
-+		type fprintd_t;
-+		class dbus send_msg;
-+	')
-+
-+	allow $1 fprintd_t:dbus send_msg;
-+	allow fprintd_t $1:dbus send_msg;
-+')
-+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.24/policy/modules/services/fprintd.te
---- nsaserefpolicy/policy/modules/services/fprintd.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/services/fprintd.te	2009-07-28 13:42:19.000000000 -0400
-@@ -0,0 +1,55 @@
-+policy_module(fprintd,1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type fprintd_t;
-+type fprintd_exec_t;
-+dbus_system_domain(fprintd_t, fprintd_exec_t)
-+
-+type fprintd_var_lib_t;
-+files_type(fprintd_var_lib_t)
-+
-+allow fprintd_t self:capability sys_ptrace;
-+allow fprintd_t self:fifo_file rw_fifo_file_perms;
-+allow fprintd_t self:process { getsched signal };
-+
-+manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
-+manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
-+files_var_lib_filetrans(fprintd_t, fprintd_var_lib_t, { dir file })
-+
-+corecmd_search_bin(fprintd_t)
-+
-+dev_list_usbfs(fprintd_t)
-+dev_rw_generic_usb_dev(fprintd_t)
-+dev_read_sysfs(fprintd_t)
-+
-+files_read_etc_files(fprintd_t)
-+files_read_usr_files(fprintd_t)
-+
-+fs_list_inotifyfs(fprintd_t)
-+
-+kernel_read_system_state(fprintd_t)
-+
-+auth_use_nsswitch(fprintd_t)
-+
-+miscfiles_read_localization(fprintd_t)
-+
-+userdom_use_user_ptys(fprintd_t)
-+userdom_read_all_users_state(fprintd_t)
-+
-+optional_policy(`
-+	consolekit_dbus_chat(fprintd_t)
-+')
-+
-+optional_policy(`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.25/policy/modules/services/fprintd.te
+--- nsaserefpolicy/policy/modules/services/fprintd.te	2009-07-29 15:15:33.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/fprintd.te	2009-07-29 21:36:03.000000000 -0400
+@@ -51,5 +51,7 @@
+ optional_policy(`
+ 	policykit_read_reload(fprintd_t)
+ 	policykit_read_lib(fprintd_t)
 +	policykit_dbus_chat(fprintd_t)
-+	policykit_domtrans_auth(fprintd_t)
-+	policykit_read_lib(fprintd_t)
-+	policykit_read_reload(fprintd_t)
-+')
-+
-+permissive fprintd_t;
+ 	policykit_domtrans_auth(fprintd_t)
+ ')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.24/policy/modules/services/ftp.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.25/policy/modules/services/ftp.te
 --- nsaserefpolicy/policy/modules/services/ftp.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/ftp.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/ftp.te	2009-07-29 21:34:35.000000000 -0400
 @@ -41,6 +41,13 @@
  
  ## <desc>
@@ -11631,16 +10415,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	seutil_sigchld_newrole(ftpd_t)
  ')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.fc serefpolicy-3.6.24/policy/modules/services/gnomeclock.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.fc serefpolicy-3.6.25/policy/modules/services/gnomeclock.fc
 --- nsaserefpolicy/policy/modules/services/gnomeclock.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/services/gnomeclock.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/gnomeclock.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -0,0 +1,3 @@
 +
 +/usr/libexec/gnome-clock-applet-mechanism	--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.6.24/policy/modules/services/gnomeclock.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.6.25/policy/modules/services/gnomeclock.if
 --- nsaserefpolicy/policy/modules/services/gnomeclock.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/services/gnomeclock.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/gnomeclock.if	2009-07-29 21:34:35.000000000 -0400
 @@ -0,0 +1,69 @@
 +
 +## <summary>policy for gnomeclock</summary>
@@ -11711,9 +10495,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	allow $1 gnomeclock_t:dbus send_msg;
 +	allow gnomeclock_t $1:dbus send_msg;
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.6.24/policy/modules/services/gnomeclock.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.6.25/policy/modules/services/gnomeclock.te
 --- nsaserefpolicy/policy/modules/services/gnomeclock.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/services/gnomeclock.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/gnomeclock.te	2009-07-29 21:34:35.000000000 -0400
 @@ -0,0 +1,50 @@
 +policy_module(gnomeclock, 1.0.0)
 +########################################
@@ -11765,9 +10549,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	policykit_read_reload(gnomeclock_t)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.fc serefpolicy-3.6.24/policy/modules/services/gpsd.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.fc serefpolicy-3.6.25/policy/modules/services/gpsd.fc
 --- nsaserefpolicy/policy/modules/services/gpsd.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/gpsd.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/gpsd.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -1 +1,6 @@
 +/etc/rc\.d/init\.d/gpsd         --      gen_context(system_u:object_r:gpsd_initrc_exec_t,s0)
 +
@@ -11775,9 +10559,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +/var/run/gpsd\.pid               --      gen_context(system_u:object_r:gpsd_var_run_t,s0)
 +/var/run/gpsd\.sock              -s      gen_context(system_u:object_r:gpsd_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.if serefpolicy-3.6.24/policy/modules/services/gpsd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.if serefpolicy-3.6.25/policy/modules/services/gpsd.if
 --- nsaserefpolicy/policy/modules/services/gpsd.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/gpsd.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/gpsd.if	2009-07-29 21:34:35.000000000 -0400
 @@ -33,11 +33,6 @@
  ##	The role to be allowed the gpsd domain.
  ##	</summary>
@@ -11823,9 +10607,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +        rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
 +        read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.6.24/policy/modules/services/gpsd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.6.25/policy/modules/services/gpsd.te
 --- nsaserefpolicy/policy/modules/services/gpsd.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/gpsd.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/gpsd.te	2009-07-29 22:45:43.000000000 -0400
 @@ -11,9 +11,15 @@
  application_domain(gpsd_t, gpsd_exec_t)
  init_daemon_domain(gpsd_t, gpsd_exec_t)
@@ -11853,10 +10637,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  corenet_all_recvfrom_unlabeled(gpsd_t)
  corenet_all_recvfrom_netlabel(gpsd_t)
  corenet_tcp_sendrecv_generic_if(gpsd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.24/policy/modules/services/hal.if
+@@ -51,5 +61,5 @@
+ ')
+ 
+ optional_policy(`
+-	ntpd_rw_shm(gpsd_t)
++	ntp_rw_shm(gpsd_t)
+ ')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.25/policy/modules/services/hal.if
 --- nsaserefpolicy/policy/modules/services/hal.if	2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/hal.if	2009-07-28 14:14:19.000000000 -0400
-@@ -413,3 +414,21 @@
++++ serefpolicy-3.6.25/policy/modules/services/hal.if	2009-07-29 21:34:35.000000000 -0400
+@@ -413,3 +413,21 @@
  	files_search_pids($1)
  	manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
  ')
@@ -11878,9 +10669,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	dontaudit $1 hald_t:unix_dgram_socket { read write };
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.24/policy/modules/services/hal.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.25/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/hal.te	2009-07-28 14:20:01.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/hal.te	2009-07-29 23:08:37.000000000 -0400
 @@ -55,6 +55,9 @@
  type hald_var_lib_t;
  files_type(hald_var_lib_t)
@@ -11919,19 +10710,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	policykit_domtrans_auth(hald_t)
  	policykit_domtrans_resolve(hald_t)
  	policykit_read_lib(hald_t)
-@@ -318,7 +328,11 @@
+@@ -321,6 +331,10 @@
+ 	virt_manage_images(hald_t)
  ')
  
- optional_policy(`
--	virt_manage_images(hald_t)
-+	virtual_manage_image(hald_t)
-+')
-+
 +optional_policy(`
 +	xserver_read_pid(hald_t)
- ')
- 
++')
++
  ########################################
+ #
+ # Hal acl local policy
 @@ -341,6 +355,7 @@
  manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
  manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
@@ -11992,9 +10781,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +permissive hald_dccm_t;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.24/policy/modules/services/kerberos.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.25/policy/modules/services/kerberos.te
 --- nsaserefpolicy/policy/modules/services/kerberos.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/kerberos.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/kerberos.te	2009-07-29 21:34:35.000000000 -0400
 @@ -277,6 +277,8 @@
  #
  
@@ -12034,9 +10823,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  sysnet_dns_name_resolve(kpropd_t)
  
  kerberos_use(kpropd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.6.24/policy/modules/services/ktalk.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.6.25/policy/modules/services/ktalk.te
 --- nsaserefpolicy/policy/modules/services/ktalk.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/ktalk.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/ktalk.te	2009-07-29 21:34:35.000000000 -0400
 @@ -69,6 +69,7 @@
  files_read_etc_files(ktalkd_t)
  
@@ -12045,10 +10834,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  auth_use_nsswitch(ktalkd_t)
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.24/policy/modules/services/lircd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.25/policy/modules/services/lircd.te
 --- nsaserefpolicy/policy/modules/services/lircd.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/lircd.te	2009-07-28 13:42:19.000000000 -0400
-@@ -42,7 +42,17 @@
++++ serefpolicy-3.6.25/policy/modules/services/lircd.te	2009-07-29 21:34:35.000000000 -0400
+@@ -42,7 +42,18 @@
  # /dev/lircd socket
  manage_sock_files_pattern(lircd_t, lircd_sock_t, lircd_sock_t)
  dev_filetrans(lircd_t, lircd_sock_t, sock_file )
@@ -12056,6 +10845,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +dev_filetrans_lirc(lircd_t)
 +dev_rw_lirc(lircd_t)
++dev_rw_input_dev(lircd_t)
  
  logging_send_syslog_msg(lircd_t)
  
@@ -12066,9 +10856,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
  miscfiles_read_localization(lircd_t)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.24/policy/modules/services/mailman.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.25/policy/modules/services/mailman.te
 --- nsaserefpolicy/policy/modules/services/mailman.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/mailman.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/mailman.te	2009-07-29 21:34:35.000000000 -0400
 @@ -78,6 +78,10 @@
  mta_dontaudit_rw_queue(mailman_mail_t)
  
@@ -12080,9 +10870,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	cron_read_pipes(mailman_mail_t)
  ')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.6.24/policy/modules/services/memcached.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.6.25/policy/modules/services/memcached.te
 --- nsaserefpolicy/policy/modules/services/memcached.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/memcached.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/memcached.te	2009-07-29 21:34:35.000000000 -0400
 @@ -44,6 +44,8 @@
  
  files_read_etc_files(memcached_t)
@@ -12092,59 +10882,117 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  miscfiles_read_localization(memcached_t)
  
  sysnet_dns_name_resolve(memcached_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.24/policy/modules/services/mta.fc
---- nsaserefpolicy/policy/modules/services/mta.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/mta.fc	2009-07-28 13:42:19.000000000 -0400
-@@ -1,4 +1,4 @@
--/bin/mail		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
-+/bin/mail(x)?		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
- 
- /etc/aliases		--	gen_context(system_u:object_r:etc_aliases_t,s0)
- /etc/aliases\.db	--	gen_context(system_u:object_r:etc_aliases_t,s0)
-@@ -10,10 +10,13 @@
- ')
- 
- /usr/lib(64)?/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
-+/usr/lib/courier/bin/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
- 
-+/usr/bin/esmtp    		-- gen_context(system_u:object_r:sendmail_exec_t,s0)
- /usr/sbin/rmail		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
- /usr/sbin/sendmail\.postfix --	gen_context(system_u:object_r:sendmail_exec_t,s0)
- /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-+/usr/sbin/ssmtp 		-- gen_context(system_u:object_r:sendmail_exec_t,s0)
- 
- /var/mail(/.*)?			gen_context(system_u:object_r:mail_spool_t,s0)
- 
-@@ -22,7 +25,5 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.fc serefpolicy-3.6.25/policy/modules/services/modemmanager.fc
+--- nsaserefpolicy/policy/modules/services/modemmanager.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.25/policy/modules/services/modemmanager.fc	2009-07-29 23:31:22.000000000 -0400
+@@ -0,0 +1,2 @@
++
++/usr/sbin/modem-manager	--	gen_context(system_u:object_r:ModemManager_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.if serefpolicy-3.6.25/policy/modules/services/modemmanager.if
+--- nsaserefpolicy/policy/modules/services/modemmanager.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.25/policy/modules/services/modemmanager.if	2009-07-29 23:31:22.000000000 -0400
+@@ -0,0 +1,43 @@
++
++## <summary>policy for ModemManager</summary>
++
++########################################
++## <summary>
++##	Execute a domain transition to run ModemManager.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`ModemManager_domtrans',`
++	gen_require(`
++		type ModemManager_t;
++                type ModemManager_exec_t;
++	')
++
++	domtrans_pattern($1,ModemManager_exec_t,ModemManager_t)
++')
++
++
++########################################
++## <summary>
++##	Send and receive messages from
++##	ModemManager over dbus.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`ModemManager_dbus_chat',`
++	gen_require(`
++		type ModemManager_t;
++		class dbus send_msg;
++	')
++
++	allow $1 ModemManager_t:dbus send_msg;
++	allow ModemManager_t $1:dbus send_msg;
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.6.25/policy/modules/services/modemmanager.te
+--- nsaserefpolicy/policy/modules/services/modemmanager.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.25/policy/modules/services/modemmanager.te	2009-07-29 23:50:51.000000000 -0400
+@@ -0,0 +1,41 @@
++policy_module(ModemManager,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type ModemManager_t;
++type ModemManager_exec_t;
++dbus_system_domain(ModemManager_t, ModemManager_exec_t)
++
++########################################
++#
++# ModemManager local policy
++#
++
++
++# Init script handling
++domain_use_interactive_fds(ModemManager_t)
++
++# internal communication is often done using fifo and unix sockets.
++allow ModemManager_t self:fifo_file rw_file_perms;
++allow ModemManager_t self:unix_stream_socket create_stream_socket_perms;
++allow ModemManager_t self:netlink_kobject_uevent_socket create_socket_perms;
++
++kernel_read_system_state(ModemManager_t)
++
++dev_read_sysfs(ModemManager_t)
++
++files_read_etc_files(ModemManager_t)
++
++miscfiles_read_localization(ModemManager_t)
++
++logging_send_syslog_msg(ModemManager_t)
++
++optional_policy(`
++	networkmanager_dbus_chat(ModemManager_t)
++')
++
++permissive ModemManager_t;
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.25/policy/modules/services/mta.fc
+--- nsaserefpolicy/policy/modules/services/mta.fc	2009-07-29 15:15:33.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/mta.fc	2009-07-29 21:34:35.000000000 -0400
+@@ -26,3 +26,5 @@
  /var/spool/imap(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
  /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
  /var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
--
--#ifdef(`postfix.te', `', `
--#/var/spool/postfix(/.*)?	gen_context(system_u:object_r:mail_spool_t,s0)
--#')
 +HOME_DIR/\.forward	--	gen_context(system_u:object_r:mail_forward_t,s0)
 +/root/\.forward		--	gen_context(system_u:object_r:mail_forward_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.24/policy/modules/services/mta.if
---- nsaserefpolicy/policy/modules/services/mta.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/mta.if	2009-07-28 13:42:19.000000000 -0400
-@@ -130,6 +130,15 @@
- 		sendmail_create_log($1_mail_t)
- 	')
- 
-+	optional_policy(`
-+		exim_read_log($1_mail_t)
-+		exim_append_log($1_mail_t)
-+		exim_manage_spool_files($1_mail_t)
-+	')
-+
-+	optional_policy(`
-+		uucp_manage_spool($1_mail_t)
-+	')
- ')
- 
- ########################################
-@@ -302,11 +311,13 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.25/policy/modules/services/mta.if
+--- nsaserefpolicy/policy/modules/services/mta.if	2009-07-29 15:15:33.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/mta.if	2009-07-29 21:34:35.000000000 -0400
+@@ -311,6 +311,7 @@
  	allow $1 mail_spool_t:dir list_dir_perms;
  	create_files_pattern($1, mail_spool_t, mail_spool_t)
  	read_files_pattern($1, mail_spool_t, mail_spool_t)
@@ -12152,13 +11000,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	create_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
  	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
  
- 	optional_policy(`
- 		dovecot_manage_spool($1)
-+		dovecot_domtrans_deliver($1)
- 	')
- 
- 	optional_policy(`
-@@ -341,6 +352,7 @@
+@@ -351,6 +352,7 @@
  		# apache should set close-on-exec
  		apache_dontaudit_rw_stream_sockets($1)
  		apache_dontaudit_rw_sys_script_stream_sockets($1)
@@ -12166,54 +11008,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  ')
  
-@@ -446,6 +458,26 @@
+@@ -471,6 +473,7 @@
+ 	')
  
- ########################################
- ## <summary>
-+##	write mail server configuration.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`mta_write_config',`
-+	gen_require(`
-+		type etc_mail_t;
-+	')
-+
-+	write_files_pattern($1, etc_mail_t, etc_mail_t)
+ 	write_files_pattern($1, etc_mail_t, etc_mail_t)
 +	allow $1 etc_mail_t:file setattr;
-+')
-+
-+########################################
-+## <summary>
- ##	Read mail address aliases.
- ## </summary>
- ## <param name="domain">
-@@ -591,8 +623,8 @@
- 
- 	files_search_spool($1)
- 	allow $1 mail_spool_t:dir list_dir_perms;
--	allow $1 mail_spool_t:lnk_file read;
--	allow $1 mail_spool_t:file getattr;
-+	getattr_files_pattern($1, mail_spool_t, mail_spool_t)
-+	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
  ')
  
  ########################################
-@@ -612,7 +644,7 @@
- 	')
- 
- 	files_dontaudit_search_spool($1)
--	dontaudit $1 mail_spool_t:dir search;
-+	dontaudit $1 mail_spool_t:dir search_dir_perms;
- 	dontaudit $1 mail_spool_t:lnk_file read;
- 	dontaudit $1 mail_spool_t:file getattr;
- ')
-@@ -665,7 +697,7 @@
+@@ -694,7 +697,7 @@
  	files_search_spool($1)
  	allow $1 mail_spool_t:dir list_dir_perms;
  	allow $1 mail_spool_t:file setattr;
@@ -12222,17 +11025,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
  ')
  
-@@ -806,6 +838,7 @@
- 	')
- 
- 	files_search_spool($1)
-+	manage_dirs_pattern($1, mqueue_spool_t, mqueue_spool_t)
- 	manage_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
- ')
- 
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.24/policy/modules/services/mta.te
---- nsaserefpolicy/policy/modules/services/mta.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/mta.te	2009-07-28 13:42:19.000000000 -0400
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.25/policy/modules/services/mta.te
+--- nsaserefpolicy/policy/modules/services/mta.te	2009-07-29 15:15:33.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/mta.te	2009-07-29 21:34:35.000000000 -0400
 @@ -27,6 +27,9 @@
  type mail_spool_t;
  files_mountpoint(mail_spool_t)
@@ -12243,36 +11038,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  type sendmail_exec_t;
  mta_agent_executable(sendmail_exec_t)
  
-@@ -47,34 +50,48 @@
- #
- 
- # newalias required this, not sure if it is needed in 'if' file
--allow system_mail_t self:capability { dac_override };
-+allow system_mail_t self:capability { dac_override fowner };
-+allow system_mail_t self:fifo_file rw_fifo_file_perms;
- 
- read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
-+read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
+@@ -57,6 +60,8 @@
  
- allow system_mail_t mta_exec_type:file entrypoint;
+ can_exec(system_mail_t, mta_exec_type)
  
--allow system_mail_t mailcontent_type:file read_file_perms;
-+can_exec(system_mail_t, mta_exec_type)
-+
 +files_read_all_tmp_files(system_mail_t)
- 
++
  kernel_read_system_state(system_mail_t)
  kernel_read_network_state(system_mail_t)
  
-+dev_read_sysfs(system_mail_t)
- dev_read_rand(system_mail_t)
- dev_read_urand(system_mail_t)
- 
-+fs_rw_anon_inodefs_files(system_mail_t)
-+
-+selinux_getattr_fs(system_mail_t)
-+
- init_use_script_ptys(system_mail_t)
+@@ -72,16 +77,21 @@
  
  userdom_use_user_terminals(system_mail_t)
  userdom_dontaudit_search_user_home_dirs(system_mail_t)
@@ -12294,44 +11069,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -88,6 +105,13 @@
+@@ -93,13 +103,9 @@
+ ')
+ 
  optional_policy(`
+-	clamav_stream_connect(system_mail_t)
+-	clamav_append_log(system_mail_t)
+-')
+-
+-optional_policy(`
  	cron_read_system_job_tmp_files(system_mail_t)
  	cron_dontaudit_write_pipes(system_mail_t)
 +	cron_rw_system_stream_sockets(system_mail_t)
-+')
-+
-+optional_policy(`
-+	courier_manage_spool_dirs(system_mail_t)
-+	courier_manage_spool_files(system_mail_t)
-+	courier_rw_spool_pipes(system_mail_t)
  ')
  
  optional_policy(`
-@@ -95,6 +119,11 @@
+@@ -118,10 +124,6 @@
  ')
  
  optional_policy(`
-+	exim_domtrans(system_mail_t)
-+	exim_manage_log(system_mail_t)
-+')
-+
-+optional_policy(`
- 	logrotate_read_tmp_files(system_mail_t)
- ')
- 
-@@ -132,10 +161,6 @@
- 		# compatability for old default main.cf
- 		postfix_config_filetrans(system_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
- 	')
+-	fail2ban_append_log(system_mail_t)
+-')
 -
--	optional_policy(`
--		cron_rw_tcp_sockets(system_mail_t)
--	')
+-optional_policy(`
+ 	logrotate_read_tmp_files(system_mail_t)
  ')
  
- optional_policy(`
-@@ -155,6 +180,19 @@
+@@ -178,6 +180,19 @@
  ')
  
  optional_policy(`
@@ -12351,7 +11115,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	smartmon_read_tmp_files(system_mail_t)
  ')
  
-@@ -174,6 +212,25 @@
+@@ -197,6 +212,25 @@
  	')
  ')
  
@@ -12377,9 +11141,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
  #
  # User send mail local policy
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.6.24/policy/modules/services/munin.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.6.25/policy/modules/services/munin.fc
 --- nsaserefpolicy/policy/modules/services/munin.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/munin.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/munin.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -9,3 +9,6 @@
  /var/lib/munin(/.*)?			gen_context(system_u:object_r:munin_var_lib_t,s0)
  /var/log/munin.*			gen_context(system_u:object_r:munin_log_t,s0)
@@ -12387,9 +11151,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/www/html/munin(/.*)?		gen_context(system_u:object_r:httpd_munin_content_t,s0)
 +/var/www/html/munin/cgi(/.*)?		gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.24/policy/modules/services/munin.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.25/policy/modules/services/munin.te
 --- nsaserefpolicy/policy/modules/services/munin.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/munin.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/munin.te	2009-07-29 21:34:35.000000000 -0400
 @@ -33,7 +33,7 @@
  # Local policy
  #
@@ -12469,9 +11233,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
 +manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.24/policy/modules/services/mysql.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.25/policy/modules/services/mysql.te
 --- nsaserefpolicy/policy/modules/services/mysql.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/mysql.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/mysql.te	2009-07-29 21:34:35.000000000 -0400
 @@ -136,6 +136,8 @@
  
  domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
@@ -12490,9 +11254,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  mysql_read_config(mysqld_safe_t)
  mysql_search_pid_files(mysqld_safe_t)
  mysql_write_log(mysqld_safe_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.24/policy/modules/services/nagios.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.25/policy/modules/services/nagios.fc
 --- nsaserefpolicy/policy/modules/services/nagios.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/nagios.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/nagios.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -1,16 +1,21 @@
  /etc/nagios(/.*)?			gen_context(system_u:object_r:nagios_etc_t,s0)
  /etc/nagios/nrpe\.cfg		--	gen_context(system_u:object_r:nrpe_etc_t,s0)
@@ -12518,9 +11282,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
 +/usr/lib(64)?/cgi-bin/nagios(/.+)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
 +/usr/lib(64)?/nagios/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.24/policy/modules/services/nagios.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.25/policy/modules/services/nagios.if
 --- nsaserefpolicy/policy/modules/services/nagios.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/nagios.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/nagios.if	2009-07-29 21:34:35.000000000 -0400
 @@ -64,7 +64,7 @@
  
  ########################################
@@ -12620,9 +11384,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	admin_pattern($1, nrpe_etc_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.24/policy/modules/services/nagios.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.25/policy/modules/services/nagios.te
 --- nsaserefpolicy/policy/modules/services/nagios.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/nagios.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/nagios.te	2009-07-29 21:34:35.000000000 -0400
 @@ -10,13 +10,12 @@
  type nagios_exec_t;
  init_daemon_domain(nagios_t, nagios_exec_t)
@@ -12718,9 +11482,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  ########################################
  #
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.24/policy/modules/services/networkmanager.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.25/policy/modules/services/networkmanager.fc
 --- nsaserefpolicy/policy/modules/services/networkmanager.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/networkmanager.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/networkmanager.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -1,12 +1,25 @@
 +/etc/rc\.d/init\.d/wicd		--	gen_context(system_u:object_r:NetworkManager_initrc_exec_t, s0)
 +/etc/NetworkManager/dispatcher\.d(/.*)	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
@@ -12747,9 +11511,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 +/var/run/nm-dhclient.*			gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.24/policy/modules/services/networkmanager.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.25/policy/modules/services/networkmanager.if
 --- nsaserefpolicy/policy/modules/services/networkmanager.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/networkmanager.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/networkmanager.if	2009-07-29 21:34:35.000000000 -0400
 @@ -118,6 +118,24 @@
  
  ########################################
@@ -12806,9 +11570,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	role $2 types NetworkManager_t;
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.24/policy/modules/services/networkmanager.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.25/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/networkmanager.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/networkmanager.te	2009-07-29 23:49:39.000000000 -0400
 @@ -19,6 +19,9 @@
  type NetworkManager_tmp_t;
  files_tmp_file(NetworkManager_tmp_t)
@@ -12819,7 +11583,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  type NetworkManager_var_run_t;
  files_pid_file(NetworkManager_var_run_t)
  
-@@ -33,9 +36,9 @@
+@@ -33,13 +36,14 @@
  
  # networkmanager will ptrace itself if gdb is installed
  # and it receives a unexpected signal (rh bug #204161) 
@@ -12831,7 +11595,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
  allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
  allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
-@@ -51,8 +54,10 @@
+ allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
++allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms;
+ allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
+ allow NetworkManager_t self:udp_socket create_socket_perms;
+ allow NetworkManager_t self:packet_socket create_socket_perms;
+@@ -51,8 +55,10 @@
  manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
  logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
  
@@ -12844,7 +11613,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
  manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
-@@ -63,6 +68,8 @@
+@@ -63,6 +69,8 @@
  kernel_read_network_state(NetworkManager_t)
  kernel_read_kernel_sysctls(NetworkManager_t)
  kernel_load_module(NetworkManager_t)
@@ -12853,7 +11622,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  corenet_all_recvfrom_unlabeled(NetworkManager_t)
  corenet_all_recvfrom_netlabel(NetworkManager_t)
-@@ -81,13 +88,18 @@
+@@ -81,13 +89,18 @@
  corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
  corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
  corenet_sendrecv_all_client_packets(NetworkManager_t)
@@ -12872,7 +11641,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  mls_file_read_all_levels(NetworkManager_t)
  
-@@ -98,15 +110,20 @@
+@@ -98,15 +111,20 @@
  
  domain_use_interactive_fds(NetworkManager_t)
  domain_read_confined_domains_state(NetworkManager_t)
@@ -12894,7 +11663,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  logging_send_syslog_msg(NetworkManager_t)
  
  miscfiles_read_localization(NetworkManager_t)
-@@ -116,25 +133,40 @@
+@@ -116,25 +134,40 @@
  
  seutil_read_config(NetworkManager_t)
  
@@ -12942,7 +11711,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -146,8 +178,25 @@
+@@ -146,8 +179,25 @@
  ')
  
  optional_policy(`
@@ -12970,7 +11739,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -155,23 +204,51 @@
+@@ -155,23 +205,51 @@
  ')
  
  optional_policy(`
@@ -13024,7 +11793,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -179,12 +256,15 @@
+@@ -179,12 +257,15 @@
  ')
  
  optional_policy(`
@@ -13040,9 +11809,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.6.24/policy/modules/services/nis.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.6.25/policy/modules/services/nis.fc
 --- nsaserefpolicy/policy/modules/services/nis.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/nis.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/nis.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -1,4 +1,7 @@
 -
 +/etc/rc\.d/init\.d/ypbind	--	gen_context(system_u:object_r:ypbind_initrc_exec_t,s0)
@@ -13052,9 +11821,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /etc/ypserv\.conf	--	gen_context(system_u:object_r:ypserv_conf_t,s0)
  
  /sbin/ypbind		--	gen_context(system_u:object_r:ypbind_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.6.24/policy/modules/services/nis.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.6.25/policy/modules/services/nis.if
 --- nsaserefpolicy/policy/modules/services/nis.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/nis.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/nis.if	2009-07-29 21:34:35.000000000 -0400
 @@ -28,7 +28,7 @@
  		type var_yp_t;
  	')
@@ -13196,9 +11965,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	role $2 types ypbind_t;
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.24/policy/modules/services/nis.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.25/policy/modules/services/nis.te
 --- nsaserefpolicy/policy/modules/services/nis.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/nis.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/nis.te	2009-07-29 21:34:35.000000000 -0400
 @@ -13,6 +13,9 @@
  type ypbind_exec_t;
  init_daemon_domain(ypbind_t, ypbind_exec_t)
@@ -13248,9 +12017,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  corenet_tcp_bind_all_rpc_ports(ypxfr_t)
  corenet_udp_bind_all_rpc_ports(ypxfr_t)
  corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.6.24/policy/modules/services/nscd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.6.25/policy/modules/services/nscd.if
 --- nsaserefpolicy/policy/modules/services/nscd.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/nscd.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/nscd.if	2009-07-29 21:34:35.000000000 -0400
 @@ -236,6 +236,24 @@
  
  ########################################
@@ -13276,9 +12045,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	All of the rules required to administrate 
  ##	an nscd environment
  ## </summary>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.6.24/policy/modules/services/nscd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.6.25/policy/modules/services/nscd.te
 --- nsaserefpolicy/policy/modules/services/nscd.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/nscd.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/nscd.te	2009-07-29 21:34:35.000000000 -0400
 @@ -90,6 +90,7 @@
  selinux_compute_relabel_context(nscd_t)
  selinux_compute_user_contexts(nscd_t)
@@ -13300,17 +12069,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	samba_read_config(nscd_t)
 +	samba_read_var_files(nscd_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.fc serefpolicy-3.6.24/policy/modules/services/nslcd.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.fc serefpolicy-3.6.25/policy/modules/services/nslcd.fc
 --- nsaserefpolicy/policy/modules/services/nslcd.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/services/nslcd.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/nslcd.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -0,0 +1,4 @@
 +/usr/sbin/nslcd	--	gen_context(system_u:object_r:nslcd_exec_t,s0)
 +/etc/nss-ldapd.conf	--	gen_context(system_u:object_r:nslcd_conf_t,s0)
 +/etc/rc\.d/init\.d/nslcd	--	gen_context(system_u:object_r:nslcd_initrc_exec_t,s0)
 +/var/run/nslcd(/.*)?			gen_context(system_u:object_r:nslcd_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.if serefpolicy-3.6.24/policy/modules/services/nslcd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.if serefpolicy-3.6.25/policy/modules/services/nslcd.if
 --- nsaserefpolicy/policy/modules/services/nslcd.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/services/nslcd.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/nslcd.if	2009-07-29 21:34:35.000000000 -0400
 @@ -0,0 +1,142 @@
 +
 +## <summary>policy for nslcd</summary>
@@ -13454,9 +12223,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	nslcd_manage_var_run($1)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.te serefpolicy-3.6.24/policy/modules/services/nslcd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.te serefpolicy-3.6.25/policy/modules/services/nslcd.te
 --- nsaserefpolicy/policy/modules/services/nslcd.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/services/nslcd.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/nslcd.te	2009-07-29 21:34:35.000000000 -0400
 @@ -0,0 +1,50 @@
 +policy_module(nslcd,1.0.0)
 +
@@ -13508,9 +12277,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +auth_use_nsswitch(nslcd_t)
 +
 +logging_send_syslog_msg(nslcd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.6.24/policy/modules/services/ntp.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.6.25/policy/modules/services/ntp.if
 --- nsaserefpolicy/policy/modules/services/ntp.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/ntp.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/ntp.if	2009-07-29 21:43:08.000000000 -0400
 @@ -37,6 +37,32 @@
  
  ########################################
@@ -13544,74 +12313,43 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Execute ntp server in the ntpd domain.
  ## </summary>
  ## <param name="domain">
-@@ -56,7 +82,7 @@
- 
- ########################################
- ## <summary>    
--##	Read and write ntpd shared memory.
-+##	Execute ntp server in the ntpd domain.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -64,16 +90,51 @@
+@@ -64,7 +90,7 @@
  ##	</summary>
  ## </param>
  #
 -interface(`ntpd_rw_shm',`
-+interface(`ntp_initrc_domtrans',`
++interface(`ntp_rw_shm',`
  	gen_require(`
--		type ntpd_t, ntpd_tmpfs_t;
-+		type ntpd_initrc_exec_t;
+ 		type ntpd_t, ntpd_tmpfs_t;
  	')
+@@ -78,6 +104,24 @@
  
--	allow $1 ntpd_t:shm rw_shm_perms;
-+	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
-+')
-+
-+#######################################
-+## <summary>
-+##      Read/write ntpdd tmpfs files.
+ ########################################
+ ## <summary>
++##	Execute ntp server in the ntpd domain.
 +## </summary>
 +## <param name="domain">
-+##      <summary>
-+##      The type of the process performing this action.
-+##      </summary>
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
 +## </param>
 +#
-+interface(`ntpd_rw_tmpfs_files',`
-+        gen_require(`
-+                type ntpd_tmpfs_t;
-+        ')
++interface(`ntp_initrc_domtrans',`
++	gen_require(`
++		type ntpd_initrc_exec_t;
++	')
 +
-+        fs_search_tmpfs($1)
- 	list_dirs_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
- 	rw_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
- 	read_lnk_files_pattern($1, ntpd_tmpfs_t, ntpd_tmpfs_t)
--	fs_search_tmpfs($1)
++	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
 +')
 +
 +########################################
-+## <summary>    
-+##      Read and write to ntpd shared memory.
-+## </summary>
-+## <param name="domain">
-+##      <summary>
-+##      The type of the process performing this action.
-+##      </summary>
-+## </param>
-+#
-+interface(`ntpd_rw_shm',`
-+        gen_require(`
-+                type ntpd_t;
-+        ')
-+
-+        allow $1 ntpd_t:shm rw_shm_perms;
- ')
- 
- ########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.6.24/policy/modules/services/ntp.te
++## <summary>
+ ##	All of the rules required to administrate 
+ ##	an ntp environment
+ ## </summary>
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.6.25/policy/modules/services/ntp.te
 --- nsaserefpolicy/policy/modules/services/ntp.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/ntp.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/ntp.te	2009-07-29 21:34:35.000000000 -0400
 @@ -41,10 +41,11 @@
  
  # sys_resource and setrlimit is for locking memory
@@ -13650,9 +12388,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.6.24/policy/modules/services/nx.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.6.25/policy/modules/services/nx.te
 --- nsaserefpolicy/policy/modules/services/nx.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/nx.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/nx.te	2009-07-29 21:34:35.000000000 -0400
 @@ -25,6 +25,9 @@
  type nx_server_var_run_t;
  files_pid_file(nx_server_var_run_t)
@@ -13673,9 +12411,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  kernel_read_system_state(nx_server_t)
  kernel_read_kernel_sysctls(nx_server_t)
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.6.24/policy/modules/services/oddjob.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.6.25/policy/modules/services/oddjob.if
 --- nsaserefpolicy/policy/modules/services/oddjob.if	2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/oddjob.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/oddjob.if	2009-07-29 21:34:35.000000000 -0400
 @@ -44,6 +44,7 @@
  	')
  
@@ -13684,9 +12422,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.24/policy/modules/services/openvpn.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.25/policy/modules/services/openvpn.te
 --- nsaserefpolicy/policy/modules/services/openvpn.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/openvpn.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/openvpn.te	2009-07-29 21:34:35.000000000 -0400
 @@ -86,6 +86,7 @@
  corenet_udp_bind_openvpn_port(openvpn_t)
  corenet_tcp_connect_openvpn_port(openvpn_t)
@@ -13695,9 +12433,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  corenet_rw_tun_tap_dev(openvpn_t)
  corenet_sendrecv_openvpn_server_packets(openvpn_t)
  corenet_sendrecv_openvpn_client_packets(openvpn_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.24/policy/modules/services/pcscd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.25/policy/modules/services/pcscd.te
 --- nsaserefpolicy/policy/modules/services/pcscd.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/pcscd.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/pcscd.te	2009-07-29 21:34:35.000000000 -0400
 @@ -29,6 +29,7 @@
  
  manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
@@ -13715,9 +12453,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  term_use_unallocated_ttys(pcscd_t)
  term_dontaudit_getattr_pty_dirs(pcscd_t)
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.6.24/policy/modules/services/pegasus.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.6.25/policy/modules/services/pegasus.te
 --- nsaserefpolicy/policy/modules/services/pegasus.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/pegasus.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/pegasus.te	2009-07-29 21:34:35.000000000 -0400
 @@ -30,7 +30,7 @@
  # Local policy
  #
@@ -13789,21 +12527,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	xen_stream_connect(pegasus_t)
 +	xen_stream_connect_xenstore(pegasus_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.6.24/policy/modules/services/policykit.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.6.25/policy/modules/services/policykit.fc
 --- nsaserefpolicy/policy/modules/services/policykit.fc	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/policykit.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/policykit.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -1,7 +1,7 @@
  /usr/libexec/polkit-read-auth-helper	--	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
  /usr/libexec/polkit-grant-helper.*	--	gen_context(system_u:object_r:policykit_grant_exec_t,s0)
  /usr/libexec/polkit-resolve-exe-helper.* --	gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
 -/usr/libexec/polkitd			--	gen_context(system_u:object_r:policykit_exec_t,s0)
-+/usr/libexec/polkitd.*				gen_context(system_u:object_r:policykit_exec_t,s0)
++/usr/libexec/polkit.*				gen_context(system_u:object_r:policykit_exec_t,s0)
  
  /var/lib/misc/PolicyKit.reload			gen_context(system_u:object_r:policykit_reload_t,s0)
  /var/lib/PolicyKit(/.*)?			gen_context(system_u:object_r:policykit_var_lib_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.6.24/policy/modules/services/policykit.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.6.25/policy/modules/services/policykit.if
 --- nsaserefpolicy/policy/modules/services/policykit.if	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/policykit.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/policykit.if	2009-07-29 21:34:35.000000000 -0400
 @@ -17,6 +17,8 @@
  		class dbus send_msg;
  	')
@@ -13853,9 +12591,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	policykit_read_reload($2)
 +	policykit_dbus_chat($2)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.24/policy/modules/services/policykit.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.25/policy/modules/services/policykit.te
 --- nsaserefpolicy/policy/modules/services/policykit.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/policykit.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/policykit.te	2009-07-29 21:34:35.000000000 -0400
 @@ -38,9 +38,10 @@
  
  allow policykit_t self:capability { setgid setuid };
@@ -13951,9 +12689,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
  allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.6.24/policy/modules/services/postfix.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.6.25/policy/modules/services/postfix.fc
 --- nsaserefpolicy/policy/modules/services/postfix.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/postfix.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/postfix.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -29,12 +29,10 @@
  /usr/lib/postfix/smtpd	--	gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
  /usr/lib/postfix/bounce	--	gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
@@ -13967,9 +12705,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /usr/sbin/postdrop	--	gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
  /usr/sbin/postfix	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
  /usr/sbin/postkick	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.24/policy/modules/services/postfix.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.25/policy/modules/services/postfix.if
 --- nsaserefpolicy/policy/modules/services/postfix.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/postfix.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/postfix.if	2009-07-29 21:34:35.000000000 -0400
 @@ -46,6 +46,7 @@
  
  	allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
@@ -14216,9 +12954,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	role $2 types postfix_postdrop_t;
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.24/policy/modules/services/postfix.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.25/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/postfix.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/postfix.te	2009-07-29 21:34:35.000000000 -0400
 @@ -6,6 +6,15 @@
  # Declarations
  #
@@ -14598,9 +13336,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +userdom_manage_user_home_content(postfix_virtual_t)
 +userdom_home_filetrans_user_home_dir(postfix_virtual_t)
 +userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.6.24/policy/modules/services/postgresql.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.6.25/policy/modules/services/postgresql.fc
 --- nsaserefpolicy/policy/modules/services/postgresql.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/postgresql.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/postgresql.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -2,6 +2,7 @@
  # /etc
  #
@@ -14609,9 +13347,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  #
  # /usr
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.6.24/policy/modules/services/postgresql.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.6.25/policy/modules/services/postgresql.if
 --- nsaserefpolicy/policy/modules/services/postgresql.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/postgresql.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/postgresql.if	2009-07-29 21:34:35.000000000 -0400
 @@ -384,3 +384,46 @@
  
  	typeattribute $1 sepgsql_unconfined_type;
@@ -14659,9 +13397,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	admin_pattern($1, postgresql_tmp_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.24/policy/modules/services/postgresql.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.25/policy/modules/services/postgresql.te
 --- nsaserefpolicy/policy/modules/services/postgresql.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/postgresql.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/postgresql.te	2009-07-29 21:34:35.000000000 -0400
 @@ -32,6 +32,9 @@
  type postgresql_etc_t;
  files_config_file(postgresql_etc_t)
@@ -14700,9 +13438,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  miscfiles_read_localization(postgresql_t)
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.24/policy/modules/services/ppp.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.25/policy/modules/services/ppp.if
 --- nsaserefpolicy/policy/modules/services/ppp.if	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/ppp.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/ppp.if	2009-07-29 21:34:35.000000000 -0400
 @@ -177,10 +177,16 @@
  interface(`ppp_run',`
  	gen_require(`
@@ -14720,9 +13458,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.24/policy/modules/services/ppp.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.25/policy/modules/services/ppp.te
 --- nsaserefpolicy/policy/modules/services/ppp.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/ppp.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/ppp.te	2009-07-29 21:34:35.000000000 -0400
 @@ -193,6 +193,8 @@
  
  optional_policy(`
@@ -14761,9 +13499,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	hostname_exec(pptp_t)
  ')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.6.24/policy/modules/services/privoxy.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.6.25/policy/modules/services/privoxy.te
 --- nsaserefpolicy/policy/modules/services/privoxy.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/privoxy.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/privoxy.te	2009-07-29 21:34:35.000000000 -0400
 @@ -47,9 +47,8 @@
  manage_files_pattern(privoxy_t, privoxy_var_run_t, privoxy_var_run_t)
  files_pid_filetrans(privoxy_t, privoxy_var_run_t, file)
@@ -14775,9 +13513,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  corenet_all_recvfrom_unlabeled(privoxy_t)
  corenet_all_recvfrom_netlabel(privoxy_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.6.24/policy/modules/services/procmail.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.6.25/policy/modules/services/procmail.te
 --- nsaserefpolicy/policy/modules/services/procmail.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/procmail.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/procmail.te	2009-07-29 21:34:35.000000000 -0400
 @@ -22,7 +22,7 @@
  # Local policy
  #
@@ -14825,9 +13563,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.24/policy/modules/services/pyzor.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.25/policy/modules/services/pyzor.fc
 --- nsaserefpolicy/policy/modules/services/pyzor.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/pyzor.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/pyzor.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -1,6 +1,10 @@
  /etc/pyzor(/.*)?		gen_context(system_u:object_r:pyzor_etc_t, s0)
 +/etc/rc\.d/init\.d/pyzord	--	gen_context(system_u:object_r:pyzord_initrc_exec_t,s0)
@@ -14839,9 +13577,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  /usr/bin/pyzor		--	gen_context(system_u:object_r:pyzor_exec_t,s0)
  /usr/bin/pyzord		--	gen_context(system_u:object_r:pyzord_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.6.24/policy/modules/services/pyzor.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.6.25/policy/modules/services/pyzor.if
 --- nsaserefpolicy/policy/modules/services/pyzor.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/pyzor.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/pyzor.if	2009-07-29 21:34:35.000000000 -0400
 @@ -88,3 +88,50 @@
  	corecmd_search_bin($1)
  	can_exec($1, pyzor_exec_t)
@@ -14893,9 +13631,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.24/policy/modules/services/pyzor.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.25/policy/modules/services/pyzor.te
 --- nsaserefpolicy/policy/modules/services/pyzor.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/pyzor.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/pyzor.te	2009-07-29 21:34:35.000000000 -0400
 @@ -6,6 +6,38 @@
  # Declarations
  #
@@ -14960,17 +13698,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  userdom_dontaudit_search_user_home_dirs(pyzor_t)
  
  optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.6.24/policy/modules/services/razor.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.6.25/policy/modules/services/razor.fc
 --- nsaserefpolicy/policy/modules/services/razor.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/razor.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/razor.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -1,3 +1,4 @@
 +/root/\.razor(/.*)?		gen_context(system_u:object_r:razor_home_t,s0)
  HOME_DIR/\.razor(/.*)?		gen_context(system_u:object_r:razor_home_t,s0)
  
  /etc/razor(/.*)?		gen_context(system_u:object_r:razor_etc_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.6.24/policy/modules/services/razor.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.6.25/policy/modules/services/razor.if
 --- nsaserefpolicy/policy/modules/services/razor.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/razor.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/razor.if	2009-07-29 21:34:35.000000000 -0400
 @@ -157,3 +157,45 @@
  
  	domtrans_pattern($1, razor_exec_t, razor_t)
@@ -15017,9 +13755,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	read_files_pattern($1, razor_var_lib_t, razor_var_lib_t)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.6.24/policy/modules/services/razor.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.6.25/policy/modules/services/razor.te
 --- nsaserefpolicy/policy/modules/services/razor.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/razor.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/razor.te	2009-07-29 21:34:35.000000000 -0400
 @@ -6,6 +6,32 @@
  # Declarations
  #
@@ -15071,9 +13809,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.24/policy/modules/services/ricci.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.25/policy/modules/services/ricci.te
 --- nsaserefpolicy/policy/modules/services/ricci.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/ricci.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/ricci.te	2009-07-29 21:34:35.000000000 -0400
 @@ -440,6 +440,10 @@
  files_read_usr_files(ricci_modstorage_t)
  files_read_kernel_modules(ricci_modstorage_t)
@@ -15085,9 +13823,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  storage_raw_read_fixed_disk(ricci_modstorage_t)
  
  term_dontaudit_use_console(ricci_modstorage_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.6.24/policy/modules/services/rpcbind.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.6.25/policy/modules/services/rpcbind.if
 --- nsaserefpolicy/policy/modules/services/rpcbind.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/rpcbind.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/rpcbind.if	2009-07-29 21:34:35.000000000 -0400
 @@ -97,6 +97,26 @@
  
  ########################################
@@ -15115,9 +13853,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	All of the rules required to administrate 
  ##	an rpcbind environment
  ## </summary>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.6.24/policy/modules/services/rpc.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.6.25/policy/modules/services/rpc.if
 --- nsaserefpolicy/policy/modules/services/rpc.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/rpc.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/rpc.if	2009-07-29 21:34:35.000000000 -0400
 @@ -54,7 +54,7 @@
  	allow $1_t self:unix_dgram_socket create_socket_perms;
  	allow $1_t self:unix_stream_socket create_stream_socket_perms;
@@ -15138,51 +13876,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  		seutil_sigchld_newrole($1_t)
  	')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.24/policy/modules/services/rpc.te
---- nsaserefpolicy/policy/modules/services/rpc.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/rpc.te	2009-07-28 13:42:19.000000000 -0400
-@@ -23,7 +23,7 @@
- gen_tunable(allow_nfsd_anon_write, false)
- 
- type exports_t;
--files_type(exports_t)
-+files_config_file(exports_t)
- 
- rpc_domain_template(gssd)
- 
-@@ -69,15 +69,21 @@
- kernel_read_sysctl(rpcd_t)
- kernel_rw_fs_sysctls(rpcd_t)
- kernel_dontaudit_getattr_core_if(rpcd_t)
-+kernel_signal(rpcd_t) 
- 
- corecmd_exec_bin(rpcd_t)
- 
- files_manage_mounttab(rpcd_t)
-+files_getattr_all_dirs(rpcd_t)
- 
- fs_list_rpc(rpcd_t)
- fs_read_rpc_files(rpcd_t)
- fs_read_rpc_symlinks(rpcd_t)
- fs_rw_rpc_sockets(rpcd_t) 
-+fs_get_all_fs_quotas(rpcd_t) 
-+fs_getattr_all_fs(rpcd_t) 
-+
-+storage_getattr_fixed_disk_dev(rpcd_t)
- 
- selinux_dontaudit_read_fs(rpcd_t)
- 
-@@ -85,10 +91,20 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.25/policy/modules/services/rpc.te
+--- nsaserefpolicy/policy/modules/services/rpc.te	2009-07-29 15:15:33.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/rpc.te	2009-07-29 21:34:35.000000000 -0400
+@@ -91,6 +91,8 @@
  
  seutil_dontaudit_search_config(rpcd_t)
  
 +userdom_signal_unpriv_users(rpcd_t)
 +
-+optional_policy(`
-+	automount_signal(rpcd_t)
-+')
-+
  optional_policy(`
+ 	automount_signal(rpcd_t)
+ ')
+@@ -99,6 +101,10 @@
  	nis_read_ypserv_config(rpcd_t)
  ')
  
@@ -15193,16 +13899,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
  #
  # NFSD local policy
-@@ -116,7 +132,7 @@
- # for exportfs and rpc.mountd
- files_getattr_tmp_dirs(nfsd_t) 
- # cjp: this should really have its own type
--files_manage_mounttab(rpcd_t)
-+files_manage_mounttab(nfsd_t)
- 
- fs_mount_nfsd_fs(nfsd_t) 
- fs_search_nfsd_fs(nfsd_t) 
-@@ -125,6 +141,7 @@
+@@ -135,6 +141,7 @@
  fs_rw_nfsd_fs(nfsd_t) 
  
  storage_dontaudit_read_fixed_disk(nfsd_t)
@@ -15210,7 +13907,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  # Read access to public_content_t and public_content_rw_t
  miscfiles_read_public_files(nfsd_t)
-@@ -141,6 +158,7 @@
+@@ -151,6 +158,7 @@
  	fs_read_noxattr_fs_files(nfsd_t) 
  	auth_manage_all_files_except_shadow(nfsd_t)
  ')
@@ -15218,33 +13915,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  tunable_policy(`nfs_export_all_ro',`
  	dev_getattr_all_blk_files(nfsd_t)
-@@ -183,9 +201,12 @@
- files_read_usr_symlinks(gssd_t) 
- 
- auth_use_nsswitch(gssd_t)
-+auth_manage_cache(gssd_t) 
- 
- miscfiles_read_certs(gssd_t)
- 
-+mount_signal(gssd_t)
-+
- tunable_policy(`allow_gssd_read_tmp',`
- 	userdom_list_user_tmp(gssd_t) 
- 	userdom_read_user_tmp_files(gssd_t) 
-@@ -193,6 +214,10 @@
- ')
- 
- optional_policy(`
-+	automount_signal(gssd_t)
-+')
-+
-+optional_policy(`
- 	kerberos_keytab_template(gssd, gssd_t) 
- ')
- 
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.24/policy/modules/services/rsync.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.25/policy/modules/services/rsync.te
 --- nsaserefpolicy/policy/modules/services/rsync.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/rsync.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/rsync.te	2009-07-29 21:34:35.000000000 -0400
 @@ -8,6 +8,13 @@
  
  ## <desc>
@@ -15279,15 +13952,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
  auth_can_read_shadow_passwords(rsync_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.fc serefpolicy-3.6.24/policy/modules/services/rtkit_daemon.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.fc serefpolicy-3.6.25/policy/modules/services/rtkit_daemon.fc
 --- nsaserefpolicy/policy/modules/services/rtkit_daemon.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/services/rtkit_daemon.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/rtkit_daemon.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -0,0 +1,2 @@
 +
 +/usr/libexec/rtkit-daemon	--	gen_context(system_u:object_r:rtkit_daemon_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.if serefpolicy-3.6.24/policy/modules/services/rtkit_daemon.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.if serefpolicy-3.6.25/policy/modules/services/rtkit_daemon.if
 --- nsaserefpolicy/policy/modules/services/rtkit_daemon.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/services/rtkit_daemon.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/rtkit_daemon.if	2009-07-29 21:34:35.000000000 -0400
 @@ -0,0 +1,64 @@
 +
 +## <summary>policy for rtkit_daemon</summary>
@@ -15353,9 +14026,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	allow rtkit_daemon_t $1:process { getsched setsched };
 +	rtkit_daemon_dbus_chat($1)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.te serefpolicy-3.6.24/policy/modules/services/rtkit_daemon.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.te serefpolicy-3.6.25/policy/modules/services/rtkit_daemon.te
 --- nsaserefpolicy/policy/modules/services/rtkit_daemon.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/services/rtkit_daemon.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/rtkit_daemon.te	2009-07-29 21:34:35.000000000 -0400
 @@ -0,0 +1,36 @@
 +policy_module(rtkit_daemon,1.0.0)
 +
@@ -15393,28 +14066,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
 +        policykit_dbus_chat(rtkit_daemon_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.6.24/policy/modules/services/samba.fc
---- nsaserefpolicy/policy/modules/services/samba.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/samba.fc	2009-07-28 13:42:19.000000000 -0400
-@@ -2,6 +2,9 @@
- #
- # /etc
- #
-+/etc/rc\.d/init\.d/winbind	--	gen_context(system_u:object_r:samba_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/nmb		--	gen_context(system_u:object_r:samba_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/smb		--	gen_context(system_u:object_r:samba_initrc_exec_t,s0)
- /etc/samba/MACHINE\.SID		--	gen_context(system_u:object_r:samba_secrets_t,s0)
- /etc/samba/passdb\.tdb		--	gen_context(system_u:object_r:samba_secrets_t,s0)
- /etc/samba/secrets\.tdb		--	gen_context(system_u:object_r:samba_secrets_t,s0)
-@@ -15,6 +18,7 @@
- /usr/bin/ntlm_auth		--	gen_context(system_u:object_r:winbind_helper_exec_t,s0)
- /usr/bin/smbmount		--	gen_context(system_u:object_r:smbmount_exec_t,s0)
- /usr/bin/smbmnt			--	gen_context(system_u:object_r:smbmount_exec_t,s0)
-+/usr/bin/smbcontrol		--	gen_context(system_u:object_r:smbcontrol_exec_t,s0)
- /usr/sbin/swat			--	gen_context(system_u:object_r:swat_exec_t,s0)
- 
- /usr/sbin/nmbd			--	gen_context(system_u:object_r:nmbd_exec_t,s0)
-@@ -47,3 +51,7 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.6.25/policy/modules/services/samba.fc
+--- nsaserefpolicy/policy/modules/services/samba.fc	2009-07-29 15:15:33.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/samba.fc	2009-07-29 21:34:35.000000000 -0400
+@@ -51,3 +51,7 @@
  /var/run/winbindd(/.*)?			gen_context(system_u:object_r:winbind_var_run_t,s0)
  
  /var/spool/samba(/.*)?			gen_context(system_u:object_r:samba_var_t,s0)
@@ -15422,56 +14077,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +ifndef(`enable_mls',`
 +/var/lib/samba/scripts(/.*)?		gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.6.24/policy/modules/services/samba.if
---- nsaserefpolicy/policy/modules/services/samba.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/samba.if	2009-07-28 13:42:19.000000000 -0400
-@@ -4,6 +4,45 @@
- ##	from Windows NT servers.
- ## </summary>
- 
-+
-+########################################
-+## <summary>
-+##	Execute smbd net in the smbd_t domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	The type of the process performing this action.
-+##	</summary>
-+## </param>
-+#
-+interface(`samba_domtrans_smb',`
-+	gen_require(`
-+		type smbd_t, smbd_exec_t;
-+	')
-+
-+	corecmd_search_bin($1)
-+	domtrans_pattern($1, smbd_exec_t, smbd_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Execute nmbd net in the nmbd_t domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	The type of the process performing this action.
-+##	</summary>
-+## </param>
-+#
-+interface(`samba_domtrans_nmb',`
-+	gen_require(`
-+		type nmbd_t, nmbd_exec_t;
-+	')
-+
-+	corecmd_search_bin($1)
-+	domtrans_pattern($1, nmbd_exec_t, nmbd_t)
-+')
-+
- ########################################
- ## <summary>
- ##	Execute samba net in the samba_net domain.
-@@ -25,6 +64,25 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.6.25/policy/modules/services/samba.if
+--- nsaserefpolicy/policy/modules/services/samba.if	2009-07-29 15:15:33.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/samba.if	2009-07-29 21:56:08.000000000 -0400
+@@ -62,6 +62,25 @@
  
  ########################################
  ## <summary>
@@ -15479,352 +14088,173 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	The type of the process performing this action.
-+##	</summary>
-+## </param>
-+#
-+interface(`samba_domtrans_unconfined_net',`
-+	gen_require(`
-+		type samba_unconfined_net_t, samba_net_exec_t;
-+	')
-+
-+	corecmd_search_bin($1)
-+	domtrans_pattern($1, samba_net_exec_t, samba_unconfined_net_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Execute samba net in the samba_net domain, and
- ##	allow the specified role the samba_net domain.
- ## </summary>
-@@ -49,6 +107,50 @@
- 	role $2 types samba_net_t;
- ')
- 
-+#######################################
-+## <summary>
-+##	The role for the samba module.
-+## </summary>
-+## <param name="role">
-+##	<summary>
-+##	The role to be allowed the samba_net domain.
-+##	</summary>
-+## </param>
-+#
-+template(`samba_role_notrans',`
-+	gen_require(`
-+		type smbd_t;
-+	')
-+
-+	role $1 types smbd_t;
-+')
-+
-+########################################
-+## <summary>
-+##	Execute samba net in the samba_unconfined_net domain, and
-+##	allow the specified role the samba_unconfined_net domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	The type of the process performing this action.
-+##	</summary>
-+## </param>
-+## <param name="role">
-+##	<summary>
-+##	The role to be allowed the samba_unconfined_net domain.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`samba_run_unconfined_net',`
-+	gen_require(`
-+		type samba_unconfined_net_t;
-+	')
-+
-+	samba_domtrans_unconfined_net($1)
-+	role $2 types samba_unconfined_net_t;
-+')
-+
- ########################################
- ## <summary>
- ##	Execute smbmount in the smbmount domain.
-@@ -138,6 +240,28 @@
- 
- ########################################
- ## <summary>
-+##	Allow the specified domain to read
-+##	and write samba configuration files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`samba_manage_config',`
-+	gen_require(`
-+		type samba_etc_t;
-+	')
-+
-+	files_search_etc($1)
-+	manage_dirs_pattern($1, samba_etc_t, samba_etc_t)
-+	manage_files_pattern($1, samba_etc_t, samba_etc_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Allow the specified domain to read samba's log files.
- ## </summary>
- ## <param name="domain">
-@@ -281,6 +405,25 @@
- 
- ########################################
- ## <summary>
-+##	dontaudit the specified domain to
-+##	write samba /var files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`samba_dontaudit_write_var_files',`
-+	gen_require(`
-+		type samba_var_t;
-+	')
-+
-+	dontaudit $1 samba_var_t:file write;
-+')
-+
-+########################################
-+## <summary>
- ##	Allow the specified domain to
- ##	read and write samba /var files.
- ## </summary>
-@@ -298,6 +441,7 @@
- 	files_search_var($1)
- 	files_search_var_lib($1)
- 	manage_files_pattern($1, samba_var_t, samba_var_t)
-+	manage_lnk_files_pattern($1, samba_var_t, samba_var_t)
- ')
- 
- ########################################
-@@ -370,6 +514,7 @@
- 	')
- 
- 	domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
-+	allow $1 winbind_helper_t:process signal;
- ')
- 
- ########################################
-@@ -447,3 +592,202 @@
- 		stream_connect_pattern($1, winbind_tmp_t, winbind_tmp_t, winbind_t)
- 	')
- ')
-+
-+########################################
-+## <summary>
-+##	Create a set of derived types for apache
-+##	web content.
-+## </summary>
-+## <param name="prefix">
-+##	<summary>
-+##	The prefix to be used for deriving type names.
-+##	</summary>
-+## </param>
-+#
-+template(`samba_helper_template',`
-+	gen_require(`
-+		type smbd_t;
-+	')
-+	#This type is for samba helper scripts
-+	type samba_$1_script_t;
-+	domain_type(samba_$1_script_t)
-+	role system_r types samba_$1_script_t;
-+
-+	# This type is used for executable scripts files
-+	type samba_$1_script_exec_t;
-+	corecmd_shell_entry_type(samba_$1_script_t)
-+	domain_entry_file(samba_$1_script_t, samba_$1_script_exec_t)
-+
-+	domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t)
-+	allow smbd_t samba_$1_script_exec_t:file ioctl;
-+
-+')
-+
-+########################################
-+## <summary>
-+##	Allow the specified domain to read samba's shares
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
++##	The type of the process performing this action.
 +##	</summary>
 +## </param>
 +#
-+interface(`samba_read_share_files',`
++interface(`samba_domtrans_unconfined_net',`
 +	gen_require(`
-+		type samba_share_t;
++		type samba_unconfined_net_t, samba_net_exec_t;
 +	')
 +
-+	allow $1 samba_share_t:filesystem getattr;
-+	read_files_pattern($1, samba_share_t, samba_share_t)
++	corecmd_search_bin($1)
++	domtrans_pattern($1, samba_net_exec_t, samba_unconfined_net_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Execute a domain transition to run smbcontrol.
-+## </summary>
-+## <param name="domain">
+ ##	Execute samba net in the samba_net domain, and
+ ##	allow the specified role the samba_net domain.
+ ## </summary>
+@@ -86,6 +105,50 @@
+ 	role $2 types samba_net_t;
+ ')
+ 
++#######################################
 +## <summary>
-+##	Domain allowed to transition.
++##	The role for the samba module.
 +## </summary>
++## <param name="role">
++##	<summary>
++##	The role to be allowed the samba_net domain.
++##	</summary>
 +## </param>
 +#
-+interface(`samba_domtrans_smbcontrol',`
++template(`samba_role_notrans',`
 +	gen_require(`
-+		type smbcontrol_t;
-+                type smbcontrol_exec_t;
++		type smbd_t;
 +	')
 +
-+	domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t)
++	role $1 types smbd_t;
 +')
 +
-+
 +########################################
 +## <summary>
-+##	Execute smbcontrol in the smbcontrol domain, and
-+##	allow the specified role the smbcontrol domain.
++##	Execute samba net in the samba_unconfined_net domain, and
++##	allow the specified role the samba_unconfined_net domain.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access
++##	The type of the process performing this action.
 +##	</summary>
 +## </param>
 +## <param name="role">
 +##	<summary>
-+##	The role to be allowed the smbcontrol domain.
++##	The role to be allowed the samba_unconfined_net domain.
 +##	</summary>
 +## </param>
++## <rolecap/>
 +#
-+interface(`samba_run_smbcontrol',`
++interface(`samba_run_unconfined_net',`
 +	gen_require(`
-+		type smbcontrol_t;
++		type samba_unconfined_net_t;
 +	')
 +
-+	samba_domtrans_smbcontrol($1)
-+	role $2 types smbcontrol_t;
++	samba_domtrans_unconfined_net($1)
++	role $2 types samba_unconfined_net_t;
 +')
 +
-+########################################
-+## <summary>
-+##	Execute samba server in the samba domain.
+ ########################################
+ ## <summary>
+ ##	Execute smbmount in the smbmount domain.
+@@ -395,6 +458,7 @@
+ 	files_search_var($1)
+ 	files_search_var_lib($1)
+ 	manage_files_pattern($1, samba_var_t, samba_var_t)
++	manage_lnk_files_pattern($1, samba_var_t, samba_var_t)
+ ')
+ 
+ ########################################
+@@ -530,6 +595,7 @@
+ 	')
+ 
+ 	domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
++	allow $1 winbind_helper_t:process signal;
+ ')
+ 
+ ########################################
+@@ -610,6 +676,36 @@
+ 
+ ########################################
+ ## <summary>
++##	Create a set of derived types for apache
++##	web content.
 +## </summary>
-+## <param name="domain">
++## <param name="prefix">
 +##	<summary>
-+##	The type of the process performing this action.
++##	The prefix to be used for deriving type names.
 +##	</summary>
 +## </param>
 +#
-+interface(`samba_initrc_domtrans',`
++template(`samba_helper_template',`
 +	gen_require(`
-+		type samba_initrc_exec_t;
++		type smbd_t;
 +	')
++	#This type is for samba helper scripts
++	type samba_$1_script_t;
++	domain_type(samba_$1_script_t)
++	role system_r types samba_$1_script_t;
++
++	# This type is used for executable scripts files
++	type samba_$1_script_exec_t;
++	corecmd_shell_entry_type(samba_$1_script_t)
++	domain_entry_file(samba_$1_script_t, samba_$1_script_exec_t)
++
++	domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t)
++	allow smbd_t samba_$1_script_exec_t:file ioctl;
 +
-+	init_labeled_script_domtrans($1, samba_initrc_exec_t)
 +')
 +
 +########################################
 +## <summary>
-+##	All of the rules required to administrate 
-+##	an samba environment
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <param name="role">
-+##	<summary>
-+##	The role to be allowed to manage the samba domain.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`samba_admin',`
-+	gen_require(`
-+		type nmbd_t, nmbd_var_run_t;
-+		type smbd_t, smbd_tmp_t;
-+		type smbd_initrc_exec_t;
-+		type smbd_spool_t, smbd_var_run_t;
-+
-+		type samba_log_t, samba_var_t;
-+		type samba_etc_t, samba_share_t;
-+		type samba_secrets_t;
-+
-+		type swat_var_run_t, swat_tmp_t;
-+
-+		type winbind_var_run_t, winbind_tmp_t;
-+		type winbind_log_t;
-+
+ ##	All of the rules required to administrate 
+ ##	an samba environment
+ ## </summary>
+@@ -630,6 +726,7 @@
+ 		type nmbd_t, nmbd_var_run_t;
+ 		type smbd_t, smbd_tmp_t;
+ 		type smbd_var_run_t;
++		type smbd_initrc_exec_t, smbd_spool_t;
+ 
+ 		type samba_log_t, samba_var_t;
+ 		type samba_etc_t, samba_share_t;
+@@ -640,6 +737,7 @@
+ 		type winbind_var_run_t, winbind_tmp_t;
+ 		type winbind_log_t;
+ 
 +		type samba_unconfined_script_t, samba_unconfined_script_exec_t;
-+		type samba_initrc_exec_t;
-+	')
-+
-+	allow $1 smbd_t:process { ptrace signal_perms };
-+	ps_process_pattern($1, smbd_t)
-+	        
-+	allow $1 nmbd_t:process { ptrace signal_perms };
-+	ps_process_pattern($1, nmbd_t)
-+	        
+ 		type samba_initrc_exec_t;
+ 	')
+ 
+@@ -649,6 +747,9 @@
+ 	allow $1 nmbd_t:process { ptrace signal_perms };
+ 	ps_process_pattern($1, nmbd_t)
+ 
 +	allow $1 samba_unconfined_script_t:process { ptrace signal_perms getattr };
 +	read_files_pattern($1, samba_unconfined_script_t, samba_unconfined_script_t)
 +	        
-+	samba_run_smbcontrol($1, $2, $3)
-+	samba_run_winbind_helper($1, $2, $3)
-+	samba_run_smbmount($1, $2, $3)
-+	samba_run_net($1, $2, $3)
-+
-+	init_labeled_script_domtrans($1, samba_initrc_exec_t)
-+	domain_system_change_exemption($1)
-+	role_transition $2 samba_initrc_exec_t system_r;
-+	allow $2 system_r;
-+
-+	files_list_tmp($1)
-+	admin_pattern($1, smbd_tmp_t)
-+	admin_pattern($1, swat_tmp_t)
-+	admin_pattern($1, winbind_tmp_t)
-+
-+	admin_pattern($1, samba_secrets_t)
-+
-+	files_list_etc($1)
-+	admin_pattern($1, samba_etc_t)
-+
-+	admin_pattern($1, samba_share_t)
-+
-+	logging_list_logs($1)
-+	admin_pattern($1, samba_log_t)
-+	admin_pattern($1, winbind_log_t)
-+
-+	files_list_spool($1)
+ 	samba_run_smbcontrol($1, $2, $3)
+ 	samba_run_winbind_helper($1, $2, $3)
+ 	samba_run_smbmount($1, $2, $3)
+@@ -674,6 +775,9 @@
+ 	admin_pattern($1, samba_var_t)
+ 	files_list_var($1)
+ 
 +	admin_pattern($1, smbd_spool_t)
++	files_list_spool($1)
 +
-+	files_list_var($1)
-+	admin_pattern($1, samba_var_t)
-+
-+	files_list_pids($1)
-+	admin_pattern($1, smbd_var_run_t)
-+	admin_pattern($1, nmbd_var_run_t)
-+	admin_pattern($1, swat_var_run_t)
-+	admin_pattern($1, winbind_var_run_t)
+ 	admin_pattern($1, smbd_var_run_t)
+ 	files_list_pids($1)
+ 
+@@ -689,4 +793,5 @@
+ 	admin_pattern($1, winbind_tmp_t)
+ 
+ 	admin_pattern($1, winbind_var_run_t)
 +	admin_pattern($1, samba_unconfined_script_exec_t)
-+')
-+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.24/policy/modules/services/samba.te
---- nsaserefpolicy/policy/modules/services/samba.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/samba.te	2009-07-28 13:42:19.000000000 -0400
+ ')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.25/policy/modules/services/samba.te
+--- nsaserefpolicy/policy/modules/services/samba.te	2009-07-29 15:15:33.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/samba.te	2009-07-29 22:06:25.000000000 -0400
 @@ -66,6 +66,13 @@
  ## </desc>
  gen_tunable(samba_share_nfs, false)
@@ -15839,73 +14269,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  type nmbd_t;
  type nmbd_exec_t;
  init_daemon_domain(nmbd_t, nmbd_exec_t)
-@@ -73,6 +80,9 @@
- type nmbd_var_run_t;
- files_pid_file(nmbd_var_run_t)
- 
-+type samba_initrc_exec_t;
-+init_script_file(samba_initrc_exec_t)
-+
- type samba_etc_t;
- files_config_file(samba_etc_t)
- 
-@@ -80,11 +90,9 @@
- logging_log_file(samba_log_t)
- 
- type samba_net_t;
--domain_type(samba_net_t)
--role system_r types samba_net_t;
--
- type samba_net_exec_t;
--domain_entry_file(samba_net_t, samba_net_exec_t)
-+role system_r types samba_net_t;
-+application_domain(samba_net_t, samba_net_exec_t)
- 
- type samba_net_tmp_t;
- files_tmp_file(samba_net_tmp_t)
-@@ -146,11 +154,17 @@
- type winbind_var_run_t;
- files_pid_file(winbind_var_run_t)
- 
-+type smbcontrol_t;
-+type smbcontrol_exec_t;
-+application_domain(smbcontrol_t, smbcontrol_exec_t)
-+role system_r types smbcontrol_t;
-+
- ########################################
- #
- # Samba net local policy
- #
--
-+allow samba_net_t self:capability { sys_nice dac_read_search dac_override };
-+allow samba_net_t self:process { getsched setsched };
- allow samba_net_t self:unix_dgram_socket create_socket_perms;
- allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
- allow samba_net_t self:udp_socket create_socket_perms;
-@@ -165,11 +179,12 @@
- manage_files_pattern(samba_net_t, samba_net_tmp_t, samba_net_tmp_t)
- files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
- 
--allow samba_net_t samba_var_t:dir rw_dir_perms;
-+manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t)
- manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
- manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
- 
- kernel_read_proc_symlinks(samba_net_t)
-+kernel_read_system_state(samba_net_t)
- 
- corenet_all_recvfrom_unlabeled(samba_net_t)
- corenet_all_recvfrom_netlabel(samba_net_t)
-@@ -190,15 +205,23 @@
- domain_use_interactive_fds(samba_net_t)
- 
- files_read_etc_files(samba_net_t)
-+files_read_usr_symlinks(samba_net_t)
- 
- auth_use_nsswitch(samba_net_t)
-+auth_read_cache(samba_net_t)
- 
- logging_send_syslog_msg(samba_net_t)
+@@ -207,8 +214,10 @@
  
  miscfiles_read_localization(samba_net_t) 
  
@@ -15914,78 +14278,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  userdom_use_user_terminals(samba_net_t)
 -userdom_dontaudit_search_user_home_dirs(samba_net_t)
 +userdom_list_user_home_dirs(samba_net_t)
-+
-+optional_policy(`
-+	pcscd_read_pub_files(samba_net_t)
-+')
  
  optional_policy(`
- 	kerberos_use(samba_net_t)
-@@ -208,7 +231,7 @@
- #
- # smbd Local policy
- #
--allow smbd_t self:capability { fowner setgid setuid sys_resource lease dac_override dac_read_search };
-+allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search };
- dontaudit smbd_t self:capability sys_tty_config;
- allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow smbd_t self:process setrlimit;
-@@ -226,10 +249,8 @@
- 
- allow smbd_t samba_etc_t:file { rw_file_perms setattr };
- 
--create_dirs_pattern(smbd_t, samba_log_t, samba_log_t)
-+manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t)
- manage_files_pattern(smbd_t, samba_log_t, samba_log_t)
--allow smbd_t samba_log_t:dir setattr;
--dontaudit smbd_t samba_log_t:dir remove_name;
- 
- allow smbd_t samba_net_tmp_t:file getattr;
- 
-@@ -239,6 +260,7 @@
- manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
- manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
- manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
-+allow smbd_t samba_share_t:filesystem getattr;
- 
- manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
- manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
-@@ -250,13 +272,14 @@
- files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
- 
- allow smbd_t nmbd_var_run_t:file rw_file_perms;
-+allow smbd_t nmbd_t:process { signal signull };
- 
- manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
- manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
- manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
- files_pid_filetrans(smbd_t, smbd_var_run_t, file)
- 
--allow smbd_t winbind_var_run_t:sock_file { read write getattr };
-+allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms;
- 
- kernel_getattr_core_if(smbd_t)
- kernel_getattr_message_if(smbd_t)
-@@ -298,6 +321,7 @@
+ 	pcscd_read_pub_files(samba_net_t)
+@@ -341,6 +350,8 @@
  
- auth_use_nsswitch(smbd_t)
- auth_domtrans_chk_passwd(smbd_t)
-+auth_domtrans_upd_passwd(smbd_t)
+ usermanage_read_crack_db(smbd_t)
  
- domain_use_interactive_fds(smbd_t)
- domain_dontaudit_list_all_domains_state(smbd_t)
-@@ -321,6 +345,10 @@
- userdom_use_unpriv_users_fds(smbd_t)
- userdom_dontaudit_search_user_home_dirs(smbd_t)
- 
-+usermanage_read_crack_db(smbd_t)
-+
 +term_use_ptmx(smbd_t)
 +
  ifdef(`hide_broken_symptoms', `
  	files_dontaudit_getattr_default_dirs(smbd_t)
  	files_dontaudit_getattr_boot_dirs(smbd_t)
-@@ -332,26 +360,39 @@
+@@ -352,19 +363,19 @@
  ') 
  
  tunable_policy(`samba_domain_controller',`
@@ -15994,7 +14299,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	')
 +
  	usermanage_domtrans_passwd(smbd_t)
-+	usermanage_kill_passwd(smbd_t)
+ 	usermanage_kill_passwd(smbd_t)
  	usermanage_domtrans_useradd(smbd_t)
  	usermanage_domtrans_groupadd(smbd_t)
 +	allow smbd_t self:passwd passwd;
@@ -16011,12 +14316,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  # Support Samba sharing of NFS mount points
- tunable_policy(`samba_share_nfs',`
- 	fs_manage_nfs_dirs(smbd_t)
- 	fs_manage_nfs_files(smbd_t)
-+	fs_manage_nfs_symlinks(smbd_t)
-+	fs_manage_nfs_named_pipes(smbd_t)
-+	fs_manage_nfs_named_sockets(smbd_t)
+@@ -376,6 +387,15 @@
+ 	fs_manage_nfs_named_sockets(smbd_t)
  ')
  
 +# Support Samba sharing of ntfs/fusefs mount points
@@ -16031,24 +14332,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  optional_policy(`
  	cups_read_rw_config(smbd_t)
  	cups_stream_connect(smbd_t)
-@@ -359,6 +400,16 @@
+@@ -391,6 +411,11 @@
+ ')
  
  optional_policy(`
- 	kerberos_use(smbd_t)
-+	kerberos_keytab_template(smbd, smbd_t)
-+')
-+
-+optional_policy(`
-+	lpd_exec_lpr(smbd_t)
++	qemu_manage_tmp_dirs(smbd_t)
++	qemu_manage_tmp_files(smbd_t)
 +')
 +
 +optional_policy(`
-+	qemu_manage_tmp_dirs(smbd_t)
-+	qemu_manage_tmp_files(smbd_t)
+ 	rpc_search_nfs_state_data(smbd_t)
  ')
  
- optional_policy(`
-@@ -376,13 +427,15 @@
+@@ -405,13 +430,15 @@
  tunable_policy(`samba_create_home_dirs',`
  	allow smbd_t self:capability chown;
  	userdom_create_user_home_dirs(smbd_t)
@@ -16065,7 +14361,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	auth_read_all_files_except_shadow(nmbd_t)
  ')
  
-@@ -391,8 +444,8 @@
+@@ -420,8 +447,8 @@
  	auth_manage_all_files_except_shadow(smbd_t)
  	fs_read_noxattr_fs_files(nmbd_t) 
  	auth_manage_all_files_except_shadow(nmbd_t)
@@ -16075,89 +14371,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  ########################################
  #
-@@ -417,14 +470,11 @@
- files_pid_filetrans(nmbd_t, nmbd_var_run_t, file)
- 
- read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
-+read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -525,6 +553,7 @@
  
- manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
- manage_files_pattern(nmbd_t, samba_log_t, samba_log_t)
+ allow smbcontrol_t winbind_t:process { signal signull };
  
--read_files_pattern(nmbd_t, samba_log_t, samba_log_t)
--create_files_pattern(nmbd_t, samba_log_t, samba_log_t)
--allow nmbd_t samba_log_t:dir setattr;
--
- manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
- 
- allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
-@@ -553,21 +603,36 @@
- userdom_use_user_terminals(smbmount_t)
- userdom_use_all_users_fds(smbmount_t)
++files_search_var_lib(smbcontrol_t)
+ samba_read_config(smbcontrol_t)
+ samba_rw_var_files(smbcontrol_t)
+ samba_search_var(smbcontrol_t)
+@@ -638,6 +667,10 @@
  
-+optional_policy(`
-+	cups_read_rw_config(smbmount_t)
-+')
-+
- ########################################
- #
- # SWAT Local policy
- #
+ allow swat_t smbd_var_run_t:file { lock unlink };
  
--allow swat_t self:capability { setuid setgid };
--allow swat_t self:process signal_perms;
--allow swat_t self:fifo_file rw_file_perms;
-+allow swat_t self:capability { setuid setgid sys_resource };
-+allow swat_t self:process { setrlimit signal_perms };
-+allow swat_t self:fifo_file rw_fifo_file_perms;
- allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
- allow swat_t self:tcp_socket create_stream_socket_perms;
- allow swat_t self:udp_socket create_socket_perms;
- 
-+allow swat_t self:unix_stream_socket connectto;
-+samba_domtrans_smb(swat_t)
 +allow swat_t smbd_port_t:tcp_socket name_bind;
-+allow swat_t smbd_t:process { signal signull };
-+allow swat_t smbd_var_run_t:file { lock unlink };
 +
- allow swat_t nmbd_exec_t:file mmap_file_perms;
-+can_exec(swat_t, nmbd_exec_t)
 +allow swat_t nmbd_port_t:udp_socket name_bind;
-+allow swat_t nmbd_t:process { signal signull };
-+allow swat_t nmbd_var_run_t:file { lock read unlink };
- 
++
  rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
-+read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t)
- 
- append_files_pattern(swat_t, samba_log_t, samba_log_t)
+ read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t)
  
-@@ -585,6 +650,9 @@
- files_pid_filetrans(swat_t, swat_var_run_t, file)
- 
- allow swat_t winbind_exec_t:file mmap_file_perms;
-+can_exec(swat_t, winbind_exec_t)
-+allow swat_t winbind_var_run_t:dir { write add_name remove_name };
-+allow swat_t winbind_var_run_t:sock_file { create unlink };
- 
- kernel_read_kernel_sysctls(swat_t)
- kernel_read_system_state(swat_t)
-@@ -609,6 +677,7 @@
- 
- dev_read_urand(swat_t)
- 
-+files_list_var_lib(swat_t)
- files_read_etc_files(swat_t)
- files_search_home(swat_t)
- files_read_usr_files(swat_t)
-@@ -618,6 +687,7 @@
- auth_use_nsswitch(swat_t)
- 
- logging_send_syslog_msg(swat_t)
-+logging_send_audit_msgs(swat_t)
- logging_search_logs(swat_t)
- 
- miscfiles_read_localization(swat_t)
-@@ -635,14 +705,25 @@
+@@ -713,12 +746,23 @@
  	kerberos_use(swat_t)
  ')
  
@@ -16180,52 +14413,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -allow winbind_t self:capability { dac_override ipc_lock setuid };
 +allow winbind_t self:capability { sys_nice dac_override ipc_lock setuid };
  dontaudit winbind_t self:capability sys_tty_config;
--allow winbind_t self:process signal_perms;
-+allow winbind_t self:process { signal_perms getsched setsched };
+ allow winbind_t self:process { signal_perms getsched setsched };
  allow winbind_t self:fifo_file rw_fifo_file_perms;
- allow winbind_t self:unix_dgram_socket create_socket_perms;
- allow winbind_t self:unix_stream_socket create_stream_socket_perms;
-@@ -683,9 +764,10 @@
- manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
- files_pid_filetrans(winbind_t, winbind_var_run_t, file)
- 
-+corecmd_exec_bin(winbind_t)
-+
- kernel_read_kernel_sysctls(winbind_t)
--kernel_list_proc(winbind_t)
--kernel_read_proc_symlinks(winbind_t)
-+kernel_read_system_state(winbind_t)
- 
- corenet_all_recvfrom_unlabeled(winbind_t)
- corenet_all_recvfrom_netlabel(winbind_t)
-@@ -709,10 +791,12 @@
- 
- auth_domtrans_chk_passwd(winbind_t)
- auth_use_nsswitch(winbind_t)
-+auth_rw_cache(winbind_t)
- 
- domain_use_interactive_fds(winbind_t)
- 
- files_read_etc_files(winbind_t)
-+files_read_usr_symlinks(winbind_t)
- 
- logging_send_syslog_msg(winbind_t)
- 
-@@ -768,8 +852,13 @@
- userdom_use_user_terminals(winbind_helper_t)
- 
- optional_policy(`
-+	apache_append_log(winbind_helper_t)
-+')
-+
-+optional_policy(`
- 	squid_read_log(winbind_helper_t)
- 	squid_append_log(winbind_helper_t)
-+	squid_rw_stream_sockets(winbind_helper_t)
- ')
- 
- ########################################
-@@ -778,6 +867,16 @@
+@@ -866,6 +910,16 @@
  #
  
  optional_policy(`
@@ -16242,7 +14432,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	type samba_unconfined_script_t;
  	type samba_unconfined_script_exec_t;
  	domain_type(samba_unconfined_script_t)
-@@ -788,9 +887,43 @@
+@@ -876,9 +930,12 @@
  	allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
  	allow smbd_t samba_unconfined_script_exec_t:file ioctl;
  
@@ -16252,44 +14442,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	tunable_policy(`samba_run_unconfined',`
  		domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
+-	')
 +',`
 +	can_exec(smbd_t, samba_unconfined_script_exec_t)
- 	')
--')
-+
-+########################################
-+#
-+# smbcontrol local policy
-+#
-+
-+# internal communication is often done using fifo and unix sockets.
-+allow smbcontrol_t self:fifo_file rw_file_perms;
-+allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
-+
-+files_read_etc_files(smbcontrol_t)
-+
-+miscfiles_read_localization(smbcontrol_t)
-+
-+files_search_var_lib(smbcontrol_t)
-+samba_read_config(smbcontrol_t)
-+samba_rw_var_files(smbcontrol_t)
-+samba_search_var(smbcontrol_t)
-+samba_read_winbind_pid(smbcontrol_t)
-+
-+allow smbcontrol_t smbd_t:process signal;
-+domain_use_interactive_fds(smbcontrol_t)
-+allow smbd_t smbcontrol_t:process { signal signull };
-+
-+allow nmbd_t smbcontrol_t:process signal;
-+allow smbcontrol_t nmbd_t:process { signal signull };
-+
-+allow smbcontrol_t winbind_t:process { signal signull };
-+allow winbind_t smbcontrol_t:process signal;
-+
-+allow smbcontrol_t nmbd_var_run_t:file { read lock };
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.6.24/policy/modules/services/sasl.te
+ ')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.6.25/policy/modules/services/sasl.te
 --- nsaserefpolicy/policy/modules/services/sasl.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/sasl.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/sasl.te	2009-07-29 21:34:35.000000000 -0400
 @@ -31,7 +31,7 @@
  # Local policy
  #
@@ -16352,9 +14511,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	seutil_sigchld_newrole(saslauthd_t)
  ')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.24/policy/modules/services/sendmail.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.25/policy/modules/services/sendmail.if
 --- nsaserefpolicy/policy/modules/services/sendmail.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/sendmail.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/sendmail.if	2009-07-29 21:34:35.000000000 -0400
 @@ -59,20 +59,20 @@
  
  ########################################
@@ -16527,9 +14686,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	allow $1 sendmail_t:fifo_file rw_fifo_file_perms; 
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.24/policy/modules/services/sendmail.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.25/policy/modules/services/sendmail.te
 --- nsaserefpolicy/policy/modules/services/sendmail.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/sendmail.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/sendmail.te	2009-07-29 21:34:35.000000000 -0400
 @@ -20,13 +20,17 @@
  mta_mailserver_delivery(sendmail_t)
  mta_mailserver_sender(sendmail_t)
@@ -16705,18 +14864,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
 -dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
 -') dnl end TODO
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.6.24/policy/modules/services/setroubleshoot.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.6.25/policy/modules/services/setroubleshoot.fc
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/setroubleshoot.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/setroubleshoot.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -5,3 +5,5 @@
  /var/log/setroubleshoot(/.*)?		gen_context(system_u:object_r:setroubleshoot_var_log_t,s0)
  
  /var/lib/setroubleshoot(/.*)?		gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0)
 +
 +/usr/share/setroubleshoot/SetroubleshootFixit\.py* 	--	gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.6.24/policy/modules/services/setroubleshoot.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.6.25/policy/modules/services/setroubleshoot.if
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/setroubleshoot.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/setroubleshoot.if	2009-07-29 21:34:35.000000000 -0400
 @@ -16,8 +16,8 @@
  	')
  
@@ -16793,9 +14952,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	files_list_pids($1)
 +	admin_pattern($1, setroubleshoot_var_run_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.24/policy/modules/services/setroubleshoot.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.25/policy/modules/services/setroubleshoot.te
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/setroubleshoot.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/setroubleshoot.te	2009-07-29 21:34:35.000000000 -0400
 @@ -22,13 +22,19 @@
  type setroubleshoot_var_run_t;
  files_pid_file(setroubleshoot_var_run_t)
@@ -16913,9 +15072,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +permissive setroubleshoot_fixit_t;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.fc serefpolicy-3.6.24/policy/modules/services/shorewall.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.fc serefpolicy-3.6.25/policy/modules/services/shorewall.fc
 --- nsaserefpolicy/policy/modules/services/shorewall.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/services/shorewall.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/shorewall.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -0,0 +1,12 @@
 +
 +/etc/rc\.d/init\.d/shorewall        	--      gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
@@ -16929,9 +15088,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +/var/lib/shorewall(/.*)?			gen_context(system_u:object_r:shorewall_var_lib_t,s0)
 +/var/lib/shorewall-lite(/.*)?           	gen_context(system_u:object_r:shorewall_var_lib_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.if serefpolicy-3.6.24/policy/modules/services/shorewall.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.if serefpolicy-3.6.25/policy/modules/services/shorewall.if
 --- nsaserefpolicy/policy/modules/services/shorewall.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/services/shorewall.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/shorewall.if	2009-07-29 21:34:35.000000000 -0400
 @@ -0,0 +1,166 @@
 +## <summary>policy for shorewall</summary>
 +
@@ -17099,9 +15258,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +        admin_pattern($1, shorewall_tmp_t)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.te serefpolicy-3.6.24/policy/modules/services/shorewall.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.te serefpolicy-3.6.25/policy/modules/services/shorewall.te
 --- nsaserefpolicy/policy/modules/services/shorewall.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/services/shorewall.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/shorewall.te	2009-07-29 21:34:35.000000000 -0400
 @@ -0,0 +1,102 @@
 +policy_module(shorewall,1.0.0)
 +
@@ -17205,9 +15364,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +permissive shorewall_t;
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.6.24/policy/modules/services/smartmon.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.6.25/policy/modules/services/smartmon.te
 --- nsaserefpolicy/policy/modules/services/smartmon.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/smartmon.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/smartmon.te	2009-07-29 21:34:35.000000000 -0400
 @@ -19,6 +19,10 @@
  type fsdaemon_tmp_t;
  files_tmp_file(fsdaemon_tmp_t)
@@ -17265,9 +15424,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.24/policy/modules/services/spamassassin.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.25/policy/modules/services/spamassassin.fc
 --- nsaserefpolicy/policy/modules/services/spamassassin.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/spamassassin.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/spamassassin.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -1,15 +1,25 @@
 -HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamassassin_home_t,s0)
 +HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamc_home_t,s0)
@@ -17296,9 +15455,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /var/spool/spamd(/.*)?		gen_context(system_u:object_r:spamd_spool_t,s0)
 +/var/spool/MD-Quarantine(/.*)?	gen_context(system_u:object_r:spamd_spool_t,s0)
 +/var/spool/MIMEDefang(/.*)?	gen_context(system_u:object_r:spamd_spool_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.24/policy/modules/services/spamassassin.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.25/policy/modules/services/spamassassin.if
 --- nsaserefpolicy/policy/modules/services/spamassassin.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/spamassassin.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/spamassassin.if	2009-07-29 21:34:35.000000000 -0400
 @@ -111,6 +111,7 @@
  	')
  
@@ -17385,9 +15544,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	files_list_pids($1)
 +	admin_pattern($1, spamd_var_run_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.24/policy/modules/services/spamassassin.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.25/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/spamassassin.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/spamassassin.te	2009-07-29 21:34:35.000000000 -0400
 @@ -20,6 +20,35 @@
  ## </desc>
  gen_tunable(spamd_enable_home_dirs, true)
@@ -17680,9 +15839,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
  	udev_read_db(spamd_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.24/policy/modules/services/squid.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.25/policy/modules/services/squid.te
 --- nsaserefpolicy/policy/modules/services/squid.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/squid.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/squid.te	2009-07-29 21:34:35.000000000 -0400
 @@ -118,6 +118,8 @@
  
  fs_getattr_all_fs(squid_t)
@@ -17701,18 +15860,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -#squid requires the following when run in diskd mode, the recommended setting
 -allow squid_t tmpfs_t:file { read write };
 -') dnl end TODO
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.6.24/policy/modules/services/ssh.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.6.25/policy/modules/services/ssh.fc
 --- nsaserefpolicy/policy/modules/services/ssh.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/ssh.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/ssh.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -14,3 +14,5 @@
  /usr/sbin/sshd			--	gen_context(system_u:object_r:sshd_exec_t,s0)
  
  /var/run/sshd\.init\.pid	--	gen_context(system_u:object_r:sshd_var_run_t,s0)
 +
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:home_ssh_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.24/policy/modules/services/ssh.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.25/policy/modules/services/ssh.if
 --- nsaserefpolicy/policy/modules/services/ssh.if	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/ssh.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/ssh.if	2009-07-29 21:34:35.000000000 -0400
 @@ -36,6 +36,7 @@
  	gen_require(`
  		attribute ssh_server;
@@ -18013,9 +16172,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	read_lnk_files_pattern($1, home_ssh_t, home_ssh_t)
 +	userdom_search_user_home_dirs($1)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.24/policy/modules/services/ssh.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.25/policy/modules/services/ssh.te
 --- nsaserefpolicy/policy/modules/services/ssh.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/ssh.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/ssh.te	2009-07-29 21:34:35.000000000 -0400
 @@ -41,6 +41,9 @@
  files_tmp_file(sshd_tmp_t)
  files_poly_parent(sshd_tmp_t)
@@ -18187,18 +16346,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	seutil_sigchld_newrole(ssh_keygen_t)
  ')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.24/policy/modules/services/sssd.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.25/policy/modules/services/sssd.fc
 --- nsaserefpolicy/policy/modules/services/sssd.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/sssd.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/sssd.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -1,4 +1,4 @@
 -/etc/rc.d/init.d/sssd	--	gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/sssd	--	gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
  
  /usr/sbin/sssd		--	gen_context(system_u:object_r:sssd_exec_t,s0)
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.24/policy/modules/services/sssd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.25/policy/modules/services/sssd.if
 --- nsaserefpolicy/policy/modules/services/sssd.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/sssd.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/sssd.if	2009-07-29 21:34:35.000000000 -0400
 @@ -12,12 +12,32 @@
  #
  interface(`sssd_domtrans',`
@@ -18261,9 +16420,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Send and receive messages from
  ##	sssd over dbus.
  ## </summary>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.24/policy/modules/services/uucp.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.25/policy/modules/services/uucp.te
 --- nsaserefpolicy/policy/modules/services/uucp.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/uucp.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/uucp.te	2009-07-29 21:34:35.000000000 -0400
 @@ -95,6 +95,8 @@
  files_search_home(uucpd_t)
  files_search_spool(uucpd_t)
@@ -18281,9 +16440,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.24/policy/modules/services/virt.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.25/policy/modules/services/virt.fc
 --- nsaserefpolicy/policy/modules/services/virt.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/virt.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/virt.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -8,5 +8,16 @@
  
  /var/lib/libvirt(/.*)?		gen_context(system_u:object_r:virt_var_lib_t,s0)
@@ -18301,39 +16460,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/cache/libvirt(/.*)?	gen_context(system_u:object_r:svirt_cache_t,s0)
 +
 +/var/run/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:svirt_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.24/policy/modules/services/virt.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.25/policy/modules/services/virt.if
 --- nsaserefpolicy/policy/modules/services/virt.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/virt.if	2009-07-28 13:42:19.000000000 -0400
-@@ -2,28 +2,6 @@
++++ serefpolicy-3.6.25/policy/modules/services/virt.if	2009-07-29 23:18:44.000000000 -0400
+@@ -103,7 +103,7 @@
  
  ########################################
  ## <summary>
--##	Make the specified type usable as a virt image
--## </summary>
--## <param name="type">
--##	<summary>
--##	Type to be used as a virtual image
--##	</summary>
--## </param>
--#
--interface(`virt_image',`
--	gen_require(`
--		attribute virt_image_type;
--	')
--
--	typeattribute $1 virt_image_type;
--	files_type($1)
--
--	# virt images can be assigned to blk devices
--	dev_node($1)
--')
--
--########################################
--## <summary>
- ##	Execute a domain transition to run virt.
+-##	Read virt PID files.
++##	Read virt pid files.
  ## </summary>
  ## <param name="domain">
-@@ -117,12 +95,12 @@
+ ##	<summary>
+@@ -117,12 +117,12 @@
  	')
  
  	files_search_pids($1)
@@ -18348,7 +16487,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -135,6 +113,7 @@
+@@ -135,6 +135,7 @@
  		type virt_var_run_t;
  	')
  
@@ -18356,7 +16495,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
  ')
  
-@@ -272,11 +251,7 @@
+@@ -268,15 +269,16 @@
+ #
+ interface(`virt_manage_images',`
+ 	gen_require(`
+-		type virt_image_t, virt_var_lib_t;
++		type virt_var_lib_t;
++		attribute virt_image_type;
  	')
  
  	virt_search_lib($1)
@@ -18365,11 +16510,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -	manage_files_pattern($1, virt_image_t, virt_image_t)
 -	read_lnk_files_pattern($1, virt_image_t, virt_image_t)
 -	rw_blk_files_pattern($1, virt_image_t, virt_image_t)
-+	virtual_manage_image($1)
++	allow $1 virt_image_type:dir list_dir_perms;
++	manage_dirs_pattern($1, virt_image_type, virt_image_type)
++	manage_files_pattern($1, virt_image_type, virt_image_type)
++	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
++	rw_blk_files_pattern($1, virt_image_type, virt_image_type)
  
  	tunable_policy(`virt_use_nfs',`
  		fs_manage_nfs_dirs($1)
-@@ -293,6 +268,41 @@
+@@ -293,6 +295,41 @@
  
  ########################################
  ## <summary>
@@ -18411,7 +16560,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	All of the rules required to administrate 
  ##	an virt environment
  ## </summary>
-@@ -327,3 +337,53 @@
+@@ -327,3 +364,54 @@
  
  	virt_manage_log($1)
  ')
@@ -18428,9 +16577,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +## </param>
 +#
 +template(`virt_domain_template',`
++	gen_require(`
++		attribute virt_image_type;
++		attribute virt_domain;
++	')
 +
-+	type $1_t;
-+	virtual_domain($1_t)
++	type $1_t, virt_domain;
++	domain_type($1_t)
++	role system_r types $1_t;
 +
 +	type $1_tmp_t;
 +	files_tmp_file($1_tmp_t)
@@ -18438,8 +16592,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	type $1_tmpfs_t;
 +	files_tmpfs_file($1_tmpfs_t)
 +
-+	type $1_image_t;
-+	virtual_image($1_image_t)
++	type $1_image_t, virt_image_type;
 +
 +	manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
 +	manage_files_pattern($1_t, $1_image_t, $1_image_t)
@@ -18455,78 +16608,62 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
 +	manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
 +	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
-+	fs_getattr_tmpfs($1_t)
-+
-+	fs_read_noxattr_fs_files($1_t)
-+	fs_dontaudit_write_noxattr_fs_files($1_t)
 +
 +	optional_policy(`
++		xserver_rw_shm($1_t)
 +		xserver_common_app($1_t)
-+	')
-+')
-+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.24/policy/modules/services/virt.te
---- nsaserefpolicy/policy/modules/services/virt.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/virt.te	2009-07-28 13:42:19.000000000 -0400
-@@ -8,19 +8,38 @@
- 
- ## <desc>
- ## <p>
--## Allow virt to manage nfs files
-+## Allow svirt to manage nfs files
- ## </p>
- ## </desc>
- gen_tunable(virt_use_nfs, false)
- 
- ## <desc>
- ## <p>
--## Allow virt to manage cifs files
-+## Allow svirt to manage cifs files
- ## </p>
++	')
++')
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.25/policy/modules/services/virt.te
+--- nsaserefpolicy/policy/modules/services/virt.te	2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/virt.te	2009-07-29 23:52:17.000000000 -0400
+@@ -20,6 +20,28 @@
  ## </desc>
  gen_tunable(virt_use_samba, false)
  
--attribute virt_image_type;
 +## <desc>
 +## <p>
-+## Allow svirt to use usb devices
++## Allow virt to use usb devices
 +## </p>
 +## </desc>
 +gen_tunable(virt_use_usb, true)
 +
 +## <desc>
 +## <p>
-+## Allow svirt to manage device configuration, (pci)
++## Allow virt to manage device configuration, (pci)
 +## </p>
 +## </desc>
 +gen_tunable(virt_manage_sysfs, false)
 +
 +## <desc>
 +## <p>
-+## Allow svirt to use serial/parallell communication ports
++## Allow virt to use serial/parallell communication ports
 +## </p>
 +## </desc>
 +gen_tunable(virt_use_comm, false)
++
++attribute virt_domain;
+ attribute virt_image_type;
  
  type virt_etc_t;
- files_config_file(virt_etc_t)
-@@ -29,8 +48,13 @@
+@@ -29,9 +51,14 @@
  files_type(virt_etc_rw_t)
  
  # virt Image files
 -type virt_image_t, virt_image_type; # customizable
--virt_image(virt_image_t)
 +type virt_image_t; # customizable
-+virtual_image(virt_image_t)
-+
+ virt_image(virt_image_t)
+ 
 +# virt Image files
-+type virt_content_t;
-+virtual_image(virt_content_t)
++type virt_content_t; # customizable
++virt_image(virt_content_t)
 +userdom_user_home_content(virt_content_t)
- 
++
  type virt_log_t;
  logging_log_file(virt_log_t)
-@@ -48,17 +72,40 @@
+ 
+@@ -48,17 +75,37 @@
  type virtd_initrc_exec_t;
  init_script_file(virtd_initrc_exec_t)
  
@@ -18561,28 +16698,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow virtd_t self:unix_stream_socket create_stream_socket_perms;
  allow virtd_t self:tcp_socket create_stream_socket_perms;
  
-+manage_files_pattern(virtd_t, virt_image_t, virt_image_t)
-+manage_blk_files_pattern(virtd_t, virt_image_t, virt_image_t)
-+allow virtd_t virt_image_t:file { relabelfrom relabelto };
-+allow virtd_t virt_image_t:blk_file { relabelfrom relabelto };
++allow virtd_t virt_domain:process { setsched transition signal signull sigkill };
 +
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  
-@@ -67,7 +114,11 @@
- manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -68,6 +115,12 @@
  filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
--manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
-+virtual_manage_image(virtd_t)
-+virtual_image_relabel(virtd_t)
+ manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
++manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
++allow virtd_t virt_image_type:file { relabelfrom relabelto };
++allow virtd_t virt_image_type:blk_file { relabelfrom relabelto };
 +
 +manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)
 +manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
  
  manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
  manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -86,6 +137,7 @@
+@@ -86,6 +139,7 @@
  kernel_read_network_state(virtd_t)
  kernel_rw_net_sysctls(virtd_t)
  kernel_load_module(virtd_t)
@@ -18590,7 +16724,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  corecmd_exec_bin(virtd_t)
  corecmd_exec_shell(virtd_t)
-@@ -96,30 +148,51 @@
+@@ -96,30 +150,51 @@
  corenet_tcp_sendrecv_generic_node(virtd_t)
  corenet_tcp_sendrecv_all_ports(virtd_t)
  corenet_tcp_bind_generic_node(virtd_t)
@@ -18645,13 +16779,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  term_use_ptmx(virtd_t)
  
  auth_use_nsswitch(virtd_t)
-@@ -129,7 +202,15 @@
+@@ -129,7 +204,14 @@
  
  logging_send_syslog_msg(virtd_t)
  
 +sysnet_domtrans_ifconfig(virtd_t)
-+
-+virtual_transition(virtd_t)
++sysnet_read_config(virtd_t)
 +
 +userdom_dontaudit_list_admin_dir(virtd_t)
 +userdom_getattr_all_users(virtd_t)
@@ -18661,7 +16794,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -167,22 +248,35 @@
+@@ -167,22 +249,35 @@
  	dnsmasq_domtrans(virtd_t)
  	dnsmasq_signal(virtd_t)
  	dnsmasq_kill(virtd_t)
@@ -18680,9 +16813,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
 +	kerberos_keytab_template(virtd, virtd_t)
 +')
- 
- optional_policy(`
--	qemu_domtrans(virtd_t)
++
++optional_policy(`
 +	lvm_domtrans(virtd_t)
 +')
 +
@@ -18692,8 +16824,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	policykit_domtrans_resolve(virtd_t)
 +	policykit_read_lib(virtd_t)
 +')
-+
-+optional_policy(`
+ 
+ optional_policy(`
+-	qemu_domtrans(virtd_t)
 +	qemu_spec_domtrans(virtd_t, svirt_t)
  	qemu_read_state(virtd_t)
  	qemu_signal(virtd_t)
@@ -18702,7 +16835,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -195,8 +289,94 @@
+@@ -195,8 +290,152 @@
  
  	xen_stream_connect(virtd_t)
  	xen_stream_connect_xenstore(virtd_t)
@@ -18797,9 +16930,67 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	xen_rw_image_files(svirt_t)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.6.24/policy/modules/services/w3c.te
++########################################
++#
++# virtual domains common policy
++#
++
++allow virt_domain self:capability { kill dac_read_search dac_override };
++allow virt_domain self:process { execstack execmem signal getsched signull };
++
++allow virt_domain self:fifo_file rw_file_perms;
++allow virt_domain self:shm create_shm_perms;
++allow virt_domain self:unix_stream_socket create_stream_socket_perms;
++allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
++allow virt_domain self:tcp_socket create_stream_socket_perms;
++
++kernel_read_system_state(virt_domain)
++
++corenet_all_recvfrom_unlabeled(virt_domain)
++corenet_all_recvfrom_netlabel(virt_domain)
++corenet_tcp_sendrecv_generic_if(virt_domain)
++corenet_tcp_sendrecv_generic_node(virt_domain)
++corenet_tcp_sendrecv_all_ports(virt_domain)
++corenet_tcp_bind_generic_node(virt_domain)
++corenet_tcp_bind_vnc_port(virt_domain)
++corenet_rw_tun_tap_dev(virt_domain)
++
++dev_read_sound(virt_domain)
++dev_write_sound(virt_domain)
++dev_rw_ksm(virt_domain)
++dev_rw_kvm(virt_domain)
++dev_rw_qemu(virt_domain)
++
++domain_use_interactive_fds(virt_domain)
++
++files_read_etc_files(virt_domain)
++files_read_usr_files(virt_domain)
++files_read_var_files(virt_domain)
++files_search_all(virt_domain)
++
++fs_getattr_tmpfs(virt_domain)
++fs_rw_anon_inodefs_files(virt_domain)
++fs_rw_tmpfs_files(virt_domain)
++
++term_use_all_terms(virt_domain)
++term_getattr_pty_fs(virt_domain)
++term_use_generic_ptys(virt_domain)
++term_use_ptmx(virt_domain)
++
++auth_use_nsswitch(virt_domain)
++
++logging_send_syslog_msg(virt_domain)
++
++miscfiles_read_localization(virt_domain)
++
++optional_policy(`
++	virt_read_config(virt_domain)
++	virt_read_lib_files(virt_domain)
++	virt_read_content(virt_domain)
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.6.25/policy/modules/services/w3c.te
 --- nsaserefpolicy/policy/modules/services/w3c.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/w3c.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/w3c.te	2009-07-29 21:34:35.000000000 -0400
 @@ -8,11 +8,18 @@
  
  apache_content_template(w3c_validator)
@@ -18819,9 +17010,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t)
  corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
  corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.24/policy/modules/services/xserver.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.25/policy/modules/services/xserver.fc
 --- nsaserefpolicy/policy/modules/services/xserver.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/xserver.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/xserver.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -3,12 +3,16 @@
  #
  HOME_DIR/\.fonts\.conf	--	gen_context(system_u:object_r:user_fonts_config_t,s0)
@@ -18892,9 +17083,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  ifdef(`distro_suse',`
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.24/policy/modules/services/xserver.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.25/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/xserver.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/xserver.if	2009-07-29 21:34:35.000000000 -0400
 @@ -90,7 +90,7 @@
  	allow $2 xauth_home_t:file manage_file_perms;
  	allow $2 xauth_home_t:file { relabelfrom relabelto };
@@ -19568,9 +17759,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	allow xdm_t $1:dbus send_msg;
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.24/policy/modules/services/xserver.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.25/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/services/xserver.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/services/xserver.te	2009-07-29 22:43:31.000000000 -0400
 @@ -34,6 +34,13 @@
  
  ## <desc>
@@ -19968,8 +18159,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	')
 +
 +	optional_policy(`
-+		devicekit_power_dbus_chat(xdm_t)
-+		devicekit_disk_dbus_chat(xdm_t)
++		devicekit_dbus_chat_disk(xdm_t)
++		devicekit_dbus_chat_power(xdm_t)
 +	')
 +
 +	optional_policy(`
@@ -20166,7 +18357,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-+	devicekit_power_signal(xserver_t)
++	devicekit_signal_power(xserver_t)
 +')
 +
 +optional_policy(`
@@ -20224,19 +18415,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -856,6 +1027,11 @@
- 	rhgb_rw_tmpfs_files(xserver_t)
- ')
- 
-+optional_policy(`
-+	rpm_dontaudit_rw_shm(xserver_t)
-+	rpm_rw_tmpfs_files(xserver_t)
-+')
-+
- ########################################
- #
- # Rules common to all X window domains
-@@ -881,6 +1057,8 @@
+@@ -881,6 +1052,8 @@
  # X Server
  # can read server-owned resources
  allow x_domain xserver_t:x_resource read;
@@ -20245,7 +18424,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # can mess with own clients
  allow x_domain self:x_client { manage destroy };
  
-@@ -905,6 +1083,8 @@
+@@ -905,6 +1078,8 @@
  # operations allowed on my windows
  allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
  
@@ -20254,7 +18433,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # X Colormaps
  # can use the default colormap
  allow x_domain rootwindow_t:x_colormap { read use add_color };
-@@ -972,17 +1152,49 @@
+@@ -972,17 +1147,49 @@
  allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
  allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
  
@@ -20316,9 +18495,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -#
 -allow xdm_t user_home_type:file unlink;
 -') dnl end TODO
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-3.6.24/policy/modules/system/application.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-3.6.25/policy/modules/system/application.if
 --- nsaserefpolicy/policy/modules/system/application.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/application.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/application.if	2009-07-29 21:34:35.000000000 -0400
 @@ -2,7 +2,7 @@
  
  ########################################
@@ -20350,9 +18529,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	allow $1 application_domain_type:process signull;
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.24/policy/modules/system/application.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.25/policy/modules/system/application.te
 --- nsaserefpolicy/policy/modules/system/application.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/application.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/application.te	2009-07-29 21:34:35.000000000 -0400
 @@ -7,7 +7,18 @@
  # Executables to be run by user
  attribute application_exec_type;
@@ -20372,9 +18551,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	sudo_sigchld(application_domain_type)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.6.24/policy/modules/system/authlogin.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.6.25/policy/modules/system/authlogin.fc
 --- nsaserefpolicy/policy/modules/system/authlogin.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/authlogin.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/authlogin.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -7,12 +7,10 @@
  /etc/passwd\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
  /etc/shadow.*		--	gen_context(system_u:object_r:shadow_t,s0)
@@ -20400,9 +18579,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /var/run/sudo(/.*)?		gen_context(system_u:object_r:pam_var_run_t,s0)
 +/var/run/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.24/policy/modules/system/authlogin.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.25/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/authlogin.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/authlogin.if	2009-07-29 21:34:35.000000000 -0400
 @@ -40,17 +40,76 @@
  ##	</summary>
  ## </param>
@@ -20702,9 +18881,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  ')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.24/policy/modules/system/authlogin.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.25/policy/modules/system/authlogin.te
 --- nsaserefpolicy/policy/modules/system/authlogin.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/authlogin.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/authlogin.te	2009-07-29 21:34:35.000000000 -0400
 @@ -125,9 +125,18 @@
  ')
  
@@ -20724,9 +18903,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
  #
  # PAM local policy
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.6.24/policy/modules/system/fstools.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.6.25/policy/modules/system/fstools.fc
 --- nsaserefpolicy/policy/modules/system/fstools.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/fstools.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/fstools.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -1,4 +1,3 @@
 -/sbin/badblocks		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/blkid		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -20740,9 +18919,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /sbin/parted		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/partprobe		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.6.24/policy/modules/system/fstools.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.6.25/policy/modules/system/fstools.te
 --- nsaserefpolicy/policy/modules/system/fstools.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/fstools.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/fstools.te	2009-07-29 21:34:35.000000000 -0400
 @@ -97,6 +97,10 @@
  fs_getattr_tmpfs_dirs(fsadm_t)
  fs_read_tmpfs_symlinks(fsadm_t)
@@ -20771,9 +18950,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	xen_rw_image_files(fsadm_t)
  ')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.6.24/policy/modules/system/hostname.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.6.25/policy/modules/system/hostname.te
 --- nsaserefpolicy/policy/modules/system/hostname.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/hostname.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/hostname.te	2009-07-29 21:34:35.000000000 -0400
 @@ -8,7 +8,9 @@
  
  type hostname_t;
@@ -20785,9 +18964,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  role system_r types hostname_t;
  
  ########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.24/policy/modules/system/init.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.25/policy/modules/system/init.fc
 --- nsaserefpolicy/policy/modules/system/init.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/init.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/init.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -4,10 +4,10 @@
  /etc/init\.d/.*		--	gen_context(system_u:object_r:initrc_exec_t,s0)
  
@@ -20810,9 +18989,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  #
  # /var
  #
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.24/policy/modules/system/init.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.25/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/init.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/init.if	2009-07-29 21:34:35.000000000 -0400
 @@ -174,6 +174,7 @@
  	role system_r types $1;
  
@@ -21021,9 +19200,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	allow $1 init_t:unix_dgram_socket sendto;
 +	allow init_t $1:unix_dgram_socket sendto;
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.24/policy/modules/system/init.te
---- nsaserefpolicy/policy/modules/system/init.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/init.te	2009-07-28 13:42:19.000000000 -0400
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.25/policy/modules/system/init.te
+--- nsaserefpolicy/policy/modules/system/init.te	2009-07-29 22:34:34.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/init.te	2009-07-29 21:34:35.000000000 -0400
+@@ -1,5 +1,5 @@
+ 
+-policy_module(init, 1.13.2)
++policy_module(init, 1.13.1)
+ 
+ gen_require(`
+ 	class passwd rootok;
 @@ -17,6 +17,20 @@
  ## </desc>
  gen_tunable(init_upstart, false)
@@ -21045,7 +19231,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # used for direct running of init scripts
  # by admin domains
  attribute direct_run_init;
-@@ -88,7 +102,7 @@
+@@ -64,6 +78,7 @@
+ # of the below init_upstart tunable
+ # but this has a typeattribute in it
+ corecmd_shell_entry_type(initrc_t)
++corecmd_bin_entry_type(initrc_t)
+ 
+ type initrc_devpts_t;
+ term_pty(initrc_devpts_t)
+@@ -88,7 +103,7 @@
  #
  
  # Use capabilities. old rule:
@@ -21054,7 +19248,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # is ~sys_module really needed? observed: 
  # sys_boot
  # sys_tty_config
-@@ -101,7 +115,7 @@
+@@ -101,7 +116,7 @@
  # Re-exec itself
  can_exec(init_t, init_exec_t)
  
@@ -21063,7 +19257,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  # For /var/run/shutdown.pid.
  allow init_t init_var_run_t:file manage_file_perms;
-@@ -167,6 +181,8 @@
+@@ -167,6 +182,8 @@
  
  miscfiles_read_localization(init_t)
  
@@ -21072,7 +19266,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
  ')
-@@ -189,6 +205,14 @@
+@@ -189,6 +206,14 @@
  ')
  
  optional_policy(`
@@ -21087,7 +19281,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	nscd_socket_use(init_t)
  ')
  
-@@ -202,9 +226,10 @@
+@@ -202,9 +227,10 @@
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -21095,11 +19289,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +allow initrc_t self:capability ~{ audit_control audit_write sys_admin sys_module };
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
-+allow initrc_t self:key { search };
++allow initrc_t self:key manage_key_perms;
  
  # Allow IPC with self
  allow initrc_t self:unix_dgram_socket create_socket_perms;
-@@ -217,7 +242,8 @@
+@@ -217,7 +243,8 @@
  term_create_pty(initrc_t, initrc_devpts_t)
  
  # Going to single user mode
@@ -21109,7 +19303,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  can_exec(initrc_t, init_script_file_type)
  
-@@ -230,10 +256,16 @@
+@@ -230,10 +257,16 @@
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -21128,7 +19322,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
  
  init_write_initctl(initrc_t)
-@@ -249,15 +281,19 @@
+@@ -249,15 +282,19 @@
  kernel_rw_all_sysctls(initrc_t)
  # for lsof which is used by alsa shutdown:
  kernel_dontaudit_getattr_message_if(initrc_t)
@@ -21152,7 +19346,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -270,17 +306,22 @@
+@@ -270,17 +307,22 @@
  dev_rw_sysfs(initrc_t)
  dev_list_usbfs(initrc_t)
  dev_read_framebuffer(initrc_t)
@@ -21176,7 +19370,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
  fs_write_ramfs_pipes(initrc_t)
-@@ -328,7 +369,7 @@
+@@ -328,7 +370,7 @@
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -21185,7 +19379,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -343,14 +384,15 @@
+@@ -343,14 +385,15 @@
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -21203,7 +19397,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  files_exec_etc_files(initrc_t)
  files_read_usr_files(initrc_t)
  files_manage_urandom_seed(initrc_t)
-@@ -366,7 +408,9 @@
+@@ -366,7 +409,9 @@
  
  libs_rw_ld_so_cache(initrc_t)
  libs_exec_lib_files(initrc_t)
@@ -21213,7 +19407,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  logging_send_syslog_msg(initrc_t)
  logging_manage_generic_logs(initrc_t)
  logging_read_all_logs(initrc_t)
-@@ -451,11 +495,9 @@
+@@ -425,8 +470,6 @@
+ 	# init scripts touch this
+ 	clock_dontaudit_write_adjtime(initrc_t)
+ 
+-	logging_send_audit_msgs(initrc_t)
+-
+ 	# for integrated run_init to read run_init_type.
+ 	# happens during boot (/sbin/rc execs init scripts)
+ 	seutil_read_default_contexts(initrc_t)
+@@ -453,11 +496,9 @@
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -21226,7 +19429,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	# These seem to be from the initrd
  	# during device initialization:
  	dev_create_generic_dirs(initrc_t)
-@@ -465,6 +507,7 @@
+@@ -467,6 +508,7 @@
  	storage_raw_read_fixed_disk(initrc_t)
  	storage_raw_write_fixed_disk(initrc_t)
  
@@ -21234,7 +19437,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
  	# wants to read /.fonts directory
-@@ -498,6 +541,7 @@
+@@ -500,6 +542,7 @@
  	optional_policy(`
  		#for /etc/rc.d/init.d/nfs to create /etc/exports
  		rpc_write_exports(initrc_t)
@@ -21242,7 +19445,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  
  	optional_policy(`
-@@ -516,6 +560,33 @@
+@@ -518,6 +561,33 @@
  	')
  ')
  
@@ -21276,7 +19479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -570,6 +641,10 @@
+@@ -572,6 +642,10 @@
  	dbus_read_config(initrc_t)
  
  	optional_policy(`
@@ -21287,7 +19490,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  		networkmanager_dbus_chat(initrc_t)
  	')
  ')
-@@ -591,6 +666,10 @@
+@@ -593,6 +667,10 @@
  ')
  
  optional_policy(`
@@ -21298,7 +19501,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	dev_read_usbfs(initrc_t)
  
  	# init scripts run /etc/hotplug/usb.rc
-@@ -647,20 +726,20 @@
+@@ -649,20 +727,20 @@
  ')
  
  optional_policy(`
@@ -21325,7 +19528,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  optional_policy(`
  	ifdef(`distro_redhat',`
-@@ -669,6 +748,7 @@
+@@ -671,6 +749,7 @@
  
  	mysql_stream_connect(initrc_t)
  	mysql_write_log(initrc_t)
@@ -21333,7 +19536,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -719,8 +799,6 @@
+@@ -699,7 +778,6 @@
+ ')
+ 
+ optional_policy(`
+-	corecmd_shell_entry_type(initrc_t)
+ 	fs_write_ramfs_sockets(initrc_t)
+ 	fs_search_ramfs(initrc_t)
+ 
+@@ -721,8 +799,6 @@
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -21342,7 +19553,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -733,10 +811,12 @@
+@@ -735,10 +811,12 @@
  	squid_manage_logs(initrc_t)
  ')
  
@@ -21355,7 +19566,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -754,6 +834,11 @@
+@@ -756,6 +834,11 @@
  	uml_setattr_util_sockets(initrc_t)
  ')
  
@@ -21367,7 +19578,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  optional_policy(`
  	unconfined_domain(initrc_t)
  
-@@ -765,6 +850,13 @@
+@@ -767,6 +850,13 @@
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -21381,7 +19592,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -790,3 +882,35 @@
+@@ -792,3 +882,31 @@
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -21399,10 +19610,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +
 +optional_policy(`
-+	rpm_dontaudit_rw_pipes(daemon)
-+')
-+
-+optional_policy(`
 +	xserver_rw_xdm_home_files(daemon)
 +	tunable_policy(`use_nfs_home_dirs',`
 +		fs_dontaudit_rw_nfs_files(daemon)
@@ -21417,18 +19624,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
 +	fail2ban_read_lib_files(daemon)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.6.24/policy/modules/system/ipsec.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.6.25/policy/modules/system/ipsec.fc
 --- nsaserefpolicy/policy/modules/system/ipsec.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/ipsec.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/ipsec.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -1,3 +1,5 @@
 +/etc/rc\.d/init\.d/ipsec	--	gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
 +
  /etc/ipsec\.secrets		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
  /etc/ipsec\.conf		--	gen_context(system_u:object_r:ipsec_conf_file_t,s0)
  /etc/racoon/psk\.txt		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.6.24/policy/modules/system/ipsec.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.6.25/policy/modules/system/ipsec.if
 --- nsaserefpolicy/policy/modules/system/ipsec.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/ipsec.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/ipsec.if	2009-07-29 21:34:35.000000000 -0400
 @@ -229,3 +229,28 @@
  	ipsec_domtrans_setkey($1)
  	role $2 types setkey_t;
@@ -21458,9 +19665,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	ipsec_domtrans_racoon($1)
 +	role $2 types racoon_t;
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.24/policy/modules/system/ipsec.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.25/policy/modules/system/ipsec.te
 --- nsaserefpolicy/policy/modules/system/ipsec.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/ipsec.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/ipsec.te	2009-07-29 21:34:35.000000000 -0400
 @@ -15,6 +15,9 @@
  type ipsec_conf_file_t;
  files_type(ipsec_conf_file_t)
@@ -21561,9 +19768,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  # allow setkey to set the context for ipsec SAs and policy.
  ipsec_setcontext_default_spd(setkey_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.24/policy/modules/system/iptables.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.25/policy/modules/system/iptables.fc
 --- nsaserefpolicy/policy/modules/system/iptables.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/iptables.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/iptables.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -1,9 +1,10 @@
 -/sbin/ip6tables.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
  /sbin/ipchains.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
@@ -21580,9 +19787,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/sbin/iptables-multi 	--	gen_context(system_u:object_r:iptables_exec_t,s0)
  
 -/var/lib/shorewall(/.*)? --	gen_context(system_u:object_r:iptables_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.24/policy/modules/system/iptables.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.25/policy/modules/system/iptables.te
 --- nsaserefpolicy/policy/modules/system/iptables.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/iptables.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/iptables.te	2009-07-29 21:34:35.000000000 -0400
 @@ -53,6 +53,7 @@
  mls_file_read_all_levels(iptables_t)
  
@@ -21602,9 +19809,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	rhgb_dontaudit_use_ptys(iptables_t)
  ')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-3.6.24/policy/modules/system/iscsi.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-3.6.25/policy/modules/system/iscsi.if
 --- nsaserefpolicy/policy/modules/system/iscsi.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/iscsi.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/iscsi.if	2009-07-29 21:34:35.000000000 -0400
 @@ -17,3 +17,43 @@
  
  	domtrans_pattern($1, iscsid_exec_t, iscsid_t)
@@ -21649,9 +19856,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	stream_connect_pattern($1,iscsi_var_lib_t,iscsi_var_lib_t,iscsid_t)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.24/policy/modules/system/iscsi.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.25/policy/modules/system/iscsi.te
 --- nsaserefpolicy/policy/modules/system/iscsi.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/iscsi.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/iscsi.te	2009-07-29 21:34:35.000000000 -0400
 @@ -55,6 +55,7 @@
  files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
  
@@ -21675,9 +19882,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
 -sysnet_dns_name_resolve(iscsid_t)
 +miscfiles_read_localization(iscsid_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.24/policy/modules/system/libraries.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.25/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/libraries.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/libraries.fc	2009-07-29 23:41:18.000000000 -0400
 @@ -60,12 +60,15 @@
  #
  # /opt
@@ -21719,7 +19926,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  /usr/(.*/)?java/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/(.*/)?java/.+\.jar			--	gen_context(system_u:object_r:lib_t,s0)
-@@ -115,25 +121,35 @@
+@@ -115,25 +121,29 @@
  
  /usr/(.*/)?nvidia/.+\.so(\..*)?		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
@@ -21732,32 +19939,38 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/lib64/vlc/codec/libdmo_plugin\.so	   --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib64/vlc/codec/librealaudio_plugin\.so  --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
-+/usr/lib(64)?/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
  /usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/libsipphoneapi\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/ati-fglrx/.+\.so(\..*)?	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 -/usr/lib(64)?/fglrx/libGL\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 -/usr/lib(64)?/libjackserver\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libGLU\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib(64)?/fglrx/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/libGLU\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/libjackserver\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/libjs\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/libx264\.so(\.[^/]*)* 	-- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libx264\.so(\.[^/]*)* 	-- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* 	-- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/xorg/libGL\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/xorg/libGL\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib(64)?/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/xulrunner-[^/]*/libxul\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
-@@ -169,11 +185,13 @@
+@@ -143,7 +153,6 @@
+ /usr/NX/lib/libXcomp\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/NX/lib/libjpeg\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+-/usr/X11R6/lib/libGL\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/X11R6/lib/libXvMCNVIDIA\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+ /usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -169,11 +178,13 @@
  # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
  # 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
  /usr/lib(64)?/gstreamer-.*/[^/]*\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -21772,33 +19985,44 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /usr/lib/maxima/[^/]+/binary-gcl/maxima	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/mozilla/plugins/libvlcplugin\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/nx/libXcomp\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -188,12 +206,15 @@
- /usr/lib(64)?/libdv\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -185,15 +196,13 @@
+ /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libglide3\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libglide3-v[0-9]*\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libdv\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/helix/plugins/[^/]*\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/helix/codecs/[^/]*\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/libswscale\.so.*		 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/libSDL-.*\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libSDL-.*\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/xorg/modules/dri/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/X11R6/lib/modules/dri/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/dri/.+\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 -/usr/X11R6/lib/libOSMesa\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/X11R6/lib/libOSMesa.*\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/X11R6/lib/libfglrx_gamma\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib/libfglrx_gamma\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/libOSMesa.*\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/libHermes\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/valgrind/hp2ps		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/valgrind/stage2		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -234,7 +255,7 @@
+@@ -228,31 +237,24 @@
+ /usr/lib(64)?/ladspa/sc3_1427\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/ladspa/sc4_1882\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/ladspa/se4_1883\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libImlib2\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/ocaml/stublibs/dllnums\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/httpd/modules/libphp5\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/php/modules/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
  # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
 -/usr/lib(64)?.*/libmpg123\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/libpostproc\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/libavformat.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -247,12 +268,13 @@
+-/usr/lib(64)?/libpostproc\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libavformat.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libavcodec.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libavutil.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libxvidcore\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/xine/plugins/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libgsm\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libmp3lame\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
  # Flash plugin, Macromedia
  HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -21814,7 +20038,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  # Jai, Sun Microsystems (Jpackage SPRM)
  /usr/lib(64)?/libmlib_jai\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -268,6 +290,9 @@
+@@ -268,6 +270,9 @@
  /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/vmware/(.*/)?VmPerl\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
@@ -21824,7 +20048,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # Java, Sun Microsystems (JPackage SRPM)
  /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -292,6 +317,8 @@
+@@ -292,6 +297,8 @@
  /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/acroread/.+\.api		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/acroread/(.*/)?ADMPlugin\.apl	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -21833,7 +20057,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ') dnl end distro_redhat
  
  #
-@@ -304,10 +331,50 @@
+@@ -304,10 +311,74 @@
  
  /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? --	gen_context(system_u:object_r:lib_t,s0)
  
@@ -21849,7 +20073,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
 +
-+/usr/lib(64)?/libavdevice\.so.*	 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib(64)?/libmythavcodec-[^/]+\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/lib/jvm/java(.*/)bin(/.*)?/.*\.so 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -21859,8 +20082,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +/opt/novell/groupwise/client/lib/libgwapijni\.so\.1	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
-+/usr/lib(64)?/libmpeg2\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
 +/usr/lib(64)?/sse2/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib(64)?/i686/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib(64)?/google-earth/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -21871,6 +20092,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/lib/oracle/.*/lib/libnnz.*\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/opt/(.*/)?oracle/(.*/)?libnnz.*\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libnnz11.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/opt/matlab.*\.so(\.[^/]*)*		gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/matlab.*\.so(\.[^/]*)*		gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -21884,9 +20106,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/lib(64)?/ICAClient/.*\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/lib(64)?/midori/.*\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.6.24/policy/modules/system/libraries.if
++
++
++
++ifdef(`fixed',`
++/usr/lib(64)?/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libavdevice\.so.*	 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libavformat.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libavcodec.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libavutil.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libdv\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libGLU\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/xorg/libGL\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/X11R6/lib/libGL\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libgsm\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libImlib2\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libjackserver\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libmp3lame\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/X11R6/lib/libOSMesa.*\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libOSMesa.*\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libmpeg2\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libpostproc\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libSDL-.*\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libswscale\.so.*		 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libx264\.so(\.[^/]*)* 	-- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libxvidcore\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.6.25/policy/modules/system/libraries.if
 --- nsaserefpolicy/policy/modules/system/libraries.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/libraries.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/libraries.if	2009-07-29 21:34:35.000000000 -0400
 @@ -60,7 +60,7 @@
  		type lib_t, ld_so_t, ld_so_cache_t;
  	')
@@ -21914,9 +20162,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	allow $1 lib_t:dir list_dir_perms;
  	read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
  	mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.6.24/policy/modules/system/libraries.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.6.25/policy/modules/system/libraries.te
 --- nsaserefpolicy/policy/modules/system/libraries.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/libraries.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/libraries.te	2009-07-29 21:34:35.000000000 -0400
 @@ -52,11 +52,11 @@
  # ldconfig local policy
  #
@@ -21962,20 +20210,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ifdef(`hide_broken_symptoms',`
  	optional_policy(`
  		unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
-@@ -116,4 +124,10 @@
- 	# and executes ldconfig on it. If you dont allow this kernel installs 
+@@ -117,3 +125,7 @@
  	# blow up.
  	rpm_manage_script_tmp_files(ldconfig_t)
-+	# smart package manager needs the following for the same reason
-+	rpm_rw_tmp_files(ldconfig_t)
-+')
+ ')
 +
 +optional_policy(`
 +	unconfined_domain(ldconfig_t) 
- ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.24/policy/modules/system/locallogin.te
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.25/policy/modules/system/locallogin.te
 --- nsaserefpolicy/policy/modules/system/locallogin.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/locallogin.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/locallogin.te	2009-07-29 21:34:35.000000000 -0400
 @@ -67,6 +67,7 @@
  dev_setattr_power_mgmt_dev(local_login_t)
  dev_getattr_sound_dev(local_login_t)
@@ -22054,9 +20299,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -optional_policy(`
 -	nscd_socket_use(sulogin_t)
 -')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.24/policy/modules/system/logging.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.25/policy/modules/system/logging.fc
 --- nsaserefpolicy/policy/modules/system/logging.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/logging.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/logging.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -53,15 +53,18 @@
  /var/named/chroot/var/log -d	gen_context(system_u:object_r:var_log_t,s0)
  ')
@@ -22080,9 +20325,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  /var/tinydns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.24/policy/modules/system/logging.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.25/policy/modules/system/logging.if
 --- nsaserefpolicy/policy/modules/system/logging.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/logging.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/logging.if	2009-07-29 21:34:35.000000000 -0400
 @@ -623,7 +623,7 @@
  	')
  
@@ -22101,9 +20346,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.24/policy/modules/system/logging.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.25/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/logging.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/logging.te	2009-07-29 21:34:35.000000000 -0400
 @@ -126,7 +126,7 @@
  allow auditd_t self:process { signal_perms setpgid setsched };
  allow auditd_t self:file rw_file_perms;
@@ -22196,9 +20441,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow syslogd_t self:udp_socket create_socket_perms;
  allow syslogd_t self:tcp_socket create_stream_socket_perms;
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.24/policy/modules/system/lvm.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.25/policy/modules/system/lvm.te
 --- nsaserefpolicy/policy/modules/system/lvm.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/lvm.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/lvm.te	2009-07-29 21:34:35.000000000 -0400
 @@ -10,6 +10,9 @@
  type clvmd_exec_t;
  init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -22285,9 +20530,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  optional_policy(`
  	modutils_domtrans_insmod(lvm_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.24/policy/modules/system/miscfiles.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.25/policy/modules/system/miscfiles.if
 --- nsaserefpolicy/policy/modules/system/miscfiles.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/miscfiles.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/miscfiles.if	2009-07-29 21:34:35.000000000 -0400
 @@ -87,6 +87,25 @@
  
  ########################################
@@ -22314,9 +20559,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Do not audit attempts to write fonts.
  ## </summary>
  ## <param name="domain">
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.24/policy/modules/system/modutils.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.25/policy/modules/system/modutils.te
 --- nsaserefpolicy/policy/modules/system/modutils.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/modutils.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/modutils.te	2009-07-29 21:34:35.000000000 -0400
 @@ -42,7 +42,7 @@
  # insmod local policy
  #
@@ -22399,15 +20644,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	hotplug_search_config(insmod_t)
  ')
  
-@@ -154,6 +168,7 @@
- 
- optional_policy(`
- 	rpm_rw_pipes(insmod_t)
-+	rpm_read_script_tmp_files(insmod_t)
- ')
- 
- optional_policy(`
-@@ -184,6 +199,7 @@
+@@ -184,6 +198,7 @@
  
  files_read_kernel_symbol_table(depmod_t)
  files_read_kernel_modules(depmod_t)
@@ -22415,7 +20652,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  fs_getattr_xattr_fs(depmod_t)
  
-@@ -214,7 +230,13 @@
+@@ -214,7 +229,13 @@
  ')
  
  optional_policy(`
@@ -22429,9 +20666,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  #################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.6.24/policy/modules/system/mount.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.6.25/policy/modules/system/mount.fc
 --- nsaserefpolicy/policy/modules/system/mount.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/mount.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/mount.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -1,4 +1,9 @@
  /bin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
  /bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
@@ -22443,66 +20680,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +/var/cache/davfs2(/.*)?		gen_context(system_u:object_r:mount_var_run_t,s0)
 +/var/run/davfs2(/.*)?		gen_context(system_u:object_r:mount_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.24/policy/modules/system/mount.if
---- nsaserefpolicy/policy/modules/system/mount.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/mount.if	2009-07-28 13:42:19.000000000 -0400
-@@ -43,9 +43,11 @@
- 
- 	mount_domtrans($1)
- 	role $2 types mount_t;
-+	#Leaked File Descriptors
-+	dontaudit mount_t $1:unix_stream_socket rw_socket_perms;
- 
- 	optional_policy(`
--		samba_run_smbmount($1, $2)
-+		samba_run_smbmount($1, $2, $3)
- 	')
- ')
- 
-@@ -159,3 +161,21 @@
- 	mount_domtrans_unconfined($1)
- 	role $2 types unconfined_mount_t;
- ')
-+
-+########################################
-+## <summary>
-+##	Send signal to mount process
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	The type of the process performing this action.
-+##	</summary>
-+## </param>
-+#
-+interface(`mount_signal',`
-+	gen_require(`
-+		type mount_t;
-+	')
-+
-+	allow $1 mount_t:process signal; 
-+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.24/policy/modules/system/mount.te
---- nsaserefpolicy/policy/modules/system/mount.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/mount.te	2009-07-28 14:16:41.000000000 -0400
-@@ -18,17 +18,22 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.25/policy/modules/system/mount.te
+--- nsaserefpolicy/policy/modules/system/mount.te	2009-07-29 15:15:33.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/mount.te	2009-07-29 22:27:56.000000000 -0400
+@@ -18,8 +18,12 @@
  init_system_domain(mount_t, mount_exec_t)
  role system_r types mount_t;
  
--type mount_loopback_t; # customizable
--files_type(mount_loopback_t)
 +typealias mount_t alias mount_ntfs_t;
 +typealias mount_exec_t alias mount_ntfs_exec_t;
 +
-+type mount_loop_t; # customizable
-+files_type(mount_loop_t)
-+typealias mount_loop_t alias mount_loopback_t;
+ type mount_loopback_t; # customizable
+ files_type(mount_loopback_t)
++typealias mount_loopback_t alias mount_loop_t;
  
  type mount_tmp_t;
  files_tmp_file(mount_tmp_t)
- 
--# causes problems with interfaces when
--# this is optionally declared in monolithic
--# policy--duplicate type declaration
+@@ -29,6 +33,10 @@
+ # policy--duplicate type declaration
  type unconfined_mount_t;
  application_domain(unconfined_mount_t, mount_exec_t)
 +role system_r types unconfined_mount_t;
@@ -22512,20 +20707,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  ########################################
  #
-@@ -36,9 +41,10 @@
+@@ -36,7 +44,11 @@
  #
  
  # setuid/setgid needed to mount cifs 
 -allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
 +allow mount_t self:capability { fsetid ipc_lock sys_rawio sys_resource sys_admin dac_override chown sys_tty_config setuid setgid };
 +allow mount_t self:process { ptrace signal };
++allow mount_t self:fifo_file rw_fifo_file_perms;
++allow mount_t self:unix_stream_socket create_stream_socket_perms;
++allow mount_t self:unix_dgram_socket create_socket_perms; 
  
--allow mount_t mount_loopback_t:file read_file_perms;
-+allow mount_t mount_loop_t:file read_file_perms;
+ allow mount_t mount_loopback_t:file read_file_perms;
  
- allow mount_t mount_tmp_t:file manage_file_perms;
- allow mount_t mount_tmp_t:dir manage_dir_perms;
-@@ -47,12 +53,25 @@
+@@ -47,12 +59,25 @@
  
  files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
  
@@ -22551,7 +20746,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  dev_rw_lvm_control(mount_t)
  dev_dontaudit_getattr_all_chr_files(mount_t)
  dev_dontaudit_getattr_memory_dev(mount_t)
-@@ -62,16 +81,19 @@
+@@ -62,16 +87,19 @@
  storage_raw_write_fixed_disk(mount_t)
  storage_raw_read_removable_device(mount_t)
  storage_raw_write_removable_device(mount_t)
@@ -22574,7 +20769,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  term_use_all_terms(mount_t)
  
-@@ -79,6 +101,7 @@
+@@ -79,6 +107,7 @@
  corecmd_exec_bin(mount_t)
  
  domain_use_interactive_fds(mount_t)
@@ -22582,7 +20777,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  files_search_all(mount_t)
  files_read_etc_files(mount_t)
-@@ -87,7 +110,7 @@
+@@ -87,7 +116,7 @@
  files_mounton_all_mountpoints(mount_t)
  files_unmount_rootfs(mount_t)
  # These rules need to be generalized.  Only admin, initrc should have it:
@@ -22591,7 +20786,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  files_mount_all_file_type_fs(mount_t)
  files_unmount_all_file_type_fs(mount_t)
  # for when /etc/mtab loses its type
-@@ -100,6 +123,8 @@
+@@ -100,6 +129,8 @@
  init_use_fds(mount_t)
  init_use_script_ptys(mount_t)
  init_dontaudit_getattr_initctl(mount_t)
@@ -22600,7 +20795,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  auth_use_nsswitch(mount_t)
  
-@@ -116,6 +141,7 @@
+@@ -116,6 +147,7 @@
  seutil_read_config(mount_t)
  
  userdom_use_all_users_fds(mount_t)
@@ -22608,8 +20803,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -133,7 +159,7 @@
+@@ -131,9 +163,13 @@
+ 	')
+ ')
  
++corecmd_exec_shell(mount_t)
++
++modutils_domtrans_insmod(mount_t)
++
  tunable_policy(`allow_mount_anyfile',`
  	auth_read_all_dirs_except_shadow(mount_t)
 -	auth_read_all_files_except_shadow(mount_t)
@@ -22617,32 +20818,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	files_mounton_non_security(mount_t)
  ')
  
-@@ -141,16 +167,16 @@
- 	# for nfs
- 	corenet_all_recvfrom_unlabeled(mount_t)
- 	corenet_all_recvfrom_netlabel(mount_t)
--	corenet_tcp_sendrecv_all_if(mount_t)
--	corenet_raw_sendrecv_all_if(mount_t)
--	corenet_udp_sendrecv_all_if(mount_t)
--	corenet_tcp_sendrecv_all_nodes(mount_t)
--	corenet_raw_sendrecv_all_nodes(mount_t)
--	corenet_udp_sendrecv_all_nodes(mount_t)
-+	corenet_tcp_sendrecv_generic_if(mount_t)
-+	corenet_raw_sendrecv_generic_if(mount_t)
-+	corenet_udp_sendrecv_generic_if(mount_t)
-+	corenet_tcp_sendrecv_generic_node(mount_t)
-+	corenet_raw_sendrecv_generic_node(mount_t)
-+	corenet_udp_sendrecv_generic_node(mount_t)
- 	corenet_tcp_sendrecv_all_ports(mount_t)
- 	corenet_udp_sendrecv_all_ports(mount_t)
--	corenet_tcp_bind_all_nodes(mount_t)
--	corenet_udp_bind_all_nodes(mount_t)
-+	corenet_tcp_bind_generic_node(mount_t)
-+	corenet_udp_bind_generic_node(mount_t)
- 	corenet_tcp_bind_generic_port(mount_t)
- 	corenet_udp_bind_generic_port(mount_t)
- 	corenet_tcp_bind_reserved_port(mount_t)
-@@ -164,6 +190,8 @@
+@@ -164,6 +200,8 @@
  	fs_search_rpc(mount_t)
  
  	rpc_stub(mount_t)
@@ -22651,7 +20827,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-@@ -171,6 +199,15 @@
+@@ -171,6 +209,21 @@
  ')
  
  optional_policy(`
@@ -22664,10 +20840,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +
 +optional_policy(`
++	hal_write_log(mount_t)
++	hal_use_fds(mount_t)
++	hal_dontaudit_rw_pipes(mount_t)
++')
++
++optional_policy(`
  	ifdef(`hide_broken_symptoms',`
  		# for a bug in the X server
  		rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -178,6 +215,11 @@
+@@ -178,6 +231,11 @@
  	')
  ')
  
@@ -22679,7 +20861,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # for kernel package installation
  optional_policy(`
  	rpm_rw_pipes(mount_t)
-@@ -185,14 +227,23 @@
+@@ -185,6 +243,7 @@
  
  optional_policy(`
  	samba_domtrans_smbmount(mount_t)
@@ -22687,28 +20869,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
- #
--# Unconfined mount local policy
-+#  ntfs local policy
- #
-+allow mount_t self:fifo_file rw_fifo_file_perms;
-+allow mount_t self:unix_stream_socket create_stream_socket_perms;
-+allow mount_t self:unix_dgram_socket create_socket_perms; 
-+
-+corecmd_exec_shell(mount_t)
-+
-+modutils_domtrans_insmod(mount_t)
+@@ -194,5 +253,8 @@
  
  optional_policy(`
--	files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
+ 	files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
 -	unconfined_domain(unconfined_mount_t)
-+	hal_write_log(mount_t)
-+	hal_use_fds(mount_t)
-+	hal_dontaudit_rw_pipes(mount_t)
++	unconfined_domain_noaudit(unconfined_mount_t)
++
++	rpc_domtrans_rpcd(unconfined_mount_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.6.24/policy/modules/system/selinuxutil.fc
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.6.25/policy/modules/system/selinuxutil.fc
 --- nsaserefpolicy/policy/modules/system/selinuxutil.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/selinuxutil.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/selinuxutil.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -6,13 +6,13 @@
  /etc/selinux(/.*)?			gen_context(system_u:object_r:selinux_config_t,s0)
  /etc/selinux/([^/]*/)?contexts(/.*)?	gen_context(system_u:object_r:default_context_t,s0)
@@ -22747,9 +20920,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +/etc/share/selinux/targeted(/.*)?	gen_context(system_u:object_r:semanage_store_t,s0)
 +/etc/share/selinux/mls(/.*)?		gen_context(system_u:object_r:semanage_store_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.24/policy/modules/system/selinuxutil.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.25/policy/modules/system/selinuxutil.if
 --- nsaserefpolicy/policy/modules/system/selinuxutil.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/selinuxutil.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/selinuxutil.if	2009-07-29 21:34:35.000000000 -0400
 @@ -535,6 +535,53 @@
  
  ########################################
@@ -22882,7 +21055,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Full management of the semanage
  ##	module store.
  ## </summary>
-@@ -1139,3 +1234,255 @@
+@@ -1139,3 +1234,251 @@
  	selinux_dontaudit_get_fs_mount($1)
  	seutil_dontaudit_read_config($1)
  ')
@@ -23018,10 +21191,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	userdom_dontaudit_write_user_home_content_files($1)
 +
-+	optional_policy(`
-+		rpm_dontaudit_rw_tmp_files($1)
-+		rpm_dontaudit_rw_pipes($1)
-+	')
 +')
 +
 +
@@ -23138,9 +21307,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	hotplug_use_fds($1)
 +')
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.24/policy/modules/system/selinuxutil.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.25/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/selinuxutil.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/selinuxutil.te	2009-07-29 21:34:35.000000000 -0400
 @@ -23,6 +23,9 @@
  type selinux_config_t;
  files_type(selinux_config_t)
@@ -23504,9 +21673,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -	hotplug_use_fds(setfiles_t)
 +	unconfined_domain(setfiles_mac_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.6.24/policy/modules/system/setrans.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.6.25/policy/modules/system/setrans.if
 --- nsaserefpolicy/policy/modules/system/setrans.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/setrans.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/setrans.if	2009-07-29 21:34:35.000000000 -0400
 @@ -21,3 +21,23 @@
  	stream_connect_pattern($1, setrans_var_run_t, setrans_var_run_t, setrans_t)
  	files_list_pids($1)
@@ -23531,9 +21700,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	init_labeled_script_domtrans($1, setrans_initrc_exec_t)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.6.24/policy/modules/system/sysnetwork.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.6.25/policy/modules/system/sysnetwork.fc
 --- nsaserefpolicy/policy/modules/system/sysnetwork.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/sysnetwork.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/sysnetwork.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -11,15 +11,20 @@
  /etc/dhclient-script	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
  /etc/dhcpc.*			gen_context(system_u:object_r:dhcp_etc_t,s0)
@@ -23562,9 +21731,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
 +
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.24/policy/modules/system/sysnetwork.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.25/policy/modules/system/sysnetwork.if
 --- nsaserefpolicy/policy/modules/system/sysnetwork.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/sysnetwork.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/sysnetwork.if	2009-07-29 21:34:35.000000000 -0400
 @@ -43,6 +43,39 @@
  
  	sysnet_domtrans_dhcpc($1)
@@ -23733,9 +21902,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	role_transition $1 dhcpc_exec_t system_r;
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.24/policy/modules/system/sysnetwork.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.25/policy/modules/system/sysnetwork.te
 --- nsaserefpolicy/policy/modules/system/sysnetwork.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/sysnetwork.te	2009-07-28 14:15:06.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/sysnetwork.te	2009-07-29 21:34:35.000000000 -0400
 @@ -20,6 +20,9 @@
  init_daemon_domain(dhcpc_t, dhcpc_exec_t)
  role system_r types dhcpc_t;
@@ -23934,9 +22103,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	hal_dontaudit_rw_pipes(ifconfig_t)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.6.24/policy/modules/system/udev.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.6.25/policy/modules/system/udev.fc
 --- nsaserefpolicy/policy/modules/system/udev.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/udev.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/udev.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -7,6 +7,9 @@
  /etc/hotplug\.d/default/udev.* -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
  
@@ -23947,9 +22116,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  /sbin/start_udev --	gen_context(system_u:object_r:udev_exec_t,s0)
  /sbin/udev	--	gen_context(system_u:object_r:udev_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.24/policy/modules/system/udev.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.25/policy/modules/system/udev.te
 --- nsaserefpolicy/policy/modules/system/udev.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/udev.te	2009-07-28 14:15:17.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/udev.te	2009-07-29 21:34:35.000000000 -0400
 @@ -50,6 +50,7 @@
  allow udev_t self:unix_stream_socket connectto;
  allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -24061,9 +22230,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	kernel_write_xen_state(udev_t)
  	kernel_read_xen_state(udev_t)
  	xen_manage_log(udev_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.6.24/policy/modules/system/unconfined.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.6.25/policy/modules/system/unconfined.fc
 --- nsaserefpolicy/policy/modules/system/unconfined.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/unconfined.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/unconfined.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -1,16 +1 @@
  # Add programs here which should not be confined by SELinux
 -# e.g.:
@@ -24081,9 +22250,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -ifdef(`distro_gentoo',`
 -/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 -')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.24/policy/modules/system/unconfined.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.25/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/unconfined.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/unconfined.if	2009-07-29 21:34:35.000000000 -0400
 @@ -12,14 +12,13 @@
  #
  interface(`unconfined_domain_noaudit',`
@@ -24577,9 +22746,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -
 -	allow $1 unconfined_t:dbus acquire_svc;
 -')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.24/policy/modules/system/unconfined.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.25/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/unconfined.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/unconfined.te	2009-07-29 21:34:35.000000000 -0400
 @@ -1,231 +1,9 @@
  
 -policy_module(unconfined, 3.0.0)
@@ -24814,9 +22983,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -		hal_dbus_chat(unconfined_execmem_t)
 -	')
 -')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.24/policy/modules/system/userdomain.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.25/policy/modules/system/userdomain.fc
 --- nsaserefpolicy/policy/modules/system/userdomain.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/userdomain.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/userdomain.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -1,4 +1,7 @@
  HOME_DIR	-d	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
 +HOME_DIR	-l	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
@@ -24826,9 +22995,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 +/dev/shm/pulse-shm.*	gen_context(system_u:object_r:user_tmpfs_t,s0)
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.24/policy/modules/system/userdomain.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.25/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/userdomain.if	2009-07-28 14:32:30.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/userdomain.if	2009-07-29 22:34:20.000000000 -0400
 @@ -30,8 +30,9 @@
  	')
  
@@ -25423,8 +23592,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  		optional_policy(`
 -			hal_dbus_chat($1_t)
 +			devicekit_dbus_chat($1_usertype)
-+			devicekit_power_dbus_chat($1_usertype)
-+			devicekit_disk_dbus_chat($1_usertype)
++			devicekit_dbus_chat_disk($1_usertype)
++			devicekit_dbus_chat_power($1_usertype)
  		')
  
  		optional_policy(`
@@ -25752,8 +23921,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	optional_policy(`
 +		devicekit_dbus_chat($1_usertype)
-+		devicekit_power_dbus_chat($1_usertype)
-+		devicekit_disk_dbus_chat($1_usertype)
++		devicekit_dbus_chat_disk($1_usertype)
++		devicekit_dbus_chat_power($1_usertype)
  	')
  
  	optional_policy(`
@@ -26683,9 +24852,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	allow $1 user_home_dir_t:dir search_dir_perms;
 +	files_search_home($1)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.24/policy/modules/system/userdomain.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.25/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/userdomain.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/userdomain.te	2009-07-29 21:34:35.000000000 -0400
 @@ -8,13 +8,6 @@
  
  ## <desc>
@@ -26771,216 +24940,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +allow userdomain userdomain:process signull;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.fc serefpolicy-3.6.24/policy/modules/system/virtual.fc
---- nsaserefpolicy/policy/modules/system/virtual.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/system/virtual.fc	2009-07-28 13:42:19.000000000 -0400
-@@ -0,0 +1 @@
-+# No application file contexts.
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.if serefpolicy-3.6.24/policy/modules/system/virtual.if
---- nsaserefpolicy/policy/modules/system/virtual.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/system/virtual.if	2009-07-28 13:42:19.000000000 -0400
-@@ -0,0 +1,119 @@
-+## <summary>Virtual machine emulator and virtualizer</summary>
-+
-+########################################
-+## <summary>
-+##	Make the specified type a virtual domain
-+## </summary>
-+## <desc>
-+##	<p>
-+##	Make the specified type a virtual domain
-+##	</p>
-+##	<p>
-+##	Gives the basic access required for a virtual operatins system
-+##	</p>
-+## </desc>
-+## <param name="type">
-+##	<summary>
-+##	Type granted access
-+##	</summary>
-+## </param>
-+#
-+interface(`virtual_domain',`
-+	gen_require(`
-+		attribute virtualdomain;
-+	')
-+
-+	typeattribute $1 virtualdomain;
-+
-+	# start with basic domain
-+	domain_type($1)
-+
-+	# could be started by libvirt
-+	domain_user_exemption_target($1)
-+
-+	optional_policy(`
-+		xserver_common_app($1)
-+	')
-+
-+')
-+
-+########################################
-+## <summary>
-+##	Make the specified type usable as a virtual os image
-+## </summary>
-+## <param name="type">
-+##	<summary>
-+##	Type to be used as a virtual image
-+##	</summary>
-+## </param>
-+#
-+interface(`virtual_image',`
-+	gen_require(`
-+		attribute virtual_image_type;
-+	')
-+
-+	typeattribute $1 virtual_image_type;
-+	files_type($1)
-+
-+	# virt images can be assigned to blk devices
-+	dev_node($1)
-+')
-+
-+########################################
-+## <summary>
-+##	Allow domain to manage virt image files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`virtual_manage_image',`
-+	gen_require(`
-+		attribute virtual_image_type;
-+	')
-+
-+	manage_dirs_pattern($1, virtual_image_type, virtual_image_type)
-+	manage_files_pattern($1, virtual_image_type, virtual_image_type)
-+	manage_lnk_files_pattern($1, virtual_image_type, virtual_image_type)
-+	rw_blk_files_pattern($1, virtual_image_type, virtual_image_type)
-+')
-+
-+########################################
-+## <summary>
-+##	Allow domain to relabel virt image files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`virtual_image_relabel',`
-+	gen_require(`
-+		attribute virtual_image_type;
-+	')
-+
-+	allow $1 virtual_image_type:file { relabelfrom relabelto };
-+	allow $1 virtual_image_type:blk_file { relabelfrom relabelto };
-+')
-+
-+########################################
-+## <summary>
-+##	Allow domain to transition and control virtualdomain
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`virtual_transition',`
-+	gen_require(`
-+		attribute virtualdomain;
-+	')
-+
-+	allow $1 virtualdomain:process { setsched transition signal signull sigkill };
-+')
-+
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.24/policy/modules/system/virtual.te
---- nsaserefpolicy/policy/modules/system/virtual.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.24/policy/modules/system/virtual.te	2009-07-28 13:42:19.000000000 -0400
-@@ -0,0 +1,75 @@
-+
-+policy_module(virtualization, 1.1.2)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+attribute virtualseparateddomain;
-+attribute virtualdomain;
-+attribute virtual_image_type;
-+
-+########################################
-+#
-+# qemu common policy
-+#
-+
-+allow virtualdomain self:capability { kill dac_read_search dac_override };
-+allow virtualdomain self:process { execstack execmem signal getsched signull };
-+
-+allow virtualdomain self:fifo_file rw_file_perms;
-+allow virtualdomain self:shm create_shm_perms;
-+allow virtualdomain self:unix_stream_socket create_stream_socket_perms;
-+allow virtualdomain self:unix_dgram_socket { create_socket_perms sendto };
-+allow virtualdomain self:tcp_socket create_stream_socket_perms;
-+
-+kernel_read_system_state(virtualdomain)
-+
-+corenet_all_recvfrom_unlabeled(virtualdomain)
-+corenet_all_recvfrom_netlabel(virtualdomain)
-+corenet_tcp_sendrecv_generic_if(virtualdomain)
-+corenet_tcp_sendrecv_generic_node(virtualdomain)
-+corenet_tcp_sendrecv_all_ports(virtualdomain)
-+corenet_tcp_bind_generic_node(virtualdomain)
-+corenet_tcp_bind_vnc_port(virtualdomain)
-+corenet_rw_tun_tap_dev(virtualdomain)
-+
-+dev_read_sound(virtualdomain)
-+dev_write_sound(virtualdomain)
-+dev_rw_ksm(virtualdomain)
-+dev_rw_kvm(virtualdomain)
-+dev_rw_qemu(virtualdomain)
-+
-+domain_use_interactive_fds(virtualdomain)
-+
-+files_read_etc_files(virtualdomain)
-+files_read_usr_files(virtualdomain)
-+files_read_var_files(virtualdomain)
-+files_search_all(virtualdomain)
-+
-+fs_rw_anon_inodefs_files(virtualdomain)
-+fs_rw_tmpfs_files(virtualdomain)
-+
-+term_use_all_terms(virtualdomain)
-+term_getattr_pty_fs(virtualdomain)
-+term_use_generic_ptys(virtualdomain)
-+term_use_ptmx(virtualdomain)
-+
-+auth_use_nsswitch(virtualdomain)
-+
-+logging_send_syslog_msg(virtualdomain)
-+
-+miscfiles_read_localization(virtualdomain)
-+
-+optional_policy(`
-+	virt_read_config(virtualdomain)
-+	virt_read_lib_files(virtualdomain)
-+	virt_read_content(virtualdomain)
-+')
-+
-+optional_policy(`
-+	xserver_read_xdm_tmp_files(virtualdomain)
-+	xserver_read_xdm_pid(virtualdomain)
-+	xserver_rw_shm(virtualdomain)
-+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.6.24/policy/modules/system/xen.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.6.25/policy/modules/system/xen.fc
 --- nsaserefpolicy/policy/modules/system/xen.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/xen.fc	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/xen.fc	2009-07-29 21:34:35.000000000 -0400
 @@ -1,5 +1,7 @@
  /dev/xen/tapctrl.*	-p	gen_context(system_u:object_r:xenctl_t,s0)
  
@@ -27008,9 +24970,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /var/run/xenstore\.pid	--	gen_context(system_u:object_r:xenstored_var_run_t,s0)
  /var/run/xenstored(/.*)?	gen_context(system_u:object_r:xenstored_var_run_t,s0)
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.6.24/policy/modules/system/xen.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.6.25/policy/modules/system/xen.if
 --- nsaserefpolicy/policy/modules/system/xen.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/xen.if	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/xen.if	2009-07-29 21:34:35.000000000 -0400
 @@ -71,6 +71,8 @@
  	')
  
@@ -27083,9 +25045,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +        files_search_pids($1)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.24/policy/modules/system/xen.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.25/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/modules/system/xen.te	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/modules/system/xen.te	2009-07-29 21:34:35.000000000 -0400
 @@ -6,6 +6,13 @@
  # Declarations
  #
@@ -27380,9 +25342,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +libs_use_ld_so(evtchnd_t)
 +libs_use_shared_libs(evtchnd_t)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.24/policy/support/obj_perm_sets.spt
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.25/policy/support/obj_perm_sets.spt
 --- nsaserefpolicy/policy/support/obj_perm_sets.spt	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/support/obj_perm_sets.spt	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/support/obj_perm_sets.spt	2009-07-29 21:34:35.000000000 -0400
 @@ -201,7 +201,7 @@
  define(`setattr_file_perms',`{ setattr }')
  define(`read_file_perms',`{ getattr open read lock ioctl }')
@@ -27415,9 +25377,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')
 +
 +define(`manage_key_perms', `{ create link read search setattr view write } ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.24/policy/users
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.25/policy/users
 --- nsaserefpolicy/policy/users	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/policy/users	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/policy/users	2009-07-29 21:34:35.000000000 -0400
 @@ -25,11 +25,8 @@
  # permit any access to such users, then remove this entry.
  #
@@ -27442,9 +25404,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -	gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
 -')
 +gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.6.24/Rules.modular
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.6.25/Rules.modular
 --- nsaserefpolicy/Rules.modular	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/Rules.modular	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/Rules.modular	2009-07-29 21:34:35.000000000 -0400
 @@ -73,8 +73,8 @@
  $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
  	@echo "Compliling $(NAME) $(@F) module"
@@ -27474,9 +25436,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rul
  
  $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
  $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.6.24/support/Makefile.devel
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.6.25/support/Makefile.devel
 --- nsaserefpolicy/support/Makefile.devel	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.24/support/Makefile.devel	2009-07-28 13:42:19.000000000 -0400
++++ serefpolicy-3.6.25/support/Makefile.devel	2009-07-29 21:34:35.000000000 -0400
 @@ -185,8 +185,7 @@
  tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te
  	@$(EINFO) "Compiling $(NAME) $(basename $(@F)) module"