diff --git a/policy-20090105.patch b/policy-20090105.patch
index 9b1a2e4..7c47559 100644
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@@ -3287,8 +3287,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.6.3/policy/modules/apps/podsleuth.te
 --- nsaserefpolicy/policy/modules/apps/podsleuth.te	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/apps/podsleuth.te	2009-01-19 13:10:02.000000000 -0500
-@@ -11,21 +11,58 @@
++++ serefpolicy-3.6.3/policy/modules/apps/podsleuth.te	2009-01-30 08:03:36.000000000 -0500
+@@ -11,21 +11,59 @@
  application_domain(podsleuth_t, podsleuth_exec_t)
  role system_r types podsleuth_t;
  
@@ -3326,7 +3326,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +fs_getattr_dos_fs(podsleuth_t)
 +fs_read_dos_files(podsleuth_t)
 +fs_search_dos(podsleuth_t)
-+
++fs_getattr_tmpfs(podsleuth_t)
++fs_list_tmpfs(podsleuth_t)
 +fs_mount_nfs(podsleuth_t)
 +fs_unmount_nfs(podsleuth_t)
 +fs_getattr_nfs(podsleuth_t)
@@ -3685,7 +3686,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.3/policy/modules/apps/qemu.te
 --- nsaserefpolicy/policy/modules/apps/qemu.te	2009-01-19 11:03:28.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/apps/qemu.te	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/apps/qemu.te	2009-01-30 09:14:38.000000000 -0500
 @@ -6,6 +6,8 @@
  # Declarations
  #
@@ -3695,7 +3696,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ## <desc>
  ## <p>
  ## Allow qemu to connect fully to the network
-@@ -13,28 +15,151 @@
+@@ -13,28 +15,153 @@
  ## </desc>
  gen_tunable(qemu_full_network, false)
  
@@ -3800,6 +3801,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +storage_raw_write_removable_device(qemu_t)
 +storage_raw_read_removable_device(qemu_t)
 +
++userdom_search_user_home_content(qemu_t)
++
  tunable_policy(`qemu_full_network',`
  	allow qemu_t self:udp_socket create_socket_perms;
  
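Review bot: `userdom_search_user_home_content(qemu_t)` is added unconditionally, outside the `tunable_policy` block that follows it, so every qemu_t process may traverse user home content directories regardless of configuration. It is presumably there to reach the `HOME_DIR/VirtualMachines` contexts added to virt.fc in this same commit, but nothing in the hunk says so. A comment such as `# search user home content to reach HOME_DIR/VirtualMachines images` would record the reason and make the grant easier to audit later. The surrounding qemu.te policy starts and ends outside the hunk.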
@@ -5158,7 +5161,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	all protocols (TCP, UDP, etc)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.3/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/kernel/domain.te	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/kernel/domain.te	2009-01-30 07:56:48.000000000 -0500
 @@ -5,6 +5,13 @@
  #
  # Declarations
@@ -5220,7 +5223,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
  
  # act on all domains keys
-@@ -153,3 +170,39 @@
+@@ -153,3 +170,34 @@
  
  # receive from all domains over labeled networking
  domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -5234,15 +5237,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	cron_dontaudit_write_system_job_tmp_files(domain)
 +	cron_rw_pipes(domain)
 +ifdef(`hide_broken_symptoms',`
-+	cron_dontaudit_rw_tcp_sockets(domain)
 +	allow domain domain:key { link search };
 +')
 +')
 +
-+ifdef(`hide_broken_symptoms',`
-+        dbus_dontaudit_system_bus_rw_tcp_sockets(domain)
-+')
-+
 +optional_policy(`
 +	rpm_rw_pipes(domain)
 +	rpm_dontaudit_use_script_fds(domain)
@@ -17626,7 +17624,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /usr/sbin/postkick	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.3/policy/modules/services/postfix.if
 --- nsaserefpolicy/policy/modules/services/postfix.if	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/postfix.if	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/postfix.if	2009-01-30 08:30:01.000000000 -0500
 @@ -46,6 +46,7 @@
  
  	allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
@@ -17647,7 +17645,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	files_search_etc($1)
  ')
  
-@@ -378,7 +378,7 @@
+@@ -232,6 +232,25 @@
+ 
+ ########################################
+ ## <summary>
++##	Allow read/write postfix local pipes
++##	TCP sockets.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`postfix_rw_local_pipes',`
++	gen_require(`
++		type postfix_local_t;
++	')
++
++	allow $1 postfix_local_t:fifo rw_fifo_file_perms;
++')
++
++########################################
++## <summary>
+ ##	Allow domain to read postfix local process state
+ ## </summary>
+ ## <param name="domain">
+@@ -378,7 +397,7 @@
  ##	</summary>
  ## </param>
  #
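Review bot: The allow rule in the new `postfix_rw_local_pipes` interface uses the object class `fifo`, which is not an SELinux object class; named and unnamed pipes use `fifo_file`, so the rule should read `allow $1 postfix_local_t:fifo_file rw_fifo_file_perms;`. As written the rule will most likely fail to compile, or at best not grant what the `postfix_rw_local_pipes(spamc_t)` call added in the spamassassin.te hunk expects. The doc header also looks copied from a dontaudit TCP-socket interface. The summary should be `Read and write postfix local pipes.` and the parameter text `Domain allowed access.` instead of `Domain to not audit.`, since this interface grants access and does not suppress audits.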
@@ -17656,7 +17680,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	gen_require(`
  		type postfix_private_t;
  	')
-@@ -389,6 +389,25 @@
+@@ -389,6 +408,25 @@
  
  ########################################
  ## <summary>
@@ -17682,7 +17706,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Execute the master postfix program in the
  ##	postfix_master domain.
  ## </summary>
-@@ -418,10 +437,10 @@
+@@ -418,10 +456,10 @@
  #
  interface(`postfix_search_spool',`
  	gen_require(`
@@ -17695,7 +17719,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	files_search_spool($1)
  ')
  
-@@ -437,11 +456,30 @@
+@@ -437,11 +475,30 @@
  #
  interface(`postfix_list_spool',`
  	gen_require(`
@@ -17728,7 +17752,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -456,16 +494,16 @@
+@@ -456,16 +513,16 @@
  #
  interface(`postfix_read_spool_files',`
  	gen_require(`
@@ -17748,7 +17772,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -475,11 +513,11 @@
+@@ -475,11 +532,11 @@
  #
  interface(`postfix_manage_spool_files',`
  	gen_require(`
@@ -17762,7 +17786,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -500,3 +538,23 @@
+@@ -500,3 +557,23 @@
  
  	typeattribute $1 postfix_user_domtrans;
  ')
@@ -21420,7 +21444,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.3/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/spamassassin.te	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/spamassassin.te	2009-01-30 08:30:30.000000000 -0500
 @@ -20,6 +20,35 @@
  ## </desc>
  gen_tunable(spamd_enable_home_dirs, true)
@@ -21532,7 +21556,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  miscfiles_read_localization(spamc_t)
  
  # cjp: this should probably be removed:
-@@ -265,31 +323,34 @@
+@@ -265,31 +323,35 @@
  
  sysnet_read_config(spamc_t)
  
@@ -21568,6 +21592,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -	nscd_socket_use(spamc_t)
 +	postfix_domtrans_postdrop(spamc_t)
 +	postfix_search_spool(spamc_t)
++	postfix_rw_local_pipes(spamc_t)
  ')
  
  optional_policy(`
@@ -21579,7 +21604,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -301,7 +362,7 @@
+@@ -301,7 +363,7 @@
  # setuids to the user running spamc.  Comment this if you are not
  # using this ability.
  
@@ -21588,7 +21613,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  dontaudit spamd_t self:capability sys_tty_config;
  allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow spamd_t self:fd use;
-@@ -317,10 +378,13 @@
+@@ -317,10 +379,13 @@
  allow spamd_t self:unix_stream_socket connectto;
  allow spamd_t self:tcp_socket create_stream_socket_perms;
  allow spamd_t self:udp_socket create_socket_perms;
@@ -21603,7 +21628,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
  
  manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -329,10 +393,11 @@
+@@ -329,10 +394,11 @@
  
  # var/lib files for spamd
  allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -21616,7 +21641,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
  
  kernel_read_all_sysctls(spamd_t)
-@@ -382,22 +447,27 @@
+@@ -382,22 +448,27 @@
  
  init_dontaudit_rw_utmp(spamd_t)
  
@@ -21648,7 +21673,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	fs_manage_cifs_files(spamd_t)
  ')
  
-@@ -415,6 +485,7 @@
+@@ -415,6 +486,7 @@
  
  optional_policy(`
  	dcc_domtrans_client(spamd_t)
@@ -21656,7 +21681,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	dcc_stream_connect_dccifd(spamd_t)
  ')
  
-@@ -424,10 +495,6 @@
+@@ -424,10 +496,6 @@
  ')
  
  optional_policy(`
@@ -21667,7 +21692,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	postfix_read_config(spamd_t)
  ')
  
-@@ -442,6 +509,10 @@
+@@ -442,6 +510,10 @@
  
  optional_policy(`
  	razor_domtrans(spamd_t)
@@ -22363,10 +22388,80 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.3/policy/modules/services/virt.fc
+--- nsaserefpolicy/policy/modules/services/virt.fc	2009-01-05 15:39:43.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/virt.fc	2009-01-30 09:09:00.000000000 -0500
+@@ -8,5 +8,10 @@
+ 
+ /var/lib/libvirt(/.*)?		gen_context(system_u:object_r:virt_var_lib_t,s0)
+ /var/lib/libvirt/images(/.*)? 	gen_context(system_u:object_r:virt_image_t,s0)
++/var/lib/libvirt/isos(/.*)? 	gen_context(system_u:object_r:virt_image_ro_t,s0)
++
+ /var/log/libvirt(/.*)?		gen_context(system_u:object_r:virt_log_t,s0)
+ /var/run/libvirt(/.*)?		gen_context(system_u:object_r:virt_var_run_t,s0)
++
++HOME_DIR/VirtualMachines(/.*)? 	gen_context(system_u:object_r:virt_image_t,s0)
++HOME_DIR/VirtualMachines/isos(/.*)? 	gen_context(system_u:object_r:virt_image_ro_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.3/policy/modules/services/virt.if
+--- nsaserefpolicy/policy/modules/services/virt.if	2009-01-05 15:39:43.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/virt.if	2009-01-30 09:13:05.000000000 -0500
+@@ -293,6 +293,41 @@
+ 
+ ########################################
+ ## <summary>
++##	Allow domain to manage virt image files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`virt_read_ro_t',`
++	gen_require(`
++		type virt_image_ro_t;
++	')
++
++	virt_search_lib($1)
++	allow $1 virt_image_ro_t:dir list_dir_perms;
++	read_dirs_pattern($1, virt_image_ro_t, virt_image_ro_t)
++	read_files_pattern($1, virt_image_ro_t, virt_image_ro_t)
++	read_lnk_files_pattern($1, virt_image_ro_t, virt_image_ro_t)
++	rw_blk_files_pattern($1, virt_image_ro_t, virt_image_ro_t)
++
++	tunable_policy(`virt_use_nfs',`
++		fs_read_nfs_dirs($1)
++		fs_read_nfs_files($1)
++		fs_read_nfs_symlinks($1)
++	')
++
++	tunable_policy(`virt_use_samba',`
++		fs_read_nfs_files($1)
++		fs_read_cifs_files($1)
++		fs_read_cifs_symlinks($1)
++	')
++')
++
++########################################
++## <summary>
+ ##	All of the rules required to administrate 
+ ##	an virt environment
+ ## </summary>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.3/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/virt.te	2009-01-21 16:53:49.000000000 -0500
-@@ -53,7 +53,7 @@
++++ serefpolicy-3.6.3/policy/modules/services/virt.te	2009-01-30 09:10:13.000000000 -0500
+@@ -32,6 +32,10 @@
+ type virt_image_t, virt_image_type; # customizable
+ virt_image(virt_image_t)
+ 
++# virt Image files
++type virt_image_ro_t;
++virt_image(virt_image_ro_t)
++
+ type virt_log_t;
+ logging_log_file(virt_log_t)
+ 
+@@ -53,7 +57,7 @@
  # virtd local policy
  #
  
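Review bot: The new `virt_read_ro_t` interface grants write access on a type that is meant to be read-only: `rw_blk_files_pattern($1, virt_image_ro_t, virt_image_ro_t)` should be `read_blk_files_pattern($1, virt_image_ro_t, virt_image_ro_t)` unless writing block devices labelled `virt_image_ro_t` is really intended. In the `virt_use_samba` branch the first call is `fs_read_nfs_files($1)`, which looks like a copy-paste from the NFS branch above it; a CIFS directory call such as `fs_list_cifs($1)` is probably what was meant. The doc header says "manage virt image files" and "Domain to not audit", while the interface only reads and allows; `Read read-only virt image files.` and `Domain allowed access.` would match the rules. In virt.te the comment `# virt Image files` on `virt_image_ro_t` could say `# read-only virt image files (ISOs)` so the difference from `virt_image_t` is visible.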
@@ -22375,7 +22470,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow virtd_t self:process { getsched sigkill signal execmem };
  allow virtd_t self:fifo_file rw_file_perms;
  allow virtd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -96,7 +96,7 @@
+@@ -96,7 +100,7 @@
  corenet_tcp_sendrecv_generic_node(virtd_t)
  corenet_tcp_sendrecv_all_ports(virtd_t)
  corenet_tcp_bind_generic_node(virtd_t)
@@ -22384,7 +22479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  corenet_tcp_bind_vnc_port(virtd_t)
  corenet_tcp_connect_vnc_port(virtd_t)
  corenet_tcp_connect_soundd_port(virtd_t)
-@@ -110,11 +110,13 @@
+@@ -110,11 +114,13 @@
  
  files_read_usr_files(virtd_t)
  files_read_etc_files(virtd_t)
@@ -22398,7 +22493,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  storage_raw_write_removable_device(virtd_t)
  storage_raw_read_removable_device(virtd_t)
-@@ -129,7 +131,10 @@
+@@ -129,7 +135,10 @@
  
  logging_send_syslog_msg(virtd_t)
  
@@ -22409,7 +22504,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -173,16 +178,17 @@
+@@ -173,16 +182,17 @@
  	iptables_domtrans(virtd_t)
  ')
  
@@ -28084,7 +28179,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.3/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if	2009-01-28 10:48:13.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/system/userdomain.if	2009-01-30 09:14:16.000000000 -0500
 @@ -30,8 +30,9 @@
  	')