diff --git a/policy-20070703.patch b/policy-20070703.patch
index 35be2e3..4ffab80 100644
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@@ -710,7 +710,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc
/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.0.4/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2007-05-30 11:47:29.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/admin/rpm.if 2007-07-25 13:27:51.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/admin/rpm.if 2007-07-31 14:04:42.000000000 -0400
@@ -210,6 +210,24 @@
########################################
@@ -767,7 +767,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
')
########################################
-@@ -289,3 +328,65 @@
+@@ -289,3 +328,84 @@
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
')
@@ -833,6 +833,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if
+
+ dontaudit $1 rpm_tmp_t:file rw_file_perms;
+')
++
++########################################
++##
++## Do not audit attempts to read,
++## write RPM shm
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`rpm_dontaudit_rw_shm',`
++ gen_require(`
++ type rpm_t;
++ ')
++
++ dontaudit $1 rpm_t:shm rw_shm_perms;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.0.4/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2007-07-25 10:37:43.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/admin/rpm.te 2007-07-25 13:27:51.000000000 -0400
@@ -2697,7 +2716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
# etc_runtime_t is the type of various
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.4/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-07-03 07:05:38.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/kernel/filesystem.if 2007-07-30 10:20:15.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/kernel/filesystem.if 2007-07-31 16:40:44.000000000 -0400
@@ -1192,6 +1192,24 @@
########################################
@@ -2723,9 +2742,61 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
## Search inotifyfs filesystem.
##
##
+@@ -2219,7 +2237,7 @@
+ ## Domain allowed access.
+ ##
+ ##
+-#
++
+ interface(`fs_dontaudit_read_ramfs_files',`
+ gen_require(`
+ type ramfs_t;
+@@ -3476,3 +3494,42 @@
+ relabelfrom_blk_files_pattern($1,noxattrfs,noxattrfs)
+ relabelfrom_chr_files_pattern($1,noxattrfs,noxattrfs)
+ ')
++
++########################################
++##
++## Read files of anon_inodefs file system files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_read_anon_inodefs_files',`
++ gen_require(`
++ type anon_inodefs_t;
++
++ ')
++
++ read_files_pattern($1,anon_inodefs_t,anon_inodefs_t)
++')
++
++########################################
++##
++## Read/wrie files of anon_inodefs file system files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`fs_rw_anon_inodefs_files',`
++ gen_require(`
++ type anon_inodefs_t;
++
++ ')
++
++ rw_files_pattern($1,anon_inodefs_t,anon_inodefs_t)
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.4/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-07-25 10:37:36.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/kernel/filesystem.te 2007-07-25 13:27:51.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/kernel/filesystem.te 2007-07-31 16:40:53.000000000 -0400
@@ -43,6 +43,12 @@
#
# Non-persistent/pseudo filesystems
@@ -2749,7 +2820,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
# filesystem SID to label inodes in the following filesystem types,
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.4/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-07-03 07:05:38.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/kernel/kernel.if 2007-07-25 14:26:57.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/kernel/kernel.if 2007-07-31 16:22:36.000000000 -0400
@@ -108,6 +108,24 @@
########################################
@@ -3354,7 +3425,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.4/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/services/apache.te 2007-07-26 13:46:18.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/services/apache.te 2007-07-31 16:48:18.000000000 -0400
@@ -30,6 +30,13 @@
##
@@ -3470,22 +3541,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
libs_use_ld_so(httpd_t)
libs_use_shared_libs(httpd_t)
-@@ -348,7 +396,13 @@
+@@ -348,7 +396,9 @@
userdom_use_unpriv_users_fds(httpd_t)
-mta_send_mail(httpd_t)
-+optional_policy(`
-+ nscd_socket_use(httpd_t)
-+')
-+
+tunable_policy(`httpd_enable_homedirs',`
+ userdom_search_generic_user_home_dirs(httpd_t)
+')
tunable_policy(`allow_httpd_anon_write',`
miscfiles_manage_public_files(httpd_t)
-@@ -360,6 +414,7 @@
+@@ -360,6 +410,7 @@
#
tunable_policy(`allow_httpd_mod_auth_pam',`
auth_domtrans_chk_passwd(httpd_t)
@@ -3493,7 +3560,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
')
')
-@@ -367,6 +422,16 @@
+@@ -367,6 +418,16 @@
corenet_tcp_connect_all_ports(httpd_t)
')
@@ -3510,7 +3577,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_can_network_connect_db',`
# allow httpd to connect to mysql/posgresql
corenet_tcp_connect_postgresql_port(httpd_t)
-@@ -387,6 +452,17 @@
+@@ -387,6 +448,17 @@
corenet_sendrecv_http_cache_client_packets(httpd_t)
')
@@ -3528,7 +3595,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
-@@ -404,11 +480,21 @@
+@@ -404,11 +476,21 @@
fs_read_nfs_symlinks(httpd_t)
')
@@ -3550,7 +3617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
-@@ -430,6 +516,12 @@
+@@ -430,6 +512,12 @@
')
optional_policy(`
@@ -3563,7 +3630,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
calamaris_read_www_files(httpd_t)
')
-@@ -512,10 +604,16 @@
+@@ -512,10 +600,16 @@
tunable_policy(`httpd_tty_comm',`
# cjp: this is redundant:
term_use_controlling_term(httpd_helper_t)
@@ -3581,7 +3648,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
########################################
#
# Apache PHP script local policy
-@@ -606,6 +704,10 @@
+@@ -567,7 +661,6 @@
+ allow httpd_suexec_t self:capability { setuid setgid };
+ allow httpd_suexec_t self:process signal_perms;
+ allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
+-allow httpd_suexec_t self:netlink_route_socket r_netlink_socket_perms;
+
+ domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
+
+@@ -581,6 +674,8 @@
+ manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
+ files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
+
++auth_use_nsswitch(httpd_suexec_t)
++
+ kernel_read_kernel_sysctls(httpd_suexec_t)
+ kernel_list_proc(httpd_suexec_t)
+ kernel_read_proc_symlinks(httpd_suexec_t)
+@@ -606,6 +701,10 @@
miscfiles_read_localization(httpd_suexec_t)
@@ -3592,7 +3676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_can_network_connect',`
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
allow httpd_suexec_t self:udp_socket create_socket_perms;
-@@ -620,10 +722,13 @@
+@@ -620,10 +719,13 @@
corenet_udp_sendrecv_all_ports(httpd_suexec_t)
corenet_tcp_connect_all_ports(httpd_suexec_t)
corenet_sendrecv_all_client_packets(httpd_suexec_t)
@@ -3607,7 +3691,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_cgi && httpd_unified',`
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
')
-@@ -634,6 +739,12 @@
+@@ -634,6 +736,12 @@
fs_exec_nfs_files(httpd_suexec_t)
')
@@ -3620,7 +3704,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -672,7 +783,8 @@
+@@ -655,14 +763,6 @@
+ nagios_domtrans_cgi(httpd_suexec_t)
+ ')
+
+-optional_policy(`
+- nis_use_ypbind(httpd_suexec_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(httpd_suexec_t)
+-')
+-
+ ########################################
+ #
+ # Apache system script local policy
+@@ -672,7 +772,8 @@
dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -3630,7 +3729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -686,15 +798,66 @@
+@@ -686,15 +787,66 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@@ -3646,15 +3745,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+')
+
+tunable_policy(`httpd_use_nfs', `
-+ fs_read_nfs_files(httpd_sys_script_t)
-+ fs_read_nfs_symlinks(httpd_sys_script_t)
-+')
-+
-+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
fs_read_nfs_files(httpd_sys_script_t)
fs_read_nfs_symlinks(httpd_sys_script_t)
')
++tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
++ fs_read_nfs_files(httpd_sys_script_t)
++ fs_read_nfs_symlinks(httpd_sys_script_t)
++')
++
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
@@ -3698,7 +3797,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -711,6 +874,19 @@
+@@ -711,6 +863,19 @@
########################################
#
@@ -3718,7 +3817,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
# httpd_rotatelogs local policy
#
-@@ -728,3 +904,26 @@
+@@ -728,3 +893,26 @@
logging_search_logs(httpd_rotatelogs_t)
miscfiles_read_localization(httpd_rotatelogs_t)
@@ -3795,7 +3894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.0.4/policy/modules/services/apcupsd.te
--- nsaserefpolicy/policy/modules/services/apcupsd.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/services/apcupsd.te 2007-07-30 11:42:36.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/services/apcupsd.te 2007-07-31 14:08:18.000000000 -0400
@@ -16,6 +16,9 @@
type apcupsd_log_t;
logging_log_file(apcupsd_log_t)
@@ -3844,7 +3943,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu
files_search_locks(apcupsd_t)
+# Creates /etc/nologin
+files_manage_etc_runtime_files(apcupsd_t)
-+files_etc_filetrans_etc_runtime(apcuspd_t,file)
++files_etc_filetrans_etc_runtime(apcupsd_t,file)
+
+#apcupsd runs shutdown, probably need a shutdown domain
+init_rw_utmp(apcupsd_t)
@@ -4572,7 +4671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
+/usr/local/Brother/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.0.4/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/services/cups.te 2007-07-31 12:58:26.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/services/cups.te 2007-07-31 16:41:22.000000000 -0400
@@ -81,12 +81,11 @@
# /usr/lib/cups/backend/serial needs sys_admin(?!)
allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config };
@@ -4596,7 +4695,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
allow cupsd_t cupsd_exec_t:lnk_file read;
manage_files_pattern(cupsd_t,cupsd_log_t,cupsd_log_t)
-@@ -150,14 +149,17 @@
+@@ -150,20 +149,24 @@
corenet_tcp_bind_reserved_port(cupsd_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
corenet_tcp_connect_all_ports(cupsd_t)
@@ -4615,7 +4714,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
dev_getattr_printer_dev(cupsd_t)
domain_read_all_domains_state(cupsd_t)
-@@ -176,6 +178,7 @@
+
+ fs_getattr_all_fs(cupsd_t)
+ fs_search_auto_mountpoints(cupsd_t)
++fs_read_anon_inodefs_files(cupsd_t)
+
+ mls_fd_use_all_levels(cupsd_t)
+ mls_file_downgrade(cupsd_t)
+@@ -176,6 +179,7 @@
term_search_ptys(cupsd_t)
auth_domtrans_chk_passwd(cupsd_t)
@@ -4623,7 +4729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
auth_dontaudit_read_pam_pid(cupsd_t)
# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
-@@ -189,7 +192,7 @@
+@@ -189,7 +193,7 @@
# read python modules
files_read_usr_files(cupsd_t)
# for /var/lib/defoma
@@ -4632,7 +4738,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
files_list_world_readable(cupsd_t)
files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t)
-@@ -223,21 +226,45 @@
+@@ -223,21 +227,45 @@
sysnet_read_config(cupsd_t)
@@ -4678,7 +4784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
cron_system_entry(cupsd_t, cupsd_exec_t)
')
-@@ -250,6 +277,10 @@
+@@ -250,6 +278,10 @@
optional_policy(`
hal_dbus_chat(cupsd_t)
')
@@ -4689,7 +4795,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
')
optional_policy(`
-@@ -265,16 +296,16 @@
+@@ -265,16 +297,16 @@
')
optional_policy(`
@@ -4710,7 +4816,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
seutil_sigchld_newrole(cupsd_t)
')
-@@ -379,6 +410,14 @@
+@@ -379,6 +411,14 @@
')
optional_policy(`
@@ -4725,7 +4831,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
')
-@@ -562,7 +601,7 @@
+@@ -562,7 +602,7 @@
dev_read_urand(hplip_t)
dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
@@ -4734,7 +4840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
fs_getattr_all_fs(hplip_t)
fs_search_auto_mountpoints(hplip_t)
-@@ -589,8 +628,6 @@
+@@ -589,8 +629,6 @@
userdom_dontaudit_search_sysadm_home_dirs(hplip_t)
userdom_dontaudit_search_all_users_home_content(hplip_t)
@@ -6225,7 +6331,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.0.4/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/services/postfix.if 2007-07-25 13:27:51.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/services/postfix.if 2007-07-31 15:40:47.000000000 -0400
@@ -41,6 +41,8 @@
allow postfix_$1_t self:unix_stream_socket connectto;
@@ -6235,7 +6341,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
read_files_pattern(postfix_$1_t,postfix_etc_t,postfix_etc_t)
-@@ -132,10 +134,8 @@
+@@ -66,6 +68,7 @@
+
+ fs_search_auto_mountpoints(postfix_$1_t)
+ fs_getattr_xattr_fs(postfix_$1_t)
++ fs_rw_anon_inodefs_files(postfix_$1_t)
+
+ term_dontaudit_use_console(postfix_$1_t)
+
+@@ -132,10 +135,8 @@
corenet_tcp_connect_all_ports(postfix_$1_t)
corenet_sendrecv_all_client_packets(postfix_$1_t)
@@ -6247,7 +6361,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
')
')
-@@ -269,6 +269,42 @@
+@@ -269,6 +270,42 @@
########################################
##
@@ -6290,7 +6404,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
## Do not audit attempts to use
## postfix master process file
## file descriptors.
-@@ -434,6 +470,25 @@
+@@ -434,6 +471,25 @@
########################################
##
@@ -6316,7 +6430,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
## Execute postfix user mail programs
## in their respective domains.
##
-@@ -450,3 +505,22 @@
+@@ -450,3 +506,22 @@
typeattribute $1 postfix_user_domtrans;
')
@@ -6677,7 +6791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
fs_search_auto_mountpoints($1_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.4/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/services/rpc.te 2007-07-30 09:46:58.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/services/rpc.te 2007-07-31 14:16:40.000000000 -0400
@@ -59,10 +59,13 @@
manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
@@ -7135,8 +7249,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.0.4/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/services/setroubleshoot.te 2007-07-25 13:27:51.000000000 -0400
-@@ -76,6 +76,9 @@
++++ serefpolicy-3.0.4/policy/modules/services/setroubleshoot.te 2007-07-31 16:16:14.000000000 -0400
+@@ -33,7 +33,6 @@
+ allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
+ allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow setroubleshootd_t self:unix_dgram_socket create_socket_perms;
+-allow setroubleshootd_t self:netlink_route_socket r_netlink_socket_perms;
+
+ # database files
+ allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr;
+@@ -51,6 +50,8 @@
+ manage_sock_files_pattern(setroubleshootd_t,setroubleshoot_var_run_t,setroubleshoot_var_run_t)
+ files_pid_filetrans(setroubleshootd_t,setroubleshoot_var_run_t, { file sock_file })
+
++auth_use_nsswitch(setroubleshootd_t)
++
+ kernel_read_kernel_sysctls(setroubleshootd_t)
+ kernel_read_system_state(setroubleshootd_t)
+ kernel_read_network_state(setroubleshootd_t)
+@@ -76,6 +77,9 @@
files_getattr_all_dirs(setroubleshootd_t)
files_getattr_all_files(setroubleshootd_t)
@@ -7146,6 +7277,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
selinux_get_enforce_mode(setroubleshootd_t)
selinux_validate_context(setroubleshootd_t)
+@@ -108,6 +112,3 @@
+ rpm_use_script_fds(setroubleshootd_t)
+ ')
+
+-optional_policy(`
+- nis_use_ypbind(setroubleshootd_t)
+-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.0.4/policy/modules/services/smartmon.te
--- nsaserefpolicy/policy/modules/services/smartmon.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/services/smartmon.te 2007-07-25 13:27:51.000000000 -0400
@@ -10115,7 +10253,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.0.4/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.4/policy/modules/system/sysnetwork.te 2007-07-25 13:27:51.000000000 -0400
++++ serefpolicy-3.0.4/policy/modules/system/sysnetwork.te 2007-07-31 16:04:09.000000000 -0400
+@@ -45,7 +45,7 @@
+ dontaudit dhcpc_t self:capability sys_tty_config;
+ # for access("/etc/bashrc", X_OK) on Red Hat
+ dontaudit dhcpc_t self:capability { dac_read_search sys_module };
+-allow dhcpc_t self:process signal_perms;
++allow dhcpc_t self:process { ptrace signal_perms };
+ allow dhcpc_t self:fifo_file rw_file_perms;
+ allow dhcpc_t self:tcp_socket create_stream_socket_perms;
+ allow dhcpc_t self:udp_socket create_socket_perms;
@@ -159,6 +159,10 @@
dbus_connect_system_bus(dhcpc_t)
dbus_send_system_bus(dhcpc_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 235858a..644c05f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -12,7 +12,7 @@
%endif
%define POLICYVER 21
%define libsepolver 2.0.3-2
-%define POLICYCOREUTILSVER 2.0.21-1
+%define POLICYCOREUTILSVER 2.0.22-11
%define CHECKPOLICYVER 2.0.3-1
Summary: SELinux policy configuration
Name: selinux-policy