diff --git a/.cvsignore b/.cvsignore
index 4c1f1a7..b668565 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -127,3 +127,4 @@ serefpolicy-3.0.6.tgz
 serefpolicy-3.0.7.tgz
 serefpolicy-3.0.8.tgz
 serefpolicy-3.1.0.tgz
+serefpolicy-3.1.1.tgz
diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index eb70247..d122def 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -1,6 +1,6 @@
 # Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
 # 
-allow_execmem = true
+allow_execmem = false
 
 # Allow making a modified private filemapping executable (text relocation).
 # 
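Review bot: Flipping `allow_execmem = false` changes the shipped default for every confined domain that previously relied on anonymous executable memory, yet the header comment still reads as a neutral description and gives no hint that the default moved. The companion change to `allow_execstack = false` a few lines below keeps the pair coherent, since the file itself states that execstack also requires execmem. A one-line note in the header would spare the next person a bisect, e.g. `# Default is now false; enable only on hosts running programs that need runtime-code generation.`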
@@ -8,7 +8,7 @@ allow_execmod = false
 
 # Allow making the stack executable via mprotect.Also requires allow_execmem.
 # 
-allow_execstack = true
+allow_execstack = false
 
 # Allow ftpd to read cifs directories.
 # 
@@ -148,7 +148,7 @@ stunnel_is_daemon = false
 
 # Support NFS home directories
 # 
-use_nfs_home_dirs = false
+use_nfs_home_dirs = true
 
 # Support SAMBA home directories
 # 
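Review bot: `use_nfs_home_dirs = true` widens the shipped default in the opposite direction from the execmem/execstack hardening above: every domain gated on this tunable gains access to NFS-labelled home content even on hosts that never mount NFS home directories. If the wider default is intentional for the targeted policy, the header comment should say so and tell administrators when to turn it back off, e.g. `# Enabled by default; set to false on hosts whose home directories are not NFS-mounted.`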
diff --git a/modules-targeted.conf b/modules-targeted.conf
index ad634d3..bec5ec0 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -887,6 +887,13 @@ portmap = base
 # 
 postfix = base
 
+o# Layer: services
+# Module: postgrey
+#
+# email scanner
+# 
+postgrey = base
+
 # Layer: services
 # Module: ppp
 #
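Review bot: The new entry's first line `o# Layer: services` carries a stray leading `o`, so it is no longer a comment; the refpolicy module-list parsers key on lines that start with a letter, and although `o# Layer: services` happens to yield no `base`/`module`/`off` match, a malformed line in a file that tooling reads should be fixed rather than relied upon. Drop the `o` so the line reads `# Layer: services`. The description `# email scanner` also misdescribes postgrey, which is a greylisting policy server that Postfix consults rather than a content scanner; `# Postfix greylisting policy daemon` would be accurate.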
@@ -1500,6 +1507,13 @@ vmware = module
 guest = module
 
 # Layer: users
+# Module: xguest
+#
+# Minimally privs guest account on X Windows logins
+# 
+xguest = module
+
+# Layer: users
 # Module: logadm
 #
 # Minimally prived root role for managing logging system
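Review bot: The description `# Minimally privs guest account on X Windows logins` is shorthand that reads awkwardly next to the neighbouring entries; `# Minimally privileged guest account for X Window System logins` says the same thing in full. The `xguest = module` choice is consistent with the `guest = module` entry just above it, so only the wording needs attention.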
diff --git a/policy-20071023.patch b/policy-20071023.patch
index 3cac7b8..0e8afd2 100644
--- a/policy-20071023.patch
+++ b/policy-20071023.patch
@@ -1,3 +1,14 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Changelog serefpolicy-3.1.0/Changelog
+--- nsaserefpolicy/Changelog	2007-11-08 09:29:27.000000000 -0500
++++ serefpolicy-3.1.0/Changelog	2007-11-06 09:28:26.000000000 -0500
+@@ -12,7 +12,6 @@
+   of confined and unconfined users.
+ - Added modules:
+ 	exim (Dan Walsh)
+-	postfixpolicyd (Jan-Frode Myklebust)
+ 
+ * Fri Sep 28 2007 Chris PeBenito <selinux@tresys.com> - 20070928
+ - Add support for setting the unknown permissions handling.
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.1.0/config/appconfig-mcs/default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/default_contexts	2007-10-12 08:56:09.000000000 -0400
 +++ serefpolicy-3.1.0/config/appconfig-mcs/default_contexts	2007-11-06 09:28:35.000000000 -0500
@@ -283,7 +294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors 
  class key
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.1.0/policy/global_tunables
 --- nsaserefpolicy/policy/global_tunables	2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.1.0/policy/global_tunables	2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/global_tunables	2007-11-07 15:32:58.000000000 -0500
 @@ -6,38 +6,35 @@
  
  ## <desc>
@@ -328,7 +339,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref
  ## </p>
  ## </desc>
  gen_tunable(allow_polyinstantiation,false)
-@@ -132,3 +129,12 @@
+@@ -64,23 +61,14 @@
+ 
+ ## <desc>
+ ## <p>
+-## Allow email client to various content.
+-## nfs, samba, removable devices, user temp
+-## and untrusted content files
+-## </p>
+-## </desc>
+-gen_tunable(mail_read_content,false)
+-
+-## <desc>
+-## <p>
+-## Allow nfs to be exported read/write.
++## Allow any files/directories to be exported read/write via NFS.
+ ## </p>
+ ## </desc>
+ gen_tunable(nfs_export_all_rw,false)
+ 
+ ## <desc>
+ ## <p>
+-## Allow nfs to be exported read only
++## Allow any files/directories to be exported read/only via NFS.
+ ## </p>
+ ## </desc>
+ gen_tunable(nfs_export_all_ro,false)
+@@ -132,3 +120,12 @@
  ## </p>
  ## </desc>
  gen_tunable(write_untrusted_content,false)
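Review bot: Deleting `gen_tunable(mail_read_content,false)` removes the declaration, but nothing in this hunk removes the tunable_policy consumers of `mail_read_content`; a tunable_policy block that names an undeclared boolean fails the policy build, so every remaining reference in the tree (or later in this patch, which is not visible here) has to go with it. Separately, the reworded description `## Allow any files/directories to be exported read/only via NFS.` should say `read-only`, matching the `read/write` wording of the sibling tunable.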
@@ -1462,7 +1499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.1.0/policy/modules/admin/su.if
 --- nsaserefpolicy/policy/modules/admin/su.if	2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/admin/su.if	2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/admin/su.if	2007-11-08 11:40:26.000000000 -0500
 @@ -41,12 +41,11 @@
  
  	allow $2 $1_su_t:process signal;
@@ -1580,7 +1617,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.1.0/policy/modules/admin/usermanage.te
 --- nsaserefpolicy/policy/modules/admin/usermanage.te	2007-10-23 07:37:52.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/admin/usermanage.te	2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/admin/usermanage.te	2007-11-08 13:57:59.000000000 -0500
 @@ -92,6 +92,7 @@
  dev_read_urand(chfn_t)
  
@@ -1589,7 +1626,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
  auth_dontaudit_read_shadow(chfn_t)
  
  # allow checking if a shell is executable
-@@ -297,9 +298,11 @@
+@@ -123,13 +124,7 @@
+ # on user home dir
+ userdom_dontaudit_search_all_users_home_content(chfn_t)
+ 
+-optional_policy(`
+-	nis_use_ypbind(chfn_t)
+-')
+-
+-optional_policy(`
+-	nscd_socket_use(chfn_t)
+-')
++auth_use_nsswitch(chfn_t)
+ 
+ ########################################
+ #
+@@ -297,9 +292,11 @@
  term_use_all_user_ttys(passwd_t)
  term_use_all_user_ptys(passwd_t)
  
@@ -1601,7 +1653,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
  
  # allow checking if a shell is executable
  corecmd_check_exec_shell(passwd_t)
-@@ -533,6 +536,12 @@
+@@ -334,12 +331,9 @@
+ # on user home dir
+ userdom_dontaudit_search_all_users_home_content(passwd_t)
+ 
+-optional_policy(`
+-	nis_use_ypbind(passwd_t)
+-')
++auth_use_nsswitch(passwd_t)
+ 
+ optional_policy(`
+-	nscd_socket_use(passwd_t)
+ 	nscd_domtrans(passwd_t)
+ ')
+ 
+@@ -425,12 +419,9 @@
+ # on user home dir
+ userdom_dontaudit_search_all_users_home_content(sysadm_passwd_t)
+ 
+-optional_policy(`
+-	nis_use_ypbind(sysadm_passwd_t)
+-')
++auth_use_nsswitch(sysadm_passwd_t)
+ 
+ optional_policy(`
+-	nscd_socket_use(sysadm_passwd_t)
+ 	nscd_domtrans(sysadm_passwd_t)
+ ')
+ 
+@@ -533,6 +524,12 @@
  ')
  
  optional_policy(`
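Review bot: Replacing the optional `nis_use_ypbind(passwd_t)` and `nscd_socket_use(passwd_t)` rules with an unconditional `auth_use_nsswitch(passwd_t)` (and the same for `sysadm_passwd_t`) is a tidy consolidation, but for setuid password programs it most likely grants more than the two rules it replaces: the interface body is not in this hunk, and interfaces of that name typically bundle name resolution together with the NIS, nscd and LDAP client paths. A sentence in the commit message confirming the widening is intended, plus a why-comment on the call such as `# nsswitch lookups (nis/nscd/ldap); replaces the per-backend optional blocks`, would make the change reviewable later. Note that `nscd_domtrans(passwd_t)` is kept inside its own optional block, which only makes sense if auth_use_nsswitch does not already provide it; worth confirming against the interface.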
@@ -2847,20 +2927,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 +/etc/apcupsd/offbattery  --    gen_context(system_u:object_r:bin_t,s0)
 +/etc/apcupsd/onbattery  --    gen_context(system_u:object_r:bin_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.1.0/policy/modules/kernel/corenetwork.te.in
---- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2007-10-29 18:02:31.000000000 -0400
+--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2007-11-08 09:29:27.000000000 -0500
 +++ serefpolicy-3.1.0/policy/modules/kernel/corenetwork.te.in	2007-11-07 08:31:44.000000000 -0500
-@@ -132,6 +132,7 @@
+@@ -132,7 +132,7 @@
  network_port(openvpn, tcp,1194,s0, udp,1194,s0)
  network_port(pegasus_http, tcp,5988,s0)
  network_port(pegasus_https, tcp,5989,s0)
+-network_port(postfix_policyd, tcp,10031,s0)
 +network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
  network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
  network_port(portmap, udp,111,s0, tcp,111,s0)
  network_port(postgresql, tcp,5432,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.1.0/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/kernel/devices.fc	2007-11-06 09:28:35.000000000 -0500
-@@ -20,6 +20,7 @@
++++ serefpolicy-3.1.0/policy/modules/kernel/devices.fc	2007-11-10 07:48:09.000000000 -0500
+@@ -13,6 +13,7 @@
+ /dev/audio.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/beep		-c	gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/dmfm		-c	gen_context(system_u:object_r:sound_device_t,s0)
++/dev/dmmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/dsp.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/efirtc		-c	gen_context(system_u:object_r:clock_device_t,s0)
+ /dev/em8300.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+@@ -20,6 +21,7 @@
  /dev/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
  /dev/fb[0-9]*		-c	gen_context(system_u:object_r:framebuf_device_t,s0)
  /dev/full		-c	gen_context(system_u:object_r:null_device_t,s0)
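Review bot: `network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)` declares a UDP port alongside TCP, but HKP keyserver traffic is HTTP carried over TCP; unless some daemon in this tree actually binds UDP 11371, the UDP half only widens what every `corenet_*_pgpkeyserver_port` caller receives, so `network_port(pgpkeyserver, tcp,11371,s0)` is the least-privilege form. Removing `network_port(postfix_policyd, tcp,10031,s0)` also means port 10031 falls back to the generic port type, so any remaining `corenet_*_postfix_policyd_port` caller must be removed in the same change or the build breaks; the Changelog hunk dropping the postfixpolicyd module suggests that is the intent, but the module's own files are not visible here.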
@@ -2868,7 +2957,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  /dev/fw.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
  /dev/hiddev.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
  /dev/hpet		-c	gen_context(system_u:object_r:clock_device_t,s0)
-@@ -30,6 +31,7 @@
+@@ -30,6 +32,7 @@
  /dev/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
  /dev/kmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
  /dev/kmsg		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
@@ -2878,7 +2967,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  /dev/mcelog		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.1.0/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/kernel/devices.if	2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/kernel/devices.if	2007-11-08 14:28:51.000000000 -0500
 @@ -65,7 +65,7 @@
  
  	relabelfrom_dirs_pattern($1,device_t,device_node)
@@ -2888,10 +2977,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  	relabelfrom_fifo_files_pattern($1,device_t,device_node)
  	relabelfrom_sock_files_pattern($1,device_t,device_node)
  	relabel_blk_files_pattern($1,device_t,{ device_t device_node })
-@@ -2787,6 +2787,78 @@
+@@ -2787,6 +2787,97 @@
  
  ########################################
  ## <summary>
++##	Read and write generic the USB fifo files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_rw_generic_usb_pipes',`
++	gen_require(`
++		type usb_device_t;
++	')
++
++	allow $1 device_t:dir search_dir_perms;
++	allow $1 usb_device_t:fifo_file rw_fifo_file_perms;
++')
++
++########################################
++## <summary>
 +##	Get the attributes of the kvm devices.
 +## </summary>
 +## <param name="domain">
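Review bot: The new `dev_rw_generic_usb_pipes` interface emits `allow $1 device_t:dir search_dir_perms;` but its gen_require block lists only `type usb_device_t;`, so `device_t` is an unrequired type; when the interface is expanded in a non-base module that reference is out of scope and the module fails to build. The require should read `type device_t, usb_device_t;`. The summary `Read and write generic the USB fifo files.` also has its words out of order; `Read and write the generic USB fifo files.`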
@@ -2967,7 +3075,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  ##	Mount a usbfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -3322,3 +3394,4 @@
+@@ -3322,3 +3413,4 @@
  
  	typeattribute $1 devices_unconfined_type;
  ')
@@ -3008,7 +3116,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
  		selinux_dontaudit_read_fs($1)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.1.0/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/kernel/domain.te	2007-11-06 10:15:22.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/kernel/domain.te	2007-11-08 13:58:30.000000000 -0500
 @@ -145,3 +145,9 @@
  
  # act on all domains keys
@@ -3017,12 +3125,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
 +# Allow all domains to use fds past to them
 +allow domain domain:fd use;
 +optional_policy(`
-+	rpm_dontaudit_rw_pipes(domain)
++	rpm_rw_pipes(domain)
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.1.0/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/kernel/files.if	2007-11-06 09:28:35.000000000 -0500
-@@ -4756,3 +4756,54 @@
++++ serefpolicy-3.1.0/policy/modules/kernel/files.if	2007-11-09 14:39:44.000000000 -0500
+@@ -3054,6 +3054,24 @@
+ 
+ ########################################
+ ## <summary>
++##	Remove entries from the tmp directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_delete_tmp_dir_entry',`
++	gen_require(`
++		type root_t;
++	')
++
++	allow $1 tmp_t:dir del_entry_dir_perms;
++')
++
++########################################
++## <summary>
+ ##	Search the tmp directory (/tmp).
+ ## </summary>
+ ## <param name="domain">
+@@ -4756,3 +4774,54 @@
  
  	allow $1 { file_type -security_file_type }:dir manage_dir_perms;
  ')
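Review bot: `files_delete_tmp_dir_entry` requires `type root_t;` but the rule it emits is `allow $1 tmp_t:dir del_entry_dir_perms;`, so the gen_require names the wrong type: it must declare `type tmp_t;` (and `root_t`, which nothing in the body uses, can go), otherwise callers outside the base module trip over an out-of-scope type. In the same hunk, `rpm_rw_pipes(domain)` replaces `rpm_dontaudit_rw_pipes(domain)`, turning a suppressed denial into a grant that, by its name, lets every domain in the system read and write rpm's pipes; that is a real widening of the base policy and deserves either a narrower target than `domain` or a why-comment naming the scriptlet case it serves, e.g. `# rpm scriptlets hand their stdio pipes to arbitrary helper domains`.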
@@ -3090,6 +3223,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  
  #
  # etc_runtime_t is the type of various
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.1.0/policy/modules/kernel/filesystem.te
+--- nsaserefpolicy/policy/modules/kernel/filesystem.te	2007-10-29 18:02:31.000000000 -0400
++++ serefpolicy-3.1.0/policy/modules/kernel/filesystem.te	2007-11-10 07:39:37.000000000 -0500
+@@ -25,6 +25,8 @@
+ fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
++fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
++fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.1.0/policy/modules/kernel/selinux.if
 --- nsaserefpolicy/policy/modules/kernel/selinux.if	2007-06-21 09:32:03.000000000 -0400
 +++ serefpolicy-3.1.0/policy/modules/kernel/selinux.if	2007-11-06 09:28:35.000000000 -0500
@@ -3255,7 +3400,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +/etc/rc\.d/init\.d/httpd	--	gen_context(system_u:object_r:httpd_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.1.0/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2007-10-23 17:17:42.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/apache.if	2007-11-07 12:47:31.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/apache.if	2007-11-08 09:03:24.000000000 -0500
 @@ -18,10 +18,6 @@
  		attribute httpd_script_exec_type;
  		type httpd_t, httpd_suexec_t, httpd_log_t;
@@ -3547,8 +3692,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.1.0/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2007-10-23 07:37:52.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/apache.te	2007-11-06 09:28:35.000000000 -0500
-@@ -20,16 +20,25 @@
++++ serefpolicy-3.1.0/policy/modules/services/apache.te	2007-11-07 15:26:15.000000000 -0500
+@@ -20,20 +20,22 @@
  # Declarations
  #
  
@@ -3565,20 +3710,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  ## <desc>
  ## <p>
+-## Allow Apache to use mod_auth_pam
 +## Allow Apache to communicate with avahi service via dbus
-+## </p>
-+## </desc>
-+gen_tunable(allow_httpd_dbus_avahi,false)
-+
-+## <desc>
-+## <p>
- ## Allow Apache to use mod_auth_pam
  ## </p>
  ## </desc>
-@@ -44,6 +53,13 @@
+-gen_tunable(allow_httpd_mod_auth_pam,false)
++gen_tunable(allow_httpd_dbus_avahi,false)
+ 
+ ## <desc>
+ ## <p>
+@@ -44,14 +46,21 @@
  
  ## <desc>
  ## <p>
+-## Allow http daemon to tcp connect
 +## Allow http daemon to send mail
 +## </p>
 +## </desc>
@@ -3586,23 +3731,54 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +
 +## <desc>
 +## <p>
- ## Allow http daemon to tcp connect
++## Allow HTTPD scripts and modules to connect to the network
+ ## </p>
+ ## </desc>
+ gen_tunable(httpd_can_network_connect,false)
+ 
+ ## <desc>
+ ## <p>
+-## Allow httpd to connect to mysql/posgresql
++## Allow HTTPD scripts and modules to network connect to databases, mysql/posgresql
+ ## </p>
+ ## </desc>
+ gen_tunable(httpd_can_network_connect_db, false)
+@@ -87,25 +96,46 @@
+ 
+ ## <desc>
+ ## <p>
+-## Run SSI execs in system CGI script domain.
++## Allow HTTPD to run SSI executables in the same domain as system CGI scripts
+ ## </p>
+ ## </desc>
+ gen_tunable(httpd_ssi_exec,false)
+ 
+ ## <desc>
+ ## <p>
+-## Allow http daemon to communicate with the TTY
++## Unify HTTPD to communicate with the terminal.  Needed for handling certificates
  ## </p>
  ## </desc>
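Review bot: The reworded description `## Unify HTTPD to communicate with the terminal.  Needed for handling certificates` uses `Unify` where `Allow` is meant, so the tunable text that booleans tooling displays to administrators will read as nonsense; `## Allow HTTPD to communicate with the terminal. Needed for handling certificates` keeps the intent. In the same hunk `## Allow HTTPD scripts and modules to network connect to databases, mysql/posgresql` carries the `posgresql` typo forward from the old text; `postgresql`.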
-@@ -106,6 +122,27 @@
+ gen_tunable(httpd_tty_comm,false)
+ 
+ ## <desc>
+ ## <p>
+-## Run CGI in the main httpd domain
++## Unify HTTPD handling of all content files
+ ## </p>
  ## </desc>
  gen_tunable(httpd_unified,false)
  
 +## <desc>
 +## <p>
-+## Allow httpd to read nfs files
++## Allow httpd to access nfs file systems
 +## </p>
 +## </desc>
 +gen_tunable(httpd_use_nfs,false)
 +
 +## <desc>
 +## <p>
-+## Allow httpd to read cifs files
++## Allow httpd to access cifs file systems
 +## </p>
 +## </desc>
 +gen_tunable(httpd_use_cifs,false)
@@ -3617,7 +3793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  attribute httpdcontent;
  attribute httpd_user_content_type;
  
-@@ -144,6 +181,9 @@
+@@ -144,6 +174,9 @@
  type httpd_log_t;
  logging_log_file(httpd_log_t)
  
@@ -3627,7 +3803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  # httpd_modules_t is the type given to module files (libraries) 
  # that come with Apache /etc/httpd/modules and /usr/lib/apache
  type httpd_modules_t;
-@@ -204,7 +244,7 @@
+@@ -204,7 +237,7 @@
  # Apache server local policy
  #
  
@@ -3636,7 +3812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  dontaudit httpd_t self:capability { net_admin sys_tty_config };
  allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow httpd_t self:fd use;
-@@ -246,6 +286,7 @@
+@@ -246,6 +279,7 @@
  allow httpd_t httpd_modules_t:dir list_dir_perms;
  mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
  read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
@@ -3644,7 +3820,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  apache_domtrans_rotatelogs(httpd_t)
  # Apache-httpd needs to be able to send signals to the log rotate procs.
-@@ -286,6 +327,7 @@
+@@ -286,6 +320,7 @@
  kernel_read_kernel_sysctls(httpd_t)
  # for modules that want to access /proc/meminfo
  kernel_read_system_state(httpd_t)
@@ -3652,7 +3828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  corenet_all_recvfrom_unlabeled(httpd_t)
  corenet_all_recvfrom_netlabel(httpd_t)
-@@ -332,6 +374,10 @@
+@@ -332,6 +367,10 @@
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -3663,7 +3839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  libs_use_ld_so(httpd_t)
  libs_use_shared_libs(httpd_t)
-@@ -346,12 +392,8 @@
+@@ -346,12 +385,8 @@
  
  seutil_dontaudit_search_config(httpd_t)
  
@@ -3676,8 +3852,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  tunable_policy(`allow_httpd_anon_write',`
  	miscfiles_manage_public_files(httpd_t)
  ') 
-@@ -362,6 +404,7 @@
+@@ -360,8 +395,16 @@
+ #
+ # We need optionals to be able to be within booleans to make this work
  #
++## <desc>
++## <p>
++## Allow Apache to use mod_auth_pam
++## </p>
++## </desc>
++gen_tunable(allow_httpd_mod_auth_pam,false)
++
  tunable_policy(`allow_httpd_mod_auth_pam',`
  	auth_domtrans_chk_passwd(httpd_t)
 +	auth_domtrans_upd_passwd(httpd_t)
@@ -4111,7 +4296,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.1.0/policy/modules/services/bind.te
 --- nsaserefpolicy/policy/modules/services/bind.te	2007-10-29 07:52:49.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/bind.te	2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/bind.te	2007-11-07 15:41:34.000000000 -0500
+@@ -9,7 +9,7 @@
+ ## <desc>
+ ## <p>
+ ## Allow BIND to write the master zone files.
+-## Generally this is used for dynamic DNS.
++## Generally this is used for dynamic DNS, or zone transfers
+ ## </p>
+ ## </desc>
+ gen_tunable(named_write_master_zones,false)
 @@ -156,6 +156,12 @@
  ')
  
@@ -4186,6 +4380,38 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
 +optional_policy(`
 +	mailscanner_manage_spool(clamscan_t)
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/comsat.te serefpolicy-3.1.0/policy/modules/services/comsat.te
+--- nsaserefpolicy/policy/modules/services/comsat.te	2007-07-16 14:09:46.000000000 -0400
++++ serefpolicy-3.1.0/policy/modules/services/comsat.te	2007-11-08 13:31:46.000000000 -0500
+@@ -57,6 +57,8 @@
+ files_search_spool(comsat_t)
+ files_search_home(comsat_t)
+ 
++auth_use_nsswitch(comsat_t)
++
+ init_read_utmp(comsat_t)
+ init_dontaudit_write_utmp(comsat_t)
+ 
+@@ -67,8 +69,6 @@
+ 
+ miscfiles_read_localization(comsat_t)
+ 
+-sysnet_read_config(comsat_t)
+-
+ userdom_dontaudit_getattr_sysadm_ttys(comsat_t)
+ 
+ mta_getattr_spool(comsat_t)
+@@ -77,10 +77,3 @@
+ 	kerberos_use(comsat_t)
+ ')
+ 
+-optional_policy(`
+-	nis_use_ypbind(comsat_t)
+-')
+-
+-optional_policy(`
+-	nscd_socket_use(comsat_t)
+-')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.1.0/policy/modules/services/consolekit.if
 --- nsaserefpolicy/policy/modules/services/consolekit.if	2007-03-20 09:23:13.000000000 -0400
 +++ serefpolicy-3.1.0/policy/modules/services/consolekit.if	2007-11-06 09:28:35.000000000 -0500
@@ -4738,7 +4964,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 +/usr/local/Brother/inf(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.1.0/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2007-10-29 07:52:49.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/cups.te	2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/cups.te	2007-11-08 13:32:52.000000000 -0500
 @@ -48,9 +48,7 @@
  type hplip_t;
  type hplip_exec_t;
@@ -4817,7 +5043,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  mls_file_downgrade(cupsd_t)
  mls_file_write_all_levels(cupsd_t)
  mls_file_read_all_levels(cupsd_t)
-@@ -187,7 +189,7 @@
+@@ -173,6 +175,8 @@
+ term_use_unallocated_ttys(cupsd_t)
+ term_search_ptys(cupsd_t)
+ 
++auth_use_nsswitch(cupsd_t)
++
+ auth_domtrans_chk_passwd(cupsd_t)
+ auth_dontaudit_read_pam_pid(cupsd_t)
+ 
+@@ -187,7 +191,7 @@
  # read python modules
  files_read_usr_files(cupsd_t)
  # for /var/lib/defoma
@@ -4826,7 +5061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  files_list_world_readable(cupsd_t)
  files_read_world_readable_files(cupsd_t)
  files_read_world_readable_symlinks(cupsd_t)
-@@ -196,12 +198,9 @@
+@@ -196,12 +200,9 @@
  files_read_var_symlinks(cupsd_t)
  # for /etc/printcap
  files_dontaudit_write_etc_files(cupsd_t)
@@ -4840,7 +5075,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  
  init_exec_script_files(cupsd_t)
  
-@@ -221,17 +220,37 @@
+@@ -221,17 +222,37 @@
  
  sysnet_read_config(cupsd_t)
  
@@ -4878,7 +5113,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  	apm_domtrans_client(cupsd_t)
  ')
  
-@@ -262,16 +281,16 @@
+@@ -262,16 +283,16 @@
  ')
  
  optional_policy(`
@@ -4899,7 +5134,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  	seutil_sigchld_newrole(cupsd_t)
  ')
  
-@@ -291,7 +310,9 @@
+@@ -291,7 +312,9 @@
  allow cupsd_config_t self:unix_stream_socket create_socket_perms;
  allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
  allow cupsd_config_t self:tcp_socket create_stream_socket_perms;
@@ -4910,7 +5145,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  
  allow cupsd_config_t cupsd_t:process signal;
  ps_process_pattern(cupsd_config_t,cupsd_t)
-@@ -330,6 +351,7 @@
+@@ -330,6 +353,7 @@
  dev_read_sysfs(cupsd_config_t)
  dev_read_urand(cupsd_config_t)
  dev_read_rand(cupsd_config_t)
@@ -4918,7 +5153,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  
  fs_getattr_all_fs(cupsd_config_t)
  fs_search_auto_mountpoints(cupsd_config_t)
-@@ -354,6 +376,8 @@
+@@ -354,6 +378,8 @@
  
  logging_send_syslog_msg(cupsd_config_t)
  
@@ -4927,7 +5162,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  miscfiles_read_localization(cupsd_config_t)
  
  seutil_dontaudit_search_config(cupsd_config_t)
-@@ -376,6 +400,14 @@
+@@ -376,6 +402,14 @@
  ')
  
  optional_policy(`
@@ -4942,7 +5177,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  	cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
  ')
  
-@@ -391,6 +423,7 @@
+@@ -391,6 +425,7 @@
  optional_policy(`
  	hal_domtrans(cupsd_config_t)
  	hal_read_tmp_files(cupsd_config_t)
@@ -4950,7 +5185,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  ')
  
  optional_policy(`
-@@ -402,14 +435,6 @@
+@@ -402,14 +437,6 @@
  ')
  
  optional_policy(`
@@ -4965,7 +5200,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  	rpm_read_db(cupsd_config_t)
  ')
  
-@@ -430,7 +455,6 @@
+@@ -430,7 +457,6 @@
  allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms;
  allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms;
  allow cupsd_lpd_t self:udp_socket create_socket_perms;
@@ -4973,7 +5208,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  
  # for identd
  # cjp: this should probably only be inetd_child rules?
-@@ -480,6 +504,8 @@
+@@ -480,6 +506,8 @@
  
  files_read_etc_files(cupsd_lpd_t)
  
@@ -4982,7 +5217,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  libs_use_ld_so(cupsd_lpd_t)
  libs_use_shared_libs(cupsd_lpd_t)
  
-@@ -495,14 +521,6 @@
+@@ -495,14 +523,6 @@
  	inetd_service_domain(cupsd_lpd_t,cupsd_lpd_exec_t)
  ')
  
@@ -4997,7 +5232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  ########################################
  #
  # HPLIP local policy
-@@ -523,11 +541,9 @@
+@@ -523,11 +543,9 @@
  allow hplip_t cupsd_etc_t:dir search;
  
  cups_stream_connect(hplip_t)
@@ -5012,7 +5247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  
  manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t)
  files_pid_filetrans(hplip_t,hplip_var_run_t,file)
-@@ -558,7 +574,9 @@
+@@ -558,7 +576,9 @@
  dev_read_urand(hplip_t)
  dev_read_rand(hplip_t)
  dev_rw_generic_usb_dev(hplip_t)
@@ -5023,7 +5258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  
  fs_getattr_all_fs(hplip_t)
  fs_search_auto_mountpoints(hplip_t)
-@@ -585,8 +603,6 @@
+@@ -585,8 +605,6 @@
  userdom_dontaudit_search_sysadm_home_dirs(hplip_t)
  userdom_dontaudit_search_all_users_home_content(hplip_t)
  
@@ -5032,7 +5267,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  optional_policy(`
  	seutil_sigchld_newrole(hplip_t)
  ')
-@@ -666,3 +682,15 @@
+@@ -666,3 +684,15 @@
  optional_policy(`
  	udev_read_db(ptal_t)
  ')
@@ -5050,7 +5285,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.1.0/policy/modules/services/cvs.te
 --- nsaserefpolicy/policy/modules/services/cvs.te	2007-07-10 13:21:26.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/cvs.te	2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/cvs.te	2007-11-08 11:58:06.000000000 -0500
 @@ -16,6 +16,7 @@
  type cvs_t;
  type cvs_exec_t;
@@ -5059,15 +5294,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.
  role system_r types cvs_t;
  
  type cvs_data_t; # customizable
-@@ -68,6 +69,7 @@
+@@ -67,7 +68,9 @@
+ 
  fs_getattr_xattr_fs(cvs_t)
  
++sysnet_dns_name_resolve(cvs_t)
  auth_domtrans_chk_passwd(cvs_t)
 +auth_domtrans_upd_passwd_chk(cvs_t)
  
  corecmd_exec_bin(cvs_t)
  corecmd_exec_shell(cvs_t)
-@@ -81,6 +83,7 @@
+@@ -81,6 +84,7 @@
  libs_use_shared_libs(cvs_t)
  
  logging_send_syslog_msg(cvs_t)
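Review bot: `sysnet_dns_name_resolve(cvs_t)` is dropped between `fs_getattr_xattr_fs(cvs_t)` and `auth_domtrans_chk_passwd(cvs_t)`, which breaks the ordering the rest of the block follows (kernel-layer calls first, then system-layer interfaces grouped by module); it belongs after `miscfiles_read_localization(cvs_t)`. Several other domains in this same patch are switched to `auth_use_nsswitch`, which, judging by the `sysnet_read_config` and nis/nscd rules it replaces elsewhere, appears to cover name resolution; consider whether cvs_t should take that route instead of a one-off DNS grant.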
@@ -5075,6 +5312,66 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.
  
  miscfiles_read_localization(cvs_t)
  
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.1.0/policy/modules/services/cyrus.te
+--- nsaserefpolicy/policy/modules/services/cyrus.te	2007-10-12 08:56:07.000000000 -0400
++++ serefpolicy-3.1.0/policy/modules/services/cyrus.te	2007-11-08 13:33:43.000000000 -0500
+@@ -41,7 +41,6 @@
+ allow cyrus_t self:unix_stream_socket connectto;
+ allow cyrus_t self:tcp_socket create_stream_socket_perms;
+ allow cyrus_t self:udp_socket create_socket_perms;
+-allow cyrus_t self:netlink_route_socket r_netlink_socket_perms;
+ 
+ manage_dirs_pattern(cyrus_t,cyrus_tmp_t,cyrus_tmp_t)
+ manage_files_pattern(cyrus_t,cyrus_tmp_t,cyrus_tmp_t)
+@@ -95,6 +94,8 @@
+ files_read_etc_runtime_files(cyrus_t)
+ files_read_usr_files(cyrus_t)
+ 
++auth_use_nsswitch(cyrus_t)
++
+ libs_use_ld_so(cyrus_t)
+ libs_use_shared_libs(cyrus_t)
+ libs_exec_lib_files(cyrus_t)
+@@ -122,14 +123,6 @@
+ ')
+ 
+ optional_policy(`
+-	ldap_stream_connect(cyrus_t)
+-')
+-
+-optional_policy(`
+-	nis_use_ypbind(cyrus_t)
+-')
+-
+-optional_policy(`
+ 	sasl_connect(cyrus_t)
+ ')
+ 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbskk.te serefpolicy-3.1.0/policy/modules/services/dbskk.te
+--- nsaserefpolicy/policy/modules/services/dbskk.te	2007-07-16 14:09:46.000000000 -0400
++++ serefpolicy-3.1.0/policy/modules/services/dbskk.te	2007-11-08 12:00:39.000000000 -0500
+@@ -63,6 +63,8 @@
+ 
+ files_read_etc_files(dbskkd_t)
+ 
++auth_use_nsswitch(dbskkd_t)
++
+ libs_use_ld_so(dbskkd_t)
+ libs_use_shared_libs(dbskkd_t)
+ 
+@@ -70,12 +72,3 @@
+ 
+ miscfiles_read_localization(dbskkd_t)
+ 
+-sysnet_read_config(dbskkd_t)
+-
+-optional_policy(`
+-	nis_use_ypbind(dbskkd_t)
+-')
+-
+-optional_policy(`
+-	nscd_socket_use(dbskkd_t)
+-')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.1.0/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2007-10-29 07:52:49.000000000 -0400
 +++ serefpolicy-3.1.0/policy/modules/services/dbus.if	2007-11-06 09:28:35.000000000 -0500
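Review bot: The cyrus hunk deletes `allow cyrus_t self:netlink_route_socket r_netlink_socket_perms;` and the optional `ldap_stream_connect(cyrus_t)` on the strength of the new `auth_use_nsswitch(cyrus_t)`, but that interface's body is not part of this patch; if it does not grant the route socket and the LDAP stream connect, cyrus loses name resolution and LDAP authentication in enforcing mode. Confirm both are provided by `auth_use_nsswitch` before landing, or keep the route-socket rule in place. The dbskkd_t change below it rests on the same assumption about `sysnet_read_config` being covered.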
@@ -5683,12 +5980,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.1.0/policy/modules/services/ftp.te
 --- nsaserefpolicy/policy/modules/services/ftp.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/ftp.te	2007-11-06 09:28:35.000000000 -0500
-@@ -9,7 +9,7 @@
++++ serefpolicy-3.1.0/policy/modules/services/ftp.te	2007-11-07 15:45:09.000000000 -0500
+@@ -8,8 +8,8 @@
+ 
  ## <desc>
  ## <p>
- ## Allow ftp servers to modify public files
+-## Allow ftp servers to modify public files
 -## used for public file transfer services.
++## Allow ftp servers to upload files, 
 +## used for public file transfer services. Directories must be labeled public_content_rw_t
  ## </p>
  ## </desc>
@@ -5764,7 +6063,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.1.0/policy/modules/services/hal.fc
 --- nsaserefpolicy/policy/modules/services/hal.fc	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/hal.fc	2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/hal.fc	2007-11-10 08:16:03.000000000 -0500
 @@ -8,14 +8,18 @@
  /usr/libexec/hal-hotplug-map 		--	gen_context(system_u:object_r:hald_exec_t,s0)
  /usr/libexec/hal-system-sonypic	 	--	gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
@@ -5857,7 +6156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.1.0/policy/modules/services/inetd.te
 --- nsaserefpolicy/policy/modules/services/inetd.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/inetd.te	2007-11-07 10:34:39.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/inetd.te	2007-11-08 13:24:56.000000000 -0500
 @@ -84,6 +84,7 @@
  corenet_udp_bind_ftp_port(inetd_t)
  corenet_tcp_bind_inetd_child_port(inetd_t)
@@ -6074,6 +6373,46 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
  ')
  
  optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.1.0/policy/modules/services/ldap.te
+--- nsaserefpolicy/policy/modules/services/ldap.te	2007-10-12 08:56:07.000000000 -0400
++++ serefpolicy-3.1.0/policy/modules/services/ldap.te	2007-11-08 13:18:08.000000000 -0500
+@@ -42,7 +42,6 @@
+ dontaudit slapd_t self:capability sys_tty_config;
+ allow slapd_t self:process setsched;
+ allow slapd_t self:fifo_file { read write };
+-allow slapd_t self:netlink_route_socket r_netlink_socket_perms;
+ allow slapd_t self:udp_socket create_socket_perms;
+ #slapd needs to listen and accept needed by ldapsearch (slapd needs to accept from ldapseach)
+ allow slapd_t self:tcp_socket create_stream_socket_perms;
+@@ -104,6 +103,8 @@
+ files_read_usr_files(slapd_t)
+ files_list_var_lib(slapd_t)
+ 
++auth_use_nsswitch(slapd_t)
++
+ libs_use_ld_so(slapd_t)
+ libs_use_shared_libs(slapd_t)
+ 
+@@ -112,8 +113,6 @@
+ miscfiles_read_certs(slapd_t)
+ miscfiles_read_localization(slapd_t)
+ 
+-sysnet_read_config(slapd_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(slapd_t)
+ userdom_dontaudit_search_sysadm_home_dirs(slapd_t)
+ 
+@@ -122,10 +121,6 @@
+ ')
+ 
+ optional_policy(`
+-	nis_use_ypbind(slapd_t)
+-')
+-
+-optional_policy(`
+ 	seutil_sigchld_newrole(slapd_t)
+ ')
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.fc serefpolicy-3.1.0/policy/modules/services/lpd.fc
 --- nsaserefpolicy/policy/modules/services/lpd.fc	2006-11-16 17:15:21.000000000 -0500
 +++ serefpolicy-3.1.0/policy/modules/services/lpd.fc	2007-11-06 09:28:35.000000000 -0500
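Review bot: Dropping `allow slapd_t self:netlink_route_socket r_netlink_socket_perms;` in the `@@ -42,7 +42,6 @@` hunk is only safe if the `auth_use_nsswitch(slapd_t)` added a few lines later re-grants that socket through its name-resolution interfaces; the body of auth_use_nsswitch is not in this chunk, so the hunk alone does not show it. The same pairing (direct netlink rule removed, auth_use_nsswitch added) is made for postgresql_t and initrc_t further down, and the sysnet_read_config / nis_use_ypbind calls removed here are presumably covered the same way. A one-line comment next to the interface call, `# resolver access (incl. netlink_route_socket) now comes via auth_use_nsswitch`, would make that dependency explicit so a later change to the interface does not silently break slapd's lookups.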
@@ -6387,7 +6726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  ## <summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.1.0/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/mta.te	2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/mta.te	2007-11-08 08:57:27.000000000 -0500
 @@ -6,6 +6,8 @@
  # Declarations
  #
@@ -7151,7 +7490,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.1.0/policy/modules/services/openvpn.te
 --- nsaserefpolicy/policy/modules/services/openvpn.te	2007-10-29 07:52:49.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/openvpn.te	2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/openvpn.te	2007-11-07 15:47:03.000000000 -0500
+@@ -8,7 +8,7 @@
+ 
+ ## <desc>
+ ## <p>
+-## Allow openvpn to read home directories
++## Allow openvpn service access to users home directories
+ ## </p>
+ ## </desc>
+ gen_tunable(openvpn_enable_homedirs,false)
 @@ -110,3 +110,12 @@
  
  	networkmanager_dbus_chat(openvpn_t)
@@ -7275,8 +7623,80 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  ')
  
  ########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.fc serefpolicy-3.1.0/policy/modules/services/postfixpolicyd.fc
+--- nsaserefpolicy/policy/modules/services/postfixpolicyd.fc	2007-11-08 09:29:27.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/postfixpolicyd.fc	1969-12-31 19:00:00.000000000 -0500
+@@ -1,5 +0,0 @@
+-/etc/policyd.conf		--	gen_context(system_u:object_r:postfix_policyd_conf_t, s0)
+-
+-/usr/sbin/policyd		--	gen_context(system_u:object_r:postfix_policyd_exec_t, s0)
+-
+-/var/run/policyd\.pid		--	gen_context(system_u:object_r:postfix_policyd_var_run_t, s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.if serefpolicy-3.1.0/policy/modules/services/postfixpolicyd.if
+--- nsaserefpolicy/policy/modules/services/postfixpolicyd.if	2007-11-08 09:29:27.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/postfixpolicyd.if	1969-12-31 19:00:00.000000000 -0500
+@@ -1 +0,0 @@
+-## <summary>Postfix policy server</summary>
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.te serefpolicy-3.1.0/policy/modules/services/postfixpolicyd.te
+--- nsaserefpolicy/policy/modules/services/postfixpolicyd.te	2007-11-08 09:29:27.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/postfixpolicyd.te	1969-12-31 19:00:00.000000000 -0500
+@@ -1,54 +0,0 @@
+-
+-policy_module(postfixpolicyd, 1.0.0)
+-
+-########################################
+-#
+-# Declarations
+-#
+-
+-type postfix_policyd_t;
+-type postfix_policyd_exec_t;
+-init_daemon_domain(postfix_policyd_t, postfix_policyd_exec_t)
+-
+-type postfix_policyd_conf_t;
+-files_config_file(postfix_policyd_conf_t)
+-
+-type postfix_policyd_var_run_t;
+-files_pid_file(postfix_policyd_var_run_t)
+-
+-########################################
+-#
+-# Local Policy
+-#
+-
+-allow postfix_policyd_t self:tcp_socket create_stream_socket_perms;
+-allow postfix_policyd_t self:capability { sys_resource sys_chroot setgid setuid };
+-allow postfix_policyd_t self:process setrlimit;
+-allow postfix_policyd_t self:unix_dgram_socket { connect create write};
+-
+-allow postfix_policyd_t postfix_policyd_conf_t:dir list_dir_perms;
+-allow postfix_policyd_t postfix_policyd_conf_t:file read_file_perms;
+-allow postfix_policyd_t postfix_policyd_conf_t:lnk_file { getattr read };
+-
+-manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
+-files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
+-
+-corenet_all_recvfrom_unlabeled(postfix_policyd_t)
+-corenet_tcp_sendrecv_generic_if(postfix_policyd_t)
+-corenet_tcp_sendrecv_all_nodes(postfix_policyd_t)
+-corenet_tcp_sendrecv_all_ports(postfix_policyd_t)
+-corenet_tcp_bind_all_nodes(postfix_policyd_t)
+-corenet_tcp_bind_postfix_policyd_port(postfix_policyd_t)
+-corenet_tcp_bind_mysqld_port(postfix_policyd_t)
+-
+-files_read_etc_files(postfix_policyd_t)
+-files_read_usr_files(postfix_policyd_t)
+-
+-libs_use_ld_so(postfix_policyd_t)
+-libs_use_shared_libs(postfix_policyd_t)
+-
+-logging_send_syslog_msg(postfix_policyd_t)
+-
+-miscfiles_read_localization(postfix_policyd_t)
+-
+-sysnet_dns_name_resolve(postfix_policyd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.1.0/policy/modules/services/postfix.te
---- nsaserefpolicy/policy/modules/services/postfix.te	2007-10-12 08:56:07.000000000 -0400
+--- nsaserefpolicy/policy/modules/services/postfix.te	2007-11-08 09:29:27.000000000 -0500
 +++ serefpolicy-3.1.0/policy/modules/services/postfix.te	2007-11-06 09:28:35.000000000 -0500
 @@ -6,6 +6,14 @@
  # Declarations
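Review bot: Deleting the postfixpolicyd module outright removes the confined domain for a daemon that may still be installed on existing systems; files keep their postfix_policyd_* labels until a relabel, and a running policyd would end up in whatever domain its init script leaves it in rather than in postfix_policyd_t. The matching removal of `corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)` in the postfix.te hunk below also cuts smtpd off from any policy server listening on that port unless the port declaration itself is retired, which is not visible here. If removal is intended, the Changelog entry at the top of this patch should say so and name the replacement, so administrators know why the module and the port access disappeared.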
@@ -7404,7 +7824,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  ########################################
  #
  # Postfix smtp delivery local policy
-@@ -569,6 +581,10 @@
+@@ -547,9 +559,6 @@
+ # connect to master process
+ stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
+ 
+-# Connect to policy server
+-corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
+-
+ # for prng_exch
+ allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
+ allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
+@@ -572,6 +581,10 @@
  	sasl_connect(postfix_smtpd_t)
  ')
  
@@ -7507,7 +7937,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.1.0/policy/modules/services/postgresql.te
 --- nsaserefpolicy/policy/modules/services/postgresql.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/postgresql.te	2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/postgresql.te	2007-11-08 13:36:00.000000000 -0500
 @@ -27,6 +27,9 @@
  type postgresql_var_run_t;
  files_pid_file(postgresql_var_run_t)
@@ -7518,6 +7948,44 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  ########################################
  #
  # postgresql Local policy
+@@ -42,7 +45,6 @@
+ allow postgresql_t self:udp_socket create_stream_socket_perms;
+ allow postgresql_t self:unix_dgram_socket create_socket_perms;
+ allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
+-allow postgresql_t self:netlink_route_socket r_netlink_socket_perms;
+ 
+ manage_dirs_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
+ manage_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
+@@ -118,6 +120,8 @@
+ 
+ init_read_utmp(postgresql_t)
+ 
++auth_use_nsswitch(postgresql_t)
++
+ libs_use_ld_so(postgresql_t)
+ libs_use_shared_libs(postgresql_t)
+ 
+@@ -127,9 +131,6 @@
+ 
+ seutil_dontaudit_search_config(postgresql_t)
+ 
+-sysnet_read_config(postgresql_t)
+-sysnet_use_ldap(postgresql_t)
+-
+ userdom_dontaudit_search_sysadm_home_dirs(postgresql_t)
+ userdom_dontaudit_use_sysadm_ttys(postgresql_t)
+ userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
+@@ -158,10 +159,6 @@
+ ')
+ 
+ optional_policy(`
+-	nis_use_ypbind(postgresql_t)
+-')
+-
+-optional_policy(`
+ 	seutil_sigchld_newrole(postgresql_t)
+ ')
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.1.0/policy/modules/services/ppp.fc
 --- nsaserefpolicy/policy/modules/services/ppp.fc	2006-11-16 17:15:20.000000000 -0500
 +++ serefpolicy-3.1.0/policy/modules/services/ppp.fc	2007-11-06 09:28:35.000000000 -0500
@@ -7914,7 +8382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.1.0/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/rpc.te	2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/rpc.te	2007-11-08 12:02:07.000000000 -0500
 @@ -8,7 +8,7 @@
  
  ## <desc>
@@ -7987,18 +8455,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
  ')
  
  tunable_policy(`nfs_export_all_ro',`
-@@ -143,6 +159,9 @@
+@@ -143,6 +159,7 @@
  manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t)
  files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
  
-+auth_use_nsswitch(gssd_t)
-+
 +kernel_read_system_state(gssd_t)
  kernel_read_network_state(gssd_t)
  kernel_read_network_state_symlinks(gssd_t)	
  kernel_search_network_sysctl(gssd_t)	
-@@ -158,6 +177,9 @@
+@@ -156,8 +173,14 @@
+ files_list_tmp(gssd_t) 
+ files_read_usr_symlinks(gssd_t) 
  
++auth_read_cache(gssd_t) 
++auth_use_nsswitch(gssd_t)
++
  miscfiles_read_certs(gssd_t)
  
 +userdom_dontaudit_search_users_home_dirs(rpcd_t)
@@ -8083,12 +8554,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.1.0/policy/modules/services/rsync.te
 --- nsaserefpolicy/policy/modules/services/rsync.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/rsync.te	2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/rsync.te	2007-11-08 13:36:17.000000000 -0500
 @@ -8,8 +8,15 @@
  
  ## <desc>
  ## <p>
-+## Allow rsync export files read only
++## Allow rsync to export any files/directories read only
 +## </p>
 +## </desc>
 +gen_tunable(rsync_export_all_ro,false)
@@ -8101,15 +8572,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn
  ## </p>
  ## </desc>
  gen_tunable(allow_rsync_anon_write,false)
-@@ -58,6 +65,8 @@
- manage_files_pattern(rsync_t,rsync_var_run_t,rsync_var_run_t)
- files_pid_filetrans(rsync_t,rsync_var_run_t,file)
+@@ -81,6 +88,8 @@
+ files_read_etc_files(rsync_t)
+ files_search_home(rsync_t)
  
 +auth_use_nsswitch(rsync_t)
 +
- kernel_read_kernel_sysctls(rsync_t)
- kernel_read_system_state(rsync_t)
- kernel_read_network_state(rsync_t)
+ libs_use_ld_so(rsync_t)
+ libs_use_shared_libs(rsync_t)
+ 
 @@ -90,8 +99,6 @@
  miscfiles_read_localization(rsync_t)
  miscfiles_read_public_files(rsync_t)
@@ -8296,8 +8767,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.1.0/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/samba.te	2007-11-06 09:28:35.000000000 -0500
-@@ -9,7 +9,7 @@
++++ serefpolicy-3.1.0/policy/modules/services/samba.te	2007-11-07 16:11:34.000000000 -0500
+@@ -9,14 +9,14 @@
  ## <desc>
  ## <p>
  ## Allow samba to modify public files
@@ -8306,6 +8777,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  ## </p>
  ## </desc>
  gen_tunable(allow_smbd_anon_write,false)
+ 
+ ## <desc>
+ ## <p>
+-## Allow samba to run as the domain controller; add machines to passwd file
++## Allow samba to act as the domain controller, add users, groups and change passwords
+ ## 
+ ## </p>
+ ## </desc>
+@@ -24,28 +24,28 @@
+ 
+ ## <desc>
+ ## <p>
+-## Allow samba to export user home directories.
++## Allow Samba to share users home directories
+ ## </p>
+ ## </desc>
+ gen_tunable(samba_enable_home_dirs,false)
+ 
+ ## <desc>
+ ## <p>
+-## Export all files on system read only.
++## Allow Samba to share any file/directory read only
+ ## </p>
+ ## </desc>
+ gen_tunable(samba_export_all_ro,false)
+ 
+ ## <desc>
+ ## <p>
+-## Export all files on system read-write.
++## Allow Samba to share any file/directory read/write
+ ## </p>
+ ## </desc>
+ gen_tunable(samba_export_all_rw,false)
+ 
+ ## <desc>
+ ## <p>
+-## Allow samba to run unconfined scripts
++## Allow Samba to run unconfined scripts in /var/lib/samba/scripts directory
+ ## </p>
+ ## </desc>
+ gen_tunable(samba_run_unconfined,false)
 @@ -137,6 +137,11 @@
  type winbind_var_run_t;
  files_pid_file(winbind_var_run_t)
@@ -8710,7 +9222,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 +allow smbcontrol_t nmbd_var_run_t:file { read lock };
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.1.0/policy/modules/services/sasl.te
 --- nsaserefpolicy/policy/modules/services/sasl.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/sasl.te	2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/sasl.te	2007-11-10 07:56:05.000000000 -0500
 @@ -64,6 +64,7 @@
  selinux_compute_access_vector(saslauthd_t)
  
@@ -8719,6 +9231,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl
  auth_use_nsswitch(saslauthd_t)
  
  domain_use_interactive_fds(saslauthd_t)
+@@ -107,6 +108,10 @@
+ ')
+ 
+ optional_policy(`
++	nis_authenticate(saslauthd_t)
++')
++
++optional_policy(`
+ 	seutil_sigchld_newrole(saslauthd_t)
+ ')
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.1.0/policy/modules/services/sendmail.if
 --- nsaserefpolicy/policy/modules/services/sendmail.if	2007-08-27 13:57:20.000000000 -0400
 +++ serefpolicy-3.1.0/policy/modules/services/sendmail.if	2007-11-06 09:28:35.000000000 -0500
@@ -8810,7 +9333,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.1.0/policy/modules/services/sendmail.te
 --- nsaserefpolicy/policy/modules/services/sendmail.te	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/sendmail.te	2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/sendmail.te	2007-11-10 07:37:48.000000000 -0500
 @@ -20,19 +20,22 @@
  mta_mailserver_delivery(sendmail_t)
  mta_mailserver_sender(sendmail_t)
@@ -8845,7 +9368,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
  corenet_all_recvfrom_unlabeled(sendmail_t)
  corenet_all_recvfrom_netlabel(sendmail_t)
  corenet_tcp_sendrecv_all_if(sendmail_t)
-@@ -94,30 +99,28 @@
+@@ -94,30 +99,32 @@
  miscfiles_read_certs(sendmail_t)
  miscfiles_read_localization(sendmail_t)
  
@@ -8864,15 +9387,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
  mta_manage_queue(sendmail_t)
  mta_manage_spool(sendmail_t)
 +mta_sendmail_exec(sendmail_t)
++
++optional_policy(`
++	cron_read_pipes(sendmail_t)
++')
  
  optional_policy(`
--	clamav_search_lib(sendmail_t)
-+	cron_read_pipes(sendmail_t)
+ 	clamav_search_lib(sendmail_t)
  ')
  
  optional_policy(`
 -	nis_use_ypbind(sendmail_t)
-+	clamav_search_lib(sendmail_t)
++	cyrus_stream_connect(sendmail_t)
  ')
  
  optional_policy(`
@@ -8881,7 +9407,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
  ')
  
  optional_policy(`
-@@ -131,6 +134,10 @@
+@@ -131,6 +138,10 @@
  ')
  
  optional_policy(`
@@ -8892,7 +9418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
  	seutil_sigchld_newrole(sendmail_t)
  ')
  
-@@ -156,3 +163,15 @@
+@@ -156,3 +167,15 @@
  
  dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
  ') dnl end TODO
@@ -9248,6 +9774,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  	seutil_sigchld_newrole(ssh_keygen_t)
  ')
  
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.te serefpolicy-3.1.0/policy/modules/services/stunnel.te
+--- nsaserefpolicy/policy/modules/services/stunnel.te	2007-10-12 08:56:07.000000000 -0400
++++ serefpolicy-3.1.0/policy/modules/services/stunnel.te	2007-11-08 13:38:03.000000000 -0500
+@@ -68,6 +68,8 @@
+ 
+ fs_getattr_all_fs(stunnel_t)
+ 
++auth_use_nsswitch(stunnel_t)
++
+ libs_use_ld_so(stunnel_t)
+ libs_use_shared_libs(stunnel_t)
+ 
+@@ -112,14 +114,6 @@
+ 	optional_policy(`
+         	kerberos_use(stunnel_t)
+ 	')
+-
+-	optional_policy(`
+-        	nis_use_ypbind(stunnel_t)
+-	')
+-
+-	optional_policy(`
+-        	nscd_socket_use(stunnel_t)
+-	')
+ ')
+ 
+ # hack since this port has no interfaces since it doesnt
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.1.0/policy/modules/services/telnet.te
 --- nsaserefpolicy/policy/modules/services/telnet.te	2007-07-16 14:09:46.000000000 -0400
 +++ serefpolicy-3.1.0/policy/modules/services/telnet.te	2007-11-06 09:28:35.000000000 -0500
@@ -9360,6 +9913,39 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp
  sysnet_read_config(tftpd_t)
  sysnet_use_ldap(tftpd_t)
  
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.1.0/policy/modules/services/uucp.te
+--- nsaserefpolicy/policy/modules/services/uucp.te	2007-10-12 08:56:07.000000000 -0400
++++ serefpolicy-3.1.0/policy/modules/services/uucp.te	2007-11-08 13:41:35.000000000 -0500
+@@ -88,6 +88,8 @@
+ files_search_home(uucpd_t)
+ files_search_spool(uucpd_t)
+ 
++auth_use_nsswitch(uucpd_t)
++
+ libs_use_ld_so(uucpd_t)
+ libs_use_shared_libs(uucpd_t)
+ 
+@@ -95,20 +97,10 @@
+ 
+ miscfiles_read_localization(uucpd_t)
+ 
+-sysnet_read_config(uucpd_t)
+-
+ optional_policy(`
+ 	kerberos_use(uucpd_t)
+ ')
+ 
+-optional_policy(`
+-	nis_use_ypbind(uucpd_t)
+-')
+-
+-optional_policy(`
+-	nscd_socket_use(uucpd_t)
+-')
+-
+ ########################################
+ #
+ # UUX Local policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uwimap.te serefpolicy-3.1.0/policy/modules/services/uwimap.te
 --- nsaserefpolicy/policy/modules/services/uwimap.te	2007-10-12 08:56:07.000000000 -0400
 +++ serefpolicy-3.1.0/policy/modules/services/uwimap.te	2007-11-06 09:28:35.000000000 -0500
@@ -9445,7 +10031,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.1.0/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/services/xserver.if	2007-11-07 12:15:33.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/services/xserver.if	2007-11-08 14:26:18.000000000 -0500
 @@ -58,7 +58,6 @@
  	allow $1_xserver_t self:msg { send receive };
  	allow $1_xserver_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -9454,15 +10040,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	allow $1_xserver_t self:tcp_socket create_stream_socket_perms;
  	allow $1_xserver_t self:udp_socket create_socket_perms;
  
-@@ -126,6 +125,7 @@
+@@ -126,6 +125,9 @@
  	# read events - the synaptics touchpad driver reads raw events
  	dev_rw_input_dev($1_xserver_t)
  	dev_rwx_zero($1_xserver_t)
 +	dev_read_urand($1_xserver_t)
++	dev_rw_generic_usb_dev($1_xserver_t)
++	dev_rw_generic_usb_pipes($1_xserver_t)
  
  	domain_mmap_low($1_xserver_t)
  
-@@ -141,10 +141,14 @@
+@@ -141,10 +143,14 @@
  	fs_getattr_xattr_fs($1_xserver_t)
  	fs_search_nfs($1_xserver_t)
  	fs_search_auto_mountpoints($1_xserver_t)
@@ -9478,7 +10066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	term_setattr_unallocated_ttys($1_xserver_t)
  	term_use_unallocated_ttys($1_xserver_t)
  
-@@ -160,8 +164,6 @@
+@@ -160,8 +166,6 @@
  
  	seutil_dontaudit_search_config($1_xserver_t)
  
@@ -9487,7 +10075,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	ifndef(`distro_redhat',`
  		allow $1_xserver_t self:process { execmem execheap execstack };
  	')
-@@ -179,14 +181,6 @@
+@@ -179,14 +183,6 @@
  	')
  
  	optional_policy(`
@@ -9502,7 +10090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  		rhgb_getpgid($1_xserver_t)
  		rhgb_signal($1_xserver_t)
  	')
-@@ -251,7 +245,7 @@
+@@ -251,7 +247,7 @@
  	userdom_user_home_content($1,$1_fonts_cache_t)
  
  	type $1_fonts_config_t, fonts_config_type;
@@ -9511,7 +10099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  	type $1_iceauth_t;
  	domain_type($1_iceauth_t)
-@@ -282,11 +276,14 @@
+@@ -282,11 +278,14 @@
  	domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
  
  	allow $1_xserver_t $1_xauth_home_t:file { getattr read };
@@ -9526,7 +10114,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  	manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t)
  	manage_files_pattern($2,$1_fonts_t,$1_fonts_t)
-@@ -316,6 +313,7 @@
+@@ -316,6 +315,7 @@
  	userdom_use_user_ttys($1,$1_xserver_t)
  	userdom_setattr_user_ttys($1,$1_xserver_t)
  	userdom_rw_user_tmpfs_files($1,$1_xserver_t)
@@ -9534,7 +10122,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  	xserver_use_user_fonts($1,$1_xserver_t)
  	xserver_rw_xdm_tmp_files($1_xauth_t)
-@@ -353,12 +351,6 @@
+@@ -353,12 +353,6 @@
  	# allow ps to show xauth
  	ps_process_pattern($2,$1_xauth_t)
  
@@ -9547,7 +10135,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	domain_use_interactive_fds($1_xauth_t)
  
  	files_read_etc_files($1_xauth_t)
-@@ -387,6 +379,14 @@
+@@ -387,6 +381,14 @@
  	')
  
  	optional_policy(`
@@ -9562,7 +10150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  		nis_use_ypbind($1_xauth_t)
  	')
  
-@@ -536,17 +536,15 @@
+@@ -536,17 +538,15 @@
  template(`xserver_user_client_template',`
  
  	gen_require(`
@@ -9586,7 +10174,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  	# for when /tmp/.X11-unix is created by the system
  	allow $2 xdm_t:fd use;
-@@ -555,25 +553,53 @@
+@@ -555,25 +555,53 @@
  	allow $2 xdm_tmp_t:sock_file { read write };
  	dontaudit $2 xdm_t:tcp_socket { read write };
  
@@ -9644,11 +10232,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +	')
 +
 +	optional_policy(`
-+		xserver_rw_session_template($1,$2,$3)
++		xserver_rw_session_template(xdm,$2,$3)
  	')
  ')
  
-@@ -626,6 +652,24 @@
+@@ -626,6 +654,24 @@
  
  ########################################
  ## <summary>
@@ -9673,7 +10261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ##	Transition to a user Xauthority domain.
  ## </summary>
  ## <desc>
-@@ -659,6 +703,73 @@
+@@ -659,6 +705,73 @@
  
  ########################################
  ## <summary>
@@ -9747,7 +10335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ##	Transition to a user Xauthority domain.
  ## </summary>
  ## <desc>
-@@ -927,6 +1038,7 @@
+@@ -927,6 +1040,7 @@
  	files_search_tmp($1)
  	allow $1 xdm_tmp_t:dir list_dir_perms;
  	create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@@ -9755,7 +10343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  ########################################
-@@ -987,6 +1099,37 @@
+@@ -987,6 +1101,37 @@
  
  ########################################
  ## <summary>
@@ -9793,7 +10381,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ##	Make an X session script an entrypoint for the specified domain.
  ## </summary>
  ## <param name="domain">
-@@ -1136,7 +1279,7 @@
+@@ -1136,7 +1281,7 @@
  		type xdm_xserver_tmp_t;
  	')
  
@@ -9802,7 +10390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  ########################################
-@@ -1325,3 +1468,45 @@
+@@ -1325,3 +1470,45 @@
  	files_search_tmp($1)
  	stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
  ')
@@ -10065,7 +10653,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 +/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.1.0/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/system/authlogin.if	2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/system/authlogin.if	2007-11-10 07:11:28.000000000 -0500
 @@ -169,6 +169,7 @@
  interface(`auth_login_pgm_domain',`
  	gen_require(`
@@ -10095,7 +10683,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  	# for SSP/ProPolice
  	dev_read_urand($1)
  	# for fingerprint readers
-@@ -221,11 +230,17 @@
+@@ -221,11 +230,22 @@
  
  	logging_send_audit_msgs($1)
  	logging_send_syslog_msg($1)
@@ -10106,6 +10694,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  	seutil_read_default_contexts($1)
  
 +	userdom_set_rlimitnh($1)
++	userdom_unlink_unpriv_users_tmp_files($1)
++
++	optional_policy(`
++		mount_domtrans($1)
++	')
 +
 +	optional_policy(`
 +		nis_authenticate($1)
@@ -10114,7 +10707,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  	tunable_policy(`allow_polyinstantiation',`
  		files_polyinstantiate_all($1)
  	')
-@@ -342,6 +357,8 @@
+@@ -342,6 +362,8 @@
  
  	optional_policy(`
  		kerberos_use($1)
@@ -10123,7 +10716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  	')
  
  	optional_policy(`
-@@ -440,6 +457,59 @@
+@@ -440,6 +462,59 @@
  
  ########################################
  ## <summary>
@@ -10183,7 +10776,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  ##	Get the attributes of the shadow passwords file.
  ## </summary>
  ## <param name="domain">
-@@ -1457,6 +1527,7 @@
+@@ -1457,6 +1532,7 @@
  	optional_policy(`
  		samba_stream_connect_winbind($1)
  		samba_read_var_files($1)
@@ -10191,6 +10784,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  	')
  ')
  
+@@ -1491,3 +1567,23 @@
+ 	typeattribute $1 can_write_shadow_passwords;
+ 	typeattribute $1 can_relabelto_shadow_passwords;
+ ')
++
++########################################
++## <summary>
++##	Read authentication cache
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`auth_read_cache',`
++	gen_require(`
++		type auth_cache_t;
++	')
++
++	read_files_pattern($1, auth_cache_t,  auth_cache_t)
++')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.1.0/policy/modules/system/authlogin.te
 --- nsaserefpolicy/policy/modules/system/authlogin.te	2007-10-29 18:02:31.000000000 -0400
 +++ serefpolicy-3.1.0/policy/modules/system/authlogin.te	2007-11-06 09:28:35.000000000 -0500
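Review bot: The summary of the new `auth_read_cache` interface, `Read authentication cache`, does not say what the cache holds; earlier in this patch `/var/cache/coolkey(/.*)?` is the path labeled auth_cache_t, so `##	Read the authentication cache (e.g. /var/cache/coolkey).` would tell callers what they are granting to gssd_t and others. The `<rolecap/>` tag marks the interface as a role capability, which seems unusual for read-only access to a cache directory; worth confirming it is intended. Minor style: the double space in `read_files_pattern($1, auth_cache_t,  auth_cache_t)` and the extra blank line appended at end of file.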
@@ -10671,7 +11288,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.1.0/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2007-10-29 07:52:50.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/system/init.te	2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/system/init.te	2007-11-08 13:26:15.000000000 -0500
 @@ -10,6 +10,20 @@
  # Declarations
  #
@@ -10749,7 +11366,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  
-@@ -201,10 +217,9 @@
+@@ -196,15 +212,13 @@
+ allow initrc_t self:tcp_socket create_stream_socket_perms;
+ allow initrc_t self:udp_socket create_socket_perms;
+ allow initrc_t self:fifo_file rw_file_perms;
+-allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
+ 
  allow initrc_t initrc_devpts_t:chr_file rw_term_perms;
  term_create_pty(initrc_t,initrc_devpts_t)
  
@@ -10762,7 +11384,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t)
  manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
-@@ -283,7 +298,6 @@
+@@ -283,7 +297,6 @@
  mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
@@ -10770,7 +11392,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -497,6 +511,33 @@
+@@ -365,7 +378,7 @@
+ 
+ seutil_read_config(initrc_t)
+ 
+-sysnet_read_config(initrc_t)
++auth_use_nsswitch(initrc_t)
+ 
+ userdom_read_all_users_home_content_files(initrc_t)
+ # Allow access to the sysadm TTYs. Note that this will give access to the 
+@@ -497,6 +510,33 @@
  ')
  
  optional_policy(`
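Review bot: Replacing `sysnet_read_config(initrc_t)` with `auth_use_nsswitch(initrc_t)` widens initrc_t beyond reading network config, and the removals in the surrounding hunks (`allow initrc_t self:netlink_route_socket r_netlink_socket_perms;` in the hunk above, `nis_use_ypbind(initrc_t)` and the `nscd_socket_use(initrc_t)` block in the hunk below) are presumably only safe because auth_use_nsswitch supplies those accesses itself; nothing in the chunk shows that interface's body, so this should be verified against authlogin.if. A one-line comment would record the dependency for the next reader, `# auth_use_nsswitch() covers sysnet config, nscd and ypbind socket use`. initrc_t's rules continue outside the hunk.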
@@ -10804,7 +11435,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
  ')
-@@ -631,12 +672,6 @@
+@@ -631,12 +671,6 @@
  	mta_read_config(initrc_t)
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
@@ -10817,7 +11448,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  optional_policy(`
  	ifdef(`distro_redhat',`
-@@ -702,6 +737,9 @@
+@@ -648,15 +682,10 @@
+ ')
+ 
+ optional_policy(`
+-	nis_use_ypbind(initrc_t)
+ 	nis_list_var_yp(initrc_t)
+ ')
+ 
+ optional_policy(`
+-	nscd_socket_use(initrc_t)
+-')
+-
+-optional_policy(`
+ 	openvpn_read_config(initrc_t)
+ ')
+ 
+@@ -702,6 +731,9 @@
  
  	# why is this needed:
  	rpm_manage_db(initrc_t)
@@ -10827,7 +11474,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -749,6 +787,10 @@
+@@ -749,6 +781,10 @@
  ')
  
  optional_policy(`
@@ -10937,8 +11584,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.1.0/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2007-10-12 08:56:08.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/system/libraries.fc	2007-11-06 09:28:35.000000000 -0500
-@@ -65,11 +65,12 @@
++++ serefpolicy-3.1.0/policy/modules/system/libraries.fc	2007-11-08 16:04:38.000000000 -0500
+@@ -65,11 +65,13 @@
  /opt/(.*/)?java/.+\.jar			--	gen_context(system_u:object_r:lib_t,s0)
  /opt/(.*/)?jre.*/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /opt/(.*/)?jre/.+\.jar			--	gen_context(system_u:object_r:lib_t,s0)
@@ -10950,10 +11597,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
 -/opt/f-secure/fspms/libexec/librapi.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 -/opt/ibm/java2-ppc64-50/jre/bin/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/Adobe(/.*?)/nppdf\.so 		-- 	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
  ifdef(`distro_gentoo',`
  # despite the extensions, they are actually libs
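Review bot: In `/opt/Adobe(/.*?)/nppdf\.so` the `?` binds to `.*` rather than to the group, which in POSIX ERE is undefined (a quantifier following a quantifier) and in PCRE is a non-greedy modifier, so the subpath group is not optional and e.g. `/opt/Adobe/nppdf.so` would not match; the regex engine setfiles uses at this version is not visible here, so the exact behaviour is uncertain either way. The usual refpolicy spelling for an optional subpath, also used two lines up for f-secure, is `/opt/Adobe(/.*)?/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)`. The added line also carries mixed trailing spaces and tabs before `--`, unlike its neighbours.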
-@@ -135,6 +136,8 @@
+@@ -135,6 +137,8 @@
  /usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/NX/lib/libXcomp\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/NX/lib/libjpeg\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -10962,7 +11610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
  
  /usr/X11R6/lib/libGL\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/X11R6/lib/libXvMCNVIDIA\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -158,6 +161,7 @@
+@@ -158,6 +162,7 @@
  # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
  # 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
  /usr/lib(64)?/gstreamer-.*/[^/]*\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -10970,7 +11618,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
  
  /usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -216,6 +220,7 @@
+@@ -216,6 +221,7 @@
  /usr/lib(64)?/libpostproc\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/libavformat.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/libavcodec.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -10978,7 +11626,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
  /usr/lib(64)?/libavutil.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/libxvidcore\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/xine/plugins/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -236,7 +241,9 @@
+@@ -236,7 +242,9 @@
  /usr/lib(64)?/libdivxdecore\.so\.0	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/libdivxencore\.so\.0	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
@@ -10989,7 +11637,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
  
  # vmware 
  /usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -284,3 +291,10 @@
+@@ -284,3 +292,10 @@
  /var/spool/postfix/lib(64)?(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
@@ -11761,7 +12409,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.1.0/policy/modules/system/selinuxutil.if
 --- nsaserefpolicy/policy/modules/system/selinuxutil.if	2007-05-18 11:12:44.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/system/selinuxutil.if	2007-11-07 11:58:01.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/system/selinuxutil.if	2007-11-10 07:25:19.000000000 -0500
 @@ -585,7 +585,7 @@
  		type selinux_config_t;
  	')
@@ -11893,7 +12541,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  ##	Full management of the semanage
  ##	module store.
  ## </summary>
-@@ -1058,3 +1134,138 @@
+@@ -1058,3 +1134,140 @@
  	files_search_etc($1)
  	rw_files_pattern($1,selinux_config_t,semanage_trans_lock_t)
  ')
@@ -12027,6 +12675,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 +	seutil_get_semanage_trans_lock($1)
 +	seutil_get_semanage_read_lock($1)
 +
++	userdom_dontaudit_write_unpriv_user_home_content_files($1)
++
 +	optional_policy(`
 +		rpm_dontaudit_rw_tmp_files($1)
 +		rpm_dontaudit_rw_pipes($1)
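Review bot: `userdom_dontaudit_write_unpriv_user_home_content_files($1)` is added without a comment saying which caller attempts the write, so later readers cannot tell whether the suppressed denial is still expected or is hiding a real misconfiguration; the dontaudits that follow it are at least scoped to rpm. Suggest a one-line comment above it such as `# <CALLER> tries to write to the invoking user's home content; the denial is harmless` with the caller filled in. The enclosing interface starts and ends outside the hunk.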
@@ -12034,7 +12684,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.1.0/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2007-10-12 08:56:08.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/system/selinuxutil.te	2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/system/selinuxutil.te	2007-11-09 14:28:06.000000000 -0500
 @@ -76,7 +76,6 @@
  type restorecond_exec_t;
  init_daemon_domain(restorecond_t,restorecond_exec_t)
@@ -12267,7 +12917,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  # cjp: need a more general way to handle this:
  ifdef(`enable_mls',`
  	# read secadm tmp files
-@@ -519,7 +499,9 @@
+@@ -519,7 +499,12 @@
  
  allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir list_dir_perms;
  allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file read_file_perms;
@@ -12275,10 +12925,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 +allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock};
 +
 +logging_send_audit_msgs(setfiles_t)
++
++files_list_isid_type_dirs(setfiles_t)
++files_read_isid_type_files(setfiles_t)
  
  kernel_read_system_state(setfiles_t)
  kernel_relabelfrom_unlabeled_dirs(setfiles_t)
-@@ -537,6 +519,7 @@
+@@ -537,6 +522,7 @@
  
  fs_getattr_xattr_fs(setfiles_t)
  fs_list_all(setfiles_t)
@@ -12286,7 +12939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  fs_search_auto_mountpoints(setfiles_t)
  fs_relabelfrom_noxattr_fs(setfiles_t)
  
-@@ -590,8 +573,16 @@
+@@ -590,8 +576,16 @@
  	fs_relabel_tmpfs_chr_file(setfiles_t)
  ')
  
@@ -13008,7 +13661,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  /tmp/gconfd-USER -d	gen_context(system_u:object_r:ROLE_tmp_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.1.0/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-10-29 07:52:50.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/system/userdomain.if	2007-11-07 11:01:16.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/system/userdomain.if	2007-11-09 14:39:07.000000000 -0500
 @@ -29,8 +29,9 @@
  	')
  
@@ -14049,7 +14702,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3077,7 +3210,7 @@
+@@ -2706,6 +2839,25 @@
+ 
+ ########################################
+ ## <summary>
++##	unlink all unprivileged users files in /tmp
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_unlink_unpriv_users_tmp_files',`
++	gen_require(`
++		attribute user_tmpfile;
++	')
++
++	files_delete_tmp_dir_entry($1)
++	allow $1 user_tmpfile:file unlink;
++')
++
++########################################
++## <summary>
+ ##	Read and write user temporary files.
+ ## </summary>
+ ## <desc>
+@@ -3077,7 +3229,7 @@
  #
  template(`userdom_tmp_filetrans_user_tmp',`
  	gen_require(`
@@ -14058,7 +14737,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
  	files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -3911,7 +4044,7 @@
+@@ -3911,7 +4063,7 @@
  		type sysadm_t;
  	')
  
@@ -14067,7 +14746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	allow sysadm_t $1:fd use;
  	allow sysadm_t $1:fifo_file rw_file_perms;
  	allow sysadm_t $1:process sigchld;
-@@ -4201,11 +4334,11 @@
+@@ -4201,11 +4353,11 @@
  ## </param>
  #
  interface(`userdom_sigchld_sysadm',`
@@ -14083,7 +14762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4571,8 +4704,8 @@
+@@ -4571,8 +4723,8 @@
  
  	files_search_home($1)
  	allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms;
@@ -14094,7 +14773,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4592,8 +4725,8 @@
+@@ -4592,8 +4744,8 @@
  
  	files_search_tmp($1)
  	allow $1 sysadm_tmp_t:dir list_dir_perms;
@@ -14105,7 +14784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4608,11 +4741,29 @@
+@@ -4608,11 +4760,29 @@
  #
  interface(`userdom_search_all_users_home_dirs',`
  	gen_require(`
@@ -14136,7 +14815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4632,6 +4783,14 @@
+@@ -4632,6 +4802,14 @@
  
  	files_list_home($1)
  	allow $1 home_dir_type:dir list_dir_perms;
@@ -14151,7 +14830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4950,7 +5109,7 @@
+@@ -4950,7 +5128,7 @@
  #
  interface(`userdom_manage_generic_user_home_content_dirs',`
  	gen_require(`
@@ -14160,7 +14839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
  	files_search_home($1)
-@@ -5068,7 +5227,7 @@
+@@ -5068,7 +5246,7 @@
  #
  interface(`userdom_manage_generic_user_home_content_symlinks',`
  	gen_require(`
@@ -14169,7 +14848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
  	files_search_home($1)
-@@ -5088,7 +5247,7 @@
+@@ -5088,7 +5266,7 @@
  #
  interface(`userdom_manage_generic_user_home_content_pipes',`
  	gen_require(`
@@ -14178,7 +14857,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
  	files_search_home($1)
-@@ -5108,7 +5267,7 @@
+@@ -5108,7 +5286,7 @@
  #
  interface(`userdom_manage_generic_user_home_content_sockets',`
  	gen_require(`
@@ -14187,7 +14866,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
  	files_search_home($1)
-@@ -5322,7 +5481,7 @@
+@@ -5322,7 +5500,7 @@
  		attribute user_tmpfile;
  	')
  
@@ -14196,7 +14875,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -5528,6 +5687,24 @@
+@@ -5528,6 +5706,24 @@
  
  ########################################
  ## <summary>
@@ -14221,7 +14900,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -5558,3 +5735,379 @@
+@@ -5558,3 +5754,379 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
@@ -14603,7 +15282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.1.0/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2007-10-12 08:56:08.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/system/userdomain.te	2007-11-06 16:05:43.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/system/userdomain.te	2007-11-07 15:10:02.000000000 -0500
 @@ -17,20 +17,13 @@
  
  ## <desc>
@@ -15050,26 +15729,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.i
 +## <summary>Policy for guest user</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.1.0/policy/modules/users/guest.te
 --- nsaserefpolicy/policy/modules/users/guest.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.1.0/policy/modules/users/guest.te	2007-11-06 09:28:35.000000000 -0500
-@@ -0,0 +1,18 @@
++++ serefpolicy-3.1.0/policy/modules/users/guest.te	2007-11-08 08:58:06.000000000 -0500
+@@ -0,0 +1,4 @@
 +policy_module(guest,1.0.0)
 +userdom_unpriv_login_user(guest)
 +userdom_unpriv_login_user(gadmin)
-+userdom_unpriv_xwindows_login_user(xguest)
-+mozilla_per_role_template(xguest, xguest_t, xguest_r)
 +
-+optional_policy(`
-+	consolekit_dbus_chat(xguest_t)
-+')
-+
-+optional_policy(`
-+	bluetooth_dbus_chat(xguest_t)
-+')
-+
-+# Allow mounting of file systems
-+optional_policy(`
-+	hal_dbus_chat(xguest_t)
-+')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.1.0/policy/modules/users/logadm.fc
 --- nsaserefpolicy/policy/modules/users/logadm.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.1.0/policy/modules/users/logadm.fc	2007-11-06 09:28:35.000000000 -0500
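Review bot: The `consolekit_dbus_chat(xguest_t)` block removed here from guest.te is not carried over into the new xguest.te added in the later hunk (which re-adds only the hal and bluetooth blocks), so the xguest module loses that access as a side effect of the split; if that is deliberate it deserves a mention in the changelog, otherwise the block should be restored in xguest.te. The reduced guest.te also ends with a blank line counted in `@@ -0,0 +1,4 @@`, which is harmless but unusual for these modules.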
@@ -15156,9 +15821,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.
 +')
 +allow gadmin_t webadm_t:process transition;
 +allow webadm_t gadmin_t:dir getattr;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.fc serefpolicy-3.1.0/policy/modules/users/xguest.fc
+--- nsaserefpolicy/policy/modules/users/xguest.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/users/xguest.fc	2007-11-08 08:59:47.000000000 -0500
+@@ -0,0 +1 @@
++# No xguest file contexts.
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.if serefpolicy-3.1.0/policy/modules/users/xguest.if
+--- nsaserefpolicy/policy/modules/users/xguest.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/users/xguest.if	2007-11-08 08:59:47.000000000 -0500
+@@ -0,0 +1 @@
++## <summary>Policy for xguest user</summary>
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.te serefpolicy-3.1.0/policy/modules/users/xguest.te
+--- nsaserefpolicy/policy/modules/users/xguest.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/users/xguest.te	2007-11-08 08:59:49.000000000 -0500
+@@ -0,0 +1,11 @@
++policy_module(xguest,1.0.0)
++userdom_unpriv_xwindows_login_user(xguest)
++mozilla_per_role_template(xguest, xguest_t, xguest_r)
++# Allow mounting of file systems
++optional_policy(`
++	hal_dbus_chat(xguest_t)
++')
++
++optional_policy(`
++	bluetooth_dbus_chat(xguest_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.1.0/policy/support/obj_perm_sets.spt
 --- nsaserefpolicy/policy/support/obj_perm_sets.spt	2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.1.0/policy/support/obj_perm_sets.spt	2007-11-06 09:28:36.000000000 -0500
++++ serefpolicy-3.1.0/policy/support/obj_perm_sets.spt	2007-11-09 14:33:41.000000000 -0500
 @@ -204,7 +204,7 @@
  define(`getattr_file_perms',`{ getattr }')
  define(`setattr_file_perms',`{ setattr }')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b92e76c..b6ab7fd 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -16,7 +16,7 @@
 %define CHECKPOLICYVER 2.0.3-1
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 3.1.0
+Version: 3.1.1
 Release: 1%{?dist}
 License: GPLv2+
 Group: System Environment/Base
@@ -179,7 +179,7 @@ Based off of reference policy: Checked out revision 2483.
 # Build targeted policy
 %{__rm} -fR %{buildroot}
 mkdir -p %{buildroot}%{_mandir}
-cp -R  man %{buildroot}%{_mandir}
+cp -R  man/* %{buildroot}%{_mandir}
 mkdir -p %{buildroot}%{_sysconfdir}/selinux
 mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
 touch %{buildroot}%{_sysconfdir}/selinux/config
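Review bot: `cp -R  man/* %{buildroot}%{_mandir}` depends on shell glob expansion, so an empty `man/` passes the literal `man/*` and cp fails the build, and dotfiles are silently skipped; `cp -R man/. %{buildroot}%{_mandir}` copies the directory's contents without either dependency. Not nesting a `man` directory under %{_mandir} looks like the right correction. The double space after `-R` is carried over from the old line.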
@@ -379,6 +379,9 @@ exit 0
 %endif
 
 %changelog
+* Sat Nov 10 2007 Dan Walsh <dwalsh@redhat.com> 3.1.1-1
+- Update to upstream
+
 * Mon Oct 22 2007 Dan Walsh <dwalsh@redhat.com> 3.1.0-1
 - Update to upstream
 
diff --git a/sources b/sources
index ef91975..9f90c78 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-31bbdec681a061d2589003b5715f7755  serefpolicy-3.1.0.tgz
+68f90a44c27dbe325fa27b88608da3b4  serefpolicy-3.1.1.tgz