diff --git a/policy-20071130.patch b/policy-20071130.patch
index 3d8af6f..cfd4375 100644
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@@ -6429,7 +6429,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.2.6/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/services/apache.te 2008-02-01 16:01:42.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/services/apache.te 2008-02-05 13:01:09.000000000 -0500
@@ -20,6 +20,8 @@
# Declarations
#
@@ -7516,7 +7516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.2.6/policy/modules/services/avahi.te
--- nsaserefpolicy/policy/modules/services/avahi.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/services/avahi.te 2008-02-01 16:01:42.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/services/avahi.te 2008-02-05 13:17:08.000000000 -0500
@@ -13,6 +13,9 @@
type avahi_var_run_t;
files_pid_file(avahi_var_run_t)
@@ -8223,7 +8223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
Binary files nsaserefpolicy/policy/modules/services/consolekit.pp and serefpolicy-3.2.6/policy/modules/services/consolekit.pp differ
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.2.6/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/services/consolekit.te 2008-02-04 11:52:57.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/services/consolekit.te 2008-02-05 13:20:29.000000000 -0500
@@ -13,6 +13,9 @@
type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)
@@ -8261,7 +8261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
# needs to read /var/lib/dbus/machine-id
files_read_var_lib_files(consolekit_t)
-@@ -47,15 +56,31 @@
+@@ -47,16 +56,32 @@
auth_use_nsswitch(consolekit_t)
@@ -8282,18 +8282,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
+hal_ptrace(consolekit_t)
+mcs_ptrace_all(consolekit_t)
+
-+optional_policy(`
+ optional_policy(`
+- dbus_system_bus_client_template(consolekit, consolekit_t)
+- dbus_connect_system_bus(consolekit_t)
+ cron_read_system_job_lib_files(consolekit_t)
+')
-+
- optional_policy(`
- dbus_system_bus_client_template(consolekit, consolekit_t)
- dbus_connect_system_bus(consolekit_t)
--
+
+- hal_dbus_chat(consolekit_t)
++optional_policy(`
+ dbus_system_domain(consolekit_t, consolekit_exec_t)
- hal_dbus_chat(consolekit_t)
++ optional_policy(`
++ hal_dbus_chat(consolekit_t)
++ ')
optional_policy(`
+ unconfined_dbus_chat(consolekit_t)
@@ -64,6 +89,33 @@
')
@@ -9659,7 +9662,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru
# Local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.2.6/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/services/dbus.if 2008-02-01 16:01:42.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/services/dbus.if 2008-02-05 13:18:08.000000000 -0500
@@ -53,6 +53,7 @@
gen_require(`
type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t;
@@ -9840,7 +9843,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
## Read dbus configuration.
##
##
-@@ -366,3 +443,52 @@
+@@ -366,3 +443,55 @@
allow $1 system_dbusd_t:dbus *;
')
@@ -9892,10 +9895,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
+
+ domtrans_pattern(system_dbusd_t,$2,$1)
+
++ dbus_system_bus_client_template($1,$1)
++ dbus_connect_system_bus($1)
++
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.2.6/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/services/dbus.te 2008-02-01 16:01:42.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/services/dbus.te 2008-02-05 13:15:48.000000000 -0500
@@ -9,6 +9,7 @@
#
# Delcarations
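Review bot: The two lines added to `dbus_system_domain` call `dbus_system_bus_client_template($1,$1)`, passing the domain type as both arguments, while every other caller visible in this patch passes a short prefix first (`consolekit, consolekit_t`, `kerneloops,kerneloops_t`, `polkit_grant, polkit_grant_t`). If the template derives identifiers from its first argument, as those call sites suggest, the names derived here would be built from a full type such as `consolekit_t`; confirm this against the template definition, which is outside this hunk. The addition also makes every domain declared through `dbus_system_domain` a system-bus client without the caller asking for it, so the interface's `##` description should say so, e.g. `## The domain is also made a client of the system bus.` The interface body begins above the hunk.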
@@ -9921,6 +9927,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
selinux_get_fs_mount(system_dbusd_t)
selinux_validate_context(system_dbusd_t)
+@@ -121,9 +123,20 @@
+ ')
+
+ optional_policy(`
++ polkit_domtrans_auth(system_dbusd_t)
++ polkit_search_lib(system_dbusd_t)
++')
++
++optional_policy(`
+ sysnet_domtrans_dhcpc(system_dbusd_t)
+ ')
+
+ optional_policy(`
+ udev_read_db(system_dbusd_t)
+ ')
++
++optional_policy(`
++ consolekit_dbus_chat(system_dbusd_t)
++')
++
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.if serefpolicy-3.2.6/policy/modules/services/dcc.if
--- nsaserefpolicy/policy/modules/services/dcc.if 2007-03-26 10:39:05.000000000 -0400
+++ serefpolicy-3.2.6/policy/modules/services/dcc.if 2008-02-01 16:01:42.000000000 -0500
@@ -11510,6 +11537,146 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
')
optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.fc serefpolicy-3.2.6/policy/modules/services/gnomeclock.fc
+--- nsaserefpolicy/policy/modules/services/gnomeclock.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/services/gnomeclock.fc 2008-02-05 13:14:26.000000000 -0500
+@@ -0,0 +1,2 @@
++
++/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.2.6/policy/modules/services/gnomeclock.if
+--- nsaserefpolicy/policy/modules/services/gnomeclock.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/services/gnomeclock.if 2008-02-05 13:14:26.000000000 -0500
+@@ -0,0 +1,75 @@
++
++## policy for gnomeclock
++
++########################################
++##
++## Execute a domain transition to run gnomeclock.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`gnomeclock_domtrans',`
++ gen_require(`
++ type gnomeclock_t;
++ type gnomeclock_exec_t;
++ ')
++
++ domtrans_pattern($1,gnomeclock_exec_t,gnomeclock_t)
++')
++
++
++########################################
++##
++## Execute gnomeclock in the gnomeclock domain, and
++## allow the specified role the gnomeclock domain.
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++##
++## The role to be allowed the gnomeclock domain.
++##
++##
++##
++##
++## The type of the role's terminal.
++##
++##
++#
++interface(`gnomeclock_run',`
++ gen_require(`
++ type gnomeclock_t;
++ ')
++
++ gnomeclock_domtrans($1)
++ role $2 types gnomeclock_t;
++ dontaudit gnomeclock_t $3:chr_file rw_term_perms;
++')
++
++
++########################################
++##
++## Send and receive messages from
++## gnomeclock over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnomeclock_dbus_chat',`
++ gen_require(`
++ type gnomeclock_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 gnomeclock_t:dbus send_msg;
++ allow gnomeclock_t $1:dbus send_msg;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.2.6/policy/modules/services/gnomeclock.te
+--- nsaserefpolicy/policy/modules/services/gnomeclock.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/services/gnomeclock.te 2008-02-05 13:21:34.000000000 -0500
+@@ -0,0 +1,51 @@
++policy_module(gnomeclock,1.0.0)
++########################################
++#
++# Declarations
++#
++
++type gnomeclock_t;
++type gnomeclock_exec_t;
++dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
++
++
++########################################
++#
++# gnomeclock local policy
++#
++allow gnomeclock_t self:capability sys_time;
++allow gnomeclock_t self:process getsched;
++
++## internal communication is often done using fifo and unix sockets.
++allow gnomeclock_t self:fifo_file rw_file_perms;
++allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;
++
++corecmd_search_bin(gnomeclock_t)
++
++files_read_etc_files(gnomeclock_t)
++files_read_usr_files(gnomeclock_t)
++
++fs_list_inotifyfs(gnomeclock_t)
++
++auth_use_nsswitch(gnomeclock_t)
++
++libs_use_ld_so(gnomeclock_t)
++libs_use_shared_libs(gnomeclock_t)
++
++miscfiles_read_localization(gnomeclock_t)
++
++userdom_read_all_users_state(gnomeclock_t)
++
++optional_policy(`
++ consolekit_dbus_chat(gnomeclock_t)
++')
++
++optional_policy(`
++ clock_domtrans(gnomeclock_t)
++')
++
++optional_policy(`
++ polkit_domtrans_auth(gnomeclock_t)
++ polkit_read_lib(gnomeclock_t)
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.2.6/policy/modules/services/hal.fc
--- nsaserefpolicy/policy/modules/services/hal.fc 2007-11-14 08:17:58.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/services/hal.fc 2008-02-01 16:01:42.000000000 -0500
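Review bot: In gnomeclock.te the `self:fifo_file` and `self:unix_stream_socket` rules are justified only by the generic comment "internal communication is often done using fifo and unix sockets", which reads like generated template text rather than an observed need; the same comment and rules appear in kerneloops.te further down. This domain also holds `sys_time` and is declared with `dbus_system_domain`, so I would keep only the rules backed by an actual denial and replace the comment with the reason. `userdom_read_all_users_state(gnomeclock_t)` has no comment at all; if it is there so the caller can be identified for the PolicyKit check, say so, e.g. `# read the D-Bus caller's process state for the PolicyKit check (confirm)`.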
@@ -12154,7 +12321,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.2.6/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/services/kerberos.te 2008-02-01 16:01:42.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/services/kerberos.te 2008-02-05 11:26:22.000000000 -0500
@@ -54,6 +54,12 @@
type krb5kdc_var_run_t;
files_pid_file(krb5kdc_var_run_t)
@@ -12228,7 +12395,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t)
-@@ -233,6 +246,7 @@
+@@ -233,8 +246,10 @@
optional_policy(`
seutil_sigchld_newrole(krb5kdc_t)
@@ -12236,6 +12403,185 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
')
optional_policy(`
+ udev_read_db(krb5kdc_t)
+ ')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.fc serefpolicy-3.2.6/policy/modules/services/kerneloops.fc
+--- nsaserefpolicy/policy/modules/services/kerneloops.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/services/kerneloops.fc 2008-02-05 13:14:34.000000000 -0500
+@@ -0,0 +1,4 @@
++
++/usr/sbin/kerneloops -- gen_context(system_u:object_r:kerneloops_exec_t,s0)
++
++/etc/rc.d/init.d/kerneloops -- gen_context(system_u:object_r:kerneloops_script_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.if serefpolicy-3.2.6/policy/modules/services/kerneloops.if
+--- nsaserefpolicy/policy/modules/services/kerneloops.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/services/kerneloops.if 2008-02-05 13:14:34.000000000 -0500
+@@ -0,0 +1,104 @@
++
++## policy for kerneloops
++
++########################################
++##
++## Execute a domain transition to run kerneloops.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`kerneloops_domtrans',`
++ gen_require(`
++ type kerneloops_t;
++ type kerneloops_exec_t;
++ ')
++
++ domtrans_pattern($1,kerneloops_exec_t,kerneloops_t)
++')
++
++
++########################################
++##
++## Execute kerneloops server in the kerneloops domain.
++##
++##
++##
++## The type of the process performing this action.
++##
++##
++#
++interface(`kerneloops_script_domtrans',`
++ gen_require(`
++ type kerneloops_script_exec_t;
++ ')
++
++ init_script_domtrans_spec($1,kerneloops_script_exec_t)
++')
++
++########################################
++##
++## Send and receive messages from
++## kerneloops over dbus.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`kerneloops_dbus_chat',`
++ gen_require(`
++ type kerneloops_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 kerneloops_t:dbus send_msg;
++ allow kerneloops_t $1:dbus send_msg;
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an kerneloops environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role to be allowed to manage the kerneloops domain.
++##
++##
++##
++##
++## The type of the user terminal.
++##
++##
++##
++#
++interface(`kerneloops_admin',`
++ gen_require(`
++ type kerneloops_t;
++ ')
++
++ allow $1 kerneloops_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, kerneloops_t, kerneloops_t)
++
++
++ gen_require(`
++ type kerneloops_script_exec_t;
++ ')
++
++ # Allow kerneloops_t to restart the apache service
++ kerneloops_script_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 kerneloops_script_exec_t system_r;
++ allow $2 system_r;
++
++')
+Binary files nsaserefpolicy/policy/modules/services/kerneloops.pp and serefpolicy-3.2.6/policy/modules/services/kerneloops.pp differ
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.2.6/policy/modules/services/kerneloops.te
+--- nsaserefpolicy/policy/modules/services/kerneloops.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/services/kerneloops.te 2008-02-05 13:14:35.000000000 -0500
+@@ -0,0 +1,55 @@
++policy_module(kerneloops,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type kerneloops_t;
++type kerneloops_exec_t;
++domain_type(kerneloops_t)
++init_daemon_domain(kerneloops_t, kerneloops_exec_t)
++
++type kerneloops_script_exec_t;
++init_script_type(kerneloops_script_exec_t)
++
++########################################
++#
++# kerneloops local policy
++#
++allow kerneloops_t self:capability sys_nice;
++allow kerneloops_t self:process { setsched getsched };
++
++# Init script handling
++domain_use_interactive_fds(kerneloops_t)
++
++## internal communication is often done using fifo and unix sockets.
++allow kerneloops_t self:fifo_file rw_file_perms;
++allow kerneloops_t self:unix_stream_socket create_stream_socket_perms;
++
++corenet_all_recvfrom_unlabeled(kerneloops_t)
++corenet_all_recvfrom_netlabel(kerneloops_t)
++corenet_tcp_sendrecv_all_if(kerneloops_t)
++corenet_tcp_sendrecv_all_nodes(kerneloops_t)
++corenet_tcp_sendrecv_all_ports(kerneloops_t)
++corenet_tcp_bind_http_port(kerneloops_t)
++
++files_read_etc_files(kerneloops_t)
++
++kernel_read_ring_buffer(kerneloops_t)
++
++libs_use_ld_so(kerneloops_t)
++libs_use_shared_libs(kerneloops_t)
++
++logging_send_syslog_msg(kerneloops_t)
++logging_read_generic_logs(kerneloops_t)
++
++miscfiles_read_localization(kerneloops_t)
++
++sysnet_dns_name_resolve(kerneloops_t)
++
++optional_policy(`
++ dbus_system_bus_client_template(kerneloops,kerneloops_t)
++ dbus_connect_system_bus(kerneloops_t)
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.2.6/policy/modules/services/ldap.fc
--- nsaserefpolicy/policy/modules/services/ldap.fc 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-3.2.6/policy/modules/services/ldap.fc 2008-02-01 16:01:42.000000000 -0500
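Review bot: kerneloops.te grants `corenet_tcp_bind_http_port(kerneloops_t)`, which lets the daemon listen on the HTTP port, alongside send/receive on all ports; if the daemon only submits reports to a remote web server, as the `sysnet_dns_name_resolve` line suggests, the rule wanted is `corenet_tcp_connect_http_port(kerneloops_t)`. In kerneloops.if, the comment in `kerneloops_admin` says `# Allow kerneloops_t to restart the apache service`, but the lines under it let the caller `$1` run the kerneloops init script, so it should read `# Allow $1 to restart the kerneloops service`. The same interface documents a third parameter (the user terminal type) that the body never uses, and `domain_type(kerneloops_t)` precedes `init_daemon_domain`, a pairing this same patch removes for `polkit_t` and `polkit_auth_t`.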
@@ -14390,10 +14736,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.2.6/policy/modules/services/polkit.fc
--- nsaserefpolicy/policy/modules/services/polkit.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/services/polkit.fc 2008-02-01 16:01:42.000000000 -0500
-@@ -0,0 +1,7 @@
++++ serefpolicy-3.2.6/policy/modules/services/polkit.fc 2008-02-05 13:14:51.000000000 -0500
+@@ -0,0 +1,8 @@
+
+/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:polkit_auth_exec_t,s0)
++/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:polkit_grant_exec_t,s0)
+/usr/libexec/polkitd -- gen_context(system_u:object_r:polkit_exec_t,s0)
+
+/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0)
@@ -14401,8 +14748,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk
+/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.2.6/policy/modules/services/polkit.if
--- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/services/polkit.if 2008-02-04 11:48:36.000000000 -0500
-@@ -0,0 +1,62 @@
++++ serefpolicy-3.2.6/policy/modules/services/polkit.if 2008-02-05 13:14:52.000000000 -0500
+@@ -0,0 +1,119 @@
+
+## policy for polkit_auth
+
@@ -14465,10 +14812,67 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk
+ # Broken placement
+ cron_read_system_job_lib_files($1)
+')
++
++########################################
++##
++## Execute a domain transition to run polkit_grant.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`polkit_domtrans_grant',`
++ gen_require(`
++ type polkit_grant_t;
++ type polkit_grant_exec_t;
++ ')
++
++ domtrans_pattern($1,polkit_grant_exec_t,polkit_grant_t)
++')
++
++########################################
++##
++## Execute a policy_grant in the policy_grant domain, and
++## allow the specified role the policy_grant domain,
++## and use the caller's terminal.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role to be allowed the load_policy domain.
++##
++##
++##
++##
++## The type of the terminal allow the load_policy domain to use.
++##
++##
++##
++#
++interface(`polkit_run_grant',`
++ gen_require(`
++ type polkit_grant_t;
++ type polkit_auth_t;
++ ')
++
++ polkit_domtrans_grant($1)
++ role $2 types polkit_grant_t;
++ role $2 types polkit_auth_t;
++ allow polkit_grant_t $3:chr_file rw_term_perms;
++ allow $1 polkit_grant_t:process signal;
++ read_files_pattern(polkit_grant_t, $1, $1)
++ allow polkit_grant_t $1:process getattr;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.2.6/policy/modules/services/polkit.te
--- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/services/polkit.te 2008-02-01 16:01:42.000000000 -0500
-@@ -0,0 +1,110 @@
++++ serefpolicy-3.2.6/policy/modules/services/polkit.te 2008-02-05 13:20:13.000000000 -0500
+@@ -0,0 +1,154 @@
+policy_module(polkit_auth,1.0.0)
+
+########################################
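Review bot: The `##` description of `polkit_run_grant` was copied from another interface and not updated: it speaks of "policy_grant" and twice of "the load_policy domain" where it means polkit_grant. It also omits that the body gives the role a second domain, `role $2 types polkit_auth_t;`, and that `read_files_pattern(polkit_grant_t, $1, $1)` plus `allow polkit_grant_t $1:process getattr;` let the helper read files labelled with the caller's type and query the caller's process attributes. I would reword the summary to `## Execute polkit_grant in the polkit_grant domain, allow the specified role the polkit_grant and polkit_auth domains, and use the caller's terminal.` and correct the two parameter descriptions to name polkit_grant.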
@@ -14478,12 +14882,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk
+
+type polkit_t;
+type polkit_exec_t;
-+domain_type(polkit_t)
+init_daemon_domain(polkit_t, polkit_exec_t)
+
++type polkit_grant_t;
++type polkit_grant_exec_t;
++init_system_domain(polkit_grant_t, polkit_grant_exec_t)
++
+type polkit_auth_t;
+type polkit_auth_exec_t;
-+domain_type(polkit_auth_t)
+init_daemon_domain(polkit_auth_t, polkit_auth_exec_t)
+
+type polkit_var_lib_t;
@@ -14528,9 +14934,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk
+files_pid_filetrans(polkit_t,polkit_var_run_t, { file dir })
+
+optional_policy(`
-+ dbus_system_bus_client_template(polkit, polkit_t)
-+ consolekit_dbus_chat(polkit_t)
+ dbus_system_domain(polkit_t, polkit_exec_t)
++ optional_policy(`
++ consolekit_dbus_chat(polkit_t)
++ ')
+')
+
+########################################
@@ -14579,6 +14986,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polk
+ hal_read_state(polkit_auth_t)
+')
+
++########################################
++#
++# polkit_grant local policy
++#
++
++allow polkit_grant_t self:capability setuid;
++allow polkit_grant_t self:process getattr;
++
++allow polkit_grant_t self:unix_dgram_socket create_socket_perms;
++allow polkit_grant_t self:fifo_file rw_file_perms;
++allow polkit_grant_t self:unix_stream_socket create_stream_socket_perms;
++
++can_exec(polkit_grant_t, polkit_grant_exec_t)
++corecmd_search_bin(polkit_grant_t)
++
++files_read_etc_files(polkit_grant_t)
++files_read_usr_files(polkit_grant_t)
++
++auth_use_nsswitch(polkit_grant_t)
++auth_domtrans_chk_passwd(polkit_grant_t)
++
++libs_use_ld_so(polkit_grant_t)
++libs_use_shared_libs(polkit_grant_t)
++
++miscfiles_read_localization(polkit_grant_t)
++
++logging_send_syslog_msg(polkit_grant_t)
++
++polkit_domtrans_auth(polkit_grant_t)
++
++manage_files_pattern(polkit_grant_t, polkit_var_lib_t, polkit_var_lib_t)
++
++optional_policy(`
++ dbus_system_bus_client_template(polkit_grant, polkit_grant_t)
++ consolekit_dbus_chat(polkit_grant_t)
++')
++
++gen_require(`
++ type system_crond_var_lib_t;
++')
++manage_files_pattern(polkit_grant_t, system_crond_var_lib_t, system_crond_var_lib_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.2.6/policy/modules/services/postfix.fc
--- nsaserefpolicy/policy/modules/services/postfix.fc 2007-09-12 10:34:18.000000000 -0400
+++ serefpolicy-3.2.6/policy/modules/services/postfix.fc 2008-02-01 16:01:42.000000000 -0500
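Review bot: The last rule of the new polkit_grant section, `manage_files_pattern(polkit_grant_t, system_crond_var_lib_t, system_crond_var_lib_t)`, gives a domain that also holds `setuid` create/write/delete access to files carrying cron's var-lib type, and it reaches that type through a bare `gen_require` in the .te file rather than through a cron interface. The `# Broken placement` comment in polkit.if suggests this works around where PolicyKit data ends up labelled; if so, the narrower fix is to get those files labelled `polkit_var_lib_t`, which the rule just above already lets the helper manage. Until then, wrap the `gen_require` and the rule in an `optional_policy` block so the module does not hard-depend on cron, and add a comment naming the file that needs the access. `consolekit_dbus_chat(polkit_grant_t)` also sits directly in the D-Bus optional block, whereas this patch nests the same call in its own `optional_policy` for `polkit_t`.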
@@ -24828,7 +25276,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.6/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/system/unconfined.te 2008-02-02 00:21:41.000000000 -0500
++++ serefpolicy-3.2.6/policy/modules/system/unconfined.te 2008-02-05 09:47:51.000000000 -0500
@@ -6,35 +6,59 @@
# Declarations
#
@@ -24949,7 +25397,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
optional_policy(`
init_dbus_chat_script(unconfined_t)
-@@ -107,6 +146,10 @@
+@@ -101,12 +140,20 @@
+ ')
+
+ optional_policy(`
++ kerneloops_dbus_chat(unconfined_t)
++ ')
++
++ optional_policy(`
+ networkmanager_dbus_chat(unconfined_t)
+ ')
+
optional_policy(`
oddjob_dbus_chat(unconfined_t)
')
@@ -24960,7 +25418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
optional_policy(`
-@@ -118,11 +161,7 @@
+@@ -118,11 +165,7 @@
')
optional_policy(`
@@ -24973,7 +25431,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
optional_policy(`
-@@ -134,14 +173,6 @@
+@@ -134,14 +177,6 @@
')
optional_policy(`
@@ -24988,7 +25446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
oddjob_domtrans_mkhomedir(unconfined_t)
')
-@@ -154,38 +185,32 @@
+@@ -154,38 +189,32 @@
')
optional_policy(`
@@ -25034,7 +25492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
optional_policy(`
-@@ -205,11 +230,30 @@
+@@ -205,11 +234,30 @@
')
optional_policy(`
@@ -25044,14 +25502,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+
+optional_policy(`
+ java_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++')
++
++optional_policy(`
++ mono_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
- xserver_domtrans_xdm_xserver(unconfined_t)
-+ mono_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-+')
-+
-+optional_policy(`
+ mozilla_per_role_template(unconfined, unconfined_t, unconfined_r)
+ unconfined_domain(unconfined_mozilla_t)
+ allow unconfined_mozilla_t self:process { execstack execmem };
@@ -25067,7 +25525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
')
########################################
-@@ -219,14 +263,34 @@
+@@ -219,14 +267,34 @@
allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t)
@@ -25087,7 +25545,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
- ')
+optional_policy(`
+ avahi_dbus_chat(unconfined_execmem_t)
-+')
+ ')
+
+optional_policy(`
+ hal_dbus_chat(unconfined_execmem_t)
@@ -25095,7 +25553,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+
+optional_policy(`
+ xserver_xdm_rw_shm(unconfined_execmem_t)
- ')
++')
+
+########################################
+#
@@ -28810,8 +29268,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.i
+## Policy for staff user
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.2.6/policy/modules/users/staff.te
--- nsaserefpolicy/policy/modules/users/staff.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.6/policy/modules/users/staff.te 2008-02-04 08:26:47.000000000 -0500
-@@ -0,0 +1,51 @@
++++ serefpolicy-3.2.6/policy/modules/users/staff.te 2008-02-05 09:47:25.000000000 -0500
+@@ -0,0 +1,55 @@
+policy_module(staff,1.0.1)
+userdom_unpriv_user_template(staff)
+
@@ -28843,6 +29301,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.t
+')
+
+optional_policy(`
++ kerneloops_dbus_chat(staff_t)
++')
++
++optional_policy(`
+ mono_per_role_template(staff, staff_t, staff_r)
+')
+