diff --git a/policy-F12.patch b/policy-F12.patch
index 96b3187..8f3d4db 100644
--- a/policy-F12.patch
+++ b/policy-F12.patch
@@ -1,6 +1,15 @@
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.6.27/config/appconfig-mcs/default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Changelog serefpolicy-3.6.28/Changelog
+--- nsaserefpolicy/Changelog	2009-08-18 11:41:14.000000000 -0400
++++ serefpolicy-3.6.28/Changelog	2009-08-18 13:23:29.000000000 -0400
+@@ -1,5 +1,3 @@
+-- Debian policykit fixes from Martin Orr.
+-- Fix unconfined_r use of unconfined_java_t.
+ - Add missing x_device rules for XI2 functions, from Eamon Walsh.
+ - Add missing rules to make unconfined_cronjob_t a valid cron job domain.
+ - Add btrfs and ext4 to labeling targets.
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.6.28/config/appconfig-mcs/default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/default_contexts	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/config/appconfig-mcs/default_contexts	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/config/appconfig-mcs/default_contexts	2009-08-18 13:23:29.000000000 -0400
 @@ -1,15 +1,6 @@
 -system_r:crond_t:s0		user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
 -system_r:local_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
@@ -22,15 +31,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
 -user_r:user_su_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
 -user_r:user_sudo_t:s0		sysadm_r:sysadm_t:s0 user_r:user_t:s0
 +system_r:xdm_t:s0		user_r:user_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.6.27/config/appconfig-mcs/failsafe_context
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.6.28/config/appconfig-mcs/failsafe_context
 --- nsaserefpolicy/config/appconfig-mcs/failsafe_context	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/config/appconfig-mcs/failsafe_context	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/config/appconfig-mcs/failsafe_context	2009-08-18 13:23:29.000000000 -0400
 @@ -1 +1 @@
 -sysadm_r:sysadm_t:s0
 +system_r:unconfined_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.6.27/config/appconfig-mcs/root_default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.6.28/config/appconfig-mcs/root_default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/root_default_contexts	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/config/appconfig-mcs/root_default_contexts	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/config/appconfig-mcs/root_default_contexts	2009-08-18 13:23:29.000000000 -0400
 @@ -1,11 +1,7 @@
 -system_r:crond_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
 +system_r:crond_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
@@ -45,9 +54,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
  #
 -#system_r:sshd_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
 +system_r:sshd_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/securetty_types serefpolicy-3.6.27/config/appconfig-mcs/securetty_types
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/securetty_types serefpolicy-3.6.28/config/appconfig-mcs/securetty_types
 --- nsaserefpolicy/config/appconfig-mcs/securetty_types	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/config/appconfig-mcs/securetty_types	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/config/appconfig-mcs/securetty_types	2009-08-18 13:23:29.000000000 -0400
 @@ -1 +1,6 @@
 +auditadm_tty_device_t
 +secadm_tty_device_t
@@ -55,18 +64,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
 +sysadm_tty_device_t
 +unconfined_tty_device_t
  user_tty_device_t
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.6.27/config/appconfig-mcs/seusers
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/seusers serefpolicy-3.6.28/config/appconfig-mcs/seusers
 --- nsaserefpolicy/config/appconfig-mcs/seusers	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/config/appconfig-mcs/seusers	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/config/appconfig-mcs/seusers	2009-08-18 13:23:29.000000000 -0400
 @@ -1,3 +1,3 @@
  system_u:system_u:s0-mcs_systemhigh
 -root:root:s0-mcs_systemhigh
 -__default__:user_u:s0
 +root:unconfined_u:s0-mcs_systemhigh
 +__default__:unconfined_u:s0-mcs_systemhigh
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.6.27/config/appconfig-mcs/staff_u_default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts serefpolicy-3.6.28/config/appconfig-mcs/staff_u_default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/staff_u_default_contexts	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/config/appconfig-mcs/staff_u_default_contexts	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/config/appconfig-mcs/staff_u_default_contexts	2009-08-18 13:23:29.000000000 -0400
 @@ -1,10 +1,12 @@
  system_r:local_login_t:s0	staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
  system_r:remote_login_t:s0	staff_r:staff_t:s0
@@ -81,9 +90,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
  sysadm_r:sysadm_su_t:s0		sysadm_r:sysadm_t:s0 
  sysadm_r:sysadm_sudo_t:s0	sysadm_r:sysadm_t:s0
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts serefpolicy-3.6.27/config/appconfig-mcs/unconfined_u_default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts serefpolicy-3.6.28/config/appconfig-mcs/unconfined_u_default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/unconfined_u_default_contexts	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/config/appconfig-mcs/unconfined_u_default_contexts	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/config/appconfig-mcs/unconfined_u_default_contexts	2009-08-18 13:23:29.000000000 -0400
 @@ -1,4 +1,4 @@
 -system_r:crond_t:s0		unconfined_r:unconfined_t:s0 unconfined_r:unconfined_cronjob_t:s0
 +system_r:crond_t:s0		unconfined_r:unconfined_t:s0
@@ -97,15 +106,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
 +system_r:initrc_su_t:s0		unconfined_r:unconfined_t:s0
 +unconfined_r:unconfined_t:s0	unconfined_r:unconfined_t:s0
  system_r:xdm_t:s0		unconfined_r:unconfined_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.6.27/config/appconfig-mcs/userhelper_context
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.6.28/config/appconfig-mcs/userhelper_context
 --- nsaserefpolicy/config/appconfig-mcs/userhelper_context	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/config/appconfig-mcs/userhelper_context	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/config/appconfig-mcs/userhelper_context	2009-08-18 13:23:29.000000000 -0400
 @@ -1 +1 @@
 -system_u:sysadm_r:sysadm_t:s0
 +system_u:system_r:unconfined_t:s0	
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.6.27/config/appconfig-mcs/user_u_default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.6.28/config/appconfig-mcs/user_u_default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/config/appconfig-mcs/user_u_default_contexts	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/config/appconfig-mcs/user_u_default_contexts	2009-08-18 13:23:29.000000000 -0400
 @@ -1,8 +1,9 @@
  system_r:local_login_t:s0	user_r:user_t:s0
  system_r:remote_login_t:s0	user_r:user_t:s0
@@ -118,20 +127,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
 -
 +system_r:initrc_su_t:s0		user_r:user_t:s0
 +user_r:user_t:s0		user_r:user_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_domain_context serefpolicy-3.6.27/config/appconfig-mcs/virtual_domain_context
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_domain_context serefpolicy-3.6.28/config/appconfig-mcs/virtual_domain_context
 --- nsaserefpolicy/config/appconfig-mcs/virtual_domain_context	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/config/appconfig-mcs/virtual_domain_context	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/config/appconfig-mcs/virtual_domain_context	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1 @@
 +system_u:system_r:svirt_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_image_context serefpolicy-3.6.27/config/appconfig-mcs/virtual_image_context
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/virtual_image_context serefpolicy-3.6.28/config/appconfig-mcs/virtual_image_context
 --- nsaserefpolicy/config/appconfig-mcs/virtual_image_context	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/config/appconfig-mcs/virtual_image_context	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/config/appconfig-mcs/virtual_image_context	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,2 @@
 +system_u:object_r:svirt_image_t:s0
 +system_u:object_r:virt_content_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.6.27/config/appconfig-mls/default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.6.28/config/appconfig-mls/default_contexts
 --- nsaserefpolicy/config/appconfig-mls/default_contexts	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/config/appconfig-mls/default_contexts	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/config/appconfig-mls/default_contexts	2009-08-18 13:23:29.000000000 -0400
 @@ -1,15 +1,6 @@
 -system_r:crond_t:s0		user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
 -system_r:local_login_t:s0	user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 unconfined_r:unconfined_t:s0
@@ -153,9 +162,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
 -user_r:user_su_t:s0		user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
 -user_r:user_sudo_t:s0		sysadm_r:sysadm_t:s0 user_r:user_t:s0
 +system_r:xdm_t:s0		user_r:user_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/root_default_contexts serefpolicy-3.6.27/config/appconfig-mls/root_default_contexts
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/root_default_contexts serefpolicy-3.6.28/config/appconfig-mls/root_default_contexts
 --- nsaserefpolicy/config/appconfig-mls/root_default_contexts	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/config/appconfig-mls/root_default_contexts	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/config/appconfig-mls/root_default_contexts	2009-08-18 13:23:29.000000000 -0400
 @@ -1,11 +1,11 @@
 -system_r:crond_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:cronjob_t:s0 staff_r:cronjob_t:s0 user_r:cronjob_t:s0
 -system_r:local_login_t:s0	unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
@@ -174,20 +183,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
  #
 -#system_r:sshd_t:s0		unconfined_r:unconfined_t:s0 sysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
 +#system_r:sshd_t:s0		sysadm_r:sysadm_t:s0 staff_r:staff_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_domain_context serefpolicy-3.6.27/config/appconfig-mls/virtual_domain_context
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_domain_context serefpolicy-3.6.28/config/appconfig-mls/virtual_domain_context
 --- nsaserefpolicy/config/appconfig-mls/virtual_domain_context	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/config/appconfig-mls/virtual_domain_context	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/config/appconfig-mls/virtual_domain_context	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1 @@
 +system_u:system_r:qemu_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_image_context serefpolicy-3.6.27/config/appconfig-mls/virtual_image_context
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/virtual_image_context serefpolicy-3.6.28/config/appconfig-mls/virtual_image_context
 --- nsaserefpolicy/config/appconfig-mls/virtual_image_context	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/config/appconfig-mls/virtual_image_context	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/config/appconfig-mls/virtual_image_context	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,2 @@
 +system_u:object_r:virt_image_t:s0
 +system_u:object_r:virt_content_t:s0
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/securetty_types serefpolicy-3.6.27/config/appconfig-standard/securetty_types
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/securetty_types serefpolicy-3.6.28/config/appconfig-standard/securetty_types
 --- nsaserefpolicy/config/appconfig-standard/securetty_types	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/config/appconfig-standard/securetty_types	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/config/appconfig-standard/securetty_types	2009-08-18 13:23:29.000000000 -0400
 @@ -1 +1,6 @@
 +auditadm_tty_device_t
 +secadm_tty_device_t
@@ -195,9 +204,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con
 +sysadm_tty_device_t
 +unconfined_tty_device_t
  user_tty_device_t
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.6.27/Makefile
---- nsaserefpolicy/Makefile	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/Makefile	2009-08-14 16:51:06.000000000 -0400
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.6.28/Makefile
+--- nsaserefpolicy/Makefile	2009-08-18 11:41:14.000000000 -0400
++++ serefpolicy-3.6.28/Makefile	2009-08-18 13:23:29.000000000 -0400
 @@ -102,8 +102,6 @@
  comment_move_decl := $(SED) -r -f $(support)/comment_move_decl.sed
  gennetfilter := $(PYTHON) -E $(support)/gennetfilter.py
@@ -247,6 +256,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Mak
  
  ########################################
  #
+@@ -541,7 +537,7 @@
+ #
+ install-headers: $(layerxml) $(tunxml) $(boolxml)
+ 	@mkdir -p $(headerdir)
+-	@echo "Installing $(NAME) policy headers."
++	@echo "Installing $(TYPE) policy headers."
+ 	$(verbose) $(INSTALL) -m 644 $^ $(headerdir)
+ 	$(verbose) $(M4) $(M4PARAM) $(rolemap) > $(headerdir)/$(notdir $(rolemap))
+ 	$(verbose) mkdir -p $(headerdir)/support
 @@ -605,7 +601,7 @@
  # Filesystem labeling
  #
@@ -283,9 +301,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Mak
  	@if test -z "$(filesystems)"; then \
  		echo "No filesystems with extended attributes found!" ;\
  		false ;\
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/rsync_selinux.8 serefpolicy-3.6.27/man/man8/rsync_selinux.8
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/rsync_selinux.8 serefpolicy-3.6.28/man/man8/rsync_selinux.8
 --- nsaserefpolicy/man/man8/rsync_selinux.8	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/man/man8/rsync_selinux.8	2009-08-18 08:30:56.000000000 -0400
++++ serefpolicy-3.6.28/man/man8/rsync_selinux.8	2009-08-18 13:23:29.000000000 -0400
 @@ -21,10 +21,18 @@
  .TP
  chcon -t public_content_t /var/rsync
@@ -315,9 +333,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man
  .SH "SEE ALSO"
 -selinux(8), rsync(1), chcon(1), setsebool(8)
 +selinux(8), rsync(1), chcon(1), setsebool(8), semanage(8)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/samba_selinux.8 serefpolicy-3.6.27/man/man8/samba_selinux.8
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/samba_selinux.8 serefpolicy-3.6.28/man/man8/samba_selinux.8
 --- nsaserefpolicy/man/man8/samba_selinux.8	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/man/man8/samba_selinux.8	2009-08-18 08:31:04.000000000 -0400
++++ serefpolicy-3.6.28/man/man8/samba_selinux.8	2009-08-18 13:23:29.000000000 -0400
 @@ -20,7 +20,7 @@
  .TP
  This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local:
@@ -333,9 +351,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man
  .SH "SEE ALSO"
 -selinux(8), samba(7), chcon(1), setsebool(8)
 +selinux(8), samba(7), chcon(1), setsebool(8), semanage(8)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.6.27/policy/flask/access_vectors
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.6.28/policy/flask/access_vectors
 --- nsaserefpolicy/policy/flask/access_vectors	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/flask/access_vectors	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/flask/access_vectors	2009-08-18 13:23:29.000000000 -0400
 @@ -544,8 +544,6 @@
  	set_property
  	add
@@ -345,9 +363,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  }
  
  class x_server
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.6.27/policy/global_tunables
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.6.28/policy/global_tunables
 --- nsaserefpolicy/policy/global_tunables	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.27/policy/global_tunables	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/global_tunables	2009-08-18 13:23:29.000000000 -0400
 @@ -61,15 +61,6 @@
  
  ## <desc>
@@ -383,9 +401,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +## </desc>
 +gen_tunable(mmap_low_allowed, false)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.27/policy/mcs
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.28/policy/mcs
 --- nsaserefpolicy/policy/mcs	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/mcs	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/mcs	2009-08-18 13:23:29.000000000 -0400
 @@ -66,8 +66,8 @@
  #
  # Note that getattr on files is always permitted.
@@ -419,9 +437,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  mlsconstrain process { transition dyntransition }
  	(( h1 dom h2 ) or ( t1 == mcssetcats ));
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.6.27/policy/modules/admin/anaconda.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.6.28/policy/modules/admin/anaconda.te
 --- nsaserefpolicy/policy/modules/admin/anaconda.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/admin/anaconda.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/admin/anaconda.te	2009-08-18 13:23:29.000000000 -0400
 @@ -31,6 +31,7 @@
  modutils_domtrans_insmod(anaconda_t)
  
@@ -430,9 +448,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.6.27/policy/modules/admin/certwatch.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.6.28/policy/modules/admin/certwatch.te
 --- nsaserefpolicy/policy/modules/admin/certwatch.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/admin/certwatch.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/admin/certwatch.te	2009-08-18 13:23:29.000000000 -0400
 @@ -36,6 +36,7 @@
  miscfiles_read_localization(certwatch_t)
  
@@ -441,17 +459,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  optional_policy(`
  	apache_exec_modules(certwatch_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.fc serefpolicy-3.6.27/policy/modules/admin/dmesg.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.fc serefpolicy-3.6.28/policy/modules/admin/dmesg.fc
 --- nsaserefpolicy/policy/modules/admin/dmesg.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/admin/dmesg.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/admin/dmesg.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -1,2 +1,4 @@
  
  /bin/dmesg		--		gen_context(system_u:object_r:dmesg_exec_t,s0)
 +
 +/usr/sbin/mcelog	--		gen_context(system_u:object_r:dmesg_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.6.27/policy/modules/admin/dmesg.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.6.28/policy/modules/admin/dmesg.te
 --- nsaserefpolicy/policy/modules/admin/dmesg.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/admin/dmesg.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/admin/dmesg.te	2009-08-18 13:23:29.000000000 -0400
 @@ -9,6 +9,7 @@
  type dmesg_t;
  type dmesg_exec_t;
@@ -486,9 +504,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # for when /usr is not mounted:
  files_dontaudit_search_isid_type_dirs(dmesg_t)
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.6.27/policy/modules/admin/kismet.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.6.28/policy/modules/admin/kismet.if
 --- nsaserefpolicy/policy/modules/admin/kismet.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/admin/kismet.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/admin/kismet.if	2009-08-18 13:23:29.000000000 -0400
 @@ -16,6 +16,7 @@
  	')
  
@@ -497,9 +515,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.27/policy/modules/admin/kismet.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.28/policy/modules/admin/kismet.te
 --- nsaserefpolicy/policy/modules/admin/kismet.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/admin/kismet.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/admin/kismet.te	2009-08-18 13:23:29.000000000 -0400
 @@ -17,6 +17,9 @@
  type kismet_tmp_t;
  files_tmp_file(kismet_tmp_t)
@@ -542,9 +560,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +		networkmanager_dbus_chat(kismet_t)
 +	')
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.27/policy/modules/admin/logrotate.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.28/policy/modules/admin/logrotate.te
 --- nsaserefpolicy/policy/modules/admin/logrotate.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/admin/logrotate.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/admin/logrotate.te	2009-08-18 13:23:29.000000000 -0400
 @@ -32,7 +32,7 @@
  # Change ownership on log files.
  allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
@@ -587,18 +605,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	slrnpull_manage_spool(logrotate_t)
  ')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.6.27/policy/modules/admin/logwatch.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.6.28/policy/modules/admin/logwatch.te
 --- nsaserefpolicy/policy/modules/admin/logwatch.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/admin/logwatch.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/admin/logwatch.te	2009-08-18 13:23:29.000000000 -0400
 @@ -136,4 +136,5 @@
  
  optional_policy(`
  	samba_read_log(logwatch_t)
 +	samba_read_share_files(logwatch_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.6.27/policy/modules/admin/mrtg.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.6.28/policy/modules/admin/mrtg.te
 --- nsaserefpolicy/policy/modules/admin/mrtg.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/admin/mrtg.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/admin/mrtg.te	2009-08-18 13:23:29.000000000 -0400
 @@ -116,6 +116,9 @@
  userdom_use_user_terminals(mrtg_t)
  userdom_dontaudit_read_user_home_content_files(mrtg_t)
@@ -620,9 +638,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	seutil_sigchld_newrole(mrtg_t)
  ')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.6.27/policy/modules/admin/prelink.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/portage.te serefpolicy-3.6.28/policy/modules/admin/portage.te
+--- nsaserefpolicy/policy/modules/admin/portage.te	2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/admin/portage.te	2009-08-18 13:23:29.000000000 -0400
+@@ -195,7 +195,7 @@
+ # - for rsync and distfile fetching
+ #
+ 
+-allow portage_fetch_t self:capability { dac_override fowner fsetid };
++allow portage_fetch_t self:capability { dac_override fowner fsetid sys_nice };
+ allow portage_fetch_t self:process signal;
+ allow portage_fetch_t self:unix_stream_socket create_socket_perms;
+ allow portage_fetch_t self:tcp_socket create_stream_socket_perms;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.6.28/policy/modules/admin/prelink.if
 --- nsaserefpolicy/policy/modules/admin/prelink.if	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/admin/prelink.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/admin/prelink.if	2009-08-18 13:23:29.000000000 -0400
 @@ -140,3 +140,22 @@
  	files_search_var_lib($1)
  	manage_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
@@ -646,9 +676,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	files_search_var_lib($1)
 +	relabelfrom_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.27/policy/modules/admin/readahead.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.28/policy/modules/admin/readahead.te
 --- nsaserefpolicy/policy/modules/admin/readahead.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/admin/readahead.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/admin/readahead.te	2009-08-18 13:23:29.000000000 -0400
 @@ -54,7 +54,10 @@
  files_dontaudit_getattr_all_sockets(readahead_t)
  files_list_non_security(readahead_t)
@@ -660,9 +690,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  fs_getattr_all_fs(readahead_t)
  fs_search_auto_mountpoints(readahead_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.27/policy/modules/admin/rpm.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.28/policy/modules/admin/rpm.fc
 --- nsaserefpolicy/policy/modules/admin/rpm.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/admin/rpm.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/admin/rpm.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -4,14 +4,12 @@
  
  /usr/bin/yum 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -704,9 +734,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # SuSE
  ifdef(`distro_suse', `
  /usr/bin/online_update		--	gen_context(system_u:object_r:rpm_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.27/policy/modules/admin/rpm.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.28/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/admin/rpm.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/admin/rpm.if	2009-08-18 13:23:29.000000000 -0400
 @@ -66,6 +66,11 @@
  	rpm_domtrans($1)
  	role $2 types rpm_t;
@@ -930,9 +960,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	allow $1 rpm_t:process signull;
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.27/policy/modules/admin/rpm.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.28/policy/modules/admin/rpm.te
 --- nsaserefpolicy/policy/modules/admin/rpm.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/admin/rpm.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/admin/rpm.te	2009-08-18 13:23:29.000000000 -0400
 @@ -31,11 +31,15 @@
  files_type(rpm_var_lib_t)
  typealias rpm_var_lib_t alias var_lib_rpm_t;
@@ -1159,9 +1189,92 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  	optional_policy(`
  		java_domtrans_unconfined(rpm_script_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.27/policy/modules/admin/sudo.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.fc serefpolicy-3.6.28/policy/modules/admin/smoltclient.fc
+--- nsaserefpolicy/policy/modules/admin/smoltclient.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.28/policy/modules/admin/smoltclient.fc	2009-08-18 13:23:29.000000000 -0400
+@@ -0,0 +1,4 @@
++
++/usr/share/smolt/client/sendProfile.py	--	gen_context(system_u:object_r:smoltclient_exec_t,s0)	
++
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.if serefpolicy-3.6.28/policy/modules/admin/smoltclient.if
+--- nsaserefpolicy/policy/modules/admin/smoltclient.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.28/policy/modules/admin/smoltclient.if	2009-08-18 13:23:29.000000000 -0400
+@@ -0,0 +1 @@
++## <summary>The Fedora hardware profiler client</summary>
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.6.28/policy/modules/admin/smoltclient.te
+--- nsaserefpolicy/policy/modules/admin/smoltclient.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.28/policy/modules/admin/smoltclient.te	2009-08-18 13:23:29.000000000 -0400
+@@ -0,0 +1,66 @@
++policy_module(smoltclient,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type smoltclient_t;
++type smoltclient_exec_t;
++application_domain(smoltclient_t, smoltclient_exec_t)
++cron_system_entry(smoltclient_t, smoltclient_exec_t)
++
++type smoltclient_tmp_t;
++files_tmp_file(smoltclient_tmp_t)
++
++########################################
++#
++# Local policy
++#
++allow smoltclient_t self:process { setsched getsched }; 
++
++allow smoltclient_t self:fifo_file rw_fifo_file_perms;
++allow smoltclient_t self:tcp_socket create_socket_perms;
++allow smoltclient_t self:udp_socket create_socket_perms;
++allow smoltclient_t self:netlink_route_socket r_netlink_socket_perms;
++
++can_exec(smoltclient_t, smoltclient_tmp_t)
++manage_dirs_pattern(smoltclient_t, smoltclient_tmp_t, smoltclient_tmp_t)
++manage_files_pattern(smoltclient_t, smoltclient_tmp_t, smoltclient_tmp_t)
++files_tmp_filetrans(smoltclient_t, smoltclient_tmp_t, { dir file })
++
++kernel_read_system_state(smoltclient_t)
++kernel_read_network_state(smoltclient_t)
++kernel_read_kernel_sysctls(smoltclient_t)
++
++corecmd_exec_shell(smoltclient_t)
++
++corenet_tcp_connect_http_port(smoltclient_t)
++
++dev_read_urand(smoltclient_t)
++dev_read_sysfs(smoltclient_t)
++
++fs_getattr_all_fs(smoltclient_t)
++
++files_getattr_generic_locks(smoltclient_t)
++files_read_etc_files(smoltclient_t)
++files_read_usr_files(smoltclient_t)
++
++miscfiles_read_localization(smoltclient_t)
++
++sysnet_read_config(smoltclient_t)
++
++optional_policy(`
++	dbus_system_bus_client(smoltclient_t)
++')
++
++optional_policy(`
++	hal_dbus_chat(smoltclient_t)
++')
++
++optional_policy(`
++	rpm_exec(smoltclient_t)
++	rpm_read_db(smoltclient_t)
++')
++
++permissive smoltclient_t;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.28/policy/modules/admin/sudo.if
 --- nsaserefpolicy/policy/modules/admin/sudo.if	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/admin/sudo.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/admin/sudo.if	2009-08-18 13:23:29.000000000 -0400
 @@ -66,8 +66,8 @@
  	allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
  	allow $1_sudo_t self:unix_dgram_socket sendto;
@@ -1245,9 +1358,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.6.27/policy/modules/admin/tmpreaper.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.6.28/policy/modules/admin/tmpreaper.te
 --- nsaserefpolicy/policy/modules/admin/tmpreaper.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/admin/tmpreaper.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/admin/tmpreaper.te	2009-08-18 13:23:29.000000000 -0400
 @@ -52,6 +52,10 @@
  ')
  
@@ -1259,9 +1372,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	kismet_manage_log(tmpreaper_t)
  ')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.27/policy/modules/admin/usermanage.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.28/policy/modules/admin/usermanage.te
 --- nsaserefpolicy/policy/modules/admin/usermanage.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/admin/usermanage.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/admin/usermanage.te	2009-08-18 13:23:29.000000000 -0400
 @@ -209,6 +209,7 @@
  files_manage_etc_files(groupadd_t)
  files_relabel_etc_files(groupadd_t)
@@ -1335,9 +1448,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	rpm_use_fds(useradd_t)
  	rpm_rw_pipes(useradd_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.6.27/policy/modules/admin/vbetool.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.6.28/policy/modules/admin/vbetool.te
 --- nsaserefpolicy/policy/modules/admin/vbetool.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/admin/vbetool.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/admin/vbetool.te	2009-08-18 13:23:29.000000000 -0400
 @@ -15,15 +15,20 @@
  # Local policy
  #
@@ -1370,9 +1483,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	xserver_exec_pid(vbetool_t)
 +	xserver_write_pid(vbetool_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.6.27/policy/modules/apps/awstats.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.6.28/policy/modules/apps/awstats.te
 --- nsaserefpolicy/policy/modules/apps/awstats.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/awstats.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/awstats.te	2009-08-18 13:23:29.000000000 -0400
 @@ -51,6 +51,8 @@
  
  libs_read_lib_files(awstats_t)
@@ -1382,9 +1495,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  miscfiles_read_localization(awstats_t)
  
  sysnet_dns_name_resolve(awstats_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/calamaris.te serefpolicy-3.6.27/policy/modules/apps/calamaris.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/calamaris.te serefpolicy-3.6.28/policy/modules/apps/calamaris.te
 --- nsaserefpolicy/policy/modules/apps/calamaris.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/calamaris.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/calamaris.te	2009-08-18 13:23:29.000000000 -0400
 @@ -84,3 +84,7 @@
  optional_policy(`
  	nis_use_ypbind(calamaris_t)
@@ -1393,9 +1506,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
 +	nscd_socket_use(calamaris_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.6.27/policy/modules/apps/cpufreqselector.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.6.28/policy/modules/apps/cpufreqselector.te
 --- nsaserefpolicy/policy/modules/apps/cpufreqselector.te	2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/cpufreqselector.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/cpufreqselector.te	2009-08-18 13:23:29.000000000 -0400
 @@ -8,7 +8,8 @@
  
  type cpufreqselector_t;
@@ -1414,17 +1527,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	policykit_domtrans_auth(cpufreqselector_t)
  	policykit_read_lib(cpufreqselector_t)
  	policykit_read_reload(cpufreqselector_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.fc serefpolicy-3.6.27/policy/modules/apps/gitosis.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.fc serefpolicy-3.6.28/policy/modules/apps/gitosis.fc
 --- nsaserefpolicy/policy/modules/apps/gitosis.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/gitosis.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/gitosis.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,4 @@
 +
 +/usr/bin/gitosis-serve			--        gen_context(system_u:object_r:gitosis_exec_t,s0)
 +
 +/var/lib/gitosis(/.*)?                            gen_context(system_u:object_r:gitosis_var_lib_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.6.27/policy/modules/apps/gitosis.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.6.28/policy/modules/apps/gitosis.if
 --- nsaserefpolicy/policy/modules/apps/gitosis.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/gitosis.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/gitosis.if	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,96 @@
 +## <summary>gitosis interface</summary>
 +
@@ -1522,9 +1635,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +        manage_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
 +	manage_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.te serefpolicy-3.6.27/policy/modules/apps/gitosis.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.te serefpolicy-3.6.28/policy/modules/apps/gitosis.te
 --- nsaserefpolicy/policy/modules/apps/gitosis.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/gitosis.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/gitosis.te	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,36 @@
 +policy_module(gitosis,1.0.0)
 +
@@ -1562,9 +1675,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +files_search_var_lib(gitosis_t)
 +
 +miscfiles_read_localization(gitosis_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.27/policy/modules/apps/gnome.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.28/policy/modules/apps/gnome.fc
 --- nsaserefpolicy/policy/modules/apps/gnome.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/gnome.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/gnome.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -1,8 +1,16 @@
 -HOME_DIR/\.config/gtk-.*	gen_context(system_u:object_r:gnome_home_t,s0)
 +HOME_DIR/\.config(/.*)?		gen_context(system_u:object_r:gnome_home_t,s0)
@@ -1584,9 +1697,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/libexec/gconf-defaults-mechanism	    	--      gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0)
 +
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.27/policy/modules/apps/gnome.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.28/policy/modules/apps/gnome.if
 --- nsaserefpolicy/policy/modules/apps/gnome.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/gnome.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/gnome.if	2009-08-18 13:23:29.000000000 -0400
 @@ -89,5 +89,175 @@
  
  	allow $1 gnome_home_t:dir manage_dir_perms;
@@ -1763,9 +1876,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	# Connect to pulseaudit server
 +	stream_connect_pattern($1, gnome_home_t, gnome_home_t, $2)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.27/policy/modules/apps/gnome.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.28/policy/modules/apps/gnome.te
 --- nsaserefpolicy/policy/modules/apps/gnome.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/gnome.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/gnome.te	2009-08-18 13:23:29.000000000 -0400
 @@ -9,16 +9,18 @@
  attribute gnomedomain;
  
@@ -1887,10 +2000,30 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +permissive gnomesystemmm_t;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.27/policy/modules/apps/gpg.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.6.28/policy/modules/apps/gpg.if
+--- nsaserefpolicy/policy/modules/apps/gpg.if	2009-07-23 14:11:04.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/gpg.if	2009-08-18 13:23:29.000000000 -0400
+@@ -30,7 +30,7 @@
+ 
+ 	# allow ps to show gpg
+ 	ps_process_pattern($2, gpg_t)
+-	allow $2 gpg_t:process { signal sigkill };
++	allow $2 gpg_t:process { signull sigstop signal sigkill };
+ 
+ 	# communicate with the user 
+ 	allow gpg_helper_t $2:fd use;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.28/policy/modules/apps/gpg.te
 --- nsaserefpolicy/policy/modules/apps/gpg.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/gpg.te	2009-08-14 16:51:06.000000000 -0400
-@@ -159,6 +159,19 @@
++++ serefpolicy-3.6.28/policy/modules/apps/gpg.te	2009-08-18 13:23:29.000000000 -0400
+@@ -92,6 +92,7 @@
+ 
+ dev_read_rand(gpg_t)
+ dev_read_urand(gpg_t)
++dev_read_generic_usb_dev(gpg_t)
+ 
+ fs_getattr_xattr_fs(gpg_t)
+ 
+@@ -159,6 +160,19 @@
  	xserver_rw_xdm_pipes(gpg_t)
  ')
  
@@ -1910,16 +2043,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
  #
  # GPG agent local policy
-@@ -250,5 +263,5 @@
+@@ -250,5 +264,5 @@
  ')
  
  optional_policy(`
 -	xserver_stream_connect(gpg_pinentry_t)
 +	xserver_common_app(gpg_pinentry_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.6.27/policy/modules/apps/java.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.6.28/policy/modules/apps/java.fc
 --- nsaserefpolicy/policy/modules/apps/java.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/java.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/java.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -2,15 +2,16 @@
  # /opt
  #
@@ -1954,9 +2087,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +/usr/bin/octave-[^/]*  	--	gen_context(system_u:object_r:java_exec_t,s0)
 +/usr/lib/opera(/.*)?/opera	--	gen_context(system_u:object_r:java_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.27/policy/modules/apps/java.if
---- nsaserefpolicy/policy/modules/apps/java.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/java.if	2009-08-14 16:51:06.000000000 -0400
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.6.28/policy/modules/apps/java.if
+--- nsaserefpolicy/policy/modules/apps/java.if	2009-08-18 11:41:14.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/java.if	2009-08-18 13:23:29.000000000 -0400
 @@ -30,6 +30,7 @@
  
  	allow java_t $2:unix_stream_socket connectto;
@@ -1965,23 +2098,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-@@ -68,3 +69,131 @@
- 	domtrans_pattern($1, java_exec_t, unconfined_java_t)
- 	corecmd_search_bin($1)
- ')
-+
-+########################################
-+## <summary>
+@@ -71,24 +72,128 @@
+ 
+ ########################################
+ ## <summary>
+-##	Execute the java program in the unconfined java domain.
 +##	Execute java in the java domain, and
 +##	allow the specified role the java domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	The type of the process performing this action.
-+##	</summary>
-+## </param>
-+## <param name="role">
-+##	<summary>
+ ##	</summary>
+ ## </param>
+ ## <param name="role">
+ ##	<summary>
+-##	Role allowed access.
 +##	The role to be allowed the java domain.
 +##	</summary>
 +## </param>
@@ -2008,17 +2141,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +## <param name="role">
 +##	<summary>
 +##	The role to be allowed the java domain.
-+##	</summary>
-+## </param>
-+#
-+interface(`java_run_unconfined',`
-+	gen_require(`
-+		type unconfined_java_t;
+ ##	</summary>
+ ## </param>
+ #
+ interface(`java_run_unconfined',`
+ 	gen_require(`
+ 		type unconfined_java_t;
 +		type java_t;
-+	')
-+
-+	java_domtrans_unconfined($1)
-+	role $2 types unconfined_java_t;
+ 	')
+ 
+ 	java_domtrans_unconfined($1)
+ 	role $2 types unconfined_java_t;
 +	role $2 types java_t;
 +	nsplugin_role_notrans($2, unconfined_java_t)
 +')
@@ -2096,10 +2229,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +		xserver_common_app($1_java_t)
 +		xserver_role($1_r, $1_java_t)
 +	')
-+')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.27/policy/modules/apps/java.te
---- nsaserefpolicy/policy/modules/apps/java.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/java.te	2009-08-14 16:51:06.000000000 -0400
+ ')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.28/policy/modules/apps/java.te
+--- nsaserefpolicy/policy/modules/apps/java.te	2009-08-18 11:41:14.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/java.te	2009-08-18 13:23:29.000000000 -0400
 @@ -20,6 +20,8 @@
  typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t };
  typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
@@ -2109,15 +2242,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  type java_tmp_t;
  files_tmp_file(java_tmp_t)
  ubac_constrained(java_tmp_t)
-@@ -40,7 +42,7 @@
- # Local policy
- #
- 
--allow java_t self:process { signal_perms getsched setsched execmem };
-+allow java_t self:process { signal_perms getsched execmem };
- allow java_t self:fifo_file rw_fifo_file_perms;
- allow java_t self:tcp_socket create_socket_perms;
- allow java_t self:udp_socket create_socket_perms;
 @@ -80,6 +82,7 @@
  dev_write_sound(java_t)
  dev_read_urand(java_t)
@@ -2126,22 +2250,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  files_read_etc_files(java_t)
  files_read_usr_files(java_t)
-@@ -116,12 +119,13 @@
- 
- 	allow java_t java_tmp_t:file execute;
- 
--	libs_legacy_use_shared_libs(java_t)
- 	libs_legacy_use_ld_so(java_t)
- 
- 	miscfiles_legacy_read_localization(java_t)
- ')
- 
-+libs_legacy_use_shared_libs(java_t)
-+
- optional_policy(`
- 	nis_use_ypbind(java_t)
- ')
-@@ -131,6 +135,7 @@
+@@ -131,6 +134,7 @@
  ')
  
  optional_policy(`
@@ -2149,7 +2258,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	xserver_user_x_domain_template(java, java_t, java_tmpfs_t)
  ')
  
-@@ -147,4 +152,12 @@
+@@ -147,4 +151,12 @@
  
  	unconfined_domain_noaudit(unconfined_java_t)
  	unconfined_dbus_chat(unconfined_java_t)
@@ -2162,21 +2271,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	')
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.6.27/policy/modules/apps/kdumpgui.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.6.28/policy/modules/apps/kdumpgui.fc
 --- nsaserefpolicy/policy/modules/apps/kdumpgui.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/kdumpgui.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/kdumpgui.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,2 @@
 +
 +/usr/share/system-config-kdump/system-config-kdump-backend.py -- gen_context(system_u:object_r:kdumpgui_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.if serefpolicy-3.6.27/policy/modules/apps/kdumpgui.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.if serefpolicy-3.6.28/policy/modules/apps/kdumpgui.if
 --- nsaserefpolicy/policy/modules/apps/kdumpgui.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/kdumpgui.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/kdumpgui.if	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,2 @@
 +## <summary>system-config-kdump policy</summary>
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.6.27/policy/modules/apps/kdumpgui.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.6.28/policy/modules/apps/kdumpgui.te
 --- nsaserefpolicy/policy/modules/apps/kdumpgui.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/kdumpgui.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/kdumpgui.te	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,64 @@
 +policy_module(kdumpgui,1.0.0)
 +
@@ -2242,15 +2351,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +permissive kdumpgui_t;
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.6.27/policy/modules/apps/livecd.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.6.28/policy/modules/apps/livecd.fc
 --- nsaserefpolicy/policy/modules/apps/livecd.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/livecd.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/livecd.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,2 @@
 +
 +/usr/bin/livecd-creator	--	gen_context(system_u:object_r:livecd_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.6.27/policy/modules/apps/livecd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.6.28/policy/modules/apps/livecd.if
 --- nsaserefpolicy/policy/modules/apps/livecd.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/livecd.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/livecd.if	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,50 @@
 +
 +## <summary>policy for livecd</summary>
@@ -2302,9 +2411,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	seutil_run_setfiles_mac(livecd_t, $2)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.6.27/policy/modules/apps/livecd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.6.28/policy/modules/apps/livecd.te
 --- nsaserefpolicy/policy/modules/apps/livecd.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/livecd.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/livecd.te	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,26 @@
 +policy_module(livecd, 1.0.0)
 +
@@ -2332,9 +2441,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +seutil_domtrans_setfiles_mac(livecd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.27/policy/modules/apps/mono.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.28/policy/modules/apps/mono.if
 --- nsaserefpolicy/policy/modules/apps/mono.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/mono.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/mono.if	2009-08-18 13:23:29.000000000 -0400
 @@ -21,6 +21,105 @@
  
  ########################################
@@ -2450,9 +2559,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  
  	corecmd_search_bin($1)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.6.27/policy/modules/apps/mono.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.6.28/policy/modules/apps/mono.te
 --- nsaserefpolicy/policy/modules/apps/mono.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/mono.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/mono.te	2009-08-18 13:23:29.000000000 -0400
 @@ -15,7 +15,7 @@
  # Local policy
  #
@@ -2476,9 +2585,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
 +	xserver_rw_shm(mono_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.6.27/policy/modules/apps/mozilla.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.6.28/policy/modules/apps/mozilla.fc
 --- nsaserefpolicy/policy/modules/apps/mozilla.fc	2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/mozilla.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/mozilla.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -1,6 +1,7 @@
  HOME_DIR/\.galeon(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
  HOME_DIR/\.java(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -2487,9 +2596,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  HOME_DIR/\.netscape(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
  HOME_DIR/\.phoenix(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.27/policy/modules/apps/mozilla.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.28/policy/modules/apps/mozilla.if
 --- nsaserefpolicy/policy/modules/apps/mozilla.if	2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/mozilla.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/mozilla.if	2009-08-18 13:23:29.000000000 -0400
 @@ -45,6 +45,18 @@
  	relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
  	relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
@@ -2517,9 +2626,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	userdom_search_user_home_dirs($1)
  ')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.27/policy/modules/apps/mozilla.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.28/policy/modules/apps/mozilla.te
 --- nsaserefpolicy/policy/modules/apps/mozilla.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/mozilla.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/mozilla.te	2009-08-18 13:23:29.000000000 -0400
 @@ -59,6 +59,7 @@
  manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
  manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
@@ -2594,9 +2703,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
  	thunderbird_domtrans(mozilla_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.6.27/policy/modules/apps/nsplugin.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.6.28/policy/modules/apps/nsplugin.fc
 --- nsaserefpolicy/policy/modules/apps/nsplugin.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/nsplugin.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/nsplugin.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,12 @@
 +HOME_DIR/\.adobe(/.*)?			gen_context(system_u:object_r:nsplugin_home_t,s0)
 +HOME_DIR/\.macromedia(/.*)?		gen_context(system_u:object_r:nsplugin_home_t,s0)
@@ -2610,9 +2719,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/lib(64)?/nspluginwrapper/npviewer.bin	--	gen_context(system_u:object_r:nsplugin_exec_t,s0)
 +/usr/lib(64)?/nspluginwrapper/plugin-config	--	gen_context(system_u:object_r:nsplugin_config_exec_t,s0)
 +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)?			gen_context(system_u:object_r:nsplugin_rw_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.27/policy/modules/apps/nsplugin.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.28/policy/modules/apps/nsplugin.if
 --- nsaserefpolicy/policy/modules/apps/nsplugin.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/nsplugin.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/nsplugin.if	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,313 @@
 +
 +## <summary>policy for nsplugin</summary>
@@ -2927,9 +3036,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	allow $1 nsplugin_home_t:fifo_file rw_fifo_file_perms; 
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.27/policy/modules/apps/nsplugin.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.28/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/nsplugin.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/nsplugin.te	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,286 @@
 +
 +policy_module(nsplugin, 1.0.0)
@@ -3217,16 +3326,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.6.27/policy/modules/apps/openoffice.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.6.28/policy/modules/apps/openoffice.fc
 --- nsaserefpolicy/policy/modules/apps/openoffice.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/openoffice.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/openoffice.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,3 @@
 +/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
 +/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.6.27/policy/modules/apps/openoffice.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.6.28/policy/modules/apps/openoffice.if
 --- nsaserefpolicy/policy/modules/apps/openoffice.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/openoffice.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/openoffice.if	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,93 @@
 +## <summary>Openoffice</summary>
 +
@@ -3321,9 +3430,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +		xserver_common_x_domain_template($1, $1_openoffice_t)
 +	')
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.6.27/policy/modules/apps/openoffice.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.6.28/policy/modules/apps/openoffice.te
 --- nsaserefpolicy/policy/modules/apps/openoffice.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/openoffice.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/openoffice.te	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,14 @@
 +
 +policy_module(openoffice, 1.0.0)
@@ -3339,15 +3448,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.fc serefpolicy-3.6.27/policy/modules/apps/ptchown.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.fc serefpolicy-3.6.28/policy/modules/apps/ptchown.fc
 --- nsaserefpolicy/policy/modules/apps/ptchown.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/ptchown.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/ptchown.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,2 @@
 +
 +/usr/libexec/pt_chown	--	gen_context(system_u:object_r:ptchown_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.if serefpolicy-3.6.27/policy/modules/apps/ptchown.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.if serefpolicy-3.6.28/policy/modules/apps/ptchown.if
 --- nsaserefpolicy/policy/modules/apps/ptchown.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/ptchown.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/ptchown.if	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,22 @@
 +
 +## <summary>helper function for grantpt(3), changes ownship and permissions of pseudotty</summary>
@@ -3371,9 +3480,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	domtrans_pattern($1,ptchown_exec_t,ptchown_t)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.te serefpolicy-3.6.27/policy/modules/apps/ptchown.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.te serefpolicy-3.6.28/policy/modules/apps/ptchown.te
 --- nsaserefpolicy/policy/modules/apps/ptchown.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/ptchown.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/ptchown.te	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,38 @@
 +policy_module(ptchown,1.0.0)
 +
@@ -3413,9 +3522,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +term_setattr_all_user_ptys(ptchown_t)
 +
 +miscfiles_read_localization(ptchown_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.27/policy/modules/apps/pulseaudio.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.28/policy/modules/apps/pulseaudio.te
 --- nsaserefpolicy/policy/modules/apps/pulseaudio.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/pulseaudio.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/pulseaudio.te	2009-08-18 13:23:29.000000000 -0400
 @@ -22,6 +22,7 @@
  allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms };
  allow pulseaudio_t self:tcp_socket create_stream_socket_perms;
@@ -3450,17 +3559,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	xserver_common_app(pulseaudio_t)
  ')
 -
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.27/policy/modules/apps/qemu.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.28/policy/modules/apps/qemu.fc
 --- nsaserefpolicy/policy/modules/apps/qemu.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/qemu.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/qemu.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -1,2 +1,2 @@
 -/usr/bin/qemu	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 -/usr/bin/qemu-kvm --	gen_context(system_u:object_r:qemu_exec_t,s0)
 +/usr/bin/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
 +/usr/libexec/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.6.27/policy/modules/apps/qemu.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.6.28/policy/modules/apps/qemu.if
 --- nsaserefpolicy/policy/modules/apps/qemu.if	2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/qemu.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/qemu.if	2009-08-18 13:23:29.000000000 -0400
 @@ -40,6 +40,93 @@
  
  	qemu_domtrans($1)
@@ -3767,9 +3876,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.27/policy/modules/apps/qemu.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.28/policy/modules/apps/qemu.te
 --- nsaserefpolicy/policy/modules/apps/qemu.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/qemu.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/qemu.te	2009-08-18 13:23:29.000000000 -0400
 @@ -13,15 +13,46 @@
  ## </desc>
  gen_tunable(qemu_full_network, false)
@@ -3877,20 +3986,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	role unconfined_r types qemu_unconfined_t;
  	allow qemu_unconfined_t self:process { execstack execmem };
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.6.27/policy/modules/apps/sambagui.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.6.28/policy/modules/apps/sambagui.fc
 --- nsaserefpolicy/policy/modules/apps/sambagui.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/sambagui.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/sambagui.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1 @@
 +/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.6.27/policy/modules/apps/sambagui.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.6.28/policy/modules/apps/sambagui.if
 --- nsaserefpolicy/policy/modules/apps/sambagui.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/sambagui.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/sambagui.if	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,2 @@
 +## <summary>system-config-samba policy</summary>
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.6.27/policy/modules/apps/sambagui.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.6.28/policy/modules/apps/sambagui.te
 --- nsaserefpolicy/policy/modules/apps/sambagui.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/sambagui.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/sambagui.te	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,55 @@
 +policy_module(sambagui,1.0.0)
 +
@@ -3947,14 +4056,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
 +	policykit_dbus_chat(sambagui_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.6.27/policy/modules/apps/sandbox.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.6.28/policy/modules/apps/sandbox.fc
 --- nsaserefpolicy/policy/modules/apps/sandbox.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/sandbox.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/sandbox.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1 @@
 +# No types are sandbox_exec_t
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.27/policy/modules/apps/sandbox.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.28/policy/modules/apps/sandbox.if
 --- nsaserefpolicy/policy/modules/apps/sandbox.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/sandbox.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/sandbox.if	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,143 @@
 +
 +## <summary>policy for sandbox</summary>
@@ -4099,9 +4208,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.27/policy/modules/apps/sandbox.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.28/policy/modules/apps/sandbox.te
 --- nsaserefpolicy/policy/modules/apps/sandbox.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/apps/sandbox.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/sandbox.te	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,274 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
@@ -4377,9 +4486,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
 +	hal_dbus_chat(sandbox_net_client_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.27/policy/modules/apps/screen.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.28/policy/modules/apps/screen.if
 --- nsaserefpolicy/policy/modules/apps/screen.if	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/screen.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/screen.if	2009-08-18 13:23:29.000000000 -0400
 @@ -61,6 +61,8 @@
  	manage_fifo_files_pattern($1_screen_t, screen_dir_t, screen_var_run_t)
  	manage_dirs_pattern($1_screen_t, screen_dir_t, screen_dir_t)
@@ -4422,9 +4531,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +         manage_lnk_files_pattern($1,screen_var_run_t,screen_var_run_t)
 +         manage_fifo_files_pattern($1,screen_var_run_t,screen_var_run_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.6.27/policy/modules/apps/vmware.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.6.28/policy/modules/apps/vmware.fc
 --- nsaserefpolicy/policy/modules/apps/vmware.fc	2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/vmware.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/vmware.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -18,6 +18,7 @@
  /usr/bin/vmnet-natd		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
  /usr/bin/vmnet-netifup		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
@@ -4433,9 +4542,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /usr/bin/vmware-nmbd		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
  /usr/bin/vmware-ping		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
  /usr/bin/vmware-smbd		--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.27/policy/modules/apps/vmware.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.28/policy/modules/apps/vmware.te
 --- nsaserefpolicy/policy/modules/apps/vmware.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/vmware.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/vmware.te	2009-08-18 13:23:29.000000000 -0400
 @@ -157,6 +157,7 @@
  optional_policy(`
  	xserver_read_tmp_files(vmware_host_t)
@@ -4444,9 +4553,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ifdef(`TODO',`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-3.6.27/policy/modules/apps/webalizer.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-3.6.28/policy/modules/apps/webalizer.te
 --- nsaserefpolicy/policy/modules/apps/webalizer.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/webalizer.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/webalizer.te	2009-08-18 13:23:29.000000000 -0400
 @@ -69,7 +69,6 @@
  fs_search_auto_mountpoints(webalizer_t)
  fs_getattr_xattr_fs(webalizer_t)
@@ -4455,9 +4564,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  files_read_etc_files(webalizer_t)
  files_read_etc_runtime_files(webalizer_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.6.27/policy/modules/apps/wine.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.6.28/policy/modules/apps/wine.fc
 --- nsaserefpolicy/policy/modules/apps/wine.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/wine.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/wine.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -1,4 +1,21 @@
 -/usr/bin/wine			--	gen_context(system_u:object_r:wine_exec_t,s0)
 +/usr/bin/wine.*			--	gen_context(system_u:object_r:wine_exec_t,s0)
@@ -4483,9 +4592,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
 -/opt/cxoffice/bin/wine		--	gen_context(system_u:object_r:wine_exec_t,s0)
 -/opt/picasa/wine/bin/wine	--	gen_context(system_u:object_r:wine_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.6.27/policy/modules/apps/wine.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.6.28/policy/modules/apps/wine.if
 --- nsaserefpolicy/policy/modules/apps/wine.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/wine.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/wine.if	2009-08-18 13:23:29.000000000 -0400
 @@ -43,3 +43,63 @@
  	wine_domtrans($1)
  	role $2 types wine_t;
@@ -4550,9 +4659,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	relabel_lnk_files_pattern($2, wine_home_t, wine_home_t)
 +
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.27/policy/modules/apps/wine.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.28/policy/modules/apps/wine.te
 --- nsaserefpolicy/policy/modules/apps/wine.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/apps/wine.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/apps/wine.te	2009-08-18 13:23:29.000000000 -0400
 @@ -9,20 +9,35 @@
  type wine_t;
  type wine_exec_t;
@@ -4593,9 +4702,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +        xserver_common_app(wine_t)
 +	xserver_rw_shm(wine_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.27/policy/modules/kernel/corecommands.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.28/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2009-07-30 13:09:10.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/corecommands.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/corecommands.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -125,6 +125,7 @@
  /sbin/.*				gen_context(system_u:object_r:bin_t,s0)
  /sbin/mkfs\.cramfs		--	gen_context(system_u:object_r:bin_t,s0)
@@ -4636,9 +4745,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/lib(64)?/rpm/rpmv		-- 	gen_context(system_u:object_r:bin_t,s0)
 +
 +/usr/lib(64)?/gimp/.*/plug-ins(/.*)?  gen_context(system_u:object_r:bin_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.27/policy/modules/kernel/corecommands.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.28/policy/modules/kernel/corecommands.if
 --- nsaserefpolicy/policy/modules/kernel/corecommands.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/corecommands.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/corecommands.if	2009-08-18 13:23:29.000000000 -0400
 @@ -893,6 +893,7 @@
  
  	read_lnk_files_pattern($1, bin_t, bin_t)
@@ -4647,9 +4756,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.27/policy/modules/kernel/corenetwork.te.in
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.28/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/corenetwork.te.in	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/corenetwork.te.in	2009-08-18 13:23:29.000000000 -0400
 @@ -65,6 +65,7 @@
  type server_packet_t, packet_type, server_packet_type;
  
@@ -4757,9 +4866,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # network_node examples:
  #network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255)
  #network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.27/policy/modules/kernel/devices.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.28/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/devices.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/devices.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -47,8 +47,10 @@
  /dev/kmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
  /dev/kmsg		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
@@ -4788,9 +4897,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /dev/usb/dc2xx.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
  /dev/usb/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
  /dev/usb/mdc800.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.27/policy/modules/kernel/devices.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.28/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/devices.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/devices.if	2009-08-18 13:23:29.000000000 -0400
 @@ -1655,6 +1655,78 @@
  
  ########################################
@@ -4983,9 +5092,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Read and write Xen devices.
  ## </summary>
  ## <param name="domain">
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.27/policy/modules/kernel/devices.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.28/policy/modules/kernel/devices.te
 --- nsaserefpolicy/policy/modules/kernel/devices.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/devices.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/devices.te	2009-08-18 13:23:29.000000000 -0400
 @@ -84,6 +84,13 @@
  dev_node(kmsg_device_t)
  
@@ -5026,9 +5135,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  type xen_device_t;
  dev_node(xen_device_t)
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.27/policy/modules/kernel/domain.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.28/policy/modules/kernel/domain.if
 --- nsaserefpolicy/policy/modules/kernel/domain.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/domain.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/domain.if	2009-08-18 13:23:29.000000000 -0400
 @@ -44,34 +44,6 @@
  interface(`domain_type',`
  	# start with basic domain
@@ -5209,9 +5318,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	allow $1 unconfined_domain_type:process signal;
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.27/policy/modules/kernel/domain.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.28/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/domain.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/domain.te	2009-08-18 13:39:39.000000000 -0400
 @@ -1,10 +1,17 @@
  
 -policy_module(domain, 1.7.0)
@@ -5287,7 +5396,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # Act upon any other process.
  allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
  
-@@ -153,3 +174,67 @@
+@@ -153,3 +174,69 @@
  
  # receive from all domains over labeled networking
  domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -5302,6 +5411,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +init_signull(domain)
 +
 +ifdef(`distro_redhat',`
++	files_search_mnt(domain)
++	files_search_default(domain)
 +	optional_policy(`
 +		unconfined_use_fds(domain)
 +	')
@@ -5355,9 +5466,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	userdom_relabelto_user_home_dirs(polydomain)
 +	userdom_relabelto_user_home_files(polydomain)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.6.27/policy/modules/kernel/files.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.6.28/policy/modules/kernel/files.fc
 --- nsaserefpolicy/policy/modules/kernel/files.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/files.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/files.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -18,6 +18,7 @@
  /fsckoptions 		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /halt			--	gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -5375,9 +5486,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /var/lib(/.*)?			gen_context(system_u:object_r:var_lib_t,s0)
  
  /var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.27/policy/modules/kernel/files.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.28/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/files.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/files.if	2009-08-18 13:38:01.000000000 -0400
 @@ -110,6 +110,11 @@
  ## </param>
  #
@@ -5750,9 +5861,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	')
 +	allow $1 file_type:file entrypoint;
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.27/policy/modules/kernel/files.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.6.28/policy/modules/kernel/files.te
 --- nsaserefpolicy/policy/modules/kernel/files.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/files.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/files.te	2009-08-18 13:23:29.000000000 -0400
 @@ -42,6 +42,7 @@
  #
  type boot_t;
@@ -5780,15 +5891,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  ########################################
  #
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.fc serefpolicy-3.6.27/policy/modules/kernel/filesystem.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.fc serefpolicy-3.6.28/policy/modules/kernel/filesystem.fc
 --- nsaserefpolicy/policy/modules/kernel/filesystem.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/filesystem.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/filesystem.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -1 +1 @@
 -# This module currently does not have any file contexts.
 +/dev/shm		-d	gen_context(system_u:object_r:tmpfs_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.27/policy/modules/kernel/filesystem.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.28/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/filesystem.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/filesystem.if	2009-08-18 18:27:42.000000000 -0400
 @@ -1537,6 +1537,24 @@
  
  ########################################
@@ -5839,7 +5950,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Read and write NFS server files.
  ## </summary>
  ## <param name="domain">
-@@ -3971,3 +4007,23 @@
+@@ -3971,3 +4007,122 @@
  	relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
  	relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
  ')
@@ -5863,9 +5974,108 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	dontaudit $1 cifs_t:dir list_dir_perms;
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.6.27/policy/modules/kernel/filesystem.te
++
++########################################
++## <summary>
++##	Mount a XENFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_mount_xenfs',`
++	gen_require(`
++		type xenfs_t;
++	')
++
++	allow $1 xenfs_t:filesystem mount;
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete directories
++##	on a XENFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`fs_manage_xenfs_dirs',`
++	gen_require(`
++		type xenfs_t;
++	')
++
++	allow $1 xenfs_t:dir manage_dir_perms;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to create, read,
++##	write, and delete directories
++##	on a XENFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`fs_dontaudit_manage_xenfs_dirs',`
++	gen_require(`
++		type xenfs_t;
++	')
++
++	dontaudit $1 xenfs_t:dir manage_dir_perms;
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete files
++##	on a XENFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`fs_manage_xenfs_files',`
++	gen_require(`
++		type xenfs_t;
++	')
++
++	manage_files_pattern($1, xenfs_t, xenfs_t)
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to create,
++##	read, write, and delete files
++##	on a XENFS filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`fs_dontaudit_manage_xenfs_files',`
++	gen_require(`
++		type xenfs_t;
++	')
++
++	dontaudit $1 xenfs_t:file manage_file_perms;
++')
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.6.28/policy/modules/kernel/filesystem.te
 --- nsaserefpolicy/policy/modules/kernel/filesystem.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/filesystem.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/filesystem.te	2009-08-18 18:24:23.000000000 -0400
 @@ -93,7 +93,7 @@
  type hugetlbfs_t;
  fs_type(hugetlbfs_t)
@@ -5875,9 +6085,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  type ibmasmfs_t;
  fs_type(ibmasmfs_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.27/policy/modules/kernel/kernel.if
+@@ -250,9 +250,13 @@
+ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+ genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
+ genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
+-genfscon xenfs / gen_context(system_u:object_r:nfs_t,s0)
+ genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
+ 
++type xenfs_t;
++fs_noxattr_type(xenfs_t)
++files_mountpoint(xenfs_t)
++genfscon xenfs / gen_context(system_u:object_r:xenfs_t,s0)
++
+ ########################################
+ #
+ # Rules for all filesystem types
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.28/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/kernel.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/kernel.if	2009-08-18 13:23:29.000000000 -0400
 @@ -1807,7 +1807,7 @@
  	')
  
@@ -5935,9 +6160,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	allow $1 kernel_t:unix_stream_socket connectto;
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.27/policy/modules/kernel/kernel.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.28/policy/modules/kernel/kernel.te
 --- nsaserefpolicy/policy/modules/kernel/kernel.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/kernel.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/kernel.te	2009-08-18 13:23:29.000000000 -0400
 @@ -63,6 +63,15 @@
  genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
  
@@ -6019,9 +6244,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
 +
 +files_boot(kernel_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.6.27/policy/modules/kernel/selinux.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.6.28/policy/modules/kernel/selinux.if
 --- nsaserefpolicy/policy/modules/kernel/selinux.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/selinux.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/selinux.if	2009-08-18 13:23:29.000000000 -0400
 @@ -40,7 +40,7 @@
  
  	# because of this statement, any module which
@@ -6079,9 +6304,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	fs_type($1)
 +	mls_trusted_object($1)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.6.27/policy/modules/kernel/terminal.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-3.6.28/policy/modules/kernel/terminal.fc
 --- nsaserefpolicy/policy/modules/kernel/terminal.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/terminal.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/terminal.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -13,6 +13,7 @@
  /dev/ip2[^/]*		-c	gen_context(system_u:object_r:tty_device_t,s0)
  /dev/isdn.*		-c	gen_context(system_u:object_r:tty_device_t,s0)
@@ -6090,9 +6315,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /dev/rfcomm[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
  /dev/slamr[0-9]+	-c	gen_context(system_u:object_r:tty_device_t,s0)
  /dev/tty		-c	gen_context(system_u:object_r:devtty_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.27/policy/modules/kernel/terminal.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.28/policy/modules/kernel/terminal.if
 --- nsaserefpolicy/policy/modules/kernel/terminal.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/terminal.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/terminal.if	2009-08-18 13:23:29.000000000 -0400
 @@ -173,7 +173,7 @@
  
  	dev_list_all_dev_nodes($1)
@@ -6164,9 +6389,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
  ## <summary>
  ##	Read and write the controlling
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.te serefpolicy-3.6.27/policy/modules/kernel/terminal.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.te serefpolicy-3.6.28/policy/modules/kernel/terminal.te
 --- nsaserefpolicy/policy/modules/kernel/terminal.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/kernel/terminal.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/kernel/terminal.te	2009-08-18 13:23:29.000000000 -0400
 @@ -44,6 +44,7 @@
  type ptmx_t;
  dev_node(ptmx_t)
@@ -6175,9 +6400,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  #
  # tty_device_t is the type of /dev/*tty*
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.6.27/policy/modules/roles/guest.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.6.28/policy/modules/roles/guest.te
 --- nsaserefpolicy/policy/modules/roles/guest.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/roles/guest.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/roles/guest.te	2009-08-18 13:23:29.000000000 -0400
 @@ -16,7 +16,11 @@
  #
  
@@ -6192,9 +6417,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +gen_user(guest_u, user, guest_r, s0, s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.27/policy/modules/roles/staff.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.28/policy/modules/roles/staff.te
 --- nsaserefpolicy/policy/modules/roles/staff.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/roles/staff.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/roles/staff.te	2009-08-18 13:23:29.000000000 -0400
 @@ -15,156 +15,109 @@
  # Local policy
  #
@@ -6390,9 +6615,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -	xserver_role(staff_r, staff_t)
 +	virt_stream_connect(staff_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.27/policy/modules/roles/sysadm.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.6.28/policy/modules/roles/sysadm.te
 --- nsaserefpolicy/policy/modules/roles/sysadm.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/roles/sysadm.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/roles/sysadm.te	2009-08-18 13:23:29.000000000 -0400
 @@ -15,7 +15,7 @@
  
  role sysadm_r;
@@ -6696,9 +6921,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +init_script_role_transition(sysadm_r)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.27/policy/modules/roles/unconfineduser.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.28/policy/modules/roles/unconfineduser.fc
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/roles/unconfineduser.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/roles/unconfineduser.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,37 @@
 +# Add programs here which should not be confined by SELinux
 +# e.g.:
@@ -6737,9 +6962,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +/opt/real/(.*/)?realplay\.bin --	gen_context(system_u:object_r:execmem_exec_t,s0)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.6.27/policy/modules/roles/unconfineduser.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.6.28/policy/modules/roles/unconfineduser.if
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/roles/unconfineduser.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/roles/unconfineduser.if	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,638 @@
 +## <summary>Unconfiend user role</summary>
 +
@@ -7379,9 +7604,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	allow $1 unconfined_r;
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.27/policy/modules/roles/unconfineduser.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.28/policy/modules/roles/unconfineduser.te
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/roles/unconfineduser.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/roles/unconfineduser.te	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,395 @@
 +policy_module(unconfineduser, 1.0.0)
 +
@@ -7778,9 +8003,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +#
 +
 +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.27/policy/modules/roles/unprivuser.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.6.28/policy/modules/roles/unprivuser.te
 --- nsaserefpolicy/policy/modules/roles/unprivuser.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/roles/unprivuser.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/roles/unprivuser.te	2009-08-18 13:23:29.000000000 -0400
 @@ -14,142 +14,21 @@
  userdom_unpriv_user_template(user)
  
@@ -7929,9 +8154,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -	xserver_role(user_r, user_t)
 +	setroubleshoot_dontaudit_stream_connect(user_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.27/policy/modules/roles/xguest.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.28/policy/modules/roles/xguest.te
 --- nsaserefpolicy/policy/modules/roles/xguest.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/roles/xguest.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/roles/xguest.te	2009-08-18 13:23:29.000000000 -0400
 @@ -36,11 +36,17 @@
  # Local policy
  #
@@ -7978,9 +8203,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
 -#gen_user(xguest_u,, xguest_r, s0, s0)
 +gen_user(xguest_u, user, xguest_r, s0, s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.6.27/policy/modules/services/amavis.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.6.28/policy/modules/services/amavis.te
 --- nsaserefpolicy/policy/modules/services/amavis.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/amavis.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/amavis.te	2009-08-18 13:23:29.000000000 -0400
 @@ -103,6 +103,8 @@
  kernel_dontaudit_read_proc_symlinks(amavis_t)
  kernel_dontaudit_read_system_state(amavis_t)
@@ -7990,9 +8215,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # find perl
  corecmd_exec_bin(amavis_t)
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.27/policy/modules/services/apache.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.28/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/apache.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/apache.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -1,12 +1,13 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
 +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -8086,9 +8311,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/www/svn(/.*)?			gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
 +/var/www/svn/hooks(/.*)?		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 +/var/www/svn/conf(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.27/policy/modules/services/apache.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.28/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2009-07-28 15:51:13.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/apache.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/apache.if	2009-08-18 13:23:29.000000000 -0400
 @@ -13,21 +13,16 @@
  #
  template(`apache_content_template',`
@@ -8588,9 +8813,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	')
 +	typeattribute $1  httpd_rw_content;
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.27/policy/modules/services/apache.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.28/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/apache.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/apache.te	2009-08-18 13:23:29.000000000 -0400
 @@ -19,6 +19,8 @@
  # Declarations
  #
@@ -9344,9 +9569,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +typealias httpd_sys_script_t      alias httpd_fastcgi_script_t;
 +typealias httpd_var_run_t         alias httpd_fastcgi_var_run_t;
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.6.27/policy/modules/services/apm.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.6.28/policy/modules/services/apm.te
 --- nsaserefpolicy/policy/modules/services/apm.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/apm.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/apm.te	2009-08-18 13:23:29.000000000 -0400
 @@ -60,7 +60,7 @@
  # mknod: controlling an orderly resume of PCMCIA requires creating device
  # nodes 254,{0,1,2} for some reason.
@@ -9356,9 +9581,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow apmd_t self:process { signal_perms getsession };
  allow apmd_t self:fifo_file rw_fifo_file_perms;
  allow apmd_t self:unix_dgram_socket create_socket_perms;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.27/policy/modules/services/automount.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.6.28/policy/modules/services/automount.te
 --- nsaserefpolicy/policy/modules/services/automount.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/automount.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/automount.te	2009-08-18 13:23:29.000000000 -0400
 @@ -129,6 +129,7 @@
  fs_unmount_autofs(automount_t)
  fs_mount_autofs(automount_t)
@@ -9367,9 +9592,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  storage_rw_fuse(automount_t)
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.27/policy/modules/services/bind.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.28/policy/modules/services/bind.if
 --- nsaserefpolicy/policy/modules/services/bind.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/bind.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/bind.if	2009-08-18 13:23:29.000000000 -0400
 @@ -287,6 +287,25 @@
  
  ########################################
@@ -9396,9 +9621,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	All of the rules required to administrate 
  ##	an bind environment
  ## </summary>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.27/policy/modules/services/bluetooth.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.28/policy/modules/services/bluetooth.te
 --- nsaserefpolicy/policy/modules/services/bluetooth.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/bluetooth.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/bluetooth.te	2009-08-18 13:23:29.000000000 -0400
 @@ -64,6 +64,7 @@
  allow bluetooth_t self:unix_stream_socket { connectto create_stream_socket_perms };
  allow bluetooth_t self:tcp_socket create_stream_socket_perms;
@@ -9426,9 +9651,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  		pulseaudio_dbus_chat(bluetooth_t)
  	')
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.6.27/policy/modules/services/certmaster.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.6.28/policy/modules/services/certmaster.te
 --- nsaserefpolicy/policy/modules/services/certmaster.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/certmaster.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/certmaster.te	2009-08-18 13:23:29.000000000 -0400
 @@ -30,7 +30,7 @@
  # certmaster local policy 
  #
@@ -9438,9 +9663,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow certmaster_t self:tcp_socket create_stream_socket_perms;
  
  # config files
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.6.27/policy/modules/services/clamav.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.6.28/policy/modules/services/clamav.te
 --- nsaserefpolicy/policy/modules/services/clamav.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/clamav.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/clamav.te	2009-08-18 13:23:29.000000000 -0400
 @@ -117,9 +117,9 @@
  
  logging_send_syslog_msg(clamd_t)
@@ -9475,9 +9700,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
  	apache_read_sys_content(clamscan_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.6.27/policy/modules/services/consolekit.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.6.28/policy/modules/services/consolekit.if
 --- nsaserefpolicy/policy/modules/services/consolekit.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/consolekit.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/consolekit.if	2009-08-18 13:23:29.000000000 -0400
 @@ -57,3 +57,42 @@
  	read_files_pattern($1, consolekit_log_t, consolekit_log_t)
  	files_search_pids($1)
@@ -9521,9 +9746,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.27/policy/modules/services/consolekit.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.28/policy/modules/services/consolekit.te
 --- nsaserefpolicy/policy/modules/services/consolekit.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/consolekit.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/consolekit.te	2009-08-18 13:23:29.000000000 -0400
 @@ -62,12 +62,15 @@
  
  init_telinit(consolekit_t)
@@ -9582,9 +9807,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	unconfined_stream_connect(consolekit_t)
  ')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.6.27/policy/modules/services/courier.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.if serefpolicy-3.6.28/policy/modules/services/courier.if
 --- nsaserefpolicy/policy/modules/services/courier.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/courier.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/courier.if	2009-08-18 13:23:29.000000000 -0400
 @@ -179,6 +179,24 @@
  
  ########################################
@@ -9610,9 +9835,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Read and write to courier spool pipes.
  ## </summary>
  ## <param name="domain">
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.6.27/policy/modules/services/courier.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-3.6.28/policy/modules/services/courier.te
 --- nsaserefpolicy/policy/modules/services/courier.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/courier.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/courier.te	2009-08-18 13:23:29.000000000 -0400
 @@ -10,6 +10,7 @@
  
  type courier_etc_t;
@@ -9621,9 +9846,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  courier_domain_template(pcp)
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.27/policy/modules/services/cron.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.6.28/policy/modules/services/cron.fc
 --- nsaserefpolicy/policy/modules/services/cron.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/cron.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/cron.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -1,3 +1,4 @@
 +/etc/rc\.d/init\.d/atd		--	gen_context(system_u:object_r:crond_initrc_exec_t,s0)
  
@@ -9655,9 +9880,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/lib/glpi/files(/.*)?		gen_context(system_u:object_r:cron_var_lib_t,s0)
 +
 +/var/log/mcelog.*		--	gen_context(system_u:object_r:cron_log_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.27/policy/modules/services/cron.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.28/policy/modules/services/cron.if
 --- nsaserefpolicy/policy/modules/services/cron.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/cron.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/cron.if	2009-08-18 13:23:29.000000000 -0400
 @@ -12,6 +12,10 @@
  ## </param>
  #
@@ -9959,9 +10184,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	init_labeled_script_domtrans($1, crond_initrc_exec_t)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.27/policy/modules/services/cron.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.28/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/cron.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/cron.te	2009-08-18 13:23:29.000000000 -0400
 @@ -38,6 +38,10 @@
  type cron_var_lib_t;
  files_type(cron_var_lib_t)
@@ -10167,8 +10392,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
  allow system_cronjob_t self:passwd rootok;
  
-@@ -284,7 +339,14 @@
- allow system_cronjob_t cron_var_lib_t:file manage_file_perms;
+@@ -281,10 +336,17 @@
+ 
+ # This is to handle /var/lib/misc directory.  Used currently
+ # by prelink var/lib files for cron 
+-allow system_cronjob_t cron_var_lib_t:file manage_file_perms;
++allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabelfrom relabelto };
  files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
  
 +allow system_cronjob_t cron_var_run_t:file manage_file_perms;
@@ -10177,7 +10406,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow system_cronjob_t system_cron_spool_t:file read_file_perms;
 +
 +# anacron forces the following
-+allow system_cronjob_t system_cron_spool_t:file { write setattr };
++manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)
 +
  # The entrypoint interface is not used as this is not
  # a regular entrypoint.  Since crontab files are
@@ -10331,9 +10560,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -
  	unconfined_domain(unconfined_cronjob_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.27/policy/modules/services/cups.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.28/policy/modules/services/cups.fc
 --- nsaserefpolicy/policy/modules/services/cups.fc	2009-07-28 15:51:13.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/cups.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/cups.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -13,10 +13,14 @@
  /etc/cups/certs/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /etc/rc\.d/init\.d/cups	--	gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
@@ -10349,7 +10578,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /opt/gutenprint/ppds(/.*)? 	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  
  /usr/bin/cups-config-daemon --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-@@ -52,6 +56,8 @@
+@@ -30,6 +34,7 @@
+ /usr/lib/cups/backend/hp.* --	gen_context(system_u:object_r:hplip_exec_t,s0)
+ /usr/lib64/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+ 
++/usr/libexec/cups-pk-helper-mechanism	--	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+ /usr/libexec/hal_lpadmin --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+ 
+ /usr/sbin/hp-[^/]+	--	gen_context(system_u:object_r:hplip_exec_t,s0)
+@@ -52,6 +57,8 @@
  /var/lib/cups/certs	-d	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /var/lib/cups/certs/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  
@@ -10358,7 +10595,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /var/log/cups(/.*)?		gen_context(system_u:object_r:cupsd_log_t,s0)
  /var/log/turboprint.*		gen_context(system_u:object_r:cupsd_log_t,s0)
  
-@@ -61,4 +67,10 @@
+@@ -61,4 +68,10 @@
  /var/run/hp.*\.port	--	gen_context(system_u:object_r:hplip_var_run_t,s0)
  /var/run/ptal-printd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
  /var/run/ptal-mlcd(/.*)?	gen_context(system_u:object_r:ptal_var_run_t,s0)
@@ -10369,9 +10606,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/local/Printer/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 +
 +/usr/local/linuxprinter/ppd(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.27/policy/modules/services/cups.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.28/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/cups.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/cups.te	2009-08-18 13:23:29.000000000 -0400
 @@ -23,6 +23,9 @@
  type cupsd_initrc_exec_t;
  init_script_file(cupsd_initrc_exec_t)
@@ -10417,7 +10654,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  seutil_read_config(cupsd_t)
  sysnet_exec_ifconfig(cupsd_t)
-@@ -419,6 +429,10 @@
+@@ -327,7 +337,7 @@
+ 
+ allow cupsd_config_t self:capability { chown dac_override sys_tty_config };
+ dontaudit cupsd_config_t self:capability sys_tty_config;
+-allow cupsd_config_t self:process signal_perms;
++allow cupsd_config_t self:process { getsched signal_perms };
+ allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
+ allow cupsd_config_t self:unix_stream_socket create_socket_perms;
+ allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
+@@ -419,12 +429,15 @@
  ')
  
  optional_policy(`
@@ -10428,7 +10674,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
  ')
  
-@@ -542,6 +556,8 @@
+ optional_policy(`
+-	dbus_system_bus_client(cupsd_config_t)
+-	dbus_connect_system_bus(cupsd_config_t)
++	dbus_system_domain(cupsd_config_t, cupsd_config_exec_t)
+ 
+ 	optional_policy(`
+ 		hal_dbus_chat(cupsd_config_t)
+@@ -542,6 +555,8 @@
  manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
  files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir })
  
@@ -10437,7 +10690,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  kernel_read_system_state(cups_pdf_t)
  
  files_read_etc_files(cups_pdf_t)
-@@ -601,6 +617,9 @@
+@@ -601,6 +616,9 @@
  read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
  files_search_etc(hplip_t)
  
@@ -10447,18 +10700,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
  files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.27/policy/modules/services/cvs.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.28/policy/modules/services/cvs.te
 --- nsaserefpolicy/policy/modules/services/cvs.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/cvs.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/cvs.te	2009-08-18 13:23:29.000000000 -0400
 @@ -112,4 +112,5 @@
  	read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
  	manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
  	manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
 +	files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.27/policy/modules/services/dbus.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.6.28/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/dbus.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/dbus.if	2009-08-18 13:23:29.000000000 -0400
 @@ -42,8 +42,10 @@
  	gen_require(`
  		class dbus { send_msg acquire_svc };
@@ -10550,9 +10803,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	for service (acquire_svc).
  ## </summary>
  ## <param name="domain">
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.27/policy/modules/services/dbus.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.6.28/policy/modules/services/dbus.te
 --- nsaserefpolicy/policy/modules/services/dbus.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/dbus.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/dbus.te	2009-08-18 13:23:29.000000000 -0400
 @@ -86,6 +86,7 @@
  dev_read_sysfs(system_dbusd_t)
  
@@ -10605,9 +10858,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
 +allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
 +allow session_bus_type dbusd_unconfined:dbus send_msg;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.27/policy/modules/services/dcc.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.6.28/policy/modules/services/dcc.te
 --- nsaserefpolicy/policy/modules/services/dcc.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/dcc.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/dcc.te	2009-08-18 13:23:29.000000000 -0400
 @@ -130,11 +130,13 @@
  
  # Access files in /var/dcc. The map file can be updated
@@ -10634,9 +10887,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	spamassassin_read_spamd_tmp_files(dcc_client_t)
  ')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.if serefpolicy-3.6.27/policy/modules/services/ddclient.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ddclient.if serefpolicy-3.6.28/policy/modules/services/ddclient.if
 --- nsaserefpolicy/policy/modules/services/ddclient.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/ddclient.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/ddclient.if	2009-08-18 13:23:29.000000000 -0400
 @@ -21,6 +21,31 @@
  
  ########################################
@@ -10669,18 +10922,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	All of the rules required to administrate 
  ##	an ddclient environment
  ## </summary>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.27/policy/modules/services/devicekit.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.6.28/policy/modules/services/devicekit.fc
 --- nsaserefpolicy/policy/modules/services/devicekit.fc	2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/devicekit.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/devicekit.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -5,4 +5,4 @@
  /var/lib/DeviceKit-.*			gen_context(system_u:object_r:devicekit_var_lib_t,s0)
  
  /var/run/devkit(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
 -/var/run/DeviceKit-disk(/.*)?		gen_context(system_u:object_r:devicekit_var_run_t,s0)
 +/var/run/DeviceKit-disks(/.*)?		gen_context(system_u:object_r:devicekit_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.27/policy/modules/services/devicekit.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.28/policy/modules/services/devicekit.if
 --- nsaserefpolicy/policy/modules/services/devicekit.if	2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/devicekit.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/devicekit.if	2009-08-18 13:23:29.000000000 -0400
 @@ -139,6 +139,26 @@
  
  ########################################
@@ -10717,9 +10970,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  
  	allow $1 devicekit_t:process { ptrace signal_perms getattr };
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.27/policy/modules/services/devicekit.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.28/policy/modules/services/devicekit.te
 --- nsaserefpolicy/policy/modules/services/devicekit.te	2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/devicekit.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/devicekit.te	2009-08-18 13:23:29.000000000 -0400
 @@ -36,12 +36,15 @@
  manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
  manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
@@ -10893,9 +11146,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
  	vbetool_domtrans(devicekit_power_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.27/policy/modules/services/dnsmasq.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.6.28/policy/modules/services/dnsmasq.te
 --- nsaserefpolicy/policy/modules/services/dnsmasq.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/dnsmasq.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/dnsmasq.te	2009-08-18 13:23:29.000000000 -0400
 @@ -83,6 +83,14 @@
  userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
  
@@ -10911,9 +11164,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	seutil_sigchld_newrole(dnsmasq_t)
  ')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.27/policy/modules/services/dovecot.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.28/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/dovecot.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/dovecot.te	2009-08-18 13:23:29.000000000 -0400
 @@ -103,6 +103,7 @@
  dev_read_urand(dovecot_t)
  
@@ -10938,9 +11191,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
  #
  # dovecot deliver local policy
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.27/policy/modules/services/exim.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.28/policy/modules/services/exim.te
 --- nsaserefpolicy/policy/modules/services/exim.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/exim.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/exim.te	2009-08-18 13:23:29.000000000 -0400
 @@ -191,6 +191,10 @@
  ')
  
@@ -10952,9 +11205,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	spamassassin_exec(exim_t)
  	spamassassin_exec_client(exim_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.6.27/policy/modules/services/fetchmail.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.6.28/policy/modules/services/fetchmail.te
 --- nsaserefpolicy/policy/modules/services/fetchmail.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/fetchmail.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/fetchmail.te	2009-08-18 13:23:29.000000000 -0400
 @@ -47,6 +47,8 @@
  kernel_read_proc_symlinks(fetchmail_t)
  kernel_dontaudit_read_system_state(fetchmail_t)
@@ -10964,9 +11217,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  corenet_all_recvfrom_unlabeled(fetchmail_t)
  corenet_all_recvfrom_netlabel(fetchmail_t)
  corenet_tcp_sendrecv_generic_if(fetchmail_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.27/policy/modules/services/fprintd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.28/policy/modules/services/fprintd.te
 --- nsaserefpolicy/policy/modules/services/fprintd.te	2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/fprintd.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/fprintd.te	2009-08-18 13:23:29.000000000 -0400
 @@ -37,6 +37,8 @@
  files_read_etc_files(fprintd_t)
  files_read_usr_files(fprintd_t)
@@ -10984,9 +11237,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	policykit_domtrans_auth(fprintd_t)
  ')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.27/policy/modules/services/ftp.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.28/policy/modules/services/ftp.te
 --- nsaserefpolicy/policy/modules/services/ftp.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/ftp.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/ftp.te	2009-08-18 13:23:29.000000000 -0400
 @@ -41,6 +41,13 @@
  
  ## <desc>
@@ -11088,16 +11341,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	seutil_sigchld_newrole(ftpd_t)
  ')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.fc serefpolicy-3.6.27/policy/modules/services/gnomeclock.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.fc serefpolicy-3.6.28/policy/modules/services/gnomeclock.fc
 --- nsaserefpolicy/policy/modules/services/gnomeclock.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/services/gnomeclock.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/gnomeclock.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,3 @@
 +
 +/usr/libexec/gnome-clock-applet-mechanism	--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.6.27/policy/modules/services/gnomeclock.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.6.28/policy/modules/services/gnomeclock.if
 --- nsaserefpolicy/policy/modules/services/gnomeclock.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/services/gnomeclock.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/gnomeclock.if	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,69 @@
 +
 +## <summary>policy for gnomeclock</summary>
@@ -11168,9 +11421,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	allow $1 gnomeclock_t:dbus send_msg;
 +	allow gnomeclock_t $1:dbus send_msg;
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.6.27/policy/modules/services/gnomeclock.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.6.28/policy/modules/services/gnomeclock.te
 --- nsaserefpolicy/policy/modules/services/gnomeclock.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/services/gnomeclock.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/gnomeclock.te	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,50 @@
 +policy_module(gnomeclock, 1.0.0)
 +########################################
@@ -11222,9 +11475,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	policykit_read_reload(gnomeclock_t)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.fc serefpolicy-3.6.27/policy/modules/services/gpsd.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.fc serefpolicy-3.6.28/policy/modules/services/gpsd.fc
 --- nsaserefpolicy/policy/modules/services/gpsd.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/gpsd.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/gpsd.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -1 +1,6 @@
 +/etc/rc\.d/init\.d/gpsd         --      gen_context(system_u:object_r:gpsd_initrc_exec_t,s0)
 +
@@ -11232,9 +11485,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +/var/run/gpsd\.pid               --      gen_context(system_u:object_r:gpsd_var_run_t,s0)
 +/var/run/gpsd\.sock              -s      gen_context(system_u:object_r:gpsd_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.if serefpolicy-3.6.27/policy/modules/services/gpsd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.if serefpolicy-3.6.28/policy/modules/services/gpsd.if
 --- nsaserefpolicy/policy/modules/services/gpsd.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/gpsd.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/gpsd.if	2009-08-18 13:23:29.000000000 -0400
 @@ -33,11 +33,6 @@
  ##	The role to be allowed the gpsd domain.
  ##	</summary>
@@ -11280,9 +11533,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +        rw_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
 +        read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.6.27/policy/modules/services/gpsd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.6.28/policy/modules/services/gpsd.te
 --- nsaserefpolicy/policy/modules/services/gpsd.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/gpsd.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/gpsd.te	2009-08-18 13:23:29.000000000 -0400
 @@ -11,9 +11,15 @@
  application_domain(gpsd_t, gpsd_exec_t)
  init_daemon_domain(gpsd_t, gpsd_exec_t)
@@ -11317,9 +11570,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -	ntpd_rw_shm(gpsd_t)
 +	ntp_rw_shm(gpsd_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.6.27/policy/modules/services/hal.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.6.28/policy/modules/services/hal.fc
 --- nsaserefpolicy/policy/modules/services/hal.fc	2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/hal.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/hal.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -26,6 +26,7 @@
  /var/run/pm(/.*)?				gen_context(system_u:object_r:hald_var_run_t,s0)
  /var/run/pm-utils(/.*)?				gen_context(system_u:object_r:hald_var_run_t,s0)
@@ -11328,9 +11581,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  ifdef(`distro_gentoo',`
  /var/lib/cache/hald(/.*)?			gen_context(system_u:object_r:hald_cache_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.27/policy/modules/services/hal.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.28/policy/modules/services/hal.if
 --- nsaserefpolicy/policy/modules/services/hal.if	2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/hal.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/hal.if	2009-08-18 13:23:29.000000000 -0400
 @@ -413,3 +413,21 @@
  	files_search_pids($1)
  	manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
@@ -11353,9 +11606,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	dontaudit $1 hald_t:unix_dgram_socket { read write };
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.27/policy/modules/services/hal.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.28/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/hal.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/hal.te	2009-08-18 13:23:29.000000000 -0400
 @@ -55,6 +55,9 @@
  type hald_var_lib_t;
  files_type(hald_var_lib_t)
@@ -11499,17 +11752,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
 +	dbus_system_bus_client(hald_dccm_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddtemp.fc serefpolicy-3.6.27/policy/modules/services/hddtemp.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddtemp.fc serefpolicy-3.6.28/policy/modules/services/hddtemp.fc
 --- nsaserefpolicy/policy/modules/services/hddtemp.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/services/hddtemp.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/hddtemp.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,4 @@
 +
 +/etc/rc\.d/init\.d/hddtemp      --      gen_context(system_u:object_r:hddtemp_initrc_exec_t,s0)
 +
 +/usr/sbin/hddtemp             	--      gen_context(system_u:object_r:hddtemp_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddtemp.if serefpolicy-3.6.27/policy/modules/services/hddtemp.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddtemp.if serefpolicy-3.6.28/policy/modules/services/hddtemp.if
 --- nsaserefpolicy/policy/modules/services/hddtemp.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/services/hddtemp.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/hddtemp.if	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,38 @@
 +## <summary>hddtemp hard disk temperature tool running as a daemon</summary>
 +
@@ -11549,9 +11802,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +        can_exec($1, hddtemp_exec_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddtemp.te serefpolicy-3.6.27/policy/modules/services/hddtemp.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hddtemp.te serefpolicy-3.6.28/policy/modules/services/hddtemp.te
 --- nsaserefpolicy/policy/modules/services/hddtemp.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/services/hddtemp.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/hddtemp.te	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,40 @@
 +policy_module(hddtemp,1.0.0)
 +
@@ -11593,9 +11846,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +permissive hddtemp_t;
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.27/policy/modules/services/kerberos.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.28/policy/modules/services/kerberos.te
 --- nsaserefpolicy/policy/modules/services/kerberos.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/kerberos.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/kerberos.te	2009-08-18 13:23:29.000000000 -0400
 @@ -277,6 +277,8 @@
  #
  
@@ -11635,9 +11888,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  sysnet_dns_name_resolve(kpropd_t)
  
  kerberos_use(kpropd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.6.27/policy/modules/services/ktalk.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.te serefpolicy-3.6.28/policy/modules/services/ktalk.te
 --- nsaserefpolicy/policy/modules/services/ktalk.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/ktalk.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/ktalk.te	2009-08-18 13:23:29.000000000 -0400
 @@ -69,6 +69,7 @@
  files_read_etc_files(ktalkd_t)
  
@@ -11646,9 +11899,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  auth_use_nsswitch(ktalkd_t)
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.27/policy/modules/services/lircd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.28/policy/modules/services/lircd.te
 --- nsaserefpolicy/policy/modules/services/lircd.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/lircd.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/lircd.te	2009-08-18 13:23:29.000000000 -0400
 @@ -42,7 +42,18 @@
  # /dev/lircd socket
  manage_sock_files_pattern(lircd_t, lircd_sock_t, lircd_sock_t)
@@ -11668,9 +11921,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
  miscfiles_read_localization(lircd_t)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.27/policy/modules/services/mailman.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.6.28/policy/modules/services/mailman.te
 --- nsaserefpolicy/policy/modules/services/mailman.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/mailman.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/mailman.te	2009-08-18 13:23:29.000000000 -0400
 @@ -78,6 +78,10 @@
  mta_dontaudit_rw_queue(mailman_mail_t)
  
@@ -11682,9 +11935,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	cron_read_pipes(mailman_mail_t)
  ')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.6.27/policy/modules/services/memcached.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.6.28/policy/modules/services/memcached.te
 --- nsaserefpolicy/policy/modules/services/memcached.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/memcached.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/memcached.te	2009-08-18 13:23:29.000000000 -0400
 @@ -44,6 +44,8 @@
  
  files_read_etc_files(memcached_t)
@@ -11694,15 +11947,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  miscfiles_read_localization(memcached_t)
  
  sysnet_dns_name_resolve(memcached_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.fc serefpolicy-3.6.27/policy/modules/services/modemmanager.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.fc serefpolicy-3.6.28/policy/modules/services/modemmanager.fc
 --- nsaserefpolicy/policy/modules/services/modemmanager.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/services/modemmanager.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/modemmanager.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,2 @@
 +
 +/usr/sbin/modem-manager	--	gen_context(system_u:object_r:ModemManager_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.if serefpolicy-3.6.27/policy/modules/services/modemmanager.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.if serefpolicy-3.6.28/policy/modules/services/modemmanager.if
 --- nsaserefpolicy/policy/modules/services/modemmanager.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/services/modemmanager.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/modemmanager.if	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,43 @@
 +
 +## <summary>policy for ModemManager</summary>
@@ -11747,9 +12000,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	allow $1 ModemManager_t:dbus send_msg;
 +	allow ModemManager_t $1:dbus send_msg;
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.6.27/policy/modules/services/modemmanager.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.6.28/policy/modules/services/modemmanager.te
 --- nsaserefpolicy/policy/modules/services/modemmanager.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/services/modemmanager.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/modemmanager.te	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,46 @@
 +policy_module(ModemManager,1.0.0)
 +
@@ -11797,18 +12050,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +permissive ModemManager_t;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.27/policy/modules/services/mta.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.28/policy/modules/services/mta.fc
 --- nsaserefpolicy/policy/modules/services/mta.fc	2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/mta.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/mta.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -26,3 +26,5 @@
  /var/spool/imap(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
  /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
  /var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
 +HOME_DIR/\.forward	--	gen_context(system_u:object_r:mail_forward_t,s0)
 +/root/\.forward		--	gen_context(system_u:object_r:mail_forward_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.27/policy/modules/services/mta.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.28/policy/modules/services/mta.if
 --- nsaserefpolicy/policy/modules/services/mta.if	2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/mta.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/mta.if	2009-08-18 13:23:29.000000000 -0400
 @@ -311,6 +311,7 @@
  	allow $1 mail_spool_t:dir list_dir_perms;
  	create_files_pattern($1, mail_spool_t, mail_spool_t)
@@ -11842,9 +12095,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
  ')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.27/policy/modules/services/mta.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.28/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/mta.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/mta.te	2009-08-18 13:23:29.000000000 -0400
 @@ -27,6 +27,9 @@
  type mail_spool_t;
  files_mountpoint(mail_spool_t)
@@ -11958,9 +12211,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
  #
  # User send mail local policy
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.6.27/policy/modules/services/munin.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.6.28/policy/modules/services/munin.fc
 --- nsaserefpolicy/policy/modules/services/munin.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/munin.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/munin.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -9,3 +9,6 @@
  /var/lib/munin(/.*)?			gen_context(system_u:object_r:munin_var_lib_t,s0)
  /var/log/munin.*			gen_context(system_u:object_r:munin_log_t,s0)
@@ -11968,9 +12221,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/www/html/munin(/.*)?		gen_context(system_u:object_r:httpd_munin_content_t,s0)
 +/var/www/html/munin/cgi(/.*)?		gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.27/policy/modules/services/munin.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.6.28/policy/modules/services/munin.te
 --- nsaserefpolicy/policy/modules/services/munin.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/munin.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/munin.te	2009-08-18 13:23:29.000000000 -0400
 @@ -33,7 +33,7 @@
  # Local policy
  #
@@ -11988,9 +12241,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.27/policy/modules/services/mysql.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.28/policy/modules/services/mysql.te
 --- nsaserefpolicy/policy/modules/services/mysql.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/mysql.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/mysql.te	2009-08-18 13:23:29.000000000 -0400
 @@ -136,7 +136,12 @@
  
  domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
@@ -12013,9 +12266,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  mysql_read_config(mysqld_safe_t)
  mysql_search_pid_files(mysqld_safe_t)
  mysql_write_log(mysqld_safe_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.27/policy/modules/services/nagios.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.28/policy/modules/services/nagios.fc
 --- nsaserefpolicy/policy/modules/services/nagios.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/nagios.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/nagios.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -1,16 +1,21 @@
  /etc/nagios(/.*)?			gen_context(system_u:object_r:nagios_etc_t,s0)
  /etc/nagios/nrpe\.cfg		--	gen_context(system_u:object_r:nrpe_etc_t,s0)
@@ -12041,9 +12294,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
 +/usr/lib(64)?/cgi-bin/nagios(/.+)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
 +/usr/lib(64)?/nagios/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.27/policy/modules/services/nagios.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.6.28/policy/modules/services/nagios.if
 --- nsaserefpolicy/policy/modules/services/nagios.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/nagios.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/nagios.if	2009-08-18 13:23:29.000000000 -0400
 @@ -64,7 +64,7 @@
  
  ########################################
@@ -12143,9 +12396,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	admin_pattern($1, nrpe_etc_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.27/policy/modules/services/nagios.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.28/policy/modules/services/nagios.te
 --- nsaserefpolicy/policy/modules/services/nagios.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/nagios.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/nagios.te	2009-08-18 13:23:29.000000000 -0400
 @@ -10,13 +10,12 @@
  type nagios_exec_t;
  init_daemon_domain(nagios_t, nagios_exec_t)
@@ -12241,9 +12494,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  ########################################
  #
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.27/policy/modules/services/networkmanager.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.6.28/policy/modules/services/networkmanager.fc
 --- nsaserefpolicy/policy/modules/services/networkmanager.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/networkmanager.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/networkmanager.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -1,12 +1,25 @@
 +/etc/rc\.d/init\.d/wicd		--	gen_context(system_u:object_r:NetworkManager_initrc_exec_t, s0)
 +/etc/NetworkManager/dispatcher\.d(/.*)	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
@@ -12270,9 +12523,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 +/var/run/nm-dhclient.*			gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.27/policy/modules/services/networkmanager.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.28/policy/modules/services/networkmanager.if
 --- nsaserefpolicy/policy/modules/services/networkmanager.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/networkmanager.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/networkmanager.if	2009-08-18 13:23:29.000000000 -0400
 @@ -118,6 +118,24 @@
  
  ########################################
@@ -12329,9 +12582,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	role $2 types NetworkManager_t;
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.27/policy/modules/services/networkmanager.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.6.28/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/networkmanager.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/networkmanager.te	2009-08-18 13:23:29.000000000 -0400
 @@ -19,6 +19,9 @@
  type NetworkManager_tmp_t;
  files_tmp_file(NetworkManager_tmp_t)
@@ -12569,9 +12822,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.6.27/policy/modules/services/nis.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.6.28/policy/modules/services/nis.fc
 --- nsaserefpolicy/policy/modules/services/nis.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/nis.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/nis.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -1,4 +1,7 @@
 -
 +/etc/rc\.d/init\.d/ypbind	--	gen_context(system_u:object_r:ypbind_initrc_exec_t,s0)
@@ -12581,9 +12834,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /etc/ypserv\.conf	--	gen_context(system_u:object_r:ypserv_conf_t,s0)
  
  /sbin/ypbind		--	gen_context(system_u:object_r:ypbind_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.6.27/policy/modules/services/nis.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.6.28/policy/modules/services/nis.if
 --- nsaserefpolicy/policy/modules/services/nis.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/nis.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/nis.if	2009-08-18 13:23:29.000000000 -0400
 @@ -28,7 +28,7 @@
  		type var_yp_t;
  	')
@@ -12725,9 +12978,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	role $2 types ypbind_t;
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.27/policy/modules/services/nis.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.6.28/policy/modules/services/nis.te
 --- nsaserefpolicy/policy/modules/services/nis.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/nis.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/nis.te	2009-08-18 13:23:29.000000000 -0400
 @@ -13,6 +13,9 @@
  type ypbind_exec_t;
  init_daemon_domain(ypbind_t, ypbind_exec_t)
@@ -12777,9 +13030,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  corenet_tcp_bind_all_rpc_ports(ypxfr_t)
  corenet_udp_bind_all_rpc_ports(ypxfr_t)
  corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.6.27/policy/modules/services/nscd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.6.28/policy/modules/services/nscd.if
 --- nsaserefpolicy/policy/modules/services/nscd.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/nscd.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/nscd.if	2009-08-18 13:23:29.000000000 -0400
 @@ -236,6 +236,24 @@
  
  ########################################
@@ -12805,9 +13058,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	All of the rules required to administrate 
  ##	an nscd environment
  ## </summary>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.6.27/policy/modules/services/nscd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.6.28/policy/modules/services/nscd.te
 --- nsaserefpolicy/policy/modules/services/nscd.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/nscd.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/nscd.te	2009-08-18 13:23:29.000000000 -0400
 @@ -65,6 +65,7 @@
  
  fs_getattr_all_fs(nscd_t)
@@ -12837,17 +13090,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	samba_read_config(nscd_t)
 +	samba_read_var_files(nscd_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.fc serefpolicy-3.6.27/policy/modules/services/nslcd.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.fc serefpolicy-3.6.28/policy/modules/services/nslcd.fc
 --- nsaserefpolicy/policy/modules/services/nslcd.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/services/nslcd.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/nslcd.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,4 @@
 +/usr/sbin/nslcd	--	gen_context(system_u:object_r:nslcd_exec_t,s0)
 +/etc/nss-ldapd.conf	--	gen_context(system_u:object_r:nslcd_conf_t,s0)
 +/etc/rc\.d/init\.d/nslcd	--	gen_context(system_u:object_r:nslcd_initrc_exec_t,s0)
 +/var/run/nslcd(/.*)?			gen_context(system_u:object_r:nslcd_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.if serefpolicy-3.6.27/policy/modules/services/nslcd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.if serefpolicy-3.6.28/policy/modules/services/nslcd.if
 --- nsaserefpolicy/policy/modules/services/nslcd.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/services/nslcd.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/nslcd.if	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,142 @@
 +
 +## <summary>policy for nslcd</summary>
@@ -12991,9 +13244,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	nslcd_manage_var_run($1)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.te serefpolicy-3.6.27/policy/modules/services/nslcd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nslcd.te serefpolicy-3.6.28/policy/modules/services/nslcd.te
 --- nsaserefpolicy/policy/modules/services/nslcd.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/services/nslcd.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/nslcd.te	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,48 @@
 +policy_module(nslcd,1.0.0)
 +
@@ -13043,9 +13296,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +auth_use_nsswitch(nslcd_t)
 +
 +logging_send_syslog_msg(nslcd_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.6.27/policy/modules/services/ntp.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.6.28/policy/modules/services/ntp.if
 --- nsaserefpolicy/policy/modules/services/ntp.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/ntp.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/ntp.if	2009-08-18 13:23:29.000000000 -0400
 @@ -37,6 +37,32 @@
  
  ########################################
@@ -13113,9 +13366,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	All of the rules required to administrate 
  ##	an ntp environment
  ## </summary>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.6.27/policy/modules/services/ntp.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.6.28/policy/modules/services/ntp.te
 --- nsaserefpolicy/policy/modules/services/ntp.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/ntp.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/ntp.te	2009-08-18 13:23:29.000000000 -0400
 @@ -41,10 +41,11 @@
  
  # sys_resource and setrlimit is for locking memory
@@ -13154,9 +13407,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.6.27/policy/modules/services/nx.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.6.28/policy/modules/services/nx.te
 --- nsaserefpolicy/policy/modules/services/nx.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/nx.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/nx.te	2009-08-18 13:23:29.000000000 -0400
 @@ -25,6 +25,9 @@
  type nx_server_var_run_t;
  files_pid_file(nx_server_var_run_t)
@@ -13177,9 +13430,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  kernel_read_system_state(nx_server_t)
  kernel_read_kernel_sysctls(nx_server_t)
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.6.27/policy/modules/services/oddjob.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.6.28/policy/modules/services/oddjob.if
 --- nsaserefpolicy/policy/modules/services/oddjob.if	2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/oddjob.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/oddjob.if	2009-08-18 13:23:29.000000000 -0400
 @@ -44,6 +44,7 @@
  	')
  
@@ -13188,9 +13441,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.27/policy/modules/services/openvpn.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.28/policy/modules/services/openvpn.te
 --- nsaserefpolicy/policy/modules/services/openvpn.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/openvpn.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/openvpn.te	2009-08-18 13:23:29.000000000 -0400
 @@ -86,6 +86,7 @@
  corenet_udp_bind_openvpn_port(openvpn_t)
  corenet_tcp_connect_openvpn_port(openvpn_t)
@@ -13216,9 +13469,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  optional_policy(`
  	daemontools_service_domain(openvpn_t, openvpn_exec_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.27/policy/modules/services/pcscd.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.28/policy/modules/services/pcscd.te
 --- nsaserefpolicy/policy/modules/services/pcscd.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/pcscd.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/pcscd.te	2009-08-18 13:23:29.000000000 -0400
 @@ -29,6 +29,7 @@
  
  manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
@@ -13236,9 +13489,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  term_use_unallocated_ttys(pcscd_t)
  term_dontaudit_getattr_pty_dirs(pcscd_t)
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.6.27/policy/modules/services/pegasus.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.6.28/policy/modules/services/pegasus.te
 --- nsaserefpolicy/policy/modules/services/pegasus.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/pegasus.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/pegasus.te	2009-08-18 13:23:29.000000000 -0400
 @@ -30,7 +30,7 @@
  # Local policy
  #
@@ -13310,10 +13563,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	xen_stream_connect(pegasus_t)
 +	xen_stream_connect_xenstore(pegasus_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.6.27/policy/modules/services/policykit.fc
---- nsaserefpolicy/policy/modules/services/policykit.fc	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/policykit.fc	2009-08-14 16:51:06.000000000 -0400
-@@ -1,10 +1,13 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.6.28/policy/modules/services/policykit.fc
+--- nsaserefpolicy/policy/modules/services/policykit.fc	2009-08-18 11:41:14.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/policykit.fc	2009-08-18 13:23:29.000000000 -0400
+@@ -1,15 +1,13 @@
+-/usr/lib/policykit/polkit-read-auth-helper --	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
+-/usr/lib/policykit/polkit-grant-helper.*   --	gen_context(system_u:object_r:policykit_grant_exec_t,s0)
+-/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
+-/usr/lib/policykit/polkitd		--	gen_context(system_u:object_r:policykit_exec_t,s0)
+-
  /usr/libexec/polkit-read-auth-helper	--	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
  /usr/libexec/polkit-grant-helper.*	--	gen_context(system_u:object_r:policykit_grant_exec_t,s0)
  /usr/libexec/polkit-resolve-exe-helper.* --	gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
@@ -13328,9 +13586,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /var/lib/PolicyKit-public(/.*)?			gen_context(system_u:object_r:policykit_var_lib_t,s0)
  /var/run/PolicyKit(/.*)?			gen_context(system_u:object_r:policykit_var_run_t,s0)
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.6.27/policy/modules/services/policykit.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.6.28/policy/modules/services/policykit.if
 --- nsaserefpolicy/policy/modules/services/policykit.if	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/policykit.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/policykit.if	2009-08-18 13:23:29.000000000 -0400
 @@ -17,6 +17,8 @@
  		class dbus send_msg;
  	')
@@ -13405,9 +13663,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	allow $1 policykit_auth_t:process signal;
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.27/policy/modules/services/policykit.te
---- nsaserefpolicy/policy/modules/services/policykit.te	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/policykit.te	2009-08-14 16:51:06.000000000 -0400
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.28/policy/modules/services/policykit.te
+--- nsaserefpolicy/policy/modules/services/policykit.te	2009-08-18 11:41:14.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/policykit.te	2009-08-18 13:23:29.000000000 -0400
 @@ -38,9 +38,10 @@
  
  allow policykit_t self:capability { setgid setuid };
@@ -13467,7 +13725,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
  
-@@ -95,7 +111,10 @@
+@@ -92,12 +108,13 @@
+ manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
+ files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
+ 
+-kernel_read_system_state(policykit_auth_t)
+-
  files_read_etc_files(policykit_auth_t)
  files_read_usr_files(policykit_auth_t)
  
@@ -13478,15 +13741,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  logging_send_syslog_msg(policykit_auth_t)
  
-@@ -104,6 +123,7 @@
+@@ -106,7 +123,7 @@
  userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
  
  optional_policy(`
+-	dbus_system_bus_client(policykit_auth_t)
 +	dbus_system_domain( policykit_auth_t, policykit_auth_exec_t)
  	dbus_session_bus_client(policykit_auth_t)
  
  	optional_policy(`
-@@ -116,6 +136,14 @@
+@@ -119,6 +136,14 @@
  	hal_read_state(policykit_auth_t)
  ')
  
@@ -13501,7 +13765,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ########################################
  #
  # polkit_grant local policy
-@@ -123,7 +151,8 @@
+@@ -126,7 +151,8 @@
  
  allow policykit_grant_t self:capability setuid;
  allow policykit_grant_t self:process getattr;
@@ -13511,7 +13775,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
  allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
  
-@@ -153,9 +182,12 @@
+@@ -156,9 +182,12 @@
  userdom_read_all_users_state(policykit_grant_t)
  
  optional_policy(`
@@ -13525,7 +13789,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  		consolekit_dbus_chat(policykit_grant_t)
  	')
  ')
-@@ -167,7 +199,8 @@
+@@ -170,7 +199,8 @@
  
  allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
  allow policykit_resolve_t self:process getattr;
@@ -13535,9 +13799,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
  allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.6.27/policy/modules/services/postfix.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.6.28/policy/modules/services/postfix.fc
 --- nsaserefpolicy/policy/modules/services/postfix.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/postfix.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/postfix.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -29,12 +29,10 @@
  /usr/lib/postfix/smtpd	--	gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
  /usr/lib/postfix/bounce	--	gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
@@ -13551,9 +13815,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /usr/sbin/postdrop	--	gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
  /usr/sbin/postfix	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
  /usr/sbin/postkick	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.27/policy/modules/services/postfix.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.28/policy/modules/services/postfix.if
 --- nsaserefpolicy/policy/modules/services/postfix.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/postfix.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/postfix.if	2009-08-18 13:23:29.000000000 -0400
 @@ -46,6 +46,7 @@
  
  	allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
@@ -13800,9 +14064,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	role $2 types postfix_postdrop_t;
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.27/policy/modules/services/postfix.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.28/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/postfix.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/postfix.te	2009-08-18 13:23:29.000000000 -0400
 @@ -1,11 +1,20 @@
  
 -policy_module(postfix, 1.11.0)
@@ -14188,9 +14452,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +userdom_manage_user_home_content(postfix_virtual_t)
 +userdom_home_filetrans_user_home_dir(postfix_virtual_t)
 +userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.6.27/policy/modules/services/postgresql.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.6.28/policy/modules/services/postgresql.fc
 --- nsaserefpolicy/policy/modules/services/postgresql.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/postgresql.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/postgresql.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -2,6 +2,7 @@
  # /etc
  #
@@ -14199,9 +14463,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  #
  # /usr
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.6.27/policy/modules/services/postgresql.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.6.28/policy/modules/services/postgresql.if
 --- nsaserefpolicy/policy/modules/services/postgresql.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/postgresql.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/postgresql.if	2009-08-18 13:23:29.000000000 -0400
 @@ -384,3 +384,46 @@
  
  	typeattribute $1 sepgsql_unconfined_type;
@@ -14249,9 +14513,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	admin_pattern($1, postgresql_tmp_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.27/policy/modules/services/postgresql.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.6.28/policy/modules/services/postgresql.te
 --- nsaserefpolicy/policy/modules/services/postgresql.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/postgresql.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/postgresql.te	2009-08-18 13:23:29.000000000 -0400
 @@ -32,6 +32,9 @@
  type postgresql_etc_t;
  files_config_file(postgresql_etc_t)
@@ -14290,9 +14554,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  miscfiles_read_localization(postgresql_t)
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.27/policy/modules/services/ppp.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.6.28/policy/modules/services/ppp.if
 --- nsaserefpolicy/policy/modules/services/ppp.if	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/ppp.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/ppp.if	2009-08-18 13:23:29.000000000 -0400
 @@ -177,10 +177,16 @@
  interface(`ppp_run',`
  	gen_require(`
@@ -14310,9 +14574,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.27/policy/modules/services/ppp.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.28/policy/modules/services/ppp.te
 --- nsaserefpolicy/policy/modules/services/ppp.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/ppp.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/ppp.te	2009-08-18 13:23:29.000000000 -0400
 @@ -193,6 +193,8 @@
  
  optional_policy(`
@@ -14337,9 +14601,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	hostname_exec(pptp_t)
  ')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.6.27/policy/modules/services/privoxy.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.6.28/policy/modules/services/privoxy.te
 --- nsaserefpolicy/policy/modules/services/privoxy.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/privoxy.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/privoxy.te	2009-08-18 13:23:29.000000000 -0400
 @@ -47,9 +47,8 @@
  manage_files_pattern(privoxy_t, privoxy_var_run_t, privoxy_var_run_t)
  files_pid_filetrans(privoxy_t, privoxy_var_run_t, file)
@@ -14351,9 +14615,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  corenet_all_recvfrom_unlabeled(privoxy_t)
  corenet_all_recvfrom_netlabel(privoxy_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.6.27/policy/modules/services/procmail.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.6.28/policy/modules/services/procmail.te
 --- nsaserefpolicy/policy/modules/services/procmail.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/procmail.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/procmail.te	2009-08-18 13:23:29.000000000 -0400
 @@ -22,7 +22,7 @@
  # Local policy
  #
@@ -14401,9 +14665,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.27/policy/modules/services/pyzor.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.28/policy/modules/services/pyzor.fc
 --- nsaserefpolicy/policy/modules/services/pyzor.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/pyzor.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/pyzor.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -1,6 +1,10 @@
  /etc/pyzor(/.*)?		gen_context(system_u:object_r:pyzor_etc_t, s0)
 +/etc/rc\.d/init\.d/pyzord	--	gen_context(system_u:object_r:pyzord_initrc_exec_t,s0)
@@ -14415,9 +14679,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  /usr/bin/pyzor		--	gen_context(system_u:object_r:pyzor_exec_t,s0)
  /usr/bin/pyzord		--	gen_context(system_u:object_r:pyzord_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.6.27/policy/modules/services/pyzor.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.6.28/policy/modules/services/pyzor.if
 --- nsaserefpolicy/policy/modules/services/pyzor.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/pyzor.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/pyzor.if	2009-08-18 13:23:29.000000000 -0400
 @@ -88,3 +88,50 @@
  	corecmd_search_bin($1)
  	can_exec($1, pyzor_exec_t)
@@ -14469,9 +14733,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.27/policy/modules/services/pyzor.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.6.28/policy/modules/services/pyzor.te
 --- nsaserefpolicy/policy/modules/services/pyzor.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/pyzor.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/pyzor.te	2009-08-18 13:23:29.000000000 -0400
 @@ -1,11 +1,43 @@
  
 -policy_module(pyzor, 2.1.0)
@@ -14542,17 +14806,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  userdom_dontaudit_search_user_home_dirs(pyzor_t)
  
  optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.6.27/policy/modules/services/razor.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.6.28/policy/modules/services/razor.fc
 --- nsaserefpolicy/policy/modules/services/razor.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/razor.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/razor.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -1,3 +1,4 @@
 +/root/\.razor(/.*)?		gen_context(system_u:object_r:razor_home_t,s0)
  HOME_DIR/\.razor(/.*)?		gen_context(system_u:object_r:razor_home_t,s0)
  
  /etc/razor(/.*)?		gen_context(system_u:object_r:razor_etc_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.6.27/policy/modules/services/razor.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.6.28/policy/modules/services/razor.if
 --- nsaserefpolicy/policy/modules/services/razor.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/razor.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/razor.if	2009-08-18 13:23:29.000000000 -0400
 @@ -157,3 +157,45 @@
  
  	domtrans_pattern($1, razor_exec_t, razor_t)
@@ -14599,9 +14863,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	read_files_pattern($1, razor_var_lib_t, razor_var_lib_t)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.6.27/policy/modules/services/razor.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.6.28/policy/modules/services/razor.te
 --- nsaserefpolicy/policy/modules/services/razor.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/razor.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/razor.te	2009-08-18 13:23:29.000000000 -0400
 @@ -1,11 +1,37 @@
  
 -policy_module(razor, 2.1.0)
@@ -14659,9 +14923,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.27/policy/modules/services/ricci.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.28/policy/modules/services/ricci.te
 --- nsaserefpolicy/policy/modules/services/ricci.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/ricci.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/ricci.te	2009-08-18 13:23:29.000000000 -0400
 @@ -264,6 +264,7 @@
  allow ricci_modclusterd_t self:socket create_socket_perms;
  
@@ -14681,9 +14945,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  storage_raw_read_fixed_disk(ricci_modstorage_t)
  
  term_dontaudit_use_console(ricci_modstorage_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.6.27/policy/modules/services/rpcbind.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.6.28/policy/modules/services/rpcbind.if
 --- nsaserefpolicy/policy/modules/services/rpcbind.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/rpcbind.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/rpcbind.if	2009-08-18 13:23:29.000000000 -0400
 @@ -97,6 +97,26 @@
  
  ########################################
@@ -14711,9 +14975,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	All of the rules required to administrate 
  ##	an rpcbind environment
  ## </summary>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.6.27/policy/modules/services/rpc.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.6.28/policy/modules/services/rpc.if
 --- nsaserefpolicy/policy/modules/services/rpc.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/rpc.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/rpc.if	2009-08-18 13:23:29.000000000 -0400
 @@ -54,7 +54,7 @@
  	allow $1_t self:unix_dgram_socket create_socket_perms;
  	allow $1_t self:unix_stream_socket create_stream_socket_perms;
@@ -14734,9 +14998,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  		seutil_sigchld_newrole($1_t)
  	')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.27/policy/modules/services/rpc.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.28/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/rpc.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/rpc.te	2009-08-18 13:23:29.000000000 -0400
 @@ -91,6 +91,8 @@
  
  seutil_dontaudit_search_config(rpcd_t)
@@ -14784,9 +15048,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  auth_use_nsswitch(gssd_t)
  auth_manage_cache(gssd_t) 
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.27/policy/modules/services/rsync.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.28/policy/modules/services/rsync.te
 --- nsaserefpolicy/policy/modules/services/rsync.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/rsync.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/rsync.te	2009-08-18 13:23:29.000000000 -0400
 @@ -8,6 +8,13 @@
  
  ## <desc>
@@ -14829,15 +15093,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
  auth_can_read_shadow_passwords(rsync_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.fc serefpolicy-3.6.27/policy/modules/services/rtkit_daemon.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.fc serefpolicy-3.6.28/policy/modules/services/rtkit_daemon.fc
 --- nsaserefpolicy/policy/modules/services/rtkit_daemon.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/services/rtkit_daemon.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/rtkit_daemon.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,2 @@
 +
 +/usr/libexec/rtkit-daemon	--	gen_context(system_u:object_r:rtkit_daemon_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.if serefpolicy-3.6.27/policy/modules/services/rtkit_daemon.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.if serefpolicy-3.6.28/policy/modules/services/rtkit_daemon.if
 --- nsaserefpolicy/policy/modules/services/rtkit_daemon.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/services/rtkit_daemon.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/rtkit_daemon.if	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,64 @@
 +
 +## <summary>policy for rtkit_daemon</summary>
@@ -14903,9 +15167,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	allow rtkit_daemon_t $1:process { getsched setsched };
 +	rtkit_daemon_dbus_chat($1)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.te serefpolicy-3.6.27/policy/modules/services/rtkit_daemon.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.te serefpolicy-3.6.28/policy/modules/services/rtkit_daemon.te
 --- nsaserefpolicy/policy/modules/services/rtkit_daemon.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/services/rtkit_daemon.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/rtkit_daemon.te	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,38 @@
 +policy_module(rtkit_daemon,1.0.0)
 +
@@ -14945,9 +15209,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
 +        policykit_dbus_chat(rtkit_daemon_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.6.27/policy/modules/services/samba.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.6.28/policy/modules/services/samba.fc
 --- nsaserefpolicy/policy/modules/services/samba.fc	2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/samba.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/samba.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -51,3 +51,7 @@
  /var/run/winbindd(/.*)?			gen_context(system_u:object_r:winbind_var_run_t,s0)
  
@@ -14956,9 +15220,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +ifndef(`enable_mls',`
 +/var/lib/samba/scripts(/.*)?		gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.6.27/policy/modules/services/samba.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.6.28/policy/modules/services/samba.if
 --- nsaserefpolicy/policy/modules/services/samba.if	2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/samba.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/samba.if	2009-08-18 13:23:29.000000000 -0400
 @@ -62,6 +62,25 @@
  
  ########################################
@@ -15131,9 +15395,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	admin_pattern($1, winbind_var_run_t)
 +	admin_pattern($1, samba_unconfined_script_exec_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.27/policy/modules/services/samba.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.28/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/samba.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/samba.te	2009-08-18 13:23:29.000000000 -0400
 @@ -66,6 +66,13 @@
  ## </desc>
  gen_tunable(samba_share_nfs, false)
@@ -15341,9 +15605,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +',`
 +	can_exec(smbd_t, samba_unconfined_script_exec_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.6.27/policy/modules/services/sasl.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.6.28/policy/modules/services/sasl.te
 --- nsaserefpolicy/policy/modules/services/sasl.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/sasl.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/sasl.te	2009-08-18 13:25:10.000000000 -0400
 @@ -31,7 +31,7 @@
  # Local policy
  #
@@ -15406,9 +15670,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	seutil_sigchld_newrole(saslauthd_t)
  ')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.27/policy/modules/services/sendmail.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.28/policy/modules/services/sendmail.if
 --- nsaserefpolicy/policy/modules/services/sendmail.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/sendmail.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/sendmail.if	2009-08-18 13:23:29.000000000 -0400
 @@ -59,20 +59,20 @@
  
  ########################################
@@ -15581,9 +15845,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	allow $1 sendmail_t:fifo_file rw_fifo_file_perms; 
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.27/policy/modules/services/sendmail.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.28/policy/modules/services/sendmail.te
 --- nsaserefpolicy/policy/modules/services/sendmail.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/sendmail.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/sendmail.te	2009-08-18 13:23:29.000000000 -0400
 @@ -20,13 +20,17 @@
  mta_mailserver_delivery(sendmail_t)
  mta_mailserver_sender(sendmail_t)
@@ -15759,18 +16023,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
 -dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
 -') dnl end TODO
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.6.27/policy/modules/services/setroubleshoot.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.6.28/policy/modules/services/setroubleshoot.fc
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/setroubleshoot.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/setroubleshoot.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -5,3 +5,5 @@
  /var/log/setroubleshoot(/.*)?		gen_context(system_u:object_r:setroubleshoot_var_log_t,s0)
  
  /var/lib/setroubleshoot(/.*)?		gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0)
 +
 +/usr/share/setroubleshoot/SetroubleshootFixit\.py* 	--	gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.6.27/policy/modules/services/setroubleshoot.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.6.28/policy/modules/services/setroubleshoot.if
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/setroubleshoot.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/setroubleshoot.if	2009-08-18 13:23:29.000000000 -0400
 @@ -16,8 +16,8 @@
  	')
  
@@ -15847,9 +16111,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	files_list_pids($1)
 +	admin_pattern($1, setroubleshoot_var_run_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.27/policy/modules/services/setroubleshoot.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.28/policy/modules/services/setroubleshoot.te
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/setroubleshoot.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/setroubleshoot.te	2009-08-18 13:23:29.000000000 -0400
 @@ -22,13 +22,19 @@
  type setroubleshoot_var_run_t;
  files_pid_file(setroubleshoot_var_run_t)
@@ -15968,9 +16232,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +permissive setroubleshoot_fixit_t;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.fc serefpolicy-3.6.27/policy/modules/services/shorewall.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.fc serefpolicy-3.6.28/policy/modules/services/shorewall.fc
 --- nsaserefpolicy/policy/modules/services/shorewall.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/services/shorewall.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/shorewall.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,12 @@
 +
 +/etc/rc\.d/init\.d/shorewall        	--      gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
@@ -15984,9 +16248,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +/var/lib/shorewall(/.*)?			gen_context(system_u:object_r:shorewall_var_lib_t,s0)
 +/var/lib/shorewall-lite(/.*)?           	gen_context(system_u:object_r:shorewall_var_lib_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.if serefpolicy-3.6.27/policy/modules/services/shorewall.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.if serefpolicy-3.6.28/policy/modules/services/shorewall.if
 --- nsaserefpolicy/policy/modules/services/shorewall.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/services/shorewall.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/shorewall.if	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,166 @@
 +## <summary>policy for shorewall</summary>
 +
@@ -16154,9 +16418,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +        admin_pattern($1, shorewall_tmp_t)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.te serefpolicy-3.6.27/policy/modules/services/shorewall.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.te serefpolicy-3.6.28/policy/modules/services/shorewall.te
 --- nsaserefpolicy/policy/modules/services/shorewall.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/services/shorewall.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/shorewall.te	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,95 @@
 +policy_module(shorewall,1.0.0)
 +
@@ -16253,9 +16517,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
 +	ulogd_search_log(shorewall_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.6.27/policy/modules/services/smartmon.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.6.28/policy/modules/services/smartmon.te
 --- nsaserefpolicy/policy/modules/services/smartmon.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/smartmon.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/smartmon.te	2009-08-18 13:23:29.000000000 -0400
 @@ -19,6 +19,10 @@
  type fsdaemon_tmp_t;
  files_tmp_file(fsdaemon_tmp_t)
@@ -16313,9 +16577,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.27/policy/modules/services/spamassassin.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.28/policy/modules/services/spamassassin.fc
 --- nsaserefpolicy/policy/modules/services/spamassassin.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/spamassassin.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/spamassassin.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -1,15 +1,25 @@
 -HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamassassin_home_t,s0)
 +HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamc_home_t,s0)
@@ -16342,11 +16606,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  /var/spool/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_spool_t,s0)
  /var/spool/spamd(/.*)?		gen_context(system_u:object_r:spamd_spool_t,s0)
-+/var/spool/MD-Quarantine(/.*)?	gen_context(system_u:object_r:spamd_spool_t,s0)
-+/var/spool/MIMEDefang(/.*)?	gen_context(system_u:object_r:spamd_spool_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.27/policy/modules/services/spamassassin.if
++/var/spool/MD-Quarantine(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
++/var/spool/MIMEDefang(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.6.28/policy/modules/services/spamassassin.if
 --- nsaserefpolicy/policy/modules/services/spamassassin.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/spamassassin.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/spamassassin.if	2009-08-18 13:23:29.000000000 -0400
 @@ -111,6 +111,7 @@
  	')
  
@@ -16380,7 +16644,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +#
 +interface(`spamd_stream_connect',`
 +	gen_require(`
-+		type spamd_t, spamd_var_run_t;
++		type spamd_t, spamd_var_run_t, spamd_spool_t;
 +	')
 +
 +	stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
@@ -16433,9 +16697,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	files_list_pids($1)
 +	admin_pattern($1, spamd_var_run_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.27/policy/modules/services/spamassassin.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.28/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/spamassassin.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/spamassassin.te	2009-08-18 13:23:29.000000000 -0400
 @@ -20,6 +20,35 @@
  ## </desc>
  gen_tunable(spamd_enable_home_dirs, true)
@@ -16728,9 +16992,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
  	udev_read_db(spamd_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.27/policy/modules/services/squid.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.28/policy/modules/services/squid.te
 --- nsaserefpolicy/policy/modules/services/squid.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/squid.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/squid.te	2009-08-18 13:23:29.000000000 -0400
 @@ -118,6 +118,8 @@
  
  fs_getattr_all_fs(squid_t)
@@ -16749,18 +17013,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -#squid requires the following when run in diskd mode, the recommended setting
 -allow squid_t tmpfs_t:file { read write };
 -') dnl end TODO
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.6.27/policy/modules/services/ssh.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.6.28/policy/modules/services/ssh.fc
 --- nsaserefpolicy/policy/modules/services/ssh.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/ssh.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/ssh.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -14,3 +14,5 @@
  /usr/sbin/sshd			--	gen_context(system_u:object_r:sshd_exec_t,s0)
  
  /var/run/sshd\.init\.pid	--	gen_context(system_u:object_r:sshd_var_run_t,s0)
 +
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:home_ssh_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.27/policy/modules/services/ssh.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.6.28/policy/modules/services/ssh.if
 --- nsaserefpolicy/policy/modules/services/ssh.if	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/ssh.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/ssh.if	2009-08-18 13:23:29.000000000 -0400
 @@ -36,6 +36,7 @@
  	gen_require(`
  		attribute ssh_server;
@@ -17061,9 +17325,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	read_lnk_files_pattern($1, home_ssh_t, home_ssh_t)
 +	userdom_search_user_home_dirs($1)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.27/policy/modules/services/ssh.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.28/policy/modules/services/ssh.te
 --- nsaserefpolicy/policy/modules/services/ssh.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/ssh.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/ssh.te	2009-08-18 13:23:29.000000000 -0400
 @@ -41,6 +41,9 @@
  files_tmp_file(sshd_tmp_t)
  files_poly_parent(sshd_tmp_t)
@@ -17235,18 +17499,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	seutil_sigchld_newrole(ssh_keygen_t)
  ')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.27/policy/modules/services/sssd.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.28/policy/modules/services/sssd.fc
 --- nsaserefpolicy/policy/modules/services/sssd.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/sssd.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/sssd.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -1,4 +1,4 @@
 -/etc/rc.d/init.d/sssd	--	gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/sssd	--	gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
  
  /usr/sbin/sssd		--	gen_context(system_u:object_r:sssd_exec_t,s0)
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.27/policy/modules/services/sssd.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.28/policy/modules/services/sssd.if
 --- nsaserefpolicy/policy/modules/services/sssd.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/sssd.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/sssd.if	2009-08-18 13:23:29.000000000 -0400
 @@ -12,12 +12,32 @@
  #
  interface(`sssd_domtrans',`
@@ -17309,9 +17573,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Send and receive messages from
  ##	sssd over dbus.
  ## </summary>
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.6.27/policy/modules/services/sysstat.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.6.28/policy/modules/services/sysstat.te
 --- nsaserefpolicy/policy/modules/services/sysstat.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/sysstat.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/sysstat.te	2009-08-18 13:23:29.000000000 -0400
 @@ -19,7 +19,7 @@
  # Local policy
  #
@@ -17321,9 +17585,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  dontaudit sysstat_t self:capability sys_admin;
  allow sysstat_t self:fifo_file rw_fifo_file_perms;
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.27/policy/modules/services/uucp.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.6.28/policy/modules/services/uucp.te
 --- nsaserefpolicy/policy/modules/services/uucp.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/uucp.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/uucp.te	2009-08-18 13:23:29.000000000 -0400
 @@ -95,6 +95,8 @@
  files_search_home(uucpd_t)
  files_search_spool(uucpd_t)
@@ -17341,9 +17605,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  optional_policy(`
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.27/policy/modules/services/virt.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.28/policy/modules/services/virt.fc
 --- nsaserefpolicy/policy/modules/services/virt.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/virt.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/virt.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -8,5 +8,16 @@
  
  /var/lib/libvirt(/.*)?		gen_context(system_u:object_r:virt_var_lib_t,s0)
@@ -17361,9 +17625,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/var/cache/libvirt(/.*)?	gen_context(system_u:object_r:svirt_cache_t,s0)
 +
 +/var/run/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:svirt_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.27/policy/modules/services/virt.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.28/policy/modules/services/virt.if
 --- nsaserefpolicy/policy/modules/services/virt.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/virt.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/virt.if	2009-08-18 13:23:29.000000000 -0400
 @@ -103,7 +103,7 @@
  
  ########################################
@@ -17539,9 +17803,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	manage_files_pattern($1, svirt_cache_t, svirt_cache_t)
 +	manage_lnk_files_pattern($1, svirt_cache_t, svirt_cache_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.27/policy/modules/services/virt.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.28/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/virt.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/virt.te	2009-08-18 13:23:29.000000000 -0400
 @@ -20,6 +20,28 @@
  ## </desc>
  gen_tunable(virt_use_samba, false)
@@ -17921,9 +18185,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	virt_read_content(virt_domain)
 +	virt_stream_connect(virt_domain)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.6.27/policy/modules/services/w3c.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.6.28/policy/modules/services/w3c.te
 --- nsaserefpolicy/policy/modules/services/w3c.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/w3c.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/w3c.te	2009-08-18 13:23:29.000000000 -0400
 @@ -8,11 +8,18 @@
  
  apache_content_template(w3c_validator)
@@ -17943,9 +18207,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t)
  corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
  corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.27/policy/modules/services/xserver.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.28/policy/modules/services/xserver.fc
 --- nsaserefpolicy/policy/modules/services/xserver.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/xserver.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/xserver.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -3,12 +3,17 @@
  #
  HOME_DIR/\.fonts\.conf	--	gen_context(system_u:object_r:user_fonts_config_t,s0)
@@ -18017,9 +18281,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  ifdef(`distro_suse',`
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.27/policy/modules/services/xserver.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.28/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/xserver.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/xserver.if	2009-08-18 13:23:29.000000000 -0400
 @@ -90,7 +90,7 @@
  	allow $2 xauth_home_t:file manage_file_perms;
  	allow $2 xauth_home_t:file { relabelfrom relabelto };
@@ -18713,9 +18977,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	allow xdm_t $1:dbus send_msg;
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.27/policy/modules/services/xserver.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.28/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/services/xserver.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/services/xserver.te	2009-08-18 13:23:29.000000000 -0400
 @@ -34,6 +34,13 @@
  
  ## <desc>
@@ -19437,9 +19701,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -#
 -allow xdm_t user_home_type:file unlink;
 -') dnl end TODO
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-3.6.27/policy/modules/system/application.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-3.6.28/policy/modules/system/application.if
 --- nsaserefpolicy/policy/modules/system/application.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/application.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/application.if	2009-08-18 13:23:29.000000000 -0400
 @@ -2,7 +2,7 @@
  
  ########################################
@@ -19471,9 +19735,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	allow $1 application_domain_type:process signull;
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.27/policy/modules/system/application.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.28/policy/modules/system/application.te
 --- nsaserefpolicy/policy/modules/system/application.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/application.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/application.te	2009-08-18 13:23:29.000000000 -0400
 @@ -7,7 +7,18 @@
  # Executables to be run by user
  attribute application_exec_type;
@@ -19493,9 +19757,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	sudo_sigchld(application_domain_type)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.6.27/policy/modules/system/authlogin.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.6.28/policy/modules/system/authlogin.fc
 --- nsaserefpolicy/policy/modules/system/authlogin.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/authlogin.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/authlogin.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -7,12 +7,10 @@
  /etc/passwd\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
  /etc/shadow.*		--	gen_context(system_u:object_r:shadow_t,s0)
@@ -19521,9 +19785,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /var/run/sudo(/.*)?		gen_context(system_u:object_r:pam_var_run_t,s0)
 +/var/run/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.27/policy/modules/system/authlogin.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.28/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/authlogin.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/authlogin.if	2009-08-18 13:23:29.000000000 -0400
 @@ -40,17 +40,76 @@
  ##	</summary>
  ## </param>
@@ -19831,9 +20095,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	')
  ')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.27/policy/modules/system/authlogin.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.28/policy/modules/system/authlogin.te
 --- nsaserefpolicy/policy/modules/system/authlogin.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/authlogin.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/authlogin.te	2009-08-18 13:23:29.000000000 -0400
 @@ -125,9 +125,18 @@
  ')
  
@@ -19925,9 +20189,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  domain_use_interactive_fds(utempter_t)
  
  logging_search_logs(utempter_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/clock.te serefpolicy-3.6.27/policy/modules/system/clock.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/clock.te serefpolicy-3.6.28/policy/modules/system/clock.te
 --- nsaserefpolicy/policy/modules/system/clock.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/clock.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/clock.te	2009-08-18 13:23:29.000000000 -0400
 @@ -38,10 +38,6 @@
  dev_read_sysfs(hwclock_t)
  dev_rw_realtime_clock(hwclock_t)
@@ -19950,9 +20214,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  logging_send_audit_msgs(hwclock_t)
  logging_send_syslog_msg(hwclock_t)
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.6.27/policy/modules/system/fstools.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.6.28/policy/modules/system/fstools.fc
 --- nsaserefpolicy/policy/modules/system/fstools.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/fstools.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/fstools.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -1,4 +1,3 @@
 -/sbin/badblocks		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/blkid		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -19966,9 +20230,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /sbin/parted		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/partprobe		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.6.27/policy/modules/system/fstools.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.6.28/policy/modules/system/fstools.te
 --- nsaserefpolicy/policy/modules/system/fstools.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/fstools.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/fstools.te	2009-08-18 13:23:29.000000000 -0400
 @@ -65,13 +65,7 @@
  kernel_rw_unlabeled_dirs(fsadm_t)
  kernel_rw_unlabeled_blk_files(fsadm_t)
@@ -20075,9 +20339,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	xen_rw_image_files(fsadm_t)
  ')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.6.27/policy/modules/system/getty.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.6.28/policy/modules/system/getty.te
 --- nsaserefpolicy/policy/modules/system/getty.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/getty.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/getty.te	2009-08-18 13:23:29.000000000 -0400
 @@ -59,16 +59,8 @@
  kernel_list_proc(getty_t)
  kernel_read_proc_symlinks(getty_t)
@@ -20110,9 +20374,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  init_rw_utmp(getty_t)
  init_use_script_ptys(getty_t)
  init_dontaudit_use_script_ptys(getty_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.6.27/policy/modules/system/hostname.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.6.28/policy/modules/system/hostname.te
 --- nsaserefpolicy/policy/modules/system/hostname.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/hostname.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/hostname.te	2009-08-18 13:23:29.000000000 -0400
 @@ -8,7 +8,9 @@
  
  type hostname_t;
@@ -20162,9 +20426,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
  	unconfined_dontaudit_rw_pipes(hostname_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.27/policy/modules/system/init.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.6.28/policy/modules/system/init.fc
 --- nsaserefpolicy/policy/modules/system/init.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/init.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/init.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -4,10 +4,10 @@
  /etc/init\.d/.*		--	gen_context(system_u:object_r:initrc_exec_t,s0)
  
@@ -20187,9 +20451,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  #
  # /var
  #
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.27/policy/modules/system/init.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.28/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/init.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/init.if	2009-08-18 13:23:29.000000000 -0400
 @@ -174,6 +174,7 @@
  	role system_r types $1;
  
@@ -20427,9 +20691,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	allow $1 init_t:unix_dgram_socket sendto;
 +	allow init_t $1:unix_dgram_socket sendto;
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.27/policy/modules/system/init.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.28/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/init.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/init.te	2009-08-18 13:23:29.000000000 -0400
 @@ -17,6 +17,20 @@
  ## </desc>
  gen_tunable(init_upstart, false)
@@ -20931,18 +21195,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
 +	fail2ban_read_lib_files(daemon)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.6.27/policy/modules/system/ipsec.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.6.28/policy/modules/system/ipsec.fc
 --- nsaserefpolicy/policy/modules/system/ipsec.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/ipsec.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/ipsec.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -1,3 +1,5 @@
 +/etc/rc\.d/init\.d/ipsec	--	gen_context(system_u:object_r:ipsec_initrc_exec_t,s0)
 +
  /etc/ipsec\.secrets		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
  /etc/ipsec\.conf		--	gen_context(system_u:object_r:ipsec_conf_file_t,s0)
  /etc/racoon/psk\.txt		--	gen_context(system_u:object_r:ipsec_key_file_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.6.27/policy/modules/system/ipsec.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.6.28/policy/modules/system/ipsec.if
 --- nsaserefpolicy/policy/modules/system/ipsec.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/ipsec.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/ipsec.if	2009-08-18 13:23:29.000000000 -0400
 @@ -229,3 +229,28 @@
  	ipsec_domtrans_setkey($1)
  	role $2 types setkey_t;
@@ -20972,10 +21236,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	ipsec_domtrans_racoon($1)
 +	role $2 types racoon_t;
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.27/policy/modules/system/ipsec.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.28/policy/modules/system/ipsec.te
 --- nsaserefpolicy/policy/modules/system/ipsec.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/ipsec.te	2009-08-14 16:51:06.000000000 -0400
-@@ -15,6 +15,9 @@
++++ serefpolicy-3.6.28/policy/modules/system/ipsec.te	2009-08-18 13:42:27.000000000 -0400
+@@ -6,6 +6,13 @@
+ # Declarations
+ #
+ 
++## <desc>
++## <p>
++## Allow racoon to read shadow
++## </p>
++## </desc>
++gen_tunable(racoon_read_shadow, false)
++
+ type ipsec_t;
+ type ipsec_exec_t;
+ init_daemon_domain(ipsec_t, ipsec_exec_t)
+@@ -15,6 +22,9 @@
  type ipsec_conf_file_t;
  files_type(ipsec_conf_file_t)
  
@@ -20985,7 +21263,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # type for file(s) containing ipsec keys - RSA or preshared
  type ipsec_key_file_t;
  files_type(ipsec_key_file_t)
-@@ -53,21 +56,23 @@
+@@ -53,21 +63,23 @@
  # ipsec Local policy
  #
  
@@ -21012,7 +21290,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
  
  manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
-@@ -76,7 +81,7 @@
+@@ -76,7 +88,7 @@
  
  can_exec(ipsec_t, ipsec_mgmt_exec_t)
  
@@ -21021,7 +21299,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # a shell script, we need to find a way to make things work without
  # letting all sorts of stuff possibly be run...
  # so try flipping back into the ipsec_mgmt_t domain
-@@ -95,9 +100,6 @@
+@@ -95,9 +107,6 @@
  kernel_getattr_core_if(ipsec_t)
  kernel_getattr_message_if(ipsec_t)
  
@@ -21031,7 +21309,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  # Pluto needs network access
  corenet_all_recvfrom_unlabeled(ipsec_t)
  corenet_tcp_sendrecv_all_if(ipsec_t)
-@@ -118,21 +120,26 @@
+@@ -118,21 +127,26 @@
  dev_read_rand(ipsec_t)
  dev_read_urand(ipsec_t)
  
@@ -21063,7 +21341,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  logging_send_syslog_msg(ipsec_t)
  
  miscfiles_read_localization(ipsec_t)
-@@ -154,12 +161,12 @@
+@@ -154,12 +168,12 @@
  #
  
  allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
@@ -21078,7 +21356,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
  files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
-@@ -209,15 +216,21 @@
+@@ -209,15 +223,21 @@
  files_read_kernel_symbol_table(ipsec_mgmt_t)
  files_getattr_kernel_modules(ipsec_mgmt_t)
  
@@ -21103,7 +21381,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  domain_use_interactive_fds(ipsec_mgmt_t)
  # denials when ps tries to search /proc. Do not audit these denials.
  domain_dontaudit_list_all_domains_state(ipsec_mgmt_t)
-@@ -232,12 +245,6 @@
+@@ -232,12 +252,6 @@
  files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
  files_dontaudit_getattr_default_files(ipsec_mgmt_t)
  
@@ -21116,15 +21394,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  init_use_script_ptys(ipsec_mgmt_t)
  init_exec_script_files(ipsec_mgmt_t)
  init_use_fds(ipsec_mgmt_t)
-@@ -280,6 +287,7 @@
+@@ -280,6 +294,9 @@
  allow racoon_t self:netlink_selinux_socket { bind create read };
  allow racoon_t self:udp_socket create_socket_perms;
  allow racoon_t self:key_socket create_socket_perms;
 +allow racoon_t self:fifo_file rw_fifo_file_perms;
++
++can_exec(racoon_t, setkey_exec_t)
  
  # manage pid file
  manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t)
-@@ -297,6 +305,13 @@
+@@ -297,6 +314,13 @@
  kernel_read_system_state(racoon_t)
  kernel_read_network_state(racoon_t)
  
@@ -21138,7 +21418,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  corenet_all_recvfrom_unlabeled(racoon_t)
  corenet_tcp_sendrecv_all_if(racoon_t)
  corenet_udp_sendrecv_all_if(racoon_t)
-@@ -317,10 +332,10 @@
+@@ -314,13 +338,15 @@
+ 
+ files_read_etc_files(racoon_t)
+ 
++fs_dontaudit_getattr_xattr_fs(racoon_t) 
++
  # allow racoon to use avc_has_perm to check context on proposed SA
  selinux_compute_access_vector(racoon_t)
  
@@ -21151,7 +21436,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  locallogin_use_fds(racoon_t)
  
  logging_send_syslog_msg(racoon_t)
-@@ -347,6 +362,7 @@
+@@ -328,6 +354,11 @@
+ 
+ miscfiles_read_localization(racoon_t)
+ 
++auth_can_read_shadow_passwords(racoon_t)
++tunable_policy(`racoon_read_shadow',`
++	auth_tunable_read_shadow(racoon_t) 
++')
++
+ ########################################
+ #
+ # Setkey local policy
+@@ -347,6 +378,7 @@
  files_read_etc_files(setkey_t)
  
  init_dontaudit_use_fds(setkey_t)
@@ -21159,9 +21456,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  # allow setkey to set the context for ipsec SAs and policy.
  ipsec_setcontext_default_spd(setkey_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.27/policy/modules/system/iptables.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.28/policy/modules/system/iptables.fc
 --- nsaserefpolicy/policy/modules/system/iptables.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/iptables.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/iptables.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -1,9 +1,10 @@
 -/sbin/ip6tables.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
  /sbin/ipchains.*	--	gen_context(system_u:object_r:iptables_exec_t,s0)
@@ -21178,9 +21475,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/sbin/iptables-multi 	--	gen_context(system_u:object_r:iptables_exec_t,s0)
  
 -/var/lib/shorewall(/.*)? --	gen_context(system_u:object_r:iptables_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.27/policy/modules/system/iptables.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.28/policy/modules/system/iptables.te
 --- nsaserefpolicy/policy/modules/system/iptables.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/iptables.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/iptables.te	2009-08-18 13:23:29.000000000 -0400
 @@ -53,6 +53,7 @@
  mls_file_read_all_levels(iptables_t)
  
@@ -21200,9 +21497,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	rhgb_dontaudit_use_ptys(iptables_t)
  ')
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-3.6.27/policy/modules/system/iscsi.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-3.6.28/policy/modules/system/iscsi.if
 --- nsaserefpolicy/policy/modules/system/iscsi.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/iscsi.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/iscsi.if	2009-08-18 13:23:29.000000000 -0400
 @@ -17,3 +17,43 @@
  
  	domtrans_pattern($1, iscsid_exec_t, iscsid_t)
@@ -21247,9 +21544,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	stream_connect_pattern($1,iscsi_var_lib_t,iscsi_var_lib_t,iscsid_t)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.27/policy/modules/system/iscsi.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.28/policy/modules/system/iscsi.te
 --- nsaserefpolicy/policy/modules/system/iscsi.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/iscsi.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/iscsi.te	2009-08-18 13:23:29.000000000 -0400
 @@ -55,6 +55,7 @@
  files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
  
@@ -21273,9 +21570,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
 -sysnet_dns_name_resolve(iscsid_t)
 +miscfiles_read_localization(iscsid_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.fc serefpolicy-3.6.27/policy/modules/system/kdump.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.fc serefpolicy-3.6.28/policy/modules/system/kdump.fc
 --- nsaserefpolicy/policy/modules/system/kdump.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/system/kdump.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/kdump.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,8 @@
 +
 +/etc/rc\.d/init\.d/kdump        --      gen_context(system_u:object_r:kdump_initrc_exec_t,s0)
@@ -21285,9 +21582,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +/etc/kdump\.conf                --      gen_context(system_u:object_r:kdump_etc_t,s0)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.if serefpolicy-3.6.27/policy/modules/system/kdump.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.if serefpolicy-3.6.28/policy/modules/system/kdump.if
 --- nsaserefpolicy/policy/modules/system/kdump.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/system/kdump.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/kdump.if	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,111 @@
 +## <summary>kdump is kernel crash dumping mechanism</summary>
 +
@@ -21400,9 +21697,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +        files_search_etc($1)
 +        admin_pattern($1, kdump_etc_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.te serefpolicy-3.6.27/policy/modules/system/kdump.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.te serefpolicy-3.6.28/policy/modules/system/kdump.te
 --- nsaserefpolicy/policy/modules/system/kdump.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.27/policy/modules/system/kdump.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/kdump.te	2009-08-18 13:23:29.000000000 -0400
 @@ -0,0 +1,38 @@
 +policy_module(kdump,1.0.0)
 +
@@ -21442,9 +21739,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +permissive kdump_t;
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.27/policy/modules/system/libraries.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.28/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/libraries.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/libraries.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -60,12 +60,15 @@
  #
  # /opt
@@ -21725,9 +22022,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.6.27/policy/modules/system/libraries.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.6.28/policy/modules/system/libraries.if
 --- nsaserefpolicy/policy/modules/system/libraries.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/libraries.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/libraries.if	2009-08-18 13:23:29.000000000 -0400
 @@ -247,7 +247,7 @@
  		type lib_t;
  	')
@@ -21746,9 +22043,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	allow $1 lib_t:dir list_dir_perms;
  	read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
  	mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.6.27/policy/modules/system/libraries.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.6.28/policy/modules/system/libraries.te
 --- nsaserefpolicy/policy/modules/system/libraries.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/libraries.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/libraries.te	2009-08-18 13:23:29.000000000 -0400
 @@ -58,11 +58,11 @@
  # ldconfig local policy
  #
@@ -21802,9 +22099,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +optional_policy(`
 +	unconfined_domain(ldconfig_t) 
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.27/policy/modules/system/locallogin.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.28/policy/modules/system/locallogin.te
 --- nsaserefpolicy/policy/modules/system/locallogin.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/locallogin.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/locallogin.te	2009-08-18 13:23:29.000000000 -0400
 @@ -61,19 +61,13 @@
  kernel_search_key(local_login_t)
  kernel_link_key(local_login_t)
@@ -21955,9 +22252,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -optional_policy(`
 -	nscd_socket_use(sulogin_t)
 -')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.27/policy/modules/system/logging.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.28/policy/modules/system/logging.fc
 --- nsaserefpolicy/policy/modules/system/logging.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/logging.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/logging.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -53,15 +53,18 @@
  /var/named/chroot/var/log -d	gen_context(system_u:object_r:var_log_t,s0)
  ')
@@ -21981,9 +22278,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  /var/tinydns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.27/policy/modules/system/logging.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.6.28/policy/modules/system/logging.if
 --- nsaserefpolicy/policy/modules/system/logging.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/logging.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/logging.if	2009-08-18 13:23:29.000000000 -0400
 @@ -623,7 +623,7 @@
  	')
  
@@ -22002,9 +22299,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
  
  ########################################
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.27/policy/modules/system/logging.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.28/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/logging.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/logging.te	2009-08-18 13:23:29.000000000 -0400
 @@ -126,7 +126,7 @@
  allow auditd_t self:process { signal_perms setpgid setsched };
  allow auditd_t self:file rw_file_perms;
@@ -22097,9 +22394,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  allow syslogd_t self:udp_socket create_socket_perms;
  allow syslogd_t self:tcp_socket create_stream_socket_perms;
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.27/policy/modules/system/lvm.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.28/policy/modules/system/lvm.te
 --- nsaserefpolicy/policy/modules/system/lvm.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/lvm.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/lvm.te	2009-08-18 13:23:29.000000000 -0400
 @@ -10,6 +10,9 @@
  type clvmd_exec_t;
  init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -22216,9 +22513,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  optional_policy(`
  	modutils_domtrans_insmod(lvm_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.27/policy/modules/system/miscfiles.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.28/policy/modules/system/miscfiles.if
 --- nsaserefpolicy/policy/modules/system/miscfiles.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/miscfiles.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/miscfiles.if	2009-08-18 13:23:29.000000000 -0400
 @@ -87,6 +87,25 @@
  
  ########################################
@@ -22245,9 +22542,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ##	Do not audit attempts to write fonts.
  ## </summary>
  ## <param name="domain">
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.27/policy/modules/system/modutils.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.28/policy/modules/system/modutils.te
 --- nsaserefpolicy/policy/modules/system/modutils.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/modutils.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/modutils.te	2009-08-18 13:23:29.000000000 -0400
 @@ -39,59 +39,10 @@
  
  ########################################
@@ -22503,9 +22800,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  logging_send_syslog_msg(update_modules_t)
  
  miscfiles_read_localization(update_modules_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.6.27/policy/modules/system/mount.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.6.28/policy/modules/system/mount.fc
 --- nsaserefpolicy/policy/modules/system/mount.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/mount.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/mount.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -1,4 +1,9 @@
  /bin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
  /bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
@@ -22517,9 +22814,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +/var/cache/davfs2(/.*)?		gen_context(system_u:object_r:mount_var_run_t,s0)
 +/var/run/davfs2(/.*)?		gen_context(system_u:object_r:mount_var_run_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.27/policy/modules/system/mount.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.28/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/mount.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/mount.te	2009-08-18 13:23:29.000000000 -0400
 @@ -18,8 +18,12 @@
  init_system_domain(mount_t, mount_exec_t)
  role system_r types mount_t;
@@ -22755,9 +23052,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	rpc_domtrans_rpcd(unconfined_mount_t)
  ')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/pcmcia.te serefpolicy-3.6.27/policy/modules/system/pcmcia.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/pcmcia.te serefpolicy-3.6.28/policy/modules/system/pcmcia.te
 --- nsaserefpolicy/policy/modules/system/pcmcia.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/pcmcia.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/pcmcia.te	2009-08-18 13:23:29.000000000 -0400
 @@ -51,7 +51,7 @@
  kernel_read_kernel_sysctls(cardmgr_t)
  kernel_dontaudit_getattr_message_if(cardmgr_t)
@@ -22805,9 +23102,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  libs_exec_ld_so(cardmgr_t)
  libs_exec_lib_files(cardmgr_t)
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.6.27/policy/modules/system/raid.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.6.28/policy/modules/system/raid.te
 --- nsaserefpolicy/policy/modules/system/raid.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/raid.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/raid.te	2009-08-18 13:23:29.000000000 -0400
 @@ -32,10 +32,6 @@
  kernel_rw_software_raid_state(mdadm_t)
  kernel_getattr_core_if(mdadm_t)
@@ -22856,9 +23153,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  init_dontaudit_getattr_initctl(mdadm_t)
  
  logging_send_syslog_msg(mdadm_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.6.27/policy/modules/system/selinuxutil.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.6.28/policy/modules/system/selinuxutil.fc
 --- nsaserefpolicy/policy/modules/system/selinuxutil.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/selinuxutil.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/selinuxutil.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -6,13 +6,13 @@
  /etc/selinux(/.*)?			gen_context(system_u:object_r:selinux_config_t,s0)
  /etc/selinux/([^/]*/)?contexts(/.*)?	gen_context(system_u:object_r:default_context_t,s0)
@@ -22897,9 +23194,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +/etc/share/selinux/targeted(/.*)?	gen_context(system_u:object_r:semanage_store_t,s0)
 +/etc/share/selinux/mls(/.*)?		gen_context(system_u:object_r:semanage_store_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.27/policy/modules/system/selinuxutil.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.6.28/policy/modules/system/selinuxutil.if
 --- nsaserefpolicy/policy/modules/system/selinuxutil.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/selinuxutil.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/selinuxutil.if	2009-08-18 13:23:29.000000000 -0400
 @@ -535,6 +535,53 @@
  
  ########################################
@@ -23227,9 +23524,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	hotplug_use_fds($1)
 +')
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.27/policy/modules/system/selinuxutil.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.28/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/selinuxutil.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/selinuxutil.te	2009-08-18 13:23:29.000000000 -0400
 @@ -23,6 +23,9 @@
  type selinux_config_t;
  files_type(selinux_config_t)
@@ -23589,9 +23886,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -	hotplug_use_fds(setfiles_t)
 +	unconfined_domain(setfiles_mac_t)
  ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.6.27/policy/modules/system/setrans.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.6.28/policy/modules/system/setrans.if
 --- nsaserefpolicy/policy/modules/system/setrans.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/setrans.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/setrans.if	2009-08-18 13:23:29.000000000 -0400
 @@ -21,3 +21,23 @@
  	stream_connect_pattern($1, setrans_var_run_t, setrans_var_run_t, setrans_t)
  	files_list_pids($1)
@@ -23616,9 +23913,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	init_labeled_script_domtrans($1, setrans_initrc_exec_t)
 +')
 +
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.6.27/policy/modules/system/sysnetwork.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.6.28/policy/modules/system/sysnetwork.fc
 --- nsaserefpolicy/policy/modules/system/sysnetwork.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/sysnetwork.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/sysnetwork.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -11,15 +11,20 @@
  /etc/dhclient-script	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
  /etc/dhcpc.*			gen_context(system_u:object_r:dhcp_etc_t,s0)
@@ -23647,9 +23944,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  ')
 +
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.27/policy/modules/system/sysnetwork.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.28/policy/modules/system/sysnetwork.if
 --- nsaserefpolicy/policy/modules/system/sysnetwork.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/sysnetwork.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/sysnetwork.if	2009-08-18 13:23:29.000000000 -0400
 @@ -43,6 +43,39 @@
  
  	sysnet_domtrans_dhcpc($1)
@@ -23827,9 +24124,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	role_transition $1 dhcpc_exec_t system_r;
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.27/policy/modules/system/sysnetwork.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.28/policy/modules/system/sysnetwork.te
 --- nsaserefpolicy/policy/modules/system/sysnetwork.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/sysnetwork.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/sysnetwork.te	2009-08-18 13:23:29.000000000 -0400
 @@ -20,6 +20,9 @@
  init_daemon_domain(dhcpc_t, dhcpc_exec_t)
  role system_r types dhcpc_t;
@@ -24075,9 +24372,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	hal_dontaudit_rw_dgram_sockets(dhcpc_t)
 +	hal_dontaudit_rw_pipes(ifconfig_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.6.27/policy/modules/system/udev.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.6.28/policy/modules/system/udev.fc
 --- nsaserefpolicy/policy/modules/system/udev.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/udev.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/udev.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -7,6 +7,9 @@
  /etc/hotplug\.d/default/udev.* -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
  
@@ -24088,9 +24385,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  /sbin/start_udev --	gen_context(system_u:object_r:udev_exec_t,s0)
  /sbin/udev	--	gen_context(system_u:object_r:udev_exec_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.27/policy/modules/system/udev.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.28/policy/modules/system/udev.te
 --- nsaserefpolicy/policy/modules/system/udev.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/udev.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/udev.te	2009-08-18 13:23:29.000000000 -0400
 @@ -50,6 +50,7 @@
  allow udev_t self:unix_stream_socket connectto;
  allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -24200,9 +24497,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  	kernel_write_xen_state(udev_t)
  	kernel_read_xen_state(udev_t)
  	xen_manage_log(udev_t)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.6.27/policy/modules/system/unconfined.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.6.28/policy/modules/system/unconfined.fc
 --- nsaserefpolicy/policy/modules/system/unconfined.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/unconfined.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/unconfined.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -1,16 +1 @@
  # Add programs here which should not be confined by SELinux
 -# e.g.:
@@ -24220,9 +24517,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -ifdef(`distro_gentoo',`
 -/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 -')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.27/policy/modules/system/unconfined.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.28/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/unconfined.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/unconfined.if	2009-08-18 13:23:29.000000000 -0400
 @@ -12,14 +12,13 @@
  #
  interface(`unconfined_domain_noaudit',`
@@ -24728,15 +25025,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -
 -	allow $1 unconfined_t:dbus acquire_svc;
 -')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.27/policy/modules/system/unconfined.te
---- nsaserefpolicy/policy/modules/system/unconfined.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/unconfined.te	2009-08-14 16:51:06.000000000 -0400
-@@ -1,231 +1,9 @@
- 
--policy_module(unconfined, 3.0.0)
-+policy_module(unconfined, 3.0.1)
- 
- ########################################
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.6.28/policy/modules/system/unconfined.te
+--- nsaserefpolicy/policy/modules/system/unconfined.te	2009-08-18 11:41:14.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/unconfined.te	2009-08-18 13:23:29.000000000 -0400
+@@ -5,227 +5,5 @@
  #
  # Declarations
  #
@@ -24859,7 +25151,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -')
 -
 -optional_policy(`
--	java_domtrans_unconfined(unconfined_t)
+-	java_run_unconfined(unconfined_t, unconfined_r)
 -')
 -
 -optional_policy(`
@@ -24965,9 +25257,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -		hal_dbus_chat(unconfined_execmem_t)
 -	')
 -')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.27/policy/modules/system/userdomain.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.28/policy/modules/system/userdomain.fc
 --- nsaserefpolicy/policy/modules/system/userdomain.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/userdomain.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/userdomain.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -1,4 +1,7 @@
  HOME_DIR	-d	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
 +HOME_DIR	-l	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
@@ -24977,9 +25269,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 +/dev/shm/pulse-shm.*	gen_context(system_u:object_r:user_tmpfs_t,s0)
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.27/policy/modules/system/userdomain.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.28/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/userdomain.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/userdomain.if	2009-08-18 13:23:29.000000000 -0400
 @@ -30,8 +30,9 @@
  	')
  
@@ -26845,9 +27137,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	allow $1 user_home_dir_t:dir search_dir_perms;
 +	files_search_home($1)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.27/policy/modules/system/userdomain.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.28/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/userdomain.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/userdomain.te	2009-08-18 13:23:29.000000000 -0400
 @@ -8,13 +8,6 @@
  
  ## <desc>
@@ -26933,9 +27225,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 +
 +allow userdomain userdomain:process signull;
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.6.27/policy/modules/system/xen.fc
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.6.28/policy/modules/system/xen.fc
 --- nsaserefpolicy/policy/modules/system/xen.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/xen.fc	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/xen.fc	2009-08-18 13:23:29.000000000 -0400
 @@ -1,5 +1,7 @@
  /dev/xen/tapctrl.*	-p	gen_context(system_u:object_r:xenctl_t,s0)
  
@@ -26963,9 +27255,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  /var/run/xenstore\.pid	--	gen_context(system_u:object_r:xenstored_var_run_t,s0)
  /var/run/xenstored(/.*)?	gen_context(system_u:object_r:xenstored_var_run_t,s0)
  
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.6.27/policy/modules/system/xen.if
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.6.28/policy/modules/system/xen.if
 --- nsaserefpolicy/policy/modules/system/xen.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/xen.if	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/xen.if	2009-08-18 13:23:29.000000000 -0400
 @@ -71,6 +71,8 @@
  	')
  
@@ -27016,9 +27308,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	allow $1 xend_var_lib_t:dir search_dir_perms;
 +	rw_files_pattern($1, xen_image_t, xen_image_t)
 +')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.27/policy/modules/system/xen.te
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.28/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/policy/modules/system/xen.te	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/modules/system/xen.te	2009-08-18 18:28:36.000000000 -0400
 @@ -1,11 +1,18 @@
  
 -policy_module(xen, 1.9.0)
@@ -27248,7 +27540,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
  
  files_read_etc_runtime_files(xm_t)
  files_read_usr_files(xm_t)
-@@ -339,15 +389,62 @@
+@@ -339,15 +389,69 @@
  
  storage_raw_read_fixed_disk(xm_t)
  
@@ -27312,9 +27604,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +manage_files_pattern(evtchnd_t,evtchnd_var_run_t,evtchnd_var_run_t)
 +manage_sock_files_pattern(evtchnd_t,evtchnd_var_run_t,evtchnd_var_run_t)
 +files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.27/policy/support/obj_perm_sets.spt
++
++fs_manage_xenfs_dirs(xend_t)
++fs_manage_xenfs_files(xend_t)
++fs_manage_xenfs_dirs(xenstored_t)
++fs_manage_xenfs_files(xenstored_t)
++fs_manage_xenfs_dirs(xm_t)
++fs_manage_xenfs_files(xm_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.28/policy/support/obj_perm_sets.spt
 --- nsaserefpolicy/policy/support/obj_perm_sets.spt	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/support/obj_perm_sets.spt	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/support/obj_perm_sets.spt	2009-08-18 13:23:29.000000000 -0400
 @@ -201,7 +201,7 @@
  define(`setattr_file_perms',`{ setattr }')
  define(`read_file_perms',`{ getattr open read lock ioctl }')
@@ -27347,9 +27646,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')
 +
 +define(`manage_key_perms', `{ create link read search setattr view write } ')
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.27/policy/users
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.28/policy/users
 --- nsaserefpolicy/policy/users	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/policy/users	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/policy/users	2009-08-18 13:23:29.000000000 -0400
 @@ -25,11 +25,8 @@
  # permit any access to such users, then remove this entry.
  #
@@ -27374,9 +27673,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -	gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
 -')
 +gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.6.27/Rules.modular
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.6.28/Rules.modular
 --- nsaserefpolicy/Rules.modular	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/Rules.modular	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/Rules.modular	2009-08-18 13:23:29.000000000 -0400
 @@ -73,8 +73,8 @@
  $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
  	@echo "Compliling $(NAME) $(@F) module"
@@ -27406,15 +27705,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/Rul
  
  $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
  $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/divert.m4 serefpolicy-3.6.27/support/divert.m4
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/divert.m4 serefpolicy-3.6.28/support/divert.m4
 --- nsaserefpolicy/support/divert.m4	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/support/divert.m4	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.28/support/divert.m4	1969-12-31 19:00:00.000000000 -0500
 @@ -1 +0,0 @@
 -divert(`-1')
 \ No newline at end of file
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.6.27/support/Makefile.devel
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.6.28/support/Makefile.devel
 --- nsaserefpolicy/support/Makefile.devel	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.27/support/Makefile.devel	2009-08-14 16:51:06.000000000 -0400
++++ serefpolicy-3.6.28/support/Makefile.devel	2009-08-18 13:23:29.000000000 -0400
 @@ -185,8 +185,7 @@
  tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te
  	@$(EINFO) "Compiling $(NAME) $(basename $(@F)) module"
@@ -27425,9 +27724,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/sup
  	$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
  
  tmp/%.mod.fc: $(m4support) %.fc
-diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/undivert.m4 serefpolicy-3.6.27/support/undivert.m4
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/undivert.m4 serefpolicy-3.6.28/support/undivert.m4
 --- nsaserefpolicy/support/undivert.m4	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.27/support/undivert.m4	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.28/support/undivert.m4	1969-12-31 19:00:00.000000000 -0500
 @@ -1 +0,0 @@
 -divert
 \ No newline at end of file