diff --git a/.cvsignore b/.cvsignore
index ef4def8..1cdef7f 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -201,3 +201,8 @@ serefpolicy-3.7.7.tgz
 serefpolicy-3.7.8.tgz
 setroubleshoot-2.2.58.tar.gz
 serefpolicy-3.7.9.tgz
+serefpolicy-3.7.11.tgz
+serefpolicy-3.7.12.tgz
+serefpolicy-3.7.13.tgz
+serefpolicy-3.7.14.tgz
+serefpolicy-3.7.15.tgz
diff --git a/booleans-targeted.conf b/booleans-targeted.conf
index ed1af2d..da42381 100644
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@@ -258,3 +258,11 @@ init_upstart = true
 # Allow mount to mount any file/dir
 # 
 allow_mount_anyfile = true
+
+# Allow confined domains to communicate with ncsd via shared memory
+# 
+nscd_use_shm = true
+
+# Allow fenced domain to connect to the network using TCP.
+#
+fenced_can_network_connect=false
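Review bot: The comment above `nscd_use_shm` misspells the daemon as "ncsd", and `fenced_can_network_connect=false` drops the spaces around `=` that every other assignment in this file uses (compare `allow_mount_anyfile = true` just above). Both are one-line fixes: `# Allow confined domains to communicate with nscd via shared memory` and `fenced_can_network_connect = false`. Uniform spacing keeps the file safe for any consumer that splits on ` = ` rather than on a bare `=`; which splitter is used is not visible here, so confirm against the build script.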
diff --git a/modules-minimum.conf b/modules-minimum.conf
index 95a5e3f..117ca3f 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -32,6 +32,13 @@ alsa = base
 # 
 ada = module
 
+# Layer: services
+# Module: cachefilesd
+#
+# CacheFiles userspace management daemon
+# 
+cachefilesd = module
+
 # Layer: apps
 # Module: cpufreqselector 
 #
@@ -160,6 +167,13 @@ automount = module
 avahi = module
 
 # Layer: services
+# Module: boinc
+#
+# Berkeley Open Infrastructure for Network Computing
+#
+boinc = module
+
+# Layer: services
 # Module: bind
 #
 # Berkeley internet name domain DNS server.
@@ -819,7 +833,6 @@ ktalk = module
 # 
 kudzu = base
 
-
 # Layer: services
 # Module: ldap
 #
@@ -827,6 +840,13 @@ kudzu = base
 # 
 ldap = module
 
+# Layer: services
+# Module: likewise
+#
+# Likewise Active Directory support for UNIX
+# 
+likewise = module
+
 # Layer: system
 # Module: libraries
 #
@@ -1454,7 +1474,14 @@ seunshare = module
 # 
 shorewall = base
 
-# Layer: apps
+# Layer: admin
+# Module: shutdown
+#
+# Policy for shutdown
+# 
+shutdown = module
+
+# Layer: admin
 # Module: sectoolm
 #
 # Policy for sectool-mechanism
@@ -1497,10 +1524,17 @@ slocate = module
 # 
 smartmon = module
 
+# Layer: services 
+# Module: smokeping
+#
+# Latency Logging and Graphing System
+# 
+smokeping = module
+
 # Layer: admin
 # Module: smoltclient
 #
-# The Fedora hardware profiler client
+#The Fedora hardware profiler client
 # 
 smoltclient = module
 
@@ -1956,6 +1990,13 @@ munin = module
 # 
 bitlbee = module
 
+# Layer: system
+# Module: sosreport
+#
+# sosreport debuggin information generator
+# 
+sosreport = module
+
 # Layer: services
 # Module: soundserver
 #
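Review bot: The sosreport description has a typo, `debuggin`; use `# sosreport debugging information generator`. The identical block is added to modules-mls.conf and modules-targeted.conf in this commit, so all three copies need the fix.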
diff --git a/modules-mls.conf b/modules-mls.conf
index bb5cb43..236334f 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -33,11 +33,11 @@ alsa = base
 ada = module
 
 # Layer: services
-# Module: cgroup
+# Module: cachefilesd
 #
-# Tools and libraries to control and monitor control groups
+# CacheFiles userspace management daemon
 # 
-cgroup = module
+cachefilesd = module
 
 # Layer: apps
 # Module: cpufreqselector 
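Review bot: The existing `cgroup = module` entry and its header comments are overwritten by the cachefilesd block here, so cgroup disappears from the MLS module list, whereas the matching hunks in modules-minimum.conf and modules-targeted.conf insert cachefilesd after `ada = module` without removing anything. That asymmetry suggests the overwrite is accidental; if cgroup is still meant to be built for MLS, restore its five-line block (`# Layer: services` / `# Module: cgroup` / `#` / `# Tools and libraries to control and monitor control groups` / `cgroup = module`) ahead of the new cachefilesd block. If the removal is intended, it deserves a mention in the commit message.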
@@ -46,6 +46,13 @@ cgroup = module
 # 
 cpufreqselector = module
 
+# Layer: apps
+# Module: chrome
+#
+# chrome sandbox
+# 
+chrome = module
+
 # Layer: modules
 # Module: awstats
 #
@@ -139,6 +146,13 @@ automount = module
 avahi = module
 
 # Layer: services
+# Module: boinc
+#
+# Berkeley Open Infrastructure for Network Computing
+#
+boinc = module
+
+# Layer: services
 # Module: bind
 #
 # Berkeley internet name domain DNS server.
@@ -219,13 +233,20 @@ certwatch = module
 certmaster = module
 
 # Layer: services
+# Module: certmonger
+#
+# Certificate status monitor and PKI enrollment client
+# 
+certmonger = module
+
+# Layer: services
 # Module: chronyd
 #
 # Daemon for maintaining clock time
 # 
 chronyd = module
 
-# Layer: services
+q# Layer: services
 # Module: cipe
 #
 # Encrypted tunnel daemon
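Review bot: The cipe header line now reads `q# Layer: services`; the stray `q` looks like an editor artefact, and because the line no longer begins with `#` whatever parses this file will presumably no longer treat it as a comment. Restore `# Layer: services`.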
@@ -433,12 +454,26 @@ domain = base
 # 
 dovecot = module
 
+# Layer: services
+# Module: git
+#
+# Policy for the stupid content tracker
+# 
+git = module
+
+# Layer: apps
+# Module: gitosis
+#
+# Policy for gitosis
+# 
+gitosis = module
+ 
 # Layer: apps
 # Module: gpg
 #
 # Policy for GNU Privacy Guard and related programs.
 # 
-gpg = off
+gpg = module
 
 # Layer: services
 # Module: gpsd
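Review bot: The separator added after `gitosis = module` is a line containing a single space rather than an empty line, unlike every other block separator in the file; make it empty. The `gpg = off` to `gpg = module` flip in the same hunk enables gpg for the MLS build; that is presumably intended, but it is the only behavioural change among otherwise additive entries and should be called out in the commit message.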
@@ -507,6 +542,20 @@ finger = module
 # 
 firstboot = base
 
+# Layer: apps
+# Module: firewallgui
+#
+# policy for system-config-firewall
+# 
+firewallgui = module
+
+# Layer: services
+# Module: fprintd
+#
+# finger print server
+# 
+fprintd = module
+
 # Layer: system
 # Module: fstools
 #
@@ -570,6 +619,13 @@ plymouthd = module
 # 
 policykit = module
 
+# Layer: apps
+# Module: ptchown
+#
+# helper function for grantpt(3), changes ownship and permissions of pseudotty
+# 
+ptchown = module
+
 # Layer: services
 # Module: psad
 #
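Review bot: The ptchown description contains the typo `ownship`; use `# helper function for grantpt(3), changes ownership and permissions of pseudotty`. Nothing else in the block needs changing.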
@@ -693,6 +749,13 @@ kdump = module
 kdumpgui = module
 
 # Layer: services
+# Module: ksmtuned
+#
+#  Kernel Samepage Merging (KSM) Tuning Daemon
+# 
+ksmtuned = module
+
+# Layer: services
 # Module: kerberos
 #
 # MIT Kerberos admin and KDC
@@ -802,7 +865,7 @@ lvm = base
 # Layer: admin
 # Module: mcelog
 #
-# Policy for mcelog.
+# mcelog is a daemon that collects and decodes Machine Check Exception data on x86-64 machines. 
 # 
 mcelog = base
 
@@ -871,6 +934,20 @@ mount = base
 # 
 mozilla = module
 
+# Layer: services
+# Module: ntop
+#
+# Policy for ntop
+# 
+ntop = module
+
+# Layer: services
+# Module: nslcd
+#
+# Policy for nslcd
+# 
+nslcd = module
+
 # Layer: apps
 # Module: nsplugin
 #
@@ -1143,6 +1220,13 @@ razor = module
 readahead = base
 
 # Layer: services
+# Module: rgmanager
+#
+# Red Hat Resource Group Manager
+#
+rgmanager = module
+
+# Layer: services
 # Module: rhgb
 #
 # X windows login display manager
@@ -1214,6 +1298,13 @@ rshd = module
 rsync = module
 
 # Layer: services
+# Module: rtkit
+#
+# Real Time Kit Daemon
+# 
+rtkit = module
+
+# Layer: services
 # Module: rwho
 #
 # who is logged in on local machines
@@ -1234,6 +1325,13 @@ sasl = module
 # 
 sendmail = base
 
+# Layer: apps
+# Module: seunshare
+#
+# seunshare executable
+# 
+seunshare = module
+
 # Layer: services
 # Module: samba
 #
@@ -1244,6 +1342,13 @@ sendmail = base
 samba = module
 
 # Layer: apps
+# Module: sandbox
+#
+# Experimental policy for running apps within a sandbox
+# 
+sandbox = module
+
+# Layer: apps
 # Module: sambagui
 #
 # policy for system-config-samba
@@ -1527,6 +1632,13 @@ timidity = off
 tftp = module
 
 # Layer: services
+# Module: tuned
+#
+# Dynamic adaptive system tuning daemon
+#
+tuned = module
+
+# Layer: services
 # Module: uucp
 #
 # Unix to Unix Copy
@@ -1711,6 +1823,13 @@ munin = module
 # 
 bitlbee = module
 
+# Layer: system
+# Module: sosreport
+#
+# sosreport debuggin information generator
+# 
+sosreport = module
+
 # Layer: services
 # Module: soundserver
 #
@@ -1903,3 +2022,9 @@ rhcs = module
 # 
 shorewall = base
 
+# Layer: admin
+# Module: shutdown
+#
+# Policy for shutdown
+# 
+shutdown = module
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 95a5e3f..117ca3f 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -32,6 +32,13 @@ alsa = base
 # 
 ada = module
 
+# Layer: services
+# Module: cachefilesd
+#
+# CacheFiles userspace management daemon
+# 
+cachefilesd = module
+
 # Layer: apps
 # Module: cpufreqselector 
 #
@@ -160,6 +167,13 @@ automount = module
 avahi = module
 
 # Layer: services
+# Module: boinc
+#
+# Berkeley Open Infrastructure for Network Computing
+#
+boinc = module
+
+# Layer: services
 # Module: bind
 #
 # Berkeley internet name domain DNS server.
@@ -819,7 +833,6 @@ ktalk = module
 # 
 kudzu = base
 
-
 # Layer: services
 # Module: ldap
 #
@@ -827,6 +840,13 @@ kudzu = base
 # 
 ldap = module
 
+# Layer: services
+# Module: likewise
+#
+# Likewise Active Directory support for UNIX
+# 
+likewise = module
+
 # Layer: system
 # Module: libraries
 #
@@ -1454,7 +1474,14 @@ seunshare = module
 # 
 shorewall = base
 
-# Layer: apps
+# Layer: admin
+# Module: shutdown
+#
+# Policy for shutdown
+# 
+shutdown = module
+
+# Layer: admin
 # Module: sectoolm
 #
 # Policy for sectool-mechanism
@@ -1497,10 +1524,17 @@ slocate = module
 # 
 smartmon = module
 
+# Layer: services 
+# Module: smokeping
+#
+# Latency Logging and Graphing System
+# 
+smokeping = module
+
 # Layer: admin
 # Module: smoltclient
 #
-# The Fedora hardware profiler client
+#The Fedora hardware profiler client
 # 
 smoltclient = module
 
@@ -1956,6 +1990,13 @@ munin = module
 # 
 bitlbee = module
 
+# Layer: system
+# Module: sosreport
+#
+# sosreport debuggin information generator
+# 
+sosreport = module
+
 # Layer: services
 # Module: soundserver
 #
diff --git a/nsadiff b/nsadiff
index 6cc0190..115cf3c 100755
--- a/nsadiff
+++ b/nsadiff
@@ -1 +1 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.7.9 > /tmp/diff
+diff --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.7.15 > /tmp/diff
diff --git a/policy-F13.patch b/policy-F13.patch
index 2f5d1d0..5f9b2f0 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -1,16 +1,6 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Changelog serefpolicy-3.7.9/Changelog
---- nsaserefpolicy/Changelog	2010-02-16 14:58:22.000000000 -0500
-+++ serefpolicy-3.7.9/Changelog	2010-02-16 15:08:37.000000000 -0500
-@@ -1,6 +1,5 @@
- - X object manager revisions from Eamon Walsh.
- - Added modules:
--	chronyd (Miroslav Grepl)
- 	cobbler (Dominick Grift)
- 	dbadm (KaiGai Kohei)
- 	nut (Stefan Schulze Frielinghaus, Miroslav Grepl)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.9/Makefile
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.15/Makefile
 --- nsaserefpolicy/Makefile	2009-08-18 11:41:14.000000000 -0400
-+++ serefpolicy-3.7.9/Makefile	2010-02-16 15:36:04.000000000 -0500
++++ serefpolicy-3.7.15/Makefile	2010-03-18 10:44:42.000000000 -0400
 @@ -244,7 +244,7 @@
  appdir := $(contextpath)
  user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
@@ -20,9 +10,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.7.9/M
  net_contexts := $(builddir)net_contexts
  
  all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.7.9/policy/global_tunables
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.7.15/policy/global_tunables
 --- nsaserefpolicy/policy/global_tunables	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.9/policy/global_tunables	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/global_tunables	2010-03-18 10:44:42.000000000 -0400
 @@ -61,15 +61,6 @@
  
  ## <desc>
@@ -58,51 +48,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref
 +## </desc>
 +gen_tunable(mmap_low_allowed, false)
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.if serefpolicy-3.7.9/policy/modules/admin/alsa.if
---- nsaserefpolicy/policy/modules/admin/alsa.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/admin/alsa.if	2010-02-16 15:08:37.000000000 -0500
-@@ -76,6 +76,26 @@
- 
- ########################################
- ## <summary>
-+##	Manage alsa writable config files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`alsa_manage_rw_config',`
-+	gen_require(`
-+		type alsa_etc_rw_t;
-+	')
-+
-+	allow $1 alsa_etc_rw_t:dir list_dir_perms;
-+	manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
-+	read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Read alsa lib files.
- ## </summary>
- ## <param name="domain">
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.7.9/policy/modules/admin/alsa.te
---- nsaserefpolicy/policy/modules/admin/alsa.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/admin/alsa.te	2010-02-16 15:08:37.000000000 -0500
-@@ -51,6 +51,8 @@
- files_read_etc_files(alsa_t)
- files_read_usr_files(alsa_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te serefpolicy-3.7.15/policy/modules/admin/acct.te
+--- nsaserefpolicy/policy/modules/admin/acct.te	2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/admin/acct.te	2010-03-18 10:44:42.000000000 -0400
+@@ -43,6 +43,7 @@
+ fs_getattr_xattr_fs(acct_t)
  
-+term_dontaudit_use_console(alsa_t)
-+
- auth_use_nsswitch(alsa_t)
+ term_dontaudit_use_console(acct_t)
++term_dontaudit_use_generic_ptys(acct_t)
  
- init_use_fds(alsa_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.7.9/policy/modules/admin/anaconda.te
+ corecmd_exec_bin(acct_t)
+ corecmd_exec_shell(acct_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.7.15/policy/modules/admin/anaconda.te
 --- nsaserefpolicy/policy/modules/admin/anaconda.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/admin/anaconda.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/admin/anaconda.te	2010-03-18 10:44:42.000000000 -0400
 @@ -31,6 +31,7 @@
  modutils_domtrans_insmod(anaconda_t)
  
@@ -120,21 +79,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anacond
  ')
  
  optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.te serefpolicy-3.7.9/policy/modules/admin/brctl.te
---- nsaserefpolicy/policy/modules/admin/brctl.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/admin/brctl.te	2010-02-16 15:08:37.000000000 -0500
-@@ -21,7 +21,7 @@
- allow brctl_t self:unix_dgram_socket create_socket_perms;
- allow brctl_t self:tcp_socket create_socket_perms;
- 
--kernel_load_module(brctl_t)
-+kernel_request_load_module(brctl_t)
- kernel_read_network_state(brctl_t)
- kernel_read_sysctl(brctl_t)
- 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.7.9/policy/modules/admin/certwatch.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.7.15/policy/modules/admin/certwatch.te
 --- nsaserefpolicy/policy/modules/admin/certwatch.te	2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/admin/certwatch.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/admin/certwatch.te	2010-03-18 10:44:42.000000000 -0400
 @@ -36,7 +36,7 @@
  miscfiles_read_localization(certwatch_t)
  
@@ -144,9 +91,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwat
  
  optional_policy(`
  	apache_exec_modules(certwatch_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.7.9/policy/modules/admin/consoletype.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.if serefpolicy-3.7.15/policy/modules/admin/consoletype.if
+--- nsaserefpolicy/policy/modules/admin/consoletype.if	2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/admin/consoletype.if	2010-03-18 10:44:42.000000000 -0400
+@@ -19,6 +19,9 @@
+ 
+ 	corecmd_search_bin($1)
+ 	domtrans_pattern($1, consoletype_exec_t, consoletype_t)
++	ifdef(`hide_broken_symptoms', `
++	        dontaudit consoletype_t $1:socket_class_set { read write };
++	')
+ ')
+ 
+ ########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.7.15/policy/modules/admin/consoletype.te
 --- nsaserefpolicy/policy/modules/admin/consoletype.te	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/admin/consoletype.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/admin/consoletype.te	2010-03-18 10:44:42.000000000 -0400
 @@ -10,7 +10,6 @@
  type consoletype_exec_t;
  application_executable_file(consoletype_exec_t)
@@ -155,67 +115,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/console
  role system_r types consoletype_t;
  
  ########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-3.7.9/policy/modules/admin/dmesg.te
---- nsaserefpolicy/policy/modules/admin/dmesg.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/admin/dmesg.te	2010-02-16 15:08:37.000000000 -0500
-@@ -9,6 +9,7 @@
- type dmesg_t;
- type dmesg_exec_t;
- init_system_domain(dmesg_t, dmesg_exec_t)
-+cron_system_entry(dmesg_t, dmesg_exec_t)
- 
- ########################################
- #
-@@ -20,12 +21,16 @@
- 
- allow dmesg_t self:process signal_perms;
- 
-+kernel_read_system_state(dmesg_t)
- kernel_read_kernel_sysctls(dmesg_t)
- kernel_read_ring_buffer(dmesg_t)
- kernel_clear_ring_buffer(dmesg_t)
- kernel_change_ring_buffer_level(dmesg_t)
- kernel_list_proc(dmesg_t)
- kernel_read_proc_symlinks(dmesg_t)
-+dev_read_kmsg(dmesg_t)
-+
-+mls_process_read_all_levels(dmesg_t)
- 
- dev_read_sysfs(dmesg_t)
- 
-@@ -35,7 +40,7 @@
- 
- domain_use_interactive_fds(dmesg_t)
- 
--files_list_etc(dmesg_t)
-+files_read_etc_files(dmesg_t)
- # for when /usr is not mounted:
- files_dontaudit_search_isid_type_dirs(dmesg_t)
- 
-@@ -57,3 +62,6 @@
- optional_policy(`
- 	udev_read_db(dmesg_t)
- ')
-+
-+#mcelog needs
-+dev_read_raw_memory(dmesg_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.7.9/policy/modules/admin/firstboot.te
---- nsaserefpolicy/policy/modules/admin/firstboot.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/admin/firstboot.te	2010-02-16 15:08:37.000000000 -0500
-@@ -91,8 +91,12 @@
- userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
- 
- optional_policy(`
-+	dbus_system_bus_client(firstboot_t)
-+
-+	optional_policy(`
- 	hal_dbus_chat(firstboot_t)
- ')
-+')
- 
- optional_policy(`
- 	nis_use_ypbind(firstboot_t)
-@@ -105,7 +109,7 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.7.15/policy/modules/admin/firstboot.te
+--- nsaserefpolicy/policy/modules/admin/firstboot.te	2010-03-18 06:48:09.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/admin/firstboot.te	2010-03-18 10:44:42.000000000 -0400
+@@ -109,7 +109,7 @@
  optional_policy(`
  	unconfined_domtrans(firstboot_t)
  	# The big hammer
@@ -224,9 +127,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstbo
  ')
  
  optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.7.9/policy/modules/admin/kismet.te
---- nsaserefpolicy/policy/modules/admin/kismet.te	2009-11-25 15:15:48.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/admin/kismet.te	2010-02-16 15:08:37.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.7.15/policy/modules/admin/kismet.te
+--- nsaserefpolicy/policy/modules/admin/kismet.te	2010-03-09 15:39:06.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/admin/kismet.te	2010-03-18 10:44:42.000000000 -0400
 @@ -45,6 +45,7 @@
  manage_dirs_pattern(kismet_t, kismet_home_t, kismet_home_t)
  manage_files_pattern(kismet_t, kismet_home_t, kismet_home_t)
@@ -235,27 +138,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
  userdom_user_home_dir_filetrans(kismet_t, kismet_home_t, { file dir })
  
  manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
-@@ -53,7 +54,8 @@
- 
- manage_dirs_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
- manage_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
--files_tmp_filetrans(kismet_t, kismet_tmp_t, { file dir })
-+manage_sock_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
-+files_tmp_filetrans(kismet_t, kismet_tmp_t, { file dir sock_file })
- 
- manage_dirs_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t)
- manage_files_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t)
-@@ -69,6 +71,7 @@
- 
- kernel_search_debugfs(kismet_t)
- kernel_read_system_state(kismet_t)
-+kernel_read_network_state(kismet_t)
- 
- corecmd_exec_bin(kismet_t)
- 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.7.9/policy/modules/admin/logrotate.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.7.15/policy/modules/admin/logrotate.te
 --- nsaserefpolicy/policy/modules/admin/logrotate.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/admin/logrotate.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/admin/logrotate.te	2010-03-18 10:44:42.000000000 -0400
 @@ -32,7 +32,7 @@
  # Change ownership on log files.
  allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
@@ -273,7 +158,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
  
  kernel_read_system_state(logrotate_t)
  kernel_read_kernel_sysctls(logrotate_t)
-@@ -116,8 +117,9 @@
+@@ -108,6 +109,7 @@
+ 
+ logging_manage_all_logs(logrotate_t)
+ logging_send_syslog_msg(logrotate_t)
++logging_send_audit_msgs(logrotate_t)
+ # cjp: why is this needed?
+ logging_exec_all_logs(logrotate_t)
+ 
+@@ -116,8 +118,9 @@
  seutil_dontaudit_read_config(logrotate_t)
  
  userdom_use_user_terminals(logrotate_t)
@@ -284,7 +177,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
  
  cron_system_entry(logrotate_t, logrotate_exec_t)
  cron_search_spool(logrotate_t)
-@@ -137,6 +139,10 @@
+@@ -137,6 +140,10 @@
  ')
  
  optional_policy(`
@@ -295,13 +188,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
  	acct_domtrans(logrotate_t)
  	acct_manage_data(logrotate_t)
  	acct_exec_data(logrotate_t)
-@@ -149,6 +155,16 @@
+@@ -149,6 +156,14 @@
  ')
  
  optional_policy(`
-+	asterisk_exec(logrotate_t)
-+	asterisk_stream_connect(logrotate_t)
-+	asterisk_manage_lib_files(logrotate_t)
++	asterisk_domtrans(logrotate_t)
 +')
 +
 +optional_policy(`
@@ -312,7 +203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
  	consoletype_exec(logrotate_t)
  ')
  
-@@ -157,11 +173,15 @@
+@@ -157,11 +172,15 @@
  ')
  
  optional_policy(`
@@ -329,7 +220,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
  ')
  
  optional_policy(`
-@@ -183,6 +203,15 @@
+@@ -183,6 +202,15 @@
  ')
  
  optional_policy(`
@@ -345,99 +236,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
  	slrnpull_manage_spool(logrotate_t)
  ')
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.7.9/policy/modules/admin/logwatch.te
---- nsaserefpolicy/policy/modules/admin/logwatch.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/admin/logwatch.te	2010-02-16 15:08:37.000000000 -0500
-@@ -93,6 +93,13 @@
- sysnet_exec_ifconfig(logwatch_t)
- 
- userdom_dontaudit_search_user_home_dirs(logwatch_t)
-+tunable_policy(`use_nfs_home_dirs',`
-+	fs_list_nfs(logwatch_t)
-+')
-+
-+tunable_policy(`use_samba_home_dirs',`
-+	fs_list_cifs(logwatch_t)
-+')
- 
- mta_send_mail(logwatch_t)
- 
-@@ -136,4 +143,5 @@
+@@ -191,5 +219,9 @@
+ ')
  
  optional_policy(`
- 	samba_read_log(logwatch_t)
-+	samba_read_share_files(logwatch_t)
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.fc serefpolicy-3.7.9/policy/modules/admin/mcelog.fc
---- nsaserefpolicy/policy/modules/admin/mcelog.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/admin/mcelog.fc	2010-02-16 15:08:37.000000000 -0500
-@@ -0,0 +1,2 @@
-+
-+/usr/sbin/mcelog	--	gen_context(system_u:object_r:mcelog_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.if serefpolicy-3.7.9/policy/modules/admin/mcelog.if
---- nsaserefpolicy/policy/modules/admin/mcelog.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/admin/mcelog.if	2010-02-16 15:08:37.000000000 -0500
-@@ -0,0 +1,21 @@
-+
-+## <summary>policy for mcelog</summary>
-+
-+########################################
-+## <summary>
-+##	Execute a domain transition to run mcelog.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+##	Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`mcelog_domtrans',`
-+	gen_require(`
-+		type mcelog_t, mcelog_exec_t;
-+	')
-+
-+	domtrans_pattern($1, mcelog_exec_t, mcelog_t)
++	su_exec(logrotate_t)
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.te serefpolicy-3.7.9/policy/modules/admin/mcelog.te
---- nsaserefpolicy/policy/modules/admin/mcelog.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/admin/mcelog.te	2010-02-16 15:08:37.000000000 -0500
-@@ -0,0 +1,32 @@
-+
-+policy_module(mcelog,1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type mcelog_t;
-+type mcelog_exec_t;
-+application_domain(mcelog_t, mcelog_exec_t)
-+cron_system_entry(mcelog_t, mcelog_exec_t)
-+
-+permissive mcelog_t;
-+
-+########################################
-+#
-+# mcelog local policy
-+#
-+
-+allow mcelog_t self:capability sys_admin;
-+
-+kernel_read_system_state(mcelog_t)
-+
-+dev_read_raw_memory(mcelog_t)
-+dev_read_kmsg(mcelog_t)
-+
-+files_read_etc_files(mcelog_t)
-+
-+miscfiles_read_localization(mcelog_t)
-+
-+logging_send_syslog_msg(mcelog_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.7.9/policy/modules/admin/mrtg.te
++optional_policy(`
+ 	varnishd_manage_log(logrotate_t)
+ ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.7.15/policy/modules/admin/mrtg.te
 --- nsaserefpolicy/policy/modules/admin/mrtg.te	2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/admin/mrtg.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/admin/mrtg.te	2010-03-18 10:44:42.000000000 -0400
 @@ -116,6 +116,7 @@
  userdom_use_user_terminals(mrtg_t)
  userdom_dontaudit_read_user_home_content_files(mrtg_t)
@@ -446,9 +257,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te
  
  netutils_domtrans_ping(mrtg_t)
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.7.9/policy/modules/admin/netutils.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.fc serefpolicy-3.7.15/policy/modules/admin/netutils.fc
+--- nsaserefpolicy/policy/modules/admin/netutils.fc	2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/admin/netutils.fc	2010-03-18 10:44:42.000000000 -0400
+@@ -9,6 +9,7 @@
+ /usr/bin/nmap		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
+ /usr/bin/traceroute.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
+ 
++/usr/sbin/fping 		--	gen_context(system_u:object_r:ping_exec_t,s0)
+ /usr/sbin/traceroute.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
+ /usr/sbin/hping2		--	gen_context(system_u:object_r:ping_exec_t,s0)
+ /usr/sbin/tcpdump	--	gen_context(system_u:object_r:netutils_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.7.15/policy/modules/admin/netutils.te
 --- nsaserefpolicy/policy/modules/admin/netutils.te	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/admin/netutils.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/admin/netutils.te	2010-03-18 10:44:42.000000000 -0400
 @@ -44,6 +44,7 @@
  allow netutils_t self:packet_socket create_socket_perms;
  allow netutils_t self:udp_socket create_socket_perms;
@@ -465,7 +287,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
  userdom_use_user_terminals(netutils_t)
  userdom_use_all_users_fds(netutils_t)
  
-@@ -146,6 +148,13 @@
+@@ -146,11 +148,22 @@
  	')
  ')
  
@@ -479,7 +301,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
  optional_policy(`
  	munin_append_log(ping_t)
  ')
-@@ -211,3 +220,10 @@
+ 
+ optional_policy(`
++	nagios_rw_inerited_tmp_files(ping_t)
++')
++
++optional_policy(`
+ 	pcmcia_use_cardmgr_fds(ping_t)
+ ')
+ 
+@@ -211,3 +224,10 @@
  dev_read_rand(traceroute_t)
  dev_read_urand(traceroute_t)
  files_read_usr_files(traceroute_t)
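Review bot: The added call `nagios_rw_inerited_tmp_files(ping_t)` spells "inherited" without the h; if the interface in nagios.if is declared as `nagios_rw_inherited_tmp_files` this optional block will fail to expand at build time, and if nagios.if itself carries the misspelling the two should at least stay in sync and ideally both be corrected. nagios.if is not part of this page, so confirm which spelling the definition uses. The `@@ -211,3 +224,10 @@` header change at the end of the hunk is only a line-offset shift.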
@@ -490,29 +321,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutil
 +	term_use_all_ttys(traceroute_t)
 +	term_use_all_ptys(traceroute_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/portage.te serefpolicy-3.7.9/policy/modules/admin/portage.te
---- nsaserefpolicy/policy/modules/admin/portage.te	2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/admin/portage.te	2010-02-16 15:08:37.000000000 -0500
-@@ -196,7 +196,7 @@
- # - for rsync and distfile fetching
- #
- 
--allow portage_fetch_t self:capability { dac_override fowner fsetid };
-+allow portage_fetch_t self:capability { dac_override fowner fsetid sys_nice };
- allow portage_fetch_t self:process signal;
- allow portage_fetch_t self:unix_stream_socket create_socket_perms;
- allow portage_fetch_t self:tcp_socket create_stream_socket_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.7.9/policy/modules/admin/prelink.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-3.7.15/policy/modules/admin/prelink.fc
 --- nsaserefpolicy/policy/modules/admin/prelink.fc	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/admin/prelink.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/admin/prelink.fc	2010-03-18 10:44:42.000000000 -0400
 @@ -1,3 +1,4 @@
 +/etc/cron\.daily/prelink	--      gen_context(system_u:object_r:prelink_cron_system_exec_t,s0)
  
  /etc/prelink\.cache		--	gen_context(system_u:object_r:prelink_cache_t,s0)
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.7.9/policy/modules/admin/prelink.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.7.15/policy/modules/admin/prelink.if
 --- nsaserefpolicy/policy/modules/admin/prelink.if	2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/admin/prelink.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/admin/prelink.if	2010-03-18 10:44:42.000000000 -0400
 @@ -21,6 +21,25 @@
  
  ########################################
@@ -553,9 +372,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
 -	relabelfrom_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
 +	relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.9/policy/modules/admin/prelink.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.15/policy/modules/admin/prelink.te
 --- nsaserefpolicy/policy/modules/admin/prelink.te	2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/admin/prelink.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/admin/prelink.te	2010-03-18 10:44:42.000000000 -0400
 @@ -21,8 +21,21 @@
  type prelink_tmp_t;
  files_tmp_file(prelink_tmp_t)
@@ -620,7 +439,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
  
  optional_policy(`
  	amanda_manage_lib(prelink_t)
-@@ -99,5 +118,58 @@
+@@ -99,5 +118,59 @@
  ')
  
  optional_policy(`
@@ -661,7 +480,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
 +files_read_etc_files(prelink_cron_system_t)
 +
 +files_search_var_lib(prelink_cron_system_t)
-+files_search_var_log(prelink_cron_system_t)
 +
 +init_chat(prelink_cron_system_t)
 +init_exec(prelink_cron_system_t)
@@ -670,6 +488,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
 +
 +libs_exec_ld_so(prelink_cron_system_t)
 +
++logging_search_logs(prelink_cron_system_t)
++
 +miscfiles_read_localization(prelink_cron_system_t)
 +
 +optional_policy(`
@@ -679,9 +499,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink
 +optional_policy(`
 +	rpm_read_db(prelink_cron_system_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.te serefpolicy-3.7.9/policy/modules/admin/quota.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.te serefpolicy-3.7.15/policy/modules/admin/quota.te
 --- nsaserefpolicy/policy/modules/admin/quota.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/admin/quota.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/admin/quota.te	2010-03-18 10:44:42.000000000 -0400
 @@ -39,6 +39,7 @@
  kernel_list_proc(quota_t)
  kernel_read_proc_symlinks(quota_t)
@@ -690,9 +510,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.t
  
  dev_read_sysfs(quota_t)
  dev_getattr_all_blk_files(quota_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.7.9/policy/modules/admin/readahead.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.7.15/policy/modules/admin/readahead.te
 --- nsaserefpolicy/policy/modules/admin/readahead.te	2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/admin/readahead.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/admin/readahead.te	2010-03-18 10:44:42.000000000 -0400
 @@ -52,6 +52,7 @@
  
  files_list_non_security(readahead_t)
@@ -710,9 +530,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahe
  fs_read_tmpfs_symlinks(readahead_t)
  fs_list_inotifyfs(readahead_t)
  fs_dontaudit_search_ramfs(readahead_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.7.9/policy/modules/admin/rpm.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.7.15/policy/modules/admin/rpm.fc
 --- nsaserefpolicy/policy/modules/admin/rpm.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/admin/rpm.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/admin/rpm.fc	2010-03-18 10:44:42.000000000 -0400
 @@ -1,18 +1,19 @@
  
  /bin/rpm 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -763,9 +583,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc 
  # SuSE
  ifdef(`distro_suse', `
  /usr/bin/online_update		--	gen_context(system_u:object_r:rpm_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.7.9/policy/modules/admin/rpm.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.7.15/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/admin/rpm.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/admin/rpm.if	2010-03-18 10:44:42.000000000 -0400
 @@ -13,11 +13,36 @@
  interface(`rpm_domtrans',`
  	gen_require(`
@@ -951,7 +771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if 
  ##	Inherit and use file descriptors from RPM scripts.
  ## </summary>
  ## <param name="domain">
-@@ -219,7 +364,51 @@
+@@ -219,7 +364,71 @@
  	')
  
  	files_search_tmp($1)
@@ -960,6 +780,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if 
 +	manage_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
 +')
 +
++#####################################
++## <summary>
++##      Allow the specified domain to append
++##      to rpm tmp files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`rpm_append_tmp',`
++        gen_require(`
++                type rpm_tmp_t;
++        ')
++
++        files_search_tmp($1)
++        append_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
++')
++
 +########################################
 +## <summary>
 +##	Create, read, write, and delete RPM
@@ -1003,7 +843,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if 
  ')
  
  ########################################
-@@ -241,6 +430,25 @@
+@@ -241,6 +450,25 @@
  	allow $1 rpm_var_lib_t:dir list_dir_perms;
  	read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
  	read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
@@ -1029,7 +869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if 
  ')
  
  ########################################
-@@ -265,6 +473,48 @@
+@@ -265,6 +493,48 @@
  
  ########################################
  ## <summary>
@@ -1078,7 +918,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if 
  ##	Do not audit attempts to create, read, 
  ##	write, and delete the RPM package database.
  ## </summary>
-@@ -283,3 +533,120 @@
+@@ -283,3 +553,120 @@
  	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
  	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
  ')
@@ -1190,7 +1030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if 
 +##	</summary>
 +## </param>
 +#
-+interface(`rpm_inerited_fifo',`
++interface(`rpm_inherited_fifo',`
 +	gen_require(`
 +		attribute rpm_transition_domain;
 +	')
@@ -1199,21 +1039,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if 
 +')
 +
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.7.9/policy/modules/admin/rpm.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.7.15/policy/modules/admin/rpm.te
 --- nsaserefpolicy/policy/modules/admin/rpm.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/admin/rpm.te	2010-02-16 15:08:37.000000000 -0500
-@@ -14,6 +14,10 @@
- domain_system_change_exemption(rpm_t)
- domain_interactive_fd(rpm_t)
- role system_r types rpm_t;
++++ serefpolicy-3.7.15/policy/modules/admin/rpm.te	2010-03-18 10:44:42.000000000 -0400
+@@ -1,6 +1,8 @@
+ 
+ policy_module(rpm, 1.10.0)
+ 
 +attribute rpm_transition_domain;
 +
+ ########################################
+ #
+ # Declarations
+@@ -15,6 +17,9 @@
+ domain_interactive_fd(rpm_t)
+ role system_r types rpm_t;
+ 
 +type debuginfo_exec_t;
 +domain_entry_file(rpm_t, debuginfo_exec_t)
- 
++
  type rpm_file_t;
  files_type(rpm_file_t)
-@@ -31,11 +35,18 @@
+ 
+@@ -31,11 +36,18 @@
  files_type(rpm_var_lib_t)
  typealias rpm_var_lib_t alias var_lib_rpm_t;
  
@@ -1232,7 +1080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te 
  domain_type(rpm_script_t)
  domain_entry_file(rpm_t, rpm_script_exec_t)
  domain_interactive_fd(rpm_script_t)
-@@ -52,8 +63,9 @@
+@@ -52,8 +64,9 @@
  # rpm Local policy
  #
  
@@ -1244,7 +1092,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te 
  allow rpm_t self:process { getattr setexec setfscreate setrlimit };
  allow rpm_t self:fd use;
  allow rpm_t self:fifo_file rw_fifo_file_perms;
-@@ -68,6 +80,8 @@
+@@ -68,6 +81,8 @@
  allow rpm_t self:sem create_sem_perms;
  allow rpm_t self:msgq create_msgq_perms;
  allow rpm_t self:msg { send receive };
@@ -1253,7 +1101,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te 
  
  allow rpm_t rpm_log_t:file manage_file_perms;
  logging_log_filetrans(rpm_t, rpm_log_t, file)
-@@ -83,12 +97,21 @@
+@@ -83,12 +98,21 @@
  manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
  fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
  
@@ -1275,7 +1123,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te 
  
  corecmd_exec_all_executables(rpm_t)
  
-@@ -108,12 +131,15 @@
+@@ -108,12 +132,15 @@
  dev_list_sysfs(rpm_t)
  dev_list_usbfs(rpm_t)
  dev_read_urand(rpm_t)
@@ -1292,7 +1140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te 
  fs_search_auto_mountpoints(rpm_t)
  
  mls_file_read_all_levels(rpm_t)
-@@ -132,6 +158,8 @@
+@@ -132,6 +159,8 @@
  # for installing kernel packages
  storage_raw_read_fixed_disk(rpm_t)
  
@@ -1301,7 +1149,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te 
  auth_relabel_all_files_except_shadow(rpm_t)
  auth_manage_all_files_except_shadow(rpm_t)
  auth_dontaudit_read_shadow(rpm_t)
-@@ -155,6 +183,7 @@
+@@ -155,6 +184,7 @@
  files_exec_etc_files(rpm_t)
  
  init_domtrans_script(rpm_t)
@@ -1309,7 +1157,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te 
  
  libs_exec_ld_so(rpm_t)
  libs_exec_lib_files(rpm_t)
-@@ -174,7 +203,19 @@
+@@ -174,7 +204,19 @@
  ')
  
  optional_policy(`
@@ -1330,7 +1178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te 
  ')
  
  optional_policy(`
-@@ -182,36 +223,19 @@
+@@ -182,36 +224,19 @@
  ')
  
  optional_policy(`
@@ -1371,7 +1219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te 
  allow rpm_script_t self:fd use;
  allow rpm_script_t self:fifo_file rw_fifo_file_perms;
  allow rpm_script_t self:unix_dgram_socket create_socket_perms;
-@@ -222,12 +246,15 @@
+@@ -222,12 +247,15 @@
  allow rpm_script_t self:sem create_sem_perms;
  allow rpm_script_t self:msgq create_msgq_perms;
  allow rpm_script_t self:msg { send receive };
@@ -1387,7 +1235,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te 
  files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
  
  manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
-@@ -239,6 +266,9 @@
+@@ -239,6 +267,9 @@
  
  kernel_read_kernel_sysctls(rpm_script_t)
  kernel_read_system_state(rpm_script_t)
@@ -1397,7 +1245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te 
  
  dev_list_sysfs(rpm_script_t)
  
-@@ -254,7 +284,9 @@
+@@ -254,7 +285,9 @@
  fs_getattr_xattr_fs(rpm_script_t)
  fs_mount_xattr_fs(rpm_script_t)
  fs_unmount_xattr_fs(rpm_script_t)
@@ -1407,7 +1255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te 
  
  mcs_killall(rpm_script_t)
  mcs_ptrace_all(rpm_script_t)
-@@ -272,14 +304,19 @@
+@@ -272,14 +305,19 @@
  storage_raw_read_fixed_disk(rpm_script_t)
  storage_raw_write_fixed_disk(rpm_script_t)
  
@@ -1427,7 +1275,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te 
  
  domain_read_all_domains_state(rpm_script_t)
  domain_getattr_all_domains(rpm_script_t)
-@@ -291,8 +328,10 @@
+@@ -291,8 +329,10 @@
  files_exec_etc_files(rpm_script_t)
  files_read_etc_runtime_files(rpm_script_t)
  files_exec_usr_files(rpm_script_t)
@@ -1438,7 +1286,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te 
  
  libs_exec_ld_so(rpm_script_t)
  libs_exec_lib_files(rpm_script_t)
-@@ -308,12 +347,15 @@
+@@ -308,12 +348,15 @@
  seutil_domtrans_loadpolicy(rpm_script_t)
  seutil_domtrans_setfiles(rpm_script_t)
  seutil_domtrans_semanage(rpm_script_t)
@@ -1454,7 +1302,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te 
  	')
  ')
  
-@@ -326,13 +368,22 @@
+@@ -326,13 +369,22 @@
  ')
  
  optional_policy(`
@@ -1478,192 +1326,223 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te 
  
  	optional_policy(`
  		java_domtrans_unconfined(rpm_script_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.fc serefpolicy-3.7.9/policy/modules/admin/shorewall.fc
---- nsaserefpolicy/policy/modules/admin/shorewall.fc	2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/admin/shorewall.fc	2010-02-16 15:08:37.000000000 -0500
-@@ -4,8 +4,11 @@
- /etc/shorewall(/.*)?				gen_context(system_u:object_r:shorewall_etc_t,s0)
- /etc/shorewall-lite(/.*)?			gen_context(system_u:object_r:shorewall_etc_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.7.15/policy/modules/admin/shorewall.te
+--- nsaserefpolicy/policy/modules/admin/shorewall.te	2010-03-08 14:49:44.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/admin/shorewall.te	2010-03-18 10:44:42.000000000 -0400
+@@ -87,7 +87,7 @@
  
--/sbin/shorewall				--	gen_context(system_u:object_r:shorewall_exec_t,s0)
-+/sbin/shorewall6?			--	gen_context(system_u:object_r:shorewall_exec_t,s0)
- /sbin/shorewall-lite			--	gen_context(system_u:object_r:shorewall_exec_t,s0)
+ sysnet_domtrans_ifconfig(shorewall_t)
  
- /var/lib/shorewall(/.*)?			gen_context(system_u:object_r:shorewall_var_lib_t,s0)
-+/var/lib/shorewall6(/.*)?			gen_context(system_u:object_r:shorewall_var_lib_t,s0)
- /var/lib/shorewall-lite(/.*)?			gen_context(system_u:object_r:shorewall_var_lib_t,s0)
-+
-+/var/log/shorewall.*				gen_context(system_u:object_r:shorewall_log_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.if serefpolicy-3.7.9/policy/modules/admin/shorewall.if
---- nsaserefpolicy/policy/modules/admin/shorewall.if	2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/admin/shorewall.if	2010-02-16 15:08:37.000000000 -0500
-@@ -75,6 +75,46 @@
- 	rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
- ')
+-userdom_dontaudit_list_user_home_dirs(shorewall_t)
++userdom_dontaudit_list_admin_dir(shorewall_t)
  
-+######################################
+ optional_policy(`
+ 	iptables_domtrans(shorewall_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.fc serefpolicy-3.7.15/policy/modules/admin/shutdown.fc
+--- nsaserefpolicy/policy/modules/admin/shutdown.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/admin/shutdown.fc	2010-03-18 10:44:42.000000000 -0400
+@@ -0,0 +1,5 @@
++/etc/nologin			--	gen_context(system_u:object_r:shutdown_etc_t,s0)
++
++/sbin/shutdown			--	gen_context(system_u:object_r:shutdown_exec_t,s0)
++
++/var/run/shutdown\.pid 	--	gen_context(system_u:object_r:shutdown_var_run_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.if serefpolicy-3.7.15/policy/modules/admin/shutdown.if
+--- nsaserefpolicy/policy/modules/admin/shutdown.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/admin/shutdown.if	2010-03-18 10:44:42.000000000 -0400
+@@ -0,0 +1,118 @@
++
++## <summary>policy for shutdown</summary>
++
++########################################
 +## <summary>
-+##      Read shorewall /var/lib files.
++##	Execute a domain transition to run shutdown.
 +## </summary>
 +## <param name="domain">
-+##      <summary>
-+##      Domain allowed access.
-+##      </summary>
++## <summary>
++##	Domain allowed to transition.
++## </summary>
 +## </param>
 +#
-+interface(`shorewall_read_var_lib',`
-+        gen_require(`
-+                type shorewall_t;
-+       ')
++interface(`shutdown_domtrans',`
++	gen_require(`
++		type shutdown_t, shutdown_exec_t;
++	')
 +
-+        files_search_var_lib($1)
-+        search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
-+        read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
++	domtrans_pattern($1, shutdown_exec_t, shutdown_t)
++
++	ifdef(`hide_broken_symptoms', `
++		dontaudit shutdown_t $1:socket_class_set { read write };
++		dontaudit shutdown_t $1:fifo_file rw_inherited_fifo_file_perms;
++	')
 +')
 +
-+#######################################
++
++########################################
 +## <summary>
-+##      Read and write shorewall /var/lib files.
++##	Execute shutdown in the shutdown domain, and
++##	allow the specified role the shutdown domain.
 +## </summary>
 +## <param name="domain">
-+##      <summary>
-+##      Domain allowed access.
-+##      </summary>
++##	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed the shutdown domain.
++##	</summary>
 +## </param>
 +#
-+interface(`shorewall_rw_var_lib',`
-+        gen_require(`
-+                type shorewall_t;
-+       ')
++interface(`shutdown_run',`
++	gen_require(`
++		type shutdown_t;
++	')
 +
-+        files_search_var_lib($1)
-+        search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
-+        rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
++	shutdown_domtrans($1)
++	role $2 types shutdown_t;
 +')
 +
- #######################################
- ## <summary>
- ##	All of the rules required to administrate 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewall.te serefpolicy-3.7.9/policy/modules/admin/shorewall.te
---- nsaserefpolicy/policy/modules/admin/shorewall.te	2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/admin/shorewall.te	2010-02-16 15:08:37.000000000 -0500
-@@ -29,6 +29,9 @@
- type shorewall_var_lib_t;
- files_type(shorewall_var_lib_t)
- 
-+type shorewall_log_t;
-+logging_log_file(shorewall_log_t)
++########################################
++## <summary>
++##	Role access for shutdown
++## </summary>
++## <param name="role">
++##	<summary>
++##	Role allowed access
++##	</summary>
++## </param>
++## <param name="domain">
++##	<summary>
++##	User domain for the role
++##	</summary>
++## </param>
++#
++interface(`shutdown_role',`
++	gen_require(`
++              type shutdown_t;
++	')
 +
- ########################################
- #
- # shorewall local policy
-@@ -49,6 +52,10 @@
- manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
- files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file })
- 
-+manage_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
-+manage_dirs_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
-+logging_log_filetrans(shorewall_t, shorewall_log_t, { file dir })
++	role $1 types shutdown_t;
 +
- manage_dirs_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t)
- manage_files_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t)
- files_tmp_filetrans(shorewall_t, shorewall_tmp_t, { file dir })
-@@ -80,6 +87,8 @@
- 
- sysnet_domtrans_ifconfig(shorewall_t)
- 
-+userdom_dontaudit_list_admin_dir(shorewall_t)
++	shutdown_domtrans($2)
 +
- optional_policy(`
- 	iptables_domtrans(shorewall_t)
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.fc serefpolicy-3.7.9/policy/modules/admin/smoltclient.fc
---- nsaserefpolicy/policy/modules/admin/smoltclient.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/admin/smoltclient.fc	2010-02-16 15:08:37.000000000 -0500
-@@ -0,0 +1,4 @@
++	ps_process_pattern($2, shutdown_t)
++	allow $2 shutdown_t:process signal;
++')
 +
-+/usr/share/smolt/client/sendProfile.py	--	gen_context(system_u:object_r:smoltclient_exec_t,s0)	
++########################################
++## <summary>
++##	Recieve sigchld from shutdown
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++#
++interface(`shutdown_send_sigchld',`
++	gen_require(`
++              type shutdown_t;
++	')
 +
++	allow shutdown_t $1:process signal;
++')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.if serefpolicy-3.7.9/policy/modules/admin/smoltclient.if
---- nsaserefpolicy/policy/modules/admin/smoltclient.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/admin/smoltclient.if	2010-02-16 15:08:37.000000000 -0500
-@@ -0,0 +1 @@
-+## <summary>The Fedora hardware profiler client</summary>
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/smoltclient.te serefpolicy-3.7.9/policy/modules/admin/smoltclient.te
---- nsaserefpolicy/policy/modules/admin/smoltclient.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/admin/smoltclient.te	2010-02-16 15:08:37.000000000 -0500
-@@ -0,0 +1,66 @@
-+policy_module(smoltclient,1.0.0)
++########################################
++## <summary>
++##	Send and receive messages from
++##	shutdown over dbus.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`shutdown_dbus_chat',`
++	gen_require(`
++		type shutdown_t;
++		class dbus send_msg;
++	')
++
++	allow $1 shutdown_t:dbus send_msg;
++	allow shutdown_t $1:dbus send_msg;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.te serefpolicy-3.7.15/policy/modules/admin/shutdown.te
+--- nsaserefpolicy/policy/modules/admin/shutdown.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/admin/shutdown.te	2010-03-18 10:44:42.000000000 -0400
+@@ -0,0 +1,57 @@
++policy_module(shutdown,1.0.0)
 +
 +########################################
 +#
 +# Declarations
 +#
 +
-+type smoltclient_t;
-+type smoltclient_exec_t;
-+application_domain(smoltclient_t, smoltclient_exec_t)
-+cron_system_entry(smoltclient_t, smoltclient_exec_t)
++type shutdown_t;
++type shutdown_exec_t;
++application_domain(shutdown_t, shutdown_exec_t)
++role system_r types shutdown_t;
 +
-+type smoltclient_tmp_t;
-+files_tmp_file(smoltclient_tmp_t)
++type shutdown_etc_t;
++files_config_file(shutdown_etc_t)
++
++type shutdown_var_run_t;
++files_pid_file(shutdown_var_run_t)
++
++permissive shutdown_t;
 +
 +########################################
 +#
-+# Local policy
++# shutdown local policy
 +#
-+allow smoltclient_t self:process { setsched getsched }; 
-+
-+allow smoltclient_t self:fifo_file rw_fifo_file_perms;
-+allow smoltclient_t self:tcp_socket create_socket_perms;
-+allow smoltclient_t self:udp_socket create_socket_perms;
 +
-+can_exec(smoltclient_t, smoltclient_tmp_t)
-+manage_dirs_pattern(smoltclient_t, smoltclient_tmp_t, smoltclient_tmp_t)
-+manage_files_pattern(smoltclient_t, smoltclient_tmp_t, smoltclient_tmp_t)
-+files_tmp_filetrans(smoltclient_t, smoltclient_tmp_t, { dir file })
++allow shutdown_t self:capability { dac_override kill setuid sys_tty_config };
++allow shutdown_t self:process { fork signal };
 +
-+kernel_read_system_state(smoltclient_t)
-+kernel_read_network_state(smoltclient_t)
-+kernel_read_kernel_sysctls(smoltclient_t)
++allow shutdown_t self:fifo_file manage_fifo_file_perms;
++allow shutdown_t self:unix_stream_socket create_stream_socket_perms;
 +
-+corecmd_exec_bin(smoltclient_t)
-+corecmd_exec_shell(smoltclient_t)
++manage_files_pattern(shutdown_t, shutdown_etc_t, shutdown_etc_t)
++files_etc_filetrans(shutdown_t, shutdown_etc_t, file)
 +
-+corenet_tcp_connect_http_port(smoltclient_t)
++manage_files_pattern(shutdown_t, shutdown_var_run_t, shutdown_var_run_t)
++files_pid_filetrans(shutdown_t, shutdown_var_run_t, file)
 +
-+dev_read_sysfs(smoltclient_t)
++files_read_etc_files(shutdown_t)
++files_read_generic_pids(shutdown_t)
 +
-+fs_getattr_all_fs(smoltclient_t)
-+fs_getattr_all_dirs(smoltclient_t)
++term_use_all_terms(shutdown_t)
 +
-+files_getattr_generic_locks(smoltclient_t)
-+files_read_etc_files(smoltclient_t)
-+files_read_usr_files(smoltclient_t)
++auth_use_nsswitch(shutdown_t)
++auth_write_login_records(shutdown_t)
 +
-+auth_use_nsswitch(smoltclient_t)
++init_dontaudit_write_utmp(shutdown_t)
++init_read_utmp(shutdown_t)
++init_telinit(shutdown_t)
 +
-+logging_send_syslog_msg(smoltclient_t)
-+
-+miscfiles_read_localization(smoltclient_t)
-+
-+optional_policy(`
-+	dbus_system_bus_client(smoltclient_t)
-+')
++logging_send_audit_msgs(shutdown_t)
 +
-+optional_policy(`
-+	hal_dbus_chat(smoltclient_t)
-+')
++miscfiles_read_localization(shutdown_t)
 +
 +optional_policy(`
-+	rpm_exec(smoltclient_t)
-+	rpm_read_db(smoltclient_t)
++	dbus_system_bus_client(shutdown_t)
++	dbus_connect_system_bus(shutdown_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.7.9/policy/modules/admin/sudo.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.7.15/policy/modules/admin/sudo.if
 --- nsaserefpolicy/policy/modules/admin/sudo.if	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/admin/sudo.if	2010-02-16 15:08:37.000000000 -0500
-@@ -78,7 +78,7 @@
++++ serefpolicy-3.7.15/policy/modules/admin/sudo.if	2010-03-18 10:44:42.000000000 -0400
+@@ -73,12 +73,16 @@
+ 	# Enter this derived domain from the user domain
+ 	domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
+ 
++	ifdef(`hide_broken_symptoms', `
++		dontaudit $1_sudo_t $3:socket_class_set { read write };
++	')
++
+ 	# By default, revert to the calling domain when a shell is executed.
+ 	corecmd_shell_domtrans($1_sudo_t, $3)
  	corecmd_bin_domtrans($1_sudo_t, $3)
  	allow $3 $1_sudo_t:fd use;
  	allow $3 $1_sudo_t:fifo_file rw_file_perms;
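Review bot: `shutdown_send_sigchld` in the new shutdown.if is named and summarised as "Recieve sigchld from shutdown" but its only rule is `allow shutdown_t $1:process signal;`, which lets shutdown_t deliver any signal to the caller's domain rather than only SIGCHLD; either the rule should be `allow shutdown_t $1:process sigchld;` or the name and summary should say signal, and the summary typo should read "Receive". shutdown.te declares `permissive shutdown_t;`, so none of the rules for a domain that holds `dac_override kill setuid sys_tty_config`, `term_use_all_terms(shutdown_t)` and the `/etc` filetrans for shutdown_etc_t are enforced; if that is deliberate bootstrapping for a new domain, a comment such as `# TODO: drop permissive once shutdown_t has been exercised in enforcing mode` above it would record the intent. Minor: `shutdown_role` and `shutdown_send_sigchld` indent their `gen_require` bodies with spaces where `shutdown_domtrans`, `shutdown_run` and `shutdown_dbus_chat` use tabs, and the shutdown.fc entry for `/var/run/shutdown\.pid` has a stray space before the tab.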
@@ -1672,7 +1551,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if
  
  	kernel_read_kernel_sysctls($1_sudo_t)
  	kernel_read_system_state($1_sudo_t)
-@@ -135,6 +135,9 @@
+@@ -135,6 +139,9 @@
  	userdom_use_user_terminals($1_sudo_t)
  	# for some PAM modules and for cwd
  	userdom_dontaudit_search_user_home_content($1_sudo_t)
@@ -1682,9 +1561,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if
  
  	tunable_policy(`use_nfs_home_dirs',`
  		fs_manage_nfs_files($1_sudo_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.7.9/policy/modules/admin/tmpreaper.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.7.15/policy/modules/admin/su.if
+--- nsaserefpolicy/policy/modules/admin/su.if	2010-02-12 10:33:09.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/admin/su.if	2010-03-18 10:44:42.000000000 -0400
+@@ -58,6 +58,10 @@
+ 	allow $2 $1_su_t:fifo_file rw_file_perms;
+ 	allow $2 $1_su_t:process sigchld;
+ 
++ifdef(`hide_broken_symptoms', `
++	dontaudit $1_su_t $2:socket_class_set { read write };
++')
++
+ 	kernel_read_system_state($1_su_t)
+ 	kernel_read_kernel_sysctls($1_su_t)
+ 	kernel_search_key($1_su_t)
+@@ -183,6 +187,10 @@
+ 
+ 	# Transition from the user domain to this domain.
+ 	domtrans_pattern($3, su_exec_t, $1_su_t)
++ifdef(`hide_broken_symptoms', `
++	dontaudit $1_su_t $3:socket_class_set { read write };
++')
++
+ 
+ 	ps_process_pattern($3, $1_su_t)
+ 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.7.15/policy/modules/admin/tmpreaper.te
 --- nsaserefpolicy/policy/modules/admin/tmpreaper.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/admin/tmpreaper.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/admin/tmpreaper.te	2010-03-18 10:44:42.000000000 -0400
 @@ -42,6 +42,7 @@
  cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
  
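Review bot: The two `hide_broken_symptoms` blocks added to su.if start at column 0 inside template bodies whose neighbouring lines are tab-indented (`allow $2 $1_su_t:process sigchld;`, `kernel_read_system_state($1_su_t)`), whereas the equivalent block this commit adds to sudo.if is tab-indented; prefixing the `ifdef(` line and the closing `')` with one tab and the `dontaudit` with two would make them consistent. The second su.if block is also followed by two consecutive blank lines before `ps_process_pattern($3, $1_su_t)`. The same column-0 placement appears in the chfn, groupadd and useradd blocks added to usermanage.if in the next hunk, where the useradd variant additionally lacks the blank line that separates `domtrans_pattern(...)` from `ifdef(` in the chfn, groupadd and passwd variants.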
@@ -1707,33 +1611,69 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap
  	kismet_manage_log(tmpreaper_t)
  ')
  
-@@ -60,5 +68,9 @@
+@@ -60,5 +68,15 @@
  ')
  
  optional_policy(`
++	sandbox_list(tmpreaper_t)
++	sandbox_delete_dirs(tmpreaper_t)
++	sandbox_delete_files(tmpreaper_t)
++')
++
++optional_policy(`
 +	rpm_manage_cache(tmpreaper_t)
 +')
 +
 +optional_policy(`
  	unconfined_domain(tmpreaper_t)
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.7.9/policy/modules/admin/usermanage.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.7.15/policy/modules/admin/usermanage.if
 --- nsaserefpolicy/policy/modules/admin/usermanage.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/admin/usermanage.if	2010-02-16 15:08:37.000000000 -0500
-@@ -113,6 +113,12 @@
++++ serefpolicy-3.7.15/policy/modules/admin/usermanage.if	2010-03-18 10:44:42.000000000 -0400
+@@ -18,6 +18,10 @@
+ 	files_search_usr($1)
+ 	corecmd_search_bin($1)
+ 	domtrans_pattern($1, chfn_exec_t, chfn_t)
++
++ifdef(`hide_broken_symptoms', `
++	dontaudit chfn_t $1:socket_class_set { read write };
++')
+ ')
+ 
+ ########################################
+@@ -63,6 +67,10 @@
+ 	files_search_usr($1)
+ 	corecmd_search_bin($1)
+ 	domtrans_pattern($1, groupadd_exec_t, groupadd_t)
++
++ifdef(`hide_broken_symptoms', `
++	dontaudit groupadd_t $1:socket_class_set { read write };
++')
+ ')
+ 
+ ########################################
+@@ -113,6 +121,10 @@
  	files_search_usr($1)
  	corecmd_search_bin($1)
  	domtrans_pattern($1, passwd_exec_t, passwd_t)
 +
 +ifdef(`hide_broken_symptoms', `
-+	dontaudit passwd_t $1:unix_stream_socket rw_socket_perms;
-+	dontaudit passwd_t $1:unix_dgram_socket rw_socket_perms;
-+	dontaudit passwd_t $1:tcp_socket rw_socket_perms;
++	dontaudit passwd_t $1:socket_class_set { read write };
++')
+ ')
+ 
+ ########################################
+@@ -247,6 +259,9 @@
+ 	files_search_usr($1)
+ 	corecmd_search_bin($1)
+ 	domtrans_pattern($1, useradd_exec_t, useradd_t)
++ifdef(`hide_broken_symptoms', `
++	dontaudit useradd_t $1:socket_class_set { read write };
 +')
  ')
  
  ########################################
-@@ -274,6 +280,11 @@
+@@ -274,6 +289,11 @@
  	usermanage_domtrans_useradd($1)
  	role $2 types useradd_t;
  
@@ -1745,9 +1685,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
  	optional_policy(`
  		nscd_run(useradd_t, $2)
  	')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.7.9/policy/modules/admin/usermanage.te
---- nsaserefpolicy/policy/modules/admin/usermanage.te	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/admin/usermanage.te	2010-02-16 15:08:37.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.7.15/policy/modules/admin/usermanage.te
+--- nsaserefpolicy/policy/modules/admin/usermanage.te	2010-02-18 14:06:31.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/admin/usermanage.te	2010-03-18 10:44:42.000000000 -0400
 @@ -209,6 +209,7 @@
  files_manage_etc_files(groupadd_t)
  files_relabel_etc_files(groupadd_t)
@@ -1789,19 +1729,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
  
  files_manage_etc_files(useradd_t)
  files_search_var_lib(useradd_t)
-@@ -498,10 +502,8 @@
+@@ -498,12 +502,8 @@
  
  userdom_use_unpriv_users_fds(useradd_t)
  # Add/remove user home directories
+-userdom_manage_user_home_dirs(useradd_t)
+ userdom_home_filetrans_user_home_dir(useradd_t)
 -userdom_manage_user_home_content_dirs(useradd_t)
 -userdom_manage_user_home_content_files(useradd_t)
- userdom_home_filetrans_user_home_dir(useradd_t)
+-userdom_home_filetrans_user_home_dir(useradd_t)
 -userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
 +userdom_manage_home_role(system_r, useradd_t)
  
  mta_manage_spool(useradd_t)
  
-@@ -525,6 +527,12 @@
+@@ -527,6 +527,12 @@
  ')
  
  optional_policy(`
@@ -1814,44 +1756,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman
  	puppet_rw_tmp(useradd_t)
  ')
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.7.9/policy/modules/admin/vbetool.te
---- nsaserefpolicy/policy/modules/admin/vbetool.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/admin/vbetool.te	2010-02-16 15:08:37.000000000 -0500
-@@ -15,15 +15,20 @@
- # Local policy
- #
- 
--allow vbetool_t self:capability { sys_tty_config sys_admin };
-+allow vbetool_t self:capability { dac_override sys_tty_config sys_admin };
- allow vbetool_t self:process execmem;
- 
- dev_wx_raw_memory(vbetool_t)
- dev_read_raw_memory(vbetool_t)
- dev_rwx_zero(vbetool_t)
--dev_read_sysfs(vbetool_t)
-+dev_rw_sysfs(vbetool_t)
-+dev_rw_xserver_misc(vbetool_t)
-+dev_rw_mtrr(vbetool_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.7.15/policy/modules/admin/vbetool.te
+--- nsaserefpolicy/policy/modules/admin/vbetool.te	2010-02-22 08:30:53.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/admin/vbetool.te	2010-03-18 10:44:42.000000000 -0400
+@@ -25,7 +25,13 @@
+ dev_rw_xserver_misc(vbetool_t)
+ dev_rw_mtrr(vbetool_t)
  
 +domain_mmap_low_type(vbetool_t)
 +tunable_policy(`mmap_low_allowed',`
  domain_mmap_low(vbetool_t)
 +')
++
++mls_file_read_all_levels(vbetool_t)
++mls_file_write_all_levels(vbetool_t)
  
  term_use_unallocated_ttys(vbetool_t)
  
-@@ -34,3 +39,8 @@
- 	hal_write_log(vbetool_t)
- 	hal_dontaudit_append_lib_files(vbetool_t)
- ')
-+
-+optional_policy(`
-+	xserver_exec_pid(vbetool_t)
-+	xserver_write_pid(vbetool_t)
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.7.9/policy/modules/admin/vpn.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.7.15/policy/modules/admin/vpn.te
 --- nsaserefpolicy/policy/modules/admin/vpn.te	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/admin/vpn.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/admin/vpn.te	2010-03-18 10:44:42.000000000 -0400
+@@ -31,7 +31,7 @@
+ allow vpnc_t self:rawip_socket create_socket_perms;
+ allow vpnc_t self:unix_dgram_socket create_socket_perms;
+ allow vpnc_t self:unix_stream_socket create_socket_perms;
+-allow vpnc_t self:tun_socket create;
++allow vpnc_t self:tun_socket  { create_socket_perms };
+ # cjp: this needs to be fixed
+ allow vpnc_t self:socket create_socket_perms;
+ 
 @@ -46,6 +46,7 @@
  kernel_read_system_state(vpnc_t)
  kernel_read_network_state(vpnc_t)
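Review bot: `+mls_file_read_all_levels(vbetool_t)` and `+mls_file_write_all_levels(vbetool_t)` exempt vbetool_t from MLS file range checks in both directions, and nothing in the hunk records which denial this resolves or why write access at all levels is required rather than read only. A comment above the pair naming the triggering denial would keep the override from surviving unexamined on MLS builds. In the vpn.te part of the same hunk, `+allow vpnc_t self:tun_socket  { create_socket_perms };` wraps a permission macro in redundant braces and carries a double space; the sibling lines' form, `allow vpnc_t self:tun_socket create_socket_perms;`, is the consistent one.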
@@ -1868,28 +1801,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te 
  
  optional_policy(`
  	dbus_system_bus_client(vpnc_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cdrecord.te serefpolicy-3.7.9/policy/modules/apps/cdrecord.te
---- nsaserefpolicy/policy/modules/apps/cdrecord.te	2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/cdrecord.te	2010-02-16 15:08:37.000000000 -0500
-@@ -32,6 +32,8 @@
- allow cdrecord_t self:unix_dgram_socket create_socket_perms;
- allow cdrecord_t self:unix_stream_socket create_stream_socket_perms;
- 
-+corecmd_exec_bin(cdrecord_t) 
-+
- # allow searching for cdrom-drive
- dev_list_all_dev_nodes(cdrecord_t) 
- dev_read_sysfs(cdrecord_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.fc serefpolicy-3.7.9/policy/modules/apps/chrome.fc
+@@ -115,3 +117,7 @@
+ 		networkmanager_dbus_chat(vpnc_t)
+ 	')
+ ')
++
++optional_policy(`
++	networkmanager_attach_tun_iface(vpnc_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.fc serefpolicy-3.7.15/policy/modules/apps/chrome.fc
 --- nsaserefpolicy/policy/modules/apps/chrome.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/chrome.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/chrome.fc	2010-03-18 10:44:42.000000000 -0400
 @@ -0,0 +1,2 @@
 +
 +/usr/lib(64)?/chromium-browser/chrome-sandbox	--	gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.7.9/policy/modules/apps/chrome.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.if serefpolicy-3.7.15/policy/modules/apps/chrome.if
 --- nsaserefpolicy/policy/modules/apps/chrome.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/chrome.if	2010-02-16 15:08:37.000000000 -0500
-@@ -0,0 +1,86 @@
++++ serefpolicy-3.7.15/policy/modules/apps/chrome.if	2010-03-18 10:44:42.000000000 -0400
+@@ -0,0 +1,90 @@
 +
 +## <summary>policy for chrome</summary>
 +
@@ -1910,6 +1839,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.i
 +
 +	domtrans_pattern($1,chrome_sandbox_exec_t,chrome_sandbox_t)
 +	ps_process_pattern(chrome_sandbox_t, $1)
++ifdef(`hide_broken_symptoms', `
++	dontaudit chrome_sandbox_t $1:socket_class_set { read write };
++	fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t)
++')
 +')
 +
 +
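Review bot: `+	fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t)` inside the new hide_broken_symptoms block does not reference `$1`, so it is re-emitted for every caller of this interface and belongs in chrome.te beside the other chrome_sandbox_t dontaudit rules; only `dontaudit chrome_sandbox_t $1:socket_class_set { read write };` actually depends on the calling domain. The enclosing interface's header is outside the hunk.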
@@ -1976,10 +1909,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.i
 +	allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms;
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.7.9/policy/modules/apps/chrome.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.7.15/policy/modules/apps/chrome.te
 --- nsaserefpolicy/policy/modules/apps/chrome.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/chrome.te	2010-02-16 15:08:37.000000000 -0500
-@@ -0,0 +1,82 @@
++++ serefpolicy-3.7.15/policy/modules/apps/chrome.te	2010-03-18 10:44:42.000000000 -0400
+@@ -0,0 +1,84 @@
 +policy_module(chrome,1.0.0)
 +
 +########################################
@@ -2003,7 +1936,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.t
 +#
 +# chrome_sandbox local policy
 +#
-+allow chrome_sandbox_t self:capability { setuid sys_admin sys_ptrace dac_override sys_chroot chown fsetid setgid };
++allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
 +allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
 +allow chrome_sandbox_t self:fifo_file manage_file_perms;
 +allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms;
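Review bot: `allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };` is now sorted but still carries no comment on why the sandbox helper needs the privileged entries (sys_admin, sys_chroot, sys_ptrace, dac_override), which together make this one of the broadest capability sets in the apps layer. A comment above the line naming the sandbox operation each of those serves would let a later reviewer prune the set when the helper changes. The local-policy section continues outside the hunk.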
@@ -2025,9 +1958,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.t
 +domain_dontaudit_read_all_domains_state(chrome_sandbox_t)
 +
 +dev_read_urand(chrome_sandbox_t)
++dev_read_sysfs(chrome_sandbox_t)
 +
 +files_read_etc_files(chrome_sandbox_t)
 +
++fs_dontaudit_getattr_all_fs(chrome_sandbox_t)
++
 +userdom_rw_user_tmpfs_files(chrome_sandbox_t)
 +userdom_use_user_ptys(chrome_sandbox_t)
 +userdom_write_inherited_user_tmp_files(chrome_sandbox_t)
@@ -2061,10 +1997,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.t
 +	fs_dontaudit_append_cifs_files(chrome_sandbox_t)
 +	fs_dontaudit_read_cifs_files(chrome_sandbox_t)
 +')
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.7.9/policy/modules/apps/cpufreqselector.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqselector.te serefpolicy-3.7.15/policy/modules/apps/cpufreqselector.te
 --- nsaserefpolicy/policy/modules/apps/cpufreqselector.te	2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/cpufreqselector.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/cpufreqselector.te	2010-03-18 10:44:42.000000000 -0400
 @@ -26,7 +26,7 @@
  dev_rw_sysfs(cpufreqselector_t)
  
@@ -2074,11 +2009,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/cpufreqs
  
  optional_policy(`
  	dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.7.9/policy/modules/apps/execmem.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.7.15/policy/modules/apps/execmem.fc
 --- nsaserefpolicy/policy/modules/apps/execmem.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/execmem.fc	2010-02-16 15:08:37.000000000 -0500
-@@ -0,0 +1,43 @@
++++ serefpolicy-3.7.15/policy/modules/apps/execmem.fc	2010-03-18 10:44:42.000000000 -0400
+@@ -0,0 +1,45 @@
++
 +/usr/bin/aticonfig	--	gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/bin/compiz		--	gen_context(system_u:object_r:execmem_exec_t,s0)
 +/usr/bin/darcs 		--	gen_context(system_u:object_r:execmem_exec_t,s0)
 +/usr/bin/haddock.*  	--	gen_context(system_u:object_r:execmem_exec_t,s0)
 +/usr/bin/hasktags   	--	gen_context(system_u:object_r:execmem_exec_t,s0)
@@ -2121,10 +2058,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.
 +
 +/opt/google/chrome/chrome -- gen_context(system_u:object_r:execmem_exec_t,s0)
 +/opt/Komodo-Edit-5/lib/mozilla/komodo-bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.7.9/policy/modules/apps/execmem.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.7.15/policy/modules/apps/execmem.if
 --- nsaserefpolicy/policy/modules/apps/execmem.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/execmem.if	2010-02-16 15:08:37.000000000 -0500
-@@ -0,0 +1,108 @@
++++ serefpolicy-3.7.15/policy/modules/apps/execmem.if	2010-03-18 10:44:42.000000000 -0400
+@@ -0,0 +1,118 @@
 +## <summary>execmem domain</summary>
 +
 +########################################
@@ -2189,7 +2126,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.
 +	allow $1_execmem_t self:process { execmem execstack };
 +	allow $3 $1_execmem_t:process { getattr ptrace noatsecure signal_perms };
 +	domtrans_pattern($3, execmem_exec_t, $1_execmem_t)
-+
++ifdef(`hide_broken_symptoms', `
++	dontaudit $1_execmem_t $3:socket_class_set { read write };
++')
 +	files_execmod_tmp($1_execmem_t)
 +
 +	optional_policy(`
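Review bot: The `+ifdef(`hide_broken_symptoms', `` block sits at column 0 inside the tab-indented template body and takes the place of the blank line that separated `domtrans_pattern` from `files_execmod_tmp`, so the body now reads as one unbroken run; indent the three lines with a tab like their neighbours and keep a blank line after the closing `')`. The chrome.if hunk above places its `+ifdef(`hide_broken_symptoms', `` block at column 0 in the same way. The enclosing template starts and ends outside the hunk.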
@@ -2206,6 +2145,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.
 +	')
 +
 +	optional_policy(`
++		mozilla_exec_domtrans($3, $1_execmem_t)
++	')
++
++	optional_policy(`
++		mplayer_exec_domtrans($3, $1_execmem_t)
++	')
++
++	optional_policy(`
 +		xserver_role($2, $1_execmem_t)
 +	')
 +')
@@ -2233,9 +2180,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.
 +
 +	domtrans_pattern($1, execmem_exec_t, $2)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.te serefpolicy-3.7.9/policy/modules/apps/execmem.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.te serefpolicy-3.7.15/policy/modules/apps/execmem.te
 --- nsaserefpolicy/policy/modules/apps/execmem.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/execmem.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/execmem.te	2010-03-18 10:44:42.000000000 -0400
 @@ -0,0 +1,11 @@
 +
 +policy_module(execmem, 1.0.0)
@@ -2248,16 +2195,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.
 +type execmem_exec_t alias unconfined_execmem_exec_t;
 +application_executable_file(execmem_exec_t)
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.fc serefpolicy-3.7.9/policy/modules/apps/firewallgui.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.fc serefpolicy-3.7.15/policy/modules/apps/firewallgui.fc
 --- nsaserefpolicy/policy/modules/apps/firewallgui.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/firewallgui.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/firewallgui.fc	2010-03-18 10:44:42.000000000 -0400
 @@ -0,0 +1,3 @@
 +
 +/usr/share/system-config-firewall/system-config-firewall-mechanism.py	--	gen_context(system_u:object_r:firewallgui_exec_t,s0)
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.if serefpolicy-3.7.9/policy/modules/apps/firewallgui.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.if serefpolicy-3.7.15/policy/modules/apps/firewallgui.if
 --- nsaserefpolicy/policy/modules/apps/firewallgui.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/firewallgui.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/firewallgui.if	2010-03-18 10:44:42.000000000 -0400
 @@ -0,0 +1,23 @@
 +
 +## <summary>policy for firewallgui</summary>
@@ -2282,9 +2229,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall
 +	allow $1 firewallgui_t:dbus send_msg;
 +	allow firewallgui_t $1:dbus send_msg;
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.7.9/policy/modules/apps/firewallgui.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.7.15/policy/modules/apps/firewallgui.te
 --- nsaserefpolicy/policy/modules/apps/firewallgui.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/firewallgui.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/firewallgui.te	2010-03-18 10:44:42.000000000 -0400
 @@ -0,0 +1,66 @@
 +
 +policy_module(firewallgui,1.0.0)
@@ -2352,9 +2299,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall
 +        policykit_dbus_chat(firewallgui_t)
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.7.9/policy/modules/apps/gitosis.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.if serefpolicy-3.7.15/policy/modules/apps/gitosis.if
 --- nsaserefpolicy/policy/modules/apps/gitosis.if	2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/apps/gitosis.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/gitosis.if	2010-03-18 10:44:42.000000000 -0400
 @@ -43,3 +43,47 @@
  	role $2 types gitosis_t;
  ')
@@ -2403,9 +2350,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gitosis.
 +        manage_lnk_files_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
 +	manage_dirs_pattern($1, gitosis_var_lib_t, gitosis_var_lib_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.7.9/policy/modules/apps/gnome.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.7.15/policy/modules/apps/gnome.fc
 --- nsaserefpolicy/policy/modules/apps/gnome.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/apps/gnome.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/gnome.fc	2010-03-18 10:44:42.000000000 -0400
 @@ -1,8 +1,28 @@
 -HOME_DIR/\.config/gtk-.*	gen_context(system_u:object_r:gnome_home_t,s0)
 +HOME_DIR/\.cache(/.*)?	gen_context(system_u:object_r:cache_home_t,s0)
@@ -2437,9 +2384,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc
 +
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.7.9/policy/modules/apps/gnome.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.7.15/policy/modules/apps/gnome.if
 --- nsaserefpolicy/policy/modules/apps/gnome.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/apps/gnome.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/gnome.if	2010-03-18 10:44:42.000000000 -0400
 @@ -74,6 +74,24 @@
  
  ########################################
@@ -2465,7 +2412,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
  ##	manage gnome homedir content (.config)
  ## </summary>
  ## <param name="user_domain">
-@@ -84,10 +102,207 @@
+@@ -84,10 +102,246 @@
  #
  interface(`gnome_manage_config',`
  	gen_require(`
@@ -2600,6 +2547,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
 +
 +########################################
 +## <summary>
++##	Append gconf home files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`gnome_append_gconf_home_files',`
++	gen_require(`
++		type gconf_home_t;
++	')
++
++	append_files_pattern($1, gconf_home_t, gconf_home_t)
++')
++
++########################################
++## <summary>
 +##	manage gconf home files
 +## </summary>
 +## <param name="domain">
@@ -2676,9 +2641,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if
 +
 +	allow $1 gnome_home_type:file rw_inherited_file_perms;
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.7.9/policy/modules/apps/gnome.te
++
++########################################
++## <summary>
++##	Send and receive messages from
++##	gconf system service over dbus.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`gnome_dbus_chat_gconfdefault',`
++	gen_require(`
++		type gconfdefaultsm_t;
++		class dbus send_msg;
++	')
++
++	allow $1 gconfdefaultsm_t:dbus send_msg;
++	allow gconfdefaultsm_t $1:dbus send_msg;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.7.15/policy/modules/apps/gnome.te
 --- nsaserefpolicy/policy/modules/apps/gnome.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/apps/gnome.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/gnome.te	2010-03-18 10:44:42.000000000 -0400
 @@ -7,18 +7,33 @@
  #
  
@@ -2827,18 +2813,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te
 +        policykit_read_lib(gnomesystemmm_t)
 +        policykit_read_reload(gnomesystemmm_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.7.9/policy/modules/apps/gpg.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc serefpolicy-3.7.15/policy/modules/apps/gpg.fc
 --- nsaserefpolicy/policy/modules/apps/gpg.fc	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/apps/gpg.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/gpg.fc	2010-03-18 10:44:42.000000000 -0400
 @@ -1,4 +1,5 @@
  HOME_DIR/\.gnupg(/.+)?		gen_context(system_u:object_r:gpg_secret_t,s0)
 +/root/\.gnupg(/.+)?		gen_context(system_u:object_r:gpg_secret_t,s0)
  
  /usr/bin/gpg(2)?	--	gen_context(system_u:object_r:gpg_exec_t,s0)
  /usr/bin/gpg-agent	--	gen_context(system_u:object_r:gpg_agent_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.7.9/policy/modules/apps/gpg.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.7.15/policy/modules/apps/gpg.if
+--- nsaserefpolicy/policy/modules/apps/gpg.if	2009-09-09 09:23:16.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/apps/gpg.if	2010-03-18 10:44:42.000000000 -0400
+@@ -52,11 +52,8 @@
+ 
+ 	ifdef(`hide_broken_symptoms',`
+ 		#Leaked File Descriptors
++		dontaudit gpg_t $2:socket_class_set { read write };
+ 		dontaudit gpg_t $2:fifo_file rw_fifo_file_perms;
+-		dontaudit gpg_t $2:tcp_socket rw_socket_perms;
+-		dontaudit gpg_t $2:udp_socket rw_socket_perms;
+-		dontaudit gpg_t $2:unix_stream_socket rw_socket_perms;
+-		dontaudit gpg_t $2:unix_dgram_socket rw_socket_perms;
+ 	')
+ ')
+ 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.7.15/policy/modules/apps/gpg.te
 --- nsaserefpolicy/policy/modules/apps/gpg.te	2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/gpg.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/gpg.te	2010-03-18 10:44:42.000000000 -0400
 @@ -20,6 +20,7 @@
  typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
  application_domain(gpg_t, gpg_exec_t)
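Review bot: `+		dontaudit gpg_t $2:socket_class_set { read write };` changes two things relative to the four lines it replaces: the class set widens from tcp/udp/unix_stream/unix_dgram to every socket class, and the suppressed permissions narrow from `rw_socket_perms` to read and write only, so other permissions in that set (ioctl, getattr and the like) attempted on a leaked tcp_socket would now reach the audit log where they previously did not. If the narrowing is intended, extending the existing `#Leaked File Descriptors` comment to say so would stop the next person from restoring the old lines; if not, `dontaudit gpg_t $2:socket_class_set rw_socket_perms;` keeps the previous coverage. Being a dontaudit, nothing is granted either way; only what is logged changes. The enclosing interface starts outside the hunk.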
@@ -2864,7 +2866,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
  allow gpg_t self:process { signal setrlimit getcap setcap setpgid };
  
  allow gpg_t self:fifo_file rw_fifo_file_perms;
-@@ -130,10 +132,10 @@
+@@ -112,6 +114,7 @@
+ # sign/encrypt user files
+ userdom_manage_user_tmp_files(gpg_t)
+ userdom_manage_user_home_content_files(gpg_t)
++userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
+ 
+ mta_write_config(gpg_t)
+ 
+@@ -130,10 +133,10 @@
  	xserver_rw_xdm_pipes(gpg_t)
  ')
  
@@ -2879,257 +2889,97 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s
  
  ########################################
  #
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.7.9/policy/modules/apps/java.fc
---- nsaserefpolicy/policy/modules/apps/java.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/apps/java.fc	2010-02-16 15:08:37.000000000 -0500
-@@ -2,15 +2,17 @@
- # /opt
+@@ -184,6 +187,7 @@
  #
- /opt/(.*/)?bin/java[^/]* --	gen_context(system_u:object_r:java_exec_t,s0)
--/opt/ibm/java2-ppc64-50/jre/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
--/opt/local/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
--/opt/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
-+/opt/ibm/java.*/(bin|javaws)(/.*)?	-- gen_context(system_u:object_r:java_exec_t,s0)
-+/opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
-+/opt/matlab.*/bin.*/MATLAB.*      -- gen_context(system_u:object_r:java_exec_t,s0)
+ # GPG agent local policy
+ #
++domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
  
+ # rlimit: gpg-agent wants to prevent coredumps
+ allow gpg_agent_t self:process setrlimit;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.7.15/policy/modules/apps/java.fc
+--- nsaserefpolicy/policy/modules/apps/java.fc	2010-02-22 08:30:53.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/java.fc	2010-03-18 10:44:42.000000000 -0400
+@@ -9,6 +9,7 @@
  #
  # /usr
  #
 +/usr/Aptana[^/]*/AptanaStudio	--	gen_context(system_u:object_r:java_exec_t,s0)
  /usr/(.*/)?bin/java.* 	--	gen_context(system_u:object_r:java_exec_t,s0)
- /usr/lib(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
-+/usr/lib/eclipse/eclipse --	gen_context(system_u:object_r:java_exec_t,s0)
+ /usr/bin/fastjar	--	gen_context(system_u:object_r:java_exec_t,s0)
  /usr/bin/frysk		--	gen_context(system_u:object_r:java_exec_t,s0)
- /usr/bin/gappletviewer	--	gen_context(system_u:object_r:java_exec_t,s0)
- /usr/bin/gcj-dbtool	--	gen_context(system_u:object_r:java_exec_t,s0)
-@@ -20,5 +22,16 @@
- /usr/bin/grmic		--	gen_context(system_u:object_r:java_exec_t,s0)
- /usr/bin/grmiregistry	--	gen_context(system_u:object_r:java_exec_t,s0)
- /usr/bin/jv-convert	--	gen_context(system_u:object_r:java_exec_t,s0)
--/usr/local/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
--/usr/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
-+/usr/bin/fastjar  	--	gen_context(system_u:object_r:java_exec_t,s0)
-+/usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
-+/usr/matlab.*/bin.*/MATLAB.*      -- gen_context(system_u:object_r:java_exec_t,s0)
-+/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
-+/usr/lib64/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
-+
-+/usr/bin/octave-[^/]*  	--	gen_context(system_u:object_r:java_exec_t,s0)
-+/usr/lib/opera(/.*)?/opera	--	gen_context(system_u:object_r:java_exec_t,s0)
-+/usr/lib/opera(/.*)?/works	--	gen_context(system_u:object_r:java_exec_t,s0)
+@@ -30,5 +31,9 @@
+ /usr/lib64/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+ 
+ /usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+-
+ /usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
 +
 +/opt/ibm/lotus/Symphony/framework/rcp/eclipse/plugins(/.*)?	--	gen_context(system_u:object_r:java_exec_t,s0)
 +
 +/usr/java/eclipse[^/]*/eclipse	--	gen_context(system_u:object_r:java_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.7.9/policy/modules/apps/java.if
---- nsaserefpolicy/policy/modules/apps/java.if	2009-08-18 11:41:14.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/apps/java.if	2010-02-16 15:08:37.000000000 -0500
-@@ -30,6 +30,7 @@
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.7.15/policy/modules/apps/java.if
+--- nsaserefpolicy/policy/modules/apps/java.if	2010-02-22 08:30:53.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/java.if	2010-03-18 10:44:42.000000000 -0400
+@@ -72,6 +72,7 @@
  
- 	allow java_t $2:unix_stream_socket connectto;
- 	allow java_t $2:unix_stream_socket { read write };
-+	allow java_t $2:tcp_socket { read write };
- ')
+ 	domain_interactive_fd($1_java_t)
  
- ########################################
-@@ -71,24 +72,130 @@
++	userdom_unpriv_usertype($1, $1_java_t)
+ 	userdom_manage_tmpfs_role($2, $1_java_t)
  
- ########################################
- ## <summary>
--##	Execute the java program in the unconfined java domain.
-+##	Execute java in the java domain, and
-+##	allow the specified role the java domain.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
-+##	The type of the process performing this action.
- ##	</summary>
- ## </param>
- ## <param name="role">
- ##	<summary>
--##	Role allowed access.
-+##	The role to be allowed the java domain.
-+##	</summary>
-+## </param>
-+#
-+interface(`java_run',`
-+	gen_require(`
-+		type java_t;
-+	')
-+
-+	java_domtrans($1)
-+	role $2 types java_t;
-+')
-+
-+########################################
-+## <summary>
-+##	Execute java in the unconfined java domain, and
-+##	allow the specified role the unconfined java domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	The type of the process performing this action.
-+##	</summary>
-+## </param>
-+## <param name="role">
-+##	<summary>
-+##	The role to be allowed the java domain.
- ##	</summary>
- ## </param>
- #
- interface(`java_run_unconfined',`
- 	gen_require(`
- 		type unconfined_java_t;
-+		type java_t;
- 	')
+ 	allow $1_java_t self:process { ptrace signal getsched execmem execstack };
+@@ -82,7 +83,7 @@
+ 
+ 	domtrans_pattern($3, java_exec_t, $1_java_t)
+ 
+-	corecmd_bin_domtrans($1_java_t, $3)
++	corecmd_bin_domtrans($1_java_t, $1_t)
+ 
+ 	dev_dontaudit_append_rand($1_java_t)
+ 
+@@ -179,6 +180,7 @@
  
  	java_domtrans_unconfined($1)
  	role $2 types unconfined_java_t;
-+	role $2 types java_t;
 +	nsplugin_role_notrans($2, unconfined_java_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Execute the java program in the java domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`java_exec',`
-+	gen_require(`
-+		type java_exec_t;
-+	')
-+
-+	can_exec($1, java_exec_t)
-+')
-+
-+#######################################
-+## <summary>
-+##	The role template for the java module.
-+## </summary>
-+## <desc>
-+##	<p>
-+##	This template creates a derived domains which are used
-+##	for java applications.
-+##	</p>
-+## </desc>
-+## <param name="role_prefix">
-+##	<summary>
-+##	The prefix of the user domain (e.g., user
-+##	is the prefix for user_t).
-+##	</summary>
-+## </param>
-+## <param name="user_role">
-+##	<summary>
-+##	The role associated with the user domain.
-+##	</summary>
-+## </param>
-+## <param name="user_domain">
-+##	<summary>
-+##	The type of the user domain.
-+##	</summary>
-+## </param>
-+#
-+template(`java_role_template',`
-+	gen_require(`
-+		type java_exec_t;
-+	')
-+
-+	type $1_java_t;
-+	domain_type($1_java_t)
-+	domain_entry_file($1_java_t, java_exec_t)
-+	role $2 types $1_java_t;
-+
-+	domain_interactive_fd($1_java_t)
-+
-+	userdom_unpriv_usertype($1, $1_java_t)
-+	userdom_manage_tmpfs_role($2, $1_java_t)
-+
-+	allow $1_java_t self:process { ptrace signal getsched execmem execstack };
-+	allow $3 $1_java_t:process { getattr ptrace noatsecure signal_perms };
-+	dontaudit $1_java_t $3:tcp_socket { read write };
-+
-+	domtrans_pattern($3, java_exec_t, $1_java_t)
-+	dev_dontaudit_append_rand($1_java_t)
+ ')
+ 
+ ########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.7.15/policy/modules/apps/java.te
+--- nsaserefpolicy/policy/modules/apps/java.te	2010-02-22 08:30:53.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/java.te	2010-03-18 10:44:42.000000000 -0400
+@@ -147,6 +147,14 @@
+ 
+ 	init_dbus_chat_script(unconfined_java_t)
+ 
++	files_execmod_all_files(unconfined_java_t)
 +
-+	fs_dontaudit_rw_tmpfs_files($1_java_t)
-+	corecmd_bin_domtrans($1_java_t, $1_t)
++	init_dbus_chat_script(unconfined_java_t)
 +
-+	files_execmod_all_files($1_java_t)
+ 	unconfined_domain_noaudit(unconfined_java_t)
+ 	unconfined_dbus_chat(unconfined_java_t)
 +
 +	optional_policy(`
-+		xserver_role($1_r, $1_java_t)
++		rpm_domtrans(unconfined_java_t)
 +	')
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.7.9/policy/modules/apps/java.te
---- nsaserefpolicy/policy/modules/apps/java.te	2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/java.te	2010-02-16 15:08:37.000000000 -0500
-@@ -20,6 +20,8 @@
- typealias java_t alias { staff_javaplugin_t user_javaplugin_t sysadm_javaplugin_t };
- typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
- 
-+role system_r types java_t;
-+
- type java_tmp_t;
- files_tmp_file(java_tmp_t)
- ubac_constrained(java_tmp_t)
-@@ -32,9 +34,6 @@
- typealias java_tmpfs_t alias { staff_javaplugin_tmpfs_t user_javaplugin_tmpfs_t sysadm_javaplugin_tmpfs_t };
- typealias java_tmpfs_t alias { auditadm_tmpfs_javaplugin_t secadm_tmpfs_javaplugin_t };
- 
--type unconfined_java_t;
--init_system_domain(unconfined_java_t, java_exec_t)
--
- ########################################
- #
- # Local policy
-@@ -80,6 +79,7 @@
- dev_write_sound(java_t)
- dev_read_urand(java_t)
- dev_read_rand(java_t)
-+dev_dontaudit_append_rand(java_t)
- 
- files_read_etc_files(java_t)
- files_read_usr_files(java_t)
-@@ -134,17 +134,5 @@
- 	xserver_user_x_domain_template(java, java_t, java_tmpfs_t)
- ')
- 
--########################################
--#
--# Unconfined java local policy
--#
--
--optional_policy(`
--	# execheap is needed for itanium/BEA jrocket
--	allow unconfined_java_t self:process { execstack execmem execheap };
- 
--	init_dbus_chat_script(unconfined_java_t)
- 
--	unconfined_domain_noaudit(unconfined_java_t)
--	unconfined_dbus_chat(unconfined_java_t)
--')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.7.9/policy/modules/apps/kdumpgui.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.fc serefpolicy-3.7.15/policy/modules/apps/kdumpgui.fc
 --- nsaserefpolicy/policy/modules/apps/kdumpgui.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/kdumpgui.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/kdumpgui.fc	2010-03-18 10:44:42.000000000 -0400
 @@ -0,0 +1,2 @@
 +
 +/usr/share/system-config-kdump/system-config-kdump-backend.py -- gen_context(system_u:object_r:kdumpgui_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.if serefpolicy-3.7.9/policy/modules/apps/kdumpgui.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.if serefpolicy-3.7.15/policy/modules/apps/kdumpgui.if
 --- nsaserefpolicy/policy/modules/apps/kdumpgui.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/kdumpgui.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/kdumpgui.if	2010-03-18 10:44:42.000000000 -0400
 @@ -0,0 +1,2 @@
 +## <summary>system-config-kdump policy</summary>
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.7.9/policy/modules/apps/kdumpgui.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.7.15/policy/modules/apps/kdumpgui.te
 --- nsaserefpolicy/policy/modules/apps/kdumpgui.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/kdumpgui.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/kdumpgui.te	2010-03-18 10:44:42.000000000 -0400
 @@ -0,0 +1,68 @@
 +policy_module(kdumpgui,1.0.0)
 +
@@ -3199,15 +3049,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui
 +optional_policy(`
 +        policykit_dbus_chat(kdumpgui_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.7.9/policy/modules/apps/livecd.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.7.15/policy/modules/apps/livecd.fc
 --- nsaserefpolicy/policy/modules/apps/livecd.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/livecd.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/livecd.fc	2010-03-18 10:44:42.000000000 -0400
 @@ -0,0 +1,2 @@
 +
 +/usr/bin/livecd-creator	--	gen_context(system_u:object_r:livecd_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.7.9/policy/modules/apps/livecd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.7.15/policy/modules/apps/livecd.if
 --- nsaserefpolicy/policy/modules/apps/livecd.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/livecd.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/livecd.if	2010-03-18 10:44:42.000000000 -0400
 @@ -0,0 +1,52 @@
 +
 +## <summary>policy for livecd</summary>
@@ -3261,9 +3111,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.i
 +	usermanage_run_chfn(livecd_t, $2)
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.7.9/policy/modules/apps/livecd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.7.15/policy/modules/apps/livecd.te
 --- nsaserefpolicy/policy/modules/apps/livecd.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/livecd.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/livecd.te	2010-03-18 10:44:42.000000000 -0400
 @@ -0,0 +1,27 @@
 +policy_module(livecd, 1.0.0)
 +
@@ -3292,11 +3142,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.t
 +
 +seutil_domtrans_setfiles_mac(livecd_t)
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.7.9/policy/modules/apps/loadkeys.te
---- nsaserefpolicy/policy/modules/apps/loadkeys.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/apps/loadkeys.te	2010-02-16 15:08:37.000000000 -0500
-@@ -40,8 +40,12 @@
- miscfiles_read_localization(loadkeys_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.if serefpolicy-3.7.15/policy/modules/apps/loadkeys.if
+--- nsaserefpolicy/policy/modules/apps/loadkeys.if	2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/apps/loadkeys.if	2010-03-18 10:44:42.000000000 -0400
+@@ -17,6 +17,9 @@
+ 
+ 	corecmd_search_bin($1)
+ 	domtrans_pattern($1, loadkeys_exec_t, loadkeys_t)
++ifdef(`hide_broken_symptoms', `
++	dontaudit loadkeys_t $1:socket_class_set { read write };
++')
+ ')
+ 
+ ########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.7.15/policy/modules/apps/loadkeys.te
+--- nsaserefpolicy/policy/modules/apps/loadkeys.te	2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/apps/loadkeys.te	2010-03-18 10:44:42.000000000 -0400
+@@ -40,8 +40,12 @@
+ miscfiles_read_localization(loadkeys_t)
  
  userdom_use_user_ttys(loadkeys_t)
 -userdom_list_user_home_dirs(loadkeys_t)
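Review bot: The `ifdef(`hide_broken_symptoms', …)` block added to loadkeys_domtrans (the three `+` lines right after `domtrans_pattern($1, loadkeys_exec_t, loadkeys_t)`) starts at column 0 while the rest of the interface body is tab-indented, so it should be indented one tab along with its `dontaudit` to match `corecmd_search_bin($1)` above it. The rule also deserves a one-line comment so the next reader does not mistake a silenced denial for a grant: `# loadkeys inherits the caller's open sockets (leaked fds); silence read/write denials rather than allow them`. As a dontaudit on `$1`'s sockets this hides a leaked-descriptor symptom without widening what loadkeys_t can do, which is the right trade-off behind the build-time switch. loadkeys_domtrans itself begins outside this hunk.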
@@ -3309,159 +3172,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys
 +ifdef(`hide_broken_symptoms',`
 +	dev_dontaudit_rw_lvm_control(loadkeys_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.fc serefpolicy-3.7.9/policy/modules/apps/mono.fc
---- nsaserefpolicy/policy/modules/apps/mono.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/apps/mono.fc	2010-02-16 15:08:37.000000000 -0500
-@@ -1 +1 @@
--/usr/bin/mono	--	gen_context(system_u:object_r:mono_exec_t,s0)
-+/usr/bin/mono.*	--	gen_context(system_u:object_r:mono_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.7.9/policy/modules/apps/mono.if
---- nsaserefpolicy/policy/modules/apps/mono.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/apps/mono.if	2010-02-16 15:08:37.000000000 -0500
-@@ -21,6 +21,105 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.7.15/policy/modules/apps/mono.if
+--- nsaserefpolicy/policy/modules/apps/mono.if	2010-02-22 08:30:53.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/mono.if	2010-03-18 10:44:42.000000000 -0400
+@@ -40,10 +40,10 @@
+ 	domain_interactive_fd($1_mono_t)
+ 	application_type($1_mono_t)
  
- ########################################
- ## <summary>
-+##	Read and write to mono shared memory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	The type of the process performing this action.
-+##	</summary>
-+## </param>
-+#
-+interface(`mono_rw_shm',`
-+	gen_require(`
-+		type mono_t;
-+	')
-+
-+	allow $1 mono_t:shm rw_shm_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Execute mono in the mono domain, and
-+##	allow the specified role the mono domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	The type of the process performing this action.
-+##	</summary>
-+## </param>
-+## <param name="role">
-+##	<summary>
-+##	The role to be allowed the mono domain.
-+##	</summary>
-+## </param>
-+#
-+interface(`mono_run',`
-+	gen_require(`
-+		type mono_t;
-+	')
-+
-+	mono_domtrans($1)
-+	role $2 types mono_t;
-+')
-+
-+#######################################
-+## <summary>
-+##	The role template for the mono module.
-+## </summary>
-+## <desc>
-+##	<p>
-+##	This template creates a derived domains which are used
-+##	for mono applications.
-+##	</p>
-+## </desc>
-+## <param name="role_prefix">
-+##	<summary>
-+##	The prefix of the user domain (e.g., user
-+##	is the prefix for user_t).
-+##	</summary>
-+## </param>
-+## <param name="user_role">
-+##	<summary>
-+##	The role associated with the user domain.
-+##	</summary>
-+## </param>
-+## <param name="user_domain">
-+##	<summary>
-+##	The type of the user domain.
-+##	</summary>
-+## </param>
-+#
-+template(`mono_role_template',`
-+	gen_require(`
-+		type mono_exec_t;
-+	')
-+
-+	type $1_mono_t;
-+	domain_type($1_mono_t)
-+	domain_entry_file($1_mono_t, mono_exec_t)
-+	role $2 types $1_mono_t;
-+
-+	domain_interactive_fd($1_mono_t)
-+	application_type($1_mono_t)
-+
 +	userdom_unpriv_usertype($1, $1_mono_t)
-+	userdom_manage_tmpfs_role($2, $1_mono_t)
-+
-+	allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack };
-+	allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
-+
-+	domtrans_pattern($3, mono_exec_t, $1_mono_t)
-+
-+	fs_dontaudit_rw_tmpfs_files($1_mono_t)
-+	corecmd_bin_domtrans($1_mono_t, $1_t)
-+
-+	optional_policy(`
-+		xserver_role($1_r, $1_mono_t)
-+	')
-+')
-+
-+########################################
-+## <summary>
- ##	Execute the mono program in the caller domain.
- ## </summary>
- ## <param name="domain">
-@@ -31,7 +130,7 @@
- #
- interface(`mono_exec',`
- 	gen_require(`
--		type mono_t, mono_exec_t;
-+		type mono_exec_t;
- 	')
- 
- 	corecmd_search_bin($1)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.7.9/policy/modules/apps/mono.te
---- nsaserefpolicy/policy/modules/apps/mono.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/apps/mono.te	2010-02-16 15:08:37.000000000 -0500
-@@ -15,7 +15,7 @@
- # Local policy
- #
+ 	userdom_manage_tmpfs_role($2, $1_mono_t)
  
--allow mono_t self:process { execheap execmem };
-+allow mono_t self:process { ptrace signal getsched execheap execmem execstack };
- 
- init_dbus_chat_script(mono_t)
- 
-@@ -42,7 +42,12 @@
- ')
+ 	allow $1_mono_t self:process { ptrace signal getsched execheap execmem execstack };
+-
+ 	allow $3 $1_mono_t:process { getattr ptrace noatsecure signal_perms };
  
- optional_policy(`
--	unconfined_domain_noaudit(mono_t)
-+	unconfined_domain(mono_t)
- 	unconfined_dbus_chat(mono_t)
- 	unconfined_dbus_connect(mono_t)
-+	application_type(mono_t)
-+')
-+
-+optional_policy(`
-+	xserver_rw_shm(mono_t)
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.7.9/policy/modules/apps/mozilla.fc
+ 	domtrans_pattern($3, mono_exec_t, $1_mono_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.7.15/policy/modules/apps/mozilla.fc
 --- nsaserefpolicy/policy/modules/apps/mozilla.fc	2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/apps/mozilla.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/mozilla.fc	2010-03-18 10:44:42.000000000 -0400
 @@ -1,6 +1,7 @@
  HOME_DIR/\.galeon(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
  HOME_DIR/\.java(/.*)?			gen_context(system_u:object_r:mozilla_home_t,s0)
@@ -3478,9 +3206,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
  /usr/bin/mozilla-[0-9].*	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
  /usr/bin/mozilla-bin-[0-9].*	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.7.9/policy/modules/apps/mozilla.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.7.15/policy/modules/apps/mozilla.if
 --- nsaserefpolicy/policy/modules/apps/mozilla.if	2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/mozilla.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/mozilla.if	2010-03-18 10:44:42.000000000 -0400
 @@ -48,6 +48,12 @@
  
  	mozilla_dbus_chat($2)
@@ -3503,7 +3231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
  ')
  
  ########################################
-@@ -186,3 +192,22 @@
+@@ -186,3 +192,57 @@
  
  	allow $1 mozilla_t:tcp_socket rw_socket_perms;
  ')
@@ -3526,9 +3254,44 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
 +	allow $1 mozilla_home_t:file execmod;
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.7.9/policy/modules/apps/mozilla.te
++########################################
++## <summary>
++##	Execute mozilla_exec_t 
++##	in the specified domain.
++## </summary>
++## <desc>
++##	<p>
++##	Execute a mozilla_exec_t
++##	in the specified domain.  
++##	</p>
++##	<p>
++##	No interprocess communication (signals, pipes,
++##	etc.) is provided by this interface since
++##	the domains are not owned by this module.
++##	</p>
++## </desc>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="target_domain">
++##	<summary>
++##	The type of the new process.
++##	</summary>
++## </param>
++#
++interface(`mozilla_exec_domtrans',`
++	gen_require(`
++		type mozilla_exec_t;
++	')
++
++	allow $2 mozilla_exec_t:file entrypoint;
++	domtrans_pattern($1, mozilla_exec_t, $2)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.7.15/policy/modules/apps/mozilla.te
 --- nsaserefpolicy/policy/modules/apps/mozilla.te	2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/mozilla.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/mozilla.te	2010-03-18 10:44:42.000000000 -0400
 @@ -91,6 +91,7 @@
  corenet_raw_sendrecv_generic_node(mozilla_t)
  corenet_tcp_sendrecv_http_port(mozilla_t)
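Review bot: The `<desc>` of the new mozilla_exec_domtrans states that no interprocess communication is provided, but `domtrans_pattern($1, mozilla_exec_t, $2)` in refpolicy also grants the new domain `fd use`, `fifo_file` read/write and `sigchld` back to the caller; its expansion is not visible in this hunk, so confirm against support/misc_patterns.spt and then reword the paragraph, e.g. `## Beyond the transition and entrypoint, only the fd/fifo/sigchld access implied by domtrans_pattern is granted; no other IPC.` Because `$2` is caller-chosen, `allow $2 mozilla_exec_t:file entrypoint` turns the browser binary into an entry point of whatever domain the caller names, so the doc should also say that callers must pass a domain they own. The lines `##	Execute mozilla_exec_t ` and `##	in the specified domain.  ` carry trailing whitespace.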
@@ -3587,9 +3350,52 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.
 +optional_policy(`
  	thunderbird_domtrans(mozilla_t)
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.7.9/policy/modules/apps/nsplugin.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-3.7.15/policy/modules/apps/mplayer.if
+--- nsaserefpolicy/policy/modules/apps/mplayer.if	2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/apps/mplayer.if	2010-03-18 10:44:42.000000000 -0400
+@@ -102,3 +102,39 @@
+ 	read_files_pattern($1, mplayer_home_t, mplayer_home_t)
+ 	userdom_search_user_home_dirs($1)
+ ')
++
++########################################
++## <summary>
++##	Execute mplayer_exec_t 
++##	in the specified domain.
++## </summary>
++## <desc>
++##	<p>
++##	Execute a mplayer_exec_t
++##	in the specified domain.  
++##	</p>
++##	<p>
++##	No interprocess communication (signals, pipes,
++##	etc.) is provided by this interface since
++##	the domains are not owned by this module.
++##	</p>
++## </desc>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="target_domain">
++##	<summary>
++##	The type of the new process.
++##	</summary>
++## </param>
++#
++interface(`mplayer_exec_domtrans',`
++	gen_require(`
++		type mplayer_exec_t;
++	')
++
++	allow $2 mplayer_exec_t:file entrypoint;
++	domtrans_pattern($1, mplayer_exec_t, $2)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.7.15/policy/modules/apps/nsplugin.fc
 --- nsaserefpolicy/policy/modules/apps/nsplugin.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/nsplugin.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/nsplugin.fc	2010-03-18 10:44:42.000000000 -0400
 @@ -0,0 +1,10 @@
 +HOME_DIR/\.adobe(/.*)?			gen_context(system_u:object_r:nsplugin_home_t,s0)
 +HOME_DIR/\.macromedia(/.*)?		gen_context(system_u:object_r:nsplugin_home_t,s0)
@@ -3601,10 +3407,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +/usr/lib(64)?/nspluginwrapper/npviewer.bin	--	gen_context(system_u:object_r:nsplugin_exec_t,s0)
 +/usr/lib(64)?/nspluginwrapper/plugin-config	--	gen_context(system_u:object_r:nsplugin_config_exec_t,s0)
 +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)?			gen_context(system_u:object_r:nsplugin_rw_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.7.9/policy/modules/apps/nsplugin.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.7.15/policy/modules/apps/nsplugin.if
 --- nsaserefpolicy/policy/modules/apps/nsplugin.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/nsplugin.if	2010-02-16 15:08:37.000000000 -0500
-@@ -0,0 +1,358 @@
++++ serefpolicy-3.7.15/policy/modules/apps/nsplugin.if	2010-03-18 10:44:42.000000000 -0400
+@@ -0,0 +1,390 @@
 +
 +## <summary>policy for nsplugin</summary>
 +
@@ -3706,16 +3512,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +	can_exec($2, nsplugin_rw_t)
 +
 +	#Leaked File Descriptors
-+	dontaudit nsplugin_t $2:tcp_socket rw_socket_perms;
-+	dontaudit nsplugin_t $2:udp_socket rw_socket_perms;
-+	dontaudit nsplugin_t $2:unix_stream_socket rw_socket_perms;
-+	dontaudit nsplugin_t $2:unix_dgram_socket rw_socket_perms;
-+	dontaudit nsplugin_t $2:fifo_file rw_fifo_file_perms;
-+	dontaudit nsplugin_config_t $2:tcp_socket rw_socket_perms;
-+	dontaudit nsplugin_config_t $2:udp_socket rw_socket_perms;
-+	dontaudit nsplugin_config_t $2:unix_stream_socket rw_socket_perms;
-+	dontaudit nsplugin_config_t $2:unix_dgram_socket rw_socket_perms;
-+	dontaudit nsplugin_config_t $2:fifo_file rw_fifo_file_perms;
++ifdef(`hide_broken_symptoms', `
++	dontaudit nsplugin_t $2:socket_class_set { read write };
++	dontaudit nsplugin_t $2:fifo_file rw_inherited_fifo_file_perms;
++	dontaudit nsplugin_config_t $2:socket_class_set { read write };
++	dontaudit nsplugin_config_t $2:fifo_file rw_inherited_fifo_file_perms;
++')
 +	allow nsplugin_t $2:unix_stream_socket connectto;
 +	dontaudit nsplugin_t $2:process ptrace;
 +	allow nsplugin_t $2:sem rw_sem_perms;
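Review bot: The new `ifdef(`hide_broken_symptoms', …)` block and the four dontaudit lines inside it sit at column 0 inside an interface body whose other statements (`can_exec($2, nsplugin_rw_t)`, `allow nsplugin_t $2:unix_stream_socket connectto;`) are tab-indented; indent them to match. Replacing the per-class `rw_socket_perms` dontaudits with `socket_class_set { read write }` covers every socket class but only the two inherited-descriptor operations, which is the right direction for hiding leaked browser fds, and `rw_inherited_fifo_file_perms` presumably drops `open` for the same reason — worth stating in the existing comment, e.g. `# Descriptors inherited from the browser ($2): silence read/write denials only, never allow them`. The `connectto`, `ptrace` and `sem` rules that follow remain unconditional real grants, which is correct since they are not leak symptoms. The enclosing interface starts outside this hunk.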
@@ -3772,6 +3574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +
 +	domtrans_pattern($2, nsplugin_exec_t, nsplugin_t)
 +	domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t)
++
 +')
 +
 +#######################################
@@ -3963,10 +3766,45 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +        allow $1 nsplugin_t:sem rw_sem_perms;
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.9/policy/modules/apps/nsplugin.te
++########################################
++## <summary>
++##	Execute nsplugin_exec_t 
++##	in the specified domain.
++## </summary>
++## <desc>
++##	<p>
++##	Execute a nsplugin_exec_t
++##	in the specified domain.  
++##	</p>
++##	<p>
++##	No interprocess communication (signals, pipes,
++##	etc.) is provided by this interface since
++##	the domains are not owned by this module.
++##	</p>
++## </desc>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="target_domain">
++##	<summary>
++##	The type of the new process.
++##	</summary>
++## </param>
++#
++interface(`nsplugin_exec_domtrans',`
++	gen_require(`
++		type nsplugin_exec_t;
++	')
++
++	allow $2 nsplugin_exec_t:file entrypoint;
++	domtrans_pattern($1, nsplugin_exec_t, $2)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.7.15/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/nsplugin.te	2010-02-16 15:08:37.000000000 -0500
-@@ -0,0 +1,296 @@
++++ serefpolicy-3.7.15/policy/modules/apps/nsplugin.te	2010-03-18 10:44:42.000000000 -0400
+@@ -0,0 +1,295 @@
 +
 +policy_module(nsplugin, 1.0.0)
 +
@@ -4118,7 +3956,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +userdom_read_user_tmp_files(nsplugin_t)
 +userdom_write_user_tmp_sockets(nsplugin_t)
 +userdom_dontaudit_append_user_home_content_files(nsplugin_t)
-+userdom_dontaudit_delete_user_home_content_files(nsplugin_t)
 +
 +optional_policy(`
 +	alsa_read_rw_config(nsplugin_t)
@@ -4263,17 +4100,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin
 +')
 +
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.7.9/policy/modules/apps/openoffice.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.7.15/policy/modules/apps/openoffice.fc
 --- nsaserefpolicy/policy/modules/apps/openoffice.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/openoffice.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/openoffice.fc	2010-03-18 10:44:42.000000000 -0400
 @@ -0,0 +1,3 @@
 +/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
 +/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.7.9/policy/modules/apps/openoffice.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.7.15/policy/modules/apps/openoffice.if
 --- nsaserefpolicy/policy/modules/apps/openoffice.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/openoffice.if	2010-02-16 15:08:37.000000000 -0500
-@@ -0,0 +1,92 @@
++++ serefpolicy-3.7.15/policy/modules/apps/openoffice.if	2010-03-18 10:44:42.000000000 -0400
+@@ -0,0 +1,129 @@
 +## <summary>Openoffice</summary>
 +
 +#######################################
@@ -4362,14 +4199,51 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi
 +
 +	allow $3 $1_openoffice_t:process { signal sigkill };
 +	allow $1_openoffice_t $3:unix_stream_socket connectto;
-+	optional_policy(`	
-+		xserver_common_x_domain_template($1, $1_openoffice_t)
++
++	optional_policy(`
++		xserver_role($2, $1_openoffice_t)
++	')
++')
++
++########################################
++## <summary>
++##	Execute openoffice_exec_t 
++##	in the specified domain.
++## </summary>
++## <desc>
++##	<p>
++##	Execute a openoffice_exec_t
++##	in the specified domain.  
++##	</p>
++##	<p>
++##	No interprocess communication (signals, pipes,
++##	etc.) is provided by this interface since
++##	the domains are not owned by this module.
++##	</p>
++## </desc>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="target_domain">
++##	<summary>
++##	The type of the new process.
++##	</summary>
++## </param>
++#
++interface(`openoffice_exec_domtrans',`
++	gen_require(`
++		type openoffice_exec_t;
 +	')
++
++	allow $2 openoffice_exec_t:file entrypoint;
++	domtrans_pattern($1, openoffice_exec_t, $2)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.7.9/policy/modules/apps/openoffice.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.7.15/policy/modules/apps/openoffice.te
 --- nsaserefpolicy/policy/modules/apps/openoffice.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/openoffice.te	2010-02-16 15:08:37.000000000 -0500
-@@ -0,0 +1,11 @@
++++ serefpolicy-3.7.15/policy/modules/apps/openoffice.te	2010-03-18 10:44:42.000000000 -0400
+@@ -0,0 +1,17 @@
 +
 +policy_module(openoffice, 1.0.0)
 +
@@ -4381,9 +4255,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffi
 +type openoffice_t;
 +type openoffice_exec_t;
 +application_domain(openoffice_t, openoffice_exec_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.7.9/policy/modules/apps/podsleuth.te
++
++########################################
++#
++# Unconfined java local policy
++#
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.7.15/policy/modules/apps/podsleuth.te
 --- nsaserefpolicy/policy/modules/apps/podsleuth.te	2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/podsleuth.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/podsleuth.te	2010-03-18 10:44:42.000000000 -0400
 @@ -50,6 +50,7 @@
  fs_tmpfs_filetrans(podsleuth_t, podsleuth_tmpfs_t, { dir file lnk_file })
  
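Review bot: The banner added at the end of openoffice.te reads `# Unconfined java local policy`, a copy-paste leftover that mislabels this module; it should read `# openoffice local policy` to match `policy_module(openoffice, 1.0.0)`. The banner also announces a section that contains no rules, so either add the rules it introduces or leave the banner out until there are any. The type declarations above it are context from the earlier openoffice.te hunk.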
@@ -4407,51 +4287,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleut
  
  optional_policy(`
  	dbus_system_bus_client(podsleuth_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.if serefpolicy-3.7.9/policy/modules/apps/ptchown.if
---- nsaserefpolicy/policy/modules/apps/ptchown.if	2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/apps/ptchown.if	2010-02-16 15:08:37.000000000 -0500
-@@ -18,3 +18,27 @@
- 	domtrans_pattern($1, ptchown_exec_t, ptchown_t)
- ')
- 
-+########################################
-+## <summary>
-+##	Execute ptchown in the ptchown domain, and
-+##	allow the specified role the ptchown domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <param name="role">
-+##	<summary>
-+##	The role to be allowed the ptchown domain.
-+##	</summary>
-+## </param>
-+#
-+interface(`ptchown_run',`
-+	gen_require(`
-+		type ptchown_t;
-+	')
-+
-+	ptchown_domtrans($1)
-+	role $2 types ptchown_t;
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.7.9/policy/modules/apps/pulseaudio.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.7.15/policy/modules/apps/pulseaudio.fc
 --- nsaserefpolicy/policy/modules/apps/pulseaudio.fc	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/apps/pulseaudio.fc	2010-02-16 15:08:37.000000000 -0500
-@@ -1 +1,7 @@
++++ serefpolicy-3.7.15/policy/modules/apps/pulseaudio.fc	2010-03-18 10:44:42.000000000 -0400
+@@ -1 +1,9 @@
 +HOME_DIR/\.pulse(/.*)?		gen_context(system_u:object_r:pulseaudio_home_t,s0)
 +HOME_DIR/\.pulse-cookie		gen_context(system_u:object_r:pulseaudio_home_t,s0)
 +
++/var/lib/pulse(/.*)?		gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
++
 +/var/run/pulse(/.*)?		gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
 +
  /usr/bin/pulseaudio	--	gen_context(system_u:object_r:pulseaudio_exec_t,s0)
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.7.9/policy/modules/apps/pulseaudio.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.7.15/policy/modules/apps/pulseaudio.if
 --- nsaserefpolicy/policy/modules/apps/pulseaudio.if	2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/apps/pulseaudio.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/pulseaudio.if	2010-03-18 10:44:42.000000000 -0400
+@@ -18,7 +18,7 @@
+ interface(`pulseaudio_role',`
+ 	gen_require(`
+ 		type pulseaudio_t, pulseaudio_exec_t, print_spool_t;
+-		class dbus { send_msg };
++		class dbus { acquire_svc send_msg };
+ 	')
+ 
+ 	role $1 types pulseaudio_t;
 @@ -29,7 +29,7 @@
  	ps_process_pattern($2, pulseaudio_t)
  
@@ -4555,24 +4415,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
 -	allow $1 pulseaudio_t:unix_stream_socket connectto;
 +        stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t)
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.7.9/policy/modules/apps/pulseaudio.te
---- nsaserefpolicy/policy/modules/apps/pulseaudio.te	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/pulseaudio.te	2010-02-16 15:08:37.000000000 -0500
-@@ -11,6 +11,12 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.7.15/policy/modules/apps/pulseaudio.te
+--- nsaserefpolicy/policy/modules/apps/pulseaudio.te	2010-02-18 14:06:31.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/pulseaudio.te	2010-03-18 10:44:42.000000000 -0400
+@@ -8,24 +8,52 @@
+ 
+ type pulseaudio_t;
+ type pulseaudio_exec_t;
++init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
  application_domain(pulseaudio_t, pulseaudio_exec_t)
  role system_r types pulseaudio_t;
  
-+type pulseaudio_var_run_t;
-+files_pid_file(pulseaudio_var_run_t)
-+
 +type pulseaudio_home_t;
 +userdom_user_home_content(pulseaudio_home_t)
 +
++type pulseaudio_tmpfs_t;
++files_tmpfs_file(pulseaudio_tmpfs_t)
++
++type pulseaudio_var_lib_t;
++files_type(pulseaudio_var_lib_t)
++
++type pulseaudio_var_run_t;
++files_pid_file(pulseaudio_var_run_t)
++
  ########################################
  #
  # pulseaudio local policy
-@@ -18,7 +24,7 @@
- 
+ #
+-
++allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config };
  allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull };
  allow pulseaudio_t self:fifo_file rw_file_perms;
 -allow pulseaudio_t self:unix_stream_socket create_stream_socket_perms;
@@ -4580,40 +4451,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
  allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms };
  allow pulseaudio_t self:tcp_socket create_stream_socket_perms;
  allow pulseaudio_t self:udp_socket create_socket_perms;
-@@ -26,6 +32,7 @@
- 
- can_exec(pulseaudio_t, pulseaudio_exec_t)
- 
-+kernel_getattr_proc(pulseaudio_t)
- kernel_read_system_state(pulseaudio_t)
- kernel_read_kernel_sysctls(pulseaudio_t)
- 
-@@ -63,12 +70,23 @@
- miscfiles_read_localization(pulseaudio_t)
- 
- optional_policy(`
--	gnome_manage_config(pulseaudio_t)
-+	bluetooth_stream_connect(pulseaudio_t)
- ')
+ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
  
++userdom_search_user_home_dirs(pulseaudio_t)
++userdom_search_admin_dir(pulseaudio_t)
++manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
++manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
++
++manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
++manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
++files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
++
 +manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
 +manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
 +manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
 +files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file })
 +
-+userdom_search_user_home_dirs(pulseaudio_t)
-+manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
-+manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
-+
+ can_exec(pulseaudio_t, pulseaudio_exec_t)
+ 
++kernel_getattr_proc(pulseaudio_t)
+ kernel_read_system_state(pulseaudio_t)
+ kernel_read_kernel_sysctls(pulseaudio_t)
+ 
+@@ -67,10 +95,7 @@
+ ')
+ 
  optional_policy(`
+-	gnome_manage_config(pulseaudio_t)
+-')
+-
+-optional_policy(`
 +	dbus_system_domain(pulseaudio_t, pulseaudio_exec_t)
  	dbus_system_bus_client(pulseaudio_t)
  	dbus_session_bus_client(pulseaudio_t)
-+	dbus_connect_session_bus(pulseaudio_t)
- 
- 	optional_policy(`
- 		consolekit_dbus_chat(pulseaudio_t)
-@@ -88,6 +106,10 @@
+ 	dbus_connect_session_bus(pulseaudio_t)
+@@ -93,6 +118,10 @@
  ')
  
  optional_policy(`
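Review bot: The new `allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config };` hands the daemon uid/gid- and ownership-changing capabilities with no comment on why, and since `init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)` is added in the same hunk the one domain now covers both a per-user session instance and a root-started system instance. Presumably setuid/setgid/chown/fowner/fsetid serve the system-mode instance dropping to its service user and fixing ownership under the new pulseaudio_var_lib_t and pulseaudio_var_run_t, and sys_resource pairs with the existing `setrlimit`; that mapping should be written down, e.g. `# setuid/setgid/chown/fowner/fsetid: system-mode instance drops to the pulse user and owns its runtime dirs` and `# sys_resource: raise rlimits for realtime scheduling (setrlimit above)`, and any capability without an observed denial behind it trimmed. Separately, pulseaudio_t gets manage rights on pulseaudio_home_t after `userdom_search_user_home_dirs`, but no `userdom_user_home_dir_filetrans` is visible in this hunk, so a freshly created ~/.pulse may receive the generic home label unless that filetrans lives elsewhere in the module — worth confirming. The module continues outside this hunk.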
@@ -4624,7 +4496,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
  	policykit_domtrans_auth(pulseaudio_t)
  	policykit_read_lib(pulseaudio_t)
  	policykit_read_reload(pulseaudio_t)
-@@ -98,6 +120,8 @@
+@@ -103,6 +132,9 @@
  ')
  
  optional_policy(`
@@ -4632,126 +4504,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud
  	xserver_manage_xdm_tmp_files(pulseaudio_t)
  	xserver_read_xdm_lib_files(pulseaudio_t)
 +	xserver_read_xdm_pid(pulseaudio_t)
++	xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.7.9/policy/modules/apps/qemu.fc
---- nsaserefpolicy/policy/modules/apps/qemu.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/apps/qemu.fc	2010-02-16 15:08:37.000000000 -0500
-@@ -1,2 +1,2 @@
--/usr/bin/qemu	--	gen_context(system_u:object_r:qemu_exec_t,s0)
--/usr/bin/qemu-kvm --	gen_context(system_u:object_r:qemu_exec_t,s0)
-+/usr/bin/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
-+/usr/libexec/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.7.9/policy/modules/apps/qemu.if
---- nsaserefpolicy/policy/modules/apps/qemu.if	2009-08-31 13:44:40.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/apps/qemu.if	2010-02-16 15:08:37.000000000 -0500
-@@ -40,6 +40,10 @@
- 
- 	qemu_domtrans($1)
- 	role $2 types qemu_t;
-+
-+	optional_policy(`
-+		samba_run_smb(qemu_t, $2, $3)
-+	')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.7.15/policy/modules/apps/qemu.if
+--- nsaserefpolicy/policy/modules/apps/qemu.if	2010-02-22 08:30:53.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/qemu.if	2010-03-18 10:44:42.000000000 -0400
+@@ -127,12 +127,14 @@
+ template(`qemu_role',`
+ 	gen_require(`
+ 		type qemu_t, qemu_exec_t;
++		type qemu_config_t, qemu_config_exec_t;
+ 	')
+ 
+ 	role $1 types { qemu_t qemu_config_t };
+ 
+ 	domtrans_pattern($2, qemu_exec_t, qemu_t)
+  	domtrans_pattern($2, qemu_config_exec_t, qemu_config_t)
++	allow qemu_t $2:process signull;
  ')
  
  ########################################
-@@ -211,3 +215,188 @@
- #		xserver_xdm_rw_shm($1_t)
- 	')
- ')
-+
-+#######################################
-+## <summary>
-+##	The per role template for the qemu module.
-+## </summary>
-+## <desc>
-+##	<p>
-+##	This template creates a derived domains which are used
-+##	for qemu web browser.
-+##	</p>
-+##	<p>
-+##	This template is invoked automatically for each user, and
-+##	generally does not need to be invoked directly
-+##	by policy writers.
-+##	</p>
-+## </desc>
-+## <param name="user_role">
-+##	<summary>
-+##	The role associated with the user domain.
-+##	</summary>
-+## </param>
-+#
-+interface(`qemu_role_notrans',`
-+	gen_require(`
-+		type qemu_t;
-+	')
-+
-+	role $1 types qemu_t;
-+')
-+
-+#######################################
-+## <summary>
-+##	The per role template for the qemu module.
-+## </summary>
-+## <desc>
-+##	<p>
-+##	This template creates a derived domains which are used
-+##	for qemu web browser.
-+##	</p>
-+##	<p>
-+##	This template is invoked automatically for each user, and
-+##	generally does not need to be invoked directly
-+##	by policy writers.
-+##	</p>
-+## </desc>
-+## <param name="userdomain_prefix">
-+##	<summary>
-+##	The prefix of the user domain (e.g., user
-+##	is the prefix for user_t).
-+##	</summary>
-+## </param>
-+## <param name="user_role">
-+##	<summary>
-+##	The role associated with the user domain.
-+##	</summary>
-+## </param>
-+## <param name="user_domain">
-+##	<summary>
-+##	The type of the user domain.
-+##	</summary>
-+## </param>
-+#
-+template(`qemu_role',`
-+	gen_require(`
-+		type qemu_exec_t;
-+	')
-+  
-+	qemu_role_notrans($1, $2, $3)
-+  
-+	domtrans_pattern($3, qemu_exec_t, qemu_t)
-+ 	domtrans_pattern($3, qemu_config_exec_t, qemu_config_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Set the schedule on qemu.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`qemu_setsched',`
-+	gen_require(`
-+		type qemu_t;
-+	')
-+  
-+	allow $1 qemu_t:process setsched;
-+')
-+
-+########################################
-+## <summary>
+@@ -273,6 +275,67 @@
+ 
+ ########################################
+ ## <summary>
 +##	Execute qemu_exec_t 
 +##	in the specified domain but do not
 +##	do it automatically. This is an explicit
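Review bot: `xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)` turns pulseaudio_t into a full X client of the user session, and its third argument must be a tmpfs type already declared for the domain — no hunk in this patch declares `pulseaudio_tmpfs_t`, so confirm it exists in pulseaudio.te or the module will fail to build. A comment above the call stating what pulseaudio needs X access for (`# pulseaudio acts as an X client of the user session; narrower xserver_* rules above were not enough`) would let the next reviewer judge whether the broad template is needed on top of the xserver_xdm rules already in this block. The enclosing `optional_policy` block opens outside this hunk. In qemu.if the new `allow qemu_t $2:process signull;` only lets qemu_t probe whether the user process still exists; it is harmless but deserves a one-line why-comment, since the rest of `qemu_role` only sets up transitions.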
@@ -4804,171 +4580,70 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if 
 +#
 +interface(`qemu_unconfined_role',`
 +	gen_require(`
-+		type qemu_unconfined_t;
++		type unconfined_qemu_t;
++		type qemu_t;
 +	')
-+	role $1 types qemu_unconfined_t;
++	role $1 types unconfined_qemu_t;
++	role $1 types qemu_t;
 +')
 +
 +########################################
 +## <summary>
-+##	Manage qemu temporary dirs.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`qemu_manage_tmp_dirs',`
-+	gen_require(`
-+		type qemu_tmp_t;
-+	')
-+
-+	manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t)
-+	')
-+
-+########################################
-+## <summary>
-+##	Manage qemu temporary files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+	#
-+interface(`qemu_manage_tmp_files',`
-+	gen_require(`
-+		type qemu_tmp_t;
-+	')
-+
-+	manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.7.9/policy/modules/apps/qemu.te
---- nsaserefpolicy/policy/modules/apps/qemu.te	2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/qemu.te	2010-02-16 15:08:37.000000000 -0500
-@@ -13,15 +13,46 @@
- ## </desc>
- gen_tunable(qemu_full_network, false)
+ ##	Manage qemu temporary dirs.
+ ## </summary>
+ ## <param name="domain">
+@@ -306,3 +369,4 @@
  
-+## <desc>
-+## <p>
-+## Allow qemu to use usb devices
-+## </p>
-+## </desc>
-+gen_tunable(qemu_use_usb, true)
-+
-+## <desc>
-+## <p>
-+## Allow qemu to use nfs file systems
-+## </p>
-+## </desc>
-+gen_tunable(qemu_use_nfs, true)
-+
-+## <desc>
-+## <p>
-+## Allow qemu to use cifs/Samba file systems
-+## </p>
-+## </desc>
-+gen_tunable(qemu_use_cifs, true)
-+
-+## <desc>
-+## <p>
-+## Allow qemu to user serial/parallell communication ports
-+## </p>
-+## </desc>
-+gen_tunable(qemu_use_comm, false)
-+
+ 	manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
+ ')
 +
- type qemu_exec_t;
--qemu_domain_template(qemu)
-+virt_domain_template(qemu)
- application_domain(qemu_t, qemu_exec_t)
- role system_r types qemu_t;
- 
--########################################
--#
--# qemu local policy
--#
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.7.15/policy/modules/apps/qemu.te
+--- nsaserefpolicy/policy/modules/apps/qemu.te	2010-02-22 08:30:53.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/qemu.te	2010-03-18 10:44:42.000000000 -0400
+@@ -50,6 +50,8 @@
+ #
+ # qemu local policy
+ #
 +storage_raw_write_removable_device(qemu_t)
 +storage_raw_read_removable_device(qemu_t)
-+
-+userdom_search_user_home_content(qemu_t)
-+userdom_read_user_tmpfs_files(qemu_t)
-+userdom_signull_unpriv_users(qemu_t)
  
- tunable_policy(`qemu_full_network',`
- 	allow qemu_t self:udp_socket create_socket_perms;
-@@ -35,6 +66,44 @@
- 	corenet_tcp_connect_all_ports(qemu_t)
+ userdom_search_user_home_content(qemu_t)
+ userdom_read_user_tmpfs_files(qemu_t)
+@@ -100,6 +102,10 @@
+ 	xen_rw_image_files(qemu_t)
  ')
  
-+tunable_policy(`qemu_use_comm',`
-+	term_use_unallocated_ttys(qemu_t)
-+	dev_rw_printer(qemu_t)
-+')
-+
-+tunable_policy(`qemu_use_nfs',`
-+	fs_manage_nfs_dirs(qemu_t)
-+	fs_manage_nfs_files(qemu_t)
-+')
-+
-+tunable_policy(`qemu_use_cifs',`
-+	fs_manage_cifs_dirs(qemu_t)
-+	fs_manage_cifs_files(qemu_t)
-+')
-+
-+tunable_policy(`qemu_use_usb',`
-+	dev_rw_usbfs(qemu_t)
-+	fs_manage_dos_dirs(qemu_t)
-+	fs_manage_dos_files(qemu_t)
-+')
-+
-+optional_policy(`
-+	samba_domtrans_smbd(qemu_t)
-+')
-+
-+optional_policy(`
-+	virt_manage_images(qemu_t)
-+	virt_append_log(qemu_t)
-+')
-+
-+optional_policy(`
-+	xen_rw_image_files(qemu_t)
-+')
-+
 +optional_policy(`
 +	xen_rw_image_files(qemu_t)
 +')
 +
  ########################################
  #
- # qemu_unconfined local policy
-@@ -44,6 +113,10 @@
- 	type qemu_unconfined_t;
- 	domain_type(qemu_unconfined_t)
- 	unconfined_domain_noaudit(qemu_unconfined_t)
-+	userdom_manage_tmpfs_role(unconfined_r, qemu_unconfined_t)
+ # Unconfined qemu local policy
+@@ -110,6 +116,9 @@
+ 	typealias unconfined_qemu_t alias qemu_unconfined_t;
+ 	application_type(unconfined_qemu_t)
+ 	unconfined_domain_noaudit(unconfined_qemu_t)
++	userdom_manage_tmpfs_role(unconfined_r, unconfined_qemu_t)
++	userdom_unpriv_usertype(unconfined, unconfined_qemu_t)
  
-+	application_type(qemu_unconfined_t)
-+	role unconfined_r types qemu_unconfined_t;
- 	allow qemu_unconfined_t self:process { execstack execmem };
-+	allow qemu_unconfined_t qemu_exec_t:file execmod;
+ 	allow unconfined_qemu_t self:process { execstack execmem };
++	allow unconfined_qemu_t qemu_exec_t:file execmod;
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.7.9/policy/modules/apps/sambagui.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.7.15/policy/modules/apps/sambagui.fc
 --- nsaserefpolicy/policy/modules/apps/sambagui.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/sambagui.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/sambagui.fc	2010-03-18 10:44:42.000000000 -0400
 @@ -0,0 +1 @@
 +/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.7.9/policy/modules/apps/sambagui.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.7.15/policy/modules/apps/sambagui.if
 --- nsaserefpolicy/policy/modules/apps/sambagui.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/sambagui.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/sambagui.if	2010-03-18 10:44:42.000000000 -0400
 @@ -0,0 +1,2 @@
 +## <summary>system-config-samba policy</summary>
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.7.9/policy/modules/apps/sambagui.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.7.15/policy/modules/apps/sambagui.te
 --- nsaserefpolicy/policy/modules/apps/sambagui.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/sambagui.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/sambagui.te	2010-03-18 10:44:42.000000000 -0400
 @@ -0,0 +1,66 @@
 +policy_module(sambagui,1.0.0)
 +
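Review bot: `storage_raw_write_removable_device(qemu_t)` gives the confined qemu_t domain unconditional raw write access to every removable block device, which is enough for a guest to rewrite a USB disk's partition table through the emulator; comparable device access in the earlier version of this patch sat behind tunables, so this pair should be placed under a `tunable_policy` (the USB boolean, if it still exists in 3.7.15's qemu.te) with a comment naming the use case, e.g. `# pass-through of removable media to guests`. The second qemu.te hunk also adds an `optional_policy` block containing `xen_rw_image_files(qemu_t)` directly after an identical block shown as context, so the new file carries the rule twice — drop the added block. In the unconfined section, `qemu_unconfined_role` now hands both `unconfined_qemu_t` and `qemu_t` to the caller's role; say so in the interface summary, since a role granted the unconfined qemu role silently gets the confined type as well.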
@@ -5036,15 +4711,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui
 +optional_policy(`
 +	policykit_dbus_chat(sambagui_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.7.9/policy/modules/apps/sandbox.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.fc serefpolicy-3.7.15/policy/modules/apps/sandbox.fc
 --- nsaserefpolicy/policy/modules/apps/sandbox.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/sandbox.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/sandbox.fc	2010-03-18 10:44:42.000000000 -0400
 @@ -0,0 +1 @@
 +# No types are sandbox_exec_t
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.9/policy/modules/apps/sandbox.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.15/policy/modules/apps/sandbox.if
 --- nsaserefpolicy/policy/modules/apps/sandbox.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/sandbox.if	2010-02-16 15:08:37.000000000 -0500
-@@ -0,0 +1,230 @@
++++ serefpolicy-3.7.15/policy/modules/apps/sandbox.if	2010-03-18 10:44:42.000000000 -0400
+@@ -0,0 +1,250 @@
 +
 +## <summary>policy for sandbox</summary>
 +
@@ -5127,6 +4802,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +	type $1_t, sandbox_domain;
 +	domain_type($1_t)
 +
++	mls_rangetrans_target($1_t)
++
 +	type $1_file_t, sandbox_file_type;
 +	files_type($1_file_t)
 +
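Review bot: `mls_rangetrans_target($1_t)` marks every sandbox domain produced by this template as a permitted target of an MLS range transition, so a launcher may start the sandbox at a level other than its own, but nothing in the hunk says which launcher or why; add `# allow the launcher (seunshare, presumably) to start the sandbox at a chosen MLS level` and confirm the launcher, since the only related change in this patch is the `mls_process_set_level` added to the seunshare domain. The same comment should note that the line is a no-op on a non-MLS (targeted) policy. The template this line belongs to starts and ends outside the hunk.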
@@ -5228,7 +4905,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access
 +##	</summary>
 +## </param>
 +#
@@ -5246,7 +4923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access
 +##	</summary>
 +## </param>
 +#
@@ -5264,7 +4941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access
 +##	</summary>
 +## </param>
 +#
@@ -5275,10 +4952,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +
 +	delete_dirs_pattern($1, sandbox_file_type, sandbox_file_type)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.9/policy/modules/apps/sandbox.te
++
++########################################
++## <summary>
++##	allow domain to list sandbox dirs
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++#
++interface(`sandbox_list',`
++	gen_require(`
++		attribute sandbox_file_type;
++	')
++
++	allow $1 sandbox_file_type:dir list_dir_perms;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.15/policy/modules/apps/sandbox.te
 --- nsaserefpolicy/policy/modules/apps/sandbox.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/sandbox.te	2010-02-16 15:08:37.000000000 -0500
-@@ -0,0 +1,364 @@
++++ serefpolicy-3.7.15/policy/modules/apps/sandbox.te	2010-03-18 10:44:42.000000000 -0400
+@@ -0,0 +1,365 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
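Review bot: The new `sandbox_list` interface's summary `allow domain to list sandbox dirs` is the only one in this file written as a lowercase fragment; write `##	List the contents of sandbox directories.` so it renders consistently in the generated interface documentation. The interface name also omits the object — refpolicy convention would be `sandbox_list_dirs` — but renaming it here could break a caller added elsewhere in this patch, so at minimum the summary should state that only `dir` listing is granted and no file access.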
@@ -5363,6 +5058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +logging_send_audit_msgs(sandbox_xserver_t)
 +
 +userdom_use_user_terminals(sandbox_xserver_t)
++userdom_dontaudit_search_user_home_content(sandbox_xserver_t)
 +
 +xserver_entry_type(sandbox_xserver_t)
 +
@@ -5643,160 +5339,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +optional_policy(`
 +	hal_dbus_chat(sandbox_net_client_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.7.9/policy/modules/apps/screen.if
---- nsaserefpolicy/policy/modules/apps/screen.if	2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/screen.if	2010-02-16 15:08:37.000000000 -0500
-@@ -141,6 +141,7 @@
- 	userdom_create_user_pty($1_screen_t)
- 	userdom_user_home_domtrans($1_screen_t, $3)
- 	userdom_setattr_user_ptys($1_screen_t)
-+	userdom_setattr_user_ttys($1_screen_t)
- 
- 	tunable_policy(`use_samba_home_dirs',`
- 		fs_cifs_domtrans($1_screen_t, $3)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.fc serefpolicy-3.7.9/policy/modules/apps/sectoolm.fc
---- nsaserefpolicy/policy/modules/apps/sectoolm.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/sectoolm.fc	2010-02-16 15:08:37.000000000 -0500
-@@ -0,0 +1,6 @@
-+
-+/usr/libexec/sectool-mechanism\.py	--	gen_context(system_u:object_r:sectoolm_exec_t,s0)
-+
-+/var/lib/sectool(/.*)?				gen_context(system_u:object_r:sectool_var_lib_t,s0)
-+
-+/var/log/sectool\.log			--	gen_context(system_u:object_r:sectool_var_log_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.if serefpolicy-3.7.9/policy/modules/apps/sectoolm.if
---- nsaserefpolicy/policy/modules/apps/sectoolm.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/sectoolm.if	2010-02-16 15:08:37.000000000 -0500
-@@ -0,0 +1,3 @@
-+
-+## <summary>policy for sectool-mechanism</summary>
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.te serefpolicy-3.7.9/policy/modules/apps/sectoolm.te
---- nsaserefpolicy/policy/modules/apps/sectoolm.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/sectoolm.te	2010-02-16 15:08:37.000000000 -0500
-@@ -0,0 +1,118 @@
-+
-+policy_module(sectoolm,1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type sectoolm_t;
-+type sectoolm_exec_t;
-+dbus_system_domain(sectoolm_t, sectoolm_exec_t)
-+
-+# /var/lib files
-+type sectool_var_lib_t;
-+files_type(sectool_var_lib_t)
-+
-+# log files
-+type sectool_var_log_t;
-+logging_log_file(sectool_var_log_t)
-+
-+# tmp files
-+type sectool_tmp_t;
-+files_tmp_file(sectool_tmp_t)
-+
-+########################################
-+#
-+# sectool local policy
-+#
-+
-+allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace };
-+allow sectoolm_t self:process { getcap getsched  signull setsched };
-+dontaudit sectoolm_t self:process { execstack execmem };
-+
-+allow sectoolm_t self:fifo_file rw_fifo_file_perms;
-+allow sectoolm_t self:unix_dgram_socket { create_socket_perms sendto };
-+
-+# tmp files
-+manage_dirs_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t)
-+manage_files_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t)
-+files_tmp_filetrans(sectoolm_t, sectool_tmp_t, { file dir })
-+
-+# var/lib files
-+manage_files_pattern(sectoolm_t, sectool_var_lib_t,sectool_var_lib_t)
-+manage_dirs_pattern(sectoolm_t, sectool_var_lib_t,sectool_var_lib_t)
-+files_var_lib_filetrans(sectoolm_t,sectool_var_lib_t, { file dir })
-+
-+# log files
-+manage_files_pattern(sectoolm_t, sectool_var_log_t,sectool_var_log_t)
-+logging_log_filetrans(sectoolm_t,sectool_var_log_t,{ file })
-+
-+corecmd_exec_bin(sectoolm_t)
-+corecmd_exec_shell(sectoolm_t)
-+
-+kernel_read_net_sysctls(sectoolm_t)
-+kernel_read_network_state(sectoolm_t)
-+kernel_read_kernel_sysctls(sectoolm_t)
-+
-+dev_read_sysfs(sectoolm_t)
-+dev_read_urand(sectoolm_t)
-+
-+dev_getattr_all_blk_files(sectoolm_t)
-+dev_getattr_all_chr_files(sectoolm_t)
-+
-+# selinux test
-+selinux_validate_context(sectoolm_t)
-+
-+fs_getattr_all_fs(sectoolm_t)
-+fs_list_noxattr_fs(sectoolm_t)
-+
-+files_getattr_all_pipes(sectoolm_t)
-+files_getattr_all_sockets(sectoolm_t)
-+files_read_all_files(sectoolm_t)
-+files_read_all_symlinks(sectoolm_t)
-+
-+auth_use_nsswitch(sectoolm_t)
-+
-+libs_exec_ld_so(sectoolm_t)
-+
-+logging_send_syslog_msg(sectoolm_t)
-+
-+# tcp_wrappers test
-+application_exec_all(sectoolm_t)
-+
-+domain_getattr_all_domains(sectoolm_t)
-+domain_read_all_domains_state(sectoolm_t)
-+
-+userdom_users_dgram_send(sectoolm_t)
-+userdom_dgram_send(sectoolm_t)
-+userdom_manage_user_tmp_sockets(sectoolm_t)
-+
-+# tests related to network
-+hostname_exec(sectoolm_t)
-+iptables_domtrans(sectoolm_t)
-+sysnet_domtrans_ifconfig(sectoolm_t)
-+
-+optional_policy(`
-+	mount_exec(sectoolm_t)
-+')
-+
-+optional_policy(`
-+        policykit_dbus_chat(sectoolm_t)
-+')
-+
-+# suid test using
-+# rpm -Vf option
-+optional_policy(`
-+	prelink_domtrans(sectoolm_t)
-+')
-+
-+optional_policy(`
-+	rpm_exec(sectoolm_t)
-+	rpm_append_log(sectoolm_t)
-+	rpm_manage_pid_files(sectoolm_t)
-+	rpm_pid_filetrans(sectoolm_t)
-+	rpm_dontaudit_manage_db(sectoolm_t)
-+')
-+
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.7.9/policy/modules/apps/seunshare.if
---- nsaserefpolicy/policy/modules/apps/seunshare.if	2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/seunshare.if	2010-02-16 15:08:37.000000000 -0500
-@@ -2,59 +2,14 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.7.15/policy/modules/apps/seunshare.if
+--- nsaserefpolicy/policy/modules/apps/seunshare.if	2009-12-04 09:43:33.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/seunshare.if	2010-03-18 10:44:42.000000000 -0400
+@@ -2,30 +2,12 @@
  
  ########################################
  ## <summary>
@@ -5823,18 +5369,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
 -##	allow the specified role the seunshare domain.
 -## </summary>
 -## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
--## </param>
--## <param name="role">
 +## <param name="role_prefix">
  ##	<summary>
--##	Role allowed access.
+-##	Domain allowed access.
 +##	The prefix of the user role (e.g., user
 +##	is the prefix for user_r).
  ##	</summary>
  ## </param>
+ ## <param name="role">
+@@ -33,48 +15,34 @@
+ ##	Role allowed access.
+ ##	</summary>
+ ## </param>
 -#
 -interface(`seunshare_run',`
 -	gen_require(`
@@ -5857,10 +5403,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
 -## <summary>
 -##	Role access for seunshare
 -## </summary>
- ## <param name="role">
+-## <param name="role">
+-##	<summary>
+-##	Role allowed access.
+-##	</summary>
+-## </param>
+ ## <param name="domain">
  ##	<summary>
- ##	Role allowed access.
-@@ -66,15 +21,28 @@
+ ##	User domain for the role.
  ##	</summary>
  ## </param>
  #
@@ -5876,6 +5426,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
 +	type $1_seunshare_t, seunshare_domain;
 +	application_domain($1_seunshare_t, seunshare_exec_t)
 +	role $2 types $1_seunshare_t;
++
++	mls_process_set_level($1_seunshare_t)
  
 -	seunshare_domtrans($1)
 +	domtrans_pattern($3, seunshare_exec_t, $1_seunshare_t)
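Review bot: `mls_process_set_level($1_seunshare_t)` lets the per-user seunshare domain change its own MLS level, a privilege that on an MLS system is otherwise reserved for trusted login and level-setting programs, and the hunk adds it without a comment. State the intent above the line — why seunshare must set its own level instead of relying on a range transition into the sandbox domain it launches — hedged to what seunshare actually does, since the hunk does not show it; e.g. `# seunshare sets the MLS level of the sandbox it launches; TODO confirm a range transition is not sufficient`. The template containing this line begins outside the hunk.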
@@ -5890,14 +5442,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
 +	dontaudit $1_seunshare_t $3:process { noatsecure siginh rlimitinh };
 +
 +	ifdef(`hide_broken_symptoms', `
-+		dontaudit $1_seunshare_t $3:tcp_socket rw_socket_perms;
-+		dontaudit $1_seunshare_t $3:udp_socket rw_socket_perms;
-+		dontaudit $1_seunshare_t $3:unix_stream_socket rw_socket_perms;
++		dontaudit $1_seunshare_t $3:socket_class_set { read write };
 +	')
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.7.9/policy/modules/apps/seunshare.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.7.15/policy/modules/apps/seunshare.te
 --- nsaserefpolicy/policy/modules/apps/seunshare.te	2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/seunshare.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/seunshare.te	2010-03-18 10:44:42.000000000 -0400
 @@ -6,40 +6,39 @@
  # Declarations
  #
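Review bot: Replacing the three `rw_socket_perms` dontaudit rules with `dontaudit $1_seunshare_t $3:socket_class_set { read write };` changes scope in two directions at once: it now silences read/write denials on every socket class the user domain owns (netlink, packet, raw IP, key sockets and so on) while no longer silencing ioctl, getattr, setopt, bind, connect or shutdown on the three classes it used to cover. Because it sits under `hide_broken_symptoms` it grants nothing, but quietly dropping denials on raw or packet sockets inherited from the user domain removes the audit trail a responder would want if a sandboxed program reaches a leaked descriptor. Add a comment naming the leak being hidden, hedged since the hunk does not show its cause — `# sockets inherited from $3 across the exec; seunshare should close them, confirm` — or keep the class list explicit.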
@@ -5956,9 +5506,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
 +		mozilla_dontaudit_manage_user_home_files(seunshare_domain)
  	')
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.7.9/policy/modules/apps/slocate.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.7.15/policy/modules/apps/slocate.te
 --- nsaserefpolicy/policy/modules/apps/slocate.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/apps/slocate.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/slocate.te	2010-03-18 10:44:42.000000000 -0400
 @@ -30,6 +30,7 @@
  manage_files_pattern(locate_t, locate_var_lib_t, locate_var_lib_t)
  
@@ -5975,9 +5525,127 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.
  
  # getpwnam
  auth_use_nsswitch(locate_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.7.9/policy/modules/apps/vmware.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.fc serefpolicy-3.7.15/policy/modules/apps/userhelper.fc
+--- nsaserefpolicy/policy/modules/apps/userhelper.fc	2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/apps/userhelper.fc	2010-03-18 10:44:42.000000000 -0400
+@@ -7,3 +7,4 @@
+ # /usr
+ #
+ /usr/sbin/userhelper		--	gen_context(system_u:object_r:userhelper_exec_t,s0)
++/usr/bin/consolehelper		--	gen_context(system_u:object_r:consolehelper_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.if serefpolicy-3.7.15/policy/modules/apps/userhelper.if
+--- nsaserefpolicy/policy/modules/apps/userhelper.if	2010-02-12 10:33:09.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/userhelper.if	2010-03-18 10:44:42.000000000 -0400
+@@ -260,3 +260,51 @@
+ 
+ 	can_exec($1, userhelper_exec_t)
+ ')
++
++#######################################
++## <summary>
++##	The role template for the consolehelper module.
++## </summary>
++## <desc>
++##	<p>
++##	This template creates a derived domains which are used
++##	for consolehelper applications.
++##	</p>
++## </desc>
++## <param name="role_prefix">
++##	<summary>
++##	The prefix of the user domain (e.g., user
++##	is the prefix for user_t).
++##	</summary>
++## </param>
++## <param name="user_role">
++##	<summary>
++##	The role associated with the user domain.
++##	</summary>
++## </param>
++## <param name="user_domain">
++##	<summary>
++##	The type of the user domain.
++##	</summary>
++## </param>
++#
++template(`userhelper_console_role_template',`
++	gen_require(`
++		type consolehelper_exec_t;
++		attribute consolehelper_domain;
++	')
++
++	type $1_consolehelper_t, consolehelper_domain;
++	domain_type($1_consolehelper_t)
++	domain_entry_file($1_consolehelper_t, consolehelper_exec_t)
++	role $2 types $1_consolehelper_t;
++
++	domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t)
++
++	auth_use_pam($1_consolehelper_t)
++
++	optional_policy(`
++		shutdown_run($1_consolehelper_t, $2)
++		shutdown_send_sigchld($3)
++	')
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.te serefpolicy-3.7.15/policy/modules/apps/userhelper.te
+--- nsaserefpolicy/policy/modules/apps/userhelper.te	2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/apps/userhelper.te	2010-03-18 10:44:42.000000000 -0400
+@@ -7,9 +7,51 @@
+ #
+ 
+ attribute userhelper_type;
++attribute consolehelper_domain;
+ 
+ type userhelper_conf_t;
+ files_type(userhelper_conf_t)
+ 
+ type userhelper_exec_t;
+ application_executable_file(userhelper_exec_t)
++
++type consolehelper_exec_t;
++application_executable_file(consolehelper_exec_t)
++
++########################################
++#
++# consolehelper local policy
++#
++
++allow consolehelper_domain self:capability { setgid setuid }; 
++
++dontaudit consolehelper_domain  userhelper_conf_t:file write;
++read_files_pattern(consolehelper_domain, userhelper_conf_t, userhelper_conf_t)
++
++# Init script handling
++domain_use_interactive_fds(consolehelper_domain)
++
++# internal communication is often done using fifo and unix sockets.
++allow consolehelper_domain self:fifo_file rw_fifo_file_perms;
++allow consolehelper_domain self:unix_stream_socket create_stream_socket_perms;
++
++kernel_read_kernel_sysctls(consolehelper_domain)
++
++corecmd_exec_bin(consolehelper_domain)
++
++files_read_etc_files(consolehelper_domain)
++
++auth_search_pam_console_data(consolehelper_domain)
++
++init_read_utmp(consolehelper_domain)
++
++miscfiles_read_localization(consolehelper_domain)
++
++userhelper_exec(consolehelper_domain)
++
++userdom_use_user_ptys(consolehelper_domain)
++userdom_use_user_ttys(consolehelper_domain)
++
++optional_policy(`
++	xserver_stream_connect(consolehelper_domain)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.7.15/policy/modules/apps/vmware.if
 --- nsaserefpolicy/policy/modules/apps/vmware.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/apps/vmware.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/vmware.if	2010-03-18 10:44:42.000000000 -0400
 @@ -84,3 +84,22 @@
  	logging_search_logs($1)
  	append_files_pattern($1, vmware_log_t, vmware_log_t)
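Review bot: The per-user `$1_consolehelper_t` domain combines `self:capability { setgid setuid }`, `auth_use_pam`, `corecmd_exec_bin` (run any bin_t in-domain) and `userhelper_exec` (run the setuid-root userhelper without a domain transition), so as far as this policy shows, which program an authenticated userhelper then runs as root inside the domain is bounded only by its /etc/security/console.apps configuration, not by SELinux; the only intended target visible here is `shutdown_run`, so say that above the block (`# consolehelper -> userhelper (setuid root) -> PAM -> shutdown; other console.apps targets would also run in this domain`) and consider whether `corecmd_exec_bin` can be replaced by the specific transitions. `dontaudit consolehelper_domain  userhelper_conf_t:file write;` has a doubled space and the capability line carries trailing whitespace. The template docstring reads `creates a derived domains which are used`; write `creates a derived domain used for consolehelper applications.`.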
@@ -6001,9 +5669,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.i
 +	can_exec($1, vmware_host_exec_t)
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.7.9/policy/modules/apps/vmware.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.7.15/policy/modules/apps/vmware.te
 --- nsaserefpolicy/policy/modules/apps/vmware.te	2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/apps/vmware.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/vmware.te	2010-03-18 10:44:42.000000000 -0400
 @@ -29,6 +29,10 @@
  type vmware_host_exec_t;
  init_daemon_domain(vmware_host_t, vmware_host_exec_t)
@@ -6015,178 +5683,53 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.t
  type vmware_host_pid_t alias vmware_var_run_t;
  files_pid_file(vmware_host_pid_t)
  
-@@ -80,6 +84,11 @@
+@@ -79,6 +83,12 @@
+ 
  # cjp: the ro and rw files should be split up
  manage_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t)
- 
++manage_lnk_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t)
++
 +manage_dirs_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
 +manage_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
 +manage_sock_files_pattern(vmware_host_t, vmware_host_tmp_t, vmware_host_tmp_t)
 +files_tmp_filetrans(vmware_host_t, vmware_host_tmp_t, { file dir })
-+
+ 
  manage_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
  manage_sock_files_pattern(vmware_host_t, vmware_var_run_t, vmware_var_run_t)
- files_pid_filetrans(vmware_host_t, vmware_var_run_t, { file sock_file })
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.7.9/policy/modules/apps/wine.fc
---- nsaserefpolicy/policy/modules/apps/wine.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/apps/wine.fc	2010-02-16 15:08:37.000000000 -0500
-@@ -1,4 +1,22 @@
--/usr/bin/wine			--	gen_context(system_u:object_r:wine_exec_t,s0)
-+/usr/bin/wine.*			--	gen_context(system_u:object_r:wine_exec_t,s0)
-+/usr/bin/regsvr32		--	gen_context(system_u:object_r:wine_exec_t,s0)
-+/usr/bin/regedit		--	gen_context(system_u:object_r:wine_exec_t,s0)
-+/usr/bin/notepad		--	gen_context(system_u:object_r:wine_exec_t,s0)
-+/usr/bin/uninstaller		--	gen_context(system_u:object_r:wine_exec_t,s0)
-+/usr/bin/msiexec		--	gen_context(system_u:object_r:wine_exec_t,s0)
-+
-+/opt/cxoffice/bin/wine.*	--	gen_context(system_u:object_r:wine_exec_t,s0)
-+/opt/picasa/wine/bin/wine.*	--	gen_context(system_u:object_r:wine_exec_t,s0)
-+
-+/opt/google/picasa(/.*)?/bin/wine.*	--	gen_context(system_u:object_r:wine_exec_t,s0)
-+/opt/google/picasa(/.*)?/bin/regsvr32           --      gen_context(system_u:object_r:wine_exec_t,s0)
-+/opt/google/picasa(/.*)?/bin/regedit            --      gen_context(system_u:object_r:wine_exec_t,s0)
-+/opt/google/picasa(/.*)?/bin/uninstaller        --      gen_context(system_u:object_r:wine_exec_t,s0)
-+/opt/google/picasa(/.*)?/bin/msiexec            --      gen_context(system_u:object_r:wine_exec_t,s0)
-+/opt/google/picasa(/.*)?/bin/progman            --      gen_context(system_u:object_r:wine_exec_t,s0)
-+/opt/google/picasa(/.*)?/bin/notepad            --      gen_context(system_u:object_r:wine_exec_t,s0)
-+/opt/google/picasa(/.*)?/bin/wdi                --      gen_context(system_u:object_r:wine_exec_t,s0)
-+
-+
-+HOME_DIR/cxoffice/bin/wine.+		--	gen_context(system_u:object_r:wine_exec_t,s0)
- 
--/opt/cxoffice/bin/wine		--	gen_context(system_u:object_r:wine_exec_t,s0)
--/opt/picasa/wine/bin/wine	--	gen_context(system_u:object_r:wine_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.7.9/policy/modules/apps/wine.if
---- nsaserefpolicy/policy/modules/apps/wine.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/apps/wine.if	2010-02-16 15:08:37.000000000 -0500
-@@ -43,3 +43,121 @@
- 	wine_domtrans($1)
- 	role $2 types wine_t;
- ')
-+
-+#######################################
-+## <summary>
-+##	The per role template for the wine module.
-+## </summary>
-+## <desc>
-+##	<p>
-+##	This template creates a derived domains which are used
-+##	for wine applications.
-+##	</p>
-+## </desc>
-+## <param name="userdomain_prefix">
-+##	<summary>
-+##	The prefix of the user domain (e.g., user
-+##	is the prefix for user_t).
-+##	</summary>
-+## </param>
-+## <param name="user_domain">
-+##	<summary>
-+##	The type of the user domain.
-+##	</summary>
-+## </param>
-+## <param name="user_role">
-+##	<summary>
-+##	The role associated with the user domain.
-+##	</summary>
-+## </param>
-+#
-+template(`wine_role',`
-+	gen_require(`
-+		type wine_exec_t;
-+	')
-+
-+	role $1 types wine_t;
-+
-+	domain_auto_trans($2, wine_exec_t, wine_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.7.15/policy/modules/apps/wine.if
+--- nsaserefpolicy/policy/modules/apps/wine.if	2010-02-22 08:30:53.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/wine.if	2010-03-18 10:44:42.000000000 -0400
+@@ -35,6 +35,8 @@
+ 	role $1 types wine_t;
+ 
+ 	domain_auto_trans($2, wine_exec_t, wine_t)
 +	# Unrestricted inheritance from the caller.
 +	allow $2 wine_t:process { noatsecure siginh rlimitinh };
-+	allow wine_t $2:fd use;
-+	allow wine_t $2:process { sigchld signull };
-+	allow wine_t $2:unix_stream_socket connectto;
-+
-+	# Allow the user domain to signal/ps.
-+	ps_process_pattern($2, wine_t)
-+	allow $2 wine_t:process signal_perms;
-+
-+	allow $2 wine_t:fd use;
-+	allow $2 wine_t:shm { associate getattr };
-+	allow $2 wine_t:shm { unix_read unix_write };
-+	allow $2 wine_t:unix_stream_socket connectto;
-+
-+	# X access, Home files
-+	manage_dirs_pattern($2, wine_home_t, wine_home_t)
-+	manage_files_pattern($2, wine_home_t, wine_home_t)
-+	manage_lnk_files_pattern($2, wine_home_t, wine_home_t)
-+	relabel_dirs_pattern($2, wine_home_t, wine_home_t)
-+	relabel_files_pattern($2, wine_home_t, wine_home_t)
-+	relabel_lnk_files_pattern($2, wine_home_t, wine_home_t)
-+')
-+
-+#######################################
-+## <summary>
-+##	The role template for the wine module.
-+## </summary>
-+## <desc>
-+##	<p>
-+##	This template creates a derived domains which are used
-+##	for wine applications.
-+##	</p>
-+## </desc>
-+## <param name="role_prefix">
-+##	<summary>
-+##	The prefix of the user domain (e.g., user
-+##	is the prefix for user_t).
-+##	</summary>
-+## </param>
-+## <param name="user_role">
-+##	<summary>
-+##	The role associated with the user domain.
-+##	</summary>
-+## </param>
-+## <param name="user_domain">
-+##	<summary>
-+##	The type of the user domain.
-+##	</summary>
-+## </param>
-+#
-+template(`wine_role_template',`
-+	gen_require(`
-+		type wine_exec_t;
-+	')
-+
-+	type $1_wine_t;
-+	domain_type($1_wine_t)
-+	domain_entry_file($1_wine_t, wine_exec_t)
-+	role $2 types $1_wine_t;
-+
-+	userdom_unpriv_usertype($1, $1_wine_t)
-+	userdom_manage_tmpfs_role($2, $1_wine_t)
-+
+ 	allow wine_t $2:fd use;
+ 	allow wine_t $2:process { sigchld signull };
+ 	allow wine_t $2:unix_stream_socket connectto;
+@@ -103,7 +105,14 @@
+ 	userdom_unpriv_usertype($1, $1_wine_t)
+ 	userdom_manage_tmpfs_role($2, $1_wine_t)
+ 
+-	domain_mmap_low($1_wine_t)
 +	domain_mmap_low_type($1_wine_t)
 +	tunable_policy(`mmap_low_allowed',`
 +		domain_mmap_low($1_wine_t)
 +	')
 +
-+	allow $1_wine_t self:process { execmem execstack };
-+	allow $3 $1_wine_t:process { getattr ptrace noatsecure signal_perms };
-+	domtrans_pattern($3, wine_exec_t, $1_wine_t)
-+	corecmd_bin_domtrans($1_wine_t, $1_t)
-+
-+	optional_policy(`
-+		xserver_role($1_r, $1_wine_t)
-+	')
-+
 +	tunable_policy(`wine_mmap_zero_ignore',`
 +		allow $1_wine_t self:memprotect mmap_zero;
 +	')
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.7.9/policy/modules/apps/wine.te
---- nsaserefpolicy/policy/modules/apps/wine.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/apps/wine.te	2010-02-16 15:08:37.000000000 -0500
+ 
+ 	optional_policy(`
+ 		xserver_role($1_r, $1_wine_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.7.15/policy/modules/apps/wine.te
+--- nsaserefpolicy/policy/modules/apps/wine.te	2010-02-22 08:30:53.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/apps/wine.te	2010-03-18 10:44:42.000000000 -0400
 @@ -1,6 +1,14 @@
  
- policy_module(wine, 1.6.0)
+ policy_module(wine, 1.6.1)
  
 +## <desc>
 +## <p>
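Review bot: The tunable gating that the new `-	domain_mmap_low($1_wine_t)` line now substitutes for upstream's unconditional grant carries no comment explaining the split; suggest `# mapping the zero page is gated behind the mmap_low_allowed boolean; domain_mmap_low_type only attaches the attribute` above `domain_mmap_low_type($1_wine_t)`. I am assuming the `mmap_low_allowed` boolean and `domain_mmap_low_type` are declared elsewhere in this patch, since neither appears in this hunk. The same gating is applied to wine_t in wine.te in the following hunk. In vmware.te the added `manage_lnk_files_pattern(vmware_host_t, vmware_sys_conf_t, vmware_sys_conf_t)` sits under the existing `# cjp: the ro and rw files should be split up` note, which now applies to symlinks as well.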
@@ -6199,96 +5742,88 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te 
  ########################################
  #
  # Declarations
-@@ -9,20 +17,48 @@
- type wine_t;
- type wine_exec_t;
- application_domain(wine_t, wine_exec_t)
-+role system_r types wine_t;
-+
-+type wine_tmp_t;
-+files_tmp_file(wine_tmp_t)
-+ubac_constrained(wine_tmp_t)
- 
- ########################################
- #
- # Local policy
- #
+@@ -30,7 +38,13 @@
+ manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
+ files_tmp_filetrans(wine_t, wine_tmp_t, { file dir })
  
-+allow wine_t self:process { execstack execmem execheap };
-+allow wine_t self:fifo_file manage_fifo_file_perms;
-+
-+can_exec(wine_t, wine_exec_t)
-+
-+manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t)
-+manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
-+files_tmp_filetrans(wine_t, wine_tmp_t,{ file dir })
-+
+-domain_mmap_low(wine_t)
 +domain_mmap_low_type(wine_t)
 +tunable_policy(`mmap_low_allowed',`
 +	domain_mmap_low(wine_t)
 +')
-+
-+files_execmod_all_files(wine_t)
-+
- userdom_use_user_terminals(wine_t)
++tunable_policy(`wine_mmap_zero_ignore',`
++	dontaudit wine_t self:memprotect mmap_zero;
++')
+ 
+ files_execmod_all_files(wine_t)
+ 
+@@ -41,6 +55,10 @@
+ ')
  
  optional_policy(`
--	allow wine_t self:process { execstack execmem execheap };
--	unconfined_domain_noaudit(wine_t)
--	files_execmod_all_files(wine_t)
--
-- 	optional_policy(`
-- 		hal_dbus_chat(wine_t)
-- 	')
-+	hal_dbus_chat(wine_t)
-+')
-+
-+optional_policy(`
-+	unconfined_domain(wine_t)
++	policykit_dbus_chat(wine_t)
 +')
 +
 +optional_policy(`
-+        xserver_read_xdm_pid(wine_t)
-+	xserver_rw_shm(wine_t)
-+')
-+
-+tunable_policy(`wine_mmap_zero_ignore',`
-+	allow wine_t self:memprotect mmap_zero;
+ 	unconfined_domain_noaudit(wine_t)
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.9/policy/modules/kernel/corecommands.fc
---- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/kernel/corecommands.fc	2010-02-16 15:08:37.000000000 -0500
-@@ -44,15 +44,17 @@
- /etc/apcupsd/offbattery		--	gen_context(system_u:object_r:bin_t,s0)
- /etc/apcupsd/onbattery		--	gen_context(system_u:object_r:bin_t,s0)
  
-+/etc/avahi/.*\.action 		--	gen_context(system_u:object_r:bin_t,s0)
-+
- /etc/cipe/ip-up.*		--	gen_context(system_u:object_r:bin_t,s0)
- /etc/cipe/ip-down.*		--	gen_context(system_u:object_r:bin_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.7.15/policy/modules/apps/wm.if
+--- nsaserefpolicy/policy/modules/apps/wm.if	2009-07-27 18:11:17.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/apps/wm.if	2010-03-18 10:44:42.000000000 -0400
+@@ -30,6 +30,7 @@
+ template(`wm_role_template',`
+ 	gen_require(`
+ 		type wm_exec_t;
++		class dbus send_msg;
+ 	')
  
- /etc/ConsoleKit/run-session.d(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+ 	type $1_wm_t;
+@@ -42,6 +43,12 @@
+ 	allow $1_wm_t self:shm create_shm_perms;
+ 
+ 	allow $1_wm_t $3:unix_stream_socket connectto;
++	allow $3 $1_wm_t:unix_stream_socket connectto;
++	allow $3 $1_wm_t:process signal;
++	allow $1_wm_t $3:process signull;
++
++	allow $1_wm_t $3:dbus send_msg;
++	allow $3 $1_wm_t:dbus send_msg;
  
--/etc/cron.daily/.*		--	gen_context(system_u:object_r:bin_t,s0)
--/etc/cron.hourly/.*		--	gen_context(system_u:object_r:bin_t,s0)
--/etc/cron.weekly/.*		--	gen_context(system_u:object_r:bin_t,s0)
--/etc/cron.monthly/.*		--	gen_context(system_u:object_r:bin_t,s0)
-+/etc/cron.daily(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-+/etc/cron.hourly(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-+/etc/cron.weekly(/.*)?			gen_context(system_u:object_r:bin_t,s0)
-+/etc/cron.monthly(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+ 	domtrans_pattern($3, wm_exec_t, $1_wm_t)
  
- /etc/dhcp/dhclient\.d(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+@@ -55,6 +62,8 @@
+ 	files_read_etc_files($1_wm_t)
+ 	files_read_usr_files($1_wm_t)
  
-@@ -64,6 +66,7 @@
- /etc/init\.d/functions		--	gen_context(system_u:object_r:bin_t,s0)
++	fs_getattr_tmpfs($1_wm_t)
++
+ 	mls_file_read_all_levels($1_wm_t)
+ 	mls_file_write_all_levels($1_wm_t)
+ 	mls_xwin_read_all_levels($1_wm_t)
+@@ -72,11 +81,18 @@
  
- /etc/mail/make			--	gen_context(system_u:object_r:bin_t,s0)
-+/etc/mgetty\+sendfax/new_fax	--	gen_context(system_u:object_r:bin_t,s0)
+ 	optional_policy(`
+ 		dbus_system_bus_client($1_wm_t)
++		dbus_session_bus_client($1_wm_t)
++	')
++
++	optional_policy(`
++		pulseaudio_stream_connect($1_wm_t)
+ 	')
  
- /etc/netplug\.d(/.*)? 	 		gen_context(system_u:object_r:bin_t,s0)
+ 	optional_policy(`
+ 		xserver_role($2, $1_wm_t)
++		xserver_manage_core_devices($1_wm_t)
+ 	')
++
+ ')
  
-@@ -144,6 +147,9 @@
+ ########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.15/policy/modules/kernel/corecommands.fc
+--- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2010-03-05 17:14:56.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/kernel/corecommands.fc	2010-03-18 10:44:42.000000000 -0400
+@@ -147,6 +147,9 @@
  /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
  ')
  
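Review bot: The new `dontaudit wine_t self:memprotect mmap_zero;` under `wine_mmap_zero_ignore` in wine.te disagrees with wine.if, where the same boolean grants `allow $1_wine_t self:memprotect mmap_zero;` to the per-role derived domains (context lines in the previous hunk). With one boolean the system domain only silences the denial while the user domains actually get the mapping, so toggling `wine_mmap_zero_ignore` has a different security effect depending on which wine domain runs; either both blocks should be `dontaudit` (as the boolean's name suggests) or the difference should be stated in a comment above each block. In wm.if, `xserver_manage_core_devices($1_wm_t)` is added for every role's window-manager domain without a note on why manage access is required; a one-line comment would help the next reader. The blank line added just before the closing `')` of wm_role_template is unneeded.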
@@ -6298,31 +5833,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  #
  # /usr
  #
-@@ -214,6 +220,7 @@
- /usr/share/apr-0/build/libtool --	gen_context(system_u:object_r:bin_t,s0)
- /usr/share/debconf/.+		--	gen_context(system_u:object_r:bin_t,s0)
- /usr/share/cluster/.*\.sh		gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/cluster/ocf-shellfuncs  --   gen_context(system_u:object_r:bin_t,s0)
- /usr/share/cluster/svclib_nfslock --	gen_context(system_u:object_r:bin_t,s0)
- /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
-@@ -228,12 +235,15 @@
- /usr/share/sectool/.*\.py	--	gen_context(system_u:object_r:bin_t,s0)
- /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/shorewall/compiler\.pl	--	gen_context(system_u:object_r:bin_t,s0)
- /usr/share/shorewall/configpath	--	gen_context(system_u:object_r:bin_t,s0)
- /usr/share/shorewall-perl(/.*)?		gen_context(system_u:object_r:bin_t,s0)
- /usr/share/shorewall-shell(/.*)?	gen_context(system_u:object_r:bin_t,s0)
- /usr/share/shorewall-lite(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
- /usr/share/shorewall6-lite(/.*)?	gen_context(system_u:object_r:bin_t,s0)
- /usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/vhostmd/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/e16/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
- 
- /usr/X11R6/lib(64)?/X11/xkb/xkbcomp --	gen_context(system_u:object_r:bin_t,s0)
- 
-@@ -323,3 +333,21 @@
+@@ -331,3 +334,21 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -6344,10 +5855,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
 +/usr/lib(64)?/rpm/rpmv		-- 	gen_context(system_u:object_r:bin_t,s0)
 +
 +/usr/lib(64)?/gimp/.*/plug-ins(/.*)?  gen_context(system_u:object_r:bin_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.7.9/policy/modules/kernel/corecommands.if
---- nsaserefpolicy/policy/modules/kernel/corecommands.if	2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/kernel/corecommands.if	2010-02-16 15:08:37.000000000 -0500
-@@ -893,6 +893,7 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.7.15/policy/modules/kernel/corecommands.if
+--- nsaserefpolicy/policy/modules/kernel/corecommands.if	2010-03-05 17:14:56.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/kernel/corecommands.if	2010-03-18 10:44:42.000000000 -0400
+@@ -931,6 +931,7 @@
  
  	read_lnk_files_pattern($1, bin_t, bin_t)
  	can_exec($1, chroot_exec_t)
@@ -6355,33 +5866,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  ')
  
  ########################################
-@@ -918,6 +919,25 @@
- 
- ########################################
- ## <summary>
-+##	Read all executable files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`corecmd_read_all_executables',`
-+	gen_require(`
-+		attribute exec_type;
-+	')
-+
-+	read_files_pattern($1, exec_type, exec_type)
-+')
-+
-+########################################
-+## <summary>
- ##	Execute all executable files.
- ## </summary>
- ## <param name="domain">
-@@ -973,6 +993,7 @@
+@@ -1030,6 +1031,7 @@
  		type bin_t;
  	')
  
@@ -6389,37 +5874,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
  	manage_files_pattern($1, bin_t, exec_type)
  	manage_lnk_files_pattern($1, bin_t, bin_t)
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.7.9/policy/modules/kernel/corenetwork.if.in
---- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/kernel/corenetwork.if.in	2010-02-16 15:08:37.000000000 -0500
-@@ -1705,6 +1705,24 @@
- 
- ########################################
- ## <summary>
-+##	dontaudit Read and write the TUN/TAP virtual network device.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	The domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`corenet_dontaudit_rw_tun_tap_dev',`
-+	gen_require(`
-+		type tun_tap_device_t;
-+	')
-+
-+	dontaudit $1 tun_tap_device_t:chr_file { read write };
-+')
-+
-+########################################
-+## <summary>
- ##	Getattr the point-to-point device.
- ## </summary>
- ## <param name="domain">
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.9/policy/modules/kernel/corenetwork.te.in
---- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2010-02-16 14:58:22.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/kernel/corenetwork.te.in	2010-02-16 15:08:37.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.15/policy/modules/kernel/corenetwork.te.in
+--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2010-03-18 06:48:09.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/kernel/corenetwork.te.in	2010-03-18 10:44:42.000000000 -0400
 @@ -65,6 +65,7 @@
  type server_packet_t, packet_type, server_packet_type;
  
@@ -6428,71 +5885,51 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
  network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
  network_port(afs_ka, udp,7004,s0)
  network_port(afs_pt, udp,7002,s0)
-@@ -81,23 +82,27 @@
+@@ -79,6 +80,7 @@
+ network_port(audit, tcp,60,s0)
+ network_port(auth, tcp,113,s0)
  network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
++network_port(boinc, tcp,31416,s0)
  type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
  network_port(certmaster, tcp,51235,s0)
--network_port(chronyd, udp,323,s0)
- network_port(clamd, tcp,3310,s0)
+ network_port(chronyd, udp,323,s0)
+@@ -86,6 +88,7 @@
  network_port(clockspeed, udp,4041,s0)
  network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
  network_port(cobbler, tcp,25151,s0)
 +network_port(commplex, tcp,5000,s0, udp,5000,s0, tcp,5001,s0, udp,5001,s0)
  network_port(comsat, udp,512,s0)
  network_port(cvs, tcp,2401,s0, udp,2401,s0)
- network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0)
-+portcon tcp 6780-6799 gen_context(system_u:object_r:cyphesis_port_t, s0)
- network_port(dbskkd, tcp,1178,s0)
- network_port(dcc, udp,6276,s0, udp,6277,s0)
- network_port(dccm, tcp,5679,s0, udp,5679,s0)
--network_port(dhcpc, udp,68,s0)
--network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
-+network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
-+network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
- network_port(dict, tcp,2628,s0)
+ network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
+@@ -98,7 +101,9 @@
  network_port(distccd, tcp,3632,s0)
  network_port(dns, udp,53,s0, tcp,53,s0)
-+network_port(epmap, udp,135,s0, tcp,135,s0)
+ network_port(epmap, tcp,135,s0, udp,135,s0)
 +network_port(festival, tcp,1314,s0)
  network_port(fingerd, tcp,79,s0)
 +network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0)
  network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
  network_port(ftp_data, tcp,20,s0)
  network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
-@@ -110,12 +115,16 @@
- network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
- network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
- network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
-+portcon tcp 10001-10010 gen_context(system_u:object_r:http_cache_port_t, s0)
-+network_port(chronyd, udp,323,s0)
- network_port(i18n_input, tcp,9010,s0)
- network_port(imaze, tcp,5323,s0, udp,5323,s0)
- network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
- network_port(innd, tcp,119,s0)
- network_port(ipmi, udp,623,s0, udp,664,s0)
- network_port(ipp, tcp,631,s0, udp,631,s0)
-+portcon tcp 8610-8614 gen_context(system_u:object_r:ipp_port_t, s0)
-+portcon udp 8610-8614 gen_context(system_u:object_r:ipp_port_t, s0)
- network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
- network_port(ircd, tcp,6667,s0)
- network_port(isakmp, udp,500,s0)
-@@ -131,8 +140,9 @@
+@@ -132,32 +137,43 @@
  network_port(ktalkd, udp,517,s0, udp,518,s0)
  network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
  network_port(lmtp, tcp,24,s0, udp,24,s0)
 +network_port(lirc, tcp,8765,s0)
  type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
--network_port(mail, tcp,2000,s0)
-+network_port(mail, tcp,2000,s0, tcp,3905,s0)
+ network_port(mail, tcp,2000,s0, tcp,3905,s0)
  network_port(memcache, tcp,11211,s0, udp,11211,s0)
  network_port(mmcc, tcp,5050,s0, udp,5050,s0)
  network_port(monopd, tcp,1234,s0)
-@@ -141,21 +151,29 @@
+ network_port(msnp, tcp,1863,s0, udp,1863,s0)
++network_port(mssql, tcp,1433,s0, tcp,1434,s0, udp,1433,s0, udp,1434,s0)
+ network_port(munin, tcp,4949,s0, udp,4949,s0)
  network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
  portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
+ network_port(mysqlmanagerd, tcp,2273,s0)
  network_port(nessus, tcp,1241,s0)
--network_port(netsupport, tcp,5405,s0, udp,5405,s0)
-+network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
++network_port(netport, tcp,3129,s0, udp,3129,s0)
+ network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
  network_port(nmbd, udp,137,s0, udp,138,s0)
  network_port(ntp, udp,123,s0)
 +network_port(ntop, tcp,3000,s0, udp,3000,s0, tcp,3001,s0, udp,3001,s0)
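Review bot: The new `netport` port type on 3129 gives no hint which daemon owns it, unlike the file's practice of annotating non-obvious ports (`# 8118 is for privoxy` on the http_cache line); suggest appending a comment naming the consumer to `network_port(netport, tcp,3129,s0, udp,3129,s0)`. Declaring a dedicated type also changes who may bind or connect to that port, since it is no longer an unreserved port, so the bind/connect interfaces for `boinc`, `mssql` and `netport` are presumably added elsewhere in this patch; they do not appear here.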
@@ -6518,7 +5955,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
  network_port(pulseaudio, tcp,4713,s0)
-@@ -175,33 +193,38 @@
+@@ -177,16 +193,18 @@
  network_port(rsync, tcp,873,s0, udp,873,s0)
  network_port(rwho, udp,513,s0)
  network_port(sap, tcp,9875,s0, udp,9875,s0)
@@ -6526,8 +5963,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
  network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0)
  network_port(smbd, tcp,137-139,s0, tcp,445,s0)
  network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
--network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
-+network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp, 1161, s0)
+-network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp, 1161, s0)
++network_port(snmp, tcp,161,s0, udp,161,s0, tcp,162,s0, udp,162,s0, tcp,199,s0, tcp, 1161, s0)
  type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
  network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
  network_port(spamd, tcp,783,s0)
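Review bot: The rewritten snmp line mixes `tcp,161,s0` with `tcp, 1161, s0` spacing; for consistency with the rest of the table write `network_port(snmp, tcp,161,s0, udp,161,s0, tcp,162,s0, udp,162,s0, tcp,199,s0, tcp,1161,s0)`. The change also labels TCP 161/162 as snmp_port_t, so every domain that already has snmp-port bind or connect access now gets the TCP variants too; worth a sentence in the changelog if that widening is intended.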
@@ -6538,75 +5975,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
  type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
  network_port(swat, tcp,901,s0)
  network_port(syslogd, udp,514,s0)
- network_port(telnetd, tcp,23,s0)
- network_port(tftp, udp,69,s0)
--network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0)
-+network_port(tor, tcp, 6969, s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0)
- network_port(traceroute, udp,64000,s0, udp,64001,s0, udp,64002,s0, udp,64003,s0, udp,64004,s0, udp,64005,s0, udp,64006,s0, udp,64007,s0, udp,64008,s0, udp,64009,s0, udp,64010,s0)
- network_port(transproxy, tcp,8081,s0)
--network_port(ups, tcp,3493,s0)
- type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
- network_port(uucpd, tcp,540,s0)
-+network_port(ups, tcp,3493,s0)
+@@ -201,7 +219,7 @@
  network_port(varnishd, tcp,6081,s0, tcp,6082,s0)
  network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
- network_port(virt_migration, tcp,49152,s0)
-+portcon tcp 49153-49216 gen_context(system_u:object_r:virt_migration_port_t,s0)
- network_port(vnc, tcp,5900,s0)
-+# Reserve 100 ports for vnc/virt machines
-+portcon tcp 5901-5999 gen_context(system_u:object_r:vnc_port_t,s0)
+ network_port(virt_migration, tcp,49152-49216,s0)
+-network_port(vnc, tcp,5900,s0)
++network_port(vnc, tcp,5900-5999,s0)
  network_port(wccp, udp,2048,s0)
--network_port(whois, tcp,43,s0, udp,43,s0)
-+network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
+ network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
  network_port(xdmcp, udp,177,s0, tcp,177,s0)
- network_port(xen, tcp,8002,s0)
- network_port(xfs, tcp,7100,s0)
-@@ -230,6 +253,8 @@
- type node_t, node_type;
- sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh)
- 
-+typealias node_t alias { compat_ipv4_node_t lo_node_t link_local_node_t inaddr_any_node_t unspec_node_t };
-+
- # network_node examples:
- #network_node(lo, s0 - mls_systemhigh, 127.0.0.1, 255.255.255.255)
- #network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.9/policy/modules/kernel/devices.fc
---- nsaserefpolicy/policy/modules/kernel/devices.fc	2009-11-20 10:51:41.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/kernel/devices.fc	2010-02-16 15:08:37.000000000 -0500
-@@ -16,13 +16,16 @@
- /dev/audio.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
- /dev/autofs.*		-c	gen_context(system_u:object_r:autofs_device_t,s0)
- /dev/beep		-c	gen_context(system_u:object_r:sound_device_t,s0)
-+/dev/btrfs-control	-c	gen_context(system_u:object_r:lvm_control_t,s0)
- /dev/controlD64		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
-+/dev/dahdi/.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
- /dev/dmfm		-c	gen_context(system_u:object_r:sound_device_t,s0)
- /dev/dmmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
- /dev/dsp.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
- /dev/efirtc		-c	gen_context(system_u:object_r:clock_device_t,s0)
- /dev/elographics/e2201	-c	gen_context(system_u:object_r:mouse_device_t,s0)
- /dev/em8300.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
-+/dev/etherd/.+		-c	gen_context(system_u:object_r:lvm_control_t,s0)
- /dev/event.*		-c	gen_context(system_u:object_r:event_device_t,s0)
- /dev/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
- /dev/fb[0-9]*		-c	gen_context(system_u:object_r:framebuf_device_t,s0)
-@@ -61,6 +64,7 @@
- /dev/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
- /dev/microcode		-c	gen_context(system_u:object_r:cpu_device_t,s0)
- /dev/midi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
-+/dev/misc/dlm.*   	-c  gen_context(system_u:object_r:dlm_control_device_t,s0)
- /dev/mixer.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
- /dev/mmetfgrab		-c	gen_context(system_u:object_r:scanner_device_t,s0)
- /dev/modem		-c	gen_context(system_u:object_r:modem_device_t,s0)
-@@ -80,6 +84,7 @@
- /dev/pcfclock.*		-c	gen_context(system_u:object_r:clock_device_t,s0)
- /dev/pmu		-c	gen_context(system_u:object_r:power_device_t,s0)
- /dev/port		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
-+/dev/pps.*		-c	gen_context(system_u:object_r:clock_device_t,s0)
- /dev/(misc/)?psaux	-c	gen_context(system_u:object_r:mouse_device_t,s0)
- /dev/rmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
- /dev/radeon		-c	gen_context(system_u:object_r:dri_device_t,s0)
-@@ -101,6 +106,7 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.15/policy/modules/kernel/devices.fc
+--- nsaserefpolicy/policy/modules/kernel/devices.fc	2010-03-05 10:46:32.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/kernel/devices.fc	2010-03-18 10:44:42.000000000 -0400
+@@ -108,6 +108,7 @@
  /dev/urandom		-c	gen_context(system_u:object_r:urandom_device_t,s0)
  /dev/ub[a-c]		-c	gen_context(system_u:object_r:usb_device_t,s0)
  /dev/usb.+		-c	gen_context(system_u:object_r:usb_device_t,s0)
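Review bot: `network_port(vnc, tcp,5900-5999,s0)` folds the range into the vnc type but drops the `# Reserve 100 ports for vnc/virt machines` comment that the old patch kept on its separate `portcon` line, so the reason for labelling 100 ports is lost; suggest restoring it as a full-line comment above the new declaration. Every domain allowed the vnc port now also gets 5901-5999, and services that used to bind those as unreserved ports will be denied, which is presumably intended given the virt use case the old comment named.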
@@ -6614,124 +5995,90 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
  /dev/usblp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
  ifdef(`distro_suse', `
  /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
-@@ -142,6 +148,7 @@
- /dev/input/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
- /dev/input/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
- /dev/input/uinput	-c	gen_context(system_u:object_r:event_device_t,s0)
-+/dev/uinput	-c	gen_context(system_u:object_r:event_device_t,s0)
- 
- /dev/mapper/control	-c	gen_context(system_u:object_r:lvm_control_t,s0)
- 
-@@ -159,6 +166,8 @@
- /dev/usb/mdc800.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
- /dev/usb/scanner.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
- 
-+/dev/uio[0-9]+      -c  gen_context(system_u:object_r:userio_device_t,s0)
-+
- /dev/xen/blktap.*	-c	gen_context(system_u:object_r:xen_device_t,s0)
- /dev/xen/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
- 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.9/policy/modules/kernel/devices.if
---- nsaserefpolicy/policy/modules/kernel/devices.if	2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/kernel/devices.if	2010-02-16 15:08:37.000000000 -0500
-@@ -436,6 +436,24 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.15/policy/modules/kernel/devices.if
+--- nsaserefpolicy/policy/modules/kernel/devices.if	2010-03-05 10:46:32.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/kernel/devices.if	2010-03-18 10:44:42.000000000 -0400
+@@ -934,6 +934,42 @@
  
  ########################################
  ## <summary>
-+##	Dontaudit getattr for generic character device files.
++##	rw all inherited character device files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to dontaudit access.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_rw_generic_chr_files',`
++interface(`dev_rw_all_inherited_chr_files',`
 +	gen_require(`
-+		type device_t;
++		attribute device_node;
 +	')
 +
-+	allow $1 device_t:chr_file rw_chr_file_perms;
++	allow $1 device_node:chr_file rw_inherited_chr_file_perms;
 +')
 +
 +########################################
 +## <summary>
- ##	Dontaudit setattr for generic character device files.
- ## </summary>
- ## <param name="domain">
-@@ -801,6 +819,24 @@
- 
- ########################################
- ## <summary>
-+##	Dontaudit write on all block file device nodes.
++##	rw all inherited blk device files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_dontaudit_write_all_blk_files',`
++interface(`dev_rw_all_inherited_blk_files',`
 +	gen_require(`
 +		attribute device_node;
 +	')
 +
-+	dontaudit $1 device_node:blk_file write;
++	allow $1 device_node:blk_file rw_inherited_blk_file_perms;
 +')
 +
 +########################################
 +## <summary>
- ##	Dontaudit read on all character file device nodes.
+ ##	Delete all block device files.
  ## </summary>
  ## <param name="domain">
-@@ -819,6 +855,24 @@
+@@ -2597,6 +2633,7 @@
+ 		type mtrr_device_t;
+ 	')
+ 
++	dontaudit $1 mtrr_device_t:file write;
+ 	dontaudit $1 mtrr_device_t:chr_file write;
+ ')
+ 
+@@ -3440,6 +3477,24 @@
  
  ########################################
  ## <summary>
-+##	Dontaudit write on all character file device nodes.
++##	Associate a file to a sysfs filesystem.
 +## </summary>
-+## <param name="domain">
++## <param name="file_type">
 +##	<summary>
-+##	Domain to not audit.
++##	The type of the file to be associated to sysfs.
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_dontaudit_write_all_chr_files',`
++interface(`dev_associate_sysfs',`
 +	gen_require(`
-+		attribute device_node;
++		type sysfs_t;
 +	')
 +
-+	dontaudit $1 device_node:chr_file write;
++	allow $1 sysfs_t:filesystem associate;
 +')
 +
 +########################################
 +## <summary>
- ##	Create all block device files.
+ ##	Get the attributes of sysfs directories.
  ## </summary>
  ## <param name="domain">
-@@ -855,6 +909,42 @@
+@@ -3733,6 +3788,24 @@
  
  ########################################
  ## <summary>
-+##	rw all inherited character device files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_rw_all_inherited_chr_files',`
-+	gen_require(`
-+		attribute device_node;
-+	')
-+
-+	allow $1 device_node:chr_file rw_inherited_chr_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	rw all inherited blk device files.
++##	Read USB monitor devices.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
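Review bot: The new `dev_rw_all_inherited_chr_files` and `dev_rw_all_inherited_blk_files` interfaces grant read/write on every node carrying the `device_node` attribute, so a domain they are applied to can use an inherited descriptor to any device on the system; the summaries (`rw all inherited character device files.`) should spell that breadth out, e.g. `Read and write all inherited character device files (every device_node type); grants no open permission if the inherited perm set omits it.`. The permission sets `rw_inherited_chr_file_perms` and `rw_inherited_blk_file_perms` are not part of upstream refpolicy's obj_perm_sets and are presumably supplied elsewhere in this patch; if they are absent from 3.7.15 these interfaces will fail to expand. The `dontaudit $1 mtrr_device_t:file write;` line is added to an interface whose head lies outside the hunk, so its name and summary cannot be checked here.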
@@ -6739,117 +6086,116 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_rw_all_inherited_blk_files',`
++interface(`dev_read_usbmon_dev',`
 +	gen_require(`
-+		attribute device_node;
++		type device_t, usbmon_device_t;
 +	')
 +
-+	allow $1 device_node:blk_file rw_inherited_blk_file_perms;
++	read_chr_files_pattern($1, device_t, usbmon_device_t)
 +')
 +
 +########################################
 +## <summary>
- ##	Delete all block device files.
+ ##	Mount a usbfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -1380,6 +1470,42 @@
- 	rw_chr_files_pattern($1, device_t, crypt_device_t)
- ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.7.15/policy/modules/kernel/devices.te
+--- nsaserefpolicy/policy/modules/kernel/devices.te	2010-03-05 10:46:32.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/kernel/devices.te	2010-03-18 10:44:42.000000000 -0400
+@@ -210,7 +210,7 @@
+ files_mountpoint(sysfs_t)
+ fs_type(sysfs_t)
+ genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
+-
++ 
+ #
+ # Type for /dev/tpm
+ #
+@@ -239,6 +239,12 @@
+ dev_node(usb_device_t)
  
-+#######################################
-+## <summary>
-+##  Set the attributes of the dlm control devices.
-+## </summary>
-+## <param name="domain">
-+##  <summary>
-+##  Domain allowed access.
-+##  </summary>
-+## </param>
+ #
++# usb_device_t is the type for /dev/usbmon
 +#
-+interface(`dev_setattr_dlm_control',`
-+    gen_require(`
-+        type device_t, kvm_device_t;
-+    ')
-+
-+    setattr_chr_files_pattern($1, device_t, dlm_control_device_t)
-+')
++type usbmon_device_t;
++dev_node(usbmon_device_t)
 +
-+#######################################
-+## <summary>
-+##  Read and write the the dlm control device
-+## </summary>
-+## <param name="domain">
-+##  <summary>
-+##  Domain allowed access.
-+##  </summary>
-+## </param>
 +#
-+interface(`dev_rw_dlm_control',`
-+    gen_require(`
-+        type device_t, dlm_control_device_t;
-+    ')
-+
-+    rw_chr_files_pattern($1, device_t, dlm_control_device_t)
-+')
+ # userio_device_t is the type for /dev/uio[0-9]+
+ #
+ type userio_device_t;
+@@ -289,5 +295,6 @@
+ #
+ 
+ allow devices_unconfined_type self:capability sys_rawio;
+-allow devices_unconfined_type device_node:{ blk_file chr_file } *;
++allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
+ allow devices_unconfined_type mtrr_device_t:file *;
 +
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.15/policy/modules/kernel/domain.if
+--- nsaserefpolicy/policy/modules/kernel/domain.if	2010-03-18 06:48:09.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/kernel/domain.if	2010-03-18 10:44:42.000000000 -0400
+@@ -611,7 +611,7 @@
+ 
  ########################################
  ## <summary>
- ##	getattr the dri devices.
-@@ -1710,6 +1836,24 @@
+-##	Get the attributes of all domains of all domains.
++##	Get the attributes of all domains.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -630,7 +630,7 @@
  
  ########################################
  ## <summary>
-+##	Write to the kernel messages device
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_write_kmsg',`
-+	gen_require(`
-+		type device_t, kmsg_device_t;
-+	')
-+
-+	write_chr_files_pattern($1, device_t, kmsg_device_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Get the attributes of the ksm devices.
+-##	Get the attributes of all domains of all domains.
++##	Dontaudit geting the attributes of all domains.
  ## </summary>
  ## <param name="domain">
-@@ -1999,6 +2143,24 @@
+ ##	<summary>
+@@ -1372,18 +1372,34 @@
+ ##	</summary>
+ ## </param>
+ #
+-interface(`domain_mmap_low',`
++interface(`domain_mmap_low_type',`
+ 	gen_require(`
+ 		attribute mmap_low_domain_type;
+ 	')
+ 
+-	allow $1 self:memprotect mmap_zero;
+-
+ 	typeattribute $1 mmap_low_domain_type;
+ ')
  
  ########################################
  ## <summary>
-+##	dontaudit getattr raw memory devices (e.g. /dev/mem).
++##	Ability to mmap a low area of the address space,
++##      as configured by /proc/sys/kernel/mmap_min_addr.
++##      Preventing such mappings helps protect against
++##      exploiting null deref bugs in the kernel.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain allowed to mmap low memory.
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_dontaudit_read_memory_dev',`
-+	gen_require(`
-+		type memory_device_t;
-+	')
++interface(`domain_mmap_low',`
 +
-+	dontaudit $1 memory_device_t:chr_file read_chr_file_perms;
++	allow $1 self:memprotect mmap_zero;
 +')
 +
 +########################################
 +## <summary>
- ##	Read raw memory devices (e.g. /dev/mem).
- ## </summary>
- ## <param name="domain">
-@@ -2450,6 +2612,24 @@
+ ##	Allow specified type to receive labeled
+ ##	networking packets from all domains, over
+ ##	all protocols (TCP, UDP, etc)
+@@ -1422,6 +1438,24 @@
  
  ########################################
  ## <summary>
-+##	Dontaudit write the memory type range registers (MTRR).
++##	Polyinstatiated access to domains.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
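Review bot: The comment introducing the new type in devices.te names the wrong type: it reads `# usb_device_t is the type for /dev/usbmon` but the declaration that follows is `type usbmon_device_t;`, so it should read `# usbmon_device_t is the type for /dev/usbmon`. In the same hunk the domain.if summary `Dontaudit geting the attributes of all domains.` has a typo (`getting`), and the inner diff turns an empty line after the `genfscon sysfs` rule into a line holding a single space, which is whitespace noise in the patch. The split `domain_mmap_low` interface now grants `self:memprotect mmap_zero` without adding the caller to `mmap_low_domain_type`, while `neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero` remains in domain.te, so a domain that calls only `domain_mmap_low` would trip that assertion at build time; the summary should say callers must pair it with `domain_mmap_low_type`.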
@@ -6857,24 +6203,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_dontaudit_write_mtrr',`
++interface(`domain_poly',`
 +	gen_require(`
-+		type mtrr_device_t;
++		attribute polydomain;
 +	')
 +
-+	dontaudit $1 mtrr_device_t:chr_file write;
++	typeattribute $1 polydomain;
 +')
 +
 +########################################
 +## <summary>
- ##	Get the attributes of the network control device
+ ##	Unconfined access to domains.
  ## </summary>
  ## <param name="domain">
-@@ -3515,6 +3695,24 @@
- 
- ########################################
- ## <summary>
-+##	Read USB monitor devices.
+@@ -1445,3 +1479,22 @@
+ 	typeattribute $1 set_curr_context;
+ 	typeattribute $1 process_uncond_exempt;
+ ')
++
++########################################
++## <summary>
++##	Do not audit attempts to read or write
++##	all leaked sockets.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
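Review bot: The summary of `domain_poly` reads `Polyinstatiated access to domains.`, which is misspelled and does not describe what the interface does; it only adds `$1` to the `polydomain` attribute, so `Mark the domain as polyinstantiated (add it to the polydomain attribute).` would be accurate. The parameter summary `Domain allowed access.` is fine, but a reader cannot tell from this hunk what `polydomain` grants, since the rules consuming the attribute lie outside it.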
@@ -6882,369 +6232,81 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_read_usbmon_dev',`
++interface(`domain_dontaudit_leaks',`
 +	gen_require(`
-+		type device_t, usbmon_device_t;
++		attribute domain;
 +	')
 +
-+	read_chr_files_pattern($1, device_t, usbmon_device_t)
++	dontaudit $1 domain:socket_class_set { read write };
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.15/policy/modules/kernel/domain.te
+--- nsaserefpolicy/policy/modules/kernel/domain.te	2010-03-18 06:48:09.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/kernel/domain.te	2010-03-18 10:44:42.000000000 -0400
+@@ -5,6 +5,21 @@
+ #
+ # Declarations
+ #
++## <desc>
++## <p>
++## Allow all domains to use other domains file descriptors
++## </p>
++## </desc>
++#
++gen_tunable(allow_domain_fd_use, true)
 +
-+########################################
-+## <summary>
- ##	Mount a usbfs filesystem.
- ## </summary>
- ## <param name="domain">
-@@ -3703,6 +3901,24 @@
- 	getattr_chr_files_pattern($1, device_t, v4l_device_t)
- ')
- 
-+######################################
-+## <summary>
-+##  Read or write userio device.
-+## </summary>
-+## <param name="domain">
-+##  <summary>
-+##  Domain allowed access.
-+##  </summary>
-+## </param>
++## <desc>
++## <p>
++## Allow all domains to have the kernel load modules
++## </p>
++## </desc>
 +#
-+interface(`dev_rw_userio_dev',`
-+    gen_require(`
-+        type device_t, userio_device_t;
-+    ')
++gen_tunable(domain_kernel_load_modules, false)
+ 
+ # Mark process types as domains
+ attribute domain;
+@@ -15,6 +30,8 @@
+ # Domains that are unconfined
+ attribute unconfined_domain_type;
+ 
++attribute polydomain;
 +
-+    rw_chr_files_pattern($1, device_t, userio_device_t)
-+')
+ # Domains that can mmap low memory.
+ attribute mmap_low_domain_type;
+ neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
+@@ -80,14 +97,17 @@
+ allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
+ allow domain self:file rw_file_perms;
+ kernel_read_proc_symlinks(domain)
++kernel_read_crypto_sysctls(domain)
 +
- ########################################
- ## <summary>
- ##	Do not audit attempts to get the attributes
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.7.9/policy/modules/kernel/devices.te
---- nsaserefpolicy/policy/modules/kernel/devices.te	2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/kernel/devices.te	2010-02-16 15:08:37.000000000 -0500
-@@ -59,6 +59,12 @@
- type crypt_device_t;
- dev_node(crypt_device_t)
+ # Every domain gets the key ring, so we should default
+ # to no one allowed to look at it; afs kernel support creates
+ # a keyring
+ kernel_dontaudit_search_key(domain)
+ kernel_dontaudit_link_key(domain)
++kernel_dontaudit_search_debugfs(domain)
  
-+#
-+# dlm_misc_device_t is the type of /dev/misc/dlm.*
-+#
-+type dlm_control_device_t;
-+dev_node(dlm_control_device_t)
-+
- type dri_device_t;
- dev_node(dri_device_t)
+ # create child processes in the domain
+-allow domain self:process { fork sigchld };
++allow domain self:process { fork getsched sigchld };
  
-@@ -232,6 +238,18 @@
- type usb_device_t;
- dev_node(usb_device_t)
+ # Use trusted objects in /dev
+ dev_rw_null(domain)
+@@ -97,6 +117,13 @@
+ # list the root directory
+ files_list_root(domain)
  
-+#
-+# usb_device_t is the type for /dev/usbmon
-+#
-+type usbmon_device_t;
-+dev_node(usbmon_device_t)
++# All executables should be able to search the directory they are in
++corecmd_search_bin(domain)
 +
-+#
-+# userio_device_t is the type for /dev/uio[0-9]+
-+#
-+type userio_device_t;
-+dev_node(userio_device_t)
-+
- type v4l_device_t;
- dev_node(v4l_device_t)
- 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.9/policy/modules/kernel/domain.if
---- nsaserefpolicy/policy/modules/kernel/domain.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/kernel/domain.if	2010-02-16 15:08:37.000000000 -0500
-@@ -44,34 +44,6 @@
- interface(`domain_type',`
- 	# start with basic domain
- 	domain_base_type($1)
--
--	ifdef(`distro_redhat',`
--		optional_policy(`
--			unconfined_use_fds($1)
--		')
--	')
--
--	# send init a sigchld and signull
--	optional_policy(`
--		init_sigchld($1)
--		init_signull($1)
--	')
--
--	# these seem questionable:
--
--	optional_policy(`
--		rpm_use_fds($1)
--		rpm_read_pipes($1)
--	')
--
--	optional_policy(`
--		selinux_dontaudit_getattr_fs($1)
--		selinux_dontaudit_read_fs($1)
--	')
--
--	optional_policy(`
--		seutil_dontaudit_read_config($1)
--	')
- ')
- 
- ########################################
-@@ -746,10 +718,6 @@
- 	dontaudit $1 domain:dir list_dir_perms;
- 	dontaudit $1 domain:lnk_file read_lnk_file_perms;
- 	dontaudit $1 domain:file read_file_perms;
--
--	# cjp: these should be removed:
--	dontaudit $1 domain:sock_file read_sock_file_perms;
--	dontaudit $1 domain:fifo_file read_fifo_file_perms;
- ')
- 
- ########################################
-@@ -791,6 +759,24 @@
- 
- ########################################
- ## <summary>
-+##	Get the scheduler information of all domains.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`domain_getsched_all_domains',`
-+	gen_require(`
-+		attribute domain;
-+	')
-+
-+	allow $1 domain:process getsched;
-+')
-+
-+########################################
-+## <summary>
- ##	Do not audit attempts to get the
- ##	session ID of all domains.
- ## </summary>
-@@ -1039,6 +1025,54 @@
- 
- ########################################
- ## <summary>
-+##	Get the attributes
-+##	of all domains unix datagram sockets.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`domain_getattr_all_stream_sockets',`
-+	gen_require(`
-+		attribute domain;
-+	')
-+
-+	allow $1 domain:unix_stream_socket getattr;
-+')
-+
-+########################################
-+## <summary>
-+##	Get the attributes of all domains
-+##	unnamed pipes.
-+## </summary>
-+## <desc>
-+##	<p>
-+##	Get the attributes of all domains
-+##	unnamed pipes.
-+##	</p>
-+##	<p>
-+##	This is commonly used for domains
-+##	that can use lsof on all domains.
-+##	</p>
-+## </desc>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`domain_getattr_all_pipes',`
-+	gen_require(`
-+		attribute domain;
-+	')
-+
-+	allow $1 domain:fifo_file getattr;
-+')
-+
-+########################################
-+## <summary>
- ##	Do not audit attempts to get the attributes
- ##	of all domains unnamed pipes.
- ## </summary>
-@@ -1248,18 +1282,34 @@
- ##	</summary>
- ## </param>
- #
--interface(`domain_mmap_low',`
-+interface(`domain_mmap_low_type',`
- 	gen_require(`
- 		attribute mmap_low_domain_type;
- 	')
- 
--	allow $1 self:memprotect mmap_zero;
--
- 	typeattribute $1 mmap_low_domain_type;
- ')
- 
- ########################################
- ## <summary>
-+##	Ability to mmap a low area of the address space,
-+##      as configured by /proc/sys/kernel/mmap_min_addr.
-+##      Preventing such mappings helps protect against
-+##      exploiting null deref bugs in the kernel.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed to mmap low memory.
-+##	</summary>
-+## </param>
-+#
-+interface(`domain_mmap_low',`
-+
-+	allow $1 self:memprotect mmap_zero;
-+')
-+
-+########################################
-+## <summary>
- ##	Allow specified type to receive labeled
- ##	networking packets from all domains, over
- ##	all protocols (TCP, UDP, etc)
-@@ -1280,6 +1330,24 @@
- 
- ########################################
- ## <summary>
-+##	Polyinstatiated access to domains.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`domain_poly',`
-+	gen_require(`
-+		attribute polydomain;
-+	')
-+
-+	typeattribute $1 polydomain;
-+')
-+
-+########################################
-+## <summary>
- ##	Unconfined access to domains.
- ## </summary>
- ## <param name="domain">
-@@ -1304,3 +1372,39 @@
- 	typeattribute $1 process_uncond_exempt;
- ')
- 
-+########################################
-+## <summary>
-+##	Send generic signals to the unconfined domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`domain_unconfined_signal',`
-+	gen_require(`
-+		attribute unconfined_domain_type;
-+	')
-+
-+	allow $1 unconfined_domain_type:process signal;
-+')
-+
-+########################################
-+## <summary>
-+##	Do not audit attempts to read or write
-+##	all leaked sockets.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`domain_dontaudit_leaks',`
-+	gen_require(`
-+		attribute domain;
-+	')
-+
-+	dontaudit $1 domain:socket_class_set { read write };
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.9/policy/modules/kernel/domain.te
---- nsaserefpolicy/policy/modules/kernel/domain.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/kernel/domain.te	2010-02-16 15:08:37.000000000 -0500
-@@ -5,6 +5,21 @@
- #
- # Declarations
- #
-+## <desc>
-+## <p>
-+## Allow all domains to use other domains file descriptors
-+## </p>
-+## </desc>
-+#
-+gen_tunable(allow_domain_fd_use, true)
-+
-+## <desc>
-+## <p>
-+## Allow all domains to have the kernel load modules
-+## </p>
-+## </desc>
-+#
-+gen_tunable(domain_kernel_load_modules, false)
- 
- # Mark process types as domains
- attribute domain;
-@@ -15,6 +30,8 @@
- # Domains that are unconfined
- attribute unconfined_domain_type;
- 
-+attribute polydomain;
-+
- # Domains that can mmap low memory.
- attribute mmap_low_domain_type;
- neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
-@@ -80,6 +97,8 @@
- allow domain self:lnk_file { read_lnk_file_perms lock ioctl };
- allow domain self:file rw_file_perms;
- kernel_read_proc_symlinks(domain)
-+kernel_read_crypto_sysctls(domain)
-+
- # Every domain gets the key ring, so we should default
- # to no one allowed to look at it; afs kernel support creates
- # a keyring
-@@ -97,6 +116,13 @@
- # list the root directory
- files_list_root(domain)
- 
-+# All executables should be able to search the directory they are in
-+corecmd_search_bin(domain)
-+
-+tunable_policy(`domain_kernel_load_modules',`
-+	kernel_request_load_module(domain)
-+')
++tunable_policy(`domain_kernel_load_modules',`
++	kernel_request_load_module(domain)
++')
 +
  tunable_policy(`global_ssp',`
  	# enable reading of urandom for all domains:
  	# this should be enabled when all programs
-@@ -106,6 +132,10 @@
+@@ -106,6 +133,10 @@
  ')
  
  optional_policy(`
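Review bot: `domain_dontaudit_leaks` silences `read`/`write` denials on every socket class of every domain, which removes the only audit signal that identifies the program leaking the descriptor; once applied broadly the leak is invisible rather than fixed, so the summary should warn about that, e.g. `Do not audit attempts to read or write all leaked sockets. This hides genuine fd leaks; apply only where the leak is known and accepted.`. `gen_tunable(allow_domain_fd_use, true)` ships the permissive setting by default, and its `<desc>` block should say that `false` is the hardened value and what breaks when it is set; the `tunable_policy` that consumes it lies outside this hunk. `corecmd_search_bin(domain)` and `kernel_dontaudit_search_debugfs(domain)` are policy-wide grants that carry no why-comment beyond the one above `corecmd_search_bin`.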
@@ -7255,7 +6317,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
  	libs_use_ld_so(domain)
  	libs_use_shared_libs(domain)
  ')
-@@ -118,6 +148,7 @@
+@@ -118,6 +149,7 @@
  optional_policy(`
  	xserver_dontaudit_use_xdm_fds(domain)
  	xserver_dontaudit_rw_xdm_pipes(domain)
@@ -7263,7 +6325,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
  ')
  
  ########################################
-@@ -136,6 +167,8 @@
+@@ -136,6 +168,8 @@
  allow unconfined_domain_type domain:fd use;
  allow unconfined_domain_type domain:fifo_file rw_file_perms;
  
@@ -7272,7 +6334,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
  # Act upon any other process.
  allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
  
-@@ -153,3 +186,74 @@
+@@ -153,3 +187,76 @@
  
  # receive from all domains over labeled networking
  domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -7306,9 +6368,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
 +optional_policy(`
 +	rpm_use_fds(domain)
 +	rpm_read_pipes(domain)
++	rpm_search_log(domain)
++	rpm_append_tmp(domain)
 +	rpm_dontaudit_leaks(domain)
 +	rpm_read_script_tmp_files(domain)
-+	rpm_inerited_fifo(domain)
++	rpm_inherited_fifo(domain)
 +')
 +
 +
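Review bot: `rpm_append_tmp(domain)` and `rpm_search_log(domain)` give every domain in the policy append access to rpm's temporary files and search on its log directory, a policy-wide grant placed inside an `optional_policy` block whose opening lies outside the hunk. That breadth deserves a why-comment above the two calls, e.g. `# <reason every domain needs append on rpm tmp files and search of rpm logs>` filled in with the actual motivation, and if only domains that rpm scriptlets transition into need it, a narrower attribute than `domain` would be preferable. The corrected `rpm_inherited_fifo(domain)` name is the one the rpm module presumably exports; the old misspelling would not have expanded.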
@@ -7347,9 +6411,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
 +	userdom_relabelto_user_home_dirs(polydomain)
 +	userdom_relabelto_user_home_files(polydomain)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.7.9/policy/modules/kernel/files.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.7.15/policy/modules/kernel/files.fc
 --- nsaserefpolicy/policy/modules/kernel/files.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/kernel/files.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/kernel/files.fc	2010-03-18 10:44:42.000000000 -0400
 @@ -18,6 +18,7 @@
  /fsckoptions 		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /halt			--	gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -7383,7 +6447,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  /etc/cups/client\.conf	--	gen_context(system_u:object_r:etc_t,s0)
  
  /etc/ipsec\.d/examples(/.*)?	gen_context(system_u:object_r:etc_t,s0)
-@@ -229,6 +236,8 @@
+@@ -93,7 +100,7 @@
+ # HOME_ROOT
+ # expanded by genhomedircon
+ #
+-HOME_ROOT		-d	gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh)
++HOME_ROOT			gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh)
+ HOME_ROOT/\.journal		<<none>>
+ HOME_ROOT/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+ HOME_ROOT/lost\+found/.*		<<none>>
+@@ -205,15 +212,19 @@
+ /usr/local/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+ /usr/local/lost\+found/.*	<<none>>
+ 
++ifndef(`distro_redhat',`
+ /usr/local/src(/.*)?		gen_context(system_u:object_r:src_t,s0)
++')
+ 
+ /usr/lost\+found		-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
+ /usr/lost\+found/.*		<<none>>
+ 
+ /usr/share/doc(/.*)?/README.*	gen_context(system_u:object_r:usr_t,s0)
+ 
++ifndef(`distro_redhat',`
+ /usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
+ /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
++')
+ 
+ /usr/tmp			-d	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+ /usr/tmp/.*			<<none>>
+@@ -229,6 +240,8 @@
  
  /var/ftp/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
  
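Review bot: Dropping the `-d` qualifier from the `HOME_ROOT` entry means any object at that path, a symlink or regular file as well as a directory, is labeled `home_root_t`; this looks intentional given the `home_root_t:lnk_file` rules added to files.if later in this patch, but a comment on the line, e.g. `# no -d: HOME_ROOT may be a symlink`, would preserve the reason. The `ifndef(`distro_redhat', ...)` wrappers remove the `src_t` label from `/usr/src` and `/usr/local/src` on Red Hat builds, so those trees fall back to the generic `usr_t` context and become readable by every domain that can read `usr_t`; if that widening is deliberate it should be documented here, since the `.fc` file gives no hint of it.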
@@ -7392,10 +6485,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  /var/lib(/.*)?			gen_context(system_u:object_r:var_lib_t,s0)
  
  /var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.9/policy/modules/kernel/files.if
---- nsaserefpolicy/policy/modules/kernel/files.if	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/kernel/files.if	2010-02-16 15:08:37.000000000 -0500
-@@ -932,10 +932,8 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.15/policy/modules/kernel/files.if
+--- nsaserefpolicy/policy/modules/kernel/files.if	2010-03-18 06:48:09.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/kernel/files.if	2010-03-18 10:44:42.000000000 -0400
+@@ -1053,10 +1053,8 @@
  	relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
  	relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
  	relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -7408,7 +6501,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  
  	# satisfy the assertions:
  	seutil_relabelto_bin_policy($1)
-@@ -1307,6 +1305,24 @@
+@@ -1428,6 +1426,42 @@
  
  ########################################
  ## <summary>
@@ -7430,10 +6523,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 +
 +########################################
 +## <summary>
++##	Write all mount points.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_write_all_mountpoints',`
++	gen_require(`
++		attribute mountpoint;
++	')
++
++	allow $1 mountpoint:dir write;
++')
++
++########################################
++## <summary>
  ##	List the contents of the root directory.
  ## </summary>
  ## <param name="domain">
-@@ -1431,6 +1447,24 @@
+@@ -1552,6 +1586,24 @@
  
  ########################################
  ## <summary>
@@ -7458,16 +6569,75 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ##	Remove entries from the root directory.
  ## </summary>
  ## <param name="domain">
-@@ -2125,6 +2159,8 @@
- 	allow $1 etc_t:dir list_dir_perms;
- 	read_files_pattern($1, etc_t, etc_t)
- 	read_lnk_files_pattern($1, etc_t, etc_t)
-+	files_read_etc_runtime_files($1)
-+	files_read_config_files($1)
- ')
+@@ -1697,6 +1749,24 @@
  
  ########################################
-@@ -2207,6 +2243,24 @@
+ ## <summary>
++##	manage directories in /boot
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_manage_boot_dirs',`
++	gen_require(`
++		type boot_t;
++	')
++
++	allow $1 boot_t:dir manage_dir_perms;
++')
++
++########################################
++## <summary>
+ ##	Create a private type object in boot
+ ##	with an automatic type transition
+ ## </summary>
+@@ -1740,7 +1810,7 @@
+ 		type boot_t;
+ 	')
+ 
+-	manage_files_pattern($1, boot_t, boot_t)
++	read_files_pattern($1, boot_t, boot_t)
+ ')
+ 
+ ########################################
+@@ -2209,6 +2279,24 @@
+ 	allow $1 etc_t:dir rw_dir_perms;
+ ')
+ 
++########################################
++## <summary>
++##	Do not audit attempts to write to /etc dirs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_write_etc_dirs',`
++	gen_require(`
++		type etc_t;
++	')
++
++	dontaudit $1 etc_t:dir write;
++')
++
+ ##########################################
+ ## <summary>
+ ## 	Manage generic directories in /etc
+@@ -2280,6 +2368,8 @@
+ 	allow $1 etc_t:dir list_dir_perms;
+ 	read_files_pattern($1, etc_t, etc_t)
+ 	read_lnk_files_pattern($1, etc_t, etc_t)
++	files_read_etc_runtime_files($1)
++	files_read_config_files($1)
+ ')
+ 
+ ########################################
+@@ -2362,6 +2452,24 @@
  
  ########################################
  ## <summary>
@@ -7492,19 +6662,157 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ##	Execute generic files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2612,6 +2666,11 @@
- 	')
+@@ -2789,6 +2897,101 @@
  
- 	delete_files_pattern($1, file_t, file_t)
+ ########################################
+ ## <summary>
++##	Delete lnk_files on new filesystems
++##	that have not yet been labeled.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_delete_isid_type_symlinks',`
++	gen_require(`
++		type file_t;
++	')
++
 +	delete_lnk_files_pattern($1, file_t, file_t)
++')
++
++########################################
++## <summary>
++##	Delete fifo files on new filesystems
++##	that have not yet been labeled.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_delete_isid_type_fifo_files',`
++	gen_require(`
++		type file_t;
++	')
++
 +	delete_fifo_files_pattern($1, file_t, file_t)
++')
++
++########################################
++## <summary>
++##	Delete sock files on new filesystems
++##	that have not yet been labeled.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_delete_isid_type_sock_files',`
++	gen_require(`
++		type file_t;
++	')
++
 +	delete_sock_files_pattern($1, file_t, file_t)
++')
++
++########################################
++## <summary>
++##	Delete blk files on new filesystems
++##	that have not yet been labeled.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_delete_isid_type_blk_files',`
++	gen_require(`
++		type file_t;
++	')
++
 +	delete_blk_files_pattern($1, file_t, file_t)
++')
++
++########################################
++## <summary>
++##	Delete chr files on new filesystems
++##	that have not yet been labeled.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_delete_isid_type_chr_files',`
++	gen_require(`
++		type file_t;
++	')
++
 +	delete_chr_files_pattern($1, file_t, file_t)
++')
++
++########################################
++## <summary>
+ ##	Create, read, write, and delete files
+ ##	on new filesystems that have not yet been labeled.
+ ## </summary>
+@@ -2899,6 +3102,7 @@
+ 	')
+ 
+ 	allow $1 home_root_t:dir getattr;
++	allow $1 home_root_t:lnk_file getattr;
+ ')
+ 
+ ########################################
+@@ -2919,6 +3123,7 @@
+ 	')
+ 
+ 	dontaudit $1 home_root_t:dir getattr;
++	dontaudit $1 home_root_t:lnk_file getattr;
  ')
  
  ########################################
-@@ -3329,6 +3388,64 @@
+@@ -2937,6 +3142,7 @@
+ 	')
+ 
+ 	allow $1 home_root_t:dir search_dir_perms;
++	allow $1 home_root_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -2956,6 +3162,7 @@
+ 	')
+ 
+ 	dontaudit $1 home_root_t:dir search_dir_perms;
++	dontaudit $1 home_root_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -2975,6 +3182,7 @@
+ 	')
+ 
+ 	dontaudit $1 home_root_t:dir list_dir_perms;
++	dontaudit $1 home_root_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -2993,6 +3201,7 @@
+ 	')
+ 
+ 	allow $1 home_root_t:dir list_dir_perms;
++	allow $1 home_root_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -3520,6 +3729,64 @@
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
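Review bot: The five new `files_delete_isid_type_*` interfaces are documented consistently except the first, whose summary says `Delete lnk_files on new filesystems` while the interface is named `..._symlinks`; `Delete symbolic links on new filesystems` would match its siblings' wording. Each grants delete on `file_t` objects of one class, and `file_t` is the label of objects on filesystems that have not been relabeled, so the block- and character-device variants let a caller unlink device nodes on unlabeled media; a sentence saying so in those two summaries would keep callers from adopting them casually. The `home_root_t:lnk_file` additions track the `HOME_ROOT` file-context change elsewhere in this patch.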
@@ -7569,7 +6877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ########################################
  ## <summary>
  ##	Allow the specified type to associate
-@@ -3514,6 +3631,32 @@
+@@ -3705,6 +3972,32 @@
  
  ########################################
  ## <summary>
@@ -7602,38 +6910,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ##	Manage temporary files and directories in /tmp.
  ## </summary>
  ## <param name="domain">
-@@ -3727,6 +3870,8 @@
+@@ -3918,6 +4211,13 @@
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
 +	files_delete_isid_type_dirs($1)
 +	files_delete_isid_type_files($1)
++	files_delete_isid_type_symlinks($1)
++	files_delete_isid_type_fifo_files($1)
++	files_delete_isid_type_sock_files($1)
++	files_delete_isid_type_blk_files($1)
++	files_delete_isid_type_chr_files($1)
  ')
  
  ########################################
-@@ -3835,7 +3980,12 @@
+@@ -4026,7 +4326,7 @@
  		type usr_t;
  	')
  
 -	allow $1 usr_t:file delete_file_perms;
 +	delete_files_pattern($1, usr_t, usr_t)
-+	delete_lnk_files_pattern($1, usr_t, usr_t)
-+	delete_fifo_files_pattern($1, usr_t, usr_t)
-+	delete_sock_files_pattern($1, usr_t, usr_t)
-+	delete_blk_files_pattern($1, usr_t, usr_t)
-+	delete_chr_files_pattern($1, usr_t, usr_t)
  ')
  
  ########################################
-@@ -3874,6 +4024,7 @@
- 	allow $1 usr_t:dir list_dir_perms;
- 	read_files_pattern($1, usr_t, usr_t)
- 	read_lnk_files_pattern($1, usr_t, usr_t)
-+	files_read_usr_src_files($1)
- ')
- 
- ########################################
-@@ -3898,6 +4049,24 @@
+@@ -4107,6 +4407,24 @@
  
  ########################################
  ## <summary>
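Review bot: The five added calls, `files_delete_isid_type_symlinks($1)` through `files_delete_isid_type_chr_files($1)`, give the caller delete access on unlabeled (file_t) block and character device nodes as well as symlinks, FIFOs and sockets, which is wider than the tmpfile cleanup that the surrounding `delete_*_pattern($1, tmpfile, tmpfile)` lines express. The enclosing interface's name and doc block lie outside this hunk, so its `<summary>` should say that it also purges unlabeled objects of every class, e.g. `##	Also deletes unlabeled (file_t) objects of any class.`, otherwise callers expecting only /tmp cleanup silently gain rights over unlabeled device nodes. If only one purge domain actually needs the blk_file/chr_file cases, calling `files_delete_isid_type_blk_files`/`_chr_files` from that domain's .te would keep this interface narrower.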
@@ -7658,32 +6958,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ##	dontaudit write of /usr files
  ## </summary>
  ## <param name="domain">
-@@ -4518,6 +4687,24 @@
- 	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
- ')
- 
-+########################################
-+## <summary>
-+##	Search the /var/log directory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_search_var_log',`
-+	gen_require(`
-+		type var_t, var_log_t;
-+	')
-+
-+	search_dirs_pattern($1, var_t, var_log_t)
-+')
-+
- # cjp: the next two interfaces really need to be fixed
- # in some way.  They really neeed their own types.
- 
-@@ -4790,6 +4977,25 @@
+@@ -5032,6 +5350,25 @@
  	search_dirs_pattern($1, var_t, var_run_t)
  ')
  
@@ -7709,7 +6984,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -4849,6 +5055,24 @@
+@@ -5091,6 +5428,24 @@
  
  ########################################
  ## <summary>
@@ -7731,10 +7006,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 +
 +########################################
 +## <summary>
- ##	Create an object in the process ID directory, with a private
- ##	type using a type transition.
+ ##	Create an object in the process ID directory, with a private type.
  ## </summary>
-@@ -4898,6 +5122,24 @@
+ ## <desc>
+@@ -5166,6 +5521,24 @@
  
  ########################################
  ## <summary>
@@ -7759,7 +7034,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ##	Do not audit attempts to write to daemon runtime data files.
  ## </summary>
  ## <param name="domain">
-@@ -4951,6 +5193,7 @@
+@@ -5219,6 +5592,7 @@
  
  	list_dirs_pattern($1, var_t, pidfile)
  	read_files_pattern($1, pidfile, pidfile)
@@ -7767,7 +7042,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ')
  
  ########################################
-@@ -5019,6 +5262,24 @@
+@@ -5287,6 +5661,24 @@
  
  ########################################
  ## <summary>
@@ -7792,7 +7067,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  ##	Search the contents of generic spool
  ##	directories (/var/spool).
  ## </summary>
-@@ -5207,12 +5468,15 @@
+@@ -5475,12 +5867,15 @@
  	allow $1 poly_t:dir { create mounton };
  	fs_unmount_xattr_fs($1)
  
@@ -7809,7 +7084,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  	')
  ')
  
-@@ -5233,3 +5497,212 @@
+@@ -5501,3 +5896,211 @@
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -7830,7 +7105,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 +## </param>
 +## <rolecap/>
 +#
-+interface(`files_dump_core',`
++interface(`files_manage_root_files',`
 +	gen_require(`
 +		type root_t;
 +	')
@@ -7840,11 +7115,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 +
 +########################################
 +## <summary>
-+##     Create a default directory in /
++##     Create a default directory
 +## </summary>
 +## <desc>
 +##     <p>
-+##     Create a default_t direcrory in /
++##     Create a default_t direcrory
 +##     </p>
 +## </desc>
 +## <param name="domain">
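Review bot: The rewritten description line `##     Create a default_t direcrory` carries the typo over from the old text and should read `##     Create a default_t directory`. The `<summary>` above it was trimmed to `Create a default directory`, which no longer says anything about where or how the directory is labeled; since the body visible in the following hunk now only allows `default_t:dir create`, wording such as `Create a default_t directory (no type transition)` would make the contract clearer. Both are comment-only changes.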
@@ -7856,30 +7131,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 +#
 +interface(`files_create_default_dir',`
 +       gen_require(`
-+               type root_t, default_t;
++               type default_t;
 +       ')
 +
 +       allow $1 default_t:dir create;
-+       filetrans_pattern($1, root_t, default_t, dir)
 +')
 +
 +########################################
 +## <summary>
-+##	manage generic symbolic links
-+##	in the /var/run directory.
++##	Create, default_t objects with an automatic
++##	type transition.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
++## <param name="object">
++##	<summary>
++##	The class of the object being created.
++##	</summary>
++## </param>
 +#
-+interface(`files_manage_generic_pids_symlinks',`
-+	gen_require(`
-+		type var_run_t;
-+	')
++interface(`files_root_filetrans_default',`
++       gen_require(`
++               type root_t, default_t;
++       ')
 +
-+	manage_lnk_files_pattern($1,var_run_t,var_run_t)
++       filetrans_pattern($1, root_t, default_t, $2)
 +')
 +
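Review bot: `files_create_default_dir` no longer performs the type transition, since `filetrans_pattern($1, root_t, default_t, dir)` was removed from it and reappears in the new `files_root_filetrans_default` with the object class as `$2`, so any caller that relied on the old single call to both create and label the directory now needs both interfaces; those callers are outside this hunk, so it is worth confirming each one was updated. The new interface's summary `Create, default_t objects with an automatic type transition.` has a stray comma and should read `Create default_t objects in / with an automatic type transition.`. Its `gen_require` block is also indented with spaces where the neighbouring interfaces use tabs.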
 +########################################
@@ -7893,17 +7172,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 +##	</summary>
 +## </param>
 +#
-+interface(`files_boot',`
++interface(`files_manage_generic_pids_symlinks',`
 +	gen_require(`
-+		type root_t;
++		type var_run_t;
 +	')
 +
-+	allow $1 root_t:blk_file manage_blk_file_perms;
-+	allow $1 root_t:chr_file manage_chr_file_perms;
-+	manage_dirs_pattern($1, root_t, root_t)
-+	manage_files_pattern($1, root_t, root_t)
-+	manage_lnk_files_pattern($1, root_t, root_t)
-+	can_exec(kernel_t, root_t)
++	manage_lnk_files_pattern($1,var_run_t,var_run_t)
 +')
 +
 +########################################
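Review bot: The moved body line `manage_lnk_files_pattern($1,var_run_t,var_run_t)` omits the spaces after the commas that every other pattern call in this file uses (compare `delete_chr_files_pattern($1, file_t, file_t)` above); it should be `manage_lnk_files_pattern($1, var_run_t, var_run_t)`. The interface's doc block starts outside this hunk.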
@@ -8022,17 +7296,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 +	dontaudit $1 file_type:file rw_inherited_file_perms;
 +	dontaudit $1 file_type:lnk_file { read };
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.7.9/policy/modules/kernel/files.te
---- nsaserefpolicy/policy/modules/kernel/files.te	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/kernel/files.te	2010-02-16 15:08:37.000000000 -0500
-@@ -43,6 +43,7 @@
- #
- type boot_t;
- files_mountpoint(boot_t)
-+dev_node(boot_t)
- 
- # default_t is the default type for files that do not
- # match any specification in the file_contexts configuration
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.7.15/policy/modules/kernel/files.te
+--- nsaserefpolicy/policy/modules/kernel/files.te	2010-03-18 06:48:09.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/kernel/files.te	2010-03-18 10:44:42.000000000 -0400
+@@ -12,6 +12,7 @@
+ attribute mountpoint;
+ attribute pidfile;
+ attribute configfile;
++attribute etcfile;
+ 
+ # For labeling types that are to be polyinstantiated
+ attribute polydir;
 @@ -59,6 +60,15 @@
  typealias etc_t alias automount_etc_t;
  typealias etc_t alias snmpd_etc_t;
@@ -8057,86 +7331,44 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  
  ########################################
  #
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.9/policy/modules/kernel/filesystem.if
---- nsaserefpolicy/policy/modules/kernel/filesystem.if	2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/kernel/filesystem.if	2010-02-16 15:08:37.000000000 -0500
-@@ -906,7 +906,7 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.15/policy/modules/kernel/filesystem.if
+--- nsaserefpolicy/policy/modules/kernel/filesystem.if	2010-03-12 11:48:14.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/kernel/filesystem.if	2010-03-18 10:44:42.000000000 -0400
+@@ -1141,7 +1141,7 @@
  		type cifs_t;
  	')
  
--	dontaudit $1 cifs_t:file { read write };
+-	dontaudit $1 cifs_t:file rw_file_perms;
 +	dontaudit $1 cifs_t:file rw_inherited_file_perms;
  ')
  
  ########################################
-@@ -1459,6 +1459,25 @@
+@@ -1899,6 +1899,7 @@
+ 	')
+ 
+ 	allow $1 inotifyfs_t:dir list_dir_perms;
++	fs_read_anon_inodefs_files($1)
+ ')
  
  ########################################
- ## <summary>
-+##	Do not audit attempts to list the contents
-+##	of directories on a FUSEFS filesystem.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`fs_dontaudit_list_fusefs',`
-+	gen_require(`
-+		type fusefs_t;
-+	')
-+
-+	dontaudit $1 fusefs_t:dir list_dir_perms;
-+')
-+
-+########################################
-+## <summary>
- ##	Create, read, write, and delete directories
- ##	on a FUSEFS filesystem.
- ## </summary>
-@@ -1613,6 +1632,36 @@
+@@ -2349,7 +2350,7 @@
+ 		type nfs_t;
+ 	')
+ 
+-	dontaudit $1 nfs_t:file rw_file_perms;
++	dontaudit $1 nfs_t:file rw_inherited_file_perms;
+ ')
  
  ########################################
- ## <summary>
-+##	Create an object in a hugetlbfs filesystem, with a private
-+##	type using a type transition.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <param name="private type">
-+##	<summary>
-+##	The type of the object to be created.
-+##	</summary>
-+## </param>
-+## <param name="object">
-+##	<summary>
-+##	The object class of the object being created.
-+##	</summary>
-+## </param>
-+#
-+interface(`fs_hugetlbfs_filetrans',`
-+	gen_require(`
-+		type hugetlbfs_t;
-+	')
-+
-+	allow $2 hugetlbfs_t:filesystem associate;
-+	filetrans_pattern($1, hugetlbfs_t, $2, $3)
-+')
+@@ -4549,3 +4550,24 @@
+ 	relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
+ 	relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
+ ')
 +
 +########################################
 +## <summary>
- ##	Search inotifyfs filesystem.
- ## </summary>
- ## <param name="domain">
-@@ -1649,6 +1698,24 @@
- 
- ########################################
- ## <summary>
-+##	Dontaudit List inotifyfs filesystem.
++##	Do not audit attempts to read or write
++##	all leaked filesystems files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
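Review bot: `fs_read_anon_inodefs_files($1)` is added to an interface whose only other visible rule is `allow $1 inotifyfs_t:dir list_dir_perms;`, so what reads as an inotifyfs listing interface now also grants read on anon_inodefs files, presumably because inotify descriptors are backed by anon inodes. The interface's `<summary>` is outside this hunk and should mention the extra grant, e.g. `##	Also allows reading anon_inodefs files backing inotify descriptors.`, so callers know they get more than a directory listing. This also assumes `fs_read_anon_inodefs_files` is defined in the 3.7.15 base filesystem.if, which is not visible here.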
@@ -8144,340 +7376,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_dontaudit_list_inotifyfs',`
++interface(`fs_dontaudit_leaks',`
 +	gen_require(`
-+		type inotifyfs_t;
++		attribute filesystem_type;
 +	')
 +
-+	dontaudit $1 inotifyfs_t:dir list_dir_perms;
++	dontaudit $1 filesystem_type:file rw_inherited_file_perms;
++	dontaudit $1 filesystem_type:lnk_file { read };
 +')
 +
-+########################################
-+## <summary>
- ##	Mount an iso9660 filesystem, which
- ##	is usually used on CDs.
- ## </summary>
-@@ -2047,7 +2114,7 @@
- 		type nfs_t;
- 	')
- 
--	dontaudit $1 nfs_t:file rw_file_perms;
-+	dontaudit $1 nfs_t:file rw_inherited_file_perms;
- ')
- 
- ########################################
-@@ -2069,6 +2136,25 @@
- 	read_lnk_files_pattern($1, nfs_t, nfs_t)
- ')
- 
-+########################################
-+## <summary>
-+##	Dontaudit read symbolic links on a NFS filesystem.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`fs_dontaudit_read_nfs_symlinks',`
-+	gen_require(`
-+		type nfs_t;
-+	')
-+
-+	allow $1 nfs_t:dir list_dir_perms;
-+	read_lnk_files_pattern($1, nfs_t, nfs_t)
-+')
-+
- #########################################
- ## <summary>
- ##	Read named sockets on a NFS filesystem.
-@@ -3458,6 +3544,24 @@
- 
- ########################################
- ## <summary>
-+##	Read generic tmpfs files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`fs_read_tmpfs_files',`
-+	gen_require(`
-+		type tmpfs_t;
-+	')
-+
-+	read_files_pattern($1, tmpfs_t, tmpfs_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Read and write generic tmpfs files.
- ## </summary>
- ## <param name="domain">
-@@ -3684,6 +3788,24 @@
- 
- ########################################
- ## <summary>
-+##	Search the XENFS filesystem.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`fs_search_xenfs',`
-+	gen_require(`
-+		type xenfs_t;
-+	')
-+
-+	allow $1 xenfs_t:dir search_dir_perms;
-+')
-+
-+########################################
-+## <summary>
- ##	Mount a XENFS filesystem.
- ## </summary>
- ## <param name="domain">
-@@ -4181,3 +4303,214 @@
- 	relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
- 	relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
- ')
-+
-+########################################
-+## <summary>
-+##      list dirs on cgroup
-+##      file systems.
-+## </summary>
-+## <param name="domain">
-+##      <summary>
-+##      Domain allowed access.
-+##      </summary>
-+## </param>
-+#
-+interface(`fs_list_cgroup_dirs', `
-+        gen_require(`
-+                type cgroup_t;
-+
-+        ')
-+
-+        list_dirs_pattern($1, cgroup_t, cgroup_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Do not audit attempts to read
-+##	dirs on a CIFS or SMB filesystem.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`fs_dontaudit_list_cifs_dirs',`
-+	gen_require(`
-+		type cifs_t;
-+	')
-+
-+	dontaudit $1 cifs_t:dir list_dir_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Manage dirs on cgroup file systems.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`fs_manage_cgroup_dirs',`
-+	gen_require(`
-+		type cgroup_t;
-+
-+	')
-+	manage_dirs_pattern($1, cgroup_t, cgroup_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Read files on cgroup
-+##	file systems.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`fs_read_cgroup_files',`
-+	gen_require(`
-+		type cgroup_t;
-+
-+	')
-+
-+	read_files_pattern($1, cgroup_t, cgroup_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Read and write files on cgroup
-+##	file systems.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`fs_rw_cgroup_files',`
-+	gen_require(`
-+		type cgroup_t;
-+
-+	')
-+
-+	rw_files_pattern($1, cgroup_t, cgroup_t)
-+')
-+########################################
-+## <summary>
-+##	Mount a cgroup filesystem.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`fs_mount_cgroup_fs', `
-+	gen_require(`
-+		type cgroup_t;
-+	')
-+
-+	allow $1 cgroup_t:filesystem mount;
-+')
-+
-+########################################
-+## <summary>
-+##	Remount a cgroup filesystem  This allows
-+##	some mount options to be changed.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`fs_remount_cgroup_fs', `
-+	gen_require(`
-+		type cgroup_t;
-+	')
-+
-+	allow $1 cgroup_t:filesystem remount;
-+')
-+
-+########################################
-+## <summary>
-+##	Unmount a cgroup file system.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`fs_unmount_cgroup_fs', `
-+	gen_require(`
-+		type cgroup_t;
-+	')
-+
-+	allow $1 cgroup_t:filesystem unmount;
-+')
-+
-+########################################
-+## <summary>
-+##	Set attributes of files on cgroup
-+##	file systems.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`fs_setattr_cgroup_files',`
-+	gen_require(`
-+		type cgroup_t;
-+
-+	')
-+
-+	setattr_files_pattern($1, cgroup_t, cgroup_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Write files on cgroup
-+##	file systems.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`fs_write_cgroup_files', `
-+	gen_require(`
-+		type cgroup_t;
-+
-+	')
-+
-+	write_files_pattern($1, cgroup_t, cgroup_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Do not audit attempts to read or write
-+##	all leaked filesystems files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`fs_dontaudit_leaks',`
-+	gen_require(`
-+		attribute filesystem_type;
-+	')
-+
-+	dontaudit $1 filesystem_type:file rw_inherited_file_perms;
-+	dontaudit $1 filesystem_type:lnk_file { read };
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.9/policy/modules/kernel/filesystem.te
---- nsaserefpolicy/policy/modules/kernel/filesystem.te	2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/kernel/filesystem.te	2010-02-16 15:08:37.000000000 -0500
-@@ -29,6 +29,7 @@
- fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
- fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
- fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
-+fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
- fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
- fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
- fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
-@@ -93,6 +94,8 @@
- type hugetlbfs_t;
- fs_type(hugetlbfs_t)
- files_mountpoint(hugetlbfs_t)
-+files_type(hugetlbfs_t)
-+files_poly_parent(hugetlbfs_t)
- fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
- 
- type ibmasmfs_t;
-@@ -171,6 +174,7 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.15/policy/modules/kernel/filesystem.te
+--- nsaserefpolicy/policy/modules/kernel/filesystem.te	2010-03-12 11:48:14.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/kernel/filesystem.te	2010-03-18 10:44:42.000000000 -0400
+@@ -172,6 +172,7 @@
  fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0);
  fs_use_trans shm gen_context(system_u:object_r:tmpfs_t,s0);
  fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);
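Review bot: `fs_dontaudit_leaks` silences read/write denials on `filesystem_type:file` and read on `filesystem_type:lnk_file` for every filesystem type at once, which is far broader than the per-type dontaudit interfaces this same patch drops (`fs_dontaudit_list_cifs_dirs`, `fs_dontaudit_read_nfs_symlinks`); a denial that would have pointed at a genuinely missing rule on, say, nfs_t will no longer reach the audit log for any caller of this interface. The doc block should state that scope and note that the denials only become visible again with dontaudit rules disabled (`semodule -DB`). The parameter description for this dontaudit interface sits on the line just before this hunk; the old copy used `Domain allowed access.`, and it should read `Domain to not audit.` as the removed `fs_dontaudit_list_fusefs` block did.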
@@ -8485,42 +7396,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
  
  allow tmpfs_t noxattrfs:filesystem associate;
  
-@@ -205,6 +209,7 @@
- #
- type dosfs_t;
- fs_noxattr_type(dosfs_t)
-+files_mountpoint(dosfs_t)
- allow dosfs_t fs_t:filesystem associate;
- genfscon fat / gen_context(system_u:object_r:dosfs_t,s0)
- genfscon hfs / gen_context(system_u:object_r:dosfs_t,s0)
-@@ -216,6 +221,7 @@
- 
- type fusefs_t;
- fs_noxattr_type(fusefs_t)
-+files_mountpoint(fusefs_t)
- allow fusefs_t self:filesystem associate;
- allow fusefs_t fs_t:filesystem associate;
- genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
-@@ -228,6 +234,7 @@
- #
- type iso9660_t;
- fs_noxattr_type(iso9660_t)
-+files_mountpoint(iso9660_t)
- genfscon iso9660 / gen_context(system_u:object_r:iso9660_t,s0)
- genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
- 
-@@ -238,6 +245,7 @@
+@@ -242,6 +243,7 @@
+ type removable_t;
  allow removable_t noxattrfs:filesystem associate;
  fs_noxattr_type(removable_t)
- files_type(removable_t)
-+files_mountpoint(removable_t)
++files_type(removable_t)
+ files_mountpoint(removable_t)
  
  #
- # nfs_t is the default type for NFS file systems
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.9/policy/modules/kernel/kernel.if
---- nsaserefpolicy/policy/modules/kernel/kernel.if	2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/kernel/kernel.if	2010-02-16 15:08:37.000000000 -0500
-@@ -1849,7 +1849,7 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.7.15/policy/modules/kernel/kernel.if
+--- nsaserefpolicy/policy/modules/kernel/kernel.if	2010-03-18 06:48:09.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/kernel/kernel.if	2010-03-18 10:44:42.000000000 -0400
+@@ -1959,7 +1959,7 @@
  	')
  
  	dontaudit $1 sysctl_type:dir list_dir_perms;
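Review bot: `files_type(removable_t)` places removable media under the `file_type` attribute, so every rule written over `file_type` now also covers removable_t — including the blanket `dontaudit $1 file_type:file rw_inherited_file_perms;` added earlier in this patch and any `file_type`-wide read or manage interfaces in files.if that are outside this view. That is a deliberate widening but nothing records why; a comment above the line such as `# removable_t is a file_type so generic file_type interfaces cover removable media` would capture the intent, and it is worth checking which `file_type`-wide allow rules in the base policy it newly reaches.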
@@ -8529,33 +7416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
  ')
  
  ########################################
-@@ -1920,6 +1920,25 @@
- 
- ########################################
- ## <summary>
-+##	Mount a kernel unlabeled filesystem.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	The type of the domain mounting the filesystem.
-+##	</summary>
-+## </param>
-+#
-+interface(`kernel_mount_unlabeled',`
-+	gen_require(`
-+		type unlabeled_t;
-+	')
-+
-+	allow $1 unlabeled_t:filesystem mount;
-+')
-+
-+
-+########################################
-+## <summary>
- ##	Send general signals to unlabeled processes.
- ## </summary>
- ## <param name="domain">
-@@ -2663,6 +2682,24 @@
+@@ -2792,6 +2792,24 @@
  
  ########################################
  ## <summary>
@@ -8580,7 +7441,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
  ##	Unconfined access to kernel module resources.
  ## </summary>
  ## <param name="domain">
-@@ -2678,3 +2715,22 @@
+@@ -2807,3 +2825,22 @@
  
  	typeattribute $1 kern_unconfined;
  ')
@@ -8603,9 +7464,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
 +
 +	allow $1 kernel_t:unix_stream_socket connectto;
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.7.9/policy/modules/kernel/kernel.te
---- nsaserefpolicy/policy/modules/kernel/kernel.te	2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/kernel/kernel.te	2010-02-16 15:08:37.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.7.15/policy/modules/kernel/kernel.te
+--- nsaserefpolicy/policy/modules/kernel/kernel.te	2010-03-18 06:48:09.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/kernel/kernel.te	2010-03-18 10:44:42.000000000 -0400
 @@ -64,6 +64,15 @@
  genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
  
@@ -8679,15 +7540,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel
  ########################################
  #
  # Unlabeled process local policy
-@@ -388,3 +411,5 @@
- allow kern_unconfined unlabeled_t:association *;
- allow kern_unconfined unlabeled_t:packet *;
- allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
-+
-+files_boot(kernel_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.7.9/policy/modules/kernel/selinux.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.7.15/policy/modules/kernel/selinux.if
 --- nsaserefpolicy/policy/modules/kernel/selinux.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/kernel/selinux.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/kernel/selinux.if	2010-03-18 10:44:42.000000000 -0400
 @@ -40,7 +40,7 @@
  
  	# because of this statement, any module which
@@ -8745,78 +7600,111 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinu
 +	fs_type($1)
 +	mls_trusted_object($1)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.7.9/policy/modules/kernel/storage.fc
---- nsaserefpolicy/policy/modules/kernel/storage.fc	2009-11-20 10:51:41.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/kernel/storage.fc	2010-02-16 15:08:37.000000000 -0500
-@@ -14,6 +14,7 @@
- /dev/dasd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
- /dev/dm-[0-9]+		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
- /dev/drbd[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-+/dev/etherd/.+		-b		gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
- /dev/fd[^/]+		-b	gen_context(system_u:object_r:removable_device_t,s0)
- /dev/flash[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
- /dev/gscd		-b	gen_context(system_u:object_r:removable_device_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.7.9/policy/modules/kernel/storage.if
---- nsaserefpolicy/policy/modules/kernel/storage.if	2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/kernel/storage.if	2010-02-16 15:08:37.000000000 -0500
-@@ -304,6 +304,7 @@
- 
- 	dev_list_all_dev_nodes($1)
- 	allow $1 fixed_disk_device_t:blk_file relabel_blk_file_perms;
-+	dontaudit $1 fixed_disk_device_t:lnk_file relabelto_lnk_file_perms;
- ')
- 
- ########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.7.9/policy/modules/kernel/terminal.if
---- nsaserefpolicy/policy/modules/kernel/terminal.if	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/kernel/terminal.if	2010-02-16 15:08:37.000000000 -0500
-@@ -273,9 +273,11 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.7.15/policy/modules/kernel/terminal.if
+--- nsaserefpolicy/policy/modules/kernel/terminal.if	2010-02-18 14:06:31.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/kernel/terminal.if	2010-03-18 10:44:42.000000000 -0400
+@@ -292,9 +292,11 @@
  interface(`term_dontaudit_use_console',`
  	gen_require(`
  		type console_device_t;
 +		type tty_device_t;
  	')
  
- 	dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
-+	dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
+-	dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
++	dontaudit $1 console_device_t:chr_file rw_inherited_chr_file_perms;
++	dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
  ')
  
  ########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/dbadm.if serefpolicy-3.7.9/policy/modules/roles/dbadm.if
---- nsaserefpolicy/policy/modules/roles/dbadm.if	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/roles/dbadm.if	2010-02-16 15:08:37.000000000 -0500
-@@ -12,8 +12,8 @@
- ## <rolecap/>
- #
- interface(`dbadm_role_change',`
--	get_require(`
--		role dbadm_r'
+@@ -672,6 +674,25 @@
+ 
+ ########################################
+ ## <summary>
++##	Do not audit attempts to get attributes 
++##	on the pty multiplexor (/dev/ptmx).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process to not audit.
++##	</summary>
++## </param>
++#
++interface(`term_dontaudit_getattr_ptmx',`
 +	gen_require(`
-+		role dbadm_r;
++		type ptmx_t;
++	')
++
++	dontaudit $1 ptmx_t:chr_file getattr;
++')
++
++########################################
++## <summary>
+ ##	Do not audit attempts to read and
+ ##	write the pty multiplexor (/dev/ptmx).
+ ## </summary>
+@@ -829,7 +850,7 @@
+ 		attribute ptynode;
  	')
  
- 	allow $1 dbadm_r;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.7.9/policy/modules/roles/guest.te
---- nsaserefpolicy/policy/modules/roles/guest.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/roles/guest.te	2010-02-16 15:08:37.000000000 -0500
-@@ -16,7 +16,11 @@
- #
+-	dontaudit $1 ptynode:chr_file { rw_term_perms lock append };
++	dontaudit $1 ptynode:chr_file { rw_inherited_term_perms lock append };
+ ')
+ 
+ ########################################
+@@ -1196,7 +1217,7 @@
+ 		type tty_device_t;
+ 	')
+ 
+-	dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
++	dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
+ ')
+ 
+ ########################################
+@@ -1333,7 +1354,7 @@
+ 		attribute ttynode;
+ 	')
+ 
+-	dontaudit $1 ttynode:chr_file rw_chr_file_perms;
++	dontaudit $1 ttynode:chr_file rw_inherited_chr_file_perms;
+ ')
  
+ ########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditadm.te serefpolicy-3.7.15/policy/modules/roles/auditadm.te
+--- nsaserefpolicy/policy/modules/roles/auditadm.te	2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/roles/auditadm.te	2010-03-18 10:44:42.000000000 -0400
+@@ -33,6 +33,8 @@
+ seutil_run_runinit(auditadm_t, auditadm_r)
+ seutil_read_bin_policy(auditadm_t)
+ 
++userdom_dontaudit_search_admin_dir(auditadm_t)
++
  optional_policy(`
--	java_role(guest_r, guest_t)
-+	java_role_template(guest, guest_r, guest_t)
+ 	consoletype_exec(auditadm_t)
  ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.7.15/policy/modules/roles/guest.te
+--- nsaserefpolicy/policy/modules/roles/guest.te	2010-03-05 17:14:56.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/roles/guest.te	2010-03-18 10:44:42.000000000 -0400
+@@ -16,6 +16,10 @@
+ #
  
--#gen_user(guest_u,, guest_r, s0, s0)
-+optional_policy(`
-+	mono_role_template(guest, guest_r, guest_t)
+ optional_policy(`
++	apache_role(guest_r, guest_t)
 +')
 +
++optional_policy(`
+ 	java_role_template(guest, guest_r, guest_t)
+ ')
+ 
+@@ -23,4 +27,4 @@
+ 	mono_role_template(guest, guest_r, guest_t)
+ ')
+ 
+-#gen_user(guest_u,, guest_r, s0, s0)
 +gen_user(guest_u, user, guest_r, s0, s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.7.9/policy/modules/roles/staff.te
---- nsaserefpolicy/policy/modules/roles/staff.te	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/roles/staff.te	2010-02-16 15:08:37.000000000 -0500
-@@ -10,165 +10,121 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.7.15/policy/modules/roles/staff.te
+--- nsaserefpolicy/policy/modules/roles/staff.te	2010-03-10 15:27:26.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/roles/staff.te	2010-03-18 10:44:42.000000000 -0400
+@@ -10,24 +10,50 @@
  
  userdom_unpriv_user_template(staff)
  
@@ -8828,205 +7716,175 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
  # Local policy
  #
  
--optional_policy(`
--	apache_role(staff_r, staff_t)
--')
--
--optional_policy(`
--	auth_role(staff_r, staff_t)
--')
--
--optional_policy(`
--	auditadm_role_change(staff_r)
--')
--
--optional_policy(`
--	bluetooth_role(staff_r, staff_t)
--')
--
--optional_policy(`
--	cdrecord_role(staff_r, staff_t)
--')
--
--optional_policy(`
--	cron_role(staff_r, staff_t)
--')
--
--optional_policy(`
--	dbus_role_template(staff, staff_r, staff_t)
--')
--
--optional_policy(`
--	ethereal_role(staff_r, staff_t)
--')
--
--optional_policy(`
--	evolution_role(staff_r, staff_t)
--')
--
--optional_policy(`
--	games_role(staff_r, staff_t)
--')
 +kernel_read_ring_buffer(staff_t)
 +kernel_getattr_core_if(staff_t)
 +kernel_getattr_message_if(staff_t)
 +kernel_read_software_raid_state(staff_t)
- 
--optional_policy(`
--	gift_role(staff_r, staff_t)
--')
++
 +auth_domtrans_pam_console(staff_t)
- 
--optional_policy(`
--	gnome_role(staff_r, staff_t)
--')
++
++seutil_read_module_store(staff_t)
 +seutil_run_newrole(staff_t, staff_r)
 +netutils_run_ping(staff_t, staff_r)
++
+ optional_policy(`
+ 	apache_role(staff_r, staff_t)
+ ')
  
++ifndef(`distro_redhat',`
++
  optional_policy(`
--	gpg_role(staff_r, staff_t)
-+	auditadm_role_change(staff_r)
+ 	auth_role(staff_r, staff_t)
  ')
++')
  
  optional_policy(`
--	irc_role(staff_r, staff_t)
-+	kerneloops_manage_tmp_files(staff_t)
+ 	auditadm_role_change(staff_r)
  ')
  
  optional_policy(`
--	java_role(staff_r, staff_t)
++	kerneloops_manage_tmp_files(staff_t)
++')
++
++optional_policy(`
 +	logadm_role_change(staff_r)
++')
++
++ifndef(`distro_redhat',`
++optional_policy(`
+ 	bluetooth_role(staff_r, staff_t)
+ ')
+ 
+@@ -99,12 +125,18 @@
+ 	oident_manage_user_content(staff_t)
+ 	oident_relabel_user_content(staff_t)
  ')
++')
  
  optional_policy(`
--	lockdev_role(staff_r, staff_t)
-+	postgresql_role(staff_r, staff_t)
+ 	postgresql_role(staff_r, staff_t)
  ')
  
  optional_policy(`
--	lpd_role(staff_r, staff_t)
 +	rtkit_daemon_system_domain(staff_t)
++')
++
++ifndef(`distro_redhat',`
++optional_policy(`
+ 	pyzor_role(staff_r, staff_t)
  ')
  
+@@ -119,22 +151,27 @@
  optional_policy(`
--	mozilla_role(staff_r, staff_t)
-+	secadm_role_change(staff_r)
+ 	screen_role_template(staff, staff_r, staff_t)
  ')
++')
  
  optional_policy(`
--	mplayer_role(staff_r, staff_t)
-+	ssh_role_template(staff, staff_r, staff_t)
+ 	secadm_role_change(staff_r)
  ')
  
++ifndef(`distro_redhat',`
  optional_policy(`
--	mta_role(staff_r, staff_t)
-+	sudo_role_template(staff, staff_r, staff_t)
+ 	spamassassin_role(staff_r, staff_t)
  ')
++')
  
  optional_policy(`
--	oident_manage_user_content(staff_t)
--	oident_relabel_user_content(staff_t)
-+	sysadm_role_change(staff_r)
+ 	ssh_role_template(staff, staff_r, staff_t)
  ')
  
++ifndef(`distro_redhat',`
  optional_policy(`
--	postgresql_role(staff_r, staff_t)
-+	usernetctl_run(staff_t, staff_r)
+ 	su_role_template(staff, staff_r, staff_t)
  ')
++')
  
  optional_policy(`
--	pyzor_role(staff_r, staff_t)
-+	unconfined_role_change(staff_r)
+ 	sudo_role_template(staff, staff_r, staff_t)
+@@ -145,6 +182,7 @@
+ 	userdom_dontaudit_use_user_terminals(staff_t)
  ')
  
++ifndef(`distro_redhat',`
  optional_policy(`
--	razor_role(staff_r, staff_t)
-+	webadm_role_change(staff_r)
+ 	thunderbird_role(staff_r, staff_t)
+ ')
+@@ -169,6 +207,71 @@
+ 	wireshark_role(staff_r, staff_t)
  ')
  
--optional_policy(`
--	rssh_role(staff_r, staff_t)
--')
++')
++
++optional_policy(`
++	unconfined_role_change(staff_r)
++')
++
++optional_policy(`
++	webadm_role_change(staff_r)
++')
++
+ optional_policy(`
+ 	xserver_role(staff_r, staff_t)
+ ')
++
 +domain_read_all_domains_state(staff_usertype)
 +domain_getattr_all_domains(staff_usertype)
 +domain_obj_id_change_exemption(staff_t)
- 
--optional_policy(`
--	screen_role_template(staff, staff_r, staff_t)
--')
++
 +files_read_kernel_modules(staff_usertype)
- 
--optional_policy(`
--	secadm_role_change(staff_r)
--')
++
 +kernel_read_fs_sysctls(staff_usertype)
- 
--optional_policy(`
--	spamassassin_role(staff_r, staff_t)
--')
++
 +modutils_read_module_config(staff_usertype)
 +modutils_read_module_deps(staff_usertype)
- 
--optional_policy(`
--	ssh_role_template(staff, staff_r, staff_t)
--')
++
 +miscfiles_read_hwdata(staff_usertype)
- 
--optional_policy(`
--	su_role_template(staff, staff_r, staff_t)
--')
++
 +term_use_unallocated_ttys(staff_usertype)
- 
- optional_policy(`
--	sudo_role_template(staff, staff_r, staff_t)
++
++optional_policy(`
 +	gnomeclock_dbus_chat(staff_t)
- ')
- 
- optional_policy(`
--	sysadm_role_change(staff_r)
--	userdom_dontaudit_use_user_terminals(staff_t)
++')
++
++optional_policy(`
 +	firewallgui_dbus_chat(staff_t)
- ')
- 
- optional_policy(`
--	thunderbird_role(staff_r, staff_t)
++')
++
++optional_policy(`
 +	lpd_list_spool(staff_t)
- ')
- 
- optional_policy(`
--	tvtime_role(staff_r, staff_t)
++')
++
++optional_policy(`
 +	kerneloops_dbus_chat(staff_t)
- ')
- 
- optional_policy(`
--	uml_role(staff_r, staff_t)
++')
++
++optional_policy(`
 +	rpm_dbus_chat(staff_usertype)
- ')
- 
- optional_policy(`
--	userhelper_role_template(staff, staff_r, staff_t)
++')
++
++optional_policy(`
 +	sandbox_transition(staff_t, staff_r)
- ')
- 
- optional_policy(`
--	vmware_role(staff_r, staff_t)
++')
++
++optional_policy(`
 +	screen_role_template(staff, staff_r, staff_t)
- ')
- 
- optional_policy(`
--	wireshark_role(staff_r, staff_t)
++')
++
++optional_policy(`
 +	setroubleshoot_stream_connect(staff_t)
 +	setroubleshoot_dbus_chat(staff_t)
 +	setroubleshoot_dbus_chat_fixit(staff_t)
- ')
- 
- optional_policy(`
--	xserver_role(staff_r, staff_t)
++')
++
++optional_policy(`
 +	virt_stream_connect(staff_t)
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.9/policy/modules/roles/sysadm.te
---- nsaserefpolicy/policy/modules/roles/sysadm.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/roles/sysadm.te	2010-02-16 15:08:37.000000000 -0500
++')
++
++userhelper_console_role_template(staff, staff_t, staff_usertype)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.7.15/policy/modules/roles/sysadm.te
+--- nsaserefpolicy/policy/modules/roles/sysadm.te	2010-02-17 10:37:39.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/roles/sysadm.te	2010-03-18 10:44:42.000000000 -0400
 @@ -15,7 +15,7 @@
  
  role sysadm_r;
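Review bot: `screen_role_template(staff, staff_r, staff_t)` is now invoked twice on the non-Red Hat path: the upstream block at `@@ -119,22 +151,27 @@` is kept inside the new ifndef(distro_redhat) guard, and the patch's own unconditional `optional_policy(` / `screen_role_template(staff, staff_r, staff_t)` / `')` near the end of `@@ -169,6 +207,71 @@` remains. If the template declares types (refpolicy role templates generally do) the second invocation is a duplicate-declaration error outside distro_redhat, and in any case one of the two should go; dropping the guarded upstream one leaves Red Hat builds exactly as they are now. The bare `')` lines that close ifndef(distro_redhat) are indistinguishable from `optional_policy` closes and several of them close in a different inner hunk from where they open (the same pattern recurs in the sysadm.te and unprivuser.te hunks below); a `# end ifndef(distro_redhat)` comment line before each close would make the nesting auditable without the full file.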
@@ -9036,66 +7894,97 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  
  ifndef(`enable_mls',`
  	userdom_security_admin_template(sysadm_t, sysadm_r)
-@@ -35,10 +35,13 @@
+@@ -28,17 +28,28 @@
+ 
+ corecmd_exec_shell(sysadm_t)
+ 
++domain_dontaudit_read_all_domains_state(sysadm_t)
++
+ mls_process_read_up(sysadm_t)
++mls_file_read_to_clearance(sysadm_t)
+ 
+ ubac_process_exempt(sysadm_t)
+ ubac_file_exempt(sysadm_t)
  ubac_fd_exempt(sysadm_t)
  
++application_exec(sysadm_t)
++
  init_exec(sysadm_t)
 +init_exec_script_files(sysadm_t)
  
  # Add/remove user home directories
  userdom_manage_user_home_dirs(sysadm_t)
  userdom_home_filetrans_user_home_dir(sysadm_t)
++userdom_manage_user_tmp_dirs(sysadm_t)
++userdom_manage_user_tmp_files(sysadm_t)
++userdom_manage_user_tmp_symlinks(sysadm_t)
 +userdom_manage_user_tmp_chr_files(sysadm_t)
 +userdom_manage_user_tmp_blk_files(sysadm_t)
  
  ifdef(`direct_sysadm_daemon',`
  	optional_policy(`
-@@ -70,7 +73,6 @@
+@@ -70,7 +81,9 @@
  	apache_run_helper(sysadm_t, sysadm_r)
  	#apache_run_all_scripts(sysadm_t, sysadm_r)
  	#apache_domtrans_sys_script(sysadm_t)
 -	apache_role(sysadm_r, sysadm_t)
++	ifndef(`distro_redhat',`
++		apache_role(sysadm_r, sysadm_t)
++	')
  ')
  
  optional_policy(`
-@@ -87,10 +89,6 @@
+@@ -86,9 +99,11 @@
+ 	auditadm_role_change(sysadm_r)
  ')
  
++ifndef(`distro_redhat',`
+ optional_policy(`
+ 	auth_role(sysadm_r, sysadm_t)
+ ')
++')
+ 
  optional_policy(`
--	auth_role(sysadm_r, sysadm_t)
--')
--
--optional_policy(`
  	backup_run(sysadm_t, sysadm_r)
+@@ -98,17 +113,25 @@
+ 	bind_run_ndc(sysadm_t, sysadm_r)
  ')
  
-@@ -99,15 +97,11 @@
++ifndef(`distro_redhat',`
+ optional_policy(`
+ 	bluetooth_role(sysadm_r, sysadm_t)
  ')
++')
  
  optional_policy(`
--	bluetooth_role(sysadm_r, sysadm_t)
--')
--
--optional_policy(`
  	bootloader_run(sysadm_t, sysadm_r)
  ')
  
++ifndef(`distro_redhat',`
  optional_policy(`
--	cdrecord_role(sysadm_r, sysadm_t)
-+	certmonger_dbus_chat(sysadm_t)
+ 	cdrecord_role(sysadm_r, sysadm_t)
  ')
++')
++
++optional_policy(`
++	certmonger_dbus_chat(sysadm_t)
++')
  
  optional_policy(`
-@@ -127,7 +121,7 @@
+ 	certwatch_run(sysadm_t, sysadm_r)
+@@ -126,16 +149,18 @@
+ 	consoletype_run(sysadm_t, sysadm_r)
  ')
  
++ifndef(`distro_redhat',`
  optional_policy(`
--	cron_admin_role(sysadm_r, sysadm_t)
-+	su_exec(sysadm_t)
+ 	cron_admin_role(sysadm_r, sysadm_t)
  ')
  
  optional_policy(`
-@@ -135,7 +129,7 @@
+-	cvs_exec(sysadm_t)
++	dbus_role_template(sysadm, sysadm_r, sysadm_t)
++')
  ')
  
  optional_policy(`
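Review bot: `cvs_exec(sysadm_t)` is dropped at `@@ -126,16 +149,18 @@`, where the new side substitutes `dbus_role_template(sysadm, sysadm_r, sysadm_t)` inside the new ifndef(distro_redhat) guard; that is a functional change beyond the guard-wrapping the rest of the hunk performs, and whether sysadm_t loses cvs execution or picks it up elsewhere is not visible here. If it is intended, a one-line `# cvs_exec dropped: <reason>` comment next to the change would keep the next rebase from reinstating it. The inner hunk's `optional_policy`/ifndef quote balance continues past this outer hunk, so it could not be confirmed from this view.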
@@ -9104,41 +7993,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  ')
  
  optional_policy(`
-@@ -166,10 +160,6 @@
+@@ -165,9 +190,11 @@
+ 	ethereal_run_tethereal(sysadm_t, sysadm_r)
  ')
  
++ifndef(`distro_redhat',`
  optional_policy(`
--	evolution_role(sysadm_r, sysadm_t)
--')
--
--optional_policy(`
- 	firstboot_run(sysadm_t, sysadm_r)
+ 	evolution_role(sysadm_r, sysadm_t)
  ')
++')
  
-@@ -178,22 +168,6 @@
+ optional_policy(`
+ 	firstboot_run(sysadm_t, sysadm_r)
+@@ -177,6 +204,7 @@
+ 	fstools_run(sysadm_t, sysadm_r)
  ')
  
++ifndef(`distro_redhat',`
  optional_policy(`
--	games_role(sysadm_r, sysadm_t)
--')
--
--optional_policy(`
--	gift_role(sysadm_r, sysadm_t)
--')
--
--optional_policy(`
--	gnome_role(sysadm_r, sysadm_t)
--')
--
--optional_policy(`
--	gpg_role(sysadm_r, sysadm_t)
--')
--
--optional_policy(`
- 	hostname_run(sysadm_t, sysadm_r)
+ 	games_role(sysadm_r, sysadm_t)
+ ')
+@@ -192,6 +220,7 @@
+ optional_policy(`
+ 	gpg_role(sysadm_r, sysadm_t)
  ')
++')
  
-@@ -205,6 +179,9 @@
+ optional_policy(`
+ 	hostname_run(sysadm_t, sysadm_r)
+@@ -205,6 +234,9 @@
  	ipsec_stream_connect(sysadm_t)
  	# for lsof
  	ipsec_getattr_key_sockets(sysadm_t)
@@ -9148,196 +8031,217 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
  ')
  
  optional_policy(`
-@@ -212,11 +189,7 @@
+@@ -212,12 +244,18 @@
  ')
  
  optional_policy(`
--	irc_role(sysadm_r, sysadm_t)
--')
--
--optional_policy(`
--	java_role(sysadm_r, sysadm_t)
 +	kerberos_exec_kadmind(sysadm_t)
++')
++
++ifndef(`distro_redhat',`
++optional_policy(`
+ 	irc_role(sysadm_r, sysadm_t)
  ')
  
  optional_policy(`
-@@ -228,10 +201,6 @@
+ 	java_role(sysadm_r, sysadm_t)
  ')
++')
  
  optional_policy(`
--	lockdev_role(sysadm_r, sysadm_t)
--')
--
--optional_policy(`
- 	logrotate_run(sysadm_t, sysadm_r)
+ 	kudzu_run(sysadm_t, sysadm_r)
+@@ -227,9 +265,11 @@
+ 	libs_run_ldconfig(sysadm_t, sysadm_r)
  ')
  
-@@ -255,14 +224,6 @@
++ifndef(`distro_redhat',`
+ optional_policy(`
+ 	lockdev_role(sysadm_r, sysadm_t)
  ')
++')
  
  optional_policy(`
--	mozilla_role(sysadm_r, sysadm_t)
--')
--
--optional_policy(`
--	mplayer_role(sysadm_r, sysadm_t)
--')
--
--optional_policy(`
- 	mta_role(sysadm_r, sysadm_t)
- ')
+ 	logrotate_run(sysadm_t, sysadm_r)
+@@ -252,8 +292,10 @@
  
-@@ -290,11 +251,6 @@
+ optional_policy(`
+ 	mount_run(sysadm_t, sysadm_r)
++	mount_run_showmount(sysadm_t, sysadm_r)
  ')
  
++ifndef(`distro_redhat',`
  optional_policy(`
--	oident_manage_user_content(sysadm_t)
--	oident_relabel_user_content(sysadm_t)
--')
--
--optional_policy(`
- 	pcmcia_run_cardctl(sysadm_t, sysadm_r)
+ 	mozilla_role(sysadm_r, sysadm_t)
+ ')
+@@ -261,6 +303,7 @@
+ optional_policy(`
+ 	mplayer_role(sysadm_r, sysadm_t)
  ')
++')
  
-@@ -308,7 +264,7 @@
+ optional_policy(`
+ 	mta_role(sysadm_r, sysadm_t)
+@@ -308,8 +351,14 @@
  ')
  
  optional_policy(`
--	pyzor_role(sysadm_r, sysadm_t)
 +	prelink_run(sysadm_t, sysadm_r)
++')
++
++ifndef(`distro_redhat',`
++optional_policy(`
+ 	pyzor_role(sysadm_r, sysadm_t)
  ')
++')
  
  optional_policy(`
-@@ -320,10 +276,6 @@
+ 	quota_run(sysadm_t, sysadm_r)
+@@ -319,9 +368,11 @@
+ 	raid_domtrans_mdadm(sysadm_t)
  ')
  
++ifndef(`distro_redhat',`
+ optional_policy(`
+ 	razor_role(sysadm_r, sysadm_t)
+ ')
++')
+ 
  optional_policy(`
--	razor_role(sysadm_r, sysadm_t)
--')
--
--optional_policy(`
  	rpc_domtrans_nfsd(sysadm_t)
+@@ -331,9 +382,11 @@
+ 	rpm_run(sysadm_t, sysadm_r)
  ')
  
-@@ -332,10 +284,6 @@
++ifndef(`distro_redhat',`
+ optional_policy(`
+ 	rssh_role(sysadm_r, sysadm_t)
  ')
++')
  
  optional_policy(`
--	rssh_role(sysadm_r, sysadm_t)
--')
--
--optional_policy(`
  	rsync_exec(sysadm_t)
+@@ -358,8 +411,14 @@
  ')
  
-@@ -345,10 +293,6 @@
+ optional_policy(`
++	shutdown_run(sysadm_t, sysadm_r)
++')
++
++ifndef(`distro_redhat',`
++optional_policy(`
+ 	spamassassin_role(sysadm_r, sysadm_t)
  ')
++')
  
  optional_policy(`
--	screen_role_template(sysadm, sysadm_r, sysadm_t)
--')
--
--optional_policy(`
- 	secadm_role_change(sysadm_r)
+ 	ssh_role_template(sysadm, sysadm_r, sysadm_t)
+@@ -369,6 +428,7 @@
+ 	staff_role_change(sysadm_r)
  ')
  
-@@ -358,35 +302,15 @@
++ifndef(`distro_redhat',`
+ optional_policy(`
+ 	su_role_template(sysadm, sysadm_r, sysadm_t)
  ')
- 
+@@ -376,15 +436,18 @@
  optional_policy(`
--	spamassassin_role(sysadm_r, sysadm_t)
--')
--
--optional_policy(`
--	ssh_role_template(sysadm, sysadm_r, sysadm_t)
--')
--
--optional_policy(`
- 	staff_role_change(sysadm_r)
+ 	sudo_role_template(sysadm, sysadm_r, sysadm_t)
  ')
++')
  
  optional_policy(`
--	su_role_template(sysadm, sysadm_r, sysadm_t)
--')
--
--optional_policy(`
--	sudo_role_template(sysadm, sysadm_r, sysadm_t)
--')
--
--optional_policy(`
  	sysnet_run_ifconfig(sysadm_t, sysadm_r)
  	sysnet_run_dhcpc(sysadm_t, sysadm_r)
  ')
  
++ifndef(`distro_redhat',`
+ optional_policy(`
+ 	thunderbird_role(sysadm_r, sysadm_t)
+ ')
++')
+ 
  optional_policy(`
--	thunderbird_role(sysadm_r, sysadm_t)
--')
--
--optional_policy(`
  	tripwire_run_siggen(sysadm_t, sysadm_r)
- 	tripwire_run_tripwire(sysadm_t, sysadm_r)
- 	tripwire_run_twadmin(sysadm_t, sysadm_r)
-@@ -394,18 +318,10 @@
+@@ -393,17 +456,21 @@
+ 	tripwire_run_twprint(sysadm_t, sysadm_r)
  ')
  
++ifndef(`distro_redhat',`
+ optional_policy(`
+ 	tvtime_role(sysadm_r, sysadm_t)
+ ')
++')
+ 
  optional_policy(`
--	tvtime_role(sysadm_r, sysadm_t)
--')
--
--optional_policy(`
  	tzdata_domtrans(sysadm_t)
  ')
  
++ifndef(`distro_redhat',`
+ optional_policy(`
+ 	uml_role(sysadm_r, sysadm_t)
+ ')
++')
+ 
  optional_policy(`
--	uml_role(sysadm_r, sysadm_t)
--')
--
--optional_policy(`
  	unconfined_domtrans(sysadm_t)
+@@ -417,9 +484,11 @@
+ 	usbmodules_run(sysadm_t, sysadm_r)
  ')
  
-@@ -418,17 +334,13 @@
++ifndef(`distro_redhat',`
+ optional_policy(`
+ 	userhelper_role_template(sysadm, sysadm_r, sysadm_t)
  ')
++')
  
  optional_policy(`
--	userhelper_role_template(sysadm, sysadm_r, sysadm_t)
--')
--
--optional_policy(`
  	usermanage_run_admin_passwd(sysadm_t, sysadm_r)
- 	usermanage_run_groupadd(sysadm_t, sysadm_r)
+@@ -427,9 +496,15 @@
  	usermanage_run_useradd(sysadm_t, sysadm_r)
  ')
  
++ifndef(`distro_redhat',`
  optional_policy(`
--	vmware_role(sysadm_r, sysadm_t)
-+	vpn_run(sysadm_t, sysadm_r)
+ 	vmware_role(sysadm_r, sysadm_t)
  ')
++')
++
++optional_policy(`
++	vpn_run(sysadm_t, sysadm_r)
++')
  
  optional_policy(`
-@@ -440,13 +352,16 @@
+ 	vpn_run(sysadm_t, sysadm_r)
+@@ -440,13 +515,26 @@
  ')
  
  optional_policy(`
--	wireshark_role(sysadm_r, sysadm_t)
 +	virt_stream_connect(sysadm_t)
++')
++
++ifndef(`distro_redhat',`
++optional_policy(`
+ 	wireshark_role(sysadm_r, sysadm_t)
  ')
  
  optional_policy(`
--	xserver_role(sysadm_r, sysadm_t)
-+	yam_run(sysadm_t, sysadm_r)
+ 	xserver_role(sysadm_r, sysadm_t)
  ')
++')
  
  optional_policy(`
--	yam_run(sysadm_t, sysadm_r)
-+	zebra_stream_connect(sysadm_t)
+ 	yam_run(sysadm_t, sysadm_r)
  ')
 +
++optional_policy(`
++	zebra_stream_connect(sysadm_t)
++')
++
 +init_script_role_transition(sysadm_r)
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.7.9/policy/modules/roles/unconfineduser.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.7.15/policy/modules/roles/unconfineduser.fc
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/roles/unconfineduser.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/roles/unconfineduser.fc	2010-03-18 10:44:42.000000000 -0400
 @@ -0,0 +1,10 @@
 +# Add programs here which should not be confined by SELinux
 +# e.g.:
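Review bot: The added block `optional_policy(` / `vpn_run(sysadm_t, sysadm_r)` / `')` at `@@ -427,9 +496,15 @@` sits immediately before the upstream block that already carries `vpn_run(sysadm_t, sysadm_r)` (kept as context), so the new side contains the call twice. This looks like a leftover of the older patch, which substituted vpn_run for vmware_role at that spot; now that vmware_role is only guarded rather than replaced, the added vpn_run block should be removed. Duplicate rules are harmless to the compiler, but they obscure what the ifndef(distro_redhat) change is meant to do and will confuse the next rebase.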
@@ -9349,9 +8253,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
 +
 +/usr/sbin/xrdp   --  gen_context(system_u:object_r:unconfined_exec_t,s0)
 +/usr/sbin/xrdp-sesman   --  gen_context(system_u:object_r:unconfined_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.7.9/policy/modules/roles/unconfineduser.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.7.15/policy/modules/roles/unconfineduser.if
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/roles/unconfineduser.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/roles/unconfineduser.if	2010-03-18 10:44:42.000000000 -0400
 @@ -0,0 +1,667 @@
 +## <summary>Unconfiend user role</summary>
 +
@@ -10020,10 +8924,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
 +
 +	allow $1 unconfined_r;
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.9/policy/modules/roles/unconfineduser.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.15/policy/modules/roles/unconfineduser.te
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/roles/unconfineduser.te	2010-02-16 15:08:37.000000000 -0500
-@@ -0,0 +1,445 @@
++++ serefpolicy-3.7.15/policy/modules/roles/unconfineduser.te	2010-03-18 10:44:42.000000000 -0400
+@@ -0,0 +1,417 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -10094,6 +8998,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
 +
 +files_create_boot_flag(unconfined_t)
 +files_create_default_dir(unconfined_t)
++files_root_filetrans_default(unconfined_t, dir)
 +
 +mcs_killall(unconfined_t)
 +mcs_ptrace_all(unconfined_t)
@@ -10198,6 +9103,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
 +	')
 +
 +	optional_policy(`
++		shutdown_run(unconfined_t, unconfined_r)
++	')
++
++	optional_policy(`
 +		tzdata_run(unconfined_usertype, unconfined_r)
 +	')
 +
@@ -10292,19 +9201,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
 +')
 +
 +optional_policy(`
-+	java_role_template(unconfined, unconfined_r, unconfined_t)
-+	role system_r types unconfined_java_t;
-+
-+	files_execmod_all_files(unconfined_java_t)
-+
-+	init_dbus_chat_script(unconfined_java_t)
-+
-+	unconfined_domain_noaudit(unconfined_java_t)
-+	unconfined_dbus_chat(unconfined_java_t)
-+
-+	optional_policy(`
-+		rpm_domtrans(unconfined_java_t)
-+	')
++	java_run_unconfined(unconfined_t, unconfined_r)
 +')
 +
 +optional_policy(`
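Review bot: Replacing the inline block with `java_run_unconfined(unconfined_t, unconfined_r)` drops from this file the explicit `role system_r types unconfined_java_t;`, `files_execmod_all_files`, `init_dbus_chat_script`, `unconfined_domain_noaudit`, `unconfined_dbus_chat` and the optional `rpm_domtrans(unconfined_java_t)`; whether the new interface (defined in java.if, outside this diff) reproduces all of them — the system_r role authorisation in particular — cannot be confirmed here. A short commit-message line saying the interface is the moved copy of this block would settle it. The enclosing `optional_policy(` opens before this hunk.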
@@ -10342,7 +9239,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
 +#')
 +
 +optional_policy(`
-+	qemu_role_notrans(unconfined_r, unconfined_t)
 +	qemu_unconfined_role(unconfined_r)
 +
 +	tunable_policy(`allow_unconfined_qemu_transition',`
@@ -10420,31 +9316,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
 +	')
 +
 +	optional_policy(`
-+		gen_require(`
-+			type mplayer_exec_t;
-+			type unconfined_execmem_t;
-+		')
-+		domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t)
-+	')
-+
-+	optional_policy(`
 +		tunable_policy(`allow_unconfined_nsplugin_transition',`', `
-+			gen_require(`
-+				type mozilla_exec_t;
-+				type unconfined_execmem_t;
-+				type nsplugin_exec_t;
-+			')
-+			domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t)
-+			domtrans_pattern(unconfined_t, nsplugin_exec_t, unconfined_execmem_t)
++			nsplugin_exec_domtrans(unconfined_t, unconfined_execmem_t)
 +		')
 +	')
 +
 +	optional_policy(`
-+		gen_require(`
-+			type openoffice_exec_t;
-+			type unconfined_execmem_t;
-+		')
-+		domtrans_pattern(unconfined_t, openoffice_exec_t, unconfined_execmem_t)
++		openoffice_exec_domtrans(unconfined_t, unconfined_execmem_t)
 +	')
 +')
 +
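Review bot: The nsplugin and openoffice `gen_require`/`domtrans_pattern` blocks are replaced by `nsplugin_exec_domtrans(unconfined_t, unconfined_execmem_t)` and `openoffice_exec_domtrans(unconfined_t, unconfined_execmem_t)`, but the third block — the transition from `mplayer_exec_t` to `unconfined_execmem_t` — is removed with no replacement in this hunk. If mplayer is still meant to run in unconfined_execmem_t the equivalent interface call is missing; if dropping the transition is intended, a one-line comment or a note in the commit message would record that. The enclosing `optional_policy(` blocks open and close outside this hunk, so their nesting was not checked.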
@@ -10467,166 +9345,59 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi
 +#
 +
 +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-+
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.7.9/policy/modules/roles/unprivuser.te
---- nsaserefpolicy/policy/modules/roles/unprivuser.te	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/roles/unprivuser.te	2010-02-16 15:08:37.000000000 -0500
-@@ -14,100 +14,19 @@
- userdom_unpriv_user_template(user)
- 
- optional_policy(`
--	apache_role(user_r, user_t)
-+	kerneloops_dontaudit_dbus_chat(user_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.7.15/policy/modules/roles/unprivuser.te
+--- nsaserefpolicy/policy/modules/roles/unprivuser.te	2010-03-10 15:27:39.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/roles/unprivuser.te	2010-03-18 10:44:42.000000000 -0400
+@@ -17,6 +17,7 @@
+ 	apache_role(user_r, user_t)
  ')
  
++ifndef(`distro_redhat',`
  optional_policy(`
--	auth_role(user_r, user_t)
-+	rpm_dontaudit_dbus_chat(user_t)
+ 	auth_role(user_r, user_t)
  ')
- 
+@@ -109,11 +110,25 @@
  optional_policy(`
--	bluetooth_role(user_r, user_t)
-+	rtkit_daemon_system_domain(user_t)
+ 	rssh_role(user_r, user_t)
  ')
++')
++
++optional_policy(`
++	rpm_dontaudit_dbus_chat(user_t)
++')
++
++optional_policy(`
++	rtkit_daemon_system_domain(user_t)
++')
++
++optional_policy(`
++	sandbox_transition(user_t, user_r)
++')
  
  optional_policy(`
--	cdrecord_role(user_r, user_t)
--')
--
--optional_policy(`
--	cron_role(user_r, user_t)
--')
--
--optional_policy(`
--	dbus_role_template(user, user_r, user_t)
--')
--
--optional_policy(`
--	ethereal_role(user_r, user_t)
--')
--
--optional_policy(`
--	evolution_role(user_r, user_t)
--')
--
--optional_policy(`
--	games_role(user_r, user_t)
--')
--
--optional_policy(`
--	gift_role(user_r, user_t)
--')
--
--optional_policy(`
--	gnome_role(user_r, user_t)
--')
--
--optional_policy(`
--	gpg_role(user_r, user_t)
--')
--
--optional_policy(`
--	irc_role(user_r, user_t)
--')
--
--optional_policy(`
--	java_role(user_r, user_t)
--')
--
--optional_policy(`
--	lockdev_role(user_r, user_t)
--')
--
--optional_policy(`
--	lpd_role(user_r, user_t)
--')
--
--optional_policy(`
--	mozilla_role(user_r, user_t)
--')
--
--optional_policy(`
--	mplayer_role(user_r, user_t)
--')
--
--optional_policy(`
--	mta_role(user_r, user_t)
--')
--
--optional_policy(`
--	oident_manage_user_content(user_t)
--	oident_relabel_user_content(user_t)
--')
--
--optional_policy(`
--	postgresql_role(user_r, user_t)
--')
--
--optional_policy(`
--	pyzor_role(user_r, user_t)
--')
--
--optional_policy(`
--	razor_role(user_r, user_t)
--')
--
--optional_policy(`
--	rssh_role(user_r, user_t)
-+	sandbox_transition(user_t, user_r)
+ 	screen_role_template(user, user_r, user_t)
  ')
  
++ifndef(`distro_redhat',`
  optional_policy(`
-@@ -115,45 +34,5 @@
+ 	spamassassin_role(user_r, user_t)
+ ')
+@@ -154,6 +169,12 @@
+ 	wireshark_role(user_r, user_t)
  ')
  
- optional_policy(`
--	spamassassin_role(user_r, user_t)
--')
--
--optional_policy(`
--	ssh_role_template(user, user_r, user_t)
--')
--
--optional_policy(`
--	su_role_template(user, user_r, user_t)
--')
--
--optional_policy(`
--	sudo_role_template(user, user_r, user_t)
--')
--
--optional_policy(`
--	thunderbird_role(user_r, user_t)
--')
--
--optional_policy(`
--	tvtime_role(user_r, user_t)
--')
--
--optional_policy(`
--	uml_role(user_r, user_t)
--')
--
--optional_policy(`
--	userhelper_role_template(user, user_r, user_t)
--')
--
--optional_policy(`
--	vmware_role(user_r, user_t)
--')
--
--optional_policy(`
--	wireshark_role(user_r, user_t)
--')
--
--optional_policy(`
--	xserver_role(user_r, user_t)
++')
++
++optional_policy(`
 +	setroubleshoot_dontaudit_stream_connect(user_t)
++')
++
+ optional_policy(`
+ 	xserver_role(user_r, user_t)
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.9/policy/modules/roles/xguest.te
---- nsaserefpolicy/policy/modules/roles/xguest.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/roles/xguest.te	2010-02-16 15:08:37.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.7.15/policy/modules/roles/xguest.te
+--- nsaserefpolicy/policy/modules/roles/xguest.te	2010-03-10 15:28:09.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/roles/xguest.te	2010-03-18 10:44:42.000000000 -0400
 @@ -15,7 +15,7 @@
  
  ## <desc>
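Review bot: The ifndef(distro_redhat) opened before `auth_role(user_r, user_t)` at `@@ -17,6 +17,7 @@` is only closed by the `')` after `rssh_role(user_r, user_t)` at `@@ -109,11 +110,25 @@`, so every call in the unchanged stretch between those two inner hunks (new-side lines 21–108) is also disabled on Red Hat builds, and none of those lines are visible here. Worth confirming that nothing in that stretch is meant to survive on distro_redhat; a `# end ifndef(distro_redhat)` comment before the closing `')` would also make the span obvious to a reader of the file. The older patch added `kerneloops_dontaudit_dbus_chat(user_t)` at the top of this file and the rewritten hunk no longer shows it; if it moved elsewhere, fine, otherwise it has been lost in the rebase.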
@@ -10636,7 +9407,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
  ## </p>
  ## </desc>
  gen_tunable(xguest_connect_network, true)
-@@ -30,11 +30,33 @@
+@@ -30,12 +30,12 @@
  role xguest_r;
  
  userdom_restricted_xwindows_user_template(xguest)
@@ -10646,19 +9417,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
  #
  # Local policy
  #
-+ifndef(`enable_mls',`
-+	fs_exec_noxattr(xguest_t)
-+
-+	tunable_policy(`user_rw_noexattrfile',`
-+		fs_manage_noxattr_fs_files(xguest_t)
-+		fs_manage_noxattr_fs_dirs(xguest_t)
-+		# Write floppies 
-+		storage_raw_read_removable_device(xguest_t)
-+		storage_raw_write_removable_device(xguest_t)
-+	',`
-+		storage_raw_read_removable_device(xguest_t)
-+	')
-+')
+-
+ ifndef(`enable_mls',`
+ 	fs_exec_noxattr(xguest_t)
+ 
+@@ -49,6 +49,14 @@
+ 		storage_raw_read_removable_device(xguest_t)
+ 	')
+ ')
 +# Dontaudit fusermount
 +mount_dontaudit_exec_fusermount(xguest_t)
 +
@@ -10670,7 +9436,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
  
  # Allow mounting of file systems
  optional_policy(`
-@@ -49,10 +71,9 @@
+@@ -63,10 +71,9 @@
  		fs_manage_noxattr_fs_dirs(xguest_t)
  		fs_getattr_noxattr_fs(xguest_t)
  		fs_read_noxattr_fs_symlinks(xguest_t)
@@ -10682,17 +9448,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
  	')
  ')
  
-@@ -67,17 +88,60 @@
+@@ -81,19 +88,66 @@
  ')
  
  optional_policy(`
 -	java_role(xguest_r, xguest_t)
-+	java_role_template(xguest, xguest_r, xguest_t)
++	apache_role(xguest_r, xguest_t)
  ')
  
  optional_policy(`
 -	mozilla_role(xguest_r, xguest_t)
-+	mono_role_template(xguest, xguest_r, xguest_t)
++	java_role_template(xguest, xguest_r, xguest_t)
++')
++
++optional_policy(`
++	mono_role_template(xguest, xguest_r, xguest_t)
 +')
 +
 +optional_policy(`
@@ -10701,7 +9471,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
  
  optional_policy(`
  	tunable_policy(`xguest_connect_network',`
++		kernel_read_network_state(xguest_usertype)
++
  		networkmanager_dbus_chat(xguest_t)
+-		corenet_tcp_connect_pulseaudio_port(xguest_t)
+-		corenet_tcp_connect_ipp_port(xguest_t)
 +		networkmanager_read_var_lib_files(xguest_t)
 +		corenet_tcp_connect_pulseaudio_port(xguest_usertype)
 +		corenet_all_recvfrom_unlabeled(xguest_usertype)
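Review bot: `apache_role(xguest_r, xguest_t)` is newly granted to the restricted guest role at `@@ -81,19 +88,66 @@` without a comment; since xguest is the locked-down role, a one-line `# <why xguest needs the apache role interface>` above the block would document the privilege expansion for the next reviewer. The hunk also removes upstream's `corenet_tcp_connect_ipp_port(xguest_t)` while only the pulseaudio line reappears for `xguest_usertype` in the visible lines; if the ipp connect is re-added further down the inner hunk (which continues past this outer hunk) that is fine, otherwise xguest loses that port under xguest_connect_network without any mention. Moving the grants from `xguest_t` to `xguest_usertype` widens them to every domain carrying the attribute, which is presumably the intent.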
@@ -10746,9 +9520,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.
  
 -#gen_user(xguest_u,, xguest_r, s0, s0)
 +gen_user(xguest_u, user, xguest_r, s0, s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.7.9/policy/modules/services/abrt.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.7.15/policy/modules/services/abrt.fc
 --- nsaserefpolicy/policy/modules/services/abrt.fc	2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/abrt.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/abrt.fc	2010-03-18 10:44:42.000000000 -0400
 @@ -1,11 +1,17 @@
  /etc/abrt(/.*)?			 gen_context(system_u:object_r:abrt_etc_t,s0)
  /etc/rc\.d/init\.d/abrt		--	gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
@@ -10768,10 +9542,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
  /var/run/abrt\.pid		--	gen_context(system_u:object_r:abrt_var_run_t,s0)	
  /var/run/abrt\.lock		--	gen_context(system_u:object_r:abrt_var_run_t,s0)
 +/var/run/abrt(/.*)?			gen_context(system_u:object_r:abrt_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.7.9/policy/modules/services/abrt.if
---- nsaserefpolicy/policy/modules/services/abrt.if	2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/abrt.if	2010-02-16 15:08:37.000000000 -0500
-@@ -19,6 +19,29 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.if serefpolicy-3.7.15/policy/modules/services/abrt.if
+--- nsaserefpolicy/policy/modules/services/abrt.if	2010-03-01 15:12:54.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/abrt.if	2010-03-18 10:44:42.000000000 -0400
+@@ -19,6 +19,28 @@
  	domtrans_pattern($1, abrt_exec_t, abrt_t)
  ')
  
@@ -10794,14 +9568,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
 +
 +ifdef(`hide_broken_symptoms', `
 +	dontaudit abrt_helper_t $1:socket_class_set { read write };
-+	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
 +')
 +')
 +
  ######################################
  ## <summary>
  ##	Execute abrt 
-@@ -56,6 +79,32 @@
+@@ -57,6 +79,32 @@
  	read_files_pattern($1, abrt_etc_t, abrt_etc_t)
  ')
  
@@ -10834,7 +9607,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
  ######################################
  ## <summary>
  ##	Read abrt logs.
-@@ -75,6 +124,101 @@
+@@ -76,6 +124,101 @@
  	read_files_pattern($1, abrt_var_log_t, abrt_var_log_t)
  ')
  
@@ -10936,9 +9709,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
  #####################################
  ## <summary>
  ##	All of the rules required to administrate 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.9/policy/modules/services/abrt.te
---- nsaserefpolicy/policy/modules/services/abrt.te	2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/abrt.te	2010-02-16 15:08:37.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.15/policy/modules/services/abrt.te
+--- nsaserefpolicy/policy/modules/services/abrt.te	2010-03-01 15:12:54.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/abrt.te	2010-03-18 10:44:42.000000000 -0400
 @@ -33,12 +33,24 @@
  type abrt_var_run_t;
  files_pid_file(abrt_var_run_t)
@@ -10986,26 +9759,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
  files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
  
  kernel_read_ring_buffer(abrt_t)
-@@ -75,18 +90,37 @@
+@@ -75,25 +90,40 @@
  
  corecmd_exec_bin(abrt_t)
  corecmd_exec_shell(abrt_t)
 +corecmd_read_all_executables(abrt_t)
  
+-corenet_all_recvfrom_netlabel(abrt_t)
+-corenet_all_recvfrom_unlabeled(abrt_t)
+-corenet_sendrecv_http_client_packets(abrt_t)
+-corenet_tcp_bind_generic_node(abrt_t)
  corenet_tcp_connect_http_port(abrt_t)
+-corenet_tcp_sendrecv_generic_if(abrt_t)
+-corenet_tcp_sendrecv_generic_node(abrt_t)
+-corenet_tcp_sendrecv_generic_port(abrt_t)
 +corenet_tcp_connect_ftp_port(abrt_t)
 +corenet_tcp_connect_all_ports(abrt_t)
  
 +dev_getattr_all_chr_files(abrt_t)
  dev_read_urand(abrt_t)
 +dev_rw_sysfs(abrt_t)
-+dev_dontaudit_read_memory_dev(abrt_t)
++dev_dontaudit_read_raw_memory(abrt_t)
 +
++domain_getattr_all_domains(abrt_t)
 +domain_read_all_domains_state(abrt_t)
 +domain_signull_all_domains(abrt_t)
  
  files_getattr_all_files(abrt_t)
  files_read_etc_files(abrt_t)
++files_read_var_symlinks(abrt_t)
 +files_read_var_lib_files(abrt_t)
  files_read_usr_files(abrt_t)
 +files_read_generic_tmp_files(abrt_t)
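Review bot: The new side deletes the generic `corenet_all_recvfrom_*`, `corenet_tcp_sendrecv_generic_if/node/port` and `corenet_tcp_bind_generic_node` rules for abrt_t while keeping `corenet_tcp_connect_http_port`, `corenet_tcp_connect_ftp_port` and `corenet_tcp_connect_all_ports`; a TCP connect still needs the netif/node/port send/recv permissions, so this only works if the patched base now grants them to every domain somewhere else in this series — confirm that, because no other hunk here shows it. Independently of that, `corenet_tcp_connect_all_ports(abrt_t)` already subsumes the two port-specific connects and is the broadest rule in the block; a one-line comment above it naming the concrete need (which reporter plugins connect where) would record that unrestricted outbound TCP is intended rather than a debugging leftover. The rename to `dev_dontaudit_read_raw_memory` and the added `domain_getattr_all_domains` look fine. The abrt_t section continues outside the hunk.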
@@ -11020,11 +9802,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
 +fs_read_fusefs_files(abrt_t)
 +fs_read_noxattr_fs_files(abrt_t)
 +fs_read_nfs_files(abrt_t)
++fs_read_nfs_symlinks(abrt_t)
 +fs_search_all(abrt_t)
  
  sysnet_read_config(abrt_t)
  
-@@ -96,22 +130,96 @@
+@@ -103,22 +133,102 @@
  miscfiles_read_certs(abrt_t)
  miscfiles_read_localization(abrt_t)
  
@@ -11040,8 +9823,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
 +optional_policy(`
 +	nis_use_ypbind(abrt_t)
 +')
-+
-+optional_policy(`
+ 
+ optional_policy(`
+-	dbus_connect_system_bus(abrt_t)
+-	dbus_system_bus_client(abrt_t)
 +	nsplugin_read_rw_files(abrt_t)
 +	nsplugin_read_home(abrt_t)
 +')
@@ -11052,10 +9837,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
 +	policykit_read_lib(abrt_t)
 +	policykit_read_reload(abrt_t)
 +')
- 
- optional_policy(`
--	dbus_connect_system_bus(abrt_t)
--	dbus_system_bus_client(abrt_t)
++
++optional_policy(`
 +	prelink_exec(abrt_t)
 +	libs_exec_ld_so(abrt_t)
 +	corecmd_exec_all_executables(abrt_t)
@@ -11079,6 +9862,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
  ')
 +
 +optional_policy(`
++	sosreport_domtrans(abrt_t)
++')
++
++optional_policy(`
 +	sssd_stream_connect(abrt_t)
 +')
 +
@@ -11114,7 +9901,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
 +
 +miscfiles_read_localization(abrt_helper_t)
 +
-+userdom_dontaudit_use_user_terminals(abrt_helper_t)
++term_dontaudit_use_all_ttys(abrt_helper_t)
++term_dontaudit_use_all_ptys(abrt_helper_t)
 +
 +ifdef(`hide_broken_symptoms', `
 +	domain_dontaudit_leaks(abrt_helper_t)
@@ -11127,25 +9915,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
 +	dev_dontaudit_read_all_chr_files(abrt_helper_t)
 +	dev_dontaudit_write_all_chr_files(abrt_helper_t)
 +	dev_dontaudit_write_all_blk_files(abrt_helper_t)
++	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.fc serefpolicy-3.7.9/policy/modules/services/afs.fc
---- nsaserefpolicy/policy/modules/services/afs.fc	2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/afs.fc	2010-02-16 15:08:37.000000000 -0500
-@@ -22,10 +22,10 @@
- 
- /usr/sbin/afsd		--	gen_context(system_u:object_r:afs_exec_t,s0)
- 
--/usr/vice/cache(/.*)?		gen_context(system_u:object_r:afs_cache_t,s0)
- /usr/vice/etc/afsd	--	gen_context(system_u:object_r:afs_exec_t,s0)
- 
- /var/cache/afs(/.*)?		gen_context(system_u:object_r:afs_cache_t,s0)
-+/usr/vice/cache(/.*)?		gen_context(system_u:object_r:afs_cache_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.if serefpolicy-3.7.15/policy/modules/services/afs.if
+--- nsaserefpolicy/policy/modules/services/afs.if	2010-03-01 15:12:54.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/afs.if	2010-03-18 10:44:42.000000000 -0400
+@@ -94,7 +94,7 @@
+ #
+ interface(`afs_admin',`
+ 	gen_require(`
+-		type afs_t;
++		type afs_t, afs_initrc_exec_t;
+ 	')
  
- /vicepa				gen_context(system_u:object_r:afs_files_t,s0)
- /vicepb				gen_context(system_u:object_r:afs_files_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.7.9/policy/modules/services/afs.te
---- nsaserefpolicy/policy/modules/services/afs.te	2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/afs.te	2010-02-16 15:08:37.000000000 -0500
+ 	allow $1 afs_t:process { ptrace signal_perms getattr };
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.te serefpolicy-3.7.15/policy/modules/services/afs.te
+--- nsaserefpolicy/policy/modules/services/afs.te	2010-03-01 15:12:54.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/afs.te	2010-03-18 10:44:42.000000000 -0400
 @@ -71,8 +71,8 @@
  # afs client local policy
  #
@@ -11153,7 +9939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.
 -allow afs_t self:capability { sys_nice sys_tty_config };
 -allow afs_t self:process setsched;
 +allow afs_t self:capability { sys_admin sys_nice sys_tty_config };
-+allow afs_t self:process { fork setsched signal };
++allow afs_t self:process { setsched signal };
  allow afs_t self:udp_socket create_socket_perms;
  allow afs_t self:fifo_file rw_file_perms;
  allow afs_t self:unix_stream_socket create_stream_socket_perms;
@@ -11166,18 +9952,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.
  ########################################
  #
  # AFS bossserver local policy
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.fc serefpolicy-3.7.9/policy/modules/services/aiccu.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.fc serefpolicy-3.7.15/policy/modules/services/aiccu.fc
 --- nsaserefpolicy/policy/modules/services/aiccu.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/aiccu.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/aiccu.fc	2010-03-18 10:44:42.000000000 -0400
 @@ -0,0 +1,5 @@
 +
 +/usr/sbin/aiccu	--	gen_context(system_u:object_r:aiccu_exec_t,s0)
 +
 +/etc/rc\.d/init\.d/aiccu	--	gen_context(system_u:object_r:aiccu_initrc_exec_t,s0)
 +/var/run/aiccu.pid		--	gen_context(system_u:object_r:aiccu_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.if serefpolicy-3.7.9/policy/modules/services/aiccu.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.if serefpolicy-3.7.15/policy/modules/services/aiccu.if
 --- nsaserefpolicy/policy/modules/services/aiccu.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/aiccu.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/aiccu.if	2010-03-18 10:44:42.000000000 -0400
 @@ -0,0 +1,119 @@
 +
 +## <summary>policy for aiccu</summary>
@@ -11298,9 +10084,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
 +	aiccu_manage_var_run($1)
 +
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.te serefpolicy-3.7.9/policy/modules/services/aiccu.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.te serefpolicy-3.7.15/policy/modules/services/aiccu.te
 --- nsaserefpolicy/policy/modules/services/aiccu.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/aiccu.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/aiccu.te	2010-03-18 10:44:42.000000000 -0400
 @@ -0,0 +1,41 @@
 +policy_module(aiccu,1.0.0)
 +
@@ -11343,10 +10129,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
 +manage_dirs_pattern(aiccu_t, aiccu_var_run_t,  aiccu_var_run_t)
 +manage_files_pattern(aiccu_t, aiccu_var_run_t,  aiccu_var_run_t)
 +files_pid_filetrans(aiccu_t, aiccu_var_run_t, { file dir })
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.fc serefpolicy-3.7.9/policy/modules/services/aisexec.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.fc serefpolicy-3.7.15/policy/modules/services/aisexec.fc
 --- nsaserefpolicy/policy/modules/services/aisexec.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/aisexec.fc	2010-02-16 15:08:37.000000000 -0500
-@@ -0,0 +1,12 @@
++++ serefpolicy-3.7.15/policy/modules/services/aisexec.fc	2010-03-18 10:44:42.000000000 -0400
+@@ -0,0 +1,10 @@
 +
 +/etc/rc\.d/init\.d/openais             --      gen_context(system_u:object_r:aisexec_initrc_exec_t,s0)
 +
@@ -11357,11 +10143,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise
 +/var/log/cluster/aisexec\.log          --      gen_context(system_u:object_r:aisexec_var_log_t,s0)
 +
 +/var/run/aisexec\.pid                  --      gen_context(system_u:object_r:aisexec_var_run_t,s0)
-+
-+/var/run/cman_.*                       -s      gen_context(system_u:object_r:aisexec_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.if serefpolicy-3.7.9/policy/modules/services/aisexec.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.if serefpolicy-3.7.15/policy/modules/services/aisexec.if
 --- nsaserefpolicy/policy/modules/services/aisexec.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/aisexec.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/aisexec.if	2010-03-18 10:44:42.000000000 -0400
 @@ -0,0 +1,106 @@
 +## <summary>SELinux policy for Aisexec Cluster Engine</summary>
 +
@@ -11469,10 +10253,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise
 +
 +        admin_pattern($1, aisexec_tmpfs_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.7.9/policy/modules/services/aisexec.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.7.15/policy/modules/services/aisexec.te
 --- nsaserefpolicy/policy/modules/services/aisexec.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/aisexec.te	2010-02-16 15:08:37.000000000 -0500
-@@ -0,0 +1,112 @@
++++ serefpolicy-3.7.15/policy/modules/services/aisexec.te	2010-03-18 10:44:42.000000000 -0400
+@@ -0,0 +1,115 @@
 +
 +policy_module(aisexec,1.0.0)
 +
@@ -11550,8 +10334,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise
 +corenet_tcp_bind_reserved_port(aisexec_t)
 +corenet_udp_bind_cluster_port(aisexec_t)
 +
-+ccs_stream_connect(aisexec_t)
-+
 +corecmd_exec_bin(aisexec_t)
 +
 +kernel_read_system_state(aisexec_t)
@@ -11570,41 +10352,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise
 +
 +logging_send_syslog_msg(aisexec_t)
 +
-+# to communication with RHCS
-+dlm_controld_manage_tmpfs_files(aisexec_t)
-+dlm_controld_rw_semaphores(aisexec_t)
++optional_policy(`
++	ccs_stream_connect(aisexec_t)
++')
 +
-+fenced_manage_tmpfs_files(aisexec_t)
-+fenced_rw_semaphores(aisexec_t)
++optional_policy(`
++	# to communication with RHCS
++	dlm_controld_manage_tmpfs_files(aisexec_t)
++	dlm_controld_rw_semaphores(aisexec_t)
 +
-+gfs_controld_manage_tmpfs_files(aisexec_t)
-+gfs_controld_rw_semaphores(aisexec_t)
-+gfs_controld_t_rw_shm(aisexec_t)
++	fenced_manage_tmpfs_files(aisexec_t)
++	fenced_rw_semaphores(aisexec_t)
 +
-+groupd_manage_tmpfs_files(aisexec_t)
-+groupd_rw_semaphores(aisexec_t)
-+groupd_rw_shm(aisexec_t)
++	gfs_controld_manage_tmpfs_files(aisexec_t)
++	gfs_controld_rw_semaphores(aisexec_t)
++	gfs_controld_t_rw_shm(aisexec_t)
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.7.9/policy/modules/services/amavis.te
---- nsaserefpolicy/policy/modules/services/amavis.te	2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/amavis.te	2010-02-16 15:08:37.000000000 -0500
-@@ -138,11 +138,13 @@
- 
- auth_dontaudit_read_shadow(amavis_t)
- 
-+init_read_utmp(amavis_t)
- init_stream_connect_script(amavis_t)
- 
- logging_send_syslog_msg(amavis_t)
- 
- miscfiles_read_localization(amavis_t)
-+miscfiles_read_certs(amavis_t)
- 
- sysnet_dns_name_resolve(amavis_t)
- sysnet_use_ldap(amavis_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.9/policy/modules/services/apache.fc
++	groupd_manage_tmpfs_files(aisexec_t)
++	groupd_rw_semaphores(aisexec_t)
++	groupd_rw_shm(aisexec_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.7.15/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/apache.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/apache.fc	2010-03-18 10:44:42.000000000 -0400
 @@ -2,12 +2,19 @@
  
  /etc/apache(2)?(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
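Review bot: `gfs_controld_t_rw_shm(aisexec_t)` breaks the naming pattern of its neighbours (`groupd_rw_shm`, `gfs_controld_rw_semaphores`); if the providing .if actually spells it `gfs_controld_rw_shm`, this line fails at module build time, so confirm the name against that interface file. Grouping the dlm_controld, fenced, gfs_controld and groupd calls in one `optional_policy` block is only right if they are all defined by the same module (the RHCS comment suggests they are); otherwise the whole block is dropped when any one of them is absent and it should be split per module. While there, the comment reads oddly — `# to communicate with RHCS` — and naming the module that provides these interfaces in it would make the single-block choice self-explanatory.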
@@ -11732,9 +10502,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +/var/www/svn/hooks(/.*)?		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 +/var/www/svn/conf(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.9/policy/modules/services/apache.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.15/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/apache.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/apache.if	2010-03-18 10:44:42.000000000 -0400
 @@ -13,21 +13,17 @@
  #
  template(`apache_content_template',`
@@ -12443,9 +11213,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +	dontaudit $1 httpd_t:unix_dgram_socket { read write };
 +	dontaudit $1 httpd_t:unix_stream_socket { read write };
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.9/policy/modules/services/apache.te
---- nsaserefpolicy/policy/modules/services/apache.te	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/apache.te	2010-02-16 15:08:37.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.15/policy/modules/services/apache.te
+--- nsaserefpolicy/policy/modules/services/apache.te	2010-03-18 06:48:02.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/services/apache.te	2010-03-18 10:44:42.000000000 -0400
 @@ -19,6 +19,8 @@
  # Declarations
  #
@@ -12656,7 +11426,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  apache_domtrans_rotatelogs(httpd_t)
  # Apache-httpd needs to be able to send signals to the log rotate procs.
-@@ -283,9 +359,9 @@
+@@ -283,13 +359,14 @@
  
  allow httpd_t httpd_suexec_exec_t:file read_file_perms;
  
@@ -12669,7 +11439,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
  manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -301,9 +377,11 @@
+-files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir })
++manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
++files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file })
+ 
+ manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+ manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+@@ -301,9 +378,11 @@
  manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
  files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
  
@@ -12682,7 +11458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
  manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
-@@ -312,18 +390,21 @@
+@@ -312,18 +391,21 @@
  kernel_read_kernel_sysctls(httpd_t)
  # for modules that want to access /proc/meminfo
  kernel_read_system_state(httpd_t)
@@ -12709,11 +11485,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  corenet_sendrecv_http_server_packets(httpd_t)
  # Signal self for shutdown
  corenet_tcp_connect_http_port(httpd_t)
-@@ -335,15 +416,15 @@
+@@ -335,15 +417,16 @@
  
  fs_getattr_all_fs(httpd_t)
  fs_search_auto_mountpoints(httpd_t)
 +fs_read_iso9660_files(httpd_t)
++fs_read_anon_inodefs_files(httpd_t)
  
  auth_use_nsswitch(httpd_t)
  
@@ -12728,7 +11505,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  files_read_usr_files(httpd_t)
  files_list_mnt(httpd_t)
  files_search_spool(httpd_t)
-@@ -358,6 +439,10 @@
+@@ -358,6 +441,10 @@
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -12739,7 +11516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  libs_read_lib_files(httpd_t)
  
-@@ -372,18 +457,33 @@
+@@ -372,18 +459,33 @@
  
  userdom_use_unpriv_users_fds(httpd_t)
  
@@ -12777,7 +11554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  ')
  
-@@ -391,32 +491,71 @@
+@@ -391,32 +493,71 @@
  	corenet_tcp_connect_all_ports(httpd_t)
  ')
  
@@ -12854,7 +11631,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -424,11 +563,23 @@
+@@ -424,11 +565,23 @@
  	fs_read_nfs_symlinks(httpd_t)
  ')
  
@@ -12878,7 +11655,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
  	allow httpd_sys_script_t httpd_t:fd use;
-@@ -451,7 +602,18 @@
+@@ -451,7 +604,18 @@
  ')
  
  optional_policy(`
@@ -12897,7 +11674,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  optional_policy(`
-@@ -463,8 +625,24 @@
+@@ -463,8 +627,24 @@
  ')
  
  optional_policy(`
@@ -12924,7 +11701,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  optional_policy(`
-@@ -472,22 +650,19 @@
+@@ -472,22 +652,19 @@
  	mailman_domtrans_cgi(httpd_t)
  	# should have separate types for public and private archives
  	mailman_search_data(httpd_t)
@@ -12950,7 +11727,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  optional_policy(`
-@@ -498,12 +673,23 @@
+@@ -498,12 +675,23 @@
  ')
  
  optional_policy(`
@@ -12974,15 +11751,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	')
  ')
  
-@@ -512,6 +698,7 @@
+@@ -512,6 +700,11 @@
  ')
  
  optional_policy(`
++	smokeping_getattr_lib_files(httpd_t)
++')
++
++optional_policy(`
 +	files_dontaudit_rw_usr_dirs(httpd_t)
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -539,6 +726,23 @@
+@@ -539,6 +732,23 @@
  
  userdom_use_user_terminals(httpd_helper_t)
  
@@ -13006,7 +11787,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ########################################
  #
  # Apache PHP script local policy
-@@ -568,20 +772,25 @@
+@@ -568,20 +778,32 @@
  
  fs_search_auto_mountpoints(httpd_php_t)
  
@@ -13025,6 +11806,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +	corenet_sendrecv_mysqld_client_packets(httpd_sys_script_t)
 +	corenet_tcp_connect_mysqld_port(httpd_suexec_t)
 +	corenet_sendrecv_mysqld_client_packets(httpd_suexec_t)
++
++	corenet_tcp_connect_mssql_port(httpd_t)
++	corenet_sendrecv_mssql_client_packets(httpd_t)
++	corenet_tcp_connect_mssql_port(httpd_sys_script_t)
++	corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
++	corenet_tcp_connect_mssql_port(httpd_suexec_t)
++	corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
  ')
  
 -optional_policy(`
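Review bot: The six new `corenet_*_mssql_*` lines sit inside a conditional block whose opening is outside this hunk, so their gate cannot be checked here; from the neighbouring mysqld rules it is presumably the `httpd_can_network_connect_db` tunable, in which case the boolean's description (in the tunable declaration, not in this hunk) should now mention MS SQL as well as MySQL, or administrators will not expect the mssql port to open when they set it. Bundling both databases under one boolean also means a site that only needs MySQL gets the MSSQL connects too; a comment such as `# mysqld and mssql share the httpd_can_network_connect_db gate` above the new lines would make that trade-off explicit.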
@@ -13038,7 +11826,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  ########################################
-@@ -599,23 +808,24 @@
+@@ -599,23 +821,24 @@
  append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
  read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
  
@@ -13067,7 +11855,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -628,6 +838,7 @@
+@@ -628,6 +851,7 @@
  logging_send_syslog_msg(httpd_suexec_t)
  
  miscfiles_read_localization(httpd_suexec_t)
@@ -13075,7 +11863,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  tunable_policy(`httpd_can_network_connect',`
  	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
-@@ -635,22 +846,31 @@
+@@ -635,22 +859,31 @@
  
  	corenet_all_recvfrom_unlabeled(httpd_suexec_t)
  	corenet_all_recvfrom_netlabel(httpd_suexec_t)
@@ -13114,7 +11902,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -676,16 +896,16 @@
+@@ -676,16 +909,16 @@
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -13135,7 +11923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  dontaudit httpd_sys_script_t httpd_config_t:dir search;
  
-@@ -700,15 +920,29 @@
+@@ -700,15 +933,29 @@
  files_search_var_lib(httpd_sys_script_t)
  files_search_spool(httpd_sys_script_t)
  
@@ -13167,7 +11955,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -716,6 +950,35 @@
+@@ -716,6 +963,35 @@
  	fs_read_nfs_symlinks(httpd_sys_script_t)
  ')
  
@@ -13203,7 +11991,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -728,6 +991,10 @@
+@@ -728,6 +1004,10 @@
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -13214,7 +12002,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  optional_policy(`
-@@ -739,6 +1006,8 @@
+@@ -739,6 +1019,8 @@
  # httpd_rotatelogs local policy
  #
  
@@ -13223,7 +12011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
  
  kernel_read_kernel_sysctls(httpd_rotatelogs_t)
-@@ -758,11 +1027,88 @@
+@@ -758,11 +1040,88 @@
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -13243,7 +12031,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +	userdom_search_user_home_content(httpd_t)
 +	userdom_search_user_home_content(httpd_suexec_t)
 +	userdom_search_user_home_content(httpd_user_script_t)
-+')
+ ')
 +
 +tunable_policy(`httpd_read_user_content',`
 +	userdom_read_user_home_content_files(httpd_user_script_t)
@@ -13293,7 +12081,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +optional_policy(`
 +	mysql_search_db(httpd_bugzilla_script_t)
 +	mysql_stream_connect(httpd_bugzilla_script_t)
- ')
++')
 +
 +optional_policy(`
 +	postgresql_stream_connect(httpd_bugzilla_script_t)
@@ -13315,23 +12103,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +typealias httpd_sys_script_t      alias httpd_fastcgi_script_t;
 +typealias httpd_var_run_t         alias httpd_fastcgi_var_run_t;
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.7.9/policy/modules/services/apm.te
---- nsaserefpolicy/policy/modules/services/apm.te	2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/apm.te	2010-02-16 15:08:37.000000000 -0500
-@@ -223,6 +223,10 @@
- 	unconfined_domain(apmd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.7.15/policy/modules/services/apcupsd.te
+--- nsaserefpolicy/policy/modules/services/apcupsd.te	2010-03-04 11:17:25.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/apcupsd.te	2010-03-18 10:44:42.000000000 -0400
+@@ -95,6 +95,10 @@
  ')
  
-+optional_policy(`
-+	vbetool_domtrans(apmd_t)
+ optional_policy(`
++	shutdown_domtrans(apcupsd_t)
 +')
 +
- # cjp: related to sleep/resume (?)
- optional_policy(`
- 	xserver_domtrans(apmd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.7.9/policy/modules/services/arpwatch.te
---- nsaserefpolicy/policy/modules/services/arpwatch.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/arpwatch.te	2010-02-16 15:08:37.000000000 -0500
++optional_policy(`
+ 	mta_send_mail(apcupsd_t)
+ 	mta_system_content(apcupsd_tmp_t)
+ ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.7.15/policy/modules/services/arpwatch.te
+--- nsaserefpolicy/policy/modules/services/arpwatch.te	2010-03-04 11:17:25.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/arpwatch.te	2010-03-18 10:44:42.000000000 -0400
 @@ -34,6 +34,7 @@
  allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms };
  allow arpwatch_t self:udp_socket create_socket_perms;
@@ -13357,73 +12145,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpw
  
  fs_getattr_all_fs(arpwatch_t)
  fs_search_auto_mountpoints(arpwatch_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.7.9/policy/modules/services/asterisk.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.7.15/policy/modules/services/asterisk.if
 --- nsaserefpolicy/policy/modules/services/asterisk.if	2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/asterisk.if	2010-02-16 15:08:37.000000000 -0500
-@@ -2,8 +2,28 @@
++++ serefpolicy-3.7.15/policy/modules/services/asterisk.if	2010-03-18 10:44:43.000000000 -0400
+@@ -1,5 +1,24 @@
+ ## <summary>Asterisk IP telephony server</summary>
  
- #####################################
- ## <summary>
--##	Connect to asterisk over a unix domain
--##	stream socket.
-+##      Connect to asterisk over a unix domain
-+##      stream socket.
-+## </summary>
-+## <param name="domain">
-+##      <summary>
-+##      Domain allowed access.
-+##      </summary>
-+## </param>
-+#
-+interface(`asterisk_stream_connect',`
-+        gen_require(`
-+                type asterisk_t, asterisk_var_run_t;
-+        ')
-+
-+        files_search_pids($1)
-+        stream_connect_pattern($1, asterisk_var_run_t, asterisk_var_run_t, asterisk_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Create, read, write, and delete
-+##	asterisk lib files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -11,18 +31,18 @@
- ##	</summary>
- ## </param>
- #
--interface(`asterisk_stream_connect',`
-+interface(`asterisk_manage_lib_files',`
- 	gen_require(`
--		type asterisk_t, asterisk_var_run_t;
-+		type asterisk_var_lib_t;
- 	')
- 
--	files_search_pids($1)
--	stream_connect_pattern($1, asterisk_var_run_t, asterisk_var_run_t, asterisk_t)
-+	manage_files_pattern($1, asterisk_var_lib_t, asterisk_var_lib_t)
-+	files_search_var_lib($1)
- ')
- 
- ########################################
- ## <summary>
--##	All of the rules required to administrate
-+##	All of the rules required to administrate 
- ##	an asterisk environment
- ## </summary>
- ## <param name="domain">
-@@ -71,3 +91,22 @@
- 	files_list_pids($1)
- 	admin_pattern($1, asterisk_var_run_t)
- ')
-+
-+
 +######################################
 +## <summary>
-+##	Execute asterisk 
++##	Execute asterisk in the asterisk domain.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -13431,16 +12161,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste
 +##	</summary>
 +## </param>
 +#
-+interface(`asterisk_exec',`
++interface(`asterisk_domtrans',`
 +	gen_require(`
-+		type asterisk_exec_t;
++		type asterisk_t, asterisk_exec_t;
 +	')
 +
-+	can_exec($1, asterisk_exec_t)
++	corecmd_search_bin($1)
++	domtrans_pattern($1, asterisk_exec_t, asterisk_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.7.9/policy/modules/services/asterisk.te
++
+ #####################################
+ ## <summary>
+ ##	Connect to asterisk over a unix domain
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.7.15/policy/modules/services/asterisk.te
 --- nsaserefpolicy/policy/modules/services/asterisk.te	2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/asterisk.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/asterisk.te	2010-03-18 10:44:43.000000000 -0400
 @@ -40,12 +40,13 @@
  #
  
@@ -13488,14 +12223,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste
  
  domain_use_interactive_fds(asterisk_t)
  
-@@ -119,18 +127,31 @@
+@@ -118,19 +126,33 @@
+ files_read_usr_files(asterisk_t)
  
  fs_getattr_all_fs(asterisk_t)
- fs_search_auto_mountpoints(asterisk_t)
++fs_list_inotifyfs(asterisk_t)
 +fs_read_anon_inodefs_files(asterisk_t)
-+
-+auth_use_nsswitch(asterisk_t)
+ fs_search_auto_mountpoints(asterisk_t)
  
++auth_use_nsswitch(asterisk_t)
++
  logging_send_syslog_msg(asterisk_t)
  
  miscfiles_read_localization(asterisk_t)
@@ -13523,7 +12260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste
  ')
  
  optional_policy(`
-@@ -138,10 +159,11 @@
+@@ -138,10 +160,11 @@
  ')
  
  optional_policy(`
@@ -13539,37 +12276,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste
 +	udev_read_db(asterisk_t)
  ')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.7.9/policy/modules/services/automount.te
---- nsaserefpolicy/policy/modules/services/automount.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/automount.te	2010-02-16 15:08:37.000000000 -0500
-@@ -75,6 +75,7 @@
- 
- fs_mount_all_fs(automount_t)
- fs_unmount_all_fs(automount_t)
-+fs_search_all(automount_t)
- 
- corecmd_exec_bin(automount_t)
- corecmd_exec_shell(automount_t)
-@@ -129,6 +130,7 @@
- fs_unmount_autofs(automount_t)
- fs_mount_autofs(automount_t)
- fs_manage_autofs_symlinks(automount_t)
-+fs_read_nfs_files(automount_t)
- 
- storage_rw_fuse(automount_t)
- 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.7.9/policy/modules/services/avahi.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.fc serefpolicy-3.7.15/policy/modules/services/avahi.fc
 --- nsaserefpolicy/policy/modules/services/avahi.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/avahi.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/avahi.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -6,4 +6,4 @@
  
  /var/run/avahi-daemon(/.*)? 		gen_context(system_u:object_r:avahi_var_run_t,s0)
  
 -/usr/lib/avahi-autoipd(/.*)		gen_context(system_u:object_r:avahi_var_lib_t,s0)
-+/var/lib/avahi-autoipd(/.*)		gen_context(system_u:object_r:avahi_var_lib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.7.9/policy/modules/services/avahi.te
++/var/lib/avahi-autoipd(/.*)?		gen_context(system_u:object_r:avahi_var_lib_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.if serefpolicy-3.7.15/policy/modules/services/avahi.if
+--- nsaserefpolicy/policy/modules/services/avahi.if	2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/services/avahi.if	2010-03-18 10:44:43.000000000 -0400
+@@ -90,6 +90,7 @@
+ 		class dbus send_msg;
+ 	')
+ 
++	allow avahi_t $1:file read;
+ 	allow $1 avahi_t:dbus send_msg;
+ 	allow avahi_t $1:dbus send_msg;
+ ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.7.15/policy/modules/services/avahi.te
 --- nsaserefpolicy/policy/modules/services/avahi.te	2010-01-11 09:40:36.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/avahi.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/avahi.te	2010-03-18 10:44:43.000000000 -0400
 @@ -24,7 +24,7 @@
  # Local policy
  #
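Review bot: `allow avahi_t $1:file read;` grants avahi read access to every file carrying the caller domain's type, which for a process type is presumably its /proc/<pid> entries, yet the rule is uncommented and sits inside an interface whose summary describes dbus messaging. A why-comment such as `# avahi reads the peer's /proc/<pid> files when servicing its dbus request -- confirm which file triggers this` would make the grant reviewable, and if only that access is needed it is worth checking whether an existing interface already expresses it rather than a raw rule on the whole file class. The enclosing interface starts outside the hunk.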
@@ -13611,109 +12340,586 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avah
 +sysnet_manage_config(avahi_t)
 +sysnet_etc_filetrans_config(avahi_t)
 +
- userdom_dontaudit_use_unpriv_user_fds(avahi_t)
- userdom_dontaudit_search_user_home_dirs(avahi_t)
- 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.7.9/policy/modules/services/bind.if
---- nsaserefpolicy/policy/modules/services/bind.if	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/bind.if	2010-02-16 15:08:37.000000000 -0500
-@@ -253,7 +253,7 @@
- 
- ########################################
- ## <summary>
--##	Do not audit attempts to set the attributes
-+##	Allow domain to  set the attributes
- ##	of the BIND pid directory.
- ## </summary>
- ## <param name="domain">
-@@ -272,6 +272,25 @@
- 
- ########################################
- ## <summary>
-+##	Allow domain to set attributes
-+##	of the BIND zone directory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
+ userdom_dontaudit_use_unpriv_user_fds(avahi_t)
+ userdom_dontaudit_search_user_home_dirs(avahi_t)
+ 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.7.15/policy/modules/services/bind.if
+--- nsaserefpolicy/policy/modules/services/bind.if	2010-02-12 10:33:09.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/bind.if	2010-03-18 10:44:43.000000000 -0400
+@@ -253,7 +253,7 @@
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to set the attributes
++##	Allow domain to  set the attributes
+ ##	of the BIND pid directory.
+ ## </summary>
+ ## <param name="domain">
+@@ -272,6 +272,25 @@
+ 
+ ########################################
+ ## <summary>
++##	Allow domain to set attributes
++##	of the BIND zone directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`bind_setattr_zone_dirs',`
++	gen_require(`
++		type named_zone_t;
++	')
++
++	allow $1 named_zone_t:dir setattr;
++')
++
++########################################
++## <summary>
+ ##	Read BIND zone files.
+ ## </summary>
+ ## <param name="domain">
+@@ -356,7 +375,7 @@
+ 
+ 	bind_run_ndc($1, $2)
+ 
+-	init_labeled_script_domtrans($1, bind_initrc_exec_t)
++	init_labeled_script_domtrans($1, named_initrc_exec_t)
+ 	domain_system_change_exemption($1)
+ 	role_transition $2 named_initrc_exec_t system_r;
+ 	allow $2 system_r;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.7.15/policy/modules/services/bind.te
+--- nsaserefpolicy/policy/modules/services/bind.te	2010-02-12 10:33:09.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/bind.te	2010-03-18 10:44:43.000000000 -0400
+@@ -142,11 +142,11 @@
+ 
+ logging_send_syslog_msg(named_t)
+ 
++init_read_script_tmp_files(named_t)
++
+ miscfiles_read_localization(named_t)
+ miscfiles_read_certs(named_t)
+ 
+-sysnet_read_config(named_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(named_t)
+ userdom_dontaudit_search_user_home_dirs(named_t)
+ 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.7.15/policy/modules/services/bluetooth.te
+--- nsaserefpolicy/policy/modules/services/bluetooth.te	2010-02-12 10:33:09.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/bluetooth.te	2010-03-18 10:44:43.000000000 -0400
+@@ -54,7 +54,7 @@
+ # Bluetooth services local policy
+ #
+ 
+-allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_tty_config ipc_lock };
++allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_admin sys_tty_config ipc_lock };
+ dontaudit bluetooth_t self:capability sys_tty_config;
+ allow bluetooth_t self:process { getcap setcap getsched signal_perms };
+ allow bluetooth_t self:fifo_file rw_fifo_file_perms;
+@@ -96,6 +96,7 @@
+ kernel_read_system_state(bluetooth_t)
+ kernel_read_network_state(bluetooth_t)
+ kernel_request_load_module(bluetooth_t)
++kernel_search_debugfs(bluetooth_t)
+ 
+ corenet_all_recvfrom_unlabeled(bluetooth_t)
+ corenet_all_recvfrom_netlabel(bluetooth_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.fc serefpolicy-3.7.15/policy/modules/services/boinc.fc
+--- nsaserefpolicy/policy/modules/services/boinc.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/boinc.fc	2010-03-18 10:44:43.000000000 -0400
+@@ -0,0 +1,6 @@
++
++/etc/rc\.d/init\.d/boinc_client		--  gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
++
++/usr/bin/boinc_client				--	gen_context(system_u:object_r:boinc_exec_t,s0)
++
++/var/lib/boinc(/.*)?					gen_context(system_u:object_r:boinc_var_lib_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.if serefpolicy-3.7.15/policy/modules/services/boinc.if
+--- nsaserefpolicy/policy/modules/services/boinc.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/boinc.if	2010-03-18 10:44:43.000000000 -0400
+@@ -0,0 +1,151 @@
++
++## <summary>policy for boinc</summary>
++
++########################################
++## <summary>
++##	Execute a domain transition to run boinc.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`boinc_domtrans',`
++	gen_require(`
++		type boinc_t, boinc_exec_t;
++	')
++
++	domtrans_pattern($1, boinc_exec_t, boinc_t)
++')
++
++#######################################
++## <summary>
++##  Execute boinc server in the boinc domain.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  The type of the process performing this action.
++##  </summary>
++## </param>
++#
++interface(`boinc_initrc_domtrans',`
++    gen_require(`
++        type boinc_initrc_exec_t;
++    ')
++
++    init_labeled_script_domtrans($1, boinc_initrc_exec_t)
++')
++
++########################################
++## <summary>
++##	Search boinc lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`boinc_search_lib',`
++	gen_require(`
++		type boinc_var_lib_t;
++	')
++
++	allow $1 boinc_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Read boinc lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`boinc_read_lib_files',`
++	gen_require(`
++		type boinc_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++        read_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete
++##	boinc lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`boinc_manage_lib_files',`
++	gen_require(`
++		type boinc_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++        manage_files_pattern($1, boinc_var_lib_t,  boinc_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage boinc var_lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`boinc_manage_var_lib',`
++	gen_require(`
++		type boinc_var_lib_t;
++	')
++
++         manage_dirs_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
++         manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
++         manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate 
++##	an boinc environment.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`boinc_admin',`
++	gen_require(`
++		type boinc_t, boinc_initrc_exec_t;
++		type boinc_var_lib_t;
++	')
++
++	allow $1 boinc_t:process { ptrace signal_perms getattr };
++	read_files_pattern($1, boinc_t, boinc_t)
++
++	boinc_initrc_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 myboinc_initrc_exec_t system_r;
++	allow $2 system_r;
++	        
++	files_list_var_lib($1)
++	admin_pattern($1, boinc_var_lib_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.7.15/policy/modules/services/boinc.te
+--- nsaserefpolicy/policy/modules/services/boinc.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/boinc.te	2010-03-18 10:44:43.000000000 -0400
+@@ -0,0 +1,80 @@
++
++policy_module(boinc,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type boinc_t;
++type boinc_exec_t;
++init_daemon_domain(boinc_t, boinc_exec_t)
++
++permissive boinc_t;
++
++type boinc_initrc_exec_t;
++init_script_file(boinc_initrc_exec_t)
++
++type boinc_tmpfs_t;
++files_tmpfs_file(boinc_tmpfs_t)
++
++type boinc_var_lib_t;
++files_type(boinc_var_lib_t)
++
++########################################
++#
++# boinc local policy
++#
++
++allow boinc_t self:capability { kill };
++allow boinc_t self:process { execmem fork setsched signal };
++
++allow boinc_t self:fifo_file rw_fifo_file_perms;
++allow boinc_t self:unix_stream_socket create_stream_socket_perms;
++allow boinc_t self:tcp_socket create_stream_socket_perms;
++allow boinc_t self:shm create_shm_perms;
++
++manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
++fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t,file)
++
++exec_files_pattern(boinc_t, boinc_var_lib_t,  boinc_var_lib_t)
++manage_dirs_pattern(boinc_t, boinc_var_lib_t,  boinc_var_lib_t)
++manage_files_pattern(boinc_t, boinc_var_lib_t,  boinc_var_lib_t)
++files_var_lib_filetrans(boinc_t, boinc_var_lib_t, { file dir } )
++
++kernel_read_system_state(boinc_t)
++kernel_read_kernel_sysctls(boinc_t)
++
++corecmd_exec_bin(boinc_t)
++corecmd_exec_shell(boinc_t)
++
++corenet_all_recvfrom_unlabeled(boinc_t)
++corenet_all_recvfrom_netlabel(boinc_t)
++corenet_tcp_sendrecv_generic_if(boinc_t)
++corenet_udp_sendrecv_generic_if(boinc_t)
++corenet_tcp_sendrecv_generic_node(boinc_t)
++corenet_udp_sendrecv_generic_node(boinc_t)
++corenet_tcp_sendrecv_all_ports(boinc_t)
++corenet_udp_sendrecv_all_ports(boinc_t)
++corenet_tcp_bind_generic_node(boinc_t)
++corenet_udp_bind_generic_node(boinc_t)
++corenet_tcp_bind_boinc_port(boinc_t)
++corenet_tcp_connect_http_port(boinc_t)
++
++dev_read_urand(boinc_t)
++
++domain_read_all_domains_state(boinc_t)
++
++files_read_etc_files(boinc_t)
++files_read_usr_files(boinc_t)
++
++fs_getattr_all_fs(boinc_t)
++
++term_dontaudit_getattr_ptmx(boinc_t)
++
++miscfiles_read_localization(boinc_t)
++
++logging_send_syslog_msg(boinc_t)
++
++sysnet_dns_name_resolve(boinc_t)
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.fc serefpolicy-3.7.15/policy/modules/services/cachefilesd.fc
+--- nsaserefpolicy/policy/modules/services/cachefilesd.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/cachefilesd.fc	2010-03-18 10:44:43.000000000 -0400
+@@ -0,0 +1,28 @@
++###############################################################################
++#
++# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
++# Written by David Howells (dhowells@redhat.com)
++#            Karl MacMillan (kmacmill@redhat.com)
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License
++# as published by the Free Software Foundation; either version
++# 2 of the License, or (at your option) any later version.
++#
++###############################################################################
++
++#
++# Define the contexts to be assigned to various files and directories of
++# importance to the CacheFiles kernel module and userspace management daemon.
++#
++
++# cachefilesd executable will have:
++# label: system_u:object_r:cachefilesd_exec_t
++# MLS sensitivity: s0
++# MCS categories: <none>
++
++/sbin/cachefilesd	--	gen_context(system_u:object_r:cachefilesd_exec_t,s0)
++/dev/cachefiles		-c	gen_context(system_u:object_r:cachefiles_dev_t,s0)
++/var/fscache(/.*)?		gen_context(system_u:object_r:cachefiles_var_t,s0)
++
++/var/run/cachefilesd\.pid --	gen_context(system_u:object_r:cachefiles_var_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.if serefpolicy-3.7.15/policy/modules/services/cachefilesd.if
+--- nsaserefpolicy/policy/modules/services/cachefilesd.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/cachefilesd.if	2010-03-18 10:44:43.000000000 -0400
+@@ -0,0 +1,41 @@
++###############################################################################
++#
++# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
++# Written by David Howells (dhowells@redhat.com)
++#            Karl MacMillan (kmacmill@redhat.com)
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License
++# as published by the Free Software Foundation; either version
++# 2 of the License, or (at your option) any later version.
++#
++###############################################################################
++
++#
++# Define the policy interface for the CacheFiles userspace management daemon.
++#
++
++## <summary>policy for cachefilesd</summary>
++
++########################################
++## <summary>
++##	Execute a domain transition to run cachefilesd.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`cachefilesd_domtrans',`
++	gen_require(`
++		type cachefilesd_t, cachefilesd_exec_t;
++	')
++
++	domain_auto_trans($1,cachefilesd_exec_t,cachefilesd_t)
++
++	allow $1 cachefilesd_t:fd use;
++	allow cachefilesd_t $1:fd use;
++	allow cachefilesd_t $1:fifo_file rw_file_perms;
++	allow cachefilesd_t $1:process sigchld;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cachefilesd.te serefpolicy-3.7.15/policy/modules/services/cachefilesd.te
+--- nsaserefpolicy/policy/modules/services/cachefilesd.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/cachefilesd.te	2010-03-18 10:44:43.000000000 -0400
+@@ -0,0 +1,146 @@
++###############################################################################
++#
++# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved.
++# Written by David Howells (dhowells@redhat.com)
++#            Karl MacMillan (kmacmill@redhat.com)
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License
++# as published by the Free Software Foundation; either version
++# 2 of the License, or (at your option) any later version.
++#
++###############################################################################
++
++#
++# This security policy governs access by the CacheFiles kernel module and
++# userspace management daemon to the files and directories in the on-disk
++# cache, on behalf of the processes accessing the cache through a network
++# filesystem such as NFS
++#
++policy_module(cachefilesd,1.0.17)
++
++###############################################################################
++#
++# Declarations
++#
++require { type kernel_t; }
++
++#
++# Files in the cache are created by the cachefiles module with security ID
++# cachefiles_var_t
++#
++type cachefiles_var_t;
++files_type(cachefiles_var_t)
++
++#
++# The /dev/cachefiles character device has security ID cachefiles_dev_t
++#
++type cachefiles_dev_t;
++dev_node(cachefiles_dev_t)
++
++#
++# The cachefilesd daemon normally runs with security ID cachefilesd_t
++#
++type cachefilesd_t;
++type cachefilesd_exec_t;
++domain_type(cachefilesd_t)
++init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)
++
++#
++# The cachefilesd daemon pid file context
++#
++type cachefilesd_var_run_t;
++files_pid_file(cachefilesd_var_run_t)
++
++#
++# The CacheFiles kernel module causes processes accessing the cache files to do
++# so acting as security ID cachefiles_kernel_t
++#
++type cachefiles_kernel_t;
++domain_type(cachefiles_kernel_t)
++domain_obj_id_change_exemption(cachefiles_kernel_t)
++role system_r types cachefiles_kernel_t;
++
++###############################################################################
++#
++# Permit RPM to deal with files in the cache
++#
++rpm_use_script_fds(cachefilesd_t)
++
++###############################################################################
++#
++# cachefilesd local policy
++#
++# These define what cachefilesd is permitted to do.  This doesn't include very
++# much: startup stuff, logging, pid file, scanning the cache superstructure and
++# deleting files from the cache.  It is not permitted to read/write files in
++# the cache.
++#
++# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
++# rules.
++#
++allow cachefilesd_t self : capability { setuid setgid sys_admin dac_override };
++
++# Basic access
++files_read_etc_files(cachefilesd_t)
++libs_use_ld_so(cachefilesd_t)
++libs_use_shared_libs(cachefilesd_t)
++miscfiles_read_localization(cachefilesd_t)
++logging_send_syslog_msg(cachefilesd_t)
++init_dontaudit_use_script_ptys(cachefilesd_t)
++term_dontaudit_use_generic_ptys(cachefilesd_t)
++term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
++
++# Allow manipulation of pid file
++allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
++manage_files_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t)
++manage_dirs_pattern(cachefilesd_t,cachefilesd_var_run_t, cachefilesd_var_run_t)
++files_pid_file(cachefilesd_var_run_t)
++files_pid_filetrans(cachefilesd_t,cachefilesd_var_run_t,file)
++
++# Allow access to cachefiles device file
++allow cachefilesd_t cachefiles_dev_t : chr_file rw_file_perms;
++
++# Allow access to cache superstructure
++allow cachefilesd_t cachefiles_var_t : dir rw_dir_perms;
++allow cachefilesd_t cachefiles_var_t : file { getattr rename unlink };
++
++# Permit statfs on the backing filesystem
++fs_getattr_xattr_fs(cachefilesd_t)
++
++###############################################################################
 +#
-+interface(`bind_setattr_zone_dirs',`
-+	gen_require(`
-+		type named_zone_t;
-+	')
++# When cachefilesd invokes the kernel module to begin caching, it has to tell
++# the kernel module the security context in which it should act, and this
++# policy has to approve that.
++#
++# There are two parts to this:
++#
++#   (1) the security context used by the module to access files in the cache,
++#       as set by the 'secctx' command in /etc/cachefilesd.conf, and
++#
++allow cachefilesd_t cachefiles_kernel_t : kernel_service { use_as_override };
 +
-+	allow $1 named_zone_t:dir setattr;
-+')
++#
++#   (2) the label that will be assigned to new files and directories created in
++#       the cache by the module, which will be the same as the label on the
++#       directory pointed to by the 'dir' command.
++#
++allow cachefilesd_t cachefiles_var_t : kernel_service { create_files_as };
 +
-+########################################
-+## <summary>
- ##	Read BIND zone files.
- ## </summary>
- ## <param name="domain">
-@@ -356,7 +375,7 @@
- 
- 	bind_run_ndc($1, $2)
- 
--	init_labeled_script_domtrans($1, bind_initrc_exec_t)
-+	init_labeled_script_domtrans($1, named_initrc_exec_t)
- 	domain_system_change_exemption($1)
- 	role_transition $2 named_initrc_exec_t system_r;
- 	allow $2 system_r;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.7.9/policy/modules/services/bind.te
---- nsaserefpolicy/policy/modules/services/bind.te	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/bind.te	2010-02-16 15:08:37.000000000 -0500
-@@ -142,11 +142,11 @@
- 
- logging_send_syslog_msg(named_t)
- 
-+init_read_script_tmp_files(named_t)
++###############################################################################
++#
++# cachefiles kernel module local policy
++#
++# This governs what the kernel module is allowed to do the contents of the
++# cache.
++#
++allow cachefiles_kernel_t self:capability { dac_override dac_read_search };
++allow cachefiles_kernel_t initrc_t:process sigchld;
 +
- miscfiles_read_localization(named_t)
- miscfiles_read_certs(named_t)
- 
--sysnet_read_config(named_t)
--
- userdom_dontaudit_use_unpriv_user_fds(named_t)
- userdom_dontaudit_search_user_home_dirs(named_t)
- 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.7.9/policy/modules/services/bluetooth.te
---- nsaserefpolicy/policy/modules/services/bluetooth.te	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/bluetooth.te	2010-02-16 15:08:37.000000000 -0500
-@@ -96,6 +96,7 @@
- kernel_read_system_state(bluetooth_t)
- kernel_read_network_state(bluetooth_t)
- kernel_request_load_module(bluetooth_t)
-+kernel_search_debugfs(bluetooth_t)
- 
- corenet_all_recvfrom_unlabeled(bluetooth_t)
- corenet_all_recvfrom_netlabel(bluetooth_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.7.9/policy/modules/services/ccs.te
++manage_dirs_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t)
++manage_files_pattern(cachefiles_kernel_t,cachefiles_var_t, cachefiles_var_t)
++
++fs_getattr_xattr_fs(cachefiles_kernel_t)
++
++dev_search_sysfs(cachefiles_kernel_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-3.7.15/policy/modules/services/ccs.te
 --- nsaserefpolicy/policy/modules/services/ccs.te	2010-02-16 14:58:22.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/ccs.te	2010-02-16 15:08:37.000000000 -0500
-@@ -73,6 +73,8 @@
- manage_sock_files_pattern(ccs_t, ccs_var_run_t, ccs_var_run_t)
- files_pid_filetrans(ccs_t, ccs_var_run_t, { dir file sock_file })
++++ serefpolicy-3.7.15/policy/modules/services/ccs.te	2010-03-18 10:44:43.000000000 -0400
+@@ -114,5 +114,10 @@
+ ')
  
-+aisexec_stream_connect(ccs_t)
+ optional_policy(`
++	aisexec_stream_connect(ccs_t)
++	corosync_stream_connect(ccs_t)
++')
 +
- kernel_read_kernel_sysctls(ccs_t)
- 
- corecmd_list_bin(ccs_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.7.9/policy/modules/services/certmaster.fc
---- nsaserefpolicy/policy/modules/services/certmaster.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/certmaster.fc	2010-02-16 15:08:37.000000000 -0500
-@@ -3,5 +3,6 @@
- 
- /usr/bin/certmaster		--	gen_context(system_u:object_r:certmaster_exec_t,s0)
- 
-+/var/lib/certmaster(/.*)?		gen_context(system_u:object_r:certmaster_var_lib_t,s0)
- /var/log/certmaster(/.*)?		gen_context(system_u:object_r:certmaster_var_log_t,s0)
- /var/run/certmaster.*			gen_context(system_u:object_r:certmaster_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.fc serefpolicy-3.7.9/policy/modules/services/certmonger.fc
++optional_policy(`
+ 	unconfined_use_fds(ccs_t)
+ ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.fc serefpolicy-3.7.15/policy/modules/services/certmonger.fc
 --- nsaserefpolicy/policy/modules/services/certmonger.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/certmonger.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/certmonger.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -0,0 +1,6 @@
 +/etc/rc\.d/init\.d/certmonger	--	gen_context(system_u:object_r:certmonger_initrc_exec_t,s0)
 +
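Review bot: `boinc_admin` references an undeclared type at `role_transition $2 myboinc_initrc_exec_t system_r;` — its gen_require only brings in `boinc_initrc_exec_t`, so any caller of the interface fails to build; the line should read `role_transition $2 boinc_initrc_exec_t system_r;`. In cachefilesd.fc the pid file is labelled `cachefiles_var_t` (`/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefiles_var_t,s0)`) while cachefilesd.te declares `cachefilesd_var_run_t` for it via `files_pid_filetrans` and only grants cachefilesd_t `{ getattr rename unlink }` on `cachefiles_var_t` files, so after a restorecon the daemon presumably can no longer rewrite its own pid file and the kernel-module domain gains manage rights over it; the fc entry should use `cachefilesd_var_run_t`. `permissive boinc_t;` ships a new network-facing domain with enforcement off, alongside `execmem`, `corecmd_exec_shell` and `corenet_tcp_sendrecv_all_ports`, and nothing records when it is to be removed; a comment such as `# TODO: drop permissive once boinc_t has run clean in enforcing mode` would keep that visible. `allow cachefiles_kernel_t initrc_t:process sigchld;` likewise uses `initrc_t` without a `gen_require` (the module's `require { type kernel_t; }` declares a type that is never used), and the new `sys_admin` in bluetooth_t's capability set has no why-comment naming the operation that needs it.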
@@ -13721,9 +12927,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
 +
 +/var/run/certmonger.pid		--	gen_context(system_u:object_r:certmonger_var_run_t,s0)
 +/var/lib/certmonger(/.*)?			gen_context(system_u:object_r:certmonger_var_lib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.if serefpolicy-3.7.9/policy/modules/services/certmonger.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.if serefpolicy-3.7.15/policy/modules/services/certmonger.if
 --- nsaserefpolicy/policy/modules/services/certmonger.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/certmonger.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/certmonger.if	2010-03-18 10:44:43.000000000 -0400
 @@ -0,0 +1,217 @@
 +
 +## <summary>Certificate status monitor and PKI enrollment client</summary>
@@ -13942,9 +13148,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
 +	files_search_pids($1)
 +	admin_pattern($1, cermonger_var_run_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.7.9/policy/modules/services/certmonger.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmonger.te serefpolicy-3.7.15/policy/modules/services/certmonger.te
 --- nsaserefpolicy/policy/modules/services/certmonger.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/certmonger.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/certmonger.te	2010-03-18 10:44:43.000000000 -0400
 @@ -0,0 +1,74 @@
 +policy_module(certmonger,1.0.0)
 +
@@ -14020,9 +13226,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert
 +optional_policy(`
 +	unconfined_dbus_send(certmonger_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.fc serefpolicy-3.7.9/policy/modules/services/cgroup.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.fc serefpolicy-3.7.15/policy/modules/services/cgroup.fc
 --- nsaserefpolicy/policy/modules/services/cgroup.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/cgroup.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/cgroup.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -0,0 +1,7 @@
 +/etc/rc\.d/init\.d/cgconfig	-- gen_context(system_u:object_r:cgconfig_initrc_exec_t, s0)
 +/etc/rc\.d/init\.d/cgred	-- gen_context(system_u:object_r:cgred_initrc_exec_t, s0)
@@ -14031,9 +13237,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
 +/sbin/cgconfigparser		-- gen_context(system_u:object_r:cgconfigparser_exec_t, s0)
 +
 +/var/run/cgred.*		gen_context(system_u:object_r:cgred_var_run_t, s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.if serefpolicy-3.7.9/policy/modules/services/cgroup.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.if serefpolicy-3.7.15/policy/modules/services/cgroup.if
 --- nsaserefpolicy/policy/modules/services/cgroup.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/cgroup.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/cgroup.if	2010-03-18 10:44:43.000000000 -0400
 @@ -0,0 +1,35 @@
 +## <summary>Control group rules engine daemon.</summary>
 +## <desc>
@@ -14070,9 +13276,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
 +	stream_connect_pattern($1, cgred_var_run_t, cgred_var_run_t, cgred_t)
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.7.9/policy/modules/services/cgroup.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.7.15/policy/modules/services/cgroup.te
 --- nsaserefpolicy/policy/modules/services/cgroup.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/cgroup.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/cgroup.te	2010-03-18 10:44:43.000000000 -0400
 @@ -0,0 +1,87 @@
 +policy_module(cgroup, 1.0.0)
 +
@@ -14150,7 +13356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
 +	fs_manage_cgroup_dirs(cgconfigparser_t)
 +	fs_rw_cgroup_files(cgconfigparser_t)
 +	fs_setattr_cgroup_files(cgconfigparser_t)
-+	fs_mount_cgroup_fs(cgconfigparser_t)
++	fs_mount_cgroup(cgconfigparser_t)
 +')
 +
 +files_mounton_mnt(cgconfigparser_t)
@@ -14161,18 +13367,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro
 +# /mnt/cgroups/cpu
 +kernel_list_unlabeled(cgconfigparser_t)
 +kernel_read_system_state(cgconfigparser_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.fc serefpolicy-3.7.9/policy/modules/services/chronyd.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.fc serefpolicy-3.7.15/policy/modules/services/chronyd.fc
 --- nsaserefpolicy/policy/modules/services/chronyd.fc	2010-02-16 14:58:22.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/chronyd.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/chronyd.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -1,3 +1,5 @@
 +/etc/chrony\.keys		--	gen_context(system_u:object_r:chronyd_keys_t,s0)
 +
  /etc/rc\.d/init\.d/chronyd	--	gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
  
  /usr/sbin/chronyd		--	gen_context(system_u:object_r:chronyd_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.7.9/policy/modules/services/chronyd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.7.15/policy/modules/services/chronyd.if
 --- nsaserefpolicy/policy/modules/services/chronyd.if	2010-02-16 14:58:22.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/chronyd.if	2010-02-16 15:09:12.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/chronyd.if	2010-03-18 10:44:43.000000000 -0400
 @@ -77,7 +77,7 @@
  	gen_require(`
  		type chronyd_t, chronyd_var_log_t;
@@ -14191,9 +13397,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
  	logging_search_logs($1)
  	admin_pattern($1, chronyd_var_log_t)
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.7.9/policy/modules/services/chronyd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.te serefpolicy-3.7.15/policy/modules/services/chronyd.te
 --- nsaserefpolicy/policy/modules/services/chronyd.te	2010-02-16 14:58:22.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/chronyd.te	2010-02-16 15:12:44.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/chronyd.te	2010-03-18 10:44:43.000000000 -0400
 @@ -13,6 +13,9 @@
  type chronyd_initrc_exec_t;
  init_script_file(chronyd_initrc_exec_t)
@@ -14242,9 +13448,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro
 +optional_policy(`
 +	gpsd_rw_shm(chronyd_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.9/policy/modules/services/clamav.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.15/policy/modules/services/clamav.te
 --- nsaserefpolicy/policy/modules/services/clamav.te	2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/clamav.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/clamav.te	2010-03-18 10:44:43.000000000 -0400
 @@ -57,6 +57,7 @@
  #
  
@@ -14268,18 +13474,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
  optional_policy(`
  	cron_system_entry(freshclam_t, freshclam_exec_t)
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.fc serefpolicy-3.7.9/policy/modules/services/clogd.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.fc serefpolicy-3.7.15/policy/modules/services/clogd.fc
 --- nsaserefpolicy/policy/modules/services/clogd.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/clogd.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/clogd.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -0,0 +1,4 @@
 +
 +/usr/sbin/clogd			--	gen_context(system_u:object_r:clogd_exec_t,s0)
 +
 +/var/run/clogd\.pid             --      gen_context(system_u:object_r:clogd_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.7.9/policy/modules/services/clogd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.if serefpolicy-3.7.15/policy/modules/services/clogd.if
 --- nsaserefpolicy/policy/modules/services/clogd.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/clogd.if	2010-02-16 15:08:37.000000000 -0500
-@@ -0,0 +1,98 @@
++++ serefpolicy-3.7.15/policy/modules/services/clogd.if	2010-03-18 10:44:43.000000000 -0400
+@@ -0,0 +1,82 @@
 +## <summary>clogd - clustered mirror log server</summary>
 +
 +######################################
@@ -14324,26 +13530,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clog
 +
 +#####################################
 +## <summary>
-+##      Manage clogd tmpfs files.
-+## </summary>
-+## <param name="domain">
-+##      <summary>
-+##      The type of the process performing this action.
-+##      </summary>
-+## </param>
-+#
-+interface(`clogd_manage_tmpfs_files',`
-+        gen_require(`
-+                type clogd_tmpfs_t;
-+        ')
-+
-+        fs_search_tmpfs($1)
-+        manage_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t)
-+        manage_lnk_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t)
-+')
-+
-+#####################################
-+## <summary>
 +##      Allow read and write access to clogd semaphores.
 +## </summary>
 +## <param name="domain">
@@ -14376,12 +13562,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clog
 +        ')
 +
 +        allow $1 clogd_t:shm { rw_shm_perms destroy };
++		allow $1 clogd_tmpfs_t:dir list_dir_perms;
++        rw_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t)
++        read_lnk_files_pattern($1, clogd_tmpfs_t, clogd_tmpfs_t)
++        fs_search_tmpfs($1)
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.te serefpolicy-3.7.9/policy/modules/services/clogd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.te serefpolicy-3.7.15/policy/modules/services/clogd.te
 --- nsaserefpolicy/policy/modules/services/clogd.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/clogd.te	2010-02-16 15:08:37.000000000 -0500
-@@ -0,0 +1,62 @@
++++ serefpolicy-3.7.15/policy/modules/services/clogd.te	2010-03-18 10:44:43.000000000 -0400
+@@ -0,0 +1,65 @@
 +
 +policy_module(clogd,1.0.0)
 +
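Review bot: The four rules added after `allow $1 clogd_t:shm { rw_shm_perms destroy };` reference `clogd_tmpfs_t`, but only the closing `')` of this interface's `gen_require` is in the hunk; the interface that demonstrably required that type, `clogd_manage_tmpfs_files` with its `type clogd_tmpfs_t;`, is removed in the previous hunk, so if the surviving interface lists only `clogd_t` its require should become `type clogd_t, clogd_tmpfs_t;` or the module will fail to link. The interface's `<summary>` is also outside the hunk and presumably describes shared-memory access only; it should now say that tmpfs directory listing, file read/write and symlink read are granted as well. The new `allow $1 clogd_tmpfs_t:dir list_dir_perms;` line is tab-indented while its neighbours use spaces. The interface's opening line is outside the hunk.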
@@ -14425,8 +13615,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clog
 +manage_sock_files_pattern(clogd_t, clogd_var_run_t, clogd_var_run_t)
 +files_pid_filetrans(clogd_t,clogd_var_run_t, { file })
 +
-+aisexec_stream_connect(clogd_t)
-+
 +dev_manage_generic_blk_files(clogd_t)
 +
 +storage_raw_read_fixed_disk(clogd_t)
@@ -14440,32 +13628,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clog
 +miscfiles_read_localization(clogd_t)
 +
 +optional_policy(`
-+        dev_read_lvm_control(clogd_t)
++	aisexec_stream_connect(clogd_t)
++	corosync_stream_connect(clogd_t)
 +')
 +
++optional_policy(`
++        dev_read_lvm_control(clogd_t)
++')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.fc serefpolicy-3.7.9/policy/modules/services/cobbler.fc
---- nsaserefpolicy/policy/modules/services/cobbler.fc	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/cobbler.fc	2010-02-16 15:08:37.000000000 -0500
-@@ -5,3 +5,5 @@
- 
- /var/lib/cobbler(/.*)?		gen_context(system_u:object_r:cobbler_var_lib_t, s0)
- /var/log/cobbler(/.*)?		gen_context(system_u:object_r:cobbler_var_log_t, s0)
 +
-+/var/lib/cobbler/webui_sessions(/.*)?	gen_context(system_u:object_r:httpd_cobbler_content_rw_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.7.9/policy/modules/services/cobbler.if
---- nsaserefpolicy/policy/modules/services/cobbler.if	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/cobbler.if	2010-02-16 15:08:37.000000000 -0500
-@@ -162,6 +162,7 @@
- 	gen_require(`
- 		type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
- 		type cobbler_etc_t;
-+		type httpd_cobbler_content_rw_t;
- 	')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.7.15/policy/modules/services/cobbler.if
+--- nsaserefpolicy/policy/modules/services/cobbler.if	2010-03-05 10:46:32.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/cobbler.if	2010-03-18 10:44:43.000000000 -0400
+@@ -173,9 +173,11 @@
+ 	files_list_var_lib($1)
+ 	admin_pattern($1, cobbler_var_lib_t)
  
- 	allow $1 cobblerd_t:process { ptrace signal_perms getattr };
-@@ -176,6 +177,8 @@
- 	files_search_var_log($1)
+-	files_search_var_log($1)
++	logging_search_logs($1)
  	admin_pattern($1, cobbler_var_log_t)
  
 +	admin_pattern($1, httpd_cobbler_content_rw_t)
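Review bot: `aisexec_stream_connect(clogd_t)` and `corosync_stream_connect(clogd_t)` are placed in a single `optional_policy` block, and an optional block is disabled whenever any module it requires is absent; if the two interfaces come from different modules (this page carries a separate corosync.if, aisexec is not shown), a system with only one of them loaded silently loses both rules. One block per module avoids that, as the separate `dev_read_lvm_control` block below already does. That lower block also keeps space indentation while the new lines above it use tabs. The rest of clogd.te is outside the hunk.
```m4
optional_policy(`
	aisexec_stream_connect(clogd_t)
')

optional_policy(`
	corosync_stream_connect(clogd_t)
')
# … unchanged: dev_read_lvm_control optional block …
```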
@@ -14473,9 +13653,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
  	cobblerd_initrc_domtrans($1)
  	domain_system_change_exemption($1)
  	role_transition $2 cobblerd_initrc_exec_t system_r;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.7.9/policy/modules/services/cobbler.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.7.15/policy/modules/services/cobbler.te
 --- nsaserefpolicy/policy/modules/services/cobbler.te	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/cobbler.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/cobbler.te	2010-03-18 10:44:43.000000000 -0400
 @@ -40,6 +40,7 @@
  allow cobblerd_t self:fifo_file rw_fifo_file_perms;
  allow cobblerd_t self:tcp_socket create_stream_socket_perms;
@@ -14506,9 +13686,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
 +apache_content_template(cobbler)
 +manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t,  httpd_cobbler_content_rw_t)
 +manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t,  httpd_cobbler_content_rw_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.7.9/policy/modules/services/consolekit.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.7.15/policy/modules/services/consolekit.fc
 --- nsaserefpolicy/policy/modules/services/consolekit.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/consolekit.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/consolekit.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -2,4 +2,5 @@
  
  /var/log/ConsoleKit(/.*)?		gen_context(system_u:object_r:consolekit_log_t,s0)
@@ -14516,9 +13696,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
 -/var/run/ConsoleKit(/.*)?	--	gen_context(system_u:object_r:consolekit_var_run_t,s0)
 +
 +/var/run/ConsoleKit(/.*)?		gen_context(system_u:object_r:consolekit_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.7.9/policy/modules/services/consolekit.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.7.15/policy/modules/services/consolekit.if
 --- nsaserefpolicy/policy/modules/services/consolekit.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/consolekit.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/consolekit.if	2010-03-18 10:44:43.000000000 -0400
 @@ -57,3 +57,42 @@
  	read_files_pattern($1, consolekit_log_t, consolekit_log_t)
  	files_search_pids($1)
@@ -14562,10 +13742,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
 +	read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.7.9/policy/modules/services/consolekit.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.7.15/policy/modules/services/consolekit.te
 --- nsaserefpolicy/policy/modules/services/consolekit.te	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/consolekit.te	2010-02-16 15:08:37.000000000 -0500
-@@ -21,7 +21,7 @@
++++ serefpolicy-3.7.15/policy/modules/services/consolekit.te	2010-03-18 10:44:43.000000000 -0400
+@@ -16,12 +16,15 @@
+ type consolekit_var_run_t;
+ files_pid_file(consolekit_var_run_t)
+ 
++type consolekit_tmpfs_t;
++files_tmpfs_file(consolekit_tmpfs_t)
++
+ ########################################
+ #
  # consolekit local policy
  #
  
@@ -14574,7 +13762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
  allow consolekit_t self:process { getsched signal };
  allow consolekit_t self:fifo_file rw_fifo_file_perms;
  allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
-@@ -59,28 +59,36 @@
+@@ -59,28 +62,36 @@
  term_use_all_terms(consolekit_t)
  
  auth_use_nsswitch(consolekit_t)
@@ -14615,7 +13803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
  ')
  
  optional_policy(`
-@@ -100,6 +108,7 @@
+@@ -100,19 +111,33 @@
  ')
  
  optional_policy(`
@@ -14623,11 +13811,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
  	policykit_domtrans_auth(consolekit_t)
  	policykit_read_lib(consolekit_t)
  	policykit_read_reload(consolekit_t)
-@@ -110,9 +119,17 @@
+ ')
+ 
+ optional_policy(`
++	shutdown_domtrans(consolekit_t)
++')
++
++optional_policy(`
+ 	xserver_read_xdm_pid(consolekit_t)
  	xserver_read_user_xauth(consolekit_t)
  	xserver_non_drawing_client(consolekit_t)
  	corenet_tcp_connect_xserver_port(consolekit_t)
 +	xserver_stream_connect(consolekit_t)
++	xserver_user_x_domain_template(consolekit, consolekit_t, consolekit_tmpfs_t)
 +')
 +
 +optional_policy(`
@@ -14641,10 +13837,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cons
 +	unconfined_ptrace(consolekit_t)
  	unconfined_stream_connect(consolekit_t)
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.7.9/policy/modules/services/corosync.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.fc serefpolicy-3.7.15/policy/modules/services/corosync.fc
 --- nsaserefpolicy/policy/modules/services/corosync.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/corosync.fc	2010-02-16 15:08:37.000000000 -0500
-@@ -0,0 +1,13 @@
++++ serefpolicy-3.7.15/policy/modules/services/corosync.fc	2010-03-18 10:44:43.000000000 -0400
+@@ -0,0 +1,14 @@
 +
 +/etc/rc\.d/init\.d/corosync     --      gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
 +
@@ -14656,11 +13852,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
 +
 +/var/log/cluster/corosync\.log  --      gen_context(system_u:object_r:corosync_var_log_t,s0)
 +
++/var/run/cman_.*                -s      gen_context(system_u:object_r:corosync_var_run_t,s0)
 +/var/run/corosync\.pid          --      gen_context(system_u:object_r:corosync_var_run_t,s0)
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.if serefpolicy-3.7.9/policy/modules/services/corosync.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.if serefpolicy-3.7.15/policy/modules/services/corosync.if
 --- nsaserefpolicy/policy/modules/services/corosync.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/corosync.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/corosync.if	2010-03-18 10:44:43.000000000 -0400
 @@ -0,0 +1,108 @@
 +## <summary>SELinux policy for Corosync Cluster Engine</summary>
 +
@@ -14770,10 +13967,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
 +')
 +
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.9/policy/modules/services/corosync.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.15/policy/modules/services/corosync.te
 --- nsaserefpolicy/policy/modules/services/corosync.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/corosync.te	2010-02-16 15:08:37.000000000 -0500
-@@ -0,0 +1,110 @@
++++ serefpolicy-3.7.15/policy/modules/services/corosync.te	2010-03-18 10:44:43.000000000 -0400
+@@ -0,0 +1,115 @@
 +
 +policy_module(corosync,1.0.0)
 +
@@ -14870,23 +14067,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro
 +
 +userdom_rw_user_tmpfs_files(corosync_t)
 +
-+# to communication with RHCS
-+dlm_controld_manage_tmpfs_files(corosync_t)
-+dlm_controld_rw_semaphores(corosync_t)
++optional_policy(`
++	ccs_read_config(corosync_t)
++')
 +
-+fenced_manage_tmpfs_files(corosync_t)
-+fenced_rw_semaphores(corosync_t)
++optional_policy(`
++	# to communication with RHCS
++	dlm_controld_manage_tmpfs_files(corosync_t)
++	dlm_controld_rw_semaphores(corosync_t)
 +
-+gfs_controld_manage_tmpfs_files(corosync_t)
-+gfs_controld_rw_semaphores(corosync_t)
++	fenced_manage_tmpfs_files(corosync_t)
++	fenced_rw_semaphores(corosync_t)
 +
-+optional_policy(`
-+        ccs_read_config(corosync_t)
++	gfs_controld_manage_tmpfs_files(corosync_t)
++	gfs_controld_rw_semaphores(corosync_t)
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.7.9/policy/modules/services/cron.fc
++optional_policy(`
++	rgmanager_manage_tmpfs_files(corosync_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.7.15/policy/modules/services/cron.fc
 --- nsaserefpolicy/policy/modules/services/cron.fc	2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/cron.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/cron.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -14,7 +14,7 @@
  /var/run/anacron\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
  /var/run/atd\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
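Review bot: The `dlm_controld_*`, `fenced_*` and `gfs_controld_*` calls are grouped in one `optional_policy` block while `rgmanager_manage_tmpfs_files(corosync_t)` gets its own; that grouping is only safe if the first three interfaces are provided by the same module, because an optional block is dropped whenever any module it requires is missing. If they do share a module, a short comment saying so would prevent a later split-or-merge debate; otherwise split them per module as done for rgmanager. The relocated comment `# to communication with RHCS` reads better as `# to communicate with RHCS`. corosync.te continues outside the hunk.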
@@ -14904,9 +14106,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 +/var/lib/glpi/files(/.*)?		gen_context(system_u:object_r:cron_var_lib_t,s0)
 +
 +/var/log/mcelog.*		--	gen_context(system_u:object_r:cron_log_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.7.9/policy/modules/services/cron.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.7.15/policy/modules/services/cron.if
 --- nsaserefpolicy/policy/modules/services/cron.if	2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/cron.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/cron.if	2010-03-18 10:44:43.000000000 -0400
 @@ -12,6 +12,10 @@
  ## </param>
  #
@@ -15057,9 +14259,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 +
 +	manage_files_pattern($1, system_cronjob_var_lib_t,  system_cronjob_var_lib_t)
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.9/policy/modules/services/cron.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.15/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/cron.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/cron.te	2010-03-18 10:44:43.000000000 -0400
 @@ -38,8 +38,10 @@
  type cron_var_lib_t;
  files_type(cron_var_lib_t)
@@ -15100,21 +14302,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  
  type system_cronjob_lock_t alias system_crond_lock_t;
  files_lock_file(system_cronjob_lock_t)
-@@ -110,6 +117,13 @@
+@@ -109,6 +116,14 @@
+ typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
  files_type(user_cron_spool_t)
  ubac_constrained(user_cron_spool_t)
- 
++mta_system_content(user_cron_spool_t)
++
 +type system_cronjob_var_lib_t;
 +files_type(system_cronjob_var_lib_t)
 +typealias system_cronjob_var_lib_t alias system_crond_var_lib_t;
 +
 +type system_cronjob_var_run_t;
 +files_pid_file(system_cronjob_var_run_t)
-+
+ 
  ########################################
  #
- # Admin crontab local policy
-@@ -139,7 +153,7 @@
+@@ -139,7 +154,7 @@
  
  allow crond_t self:capability { dac_override setgid setuid sys_nice dac_read_search };
  dontaudit crond_t self:capability { sys_resource sys_tty_config };
@@ -15123,7 +14326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  allow crond_t self:process { setexec setfscreate };
  allow crond_t self:fd use;
  allow crond_t self:fifo_file rw_fifo_file_perms;
-@@ -194,6 +208,8 @@
+@@ -194,6 +209,8 @@
  corecmd_read_bin_symlinks(crond_t)
  
  domain_use_interactive_fds(crond_t)
@@ -15132,7 +14335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  
  files_read_usr_files(crond_t)
  files_read_etc_runtime_files(crond_t)
-@@ -209,7 +225,9 @@
+@@ -209,7 +226,9 @@
  
  auth_use_nsswitch(crond_t)
  
@@ -15142,7 +14345,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  
  seutil_read_config(crond_t)
  seutil_read_default_contexts(crond_t)
-@@ -220,8 +238,10 @@
+@@ -220,8 +239,10 @@
  userdom_use_unpriv_users_fds(crond_t)
  # Not sure why this is needed
  userdom_list_user_home_dirs(crond_t)
@@ -15153,7 +14356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  
  ifdef(`distro_debian',`
  	# pam_limits is used
-@@ -241,8 +261,17 @@
+@@ -241,8 +262,17 @@
  	')
  ')
  
@@ -15173,7 +14376,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  ')
  
  optional_policy(`
-@@ -251,6 +280,20 @@
+@@ -251,6 +281,20 @@
  ')
  
  optional_policy(`
@@ -15194,7 +14397,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  	amanda_search_var_lib(crond_t)
  ')
  
-@@ -260,6 +303,8 @@
+@@ -260,6 +304,8 @@
  
  optional_policy(`
  	hal_dbus_chat(crond_t)
@@ -15203,7 +14406,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  ')
  
  optional_policy(`
-@@ -302,10 +347,17 @@
+@@ -302,10 +348,17 @@
  
  # This is to handle /var/lib/misc directory.  Used currently
  # by prelink var/lib files for cron 
@@ -15222,7 +14425,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  # The entrypoint interface is not used as this is not
  # a regular entrypoint.  Since crontab files are
  # not directly executed, crond must ensure that
-@@ -325,6 +377,7 @@
+@@ -325,6 +378,7 @@
  allow system_cronjob_t crond_t:fd use;
  allow system_cronjob_t crond_t:fifo_file rw_file_perms;
  allow system_cronjob_t crond_t:process sigchld;
@@ -15230,7 +14433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  
  # Write /var/lock/makewhatis.lock.
  allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
-@@ -336,9 +389,13 @@
+@@ -336,9 +390,13 @@
  filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
  files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
  
@@ -15245,7 +14448,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  
  kernel_read_kernel_sysctls(system_cronjob_t)
  kernel_read_system_state(system_cronjob_t)
-@@ -361,6 +418,7 @@
+@@ -361,6 +419,7 @@
  dev_getattr_all_blk_files(system_cronjob_t)
  dev_getattr_all_chr_files(system_cronjob_t)
  dev_read_urand(system_cronjob_t)
@@ -15253,7 +14456,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  
  fs_getattr_all_fs(system_cronjob_t)
  fs_getattr_all_files(system_cronjob_t)
-@@ -387,6 +445,7 @@
+@@ -387,6 +446,7 @@
  # Access other spool directories like
  # /var/spool/anacron and /var/spool/slrnpull.
  files_manage_generic_spool(system_cronjob_t)
@@ -15261,7 +14464,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  
  init_use_script_fds(system_cronjob_t)
  init_read_utmp(system_cronjob_t)
-@@ -411,6 +470,8 @@
+@@ -411,6 +471,8 @@
  
  ifdef(`distro_redhat', `
  	# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
@@ -15270,7 +14473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  	# via redirection of standard out.
  	optional_policy(`
  		rpm_manage_log(system_cronjob_t)
-@@ -435,6 +496,7 @@
+@@ -435,6 +497,7 @@
  	apache_read_config(system_cronjob_t)
  	apache_read_log(system_cronjob_t)
  	apache_read_sys_content(system_cronjob_t)
@@ -15278,7 +14481,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  ')
  
  optional_policy(`
-@@ -442,6 +504,14 @@
+@@ -442,6 +505,14 @@
  ')
  
  optional_policy(`
@@ -15293,7 +14496,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  	ftp_read_log(system_cronjob_t)
  ')
  
-@@ -456,11 +526,16 @@
+@@ -456,11 +527,16 @@
  ')
  
  optional_policy(`
@@ -15310,7 +14513,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  ')
  
  optional_policy(`
-@@ -476,7 +551,7 @@
+@@ -476,7 +552,7 @@
  	prelink_manage_lib(system_cronjob_t)
  	prelink_manage_log(system_cronjob_t)
  	prelink_read_cache(system_cronjob_t)
@@ -15319,7 +14522,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  ')
  
  optional_policy(`
-@@ -491,6 +566,7 @@
+@@ -491,6 +567,7 @@
  
  optional_policy(`
  	spamassassin_manage_lib_files(system_cronjob_t)
@@ -15327,7 +14530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  ')
  
  optional_policy(`
-@@ -498,6 +574,9 @@
+@@ -498,6 +575,9 @@
  ')
  
  optional_policy(`
@@ -15337,9 +14540,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  	unconfined_domain(system_cronjob_t)
  	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.9/policy/modules/services/cups.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.15/policy/modules/services/cups.fc
 --- nsaserefpolicy/policy/modules/services/cups.fc	2009-07-28 15:51:13.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/cups.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/cups.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -13,10 +13,14 @@
  /etc/cups/certs/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /etc/rc\.d/init\.d/cups	--	gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
@@ -15386,9 +14589,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 +/usr/local/Printer/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
 +
 +/usr/local/linuxprinter/ppd(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.9/policy/modules/services/cups.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.15/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/cups.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/cups.te	2010-03-18 10:44:43.000000000 -0400
 @@ -23,6 +23,9 @@
  type cupsd_initrc_exec_t;
  init_script_file(cupsd_initrc_exec_t)
@@ -15601,7 +14804,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  kernel_read_system_state(cups_pdf_t)
  
  files_read_etc_files(cups_pdf_t)
-@@ -556,11 +598,15 @@
+@@ -556,13 +598,18 @@
  miscfiles_read_fonts(cups_pdf_t)
  
  userdom_home_filetrans_user_home_dir(cups_pdf_t)
@@ -15616,8 +14819,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 +')
  
  tunable_policy(`use_nfs_home_dirs',`
++	fs_search_auto_mountpoints(cups_pdf_t)
  	fs_manage_nfs_dirs(cups_pdf_t)
-@@ -601,6 +647,9 @@
+ 	fs_manage_nfs_files(cups_pdf_t)
+ ')
+@@ -601,6 +648,9 @@
  read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
  files_search_etc(hplip_t)
  
@@ -15627,7 +14833,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
  files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file )
  
-@@ -627,6 +676,7 @@
+@@ -627,6 +677,7 @@
  corenet_tcp_connect_ipp_port(hplip_t)
  corenet_sendrecv_hplip_client_packets(hplip_t)
  corenet_receive_hplip_server_packets(hplip_t)
@@ -15635,18 +14841,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
  
  dev_read_sysfs(hplip_t)
  dev_rw_printer(hplip_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.7.9/policy/modules/services/cvs.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.7.15/policy/modules/services/cvs.te
 --- nsaserefpolicy/policy/modules/services/cvs.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/cvs.te	2010-02-16 15:08:37.000000000 -0500
-@@ -112,4 +112,5 @@
++++ serefpolicy-3.7.15/policy/modules/services/cvs.te	2010-03-18 10:44:43.000000000 -0400
+@@ -93,6 +93,7 @@
+ auth_can_read_shadow_passwords(cvs_t)
+ tunable_policy(`allow_cvs_read_shadow',`
+ 	auth_tunable_read_shadow(cvs_t)
++	allow cvs_t self:capability dac_override;
+ ')
+ 
+ optional_policy(`
+@@ -112,4 +113,5 @@
  	read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
  	manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
  	manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
 +	files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.7.9/policy/modules/services/cyrus.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-3.7.15/policy/modules/services/cyrus.te
 --- nsaserefpolicy/policy/modules/services/cyrus.te	2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/cyrus.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/cyrus.te	2010-03-18 10:44:43.000000000 -0400
 @@ -75,6 +75,7 @@
  corenet_tcp_bind_mail_port(cyrus_t)
  corenet_tcp_bind_lmtp_port(cyrus_t)
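Review bot: The new `allow cvs_t self:capability dac_override;` inside the `allow_cvs_read_shadow` tunable block has no comment, and `dac_override` is not shadow-specific: it bypasses discretionary permission checks on every file cvs_t is otherwise allowed to reach, so the boolean now grants more than its name suggests. A comment above the rule naming the access that fails without it would make that trade-off visible, e.g. `# DAC bypass so the root-only shadow file can be read when the boolean is on`, and the boolean's description should mention the added capability. The rest of cvs.te, including the tunable's declaration, is outside the hunk.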
@@ -15663,9 +14877,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru
  	snmp_read_snmp_var_lib_files(cyrus_t)
  	snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
  	snmp_stream_connect(cyrus_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.7.9/policy/modules/services/dbus.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.7.15/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/dbus.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/dbus.if	2010-03-18 10:44:43.000000000 -0400
 @@ -42,8 +42,10 @@
  	gen_require(`
  		class dbus { send_msg acquire_svc };
@@ -15756,13 +14970,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
  ##	for service (acquire_svc).
  ## </summary>
  ## <param name="domain">
-@@ -364,6 +372,18 @@
+@@ -364,6 +372,19 @@
  	dbus_system_bus_client($1)
  	dbus_connect_system_bus($1)
  
 +	ps_process_pattern(system_dbusd_t, $1)
 +
 +	userdom_dontaudit_search_admin_dir($1)
++	userdom_read_all_users_state($1)
 +
 +	optional_policy(`
 +		rpm_script_dbus_chat($1)
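Review bot: `userdom_read_all_users_state($1)` is added to an interface whose `$1` is any caller domain, so every domain registered through it as a system bus client now gets read access to the process state of all user domains, not only the one domain that presumably produced the denial. If a single service needs it, the rule belongs in that service's .te; if every system bus service genuinely needs it, a comment above the line stating that would document the widening. The interface body begins before this hunk and continues after it.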
@@ -15775,7 +14990,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
  	ifdef(`hide_broken_symptoms', `
  		dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
  	')
-@@ -405,3 +425,24 @@
+@@ -405,3 +426,24 @@
  
  	typeattribute $1 dbusd_unconfined;
  ')
@@ -15800,9 +15015,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 +	manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.7.9/policy/modules/services/dbus.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.7.15/policy/modules/services/dbus.te
 --- nsaserefpolicy/policy/modules/services/dbus.te	2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/dbus.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/dbus.te	2010-03-18 10:44:43.000000000 -0400
 @@ -86,6 +86,7 @@
  dev_read_sysfs(system_dbusd_t)
  
@@ -15861,9 +15076,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
 +	xserver_rw_xdm_pipes(session_bus_type)
 +	xserver_append_xdm_home_files(session_bus_type)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.fc serefpolicy-3.7.9/policy/modules/services/denyhosts.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.7.15/policy/modules/services/dcc.te
+--- nsaserefpolicy/policy/modules/services/dcc.te	2010-01-07 14:53:53.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/dcc.te	2010-03-18 10:44:43.000000000 -0400
+@@ -81,7 +81,7 @@
+ # dcc daemon controller local policy
+ #
+ 
+-allow cdcc_t self:capability setuid;
++allow cdcc_t self:capability { setuid setgid };
+ allow cdcc_t self:unix_dgram_socket create_socket_perms;
+ allow cdcc_t self:udp_socket create_socket_perms;
+ 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.fc serefpolicy-3.7.15/policy/modules/services/denyhosts.fc
 --- nsaserefpolicy/policy/modules/services/denyhosts.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/denyhosts.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/denyhosts.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -0,0 +1,7 @@
 +/etc/rc\.d/init\.d/denyhosts		--		gen_context(system_u:object_r:denyhosts_initrc_exec_t, s0)
 +
@@ -15872,9 +15099,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
 +/var/lib/denyhosts(/.*)?					gen_context(system_u:object_r:denyhosts_var_lib_t, s0)
 +/var/lock/subsys/denyhosts			--		gen_context(system_u:object_r:denyhosts_var_lock_t, s0)
 +/var/log/denyhosts(/.*)?					gen_context(system_u:object_r:denyhosts_var_log_t, s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.if serefpolicy-3.7.9/policy/modules/services/denyhosts.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.if serefpolicy-3.7.15/policy/modules/services/denyhosts.if
 --- nsaserefpolicy/policy/modules/services/denyhosts.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/denyhosts.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/denyhosts.if	2010-03-18 10:44:43.000000000 -0400
 @@ -0,0 +1,90 @@
 +## <summary>Deny Hosts.</summary>
 +## <desc>
@@ -15966,9 +15193,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
 +	ps_process_pattern($1, denyhosts_t)
 +	read_lnk_files_pattern($1, denyhosts_t, denyhosts_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.7.9/policy/modules/services/denyhosts.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.7.15/policy/modules/services/denyhosts.te
 --- nsaserefpolicy/policy/modules/services/denyhosts.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/denyhosts.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/denyhosts.te	2010-03-18 10:44:43.000000000 -0400
 @@ -0,0 +1,72 @@
 +
 +policy_module(denyhosts, 1.0.0) 
@@ -16042,9 +15269,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
 +optional_policy(`
 +	cron_system_entry(denyhosts_t, denyhosts_exec_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.7.9/policy/modules/services/devicekit.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.fc serefpolicy-3.7.15/policy/modules/services/devicekit.fc
 --- nsaserefpolicy/policy/modules/services/devicekit.fc	2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/devicekit.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/devicekit.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -1,8 +1,12 @@
  /usr/libexec/devkit-daemon	--	gen_context(system_u:object_r:devicekit_exec_t,s0)
  /usr/libexec/devkit-disks-daemon --	gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
@@ -16056,11 +15283,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
 +/var/lib/udisks(/.*)?			gen_context(system_u:object_r:devicekit_var_lib_t,s0)
  
  /var/run/devkit(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
- /var/run/DeviceKit-disk(/.*)?		gen_context(system_u:object_r:devicekit_var_run_t,s0)
+-/var/run/DeviceKit-disk(/.*)?		gen_context(system_u:object_r:devicekit_var_run_t,s0)
++/var/run/DeviceKit-disks(/.*)?		gen_context(system_u:object_r:devicekit_var_run_t,s0)
 +/var/run/udisks(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.7.9/policy/modules/services/devicekit.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.7.15/policy/modules/services/devicekit.if
 --- nsaserefpolicy/policy/modules/services/devicekit.if	2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/devicekit.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/devicekit.if	2010-03-18 10:44:43.000000000 -0400
 @@ -139,6 +139,26 @@
  
  ########################################
@@ -16088,9 +15316,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
  ##	All of the rules required to administrate 
  ##	an devicekit environment
  ## </summary>
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.9/policy/modules/services/devicekit.te
+@@ -162,7 +182,7 @@
+ interface(`devicekit_admin',`
+ 	gen_require(`
+ 		type devicekit_t, devicekit_disk_t, devicekit_power_t;
+-		type devicekit_var_run_t;
++		type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
+ 	')
+ 
+ 	allow $1 devicekit_t:process { ptrace signal_perms getattr };
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.15/policy/modules/services/devicekit.te
 --- nsaserefpolicy/policy/modules/services/devicekit.te	2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/devicekit.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/devicekit.te	2010-03-18 10:44:43.000000000 -0400
 @@ -42,6 +42,8 @@
  
  files_read_etc_files(devicekit_t)
@@ -16112,7 +15349,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
  
  manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
  manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t)
-@@ -71,29 +75,58 @@
+@@ -71,29 +75,62 @@
  manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
  files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
  
@@ -16150,6 +15387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
 +files_getattr_all_sockets(devicekit_disk_t)
 +files_getattr_all_mountpoints(devicekit_disk_t)
 +files_getattr_all_files(devicekit_disk_t)
++files_manage_boot_dirs(devicekit_disk_t)
 +files_manage_isid_type_dirs(devicekit_disk_t)
  files_manage_mnt_dirs(devicekit_disk_t)
  files_read_etc_files(devicekit_disk_t)
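Review bot: `files_manage_boot_dirs(devicekit_disk_t)` lets the disk daemon create, delete and rename directories under /boot, which is a much stronger grant than the getattr-only `files_getattr_all_*` rules it sits between. If the use case is mounting a filesystem on /boot, a mounton-style interface (if the files module provides one) would be narrower; otherwise a comment above the line naming the operation that needs it would make the grant reviewable. The devicekit_disk_t rule block continues outside this hunk.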
@@ -16168,12 +15406,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
  storage_raw_read_removable_device(devicekit_disk_t)
  storage_raw_write_removable_device(devicekit_disk_t)
  
++mls_file_read_all_levels(devicekit_disk_t)
++mls_file_write_to_clearance(devicekit_disk_t)
++
 +term_use_all_terms(devicekit_disk_t)
 +
  auth_use_nsswitch(devicekit_disk_t)
  
  miscfiles_read_localization(devicekit_disk_t)
-@@ -102,6 +135,16 @@
+@@ -102,6 +139,16 @@
  userdom_search_user_home_dirs(devicekit_disk_t)
  
  optional_policy(`
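Review bot: `mls_file_read_all_levels(devicekit_disk_t)` and `mls_file_write_to_clearance(devicekit_disk_t)` make the disk daemon an MLS-trusted subject that can read files at any sensitivity level and write up to its clearance; on MLS-enabled builds that is a significant widening for a daemon that also handles removable media. Neither line carries a reason, so a comment above the pair (placeholder: `# <why udisks must cross MLS levels>`) would record the decision. The rest of the hunk is hunk-header renumbering, and the devicekit_disk_t block continues outside it.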
@@ -16190,15 +15431,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
  	fstools_domtrans(devicekit_disk_t)
  ')
  
-@@ -110,6 +153,7 @@
+@@ -110,28 +157,27 @@
  ')
  
  optional_policy(`
++	mount_domtrans(devicekit_disk_t)
++')
++
++optional_policy(`
 +	policykit_dbus_chat(devicekit_disk_t)
  	policykit_domtrans_auth(devicekit_disk_t)
  	policykit_read_lib(devicekit_disk_t)
  	policykit_read_reload(devicekit_disk_t)
-@@ -120,18 +164,12 @@
+ ')
+ 
+ optional_policy(`
+-	mount_domtrans(devicekit_disk_t)
++	raid_domtrans_mdadm(devicekit_disk_t)
  ')
  
  optional_policy(`
@@ -16220,7 +15469,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
  ')
  
  ########################################
-@@ -139,9 +177,11 @@
+@@ -139,9 +185,11 @@
  # DeviceKit-Power local policy
  #
  
@@ -16233,15 +15482,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
  
  manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
  manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
-@@ -151,6 +191,7 @@
+@@ -151,6 +199,8 @@
  kernel_read_system_state(devicekit_power_t)
  kernel_rw_hotplug_sysctls(devicekit_power_t)
  kernel_rw_kernel_sysctl(devicekit_power_t)
++kernel_search_debugfs(devicekit_power_t)
 +kernel_write_proc_files(devicekit_power_t)
  
  corecmd_exec_bin(devicekit_power_t)
  corecmd_exec_shell(devicekit_power_t)
-@@ -159,7 +200,9 @@
+@@ -159,7 +209,9 @@
  
  domain_read_all_domains_state(devicekit_power_t)
  
@@ -16251,7 +15501,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
  dev_rw_netcontrol(devicekit_power_t)
  dev_rw_sysfs(devicekit_power_t)
  
-@@ -167,12 +210,16 @@
+@@ -167,12 +219,17 @@
  files_read_etc_files(devicekit_power_t)
  files_read_usr_files(devicekit_power_t)
  
@@ -16264,11 +15514,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
  miscfiles_read_localization(devicekit_power_t)
  
 +sysnet_read_config(devicekit_power_t)
++sysnet_domtrans_ifconfig(devicekit_power_t)
 +
  userdom_read_all_users_state(devicekit_power_t)
  
  optional_policy(`
-@@ -180,6 +227,10 @@
+@@ -180,6 +237,10 @@
  ')
  
  optional_policy(`
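Review bot: `sysnet_domtrans_ifconfig(devicekit_power_t)` lets the power daemon run the interface-configuration tools in their own domain, i.e. reconfigure network interfaces, and nothing on the page says which power event needs that. A comment above the line naming the trigger (placeholder: `# upower runs ifconfig when <event>`) would make the grant reviewable rather than a bare transition. The devicekit_power_t block continues outside this hunk.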
@@ -16279,7 +15530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
  	dbus_system_bus_client(devicekit_power_t)
  
  	allow devicekit_power_t devicekit_t:dbus send_msg;
-@@ -203,17 +254,23 @@
+@@ -203,17 +264,23 @@
  
  optional_policy(`
  	hal_domtrans_mac(devicekit_power_t)
@@ -16303,9 +15554,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi
 +optional_policy(`
  	vbetool_domtrans(devicekit_power_t)
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.if serefpolicy-3.7.9/policy/modules/services/djbdns.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.7.15/policy/modules/services/dhcp.te
+--- nsaserefpolicy/policy/modules/services/dhcp.te	2010-02-12 10:33:09.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/dhcp.te	2010-03-18 10:44:43.000000000 -0400
+@@ -112,6 +112,10 @@
+ ')
+ 
+ optional_policy(`
++	cobbler_dontaudit_rw_log(dhcpd_t)
++')
++
++optional_policy(`
+ 	dbus_system_bus_client(dhcpd_t)
+ 	dbus_connect_system_bus(dhcpd_t)
+ ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.if serefpolicy-3.7.15/policy/modules/services/djbdns.if
 --- nsaserefpolicy/policy/modules/services/djbdns.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/djbdns.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/djbdns.if	2010-03-18 10:44:43.000000000 -0400
 @@ -26,6 +26,8 @@
  	daemontools_read_svc(djbdns_$1_t)
  
@@ -16355,9 +15620,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbd
 +
 +    allow $1 djbdns_tinydn_t:key link;
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.te serefpolicy-3.7.9/policy/modules/services/djbdns.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbdns.te serefpolicy-3.7.15/policy/modules/services/djbdns.te
 --- nsaserefpolicy/policy/modules/services/djbdns.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/djbdns.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/djbdns.te	2010-03-18 10:44:43.000000000 -0400
 @@ -42,3 +42,11 @@
  files_search_var(djbdns_axfrdns_t)
  
@@ -16370,9 +15635,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/djbd
 +
 +init_dontaudit_use_script_fds(djbdns_tinydns_t)
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.7.9/policy/modules/services/dnsmasq.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.fc serefpolicy-3.7.15/policy/modules/services/dnsmasq.fc
 --- nsaserefpolicy/policy/modules/services/dnsmasq.fc	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/dnsmasq.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/dnsmasq.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -6,5 +6,7 @@
  /var/lib/misc/dnsmasq\.leases	--	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
  /var/lib/dnsmasq(/.*)?			gen_context(system_u:object_r:dnsmasq_lease_t,s0)
@@ -16381,9 +15646,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
 +
  /var/run/dnsmasq\.pid		--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
  /var/run/libvirt/network(/.*)?		gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.7.9/policy/modules/services/dnsmasq.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.7.15/policy/modules/services/dnsmasq.if
 --- nsaserefpolicy/policy/modules/services/dnsmasq.if	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/dnsmasq.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/dnsmasq.if	2010-03-18 10:44:43.000000000 -0400
 @@ -111,7 +111,7 @@
  		type dnsmasq_etc_t;
  	')
@@ -16402,9 +15667,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
  	files_search_etc($1)
  ')
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.7.9/policy/modules/services/dnsmasq.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.7.15/policy/modules/services/dnsmasq.te
 --- nsaserefpolicy/policy/modules/services/dnsmasq.te	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/dnsmasq.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/dnsmasq.te	2010-03-18 10:44:43.000000000 -0400
 @@ -19,6 +19,9 @@
  type dnsmasq_lease_t;
  files_type(dnsmasq_lease_t)
@@ -16460,9 +15725,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm
  	seutil_sigchld_newrole(dnsmasq_t)
  ')
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.7.9/policy/modules/services/dovecot.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.7.15/policy/modules/services/dovecot.fc
 --- nsaserefpolicy/policy/modules/services/dovecot.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/dovecot.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/dovecot.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -34,6 +34,7 @@
  
  /var/lib/dovecot(/.*)?			gen_context(system_u:object_r:dovecot_var_lib_t,s0)
@@ -16471,9 +15736,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
  /var/log/dovecot\.log.*			gen_context(system_u:object_r:dovecot_var_log_t,s0)
  
  /var/spool/dovecot(/.*)?		gen_context(system_u:object_r:dovecot_spool_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.9/policy/modules/services/dovecot.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.15/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te	2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/dovecot.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/dovecot.te	2010-03-18 10:44:43.000000000 -0400
 @@ -73,14 +73,21 @@
  
  can_exec(dovecot_t, dovecot_exec_t)
@@ -16536,18 +15801,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
  allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
  manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
  dovecot_stream_connect_auth(dovecot_auth_t)
-@@ -197,8 +205,9 @@
+@@ -197,8 +205,8 @@
  files_search_pids(dovecot_auth_t)
  files_read_usr_files(dovecot_auth_t)
  files_read_usr_symlinks(dovecot_auth_t)
 +files_read_var_lib_files(dovecot_auth_t)
  files_search_tmp(dovecot_auth_t)
 -files_read_var_lib_files(dovecot_t)
-+files_search_var_log(dovecot_auth_t)
  
  init_rw_utmp(dovecot_auth_t)
  
-@@ -225,6 +234,7 @@
+@@ -225,6 +233,7 @@
  ')
  
  optional_policy(`
@@ -16555,7 +15819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
  	postfix_search_spool(dovecot_auth_t)
  ')
  
-@@ -234,6 +244,8 @@
+@@ -234,6 +243,8 @@
  #
  allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
  
@@ -16564,6 +15828,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
  allow dovecot_deliver_t dovecot_etc_t:file read_file_perms;
  allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
  
+@@ -246,6 +257,7 @@
+ auth_use_nsswitch(dovecot_deliver_t)
+ 
+ logging_send_syslog_msg(dovecot_deliver_t)
++logging_search_logs(dovecot_auth_t)
+ 
+ miscfiles_read_localization(dovecot_deliver_t)
+ 
 @@ -263,11 +275,19 @@
  userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
  
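Review bot: `logging_search_logs(dovecot_auth_t)` is inserted into the dovecot_deliver_t local policy section — its neighbours are `logging_send_syslog_msg(dovecot_deliver_t)` and `miscfiles_read_localization(dovecot_deliver_t)` — so the rule lives in the wrong block for the domain it grants. It appears to replace the `files_search_var_log(dovecot_auth_t)` line removed from the dovecot_auth_t section in the preceding hunk, so it should move next to the other `files_*(dovecot_auth_t)` rules there to keep the per-domain grouping intact. The resulting policy is the same either way; this is placement only.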
@@ -16584,49 +15856,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove
  	fs_manage_cifs_files(dovecot_t)
  	fs_manage_cifs_symlinks(dovecot_t)
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.7.9/policy/modules/services/exim.te
---- nsaserefpolicy/policy/modules/services/exim.te	2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/exim.te	2010-02-16 15:08:37.000000000 -0500
-@@ -192,6 +192,10 @@
- ')
- 
- optional_policy(`
-+	sendmail_manage_tmp_files(exim_t)
-+')
-+
-+optional_policy(`
- 	spamassassin_exec(exim_t)
- 	spamassassin_exec_client(exim_t)
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.7.9/policy/modules/services/fail2ban.if
---- nsaserefpolicy/policy/modules/services/fail2ban.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/fail2ban.if	2010-02-16 15:08:37.000000000 -0500
-@@ -98,6 +98,46 @@
- 	allow $1 fail2ban_var_run_t:file read_file_perms;
- ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.7.15/policy/modules/services/fail2ban.if
+--- nsaserefpolicy/policy/modules/services/fail2ban.if	2010-03-18 06:48:09.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/services/fail2ban.if	2010-03-18 10:44:43.000000000 -0400
+@@ -138,6 +138,26 @@
  
-+#####################################
-+## <summary>
-+##      Connect to fail2ban over a unix domain
-+##      stream socket.
-+## </summary>
-+## <param name="domain">
-+##      <summary>
-+##      Domain allowed access.
-+##      </summary>
-+## </param>
-+#
-+interface(`fail2ban_stream_connect',`
-+        gen_require(`
-+                type fail2ban_t, fail2ban_var_run_t;
-+        ')
-+
-+        files_search_pids($1)
-+        stream_connect_pattern($1, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
-+')
-+
-+########################################
-+## <summary>
+ ########################################
+ ## <summary>
 +##	dontaudit read and write an leaked file descriptors
 +## </summary>
 +## <param name="domain">
@@ -16645,45 +15881,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail
 +	dontaudit $1 fail2ban_t:unix_stream_socket { read write };
 +')
 +
- ########################################
- ## <summary>
- ##	All of the rules required to administrate 
-@@ -135,3 +175,21 @@
- 	files_list_pids($1)
- 	admin_pattern($1, fail2ban_var_run_t)
- ')
-+
 +########################################
 +## <summary>
-+##	Read and write to an fail2ban unix stream socket.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`fail2ban_rw_stream_sockets',`
-+	gen_require(`
-+		type fail2ban_t;
-+	')
-+
-+	allow $1 fail2ban_t:unix_stream_socket { getattr read write ioctl };
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.7.9/policy/modules/services/fetchmail.te
---- nsaserefpolicy/policy/modules/services/fetchmail.te	2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/fetchmail.te	2010-02-16 15:08:37.000000000 -0500
-@@ -48,6 +48,7 @@
- kernel_dontaudit_read_system_state(fetchmail_t)
- 
- corecmd_exec_shell(fetchmail_t)
-+corecmd_exec_bin(fetchmail_t)
- 
- corenet_all_recvfrom_unlabeled(fetchmail_t)
- corenet_all_recvfrom_netlabel(fetchmail_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.7.9/policy/modules/services/fprintd.te
+ ##	All of the rules required to administrate 
+ ##	an fail2ban environment
+ ## </summary>
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.7.15/policy/modules/services/fprintd.te
 --- nsaserefpolicy/policy/modules/services/fprintd.te	2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/fprintd.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/fprintd.te	2010-03-18 10:44:43.000000000 -0400
 @@ -55,4 +55,6 @@
  	policykit_read_lib(fprintd_t)
  	policykit_dbus_chat(fprintd_t)
@@ -16691,9 +15896,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fpri
 +	policykit_dbus_chat_auth(fprintd_t)
  ')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.fc serefpolicy-3.7.9/policy/modules/services/ftp.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.fc serefpolicy-3.7.15/policy/modules/services/ftp.fc
 --- nsaserefpolicy/policy/modules/services/ftp.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/ftp.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/ftp.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -22,7 +22,7 @@
  #
  # /var
@@ -16703,9 +15908,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
  
  /var/log/muddleftpd\.log.* --	gen_context(system_u:object_r:xferlog_t,s0)
  /var/log/proftpd(/.*)?		gen_context(system_u:object_r:xferlog_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.7.9/policy/modules/services/ftp.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.7.15/policy/modules/services/ftp.if
 --- nsaserefpolicy/policy/modules/services/ftp.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/ftp.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/ftp.if	2010-03-18 10:44:43.000000000 -0400
 @@ -115,6 +115,44 @@
  	role $2 types ftpdctl_t;
  ')
@@ -16751,9 +15956,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
  ########################################
  ## <summary>
  ##	All of the rules required to administrate 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.7.9/policy/modules/services/ftp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.7.15/policy/modules/services/ftp.te
 --- nsaserefpolicy/policy/modules/services/ftp.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/ftp.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/ftp.te	2010-03-18 10:44:43.000000000 -0400
 @@ -41,11 +41,51 @@
  
  ## <desc>
@@ -17002,9 +16207,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.
 +	fs_read_nfs_files(sftpd_t)
 +	fs_read_nfs_symlinks(ftpd_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.7.9/policy/modules/services/git.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.7.15/policy/modules/services/git.fc
 --- nsaserefpolicy/policy/modules/services/git.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/git.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/git.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -1,3 +1,16 @@
 -/var/cache/cgit(/.*)?		gen_context(system_u:object_r:httpd_git_script_rw_t,s0)
 -/var/lib/git(/.*)?		gen_context(system_u:object_r:httpd_git_content_t,s0)
@@ -17025,9 +16230,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
 +
 +/var/lib/git(/.*)?				gen_context(system_u:object_r:git_system_content_t, s0)
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.7.9/policy/modules/services/git.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.7.15/policy/modules/services/git.if
 --- nsaserefpolicy/policy/modules/services/git.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/git.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/git.if	2010-03-18 10:44:43.000000000 -0400
 @@ -1 +1,535 @@
 -## <summary>GIT revision control system</summary>
 +## <summary>Git - Fast Version Control System.</summary>
@@ -17565,9 +16770,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
 +	userdom_search_user_home_dirs($1)
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.7.9/policy/modules/services/git.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.7.15/policy/modules/services/git.te
 --- nsaserefpolicy/policy/modules/services/git.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/git.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/git.te	2010-03-18 10:44:43.000000000 -0400
 @@ -1,9 +1,182 @@
  
 -policy_module(git, 1.0)
@@ -17754,9 +16959,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
 -apache_content_template(git)
 +#git_role_template(git_shell)
 +#gen_user(git_shell_u, user, git_shell_r, s0, s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.7.9/policy/modules/services/gpsd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.7.15/policy/modules/services/gpsd.te
 --- nsaserefpolicy/policy/modules/services/gpsd.te	2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/gpsd.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/gpsd.te	2010-03-18 10:44:43.000000000 -0400
 @@ -25,7 +25,7 @@
  # gpsd local policy
  #
@@ -17766,9 +16971,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd
  allow gpsd_t self:process setsched;
  allow gpsd_t self:shm create_shm_perms;
  allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto };
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.7.9/policy/modules/services/hal.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.7.15/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/hal.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/hal.te	2010-03-18 10:44:43.000000000 -0400
 @@ -55,6 +55,9 @@
  type hald_var_lib_t;
  files_type(hald_var_lib_t)
@@ -17796,7 +17001,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
  kernel_setsched(hald_t)
  kernel_request_load_module(hald_t)
  
-@@ -161,6 +165,7 @@
+@@ -117,6 +121,7 @@
+ corenet_udp_sendrecv_all_ports(hald_t)
+ 
+ dev_rw_usbfs(hald_t)
++dev_read_rand(hald_t)
+ dev_read_urand(hald_t)
+ dev_read_input(hald_t)
+ dev_read_mouse(hald_t)
+@@ -161,6 +166,7 @@
  fs_unmount_dos_fs(hald_t)
  fs_manage_dos_files(hald_t)
  fs_manage_fusefs_dirs(hald_t)
@@ -17804,7 +17017,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
  
  files_getattr_all_mountpoints(hald_t)
  
-@@ -295,6 +300,7 @@
+@@ -180,7 +186,7 @@
+ 
+ # hal_probe_serial causes these
+ term_setattr_unallocated_ttys(hald_t)
+-term_dontaudit_use_unallocated_ttys(hald_t)
++term_use_unallocated_ttys(hald_t)
+ 
+ auth_use_nsswitch(hald_t)
+ 
+@@ -266,6 +272,10 @@
+ ')
+ 
+ optional_policy(`
++	gnome_read_config(hald_t)
++')
++
++optional_policy(`
+ 	gpm_dontaudit_getattr_gpmctl(hald_t)
+ ')
+ 
+@@ -295,6 +305,7 @@
  ')
  
  optional_policy(`
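Review bot: `term_dontaudit_use_unallocated_ttys(hald_t)` is replaced by `term_use_unallocated_ttys(hald_t)` with no comment explaining why hald now needs real read/write access to unallocated ttys instead of silenced denials; the existing `# hal_probe_serial causes these` line above it was written for the dontaudit pair and now reads as though it justifies an allow. A widening from dontaudit to allow in a long-running privileged daemon should carry its own reason, e.g. `# hal_probe_serial must open unallocated ttys to detect serial devices`. If the probing is only wanted on some systems, gating the allow behind a tunable rather than granting it unconditionally would keep the previous posture as the default (inferred need; confirm against the hal source). The hald_t policy block begins and ends outside this hunk.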
@@ -17812,7 +17045,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
  	ppp_read_rw_config(hald_t)
  ')
  
-@@ -331,6 +337,10 @@
+@@ -315,11 +326,19 @@
+ ')
+ 
+ optional_policy(`
++	shutdown_domtrans(hald_t)
++')    
++
++optional_policy(`
+ 	udev_domtrans(hald_t)
+ 	udev_read_db(hald_t)
+ ')
+ 
+ optional_policy(`
++	usbmuxd_stream_connect(hald_t)
++')
++
++optional_policy(`
+ 	updfstab_domtrans(hald_t)
+ ')
+ 
+@@ -331,6 +350,10 @@
  	virt_manage_images(hald_t)
  ')
  
@@ -17823,7 +17076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
  ########################################
  #
  # Hal acl local policy
-@@ -351,6 +361,7 @@
+@@ -351,6 +374,7 @@
  manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
  manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
  files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
@@ -17831,7 +17084,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
  
  corecmd_exec_bin(hald_acl_t)
  
-@@ -463,6 +474,10 @@
+@@ -463,6 +487,10 @@
  
  miscfiles_read_localization(hald_keymap_t)
  
@@ -17842,21 +17095,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
  ########################################
  #
  # Local hald dccm policy
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/howl.te serefpolicy-3.7.9/policy/modules/services/howl.te
---- nsaserefpolicy/policy/modules/services/howl.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/howl.te	2010-02-16 15:08:37.000000000 -0500
-@@ -30,7 +30,7 @@
- 
- kernel_read_network_state(howl_t)
- kernel_read_kernel_sysctls(howl_t)
--kernel_load_module(howl_t)
-+kernel_request_load_module(howl_t)
- kernel_list_proc(howl_t)
- kernel_read_proc_symlinks(howl_t)
- 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.fc serefpolicy-3.7.9/policy/modules/services/icecast.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.fc serefpolicy-3.7.15/policy/modules/services/icecast.fc
 --- nsaserefpolicy/policy/modules/services/icecast.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/icecast.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/icecast.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -0,0 +1,7 @@
 +/etc/rc\.d/init\.d/icecast	--	gen_context(system_u:object_r:icecast_initrc_exec_t,s0)
 +
@@ -17865,9 +17106,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icec
 +/var/log/icecast(/.*)?			gen_context(system_u:object_r:icecast_log_t,s0)
 +
 +/var/run/icecast(/.*)?			gen_context(system_u:object_r:icecast_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.if serefpolicy-3.7.9/policy/modules/services/icecast.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.if serefpolicy-3.7.15/policy/modules/services/icecast.if
 --- nsaserefpolicy/policy/modules/services/icecast.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/icecast.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/icecast.if	2010-03-18 10:44:43.000000000 -0400
 @@ -0,0 +1,199 @@
 +
 +## <summary> ShoutCast compatible streaming media server</summary>
@@ -18068,9 +17309,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icec
 +	icecast_manage_log($1)
 +
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.te serefpolicy-3.7.9/policy/modules/services/icecast.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.te serefpolicy-3.7.15/policy/modules/services/icecast.te
 --- nsaserefpolicy/policy/modules/services/icecast.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/icecast.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/icecast.te	2010-03-18 10:44:43.000000000 -0400
 @@ -0,0 +1,59 @@
 +policy_module(icecast,1.0.0)
 +
@@ -18131,9 +17372,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icec
 +optional_policy(`
 +         rtkit_daemon_system_domain(icecast_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.7.9/policy/modules/services/kerberos.if
---- nsaserefpolicy/policy/modules/services/kerberos.if	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/kerberos.if	2010-02-16 15:08:37.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.7.15/policy/modules/services/inn.te
+--- nsaserefpolicy/policy/modules/services/inn.te	2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/services/inn.te	2010-03-18 10:44:43.000000000 -0400
+@@ -106,6 +106,7 @@
+ 
+ userdom_dontaudit_use_unpriv_user_fds(innd_t)
+ userdom_dontaudit_search_user_home_dirs(innd_t)
++userdom_stream_connect(innd_t)
+ 
+ mta_send_mail(innd_t)
+ 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.7.15/policy/modules/services/kerberos.if
+--- nsaserefpolicy/policy/modules/services/kerberos.if	2010-03-18 06:48:09.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/services/kerberos.if	2010-03-18 10:44:43.000000000 -0400
 @@ -74,7 +74,7 @@
  	')
  
@@ -18154,9 +17406,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
  	tunable_policy(`allow_kerberos',`
  		allow $1 self:tcp_socket create_socket_perms;
  		allow $1 self:udp_socket create_socket_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.7.9/policy/modules/services/kerberos.te
---- nsaserefpolicy/policy/modules/services/kerberos.te	2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/kerberos.te	2010-02-16 15:08:37.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.7.15/policy/modules/services/kerberos.te
+--- nsaserefpolicy/policy/modules/services/kerberos.te	2010-03-18 06:48:09.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/services/kerberos.te	2010-03-18 10:44:43.000000000 -0400
 @@ -112,6 +112,7 @@
  
  kernel_read_kernel_sysctls(kadmind_t)
@@ -18174,18 +17426,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
  
  allow kpropd_t krb5_keytab_t:file read_file_perms;
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.fc serefpolicy-3.7.9/policy/modules/services/ksmtuned.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.fc serefpolicy-3.7.15/policy/modules/services/ksmtuned.fc
 --- nsaserefpolicy/policy/modules/services/ksmtuned.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/ksmtuned.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/ksmtuned.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -0,0 +1,5 @@
 +/etc/rc\.d/init\.d/ksmtuned	--	gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0)
 +
 +/usr/sbin/ksmtuned	--	gen_context(system_u:object_r:ksmtuned_exec_t,s0)
 +
 +/var/run/ksmtune\.pid		--	gen_context(system_u:object_r:ksmtuned_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.if serefpolicy-3.7.9/policy/modules/services/ksmtuned.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.if serefpolicy-3.7.15/policy/modules/services/ksmtuned.if
 --- nsaserefpolicy/policy/modules/services/ksmtuned.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/ksmtuned.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/ksmtuned.if	2010-03-18 10:44:43.000000000 -0400
 @@ -0,0 +1,76 @@
 +
 +## <summary>policy for Kernel Samepage Merging (KSM) Tuning Daemon</summary>
@@ -18263,9 +17515,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt
 +	allow $2 system_r;
 +
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.te serefpolicy-3.7.9/policy/modules/services/ksmtuned.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.te serefpolicy-3.7.15/policy/modules/services/ksmtuned.te
 --- nsaserefpolicy/policy/modules/services/ksmtuned.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/ksmtuned.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/ksmtuned.te	2010-03-18 10:44:43.000000000 -0400
 @@ -0,0 +1,44 @@
 +policy_module(ksmtuned,1.0.0)
 +
@@ -18311,38 +17563,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmt
 +files_read_etc_files(ksmtuned_t)
 +
 +miscfiles_read_localization(ksmtuned_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.7.9/policy/modules/services/ldap.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.fc serefpolicy-3.7.15/policy/modules/services/ldap.fc
 --- nsaserefpolicy/policy/modules/services/ldap.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/ldap.fc	2010-02-16 15:08:37.000000000 -0500
-@@ -1,8 +1,12 @@
++++ serefpolicy-3.7.15/policy/modules/services/ldap.fc	2010-03-18 10:44:43.000000000 -0400
+@@ -1,5 +1,7 @@
  
  /etc/ldap/slapd\.conf	--	gen_context(system_u:object_r:slapd_etc_t,s0)
 +/etc/openldap/slapd\.d(/.*)?	gen_context(system_u:object_r:slapd_db_t,s0)
 +
  /etc/rc\.d/init\.d/ldap	--	gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
-+/etc/rc\.d/init\.d/dirsrv.* --	gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
  
  /usr/sbin/slapd		--	gen_context(system_u:object_r:slapd_exec_t,s0)
-+/usr/sbin/ns-slapd	--	gen_context(system_u:object_r:slapd_exec_t,s0)
- 
- ifdef(`distro_debian',`
- /usr/lib/slapd		--	gen_context(system_u:object_r:slapd_exec_t,s0)
-@@ -10,8 +14,12 @@
- 
- /var/lib/ldap(/.*)?		gen_context(system_u:object_r:slapd_db_t,s0)
- /var/lib/ldap/replog(/.*)?	gen_context(system_u:object_r:slapd_replog_t,s0)
-+/var/lib/dirsrv(/.*)?		gen_context(system_u:object_r:slapd_db_t,s0)
-+
-+/var/log/dirsrv(/.*)?		gen_context(system_u:object_r:slapd_log_t,s0)
- 
- /var/run/ldapi		-s	gen_context(system_u:object_r:slapd_var_run_t,s0)
+@@ -15,3 +17,4 @@
  /var/run/openldap(/.*)?		gen_context(system_u:object_r:slapd_var_run_t,s0)
  /var/run/slapd\.args	--	gen_context(system_u:object_r:slapd_var_run_t,s0)
  /var/run/slapd\.pid	--	gen_context(system_u:object_r:slapd_var_run_t,s0)
-+/var/run/slapd.*	-s	gen_context(system_u:object_r:slapd_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.7.9/policy/modules/services/ldap.if
++#/var/run/slapd.*	-s	gen_context(system_u:object_r:slapd_var_run_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.if serefpolicy-3.7.15/policy/modules/services/ldap.if
 --- nsaserefpolicy/policy/modules/services/ldap.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/ldap.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/ldap.if	2010-03-18 10:44:43.000000000 -0400
 @@ -1,5 +1,43 @@
  ## <summary>OpenLDAP directory server</summary>
  
@@ -18387,10 +17626,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap
  ########################################
  ## <summary>
  ##	Read the contents of the OpenLDAP
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.7.9/policy/modules/services/ldap.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-3.7.15/policy/modules/services/ldap.te
 --- nsaserefpolicy/policy/modules/services/ldap.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/ldap.te	2010-02-16 15:08:37.000000000 -0500
-@@ -28,6 +28,9 @@
++++ serefpolicy-3.7.15/policy/modules/services/ldap.te	2010-03-18 10:44:43.000000000 -0400
+@@ -28,9 +28,15 @@
  type slapd_replog_t;
  files_type(slapd_replog_t)
  
@@ -18400,7 +17639,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap
  type slapd_tmp_t;
  files_tmp_file(slapd_tmp_t)
  
-@@ -68,6 +71,10 @@
++type slapd_tmpfs_t;
++files_tmpfs_file(slapd_tmpfs_t)
++
+ type slapd_var_run_t;
+ files_pid_file(slapd_var_run_t)
+ 
+@@ -68,10 +74,17 @@
  manage_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
  manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
  
@@ -18411,9 +17656,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap
  manage_dirs_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
  manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
  files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.7.9/policy/modules/services/lircd.te
+ 
++manage_files_pattern(slapd_t, slapd_tmpfs_t, slapd_tmpfs_t)
++fs_tmpfs_filetrans(slapd_t, slapd_tmpfs_t,file)
++
+ manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
+ manage_sock_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
+ files_pid_filetrans(slapd_t, slapd_var_run_t, { file sock_file })
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.7.15/policy/modules/services/lircd.te
 --- nsaserefpolicy/policy/modules/services/lircd.te	2010-01-11 09:40:36.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/lircd.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/lircd.te	2010-03-18 10:44:43.000000000 -0400
 @@ -24,8 +24,11 @@
  # lircd local policy
  #
@@ -18462,33 +17714,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc
 +
 +sysnet_dns_name_resolve(lircd_t)
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.7.9/policy/modules/services/mailman.fc
---- nsaserefpolicy/policy/modules/services/mailman.fc	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/mailman.fc	2010-02-16 15:08:37.000000000 -0500
-@@ -1,4 +1,4 @@
--/usr/lib/mailman/bin/mailmanctl	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-+/usr/lib(64)?/mailman/bin/mailmanctl	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
- /usr/lib/mailman/cron/.*	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
- 
- /var/lib/mailman(/.*)?			gen_context(system_u:object_r:mailman_data_t,s0)
-@@ -25,10 +25,10 @@
- ifdef(`distro_redhat', `
- /etc/mailman(/.*)?			gen_context(system_u:object_r:mailman_data_t,s0)
- 
--/usr/lib/mailman/bin/qrunner	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
--/usr/lib/mailman/cgi-bin/.*	--	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
--/usr/lib/mailman/mail/mailman	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
--/usr/lib/mailman/scripts/mailman --	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-+/usr/lib(64)?/mailman/bin/qrunner	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
-+/usr/lib(64)?/mailman/cgi-bin/.*	--	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
-+/usr/lib(64)?/mailman/mail/mailman	--	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
-+/usr/lib(64)?/mailman/scripts/mailman --	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
- 
- /var/spool/mailman(/.*)?		gen_context(system_u:object_r:mailman_data_t,s0)
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.7.9/policy/modules/services/memcached.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memcached.te serefpolicy-3.7.15/policy/modules/services/memcached.te
 --- nsaserefpolicy/policy/modules/services/memcached.te	2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/memcached.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/memcached.te	2010-03-18 10:44:43.000000000 -0400
 @@ -22,9 +22,12 @@
  #
  
@@ -18519,9 +17747,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/memc
 +term_dontaudit_use_all_ptys(memcached_t)
 +term_dontaudit_use_all_ttys(memcached_t)
 +term_dontaudit_use_console(memcached_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.7.9/policy/modules/services/modemmanager.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.7.15/policy/modules/services/modemmanager.te
 --- nsaserefpolicy/policy/modules/services/modemmanager.te	2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/modemmanager.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/modemmanager.te	2010-03-18 10:44:43.000000000 -0400
 @@ -16,8 +16,8 @@
  #
  # ModemManager local policy
@@ -18541,9 +17769,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mode
  term_use_unallocated_ttys(modemmanager_t)
  
  miscfiles_read_localization(modemmanager_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.7.9/policy/modules/services/mta.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.7.15/policy/modules/services/mta.fc
 --- nsaserefpolicy/policy/modules/services/mta.fc	2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/mta.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/mta.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -13,6 +13,8 @@
  
  /usr/bin/esmtp			-- gen_context(system_u:object_r:sendmail_exec_t,s0)
@@ -18553,10 +17781,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  /usr/lib(64)?/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
  /usr/lib/courier/bin/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.7.9/policy/modules/services/mta.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.7.15/policy/modules/services/mta.if
 --- nsaserefpolicy/policy/modules/services/mta.if	2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/mta.if	2010-02-16 15:08:37.000000000 -0500
-@@ -335,6 +335,7 @@
++++ serefpolicy-3.7.15/policy/modules/services/mta.if	2010-03-18 10:44:43.000000000 -0400
+@@ -220,6 +220,25 @@
+ 	application_executable_file($1)
+ ')
+ 
++######################################
++## <summary>
++##  Dontaudit read and write an leaked file descriptors
++## </summary>
++## <param name="domain">
++##  <summary>
++##  The type of the process performing this action.
++##  </summary>
++## </param>
++#
++interface(`mta_dontaudit_leaks_system_mail',`
++    gen_require(`
++        type system_mail_t;
++    ')
++
++    dontaudit $1 system_mail_t:fifo_file write;
++    dontaudit $1 system_mail_t:tcp_socket { read write };
++')
++
+ ########################################
+ ## <summary>
+ ##	Make the specified type by a system MTA.
+@@ -335,6 +354,7 @@
  		# apache should set close-on-exec
  		apache_dontaudit_rw_stream_sockets($1)
  		apache_dontaudit_rw_sys_script_stream_sockets($1)
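Review bot: The body of the new `mta_dontaudit_leaks_system_mail` interface is indented with four spaces while the rest of this file uses tabs (see `	application_executable_file($1)` at the top of the hunk), and its banner `######################################` is two characters shorter than the `########################################` banners around it; both should match the file. The summary `Dontaudit read and write an leaked file descriptors` is ungrammatical and should read `Do not audit attempts to read and write leaked system_mail_t file descriptors`. The fifo_file line dontaudits only `write` while the tcp_socket line covers `{ read write }`; if that asymmetry is deliberate it deserves a comment, since I cannot tell from the hunk which operations are actually leaking.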
@@ -18564,10 +17818,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  	')
  ')
  
-@@ -365,6 +366,25 @@
+@@ -356,11 +376,35 @@
+ 	')
+ 
+ 	allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
++	corecmd_read_bin_symlinks($1)
+ 	domtrans_pattern($1, mta_exec_type, system_mail_t)
  
- ########################################
- ## <summary>
+ 	allow mta_user_agent $1:fd use;
+ 	allow mta_user_agent $1:process sigchld;
+ 	allow mta_user_agent $1:fifo_file rw_fifo_file_perms;
++
++	ifdef(`hide_broken_symptoms', `
++		dontaudit system_mail_t $1:socket_class_set { read write };
++	')
++')
++
++########################################
++## <summary>
 +##	Send mail client a signal
 +## </summary>
 +## <param name="domain">
@@ -18583,14 +17851,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 +	')
 +
 +	allow $1 system_mail_t:process signal;
-+')
-+
-+########################################
-+## <summary>
- ##	Execute send mail in a specified domain.
- ## </summary>
- ## <desc>
-@@ -454,7 +474,8 @@
+ ')
+ 
+ ########################################
+@@ -454,7 +498,8 @@
  		type etc_mail_t;
  	')
  
@@ -18600,7 +17864,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  ')
  
  ########################################
-@@ -678,7 +699,7 @@
+@@ -678,7 +723,7 @@
  	files_search_spool($1)
  	allow $1 mail_spool_t:dir list_dir_perms;
  	allow $1 mail_spool_t:file setattr;
@@ -18609,7 +17873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
  ')
  
-@@ -765,6 +786,25 @@
+@@ -765,6 +810,25 @@
  
  #######################################
  ## <summary>
@@ -18635,19 +17899,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  ##	Read the mail queue.
  ## </summary>
  ## <param name="domain">
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.9/policy/modules/services/mta.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.7.15/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/mta.te	2010-02-16 15:08:37.000000000 -0500
-@@ -63,6 +63,8 @@
++++ serefpolicy-3.7.15/policy/modules/services/mta.te	2010-03-18 10:44:43.000000000 -0400
+@@ -63,6 +63,9 @@
  
  can_exec(system_mail_t, mta_exec_type)
  
 +files_read_all_tmp_files(system_mail_t)
++files_read_usr_files(system_mail_t)
 +
  kernel_read_system_state(system_mail_t)
  kernel_read_network_state(system_mail_t)
  kernel_request_load_module(system_mail_t)
-@@ -75,20 +77,27 @@
+@@ -75,20 +78,27 @@
  
  selinux_getattr_fs(system_mail_t)
  
@@ -18675,7 +17940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  ')
  
  optional_policy(`
-@@ -107,6 +116,7 @@
+@@ -107,6 +117,7 @@
  optional_policy(`
  	cron_read_system_job_tmp_files(system_mail_t)
  	cron_dontaudit_write_pipes(system_mail_t)
@@ -18683,7 +17948,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  ')
  
  optional_policy(`
-@@ -126,6 +136,7 @@
+@@ -126,6 +137,7 @@
  
  optional_policy(`
  	fail2ban_append_log(system_mail_t)
@@ -18691,7 +17956,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  ')
  
  optional_policy(`
-@@ -185,6 +196,10 @@
+@@ -142,6 +154,10 @@
+ ')
+ 
+ optional_policy(`
++	munin_dontaudit_leaks(system_mail_t)
++')
++
++optional_policy(`
+ 	nagios_read_tmp_files(system_mail_t)
+ ')
+ 
+@@ -185,6 +201,10 @@
  ')
  
  optional_policy(`
@@ -18702,7 +17978,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  	smartmon_read_tmp_files(system_mail_t)
  ')
  
-@@ -216,6 +231,7 @@
+@@ -216,6 +236,7 @@
  create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
  
@@ -18710,20 +17986,180 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
  read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t)
  
  read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.7.9/policy/modules/services/munin.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.7.15/policy/modules/services/munin.fc
 --- nsaserefpolicy/policy/modules/services/munin.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/munin.fc	2010-02-16 15:08:37.000000000 -0500
-@@ -9,3 +9,6 @@
++++ serefpolicy-3.7.15/policy/modules/services/munin.fc	2010-03-18 10:44:43.000000000 -0400
+@@ -6,6 +6,64 @@
+ /usr/share/munin/munin-.*	--	gen_context(system_u:object_r:munin_exec_t,s0)
+ /usr/share/munin/plugins/.*	--	gen_context(system_u:object_r:munin_exec_t,s0)
+ 
++# disk plugins
++/usr/share/munin/plugins/diskstat.* --  gen_context(system_u:object_r:munin_disk_plugin_exec_t,s0)
++/usr/share/munin/plugins/df.*		--	gen_context(system_u:object_r:munin_disk_plugin_exec_t,s0)
++/usr/share/munin/plugins/hddtemp.*	--	gen_context(system_u:object_r:munin_disk_plugin_exec_t,s0)
++/usr/share/munin/plugins/smart_.*	--	gen_context(system_u:object_r:munin_disk_plugin_exec_t,s0)
++
++# mail plugins
++/usr/share/munin/plugins/courier_mta_.*	--	gen_context(system_u:object_r:munin_mail_plugin_exec_t,s0)
++/usr/share/munin/plugins/exim_mail.*	--	gen_context(system_u:object_r:munin_mail_plugin_exec_t,s0)
++/usr/share/munin/plugins/mailman		--	gen_context(system_u:object_r:munin_mail_plugin_exec_t,s0)
++/usr/share/munin/plugins/mailscanner	--	gen_context(system_u:object_r:munin_mail_plugin_exec_t,s0)
++/usr/share/munin/plugins/postfix_mail.*	--	gen_context(system_u:object_r:munin_mail_plugin_exec_t,s0)
++/usr/share/munin/plugins/sendmail_.*    --	gen_context(system_u:object_r:munin_mail_plugin_exec_t,s0)
++/usr/share/munin/plugins/qmail.* 		--	gen_context(system_u:object_r:munin_mail_plugin_exec_t,s0)
++
++# services plugins
++/usr/share/munin/plugins/apache_.*		--	gen_context(system_u:object_r:munin_services_plugin_exec_t,s0)
++/usr/share/munin/plugins/asterisk_.*	--	gen_context(system_u:object_r:munin_services_plugin_exec_t,s0)
++/usr/share/munin/plugins/http_loadtime	--	gen_context(system_u:object_r:munin_services_plugin_exec_t,s0)
++/usr/share/munin/plugins/fail2ban		--	gen_context(system_u:object_r:munin_services_plugin_exec_t,s0)
++/usr/share/munin/plugins/lpstat			--	gen_context(system_u:object_r:munin_services_plugin_exec_t,s0)
++/usr/share/munin/plugins/mysql_.*		--	gen_context(system_u:object_r:munin_services_plugin_exec_t,s0)
++/usr/share/munin/plugins/named			--	gen_context(system_u:object_r:munin_services_plugin_exec_t,s0)
++/usr/share/munin/plugins/ntp_.*			--	gen_context(system_u:object_r:munin_services_plugin_exec_t,s0)
++/usr/share/munin/plugins/nut.*         	--	gen_context(system_u:object_r:munin_services_plugin_exec_t,s0)
++/usr/share/munin/plugins/openvpn		--	gen_context(system_u:object_r:munin_services_plugin_exec_t,s0)
++/usr/share/munin/plugins/ping_ 	        --	gen_context(system_u:object_r:munin_services_plugin_exec_t,s0)
++/usr/share/munin/plugins/postgres_.*	--	gen_context(system_u:object_r:munin_services_plugin_exec_t,s0)
++/usr/share/munin/plugins/samba			--	gen_context(system_u:object_r:munin_services_plugin_exec_t,s0)
++/usr/share/munin/plugins/slapd_.*		--	gen_context(system_u:object_r:munin_services_plugin_exec_t,s0)
++/usr/share/munin/plugins/snmp_.*     	--	gen_context(system_u:object_r:munin_services_plugin_exec_t,s0)
++/usr/share/munin/plugins/squid_.*     	--	gen_context(system_u:object_r:munin_services_plugin_exec_t,s0)
++/usr/share/munin/plugins/tomcat_.*     	--	gen_context(system_u:object_r:munin_services_plugin_exec_t,s0)
++/usr/share/munin/plugins/varnish_.*		--	gen_context(system_u:object_r:munin_services_plugin_exec_t,s0)
++
++# system plugins
++/usr/share/munin/plugins/acpi		--	gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
++/usr/share/munin/plugins/cpu.*		--	gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
++/usr/share/munin/plugins/forks   	--	gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
++/usr/share/munin/plugins/if_.* 		--	gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
++/usr/share/munin/plugins/iostat.*   --	gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
++/usr/share/munin/plugins/interrupts --	gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
++/usr/share/munin/plugins/irqstats   --	gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
++/usr/share/munin/plugins/load	    --	gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
++/usr/share/munin/plugins/memory		--	gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
++/usr/share/munin/plugins/netstat	--	gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
++/usr/share/munin/plugins/nfs.*	 	--	gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
++/usr/share/munin/plugins/open_files	--	gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
++/usr/share/munin/plugins/proc_pri	--	gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
++/usr/share/munin/plugins/processes 	--	gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
++/usr/share/munin/plugins/swap		--	gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
++/usr/share/munin/plugins/threads 	--	gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
++/usr/share/munin/plugins/uptime		--	gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
++/usr/share/munin/plugins/users	 	--	gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
++/usr/share/munin/plugins/yum      	--	gen_context(system_u:object_r:munin_system_plugin_exec_t,s0)
++
  /var/lib/munin(/.*)?			gen_context(system_u:object_r:munin_var_lib_t,s0)
  /var/log/munin.*			gen_context(system_u:object_r:munin_log_t,s0)
  /var/run/munin(/.*)?			gen_context(system_u:object_r:munin_var_run_t,s0)
 +/var/www/html/munin(/.*)?		gen_context(system_u:object_r:httpd_munin_content_t,s0)
 +/var/www/html/munin/cgi(/.*)?		gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.7.15/policy/modules/services/munin.if
+--- nsaserefpolicy/policy/modules/services/munin.if	2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/services/munin.if	2010-03-18 10:44:43.000000000 -0400
+@@ -43,6 +43,24 @@
+ 	files_search_etc($1)
+ ')
+ 
++######################################
++## <summary>
++##  dontaudit read and write an leaked file descriptors
++## </summary>
++## <param name="domain">
++##  <summary>
++##  The type of the process performing this action.
++##  </summary>
++## </param>
++#
++interface(`munin_dontaudit_leaks',`
++    gen_require(`
++        type munin_t;
++    ')
++
++    dontaudit $1 munin_t:tcp_socket { read write };
++')
++
+ #######################################
+ ## <summary>
+ ##	Append to the munin log.
+@@ -102,6 +120,54 @@
+ 	dontaudit $1 munin_var_lib_t:dir search_dir_perms;
+ ')
+ 
++######################################
++## <summary>
++##  Create a set of derived types for various
++##  munin plugins,
++## </summary>
++## <param name="plugins_group_name">
++##  <summary>
++##  The name to be used for deriving type names.
++##  </summary>
++## </param>
++#
++template(`munin_plugin_template',`
++
++	gen_require(`
++		type munin_t, munin_exec_t;
++		type munin_etc_t;
++	')
++
++	type munin_$1_plugin_t;
++	type munin_$1_plugin_exec_t;
++	application_domain(munin_$1_plugin_t, munin_$1_plugin_exec_t)
++	role system_r types munin_$1_plugin_t;
++
++	type munin_$1_plugin_tmp_t;
++	files_tmp_file(munin_$1_plugin_tmp_t)
++
++	allow munin_$1_plugin_t self:fifo_file rw_fifo_file_perms;
++
++	manage_files_pattern(munin_$1_plugin_t, munin_$1_plugin_tmp_t, munin_$1_plugin_tmp_t)
++	manage_dirs_pattern(munin_$1_plugin_t, munin_$1_plugin_tmp_t, munin_$1_plugin_tmp_t)
++	files_tmp_filetrans(munin_$1_plugin_t, munin_$1_plugin_tmp_t, { dir file })
++
++	# automatic transition rules from munin domain
++	# to specific munin plugin domain
++	domtrans_pattern(munin_t, munin_$1_plugin_exec_t, munin_$1_plugin_t)
++	
++	allow munin_$1_plugin_t munin_exec_t:file read_file_perms;
++	allow munin_$1_plugin_t munin_t:tcp_socket rw_socket_perms;
++	
++	read_lnk_files_pattern(munin_$1_plugin_t, munin_etc_t, munin_etc_t)
++
++	kernel_read_system_state(munin_$1_plugin_t)
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.7.9/policy/modules/services/munin.te
++	corecmd_exec_bin(munin_$1_plugin_t)
++
++	miscfiles_read_localization(munin_$1_plugin_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	All of the rules required to administrate 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.7.15/policy/modules/services/munin.te
 --- nsaserefpolicy/policy/modules/services/munin.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/munin.te	2010-02-16 15:08:37.000000000 -0500
-@@ -33,7 +33,7 @@
++++ serefpolicy-3.7.15/policy/modules/services/munin.te	2010-03-18 10:44:43.000000000 -0400
+@@ -28,12 +28,26 @@
+ type munin_var_run_t alias lrrd_var_run_t;
+ files_pid_file(munin_var_run_t)
+ 
++# munin plugins declaration
++
++munin_plugin_template(disk)
++permissive munin_disk_plugin_t;
++
++munin_plugin_template(mail)
++permissive munin_mail_plugin_t;
++
++munin_plugin_template(services)
++permissive munin_services_plugin_t;
++
++munin_plugin_template(system)
++permissive munin_system_plugin_t;
++
+ ########################################
+ #
  # Local policy
  #
  
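Review bot: In `munin_plugin_template`, `allow munin_$1_plugin_t munin_t:tcp_socket rw_socket_perms;` grants every plugin domain read and write on munin_t's TCP socket, while the new `munin_dontaudit_leaks` interface in the same file treats read/write on that same socket as a leaked descriptor to be silenced for system_mail_t. Unless the plugins are meant to write to munin-node's client connection (nothing in the hunk indicates that), the consistent treatment is `dontaudit munin_$1_plugin_t munin_t:tcp_socket { read write };` with a comment naming the leak, so a plugin cannot write into the node's protocol stream. The four `permissive munin_*_plugin_t;` declarations in munin.te, and the five `permissive nagios_*_plugin_t;` lines in the later nagios.te hunk, carry no note on when they are to be dropped; a `# TODO: remove permissive once denials are collected` comment beside each would keep them from shipping unnoticed. The template's `<summary>` also ends in a comma (`munin plugins,`) where a period is meant.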
@@ -18732,7 +18168,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
  dontaudit munin_t self:capability sys_tty_config;
  allow munin_t self:process { getsched setsched signal_perms };
  allow munin_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -55,7 +55,8 @@
+@@ -55,7 +69,8 @@
  
  manage_dirs_pattern(munin_t, munin_tmp_t, munin_tmp_t)
  manage_files_pattern(munin_t, munin_tmp_t, munin_tmp_t)
@@ -18742,7 +18178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
  
  # Allow access to the munin databases
  manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
-@@ -131,8 +132,13 @@
+@@ -131,8 +146,13 @@
  ')
  
  optional_policy(`
@@ -18756,7 +18192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
  	mta_read_queue(munin_t)
  ')
  
-@@ -147,6 +153,7 @@
+@@ -147,6 +167,7 @@
  
  optional_policy(`
  	postfix_list_spool(munin_t)
@@ -18764,132 +18200,176 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
  ')
  
  optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.7.9/policy/modules/services/mysql.if
---- nsaserefpolicy/policy/modules/services/mysql.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/mysql.if	2010-02-16 15:08:37.000000000 -0500
-@@ -1,5 +1,43 @@
- ## <summary>Policy for MySQL</summary>
- 
-+######################################
-+## <summary>
-+##      Execute MySQL in the mysql domain.
-+## </summary>
-+## <param name="domain">
-+##      <summary>
-+##      The type of the process performing this action.
-+##      </summary>
-+## </param>
+@@ -164,3 +185,146 @@
+ optional_policy(`
+ 	udev_read_db(munin_t)
+ ')
++
++###################################
 +#
-+interface(`mysql_domtrans',`
-+        gen_require(`
-+                type mysqld_t, mysqld_exec_t;
-+        ')
++# local policy for disk plugins 
++#
++
++allow munin_disk_plugin_t self:tcp_socket create_stream_socket_perms;
 +
-+        domtrans_pattern($1,mysqld_exec_t,mysqld_t)
++rw_files_pattern(munin_disk_plugin_t, munin_var_lib_t, munin_var_lib_t)
 +
++corenet_tcp_connect_hddtemp_port(munin_disk_plugin_t)
++
++corecmd_exec_shell(munin_disk_plugin_t)
++
++files_read_etc_files(munin_disk_plugin_t)
++files_read_etc_runtime_files(munin_disk_plugin_t)
++
++fs_getattr_all_fs(munin_disk_plugin_t)
++
++dev_read_sysfs(munin_disk_plugin_t)
++dev_read_urand(munin_disk_plugin_t)
++
++storage_getattr_fixed_disk_dev(munin_disk_plugin_t)
++
++sysnet_read_config(munin_disk_plugin_t)
++
++optional_policy(`
++    hddtemp_exec(munin_disk_plugin_t)
 +')
 +
-+######################################
-+## <summary>
-+##      Execute MySQL server in the mysql domain.
-+## </summary>
-+## <param name="domain">
-+##      <summary>
-+##      The type of the process performing this action.
-+##      </summary>
-+## </param>
++optional_policy(`
++    fstools_exec(munin_disk_plugin_t)
++')
++
++####################################
 +#
-+interface(`mysql_domtrans_mysql_safe',`
-+        gen_require(`
-+                type mysqld_safe_t, mysqld_safe_exec_t;
-+        ')
++# local policy for mail plugins 
++#
++
++allow munin_mail_plugin_t self:capability dac_override;
++
++rw_files_pattern(munin_mail_plugin_t, munin_var_lib_t, munin_var_lib_t)
++
++dev_read_urand(munin_mail_plugin_t)
++
++files_read_etc_files(munin_mail_plugin_t)
++
++fs_getattr_all_fs(munin_mail_plugin_t)
++
++logging_read_generic_logs(munin_mail_plugin_t)
++
++mta_read_config(munin_mail_plugin_t)
++mta_send_mail(munin_mail_plugin_t)
++mta_list_queue(munin_mail_plugin_t)
++mta_read_queue(munin_mail_plugin_t)
++
++optional_policy(`
++    postfix_read_config(munin_mail_plugin_t)
++    postfix_list_spool(munin_mail_plugin_t)
++    postfix_getattr_spool_files(munin_mail_plugin_t)
++')
 +
-+        domtrans_pattern($1,mysqld_safe_exec_t, mysqld_safe_t)
++optional_policy(`
++    sendmail_read_log(munin_mail_plugin_t)
 +')
 +
++###################################
++#
++# local policy for service plugins 
++#
 +
- ########################################
- ## <summary>
- ##	Send a generic signal to MySQL.
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.7.9/policy/modules/services/mysql.te
---- nsaserefpolicy/policy/modules/services/mysql.te	2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/mysql.te	2010-02-16 15:08:37.000000000 -0500
-@@ -1,6 +1,13 @@
- 
- policy_module(mysql, 1.11.1)
- 
-+## <desc>
-+## <p>
-+## Allow mysqld to connect to all ports
-+## </p>
-+## </desc>
-+gen_tunable(mysql_connect_any, false)
++allow munin_services_plugin_t self:tcp_socket create_stream_socket_perms;
++allow munin_services_plugin_t self:udp_socket create_socket_perms;
++allow munin_services_plugin_t self:netlink_route_socket r_netlink_socket_perms;
 +
- ########################################
- #
- # Declarations
-@@ -37,7 +44,7 @@
- # Local policy
- #
- 
--allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service };
-+allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource net_bind_service };
- dontaudit mysqld_t self:capability sys_tty_config;
- allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
- allow mysqld_t self:fifo_file rw_fifo_file_perms;
-@@ -109,6 +116,11 @@
- # for /root/.my.cnf - should not be needed:
- userdom_read_user_home_content_files(mysqld_t)
- 
-+tunable_policy(`mysql_connect_any',`
-+	corenet_tcp_connect_all_ports(mysqld_t)
-+	corenet_sendrecv_all_client_packets(mysqld_t)
++corenet_tcp_connect_all_ports(munin_services_plugin_t)
++corenet_tcp_connect_http_port(munin_services_plugin_t)
++
++dev_read_urand(munin_services_plugin_t)
++dev_read_rand(munin_services_plugin_t)
++
++fs_getattr_all_fs(munin_services_plugin_t)
++
++files_read_etc_files(munin_services_plugin_t)
++
++sysnet_read_config(munin_services_plugin_t)
++
++optional_policy(`
++    cups_stream_connect(munin_services_plugin_t)
 +')
 +
- ifdef(`distro_redhat',`
- 	# because Fedora has the sock_file in the database directory
- 	type_transition mysqld_t mysqld_db_t:sock_file mysqld_var_run_t;
-@@ -131,20 +143,26 @@
- # Local mysqld_safe policy
- #
- 
--allow mysqld_safe_t self:capability { dac_override fowner chown };
-+allow mysqld_safe_t self:capability { chown dac_override fowner kill };
-+dontaudit mysqld_safe_t self:capability sys_ptrace;
- allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
- 
- domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
++optional_policy(`
++    lpd_exec_lpr(munin_services_plugin_t)
++')
++
++optional_policy(`
++    mysql_read_config(munin_services_plugin_t)
++    mysql_stream_connect(munin_services_plugin_t)
++')
++
++optional_policy(`
++    netutils_domtrans_ping(munin_services_plugin_t)
++')
++
++optional_policy(`
++    postgresql_stream_connect(munin_services_plugin_t)
++')
++
++optional_policy(`
++    snmp_read_snmp_var_lib_files(munin_services_plugin_t)
++')
++
++optional_policy(`
++    varnishd_read_lib_files(munin_services_plugin_t)
++')
++
++##################################
++#
++# local policy for system plugins 
++#
++
++allow munin_system_plugin_t self:udp_socket create_socket_perms;
++
++rw_files_pattern(munin_system_plugin_t, munin_var_lib_t, munin_var_lib_t)
++
++kernel_read_network_state(munin_system_plugin_t)
++kernel_read_all_sysctls(munin_system_plugin_t)
++
++corecmd_exec_shell(munin_system_plugin_t)
++
++fs_getattr_all_fs(munin_system_plugin_t)
++
++dev_read_sysfs(munin_system_plugin_t)
++dev_read_urand(munin_system_plugin_t)
++
++domain_read_all_domains_state(munin_system_plugin_t)
++
++# needed by users plugin
++init_read_utmp(munin_system_plugin_t)
++
++sysnet_exec_ifconfig(munin_system_plugin_t)
++
++term_getattr_unallocated_ttys(munin_system_plugin_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.7.15/policy/modules/services/mysql.te
+--- nsaserefpolicy/policy/modules/services/mysql.te	2010-03-12 11:48:14.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/mysql.te	2010-03-18 10:44:43.000000000 -0400
+@@ -65,6 +65,7 @@
  
- allow mysqld_safe_t mysqld_log_t:file manage_file_perms;
+ manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
+ manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
++manage_sock_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
+ manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
+ files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
  
--allow mysqld_safe_t mysqld_var_run_t:sock_file unlink;
-+manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
-+delete_sock_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
+@@ -176,6 +177,7 @@
  
  domain_read_all_domains_state(mysqld_safe_t)
  
 +files_dontaudit_search_all_mountpoints(mysqld_safe_t)
-+files_dontaudit_getattr_all_dirs(mysqld_safe_t)
-+
- logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
- 
- kernel_read_system_state(mysqld_safe_t)
-+kernel_read_kernel_sysctls(mysqld_safe_t)
- 
- dev_list_sysfs(mysqld_safe_t)
- 
-@@ -158,6 +176,7 @@
- miscfiles_read_localization(mysqld_safe_t)
- 
- mysql_manage_db_files(mysqld_safe_t)
-+read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
- mysql_read_config(mysqld_safe_t)
- mysql_search_pid_files(mysqld_safe_t)
- mysql_write_log(mysqld_safe_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.7.9/policy/modules/services/nagios.fc
+ files_read_etc_files(mysqld_safe_t)
+ files_read_usr_files(mysqld_safe_t)
+ files_dontaudit_getattr_all_dirs(mysqld_safe_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.7.15/policy/modules/services/nagios.fc
 --- nsaserefpolicy/policy/modules/services/nagios.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/nagios.fc	2010-02-16 15:08:37.000000000 -0500
-@@ -1,16 +1,87 @@
++++ serefpolicy-3.7.15/policy/modules/services/nagios.fc	2010-03-18 10:44:43.000000000 -0400
+@@ -1,16 +1,89 @@
  /etc/nagios(/.*)?			gen_context(system_u:object_r:nagios_etc_t,s0)
  /etc/nagios/nrpe\.cfg		--	gen_context(system_u:object_r:nrpe_etc_t,s0)
 +/etc/rc\.d/init\.d/nagios	--	gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
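Review bot: `corenet_tcp_connect_all_ports(munin_services_plugin_t)` makes the `corenet_tcp_connect_http_port` call on the next line redundant and gives the services plugin domain outbound TCP to every port, which undoes most of the benefit of splitting the plugins into separate domains. The services group in munin.fc is an enumerated set (apache, mysql, postgres, slapd, snmp, squid, tomcat, varnish, ntp, …), so the matching `corenet_tcp_connect_<service>_port` interfaces would express the intent; if arbitrary user-configured targets must be supported, gate the all-ports rule behind a `gen_tunable` with a `<desc>` instead of granting it unconditionally. `domain_read_all_domains_state(munin_system_plugin_t)` is similarly broad and deserves a why-comment in the style of the one above `init_read_utmp`, presumably `# needed by processes/proc_pri plugins`. None of this is enforced yet because the domains are permissive, but these rules become the enforcing baseline once that is removed.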
@@ -18921,7 +18401,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
 +/usr/lib(64)?/nagios/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
 +
 +# admin plugins
-+/usr/lib(64)?/nagios/plugins/check_mailq        --      gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_file_age     --      gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0)
 +
 +# check disk plugins
 +/usr/lib(64)?/nagios/plugins/check_disk			--		gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
@@ -18929,10 +18409,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
 +/usr/lib(64)?/nagios/plugins/check_ide_smart		--		gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
 +/usr/lib(64)?/nagios/plugins/check_linux_raid		--		gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
 +
++# mail plugins
++/usr/lib(64)?/nagios/plugins/check_mailq        --      gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
++
 +# system plugins
 +/usr/lib(64)?/nagios/plugins/check_breeze		--		gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
 +/usr/lib(64)?/nagios/plugins/check_dummy		--		gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
-+/usr/lib(64)?/nagios/plugins/check_file_age		--		gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
 +/usr/lib(64)?/nagios/plugins/check_flexlm		--		gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
 +/usr/lib(64)?/nagios/plugins/check_ifoperstatus	--		gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
 +/usr/lib(64)?/nagios/plugins/check_ifstatus		--		gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
@@ -18982,53 +18464,57 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
 +
 +# unconfined plugins
 +/usr/lib(64)?/nagios/plugins/check_by_ssh       --      gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.7.9/policy/modules/services/nagios.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.7.15/policy/modules/services/nagios.if
 --- nsaserefpolicy/policy/modules/services/nagios.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/nagios.if	2010-02-16 15:08:37.000000000 -0500
-@@ -64,7 +64,7 @@
++++ serefpolicy-3.7.15/policy/modules/services/nagios.if	2010-03-18 10:44:43.000000000 -0400
+@@ -64,8 +64,8 @@
  
  ########################################
  ## <summary>
 -##	Execute the nagios CGI with
-+##	Execute the nagios NRPE with
- ##	a domain transition.
+-##	a domain transition.
++##	Allow the specified domain to read
++##	nagios temporary files.
  ## </summary>
  ## <param name="domain">
-@@ -73,18 +73,17 @@
+ ##	<summary>
+@@ -73,12 +73,13 @@
  ##	</summary>
  ## </param>
  #
 -interface(`nagios_domtrans_cgi',`
-+interface(`nagios_domtrans_nrpe',`
++interface(`nagios_rw_inerited_tmp_files',`
  	gen_require(`
 -		type nagios_cgi_t, nagios_cgi_exec_t;
-+		type nrpe_t, nrpe_exec_t;
++		type nagios_tmp_t;
  	')
  
 -	domtrans_pattern($1, nagios_cgi_exec_t, nagios_cgi_t)
-+	domtrans_pattern($1, nrpe_exec_t, nrpe_t)
++	allow $1 nagios_tmp_t:file rw_inherited_file_perms;
++	files_search_tmp($1)
  ')
  
  ########################################
- ## <summary>
--##	Execute the nagios NRPE with
--##	a domain transition.
+@@ -99,3 +100,134 @@
+ 
+ 	domtrans_pattern($1, nrpe_exec_t, nrpe_t)
+ ')
++
++########################################
++## <summary>
 +##	Search nagios spool directories.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -92,10 +91,121 @@
- ##	</summary>
- ## </param>
- #
--interface(`nagios_domtrans_nrpe',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`nagios_search_spool',`
- 	gen_require(`
--		type nrpe_t, nrpe_exec_t;
-+		type nagios_spool_t;
- 	')
- 
--	domtrans_pattern($1, nrpe_exec_t, nrpe_t)
++	gen_require(`
++		type nagios_spool_t;
++	')
++
 +	allow $1 nagios_spool_t:dir search_dir_perms;
 +	files_search_spool($1)
 +')
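Review bot: The new interface name `nagios_rw_inerited_tmp_files` misspells "inherited", and its summary ("read nagios temporary files") understates what the body grants, which is `rw_inherited_file_perms` on nagios_tmp_t files, i.e. read and write. Once other modules call the interface the misspelling becomes part of the API, so it is worth fixing before it lands: rename to `nagios_rw_inherited_tmp_files` and change the summary to `Read and write inherited nagios temporary files.` The rest of nagios.if continues outside this hunk.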
@@ -19067,6 +18553,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
 +
 +    	gen_require(`
 +        	type nagios_t, nrpe_t;
++		type nagios_log_t;
 +    	')
 +
 +	type nagios_$1_plugin_t;
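Review bot: The added `type nagios_log_t;` is indented with two tabs while the surrounding `gen_require` block in `nagios_plugin_template` is indented with spaces, and the next hunk repeats the mix where the tab-indented `dontaudit nagios_$1_plugin_t nagios_log_t:file { read write };` sits beside a space-indented `dontaudit` on nrpe_t. The template body already mixes both styles, but new lines should at least match their immediate neighbours. The existing `# cjp: leaked file descriptor` comment above the nrpe_t rule could be widened to `# leaked file descriptors: nrpe socket and nagios log` so the second dontaudit is not mistaken for an intended access.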
@@ -19087,6 +18574,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
 +
 +        # cjp: leaked file descriptor
 +        dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write };
++	dontaudit nagios_$1_plugin_t nagios_log_t:file { read write };
 +
 +        miscfiles_read_localization(nagios_$1_plugin_t)
 +')
@@ -19141,10 +18629,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
 +	admin_pattern($1, nagios_var_run_t)
 +
 +	admin_pattern($1, nrpe_etc_t)
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.7.9/policy/modules/services/nagios.te
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.7.15/policy/modules/services/nagios.te
 --- nsaserefpolicy/policy/modules/services/nagios.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/nagios.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/nagios.te	2010-03-18 10:44:43.000000000 -0400
 @@ -6,17 +6,23 @@
  # Declarations
  #
@@ -19183,7 +18671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
  type nrpe_t;
  type nrpe_exec_t;
  init_daemon_domain(nrpe_t, nrpe_exec_t)
-@@ -33,6 +42,38 @@
+@@ -33,6 +42,44 @@
  type nrpe_etc_t;
  files_config_file(nrpe_etc_t)
  
@@ -19198,6 +18686,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
 +# and nagios_checkdisk_plugin_t for domain
 +nagios_plugin_template(checkdisk)
 +
++# creates nagios_mail_plugin_exec_t for executable
++# and nagios_mail_plugin_t for domain
++nagios_plugin_template(mail)
++
 +# creates nagios_services_plugin_exec_t for executable
 +# and nagios_services_plugin_t for domain
 +nagios_plugin_template(services)
@@ -19210,29 +18702,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
 +files_tmp_file(nagios_system_plugin_tmp_t)
 +
 +nagios_plugin_template(unconfined)
++
 +optional_policy(`
 +	unconfined_domain(nagios_unconfined_plugin_t)
 +')
 +
-+permissive nagios_admin_plugin_t;
++permissive nagios_admin_plugin_t; 
 +permissive nagios_checkdisk_plugin_t;
++permissive nagios_mail_plugin_t;
 +permissive nagios_services_plugin_t;
 +permissive nagios_system_plugin_t;
 +
  ########################################
  #
  # Nagios local policy
-@@ -45,6 +86,9 @@
- allow nagios_t self:tcp_socket create_stream_socket_perms;
- allow nagios_t self:udp_socket create_socket_perms;
- 
-+# needed by command.cfg
-+can_exec(nagios_t, nagios_checkdisk_plugin_exec_t)
-+
- read_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t)
- read_lnk_files_pattern(nagios_t, nagios_etc_t, nagios_etc_t)
- allow nagios_t nagios_etc_t:dir list_dir_perms;
-@@ -60,6 +104,8 @@
+@@ -60,6 +107,8 @@
  manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
  files_pid_filetrans(nagios_t, nagios_var_run_t, file)
  
@@ -19241,17 +18725,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
  kernel_read_system_state(nagios_t)
  kernel_read_kernel_sysctls(nagios_t)
  
-@@ -76,6 +122,9 @@
+@@ -76,6 +125,9 @@
  corenet_udp_sendrecv_all_ports(nagios_t)
  corenet_tcp_connect_all_ports(nagios_t)
  
 +corenet_dontaudit_tcp_bind_all_reserved_ports(nagios_t)
-+corenet_dontaudit_udp_bind_all_reserved_ports(nagios_t)
++corenet_dontaudit_udp_bind_all_reserved_ports(nagios_t)    
 +
  dev_read_sysfs(nagios_t)
  dev_read_urand(nagios_t)
  
-@@ -86,6 +135,7 @@
+@@ -86,6 +138,7 @@
  files_read_etc_files(nagios_t)
  files_read_etc_runtime_files(nagios_t)
  files_read_kernel_symbol_table(nagios_t)
@@ -19259,7 +18743,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
  
  fs_getattr_all_fs(nagios_t)
  fs_search_auto_mountpoints(nagios_t)
-@@ -118,61 +168,63 @@
+@@ -118,61 +171,63 @@
  	udev_read_db(nagios_t)
  ')
  
@@ -19355,7 +18839,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
  kernel_read_system_state(nrpe_t)
  kernel_read_kernel_sysctls(nrpe_t)
  
-@@ -183,15 +235,21 @@
+@@ -183,11 +238,15 @@
  dev_read_urand(nrpe_t)
  
  domain_use_interactive_fds(nrpe_t)
@@ -19371,13 +18855,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
  logging_send_syslog_msg(nrpe_t)
  
  miscfiles_read_localization(nrpe_t)
+@@ -199,6 +258,11 @@
+ ')
  
-+mta_send_mail(nrpe_t)
+ optional_policy(`
++	mta_send_mail(nrpe_t)
++	mta_dontaudit_leaks_system_mail(nrpe_t)
++')
 +
- userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
++optional_policy(`
+ 	seutil_sigchld_newrole(nrpe_t)
+ ')
  
- optional_policy(`
-@@ -209,3 +267,120 @@
+@@ -209,3 +273,149 @@
  optional_policy(`
  	udev_read_db(nrpe_t)
  ')
@@ -19387,14 +18877,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
 +# local policy for admin check plugins 
 +#
 +
-+allow nagios_admin_plugin_t self:capability { setuid setgid dac_override };
-+
-+allow nagios_admin_plugin_t self:tcp_socket create_stream_socket_perms;
-+allow nagios_admin_plugin_t self:udp_socket create_socket_perms;
-+
-+kernel_read_system_state(nagios_admin_plugin_t)
-+kernel_read_kernel_sysctls(nagios_admin_plugin_t)
-+
 +corecmd_read_bin_files(nagios_admin_plugin_t)
 +corecmd_read_bin_symlinks(nagios_admin_plugin_t)
 +
@@ -19402,20 +18884,53 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
 +
 +files_read_etc_files(nagios_admin_plugin_t)
 +
-+libs_use_lib_files(nagios_admin_plugin_t)
-+libs_use_ld_so(nagios_admin_plugin_t)
++# for check_file_age plugin
++files_getattr_all_dirs(nagios_admin_plugin_t)
++files_getattr_all_files(nagios_admin_plugin_t)
++files_getattr_all_symlinks(nagios_admin_plugin_t)
++files_getattr_all_pipes(nagios_admin_plugin_t)
++files_getattr_all_sockets(nagios_admin_plugin_t)
++files_getattr_all_file_type_fs(nagios_admin_plugin_t)
++dev_getattr_all_chr_files(nagios_admin_plugin_t)
++dev_getattr_all_blk_files(nagios_admin_plugin_t)
++
++######################################
++#
++# local policy for mail check plugins 
++#
++
++allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
 +
-+logging_send_syslog_msg(nagios_admin_plugin_t)
++allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms;
++allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms;
++allow nagios_mail_plugin_t self:udp_socket create_socket_perms;
 +
-+sysnet_read_config(nagios_admin_plugin_t)
++kernel_read_system_state(nagios_mail_plugin_t)
++kernel_read_kernel_sysctls(nagios_mail_plugin_t)
 +
-+nscd_dontaudit_search_pid(nagios_admin_plugin_t)
++corecmd_read_bin_files(nagios_mail_plugin_t)
++corecmd_read_bin_symlinks(nagios_mail_plugin_t)
++
++dev_read_urand(nagios_mail_plugin_t)
++
++files_read_etc_files(nagios_mail_plugin_t)
++
++libs_use_lib_files(nagios_mail_plugin_t)
++libs_use_ld_so(nagios_mail_plugin_t) 
++
++logging_send_syslog_msg(nagios_mail_plugin_t)
++
++sysnet_read_config(nagios_mail_plugin_t)
++
++nscd_dontaudit_search_pid(nagios_mail_plugin_t) 
++
++optional_policy(`
++	mta_send_mail(nagios_mail_plugin_t)
++') 
 +
 +optional_policy(`
-+    mta_read_config(nagios_admin_plugin_t)
-+    mta_list_queue(nagios_admin_plugin_t)
-+    mta_read_queue(nagios_admin_plugin_t)
-+    mta_sendmail_exec(nagios_admin_plugin_t)
++	postfix_stream_connect_master(nagios_mail_plugin_t)
++	posftix_exec_postqueue(nagios_mail_plugin_t)
 +')
 +
 +######################################
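Review bot: `posftix_exec_postqueue(nagios_mail_plugin_t)` transposes letters in the module prefix; the line above it uses `postfix_stream_connect_master`, so the intended call is presumably `postfix_exec_postqueue(nagios_mail_plugin_t)`, assuming that interface exists in postfix.if. As written, m4 leaves the undefined macro unexpanded and the module should fail at checkmodule whenever the postfix module is present, which is exactly the case in which this `optional_policy` block is compiled. The same mail-plugin block also adds trailing whitespace on the `libs_use_ld_so`, `nscd_dontaudit_search_pid` and closing `') ` lines.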
@@ -19468,6 +18983,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
 +	mysql_stream_connect(nagios_services_plugin_t)
 +')
 +
++optional_policy(`
++    snmp_read_snmp_var_lib_files(nagios_services_plugin_t)
++')
++
 +######################################
 +#
 +# local policy for system check plugins 
@@ -19498,9 +19017,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
 +optional_policy(`
 +	init_read_utmp(nagios_system_plugin_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.7.9/policy/modules/services/networkmanager.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.7.15/policy/modules/services/networkmanager.fc
 --- nsaserefpolicy/policy/modules/services/networkmanager.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/networkmanager.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/networkmanager.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -1,12 +1,32 @@
 +/etc/rc\.d/init\.d/wicd		--	gen_context(system_u:object_r:NetworkManager_initrc_exec_t, s0)
 +/etc/NetworkManager/dispatcher\.d(/.*)	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
@@ -19534,9 +19053,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
  /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 +/var/run/nm-dhclient.*			gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.7.9/policy/modules/services/networkmanager.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.7.15/policy/modules/services/networkmanager.if
 --- nsaserefpolicy/policy/modules/services/networkmanager.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/networkmanager.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/networkmanager.if	2010-03-18 10:44:43.000000000 -0400
 @@ -118,6 +118,24 @@
  
  ########################################
@@ -19562,7 +19081,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
  ##	Read NetworkManager PID files.
  ## </summary>
  ## <param name="domain">
-@@ -134,3 +152,50 @@
+@@ -134,3 +152,71 @@
  	files_search_pids($1)
  	allow $1 NetworkManager_var_run_t:file read_file_perms;
  ')
@@ -19613,9 +19132,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
 +	role $2 types NetworkManager_t;
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.7.9/policy/modules/services/networkmanager.te
++
++#######################################
++## <summary>
++## Allow caller to relabel tun_socket
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`networkmanager_attach_tun_iface',`
++	gen_require(`
++		type NetworkManager_t;
++	')
++
++	allow $1 NetworkManager_t:tun_socket relabelfrom;    
++	allow $1 self:tun_socket relabelto;
++')
++
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.7.15/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/networkmanager.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/networkmanager.te	2010-03-18 10:44:43.000000000 -0400
 @@ -19,6 +19,9 @@
  type NetworkManager_tmp_t;
  files_tmp_file(NetworkManager_tmp_t)
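Review bot: `allow $1 NetworkManager_t:tun_socket relabelfrom;` in the new `networkmanager_attach_tun_iface` interface carries trailing whitespace, and the summary "Allow caller to relabel tun_socket" does not say what the pair of rules grants: together with `allow $1 self:tun_socket relabelto;` the caller takes over a tun socket labelled NetworkManager_t by relabelling it into its own domain. Suggest `##	Allow the caller to take over (relabel to itself) a tun socket created by NetworkManager_t.` as the summary, so anyone auditing a caller's policy sees that it inherits a NetworkManager-owned interface. The divider comment above the interface also appears one `#` shorter than the 40-character dividers used elsewhere on this page, and two blank lines follow the closing `')` where the surrounding file uses one.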
@@ -19859,9 +19399,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
  ')
  
  ########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.7.9/policy/modules/services/nis.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.7.15/policy/modules/services/nis.fc
 --- nsaserefpolicy/policy/modules/services/nis.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/nis.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/nis.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -1,4 +1,7 @@
 -
 +/etc/rc\.d/init\.d/ypbind	--	gen_context(system_u:object_r:ypbind_initrc_exec_t,s0)
@@ -19880,9 +19420,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
 +/var/run/ypbind.*	--	gen_context(system_u:object_r:ypbind_var_run_t,s0)
 +/var/run/ypserv.*	--	gen_context(system_u:object_r:ypserv_var_run_t,s0)
 +/var/run/yppass.*	--	gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.7.9/policy/modules/services/nis.if
---- nsaserefpolicy/policy/modules/services/nis.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/nis.if	2010-02-16 15:08:37.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.7.15/policy/modules/services/nis.if
+--- nsaserefpolicy/policy/modules/services/nis.if	2010-03-03 23:26:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/nis.if	2010-03-18 10:44:43.000000000 -0400
 @@ -28,7 +28,7 @@
  		type var_yp_t;
  	')
@@ -19892,7 +19432,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
  
  	allow $1 self:tcp_socket create_stream_socket_perms;
  	allow $1 self:udp_socket create_socket_perms;
-@@ -76,6 +76,10 @@
+@@ -88,6 +88,10 @@
  ## <rolecap/>
  #
  interface(`nis_use_ypbind',`
@@ -19903,16 +19443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
  	tunable_policy(`allow_ypbind',`
  		nis_use_ypbind_uncond($1)
  	')
-@@ -87,7 +91,7 @@
- ## </summary>
- ## <param name="domain">
- ##	<summary>
--##	Domain allowed access.
-+##	The type of the process performing this action.
- ##	</summary>
- ## </param>
- ## <rolecap/>
-@@ -262,6 +266,43 @@
+@@ -274,6 +278,43 @@
  
  ########################################
  ## <summary>
@@ -19956,29 +19487,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
  ##	All of the rules required to administrate 
  ##	an nis environment
  ## </summary>
-@@ -272,16 +313,19 @@
- ## </param>
- ## <param name="role">
- ##	<summary>
--##	Role allowed access.
-+##	The role to be allowed to manage the nis domain.
- ##	</summary>
- ## </param>
- ## <rolecap/>
- #
- interface(`nis_admin',`
- 	gen_require(`
--		type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t;
-+		type ypbind_t, yppasswdd_t;
-+		type ypserv_t, ypxfr_t;
+@@ -294,6 +335,7 @@
+ 		type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t;
  		type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t;
  		type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t;
-+		type ypbind_initrc_exec_t;
-+		type nis_initrc_exec_t;
++		type ypbind_initrc_exec_t, nis_initrc_exec_t;
  	')
  
  	allow $1 ypbind_t:process { ptrace signal_perms };
-@@ -296,6 +340,13 @@
+@@ -308,6 +350,13 @@
  	allow $1 ypxfr_t:process { ptrace signal_perms };
  	ps_process_pattern($1, ypxfr_t)
  
@@ -19992,7 +19509,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
  	files_list_tmp($1)
  	admin_pattern($1, ypbind_tmp_t)
  
-@@ -311,3 +362,31 @@
+@@ -323,3 +372,30 @@
  
  	admin_pattern($1, ypserv_var_run_t)
  ')
@@ -20023,10 +19540,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
 +	nis_domtrans_ypbind($1)
 +	role $2 types ypbind_t;
 +')
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.7.9/policy/modules/services/nis.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.7.15/policy/modules/services/nis.te
 --- nsaserefpolicy/policy/modules/services/nis.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/nis.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/nis.te	2010-03-18 10:44:43.000000000 -0400
 @@ -13,6 +13,9 @@
  type ypbind_exec_t;
  init_daemon_domain(ypbind_t, ypbind_exec_t)
@@ -20098,9 +19614,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
  corenet_tcp_bind_all_rpc_ports(ypxfr_t)
  corenet_udp_bind_all_rpc_ports(ypxfr_t)
  corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.7.9/policy/modules/services/nscd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.7.15/policy/modules/services/nscd.if
 --- nsaserefpolicy/policy/modules/services/nscd.if	2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/nscd.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/nscd.if	2010-03-18 10:44:43.000000000 -0400
 @@ -121,6 +121,24 @@
  
  ########################################
@@ -20135,9 +19651,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd
  ')
  
  ########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.7.9/policy/modules/services/nscd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.7.15/policy/modules/services/nscd.te
 --- nsaserefpolicy/policy/modules/services/nscd.te	2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/nscd.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/nscd.te	2010-03-18 10:44:43.000000000 -0400
 @@ -1,10 +1,17 @@
  
 -policy_module(nscd, 1.10.0)
@@ -20182,9 +19698,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd
 +optional_policy(`
 +	unconfined_dontaudit_rw_packet_sockets(nscd_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.fc serefpolicy-3.7.9/policy/modules/services/ntop.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.fc serefpolicy-3.7.15/policy/modules/services/ntop.fc
 --- nsaserefpolicy/policy/modules/services/ntop.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/ntop.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/ntop.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -1,7 +1,6 @@
  /etc/ntop(/.*)?			gen_context(system_u:object_r:ntop_etc_t,s0)
  
@@ -20193,9 +19709,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop
  
  /var/lib/ntop(/.*)?		gen_context(system_u:object_r:ntop_var_lib_t,s0)
  /var/run/ntop\.pid	--	gen_context(system_u:object_r:ntop_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.te serefpolicy-3.7.9/policy/modules/services/ntop.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop.te serefpolicy-3.7.15/policy/modules/services/ntop.te
 --- nsaserefpolicy/policy/modules/services/ntop.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/ntop.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/ntop.te	2010-03-18 10:44:43.000000000 -0400
 @@ -11,12 +11,12 @@
  init_daemon_domain(ntop_t, ntop_exec_t)
  application_domain(ntop_t, ntop_exec_t)
@@ -20286,9 +19802,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntop
  	seutil_sigchld_newrole(ntop_t)
  ')
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.7.9/policy/modules/services/ntp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.7.15/policy/modules/services/ntp.te
 --- nsaserefpolicy/policy/modules/services/ntp.te	2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/ntp.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/ntp.te	2010-03-18 10:44:43.000000000 -0400
 @@ -100,6 +100,8 @@
  
  fs_getattr_all_fs(ntpd_t)
@@ -20298,9 +19814,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
  
  term_use_ptmx(ntpd_t)
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.7.9/policy/modules/services/nut.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.7.15/policy/modules/services/nut.te
 --- nsaserefpolicy/policy/modules/services/nut.te	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/nut.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/nut.te	2010-03-18 10:44:43.000000000 -0400
 @@ -29,7 +29,8 @@
  # Local policy for upsd
  #
@@ -20319,17 +19835,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.
  
  # /usr/bin/wall
  term_write_all_terms(nut_upsmon_t)
-@@ -123,7 +125,9 @@
+@@ -100,6 +102,12 @@
+ 
+ miscfiles_read_localization(nut_upsmon_t)
+ 
++mta_send_mail(nut_upsmon_t)
++
++optional_policy(`
++	shutdown_domtrans(nut_upsmon_t)
++')
++
+ ########################################
+ #
+ # Local policy for upsdrvctl
+@@ -123,6 +131,7 @@
  kernel_read_kernel_sysctls(nut_upsdrvctl_t)
  
  # /sbin/upsdrvctl executes other drivers
 +# can_exec(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)
  corecmd_exec_bin(nut_upsdrvctl_t)
-+corecmd_exec_sbin(nut_upsdrvctl_t)
  
  dev_read_urand(nut_upsdrvctl_t)
- dev_rw_generic_usb_dev(nut_upsdrvctl_t)
-@@ -149,5 +153,15 @@
+@@ -149,5 +158,15 @@
  
  	read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t)
  
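Review bot: `mta_send_mail(nut_upsmon_t)` is added as an unconditional call, whereas the `shutdown_domtrans(nut_upsmon_t)` call right below it is wrapped in `optional_policy()`; unless the mta module is guaranteed to be part of the base policy, an unguarded cross-module call makes the nut module fail to build or link when mta is absent. Wrap it the same way: `optional_policy(` / `	mta_send_mail(nut_upsmon_t)` / `')`. A one-line comment stating why upsmon sends mail (presumably its notification path — confirm) would also help the next reviewer of this domain's privilege set.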
@@ -20345,9 +19872,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.
 +
 +	sysnet_dns_name_resolve(httpd_nutups_cgi_script_t)
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.7.9/policy/modules/services/nx.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.7.15/policy/modules/services/nx.fc
 --- nsaserefpolicy/policy/modules/services/nx.fc	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/nx.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/nx.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -1,7 +1,15 @@
  /opt/NX/bin/nxserver		--	gen_context(system_u:object_r:nx_server_exec_t,s0)
  
@@ -20366,9 +19893,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.f
 +/var/lib/nxserver(/.*)? 		gen_context(system_u:object_r:nx_server_var_lib_t,s0)
 +
  /usr/libexec/nx/nxserver	--	gen_context(system_u:object_r:nx_server_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.7.9/policy/modules/services/nx.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.if serefpolicy-3.7.15/policy/modules/services/nx.if
 --- nsaserefpolicy/policy/modules/services/nx.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/nx.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/nx.if	2010-03-18 10:44:43.000000000 -0400
 @@ -17,3 +17,70 @@
  
  	spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t)
@@ -20440,9 +19967,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.i
 +
 +	filetrans_pattern($1, nx_server_var_lib_t, $2, $3)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.7.9/policy/modules/services/nx.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.te serefpolicy-3.7.15/policy/modules/services/nx.te
 --- nsaserefpolicy/policy/modules/services/nx.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/nx.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/nx.te	2010-03-18 10:44:43.000000000 -0400
 @@ -25,6 +25,12 @@
  type nx_server_var_run_t;
  files_pid_file(nx_server_var_run_t)
@@ -20477,9 +20004,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.t
  kernel_read_system_state(nx_server_t)
  kernel_read_kernel_sysctls(nx_server_t)
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.7.9/policy/modules/services/oddjob.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.if serefpolicy-3.7.15/policy/modules/services/oddjob.if
 --- nsaserefpolicy/policy/modules/services/oddjob.if	2009-07-28 13:28:33.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/oddjob.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/oddjob.if	2010-03-18 10:44:43.000000000 -0400
 @@ -44,6 +44,7 @@
  	')
  
@@ -20488,9 +20015,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj
  ')
  
  ########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.7.9/policy/modules/services/oddjob.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.7.15/policy/modules/services/oddjob.te
 --- nsaserefpolicy/policy/modules/services/oddjob.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/oddjob.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/oddjob.te	2010-03-18 10:44:43.000000000 -0400
 @@ -100,8 +100,7 @@
  
  # Add/remove user home directories
@@ -20502,9 +20029,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj
 +userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
 +userdom_manage_user_home_content(oddjob_mkhomedir_t)
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.7.9/policy/modules/services/openvpn.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.7.15/policy/modules/services/openvpn.te
 --- nsaserefpolicy/policy/modules/services/openvpn.te	2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/openvpn.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/openvpn.te	2010-03-18 10:44:43.000000000 -0400
 @@ -41,7 +41,7 @@
  # openvpn local policy
  #
@@ -20540,9 +20067,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/open
  sysnet_etc_filetrans_config(openvpn_t)
  
  userdom_use_user_terminals(openvpn_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.if serefpolicy-3.7.9/policy/modules/services/pcscd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.if serefpolicy-3.7.15/policy/modules/services/pcscd.if
 --- nsaserefpolicy/policy/modules/services/pcscd.if	2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/pcscd.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/pcscd.if	2010-03-18 10:44:43.000000000 -0400
 @@ -39,6 +39,44 @@
  
  ########################################
@@ -20588,9 +20115,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcsc
  ##	Connect to pcscd over an unix stream socket.
  ## </summary>
  ## <param name="domain">
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.7.9/policy/modules/services/pegasus.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.7.15/policy/modules/services/pegasus.te
 --- nsaserefpolicy/policy/modules/services/pegasus.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/pegasus.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/pegasus.te	2010-03-18 10:44:43.000000000 -0400
 @@ -30,7 +30,7 @@
  # Local policy
  #
@@ -20662,9 +20189,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega
 +	xen_stream_connect(pegasus_t)
 +	xen_stream_connect_xenstore(pegasus_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.fc serefpolicy-3.7.9/policy/modules/services/plymouthd.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.fc serefpolicy-3.7.15/policy/modules/services/plymouthd.fc
 --- nsaserefpolicy/policy/modules/services/plymouthd.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/plymouthd.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/plymouthd.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -0,0 +1,9 @@
 +/bin/plymouth				--	gen_context(system_u:object_r:plymouth_exec_t, s0)
 +
@@ -20675,9 +20202,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym
 +/var/lib/plymouth(/.*)?				gen_context(system_u:object_r:plymouthd_var_lib_t, s0)
 +
 +/var/run/plymouth(/.*)?				gen_context(system_u:object_r:plymouthd_var_run_t, s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.if serefpolicy-3.7.9/policy/modules/services/plymouthd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.if serefpolicy-3.7.15/policy/modules/services/plymouthd.if
 --- nsaserefpolicy/policy/modules/services/plymouthd.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/plymouthd.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/plymouthd.if	2010-03-18 10:44:43.000000000 -0400
 @@ -0,0 +1,322 @@
 +## <summary>policy for plymouthd</summary>
 +
@@ -21001,9 +20528,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym
 +
 +	allow $1 plymouthd_t:unix_stream_socket connectto;
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.te serefpolicy-3.7.9/policy/modules/services/plymouthd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouthd.te serefpolicy-3.7.15/policy/modules/services/plymouthd.te
 --- nsaserefpolicy/policy/modules/services/plymouthd.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/plymouthd.te	2010-02-16 15:20:46.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/plymouthd.te	2010-03-18 10:44:43.000000000 -0400
 @@ -0,0 +1,105 @@
 +policy_module(plymouthd, 1.0.0)
 +
@@ -21032,7 +20559,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym
 +
 +type plymouth_t;
 +type plymouth_exec_t;
-+init_daemon_domain(plymouth_t, plymouth_exec_t)
++application_domain(plymouth_t, plymouth_exec_t)
 +
 +########################################
 +#
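Review bot: Switching `plymouth_t` from `init_daemon_domain` to `application_domain` removes the automatic transition from the init-script domain, so `/bin/plymouth` only runs in `plymouth_t` if every caller invokes an explicit domain-transition interface from plymouthd.if; confirm such an interface exists and that the domains that actually launch plymouth call it, otherwise the binary executes in the caller's domain and none of the new plymouth_t policy applies. A comment above the changed line stating the intended callers would make the choice reviewable, e.g. `# plymouth is a client invoked by other domains, not an init daemon; callers transition via plymouthd.if`. The plymouthd.if section on this page shows only its header, so the existence of the domtrans interface is inferred, not verified.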
@@ -21110,9 +20637,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plym
 +	hal_dontaudit_rw_pipes(plymouth_t)
 +')
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.7.9/policy/modules/services/policykit.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.7.15/policy/modules/services/policykit.fc
 --- nsaserefpolicy/policy/modules/services/policykit.fc	2009-08-18 11:41:14.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/policykit.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/policykit.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -6,10 +6,13 @@
  /usr/libexec/polkit-read-auth-helper	--	gen_context(system_u:object_r:policykit_auth_exec_t,s0)
  /usr/libexec/polkit-grant-helper.*	--	gen_context(system_u:object_r:policykit_grant_exec_t,s0)
@@ -21128,9 +20655,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
  /var/lib/PolicyKit-public(/.*)?			gen_context(system_u:object_r:policykit_var_lib_t,s0)
  /var/run/PolicyKit(/.*)?			gen_context(system_u:object_r:policykit_var_run_t,s0)
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.7.9/policy/modules/services/policykit.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.7.15/policy/modules/services/policykit.if
 --- nsaserefpolicy/policy/modules/services/policykit.if	2009-08-18 18:39:50.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/policykit.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/policykit.if	2010-03-18 10:44:43.000000000 -0400
 @@ -17,12 +17,37 @@
  		class dbus send_msg;
  	')
@@ -21227,9 +20754,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
 +
 +	allow $1 policykit_auth_t:process signal;
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.7.9/policy/modules/services/policykit.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.7.15/policy/modules/services/policykit.te
 --- nsaserefpolicy/policy/modules/services/policykit.te	2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/policykit.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/policykit.te	2010-03-18 10:44:43.000000000 -0400
 @@ -36,11 +36,12 @@
  # policykit local policy
  #
@@ -21237,8 +20764,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
 -allow policykit_t self:capability { setgid setuid };
 -allow policykit_t self:process getattr;
 -allow policykit_t self:fifo_file rw_file_perms;
-+allow policykit_t self:capability { setgid setuid sys_ptrace };
-+allow policykit_t self:process { getsched getattr };
++allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_ptrace };
++allow policykit_t self:process { getsched getattr signal };
 +allow policykit_t self:fifo_file rw_fifo_file_perms;
 +
  allow policykit_t self:unix_dgram_socket create_socket_perms;
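Review bot: The capability set for `policykit_t` now grants both `dac_override` and `dac_read_search` with no comment on which access needs them; `dac_override` bypasses every DAC permission check on any file the domain can reach, while `dac_read_search` bypasses only read and search, so if the need is reading authorization files owned by other users the narrower capability may be enough. Add a why-comment above the allow, e.g. `# dac_override/dac_read_search: <access that fails without them> -- TODO confirm dac_read_search alone is not sufficient`, or drop `dac_override` if the denials being fixed are read/search only. The `signal` addition to the process class is likewise unexplained.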
@@ -21262,7 +20789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
  
  auth_use_nsswitch(policykit_t)
  
-@@ -68,21 +73,42 @@
+@@ -68,21 +73,43 @@
  
  miscfiles_read_localization(policykit_t)
  
@@ -21295,7 +20822,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
 -allow policykit_auth_t self:process getattr;
 -allow policykit_auth_t self:fifo_file rw_file_perms;
 +allow policykit_auth_t self:capability { setgid setuid };
-+allow policykit_auth_t self:process { getattr getsched };
++dontaudit policykit_auth_t self:capability sys_tty_config;
++allow policykit_auth_t self:process { getattr getsched signal };
 +allow policykit_auth_t self:fifo_file rw_fifo_file_perms;
 +
  allow policykit_auth_t self:unix_dgram_socket create_socket_perms;
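Review bot: The new `dontaudit policykit_auth_t self:capability sys_tty_config;` is placed between the two `allow` rules for the same domain, whereas the neighbouring rules in this hunk (and the `policykit_t` block in the `@@ -21237` hunk above) keep a domain's allow rules contiguous; move the dontaudit after `allow policykit_auth_t self:fifo_file rw_fifo_file_perms;`. A short comment naming the operation whose denial is being silenced would help, since a dontaudit removes audit evidence that an incident responder may later need.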
@@ -21309,7 +20837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
  
  rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
  
-@@ -92,21 +118,29 @@
+@@ -92,21 +119,29 @@
  manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
  files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
  
@@ -21341,7 +20869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
  	dbus_session_bus_client(policykit_auth_t)
  
  	optional_policy(`
-@@ -119,6 +153,14 @@
+@@ -119,6 +154,14 @@
  	hal_read_state(policykit_auth_t)
  ')
  
@@ -21356,7 +20884,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
  ########################################
  #
  # polkit_grant local policy
-@@ -126,7 +168,8 @@
+@@ -126,7 +169,8 @@
  
  allow policykit_grant_t self:capability setuid;
  allow policykit_grant_t self:process getattr;
@@ -21366,7 +20894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
  allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
  allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
  
-@@ -156,9 +199,12 @@
+@@ -156,9 +200,12 @@
  userdom_read_all_users_state(policykit_grant_t)
  
  optional_policy(`
@@ -21380,7 +20908,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
  		consolekit_dbus_chat(policykit_grant_t)
  	')
  ')
-@@ -170,7 +216,8 @@
+@@ -170,7 +217,8 @@
  
  allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
  allow policykit_resolve_t self:process getattr;
@@ -21390,9 +20918,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
  allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
  allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.7.9/policy/modules/services/portreserve.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.7.15/policy/modules/services/portreserve.te
 --- nsaserefpolicy/policy/modules/services/portreserve.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/portreserve.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/portreserve.te	2010-03-18 10:44:43.000000000 -0400
 @@ -21,6 +21,7 @@
  # Portreserve local policy
  #
@@ -21410,9 +20938,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/port
  corenet_all_recvfrom_unlabeled(portreserve_t)
  corenet_all_recvfrom_netlabel(portreserve_t)
  corenet_tcp_bind_generic_node(portreserve_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.7.9/policy/modules/services/postfix.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.7.15/policy/modules/services/postfix.fc
 --- nsaserefpolicy/policy/modules/services/postfix.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/postfix.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/postfix.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -29,12 +29,10 @@
  /usr/lib/postfix/smtpd	--	gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
  /usr/lib/postfix/bounce	--	gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
@@ -21426,9 +20954,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  /usr/sbin/postdrop	--	gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
  /usr/sbin/postfix	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
  /usr/sbin/postkick	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.9/policy/modules/services/postfix.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.15/policy/modules/services/postfix.if
 --- nsaserefpolicy/policy/modules/services/postfix.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/postfix.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/postfix.if	2010-03-18 10:44:43.000000000 -0400
 @@ -46,6 +46,7 @@
  
  	allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
@@ -21497,7 +21025,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  ##	Allow domain to read postfix local process state
  ## </summary>
  ## <param name="domain">
-@@ -378,7 +405,7 @@
+@@ -368,6 +395,25 @@
+ 	can_exec($1, postfix_master_exec_t)
+ ')
+ 
++#######################################
++## <summary>
++##  Connect to postfix master process using a unix domain stream socket.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++## <rolecap/>
++#
++interface(`postfix_stream_connect_master',`
++    gen_require(`
++        type postfix_master_t, postfix_public_t;
++    ')
++
++    stream_connect_pattern($1, postfix_public_t, postfix_public_t, postfix_master_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	Create a named socket in a postfix private directory.
+@@ -378,7 +424,7 @@
  ##	</summary>
  ## </param>
  #
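Review bot: The new `postfix_stream_connect_master` interface is indented with four spaces and its doc block with two, while the rest of postfix.if uses tabs (the `gen_require` bodies and `allow postfix_$1_t ...` lines in the neighbouring hunks), and its separator rule is 39 `#` where the file's separators are 40; re-indent with tabs and match the width so the interface reads like its neighbours. The `<rolecap/>` tag marks an interface intended to be handed out to user roles; if the only intended callers are other daemon domains, that tag is probably not wanted — worth confirming against the caller this was added for.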
@@ -21506,7 +21060,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  	gen_require(`
  		type postfix_private_t;
  	')
-@@ -389,6 +416,25 @@
+@@ -389,6 +435,25 @@
  
  ########################################
  ## <summary>
@@ -21532,7 +21086,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  ##	Execute the master postfix program in the
  ##	postfix_master domain.
  ## </summary>
-@@ -418,10 +464,10 @@
+@@ -418,10 +483,10 @@
  #
  interface(`postfix_search_spool',`
  	gen_require(`
@@ -21545,20 +21099,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  	files_search_spool($1)
  ')
  
-@@ -437,11 +483,30 @@
+@@ -437,15 +502,34 @@
  #
  interface(`postfix_list_spool',`
  	gen_require(`
 -		type postfix_spool_t;
 +		attribute postfix_spool_type;
-+	')
-+
+ 	')
+ 
+-	allow $1 postfix_spool_t:dir list_dir_perms;
 +	allow $1 postfix_spool_type:dir list_dir_perms;
-+	files_search_spool($1)
-+')
-+
-+########################################
-+## <summary>
+ 	files_search_spool($1)
+ ')
+ 
+ ########################################
+ ## <summary>
 +##	Getattr postfix mail spool files.
 +## </summary>
 +## <param name="domain">
@@ -21570,15 +21125,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 +interface(`postfix_getattr_spool_files',`
 +	gen_require(`
 +		attribute postfix_spool_type;
- 	')
- 
--	allow $1 postfix_spool_t:dir list_dir_perms;
- 	files_search_spool($1)
++	')
++
++	files_search_spool($1)
 +	getattr_files_pattern($1, postfix_spool_type, postfix_spool_type)
- ')
- 
- ########################################
-@@ -456,16 +521,16 @@
++')
++
++########################################
++## <summary>
+ ##	Read postfix mail spool files.
+ ## </summary>
+ ## <param name="domain">
+@@ -456,16 +540,16 @@
  #
  interface(`postfix_read_spool_files',`
  	gen_require(`
@@ -21598,7 +21156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -475,11 +540,11 @@
+@@ -475,11 +559,11 @@
  #
  interface(`postfix_manage_spool_files',`
  	gen_require(`
@@ -21612,7 +21170,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  ')
  
  ########################################
-@@ -500,3 +565,62 @@
+@@ -500,3 +584,80 @@
  
  	typeattribute $1 postfix_user_domtrans;
  ')
@@ -21655,6 +21213,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 +	domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t)
 +')
 +
++#######################################
++## <summary>
++##  Execute the master postqueue in the caller domain.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`posftix_exec_postqueue',`
++    gen_require(`
++        type postfix_postqueue_exec_t;
++    ')
++
++    can_exec($1, postfix_postqueue_exec_t)
++')
++
 +########################################
 +## <summary>
 +##	Execute the master postdrop in the
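Review bot: The interface name `posftix_exec_postqueue` is misspelled; a caller using the intended `postfix_exec_postqueue` will fail at policy build time, and the misspelling also hides the interface from any search for `postfix_` interfaces, so rename it before anything depends on it. The summary `Execute the master postqueue in the caller domain.` looks copied from the postdrop interface below; the rule is a plain `can_exec` with no master-process involvement, so `Execute postqueue in the caller domain.` describes it. As with the other additions in this patch, the body is indented with spaces while the surrounding file uses tabs.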
@@ -21675,9 +21251,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 +	role $2 types postfix_postdrop_t;
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.9/policy/modules/services/postfix.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.7.15/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/postfix.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/postfix.te	2010-03-18 10:44:43.000000000 -0400
 @@ -6,6 +6,15 @@
  # Declarations
  #
@@ -21710,12 +21286,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  
  type postfix_exec_t;
  application_executable_file(postfix_exec_t)
-@@ -27,13 +36,17 @@
+@@ -27,13 +36,20 @@
  postfix_server_domain_template(local)
  mta_mailserver_delivery(postfix_local_t)
  
 -type postfix_local_tmp_t;
 -files_tmp_file(postfix_local_tmp_t)
++# Handle vacation script
++mta_send_mail(postfix_local_t)
++
 +userdom_read_user_home_content_files(postfix_local_t)
 +
 +tunable_policy(`allow_postfix_local_write_mail_spool',`
@@ -21730,7 +21309,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  
  type postfix_map_tmp_t;
  files_tmp_file(postfix_map_tmp_t)
-@@ -68,13 +81,13 @@
+@@ -68,13 +84,13 @@
  
  postfix_server_domain_template(smtpd)
  
@@ -21747,7 +21326,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  files_type(postfix_spool_flush_t)
  
  type postfix_public_t;
-@@ -90,9 +103,6 @@
+@@ -90,9 +106,6 @@
  postfix_server_domain_template(virtual)
  mta_mailserver_delivery(postfix_virtual_t)
  
@@ -21757,7 +21336,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  ########################################
  #
  # Postfix master process local policy
-@@ -103,6 +113,7 @@
+@@ -103,6 +116,7 @@
  allow postfix_master_t self:fifo_file rw_fifo_file_perms;
  allow postfix_master_t self:tcp_socket create_stream_socket_perms;
  allow postfix_master_t self:udp_socket create_socket_perms;
@@ -21765,7 +21344,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  
  allow postfix_master_t postfix_etc_t:file rw_file_perms;
  
-@@ -132,6 +143,7 @@
+@@ -132,6 +146,7 @@
  # allow access to deferred queue and allow removing bogus incoming entries
  manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
  manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
@@ -21773,7 +21352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  
  allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
  allow postfix_master_t postfix_spool_bounce_t:file getattr;
-@@ -142,6 +154,7 @@
+@@ -142,6 +157,7 @@
  
  delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
  rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
@@ -21781,7 +21360,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  
  kernel_read_all_sysctls(postfix_master_t)
  
-@@ -153,6 +166,9 @@
+@@ -153,6 +169,9 @@
  corenet_udp_sendrecv_generic_node(postfix_master_t)
  corenet_tcp_sendrecv_all_ports(postfix_master_t)
  corenet_udp_sendrecv_all_ports(postfix_master_t)
@@ -21791,7 +21370,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  corenet_tcp_bind_generic_node(postfix_master_t)
  corenet_tcp_bind_amavisd_send_port(postfix_master_t)
  corenet_tcp_bind_smtp_port(postfix_master_t)
-@@ -170,6 +186,8 @@
+@@ -170,6 +189,8 @@
  domain_use_interactive_fds(postfix_master_t)
  
  files_read_usr_files(postfix_master_t)
@@ -21800,7 +21379,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  
  term_dontaudit_search_ptys(postfix_master_t)
  
-@@ -181,6 +199,7 @@
+@@ -181,6 +202,7 @@
  
  mta_rw_aliases(postfix_master_t)
  mta_read_sendmail_bin(postfix_master_t)
@@ -21808,7 +21387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  
  ifdef(`distro_redhat',`
  	# for newer main.cf that uses /etc/aliases
-@@ -193,6 +212,10 @@
+@@ -193,6 +215,10 @@
  ')
  
  optional_policy(`
@@ -21819,7 +21398,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  #	for postalias
  	mailman_manage_data_files(postfix_master_t)
  ')
-@@ -202,6 +225,10 @@
+@@ -202,6 +228,10 @@
  ')
  
  optional_policy(`
@@ -21830,7 +21409,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  	sendmail_signal(postfix_master_t)
  ')
  
-@@ -219,6 +246,7 @@
+@@ -219,6 +249,7 @@
  manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
  manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
  manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
@@ -21838,7 +21417,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  
  manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
  manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
-@@ -240,11 +268,18 @@
+@@ -240,11 +271,18 @@
  manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
  manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
  manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
@@ -21857,7 +21436,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  ########################################
  #
  # Postfix local local policy
-@@ -253,10 +288,6 @@
+@@ -253,10 +291,6 @@
  allow postfix_local_t self:fifo_file rw_fifo_file_perms;
  allow postfix_local_t self:process { setsched setrlimit };
  
@@ -21868,7 +21447,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  # connect to master process
  stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
  
-@@ -270,18 +301,29 @@
+@@ -270,18 +304,31 @@
  
  files_read_etc_files(postfix_local_t)
  
@@ -21880,6 +21459,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  mta_read_config(postfix_local_t)
  
 +domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
++# Might be a leak, but I need a postfix expert to explain
++allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };    
 +
  optional_policy(`
  	clamav_search_lib(postfix_local_t)
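Review bot: The new `allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };` grants the access while the comment above it says the author does not know whether it is a descriptor leak; granting a suspected leak is the wrong default, since a leaked socket the program never uses only needs silencing, not permission. The rule sits directly under the new `domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)`, so the socket is presumably inherited across that transition; if postdrop does not actually read or write it, `dontaudit postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };` keeps the log quiet without widening the policy, and if it does, the comment should name the path that needs it instead of deferring to an unnamed expert. The added line also ends in trailing whitespace.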
@@ -21898,7 +21479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  ')
  
  optional_policy(`
-@@ -292,8 +334,7 @@
+@@ -292,8 +339,7 @@
  #
  # Postfix map local policy
  #
@@ -21908,7 +21489,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
  allow postfix_map_t self:unix_dgram_socket create_socket_perms;
  allow postfix_map_t self:tcp_socket create_stream_socket_perms;
-@@ -340,14 +381,15 @@
+@@ -340,14 +386,15 @@
  
  miscfiles_read_localization(postfix_map_t)
  
@@ -21928,7 +21509,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  ########################################
  #
  # Postfix pickup local policy
-@@ -372,6 +414,7 @@
+@@ -372,6 +419,7 @@
  #
  
  allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
@@ -21936,7 +21517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  
  write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
  
-@@ -379,6 +422,12 @@
+@@ -379,6 +427,12 @@
  
  rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
  
@@ -21949,7 +21530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  optional_policy(`
  	procmail_domtrans(postfix_pipe_t)
  ')
-@@ -388,6 +437,16 @@
+@@ -388,6 +442,16 @@
  ')
  
  optional_policy(`
@@ -21966,7 +21547,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  	uucp_domtrans_uux(postfix_pipe_t)
  ')
  
-@@ -415,6 +474,10 @@
+@@ -415,6 +479,10 @@
  mta_rw_user_mail_stream_sockets(postfix_postdrop_t)
  
  optional_policy(`
@@ -21977,7 +21558,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  	cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
  ')
  
-@@ -424,8 +487,11 @@
+@@ -424,8 +492,11 @@
  ')
  
  optional_policy(`
@@ -21991,7 +21572,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  ')
  
  #######################################
-@@ -451,6 +517,15 @@
+@@ -451,6 +522,15 @@
  init_sigchld_script(postfix_postqueue_t)
  init_use_script_fds(postfix_postqueue_t)
  
@@ -22007,7 +21588,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  ########################################
  #
  # Postfix qmgr local policy
-@@ -464,6 +539,7 @@
+@@ -464,6 +544,7 @@
  manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
  manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
  manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
@@ -22015,7 +21596,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  
  allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
  allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
-@@ -499,13 +575,14 @@
+@@ -499,13 +580,14 @@
  #
  
  # connect to master process
@@ -22031,7 +21612,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  
  optional_policy(`
  	cyrus_stream_connect(postfix_smtp_t)
-@@ -535,9 +612,18 @@
+@@ -535,9 +617,18 @@
  
  # for OpenSSL certificates
  files_read_usr_files(postfix_smtpd_t)
@@ -22050,7 +21631,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  	mailman_read_data_files(postfix_smtpd_t)
  ')
  
-@@ -559,20 +645,22 @@
+@@ -559,20 +650,22 @@
  
  allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
  
@@ -22078,9 +21659,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
 +userdom_manage_user_home_content(postfix_virtual_t)
 +userdom_home_filetrans_user_home_dir(postfix_virtual_t)
 +userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.7.9/policy/modules/services/postgresql.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.7.15/policy/modules/services/postgresql.fc
 --- nsaserefpolicy/policy/modules/services/postgresql.fc	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/postgresql.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/postgresql.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -3,6 +3,7 @@
  #
  /etc/postgresql(/.*)?			gen_context(system_u:object_r:postgresql_etc_t,s0)
@@ -22107,9 +21688,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  /var/run/postgresql(/.*)?		gen_context(system_u:object_r:postgresql_var_run_t,s0)
 +
 +/var/run/postmaster.*			gen_context(system_u:object_r:postgresql_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.7.9/policy/modules/services/postgresql.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.7.15/policy/modules/services/postgresql.if
 --- nsaserefpolicy/policy/modules/services/postgresql.if	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/postgresql.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/postgresql.if	2010-03-18 10:44:43.000000000 -0400
 @@ -125,6 +125,23 @@
  	typeattribute $1 sepgsql_table_type;
  ')
@@ -22134,9 +21715,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  ########################################
  ## <summary>
  ##	Marks as a SE-PostgreSQL system table/column/tuple object type
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.7.9/policy/modules/services/postgresql.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.7.15/policy/modules/services/postgresql.te
 --- nsaserefpolicy/policy/modules/services/postgresql.te	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/postgresql.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/postgresql.te	2010-03-18 10:44:43.000000000 -0400
 @@ -150,6 +150,7 @@
  dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
  allow postgresql_t self:process signal_perms;
@@ -22171,9 +21752,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  
  miscfiles_read_localization(postgresql_t)
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.7.9/policy/modules/services/ppp.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.7.15/policy/modules/services/ppp.fc
 --- nsaserefpolicy/policy/modules/services/ppp.fc	2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/ppp.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/ppp.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -3,6 +3,7 @@
  #
  /etc/rc\.d/init\.d/ppp		--	gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
@@ -22182,9 +21763,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
  /etc/ppp			-d	gen_context(system_u:object_r:pppd_etc_t,s0)
  /etc/ppp(/.*)?			--	gen_context(system_u:object_r:pppd_etc_rw_t,s0)
  /etc/ppp/peers(/.*)?			gen_context(system_u:object_r:pppd_etc_rw_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.7.9/policy/modules/services/ppp.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.7.15/policy/modules/services/ppp.if
 --- nsaserefpolicy/policy/modules/services/ppp.if	2010-01-18 15:04:31.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/ppp.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/ppp.if	2010-03-18 10:44:43.000000000 -0400
 @@ -182,6 +182,10 @@
  	ppp_domtrans($1)
  	role $2 types pppd_t;
@@ -22196,18 +21777,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
  ')
  
  ########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.7.9/policy/modules/services/ppp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.7.15/policy/modules/services/ppp.te
 --- nsaserefpolicy/policy/modules/services/ppp.te	2010-01-18 15:04:31.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/ppp.te	2010-02-16 15:08:37.000000000 -0500
-@@ -66,14 +66,17 @@
- type pptp_var_run_t;
- files_pid_file(pptp_var_run_t)
- 
-+type pppd_home_t;
-+files_type(pppd_secret_t)
-+
- ########################################
- #
++++ serefpolicy-3.7.15/policy/modules/services/ppp.te	2010-03-18 10:44:43.000000000 -0400
+@@ -71,9 +71,9 @@
  # PPPD Local policy
  #
  
@@ -22219,7 +21792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
  allow pppd_t self:fifo_file rw_fifo_file_perms;
  allow pppd_t self:socket create_socket_perms;
  allow pppd_t self:unix_dgram_socket create_socket_perms;
-@@ -168,6 +171,7 @@
+@@ -168,6 +168,7 @@
  auth_use_nsswitch(pppd_t)
  
  logging_send_syslog_msg(pppd_t)
@@ -22227,7 +21800,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
  
  miscfiles_read_localization(pppd_t)
  
-@@ -193,6 +197,8 @@
+@@ -193,6 +194,8 @@
  
  optional_policy(`
  	mta_send_mail(pppd_t)
@@ -22236,7 +21809,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
  ')
  
  optional_policy(`
-@@ -289,6 +295,7 @@
+@@ -289,6 +292,7 @@
  
  userdom_dontaudit_use_unpriv_user_fds(pptp_t)
  userdom_dontaudit_search_user_home_dirs(pptp_t)
@@ -22244,9 +21817,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.
  
  optional_policy(`
  	consoletype_exec(pppd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.7.9/policy/modules/services/prelude.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.7.15/policy/modules/services/prelude.te
 --- nsaserefpolicy/policy/modules/services/prelude.te	2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/prelude.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/prelude.te	2010-03-18 10:44:43.000000000 -0400
 @@ -90,6 +90,7 @@
  corenet_tcp_bind_prelude_port(prelude_t)
  corenet_tcp_connect_prelude_port(prelude_t)
@@ -22264,9 +21837,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
  fs_rw_anon_inodefs_files(prelude_lml_t)
  
  auth_use_nsswitch(prelude_lml_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.7.9/policy/modules/services/procmail.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.7.15/policy/modules/services/procmail.te
 --- nsaserefpolicy/policy/modules/services/procmail.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/procmail.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/procmail.te	2010-03-18 10:44:43.000000000 -0400
 @@ -22,7 +22,7 @@
  # Local policy
  #
@@ -22314,9 +21887,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc
  ')
  
  optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.7.9/policy/modules/services/pyzor.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.7.15/policy/modules/services/pyzor.fc
 --- nsaserefpolicy/policy/modules/services/pyzor.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/pyzor.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/pyzor.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -1,6 +1,10 @@
  /etc/pyzor(/.*)?		gen_context(system_u:object_r:pyzor_etc_t, s0)
 +/etc/rc\.d/init\.d/pyzord	--	gen_context(system_u:object_r:pyzord_initrc_exec_t,s0)
@@ -22328,9 +21901,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
  
  /usr/bin/pyzor		--	gen_context(system_u:object_r:pyzor_exec_t,s0)
  /usr/bin/pyzord		--	gen_context(system_u:object_r:pyzord_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.7.9/policy/modules/services/pyzor.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.7.15/policy/modules/services/pyzor.if
 --- nsaserefpolicy/policy/modules/services/pyzor.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/pyzor.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/pyzor.if	2010-03-18 10:44:43.000000000 -0400
 @@ -88,3 +88,50 @@
  	corecmd_search_bin($1)
  	can_exec($1, pyzor_exec_t)
@@ -22382,9 +21955,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
 +')
 +
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.7.9/policy/modules/services/pyzor.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.7.15/policy/modules/services/pyzor.te
 --- nsaserefpolicy/policy/modules/services/pyzor.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/pyzor.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/pyzor.te	2010-03-18 10:44:43.000000000 -0400
 @@ -6,6 +6,38 @@
  # Declarations
  #
@@ -22449,9 +22022,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo
  userdom_dontaudit_search_user_home_dirs(pyzor_t)
  
  optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.7.9/policy/modules/services/radvd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.7.15/policy/modules/services/radvd.te
 --- nsaserefpolicy/policy/modules/services/radvd.te	2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/radvd.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/radvd.te	2010-03-18 10:44:43.000000000 -0400
 @@ -22,9 +22,9 @@
  #
  # Local policy
@@ -22487,17 +22060,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radv
  	seutil_sigchld_newrole(radvd_t)
  ')
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.7.9/policy/modules/services/razor.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.7.15/policy/modules/services/razor.fc
 --- nsaserefpolicy/policy/modules/services/razor.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/razor.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/razor.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -1,3 +1,4 @@
 +/root/\.razor(/.*)?		gen_context(system_u:object_r:razor_home_t,s0)
  HOME_DIR/\.razor(/.*)?		gen_context(system_u:object_r:razor_home_t,s0)
  
  /etc/razor(/.*)?		gen_context(system_u:object_r:razor_etc_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.7.9/policy/modules/services/razor.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.7.15/policy/modules/services/razor.if
 --- nsaserefpolicy/policy/modules/services/razor.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/razor.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/razor.if	2010-03-18 10:44:43.000000000 -0400
 @@ -157,3 +157,45 @@
  
  	domtrans_pattern($1, razor_exec_t, razor_t)
@@ -22544,9 +22117,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo
 +	read_files_pattern($1, razor_var_lib_t, razor_var_lib_t)
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.7.9/policy/modules/services/razor.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.7.15/policy/modules/services/razor.te
 --- nsaserefpolicy/policy/modules/services/razor.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/razor.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/razor.te	2010-03-18 10:44:43.000000000 -0400
 @@ -6,6 +6,32 @@
  # Declarations
  #
@@ -22598,9 +22171,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razo
 +')
 +
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdisc.if serefpolicy-3.7.9/policy/modules/services/rdisc.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdisc.if serefpolicy-3.7.15/policy/modules/services/rdisc.if
 --- nsaserefpolicy/policy/modules/services/rdisc.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/rdisc.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/rdisc.if	2010-03-18 10:44:43.000000000 -0400
 @@ -1 +1,20 @@
  ## <summary>Network router discovery daemon</summary>
 +
@@ -22619,12 +22192,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rdis
 +                type rdisc_exec_t;
 +        ')
 +
-+        corecmd_search_sbin($1)
++        corecmd_search_bin($1)
 +        can_exec($1,rdisc_exec_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.7.9/policy/modules/services/rgmanager.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.7.15/policy/modules/services/rgmanager.fc
 --- nsaserefpolicy/policy/modules/services/rgmanager.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/rgmanager.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/rgmanager.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -0,0 +1,8 @@
 +
 +/usr/sbin/rgmanager                    --      gen_context(system_u:object_r:rgmanager_exec_t,s0)
@@ -22634,10 +22207,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
 +/var/run/rgmanager\.pid                --      gen_context(system_u:object_r:rgmanager_var_run_t,s0)
 +
 +/var/run/cluster/rgmanager\.sk        -s      gen_context(system_u:object_r:rgmanager_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.7.9/policy/modules/services/rgmanager.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.if serefpolicy-3.7.15/policy/modules/services/rgmanager.if
 --- nsaserefpolicy/policy/modules/services/rgmanager.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/rgmanager.if	2010-02-16 15:08:37.000000000 -0500
-@@ -0,0 +1,59 @@
++++ serefpolicy-3.7.15/policy/modules/services/rgmanager.if	2010-03-18 10:44:43.000000000 -0400
+@@ -0,0 +1,98 @@
 +## <summary>SELinux policy for rgmanager</summary>
 +
 +#######################################
@@ -22697,10 +22270,49 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
 +	stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t)
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.7.9/policy/modules/services/rgmanager.te
++######################################
++## <summary>
++##      Allow manage rgmanager tmpfs files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      The type of the process performing this action.
++##      </summary>
++## </param>
++#
++interface(`rgmanager_manage_tmpfs_files',`
++    gen_require(`
++        type rgmanager_tmpfs_t;
++    ')
++
++    fs_search_tmpfs($1)
++	manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
++    manage_lnk_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
++')
++
++######################################
++## <summary>
++##      Allow manage rgmanager tmp files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      The type of the process performing this action.
++##      </summary>
++## </param>
++#
++interface(`rgmanager_manage_tmp_files',`
++    gen_require(`
++        type rgmanager_tmp_t;
++    ')
++
++    files_search_tmp($1)
++    manage_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t)
++    manage_lnk_files_pattern($1, rgmanager_tmp_t, rgmanager_tmp_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.7.15/policy/modules/services/rgmanager.te
 --- nsaserefpolicy/policy/modules/services/rgmanager.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/rgmanager.te	2010-02-16 15:08:37.000000000 -0500
-@@ -0,0 +1,204 @@
++++ serefpolicy-3.7.15/policy/modules/services/rgmanager.te	2010-03-18 10:44:43.000000000 -0400
+@@ -0,0 +1,223 @@
 +
 +policy_module(rgmanager,1.0.0)
 +
@@ -22741,7 +22353,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
 +# rgmanager local policy
 +#
 +
-+allow rgmanager_t self:capability { sys_nice ipc_lock };
++allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
 +dontaudit rgmanager_t self:capability { sys_ptrace };
 +allow rgmanager_t self:process { setsched signal };
 +dontaudit rgmanager_t self:process { ptrace };
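Review bot: The rgmanager_t capability set grows from `{ sys_nice ipc_lock }` to add `dac_override`, `net_raw`, `sys_resource` and `sys_admin` with no comment saying which resource agent needs which; `dac_override` lets the domain bypass DAC permission checks on everything its type rules already reach, and `sys_admin` is near root-equivalent on the kernel side. Put a one-line justification above the rule for each (for example `# dac_override/sys_admin: needed by resource agents — TODO confirm which`) so they can be pruned later, and consider `dontaudit` for any that only show up as audit noise, as the `sys_ptrace` line just below already does.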
@@ -22770,12 +22382,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
 +files_pid_filetrans(rgmanager_t,rgmanager_var_run_t, { file sock_file })
 +
 +corecmd_exec_bin(rgmanager_t)
-+corecmd_exec_sbin(rgmanager_t)
 +corecmd_exec_shell(rgmanager_t)
 +consoletype_exec(rgmanager_t)
 +
++kernel_kill(rgmanager_t)
 +kernel_read_kernel_sysctls(rgmanager_t)
++kernel_read_rpc_sysctls(rgmanager_t)
++kernel_read_system_state(rgmanager_t)
++kernel_rw_rpc_sysctls(rgmanager_t)
 +kernel_search_debugfs(rgmanager_t)
++kernel_search_network_state(rgmanager_t)
 +
 +fs_getattr_xattr_fs(rgmanager_t)
 +
@@ -22788,16 +22404,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
 +domain_getattr_all_domains(rgmanager_t)
 +domain_dontaudit_ptrace_all_domains(rgmanager_t)
 +
++storage_getattr_fixed_disk_dev(rgmanager_t)
++
 +# needed by resources scripts
 +auth_read_all_files_except_shadow(rgmanager_t)
 +auth_dontaudit_getattr_shadow(rgmanager_t)
 +
 +files_list_all(rgmanager_t)
 +files_getattr_all_symlinks(rgmanager_t)
++files_manage_mnt_dirs(rgmanager_t)
++files_manage_isid_type_dirs(rgmanager_t)
 +
 +files_create_var_run_dirs(rgmanager_t)
 +
-+fs_getattr_xattr_fs(rgmanager_t)
++fs_getattr_all_fs(rgmanager_t)
 +
 +term_getattr_pty_fs(rgmanager_t)
 +#term_use_ptmx(rgmanager_t)
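Review bot: `files_manage_mnt_dirs(rgmanager_t)` and `files_manage_isid_type_dirs(rgmanager_t)` give the domain create/delete rights over /mnt and over directories on unlabelled filesystems with no comment on why, unlike the `# needed by resources scripts` note above `auth_read_all_files_except_shadow`. Presumably resource agents create mount points for shared storage that carries no labels; if so say it, e.g. `# resource agents create mount points on unlabelled shared storage — TODO confirm`, and if only a fixed directory is involved a dedicated type would be tighter than the unlabelled-filesystem attribute. Widening `fs_getattr_xattr_fs` to `fs_getattr_all_fs` likewise deserves a short note.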
@@ -22811,15 +22431,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
 +
 +miscfiles_read_localization(rgmanager_t)
 +
++mount_domtrans(rgmanager_t)
++
 +tunable_policy(`rgmanager_can_network_connect',`
 +        corenet_tcp_connect_all_ports(rgmanager_t)
 +')
 +
 +# rgmanager can run resource scripts 
-+
-+
 +optional_policy(`
 +	aisexec_stream_connect(rgmanager_t)
++	corosync_stream_connect(rgmanager_t)
 +')
 +
 +optional_policy(`
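Review bot: `corosync_stream_connect(rgmanager_t)` is moved into the same `optional_policy` block as `aisexec_stream_connect(rgmanager_t)`, but an optional block is dropped as a whole when any module it requires is absent, so a host with corosync but no aisexec module (or the reverse) loses both rules. Keep one module per block: leave aisexec here and put `corosync_stream_connect(rgmanager_t)` back in its own `optional_policy(` … `)` block, which is what the separate block removed further down in this patch provided.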
@@ -22828,10 +22449,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
 +')
 +
 +optional_policy(`
-+	corosync_stream_connect(rgmanager_t)
-+')
-+
-+optional_policy(`
 +        fstools_domtrans(rgmanager_t)
 +')
 +
@@ -22878,11 +22495,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
 +')
 +
 +optional_policy(`
++    ricci_dontaudit_rw_modcluster_pipes(rgmanager_t)
++')
++
++optional_policy(`
 +	rpc_initrc_domtrans_nfsd(rgmanager_t)
 +	rpc_initrc_domtrans_rpcd(rgmanager_t)
 +
 +	rpc_domtrans_nfsd(rgmanager_t)
 +	rpc_domtrans_rpcd(rgmanager_t)
++	rpc_manage_nfs_state_data(rgmanager_t)
 +')
 +
 +optional_policy(`
@@ -22903,18 +22525,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma
 +	udev_read_db(rgmanager_t)
 +')
 +
++optional_policy(`
++       virt_stream_connect(rgmanager_t)
++')
 +
++optional_policy(`
++       unconfined_domain(rgmanager_t)
++')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.7.9/policy/modules/services/rhcs.fc
++optional_policy(`
++	xen_domtrans_xm(rgmanager_t)
++')
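Review bot: `unconfined_domain(rgmanager_t)` under `optional_policy` makes the domain effectively unconfined whenever the unconfined module is loaded, which is the normal case on a targeted policy; in that configuration the `rgmanager_can_network_connect` tunable and the capability and file rules in this file constrain nothing. If this is a stopgap until the resource agents are profiled, mark it as such — the ricci policy in the same patch tags its equivalent with `# XXX This has got to go.` — and track its removal; if it is meant to stay, drop the tunable so the policy does not advertise a control that has no effect. Either way a comment above the line giving the reason is needed.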
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.7.15/policy/modules/services/rhcs.fc
 --- nsaserefpolicy/policy/modules/services/rhcs.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/rhcs.fc	2010-02-16 15:08:37.000000000 -0500
-@@ -0,0 +1,22 @@
++++ serefpolicy-3.7.15/policy/modules/services/rhcs.fc	2010-03-18 10:44:43.000000000 -0400
+@@ -0,0 +1,23 @@
 +/usr/sbin/dlm_controld                     --      gen_context(system_u:object_r:dlm_controld_exec_t,s0)
 +/var/log/cluster/dlm_controld\.log.*   --      gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
 +/var/run/dlm_controld\.pid             --      gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
 +
 +/usr/sbin/fenced                           --      gen_context(system_u:object_r:fenced_exec_t,s0)
 +/usr/sbin/fence_node                   --      gen_context(system_u:object_r:fenced_exec_t,s0)
++/var/lock/fence_manual\.lock  		   --	   gen_context(system_u:object_r:fenced_lock_t,s0)
 +/var/log/cluster/fenced\.log.*         --      gen_context(system_u:object_r:fenced_var_log_t,s0)
 +/var/run/fenced\.pid                   --      gen_context(system_u:object_r:fenced_var_run_t,s0)
 +/var/run/cluster/fenced_override       --      gen_context(system_u:object_r:fenced_var_run_t,s0)
@@ -22931,12 +22563,69 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
 +/var/log/cluster/qdiskd\.log.*         --      gen_context(system_u:object_r:qdiskd_var_log_t,s0)
 +/var/run/qdiskd\.pid                   --      gen_context(system_u:object_r:qdiskd_var_run_t,s0)
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.7.9/policy/modules/services/rhcs.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.7.15/policy/modules/services/rhcs.if
 --- nsaserefpolicy/policy/modules/services/rhcs.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/rhcs.if	2010-02-16 15:08:37.000000000 -0500
-@@ -0,0 +1,367 @@
++++ serefpolicy-3.7.15/policy/modules/services/rhcs.if	2010-03-18 10:44:43.000000000 -0400
+@@ -0,0 +1,424 @@
 +## <summary>SELinux policy for RHCS - Red Hat Cluster Suite </summary>
 +
++#######################################
++## <summary>
++##  Creates types and rules for a basic
++##  rhcs init daemon domain.
++## </summary>
++## <param name="prefix">
++##  <summary>
++##  Prefix for the domain.
++##  </summary>
++## </param>
++#
++template(`rhcs_domain_template',`
++
++    gen_require(`
++        attribute cluster_domain;        
++    ')
++
++	##############################
++	#   
++	#  $1_t declarations
++	#            
++
++	type $1_t, cluster_domain;
++	type $1_exec_t;
++	init_daemon_domain($1_t, $1_exec_t)
++
++	type $1_tmpfs_t;
++	files_tmpfs_file($1_tmpfs_t)
++
++	# log files
++	type $1_var_log_t;
++	logging_log_file($1_var_log_t)
++
++	# pid files
++	type $1_var_run_t;
++	files_pid_file($1_var_run_t)
++
++	##############################
++	#   
++	#  $1_t local policy
++	#            
++
++	manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
++	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
++	fs_tmpfs_filetrans($1_t, $1_tmpfs_t,{ dir file })
++
++	manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
++	manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
++	manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
++	files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file })
++
++	manage_files_pattern($1_t, $1_var_log_t,$1_var_log_t)
++	manage_sock_files_pattern($1_t, $1_var_log_t,$1_var_log_t)
++	logging_log_filetrans($1_t,$1_var_log_t,{ file sock_file })
++	
++')
++
 +######################################
 +## <summary>
 +##      Execute a domain transition to run groupd.
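Review bot: In `rhcs_domain_template` the domain gets `manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)` but the transition rule is `files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file })`, so a socket created under /var/run at runtime would take the directory's label rather than `$1_var_run_t` unless a file-context entry covers its path. The peer daemons in this patch connect with `stream_connect_pattern(..., $X_var_run_t, $X_var_run_t, $X_t)`, which would not match a var_run_t socket; the rgmanager policy earlier in the patch includes `sock_file` in its filetrans for exactly this. Change the line to `files_pid_filetrans($1_t, $1_var_run_t, { file fifo_file sock_file })` unless the sockets are known to be path-labelled. The template also mixes four-space and tab indentation where refpolicy uses tabs.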
@@ -23302,12 +22991,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
 +')
 +
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.9/policy/modules/services/rhcs.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.15/policy/modules/services/rhcs.te
 --- nsaserefpolicy/policy/modules/services/rhcs.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/rhcs.te	2010-02-16 15:08:37.000000000 -0500
-@@ -0,0 +1,419 @@
++++ serefpolicy-3.7.15/policy/modules/services/rhcs.te	2010-03-18 10:44:43.000000000 -0400
+@@ -0,0 +1,248 @@
 +
-+policy_module(rhcs,1.0.0)
++policy_module(rhcs,1.1.0)
 +
 +########################################
 +#
@@ -23321,122 +23010,40 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
 +## </desc>
 +gen_tunable(fenced_can_network_connect, false)
 +
-+type dlm_controld_t;
-+type dlm_controld_exec_t;
-+init_daemon_domain(dlm_controld_t, dlm_controld_exec_t)
-+
-+# log files
-+type dlm_controld_var_log_t; 
-+logging_log_file(dlm_controld_var_log_t)
-+
-+# pid files
-+type dlm_controld_var_run_t;
-+files_pid_file(dlm_controld_var_run_t)
++attribute cluster_domain;
 +
-+type dlm_controld_tmpfs_t;
-+files_tmpfs_file(dlm_controld_tmpfs_t)
++rhcs_domain_template(dlm_controld)
 +
-+type fenced_t;
-+type fenced_exec_t;
-+init_daemon_domain(fenced_t, fenced_exec_t)
++rhcs_domain_template(fenced)
 +
 +# tmp files
 +type fenced_tmp_t;
 +files_tmp_file(fenced_tmp_t)
 +
-+type fenced_tmpfs_t;
-+files_tmpfs_file(fenced_tmpfs_t)
-+
-+# log files
-+type fenced_var_log_t;
-+logging_log_file(fenced_var_log_t)
-+
-+# pid files
-+type fenced_var_run_t;
-+files_pid_file(fenced_var_run_t)
-+
-+type gfs_controld_t;
-+type gfs_controld_exec_t;
-+init_daemon_domain(gfs_controld_t, gfs_controld_exec_t)
-+
-+# log files
-+type gfs_controld_var_log_t;
-+logging_log_file(gfs_controld_var_log_t)
-+
-+# pid files
-+type gfs_controld_var_run_t;
-+files_pid_file(gfs_controld_var_run_t)
-+
-+type gfs_controld_tmpfs_t;
-+files_tmpfs_file(gfs_controld_tmpfs_t)
-+
-+
-+type groupd_t;
-+type groupd_exec_t;
-+init_daemon_domain(groupd_t, groupd_exec_t)
-+
-+# log files
-+type groupd_var_log_t;
-+logging_log_file(groupd_var_log_t)
-+
-+# pid files
-+type groupd_var_run_t;
-+files_pid_file(groupd_var_run_t)
++type fenced_lock_t;
++files_lock_file(fenced_lock_t)
 +
-+type groupd_tmpfs_t;
-+files_tmpfs_file(groupd_tmpfs_t)
++rhcs_domain_template(gfs_controld)
 +
-+type qdiskd_t;
-+type qdiskd_exec_t;
-+init_daemon_domain(qdiskd_t, qdiskd_exec_t)
++rhcs_domain_template(groupd)
 +
-+type qdiskd_tmpfs_t;
-+files_tmpfs_file(qdiskd_tmpfs_t)
++rhcs_domain_template(qdiskd)
 +
 +# var/lib files
 +type qdiskd_var_lib_t;
 +files_type(qdiskd_var_lib_t)
 +
-+# log files
-+type qdiskd_var_log_t;
-+logging_log_file(qdiskd_var_log_t)
-+
-+# pid files
-+type qdiskd_var_run_t;
-+files_pid_file(qdiskd_var_run_t)
-+
 +#####################################
 +#
 +# dlm_controld local policy
 +#
 +
-+allow dlm_controld_t self:capability { net_admin sys_admin sys_nice sys_resource };
-+allow dlm_controld_t self:process setsched;
++allow dlm_controld_t self:capability { net_admin sys_admin sys_resource };
 +
-+allow dlm_controld_t self:sem create_sem_perms;
-+allow dlm_controld_t self:fifo_file rw_fifo_file_perms;
-+allow dlm_controld_t self:unix_stream_socket create_stream_socket_perms;
-+allow dlm_controld_t self:unix_dgram_socket create_socket_perms;
 +allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
 +
-+manage_dirs_pattern(dlm_controld_t, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t)
-+manage_files_pattern(dlm_controld_t, dlm_controld_tmpfs_t, dlm_controld_tmpfs_t)
-+fs_tmpfs_filetrans(dlm_controld_t, dlm_controld_tmpfs_t,{ dir file })
-+
-+# log files
-+manage_files_pattern(dlm_controld_t, dlm_controld_var_log_t,dlm_controld_var_log_t)
-+logging_log_filetrans(dlm_controld_t,dlm_controld_var_log_t,{ file })
-+
-+# pid files
-+manage_files_pattern(dlm_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t)
-+manage_sock_files_pattern(dlm_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t)
-+files_pid_filetrans(dlm_controld_t,dlm_controld_var_run_t, { file })
-+
 +stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
-+aisexec_stream_connect(dlm_controld_t)
-+ccs_stream_connect(dlm_controld_t)
-+corosync_stream_connect(dlm_controld_t)
-+groupd_stream_connect(dlm_controld_t)
++stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
 +
 +kernel_read_system_state(dlm_controld_t)
 +
@@ -23448,15 +23055,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
 +
 +init_rw_script_tmp_files(dlm_controld_t)
 +
-+libs_use_ld_so(dlm_controld_t)
-+libs_use_shared_libs(dlm_controld_t)
-+
-+logging_send_syslog_msg(dlm_controld_t)
-+
-+miscfiles_read_localization(dlm_controld_t)
-+
 +optional_policy(`
-+	corosync_stream_connect(dlm_controld_t)
++	ccs_stream_connect(dlm_controld_t)
 +')
 +
 +#######################################
@@ -23464,13 +23064,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
 +# fenced local policy
 +#
 +
-+allow fenced_t self:capability { sys_nice sys_rawio sys_resource };
-+allow fenced_t self:process { setsched getsched };
++allow fenced_t self:capability { sys_rawio sys_resource };
++allow fenced_t self:process getsched;
 +
-+allow fenced_t self:fifo_file rw_fifo_file_perms;
-+allow fenced_t self:sem create_sem_perms;
-+allow fenced_t self:unix_stream_socket { create_stream_socket_perms connectto };
-+allow fenced_t self:unix_dgram_socket create_socket_perms;
 +allow fenced_t self:tcp_socket create_stream_socket_perms;
 +allow fenced_t self:udp_socket create_socket_perms;
 +
@@ -23479,25 +23075,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
 +# tmp files
 +manage_dirs_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
 +manage_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
-+files_tmp_filetrans(fenced_t, fenced_tmp_t, { file dir })
-+
-+manage_dirs_pattern(fenced_t, fenced_tmpfs_t, fenced_tmpfs_t)
-+manage_files_pattern(fenced_t, fenced_tmpfs_t, fenced_tmpfs_t)
-+fs_tmpfs_filetrans(fenced_t, fenced_tmpfs_t,{ dir file })
-+
-+# log files
-+manage_files_pattern(fenced_t, fenced_var_log_t,fenced_var_log_t)
-+logging_log_filetrans(fenced_t,fenced_var_log_t,{ file })
++manage_fifo_files_pattern(fenced_t, fenced_tmp_t, fenced_tmp_t)
++files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
 +
-+# pid file
-+manage_files_pattern(fenced_t, fenced_var_run_t,fenced_var_run_t)
-+manage_sock_files_pattern(fenced_t, fenced_var_run_t, fenced_var_run_t)
-+manage_fifo_files_pattern(fenced_t, fenced_var_run_t, fenced_var_run_t)
-+files_pid_filetrans(fenced_t,fenced_var_run_t, { file fifo_file })
++manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
++files_lock_filetrans(fenced_t,fenced_lock_t,file)
 +
 +stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
-+aisexec_stream_connect(fenced_t)
-+ccs_stream_connect(fenced_t)
 +
 +corecmd_exec_bin(fenced_t)
 +
@@ -23508,34 +23092,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
 +storage_raw_write_fixed_disk(fenced_t)
 +storage_raw_read_removable_device(fenced_t)
 +
++term_getattr_pty_fs(fenced_t)
 +term_use_ptmx(fenced_t)
 +
 +auth_use_nsswitch(fenced_t)
 +
 +files_read_usr_symlinks(fenced_t)
 +
-+libs_use_ld_so(fenced_t)
-+libs_use_shared_libs(fenced_t)
-+
-+logging_send_syslog_msg(fenced_t)
-+
-+miscfiles_read_localization(fenced_t)
-+
++corenet_tcp_connect_http_port(fenced_t)
 +tunable_policy(`fenced_can_network_connect',`
-+        corenet_tcp_connect_all_ports(fenced_t)
++	corenet_tcp_connect_all_ports(fenced_t)
 +')
 +
 +optional_policy(`
-+        ccs_read_config(fenced_t)
++	ccs_read_config(fenced_t)
++	ccs_stream_connect(fenced_t)
 +')
 +
 +optional_policy(`
-+	corosync_stream_connect(fenced_t)
-+')
-+
-+optional_policy(`
-+        lvm_domtrans(fenced_t)
-+        lvm_read_config(fenced_t)
++	lvm_domtrans(fenced_t)
++	lvm_read_config(fenced_t)
 +')
 +
 +######################################
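Review bot: `corenet_tcp_connect_http_port(fenced_t)` sits outside the `fenced_can_network_connect` tunable, so fenced_t can open HTTP connections even with the boolean off, although its name presents it as the switch for fenced's TCP connections. If a fence agent needs HTTP regardless of the boolean, add a comment above the rule naming it (e.g. `# fence agents using HTTP-based management interfaces — TODO confirm which`) and update the tunable's description so it is not advertised as a complete off switch; otherwise move the line inside the tunable block. The `gen_tunable` declaration and its description are earlier in the file, outside this hunk.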
@@ -23543,35 +23119,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
 +# gfs_controld local policy
 +#
 +
-+allow gfs_controld_t self:capability { net_admin sys_nice sys_resource };
-+allow gfs_controld_t self:process setsched;
++allow gfs_controld_t self:capability { net_admin sys_resource };
 +
-+allow gfs_controld_t self:sem create_sem_perms;
 +allow gfs_controld_t self:shm create_shm_perms;
-+allow gfs_controld_t self:fifo_file rw_fifo_file_perms;
-+allow gfs_controld_t self:unix_stream_socket { create_stream_socket_perms };
-+allow gfs_controld_t self:unix_dgram_socket { create_socket_perms };
 +allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
 +
-+manage_dirs_pattern(gfs_controld_t, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
-+manage_files_pattern(gfs_controld_t, gfs_controld_tmpfs_t, gfs_controld_tmpfs_t)
-+fs_tmpfs_filetrans(gfs_controld_t, gfs_controld_tmpfs_t,{ dir file })
-+
-+# log files
-+manage_files_pattern(gfs_controld_t, gfs_controld_var_log_t,gfs_controld_var_log_t)
-+logging_log_filetrans(gfs_controld_t,gfs_controld_var_log_t,{ file })
-+
-+# pid files
-+manage_files_pattern(gfs_controld_t, gfs_controld_var_run_t, gfs_controld_var_run_t)
-+manage_sock_files_pattern(gfs_controld_t, gfs_controld_var_run_t, gfs_controld_var_run_t)
-+files_pid_filetrans(gfs_controld_t,gfs_controld_var_run_t, { file })
-+
-+stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
 +stream_connect_pattern(gfs_controld_t, dlm_controld_var_run_t, dlm_controld_var_run_t, dlm_controld_t)
-+
-+aisexec_stream_connect(gfs_controld_t)
-+ccs_stream_connect(gfs_controld_t)
-+groupd_stream_connect(gfs_controld_t)
++stream_connect_pattern(gfs_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
++stream_connect_pattern(gfs_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
 +
 +kernel_read_system_state(gfs_controld_t)
 +
@@ -23579,24 +23134,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
 +
 +dev_rw_dlm_control(gfs_controld_t)
 +dev_setattr_dlm_control(gfs_controld_t)
++
 +dev_rw_sysfs(gfs_controld_t)
 +
 +init_rw_script_tmp_files(gfs_controld_t)
 +
-+libs_use_ld_so(gfs_controld_t)
-+libs_use_shared_libs(gfs_controld_t)
-+
-+logging_send_syslog_msg(gfs_controld_t)
-+
-+miscfiles_read_localization(gfs_controld_t)
-+
 +optional_policy(`
-+	corosync_stream_connect(gfs_controld_t)
++	ccs_stream_connect(gfs_controld_t)
 +')
 +
 +optional_policy(`
-+        lvm_exec(gfs_controld_t)
-+        dev_rw_lvm_control(gfs_controld_t)
++	lvm_exec(gfs_controld_t)
++	dev_rw_lvm_control(gfs_controld_t)
 +')
 +
 +#######################################
@@ -23607,79 +23156,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
 +allow groupd_t self:capability { sys_nice sys_resource };
 +allow groupd_t self:process setsched;
 +
-+allow groupd_t self:sem create_sem_perms;
 +allow groupd_t self:shm create_shm_perms;
-+allow groupd_t self:fifo_file rw_fifo_file_perms;
-+allow groupd_t self:unix_stream_socket create_stream_socket_perms;
-+allow groupd_t self:unix_dgram_socket create_socket_perms;
-+
-+manage_dirs_pattern(groupd_t, groupd_tmpfs_t, groupd_tmpfs_t)
-+manage_files_pattern(groupd_t, groupd_tmpfs_t, groupd_tmpfs_t)
-+fs_tmpfs_filetrans(groupd_t, groupd_tmpfs_t,{ dir file })
-+
-+# log files
-+manage_files_pattern(groupd_t, groupd_var_log_t,groupd_var_log_t)
-+logging_log_filetrans(groupd_t,groupd_var_log_t,{ file })
-+
-+# pid files
-+manage_files_pattern(groupd_t, groupd_var_run_t,groupd_var_run_t)
-+manage_sock_files_pattern(groupd_t, groupd_var_run_t,groupd_var_run_t)
-+files_pid_filetrans(groupd_t, groupd_var_run_t, { file })
-+
-+aisexec_stream_connect(groupd_t)
 +
 +dev_list_sysfs(groupd_t)
 +
 +files_read_etc_files(groupd_t)
 +
-+libs_use_ld_so(groupd_t)
-+libs_use_shared_libs(groupd_t)
-+
-+logging_send_syslog_msg(groupd_t)
-+
-+miscfiles_read_localization(groupd_t)
-+
 +init_rw_script_tmp_files(groupd_t)
 +
-+logging_send_syslog_msg(groupd_t)
-+
 +######################################
 +#
 +# qdiskd local policy
 +#
 +
-+allow qdiskd_t self:capability { sys_nice ipc_lock };
-+allow qdiskd_t self:process setsched;
++allow qdiskd_t self:capability ipc_lock;
 +
-+allow qdiskd_t self:sem create_sem_perms;
-+allow qdiskd_t self:udp_socket create_socket_perms;
++allow qdiskd_t self:tcp_socket create_stream_socket_perms;
 +allow qdiskd_t self:udp_socket create_socket_perms;
-+allow qdiskd_t self:unix_dgram_socket create_socket_perms;
-+allow qdiskd_t self:unix_stream_socket create_stream_socket_perms;
 +
 +manage_files_pattern(qdiskd_t, qdiskd_var_lib_t,qdiskd_var_lib_t)
 +manage_dirs_pattern(qdiskd_t, qdiskd_var_lib_t,qdiskd_var_lib_t)
 +manage_sock_files_pattern(qdiskd_t, qdiskd_var_lib_t,qdiskd_var_lib_t)
 +files_var_lib_filetrans(qdiskd_t,qdiskd_var_lib_t, { file dir sock_file })
 +
-+# log files
-+manage_files_pattern(qdiskd_t, qdiskd_var_log_t,qdiskd_var_log_t)
-+manage_sock_files_pattern(qdiskd_t, qdiskd_var_log_t,qdiskd_var_log_t)
-+logging_log_filetrans(qdiskd_t,qdiskd_var_log_t,{ sock_file file })
-+
-+manage_dirs_pattern(qdiskd_t, qdiskd_tmpfs_t, qdiskd_tmpfs_t)
-+manage_files_pattern(qdiskd_t, qdiskd_tmpfs_t, qdiskd_tmpfs_t)
-+fs_tmpfs_filetrans(qdiskd_t, qdiskd_tmpfs_t,{ dir file })
-+
-+# pid files
-+manage_files_pattern(qdiskd_t, qdiskd_var_run_t,qdiskd_var_run_t)
-+manage_sock_files_pattern(qdiskd_t, qdiskd_var_run_t,qdiskd_var_run_t)
-+files_pid_filetrans(qdiskd_t,qdiskd_var_run_t, { file })
-+
-+aisexec_stream_connect(qdiskd_t)
-+ccs_stream_connect(qdiskd_t)
-+
-+corecmd_getattr_sbin_files(qdiskd_t)
++corecmd_getattr_bin_files(qdiskd_t)
 +corecmd_exec_shell(qdiskd_t)
 +
 +kernel_read_system_state(qdiskd_t)
@@ -23708,26 +23208,44 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs
 +
 +files_read_etc_files(qdiskd_t)
 +
-+libs_use_ld_so(qdiskd_t)
-+libs_use_shared_libs(qdiskd_t)
-+
-+logging_send_syslog_msg(qdiskd_t)
-+
-+miscfiles_read_localization(qdiskd_t)
++optional_policy(`
++	ccs_stream_connect(qdiskd_t)
++')
 +
 +optional_policy(`
-+        netutils_domtrans_ping(qdiskd_t)
++	netutils_domtrans_ping(qdiskd_t)
 +')
 +
 +optional_policy(`
-+       udev_read_db(qdiskd_t)
++	udev_read_db(qdiskd_t)
 +')
 +
++#####################################
++#
++# rhcs domains common policy
++#
++
++allow cluster_domain self:capability { sys_nice };
++allow cluster_domain self:process setsched;
 +
++allow cluster_domain self:sem create_sem_perms;
++allow cluster_domain self:fifo_file rw_fifo_file_perms;
++allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
++allow cluster_domain self:unix_dgram_socket create_socket_perms;
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.7.9/policy/modules/services/ricci.te
++libs_use_ld_so(cluster_domain)
++libs_use_shared_libs(cluster_domain)
++
++logging_send_syslog_msg(cluster_domain)
++
++miscfiles_read_localization(cluster_domain)
++
++optional_policy(`
++    corosync_stream_connect(cluster_domain)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.7.15/policy/modules/services/ricci.te
 --- nsaserefpolicy/policy/modules/services/ricci.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/ricci.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/ricci.te	2010-03-18 10:44:43.000000000 -0400
 @@ -194,10 +194,13 @@
  # ricci_modcluster local policy
  #
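Review bot: The new `cluster_domain` common block grants every rhcs daemon `corosync_stream_connect` but not `aisexec_stream_connect`, while the per-domain `aisexec_stream_connect` calls for dlm_controld_t, fenced_t, gfs_controld_t, groupd_t and qdiskd_t are removed elsewhere in this patch; the ricci changes in the same patch keep both. If openais/aisexec is still a supported membership layer for these daemons, add a separate `optional_policy(` `aisexec_stream_connect(cluster_domain)` `)` block beside the corosync one — separate, because an optional block is dropped entirely when any module it needs is missing. The corosync block is also space-indented where the rest of the file uses tabs.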
@@ -23743,18 +23261,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
  kernel_read_kernel_sysctls(ricci_modcluster_t)
  kernel_read_system_state(ricci_modcluster_t)
  
-@@ -227,6 +230,10 @@
+@@ -227,6 +230,11 @@
  ricci_stream_connect_modclusterd(ricci_modcluster_t)
  
  optional_policy(`
-+        aisexec_stream_connect(ricci_modcluster_t)
++	aisexec_stream_connect(ricci_modcluster_t)
++	corosync_stream_connect(ricci_modcluster_t)
 +')
 +
 +optional_policy(`
  	ccs_stream_connect(ricci_modcluster_t)
  	ccs_domtrans(ricci_modcluster_t)
  	ccs_manage_config(ricci_modcluster_t)
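Review bot: `aisexec_stream_connect(ricci_modcluster_t)` and `corosync_stream_connect(ricci_modcluster_t)` share one `optional_policy` block, which is dropped as a whole when either the aisexec or the corosync module is not loaded, so a host with only one of the two would get neither rule. Split them into one block per module; the same pairing is repeated for ricci_modclusterd_t and ricci_modstorage_t in the later ricci hunks of this patch.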
-@@ -245,6 +252,10 @@
+@@ -245,6 +253,10 @@
  ')
  
  optional_policy(`
@@ -23765,7 +23284,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
  	# XXX This has got to go.
  	unconfined_domain(ricci_modcluster_t)
  ')
-@@ -264,6 +275,7 @@
+@@ -259,11 +271,11 @@
+ allow ricci_modclusterd_t self:fifo_file rw_fifo_file_perms;
+ allow ricci_modclusterd_t self:unix_stream_socket create_stream_socket_perms;
+ allow ricci_modclusterd_t self:tcp_socket create_stream_socket_perms;
+-allow ricci_modclusterd_t self:netlink_route_socket r_netlink_socket_perms;
+ # cjp: this needs to be fixed for a specific socket type:
  allow ricci_modclusterd_t self:socket create_socket_perms;
  
  allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
@@ -23773,17 +23297,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
  
  # log files
  allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
-@@ -306,12 +318,20 @@
- sysnet_dns_name_resolve(ricci_modclusterd_t)
+@@ -294,6 +306,8 @@
  
- optional_policy(`
-+        aisexec_stream_connect(ricci_modclusterd_t)
-+')
+ fs_getattr_xattr_fs(ricci_modclusterd_t)
+ 
++auth_use_nsswitch(ricci_modclusterd_t)
++
+ init_stream_connect_script(ricci_modclusterd_t)
+ 
+ locallogin_dontaudit_use_fds(ricci_modclusterd_t)
+@@ -303,7 +317,11 @@
+ miscfiles_read_localization(ricci_modclusterd_t)
+ 
+ sysnet_domtrans_ifconfig(ricci_modclusterd_t)
+-sysnet_dns_name_resolve(ricci_modclusterd_t)
 +
 +optional_policy(`
++	aisexec_stream_connect(ricci_modclusterd_t)
++	corosync_stream_connect(ricci_modclusterd_t)
++')
+ 
+ optional_policy(`
  	ccs_domtrans(ricci_modclusterd_t)
- 	ccs_stream_connect(ricci_modclusterd_t)
- 	ccs_read_config(ricci_modclusterd_t)
+@@ -312,6 +330,10 @@
  ')
  
  optional_policy(`
@@ -23794,11 +23330,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
  	unconfined_use_fds(ricci_modclusterd_t)
  ')
  
-@@ -440,6 +460,11 @@
+@@ -440,6 +462,12 @@
  files_read_usr_files(ricci_modstorage_t)
  files_read_kernel_modules(ricci_modstorage_t)
  
 +files_create_default_dir(ricci_modstorage_t)
++files_root_filetrans_default(ricci_modstorage_t, dir)
 +files_mounton_default(ricci_modstorage_t)
 +files_manage_default_dirs(ricci_modstorage_t)
 +files_manage_default_files(ricci_modstorage_t)
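Review bot: `files_root_filetrans_default(ricci_modstorage_t, dir)` together with `files_manage_default_dirs`, `files_manage_default_files` and `files_mounton_default` lets a component of a network-facing management agent create directories directly under / and manage anything labelled default_t, the catch-all label for content the file-context database does not know. Presumably this is for creating mount points for newly provisioned storage; if so, a comment above the block saying that (`# modstorage creates mount points under / for new volumes — TODO confirm`) is needed, and a dedicated mount-point type with its own fc entry would be tighter than the default_t catch-all.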
@@ -23806,20 +23343,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc
  storage_raw_read_fixed_disk(ricci_modstorage_t)
  
  term_dontaudit_use_console(ricci_modstorage_t)
-@@ -457,6 +482,10 @@
+@@ -457,6 +485,11 @@
  mount_domtrans(ricci_modstorage_t)
  
  optional_policy(`
-+        aisexec_stream_connect(ricci_modstorage_t)
++	aisexec_stream_connect(ricci_modstorage_t)
++	corosync_stream_connect(ricci_modstorage_t)
 +')
 +
 +optional_policy(`
  	ccs_stream_connect(ricci_modstorage_t)
  	ccs_read_config(ricci_modstorage_t)
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.fc serefpolicy-3.7.9/policy/modules/services/rpc.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.fc serefpolicy-3.7.15/policy/modules/services/rpc.fc
 --- nsaserefpolicy/policy/modules/services/rpc.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/rpc.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/rpc.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -1,6 +1,10 @@
  #
  # /etc
@@ -23831,9 +23369,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
  /etc/exports		--	gen_context(system_u:object_r:exports_t,s0)
  
  #
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.7.9/policy/modules/services/rpc.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.7.15/policy/modules/services/rpc.if
 --- nsaserefpolicy/policy/modules/services/rpc.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/rpc.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/rpc.if	2010-03-18 10:44:43.000000000 -0400
 @@ -54,7 +54,7 @@
  	allow $1_t self:unix_dgram_socket create_socket_perms;
  	allow $1_t self:unix_stream_socket create_stream_socket_perms;
@@ -23921,9 +23459,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
  ########################################
  ## <summary>
  ##	Read NFS exported content.
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.7.9/policy/modules/services/rpc.te
+@@ -373,4 +414,5 @@
+ 
+ 	files_search_var_lib($1)
+ 	manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
++	allow $1 var_lib_nfs_t:file { relabelfrom relabelto };
+ ')
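Review bot: The new rule `allow $1 var_lib_nfs_t:file { relabelfrom relabelto };` is a raw allow where the line above uses the `manage_files_pattern` macro; the conventional form is `relabel_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)`, which expresses the same same-type relabel and keeps the interface consistent with the rest of the file. The enclosing interface's name and summary are above this hunk, so its documentation should be checked to mention that relabelling is now included.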
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.7.15/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/rpc.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/rpc.te	2010-03-18 10:44:43.000000000 -0400
 @@ -8,7 +8,7 @@
  
  ## <desc>
@@ -23973,15 +23517,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
  files_manage_mounttab(rpcd_t)
  files_getattr_all_dirs(rpcd_t)
  
-@@ -91,14 +100,21 @@
+@@ -91,14 +100,26 @@
  
  seutil_dontaudit_search_config(rpcd_t)
  
 +userdom_signal_unpriv_users(rpcd_t)
++userdom_read_user_home_content_files(rpcd_t)
 +
  optional_policy(`
  	automount_signal(rpcd_t)
 +	automount_dontaudit_write_pipes(rpcd_t)
++')
++
++optional_policy(`
++	domain_unconfined_signal(rpcd_t)
  ')
  
  optional_policy(`
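Review bot: `userdom_read_user_home_content_files(rpcd_t)` gives the rpc daemons read access to all user home directory content with no comment on why; rpcd serves network requests, so this is a meaningful widening, and if it exists to support exporting home directories the export tunables visible later in this file for nfsd_t (`nfs_export_all_ro` and its sibling) would be the natural gate rather than an unconditional rule. Add a comment naming the use case, e.g. `# TODO confirm: needed when /home is exported and mountd walks export paths`, or place the rule under the matching tunable. The `domain_unconfined_signal(rpcd_t)` block here is only moved from a later block of the same file.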
@@ -23989,13 +23538,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
  ')
  
 +optional_policy(`
-+	domain_unconfined_signal(rpcd_t)
++	rgmanager_manage_tmp_files(rpcd_t)
 +')
 +
  ########################################
  #
  # NFSD local policy
-@@ -127,6 +143,7 @@
+@@ -127,6 +148,7 @@
  files_getattr_tmp_dirs(nfsd_t) 
  # cjp: this should really have its own type
  files_manage_mounttab(nfsd_t)
@@ -24003,7 +23552,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
  
  fs_mount_nfsd_fs(nfsd_t) 
  fs_search_nfsd_fs(nfsd_t) 
-@@ -135,6 +152,7 @@
+@@ -135,6 +157,7 @@
  fs_rw_nfsd_fs(nfsd_t) 
  
  storage_dontaudit_read_fixed_disk(nfsd_t)
@@ -24011,7 +23560,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
  
  # Read access to public_content_t and public_content_rw_t
  miscfiles_read_public_files(nfsd_t)
-@@ -151,6 +169,7 @@
+@@ -151,6 +174,7 @@
  	fs_read_noxattr_fs_files(nfsd_t) 
  	auth_manage_all_files_except_shadow(nfsd_t)
  ')
@@ -24019,7 +23568,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
  
  tunable_policy(`nfs_export_all_ro',`
  	dev_getattr_all_blk_files(nfsd_t)
-@@ -182,6 +201,7 @@
+@@ -182,6 +206,7 @@
  kernel_read_network_state(gssd_t)
  kernel_read_network_state_symlinks(gssd_t)	
  kernel_search_network_sysctl(gssd_t)	
@@ -24027,7 +23576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
  
  corecmd_exec_bin(gssd_t)
  
-@@ -189,8 +209,10 @@
+@@ -189,8 +214,10 @@
  fs_rw_rpc_sockets(gssd_t) 
  fs_read_rpc_files(gssd_t) 
  
@@ -24038,7 +23587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
  
  auth_use_nsswitch(gssd_t)
  auth_manage_cache(gssd_t) 
-@@ -199,10 +221,14 @@
+@@ -199,10 +226,14 @@
  
  mount_signal(gssd_t)
  
@@ -24053,9 +23602,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
  ')
  
  optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.if serefpolicy-3.7.9/policy/modules/services/rsync.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.if serefpolicy-3.7.15/policy/modules/services/rsync.if
 --- nsaserefpolicy/policy/modules/services/rsync.if	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/rsync.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/rsync.if	2010-03-18 10:44:43.000000000 -0400
 @@ -119,7 +119,7 @@
  		type rsync_etc_t;
  	')
@@ -24073,9 +23622,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn
 +	write_files_pattern($1, rsync_etc_t, rsync_etc_t)
  	files_search_etc($1)
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.7.9/policy/modules/services/rsync.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.7.15/policy/modules/services/rsync.te
 --- nsaserefpolicy/policy/modules/services/rsync.te	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/rsync.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/rsync.te	2010-03-18 10:44:43.000000000 -0400
 @@ -8,6 +8,13 @@
  
  ## <desc>
@@ -24127,9 +23676,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn
 +')
 +
  auth_can_read_shadow_passwords(rsync_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.if serefpolicy-3.7.9/policy/modules/services/rtkit.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.if serefpolicy-3.7.15/policy/modules/services/rtkit.if
 --- nsaserefpolicy/policy/modules/services/rtkit.if	2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/rtkit.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/rtkit.if	2010-03-18 10:44:43.000000000 -0400
 @@ -38,3 +38,23 @@
  	allow $1 rtkit_daemon_t:dbus send_msg;
  	allow rtkit_daemon_t $1:dbus send_msg;
@@ -24154,9 +23703,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtki
 +	allow rtkit_daemon_t $1:process { getsched setsched };
 +	rtkit_daemon_dbus_chat($1)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.te serefpolicy-3.7.9/policy/modules/services/rtkit.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.te serefpolicy-3.7.15/policy/modules/services/rtkit.te
 --- nsaserefpolicy/policy/modules/services/rtkit.te	2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/rtkit.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/rtkit.te	2010-03-18 10:44:43.000000000 -0400
 @@ -17,9 +17,11 @@
  
  allow rtkit_daemon_t self:capability { dac_read_search setuid sys_chroot setgid sys_nice sys_ptrace };
@@ -24178,9 +23727,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtki
  
  optional_policy(`
  	policykit_dbus_chat(rtkit_daemon_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.7.9/policy/modules/services/samba.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.7.15/policy/modules/services/samba.fc
 --- nsaserefpolicy/policy/modules/services/samba.fc	2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/samba.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/samba.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -51,3 +51,7 @@
  /var/run/winbindd(/.*)?			gen_context(system_u:object_r:winbind_var_run_t,s0)
  
@@ -24189,9 +23738,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 +ifndef(`enable_mls',`
 +/var/lib/samba/scripts(/.*)?		gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.7.9/policy/modules/services/samba.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.7.15/policy/modules/services/samba.if
 --- nsaserefpolicy/policy/modules/services/samba.if	2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/samba.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/samba.if	2010-03-18 10:44:43.000000000 -0400
 @@ -62,6 +62,25 @@
  
  ########################################
@@ -24405,9 +23954,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  	admin_pattern($1, winbind_var_run_t)
 +	admin_pattern($1, samba_unconfined_script_exec_t)
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.9/policy/modules/services/samba.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.15/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/samba.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/samba.te	2010-03-18 10:44:43.000000000 -0400
 @@ -66,6 +66,13 @@
  ## </desc>
  gen_tunable(samba_share_nfs, false)
@@ -24422,6 +23971,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  type nmbd_t;
  type nmbd_exec_t;
  init_daemon_domain(nmbd_t, nmbd_exec_t)
+@@ -156,7 +163,7 @@
+ #
+ # Samba net local policy
+ #
+-allow samba_net_t self:capability { sys_nice dac_read_search dac_override };
++allow samba_net_t self:capability { sys_chroot sys_nice dac_read_search dac_override };
+ allow samba_net_t self:process { getsched setsched };
+ allow samba_net_t self:unix_dgram_socket create_socket_perms;
+ allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
 @@ -201,14 +208,16 @@
  files_read_usr_symlinks(samba_net_t)
  
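Review bot: The `sys_chroot` capability added to `samba_net_t` in the new inner hunk `@@ -156,7 +163,7 @@` carries no comment saying which `net` operation needs it, so a later reviewer cannot tell whether the grant is still required or was a one-off AVC fix. Other capability grants in this patch follow the why-comment convention (smokeping.te's `# to read /etc/shadow` is the pattern), and this line should too: `# sys_chroot: needed by net(8) — TODO(review): record the operation/AVC that requires it`. The rest of the samba_net_t capability line is unchanged; the enclosing "Samba net local policy" section continues outside the hunk.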
@@ -24450,7 +24008,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  kernel_getattr_core_if(smbd_t)
  kernel_getattr_message_if(smbd_t)
  kernel_read_network_state(smbd_t)
-@@ -316,6 +327,7 @@
+@@ -306,6 +317,8 @@
+ dev_read_urand(smbd_t)
+ dev_getattr_mtrr_dev(smbd_t)
+ dev_dontaudit_getattr_usbfs_dirs(smbd_t)
++dev_getattr_all_blk_files(smbd_t)
++dev_getattr_all_chr_files(smbd_t)
+ 
+ fs_getattr_all_fs(smbd_t)
+ fs_get_xattr_fs_quotas(smbd_t)
+@@ -316,6 +329,7 @@
  auth_use_nsswitch(smbd_t)
  auth_domtrans_chk_passwd(smbd_t)
  auth_domtrans_upd_passwd(smbd_t)
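Review bot: `dev_getattr_all_blk_files(smbd_t)` and `dev_getattr_all_chr_files(smbd_t)` in the new inner hunk `@@ -306,6 +317,8 @@` let smbd stat every device node on the system, which is considerably broader than the neighbouring `dev_getattr_mtrr_dev(smbd_t)` style grants and is given without a comment. If these were added only to quiet denials from smbd walking a shared tree that contains device files, `dev_dontaudit_getattr_all_blk_files(smbd_t)` and `dev_dontaudit_getattr_all_chr_files(smbd_t)` would silence the noise without granting the access; if the getattr really is needed, a one-line comment above the pair stating the use case would document the wider grant. The smbd local-policy section these lines belong to extends beyond the hunk.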
@@ -24458,7 +24025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  
  domain_use_interactive_fds(smbd_t)
  domain_dontaudit_list_all_domains_state(smbd_t)
-@@ -325,6 +337,8 @@
+@@ -325,6 +339,8 @@
  files_read_etc_runtime_files(smbd_t)
  files_read_usr_files(smbd_t)
  files_search_spool(smbd_t)
@@ -24467,7 +24034,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  # Allow samba to list mnt_t for potential mounted dirs
  files_list_mnt(smbd_t)
  
-@@ -337,10 +351,13 @@
+@@ -337,10 +353,13 @@
  miscfiles_read_public_files(smbd_t)
  
  userdom_use_unpriv_users_fds(smbd_t)
@@ -24482,7 +24049,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  ifdef(`hide_broken_symptoms', `
  	files_dontaudit_getattr_default_dirs(smbd_t)
  	files_dontaudit_getattr_boot_dirs(smbd_t)
-@@ -352,19 +369,19 @@
+@@ -352,19 +371,19 @@
  ') 
  
  tunable_policy(`samba_domain_controller',`
@@ -24508,7 +24075,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  ')
  
  # Support Samba sharing of NFS mount points
-@@ -376,6 +393,15 @@
+@@ -376,6 +395,15 @@
  	fs_manage_nfs_named_sockets(smbd_t)
  ')
  
@@ -24524,7 +24091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  optional_policy(`
  	cups_read_rw_config(smbd_t)
  	cups_stream_connect(smbd_t)
-@@ -391,6 +417,11 @@
+@@ -391,6 +419,11 @@
  ')
  
  optional_policy(`
@@ -24536,7 +24103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  	rpc_search_nfs_state_data(smbd_t)
  ')
  
-@@ -405,13 +436,15 @@
+@@ -405,13 +438,15 @@
  tunable_policy(`samba_create_home_dirs',`
  	allow smbd_t self:capability chown;
  	userdom_create_user_home_dirs(smbd_t)
@@ -24553,7 +24120,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  	auth_read_all_files_except_shadow(nmbd_t)
  ')
  
-@@ -420,8 +453,8 @@
+@@ -420,8 +455,8 @@
  	auth_manage_all_files_except_shadow(smbd_t)
  	fs_read_noxattr_fs_files(nmbd_t) 
  	auth_manage_all_files_except_shadow(nmbd_t)
@@ -24563,7 +24130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  
  ########################################
  #
-@@ -525,6 +558,7 @@
+@@ -525,6 +560,7 @@
  
  allow smbcontrol_t winbind_t:process { signal signull };
  
@@ -24571,7 +24138,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  samba_read_config(smbcontrol_t)
  samba_rw_var_files(smbcontrol_t)
  samba_search_var(smbcontrol_t)
-@@ -536,6 +570,8 @@
+@@ -536,6 +572,8 @@
  
  miscfiles_read_localization(smbcontrol_t)
  
@@ -24580,7 +24147,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  ########################################
  #
  # smbmount Local policy
-@@ -618,7 +654,7 @@
+@@ -618,7 +656,7 @@
  # SWAT Local policy
  #
  
@@ -24589,7 +24156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  allow swat_t self:process { setrlimit signal_perms };
  allow swat_t self:fifo_file rw_fifo_file_perms;
  allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-@@ -626,23 +662,23 @@
+@@ -626,23 +664,23 @@
  allow swat_t self:udp_socket create_socket_perms;
  allow swat_t self:unix_stream_socket connectto;
  
@@ -24622,16 +24189,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  allow swat_t smbd_exec_t:file mmap_file_perms ;
  
  allow swat_t smbd_t:process signull;
-@@ -657,7 +693,7 @@
+@@ -657,7 +695,8 @@
  files_pid_filetrans(swat_t, swat_var_run_t, file)
  
  allow swat_t winbind_exec_t:file mmap_file_perms;
 -can_exec(swat_t, winbind_exec_t)
 +domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
++allow swat_t winbind_t:process { signal signull };
  
  allow swat_t winbind_var_run_t:dir { write add_name remove_name };
  allow swat_t winbind_var_run_t:sock_file { create unlink };
-@@ -700,6 +736,8 @@
+@@ -700,6 +739,8 @@
  
  miscfiles_read_localization(swat_t)
  
@@ -24640,7 +24208,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -713,12 +751,23 @@
+@@ -713,12 +754,23 @@
  	kerberos_use(swat_t)
  ')
  
@@ -24665,7 +24233,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  dontaudit winbind_t self:capability sys_tty_config;
  allow winbind_t self:process { signal_perms getsched setsched };
  allow winbind_t self:fifo_file rw_fifo_file_perms;
-@@ -779,6 +828,9 @@
+@@ -779,6 +831,9 @@
  corenet_tcp_bind_generic_node(winbind_t)
  corenet_udp_bind_generic_node(winbind_t)
  corenet_tcp_connect_smbd_port(winbind_t)
@@ -24675,7 +24243,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  
  dev_read_sysfs(winbind_t)
  dev_read_urand(winbind_t)
-@@ -788,7 +840,7 @@
+@@ -788,7 +843,7 @@
  
  auth_domtrans_chk_passwd(winbind_t)
  auth_use_nsswitch(winbind_t)
@@ -24684,7 +24252,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  
  domain_use_interactive_fds(winbind_t)
  
-@@ -866,6 +918,18 @@
+@@ -866,6 +921,18 @@
  #
  
  optional_policy(`
@@ -24703,7 +24271,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
  	type samba_unconfined_script_t;
  	type samba_unconfined_script_exec_t;
  	domain_type(samba_unconfined_script_t)
-@@ -876,9 +940,12 @@
+@@ -876,9 +943,12 @@
  	allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
  	allow smbd_t samba_unconfined_script_exec_t:file ioctl;
  
@@ -24717,9 +24285,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 +',`
 +	can_exec(smbd_t, samba_unconfined_script_exec_t)
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.7.9/policy/modules/services/sasl.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.7.15/policy/modules/services/sasl.te
 --- nsaserefpolicy/policy/modules/services/sasl.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/sasl.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/sasl.te	2010-03-18 10:44:43.000000000 -0400
 @@ -31,7 +31,7 @@
  # Local policy
  #
@@ -24782,9 +24350,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl
  	seutil_sigchld_newrole(saslauthd_t)
  ')
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.7.9/policy/modules/services/sendmail.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.7.15/policy/modules/services/sendmail.if
 --- nsaserefpolicy/policy/modules/services/sendmail.if	2010-01-11 09:40:36.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/sendmail.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/sendmail.if	2010-03-18 10:44:43.000000000 -0400
 @@ -277,3 +277,22 @@
  	sendmail_domtrans_unconfined($1)
  	role $2 types unconfined_sendmail_t;
@@ -24808,9 +24376,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
 +	domtrans_pattern($1, sendmail_exec_t, unconfined_sendmail_t)
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.7.9/policy/modules/services/sendmail.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.7.15/policy/modules/services/sendmail.te
 --- nsaserefpolicy/policy/modules/services/sendmail.te	2010-01-11 09:40:36.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/sendmail.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/sendmail.te	2010-03-18 10:44:43.000000000 -0400
 @@ -30,7 +30,7 @@
  #
  
@@ -24889,18 +24457,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
 +	unconfined_domain_noaudit(unconfined_sendmail_t)
  ')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.7.9/policy/modules/services/setroubleshoot.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-3.7.15/policy/modules/services/setroubleshoot.fc
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/setroubleshoot.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/setroubleshoot.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -5,3 +5,5 @@
  /var/log/setroubleshoot(/.*)?		gen_context(system_u:object_r:setroubleshoot_var_log_t,s0)
  
  /var/lib/setroubleshoot(/.*)?		gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0)
 +
 +/usr/share/setroubleshoot/SetroubleshootFixit\.py* 	--	gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.7.9/policy/modules/services/setroubleshoot.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.7.15/policy/modules/services/setroubleshoot.if
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/setroubleshoot.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/setroubleshoot.if	2010-03-18 10:44:43.000000000 -0400
 @@ -16,8 +16,8 @@
  	')
  
@@ -25038,9 +24606,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
 +	files_list_pids($1)
 +	admin_pattern($1, setroubleshoot_var_run_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.7.9/policy/modules/services/setroubleshoot.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.7.15/policy/modules/services/setroubleshoot.te
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/setroubleshoot.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/setroubleshoot.te	2010-03-18 10:44:43.000000000 -0400
 @@ -22,13 +22,19 @@
  type setroubleshoot_var_run_t;
  files_pid_file(setroubleshoot_var_run_t)
@@ -25102,7 +24670,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
  
  selinux_get_enforce_mode(setroubleshootd_t)
  selinux_validate_context(setroubleshootd_t)
-@@ -94,23 +113,79 @@
+@@ -94,23 +113,81 @@
  
  locallogin_dontaudit_use_fds(setroubleshootd_t)
  
@@ -25110,6 +24678,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
  logging_send_syslog_msg(setroubleshootd_t)
  logging_stream_connect_dispatcher(setroubleshootd_t)
  
++modutils_read_module_config(setroubleshootd_t)
++
  seutil_read_config(setroubleshootd_t)
  seutil_read_file_contexts(setroubleshootd_t)
 -
@@ -25122,13 +24692,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
 -	dbus_system_bus_client(setroubleshootd_t)
 -	dbus_connect_system_bus(setroubleshootd_t)
 +	locate_read_lib_files(setroubleshootd_t)
- ')
- 
- optional_policy(`
-+	dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
 +')
 +
 +optional_policy(`
++	dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
+ ')
+ 
+ optional_policy(`
 +	rpm_signull(setroubleshootd_t)
  	rpm_read_db(setroubleshootd_t)
  	rpm_dontaudit_manage_db(setroubleshootd_t)
@@ -25186,37 +24756,307 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
 +        policykit_dbus_chat(setroubleshoot_fixit_t)
 +	userdom_read_all_users_state(setroubleshoot_fixit_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.7.9/policy/modules/services/snmp.if
---- nsaserefpolicy/policy/modules/services/snmp.if	2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/snmp.if	2010-02-16 15:08:37.000000000 -0500
-@@ -69,6 +69,24 @@
- 
- ########################################
- ## <summary>
-+##	Append snmpd libraries.
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.fc serefpolicy-3.7.15/policy/modules/services/smokeping.fc
+--- nsaserefpolicy/policy/modules/services/smokeping.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/smokeping.fc	2010-03-18 10:44:43.000000000 -0400
+@@ -0,0 +1,12 @@
++
++/etc/rc\.d/init\.d/smokeping	--	gen_context(system_u:object_r:smokeping_initrc_exec_t,s0)
++
++/usr/sbin/smokeping				--	gen_context(system_u:object_r:smokeping_exec_t,s0)
++
++/usr/share/smokeping/cgi(/.*)?		gen_context(system_u:object_r:httpd_smokeping_cgi_script_exec_t,s0)
++
++/var/lib/smokeping(/.*)?			gen_context(system_u:object_r:smokeping_var_lib_t,s0)
++
++/var/run/smokeping(/.*)?			gen_context(system_u:object_r:smokeping_var_run_t,s0)
++
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.if serefpolicy-3.7.15/policy/modules/services/smokeping.if
+--- nsaserefpolicy/policy/modules/services/smokeping.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/smokeping.if	2010-03-18 10:44:43.000000000 -0400
+@@ -0,0 +1,193 @@
++
++## <summary>policy for smokeping</summary>
++
++########################################
++## <summary>
++##	Execute a domain transition to run smokeping.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`smokeping_domtrans',`
++	gen_require(`
++		type smokeping_t, smokeping_exec_t;
++	')
++
++	domtrans_pattern($1, smokeping_exec_t, smokeping_t)
++')
++
++
++########################################
++## <summary>
++##	Execute smokeping server in the smokeping domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++interface(`smokeping_initrc_domtrans',`
++	gen_require(`
++		type smokeping_initrc_exec_t;
++	')
++
++	init_labeled_script_domtrans($1, smokeping_initrc_exec_t)
++')
++
++########################################
++## <summary>
++##	Read smokeping PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`smokeping_read_pid_files',`
++	gen_require(`
++		type smokeping_var_run_t;
++	')
++
++	files_search_pids($1)
++	allow $1 smokeping_var_run_t:file read_file_perms;
++')
++
++########################################
++## <summary>
++##	Manage smokeping var_run files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`smokeping_manage_var_run',`
++	gen_require(`
++		type smokeping_var_run_t;
++	')
++
++         manage_dirs_pattern($1, smokeping_var_run_t, smokeping_var_run_t)
++         manage_files_pattern($1, smokeping_var_run_t, smokeping_var_run_t)
++         manage_lnk_files_pattern($1, smokeping_var_run_t, smokeping_var_run_t)
++')
++
++
++########################################
++## <summary>
++##	Search smokeping lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`smokeping_getattr_lib_files',`
++	gen_require(`
++		type smokeping_var_lib_t;
++	')
++
++	getattr_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t)
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Read smokeping lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`smokeping_read_lib_files',`
++	gen_require(`
++		type smokeping_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	read_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete
++##	smokeping lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`smokeping_manage_lib_files',`
++	gen_require(`
++		type smokeping_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++    manage_files_pattern($1, smokeping_var_lib_t,  smokeping_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage smokeping var_lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`smokeping_manage_var_lib',`
++	gen_require(`
++		type smokeping_var_lib_t;
++	')
++
++         manage_dirs_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t)
++         manage_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t)
++         manage_lnk_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate 
++##	an smokeping environment
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`smokeping_admin',`
++	gen_require(`
++		type smokeping_t, smokeping_initrc_exec_t;
++	')
++
++	allow $1 smokeping_t:process { ptrace signal_perms getattr };
++	read_files_pattern($1, smokeping_t, smokeping_t)
++
++	smokeping_initrc_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 smokeping_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	smokeping_manage_var_run($1)
++
++	smokeping_manage_var_lib($1)
++
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smokeping.te serefpolicy-3.7.15/policy/modules/services/smokeping.te
+--- nsaserefpolicy/policy/modules/services/smokeping.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/smokeping.te	2010-03-18 10:44:43.000000000 -0400
+@@ -0,0 +1,81 @@
++
++policy_module(smokeping,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type smokeping_t;
++type smokeping_exec_t;
++init_daemon_domain(smokeping_t, smokeping_exec_t)
++
++permissive smokeping_t;
++
++type smokeping_initrc_exec_t;
++init_script_file(smokeping_initrc_exec_t)
++
++type smokeping_var_run_t;
++files_pid_file(smokeping_var_run_t)
++
++type smokeping_var_lib_t;
++files_type(smokeping_var_lib_t)
++
++########################################
++#
++# smokeping local policy
++#
++
++# to read /etc/shadow
++allow smokeping_t self:capability dac_override;
++
++allow smokeping_t self:fifo_file rw_fifo_file_perms;
++allow smokeping_t self:udp_socket create_socket_perms;
++allow smokeping_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(smokeping_t, smokeping_var_run_t,  smokeping_var_run_t)
++manage_files_pattern(smokeping_t, smokeping_var_run_t,  smokeping_var_run_t)
++files_pid_filetrans(smokeping_t, smokeping_var_run_t, { file dir })
++
++manage_dirs_pattern(smokeping_t, smokeping_var_lib_t,  smokeping_var_lib_t)
++manage_files_pattern(smokeping_t, smokeping_var_lib_t,  smokeping_var_lib_t)
++files_var_lib_filetrans(smokeping_t, smokeping_var_lib_t, { file dir } )
++
++corecmd_read_bin_symlinks(smokeping_t)
++
++dev_read_urand(smokeping_t)
++
++files_read_etc_files(smokeping_t)
++files_read_usr_files(smokeping_t)
++files_search_tmp(smokeping_t)
++
++auth_use_nsswitch(smokeping_t)
++auth_read_shadow(smokeping_t)
++
++logging_send_syslog_msg(smokeping_t)
++
++miscfiles_read_localization(smokeping_t)
++
++mta_send_mail(smokeping_t)
++
++netutils_domtrans_ping(smokeping_t)
++
++#######################################
++#
++# local policy for smokeping cgi scripts
 +#
-+interface(`snmp_append_snmp_var_lib_files',`
-+	gen_require(`
-+		type snmpd_var_lib_t;
-+	')
 +
-+	append_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
-+')
++optional_policy(`
++    apache_content_template(smokeping_cgi)
++	
++	allow httpd_smokeping_cgi_script_t self:udp_socket create_socket_perms;
 +
-+########################################
-+## <summary>
- ##	dontaudit Read snmpd libraries.
- ## </summary>
- ## <param name="domain">
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.7.9/policy/modules/services/snmp.te
++	manage_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)
++
++	getattr_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t)
++
++	files_search_tmp(httpd_smokeping_cgi_script_t)
++	files_search_var_lib(httpd_smokeping_cgi_script_t)
++
++	sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.7.15/policy/modules/services/snmp.te
 --- nsaserefpolicy/policy/modules/services/snmp.te	2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/snmp.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/snmp.te	2010-03-18 10:44:43.000000000 -0400
 @@ -25,7 +25,7 @@
  #
  # Local policy
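Review bot: `permissive smokeping_t;` in the new smokeping.te turns enforcement off for the whole domain, and nothing marks it as a bring-up setting to be removed once the policy has been exercised; a comment such as `# TODO(review): bring-up only — drop once smokeping runs clean in enforcing mode` above it keeps that from surviving into a release unnoticed. The `# to read /etc/shadow` line explains `dac_override` but not why a latency prober needs shadow access at all, so it is worth recording which probe or auth path actually triggers `auth_read_shadow(smokeping_t)` before the domain leaves permissive. In smokeping.if the summary of `smokeping_getattr_lib_files` reads "Search smokeping lib directories" while the body calls `getattr_files_pattern`, so it should say `##	Get attributes of smokeping lib files.`; likewise `smokeping_manage_lib_files` and `smokeping_manage_var_lib` both grant manage on `smokeping_var_lib_t` files, so one of them is redundant. The bodies of `smokeping_manage_var_run`, `smokeping_manage_var_lib`, `smokeping_manage_lib_files` and the `apache_content_template(smokeping_cgi)` call are indented with spaces while the rest of the module uses tabs.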
@@ -25226,9 +25066,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp
  dontaudit snmpd_t self:capability { sys_module sys_tty_config };
  allow snmpd_t self:process { signal_perms getsched setsched };
  allow snmpd_t self:fifo_file rw_fifo_file_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.7.9/policy/modules/services/snort.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snort.te serefpolicy-3.7.15/policy/modules/services/snort.te
 --- nsaserefpolicy/policy/modules/services/snort.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/snort.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/snort.te	2010-03-18 10:44:43.000000000 -0400
 @@ -37,6 +37,7 @@
  allow snort_t self:tcp_socket create_stream_socket_perms;
  allow snort_t self:udp_socket create_socket_perms;
@@ -25262,9 +25102,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snor
  
  domain_use_interactive_fds(snort_t)
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.7.9/policy/modules/services/spamassassin.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.7.15/policy/modules/services/spamassassin.fc
 --- nsaserefpolicy/policy/modules/services/spamassassin.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/spamassassin.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/spamassassin.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -1,15 +1,26 @@
 -HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamassassin_home_t,s0)
 +HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamc_home_t,s0)
@@ -25294,9 +25134,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
  /var/spool/spamd(/.*)?		gen_context(system_u:object_r:spamd_spool_t,s0)
 +/var/spool/MD-Quarantine(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
 +/var/spool/MIMEDefang(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.7.9/policy/modules/services/spamassassin.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.7.15/policy/modules/services/spamassassin.if
 --- nsaserefpolicy/policy/modules/services/spamassassin.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/spamassassin.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/spamassassin.if	2010-03-18 10:44:43.000000000 -0400
 @@ -111,6 +111,45 @@
  	')
  
@@ -25423,9 +25263,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
 +	files_list_pids($1)
 +	admin_pattern($1, spamd_var_run_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.7.9/policy/modules/services/spamassassin.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.7.15/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/spamassassin.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/spamassassin.te	2010-03-18 10:44:43.000000000 -0400
 @@ -20,6 +20,35 @@
  ## </desc>
  gen_tunable(spamd_enable_home_dirs, true)
@@ -25731,10 +25571,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam
 +optional_policy(`
  	udev_read_db(spamd_t)
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.7.9/policy/modules/services/squid.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.7.15/policy/modules/services/squid.te
 --- nsaserefpolicy/policy/modules/services/squid.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/squid.te	2010-02-16 15:08:37.000000000 -0500
-@@ -67,7 +67,9 @@
++++ serefpolicy-3.7.15/policy/modules/services/squid.te	2010-03-18 10:44:43.000000000 -0400
+@@ -14,6 +14,13 @@
+ ## </desc>
+ gen_tunable(squid_connect_any, false)
+ 
++## <desc>
++## <p>
++## Allow squid to run as a transparent proxy (TPROXY)
++## </p>
++## </desc>
++gen_tunable(squid_use_tproxy, false)
++
+ type squid_t;
+ type squid_exec_t;
+ init_daemon_domain(squid_t, squid_exec_t)
+@@ -67,7 +74,9 @@
  
  can_exec(squid_t, squid_exec_t)
  
@@ -25744,7 +25598,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
  logging_log_filetrans(squid_t, squid_log_t, { file dir })
  
  manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t)
-@@ -118,6 +120,8 @@
+@@ -118,6 +127,8 @@
  
  fs_getattr_all_fs(squid_t)
  fs_search_auto_mountpoints(squid_t)
@@ -25753,7 +25607,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
  fs_list_inotifyfs(squid_t)
  
  selinux_dontaudit_getattr_dir(squid_t)
-@@ -186,8 +190,3 @@
+@@ -157,6 +168,11 @@
+ 	corenet_sendrecv_all_packets(squid_t)
+ ')
+ 
++tunable_policy(`squid_use_tproxy',`
++	allow squid_t self:capability net_admin;
++	corenet_tcp_bind_netport_port(squid_t)
++')
++
+ optional_policy(`
+ 	apache_content_template(squid)
+ 
+@@ -186,8 +202,3 @@
  optional_policy(`
  	udev_read_db(squid_t)
  ')
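Review bot: The new `tunable_policy(`squid_use_tproxy',` block grants `allow squid_t self:capability net_admin;` next to `corenet_tcp_bind_netport_port(squid_t)`, but the boolean's `## <desc>` added in the earlier squid.te hunk (the one ending after `can_exec(squid_t, squid_exec_t)`) says only that squid may run as a transparent proxy. CAP_NET_ADMIN is much broader than binding a port — it covers interface, routing and netfilter configuration for the whole host — and an administrator flipping the boolean should be told that. Extend the description to `## Allow squid to run as a transparent proxy (TPROXY). This also grants squid the net_admin capability.` so the blast radius is visible in `semanage boolean -l` output. Defaulting the tunable to false is the right call.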
@@ -25762,18 +25628,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
 -#squid requires the following when run in diskd mode, the recommended setting
 -allow squid_t tmpfs_t:file { read write };
 -') dnl end TODO
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.7.9/policy/modules/services/ssh.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.7.15/policy/modules/services/ssh.fc
 --- nsaserefpolicy/policy/modules/services/ssh.fc	2010-01-18 15:04:31.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/ssh.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/ssh.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -14,3 +14,5 @@
  /usr/sbin/sshd			--	gen_context(system_u:object_r:sshd_exec_t,s0)
  
  /var/run/sshd\.init\.pid	--	gen_context(system_u:object_r:sshd_var_run_t,s0)
 +
 +/root/\.ssh(/.*)?			gen_context(system_u:object_r:home_ssh_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.9/policy/modules/services/ssh.if
---- nsaserefpolicy/policy/modules/services/ssh.if	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/ssh.if	2010-02-16 15:08:37.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.15/policy/modules/services/ssh.if
+--- nsaserefpolicy/policy/modules/services/ssh.if	2010-02-18 14:06:31.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/ssh.if	2010-03-18 10:44:43.000000000 -0400
 @@ -36,6 +36,7 @@
  	gen_require(`
  		attribute ssh_server;
@@ -25829,15 +25695,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  	dev_read_urand($1_ssh_t)
  
-@@ -181,7 +180,7 @@
+@@ -181,9 +180,9 @@
  	type $1_var_run_t;
  	files_pid_file($1_var_run_t)
  
 -	allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
-+	allow $1_t self:capability { kill sys_chroot sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
++	allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
  	allow $1_t self:fifo_file rw_fifo_file_perms;
- 	allow $1_t self:process { signal getsched setsched setrlimit setexec };
+-	allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate };
++	allow $1_t self:process { signal getsched setsched setrlimit setexec };
  	allow $1_t self:tcp_socket create_stream_socket_perms;
+ 	allow $1_t self:udp_socket create_socket_perms;
+ 	# ssh agent connections:
 @@ -206,6 +205,7 @@
  
  	kernel_read_kernel_sysctls($1_t)
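Review bot: `sys_nice` joins `net_admin` in the `$1_t` capability set on the new `+` line with no comment saying what in sshd needs it, and the same hunk (together with the one ending at `files_read_var_lib_symlinks($1_t)`) strips upstream's `setkeycreate` process permission and `userdom_create_all_users_keys($1_t)` without recording why. Every capability in the sshd template is host attack surface, so each grant should carry a one-line rationale, e.g. `# sys_nice: <what sshd does that needs it — fill in from the denial>`, and the keyring removals deserve a matching `# dropped setkeycreate / user key creation: <reason>` so the next rebase does not silently re-add them. If the removal is deliberate because keyring access is handled elsewhere in this policy, the comment should point there. The enclosing template body (presumably `ssh_server_template`, from the `$1_t` naming) runs outside the hunk.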
@@ -25859,7 +25728,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  	fs_dontaudit_getattr_all_fs($1_t)
  
-@@ -234,9 +239,11 @@
+@@ -234,17 +239,19 @@
  	corecmd_getattr_bin_files($1_t)
  
  	domain_interactive_fd($1_t)
@@ -25871,15 +25740,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  	logging_search_logs($1_t)
  
-@@ -244,6 +251,7 @@
+ 	miscfiles_read_localization($1_t)
  
+-	userdom_create_all_users_keys($1_t)
  	userdom_dontaudit_relabelfrom_user_ptys($1_t)
  	userdom_search_user_home_dirs($1_t)
 +	userdom_read_user_home_content_files($1_t)
  
  	# Allow checking users mail at login
  	mta_getattr_spool($1_t)
-@@ -264,9 +272,12 @@
+@@ -265,9 +272,12 @@
  
  	optional_policy(`
  		files_read_var_lib_symlinks($1_t)
@@ -25893,7 +25763,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  ')
  
  ########################################
-@@ -387,6 +398,7 @@
+@@ -388,6 +398,7 @@
  	logging_send_syslog_msg($1_ssh_agent_t)
  
  	miscfiles_read_localization($1_ssh_agent_t)
@@ -25901,7 +25771,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  	seutil_dontaudit_read_config($1_ssh_agent_t)
  
-@@ -394,6 +406,7 @@
+@@ -395,6 +406,7 @@
  	userdom_use_user_terminals($1_ssh_agent_t)
  
  	# for the transition back to normal privs upon exec
@@ -25909,7 +25779,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  	userdom_user_home_domtrans($1_ssh_agent_t, $3)
  	allow $3 $1_ssh_agent_t:fd use;
  	allow $3 $1_ssh_agent_t:fifo_file rw_file_perms;
-@@ -695,6 +708,27 @@
+@@ -696,6 +708,27 @@
  	dontaudit $1 sshd_key_t:file { getattr read };
  ')
  
@@ -25937,9 +25807,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  #######################################
  ## <summary>
  ##	Delete from the ssh temp files.
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.9/policy/modules/services/ssh.te
---- nsaserefpolicy/policy/modules/services/ssh.te	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/ssh.te	2010-02-16 15:08:37.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.15/policy/modules/services/ssh.te
+--- nsaserefpolicy/policy/modules/services/ssh.te	2010-02-18 14:06:31.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/ssh.te	2010-03-18 10:44:43.000000000 -0400
 @@ -114,6 +114,7 @@
  manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
  manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
@@ -25992,11 +25862,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
  manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
  manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
-@@ -291,23 +299,30 @@
- kernel_link_key(sshd_t)
+@@ -292,22 +300,30 @@
  
  term_use_all_ptys(sshd_t)
--term_setattr_all_ptys(sshd_t)
+ term_setattr_all_ptys(sshd_t)
 +term_setattr_all_ttys(sshd_t)
  term_relabelto_all_ptys(sshd_t)
  
@@ -26028,7 +25897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  ')
  
  optional_policy(`
-@@ -315,7 +330,12 @@
+@@ -315,7 +331,12 @@
  ')
  
  optional_policy(`
@@ -26042,7 +25911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  ')
  
  optional_policy(`
-@@ -323,6 +343,10 @@
+@@ -323,6 +344,10 @@
  ')
  
  optional_policy(`
@@ -26053,7 +25922,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  	rpm_use_script_fds(sshd_t)
  ')
  
-@@ -333,10 +357,18 @@
+@@ -333,10 +358,18 @@
  ')
  
  optional_policy(`
@@ -26073,21 +25942,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  ifdef(`TODO',`
  tunable_policy(`ssh_sysadm_login',`
  	# Relabel and access ptys created by sshd
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.7.9/policy/modules/services/sssd.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.7.15/policy/modules/services/sssd.fc
 --- nsaserefpolicy/policy/modules/services/sssd.fc	2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/sssd.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/sssd.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -4,6 +4,8 @@
  
  /var/lib/sss(/.*)?		gen_context(system_u:object_r:sssd_var_lib_t,s0)
  
+-/var/log/sssd(/.*)?		gen_context(system_u:object_r:sssd_var_lib_t,s0)
 +/var/lib/sss/pubconf(/.*)?	gen_context(system_u:object_r:sssd_public_t,s0)
 +
- /var/log/sssd(/.*)?		gen_context(system_u:object_r:sssd_var_lib_t,s0)
++/var/log/sssd(/.*)?		gen_context(system_u:object_r:sssd_var_log_t,s0)
  
  /var/run/sssd.pid	--	gen_context(system_u:object_r:sssd_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.7.9/policy/modules/services/sssd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.7.15/policy/modules/services/sssd.if
 --- nsaserefpolicy/policy/modules/services/sssd.if	2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/sssd.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/sssd.if	2010-03-18 10:44:43.000000000 -0400
 @@ -38,6 +38,25 @@
  
  ########################################
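Review bot: `/var/log/sssd(/.*)?` is relabeled from `sssd_var_lib_t` to `sssd_var_log_t`, which is the right separation (log files should not share a type with the daemon's writable lib data), but nothing in this chunk declares `sssd_var_log_t`, calls `logging_log_file()` on it, or gives `sssd_t` manage rights and a `logging_log_filetrans` to it; the sssd.te hunks visible here carry only header and context lines. If the declaration is not in a part of the patch outside this view, the module will fail to build on the undefined type, and freshly created log files would otherwise keep landing in the generic log type. Check the sssd.te `@@ -13,6 +13,9 @@` hunk that follows, which is where the declaration would belong.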
@@ -26166,9 +26036,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd
 +
 +	admin_pattern($1, sssd_public_t)
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.9/policy/modules/services/sssd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.7.15/policy/modules/services/sssd.te
 --- nsaserefpolicy/policy/modules/services/sssd.te	2010-01-07 14:53:53.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/sssd.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/sssd.te	2010-03-18 10:44:43.000000000 -0400
 @@ -13,6 +13,9 @@
  type sssd_initrc_exec_t;
  init_script_file(sssd_initrc_exec_t)
@@ -26196,7 +26066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd
  manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
  manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
  manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
-@@ -49,6 +55,9 @@
+@@ -49,12 +55,17 @@
  
  dev_read_urand(sssd_t)
  
@@ -26206,7 +26076,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd
  files_list_tmp(sssd_t)
  files_read_etc_files(sssd_t)
  files_read_usr_files(sssd_t)
-@@ -66,6 +75,8 @@
+ 
+ fs_list_inotifyfs(sssd_t)
+ 
++mls_file_read_to_clearance(sssd_t)
++
+ auth_use_nsswitch(sssd_t)
+ auth_domtrans_chk_passwd(sssd_t)
+ auth_domtrans_upd_passwd(sssd_t)
+@@ -66,6 +77,8 @@
  
  miscfiles_read_localization(sssd_t)
  
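Review bot: `mls_file_read_to_clearance(sssd_t)` is an MLS override — it lets sssd read files at any level up to its clearance rather than only at its own level — and it is added with no comment. Overrides of the MLS read constraint should say which data they are for so they can be reviewed on an MLS-enabled system, e.g. `# MLS: sssd reads <which files> at levels up to its clearance — confirm` placed directly above the call. The sssd_t rule list continues outside the hunk on both sides.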
@@ -26215,9 +26093,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd
  optional_policy(`
  	dbus_system_bus_client(sssd_t)
  	dbus_connect_system_bus(sssd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.7.9/policy/modules/services/sysstat.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sysstat.te serefpolicy-3.7.15/policy/modules/services/sysstat.te
 --- nsaserefpolicy/policy/modules/services/sysstat.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/sysstat.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/sysstat.te	2010-03-18 10:44:43.000000000 -0400
 @@ -19,14 +19,15 @@
  # Local policy
  #
@@ -26236,9 +26114,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/syss
  logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
  
  # get info from /proc
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.7.9/policy/modules/services/telnet.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.7.15/policy/modules/services/telnet.te
 --- nsaserefpolicy/policy/modules/services/telnet.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/telnet.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/telnet.te	2010-03-18 10:44:43.000000000 -0400
 @@ -85,6 +85,7 @@
  remotelogin_domtrans(telnetd_t)
  
@@ -26247,9 +26125,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln
  
  optional_policy(`
  	kerberos_keytab_template(telnetd, telnetd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.7.9/policy/modules/services/tftp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.7.15/policy/modules/services/tftp.te
 --- nsaserefpolicy/policy/modules/services/tftp.te	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/tftp.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/tftp.te	2010-03-18 10:44:43.000000000 -0400
 @@ -50,9 +50,8 @@
  manage_files_pattern(tftpd_t, tftpd_var_run_t, tftpd_var_run_t)
  files_pid_filetrans(tftpd_t, tftpd_var_run_t, file)
@@ -26261,45 +26139,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp
  
  corenet_all_recvfrom_unlabeled(tftpd_t)
  corenet_all_recvfrom_netlabel(tftpd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.if serefpolicy-3.7.9/policy/modules/services/tgtd.if
---- nsaserefpolicy/policy/modules/services/tgtd.if	2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/tgtd.if	2010-02-16 15:08:37.000000000 -0500
-@@ -9,3 +9,20 @@
- ##	</p>
- ## </desc>
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.fc serefpolicy-3.7.15/policy/modules/services/tor.fc
+--- nsaserefpolicy/policy/modules/services/tor.fc	2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/services/tor.fc	2010-03-18 10:44:43.000000000 -0400
+@@ -5,5 +5,8 @@
+ /usr/sbin/tor		--	gen_context(system_u:object_r:tor_exec_t,s0)
  
-+#####################################
-+## <summary>
-+##      Allow read and write access to tgtd semaphores.
-+## </summary>
-+## <param name="domain">
-+##      <summary>
-+##      Domain allowed access.
-+##      </summary>
-+## </param>
-+#
-+interface(`tgtd_rw_semaphores',`
-+        gen_require(`
-+                type tgtd_t;
-+        ')
+ /var/lib/tor(/.*)?		gen_context(system_u:object_r:tor_var_lib_t,s0)
++/var/lib/tor-data(/.*)?		gen_context(system_u:object_r:tor_var_lib_t,s0)
 +
-+        allow $1 tgtd_t:sem { rw_sem_perms };
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.te serefpolicy-3.7.9/policy/modules/services/tgtd.te
---- nsaserefpolicy/policy/modules/services/tgtd.te	2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/tgtd.te	2010-02-16 15:08:37.000000000 -0500
-@@ -60,7 +60,7 @@
- 
- files_read_etc_files(tgtd_t)
- 
--storage_getattr_fixed_disk_dev(tgtd_t)
-+storage_manage_fixed_disk(tgtd_t)
- 
- logging_send_syslog_msg(tgtd_t)
- 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.7.9/policy/modules/services/tor.te
+ /var/log/tor(/.*)?		gen_context(system_u:object_r:tor_var_log_t,s0)
++
+ /var/run/tor(/.*)?		gen_context(system_u:object_r:tor_var_run_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.7.15/policy/modules/services/tor.te
 --- nsaserefpolicy/policy/modules/services/tor.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/tor.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/tor.te	2010-03-18 10:44:43.000000000 -0400
 @@ -6,6 +6,14 @@
  # Declarations
  #
@@ -26331,9 +26185,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.
 +tunable_policy(`tor_bind_all_unreserved_ports', `
 +	corenet_tcp_bind_all_unreserved_ports(tor_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.fc serefpolicy-3.7.9/policy/modules/services/tuned.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.fc serefpolicy-3.7.15/policy/modules/services/tuned.fc
 --- nsaserefpolicy/policy/modules/services/tuned.fc	2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/tuned.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/tuned.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -2,4 +2,7 @@
  
  /usr/sbin/tuned			--	gen_context(system_u:object_r:tuned_exec_t,s0)
@@ -26342,9 +26196,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tune
 +/var/log/tuned\.log     --  gen_context(system_u:object_r:tuned_log_t,s0)
 +
  /var/run/tuned\.pid		--	gen_context(system_u:object_r:tuned_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.7.9/policy/modules/services/tuned.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.7.15/policy/modules/services/tuned.te
 --- nsaserefpolicy/policy/modules/services/tuned.te	2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/tuned.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/tuned.te	2010-03-18 10:44:43.000000000 -0400
 @@ -13,6 +13,9 @@
  type tuned_initrc_exec_t;
  init_script_file(tuned_initrc_exec_t)
@@ -26398,9 +26252,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tune
  # to allow network interface tuning
  optional_policy(`
  	sysnet_domtrans_ifconfig(tuned_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.te serefpolicy-3.7.9/policy/modules/services/ucspitcp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.te serefpolicy-3.7.15/policy/modules/services/ucspitcp.te
 --- nsaserefpolicy/policy/modules/services/ucspitcp.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/ucspitcp.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/ucspitcp.te	2010-03-18 10:44:43.000000000 -0400
 @@ -92,3 +92,8 @@
  	daemontools_service_domain(ucspitcp_t, ucspitcp_exec_t)
  	daemontools_read_svc(ucspitcp_t)
@@ -26410,17 +26264,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucsp
 +    daemontools_sigchld_run(ucspitcp_t)
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.7.9/policy/modules/services/usbmuxd.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.fc serefpolicy-3.7.15/policy/modules/services/usbmuxd.fc
 --- nsaserefpolicy/policy/modules/services/usbmuxd.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/usbmuxd.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/usbmuxd.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -0,0 +1,4 @@
 +
 +/usr/sbin/usbmuxd	--	gen_context(system_u:object_r:usbmuxd_exec_t,s0)
 +
 +/var/run/usbmuxd	-s 	gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.if serefpolicy-3.7.9/policy/modules/services/usbmuxd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.if serefpolicy-3.7.15/policy/modules/services/usbmuxd.if
 --- nsaserefpolicy/policy/modules/services/usbmuxd.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/usbmuxd.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/usbmuxd.if	2010-03-18 10:44:43.000000000 -0400
 @@ -0,0 +1,39 @@
 +## <summary>Daemon for communicating with Apple's iPod Touch and iPhone</summary>
 +
@@ -26461,10 +26315,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm
 +        files_search_pids($1)
 +        stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.te serefpolicy-3.7.9/policy/modules/services/usbmuxd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.te serefpolicy-3.7.15/policy/modules/services/usbmuxd.te
 --- nsaserefpolicy/policy/modules/services/usbmuxd.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/usbmuxd.te	2010-02-16 15:08:37.000000000 -0500
-@@ -0,0 +1,47 @@
++++ serefpolicy-3.7.15/policy/modules/services/usbmuxd.te	2010-03-18 10:44:43.000000000 -0400
+@@ -0,0 +1,50 @@
 +policy_module(usbmuxd,1.0.0)
 +
 +########################################
@@ -26475,6 +26329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm
 +type usbmuxd_t;
 +type usbmuxd_exec_t;
 +application_domain(usbmuxd_t, usbmuxd_exec_t)
++role system_r types usbmuxd_t;
 +
 +type usbmuxd_var_run_t;
 +files_pid_file(usbmuxd_var_run_t)
@@ -26487,7 +26342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm
 +#
 +
 +allow usbmuxd_t self:capability { kill setgid setuid };
-+allow usbmuxd_t self:process { fork };
++allow usbmuxd_t self:process { fork signal signull };
 +
 +# Init script handling
 +domain_use_interactive_fds(usbmuxd_t)
@@ -26501,8 +26356,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm
 +manage_sock_files_pattern(usbmuxd_t, usbmuxd_var_run_t,  usbmuxd_var_run_t)
 +files_pid_filetrans(usbmuxd_t, usbmuxd_var_run_t, { file dir sock_file })
 +
++kernel_read_kernel_sysctls(usbmuxd_t)
 +kernel_read_system_state(usbmuxd_t)
 +
++dev_read_sysfs(usbmuxd_t)
 +dev_rw_generic_usb_dev(usbmuxd_t)
 +
 +files_read_etc_files(usbmuxd_t)
@@ -26512,16 +26369,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm
 +auth_use_nsswitch(usbmuxd_t)
 +
 +logging_send_syslog_msg(usbmuxd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.7.9/policy/modules/services/uucp.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.7.15/policy/modules/services/uucp.te
 --- nsaserefpolicy/policy/modules/services/uucp.te	2010-01-11 09:40:36.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/uucp.te	2010-02-16 15:08:37.000000000 -0500
-@@ -1,5 +1,5 @@
- 
--policy_module(uucp, 1.10.1)
-+policy_module(uucp, 1.10.0)
- 
- ########################################
- #
++++ serefpolicy-3.7.15/policy/modules/services/uucp.te	2010-03-18 10:44:43.000000000 -0400
 @@ -90,6 +90,7 @@
  fs_getattr_xattr_fs(uucpd_t)
  
@@ -26539,9 +26389,38 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp
  optional_policy(`
  	cron_system_entry(uucpd_t, uucpd_exec_t)
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.fc serefpolicy-3.7.9/policy/modules/services/vhostmd.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varnishd.if serefpolicy-3.7.15/policy/modules/services/varnishd.if
+--- nsaserefpolicy/policy/modules/services/varnishd.if	2009-07-23 14:11:04.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/services/varnishd.if	2010-03-18 10:44:43.000000000 -0400
+@@ -56,6 +56,25 @@
+ 	read_files_pattern($1, varnishd_etc_t, varnishd_etc_t)
+ ')
+ 
++#####################################
++## <summary>
++##  Read varnish lib files.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`varnishd_read_lib_files',`
++    gen_require(`
++        type varnishd_var_lib_t;
++    ')
++
++    files_search_var_lib($1)
++    read_files_pattern($1, varnishd_var_lib_t, varnishd_var_lib_t)
++')
++
+ #######################################
+ ## <summary>
+ ##	Read varnish logs.
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.fc serefpolicy-3.7.15/policy/modules/services/vhostmd.fc
 --- nsaserefpolicy/policy/modules/services/vhostmd.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/vhostmd.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/vhostmd.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -0,0 +1,6 @@
 +
 +/usr/sbin/vhostmd	        --	gen_context(system_u:object_r:vhostmd_exec_t,s0)
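Review bot: The new `varnishd_read_lib_files` interface is indented with four spaces (`    gen_require(`, `        type varnishd_var_lib_t;`) while the surrounding varnishd.if uses tabs, as the `	read_files_pattern($1, varnishd_etc_t, varnishd_etc_t)` context line shows; the summary line also uses two spaces after `##` where its neighbours use a tab. Re-indent the body with tabs so the file stays consistent with the rest of the module. The grant itself — `files_search_var_lib($1)` plus `read_files_pattern($1, varnishd_var_lib_t, varnishd_var_lib_t)` — is the right minimal shape for a read-only interface.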
@@ -26549,9 +26428,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos
 +/etc/rc.d/init.d/vhostmd	--	gen_context(system_u:object_r:vhostmd_initrc_exec_t,s0)
 +/var/run/vhostmd.pid		--	gen_context(system_u:object_r:vhostmd_var_run_t,s0)
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.if serefpolicy-3.7.9/policy/modules/services/vhostmd.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.if serefpolicy-3.7.15/policy/modules/services/vhostmd.if
 --- nsaserefpolicy/policy/modules/services/vhostmd.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/vhostmd.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/vhostmd.if	2010-03-18 10:44:43.000000000 -0400
 @@ -0,0 +1,228 @@
 +
 +## <summary>policy for vhostmd</summary>
@@ -26781,9 +26660,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos
 +	vhostmd_manage_var_run($1)
 +
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.te serefpolicy-3.7.9/policy/modules/services/vhostmd.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.te serefpolicy-3.7.15/policy/modules/services/vhostmd.te
 --- nsaserefpolicy/policy/modules/services/vhostmd.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/vhostmd.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/vhostmd.te	2010-03-18 10:44:43.000000000 -0400
 @@ -0,0 +1,84 @@
 +
 +policy_module(vhostmd,1.0.0)
@@ -26869,9 +26748,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos
 +    xen_stream_connect_xenstore(vhostmd_t)
 +    xen_stream_connect_xm(vhostmd_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.9/policy/modules/services/virt.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.15/policy/modules/services/virt.fc
 --- nsaserefpolicy/policy/modules/services/virt.fc	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/virt.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/virt.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -8,6 +8,10 @@
  /etc/libvirt/.*/.*		gen_context(system_u:object_r:virt_etc_rw_t,s0)
  /etc/rc\.d/init\.d/libvirtd --	gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
@@ -26883,19 +26762,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  /usr/sbin/libvirtd	--	gen_context(system_u:object_r:virtd_exec_t,s0)
  
  /var/cache/libvirt(/.*)?	gen_context(system_u:object_r:svirt_cache_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.9/policy/modules/services/virt.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.15/policy/modules/services/virt.if
 --- nsaserefpolicy/policy/modules/services/virt.if	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/virt.if	2010-02-16 15:08:37.000000000 -0500
-@@ -22,6 +22,8 @@
++++ serefpolicy-3.7.15/policy/modules/services/virt.if	2010-03-18 10:44:43.000000000 -0400
+@@ -22,6 +22,11 @@
  	domain_type($1_t)
  	role system_r types $1_t;
  
++	type $1_devpts_t;
++	term_pty($1_devpts_t)
++
 +	domain_user_exemption_target($1_t)
 +
  	type $1_tmp_t;
  	files_tmp_file($1_tmp_t)
  
-@@ -62,6 +64,9 @@
+@@ -31,10 +36,14 @@
+ 	type $1_image_t, virt_image_type;
+ 	files_type($1_image_t)
+ 	dev_node($1_image_t)
++	dev_associate_sysfs($1_image_t)
+ 
+ 	type $1_var_run_t;
+ 	files_pid_file($1_var_run_t)
+ 
++	 allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr };
++	  term_create_pty($1_t, $1_devpts_t)
++
+ 	manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
+ 	manage_files_pattern($1_t, $1_image_t, $1_image_t)
+ 	read_lnk_files_pattern($1_t, $1_image_t, $1_image_t)
+@@ -62,6 +71,9 @@
  	files_pid_filetrans($1_t, $1_var_run_t, { dir file })
  	stream_connect_pattern($1_t, $1_var_run_t, $1_var_run_t, virtd_t)
  
@@ -26905,7 +26802,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  ')
  
  ########################################
-@@ -293,6 +298,7 @@
+@@ -293,6 +305,7 @@
  
  	files_search_var_lib($1)
  	read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
@@ -26913,7 +26810,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  ')
  
  ########################################
-@@ -505,3 +511,32 @@
+@@ -505,3 +518,32 @@
  
  	virt_manage_log($1)
  ')
@@ -26946,9 +26843,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
 +		ptchown_run(svirt_t, $2)
 +	')
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.9/policy/modules/services/virt.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.15/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/virt.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/virt.te	2010-03-18 10:44:43.000000000 -0400
 @@ -15,6 +15,13 @@
  
  ## <desc>
@@ -27117,7 +27014,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
-@@ -410,11 +447,17 @@
+@@ -410,11 +447,21 @@
  files_read_etc_files(virt_domain)
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
@@ -27127,6 +27024,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
  
++# I think we need these for now.
++miscfiles_read_public_files(virt_domain)
++storage_raw_read_removable_device(virt_domain)
++
 +term_use_all_terms(virt_domain)
 +term_getattr_pty_fs(virt_domain)
 +term_use_generic_ptys(virt_domain)
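Review bot: `storage_raw_read_removable_device(virt_domain)` near the top of this hunk gives raw read access to every removable block device to the whole virt_domain attribute, which from the neighbouring dev_rw_kvm/dev_rw_ksm rules appears to be what the guest domains carry, so any guest could read media inserted for the host or for another guest; the only rationale recorded is `# I think we need these for now.` Guest access to a block device is normally tied to the label of the specific device or image handed to that guest, not to the shared attribute. If a concrete case forces this, gate it behind a boolean and replace the comment with one naming the failing operation, e.g. `# raw read of removable media for guest passthrough; tunable until device labelling covers it`. `miscfiles_read_public_files(virt_domain)` deserves the same one-line justification.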
@@ -27135,9 +27036,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
  auth_use_nsswitch(virt_domain)
  
  logging_send_syslog_msg(virt_domain)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.7.9/policy/modules/services/w3c.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.7.15/policy/modules/services/w3c.te
 --- nsaserefpolicy/policy/modules/services/w3c.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/w3c.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/w3c.te	2010-03-18 10:44:43.000000000 -0400
 @@ -8,11 +8,18 @@
  
  apache_content_template(w3c_validator)
@@ -27157,9 +27058,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.
  corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t)
  corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t)
  corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.9/policy/modules/services/xserver.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.15/policy/modules/services/xserver.fc
 --- nsaserefpolicy/policy/modules/services/xserver.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/xserver.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/xserver.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -3,12 +3,21 @@
  #
  HOME_DIR/\.fonts\.conf	--	gen_context(system_u:object_r:user_fonts_config_t,s0)
@@ -27194,7 +27095,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  #
  # /opt
  #
-@@ -47,21 +51,22 @@
+@@ -47,21 +51,23 @@
  # /tmp
  #
  
@@ -27204,14 +27105,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 -/tmp/\.X11-unix		-d	gen_context(system_u:object_r:xdm_tmp_t,s0)
 -/tmp/\.X11-unix/.*	-s	<<none>>
 +/tmp/\.X11-unix(/.*)?			gen_context(system_u:object_r:xdm_tmp_t,s0)
++/tmp/\.ICE-unix(/.*)?			gen_context(system_u:object_r:xdm_tmp_t,s0)
  
  #
  # /usr
  #
  
  /usr/(s)?bin/gdm-binary	--	gen_context(system_u:object_r:xdm_exec_t,s0)
-+/usr/bin/lxdm				gen_context(system_u:object_r:xdm_exec_t,s0)
-+/usr/bin/lxdm-binary			gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/(s)?bin/lxdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/(s)?bin/lxdm-binary --	gen_context(system_u:object_r:xdm_exec_t,s0)
  /usr/(s)?bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
  /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
  /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
@@ -27221,7 +27123,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  /usr/bin/xauth		--	gen_context(system_u:object_r:xauth_exec_t,s0)
  /usr/bin/Xorg		--	gen_context(system_u:object_r:xserver_exec_t,s0)
  ifdef(`distro_debian', `
-@@ -89,17 +94,42 @@
+@@ -89,17 +95,42 @@
  
  /var/[xgk]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
  
@@ -27267,10 +27169,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +/var/lib/pqsql/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.9/policy/modules/services/xserver.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.15/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/xserver.if	2010-02-16 15:08:37.000000000 -0500
-@@ -19,7 +19,7 @@
++++ serefpolicy-3.7.15/policy/modules/services/xserver.if	2010-03-18 10:44:43.000000000 -0400
+@@ -19,9 +19,10 @@
  interface(`xserver_restricted_role',`
  	gen_require(`
  		type xserver_t, xserver_exec_t, xserver_tmp_t, xserver_tmpfs_t;
@@ -27278,8 +27180,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +		type user_fonts_t, user_fonts_cache_t, user_fonts_config_t, xdm_tmp_t;
  		type iceauth_t, iceauth_exec_t, iceauth_home_t;
  		type xauth_t, xauth_exec_t, xauth_home_t;
++		class dbus send_msg;
  	')
-@@ -31,7 +31,7 @@
+ 
+ 	role $1 types { xserver_t xauth_t iceauth_t };
+@@ -31,7 +32,7 @@
  	allow xserver_t $2:shm rw_shm_perms;
  
  	domtrans_pattern($2, xserver_exec_t, xserver_t)
@@ -27288,7 +27193,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  	allow xserver_t $2:shm rw_shm_perms;
  
-@@ -45,6 +45,7 @@
+@@ -45,6 +46,7 @@
  	manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t)
  
  	stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -27296,21 +27201,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	files_search_tmp($2)
  
  	# Communicate via System V shared memory.
-@@ -56,6 +57,13 @@
+@@ -56,6 +58,10 @@
  
  	domtrans_pattern($2, iceauth_exec_t, iceauth_t)
  
 +ifdef(`hide_broken_symptoms', `
-+	dontaudit iceauth_t $2:unix_stream_socket rw_socket_perms;
-+	dontaudit iceauth_t $2:tcp_socket rw_socket_perms;
-+	dontaudit iceauth_t $2:udp_socket rw_socket_perms;
-+	fs_dontaudit_rw_anon_inodefs_files(iceauth_t)
++	dontaudit iceauth_t $2:socket_class_set { read write };
 +')
 +
  	allow $2 iceauth_home_t:file read_file_perms;
  
  	domtrans_pattern($2, xauth_exec_t, xauth_t)
-@@ -71,9 +79,10 @@
+@@ -71,9 +77,13 @@
  	# for when /tmp/.X11-unix is created by the system
  	allow $2 xdm_t:fd use;
  	allow $2 xdm_t:fifo_file { getattr read write ioctl };
@@ -27319,10 +27221,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	allow $2 xdm_tmp_t:sock_file { read write };
  	dontaudit $2 xdm_t:tcp_socket { read write };
 +	dontaudit $2 xdm_tmp_t:dir setattr;
++
++	allow $2 xdm_t:dbus send_msg;
++	allow xdm_t  $2:dbus send_msg;
  
  	# Client read xserver shm
  	allow $2 xserver_t:fd use;
-@@ -94,9 +103,9 @@
+@@ -94,9 +104,9 @@
  	dev_rw_usbfs($2)
  
  	miscfiles_read_fonts($2)
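Review bot: The two added `dbus send_msg` rules make the D-Bus channel between xdm_t and the caller domain bidirectional and unconditional inside what appears to be xserver_restricted_role (its `interface(` line is outside this hunk), and nothing in the hunk says which exchange needs it; a "restricted" role that can message the display manager and be messaged back is wider than the name suggests. Add a one-line comment naming the exchange, for example `# session <-> xdm: D-Bus messages exchanged at session start/stop`, and if the traffic only flows one way drop the other rule. `allow xdm_t  $2:dbus send_msg;` also carries a stray double space.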
@@ -27333,7 +27238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	xserver_xsession_entry_type($2)
  	xserver_dontaudit_write_log($2)
  	xserver_stream_connect_xdm($2)
-@@ -197,7 +206,7 @@
+@@ -197,7 +207,7 @@
  	allow $1 xserver_t:process signal;
  
  	# Read /tmp/.X0-lock
@@ -27342,7 +27247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  	# Client read xserver shm
  	allow $1 xserver_t:fd use;
-@@ -291,12 +300,12 @@
+@@ -291,12 +301,12 @@
  	allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
  
  	# Read .Xauthority file
@@ -27358,7 +27263,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	allow $1 xdm_tmp_t:dir search;
  	allow $1 xdm_tmp_t:sock_file { read write };
  	dontaudit $1 xdm_t:tcp_socket { read write };
-@@ -476,6 +485,7 @@
+@@ -355,6 +365,11 @@
+ 		class x_property all_x_property_perms;
+ 		class x_event all_x_event_perms;
+ 		class x_synthetic_event all_x_synthetic_event_perms;
++		class x_client destroy;
++		class x_server manage;
++		class x_pointer manage;
++		class x_keyboard { read manage };
++		type xdm_t, xserver_t;
+ 	')
+ 
+ 	##############################
+@@ -386,6 +401,14 @@
+ 	allow $2 xevent_t:{ x_event x_synthetic_event } receive;
+ 	# dont audit send failures
+ 	dontaudit $2 input_xevent_type:x_event send;
++
++	allow $2 xdm_t:x_drawable { read add_child };
++	allow $2 xdm_t:x_client destroy;
++
++	allow $2 root_xdrawable_t:x_drawable write;
++	allow $2 xserver_t:x_server manage;
++	allow $2 xserver_t:x_pointer manage;
++	allow $2 xserver_t:x_keyboard { read manage };
+ ')
+ 
+ #######################################
+@@ -476,6 +499,7 @@
  	xserver_use_user_fonts($2)
  
  	xserver_read_xdm_tmp_files($2)
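Review bot: `allow $2 xserver_t:x_keyboard { read manage }`, together with the `x_server manage`, `x_pointer manage`, `x_client destroy` and root-drawable `write` rules added in the first part of this hunk, is granted to every domain that passes through what looks like the shared X-client template (its opening line is outside the hunk), so every confined X client gets read on the server's keyboard object — the per-client keystroke isolation the x_keyboard class exists to provide is removed for all clients at once. Only the client that actually needs to grab or reconfigure core devices (a session manager or screen locker, presumably) should receive these, through a dedicated interface or at least a tunable_policy block behind a boolean, with a comment on each rule naming the client that required it. As written none of the six new rules carries a comment.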
@@ -27366,20 +27298,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  	# X object manager
  	xserver_object_types_template($1)
-@@ -545,6 +555,12 @@
+@@ -545,6 +569,9 @@
  	')
  
  	domtrans_pattern($1, xauth_exec_t, xauth_t)
 +ifdef(`hide_broken_symptoms', `
-+	dontaudit xauth_t $1:unix_stream_socket rw_socket_perms;
-+	dontaudit xauth_t $1:tcp_socket rw_socket_perms;
-+	dontaudit xauth_t $1:udp_socket rw_socket_perms;
-+	fs_dontaudit_rw_anon_inodefs_files(xauth_t)
++	dontaudit xauth_t $1:socket_class_set { read write };
 +')
  ')
  
  ########################################
-@@ -598,6 +614,7 @@
+@@ -598,6 +625,7 @@
  
  	allow $1 xauth_home_t:file read_file_perms;
  	userdom_search_user_home_dirs($1)
@@ -27387,7 +27316,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  ########################################
-@@ -805,7 +822,7 @@
+@@ -805,7 +833,7 @@
  	')
  
  	files_search_pids($1)
@@ -27396,7 +27325,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  ########################################
-@@ -1250,3 +1267,329 @@
+@@ -1224,9 +1252,20 @@
+ 		class x_device all_x_device_perms;
+ 		class x_pointer all_x_pointer_perms;
+ 		class x_keyboard all_x_keyboard_perms;
++		class x_screen all_x_screen_perms;
++		class x_drawable { manage };
++		type root_xdrawable_t;
++		attribute x_domain;
++		class x_drawable { read manage setattr show };
++		class x_resource { write read };
+ 	')
+ 
+ 	allow $1 xserver_t:{ x_device x_pointer x_keyboard } *;
++	allow $1 xserver_t:{ x_screen } setattr;
++	
++	allow $1 x_domain:x_drawable { read manage setattr show };
++	allow $1 x_domain:x_resource { write read };
++	allow $1 root_xdrawable_t:x_drawable manage;
+ ')
+ 
+ ########################################
+@@ -1250,3 +1289,329 @@
  	typeattribute $1 x_domain;
  	typeattribute $1 xserver_unconfined_type;
  ')
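Review bot: The gen_require block in this hunk declares `class x_drawable { manage };` and, three lines later, `class x_drawable { read manage setattr show };`; the first is subsumed by the second and should be dropped so the requirement is stated once. The new rules `allow $1 x_domain:x_drawable { read manage setattr show }` and `allow $1 x_domain:x_resource { write read }` also let the caller read and rewrite every X client's drawables and resources, which is screen scraping and injection across all clients and goes well beyond the core-device management the surrounding `allow $1 xserver_t:{ x_device x_pointer x_keyboard } *;` rule covers, so the interface summary (outside the hunk) should say so and its callers should be re-audited. The added line after the x_screen rule consists of a lone tab.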
@@ -27726,9 +27676,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +
 +	manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.9/policy/modules/services/xserver.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.15/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/services/xserver.te	2010-02-16 15:18:03.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/xserver.te	2010-03-18 10:44:43.000000000 -0400
 @@ -36,6 +36,13 @@
  
  ## <desc>
@@ -27892,7 +27842,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_files(iceauth_t)
-@@ -250,30 +283,57 @@
+@@ -250,30 +283,58 @@
  	fs_manage_cifs_files(iceauth_t)
  ')
  
@@ -27901,6 +27851,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +	dev_dontaudit_rw_dri(iceauth_t)
 +	dev_dontaudit_rw_generic_dev_nodes(iceauth_t)
 +	fs_list_inotifyfs(iceauth_t)
++	fs_dontaudit_rw_anon_inodefs_files(iceauth_t)
 +        term_dontaudit_use_unallocated_ttys(iceauth_t)
 +
 +	optional_policy(`
@@ -27953,13 +27904,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  fs_search_auto_mountpoints(xauth_t)
  
  # cjp: why?
-@@ -283,17 +343,35 @@
+@@ -283,17 +344,36 @@
  
  userdom_use_user_terminals(xauth_t)
  userdom_read_user_tmp_files(xauth_t)
 +userdom_read_all_users_state(xauth_t)
 +
 +ifdef(`hide_broken_symptoms', `
++     fs_dontaudit_rw_anon_inodefs_files(xauth_t)
 +     userdom_manage_user_home_content_files(xauth_t)
 +     userdom_manage_user_tmp_files(xauth_t)
 +     dev_dontaudit_rw_generic_dev_nodes(xauth_t)
@@ -27989,7 +27941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  optional_policy(`
  	ssh_sigchld(xauth_t)
  	ssh_read_pipes(xauth_t)
-@@ -305,20 +383,31 @@
+@@ -305,20 +385,31 @@
  # XDM Local policy
  #
  
@@ -28024,10 +27976,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  # Allow gdm to run gdm-binary
  can_exec(xdm_t, xdm_exec_t)
-@@ -334,24 +423,42 @@
+@@ -332,26 +423,45 @@
+ 
+ manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
  manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
++manage_lnk_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
  manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
- files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
+-files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
++files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file lnk_file })
 +relabelfrom_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
 +relabelfrom_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
  
@@ -28071,7 +28027,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  allow xdm_t xserver_t:unix_stream_socket connectto;
  
  allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms;
-@@ -363,6 +470,7 @@
+@@ -359,10 +469,13 @@
+ 
+ # transition to the xdm xserver
+ domtrans_pattern(xdm_t, xserver_exec_t, xserver_t)
++
++ps_process_pattern(xserver_t, xdm_t)
+ allow xserver_t xdm_t:process signal;
  allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
  
  allow xdm_t xserver_t:shm rw_shm_perms;
@@ -28079,7 +28041,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -371,10 +479,14 @@
+@@ -371,10 +484,14 @@
  delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
  
@@ -28095,7 +28057,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  kernel_read_system_state(xdm_t)
  kernel_read_kernel_sysctls(xdm_t)
-@@ -394,11 +506,13 @@
+@@ -394,11 +511,13 @@
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_generic_node(xdm_t)
  corenet_udp_bind_generic_node(xdm_t)
@@ -28109,7 +28071,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  dev_read_rand(xdm_t)
  dev_read_sysfs(xdm_t)
  dev_getattr_framebuffer_dev(xdm_t)
-@@ -406,6 +520,7 @@
+@@ -406,6 +525,7 @@
  dev_getattr_mouse_dev(xdm_t)
  dev_setattr_mouse_dev(xdm_t)
  dev_rw_apm_bios(xdm_t)
@@ -28117,7 +28079,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  dev_setattr_apm_bios_dev(xdm_t)
  dev_rw_dri(xdm_t)
  dev_rw_agp(xdm_t)
-@@ -414,18 +529,21 @@
+@@ -414,18 +534,21 @@
  dev_getattr_misc_dev(xdm_t)
  dev_setattr_misc_dev(xdm_t)
  dev_dontaudit_rw_misc(xdm_t)
@@ -28142,7 +28104,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -436,9 +554,15 @@
+@@ -436,9 +559,15 @@
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -28158,15 +28120,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -447,6 +571,7 @@
+@@ -447,14 +576,19 @@
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
 +storage_dontaudit_rw_fuse(xdm_t)
  
  term_setattr_console(xdm_t)
++term_use_console(xdm_t)
  term_use_unallocated_ttys(xdm_t)
-@@ -455,6 +580,7 @@
+ term_setattr_unallocated_ttys(xdm_t)
++term_relabel_all_ttys(xdm_t)
++term_relabel_unallocated_ttys(xdm_t)
+ 
  auth_domtrans_pam_console(xdm_t)
  auth_manage_pam_pid(xdm_t)
  auth_manage_pam_console_data(xdm_t)
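Review bot: `term_relabel_all_ttys(xdm_t)` and `term_relabel_unallocated_ttys(xdm_t)` are added together, and if the interface names mean what they say the first already includes the second, so one line is redundant; relabelling every tty type also lets the display manager relabel a tty that belongs to another user's running session. Keep `term_relabel_unallocated_ttys(xdm_t)` alone unless a specific case needs more, and if the all-ttys variant is really required add a comment naming it, e.g. `# xdm relabels the VT it starts the X server on`. `term_use_console(xdm_t)` would benefit from the same one-line why.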
@@ -28174,7 +28140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  auth_rw_faillog(xdm_t)
  auth_write_login_records(xdm_t)
  
-@@ -465,10 +591,12 @@
+@@ -465,10 +599,12 @@
  
  logging_read_generic_logs(xdm_t)
  
@@ -28189,7 +28155,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
-@@ -477,6 +605,11 @@
+@@ -477,6 +613,11 @@
  # Search /proc for any user domain processes.
  userdom_read_all_users_state(xdm_t)
  userdom_signal_all_users(xdm_t)
@@ -28201,7 +28167,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  xserver_rw_session(xdm_t, xdm_tmpfs_t)
  xserver_unconfined(xdm_t)
-@@ -509,10 +642,12 @@
+@@ -509,10 +650,12 @@
  
  optional_policy(`
  	alsa_domtrans(xdm_t)
@@ -28214,7 +28180,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  optional_policy(`
-@@ -520,12 +655,49 @@
+@@ -520,12 +663,50 @@
  ')
  
  optional_policy(`
@@ -28258,13 +28224,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  optional_policy(`
 +	gnome_read_gconf_config(xdm_t)
 +	gnome_read_config(xdm_t)
++	gnome_append_gconf_home_files(xdm_t)
 +')
 +
 +optional_policy(`
  	hostname_exec(xdm_t)
  ')
  
-@@ -543,9 +715,43 @@
+@@ -543,20 +724,59 @@
  ')
  
  optional_policy(`
@@ -28308,7 +28275,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  optional_policy(`
  	seutil_sigchld_newrole(xdm_t)
  ')
-@@ -555,8 +761,9 @@
+ 
+ optional_policy(`
++	shutdown_domtrans(xdm_t)
++')
++
++optional_policy(`
+ 	udev_read_db(xdm_t)
  ')
  
  optional_policy(`
@@ -28320,7 +28293,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -565,7 +772,6 @@
+@@ -565,7 +785,6 @@
  	ifdef(`distro_rhel4',`
  		allow xdm_t self:process { execheap execmem };
  	')
@@ -28328,7 +28301,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  optional_policy(`
  	userhelper_dontaudit_search_config(xdm_t)
-@@ -576,6 +782,10 @@
+@@ -576,6 +795,10 @@
  ')
  
  optional_policy(`
@@ -28339,7 +28312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -600,10 +810,9 @@
+@@ -600,10 +823,9 @@
  # execheap needed until the X module loader is fixed.
  # NVIDIA Needs execstack
  
@@ -28351,7 +28324,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  allow xserver_t self:fd use;
  allow xserver_t self:fifo_file rw_fifo_file_perms;
  allow xserver_t self:sock_file read_sock_file_perms;
-@@ -615,6 +824,18 @@
+@@ -615,6 +837,18 @@
  allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
  allow xserver_t self:tcp_socket create_stream_socket_perms;
  allow xserver_t self:udp_socket create_socket_perms;
@@ -28370,7 +28343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
  manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -634,12 +855,19 @@
+@@ -634,12 +868,19 @@
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -28392,7 +28365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  kernel_read_system_state(xserver_t)
  kernel_read_device_sysctls(xserver_t)
-@@ -673,7 +901,6 @@
+@@ -673,7 +914,6 @@
  dev_rw_agp(xserver_t)
  dev_rw_framebuffer(xserver_t)
  dev_manage_dri_dev(xserver_t)
@@ -28400,7 +28373,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  dev_create_generic_dirs(xserver_t)
  dev_setattr_generic_dirs(xserver_t)
  # raw memory access is needed if not using the frame buffer
-@@ -683,9 +910,12 @@
+@@ -683,9 +923,12 @@
  dev_rw_xserver_misc(xserver_t)
  # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
@@ -28414,7 +28387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  files_read_etc_files(xserver_t)
  files_read_etc_runtime_files(xserver_t)
-@@ -700,8 +930,12 @@
+@@ -700,8 +943,13 @@
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
@@ -28424,10 +28397,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +mls_process_write_to_clearance(xserver_t)
 +mls_file_read_to_clearance(xserver_t)
 +mls_file_write_all_levels(xserver_t)
++mls_file_upgrade(xserver_t)
  
  selinux_validate_context(xserver_t)
  selinux_compute_access_vector(xserver_t)
-@@ -723,6 +957,7 @@
+@@ -723,11 +971,14 @@
  
  miscfiles_read_localization(xserver_t)
  miscfiles_read_fonts(xserver_t)
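Review bot: `mls_file_upgrade(xserver_t)` is added with no comment, on top of the `mls_file_write_all_levels(xserver_t)` already present in the context, so on an MLS policy the X server can both write files at any level and raise a file's level; that is the kind of privilege a reader will want justified. Add a comment naming the file it has to upgrade, e.g. `# mls: xserver must raise the level of <file> when <event>` — from this hunk alone I cannot tell which file that is.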
@@ -28435,7 +28409,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  modutils_domtrans_insmod(xserver_t)
  
-@@ -779,12 +1014,20 @@
+ # read x_contexts
+ seutil_read_default_contexts(xserver_t)
++seutil_read_config(xserver_t)
++seutil_read_file_contexts(xserver_t)
+ 
+ userdom_search_user_home_dirs(xserver_t)
+ userdom_use_user_ttys(xserver_t)
+@@ -779,12 +1030,24 @@
  ')
  
  optional_policy(`
@@ -28453,11 +28434,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +')
 +
 +optional_policy(`
++	udev_read_db(xserver_t)
++')
++
++optional_policy(`
 +	unconfined_domain(xserver_t)
  	unconfined_domtrans(xserver_t)
  ')
  
-@@ -811,7 +1054,7 @@
+@@ -811,7 +1074,7 @@
  allow xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xserver_t xdm_var_lib_t:dir search;
  
@@ -28466,7 +28451,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -832,9 +1075,14 @@
+@@ -832,9 +1095,14 @@
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
  userdom_read_user_home_content_files(xserver_t)
@@ -28481,7 +28466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
  	fs_manage_nfs_files(xserver_t)
-@@ -849,11 +1097,14 @@
+@@ -849,11 +1117,14 @@
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -28498,7 +28483,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
  ')
  
  optional_policy(`
-@@ -999,3 +1250,33 @@
+@@ -999,3 +1270,33 @@
  allow xserver_unconfined_type xextension_type:x_extension *;
  allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
  allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -28532,9 +28517,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
 +tunable_policy(`use_samba_home_dirs',`
 +	fs_append_cifs_files(xdmhomewriter)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.if serefpolicy-3.7.9/policy/modules/services/zebra.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.if serefpolicy-3.7.15/policy/modules/services/zebra.if
 --- nsaserefpolicy/policy/modules/services/zebra.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/services/zebra.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/services/zebra.if	2010-03-18 10:44:43.000000000 -0400
 @@ -24,6 +24,26 @@
  
  ########################################
@@ -28562,9 +28547,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebr
  ##	All of the rules required to administrate 
  ##	an zebra environment
  ## </summary>
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.7.9/policy/modules/system/application.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.7.15/policy/modules/system/application.te
 --- nsaserefpolicy/policy/modules/system/application.te	2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/system/application.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/system/application.te	2010-03-18 10:44:43.000000000 -0400
 @@ -7,6 +7,17 @@
  # Executables to be run by user
  attribute application_exec_type;
@@ -28583,16 +28568,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/applic
  optional_policy(`
  	ssh_sigchld(application_domain_type)
  	ssh_rw_stream_sockets(application_domain_type)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.7.9/policy/modules/system/authlogin.fc
---- nsaserefpolicy/policy/modules/system/authlogin.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/system/authlogin.fc	2010-02-16 15:08:37.000000000 -0500
-@@ -7,12 +7,10 @@
- /etc/passwd\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
- /etc/shadow.*		--	gen_context(system_u:object_r:shadow_t,s0)
- 
--/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:pam_exec_t,s0)
--/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:pam_exec_t,s0)
--
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.7.15/policy/modules/system/authlogin.fc
+--- nsaserefpolicy/policy/modules/system/authlogin.fc	2010-03-18 10:35:11.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/system/authlogin.fc	2010-03-18 10:44:43.000000000 -0400
+@@ -10,6 +10,7 @@
  /sbin/pam_console_apply	 --	gen_context(system_u:object_r:pam_console_exec_t,s0)
  /sbin/pam_timestamp_check --	gen_context(system_u:object_r:pam_exec_t,s0)
  /sbin/unix_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
@@ -28600,74 +28579,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  /sbin/unix_update	--	gen_context(system_u:object_r:updpwd_exec_t,s0)
  /sbin/unix_verify	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
  ifdef(`distro_suse', `
-@@ -42,6 +40,9 @@
- /var/log/wtmp.*		--	gen_context(system_u:object_r:wtmp_t,s0)
- 
- /var/run/console(/.*)?	 	gen_context(system_u:object_r:pam_var_console_t,s0)
--
- /var/run/pam_mount(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
-+/var/run/sepermit(/.*)? 	gen_context(system_u:object_r:pam_var_run_t,s0)
-+
- /var/run/sudo(/.*)?		gen_context(system_u:object_r:pam_var_run_t,s0)
-+/var/run/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.9/policy/modules/system/authlogin.if
---- nsaserefpolicy/policy/modules/system/authlogin.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/system/authlogin.if	2010-02-16 15:08:37.000000000 -0500
-@@ -40,17 +40,76 @@
- ##	</summary>
- ## </param>
- #
-+interface(`auth_use_pam',`
-+
-+	# for SSP/ProPolice
-+	dev_read_urand($1)
-+	# for encrypted homedir
-+	dev_read_sysfs($1)
-+
-+	auth_domtrans_chk_passwd($1)
-+	auth_domtrans_upd_passwd($1)
-+	auth_dontaudit_read_shadow($1)
-+	auth_read_login_records($1)
-+	auth_append_login_records($1)
-+	auth_rw_lastlog($1)
-+	auth_rw_faillog($1)
-+	auth_exec_pam($1)
-+	auth_use_nsswitch($1)
-+
-+	logging_send_audit_msgs($1)
-+	logging_send_syslog_msg($1)
-+
-+	optional_policy(`
-+		dbus_system_bus_client($1)
-+		optional_policy(`
-+			consolekit_dbus_chat($1)
-+		')
-+	')
-+
-+	optional_policy(`
-+		kerberos_manage_host_rcache($1)
-+		kerberos_read_config($1)
-+	')
-+
-+	optional_policy(`
-+		nis_authenticate($1)
-+	')
-+')
-+
-+########################################
-+## <summary>
-+##	Make the specified domain used for a login program.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain type used for a login program domain.
-+##	</summary>
-+## </param>
-+#
- interface(`auth_login_pgm_domain',`
- 	gen_require(`
- 		type var_auth_t, auth_cache_t;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.7.15/policy/modules/system/authlogin.if
+--- nsaserefpolicy/policy/modules/system/authlogin.if	2010-03-18 10:35:11.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/system/authlogin.if	2010-03-18 10:52:29.000000000 -0400
+@@ -94,6 +94,8 @@
  	')
  
  	domain_type($1)
@@ -28676,58 +28591,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  	domain_subj_id_change_exemption($1)
  	domain_role_change_exemption($1)
  	domain_obj_id_change_exemption($1)
- 	role system_r types $1;
- 
-+	# Needed for pam_selinux_permit to cleanup properly
-+	domain_read_all_domains_state($1)
-+	domain_kill_all_domains($1)
-+
-+	# pam_keyring
-+	allow $1 self:capability ipc_lock;
-+	allow $1 self:process setkeycreate;
-+	allow $1 self:key manage_key_perms;
+@@ -107,6 +109,7 @@
+ 	allow $1 self:capability ipc_lock;
+ 	allow $1 self:process setkeycreate;
+ 	allow $1 self:key manage_key_perms;
 +	userdom_manage_all_users_keys($1)
-+
+ 
  	files_list_var_lib($1)
  	manage_files_pattern($1, var_auth_t, var_auth_t)
- 
-@@ -62,8 +121,6 @@
- 	manage_sock_files_pattern($1, auth_cache_t, auth_cache_t)
- 	files_var_filetrans($1, auth_cache_t, dir)
- 
--	# for SSP/ProPolice
--	dev_read_urand($1)
- 	# for fingerprint readers
- 	dev_rw_input_dev($1)
- 	dev_rw_generic_usb_dev($1)
-@@ -86,27 +143,45 @@
+@@ -141,6 +144,7 @@
  	mls_process_set_level($1)
  	mls_fd_share_all_levels($1)
  
--	auth_domtrans_chk_passwd($1)
--	auth_domtrans_upd_passwd($1)
--	auth_dontaudit_read_shadow($1)
--	auth_read_login_records($1)
--	auth_append_login_records($1)
--	auth_rw_lastlog($1)
--	auth_rw_faillog($1)
--	auth_exec_pam($1)
--	auth_use_nsswitch($1)
 +	auth_manage_pam_pid($1)
-+	auth_use_pam($1)
+ 	auth_use_pam($1)
  
  	init_rw_utmp($1)
- 
--	logging_send_audit_msgs($1)
--	logging_send_syslog_msg($1)
- 	logging_set_loginuid($1)
-+	logging_set_tty_audit($1)
- 
+@@ -151,6 +155,36 @@
  	seutil_read_config($1)
  	seutil_read_default_contexts($1)
  
--	tunable_policy(`allow_polyinstantiation',`
--		files_polyinstantiate_all($1)
 +	userdom_set_rlimitnh($1)
 +	userdom_read_user_home_content_symlinks($1)
 +	userdom_delete_user_tmp_files($1)
@@ -28756,157 +28639,46 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 +		ssh_agent_exec($1)
 +		ssh_read_user_home_files($1)
 +		userdom_read_user_home_content_files($1)
- 	')
- ')
- 
-@@ -258,6 +333,7 @@
- 		type auth_cache_t;
- 	')
- 
-+	manage_dirs_pattern($1, auth_cache_t, auth_cache_t)
- 	manage_files_pattern($1, auth_cache_t, auth_cache_t)
- ')
- 
-@@ -305,29 +381,50 @@
- 	dev_read_rand($1)
- 	dev_read_urand($1)
- 
-+	auth_use_nsswitch($1)
-+	auth_rw_faillog($1)
++	')
 +
- 	logging_send_audit_msgs($1)
- 
- 	miscfiles_read_certs($1)
- 
--	sysnet_dns_name_resolve($1)
--	sysnet_use_ldap($1)
--
- 	optional_policy(`
--		kerberos_use($1)
-+		kerberos_read_keytab($1)
-+		kerberos_connect_524($1)
+ 	tunable_policy(`allow_polyinstantiation',`
+ 		files_polyinstantiate_all($1)
  	')
- 
- 	optional_policy(`
--		nis_use_ypbind($1)
--	')
--
--	optional_policy(`
--		pcscd_read_pub_files($1)
-+		pcscd_manage_pub_files($1)
-+		pcscd_manage_pub_pipes($1)
- 		pcscd_stream_connect($1)
+@@ -365,13 +399,15 @@
  	')
  
  	optional_policy(`
- 		samba_stream_connect_winbind($1)
- 	')
-+	auth_domtrans_upd_passwd($1)
-+')
-+
-+########################################
-+## <summary>
-+##	Run unix_chkpwd to check a password.
-+## 	Stripped down version to be called within boolean
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`auth_domtrans_chkpwd',`
-+	gen_require(`
-+		type chkpwd_t, chkpwd_exec_t, shadow_t;
-+	')
-+
-+	corecmd_search_bin($1)
-+	domtrans_pattern($1, chkpwd_exec_t, chkpwd_t)
-+	dontaudit $1 shadow_t:file { getattr read };
-+	auth_domtrans_upd_passwd($1)
- ')
- 
- ########################################
-@@ -352,6 +449,7 @@
- 
- 	auth_domtrans_chk_passwd($1)
- 	role $2 types chkpwd_t;
-+	auth_run_upd_passwd($1, $2)
- ')
- 
- ########################################
-@@ -1129,6 +1227,32 @@
- 
- ########################################
- ## <summary>
-+##	rw all files on the filesystem, except
-+##	the shadow passwords and listed exceptions.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	The type of the domain perfoming this action.
-+##	</summary>
-+## </param>
-+## <param name="exception_types" optional="true">
-+##	<summary>
-+##	The types to be excluded.  Each type or attribute
-+##	must be negated by the caller.
-+##	</summary>
-+## </param>
-+#
-+
-+interface(`auth_rw_all_files_except_shadow',`
-+	gen_require(`
-+		type shadow_t;
-+	')
-+
-+	files_rw_all_files($1,$2 -shadow_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Manage all files on the filesystem, except
- ##	the shadow passwords and listed exceptions.
- ## </summary>
-@@ -1254,6 +1378,25 @@
- 
- ########################################
- ## <summary>
-+##	dontaudit read login records files (/var/log/wtmp).
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`auth_dontaudit_read_login_records',`
-+	gen_require(`
-+		type wtmp_t;
-+	')
-+
-+	dontaudit $1 wtmp_t:file read_file_perms;
-+')
-+
-+########################################
-+## <summary>
- ##	Do not audit attempts to write to
- ##	login records files.
- ## </summary>
-@@ -1395,16 +1538,33 @@
+-		pcscd_read_pub_files($1)
++		pcscd_manage_pub_files($1)
++		pcscd_manage_pub_pipes($1)
+ 		pcscd_stream_connect($1)
  	')
  
  	optional_policy(`
-+		ldap_stream_connect($1)
-+	')
-+
-+	optional_policy(`
-+		kerberos_use($1)
-+	')
+ 		samba_stream_connect_winbind($1)
+ 	')
++	auth_domtrans_upd_passwd($1)
+ ')
+ 
+ ########################################
+@@ -418,6 +454,7 @@
+ 
+ 	auth_domtrans_chk_passwd($1)
+ 	role $2 types chkpwd_t;
++	auth_run_upd_passwd($1, $2)
+ ')
+ 
+ ########################################
+@@ -1500,6 +1537,8 @@
+ #
+ interface(`auth_use_nsswitch',`
+ 
++	allow $1 self:netlink_route_socket r_netlink_socket_perms;
 +
-+	optional_policy(`
- 		nis_use_ypbind($1)
+ 	files_list_var_lib($1)
+ 
+ 	# read /etc/nsswitch.conf
+@@ -1531,7 +1570,15 @@
  	')
  
  	optional_policy(`
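Review bot: `allow $1 self:netlink_route_socket r_netlink_socket_perms;` in the new `@@ -1500,6 +1537,8 @@` hunk for `auth_use_nsswitch` is added without a comment, and because this interface is called by a large number of domains every nsswitch consumer inherits the grant. A one-line why-comment above it, e.g. `# name resolution enumerates interface addresses over netlink — confirm against the AVC that motivated this`, would keep the rule reviewable the next time the interface is widened. The same applies to `auth_domtrans_upd_passwd($1)` in `@@ -365,13 +399,15 @@`, which now runs unconditionally after the samba `optional_policy` block; a comment stating that the chkpwd transition always implies the updpwd transition would explain why it is not inside an `optional_policy` of its own. The body of `auth_use_nsswitch` continues outside the hunk.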
@@ -28923,48 +28695,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
  	')
  
  	optional_policy(`
- 		samba_stream_connect_winbind($1)
- 		samba_read_var_files($1)
-+		samba_dontaudit_write_var_files($1)
- 	')
- ')
- 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.7.9/policy/modules/system/authlogin.te
---- nsaserefpolicy/policy/modules/system/authlogin.te	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/system/authlogin.te	2010-02-16 15:08:37.000000000 -0500
-@@ -103,8 +103,10 @@
- 
- fs_dontaudit_getattr_xattr_fs(chkpwd_t)
- 
-+term_dontaudit_use_console(chkpwd_t)
- term_dontaudit_use_unallocated_ttys(chkpwd_t)
- term_dontaudit_use_generic_ptys(chkpwd_t)
-+term_dontaudit_use_all_ptys(chkpwd_t)
- 
- auth_use_nsswitch(chkpwd_t)
- 
-@@ -125,9 +127,18 @@
- ')
- 
- optional_policy(`
-+	# apache leaks file descriptors
-+	apache_dontaudit_rw_tcp_sockets(chkpwd_t)
-+')
-+
-+optional_policy(`
- 	kerberos_use(chkpwd_t)
- ')
- 
-+optional_policy(`
-+	nis_authenticate(chkpwd_t)
-+')
-+
- ########################################
- #
- # PAM local policy
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.if serefpolicy-3.7.9/policy/modules/system/daemontools.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.if serefpolicy-3.7.15/policy/modules/system/daemontools.if
 --- nsaserefpolicy/policy/modules/system/daemontools.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/system/daemontools.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/system/daemontools.if	2010-03-18 10:44:43.000000000 -0400
 @@ -71,6 +71,32 @@
  	domtrans_pattern($1, svc_start_exec_t, svc_start_t)
  ')
@@ -29045,9 +28778,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemon
 +
 +    allow $1 svc_run_t:process sigchld;
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.te serefpolicy-3.7.9/policy/modules/system/daemontools.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemontools.te serefpolicy-3.7.15/policy/modules/system/daemontools.te
 --- nsaserefpolicy/policy/modules/system/daemontools.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/system/daemontools.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/system/daemontools.te	2010-03-18 10:44:43.000000000 -0400
 @@ -39,7 +39,10 @@
  # multilog creates /service/*/log/status
  manage_files_pattern(svc_multilog_t, svc_svc_t, svc_svc_t)
@@ -29120,19 +28853,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/daemon
 +
  daemontools_domtrans_run(svc_start_t)
  daemontools_manage_svc(svc_start_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.7.9/policy/modules/system/fstools.fc
---- nsaserefpolicy/policy/modules/system/fstools.fc	2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/system/fstools.fc	2010-02-16 15:08:37.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.7.15/policy/modules/system/fstools.fc
+--- nsaserefpolicy/policy/modules/system/fstools.fc	2010-03-09 15:39:06.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/system/fstools.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -1,4 +1,3 @@
 -/sbin/badblocks		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/blkid		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/blockdev		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/cfdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -19,10 +18,10 @@
- /sbin/make_reiser4	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/mkdosfs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
- /sbin/mke2fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/sbin/mke4fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -23,7 +22,6 @@
  /sbin/mkfs.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/mkraid		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/mkreiserfs	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -29140,9 +28869,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
  /sbin/parted		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/partprobe		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.7.9/policy/modules/system/fstools.te
---- nsaserefpolicy/policy/modules/system/fstools.te	2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/system/fstools.te	2010-02-16 15:08:37.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.7.15/policy/modules/system/fstools.te
+--- nsaserefpolicy/policy/modules/system/fstools.te	2010-03-09 15:39:06.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/system/fstools.te	2010-03-18 10:44:43.000000000 -0400
 @@ -118,6 +118,8 @@
  fs_search_tmpfs(fsadm_t)
  fs_getattr_tmpfs_dirs(fsadm_t)
@@ -29152,19 +28881,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
  # Recreate /mnt/cdrom.
  files_manage_mnt_dirs(fsadm_t)
  # for tune2fs
-@@ -148,8 +150,7 @@
+@@ -148,7 +150,7 @@
  
  seutil_read_config(fsadm_t)
  
 -userdom_use_user_terminals(fsadm_t)
--userdom_use_unpriv_users_fds(fsadm_t)
 +term_use_all_terms(fsadm_t)
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.7.9/policy/modules/system/getty.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.7.15/policy/modules/system/getty.te
 --- nsaserefpolicy/policy/modules/system/getty.te	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/system/getty.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/system/getty.te	2010-03-18 10:44:43.000000000 -0400
 @@ -56,11 +56,10 @@
  manage_files_pattern(getty_t, getty_var_run_t, getty_var_run_t)
  files_pid_filetrans(getty_t, getty_var_run_t, file)
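Review bot: `term_use_all_terms(fsadm_t)` replaces `userdom_use_user_terminals(fsadm_t)` with no comment explaining the wider scope; by its name the new interface covers every terminal type rather than user terminals only, and the previous patch revision's removal of `userdom_use_unpriv_users_fds(fsadm_t)` is no longer carried, so fsadm_t ends up with more terminal and fd access than before rather than less. A short comment above the line naming the case that needs it (presumably filesystem checks driven from a console that is not labelled as a user tty — confirm) would make the widening deliberate rather than incidental. The enclosing block of fstools.te continues outside the hunk.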
@@ -29180,9 +28908,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.
  
  dev_read_sysfs(getty_t)
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.7.9/policy/modules/system/hostname.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-3.7.15/policy/modules/system/hostname.te
 --- nsaserefpolicy/policy/modules/system/hostname.te	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/system/hostname.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/system/hostname.te	2010-03-18 10:44:43.000000000 -0400
 @@ -27,15 +27,18 @@
  
  dev_read_sysfs(hostname_t)
@@ -29202,36 +28930,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna
  fs_dontaudit_use_tmpfs_chr_dev(hostname_t)
  
  term_dontaudit_use_console(hostname_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.7.9/policy/modules/system/hotplug.te
---- nsaserefpolicy/policy/modules/system/hotplug.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/system/hotplug.te	2010-02-16 15:08:37.000000000 -0500
-@@ -125,6 +125,10 @@
- ')
- 
- optional_policy(`
-+	brctl_domtrans(hotplug_t)
-+')
-+
-+optional_policy(`
- 	consoletype_exec(hotplug_t)
- ')
- 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.7.9/policy/modules/system/init.fc
---- nsaserefpolicy/policy/modules/system/init.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/system/init.fc	2010-02-16 15:08:37.000000000 -0500
-@@ -4,10 +4,10 @@
- /etc/init\.d/.*		--	gen_context(system_u:object_r:initrc_exec_t,s0)
- 
- /etc/rc\.d/rc		--	gen_context(system_u:object_r:initrc_exec_t,s0)
--/etc/rc\.d/rc\.sysinit	--	gen_context(system_u:object_r:initrc_exec_t,s0)
--/etc/rc\.d/rc\.local	--	gen_context(system_u:object_r:initrc_exec_t,s0)
-+/etc/rc\.d/rc\.[^/]+	--	gen_context(system_u:object_r:initrc_exec_t,s0)
- 
- /etc/rc\.d/init\.d/.*	--	gen_context(system_u:object_r:initrc_exec_t,s0)
-+/etc/sysconfig/network-scripts/ifup-ipsec  	--	gen_context(system_u:object_r:initrc_exec_t,s0)
- 
- /etc/X11/prefdm		--	gen_context(system_u:object_r:initrc_exec_t,s0)
- 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.7.15/policy/modules/system/init.fc
+--- nsaserefpolicy/policy/modules/system/init.fc	2010-03-18 10:35:11.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/system/init.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -44,6 +44,9 @@
  
  /usr/sbin/apachectl	-- 	gen_context(system_u:object_r:initrc_exec_t,s0)
@@ -29242,10 +28943,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
  
  #
  # /var
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.9/policy/modules/system/init.if
---- nsaserefpolicy/policy/modules/system/init.if	2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/system/init.if	2010-02-16 15:08:37.000000000 -0500
-@@ -162,8 +162,10 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.7.15/policy/modules/system/init.if
+--- nsaserefpolicy/policy/modules/system/init.if	2010-03-18 10:35:11.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/system/init.if	2010-03-18 10:56:08.000000000 -0400
+@@ -193,8 +193,10 @@
  	gen_require(`
  		attribute direct_run_init, direct_init, direct_init_entry;
  		type initrc_t;
@@ -29256,7 +28957,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
  	')
  
  	typeattribute $1 daemon;
-@@ -174,6 +176,15 @@
+@@ -205,6 +207,15 @@
  	role system_r types $1;
  
  	domtrans_pattern(initrc_t,$2,$1)
@@ -29272,7 +28973,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
  
  	# daemons started from init will
  	# inherit fds from init for the console
-@@ -233,7 +244,7 @@
+@@ -285,7 +296,7 @@
  		type initrc_t;
  	')
  
@@ -29281,7 +28982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
  
  	ifdef(`enable_mcs',`
  		range_transition initrc_t $2:process $3;
-@@ -265,6 +276,7 @@
+@@ -338,6 +349,7 @@
  	gen_require(`
  		type initrc_t;
  		role system_r;
@@ -29289,7 +28990,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
  	')
  
  	application_domain($1,$2)
-@@ -272,6 +284,9 @@
+@@ -345,6 +357,9 @@
  	role system_r types $1;
  
  	domtrans_pattern(initrc_t,$2,$1)
@@ -29299,7 +29000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
  
  	ifdef(`hide_broken_symptoms',`
  		# RHEL4 systems seem to have a stray
-@@ -280,6 +295,36 @@
+@@ -353,6 +368,36 @@
  			kernel_dontaudit_use_fds($1)
  		')
  	')
@@ -29336,17 +29037,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
  ')
  
  ########################################
-@@ -546,7 +591,8 @@
+@@ -681,7 +726,9 @@
  
  		# upstart uses a datagram socket instead of initctl pipe
  		allow $1 self:unix_dgram_socket create_socket_perms;
 -		allow $1 init_t:unix_dgram_socket sendto;
++		allow $1 init_t:unix_stream_socket sendto;
 +		allow $1 init_t:unix_stream_socket connectto;
 +		init_chat($1)
  	')
  ')
  
-@@ -619,18 +665,19 @@
+@@ -754,18 +801,19 @@
  #
  interface(`init_spec_domtrans_script',`
  	gen_require(`
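Review bot: The added `allow $1 init_t:unix_stream_socket sendto;` looks redundant next to the `connectto` rule on the following line: for unix stream sockets the permission checked when connecting is `connectto`, and traffic on the established connection is governed by the socket's own read/write permissions, so `sendto` is unlikely to be the permission an AVC denial actually named — confirm against the denial before keeping it. If it is kept, a comment stating which upstart operation requires it would help, because the existing comment above only explains the datagram socket while this rule is on a stream socket. The enclosing interface starts outside the hunk.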
@@ -29370,7 +29072,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
  	')
  ')
  
-@@ -646,19 +693,39 @@
+@@ -781,23 +829,43 @@
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -29391,11 +29093,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
  	ifdef(`enable_mls',`
 -		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
 +		range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
-+	')
-+')
-+
-+########################################
-+## <summary>
+ 	')
+ ')
+ 
+ ########################################
+ ## <summary>
 +##	Execute a file in a bin directory
 +##	in the initrc_t domain 
 +## </summary>
@@ -29408,13 +29110,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 +interface(`init_bin_domtrans_spec',`
 +	gen_require(`
 +		type initrc_t;
- 	')
++	')
 +
 +	corecmd_bin_domtrans($1, initrc_t)
- ')
- 
- ########################################
-@@ -714,8 +781,10 @@
++')
++
++########################################
++## <summary>
+ ##	Execute a init script in a specified domain.
+ ## </summary>
+ ## <desc>
+@@ -849,8 +917,10 @@
  interface(`init_labeled_script_domtrans',`
  	gen_require(`
  		type initrc_t;
@@ -29425,67 +29131,63 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
  	domtrans_pattern($1, $2, initrc_t)
  	files_search_etc($1)
  ')
-@@ -923,6 +992,24 @@
- 	allow $1 init_script_file_type:file read_file_perms;
- ')
+@@ -1444,7 +1514,7 @@
  
-+#######################################
-+## <summary>
-+##      Dontaudit read all init script files.
-+## </summary>
-+## <param name="domain">
-+##      <summary>
-+##      Domain allowed access.
-+##      </summary>
-+## </param>
-+#
-+interface(`dontaudit_init_read_all_script_files',`
-+        gen_require(`
-+                attribute init_script_file_type;
-+        ')
-+
-+        dontaudit $1 init_script_file_type:file read_file_perms;
-+')
-+
  ########################################
  ## <summary>
- ##	Execute all init scripts in the caller domain.
-@@ -1142,7 +1229,7 @@
- 		type initrc_t;
+-##	Read init script temporary data.
++##	Read and write init script temporary data.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1452,18 +1522,18 @@
+ ##	</summary>
+ ## </param>
+ #
+-interface(`init_read_script_tmp_files',`
++interface(`init_rw_script_tmp_files',`
+ 	gen_require(`
+ 		type initrc_tmp_t;
  	')
  
--	allow $1 initrc_t:unix_stream_socket { read write };
-+	allow $1 initrc_t:unix_stream_socket rw_socket_perms;
+ 	files_search_tmp($1)
+-	read_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
++	rw_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
  ')
  
  ########################################
-@@ -1310,6 +1397,25 @@
- 
- ########################################
  ## <summary>
+-##	Read and write init script temporary data.
 +##	Read init script temporary data.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1471,13 +1541,13 @@
+ ##	</summary>
+ ## </param>
+ #
+-interface(`init_rw_script_tmp_files',`
 +interface(`init_read_script_tmp_files',`
-+	gen_require(`
-+		type initrc_tmp_t;
-+	')
-+
-+	files_search_tmp($1)
+ 	gen_require(`
+ 		type initrc_tmp_t;
+ 	')
+ 
+ 	files_search_tmp($1)
+-	rw_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
 +	read_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Create files in a init script
- ##	temporary data directory.
- ## </summary>
-@@ -1540,3 +1646,76 @@
+ ')
+ 
+ ########################################
+@@ -1637,7 +1707,7 @@
+ 		type initrc_var_run_t;
+ 	')
+ 
+-	dontaudit $1 initrc_var_run_t:file { getattr read write append lock };
++	dontaudit $1 initrc_var_run_t:file { getattr read write append };
+ ')
+ 
+ ########################################
+@@ -1712,3 +1782,76 @@
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
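Review bot: The three new hunks `@@ -1444,7 +1514,7 @@`, `@@ -1452,18 +1522,18 @@` and `@@ -1471,13 +1541,13 @@` rename `init_read_script_tmp_files` to `init_rw_script_tmp_files` and the following interface back the other way, swapping `read_files_pattern` and `rw_files_pattern` and the summaries to match; the net effect is that the two interfaces trade positions while keeping their contracts, which is pure churn that will conflict on every upstream rebase. Dropping these hunks, or keeping the interfaces in upstream's order, removes the noise without changing policy. Separately, `@@ -1637,7 +1707,7 @@` drops `lock` from `dontaudit $1 initrc_var_run_t:file { getattr read write append }`, so lock denials on those files will now be audited — state in the commit description whether that is intended or a side effect of the rebase.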
@@ -29562,9 +29264,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
 +	init_dontaudit_use_script_fds($1)
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.9/policy/modules/system/init.te
---- nsaserefpolicy/policy/modules/system/init.te	2009-11-12 12:51:51.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/system/init.te	2010-02-16 15:08:37.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.7.15/policy/modules/system/init.te
+--- nsaserefpolicy/policy/modules/system/init.te	2010-03-18 10:35:11.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/system/init.te	2010-03-18 10:44:43.000000000 -0400
 @@ -17,6 +17,20 @@
  ## </desc>
  gen_tunable(init_upstart, false)
@@ -29631,15 +29333,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  # For /var/run/shutdown.pid.
  allow init_t init_var_run_t:file manage_file_perms;
-@@ -140,6 +158,7 @@
- files_dontaudit_rw_root_files(init_t)
- files_dontaudit_rw_root_chr_files(init_t)
- 
-+fs_list_inotifyfs(init_t)
- # cjp: this may be related to /dev/log
- fs_write_ramfs_sockets(init_t)
- 
-@@ -167,11 +186,14 @@
+@@ -169,6 +187,8 @@
  
  miscfiles_read_localization(init_t)
  
@@ -29648,13 +29342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ifdef(`distro_gentoo',`
  	allow init_t self:process { getcap setcap };
  ')
- 
- ifdef(`distro_redhat',`
-+	fs_read_tmpfs_symlinks(init_t)
- 	fs_rw_tmpfs_chr_files(init_t)
- 	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
- ')
-@@ -189,10 +211,31 @@
+@@ -192,10 +212,23 @@
  ')
  
  optional_policy(`
@@ -29663,10 +29351,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 +
 +optional_policy(`
 +	dbus_connect_system_bus(init_t)
-+	dbus_system_bus_client(init_t)
-+')
-+
-+optional_policy(`
+ 	dbus_system_bus_client(init_t)
+ ')
+ 
+ optional_policy(`
 +	# /var/run/dovecot/login/ssl-parameters.dat is a hard link to
 +	# /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
 +	# the directory. But we do not want to allow this.
@@ -29678,15 +29366,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	nscd_socket_use(init_t)
  ')
  
- optional_policy(`
-+	sssd_stream_connect(init_t)
-+')
-+
-+optional_policy(`
- 	unconfined_domain(init_t)
- ')
- 
-@@ -202,9 +245,10 @@
+@@ -213,7 +246,7 @@
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -29694,36 +29374,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 +allow initrc_t self:capability ~{ audit_control audit_write sys_admin sys_module };
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
-+allow initrc_t self:key manage_key_perms;
- 
- # Allow IPC with self
- allow initrc_t self:unix_dgram_socket create_socket_perms;
-@@ -217,7 +261,8 @@
- term_create_pty(initrc_t, initrc_devpts_t)
+ allow initrc_t self:key manage_key_perms;
+@@ -230,6 +263,7 @@
  
  # Going to single user mode
--init_exec(initrc_t)
-+init_telinit(initrc_t)
+ init_telinit(initrc_t)
 +init_chat(initrc_t)
  
  can_exec(initrc_t, init_script_file_type)
  
-@@ -230,10 +275,12 @@
+@@ -242,6 +276,7 @@
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
 +files_manage_generic_pids_symlinks(initrc_t)
  
  can_exec(initrc_t, initrc_tmp_t)
--allow initrc_t initrc_tmp_t:file manage_file_perms;
--allow initrc_t initrc_tmp_t:dir manage_dir_perms;
-+manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
-+manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
-+manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
- files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
- 
- init_write_initctl(initrc_t)
-@@ -246,13 +293,19 @@
+ manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
+@@ -259,13 +294,19 @@
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -29745,38 +29413,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  corenet_all_recvfrom_unlabeled(initrc_t)
  corenet_all_recvfrom_netlabel(initrc_t)
-@@ -267,21 +320,29 @@
- 
- dev_read_rand(initrc_t)
- dev_read_urand(initrc_t)
-+dev_write_kmsg(initrc_t)
- dev_write_rand(initrc_t)
- dev_write_urand(initrc_t)
- dev_rw_sysfs(initrc_t)
- dev_list_usbfs(initrc_t)
- dev_read_framebuffer(initrc_t)
-+dev_write_framebuffer(initrc_t)
- dev_read_realtime_clock(initrc_t)
- dev_read_sound_mixer(initrc_t)
- dev_write_sound_mixer(initrc_t)
+@@ -293,12 +334,14 @@
  dev_setattr_all_chr_files(initrc_t)
--dev_read_lvm_control(initrc_t)
-+dev_rw_lvm_control(initrc_t)
+ dev_rw_lvm_control(initrc_t)
  dev_delete_lvm_control_dev(initrc_t)
 +dev_delete_null(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
  # Wants to remove udev.tbl:
  dev_delete_generic_symlinks(initrc_t)
-+dev_getattr_all_blk_files(initrc_t)
-+dev_getattr_all_chr_files(initrc_t)
+ dev_getattr_all_blk_files(initrc_t)
+ dev_getattr_all_chr_files(initrc_t)
 +dev_rw_xserver_misc(initrc_t)
-+
-+corecmd_exec_all_executables(initrc_t)
  
- domain_kill_all_domains(initrc_t)
- domain_signal_all_domains(initrc_t)
-@@ -291,7 +352,7 @@
+ corecmd_exec_all_executables(initrc_t)
+ 
+@@ -310,7 +353,7 @@
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -29785,7 +29437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -306,14 +367,15 @@
+@@ -325,8 +368,10 @@
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -29797,24 +29449,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
- files_manage_etc_runtime_files(initrc_t)
- files_etc_filetrans_etc_runtime(initrc_t, file)
--files_manage_generic_locks(initrc_t)
- files_exec_etc_files(initrc_t)
- files_read_usr_files(initrc_t)
- files_manage_urandom_seed(initrc_t)
-@@ -324,7 +386,10 @@
+@@ -342,6 +387,8 @@
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
 +files_manage_mnt_dirs(initrc_t)
 +files_manage_mnt_files(initrc_t)
  
-+fs_list_inotifyfs(initrc_t)
+ fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
- # rhgb-console writes to ramfs
- fs_write_ramfs_pipes(initrc_t)
-@@ -333,6 +398,11 @@
+@@ -352,6 +399,11 @@
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -29826,17 +29470,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -365,7 +435,9 @@
- 
- libs_rw_ld_so_cache(initrc_t)
- libs_exec_lib_files(initrc_t)
-+libs_exec_ld_so(initrc_t)
- 
-+logging_send_audit_msgs(initrc_t)
- logging_send_syslog_msg(initrc_t)
- logging_manage_generic_logs(initrc_t)
- logging_read_all_logs(initrc_t)
-@@ -374,19 +446,22 @@
+@@ -395,19 +447,22 @@
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -29850,7 +29484,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
 +userdom_read_admin_home_files(initrc_t)
  userdom_read_user_home_content_files(initrc_t)
- # Allow access to the sysadm TTYs. Note that this will give access to the 
+-# Allow access to the sysadm TTYs. Note that this will give access to the
++# Allow access to the sysadm TTYs. Note that this will give access to the 
  # TTYs to any process in the initrc_t domain. Therefore, daemons and such
  # started from init should be placed in their own domain.
  userdom_use_user_terminals(initrc_t)
@@ -29860,16 +29495,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
  
-@@ -431,7 +506,7 @@
- 	# /lib/rcscripts/net/system.sh rewrites resolv.conf :(
- 	sysnet_create_config(initrc_t)
- 	sysnet_write_config(initrc_t)
--	sysnet_setattr_config(initrc_t)	
-+	sysnet_setattr_config(initrc_t)
- 
- 	optional_policy(`
- 		arpwatch_manage_data_files(initrc_t)
-@@ -450,11 +525,9 @@
+@@ -471,7 +526,7 @@
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -29877,35 +29503,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 +	kernel_use_fds(initrc_t)
  	files_dontaudit_read_root_files(initrc_t)
  
--	selinux_set_enforce_mode(initrc_t)
--
  	# These seem to be from the initrd
- 	# during device initialization:
- 	dev_create_generic_dirs(initrc_t)
-@@ -464,6 +537,7 @@
- 	storage_raw_read_fixed_disk(initrc_t)
- 	storage_raw_write_fixed_disk(initrc_t)
- 
-+	files_create_boot_dirs(initrc_t)
- 	files_create_boot_flag(initrc_t)
- 	files_rw_boot_symlinks(initrc_t)
- 	# wants to read /.fonts directory
-@@ -472,6 +546,7 @@
- 	# Needs to cp localtime to /var dirs
- 	files_write_var_dirs(initrc_t)
- 
-+	fs_read_tmpfs_symlinks(initrc_t)
- 	fs_rw_tmpfs_chr_files(initrc_t)
- 
- 	storage_manage_fixed_disk(initrc_t)
-@@ -490,17 +565,32 @@
- 	miscfiles_read_hwdata(initrc_t)
- 
+@@ -517,6 +572,15 @@
  	optional_policy(`
-+		alsa_manage_rw_config(initrc_t)
-+	')
-+
-+	optional_policy(`
  		bind_manage_config_dirs(initrc_t)
  		bind_write_config(initrc_t)
 +		bind_setattr_zone_dirs(initrc_t)
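Review bot: The previous revision of this patch deleted `selinux_set_enforce_mode(initrc_t)` from the `distro_redhat` block (the dropped `--` lines in this hunk); the rebased hunk `@@ -471,7 +526,7 @@` no longer touches that line. If upstream 3.7.15 still carries it, initrc_t — the domain every init script runs in — regains the ability to switch the enforcing mode, which silently undoes a hardening the patch previously made; if upstream removed it itself, that deserves a sentence in the commit description. Confirm against the 3.7.15 init.te before merging. The enclosing `distro_redhat` block starts and ends outside the hunk.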
@@ -29920,18 +29520,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  	')
  
  	optional_policy(`
- 		#for /etc/rc.d/init.d/nfs to create /etc/exports
- 		rpc_write_exports(initrc_t)
-+		rpc_manage_nfs_state_data(initrc_t)
- 	')
- 
- 	optional_policy(`
- 		sysnet_rw_dhcp_config(initrc_t)
-+		sysnet_manage_config(initrc_t)
- 	')
- 
- 	optional_policy(`
-@@ -515,6 +605,34 @@
+@@ -542,6 +606,34 @@
  	')
  ')
  
@@ -29954,7 +29543,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 + 
 +# system-config-services causes avc messages that should be dontaudited
 +tunable_policy(`allow_daemons_dump_core',`
-+	files_dump_core(daemon)
++	files_manage_root_files(daemon)
 +')
 +
 +optional_policy(`
@@ -29966,7 +29555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -527,6 +645,8 @@
+@@ -554,6 +646,8 @@
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
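Review bot: `files_manage_root_files(daemon)` replaces `files_dump_core(daemon)` under `tunable_policy(\`allow_daemons_dump_core'`, but by its name the new interface grants create, write and delete on files in the root directory to every domain carrying the `daemon` attribute, which is considerably more than the boolean's name promises. If core dumps in `/` are the only need, keep `files_dump_core` or a comparably narrow interface; if the wider grant is intended, rename or re-document the boolean so an administrator enabling it knows what they are turning on. The comment above it, `# system-config-services causes avc messages that should be dontaudited`, also reads as belonging to a different block and should be moved or reworded.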
@@ -29975,38 +29564,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -567,10 +687,19 @@
+@@ -594,6 +688,7 @@
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
 +	dbus_manage_lib_files(initrc_t)
-+
-+	optional_policy(`
-+		consolekit_dbus_chat(initrc_t)
-+	')
  
  	optional_policy(`
- 		networkmanager_dbus_chat(initrc_t)
- 	')
-+
-+	optional_policy(`
-+		policykit_dbus_chat(initrc_t)
-+	')
+ 		consolekit_dbus_chat(initrc_t)
+@@ -647,11 +742,6 @@
  ')
  
  optional_policy(`
-@@ -590,6 +719,10 @@
+-	iscsi_stream_connect(initrc_t)
+-	iscsi_read_lib_files(initrc_t)
+-')
+-
+-optional_policy(`
+ 	kerberos_use(initrc_t)
  ')
  
- optional_policy(`
-+	hal_write_log(initrc_t)
-+')
-+
-+optional_policy(`
- 	dev_read_usbfs(initrc_t)
- 
- 	# init scripts run /etc/hotplug/usb.rc
-@@ -646,20 +779,20 @@
+@@ -690,12 +780,18 @@
  ')
  
  optional_policy(`
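Review bot: The rebased hunk `@@ -647,11 +742,6 @@` makes the patch delete upstream's `iscsi_stream_connect(initrc_t)` / `iscsi_read_lib_files(initrc_t)` block, where the previous revision did not. Nothing in this chunk re-adds those rules, so unless they return elsewhere in the patch the iscsi init script loses socket and lib access it has upstream — confirm that is intended (for instance because another domain now covers it) and say so in the commit description. The enclosing sequence of init.te `optional_policy` blocks continues outside the hunk.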
@@ -30024,32 +29602,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
 +	mta_write_config(initrc_t)
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
--# cjp: require doesnt work in the else of optionals :\
--# this also would result in a type transition
--# conflict if sendmail is enabled
--#optional_policy(`',`
--#	mta_send_mail(initrc_t)
--#')
- 
- optional_policy(`
- 	ifdef(`distro_redhat',`
-@@ -668,6 +801,7 @@
- 
- 	mysql_stream_connect(initrc_t)
- 	mysql_write_log(initrc_t)
-+	mysql_read_config(initrc_t)
- ')
- 
- optional_policy(`
-@@ -700,7 +834,6 @@
- ')
- 
- optional_policy(`
--	corecmd_shell_entry_type(initrc_t)
- 	fs_write_ramfs_sockets(initrc_t)
- 	fs_search_ramfs(initrc_t)
  
-@@ -722,8 +855,6 @@
+@@ -760,8 +856,6 @@
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -30058,7 +29612,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -736,13 +867,16 @@
+@@ -774,10 +868,12 @@
  	squid_manage_logs(initrc_t)
  ')
  
@@ -30071,37 +29625,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-+	ssh_setattr_key_files(initrc_t)
- ')
- 
- optional_policy(`
-@@ -751,6 +885,7 @@
- 
- optional_policy(`
- 	udev_rw_db(initrc_t)
-+	udev_manage_pid_files(initrc_t)
- ')
- 
- optional_policy(`
-@@ -758,7 +893,17 @@
+@@ -801,8 +897,14 @@
+ 	virt_manage_svirt_cache(initrc_t)
  ')
  
- optional_policy(`
-+	virt_manage_svirt_cache(initrc_t)
-+')
-+
 +# Cron jobs used to start and stop services
 +optional_policy(`
 +	cron_rw_pipes(daemon)
 +')
 +
-+optional_policy(`
+ optional_policy(`
  	unconfined_domain(initrc_t)
 +	domain_role_change_exemption(initrc_t)
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -768,6 +913,25 @@
+@@ -812,6 +914,25 @@
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -30127,191 +29666,72 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
  ')
  
  optional_policy(`
-@@ -793,3 +957,31 @@
+@@ -837,3 +958,34 @@
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
 +
++# if I start an initrc script from an random director I can generate this avc
++files_dontaudit_search_all_dirs(daemon)
++
 +userdom_inherit_append_user_home_content_files(daemon)
 +userdom_inherit_append_user_tmp_files(daemon)
-+userdom_dontaudit_rw_stream(daemon)
-+
-+logging_append_all_logs(daemon)
-+
-+optional_policy(`
-+	# sudo service restart causes this 
-+	unconfined_signull(daemon)
-+')
-+
-+
-+optional_policy(`
-+	xserver_dontaudit_append_xdm_home_files(daemon)
-+	tunable_policy(`use_nfs_home_dirs',`
-+		fs_dontaudit_rw_nfs_files(daemon)
-+	')
-+	tunable_policy(`use_samba_home_dirs',`
-+		fs_dontaudit_rw_cifs_files(daemon)
-+	')
-+')
-+
-+init_rw_script_stream_sockets(daemon)
-+
-+optional_policy(`
-+	fail2ban_read_lib_files(daemon)
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.7.9/policy/modules/system/ipsec.fc
---- nsaserefpolicy/policy/modules/system/ipsec.fc	2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/system/ipsec.fc	2010-02-16 15:08:37.000000000 -0500
-@@ -37,6 +37,8 @@
- 
- /var/racoon(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
- 
-+/var/log/pluto\.log		--	gen_context(system_u:object_r:ipsec_log_t,s0)
-+
- /var/run/pluto(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
-+/var/run/racoon\.pid		--	gen_context(system_u:object_r:ipsec_var_run_t,s0)
- 
--/var/run/racoon.pid		--	gen_context(system_u:object_r:ipsec_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.7.9/policy/modules/system/ipsec.if
---- nsaserefpolicy/policy/modules/system/ipsec.if	2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/system/ipsec.if	2010-02-16 15:08:37.000000000 -0500
-@@ -39,6 +39,25 @@
- 
- ########################################
- ## <summary>
-+##	Connect to racoon using a unix domain stream socket.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	The type of the process performing this action.
-+##	</summary>
-+## </param>
-+#
-+interface(`ipsec_stream_connect_racoon',`
-+	gen_require(`
-+		type racoon_t, ipsec_var_run_t;
-+	')
++userdom_dontaudit_rw_stream(daemon)
 +
-+	files_search_pids($1)
-+	stream_connect_pattern($1, ipsec_var_run_t, ipsec_var_run_t, racoon_t)
++logging_append_all_logs(daemon)
++
++optional_policy(`
++	# sudo service restart causes this 
++	unconfined_signull(daemon)
 +')
 +
-+########################################
-+## <summary>
- ##	Get the attributes of an IPSEC key socket.
- ## </summary>
- ## <param name="domain">
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.9/policy/modules/system/ipsec.te
---- nsaserefpolicy/policy/modules/system/ipsec.te	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/system/ipsec.te	2010-02-16 15:08:37.000000000 -0500
-@@ -29,9 +29,15 @@
- type ipsec_key_file_t;
- files_type(ipsec_key_file_t)
- 
-+type ipsec_log_t;
-+logging_log_file(ipsec_log_t)
 +
- # Default type for IPSEC SPD entries
- type ipsec_spd_t;
- 
-+type ipsec_tmp_t;
-+files_tmp_file(ipsec_tmp_t)
++optional_policy(`
++	xserver_dontaudit_append_xdm_home_files(daemon)
++	tunable_policy(`use_nfs_home_dirs',`
++		fs_dontaudit_rw_nfs_files(daemon)
++	')
++	tunable_policy(`use_samba_home_dirs',`
++		fs_dontaudit_rw_cifs_files(daemon)
++	')
++')
++
++init_rw_script_stream_sockets(daemon)
 +
- # type for runtime files, including pluto.ctl
- type ipsec_var_run_t;
- files_pid_file(ipsec_var_run_t)
-@@ -66,7 +72,7 @@
- # ipsec Local policy
++optional_policy(`
++	fail2ban_read_lib_files(daemon)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.15/policy/modules/system/ipsec.te
+--- nsaserefpolicy/policy/modules/system/ipsec.te	2010-03-18 06:48:09.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/system/ipsec.te	2010-03-18 10:44:43.000000000 -0400
+@@ -73,7 +73,7 @@
  #
  
--allow ipsec_t self:capability { net_admin dac_override dac_read_search sys_nice };
-+allow ipsec_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
- dontaudit ipsec_t self:capability sys_tty_config;
+ allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
+-dontaudit ipsec_t self:capability sys_tty_config;
++dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
  allow ipsec_t self:process { getcap setcap getsched signal setsched };
  allow ipsec_t self:tcp_socket create_stream_socket_perms;
-@@ -85,6 +91,10 @@
- manage_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
- read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t)
- 
-+manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
-+manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
-+files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file }) 
-+
- manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
- manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
- files_pid_filetrans(ipsec_t, ipsec_var_run_t, { file sock_file })
-@@ -98,7 +108,9 @@
- corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
- allow ipsec_mgmt_t ipsec_t:fd use;
- allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
-+dontaudit ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
- allow ipsec_mgmt_t ipsec_t:process sigchld;
-+sysnet_domtrans_ifconfig(ipsec_t)
- 
- kernel_read_kernel_sysctls(ipsec_t)
- kernel_list_proc(ipsec_t)
-@@ -171,8 +183,9 @@
- # ipsec_mgmt Local policy
- #
- 
--allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
--allow ipsec_mgmt_t self:process { signal setrlimit };
-+allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
-+dontaudit ipsec_mgmt_t self:capability sys_tty_config;
-+allow ipsec_mgmt_t self:process { getsched ptrace setrlimit signal };
+ allow ipsec_t self:udp_socket create_socket_perms;
+@@ -186,7 +186,7 @@
+ 
+ allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
+ dontaudit ipsec_mgmt_t self:capability sys_tty_config;
+-allow ipsec_mgmt_t self:process { getsched ptrace setrlimit signal };
++allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal };
  allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
  allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
  allow ipsec_mgmt_t self:udp_socket create_socket_perms;
-@@ -182,6 +195,13 @@
- allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
- files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
- 
-+manage_dirs_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t)
-+manage_files_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t)
-+files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file }) 
-+
-+manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t)
-+logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
-+
- allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
- files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
- 
-@@ -209,7 +229,6 @@
- # whack needs to connect to pluto
- stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
+@@ -258,7 +258,7 @@
  
--can_exec(ipsec_mgmt_t, ipsec_exec_t)
- can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
- allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
- 
-@@ -247,8 +266,10 @@
- files_read_etc_files(ipsec_mgmt_t)
- files_exec_etc_files(ipsec_mgmt_t)
- files_read_etc_runtime_files(ipsec_mgmt_t)
-+files_read_usr_files(ipsec_mgmt_t)
- files_dontaudit_getattr_default_dirs(ipsec_mgmt_t)
- files_dontaudit_getattr_default_files(ipsec_mgmt_t)
-+files_list_tmp(ipsec_mgmt_t)
- 
- fs_getattr_xattr_fs(ipsec_mgmt_t)
- fs_list_tmpfs(ipsec_mgmt_t)
-@@ -259,6 +280,7 @@
- init_use_script_ptys(ipsec_mgmt_t)
- init_exec_script_files(ipsec_mgmt_t)
- init_use_fds(ipsec_mgmt_t)
-+init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t)
- 
- logging_send_syslog_msg(ipsec_mgmt_t)
- 
-@@ -323,6 +345,7 @@
- 
- kernel_read_system_state(racoon_t)
- kernel_read_network_state(racoon_t)
-+kernel_request_load_module(racoon_t)
- 
- corecmd_exec_shell(racoon_t)
- corecmd_exec_bin(racoon_t)
-@@ -362,6 +385,8 @@
+ domain_use_interactive_fds(ipsec_mgmt_t)
+ # denials when ps tries to search /proc. Do not audit these denials.
+-domain_dontaudit_list_all_domains_state(ipsec_mgmt_t)
++domain_dontaudit_read_all_domains_state(ipsec_mgmt_t)
+ # suppress audit messages about unnecessary socket access
+ # cjp: this seems excessive
+ domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
+@@ -386,6 +386,8 @@
  
  sysnet_exec_ifconfig(racoon_t)
  
@@ -30320,15 +29740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  auth_can_read_shadow_passwords(racoon_t)
  tunable_policy(`racoon_read_shadow',`
  	auth_tunable_read_shadow(racoon_t)
-@@ -380,12 +405,15 @@
- read_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
- read_lnk_files_pattern(setkey_t, ipsec_conf_file_t, ipsec_conf_file_t)
- 
-+kernel_request_load_module(setkey_t)
-+
- # allow setkey utility to set contexts on SA's and policy
- domain_ipsec_setcontext_all_domains(setkey_t)
- 
+@@ -412,6 +414,7 @@
  files_read_etc_files(setkey_t)
  
  init_dontaudit_use_fds(setkey_t)
@@ -30336,14 +29748,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  
  # allow setkey to set the context for ipsec SAs and policy.
  ipsec_setcontext_default_spd(setkey_t)
-@@ -397,3 +425,4 @@
+@@ -423,3 +426,4 @@
  seutil_read_config(setkey_t)
  
  userdom_use_user_terminals(setkey_t)
 +userdom_read_user_tmp_files(setkey_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.7.9/policy/modules/system/iptables.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.7.15/policy/modules/system/iptables.fc
 --- nsaserefpolicy/policy/modules/system/iptables.fc	2010-02-12 16:41:05.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/system/iptables.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/system/iptables.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -1,6 +1,4 @@
  /etc/rc\.d/init\.d/ip6?tables	--	gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
 -/etc/sysconfig/ip6?tables.*	--	gen_context(system_u:object_r:iptables_conf_t,s0)
@@ -30351,9 +29763,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
  
  /sbin/ipchains.*		--	gen_context(system_u:object_r:iptables_exec_t,s0)
  /sbin/ip6?tables		--	gen_context(system_u:object_r:iptables_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.7.9/policy/modules/system/iptables.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.7.15/policy/modules/system/iptables.if
 --- nsaserefpolicy/policy/modules/system/iptables.if	2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/system/iptables.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/system/iptables.if	2010-03-18 10:44:43.000000000 -0400
 @@ -17,6 +17,10 @@
  
  	corecmd_search_bin($1)
@@ -30365,9 +29777,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
  ')
  
  ########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.7.9/policy/modules/system/iptables.te
---- nsaserefpolicy/policy/modules/system/iptables.te	2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/system/iptables.te	2010-02-16 15:08:37.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.7.15/policy/modules/system/iptables.te
+--- nsaserefpolicy/policy/modules/system/iptables.te	2010-03-18 10:35:11.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/system/iptables.te	2010-03-18 10:44:43.000000000 -0400
 @@ -14,9 +14,6 @@
  type iptables_initrc_exec_t;
  init_script_file(iptables_initrc_exec_t)
@@ -30378,10 +29790,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
  type iptables_tmp_t;
  files_tmp_file(iptables_tmp_t)
  
-@@ -30,11 +27,12 @@
+@@ -30,12 +27,12 @@
  
  allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw };
  dontaudit iptables_t self:capability sys_tty_config;
+-allow iptables_t self:fifo_file rw_fifo_file_perms;
 +allow iptables_t self:fifo_file rw_file_perms;
  allow iptables_t self:process { sigchld sigkill sigstop signull signal };
  allow iptables_t self:rawip_socket create_socket_perms;
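Review bot: The new `-allow iptables_t self:fifo_file rw_fifo_file_perms;` / `+allow iptables_t self:fifo_file rw_file_perms;` pair turns this patch into a revert of upstream's move to the fifo-specific permission set. Unless a permission present in rw_file_perms is genuinely missing from rw_fifo_file_perms (the set definitions are not visible here), the upstream line should be kept and this hunk dropped: object-class-specific sets are the refpolicy convention, and carrying the opposite in a distro patch will conflict on every rebase without changing the effective policy.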
@@ -30393,11 +29806,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
  
  manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
  files_pid_filetrans(iptables_t, iptables_var_run_t, file)
-@@ -53,8 +51,12 @@
- kernel_use_fds(iptables_t)
- 
- corenet_relabelto_all_packets(iptables_t)
-+corenet_dontaudit_rw_tun_tap_dev(iptables_t)
+@@ -57,6 +54,9 @@
+ corenet_dontaudit_rw_tun_tap_dev(iptables_t)
  
  dev_read_sysfs(iptables_t)
 +ifdef(`hide_broken_symptoms',`
@@ -30406,7 +29816,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
  
  fs_getattr_xattr_fs(iptables_t)
  fs_search_auto_mountpoints(iptables_t)
-@@ -63,6 +65,7 @@
+@@ -65,6 +65,7 @@
  mls_file_read_all_levels(iptables_t)
  
  term_dontaudit_use_console(iptables_t)
@@ -30414,7 +29824,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
  
  domain_use_interactive_fds(iptables_t)
  
-@@ -76,6 +79,7 @@
+@@ -78,6 +79,7 @@
  # to allow rules to be saved on reboot:
  init_rw_script_tmp_files(iptables_t)
  init_rw_script_stream_sockets(iptables_t)
@@ -30422,7 +29832,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
  
  logging_send_syslog_msg(iptables_t)
  
-@@ -89,6 +93,7 @@
+@@ -91,6 +93,7 @@
  
  optional_policy(`
  	fail2ban_append_log(iptables_t)
@@ -30430,101 +29840,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl
  ')
  
  optional_policy(`
-@@ -122,5 +127,10 @@
- ')
- 
- optional_policy(`
-+	shorewall_rw_var_lib(iptables_t)
-+')
-+
-+optional_policy(`
- 	udev_read_db(iptables_t)
- ')
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-3.7.9/policy/modules/system/iscsi.fc
---- nsaserefpolicy/policy/modules/system/iscsi.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/system/iscsi.fc	2010-02-16 15:08:37.000000000 -0500
-@@ -1,5 +1,9 @@
- /sbin/iscsid		--	gen_context(system_u:object_r:iscsid_exec_t,s0)
-+/sbin/brcm_iscsiuio     --  gen_context(system_u:object_r:iscsid_exec_t,s0)
- 
- /var/lib/iscsi(/.*)?		gen_context(system_u:object_r:iscsi_var_lib_t,s0)
- /var/lock/iscsi(/.*)?		gen_context(system_u:object_r:iscsi_lock_t,s0)
-+
-+/var/log/brcm-iscsi\.log -- 	gen_context(system_u:object_r:iscsi_log_t,s0)
-+
- /var/run/iscsid\.pid	--	gen_context(system_u:object_r:iscsi_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.7.9/policy/modules/system/iscsi.te
---- nsaserefpolicy/policy/modules/system/iscsi.te	2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/system/iscsi.te	2010-02-16 15:08:37.000000000 -0500
-@@ -14,6 +14,9 @@
- type iscsi_lock_t;
- files_lock_file(iscsi_lock_t)
- 
-+type iscsi_log_t;
-+logging_log_file(iscsi_log_t)
-+
- type iscsi_tmp_t;
- files_tmp_file(iscsi_tmp_t)
- 
-@@ -36,15 +39,21 @@
- allow iscsid_t self:sem create_sem_perms;
- allow iscsid_t self:shm create_shm_perms;
- allow iscsid_t self:netlink_socket create_socket_perms;
-+allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms; 
- allow iscsid_t self:netlink_route_socket rw_netlink_socket_perms;
- allow iscsid_t self:tcp_socket create_stream_socket_perms;
- 
-+can_exec(iscsid_t, iscsid_exec_t)
-+
- manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t)
- files_lock_filetrans(iscsid_t, iscsi_lock_t, file)
- 
--allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
--allow iscsid_t iscsi_tmp_t:file manage_file_perms;
--fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, file )
-+manage_files_pattern(iscsid_t, iscsi_log_t, iscsi_log_t)
-+logging_log_filetrans(iscsid_t, iscsi_log_t, file)
-+
-+manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
-+manage_files_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t)
-+fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, { dir file } )
- 
- allow iscsid_t iscsi_var_lib_t:dir list_dir_perms;
- read_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t)
-@@ -54,6 +63,7 @@
- manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t)
- files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
- 
-+kernel_read_network_state(iscsid_t)
- kernel_read_system_state(iscsid_t)
- kernel_search_debugfs(iscsid_t)
- 
-@@ -67,13 +77,21 @@
- corenet_tcp_connect_isns_port(iscsid_t)
- 
- dev_rw_sysfs(iscsid_t)
-+dev_rw_userio_dev(iscsid_t)
- 
- domain_use_interactive_fds(iscsid_t)
-+domain_dontaudit_read_all_domains_state(iscsid_t)
- 
- files_read_etc_files(iscsid_t)
- 
-+init_stream_connect_script(iscsid_t)
-+
- logging_send_syslog_msg(iscsid_t)
- 
- auth_use_nsswitch(iscsid_t)
- 
- miscfiles_read_localization(iscsid_t)
-+
-+optional_policy(`
-+	tgtd_rw_semaphores(iscsid_t)
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.9/policy/modules/system/libraries.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.15/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/system/libraries.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/system/libraries.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -60,12 +60,15 @@
  #
  # /opt
@@ -30741,7 +30059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
  ') dnl end distro_redhat
  
  #
-@@ -307,10 +317,137 @@
+@@ -307,10 +317,143 @@
  
  /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? --	gen_context(system_u:object_r:lib_t,s0)
  
@@ -30813,8 +30131,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
 +
 +/usr/lib(64)?/libswscale\.so.*		 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
-+/usr/lib/libADM5avformat\.so.*		 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/libADM_coreImage\.so.*		 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libADM.*\.so.*			 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +HOME_DIR/\.gstreamer-.*/plugins/.*\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
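Review bot: `/usr/lib/libADM.*\.so.*` replaces two exact library names with a prefix glob, so every present and future `/usr/lib/libADM*` object is labelled textrel_shlib_t, the label that permits text relocations (execmod) and thereby relaxes the memory-protection checks for whatever loads it. If the intent is the avidemux `libADM_*` / `libADM5*` family, anchoring the pattern to that family (for example `/usr/lib/libADM[_0-9].*\.so.*`, constructed) keeps unrelated names from inheriting the relaxed label, and a comment naming the package would help the next reviewer. The entry also omits the `(64)?` the neighbouring lines carry, which may be deliberate if the package is 32-bit only but is worth a note either way.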
@@ -30879,9 +30196,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
 +/opt/Unify/SQLBase/libgptsblmsui11\.so.*	     --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/opt/real/RealPlayer/plugins(/.*)?	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.7.9/policy/modules/system/libraries.if
++
++/opt/real/RealPlayer/codecs(/.*)?	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib(64)?/vdpau/libvdpau_nvidia\.so.*  --	gen_context(system_u:object_r:textrel_shlib_t,s0)	
++
++/usr/lib(64)?/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.7.15/policy/modules/system/libraries.if
 --- nsaserefpolicy/policy/modules/system/libraries.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/system/libraries.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/system/libraries.if	2010-03-18 10:44:43.000000000 -0400
 @@ -17,6 +17,7 @@
  
  	corecmd_search_bin($1)
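Review bot: The vdpau entry ends in a trailing tab after `s0)` and the libGTL entry separates its fields with single spaces while every neighbouring line uses tabs; both should be normalised before this lands, because the stray tab is invisible in review and fc files are compared as text on every rebase. Suggested form for the libGTL line: `/usr/lib(64)?/libGTL.*\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)`. The extra blank line appended at the end of libraries.fc is also surplus.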
@@ -30908,9 +30232,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
  	allow $1 lib_t:dir list_dir_perms;
  	read_lnk_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
  	mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.7.9/policy/modules/system/libraries.te
---- nsaserefpolicy/policy/modules/system/libraries.te	2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/system/libraries.te	2010-02-16 15:08:37.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.7.15/policy/modules/system/libraries.te
+--- nsaserefpolicy/policy/modules/system/libraries.te	2010-02-18 14:06:31.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/system/libraries.te	2010-03-18 10:44:43.000000000 -0400
 @@ -58,11 +58,11 @@
  # ldconfig local policy
  #
@@ -30953,18 +30277,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
  userdom_use_user_terminals(ldconfig_t)
  userdom_use_all_users_fds(ldconfig_t)
  
-@@ -100,6 +106,10 @@
+@@ -100,17 +106,11 @@
  	')
  ')
  
+-ifdef(`hide_broken_symptoms',`
+-	ifdef(`distro_gentoo',`
+-		# leaked fds from portage
+-		files_dontaudit_rw_var_files(ldconfig_t)
+-
+-		optional_policy(`
+-			portage_dontaudit_search_tmp(ldconfig_t)
+-			portage_dontaudit_rw_tmp_files(ldconfig_t)
+-		')
+-	')
 +userdom_manage_user_home_content_files(ldconfig_t)
 +userdom_manage_user_tmp_files(ldconfig_t)
 +userdom_manage_user_tmp_symlinks(ldconfig_t)
-+
- ifdef(`hide_broken_symptoms',`
+ 
++ifdef(`hide_broken_symptoms',`
  	optional_policy(`
  		unconfined_dontaudit_rw_tcp_sockets(ldconfig_t)
-@@ -127,3 +137,7 @@
+ 	')
+@@ -137,3 +137,7 @@
  	# blow up.
  	rpm_manage_script_tmp_files(ldconfig_t)
  ')
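Review bot: The new side of this hunk deletes upstream's distro_gentoo block (the portage dontaudit rules) from libraries.te rather than leaving it as context; those rules are inert in a Fedora build, so the deletion changes nothing locally while widening the carried patch, and it reads like collateral from re-placing the hide_broken_symptoms opener after the three `userdom_manage_*` lines. Re-emitting the hunk with the gentoo block kept as context would reduce the patch to the three inserted lines it actually needs.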
@@ -30972,19 +30307,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
 +optional_policy(`
 +	unconfined_domain(ldconfig_t) 
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.7.9/policy/modules/system/locallogin.te
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.7.15/policy/modules/system/locallogin.te
 --- nsaserefpolicy/policy/modules/system/locallogin.te	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/system/locallogin.te	2010-02-16 15:08:37.000000000 -0500
-@@ -33,7 +33,7 @@
++++ serefpolicy-3.7.15/policy/modules/system/locallogin.te	2010-03-18 10:44:43.000000000 -0400
+@@ -33,9 +33,8 @@
  # Local login local policy
  #
  
 -allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
+-allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+-allow local_login_t self:process { setrlimit setexec };
 +allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
- allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow local_login_t self:process { setrlimit setexec };
++allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap };
  allow local_login_t self:fd use;
-@@ -74,6 +74,8 @@
+ allow local_login_t self:fifo_file rw_fifo_file_perms;
+ allow local_login_t self:sock_file read_sock_file_perms;
+@@ -74,6 +73,8 @@
  dev_setattr_power_mgmt_dev(local_login_t)
  dev_getattr_sound_dev(local_login_t)
  dev_setattr_sound_dev(local_login_t)
@@ -30993,7 +30331,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
  dev_dontaudit_getattr_apm_bios_dev(local_login_t)
  dev_dontaudit_setattr_apm_bios_dev(local_login_t)
  dev_dontaudit_read_framebuffer(local_login_t)
-@@ -152,6 +154,11 @@
+@@ -152,6 +153,11 @@
  	fs_read_cifs_symlinks(local_login_t)
  ')
  
@@ -31005,7 +30343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
  optional_policy(`
  	alsa_domtrans(local_login_t)
  ')
-@@ -181,7 +188,7 @@
+@@ -181,7 +187,7 @@
  ')
  
  optional_policy(`
@@ -31014,7 +30352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
  ')
  
  optional_policy(`
-@@ -198,9 +205,10 @@
+@@ -198,9 +204,10 @@
  # Sulogin local policy
  #
  
@@ -31026,7 +30364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
  allow sulogin_t self:unix_dgram_socket create_socket_perms;
  allow sulogin_t self:unix_stream_socket create_stream_socket_perms;
  allow sulogin_t self:unix_dgram_socket sendto;
-@@ -220,6 +228,7 @@
+@@ -220,6 +227,7 @@
  files_dontaudit_search_isid_type_dirs(sulogin_t)
  
  auth_read_shadow(sulogin_t)
@@ -31034,17 +30372,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
  
  init_getpgid_script(sulogin_t)
  
-@@ -233,11 +242,23 @@
+@@ -233,14 +241,23 @@
  userdom_search_user_home_dirs(sulogin_t)
  userdom_use_user_ptys(sulogin_t)
  
+-sysadm_shell_domtrans(sulogin_t)
 +term_use_console(sulogin_t)
 +term_use_unallocated_ttys(sulogin_t)
 +
 +ifdef(`enable_mls',`
- sysadm_shell_domtrans(sulogin_t)
++	sysadm_shell_domtrans(sulogin_t)
 +',`
-+        optional_policy(`
++	optional_policy(`
 +		unconfined_shell_domtrans(sulogin_t)
 +	')
 +')
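Review bot: In non-MLS builds the new enable_mls else-branch replaces the upstream `sysadm_shell_domtrans(sulogin_t)` with `unconfined_shell_domtrans(sulogin_t)` inside an optional_policy, so the single-user rescue shell now runs unconfined on a targeted policy, and if the unconfined module is not loaded there is no shell transition for sulogin at all; what happens to the shell exec in that case is not visible here. Both outcomes may be intended, but nothing in the hunk says so; a comment above the ifdef such as `# targeted: sulogin drops to an unconfined shell; MLS keeps the sysadm_t transition` would record the decision, and the no-module case deserves either a fallback branch or a note that it is accepted.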
@@ -31052,13 +30391,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
  # suse and debian do not use pam with sulogin...
  ifdef(`distro_suse', `define(`sulogin_no_pam')')
  ifdef(`distro_debian', `define(`sulogin_no_pam')')
-+ifdef(`distro_redhat',`define(`sulogin_no_pam')
-+	selinux_compute_user_contexts(sulogin_t)
-+')
  
++allow sulogin_t self:capability sys_tty_config;
  ifdef(`sulogin_no_pam', `
- 	allow sulogin_t self:capability sys_tty_config;
-@@ -251,11 +272,3 @@
+-	allow sulogin_t self:capability sys_tty_config;
+ 	init_getpgid(sulogin_t)
+ ', `
+ 	allow sulogin_t self:process setexec;
+@@ -251,11 +268,3 @@
  	selinux_compute_relabel_context(sulogin_t)
  	selinux_compute_user_contexts(sulogin_t)
  ')
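Review bot: Hoisting `allow sulogin_t self:capability sys_tty_config;` above the sulogin_no_pam ifdef is reasonable, but it is dropped in without a blank line or comment and reads as part of the preceding ifdef sequence; a one-line `# required by both the pam and no-pam variants` above it would make the move self-explaining. The same hunk also drops the earlier distro_redhat define of sulogin_no_pam together with its selinux_compute_user_contexts call, which appears to flip Red Hat builds onto the pam branch (`allow sulogin_t self:process setexec;` and whatever follows it outside the hunk); that is a behavioural change worth stating explicitly alongside the hunk.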
@@ -31070,9 +30410,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall
 -optional_policy(`
 -	nscd_socket_use(sulogin_t)
 -')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.7.9/policy/modules/system/logging.fc
---- nsaserefpolicy/policy/modules/system/logging.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/system/logging.fc	2010-02-16 15:08:37.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.7.15/policy/modules/system/logging.fc
+--- nsaserefpolicy/policy/modules/system/logging.fc	2010-03-18 06:48:09.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/system/logging.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -17,6 +17,10 @@
  /sbin/syslogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
  /sbin/syslog-ng		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
@@ -31084,11 +30424,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  /usr/sbin/klogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
  /usr/sbin/metalog	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
  /usr/sbin/rklogd	--	gen_context(system_u:object_r:klogd_exec_t,s0)
-@@ -51,17 +55,23 @@
- 
- ifdef(`distro_redhat',`
- /var/named/chroot/var/log -d	gen_context(system_u:object_r:var_log_t,s0)
-+/var/named/chroot/dev/log -s	gen_context(system_u:object_r:devlog_t,s0)
+@@ -54,10 +58,10 @@
+ /var/named/chroot/dev/log -s	gen_context(system_u:object_r:devlog_t,s0)
  ')
  
 -/var/run/audit_events	-s	gen_context(system_u:object_r:auditd_var_run_t,s0)
@@ -31102,41 +30439,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  /var/run/klogd\.pid	--	gen_context(system_u:object_r:klogd_var_run_t,s0)
  /var/run/log		-s	gen_context(system_u:object_r:devlog_t,s0)
  /var/run/metalog\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
- /var/run/syslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
- 
-+/var/spool/bacula/log(/.*)? 	gen_context(system_u:object_r:var_log_t,s0)
- /var/spool/postfix/pid	-d	gen_context(system_u:object_r:var_run_t,s0)
-+/var/spool/plymouth/boot.log	gen_context(system_u:object_r:var_log_t,s0)
-+/var/spool/rsyslog(/.*)? 	gen_context(system_u:object_r:var_log_t,s0)
+@@ -69,3 +73,5 @@
+ /var/spool/rsyslog(/.*)? 	gen_context(system_u:object_r:var_log_t,s0)
  
  /var/tinydns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
 +
 +/var/webmin(/.*)?		gen_context(system_u:object_r:var_log_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.7.9/policy/modules/system/logging.if
---- nsaserefpolicy/policy/modules/system/logging.if	2009-08-28 14:58:20.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/system/logging.if	2010-02-16 15:08:37.000000000 -0500
-@@ -69,6 +69,20 @@
- 
- ########################################
- ## <summary>
-+##	Set tty auditing
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`logging_set_tty_audit',`
-+	allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_tty_audit };
-+')
-+
-+########################################
-+## <summary>
- ##	Set up audit
- ## </summary>
- ## <param name="domain">
-@@ -624,7 +638,25 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.7.15/policy/modules/system/logging.if
+--- nsaserefpolicy/policy/modules/system/logging.if	2010-03-18 06:48:09.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/system/logging.if	2010-03-18 10:44:43.000000000 -0400
+@@ -715,7 +715,25 @@
  	')
  
  	files_search_var($1)
@@ -31163,7 +30475,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  ')
  
  ########################################
-@@ -707,7 +739,9 @@
+@@ -798,7 +816,9 @@
  
  	files_search_var($1)
  	manage_files_pattern($1, logfile, logfile)
@@ -31174,31 +30486,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  ')
  
  ########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.9/policy/modules/system/logging.te
---- nsaserefpolicy/policy/modules/system/logging.te	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/system/logging.te	2010-02-16 15:08:37.000000000 -0500
-@@ -101,6 +101,7 @@
- 
- kernel_read_kernel_sysctls(auditctl_t)
- kernel_read_proc_symlinks(auditctl_t)
-+kernel_setsched(auditctl_t)
- 
- domain_read_all_domains_state(auditctl_t)
- domain_use_interactive_fds(auditctl_t)
-@@ -123,10 +124,10 @@
- 
- allow auditd_t self:capability { chown fsetid sys_nice sys_resource };
- dontaudit auditd_t self:capability sys_tty_config;
--allow auditd_t self:process { signal_perms setpgid setsched };
-+allow auditd_t self:process { getcap signal_perms setcap setpgid setsched };
- allow auditd_t self:file rw_file_perms;
- allow auditd_t self:unix_dgram_socket create_socket_perms;
--allow auditd_t self:fifo_file rw_file_perms;
-+allow auditd_t self:fifo_file rw_fifo_file_perms;
- allow auditd_t self:tcp_socket create_stream_socket_perms;
- 
- allow auditd_t auditd_etc_t:dir list_dir_perms;
-@@ -179,6 +180,8 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.7.15/policy/modules/system/logging.te
+--- nsaserefpolicy/policy/modules/system/logging.te	2010-03-18 06:48:09.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/system/logging.te	2010-03-18 10:44:43.000000000 -0400
+@@ -180,6 +180,8 @@
  logging_domtrans_dispatcher(auditd_t)
  logging_signal_dispatcher(auditd_t)
  
@@ -31207,280 +30498,137 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin
  miscfiles_read_localization(auditd_t)
  
  mls_file_read_all_levels(auditd_t)
-@@ -215,9 +218,9 @@
- # audit dispatcher local policy
- #
- 
--allow audisp_t self:capability sys_nice;
--allow audisp_t self:process setsched;
--allow audisp_t self:fifo_file rw_file_perms;
-+allow audisp_t self:capability { dac_override setpcap sys_nice };
-+allow audisp_t self:process { getcap signal_perms setcap setsched };
-+allow audisp_t self:fifo_file rw_fifo_file_perms;
- allow audisp_t self:unix_stream_socket create_stream_socket_perms;
- allow audisp_t self:unix_dgram_socket create_socket_perms;
- 
-@@ -226,13 +229,18 @@
- manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
- files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
- 
--corecmd_search_bin(audisp_t)
-+corecmd_exec_bin(audisp_t)
-+corecmd_exec_shell(audisp_t)
- 
- domain_use_interactive_fds(audisp_t)
- 
+@@ -235,7 +237,11 @@
  files_read_etc_files(audisp_t)
-+files_read_etc_runtime_files(audisp_t)
+ files_read_etc_runtime_files(audisp_t)
  
++mls_file_read_all_levels(audisp_t)
  mls_file_write_all_levels(audisp_t)
 +mls_dbus_send_all_levels(audisp_t)
 +
-+auth_use_nsswitch(audisp_t)
- 
- logging_send_syslog_msg(audisp_t)
- 
-@@ -240,6 +248,14 @@
- 
- sysnet_dns_name_resolve(audisp_t)
- 
-+optional_policy(`
-+	dbus_system_bus_client(audisp_t)
-+
-+	optional_policy(`
-+		setroubleshoot_dbus_chat(audisp_t)
-+	')
-+')
-+
- ########################################
- #
- # Audit remote logger local policy
-@@ -253,11 +269,16 @@
- corenet_tcp_sendrecv_generic_node(audisp_remote_t)
- corenet_tcp_connect_audit_port(audisp_remote_t)
- corenet_sendrecv_audit_client_packets(audisp_remote_t)
-+corenet_tcp_bind_audit_port(audisp_remote_t)
-+corenet_tcp_sendrecv_all_ports(audisp_remote_t)
-+corenet_tcp_bind_generic_node(audisp_remote_t)
- 
- files_read_etc_files(audisp_remote_t)
- 
- logging_send_syslog_msg(audisp_remote_t)
- 
-+auth_use_nsswitch(audisp_remote_t)
-+
- miscfiles_read_localization(audisp_remote_t)
- 
- sysnet_dns_name_resolve(audisp_remote_t)
-@@ -337,7 +358,7 @@
- allow syslogd_t self:unix_dgram_socket create_socket_perms;
- allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
- allow syslogd_t self:unix_dgram_socket sendto;
--allow syslogd_t self:fifo_file rw_file_perms;
-+allow syslogd_t self:fifo_file rw_fifo_file_perms;
- allow syslogd_t self:udp_socket create_socket_perms;
- allow syslogd_t self:tcp_socket create_stream_socket_perms;
- 
-@@ -461,10 +482,18 @@
- ')
- 
- optional_policy(`
-+	bind_search_cache(syslogd_t)
-+')
-+
-+optional_policy(`
- 	inn_manage_log(syslogd_t)
- ')
- 
- optional_policy(`
-+	mysql_stream_connect(syslogd_t)
-+')
-+
-+optional_policy(`
- 	postgresql_stream_connect(syslogd_t)
- ')
- 
-@@ -473,6 +502,10 @@
- ')
- 
- optional_policy(`
-+    daemontools_search_svc_dir(syslogd_t)
-+')
-+
-+optional_policy(`
- 	udev_read_db(syslogd_t)
- ')
- 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.7.9/policy/modules/system/lvm.te
---- nsaserefpolicy/policy/modules/system/lvm.te	2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/system/lvm.te	2010-02-16 15:08:37.000000000 -0500
-@@ -142,6 +142,10 @@
- ')
- 
- optional_policy(`
-+        aisexec_stream_connect(clvmd_t)
-+')
-+
-+optional_policy(`
- 	ccs_stream_connect(clvmd_t)
- ')
- 
-@@ -244,6 +248,7 @@
- dev_dontaudit_getattr_generic_blk_files(lvm_t)
- dev_dontaudit_getattr_generic_pipes(lvm_t)
- dev_create_generic_dirs(lvm_t)
-+dev_rw_generic_files(lvm_t)
- 
- domain_use_interactive_fds(lvm_t)
- domain_read_all_domains_state(lvm_t)
-@@ -253,6 +258,7 @@
- files_read_etc_runtime_files(lvm_t)
- # for when /usr is not mounted:
- files_dontaudit_search_isid_type_dirs(lvm_t)
-+files_dontaudit_getattr_tmpfs_files(lvm_t)
- 
- fs_getattr_xattr_fs(lvm_t)
- fs_search_auto_mountpoints(lvm_t)
-@@ -311,6 +317,10 @@
- ')
- 
- optional_policy(`
-+        aisexec_stream_connect(lvm_t)
-+')
-+
-+optional_policy(`
- 	bootloader_rw_tmp_files(lvm_t)
- ')
- 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.7.9/policy/modules/system/miscfiles.fc
---- nsaserefpolicy/policy/modules/system/miscfiles.fc	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/system/miscfiles.fc	2010-02-16 15:08:37.000000000 -0500
-@@ -42,6 +42,7 @@
- /usr/man(/.*)?			gen_context(system_u:object_r:man_t,s0)
- 
- /usr/share/fonts(/.*)?		gen_context(system_u:object_r:fonts_t,s0)
-+/usr/share/X11/fonts(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
- /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
- /usr/share/locale(/.*)?		gen_context(system_u:object_r:locale_t,s0)
- /usr/share/man(/.*)?		gen_context(system_u:object_r:man_t,s0)
-@@ -70,7 +71,7 @@
- 
- /var/lib/texmf(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
- 
--/var/cache/fontconfig(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
-+/var/cache/fontconfig(/.*)?	gen_context(system_u:object_r:fonts_cache_t,s0)
- /var/cache/fonts(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
- /var/cache/man(/.*)?		gen_context(system_u:object_r:man_t,s0)
- 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.7.9/policy/modules/system/miscfiles.if
---- nsaserefpolicy/policy/modules/system/miscfiles.if	2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/system/miscfiles.if	2010-02-16 15:08:37.000000000 -0500
-@@ -73,7 +73,8 @@
- #
- interface(`miscfiles_read_fonts',`
- 	gen_require(`
--		type fonts_t;
-+		type fonts_t, fonts_cache_t;
-+
- 	')
- 
- 	# cjp: fonts can be in either of these dirs
-@@ -83,6 +84,10 @@
- 	allow $1 fonts_t:dir list_dir_perms;
- 	read_files_pattern($1, fonts_t, fonts_t)
- 	read_lnk_files_pattern($1, fonts_t, fonts_t)
-+
-+	allow $1 fonts_cache_t:dir list_dir_perms;
-+	read_files_pattern($1, fonts_cache_t, fonts_cache_t)
-+	read_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t)
- ')
- 
- ########################################
-@@ -167,6 +172,68 @@
- 	manage_dirs_pattern($1, fonts_t, fonts_t)
- 	manage_files_pattern($1, fonts_t, fonts_t)
- 	manage_lnk_files_pattern($1, fonts_t, fonts_t)
-+	miscfiles_manage_fonts_cache($1)
-+')
-+
-+########################################
-+## <summary>
-+##	Set the attributes on a fonts cache directory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`miscfiles_setattr_fonts_cache_dirs',`
-+	gen_require(`
-+		type fonts_cache_t;
-+	')
-+
-+	allow $1 fonts_cache_t:dir setattr;
-+')
-+
-+########################################
-+## <summary>
-+##	Dontaudit attempts to set the attributes on a fonts cache directory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`miscfiles_dontaudit_setattr_fonts_cache_dirs',`
-+	gen_require(`
-+		type fonts_cache_t;
-+	')
-+
-+	allow $1 fonts_cache_t:dir setattr;
-+')
-+
-+########################################
-+## <summary>
-+##	Create, read, write, and delete fonts cache.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`miscfiles_manage_fonts_cache',`
-+	gen_require(`
-+		type fonts_cache_t;
-+	')
-+
-+	files_search_var($1)
++auth_use_nsswitch(audisp_t)
+ 
+ logging_send_syslog_msg(audisp_t)
+ 
+@@ -245,6 +251,10 @@
+ 
+ optional_policy(`
+ 	dbus_system_bus_client(audisp_t)
 +
-+	manage_dirs_pattern($1, fonts_cache_t, fonts_cache_t)
-+	manage_files_pattern($1, fonts_cache_t, fonts_cache_t)
-+	manage_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t)
++	optional_policy(`
++		setroubleshoot_dbus_chat(audisp_t)
++	')
  ')
  
  ########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.te serefpolicy-3.7.9/policy/modules/system/miscfiles.te
---- nsaserefpolicy/policy/modules/system/miscfiles.te	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/system/miscfiles.te	2010-02-16 15:08:37.000000000 -0500
-@@ -19,6 +19,9 @@
- type fonts_t;
- files_type(fonts_t)
+@@ -268,6 +278,8 @@
+ 
+ logging_send_syslog_msg(audisp_remote_t)
+ 
++auth_use_nsswitch(audisp_remote_t)
++
+ miscfiles_read_localization(audisp_remote_t)
  
-+type fonts_cache_t;
-+files_type(fonts_cache_t)
+ sysnet_dns_name_resolve(audisp_remote_t)
+@@ -491,6 +503,10 @@
+ ')
+ 
+ optional_policy(`
++    daemontools_search_svc_dir(syslogd_t)
++')
 +
++optional_policy(`
+ 	udev_read_db(syslogd_t)
+ ')
+ 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.7.15/policy/modules/system/lvm.fc
+--- nsaserefpolicy/policy/modules/system/lvm.fc	2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/system/lvm.fc	2010-03-18 10:44:43.000000000 -0400
+@@ -28,6 +28,7 @@
  #
- # type for /usr/share/hwdata
+ /lib/lvm-10/.*		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+ /lib/lvm-200/.*		--	gen_context(system_u:object_r:lvm_exec_t,s0)
++/lib/udev/udisks-lvm-pv-export	--	gen_context(system_u:object_r:lvm_exec_t,s0)
+ 
  #
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.9/policy/modules/system/modutils.te
---- nsaserefpolicy/policy/modules/system/modutils.te	2009-12-04 09:43:33.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/system/modutils.te	2010-02-16 15:08:37.000000000 -0500
+ # /sbin
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if serefpolicy-3.7.15/policy/modules/system/lvm.if
+--- nsaserefpolicy/policy/modules/system/lvm.if	2009-11-25 11:47:19.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/system/lvm.if	2010-03-18 10:44:43.000000000 -0400
+@@ -34,7 +34,7 @@
+ 		type lvm_exec_t;
+ 	')
+ 
+-	corecmd_search_sbin($1)
++	corecmd_search_bin($1)
+ 	can_exec($1, lvm_exec_t)
+ ')
+ 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.7.15/policy/modules/system/lvm.te
+--- nsaserefpolicy/policy/modules/system/lvm.te	2009-11-25 11:47:19.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/system/lvm.te	2010-03-18 10:44:43.000000000 -0400
+@@ -142,6 +142,11 @@
+ ')
+ 
+ optional_policy(`
++	aisexec_stream_connect(clvmd_t)
++	corosync_stream_connect(clvmd_t)
++')
++
++optional_policy(`
+ 	ccs_stream_connect(clvmd_t)
+ ')
+ 
+@@ -171,6 +176,7 @@
+ allow lvm_t self:process { sigchld sigkill sigstop signull signal };
+ # LVM will complain a lot if it cannot set its priority.
+ allow lvm_t self:process setsched;
++allow lvm_t self:sem create_sem_perms;
+ allow lvm_t self:file rw_file_perms;
+ allow lvm_t self:fifo_file manage_fifo_file_perms;
+ allow lvm_t self:unix_dgram_socket create_socket_perms;
+@@ -218,6 +224,7 @@
+ # it has no reason to need this
+ kernel_dontaudit_getattr_core_if(lvm_t)
+ kernel_use_fds(lvm_t)
++kernel_request_load_module(lvm_t)
+ kernel_search_debugfs(lvm_t)
+ 
+ corecmd_exec_bin(lvm_t)
+@@ -244,6 +251,7 @@
+ dev_dontaudit_getattr_generic_blk_files(lvm_t)
+ dev_dontaudit_getattr_generic_pipes(lvm_t)
+ dev_create_generic_dirs(lvm_t)
++dev_rw_generic_files(lvm_t)
+ 
+ domain_use_interactive_fds(lvm_t)
+ domain_read_all_domains_state(lvm_t)
+@@ -253,8 +261,9 @@
+ files_read_etc_runtime_files(lvm_t)
+ # for when /usr is not mounted:
+ files_dontaudit_search_isid_type_dirs(lvm_t)
++files_dontaudit_getattr_tmpfs_files(lvm_t)
+ 
+-fs_getattr_xattr_fs(lvm_t)
++fs_getattr_all_fs(lvm_t)
+ fs_search_auto_mountpoints(lvm_t)
+ fs_list_tmpfs(lvm_t)
+ fs_read_tmpfs_symlinks(lvm_t)
+@@ -311,6 +320,11 @@
+ ')
+ 
+ optional_policy(`
++	aisexec_stream_connect(lvm_t)
++	corosync_stream_connect(lvm_t)
++')
++
++optional_policy(`
+ 	bootloader_rw_tmp_files(lvm_t)
+ ')
+ 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.15/policy/modules/system/modutils.te
+--- nsaserefpolicy/policy/modules/system/modutils.te	2010-03-18 06:48:09.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/system/modutils.te	2010-03-18 10:44:43.000000000 -0400
 @@ -19,6 +19,7 @@
  type insmod_exec_t;
  application_domain(insmod_t, insmod_exec_t)
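Review bot: The new optional_policy blocks in lvm.te bundle `aisexec_stream_connect` and `corosync_stream_connect` into a single block for clvmd_t and again for lvm_t; if aisexec and corosync are separate policy modules, as the interface prefixes suggest, the whole block is silently dropped whenever either module is absent, so clvmd loses its aisexec access on a corosync-only system and vice versa. Moving `corosync_stream_connect(clvmd_t)` and `corosync_stream_connect(lvm_t)` each into their own optional_policy block keeps the two dependencies independent. Separately, `kernel_request_load_module(lvm_t)` and the change from `fs_getattr_xattr_fs` to `fs_getattr_all_fs` widen lvm_t without any explanation; a one-line comment naming the operation that needs each would help the next reviewer judge whether they are still required.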
@@ -31537,11 +30685,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
  
  domain_signal_all_domains(insmod_t)
  domain_use_interactive_fds(insmod_t)
-@@ -160,11 +166,15 @@
- files_write_kernel_modules(insmod_t)
+@@ -161,11 +167,14 @@
  
  fs_getattr_xattr_fs(insmod_t)
-+fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
+ fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
 +fs_mount_rpc_pipefs(insmod_t)
  
  init_rw_initctl(insmod_t)
@@ -31553,7 +30700,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
  
  logging_send_syslog_msg(insmod_t)
  logging_search_logs(insmod_t)
-@@ -173,10 +183,13 @@
+@@ -174,8 +183,7 @@
  
  seutil_read_file_contexts(insmod_t)
  
@@ -31562,39 +30709,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
 +term_use_all_terms(insmod_t)
  userdom_dontaudit_search_user_home_dirs(insmod_t)
  
-+optional_policy(`
-+	unconfined_domain(insmod_t)
-+')
-+
  if( ! secure_mode_insmod ) {
- 	kernel_domtrans_to(insmod_t, insmod_exec_t)
- }
-@@ -230,7 +243,7 @@
- ')
- 
- optional_policy(`
--	unconfined_domain(insmod_t)
-+	unconfined_dontaudit_rw_pipes(insmod_t)
- ')
- 
- optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.7.9/policy/modules/system/mount.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.7.15/policy/modules/system/mount.fc
 --- nsaserefpolicy/policy/modules/system/mount.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/system/mount.fc	2010-02-16 15:08:37.000000000 -0500
-@@ -1,4 +1,9 @@
++++ serefpolicy-3.7.15/policy/modules/system/mount.fc	2010-03-18 10:44:43.000000000 -0400
+@@ -1,4 +1,10 @@
  /bin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
  /bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
 +/sbin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
 +/sbin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
 +/bin/fusermount    		--      gen_context(system_u:object_r:fusermount_exec_t,s0)
 +/usr/bin/fusermount		--	gen_context(system_u:object_r:fusermount_exec_t,s0)
++/usr/sbin/showmount		--  gen_context(system_u:object_r:showmount_exec_t,s0)
  
 -/usr/bin/fusermount		--	gen_context(system_u:object_r:mount_exec_t,s0)
 +/var/cache/davfs2(/.*)?		gen_context(system_u:object_r:mount_var_run_t,s0)
 +/var/run/davfs2(/.*)?		gen_context(system_u:object_r:mount_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.7.9/policy/modules/system/mount.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.7.15/policy/modules/system/mount.if
 --- nsaserefpolicy/policy/modules/system/mount.if	2009-07-29 15:15:33.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/system/mount.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/system/mount.if	2010-03-18 10:44:43.000000000 -0400
 @@ -16,6 +16,14 @@
  	')
  
@@ -31619,7 +30752,43 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  	optional_policy(`
  		samba_run_smbmount($1, $2)
  	')
-@@ -84,9 +94,11 @@
+@@ -51,6 +61,35 @@
+ 
+ ########################################
+ ## <summary>
++##	Execute fusermount in the mount domain, and
++##	allow the specified role the mount domain,
++##	and use the caller's terminal.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed the mount domain.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`mount_run_fusermount',`
++	gen_require(`
++		type mount_t;
++	')
++
++	mount_domtrans_fusermount($1)
++	role $2 types mount_t;
++
++	fstools_run(mount_t, $2)
++')
++
++########################################
++## <summary>
+ ##	Execute mount in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+@@ -84,9 +123,11 @@
  interface(`mount_signal',`
  	gen_require(`
  		type mount_t;
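Review bot: `mount_run_fusermount` grants more than its summary states: besides the fusermount transition it calls `fstools_run(mount_t, $2)`, which lets mount_t transition into the fstools domain and gives role `$2` that domain as well. If that is intended, the `<summary>` block should say so, e.g. add `##	Also allows mount_t to run fstools and grants the role the fstools domain.`; otherwise the fstools_run call describes a property of mount_t and belongs in mount.te rather than in a per-caller interface, where every caller of this interface silently picks it up.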
@@ -31631,7 +30800,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  ')
  
  ########################################
-@@ -177,3 +189,57 @@
+@@ -177,3 +218,100 @@
  	mount_domtrans_unconfined($1)
  	role $2 types unconfined_mount_t;
  ')
@@ -31689,9 +30858,52 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 +
 +	dontaudit $1 fusermount_exec_t:file exec_file_perms;
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.9/policy/modules/system/mount.te
++
++######################################
++## <summary>
++##  Execute a domain transition to run showmount.
++## </summary>
++## <param name="domain">
++## <summary>
++##  Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`mount_domtrans_showmount',`
++    gen_require(`
++        type showmount_t, showmount_exec_t;
++    ')
++
++    domtrans_pattern($1, showmount_exec_t, showmount_t)
++')
++
++######################################
++## <summary>
++##  Execute showmount in the showmount domain, and
++##  allow the specified role the showmount domain.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access
++##  </summary>
++## </param>
++## <param name="role">
++##  <summary>
++##  The role to be allowed the showmount domain.
++##  </summary>
++## </param>
++#
++interface(`mount_run_showmount',`
++    gen_require(`
++        type showmount_t;
++    ')
++
++    mount_domtrans_showmount($1)
++    role $2 types showmount_t;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.15/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/system/mount.te	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/system/mount.te	2010-03-18 10:44:43.000000000 -0400
 @@ -18,8 +18,15 @@
  init_system_domain(mount_t, mount_exec_t)
  role system_r types mount_t;
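Review bot: The two new showmount interfaces are indented with four spaces while the rest of mount.if, including `mount_run_fusermount` earlier in this file, uses tabs, and their XML summaries use two spaces after `##` where the existing interfaces use a tab; refpolicy convention is tabs throughout, so the bodies of `mount_domtrans_showmount` and `mount_run_showmount` should be re-indented. `mount_run_showmount` also lacks the `## <rolecap/>` tag that `mount_run_fusermount` carries, so add `## <rolecap/>` before its `#` line for consistency with the other role-granting interfaces.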
@@ -31708,7 +30920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  
  type mount_tmp_t;
  files_tmp_file(mount_tmp_t)
-@@ -29,6 +36,10 @@
+@@ -29,6 +36,19 @@
  # policy--duplicate type declaration
  type unconfined_mount_t;
  application_domain(unconfined_mount_t, mount_exec_t)
@@ -31716,10 +30928,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 +
 +type mount_var_run_t;
 +files_pid_file(mount_var_run_t)
++
++# showmount - show mount information for an NFS server
++
++type showmount_t;
++type showmount_exec_t;
++application_domain(showmount_t, showmount_exec_t)
++role system_r types showmount_t;
++
++permissive showmount_t;
  
  ########################################
  #
-@@ -36,7 +47,11 @@
+@@ -36,7 +56,11 @@
  #
  
  # setuid/setgid needed to mount cifs 
@@ -31732,7 +30953,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  
  allow mount_t mount_loopback_t:file read_file_perms;
  
-@@ -47,21 +62,38 @@
+@@ -47,30 +71,49 @@
  
  files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
  
@@ -31772,8 +30993,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  
  files_search_all(mount_t)
  files_read_etc_files(mount_t)
-@@ -70,7 +102,7 @@
+ files_manage_etc_runtime_files(mount_t)
+ files_etc_filetrans_etc_runtime(mount_t, file)
  files_mounton_all_mountpoints(mount_t)
++# ntfs-3g checks whether the mountpoint is writable before mounting
++files_write_all_mountpoints(mount_t)
  files_unmount_rootfs(mount_t)
  # These rules need to be generalized.  Only admin, initrc should have it:
 -files_relabelto_all_file_type_fs(mount_t)
@@ -31781,7 +31005,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  files_mount_all_file_type_fs(mount_t)
  files_unmount_all_file_type_fs(mount_t)
  # for when /etc/mtab loses its type
-@@ -80,15 +112,18 @@
+@@ -80,15 +123,18 @@
  files_read_usr_files(mount_t)
  files_list_mnt(mount_t)
  
@@ -31803,7 +31027,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  
  mls_file_read_all_levels(mount_t)
  mls_file_write_all_levels(mount_t)
-@@ -99,6 +134,7 @@
+@@ -99,6 +145,7 @@
  storage_raw_write_fixed_disk(mount_t)
  storage_raw_read_removable_device(mount_t)
  storage_raw_write_removable_device(mount_t)
@@ -31811,7 +31035,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  
  term_use_all_terms(mount_t)
  
-@@ -107,6 +143,8 @@
+@@ -107,6 +154,8 @@
  init_use_fds(mount_t)
  init_use_script_ptys(mount_t)
  init_dontaudit_getattr_initctl(mount_t)
@@ -31820,7 +31044,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  
  logging_send_syslog_msg(mount_t)
  
-@@ -117,6 +155,8 @@
+@@ -117,6 +166,8 @@
  seutil_read_config(mount_t)
  
  userdom_use_all_users_fds(mount_t)
@@ -31829,7 +31053,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  
  ifdef(`distro_redhat',`
  	optional_policy(`
-@@ -132,10 +172,17 @@
+@@ -132,10 +183,17 @@
  	')
  ')
  
@@ -31847,7 +31071,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  ')
  
  optional_policy(`
-@@ -165,6 +212,8 @@
+@@ -165,6 +223,8 @@
  	fs_search_rpc(mount_t)
  
  	rpc_stub(mount_t)
@@ -31856,7 +31080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  ')
  
  optional_policy(`
-@@ -172,6 +221,25 @@
+@@ -172,6 +232,25 @@
  ')
  
  optional_policy(`
@@ -31882,7 +31106,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  	ifdef(`hide_broken_symptoms',`
  		# for a bug in the X server
  		rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -179,6 +247,11 @@
+@@ -179,6 +258,11 @@
  	')
  ')
  
@@ -31894,7 +31118,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  # for kernel package installation
  optional_policy(`
  	rpm_rw_pipes(mount_t)
-@@ -186,6 +259,19 @@
+@@ -186,6 +270,19 @@
  
  optional_policy(`
  	samba_domtrans_smbmount(mount_t)
@@ -31914,7 +31138,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
  ')
  
  ########################################
-@@ -195,5 +281,10 @@
+@@ -195,5 +292,41 @@
  
  optional_policy(`
  	files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
@@ -31926,16 +31150,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 +	devicekit_dbus_chat_disk(unconfined_mount_t)
  ')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.7.9/policy/modules/system/raid.te
---- nsaserefpolicy/policy/modules/system/raid.te	2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/system/raid.te	2010-02-16 15:08:37.000000000 -0500
-@@ -51,11 +51,13 @@
- dev_dontaudit_getattr_generic_chr_files(mdadm_t)
- dev_dontaudit_getattr_generic_blk_files(mdadm_t)
- dev_read_realtime_clock(mdadm_t)
-+dev_read_raw_memory(mdadm_t)
- 
- domain_use_interactive_fds(mdadm_t)
++######################################
++#
++# showmount local policy
++#
++
++allow showmount_t self:tcp_socket create_stream_socket_perms;
++allow showmount_t self:udp_socket create_socket_perms;
++
++kernel_read_system_state(showmount_t)
++
++corenet_all_recvfrom_unlabeled(showmount_t)
++corenet_all_recvfrom_netlabel(showmount_t)
++corenet_tcp_sendrecv_generic_if(showmount_t)
++corenet_udp_sendrecv_generic_if(showmount_t)
++corenet_tcp_sendrecv_generic_node(showmount_t)
++corenet_udp_sendrecv_generic_node(showmount_t)
++corenet_tcp_sendrecv_all_ports(showmount_t)
++corenet_udp_sendrecv_all_ports(showmount_t)
++corenet_tcp_bind_generic_node(showmount_t)
++corenet_udp_bind_generic_node(showmount_t)
++corenet_tcp_bind_all_rpc_ports(showmount_t)
++corenet_udp_bind_all_rpc_ports(showmount_t)
++corenet_tcp_connect_all_ports(showmount_t)
++
++files_read_etc_files(showmount_t)
++
++miscfiles_read_localization(showmount_t)
++
++sysnet_dns_name_resolve(showmount_t)
++
++userdom_use_user_terminals(showmount_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.7.15/policy/modules/system/raid.te
+--- nsaserefpolicy/policy/modules/system/raid.te	2010-03-12 09:24:22.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/system/raid.te	2010-03-18 10:44:43.000000000 -0400
+@@ -58,6 +58,7 @@
  
  files_read_etc_files(mdadm_t)
  files_read_etc_runtime_files(mdadm_t)
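Review bot: The showmount local policy grants `corenet_tcp_connect_all_ports(showmount_t)` together with `corenet_tcp_sendrecv_all_ports` and `corenet_udp_sendrecv_all_ports`, which lets a tool that only queries portmapper and mountd talk to any labeled port. The RPC-scoped interfaces already used for bind here (`corenet_tcp_bind_all_rpc_ports`) have a connect counterpart, so `corenet_tcp_connect_all_rpc_ports(showmount_t)` plus `corenet_tcp_connect_portmap_port(showmount_t)` would match the program's actual traffic and are worth trying before falling back to all ports. Since showmount_t is declared permissive earlier in this patch, any gap in the narrower set would surface as AVC log entries rather than failures, which makes this a low-risk tightening to attempt now.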
@@ -31943,9 +31192,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t
  
  fs_search_auto_mountpoints(mdadm_t)
  fs_dontaudit_list_tmpfs(mdadm_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.7.9/policy/modules/system/selinuxutil.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.7.15/policy/modules/system/selinuxutil.fc
 --- nsaserefpolicy/policy/modules/system/selinuxutil.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/system/selinuxutil.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/system/selinuxutil.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -6,13 +6,13 @@
  /etc/selinux(/.*)?			gen_context(system_u:object_r:selinux_config_t,s0)
  /etc/selinux/([^/]*/)?contexts(/.*)?	gen_context(system_u:object_r:default_context_t,s0)
@@ -31985,10 +31234,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 +
 +/etc/share/selinux/targeted(/.*)?	gen_context(system_u:object_r:semanage_store_t,s0)
 +/etc/share/selinux/mls(/.*)?		gen_context(system_u:object_r:semanage_store_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.7.9/policy/modules/system/selinuxutil.if
---- nsaserefpolicy/policy/modules/system/selinuxutil.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/system/selinuxutil.if	2010-02-16 15:08:37.000000000 -0500
-@@ -351,6 +351,27 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.7.15/policy/modules/system/selinuxutil.if
+--- nsaserefpolicy/policy/modules/system/selinuxutil.if	2010-03-03 23:26:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/system/selinuxutil.if	2010-03-18 10:44:43.000000000 -0400
+@@ -361,6 +361,27 @@
  
  ########################################
  ## <summary>
@@ -32016,7 +31265,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  ##	Execute run_init in the run_init domain.
  ## </summary>
  ## <param name="domain">
-@@ -535,6 +556,53 @@
+@@ -545,6 +566,53 @@
  
  ########################################
  ## <summary>
@@ -32070,7 +31319,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  ##	Execute setfiles in the caller domain.
  ## </summary>
  ## <param name="domain">
-@@ -680,6 +748,7 @@
+@@ -690,6 +758,7 @@
  	')
  
  	files_search_etc($1)
@@ -32078,7 +31327,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  	manage_files_pattern($1, selinux_config_t, selinux_config_t)
  	read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
  ')
-@@ -999,6 +1068,26 @@
+@@ -1009,6 +1078,26 @@
  
  ########################################
  ## <summary>
@@ -32105,7 +31354,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  ##	Execute semanage in the semanage domain, and
  ##	allow the specified role the semanage domain,
  ##	and use the caller's terminal.
-@@ -1010,7 +1099,7 @@
+@@ -1020,7 +1109,7 @@
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -32114,7 +31363,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -1028,6 +1117,54 @@
+@@ -1038,6 +1127,54 @@
  
  ########################################
  ## <summary>
@@ -32160,7 +31409,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 +	')
 +
 +	files_search_etc($1)
-+	read_dirs_pattern($1, selinux_config_t, semanage_store_t)
++	list_dirs_pattern($1, selinux_config_t, semanage_store_t)
 +	read_files_pattern($1, semanage_store_t, semanage_store_t)
 +')
 +
@@ -32169,7 +31418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  ##	Full management of the semanage
  ##	module store.
  ## </summary>
-@@ -1139,3 +1276,194 @@
+@@ -1149,3 +1286,194 @@
  	selinux_dontaudit_get_fs_mount($1)
  	seutil_dontaudit_read_config($1)
  ')
@@ -32364,9 +31613,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 +	hotplug_use_fds($1)
 +')
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.9/policy/modules/system/selinuxutil.te
---- nsaserefpolicy/policy/modules/system/selinuxutil.te	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/system/selinuxutil.te	2010-02-16 15:08:37.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.7.15/policy/modules/system/selinuxutil.te
+--- nsaserefpolicy/policy/modules/system/selinuxutil.te	2010-02-18 14:06:31.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/system/selinuxutil.te	2010-03-18 10:44:43.000000000 -0400
 @@ -23,6 +23,9 @@
  type selinux_config_t;
  files_type(selinux_config_t)
@@ -32612,7 +31861,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
  # cjp: need a more general way to handle this:
  ifdef(`enable_mls',`
  	# read secadm tmp files
-@@ -499,111 +485,43 @@
+@@ -499,112 +485,43 @@
  	userdom_read_user_tmp_files(semanage_t)
  ')
  
@@ -32656,6 +31905,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 -files_read_etc_files(setfiles_t)
 -files_list_all(setfiles_t)
 -files_relabel_all_files(setfiles_t)
+-files_read_usr_symlinks(setfiles_t)
 -
 -fs_getattr_xattr_fs(setfiles_t)
 -fs_list_all(setfiles_t)
@@ -32728,31 +31978,248 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 +# During boot in Rawhide
 +term_use_generic_ptys(setfiles_t)
 +
-+seutil_setfiles(setfiles_mac_t)
-+allow setfiles_mac_t self:capability2 mac_admin;
-+kernel_relabelto_unlabeled(setfiles_mac_t)
- 
- ifdef(`hide_broken_symptoms',`
- 	optional_policy(`
--		udev_dontaudit_rw_dgram_sockets(setfiles_t)
--	')
--
--	# cjp: cover up stray file descriptors.
--	optional_policy(`
--		unconfined_dontaudit_read_pipes(setfiles_t)
--		unconfined_dontaudit_rw_tcp_sockets(setfiles_t)
-+		setroubleshoot_fixit_dontaudit_leaks(setfiles_t)
-+		setroubleshoot_fixit_dontaudit_leaks(setsebool_t)
- 	')
- ')
- 
- optional_policy(`
--	hotplug_use_fds(setfiles_t)
-+	unconfined_domain(setfiles_mac_t)
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.7.9/policy/modules/system/sysnetwork.fc
++seutil_setfiles(setfiles_mac_t)
++allow setfiles_mac_t self:capability2 mac_admin;
++kernel_relabelto_unlabeled(setfiles_mac_t)
+ 
+ ifdef(`hide_broken_symptoms',`
+ 	optional_policy(`
+-		udev_dontaudit_rw_dgram_sockets(setfiles_t)
+-	')
+-
+-	# cjp: cover up stray file descriptors.
+-	optional_policy(`
+-		unconfined_dontaudit_read_pipes(setfiles_t)
+-		unconfined_dontaudit_rw_tcp_sockets(setfiles_t)
++		setroubleshoot_fixit_dontaudit_leaks(setfiles_t)
++		setroubleshoot_fixit_dontaudit_leaks(setsebool_t)
+ 	')
+ ')
+ 
+ optional_policy(`
+-	hotplug_use_fds(setfiles_t)
++	unconfined_domain(setfiles_mac_t)
+ ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosreport.fc serefpolicy-3.7.15/policy/modules/system/sosreport.fc
+--- nsaserefpolicy/policy/modules/system/sosreport.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/system/sosreport.fc	2010-03-18 10:44:43.000000000 -0400
+@@ -0,0 +1,2 @@
++
++/usr/sbin/sosreport	--	gen_context(system_u:object_r:sosreport_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosreport.if serefpolicy-3.7.15/policy/modules/system/sosreport.if
+--- nsaserefpolicy/policy/modules/system/sosreport.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/system/sosreport.if	2010-03-18 10:44:43.000000000 -0400
+@@ -0,0 +1,74 @@
++
++## <summary>policy for sosreport</summary>
++
++########################################
++## <summary>
++##	Execute a domain transition to run sosreport.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`sosreport_domtrans',`
++	gen_require(`
++		type sosreport_t, sosreport_exec_t;
++	')
++
++	domtrans_pattern($1, sosreport_exec_t, sosreport_t)
++')
++
++
++########################################
++## <summary>
++##	Execute sosreport in the sosreport domain, and
++##	allow the specified role the sosreport domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed the sosreport domain.
++##	</summary>
++## </param>
++#
++interface(`sosreport_run',`
++	gen_require(`
++		type sosreport_t;
++	')
++
++	sosreport_domtrans($1)
++	role $2 types sosreport_t;
++')
++
++########################################
++## <summary>
++##	Role access for sosreport
++## </summary>
++## <param name="role">
++##	<summary>
++##	Role allowed access
++##	</summary>
++## </param>
++## <param name="domain">
++##	<summary>
++##	User domain for the role
++##	</summary>
++## </param>
++#
++interface(`sosreport_role',`
++	gen_require(`
++              type sosreport_t;
++	')
++
++	role $1 types sosreport_t;
++
++	sosreport_domtrans($2)
++
++	ps_process_pattern($2, sosreport_t)
++	allow $2 sosreport_t:process signal;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosreport.te serefpolicy-3.7.15/policy/modules/system/sosreport.te
+--- nsaserefpolicy/policy/modules/system/sosreport.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/system/sosreport.te	2010-03-18 10:44:43.000000000 -0400
+@@ -0,0 +1,129 @@
++
++policy_module(sosreport,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type sosreport_t;
++type sosreport_exec_t;
++application_domain(sosreport_t, sosreport_exec_t)
++role system_r types sosreport_t;
++
++type sosreport_tmp_t;
++files_tmp_file(sosreport_tmp_t)
++
++type sosreport_tmpfs_t;
++files_tmpfs_file(sosreport_tmpfs_t)
++
++########################################
++#
++# sosreport local policy
++#
++
++allow sosreport_t self:capability { kill net_admin net_raw setuid sys_nice sys_ptrace dac_override };
++allow sosreport_t self:process { setsched signull };
++
++allow sosreport_t self:fifo_file rw_fifo_file_perms;
++allow sosreport_t self:tcp_socket create_stream_socket_perms;
++allow sosreport_t self:udp_socket create_socket_perms;
++allow sosreport_t self:unix_dgram_socket create_socket_perms;
++allow sosreport_t self:netlink_route_socket r_netlink_socket_perms;
++allow sosreport_t self:unix_stream_socket create_stream_socket_perms;
++
++# sosreport tmp files 
++manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
++manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
++manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
++files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir })
++
++manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t)
++fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t,file)
++
++kernel_read_device_sysctls(sosreport_t)
++kernel_read_hotplug_sysctls(sosreport_t)
++kernel_read_kernel_sysctls(sosreport_t)
++kernel_read_modprobe_sysctls(sosreport_t)
++kernel_read_net_sysctls(sosreport_t)
++kernel_read_network_state(sosreport_t)
++kernel_read_rpc_sysctls(sosreport_t)
++kernel_read_software_raid_state(sosreport_t)
++kernel_read_unix_sysctls(sosreport_t)
++kernel_read_vm_sysctls(sosreport_t)
++kernel_search_debugfs(sosreport_t)
++
++corecmd_exec_all_executables(sosreport_t)
++
++dev_getattr_all_chr_files(sosreport_t)
++dev_getattr_all_blk_files(sosreport_t)
++
++dev_read_rand(sosreport_t)
++dev_read_urand(sosreport_t)
++dev_read_raw_memory(sosreport_t)
++dev_read_sysfs(sosreport_t)
++
++domain_getattr_all_domains(sosreport_t)
++domain_read_all_domains_state(sosreport_t)
++
++# for blkid.tab
++files_manage_etc_runtime_files(sosreport_t)
++files_etc_filetrans_etc_runtime(sosreport_t, file)
++
++files_exec_etc_files(sosreport_t)
++files_list_all(sosreport_t)
++files_read_config_files(sosreport_t)
++files_read_etc_files(sosreport_t)
++files_read_generic_tmp_files(sosreport_t)
++files_read_usr_files(sosreport_t)
++files_read_var_lib_files(sosreport_t)
++files_read_var_symlinks(sosreport_t)
++files_read_kernel_modules(sosreport_t)
++
++fs_getattr_all_fs(sosreport_t)
++
++# cjp: some config files do not have configfile attribute
++# sosreport needs to read various files on system
++auth_read_all_files_except_shadow(sosreport_t)
++auth_use_nsswitch(sosreport_t)
++
++init_domtrans_script(sosreport_t)
++
++libs_domtrans_ldconfig(sosreport_t)
++
++logging_read_all_logs(sosreport_t)
++logging_send_syslog_msg(sosreport_t)
++
++miscfiles_read_localization(sosreport_t)
++
++# needed by modinfo
++modutils_read_module_deps(sosreport_t)
++
++sysnet_read_config(sosreport_t)
++
++optional_policy(`
++	cups_stream_connect(sosreport_t)
++')
++
++optional_policy(`
++    lvm_domtrans(sosreport_t)
++')
++
++optional_policy(`
++	pulseaudio_stream_connect(sosreport_t)
++')
++
++optional_policy(`
++    rpm_exec(sosreport_t)
++    rpm_dontaudit_manage_db(sosreport_t)
++    rpm_read_db(sosreport_t)
++')
++
++optional_policy(`
++	xserver_stream_connect(sosreport_t)
++')
++
++optional_policy(`
++	unconfined_domain_noaudit(sosreport_t)
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.7.15/policy/modules/system/sysnetwork.fc
 --- nsaserefpolicy/policy/modules/system/sysnetwork.fc	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/system/sysnetwork.fc	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/system/sysnetwork.fc	2010-03-18 10:44:43.000000000 -0400
 @@ -13,6 +13,9 @@
  /etc/dhcpd\.conf	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
  /etc/dhcp/dhcpd\.conf	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
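Review bot: The trailing `optional_policy(` block that calls `unconfined_domain_noaudit(sosreport_t)` in the new sosreport.te makes sosreport_t effectively unconfined wherever the unconfined module is present (typically the case on targeted builds), so the roughly eighty preceding rules — the `capability` set including `sys_ptrace` and `dac_override`, `dev_read_raw_memory`, `auth_read_all_files_except_shadow`, `corecmd_exec_all_executables` — only constrain the domain on builds without that module; that deserves a comment above the block, e.g. `# sosreport_t is unconfined when the unconfined module is present; the rules above only apply without it`. The same hunk mixes indentation styles: `              type sosreport_t;` inside `sosreport_role` uses spaces where the other gen_require blocks use a tab, and the lvm and rpm `optional_policy` bodies use four spaces while the cups, pulseaudio, xserver and unconfined bodies use tabs. `fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t,file)` is also missing the space after the last comma that every other macro call in the file has.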
@@ -32786,10 +32253,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
  ')
 +
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.7.9/policy/modules/system/sysnetwork.if
---- nsaserefpolicy/policy/modules/system/sysnetwork.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/system/sysnetwork.if	2010-02-16 15:08:37.000000000 -0500
-@@ -43,6 +43,36 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.7.15/policy/modules/system/sysnetwork.if
+--- nsaserefpolicy/policy/modules/system/sysnetwork.if	2010-03-01 15:12:54.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/system/sysnetwork.if	2010-03-18 10:44:43.000000000 -0400
+@@ -43,6 +43,41 @@
  
  	sysnet_domtrans_dhcpc($1)
  	role $2 types dhcpc_t;
@@ -32799,15 +32266,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
 +	modutils_run_insmod(dhcpc_t, $2)
 +
 +	optional_policy(`
-+		hostname_run(dhcpc_t, $2)
++		consoletype_run(dhcpc_t, $2)
 +	')
 +
 +	optional_policy(`
-+		netutils_run_ping(dhcpc_t, $2)
++		hostname_run(dhcpc_t, $2)
 +	')
++
 +	optional_policy(`
 +		netutils_run(dhcpc_t, $2)
++		netutils_run_ping(dhcpc_t, $2)
 +	')
++
 +	optional_policy(`
 +		networkmanager_run(dhcpc_t, $2)
 +	')
@@ -32819,14 +32289,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
 +	optional_policy(`
 +		nscd_run(dhcpc_t, $2)
 +	')
++
 +	optional_policy(`
 +		ntp_run(dhcpc_t, $2)
 +	')
++
 +	seutil_run_setfiles(dhcpc_t, $2)
  ')
  
  ########################################
-@@ -192,7 +222,25 @@
+@@ -192,7 +227,25 @@
  		type dhcpc_state_t;
  	')
  
@@ -32853,7 +32325,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
  ')
  
  #######################################
-@@ -230,7 +278,8 @@
+@@ -251,7 +304,8 @@
  	')
  
  	files_search_etc($1)
@@ -32863,7 +32335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
  ')
  
  #######################################
-@@ -323,7 +372,8 @@
+@@ -344,7 +398,8 @@
  		type net_conf_t;
  	')
  
@@ -32873,7 +32345,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
  ')
  
  #######################################
-@@ -380,6 +430,10 @@
+@@ -401,6 +456,10 @@
  
  	corecmd_search_bin($1)
  	domtrans_pattern($1, ifconfig_exec_t, ifconfig_t)
@@ -32884,7 +32356,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
  ')
  
  ########################################
-@@ -464,6 +518,7 @@
+@@ -485,6 +544,7 @@
  	')
  
  	files_search_etc($1)
@@ -32892,19 +32364,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
  	read_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
  ')
  
-@@ -541,6 +596,7 @@
+@@ -562,9 +622,9 @@
  		type net_conf_t;
  	')
  
 +	allow $1 self:netlink_route_socket r_netlink_socket_perms;
  	allow $1 self:tcp_socket create_socket_perms;
  	allow $1 self:udp_socket create_socket_perms;
+-	allow $1 self:netlink_route_socket r_netlink_socket_perms;
  
-@@ -556,7 +612,15 @@
+ 	corenet_all_recvfrom_unlabeled($1)
+ 	corenet_all_recvfrom_netlabel($1)
+@@ -577,7 +637,16 @@
+ 	corenet_tcp_connect_dns_port($1)
  	corenet_sendrecv_dns_client_packets($1)
  
- 	files_search_etc($1)
--	allow $1 net_conf_t:file read_file_perms;
+-	sysnet_read_config($1)
++	files_search_etc($1)
 +	read_files_pattern($1, net_conf_t, net_conf_t)
 +
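Review bot: The replacement for the removed `sysnet_read_config($1)` is written two different ways: here, in the DNS resolver interface, it becomes `read_files_pattern($1, net_conf_t, net_conf_t)`, while in the next hunk (headed `@@ -32917,19 +32393,26 @@`) the LDAP and portmap interfaces get the bare `allow $1 net_conf_t:file read_file_perms;`. I believe the macro expands to that same file rule plus a `dir search` rule on net_conf_t, so the three interfaces no longer grant exactly the same thing; using one form in all three — the `read_files_pattern` macro is the usual refpolicy convention — would keep them reviewable side by side. The enclosing interfaces begin and end outside these hunks.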
 +	optional_policy(`
@@ -32917,19 +32393,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
  ')
  
  ########################################
-@@ -586,6 +650,8 @@
+@@ -605,7 +674,10 @@
+ 	corenet_tcp_connect_ldap_port($1)
+ 	corenet_sendrecv_ldap_client_packets($1)
  
- 	files_search_etc($1)
- 	allow $1 net_conf_t:file read_file_perms;
+-	sysnet_read_config($1)
++	files_search_etc($1)
++	allow $1 net_conf_t:file read_file_perms;
 +	# LDAP Configuration using encrypted requires
 +	dev_read_urand($1)
  ')
  
  ########################################
-@@ -620,3 +686,49 @@
- 	files_search_etc($1)
- 	allow $1 net_conf_t:file read_file_perms;
- ')
+@@ -637,5 +709,52 @@
+ 	corenet_tcp_connect_portmap_port($1)
+ 	corenet_sendrecv_portmap_client_packets($1)
+ 
+-	sysnet_read_config($1)
++	files_search_etc($1)
++	allow $1 net_conf_t:file read_file_perms;
++')
 +
 +########################################
 +## <summary>
@@ -32975,10 +32458,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
 +	')
 +
 +	role_transition $1 dhcpc_exec_t system_r;
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.9/policy/modules/system/sysnetwork.te
---- nsaserefpolicy/policy/modules/system/sysnetwork.te	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/system/sysnetwork.te	2010-02-16 15:08:37.000000000 -0500
+ ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.7.15/policy/modules/system/sysnetwork.te
+--- nsaserefpolicy/policy/modules/system/sysnetwork.te	2010-02-18 14:06:31.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/system/sysnetwork.te	2010-03-18 10:44:43.000000000 -0400
 @@ -20,6 +20,9 @@
  init_daemon_domain(dhcpc_t, dhcpc_exec_t)
  role system_r types dhcpc_t;
@@ -33056,15 +32539,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
  
  fs_getattr_all_fs(dhcpc_t)
  fs_search_auto_mountpoints(dhcpc_t)
-@@ -146,7 +158,7 @@
- ')
- 
- optional_policy(`
--	consoletype_domtrans(dhcpc_t)
-+	consoletype_exec(dhcpc_t)
- ')
- 
- optional_policy(`
 @@ -183,25 +195,23 @@
  ')
  
@@ -33135,17 +32609,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
  # Create UDP sockets, necessary when called from dhcpc
  allow ifconfig_t self:udp_socket create_socket_perms;
  # for /sbin/ip
-@@ -260,7 +276,9 @@
+@@ -260,6 +276,7 @@
  kernel_use_fds(ifconfig_t)
  kernel_read_system_state(ifconfig_t)
  kernel_read_network_state(ifconfig_t)
 +kernel_request_load_module(ifconfig_t)
  kernel_search_network_sysctl(ifconfig_t)
-+kernel_search_debugfs(ifconfig_t)
  kernel_rw_net_sysctls(ifconfig_t)
  
- corenet_rw_tun_tap_dev(ifconfig_t)
-@@ -269,15 +287,23 @@
+@@ -269,15 +286,23 @@
  # for IPSEC setup:
  dev_read_urand(ifconfig_t)
  
@@ -33170,7 +32642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
  
  files_dontaudit_read_root_files(ifconfig_t)
  
-@@ -294,6 +320,8 @@
+@@ -294,6 +319,8 @@
  
  seutil_use_runinit_fds(ifconfig_t)
  
@@ -33179,7 +32651,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
  userdom_use_user_terminals(ifconfig_t)
  userdom_use_all_users_fds(ifconfig_t)
  
-@@ -330,8 +358,22 @@
+@@ -330,8 +357,22 @@
  ')
  
  optional_policy(`
@@ -33202,10 +32674,43 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
 +	hal_dontaudit_rw_pipes(ifconfig_t)
 +	hal_dontaudit_rw_dgram_sockets(ifconfig_t)
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.7.9/policy/modules/system/udev.if
---- nsaserefpolicy/policy/modules/system/udev.if	2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/system/udev.if	2010-02-16 15:08:37.000000000 -0500
-@@ -186,6 +186,7 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.7.15/policy/modules/system/udev.fc
+--- nsaserefpolicy/policy/modules/system/udev.fc	2009-11-25 11:47:19.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/system/udev.fc	2010-03-18 10:44:43.000000000 -0400
+@@ -22,3 +22,4 @@
+ /usr/bin/udevinfo --	gen_context(system_u:object_r:udev_exec_t,s0)
+ 
+ /var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
++/var/run/libgpod(/.*)?	        gen_context(system_u:object_r:udev_var_run_t,s0)    
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.7.15/policy/modules/system/udev.if
+--- nsaserefpolicy/policy/modules/system/udev.if	2010-03-03 23:26:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/system/udev.if	2010-03-18 10:44:43.000000000 -0400
+@@ -20,6 +20,24 @@
+ 
+ ########################################
+ ## <summary>
++##	Send kill signals to udev.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`udev_kill',`
++	gen_require(`
++		type udev_t;
++	')
++
++	allow $1 udev_t:process sigkill;
++')
++
++########################################
++## <summary>
+ ##	Execute udev in the udev domain.
+ ## </summary>
+ ## <param name="domain">
+@@ -192,6 +210,7 @@
  
  	dev_list_all_dev_nodes($1)
  	allow $1 udev_tbl_t:file rw_file_perms;
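Review bot: The new `/var/run/libgpod(/.*)?` entry in udev.fc has trailing spaces after `gen_context(system_u:object_r:udev_var_run_t,s0)` and separates the path from the context with a tab followed by a run of spaces, unlike the `PackageKit` entry directly above it; the fc parser ignores the extra whitespace, so this is style only, but the line should be trimmed to match its neighbour. In the same hunk, the new `udev_kill` interface grants only `sigkill`; since killing udev is disruptive, the `<summary>` could name the intended caller so the grant reads as deliberate, but that caller is outside this hunk.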
@@ -33213,9 +32718,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i
  ')
  
  ########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.7.9/policy/modules/system/udev.te
---- nsaserefpolicy/policy/modules/system/udev.te	2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/system/udev.te	2010-02-16 15:08:37.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.7.15/policy/modules/system/udev.te
+--- nsaserefpolicy/policy/modules/system/udev.te	2010-03-18 06:48:09.000000000 -0400
++++ serefpolicy-3.7.15/policy/modules/system/udev.te	2010-03-18 10:44:43.000000000 -0400
 @@ -50,6 +50,7 @@
  allow udev_t self:unix_stream_socket connectto;
  allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -33224,15 +32729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
  
  allow udev_t udev_exec_t:file write;
  can_exec(udev_t, udev_exec_t)
-@@ -99,6 +100,7 @@
- # udev_node.c/node_symlink() symlink labels are explicitly
- # preserved, instead of short circuiting the relabel
- dev_relabel_generic_symlinks(udev_t)
-+dev_manage_generic_symlinks(udev_t)
- 
- domain_read_all_domains_state(udev_t)
- domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
-@@ -210,6 +212,10 @@
+@@ -211,6 +212,10 @@
  ')
  
  optional_policy(`
@@ -33243,24 +32740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
  	consoletype_exec(udev_t)
  ')
  
-@@ -236,6 +242,7 @@
- 
- optional_policy(`
- 	hal_dgram_send(udev_t)
-+	hal_dontaudit_rw_dgram_sockets(udev_t)
- ')
- 
- optional_policy(`
-@@ -263,7 +270,7 @@
- ')
- 
- optional_policy(`
--	unconfined_signal(udev_t)
-+	rpm_search_log(udev_t)
- ')
- 
- optional_policy(`
-@@ -271,6 +278,14 @@
+@@ -268,6 +273,10 @@
  ')
  
  optional_policy(`
@@ -33268,22 +32748,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
 +')
 +
 +optional_policy(`
-+	unconfined_signal(udev_t)
-+')
-+
-+optional_policy(`
- 	kernel_write_xen_state(udev_t)
- 	kernel_read_xen_state(udev_t)
- 	xen_manage_log(udev_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.7.9/policy/modules/system/unconfined.fc
---- nsaserefpolicy/policy/modules/system/unconfined.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/system/unconfined.fc	2010-02-16 15:08:37.000000000 -0500
-@@ -1,16 +1 @@
+ 	unconfined_signal(udev_t)
+ ')
+ 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.7.15/policy/modules/system/unconfined.fc
+--- nsaserefpolicy/policy/modules/system/unconfined.fc	2010-02-22 08:30:53.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/system/unconfined.fc	2010-03-18 10:44:43.000000000 -0400
+@@ -1,15 +1 @@
  # Add programs here which should not be confined by SELinux
 -# e.g.:
 -# /usr/local/bin/appsrv		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
 -# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
--/usr/bin/qemu.*			--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 -/usr/bin/valgrind 		--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 -/usr/bin/vncserver		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
 -
@@ -33295,9 +32770,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 -ifdef(`distro_gentoo',`
 -/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 -')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.7.9/policy/modules/system/unconfined.if
---- nsaserefpolicy/policy/modules/system/unconfined.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/system/unconfined.if	2010-02-16 15:08:37.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.7.15/policy/modules/system/unconfined.if
+--- nsaserefpolicy/policy/modules/system/unconfined.if	2010-03-01 15:12:54.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/system/unconfined.if	2010-03-18 10:44:43.000000000 -0400
 @@ -12,14 +12,13 @@
  #
  interface(`unconfined_domain_noaudit',`
@@ -33369,7 +32844,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
  	')
  
  	optional_policy(`
-@@ -111,16 +123,15 @@
+@@ -122,6 +134,10 @@
  ## </param>
  #
  interface(`unconfined_domain',`
@@ -33380,17 +32855,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
  	unconfined_domain_noaudit($1)
  
  	tunable_policy(`allow_execheap',`
- 		auditallow $1 self:process execheap;
- 	')
--
--# Turn off this audit for FC5
--#	tunable_policy(`allow_execmem',`
--#		auditallow $1 self:process execmem;
--#	')
- ')
- 
- ########################################
-@@ -173,411 +184,3 @@
+@@ -179,411 +195,3 @@
  	refpolicywarn(`$0($1) has been deprecated.')
  ')
  
@@ -33802,9 +33267,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 -
 -	allow $1 unconfined_t:dbus acquire_svc;
 -')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.7.9/policy/modules/system/unconfined.te
---- nsaserefpolicy/policy/modules/system/unconfined.te	2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/system/unconfined.te	2010-02-16 15:08:37.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.7.15/policy/modules/system/unconfined.te
+--- nsaserefpolicy/policy/modules/system/unconfined.te	2010-02-22 08:30:53.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/system/unconfined.te	2010-03-18 10:44:43.000000000 -0400
 @@ -5,227 +5,5 @@
  #
  # Declarations
@@ -34034,15 +33499,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 -		hal_dbus_chat(unconfined_execmem_t)
 -	')
 -')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.9/policy/modules/system/userdomain.fc
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.7.15/policy/modules/system/userdomain.fc
 --- nsaserefpolicy/policy/modules/system/userdomain.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/modules/system/userdomain.fc	2010-02-16 15:08:37.000000000 -0500
-@@ -1,4 +1,11 @@
++++ serefpolicy-3.7.15/policy/modules/system/userdomain.fc	2010-03-18 10:44:43.000000000 -0400
+@@ -1,4 +1,10 @@
  HOME_DIR	-d	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
 +HOME_DIR	-l	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
  HOME_DIR/.+		gen_context(system_u:object_r:user_home_t,s0)
 -
-+/tmp/\.ICE-unix(/.*)?		gen_context(system_u:object_r:user_tmp_t,s0)
  /tmp/gconfd-USER -d	gen_context(system_u:object_r:user_tmp_t,s0)
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 +/dev/shm/pulse-shm.*	gen_context(system_u:object_r:user_tmpfs_t,s0)
@@ -34050,9 +33514,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +HOME_DIR/\.cert(/.*)?	gen_context(system_u:object_r:home_cert_t,s0)
 +HOME_DIR/\.pki(/.*)?		gen_context(system_u:object_r:home_cert_t,s0)
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.9/policy/modules/system/userdomain.if
---- nsaserefpolicy/policy/modules/system/userdomain.if	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/system/userdomain.if	2010-02-16 15:08:37.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.15/policy/modules/system/userdomain.if
+--- nsaserefpolicy/policy/modules/system/userdomain.if	2010-03-03 23:26:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/system/userdomain.if	2010-03-18 10:44:43.000000000 -0400
 @@ -30,8 +30,9 @@
  	')
  
@@ -34344,7 +33808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	files_search_tmp($1)
  ')
  
-@@ -368,51 +368,46 @@
+@@ -368,46 +368,41 @@
  
  #######################################
  ## <summary>
@@ -34411,91 +33875,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  #######################################
- ## <summary>
--##	The template for creating a user xwindows client.  (Deprecated)
-+##	The template for creating a user xwindows client.
- ## </summary>
- ## <param name="userdomain_prefix">
- ##	<summary>
-@@ -420,35 +415,58 @@
- ##	is the prefix for user_t).
- ##	</summary>
- ## </param>
--## <rolebase/>
-+## <rolecap/>
- #
--template(`userdom_xwindows_client_template',`
--	refpolicywarn(`$0() has been deprecated, please use xserver_role() instead.')
-+interface(`userdom_xwindows_client',`
- 	gen_require(`
--		type $1_t, user_tmpfs_t;
-+		type user_tmpfs_t;
- 	')
- 
--	dev_rw_xserver_misc($1_t)
--	dev_rw_power_management($1_t)
--	dev_read_input($1_t)
--	dev_read_misc($1_t)
--	dev_write_misc($1_t)
-+	dev_rwx_zero($1)
-+	dev_rw_xserver_misc($1)
-+	dev_rw_power_management($1)
-+	dev_read_input($1)
-+	dev_read_misc($1)
-+	dev_write_misc($1)
- 	# open office is looking for the following
--	dev_getattr_agp_dev($1_t)
--	dev_dontaudit_rw_dri($1_t)
-+	dev_getattr_agp_dev($1)
-+
-+	tunable_policy(`user_direct_dri',`
-+		dev_rw_dri($1)
-+	',`
-+		dev_dontaudit_rw_dri($1)
-+	')
-+
+@@ -438,6 +433,7 @@
+ 	dev_dontaudit_rw_dri($1_t)
  	# GNOME checks for usb and other devices:
--	dev_rw_usbfs($1_t)
-+	dev_rw_usbfs($1)
-+	dev_rw_generic_usb_dev($1)
-+	dev_read_video_dev($1)
-+	dev_write_video_dev($1)
-+	dev_rw_wireless($1)
-+
-+	miscfiles_dontaudit_write_fonts($1)
-+
-+	optional_policy(`
-+		udev_read_db($1)
-+	')
-+
-+	optional_policy(`
-+		setroubleshoot_dontaudit_dbus_chat($1)
-+	')
- 
--	xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
--	xserver_xsession_entry_type($1_t)
--	xserver_dontaudit_write_log($1_t)
--	xserver_stream_connect_xdm($1_t)
-+	optional_policy(`
-+		xserver_user_client($1, user_tmpfs_t)
-+		xserver_xsession_entry_type($1)
-+		xserver_dontaudit_write_log($1)
- 	# certain apps want to read xdm.pid file
--	xserver_read_xdm_pid($1_t)
-+		xserver_read_xdm_pid($1)
- 	# gnome-session creates socket under /tmp/.ICE-unix/
--	xserver_create_xdm_tmp_sockets($1_t)
-+		xserver_create_xdm_tmp_sockets($1)
- 	# Needed for escd, remove if we get escd policy
--	xserver_manage_xdm_tmp_files($1_t)
-+		xserver_manage_xdm_tmp_files($1)
-+		xserver_dbus_chat_xdm($1)
-+	')
-+
- ')
+ 	dev_rw_usbfs($1_t)
++	dev_rw_generic_usb_dev($1_t)
  
- #######################################
-@@ -498,7 +516,7 @@
+ 	xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
+ 	xserver_xsession_entry_type($1_t)
+@@ -498,7 +494,7 @@
  		attribute unpriv_userdomain;
  	')
  
@@ -34504,7 +33892,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  	##############################
  	#
-@@ -508,182 +526,213 @@
+@@ -508,71 +504,77 @@
  	# evolution and gnome-session try to create a netlink socket
  	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
  	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -34525,27 +33913,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +	kernel_get_sysvipc_info($1_usertype)
  	# Find CDROM devices:
 -	kernel_read_device_sysctls($1_t)
--
--	corecmd_exec_bin($1_t)
 +	kernel_read_device_sysctls($1_usertype)
 +	kernel_request_load_module($1_usertype)
  
--	corenet_udp_bind_generic_node($1_t)
--	corenet_udp_bind_generic_port($1_t)
+-	corecmd_exec_bin($1_t)
 +	corenet_udp_bind_generic_node($1_usertype)
 +	corenet_udp_bind_generic_port($1_usertype)
  
--	dev_read_rand($1_t)
--	dev_write_sound($1_t)
--	dev_read_sound($1_t)
--	dev_read_sound_mixer($1_t)
--	dev_write_sound_mixer($1_t)
+-	corenet_udp_bind_generic_node($1_t)
+-	corenet_udp_bind_generic_port($1_t)
 +	dev_read_rand($1_usertype)
 +	dev_write_sound($1_usertype)
 +	dev_read_sound($1_usertype)
 +	dev_read_sound_mixer($1_usertype)
 +	dev_write_sound_mixer($1_usertype)
  
+-	dev_read_rand($1_t)
+-	dev_write_sound($1_t)
+-	dev_read_sound($1_t)
+-	dev_read_sound_mixer($1_t)
+-	dev_write_sound_mixer($1_t)
+-
 -	files_exec_etc_files($1_t)
 -	files_search_locks($1_t)
 +	files_exec_etc_files($1_usertype)
@@ -34619,21 +34007,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +		dev_read_mouse($1_usertype)
  	')
  
--	tunable_policy(`user_ttyfile_stat',`
--		term_getattr_all_ttys($1_t)
-+	optional_policy(`
-+		alsa_read_rw_config($1_usertype)
+ 	tunable_policy(`user_ttyfile_stat',`
+@@ -580,65 +582,100 @@
  	')
  
  	optional_policy(`
 -		alsa_read_rw_config($1_t)
-+		# Allow graphical boot to check battery lifespan
-+		apm_stream_connect($1_usertype)
++		alsa_read_rw_config($1_usertype)
  	')
  
  	optional_policy(`
--		# Allow graphical boot to check battery lifespan
+ 		# Allow graphical boot to check battery lifespan
 -		apm_stream_connect($1_t)
++		apm_stream_connect($1_usertype)
++	')
++
++	optional_policy(`
 +		canna_stream_connect($1_usertype)
  	')
  
@@ -34647,42 +34036,50 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +		dbus_system_bus_client($1_usertype)
 +
 +		allow $1_usertype $1_usertype:dbus  send_msg;
- 
- 		optional_policy(`
--			bluetooth_dbus_chat($1_t)
++
++		optional_policy(`
 +			avahi_dbus_chat($1_usertype)
 +		')
 +
 +		optional_policy(`
++			policykit_dbus_chat($1_usertype)
++		')
++
++		optional_policy(`
 +			bluetooth_dbus_chat($1_usertype)
-+	')
++		')
 +
-+	optional_policy(`
++		optional_policy(`
 +			consolekit_dbus_chat($1_usertype)
 +			consolekit_read_log($1_usertype)
-+	')
++		')
 +
-+	optional_policy(`
-+		devicekit_dbus_chat($1_usertype)
-+		devicekit_dbus_chat_power($1_usertype)
-+		devicekit_dbus_chat_disk($1_usertype)
++		optional_policy(`
++			devicekit_dbus_chat($1_usertype)
++			devicekit_dbus_chat_power($1_usertype)
++			devicekit_dbus_chat_disk($1_usertype)
++		')
+ 
+ 		optional_policy(`
+-			bluetooth_dbus_chat($1_t)
++			evolution_dbus_chat($1_usertype)
++			evolution_alarm_dbus_chat($1_usertype)
  		')
  
  		optional_policy(`
 -			evolution_dbus_chat($1_t)
 -			evolution_alarm_dbus_chat($1_t)
-+		evolution_dbus_chat($1_usertype)
-+		evolution_alarm_dbus_chat($1_usertype)
++			gnome_dbus_chat_gconfdefault($1_usertype)
  		')
  
  		optional_policy(`
 -			cups_dbus_chat_config($1_t)
-+		hal_dbus_chat($1_usertype)
++			hal_dbus_chat($1_usertype)
  		')
  
  		optional_policy(`
 -			hal_dbus_chat($1_t)
-+		networkmanager_dbus_chat($1_usertype)
++			networkmanager_dbus_chat($1_usertype)
 +			networkmanager_read_var_lib_files($1_usertype)
  		')
  
@@ -34730,12 +34127,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
  	optional_policy(`
--		tunable_policy(`allow_user_mysql_connect',`
--			mysql_stream_connect($1_t)
-+		tunable_policy(`allow_user_postgresql_connect',`
-+			postgresql_stream_connect($1_usertype)
- 		')
- 	')
+@@ -649,41 +686,50 @@
  
  	optional_policy(`
  		# to allow monitoring of pcmcia status
@@ -34751,58 +34143,64 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
  	optional_policy(`
--		tunable_policy(`allow_user_postgresql_connect',`
+ 		tunable_policy(`allow_user_postgresql_connect',`
 -			postgresql_stream_connect($1_t)
 -			postgresql_tcp_connect($1_t)
-+		resmgr_stream_connect($1_usertype)
++			postgresql_stream_connect($1_usertype)
++			postgresql_tcp_connect($1_usertype)
  		')
-+
-+	optional_policy(`
-+		rpc_dontaudit_getattr_exports($1_usertype)
-+		rpc_manage_nfs_rw_content($1_usertype)
  	')
  
  	optional_policy(`
 -		resmgr_stream_connect($1_t)
-+		rpcbind_stream_connect($1_usertype)
++		resmgr_stream_connect($1_usertype)
++	')
++
++	optional_policy(`
++		rpc_dontaudit_getattr_exports($1_usertype)
++		rpc_manage_nfs_rw_content($1_usertype)
  	')
  
  	optional_policy(`
 -		rpc_dontaudit_getattr_exports($1_t)
 -		rpc_manage_nfs_rw_content($1_t)
-+		samba_stream_connect_winbind($1_usertype)
++		rpcbind_stream_connect($1_usertype)
  	')
  
  	optional_policy(`
 -		samba_stream_connect_winbind($1_t)
-+		sandbox_transition($1_usertype, $1_r)
++		samba_stream_connect_winbind($1_usertype)
  	')
  
  	optional_policy(`
 -		slrnpull_search_spool($1_t)
-+		seunshare_role_template($1, $1_r, $1_t)
++		sandbox_transition($1_usertype, $1_r)
  	')
  
  	optional_policy(`
 -		usernetctl_run($1_t,$1_r)
-+		slrnpull_search_spool($1_usertype)
++		seunshare_role_template($1, $1_r, $1_t)
  	')
 +
++	optional_policy(`
++		slrnpull_search_spool($1_usertype)
++	')
++
  ')
  
  #######################################
-@@ -711,13 +760,26 @@
+@@ -711,13 +757,26 @@
  
  	userdom_base_user_template($1)
  
 -	userdom_manage_home_role($1_r, $1_t)
 +	userdom_manage_home_role($1_r, $1_usertype)
-+
-+	userdom_manage_tmp_role($1_r, $1_usertype)
-+	userdom_manage_tmpfs_role($1_r, $1_usertype)
  
 -	userdom_manage_tmp_role($1_r, $1_t)
 -	userdom_manage_tmpfs_role($1_r, $1_t)
++	userdom_manage_tmp_role($1_r, $1_usertype)
++	userdom_manage_tmpfs_role($1_r, $1_usertype)
++
 +	ifelse(`$1',`unconfined',`',`
 +		gen_tunable(allow_$1_exec_content, true)
 +
@@ -34823,7 +34221,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  	userdom_change_password_template($1)
  
-@@ -735,70 +797,72 @@
+@@ -735,70 +794,73 @@
  
  	allow $1_t self:context contains;
  
@@ -34891,54 +34289,55 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
 -	seutil_read_config($1_t)
 +	seutil_read_config($1_usertype)
-+	optional_policy(`
-+		cups_read_config($1_usertype)
-+		cups_stream_connect($1_usertype)
-+		cups_stream_connect_ptal($1_usertype)
-+	')
  
  	optional_policy(`
 -		cups_read_config($1_t)
 -		cups_stream_connect($1_t)
 -		cups_stream_connect_ptal($1_t)
-+		kerberos_use($1_usertype)
-+		kerberos_connect_524($1_usertype)
++		cups_read_config($1_usertype)
++		cups_stream_connect($1_usertype)
++		cups_stream_connect_ptal($1_usertype)
  	')
  
  	optional_policy(`
 -		kerberos_use($1_t)
-+		mta_dontaudit_read_spool_symlinks($1_usertype)
++		kerberos_use($1_usertype)
++		kerberos_connect_524($1_usertype)
  	')
  
  	optional_policy(`
 -		mta_dontaudit_read_spool_symlinks($1_t)
-+		quota_dontaudit_getattr_db($1_usertype)
++		mta_dontaudit_read_spool_symlinks($1_usertype)
  	')
  
  	optional_policy(`
 -		quota_dontaudit_getattr_db($1_t)
-+		rpm_read_db($1_usertype)
-+		rpm_dontaudit_manage_db($1_usertype)
-+		rpm_read_cache($1_usertype)
++		quota_dontaudit_getattr_db($1_usertype)
  	')
  
  	optional_policy(`
 -		rpm_read_db($1_t)
 -		rpm_dontaudit_manage_db($1_t)
++		rpm_read_db($1_usertype)
++		rpm_dontaudit_manage_db($1_usertype)
++		rpm_read_cache($1_usertype)
++	')
++
++	optional_policy(`
 +		oddjob_run_mkhomedir($1_t, $1_r)
  	')
  ')
  
-@@ -826,6 +890,8 @@
- 	')
+@@ -830,12 +892,35 @@
+ 	typeattribute $1_t unpriv_userdomain;
+ 	domain_interactive_fd($1_t)
  
- 	userdom_login_user_template($1)
 +	allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
 +	dontaudit $1_t self:netlink_audit_socket create_socket_perms;
- 
- 	typeattribute $1_t unpriv_userdomain;
- 	domain_interactive_fd($1_t)
-@@ -836,6 +902,26 @@
++
+ 	##############################
+ 	#
+ 	# Local policy
  	#
  
  	optional_policy(`
@@ -34965,15 +34364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  		loadkeys_run($1_t,$1_r)
  	')
  ')
-@@ -865,51 +951,83 @@
- 
- 	userdom_restricted_user_template($1)
- 
-+	userdom_xwindows_client($1_usertype)
-+
- 	##############################
- 	#
- 	# Local policy
+@@ -871,45 +956,80 @@
  	#
  
  	auth_role($1_r, $1_t)
@@ -34982,8 +34373,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
 -	dev_read_sound($1_t)
 -	dev_write_sound($1_t)
-+	xserver_role($1_r, $1_t)
-+
 +	dev_read_sound($1_usertype)
 +	dev_write_sound($1_usertype)
  	# gnome keyring wants to read this.
@@ -34991,11 +34380,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +	dev_dontaudit_read_rand($1_usertype)
 +	# temporarily allow since openoffice requires this
 +	dev_read_rand($1_usertype)
- 
--	logging_send_syslog_msg($1_t)
++
 +	dev_read_video_dev($1_usertype)
 +	dev_write_video_dev($1_usertype)
-+
++	dev_rw_wireless($1_usertype)
+ 
+-	logging_send_syslog_msg($1_t)
 +	tunable_policy(`user_rw_noexattrfile',`
 +		fs_manage_noxattr_fs_files($1_usertype)
 +		fs_manage_noxattr_fs_dirs($1_usertype)
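Review bot: `dev_rw_wireless($1_usertype)` is added in this hunk with no comment saying why this user type needs read/write rather than read access to the wireless device node, while the neighbouring grants in the same block (`dev_dontaudit_read_rand`, `dev_read_rand`) each carry a one-line reason. A line such as `# <which desktop client needs write access to the wireless device, and why>` above it would let a later reviewer judge whether the grant can be narrowed to read. The template this block belongs to starts before the hunk; from the `auth_role($1_r, $1_t)` context in the preceding hunk it appears to be the restricted X-windows user template, but that is inferred rather than visible here.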
@@ -35015,37 +34405,38 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +	seutil_read_file_contexts($1_t)
 +	seutil_read_default_contexts($1_t)
  
--	xserver_restricted_role($1_r, $1_t)
-+	optional_policy(`
-+		alsa_read_rw_config($1_usertype)
-+	')
-+
-+	optional_policy(`
-+		apache_role($1_r, $1_usertype)
-+	')
+ 	xserver_restricted_role($1_r, $1_t)
  
  	optional_policy(`
 -		alsa_read_rw_config($1_t)
-+		devicekit_dbus_chat($1_usertype)
-+		devicekit_dbus_chat_disk($1_usertype)
-+		devicekit_dbus_chat_power($1_usertype)
++		alsa_read_rw_config($1_usertype)
  	')
  
  	optional_policy(`
 -		dbus_role_template($1, $1_r, $1_t)
 -		dbus_system_bus_client($1_t)
-+		fprintd_dbus_chat($1_t)
++		devicekit_dbus_chat($1_usertype)
++		devicekit_dbus_chat_disk($1_usertype)
++		devicekit_dbus_chat_power($1_usertype)
 +	')
  
- 		optional_policy(`
+-		optional_policy(`
 -			consolekit_dbus_chat($1_t)
-+		openoffice_role_template($1, $1_r, $1_usertype)
- 		')
+-		')
++	optional_policy(`
++		fprintd_dbus_chat($1_t)
++	')
  
- 		optional_policy(`
+-		optional_policy(`
 -			cups_dbus_chat($1_t)
+-		')
++	optional_policy(`
++		openoffice_role_template($1, $1_r, $1_usertype)
++	')
++
++	optional_policy(`
 +		policykit_role($1_r, $1_usertype)
- 		')
++	')
 +
 +	optional_policy(`
 +		pulseaudio_role($1_r, $1_usertype)
@@ -35057,22 +34448,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
  	optional_policy(`
--		setroubleshoot_dontaudit_stream_connect($1_t)
+ 		setroubleshoot_dontaudit_stream_connect($1_t)
++        ')
++
++	optional_policy(`
++		udev_read_db($1_usertype)
++        ')
++
++	optional_policy(`
 +		wm_role_template($1, $1_r, $1_t)
  	')
  ')
  
-@@ -943,8 +1061,8 @@
- 	# Declarations
+@@ -944,7 +1064,7 @@
  	#
  
-+	userdom_restricted_xwindows_user_template($1)
  	# Inherit rules for ordinary users.
 -	userdom_restricted_user_template($1)
++	userdom_restricted_xwindows_user_template($1)
  	userdom_common_user_template($1)
  
  	##############################
-@@ -953,54 +1071,71 @@
+@@ -953,54 +1073,73 @@
  	#
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
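Review bot: The two new closing lines `++        ')` (the one after `setroubleshoot_dontaudit_stream_connect` and the one after `udev_read_db`) indent with eight spaces where every other block in this file indents with a tab; replace both with `	')` so the patch does not introduce mixed indentation into userdomain.if. Separately, the new `fprintd_dbus_chat($1_t)` takes `$1_t` while the devicekit, openoffice, policykit and pulseaudio lines around it take `$1_usertype`; if the narrower type is deliberate a short comment would stop it being "fixed" later, otherwise it looks like an oversight. `udev_read_db($1_usertype)` is also a new grant in this hunk and gets no explanation. The enclosing template starts outside the hunk.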
@@ -35085,21 +34482,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 -	files_exec_usr_files($1_t)
 -	# cjp: why?
 -	files_read_kernel_symbol_table($1_t)
-+	storage_rw_fuse($1_t)
-+
-+	# Allow users to run TCP servers (bind to ports and accept connection from
-+	# the same domain and outside users) disabling this forces FTP passive mode
-+	# and may change other protocols
-+	tunable_policy(`user_tcp_server',`
-+		corenet_tcp_bind_all_unreserved_ports($1_usertype)
-+	')
- 
+-
 -	ifndef(`enable_mls',`
 -		fs_exec_noxattr($1_t)
-+	optional_policy(`
-+		cdrecord_role($1_r, $1_t)
-+		')
- 
+-
 -		tunable_policy(`user_rw_noexattrfile',`
 -			fs_manage_noxattr_fs_files($1_t)
 -			fs_manage_noxattr_fs_dirs($1_t)
@@ -35108,35 +34494,49 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 -			storage_raw_write_removable_device($1_t)
 -		',`
 -			storage_raw_read_removable_device($1_t)
-+	optional_policy(`
-+		cron_role($1_r, $1_t)
- 		')
-+
-+	optional_policy(`
-+		games_rw_data($1_usertype)
- 	')
+-		')
+-	')
++	storage_rw_fuse($1_t)
  
 -	tunable_policy(`user_dmesg',`
 -		kernel_read_ring_buffer($1_t)
 -	',`
 -		kernel_dontaudit_read_ring_buffer($1_t)
-+	optional_policy(`
-+		gpg_role($1_r, $1_usertype)
- 	')
+-	')
++	miscfiles_read_hwdata($1_usertype)
  
--	# Allow users to run TCP servers (bind to ports and accept connection from
--	# the same domain and outside users) disabling this forces FTP passive mode
--	# and may change other protocols
--	tunable_policy(`user_tcp_server',`
+ 	# Allow users to run TCP servers (bind to ports and accept connection from
+ 	# the same domain and outside users) disabling this forces FTP passive mode
+ 	# and may change other protocols
+ 	tunable_policy(`user_tcp_server',`
 -		corenet_tcp_bind_generic_node($1_t)
 -		corenet_tcp_bind_generic_port($1_t)
-+	optional_policy(`
-+		gnomeclock_dbus_chat($1_t)
++		corenet_tcp_bind_all_unreserved_ports($1_usertype)
  	')
  
  	optional_policy(`
 -		netutils_run_ping_cond($1_t,$1_r)
 -		netutils_run_traceroute_cond($1_t,$1_r)
++		cdrecord_role($1_r, $1_t)
++	')
++
++	optional_policy(`
++		cron_role($1_r, $1_t)
++	')
++
++	optional_policy(`
++		games_rw_data($1_usertype)
++	')
++
++	optional_policy(`
++		gpg_role($1_r, $1_usertype)
++	')
++
++	optional_policy(`
++		gnomeclock_dbus_chat($1_t)
++	')
++
++	optional_policy(`
 +		gpm_stream_connect($1_usertype)
 +	')
 +
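Review bot: Under `tunable_policy(`user_tcp_server',` the new body grants only `corenet_tcp_bind_all_unreserved_ports($1_usertype)`, whereas the lines it replaces granted both `corenet_tcp_bind_generic_node` and `corenet_tcp_bind_generic_port`. Binding a TCP socket needs node_bind on a node type as well as name_bind on the port type, so unless `$1_usertype` receives TCP node bind elsewhere in the template (this hunk does not show it) the tunable will not be sufficient on its own; worth confirming against the rest of the template before merging. The comment above the block still says "bind to ports", which is accurate, but it could state that the scope is now every unreserved port rather than the generic port type, e.g. `# (all unreserved ports, not only the generic port type)`. The template this belongs to begins before the hunk.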
@@ -35153,27 +34553,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +	')
 +
 +	optional_policy(`
-+		mount_run($1_t, $1_r)
-+	')
-+
-+	optional_policy(`
-+		wine_role_template($1, $1_r, $1_t)
++		mount_run_fusermount($1_t, $1_r)
  	')
  
 -	# Run pppd in pppd_t by default for user
  	optional_policy(`
 -		ppp_run_cond($1_t,$1_r)
-+		postfix_run_postdrop($1_t, $1_r)
++		wine_role_template($1, $1_r, $1_t)
  	')
  
-+	# Run pppd in pppd_t by default for user
  	optional_policy(`
 -		setroubleshoot_stream_connect($1_t)
++		postfix_run_postdrop($1_t, $1_r)
++	')
++
++	# Run pppd in pppd_t by default for user
++	optional_policy(`
 +		ppp_run_cond($1_t, $1_r)
  	')
  ')
  
-@@ -1036,7 +1171,7 @@
+@@ -1036,7 +1175,7 @@
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -35182,17 +34582,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
  	##############################
-@@ -1045,8 +1180,7 @@
- 	#
- 
- 	# Inherit rules for ordinary users.
--	userdom_login_user_template($1)
--	userdom_common_user_template($1)
-+	userdom_unpriv_user_template($1)
- 
- 	domain_obj_id_change_exemption($1_t)
- 	role system_r types $1_t;
-@@ -1071,6 +1205,9 @@
+@@ -1071,6 +1210,9 @@
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -35202,7 +34592,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1085,6 +1222,7 @@
+@@ -1085,6 +1227,7 @@
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -35210,16 +34600,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1092,8 +1230,6 @@
- 
- 	dev_getattr_generic_blk_files($1_t)
- 	dev_getattr_generic_chr_files($1_t)
--	# for lsof
--	dev_getattr_mtrr_dev($1_t)
- 	# Allow MAKEDEV to work
- 	dev_create_all_blk_files($1_t)
- 	dev_create_all_chr_files($1_t)
-@@ -1120,12 +1256,11 @@
+@@ -1120,6 +1263,8 @@
  	files_exec_usr_src_files($1_t)
  
  	fs_getattr_all_fs($1_t)
@@ -35228,42 +34609,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	fs_set_all_quotas($1_t)
  	fs_exec_noxattr($1_t)
  
--	storage_raw_read_removable_device($1_t)
--	storage_raw_write_removable_device($1_t)
--
- 	term_use_all_terms($1_t)
- 
- 	auth_getattr_shadow($1_t)
-@@ -1148,20 +1283,6 @@
- 	# But presently necessary for installing the file_contexts file.
- 	seutil_manage_bin_policy($1_t)
- 
--	userdom_manage_user_home_content_dirs($1_t)
--	userdom_manage_user_home_content_files($1_t)
--	userdom_manage_user_home_content_symlinks($1_t)
--	userdom_manage_user_home_content_pipes($1_t)
--	userdom_manage_user_home_content_sockets($1_t)
--	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
--
--	tunable_policy(`user_rw_noexattrfile',`
--		fs_manage_noxattr_fs_files($1_t)
--		fs_manage_noxattr_fs_dirs($1_t)
--	',`
--		fs_read_noxattr_fs_files($1_t)
--	')
--
- 	optional_policy(`
- 		postgresql_unconfined($1_t)
- 	')
-@@ -1207,6 +1328,7 @@
+@@ -1207,6 +1352,8 @@
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
 +	files_create_default_dir($1)
++	files_root_filetrans_default($1, dir)
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1272,11 +1394,15 @@
+@@ -1272,11 +1419,15 @@
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -35279,7 +34634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1387,12 +1513,13 @@
+@@ -1387,6 +1538,7 @@
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -35287,14 +34642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	files_search_home($1)
  ')
  
- ########################################
- ## <summary>
--##	Search user home directories.
-+##	dontaudit Search user home directories.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -1425,6 +1552,14 @@
+@@ -1433,6 +1585,14 @@
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -35309,7 +34657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1440,9 +1575,11 @@
+@@ -1448,9 +1608,11 @@
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -35321,7 +34669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1499,6 +1636,42 @@
+@@ -1507,6 +1669,42 @@
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -35364,7 +34712,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1573,11 +1746,14 @@
+@@ -1581,6 +1779,8 @@
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -35373,76 +34721,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
- ## <summary>
--##	List contents of users home directory.
-+##	Create, read, write, and delete directories
-+##	in a user home subdirectory.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -1585,18 +1761,18 @@
- ##	</summary>
- ## </param>
+@@ -1595,10 +1795,12 @@
  #
--interface(`userdom_list_user_home_content',`
-+interface(`userdom_manage_user_home_content_dirs',`
+ interface(`userdom_list_user_home_content',`
  	gen_require(`
 -		type user_home_t;
-+		type user_home_dir_t, user_home_t;
++		type user_home_dir_t;
++		attribute user_home_type;
  	')
  
 -	allow $1 user_home_t:dir list_dir_perms;
-+	manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-+	files_search_home($1)
++	files_list_home($1)
++	allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms;
  ')
  
  ########################################
- ## <summary>
--##	Create, read, write, and delete directories
--##	in a user home subdirectory.
-+##	Delete directories in a user home subdirectory.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -1604,18 +1780,17 @@
- ##	</summary>
- ## </param>
- #
--interface(`userdom_manage_user_home_content_dirs',`
-+interface(`userdom_delete_user_home_content_dirs',`
- 	gen_require(`
--		type user_home_dir_t, user_home_t;
-+		type user_home_t;
- 	')
- 
--	manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
--	files_search_home($1)
-+	allow $1 user_home_t:dir delete_dir_perms;
- ')
+@@ -1641,6 +1843,24 @@
  
  ########################################
  ## <summary>
--##	Delete directories in a user home subdirectory.
 +##	Set the attributes of user home files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -1623,12 +1798,12 @@
- ##	</summary>
- ## </param>
- #
--interface(`userdom_delete_user_home_content_dirs',`
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
 +interface(`userdom_setattr_user_home_content_files',`
- 	gen_require(`
- 		type user_home_t;
- 	')
- 
--	allow $1 user_home_t:dir delete_dir_perms;
++	gen_require(`
++		type user_home_t;
++	')
++
 +	allow $1 user_home_t:file setattr;
- ')
- 
- ########################################
-@@ -1684,6 +1859,7 @@
++')
++
++########################################
++## <summary>
+ ##	Do not audit attempts to set the
+ ##	attributes of user home files.
+ ## </summary>
+@@ -1692,6 +1912,7 @@
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -35450,7 +34769,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
  	files_search_home($1)
  ')
-@@ -1700,11 +1876,14 @@
+@@ -1708,11 +1929,14 @@
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -35468,7 +34787,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1811,19 +1990,32 @@
+@@ -1819,20 +2043,14 @@
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -35482,33 +34801,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 -
 -	tunable_policy(`use_nfs_home_dirs',`
 -		fs_exec_nfs_files($1)
-+	exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
-+	dontaudit $1 user_home_type:sock_file execute;
- 	')
- 
+-	')
+-
 -	tunable_policy(`use_samba_home_dirs',`
 -		fs_exec_cifs_files($1)
-+########################################
-+## <summary>
-+##	Dontaudit Delete files
-+##	in a user home subdirectory.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_dontaudit_delete_user_home_content_files',`
-+	gen_require(`
-+		type user_home_t;
++	exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
++	dontaudit $1 user_home_type:sock_file execute;
  	')
-+
-+	allow $1 user_home_t:dir delete_file_perms;
- ')
+-')
  
  ########################################
-@@ -1858,6 +2050,7 @@
+ ## <summary>
+@@ -1866,6 +2084,7 @@
  interface(`userdom_manage_user_home_content_files',`
  	gen_require(`
  		type user_home_dir_t, user_home_t;
@@ -35516,7 +34820,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
  	manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2094,6 +2287,25 @@
+@@ -2102,6 +2321,25 @@
  
  ########################################
  ## <summary>
@@ -35542,137 +34846,49 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Do not audit attempts to list user
  ##	temporary directories.
  ## </summary>
-@@ -2210,7 +2422,26 @@
+@@ -2218,6 +2456,25 @@
  
  ########################################
  ## <summary>
--##	Do not audit attempts to manage users
 +##	Do not audit attempts to write users
-+##	temporary files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_dontaudit_write_user_tmp_files',`
-+	gen_require(`
-+		type user_tmp_t;
-+	')
-+
-+	dontaudit $1 user_tmp_t:file write;
-+')
-+
-+########################################
-+## <summary>
-+##	Do not audit attempts to manage users
- ##	temporary files.
- ## </summary>
- ## <param name="domain">
-@@ -2290,6 +2521,46 @@
- ########################################
- ## <summary>
- ##	Create, read, write, and delete user
-+##	temporary chr files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_manage_user_tmp_chr_files',`
-+	gen_require(`
-+		type user_tmp_t;
-+	')
-+
-+	manage_chr_files_pattern($1, user_tmp_t, user_tmp_t)
-+	files_search_tmp($1)
-+')
-+
-+########################################
-+## <summary>
-+##	Create, read, write, and delete user
-+##	temporary blk files.
++##	temporary files.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_manage_user_tmp_blk_files',`
++interface(`userdom_dontaudit_write_user_tmp_files',`
 +	gen_require(`
 +		type user_tmp_t;
 +	')
 +
-+	manage_blk_files_pattern($1, user_tmp_t, user_tmp_t)
-+	files_search_tmp($1)
++	dontaudit $1 user_tmp_t:file write;
 +')
 +
 +########################################
 +## <summary>
-+##	Create, read, write, and delete user
- ##	temporary symbolic links.
- ## </summary>
- ## <param name="domain">
-@@ -2405,7 +2676,7 @@
- 
- ########################################
- ## <summary>
--##	Read user tmpfs files.
-+##	Read/Write user tmpfs files.
+ ##	Do not audit attempts to manage users
+ ##	temporary files.
  ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -2413,19 +2684,21 @@
- ##	</summary>
- ## </param>
- #
--interface(`userdom_read_user_tmpfs_files',`
-+interface(`userdom_rw_user_tmpfs_files',`
- 	gen_require(`
- 		type user_tmpfs_t;
+@@ -2427,13 +2684,14 @@
  	')
  
--	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-+	rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+ 	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
 +	read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
  	allow $1 user_tmpfs_t:dir list_dir_perms;
  	fs_search_tmpfs($1)
  ')
  
--########################################
-+
-+######################################
+ ########################################
  ## <summary>
 -##	Read user tmpfs files.
-+##  Manage user tmpfs files.
++##	Read/Write user tmpfs files.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2433,15 +2706,14 @@
- ##	</summary>
- ## </param>
- #
--interface(`userdom_rw_user_tmpfs_files',`
-+interface(`userdom_manage_user_tmpfs_files',`
- 	gen_require(`
- 		type user_tmpfs_t;
- 	')
- 
--	rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
--	read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
--	allow $1 user_tmpfs_t:dir list_dir_perms;
--	fs_search_tmpfs($1)
-+    manage_dirs_pattern($1, user_tmpfs_t, user_tmpfs_t)
-+    manage_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-+    manage_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
- ')
- 
- ########################################
-@@ -2763,7 +3035,7 @@
+@@ -2787,7 +3045,7 @@
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -35681,114 +34897,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2779,11 +3051,33 @@
+@@ -2803,11 +3061,13 @@
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
 -		type user_home_dir_t, user_home_t;
 +		type user_home_dir_t;
 +		attribute user_home_type;
-+	')
-+
-+	files_list_home($1)
-+	allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
-+	allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	List users home directories.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_list_user_home_content',`
-+	gen_require(`
-+		type user_home_dir_t;
-+		attribute user_home_type;
  	')
  
  	files_list_home($1)
 -	allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
-+	allow $1 { user_home_dir_t user_home_type }:dir list_dir_perms;
++	allow $1 { user_home_dir_t user_home_type }:dir search_dir_perms;
++	allow $1 { user_home_dir_t user_home_type }:lnk_file read_lnk_file_perms;
  ')
  
  ########################################
-@@ -2898,6 +3192,25 @@
- 
- ########################################
- ## <summary>
-+##	Dontaudit search user temporary directories.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_dontaduit_search_user_tmp',`
-+	gen_require(`
-+		type user_tmp_t;
-+	')
-+
-+	dontaudit $1 user_tmp_t:dir search_dir_perms;
-+')
-+
-+
-+########################################
-+## <summary>
- ##	Write all users files in /tmp
- ## </summary>
- ## <param name="domain">
-@@ -2911,7 +3224,43 @@
+@@ -2944,7 +3204,7 @@
  		type user_tmp_t;
  	')
  
 -	allow $1 user_tmp_t:file write_file_perms;
 +	write_files_pattern($1, user_tmp_t, user_tmp_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Write all inherited users files in /tmp
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_write_inherited_user_tmp_files',`
-+	gen_require(`
-+		type user_tmp_t;
-+	')
-+
-+	allow $1 user_tmp_t:file write;
-+')
-+
-+########################################
-+## <summary>
-+##	Delete all users files in /tmp
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_delete_user_tmp_files',`
-+	gen_require(`
-+		type user_tmp_t;
-+	')
-+
-+	allow $1 user_tmp_t:file delete_file_perms;
  ')
  
  ########################################
-@@ -2948,6 +3297,7 @@
+@@ -2981,6 +3241,7 @@
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -35796,7 +34930,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	kernel_search_proc($1)
  ')
  
-@@ -3078,3 +3428,674 @@
+@@ -3111,3 +3372,745 @@
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -36279,27 +35413,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +
 +########################################
 +## <summary>
-+##	Read user tmpfs files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_read_user_tmpfs_files',`
-+	gen_require(`
-+		type user_tmpfs_t;
-+	')
-+
-+	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-+	read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-+	allow $1 user_tmpfs_t:dir list_dir_perms;
-+	fs_search_tmpfs($1)
-+')
-+
-+########################################
-+## <summary>
 +##	Write all users files in /tmp
 +## </summary>
 +## <param name="domain">
@@ -36471,24 +35584,102 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +
 +	dontaudit $1 admin_home_t:file getattr;
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.9/policy/modules/system/userdomain.te
---- nsaserefpolicy/policy/modules/system/userdomain.te	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/system/userdomain.te	2010-02-16 15:08:37.000000000 -0500
-@@ -8,13 +8,6 @@
- 
- ## <desc>
- ## <p>
--## Allow users to connect to mysql
--## </p>
--## </desc>
--gen_tunable(allow_user_mysql_connect, false)
--
--## <desc>
--## <p>
- ## Allow users to connect to PostgreSQL
- ## </p>
- ## </desc>
-@@ -29,10 +22,10 @@
++########################################
++## <summary>
++##	Create, read, write, and delete user
++##	temporary chr files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_manage_user_tmp_chr_files',`
++	gen_require(`
++		type user_tmp_t;
++	')
++
++	manage_chr_files_pattern($1, user_tmp_t, user_tmp_t)
++	files_search_tmp($1)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete user
++##	temporary blk files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_manage_user_tmp_blk_files',`
++	gen_require(`
++		type user_tmp_t;
++	')
++
++	manage_blk_files_pattern($1, user_tmp_t, user_tmp_t)
++	files_search_tmp($1)
++')
++########################################
++## <summary>
++##	Dontaudit search user temporary directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_dontaduit_search_user_tmp',`
++	gen_require(`
++		type user_tmp_t;
++	')
++
++	dontaudit $1 user_tmp_t:dir search_dir_perms;
++')
++
++########################################
++## <summary>
++##	Write all inherited users files in /tmp
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_write_inherited_user_tmp_files',`
++	gen_require(`
++		type user_tmp_t;
++	')
++
++	allow $1 user_tmp_t:file write;
++')
++
++########################################
++## <summary>
++##	Delete all users files in /tmp
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_delete_user_tmp_files',`
++	gen_require(`
++		type user_tmp_t;
++	')
++
++	allow $1 user_tmp_t:file delete_file_perms;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.15/policy/modules/system/userdomain.te
+--- nsaserefpolicy/policy/modules/system/userdomain.te	2010-03-03 23:26:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/system/userdomain.te	2010-03-18 10:44:43.000000000 -0400
+@@ -29,10 +29,10 @@
  
  ## <desc>
  ## <p>
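Review bot: The interface relocated to the end of the file is still named `userdom_dontaduit_search_user_tmp` (`dontaduit`); since the commit moves it anyway, this is the moment to rename it `userdom_dontaudit_search_user_tmp` (and any callers) before the misspelling becomes a public name other modules depend on. The `########################################` banner that follows `userdom_manage_user_tmp_blk_files` also lacks the blank separator line every other interface in this file has between `')` and the next banner; add an empty `+` line before it. `userdom_manage_user_tmp_chr_files` and `userdom_manage_user_tmp_blk_files` hand out create/manage on device-node files under user_tmp_t, which is a broad capability for a tmp directory; a summary sentence naming the intended caller would help whoever reviews future users of these interfaces.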
@@ -36501,7 +35692,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  ## <desc>
  ## <p>
-@@ -54,11 +47,20 @@
+@@ -54,11 +54,20 @@
  # all user domains
  attribute userdomain;
  
@@ -36524,7 +35715,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
  fs_associate_tmpfs(user_home_dir_t)
-@@ -72,6 +74,7 @@
+@@ -72,6 +81,7 @@
  
  type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
  typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -36532,7 +35723,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  userdom_user_home_content(user_home_t)
  fs_associate_tmpfs(user_home_t)
  files_associate_tmp(user_home_t)
-@@ -97,3 +100,29 @@
+@@ -97,3 +107,29 @@
  type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
  dev_node(user_tty_device_t)
  ubac_constrained(user_tty_device_t)
@@ -36562,9 +35753,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +')
 +
 +allow userdomain userdomain:process signull;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.7.9/policy/modules/system/xen.if
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.7.15/policy/modules/system/xen.if
 --- nsaserefpolicy/policy/modules/system/xen.if	2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/system/xen.if	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/modules/system/xen.if	2010-03-18 10:44:43.000000000 -0400
 @@ -180,6 +180,25 @@
  
  ########################################
@@ -36591,10 +35782,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if
  ##	Connect to xend over an unix domain stream socket.
  ## </summary>
  ## <param name="domain">
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.9/policy/modules/system/xen.te
+@@ -213,7 +232,8 @@
+ interface(`xen_domtrans_xm',`
+ 	gen_require(`
+ 		type xm_t, xm_exec_t;
++		attribute xm_transition_domain;
+ 	')
+-
++	typeattribute $1 xm_transition_domain;
+ 	domtrans_pattern($1, xm_exec_t, xm_t)
+ ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.7.15/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te	2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.9/policy/modules/system/xen.te	2010-02-16 15:08:37.000000000 -0500
-@@ -85,6 +85,7 @@
++++ serefpolicy-3.7.15/policy/modules/system/xen.te	2010-03-18 10:44:43.000000000 -0400
+@@ -5,6 +5,7 @@
+ #
+ # Declarations
+ #
++attribute xm_transition_domain;
+ 
+ ## <desc>
+ ## <p>
+@@ -85,6 +86,7 @@
  type xenconsoled_t;
  type xenconsoled_exec_t;
  init_daemon_domain(xenconsoled_t, xenconsoled_exec_t)
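Review bot: The new `attribute xm_transition_domain;` dropped into xen.te's Declarations block carries no comment, and nothing in this hunk says what set of domains it names; the only hint is the `typeattribute $1 xm_transition_domain;` now added to `xen_domtrans_xm`, which tags every caller that transitions to xm_t. A one-line comment above the declaration, `# domains that transition to xm_t via xen_domtrans_xm()`, would let the next reader see that without tracing the interface. Note also that the interface's `gen_require` now pulls in an attribute declared in the other file of the same module, so xen.if and xen.te must be refreshed together; the only use of the attribute visible in this patch is the `dontaudit xm_ssh_t xm_transition_domain:fifo_file ...` rule further down, so it would be worth naming that purpose in the comment as well.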
@@ -36602,7 +35811,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
  
  # pid files
  type xenconsoled_var_run_t;
-@@ -209,6 +210,7 @@
+@@ -209,6 +211,7 @@
  files_manage_etc_runtime_files(xend_t)
  files_etc_filetrans_etc_runtime(xend_t, file)
  files_read_usr_files(xend_t)
@@ -36610,7 +35819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
  
  storage_raw_read_fixed_disk(xend_t)
  storage_raw_write_fixed_disk(xend_t)
-@@ -259,6 +261,7 @@
+@@ -259,6 +262,7 @@
  #
  
  allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
@@ -36618,7 +35827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
  allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
  allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
  
-@@ -279,6 +282,7 @@
+@@ -279,6 +283,7 @@
  
  domain_dontaudit_ptrace_all_domains(xenconsoled_t)
  
@@ -36626,7 +35835,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
  files_read_usr_files(xenconsoled_t)
  
  fs_list_tmpfs(xenconsoled_t)
-@@ -297,6 +301,10 @@
+@@ -297,6 +302,10 @@
  xen_manage_log(xenconsoled_t)
  xen_stream_connect_xenstore(xenconsoled_t)
  
@@ -36637,7 +35846,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
  ########################################
  #
  # Xen store local policy
-@@ -340,6 +348,9 @@
+@@ -340,6 +349,9 @@
  
  files_read_usr_files(xenstored_t)
  
@@ -36647,33 +35856,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te
  storage_raw_read_fixed_disk(xenstored_t)
  storage_raw_write_fixed_disk(xenstored_t)
  storage_raw_read_removable_device(xenstored_t)
-@@ -421,7 +432,14 @@
+@@ -421,7 +433,22 @@
  xen_stream_connect_xenstore(xm_t)
  
  optional_policy(`
++	dbus_system_bus_client(xm_t)
++	optional_policy(`
++		hal_dbus_chat(xm_t)
++	')
++')
++
++optional_policy(`
 +	vhostmd_rw_tmpfs_files(xm_t)
 +    	vhostmd_stream_connect(xm_t)
 +	vhostmd_dontaudit_rw_stream_connect(xm_t)
 +')
 +
 +optional_policy(`
++	virt_domtrans(xm_t)
  	virt_manage_images(xm_t)
 +	virt_manage_config(xm_t)
  	virt_stream_connect(xm_t)
  ')
  
-@@ -438,6 +456,8 @@
+@@ -435,9 +462,14 @@
+ 	kernel_read_xen_state(xm_ssh_t)
+ 	kernel_write_xen_state(xm_ssh_t)
+ 
++	dontaudit xm_ssh_t xm_transition_domain:fifo_file rw_inherited_fifo_file_perms;
++	files_search_tmp(xm_ssh_t)
++
  	fs_manage_xenfs_dirs(xm_ssh_t)
  	fs_manage_xenfs_files(xm_ssh_t)
  
-+userdom_search_admin_dir(xm_ssh_t)
++	userdom_search_admin_dir(xm_ssh_t)
 +
  	#Should have a boolean wrapping these
  	fs_list_auto_mountpoints(xend_t)
  	files_search_mnt(xend_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns.spt serefpolicy-3.7.9/policy/support/misc_patterns.spt
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns.spt serefpolicy-3.7.15/policy/support/misc_patterns.spt
 --- nsaserefpolicy/policy/support/misc_patterns.spt	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.9/policy/support/misc_patterns.spt	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/support/misc_patterns.spt	2010-03-18 10:44:43.000000000 -0400
 @@ -15,7 +15,7 @@
  	domain_transition_pattern($1,$2,$3)
  
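Review bot: The new `virt_domtrans(xm_t)` at the top of the virt `optional_policy` block, together with the `dbus_system_bus_client(xm_t)` / `hal_dbus_chat(xm_t)` block added above it, widens xm_t noticeably — presumably a domain transition into the libvirt daemon domain plus system-bus access — and none of the three lines says which xm operation needed them. A comment on the new block such as `# xm uses the system bus (hal) and may start the virt daemon`, adjusted to what was actually observed in the AVC denials, would keep the grant reviewable later. The `dontaudit xm_ssh_t xm_transition_domain:fifo_file rw_inherited_fifo_file_perms;` and `files_search_tmp(xm_ssh_t)` pair likewise deserve a note like `# fds leaked from callers of xen_domtrans_xm()`; dontaudit rather than allow is the right choice for an inherited leak, but the search of /tmp is an allow and should state its reason. The block containing the xm_ssh_t rules starts outside this hunk.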
@@ -36692,9 +35915,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns
  	allow $3 $1:process sigchld;
  ')
  
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.7.9/policy/support/obj_perm_sets.spt
---- nsaserefpolicy/policy/support/obj_perm_sets.spt	2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.9/policy/support/obj_perm_sets.spt	2010-02-16 15:08:37.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.7.15/policy/support/obj_perm_sets.spt
+--- nsaserefpolicy/policy/support/obj_perm_sets.spt	2010-03-04 11:44:07.000000000 -0500
++++ serefpolicy-3.7.15/policy/support/obj_perm_sets.spt	2010-03-18 10:44:43.000000000 -0400
 @@ -28,7 +28,7 @@
  #
  # All socket classes.
@@ -36725,7 +35948,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets
  define(`create_lnk_file_perms',`{ create getattr }')
  define(`rename_lnk_file_perms',`{ getattr rename }')
  define(`delete_lnk_file_perms',`{ getattr unlink }')
--define(`manage_lnk_file_perms',`{ create read getattr setattr link unlink rename }')
+-define(`manage_lnk_file_perms',`{ create read write getattr setattr link unlink rename }')
 +define(`manage_lnk_file_perms',`{ create getattr setattr read write append rename link unlink ioctl lock }')
  define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
  define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
@@ -36785,9 +36008,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets
 +define(`all_dbus_perms', `{ acquire_svc send_msg } ')
 +define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ')
 +define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.7.9/policy/users
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.7.15/policy/users
 --- nsaserefpolicy/policy/users	2009-12-18 11:38:25.000000000 -0500
-+++ serefpolicy-3.7.9/policy/users	2010-02-16 15:08:37.000000000 -0500
++++ serefpolicy-3.7.15/policy/users	2010-03-18 10:44:43.000000000 -0400
 @@ -6,7 +6,7 @@
  #
  # gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
diff --git a/securetty_types-minimum b/securetty_types-minimum
index fe7ce17..7055096 100644
--- a/securetty_types-minimum
+++ b/securetty_types-minimum
@@ -1,3 +1,4 @@
+console_device_t
 sysadm_tty_device_t
 user_tty_device_t
 staff_tty_device_t
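Review bot: `console_device_t` is prepended to all three securetty_types lists (this file, securetty_types-mls and securetty_types-targeted), which marks the console device type as a secure tty for whatever consumes these lists (presumably the securetty_types context file consulted at login), yet the spec changelog in this commit does not mention it. Because that can change which logins are treated as trusted, a changelog bullet such as `- Add console_device_t to securetty_types` under the 3.7.15-1 entry would make the change discoverable. The three files receive the identical edit, so keeping them in sync, or generating them from a single source, would avoid future drift between the policy variants.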
diff --git a/securetty_types-mls b/securetty_types-mls
index 242dffe..89bf54d 100644
--- a/securetty_types-mls
+++ b/securetty_types-mls
@@ -1,3 +1,4 @@
+console_device_t
 sysadm_tty_device_t
 user_tty_device_t
 staff_tty_device_t
diff --git a/securetty_types-targeted b/securetty_types-targeted
index fe7ce17..7055096 100644
--- a/securetty_types-targeted
+++ b/securetty_types-targeted
@@ -1,3 +1,4 @@
+console_device_t
 sysadm_tty_device_t
 user_tty_device_t
 staff_tty_device_t
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9f65478..3b87b5f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 %define CHECKPOLICYVER 2.0.21-1
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 3.7.9
+Version: 3.7.15
 Release: 1%{?dist}
 License: GPLv2+
 Group: System Environment/Base
@@ -466,6 +466,91 @@ exit 0
 %endif
 
 %changelog
+* Thu Mar 18 2010 Dan Walsh <dwalsh@redhat.com> 3.7.15-1
+- Update to upstream
+
+* Tue Mar 16 2010 Dan Walsh <dwalsh@redhat.com> 3.7.14-5
+- Allow boinc to read kernel sysctl
+- Fix snmp port definitions
+- Allow apache to read anon_inodefs
+
+* Sun Mar 14 2010 Dan Walsh <dwalsh@redhat.com> 3.7.14-4
+- Allow shutdown dac_override
+
+* Sat Mar 13 2010 Dan Walsh <dwalsh@redhat.com> 3.7.14-3
+- Add device_t as a file system
+- Fix sysfs association
+
+* Fri Mar 12 2010 Dan Walsh <dwalsh@redhat.com> 3.7.14-2
+- Dontaudit ipsec_mgmt sys_ptrace
+- Allow at to mail its spool files
+- Allow nsplugin to search in .pulse directory
+
+* Fri Mar 12 2010 Dan Walsh <dwalsh@redhat.com> 3.7.14-1
+- Update to upstream
+
+* Fri Mar 12 2010 Dan Walsh <dwalsh@redhat.com> 3.7.13-4
+- Allow users to dbus chat with xdm
+- Allow users to r/w wireless_device_t
+- Dontaudit reading of process states by ipsec_mgmt
+
+* Thu Mar 11 2010 Dan Walsh <dwalsh@redhat.com> 3.7.13-3
+- Fix openoffice from unconfined_t
+
+* Wed Mar 10 2010 Dan Walsh <dwalsh@redhat.com> 3.7.13-2
+- Add shutdown policy so consolekit can shutdown system
+
+* Tue Mar 9 2010 Dan Walsh <dwalsh@redhat.com> 3.7.13-1
+- Update to upstream
+
+* Thu Mar 4 2010 Dan Walsh <dwalsh@redhat.com> 3.7.12-1
+- Update to upstream
+
+* Thu Mar 4 2010 Dan Walsh <dwalsh@redhat.com> 3.7.11-1
+- Update to upstream - These are merges of my patches
+- Remove 389 labeling conflicts
+- Add MLS fixes found in RHEL6 testing
+- Allow pulseaudio to run as a service
+- Add label for mssql and allow apache to connect to this database port if boolean set
+- Dontaudit searches of debugfs mount point
+- Allow policykit_auth to send signals to itself
+- Allow modcluster to call getpwnam
+- Allow swat to signal winbind
+- Allow usbmux to run as a system role
+- Allow svirt to create and use devpts
+
+* Mon Mar 1 2010 Dan Walsh <dwalsh@redhat.com> 3.7.10-5
+- Add MLS fixes found in RHEL6 testing
+- Allow domains to append to rpm_tmp_t
+- Add cachefilesfd policy
+- Dontaudit leaks when transitioning
+
+* Wed Feb 23 2010 Dan Walsh <dwalsh@redhat.com> 3.7.10-4
+- Change allow_execstack and allow_execmem booleans to on
+- dontaudit acct using console
+- Add label for fping
+- Allow tmpreaper to delete sandbox_file_t
+- Fix wine dontaudit mmap_zero
+- Allow abrt to read var_t symlinks
+
+* Tue Feb 22 2010 Dan Walsh <dwalsh@redhat.com> 3.7.10-3
+- Additional policy for rgmanager
+
+* Mon Feb 22 2010 Dan Walsh <dwalsh@redhat.com> 3.7.10-2
+- Allow sshd to setattr on pseudo terms
+
+* Mon Feb 22 2010 Dan Walsh <dwalsh@redhat.com> 3.7.10-1
+- Update to upstream
+
+* Thu Feb 18 2010 Dan Walsh <dwalsh@redhat.com> 3.7.9-4
+- Allow policykit to send itself signals
+
+* Wed Feb 17 2010 Dan Walsh <dwalsh@redhat.com> 3.7.9-3
+- Fix duplicate cobbler definition
+
+* Wed Feb 17 2010 Dan Walsh <dwalsh@redhat.com> 3.7.9-2
+- Fix file context of /var/lib/avahi-autoipd
+
 * Fri Feb 12 2010 Dan Walsh <dwalsh@redhat.com> 3.7.9-1
 - Merge with upstream
 
diff --git a/sources b/sources
index ee92df8..f23a132 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 4c7d323036f1662a06a7a4f2a7da57a5  config.tgz
-87a01bd56d6fca0ae9bef4d35dad49ef  serefpolicy-3.7.9.tgz
+aaaf54fcfe4fe4e0a906dca6c21fa7ed  serefpolicy-3.7.15.tgz