diff --git a/policy-20071130.patch b/policy-20071130.patch
index 82d3eb7..959c394 100644
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@@ -8,6 +8,106 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Changelog serefpolicy-3.3.1/
  - Label /proc/kallsyms with system_map_t.
  - 64-bit capabilities from Stephen Smalley.
  - Labeled networking peer object class updates.
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.3.1/Makefile
+--- nsaserefpolicy/Makefile	2008-02-06 10:33:22.000000000 -0500
++++ serefpolicy-3.3.1/Makefile	2008-04-21 11:02:47.842805000 -0400
+@@ -235,7 +235,7 @@
+ appdir := $(contextpath)
+ user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
+ user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
+-appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
++appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
+ net_contexts := $(builddir)net_contexts
+ 
+ all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
+@@ -309,20 +309,22 @@
+ 
+ # parse-rolemap modulename,outputfile
+ define parse-rolemap
+-	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
+-		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
++	echo "" >> $2
++#	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
++#		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+ endef
+ 
+ # perrole-expansion modulename,outputfile
+ define perrole-expansion
+-	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
+-	$(call parse-rolemap,$1,$2)
+-	$(verbose) echo "')" >> $2
+-
+-	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
+-	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
+-	$(call parse-rolemap-compat,$1,$2)
+-	$(verbose) echo "')" >> $2
++	echo "No longer doing perrole-expansion"
++#	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
++#	$(call parse-rolemap,$1,$2)
++#	$(verbose) echo "')" >> $2
++
++#	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
++#	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
++#	$(call parse-rolemap-compat,$1,$2)
++#	$(verbose) echo "')" >> $2
+ endef
+ 
+ # create-base-per-role-tmpl modulenames,outputfile
+@@ -521,6 +523,10 @@
+ 	@mkdir -p $(appdir)/users
+ 	$(verbose) $(INSTALL) -m 644 $^ $@
+ 
++$(appdir)/initrc_context: $(tmpdir)/initrc_context
++	@mkdir -p $(appdir)
++	$(verbose) $(INSTALL) -m 644 $< $@
++
+ $(appdir)/%: $(appconf)/%
+ 	@mkdir -p $(appdir)
+ 	$(verbose) $(INSTALL) -m 644 $< $@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.3.1/Rules.modular
+--- nsaserefpolicy/Rules.modular	2007-12-19 05:32:18.000000000 -0500
++++ serefpolicy-3.3.1/Rules.modular	2008-04-21 11:02:47.848797000 -0400
+@@ -73,8 +73,8 @@
+ $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
+ 	@echo "Compliling $(NAME) $(@F) module"
+ 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
+-	$(call perrole-expansion,$(basename $(@F)),$@.role)
+-	$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
++#	$(call perrole-expansion,$(basename $(@F)),$@.role)
++	$(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
+ 	$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
+ 
+ $(tmpdir)/%.mod.fc: $(m4support) %.fc
+@@ -129,7 +129,7 @@
+ 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
+ # define all available object classes
+ 	$(verbose) $(genperm) $(avs) $(secclass) > $@
+-	$(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
++#	$(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
+ 	$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
+ 
+ $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
+@@ -147,7 +147,7 @@
+ $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
+ $(tmpdir)/rolemap.conf: $(rolemap)
+ 	$(verbose) echo "" > $@
+-	$(call parse-rolemap,base,$@)
++#	$(call parse-rolemap,base,$@)
+ 
+ $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
+ $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-3.3.1/Rules.monolithic
+--- nsaserefpolicy/Rules.monolithic	2007-11-20 06:55:20.000000000 -0500
++++ serefpolicy-3.3.1/Rules.monolithic	2008-04-21 11:02:47.854791000 -0400
+@@ -96,7 +96,7 @@
+ #
+ # Load the binary policy
+ #
+-reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles)
++reload $(tmpdir)/load: $(loadpath) $(fcpath) $(ncpath) $(appfiles)
+ 	@echo "Loading $(NAME) $(loadpath)"
+ 	$(verbose) $(LOADPOLICY) -q $(loadpath)
+ 	@touch $(tmpdir)/load
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/failsafe_context serefpolicy-3.3.1/config/appconfig-mcs/failsafe_context
 --- nsaserefpolicy/config/appconfig-mcs/failsafe_context	2007-10-12 08:56:09.000000000 -0400
 +++ serefpolicy-3.3.1/config/appconfig-mcs/failsafe_context	2008-04-21 11:02:47.859787000 -0400
@@ -691,62 +791,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xg
 +system_r:sshd_t		xguest_r:xguest_t
 +system_r:crond_t	xguest_r:xguest_crond_t
 +system_r:xdm_t		xguest_r:xguest_t
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.3.1/Makefile
---- nsaserefpolicy/Makefile	2008-02-06 10:33:22.000000000 -0500
-+++ serefpolicy-3.3.1/Makefile	2008-04-21 11:02:47.842805000 -0400
-@@ -235,7 +235,7 @@
- appdir := $(contextpath)
- user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
- user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
--appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
-+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
- net_contexts := $(builddir)net_contexts
- 
- all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
-@@ -309,20 +309,22 @@
- 
- # parse-rolemap modulename,outputfile
- define parse-rolemap
--	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
--		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
-+	echo "" >> $2
-+#	$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
-+#		$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
- endef
- 
- # perrole-expansion modulename,outputfile
- define perrole-expansion
--	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
--	$(call parse-rolemap,$1,$2)
--	$(verbose) echo "')" >> $2
--
--	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
--	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
--	$(call parse-rolemap-compat,$1,$2)
--	$(verbose) echo "')" >> $2
-+	echo "No longer doing perrole-expansion"
-+#	$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
-+#	$(call parse-rolemap,$1,$2)
-+#	$(verbose) echo "')" >> $2
-+
-+#	$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
-+#	$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
-+#	$(call parse-rolemap-compat,$1,$2)
-+#	$(verbose) echo "')" >> $2
- endef
- 
- # create-base-per-role-tmpl modulenames,outputfile
-@@ -521,6 +523,10 @@
- 	@mkdir -p $(appdir)/users
- 	$(verbose) $(INSTALL) -m 644 $^ $@
- 
-+$(appdir)/initrc_context: $(tmpdir)/initrc_context
-+	@mkdir -p $(appdir)
-+	$(verbose) $(INSTALL) -m 644 $< $@
-+
- $(appdir)/%: $(appconf)/%
- 	@mkdir -p $(appdir)
- 	$(verbose) $(INSTALL) -m 644 $< $@
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.3.1/man/man8/httpd_selinux.8
 --- nsaserefpolicy/man/man8/httpd_selinux.8	2008-02-18 14:30:19.000000000 -0500
 +++ serefpolicy-3.3.1/man/man8/httpd_selinux.8	2008-04-21 11:02:47.931714000 -0400
@@ -2533,109 +2577,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te 
  	usermanage_domtrans_groupadd(rpm_script_t)
  	usermanage_domtrans_useradd(rpm_script_t)
  ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.3.1/policy/modules/admin/sudo.if
---- nsaserefpolicy/policy/modules/admin/sudo.if	2007-12-04 11:02:51.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/admin/sudo.if	2008-04-21 11:02:48.070575000 -0400
-@@ -55,7 +55,7 @@
- 	#
- 
- 	# Use capabilities.
--	allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource };
-+	allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
- 	allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- 	allow $1_sudo_t self:process { setexec setrlimit };
- 	allow $1_sudo_t self:fd use;
-@@ -68,33 +68,35 @@
- 	allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
- 	allow $1_sudo_t self:unix_dgram_socket sendto;
- 	allow $1_sudo_t self:unix_stream_socket connectto;
--	allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
-+	allow $1_sudo_t self:key manage_key_perms;
-+	allow $1_sudo_t $1_t:key search;
- 
- 	# Enter this derived domain from the user domain
- 	domtrans_pattern($2, sudo_exec_t, $1_sudo_t)
- 
- 	# By default, revert to the calling domain when a shell is executed.
- 	corecmd_shell_domtrans($1_sudo_t,$2)
-+	corecmd_bin_domtrans($1_sudo_t,$2)
- 	allow $2 $1_sudo_t:fd use;
- 	allow $2 $1_sudo_t:fifo_file rw_file_perms;
- 	allow $2 $1_sudo_t:process sigchld;
- 
- 	kernel_read_kernel_sysctls($1_sudo_t)
- 	kernel_read_system_state($1_sudo_t)
--	kernel_search_key($1_sudo_t)
-+	kernel_link_key($1_sudo_t)
- 
- 	dev_read_urand($1_sudo_t)
- 
- 	fs_search_auto_mountpoints($1_sudo_t)
- 	fs_getattr_xattr_fs($1_sudo_t)
- 
--	auth_domtrans_chk_passwd($1_sudo_t)
-+	auth_run_chk_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t })
- 	# sudo stores a token in the pam_pid directory
- 	auth_manage_pam_pid($1_sudo_t)
- 	auth_use_nsswitch($1_sudo_t)
- 
- 	corecmd_read_bin_symlinks($1_sudo_t)
--	corecmd_getattr_all_executables($1_sudo_t)
-+	corecmd_exec_all_executables($1_sudo_t)
- 
- 	domain_use_interactive_fds($1_sudo_t)
- 	domain_sigchld_interactive_fds($1_sudo_t)
-@@ -106,32 +108,42 @@
- 	files_getattr_usr_files($1_sudo_t)
- 	# for some PAM modules and for cwd
- 	files_dontaudit_search_home($1_sudo_t)
-+	files_list_tmp($1_sudo_t)
- 
- 	init_rw_utmp($1_sudo_t)
- 
- 	libs_use_ld_so($1_sudo_t)
- 	libs_use_shared_libs($1_sudo_t)
- 
-+	logging_send_audit_msgs($1_sudo_t)
- 	logging_send_syslog_msg($1_sudo_t)
- 
- 	miscfiles_read_localization($1_sudo_t)
- 
-+	mta_per_role_template($1, $1_sudo_t, $3)
-+
- 	userdom_manage_user_home_content_files($1,$1_sudo_t)
- 	userdom_manage_user_home_content_symlinks($1,$1_sudo_t)
- 	userdom_manage_user_tmp_files($1,$1_sudo_t)
- 	userdom_manage_user_tmp_symlinks($1,$1_sudo_t)
-+	userdom_exec_user_home_content_files($1,$1_sudo_t)
- 	userdom_use_user_terminals($1,$1_sudo_t)
- 	userdom_use_unpriv_users_fds($1_sudo_t)
- 	# for some PAM modules and for cwd
-+	userdom_search_sysadm_home_content_dirs($1_sudo_t)
- 	userdom_dontaudit_search_all_users_home_content($1_sudo_t)
- 
--	ifdef(`TODO',`
--	# for when the network connection is killed
--	dontaudit unpriv_userdomain $1_sudo_t:process signal;
--
--	ifdef(`mta.te', `
--	domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)
--	')
-+	domain_role_change_exemption($1_sudo_t)
-+	userdom_spec_domtrans_all_users($1_sudo_t)
- 
--	') dnl end TODO
-+	selinux_validate_context($1_sudo_t)
-+	selinux_compute_relabel_context($1_sudo_t)
-+	selinux_getattr_fs($1_sudo_t)
-+	seutil_read_config($1_sudo_t)
-+	seutil_search_default_contexts($1_sudo_t)
-+
-+	term_use_all_user_ttys($1_sudo_t)
-+	term_use_all_user_ptys($1_sudo_t)
-+	term_relabel_all_user_ttys($1_sudo_t)
-+	term_relabel_all_user_ptys($1_sudo_t)
- ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.3.1/policy/modules/admin/su.if
 --- nsaserefpolicy/policy/modules/admin/su.if	2007-10-12 08:56:09.000000000 -0400
 +++ serefpolicy-3.3.1/policy/modules/admin/su.if	2008-04-21 11:02:48.064582000 -0400
@@ -2766,6 +2707,109 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
  ')
  
  #######################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.3.1/policy/modules/admin/sudo.if
+--- nsaserefpolicy/policy/modules/admin/sudo.if	2007-12-04 11:02:51.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/admin/sudo.if	2008-04-21 11:02:48.070575000 -0400
+@@ -55,7 +55,7 @@
+ 	#
+ 
+ 	# Use capabilities.
+-	allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource };
++	allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
+ 	allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ 	allow $1_sudo_t self:process { setexec setrlimit };
+ 	allow $1_sudo_t self:fd use;
+@@ -68,33 +68,35 @@
+ 	allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
+ 	allow $1_sudo_t self:unix_dgram_socket sendto;
+ 	allow $1_sudo_t self:unix_stream_socket connectto;
+-	allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
++	allow $1_sudo_t self:key manage_key_perms;
++	allow $1_sudo_t $1_t:key search;
+ 
+ 	# Enter this derived domain from the user domain
+ 	domtrans_pattern($2, sudo_exec_t, $1_sudo_t)
+ 
+ 	# By default, revert to the calling domain when a shell is executed.
+ 	corecmd_shell_domtrans($1_sudo_t,$2)
++	corecmd_bin_domtrans($1_sudo_t,$2)
+ 	allow $2 $1_sudo_t:fd use;
+ 	allow $2 $1_sudo_t:fifo_file rw_file_perms;
+ 	allow $2 $1_sudo_t:process sigchld;
+ 
+ 	kernel_read_kernel_sysctls($1_sudo_t)
+ 	kernel_read_system_state($1_sudo_t)
+-	kernel_search_key($1_sudo_t)
++	kernel_link_key($1_sudo_t)
+ 
+ 	dev_read_urand($1_sudo_t)
+ 
+ 	fs_search_auto_mountpoints($1_sudo_t)
+ 	fs_getattr_xattr_fs($1_sudo_t)
+ 
+-	auth_domtrans_chk_passwd($1_sudo_t)
++	auth_run_chk_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t })
+ 	# sudo stores a token in the pam_pid directory
+ 	auth_manage_pam_pid($1_sudo_t)
+ 	auth_use_nsswitch($1_sudo_t)
+ 
+ 	corecmd_read_bin_symlinks($1_sudo_t)
+-	corecmd_getattr_all_executables($1_sudo_t)
++	corecmd_exec_all_executables($1_sudo_t)
+ 
+ 	domain_use_interactive_fds($1_sudo_t)
+ 	domain_sigchld_interactive_fds($1_sudo_t)
+@@ -106,32 +108,42 @@
+ 	files_getattr_usr_files($1_sudo_t)
+ 	# for some PAM modules and for cwd
+ 	files_dontaudit_search_home($1_sudo_t)
++	files_list_tmp($1_sudo_t)
+ 
+ 	init_rw_utmp($1_sudo_t)
+ 
+ 	libs_use_ld_so($1_sudo_t)
+ 	libs_use_shared_libs($1_sudo_t)
+ 
++	logging_send_audit_msgs($1_sudo_t)
+ 	logging_send_syslog_msg($1_sudo_t)
+ 
+ 	miscfiles_read_localization($1_sudo_t)
+ 
++	mta_per_role_template($1, $1_sudo_t, $3)
++
+ 	userdom_manage_user_home_content_files($1,$1_sudo_t)
+ 	userdom_manage_user_home_content_symlinks($1,$1_sudo_t)
+ 	userdom_manage_user_tmp_files($1,$1_sudo_t)
+ 	userdom_manage_user_tmp_symlinks($1,$1_sudo_t)
++	userdom_exec_user_home_content_files($1,$1_sudo_t)
+ 	userdom_use_user_terminals($1,$1_sudo_t)
+ 	userdom_use_unpriv_users_fds($1_sudo_t)
+ 	# for some PAM modules and for cwd
++	userdom_search_sysadm_home_content_dirs($1_sudo_t)
+ 	userdom_dontaudit_search_all_users_home_content($1_sudo_t)
+ 
+-	ifdef(`TODO',`
+-	# for when the network connection is killed
+-	dontaudit unpriv_userdomain $1_sudo_t:process signal;
+-
+-	ifdef(`mta.te', `
+-	domain_auto_trans($1_sudo_t, sendmail_exec_t, $1_mail_t)
+-	')
++	domain_role_change_exemption($1_sudo_t)
++	userdom_spec_domtrans_all_users($1_sudo_t)
+ 
+-	') dnl end TODO
++	selinux_validate_context($1_sudo_t)
++	selinux_compute_relabel_context($1_sudo_t)
++	selinux_getattr_fs($1_sudo_t)
++	seutil_read_config($1_sudo_t)
++	seutil_search_default_contexts($1_sudo_t)
++
++	term_use_all_user_ttys($1_sudo_t)
++	term_use_all_user_ptys($1_sudo_t)
++	term_relabel_all_user_ttys($1_sudo_t)
++	term_relabel_all_user_ptys($1_sudo_t)
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te
 --- nsaserefpolicy/policy/modules/admin/tmpreaper.te	2007-10-02 09:54:52.000000000 -0400
 +++ serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te	2008-04-21 11:02:48.075572000 -0400
@@ -11562,7 +11606,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 +/var/lib/misc(/.*)?			gen_context(system_u:object_r:system_crond_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.3.1/policy/modules/services/cron.if
 --- nsaserefpolicy/policy/modules/services/cron.if	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/cron.if	2008-04-21 11:02:48.891913000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/cron.if	2008-04-24 15:33:13.461240000 -0400
 @@ -35,38 +35,23 @@
  #
  template(`cron_per_role_template',`
@@ -11754,7 +11798,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  	# create files in /var/spool/cron
  	manage_files_pattern($1_crontab_t,cron_spool_t,$1_cron_spool_t)
  	filetrans_pattern($1_crontab_t,cron_spool_t,$1_cron_spool_t,file)
-@@ -236,6 +129,7 @@
+@@ -226,16 +119,20 @@
+ 	# Run helper programs as the user domain
+ 	corecmd_bin_domtrans($1_crontab_t,$2)
+ 	corecmd_shell_domtrans($1_crontab_t,$2)
++	allow $2 $1_crontab_t:process sigchld;
+ 
+ 	domain_use_interactive_fds($1_crontab_t)
+ 
+ 	files_read_etc_files($1_crontab_t)
+ 	files_dontaudit_search_pids($1_crontab_t)
+ 
++	auth_use_nsswitch($1_crontab_t)
++
+ 	libs_use_ld_so($1_crontab_t)
  	libs_use_shared_libs($1_crontab_t)
  
  	logging_send_syslog_msg($1_crontab_t)
@@ -11762,7 +11819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  
  	miscfiles_read_localization($1_crontab_t)
  
-@@ -247,6 +141,7 @@
+@@ -247,6 +144,7 @@
  	userdom_use_user_terminals($1,$1_crontab_t)
  	# Read user crontabs
  	userdom_read_user_home_content_files($1,$1_crontab_t)
@@ -11770,7 +11827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  
  	tunable_policy(`fcron_crond',`
  		# fcron wants an instant update of a crontab change for the administrator
-@@ -285,14 +180,12 @@
+@@ -285,14 +183,12 @@
  template(`cron_admin_template',`
  	gen_require(`
  		attribute cron_spool_type;
@@ -11786,7 +11843,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  	# Manipulate other users crontab.
  	selinux_get_fs_mount($1_crontab_t)
  	selinux_validate_context($1_crontab_t)
-@@ -438,6 +331,25 @@
+@@ -438,6 +334,25 @@
  
  ########################################
  ## <summary>
@@ -11812,7 +11869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  ##	Read, and write cron daemon TCP sockets.
  ## </summary>
  ## <param name="domain">
-@@ -558,11 +470,14 @@
+@@ -558,11 +473,14 @@
  #
  interface(`cron_read_system_job_tmp_files',`
  	gen_require(`
@@ -11828,7 +11885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
  ')
  
  ########################################
-@@ -583,3 +498,45 @@
+@@ -583,3 +501,45 @@
  
  	dontaudit $1 system_crond_tmp_t:file append;
  ')
@@ -19157,100 +19214,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  ##	Execute postfix user mail programs
  ##	in their respective domains.
  ## </summary>
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.fc serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.fc
---- nsaserefpolicy/policy/modules/services/postfixpolicyd.fc	2007-11-08 09:29:27.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.fc	2008-04-21 11:02:49.588372000 -0400
-@@ -3,3 +3,5 @@
- /usr/sbin/policyd		--	gen_context(system_u:object_r:postfix_policyd_exec_t, s0)
- 
- /var/run/policyd\.pid		--	gen_context(system_u:object_r:postfix_policyd_var_run_t, s0)
-+
-+/etc/rc.d/init.d/postfixpolicyd	--	gen_context(system_u:object_r:postfixpolicyd_script_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.if serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.if
---- nsaserefpolicy/policy/modules/services/postfixpolicyd.if	2007-11-08 09:29:27.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.if	2008-04-21 11:02:49.593367000 -0400
-@@ -1 +1,68 @@
- ## <summary>Postfix policy server</summary>
-+
-+########################################
-+## <summary>
-+##	Execute postfixpolicyd server in the postfixpolicyd domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	The type of the process performing this action.
-+##	</summary>
-+## </param>
-+#
-+#
-+interface(`postfixpolicyd_script_domtrans',`
-+	gen_require(`
-+		type postfix_policyd_script_exec_t;
-+	')
-+
-+	init_script_domtrans_spec($1,postfix_policyd_script_exec_t)
-+')
-+
-+########################################
-+## <summary>
-+##	All of the rules required to administrate 
-+##	an postfixpolicyd environment
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <param name="role">
-+##	<summary>
-+##	The role to be allowed to manage the postfixpolicyd domain.
-+##	</summary>
-+## </param>
-+## <param name="terminal">
-+##	<summary>
-+##	The type of the user terminal.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`postfixpolicyd_admin',`
-+	gen_require(`
-+		type postfix_policyd_t;
-+		type postfix_policyd_script_exec_t;
-+		type postfix_policyd_conf_t;
-+		type postfix_policyd_var_run_t;
-+	')
-+
-+	allow $1 postfix_policyd_t:process { ptrace signal_perms getattr };
-+	read_files_pattern($1, postfix_policyd_t, postfix_policyd_t)
-+	        
-+	# Allow postfix_policyd_t to restart the apache service
-+	postfixpolicyd_script_domtrans($1)
-+	domain_system_change_exemption($1)
-+	role_transition $2 postfix_policyd_script_exec_t system_r;
-+	allow $2 system_r;
-+
-+	files_list_etc($1)
-+        manage_all_pattern($1,postfix_policyd_conf_t)
-+
-+	files_list_pids($1)
-+        manage_all_pattern($1,postfix_policyd_var_run_t)
-+')
-+
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.te serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.te
---- nsaserefpolicy/policy/modules/services/postfixpolicyd.te	2007-11-08 09:29:27.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.te	2008-04-21 11:02:49.598362000 -0400
-@@ -16,6 +16,9 @@
- type postfix_policyd_var_run_t;
- files_pid_file(postfix_policyd_var_run_t)
- 
-+type postfix_policyd_script_exec_t;
-+init_script_type(postfix_policyd_script_exec_t)
-+
- ########################################
- #
- # Local Policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.3.1/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2007-12-19 05:32:17.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/services/postfix.te	2008-04-23 15:05:37.257075000 -0400
@@ -19443,6 +19406,100 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  
  corecmd_exec_shell(postfix_virtual_t)
  corecmd_exec_bin(postfix_virtual_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.fc serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.fc
+--- nsaserefpolicy/policy/modules/services/postfixpolicyd.fc	2007-11-08 09:29:27.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.fc	2008-04-21 11:02:49.588372000 -0400
+@@ -3,3 +3,5 @@
+ /usr/sbin/policyd		--	gen_context(system_u:object_r:postfix_policyd_exec_t, s0)
+ 
+ /var/run/policyd\.pid		--	gen_context(system_u:object_r:postfix_policyd_var_run_t, s0)
++
++/etc/rc.d/init.d/postfixpolicyd	--	gen_context(system_u:object_r:postfixpolicyd_script_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.if serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.if
+--- nsaserefpolicy/policy/modules/services/postfixpolicyd.if	2007-11-08 09:29:27.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.if	2008-04-21 11:02:49.593367000 -0400
+@@ -1 +1,68 @@
+ ## <summary>Postfix policy server</summary>
++
++########################################
++## <summary>
++##	Execute postfixpolicyd server in the postfixpolicyd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++#
++interface(`postfixpolicyd_script_domtrans',`
++	gen_require(`
++		type postfix_policyd_script_exec_t;
++	')
++
++	init_script_domtrans_spec($1,postfix_policyd_script_exec_t)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate 
++##	an postfixpolicyd environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed to manage the postfixpolicyd domain.
++##	</summary>
++## </param>
++## <param name="terminal">
++##	<summary>
++##	The type of the user terminal.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`postfixpolicyd_admin',`
++	gen_require(`
++		type postfix_policyd_t;
++		type postfix_policyd_script_exec_t;
++		type postfix_policyd_conf_t;
++		type postfix_policyd_var_run_t;
++	')
++
++	allow $1 postfix_policyd_t:process { ptrace signal_perms getattr };
++	read_files_pattern($1, postfix_policyd_t, postfix_policyd_t)
++	        
++	# Allow postfix_policyd_t to restart the apache service
++	postfixpolicyd_script_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 postfix_policyd_script_exec_t system_r;
++	allow $2 system_r;
++
++	files_list_etc($1)
++        manage_all_pattern($1,postfix_policyd_conf_t)
++
++	files_list_pids($1)
++        manage_all_pattern($1,postfix_policyd_var_run_t)
++')
++
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfixpolicyd.te serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.te
+--- nsaserefpolicy/policy/modules/services/postfixpolicyd.te	2007-11-08 09:29:27.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/postfixpolicyd.te	2008-04-21 11:02:49.598362000 -0400
+@@ -16,6 +16,9 @@
+ type postfix_policyd_var_run_t;
+ files_pid_file(postfix_policyd_var_run_t)
+ 
++type postfix_policyd_script_exec_t;
++init_script_type(postfix_policyd_script_exec_t)
++
+ ########################################
+ #
+ # Local Policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.3.1/policy/modules/services/postgresql.fc
 --- nsaserefpolicy/policy/modules/services/postgresql.fc	2006-11-16 17:15:21.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/services/postgresql.fc	2008-04-21 11:02:49.603357000 -0400
@@ -21130,123 +21187,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/roun
  ########################################
  #
  # Local policy
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.3.1/policy/modules/services/rpcbind.fc
---- nsaserefpolicy/policy/modules/services/rpcbind.fc	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/rpcbind.fc	2008-04-21 11:02:49.886076000 -0400
-@@ -5,3 +5,5 @@
- /var/run/rpc.statd\.pid	--	gen_context(system_u:object_r:rpcbind_var_run_t,s0)
- /var/run/rpcbind\.lock	--	gen_context(system_u:object_r:rpcbind_var_run_t,s0)
- /var/run/rpcbind\.sock	-s	gen_context(system_u:object_r:rpcbind_var_run_t,s0)
-+
-+/etc/rc.d/init.d/rpcbind	--	gen_context(system_u:object_r:rpcbind_script_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.3.1/policy/modules/services/rpcbind.if
---- nsaserefpolicy/policy/modules/services/rpcbind.if	2007-07-16 14:09:46.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/rpcbind.if	2008-04-21 11:02:49.891070000 -0400
-@@ -95,3 +95,70 @@
- 	manage_files_pattern($1,rpcbind_var_lib_t,rpcbind_var_lib_t)
- 	files_search_var_lib($1)
- ')
-+
-+########################################
-+## <summary>
-+##	Execute rpcbind server in the rpcbind domain.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	The type of the process performing this action.
-+##	</summary>
-+## </param>
-+#
-+#
-+interface(`rpcbind_script_domtrans',`
-+	gen_require(`
-+		type rpcbind_script_exec_t;
-+	')
-+
-+	init_script_domtrans_spec($1,rpcbind_script_exec_t)
-+')
-+
-+########################################
-+## <summary>
-+##	All of the rules required to administrate 
-+##	an rpcbind environment
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <param name="role">
-+##	<summary>
-+##	The role to be allowed to manage the rpcbind domain.
-+##	</summary>
-+## </param>
-+## <param name="terminal">
-+##	<summary>
-+##	The type of the user terminal.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`rpcbind_admin',`
-+	gen_require(`
-+		type rpcbind_t;
-+		type rpcbind_script_exec_t;
-+		type rpcbind_var_lib_t;
-+		type rpcbind_var_run_t;
-+	')
-+
-+	allow $1 rpcbind_t:process { ptrace signal_perms getattr };
-+	read_files_pattern($1, rpcbind_t, rpcbind_t)
-+	        
-+	# Allow rpcbind_t to restart the apache service
-+	rpcbind_script_domtrans($1)
-+	domain_system_change_exemption($1)
-+	role_transition $2 rpcbind_script_exec_t system_r;
-+	allow $2 system_r;
-+
-+	files_list_var_lib($1)
-+        manage_all_pattern($1,rpcbind_var_lib_t)
-+
-+	files_list_pids($1)
-+        manage_all_pattern($1,rpcbind_var_run_t)
-+')
-+
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.3.1/policy/modules/services/rpcbind.te
---- nsaserefpolicy/policy/modules/services/rpcbind.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/rpcbind.te	2008-04-21 11:02:49.897064000 -0400
-@@ -16,16 +16,21 @@
- type rpcbind_var_lib_t;
- files_type(rpcbind_var_lib_t)
- 
-+type rpcbind_script_exec_t;
-+init_script_type(rpcbind_script_exec_t)
-+
- ########################################
- #
- # rpcbind local policy
- #
- 
--allow rpcbind_t self:capability setuid;
-+allow rpcbind_t self:capability { dac_override setuid sys_tty_config };
- allow rpcbind_t self:fifo_file rw_file_perms;
- allow rpcbind_t self:unix_stream_socket create_stream_socket_perms;
- allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms;
- allow rpcbind_t self:udp_socket create_socket_perms;
-+# BROKEN ...
-+dontaudit rpcbind_t self:udp_socket listen;
- allow rpcbind_t self:tcp_socket create_stream_socket_perms;
- 
- manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t)
-@@ -37,6 +42,7 @@
- manage_sock_files_pattern(rpcbind_t,rpcbind_var_lib_t,rpcbind_var_lib_t)
- files_var_lib_filetrans(rpcbind_t,rpcbind_var_lib_t, { file dir sock_file })
- 
-+kernel_read_system_state(rpcbind_t)
- kernel_read_network_state(rpcbind_t)
- 
- corenet_all_recvfrom_unlabeled(rpcbind_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.3.1/policy/modules/services/rpc.if
 --- nsaserefpolicy/policy/modules/services/rpc.if	2007-12-04 11:02:50.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/services/rpc.if	2008-04-21 11:02:49.875087000 -0400
@@ -21383,6 +21323,123 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
  tunable_policy(`allow_gssd_read_tmp',`
  	userdom_list_unpriv_users_tmp(gssd_t) 
  	userdom_read_unpriv_users_tmp_files(gssd_t) 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.fc serefpolicy-3.3.1/policy/modules/services/rpcbind.fc
+--- nsaserefpolicy/policy/modules/services/rpcbind.fc	2007-10-12 08:56:07.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/rpcbind.fc	2008-04-21 11:02:49.886076000 -0400
+@@ -5,3 +5,5 @@
+ /var/run/rpc.statd\.pid	--	gen_context(system_u:object_r:rpcbind_var_run_t,s0)
+ /var/run/rpcbind\.lock	--	gen_context(system_u:object_r:rpcbind_var_run_t,s0)
+ /var/run/rpcbind\.sock	-s	gen_context(system_u:object_r:rpcbind_var_run_t,s0)
++
++/etc/rc.d/init.d/rpcbind	--	gen_context(system_u:object_r:rpcbind_script_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.if serefpolicy-3.3.1/policy/modules/services/rpcbind.if
+--- nsaserefpolicy/policy/modules/services/rpcbind.if	2007-07-16 14:09:46.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/rpcbind.if	2008-04-21 11:02:49.891070000 -0400
+@@ -95,3 +95,70 @@
+ 	manage_files_pattern($1,rpcbind_var_lib_t,rpcbind_var_lib_t)
+ 	files_search_var_lib($1)
+ ')
++
++########################################
++## <summary>
++##	Execute rpcbind server in the rpcbind domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++#
++interface(`rpcbind_script_domtrans',`
++	gen_require(`
++		type rpcbind_script_exec_t;
++	')
++
++	init_script_domtrans_spec($1,rpcbind_script_exec_t)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate 
++##	an rpcbind environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed to manage the rpcbind domain.
++##	</summary>
++## </param>
++## <param name="terminal">
++##	<summary>
++##	The type of the user terminal.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`rpcbind_admin',`
++	gen_require(`
++		type rpcbind_t;
++		type rpcbind_script_exec_t;
++		type rpcbind_var_lib_t;
++		type rpcbind_var_run_t;
++	')
++
++	allow $1 rpcbind_t:process { ptrace signal_perms getattr };
++	read_files_pattern($1, rpcbind_t, rpcbind_t)
++	        
++	# Allow rpcbind_t to restart the apache service
++	rpcbind_script_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 rpcbind_script_exec_t system_r;
++	allow $2 system_r;
++
++	files_list_var_lib($1)
++        manage_all_pattern($1,rpcbind_var_lib_t)
++
++	files_list_pids($1)
++        manage_all_pattern($1,rpcbind_var_run_t)
++')
++
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.3.1/policy/modules/services/rpcbind.te
+--- nsaserefpolicy/policy/modules/services/rpcbind.te	2007-12-19 05:32:17.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/rpcbind.te	2008-04-21 11:02:49.897064000 -0400
+@@ -16,16 +16,21 @@
+ type rpcbind_var_lib_t;
+ files_type(rpcbind_var_lib_t)
+ 
++type rpcbind_script_exec_t;
++init_script_type(rpcbind_script_exec_t)
++
+ ########################################
+ #
+ # rpcbind local policy
+ #
+ 
+-allow rpcbind_t self:capability setuid;
++allow rpcbind_t self:capability { dac_override setuid sys_tty_config };
+ allow rpcbind_t self:fifo_file rw_file_perms;
+ allow rpcbind_t self:unix_stream_socket create_stream_socket_perms;
+ allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms;
+ allow rpcbind_t self:udp_socket create_socket_perms;
++# BROKEN ...
++dontaudit rpcbind_t self:udp_socket listen;
+ allow rpcbind_t self:tcp_socket create_stream_socket_perms;
+ 
+ manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t)
+@@ -37,6 +42,7 @@
+ manage_sock_files_pattern(rpcbind_t,rpcbind_var_lib_t,rpcbind_var_lib_t)
+ files_var_lib_filetrans(rpcbind_t,rpcbind_var_lib_t, { file dir sock_file })
+ 
++kernel_read_system_state(rpcbind_t)
+ kernel_read_network_state(rpcbind_t)
+ 
+ corenet_all_recvfrom_unlabeled(rpcbind_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.3.1/policy/modules/services/rshd.te
 --- nsaserefpolicy/policy/modules/services/rshd.te	2007-12-19 05:32:17.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/services/rshd.te	2008-04-21 11:02:49.902059000 -0400
@@ -31625,7 +31682,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-02-15 09:52:56.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-04-23 10:15:18.704057000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-04-24 15:08:40.156331000 -0400
 @@ -29,9 +29,14 @@
  	')
  
@@ -32739,26 +32796,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	# cjp: why?
  	files_read_kernel_symbol_table($1_t)
  
-@@ -1193,12 +1204,15 @@
+@@ -1193,12 +1204,11 @@
  	# and may change other protocols
  	tunable_policy(`user_tcp_server',`
  		corenet_tcp_bind_all_nodes($1_t)
 -		corenet_tcp_bind_generic_port($1_t)
 +		corenet_tcp_bind_all_unreserved_ports($1_t)
-+	')
-+
-+	optional_policy(`
-+		hal_dbus_chat($1_t)
  	')
  
  	optional_policy(`
 -		netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
 -		netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
-+		cron_per_role_template($1, $1_t, $1_r)
++		hal_dbus_chat($1_t)
  	')
  
  	# Run pppd in pppd_t by default for user
-@@ -1207,7 +1221,27 @@
+@@ -1207,7 +1217,27 @@
  	')
  
  	optional_policy(`
@@ -32787,7 +32840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  ')
  
-@@ -1284,8 +1318,6 @@
+@@ -1284,8 +1314,6 @@
  	# Manipulate other users crontab.
  	allow $1_t self:passwd crontab;
  
@@ -32796,7 +32849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1307,8 +1339,6 @@
+@@ -1307,8 +1335,6 @@
  
  	dev_getattr_generic_blk_files($1_t)
  	dev_getattr_generic_chr_files($1_t)
@@ -32805,7 +32858,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	# Allow MAKEDEV to work
  	dev_create_all_blk_files($1_t)
  	dev_create_all_chr_files($1_t)
-@@ -1363,13 +1393,6 @@
+@@ -1363,13 +1389,6 @@
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -32819,7 +32872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	optional_policy(`
  		userhelper_exec($1_t)
  	')
-@@ -1422,6 +1445,7 @@
+@@ -1422,6 +1441,7 @@
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -32827,7 +32880,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1787,10 +1811,14 @@
+@@ -1787,10 +1807,14 @@
  template(`userdom_user_home_content',`
  	gen_require(`
  		attribute $1_file_type;
@@ -32843,7 +32896,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1886,11 +1914,11 @@
+@@ -1886,11 +1910,11 @@
  #
  template(`userdom_search_user_home_dirs',`
  	gen_require(`
@@ -32857,7 +32910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1920,11 +1948,11 @@
+@@ -1920,11 +1944,11 @@
  #
  template(`userdom_list_user_home_dirs',`
  	gen_require(`
@@ -32871,7 +32924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -1968,12 +1996,12 @@
+@@ -1968,12 +1992,12 @@
  #
  template(`userdom_user_home_domtrans',`
  	gen_require(`
@@ -32887,7 +32940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2003,10 +2031,11 @@
+@@ -2003,10 +2027,11 @@
  #
  template(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
@@ -32901,7 +32954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2038,11 +2067,47 @@
+@@ -2038,11 +2063,47 @@
  #
  template(`userdom_manage_user_home_content_dirs',`
  	gen_require(`
@@ -32951,7 +33004,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2074,10 +2139,10 @@
+@@ -2074,10 +2135,10 @@
  #
  template(`userdom_dontaudit_setattr_user_home_content_files',`
  	gen_require(`
@@ -32964,7 +33017,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2107,11 +2172,11 @@
+@@ -2107,11 +2168,11 @@
  #
  template(`userdom_read_user_home_content_files',`
  	gen_require(`
@@ -32978,7 +33031,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2141,11 +2206,11 @@
+@@ -2141,11 +2202,11 @@
  #
  template(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -32993,7 +33046,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2175,10 +2240,14 @@
+@@ -2175,10 +2236,14 @@
  #
  template(`userdom_dontaudit_write_user_home_content_files',`
  	gen_require(`
@@ -33010,7 +33063,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2208,11 +2277,11 @@
+@@ -2208,11 +2273,11 @@
  #
  template(`userdom_read_user_home_content_symlinks',`
  	gen_require(`
@@ -33024,7 +33077,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2242,11 +2311,11 @@
+@@ -2242,11 +2307,11 @@
  #
  template(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -33038,7 +33091,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2276,10 +2345,10 @@
+@@ -2276,10 +2341,10 @@
  #
  template(`userdom_dontaudit_exec_user_home_content_files',`
  	gen_require(`
@@ -33051,7 +33104,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2311,12 +2380,12 @@
+@@ -2311,12 +2376,12 @@
  #
  template(`userdom_manage_user_home_content_files',`
  	gen_require(`
@@ -33067,7 +33120,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2348,10 +2417,10 @@
+@@ -2348,10 +2413,10 @@
  #
  template(`userdom_dontaudit_manage_user_home_content_dirs',`
  	gen_require(`
@@ -33080,7 +33133,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2383,12 +2452,12 @@
+@@ -2383,12 +2448,12 @@
  #
  template(`userdom_manage_user_home_content_symlinks',`
  	gen_require(`
@@ -33096,7 +33149,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2420,12 +2489,12 @@
+@@ -2420,12 +2485,12 @@
  #
  template(`userdom_manage_user_home_content_pipes',`
  	gen_require(`
@@ -33112,7 +33165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2457,12 +2526,12 @@
+@@ -2457,12 +2522,12 @@
  #
  template(`userdom_manage_user_home_content_sockets',`
  	gen_require(`
@@ -33128,7 +33181,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2507,11 +2576,11 @@
+@@ -2507,11 +2572,11 @@
  #
  template(`userdom_user_home_dir_filetrans',`
  	gen_require(`
@@ -33142,7 +33195,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2556,11 +2625,11 @@
+@@ -2556,11 +2621,11 @@
  #
  template(`userdom_user_home_content_filetrans',`
  	gen_require(`
@@ -33156,7 +33209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2600,11 +2669,11 @@
+@@ -2600,11 +2665,11 @@
  #
  template(`userdom_user_home_dir_filetrans_user_home_content',`
  	gen_require(`
@@ -33170,7 +33223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2634,11 +2703,11 @@
+@@ -2634,11 +2699,11 @@
  #
  template(`userdom_write_user_tmp_sockets',`
  	gen_require(`
@@ -33184,7 +33237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2668,11 +2737,11 @@
+@@ -2668,11 +2733,11 @@
  #
  template(`userdom_list_user_tmp',`
  	gen_require(`
@@ -33198,7 +33251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2704,10 +2773,10 @@
+@@ -2704,10 +2769,10 @@
  #
  template(`userdom_dontaudit_list_user_tmp',`
  	gen_require(`
@@ -33211,7 +33264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2739,10 +2808,10 @@
+@@ -2739,10 +2804,10 @@
  #
  template(`userdom_dontaudit_manage_user_tmp_dirs',`
  	gen_require(`
@@ -33224,7 +33277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2772,12 +2841,12 @@
+@@ -2772,12 +2837,12 @@
  #
  template(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -33240,7 +33293,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2809,10 +2878,10 @@
+@@ -2809,10 +2874,10 @@
  #
  template(`userdom_dontaudit_read_user_tmp_files',`
  	gen_require(`
@@ -33253,7 +33306,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2844,10 +2913,48 @@
+@@ -2844,10 +2909,48 @@
  #
  template(`userdom_dontaudit_append_user_tmp_files',`
  	gen_require(`
@@ -33304,7 +33357,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2877,12 +2984,12 @@
+@@ -2877,12 +2980,12 @@
  #
  template(`userdom_rw_user_tmp_files',`
  	gen_require(`
@@ -33320,7 +33373,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2914,10 +3021,10 @@
+@@ -2914,10 +3017,10 @@
  #
  template(`userdom_dontaudit_manage_user_tmp_files',`
  	gen_require(`
@@ -33333,7 +33386,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2949,12 +3056,12 @@
+@@ -2949,12 +3052,12 @@
  #
  template(`userdom_read_user_tmp_symlinks',`
  	gen_require(`
@@ -33349,7 +33402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -2986,11 +3093,11 @@
+@@ -2986,11 +3089,11 @@
  #
  template(`userdom_manage_user_tmp_dirs',`
  	gen_require(`
@@ -33363,7 +33416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3022,11 +3129,11 @@
+@@ -3022,11 +3125,11 @@
  #
  template(`userdom_manage_user_tmp_files',`
  	gen_require(`
@@ -33377,7 +33430,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3058,11 +3165,11 @@
+@@ -3058,11 +3161,11 @@
  #
  template(`userdom_manage_user_tmp_symlinks',`
  	gen_require(`
@@ -33391,7 +33444,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3094,11 +3201,11 @@
+@@ -3094,11 +3197,11 @@
  #
  template(`userdom_manage_user_tmp_pipes',`
  	gen_require(`
@@ -33405,7 +33458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3130,11 +3237,11 @@
+@@ -3130,11 +3233,11 @@
  #
  template(`userdom_manage_user_tmp_sockets',`
  	gen_require(`
@@ -33419,7 +33472,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3179,10 +3286,10 @@
+@@ -3179,10 +3282,10 @@
  #
  template(`userdom_user_tmp_filetrans',`
  	gen_require(`
@@ -33432,7 +33485,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	files_search_tmp($2)
  ')
  
-@@ -3223,10 +3330,10 @@
+@@ -3223,10 +3326,10 @@
  #
  template(`userdom_tmp_filetrans_user_tmp',`
  	gen_require(`
@@ -33445,7 +33498,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -3254,24 +3361,24 @@
+@@ -3254,24 +3357,24 @@
  ##	</summary>
  ## </param>
  #
@@ -33474,7 +33527,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	</p>
  ##	<p>
  ##	This is a templated interface, and should only
-@@ -3290,23 +3397,24 @@
+@@ -3290,23 +3393,24 @@
  ##	</summary>
  ## </param>
  #
@@ -33506,7 +33559,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	</p>
  ##	<p>
  ##	This is a templated interface, and should only
-@@ -3321,13 +3429,84 @@
+@@ -3321,18 +3425,89 @@
  ## </param>
  ## <param name="domain">
  ##	<summary>
@@ -33520,8 +33573,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	gen_require(`
 -		type $1_untrusted_content_t;
 +		type $1_tmpfs_t;
-+	')
-+
+ 	')
+ 
+-	dontaudit $2 $1_untrusted_content_t:dir list_dir_perms;
+-')
+-
 +	fs_search_tmpfs($2)
 +	allow $2 $1_tmpfs_t:dir list_dir_perms;
 +	delete_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t)
@@ -33591,10 +33647,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +template(`userdom_dontaudit_list_user_untrusted_content',`
 +	gen_require(`
 +		type $1_untrusted_content_t;
- 	')
- 
- 	dontaudit $2 $1_untrusted_content_t:dir list_dir_perms;
-@@ -4231,11 +4410,11 @@
++	')
++
++	dontaudit $2 $1_untrusted_content_t:dir list_dir_perms;
++')
++
+ ########################################
+ ## <summary>
+ ##	Read user untrusted files.
+@@ -4231,11 +4406,11 @@
  #
  interface(`userdom_search_staff_home_dirs',`
  	gen_require(`
@@ -33608,7 +33669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4251,10 +4430,10 @@
+@@ -4251,10 +4426,10 @@
  #
  interface(`userdom_dontaudit_search_staff_home_dirs',`
  	gen_require(`
@@ -33621,7 +33682,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4270,11 +4449,11 @@
+@@ -4270,11 +4445,11 @@
  #
  interface(`userdom_manage_staff_home_dirs',`
  	gen_require(`
@@ -33635,7 +33696,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4289,16 +4468,16 @@
+@@ -4289,16 +4464,16 @@
  #
  interface(`userdom_relabelto_staff_home_dirs',`
  	gen_require(`
@@ -33655,7 +33716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	users home directory.
  ## </summary>
  ## <param name="domain">
-@@ -4307,12 +4486,35 @@
+@@ -4307,12 +4482,35 @@
  ##	</summary>
  ## </param>
  #
@@ -33664,9 +33725,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	gen_require(`
 -		type staff_home_t;
 +		type user_home_t;
- 	')
- 
--	dontaudit $1 staff_home_t:file append;
++	')
++
 +	dontaudit $1 user_home_t:file append_file_perms;
 +
 +	tunable_policy(`use_nfs_home_dirs',`
@@ -33675,9 +33735,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +
 +	tunable_policy(`use_samba_home_dirs',`
 +		fs_dontaudit_append_cifs_files($1)
-+	')
+ 	')
 +')
-+
+ 
+-	dontaudit $1 staff_home_t:file append;
 +########################################
 +## <summary>
 +##	Do not audit attempts to append to the staff
@@ -33694,7 +33755,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4327,13 +4529,13 @@
+@@ -4327,13 +4525,13 @@
  #
  interface(`userdom_read_staff_home_content_files',`
  	gen_require(`
@@ -33712,7 +33773,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4531,10 +4733,10 @@
+@@ -4531,10 +4729,10 @@
  #
  interface(`userdom_getattr_sysadm_home_dirs',`
  	gen_require(`
@@ -33725,7 +33786,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4551,10 +4753,10 @@
+@@ -4551,10 +4749,10 @@
  #
  interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
  	gen_require(`
@@ -33738,7 +33799,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4569,10 +4771,10 @@
+@@ -4569,10 +4767,10 @@
  #
  interface(`userdom_search_sysadm_home_dirs',`
  	gen_require(`
@@ -33751,7 +33812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4588,10 +4790,10 @@
+@@ -4588,10 +4786,10 @@
  #
  interface(`userdom_dontaudit_search_sysadm_home_dirs',`
  	gen_require(`
@@ -33764,7 +33825,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4606,10 +4808,10 @@
+@@ -4606,10 +4804,10 @@
  #
  interface(`userdom_list_sysadm_home_dirs',`
  	gen_require(`
@@ -33777,7 +33838,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4625,10 +4827,10 @@
+@@ -4625,10 +4823,10 @@
  #
  interface(`userdom_dontaudit_list_sysadm_home_dirs',`
  	gen_require(`
@@ -33790,7 +33851,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4644,12 +4846,11 @@
+@@ -4644,12 +4842,11 @@
  #
  interface(`userdom_dontaudit_read_sysadm_home_content_files',`
  	gen_require(`
@@ -33806,7 +33867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4676,10 +4877,10 @@
+@@ -4676,10 +4873,10 @@
  #
  interface(`userdom_sysadm_home_dir_filetrans',`
  	gen_require(`
@@ -33819,7 +33880,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4694,10 +4895,10 @@
+@@ -4694,10 +4891,10 @@
  #
  interface(`userdom_search_sysadm_home_content_dirs',`
  	gen_require(`
@@ -33832,7 +33893,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4712,13 +4913,13 @@
+@@ -4712,13 +4909,13 @@
  #
  interface(`userdom_read_sysadm_home_content_files',`
  	gen_require(`
@@ -33850,7 +33911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4754,11 +4955,49 @@
+@@ -4754,11 +4951,49 @@
  #
  interface(`userdom_search_all_users_home_dirs',`
  	gen_require(`
@@ -33901,22 +33962,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ')
  
  ########################################
-@@ -4778,6 +5017,14 @@
+@@ -4778,6 +5013,14 @@
  
  	files_list_home($1)
  	allow $1 home_dir_type:dir list_dir_perms;
 +
 +	tunable_policy(`use_nfs_home_dirs',`
-+		fs_list_nfs(crond_t)
++		fs_list_nfs($1)
 +	')
 +
 +	tunable_policy(`use_samba_home_dirs',`
-+		fs_list_cifs(crond_t)
++		fs_list_cifs($1)
 +	')
  ')
  
  ########################################
-@@ -4839,6 +5086,26 @@
+@@ -4839,6 +5082,26 @@
  
  ########################################
  ## <summary>
@@ -33943,7 +34004,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Create, read, write, and delete all directories
  ##	in all users home directories.
  ## </summary>
-@@ -4859,6 +5126,25 @@
+@@ -4859,6 +5122,25 @@
  
  ########################################
  ## <summary>
@@ -33969,7 +34030,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Create, read, write, and delete all files
  ##	in all users home directories.
  ## </summary>
-@@ -4879,6 +5165,26 @@
+@@ -4879,6 +5161,26 @@
  
  ########################################
  ## <summary>
@@ -33996,7 +34057,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Create, read, write, and delete all symlinks
  ##	in all users home directories.
  ## </summary>
-@@ -5115,7 +5421,7 @@
+@@ -5115,7 +5417,7 @@
  #
  interface(`userdom_relabelto_generic_user_home_dirs',`
  	gen_require(`
@@ -34005,7 +34066,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
  	files_search_home($1)
-@@ -5304,6 +5610,63 @@
+@@ -5304,6 +5606,63 @@
  
  ########################################
  ## <summary>
@@ -34069,7 +34130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Create, read, write, and delete directories in
  ##	unprivileged users home directories.
  ## </summary>
-@@ -5509,7 +5872,7 @@
+@@ -5509,7 +5868,7 @@
  
  ########################################
  ## <summary>
@@ -34078,7 +34139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5517,18 +5880,17 @@
+@@ -5517,18 +5876,17 @@
  ##	</summary>
  ## </param>
  #
@@ -34101,7 +34162,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5536,17 +5898,17 @@
+@@ -5536,17 +5894,17 @@
  ##	</summary>
  ## </param>
  #
@@ -34123,7 +34184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5554,18 +5916,55 @@
+@@ -5554,12 +5912,49 @@
  ##	</summary>
  ## </param>
  #
@@ -34135,13 +34196,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  	')
  
 -	read_files_pattern($1,userdomain,userdomain)
--	kernel_search_proc($1)
 +	allow $1 user_ttynode:chr_file rw_term_perms;
- ')
- 
- ########################################
- ## <summary>
--##	Get the attributes of all user domains.
++')
++
++########################################
++## <summary>
 +##	Do not audit attempts to use unprivileged
 +##	user ttys.
 +## </summary>
@@ -34175,16 +34234,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +	')
 +
 +	ps_process_pattern($1,userdomain)
-+	kernel_search_proc($1)
-+')
-+
-+########################################
-+## <summary>
-+##	Get the attributes of all user domains.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
-@@ -5674,6 +6073,42 @@
+ 	kernel_search_proc($1)
+ ')
+ 
+@@ -5674,6 +6069,42 @@
  
  ########################################
  ## <summary>
@@ -34227,7 +34280,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -5704,3 +6139,370 @@
+@@ -5704,3 +6135,370 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
@@ -35832,8 +35885,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.i
 +## <summary>Policy for staff user</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.3.1/policy/modules/users/staff.te
 --- nsaserefpolicy/policy/modules/users/staff.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/staff.te	2008-04-21 11:02:50.734385000 -0400
-@@ -0,0 +1,20 @@
++++ serefpolicy-3.3.1/policy/modules/users/staff.te	2008-04-24 15:09:37.398476000 -0400
+@@ -0,0 +1,23 @@
 +policy_module(staff,1.0.1)
 +userdom_admin_login_user_template(staff)
 +
@@ -35847,13 +35900,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.t
 +	xserver_domtrans_xdm_xserver(staff_t)
 +')
 +
++optional_policy(`
++	cron_per_role_template(staff, staff_t, staff_r)
++')
++
 +ifndef(`enable_mls',`
 +optional_policy(`
 +userdom_role_change_template(staff, unconfined)
 +')
 +')
 +
-+
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.fc serefpolicy-3.3.1/policy/modules/users/user.fc
 --- nsaserefpolicy/policy/modules/users/user.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/users/user.fc	2008-04-21 11:02:50.738381000 -0400
@@ -35866,12 +35922,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.if
 +## <summary>Policy for user user</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.te serefpolicy-3.3.1/policy/modules/users/user.te
 --- nsaserefpolicy/policy/modules/users/user.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/user.te	2008-04-21 11:02:50.746372000 -0400
-@@ -0,0 +1,17 @@
++++ serefpolicy-3.3.1/policy/modules/users/user.te	2008-04-24 15:09:03.056815000 -0400
+@@ -0,0 +1,18 @@
 +policy_module(user,1.0.1)
 +userdom_unpriv_user_template(user)
 +
 +optional_policy(`
++	cron_per_role_template(user, user_t, user_r)
++')
++
++optional_policy(`
 +	kerneloops_dontaudit_dbus_chat(user_t)
 +')
 +
@@ -35882,9 +35942,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.te
 +optional_policy(`
 +	setroubleshoot_dontaudit_stream_connect(user_t)
 +')
-+
-+
-+
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.fc serefpolicy-3.3.1/policy/modules/users/webadm.fc
 --- nsaserefpolicy/policy/modules/users/webadm.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/users/webadm.fc	2008-04-21 11:02:50.749370000 -0400
@@ -36100,47 +36157,3 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.3
 -	gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
 -')
 +gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.3.1/Rules.modular
---- nsaserefpolicy/Rules.modular	2007-12-19 05:32:18.000000000 -0500
-+++ serefpolicy-3.3.1/Rules.modular	2008-04-21 11:02:47.848797000 -0400
-@@ -73,8 +73,8 @@
- $(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
- 	@echo "Compliling $(NAME) $(@F) module"
- 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
--	$(call perrole-expansion,$(basename $(@F)),$@.role)
--	$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
-+#	$(call perrole-expansion,$(basename $(@F)),$@.role)
-+	$(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
- 	$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
- 
- $(tmpdir)/%.mod.fc: $(m4support) %.fc
-@@ -129,7 +129,7 @@
- 	@test -d $(tmpdir) || mkdir -p $(tmpdir)
- # define all available object classes
- 	$(verbose) $(genperm) $(avs) $(secclass) > $@
--	$(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
-+#	$(verbose) $(call create-base-per-role-tmpl,$(patsubst %.te,%,$(base_mods)),$@)
- 	$(verbose) test -f $(booleans) && $(setbools) $(booleans) >> $@ || true
- 
- $(tmpdir)/global_bools.conf: M4PARAM += -D self_contained_policy
-@@ -147,7 +147,7 @@
- $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
- $(tmpdir)/rolemap.conf: $(rolemap)
- 	$(verbose) echo "" > $@
--	$(call parse-rolemap,base,$@)
-+#	$(call parse-rolemap,base,$@)
- 
- $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
- $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-3.3.1/Rules.monolithic
---- nsaserefpolicy/Rules.monolithic	2007-11-20 06:55:20.000000000 -0500
-+++ serefpolicy-3.3.1/Rules.monolithic	2008-04-21 11:02:47.854791000 -0400
-@@ -96,7 +96,7 @@
- #
- # Load the binary policy
- #
--reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles)
-+reload $(tmpdir)/load: $(loadpath) $(fcpath) $(ncpath) $(appfiles)
- 	@echo "Loading $(NAME) $(loadpath)"
- 	$(verbose) $(LOADPOLICY) -q $(loadpath)
- 	@touch $(tmpdir)/load
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 8f68461..6231f1c 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 39%{?dist}
+Release: 40%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -385,6 +385,9 @@ exit 0
 %endif
 
 %changelog
+* Thu Apr 24 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-40 
+- Don't run crontab from unconfined_t
+
 * Wed Apr 23 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-39
 - Change etc files to config files to allow users to read them