diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 7df1baa..26efedf 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -40,6 +40,7 @@
 	games
 	mozilla
 	mplayer
+	nagios
 	nessus
 	postgrey
 	pxe
diff --git a/refpolicy/policy/modules/admin/netutils.if b/refpolicy/policy/modules/admin/netutils.if
index 65ae005..9fdfc1f 100644
--- a/refpolicy/policy/modules/admin/netutils.if
+++ b/refpolicy/policy/modules/admin/netutils.if
@@ -6,7 +6,7 @@
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -30,7 +30,7 @@ interface(`netutils_domtrans',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
@@ -60,7 +60,7 @@ interface(`netutils_run',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -78,7 +78,7 @@ interface(`netutils_exec',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -97,12 +97,48 @@ interface(`netutils_domtrans_ping',`
 
 ########################################
 ## <summary>
+##	Send a kill (SIGKILL) signal to ping.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`netutils_kill_ping',`
+	gen_require(`
+		type ping_t;
+	')
+
+	allow $1 ping_t:process sigkill;
+')
+
+########################################
+## <summary>
+##	Send generic signals to ping.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`netutils_signal_ping',`
+	gen_require(`
+		type ping_t;
+	')
+
+	allow $1 ping_t:process signal;
+')
+
+########################################
+## <summary>
 ##	Execute ping in the ping domain, and
 ##	allow the specified role the ping domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
@@ -133,7 +169,7 @@ interface(`netutils_run_ping',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
@@ -167,7 +203,7 @@ interface(`netutils_run_ping_cond',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -185,7 +221,7 @@ interface(`netutils_exec_ping',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -209,7 +245,7 @@ interface(`netutils_domtrans_traceroute',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
@@ -240,7 +276,7 @@ interface(`netutils_run_traceroute',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
@@ -274,7 +310,7 @@ interface(`netutils_run_traceroute_cond',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index 1145517..1437bac 100644
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@@ -1,5 +1,5 @@
 
-policy_module(netutils,1.1.0)
+policy_module(netutils,1.1.1)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/kernel/corecommands.fc b/refpolicy/policy/modules/kernel/corecommands.fc
index a2c59dd..97f3cde 100644
--- a/refpolicy/policy/modules/kernel/corecommands.fc
+++ b/refpolicy/policy/modules/kernel/corecommands.fc
@@ -126,6 +126,8 @@ ifdef(`distro_gentoo',`
 /usr/lib(64)?/ipsec/.*		--	gen_context(system_u:object_r:sbin_t,s0)
 /usr/lib(64)?/mailman/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/misc/sftp-server	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/nagios/plugins(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/netsaint/plugins(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/news/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/portage/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/sftp-server	--	gen_context(system_u:object_r:bin_t,s0)
diff --git a/refpolicy/policy/modules/kernel/corecommands.te b/refpolicy/policy/modules/kernel/corecommands.te
index d166d62..675b909 100644
--- a/refpolicy/policy/modules/kernel/corecommands.te
+++ b/refpolicy/policy/modules/kernel/corecommands.te
@@ -1,5 +1,5 @@
 
-policy_module(corecommands,1.3.7)
+policy_module(corecommands,1.3.8)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index 4fb4c86..6e256bb 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -547,7 +547,7 @@ interface(`apache_read_log',`
 		type httpd_log_t;
 	')
 
-	files_search_var($1)
+	logging_search_logs($1)
 	allow $1 httpd_log_t:dir r_dir_perms;
 	allow $1 httpd_log_t:file r_file_perms;
 	allow $1 httpd_log_t:lnk_file { getattr read };
@@ -555,6 +555,27 @@ interface(`apache_read_log',`
 
 ########################################
 ## <summary>
+##	Allow the specified domain to append
+##	to apache log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_append_log',`
+	gen_require(`
+		type httpd_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 httpd_log_t:dir r_dir_perms;
+	allow $1 httpd_log_t:file append;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to append to the
 ##	Apache logs.
 ## </summary>
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index d7b1cce..7fd8891 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -1,5 +1,5 @@
 
-policy_module(apache,1.3.4)
+policy_module(apache,1.3.5)
 
 #
 # NOTES: 
@@ -422,6 +422,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	nagios_read_config(httpd_t)
+	nagios_domtrans_cgi(httpd_t)
+')
+
+optional_policy(`
 	nscd_socket_use(httpd_t)
 ')
 
@@ -650,6 +655,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	nagios_domtrans_cgi(httpd_suexec_t)
+')
+
+optional_policy(`
 	nis_use_ypbind(httpd_suexec_t)
 ')
 
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 369e0e8..b5f7e91 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -1,5 +1,5 @@
 
-policy_module(mta,1.3.1)
+policy_module(mta,1.3.2)
 
 ########################################
 #
@@ -135,6 +135,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	nagios_read_tmp_files(system_mail_t)
+')
+
+optional_policy(`
 	allow system_mail_t etc_aliases_t:dir create_dir_perms;
 	allow system_mail_t etc_aliases_t:file create_file_perms;
 	allow system_mail_t etc_aliases_t:lnk_file create_lnk_perms;
diff --git a/refpolicy/policy/modules/services/nagios.fc b/refpolicy/policy/modules/services/nagios.fc
new file mode 100644
index 0000000..255d9d1
--- /dev/null
+++ b/refpolicy/policy/modules/services/nagios.fc
@@ -0,0 +1,16 @@
+
+
+/etc/nagios(/.*)?			gen_context(system_u:object_r:nagios_etc_t,s0)
+
+/usr/bin/nagios			--	gen_context(system_u:object_r:nagios_exec_t,s0)
+
+/usr/lib(64)?/cgi-bin/netsaint/.+ --	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
+/usr/lib(64)?/nagios/cgi/.+	--	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
+
+/var/log/nagios(/.*)?			gen_context(system_u:object_r:nagios_log_t,s0)
+/var/log/netsaint(/.*)?			gen_context(system_u:object_r:nagios_log_t,s0)
+
+ifdef(`distro_debian',`
+/usr/sbin/nagios		--	gen_context(system_u:object_r:nagios_exec_t,s0)
+/usr/lib/cgi-bin/nagios/.+	--	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
+')
diff --git a/refpolicy/policy/modules/services/nagios.if b/refpolicy/policy/modules/services/nagios.if
new file mode 100644
index 0000000..503c260
--- /dev/null
+++ b/refpolicy/policy/modules/services/nagios.if
@@ -0,0 +1,64 @@
+## <summary>Net Saint / NAGIOS - network monitoring server</summary>
+
+########################################
+## <summary>
+##	Allow the specified domain to read
+##	nagios configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nagios_read_config',`
+	gen_require(`
+		type nagios_etc_t;
+	')
+
+	allow $1 nagios_etc_t:dir list_dir_perms;
+	allow $1 nagios_etc_t:file r_file_perms;
+	files_search_etc($1)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read
+##	nagios temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nagios_read_tmp_files',`
+	gen_require(`
+		type nagios_tmp_t;
+	')
+
+	allow $1 nagios_tmp_t:file r_file_perms;
+	files_search_tmp($1)
+')
+
+########################################
+## <summary>
+##	Execute the nagios CGI with
+##	a domain transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nagios_domtrans_cgi',`
+	gen_require(`
+		type nagios_cgi_t, nagios_cgi_exec_t;
+	')
+
+	domain_auto_trans($1,nagios_cgi_exec_t,nagios_cgi_t)
+	allow nagios_cgi_t $1:fd use;
+	allow nagios_cgi_t $1:fifo_file rw_file_perms;
+	allow nagios_cgi_t $1:process sigchld;
+')
diff --git a/refpolicy/policy/modules/services/nagios.te b/refpolicy/policy/modules/services/nagios.te
new file mode 100644
index 0000000..92dc549
--- /dev/null
+++ b/refpolicy/policy/modules/services/nagios.te
@@ -0,0 +1,183 @@
+
+policy_module(nagios,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type nagios_t;
+type nagios_exec_t;
+init_daemon_domain(nagios_t,nagios_exec_t)
+
+type nagios_cgi_t;
+type nagios_cgi_exec_t;
+init_system_domain(nagios_cgi_t,nagios_cgi_exec_t)
+
+type nagios_etc_t;
+files_config_file(nagios_etc_t)
+
+type nagios_log_t;
+logging_log_file(nagios_log_t)
+
+type nagios_tmp_t;
+files_tmp_file(nagios_tmp_t)
+
+type nagios_var_run_t;
+files_pid_file(nagios_var_run_t)
+
+########################################
+#
+# Nagios local policy
+#
+
+allow nagios_t self:capability { dac_override setgid setuid };
+dontaudit nagios_t self:capability sys_tty_config;
+allow nagios_t self:process { setpgid signal_perms };
+allow nagios_t self:fifo_file rw_file_perms;
+allow nagios_t self:tcp_socket create_stream_socket_perms;
+allow nagios_t self:udp_socket create_socket_perms;
+
+allow nagios_t nagios_etc_t:file r_file_perms;
+allow nagios_t nagios_etc_t:dir r_dir_perms;
+allow nagios_t nagios_etc_t:lnk_file { getattr read };
+
+allow nagios_t nagios_log_t:file manage_file_perms;
+allow nagios_t nagios_log_t:fifo_file manage_file_perms;
+allow nagios_t nagios_log_t:dir rw_dir_perms;
+logging_log_filetrans(nagios_t,nagios_log_t,{ file dir })
+
+allow nagios_t nagios_tmp_t:dir create_dir_perms;
+allow nagios_t nagios_tmp_t:file create_file_perms;
+files_tmp_filetrans(nagios_t, nagios_tmp_t, { file dir })
+
+allow nagios_t nagios_var_run_t:file create_file_perms;
+allow nagios_t nagios_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(nagios_t,nagios_var_run_t,file)
+
+kernel_read_system_state(nagios_t)
+kernel_read_kernel_sysctls(nagios_t)
+
+corecmd_exec_bin(nagios_t)
+corecmd_exec_shell(nagios_t)
+
+corenet_tcp_sendrecv_generic_if(nagios_t)
+corenet_udp_sendrecv_generic_if(nagios_t)
+corenet_raw_sendrecv_generic_if(nagios_t)
+corenet_tcp_sendrecv_all_nodes(nagios_t)
+corenet_udp_sendrecv_all_nodes(nagios_t)
+corenet_raw_sendrecv_all_nodes(nagios_t)
+corenet_tcp_sendrecv_all_ports(nagios_t)
+corenet_udp_sendrecv_all_ports(nagios_t)
+corenet_non_ipsec_sendrecv(nagios_t)
+corenet_tcp_bind_all_nodes(nagios_t)
+corenet_udp_bind_all_nodes(nagios_t)
+
+dev_read_sysfs(nagios_t)
+
+domain_use_interactive_fds(nagios_t)
+# for ps
+domain_read_all_domains_state(nagios_t)
+
+files_read_etc_files(nagios_t)
+files_read_etc_runtime_files(nagios_t)
+files_read_kernel_symbol_table(nagios_t)
+
+fs_getattr_all_fs(nagios_t)
+fs_search_auto_mountpoints(nagios_t)
+
+term_dontaudit_use_console(nagios_t)
+
+init_use_fds(nagios_t)
+init_use_script_ptys(nagios_t)
+# for who
+init_read_utmp(nagios_t)
+
+libs_use_ld_so(nagios_t)
+libs_use_shared_libs(nagios_t)
+
+logging_send_syslog_msg(nagios_t)
+
+miscfiles_read_localization(nagios_t)
+
+sysnet_read_config(nagios_t)
+
+userdom_dontaudit_use_unpriv_user_fds(nagios_t)
+userdom_dontaudit_search_sysadm_home_dirs(nagios_t)
+
+mta_send_mail(nagios_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_ttys(nagios_t)
+	term_dontaudit_use_generic_ptys(nagios_t)
+	files_dontaudit_read_root_files(nagios_t)
+')
+
+optional_policy(`
+	netutils_domtrans_ping(nagios_t)
+	netutils_signal_ping(nagios_t)
+	netutils_kill_ping(nagios_t)
+
+	# cjp: leaked file descriptors:
+	#dontaudit ping_t nagios_etc_t:file read;
+	#dontaudit ping_t nagios_log_t:fifo_file read;
+')
+
+optional_policy(`
+	nis_use_ypbind(nagios_t)
+')
+
+optional_policy(`
+	seutil_sigchld_newrole(nagios_t)
+')
+
+optional_policy(`
+	udev_read_db(nagios_t)
+')
+
+# cjp: leaked file descriptors:
+# for open file handles
+#dontaudit system_mail_t nagios_etc_t:file read;
+#dontaudit system_mail_t nagios_log_t:fifo_file read;
+
+########################################
+#
+# Nagios CGI local policy
+#
+
+allow nagios_cgi_t self:process { fork signal_perms };
+allow nagios_cgi_t self:fifo_file rw_file_perms;
+
+allow nagios_cgi_t nagios_t:dir r_dir_perms;
+allow nagios_cgi_t nagios_t:file r_file_perms;
+allow nagios_cgi_t nagios_t:lnk_file { getattr read };
+
+allow nagios_cgi_t nagios_etc_t:dir r_dir_perms;
+allow nagios_cgi_t nagios_etc_t:file r_file_perms;
+allow nagios_cgi_t nagios_etc_t:lnk_file { getattr read };
+
+allow nagios_cgi_t nagios_log_t:dir r_dir_perms;
+allow nagios_cgi_t nagios_log_t:file r_file_perms;
+allow nagios_cgi_t nagios_log_t:lnk_file { getattr read };
+
+kernel_read_system_state(nagios_cgi_t)
+
+corecmd_exec_bin(nagios_cgi_t)
+
+domain_dontaudit_read_all_domains_state(nagios_cgi_t)
+
+files_read_etc_files(nagios_cgi_t)
+files_read_etc_runtime_files(nagios_cgi_t)
+files_read_kernel_symbol_table(nagios_cgi_t)
+
+libs_use_ld_so(nagios_cgi_t)
+libs_use_shared_libs(nagios_cgi_t)
+
+logging_send_syslog_msg(nagios_cgi_t)
+logging_search_logs(nagios_cgi_t)
+
+miscfiles_read_localization(nagios_cgi_t)
+
+optional_policy(`
+	apache_append_log(nagios_cgi_t)
+')