libselinux/libselinux-rhat.patch

diff --exclude-from=exclude -N -u -r nsalibselinux/include/selinux/av_permissions.h libselinux-2.0.46/include/selinux/av_permissions.h
--- nsalibselinux/include/selinux/av_permissions.h	2007-11-15 15:52:46.000000000 -0500
+++ libselinux-2.0.46/include/selinux/av_permissions.h	2008-01-03 15:23:31.000000000 -0500
@@ -900,6 +900,8 @@
 #define PACKET__SEND                              0x00000001UL
 #define PACKET__RECV                              0x00000002UL
 #define PACKET__RELABELTO                         0x00000004UL
+#define PACKET__FLOW_IN                           0x00000008UL
+#define PACKET__FLOW_OUT                          0x00000010UL
 #define KEY__VIEW                                 0x00000001UL
 #define KEY__READ                                 0x00000002UL
 #define KEY__WRITE                                0x00000004UL
diff --exclude-from=exclude -N -u -r nsalibselinux/src/Makefile libselinux-2.0.46/src/Makefile
--- nsalibselinux/src/Makefile	2007-09-26 19:37:45.000000000 -0400
+++ libselinux-2.0.46/src/Makefile	2008-01-05 08:19:27.000000000 -0500
@@ -77,14 +77,14 @@
 
 install: all 
 	test -d $(LIBDIR) || install -m 755 -d $(LIBDIR)
-	install -m 644 $(LIBA) $(LIBDIR)
 	test -d $(SHLIBDIR) || install -m 755 -d $(SHLIBDIR)
 	install -m 755 $(LIBSO) $(SHLIBDIR)
 	cd $(LIBDIR) && ln -sf ../../`basename $(SHLIBDIR)`/$(LIBSO) $(TARGET)
 
 install-pywrap: pywrap
 	test -d $(PYTHONLIBDIR)/site-packages || install -m 755 -d $(PYTHONLIBDIR)/site-packages
-	install -m 755 $(SWIGFILES) $(PYTHONLIBDIR)/site-packages
+	install -m 755 $(SWIGSO) $(PYTHONLIBDIR)/site-packages
+	install -m 644  selinux.py $(PYTHONLIBDIR)/site-packages
 
 relabel:
 	/sbin/restorecon $(SHLIBDIR)/$(LIBSO)
diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux-2.0.46/src/matchpathcon.c
--- nsalibselinux/src/matchpathcon.c	2007-09-28 09:48:58.000000000 -0400
+++ libselinux-2.0.46/src/matchpathcon.c	2008-01-03 15:23:32.000000000 -0500
@@ -2,6 +2,7 @@
 #include <string.h>
 #include <errno.h>
 #include <stdio.h>
+#include <syslog.h>
 #include "selinux_internal.h"
 #include "label_internal.h"
 #include "callbacks.h"
@@ -57,7 +58,7 @@
 {
 	va_list ap;
 	va_start(ap, fmt);
-	vfprintf(stderr, fmt, ap);
+	vsyslog(LOG_ERR, fmt, ap);
 	va_end(ap);
 }
 
diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux.py libselinux-2.0.46/src/selinux.py
--- nsalibselinux/src/selinux.py	2007-10-05 13:09:54.000000000 -0400
+++ libselinux-2.0.46/src/selinux.py	2008-01-08 05:00:39.000000000 -0500
@@ -1,5 +1,5 @@
 # This file was automatically generated by SWIG (http://www.swig.org).
-# Version 1.3.31
+# Version 1.3.33
 #
 # Don't modify this file, modify the SWIG interface instead.
 # This file is compatible with both classic and new-style classes.
Binary files nsalibselinux/src/selinux.pyc and libselinux-2.0.46/src/selinux.pyc differ
diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig.i libselinux-2.0.46/src/selinuxswig.i
--- nsalibselinux/src/selinuxswig.i	2007-10-01 09:54:35.000000000 -0400
+++ libselinux-2.0.46/src/selinuxswig.i	2008-01-08 05:00:22.000000000 -0500
@@ -10,6 +10,7 @@
 %apply int *OUTPUT { size_t * };
 
 %typedef unsigned mode_t;
+%typedef unsigned pid_t;
 
 %typemap(in, numinputs=0) (char ***names, int *len) (char **temp1, int temp2) {
 	$1 = &temp1;
diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinuxswig_wrap.c libselinux-2.0.46/src/selinuxswig_wrap.c
--- nsalibselinux/src/selinuxswig_wrap.c	2007-10-05 13:09:54.000000000 -0400
+++ libselinux-2.0.46/src/selinuxswig_wrap.c	2008-01-08 05:00:39.000000000 -0500
@@ -1,6 +1,6 @@
 /* ----------------------------------------------------------------------------
  * This file was automatically generated by SWIG (http://www.swig.org).
- * Version 1.3.31
+ * Version 1.3.33
  * 
  * This file is not intended to be easily readable and contains a number of 
  * coding conventions designed to improve portability and efficiency. Do not make
@@ -17,14 +17,14 @@
 
 /* template workaround for compilers that cannot correctly implement the C++ standard */
 #ifndef SWIGTEMPLATEDISAMBIGUATOR
-# if defined(__SUNPRO_CC)
-#   if (__SUNPRO_CC <= 0x560)
-#     define SWIGTEMPLATEDISAMBIGUATOR template
-#   else
-#     define SWIGTEMPLATEDISAMBIGUATOR 
-#   endif
+# if defined(__SUNPRO_CC) && (__SUNPRO_CC <= 0x560)
+#  define SWIGTEMPLATEDISAMBIGUATOR template
+# elif defined(__HP_aCC)
+/* Needed even with `aCC -AA' when `aCC -V' reports HP ANSI C++ B3910B A.03.55 */
+/* If we find a maximum version that requires this, the test would be __HP_aCC <= 35500 for A.03.55 */
+#  define SWIGTEMPLATEDISAMBIGUATOR template
 # else
-#   define SWIGTEMPLATEDISAMBIGUATOR 
+#  define SWIGTEMPLATEDISAMBIGUATOR
 # endif
 #endif
 
@@ -107,6 +107,12 @@
 # define _CRT_SECURE_NO_DEPRECATE
 #endif
 
+/* Deal with Microsoft's attempt at deprecating methods in the standard C++ library */
+#if !defined(SWIG_NO_SCL_SECURE_NO_DEPRECATE) && defined(_MSC_VER) && !defined(_SCL_SECURE_NO_DEPRECATE)
+# define _SCL_SECURE_NO_DEPRECATE
+#endif
+
+
 
 /* Python.h has to appear first */
 #include <Python.h>
@@ -343,7 +349,7 @@
     while ((*f2 == ' ') && (f2 != l2)) ++f2;
     if (*f1 != *f2) return (*f1 > *f2) ? 1 : -1;
   }
-  return (l1 - f1) - (l2 - f2);
+  return (int)((l1 - f1) - (l2 - f2));
 }
 
 /*
@@ -1090,14 +1096,14 @@
 /* Unpack the argument tuple */
 
 SWIGINTERN int
-SWIG_Python_UnpackTuple(PyObject *args, const char *name, int min, int max, PyObject **objs)
+SWIG_Python_UnpackTuple(PyObject *args, const char *name, Py_ssize_t min, Py_ssize_t max, PyObject **objs)
 {
   if (!args) {
     if (!min && !max) {
       return 1;
     } else {
       PyErr_Format(PyExc_TypeError, "%s expected %s%d arguments, got none", 
-		   name, (min == max ? "" : "at least "), min);
+		   name, (min == max ? "" : "at least "), (int)min);
       return 0;
     }
   }  
@@ -1105,14 +1111,14 @@
     PyErr_SetString(PyExc_SystemError, "UnpackTuple() argument list is not a tuple");
     return 0;
   } else {
-    register int l = PyTuple_GET_SIZE(args);
+    register Py_ssize_t l = PyTuple_GET_SIZE(args);
     if (l < min) {
       PyErr_Format(PyExc_TypeError, "%s expected %s%d arguments, got %d", 
-		   name, (min == max ? "" : "at least "), min, l);
+		   name, (min == max ? "" : "at least "), (int)min, (int)l);
       return 0;
     } else if (l > max) {
       PyErr_Format(PyExc_TypeError, "%s expected %s%d arguments, got %d", 
-		   name, (min == max ? "" : "at most "), max, l);
+		   name, (min == max ? "" : "at most "), (int)max, (int)l);
       return 0;
     } else {
       register int i;
@@ -1591,9 +1597,11 @@
     (unaryfunc)0,                 /*nb_float*/
     (unaryfunc)PySwigObject_oct,  /*nb_oct*/
     (unaryfunc)PySwigObject_hex,  /*nb_hex*/
-#if PY_VERSION_HEX >= 0x02020000
-    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 /* nb_inplace_add -> nb_inplace_true_divide */ 
-#elif PY_VERSION_HEX >= 0x02000000
+#if PY_VERSION_HEX >= 0x02050000 /* 2.5.0 */
+    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 /* nb_inplace_add -> nb_index */
+#elif PY_VERSION_HEX >= 0x02020000 /* 2.2.0 */
+    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 /* nb_inplace_add -> nb_inplace_true_divide */
+#elif PY_VERSION_HEX >= 0x02000000 /* 2.0.0 */
     0,0,0,0,0,0,0,0,0,0,0 /* nb_inplace_add -> nb_inplace_or */
 #endif
   };
@@ -2458,14 +2466,13 @@
 #define SWIGTYPE_p_int swig_types[7]
 #define SWIGTYPE_p_p_char swig_types[8]
 #define SWIGTYPE_p_p_p_char swig_types[9]
-#define SWIGTYPE_p_pid_t swig_types[10]
-#define SWIGTYPE_p_security_class_mapping swig_types[11]
-#define SWIGTYPE_p_selinux_callback swig_types[12]
-#define SWIGTYPE_p_selinux_opt swig_types[13]
-#define SWIGTYPE_p_unsigned_int swig_types[14]
-#define SWIGTYPE_p_unsigned_short swig_types[15]
-static swig_type_info *swig_types[17];
-static swig_module_info swig_module = {swig_types, 16, 0, 0, 0, 0};
+#define SWIGTYPE_p_security_class_mapping swig_types[10]
+#define SWIGTYPE_p_selinux_callback swig_types[11]
+#define SWIGTYPE_p_selinux_opt swig_types[12]
+#define SWIGTYPE_p_unsigned_int swig_types[13]
+#define SWIGTYPE_p_unsigned_short swig_types[14]
+static swig_type_info *swig_types[16];
+static swig_module_info swig_module = {swig_types, 15, 0, 0, 0, 0};
 #define SWIG_TypeQuery(name) SWIG_TypeQueryModule(&swig_module, &swig_module, name)
 #define SWIG_MangledTypeQuery(name) SWIG_MangledTypeQueryModule(&swig_module, &swig_module, name)
 
@@ -2484,7 +2491,7 @@
 
 #define SWIG_name    "_selinux"
 
-#define SWIGVERSION 0x010331 
+#define SWIGVERSION 0x010333 
 #define SWIG_VERSION SWIGVERSION
 
 
@@ -2577,14 +2584,12 @@
 
 
 #include <limits.h>
-#ifndef LLONG_MIN
-# define LLONG_MIN	LONG_LONG_MIN
-#endif
-#ifndef LLONG_MAX
-# define LLONG_MAX	LONG_LONG_MAX
-#endif
-#ifndef ULLONG_MAX
-# define ULLONG_MAX	ULONG_LONG_MAX
+#if !defined(SWIG_NO_LLONG_MAX)
+# if !defined(LLONG_MAX) && defined(__GNUC__) && defined (__LONG_LONG_MAX__)
+#   define LLONG_MAX __LONG_LONG_MAX__
+#   define LLONG_MIN (-LLONG_MAX - 1LL)
+#   define ULLONG_MAX (LLONG_MAX * 2ULL + 1ULL)
+# endif
 #endif
 
 
@@ -2669,13 +2674,18 @@
 
 
 SWIGINTERN int
-SWIG_AsVal_long (PyObject *obj, long* val)
+SWIG_AsVal_unsigned_SS_long (PyObject *obj, unsigned long *val) 
 {
   if (PyInt_Check(obj)) {
-    if (val) *val = PyInt_AsLong(obj);
-    return SWIG_OK;
+    long v = PyInt_AsLong(obj);
+    if (v >= 0) {
+      if (val) *val = v;
+      return SWIG_OK;
+    } else {
+      return SWIG_OverflowError;
+    }
   } else if (PyLong_Check(obj)) {
-    long v = PyLong_AsLong(obj);
+    unsigned long v = PyLong_AsUnsignedLong(obj);
     if (!PyErr_Occurred()) {
       if (val) *val = v;
       return SWIG_OK;
@@ -2686,7 +2696,7 @@
 #ifdef SWIG_PYTHON_CAST_MODE
   {
     int dispatch = 0;
-    long v = PyInt_AsLong(obj);
+    unsigned long v = PyLong_AsUnsignedLong(obj);
     if (!PyErr_Occurred()) {
       if (val) *val = v;
       return SWIG_AddCast(SWIG_OK);
@@ -2696,8 +2706,8 @@
     if (!dispatch) {
       double d;
       int res = SWIG_AddCast(SWIG_AsVal_double (obj,&d));
-      if (SWIG_IsOK(res) && SWIG_CanCastAsInteger(&d, LONG_MIN, LONG_MAX)) {
-	if (val) *val = (long)(d);
+      if (SWIG_IsOK(res) && SWIG_CanCastAsInteger(&d, 0, ULONG_MAX)) {
+	if (val) *val = (unsigned long)(d);
 	return res;
       }
     }
@@ -2708,15 +2718,15 @@
 
 
 SWIGINTERN int
-SWIG_AsVal_int (PyObject * obj, int *val)
+SWIG_AsVal_unsigned_SS_int (PyObject * obj, unsigned int *val)
 {
-  long v;
-  int res = SWIG_AsVal_long (obj, &v);
+  unsigned long v;
+  int res = SWIG_AsVal_unsigned_SS_long (obj, &v);
   if (SWIG_IsOK(res)) {
-    if ((v < INT_MIN || v > INT_MAX)) {
+    if ((v > UINT_MAX)) {
       return SWIG_OverflowError;
     } else {
-      if (val) *val = (int)(v);
+      if (val) *val = (unsigned int)(v);
     }
   }  
   return res;
@@ -2724,18 +2734,13 @@
 
 
 SWIGINTERN int
-SWIG_AsVal_unsigned_SS_long (PyObject *obj, unsigned long *val) 
+SWIG_AsVal_long (PyObject *obj, long* val)
 {
   if (PyInt_Check(obj)) {
-    long v = PyInt_AsLong(obj);
-    if (v >= 0) {
-      if (val) *val = v;
-      return SWIG_OK;
-    } else {
-      return SWIG_OverflowError;
-    }
+    if (val) *val = PyInt_AsLong(obj);
+    return SWIG_OK;
   } else if (PyLong_Check(obj)) {
-    unsigned long v = PyLong_AsUnsignedLong(obj);
+    long v = PyLong_AsLong(obj);
     if (!PyErr_Occurred()) {
       if (val) *val = v;
       return SWIG_OK;
@@ -2746,7 +2751,7 @@
 #ifdef SWIG_PYTHON_CAST_MODE
   {
     int dispatch = 0;
-    unsigned long v = PyLong_AsUnsignedLong(obj);
+    long v = PyInt_AsLong(obj);
     if (!PyErr_Occurred()) {
       if (val) *val = v;
       return SWIG_AddCast(SWIG_OK);
@@ -2756,8 +2761,8 @@
     if (!dispatch) {
       double d;
       int res = SWIG_AddCast(SWIG_AsVal_double (obj,&d));
-      if (SWIG_IsOK(res) && SWIG_CanCastAsInteger(&d, 0, ULONG_MAX)) {
-	if (val) *val = (unsigned long)(d);
+      if (SWIG_IsOK(res) && SWIG_CanCastAsInteger(&d, LONG_MIN, LONG_MAX)) {
+	if (val) *val = (long)(d);
 	return res;
       }
     }
@@ -2768,15 +2773,15 @@
 
 
 SWIGINTERN int
-SWIG_AsVal_unsigned_SS_int (PyObject * obj, unsigned int *val)
+SWIG_AsVal_int (PyObject * obj, int *val)
 {
-  unsigned long v;
-  int res = SWIG_AsVal_unsigned_SS_long (obj, &v);
+  long v;
+  int res = SWIG_AsVal_long (obj, &v);
   if (SWIG_IsOK(res)) {
-    if ((v > UINT_MAX)) {
+    if ((v < INT_MIN || v > INT_MAX)) {
       return SWIG_OverflowError;
     } else {
-      if (val) *val = (unsigned int)(v);
+      if (val) *val = (int)(v);
     }
   }  
   return res;
@@ -2986,24 +2991,18 @@
   pid_t arg1 ;
   security_context_t *arg2 = (security_context_t *) 0 ;
   int result;
-  void *argp1 ;
-  int res1 = 0 ;
+  unsigned int val1 ;
+  int ecode1 = 0 ;
   security_context_t temp2 = 0 ;
   PyObject * obj0 = 0 ;
   
   arg2 = &temp2;
   if (!PyArg_ParseTuple(args,(char *)"O:getpidcon",&obj0)) SWIG_fail;
-  {
-    res1 = SWIG_ConvertPtr(obj0, &argp1, SWIGTYPE_p_pid_t,  0 );
-    if (!SWIG_IsOK(res1)) {
-      SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "getpidcon" "', argument " "1"" of type '" "pid_t""'"); 
-    }  
-    if (!argp1) {
-      SWIG_exception_fail(SWIG_ValueError, "invalid null reference " "in method '" "getpidcon" "', argument " "1"" of type '" "pid_t""'");
-    } else {
-      arg1 = *((pid_t *)(argp1));
-    }
-  }
+  ecode1 = SWIG_AsVal_unsigned_SS_int(obj0, &val1);
+  if (!SWIG_IsOK(ecode1)) {
+    SWIG_exception_fail(SWIG_ArgError(ecode1), "in method '" "getpidcon" "', argument " "1"" of type '" "pid_t""'");
+  } 
+  arg1 = (pid_t)(val1);
   result = (int)getpidcon(arg1,arg2);
   resultobj = SWIG_From_int((int)(result));
   if (*arg2) {
@@ -3025,24 +3024,18 @@
   pid_t arg1 ;
   security_context_t *arg2 = (security_context_t *) 0 ;
   int result;
-  void *argp1 ;
-  int res1 = 0 ;
+  unsigned int val1 ;
+  int ecode1 = 0 ;
   security_context_t temp2 = 0 ;
   PyObject * obj0 = 0 ;
   
   arg2 = &temp2;
   if (!PyArg_ParseTuple(args,(char *)"O:getpidcon_raw",&obj0)) SWIG_fail;
-  {
-    res1 = SWIG_ConvertPtr(obj0, &argp1, SWIGTYPE_p_pid_t,  0 );
-    if (!SWIG_IsOK(res1)) {
-      SWIG_exception_fail(SWIG_ArgError(res1), "in method '" "getpidcon_raw" "', argument " "1"" of type '" "pid_t""'"); 
-    }  
-    if (!argp1) {
-      SWIG_exception_fail(SWIG_ValueError, "invalid null reference " "in method '" "getpidcon_raw" "', argument " "1"" of type '" "pid_t""'");
-    } else {
-      arg1 = *((pid_t *)(argp1));
-    }
-  }
+  ecode1 = SWIG_AsVal_unsigned_SS_int(obj0, &val1);
+  if (!SWIG_IsOK(ecode1)) {
+    SWIG_exception_fail(SWIG_ArgError(ecode1), "in method '" "getpidcon_raw" "', argument " "1"" of type '" "pid_t""'");
+  } 
+  arg1 = (pid_t)(val1);
   result = (int)getpidcon_raw(arg1,arg2);
   resultobj = SWIG_From_int((int)(result));
   if (*arg2) {
@@ -8149,7 +8142,7 @@
 /* -------- TYPE CONVERSION AND EQUIVALENCE RULES (BEGIN) -------- */
 
 static swig_type_info _swigt__p_SELboolean = {"_p_SELboolean", "SELboolean *", 0, 0, (void*)0, 0};
-static swig_type_info _swigt__p_av_decision = {"_p_av_decision", "struct av_decision *", 0, 0, (void*)0, 0};
+static swig_type_info _swigt__p_av_decision = {"_p_av_decision", "struct av_decision *|av_decision *", 0, 0, (void*)0, 0};
 static swig_type_info _swigt__p_char = {"_p_char", "char *", 0, 0, (void*)0, 0};
 static swig_type_info _swigt__p_f_int_p_q_const__char_v_______int = {"_p_f_int_p_q_const__char_v_______int", "int (*)(int,char const *,...)", 0, 0, (void*)0, 0};
 static swig_type_info _swigt__p_f_p_p_char__int = {"_p_f_p_p_char__int", "int (*)(char **)|int (*)(security_context_t *)", 0, 0, (void*)0, 0};
@@ -8158,12 +8151,11 @@
 static swig_type_info _swigt__p_int = {"_p_int", "int *", 0, 0, (void*)0, 0};
 static swig_type_info _swigt__p_p_char = {"_p_p_char", "char **|security_context_t *", 0, 0, (void*)0, 0};
 static swig_type_info _swigt__p_p_p_char = {"_p_p_p_char", "char ***|security_context_t **", 0, 0, (void*)0, 0};
-static swig_type_info _swigt__p_pid_t = {"_p_pid_t", "pid_t *", 0, 0, (void*)0, 0};
-static swig_type_info _swigt__p_security_class_mapping = {"_p_security_class_mapping", "struct security_class_mapping *", 0, 0, (void*)0, 0};
-static swig_type_info _swigt__p_selinux_callback = {"_p_selinux_callback", "union selinux_callback *", 0, 0, (void*)0, 0};
-static swig_type_info _swigt__p_selinux_opt = {"_p_selinux_opt", "selinux_opt *", 0, 0, (void*)0, 0};
-static swig_type_info _swigt__p_unsigned_int = {"_p_unsigned_int", "unsigned int *|access_vector_t *", 0, 0, (void*)0, 0};
-static swig_type_info _swigt__p_unsigned_short = {"_p_unsigned_short", "unsigned short *|security_class_t *", 0, 0, (void*)0, 0};
+static swig_type_info _swigt__p_security_class_mapping = {"_p_security_class_mapping", "struct security_class_mapping *|security_class_mapping *", 0, 0, (void*)0, 0};
+static swig_type_info _swigt__p_selinux_callback = {"_p_selinux_callback", "union selinux_callback *|selinux_callback *", 0, 0, (void*)0, 0};
+static swig_type_info _swigt__p_selinux_opt = {"_p_selinux_opt", "struct selinux_opt *|selinux_opt *", 0, 0, (void*)0, 0};
+static swig_type_info _swigt__p_unsigned_int = {"_p_unsigned_int", "unsigned int *|access_vector_t *|mode_t *|pid_t *", 0, 0, (void*)0, 0};
+static swig_type_info _swigt__p_unsigned_short = {"_p_unsigned_short", "security_class_t *|unsigned short *", 0, 0, (void*)0, 0};
 
 static swig_type_info *swig_type_initial[] = {
   &_swigt__p_SELboolean,
@@ -8176,7 +8168,6 @@
   &_swigt__p_int,
   &_swigt__p_p_char,
   &_swigt__p_p_p_char,
-  &_swigt__p_pid_t,
   &_swigt__p_security_class_mapping,
   &_swigt__p_selinux_callback,
   &_swigt__p_selinux_opt,
@@ -8194,7 +8185,6 @@
 static swig_cast_info _swigc__p_int[] = {  {&_swigt__p_int, 0, 0, 0},{0, 0, 0, 0}};
 static swig_cast_info _swigc__p_p_char[] = {  {&_swigt__p_p_char, 0, 0, 0},{0, 0, 0, 0}};
 static swig_cast_info _swigc__p_p_p_char[] = {  {&_swigt__p_p_p_char, 0, 0, 0},{0, 0, 0, 0}};
-static swig_cast_info _swigc__p_pid_t[] = {  {&_swigt__p_pid_t, 0, 0, 0},{0, 0, 0, 0}};
 static swig_cast_info _swigc__p_security_class_mapping[] = {  {&_swigt__p_security_class_mapping, 0, 0, 0},{0, 0, 0, 0}};
 static swig_cast_info _swigc__p_selinux_callback[] = {  {&_swigt__p_selinux_callback, 0, 0, 0},{0, 0, 0, 0}};
 static swig_cast_info _swigc__p_selinux_opt[] = {  {&_swigt__p_selinux_opt, 0, 0, 0},{0, 0, 0, 0}};
@@ -8212,7 +8202,6 @@
   _swigc__p_int,
   _swigc__p_p_char,
   _swigc__p_p_p_char,
-  _swigc__p_pid_t,
   _swigc__p_security_class_mapping,
   _swigc__p_selinux_callback,
   _swigc__p_selinux_opt,
diff --exclude-from=exclude -N -u -r nsalibselinux/utils/matchpathcon.c libselinux-2.0.46/utils/matchpathcon.c
--- nsalibselinux/utils/matchpathcon.c	2007-07-16 14:20:45.000000000 -0400
+++ libselinux-2.0.46/utils/matchpathcon.c	2008-01-03 15:23:32.000000000 -0500
@@ -17,10 +17,24 @@
 	exit(1);
 }
 
+static void
+#ifdef __GNUC__
+    __attribute__ ((format(printf, 1, 2)))
+#endif
+    myprintf(const char *fmt, ...)
+{
+	va_list ap;
+	va_start(ap, fmt);
+	vfprintf(stderr, fmt, ap);
+	va_end(ap);
+}
+
 int printmatchpathcon(char *path, int header, int mode)
 {
 	char *buf;
-	int rc = matchpathcon(path, mode, &buf);
+	int rc;
+	set_matchpathcon_printf(myprintf);
+	rc = matchpathcon(path, mode, &buf);
 	if (rc < 0) {
 		fprintf(stderr, "matchpathcon(%s) failed: %s\n", path,
 			strerror(errno));

--- nsaserefpolicy/policy/modules/services/inetd.te	2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/inetd.te	2007-12-19 05:38:09.000000000 -0500
@@ -30,6 +30,10 @@
 type inetd_child_var_run_t;
 files_pid_file(inetd_child_var_run_t)
 
+ifdef(`enable_mcs',`
+	init_ranged_daemon_domain(inetd_t,inetd_exec_t,s0 - mcs_systemhigh)
+')
+
 ########################################
 #
 # Local policy
@@ -84,6 +88,7 @@
 corenet_udp_bind_ftp_port(inetd_t)
 corenet_tcp_bind_inetd_child_port(inetd_t)
 corenet_udp_bind_inetd_child_port(inetd_t)
+corenet_tcp_bind_ircd_port(inetd_t)
 corenet_udp_bind_ktalkd_port(inetd_t)
 corenet_tcp_bind_printer_port(inetd_t)
 corenet_udp_bind_rlogind_port(inetd_t)
@@ -137,6 +142,7 @@
 miscfiles_read_localization(inetd_t)
 
 # xinetd needs MLS override privileges to work
+mls_fd_use_all_levels(inetd_t)
 mls_fd_share_all_levels(inetd_t)
 mls_socket_read_to_clearance(inetd_t)
 mls_socket_write_to_clearance(inetd_t)
@@ -164,6 +170,7 @@
 ')
 
 optional_policy(`
+	unconfined_domain(inetd_t)
 	unconfined_domtrans(inetd_t)
 ')
 
@@ -180,6 +187,9 @@
 # for identd
 allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 allow inetd_child_t self:capability { setuid setgid };
+allow inetd_child_t self:dir search;
+allow inetd_child_t self:{ lnk_file file } { getattr read };
+
 files_search_home(inetd_child_t)
 
 manage_dirs_pattern(inetd_child_t,inetd_child_tmp_t,inetd_child_tmp_t)
@@ -226,3 +236,7 @@
 optional_policy(`
 	unconfined_domain(inetd_child_t)
 ')
+
+optional_policy(`
+	inetd_service_domain(inetd_child_t,bin_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.2.5/policy/modules/services/inn.te
--- nsaserefpolicy/policy/modules/services/inn.te	2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/inn.te	2007-12-19 15:36:20.000000000 -0500
@@ -22,7 +22,7 @@
 files_pid_file(innd_var_run_t)
 
 type news_spool_t;
-files_type(news_spool_t)
+files_mountpoint(news_spool_t)
 
 ########################################
 #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.2.5/policy/modules/services/kerberos.fc
--- nsaserefpolicy/policy/modules/services/kerberos.fc	2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/kerberos.fc	2007-12-19 05:38:09.000000000 -0500
@@ -16,3 +16,4 @@
 
 /var/log/krb5kdc\.log			gen_context(system_u:object_r:krb5kdc_log_t,s0)
 /var/log/kadmin(d)?\.log		gen_context(system_u:object_r:kadmind_log_t,s0)
+/var/tmp/host_0			-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.2.5/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if	2007-07-16 14:09:46.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/kerberos.if	2007-12-19 05:38:09.000000000 -0500
@@ -43,7 +43,13 @@
 	dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
 	dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
 
+	#kerberos libraries are attempting to set the correct file context
+	dontaudit $1 self:process setfscreate;
+	seutil_dontaudit_read_file_contexts($1)
+
 	tunable_policy(`allow_kerberos',`
+		fs_rw_tmpfs_files($1)
+	
 		allow $1 self:tcp_socket create_socket_perms;
 		allow $1 self:udp_socket create_socket_perms;
 
@@ -61,11 +67,7 @@
 		corenet_tcp_connect_ocsp_port($1)
 		corenet_sendrecv_kerberos_client_packets($1)
 		corenet_sendrecv_ocsp_client_packets($1)
-
-		sysnet_read_config($1)
-		sysnet_dns_name_resolve($1)
 	')
-
 	optional_policy(`
 		tunable_policy(`allow_kerberos',`
 			pcscd_stream_connect($1)
@@ -172,3 +174,51 @@
 	allow $1 krb5kdc_conf_t:file read_file_perms;
 
 ')
+
+########################################
+## <summary>
+##	Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`kerberos_manage_host_rcache',`
+	gen_require(`
+		type krb5_host_rcache_t;
+	')
+
+	tunable_policy(`allow_kerberos',`
+		files_search_tmp($1)
+		allow $1 self:process setfscreate;
+		selinux_validate_context($1)
+		seutil_read_file_contexts($1)
+		allow $1 krb5_host_rcache_t:file manage_file_perms;
+	')
+	# creates files as system_u no matter what the selinux user
+	domain_obj_id_change_exemption($1)
+')
+
+########################################
+## <summary>
+##	Connect to krb524 service
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kerberos_524_connect',`
+	tunable_policy(`allow_kerberos',`
+		allow $1 self:udp_socket create_socket_perms;
+                corenet_all_recvfrom_unlabeled($1)
+		corenet_udp_sendrecv_all_if($1)
+		corenet_udp_sendrecv_all_nodes($1)
+		corenet_udp_sendrecv_kerberos_master_port($1)
+		corenet_udp_bind_all_nodes($1)
+	')
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.2.5/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te	2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/kerberos.te	2007-12-19 05:38:09.000000000 -0500
@@ -54,6 +54,9 @@
 type krb5kdc_var_run_t;
 files_pid_file(krb5kdc_var_run_t)
 
+type krb5_host_rcache_t;
+files_tmp_file(krb5_host_rcache_t)
+
 ########################################
 #
 # kadmind local policy
@@ -62,7 +65,7 @@
 # Use capabilities. Surplus capabilities may be allowed.
 allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
 dontaudit kadmind_t self:capability sys_tty_config;
-allow kadmind_t self:process signal_perms;
+allow kadmind_t self:process { setfscreate signal_perms };
 allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
 allow kadmind_t self:unix_dgram_socket { connect create write };
 allow kadmind_t self:tcp_socket connected_stream_socket_perms;
@@ -91,6 +94,7 @@
 kernel_read_kernel_sysctls(kadmind_t)
 kernel_list_proc(kadmind_t)
 kernel_read_proc_symlinks(kadmind_t)
+kernel_read_system_state(kadmind_t)
 
 corenet_all_recvfrom_unlabeled(kadmind_t)
 corenet_all_recvfrom_netlabel(kadmind_t)
@@ -118,6 +122,9 @@
 domain_use_interactive_fds(kadmind_t)
 
 files_read_etc_files(kadmind_t)
+files_read_usr_symlinks(kadmind_t)
+files_read_usr_files(kadmind_t)
+files_read_var_files(kadmind_t)
 
 libs_use_ld_so(kadmind_t)
 libs_use_shared_libs(kadmind_t)
@@ -127,6 +134,7 @@
 miscfiles_read_localization(kadmind_t)
 
 sysnet_read_config(kadmind_t)
+sysnet_use_ldap(kadmind_t)
 
 userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
 userdom_dontaudit_search_sysadm_home_dirs(kadmind_t)
@@ -137,6 +145,7 @@
 
 optional_policy(`
 	seutil_sigchld_newrole(kadmind_t)
+	seutil_read_file_contexts(kadmind_t)
 ')
 
 optional_policy(`
@@ -151,7 +160,7 @@
 # Use capabilities. Surplus capabilities may be allowed.
 allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
 dontaudit krb5kdc_t self:capability sys_tty_config;
-allow krb5kdc_t self:process { setsched getsched signal_perms };
+allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms };
 allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
 allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
 allow krb5kdc_t self:udp_socket create_socket_perms;
@@ -223,6 +232,7 @@
 miscfiles_read_localization(krb5kdc_t)
 
 sysnet_read_config(krb5kdc_t)
+sysnet_use_ldap(krb5kdc_t)
 
 userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
 userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t)
@@ -233,6 +243,7 @@
 
 optional_policy(`
 	seutil_sigchld_newrole(krb5kdc_t)
+	seutil_read_file_contexts(krb5kdc_t)
 ')
 
 optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-3.2.5/policy/modules/services/lpd.if
--- nsaserefpolicy/policy/modules/services/lpd.if	2007-11-16 13:45:14.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/lpd.if	2007-12-31 06:40:50.000000000 -0500
@@ -336,10 +336,8 @@
 	')
 
 	files_search_spool($1)
+	manage_dirs_pattern($1,print_spool_t,print_spool_t)
 	manage_files_pattern($1,print_spool_t,print_spool_t)
-
-	# cjp: cups wants setattr
-	allow $1 print_spool_t:dir setattr;
 ')
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.2.5/policy/modules/services/mailman.if
--- nsaserefpolicy/policy/modules/services/mailman.if	2007-12-04 11:02:50.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mailman.if	2007-12-31 14:18:13.000000000 -0500
@@ -211,6 +211,7 @@
 		type mailman_data_t;
 	')
 
+	manage_dirs_pattern($1,mailman_data_t,mailman_data_t)
 	manage_files_pattern($1,mailman_data_t,mailman_data_t)
 ')
 
@@ -252,6 +253,25 @@
 
 #######################################
 ## <summary>
+##	read
+##	mailman logs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mailman_read_log',`
+	gen_require(`
+		type mailman_log_t;
+	')
+
+	read_files_pattern($1,mailman_log_t,mailman_log_t)
+')
+
+#######################################
+## <summary>
 ##	Append to mailman logs.
 ## </summary>
 ## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.2.5/policy/modules/services/mailman.te
--- nsaserefpolicy/policy/modules/services/mailman.te	2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mailman.te	2007-12-19 05:38:09.000000000 -0500
@@ -53,10 +53,9 @@
 	apache_use_fds(mailman_cgi_t)
 	apache_dontaudit_append_log(mailman_cgi_t)
 	apache_search_sys_script_state(mailman_cgi_t)
+	apache_read_config(mailman_cgi_t)
+	apache_dontaudit_rw_stream_sockets(mailman_cgi_t)
 
-	optional_policy(`
-		nscd_socket_use(mailman_cgi_t)
-	')
 ')
 
 ########################################
@@ -65,6 +64,10 @@
 #
 
 allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
+allow mailman_mail_t initrc_t:process signal;
+allow mailman_mail_t self:capability { setuid setgid };
+
+files_search_spool(mailman_mail_t)
 
 mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.fc serefpolicy-3.2.5/policy/modules/services/mailscanner.fc
--- nsaserefpolicy/policy/modules/services/mailscanner.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mailscanner.fc	2007-12-19 05:38:09.000000000 -0500
@@ -0,0 +1,2 @@
+/var/spool/MailScanner(/.*)?	gen_context(system_u:object_r:mailscanner_spool_t,s0)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.if serefpolicy-3.2.5/policy/modules/services/mailscanner.if
--- nsaserefpolicy/policy/modules/services/mailscanner.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mailscanner.if	2007-12-19 05:38:09.000000000 -0500
@@ -0,0 +1,59 @@
+## <summary>Anti-Virus and Anti-Spam Filter</summary>
+
+########################################
+## <summary>
+##	Search mailscanner spool directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mailscanner_search_spool',`
+	gen_require(`
+		type mailscanner_spool_t;
+	')
+
+	files_search_spool($1)
+	allow $1 mailscanner_spool_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	read mailscanner spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mailscanner_read_spool',`
+	gen_require(`
+		type mailscanner_spool_t;
+	')
+
+	files_search_spool($1)
+	read_files_pattern($1,mailscanner_spool_t,mailscanner_spool_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	mailscanner spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mailscanner_manage_spool',`
+	gen_require(`
+		type mailscanner_spool_t;
+	')
+
+	files_search_spool($1)
+	manage_files_pattern($1,mailscanner_spool_t,mailscanner_spool_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.te serefpolicy-3.2.5/policy/modules/services/mailscanner.te
--- nsaserefpolicy/policy/modules/services/mailscanner.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mailscanner.te	2007-12-19 05:38:09.000000000 -0500
@@ -0,0 +1,5 @@
+
+policy_module(mailscanner,1.0.0)
+
+type mailscanner_spool_t;
+files_type(mailscanner_spool_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.2.5/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if	2007-12-06 13:12:03.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mta.if	2008-01-04 10:12:33.000000000 -0500
@@ -133,6 +133,12 @@
 		sendmail_create_log($1_mail_t)
 	')
 
+	optional_policy(`
+		exim_read_log($1_mail_t)
+		exim_append_log($1_mail_t)
+		exim_manage_spool_files($1_mail_t)
+	')
+
 ')
 
 #######################################
@@ -217,6 +223,15 @@
 	tunable_policy(`use_samba_home_dirs',`
 		fs_manage_cifs_files($1_mail_t)
 		fs_manage_cifs_symlinks($1_mail_t)
+		fs_manage_cifs_files(mailserver_delivery)
+		fs_manage_cifs_symlinks(mailserver_delivery)
+	')
+
+	tunable_policy(`use_nfs_home_dirs',`
+		fs_manage_nfs_files($1_mail_t)
+		fs_manage_nfs_symlinks($1_mail_t)
+		fs_manage_nfs_files(mailserver_delivery)
+		fs_manage_nfs_symlinks(mailserver_delivery)
 	')
 
 	optional_policy(`
@@ -305,6 +320,42 @@
 
 ########################################
 ## <summary>
+##	Make the specified type usable for a mta_send_mail.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to be used as a mail client.
+##	</summary>
+## </param>
+#
+interface(`mta_mailclient',`
+	gen_require(`
+		attribute mailclient_exec_type;
+	')
+
+	typeattribute $1 mailclient_exec_type;
+')
+
+########################################
+## <summary>
+##	Make the specified type readable for a system_mail_t
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to be used as a mail client.
+##	</summary>
+## </param>
+#
+interface(`mta_mailcontent',`
+	gen_require(`
+		attribute mailcontent_type;
+	')
+
+	typeattribute $1 mailcontent_type;
+')
+
+########################################
+## <summary>
 ##	Modified mailserver interface for
 ##	sendmail daemon use.
 ## </summary>
@@ -383,11 +434,13 @@
 	allow $1 mail_spool_t:dir list_dir_perms;
 	create_files_pattern($1,mail_spool_t,mail_spool_t)
 	read_files_pattern($1,mail_spool_t,mail_spool_t)
+	append_files_pattern($1,mail_spool_t,mail_spool_t)
 	create_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
 	read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
 
 	optional_policy(`
 		dovecot_manage_spool($1)
+		dovecot_domtrans_deliver($1)
 	')
 
 	optional_policy(`
@@ -422,6 +475,7 @@
 		# apache should set close-on-exec
 		apache_dontaudit_rw_stream_sockets($1)
 		apache_dontaudit_rw_sys_script_stream_sockets($1)
+		apache_append_log($1)
 	')
 ')
 
@@ -438,20 +492,18 @@
 interface(`mta_send_mail',`
 	gen_require(`
 		attribute mta_user_agent;
-		type system_mail_t, sendmail_exec_t;
+		type system_mail_t;
+		attribute mailclient_exec_type;
 	')
 
-	allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms;
-	domain_auto_trans($1, sendmail_exec_t, system_mail_t)
-
-	allow $1 system_mail_t:fd use;
-	allow system_mail_t $1:fd use;
-	allow system_mail_t $1:fifo_file rw_file_perms;
-	allow system_mail_t $1:process sigchld;
+	allow $1 mailclient_exec_type:lnk_file read_lnk_file_perms;
+	domtrans_pattern($1, mailclient_exec_type, system_mail_t)
+	allow system_mail_t mailclient_exec_type:file entrypoint;
 
 	allow mta_user_agent $1:fd use;
 	allow mta_user_agent $1:process sigchld;
 	allow mta_user_agent $1:fifo_file { read write };
+
 ')
 
 ########################################
@@ -586,6 +638,25 @@
 	files_search_etc($1)
 	allow $1 etc_aliases_t:file { rw_file_perms setattr };
 ')
+########################################
+## <summary>
+##	manage mail aliases.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mta_manage_aliases',`
+	gen_require(`
+		type etc_aliases_t;
+	')
+
+	files_search_etc($1)
+	allow $1 etc_aliases_t:file manage_file_perms;
+')
 
 #######################################
 ## <summary>
@@ -837,6 +908,25 @@
 
 ########################################
 ## <summary>
+##	read mail queue files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_read_queue',`
+	gen_require(`
+		type mqueue_spool_t;
+	')
+
+	files_search_spool($1)
+	read_files_pattern($1,mqueue_spool_t,mqueue_spool_t)
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete
 ##	mail queue files.
 ## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.2.5/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te	2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mta.te	2007-12-19 05:38:09.000000000 -0500
@@ -6,6 +6,8 @@
 # Declarations
 #
 
+attribute mailcontent_type;
+attribute mailclient_exec_type;
 attribute mta_user_agent;
 attribute mailserver_delivery;
 attribute mailserver_domain;
@@ -27,6 +29,7 @@
 
 type sendmail_exec_t;
 application_executable_file(sendmail_exec_t)
+mta_mailclient(sendmail_exec_t)
 
 mta_base_mail_template(system)
 role system_r types system_mail_t;
@@ -40,27 +43,40 @@
 allow system_mail_t self:capability { dac_override };
 
 read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t)
+read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type)
 
 kernel_read_system_state(system_mail_t)
 kernel_read_network_state(system_mail_t)
 
+dev_read_sysfs(system_mail_t)
 dev_read_rand(system_mail_t)
 dev_read_urand(system_mail_t)
 
+fs_rw_anon_inodefs_files(system_mail_t)
+
+selinux_getattr_fs(system_mail_t)
+
 init_use_script_ptys(system_mail_t)
 
 userdom_use_sysadm_terms(system_mail_t)
 userdom_dontaudit_search_sysadm_home_dirs(system_mail_t)
+userdom_dontaudit_search_all_users_home_content(system_mail_t)
+
+optional_policy(`
+	apcupsd_read_tmp_files(system_mail_t)
+')
 
 optional_policy(`
 	apache_read_squirrelmail_data(system_mail_t)
 	apache_append_squirrelmail_data(system_mail_t)
+	apache_search_bugzilla_dirs(system_mail_t)
 
 	# apache should set close-on-exec
 	apache_dontaudit_append_log(system_mail_t)
 	apache_dontaudit_rw_stream_sockets(system_mail_t)
 	apache_dontaudit_rw_tcp_sockets(system_mail_t)
 	apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
+	apache_dontaudit_rw_bugzilla_script_stream_sockets(system_mail_t)
 ')
 
 optional_policy(`
@@ -73,6 +89,7 @@
 
 optional_policy(`
 	cron_read_system_job_tmp_files(system_mail_t)
+	cron_read_tmp_files(system_mail_t)
 	cron_dontaudit_write_pipes(system_mail_t)
 ')
 
@@ -81,6 +98,11 @@
 ')
 
 optional_policy(`
+	exim_domtrans(system_mail_t)
+	exim_manage_log(system_mail_t)
+')
+
+optional_policy(`
 	logrotate_read_tmp_files(system_mail_t)
 ')
 
@@ -136,6 +158,14 @@
 ')
 
 optional_policy(`
+	clamav_stream_connect(sendmail_t)
+')
+
+optional_policy(`
+	spamd_stream_connect(system_mail_t)
+')
+
+optional_policy(`
 	smartmon_read_tmp_files(system_mail_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.2.5/policy/modules/services/munin.fc
--- nsaserefpolicy/policy/modules/services/munin.fc	2007-04-30 10:41:38.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/munin.fc	2007-12-31 05:55:51.000000000 -0500
@@ -6,6 +6,7 @@
 /usr/share/munin/plugins/.*	--	gen_context(system_u:object_r:munin_exec_t,s0)
 
 /var/lib/munin(/.*)?			gen_context(system_u:object_r:munin_var_lib_t,s0)
-/var/log/munin.*		--	gen_context(system_u:object_r:munin_log_t,s0)
+/var/log/munin.*			gen_context(system_u:object_r:munin_log_t,s0)
 /var/run/munin(/.*)?			gen_context(system_u:object_r:munin_var_run_t,s0)
-/var/www/munin(/.*)?			gen_context(system_u:object_r:munin_var_lib_t,s0)
+/var/www/html/munin(/.*)?		gen_context(system_u:object_r:httpd_munin_content_t,s0)
+/var/www/html/munin/cgi(/.*)?		gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.2.5/policy/modules/services/munin.te
--- nsaserefpolicy/policy/modules/services/munin.te	2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/munin.te	2007-12-31 06:15:20.000000000 -0500
@@ -37,14 +37,18 @@
 allow munin_t self:unix_dgram_socket { create_socket_perms sendto };
 allow munin_t self:tcp_socket create_stream_socket_perms;
 allow munin_t self:udp_socket create_socket_perms;
+allow munin_t self:fifo_file manage_fifo_file_perms;
+
+can_exec(munin_t, munin_exec_t)
 
 allow munin_t munin_etc_t:dir list_dir_perms;
 read_files_pattern(munin_t,munin_etc_t,munin_etc_t)
 read_lnk_files_pattern(munin_t,munin_etc_t,munin_etc_t)
 files_search_etc(munin_t)
 
-allow munin_t munin_log_t:file manage_file_perms;
-logging_log_filetrans(munin_t,munin_log_t,file)
+manage_dirs_pattern(munin_t, munin_log_t,  munin_log_t)
+manage_files_pattern(munin_t, munin_log_t,  munin_log_t)
+logging_log_filetrans(munin_t,munin_log_t,{ file dir })
 
 manage_dirs_pattern(munin_t,munin_tmp_t,munin_tmp_t)
 manage_files_pattern(munin_t,munin_tmp_t,munin_tmp_t)
@@ -73,6 +77,7 @@
 corenet_udp_sendrecv_all_nodes(munin_t)
 corenet_tcp_sendrecv_all_ports(munin_t)
 corenet_udp_sendrecv_all_ports(munin_t)
+corenet_tcp_connect_munin_port(munin_t)
 
 dev_read_sysfs(munin_t)
 dev_read_urand(munin_t)
@@ -91,6 +96,7 @@
 
 logging_send_syslog_msg(munin_t)
 
+miscfiles_read_fonts(munin_t)
 miscfiles_read_localization(munin_t)
 
 sysnet_read_config(munin_t)
@@ -118,3 +124,9 @@
 optional_policy(`
 	udev_read_db(munin_t)
 ')
+
+#============= http munin policy ==============
+apache_content_template(munin)
+
+manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
+manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.2.5/policy/modules/services/mysql.fc
--- nsaserefpolicy/policy/modules/services/mysql.fc	2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mysql.fc	2007-12-19 05:38:09.000000000 -0500
@@ -22,3 +22,5 @@
 /var/log/mysql.*	--	gen_context(system_u:object_r:mysqld_log_t,s0)
 
 /var/run/mysqld(/.*)?		gen_context(system_u:object_r:mysqld_var_run_t,s0)
+
+/etc/rc\.d/init\.d/mysqld	--	gen_context(system_u:object_r:mysqld_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.2.5/policy/modules/services/mysql.if
--- nsaserefpolicy/policy/modules/services/mysql.if	2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mysql.if	2007-12-19 05:38:09.000000000 -0500
@@ -157,3 +157,79 @@
 	logging_search_logs($1)
 	allow $1 mysqld_log_t:file { write append setattr ioctl };
 ')
+
+########################################
+## <summary>
+##	Execute mysql server in the mysqld domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`mysql_script_domtrans',`
+	gen_require(`
+		type mysqld_script_exec_t;
+	')
+
+	init_script_domtrans_spec($1,mysqld_script_exec_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate an mysql environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the mysql domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the mysql domain to use.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mysql_admin',`
+
+	gen_require(`
+		type mysqld_t;
+		type mysqld_var_run_t;
+		type mysqld_tmp_t; 
+		type mysqld_db_t;
+		type mysqld_etc_t;
+		type mysqld_log_t;
+		type mysqld_script_exec_t;
+	')
+
+	allow $1 mysqld_t:process { ptrace signal_perms getattr };
+	read_files_pattern($1, mysqld_t, mysqld_t)
+	
+	# Allow $1 to restart the apache service
+	mysql_script_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 mysqld_script_exec_t system_r;
+	allow $2 system_r;
+
+	manage_dirs_pattern($1,mysqld_var_run_t,mysqld_var_run_t)
+	manage_files_pattern($1,mysqld_var_run_t,mysqld_var_run_t)
+
+	manage_dirs_pattern($1,mysqld_db_t,mysqld_db_t)
+	manage_files_pattern($1,mysqld_db_t,mysqld_db_t)
+
+	manage_dirs_pattern($1,mysqld_etc_t,mysqld_etc_t)
+	manage_files_pattern($1,mysqld_etc_t,mysqld_etc_t)
+
+	manage_dirs_pattern($1,mysqld_log_t,mysqld_log_t)
+	manage_files_pattern($1,mysqld_log_t,mysqld_log_t)
+
+	manage_dirs_pattern($1,mysqld_tmp_t,mysqld_tmp_t)
+	manage_files_pattern($1,mysqld_tmp_t,mysqld_tmp_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.2.5/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te	2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/mysql.te	2007-12-31 16:45:48.000000000 -0500
@@ -1,4 +1,3 @@
-
 policy_module(mysql,1.6.0)
 
 ########################################
@@ -25,6 +24,9 @@
 type mysqld_tmp_t;
 files_tmp_file(mysqld_tmp_t)
 
+type mysqld_script_exec_t;
+init_script_type(mysqld_script_exec_t)
+
 ########################################
 #
 # Local policy
@@ -33,7 +35,8 @@
 allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service };
 dontaudit mysqld_t self:capability sys_tty_config;
 allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
-allow mysqld_t self:fifo_file { read write };
+allow mysqld_t self:fifo_file rw_fifo_file_perms;
+allow mysqld_t self:shm create_shm_perms;
 allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
 allow mysqld_t self:tcp_socket create_stream_socket_perms;
 allow mysqld_t self:udp_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.2.5/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc	2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/nagios.fc	2007-12-19 05:38:09.000000000 -0500
@@ -4,13 +4,15 @@
 /usr/bin/nagios			--	gen_context(system_u:object_r:nagios_exec_t,s0)
 /usr/bin/nrpe			--	gen_context(system_u:object_r:nrpe_exec_t,s0)
 
-/usr/lib(64)?/cgi-bin/netsaint/.+ --	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
-/usr/lib(64)?/nagios/cgi/.+	--	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
+/usr/lib(64)?/cgi-bin/netsaint(/.*)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+/usr/lib(64)?/nagios/cgi(/.*)?		gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
 
 /var/log/nagios(/.*)?			gen_context(system_u:object_r:nagios_log_t,s0)
 /var/log/netsaint(/.*)?			gen_context(system_u:object_r:nagios_log_t,s0)
 
+/var/spool/nagios(/.*)?			gen_context(system_u:object_r:nagios_spool_t,s0)
+
 ifdef(`distro_debian',`
 /usr/sbin/nagios		--	gen_context(system_u:object_r:nagios_exec_t,s0)
-/usr/lib/cgi-bin/nagios/.+	--	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
 ')
+/usr/lib(64)?/cgi-bin/nagios(/.+)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.2.5/policy/modules/services/nagios.if
--- nsaserefpolicy/policy/modules/services/nagios.if	2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/nagios.if	2007-12-19 05:38:09.000000000 -0500
@@ -44,25 +44,6 @@
 
 ########################################
 ## <summary>
-##	Execute the nagios CGI with
-##	a domain transition.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`nagios_domtrans_cgi',`
-	gen_require(`
-		type nagios_cgi_t, nagios_cgi_exec_t;
-	')
-
-	domtrans_pattern($1,nagios_cgi_exec_t,nagios_cgi_t)
-')
-
-########################################
-## <summary>
 ##	Execute the nagios NRPE with
 ##	a domain transition.
 ## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.2.5/policy/modules/services/nagios.te
--- nsaserefpolicy/policy/modules/services/nagios.te	2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/nagios.te	2007-12-19 05:38:09.000000000 -0500
@@ -8,11 +8,7 @@
 
 type nagios_t;
 type nagios_exec_t;
-init_daemon_domain(nagios_t, nagios_exec_t)
-
-type nagios_cgi_t;
-type nagios_cgi_exec_t;
-init_system_domain(nagios_cgi_t, nagios_cgi_exec_t)
+init_daemon_domain(nagios_t,nagios_exec_t)
 
 type nagios_etc_t;
 files_config_file(nagios_etc_t)
@@ -26,9 +22,12 @@
 type nagios_var_run_t;
 files_pid_file(nagios_var_run_t)
 
+type nagios_spool_t;
+files_type(nagios_spool_t)
+
 type nrpe_t;
 type nrpe_exec_t;
-init_daemon_domain(nrpe_t, nrpe_exec_t)
+init_daemon_domain(nrpe_t,nrpe_exec_t)
 
 type nrpe_etc_t;
 files_config_file(nrpe_etc_t)
@@ -60,6 +59,8 @@
 manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
 files_pid_filetrans(nagios_t, nagios_var_run_t, file)
 
+rw_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
+
 kernel_read_system_state(nagios_t)
 kernel_read_kernel_sysctls(nagios_t)
 
@@ -130,42 +131,31 @@
 #
 # Nagios CGI local policy
 #
+apache_content_template(nagios)
+typealias httpd_nagios_script_t alias nagios_cgi_t;
+typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t;
 
-allow nagios_cgi_t self:process signal_perms;
-allow nagios_cgi_t self:fifo_file rw_fifo_file_perms;
-
-read_files_pattern(nagios_cgi_t, nagios_t, nagios_t)
-read_lnk_files_pattern(nagios_cgi_t, nagios_t, nagios_t)
-
-allow nagios_cgi_t nagios_etc_t:dir list_dir_perms;
-read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t)
-read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_etc_t)
+allow httpd_nagios_script_t self:process signal_perms;
 
-allow nagios_cgi_t nagios_log_t:dir list_dir_perms;
-read_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t)
-read_lnk_files_pattern(nagios_cgi_t, nagios_etc_t, nagios_log_t)
+read_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
+read_lnk_files_pattern(httpd_nagios_script_t, nagios_t, nagios_t)
 
-kernel_read_system_state(nagios_cgi_t)
+allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms;
+read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t)
+read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_etc_t)
 
-corecmd_exec_bin(nagios_cgi_t)
+allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms;
+read_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
+read_lnk_files_pattern(httpd_nagios_script_t, nagios_etc_t, nagios_log_t)
 
-domain_dontaudit_read_all_domains_state(nagios_cgi_t)
+kernel_read_system_state(httpd_nagios_script_t)
 
-files_read_etc_files(nagios_cgi_t)
-files_read_etc_runtime_files(nagios_cgi_t)
-files_read_kernel_symbol_table(nagios_cgi_t)
+domain_dontaudit_read_all_domains_state(httpd_nagios_script_t)
 
-libs_use_ld_so(nagios_cgi_t)
-libs_use_shared_libs(nagios_cgi_t)
+files_read_etc_runtime_files(httpd_nagios_script_t)
+files_read_kernel_symbol_table(httpd_nagios_script_t)
 
-logging_send_syslog_msg(nagios_cgi_t)
-logging_search_logs(nagios_cgi_t)
-
-miscfiles_read_localization(nagios_cgi_t)
-
-optional_policy(`
-	apache_append_log(nagios_cgi_t)
-')
+logging_send_syslog_msg(httpd_nagios_script_t)
 
 ########################################
 #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.2.5/policy/modules/services/networkmanager.fc
--- nsaserefpolicy/policy/modules/services/networkmanager.fc	2007-09-12 10:34:18.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/networkmanager.fc	2007-12-31 08:48:44.000000000 -0500
@@ -1,7 +1,9 @@
 /usr/s?bin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 /usr/s?bin/wpa_supplicant	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/sbin/NetworkManagerDispatcher	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 
 /var/run/NetworkManager\.pid	--	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 /var/run/NetworkManager(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 /var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
+/var/log/wpa_supplicant\.log.*	--	gen_context(system_u:object_r:NetworkManager_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.2.5/policy/modules/services/networkmanager.if
--- nsaserefpolicy/policy/modules/services/networkmanager.if	2007-06-12 10:15:45.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/networkmanager.if	2007-12-31 08:55:52.000000000 -0500
@@ -97,3 +97,21 @@
 	allow $1 NetworkManager_t:dbus send_msg;
 	allow NetworkManager_t $1:dbus send_msg;
 ')
+
+########################################
+## <summary>
+##	Send a generic signal to NetworkManager
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`networkmanager_signal',`
+	gen_require(`
+		type NetworkManager_t;
+	')
+
+	allow $1 NetworkManager_t:process signal;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.2.5/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te	2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/networkmanager.te	2007-12-26 20:31:36.000000000 -0500
@@ -13,6 +13,9 @@
 type NetworkManager_var_run_t;
 files_pid_file(NetworkManager_var_run_t)
 
+type NetworkManager_log_t;
+logging_log_file(NetworkManager_log_t)
+
 ########################################
 #
 # Local policy
@@ -20,7 +23,7 @@
 
 # networkmanager will ptrace itself if gdb is installed
 # and it receives a unexpected signal (rh bug #204161) 
-allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock };
 dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
 allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
 allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
@@ -38,6 +41,9 @@
 manage_sock_files_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t)
 files_pid_filetrans(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file })
 
+manage_files_pattern(NetworkManager_t,NetworkManager_log_t,NetworkManager_log_t)
+logging_log_filetrans(NetworkManager_t,NetworkManager_log_t, file)
+
 kernel_read_system_state(NetworkManager_t)
 kernel_read_network_state(NetworkManager_t)
 kernel_read_kernel_sysctls(NetworkManager_t)
@@ -86,6 +92,8 @@
 init_read_utmp(NetworkManager_t)
 init_domtrans_script(NetworkManager_t)
 
+auth_use_nsswitch(NetworkManager_t)
+
 libs_use_ld_so(NetworkManager_t)
 libs_use_shared_libs(NetworkManager_t)
 
@@ -129,8 +137,11 @@
 ')
 
 optional_policy(`
+	allow NetworkManager_t self:dbus send_msg;
+
 	dbus_system_bus_client_template(NetworkManager,NetworkManager_t)
 	dbus_connect_system_bus(NetworkManager_t)
+	dbus_system_domain(NetworkManager_t,NetworkManager_exec_t)
 ')
 
 optional_policy(`
@@ -138,12 +149,9 @@
 ')
 
 optional_policy(`
-	nis_use_ypbind(NetworkManager_t)
-')
-
-optional_policy(`
-	nscd_socket_use(NetworkManager_t)
 	nscd_signal(NetworkManager_t)
+	nscd_script_domtrans(NetworkManager_t)
+	nscd_domtrans(NetworkManager_t)
 ')
 
 optional_policy(`
@@ -155,6 +163,7 @@
 	ppp_domtrans(NetworkManager_t)
 	ppp_read_pid_files(NetworkManager_t)
 	ppp_signal(NetworkManager_t)
+	ppp_read_config(NetworkManager_t)
 ')
 
 optional_policy(`
@@ -166,11 +175,6 @@
 ')
 
 optional_policy(`
-	# Read gnome-keyring
-	unconfined_read_home_content_files(NetworkManager_t)
-')
-
-optional_policy(`
 	vpn_domtrans(NetworkManager_t)
 	vpn_signal(NetworkManager_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.2.5/policy/modules/services/nis.fc
--- nsaserefpolicy/policy/modules/services/nis.fc	2007-02-19 11:32:53.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/nis.fc	2007-12-19 05:38:09.000000000 -0500
@@ -4,6 +4,7 @@
 /sbin/ypbind		--	gen_context(system_u:object_r:ypbind_exec_t,s0)
 
 /usr/lib/yp/ypxfr	--	gen_context(system_u:object_r:ypxfr_exec_t,s0)
+/usr/lib64/yp/ypxfr	--	gen_context(system_u:object_r:ypxfr_exec_t,s0)
 
 /usr/sbin/rpc\.yppasswdd --	gen_context(system_u:object_r:yppasswdd_exec_t,s0)
 /usr/sbin/rpc\.ypxfrd	--	gen_context(system_u:object_r:ypxfr_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.2.5/policy/modules/services/nis.if
--- nsaserefpolicy/policy/modules/services/nis.if	2007-07-16 14:09:46.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/nis.if	2007-12-19 05:38:09.000000000 -0500
@@ -49,8 +49,8 @@
 	corenet_udp_bind_all_nodes($1)
 	corenet_tcp_bind_generic_port($1)
 	corenet_udp_bind_generic_port($1)
-	corenet_tcp_bind_reserved_port($1)
-	corenet_udp_bind_reserved_port($1)
+	corenet_dontaudit_tcp_bind_all_reserved_ports($1)
+	corenet_dontaudit_udp_bind_all_reserved_ports($1)
 	corenet_dontaudit_tcp_bind_all_ports($1)
 	corenet_dontaudit_udp_bind_all_ports($1)
 	corenet_tcp_connect_portmap_port($1)
@@ -87,6 +87,25 @@
 
 ########################################
 ## <summary>
+##	Use the nis to authenticate passwords
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`nis_authenticate',`
+	tunable_policy(`allow_ypbind',`
+		nis_use_ypbind_uncond($1)
+		corenet_tcp_bind_all_rpc_ports($1)
+		corenet_udp_bind_all_rpc_ports($1)
+	')
+')
+
+########################################
+## <summary>
 ##	Execute ypbind in the ypbind domain.
 ## </summary>
 ## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.2.5/policy/modules/services/nis.te
--- nsaserefpolicy/policy/modules/services/nis.te	2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/nis.te	2007-12-19 05:38:09.000000000 -0500
@@ -113,6 +113,17 @@
 userdom_dontaudit_use_unpriv_user_fds(ypbind_t)
 userdom_dontaudit_search_sysadm_home_dirs(ypbind_t)
 
+
+optional_policy(`
+	dbus_system_bus_client_template(ypbind,ypbind_t)
+	dbus_connect_system_bus(ypbind_t)
+	init_dbus_chat_script(ypbind_t)
+
+	optional_policy(`
+		networkmanager_dbus_chat(ypbind_t)
+	')
+')
+
 optional_policy(`
 	seutil_sigchld_newrole(ypbind_t)
 ')
@@ -126,6 +137,7 @@
 # yppasswdd local policy
 #
 
+allow yppasswdd_t self:capability dac_override;
 dontaudit yppasswdd_t self:capability sys_tty_config;
 allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
 allow yppasswdd_t self:process { setfscreate signal_perms };
@@ -156,8 +168,8 @@
 corenet_udp_sendrecv_all_ports(yppasswdd_t)
 corenet_tcp_bind_all_nodes(yppasswdd_t)
 corenet_udp_bind_all_nodes(yppasswdd_t)
-corenet_tcp_bind_reserved_port(yppasswdd_t)
-corenet_udp_bind_reserved_port(yppasswdd_t)
+corenet_tcp_bind_all_rpc_ports(yppasswdd_t)
+corenet_udp_bind_all_rpc_ports(yppasswdd_t)
 corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t)
 corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t)
 corenet_sendrecv_generic_server_packets(yppasswdd_t)
@@ -247,6 +259,8 @@
 corenet_udp_bind_all_nodes(ypserv_t)
 corenet_tcp_bind_reserved_port(ypserv_t)
 corenet_udp_bind_reserved_port(ypserv_t)
+corenet_tcp_bind_all_rpc_ports(ypserv_t)
+corenet_udp_bind_all_rpc_ports(ypserv_t)
 corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t)
 corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t)
 corenet_sendrecv_generic_server_packets(ypserv_t)
@@ -315,6 +329,8 @@
 corenet_udp_bind_all_nodes(ypxfr_t)
 corenet_tcp_bind_reserved_port(ypxfr_t)
 corenet_udp_bind_reserved_port(ypxfr_t)
+corenet_tcp_bind_all_rpc_ports(ypxfr_t)
+corenet_udp_bind_all_rpc_ports(ypxfr_t)
 corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
 corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t)
 corenet_tcp_connect_all_ports(ypxfr_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.fc serefpolicy-3.2.5/policy/modules/services/nscd.fc
--- nsaserefpolicy/policy/modules/services/nscd.fc	2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/nscd.fc	2007-12-19 05:38:09.000000000 -0500
@@ -9,3 +9,5 @@
 /var/run/\.nscd_socket	-s	gen_context(system_u:object_r:nscd_var_run_t,s0)
 
 /var/run/nscd(/.*)?		gen_context(system_u:object_r:nscd_var_run_t,s0)
+
+/etc/rc\.d/init\.d/nscd	--	gen_context(system_u:object_r:httpd_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.2.5/policy/modules/services/nscd.if
--- nsaserefpolicy/policy/modules/services/nscd.if	2007-03-26 10:39:04.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/nscd.if	2007-12-19 05:38:09.000000000 -0500
@@ -70,15 +70,14 @@
 interface(`nscd_socket_use',`
 	gen_require(`
 		type nscd_t, nscd_var_run_t;
-		class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
+		class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv };
 	')
 
 	allow $1 self:unix_stream_socket create_socket_perms;
 
 	allow $1 nscd_t:nscd { getpwd getgrp gethost };
 	dontaudit $1 nscd_t:fd use;
-	dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
-
+	dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
 	files_search_pids($1)
 	stream_connect_pattern($1,nscd_var_run_t,nscd_var_run_t,nscd_t)
 	dontaudit $1 nscd_var_run_t:file { getattr read };
@@ -204,3 +203,22 @@
 	role $2 types nscd_t;
 	dontaudit nscd_t $3:chr_file rw_term_perms;
 ')
+
+########################################
+## <summary>
+##	Execute nscd server in the ntpd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`nscd_script_domtrans',`
+	gen_require(`
+		type nscd_script_exec_t;
+	')
+
+	init_script_domtrans_spec($1,nscd_script_exec_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.2.5/policy/modules/services/nscd.te
--- nsaserefpolicy/policy/modules/services/nscd.te	2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/nscd.te	2007-12-19 05:38:09.000000000 -0500
@@ -23,19 +23,22 @@
 type nscd_log_t;
 logging_log_file(nscd_log_t)
 
+type nscd_script_exec_t;
+init_script_type(nscd_script_exec_t)
+
 ########################################
 #
 # Local policy
 #
 
-allow nscd_t self:capability { kill setgid setuid audit_write };
+allow nscd_t self:capability { kill setgid setuid };
 dontaudit nscd_t self:capability sys_tty_config;
-allow nscd_t self:process { getattr setsched signal_perms };
+allow nscd_t self:process { getattr setcap setsched signal_perms };
 allow nscd_t self:fifo_file { read write };
 allow nscd_t self:unix_stream_socket create_stream_socket_perms;
 allow nscd_t self:unix_dgram_socket create_socket_perms;
 allow nscd_t self:netlink_selinux_socket create_socket_perms;
-allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
 allow nscd_t self:tcp_socket create_socket_perms;
 allow nscd_t self:udp_socket create_socket_perms;
 
@@ -50,6 +53,8 @@
 manage_sock_files_pattern(nscd_t,nscd_var_run_t,nscd_var_run_t)
 files_pid_filetrans(nscd_t,nscd_var_run_t,{ file sock_file })
 
+can_exec(nscd_t, nscd_exec_t)
+
 kernel_read_kernel_sysctls(nscd_t)
 kernel_list_proc(nscd_t)
 kernel_read_proc_symlinks(nscd_t)
@@ -73,6 +78,8 @@
 corenet_udp_sendrecv_all_nodes(nscd_t)
 corenet_tcp_sendrecv_all_ports(nscd_t)
 corenet_udp_sendrecv_all_ports(nscd_t)
+corenet_udp_bind_all_nodes(nscd_t)
+corenet_udp_bind_all_nodes(nscd_t)
 corenet_tcp_connect_all_ports(nscd_t)
 corenet_sendrecv_all_client_packets(nscd_t)
 corenet_rw_tun_tap_dev(nscd_t)
@@ -93,6 +100,7 @@
 libs_use_ld_so(nscd_t)
 libs_use_shared_libs(nscd_t)
 
+logging_send_audit_msgs(nscd_t)
 logging_send_syslog_msg(nscd_t)
 
 miscfiles_read_localization(nscd_t)
@@ -114,3 +122,12 @@
 	xen_dontaudit_rw_unix_stream_sockets(nscd_t)
 	xen_append_log(nscd_t)
 ')
+
+optional_policy(`
+	tunable_policy(`samba_domain_controller',`
+		samba_append_log(nscd_t)
+		samba_dontaudit_use_fds(nscd_t)
+	')
+	samba_read_config(nscd_t)
+	samba_read_var_files(nscd_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.fc serefpolicy-3.2.5/policy/modules/services/ntp.fc
--- nsaserefpolicy/policy/modules/services/ntp.fc	2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/ntp.fc	2007-12-19 05:38:09.000000000 -0500
@@ -17,3 +17,8 @@
 /var/log/xntpd.*		--	gen_context(system_u:object_r:ntpd_log_t,s0)
 
 /var/run/ntpd\.pid		--	gen_context(system_u:object_r:ntpd_var_run_t,s0)
+
+/etc/ntp/crypto(/.*)?         gen_context(system_u:object_r:ntpd_key_t,s0)
+/etc/ntp/keys              -- gen_context(system_u:object_r:ntpd_key_t,s0)
+
+/etc/rc\.d/init\.d/ntpd	--	gen_context(system_u:object_r:ntpd_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.2.5/policy/modules/services/ntp.if
--- nsaserefpolicy/policy/modules/services/ntp.if	2007-03-26 10:39:05.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/ntp.if	2007-12-19 05:38:09.000000000 -0500
@@ -53,3 +53,22 @@
 	corecmd_search_bin($1)
 	domtrans_pattern($1,ntpdate_exec_t,ntpd_t)
 ')
+
+########################################
+## <summary>
+##	Execute ntp server in the ntpd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`ntp_script_domtrans',`
+	gen_require(`
+		type ntpd_script_exec_t;
+	')
+
+	init_script_domtrans_spec($1,ntpd_script_exec_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.2.5/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te	2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/ntp.te	2007-12-19 05:38:09.000000000 -0500
@@ -25,6 +25,12 @@
 type ntpdate_exec_t;
 init_system_domain(ntpd_t,ntpdate_exec_t)
 
+type ntpd_key_t;
+files_type(ntpd_key_t)
+
+type ntpd_script_exec_t;
+init_script_type(ntpd_script_exec_t)
+
 ########################################
 #
 # Local policy
@@ -36,6 +42,7 @@
 dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
 allow ntpd_t self:process { signal_perms setcap setsched setrlimit };
 allow ntpd_t self:fifo_file { read write getattr };
+allow ntpd_t self:shm create_shm_perms;
 allow ntpd_t self:unix_dgram_socket create_socket_perms;
 allow ntpd_t self:unix_stream_socket create_socket_perms;
 allow ntpd_t self:tcp_socket create_stream_socket_perms;
@@ -49,6 +56,8 @@
 manage_files_pattern(ntpd_t,ntpd_log_t,ntpd_log_t)
 logging_log_filetrans(ntpd_t,ntpd_log_t,{ file dir })
 
+read_files_pattern(ntpd_t,ntpd_key_t,ntpd_key_t)
+
 # for some reason it creates a file in /tmp
 manage_dirs_pattern(ntpd_t,ntpd_tmp_t,ntpd_tmp_t)
 manage_files_pattern(ntpd_t,ntpd_tmp_t,ntpd_tmp_t)
@@ -82,6 +91,8 @@
 
 fs_getattr_all_fs(ntpd_t)
 fs_search_auto_mountpoints(ntpd_t)
+# Necessary to communicate with gpsd devices
+fs_rw_tmpfs_files(ntpd_t)
 
 auth_use_nsswitch(ntpd_t)
 
@@ -105,6 +116,10 @@
 
 miscfiles_read_localization(ntpd_t)
 
+sysnet_dontaudit_dhcpc_use_fds(ntpd_t)
+
+term_use_ptmx(ntpd_t)
+
 userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
 userdom_list_sysadm_home_dirs(ntpd_t)
 userdom_dontaudit_list_sysadm_home_dirs(ntpd_t)
@@ -120,6 +135,10 @@
 ')
 
 optional_policy(`
+	hal_dontaudit_write_log(ntpd_t)
+')
+
+optional_policy(`
 	logrotate_exec(ntpd_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.te serefpolicy-3.2.5/policy/modules/services/oddjob.te
--- nsaserefpolicy/policy/modules/services/oddjob.te	2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/oddjob.te	2008-01-04 12:24:30.000000000 -0500
@@ -15,6 +15,7 @@
 type oddjob_mkhomedir_t;
 type oddjob_mkhomedir_exec_t;
 domain_type(oddjob_mkhomedir_t)
+domain_obj_id_change_exemption(oddjob_mkhomedir_t)
 init_daemon_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
 oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
 
@@ -68,20 +69,38 @@
 # oddjob_mkhomedir local policy
 #
 
+allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override };
+allow oddjob_mkhomedir_t self:process setfscreate;
 allow oddjob_mkhomedir_t self:fifo_file { read write };
 allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
 
 files_read_etc_files(oddjob_mkhomedir_t)
 
+kernel_read_system_state(oddjob_mkhomedir_t)
+
+auth_use_nsswitch(oddjob_mkhomedir_t)
+
 libs_use_ld_so(oddjob_mkhomedir_t)
 libs_use_shared_libs(oddjob_mkhomedir_t)
 
+logging_send_syslog_msg(oddjob_mkhomedir_t)
+
 miscfiles_read_localization(oddjob_mkhomedir_t)
 
+selinux_get_fs_mount(oddjob_mkhomedir_t)
+selinux_validate_context(oddjob_mkhomedir_t)
+selinux_compute_access_vector(oddjob_mkhomedir_t)
+selinux_compute_create_context(oddjob_mkhomedir_t)
+selinux_compute_relabel_context(oddjob_mkhomedir_t)
+selinux_compute_user_contexts(oddjob_mkhomedir_t)
+
+seutil_read_config(oddjob_mkhomedir_t)
+seutil_read_file_contexts(oddjob_mkhomedir_t)
+seutil_read_default_contexts(oddjob_mkhomedir_t)
+
 # Add/remove user home directories
+userdom_manage_unpriv_users_home_content_dirs(oddjob_mkhomedir_t)
 userdom_home_filetrans_generic_user_home_dir(oddjob_mkhomedir_t)
-userdom_manage_generic_user_home_content_dirs(oddjob_mkhomedir_t)
-userdom_manage_generic_user_home_content_files(oddjob_mkhomedir_t)
-userdom_manage_generic_user_home_dirs(oddjob_mkhomedir_t)
-userdom_manage_staff_home_dirs(oddjob_mkhomedir_t)
+userdom_manage_all_users_home_content_dirs(oddjob_mkhomedir_t)
+userdom_manage_all_users_home_content_files(oddjob_mkhomedir_t)
 userdom_generic_user_home_dir_filetrans_generic_user_home_content(oddjob_mkhomedir_t,notdevfile_class_set)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openct.te serefpolicy-3.2.5/policy/modules/services/openct.te
--- nsaserefpolicy/policy/modules/services/openct.te	2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/openct.te	2007-12-19 05:38:09.000000000 -0500
@@ -22,6 +22,7 @@
 allow openct_t self:process signal_perms;
 
 manage_files_pattern(openct_t,openct_var_run_t,openct_var_run_t)
+manage_sock_files_pattern(openct_t,openct_var_run_t,openct_var_run_t)
 files_pid_filetrans(openct_t,openct_var_run_t,file)
 
 kernel_read_kernel_sysctls(openct_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.fc serefpolicy-3.2.5/policy/modules/services/openvpn.fc
--- nsaserefpolicy/policy/modules/services/openvpn.fc	2007-06-11 16:05:22.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/openvpn.fc	2007-12-19 05:38:09.000000000 -0500
@@ -11,5 +11,5 @@
 #
 # /var
 #
-/var/log/openvpn(/.*)?		gen_context(system_u:object_r:openvpn_var_log_t,s0)
+/var/log/openvpn.*		gen_context(system_u:object_r:openvpn_var_log_t,s0)
 /var/run/openvpn(/.*)?		gen_context(system_u:object_r:openvpn_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.2.5/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te	2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/openvpn.te	2007-12-19 05:38:09.000000000 -0500
@@ -8,7 +8,7 @@
 
 ## <desc>
 ## <p>
-## Allow openvpn to read home directories
+## Allow openvpn service access to users home directories
 ## </p>
 ## </desc>
 gen_tunable(openvpn_enable_homedirs,false)
@@ -35,7 +35,7 @@
 # openvpn local policy
 #
 
-allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_tty_config };
+allow openvpn_t self:capability { dac_read_search dac_override net_bind_service net_admin setgid setuid sys_chroot sys_tty_config };
 allow openvpn_t self:process { signal getsched };
 
 allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -110,3 +110,12 @@
 
 	networkmanager_dbus_chat(openvpn_t)
 ')
+
+
+# Need to interact with terminals if config option "auth-user-pass" is used
+userdom_use_sysadm_terms(openvpn_t)
+
+optional_policy(`
+	unconfined_use_terminals(openvpn_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.2.5/policy/modules/services/pcscd.te
--- nsaserefpolicy/policy/modules/services/pcscd.te	2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/pcscd.te	2007-12-19 05:38:09.000000000 -0500
@@ -45,6 +45,7 @@
 files_read_etc_files(pcscd_t)
 files_read_etc_runtime_files(pcscd_t)
 
+term_use_unallocated_ttys(pcscd_t)
 term_dontaudit_getattr_pty_dirs(pcscd_t)
 
 libs_use_ld_so(pcscd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-3.2.5/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te	2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/pegasus.te	2007-12-19 05:38:09.000000000 -0500
@@ -42,6 +42,7 @@
 allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink };
 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
 
+manage_dirs_pattern(pegasus_t,pegasus_data_t,pegasus_data_t)
 manage_files_pattern(pegasus_t,pegasus_data_t,pegasus_data_t)
 manage_lnk_files_pattern(pegasus_t,pegasus_data_t,pegasus_data_t)
 filetrans_pattern(pegasus_t,pegasus_conf_t,pegasus_data_t,{ file dir })
@@ -95,13 +96,12 @@
 
 auth_use_nsswitch(pegasus_t)
 auth_domtrans_chk_passwd(pegasus_t)
+auth_read_shadow(pegasus_t)
 
 domain_use_interactive_fds(pegasus_t)
 domain_read_all_domains_state(pegasus_t)
 
-files_read_etc_files(pegasus_t)
-files_list_var_lib(pegasus_t)
-files_read_var_lib_files(pegasus_t)
+files_read_all_files(pegasus_t)
 files_read_var_lib_symlinks(pegasus_t)
 
 hostname_exec(pegasus_t)
@@ -113,19 +113,16 @@
 libs_use_shared_libs(pegasus_t)
 
 logging_send_audit_msgs(pegasus_t)
+logging_send_syslog_msg(pegasus_t)
 
 miscfiles_read_localization(pegasus_t)
 
-sysnet_read_config(pegasus_t)
+sysnet_domtrans_ifconfig(pegasus_t)
 
 userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
 userdom_dontaudit_search_sysadm_home_dirs(pegasus_t)
 
 optional_policy(`
-	logging_send_syslog_msg(pegasus_t)
-')
-
-optional_policy(`
 	rpm_exec(pegasus_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.2.5/policy/modules/services/polkit.fc
--- nsaserefpolicy/policy/modules/services/polkit.fc	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/polkit.fc	2007-12-19 09:37:14.000000000 -0500
@@ -0,0 +1,6 @@
+
+/usr/libexec/polkit-read-auth-helper	--	gen_context(system_u:object_r:polkit_auth_exec_t,s0)
+
+/var/lib/PolicyKit(/.*)?			gen_context(system_u:object_r:polkit_var_lib_t,s0)
+/var/run/PolicyKit(/.*)?			gen_context(system_u:object_r:polkit_var_run_t,s0)
+/var/lib/PolicyKit-public(/.*)?			gen_context(system_u:object_r:polkit_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.2.5/policy/modules/services/polkit.if
--- nsaserefpolicy/policy/modules/services/polkit.if	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/polkit.if	2007-12-19 05:38:09.000000000 -0500
@@ -0,0 +1,60 @@
+
+## <summary>policy for polkit_auth</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run polkit_auth.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`polkit_domtrans_auth',`
+	gen_require(`
+		type polkit_auth_t;
+                type polkit_auth_exec_t;
+	')
+
+	domtrans_pattern($1,polkit_auth_exec_t,polkit_auth_t)
+')
+
+########################################
+## <summary>
+##	Search polkit lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`polkit_search_lib',`
+	gen_require(`
+		type polkit_var_lib_t;
+	')
+
+	allow $1 polkit_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	read polkit lib files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`polkit_read_lib',`
+	gen_require(`
+		type polkit_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, polkit_var_lib_t,  polkit_var_lib_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.2.5/policy/modules/services/polkit.te
--- nsaserefpolicy/policy/modules/services/polkit.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/polkit.te	2007-12-19 15:17:09.000000000 -0500
@@ -0,0 +1,63 @@
+policy_module(polkit_auth,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type polkit_auth_t;
+type polkit_auth_exec_t;
+domain_type(polkit_auth_t)
+init_daemon_domain(polkit_auth_t, polkit_auth_exec_t)
+
+type polkit_var_lib_t;
+files_type(polkit_var_lib_t)
+
+type polkit_var_run_t;
+files_pid_file(polkit_var_run_t)
+
+########################################
+#
+# polkit_auth local policy
+#
+
+allow polkit_auth_t self:process getattr;
+
+allow polkit_auth_t self:unix_dgram_socket create_socket_perms;
+allow polkit_auth_t self:fifo_file rw_file_perms;
+allow polkit_auth_t self:unix_stream_socket create_stream_socket_perms;
+
+can_exec(polkit_auth_t, polkit_auth_exec_t)
+corecmd_search_bin(polkit_auth_t)
+
+domain_use_interactive_fds(polkit_auth_t)
+
+files_read_etc_files(polkit_auth_t)
+files_read_usr_files(polkit_auth_t)
+
+auth_use_nsswitch(polkit_auth_t)
+
+libs_use_ld_so(polkit_auth_t)
+libs_use_shared_libs(polkit_auth_t)
+
+miscfiles_read_localization(polkit_auth_t)
+
+logging_send_syslog_msg(polkit_auth_t)
+
+manage_files_pattern(polkit_auth_t, polkit_var_lib_t, polkit_var_lib_t)
+
+# pid file
+manage_dirs_pattern(polkit_auth_t,polkit_var_run_t,polkit_var_run_t)
+manage_files_pattern(polkit_auth_t,polkit_var_run_t,polkit_var_run_t)
+files_pid_filetrans(polkit_auth_t,polkit_var_run_t, { file dir })
+
+optional_policy(`
+	dbus_system_bus_client_template(polkit_auth, polkit_auth_t)
+	consolekit_dbus_chat(polkit_auth_t)
+')
+
+optional_policy(`
+	hal_getattr(polkit_auth_t)
+	hal_read_state(polkit_auth_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.2.5/policy/modules/services/postfix.fc
--- nsaserefpolicy/policy/modules/services/postfix.fc	2007-09-12 10:34:18.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/postfix.fc	2007-12-19 05:38:09.000000000 -0500
@@ -29,12 +29,10 @@
 /usr/lib/postfix/smtpd	--	gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
 /usr/lib/postfix/bounce	--	gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
 /usr/lib/postfix/pipe	--	gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
-/usr/lib/postfix/virtual --	gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
 ')
 /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
 /etc/postfix/prng_exch	--	gen_context(system_u:object_r:postfix_prng_t,s0)
 /usr/sbin/postalias	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
-/usr/sbin/postcat	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
 /usr/sbin/postdrop	--	gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
 /usr/sbin/postfix	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
 /usr/sbin/postkick	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.2.5/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if	2007-12-04 11:02:50.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/postfix.if	2007-12-19 05:38:09.000000000 -0500
@@ -416,7 +416,7 @@
 ##	</summary>
 ## </param>
 #
-interface(`postfix_create_pivate_sockets',`
+interface(`postfix_create_private_sockets',`
 	gen_require(`
 		type postfix_private_t;
 	')
@@ -427,6 +427,26 @@
 
 ########################################
 ## <summary>
+##	manage named socket in a postfix private directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`postfix_manage_private_sockets',`
+	gen_require(`
+		type postfix_private_t;
+	')
+
+	allow $1 postfix_private_t:dir list_dir_perms;
+	manage_sock_files_pattern($1,postfix_private_t,postfix_private_t)
+')
+
+
+########################################
+## <summary>
 ##	Execute the master postfix program in the
 ##	postfix_master domain.
 ## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.2.5/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te	2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/postfix.te	2007-12-31 14:18:01.000000000 -0500
@@ -6,6 +6,14 @@
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow postfix_local domain full write access to mail_spool directories
+## 
+## </p>
+## </desc>
+gen_tunable(allow_postfix_local_write_mail_spool,false)
+
 attribute postfix_user_domains;
 # domains that transition to the
 # postfix user domains
@@ -27,6 +35,10 @@
 postfix_server_domain_template(local)
 mta_mailserver_delivery(postfix_local_t)
 
+tunable_policy(`allow_postfix_local_write_mail_spool', `
+	mta_rw_spool(postfix_local_t)
+')
+
 type postfix_local_tmp_t;
 files_tmp_file(postfix_local_tmp_t)
 
@@ -34,6 +46,7 @@
 type postfix_map_t;
 type postfix_map_exec_t;
 application_domain(postfix_map_t,postfix_map_exec_t)
+role system_r types postfix_map_t;
 
 type postfix_map_tmp_t;
 files_tmp_file(postfix_map_tmp_t)
@@ -99,6 +112,7 @@
 allow postfix_master_t self:fifo_file rw_fifo_file_perms;
 allow postfix_master_t self:tcp_socket create_stream_socket_perms;
 allow postfix_master_t self:udp_socket create_socket_perms;
+allow postfix_master_t self:process setrlimit;
 
 allow postfix_master_t postfix_etc_t:file rw_file_perms;
 
@@ -174,6 +188,7 @@
 
 mta_rw_aliases(postfix_master_t)
 mta_read_sendmail_bin(postfix_master_t)
+mta_getattr_spool(postfix_master_t)
 
 optional_policy(`
 	cyrus_stream_connect(postfix_master_t)
@@ -248,6 +263,10 @@
 
 corecmd_exec_bin(postfix_cleanup_t)
 
+optional_policy(`
+	mailman_read_data_files(postfix_cleanup_t)
+')
+
 ########################################
 #
 # Postfix local local policy
@@ -273,6 +292,8 @@
 
 files_read_etc_files(postfix_local_t)
 
+logging_dontaudit_search_logs(postfix_local_t)
+
 mta_read_aliases(postfix_local_t)
 mta_delete_spool(postfix_local_t)
 # For reading spamassasin
@@ -285,6 +306,8 @@
 optional_policy(`
 #	for postalias
 	mailman_manage_data_files(postfix_local_t)
+	mailman_append_log(postfix_local_t)
+	mailman_read_log(postfix_local_t)
 ')
 
 optional_policy(`
@@ -295,8 +318,7 @@
 #
 # Postfix map local policy
 #
-
-allow postfix_map_t self:capability setgid;
+allow postfix_map_t self:capability { dac_override setgid setuid };
 allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
 allow postfix_map_t self:unix_dgram_socket create_socket_perms;
 allow postfix_map_t self:tcp_socket create_stream_socket_perms;
@@ -346,8 +368,6 @@
 
 miscfiles_read_localization(postfix_map_t)
 
-seutil_read_config(postfix_map_t)
-
 tunable_policy(`read_default_t',`
 	files_list_default(postfix_map_t)
 	files_read_default_files(postfix_map_t)
@@ -360,6 +380,11 @@
 	locallogin_dontaudit_use_fds(postfix_map_t)
 ')
 
+optional_policy(`
+#	for postalias
+	mailman_manage_data_files(postfix_map_t)
+')
+
 ########################################
 #
 # Postfix pickup local policy
@@ -392,6 +417,10 @@
 rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t)
 
 optional_policy(`
+	dovecot_domtrans_deliver(postfix_pipe_t)
+')
+
+optional_policy(`
 	procmail_domtrans(postfix_pipe_t)
 ')
 
@@ -400,6 +429,10 @@
 ')
 
 optional_policy(`
+	mta_manage_spool(postfix_pipe_t)
+')
+
+optional_policy(`
 	uucp_domtrans_uux(postfix_pipe_t)
 ')
 
@@ -532,9 +565,6 @@
 # connect to master process
 stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
 
-# Connect to policy server
-corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
-
 # for prng_exch
 allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
 allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
@@ -557,6 +587,10 @@
 	sasl_connect(postfix_smtpd_t)
 ')
 
+optional_policy(`
+	dovecot_auth_stream_connect(postfix_smtpd_t)
+')
+
 ########################################
 #
 # Postfix virtual local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.2.5/policy/modules/services/postgresql.fc
--- nsaserefpolicy/policy/modules/services/postgresql.fc	2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/postgresql.fc	2007-12-19 05:38:09.000000000 -0500
@@ -38,3 +38,5 @@
 ')
 
 /var/run/postgresql(/.*)?		gen_context(system_u:object_r:postgresql_var_run_t,s0)
+
+/etc/rc\.d/init\.d/postgresql	--	gen_context(system_u:object_r:postgresql_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.if serefpolicy-3.2.5/policy/modules/services/postgresql.if
--- nsaserefpolicy/policy/modules/services/postgresql.if	2007-11-29 13:29:35.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/postgresql.if	2007-12-19 05:38:09.000000000 -0500
@@ -120,3 +120,77 @@
         # Some versions of postgresql put the sock file in /tmp
 	allow $1 postgresql_tmp_t:sock_file write;
 ')
+
+########################################
+## <summary>
+##	Execute postgresql server in the posgresql domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`postgresql_script_domtrans',`
+	gen_require(`
+		type postgresql_script_exec_t;
+	')
+
+	init_script_domtrans_spec($1,postgresql_script_exec_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate an postgresql environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the postgresql domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the postgresql domain to use.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`postgresql_admin',`
+	gen_require(`
+		type postgresql_t;
+		type postgresql_var_run_t;
+		type postgresql_tmp_t;
+		type postgresql_db_t;
+		type postgresql_etc_t;
+		type postgresql_log_t;
+	')
+
+	allow $1 postgresql_t:process { ptrace signal_perms getattr };
+	read_files_pattern($1, postgresql_t, postgresql_t)
+
+	# Allow $1 to restart the apache service
+	postgresql_script_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 postgresql_script_exec_t system_r;
+	allow $2 system_r;
+
+	manage_dirs_pattern($1,postgresql_var_run_t,postgresql_var_run_t)
+	manage_files_pattern($1,postgresql_var_run_t,postgresql_var_run_t)
+
+	manage_dirs_pattern($1,postgresql_db_t,postgresql_db_t)
+	manage_files_pattern($1,postgresql_db_t,postgresql_db_t)
+
+	manage_dirs_pattern($1,postgresql_etc_t,postgresql_etc_t)
+	manage_files_pattern($1,postgresql_etc_t,postgresql_etc_t)
+
+	manage_dirs_pattern($1,postgresql_log_t,postgresql_log_t)
+	manage_files_pattern($1,postgresql_log_t,postgresql_log_t)
+
+	manage_dirs_pattern($1,postgresql_tmp_t,postgresql_tmp_t)
+	manage_files_pattern($1,postgresql_tmp_t,postgresql_tmp_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.2.5/policy/modules/services/postgresql.te
--- nsaserefpolicy/policy/modules/services/postgresql.te	2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/postgresql.te	2007-12-19 05:38:09.000000000 -0500
@@ -27,6 +27,9 @@
 type postgresql_var_run_t;
 files_pid_file(postgresql_var_run_t)
 
+type postgresql_script_exec_t;
+init_script_type(postgresql_script_exec_t)
+
 ########################################
 #
 # postgresql Local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.2.5/policy/modules/services/ppp.fc
--- nsaserefpolicy/policy/modules/services/ppp.fc	2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/ppp.fc	2007-12-19 05:38:09.000000000 -0500
@@ -25,7 +25,7 @@
 #
 # /var
 #
-/var/run/(i)?ppp.*pid		--	gen_context(system_u:object_r:pppd_var_run_t,s0)
+/var/run/(i)?ppp.*pid[^/]*	--	gen_context(system_u:object_r:pppd_var_run_t,s0)
 /var/run/pppd[0-9]*\.tdb	--	gen_context(system_u:object_r:pppd_var_run_t,s0)
 /var/run/ppp(/.*)?			gen_context(system_u:object_r:pppd_var_run_t,s0)
 # Fix pptp sockets
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.2.5/policy/modules/services/ppp.te
--- nsaserefpolicy/policy/modules/services/ppp.te	2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/ppp.te	2007-12-31 17:30:15.000000000 -0500
@@ -162,6 +162,8 @@
 init_read_utmp(pppd_t)
 init_dontaudit_write_utmp(pppd_t)
 
+auth_use_nsswitch(pppd_t)
+
 libs_use_ld_so(pppd_t)
 libs_use_shared_libs(pppd_t)
 
@@ -194,14 +196,12 @@
 
 optional_policy(`
 	mta_send_mail(pppd_t)
+	mta_mailcontent(pppd_etc_t)
+	mta_mailcontent(pppd_etc_rw_t)
 ')
 
 optional_policy(`
-	nis_use_ypbind(pppd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(pppd_t)
+	networkmanager_signal(pppd_t)
 ')
 
 optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.if serefpolicy-3.2.5/policy/modules/services/procmail.if
--- nsaserefpolicy/policy/modules/services/procmail.if	2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/procmail.if	2007-12-31 15:18:55.000000000 -0500
@@ -39,3 +39,22 @@
 	corecmd_search_bin($1)
 	can_exec($1,procmail_exec_t)
 ')
+
+########################################
+## <summary>
+##	Read procmail tmp files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`procmail_read_tmp_files',`
+	gen_require(`
+		type procmail_tmp_t;
+	')
+
+	files_search_tmp($1)
+	allow $1 procmail_tmp_t:file read_file_perms;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.2.5/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te	2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/procmail.te	2008-01-03 10:56:43.000000000 -0500
@@ -129,7 +129,9 @@
 	corenet_udp_bind_generic_port(procmail_t)
 	corenet_dontaudit_udp_bind_all_ports(procmail_t)
 
-	spamassassin_exec(procmail_t)
-	spamassassin_exec_client(procmail_t)
-	spamassassin_read_lib_files(procmail_t)
+	spamassassin_domtrans(procmail_t)
+')
+
+optional_policy(`
+	mailscanner_read_spool(procmail_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.2.5/policy/modules/services/pyzor.fc
--- nsaserefpolicy/policy/modules/services/pyzor.fc	2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/pyzor.fc	2007-12-19 05:38:09.000000000 -0500
@@ -1,6 +1,6 @@
 /etc/pyzor(/.*)?		gen_context(system_u:object_r:pyzor_etc_t, s0)
 
-HOME_DIR/\.pyzor(/.*)?		gen_context(system_u:object_r:ROLE_pyzor_home_t,s0)
+HOME_DIR/\.pyzor(/.*)?		gen_context(system_u:object_r:user_pyzor_home_t,s0)
 
 /usr/bin/pyzor		--	gen_context(system_u:object_r:pyzor_exec_t,s0)
 /usr/bin/pyzord		--	gen_context(system_u:object_r:pyzord_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.if serefpolicy-3.2.5/policy/modules/services/pyzor.if
--- nsaserefpolicy/policy/modules/services/pyzor.if	2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/pyzor.if	2007-12-19 05:38:09.000000000 -0500
@@ -25,16 +25,18 @@
 #
 template(`pyzor_per_role_template',`
 	gen_require(`
-		type pyzord_t;
+		type pyzor_t;
+		type user_pyzor_home_t;
 	')
 
-	type $1_pyzor_home_t;
-	userdom_user_home_content($1, $1_pyzor_home_t)
+	ifelse(`$1',`user',`',`
+		typealias user_pyzor_home_t alias $1_pyzor_home_t;
+	')
 
-	manage_dirs_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t)
-	manage_files_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t)
-	manage_lnk_files_pattern(pyzord_t, $1_pyzor_home_t, $1_pyzor_home_t)
-	userdom_user_home_dir_filetrans($1, pyzord_t, $1_pyzor_home_t, { dir file lnk_file })
+	manage_dirs_pattern(pyzor_t,user_pyzor_home_t,user_pyzor_home_t)
+	manage_files_pattern(pyzor_t,user_pyzor_home_t,user_pyzor_home_t)
+	manage_lnk_files_pattern(pyzor_t,user_pyzor_home_t,user_pyzor_home_t)
+	userdom_user_home_dir_filetrans($1,pyzor_t,user_pyzor_home_t,{ dir file lnk_file })
 ')
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.2.5/policy/modules/services/pyzor.te
--- nsaserefpolicy/policy/modules/services/pyzor.te	2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/pyzor.te	2007-12-31 15:19:10.000000000 -0500
@@ -28,6 +28,9 @@
 type pyzor_var_lib_t;
 files_type(pyzor_var_lib_t)
 
+type user_pyzor_home_t;
+userdom_user_home_content(user,user_pyzor_home_t)
+
 ########################################
 #
 # Pyzor local policy
@@ -68,6 +71,8 @@
 
 miscfiles_read_localization(pyzor_t)
 
+mta_read_queue(pyzor_t)
+
 userdom_dontaudit_search_sysadm_home_dirs(pyzor_t)
 
 optional_policy(`
@@ -76,8 +81,13 @@
 ')
 
 optional_policy(`
+	procmail_read_tmp_files(pyzor_t)
+')
+
+optional_policy(`
 	spamassassin_signal_spamd(pyzor_t)
 	spamassassin_read_spamd_tmp_files(pyzor_t)
+	userdom_read_user_home_content_files(unconfined,pyzor_t)
 ')
 
 ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmail.te serefpolicy-3.2.5/policy/modules/services/qmail.te
--- nsaserefpolicy/policy/modules/services/qmail.te	2007-10-02 09:54:52.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/qmail.te	2008-01-07 16:36:33.000000000 -0500
@@ -85,6 +85,8 @@
 libs_use_ld_so(qmail_inject_t)
 libs_use_shared_libs(qmail_inject_t)
 
+miscfiles_read_localization(qmail_inject_t)
+
 qmail_read_config(qmail_inject_t)
 
 ########################################
@@ -106,15 +108,25 @@
 
 kernel_read_system_state(qmail_local_t)
 
+corecmd_exec_bin(qmail_local_t)
 corecmd_exec_shell(qmail_local_t)
+can_exec(qmail_local_t, qmail_local_exec_t)
 
 files_read_etc_files(qmail_local_t)
 files_read_etc_runtime_files(qmail_local_t)
 
+auth_use_nsswitch(qmail_local_t)
+
+logging_send_syslog(qmail_local_t)
+
 mta_append_spool(qmail_local_t)
 
 qmail_domtrans_queue(qmail_local_t)
 
+optional_policy(`
+	spamassassin_domtrans_spamc(qmail_local_t)
+')
+
 ########################################
 #
 # qmail-lspawn local policy
@@ -155,6 +167,10 @@
 manage_files_pattern(qmail_queue_t,qmail_spool_t,qmail_spool_t)
 rw_fifo_files_pattern(qmail_queue_t,qmail_spool_t,qmail_spool_t)
 
+corecmd_exec_bin(qmail_queue_t)
+
+logging_send_syslog(qmail_queue_t)
+
 optional_policy(`
 	daemontools_ipc_domain(qmail_queue_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.2.5/policy/modules/services/razor.fc
--- nsaserefpolicy/policy/modules/services/razor.fc	2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/razor.fc	2007-12-19 05:38:09.000000000 -0500
@@ -1,4 +1,4 @@
-HOME_DIR/\.razor(/.*)?		gen_context(system_u:object_r:ROLE_razor_home_t,s0)
+HOME_DIR/\.razor(/.*)?		gen_context(system_u:object_r:user_razor_home_t,s0)
 
 /etc/razor(/.*)?		gen_context(system_u:object_r:razor_etc_t,s0)
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.2.5/policy/modules/services/razor.if
--- nsaserefpolicy/policy/modules/services/razor.if	2007-07-16 14:09:46.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/razor.if	2007-12-19 05:38:09.000000000 -0500
@@ -137,6 +137,7 @@
 template(`razor_per_role_template',`
 	gen_require(`
 		type razor_exec_t;
+		type user_razor_home_t, user_razor_tmp_t;
 	')
 
 	type $1_razor_t;
@@ -145,12 +146,10 @@
 	razor_common_domain_template($1_razor)
 	role $3 types $1_razor_t;
 
-	type $1_razor_home_t alias $1_razor_rw_t;
-	files_poly_member($1_razor_home_t)
-	userdom_user_home_content($1,$1_razor_home_t)
-
-	type $1_razor_tmp_t;
-	files_tmp_file($1_razor_tmp_t)
+	ifelse(`$1',`user',`',`
+		typealias user_razor_home_t alias $1_razor_home_t;
+		typealias user_razor_tmp_t alias $1_razor_tmp_t;
+	')
 
 	##############################
 	#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.2.5/policy/modules/services/razor.te
--- nsaserefpolicy/policy/modules/services/razor.te	2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/razor.te	2007-12-19 05:38:09.000000000 -0500
@@ -23,6 +23,12 @@
 
 razor_common_domain_template(razor)
 
+type user_razor_home_t;
+userdom_user_home_content(user,user_razor_home_t)
+
+type user_razor_tmp_t;
+files_tmp_file(user_razor_tmp_t)
+
 ########################################
 #
 # Local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.if serefpolicy-3.2.5/policy/modules/services/remotelogin.if
--- nsaserefpolicy/policy/modules/services/remotelogin.if	2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/remotelogin.if	2007-12-19 05:38:09.000000000 -0500
@@ -18,3 +18,20 @@
 	auth_domtrans_login_program($1,remote_login_t)
 ')
 
+########################################
+## <summary>
+##	allow Domain to signal remote login domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`remotelogin_signal',`
+	gen_require(`
+		type remote_login_t;
+	')
+
+	allow $1 remote_login_t:process signal;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-3.2.5/policy/modules/services/remotelogin.te
--- nsaserefpolicy/policy/modules/services/remotelogin.te	2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/remotelogin.te	2007-12-19 05:38:09.000000000 -0500
@@ -85,6 +85,7 @@
 
 miscfiles_read_localization(remote_login_t)
 
+userdom_read_all_users_home_dirs_symlinks(remote_login_t)
 userdom_use_unpriv_users_fds(remote_login_t)
 userdom_search_all_users_home_content(remote_login_t)
 # Only permit unprivileged user domains to be entered via rlogin,
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.2.5/policy/modules/services/rlogin.te
--- nsaserefpolicy/policy/modules/services/rlogin.te	2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/rlogin.te	2007-12-19 05:38:09.000000000 -0500
@@ -36,6 +36,8 @@
 allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr };
 term_create_pty(rlogind_t,rlogind_devpts_t)
 
+domain_interactive_fd(rlogind_t)
+
 # for /usr/lib/telnetlogin
 can_exec(rlogind_t, rlogind_exec_t)
 
@@ -82,23 +84,21 @@
 
 miscfiles_read_localization(rlogind_t)
 
-seutil_dontaudit_search_config(rlogind_t)
+seutil_read_config(rlogind_t)
 
 userdom_setattr_unpriv_users_ptys(rlogind_t)
 # cjp: this is egregious
 userdom_read_all_users_home_content_files(rlogind_t)
 
 remotelogin_domtrans(rlogind_t)
+remotelogin_signal(rlogind_t)
 
 optional_policy(`
+	kerberos_use(rlogind_t)
 	kerberos_read_keytab(rlogind_t)
+	kerberos_manage_host_rcache(rlogind_t)
 ')
 
 optional_policy(`
 	tcpd_wrapped_domain(rlogind_t, rlogind_exec_t)
 ')
-
-ifdef(`TODO',`
-# Allow krb5 rlogind to use fork and open /dev/tty for use
-allow rlogind_t userpty_type:chr_file setattr;
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.2.5/policy/modules/services/rpcbind.te
--- nsaserefpolicy/policy/modules/services/rpcbind.te	2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/rpcbind.te	2007-12-19 05:38:09.000000000 -0500
@@ -21,11 +21,13 @@
 # rpcbind local policy
 #
 
-allow rpcbind_t self:capability setuid;
+allow rpcbind_t self:capability { dac_override setuid sys_tty_config };
 allow rpcbind_t self:fifo_file rw_file_perms;
 allow rpcbind_t self:unix_stream_socket create_stream_socket_perms;
 allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms;
 allow rpcbind_t self:udp_socket create_socket_perms;
+# BROKEN ...
+dontaudit rpcbind_t self:udp_socket listen;
 allow rpcbind_t self:tcp_socket create_stream_socket_perms;
 
 manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t)
@@ -37,6 +39,7 @@
 manage_sock_files_pattern(rpcbind_t,rpcbind_var_lib_t,rpcbind_var_lib_t)
 files_var_lib_filetrans(rpcbind_t,rpcbind_var_lib_t, { file dir sock_file })
 
+kernel_read_system_state(rpcbind_t)
 kernel_read_network_state(rpcbind_t)
 
 corenet_all_recvfrom_unlabeled(rpcbind_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.2.5/policy/modules/services/rpc.if
--- nsaserefpolicy/policy/modules/services/rpc.if	2007-12-04 11:02:50.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/rpc.if	2007-12-19 05:38:09.000000000 -0500
@@ -88,8 +88,11 @@
 	# bind to arbitary unused ports
 	corenet_tcp_bind_generic_port($1_t)
 	corenet_udp_bind_generic_port($1_t)
-	corenet_udp_bind_reserved_port($1_t)
+	corenet_dontaudit_tcp_bind_all_ports($1_t)
+	corenet_dontaudit_udp_bind_all_ports($1_t)
 	corenet_sendrecv_generic_server_packets($1_t)
+	corenet_tcp_bind_all_rpc_ports($1_t)
+	corenet_udp_bind_all_rpc_ports($1_t)
 
 	fs_rw_rpc_named_pipes($1_t) 
 	fs_search_auto_mountpoints($1_t)
@@ -208,6 +211,24 @@
 
 ########################################
 ## <summary>
+##      Execute domain in nfsd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`rpc_domtrans_rpcd',`
+	gen_require(`
+		type rpcd_t, rpcd_exec_t;
+	')
+
+	domtrans_pattern($1,rpcd_exec_t,rpcd_t)
+')
+
+########################################
+## <summary>
 ##      Read NFS exported content.
 ## </summary>
 ## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.2.5/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te	2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/rpc.te	2007-12-19 05:38:09.000000000 -0500
@@ -60,10 +60,14 @@
 manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
 files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
 
+corecmd_exec_bin(rpcd_t)
+
 kernel_read_system_state(rpcd_t) 
-kernel_search_network_state(rpcd_t) 
+kernel_read_network_state(rpcd_t) 
 # for rpc.rquotad
 kernel_read_sysctl(rpcd_t)  
+kernel_rw_fs_sysctls(rpcd_t)  
+kernel_getattr_core_if(nfsd_t)
 
 fs_list_rpc(rpcd_t)
 fs_read_rpc_files(rpcd_t)
@@ -77,11 +81,17 @@
 miscfiles_read_certs(rpcd_t)
 
 seutil_dontaudit_search_config(rpcd_t)
+selinux_dontaudit_read_fs(rpcd_t)
 
 optional_policy(`
 	nis_read_ypserv_config(rpcd_t)
 ')
 
+# automount -> mount -> rpcd
+optional_policy(`
+	automount_dontaudit_use_fds(rpcd_t)
+')
+
 ########################################
 #
 # NFSD local policy
@@ -92,9 +102,13 @@
 allow nfsd_t exports_t:file { getattr read };
 allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
 
+dev_dontaudit_getattr_all_blk_files(nfsd_t) 
+dev_dontaudit_getattr_all_chr_files(nfsd_t) 
+
 # for /proc/fs/nfs/exports - should we have a new type?
 kernel_read_system_state(nfsd_t) 
 kernel_read_network_state(nfsd_t) 
+kernel_dontaudit_getattr_core_if(nfsd_t) 
 
 corenet_tcp_bind_all_rpc_ports(nfsd_t)
 corenet_udp_bind_all_rpc_ports(nfsd_t)
@@ -124,6 +138,7 @@
 tunable_policy(`nfs_export_all_rw',`
 	fs_read_noxattr_fs_files(nfsd_t) 
 	auth_manage_all_files_except_shadow(nfsd_t)
+	userdom_generic_user_home_dir_filetrans_generic_user_home_content(nfsd_t, { file dir })
 ')
 
 tunable_policy(`nfs_export_all_ro',`
@@ -144,6 +159,7 @@
 manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t)
 files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
 
+kernel_read_system_state(gssd_t)
 kernel_read_network_state(gssd_t)
 kernel_read_network_state_symlinks(gssd_t)	
 kernel_search_network_sysctl(gssd_t)	
@@ -157,8 +173,13 @@
 files_list_tmp(gssd_t) 
 files_read_usr_symlinks(gssd_t) 
 
+auth_read_cache(gssd_t) 
+
 miscfiles_read_certs(gssd_t)
 
+userdom_dontaudit_search_users_home_dirs(rpcd_t)
+userdom_dontaudit_search_sysadm_home_dirs(rpcd_t)
+
 tunable_policy(`allow_gssd_read_tmp',`
 	userdom_list_unpriv_users_tmp(gssd_t) 
 	userdom_read_unpriv_users_tmp_files(gssd_t) 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.2.5/policy/modules/services/rshd.te
--- nsaserefpolicy/policy/modules/services/rshd.te	2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/rshd.te	2007-12-19 05:38:09.000000000 -0500
@@ -16,7 +16,7 @@
 #
 # Local policy
 #
-allow rshd_t self:capability { setuid setgid fowner fsetid chown dac_override };
+allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override };
 allow rshd_t self:process { signal_perms fork setsched setpgid setexec };
 allow rshd_t self:fifo_file rw_fifo_file_perms;
 allow rshd_t self:tcp_socket create_stream_socket_perms;
@@ -33,6 +33,9 @@
 corenet_udp_sendrecv_all_ports(rshd_t)
 corenet_tcp_bind_all_nodes(rshd_t)
 corenet_tcp_bind_rsh_port(rshd_t)
+corenet_tcp_bind_all_rpc_ports(rshd_t)
+corenet_tcp_connect_all_ports(rshd_t)
+corenet_tcp_connect_all_rpc_ports(rshd_t)
 corenet_sendrecv_rsh_server_packets(rshd_t)
 
 dev_read_urand(rshd_t)
@@ -44,20 +47,22 @@
 selinux_compute_relabel_context(rshd_t)
 selinux_compute_user_contexts(rshd_t)
 
-auth_domtrans_chk_passwd(rshd_t)
+auth_login_pgm_domain(rshd_t)
+auth_write_login_records(rshd_t)
 
 corecmd_read_bin_symlinks(rshd_t)
 
 files_list_home(rshd_t)
 files_read_etc_files(rshd_t)
-files_search_tmp(rshd_t)
+files_manage_generic_tmp_dirs(rshd_t)
 
-auth_use_nsswitch(rshd_t)
+init_rw_utmp(rshd_t)
 
 libs_use_ld_so(rshd_t)
 libs_use_shared_libs(rshd_t)
 
 logging_send_syslog_msg(rshd_t)
+logging_search_logs(rshd_t)
 
 miscfiles_read_localization(rshd_t)
 
@@ -78,6 +83,8 @@
 
 optional_policy(`
 	kerberos_use(rshd_t)
+	kerberos_read_keytab(rshd_t)
+	kerberos_manage_host_rcache(rshd_t)
 ')
 
 optional_policy(`
@@ -86,4 +93,5 @@
 
 optional_policy(`
 	unconfined_shell_domtrans(rshd_t)
+	unconfined_signal(rshd_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.fc serefpolicy-3.2.5/policy/modules/services/rsync.fc
--- nsaserefpolicy/policy/modules/services/rsync.fc	2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/rsync.fc	2007-12-19 05:38:09.000000000 -0500
@@ -1,2 +1,4 @@
 
 /usr/bin/rsync		--	gen_context(system_u:object_r:rsync_exec_t,s0)
+
+/var/log/rsync.log      --	gen_context(system_u:object_r:rsync_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.2.5/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te	2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/rsync.te	2007-12-19 05:38:09.000000000 -0500
@@ -31,6 +31,9 @@
 type rsync_data_t;
 files_type(rsync_data_t)
 
+type rsync_log_t;
+logging_log_file(rsync_log_t)
+
 type rsync_tmp_t;
 files_tmp_file(rsync_tmp_t)
 
@@ -42,7 +45,7 @@
 # Local policy
 #
 
-allow rsync_t self:capability sys_chroot;
+allow rsync_t self:capability { dac_read_search dac_override setuid setgid sys_chroot };
 allow rsync_t self:process signal_perms;
 allow rsync_t self:fifo_file rw_fifo_file_perms;
 allow rsync_t self:tcp_socket create_stream_socket_perms;
@@ -52,7 +55,6 @@
 # cjp: this should probably only be inetd_child_t rules?
 # search home and kerberos also.
 allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow rsync_t self:capability { setuid setgid };
 #end for identd
 
 allow rsync_t rsync_data_t:dir list_dir_perms;
@@ -95,7 +97,8 @@
 libs_use_shared_libs(rsync_t)
 
 logging_send_syslog_msg(rsync_t)
-logging_dontaudit_search_logs(rsync_t)
+manage_files_pattern(rsync_t,rsync_log_t,rsync_log_t)
+logging_log_filetrans(rsync_t,rsync_log_t,file)
 
 miscfiles_read_localization(rsync_t)
 miscfiles_read_public_files(rsync_t)
@@ -117,7 +120,6 @@
 ')
 
 tunable_policy(`rsync_export_all_ro',`
-	allow rsync_t self:capability dac_override;
 	fs_read_noxattr_fs_files(rsync_t) 
 	auth_read_all_files_except_shadow(rsync_t)
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.2.5/policy/modules/services/samba.fc
--- nsaserefpolicy/policy/modules/services/samba.fc	2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/samba.fc	2007-12-19 05:38:09.000000000 -0500
@@ -15,6 +15,7 @@
 /usr/bin/ntlm_auth		--	gen_context(system_u:object_r:winbind_helper_exec_t,s0)
 /usr/bin/smbmount		--	gen_context(system_u:object_r:smbmount_exec_t,s0)
 /usr/bin/smbmnt			--	gen_context(system_u:object_r:smbmount_exec_t,s0)
+/usr/bin/smbcontrol		--	gen_context(system_u:object_r:smbcontrol_exec_t,s0)
 /usr/sbin/swat			--	gen_context(system_u:object_r:swat_exec_t,s0)
 
 /usr/sbin/nmbd			--	gen_context(system_u:object_r:nmbd_exec_t,s0)
@@ -30,6 +31,8 @@
 /var/lib/samba(/.*)?			gen_context(system_u:object_r:samba_var_t,s0)
 /var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
 
+/var/lib/samba/scripts(/.*)?		gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+
 /var/log/samba(/.*)?			gen_context(system_u:object_r:samba_log_t,s0)
 
 /var/run/samba/brlock\.tdb	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.2.5/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if	2007-10-12 08:56:07.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/samba.if	2007-12-19 05:38:09.000000000 -0500
@@ -331,6 +331,25 @@
 
 ########################################
 ## <summary>
+##	dontaudit the specified domain to
+##	write samba /var files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`samba_dontaudit_write_var_files',`
+	gen_require(`
+		type samba_var_t;
+	')
+
+	dontaudit $1 samba_var_t:file write;
+')
+
+########################################
+## <summary>
 ##	Allow the specified domain to
 ##	read and write samba /var files.
 ## </summary>
@@ -348,6 +367,7 @@
 	files_search_var($1)
 	files_search_var_lib($1)
 	manage_files_pattern($1,samba_var_t,samba_var_t)
+	manage_lnk_files_pattern($1,samba_var_t,samba_var_t)
 ')
 
 ########################################
@@ -492,3 +512,102 @@
 	allow $1 samba_var_t:dir search_dir_perms;
 	stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t)
 ')
+
+########################################
+## <summary>
+##	Create a set of derived types for apache
+##	web content.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix to be used for deriving type names.
+##	</summary>
+## </param>
+#
+template(`samba_helper_template',`
+	gen_require(`
+		type smbd_t;
+	')
+	#This type is for samba helper scripts
+	type samba_$1_script_t;
+	domain_type(samba_$1_script_t)
+	role system_r types samba_$1_script_t;
+
+	# This type is used for executable scripts files
+	type samba_$1_script_exec_t;
+	corecmd_shell_entry_type(samba_$1_script_t)
+	domain_entry_file(samba_$1_script_t,samba_$1_script_exec_t)
+
+	domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t)
+	allow smbd_t samba_$1_script_exec_t:file ioctl;
+
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read samba's shares
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`samba_read_share_files',`
+	gen_require(`
+		type samba_share_t;
+	')
+
+	read_files_pattern($1, samba_share_t, samba_share_t)
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run smbcontrol.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`samba_domtrans_smbcontrol',`
+	gen_require(`
+		type smbcontrol_t;
+                type smbcontrol_exec_t;
+	')
+
+	domtrans_pattern($1,smbcontrol_exec_t,smbcontrol_t)
+')
+
+
+########################################
+## <summary>
+##	Execute smbcontrol in the smbcontrol domain, and
+##	allow the specified role the smbcontrol domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the smbcontrol domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the role's terminal.
+##	</summary>
+## </param>
+#
+interface(`samba_run_smbcontrol',`
+	gen_require(`
+		type smbcontrol_t;
+	')
+
+	samba_domtrans_smbcontrol($1)
+	role $2 types smbcontrol_t;
+	dontaudit smbcontrol_t $3:chr_file rw_term_perms;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.2.5/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te	2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/samba.te	2007-12-19 05:38:09.000000000 -0500
@@ -26,28 +26,28 @@
 
 ## <desc>
 ## <p>
-## Allow samba to share users home directories.
+## Allow Samba to share users home directories
 ## </p>
 ## </desc>
 gen_tunable(samba_enable_home_dirs,false)
 
 ## <desc>
 ## <p>
-## Allow samba to share any file/directory read only.
+## Allow Samba to share any file/directory read only
 ## </p>
 ## </desc>
 gen_tunable(samba_export_all_ro,false)
 
 ## <desc>
 ## <p>
-## Allow samba to share any file/directory read/write.
+## Allow Samba to share any file/directory read/write
 ## </p>
 ## </desc>
 gen_tunable(samba_export_all_rw,false)
 
 ## <desc>
 ## <p>
-## Allow samba to run unconfined scripts
+## Allow Samba to run unconfined scripts in /var/lib/samba/scripts directory
 ## </p>
 ## </desc>
 gen_tunable(samba_run_unconfined,false)
@@ -139,6 +139,11 @@
 type winbind_var_run_t;
 files_pid_file(winbind_var_run_t)
 
+type smbcontrol_t;
+type smbcontrol_exec_t;
+application_domain(smbcontrol_t, smbcontrol_exec_t)
+role system_r types smbcontrol_t;
+
 ########################################
 #
 # Samba net local policy
@@ -193,6 +198,8 @@
 
 miscfiles_read_localization(samba_net_t) 
 
+samba_read_var_files(samba_net_t) 
+
 userdom_dontaudit_search_sysadm_home_dirs(samba_net_t)
 
 optional_policy(`
@@ -213,7 +220,7 @@
 allow smbd_t self:msgq create_msgq_perms;
 allow smbd_t self:sem create_sem_perms;
 allow smbd_t self:shm create_shm_perms;
-allow smbd_t self:sock_file read_file_perms;
+allow smbd_t self:sock_file read_sock_file_perms;
 allow smbd_t self:tcp_socket create_stream_socket_perms;
 allow smbd_t self:udp_socket create_socket_perms;
 allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -221,10 +228,8 @@
 
 allow smbd_t samba_etc_t:file { rw_file_perms setattr };
 
-create_dirs_pattern(smbd_t,samba_log_t,samba_log_t)
-create_files_pattern(smbd_t,samba_log_t,samba_log_t)
-allow smbd_t samba_log_t:dir setattr;
-dontaudit smbd_t samba_log_t:dir remove_name;
+manage_dirs_pattern(smbd_t,samba_log_t,samba_log_t)
+manage_files_pattern(smbd_t,samba_log_t,samba_log_t)
 
 allow smbd_t samba_net_tmp_t:file getattr;
 
@@ -251,7 +256,7 @@
 manage_sock_files_pattern(smbd_t,smbd_var_run_t,smbd_var_run_t)
 files_pid_filetrans(smbd_t,smbd_var_run_t,file)
 
-allow smbd_t winbind_var_run_t:sock_file { read write getattr };
+allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms;
 
 kernel_getattr_core_if(smbd_t)
 kernel_getattr_message_if(smbd_t)
@@ -340,6 +345,17 @@
 tunable_policy(`samba_share_nfs',`
 	fs_manage_nfs_dirs(smbd_t)
 	fs_manage_nfs_files(smbd_t)
+	fs_manage_nfs_symlinks(smbd_t)
+	fs_manage_nfs_named_pipes(smbd_t)
+	fs_manage_nfs_named_sockets(smbd_t)
+')
+
+optional_policy(`
+	kerberos_read_keytab(smbd_t)
+')
+
+optional_policy(`
+	lpd_exec_lpr(smbd_t)
 ')
 
 optional_policy(`
@@ -391,7 +407,7 @@
 allow nmbd_t self:msgq create_msgq_perms;
 allow nmbd_t self:sem create_sem_perms;
 allow nmbd_t self:shm create_shm_perms;
-allow nmbd_t self:sock_file read_file_perms;
+allow nmbd_t self:sock_file read_sock_file_perms;
 allow nmbd_t self:tcp_socket create_stream_socket_perms;
 allow nmbd_t self:udp_socket create_socket_perms;
 allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -403,8 +419,7 @@
 read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)
 
 manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t)
-append_files_pattern(nmbd_t,samba_log_t,samba_log_t)
-allow nmbd_t samba_log_t:file unlink;
+manage_files_pattern(nmbd_t,samba_log_t,samba_log_t)
 
 read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
 create_files_pattern(nmbd_t,samba_log_t,samba_log_t)
@@ -439,6 +454,7 @@
 dev_getattr_mtrr_dev(nmbd_t)
 
 fs_getattr_all_fs(nmbd_t)
+fs_list_inotifyfs(nmbd_t)
 fs_search_auto_mountpoints(nmbd_t)
 
 domain_use_interactive_fds(nmbd_t)
@@ -522,6 +538,7 @@
 storage_raw_write_fixed_disk(smbmount_t)
 
 term_list_ptys(smbmount_t)
+term_use_controlling_term(smbmount_t)
 
 corecmd_list_bin(smbmount_t)
 
@@ -546,28 +563,37 @@
 
 userdom_use_all_users_fds(smbmount_t)
 
+optional_policy(`
+	cups_read_rw_config(smbmount_t)
+')
+
 ########################################
 #
 # SWAT Local policy
 #
 
-allow swat_t self:capability { setuid setgid };
-allow swat_t self:process signal_perms;
+allow swat_t self:capability { setuid setgid sys_resource };
+allow swat_t self:process { setrlimit signal_perms };
 allow swat_t self:fifo_file rw_file_perms;
 allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
 allow swat_t self:tcp_socket create_stream_socket_perms;
 allow swat_t self:udp_socket create_socket_perms;
 
-allow swat_t nmbd_exec_t:file { execute read };
+allow swat_t self:unix_stream_socket connectto;
+can_exec(swat_t, smbd_exec_t)
+allow swat_t smbd_port_t:tcp_socket name_bind;
+allow swat_t smbd_t:process { signal signull };
+allow swat_t smbd_var_run_t:file { lock unlink };
+
+can_exec(swat_t, nmbd_exec_t)
+allow swat_t nmbd_port_t:udp_socket name_bind;
+allow swat_t nmbd_t:process { signal signull };
+allow swat_t nmbd_var_run_t:file { lock read unlink };
 
 rw_files_pattern(swat_t,samba_etc_t,samba_etc_t)
 
 append_files_pattern(swat_t,samba_log_t,samba_log_t)
 
-allow swat_t smbd_exec_t:file execute ;
-
-allow swat_t smbd_t:process signull;
-
 allow swat_t smbd_var_run_t:file read;
 
 manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t)
@@ -577,7 +603,9 @@
 manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t)
 files_pid_filetrans(swat_t,swat_var_run_t,file)
 
-allow swat_t winbind_exec_t:file execute;
+can_exec(swat_t, winbind_exec_t)
+allow swat_t winbind_var_run_t:dir { write add_name remove_name };
+allow swat_t winbind_var_run_t:sock_file { create unlink };
 
 kernel_read_kernel_sysctls(swat_t)
 kernel_read_system_state(swat_t)
@@ -602,6 +630,7 @@
 
 dev_read_urand(swat_t)
 
+files_list_var_lib(swat_t)
 files_read_etc_files(swat_t)
 files_search_home(swat_t)
 files_read_usr_files(swat_t)
@@ -614,6 +643,7 @@
 libs_use_shared_libs(swat_t)
 
 logging_send_syslog_msg(swat_t)
+logging_send_audit_msgs(swat_t)
 logging_search_logs(swat_t)
 
 miscfiles_read_localization(swat_t)
@@ -631,6 +661,17 @@
 	kerberos_use(swat_t)
 ')
 
+init_read_utmp(swat_t)
+init_dontaudit_write_utmp(swat_t)
+
+manage_dirs_pattern(swat_t,samba_log_t,samba_log_t)
+create_files_pattern(swat_t,samba_log_t,samba_log_t)
+
+manage_files_pattern(swat_t,samba_etc_t,samba_secrets_t)
+
+manage_files_pattern(swat_t,samba_var_t,samba_var_t)
+files_list_var_lib(swat_t)
+
 ########################################
 #
 # Winbind local policy
@@ -679,6 +720,8 @@
 manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t)
 files_pid_filetrans(winbind_t,winbind_var_run_t,file)
 
+corecmd_exec_bin(winbind_t)
+
 kernel_read_kernel_sysctls(winbind_t)
 kernel_list_proc(winbind_t)
 kernel_read_proc_symlinks(winbind_t)
@@ -766,6 +809,7 @@
 optional_policy(`
 	squid_read_log(winbind_helper_t)
 	squid_append_log(winbind_helper_t)
+	squid_rw_stream_sockets(winbind_helper_t)
 ')
 
 ########################################
@@ -790,3 +834,37 @@
 		domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
 	')
 ')
+
+########################################
+#
+# smbcontrol local policy
+#
+
+## internal communication is often done using fifo and unix sockets.
+allow smbcontrol_t self:fifo_file rw_file_perms;
+allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
+
+files_read_etc_files(smbcontrol_t)
+
+libs_use_ld_so(smbcontrol_t)
+libs_use_shared_libs(smbcontrol_t)
+
+miscfiles_read_localization(smbcontrol_t)
+
+files_search_var_lib(smbcontrol_t)
+samba_read_config(smbcontrol_t)
+samba_rw_var_files(smbcontrol_t)
+samba_search_var(smbcontrol_t)
+samba_read_winbind_pid(smbcontrol_t)
+
+allow smbcontrol_t smbd_t:process signal;
+domain_use_interactive_fds(smbcontrol_t)
+allow smbd_t smbcontrol_t:process { signal signull };
+
+allow nmbd_t smbcontrol_t:process signal;
+allow smbcontrol_t nmbd_t:process { signal signull };
+
+allow smbcontrol_t winbind_t:process { signal signull };
+allow winbind_t smbcontrol_t:process signal;
+
+allow smbcontrol_t nmbd_var_run_t:file { read lock };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.2.5/policy/modules/services/sasl.te
--- nsaserefpolicy/policy/modules/services/sasl.te	2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/sasl.te	2007-12-19 05:38:09.000000000 -0500
@@ -107,6 +107,10 @@
 ')
 
 optional_policy(`
+	nis_authenticate(saslauthd_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(saslauthd_t)
 ')
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.2.5/policy/modules/services/sendmail.if
--- nsaserefpolicy/policy/modules/services/sendmail.if	2007-08-27 13:57:20.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/sendmail.if	2007-12-19 05:38:09.000000000 -0500
@@ -149,3 +149,85 @@
 
 	logging_log_filetrans($1,sendmail_log_t,file)
 ')
+
+########################################
+## <summary>
+##	Execute the sendmail program in the sendmail domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to allow the sendmail domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the sendmail domain to use.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`sendmail_run',`
+	gen_require(`
+		type sendmail_t;
+	')
+
+	sendmail_domtrans($1)
+	role $2 types sendmail_t;
+	allow sendmail_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute sendmail in the unconfined sendmail domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sendmail_domtrans_unconfined',`
+	gen_require(`
+		type unconfined_sendmail_t, sendmail_exec_t;
+	')
+
+	domtrans_pattern($1,sendmail_exec_t,unconfined_sendmail_t)
+')
+
+########################################
+## <summary>
+##	Execute sendmail in the unconfined sendmail domain, and
+##	allow the specified role the unconfined sendmail domain,
+##	and use the caller's terminal.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the unconfined sendmail domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow the unconfined sendmail domain to use.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`sendmail_run_unconfined',`
+	gen_require(`
+		type unconfined_sendmail_t;
+	')
+
+	sendmail_domtrans_unconfined($1)
+	role $2 types unconfined_sendmail_t;
+	allow unconfined_sendmail_t $3:chr_file rw_file_perms;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.2.5/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te	2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/sendmail.te	2007-12-31 15:42:11.000000000 -0500
@@ -20,13 +20,17 @@
 mta_mailserver_delivery(sendmail_t)
 mta_mailserver_sender(sendmail_t)
 
+type unconfined_sendmail_t;
+application_domain(unconfined_sendmail_t,sendmail_exec_t)
+role system_r types unconfined_sendmail_t;
+
 ########################################
 #
 # Sendmail local policy
 #
 
-allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config };
-allow sendmail_t self:process signal;
+allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config };
+allow sendmail_t self:process { signal signull };
 allow sendmail_t self:fifo_file rw_fifo_file_perms;
 allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
 allow sendmail_t self:unix_dgram_socket create_socket_perms;
@@ -47,6 +51,7 @@
 kernel_read_kernel_sysctls(sendmail_t)
 # for piping mail to a command
 kernel_read_system_state(sendmail_t)
+kernel_read_network_state(sendmail_t)
 
 corenet_all_recvfrom_unlabeled(sendmail_t)
 corenet_all_recvfrom_netlabel(sendmail_t)
@@ -97,20 +102,35 @@
 
 userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
 userdom_dontaudit_search_sysadm_home_dirs(sendmail_t)
+userdom_read_all_users_home_content_files(sendmail_t)
 
 mta_read_config(sendmail_t)
 mta_etc_filetrans_aliases(sendmail_t)
 # Write to /etc/aliases and /etc/mail.
-mta_rw_aliases(sendmail_t)
+mta_manage_aliases(sendmail_t)
 # Write to /var/spool/mail and /var/spool/mqueue.
 mta_manage_queue(sendmail_t)
 mta_manage_spool(sendmail_t)
+mta_sendmail_exec(sendmail_t)
+
+optional_policy(`
+	cron_read_pipes(sendmail_t)
+')
 
 optional_policy(`
 	clamav_search_lib(sendmail_t)
 ')
 
 optional_policy(`
+	cyrus_stream_connect(sendmail_t)
+	clamav_stream_connect(sendmail_t)
+')
+
+optional_policy(`
+	munin_dontaudit_search_lib(sendmail_t)
+')
+
+optional_policy(`
 	postfix_exec_master(sendmail_t)
 	postfix_read_config(sendmail_t)
 	postfix_search_spool(sendmail_t)
@@ -125,24 +145,25 @@
 ')
 
 optional_policy(`
+	sasl_connect(sendmail_t)
+')
+
+optional_policy(`
+	spamd_stream_connect(sendmail_t)
+')
+
+optional_policy(`
 	udev_read_db(sendmail_t)
 ')
 
-ifdef(`TODO',`
-allow sendmail_t etc_mail_t:dir rw_dir_perms;
-allow sendmail_t etc_mail_t:file manage_file_perms;
-# for the start script to run make -C /etc/mail
-allow initrc_t etc_mail_t:dir rw_dir_perms;
-allow initrc_t etc_mail_t:file manage_file_perms;
-allow system_mail_t initrc_t:fd use;
-allow system_mail_t initrc_t:fifo_file write;
-
-# When sendmail runs as user_mail_domain, it needs some extra permissions
-# to update /etc/mail/statistics.
-allow user_mail_domain etc_mail_t:file rw_file_perms;
+########################################
+#
+# Unconfined sendmail local policy 
+# Allow unconfined domain to run newalias and have transitions work
+#
 
-# Silently deny attempts to access /root.
-dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr search };
+optional_policy(`
+	mta_etc_filetrans_aliases(unconfined_sendmail_t)
+	unconfined_domain(unconfined_sendmail_t)
+')
 
-dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
-') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.2.5/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/setroubleshoot.te	2007-12-19 05:38:09.000000000 -0500
@@ -27,8 +27,8 @@
 # setroubleshootd local policy
 #
 
-allow setroubleshootd_t self:capability { dac_override sys_tty_config };
-allow setroubleshootd_t self:process { signull signal getattr getsched };
+allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config };
+allow setroubleshootd_t self:process { getattr getsched  setsched sigkill signull signal };
 allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
 allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
 allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -52,7 +52,9 @@
 
 kernel_read_kernel_sysctls(setroubleshootd_t)
 kernel_read_system_state(setroubleshootd_t)
+kernel_read_net_sysctls(setroubleshootd_t)
 kernel_read_network_state(setroubleshootd_t)
+kernel_dontaudit_list_all_proc(setroubleshootd_t)
 
 corecmd_exec_bin(setroubleshootd_t)
 corecmd_exec_shell(setroubleshootd_t)
@@ -73,7 +75,7 @@
 
 files_read_usr_files(setroubleshootd_t)
 files_read_etc_files(setroubleshootd_t)
-files_getattr_all_dirs(setroubleshootd_t)
+files_list_all(setroubleshootd_t)
 files_getattr_all_files(setroubleshootd_t)
 
 fs_getattr_all_dirs(setroubleshootd_t)
@@ -110,6 +112,7 @@
 optional_policy(`
 	dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t)
 	dbus_connect_system_bus(setroubleshootd_t)
+	dbus_system_domain(setroubleshootd_t,setroubleshootd_exec_t)
 ')
 
 optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.2.5/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te	2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/snmp.te	2007-12-19 05:38:09.000000000 -0500
@@ -81,8 +81,7 @@
 files_read_usr_files(snmpd_t)
 files_read_etc_runtime_files(snmpd_t)
 files_search_home(snmpd_t)
-files_getattr_boot_dirs(snmpd_t)
-files_dontaudit_getattr_home_dir(snmpd_t)
+auth_read_all_dirs_except_shadow(snmpd_t)
 
 fs_getattr_all_dirs(snmpd_t)
 fs_getattr_all_fs(snmpd_t)