From dc7cee956591ee4da801d2de9ccf62180247ba40 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jul 29 2008 20:55:03 +0000 Subject: - Add boolean httpd_execmem - Add dontaudit for leaky pam_nssldap - Dontaudit ptrace of domains for staff_t --- diff --git a/policy-20071130.patch b/policy-20071130.patch index c7836c2..8936673 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -3102,8 +3102,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te --- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te 2008-07-15 14:02:51.000000000 -0400 -@@ -26,8 +26,10 @@ ++++ serefpolicy-3.3.1/policy/modules/admin/tmpreaper.te 2008-07-28 08:40:30.000000000 -0400 +@@ -26,8 +26,12 @@ files_read_etc_files(tmpreaper_t) files_read_var_lib_files(tmpreaper_t) files_purge_tmp(tmpreaper_t) @@ -3111,10 +3111,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap # why does it need setattr? files_setattr_all_tmp_dirs(tmpreaper_t) +files_getattr_lost_found_dirs(tmpreaper_t) ++files_getattr_all_dirs(tmpreaper_t) ++files_getattr_all_files(tmpreaper_t) mls_file_read_all_levels(tmpreaper_t) mls_file_write_all_levels(tmpreaper_t) -@@ -42,6 +44,26 @@ +@@ -42,6 +46,26 @@ cron_system_entry(tmpreaper_t,tmpreaper_exec_t) 
@@ -5118,7 +5120,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. +/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.3.1/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/apps/mozilla.if 2008-07-17 10:52:13.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/apps/mozilla.if 2008-07-28 08:49:10.000000000 -0400 @@ -35,7 +35,10 @@ template(`mozilla_per_role_template',` gen_require(` @@ -5271,7 +5273,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. # Browse the web, connect to printer corenet_all_recvfrom_unlabeled($1_mozilla_t) -@@ -151,6 +193,7 @@ +@@ -139,7 +181,6 @@ + corenet_tcp_connect_http_cache_port($1_mozilla_t) + corenet_tcp_connect_ftp_port($1_mozilla_t) + corenet_tcp_connect_ipp_port($1_mozilla_t) +- corenet_tcp_connect_generic_port($1_mozilla_t) + corenet_sendrecv_http_client_packets($1_mozilla_t) + corenet_sendrecv_http_cache_client_packets($1_mozilla_t) + corenet_sendrecv_ftp_client_packets($1_mozilla_t) +@@ -151,6 +192,7 @@ dev_read_urand($1_mozilla_t) dev_read_rand($1_mozilla_t) @@ -5279,7 +5289,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. dev_write_sound($1_mozilla_t) dev_read_sound($1_mozilla_t) dev_dontaudit_rw_dri($1_mozilla_t) -@@ -165,13 +208,28 @@ +@@ -165,13 +207,28 @@ files_read_var_files($1_mozilla_t) files_read_var_symlinks($1_mozilla_t) files_dontaudit_getattr_boot_dirs($1_mozilla_t) @@ -5308,7 +5318,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. libs_use_ld_so($1_mozilla_t) libs_use_shared_libs($1_mozilla_t) -@@ -180,18 +238,10 @@ +@@ -180,18 +237,10 @@ miscfiles_read_fonts($1_mozilla_t) miscfiles_read_localization($1_mozilla_t) 
@@ -5330,7 +5340,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t) xserver_dontaudit_getattr_xdm_tmp_sockets($1_mozilla_t) -@@ -211,131 +261,8 @@ +@@ -211,131 +260,8 @@ fs_manage_cifs_symlinks($1_mozilla_t) ') @@ -5464,7 +5474,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') optional_policy(` -@@ -350,57 +277,58 @@ +@@ -350,57 +276,58 @@ optional_policy(` cups_read_rw_config($1_mozilla_t) cups_dbus_chat($1_mozilla_t) @@ -5547,7 +5557,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') ######################################## -@@ -430,11 +358,11 @@ +@@ -430,11 +357,11 @@ # template(`mozilla_read_user_home_files',` gen_require(` @@ -5562,7 +5572,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') ######################################## -@@ -464,11 +392,10 @@ +@@ -464,11 +391,10 @@ # template(`mozilla_write_user_home_files',` gen_require(` @@ -5576,7 +5586,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ') ######################################## -@@ -573,3 +500,27 @@ +@@ -573,3 +499,27 @@ allow $2 $1_mozilla_t:tcp_socket rw_socket_perms; ') @@ -5819,8 +5829,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:user_nsplugin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.3.1/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if 2008-07-15 14:02:51.000000000 -0400 -@@ -0,0 +1,353 @@ ++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.if 2008-07-29 16:19:53.000000000 -0400 +@@ -0,0 +1,356 @@ + +## policy for nsplugin + 
@@ -5995,6 +6005,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + allow nsplugin_t $2:unix_stream_socket connectto; + dontaudit nsplugin_t $2:process ptrace; + ++ # Connect to pulseaudit server ++ stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2) ++ + allow nsplugin_t $1_tmpfs_t:file { read getattr }; + allow $2 nsplugin_t:process { getattr ptrace signal_perms }; + allow $2 nsplugin_t:unix_stream_socket connectto; @@ -6176,8 +6189,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-07-15 14:02:51.000000000 -0400 -@@ -0,0 +1,211 @@ ++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-07-29 13:22:00.000000000 -0400 +@@ -0,0 +1,227 @@ + +policy_module(nsplugin,1.0.0) + @@ -6331,6 +6344,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + xserver_read_xdm_pid(nsplugin_t) + xserver_read_user_xauth(user, nsplugin_t) + xserver_use_user_fonts(user, nsplugin_t) ++ xserver_manage_home_fonts(nsplugin_t) +') + +######################################## 
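Review bot: The new comment `# Connect to pulseaudit server` misspells the daemon; it should read `# Connect to pulseaudio server`. The pattern beneath it, `stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2)`, names `user_home_t` as both the directory type and the socket type, so nsplugin_t gains write on any `user_home_t` sock_file, not only the PulseAudio one, while the `connectto` on `$2` is already granted earlier in the same block. If the PulseAudio socket can carry a type of its own, passing that type as the third argument keeps the grant to what the comment says. The enclosing template starts and ends outside this hunk.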
@@ -6347,6 +6361,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +fs_list_inotifyfs(nsplugin_config_t) + +can_exec(nsplugin_config_t, nsplugin_rw_t) ++manage_dirs_pattern(nsplugin_config_t, user_nsplugin_home_t, user_nsplugin_home_t) ++manage_files_pattern(nsplugin_config_t, user_nsplugin_home_t, user_nsplugin_home_t) ++manage_lnk_files_pattern(nsplugin_config_t, user_nsplugin_home_t, user_nsplugin_home_t) ++ +manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) +manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) +manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) @@ -6363,6 +6381,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +files_read_etc_files(nsplugin_config_t) +files_read_usr_files(nsplugin_config_t) +files_dontaudit_search_home(nsplugin_config_t) ++files_list_tmp(nsplugin_config_t) + +auth_use_nsswitch(nsplugin_config_t) + @@ -6377,14 +6396,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin + + +tunable_policy(`use_nfs_home_dirs',` -+ fs_search_nfs(nsplugin_config_t) ++ fs_manage_nfs_dirs(nsplugin_t) ++ fs_manage_nfs_files(nsplugin_t) ++ fs_manage_nfs_dirs(nsplugin_config_t) ++ fs_manage_nfs_files(nsplugin_config_t) +') + +tunable_policy(`use_samba_home_dirs',` -+ fs_search_cifs(nsplugin_config_t) ++ fs_manage_cifs_dirs(nsplugin_t) ++ fs_manage_cifs_files(nsplugin_t) ++ fs_manage_cifs_dirs(nsplugin_config_t) ++ fs_manage_cifs_files(nsplugin_config_t) +') + -+nsplugin_domtrans(nsplugin_config_t) ++domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, nsplugin_t) ++ ++optional_policy(` ++ xserver_read_home_fonts(nsplugin_config_t) ++') + +optional_policy(` + mozilla_read_user_home_files(user, nsplugin_config_t) 
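Review bot: Under `use_nfs_home_dirs` and `use_samba_home_dirs` the grant goes from `fs_search_nfs`/`fs_search_cifs` on nsplugin_config_t to `fs_manage_nfs_dirs`/`fs_manage_nfs_files` and the CIFS equivalents on both nsplugin_config_t and nsplugin_t, i.e. from directory search to create/write/delete of anything on those mounts, for the domain that runs browser plugin code. Nothing in the hunk says which operation needs write rather than read, so either reduce to `fs_read_nfs_files`/`fs_read_cifs_files` where that suffices or add a comment above each block naming the failing operation, e.g. `# manage (not read) needed because: <reason - fill in>`. `domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, nsplugin_t)` replacing `nsplugin_domtrans(nsplugin_config_t)` is the same rule only if that interface did nothing more; its body is not in this hunk.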
@@ -7146,7 +7175,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.3.1/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/kernel/corecommands.fc 2008-07-15 14:02:51.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/kernel/corecommands.fc 2008-07-29 15:03:44.000000000 -0400 @@ -7,11 +7,11 @@ /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) @@ -7241,7 +7270,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -284,3 +292,13 @@ +@@ -223,7 +231,6 @@ + /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0) +-/usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) +@@ -284,3 +291,12 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') 
@@ -7254,7 +7291,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco + +/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) +/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) -+ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.3.1/policy/modules/kernel/corecommands.if --- nsaserefpolicy/policy/modules/kernel/corecommands.if 2008-06-12 23:38:02.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/kernel/corecommands.if 2008-07-15 14:02:51.000000000 -0400 @@ -8018,7 +8054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device type power_device_t; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.3.1/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/kernel/domain.if 2008-07-15 14:02:51.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/kernel/domain.if 2008-07-29 16:29:47.000000000 -0400 @@ -525,7 +525,7 @@ ') @@ -8068,7 +8104,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain ## all protocols (TCP, UDP, etc) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.3.1/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/kernel/domain.te 2008-07-15 14:02:51.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/kernel/domain.te 2008-07-28 08:35:53.000000000 -0400 @@ -5,6 +5,13 @@ # # Declarations 
@@ -8100,7 +8136,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys -@@ -148,3 +156,32 @@ +@@ -148,3 +156,39 @@ # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) @@ -8113,6 +8149,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +optional_policy(` + cron_dontaudit_write_system_job_tmp_files(domain) + cron_rw_pipes(domain) ++ifdef(`hide_broken_symptoms', ` ++ cron_dontaudit_rw_tcp_sockets(domain) ++') ++') ++ ++ifdef(`hide_broken_symptoms', ` ++ dbus_dontaudit_system_bus_rw_tcp_sockets(domain) +') + +optional_policy(` @@ -8146,7 +8189,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # /emul diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.3.1/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/kernel/files.if 2008-07-15 14:02:51.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/kernel/files.if 2008-07-28 08:38:24.000000000 -0400 @@ -110,6 +110,11 @@ ## # 
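Review bot: `dbus_dontaudit_system_bus_rw_tcp_sockets(domain)` is called from a bare `ifdef(`hide_broken_symptoms', ...)`, while the sibling `cron_dontaudit_rw_tcp_sockets(domain)` added just above sits inside `optional_policy(`; domain.te is base policy and every other cross-module call in this hunk is wrapped, so the dbus call should be wrapped the same way, e.g. `optional_policy(`  around the `ifdef`. As written, a build without the dbus module would presumably fail on the `gen_require` of `system_dbusd_t` inside that interface. The interface body itself is in the dbus.if hunk later in this patch.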
@@ -9301,8 +9344,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aide ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.fc serefpolicy-3.3.1/policy/modules/services/amavis.fc --- nsaserefpolicy/policy/modules/services/amavis.fc 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/amavis.fc 2008-07-15 14:02:51.000000000 -0400 -@@ -14,3 +14,5 @@ ++++ serefpolicy-3.3.1/policy/modules/services/amavis.fc 2008-07-29 11:14:40.000000000 -0400 +@@ -3,6 +3,7 @@ + /etc/amavisd(/.*)? -- gen_context(system_u:object_r:amavis_etc_t,s0) + + /usr/sbin/amavisd.* -- gen_context(system_u:object_r:amavis_exec_t,s0) ++/usr/lib(64)?/AntiVir/antivir -- gen_context(system_u:object_r:amavis_exec_t,s0) + + ifdef(`distro_debian',` + /usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0) +@@ -14,3 +15,5 @@ /var/run/amavis(d)?(/.*)? gen_context(system_u:object_r:amavis_var_run_t,s0) /var/spool/amavisd(/.*)? gen_context(system_u:object_r:amavis_spool_t,s0) /var/virusmails(/.*)? gen_context(system_u:object_r:amavis_quarantine_t,s0) @@ -9384,7 +9435,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-3.3.1/policy/modules/services/amavis.te --- nsaserefpolicy/policy/modules/services/amavis.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/amavis.te 2008-07-15 14:02:51.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/amavis.te 2008-07-29 11:14:58.000000000 -0400 @@ -13,7 +13,7 @@ # configuration files 
@@ -9404,6 +9455,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav ######################################## # # amavis local policy +@@ -52,6 +55,8 @@ + allow amavis_t self:tcp_socket { listen accept }; + allow amavis_t self:netlink_route_socket r_netlink_socket_perms; + ++can_exec(amavis_t, amavis_exec_t) ++ + # configuration files + allow amavis_t amavis_etc_t:dir list_dir_perms; + read_files_pattern(amavis_t,amavis_etc_t,amavis_etc_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.3.1/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2008-06-12 23:38:01.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/services/apache.fc 2008-07-15 14:02:51.000000000 -0400 @@ -10094,7 +10154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-07-15 14:02:51.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-07-29 13:26:28.000000000 -0400 @@ -20,6 +20,8 @@ # Declarations # @@ -10117,7 +10177,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## ##

-@@ -45,7 +47,14 @@ +@@ -45,7 +47,21 @@ ## ##

@@ -10129,11 +10189,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + +## +##

++## Allow httpd scripts and modules execmem/execstack ++##

++##
++gen_tunable(httpd_execmem,false) ++ ++## ++##

+## Allow HTTPD scripts and modules to connect to the network ##

##
gen_tunable(httpd_can_network_connect,false) -@@ -95,8 +104,8 @@ +@@ -95,8 +111,8 @@ ## ##

@@ -10144,7 +10211,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## the terminal. ##

##
-@@ -109,14 +118,33 @@ +@@ -109,14 +125,33 @@ ## gen_tunable(httpd_unified,false) @@ -10180,7 +10247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac # user script domains attribute httpd_script_domains; -@@ -147,6 +175,9 @@ +@@ -147,6 +182,9 @@ type httpd_log_t; logging_log_file(httpd_log_t) @@ -10190,7 +10257,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac # httpd_modules_t is the type given to module files (libraries) # that come with Apache /etc/httpd/modules and /usr/lib/apache type httpd_modules_t; -@@ -180,6 +211,9 @@ +@@ -180,6 +218,9 @@ # setup the system domain for system CGI scripts apache_content_template(sys) @@ -10200,7 +10267,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -202,12 +236,16 @@ +@@ -202,12 +243,16 @@ prelink_object_file(httpd_modules_t) ') @@ -10218,7 +10285,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac dontaudit httpd_t self:capability { net_admin sys_tty_config }; allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; -@@ -249,6 +287,7 @@ +@@ -249,6 +294,7 @@ allow httpd_t httpd_modules_t:dir list_dir_perms; mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t) read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t) @@ -10226,7 +10293,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac apache_domtrans_rotatelogs(httpd_t) # Apache-httpd needs to be able to send signals to the log rotate procs. -@@ -289,6 +328,7 @@ +@@ -289,6 +335,7 @@ kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) 
@@ -10234,7 +10301,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -315,9 +355,7 @@ +@@ -315,9 +362,7 @@ auth_use_nsswitch(httpd_t) @@ -10245,7 +10312,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac domain_use_interactive_fds(httpd_t) -@@ -335,6 +373,10 @@ +@@ -335,6 +380,10 @@ files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -10256,7 +10323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac libs_use_ld_so(httpd_t) libs_use_shared_libs(httpd_t) -@@ -351,25 +393,50 @@ +@@ -351,25 +400,50 @@ userdom_use_unpriv_users_fds(httpd_t) @@ -10311,7 +10378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_can_network_relay',` # allow httpd to work as a relay corenet_tcp_connect_gopher_port(httpd_t) -@@ -382,12 +449,22 @@ +@@ -382,12 +456,22 @@ corenet_sendrecv_http_cache_client_packets(httpd_t) ') @@ -10339,7 +10406,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_ftp_server',` -@@ -399,11 +476,21 @@ +@@ -399,11 +483,21 @@ fs_read_nfs_symlinks(httpd_t) ') @@ -10361,7 +10428,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -437,8 +524,13 @@ +@@ -437,8 +531,13 @@ ') optional_policy(` @@ -10377,7 +10444,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -450,19 +542,13 @@ +@@ -450,19 +549,13 @@ ') optional_policy(` 
@@ -10398,17 +10465,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -473,12 +559,15 @@ +@@ -472,13 +565,22 @@ + openca_kill(httpd_t) ') - optional_policy(` ++tunable_policy(`httpd_execmem',` ++ allow httpd_t self:process { execmem execstack }; ++ allow httpd_sys_script_t self:process { execmem execstack }; ++ allow httpd_suexec_t self:process { execmem execstack }; ++') ++ ++optional_policy(` +tunable_policy(`httpd_can_network_connect_db',` + postgresql_tcp_connect(httpd_t) + postgresql_tcp_connect(httpd_sys_script_t) +') +') + -+optional_policy(` + optional_policy(` # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) - @@ -10418,7 +10492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -486,6 +575,7 @@ +@@ -486,6 +588,7 @@ ') optional_policy(` @@ -10426,7 +10500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -521,6 +611,22 @@ +@@ -521,6 +624,22 @@ userdom_use_sysadm_terms(httpd_helper_t) ') @@ -10449,7 +10523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -550,18 +656,26 @@ +@@ -550,18 +669,26 @@ fs_search_auto_mountpoints(httpd_php_t) @@ -10479,7 +10553,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -585,6 +699,8 @@ +@@ -585,6 +712,8 @@ manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) 
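Review bot: `tunable_policy(`httpd_execmem', ...)` grants `execmem execstack` to httpd_t, httpd_sys_script_t and httpd_suexec_t, but the tunable's description added earlier in this file (`Allow httpd scripts and modules execmem/execstack`) names only scripts and modules, not suexec; either drop httpd_suexec_t from the block or say so in the description. Since the base rule `allow httpd_t self:process ~{ ... execmem execstack execheap }` deliberately withholds these permissions, the description should also state what turning the boolean on costs so an administrator can weigh it, e.g. `## Allow httpd, its scripts, modules and suexec to map memory writable and executable (execmem) and to run with an executable stack (execstack); this removes the W^X restriction for those domains.` That description lives in the `gen_tunable(httpd_execmem,false)` hunk, not here.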
@@ -10488,7 +10562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) -@@ -593,9 +709,7 @@ +@@ -593,9 +722,7 @@ fs_search_auto_mountpoints(httpd_suexec_t) @@ -10499,7 +10573,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -628,6 +742,7 @@ +@@ -628,6 +755,7 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -10507,7 +10581,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified',` domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) ') -@@ -638,6 +753,12 @@ +@@ -638,6 +766,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') @@ -10520,7 +10594,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -655,10 +776,6 @@ +@@ -655,10 +789,6 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -10531,7 +10605,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache system script local policy -@@ -668,7 +785,8 @@ +@@ -668,7 +798,8 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; @@ -10541,7 +10615,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t) -@@ -682,15 +800,44 @@ +@@ -682,15 +813,44 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) 
@@ -10553,15 +10627,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +tunable_policy(`httpd_use_nfs', ` - fs_read_nfs_files(httpd_sys_script_t) - fs_read_nfs_symlinks(httpd_sys_script_t) - ') - -+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', ` + fs_read_nfs_files(httpd_sys_script_t) + fs_read_nfs_symlinks(httpd_sys_script_t) +') + ++tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', ` + fs_read_nfs_files(httpd_sys_script_t) + fs_read_nfs_symlinks(httpd_sys_script_t) + ') + +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` + allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; + allow httpd_sys_script_t self:udp_socket create_socket_perms; @@ -10587,7 +10661,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -703,6 +850,10 @@ +@@ -703,6 +863,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -10598,7 +10672,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -724,3 +875,60 @@ +@@ -724,3 +888,60 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) 
@@ -12475,7 +12549,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron +/var/lib/misc(/.*)? gen_context(system_u:object_r:system_crond_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.3.1/policy/modules/services/cron.if --- nsaserefpolicy/policy/modules/services/cron.if 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/cron.if 2008-07-15 14:02:52.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/cron.if 2008-07-28 08:35:13.000000000 -0400 @@ -35,38 +35,23 @@ # template(`cron_per_role_template',` @@ -12712,10 +12786,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron # Manipulate other users crontab. selinux_get_fs_mount($1_crontab_t) selinux_validate_context($1_crontab_t) -@@ -438,6 +334,25 @@ +@@ -438,7 +334,26 @@ ######################################## ## +-## Read, and write cron daemon TCP sockets. +## Read temporary files from cron. +## +## @@ -12735,9 +12810,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron + +######################################## +## - ## Read, and write cron daemon TCP sockets. ++## dontaudit Read, and write cron daemon TCP sockets. ## ## + ## +@@ -446,7 +361,7 @@ + ## + ## + # +-interface(`cron_rw_tcp_sockets',` ++interface(`cron_dontaudit_rw_tcp_sockets',` + gen_require(` + type crond_t; + ') @@ -558,11 +473,14 @@ # interface(`cron_read_system_job_tmp_files',` 
@@ -13088,7 +13173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron -') dnl end TODO diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.3.1/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/cups.fc 2008-07-15 14:02:52.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/cups.fc 2008-07-29 15:03:03.000000000 -0400 @@ -8,24 +8,28 @@ /etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) @@ -13128,7 +13213,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups /usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0) /usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -/usr/share/hplip/hpssd\.py -- gen_context(system_u:object_r:hplip_exec_t,s0) -+/usr/share/hplip/[^/]*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0) ++/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0) /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) @@ -14038,7 +14123,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.3.1/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/dbus.if 2008-07-15 14:02:52.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/dbus.if 2008-07-28 08:37:27.000000000 -0400 
@@ -53,6 +53,7 @@ gen_require(` type system_dbusd_exec_t, system_dbusd_t, dbusd_etc_t; @@ -14250,7 +14335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ## Read dbus configuration. ## ## -@@ -366,3 +431,55 @@ +@@ -366,3 +431,73 @@ allow $1 system_dbusd_t:dbus *; ') @@ -14306,6 +14391,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus + dbus_connect_system_bus($1) + +') ++ ++######################################## ++## ++## Dontaudit Read, and write system dbus TCP sockets. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` ++ gen_require(` ++ type system_dbusd_t; ++ ') ++ ++ allow $1 system_dbusd_t:tcp_socket { read write }; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.3.1/policy/modules/services/dbus.te --- nsaserefpolicy/policy/modules/services/dbus.te 2008-06-12 23:38:01.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/services/dbus.te 2008-07-15 14:02:52.000000000 -0400 @@ -18124,7 +18227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.3.1/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/mta.te 2008-07-15 14:02:52.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/mta.te 2008-07-28 08:35:21.000000000 -0400 @@ -6,6 +6,8 @@ # Declarations # 
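Review bot: The new `dbus_dontaudit_system_bus_rw_tcp_sockets` interface is named and documented as a dontaudit but its body is `allow $1 system_dbusd_t:tcp_socket { read write };`, so the caller added to domain.te in this patch under `hide_broken_symptoms` would grant every domain read/write on the system bus TCP sockets instead of silencing the denial. The rule should read `dontaudit $1 system_dbusd_t:tcp_socket { read write };`. The cron.if hunk in this patch renames `cron_rw_tcp_sockets` to `cron_dontaudit_rw_tcp_sockets` but its rule line is outside that hunk, so it is worth confirming it was switched to `dontaudit` as well. The summary `## Dontaudit Read, and write system dbus TCP sockets.` would read more naturally as `## Do not audit attempts to read and write system dbus TCP sockets.`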
@@ -18225,7 +18328,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. logrotate_read_tmp_files(system_mail_t) ') -@@ -136,11 +175,40 @@ +@@ -114,9 +153,6 @@ + postfix_config_filetrans(system_mail_t,etc_aliases_t,{ dir file lnk_file sock_file fifo_file }) + ') + +- optional_policy(` +- cron_rw_tcp_sockets(system_mail_t) +- ') + ') + + optional_policy(` +@@ -136,11 +172,40 @@ ') optional_policy(` @@ -18247,7 +18360,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. -# should break this up among sections: +read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) - ++ +init_stream_connect_script(mailserver_delivery) +init_rw_script_stream_sockets(mailserver_delivery) + @@ -18256,7 +18369,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. + fs_manage_cifs_files(mailserver_delivery) + fs_manage_cifs_symlinks(mailserver_delivery) +') -+ + +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(mailserver_delivery) + fs_manage_nfs_files(mailserver_delivery) @@ -18267,7 +18380,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. optional_policy(` # why is mail delivered to a directory of type arpwatch_data_t? arpwatch_search_data(mailserver_delivery) -@@ -154,3 +222,4 @@ +@@ -154,3 +219,4 @@ cron_read_system_job_tmp_files(mta_user_agent) ') ') @@ -23044,7 +23157,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.3.1/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/rpc.te 2008-07-15 14:02:52.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/rpc.te 2008-07-29 11:05:12.000000000 -0400 @@ -23,7 +23,7 @@ gen_tunable(allow_nfsd_anon_write,false) 
@@ -23130,7 +23243,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_search_network_sysctl(gssd_t) -@@ -157,8 +178,14 @@ +@@ -157,8 +178,15 @@ files_list_tmp(gssd_t) files_read_usr_symlinks(gssd_t) @@ -23141,11 +23254,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. +userdom_dontaudit_search_users_home_dirs(rpcd_t) +userdom_dontaudit_search_sysadm_home_dirs(rpcd_t) ++userdom_dontaudit_write_user_tmp_files(user, rpcd_t) + tunable_policy(`allow_gssd_read_tmp',` userdom_list_unpriv_users_tmp(gssd_t) userdom_read_unpriv_users_tmp_files(gssd_t) -@@ -166,8 +193,7 @@ +@@ -166,8 +194,7 @@ ') optional_policy(` @@ -23873,7 +23987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.3.1/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/samba.te 2008-07-15 14:02:52.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/samba.te 2008-07-29 15:52:01.000000000 -0400 @@ -59,6 +59,13 @@ ## gen_tunable(samba_share_nfs,false) @@ -23928,6 +24042,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb optional_policy(` kerberos_use(samba_net_t) +@@ -203,7 +219,7 @@ + # + # smbd Local policy + # +-allow smbd_t self:capability { fowner setgid setuid sys_resource lease dac_override dac_read_search }; ++allow smbd_t self:capability { chown fowner setgid setuid sys_resource lease dac_override dac_read_search }; + dontaudit smbd_t self:capability sys_tty_config; + allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow smbd_t self:process setrlimit; 
@@ -213,7 +229,7 @@ allow smbd_t self:msgq create_msgq_perms; allow smbd_t self:sem create_sem_perms; @@ -24430,7 +24553,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.3.1/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/sendmail.te 2008-07-15 14:02:52.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/sendmail.te 2008-07-25 07:32:08.000000000 -0400 @@ -20,13 +20,17 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) @@ -24459,7 +24582,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send corenet_all_recvfrom_unlabeled(sendmail_t) corenet_all_recvfrom_netlabel(sendmail_t) -@@ -69,19 +74,23 @@ +@@ -64,24 +69,29 @@ + + fs_getattr_all_fs(sendmail_t) + fs_search_auto_mountpoints(sendmail_t) ++fs_rw_anon_inodefs_files(sendmail_t) + + term_dontaudit_use_console(sendmail_t) # for piping mail to a command corecmd_exec_shell(sendmail_t) @@ -24483,7 +24612,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send auth_use_nsswitch(sendmail_t) -@@ -91,26 +100,42 @@ +@@ -91,26 +101,42 @@ libs_read_lib_files(sendmail_t) logging_send_syslog_msg(sendmail_t) @@ -24527,7 +24656,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send postfix_exec_master(sendmail_t) postfix_read_config(sendmail_t) postfix_search_spool(sendmail_t) -@@ -118,6 +143,7 @@ +@@ -118,6 +144,7 @@ optional_policy(` procmail_domtrans(sendmail_t) @@ -24535,7 +24664,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send ') optional_policy(` -@@ -125,24 +151,25 @@ +@@ -125,24 +152,25 @@ ') optional_policy(` 
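Review bot: `chown` is added to the smbd_t `self:capability` set in the samba.te hunk with no comment, and the commit message (httpd_execmem, pam_nssldap dontaudit, staff_t ptrace dontaudit) does not mention it. CAP_CHOWN is broad — it lets the daemon change ownership of any file its existing type rules already let it reach — so the reason should be recorded next to the rule, e.g. `# chown: needed for <operation from the AVC that prompted this — fill in>` above the `allow smbd_t self:capability { chown ... }` line. The nested hunk only shows that single line changing, so a justification there is the only place a later reader will find it.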
@@ -27252,7 +27381,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-07-15 14:02:52.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-07-29 15:14:04.000000000 -0400 @@ -12,9 +12,15 @@ ## ## @@ -27580,12 +27709,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser - - allow $1_xauth_t $1_xauth_home_t:file manage_file_perms; - userdom_user_home_dir_filetrans($1,$1_xauth_t,$1_xauth_home_t,file) -+ domtrans_pattern($2, xauth_exec_t, xauth_t) - +- - manage_dirs_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t) - manage_files_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t) - files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir }) -- ++ domtrans_pattern($2, xauth_exec_t, xauth_t) + - domtrans_pattern($2, xauth_exec_t, $1_xauth_t) - - allow $2 $1_xauth_t:process signal; @@ -27604,14 +27733,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser - - files_read_etc_files($1_xauth_t) - files_search_pids($1_xauth_t) -+ ps_process_pattern($2,xauth_t) - +- - fs_getattr_xattr_fs($1_xauth_t) - fs_search_auto_mountpoints($1_xauth_t) - - # cjp: why? - term_use_ptmx($1_xauth_t) -- ++ ps_process_pattern($2,xauth_t) + - auth_use_nsswitch($1_xauth_t) - - libs_use_ld_so($1_xauth_t) 
@@ -27660,34 +27789,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser - allow xdm_t $1_iceauth_home_t:file read_file_perms; + userdom_use_user_terminals($1,iceauth_t) -+ + +- fs_search_auto_mountpoints($1_iceauth_t) + optional_policy(` + xserver_read_user_iceauth($1, $2) + ') -- fs_search_auto_mountpoints($1_iceauth_t) +- libs_use_ld_so($1_iceauth_t) +- libs_use_shared_libs($1_iceauth_t) + ############################## + # + # User X object manager local policy + # -- libs_use_ld_so($1_iceauth_t) -- libs_use_shared_libs($1_iceauth_t) +- userdom_use_user_terminals($1,$1_iceauth_t) + # Device rules + allow xdm_x_domain $2:x_device { getattr setattr setfocus grab bell }; -- userdom_use_user_terminals($1,$1_iceauth_t) -+ allow $2 { input_xevent_t }:x_event send; -+ allow $2 { x_rootwindow_t xdm_x_domain }:x_drawable send; - - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files($1_iceauth_t) - ') -+ mls_xwin_read_to_clearance($2) ++ allow $2 { input_xevent_t }:x_event send; ++ allow $2 { x_rootwindow_t xdm_x_domain }:x_drawable send; - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files($1_iceauth_t) - ') ++ mls_xwin_read_to_clearance($2) ++ + xserver_user_x_domain_template($1,$1_t,$1_t,$1_tmpfs_t) ') @@ -28320,9 +28449,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser gen_require(` - type $1_xauth_t, xauth_exec_t; + type xauth_exec_t, xauth_t; - ') - -- domtrans_pattern($2, xauth_exec_t, $1_xauth_t) ++ ') ++ + domtrans_pattern($2, xauth_exec_t, xauth_t) +') + @@ -28354,8 +28482,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +template(`xserver_read_user_xauth',` + gen_require(` + type user_xauth_home_t; -+ ') -+ + ') + +- domtrans_pattern($2, xauth_exec_t, $1_xauth_t) + allow $2 user_xauth_home_t:file { getattr read }; +') + 
@@ -28542,7 +28671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1312,3 +1978,120 @@ +@@ -1312,3 +1978,179 @@ files_search_tmp($1) stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) ') 
@@ -28663,6 +28792,65 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + files_search_pids($1) + write_files_pattern($1,xserver_var_run_t,xserver_var_run_t) +') ++ ++######################################## ++## ++## Read user homedir fonts. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`xserver_manage_home_fonts',` ++ gen_require(` ++ type user_fonts_config_t; ++ type user_fonts_t; ++ type user_fonts_cache_t; ++ ') ++ ++ manage_dirs_pattern($1, user_fonts_t, user_fonts_t) ++ manage_files_pattern($1, user_fonts_t, user_fonts_t) ++ manage_lnk_files_pattern($1, user_fonts_t, user_fonts_t) ++ ++ manage_dirs_pattern($1, user_fonts_config_t, user_fonts_config_t) ++ manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) ++ manage_lnk_files_pattern($1, user_fonts_config_t, user_fonts_config_t) ++ ++ manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t) ++ manage_files_pattern($1, user_fonts_cache_t, user_fonts_cache_t) ++ manage_lnk_files_pattern($1, user_fonts_cache_t, user_fonts_cache_t) ++') ++ ++######################################## ++## ++## Read user homedir fonts. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++# ++interface(`xserver_read_home_fonts',` ++ gen_require(` ++ type user_fonts_config_t; ++ type user_fonts_t; ++ type user_fonts_cache_t; ++ ') ++ ++ read_files_pattern($1, user_fonts_t, user_fonts_t) ++ read_lnk_files_pattern($1, user_fonts_t, user_fonts_t) ++ ++ read_files_pattern($1, user_fonts_config_t, user_fonts_config_t) ++ read_lnk_files_pattern($1, user_fonts_config_t, user_fonts_config_t) ++ ++ read_files_pattern($1, user_fonts_cache_t, user_fonts_cache_t) ++ read_lnk_files_pattern($1, user_fonts_cache_t, user_fonts_cache_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2008-06-12 23:38:02.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-07-15 14:02:52.000000000 -0400 @@ -31895,7 +32083,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi type hwdata_t; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.3.1/policy/modules/system/modutils.if --- nsaserefpolicy/policy/modules/system/modutils.if 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/system/modutils.if 2008-07-15 14:02:52.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/modutils.if 2008-07-25 07:26:45.000000000 -0400 @@ -66,6 +66,25 @@ ######################################## 
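Review bot: The summary of the new `xserver_manage_home_fonts` interface is a copy of the one on `xserver_read_home_fonts`: it says `Read user homedir fonts.` although the body grants manage_dirs/manage_files/manage_lnk_files on user_fonts_t, user_fonts_config_t and user_fonts_cache_t. Change it to `Create, read, write, and delete user homedir fonts, font configuration and font cache.` so that a policy author choosing the interface by its description does not under-estimate the access it grants. The read variant's summary is correct and can stay as is.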
@@ -31922,6 +32110,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti ## Unconditionally execute insmod in the insmod domain. ## ## +@@ -275,6 +294,7 @@ + modutils_domtrans_update_mods($1) + role $2 types update_modules_t; + allow update_modules_t $3:chr_file rw_term_perms; ++ modutils_run_insmod(update_modules_t, $2, $3) + ') + + ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.3.1/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2008-06-12 23:38:01.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/system/modutils.te 2008-07-15 14:02:52.000000000 -0400 @@ -34337,8 +34533,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.3.1/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-07-16 10:25:35.000000000 -0400 -@@ -6,35 +6,71 @@ ++++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-07-29 16:49:30.000000000 -0400 +@@ -6,35 +6,72 @@ # Declarations # @@ -34381,6 +34577,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf +allow system_r unconfined_r; +allow unconfined_r system_r; +init_script_role_transition(unconfined_r) ++role system_r types unconfined_t; type unconfined_execmem_t; type unconfined_execmem_exec_t; 
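Review bot: `role system_r types unconfined_t;` in the unconfined.te hunk makes unconfined_t a valid type for system_r, a widening beyond the role transition rules already present there (`allow system_r unconfined_r;`, `allow unconfined_r system_r;`, `init_script_role_transition(unconfined_r)`) and one the commit message does not mention. A one-line comment stating which path requires it would help future review, e.g. `# unconfined_t must be valid in system_r for <reason — fill in>`; presumably it relates to the init script role transition directly above, but that is inferred. The enclosing declarations block continues outside this hunk.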
@@ -34417,7 +34614,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf libs_run_ldconfig(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) -@@ -42,37 +78,44 @@ +@@ -42,37 +79,44 @@ logging_run_auditctl(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) mount_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t }) @@ -34472,7 +34669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -101,12 +144,24 @@ +@@ -101,12 +145,24 @@ ') optional_policy(` @@ -34497,7 +34694,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -118,11 +173,7 @@ +@@ -118,11 +174,7 @@ ') optional_policy(` @@ -34510,7 +34707,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -134,82 +185,92 @@ +@@ -134,82 +186,92 @@ ') optional_policy(` @@ -34631,7 +34828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') ######################################## -@@ -219,14 +280,36 @@ +@@ -219,14 +281,36 @@ allow unconfined_execmem_t self:process { execstack execmem }; unconfined_domain_noaudit(unconfined_execmem_t) @@ -34688,7 +34885,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-07-17 08:47:14.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-07-29 11:04:46.000000000 -0400 @@ -29,9 +29,14 @@ ') 
@@ -36323,7 +36520,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2809,10 +2872,10 @@ +@@ -2809,20 +2872,20 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` @@ -36336,87 +36533,222 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2844,10 +2907,48 @@ + ## +-## Do not audit attempts to append users ++## Do not audit attempts to write users + ## temporary files. + ## + ## + ##

+-## Do not audit attempts to append users ++## Do not audit attempts to write users + ## temporary files. + ##

+ ##

+@@ -2842,21 +2905,23 @@ + ## + ## # - template(`userdom_dontaudit_append_user_tmp_files',` +-template(`userdom_dontaudit_append_user_tmp_files',` ++template(`userdom_dontaudit_write_user_tmp_files',` gen_require(` - type $1_tmp_t; + type user_tmp_t; -+ ') -+ + ') + +- dontaudit $2 $1_tmp_t:file append; ++ dontaudit $2 user_tmp_t:file write; + ') + + ######################################## + ##

+-## Read and write user temporary files. ++## Do not audit attempts to append users ++## temporary files. + ## + ## + ##

+-## Read and write user temporary files. ++## Do not audit attempts to append users ++## temporary files. + ##

+ ##

+ ## This is a templated interface, and should only +@@ -2871,66 +2936,137 @@ + ## + ## + ##

+-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-template(`userdom_rw_user_tmp_files',` ++template(`userdom_dontaudit_append_user_tmp_files',` + gen_require(` +- type $1_tmp_t; ++ type user_tmp_t; + ') + +- files_search_tmp($2) +- allow $2 $1_tmp_t:dir list_dir_perms; +- rw_files_pattern($2,$1_tmp_t,$1_tmp_t) + dontaudit $2 user_tmp_t:file append; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to manage users +-## temporary files. +## unlink all unprivileged users files in /tmp -+## + ## +-## +-##

+-## Do not audit attempts to manage users +-## temporary files. +-##

+-##

+-## This is a templated interface, and should only +-## be called from a per-userdomain template. +-##

+-##
+-## +-## +-## The prefix of the user domain (e.g., user +-## is the prefix for user_t). +-## +-## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-template(`userdom_dontaudit_manage_user_tmp_files',` ++interface(`userdom_unlink_unpriv_users_tmp_files',` + gen_require(` +- type $1_tmp_t; ++ attribute user_tmpfile; + ') + +- dontaudit $2 $1_tmp_t:file manage_file_perms; ++ files_delete_tmp_dir_entry($1) ++ allow $1 user_tmpfile:file unlink; + ') + + ######################################## + ## +-## Read user +-## temporary symbolic links. ++## Connect to unpriviledged users over an unix stream socket. + ## +-## +-##

+-## Read user +-## temporary symbolic links. +-##

+-##

+## +##

+## Domain allowed access. +## +## +# -+interface(`userdom_unlink_unpriv_users_tmp_files',` ++interface(`userdom_unpriv_users_stream_connect',` + gen_require(` + attribute user_tmpfile; ++ attribute userdomain; + ') + -+ files_delete_tmp_dir_entry($1) -+ allow $1 user_tmpfile:file unlink; ++ stream_connect_pattern($1, user_tmpfile, user_tmpfile, userdomain) +') + +######################################## +## -+## Connect to unpriviledged users over an unix stream socket. ++## Read and write user temporary files. +## ++## ++##

++## Read and write user temporary files. ++##

++##

++## This is a templated interface, and should only ++## be called from a per-userdomain template. ++##

++##
++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## +## +## +## Domain allowed access. +## +## +# -+interface(`userdom_unpriv_users_stream_connect',` ++template(`userdom_rw_user_tmp_files',` + gen_require(` -+ attribute user_tmpfile; -+ attribute userdomain; - ') - -- dontaudit $2 $1_tmp_t:file append; -+ stream_connect_pattern($1, user_tmpfile, user_tmpfile, userdomain) - ') - - ######################################## -@@ -2877,12 +2978,12 @@ - # - template(`userdom_rw_user_tmp_files',` - gen_require(` -- type $1_tmp_t; + type user_tmp_t; - ') - - files_search_tmp($2) -- allow $2 $1_tmp_t:dir list_dir_perms; -- rw_files_pattern($2,$1_tmp_t,$1_tmp_t) ++ ') ++ ++ files_search_tmp($2) + allow $2 user_tmp_t:dir list_dir_perms; + rw_files_pattern($2,user_tmp_t,user_tmp_t) - ') - - ######################################## -@@ -2914,10 +3015,10 @@ - # - template(`userdom_dontaudit_manage_user_tmp_files',` - gen_require(` -- type $1_tmp_t; ++') ++ ++######################################## ++## ++## Do not audit attempts to manage users ++## temporary files. ++## ++## ++##

++## Do not audit attempts to manage users ++## temporary files. ++##

++##

++## This is a templated interface, and should only ++## be called from a per-userdomain template. ++##

++##
++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++template(`userdom_dontaudit_manage_user_tmp_files',` ++ gen_require(` + type user_tmp_t; - ') - -- dontaudit $2 $1_tmp_t:file manage_file_perms; ++ ') ++ + dontaudit $2 user_tmp_t:file manage_file_perms; - ') - - ######################################## -@@ -2949,12 +3050,12 @@ ++') ++ ++######################################## ++## ++## Read user ++## temporary symbolic links. ++## ++## ++##

++## Read user ++## temporary symbolic links. ++##

++##

+ ## This is a templated interface, and should only + ## be called from a per-userdomain template. + ##

+@@ -2949,12 +3085,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` @@ -36432,7 +36764,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2986,11 +3087,11 @@ +@@ -2986,11 +3122,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` @@ -36446,7 +36778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3022,11 +3123,11 @@ +@@ -3022,11 +3158,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` @@ -36460,7 +36792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3058,11 +3159,11 @@ +@@ -3058,11 +3194,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` @@ -36474,7 +36806,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3094,11 +3195,11 @@ +@@ -3094,11 +3230,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -36488,7 +36820,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3130,11 +3231,11 @@ +@@ -3130,11 +3266,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` @@ -36502,7 +36834,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3179,10 +3280,10 @@ +@@ -3179,10 +3315,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` @@ -36515,7 +36847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($2) ') -@@ -3223,10 +3324,10 @@ +@@ -3223,10 +3359,10 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` 
@@ -36528,56 +36860,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3254,24 +3355,24 @@ +@@ -3254,6 +3390,42 @@ ## ## # --template(`userdom_rw_user_tmpfs_files',` +template(`userdom_read_user_tmpfs_files',` - gen_require(` - type $1_tmpfs_t; - ') - - fs_search_tmpfs($2) - allow $2 $1_tmpfs_t:dir list_dir_perms; -- rw_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t) -+ read_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t) - read_lnk_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t) - ') - - ######################################## - ## --## List users untrusted directories. -+## Read/write user tmpfs files. - ## - ## - ##

--## List users untrusted directories. -+## Read/write user tmpfs files. - ##

- ##

- ## This is a templated interface, and should only -@@ -3290,12 +3391,84 @@ - ## - ## - # --template(`userdom_list_user_untrusted_content',` -+template(`userdom_rw_user_tmpfs_files',` - gen_require(` -- type $1_untrusted_content_t; ++ gen_require(` + type $1_tmpfs_t; - ') - -- allow $2 $1_untrusted_content_t:dir list_dir_perms; ++ ') ++ + fs_search_tmpfs($2) + allow $2 $1_tmpfs_t:dir list_dir_perms; -+ rw_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t) ++ read_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t) + read_lnk_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t) +') + +######################################## +##

-+## Unlink user tmpfs files. ++## Read/write user tmpfs files. +## +## +##

@@ -36600,24 +36900,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +## +## +# -+template(`userdom_delete_user_tmpfs_files',` -+ gen_require(` -+ type $1_tmpfs_t; -+ ') -+ -+ fs_search_tmpfs($2) -+ allow $2 $1_tmpfs_t:dir list_dir_perms; -+ delete_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t) -+ read_lnk_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t) -+') -+ -+######################################## -+##

-+## List users untrusted directories. + template(`userdom_rw_user_tmpfs_files',` + gen_require(` + type $1_tmpfs_t; +@@ -3267,6 +3439,42 @@ + + ######################################## + ## ++## Unlink user tmpfs files. +## +## +##

-+## List users untrusted directories. ++## Read/write user tmpfs files. +##

+##

+## This is a templated interface, and should only @@ -36636,16 +36930,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +##

+## +# -+template(`userdom_list_user_untrusted_content',` ++template(`userdom_delete_user_tmpfs_files',` + gen_require(` -+ type $1_untrusted_content_t; ++ type $1_tmpfs_t; + ') + -+ allow $2 $1_untrusted_content_t:dir list_dir_perms; - ') - - ######################################## -@@ -3962,6 +4135,24 @@ ++ fs_search_tmpfs($2) ++ allow $2 $1_tmpfs_t:dir list_dir_perms; ++ delete_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t) ++ read_lnk_files_pattern($2,$1_tmpfs_t,$1_tmpfs_t) ++') ++ ++######################################## ++## + ## List users untrusted directories. + ## + ## +@@ -3962,6 +4170,24 @@ ######################################## ## @@ -36670,7 +36971,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Manage unpriviledged user SysV shared ## memory segments. ## -@@ -4231,11 +4422,11 @@ +@@ -4231,11 +4457,11 @@ # interface(`userdom_search_staff_home_dirs',` gen_require(` @@ -36684,7 +36985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4251,10 +4442,10 @@ +@@ -4251,10 +4477,10 @@ # interface(`userdom_dontaudit_search_staff_home_dirs',` gen_require(` @@ -36697,7 +36998,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4270,11 +4461,11 @@ +@@ -4270,11 +4496,11 @@ # interface(`userdom_manage_staff_home_dirs',` gen_require(` @@ -36711,7 +37012,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4289,16 +4480,16 @@ +@@ -4289,16 +4515,16 @@ # interface(`userdom_relabelto_staff_home_dirs',` gen_require(` @@ -36731,7 +37032,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## users home directory. ## ## -@@ -4307,12 +4498,35 @@ +@@ -4307,12 +4533,35 @@ ## ## # 
@@ -36770,7 +37071,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4327,13 +4541,13 @@ +@@ -4327,13 +4576,13 @@ # interface(`userdom_read_staff_home_content_files',` gen_require(` @@ -36788,7 +37089,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4531,10 +4745,10 @@ +@@ -4531,10 +4780,10 @@ # interface(`userdom_getattr_sysadm_home_dirs',` gen_require(` @@ -36801,7 +37102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4551,10 +4765,10 @@ +@@ -4551,10 +4800,10 @@ # interface(`userdom_dontaudit_getattr_sysadm_home_dirs',` gen_require(` @@ -36814,7 +37115,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4569,10 +4783,10 @@ +@@ -4569,10 +4818,10 @@ # interface(`userdom_search_sysadm_home_dirs',` gen_require(` @@ -36827,7 +37128,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4588,10 +4802,10 @@ +@@ -4588,10 +4837,10 @@ # interface(`userdom_dontaudit_search_sysadm_home_dirs',` gen_require(` @@ -36840,7 +37141,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4606,10 +4820,10 @@ +@@ -4606,10 +4855,10 @@ # interface(`userdom_list_sysadm_home_dirs',` gen_require(` @@ -36853,7 +37154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4625,10 +4839,10 @@ +@@ -4625,10 +4874,10 @@ # interface(`userdom_dontaudit_list_sysadm_home_dirs',` gen_require(` 
@@ -36866,17 +37167,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4644,12 +4858,29 @@ +@@ -4644,12 +4893,29 @@ # interface(`userdom_dontaudit_read_sysadm_home_content_files',` gen_require(` - type sysadm_home_dir_t, sysadm_home_t; + type admin_home_t; - ') - -- dontaudit $1 sysadm_home_dir_t:dir search_dir_perms; -- dontaudit $1 sysadm_home_t:dir search_dir_perms; -- dontaudit $1 sysadm_home_t:file read_file_perms; ++ ') ++ + dontaudit $1 admin_home_t:dir search_dir_perms; + dontaudit $1 admin_home_t:file read_file_perms; +') @@ -36894,13 +37192,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +interface(`userdom_dontaudit_read_sysadm_home_sym_links',` + gen_require(` + type admin_home_t; -+ ') -+ + ') + +- dontaudit $1 sysadm_home_dir_t:dir search_dir_perms; +- dontaudit $1 sysadm_home_t:dir search_dir_perms; +- dontaudit $1 sysadm_home_t:file read_file_perms; + dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms; ') ######################################## -@@ -4676,10 +4907,10 @@ +@@ -4676,10 +4942,10 @@ # interface(`userdom_sysadm_home_dir_filetrans',` gen_require(` @@ -36913,7 +37214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4694,10 +4925,10 @@ +@@ -4694,10 +4960,10 @@ # interface(`userdom_search_sysadm_home_content_dirs',` gen_require(` @@ -36926,7 +37227,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4712,13 +4943,13 @@ +@@ -4712,13 +4978,13 @@ # interface(`userdom_read_sysadm_home_content_files',` gen_require(` 
@@ -36944,7 +37245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4754,11 +4985,49 @@ +@@ -4754,11 +5020,49 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -36995,7 +37296,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4778,6 +5047,14 @@ +@@ -4778,6 +5082,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -37010,7 +37311,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4815,6 +5092,8 @@ +@@ -4815,6 +5127,8 @@ ') dontaudit $1 { home_dir_type home_type }:dir search_dir_perms; @@ -37019,11 +37320,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4839,6 +5118,26 @@ +@@ -4839,7 +5153,7 @@ ######################################## ## +-## Create, read, write, and delete all directories +## delete all directories + ## in all users home directories. + ## + ## +@@ -4848,18 +5162,57 @@ + ## + ## + # +-interface(`userdom_manage_all_users_home_content_dirs',` ++interface(`userdom_delete_all_users_home_content_dirs',` + gen_require(` + attribute home_type; + ') + + files_list_home($1) +- allow $1 home_type:dir manage_dir_perms; ++ delete_dirs_pattern($1, home_type, home_type) + ') + + ######################################## + ## +-## Create, read, write, and delete all files ++## Create, read, write, and delete all directories +## in all users home directories. +## +## 
@@ -37032,24 +37356,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +## +## +# -+interface(`userdom_delete_all_users_home_content_dirs',` ++interface(`userdom_manage_all_users_home_content_dirs',` + gen_require(` + attribute home_type; + ') + + files_list_home($1) -+ delete_dirs_pattern($1, home_type, home_type) ++ allow $1 home_type:dir manage_dir_perms; +') + +######################################## +## - ## Create, read, write, and delete all directories - ## in all users home directories. - ## -@@ -4859,6 +5158,25 @@ - - ######################################## - ## +## Delete all files +## in all users home directories. +## @@ -37069,10 +37386,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + +######################################## +## - ## Create, read, write, and delete all files ++## Create, read, write, and delete all files ## in all users home directories. ## -@@ -4879,6 +5197,26 @@ + ## +@@ -4879,6 +5232,26 @@ ######################################## ## @@ -37099,7 +37417,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all symlinks ## in all users home directories. ## -@@ -5115,7 +5453,7 @@ +@@ -5115,7 +5488,7 @@ # interface(`userdom_relabelto_generic_user_home_dirs',` gen_require(` 
@@ -37108,29 +37426,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_search_home($1) -@@ -5304,8 +5642,8 @@ +@@ -5304,6 +5677,63 @@ ######################################## ## --## Create, read, write, and delete directories in --## unprivileged users home directories. +## append all unprivileged users home directory +## files. - ## - ## - ## -@@ -5313,19 +5651,26 @@ - ## - ## - # --interface(`userdom_manage_unpriv_users_home_content_dirs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`userdom_append_unpriv_users_home_content_files',` - gen_require(` - attribute user_home_dir_type, user_home_type; - ') - - files_search_home($1) -- manage_dirs_pattern($1,{ user_home_dir_type user_home_type },user_home_type) ++ gen_require(` ++ attribute user_home_dir_type, user_home_type; ++ ') ++ ++ files_search_home($1) + allow $1 user_home_type:dir list_dir_perms; + append_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type) + tunable_policy(`use_nfs_home_dirs',` 
@@ -37139,95 +37453,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + tunable_policy(`use_samba_home_dirs',` + fs_append_cifs_files($1) + ') - ') - - ######################################## - ## --## Create, read, write, and delete files in --## unprivileged users home directories. -+## dontaudit Read all unprivileged users home directory -+## files. - ## - ## - ## -@@ -5333,18 +5678,29 @@ - ## - ## - # --interface(`userdom_manage_unpriv_users_home_content_files',` -+interface(`userdom_dontaudit_read_unpriv_users_home_content_files',` - gen_require(` - attribute user_home_dir_type, user_home_type; - ') - - files_search_home($1) -- manage_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type) -+ dontaudit $1 user_home_type:dir list_dir_perms; -+ dontaudit $1 user_home_type:file read_file_perms; -+ dontaudit $1 user_home_type:file read_lnk_file_perms; -+ -+ tunable_policy(`use_nfs_home_dirs',` -+ fs_dontaudit_read_nfs_files($1) -+ ') -+ -+ tunable_policy(`use_samba_home_dirs',` -+ fs_dontaudit_read_cifs_files($1) -+ ') - ') - - ######################################## - ## --## Set the attributes of user ptys. -+## Create, read, write, and delete directories in -+## unprivileged users home directories. - ## - ## - ## -@@ -5352,17 +5708,19 @@ - ## - ## - # --interface(`userdom_setattr_unpriv_users_ptys',` -+interface(`userdom_manage_unpriv_users_home_content_dirs',` - gen_require(` -- attribute user_ptynode; -+ attribute user_home_dir_type, user_home_type; - ') - -- allow $1 user_ptynode:chr_file setattr; -+ files_search_home($1) -+ manage_dirs_pattern($1,{ user_home_dir_type user_home_type },user_home_type) - ') - - ######################################## - ## --## Read and write unprivileged user ptys. -+## Create, read, write, and delete files in -+## unprivileged users home directories. 
- ## - ## - ## -@@ -5370,14 +5728,51 @@ - ## - ## - # --interface(`userdom_use_unpriv_users_ptys',` -+interface(`userdom_manage_unpriv_users_home_content_files',` - gen_require(` -- attribute user_ptynode; -+ attribute user_home_dir_type, user_home_type; - ') - -- term_search_ptys($1) -- allow $1 user_ptynode:chr_file rw_file_perms; --') -+ files_search_home($1) -+ manage_files_pattern($1,{ user_home_dir_type user_home_type },user_home_type) +') + +######################################## +## -+## Set the attributes of user ptys. ++## dontaudit Read all unprivileged users home directory ++## files. +## +## +## @@ -37235,36 +37466,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +## +## +# -+interface(`userdom_setattr_unpriv_users_ptys',` ++interface(`userdom_dontaudit_read_unpriv_users_home_content_files',` + gen_require(` -+ attribute user_ptynode; ++ attribute user_home_dir_type, user_home_type; + ') + -+ allow $1 user_ptynode:chr_file setattr; -+') ++ files_search_home($1) ++ dontaudit $1 user_home_type:dir list_dir_perms; ++ dontaudit $1 user_home_type:file read_file_perms; ++ dontaudit $1 user_home_type:file read_lnk_file_perms; + -+######################################## -+## -+## Read and write unprivileged user ptys. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_use_unpriv_users_ptys',` -+ gen_require(` -+ attribute user_ptynode; ++ tunable_policy(`use_nfs_home_dirs',` ++ fs_dontaudit_read_nfs_files($1) + ') + -+ term_search_ptys($1) -+ allow $1 user_ptynode:chr_file rw_file_perms; ++ tunable_policy(`use_samba_home_dirs',` ++ fs_dontaudit_read_cifs_files($1) ++ ') +') - - ######################################## - ## -@@ -5509,6 +5904,43 @@ ++ ++######################################## ++## + ## Create, read, write, and delete directories in + ## unprivileged users home directories. + ## +@@ -5509,6 +5939,43 @@ ######################################## ## 
@@ -37308,7 +37534,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Read and write unprivileged user ttys. ## ## -@@ -5559,7 +5991,7 @@ +@@ -5559,7 +6026,7 @@ attribute userdomain; ') @@ -37317,7 +37543,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_search_proc($1) ') -@@ -5674,6 +6106,42 @@ +@@ -5674,6 +6141,42 @@ ######################################## ## @@ -37360,7 +37586,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5704,3 +6172,408 @@ +@@ -5704,3 +6207,408 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -39077,14 +39303,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.i +## Policy for staff user diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.3.1/policy/modules/users/staff.te --- nsaserefpolicy/policy/modules/users/staff.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/users/staff.te 2008-07-15 14:02:52.000000000 -0400 -@@ -0,0 +1,29 @@ ++++ serefpolicy-3.3.1/policy/modules/users/staff.te 2008-07-29 16:29:56.000000000 -0400 +@@ -0,0 +1,30 @@ +policy_module(staff,1.0.1) +userdom_admin_login_user_template(staff) + +# only staff_r can change to sysadm_r +userdom_role_change_template(staff, sysadm) +userdom_dontaudit_use_sysadm_terms(staff_t) ++domain_dontaudit_ptrace_all_domains(staff_t) + +kernel_read_ring_buffer(staff_t) + 
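Review bot: `domain_dontaudit_ptrace_all_domains(staff_t)` in staff.te silences ptrace denials against every domain, not just the one producing the noise, so a staff session that later tries to attach to another domain's process leaves no AVC record to investigate. The commit message says only that the denials are dontaudited; neither it nor the new line records which application triggers them, so a later maintainer cannot tell whether the rule can be narrowed. Following the style of the neighbouring `# only staff_r can change to sysadm_r` comment, I would add `# ptrace denials come from <TODO: name the triggering application>` above the new line. If the trigger is a single helper, a domain-specific dontaudit would keep the audit trail for the remaining domains.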
@@ -39207,8 +39434,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest. +## Policy for xguest user diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.te serefpolicy-3.3.1/policy/modules/users/xguest.te --- nsaserefpolicy/policy/modules/users/xguest.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/users/xguest.te 2008-07-16 07:34:06.000000000 -0400 -@@ -0,0 +1,70 @@ ++++ serefpolicy-3.3.1/policy/modules/users/xguest.te 2008-07-29 15:24:16.000000000 -0400 +@@ -0,0 +1,69 @@ +policy_module(xguest,1.0.1) + +## @@ -39278,7 +39505,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest. + bluetooth_dbus_chat(xguest_t) + ') +') -+ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/file_patterns.spt serefpolicy-3.3.1/policy/support/file_patterns.spt --- nsaserefpolicy/policy/support/file_patterns.spt 2008-06-12 23:38:01.000000000 -0400 +++ serefpolicy-3.3.1/policy/support/file_patterns.spt 2008-07-15 14:02:52.000000000 -0400 diff --git a/selinux-policy.spec b/selinux-policy.spec index a7a0fa7..dda05a5 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.3.1 -Release: 80%{?dist} +Release: 81%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -386,6 +386,11 @@ exit 0 %endif %changelog +* Tue Jul 29 2008 Dan Walsh 3.3.1-81 +- Add boolean httpd_execmem +- Add dontaudit for leaky pam_nssldap +- Dontaudit ptrace of domains for staff_t + * Thu Jul 24 2008 Dan Walsh 3.3.1-80 - Allow system_crond_t to restart init scripts - Allow dnsmasq to bind to any udp port