From fba8fcfac7ce103ee77a59a130d1e7c5d733d223 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Nov 13 2008 23:48:05 +0000 Subject: - Change default boolean settings for xguest - Allow mount to r/w image files - Fix labes for several libraries that need textrel_shlib_t - portreserve needs to be able to sendrecv unlabeled_t - Fix Kerberos labeling - Fix cups printing on hp printers - Allow relabeling on blk devices on the homedir - Allow nslpugin to r/w inodefs --- diff --git a/policy-20080710.patch b/policy-20080710.patch index 1a4a3d3..63bca70 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -124,6 +124,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con @@ -1 +1 @@ -sysadm_r:sysadm_t:s0 +system_r:unconfined_t:s0 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts serefpolicy-3.5.13/config/appconfig-mcs/guest_u_default_contexts +--- nsaserefpolicy/config/appconfig-mcs/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/config/appconfig-mcs/guest_u_default_contexts 2008-11-11 16:22:02.000000000 -0500 +@@ -0,0 +1,6 @@ ++system_r:local_login_t:s0 guest_r:guest_t:s0 ++system_r:remote_login_t:s0 guest_r:guest_t:s0 ++system_r:sshd_t:s0 guest_r:guest_t:s0 ++system_r:crond_t:s0 guest_r:guest_t:s0 ++system_r:initrc_su_t:s0 guest_r:guest_t:s0 ++guest_r:guest_t:s0 guest_r:guest_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/root_default_contexts serefpolicy-3.5.13/config/appconfig-mcs/root_default_contexts --- nsaserefpolicy/config/appconfig-mcs/root_default_contexts 2008-10-17 08:49:10.000000000 -0400 +++ serefpolicy-3.5.13/config/appconfig-mcs/root_default_contexts 2008-11-11 16:22:02.000000000 -0500 @@ -198,6 +208,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con 
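Review bot: The new appconfig-mcs guest_u_default_contexts maps `system_r:crond_t:s0` to `guest_r:guest_t:s0`, while the appconfig-standard guest file added further down in this commit maps `system_r:crond_t` to `guest_r:guest_crond_t` (and the standard xguest file to `xguest_r:xguest_crond_t`). Either the MCS and MLS files silently drop a separate cron-job domain, or the standard files name a type that none of the visible hunks declares; whichever is intended, the variants of one file should agree, e.g. `system_r:crond_t:s0 guest_r:guest_t:s0` everywhere if no guest_crond_t exists. The same mismatch applies to the appconfig-mls guest file and the appconfig-standard guest and xguest files in the later hunks of this section.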
@@ -1 +1 @@ -system_u:sysadm_r:sysadm_t:s0 +system_u:system_r:unconfined_t:s0 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.5.13/config/appconfig-mcs/xguest_u_default_contexts +--- nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/config/appconfig-mcs/xguest_u_default_contexts 2008-11-11 16:22:02.000000000 -0500 +@@ -0,0 +1,7 @@ ++system_r:local_login_t xguest_r:xguest_t:s0 ++system_r:remote_login_t xguest_r:xguest_t:s0 ++system_r:sshd_t xguest_r:xguest_t:s0 ++system_r:crond_t xguest_r:xguest_t:s0 ++system_r:xdm_t xguest_r:xguest_t:s0 ++system_r:initrc_su_t:s0 xguest_r:xguest_t:s0 ++xguest_r:xguest_t:s0 xguest_r:xguest_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/default_contexts serefpolicy-3.5.13/config/appconfig-mls/default_contexts --- nsaserefpolicy/config/appconfig-mls/default_contexts 2008-10-17 08:49:10.000000000 -0400 +++ serefpolicy-3.5.13/config/appconfig-mls/default_contexts 2008-11-11 16:22:02.000000000 -0500 
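Review bot: In the new appconfig-mcs xguest_u_default_contexts the first five source contexts (`system_r:local_login_t`, `remote_login_t`, `sshd_t`, `crond_t`, `xdm_t`) carry no level, while the `system_r:initrc_su_t:s0` line in the same file and every line of the guest_u file in the previous hunk do. Whether the context matcher tolerates a missing level on the source side is not shown here, but the file is inconsistent with itself and with its neighbour; write every left-hand entry in the same form, e.g. `system_r:local_login_t:s0 xguest_r:xguest_t:s0`. The appconfig-mls xguest file added two hunks below has the identical mix and should be fixed the same way.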
@@ -222,6 +243,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con -user_r:user_su_t:s0 user_r:user_t:s0 staff_r:staff_t:s0 sysadm_r:sysadm_t:s0 -user_r:user_sudo_t:s0 sysadm_r:sysadm_t:s0 user_r:user_t:s0 +system_r:xdm_t:s0 user_r:user_t:s0 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts serefpolicy-3.5.13/config/appconfig-mls/guest_u_default_contexts +--- nsaserefpolicy/config/appconfig-mls/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/config/appconfig-mls/guest_u_default_contexts 2008-11-11 16:22:02.000000000 -0500 +@@ -0,0 +1,4 @@ ++system_r:local_login_t:s0 guest_r:guest_t:s0 ++system_r:remote_login_t:s0 guest_r:guest_t:s0 ++system_r:sshd_t:s0 guest_r:guest_t:s0 ++system_r:crond_t:s0 guest_r:guest_t:s0 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/root_default_contexts serefpolicy-3.5.13/config/appconfig-mls/root_default_contexts --- nsaserefpolicy/config/appconfig-mls/root_default_contexts 2008-10-17 08:49:10.000000000 -0400 +++ serefpolicy-3.5.13/config/appconfig-mls/root_default_contexts 2008-11-11 16:22:02.000000000 -0500 
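Review bot: The appconfig-mls guest_u_default_contexts stops after `crond_t`, omitting the `system_r:initrc_su_t:s0` and `guest_r:guest_t:s0 guest_r:guest_t:s0` entries that both the MCS guest file in the first hunk and the MLS xguest file in the next hunk carry, so default-context selection for those two transitions differs between the otherwise parallel files. If the omission is deliberate it should be called out in the commit message; otherwise add the two missing lines so the MLS guest file matches its MCS counterpart.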
@@ -267,6 +296,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con system_r:xdm_t:s0 user_r:user_t:s0 user_r:user_su_t:s0 user_r:user_t:s0 user_r:user_sudo_t:s0 user_r:user_t:s0 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mls/xguest_u_default_contexts serefpolicy-3.5.13/config/appconfig-mls/xguest_u_default_contexts +--- nsaserefpolicy/config/appconfig-mls/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/config/appconfig-mls/xguest_u_default_contexts 2008-11-11 16:22:02.000000000 -0500 +@@ -0,0 +1,7 @@ ++system_r:local_login_t xguest_r:xguest_t:s0 ++system_r:remote_login_t xguest_r:xguest_t:s0 ++system_r:sshd_t xguest_r:xguest_t:s0 ++system_r:crond_t xguest_r:xguest_t:s0 ++system_r:xdm_t xguest_r:xguest_t:s0 ++system_r:initrc_su_t:s0 xguest_r:xguest_t:s0 ++xguest_r:xguest_t:s0 xguest_r:xguest_t:s0 +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts serefpolicy-3.5.13/config/appconfig-standard/guest_u_default_contexts +--- nsaserefpolicy/config/appconfig-standard/guest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/config/appconfig-standard/guest_u_default_contexts 2008-11-11 16:22:02.000000000 -0500 +@@ -0,0 +1,4 @@ ++system_r:local_login_t guest_r:guest_t ++system_r:remote_login_t guest_r:guest_t ++system_r:sshd_t guest_r:guest_t ++system_r:crond_t guest_r:guest_crond_t diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/root_default_contexts serefpolicy-3.5.13/config/appconfig-standard/root_default_contexts --- nsaserefpolicy/config/appconfig-standard/root_default_contexts 2008-10-17 08:49:10.000000000 -0400 +++ serefpolicy-3.5.13/config/appconfig-standard/root_default_contexts 2008-11-11 16:22:02.000000000 -0500 
@@ -307,6 +355,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/con system_r:xdm_t user_r:user_t user_r:user_su_t user_r:user_t user_r:user_sudo_t user_r:user_t +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts serefpolicy-3.5.13/config/appconfig-standard/xguest_u_default_contexts +--- nsaserefpolicy/config/appconfig-standard/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/config/appconfig-standard/xguest_u_default_contexts 2008-11-11 16:22:02.000000000 -0500 +@@ -0,0 +1,5 @@ ++system_r:local_login_t xguest_r:xguest_t ++system_r:remote_login_t xguest_r:xguest_t ++system_r:sshd_t xguest_r:xguest_t ++system_r:crond_t xguest_r:xguest_crond_t ++system_r:xdm_t xguest_r:xguest_t diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/samba_selinux.8 serefpolicy-3.5.13/man/man8/samba_selinux.8 --- nsaserefpolicy/man/man8/samba_selinux.8 2008-10-17 08:49:10.000000000 -0400 +++ serefpolicy-3.5.13/man/man8/samba_selinux.8 2008-11-13 08:44:53.000000000 -0500 @@ -419,12 +476,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.5.13/policy/modules/admin/certwatch.te --- nsaserefpolicy/policy/modules/admin/certwatch.te 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/admin/certwatch.te 2008-11-11 16:22:02.000000000 -0500 -@@ -27,6 +27,8 @@ ++++ serefpolicy-3.5.13/policy/modules/admin/certwatch.te 2008-11-13 18:30:48.000000000 -0500 +@@ -27,6 +27,9 @@ fs_list_inotifyfs(certwatch_t) -+auth_rw_cache(certwatch_t) ++auth_manage_cache(certwatch_t) ++auth_filetrans_cache(certwatch_t) + libs_use_ld_so(certwatch_t) libs_use_shared_libs(certwatch_t) 
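Review bot: Replacing `auth_rw_cache(certwatch_t)` with `auth_manage_cache(certwatch_t)` plus `auth_filetrans_cache(certwatch_t)` lets certwatch create, rename and delete entries in the auth cache rather than only rewrite existing files, and the hunk gives no hint why the wider access is needed. The commit subject's "Fix Kerberos labeling" is presumably the motivation, so a one-line comment above the two calls, such as `# certwatch replaces auth cache entries rather than rewriting them in place`, would keep the widening reviewable for whoever tightens this domain later. The rest of certwatch.te is outside the hunk.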
@@ -3116,6 +3174,102 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + xserver_rw_xdm_xserver_shm(java_t) +') + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.fc serefpolicy-3.5.13/policy/modules/apps/livecd.fc +--- nsaserefpolicy/policy/modules/apps/livecd.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/apps/livecd.fc 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,2 @@ ++ ++/usr/bin/livecd-creator -- gen_context(system_u:object_r:livecd_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.if serefpolicy-3.5.13/policy/modules/apps/livecd.if +--- nsaserefpolicy/policy/modules/apps/livecd.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/apps/livecd.if 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,56 @@ ++ ++## policy for livecd ++ ++######################################## ++## ++## Execute a domain transition to run livecd. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`livecd_domtrans',` ++ gen_require(` ++ type livecd_t; ++ type livecd_exec_t; ++ ') ++ ++ domtrans_pattern($1, livecd_exec_t, livecd_t) ++') ++ ++ ++######################################## ++## ++## Execute livecd in the livecd domain, and ++## allow the specified role the livecd domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the livecd domain. ++## ++## ++## ++## ++## The type of the role's terminal. 
++## ++## ++# ++interface(`livecd_run',` ++ gen_require(` ++ type livecd_t; ++ ') ++ ++ livecd_domtrans($1) ++ role $2 types livecd_t; ++ allow livecd_t $3:chr_file rw_term_perms; ++ ++ seutil_run_setfiles_mac(livecd_t, $2, $3) ++') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/livecd.te serefpolicy-3.5.13/policy/modules/apps/livecd.te +--- nsaserefpolicy/policy/modules/apps/livecd.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/apps/livecd.te 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,26 @@ ++policy_module(livecd, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type livecd_t; ++type livecd_exec_t; ++application_domain(livecd_t, livecd_exec_t) ++role system_r types livecd_t; ++ ++######################################## ++# ++# livecd local policy ++# ++dontaudit livecd_t self:capability2 mac_admin; ++ ++unconfined_domain_noaudit(livecd_t) ++domain_ptrace_all_domains(livecd_t) ++ ++optional_policy(` ++ hal_dbus_chat(livecd_t) ++') ++ ++seutil_domtrans_setfiles_mac(livecd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/loadkeys.te serefpolicy-3.5.13/policy/modules/apps/loadkeys.te --- nsaserefpolicy/policy/modules/apps/loadkeys.te 2008-10-17 08:49:14.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/apps/loadkeys.te 2008-11-11 16:22:03.000000000 -0500 
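Review bot: livecd.te declares `livecd_t` with `unconfined_domain_noaudit(livecd_t)` and additionally grants `domain_ptrace_all_domains(livecd_t)` and dontaudits `self:capability2 mac_admin`, with nothing in the file saying why an image builder needs ptrace over every domain on the host or which operation the mac_admin suppression covers. A maintainer who later tries to confine this domain cannot tell which of the three is load-bearing, so a short comment block above them is warranted, e.g. `# livecd-creator executes arbitrary tools inside the image chroot (hence unconfined);` and `# relabeling is delegated to setfiles via seutil_domtrans_setfiles_mac, so mac_admin is only dontaudited here` — the second part is inferred from the `seutil_domtrans_setfiles_mac(livecd_t)` call and should be confirmed. In livecd.if, `livecd_run` adds `role $2 types livecd_t` on top of the `role system_r types livecd_t` already in the .te; that is fine, but the interface summary should say it is meant for interactive roles so the duplication is not mistaken for a bug.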
@@ -3992,140 +4146,76 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +type mplayer_home_t alias user_mplayer_rw_t; +userdom_user_home_content(user, mplayer_home_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.fc serefpolicy-3.5.13/policy/modules/apps/podsleuth.fc ---- nsaserefpolicy/policy/modules/apps/podsleuth.fc 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/podsleuth.fc 2008-11-11 16:22:03.000000000 -0500 -@@ -1,2 +1,4 @@ - - /usr/bin/podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0) -+/usr/libexec/hal-podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0) -+/var/cache/podsleuth(/.*)? gen_context(system_u:object_r:podsleuth_cache_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.if serefpolicy-3.5.13/policy/modules/apps/podsleuth.if ---- nsaserefpolicy/policy/modules/apps/podsleuth.if 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/podsleuth.if 2008-11-11 16:22:03.000000000 -0500 -@@ -16,4 +16,38 @@ - ') - - domtrans_pattern($1, podsleuth_exec_t, podsleuth_t) -+ allow $1 podsleuth_t:process signal; - ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.5.13/policy/modules/apps/nsplugin.fc +--- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.fc 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,11 @@ ++ ++/usr/bin/nspluginscan -- gen_context(system_u:object_r:nsplugin_exec_t,s0) ++/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0) ++/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0) ++/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? 
gen_context(system_u:object_r:nsplugin_rw_t,s0) ++ ++HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) ++HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) ++HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:nsplugin_home_t,s0) ++HOME_DIR/\.config/totem(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) ++HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.5.13/policy/modules/apps/nsplugin.if +--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.if 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,297 @@ + ++## policy for nsplugin + +######################################## +## -+## Execute podsleuth in the podsleuth domain, and -+## allow the specified role the podsleuth domain. ++## Create, read, write, and delete ++## nsplugin rw files. +## +## +## -+## Domain allowed access -+## -+## -+## -+## -+## The role to be allowed the podsleuth domain. ++## Domain allowed access. +## +## -+## ++# ++interface(`nsplugin_manage_rw_files',` ++ gen_require(` ++ type nsplugin_rw_t; ++ ') ++ ++ allow $1 nsplugin_rw_t:file manage_file_perms; ++ allow $1 nsplugin_rw_t:dir rw_dir_perms; ++') ++ ++######################################## ++## ++## Manage nsplugin rw files. ++## ++## +## -+## The type of the role's terminal. ++## Domain allowed access. 
+## +## +# -+interface(`podsleuth_run',` ++interface(`nsplugin_manage_rw',` + gen_require(` -+ type podsleuth_t; ++ type nsplugin_rw_t; + ') + -+ podsleuth_domtrans($1) -+ role $2 types podsleuth_t; -+ dontaudit podsleuth_t $3:chr_file rw_term_perms; ++ manage_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t) ++ manage_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) ++ manage_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.5.13/policy/modules/apps/podsleuth.te ---- nsaserefpolicy/policy/modules/apps/podsleuth.te 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/podsleuth.te 2008-11-11 16:22:03.000000000 -0500 -@@ -11,24 +11,55 @@ - application_domain(podsleuth_t, podsleuth_exec_t) - role system_r types podsleuth_t; - -+type podsleuth_tmp_t; -+files_tmp_file(podsleuth_tmp_t) -+ -+type podsleuth_cache_t; -+files_type(podsleuth_cache_t) -+ - ######################################## - # - # podsleuth local policy - # -- --allow podsleuth_t self:process { signal getsched execheap execmem }; -+allow podsleuth_t self:capability { sys_admin sys_rawio }; -+allow podsleuth_t self:process { ptrace signal getsched execheap execmem }; - allow podsleuth_t self:fifo_file rw_file_perms; - allow podsleuth_t self:unix_stream_socket create_stream_socket_perms; -+allow podsleuth_t self:sem create_sem_perms; -+allow podsleuth_t self:tcp_socket create_stream_socket_perms; -+allow podsleuth_t self:udp_socket create_socket_perms; - - kernel_read_system_state(podsleuth_t) - -+corecmd_exec_bin(podsleuth_t) -+corenet_tcp_connect_http_port(podsleuth_t) -+ - dev_read_urand(podsleuth_t) - - files_read_etc_files(podsleuth_t) - -+fs_mount_dos_fs(podsleuth_t) -+fs_unmount_dos_fs(podsleuth_t) -+fs_getattr_dos_fs(podsleuth_t) -+fs_read_dos_files(podsleuth_t) -+fs_search_dos(podsleuth_t) -+ -+allow podsleuth_t podsleuth_tmp_t:dir mounton; 
-+manage_files_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t) -+files_tmp_filetrans(podsleuth_t, podsleuth_tmp_t, { file dir }) -+manage_dirs_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t) -+ -+manage_dirs_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t) -+manage_files_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t) -+files_var_filetrans(podsleuth_t, podsleuth_cache_t, { file dir }) -+ -+storage_raw_rw_fixed_disk(podsleuth_t) -+ - libs_use_ld_so(podsleuth_t) - libs_use_shared_libs(podsleuth_t) - -+sysnet_dns_name_resolve(podsleuth_t) -+ - miscfiles_read_localization(podsleuth_t) - - dbus_system_bus_client_template(podsleuth, podsleuth_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.5.13/policy/modules/apps/qemu.fc ---- nsaserefpolicy/policy/modules/apps/qemu.fc 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/qemu.fc 2008-11-11 16:22:03.000000000 -0500 -@@ -1,2 +1,4 @@ - /usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) - /usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) -+ -+/var/cache/libvirt(/.*)? -- gen_context(system_u:object_r:qemu_cache_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.5.13/policy/modules/apps/qemu.if ---- nsaserefpolicy/policy/modules/apps/qemu.if 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/qemu.if 2008-11-11 16:22:03.000000000 -0500 -@@ -48,6 +48,91 @@ - allow qemu_t $3:chr_file rw_file_perms; - ') - +####################################### +## -+## The per role template for the qemu module. ++## The per role template for the nsplugin module. +## +## +##

+## This template creates a derived domains which are used -+## for qemu web browser. ++## for nsplugin web browser. +##

+##

+## This template is invoked automatically for each user, and 
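Review bot: nsplugin.if's `nsplugin_manage_rw_files` and `nsplugin_manage_rw` hand out create, write and delete on `nsplugin_rw_t`, the same type the new nsplugin.fc applies to `/usr/lib(64)?/mozilla/plugins-wrapped(/.*)?` and that the next hunk makes executable for the user domain through `can_exec($2, nsplugin_rw_t)`. Any domain granted one of these manage interfaces therefore controls code that every user's plugin domain will run, so the interface summaries should state that rather than the generic "Domain allowed access."; e.g. extend the `nsplugin_manage_rw` summary to `Manage nsplugin rw files. nsplugin_rw_t is executed by user domains, so this grants control over plugin code.` Which domains actually call these interfaces is outside the visible hunks and should be checked against the .te.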
@@ -4150,24 +4240,66 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+template(`qemu_per_role_template_notrans',` ++template(`nsplugin_per_role_template_notrans',` + gen_require(` -+ type qemu_t; ++ type nsplugin_rw_t; ++ type nsplugin_home_t; ++ type nsplugin_exec_t; ++ type nsplugin_config_exec_t; ++ type nsplugin_t; ++ type nsplugin_config_t; + ') + -+ role $3 types qemu_t; ++ role $3 types nsplugin_t; ++ role $3 types nsplugin_config_t; + -+ xserver_common_app($1, qemu_t) ++ allow nsplugin_t $2:process signull; ++ ++ list_dirs_pattern($2, nsplugin_rw_t, nsplugin_rw_t) ++ read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t) ++ read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t) ++ can_exec($2, nsplugin_rw_t) ++ ++ #Leaked File Descriptors ++ dontaudit nsplugin_t $2:tcp_socket rw_socket_perms; ++ dontaudit nsplugin_t $2:udp_socket rw_socket_perms; ++ dontaudit nsplugin_t $2:unix_stream_socket rw_socket_perms; ++ dontaudit nsplugin_t $2:unix_dgram_socket rw_socket_perms; ++ dontaudit nsplugin_t $2:fifo_file rw_fifo_file_perms; ++ dontaudit nsplugin_config_t $2:tcp_socket rw_socket_perms; ++ dontaudit nsplugin_config_t $2:udp_socket rw_socket_perms; ++ dontaudit nsplugin_config_t $2:unix_stream_socket rw_socket_perms; ++ dontaudit nsplugin_config_t $2:unix_dgram_socket rw_socket_perms; ++ dontaudit nsplugin_config_t $2:fifo_file rw_fifo_file_perms; ++ allow nsplugin_t $2:unix_stream_socket connectto; ++ dontaudit nsplugin_t $2:process ptrace; ++ ++ allow $2 nsplugin_t:process { getattr ptrace signal_perms }; ++ allow $2 nsplugin_t:unix_stream_socket connectto; ++ ++ # Connect to pulseaudit server ++ stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2) ++ gnome_stream_connect(nsplugin_t, $2) ++ ++ userdom_use_user_terminals($1, nsplugin_t) ++ userdom_use_user_terminals($1, nsplugin_config_t) ++ userdom_dontaudit_setattr_user_home_content_files($1, nsplugin_t) ++ ++ optional_policy(` ++ 
dbus_dontaudit_connectto_user_bus($1, nsplugin_t) ++ ') ++ ++ xserver_common_app($1, nsplugin_t) +') + +####################################### +##

-+## The per role template for the qemu module. ++## The per role template for the nsplugin module. +## +## +##

+## This template creates a derived domains which are used -+## for qemu web browser. ++## for nsplugin web browser. +##

+##

+## This template is invoked automatically for each user, and @@ -4192,906 +4324,738 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+template(`qemu_per_role_template',` ++template(`nsplugin_per_role_template',` + gen_require(` -+ type qemu_exec_t; ++ type nsplugin_exec_t; ++ type nsplugin_config_exec_t; ++ type nsplugin_t; ++ type nsplugin_config_t; + ') -+ -+ qemu_per_role_template_notrans($1, $2, $3) -+ -+ domtrans_pattern($2, qemu_exec_t, qemu_t) -+ domtrans_pattern($2, qemu_config_exec_t, qemu_config_t) -+ ') + - ######################################## - ##
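Review bot: `nsplugin_per_role_template_notrans` calls `stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2)` with a hard-coded `user_home_t` that is neither derived from the `$1` prefix the template takes nor listed in its `gen_require` block, so the template is not really per-role and, unless it is only ever expanded where user_home_t is already in scope, will fail to build. Either add `type user_home_t;` to the `gen_require` and note in a comment that every role is deliberately given the unprivileged user's home type, or route the connect through a userdom interface that takes the prefix. The comment on that line also misspells the daemon; it should read `# Connect to pulseaudio server`.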

- ## Allow the domain to read state files in /proc. -@@ -68,6 +153,64 @@ - - ######################################## - ## -+## Set the schedule on qemu. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`qemu_setsched',` -+ gen_require(` -+ type qemu_t; -+ ') -+ -+ allow $1 qemu_t:process setsched; ++ nsplugin_per_role_template_notrans($1, $2, $3) ++ ++ domtrans_pattern($2, nsplugin_exec_t, nsplugin_t) ++ domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t) +') + -+######################################## ++####################################### +## -+## Execute qemu_exec_t -+## in the specified domain but do not -+## do it automatically. This is an explicit -+## transition, requiring the caller to use setexeccon(). ++## The per role template for the nsplugin module. +## +## +##

-+## Execute qemu_exec_t -+## in the specified domain. This allows -+## the specified domain to qemu programs -+## on these filesystems in the specified -+## domain. ++## This template creates a derived domains which are used ++## for nsplugin web browser. ++##

++##

++## This template is invoked automatically for each user, and ++## generally does not need to be invoked directly ++## by policy writers. +##

+##
-+## ++## +## -+## Domain allowed access. ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). +## +## -+## ++## +## -+## The type of the new process. ++## The type of the user domain. +## +## +# -+interface(`qemu_spec_domtrans',` ++interface(`nsplugin_domtrans_user',` + gen_require(` -+ type qemu_exec_t; ++ type nsplugin_exec_t; ++ type nsplugin_t; + ') -+ -+ read_lnk_files_pattern($1, qemu_exec_t, qemu_exec_t) -+ domain_transition_pattern($1, qemu_exec_t, $2) -+ -+ allow $3 $1:fd use; -+ allow $3 $1:fifo_file rw_fifo_file_perms; -+ allow $3 $1:process sigchld; -+') + -+######################################## ++ domtrans_pattern($2, nsplugin_exec_t, nsplugin_t) ++') ++####################################### +## - ## Send a signal to qemu. - ## - ## -@@ -104,7 +247,71 @@ - - ######################################## - ## --## Execute a domain transition to run qemu unconfined. -+## Execute qemu programs in the qemu domain. ++## The per role template for the nsplugin module. +## -+## -+## -+## Domain allowed access. -+## -+## -+## ++## ++##

++## This template creates a derived domains which are used ++## for nsplugin web browser. ++##

++##

++## This template is invoked automatically for each user, and ++## generally does not need to be invoked directly ++## by policy writers. ++##

++##
++## +## -+## The role to allow the PAM domain. ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). +## +## -+## ++## +## -+## The type of the terminal allow the PAM domain to use. ++## The type of the user domain. +## +## +# -+interface(`qemu_runas',` ++interface(`nsplugin_domtrans_user_config',` + gen_require(` -+ type qemu_t; ++ type nsplugin_config_exec_t; ++ type nsplugin_config_t; + ') + -+ qemu_domtrans($1) -+ allow qemu_t $3:chr_file rw_file_perms; ++ domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t) +') + +######################################## +## -+## Execute qemu programs in the role. ++## Search nsplugin rw directories. +## -+## ++## +## -+## The role to allow the PAM domain. ++## Domain allowed access. +## +## +# -+interface(`qemu_role',` ++interface(`nsplugin_search_rw_dir',` + gen_require(` -+ type qemu_t; ++ type nsplugin_rw_t; + ') -+ role $1 types qemu_t; ++ ++ allow $1 nsplugin_rw_t:dir search_dir_perms; +') + +######################################## +## -+## Execute qemu unconfined programs in the role. ++## Read nsplugin rw files. +## -+## ++## +## -+## The role to allow the PAM domain. ++## Domain allowed access. +## +## +# -+interface(`qemu_unconfined_role',` ++interface(`nsplugin_read_rw_files',` + gen_require(` -+ type qemu_unconfined_t; ++ type nsplugin_rw_t; + ') -+ role $1 types qemu_unconfined_t; -+') + ++ read_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t) ++') + +######################################## +## -+## Execute a domain transition to run qemu. - ## - ## - ## -@@ -122,6 +329,36 @@ - - ######################################## - ## -+## Execute qemu programs in the qemu unconfined domain. ++## Exec nsplugin rw files. +## +## +## +## Domain allowed access. +## +## -+## -+## -+## The role to allow the PAM domain. -+## -+## -+## -+## -+## The type of the terminal allow the PAM domain to use. 
-+## -+## +# -+interface(`qemu_runas_unconfined',` ++interface(`nsplugin_rw_exec',` + gen_require(` -+ type qemu_unconfined_t; ++ type nsplugin_rw_t; + ') + -+ qemu_domtrans_unconfined($1) -+ allow qemu_unconfined_t $3:chr_file rw_file_perms; ++ can_exec($1, nsplugin_rw_t) +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.13/policy/modules/apps/nsplugin.te +--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.te 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,274 @@ + ++policy_module(nsplugin, 1.0.0) + +######################################## -+## - ## Creates types and rules for a basic - ## qemu process domain. - ## -@@ -133,85 +370,32 @@ - # - template(`qemu_domain_template',` - -- ############################## -- # -- # Local Policy -- # -+ gen_require(` -+ attribute qemutype; -+ ') - -- type $1_t; -- domain_type($1_t) -+ type $1_t, qemutype; - - type $1_tmp_t; - files_tmp_file($1_tmp_t) - -- ############################## -- # -- # Local Policy -- # -+ type $1_tmpfs_t; -+ files_tmpfs_file($1_tmpfs_t) - -- allow $1_t self:capability { dac_read_search dac_override }; -- allow $1_t self:process { execstack execmem signal getsched }; -- allow $1_t self:fifo_file rw_file_perms; -- allow $1_t self:shm create_shm_perms; -- allow $1_t self:unix_stream_socket create_stream_socket_perms; -- allow $1_t self:tcp_socket create_stream_socket_perms; -+ type $1_image_t; -+ virt_image($1_image_t) -+ -+ manage_dirs_pattern($1_t, $1_image_t, $1_image_t) -+ manage_files_pattern($1_t, $1_image_t, $1_image_t) -+ read_lnk_files_pattern($1_t, $1_image_t, $1_image_t) -+ rw_blk_files_pattern($1_t, $1_image_t, $1_image_t) - - manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) - manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) - files_tmp_filetrans($1_t, $1_tmp_t, { file dir }) - -- kernel_read_system_state($1_t) -- -- 
corenet_all_recvfrom_unlabeled($1_t) -- corenet_all_recvfrom_netlabel($1_t) -- corenet_tcp_sendrecv_all_if($1_t) -- corenet_tcp_sendrecv_all_nodes($1_t) -- corenet_tcp_sendrecv_all_ports($1_t) -- corenet_tcp_bind_all_nodes($1_t) -- corenet_tcp_bind_vnc_port($1_t) -- corenet_rw_tun_tap_dev($1_t) -- --# dev_rw_kvm($1_t) -- -- domain_use_interactive_fds($1_t) -- -- files_read_etc_files($1_t) -- files_read_usr_files($1_t) -- files_read_var_files($1_t) -- files_search_all($1_t) -- -- fs_list_inotifyfs($1_t) -- fs_rw_anon_inodefs_files($1_t) -- fs_rw_tmpfs_files($1_t) -- -- storage_raw_write_removable_device($1_t) -- storage_raw_read_removable_device($1_t) -- -- term_use_ptmx($1_t) -- term_getattr_pty_fs($1_t) -- term_use_generic_ptys($1_t) -- -- libs_use_ld_so($1_t) -- libs_use_shared_libs($1_t) -- -- miscfiles_read_localization($1_t) -- -- sysnet_read_config($1_t) -- --# optional_policy(` --# samba_domtrans_smb($1_t) --# ') -- -- optional_policy(` -- virt_manage_images($1_t) -- virt_read_config($1_t) -- virt_read_lib_files($1_t) -- ') -- -- optional_policy(` -- xserver_stream_connect_xdm_xserver($1_t) -- xserver_read_xdm_tmp_files($1_t) -- xserver_read_xdm_pid($1_t) --# xserver_xdm_rw_shm($1_t) -- ') -+ manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) -+ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) -+ manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) -+ fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.5.13/policy/modules/apps/qemu.te ---- nsaserefpolicy/policy/modules/apps/qemu.te 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/qemu.te 2008-11-11 16:22:03.000000000 -0500 -@@ -6,6 +6,8 @@ - # Declarations - # - -+attribute qemutype; ++# ++# Declarations ++# + - ## - ##

- ## Allow qemu to connect fully to the network -@@ -13,16 +15,102 @@ - ## - gen_tunable(qemu_full_network, false) - +## +##

-+## Allow qemu to use nfs file systems ++## Allow nsplugin code to execmem/execstack +##

+##
-+gen_tunable(qemu_use_nfs, true) ++gen_tunable(allow_nsplugin_execmem, false) + -+## -+##

-+## Allow qemu to use cifs/Samba file systems -+##

-+##
-+gen_tunable(qemu_use_cifs, true) ++type nsplugin_exec_t; ++application_executable_file(nsplugin_exec_t) ++ ++type nsplugin_config_exec_t; ++application_executable_file(nsplugin_config_exec_t) ++ ++type nsplugin_rw_t; ++files_type(nsplugin_rw_t) ++ ++type nsplugin_tmp_t; ++files_tmp_file(nsplugin_tmp_t) ++ ++type nsplugin_home_t; ++files_poly_member(nsplugin_home_t) ++userdom_user_home_content(user, nsplugin_home_t) ++typealias nsplugin_home_t alias user_nsplugin_home_t; ++ ++type nsplugin_t; ++domain_type(nsplugin_t) ++domain_entry_file(nsplugin_t, nsplugin_exec_t) ++ ++type nsplugin_config_t; ++domain_type(nsplugin_config_t) ++domain_entry_file(nsplugin_config_t, nsplugin_config_exec_t) ++ ++application_executable_file(nsplugin_exec_t) ++application_executable_file(nsplugin_config_exec_t) + - type qemu_exec_t; - qemu_domain_template(qemu) - application_domain(qemu_t, qemu_exec_t) - role system_r types qemu_t; - -+type qemu_cache_t; -+files_type(qemu_cache_t) + +######################################## +# -+# qemu common policy ++# nsplugin local policy +# -+allow qemutype self:capability { dac_read_search dac_override }; -+allow qemutype self:process { execstack execmem signal getsched signull }; ++dontaudit nsplugin_t self:capability sys_tty_config; ++allow nsplugin_t self:fifo_file rw_file_perms; ++allow nsplugin_t self:process { ptrace setpgid getsched setsched signal_perms }; + -+allow qemutype self:fifo_file rw_file_perms; -+allow qemutype self:shm create_shm_perms; -+allow qemutype self:unix_stream_socket create_stream_socket_perms; -+allow qemutype self:tcp_socket create_stream_socket_perms; ++allow nsplugin_t self:sem create_sem_perms; ++allow nsplugin_t self:shm create_shm_perms; ++allow nsplugin_t self:msgq create_msgq_perms; ++allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms }; ++allow nsplugin_t self:unix_dgram_socket create_socket_perms; + -+manage_dirs_pattern(qemu_t, qemu_cache_t, qemu_cache_t) 
-+manage_files_pattern(qemu_t, qemu_cache_t, qemu_cache_t) -+files_var_filetrans(qemu_t, qemu_cache_t, { file dir }) ++tunable_policy(`allow_nsplugin_execmem',` ++ allow nsplugin_t self:process { execstack execmem }; ++ allow nsplugin_config_t self:process { execstack execmem }; ++') ++ ++manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) ++exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) ++manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) ++manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t) ++userdom_user_home_dir_filetrans(user, nsplugin_t, nsplugin_home_t, {file dir}) ++userdom_user_home_content_filetrans(user, nsplugin_t, nsplugin_home_t, {file dir}) ++unprivuser_dontaudit_write_home_content_files(nsplugin_t) ++userdom_manage_tmpfs(nsplugin_t) ++ ++corecmd_exec_bin(nsplugin_t) ++corecmd_exec_shell(nsplugin_t) ++ ++corenet_all_recvfrom_unlabeled(nsplugin_t) ++corenet_all_recvfrom_netlabel(nsplugin_t) ++corenet_tcp_connect_flash_port(nsplugin_t) ++corenet_tcp_connect_streaming_port(nsplugin_t) ++corenet_tcp_connect_pulseaudio_port(nsplugin_t) ++corenet_tcp_connect_http_port(nsplugin_t) ++corenet_tcp_connect_http_cache_port(nsplugin_t) ++corenet_tcp_sendrecv_generic_if(nsplugin_t) ++corenet_tcp_sendrecv_all_nodes(nsplugin_t) ++corenet_tcp_connect_ipp_port(nsplugin_t) ++ ++domain_dontaudit_read_all_domains_state(nsplugin_t) ++ ++dev_read_rand(nsplugin_t) ++dev_read_sound(nsplugin_t) ++dev_write_sound(nsplugin_t) ++dev_read_video_dev(nsplugin_t) ++dev_write_video_dev(nsplugin_t) ++dev_getattr_dri_dev(nsplugin_t) ++dev_rwx_zero(nsplugin_t) ++ ++kernel_read_kernel_sysctls(nsplugin_t) ++kernel_read_system_state(nsplugin_t) ++ ++files_dontaudit_getattr_lost_found_dirs(nsplugin_t) ++files_dontaudit_list_home(nsplugin_t) ++files_read_usr_files(nsplugin_t) ++files_read_etc_files(nsplugin_t) ++files_read_config_files(nsplugin_t) ++ ++fs_list_inotifyfs(nsplugin_t) ++fs_getattr_tmpfs(nsplugin_t) 
++fs_getattr_xattr_fs(nsplugin_t) ++fs_search_auto_mountpoints(nsplugin_t) ++fs_rw_anon_inodefs_files(nsplugin_t) ++ ++storage_dontaudit_getattr_fixed_disk_dev(nsplugin_t) ++ ++term_dontaudit_getattr_all_user_ptys(nsplugin_t) ++term_dontaudit_getattr_all_user_ttys(nsplugin_t) ++ ++auth_use_nsswitch(nsplugin_t) ++ ++libs_use_ld_so(nsplugin_t) ++libs_use_shared_libs(nsplugin_t) ++libs_exec_ld_so(nsplugin_t) ++ ++miscfiles_read_localization(nsplugin_t) ++miscfiles_read_fonts(nsplugin_t) ++ ++unprivuser_manage_tmp_dirs(nsplugin_t) ++unprivuser_manage_tmp_files(nsplugin_t) ++unprivuser_manage_tmp_sockets(nsplugin_t) ++userdom_tmp_filetrans_user_tmp(user, nsplugin_t, { file dir sock_file }) ++unprivuser_read_tmpfs_files(nsplugin_t) ++unprivuser_rw_semaphores(nsplugin_t) ++unprivuser_delete_tmpfs_files(nsplugin_t) ++ ++unprivuser_read_home_content_symlinks(nsplugin_t) ++unprivuser_read_home_content_files(nsplugin_t) ++unprivuser_read_tmp_files(nsplugin_t) ++userdom_write_user_tmp_sockets(user, nsplugin_t) ++unprivuser_dontaudit_append_home_content_files(nsplugin_t) ++userdom_dontaudit_unlink_unpriv_home_content_files(nsplugin_t) ++userdom_dontaudit_manage_user_tmp_files(user, nsplugin_t) + -+kernel_read_system_state(qemutype) ++optional_policy(` ++ alsa_read_rw_config(nsplugin_t) ++') + -+corenet_all_recvfrom_unlabeled(qemutype) -+corenet_all_recvfrom_netlabel(qemutype) -+corenet_tcp_sendrecv_all_if(qemutype) -+corenet_tcp_sendrecv_all_nodes(qemutype) -+corenet_tcp_sendrecv_all_ports(qemutype) -+corenet_tcp_bind_all_nodes(qemutype) -+corenet_tcp_bind_vnc_port(qemutype) -+corenet_rw_tun_tap_dev(qemutype) -+ -+dev_read_sound(qemutype) -+dev_write_sound(qemutype) -+dev_rw_kvm(qemutype) -+dev_rw_qemu(qemutype) -+ -+domain_use_interactive_fds(qemutype) -+ -+files_read_etc_files(qemutype) -+files_read_usr_files(qemutype) -+files_read_var_files(qemutype) -+files_search_all(qemutype) -+ -+fs_list_inotifyfs(qemutype) -+fs_rw_anon_inodefs_files(qemutype) 
-+fs_rw_tmpfs_files(qemutype) ++optional_policy(` ++ cups_stream_connect(nsplugin_t) ++') + -+term_use_ptmx(qemutype) -+term_getattr_pty_fs(qemutype) -+term_use_generic_ptys(qemutype) ++optional_policy(` ++ dbus_system_bus_client_template(nsplugin, nsplugin_t) ++') + -+auth_use_nsswitch(qemutype) ++optional_policy(` ++ gnome_exec_gconf(nsplugin_t) ++ gnome_manage_user_gnome_config(user, nsplugin_t) ++ gnome_read_gconf_home_files(nsplugin_t) ++ allow nsplugin_t gnome_home_t:sock_file write; ++') + -+libs_use_ld_so(qemutype) -+libs_use_shared_libs(qemutype) ++optional_policy(` ++ mozilla_read_user_home_files(user, nsplugin_t) ++ mozilla_write_user_home_files(user, nsplugin_t) ++') + -+miscfiles_read_localization(qemutype) ++optional_policy(` ++ mplayer_exec(nsplugin_t) ++ mplayer_read_user_home_files(user, nsplugin_t) ++') + +optional_policy(` -+ virt_read_config(qemutype) -+ virt_read_lib_files(qemutype) ++ unconfined_execmem_signull(nsplugin_t) ++ unconfined_delete_tmpfs_files(nsplugin_t) +') + +optional_policy(` -+ xserver_stream_connect_xdm_xserver(qemutype) -+ xserver_read_xdm_tmp_files(qemutype) -+ xserver_read_xdm_pid(qemutype) -+ xserver_rw_xdm_xserver_shm(qemutype) ++ xserver_stream_connect_xdm(nsplugin_t) ++ xserver_stream_connect_xdm_xserver(nsplugin_t) ++ xserver_rw_xdm_xserver_shm(nsplugin_t) ++ xserver_read_xdm_tmp_files(nsplugin_t) ++ xserver_read_xdm_pid(nsplugin_t) ++ xserver_read_user_xauth(user, nsplugin_t) ++ xserver_read_user_iceauth(user, nsplugin_t) ++ xserver_use_user_fonts(user, nsplugin_t) ++ xserver_manage_home_fonts(nsplugin_t) ++ xserver_dontaudit_rw_xdm_home_files(nsplugin_t) +') + - ######################################## - # - # qemu local policy - # - -+storage_raw_write_removable_device(qemu_t) -+storage_raw_read_removable_device(qemu_t) ++######################################## ++# ++# nsplugin_config local policy ++# + - tunable_policy(`qemu_full_network',` - allow qemu_t self:udp_socket create_socket_perms; - -@@ -35,6 +123,30 
@@ - corenet_tcp_connect_all_ports(qemu_t) - ') - -+tunable_policy(`qemu_use_nfs',` -+ fs_manage_nfs_files(qemu_t) ++allow nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid }; ++allow nsplugin_config_t self:process { setsched sigkill getsched execmem }; ++#execing pulseaudio ++dontaudit nsplugin_t self:process { getcap setcap }; ++ ++allow nsplugin_config_t self:fifo_file rw_file_perms; ++allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms; ++ ++fs_list_inotifyfs(nsplugin_config_t) ++fs_search_auto_mountpoints(nsplugin_config_t) ++ ++can_exec(nsplugin_config_t, nsplugin_rw_t) ++manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) ++manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) ++manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t) ++ ++manage_dirs_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t) ++manage_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t) ++manage_lnk_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t) ++ ++corecmd_exec_bin(nsplugin_config_t) ++corecmd_exec_shell(nsplugin_config_t) ++ ++kernel_read_system_state(nsplugin_config_t) ++ ++files_read_etc_files(nsplugin_config_t) ++files_read_usr_files(nsplugin_config_t) ++files_dontaudit_search_home(nsplugin_config_t) ++files_list_tmp(nsplugin_config_t) ++ ++auth_use_nsswitch(nsplugin_config_t) ++ ++libs_use_ld_so(nsplugin_config_t) ++libs_use_shared_libs(nsplugin_config_t) ++ ++miscfiles_read_localization(nsplugin_config_t) ++miscfiles_read_fonts(nsplugin_config_t) ++ ++userdom_search_all_users_home_content(nsplugin_config_t) ++unprivuser_read_home_content_files(nsplugin_config_t) ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_manage_nfs_dirs(nsplugin_t) ++ fs_manage_nfs_files(nsplugin_t) ++ fs_read_nfs_symlinks(nsplugin_t) ++ fs_manage_nfs_named_pipes(nsplugin_t) ++ fs_manage_nfs_dirs(nsplugin_config_t) ++ 
fs_manage_nfs_files(nsplugin_config_t) ++ fs_manage_nfs_named_pipes(nsplugin_config_t) ++ fs_read_nfs_symlinks(nsplugin_config_t) +') + -+tunable_policy(`qemu_use_cifs',` -+ fs_manage_cifs_dirs(qemu_t) ++tunable_policy(`use_samba_home_dirs',` ++ fs_manage_cifs_dirs(nsplugin_t) ++ fs_manage_cifs_files(nsplugin_t) ++ fs_read_cifs_symlinks(nsplugin_t) ++ fs_manage_cifs_named_pipes(nsplugin_t) ++ fs_manage_cifs_dirs(nsplugin_config_t) ++ fs_manage_cifs_files(nsplugin_config_t) ++ fs_manage_cifs_named_pipes(nsplugin_config_t) ++ fs_read_cifs_symlinks(nsplugin_config_t) +') + ++domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, nsplugin_t) ++ +optional_policy(` -+ samba_domtrans_smb(qemu_t) ++ xserver_read_home_fonts(nsplugin_config_t) +') + +optional_policy(` -+ virt_manage_images(qemu_t) ++ mozilla_read_user_home_files(user, nsplugin_config_t) +') + +optional_policy(` -+ xen_rw_image_files(qemu_t) ++ gen_require(` ++ type unconfined_mono_t; ++ ') ++ allow nsplugin_t unconfined_mono_t:process signull; +') + -+optional_policy(` -+ xen_rw_image_files(qemu_t) ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.5.13/policy/modules/apps/openoffice.fc +--- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/apps/openoffice.fc 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,3 @@ ++/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) ++/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0) ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.5.13/policy/modules/apps/openoffice.if +--- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/apps/openoffice.if 2008-11-11 16:22:03.000000000 -0500 +@@ 
-0,0 +1,106 @@ ++## Openoffice ++ ++####################################### ++## ++## The per role template for the openoffice module. ++## ++## ++##

++## This template creates a derived domains which are used ++## for openoffice plugins that are executed by a browser. ++##

++##

++## This template is invoked automatically for each user, and ++## generally does not need to be invoked directly ++## by policy writers. ++##

++##
++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## ++## ++## ++## The type of the user domain. ++## ++## ++## ++## ++## The role associated with the user domain. ++## ++## ++# ++interface(`openoffice_plugin_per_role_template',` ++ gen_require(` ++ type openoffice_exec_t; ++ type $1_openoffice_t; ++ ') ++ ++ ######################################## ++ # ++ # Local policy ++ # ++ ++ domtrans_pattern($2, openoffice_exec_t, $1_openoffice_t) ++ allow $2 $1_openoffice_t:process { signal sigkill }; +') + - ######################################## - # - # qemu_unconfined local policy -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.5.13/policy/modules/apps/screen.fc ---- nsaserefpolicy/policy/modules/apps/screen.fc 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/screen.fc 2008-11-11 16:22:03.000000000 -0500 -@@ -1,7 +1,7 @@ - # - # /home - # --HOME_DIR/\.screenrc -- gen_context(system_u:object_r:ROLE_screen_ro_home_t,s0) -+HOME_DIR/\.screenrc -- gen_context(system_u:object_r:user_screen_ro_home_t,s0) ++####################################### ++## ++## The per role template for the openoffice module. ++## ++## ++##

++## This template creates a derived domains which are used ++## for openoffice applications. ++##

++##
++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## ++## ++## ++## The type of the user domain. ++## ++## ++## ++## ++## The role associated with the user domain. ++## ++## ++# ++template(`openoffice_per_role_template',` ++ gen_require(` ++ type openoffice_exec_t; ++ ') ++ ++ type $1_openoffice_t; ++ domain_type($1_openoffice_t) ++ domain_entry_file($1_openoffice_t, openoffice_exec_t) ++ role $3 types $1_openoffice_t; ++ ++ domain_interactive_fd($1_openoffice_t) ++ ++ userdom_unpriv_usertype($1, $1_openoffice_t) ++ userdom_exec_user_home_content_files($1, $1_openoffice_t) ++ ++ allow $1_openoffice_t self:process { getsched sigkill execheap execmem execstack }; ++ ++ allow $2 $1_openoffice_t:process { getattr ptrace signal_perms noatsecure siginh rlimitinh }; ++ allow $1_openoffice_t $2:tcp_socket { read write }; ++ ++ domtrans_pattern($2, openoffice_exec_t, $1_openoffice_t) ++ ++ dev_read_urand($1_openoffice_t) ++ dev_read_rand($1_openoffice_t) ++ ++ fs_dontaudit_rw_tmpfs_files($1_openoffice_t) ++ ++ allow $2 $1_openoffice_t:process { signal sigkill }; ++ allow $1_openoffice_t $2:unix_stream_socket connectto; ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.5.13/policy/modules/apps/openoffice.te +--- nsaserefpolicy/policy/modules/apps/openoffice.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/apps/openoffice.te 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,14 @@ ++ ++policy_module(openoffice, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type openoffice_t; ++type openoffice_exec_t; ++application_domain(openoffice_t, openoffice_exec_t) ++ ++ ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.fc serefpolicy-3.5.13/policy/modules/apps/podsleuth.fc +--- nsaserefpolicy/policy/modules/apps/podsleuth.fc 2008-10-17 
08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/podsleuth.fc 2008-11-11 16:22:03.000000000 -0500 +@@ -1,2 +1,4 @@ - # - # /usr -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.5.13/policy/modules/apps/screen.if ---- nsaserefpolicy/policy/modules/apps/screen.if 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/screen.if 2008-11-11 16:22:03.000000000 -0500 -@@ -35,6 +35,7 @@ - template(`screen_per_role_template',` - gen_require(` - type screen_dir_t, screen_exec_t; -+ type user_screen_ro_home_t; + /usr/bin/podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0) ++/usr/libexec/hal-podsleuth -- gen_context(system_u:object_r:podsleuth_exec_t,s0) ++/var/cache/podsleuth(/.*)? gen_context(system_u:object_r:podsleuth_cache_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.if serefpolicy-3.5.13/policy/modules/apps/podsleuth.if +--- nsaserefpolicy/policy/modules/apps/podsleuth.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/podsleuth.if 2008-11-11 16:22:03.000000000 -0500 +@@ -16,4 +16,38 @@ ') - ######################################## -@@ -50,8 +51,9 @@ - type $1_screen_tmp_t; - files_tmp_file($1_screen_tmp_t) - -- type $1_screen_ro_home_t; -- files_type($1_screen_ro_home_t) -+ ifelse(`$1',`user',`',` -+ typealias user_screen_ro_home_t alias $1_screen_ro_home_t; + domtrans_pattern($1, podsleuth_exec_t, podsleuth_t) ++ allow $1 podsleuth_t:process signal; + ') ++ ++ ++######################################## ++## ++## Execute podsleuth in the podsleuth domain, and ++## allow the specified role the podsleuth domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the podsleuth domain. ++## ++## ++## ++## ++## The type of the role's terminal. 
++## ++## ++# ++interface(`podsleuth_run',` ++ gen_require(` ++ type podsleuth_t; + ') ++ ++ podsleuth_domtrans($1) ++ role $2 types podsleuth_t; ++ dontaudit podsleuth_t $3:chr_file rw_term_perms; ++') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.5.13/policy/modules/apps/podsleuth.te +--- nsaserefpolicy/policy/modules/apps/podsleuth.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/podsleuth.te 2008-11-11 16:22:03.000000000 -0500 +@@ -11,24 +11,55 @@ + application_domain(podsleuth_t, podsleuth_exec_t) + role system_r types podsleuth_t; - type $1_screen_var_run_t; - files_pid_file($1_screen_var_run_t) -@@ -81,9 +83,9 @@ - filetrans_pattern($1_screen_t, screen_dir_t, $1_screen_var_run_t, fifo_file) - files_pid_filetrans($1_screen_t, screen_dir_t, dir) - -- allow $1_screen_t $1_screen_ro_home_t:dir list_dir_perms; -- read_files_pattern($1_screen_t, $1_screen_ro_home_t, $1_screen_ro_home_t) -- read_lnk_files_pattern($1_screen_t, $1_screen_ro_home_t, $1_screen_ro_home_t) -+ allow $1_screen_t user_screen_ro_home_t:dir list_dir_perms; -+ read_files_pattern($1_screen_t, user_screen_ro_home_t, user_screen_ro_home_t) -+ read_lnk_files_pattern($1_screen_t, user_screen_ro_home_t, user_screen_ro_home_t) - - allow $1_screen_t $2:process signal; - -@@ -91,12 +93,12 @@ - allow $2 $1_screen_t:process signal; - allow $1_screen_t $2:process signal; - -- manage_dirs_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t) -- manage_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t) -- manage_lnk_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t) -- relabel_dirs_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t) -- relabel_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t) -- relabel_lnk_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t) -+ manage_dirs_pattern($2, user_screen_ro_home_t, user_screen_ro_home_t) -+ 
manage_files_pattern($2, user_screen_ro_home_t, user_screen_ro_home_t) -+ manage_lnk_files_pattern($2, user_screen_ro_home_t, user_screen_ro_home_t) -+ relabel_dirs_pattern($2, user_screen_ro_home_t, user_screen_ro_home_t) -+ relabel_files_pattern($2, user_screen_ro_home_t, user_screen_ro_home_t) -+ relabel_lnk_files_pattern($2, user_screen_ro_home_t, user_screen_ro_home_t) - - kernel_read_system_state($1_screen_t) - kernel_read_kernel_sysctls($1_screen_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.te serefpolicy-3.5.13/policy/modules/apps/screen.te ---- nsaserefpolicy/policy/modules/apps/screen.te 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/screen.te 2008-11-11 16:22:03.000000000 -0500 -@@ -11,3 +11,7 @@ - - type screen_exec_t; - application_executable_file(screen_exec_t) ++type podsleuth_tmp_t; ++files_tmp_file(podsleuth_tmp_t) + -+type user_screen_ro_home_t; -+userdom_user_home_content(user, user_screen_ro_home_t) ++type podsleuth_cache_t; ++files_type(podsleuth_cache_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.5.13/policy/modules/apps/slocate.te ---- nsaserefpolicy/policy/modules/apps/slocate.te 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/slocate.te 2008-11-13 11:45:45.000000000 -0500 -@@ -22,7 +22,7 @@ + ######################################## # - - allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid }; --allow locate_t self:process { execmem execheap execstack }; -+allow locate_t self:process { execmem execheap execstack signal }; - allow locate_t self:fifo_file rw_fifo_file_perms; - allow locate_t self:unix_stream_socket create_socket_perms; - -@@ -46,6 +46,8 @@ - - fs_getattr_all_fs(locate_t) - fs_getattr_all_files(locate_t) -+fs_getattr_all_pipes(locate_t) -+fs_getattr_all_symlinks(locate_t) - 
fs_list_all(locate_t) - fs_list_inotifyfs(locate_t) - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.fc serefpolicy-3.5.13/policy/modules/apps/thunderbird.fc ---- nsaserefpolicy/policy/modules/apps/thunderbird.fc 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/thunderbird.fc 2008-11-11 16:22:03.000000000 -0500 -@@ -3,4 +3,4 @@ + # podsleuth local policy # - /usr/bin/thunderbird.* -- gen_context(system_u:object_r:thunderbird_exec_t,s0) - --HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:ROLE_thunderbird_home_t,s0) -+HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:user_thunderbird_home_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.if serefpolicy-3.5.13/policy/modules/apps/thunderbird.if ---- nsaserefpolicy/policy/modules/apps/thunderbird.if 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/thunderbird.if 2008-11-11 16:22:03.000000000 -0500 -@@ -43,9 +43,9 @@ - application_domain($1_thunderbird_t, thunderbird_exec_t) - role $3 types $1_thunderbird_t; - -- type $1_thunderbird_home_t alias $1_thunderbird_rw_t; -- files_poly_member($1_thunderbird_home_t) -- userdom_user_home_content($1, $1_thunderbird_home_t) -+ ifelse(`$1',`user',`',` -+ typealias user_thunderbird_home_t alias $1_thunderbird_home_t; -+ ') - - type $1_thunderbird_tmpfs_t; - files_tmpfs_file($1_thunderbird_tmpfs_t) -@@ -64,9 +64,9 @@ - allow $1_thunderbird_t self:shm { read write create destroy unix_read unix_write }; - - # Access ~/.thunderbird -- manage_dirs_pattern($1_thunderbird_t, $1_thunderbird_home_t, $1_thunderbird_home_t) -- manage_files_pattern($1_thunderbird_t, $1_thunderbird_home_t, $1_thunderbird_home_t) -- manage_lnk_files_pattern($1_thunderbird_t, $1_thunderbird_home_t, $1_thunderbird_home_t) -+ manage_dirs_pattern($1_thunderbird_t, user_thunderbird_home_t, 
user_thunderbird_home_t) -+ manage_files_pattern($1_thunderbird_t, user_thunderbird_home_t, user_thunderbird_home_t) -+ manage_lnk_files_pattern($1_thunderbird_t, user_thunderbird_home_t, user_thunderbird_home_t) - userdom_search_user_home_dirs($1, $1_thunderbird_t) +- +-allow podsleuth_t self:process { signal getsched execheap execmem }; ++allow podsleuth_t self:capability { sys_admin sys_rawio }; ++allow podsleuth_t self:process { ptrace signal getsched execheap execmem }; + allow podsleuth_t self:fifo_file rw_file_perms; + allow podsleuth_t self:unix_stream_socket create_stream_socket_perms; ++allow podsleuth_t self:sem create_sem_perms; ++allow podsleuth_t self:tcp_socket create_stream_socket_perms; ++allow podsleuth_t self:udp_socket create_socket_perms; - manage_files_pattern($1_thunderbird_t, $1_thunderbird_tmpfs_t, $1_thunderbird_tmpfs_t) -@@ -87,13 +87,13 @@ - ps_process_pattern($2,$1_thunderbird_t) + kernel_read_system_state(podsleuth_t) - # Access ~/.thunderbird -- manage_dirs_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t) -- manage_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t) -- manage_lnk_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t) -- -- relabel_dirs_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t) -- relabel_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t) -- relabel_lnk_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t) -+ manage_dirs_pattern($2, user_thunderbird_home_t, user_thunderbird_home_t) -+ manage_files_pattern($2, user_thunderbird_home_t, user_thunderbird_home_t) -+ manage_lnk_files_pattern($2, user_thunderbird_home_t, user_thunderbird_home_t) ++corecmd_exec_bin(podsleuth_t) ++corenet_tcp_connect_http_port(podsleuth_t) + -+ relabel_dirs_pattern($2, user_thunderbird_home_t, user_thunderbird_home_t) -+ relabel_files_pattern($2, user_thunderbird_home_t, user_thunderbird_home_t) -+ relabel_lnk_files_pattern($2, user_thunderbird_home_t, user_thunderbird_home_t) 
- - # Allow netstat - kernel_read_network_state($1_thunderbird_t) -@@ -153,10 +153,10 @@ - miscfiles_read_fonts($1_thunderbird_t) - miscfiles_read_localization($1_thunderbird_t) - -- userdom_manage_user_tmp_dirs($1, $1_thunderbird_t) -+ unprivuser_manage_tmp_dirs($1_thunderbird_t) - userdom_read_user_tmp_files($1, $1_thunderbird_t) - userdom_write_user_tmp_sockets($1, $1_thunderbird_t) -- userdom_manage_user_tmp_sockets($1, $1_thunderbird_t) -+ unprivuser_manage_tmp_sockets($1_thunderbird_t) - # .kde/....gtkrc - userdom_read_user_home_content_files($1, $1_thunderbird_t) + dev_read_urand(podsleuth_t) -@@ -294,8 +294,8 @@ - files_search_home($1_thunderbird_t) - files_tmp_filetrans($1_thunderbird_t, $1_untrusted_content_tmp_t,file) - files_tmp_filetrans($1_thunderbird_t, $1_untrusted_content_tmp_t,dir) -- userdom_manage_user_untrusted_content_files($1, $1_thunderbird_t) -- userdom_manage_user_untrusted_content_tmp_files($1, $1_thunderbird_t) -+ unprivuser_manage_untrusted_content_files($1_thunderbird_t) -+ unprivuser_manage_untrusted_content_tmp_files($1_thunderbird_t) - userdom_user_home_dir_filetrans($1, $1_thunderbird_t, $1_untrusted_content_tmp_t, { file dir }) - userdom_user_home_content_filetrans($1, $1_thunderbird_t, $1_untrusted_content_tmp_t, { file dir }) - ',` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.te serefpolicy-3.5.13/policy/modules/apps/thunderbird.te ---- nsaserefpolicy/policy/modules/apps/thunderbird.te 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/thunderbird.te 2008-11-11 16:22:03.000000000 -0500 -@@ -8,3 +8,7 @@ + files_read_etc_files(podsleuth_t) - type thunderbird_exec_t; - application_executable_file(thunderbird_exec_t) ++fs_mount_dos_fs(podsleuth_t) ++fs_unmount_dos_fs(podsleuth_t) ++fs_getattr_dos_fs(podsleuth_t) ++fs_read_dos_files(podsleuth_t) ++fs_search_dos(podsleuth_t) + -+type user_thunderbird_home_t alias user_thunderbird_rw_t; 
-+userdom_user_home_content(user, user_thunderbird_home_t) ++allow podsleuth_t podsleuth_tmp_t:dir mounton; ++manage_files_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t) ++files_tmp_filetrans(podsleuth_t, podsleuth_tmp_t, { file dir }) ++manage_dirs_pattern(podsleuth_t, podsleuth_tmp_t, podsleuth_tmp_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.if serefpolicy-3.5.13/policy/modules/apps/tvtime.if ---- nsaserefpolicy/policy/modules/apps/tvtime.if 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/tvtime.if 2008-11-11 16:22:03.000000000 -0500 -@@ -35,6 +35,7 @@ - template(`tvtime_per_role_template',` - gen_require(` - type tvtime_exec_t; -+ type user_tvtime_home_t, user_tvtime_tmp_t; - ') - - ######################################## -@@ -46,12 +47,10 @@ - application_domain($1_tvtime_t, tvtime_exec_t) - role $3 types $1_tvtime_t; - -- type $1_tvtime_home_t alias $1_tvtime_rw_t; -- userdom_user_home_content($1, $1_tvtime_home_t) -- files_poly_member($1_tvtime_home_t) -- -- type $1_tvtime_tmp_t; -- files_tmp_file($1_tvtime_tmp_t) -+ ifelse(`$1',`user',`',` -+ typealias user_tvtime_home_t alias $1_tvtime_home_t; -+ typealias user_tvtime_tmp_t alias $1_tvtime_tmp_t; -+ ') - - type $1_tvtime_tmpfs_t; - files_tmpfs_file($1_tvtime_tmpfs_t) -@@ -67,14 +66,14 @@ - allow $1_tvtime_t self:unix_stream_socket rw_stream_socket_perms; ++manage_dirs_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t) ++manage_files_pattern(podsleuth_t, podsleuth_cache_t, podsleuth_cache_t) ++files_var_filetrans(podsleuth_t, podsleuth_cache_t, { file dir }) ++ ++storage_raw_rw_fixed_disk(podsleuth_t) ++ + libs_use_ld_so(podsleuth_t) + libs_use_shared_libs(podsleuth_t) - # X access, Home files -- manage_dirs_pattern($1_tvtime_t, $1_tvtime_home_t, $1_tvtime_home_t) -- manage_files_pattern($1_tvtime_t, $1_tvtime_home_t, $1_tvtime_home_t) -- manage_lnk_files_pattern($1_tvtime_t, $1_tvtime_home_t, 
$1_tvtime_home_t) -- userdom_user_home_dir_filetrans($1, $1_tvtime_t, $1_tvtime_home_t, dir) -- -- manage_dirs_pattern($1_tvtime_t, $1_tvtime_tmp_t, $1_tvtime_tmp_t) -- manage_files_pattern($1_tvtime_t, $1_tvtime_tmp_t, $1_tvtime_tmp_t) -- files_tmp_filetrans($1_tvtime_t, $1_tvtime_tmp_t, { file dir }) -+ manage_dirs_pattern($1_tvtime_t, user_tvtime_home_t, user_tvtime_home_t) -+ manage_files_pattern($1_tvtime_t, user_tvtime_home_t, user_tvtime_home_t) -+ manage_lnk_files_pattern($1_tvtime_t, user_tvtime_home_t, user_tvtime_home_t) -+ userdom_user_home_dir_filetrans($1, $1_tvtime_t, user_tvtime_home_t, dir) ++sysnet_dns_name_resolve(podsleuth_t) + -+ manage_dirs_pattern($1_tvtime_t, user_tvtime_tmp_t, user_tvtime_tmp_t) -+ manage_files_pattern($1_tvtime_t, user_tvtime_tmp_t, user_tvtime_tmp_t) -+ files_tmp_filetrans($1_tvtime_t, user_tvtime_tmp_t, { file dir }) + miscfiles_read_localization(podsleuth_t) - manage_files_pattern($1_tvtime_t, $1_tvtime_tmpfs_t, $1_tvtime_tmpfs_t) - manage_lnk_files_pattern($1_tvtime_t, $1_tvtime_tmpfs_t, $1_tvtime_tmpfs_t) -@@ -86,12 +85,12 @@ - domtrans_pattern($2, tvtime_exec_t, $1_tvtime_t) + dbus_system_bus_client_template(podsleuth, podsleuth_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.5.13/policy/modules/apps/qemu.fc +--- nsaserefpolicy/policy/modules/apps/qemu.fc 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/qemu.fc 2008-11-11 16:22:03.000000000 -0500 +@@ -1,2 +1,4 @@ + /usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) + /usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) ++ ++/var/cache/libvirt(/.*)? 
-- gen_context(system_u:object_r:qemu_cache_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.5.13/policy/modules/apps/qemu.if +--- nsaserefpolicy/policy/modules/apps/qemu.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/qemu.if 2008-11-11 16:22:03.000000000 -0500 +@@ -48,6 +48,91 @@ + allow qemu_t $3:chr_file rw_file_perms; + ') - # X access, Home files -- manage_dirs_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t) -- manage_files_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t) -- manage_lnk_files_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t) -- relabel_dirs_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t) -- relabel_files_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t) -- relabel_lnk_files_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t) -+ manage_dirs_pattern($2, user_tvtime_home_t, user_tvtime_home_t) -+ manage_files_pattern($2, user_tvtime_home_t, user_tvtime_home_t) -+ manage_lnk_files_pattern($2, user_tvtime_home_t, user_tvtime_home_t) -+ relabel_dirs_pattern($2, user_tvtime_home_t, user_tvtime_home_t) -+ relabel_files_pattern($2, user_tvtime_home_t, user_tvtime_home_t) -+ relabel_lnk_files_pattern($2, user_tvtime_home_t, user_tvtime_home_t) - - # Allow the user domain to signal/ps. 
- ps_process_pattern($2,$1_tvtime_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.te serefpolicy-3.5.13/policy/modules/apps/tvtime.te ---- nsaserefpolicy/policy/modules/apps/tvtime.te 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/tvtime.te 2008-11-11 16:22:03.000000000 -0500 -@@ -11,3 +11,9 @@ - - type tvtime_dir_t; - files_pid_file(tvtime_dir_t) -+ -+type user_tvtime_home_t alias user_tvtime_rw_t; -+userdom_user_home_content(user, user_tvtime_home_t) -+ -+type user_tvtime_tmp_t; -+files_tmp_file(user_tvtime_tmp_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.fc serefpolicy-3.5.13/policy/modules/apps/uml.fc ---- nsaserefpolicy/policy/modules/apps/uml.fc 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/uml.fc 2008-11-11 16:22:03.000000000 -0500 -@@ -1,7 +1,7 @@ - # - # HOME_DIR/ - # --HOME_DIR/\.uml(/.*)? gen_context(system_u:object_r:ROLE_uml_rw_t,s0) -+HOME_DIR/\.uml(/.*)? gen_context(system_u:object_r:user_uml_rw_t,s0) - - # - # /usr -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.5.13/policy/modules/apps/vmware.fc ---- nsaserefpolicy/policy/modules/apps/vmware.fc 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/vmware.fc 2008-11-11 16:22:03.000000000 -0500 -@@ -1,9 +1,9 @@ - # - # HOME_DIR/ - # --HOME_DIR/\.vmware(/.*)? gen_context(system_u:object_r:ROLE_vmware_file_t,s0) --HOME_DIR/\.vmware[^/]*/.*\.cfg -- gen_context(system_u:object_r:ROLE_vmware_conf_t,s0) --HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:ROLE_vmware_file_t,s0) -+HOME_DIR/\.vmware(/.*)? gen_context(system_u:object_r:vmware_home_t,s0) -+HOME_DIR/\.vmware[^/]*/.*\.cfg -- gen_context(system_u:object_r:vmware_home_t,s0) -+HOME_DIR/vmware(/.*)? 
gen_context(system_u:object_r:vmware_home_t,s0) - - # - # /etc -@@ -21,32 +21,26 @@ - /usr/bin/vmware-nmbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) - /usr/bin/vmware-ping -- gen_context(system_u:object_r:vmware_host_exec_t,s0) - /usr/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -+/usr/sbin/vmware-guest.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) - /usr/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) - /usr/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0) - /usr/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0) - /usr/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0) - /usr/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0) -+/usr/sbin/vmware-serverd -- gen_context(system_u:object_r:vmware_exec_t,s0) - - /usr/lib/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0) --/usr/lib/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0) - /usr/lib/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0) - /usr/lib/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0) -+/usr/lib/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0) - /usr/lib/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0) - --ifdef(`distro_redhat',` --/usr/lib/vmware-tools/sbin32/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) --/usr/lib/vmware-tools/sbin64/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) --') -- - /usr/lib64/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0) - /usr/lib64/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0) - /usr/lib64/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0) - /usr/lib64/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0) - /usr/lib64/vmware/bin/vmware-vmx -- 
gen_context(system_u:object_r:vmware_host_exec_t,s0) - --/usr/sbin/vmware-guest.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) --/usr/sbin/vmware-serverd -- gen_context(system_u:object_r:vmware_exec_t,s0) -- - ifdef(`distro_gentoo',` - /opt/vmware/(workstation|player)/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0) - /opt/vmware/(workstation|player)/bin/vmnet-dhcpd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -@@ -63,6 +57,7 @@ - ') - - /var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0) -- - /var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0) - /var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0) -+/usr/lib/vmware-tools/sbin32/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -+/usr/lib/vmware-tools/sbin64/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.5.13/policy/modules/apps/vmware.if ---- nsaserefpolicy/policy/modules/apps/vmware.if 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/vmware.if 2008-11-11 16:22:03.000000000 -0500 -@@ -47,11 +47,8 @@ - domain_entry_file($1_vmware_t, vmware_exec_t) - role $3 types $1_vmware_t; - -- type $1_vmware_conf_t; -- userdom_user_home_content($1, $1_vmware_conf_t) -- -- type $1_vmware_file_t; -- userdom_user_home_content($1, $1_vmware_file_t) -+ typealias vmware_home_t alias $1_vmware_file_t; -+ typealias vmware_home_t alias $1_vmware_conf_t; - - type $1_vmware_tmp_t; - files_tmp_file($1_vmware_tmp_t) -@@ -84,12 +81,9 @@ - - can_exec($1_vmware_t, vmware_exec_t) - -- # User configuration files -- allow $1_vmware_t $1_vmware_conf_t:file manage_file_perms; -- - # VMWare disks -- manage_files_pattern($1_vmware_t, $1_vmware_file_t, $1_vmware_file_t) -- manage_lnk_files_pattern($1_vmware_t, $1_vmware_file_t, $1_vmware_file_t) -+ 
manage_files_pattern($1_vmware_t, vmware_home_t, vmware_home_t) -+ manage_lnk_files_pattern($1_vmware_t, vmware_home_t, vmware_home_t) - - allow $1_vmware_t $1_vmware_tmp_t:file execute; - manage_dirs_pattern($1_vmware_t, $1_vmware_tmp_t, $1_vmware_tmp_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.5.13/policy/modules/apps/vmware.te ---- nsaserefpolicy/policy/modules/apps/vmware.te 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/vmware.te 2008-11-11 16:22:03.000000000 -0500 -@@ -10,6 +10,9 @@ - type vmware_exec_t; - corecmd_executable_file(vmware_exec_t) - -+type vmware_home_t; -+userdom_user_home_content(user, vmware_home_t) -+ - # VMWare host programs - type vmware_host_t; - type vmware_host_exec_t; -@@ -32,7 +35,7 @@ - - allow vmware_host_t self:capability { setgid setuid net_raw }; - dontaudit vmware_host_t self:capability sys_tty_config; --allow vmware_host_t self:process signal_perms; -+allow vmware_host_t self:process { execstack execmem signal_perms }; - allow vmware_host_t self:fifo_file rw_fifo_file_perms; - allow vmware_host_t self:unix_stream_socket create_stream_socket_perms; - allow vmware_host_t self:rawip_socket create_socket_perms; -@@ -48,6 +51,8 @@ - manage_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t) - logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir }) - -+files_search_home(vmware_host_t) -+ - kernel_read_kernel_sysctls(vmware_host_t) - kernel_list_proc(vmware_host_t) - kernel_read_proc_symlinks(vmware_host_t) -@@ -108,3 +113,13 @@ - optional_policy(` - udev_read_db(vmware_host_t) - ') ++####################################### ++## ++## The per role template for the qemu module. ++## ++## ++##

++## This template creates a derived domains which are used ++## for qemu web browser. ++##

++##

++## This template is invoked automatically for each user, and ++## generally does not need to be invoked directly ++## by policy writers. ++##

++##
++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## ++## ++## ++## The type of the user domain. ++## ++## ++## ++## ++## The role associated with the user domain. ++## ++## ++# ++template(`qemu_per_role_template_notrans',` ++ gen_require(` ++ type qemu_t; ++ ') + -+optional_policy(` -+ unconfined_domain(vmware_host_t) -+') ++ role $3 types qemu_t; + -+optional_policy(` -+ xserver_rw_xdm_xserver_shm(vmware_host_t) ++ xserver_common_app($1, qemu_t) +') + -+ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-3.5.13/policy/modules/apps/webalizer.te ---- nsaserefpolicy/policy/modules/apps/webalizer.te 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/webalizer.te 2008-11-12 09:04:37.000000000 -0500 -@@ -68,6 +68,8 @@ - - fs_search_auto_mountpoints(webalizer_t) - fs_getattr_xattr_fs(webalizer_t) -+fs_rw_anon_inodefs_files(webalizer_t) -+fs_list_inotifyfs(webalizer_t) - - files_read_etc_files(webalizer_t) - files_read_etc_runtime_files(webalizer_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.5.13/policy/modules/apps/wine.fc ---- nsaserefpolicy/policy/modules/apps/wine.fc 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/wine.fc 2008-11-11 16:22:03.000000000 -0500 -@@ -2,3 +2,4 @@ - - /opt/cxoffice/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) - /opt/picasa/wine/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) -+/opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.5.13/policy/modules/apps/wine.if ---- nsaserefpolicy/policy/modules/apps/wine.if 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/wine.if 2008-11-11 
16:22:03.000000000 -0500 -@@ -49,3 +49,53 @@ - role $2 types wine_t; - allow wine_t $3:chr_file rw_term_perms; - ') -+ +####################################### +## -+## The per role template for the wine module. ++## The per role template for the qemu module. +## +## +##

+## This template creates a derived domains which are used -+## for wine applications. ++## for qemu web browser. ++##

++##

++## This template is invoked automatically for each user, and ++## generally does not need to be invoked directly ++## by policy writers. +##

+##
+## @@ -5111,473 +5075,2348 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +##
+## +# -+template(`wine_per_role_template',` ++template(`qemu_per_role_template',` + gen_require(` -+ type wine_exec_t; ++ type qemu_exec_t; + ') ++ ++ qemu_per_role_template_notrans($1, $2, $3) ++ ++ domtrans_pattern($2, qemu_exec_t, qemu_t) ++ domtrans_pattern($2, qemu_config_exec_t, qemu_config_t) ++ ') + -+ type $1_wine_t; -+ domain_type($1_wine_t) -+ domain_entry_file($1_wine_t, wine_exec_t) -+ role $3 types $1_wine_t; -+ -+ domain_interactive_fd($1_wine_t) + ######################################## + ## + ## Allow the domain to read state files in /proc. +@@ -68,6 +153,64 @@ + + ######################################## + ## ++## Set the schedule on qemu. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`qemu_setsched',` ++ gen_require(` ++ type qemu_t; ++ ') ++ ++ allow $1 qemu_t:process setsched; ++') + -+ userdom_unpriv_usertype($1, $1_wine_t) ++######################################## ++## ++## Execute qemu_exec_t ++## in the specified domain but do not ++## do it automatically. This is an explicit ++## transition, requiring the caller to use setexeccon(). ++## ++## ++##

++## Execute qemu_exec_t ++## in the specified domain. This allows ++## the specified domain to qemu programs ++## on these filesystems in the specified ++## domain. ++##

++##
++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the new process. ++## ++## ++# ++interface(`qemu_spec_domtrans',` ++ gen_require(` ++ type qemu_exec_t; ++ ') ++ ++ read_lnk_files_pattern($1, qemu_exec_t, qemu_exec_t) ++ domain_transition_pattern($1, qemu_exec_t, $2) ++ ++ allow $3 $1:fd use; ++ allow $3 $1:fifo_file rw_fifo_file_perms; ++ allow $3 $1:process sigchld; ++') + -+ allow $1_wine_t self:process { execheap execmem }; ++######################################## ++## + ## Send a signal to qemu. + ## + ## +@@ -104,7 +247,71 @@ + + ######################################## + ## +-## Execute a domain transition to run qemu unconfined. ++## Execute qemu programs in the qemu domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to allow the PAM domain. ++## ++## ++## ++## ++## The type of the terminal allow the PAM domain to use. ++## ++## ++# ++interface(`qemu_runas',` ++ gen_require(` ++ type qemu_t; ++ ') + -+ domtrans_pattern($2, wine_exec_t, $1_wine_t) ++ qemu_domtrans($1) ++ allow qemu_t $3:chr_file rw_file_perms; ++') + -+ optional_policy(` -+ xserver_rw_xdm_xserver_shm($1_wine_t) ++######################################## ++## ++## Execute qemu programs in the role. ++## ++## ++## ++## The role to allow the PAM domain. ++## ++## ++# ++interface(`qemu_role',` ++ gen_require(` ++ type qemu_t; + ') ++ role $1 types qemu_t; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.5.13/policy/modules/apps/wine.te ---- nsaserefpolicy/policy/modules/apps/wine.te 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/wine.te 2008-11-11 16:22:03.000000000 -0500 -@@ -9,6 +9,7 @@ - type wine_t; - type wine_exec_t; - application_domain(wine_t, wine_exec_t) -+role system_r types wine_t; ++ ++######################################## ++## ++## Execute qemu unconfined programs in the role. 
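Review bot: `qemu_spec_domtrans` takes two parameters but its last three rules use `$3`: `allow $3 $1:fd use;`, `allow $3 $1:fifo_file rw_fifo_file_perms;` and `allow $3 $1:process sigchld;`. Since the target domain is `$2` (the third argument of `domain_transition_pattern($1, qemu_exec_t, $2)`), `$3` expands to nothing and the rules become malformed, so any caller of this interface breaks the policy build rather than getting a working transition. Change the three rules to `allow $2 $1:fd use;`, `allow $2 $1:fifo_file rw_fifo_file_perms;` and `allow $2 $1:process sigchld;`. The description pasted from a filesystem interface (`to qemu programs on these filesystems`) should be reworded along the lines of `Execute qemu_exec_t in the domain given as the second argument.`.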
++## ++## ++## ++## The role to allow the PAM domain. ++## ++## ++# ++interface(`qemu_unconfined_role',` ++ gen_require(` ++ type qemu_unconfined_t; ++ ') ++ role $1 types qemu_unconfined_t; ++') ++ ++ ++######################################## ++## ++## Execute a domain transition to run qemu. + ## + ## + ## +@@ -122,6 +329,36 @@ ######################################## - # -@@ -17,10 +18,17 @@ - - optional_policy(` - allow wine_t self:process { execstack execmem execheap }; -+ domain_mmap_low_type(wine_t) -+ domain_mmap_low(wine_t) - unconfined_domain_noaudit(wine_t) - files_execmod_all_files(wine_t) - + ## ++## Execute qemu programs in the qemu unconfined domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to allow the PAM domain. ++## ++## ++## ++## ++## The type of the terminal allow the PAM domain to use. ++## ++## ++# ++interface(`qemu_runas_unconfined',` ++ gen_require(` ++ type qemu_unconfined_t; ++ ') ++ ++ qemu_domtrans_unconfined($1) ++ allow qemu_unconfined_t $3:chr_file rw_file_perms; +') + - optional_policy(` - hal_dbus_chat(wine_t) - ') + -+optional_policy(` -+ xserver_rw_xdm_xserver_shm(wine_t) - ') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wireshark.if serefpolicy-3.5.13/policy/modules/apps/wireshark.if ---- nsaserefpolicy/policy/modules/apps/wireshark.if 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/apps/wireshark.if 2008-11-11 16:22:03.000000000 -0500 -@@ -134,7 +134,7 @@ - - sysnet_read_config($1_wireshark_t) ++######################################## ++## + ## Creates types and rules for a basic + ## qemu process domain. 
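Review bot: `qemu_runas` documents `$2` as the role to allow but never uses it; the body is `qemu_domtrans($1)` plus the terminal rule, so a caller relying on this interface for a role other than system_r still has the transition refused by RBAC until `qemu_role` is invoked separately. Either add `role $2 types qemu_t;` before the chr_file rule, mirroring what `qemu_role` does, or remove `$2` from the documented parameters so callers do not expect it to take effect. The same applies to `qemu_runas_unconfined` in the following hunk, whose `$2` is likewise unused.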
+ ## +@@ -133,85 +370,32 @@ + # + template(`qemu_domain_template',` -- userdom_manage_user_home_content_files($1, $1_wireshark_t) -+ unprivuser_manage_home_content_files($1_wireshark_t) - - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs($1_wireshark_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc ---- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc 2008-11-11 16:22:03.000000000 -0500 -@@ -129,6 +129,8 @@ - /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) - ') +- ############################## +- # +- # Local Policy +- # ++ gen_require(` ++ attribute qemutype; ++ ') -+/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) -+ - # - # /usr - # -@@ -184,10 +186,8 @@ - /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) +- type $1_t; +- domain_type($1_t) ++ type $1_t, qemutype; - /usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) --/usr/local/Brother(/.*)?/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0) --/usr/local/Brother(/.*)?/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0) --/usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0) --/usr/local/Printer/[^/]*/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0) - /usr/local/linuxprinter/filters(/.*)? 
gen_context(system_u:object_r:bin_t,s0) + type $1_tmp_t; + files_tmp_file($1_tmp_t) - /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -292,3 +292,14 @@ - ifdef(`distro_suse',` - /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) +- ############################## +- # +- # Local Policy +- # ++ type $1_tmpfs_t; ++ files_tmpfs_file($1_tmpfs_t) + +- allow $1_t self:capability { dac_read_search dac_override }; +- allow $1_t self:process { execstack execmem signal getsched }; +- allow $1_t self:fifo_file rw_file_perms; +- allow $1_t self:shm create_shm_perms; +- allow $1_t self:unix_stream_socket create_stream_socket_perms; +- allow $1_t self:tcp_socket create_stream_socket_perms; ++ type $1_image_t; ++ virt_image($1_image_t) ++ ++ manage_dirs_pattern($1_t, $1_image_t, $1_image_t) ++ manage_files_pattern($1_t, $1_image_t, $1_image_t) ++ read_lnk_files_pattern($1_t, $1_image_t, $1_image_t) ++ rw_blk_files_pattern($1_t, $1_image_t, $1_image_t) + + manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) + manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t) + files_tmp_filetrans($1_t, $1_tmp_t, { file dir }) + +- kernel_read_system_state($1_t) +- +- corenet_all_recvfrom_unlabeled($1_t) +- corenet_all_recvfrom_netlabel($1_t) +- corenet_tcp_sendrecv_all_if($1_t) +- corenet_tcp_sendrecv_all_nodes($1_t) +- corenet_tcp_sendrecv_all_ports($1_t) +- corenet_tcp_bind_all_nodes($1_t) +- corenet_tcp_bind_vnc_port($1_t) +- corenet_rw_tun_tap_dev($1_t) +- +-# dev_rw_kvm($1_t) +- +- domain_use_interactive_fds($1_t) +- +- files_read_etc_files($1_t) +- files_read_usr_files($1_t) +- files_read_var_files($1_t) +- files_search_all($1_t) +- +- fs_list_inotifyfs($1_t) +- fs_rw_anon_inodefs_files($1_t) +- fs_rw_tmpfs_files($1_t) +- +- storage_raw_write_removable_device($1_t) +- storage_raw_read_removable_device($1_t) +- +- term_use_ptmx($1_t) +- term_getattr_pty_fs($1_t) +- term_use_generic_ptys($1_t) +- +- libs_use_ld_so($1_t) +- libs_use_shared_libs($1_t) +- +- 
miscfiles_read_localization($1_t) +- +- sysnet_read_config($1_t) +- +-# optional_policy(` +-# samba_domtrans_smb($1_t) +-# ') +- +- optional_policy(` +- virt_manage_images($1_t) +- virt_read_config($1_t) +- virt_read_lib_files($1_t) +- ') +- +- optional_policy(` +- xserver_stream_connect_xdm_xserver($1_t) +- xserver_read_xdm_tmp_files($1_t) +- xserver_read_xdm_pid($1_t) +-# xserver_xdm_rw_shm($1_t) +- ') ++ manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) ++ manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) ++ manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) ++ fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) ') -+/usr/lib(64)?/nspluginwrapper/npconfig gen_context(system_u:object_r:bin_t,s0) -+/usr/lib(64)?/nspluginwrapper/npviewer gen_context(system_u:object_r:bin_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.5.13/policy/modules/apps/qemu.te +--- nsaserefpolicy/policy/modules/apps/qemu.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/qemu.te 2008-11-11 16:22:03.000000000 -0500 +@@ -6,6 +6,8 @@ + # Declarations + # + ++attribute qemutype; + -+/usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/usr/lib(64)?/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0) -+/etc/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0) + ## + ##
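Review bot: `rw_blk_files_pattern($1_t, $1_image_t, $1_image_t)` together with `manage_dirs_pattern`/`manage_files_pattern` gives every qemu-derived domain full write access to anything labeled `$1_image_t`, including raw block devices, and `virt_image($1_image_t)` is now called unconditionally whereas the removed lines kept `virt_manage_images($1_t)` inside `optional_policy`. If the virt module is optional for this policy, the image declaration should be wrapped the same way or the dependency documented. A one-line comment such as `# guest disks may be raw partitions/LVs, hence rw_blk_files` above the rule would record that block-device access is intentional (the commit message's "Allow mount to r/w image files") rather than accidental.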

+ ## Allow qemu to connect fully to the network +@@ -13,16 +15,102 @@ + ## + gen_tunable(qemu_full_network, false) + ++## ++##

++## Allow qemu to use nfs file systems ++##

++##
++gen_tunable(qemu_use_nfs, true) + -+/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) -+/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) ++## ++##

++## Allow qemu to use cifs/Samba file systems ++##

++##
++gen_tunable(qemu_use_cifs, true) + -+/usr/lib/oracle/xe/apps(/.*)? gen_context(system_u:object_r:bin_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.5.13/policy/modules/kernel/corecommands.if ---- nsaserefpolicy/policy/modules/kernel/corecommands.if 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/corecommands.if 2008-11-11 16:22:03.000000000 -0500 -@@ -894,6 +894,7 @@ - - read_lnk_files_pattern($1, bin_t, bin_t) - can_exec($1, chroot_exec_t) -+ allow $1 self:capability sys_chroot; - ') + type qemu_exec_t; + qemu_domain_template(qemu) + application_domain(qemu_t, qemu_exec_t) + role system_r types qemu_t; ++type qemu_cache_t; ++files_type(qemu_cache_t) ++ ++######################################## ++# ++# qemu common policy ++# ++allow qemutype self:capability { dac_read_search dac_override }; ++allow qemutype self:process { execstack execmem signal getsched signull }; ++ ++allow qemutype self:fifo_file rw_file_perms; ++allow qemutype self:shm create_shm_perms; ++allow qemutype self:unix_stream_socket create_stream_socket_perms; ++allow qemutype self:tcp_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(qemu_t, qemu_cache_t, qemu_cache_t) ++manage_files_pattern(qemu_t, qemu_cache_t, qemu_cache_t) ++files_var_filetrans(qemu_t, qemu_cache_t, { file dir }) ++ ++kernel_read_system_state(qemutype) ++ ++corenet_all_recvfrom_unlabeled(qemutype) ++corenet_all_recvfrom_netlabel(qemutype) ++corenet_tcp_sendrecv_all_if(qemutype) ++corenet_tcp_sendrecv_all_nodes(qemutype) ++corenet_tcp_sendrecv_all_ports(qemutype) ++corenet_tcp_bind_all_nodes(qemutype) ++corenet_tcp_bind_vnc_port(qemutype) ++corenet_rw_tun_tap_dev(qemutype) ++ ++dev_read_sound(qemutype) ++dev_write_sound(qemutype) ++dev_rw_kvm(qemutype) ++dev_rw_qemu(qemutype) ++ ++domain_use_interactive_fds(qemutype) ++ ++files_read_etc_files(qemutype) ++files_read_usr_files(qemutype) 
++files_read_var_files(qemutype) ++files_search_all(qemutype) ++ ++fs_list_inotifyfs(qemutype) ++fs_rw_anon_inodefs_files(qemutype) ++fs_rw_tmpfs_files(qemutype) ++ ++term_use_ptmx(qemutype) ++term_getattr_pty_fs(qemutype) ++term_use_generic_ptys(qemutype) ++ ++auth_use_nsswitch(qemutype) ++ ++libs_use_ld_so(qemutype) ++libs_use_shared_libs(qemutype) ++ ++miscfiles_read_localization(qemutype) ++ ++optional_policy(` ++ virt_read_config(qemutype) ++ virt_read_lib_files(qemutype) ++') ++ ++optional_policy(` ++ xserver_stream_connect_xdm_xserver(qemutype) ++ xserver_read_xdm_tmp_files(qemutype) ++ xserver_read_xdm_pid(qemutype) ++ xserver_rw_xdm_xserver_shm(qemutype) ++') ++ ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.if.in ---- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.if.in 2008-11-11 16:22:03.000000000 -0500 -@@ -1441,10 +1441,11 @@ # - interface(`corenet_tcp_bind_all_unreserved_ports',` - gen_require(` -- attribute port_type, reserved_port_type; -+ attribute port_type; -+ type hi_reserved_port_t, reserved_port_t; - ') + # qemu local policy + # -- allow $1 { port_type -reserved_port_type }:tcp_socket name_bind; -+ allow $1 { port_type -hi_reserved_port_t -reserved_port_t }:tcp_socket name_bind; ++storage_raw_write_removable_device(qemu_t) ++storage_raw_read_removable_device(qemu_t) ++ + tunable_policy(`qemu_full_network',` + allow qemu_t self:udp_socket create_socket_perms; + +@@ -35,6 +123,30 @@ + corenet_tcp_connect_all_ports(qemu_t) ') ++tunable_policy(`qemu_use_nfs',` ++ fs_manage_nfs_files(qemu_t) ++') ++ ++tunable_policy(`qemu_use_cifs',` ++ fs_manage_cifs_dirs(qemu_t) ++') ++ ++optional_policy(` ++ samba_domtrans_smb(qemu_t) ++') ++ ++optional_policy(` ++ virt_manage_images(qemu_t) ++') ++ 
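Review bot: The two new tunables `gen_tunable(qemu_use_nfs, true)` and `gen_tunable(qemu_use_cifs, true)` default to on, while `qemu_full_network` in the same file defaults to `false`; as written, a fresh install grants every qemu_t instance management of content on NFS/CIFS mounts without the administrator opting in. Defaulting both to off, `gen_tunable(qemu_use_nfs, false)` and `gen_tunable(qemu_use_cifs, false)`, matches the existing tunable and the least-privilege expectation for a guest process; if on-by-default is deliberate, the summary text should say why. Also worth a comment is that `allow qemutype self:process { execstack execmem signal getsched signull }` now applies to every domain carrying the attribute, so any future qemu-derived domain inherits executable-stack and executable-memory permission without asking for it.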
++optional_policy(` ++ xen_rw_image_files(qemu_t) ++') ++ ++optional_policy(` ++ xen_rw_image_files(qemu_t) ++') ++ ######################################## -@@ -1459,10 +1460,11 @@ # - interface(`corenet_udp_bind_all_unreserved_ports',` - gen_require(` -- attribute port_type, reserved_port_type; -+ attribute port_type; -+ type hi_reserved_port_t, reserved_port_t; - ') - -- allow $1 { port_type -reserved_port_type }:udp_socket name_bind; -+ allow $1 { port_type -hi_reserved_port_t -reserved_port_t }:udp_socket name_bind; + # qemu_unconfined local policy +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.5.13/policy/modules/apps/sambagui.fc +--- nsaserefpolicy/policy/modules/apps/sambagui.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/apps/sambagui.fc 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,4 @@ ++/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0) ++ ++ ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.5.13/policy/modules/apps/sambagui.if +--- nsaserefpolicy/policy/modules/apps/sambagui.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/apps/sambagui.if 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,2 @@ ++## system-config-samba policy ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.5.13/policy/modules/apps/sambagui.te +--- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/apps/sambagui.te 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,60 @@ ++policy_module(sambagui,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type sambagui_t; ++type sambagui_exec_t; ++ ++dbus_system_domain(sambagui_t, sambagui_exec_t) 
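Review bot: The `optional_policy(` xen_rw_image_files(qemu_t) ')` block is added twice in a row; the second copy is redundant and should be deleted. The two tunable bodies are also asymmetric: `qemu_use_nfs` grants `fs_manage_nfs_files(qemu_t)` while `qemu_use_cifs` grants `fs_manage_cifs_dirs(qemu_t)`, so on CIFS qemu can create and remove directory entries but not manage file contents, and on NFS the reverse. Presumably both tunables are meant to grant the same set, e.g. `fs_manage_nfs_dirs(qemu_t)` plus `fs_manage_nfs_files(qemu_t)` and the CIFS equivalents; if the difference is intentional, a comment on each tunable_policy block should explain it.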
++ ++######################################## ++# ++# system-config-samba local policy ++# ++ ++allow sambagui_t self:fifo_file rw_fifo_file_perms; ++ ++# handling with samba conf files ++samba_append_log(sambagui_t) ++samba_manage_config(sambagui_t) ++samba_manage_var_files(sambagui_t) ++samba_initrc_domtrans(sambagui_t) ++samba_domtrans_smb(sambagui_t) ++samba_domtrans_nmb(sambagui_t) ++ ++# execut apps of system-config-samba ++corecmd_exec_shell(sambagui_t) ++corecmd_exec_bin(sambagui_t) ++ ++files_read_etc_files(sambagui_t) ++files_search_var_lib(sambagui_t) ++files_search_usr(sambagui_t) ++ ++fs_list_inotifyfs(sambagui_t) ++ ++libs_use_ld_so(sambagui_t) ++libs_use_shared_libs(sambagui_t) ++ ++# reading shadow by pdbedit ++#auth_read_shadow(sambagui_t) ++ ++miscfiles_read_localization(sambagui_t) ++ ++# read meminfo ++kernel_read_system_state(sambagui_t) ++ ++dev_dontaudit_read_urand(sambagui_t) ++nscd_dontaudit_search_pid(sambagui_t) ++ ++optional_policy(` ++ consoletype_exec(sambagui_t) ++') ++ ++optional_policy(` ++ polkit_dbus_chat(sambagui_t) ++') ++ ++permissive sambagui_t; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.5.13/policy/modules/apps/screen.fc +--- nsaserefpolicy/policy/modules/apps/screen.fc 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/screen.fc 2008-11-11 16:22:03.000000000 -0500 +@@ -1,7 +1,7 @@ + # + # /home + # +-HOME_DIR/\.screenrc -- gen_context(system_u:object_r:ROLE_screen_ro_home_t,s0) ++HOME_DIR/\.screenrc -- gen_context(system_u:object_r:user_screen_ro_home_t,s0) + + # + # /usr +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.5.13/policy/modules/apps/screen.if +--- nsaserefpolicy/policy/modules/apps/screen.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/screen.if 2008-11-11 16:22:03.000000000 -0500 +@@ -35,6 +35,7 @@ + 
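Review bot: `permissive sambagui_t;` at the end of the file means none of the rules above it are enforced: the domain can run shells (`corecmd_exec_shell`), rewrite the Samba configuration (`samba_manage_config`) and restart the service (`samba_initrc_domtrans`) as a system D-Bus mechanism, and every denial is only logged. A permissive declaration is reasonable for bring-up but should carry a marker such as `# TODO: permissive for initial testing only; drop once AVC denials are resolved` so it is not shipped as confinement. The commented-out `#auth_read_shadow(sambagui_t)` is moot while the domain is permissive, and the `samba_*` and `nscd_dontaudit_search_pid` calls sit outside `optional_policy`, unlike `consoletype_exec` and `polkit_dbus_chat`, which makes this module hard-depend on those modules unless they are part of the base set.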
template(`screen_per_role_template',` + gen_require(` + type screen_dir_t, screen_exec_t; ++ type user_screen_ro_home_t; + ') + + ######################################## +@@ -50,8 +51,9 @@ + type $1_screen_tmp_t; + files_tmp_file($1_screen_tmp_t) + +- type $1_screen_ro_home_t; +- files_type($1_screen_ro_home_t) ++ ifelse(`$1',`user',`',` ++ typealias user_screen_ro_home_t alias $1_screen_ro_home_t; ++ ') + + type $1_screen_var_run_t; + files_pid_file($1_screen_var_run_t) +@@ -81,9 +83,9 @@ + filetrans_pattern($1_screen_t, screen_dir_t, $1_screen_var_run_t, fifo_file) + files_pid_filetrans($1_screen_t, screen_dir_t, dir) + +- allow $1_screen_t $1_screen_ro_home_t:dir list_dir_perms; +- read_files_pattern($1_screen_t, $1_screen_ro_home_t, $1_screen_ro_home_t) +- read_lnk_files_pattern($1_screen_t, $1_screen_ro_home_t, $1_screen_ro_home_t) ++ allow $1_screen_t user_screen_ro_home_t:dir list_dir_perms; ++ read_files_pattern($1_screen_t, user_screen_ro_home_t, user_screen_ro_home_t) ++ read_lnk_files_pattern($1_screen_t, user_screen_ro_home_t, user_screen_ro_home_t) + + allow $1_screen_t $2:process signal; + +@@ -91,12 +93,12 @@ + allow $2 $1_screen_t:process signal; + allow $1_screen_t $2:process signal; + +- manage_dirs_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t) +- manage_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t) +- manage_lnk_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t) +- relabel_dirs_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t) +- relabel_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t) +- relabel_lnk_files_pattern($2, $1_screen_ro_home_t, $1_screen_ro_home_t) ++ manage_dirs_pattern($2, user_screen_ro_home_t, user_screen_ro_home_t) ++ manage_files_pattern($2, user_screen_ro_home_t, user_screen_ro_home_t) ++ manage_lnk_files_pattern($2, user_screen_ro_home_t, user_screen_ro_home_t) ++ relabel_dirs_pattern($2, user_screen_ro_home_t, user_screen_ro_home_t) ++ relabel_files_pattern($2, 
user_screen_ro_home_t, user_screen_ro_home_t) ++ relabel_lnk_files_pattern($2, user_screen_ro_home_t, user_screen_ro_home_t) + + kernel_read_system_state($1_screen_t) + kernel_read_kernel_sysctls($1_screen_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.te serefpolicy-3.5.13/policy/modules/apps/screen.te +--- nsaserefpolicy/policy/modules/apps/screen.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/screen.te 2008-11-11 16:22:03.000000000 -0500 +@@ -11,3 +11,7 @@ + + type screen_exec_t; + application_executable_file(screen_exec_t) ++ ++type user_screen_ro_home_t; ++userdom_user_home_content(user, user_screen_ro_home_t) ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-3.5.13/policy/modules/apps/slocate.te +--- nsaserefpolicy/policy/modules/apps/slocate.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/slocate.te 2008-11-13 11:45:45.000000000 -0500 +@@ -22,7 +22,7 @@ + # + + allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid }; +-allow locate_t self:process { execmem execheap execstack }; ++allow locate_t self:process { execmem execheap execstack signal }; + allow locate_t self:fifo_file rw_fifo_file_perms; + allow locate_t self:unix_stream_socket create_socket_perms; + +@@ -46,6 +46,8 @@ + + fs_getattr_all_fs(locate_t) + fs_getattr_all_files(locate_t) ++fs_getattr_all_pipes(locate_t) ++fs_getattr_all_symlinks(locate_t) + fs_list_all(locate_t) + fs_list_inotifyfs(locate_t) + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.fc serefpolicy-3.5.13/policy/modules/apps/thunderbird.fc +--- nsaserefpolicy/policy/modules/apps/thunderbird.fc 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/thunderbird.fc 2008-11-11 16:22:03.000000000 -0500 +@@ -3,4 +3,4 @@ + 
# + /usr/bin/thunderbird.* -- gen_context(system_u:object_r:thunderbird_exec_t,s0) + +-HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:ROLE_thunderbird_home_t,s0) ++HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:user_thunderbird_home_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.if serefpolicy-3.5.13/policy/modules/apps/thunderbird.if +--- nsaserefpolicy/policy/modules/apps/thunderbird.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/thunderbird.if 2008-11-11 16:22:03.000000000 -0500 +@@ -43,9 +43,9 @@ + application_domain($1_thunderbird_t, thunderbird_exec_t) + role $3 types $1_thunderbird_t; + +- type $1_thunderbird_home_t alias $1_thunderbird_rw_t; +- files_poly_member($1_thunderbird_home_t) +- userdom_user_home_content($1, $1_thunderbird_home_t) ++ ifelse(`$1',`user',`',` ++ typealias user_thunderbird_home_t alias $1_thunderbird_home_t; ++ ') + + type $1_thunderbird_tmpfs_t; + files_tmpfs_file($1_thunderbird_tmpfs_t) +@@ -64,9 +64,9 @@ + allow $1_thunderbird_t self:shm { read write create destroy unix_read unix_write }; + + # Access ~/.thunderbird +- manage_dirs_pattern($1_thunderbird_t, $1_thunderbird_home_t, $1_thunderbird_home_t) +- manage_files_pattern($1_thunderbird_t, $1_thunderbird_home_t, $1_thunderbird_home_t) +- manage_lnk_files_pattern($1_thunderbird_t, $1_thunderbird_home_t, $1_thunderbird_home_t) ++ manage_dirs_pattern($1_thunderbird_t, user_thunderbird_home_t, user_thunderbird_home_t) ++ manage_files_pattern($1_thunderbird_t, user_thunderbird_home_t, user_thunderbird_home_t) ++ manage_lnk_files_pattern($1_thunderbird_t, user_thunderbird_home_t, user_thunderbird_home_t) + userdom_search_user_home_dirs($1, $1_thunderbird_t) + + manage_files_pattern($1_thunderbird_t, $1_thunderbird_tmpfs_t, $1_thunderbird_tmpfs_t) +@@ -87,13 +87,13 @@ + ps_process_pattern($2,$1_thunderbird_t) + + # Access ~/.thunderbird +- 
manage_dirs_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t) +- manage_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t) +- manage_lnk_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t) +- +- relabel_dirs_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t) +- relabel_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t) +- relabel_lnk_files_pattern($2, $1_thunderbird_home_t, $1_thunderbird_home_t) ++ manage_dirs_pattern($2, user_thunderbird_home_t, user_thunderbird_home_t) ++ manage_files_pattern($2, user_thunderbird_home_t, user_thunderbird_home_t) ++ manage_lnk_files_pattern($2, user_thunderbird_home_t, user_thunderbird_home_t) ++ ++ relabel_dirs_pattern($2, user_thunderbird_home_t, user_thunderbird_home_t) ++ relabel_files_pattern($2, user_thunderbird_home_t, user_thunderbird_home_t) ++ relabel_lnk_files_pattern($2, user_thunderbird_home_t, user_thunderbird_home_t) + + # Allow netstat + kernel_read_network_state($1_thunderbird_t) +@@ -153,10 +153,10 @@ + miscfiles_read_fonts($1_thunderbird_t) + miscfiles_read_localization($1_thunderbird_t) + +- userdom_manage_user_tmp_dirs($1, $1_thunderbird_t) ++ unprivuser_manage_tmp_dirs($1_thunderbird_t) + userdom_read_user_tmp_files($1, $1_thunderbird_t) + userdom_write_user_tmp_sockets($1, $1_thunderbird_t) +- userdom_manage_user_tmp_sockets($1, $1_thunderbird_t) ++ unprivuser_manage_tmp_sockets($1_thunderbird_t) + # .kde/....gtkrc + userdom_read_user_home_content_files($1, $1_thunderbird_t) + +@@ -294,8 +294,8 @@ + files_search_home($1_thunderbird_t) + files_tmp_filetrans($1_thunderbird_t, $1_untrusted_content_tmp_t,file) + files_tmp_filetrans($1_thunderbird_t, $1_untrusted_content_tmp_t,dir) +- userdom_manage_user_untrusted_content_files($1, $1_thunderbird_t) +- userdom_manage_user_untrusted_content_tmp_files($1, $1_thunderbird_t) ++ unprivuser_manage_untrusted_content_files($1_thunderbird_t) ++ unprivuser_manage_untrusted_content_tmp_files($1_thunderbird_t) + 
userdom_user_home_dir_filetrans($1, $1_thunderbird_t, $1_untrusted_content_tmp_t, { file dir }) + userdom_user_home_content_filetrans($1, $1_thunderbird_t, $1_untrusted_content_tmp_t, { file dir }) + ',` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/thunderbird.te serefpolicy-3.5.13/policy/modules/apps/thunderbird.te +--- nsaserefpolicy/policy/modules/apps/thunderbird.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/thunderbird.te 2008-11-11 16:22:03.000000000 -0500 +@@ -8,3 +8,7 @@ + + type thunderbird_exec_t; + application_executable_file(thunderbird_exec_t) ++ ++type user_thunderbird_home_t alias user_thunderbird_rw_t; ++userdom_user_home_content(user, user_thunderbird_home_t) ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.if serefpolicy-3.5.13/policy/modules/apps/tvtime.if +--- nsaserefpolicy/policy/modules/apps/tvtime.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/tvtime.if 2008-11-11 16:22:03.000000000 -0500 +@@ -35,6 +35,7 @@ + template(`tvtime_per_role_template',` + gen_require(` + type tvtime_exec_t; ++ type user_tvtime_home_t, user_tvtime_tmp_t; + ') + + ######################################## +@@ -46,12 +47,10 @@ + application_domain($1_tvtime_t, tvtime_exec_t) + role $3 types $1_tvtime_t; + +- type $1_tvtime_home_t alias $1_tvtime_rw_t; +- userdom_user_home_content($1, $1_tvtime_home_t) +- files_poly_member($1_tvtime_home_t) +- +- type $1_tvtime_tmp_t; +- files_tmp_file($1_tvtime_tmp_t) ++ ifelse(`$1',`user',`',` ++ typealias user_tvtime_home_t alias $1_tvtime_home_t; ++ typealias user_tvtime_tmp_t alias $1_tvtime_tmp_t; ++ ') + + type $1_tvtime_tmpfs_t; + files_tmpfs_file($1_tvtime_tmpfs_t) +@@ -67,14 +66,14 @@ + allow $1_tvtime_t self:unix_stream_socket rw_stream_socket_perms; + + # X access, Home files +- manage_dirs_pattern($1_tvtime_t, $1_tvtime_home_t, 
$1_tvtime_home_t) +- manage_files_pattern($1_tvtime_t, $1_tvtime_home_t, $1_tvtime_home_t) +- manage_lnk_files_pattern($1_tvtime_t, $1_tvtime_home_t, $1_tvtime_home_t) +- userdom_user_home_dir_filetrans($1, $1_tvtime_t, $1_tvtime_home_t, dir) +- +- manage_dirs_pattern($1_tvtime_t, $1_tvtime_tmp_t, $1_tvtime_tmp_t) +- manage_files_pattern($1_tvtime_t, $1_tvtime_tmp_t, $1_tvtime_tmp_t) +- files_tmp_filetrans($1_tvtime_t, $1_tvtime_tmp_t, { file dir }) ++ manage_dirs_pattern($1_tvtime_t, user_tvtime_home_t, user_tvtime_home_t) ++ manage_files_pattern($1_tvtime_t, user_tvtime_home_t, user_tvtime_home_t) ++ manage_lnk_files_pattern($1_tvtime_t, user_tvtime_home_t, user_tvtime_home_t) ++ userdom_user_home_dir_filetrans($1, $1_tvtime_t, user_tvtime_home_t, dir) ++ ++ manage_dirs_pattern($1_tvtime_t, user_tvtime_tmp_t, user_tvtime_tmp_t) ++ manage_files_pattern($1_tvtime_t, user_tvtime_tmp_t, user_tvtime_tmp_t) ++ files_tmp_filetrans($1_tvtime_t, user_tvtime_tmp_t, { file dir }) + + manage_files_pattern($1_tvtime_t, $1_tvtime_tmpfs_t, $1_tvtime_tmpfs_t) + manage_lnk_files_pattern($1_tvtime_t, $1_tvtime_tmpfs_t, $1_tvtime_tmpfs_t) +@@ -86,12 +85,12 @@ + domtrans_pattern($2, tvtime_exec_t, $1_tvtime_t) + + # X access, Home files +- manage_dirs_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t) +- manage_files_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t) +- manage_lnk_files_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t) +- relabel_dirs_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t) +- relabel_files_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t) +- relabel_lnk_files_pattern($2, $1_tvtime_home_t, $1_tvtime_home_t) ++ manage_dirs_pattern($2, user_tvtime_home_t, user_tvtime_home_t) ++ manage_files_pattern($2, user_tvtime_home_t, user_tvtime_home_t) ++ manage_lnk_files_pattern($2, user_tvtime_home_t, user_tvtime_home_t) ++ relabel_dirs_pattern($2, user_tvtime_home_t, user_tvtime_home_t) ++ relabel_files_pattern($2, user_tvtime_home_t, user_tvtime_home_t) ++ 
relabel_lnk_files_pattern($2, user_tvtime_home_t, user_tvtime_home_t) + + # Allow the user domain to signal/ps. + ps_process_pattern($2,$1_tvtime_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/tvtime.te serefpolicy-3.5.13/policy/modules/apps/tvtime.te +--- nsaserefpolicy/policy/modules/apps/tvtime.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/tvtime.te 2008-11-11 16:22:03.000000000 -0500 +@@ -11,3 +11,9 @@ + + type tvtime_dir_t; + files_pid_file(tvtime_dir_t) ++ ++type user_tvtime_home_t alias user_tvtime_rw_t; ++userdom_user_home_content(user, user_tvtime_home_t) ++ ++type user_tvtime_tmp_t; ++files_tmp_file(user_tvtime_tmp_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.fc serefpolicy-3.5.13/policy/modules/apps/uml.fc +--- nsaserefpolicy/policy/modules/apps/uml.fc 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/uml.fc 2008-11-11 16:22:03.000000000 -0500 +@@ -1,7 +1,7 @@ + # + # HOME_DIR/ + # +-HOME_DIR/\.uml(/.*)? gen_context(system_u:object_r:ROLE_uml_rw_t,s0) ++HOME_DIR/\.uml(/.*)? gen_context(system_u:object_r:user_uml_rw_t,s0) + + # + # /usr +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.fc serefpolicy-3.5.13/policy/modules/apps/vmware.fc +--- nsaserefpolicy/policy/modules/apps/vmware.fc 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/vmware.fc 2008-11-11 16:22:03.000000000 -0500 +@@ -1,9 +1,9 @@ + # + # HOME_DIR/ + # +-HOME_DIR/\.vmware(/.*)? gen_context(system_u:object_r:ROLE_vmware_file_t,s0) +-HOME_DIR/\.vmware[^/]*/.*\.cfg -- gen_context(system_u:object_r:ROLE_vmware_conf_t,s0) +-HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:ROLE_vmware_file_t,s0) ++HOME_DIR/\.vmware(/.*)? 
gen_context(system_u:object_r:vmware_home_t,s0) ++HOME_DIR/\.vmware[^/]*/.*\.cfg -- gen_context(system_u:object_r:vmware_home_t,s0) ++HOME_DIR/vmware(/.*)? gen_context(system_u:object_r:vmware_home_t,s0) + + # + # /etc +@@ -21,32 +21,26 @@ + /usr/bin/vmware-nmbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) + /usr/bin/vmware-ping -- gen_context(system_u:object_r:vmware_host_exec_t,s0) + /usr/bin/vmware-smbd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) ++/usr/sbin/vmware-guest.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) + /usr/bin/vmware-smbpasswd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) + /usr/bin/vmware-smbpasswd\.bin -- gen_context(system_u:object_r:vmware_host_exec_t,s0) + /usr/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0) + /usr/bin/vmware-wizard -- gen_context(system_u:object_r:vmware_exec_t,s0) + /usr/bin/vmware -- gen_context(system_u:object_r:vmware_exec_t,s0) ++/usr/sbin/vmware-serverd -- gen_context(system_u:object_r:vmware_exec_t,s0) + + /usr/lib/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0) +-/usr/lib/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0) + /usr/lib/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0) + /usr/lib/vmware/bin/vmware-ui -- gen_context(system_u:object_r:vmware_exec_t,s0) ++/usr/lib/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0) + /usr/lib/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0) + +-ifdef(`distro_redhat',` +-/usr/lib/vmware-tools/sbin32/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +-/usr/lib/vmware-tools/sbin64/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +-') +- + /usr/lib64/vmware/config -- gen_context(system_u:object_r:vmware_sys_conf_t,s0) + /usr/lib64/vmware/bin/vmware-mks -- gen_context(system_u:object_r:vmware_exec_t,s0) + /usr/lib64/vmware/bin/vmware-ui -- 
gen_context(system_u:object_r:vmware_exec_t,s0) + /usr/lib64/vmware/bin/vmplayer -- gen_context(system_u:object_r:vmware_exec_t,s0) + /usr/lib64/vmware/bin/vmware-vmx -- gen_context(system_u:object_r:vmware_host_exec_t,s0) + +-/usr/sbin/vmware-guest.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +-/usr/sbin/vmware-serverd -- gen_context(system_u:object_r:vmware_exec_t,s0) +- + ifdef(`distro_gentoo',` + /opt/vmware/(workstation|player)/bin/vmnet-bridge -- gen_context(system_u:object_r:vmware_host_exec_t,s0) + /opt/vmware/(workstation|player)/bin/vmnet-dhcpd -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +@@ -63,6 +57,7 @@ + ') + + /var/log/vmware.* -- gen_context(system_u:object_r:vmware_log_t,s0) +- + /var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0) + /var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0) ++/usr/lib/vmware-tools/sbin32/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) ++/usr/lib/vmware-tools/sbin64/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.if serefpolicy-3.5.13/policy/modules/apps/vmware.if +--- nsaserefpolicy/policy/modules/apps/vmware.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/vmware.if 2008-11-11 16:22:03.000000000 -0500 +@@ -47,11 +47,8 @@ + domain_entry_file($1_vmware_t, vmware_exec_t) + role $3 types $1_vmware_t; + +- type $1_vmware_conf_t; +- userdom_user_home_content($1, $1_vmware_conf_t) +- +- type $1_vmware_file_t; +- userdom_user_home_content($1, $1_vmware_file_t) ++ typealias vmware_home_t alias $1_vmware_file_t; ++ typealias vmware_home_t alias $1_vmware_conf_t; + + type $1_vmware_tmp_t; + files_tmp_file($1_vmware_tmp_t) +@@ -84,12 +81,9 @@ + + can_exec($1_vmware_t, vmware_exec_t) + +- # User configuration files +- allow $1_vmware_t $1_vmware_conf_t:file manage_file_perms; +- + # VMWare disks +- 
manage_files_pattern($1_vmware_t, $1_vmware_file_t, $1_vmware_file_t) +- manage_lnk_files_pattern($1_vmware_t, $1_vmware_file_t, $1_vmware_file_t) ++ manage_files_pattern($1_vmware_t, vmware_home_t, vmware_home_t) ++ manage_lnk_files_pattern($1_vmware_t, vmware_home_t, vmware_home_t) + + allow $1_vmware_t $1_vmware_tmp_t:file execute; + manage_dirs_pattern($1_vmware_t, $1_vmware_tmp_t, $1_vmware_tmp_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.5.13/policy/modules/apps/vmware.te +--- nsaserefpolicy/policy/modules/apps/vmware.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/vmware.te 2008-11-11 16:22:03.000000000 -0500 +@@ -10,6 +10,9 @@ + type vmware_exec_t; + corecmd_executable_file(vmware_exec_t) + ++type vmware_home_t; ++userdom_user_home_content(user, vmware_home_t) ++ + # VMWare host programs + type vmware_host_t; + type vmware_host_exec_t; +@@ -32,7 +35,7 @@ + + allow vmware_host_t self:capability { setgid setuid net_raw }; + dontaudit vmware_host_t self:capability sys_tty_config; +-allow vmware_host_t self:process signal_perms; ++allow vmware_host_t self:process { execstack execmem signal_perms }; + allow vmware_host_t self:fifo_file rw_fifo_file_perms; + allow vmware_host_t self:unix_stream_socket create_stream_socket_perms; + allow vmware_host_t self:rawip_socket create_socket_perms; +@@ -48,6 +51,8 @@ + manage_files_pattern(vmware_host_t, vmware_log_t, vmware_log_t) + logging_log_filetrans(vmware_host_t, vmware_log_t, { file dir }) + ++files_search_home(vmware_host_t) ++ + kernel_read_kernel_sysctls(vmware_host_t) + kernel_list_proc(vmware_host_t) + kernel_read_proc_symlinks(vmware_host_t) +@@ -108,3 +113,13 @@ + optional_policy(` + udev_read_db(vmware_host_t) + ') ++ ++optional_policy(` ++ unconfined_domain(vmware_host_t) ++') ++ ++optional_policy(` ++ xserver_rw_xdm_xserver_shm(vmware_host_t) ++') ++ ++ +diff -b -B --ignore-all-space 
--exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-3.5.13/policy/modules/apps/webalizer.te +--- nsaserefpolicy/policy/modules/apps/webalizer.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/webalizer.te 2008-11-12 09:04:37.000000000 -0500 +@@ -68,6 +68,8 @@ + + fs_search_auto_mountpoints(webalizer_t) + fs_getattr_xattr_fs(webalizer_t) ++fs_rw_anon_inodefs_files(webalizer_t) ++fs_list_inotifyfs(webalizer_t) + + files_read_etc_files(webalizer_t) + files_read_etc_runtime_files(webalizer_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.5.13/policy/modules/apps/wine.fc +--- nsaserefpolicy/policy/modules/apps/wine.fc 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/wine.fc 2008-11-11 16:22:03.000000000 -0500 +@@ -2,3 +2,4 @@ + + /opt/cxoffice/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) + /opt/picasa/wine/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0) ++/opt/google/picasa(/.*)?/bin/wine.* -- gen_context(system_u:object_r:wine_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-3.5.13/policy/modules/apps/wine.if +--- nsaserefpolicy/policy/modules/apps/wine.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/wine.if 2008-11-11 16:22:03.000000000 -0500 +@@ -49,3 +49,53 @@ + role $2 types wine_t; + allow wine_t $3:chr_file rw_term_perms; + ') ++ ++####################################### ++## ++## The per role template for the wine module. ++## ++## ++##

++## This template creates a derived domains which are used ++## for wine applications. ++##

++##
++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## ++## ++## ++## The type of the user domain. ++## ++## ++## ++## ++## The role associated with the user domain. ++## ++## ++# ++template(`wine_per_role_template',` ++ gen_require(` ++ type wine_exec_t; ++ ') ++ ++ type $1_wine_t; ++ domain_type($1_wine_t) ++ domain_entry_file($1_wine_t, wine_exec_t) ++ role $3 types $1_wine_t; ++ ++ domain_interactive_fd($1_wine_t) ++ ++ userdom_unpriv_usertype($1, $1_wine_t) ++ ++ allow $1_wine_t self:process { execheap execmem }; ++ ++ domtrans_pattern($2, wine_exec_t, $1_wine_t) ++ ++ optional_policy(` ++ xserver_rw_xdm_xserver_shm($1_wine_t) ++ ') ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.5.13/policy/modules/apps/wine.te +--- nsaserefpolicy/policy/modules/apps/wine.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/wine.te 2008-11-11 16:22:03.000000000 -0500 +@@ -9,6 +9,7 @@ + type wine_t; + type wine_exec_t; + application_domain(wine_t, wine_exec_t) ++role system_r types wine_t; + + ######################################## + # +@@ -17,10 +18,17 @@ + + optional_policy(` + allow wine_t self:process { execstack execmem execheap }; ++ domain_mmap_low_type(wine_t) ++ domain_mmap_low(wine_t) + unconfined_domain_noaudit(wine_t) + files_execmod_all_files(wine_t) + ++') ++ + optional_policy(` + hal_dbus_chat(wine_t) + ') ++ ++optional_policy(` ++ xserver_rw_xdm_xserver_shm(wine_t) + ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wireshark.if serefpolicy-3.5.13/policy/modules/apps/wireshark.if +--- nsaserefpolicy/policy/modules/apps/wireshark.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/wireshark.if 2008-11-11 16:22:03.000000000 -0500 +@@ -134,7 +134,7 @@ + + sysnet_read_config($1_wireshark_t) + +- 
userdom_manage_user_home_content_files($1, $1_wireshark_t) ++ unprivuser_manage_home_content_files($1_wireshark_t) + + tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs($1_wireshark_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.fc serefpolicy-3.5.13/policy/modules/apps/wm.fc +--- nsaserefpolicy/policy/modules/apps/wm.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/apps/wm.fc 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,3 @@ ++/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0) ++/usr/bin/openbox -- gen_context(system_u:object_r:wm_exec_t,s0) ++/usr/bin/metacity -- gen_context(system_u:object_r:wm_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if serefpolicy-3.5.13/policy/modules/apps/wm.if +--- nsaserefpolicy/policy/modules/apps/wm.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/apps/wm.if 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,178 @@ ++## Window Manager. ++ ++####################################### ++## ++## Template to create types and rules common to ++## any window manager domains. ++## ++## ++## ++## The prefix of the domain (e.g., user ++## is the prefix for user_t). ++## ++## ++## ++## ++## The prefix of the X server domain (e.g., user ++## is the prefix for user_t). 
++## ++## ++# ++template(`wm_domain_template',` ++ gen_require(` ++ type wm_exec_t; ++ type xserver_exec_t; ++ type tmpfs_t; ++ type proc_t; ++ type security_t, selinux_config_t; ++ type $1_t; ++ type $1_tmp_t; ++ type info_xproperty_t, xselection_t; ++ type $2_t, $2_xproperty_t, $2_input_xevent_t, $2_manage_xevent_t, $2_property_xevent_t; ++ type $2_focus_xevent_t, $2_client_xevent_t; ++ type $2_rootwindow_t, $2_xserver_t, $2_xserver_tmp_t; ++ type $1_xproperty_t; ++ type memory_device_t; ++ type output_xext_t; ++ type security_xext_t; ++ type $1_home_t; ++ type $1_tty_device_t; ++ type shell_exec_t; ++ type default_t; ++ type home_root_t; ++ type $1_home_dir_t; ++ type $2_home_t; ++ ++ class x_colormap all_x_colormap_perms; ++ class x_device all_x_device_perms; ++ class x_drawable all_x_drawable_perms; ++ class x_property all_x_property_perms; ++ class x_server all_x_server_perms; ++ class x_resource all_x_resource_perms; ++ class x_screen all_x_screen_perms; ++ class x_synthetic_event all_x_synthetic_event_perms; ++ class x_event all_x_event_perms; ++ class x_selection all_x_selection_perms; ++ class x_extension all_x_extension_perms; ++ attribute $1_x_domain; ++ ') ++ ++ type $1_wm_t; ++ domain_type($1_wm_t) ++ domain_entry_file($1_wm_t,wm_exec_t) ++ role $1_r types $1_wm_t; ++ ++ domtrans_pattern($1_t, wm_exec_t, $1_wm_t) ++ ++ type $1_wm_tmpfs_t; ++# xserver_use($2, $1, $1_wm_t) ++ xserver_user_x_domain_template($1, $1_wm, $1_wm_t, $1_wm_tmpfs_t) ++ ++ files_read_etc_files($1_wm_t) ++ ++ libs_use_ld_so($1_wm_t) ++ libs_use_shared_libs($1_wm_t) ++ ++ nscd_dontaudit_search_pid($1_wm_t) ++ ++ miscfiles_read_localization($1_wm_t) ++ ++ dev_read_urand($1_wm_t) ++ ++ files_list_tmp($1_wm_t) ++ ++ allow $1_wm_t proc_t:file { read getattr }; ++ ++ allow $1_wm_t info_xproperty_t:x_property { write create }; ++ ++ allow $1_wm_t self:process getsched; ++ allow $1_wm_t self:x_drawable blend; ++ ++ allow $1_wm_t tmpfs_t:file { read write }; ++ ++ allow $1_wm_t usr_t:file 
{ read getattr }; ++ allow $1_wm_t usr_t:lnk_file read; ++ ++ allow $1_wm_t $1_tmp_t:dir { write search setattr remove_name getattr add_name }; ++ allow $1_wm_t $1_tmp_t:sock_file { write create unlink }; ++ ++ allow $1_wm_t $1_t:unix_stream_socket connectto; ++ allow $1_wm_t self:fifo_file { write read }; ++ ++ ++ allow $1_wm_t $2_client_xevent_t:x_synthetic_event send; ++ allow $1_wm_t $2_focus_xevent_t:x_event receive; ++ allow $1_wm_t $2_input_xevent_t:x_event receive; ++ allow $1_wm_t $2_manage_xevent_t:x_event receive; ++ allow $1_wm_t $2_manage_xevent_t:x_synthetic_event { receive send }; ++ allow $1_wm_t $2_property_xevent_t:x_event receive; ++ allow $1_wm_t $2_xproperty_t:x_property { read write destroy }; ++ allow $1_wm_t $2_rootwindow_t:x_colormap { install uninstall use add_color remove_color read }; ++ allow $1_wm_t $2_rootwindow_t:x_drawable { read write manage setattr get_property hide show receive set_property create send add_child remove_child getattr list_property blend list_child destroy override }; ++ allow $1_wm_t $2_xproperty_t:x_property { write read }; ++ allow $1_wm_t $2_xserver_t:x_device { force_cursor setfocus use setattr grab manage getattr freeze write }; ++ allow $1_wm_t $2_xserver_t:x_resource { read write }; ++ allow $1_wm_t $2_xserver_t:x_screen setattr; ++ allow $1_wm_t xselection_t:x_selection setattr; ++ ++ allow $1_wm_t $2_t:x_drawable { get_property setattr show receive manage send read getattr list_child set_property }; ++ allow $1_wm_t $2_t:x_resource { read write }; ++ ++ ifdef(`enable_mls',` ++ mls_file_read_all_levels($1_wm_t) ++ mls_file_write_all_levels($1_wm_t) ++ ++ mls_xwin_read_all_levels($1_wm_t) ++ mls_xwin_write_all_levels($1_wm_t) ++ ++ mls_fd_use_all_levels($1_wm_t) ++ ') ++ ++ corecmd_exec_bin($1_wm_t) ++ can_exec($1_wm_t, { shell_exec_t }) ++ domtrans_pattern($1_wm_t,bin_t,$1_t) ++ ++ allow $1_t $1_wm_t:unix_stream_socket connectto; ++ allow $1_t $1_wm_t:x_drawable { receive get_property getattr list_child }; 
++ ++ allow $1_t $1_wm_t:process signal; ++ ++ optional_policy(` ++ dbus_system_bus_client_template($1_wm,$1_wm_t) ++ dbus_user_bus_client_template($1,$1_wm,$1_wm_t) ++ ') ++ ++ allow $1_wm_t $1_home_t:dir { search getattr }; ++ allow $1_wm_t $1_tty_device_t:chr_file { write read }; ++ allow $1_wm_t $1_xproperty_t:x_property { read write destroy }; ++ allow $1_wm_t default_t:dir search; ++ allow $1_wm_t home_root_t:dir search; ++ allow $1_wm_t $1_home_dir_t:dir search; ++ allow $1_wm_t $2_xserver_tmp_t:dir search; ++ allow $1_wm_t $2_xserver_tmp_t:lnk_file read; ++ allow $1_wm_t $1_home_dir_t:dir search_dir_perms; ++ manage_files_pattern($1_wm_t,$1_tmp_t,$1_tmp_t) ++ allow $1_wm_t $2_home_t:file { write read getattr }; ++ allow $1_wm_t $2_xserver_t:unix_stream_socket connectto; ++ allow $1_wm_t $2_xserver_tmp_t:sock_file write; ++ manage_lnk_files_pattern($1_wm_t, $2_xserver_tmp_t, $2_xserver_tmp_t) ++ allow $1_wm_t security_xext_t:x_extension { query use }; ++') ++ ++######################################## ++## ++## Execute the wm program in the wm domain. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`wm_exec',` ++ gen_require(` ++ type wm_exec_t; ++ ') ++ ++ can_exec($1, wm_exec_t) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.te serefpolicy-3.5.13/policy/modules/apps/wm.te +--- nsaserefpolicy/policy/modules/apps/wm.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/apps/wm.te 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,10 @@ ++policy_module(wm,0.0.4) ++ ++######################################## ++# ++# Declarations ++# ++ ++type wm_exec_t; ++ ++wm_domain_template(user,xdm) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc +--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc 2008-11-11 16:22:03.000000000 -0500 +@@ -129,6 +129,8 @@ + /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) + ') + ++/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0) ++ + # + # /usr + # +@@ -184,10 +186,8 @@ + /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) + + /usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) +-/usr/local/Brother(/.*)?/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0) +-/usr/local/Brother(/.*)?/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0) +-/usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0) +-/usr/local/Printer/[^/]*/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/local/linuxprinter/filters(/.*)? 
gen_context(system_u:object_r:bin_t,s0) + + /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0) +@@ -292,3 +292,14 @@ + ifdef(`distro_suse',` + /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) + ') ++/usr/lib(64)?/nspluginwrapper/npconfig gen_context(system_u:object_r:bin_t,s0) ++/usr/lib(64)?/nspluginwrapper/npviewer gen_context(system_u:object_r:bin_t,s0) ++ ++/usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/usr/lib(64)?/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/etc/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0) ++ ++/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) ++/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) ++ ++/usr/lib/oracle/xe/apps(/.*)? gen_context(system_u:object_r:bin_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.5.13/policy/modules/kernel/corecommands.if +--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/corecommands.if 2008-11-11 16:22:03.000000000 -0500 +@@ -894,6 +894,7 @@ + + read_lnk_files_pattern($1, bin_t, bin_t) + can_exec($1, chroot_exec_t) ++ allow $1 self:capability sys_chroot; + ') + + ######################################## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.if.in +--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.if.in 2008-11-11 16:22:03.000000000 -0500 +@@ -1441,10 +1441,11 @@ + # + interface(`corenet_tcp_bind_all_unreserved_ports',` + gen_require(` +- attribute port_type, reserved_port_type; ++ attribute port_type; ++ type 
hi_reserved_port_t, reserved_port_t; + ') + +- allow $1 { port_type -reserved_port_type }:tcp_socket name_bind; ++ allow $1 { port_type -hi_reserved_port_t -reserved_port_t }:tcp_socket name_bind; + ') + + ######################################## +@@ -1459,10 +1460,11 @@ + # + interface(`corenet_udp_bind_all_unreserved_ports',` + gen_require(` +- attribute port_type, reserved_port_type; ++ attribute port_type; ++ type hi_reserved_port_t, reserved_port_t; + ') + +- allow $1 { port_type -reserved_port_type }:udp_socket name_bind; ++ allow $1 { port_type -hi_reserved_port_t -reserved_port_t }:udp_socket name_bind; + ') + + ######################################## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in +--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in 2008-11-13 17:54:07.000000000 -0500 +@@ -79,26 +79,31 @@ + network_port(auth, tcp,113,s0) + network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0) + type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict ++network_port(certmaster, tcp,51235,s0) + network_port(clamd, tcp,3310,s0) + network_port(clockspeed, udp,4041,s0) + network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0) + network_port(comsat, udp,512,s0) + network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0) ++portcon tcp 6780-6799 gen_context(system_u:object_r:cyphesis_port_t, s0) + network_port(cvs, tcp,2401,s0, udp,2401,s0) + network_port(dcc, udp,6276,s0, udp,6277,s0) + network_port(dbskkd, tcp,1178,s0) + network_port(dhcpc, udp,68,s0) +-network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0) ++network_port(dhcpd, udp,67,s0, 
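Review bot: Replacing the attribute exclusion `-reserved_port_type` with the two named types `-hi_reserved_port_t -reserved_port_t` widens what `corenet_tcp_bind_all_unreserved_ports` allows: any port type that carries the `reserved_port_type` attribute but is neither of those two types is no longer subtracted from the bind set. `biff_port_t` is declared with exactly that attribute in the corenetwork.te.in hunk below, and whatever the network_port macro attaches to other low-numbered ports (not visible here) would be affected the same way. Keeping the attribute in the set, `allow $1 { port_type -reserved_port_type -hi_reserved_port_t }:tcp_socket name_bind;` with `attribute port_type, reserved_port_type;` and `type hi_reserved_port_t;` in gen_require, adds the new exclusion without dropping the old one. The same applies to the udp_socket variant in the next hunk; `hi_reserved_port_t` is not declared anywhere in this chunk, so I could not confirm where it comes from.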
tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp, 7911,s0) + network_port(dict, tcp,2628,s0) + network_port(distccd, tcp,3632,s0) + network_port(dns, udp,53,s0, tcp,53,s0) + network_port(fingerd, tcp,79,s0) ++network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0) + network_port(ftp_data, tcp,20,s0) + network_port(ftp, tcp,21,s0) + network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) + network_port(giftd, tcp,1213,s0) + network_port(gopher, tcp,70,s0, udp,70,s0) + network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy ++portcon tcp 10001-10010 gen_context(system_u:object_r:http_cache_port_t, s0) ++ + network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port + network_port(howl, tcp,5335,s0, udp,5353,s0) + network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) +@@ -117,6 +122,8 @@ + network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) + network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) + network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0) ++network_port(kismet, tcp,2501,s0) ++network_port(kprop, tcp,754,s0) + network_port(ktalkd, udp,517,s0, udp,518,s0) + network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) + type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon +@@ -126,6 +133,7 @@ + network_port(mmcc, tcp,5050,s0, udp,5050,s0) + network_port(monopd, tcp,1234,s0) + network_port(msnp, tcp,1863,s0, udp,1863,s0) ++network_port(munin, tcp,4949,s0, udp,4949,s0) + network_port(mysqld, tcp,1186,s0, tcp,3306,s0) + portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0) + network_port(nessus, tcp,1241,s0) +@@ -136,12 +144,20 
@@ + network_port(openvpn, tcp,1194,s0, udp,1194,s0) + network_port(pegasus_http, tcp,5988,s0) + network_port(pegasus_https, tcp,5989,s0) ++network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443, s0, tcp, 9444, s0, tcp, 9445, s0) ++network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443, s0, tcp, 10444, s0, tcp, 10445, s0) ++network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443, s0, tcp, 11444, s0, tcp, 11445, s0) ++network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443, s0, tcp, 13444, s0, tcp, 13445, s0) ++network_port(pki_ra, tcp, 12888, s0, tcp, 12889, s0) ++network_port(pki_tps, tcp, 7888, s0, tcp, 7889, s0) + network_port(postfix_policyd, tcp,10031,s0) ++network_port(pulseaudio, tcp,4713,s0) + network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0) + network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) + network_port(portmap, udp,111,s0, tcp,111,s0) + network_port(postgresql, tcp,5432,s0) + network_port(postgrey, tcp,60000,s0) ++network_port(prelude, tcp,4690,s0, udp,4690,s0) + network_port(printer, tcp,515,s0) + network_port(ptal, tcp,5703,s0) + network_port(pxe, udp,4011,s0) +@@ -159,9 +175,10 @@ + network_port(rwho, udp,513,s0) + network_port(smbd, tcp,137-139,s0, tcp,445,s0) + network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) +-network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0) ++network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp, 1161, s0) + network_port(spamd, tcp,783,s0) + network_port(ssh, tcp,22,s0) ++network_port(streaming, tcp, 1755, s0, udp, 1755, s0) + network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0) + type socks_port_t, port_type; dnl network_port(socks) # no defined portcon + type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict +@@ -170,13 +187,16 @@ + network_port(syslogd, udp,514,s0) + network_port(telnetd, tcp,23,s0) + network_port(tftp, udp,69,s0) +-network_port(tor, 
tcp,9001,s0, tcp,9030,s0, tcp,9050,s0) ++network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0) + network_port(traceroute, udp,64000,s0, udp,64001,s0, udp,64002,s0, udp,64003,s0, udp,64004,s0, udp,64005,s0, udp,64006,s0, udp,64007,s0, udp,64008,s0, udp,64009,s0, udp,64010,s0) + network_port(transproxy, tcp,8081,s0) + type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon + network_port(uucpd, tcp,540,s0) ++network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) + network_port(vnc, tcp,5900,s0) + network_port(wccp, udp,2048,s0) ++# Reserve 100 ports for vnc/virt machines ++portcon tcp 5901-5999 gen_context(system_u:object_r:vnc_port_t,s0) + network_port(whois, tcp,43,s0, udp,43,s0) + network_port(xdmcp, udp,177,s0, tcp,177,s0) + network_port(xen, tcp,8002,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.5.13/policy/modules/kernel/devices.fc +--- nsaserefpolicy/policy/modules/kernel/devices.fc 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/devices.fc 2008-11-11 16:22:03.000000000 -0500 +@@ -1,7 +1,7 @@ + + /dev -d gen_context(system_u:object_r:device_t,s0) + /dev/.* gen_context(system_u:object_r:device_t,s0) +- ++/dev/3dfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0) + /dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/admmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/adsp.* -c gen_context(system_u:object_r:sound_device_t,s0) +@@ -12,42 +12,59 @@ + /dev/apm_bios -c gen_context(system_u:object_r:apm_bios_t,s0) + /dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0) ++/dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0) + /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0) + 
/dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0) ++/dev/gfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0) ++/dev/graphics -c gen_context(system_u:object_r:xserver_misc_device_t,s0) ++/dev/gtrsc.* -c gen_context(system_u:object_r:clock_device_t,s0) ++/dev/pcfclock.* -c gen_context(system_u:object_r:clock_device_t,s0) + /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0) + /dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0) + /dev/event.* -c gen_context(system_u:object_r:event_device_t,s0) + /dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) + /dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0) + /dev/full -c gen_context(system_u:object_r:null_device_t,s0) ++/dev/[0-9].* -c gen_context(system_u:object_r:usb_device_t,s0) + /dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0) ++/dev/hfmodem -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0) + /dev/hidraw.* -c gen_context(system_u:object_r:usb_device_t,s0) + /dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0) + /dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0) + /dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0) + /dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0) ++/dev/ipmi[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0) ++/dev/ipmi/[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0) + /dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0) ++/dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0) ++/dev/jbm -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) + /dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) ++/dev/kqemu -c 
gen_context(system_u:object_r:qemu_device_t,s0) ++/dev/kvm -c gen_context(system_u:object_r:kvm_device_t,s0) + /dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) + /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) + /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) ++/dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) + /dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0) + /dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0) + /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0) ++/dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0) ++/dev/network_throughput -c gen_context(system_u:object_r:netcontrol_device_t,s0) + /dev/null -c gen_context(system_u:object_r:null_device_t,s0) + /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) + /dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh) + /dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) ++/dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0) + /dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0) + /dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0) + /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0) +@@ -69,14 +86,14 @@ + /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) + /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) + /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) +-/dev/usbmon[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0) +-/dev/usbdev.* -c 
gen_context(system_u:object_r:usb_device_t,s0) +-/dev/usb[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0) ++/dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0) ++/dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0) + /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) + ifdef(`distro_suse', ` + /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) + ') + /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) ++/dev/vboxadd.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) + /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0) + /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0) + /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0) +@@ -91,6 +108,7 @@ + + /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) + ++/dev/cpu_dma_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0) + /dev/cpu/.* -c gen_context(system_u:object_r:cpu_device_t,s0) + /dev/cpu/mtrr -c gen_context(system_u:object_r:mtrr_device_t,s0) + +@@ -98,13 +116,23 @@ + + /dev/dvb/.* -c gen_context(system_u:object_r:v4l_device_t,s0) + ++/dev/inportbm -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/input/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0) ++/dev/input/keyboard.* -c gen_context(system_u:object_r:event_device_t,s0) + /dev/input/event.* -c gen_context(system_u:object_r:event_device_t,s0) + /dev/input/mice -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/input/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/input/uinput -c gen_context(system_u:object_r:event_device_t,s0) ++/dev/pc110pad -c gen_context(system_u:object_r:mouse_device_t,s0) ++/dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0) ++/dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) ++/dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) ++/dev/lik.* -c 
gen_context(system_u:object_r:event_device_t,s0) ++/dev/bometric/sensor.* -c gen_context(system_u:object_r:event_device_t,s0) + + /dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0) ++/dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) ++/dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) + + /dev/pts(/.*)? <> + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.5.13/policy/modules/kernel/devices.if +--- nsaserefpolicy/policy/modules/kernel/devices.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/devices.if 2008-11-11 16:22:03.000000000 -0500 +@@ -65,7 +65,7 @@ + + relabelfrom_dirs_pattern($1, device_t, device_node) + relabelfrom_files_pattern($1, device_t, device_node) +- relabelfrom_lnk_files_pattern($1, device_t, device_node) ++ relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node }) + relabelfrom_fifo_files_pattern($1, device_t, device_node) + relabelfrom_sock_files_pattern($1, device_t, device_node) + relabel_blk_files_pattern($1,device_t,{ device_t device_node }) +@@ -167,6 +167,25 @@ + + ######################################## + ## ++## Manage of directories in /dev. ++## ++## ++## ++## Domain allowed to relabel. ++## ++## ++# ++interface(`dev_manage_generic_dirs',` ++ gen_require(` ++ type device_t; ++ ') ++ ++ manage_dirs_pattern($1, device_t, device_t) ++') ++ ++ ++######################################## ++## + ## Delete a directory in the device directory. 
+ ## + ## +@@ -667,6 +686,7 @@ + ') + + dontaudit $1 device_node:blk_file getattr; ++ dev_dontaudit_getattr_generic_blk_files($1) + ') + + ######################################## +@@ -704,6 +724,7 @@ + ') + + dontaudit $1 device_node:chr_file getattr; ++ dev_dontaudit_getattr_generic_chr_files($1) + ') + + ######################################## +@@ -1160,6 +1181,25 @@ + + ######################################## + ## ++## Set the attributes of the CPU ++## microcode and id interfaces. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_setattr_cpu_dev',` ++ gen_require(` ++ type device_t, cpu_device_t; ++ ') ++ ++ setattr_chr_files_pattern($1, device_t, cpu_device_t) ++') ++ ++######################################## ++## + ## Read the CPU identity. + ## + ## +@@ -1958,6 +1998,42 @@ + + ######################################## + ## ++## Get the attributes of the null device nodes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_getattr_null_dev',` ++ gen_require(` ++ type device_t, null_device_t; ++ ') ++ ++ getattr_chr_files_pattern($1, device_t, null_device_t) ++') ++ ++######################################## ++## ++## Set the attributes of the null device nodes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_setattr_null_dev',` ++ gen_require(` ++ type device_t, null_device_t; ++ ') ++ ++ setattr_chr_files_pattern($1, device_t, null_device_t) ++') ++ ++######################################## ++## + ## Read and write to the null device (/dev/null). + ## + ## +@@ -2769,6 +2845,24 @@ + + ######################################## + ## ++## Read generic the USB devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_generic_usb_dev',` ++ gen_require(` ++ type usb_device_t; ++ ') ++ ++ read_chr_files_pattern($1, device_t, usb_device_t) ++') ++ ++######################################## ++## + ## Read and write generic the USB devices. 
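Review bot: The `dev_manage_generic_dirs` summary `Manage of directories in /dev.` and its parameter text `Domain allowed to relabel.` do not describe the rule, which is `manage_dirs_pattern($1, device_t, device_t)`. Suggest `## Create, read, write, and delete directories in /dev.` for the summary and `## Domain allowed access.` for the parameter, matching the wording the other interfaces in this file use.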
+ ## + ## +@@ -2787,6 +2881,97 @@ + + ######################################## + ## ++## Read and write generic the USB fifo files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_generic_usb_pipes',` ++ gen_require(` ++ type usb_device_t; ++ ') ++ ++ allow $1 device_t:dir search_dir_perms; ++ allow $1 usb_device_t:fifo_file rw_fifo_file_perms; ++') ++ ++######################################## ++## ++## Get the attributes of the kvm devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_getattr_kvm_dev',` ++ gen_require(` ++ type device_t, kvm_device_t; ++ ') ++ ++ getattr_chr_files_pattern($1, device_t, kvm_device_t) ++') ++ ++######################################## ++## ++## Set the attributes of the kvm devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_setattr_kvm_dev',` ++ gen_require(` ++ type device_t, kvm_device_t; ++ ') ++ ++ setattr_chr_files_pattern($1, device_t, kvm_device_t) ++') ++ ++######################################## ++## ++## Read the kvm devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_kvm',` ++ gen_require(` ++ type device_t, kvm_device_t; ++ ') ++ ++ read_chr_files_pattern($1, device_t, kvm_device_t) ++') ++ ++######################################## ++## ++## Read and write to kvm devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_kvm',` ++ gen_require(` ++ type device_t, kvm_device_t; ++ ') ++ ++ rw_chr_files_pattern($1, device_t, kvm_device_t) ++') ++ ++######################################## ++## + ## Mount a usbfs filesystem. + ## + ## +@@ -3322,3 +3507,223 @@ + + typeattribute $1 devices_unconfined_type; ') ++ ++######################################## ++## ++## Get the attributes of the autofs device node. ++## ++## ++## ++## Domain allowed access. 
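Review bot: `dev_read_generic_usb_dev` references `device_t` in `read_chr_files_pattern($1, device_t, usb_device_t)` but its `gen_require` lists only `type usb_device_t;`, so the interface does not declare everything it uses. `dev_rw_generic_usb_pipes` in the next hunk has the same gap: `allow $1 device_t:dir search_dir_perms;` with only `usb_device_t` required. Both should read `type device_t, usb_device_t;`, as the neighbouring kvm interfaces in that hunk already do for their own types.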
++## ++## ++# ++interface(`dev_getattr_autofs_dev',` ++ gen_require(` ++ type device_t, autofs_device_t; ++ ') ++ ++ getattr_chr_files_pattern($1, device_t, autofs_device_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to get the attributes of ++## the autofs device node. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_getattr_autofs_dev',` ++ gen_require(` ++ type autofs_device_t; ++ ') ++ ++ dontaudit $1 autofs_device_t:chr_file getattr; ++') ++ ++######################################## ++## ++## Set the attributes of the autofs device node. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_setattr_autofs_dev',` ++ gen_require(` ++ type device_t, autofs_device_t; ++ ') ++ ++ setattr_chr_files_pattern($1, device_t, autofs_device_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to set the attributes of ++## the autofs device node. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_dontaudit_setattr_autofs_dev',` ++ gen_require(` ++ type autofs_device_t; ++ ') ++ ++ dontaudit $1 autofs_device_t:chr_file setattr; ++') ++ ++######################################## ++## ++## Read and write the autofs device. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_autofs',` ++ gen_require(` ++ type device_t, autofs_device_t; ++ ') ++ ++ rw_chr_files_pattern($1, device_t, autofs_device_t) ++') ++ ++######################################## ++## ++## Get the attributes of the network control device ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_getattr_netcontrol',` ++ gen_require(` ++ type device_t, netcontrol_device_t; ++ ') ++ ++ getattr_chr_files_pattern($1, device_t, netcontrol_device_t) ++') ++ ++######################################## ++## ++## Read the network control identity. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`dev_read_netcontrol',` ++ gen_require(` ++ type device_t, netcontrol_device_t; ++ ') ++ ++ read_chr_files_pattern($1, device_t, netcontrol_device_t) ++') ++ ++######################################## ++## ++## Read and write the the network control device. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_netcontrol',` ++ gen_require(` ++ type device_t, netcontrol_device_t; ++ ') ++ ++ rw_chr_files_pattern($1, device_t, netcontrol_device_t) ++') ++ ++######################################## ++## ++## Get the attributes of the QEMU ++## microcode and id interfaces. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_getattr_qemu',` ++ gen_require(` ++ type device_t, qemu_device_t; ++ ') ++ ++ getattr_chr_files_pattern($1, device_t, qemu_device_t) ++') ++ ++######################################## ++## ++## Set the attributes of the QEMU ++## microcode and id interfaces. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_setattr_qemu',` ++ gen_require(` ++ type device_t, qemu_device_t; ++ ') ++ ++ setattr_chr_files_pattern($1, device_t, qemu_device_t) ++') ++ ++######################################## ++## ++## Read the QEMU device ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_qemu',` ++ gen_require(` ++ type device_t, qemu_device_t; ++ ') ++ ++ read_chr_files_pattern($1, device_t, qemu_device_t) ++') ++ ++######################################## ++## ++## Read and write the the QEMU device. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`dev_rw_qemu',` ++ gen_require(` ++ type device_t, qemu_device_t; ++ ') ++ ++ rw_chr_files_pattern($1, device_t, qemu_device_t) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.5.13/policy/modules/kernel/devices.te +--- nsaserefpolicy/policy/modules/kernel/devices.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/devices.te 2008-11-11 16:22:03.000000000 -0500 +@@ -32,6 +32,12 @@ + type apm_bios_t; + dev_node(apm_bios_t) - ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in ---- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in 2008-11-12 08:31:10.000000000 -0500 -@@ -79,26 +79,31 @@ - network_port(auth, tcp,113,s0) - network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0) - type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict -+network_port(certmaster, tcp,51235,s0) - network_port(clamd, tcp,3310,s0) - network_port(clockspeed, udp,4041,s0) - network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0) - network_port(comsat, udp,512,s0) - network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0) -+portcon tcp 6780-6799 gen_context(system_u:object_r:cyphesis_port_t, s0) - network_port(cvs, tcp,2401,s0, udp,2401,s0) - network_port(dcc, udp,6276,s0, udp,6277,s0) - network_port(dbskkd, tcp,1178,s0) - network_port(dhcpc, udp,68,s0) --network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0) -+network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp 7911,s0) - 
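Review bot: Several summaries in the new interfaces look copied from the cpu interfaces and describe the wrong device: `dev_getattr_qemu` and `dev_setattr_qemu` say `QEMU microcode and id interfaces`, `dev_read_netcontrol` says `Read the network control identity`, and `dev_rw_netcontrol` and `dev_rw_qemu` contain `the the`. Suggest `## Get the attributes of the QEMU control devices.`, `## Set the attributes of the QEMU control devices.`, `## Read the network control devices.`, and dropping the duplicated word. The rules themselves are consistent with the autofs interfaces earlier in the hunk.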
network_port(dict, tcp,2628,s0) - network_port(distccd, tcp,3632,s0) - network_port(dns, udp,53,s0, tcp,53,s0) - network_port(fingerd, tcp,79,s0) -+network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0) - network_port(ftp_data, tcp,20,s0) - network_port(ftp, tcp,21,s0) - network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) - network_port(giftd, tcp,1213,s0) - network_port(gopher, tcp,70,s0, udp,70,s0) - network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy -+portcon tcp 10001-10010 gen_context(system_u:object_r:http_cache_port_t, s0) ++# ++# Type for /dev/autofs ++# ++type autofs_device_t; ++dev_node(autofs_device_t) ++ + type cardmgr_dev_t; + dev_node(cardmgr_dev_t) + files_tmp_file(cardmgr_dev_t) +@@ -49,6 +55,12 @@ + type cpu_device_t; + dev_node(cpu_device_t) + ++# ++# network control devices ++# ++type netcontrol_device_t; ++dev_node(netcontrol_device_t) ++ + # for the IBM zSeries z90crypt hardware ssl accelorator + type crypt_device_t; + dev_node(crypt_device_t) +@@ -66,12 +78,25 @@ + dev_node(framebuf_device_t) + + # ++# Type for /dev/ipmi/0 ++# ++type ipmi_device_t; ++dev_node(ipmi_device_t) ++ ++# + # Type for /dev/kmsg + # + type kmsg_device_t; + dev_node(kmsg_device_t) + + # ++# kvm_device_t is the type of ++# /dev/kvm ++# ++type kvm_device_t; ++dev_node(kvm_device_t) ++ ++# + # Type for /dev/mapper/control + # + type lvm_control_t; +@@ -118,6 +143,12 @@ + dev_node(nvram_device_t) + + # ++# qemu control devices ++# ++type qemu_device_t; ++dev_node(qemu_device_t) + - network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port - network_port(howl, tcp,5335,s0, udp,5353,s0) - network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, 
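Review bot: The comment `# network control devices` above `type netcontrol_device_t;` is narrower than the type's use: the devices.fc hunk assigns it to `/dev/cpu_dma_latency` as well as to `/dev/network_latency` and `/dev/network_throughput`, so it covers the kernel's latency/throughput control nodes generally. Suggest `# Type for the latency/throughput control nodes: /dev/cpu_dma_latency, /dev/network_latency, /dev/network_throughput` so the next reader does not assume it is network-only.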
tcp,9291,s0, tcp,9292,s0) -@@ -117,6 +122,8 @@ - network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) - network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) - network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0) -+network_port(kismet, tcp,2501,s0) -+network_port(kprop, tcp,754,s0) - network_port(ktalkd, udp,517,s0, udp,518,s0) - network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) - type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon -@@ -126,6 +133,7 @@ - network_port(mmcc, tcp,5050,s0, udp,5050,s0) - network_port(monopd, tcp,1234,s0) - network_port(msnp, tcp,1863,s0, udp,1863,s0) -+network_port(munin, tcp,4949,s0, udp,4949,s0) - network_port(mysqld, tcp,1186,s0, tcp,3306,s0) - portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0) - network_port(nessus, tcp,1241,s0) -@@ -137,11 +145,13 @@ - network_port(pegasus_http, tcp,5988,s0) - network_port(pegasus_https, tcp,5989,s0) - network_port(postfix_policyd, tcp,10031,s0) -+network_port(pulseaudio, tcp,4713,s0) - network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0) - network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) - network_port(portmap, udp,111,s0, tcp,111,s0) - network_port(postgresql, tcp,5432,s0) - network_port(postgrey, tcp,60000,s0) -+network_port(prelude, tcp,4690,s0, udp,4690,s0) - network_port(printer, tcp,515,s0) - network_port(ptal, tcp,5703,s0) - network_port(pxe, udp,4011,s0) -@@ -159,9 +169,10 @@ - network_port(rwho, udp,513,s0) - network_port(smbd, tcp,137-139,s0, tcp,445,s0) - network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) --network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0) -+network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp, 1161, s0) - network_port(spamd, tcp,783,s0) - network_port(ssh, tcp,22,s0) -+network_port(streaming, tcp, 1755, s0, udp, 1755, s0) - network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 
16001, s0) - type socks_port_t, port_type; dnl network_port(socks) # no defined portcon - type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict -@@ -170,13 +181,16 @@ - network_port(syslogd, udp,514,s0) - network_port(telnetd, tcp,23,s0) - network_port(tftp, udp,69,s0) --network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0) -+network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s0) - network_port(traceroute, udp,64000,s0, udp,64001,s0, udp,64002,s0, udp,64003,s0, udp,64004,s0, udp,64005,s0, udp,64006,s0, udp,64007,s0, udp,64008,s0, udp,64009,s0, udp,64010,s0) - network_port(transproxy, tcp,8081,s0) - type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon - network_port(uucpd, tcp,540,s0) -+network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) - network_port(vnc, tcp,5900,s0) - network_port(wccp, udp,2048,s0) -+# Reserve 100 ports for vnc/virt machines -+portcon tcp 5901-5999 gen_context(system_u:object_r:vnc_port_t,s0) - network_port(whois, tcp,43,s0, udp,43,s0) - network_port(xdmcp, udp,177,s0, tcp,177,s0) - network_port(xen, tcp,8002,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.5.13/policy/modules/kernel/devices.fc ---- nsaserefpolicy/policy/modules/kernel/devices.fc 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/devices.fc 2008-11-11 16:22:03.000000000 -0500 -@@ -1,7 +1,7 @@ ++# + # Type for /dev/pmu + # + type power_device_t; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.5.13/policy/modules/kernel/domain.if +--- nsaserefpolicy/policy/modules/kernel/domain.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/domain.if 2008-11-11 16:22:03.000000000 -0500 +@@ -1247,18 +1247,34 @@ + ##
+ ## + # +-interface(`domain_mmap_low',` ++interface(`domain_mmap_low_type',` + gen_require(` + attribute mmap_low_domain_type; + ') - /dev -d gen_context(system_u:object_r:device_t,s0) - /dev/.* gen_context(system_u:object_r:device_t,s0) +- allow $1 self:memprotect mmap_zero; - -+/dev/3dfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0) - /dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/admmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/adsp.* -c gen_context(system_u:object_r:sound_device_t,s0) -@@ -12,42 +12,59 @@ - /dev/apm_bios -c gen_context(system_u:object_r:apm_bios_t,s0) - /dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0) -+/dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0) - /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0) -+/dev/gfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -+/dev/graphics -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -+/dev/gtrsc.* -c gen_context(system_u:object_r:clock_device_t,s0) -+/dev/pcfclock.* -c gen_context(system_u:object_r:clock_device_t,s0) - /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0) - /dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0) - /dev/event.* -c gen_context(system_u:object_r:event_device_t,s0) - /dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) - /dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0) - /dev/full -c gen_context(system_u:object_r:null_device_t,s0) -+/dev/[0-9].* -c gen_context(system_u:object_r:usb_device_t,s0) - /dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0) -+/dev/hfmodem -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/hiddev.* -c 
gen_context(system_u:object_r:usb_device_t,s0) - /dev/hidraw.* -c gen_context(system_u:object_r:usb_device_t,s0) - /dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0) - /dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0) - /dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0) - /dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0) -+/dev/ipmi[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0) -+/dev/ipmi/[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0) - /dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0) -+/dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0) -+/dev/jbm -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) - /dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) -+/dev/kqemu -c gen_context(system_u:object_r:qemu_device_t,s0) -+/dev/kvm -c gen_context(system_u:object_r:kvm_device_t,s0) - /dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) - /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) - /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) -+/dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) - /dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0) - /dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0) - /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0) -+/dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0) 
-+/dev/network_throughput -c gen_context(system_u:object_r:netcontrol_device_t,s0) - /dev/null -c gen_context(system_u:object_r:null_device_t,s0) - /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) - /dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh) - /dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) -+/dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0) - /dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0) - /dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0) - /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0) -@@ -69,14 +86,14 @@ - /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) - /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) - /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) --/dev/usbmon[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0) --/dev/usbdev.* -c gen_context(system_u:object_r:usb_device_t,s0) --/dev/usb[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0) -+/dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0) -+/dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0) - /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) - ifdef(`distro_suse', ` - /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) + typeattribute $1 mmap_low_domain_type; ') - /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) -+/dev/vboxadd.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) - /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0) - /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0) - /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0) -@@ -91,6 +108,7 @@ - - /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) -+/dev/cpu_dma_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0) - /dev/cpu/.* -c gen_context(system_u:object_r:cpu_device_t,s0) - /dev/cpu/mtrr 
-c gen_context(system_u:object_r:mtrr_device_t,s0) + ######################################## + ## ++## Ability to mmap a low area of the address space, ++## as configured by /proc/sys/kernel/mmap_min_addr. ++## Preventing such mappings helps protect against ++## exploiting null deref bugs in the kernel. ++## ++## ++## ++## Domain allowed to mmap low memory. ++## ++## ++# ++interface(`domain_mmap_low',` ++ ++ allow $1 self:memprotect mmap_zero; ++') ++ ++######################################## ++## + ## Allow specified type to receive labeled + ## networking packets from all domains, over + ## all protocols (TCP, UDP, etc) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.5.13/policy/modules/kernel/domain.te +--- nsaserefpolicy/policy/modules/kernel/domain.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/domain.te 2008-11-11 16:22:03.000000000 -0500 +@@ -5,6 +5,13 @@ + # + # Declarations + # ++## ++##

++## Allow all domains to use other domains file descriptors ++##

++##
++# ++gen_tunable(allow_domain_fd_use, true) -@@ -98,13 +116,23 @@ + # Mark process types as domains + attribute domain; +@@ -80,11 +87,14 @@ + allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; + allow domain self:file rw_file_perms; + kernel_read_proc_symlinks(domain) ++kernel_read_crypto_sysctls(domain) ++ + # Every domain gets the key ring, so we should default + # to no one allowed to look at it; afs kernel support creates + # a keyring + kernel_dontaudit_search_key(domain) + kernel_dontaudit_link_key(domain) ++userdom_dontaudit_search_all_users_keys(domain) - /dev/dvb/.* -c gen_context(system_u:object_r:v4l_device_t,s0) + # create child processes in the domain + allow domain self:process { fork sigchld }; +@@ -113,6 +123,7 @@ + optional_policy(` + xserver_dontaudit_use_xdm_fds(domain) + xserver_dontaudit_rw_xdm_pipes(domain) ++ xserver_dontaudit_rw_xdm_home_files(domain) + ') -+/dev/inportbm -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/input/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0) -+/dev/input/keyboard.* -c gen_context(system_u:object_r:event_device_t,s0) - /dev/input/event.* -c gen_context(system_u:object_r:event_device_t,s0) - /dev/input/mice -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/input/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) - /dev/input/uinput -c gen_context(system_u:object_r:event_device_t,s0) -+/dev/pc110pad -c gen_context(system_u:object_r:mouse_device_t,s0) -+/dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0) -+/dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) -+/dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) -+/dev/lik.* -c gen_context(system_u:object_r:event_device_t,s0) -+/dev/bometric/sensor.* -c gen_context(system_u:object_r:event_device_t,s0) + ######################################## +@@ -131,6 +142,9 @@ + allow unconfined_domain_type domain:fd use; + allow unconfined_domain_type 
domain:fifo_file rw_file_perms; - /dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0) -+/dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -+/dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) ++allow unconfined_domain_type domain:dbus send_msg; ++allow domain unconfined_domain_type:dbus send_msg; ++ + # Act upon any other process. + allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; - /dev/pts(/.*)? <> +@@ -140,7 +154,7 @@ -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.5.13/policy/modules/kernel/devices.if ---- nsaserefpolicy/policy/modules/kernel/devices.if 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/devices.if 2008-11-11 16:22:03.000000000 -0500 -@@ -65,7 +65,7 @@ + # For /proc/pid + allow unconfined_domain_type domain:dir list_dir_perms; +-allow unconfined_domain_type domain:file read_file_perms; ++allow unconfined_domain_type domain:file rw_file_perms; + allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; - relabelfrom_dirs_pattern($1, device_t, device_node) - relabelfrom_files_pattern($1, device_t, device_node) -- relabelfrom_lnk_files_pattern($1, device_t, device_node) -+ relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node }) - relabelfrom_fifo_files_pattern($1, device_t, device_node) - relabelfrom_sock_files_pattern($1, device_t, device_node) - relabel_blk_files_pattern($1,device_t,{ device_t device_node }) -@@ -167,6 +167,25 @@ + # act on all domains keys +@@ -148,3 +162,39 @@ - ######################################## - ## -+## Manage of directories in /dev. -+## -+## -+## -+## Domain allowed to relabel. 
-+## -+## -+# -+interface(`dev_manage_generic_dirs',` -+ gen_require(` -+ type device_t; -+ ') + # receive from all domains over labeled networking + domain_all_recvfrom_all_domains(unconfined_domain_type) + -+ manage_dirs_pattern($1, device_t, device_t) ++tunable_policy(`allow_domain_fd_use',` ++ # Allow all domains to use fds past to them ++ allow domain domain:fd use; +') + ++optional_policy(` ++ cron_dontaudit_write_system_job_tmp_files(domain) ++ cron_rw_pipes(domain) ++ifdef(`hide_broken_symptoms',` ++ cron_dontaudit_rw_tcp_sockets(domain) ++ allow domain domain:key search; ++') ++') + -+######################################## -+## - ## Delete a directory in the device directory. - ## - ## -@@ -667,6 +686,7 @@ - ') - - dontaudit $1 device_node:blk_file getattr; -+ dev_dontaudit_getattr_generic_blk_files($1) - ') - - ######################################## -@@ -704,6 +724,7 @@ - ') ++ifdef(`hide_broken_symptoms',` ++ dbus_dontaudit_system_bus_rw_tcp_sockets(domain) ++') ++ ++optional_policy(` ++ rpm_rw_pipes(domain) ++ rpm_dontaudit_use_script_fds(domain) ++ rpm_dontaudit_write_pid_files(domain) ++') ++ ++optional_policy(` ++ rhgb_dontaudit_use_ptys(domain) ++') ++ ++optional_policy(` ++ unconfined_dontaudit_rw_pipes(domain) ++ unconfined_sigchld(domain) ++') ++ ++# broken kernel ++dontaudit can_change_object_identity can_change_object_identity:key link; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.5.13/policy/modules/kernel/files.fc +--- nsaserefpolicy/policy/modules/kernel/files.fc 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/files.fc 2008-11-11 16:22:03.000000000 -0500 +@@ -32,6 +32,7 @@ + /boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) + /boot/lost\+found/.* <> + /boot/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0) ++/boot/efi(/.*)?/System\.map(-.*)? 
-- gen_context(system_u:object_r:system_map_t,s0) - dontaudit $1 device_node:chr_file getattr; -+ dev_dontaudit_getattr_generic_chr_files($1) + # + # /emul +@@ -49,6 +50,7 @@ + /etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0) + /etc/HOSTNAME -- gen_context(system_u:object_r:etc_runtime_t,s0) + /etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) ++/etc/hosts.deny -- gen_context(system_u:object_r:etc_runtime_t,s0) + /etc/issue -- gen_context(system_u:object_r:etc_runtime_t,s0) + /etc/issue\.net -- gen_context(system_u:object_r:etc_runtime_t,s0) + /etc/localtime -l gen_context(system_u:object_r:etc_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.5.13/policy/modules/kernel/files.if +--- nsaserefpolicy/policy/modules/kernel/files.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/files.if 2008-11-11 16:22:03.000000000 -0500 +@@ -110,6 +110,11 @@ + ## + # + interface(`files_config_file',` ++ gen_require(` ++ attribute etcfile; ++ ') ++ ++ typeattribute $1 etcfile; + files_type($1) ') - ######################################## -@@ -1160,6 +1181,25 @@ +@@ -928,8 +933,8 @@ + relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) + relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) + relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) +- relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 }) +- relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 }) ++ relabel_blk_files_pattern($1, { file_type $2 }, { file_type $2 }) ++ relabel_chr_files_pattern($1, { file_type $2 }, { file_type $2 }) - ######################################## - ## -+## Set the attributes of the CPU -+## microcode and id interfaces. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`dev_setattr_cpu_dev',` + # satisfy the assertions: + seutil_relabelto_bin_policy($1) +@@ -953,6 +958,32 @@ + ## + ## + # ++interface(`files_rw_all_files',` + gen_require(` -+ type device_t, cpu_device_t; ++ attribute file_type; + ') + -+ setattr_chr_files_pattern($1, device_t, cpu_device_t) ++ rw_files_pattern($1, { file_type $2 }, { file_type $2 }) +') + +######################################## +## - ## Read the CPU identity. - ## - ## -@@ -1958,6 +1998,42 @@ - - ######################################## - ## -+## Get the attributes of the null device nodes. ++## Manage all files on the filesystem, except ++## the listed exceptions. +## +## +## -+## Domain allowed access. ++## The type of the domain perfoming this action. ++## ++## ++## ++## ++## The types to be excluded. Each type or attribute ++## must be negated by the caller. +## +## ++## +# -+interface(`dev_getattr_null_dev',` + interface(`files_manage_all_files',` + gen_require(` + attribute file_type; +@@ -1060,6 +1091,24 @@ + ##
+ ## + # ++interface(`files_relabel_all_file_type_fs',` + gen_require(` -+ type device_t, null_device_t; ++ attribute file_type; + ') + -+ getattr_chr_files_pattern($1, device_t, null_device_t) ++ allow $1 file_type:filesystem { relabelfrom relabelto }; +') + +######################################## +## -+## Set the attributes of the null device nodes. ++## Relabel a filesystem to the type of a file. +## +## +## @@ -5585,24 +7424,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`dev_setattr_null_dev',` -+ gen_require(` -+ type device_t, null_device_t; -+ ') -+ -+ setattr_chr_files_pattern($1, device_t, null_device_t) -+') -+ -+######################################## -+## - ## Read and write to the null device (/dev/null). - ## - ## -@@ -2769,6 +2845,24 @@ + interface(`files_relabelto_all_file_type_fs',` + gen_require(` + attribute file_type; +@@ -1303,6 +1352,24 @@ ######################################## ## -+## Read generic the USB devices. ++## Remove entries from the tmp directory. +## +## +## 
@@ -5610,43 +7439,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`dev_read_generic_usb_dev',` ++interface(`files_delete_tmp_dir_entry',` + gen_require(` -+ type usb_device_t; ++ type root_t; + ') + -+ read_chr_files_pattern($1, device_t, usb_device_t) ++ allow $1 tmp_t:dir del_entry_dir_perms; +') + +######################################## +## - ## Read and write generic the USB devices. + ## Unmount a rootfs filesystem. ## ## -@@ -2787,6 +2881,97 @@ +@@ -1889,6 +1956,26 @@ ######################################## ## -+## Read and write generic the USB fifo files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_rw_generic_usb_pipes',` -+ gen_require(` -+ type usb_device_t; -+ ') -+ -+ allow $1 device_t:dir search_dir_perms; -+ allow $1 usb_device_t:fifo_file rw_fifo_file_perms; -+') -+ -+######################################## -+## -+## Get the attributes of the kvm devices. ++## Read config files in /etc. +## +## +## @@ -5654,17 +7464,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`dev_getattr_kvm_dev',` ++interface(`files_read_config_files',` + gen_require(` -+ type device_t, kvm_device_t; ++ attribute etcfile; + ') + -+ getattr_chr_files_pattern($1, device_t, kvm_device_t) ++ allow $1 etcfile:dir list_dir_perms; ++ read_files_pattern($1, etcfile, etcfile) ++ read_lnk_files_pattern($1, etcfile, etcfile) +') + +######################################## +## -+## Set the attributes of the kvm devices. + ## Do not audit attempts to write generic files in /etc. + ## + ## +@@ -2224,6 +2311,49 @@ + + ######################################## + ## ++## Delete directories on new filesystems ++## that have not yet been labeled. +## +## +## 
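Review bot: `files_delete_tmp_dir_entry` requires the wrong type: its `gen_require` block declares `type root_t;`, which the body never references, while its only rule, `allow $1 tmp_t:dir del_entry_dir_perms;`, uses `tmp_t`, which is not required at all. Change the require line to `type tmp_t;` so modules that call this interface pull in the type they actually depend on and the stray root_t requirement goes away.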
@@ -5672,17 +7492,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`dev_setattr_kvm_dev',` ++interface(`files_delete_isid_type_dirs',` + gen_require(` -+ type device_t, kvm_device_t; ++ type file_t; + ') + -+ setattr_chr_files_pattern($1, device_t, kvm_device_t) ++ delete_dirs_pattern($1, file_t, file_t) +') + +######################################## +## -+## Read the kvm devices. ++## Delete files on new filesystems ++## that have not yet been labeled. +## +## +## 
@@ -5690,45 +7511,63 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`dev_read_kvm',` ++interface(`files_delete_isid_type_files',` + gen_require(` -+ type device_t, kvm_device_t; ++ type file_t; + ') + -+ read_chr_files_pattern($1, device_t, kvm_device_t) ++ delete_files_pattern($1, file_t, file_t) ++ delete_lnk_files_pattern($1, file_t, file_t) ++ delete_fifo_files_pattern($1, file_t, file_t) ++ delete_sock_files_pattern($1, file_t, file_t) ++ delete_blk_files_pattern($1, file_t, file_t) ++ delete_chr_files_pattern($1, file_t, file_t) +') + +######################################## +## -+## Read and write to kvm devices. + ## Do not audit attempts to search directories on new filesystems + ## that have not yet been labeled. + ## +@@ -2744,6 +2874,24 @@ + + ######################################## + ## ++## read files in /mnt. +## +## +## -+## Domain allowed access. ++## Domain allowed access. +## +## +# -+interface(`dev_rw_kvm',` ++interface(`files_read_mnt_files',` + gen_require(` -+ type device_t, kvm_device_t; ++ type mnt_t; + ') + -+ rw_chr_files_pattern($1, device_t, kvm_device_t) ++ read_files_pattern($1, mnt_t, mnt_t) +') + +######################################## +## - ## Mount a usbfs filesystem. + ## Create, read, write, and delete symbolic links in /mnt. ## ## -@@ -3322,3 +3507,223 @@ - - typeattribute $1 devices_unconfined_type; +@@ -3394,6 +3542,8 @@ + delete_lnk_files_pattern($1, tmpfile, tmpfile) + delete_fifo_files_pattern($1, tmpfile, tmpfile) + delete_sock_files_pattern($1, tmpfile, tmpfile) ++ files_delete_isid_type_dirs($1) ++ files_delete_isid_type_files($1) ') -+ -+######################################## -+## -+## Get the attributes of the autofs device node. + + ######################################## +@@ -3471,6 +3621,47 @@ + + ######################################## + ## ++## Delete generic directories in /usr in the caller domain. +## +## +## 
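Review bot: The two lines added at `@@ -3394,6 +3542,8 @@`, `files_delete_isid_type_dirs($1)` and `files_delete_isid_type_files($1)`, extend what the surrounding `tmpfile` delete patterns suggest is a tmp-cleanup interface to every unlabeled `file_t` object on the system; the enclosing interface begins outside this hunk, so its name and summary are not visible here. A domain that only needs to purge tmp files would thereby gain the right to delete directories, regular files, symlinks, fifos, sockets and device nodes on any filesystem that has not yet been labeled. If tmp reapers are meant to clean unlabeled files as well, the enclosing interface's summary should state that; otherwise the one caller that needs it should call the two new interfaces directly.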
@@ -5736,36 +7575,47 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`dev_getattr_autofs_dev',` ++interface(`files_delete_usr_dirs',` + gen_require(` -+ type device_t, autofs_device_t; ++ type usr_t; + ') + -+ getattr_chr_files_pattern($1, device_t, autofs_device_t) ++ delete_dirs_pattern($1, usr_t, usr_t) +') + +######################################## +## -+## Do not audit attempts to get the attributes of -+## the autofs device node. ++## Delete generic files in /usr in the caller domain. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`dev_dontaudit_getattr_autofs_dev',` ++interface(`files_delete_usr_files',` + gen_require(` -+ type autofs_device_t; ++ type usr_t; + ') + -+ dontaudit $1 autofs_device_t:chr_file getattr; ++ delete_files_pattern($1, usr_t, usr_t) ++ delete_lnk_files_pattern($1, usr_t, usr_t) ++ delete_fifo_files_pattern($1, usr_t, usr_t) ++ delete_sock_files_pattern($1, usr_t, usr_t) ++ delete_blk_files_pattern($1, usr_t, usr_t) ++ delete_chr_files_pattern($1, usr_t, usr_t) +') + +######################################## +## -+## Set the attributes of the autofs device node. + ## Get the attributes of files in /usr. + ## + ## +@@ -3547,6 +3738,24 @@ + + ######################################## + ## ++## dontaudit write of /usr files +## +## +## 
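Review bot: `files_delete_usr_files` grants `delete_blk_files_pattern($1, usr_t, usr_t)` and `delete_chr_files_pattern($1, usr_t, usr_t)` although its summary reads "Delete generic files in /usr". Device nodes under /usr are unusual, and the deletions this interface is presumably written for are regular files and symlinks, so I would drop the blk_file and chr_file lines unless a caller has a documented need for them. The summary of `files_delete_usr_dirs`, "Delete generic directories in /usr in the caller domain.", should also lose the trailing "in the caller domain", which does not describe anything the rule does.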
@@ -5773,90 +7623,119 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`dev_setattr_autofs_dev',` ++interface(`files_dontaudit_write_usr_files',` + gen_require(` -+ type device_t, autofs_device_t; ++ type usr_t; + ') + -+ setattr_chr_files_pattern($1, device_t, autofs_device_t) ++ dontaudit $1 usr_t:file write; +') + +######################################## +## -+## Do not audit attempts to set the attributes of -+## the autofs device node. + ## Relabel a file to the type used in /usr. + ## + ## +@@ -4433,6 +4642,25 @@ + + ######################################## + ## ++## Read generic process ID files. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`dev_dontaudit_setattr_autofs_dev',` ++interface(`files_read_generic_pids',` + gen_require(` -+ type autofs_device_t; ++ type var_t, var_run_t; + ') + -+ dontaudit $1 autofs_device_t:chr_file setattr; ++ list_dirs_pattern($1,var_t,var_run_t) ++ read_files_pattern($1, var_run_t, var_run_t) +') + +######################################## +## -+## Read and write the autofs device. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_rw_autofs',` -+ gen_require(` -+ type device_t, autofs_device_t; -+ ') + ## Read and write generic process ID files. + ## + ## +@@ -4761,12 +4989,14 @@ + allow $1 poly_t:dir { create mounton }; + fs_unmount_xattr_fs($1) + ++ fs_mount_tmpfs($1) ++ fs_unmount_tmpfs($1) + -+ rw_chr_files_pattern($1, device_t, autofs_device_t) -+') + ifdef(`distro_redhat',` + # namespace.init + files_search_home($1) + corecmd_exec_bin($1) + seutil_domtrans_setfiles($1) +- mount_domtrans($1) + ') + ') + +@@ -4787,3 +5017,71 @@ + + typeattribute $1 files_unconfined_type; + ') + +######################################## +## -+## Get the attributes of the network control device ++## Create a core files in / +## ++## ++##

++## Create a core file in /, ++##

++##
+## +## +## Domain allowed access. +## +## ++## +# -+interface(`dev_getattr_netcontrol',` ++interface(`files_dump_core',` + gen_require(` -+ type device_t, netcontrol_device_t; ++ type root_t; + ') + -+ getattr_chr_files_pattern($1, device_t, netcontrol_device_t) ++ manage_files_pattern($1, root_t, root_t) +') + +######################################## +## -+## Read the network control identity. ++## Create a default directory in / +## ++## ++##

++## Create a default_t direcrory in / ++##

++##
+## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## ++## +# -+interface(`dev_read_netcontrol',` -+ gen_require(` -+ type device_t, netcontrol_device_t; -+ ') ++interface(`files_create_default_dir',` ++ gen_require(` ++ type root_t, default_t; ++ ') + -+ read_chr_files_pattern($1, device_t, netcontrol_device_t) ++ allow $1 default_t:dir create; ++ filetrans_pattern($1, root_t, default_t, dir) +') + +######################################## +## -+## Read and write the the network control device. ++## manage generic symbolic links ++## in the /var/run directory. +## +## +## 
@@ -5864,18 +7743,60 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`dev_rw_netcontrol',` ++interface(`files_manage_generic_pids_symlinks',` + gen_require(` -+ type device_t, netcontrol_device_t; ++ type var_run_t; + ') + -+ rw_chr_files_pattern($1, device_t, netcontrol_device_t) ++ manage_lnk_files_pattern($1,var_run_t,var_run_t) +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.5.13/policy/modules/kernel/files.te +--- nsaserefpolicy/policy/modules/kernel/files.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/files.te 2008-11-11 16:22:03.000000000 -0500 +@@ -52,11 +52,14 @@ + # + # etc_t is the type of the system etc directories. + # +-type etc_t; ++attribute etcfile; + -+######################################## -+## -+## Get the attributes of the QEMU -+## microcode and id interfaces. ++type etc_t, etcfile; + files_type(etc_t) + # compatibility aliases for removed types: + typealias etc_t alias automount_etc_t; + typealias etc_t alias snmpd_etc_t; ++typealias etc_t alias gconf_etc_t; + + # + # etc_runtime_t is the type of various +@@ -174,6 +177,7 @@ + # + type var_run_t; + files_pid_file(var_run_t) ++files_mountpoint(var_run_t) + + # + # var_spool_t is the type of /var/spool +@@ -197,10 +201,7 @@ + # + # Rules for all tmp file types + # +- +-allow tmpfile tmp_t:filesystem associate; +- +-fs_associate_tmpfs(tmpfile) ++allow file_type tmp_t:filesystem associate; + + ######################################## + # +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.5.13/policy/modules/kernel/filesystem.if +--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.if 2008-11-11 16:22:03.000000000 -0500 +@@ -535,6 +535,24 @@ + + 
######################################## + ## ++## Mounton a CIFS filesystem. +## +## +## 
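Review bot: In files.te, hunk `@@ -197,10 +201,7 @@` replaces `allow tmpfile tmp_t:filesystem associate;` with `allow file_type tmp_t:filesystem associate;`, so any file type may now be created on a filesystem labeled `tmp_t`, and in the same step it drops `fs_associate_tmpfs(tmpfile)`. The first change removes the restriction that only tmp file types live on tmp_t filesystems; the second may leave tmpfile types unable to exist on `tmpfs_t` filesystems unless that associate rule is granted elsewhere, which is not visible in this chunk. A comment above the new rule such as `# any file type may be created on a tmp_t filesystem (e.g. tmpfs mounted on /tmp)` would record the intent, and the tmpfs associate should stay unless it is known to be redundant.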
@@ -5883,384 +7804,273 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`dev_getattr_qemu',` ++interface(`fs_mounton_cifs',` + gen_require(` -+ type device_t, qemu_device_t; ++ type cifs_t; + ') + -+ getattr_chr_files_pattern($1, device_t, qemu_device_t) ++ allow $1 cifs_t:dir mounton; +') + +######################################## +## -+## Set the attributes of the QEMU -+## microcode and id interfaces. + ## Remount a CIFS or SMB network filesystem. + ## This allows some mount options to be changed. + ## +@@ -737,6 +755,7 @@ + attribute noxattrfs; + ') + ++ list_dirs_pattern($1, noxattrfs, noxattrfs) + read_files_pattern($1, noxattrfs, noxattrfs) + ') + +@@ -779,6 +798,25 @@ + ######################################## + ## + ## Do not audit attempts to read ++## dirs on a CIFS or SMB filesystem. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`dev_setattr_qemu',` ++interface(`fs_dontaudit_list_cifs_dirs',` + gen_require(` -+ type device_t, qemu_device_t; ++ type cifs_t; + ') + -+ setattr_chr_files_pattern($1, device_t, qemu_device_t) ++ dontaudit $1 cifs_t:dir list_dir_perms; +') + +######################################## +## -+## Read the QEMU device ++## Do not audit attempts to read + ## files on a CIFS or SMB filesystem. + ## + ## +@@ -955,6 +993,46 @@ + + ######################################## + ## ++## Append files ++## on a CIFS filesystem. +## +## +## +## Domain allowed access. +## +## ++## +# -+interface(`dev_read_qemu',` ++interface(`fs_append_cifs_files',` + gen_require(` -+ type device_t, qemu_device_t; ++ type cifs_t; + ') + -+ read_chr_files_pattern($1, device_t, qemu_device_t) ++ append_files_pattern($1, cifs_t, cifs_t) +') + +######################################## +## -+## Read and write the the QEMU device. ++## dontaudit Append files ++## on a CIFS filesystem. +## +## +## +## Domain allowed access. 
+## +## ++## +# -+interface(`dev_rw_qemu',` ++interface(`fs_dontaudit_append_cifs_files',` + gen_require(` -+ type device_t, qemu_device_t; ++ type cifs_t; + ') + -+ rw_chr_files_pattern($1, device_t, qemu_device_t) ++ dontaudit $1 cifs_t:file append; +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.5.13/policy/modules/kernel/devices.te ---- nsaserefpolicy/policy/modules/kernel/devices.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/devices.te 2008-11-11 16:22:03.000000000 -0500 -@@ -32,6 +32,12 @@ - type apm_bios_t; - dev_node(apm_bios_t) - -+# -+# Type for /dev/autofs -+# -+type autofs_device_t; -+dev_node(autofs_device_t) -+ - type cardmgr_dev_t; - dev_node(cardmgr_dev_t) - files_tmp_file(cardmgr_dev_t) -@@ -49,6 +55,12 @@ - type cpu_device_t; - dev_node(cpu_device_t) - -+# -+# network control devices -+# -+type netcontrol_device_t; -+dev_node(netcontrol_device_t) -+ - # for the IBM zSeries z90crypt hardware ssl accelorator - type crypt_device_t; - dev_node(crypt_device_t) -@@ -66,12 +78,25 @@ - dev_node(framebuf_device_t) - - # -+# Type for /dev/ipmi/0 -+# -+type ipmi_device_t; -+dev_node(ipmi_device_t) -+ -+# - # Type for /dev/kmsg - # - type kmsg_device_t; - dev_node(kmsg_device_t) - - # -+# kvm_device_t is the type of -+# /dev/kvm -+# -+type kvm_device_t; -+dev_node(kvm_device_t) -+ -+# - # Type for /dev/mapper/control - # - type lvm_control_t; -@@ -118,6 +143,12 @@ - dev_node(nvram_device_t) - - # -+# qemu control devices -+# -+type qemu_device_t; -+dev_node(qemu_device_t) + -+# - # Type for /dev/pmu - # - type power_device_t; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.5.13/policy/modules/kernel/domain.if ---- nsaserefpolicy/policy/modules/kernel/domain.if 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/domain.if 2008-11-11 
16:22:03.000000000 -0500 -@@ -1247,18 +1247,34 @@ - ## - ## - # --interface(`domain_mmap_low',` -+interface(`domain_mmap_low_type',` - gen_require(` - attribute mmap_low_domain_type; - ') - -- allow $1 self:memprotect mmap_zero; -- - typeattribute $1 mmap_low_domain_type; - ') ++######################################## ++## + ## Do not audit attempts to create, read, + ## write, and delete files + ## on a CIFS or SMB network filesystem. +@@ -1209,6 +1287,25 @@ ######################################## ## -+## Ability to mmap a low area of the address space, -+## as configured by /proc/sys/kernel/mmap_min_addr. -+## Preventing such mappings helps protect against -+## exploiting null deref bugs in the kernel. ++## Create, read, write, and delete dirs ++## on a DOS filesystem. +## +## +## -+## Domain allowed to mmap low memory. ++## Domain allowed access. +## +## +# -+interface(`domain_mmap_low',` -+ -+ allow $1 self:memprotect mmap_zero; -+') -+ -+######################################## -+## - ## Allow specified type to receive labeled - ## networking packets from all domains, over - ## all protocols (TCP, UDP, etc) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.5.13/policy/modules/kernel/domain.te ---- nsaserefpolicy/policy/modules/kernel/domain.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/domain.te 2008-11-11 16:22:03.000000000 -0500 -@@ -5,6 +5,13 @@ - # - # Declarations - # -+## -+##

-+## Allow all domains to use other domains file descriptors -+##

-+##
-+# -+gen_tunable(allow_domain_fd_use, true) - - # Mark process types as domains - attribute domain; -@@ -80,11 +87,14 @@ - allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; - allow domain self:file rw_file_perms; - kernel_read_proc_symlinks(domain) -+kernel_read_crypto_sysctls(domain) -+ - # Every domain gets the key ring, so we should default - # to no one allowed to look at it; afs kernel support creates - # a keyring - kernel_dontaudit_search_key(domain) - kernel_dontaudit_link_key(domain) -+userdom_dontaudit_search_all_users_keys(domain) - - # create child processes in the domain - allow domain self:process { fork sigchld }; -@@ -113,6 +123,7 @@ - optional_policy(` - xserver_dontaudit_use_xdm_fds(domain) - xserver_dontaudit_rw_xdm_pipes(domain) -+ xserver_dontaudit_rw_xdm_home_files(domain) - ') - - ######################################## -@@ -131,6 +142,9 @@ - allow unconfined_domain_type domain:fd use; - allow unconfined_domain_type domain:fifo_file rw_file_perms; - -+allow unconfined_domain_type domain:dbus send_msg; -+allow domain unconfined_domain_type:dbus send_msg; -+ - # Act upon any other process. 
- allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; - -@@ -140,7 +154,7 @@ - - # For /proc/pid - allow unconfined_domain_type domain:dir list_dir_perms; --allow unconfined_domain_type domain:file read_file_perms; -+allow unconfined_domain_type domain:file rw_file_perms; - allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; - - # act on all domains keys -@@ -148,3 +162,39 @@ - - # receive from all domains over labeled networking - domain_all_recvfrom_all_domains(unconfined_domain_type) -+ -+tunable_policy(`allow_domain_fd_use',` -+ # Allow all domains to use fds past to them -+ allow domain domain:fd use; -+') -+ -+optional_policy(` -+ cron_dontaudit_write_system_job_tmp_files(domain) -+ cron_rw_pipes(domain) -+ifdef(`hide_broken_symptoms',` -+ cron_dontaudit_rw_tcp_sockets(domain) -+ allow domain domain:key search; -+') -+') -+ -+ifdef(`hide_broken_symptoms',` -+ dbus_dontaudit_system_bus_rw_tcp_sockets(domain) -+') -+ -+optional_policy(` -+ rpm_rw_pipes(domain) -+ rpm_dontaudit_use_script_fds(domain) -+ rpm_dontaudit_write_pid_files(domain) -+') -+ -+optional_policy(` -+ rhgb_dontaudit_use_ptys(domain) -+') ++interface(`fs_manage_dos_dirs',` ++ gen_require(` ++ type dosfs_t; ++ ') + -+optional_policy(` -+ unconfined_dontaudit_rw_pipes(domain) -+ unconfined_sigchld(domain) ++ manage_dirs_pattern($1, dosfs_t, dosfs_t) +') + -+# broken kernel -+dontaudit can_change_object_identity can_change_object_identity:key link; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.5.13/policy/modules/kernel/files.fc ---- nsaserefpolicy/policy/modules/kernel/files.fc 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/files.fc 2008-11-11 16:22:03.000000000 -0500 -@@ -32,6 +32,7 @@ - /boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) - /boot/lost\+found/.* <> - 
/boot/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0) -+/boot/efi(/.*)?/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0) ++######################################## ++## + ## Create, read, write, and delete files + ## on a DOS filesystem. + ## +@@ -1228,6 +1325,26 @@ - # - # /emul -@@ -49,6 +50,7 @@ - /etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0) - /etc/HOSTNAME -- gen_context(system_u:object_r:etc_runtime_t,s0) - /etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) -+/etc/hosts.deny -- gen_context(system_u:object_r:etc_runtime_t,s0) - /etc/issue -- gen_context(system_u:object_r:etc_runtime_t,s0) - /etc/issue\.net -- gen_context(system_u:object_r:etc_runtime_t,s0) - /etc/localtime -l gen_context(system_u:object_r:etc_t,s0) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.5.13/policy/modules/kernel/files.if ---- nsaserefpolicy/policy/modules/kernel/files.if 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/files.if 2008-11-11 16:22:03.000000000 -0500 -@@ -110,6 +110,11 @@ - ## - # - interface(`files_config_file',` + ######################################## + ## ++## Read and write files on hugetlbfs files ++## file systems. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_rw_hugetlbfs_files',` + gen_require(` -+ attribute etcfile; ++ type hugetlbfs_t; ++ + ') + -+ typeattribute $1 etcfile; - files_type($1) - ') ++ rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ++') ++ ++######################################## ++## + ## Read eventpollfs files. 
+ ## + ## +@@ -1287,24 +1404,6 @@ -@@ -928,8 +933,8 @@ - relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) - relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) - relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) -- relabelfrom_blk_files_pattern($1, { file_type $2 }, { file_type $2 }) -- relabelfrom_chr_files_pattern($1, { file_type $2 }, { file_type $2 }) -+ relabel_blk_files_pattern($1, { file_type $2 }, { file_type $2 }) -+ relabel_chr_files_pattern($1, { file_type $2 }, { file_type $2 }) + ######################################## + ## +-## Read and write hugetlbfs files. +-## +-## +-## +-## Domain allowed access. +-## +-## +-# +-interface(`fs_rw_hugetlbfs_files',` +- gen_require(` +- type hugetlbfs_t; +- ') +- +- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) +-') +- +-######################################## +-## + ## Search inotifyfs filesystem. + ## + ## +@@ -1478,6 +1577,24 @@ - # satisfy the assertions: - seutil_relabelto_bin_policy($1) -@@ -953,6 +958,32 @@ - ## - ## - # -+interface(`files_rw_all_files',` + ######################################## + ## ++## Mounton a NFS filesystem. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_mounton_nfs',` + gen_require(` -+ attribute file_type; ++ type nfs_t; + ') + -+ rw_files_pattern($1, { file_type $2 }, { file_type $2 }) ++ allow $1 nfs_t:dir mounton; +') + +######################################## +## -+## Manage all files on the filesystem, except -+## the listed exceptions. + ## Remount a NFS filesystem. This allows + ## some mount options to be changed. + ## +@@ -1681,7 +1798,7 @@ + type nfs_t; + ') + +- dontaudit $1 nfs_t:file { read write }; ++ dontaudit $1 nfs_t:file rw_file_perms; + ') + + ######################################## +@@ -2002,6 +2119,47 @@ + + ######################################## + ## ++## Append files ++## on a NFS filesystem. +## +## +## -+## The type of the domain perfoming this action. 
-+## -+## -+## -+## -+## The types to be excluded. Each type or attribute -+## must be negated by the caller. ++## Domain allowed access. +## +## +## +# - interface(`files_manage_all_files',` - gen_require(` - attribute file_type; -@@ -1060,6 +1091,24 @@ - ##
- ## - # -+interface(`files_relabel_all_file_type_fs',` ++interface(`fs_append_nfs_files',` + gen_require(` -+ attribute file_type; ++ type nfs_t; + ') + -+ allow $1 file_type:filesystem { relabelfrom relabelto }; ++ append_files_pattern($1, nfs_t, nfs_t) +') + +######################################## +## -+## Relabel a filesystem to the type of a file. ++## dontaudit Append files ++## on a NFS filesystem. +## +## +## +## Domain allowed access. +## +## ++## +# - interface(`files_relabelto_all_file_type_fs',` - gen_require(` - attribute file_type; -@@ -1303,6 +1352,24 @@ ++interface(`fs_dontaudit_append_nfs_files',` ++ gen_require(` ++ type nfs_t; ++ ') ++ ++ dontaudit $1 nfs_t:file append; ++') ++ ++ ++######################################## ++## + ## Do not audit attempts to create, + ## read, write, and delete files + ## on a NFS filesystem. +@@ -2996,6 +3154,7 @@ + type tmpfs_t; + ') + ++ dontaudit $1 tmpfs_t:dir rw_dir_perms; + dontaudit $1 tmpfs_t:file rw_file_perms; + ') + +@@ -3132,6 +3291,25 @@ ######################################## ## -+## Remove entries from the tmp directory. ++## Read and write block nodes on removable filesystems. +## +## +## 
@@ -6268,135 +8078,135 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`files_delete_tmp_dir_entry',` ++interface(`fs_rw_removable_blk_files',` + gen_require(` -+ type root_t; ++ type removable_t; + ') + -+ allow $1 tmp_t:dir del_entry_dir_perms; ++ allow $1 removable_t:dir list_dir_perms; ++ rw_blk_files_pattern($1, removable_t, removable_t) +') + +######################################## +## - ## Unmount a rootfs filesystem. + ## Relabel block nodes on tmpfs filesystems. ## ## -@@ -1889,6 +1956,26 @@ +@@ -3317,6 +3495,7 @@ + ') + + allow $1 filesystem_type:filesystem getattr; ++ files_getattr_all_file_type_fs($1) + ') ######################################## - ## -+## Read config files in /etc. +@@ -3644,3 +3823,142 @@ + relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs) + relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs) + ') ++ ++######################################## ++## ++## Search directories ++## on a FUSEFS filesystem. +## +## +## +## Domain allowed access. +## +## ++## +# -+interface(`files_read_config_files',` ++interface(`fs_search_fusefs_dirs',` + gen_require(` -+ attribute etcfile; ++ type fusefs_t; + ') + -+ allow $1 etcfile:dir list_dir_perms; -+ read_files_pattern($1, etcfile, etcfile) -+ read_lnk_files_pattern($1, etcfile, etcfile) ++ allow $1 fusefs_t:dir search_dir_perms; +') + +######################################## +## - ## Do not audit attempts to write generic files in /etc. - ## - ## -@@ -2224,6 +2311,49 @@ - - ######################################## - ## -+## Delete directories on new filesystems -+## that have not yet been labeled. ++## Create, read, write, and delete directories ++## on a FUSEFS filesystem. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++# ++interface(`fs_manage_fusefs_dirs',` ++ gen_require(` ++ type fusefs_t; ++ ') ++ ++ allow $1 fusefs_t:dir manage_dir_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to create, read, ++## write, and delete directories ++## on a FUSEFS filesystem. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`files_delete_isid_type_dirs',` ++interface(`fs_dontaudit_manage_fusefs_dirs',` + gen_require(` -+ type file_t; ++ type fusefs_t; + ') + -+ delete_dirs_pattern($1, file_t, file_t) ++ dontaudit $1 fusefs_t:dir manage_dir_perms; +') + +######################################## +## -+## Delete files on new filesystems -+## that have not yet been labeled. ++## Create, read, write, and delete files ++## on a FUSEFS filesystem. +## +## +## +## Domain allowed access. +## +## ++## +# -+interface(`files_delete_isid_type_files',` ++interface(`fs_manage_fusefs_files',` + gen_require(` -+ type file_t; ++ type fusefs_t; + ') + -+ delete_files_pattern($1, file_t, file_t) -+ delete_lnk_files_pattern($1, file_t, file_t) -+ delete_fifo_files_pattern($1, file_t, file_t) -+ delete_sock_files_pattern($1, file_t, file_t) -+ delete_blk_files_pattern($1, file_t, file_t) -+ delete_chr_files_pattern($1, file_t, file_t) ++ manage_files_pattern($1, fusefs_t, fusefs_t) +') + +######################################## +## - ## Do not audit attempts to search directories on new filesystems - ## that have not yet been labeled. - ## -@@ -2744,6 +2874,24 @@ - - ######################################## - ## -+## read files in /mnt. ++## Read, a FUSEFS filesystem. +## +## +## +## Domain allowed access. 
+## +## ++## +# -+interface(`files_read_mnt_files',` ++interface(`fs_read_fusefs_files',` + gen_require(` -+ type mnt_t; ++ type fusefs_t; + ') + -+ read_files_pattern($1, mnt_t, mnt_t) ++ read_files_pattern($1,fusefs_t,fusefs_t) +') + +######################################## +## - ## Create, read, write, and delete symbolic links in /mnt. - ## - ## -@@ -3394,6 +3542,8 @@ - delete_lnk_files_pattern($1, tmpfile, tmpfile) - delete_fifo_files_pattern($1, tmpfile, tmpfile) - delete_sock_files_pattern($1, tmpfile, tmpfile) -+ files_delete_isid_type_dirs($1) -+ files_delete_isid_type_files($1) - ') - - ######################################## -@@ -3471,6 +3621,47 @@ - - ######################################## - ## -+## Delete generic directories in /usr in the caller domain. ++## Read symbolic links on a FUSEFS filesystem. +## +## +## 
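Review bot: The summary of the new `fs_read_fusefs_files` interface reads `Read, a FUSEFS filesystem.`, which does not describe what the body grants; it should say `Read files on a FUSEFS filesystem.` to match `read_files_pattern`. The same call is written `read_files_pattern($1,fusefs_t,fusefs_t)` without the spaces after commas that every neighbouring interface in this hunk uses, so `read_files_pattern($1, fusefs_t, fusefs_t)` would keep the style consistent. It is also the only fusefs reader in this area that does not add `allow $1 fusefs_t:dir list_dir_perms;` the way `fs_read_fusefs_symlinks` in the next hunk does; that may be intentional, but a one-line comment saying so would save the next reader from guessing.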
@@ -6404,47 +8214,103 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`files_delete_usr_dirs',` ++interface(`fs_read_fusefs_symlinks',` + gen_require(` -+ type usr_t; ++ type fusefs_t; + ') + -+ delete_dirs_pattern($1, usr_t, usr_t) ++ allow $1 fusefs_t:dir list_dir_perms; ++ read_lnk_files_pattern($1, fusefs_t, fusefs_t) +') + ++ +######################################## +## -+## Delete generic files in /usr in the caller domain. ++## Do not audit attempts to create, ++## read, write, and delete files ++## on a FUSEFS filesystem. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`files_delete_usr_files',` ++interface(`fs_dontaudit_manage_fusefs_files',` + gen_require(` -+ type usr_t; ++ type fusefs_t; + ') + -+ delete_files_pattern($1, usr_t, usr_t) -+ delete_lnk_files_pattern($1, usr_t, usr_t) -+ delete_fifo_files_pattern($1, usr_t, usr_t) -+ delete_sock_files_pattern($1, usr_t, usr_t) -+ delete_blk_files_pattern($1, usr_t, usr_t) -+ delete_chr_files_pattern($1, usr_t, usr_t) ++ dontaudit $1 fusefs_t:file manage_file_perms; +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.5.13/policy/modules/kernel/filesystem.te +--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.te 2008-11-11 16:22:03.000000000 -0500 +@@ -21,7 +21,6 @@ + + # Use xattrs for the following filesystem types. + # Requires that a security xattr handler exist for the filesystem. 
+-fs_use_xattr ecryptfs gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0); +@@ -76,6 +75,11 @@ + allow cpusetfs_t self:filesystem associate; + genfscon cpuset / gen_context(system_u:object_r:cpusetfs_t,s0) + ++type ecryptfs_t; ++fs_noxattr_type(ecryptfs_t) ++files_mountpoint(ecryptfs_t) ++genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0) + -+######################################## -+## - ## Get the attributes of files in /usr. - ## - ## -@@ -3547,6 +3738,24 @@ + type eventpollfs_t; + fs_type(eventpollfs_t) + # change to task SID 20060628 +@@ -141,6 +145,8 @@ + fs_noxattr_type(vmblock_t) + files_mountpoint(vmblock_t) + genfscon vmblock / gen_context(system_u:object_r:vmblock_t,s0) ++genfscon vboxsf / gen_context(system_u:object_r:vmblock_t,s0) ++genfscon vmhgfs / gen_context(system_u:object_r:vmblock_t,s0) + + type vxfs_t; + fs_noxattr_type(vxfs_t) +@@ -241,6 +247,7 @@ + genfscon lustre / gen_context(system_u:object_r:nfs_t,s0) + genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) + genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) ++genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) + + ######################################## + # +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.5.13/policy/modules/kernel/kernel.if +--- nsaserefpolicy/policy/modules/kernel/kernel.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/kernel.if 2008-11-11 16:22:03.000000000 -0500 +@@ -1198,6 +1198,7 @@ + ') + + dontaudit $1 proc_type:dir list_dir_perms; ++ dontaudit $1 proc_type:file getattr; + ') + + ######################################## +@@ -1234,9 +1235,11 @@ + interface(`kernel_read_sysctl',` + gen_require(` + type sysctl_t; ++ type proc_t; + ') + + 
list_dirs_pattern($1, proc_t, sysctl_t) ++ read_files_pattern($1, sysctl_t, sysctl_t) + ') + + ######################################## +@@ -1569,6 +1572,26 @@ ######################################## ## -+## dontaudit write of /usr files ++## Read generic crypto sysctls. +## +## +## 
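Review bot: The new `type ecryptfs_t;` declaration with `fs_noxattr_type(ecryptfs_t)` carries no comment explaining why ecryptfs is dropped from `fs_use_xattr` in the same hunk, yet this is a labeling-model change: the filesystem goes from per-file xattr labels to one type for all of its content, so every domain reaching `noxattrfs` (for example through the `list_dirs_pattern($1, noxattrfs, noxattrfs)` addition elsewhere in this patch) presumably now sees the whole ecryptfs mount. A short comment such as `# ecryptfs does not carry security xattrs; label the whole mount as one type` (adjusted to the actual reason) above the declaration would document that. The `genfscon ncpfs / ...nfs_t` line deserves a similar note, since ncpfs inherits every `nfs_t` interface by that choice.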
@@ -6452,119 +8318,178 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`files_dontaudit_write_usr_files',` ++interface(`kernel_read_crypto_sysctls',` + gen_require(` -+ type usr_t; ++ type proc_t, sysctl_t, sysctl_crypto_t; + ') + -+ dontaudit $1 usr_t:file write; ++ read_files_pattern($1, { proc_t sysctl_t sysctl_crypto_t }, sysctl_crypto_t) ++ ++ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_crypto_t) +') + +######################################## +## - ## Relabel a file to the type used in /usr. + ## Read generic kernel sysctls. ## ## -@@ -4433,6 +4642,25 @@ +@@ -1768,6 +1791,7 @@ + ') + + dontaudit $1 sysctl_type:dir list_dir_perms; ++ dontaudit $1 sysctl_type:file read_file_perms; + ') + + ######################################## +@@ -2582,6 +2606,24 @@ ######################################## ## -+## Read generic process ID files. ++## Relabel to unlabeled context . +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`files_read_generic_pids',` ++interface(`kernel_relabelto_unlabeled',` + gen_require(` -+ type var_t, var_run_t; ++ type unlabeled_t; + ') + -+ list_dirs_pattern($1,var_t,var_run_t) -+ read_files_pattern($1, var_run_t, var_run_t) ++ allow $1 unlabeled_t:dir_file_class_set relabelto; +') + +######################################## +## - ## Read and write generic process ID files. + ## Unconfined access to kernel module resources. 
## ## -@@ -4761,12 +4989,14 @@ - allow $1 poly_t:dir { create mounton }; - fs_unmount_xattr_fs($1) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.5.13/policy/modules/kernel/kernel.te +--- nsaserefpolicy/policy/modules/kernel/kernel.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/kernel.te 2008-11-11 16:22:03.000000000 -0500 +@@ -63,6 +63,15 @@ + genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) -+ fs_mount_tmpfs($1) -+ fs_unmount_tmpfs($1) + # ++# infinibandeventfs fs ++# + - ifdef(`distro_redhat',` - # namespace.init - files_search_home($1) - corecmd_exec_bin($1) - seutil_domtrans_setfiles($1) -- mount_domtrans($1) ++type infinibandeventfs_t; ++fs_type(infinibandeventfs_t) ++allow infinibandeventfs_t self:filesystem associate; ++genfscon infinibandeventfs / gen_context(system_u:object_r:infinibandeventfs_t,s0) ++ ++# + # kvmFS + # + +@@ -120,6 +129,10 @@ + type sysctl_rpc_t, sysctl_type; + genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0) + ++# /proc/sys/crypto directory and files ++type sysctl_crypto_t, sysctl_type; ++genfscon proc /sys/crypto gen_context(system_u:object_r:sysctl_crypto_t,s0) ++ + # /proc/sys/fs directory and files + type sysctl_fs_t, sysctl_type; + files_mountpoint(sysctl_fs_t) +@@ -160,6 +173,7 @@ + # + type unlabeled_t; + sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) ++fs_associate(unlabeled_t) + + # These initial sids are no longer used, and can be removed: + sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) +@@ -274,6 +288,8 @@ + fs_rw_tmpfs_chr_files(kernel_t) + ') + ++unprivuser_home_dir_filetrans_home_content(kernel_t, { file dir }) ++ + tunable_policy(`read_default_t',` + files_list_default(kernel_t) + files_read_default_files(kernel_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if 
serefpolicy-3.5.13/policy/modules/kernel/selinux.if +--- nsaserefpolicy/policy/modules/kernel/selinux.if 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/selinux.if 2008-11-11 16:22:03.000000000 -0500 +@@ -164,6 +164,7 @@ + type security_t; ') - ') -@@ -4787,3 +5017,71 @@ ++ selinux_dontaudit_getattr_fs($1) + dontaudit $1 security_t:dir search_dir_perms; + dontaudit $1 security_t:file { getattr read }; + ') +@@ -185,6 +186,7 @@ + type security_t; + ') - typeattribute $1 files_unconfined_type; ++ selinux_get_fs_mount($1) + allow $1 security_t:dir list_dir_perms; + allow $1 security_t:file { getattr read }; ') -+ -+######################################## -+## -+## Create a core files in / +@@ -265,6 +267,34 @@ + + ######################################## + ## ++## Allow caller to read the state of Booleans +## +## +##

-+## Create a core file in /, ++## Allow caller read the state of Booleans +##

+##
+## +## -+## Domain allowed access. ++## The process type allowed to set the Boolean. +## +## +## +# -+interface(`files_dump_core',` ++interface(`selinux_get_boolean',` + gen_require(` -+ type root_t; ++ type security_t; ++ attribute booleans_type; ++ bool secure_mode_policyload; + ') + -+ manage_files_pattern($1, root_t, root_t) ++ allow $1 security_t:dir list_dir_perms; ++ allow $1 booleans_type:dir list_dir_perms; ++ allow $1 booleans_type:file read_file_perms; +') + +######################################## +## -+## Create a default directory in / -+## -+## -+##

-+## Create a default_t direcrory in / -+##

-+##
-+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`files_create_default_dir',` -+ gen_require(` -+ type root_t, default_t; -+ ') -+ -+ allow $1 default_t:dir create; -+ filetrans_pattern($1, root_t, default_t, dir) -+') + ## Allow caller to set the state of Booleans to + ## enable or disable conditional portions of the policy. + ##
+@@ -288,11 +318,13 @@ + interface(`selinux_set_boolean',` + gen_require(` + type security_t; ++ attribute booleans_type; + bool secure_mode_policyload; + ') + + allow $1 security_t:dir list_dir_perms; +- allow $1 security_t:file { getattr read write }; ++ allow $1 booleans_type:dir list_dir_perms; ++ allow $1 booleans_type:file { getattr read write }; + + if(!secure_mode_policyload) { + allow $1 security_t:security setbool; +@@ -510,3 +542,23 @@ + + typeattribute $1 selinux_unconfined_type; + ') + +######################################## +## -+## manage generic symbolic links -+## in the /var/run directory. ++## Generate a file context for a boolean type +## +## +## 
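Review bot: In `selinux_get_boolean` the `gen_require` block pulls in `bool secure_mode_policyload;`, which the body never references, and the parameter description says `The process type allowed to set the Boolean.` although the interface only grants `list_dir_perms` and `read_file_perms`; drop the unused require and change the description to `The process type allowed to read the Boolean.`. In the same hunk the summary of `kernel_relabelto_unlabeled` has a stray space before its period (`Relabel to unlabeled context .`), and because it grants `relabelto` on `unlabeled_t` across `dir_file_class_set`, a sentence noting that the caller can effectively remove an object's label, after which access to it is governed only by the `unlabeled_t` rules, would make the risk visible to anyone calling it.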
@@ -6572,193 +8497,161 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`files_manage_generic_pids_symlinks',` ++interface(`selinux_genbool',` + gen_require(` -+ type var_run_t; ++ attribute booleans_type; + ') + -+ manage_lnk_files_pattern($1,var_run_t,var_run_t) ++ type $1, booleans_type; ++ fs_type($1) ++ mls_trusted_object($1) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.5.13/policy/modules/kernel/files.te ---- nsaserefpolicy/policy/modules/kernel/files.te 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/files.te 2008-11-11 16:22:03.000000000 -0500 -@@ -52,11 +52,14 @@ - # - # etc_t is the type of the system etc directories. - # --type etc_t; -+attribute etcfile; -+ -+type etc_t, etcfile; - files_type(etc_t) - # compatibility aliases for removed types: - typealias etc_t alias automount_etc_t; - typealias etc_t alias snmpd_etc_t; -+typealias etc_t alias gconf_etc_t; - - # - # etc_runtime_t is the type of various -@@ -174,6 +177,7 @@ - # - type var_run_t; - files_pid_file(var_run_t) -+files_mountpoint(var_run_t) - - # - # var_spool_t is the type of /var/spool -@@ -197,10 +201,7 @@ - # - # Rules for all tmp file types - # -- --allow tmpfile tmp_t:filesystem associate; -- --fs_associate_tmpfs(tmpfile) -+allow file_type tmp_t:filesystem associate; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.te serefpolicy-3.5.13/policy/modules/kernel/selinux.te +--- nsaserefpolicy/policy/modules/kernel/selinux.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/selinux.te 2008-11-11 16:22:03.000000000 -0500 +@@ -10,6 +10,7 @@ + attribute can_setenforce; + attribute can_setsecparam; + attribute selinux_unconfined_type; ++attribute booleans_type; - ######################################## - # -diff -b -B 
--ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.5.13/policy/modules/kernel/filesystem.if ---- nsaserefpolicy/policy/modules/kernel/filesystem.if 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.if 2008-11-11 16:22:03.000000000 -0500 -@@ -535,6 +535,24 @@ + # + # security_t is the target type when checking +@@ -23,6 +24,11 @@ + genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0) + genfscon securityfs / gen_context(system_u:object_r:security_t,s0) - ######################################## - ## -+## Mounton a CIFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`fs_mounton_cifs',` -+ gen_require(` -+ type cifs_t; -+ ') -+ -+ allow $1 cifs_t:dir mounton; -+') ++type boolean_t, booleans_type; ++fs_type(boolean_t) ++mls_trusted_object(boolean_t) ++#genfscon selinuxfs /booleans gen_context(system_u:object_r:boolean_t,s0) + -+######################################## -+## - ## Remount a CIFS or SMB network filesystem. - ## This allows some mount options to be changed. 
- ## -@@ -737,6 +755,7 @@ - attribute noxattrfs; + neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy; + neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce; + neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.5.13/policy/modules/kernel/storage.fc +--- nsaserefpolicy/policy/modules/kernel/storage.fc 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/storage.fc 2008-11-11 16:22:03.000000000 -0500 +@@ -36,7 +36,7 @@ + /dev/pg[0-3] -c gen_context(system_u:object_r:removable_device_t,s0) + /dev/ps3d.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + /dev/ram.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +-/dev/rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) ++/dev/(raw/)?rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + /dev/rd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + ifdef(`distro_redhat', ` + /dev/root -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.5.13/policy/modules/kernel/terminal.if +--- nsaserefpolicy/policy/modules/kernel/terminal.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/kernel/terminal.if 2008-11-11 16:22:03.000000000 -0500 +@@ -250,9 +250,11 @@ + interface(`term_dontaudit_use_console',` + gen_require(` + type console_device_t; ++ type tty_device_t; ') -+ list_dirs_pattern($1, noxattrfs, noxattrfs) - read_files_pattern($1, noxattrfs, noxattrfs) + dontaudit $1 console_device_t:chr_file rw_chr_file_perms; ++ dontaudit $1 tty_device_t:chr_file rw_chr_file_perms; ') -@@ -779,6 +798,25 @@ 
######################################## - ## - ## Do not audit attempts to read -+## dirs on a CIFS or SMB filesystem. +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.fc serefpolicy-3.5.13/policy/modules/roles/guest.fc +--- nsaserefpolicy/policy/modules/roles/guest.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/roles/guest.fc 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1 @@ ++# file contexts handled by userdomain and genhomedircon +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.if serefpolicy-3.5.13/policy/modules/roles/guest.if +--- nsaserefpolicy/policy/modules/roles/guest.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/roles/guest.if 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,161 @@ ++## Least privledge terminal user role ++ ++######################################## ++## ++## Change to the guest role. +## -+## ++## +## -+## Domain to not audit. ++## The prefix of the user role (e.g., user ++## is the prefix for user_r). +## +## ++## +# -+interface(`fs_dontaudit_list_cifs_dirs',` -+ gen_require(` -+ type cifs_t; -+ ') -+ -+ dontaudit $1 cifs_t:dir list_dir_perms; ++template(`guest_role_change_template',` ++ userdom_role_change_template($1, guest) +') + +######################################## +## -+## Do not audit attempts to read - ## files on a CIFS or SMB filesystem. - ## - ## -@@ -955,6 +993,46 @@ - - ######################################## - ## -+## Append files -+## on a CIFS filesystem. ++## Change from the guest role. +## -+## ++## ++##

++## Change from the guest role to ++## the specified role. ++##

++##

++## This is a template to support third party modules ++## and its use is not allowed in upstream reference ++## policy. ++##

++##
++## +## -+## Domain allowed access. ++## The prefix of the user role (e.g., user ++## is the prefix for user_r). +## +## +## +# -+interface(`fs_append_cifs_files',` -+ gen_require(` -+ type cifs_t; -+ ') -+ -+ append_files_pattern($1, cifs_t, cifs_t) ++template(`guest_role_change_to_template',` ++ userdom_role_change_template(guest, $1) +') + +######################################## -+## -+## dontaudit Append files -+## on a CIFS filesystem. ++## ++## Search the guest users home directory. +## +## +## +## Domain allowed access. +## +## -+## +# -+interface(`fs_dontaudit_append_cifs_files',` ++interface(`guest_search_home_dirs',` + gen_require(` -+ type cifs_t; ++ type guest_home_dir_t; + ') + -+ dontaudit $1 cifs_t:file append; ++ files_search_home($1) ++ allow $1 guest_home_dir_t:dir search_dir_perms; +') + +######################################## +## - ## Do not audit attempts to create, read, - ## write, and delete files - ## on a CIFS or SMB network filesystem. -@@ -1209,6 +1287,25 @@ - - ######################################## - ## -+## Create, read, write, and delete dirs -+## on a DOS filesystem. ++## Do not audit attempts to search the guest ++## users home directory. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`fs_manage_dos_dirs',` ++interface(`guest_dontaudit_search_home_dirs',` + gen_require(` -+ type dosfs_t; ++ type guest_home_dir_t; + ') + -+ manage_dirs_pattern($1, dosfs_t, dosfs_t) ++ dontaudit $1 guest_home_dir_t:dir search_dir_perms; +') + +######################################## +## - ## Create, read, write, and delete files - ## on a DOS filesystem. - ## -@@ -1228,6 +1325,26 @@ - - ######################################## - ## -+## Read and write files on hugetlbfs files -+## file systems. ++## Create, read, write, and delete guest ++## home directories. +## +## +## 
@@ -6766,50 +8659,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`fs_rw_hugetlbfs_files',` ++interface(`guest_manage_home_dirs',` + gen_require(` -+ type hugetlbfs_t; -+ ++ type guest_home_dir_t; + ') + -+ rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ++ files_search_home($1) ++ allow $1 guest_home_dir_t:dir manage_dir_perms; +') + +######################################## +## - ## Read eventpollfs files. - ## - ## -@@ -1287,24 +1404,6 @@ - - ######################################## - ## --## Read and write hugetlbfs files. --## --## --## --## Domain allowed access. --## --## --# --interface(`fs_rw_hugetlbfs_files',` -- gen_require(` -- type hugetlbfs_t; -- ') -- -- rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) --') -- --######################################## --## - ## Search inotifyfs filesystem. - ## - ## -@@ -1478,6 +1577,24 @@ - - ######################################## - ## -+## Mounton a NFS filesystem. ++## Relabel to guest home directories. +## +## +## 
@@ -6817,329 +8678,542 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`fs_mounton_nfs',` ++interface(`guest_relabelto_home_dirs',` + gen_require(` -+ type nfs_t; ++ type guest_home_dir_t; + ') + -+ allow $1 nfs_t:dir mounton; ++ files_search_home($1) ++ allow $1 guest_home_dir_t:dir relabelto; +') + +######################################## +## - ## Remount a NFS filesystem. This allows - ## some mount options to be changed. - ## -@@ -1681,7 +1798,7 @@ - type nfs_t; - ') - -- dontaudit $1 nfs_t:file { read write }; -+ dontaudit $1 nfs_t:file rw_file_perms; - ') - - ######################################## -@@ -2002,6 +2119,47 @@ - - ######################################## - ## -+## Append files -+## on a NFS filesystem. ++## Do not audit attempts to append to the guest ++## users home directory. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## -+## +# -+interface(`fs_append_nfs_files',` ++interface(`guest_dontaudit_append_home_content_files',` + gen_require(` -+ type nfs_t; ++ type guest_home_t; + ') + -+ append_files_pattern($1, nfs_t, nfs_t) ++ dontaudit $1 guest_home_t:file append; +') + +######################################## +## -+## dontaudit Append files -+## on a NFS filesystem. ++## Read files in the guest users home directory. +## +## +## +## Domain allowed access. 
+## +## -+## +# -+interface(`fs_dontaudit_append_nfs_files',` ++interface(`guest_read_home_content_files',` + gen_require(` -+ type nfs_t; ++ type guest_home_dir_t, guest_home_t; + ') + -+ dontaudit $1 nfs_t:file append; ++ files_search_home($1) ++ allow $1 { guest_home_dir_t guest_home_t }:dir list_dir_perms; ++ read_files_pattern($1, { guest_home_dir_t guest_home_t }, guest_home_t) ++ read_lnk_files_pattern($1, { guest_home_dir_t guest_home_t }, guest_home_t) +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.5.13/policy/modules/roles/guest.te +--- nsaserefpolicy/policy/modules/roles/guest.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/roles/guest.te 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,36 @@ + ++policy_module(guest, 1.0.0) + +######################################## -+## - ## Do not audit attempts to create, - ## read, write, and delete files - ## on a NFS filesystem. -@@ -2996,6 +3154,7 @@ - type tmpfs_t; - ') - -+ dontaudit $1 tmpfs_t:dir rw_dir_perms; - dontaudit $1 tmpfs_t:file rw_file_perms; - ') - -@@ -3132,6 +3291,25 @@ - - ######################################## - ## -+## Read and write block nodes on removable filesystems. -+## -+## -+## -+## Domain allowed access. 
-+## -+## +# -+interface(`fs_rw_removable_blk_files',` ++# Declarations ++# ++ ++role xguest_r; ++ ++userdom_restricted_user_template(guest) ++ ++######################################## ++# ++# Local policy ++# ++ ++optional_policy(` ++ java_per_role_template(guest, guest_t, guest_r) ++') ++ ++optional_policy(` ++ mono_per_role_template(guest, guest_t, guest_r) ++') ++ ++ ++optional_policy(` + gen_require(` -+ type removable_t; ++ type xguest_t; ++ role xguest_r; + ') + -+ allow $1 removable_t:dir list_dir_perms; -+ rw_blk_files_pattern($1, removable_t, removable_t) ++ mozilla_per_role_template(xguest, xguest_t, xguest_r) +') + ++gen_user(guest_u, user, guest_r, s0, s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.fc serefpolicy-3.5.13/policy/modules/roles/logadm.fc +--- nsaserefpolicy/policy/modules/roles/logadm.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/roles/logadm.fc 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1 @@ ++# file contexts handled by userdomain and genhomedircon +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.if serefpolicy-3.5.13/policy/modules/roles/logadm.if +--- nsaserefpolicy/policy/modules/roles/logadm.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/roles/logadm.if 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,44 @@ ++## Audit administrator role ++ +######################################## +## - ## Relabel block nodes on tmpfs filesystems. - ## - ## -@@ -3317,6 +3495,7 @@ - ') - - allow $1 filesystem_type:filesystem getattr; -+ files_getattr_all_file_type_fs($1) - ') - - ######################################## -@@ -3644,3 +3823,142 @@ - relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs) - relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs) - ') ++## Change to the generic user role. 
++## ++## ++## ++## The prefix of the user role (e.g., user ++## is the prefix for user_r). ++## ++## ++## ++# ++template(`logadm_role_change_template',` ++ userdom_role_change_template($1, logadm) ++') + +######################################## +## -+## Search directories -+## on a FUSEFS filesystem. ++## Change from the generic user role. +## -+## ++## ++##

++## Change from the generic user role to ++## the specified role. ++##

++##

++## This is a template to support third party modules ++## and its use is not allowed in upstream reference ++## policy. ++##

++##
++## +## -+## Domain allowed access. ++## The prefix of the user role (e.g., user ++## is the prefix for user_r). +## +## +## +# -+interface(`fs_search_fusefs_dirs',` -+ gen_require(` -+ type fusefs_t; -+ ') ++template(`logadm_role_change_to_template',` ++ userdom_role_change_template(logadm, $1) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/logadm.te serefpolicy-3.5.13/policy/modules/roles/logadm.te +--- nsaserefpolicy/policy/modules/roles/logadm.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/roles/logadm.te 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,20 @@ ++ ++policy_module(logadm, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++role logadm_r; ++ ++userdom_base_user_template(logadm) ++ ++######################################## ++# ++# logadmin local policy ++# ++ ++allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; ++ ++logging_admin(logadm_t, logadm_r, { logadm_devpts_t logadm_tty_device_t }) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.5.13/policy/modules/roles/staff.te +--- nsaserefpolicy/policy/modules/roles/staff.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/roles/staff.te 2008-11-11 16:22:03.000000000 -0500 +@@ -4,27 +4,68 @@ + ######################################## + # + # Declarations +-# + ++# + role staff_r; + +-userdom_unpriv_user_template(staff) ++userdom_admin_login_user_template(staff) + + ######################################## + # + # Local policy + # + ++kernel_read_ring_buffer(staff_t) ++kernel_getattr_core_if(staff_t) ++kernel_getattr_message_if(staff_t) ++kernel_read_software_raid_state(staff_t) ++ ++auth_domtrans_pam_console(staff_t) ++ ++libs_manage_shared_libs(staff_t) ++ + optional_policy(` + auditadm_role_change_template(staff) + ') + + optional_policy(` ++ 
kerneloops_manage_tmp_files(staff_t) ++') ++ ++optional_policy(` ++ logadm_role_change_template(staff) ++') ++ ++optional_policy(` ++ postgresql_userdom_template(staff, staff_t, staff_r) ++') ++ ++optional_policy(` + secadm_role_change_template(staff) + ') + + optional_policy(` ++ ssh_per_role_template(staff, staff_t, staff_r) ++') + -+ allow $1 fusefs_t:dir search_dir_perms; ++optional_policy(` + sysadm_role_change_template(staff) + sysadm_dontaudit_use_terms(staff_t) + ') + ++optional_policy(` ++ usernetctl_run(staff_t, staff_r, { staff_devpts_t staff_tty_device_t }) +') + -+######################################## -+## -+## Create, read, write, and delete directories -+## on a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`fs_manage_fusefs_dirs',` -+ gen_require(` -+ type fusefs_t; -+ ') ++optional_policy(` ++ unconfined_role_change_template(staff) ++') + -+ allow $1 fusefs_t:dir manage_dir_perms; ++optional_policy(` ++ webadm_role_change_template(staff) +') + -+######################################## -+## -+## Do not audit attempts to create, read, -+## write, and delete directories -+## on a FUSEFS filesystem. -+## -+## -+## -+## Domain to not audit. 
-+## -+## -+# -+interface(`fs_dontaudit_manage_fusefs_dirs',` -+ gen_require(` -+ type fusefs_t; -+ ') ++optional_policy(` ++ cron_admin_template(sysadm) ++') + -+ dontaudit $1 fusefs_t:dir manage_dir_perms; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.5.13/policy/modules/roles/sysadm.if +--- nsaserefpolicy/policy/modules/roles/sysadm.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/roles/sysadm.if 2008-11-11 16:22:03.000000000 -0500 +@@ -334,10 +334,10 @@ + # + interface(`sysadm_getattr_home_dirs',` + gen_require(` +- type sysadm_home_dir_t; ++ type admin_home_t; + ') + +- allow $1 sysadm_home_dir_t:dir getattr; ++ allow $1 admin_home_t:dir getattr; + ') + + ######################################## +@@ -354,10 +354,29 @@ + # + interface(`sysadm_dontaudit_getattr_home_dirs',` + gen_require(` +- type sysadm_home_dir_t; ++ type admin_home_t; + ') + +- dontaudit $1 sysadm_home_dir_t:dir getattr; ++ dontaudit $1 admin_home_t:dir getattr; +') + +######################################## +## -+## Create, read, write, and delete files -+## on a FUSEFS filesystem. ++## Do not audit attempts to write to ++## sysadm users home directory. +## +## +## -+## Domain allowed access. ++## Domain to not audit. 
+## +## -+## +# -+interface(`fs_manage_fusefs_files',` ++interface(`sysadm_dontaudit_write_home_dirs',` + gen_require(` -+ type fusefs_t; ++ type admin_home_t; + ') + -+ manage_files_pattern($1, fusefs_t, fusefs_t) -+') ++ dontaudit $1 admin_home_t:dir write; + ') + + ######################################## +@@ -372,10 +391,10 @@ + # + interface(`sysadm_search_home_dirs',` + gen_require(` +- type sysadm_home_dir_t; ++ type admin_home_t; + ') + +- allow $1 sysadm_home_dir_t:dir search_dir_perms; ++ allow $1 admin_home_t:dir search_dir_perms; + ') + + ######################################## +@@ -391,10 +410,10 @@ + # + interface(`sysadm_dontaudit_search_home_dirs',` + gen_require(` +- type sysadm_home_dir_t; ++ type admin_home_t; + ') + +- dontaudit $1 sysadm_home_dir_t:dir search_dir_perms; ++ dontaudit $1 admin_home_t:dir search_dir_perms; + ') + + ######################################## +@@ -409,10 +428,10 @@ + # + interface(`sysadm_list_home_dirs',` + gen_require(` +- type sysadm_home_dir_t; ++ type admin_home_t; + ') + +- allow $1 sysadm_home_dir_t:dir list_dir_perms; ++ allow $1 admin_home_t:dir list_dir_perms; + ') + + ######################################## +@@ -428,10 +447,10 @@ + # + interface(`sysadm_dontaudit_list_home_dirs',` + gen_require(` +- type sysadm_home_dir_t; ++ type admin_home_t; + ') + +- dontaudit $1 sysadm_home_dir_t:dir list_dir_perms; ++ dontaudit $1 admin_home_t:dir list_dir_perms; + ') + + ######################################## +@@ -458,10 +477,10 @@ + # + interface(`sysadm_home_dir_filetrans',` + gen_require(` +- type sysadm_home_dir_t; ++ type admin_home_t; + ') + +- filetrans_pattern($1, sysadm_home_dir_t, $2, $3) ++ filetrans_pattern($1, admin_home_t, $2, $3) + ') + + ######################################## +@@ -476,10 +495,10 @@ + # + interface(`sysadm_search_home_content_dirs',` + gen_require(` +- type sysadm_home_dir_t, sysadm_home_t; ++ type admin_home_t; + ') + +- allow $1 { sysadm_home_dir_t sysadm_home_t }:dir 
search_dir_perms; ++ allow $1 admin_home_t:dir search_dir_perms; + ') + + ######################################## +@@ -494,13 +513,12 @@ + # + interface(`sysadm_read_home_content_files',` + gen_require(` +- type sysadm_home_dir_t, sysadm_home_t; ++ type admin_home_t; + ') + + files_search_home($1) +- allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms; +- read_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t) +- read_lnk_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t) ++ read_files_pattern($1, admin_home_t, admin_home_t) ++ read_lnk_files_pattern($1, admin_home_t, admin_home_t) + ') + + ######################################## +@@ -516,13 +534,33 @@ + # + interface(`sysadm_dontaudit_read_home_content_files',` + gen_require(` +- type sysadm_home_dir_t, sysadm_home_t; ++ type admin_home_t; + ') + +- dontaudit $1 sysadm_home_dir_t:dir search_dir_perms; +- dontaudit $1 sysadm_home_t:dir search_dir_perms; +- dontaudit $1 sysadm_home_t:file read_file_perms; ++ dontaudit $1 admin_home_t:dir list_dir_perms; ++ dontaudit $1 admin_home_t:file read_file_perms; + + ') +######################################## +## -+## Read, a FUSEFS filesystem. ++## Do not audit attempts to read sym links in the sysadm ++## home directory. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## -+## +# -+interface(`fs_read_fusefs_files',` ++interface(`sysadm_dontaudit_read_home_sym_links',` + gen_require(` -+ type fusefs_t; ++ type admin_home_t; + ') + -+ read_files_pattern($1,fusefs_t,fusefs_t) -+') ++ dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms; + -+######################################## -+## -+## Read symbolic links on a FUSEFS filesystem. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`fs_read_fusefs_symlinks',` -+ gen_require(` -+ type fusefs_t; -+ ') ++') + -+ allow $1 fusefs_t:dir list_dir_perms; -+ read_lnk_files_pattern($1, fusefs_t, fusefs_t) + + ######################################## + ## +@@ -536,12 +574,12 @@ + # + interface(`sysadm_read_tmp_files',` + gen_require(` +- type sysadm_tmp_t; ++ type user_tmp_t; + ') + + files_search_tmp($1) +- allow $1 sysadm_tmp_t:dir list_dir_perms; +- read_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t) +- read_lnk_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t) ++ allow $1 user_tmp_t:dir list_dir_perms; ++ read_files_pattern($1, user_tmp_t, user_tmp_t) ++ read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) + ') + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.5.13/policy/modules/roles/sysadm.te +--- nsaserefpolicy/policy/modules/roles/sysadm.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/roles/sysadm.te 2008-11-11 16:22:03.000000000 -0500 +@@ -15,7 +15,7 @@ + + role sysadm_r; + +-userdom_admin_user_template(sysadm) ++userdom_admin_login_user_template(sysadm) + + ifndef(`enable_mls',` + userdom_security_admin_template(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) +@@ -110,10 +110,6 @@ + ') + + optional_policy(` +- cron_admin_template(sysadm) +-') +- +-optional_policy(` + cvs_exec(sysadm_t) + ') + +@@ -171,6 +167,10 @@ + ') + + optional_policy(` ++ kerberos_exec_kadmind(sysadm_t) +') + ++optional_policy(` + kudzu_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + ') + +@@ -215,8 +215,8 @@ + + optional_policy(` + netutils_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) +- netutils_run_ping(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) +- netutils_run_traceroute(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) ++# netutils_run_ping(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) ++# 
netutils_run_traceroute(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) + ') + + optional_policy(` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.if serefpolicy-3.5.13/policy/modules/roles/unprivuser.if +--- nsaserefpolicy/policy/modules/roles/unprivuser.if 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/roles/unprivuser.if 2008-11-11 16:22:03.000000000 -0500 +@@ -62,6 +62,26 @@ + files_home_filetrans($1, user_home_dir_t, dir) + ') + + +######################################## +## -+## Do not audit attempts to create, -+## read, write, and delete files -+## on a FUSEFS filesystem. ++## Create generic user home directories ++## with automatic file type transition. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`fs_dontaudit_manage_fusefs_files',` ++interface(`unprivuser_home_dir_filetrans',` + gen_require(` -+ type fusefs_t; ++ type user_home_dir_t; + ') + -+ dontaudit $1 fusefs_t:file manage_file_perms; ++ filetrans_pattern($1, user_home_dir_t, $2, $3) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.5.13/policy/modules/kernel/filesystem.te ---- nsaserefpolicy/policy/modules/kernel/filesystem.te 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.te 2008-11-11 16:22:03.000000000 -0500 -@@ -21,7 +21,6 @@ - - # Use xattrs for the following filesystem types. - # Requires that a security xattr handler exist for the filesystem. 
--fs_use_xattr ecryptfs gen_context(system_u:object_r:fs_t,s0); - fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0); - fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0); - fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0); -@@ -76,6 +75,11 @@ - allow cpusetfs_t self:filesystem associate; - genfscon cpuset / gen_context(system_u:object_r:cpusetfs_t,s0) - -+type ecryptfs_t; -+fs_noxattr_type(ecryptfs_t) -+files_mountpoint(ecryptfs_t) -+genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0) + - type eventpollfs_t; - fs_type(eventpollfs_t) - # change to task SID 20060628 -@@ -141,6 +145,8 @@ - fs_noxattr_type(vmblock_t) - files_mountpoint(vmblock_t) - genfscon vmblock / gen_context(system_u:object_r:vmblock_t,s0) -+genfscon vboxsf / gen_context(system_u:object_r:vmblock_t,s0) -+genfscon vmhgfs / gen_context(system_u:object_r:vmblock_t,s0) - - type vxfs_t; - fs_noxattr_type(vxfs_t) -@@ -241,6 +247,7 @@ - genfscon lustre / gen_context(system_u:object_r:nfs_t,s0) - genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) - genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) -+genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) - ######################################## - # -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.5.13/policy/modules/kernel/kernel.if ---- nsaserefpolicy/policy/modules/kernel/kernel.if 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/kernel.if 2008-11-11 16:22:03.000000000 -0500 -@@ -1198,6 +1198,7 @@ + ## + ## Search generic user home directories. 
+@@ -77,6 +97,7 @@ + type user_home_dir_t; ') - dontaudit $1 proc_type:dir list_dir_perms; -+ dontaudit $1 proc_type:file getattr; ++ files_search_home($1) + allow $1 user_home_dir_t:dir search_dir_perms; ') - ######################################## -@@ -1234,9 +1235,11 @@ - interface(`kernel_read_sysctl',` +@@ -177,11 +198,29 @@ + # + interface(`unprivuser_manage_home_content_dirs',` gen_require(` - type sysctl_t; -+ type proc_t; +- type user_home_dir_t, user_home_t; ++ attribute user_home_dir_type, user_home_type; ') - list_dirs_pattern($1, proc_t, sysctl_t) -+ read_files_pattern($1, sysctl_t, sysctl_t) - ') - - ######################################## -@@ -1569,6 +1572,26 @@ - - ######################################## - ## -+## Read generic crypto sysctls. + files_search_home($1) +- manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t) ++ manage_dirs_pattern($1, { user_home_dir_type user_home_type }, user_home_type) ++') ++ ++######################################## ++## ++## Don't audit list on the user home subdirectory. +## +## +## 
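Review bot: In the new logadm.te, `allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };` grants a log-administration role more than reading and rotating logs requires; `dac_read_search` already covers reading files owned by other users, while `dac_override` adds DAC-bypassing write access and `sys_ptrace` lets the domain inspect other processes, and nothing else visible in this module appears to need either. I would trim the set to what `logging_admin` actually requires and add a comment naming the tool behind each remaining capability, e.g. `# dac_read_search: logrotate reads logs owned by other users`. The same least-privilege question applies to `libs_manage_shared_libs(staff_t)` in staff.te, which lets the staff domain modify shared libraries loaded by every other domain; if a specific tool needs it, scope it inside an optional_policy block with a comment saying which. In guest.te, `role xguest_r;` is declared while the rest of the module (`userdom_restricted_user_template(guest)`, `gen_user(guest_u, user, guest_r, s0, s0)`) works with guest_r and the later optional_policy block gen_requires `role xguest_r`, so this looks like it should read `role guest_r;` or belongs in the xguest module.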
@@ -7147,573 +9221,230 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`kernel_read_crypto_sysctls',` ++interface(`unprivuser_dontaudit_list_home_dirs',` + gen_require(` -+ type proc_t, sysctl_t, sysctl_crypto_t; ++ type user_home_t, user_home_dir_t; + ') + -+ read_files_pattern($1, { proc_t sysctl_t sysctl_crypto_t }, sysctl_crypto_t) -+ -+ list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_crypto_t) -+') -+ -+######################################## -+## - ## Read generic kernel sysctls. - ## - ## -@@ -1768,6 +1791,7 @@ - ') - - dontaudit $1 sysctl_type:dir list_dir_perms; -+ dontaudit $1 sysctl_type:file read_file_perms; ++ dontaudit $1 { user_home_dir_t user_home_t }:dir list_dir_perms; ') ######################################## -@@ -2582,6 +2606,24 @@ - - ######################################## - ## -+## Relabel to unlabeled context . -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`kernel_relabelto_unlabeled',` -+ gen_require(` -+ type unlabeled_t; +@@ -236,11 +275,30 @@ + # + interface(`unprivuser_mmap_home_content_files',` + gen_require(` +- type user_home_t; ++ attribute user_home_type; + ') + -+ allow $1 unlabeled_t:dir_file_class_set relabelto; ++ files_search_home($1) ++ allow $1 user_home_type:file execute; +') + +######################################## +## - ## Unconfined access to kernel module resources. 
- ## - ## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.5.13/policy/modules/kernel/kernel.te ---- nsaserefpolicy/policy/modules/kernel/kernel.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/kernel.te 2008-11-11 16:22:03.000000000 -0500 -@@ -63,6 +63,15 @@ - genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) - - # -+# infinibandeventfs fs -+# -+ -+type infinibandeventfs_t; -+fs_type(infinibandeventfs_t) -+allow infinibandeventfs_t self:filesystem associate; -+genfscon infinibandeventfs / gen_context(system_u:object_r:infinibandeventfs_t,s0) -+ ++## Read link files in generic user home directories. ++## ++## ++## ++## Domain allowed access. ++## ++## +# - # kvmFS - # - -@@ -120,6 +129,10 @@ - type sysctl_rpc_t, sysctl_type; - genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0) - -+# /proc/sys/crypto directory and files -+type sysctl_crypto_t, sysctl_type; -+genfscon proc /sys/crypto gen_context(system_u:object_r:sysctl_crypto_t,s0) -+ - # /proc/sys/fs directory and files - type sysctl_fs_t, sysctl_type; - files_mountpoint(sysctl_fs_t) -@@ -160,6 +173,7 @@ - # - type unlabeled_t; - sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -+fs_associate(unlabeled_t) - - # These initial sids are no longer used, and can be removed: - sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -@@ -274,6 +288,8 @@ - fs_rw_tmpfs_chr_files(kernel_t) - ') - -+unprivuser_home_dir_filetrans_home_content(kernel_t, { file dir }) -+ - tunable_policy(`read_default_t',` - files_list_default(kernel_t) - files_read_default_files(kernel_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.5.13/policy/modules/kernel/selinux.if ---- nsaserefpolicy/policy/modules/kernel/selinux.if 2008-10-17 08:49:13.000000000 -0400 -+++ 
serefpolicy-3.5.13/policy/modules/kernel/selinux.if 2008-11-11 16:22:03.000000000 -0500 -@@ -164,6 +164,7 @@ - type security_t; - ') - -+ selinux_dontaudit_getattr_fs($1) - dontaudit $1 security_t:dir search_dir_perms; - dontaudit $1 security_t:file { getattr read }; - ') -@@ -185,6 +186,7 @@ - type security_t; ++interface(`unprivuser_read_home_content_symlinks',` ++ gen_require(` ++ type user_home_t, user_home_dir_t; ') -+ selinux_get_fs_mount($1) - allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file { getattr read }; + files_search_home($1) +- allow $1 user_home_t:file execute; ++ read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) ') -@@ -265,6 +267,34 @@ ######################################## - ## -+## Allow caller to read the state of Booleans +@@ -342,3 +400,542 @@ + manage_sock_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) + ') + ++######################################## ++## ++## Do not audit attempts to write user home files. +## +## +##

-+## Allow caller read the state of Booleans ++## Do not audit attempts to write user home files. ++##

++##

++## This is a templated interface, and should only ++## be called from a per-userdomain template. +##

+##
+## +## -+## The process type allowed to set the Boolean. ++## Domain to not audit. +## +## -+## +# -+interface(`selinux_get_boolean',` ++template(`unprivuser_dontaudit_write_home_content_files',` + gen_require(` -+ type security_t; -+ attribute booleans_type; -+ bool secure_mode_policyload; ++ type user_home_t; + ') + -+ allow $1 security_t:dir list_dir_perms; -+ allow $1 booleans_type:dir list_dir_perms; -+ allow $1 booleans_type:file read_file_perms; -+') ++ dontaudit $1 user_home_t:file write; + -+######################################## -+## - ## Allow caller to set the state of Booleans to - ## enable or disable conditional portions of the policy. - ## -@@ -288,11 +318,13 @@ - interface(`selinux_set_boolean',` - gen_require(` - type security_t; -+ attribute booleans_type; - bool secure_mode_policyload; - ') - - allow $1 security_t:dir list_dir_perms; -- allow $1 security_t:file { getattr read write }; -+ allow $1 booleans_type:dir list_dir_perms; -+ allow $1 booleans_type:file { getattr read write }; - - if(!secure_mode_policyload) { - allow $1 security_t:security setbool; -@@ -510,3 +542,23 @@ - - typeattribute $1 selinux_unconfined_type; - ') ++ fs_dontaudit_list_nfs($1) ++ fs_dontaudit_rw_nfs_files($1) ++ ++ fs_dontaudit_list_cifs($1) ++ fs_dontaudit_rw_cifs_files($1) ++') + +######################################## +## -+## Generate a file context for a boolean type ++## Do not audit attempts to unlink user home files. +## ++## ++##

++## Do not audit attempts to unlink user home files. ++##

++##

++## This is a templated interface, and should only ++## be called from a per-userdomain template. ++##

++##
+## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`selinux_genbool',` ++template(`unprivuser_dontaudit_unlink_home_content_files',` + gen_require(` -+ attribute booleans_type; ++ type user_home_t; + ') + -+ type $1, booleans_type; -+ fs_type($1) -+ mls_trusted_object($1) -+') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.te serefpolicy-3.5.13/policy/modules/kernel/selinux.te ---- nsaserefpolicy/policy/modules/kernel/selinux.te 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/selinux.te 2008-11-11 16:22:03.000000000 -0500 -@@ -10,6 +10,7 @@ - attribute can_setenforce; - attribute can_setsecparam; - attribute selinux_unconfined_type; -+attribute booleans_type; - - # - # security_t is the target type when checking -@@ -23,6 +24,11 @@ - genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0) - genfscon securityfs / gen_context(system_u:object_r:security_t,s0) - -+type boolean_t, booleans_type; -+fs_type(boolean_t) -+mls_trusted_object(boolean_t) -+#genfscon selinuxfs /booleans gen_context(system_u:object_r:boolean_t,s0) -+ - neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy; - neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce; - neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam; -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.5.13/policy/modules/kernel/storage.fc ---- nsaserefpolicy/policy/modules/kernel/storage.fc 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/storage.fc 2008-11-11 16:22:03.000000000 -0500 -@@ -36,7 +36,7 @@ - /dev/pg[0-3] -c gen_context(system_u:object_r:removable_device_t,s0) - /dev/ps3d.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - /dev/ram.* -b 
gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) --/dev/rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -+/dev/(raw/)?rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - /dev/rd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) - ifdef(`distro_redhat', ` - /dev/root -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.5.13/policy/modules/kernel/terminal.if ---- nsaserefpolicy/policy/modules/kernel/terminal.if 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/terminal.if 2008-11-11 16:22:03.000000000 -0500 -@@ -250,9 +250,11 @@ - interface(`term_dontaudit_use_console',` - gen_require(` - type console_device_t; -+ type tty_device_t; - ') - - dontaudit $1 console_device_t:chr_file rw_chr_file_perms; -+ dontaudit $1 tty_device_t:chr_file rw_chr_file_perms; - ') - - ######################################## -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.5.13/policy/modules/roles/staff.te ---- nsaserefpolicy/policy/modules/roles/staff.te 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/roles/staff.te 2008-11-11 16:22:03.000000000 -0500 -@@ -4,27 +4,68 @@ - ######################################## - # - # Declarations --# - -+# - role staff_r; - --userdom_unpriv_user_template(staff) -+userdom_admin_login_user_template(staff) - - ######################################## - # - # Local policy - # - -+kernel_read_ring_buffer(staff_t) -+kernel_getattr_core_if(staff_t) -+kernel_getattr_message_if(staff_t) -+kernel_read_software_raid_state(staff_t) -+ -+auth_domtrans_pam_console(staff_t) -+ -+libs_manage_shared_libs(staff_t) -+ - optional_policy(` - auditadm_role_change_template(staff) - ') - - optional_policy(` -+ 
kerneloops_manage_tmp_files(staff_t) -+') -+ -+optional_policy(` -+ logadm_role_change_template(staff) -+') -+ -+optional_policy(` -+ postgresql_userdom_template(staff, staff_t, staff_r) -+') -+ -+optional_policy(` - secadm_role_change_template(staff) - ') - - optional_policy(` -+ ssh_per_role_template(staff, staff_t, staff_r) -+') -+ -+optional_policy(` - sysadm_role_change_template(staff) - sysadm_dontaudit_use_terms(staff_t) - ') - -+optional_policy(` -+ usernetctl_run(staff_t, staff_r, { staff_devpts_t staff_tty_device_t }) -+') -+ -+optional_policy(` -+ unconfined_role_change_template(staff) -+') -+ -+optional_policy(` -+ webadm_role_change_template(staff) -+') -+ -+optional_policy(` -+ cron_admin_template(sysadm) ++ dontaudit $1 user_home_t:file unlink; +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.5.13/policy/modules/roles/sysadm.if ---- nsaserefpolicy/policy/modules/roles/sysadm.if 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/roles/sysadm.if 2008-11-11 16:22:03.000000000 -0500 -@@ -334,10 +334,10 @@ - # - interface(`sysadm_getattr_home_dirs',` - gen_require(` -- type sysadm_home_dir_t; -+ type admin_home_t; - ') - -- allow $1 sysadm_home_dir_t:dir getattr; -+ allow $1 admin_home_t:dir getattr; - ') - - ######################################## -@@ -354,10 +354,29 @@ - # - interface(`sysadm_dontaudit_getattr_home_dirs',` - gen_require(` -- type sysadm_home_dir_t; -+ type admin_home_t; - ') - -- dontaudit $1 sysadm_home_dir_t:dir getattr; -+ dontaudit $1 admin_home_t:dir getattr; ++######################################## ++## ++## Do not audit attempts to manage users ++## temporary directories. ++## ++## ++##

++## Do not audit attempts to manage users ++## temporary directories. ++##

++##

++## This is a templated interface, and should only ++## be called from a per-userdomain template. ++##

++##
++## ++## ++## Domain to not audit. ++## ++## ++# ++template(`unprivuser_dontaudit_manage_tmp_dirs',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ dontaudit $1 user_tmp_t:dir manage_dir_perms; +') + ++ +######################################## +## -+## Do not audit attempts to write to -+## sysadm users home directory. ++## Create, read, write, and delete user ++## temporary named sockets. +## ++## ++##

++## Create, read, write, and delete user ++## temporary named sockets. ++##

++##

++## This is a templated interface, and should only ++## be called from a per-userdomain template. ++##

++##
+## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`sysadm_dontaudit_write_home_dirs',` ++template(`unprivuser_manage_tmp_sockets',` + gen_require(` -+ type admin_home_t; ++ type user_tmp_t; + ') + -+ dontaudit $1 admin_home_t:dir write; - ') - - ######################################## -@@ -372,10 +391,10 @@ - # - interface(`sysadm_search_home_dirs',` - gen_require(` -- type sysadm_home_dir_t; -+ type admin_home_t; - ') - -- allow $1 sysadm_home_dir_t:dir search_dir_perms; -+ allow $1 admin_home_t:dir search_dir_perms; - ') - - ######################################## -@@ -391,10 +410,10 @@ - # - interface(`sysadm_dontaudit_search_home_dirs',` - gen_require(` -- type sysadm_home_dir_t; -+ type admin_home_t; - ') - -- dontaudit $1 sysadm_home_dir_t:dir search_dir_perms; -+ dontaudit $1 admin_home_t:dir search_dir_perms; - ') - - ######################################## -@@ -409,10 +428,10 @@ - # - interface(`sysadm_list_home_dirs',` - gen_require(` -- type sysadm_home_dir_t; -+ type admin_home_t; - ') - -- allow $1 sysadm_home_dir_t:dir list_dir_perms; -+ allow $1 admin_home_t:dir list_dir_perms; - ') - - ######################################## -@@ -428,10 +447,10 @@ - # - interface(`sysadm_dontaudit_list_home_dirs',` - gen_require(` -- type sysadm_home_dir_t; -+ type admin_home_t; - ') - -- dontaudit $1 sysadm_home_dir_t:dir list_dir_perms; -+ dontaudit $1 admin_home_t:dir list_dir_perms; - ') - - ######################################## -@@ -458,10 +477,10 @@ - # - interface(`sysadm_home_dir_filetrans',` - gen_require(` -- type sysadm_home_dir_t; -+ type admin_home_t; - ') - -- filetrans_pattern($1, sysadm_home_dir_t, $2, $3) -+ filetrans_pattern($1, admin_home_t, $2, $3) - ') - - ######################################## -@@ -476,10 +495,10 @@ - # - interface(`sysadm_search_home_content_dirs',` - gen_require(` -- type sysadm_home_dir_t, sysadm_home_t; -+ type admin_home_t; - ') - -- allow $1 { sysadm_home_dir_t sysadm_home_t 
}:dir search_dir_perms; -+ allow $1 admin_home_t:dir search_dir_perms; - ') - - ######################################## -@@ -494,13 +513,12 @@ - # - interface(`sysadm_read_home_content_files',` - gen_require(` -- type sysadm_home_dir_t, sysadm_home_t; -+ type admin_home_t; - ') - - files_search_home($1) -- allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms; -- read_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t) -- read_lnk_files_pattern($1, { sysadm_home_dir_t sysadm_home_t }, sysadm_home_t) -+ read_files_pattern($1, admin_home_t, admin_home_t) -+ read_lnk_files_pattern($1, admin_home_t, admin_home_t) - ') - - ######################################## -@@ -516,13 +534,33 @@ - # - interface(`sysadm_dontaudit_read_home_content_files',` - gen_require(` -- type sysadm_home_dir_t, sysadm_home_t; -+ type admin_home_t; - ') - -- dontaudit $1 sysadm_home_dir_t:dir search_dir_perms; -- dontaudit $1 sysadm_home_t:dir search_dir_perms; -- dontaudit $1 sysadm_home_t:file read_file_perms; -+ dontaudit $1 admin_home_t:dir list_dir_perms; -+ dontaudit $1 admin_home_t:file read_file_perms; ++ files_search_tmp($1) ++ manage_sock_files_pattern($1, user_tmp_t, user_tmp_t) ++') + - ') +######################################## +## -+## Do not audit attempts to read sym links in the sysadm -+## home directory. ++## Read all unprivileged users files in /tmp +## +## +## -+## Domain to not audit. ++## Domain allowed access. 
+## +## +# -+interface(`sysadm_dontaudit_read_home_sym_links',` ++interface(`unprivuser_read_tmp_files',` + gen_require(` -+ type admin_home_t; ++ type user_tmp_t; + ') + -+ dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms; -+ ++ read_files_pattern($1, user_tmp_t, user_tmp_t) +') + - - ######################################## - ## -@@ -536,12 +574,12 @@ - # - interface(`sysadm_read_tmp_files',` - gen_require(` -- type sysadm_tmp_t; ++######################################## ++## ++## Write all unprivileged users files in /tmp ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unprivuser_write_tmp_files',` ++ gen_require(` + type user_tmp_t; - ') - - files_search_tmp($1) -- allow $1 sysadm_tmp_t:dir list_dir_perms; -- read_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t) -- read_lnk_files_pattern($1, sysadm_tmp_t, sysadm_tmp_t) -+ allow $1 user_tmp_t:dir list_dir_perms; -+ read_files_pattern($1, user_tmp_t, user_tmp_t) -+ read_lnk_files_pattern($1, user_tmp_t, user_tmp_t) - ') - -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.te serefpolicy-3.5.13/policy/modules/roles/sysadm.te ---- nsaserefpolicy/policy/modules/roles/sysadm.te 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/roles/sysadm.te 2008-11-11 16:22:03.000000000 -0500 -@@ -15,7 +15,7 @@ - - role sysadm_r; - --userdom_admin_user_template(sysadm) -+userdom_admin_login_user_template(sysadm) - - ifndef(`enable_mls',` - userdom_security_admin_template(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) -@@ -110,10 +110,6 @@ - ') - - optional_policy(` -- cron_admin_template(sysadm) --') -- --optional_policy(` - cvs_exec(sysadm_t) - ') - -@@ -171,6 +167,10 @@ - ') - - optional_policy(` -+ kerberos_exec_kadmind(sysadm_t) ++ ') ++ ++ write_files_pattern($1, user_tmp_t, user_tmp_t) +') + -+optional_policy(` - kudzu_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) - ') - -@@ -215,8 +215,8 
@@ - - optional_policy(` - netutils_run(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) -- netutils_run_ping(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) -- netutils_run_traceroute(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) -+# netutils_run_ping(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) -+# netutils_run_traceroute(sysadm_t, sysadm_r, { sysadm_tty_device_t sysadm_devpts_t }) - ') - - optional_policy(` -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.if serefpolicy-3.5.13/policy/modules/roles/unprivuser.if ---- nsaserefpolicy/policy/modules/roles/unprivuser.if 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/roles/unprivuser.if 2008-11-11 16:22:03.000000000 -0500 -@@ -62,6 +62,26 @@ - files_home_filetrans($1, user_home_dir_t, dir) - ') - ++######################################## ++## ++## Write all unprivileged users files in /tmp ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unprivuser_manage_tmp_files',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ manage_files_pattern($1, user_tmp_t, user_tmp_t) ++') + +######################################## +## -+## Create generic user home directories -+## with automatic file type transition. ++## Write all unprivileged users lnk_files in /tmp +## +## +## 
@@ -7721,41 +9452,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`unprivuser_home_dir_filetrans',` ++interface(`unprivuser_manage_tmp_symlinks',` + gen_require(` -+ type user_home_dir_t; ++ type user_tmp_t; + ') + -+ filetrans_pattern($1, user_home_dir_t, $2, $3) -+') -+ - ######################################## - ## - ## Search generic user home directories. -@@ -77,6 +97,7 @@ - type user_home_dir_t; - ') - -+ files_search_home($1) - allow $1 user_home_dir_t:dir search_dir_perms; - ') - -@@ -177,11 +198,29 @@ - # - interface(`unprivuser_manage_home_content_dirs',` - gen_require(` -- type user_home_dir_t, user_home_t; -+ attribute user_home_dir_type, user_home_type; - ') - - files_search_home($1) -- manage_dirs_pattern($1, { user_home_dir_t user_home_t }, user_home_t) -+ manage_dirs_pattern($1, { user_home_dir_type user_home_type }, user_home_type) ++ files_search_tmp($1) ++ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) +') + +######################################## +## -+## Don't audit list on the user home subdirectory. ++## Do not audit attempts to relabel unpriv user ++## home files. +## +## +## 
@@ -7763,30 +9472,36 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`unprivuser_dontaudit_list_home_dirs',` ++interface(`unprivuser_dontaudit_home_content_files',` + gen_require(` -+ type user_home_t, user_home_dir_t; ++ attribute user_home_type; + ') + -+ dontaudit $1 { user_home_dir_t user_home_t }:dir list_dir_perms; - ') - - ######################################## -@@ -236,11 +275,30 @@ - # - interface(`unprivuser_mmap_home_content_files',` - gen_require(` -- type user_home_t; -+ attribute user_home_type; ++ dontaudit $1 user_home_type:file { relabelto relabelfrom }; ++') ++ ++######################################## ++## ++## unlink all unprivileged users files in /tmp ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unprivuser_unlink_tmp_files',` ++ gen_require(` ++ attribute user_tmpfile; + ') + -+ files_search_home($1) -+ allow $1 user_home_type:file execute; ++ files_delete_tmp_dir_entry($1) ++ allow $1 user_tmpfile:file unlink; +') + +######################################## +## -+## Read link files in generic user home directories. ++## Connect to unpriviledged users over an unix stream socket. +## +## +## 
@@ -7794,28 +9509,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`unprivuser_read_home_content_symlinks',` ++interface(`unprivuser_stream_connect',` + gen_require(` -+ type user_home_t, user_home_dir_t; - ') - - files_search_home($1) -- allow $1 user_home_t:file execute; -+ read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) - ') - - ######################################## -@@ -342,3 +400,542 @@ - manage_sock_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) - ') - ++ attribute user_tmpfile; ++ attribute userdomain; ++ ') ++ ++ stream_connect_pattern($1, user_tmpfile, user_tmpfile, userdomain) ++') ++ +######################################## +## -+## Do not audit attempts to write user home files. ++## Create, read, write, and delete user ++## temporary directories. +## +## +##
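Review bot: The new `unprivuser_dontaudit_home_content_files` interface suppresses only `relabelto relabelfrom` on `user_home_type:file`, but nothing in its name says which permission it covers, so a caller reading the name would expect a general dontaudit and could use it to silence denials it was never meant to hide. Refpolicy interface names normally carry the permission; `interface(`unprivuser_dontaudit_relabel_home_content_files',`` with the summary `## Do not audit attempts to relabel unprivileged user home content files.` makes the scope explicit. Any callers elsewhere in the patch would need the same rename, which I cannot see from this hunk.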

-+## Do not audit attempts to write user home files. ++## Create, read, write, and delete user ++## temporary directories. +##

+##

+## This is a templated interface, and should only @@ -7824,114 +9535,124 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +##
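Review bot: `unprivuser_stream_connect` is documented as connecting to unprivileged users, but its `gen_require` pulls `attribute userdomain` and `stream_connect_pattern($1, user_tmpfile, user_tmpfile, userdomain)` therefore permits connecting to sockets of every user domain, privileged ones included, which is wider than the name and summary state. The patch already uses the narrower attribute in `unprivuser_rw_semaphores`, so `attribute unpriv_userdomain;` and `stream_connect_pattern($1, user_tmpfile, user_tmpfile, unpriv_userdomain)` would match the documented scope; if the broader grant is intended, the summary should say so. The summary line also has two spelling slips, `## Connect to unprivileged users over a unix stream socket.`. The docblock of the following `unprivuser_manage_tmp_dirs` template continues past the end of this hunk.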

-+## Domain to not audit. ++## Domain allowed access. +## +## +# -+template(`unprivuser_dontaudit_write_home_content_files',` ++template(`unprivuser_manage_tmp_dirs',` + gen_require(` -+ type user_home_t; ++ type user_tmp_t; + ') + -+ dontaudit $1 user_home_t:file write; -+ -+ fs_dontaudit_list_nfs($1) -+ fs_dontaudit_rw_nfs_files($1) -+ -+ fs_dontaudit_list_cifs($1) -+ fs_dontaudit_rw_cifs_files($1) ++ files_search_tmp($1) ++ manage_dirs_pattern($1, user_tmp_t, user_tmp_t) +') + +######################################## +## -+## Do not audit attempts to unlink user home files. ++## Create, read, write, and delete user ++## temporary named pipes. +## +## +##

-+## Do not audit attempts to unlink user home files. ++## Create, read, write, and delete user ++## temporary named pipes. +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+template(`unprivuser_dontaudit_unlink_home_content_files',` ++template(`unprivuser_manage_tmp_pipes',` + gen_require(` -+ type user_home_t; ++ type user_tmp_t; + ') + -+ dontaudit $1 user_home_t:file unlink; ++ files_search_tmp($1) ++ manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t) +') + +######################################## +## -+## Do not audit attempts to manage users -+## temporary directories. ++## Manage user untrusted files. +## +## -+##

-+## Do not audit attempts to manage users -+## temporary directories. -+##

-+##

-+## This is a templated interface, and should only -+## be called from a per-userdomain template. -+##

++##

++## Create, read, write, and delete untrusted files. ++##

++##

++## This is a templated interface, and should only ++## be called from a per-userdomain template. ++##

+##
++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+template(`unprivuser_dontaudit_manage_tmp_dirs',` ++template(`unprivuser_manage_untrusted_content_files',` + gen_require(` -+ type user_tmp_t; ++ type user_untrusted_content_t; + ') + -+ dontaudit $1 user_tmp_t:dir manage_dir_perms; ++ manage_files_pattern($1, user_untrusted_content_t, user_untrusted_content_t) +') + -+ +######################################## +## -+## Create, read, write, and delete user -+## temporary named sockets. ++## Manage user untrusted tmp files. +## +## -+##

-+## Create, read, write, and delete user -+## temporary named sockets. -+##

-+##

-+## This is a templated interface, and should only -+## be called from a per-userdomain template. -+##

++##

++## Create, read, write, and delete untrusted tmp files. ++##

++##

++## This is a templated interface, and should only ++## be called from a per-userdomain template. ++##

+##
++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## +## +## -+## Domain allowed access. ++## Domain allowed access. +## +## +# -+template(`unprivuser_manage_tmp_sockets',` ++template(`unprivuser_manage_untrusted_content_tmp_files',` + gen_require(` -+ type user_tmp_t; ++ type user_untrusted_content_tmp_t; + ') + -+ files_search_tmp($1) -+ manage_sock_files_pattern($1, user_tmp_t, user_tmp_t) ++ manage_files_pattern($1, user_untrusted_content_tmp_t, user_untrusted_content_tmp_t) +') + +######################################## +## -+## Read all unprivileged users files in /tmp ++## RW unpriviledged user SysV sempaphores. +## +## +## @@ -7939,54 +9660,74 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`unprivuser_read_tmp_files',` ++interface(`unprivuser_rw_semaphores',` + gen_require(` -+ type user_tmp_t; ++ attribute unpriv_userdomain; + ') + -+ read_files_pattern($1, user_tmp_t, user_tmp_t) ++ allow $1 unpriv_userdomain:sem rw_sem_perms; +') + +######################################## +## -+## Write all unprivileged users files in /tmp ++## Read user tmpfs files. +## ++## ++##

++##

++## read user temporary file system files ++##

++##

++##
+## +## +## Domain allowed access. +## +## +# -+interface(`unprivuser_write_tmp_files',` ++template(`unprivuser_read_tmpfs_files',` + gen_require(` -+ type user_tmp_t; ++ type user_tmpfs_t; + ') + -+ write_files_pattern($1, user_tmp_t, user_tmp_t) ++ fs_search_tmpfs($1) ++ read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) +') + +######################################## +## -+## Write all unprivileged users files in /tmp ++## Unlink user tmpfs files. +## ++## ++##

++## Read/write user tmpfs files. ++##

++##

++## This is a templated interface, and should only ++## be called from a per-userdomain template. ++##

++##
+## +## +## Domain allowed access. +## +## +# -+interface(`unprivuser_manage_tmp_files',` ++template(`unprivuser_delete_tmpfs_files',` + gen_require(` -+ type user_tmp_t; ++ type user_tmpfs_t; + ') + -+ files_search_tmp($1) -+ manage_files_pattern($1, user_tmp_t, user_tmp_t) ++ fs_search_tmpfs($1) ++ allow $1 user_tmpfs_t:dir list_dir_perms; ++ delete_files_pattern($1, user_tmpfs_t, user_tmpfs_t) ++ read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) +') + +######################################## +## -+## Write all unprivileged users lnk_files in /tmp ++## append all unprivileged users home directory ++## files. +## +## +## @@ -7994,19 +9735,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`unprivuser_manage_tmp_symlinks',` ++interface(`unprivuser_append_home_content_files',` + gen_require(` -+ type user_tmp_t; ++ attribute user_home_dir_type, user_home_type; + ') + -+ files_search_tmp($1) -+ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t) ++ files_search_home($1) ++ allow $1 user_home_type:dir list_dir_perms; ++ append_files_pattern($1, { user_home_dir_type user_home_type }, user_home_type) ++ tunable_policy(`use_nfs_home_dirs',` ++ fs_append_nfs_files($1) ++ ') ++ tunable_policy(`use_samba_home_dirs',` ++ fs_append_cifs_files($1) ++ ') +') + +######################################## +## -+## Do not audit attempts to relabel unpriv user -+## home files. ++## dontaudit append all unprivileged users home directory ++## files. +## +## +## 
@@ -8014,17 +9762,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`unprivuser_dontaudit_home_content_files',` ++interface(`unprivuser_dontaudit_append_home_content_files',` + gen_require(` + attribute user_home_type; + ') + -+ dontaudit $1 user_home_type:file { relabelto relabelfrom }; ++ dontaudit $1 user_home_type:file append_file_perms; ++ tunable_policy(`use_nfs_home_dirs',` ++ fs_dontaudit_append_nfs_files($1) ++ ') ++ tunable_policy(`use_samba_home_dirs',` ++ fs_dontaudit_append_cifs_files($1) ++ ') +') + +######################################## +## -+## unlink all unprivileged users files in /tmp ++## dontaudit Read all unprivileged users home directory ++## files. +## +## +## 
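Review bot: `allow $1 user_home_type:dir list_dir_perms;` in `unprivuser_append_home_content_files` grants directory listing across all user home content, which is more than appending to files requires and more than the interface name advertises. `append_files_pattern` already carries the directory search access needed to reach the files (as I recall the refpolicy pattern definition), so the extra line can be dropped; if a caller really needs listing, that should be stated in the description rather than granted silently. The interface's docblock starts in the previous hunk.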
@@ -8032,169 +9787,226 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`unprivuser_unlink_tmp_files',` ++interface(`unprivuser_dontaudit_read_home_content_files',` + gen_require(` -+ attribute user_tmpfile; ++ attribute user_home_dir_type, user_home_type; + ') + -+ files_delete_tmp_dir_entry($1) -+ allow $1 user_tmpfile:file unlink; ++ files_search_home($1) ++ dontaudit $1 user_home_type:dir list_dir_perms; ++ dontaudit $1 user_home_type:file read_file_perms; ++ dontaudit $1 user_home_type:file read_lnk_file_perms; ++ ++ tunable_policy(`use_nfs_home_dirs',` ++ fs_dontaudit_read_nfs_files($1) ++ ') ++ ++ tunable_policy(`use_samba_home_dirs',` ++ fs_dontaudit_read_cifs_files($1) ++ ') ++') ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.5.13/policy/modules/roles/unprivuser.te +--- nsaserefpolicy/policy/modules/roles/unprivuser.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/roles/unprivuser.te 2008-11-11 16:22:03.000000000 -0500 +@@ -13,3 +13,18 @@ + + userdom_unpriv_user_template(user) + ++optional_policy(` ++ kerneloops_dontaudit_dbus_chat(user_t) ++') ++ ++optional_policy(` ++ postgresql_userdom_template(user, user_t, user_r) ++') ++ ++optional_policy(` ++ rpm_dontaudit_dbus_chat(user_t) ++') ++ ++optional_policy(` ++ setroubleshoot_dontaudit_stream_connect(user_t) +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.fc serefpolicy-3.5.13/policy/modules/roles/webadm.fc +--- nsaserefpolicy/policy/modules/roles/webadm.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/roles/webadm.fc 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1 @@ ++# No webadm file contexts. 
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.if serefpolicy-3.5.13/policy/modules/roles/webadm.if +--- nsaserefpolicy/policy/modules/roles/webadm.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/roles/webadm.if 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,44 @@ ++## Policy for webadm role + +######################################## +## -+## Connect to unpriviledged users over an unix stream socket. ++## Change to the generic user role. +## -+## ++## +## -+## Domain allowed access. ++## The prefix of the user role (e.g., user ++## is the prefix for user_r). +## +## ++## +# -+interface(`unprivuser_stream_connect',` -+ gen_require(` -+ attribute user_tmpfile; -+ attribute userdomain; -+ ') -+ -+ stream_connect_pattern($1, user_tmpfile, user_tmpfile, userdomain) ++template(`webadm_role_change_template',` ++ userdom_role_change_template($1, webadm) +') + +######################################## +## -+## Create, read, write, and delete user -+## temporary directories. ++## Change from the generic user role. +## +## +##

-+## Create, read, write, and delete user -+## temporary directories. ++## Change from the generic user role to ++## the specified role. +##

+##

-+## This is a templated interface, and should only -+## be called from a per-userdomain template. ++## This is a template to support third party modules ++## and its use is not allowed in upstream reference ++## policy. +##

+##
-+## ++## +## -+## Domain allowed access. ++## The prefix of the user role (e.g., user ++## is the prefix for user_r). +## +## ++## +# -+template(`unprivuser_manage_tmp_dirs',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ files_search_tmp($1) -+ manage_dirs_pattern($1, user_tmp_t, user_tmp_t) ++template(`webadm_role_change_to_template',` ++ userdom_role_change_template(webadm, $1) +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/webadm.te serefpolicy-3.5.13/policy/modules/roles/webadm.te +--- nsaserefpolicy/policy/modules/roles/webadm.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/roles/webadm.te 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,65 @@ ++ ++policy_module(webadm, 1.0.0) + -+######################################## -+## -+## Create, read, write, and delete user -+## temporary named pipes. -+## +## -+##

-+## Create, read, write, and delete user -+## temporary named pipes. -+##

-+##

-+## This is a templated interface, and should only -+## be called from a per-userdomain template. -+##

++##

++## Allow webadm to read files in users home directories ++##

+##
-+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## -+## -+## Domain allowed access. -+## -+## ++gen_tunable(webadm_read_user_files, false) ++ ++## ++##

++## Allow webadm to manage files in users home directories ++##

++##
++gen_tunable(webadm_manage_user_files, false) ++ ++######################################## ++# ++# Declarations +# -+template(`unprivuser_manage_tmp_pipes',` -+ gen_require(` -+ type user_tmp_t; -+ ') + -+ files_search_tmp($1) -+ manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t) ++role webadm_r; ++ ++userdom_base_user_template(webadm) ++ ++######################################## ++# ++# webadmin local policy ++# ++ ++allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; ++ ++files_dontaudit_search_all_dirs(webadm_t) ++files_manage_generic_locks(webadm_t) ++files_list_var(webadm_t) ++ ++selinux_get_enforce_mode(webadm_t) ++seutil_domtrans_setfiles(webadm_t) ++ ++logging_send_syslog_msg(webadm_t) ++ ++unprivuser_dontaudit_search_home_dirs(webadm_t) ++ ++optional_policy(` ++ sysadm_role_change_template(webadm) ++ sysadm_dontaudit_read_home_content_files(webadm_t) ++') ++ ++apache_admin(webadm_t, webadm_r, { webadm_devpts_t webadm_tty_device_t }) ++ ++optional_policy(` ++tunable_policy(`webadm_read_user_files',` ++ unprivuser_read_home_content_files(webadm_t) ++ unprivuser_read_tmp_files(webadm_t) +') ++') ++ ++optional_policy(` ++tunable_policy(`webadm_manage_user_files',` ++ unprivuser_manage_home_content_dirs(webadm_t) ++ unprivuser_read_tmp_files(webadm_t) ++ unprivuser_write_tmp_files(webadm_t) ++') ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.fc serefpolicy-3.5.13/policy/modules/roles/xguest.fc +--- nsaserefpolicy/policy/modules/roles/xguest.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/roles/xguest.fc 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1 @@ ++# file contexts handled by userdomain and genhomedircon +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.if serefpolicy-3.5.13/policy/modules/roles/xguest.if +--- nsaserefpolicy/policy/modules/roles/xguest.if 
1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/roles/xguest.if 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,161 @@ ++## Least privledge X Windows user role + +######################################## +## -+## Manage user untrusted files. ++## Change to the xguest role. +## -+## -+##

-+## Create, read, write, and delete untrusted files. -+##

-+##

-+## This is a templated interface, and should only -+## be called from a per-userdomain template. -+##

-+##
-+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## ++## +## -+## Domain allowed access. ++## The prefix of the user role (e.g., user ++## is the prefix for user_r). +## +## ++## +# -+template(`unprivuser_manage_untrusted_content_files',` -+ gen_require(` -+ type user_untrusted_content_t; -+ ') -+ -+ manage_files_pattern($1, user_untrusted_content_t, user_untrusted_content_t) ++template(`xguest_role_change_template',` ++ userdom_role_change_template($1, xguest) +') + +######################################## +## -+## Manage user untrusted tmp files. ++## Change from the xguest role. +## +## -+##

-+## Create, read, write, and delete untrusted tmp files. -+##

-+##

-+## This is a templated interface, and should only -+## be called from a per-userdomain template. -+##

++##

++## Change from the xguest role to ++## the specified role. ++##

++##

++## This is a template to support third party modules ++## and its use is not allowed in upstream reference ++## policy. ++##

+##
-+## -+## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). -+## -+## -+## ++## +## -+## Domain allowed access. ++## The prefix of the user role (e.g., user ++## is the prefix for user_r). +## +## ++## +# -+template(`unprivuser_manage_untrusted_content_tmp_files',` -+ gen_require(` -+ type user_untrusted_content_tmp_t; -+ ') -+ -+ manage_files_pattern($1, user_untrusted_content_tmp_t, user_untrusted_content_tmp_t) ++template(`xguest_role_change_to_template',` ++ userdom_role_change_template(xguest, $1) +') + +######################################## +## -+## RW unpriviledged user SysV sempaphores. ++## Search the xguest users home directory. +## +## +## @@ -8202,74 +10014,57 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`unprivuser_rw_semaphores',` ++interface(`xguest_search_home_dirs',` + gen_require(` -+ attribute unpriv_userdomain; ++ type xguest_home_dir_t; + ') + -+ allow $1 unpriv_userdomain:sem rw_sem_perms; ++ files_search_home($1) ++ allow $1 xguest_home_dir_t:dir search_dir_perms; +') + +######################################## +## -+## Read user tmpfs files. ++## Do not audit attempts to search the xguest ++## users home directory. +## -+## -+##

-+##

-+## read user temporary file system files -+##

-+##

-+##
+## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+template(`unprivuser_read_tmpfs_files',` ++interface(`xguest_dontaudit_search_home_dirs',` + gen_require(` -+ type user_tmpfs_t; ++ type xguest_home_dir_t; + ') -+ -+ fs_search_tmpfs($1) -+ read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) ++ ++ dontaudit $1 xguest_home_dir_t:dir search_dir_perms; +') + +######################################## +## -+## Unlink user tmpfs files. ++## Create, read, write, and delete xguest ++## home directories. +## -+## -+##

-+## Read/write user tmpfs files. -+##

-+##

-+## This is a templated interface, and should only -+## be called from a per-userdomain template. -+##

-+##
+## +## +## Domain allowed access. +## +## +# -+template(`unprivuser_delete_tmpfs_files',` ++interface(`xguest_manage_home_dirs',` + gen_require(` -+ type user_tmpfs_t; ++ type xguest_home_dir_t; + ') + -+ fs_search_tmpfs($1) -+ allow $1 user_tmpfs_t:dir list_dir_perms; -+ delete_files_pattern($1, user_tmpfs_t, user_tmpfs_t) -+ read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t) ++ files_search_home($1) ++ allow $1 xguest_home_dir_t:dir manage_dir_perms; +') + +######################################## +## -+## append all unprivileged users home directory -+## files. ++## Relabel to xguest home directories. +## +## +## 
@@ -8277,51 +10072,37 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`unprivuser_append_home_content_files',` ++interface(`xguest_relabelto_home_dirs',` + gen_require(` -+ attribute user_home_dir_type, user_home_type; ++ type xguest_home_dir_t; + ') + + files_search_home($1) -+ allow $1 user_home_type:dir list_dir_perms; -+ append_files_pattern($1, { user_home_dir_type user_home_type }, user_home_type) -+ tunable_policy(`use_nfs_home_dirs',` -+ fs_append_nfs_files($1) -+ ') -+ tunable_policy(`use_samba_home_dirs',` -+ fs_append_cifs_files($1) -+ ') ++ allow $1 xguest_home_dir_t:dir relabelto; +') + +######################################## +## -+## dontaudit append all unprivileged users home directory -+## files. ++## Do not audit attempts to append to the xguest ++## users home directory. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`unprivuser_dontaudit_append_home_content_files',` ++interface(`xguest_dontaudit_append_home_content_files',` + gen_require(` -+ attribute user_home_type; ++ type xguest_home_t; + ') + -+ dontaudit $1 user_home_type:file append_file_perms; -+ tunable_policy(`use_nfs_home_dirs',` -+ fs_dontaudit_append_nfs_files($1) -+ ') -+ tunable_policy(`use_samba_home_dirs',` -+ fs_dontaudit_append_cifs_files($1) -+ ') ++ dontaudit $1 xguest_home_t:file append; +') + +######################################## +## -+## dontaudit Read all unprivileged users home directory -+## files. ++## Read files in the xguest users home directory. +## +## +## 
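Review bot: The module summary of the new xguest.if, `## Least privledge X Windows user role`, is misspelled and is the line that ends up in the generated policy documentation; it should read `## Least privilege X Windows user role`. The `xguest_relabelto_home_dirs` interface starts at the end of this hunk and its body is in the next one.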
@@ -8329,86 +10110,107 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`unprivuser_dontaudit_read_home_content_files',` ++interface(`xguest_read_home_content_files',` + gen_require(` -+ attribute user_home_dir_type, user_home_type; ++ type xguest_home_dir_t, xguest_home_t; + ') + + files_search_home($1) -+ dontaudit $1 user_home_type:dir list_dir_perms; -+ dontaudit $1 user_home_type:file read_file_perms; -+ dontaudit $1 user_home_type:file read_lnk_file_perms; ++ allow $1 { xguest_home_dir_t xguest_home_t }:dir list_dir_perms; ++ read_files_pattern($1, { xguest_home_dir_t xguest_home_t }, xguest_home_t) ++ read_lnk_files_pattern($1, { xguest_home_dir_t xguest_home_t }, xguest_home_t) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.5.13/policy/modules/roles/xguest.te +--- nsaserefpolicy/policy/modules/roles/xguest.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/roles/xguest.te 2008-11-13 18:02:56.000000000 -0500 +@@ -0,0 +1,87 @@ + -+ tunable_policy(`use_nfs_home_dirs',` -+ fs_dontaudit_read_nfs_files($1) -+ ') ++policy_module(xguest, 1.0.0) + -+ tunable_policy(`use_samba_home_dirs',` -+ fs_dontaudit_read_cifs_files($1) -+ ') ++## ++##

++## Allow xguest users to mount removable media ++##

++##
++gen_tunable(xguest_mount_media, true) ++ ++## ++##

++## Allow xguest to configure Network Manager ++##

++##
++gen_tunable(xguest_connect_network, true) ++ ++## ++##

++## Allow xguest to use blue tooth devices ++##

++##
++gen_tunable(xguest_use_bluetooth, true) ++ ++######################################## ++# ++# Declarations ++# ++ ++role xguest_r; ++ ++userdom_restricted_xwindows_user_template(xguest) ++ ++######################################## ++# ++# Local policy ++# ++ ++#optional_policy(` ++# mozilla_per_role_template(xguest, xguest_t, xguest_r) ++#') ++ ++optional_policy(` ++ java_per_role_template(xguest, xguest_t, xguest_r) +') + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.5.13/policy/modules/roles/unprivuser.te ---- nsaserefpolicy/policy/modules/roles/unprivuser.te 2008-10-17 08:49:14.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/roles/unprivuser.te 2008-11-11 16:22:03.000000000 -0500 -@@ -13,3 +13,18 @@ - - userdom_unpriv_user_template(user) - +optional_policy(` -+ kerneloops_dontaudit_dbus_chat(user_t) ++ mono_per_role_template(xguest, xguest_t, xguest_r) +') + +optional_policy(` -+ postgresql_userdom_template(user, user_t, user_r) ++ nsplugin_per_role_template(xguest, xguest_t, xguest_r) +') + ++# Allow mounting of file systems +optional_policy(` -+ rpm_dontaudit_dbus_chat(user_t) ++ tunable_policy(`xguest_mount_media',` ++ hal_dbus_chat(xguest_t) ++ init_read_utmp(xguest_t) ++ auth_list_pam_console_data(xguest_t) ++ kernel_read_fs_sysctls(xguest_t) ++ files_dontaudit_getattr_boot_dirs(xguest_t) ++ files_search_mnt(xguest_t) ++ fs_manage_noxattr_fs_files(xguest_t) ++ fs_manage_noxattr_fs_dirs(xguest_t) ++ fs_manage_noxattr_fs_dirs(xguest_t) ++ fs_getattr_noxattr_fs(xguest_t) ++ fs_read_noxattr_fs_symlinks(xguest_t) ++ ') +') + +optional_policy(` -+ setroubleshoot_dontaudit_stream_connect(user_t) ++ hal_dbus_chat(xguest_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.5.13/policy/modules/roles/xguest.te ---- nsaserefpolicy/policy/modules/roles/xguest.te 2008-11-07 08:30:49.000000000 -0500 -+++ 
serefpolicy-3.5.13/policy/modules/roles/xguest.te 2008-11-11 16:22:03.000000000 -0500 -@@ -6,21 +6,21 @@ - ## Allow xguest users to mount removable media - ##

- ##
--gen_tunable(xguest_mount_media, false) -+gen_tunable(xguest_mount_media, true) - - ## - ##

- ## Allow xguest to configure Network Manager - ##

- ##
--gen_tunable(xguest_connect_network, false) -+gen_tunable(xguest_connect_network, true) - - ## - ##

- ## Allow xguest to use blue tooth devices - ##

- ##
--gen_tunable(xguest_use_bluetooth, false) -+gen_tunable(xguest_use_bluetooth, true) - - ######################################## - # -@@ -48,6 +48,10 @@ - mono_per_role_template(xguest, xguest_t, xguest_r) - ') - ++ +optional_policy(` -+ nsplugin_per_role_template($1, $1_usertype, $1_r) ++ tunable_policy(`xguest_connect_network',` ++ networkmanager_dbus_chat(xguest_t) ++ ') +') + - # Allow mounting of file systems - optional_policy(` - tunable_policy(`xguest_mount_media',` ++optional_policy(` ++ tunable_policy(`xguest_use_bluetooth',` ++ bluetooth_dbus_chat(xguest_t) ++ ') ++') ++gen_user(xguest_u, user, xguest_r, s0, s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aide.if serefpolicy-3.5.13/policy/modules/services/aide.if --- nsaserefpolicy/policy/modules/services/aide.if 2008-10-17 08:49:11.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/services/aide.if 2008-11-11 16:22:03.000000000 -0500 @@ -9174,7 +10976,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.13/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-11-11 19:06:29.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-11-13 14:28:18.000000000 -0500 @@ -20,6 +20,8 @@ # Declarations # @@ -9389,7 +11191,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +gen_tunable(allow_httpd_mod_auth_pam, false) + -+tunable_policy(`allow_httpd_mod_auth_pam',` + tunable_policy(`allow_httpd_mod_auth_pam',` +- auth_domtrans_chk_passwd(httpd_t) + auth_domtrans_chkpwd(httpd_t) +') + 
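Review bot: The `xguest_mount_media` boolean does not really gate HAL in xguest.te: `hal_dbus_chat(xguest_t)` is granted a second time, unconditionally, in the `optional_policy` block immediately after the tunable block, so an xguest session can talk to hald over D-Bus regardless of the boolean's value. If the boolean is meant to control this, delete the standalone `optional_policy` block that contains only `hal_dbus_chat(xguest_t)`; if HAL chat is always wanted, drop the copy inside the tunable so the boolean's actual effect is visible. `fs_manage_noxattr_fs_dirs(xguest_t)` also appears twice inside the tunable block and one copy can go. Since all three booleans now default to `true`, a guest login can reconfigure NetworkManager and pair Bluetooth devices for the whole host out of the box; the description text of each tunable should state that it is enabled by default and what it exposes.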
@@ -9400,8 +11203,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false) +optional_policy(` - tunable_policy(`allow_httpd_mod_auth_pam',` -- auth_domtrans_chk_passwd(httpd_t) ++tunable_policy(`allow_httpd_mod_auth_pam',` + samba_domtrans_winbind_helper(httpd_t) ') ') @@ -9718,7 +11520,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t) -@@ -691,12 +854,16 @@ +@@ -691,12 +854,22 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -9734,10 +11536,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + fs_manage_nfs_dirs(httpd_sys_script_t) + fs_manage_nfs_files(httpd_sys_script_t) + fs_manage_nfs_symlinks(httpd_sys_script_t) ++') ++ ++tunable_policy(`httpd_use_nfs',` ++ fs_manage_nfs_dirs(httpd_suexec_t) ++ fs_manage_nfs_files(httpd_suexec_t) ++ fs_manage_nfs_symlinks(httpd_suexec_t) ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -704,6 +871,31 @@ +@@ -704,6 +877,31 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -9769,7 +11577,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -716,10 +908,10 @@ +@@ -716,10 +914,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -9784,7 +11592,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -727,6 +919,8 @@ +@@ -727,6 +925,8 @@ # httpd_rotatelogs local policy # 
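Review bot: In apache.te the new `tunable_policy` that wraps `samba_domtrans_winbind_helper(httpd_t)` tests `allow_httpd_mod_auth_pam`, although it sits directly under `gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)` and is the only rule that boolean could control. As written, `allow_httpd_mod_auth_ntlm_winbind` gates nothing, and switching on mod_auth_pam silently also lets httpd transition into the winbind helper domain. If the ntlm_winbind boolean is meant to gate it, as its name and placement suggest, the added line should name `allow_httpd_mod_auth_ntlm_winbind` instead of `allow_httpd_mod_auth_pam`.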
@@ -9793,7 +11601,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t) -@@ -741,3 +935,66 @@ +@@ -741,3 +941,66 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) 
@@ -10546,39 +12354,269 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +auth_use_nsswitch(bluetooth_t) + - libs_use_ld_so(bluetooth_t) - libs_use_shared_libs(bluetooth_t) - -@@ -117,11 +123,9 @@ - - miscfiles_read_localization(bluetooth_t) - miscfiles_read_fonts(bluetooth_t) -- --sysnet_read_config(bluetooth_t) -+miscfiles_read_hwdata(bluetooth_t) - - userdom_dontaudit_use_unpriv_user_fds(bluetooth_t) -- - sysadm_dontaudit_use_ptys(bluetooth_t) - sysadm_dontaudit_search_home_dirs(bluetooth_t) - -@@ -128,10 +132,15 @@ - optional_policy(` - dbus_system_bus_client_template(bluetooth, bluetooth_t) - dbus_connect_system_bus(bluetooth_t) -+ dbus_system_domain(bluetooth_t, bluetooth_exec_t) + libs_use_ld_so(bluetooth_t) + libs_use_shared_libs(bluetooth_t) + +@@ -117,11 +123,9 @@ + + miscfiles_read_localization(bluetooth_t) + miscfiles_read_fonts(bluetooth_t) +- +-sysnet_read_config(bluetooth_t) ++miscfiles_read_hwdata(bluetooth_t) + + userdom_dontaudit_use_unpriv_user_fds(bluetooth_t) +- + sysadm_dontaudit_use_ptys(bluetooth_t) + sysadm_dontaudit_search_home_dirs(bluetooth_t) + +@@ -128,10 +132,15 @@ + optional_policy(` + dbus_system_bus_client_template(bluetooth, bluetooth_t) + dbus_connect_system_bus(bluetooth_t) ++ dbus_system_domain(bluetooth_t, bluetooth_exec_t) ++ ++ optional_policy(` ++ cups_dbus_chat(bluetooth_t) + ') + + optional_policy(` +- nis_use_ypbind(bluetooth_t) ++ hal_dbus_chat(bluetooth_t) ++ ') + ') + + optional_policy(` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.5.13/policy/modules/services/certmaster.fc +--- nsaserefpolicy/policy/modules/services/certmaster.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/certmaster.fc 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,9 @@ ++ ++/etc/rc\.d/init\.d/certmaster -- gen_context(system_u:object_r:certmaster_initrc_exec_t,s0) ++/usr/bin/certmaster -- 
gen_context(system_u:object_r:certmaster_exec_t,s0) ++ ++/etc/certmaster(/.*)? gen_context(system_u:object_r:certmaster_etc_rw_t,s0) ++ ++/var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0) ++ ++/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.if serefpolicy-3.5.13/policy/modules/services/certmaster.if +--- nsaserefpolicy/policy/modules/services/certmaster.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/certmaster.if 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,128 @@ ++## policy for certmaster ++ ++######################################## ++## ++## Execute a domain transition to run certmaster. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`certmaster_domtrans',` ++ gen_require(` ++ type certmaster_t, certmaster_exec_t; ++ ') ++ ++ domain_auto_trans($1,certmaster_exec_t,certmaster_t) ++ ++ allow certmaster_t $1:fd use; ++ allow certmaster_t $1:fifo_file rw_file_perms; ++ allow certmaster_t $1:process sigchld; ++') ++ ++####################################### ++## ++## read ++## certmaster logs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`certmaster_read_log',` ++ gen_require(` ++ type certmaster_var_log_t; ++ ') ++ ++ read_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) ++') ++ ++####################################### ++## ++## Append to certmaster logs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`certmaster_append_log',` ++ gen_require(` ++ type certmaster_var_log_t; ++ ') ++ ++ append_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) ++') ++ ++####################################### ++## ++## Create, read, write, and delete ++## certmaster logs. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`certmaster_manage_log',` ++ gen_require(` ++ type certmaster_var_log_t; ++ ') ++ ++ manage_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) ++ manage_lnk_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an snort environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the syslog domain. ++## ++## ++## ++# ++interface(`certmaster_admin',` ++ gen_require(` ++ type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t; ++ type certmaster_etc_rw_t, certmaster_var_log_t; ++ type certmaster_initrc_exec_t; ++ ') ++ ++ allow $1 certmaster_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, certmaster_t) ++ ++ init_labeled_script_domtrans($1, certmaster_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 certmaster_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ files_list_etc($1) ++ miscfiles_manage_cert_dirs($1) ++ miscfiles_manage_cert_files($1) ++ ++ admin_pattern($1, certmaster_etc_rw_t) ++ ++ files_list_pids($1) ++ admin_pattern($1, certmaster_var_run_t) ++ ++ logging_list_logs($1) ++ admin_pattern($1, certmaster_var_log_t) ++ ++ files_list_var_lib($1) ++ admin_pattern($1, certmaster_var_lib_t) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.5.13/policy/modules/services/certmaster.te +--- nsaserefpolicy/policy/modules/services/certmaster.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/certmaster.te 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,81 @@ ++policy_module(certmaster,1.0.0) ++ ++######################################## ++# ++# Declarations ++# + -+ optional_policy(` -+ cups_dbus_chat(bluetooth_t) - ') - - optional_policy(` -- nis_use_ypbind(bluetooth_t) -+ hal_dbus_chat(bluetooth_t) 
-+ ') - ') - - optional_policy(` ++# type and domain for certmaster ++type certmaster_t; ++type certmaster_exec_t; ++init_daemon_domain(certmaster_t, certmaster_exec_t) ++ ++type certmaster_initrc_exec_t; ++init_script_file(certmaster_initrc_exec_t) ++ ++# var/lib files ++type certmaster_var_lib_t; ++files_type(certmaster_var_lib_t) ++ ++# config files ++type certmaster_etc_rw_t; ++files_config_file(certmaster_etc_rw_t) ++ ++# log files ++type certmaster_var_log_t; ++logging_log_file(certmaster_var_log_t) ++ ++# pid files ++type certmaster_var_run_t; ++files_pid_file(certmaster_var_run_t) ++ ++########################################### ++# ++# certmaster local policy ++# ++ ++allow certmaster_t self:tcp_socket create_stream_socket_perms; ++ ++# config files ++list_dirs_pattern(certmaster_t,certmaster_etc_rw_t,certmaster_etc_rw_t) ++manage_files_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t) ++ ++# var/lib files for certmaster ++manage_files_pattern(certmaster_t,certmaster_var_lib_t,certmaster_var_lib_t) ++manage_dirs_pattern(certmaster_t,certmaster_var_lib_t,certmaster_var_lib_t) ++files_var_lib_filetrans(certmaster_t,certmaster_var_lib_t, { file dir }) ++ ++# log files ++manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t) ++logging_log_filetrans(certmaster_t,certmaster_var_log_t, file ) ++ ++# pid file ++manage_files_pattern(certmaster_t, certmaster_var_run_t,certmaster_var_run_t) ++manage_sock_files_pattern(certmaster_t, certmaster_var_run_t,certmaster_var_run_t) ++files_pid_filetrans(certmaster_t,certmaster_var_run_t, { file sock_file }) ++ ++corecmd_search_bin(certmaster_t) ++corecmd_getattr_bin_files(certmaster_t) ++ ++# network ++corenet_tcp_bind_inaddr_any_node(certmaster_t) ++corenet_tcp_bind_certmaster_port(certmaster_t) ++ ++files_search_etc(certmaster_t) ++files_list_var(certmaster_t) ++files_search_var_lib(certmaster_t) ++ ++# read meminfo ++kernel_read_system_state(certmaster_t) ++ 
++auth_use_nsswitch(certmaster_t) ++ ++libs_use_ld_so(certmaster_t) ++libs_use_shared_libs(certmaster_t) ++ ++miscfiles_read_localization(certmaster_t) ++ ++miscfiles_manage_cert_dirs(certmaster_t) ++miscfiles_manage_cert_files(certmaster_t) ++ ++permissive certmaster_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.5.13/policy/modules/services/clamav.fc --- nsaserefpolicy/policy/modules/services/clamav.fc 2008-10-17 08:49:11.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/services/clamav.fc 2008-11-11 16:22:03.000000000 -0500 
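Review bot: `permissive certmaster_t;` at the end of certmaster.te means none of the rules above it are enforced, so gaps in the module — for instance it binds with `corenet_tcp_bind_certmaster_port(certmaster_t)` but has no `corenet_tcp_sendrecv_*` or `corenet_all_recvfrom_unlabeled` rules, which would presumably be needed to serve connections in enforcing mode — surface only as audit records, never as failures. If the permissive line is intentional bring-up state, a comment such as `# permissive while the policy is developed; remove once the daemon runs clean in enforcing mode` should say so. In certmaster.if, `certmaster_domtrans` hand-rolls the transition with `domain_auto_trans` plus separate fd, fifo_file and sigchld allows, whereas `gamin_domtrans` elsewhere in this patch uses `domtrans_pattern`, which grants the same set; `domtrans_pattern($1, certmaster_exec_t, certmaster_t)` would replace those four lines. The `certmaster_admin` summary still reads "administrate an snort environment" and its role parameter "manage the syslog domain"; both should name certmaster.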
@@ -14000,6 +16038,261 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(ftpd_t) ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.fc serefpolicy-3.5.13/policy/modules/services/gamin.fc +--- nsaserefpolicy/policy/modules/services/gamin.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/gamin.fc 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,2 @@ ++ ++/usr/libexec/gam_server -- gen_context(system_u:object_r:gamin_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.if serefpolicy-3.5.13/policy/modules/services/gamin.if +--- nsaserefpolicy/policy/modules/services/gamin.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/gamin.if 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,57 @@ ++ ++## policy for gamin ++ ++######################################## ++## ++## Execute a domain transition to run gamin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`gamin_domtrans',` ++ gen_require(` ++ type gamin_t; ++ type gamin_exec_t; ++ ') ++ ++ domtrans_pattern($1, gamin_exec_t, gamin_t) ++') ++ ++######################################## ++## ++## Execute gamin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`gamin_exec',` ++ gen_require(` ++ type gamin_exec_t; ++ ') ++ ++ can_exec($1, gamin_exec_t) ++') ++ ++######################################## ++## ++## Connect to gamin over an unix stream socket. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`gamin_stream_connect',` ++ gen_require(` ++ type gamin_t; ++ ') ++ ++ allow $1 gamin_t:unix_stream_socket connectto; ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.te serefpolicy-3.5.13/policy/modules/services/gamin.te +--- nsaserefpolicy/policy/modules/services/gamin.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/gamin.te 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,39 @@ ++policy_module(gamin, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type gamin_t; ++type gamin_exec_t; ++application_domain(gamin_t, gamin_exec_t) ++role system_r types gamin_t; ++ ++######################################## ++# ++# gamin local policy ++# ++ ++# Init script handling ++domain_use_interactive_fds(gamin_t) ++allow gamin_t self:capability sys_ptrace; ++ ++# internal communication is often done using fifo and unix sockets. ++allow gamin_t self:fifo_file rw_file_perms; ++allow gamin_t self:unix_stream_socket create_stream_socket_perms; ++ ++files_read_etc_files(gamin_t) ++files_read_etc_runtime_files(gamin_t) ++files_list_all(gamin_t) ++files_getattr_all_files(gamin_t) ++ ++fs_list_inotifyfs(gamin_t) ++domain_read_all_domains_state(gamin_t) ++domain_dontaudit_ptrace_all_domains(gamin_t) ++ ++libs_use_ld_so(gamin_t) ++libs_use_shared_libs(gamin_t) ++ ++miscfiles_read_localization(gamin_t) ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.fc serefpolicy-3.5.13/policy/modules/services/gnomeclock.fc +--- nsaserefpolicy/policy/modules/services/gnomeclock.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/gnomeclock.fc 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,3 @@ ++ ++/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0) ++ +diff -b -B --ignore-all-space 
--exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.if serefpolicy-3.5.13/policy/modules/services/gnomeclock.if +--- nsaserefpolicy/policy/modules/services/gnomeclock.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/gnomeclock.if 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,75 @@ ++ ++## policy for gnomeclock ++ ++######################################## ++## ++## Execute a domain transition to run gnomeclock. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`gnomeclock_domtrans',` ++ gen_require(` ++ type gnomeclock_t; ++ type gnomeclock_exec_t; ++ ') ++ ++ domtrans_pattern($1, gnomeclock_exec_t, gnomeclock_t) ++') ++ ++ ++######################################## ++## ++## Execute gnomeclock in the gnomeclock domain, and ++## allow the specified role the gnomeclock domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the gnomeclock domain. ++## ++## ++## ++## ++## The type of the role's terminal. ++## ++## ++# ++interface(`gnomeclock_run',` ++ gen_require(` ++ type gnomeclock_t; ++ ') ++ ++ gnomeclock_domtrans($1) ++ role $2 types gnomeclock_t; ++ dontaudit gnomeclock_t $3:chr_file rw_term_perms; ++') ++ ++ ++######################################## ++## ++## Send and receive messages from ++## gnomeclock over dbus. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`gnomeclock_dbus_chat',` ++ gen_require(` ++ type gnomeclock_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 gnomeclock_t:dbus send_msg; ++ allow gnomeclock_t $1:dbus send_msg; ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gnomeclock.te serefpolicy-3.5.13/policy/modules/services/gnomeclock.te +--- nsaserefpolicy/policy/modules/services/gnomeclock.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/gnomeclock.te 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,55 @@ ++policy_module(gnomeclock, 1.0.0) ++######################################## ++# ++# Declarations ++# ++ ++type gnomeclock_t; ++type gnomeclock_exec_t; ++dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) ++ ++######################################## ++# ++# gnomeclock local policy ++# ++allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace }; ++allow gnomeclock_t self:process { getattr getsched }; ++ ++# internal communication is often done using fifo and unix sockets. 
++allow gnomeclock_t self:fifo_file rw_file_perms; ++allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms; ++ ++corecmd_exec_bin(gnomeclock_t) ++ ++userdom_ptrace_all_users(gnomeclock_t) ++ ++files_read_etc_files(gnomeclock_t) ++files_read_usr_files(gnomeclock_t) ++ ++miscfiles_manage_localization(gnomeclock_t) ++miscfiles_etc_filetrans_localization(gnomeclock_t) ++ ++fs_list_inotifyfs(gnomeclock_t) ++ ++auth_use_nsswitch(gnomeclock_t) ++ ++libs_use_ld_so(gnomeclock_t) ++libs_use_shared_libs(gnomeclock_t) ++ ++miscfiles_read_localization(gnomeclock_t) ++ ++userdom_read_all_users_state(gnomeclock_t) ++ ++optional_policy(` ++ consolekit_dbus_chat(gnomeclock_t) ++') ++ ++optional_policy(` ++ clock_domtrans(gnomeclock_t) ++') ++ ++optional_policy(` ++ polkit_domtrans_auth(gnomeclock_t) ++ polkit_read_lib(gnomeclock_t) ++') ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.5.13/policy/modules/services/hal.fc --- nsaserefpolicy/policy/modules/services/hal.fc 2008-10-17 08:49:11.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/services/hal.fc 2008-11-11 16:22:03.000000000 -0500 
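Review bot: `userdom_ptrace_all_users(gnomeclock_t)` together with `sys_ptrace` in the capability set of gnomeclock.te lets a D-Bus helper whose job is setting the clock and timezone attach to every user domain's processes, which is far beyond what that task needs. The module already has `userdom_read_all_users_state(gnomeclock_t)`, which is what a /proc-based caller check for the PolicyKit path needs, and the gamin module in this same hunk takes the narrower route with `domain_dontaudit_ptrace_all_domains(gamin_t)`. Unless there is a known denial that requires a real ptrace, drop `userdom_ptrace_all_users(gnomeclock_t)` in favour of a dontaudit, and keep `sys_ptrace` only if the /proc reads still trigger it.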
@@ -14458,12 +16751,90 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol sysadm_search_home_dirs(mailman_queue_t) +sysadm_getattr_home_dirs(mailman_queue_t) + -+optional_policy(` -+ apache_read_config(mailman_queue_t) ++optional_policy(` ++ apache_read_config(mailman_queue_t) ++') + + optional_policy(` + cron_system_entry(mailman_queue_t, mailman_queue_exec_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.fc serefpolicy-3.5.13/policy/modules/services/mailscanner.fc +--- nsaserefpolicy/policy/modules/services/mailscanner.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/mailscanner.fc 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,2 @@ ++/var/spool/MailScanner(/.*)? gen_context(system_u:object_r:mailscanner_spool_t,s0) ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.if serefpolicy-3.5.13/policy/modules/services/mailscanner.if +--- nsaserefpolicy/policy/modules/services/mailscanner.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/mailscanner.if 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,59 @@ ++## Anti-Virus and Anti-Spam Filter ++ ++######################################## ++## ++## Search mailscanner spool directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mailscanner_search_spool',` ++ gen_require(` ++ type mailscanner_spool_t; ++ ') ++ ++ files_search_spool($1) ++ allow $1 mailscanner_spool_t:dir search_dir_perms; ++') ++ ++######################################## ++## ++## read mailscanner spool files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`mailscanner_read_spool',` ++ gen_require(` ++ type mailscanner_spool_t; ++ ') ++ ++ files_search_spool($1) ++ read_files_pattern($1, mailscanner_spool_t, mailscanner_spool_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## mailscanner spool files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mailscanner_manage_spool',` ++ gen_require(` ++ type mailscanner_spool_t; ++ ') ++ ++ files_search_spool($1) ++ manage_files_pattern($1, mailscanner_spool_t, mailscanner_spool_t) +') - - optional_policy(` - cron_system_entry(mailman_queue_t, mailman_queue_exec_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.te serefpolicy-3.5.13/policy/modules/services/mailscanner.te +--- nsaserefpolicy/policy/modules/services/mailscanner.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/mailscanner.te 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,5 @@ ++ ++policy_module(mailscanner, 1.0.0) ++ ++type mailscanner_spool_t; ++files_type(mailscanner_spool_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.5.13/policy/modules/services/mta.fc --- nsaserefpolicy/policy/modules/services/mta.fc 2008-10-17 08:49:11.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/services/mta.fc 2008-11-11 16:22:03.000000000 -0500 
@@ -16330,6 +18701,108 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + unconfined_use_terms(openvpn_t) +') + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.fc serefpolicy-3.5.13/policy/modules/services/pads.fc +--- nsaserefpolicy/policy/modules/services/pads.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/pads.fc 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,12 @@ ++ ++/etc/pads-ether-codes -- gen_context(system_u:object_r:pads_config_t, s0) ++/etc/pads-signature-list -- gen_context(system_u:object_r:pads_config_t, s0) ++/etc/pads.conf -- gen_context(system_u:object_r:pads_config_t, s0) ++/etc/pads-assets.csv -- gen_context(system_u:object_r:pads_config_t, s0) ++ ++/etc/rc\.d/init\.d/pads -- gen_context(system_u:object_r:pads_initrc_exec_t, s0) ++ ++/usr/bin/pads -- gen_context(system_u:object_r:pads_exec_t, s0) ++ ++/var/run/pads.pid -- gen_context(system_u:object_r:pads_var_run_t, s0) ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.if serefpolicy-3.5.13/policy/modules/services/pads.if +--- nsaserefpolicy/policy/modules/services/pads.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/pads.if 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,10 @@ ++## SELinux policy for PADS daemon. ++## ++##

++## PADS is a libpcap based detection engine used to ++## passively detect network assets. It is designed to ++## complement IDS technology by providing context to IDS ++## alerts. ++##

++##
++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pads.te serefpolicy-3.5.13/policy/modules/services/pads.te +--- nsaserefpolicy/policy/modules/services/pads.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/pads.te 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,68 @@ ++ ++policy_module(pads, 0.0.1) ++ ++######################################## ++# ++# Declarations ++# ++ ++type pads_t; ++type pads_exec_t; ++init_daemon_domain(pads_t, pads_exec_t) ++role system_r types pads_t; ++ ++type pads_initrc_exec_t; ++init_script_file(pads_initrc_exec_t) ++ ++type pads_config_t; ++files_config_file(pads_config_t) ++ ++type pads_var_run_t; ++files_pid_file(pads_var_run_t) ++ ++######################################## ++# ++# Declarations ++# ++ ++allow pads_t self:capability { dac_override net_raw }; ++allow pads_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; ++allow pads_t self:packet_socket { ioctl setopt getopt read bind create }; ++allow pads_t self:udp_socket { create ioctl }; ++allow pads_t self:unix_dgram_socket { write create connect }; ++ ++allow pads_t pads_config_t:file manage_file_perms; ++files_etc_filetrans(pads_t, pads_config_t, file) ++ ++allow pads_t pads_var_run_t:file manage_file_perms; ++files_pid_filetrans(pads_t, pads_var_run_t, file) ++ ++corecmd_search_bin(pads_t) ++ ++corenet_all_recvfrom_unlabeled(pads_t) ++corenet_all_recvfrom_netlabel(pads_t) ++corenet_tcp_sendrecv_all_if(pads_t) ++corenet_tcp_sendrecv_all_nodes(pads_t) ++ ++corenet_tcp_connect_prelude_port(pads_t) ++ ++dev_read_rand(pads_t) ++dev_read_urand(pads_t) ++ ++kernel_read_sysctl(pads_t) ++ ++files_read_etc_files(pads_t) ++files_search_spool(pads_t) ++ ++libs_use_ld_so(pads_t) ++libs_use_shared_libs(pads_t) ++ ++miscfiles_read_localization(pads_t) ++ ++logging_send_syslog_msg(pads_t) ++ ++sysnet_dns_name_resolve(pads_t) ++ ++optional_policy(` ++ 
prelude_manage_spool(pads_t) ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.5.13/policy/modules/services/pcscd.te --- nsaserefpolicy/policy/modules/services/pcscd.te 2008-10-17 08:49:11.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/services/pcscd.te 2008-11-11 16:22:03.000000000 -0500 
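Review bot: `allow pads_t pads_config_t:file manage_file_perms;` plus `files_etc_filetrans(pads_t, pads_config_t, file)` in pads.te gives the packet-sniffing daemon write and create access to everything labelled pads_config_t, which per pads.fc includes `pads.conf`, `pads-ether-codes` and `pads-signature-list`, not only the `pads-assets.csv` it presumably rewrites. A separate type for the assets file — read access via `read_files_pattern` on pads_config_t and manage only on the new type — would keep a compromised parser running with `net_raw` from altering its own signatures and configuration. `dac_override` in the capability set is also unexplained and is rarely needed by a root daemon that owns its files; a `# needed for …` comment or removal after testing would help. The second section banner in pads.te repeats `# Declarations` where it should read `# pads local policy`.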
@@ -16432,84 +18905,414 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pki.fc serefpolicy-3.5.13/policy/modules/services/pki.fc --- nsaserefpolicy/policy/modules/services/pki.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/pki.fc 2008-11-13 13:57:43.000000000 -0500 -@@ -0,0 +1,66 @@ -+ -+/usr/bin/dtomcat5-pki-ca -- gen_context(system_u:object_r:pki_ca_exec_t,s0) ++++ serefpolicy-3.5.13/policy/modules/services/pki.fc 2008-11-13 18:17:36.000000000 -0500 +@@ -0,0 +1,46 @@ + -+/etc/init.d/pki-ca -- gen_context(system_u:object_r:pki_ca_script_exec_t,s0) ++/etc/rc\.d/init\.d/pki-ca -- gen_context(system_u:object_r:pki_ca_script_exec_t,s0) ++/etc/rc\.d/init\.d/pki-kra -- gen_context(system_u:object_r:pki_kra_script_exec_t,s0) ++/etc/rc\.d/init\.d/pki-ocsp -- gen_context(system_u:object_r:pki_ocsp_script_exec_t,s0) ++/etc/rc\.d/init\.d/pki-ra -- gen_context(system_u:object_r:pki_ra_script_exec_t,s0) ++/etc/rc\.d/init\.d/pki-tks -- gen_context(system_u:object_r:pki_tks_script_exec_t,s0) ++/etc/rc\.d/init\.d/pki-tps -- gen_context(system_u:object_r:pki_tps_script_exec_t,s0) + +/etc/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_etc_rw_t,s0) -+/etc/pki-ca/tomcat5.conf -- gen_context(system_u:object_r:pki_ca_tomcat_exec_t,s0) ++/etc/pki-ca/tomcat5\.conf -- gen_context(system_u:object_r:pki_ca_tomcat_exec_t,s0) ++/etc/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_etc_rw_t,s0) ++/etc/pki-kra/tomcat5\.conf -- gen_context(system_u:object_r:pki_kra_tomcat_exec_t,s0) ++/etc/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_etc_rw_t,s0) ++/etc/pki-ocsp/tomcat5\.conf -- gen_context(system_u:object_r:pki_ocsp_tomcat_exec_t,s0) ++/etc/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0) ++/etc/pki-tks(/.*)? 
gen_context(system_u:object_r:pki_tks_etc_rw_t,s0) ++/etc/pki-tks/tomcat5\.conf -- gen_context(system_u:object_r:pki_tks_tomcat_exec_t,s0) ++/etc/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0) + -+/var/lib/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_var_lib_t,s0) ++/usr/bin/dtomcat5-pki-ca -- gen_context(system_u:object_r:pki_ca_exec_t,s0) ++/usr/bin/dtomcat5-pki-kra -- gen_context(system_u:object_r:pki_kra_exec_t,s0) ++/usr/bin/dtomcat5-pki-ocsp -- gen_context(system_u:object_r:pki_ocsp_exec_t,s0) ++/usr/bin/dtomcat5-pki-tks -- gen_context(system_u:object_r:pki_tks_exec_t,s0) ++ ++/usr/sbin/httpd.worker -- gen_context(system_u:object_r:pki_ra_exec_t,s0) + -+/var/run/pki-ca.pid gen_context(system_u:object_r:pki_ca_var_run_t,s0) ++/var/lib/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_var_lib_t,s0) ++/var/lib/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_var_lib_t,s0) ++/var/lib/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_var_lib_t,s0) ++/var/lib/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_var_lib_t,s0) ++/var/lib/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_var_lib_t,s0) ++/var/lib/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_var_lib_t,s0) + +/var/log/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_log_t,s0) ++/var/log/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_log_t,s0) ++/var/log/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_log_t,s0) ++/var/log/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_log_t,s0) ++/var/log/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_log_t,s0) ++/var/log/pki-tps(/.*)? 
gen_context(system_u:object_r:pki_tps_log_t,s0) ++ ++/var/run/pki-ca\.pid -- gen_context(system_u:object_r:pki_ca_var_run_t,s0) ++/var/run/pki-kra\.pid -- gen_context(system_u:object_r:pki_kra_var_run_t,s0) ++/var/run/pki-ocsp\.pid -- gen_context(system_u:object_r:pki_ocsp_var_run_t,s0) ++/var/run/pki-ra\.pid -- gen_context(system_u:object_r:pki_ocsp_var_run_t,s0) ++/var/run/pki-tks\.pid -- gen_context(system_u:object_r:pki_tks_var_run_t,s0) ++/var/run/pki-tps\.pid -- gen_context(system_u:object_r:pki_tks_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pki.if serefpolicy-3.5.13/policy/modules/services/pki.if +--- nsaserefpolicy/policy/modules/services/pki.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/pki.if 2008-11-13 13:57:43.000000000 -0500 +@@ -0,0 +1,643 @@ + -+/usr/bin/dtomcat5-pki-kra -- gen_context(system_u:object_r:pki_kra_exec_t,s0) ++## policy for pki + -+/etc/init.d/pki-kra -- gen_context(system_u:object_r:pki_kra_script_exec_t,s0) ++######################################## ++## ++## Execute pki_ca server in the pki_ca domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`pki_ca_script_domtrans',` ++ gen_require(` ++ attribute pki_ca_script; ++ ') + -+/etc/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_etc_rw_t,s0) -+/etc/pki-kra/tomcat5.conf -- gen_context(system_u:object_r:pki_kra_tomcat_exec_t,s0) ++ init_script_domtrans_spec($1,pki_ca_script) ++') + -+/var/lib/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_var_lib_t,s0) ++######################################## ++## ++## Create a set of derived types for apache ++## web content. ++## ++## ++## ++## The prefix to be used for deriving type names. 
++## ++## ++# ++template(`pki_ca_template',` ++ gen_require(` ++ attribute pki_ca_process; ++ attribute pki_ca_config, pki_ca_var_lib, pki_ca_var_run; ++ attribute pki_ca_executable, pki_ca_script, pki_ca_var_log; ++ type pki_ca_tomcat_exec_t; ++ type $1_port_t; ++ ') ++ ######################################## ++ # ++ # Declarations ++ # + -+/var/run/pki-kra.pid gen_context(system_u:object_r:pki_kra_var_run_t,s0) ++ type $1_t, pki_ca_process; ++ type $1_exec_t, pki_ca_executable; ++ domain_type($1_t) ++ init_daemon_domain($1_t, $1_exec_t) + -+/var/log/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_log_t,s0) ++ type $1_script_exec_t, pki_ca_script; ++ init_script_file($1_script_exec_t) + -+/usr/bin/dtomcat5-pki-ocsp -- gen_context(system_u:object_r:pki_ocsp_exec_t,s0) ++ type $1_etc_rw_t, pki_ca_config; ++ files_type($1_etc_rw_t) ++ ++ type $1_var_run_t, pki_ca_var_run; ++ files_pid_file($1_var_run_t) ++ ++ type $1_var_lib_t, pki_ca_var_lib; ++ files_type($1_var_lib_t) ++ ++ type $1_log_t, pki_ca_var_log; ++ logging_log_file($1_log_t) ++ ++ ######################################## ++ # ++ # $1 local policy ++ # ++ ++ # Execstack/execmem caused by java app. ++ allow $1_t self:process { execstack execmem getsched setsched }; ++ ++ ## internal communication is often done using fifo and unix sockets. 
++ allow $1_t self:fifo_file rw_file_perms; ++ allow $1_t self:unix_stream_socket create_stream_socket_perms; ++ allow $1_t self:tcp_socket create_stream_socket_perms; ++ allow $1_t self:process signull; ++ ++ allow $1_t $1_port_t:tcp_socket {name_bind name_connect}; ++ ++ corenet_all_recvfrom_unlabeled($1_t) ++ corenet_tcp_sendrecv_all_if($1_t) ++ corenet_tcp_sendrecv_all_nodes($1_t) ++ corenet_tcp_sendrecv_all_ports($1_t) ++ ++ corenet_tcp_bind_all_nodes($1_t) ++ corenet_tcp_bind_ocsp_port($1_t) ++ corenet_tcp_connect_ocsp_port($1_t) ++ ++ # This is for /etc/$1/tomcat.conf: ++ can_exec($1_t, pki_ca_tomcat_exec_t) ++ ++ # Init script handling ++ domain_use_interactive_fds($1_t) ++ ++ files_read_etc_files($1_t) ++ ++ manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t) ++ manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t) ++ files_etc_filetrans($1_t,$1_etc_rw_t, { file dir }) ++ ++ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t) ++ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) ++ files_pid_filetrans($1_t,$1_var_run_t, { file dir }) ++ ++ manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t) ++ manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t) ++ read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t) ++ files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } ) ++ ++ manage_dirs_pattern($1_t, $1_log_t, $1_log_t) ++ manage_files_pattern($1_t, $1_log_t, $1_log_t) ++ logging_log_filetrans($1_t, $1_log_t, { file dir } ) ++ ++ corecmd_exec_bin($1_t) ++ corecmd_read_bin_symlinks($1_t) ++ corecmd_exec_shell($1_t) ++ ++ dev_list_sysfs($1_t) ++ dev_read_rand($1_t) ++ dev_read_urand($1_t) ++ ++ # Java is looking in /tmp for some reason...: ++ files_manage_generic_tmp_dirs($1_t) ++ files_manage_generic_tmp_files($1_t) ++ files_read_usr_files($1_t) ++ files_read_usr_symlinks($1_t) ++ # These are used to read tomcat class files in /var/lib/tomcat ++ files_read_var_lib_files($1_t) ++ files_read_var_lib_symlinks($1_t) ++ ++ kernel_read_network_state($1_t) ++ 
kernel_read_system_state($1_t) ++ kernel_search_network_state($1_t) ++ # audit2allow ++ kernel_signull_unlabeled($1_t) ++ ++ auth_use_nsswitch($1_t) ++ ++ init_dontaudit_write_utmp($1_t) ++ ++ libs_use_ld_so($1_t) ++ libs_use_shared_libs($1_t) ++ ++ miscfiles_read_localization($1_t) ++ ++ ifdef(`targeted_policy',` ++ term_dontaudit_use_unallocated_ttys($1_t) ++ term_dontaudit_use_generic_ptys($1_t) ++ ') ++ ++#This is broken in selinux-policy we need java_exec defined, Will add to policy ++ gen_require(` ++ type java_exec_t; ++ ') ++ can_exec($1_t, java_exec_t) ++ ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an pki_ca environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the syslog domain. ++## ++## ++## ++## ++## The type of the user terminal. ++## ++## ++## ++# ++interface(`pki_ca_admin',` ++ gen_require(` ++ type pki_ca_tomcat_exec_t; ++ attribute pki_ca_process; ++ attribute pki_ca_config; ++ attribute pki_ca_executable; ++ attribute pki_ca_var_lib; ++ attribute pki_ca_var_log; ++ attribute pki_ca_var_run; ++ attribute pki_ca_pidfiles; ++ attribute pki_ca_script; ++ ') + -+/etc/init.d/pki-ocsp -- gen_context(system_u:object_r:pki_ocsp_script_exec_t,s0) ++ allow $1 pki_ca_process:process { ptrace signal_perms }; ++ ps_process_pattern($1, pki_ca_t) + -+/etc/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_etc_rw_t,s0) -+/etc/pki-ocsp/tomcat5.conf -- gen_context(system_u:object_r:pki_ocsp_tomcat_exec_t,s0) ++ # Allow pki_ca_t to restart the service ++ pki_ca_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 pki_ca_script system_r; ++ allow $2 system_r; + -+/var/lib/pki-ocsp(/.*)? 
gen_context(system_u:object_r:pki_ocsp_var_lib_t,s0) ++ manage_all_pattern($1, pki_ca_config) ++ manage_all_pattern($1, pki_ca_var_run) ++ manage_all_pattern($1, pki_ca_var_lib) ++ manage_all_pattern($1, pki_ca_var_log) ++ manage_all_pattern($1, pki_ca_config) ++ manage_all_pattern($1, pki_ca_tomcat_exec_t) ++') + -+/var/run/pki-ocsp.pid gen_context(system_u:object_r:pki_ocsp_var_run_t,s0) ++######################################## ++## ++## Execute pki_kra server in the pki_kra domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`pki_kra_script_domtrans',` ++ gen_require(` ++ attribute pki_kra_script; ++ ') + -+/var/log/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_log_t,s0) ++ init_script_domtrans_spec($1,pki_kra_script) ++') + -+/usr/sbin/httpd.worker -- gen_context(system_u:object_r:pki_ra_exec_t,s0) -+/etc/init.d/pki-ra -- gen_context(system_u:object_r:pki_ra_script_exec_t,s0) -+/etc/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0) -+/var/lib/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_var_lib_t,s0) -+/var/log/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_log_t,s0) ++######################################## ++## ++## All of the rules required to administrate ++## an pki_kra environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the syslog domain. ++## ++## ++## ++## ++## The type of the user terminal. 
++## ++## ++## ++# ++interface(`pki_kra_admin',` ++ gen_require(` ++ type pki_kra_tomcat_exec_t; ++ attribute pki_kra_process; ++ attribute pki_kra_config; ++ attribute pki_kra_executable; ++ attribute pki_kra_var_lib; ++ attribute pki_kra_var_log; ++ attribute pki_kra_var_run; ++ attribute pki_kra_pidfiles; ++ attribute pki_kra_script; ++ ') + ++ allow $1 pki_kra_process:process { ptrace signal_perms }; ++ ps_process_pattern($1, pki_kra_t) + -+/usr/bin/dtomcat5-pki-tks -- gen_context(system_u:object_r:pki_tks_exec_t,s0) ++ # Allow pki_kra_t to restart the service ++ pki_kra_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 pki_kra_script system_r; ++ allow $2 system_r; + -+/etc/init.d/pki-tks -- gen_context(system_u:object_r:pki_tks_script_exec_t,s0) ++ manage_all_pattern($1, pki_kra_config) ++ manage_all_pattern($1, pki_kra_var_run) ++ manage_all_pattern($1, pki_kra_var_lib) ++ manage_all_pattern($1, pki_kra_var_log) ++ manage_all_pattern($1, pki_kra_config) ++ manage_all_pattern($1, pki_kra_tomcat_exec_t) ++') + -+/etc/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_etc_rw_t,s0) -+/etc/pki-tks/tomcat5.conf -- gen_context(system_u:object_r:pki_tks_tomcat_exec_t,s0) ++######################################## ++## ++## Execute pki_ocsp server in the pki_ocsp domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`pki_ocsp_script_domtrans',` ++ gen_require(` ++ attribute pki_ocsp_script; ++ ') + -+/var/lib/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_var_lib_t,s0) ++ init_script_domtrans_spec($1,pki_ocsp_script) ++') + -+/var/run/pki-tks.pid gen_context(system_u:object_r:pki_tks_var_run_t,s0) + -+/var/log/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_log_t,s0) ++######################################## ++## ++## All of the rules required to administrate ++## an pki_ocsp environment ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++## ++## The role to be allowed to manage the syslog domain. ++## ++## ++## ++## ++## The type of the user terminal. ++## ++## ++## ++# ++interface(`pki_ocsp_admin',` ++ gen_require(` ++ type pki_ocsp_tomcat_exec_t; ++ attribute pki_ocsp_process; ++ attribute pki_ocsp_config; ++ attribute pki_ocsp_executable; ++ attribute pki_ocsp_var_lib; ++ attribute pki_ocsp_var_log; ++ attribute pki_ocsp_var_run; ++ attribute pki_ocsp_pidfiles; ++ attribute pki_ocsp_script; ++ ') + -+/usr/sbin/httpd.worker -- gen_context(system_u:object_r:pki_ra_exec_t,s0) -+/etc/init.d/pki-tps -- gen_context(system_u:object_r:pki_tps_script_exec_t,s0) -+/etc/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0) -+/var/lib/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_var_lib_t,s0) -+/var/log/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_log_t,s0) ++ allow $1 pki_ocsp_process:process { ptrace signal_perms }; ++ ps_process_pattern($1, pki_ocsp_t) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pki.if serefpolicy-3.5.13/policy/modules/services/pki.if ---- nsaserefpolicy/policy/modules/services/pki.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/pki.if 2008-11-13 13:57:43.000000000 -0500 -@@ -0,0 +1,643 @@ ++ # Allow pki_ocsp_t to restart the service ++ pki_ocsp_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 pki_ocsp_script system_r; ++ allow $2 system_r; + -+## policy for pki ++ manage_all_pattern($1, pki_ocsp_config) ++ manage_all_pattern($1, pki_ocsp_var_run) ++ manage_all_pattern($1, pki_ocsp_var_lib) ++ manage_all_pattern($1, pki_ocsp_var_log) ++ manage_all_pattern($1, pki_ocsp_config) ++ manage_all_pattern($1, pki_ocsp_tomcat_exec_t) ++') + +######################################## +## -+## Execute pki_ca server in the pki_ca domain. ++## Execute pki_ra server in the pki_ra domain. +## +## +## 
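Review bot: The last block of the new pki.fc crosses two pid-file labels: `/var/run/pki-ra\.pid` is given `pki_ocsp_var_run_t` and `/var/run/pki-tps\.pid` is given `pki_tks_var_run_t`. Because `pki_ca_template` lets each `$1_t` manage its own `$1_var_run_t` and `pki_ocsp_admin`/`pki_tks_admin` get `manage_all_pattern` on those attributes, the OCSP and TKS domains (and their admins) can create, overwrite or unlink the RA and TPS pid files; either drop the two entries or declare `pki_ra_var_run_t`/`pki_tps_var_run_t` in `pki_ra_template` and use them here. In the same hunk `pki_ca_template` hardcodes `can_exec($1_t, pki_ca_tomcat_exec_t)` and `corenet_tcp_bind_ocsp_port($1_t)` for every instantiation, so nothing visible lets pki_kra_t/pki_tks_t execute the `$1_tomcat_exec_t` that this .fc assigns to their own `/etc/pki-*/tomcat5\.conf` while every instance may bind the OCSP port — `can_exec($1_t, $1_tomcat_exec_t)` (with `type $1_tomcat_exec_t;` added to the gen_require) and a per-`$1` port interface would keep the subsystems separated. `/usr/sbin/httpd.worker -- gen_context(system_u:object_r:pki_ra_exec_t,s0)` relabels the stock Apache worker-MPM binary, so any httpd.worker launched by init on the host would transition to pki_ra_t rather than httpd_t, and the dot should be escaped like the other entries. The pki.if definitions opened here continue in the following hunks.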
@@ -16517,12 +19320,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`pki_ca_script_domtrans',` ++interface(`pki_ra_script_domtrans',` + gen_require(` -+ attribute pki_ca_script; ++ attribute pki_ra_script; + ') + -+ init_script_domtrans_spec($1,pki_ca_script) ++ init_script_domtrans_spec($1,pki_ra_script) +') + +######################################## @@ -16536,37 +19339,32 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +##
+## +# -+template(`pki_ca_template',` ++template(`pki_ra_template',` + gen_require(` -+ attribute pki_ca_process; -+ attribute pki_ca_config, pki_ca_var_lib, pki_ca_var_run; -+ attribute pki_ca_executable, pki_ca_script, pki_ca_var_log; -+ type pki_ca_tomcat_exec_t; -+ type $1_port_t; ++ attribute pki_ra_process; ++ attribute pki_ra_config, pki_ra_var_lib; ++ attribute pki_ra_executable, pki_ra_script, pki_ra_var_log; + ') + ######################################## + # + # Declarations + # + -+ type $1_t, pki_ca_process; -+ type $1_exec_t, pki_ca_executable; ++ type $1_t, pki_ra_process; ++ type $1_exec_t, pki_ra_executable; + domain_type($1_t) + init_daemon_domain($1_t, $1_exec_t) + -+ type $1_script_exec_t, pki_ca_script; ++ type $1_script_exec_t, pki_ra_script; + init_script_file($1_script_exec_t) + -+ type $1_etc_rw_t, pki_ca_config; ++ type $1_etc_rw_t, pki_ra_config; + files_type($1_etc_rw_t) + -+ type $1_var_run_t, pki_ca_var_run; -+ files_pid_file($1_var_run_t) -+ -+ type $1_var_lib_t, pki_ca_var_lib; ++ type $1_var_lib_t, pki_ra_var_lib; + files_type($1_var_lib_t) + -+ type $1_log_t, pki_ca_var_log; ++ type $1_log_t, pki_ra_var_log; + logging_log_file($1_log_t) + + ######################################## 
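Review bot: The new `pki_ra_template` declares no `$1_var_run_t` even though it sets up an `init_daemon_domain` and the accompanying pki.fc still labels `/var/run/pki-ra\.pid` and `/var/run/pki-tps\.pid` (currently with other subsystems' types), while pki.te declares `pki_ra_var_run` and `pki_ra_pidfiles` attributes that nothing populates. Unless the RA and TPS daemons are known never to write a pid file, the declarations should include `type $1_var_run_t, pki_ra_var_run;` and `files_pid_file($1_var_run_t)` alongside the other derived types, with the matching manage/filetrans rules in the local-policy section. If they truly have no pid file, the .fc entries and the empty attributes should be removed instead so the intent is clear. The template body continues in the following hunks.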
@@ -16574,28 +19372,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + # $1 local policy + # + -+ # Execstack/execmem caused by java app. -+ allow $1_t self:process { execstack execmem getsched setsched }; -+ + ## internal communication is often done using fifo and unix sockets. + allow $1_t self:fifo_file rw_file_perms; + allow $1_t self:unix_stream_socket create_stream_socket_perms; -+ allow $1_t self:tcp_socket create_stream_socket_perms; -+ allow $1_t self:process signull; -+ -+ allow $1_t $1_port_t:tcp_socket {name_bind name_connect}; -+ -+ corenet_all_recvfrom_unlabeled($1_t) -+ corenet_tcp_sendrecv_all_if($1_t) -+ corenet_tcp_sendrecv_all_nodes($1_t) -+ corenet_tcp_sendrecv_all_ports($1_t) -+ -+ corenet_tcp_bind_all_nodes($1_t) -+ corenet_tcp_bind_ocsp_port($1_t) -+ corenet_tcp_connect_ocsp_port($1_t) -+ -+ # This is for /etc/$1/tomcat.conf: -+ can_exec($1_t, pki_ca_tomcat_exec_t) + + # Init script handling + domain_use_interactive_fds($1_t) @@ -16606,10 +19385,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t) + files_etc_filetrans($1_t,$1_etc_rw_t, { file dir }) + -+ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t) -+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) -+ files_pid_filetrans($1_t,$1_var_run_t, { file dir }) -+ + manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t) + manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t) + read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t) 
@@ -16619,55 +19394,99 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_files_pattern($1_t, $1_log_t, $1_log_t) + logging_log_filetrans($1_t, $1_log_t, { file dir } ) + -+ corecmd_exec_bin($1_t) -+ corecmd_read_bin_symlinks($1_t) -+ corecmd_exec_shell($1_t) ++ init_dontaudit_write_utmp($1_t) + -+ dev_list_sysfs($1_t) -+ dev_read_rand($1_t) -+ dev_read_urand($1_t) ++ libs_use_ld_so($1_t) ++ libs_use_shared_libs($1_t) + -+ # Java is looking in /tmp for some reason...: -+ files_manage_generic_tmp_dirs($1_t) -+ files_manage_generic_tmp_files($1_t) -+ files_read_usr_files($1_t) -+ files_read_usr_symlinks($1_t) -+ # These are used to read tomcat class files in /var/lib/tomcat -+ files_read_var_lib_files($1_t) -+ files_read_var_lib_symlinks($1_t) ++ miscfiles_read_localization($1_t) + -+ kernel_read_network_state($1_t) -+ kernel_read_system_state($1_t) -+ kernel_search_network_state($1_t) -+ # audit2allow -+ kernel_signull_unlabeled($1_t) ++ ifdef(`targeted_policy',` ++ term_dontaudit_use_unallocated_ttys($1_t) ++ term_dontaudit_use_generic_ptys($1_t) ++ ') + -+ auth_use_nsswitch($1_t) ++ gen_require(` ++ type httpd_t; ++ ') + -+ init_dontaudit_write_utmp($1_t) ++ allow httpd_t pki_ra_etc_rw_t:file { read getattr }; ++ allow httpd_t pki_ra_log_t:file read; ++ allow httpd_t pki_ra_var_lib_t:lnk_file read; + -+ libs_use_ld_so($1_t) -+ libs_use_shared_libs($1_t) + -+ miscfiles_read_localization($1_t) ++') + -+ ifdef(`targeted_policy',` -+ term_dontaudit_use_unallocated_ttys($1_t) -+ term_dontaudit_use_generic_ptys($1_t) ++######################################## ++## ++## All of the rules required to administrate ++## an pki_ra environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the syslog domain. ++## ++## ++## ++## ++## The type of the user terminal. 
++## ++## ++## ++# ++interface(`pki_ra_admin',` ++ gen_require(` ++ attribute pki_ra_process; ++ attribute pki_ra_config; ++ attribute pki_ra_executable; ++ attribute pki_ra_var_lib; ++ attribute pki_ra_var_log; ++ attribute pki_ra_script; + ') + -+#This is broken in selinux-policy we need java_exec defined, Will add to policy ++ allow $1 pki_ra_process:process { ptrace signal_perms }; ++ ps_process_pattern($1, pki_ra_t) ++ ++ # Allow pki_ra_t to restart the service ++ pki_ra_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 pki_ra_script system_r; ++ allow $2 system_r; ++ ++ manage_all_pattern($1, pki_ra_config) ++ manage_all_pattern($1, pki_ra_var_lib) ++ manage_all_pattern($1, pki_ra_var_log) ++ manage_all_pattern($1, pki_ra_config) ++') ++ ++######################################## ++## ++## Execute pki_tks server in the pki_tks domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`pki_tks_script_domtrans',` + gen_require(` -+ type java_exec_t; ++ attribute pki_tks_script; + ') -+ can_exec($1_t, java_exec_t) + ++ init_script_domtrans_spec($1,pki_tks_script) +') + ++ +######################################## +## +## All of the rules required to administrate -+## an pki_ca environment ++## an pki_tks environment +## +## +## 
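Review bot: The `httpd_t` rules appended to `pki_ra_template` name the concrete `pki_ra_etc_rw_t`, `pki_ra_log_t` and `pki_ra_var_lib_t` types instead of the template's `$1_*` types, so the second instantiation (`pki_ra_template(pki_tps)` in pki.te further down) grants httpd nothing on the tps types and merely restates the same three ra rules; they should read `allow httpd_t $1_etc_rw_t:file { read getattr };`, `allow httpd_t $1_log_t:file read;` and `allow httpd_t $1_var_lib_t:lnk_file read;`. The unconditional gen_require of `httpd_t` inside the template also makes every user of pki.if hard-depend on the apache module; the usual refpolicy shape is an `optional_policy` block or `pki_read_ra_config`-style interfaces that apache.te calls, which keeps the cross-module access reviewable from the apache side. The bare `:file read` grants would be more robust as `read_files_pattern(httpd_t, $1_log_t, $1_log_t)`, which also covers getattr/open. `pki_ra_template` begins in an earlier hunk.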
@@ -16686,39 +19505,39 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`pki_ca_admin',` ++interface(`pki_tks_admin',` + gen_require(` -+ type pki_ca_tomcat_exec_t; -+ attribute pki_ca_process; -+ attribute pki_ca_config; -+ attribute pki_ca_executable; -+ attribute pki_ca_var_lib; -+ attribute pki_ca_var_log; -+ attribute pki_ca_var_run; -+ attribute pki_ca_pidfiles; -+ attribute pki_ca_script; ++ type pki_tks_tomcat_exec_t; ++ attribute pki_tks_process; ++ attribute pki_tks_config; ++ attribute pki_tks_executable; ++ attribute pki_tks_var_lib; ++ attribute pki_tks_var_log; ++ attribute pki_tks_var_run; ++ attribute pki_tks_pidfiles; ++ attribute pki_tks_script; + ') + -+ allow $1 pki_ca_process:process { ptrace signal_perms }; -+ ps_process_pattern($1, pki_ca_t) ++ allow $1 pki_tks_process:process { ptrace signal_perms }; ++ ps_process_pattern($1, pki_tks_t) + -+ # Allow pki_ca_t to restart the service -+ pki_ca_script_domtrans($1) ++ # Allow pki_tks_t to restart the service ++ pki_tks_script_domtrans($1) + domain_system_change_exemption($1) -+ role_transition $2 pki_ca_script system_r; ++ role_transition $2 pki_tks_script system_r; + allow $2 system_r; + -+ manage_all_pattern($1, pki_ca_config) -+ manage_all_pattern($1, pki_ca_var_run) -+ manage_all_pattern($1, pki_ca_var_lib) -+ manage_all_pattern($1, pki_ca_var_log) -+ manage_all_pattern($1, pki_ca_config) -+ manage_all_pattern($1, pki_ca_tomcat_exec_t) ++ manage_all_pattern($1, pki_tks_config) ++ manage_all_pattern($1, pki_tks_var_run) ++ manage_all_pattern($1, pki_tks_var_lib) ++ manage_all_pattern($1, pki_tks_var_log) ++ manage_all_pattern($1, pki_tks_config) ++ manage_all_pattern($1, pki_tks_tomcat_exec_t) +') + +######################################## +## -+## Execute pki_kra server in the pki_kra domain. ++## Execute pki_tps server in the pki_tps domain. +## +## +## 
@@ -16726,18 +19545,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`pki_kra_script_domtrans',` ++interface(`pki_tps_script_domtrans',` + gen_require(` -+ attribute pki_kra_script; ++ attribute pki_tps_script; + ') + -+ init_script_domtrans_spec($1,pki_kra_script) ++ init_script_domtrans_spec($1,pki_tps_script) +') + ++ +######################################## +## +## All of the rules required to administrate -+## an pki_kra environment ++## an pki_tps environment +## +## +## 
@@ -16756,218 +19576,253 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`pki_kra_admin',` ++interface(`pki_tps_admin',` + gen_require(` -+ type pki_kra_tomcat_exec_t; -+ attribute pki_kra_process; -+ attribute pki_kra_config; -+ attribute pki_kra_executable; -+ attribute pki_kra_var_lib; -+ attribute pki_kra_var_log; -+ attribute pki_kra_var_run; -+ attribute pki_kra_pidfiles; -+ attribute pki_kra_script; ++ attribute pki_tps_process; ++ attribute pki_tps_config; ++ attribute pki_tps_executable; ++ attribute pki_tps_var_lib; ++ attribute pki_tps_var_log; ++ attribute pki_tps_script; + ') + -+ allow $1 pki_kra_process:process { ptrace signal_perms }; -+ ps_process_pattern($1, pki_kra_t) ++ allow $1 pki_tps_process:process { ptrace signal_perms }; ++ ps_process_pattern($1, pki_tps_t) ++ ++ # Allow pki_tps_t to restart the service ++ pki_tps_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 pki_tps_script system_r; ++ allow $2 system_r; ++ ++ manage_all_pattern($1, pki_tps_config) ++ manage_all_pattern($1, pki_tps_var_lib) ++ manage_all_pattern($1, pki_tps_var_log) ++ manage_all_pattern($1, pki_tps_config) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pki.te serefpolicy-3.5.13/policy/modules/services/pki.te +--- nsaserefpolicy/policy/modules/services/pki.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/pki.te 2008-11-13 13:57:43.000000000 -0500 +@@ -0,0 +1,91 @@ ++policy_module(pki,1.0.0) ++ ++attribute pki_ca_config; ++attribute pki_ca_executable; ++attribute pki_ca_var_lib; ++attribute pki_ca_var_log; ++attribute pki_ca_var_run; ++attribute pki_ca_pidfiles; ++attribute pki_ca_script; ++attribute pki_ca_process; ++ ++type pki_ca_tomcat_exec_t; ++files_type(pki_ca_tomcat_exec_t) ++ ++pki_ca_template(pki_ca) ++ ++attribute pki_kra_config; ++attribute pki_kra_executable; ++attribute 
pki_kra_var_lib; ++attribute pki_kra_var_log; ++attribute pki_kra_var_run; ++attribute pki_kra_pidfiles; ++attribute pki_kra_script; ++attribute pki_kra_process; ++ ++type pki_kra_tomcat_exec_t; ++files_type(pki_kra_tomcat_exec_t) ++ ++pki_ca_template(pki_kra) ++ ++ ++attribute pki_ocsp_config; ++attribute pki_ocsp_executable; ++attribute pki_ocsp_var_lib; ++attribute pki_ocsp_var_log; ++attribute pki_ocsp_var_run; ++attribute pki_ocsp_pidfiles; ++attribute pki_ocsp_script; ++attribute pki_ocsp_process; ++ ++type pki_ocsp_tomcat_exec_t; ++files_type(pki_ocsp_tomcat_exec_t) ++ ++pki_ca_template(pki_ocsp) ++ ++ ++attribute pki_ra_config; ++attribute pki_ra_executable; ++attribute pki_ra_var_lib; ++attribute pki_ra_var_log; ++attribute pki_ra_var_run; ++attribute pki_ra_pidfiles; ++attribute pki_ra_script; ++attribute pki_ra_process; ++ ++type pki_ra_tomcat_exec_t; ++files_type(pki_ra_tomcat_exec_t) ++ ++pki_ra_template(pki_ra) ++ ++ ++attribute pki_tks_config; ++attribute pki_tks_executable; ++attribute pki_tks_var_lib; ++attribute pki_tks_var_log; ++attribute pki_tks_var_run; ++attribute pki_tks_pidfiles; ++attribute pki_tks_script; ++attribute pki_tks_process; ++ ++type pki_tks_tomcat_exec_t; ++files_type(pki_tks_tomcat_exec_t) ++ ++pki_ca_template(pki_tks) ++ ++ ++attribute pki_tps_config; ++attribute pki_tps_executable; ++attribute pki_tps_var_lib; ++attribute pki_tps_var_log; ++attribute pki_tps_var_run; ++attribute pki_tps_pidfiles; ++attribute pki_tps_script; ++attribute pki_tps_process; ++ ++type pki_tps_tomcat_exec_t; ++files_type(pki_tps_tomcat_exec_t) ++ ++pki_ra_template(pki_tps) ++ ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.5.13/policy/modules/services/polkit.fc +--- nsaserefpolicy/policy/modules/services/polkit.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/polkit.fc 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,9 @@ + -+ # 
Allow pki_kra_t to restart the service -+ pki_kra_script_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 pki_kra_script system_r; -+ allow $2 system_r; ++/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:polkit_auth_exec_t,s0) ++/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:polkit_grant_exec_t,s0) ++/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:polkit_resolve_exec_t,s0) ++/usr/libexec/polkitd -- gen_context(system_u:object_r:polkit_exec_t,s0) + -+ manage_all_pattern($1, pki_kra_config) -+ manage_all_pattern($1, pki_kra_var_run) -+ manage_all_pattern($1, pki_kra_var_lib) -+ manage_all_pattern($1, pki_kra_var_log) -+ manage_all_pattern($1, pki_kra_config) -+ manage_all_pattern($1, pki_kra_tomcat_exec_t) -+') ++/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) ++/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_run_t,s0) ++/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.5.13/policy/modules/services/polkit.if +--- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/polkit.if 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,233 @@ ++ ++## policy for polkit_auth + +######################################## +## -+## Execute pki_ocsp server in the pki_ocsp domain. ++## Execute a domain transition to run polkit_auth. +## +## -+## -+## The type of the process performing this action. -+## ++## ++## Domain allowed to transition. 
++## +## +# -+interface(`pki_ocsp_script_domtrans',` ++interface(`polkit_domtrans_auth',` + gen_require(` -+ attribute pki_ocsp_script; ++ type polkit_auth_t; ++ type polkit_auth_exec_t; + ') + -+ init_script_domtrans_spec($1,pki_ocsp_script) ++ domtrans_pattern($1, polkit_auth_exec_t, polkit_auth_t) +') + -+ +######################################## +## -+## All of the rules required to administrate -+## an pki_ocsp environment ++## Search polkit lib directories. +## +## +## +## Domain allowed access. +## +## -+## -+## -+## The role to be allowed to manage the syslog domain. -+## -+## -+## -+## -+## The type of the user terminal. -+## -+## -+## +# -+interface(`pki_ocsp_admin',` ++interface(`polkit_search_lib',` + gen_require(` -+ type pki_ocsp_tomcat_exec_t; -+ attribute pki_ocsp_process; -+ attribute pki_ocsp_config; -+ attribute pki_ocsp_executable; -+ attribute pki_ocsp_var_lib; -+ attribute pki_ocsp_var_log; -+ attribute pki_ocsp_var_run; -+ attribute pki_ocsp_pidfiles; -+ attribute pki_ocsp_script; ++ type polkit_var_lib_t; + ') + -+ allow $1 pki_ocsp_process:process { ptrace signal_perms }; -+ ps_process_pattern($1, pki_ocsp_t) -+ -+ # Allow pki_ocsp_t to restart the service -+ pki_ocsp_script_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 pki_ocsp_script system_r; -+ allow $2 system_r; -+ -+ manage_all_pattern($1, pki_ocsp_config) -+ manage_all_pattern($1, pki_ocsp_var_run) -+ manage_all_pattern($1, pki_ocsp_var_lib) -+ manage_all_pattern($1, pki_ocsp_var_log) -+ manage_all_pattern($1, pki_ocsp_config) -+ manage_all_pattern($1, pki_ocsp_tomcat_exec_t) ++ allow $1 polkit_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) +') + +######################################## +## -+## Execute pki_ra server in the pki_ra domain. ++## read polkit lib files +## +## +## -+## The type of the process performing this action. ++## Domain allowed access. 
+## +## +# -+interface(`pki_ra_script_domtrans',` ++interface(`polkit_read_lib',` + gen_require(` -+ attribute pki_ra_script; ++ type polkit_var_lib_t; + ') + -+ init_script_domtrans_spec($1,pki_ra_script) ++ files_search_var_lib($1) ++ read_files_pattern($1, polkit_var_lib_t, polkit_var_lib_t) ++ ++ # Broken placement ++ cron_read_system_job_lib_files($1) +') + +######################################## +## -+## Create a set of derived types for apache -+## web content. ++## Execute a domain transition to run polkit_grant. ++## ++## ++## ++## Domain allowed to transition. +## -+## -+## -+## The prefix to be used for deriving type names. -+## +## +# -+template(`pki_ra_template',` ++interface(`polkit_domtrans_grant',` + gen_require(` -+ attribute pki_ra_process; -+ attribute pki_ra_config, pki_ra_var_lib; -+ attribute pki_ra_executable, pki_ra_script, pki_ra_var_log; ++ type polkit_grant_t; ++ type polkit_grant_exec_t; + ') -+ ######################################## -+ # -+ # Declarations -+ # -+ -+ type $1_t, pki_ra_process; -+ type $1_exec_t, pki_ra_executable; -+ domain_type($1_t) -+ init_daemon_domain($1_t, $1_exec_t) -+ -+ type $1_script_exec_t, pki_ra_script; -+ init_script_file($1_script_exec_t) -+ -+ type $1_etc_rw_t, pki_ra_config; -+ files_type($1_etc_rw_t) -+ -+ type $1_var_lib_t, pki_ra_var_lib; -+ files_type($1_var_lib_t) -+ -+ type $1_log_t, pki_ra_var_log; -+ logging_log_file($1_log_t) -+ -+ ######################################## -+ # -+ # $1 local policy -+ # -+ -+ ## internal communication is often done using fifo and unix sockets. 
-+ allow $1_t self:fifo_file rw_file_perms; -+ allow $1_t self:unix_stream_socket create_stream_socket_perms; -+ -+ # Init script handling -+ domain_use_interactive_fds($1_t) -+ -+ files_read_etc_files($1_t) -+ -+ manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t) -+ manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t) -+ files_etc_filetrans($1_t,$1_etc_rw_t, { file dir }) -+ -+ manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t) -+ manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t) -+ read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t) -+ files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } ) -+ -+ manage_dirs_pattern($1_t, $1_log_t, $1_log_t) -+ manage_files_pattern($1_t, $1_log_t, $1_log_t) -+ logging_log_filetrans($1_t, $1_log_t, { file dir } ) -+ -+ init_dontaudit_write_utmp($1_t) -+ -+ libs_use_ld_so($1_t) -+ libs_use_shared_libs($1_t) -+ -+ miscfiles_read_localization($1_t) + -+ ifdef(`targeted_policy',` -+ term_dontaudit_use_unallocated_ttys($1_t) -+ term_dontaudit_use_generic_ptys($1_t) -+ ') ++ domtrans_pattern($1, polkit_grant_exec_t, polkit_grant_t) ++') + ++######################################## ++## ++## Execute a domain transition to run polkit_resolve. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`polkit_domtrans_resolve',` + gen_require(` -+ type httpd_t; ++ type polkit_resolve_t; ++ type polkit_resolve_exec_t; + ') + -+ allow httpd_t pki_ra_etc_rw_t:file { read getattr }; -+ allow httpd_t pki_ra_log_t:file read; -+ allow httpd_t pki_ra_var_lib_t:lnk_file read; -+ ++ domtrans_pattern($1, polkit_resolve_exec_t, polkit_resolve_t) + ++ allow polkit_resolve_t $1:dir list_dir_perms; ++ read_files_pattern(polkit_resolve_t, $1, $1) ++ read_lnk_files_pattern(polkit_resolve_t, $1, $1) ++ allow polkit_resolve_t $1:process getattr; +') + +######################################## +## -+## All of the rules required to administrate -+## an pki_ra environment ++## Execute a policy_grant in the policy_grant domain, and ++## allow the specified role the policy_grant domain, ++## and use the caller's terminal. +## +## +## 
@@ -16976,295 +19831,516 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +## -+## The role to be allowed to manage the syslog domain. ++## The role to be allowed the load_policy domain. +## +## +## +## -+## The type of the user terminal. ++## The type of the terminal allow the load_policy domain to use. +## +## +## +# -+interface(`pki_ra_admin',` ++interface(`polkit_run_grant',` + gen_require(` -+ attribute pki_ra_process; -+ attribute pki_ra_config; -+ attribute pki_ra_executable; -+ attribute pki_ra_var_lib; -+ attribute pki_ra_var_log; -+ attribute pki_ra_script; ++ type polkit_grant_t; + ') + -+ allow $1 pki_ra_process:process { ptrace signal_perms }; -+ ps_process_pattern($1, pki_ra_t) -+ -+ # Allow pki_ra_t to restart the service -+ pki_ra_script_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 pki_ra_script system_r; -+ allow $2 system_r; -+ -+ manage_all_pattern($1, pki_ra_config) -+ manage_all_pattern($1, pki_ra_var_lib) -+ manage_all_pattern($1, pki_ra_var_log) -+ manage_all_pattern($1, pki_ra_config) ++ polkit_domtrans_grant($1) ++ role $2 types polkit_grant_t; ++ allow polkit_grant_t $3:chr_file rw_term_perms; ++ allow $1 polkit_grant_t:process signal; ++ read_files_pattern(polkit_grant_t, $1, $1) ++ allow polkit_grant_t $1:process getattr; +') + +######################################## +## -+## Execute pki_tks server in the pki_tks domain. ++## Execute a policy_auth in the policy_auth domain, and ++## allow the specified role the policy_auth domain, ++## and use the caller's terminal. +## +## +## -+## The type of the process performing this action. ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed the load_policy domain. ++## ++## ++## ++## ++## The type of the terminal allow the load_policy domain to use. 
+## +## +# -+interface(`pki_tks_script_domtrans',` ++interface(`polkit_run_auth',` + gen_require(` -+ attribute pki_tks_script; ++ type polkit_auth_t; + ') + -+ init_script_domtrans_spec($1,pki_tks_script) ++ polkit_domtrans_auth($1) ++ role $2 types polkit_auth_t; ++ allow polkit_auth_t $3:chr_file rw_term_perms; +') + -+ -+######################################## ++####################################### +## -+## All of the rules required to administrate -+## an pki_tks environment ++## The per role template for the nsplugin module. +## -+## ++## ++##

++## This template creates a derived domains which are used ++## for nsplugin web browser. ++##

++##

++## This template is invoked automatically for each user, and ++## generally does not need to be invoked directly ++## by policy writers. ++##

++##
++## +## -+## Domain allowed access. ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). +## +## -+## ++## +## -+## The role to be allowed to manage the syslog domain. ++## The type of the user domain. +## +## -+## ++## +## -+## The type of the user terminal. ++## The role associated with the user domain. +## +## +## -+# -+interface(`pki_tks_admin',` -+ gen_require(` -+ type pki_tks_tomcat_exec_t; -+ attribute pki_tks_process; -+ attribute pki_tks_config; -+ attribute pki_tks_executable; -+ attribute pki_tks_var_lib; -+ attribute pki_tks_var_log; -+ attribute pki_tks_var_run; -+ attribute pki_tks_pidfiles; -+ attribute pki_tks_script; -+ ') -+ -+ allow $1 pki_tks_process:process { ptrace signal_perms }; -+ ps_process_pattern($1, pki_tks_t) -+ -+ # Allow pki_tks_t to restart the service -+ pki_tks_script_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 pki_tks_script system_r; -+ allow $2 system_r; -+ -+ manage_all_pattern($1, pki_tks_config) -+ manage_all_pattern($1, pki_tks_var_run) -+ manage_all_pattern($1, pki_tks_var_lib) -+ manage_all_pattern($1, pki_tks_var_log) -+ manage_all_pattern($1, pki_tks_config) -+ manage_all_pattern($1, pki_tks_tomcat_exec_t) ++# ++template(`polkit_per_role_template',` ++ polkit_run_auth($2, $3, { $1_devpts_t $1_tty_device_t }) ++ polkit_run_grant($2, $3, { $1_devpts_t $1_tty_device_t }) ++ polkit_read_lib($2) +') + +######################################## +## -+## Execute pki_tps server in the pki_tps domain. ++## Send and receive messages from ++## polkit over dbus. +## +## +## -+## The type of the process performing this action. ++## Domain allowed access. 
+## +## +# -+interface(`pki_tps_script_domtrans',` ++interface(`polkit_dbus_chat',` + gen_require(` -+ attribute pki_tps_script; ++ type polkit_t; ++ class dbus send_msg; + ') + -+ init_script_domtrans_spec($1,pki_tps_script) ++ allow $1 polkit_t:dbus send_msg; ++ allow polkit_t $1:dbus send_msg; +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.5.13/policy/modules/services/polkit.te +--- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/polkit.te 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,232 @@ ++policy_module(polkit_auth, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type polkit_t; ++type polkit_exec_t; ++init_daemon_domain(polkit_t, polkit_exec_t) ++ ++type polkit_grant_t; ++type polkit_grant_exec_t; ++init_system_domain(polkit_grant_t, polkit_grant_exec_t) + ++type polkit_resolve_t; ++type polkit_resolve_exec_t; ++init_system_domain(polkit_resolve_t, polkit_resolve_exec_t) ++ ++type polkit_auth_t; ++type polkit_auth_exec_t; ++init_daemon_domain(polkit_auth_t, polkit_auth_exec_t) ++ ++type polkit_var_lib_t; ++files_type(polkit_var_lib_t) ++ ++type polkit_var_run_t; ++files_pid_file(polkit_var_run_t) + +######################################## -+## -+## All of the rules required to administrate -+## an pki_tps environment -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The role to be allowed to manage the syslog domain. -+## -+## -+## -+## -+## The type of the user terminal. 
-+## -+## -+## +# -+interface(`pki_tps_admin',` -+ gen_require(` -+ attribute pki_tps_process; -+ attribute pki_tps_config; -+ attribute pki_tps_executable; -+ attribute pki_tps_var_lib; -+ attribute pki_tps_var_log; -+ attribute pki_tps_script; ++# polkit local policy ++# ++ ++allow polkit_t self:capability { setgid setuid }; ++allow polkit_t self:process getattr; ++ ++allow polkit_t self:unix_dgram_socket create_socket_perms; ++allow polkit_t self:fifo_file rw_file_perms; ++allow polkit_t self:unix_stream_socket create_stream_socket_perms; ++ ++polkit_domtrans_auth(polkit_t) ++polkit_domtrans_resolve(polkit_t) ++ ++can_exec(polkit_t, polkit_exec_t) ++corecmd_exec_bin(polkit_t) ++ ++domain_use_interactive_fds(polkit_t) ++ ++files_read_etc_files(polkit_t) ++files_read_usr_files(polkit_t) ++ ++fs_list_inotifyfs(polkit_t) ++ ++kernel_read_kernel_sysctls(polkit_t) ++ ++auth_use_nsswitch(polkit_t) ++ ++libs_use_ld_so(polkit_t) ++libs_use_shared_libs(polkit_t) ++ ++miscfiles_read_localization(polkit_t) ++ ++logging_send_syslog_msg(polkit_t) ++ ++manage_files_pattern(polkit_t, polkit_var_lib_t, polkit_var_lib_t) ++ ++# pid file ++manage_dirs_pattern(polkit_t, polkit_var_run_t, polkit_var_run_t) ++manage_files_pattern(polkit_t, polkit_var_run_t, polkit_var_run_t) ++files_pid_filetrans(polkit_t, polkit_var_run_t, { file dir }) ++ ++optional_policy(` ++ dbus_system_domain(polkit_t, polkit_exec_t) ++ optional_policy(` ++ consolekit_dbus_chat(polkit_t) + ') ++') + -+ allow $1 pki_tps_process:process { ptrace signal_perms }; -+ ps_process_pattern($1, pki_tps_t) ++######################################## ++# ++# polkit_auth local policy ++# + -+ # Allow pki_tps_t to restart the service -+ pki_tps_script_domtrans($1) -+ domain_system_change_exemption($1) -+ role_transition $2 pki_tps_script system_r; -+ allow $2 system_r; ++allow polkit_auth_t self:capability setgid; ++allow polkit_auth_t self:process { getattr }; + -+ manage_all_pattern($1, pki_tps_config) -+ 
manage_all_pattern($1, pki_tps_var_lib) -+ manage_all_pattern($1, pki_tps_var_log) -+ manage_all_pattern($1, pki_tps_config) ++allow polkit_auth_t self:unix_dgram_socket create_socket_perms; ++allow polkit_auth_t self:fifo_file rw_file_perms; ++allow polkit_auth_t self:unix_stream_socket create_stream_socket_perms; ++ ++can_exec(polkit_auth_t, polkit_auth_exec_t) ++corecmd_search_bin(polkit_auth_t) ++ ++domain_use_interactive_fds(polkit_auth_t) ++ ++files_read_etc_files(polkit_auth_t) ++files_read_usr_files(polkit_auth_t) ++ ++auth_use_nsswitch(polkit_auth_t) ++ ++libs_use_ld_so(polkit_auth_t) ++libs_use_shared_libs(polkit_auth_t) ++ ++miscfiles_read_localization(polkit_auth_t) ++ ++logging_send_syslog_msg(polkit_auth_t) ++ ++manage_files_pattern(polkit_auth_t, polkit_var_lib_t, polkit_var_lib_t) ++ ++# pid file ++manage_dirs_pattern(polkit_auth_t, polkit_var_run_t, polkit_var_run_t) ++manage_files_pattern(polkit_auth_t, polkit_var_run_t, polkit_var_run_t) ++files_pid_filetrans(polkit_auth_t, polkit_var_run_t, { file dir }) ++ ++userdom_read_all_users_state(polkit_t) ++ ++unprivuser_append_home_content_files(polkit_auth_t) ++unprivuser_dontaudit_read_home_content_files(polkit_auth_t) ++ ++optional_policy(` ++ cron_read_system_job_lib_files(polkit_t) +') -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pki.te serefpolicy-3.5.13/policy/modules/services/pki.te ---- nsaserefpolicy/policy/modules/services/pki.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/pki.te 2008-11-13 13:57:43.000000000 -0500 -@@ -0,0 +1,91 @@ -+policy_module(pki,1.0.0) + -+attribute pki_ca_config; -+attribute pki_ca_executable; -+attribute pki_ca_var_lib; -+attribute pki_ca_var_log; -+attribute pki_ca_var_run; -+attribute pki_ca_pidfiles; -+attribute pki_ca_script; -+attribute pki_ca_process; ++optional_policy(` ++ dbus_system_bus_client_template(polkit_auth, polkit_auth_t) ++ 
consolekit_dbus_chat(polkit_auth_t) ++ dbus_system_domain(polkit_exec_t, polkit_t) ++') + -+type pki_ca_tomcat_exec_t; -+files_type(pki_ca_tomcat_exec_t) ++optional_policy(` ++ hal_getattr(polkit_auth_t) ++ hal_read_state(polkit_auth_t) ++') + -+pki_ca_template(pki_ca) ++######################################## ++# ++# polkit_grant local policy ++# + -+attribute pki_kra_config; -+attribute pki_kra_executable; -+attribute pki_kra_var_lib; -+attribute pki_kra_var_log; -+attribute pki_kra_var_run; -+attribute pki_kra_pidfiles; -+attribute pki_kra_script; -+attribute pki_kra_process; ++allow polkit_grant_t self:capability setuid; ++allow polkit_grant_t self:process getattr; + -+type pki_kra_tomcat_exec_t; -+files_type(pki_kra_tomcat_exec_t) ++allow polkit_grant_t self:unix_dgram_socket create_socket_perms; ++allow polkit_grant_t self:fifo_file rw_file_perms; ++allow polkit_grant_t self:unix_stream_socket create_stream_socket_perms; + -+pki_ca_template(pki_kra) ++can_exec(polkit_grant_t, polkit_grant_exec_t) ++corecmd_search_bin(polkit_grant_t) + ++files_read_etc_files(polkit_grant_t) ++files_read_usr_files(polkit_grant_t) + -+attribute pki_ocsp_config; -+attribute pki_ocsp_executable; -+attribute pki_ocsp_var_lib; -+attribute pki_ocsp_var_log; -+attribute pki_ocsp_var_run; -+attribute pki_ocsp_pidfiles; -+attribute pki_ocsp_script; -+attribute pki_ocsp_process; ++auth_use_nsswitch(polkit_grant_t) ++auth_domtrans_chk_passwd(polkit_grant_t) + -+type pki_ocsp_tomcat_exec_t; -+files_type(pki_ocsp_tomcat_exec_t) ++libs_use_ld_so(polkit_grant_t) ++libs_use_shared_libs(polkit_grant_t) + -+pki_ca_template(pki_ocsp) ++miscfiles_read_localization(polkit_grant_t) + ++logging_send_syslog_msg(polkit_grant_t) + -+attribute pki_ra_config; -+attribute pki_ra_executable; -+attribute pki_ra_var_lib; -+attribute pki_ra_var_log; -+attribute pki_ra_var_run; -+attribute pki_ra_pidfiles; -+attribute pki_ra_script; -+attribute pki_ra_process; ++polkit_domtrans_auth(polkit_grant_t) 
++polkit_domtrans_resolve(polkit_grant_t) + -+type pki_ra_tomcat_exec_t; -+files_type(pki_ra_tomcat_exec_t) ++manage_files_pattern(polkit_grant_t, polkit_var_run_t, polkit_var_run_t) + -+pki_ra_template(pki_ra) ++manage_files_pattern(polkit_grant_t, polkit_var_lib_t, polkit_var_lib_t) ++userdom_read_all_users_state(polkit_grant_t) + ++optional_policy(` ++ dbus_system_bus_client_template(polkit_grant, polkit_grant_t) ++ consolekit_dbus_chat(polkit_grant_t) ++') + -+attribute pki_tks_config; -+attribute pki_tks_executable; -+attribute pki_tks_var_lib; -+attribute pki_tks_var_log; -+attribute pki_tks_var_run; -+attribute pki_tks_pidfiles; -+attribute pki_tks_script; -+attribute pki_tks_process; ++gen_require(` ++ type system_crond_var_lib_t; ++') + -+type pki_tks_tomcat_exec_t; -+files_type(pki_tks_tomcat_exec_t) ++manage_files_pattern(polkit_grant_t, system_crond_var_lib_t, system_crond_var_lib_t) + -+pki_ca_template(pki_tks) ++######################################## ++# ++# polkit_resolve local policy ++# + ++allow polkit_resolve_t self:capability { setuid sys_nice sys_ptrace }; ++allow polkit_resolve_t self:process getattr; + -+attribute pki_tps_config; -+attribute pki_tps_executable; -+attribute pki_tps_var_lib; -+attribute pki_tps_var_log; -+attribute pki_tps_var_run; -+attribute pki_tps_pidfiles; -+attribute pki_tps_script; -+attribute pki_tps_process; ++allow polkit_resolve_t self:unix_dgram_socket create_socket_perms; ++allow polkit_resolve_t self:fifo_file rw_file_perms; ++allow polkit_resolve_t self:unix_stream_socket create_stream_socket_perms; ++ ++read_files_pattern(polkit_resolve_t, polkit_var_lib_t, polkit_var_lib_t) ++ ++can_exec(polkit_resolve_t, polkit_resolve_exec_t) ++corecmd_search_bin(polkit_resolve_t) ++ ++polkit_domtrans_auth(polkit_resolve_t) ++ ++files_read_etc_files(polkit_resolve_t) ++files_read_usr_files(polkit_resolve_t) ++ ++auth_use_nsswitch(polkit_resolve_t) ++ ++libs_use_ld_so(polkit_resolve_t) 
++libs_use_shared_libs(polkit_resolve_t) ++ ++miscfiles_read_localization(polkit_resolve_t) ++ ++logging_send_syslog_msg(polkit_resolve_t) ++ ++userdom_read_all_users_state(polkit_resolve_t) ++userdom_ptrace_all_users(polkit_resolve_t) ++mcs_ptrace_all(polkit_resolve_t) ++ ++optional_policy(` ++ dbus_system_bus_client_template(polkit_resolve, polkit_resolve_t) ++ optional_policy(` ++ consolekit_dbus_chat(polkit_resolve_t) ++ ') ++') ++ ++optional_policy(` ++ hal_getattr(polkit_resolve_t) ++ hal_read_state(polkit_resolve_t) ++') ++ ++optional_policy(` ++ unconfined_ptrace(polkit_resolve_t) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portmap.te serefpolicy-3.5.13/policy/modules/services/portmap.te +--- nsaserefpolicy/policy/modules/services/portmap.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/portmap.te 2008-11-11 16:22:03.000000000 -0500 +@@ -41,6 +41,7 @@ + manage_files_pattern(portmap_t, portmap_var_run_t, portmap_var_run_t) + files_pid_filetrans(portmap_t, portmap_var_run_t, file) + ++kernel_read_system_state(portmap_t) + kernel_read_kernel_sysctls(portmap_t) + kernel_list_proc(portmap_t) + kernel_read_proc_symlinks(portmap_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.fc serefpolicy-3.5.13/policy/modules/services/portreserve.fc +--- nsaserefpolicy/policy/modules/services/portreserve.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/portreserve.fc 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,12 @@ ++# portreserve executable will have: ++# label: system_u:object_r:portreserve_exec_t ++# MLS sensitivity: s0 ++# MCS categories: ++ ++#exec ++/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0) ++ ++/var/run/portreserve(/.*)? gen_context(system_u:object_r:portreserve_var_run_t,s0) ++ ++/etc/portreserve(/.*)? 
gen_context(system_u:object_r:portreserve_etc_t,s0) ++ +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.if serefpolicy-3.5.13/policy/modules/services/portreserve.if +--- nsaserefpolicy/policy/modules/services/portreserve.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/portreserve.if 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,70 @@ ++## policy for portreserve ++ ++######################################## ++## ++## Execute a domain transition to run portreserve. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`portreserve_domtrans',` ++ gen_require(` ++ type portreserve_t, portreserve_exec_t; ++ ') ++ ++ domain_auto_trans($1,portreserve_exec_t,portreserve_t) ++ ++ allow portreserve_t $1:fd use; ++ allow portreserve_t $1:fifo_file rw_file_perms; ++ allow portreserve_t $1:process sigchld; ++') ++ ++####################################### ++## ++## Allow the specified domain to read ++## portreserve etcuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++# ++interface(`portreserve_read_etc',` ++ gen_require(` ++ type portreserve_etc_t; ++ ') ++ ++ files_search_etc($1) ++ allow $1 portreserve_etc_t:dir list_dir_perms; ++ read_files_pattern($1, portreserve_etc_t, portreserve_etc_t) ++ read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t) ++') ++ ++####################################### ++## ++## Allow the specified domain to manage ++## portreserve etcuration files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++# ++interface(`portreserve_manage_etc',` ++ gen_require(` ++ type portreserve_etc_t; ++ ') ++ ++ files_search_etc($1) ++ manage_dirs_pattern($1, portreserve_etc_t, portreserve_etc_t) ++ manage_files_pattern($1, portreserve_etc_t, portreserve_etc_t) ++ read_lnk_files_pattern($1, portreserve_etc_t, portreserve_etc_t) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.5.13/policy/modules/services/portreserve.te +--- nsaserefpolicy/policy/modules/services/portreserve.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/portreserve.te 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,55 @@ ++policy_module(portreserve,1.0.0) ++ ++######################################## ++# ++# Declarations ++# + -+type pki_tps_tomcat_exec_t; -+files_type(pki_tps_tomcat_exec_t) ++type portreserve_t; ++type portreserve_exec_t; ++init_daemon_domain(portreserve_t, portreserve_exec_t) + -+pki_ra_template(pki_tps) ++type portreserve_etc_t; ++files_type(portreserve_etc_t) + ++type portreserve_var_run_t; ++files_pid_file(portreserve_var_run_t) ++ ++######################################## ++# ++# Portreserve local policy ++# ++allow portreserve_t self:fifo_file rw_fifo_file_perms; ++allow portreserve_t self:unix_stream_socket create_stream_socket_perms; ++allow portreserve_t self:unix_dgram_socket { create_socket_perms sendto }; ++allow portreserve_t self:tcp_socket create_socket_perms; ++allow portreserve_t self:udp_socket create_socket_perms; ++ ++# Read etc files ++list_dirs_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t) ++read_files_pattern(portreserve_t, portreserve_etc_t, portreserve_etc_t) ++ ++# Manage /var/run/portreserve/* ++manage_dirs_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) ++manage_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) ++manage_sock_files_pattern(portreserve_t, 
portreserve_var_run_t, portreserve_var_run_t) ++files_pid_filetrans(portreserve_t,portreserve_var_run_t, { file sock_file }) + -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portmap.te serefpolicy-3.5.13/policy/modules/services/portmap.te ---- nsaserefpolicy/policy/modules/services/portmap.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/portmap.te 2008-11-11 16:22:03.000000000 -0500 -@@ -41,6 +41,7 @@ - manage_files_pattern(portmap_t, portmap_var_run_t, portmap_var_run_t) - files_pid_filetrans(portmap_t, portmap_var_run_t, file) - -+kernel_read_system_state(portmap_t) - kernel_read_kernel_sysctls(portmap_t) - kernel_list_proc(portmap_t) - kernel_read_proc_symlinks(portmap_t) -diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portreserve.te serefpolicy-3.5.13/policy/modules/services/portreserve.te ---- nsaserefpolicy/policy/modules/services/portreserve.te 2008-11-07 08:30:49.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/services/portreserve.te 2008-11-11 16:22:03.000000000 -0500 -@@ -35,6 +35,8 @@ - manage_sock_files_pattern(portreserve_t, portreserve_var_run_t, portreserve_var_run_t) - files_pid_filetrans(portreserve_t,portreserve_var_run_t, { file sock_file }) - +corenet_sendrecv_unlabeled_packets(portreserve_t) +corenet_all_recvfrom_netlabel(portreserve_t) - corenet_tcp_bind_all_ports(portreserve_t) - corenet_tcp_bind_all_ports(portreserve_t) - corenet_udp_bind_all_nodes(portreserve_t) ++corenet_tcp_bind_all_ports(portreserve_t) ++corenet_tcp_bind_all_ports(portreserve_t) ++corenet_udp_bind_all_nodes(portreserve_t) ++corenet_udp_bind_all_ports(portreserve_t) ++corenet_tcp_bind_inaddr_any_node(portreserve_t) ++corenet_udp_bind_inaddr_any_node(portreserve_t) ++ ++files_read_etc_files(portreserve_t) ++ ++libs_use_ld_so(portreserve_t) ++libs_use_shared_libs(portreserve_t) ++ ++# Init script handling 
++#init_use_fds(portreserve_t)
++#init_use_script_ptys(portreserve_t)
++#domain_use_interactive_fds(portreserve_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.5.13/policy/modules/services/postfix.fc
 --- nsaserefpolicy/policy/modules/services/postfix.fc 2008-10-17 08:49:11.000000000 -0400
 +++ serefpolicy-3.5.13/policy/modules/services/postfix.fc 2008-11-11 16:22:03.000000000 -0500
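Review bot: In the polkit_auth dbus `optional_policy` block of polkit.te, `dbus_system_domain(polkit_exec_t, polkit_t)` reverses the argument order used by `dbus_system_domain(polkit_t, polkit_exec_t)` in the polkit_t section a few lines earlier and duplicates it; drop the line, or write `dbus_system_domain(polkit_t, polkit_exec_t)` if a second call is really intended. The same block calls `consolekit_dbus_chat(polkit_auth_t)` without the nested `optional_policy(` wrapper that the polkit_t and polkit_resolve_t sections use, and the polkit_grant section reaches into cron with a bare `gen_require(` type system_crond_var_lib_t; ')` followed by `manage_files_pattern(polkit_grant_t, system_crond_var_lib_t, system_crond_var_lib_t)`, so both leave the build dependent on modules that are otherwise optional and bypass the cron interfaces (the `# Broken placement` comment in polkit_read_lib already hints at this). In portreserve.te `corenet_tcp_bind_all_ports(portreserve_t)` appears twice back to back; given the udp pair that follows, the first looks like it was meant to be `corenet_tcp_bind_all_nodes(portreserve_t)` — confirm. The `<param>` text of polkit_run_grant and polkit_run_auth still reads "The role to be allowed the load_policy domain." and "the terminal allow the load_policy domain to use" from the interface they were copied from, and should name polkit_grant and polkit_auth respectively. polkit_resolve_t is also given `sys_ptrace` plus `userdom_ptrace_all_users`, `mcs_ptrace_all` and `unconfined_ptrace`; a one-line comment above those rules stating which operation of polkit-resolve-exe-helper requires ptrace over every domain would let a later reviewer narrow the grant.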
@@ -22467,6 +25543,209 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow tor_t self:fifo_file rw_fifo_file_perms; allow tor_t self:unix_stream_socket create_stream_socket_perms; allow tor_t self:netlink_route_socket r_netlink_socket_perms; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.fc serefpolicy-3.5.13/policy/modules/services/ulogd.fc +--- nsaserefpolicy/policy/modules/services/ulogd.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/ulogd.fc 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,10 @@ ++ ++/etc/rc\.d/init\.d/ulogd -- gen_context(system_u:object_r:ulogd_initrc_exec_t,s0) ++ ++/etc/ulogd.conf -- gen_context(system_u:object_r:ulogd_etc_t,s0) ++ ++/usr/lib/ulogd(/.*)? gen_context(system_u:object_r:ulogd_modules_t,s0) ++ ++/usr/sbin/ulogd -- gen_context(system_u:object_r:ulogd_exec_t,s0) ++ ++/var/log/ulogd(/.*)? gen_context(system_u:object_r:ulogd_var_log_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.if serefpolicy-3.5.13/policy/modules/services/ulogd.if +--- nsaserefpolicy/policy/modules/services/ulogd.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/ulogd.if 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,127 @@ ++## policy for ulogd ++ ++######################################## ++## ++## Execute a domain transition to run ulogd. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ulogd_domtrans',` ++ gen_require(` ++ type ulogd_t, ulogd_exec_t; ++ ') ++ ++ domtrans_pattern($1,ulogd_exec_t,ulogd_t) ++') ++ ++######################################## ++## ++## Allow the specified domain to read ++## ulogd configuration files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++## ++# ++interface(`ulogd_read_config',` ++ gen_require(` ++ type ulogd_etc_t; ++ ') ++ ++ files_search_etc($1) ++ read_files_pattern($1, ulogd_etc_t, ulogd_etc_t) ++') ++ ++######################################## ++## ++## Allow the specified domain to read ulogd's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++# ++interface(`ulogd_read_log',` ++ gen_require(` ++ type ulogd_var_log_t; ++ ') ++ ++ logging_search_logs($1) ++ allow $1 ulogd_var_log_t:dir list_dir_perms; ++ read_files_pattern($1, ulogd_var_log_t, ulogd_var_log_t) ++') ++ ++######################################## ++## ++## Allow the specified domain to append to ulogd's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++# ++interface(`ulogd_append_log',` ++ gen_require(` ++ type ulogd_var_log_t; ++ ') ++ ++ logging_search_logs($1) ++ allow $1 ulogd_var_log_t:dir list_dir_perms; ++ allow $1 ulogd_var_log_t:file append_file_perms; ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an ulogd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the syslog domain. 
++## ++## ++## ++# ++interface(`ulogd_admin',` ++ gen_require(` ++ type ulogd_t, ulogd_etc_t; ++ type ulogd_var_log_t, ulogd_initrc_exec_t; ++ type ulogd_modules_t; ++ ') ++ ++ allow $1 ulogd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, ulogd_t) ++ ++ init_labeled_script_domtrans($1, ulogd_initrc_exec_t) ++ domain_system_change_exemption($1) ++ role_transition $2 ulogd_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ files_search_etc($1) ++ admin_pattern($1, ulogd_etc_t) ++ ++ logging_list_logs($1) ++ admin_pattern($1, ulogd_var_log_t) ++ ++ files_search_usr($1) ++ admin_pattern($1, ulogd_modules_t) ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.te serefpolicy-3.5.13/policy/modules/services/ulogd.te +--- nsaserefpolicy/policy/modules/services/ulogd.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/ulogd.te 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,54 @@ ++policy_module(ulogd,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type ulogd_t; ++type ulogd_exec_t; ++init_daemon_domain(ulogd_t, ulogd_exec_t) ++ ++type ulogd_initrc_exec_t; ++init_script_file(ulogd_initrc_exec_t) ++ ++# /usr/lib files ++type ulogd_modules_t; ++files_type(ulogd_modules_t) ++ ++# config files ++type ulogd_etc_t; ++files_type(ulogd_etc_t) ++ ++# log files ++type ulogd_var_log_t; ++logging_log_file(ulogd_var_log_t) ++ ++######################################## ++ ++# ++# ulogd local policy ++# ++ ++allow ulogd_t self:capability net_admin; ++allow ulogd_t self:netlink_nflog_socket create_socket_perms; ++ ++# config files ++read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t) ++ ++# modules for ulogd ++list_dirs_pattern(ulogd_t,ulogd_modules_t,ulogd_modules_t) ++mmap_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t) ++ ++# log files ++manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t) 
++logging_log_filetrans(ulogd_t,ulogd_var_log_t, file )
++
++files_search_etc(ulogd_t)
++
++libs_use_ld_so(ulogd_t)
++libs_use_shared_libs(ulogd_t)
++
++miscfiles_read_localization(ulogd_t)
++
++permissive ulogd_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.5.13/policy/modules/services/virt.fc
 --- nsaserefpolicy/policy/modules/services/virt.fc 2008-10-17 08:49:11.000000000 -0400
 +++ serefpolicy-3.5.13/policy/modules/services/virt.fc 2008-11-11 16:22:03.000000000 -0500
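Review bot: `permissive ulogd_t;` at the end of ulogd.te ships the new domain with enforcement switched off and carries no comment saying this is a bring-up measure, so denials for ulogd_t will only be logged and the line is easy to forget; add `# TODO(review): remove once ulogd_t has been validated in enforcing mode` directly above it, or drop it before the module is released. In ulogd_admin the role parameter text `The role to be allowed to manage the syslog domain.` is copied from another module and should read `The role to be allowed to manage the ulogd domain.` Argument spacing in ulogd.te is inconsistent: `list_dirs_pattern(ulogd_t,ulogd_modules_t,ulogd_modules_t)` and `logging_log_filetrans(ulogd_t,ulogd_var_log_t, file )` sit next to `mmap_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)`, which uses the `, ` separator the rest of the file follows.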
@@ -24723,6 +28002,108 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow zebra_t self:unix_dgram_socket create_socket_perms; allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow zebra_t self:netlink_route_socket rw_netlink_socket_perms; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.fc serefpolicy-3.5.13/policy/modules/services/zosremote.fc +--- nsaserefpolicy/policy/modules/services/zosremote.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/zosremote.fc 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,2 @@ ++ ++/sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.if serefpolicy-3.5.13/policy/modules/services/zosremote.if +--- nsaserefpolicy/policy/modules/services/zosremote.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/zosremote.if 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,52 @@ ++## policy for z/OS Remote-services Audit dispatcher plugin ++ ++######################################## ++## ++## Execute a domain transition to run audispd-zos-remote. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`zos_remote_domtrans',` ++ gen_require(` ++ type zos_remote_t; ++ type zos_remote_exec_t; ++ ') ++ ++ domtrans_pattern($1, zos_remote_exec_t, zos_remote_t) ++') ++ ++######################################## ++## ++## Allow specified type and role to transition and ++## run in the zos_remote_t domain. Allow specified type ++## to use zos_remote_t terminal. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the zos_remote domain. ++## ++## ++## ++## ++## The type of the role's terminal. 
++## ++## ++# ++interface(`zos_remote_run',` ++ gen_require(` ++ type zos_remote_t; ++ ') ++ ++ zos_remote_domtrans($1) ++ role $2 types zos_remote_t; ++ dontaudit zos_remote_t $3:chr_file rw_term_perms; ++') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zosremote.te serefpolicy-3.5.13/policy/modules/services/zosremote.te +--- nsaserefpolicy/policy/modules/services/zosremote.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/zosremote.te 2008-11-11 16:22:03.000000000 -0500 +@@ -0,0 +1,36 @@ ++policy_module(zosremote,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type zos_remote_t; ++type zos_remote_exec_t; ++logging_dispatcher_domain(zos_remote_t, zos_remote_exec_t) ++ ++init_system_domain(zos_remote_t, zos_remote_exec_t) ++ ++role system_r types zos_remote_t; ++ ++ ++######################################## ++# ++# zos_remote local policy ++# ++ ++allow zos_remote_t self:fifo_file rw_file_perms; ++allow zos_remote_t self:unix_stream_socket create_stream_socket_perms; ++ ++allow zos_remote_t self:process signal; ++ ++files_read_etc_files(zos_remote_t) ++ ++auth_use_nsswitch(zos_remote_t); ++ ++libs_use_ld_so(zos_remote_t) ++libs_use_shared_libs(zos_remote_t) ++ ++miscfiles_read_localization(zos_remote_t) ++ ++logging_send_syslog_msg(zos_remote_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.5.13/policy/modules/system/application.te --- nsaserefpolicy/policy/modules/system/application.te 2008-10-17 08:49:13.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/system/application.te 2008-11-11 16:22:03.000000000 -0500 
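Review bot: The new zosremote.te grants zos_remote_t no network rules at all, yet the binary it confines (`/sbin/audispd-zos-remote`, described in zosremote.if as a "z/OS Remote-services Audit dispatcher plugin") presumably has to reach a remote host; if that works in testing it is only through whatever `auth_use_nsswitch(zos_remote_t)` happens to pull in, which is an implicit dependency worth recording rather than relying on. I would add above that call `# no outbound network access is granted here; confirm with an audit run whether the z/OS connection needs explicit corenet rules` and add the proper port rules once the protocol is known. Also `auth_use_nsswitch(zos_remote_t);` carries a trailing semicolon while every other interface call in the file does not; refpolicy style is `auth_use_nsswitch(zos_remote_t)`. Unlike ulogd_t earlier in this patch, zos_remote_t is not marked permissive, so any rule missing here surfaces as a hard denial of the audit dispatcher.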
@@ -24770,7 +28151,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.5.13/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/authlogin.if 2008-11-11 16:22:03.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/system/authlogin.if 2008-11-13 18:30:27.000000000 -0500 @@ -56,10 +56,6 @@ miscfiles_read_localization($1_chkpwd_t) @@ -24961,7 +28342,40 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1447,6 +1511,10 @@ +@@ -1175,6 +1239,32 @@ + + ######################################## + ## ++## rw all files on the filesystem, except ++## the shadow passwords and listed exceptions. ++## ++## ++## ++## The type of the domain perfoming this action. ++## ++## ++## ++## ++## The types to be excluded. Each type or attribute ++## must be negated by the caller. ++## ++## ++# ++ ++interface(`auth_rw_all_files_except_shadow',` ++ gen_require(` ++ type shadow_t; ++ ') ++ ++ files_rw_all_files($1,$2 -shadow_t) ++') ++ ++######################################## ++## + ## Manage all files on the filesystem, except + ## the shadow passwords and listed exceptions. + ## +@@ -1447,6 +1537,10 @@ ') optional_policy(` @@ -24972,7 +28386,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol nis_use_ypbind($1) ') -@@ -1457,6 +1525,7 @@ +@@ -1457,6 +1551,7 @@ optional_policy(` samba_stream_connect_winbind($1) samba_read_var_files($1) 
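Review bot: The new `auth_rw_all_files_except_shadow` excludes only `shadow_t`, so unless `files_rw_all_files` itself filters `security_file_type` (not visible here) a caller gets write access to every other `file_type`, policy and configuration files included; the `<desc>` should say so, because the one caller visible in this patch (mount_t) is gated on a boolean that users flip casually. I would extend the summary to `## rw all files on the filesystem, except the shadow passwords and listed exceptions. This grants write to every other file_type; callers should be wrapped in a tunable.` The parameter text has a typo, `perfoming` should read `performing`, and the blank line between `#` and `interface(` departs from the layout the other interfaces in this file use.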
@@ -24980,7 +28394,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1491,3 +1560,59 @@ +@@ -1491,3 +1586,79 @@ typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -25022,6 +28436,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + rw_files_pattern($1, auth_cache_t, auth_cache_t) +') ++ +######################################## +## +## Manage authentication cache @@ -25040,6 +28455,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + manage_files_pattern($1, auth_cache_t, auth_cache_t) +') ++ ++####################################### ++## ++## Automatic transition from cache_t to cache. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`auth_filetrans_cache',` ++ gen_require(` ++ type auth_cache_t; ++ ') ++ ++ files_var_filetrans($1,auth_cache_t,file) ++') ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.5.13/policy/modules/system/authlogin.te --- nsaserefpolicy/policy/modules/system/authlogin.te 2008-10-17 08:49:13.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/system/authlogin.te 2008-11-11 16:22:03.000000000 -0500 @@ -25835,7 +29269,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow iscsid_t iscsi_tmp_t:dir manage_dir_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.13/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2008-11-13 08:39:45.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2008-11-13 18:36:50.000000000 -0500 @@ -60,12 +60,15 @@ # # /opt 
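Review bot: The summary on the new `auth_filetrans_cache` interface, `Automatic transition from cache_t to cache.`, does not describe what the body does: `files_var_filetrans($1,auth_cache_t,file)` makes every file $1 creates in a `var_t` directory come out as `auth_cache_t`, and no `cache_t` is involved; at this policy version there is no name-based transition to narrow it, so the scope is any var_t directory the caller writes into, not just the `/var/cache/coolkey` tree labelled earlier in this patch. I would write `## Create files in var_t directories as auth_cache_t (used for /var/cache/coolkey).` plus a one-sentence `<desc>` warning that the transition applies to anything the caller creates under var_t. The parameter text `Domain allowed access.` should also say this is the creating domain.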
@@ -25940,7 +29374,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') dnl end distro_redhat # -@@ -310,3 +330,20 @@ +@@ -310,3 +330,19 @@ /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) @@ -25959,7 +29393,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/usr/lib(64)?/libav.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/sse2/libav.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/sse2/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.5.13/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2008-10-17 08:49:13.000000000 -0400 @@ -26619,7 +30052,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol samba_run_smbmount($1, $2, $3) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.5.13/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/mount.te 2008-11-11 16:22:03.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/system/mount.te 2008-11-13 18:00:51.000000000 -0500 @@ -18,17 +18,18 @@ init_system_domain(mount_t,mount_exec_t) role system_r types mount_t; 
@@ -26728,15 +30161,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_redhat',` optional_policy(` -@@ -138,6 +153,7 @@ +@@ -136,7 +151,7 @@ + + tunable_policy(`allow_mount_anyfile',` auth_read_all_dirs_except_shadow(mount_t) - auth_read_all_files_except_shadow(mount_t) +- auth_read_all_files_except_shadow(mount_t) ++ auth_rw_all_files_except_shadow(mount_t) files_mounton_non_security(mount_t) -+ files_rw_all_files(mount_t) ') - optional_policy(` -@@ -167,6 +183,8 @@ +@@ -167,6 +182,8 @@ fs_search_rpc(mount_t) rpc_stub(mount_t) @@ -26745,7 +30179,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -181,6 +199,11 @@ +@@ -181,6 +198,11 @@ ') ') @@ -26757,7 +30191,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) -@@ -188,6 +211,7 @@ +@@ -188,6 +210,7 @@ optional_policy(` samba_domtrans_smbmount(mount_t) @@ -26765,7 +30199,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -198,4 +222,26 @@ +@@ -198,4 +221,26 @@ optional_policy(` files_etc_filetrans_etc_runtime(unconfined_mount_t,file) unconfined_domain(unconfined_mount_t) @@ -27672,7 +31106,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.5.13/policy/modules/system/sysnetwork.if --- nsaserefpolicy/policy/modules/system/sysnetwork.if 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.if 2008-11-11 16:22:03.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.if 2008-11-13 17:40:46.000000000 -0500 
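Review bot: With `auth_rw_all_files_except_shadow(mount_t)` replacing the read-only call inside the `allow_mount_anyfile` tunable_policy block, the boolean now hands mount_t write access to every non-shadow file rather than only the ability to mount or read it, and nothing in the hunk says why; if the boolean's description (outside this hunk) only speaks of mounting, it now understates the grant. I would add above the call `# rw, not just read: loop-mounting an image file read/write needs write on the backing file; shadow_t stays excluded`. It is good that this replaces the previous `files_rw_all_files(mount_t)`, which excluded nothing.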
@@ -553,6 +553,7 @@ type net_conf_t; ') @@ -27681,7 +31115,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1 self:tcp_socket create_socket_perms; allow $1 self:udp_socket create_socket_perms; -@@ -569,6 +570,10 @@ +@@ -569,6 +570,14 @@ files_search_etc($1) allow $1 net_conf_t:file read_file_perms; @@ -27689,10 +31123,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + optional_policy(` + avahi_stream_connect($1) + ') ++ ++ optional_policy(` ++ nscd_socket_use($1) ++ ') ') ######################################## -@@ -598,6 +603,8 @@ +@@ -598,6 +607,8 @@ files_search_etc($1) allow $1 net_conf_t:file read_file_perms; @@ -27701,7 +31139,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -632,3 +639,49 @@ +@@ -632,3 +643,49 @@ files_search_etc($1) allow $1 net_conf_t:file read_file_perms; ') @@ -27753,7 +31191,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.5.13/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.te 2008-11-11 16:22:03.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.te 2008-11-13 17:41:30.000000000 -0500 @@ -20,6 +20,9 @@ init_daemon_domain(dhcpc_t,dhcpc_exec_t) role system_r types dhcpc_t; @@ -27917,7 +31355,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(ifconfig_t) -@@ -335,6 +355,14 @@ +@@ -300,6 +320,8 @@ + + seutil_use_runinit_fds(ifconfig_t) + ++sysnet_dns_name_resolve(ifconfig_t) ++ + userdom_use_all_users_fds(ifconfig_t) + + ifdef(`distro_ubuntu',` +@@ -335,6 +357,14 @@ ') optional_policy(` 
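Review bot: `sysnet_dns_name_resolve(ifconfig_t)` in the `@@ -300,6 +320,8 @@` hunk gives the interface-configuration domain tcp and udp socket creation plus, through the optional blocks this same patch adds to what appears to be that interface, connections to the avahi and nscd sockets, and the hunk records no reason. If the trigger was a hostname argument to ifconfig/ip being resolved through nss, say so: `# ifconfig/ip resolve hostname arguments via nss (dns, plus nscd/avahi when present)`; if the denial was only for reading resolver configuration, the narrower `sysnet_read_config(ifconfig_t)` may be all that is needed. The enclosing ifconfig_t rule block starts and ends outside this hunk.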
@@ -31725,7 +35172,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.5.13/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/xen.te 2008-11-11 16:22:03.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/system/xen.te 2008-11-13 14:38:02.000000000 -0500 @@ -6,6 +6,13 @@ # Declarations # @@ -31925,12 +35372,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol init_rw_script_stream_sockets(xm_t) init_use_fds(xm_t) -@@ -360,6 +397,23 @@ +@@ -358,8 +395,25 @@ - sysnet_read_config(xm_t) + miscfiles_read_localization(xm_t) -+sysadm_dontaudit_search_home_dirs(xm_t) +-sysnet_read_config(xm_t) ++sysnet_dns_name_resolve(xm_t) + ++sysadm_dontaudit_search_home_dirs(xm_t) + xen_append_log(xm_t) xen_stream_connect(xm_t) xen_stream_connect_xenstore(xm_t)