diff --git a/booleans-targeted.conf b/booleans-targeted.conf index 67579c4..2f6490c 100644 --- a/booleans-targeted.conf +++ b/booleans-targeted.conf @@ -254,6 +254,7 @@ allow_unconfined_nsplugin_transition=true # System uses init upstart program # init_upstart = true +init_systemd = true # Allow mount to mount any file/dir # diff --git a/policy-F14.patch b/policy-F14.patch index 241cf07..868dd23 100644 --- a/policy-F14.patch +++ b/policy-F14.patch @@ -448,7 +448,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwat ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.8.7/policy/modules/admin/consoletype.te --- nsaserefpolicy/policy/modules/admin/consoletype.te 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/admin/consoletype.te 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/admin/consoletype.te 2010-07-15 11:17:56.000000000 -0400 @@ -85,6 +85,7 @@ hal_dontaudit_rw_pipes(consoletype_t) hal_dontaudit_rw_dgram_sockets(consoletype_t) @@ -5637,8 +5637,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepathy.te serefpolicy-3.8.7/policy/modules/apps/telepathy.te --- nsaserefpolicy/policy/modules/apps/telepathy.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.7/policy/modules/apps/telepathy.te 2010-07-14 14:08:02.000000000 -0400 -@@ -0,0 +1,302 @@ ++++ serefpolicy-3.8.7/policy/modules/apps/telepathy.te 2010-07-15 15:59:08.000000000 -0400 +@@ -0,0 +1,309 @@ + +policy_module(telepathy, 1.0.0) + @@ -5708,6 +5708,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath + +kernel_read_system_state(telepathy_msn_t) + ++auth_use_nsswitch(telepathy_msn_t) ++ +logging_send_syslog_msg(telepathy_msn_t) + +miscfiles_read_certs(telepathy_msn_t) 
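Review bot: The added `init_systemd = true` sits under the comment `# System uses init upstart program` and directly beside `init_upstart = true`, so the targeted defaults now turn on both init booleans while the comment describes only one. If running with both enabled is intended (init.if later in this same patch gates several rules on `init_upstart || init_systemd`, so it may be), update the comment to say so: `# System uses upstart or systemd as init; both booleans default on`. Note that the init.if change to the interface at inner line 105 drops its init_t domain transition whenever init_systemd is on, so this default is not cosmetic on targeted systems and is worth confirming against that hunk.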
@@ -5799,6 +5801,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath +userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, { dir file }) +userdom_search_user_home_dirs(telepathy_mission_control_t) + ++dev_read_rand(telepathy_mission_control_t) ++ +files_read_etc_files(telepathy_mission_control_t) +files_read_usr_files(telepathy_mission_control_t) + @@ -5812,6 +5816,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath + fs_manage_cifs_files(telepathy_mission_control_t) +') + ++auth_use_nsswitch(telepathy_mission_control_t) ++ +# ~/.cache/.mc_connections. +optional_policy(` + manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t) @@ -5821,6 +5827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath +optional_policy(` + gnome_read_gconf_home_files(telepathy_mission_control_t) + gnome_setattr_cache_home_dir(telepathy_mission_control_t) ++ gnome_read_generic_cache_files(telepathy_mission_control_t) +') + +####################################### @@ -6520,7 +6527,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.8.7/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2010-06-08 10:35:48.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/kernel/devices.if 2010-07-14 16:39:53.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/kernel/devices.if 2010-07-15 15:55:56.000000000 -0400 @@ -606,6 +606,24 @@ ######################################## 
@@ -7025,7 +7032,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.8.7/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/kernel/files.if 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/kernel/files.if 2010-07-15 15:49:30.000000000 -0400 @@ -1053,10 +1053,8 @@ relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -7550,7 +7557,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. typealias etc_runtime_t alias firstboot_rw_t; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.8.7/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-07-14 11:21:53.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/kernel/filesystem.if 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/kernel/filesystem.if 2010-07-15 16:01:12.000000000 -0400 @@ -1233,7 +1233,7 @@ type cifs_t; ') @@ -7586,7 +7593,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ####################################### ## ## Create, read, write, and delete dirs -@@ -1923,6 +1942,25 @@ +@@ -1923,6 +1942,43 @@ ######################################## ## 
@@ -7609,10 +7616,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy + +######################################## +## ++## Manage hugetlbfs dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_manage_hugetlbfs_dirs',` ++ gen_require(` ++ type hugetlbfs_t; ++ ') ++ ++ manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) ++') ++ ++######################################## ++## ## Read and write hugetlbfs files. ## ## -@@ -1991,6 +2029,7 @@ +@@ -1991,6 +2047,7 @@ ') allow $1 inotifyfs_t:dir list_dir_perms; @@ -7620,7 +7645,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -2387,6 +2426,25 @@ +@@ -2387,6 +2444,25 @@ ######################################## ## @@ -7646,7 +7671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Append files ## on a NFS filesystem. ## -@@ -2441,7 +2499,7 @@ +@@ -2441,7 +2517,7 @@ type nfs_t; ') @@ -7655,7 +7680,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ') ######################################## -@@ -2629,6 +2687,24 @@ +@@ -2629,6 +2705,24 @@ ######################################## ## @@ -7680,7 +7705,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Read removable storage symbolic links. ## ## -@@ -2837,7 +2913,7 @@ +@@ -2837,7 +2931,7 @@ ######################################### ## ## Create, read, write, and delete symbolic links @@ -7689,7 +7714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## ## ## -@@ -3962,6 +4038,24 @@ +@@ -3962,6 +4056,24 @@ ######################################## ## 
@@ -7714,7 +7739,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4654,3 +4748,24 @@ +@@ -4654,3 +4766,24 @@ typeattribute $1 filesystem_unconfined_type; ') @@ -10400,7 +10425,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.te serefpolicy-3.8.7/policy/modules/services/aisexec.te --- nsaserefpolicy/policy/modules/services/aisexec.te 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/services/aisexec.te 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/aisexec.te 2010-07-15 10:03:26.000000000 -0400 +@@ -32,7 +32,7 @@ + # aisexec local policy + # + +-allow aisexec_t self:capability { sys_nice sys_resource ipc_lock }; ++allow aisexec_t self:capability { sys_nice sys_resource ipc_lock ipc_owner }; + allow aisexec_t self:process { setrlimit setsched signal }; + allow aisexec_t self:fifo_file rw_fifo_file_perms; + allow aisexec_t self:sem create_sem_perms; @@ -97,3 +97,6 @@ rhcs_rw_groupd_semaphores(aisexec_t) rhcs_rw_groupd_shm(aisexec_t) @@ -10463,7 +10497,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.8.7/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2010-04-06 15:15:38.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/services/apache.if 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/apache.if 2010-07-15 12:58:21.000000000 -0400 @@ -13,17 +13,13 @@ # template(`apache_content_template',` 
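Review bot: In the aisexec.te inner hunk at @@ -32, `ipc_owner` is added to aisexec_t's self:capability set with no comment saying which operation needed it; CAP_IPC_OWNER overrides ownership checks on every SysV IPC object, which is broader than the `rhcs_rw_groupd_shm`/`rhcs_rw_groupd_semaphores` rules visible further down. Presumably it was driven by a specific denial on a shm or semaphore owned by another uid; record that next to the rule so the grant can be re-evaluated later, e.g. `# ipc_owner: <operation that failed> — see <bug/denial placeholder>`.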
@@ -12297,7 +12331,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cert ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgroup.te serefpolicy-3.8.7/policy/modules/services/cgroup.te --- nsaserefpolicy/policy/modules/services/cgroup.te 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/services/cgroup.te 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/cgroup.te 2010-07-15 12:56:38.000000000 -0400 @@ -18,8 +18,8 @@ type cgrules_etc_t; files_config_file(cgrules_etc_t) @@ -12309,6 +12343,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cgro init_daemon_domain(cgconfig_t, cgconfig_exec_t) type cgconfig_initrc_exec_t; +@@ -53,7 +53,7 @@ + # cgred personal policy. + # + +-allow cgred_t self:capability { net_admin sys_ptrace dac_override }; ++allow cgred_t self:capability { net_admin sys_admin sys_ptrace dac_override }; + allow cgred_t self:netlink_socket { write bind create read }; + allow cgred_t self:unix_dgram_socket { write create connect }; + +@@ -65,6 +65,7 @@ + kernel_read_system_state(cgred_t) + + domain_read_all_domains_state(cgred_t) ++domain_setpriority_all_domains(cgred_t) + + files_getattr_all_files(cgred_t) + files_getattr_all_sockets(cgred_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chronyd.if serefpolicy-3.8.7/policy/modules/services/chronyd.if --- nsaserefpolicy/policy/modules/services/chronyd.if 2010-03-29 15:04:22.000000000 -0400 +++ serefpolicy-3.8.7/policy/modules/services/chronyd.if 2010-07-14 14:08:02.000000000 -0400 
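Review bot: In the cgroup.te inner hunk at @@ -53, `sys_admin` is added to cgred_t's self:capability set without a comment, and the same outer hunk also grants `domain_setpriority_all_domains(cgred_t)`. sys_admin is the catch-all capability, so a reader cannot tell whether it was needed for one specific cgroup operation or is covering an unidentified denial. Note the motivating operation beside the rule, e.g. `# sys_admin: needed for <syscall that was denied> — check whether a narrower permission covers it`, so a later audit can decide whether it is still required.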
@@ -14032,7 +14083,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru snmp_stream_connect(cyrus_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.8.7/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2010-05-25 16:28:22.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/services/dbus.if 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/dbus.if 2010-07-15 15:51:55.000000000 -0400 @@ -42,8 +42,10 @@ gen_require(` class dbus { send_msg acquire_svc }; @@ -14097,8 +14148,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) files_search_var_lib($1) -@@ -436,8 +447,17 @@ +@@ -434,10 +445,21 @@ + dbus_system_bus_client($1) + dbus_connect_system_bus($1) ++ init_stream_connect($1) ++ ps_process_pattern(system_dbusd_t, $1) + userdom_dontaudit_search_admin_dir($1) @@ -14490,7 +14545,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.8.7/policy/modules/services/exim.te --- nsaserefpolicy/policy/modules/services/exim.te 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/services/exim.te 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/exim.te 2010-07-15 14:20:14.000000000 -0400 @@ -35,6 +35,9 @@ application_executable_file(exim_exec_t) mta_agent_executable(exim_exec_t) 
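Review bot: In the dbus.if inner hunk at @@ -434, `ps_process_pattern(system_dbusd_t, $1)` gives the system bus daemon read access to the process state of every domain declared through this interface, and `init_stream_connect($1)` lets each such domain connect to init's stream socket; the interface header is outside the hunk, but the surrounding `dbus_system_bus_client($1)`/`dbus_connect_system_bus($1)` calls suggest it is the generic system-bus-domain template. Both are fan-out grants applied to every caller rather than one domain, so each deserves a one-line why-comment, e.g. `# dbusd reads /proc/<pid> of bus service domains — presumably for credential lookups; confirm` and `# service domains talk to init over its stream socket (systemd); confirm`.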
@@ -14512,6 +14567,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim tunable_policy(`exim_can_connect_db',` mysql_stream_connect(exim_t) ') +@@ -184,6 +191,7 @@ + + optional_policy(` + procmail_domtrans(exim_t) ++ procmail_read_home_files(exim_t) + ') + + optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.8.7/policy/modules/services/fail2ban.if --- nsaserefpolicy/policy/modules/services/fail2ban.if 2010-03-18 06:48:09.000000000 -0400 +++ serefpolicy-3.8.7/policy/modules/services/fail2ban.if 2010-07-14 14:08:02.000000000 -0400 @@ -17379,6 +17442,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') ######################################## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-3.8.7/policy/modules/services/nis.fc +--- nsaserefpolicy/policy/modules/services/nis.fc 2010-05-25 16:28:22.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/nis.fc 2010-07-15 10:01:15.000000000 -0400 +@@ -11,6 +11,7 @@ + + /usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0) + /usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0) ++/usr/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0) + /usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0) + + /var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.8.7/policy/modules/services/nscd.if --- nsaserefpolicy/policy/modules/services/nscd.if 2009-09-16 09:09:20.000000000 -0400 +++ serefpolicy-3.8.7/policy/modules/services/nscd.if 2010-07-14 14:08:02.000000000 -0400 
@@ -18945,6 +19019,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc /usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.if serefpolicy-3.8.7/policy/modules/services/procmail.if +--- nsaserefpolicy/policy/modules/services/procmail.if 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/procmail.if 2010-07-15 14:20:39.000000000 -0400 +@@ -77,3 +77,23 @@ + files_search_tmp($1) + rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t) + ') ++ ++######################################## ++## ++## Read procmail home directory content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`procmail_read_home_files',` ++ gen_require(` ++ type procmail_home_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ read_files_pattern($1, procmail_home_t, procmail_home_t) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.8.7/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2010-06-18 13:07:19.000000000 -0400 +++ serefpolicy-3.8.7/policy/modules/services/procmail.te 2010-07-14 14:08:02.000000000 -0400 
@@ -20418,6 +20519,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtki ## Allow rtkit to control scheduling for your process ## ## +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit.te serefpolicy-3.8.7/policy/modules/services/rtkit.te +--- nsaserefpolicy/policy/modules/services/rtkit.te 2010-06-18 13:07:19.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/rtkit.te 2010-07-15 14:47:12.000000000 -0400 +@@ -8,6 +8,7 @@ + type rtkit_daemon_t; + type rtkit_daemon_exec_t; + dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t) ++init_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t) + + ######################################## + # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.8.7/policy/modules/services/samba.fc --- nsaserefpolicy/policy/modules/services/samba.fc 2009-07-29 15:15:33.000000000 -0400 +++ serefpolicy-3.8.7/policy/modules/services/samba.fc 2010-07-14 14:08:02.000000000 -0400 @@ -22453,7 +22565,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.8.7/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2010-07-14 11:21:53.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/services/virt.te 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/virt.te 2010-07-15 16:01:57.000000000 -0400 @@ -4,6 +4,7 @@ # # Declarations @@ -22630,7 +22742,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt files_read_kernel_modules(virtd_t) files_read_usr_src_files(virtd_t) -files_manage_etc_files(virtd_t) -+ ++ +# Manages /etc/sysconfig/system-config-firewall +files_manage_system_conf_files(virtd_t) +files_manage_system_conf_files(virtd_t) 
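Review bot: In the virt.te hunk at @@ -22630, `files_manage_system_conf_files(virtd_t)` appears twice in a row immediately after the `# Manages /etc/sysconfig/system-config-firewall` comment; this commit only rewrites the blank line above it, but since the hunk is being touched anyway the duplicate should go. A repeated rule is harmless to the compiled policy, yet it reads like a merge artefact and makes the next reviewer wonder whether a different interface was meant.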
@@ -22638,10 +22750,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt fs_list_auto_mountpoints(virtd_t) fs_getattr_xattr_fs(virtd_t) -@@ -263,6 +300,15 @@ +@@ -262,6 +299,17 @@ + fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) fs_rw_cgroup_files(virtd_t) - ++fs_manage_hugetlbfs_dirs(virtd_t) ++fs_rw_hugetlbfs_files(virtd_t) ++ +mls_fd_share_all_levels(virtd_t) +mls_file_read_to_clearance(virtd_t) +mls_file_write_to_clearance(virtd_t) @@ -22650,11 +22765,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt +mls_socket_write_to_clearance(virtd_t) +mls_socket_read_to_clearance(virtd_t) +mls_rangetrans_source(virtd_t) -+ + mcs_process_set_categories(virtd_t) - storage_manage_fixed_disk(virtd_t) -@@ -286,15 +332,22 @@ +@@ -286,15 +334,22 @@ logging_send_syslog_msg(virtd_t) @@ -22677,7 +22791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -365,6 +418,7 @@ +@@ -365,6 +420,7 @@ qemu_signal(virtd_t) qemu_kill(virtd_t) qemu_setsched(virtd_t) @@ -22685,7 +22799,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') optional_policy(` -@@ -402,6 +456,19 @@ +@@ -402,6 +458,19 @@ allow virt_domain self:unix_dgram_socket { create_socket_perms sendto }; allow virt_domain self:tcp_socket create_stream_socket_perms; @@ -22705,7 +22819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt append_files_pattern(virt_domain, virt_log_t, virt_log_t) append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -@@ -422,6 +489,7 @@ +@@ -422,6 +491,7 @@ corenet_tcp_bind_virt_migration_port(virt_domain) corenet_tcp_connect_virt_migration_port(virt_domain) 
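Review bot: `fs_manage_hugetlbfs_dirs(virtd_t)` and `fs_rw_hugetlbfs_files(virtd_t)` in the virt.te hunk at @@ -22638 carry no comment, and the first one depends on the `fs_manage_hugetlbfs_dirs` interface this same patch introduces in filesystem.if, so the two hunks must land together. A short why-comment would help readers who do not know libvirt's hugepage handling, e.g. `# hugetlbfs: presumably for hugepage-backed guest memory — confirm`.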
@@ -22713,7 +22827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -429,6 +497,7 @@ +@@ -429,6 +499,7 @@ dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -22721,7 +22835,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt domain_use_interactive_fds(virt_domain) -@@ -440,6 +509,11 @@ +@@ -440,6 +511,11 @@ fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -22733,7 +22847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt term_use_all_terms(virt_domain) term_getattr_pty_fs(virt_domain) -@@ -457,8 +531,120 @@ +@@ -457,8 +533,120 @@ ') optional_policy(` @@ -23621,7 +23735,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.8.7/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2010-07-14 11:21:53.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/services/xserver.te 2010-07-14 14:54:05.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/services/xserver.te 2010-07-15 16:02:17.000000000 -0400 @@ -35,6 +35,13 @@ ## @@ -23937,7 +24051,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -322,32 +435,53 @@ +@@ -322,32 +435,55 @@ allow xdm_t xdm_lock_t:file manage_file_perms; files_lock_filetrans(xdm_t, xdm_lock_t, file) @@ -23967,6 +24081,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +fs_list_inotifyfs(xdm_t) +fs_read_noxattr_fs_files(xdm_t) +fs_dontaudit_list_fusefs(xdm_t) ++fs_manage_cgroup_dirs(xdm_t) ++fs_rw_cgroup_files(xdm_t) + +manage_files_pattern(xdm_t, user_fonts_t, user_fonts_t) + 
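Review bot: `fs_manage_cgroup_dirs(xdm_t)` and `fs_rw_cgroup_files(xdm_t)` in the xserver.te hunk at @@ -23967 let the display manager create and delete cgroup directories and write cgroup control files, a privilege usually held by init or a cgroup daemon, and the hunk gives no reason. If this is tied to the systemd support added elsewhere in this patch (that seems plausible but is not stated), say so beside the rules: `# xdm manages per-session cgroups when running under systemd — confirm`.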
@@ -23996,7 +24112,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xdm_t xserver_t:unix_stream_socket connectto; allow xdm_t xserver_tmp_t:sock_file rw_sock_file_perms; -@@ -355,10 +489,13 @@ +@@ -355,10 +491,13 @@ # transition to the xdm xserver domtrans_pattern(xdm_t, xserver_exec_t, xserver_t) @@ -24010,7 +24126,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -367,15 +504,22 @@ +@@ -367,15 +506,22 @@ delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -24034,7 +24150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser corecmd_exec_shell(xdm_t) corecmd_exec_bin(xdm_t) -@@ -390,11 +534,14 @@ +@@ -390,11 +536,14 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -24049,7 +24165,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_read_rand(xdm_t) dev_read_sysfs(xdm_t) dev_getattr_framebuffer_dev(xdm_t) -@@ -402,6 +549,7 @@ +@@ -402,6 +551,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -24057,7 +24173,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -410,18 +558,22 @@ +@@ -410,18 +560,22 @@ dev_getattr_misc_dev(xdm_t) dev_setattr_misc_dev(xdm_t) dev_dontaudit_rw_misc(xdm_t) @@ -24083,7 +24199,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -432,9 +584,17 @@ +@@ -432,9 +586,17 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) 
@@ -24101,7 +24217,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -443,14 +603,19 @@ +@@ -443,14 +605,19 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -24121,7 +24237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -461,10 +626,12 @@ +@@ -461,10 +628,12 @@ logging_read_generic_logs(xdm_t) @@ -24136,7 +24252,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -473,6 +640,11 @@ +@@ -473,6 +642,11 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -24148,7 +24264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_rw_session(xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -504,11 +676,17 @@ +@@ -504,11 +678,17 @@ ') optional_policy(` @@ -24166,7 +24282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -516,12 +694,51 @@ +@@ -516,12 +696,51 @@ ') optional_policy(` @@ -24218,7 +24334,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser hostname_exec(xdm_t) ') -@@ -539,20 +756,63 @@ +@@ -539,20 +758,63 @@ ') optional_policy(` @@ -24284,7 +24400,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -561,7 +821,6 @@ +@@ -561,7 +823,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') 
@@ -24292,7 +24408,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -572,6 +831,10 @@ +@@ -572,6 +833,10 @@ ') optional_policy(` @@ -24303,7 +24419,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xfs_stream_connect(xdm_t) ') -@@ -596,10 +859,9 @@ +@@ -596,10 +861,9 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -24315,7 +24431,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; allow xserver_t self:sock_file read_sock_file_perms; -@@ -611,6 +873,18 @@ +@@ -611,6 +875,18 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -24334,7 +24450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -630,12 +904,19 @@ +@@ -630,12 +906,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -24356,7 +24472,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -669,7 +950,6 @@ +@@ -669,7 +952,6 @@ dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) 
@@ -24364,7 +24480,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -679,9 +959,12 @@ +@@ -679,9 +961,12 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -24378,7 +24494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -696,8 +979,13 @@ +@@ -696,8 +981,13 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -24392,7 +24508,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -719,11 +1007,14 @@ +@@ -719,11 +1009,14 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -24407,7 +24523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -775,12 +1066,28 @@ +@@ -775,12 +1068,28 @@ ') optional_policy(` @@ -24437,7 +24553,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser unconfined_domtrans(xserver_t) ') -@@ -804,10 +1111,10 @@ +@@ -804,10 +1113,10 @@ # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -24450,7 +24566,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -828,6 +1135,13 @@ +@@ -828,6 +1137,13 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) 
@@ -24464,7 +24580,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) -@@ -843,11 +1157,14 @@ +@@ -843,11 +1159,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -24481,7 +24597,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -993,3 +1310,33 @@ +@@ -993,3 +1312,33 @@ allow xserver_unconfined_type xextension_type:x_extension *; allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; @@ -25278,8 +25394,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f # /var diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.8.7/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2010-03-18 10:35:11.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/system/init.if 2010-07-14 14:08:02.000000000 -0400 -@@ -193,8 +193,10 @@ ++++ serefpolicy-3.8.7/policy/modules/system/init.if 2010-07-15 16:04:00.000000000 -0400 +@@ -105,7 +105,9 @@ + + role system_r types $1; + +- domtrans_pattern(init_t,$2,$1) ++ tunable_policy(`init_systemd',`', ` ++ domtrans_pattern(init_t,$2,$1) ++ ') + + ifdef(`hide_broken_symptoms',` + # RHEL4 systems seem to have a stray +@@ -193,8 +195,10 @@ gen_require(` attribute direct_run_init, direct_init, direct_init_entry; type initrc_t; @@ -25290,7 +25417,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') typeattribute $1 daemon; -@@ -205,6 +207,15 @@ +@@ -205,6 +209,17 @@ role system_r types $1; domtrans_pattern(initrc_t,$2,$1) 
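Review bot: In the init.if inner hunk at @@ -105 the existing `domtrans_pattern(init_t,$2,$1)` is wrapped as `tunable_policy(`init_systemd',`', ` domtrans_pattern(init_t,$2,$1) ')`, an empty true-branch with the rule demoted to the else-branch, so turning init_systemd on silently removes the init_t transition for every caller of this interface (its header is outside the hunk). That needs a comment stating why systemd must not transition here, and booleans-targeted.conf in this same commit defaults init_systemd to true, so the removal takes effect immediately on targeted systems. If the build accepts negated tunables, `tunable_policy(`!init_systemd',` domtrans_pattern(init_t,$2,$1) ')` would also read more clearly than the empty branch.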
@@ -25298,15 +25425,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i + allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms; + allow $1 initrc_transition_domain:fd use; + -+ tunable_policy(`init_upstart',` ++ tunable_policy(`init_upstart || init_systemd',` + # Handle upstart direct transition to a executable + domtrans_pattern(init_t,$2,$1) + allow init_t $1:process siginh; ++ allow $1 init_t:unix_stream_socket connectto; ++ allow $1 init_t:unix_dgram_socket sendto; + ') # daemons started from init will # inherit fds from init for the console -@@ -285,7 +296,7 @@ +@@ -285,7 +300,7 @@ type initrc_t; ') @@ -25315,25 +25444,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ifdef(`enable_mcs',` range_transition initrc_t $2:process $3; -@@ -338,6 +349,7 @@ +@@ -336,8 +351,10 @@ + # + interface(`init_system_domain',` gen_require(` ++ type init_t; type initrc_t; role system_r; + attribute initrc_transition_domain; ') application_domain($1,$2) -@@ -345,6 +357,9 @@ +@@ -345,6 +362,17 @@ role system_r types $1; domtrans_pattern(initrc_t,$2,$1) + allow initrc_t $1:process siginh; + allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms; + allow $1 initrc_transition_domain:fd use; ++ ++ tunable_policy(`init_systemd',` ++ # Handle upstart/systemd direct transition to a executable ++ domtrans_pattern(init_t,$2,$1) ++ allow init_t $1:process siginh; ++ allow $1 init_t:unix_stream_socket connectto; ++ allow $1 init_t:unix_dgram_socket sendto; ++ ') ifdef(`hide_broken_symptoms',` # RHEL4 systems seem to have a stray -@@ -353,6 +368,37 @@ +@@ -353,6 +381,37 @@ kernel_dontaudit_use_fds($1) ') ') @@ -25371,7 +25511,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -669,6 +715,8 @@ +@@ -669,12 +728,14 @@ type initctl_t; ') 
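Review bot: The init_daemon_domain hunk (inner @@ -193) guards its init_t transition and the new `connectto`/`sendto` rules with `init_upstart || init_systemd`, while the init_system_domain hunk (inner @@ -345) adds the same block guarded by `init_systemd` alone; the two interfaces now disagree on whether upstart gets the direct transition, which looks unintentional but may be deliberate. The comment in init_daemon_domain still reads `# Handle upstart direct transition to a executable` although the condition now covers systemd too, and should match the other hunk's `# Handle upstart/systemd direct transition to an executable`. Since this patch also introduces `init_stream_connect()`, the raw `allow $1 init_t:unix_stream_socket connectto;` in both blocks could call that interface for consistency.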
@@ -25380,7 +25520,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i dev_list_all_dev_nodes($1) allow $1 initctl_t:fifo_file rw_fifo_file_perms; -@@ -682,6 +730,8 @@ + init_exec($1) + +- tunable_policy(`init_upstart',` ++ tunable_policy(`init_upstart || init_systemd',` + gen_require(` + type init_t; + ') +@@ -682,6 +743,8 @@ # upstart uses a datagram socket instead of initctl pipe allow $1 self:unix_dgram_socket create_socket_perms; allow $1 init_t:unix_dgram_socket sendto; @@ -25389,7 +25536,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ') -@@ -754,18 +804,19 @@ +@@ -754,18 +817,19 @@ # interface(`init_spec_domtrans_script',` gen_require(` @@ -25413,7 +25560,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ') -@@ -781,23 +832,45 @@ +@@ -781,23 +845,45 @@ # interface(`init_domtrans_script',` gen_require(` @@ -25463,7 +25610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ## Execute a init script in a specified domain. ## ## -@@ -849,8 +922,10 @@ +@@ -849,8 +935,10 @@ interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -25474,7 +25621,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i domtrans_pattern($1, $2, initrc_t) files_search_etc($1) ') -@@ -1637,7 +1712,7 @@ +@@ -1637,7 +1725,7 @@ type initrc_var_run_t; ') @@ -25483,7 +25630,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i ') ######################################## -@@ -1712,3 +1787,56 @@ +@@ -1712,3 +1800,94 @@ ') corenet_udp_recvfrom_labeled($1, daemon) ') 
@@ -25540,9 +25687,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i + init_dontaudit_use_script_fds($1) +') + ++ ++######################################## ++## ++## Allow the specified domain to connect to ++## the init process with a unix socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_stream_connect',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:unix_stream_socket connectto; ++') ++ ++######################################## ++## ++## Allow the specified domain to read/write to ++## init with a unix domain stream sockets. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_rw_stream_sockets',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:unix_stream_socket rw_socket_perms; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.8.7/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2010-07-14 11:21:53.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/system/init.te 2010-07-14 16:30:09.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/system/init.te 2010-07-15 15:58:07.000000000 -0400 @@ -16,6 +16,27 @@ ## gen_tunable(init_upstart, false) @@ -25616,7 +25801,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # For /var/run/shutdown.pid. allow init_t init_var_run_t:file manage_file_perms; -@@ -120,12 +145,14 @@ +@@ -120,15 +145,19 @@ corecmd_exec_bin(init_t) dev_read_sysfs(init_t) 
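Review bot: The new `init_rw_stream_sockets` interface is documented as read/write to init's stream sockets but grants `rw_socket_perms`, which in refpolicy's permission sets is wider than read/write (it presumably also covers bind/connect/setopt/shutdown — verify against obj_perm_sets.spt). Either narrow the rule to what callers need, `allow $1 init_t:unix_stream_socket { read write getattr ioctl };`, or make the summary honest, e.g. "Allow the specified domain to use, configure and shut down init's unix stream sockets (rw_socket_perms)", so callers like the daemon-wide grant at the bottom of init.te know what they are handing out. The sibling `init_stream_connect` is fine as written.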
@@ -25629,9 +25814,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t domain_sigstop_all_domains(init_t) +domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) ++domain_read_all_domains_state(init_t) files_read_etc_files(init_t) -@@ -167,6 +194,8 @@ ++files_read_all_pids(init_t) + files_rw_generic_pids(init_t) + files_dontaudit_search_isid_type_dirs(init_t) + files_manage_etc_runtime_files(init_t) +@@ -167,6 +196,8 @@ miscfiles_read_localization(init_t) @@ -25640,7 +25830,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; ') -@@ -190,10 +219,23 @@ +@@ -177,7 +208,7 @@ + fs_tmpfs_filetrans(init_t, initctl_t, fifo_file) + ') + +-tunable_policy(`init_upstart',` ++tunable_policy(`init_upstart || init_systemd',` + corecmd_shell_domtrans(init_t, initrc_t) + ',` + # Run the shell in the sysadm role for single-user mode. +@@ -185,15 +216,48 @@ + sysadm_shell_domtrans(init_t) + ') + ++tunable_policy(`init_systemd',` ++ allow init_t self:netlink_kobject_uevent_socket create_socket_perms; ++ # Until systemd is fixed ++ allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write }; ++ ++ dev_write_kmsg(init_t) ++ dev_rw_autofs(init_t) ++ ++ files_mounton_all_mountpoints(init_t) ++ ++ fs_manage_cgroup_dirs(init_t) ++ fs_manage_tmpfs_dirs(init_t) ++ fs_mount_all_fs(init_t) ++ fs_list_auto_mountpoints(init_t) ++ fs_read_cgroup_files(init_t) ++ fs_write_cgroup_files(init_t) ++ ++ init_read_script_state(init_t) ++') ++ + optional_policy(` + auth_rw_login_records(init_t) ') optional_policy(` @@ -25664,7 +25888,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t nscd_socket_use(init_t) ') -@@ -211,7 +253,7 @@ +@@ -211,7 +275,7 @@ # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; 
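Review bot: `allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };` inside the new `tunable_policy(`init_systemd',` block lets every daemon domain read, write and reconfigure any socket init_t owns, of every socket class, and the only justification is `# Until systemd is fixed`. A workaround that broad should name what it covers and what it is meant to become, e.g. `# TODO(systemd): socket-activated daemons inherit init's listening socket; narrow to the socket classes actually passed once systemd is fixed (tracking bug: …)`, so it can be removed rather than fossilise. If the intent is only the inherited listening fd, the class set should be narrowed to those classes now; the daemon attribute is declared outside this hunk, so I cannot see which domains this reaches.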
@@ -25673,7 +25897,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -240,6 +282,7 @@ +@@ -240,6 +304,7 @@ allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -25681,7 +25905,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t can_exec(initrc_t, initrc_tmp_t) manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) -@@ -257,11 +300,22 @@ +@@ -257,11 +322,22 @@ kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -25704,7 +25928,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t corecmd_exec_all_executables(initrc_t) -@@ -297,11 +351,13 @@ +@@ -297,11 +373,13 @@ dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -25718,7 +25942,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -320,8 +376,10 @@ +@@ -320,8 +398,10 @@ files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -25730,7 +25954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -337,6 +395,8 @@ +@@ -337,6 +417,8 @@ files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) 
@@ -25739,7 +25963,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t fs_delete_cgroup_dirs(initrc_t) fs_list_cgroup_dirs(initrc_t) -@@ -350,6 +410,8 @@ +@@ -350,6 +432,8 @@ fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -25748,7 +25972,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -362,6 +424,7 @@ +@@ -362,6 +446,7 @@ mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -25756,7 +25980,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t selinux_get_enforce_mode(initrc_t) -@@ -393,13 +456,14 @@ +@@ -393,13 +478,14 @@ miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript @@ -25772,7 +25996,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t userdom_read_user_home_content_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such -@@ -472,7 +536,7 @@ +@@ -472,7 +558,7 @@ # Red Hat systems seem to have a stray # fd open from the initrd @@ -25781,7 +26005,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -518,6 +582,19 @@ +@@ -518,6 +604,19 @@ optional_policy(` bind_manage_config_dirs(initrc_t) bind_write_config(initrc_t) @@ -25801,7 +26025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -525,10 +602,17 @@ +@@ -525,10 +624,17 @@ rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') 
@@ -25819,7 +26043,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -543,6 +627,35 @@ +@@ -543,6 +649,35 @@ ') ') @@ -25855,7 +26079,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -555,6 +668,8 @@ +@@ -555,6 +690,8 @@ optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -25864,7 +26088,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -583,6 +698,11 @@ +@@ -571,6 +708,7 @@ + + optional_policy(` + cgroup_stream_connect(initrc_t) ++ domain_setpriority_all_domains(initrc_t) + ') + + optional_policy(` +@@ -583,6 +721,11 @@ ') optional_policy(` @@ -25876,7 +26108,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -599,6 +719,7 @@ +@@ -599,6 +742,7 @@ dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -25884,7 +26116,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` consolekit_dbus_chat(initrc_t) -@@ -700,7 +821,12 @@ +@@ -700,7 +844,12 @@ ') optional_policy(` @@ -25897,7 +26129,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -723,6 +849,10 @@ +@@ -723,6 +872,10 @@ ') optional_policy(` @@ -25908,7 +26140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -765,8 +895,6 @@ +@@ -765,8 +918,6 @@ # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) 
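Review bot: `domain_setpriority_all_domains(initrc_t)` is added inside the `optional_policy(` block that wraps `cgroup_stream_connect(initrc_t)`, so this kernel-layer permission silently disappears whenever the cgroup module is not built and reads as if it were cgroup-specific. If initrc_t needs to renice arbitrary domains regardless of cgroup, move it next to the unconditional `domain_sigchld_all_domains(initrc_t)` / `domain_read_all_domains_state(initrc_t)` rules earlier in this file; if it really is tied to cgroup, add a one-line comment saying why, e.g. `# cgroup classification daemon reprioritises services from the initscript`, hedged until confirmed.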
@@ -25917,7 +26149,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -779,10 +907,12 @@ +@@ -779,10 +930,12 @@ squid_manage_logs(initrc_t) ') @@ -25930,7 +26162,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -804,11 +934,19 @@ +@@ -804,11 +957,19 @@ ') optional_policy(` @@ -25951,7 +26183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -818,6 +956,25 @@ +@@ -818,6 +979,25 @@ optional_policy(` mono_domtrans(initrc_t) ') @@ -25977,7 +26209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t ') optional_policy(` -@@ -843,3 +1000,35 @@ +@@ -843,3 +1023,33 @@ optional_policy(` zebra_read_config(initrc_t) ') @@ -26010,9 +26242,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t + fail2ban_read_lib_files(daemon) +') + -+ifdef(`init_systemd', ` -+ allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write }; -+') ++init_rw_stream_sockets(daemon) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.8.7/policy/modules/system/ipsec.fc --- nsaserefpolicy/policy/modules/system/ipsec.fc 2010-03-18 06:48:09.000000000 -0400 +++ serefpolicy-3.8.7/policy/modules/system/ipsec.fc 2010-07-14 14:08:02.000000000 -0400 
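Review bot: `init_rw_stream_sockets(daemon)` at the bottom of init.te is unconditional, so on SysV and upstart systems every daemon gets rw_socket_perms on init_t's unix stream sockets, even though the companion `allow daemon init_t:socket_class_set …` rule earlier in this file is gated on `tunable_policy(`init_systemd',`. The `ifdef(`init_systemd', …)` guard it replaces appears never to have been satisfiable (init_systemd is a tunable, not an m4 define), which is presumably why it was swapped out, but the replacement should keep the gate: `tunable_policy(`init_systemd',` / `init_rw_stream_sockets(daemon)` / `')`. A short comment on why daemons need more than connectto here would also help, since the daemon attribute is declared outside this hunk.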
@@ -26403,7 +26633,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.8.7/policy/modules/system/iscsi.te --- nsaserefpolicy/policy/modules/system/iscsi.te 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/system/iscsi.te 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/system/iscsi.te 2010-07-15 11:02:25.000000000 -0400 @@ -76,6 +76,8 @@ dev_rw_sysfs(iscsid_t) @@ -26672,7 +26902,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall +/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.8.7/policy/modules/system/locallogin.te --- nsaserefpolicy/policy/modules/system/locallogin.te 2010-06-18 13:07:19.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/system/locallogin.te 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/system/locallogin.te 2010-07-15 15:53:52.000000000 -0400 @@ -32,9 +32,8 @@ # Local login local policy # @@ -26694,7 +26924,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall dev_dontaudit_getattr_apm_bios_dev(local_login_t) dev_dontaudit_setattr_apm_bios_dev(local_login_t) dev_dontaudit_read_framebuffer(local_login_t) -@@ -151,6 +152,12 @@ +@@ -125,6 +126,7 @@ + auth_domtrans_pam_console(local_login_t) + + init_dontaudit_use_fds(local_login_t) ++init_stream_connect(local_login_t) + + miscfiles_read_localization(local_login_t) + +@@ -151,6 +153,12 @@ fs_read_cifs_symlinks(local_login_t) ') @@ -26707,7 +26945,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall optional_policy(` alsa_domtrans(local_login_t) ') -@@ -180,7 +187,7 @@ +@@ -180,7 +188,7 @@ ') optional_policy(` 
@@ -26716,7 +26954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall ') optional_policy(` -@@ -197,9 +204,10 @@ +@@ -197,9 +205,10 @@ # Sulogin local policy # @@ -26728,7 +26966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall allow sulogin_t self:unix_dgram_socket create_socket_perms; allow sulogin_t self:unix_stream_socket create_stream_socket_perms; allow sulogin_t self:unix_dgram_socket sendto; -@@ -219,6 +227,7 @@ +@@ -219,6 +228,7 @@ files_dontaudit_search_isid_type_dirs(sulogin_t) auth_read_shadow(sulogin_t) @@ -26736,7 +26974,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall init_getpgid_script(sulogin_t) -@@ -232,14 +241,23 @@ +@@ -232,14 +242,23 @@ userdom_search_user_home_dirs(sulogin_t) userdom_use_user_ptys(sulogin_t) @@ -26762,7 +27000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locall init_getpgid(sulogin_t) ', ` allow sulogin_t self:process setexec; -@@ -250,11 +268,3 @@ +@@ -250,11 +269,3 @@ selinux_compute_relabel_context(sulogin_t) selinux_compute_user_contexts(sulogin_t) ') @@ -30091,7 +30329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +HOME_DIR/\.gvfs(/.*)? <> diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.8.7/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2010-07-14 11:21:53.000000000 -0400 -+++ serefpolicy-3.8.7/policy/modules/system/userdomain.if 2010-07-14 14:08:02.000000000 -0400 ++++ serefpolicy-3.8.7/policy/modules/system/userdomain.if 2010-07-15 15:54:39.000000000 -0400 @@ -30,8 +30,9 @@ ') 
@@ -30103,7 +30341,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo domain_type($1_t) corecmd_shell_entry_type($1_t) corecmd_bin_entry_type($1_t) -@@ -43,69 +44,90 @@ +@@ -43,69 +44,92 @@ term_user_pty($1_t, user_devpts_t) term_user_tty($1_t, user_tty_device_t) @@ -30223,17 +30461,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + + fs_list_cgroup_dirs($1_usertype) + fs_dontaudit_rw_cgroup_files($1_usertype) ++ ++ storage_rw_fuse($1_usertype) ++ ++ auth_use_nsswitch($1_usertype) - libs_exec_ld_so($1_t) -+ storage_rw_fuse($1_usertype) ++ init_stream_connect($1_usertype) - miscfiles_read_localization($1_t) - miscfiles_read_certs($1_t) -+ auth_use_nsswitch($1_usertype) ++ libs_exec_ld_so($1_usertype) - sysnet_read_config($1_t) -+ libs_exec_ld_so($1_usertype) -+ + miscfiles_read_certs($1_usertype) + miscfiles_read_localization($1_usertype) + miscfiles_read_man_pages($1_usertype) @@ -30241,7 +30481,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo tunable_policy(`allow_execmem',` # Allow loading DSOs that require executable stack. -@@ -116,6 +138,16 @@ +@@ -116,6 +140,16 @@ # Allow making the stack executable via mprotect. allow $1_t self:process execstack; ') @@ -30258,7 +30498,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -149,6 +181,8 @@ +@@ -149,6 +183,8 @@ type user_home_t, user_home_dir_t; ') @@ -30267,7 +30507,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # # Domain access to home dir -@@ -166,27 +200,6 @@ +@@ -166,27 +202,6 @@ read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) files_list_home($2) 
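Review bot: `init_stream_connect($1_usertype)` in `userdom_base_user_template` gives every user domain built from the template, unprivileged ones included, `connectto` on init_t's unix stream sockets unconditionally, while the daemon-side init_t socket rules in this same patch sit behind the init_systemd tunable. Unless every supported init exposes a stream socket that ordinary sessions must reach, gate it the same way, `tunable_policy(`init_systemd',` / `init_stream_connect($1_usertype)` / `')`, and say which client needs it, e.g. `# systemd: user sessions talk to init over its private socket — TODO confirm which tool`. The template begins before this hunk, so I cannot see whether `$1_usertype` already covers more than the login shell domains.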
@@ -30295,7 +30535,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -218,8 +231,11 @@ +@@ -218,8 +233,11 @@ interface(`userdom_manage_home_role',` gen_require(` type user_home_t, user_home_dir_t; @@ -30307,7 +30547,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # # Domain access to home dir -@@ -228,17 +244,21 @@ +@@ -228,17 +246,21 @@ type_member $2 user_home_dir_t:dir user_home_dir_t; # full control of the home directory @@ -30339,7 +30579,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file }) files_list_home($2) -@@ -246,25 +266,23 @@ +@@ -246,25 +268,23 @@ allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; tunable_policy(`use_nfs_home_dirs',` @@ -30369,7 +30609,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -289,6 +307,8 @@ +@@ -289,6 +309,8 @@ type user_tmp_t; ') @@ -30378,7 +30618,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_poly_member_tmp($2, user_tmp_t) manage_dirs_pattern($2, user_tmp_t, user_tmp_t) -@@ -297,6 +317,45 @@ +@@ -297,6 +319,45 @@ manage_sock_files_pattern($2, user_tmp_t, user_tmp_t) manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t) files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file }) @@ -30424,7 +30664,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -316,6 +375,7 @@ +@@ -316,6 +377,7 @@ ') exec_files_pattern($1, user_tmp_t, user_tmp_t) @@ -30432,7 +30672,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($1) ') -@@ -350,6 +410,8 @@ +@@ -350,6 +412,8 @@ type user_tmpfs_t; ') 
@@ -30441,7 +30681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t) manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t) manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t) -@@ -360,46 +422,41 @@ +@@ -360,46 +424,41 @@ ####################################### ## @@ -30463,10 +30703,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - gen_require(` - type $1_t; - ') -- ++interface(`userdom_basic_networking',` + - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:udp_socket create_socket_perms; -+interface(`userdom_basic_networking',` ++ allow $1 self:tcp_socket create_stream_socket_perms; ++ allow $1 self:udp_socket create_socket_perms; - corenet_all_recvfrom_unlabeled($1_t) - corenet_all_recvfrom_netlabel($1_t) @@ -30478,9 +30720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - corenet_udp_sendrecv_all_ports($1_t) - corenet_tcp_connect_all_ports($1_t) - corenet_sendrecv_all_client_packets($1_t) -+ allow $1 self:tcp_socket create_stream_socket_perms; -+ allow $1 self:udp_socket create_socket_perms; - +- - corenet_all_recvfrom_labeled($1_t, $1_t) + corenet_all_recvfrom_unlabeled($1) + corenet_all_recvfrom_netlabel($1) @@ -30508,7 +30748,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -430,6 +487,7 @@ +@@ -430,6 +489,7 @@ dev_dontaudit_rw_dri($1_t) # GNOME checks for usb and other devices: dev_rw_usbfs($1_t) @@ -30516,7 +30756,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo xserver_user_x_domain_template($1, $1_t, user_tmpfs_t) xserver_xsession_entry_type($1_t) -@@ -490,7 +548,7 @@ +@@ -490,7 +550,7 @@ attribute unpriv_userdomain; ') 
@@ -30525,7 +30765,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ############################## # -@@ -500,73 +558,78 @@ +@@ -500,73 +560,78 @@ # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -30546,27 +30786,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + kernel_get_sysvipc_info($1_usertype) # Find CDROM devices: - kernel_read_device_sysctls($1_t) +- +- corecmd_exec_bin($1_t) + kernel_read_device_sysctls($1_usertype) + kernel_request_load_module($1_usertype) -- corecmd_exec_bin($1_t) +- corenet_udp_bind_generic_node($1_t) +- corenet_udp_bind_generic_port($1_t) + corenet_udp_bind_generic_node($1_usertype) + corenet_udp_bind_generic_port($1_usertype) -- corenet_udp_bind_generic_node($1_t) -- corenet_udp_bind_generic_port($1_t) +- dev_read_rand($1_t) +- dev_write_sound($1_t) +- dev_read_sound($1_t) +- dev_read_sound_mixer($1_t) +- dev_write_sound_mixer($1_t) + dev_read_rand($1_usertype) + dev_write_sound($1_usertype) + dev_read_sound($1_usertype) + dev_read_sound_mixer($1_usertype) + dev_write_sound_mixer($1_usertype) -- dev_read_rand($1_t) -- dev_write_sound($1_t) -- dev_read_sound($1_t) -- dev_read_sound_mixer($1_t) -- dev_write_sound_mixer($1_t) -- - files_exec_etc_files($1_t) - files_search_locks($1_t) + files_exec_etc_files($1_usertype) @@ -30644,7 +30884,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') tunable_policy(`user_ttyfile_stat',` -@@ -574,65 +637,108 @@ +@@ -574,65 +639,108 @@ ') optional_policy(` 
@@ -30680,51 +30920,51 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + optional_policy(` + policykit_dbus_chat($1_usertype) + ') ++ ++ optional_policy(` ++ bluetooth_dbus_chat($1_usertype) ++ ') ++ ++ optional_policy(` ++ consolekit_dbus_chat($1_usertype) ++ consolekit_read_log($1_usertype) ++ ') ++ ++ optional_policy(` ++ devicekit_dbus_chat($1_usertype) ++ devicekit_dbus_chat_power($1_usertype) ++ devicekit_dbus_chat_disk($1_usertype) ++ ') ++ ++ optional_policy(` ++ evolution_dbus_chat($1_usertype) ++ evolution_alarm_dbus_chat($1_usertype) ++ ') optional_policy(` - bluetooth_dbus_chat($1_t) -+ bluetooth_dbus_chat($1_usertype) ++ gnome_dbus_chat_gconfdefault($1_usertype) ') optional_policy(` - evolution_dbus_chat($1_t) - evolution_alarm_dbus_chat($1_t) -+ consolekit_dbus_chat($1_usertype) -+ consolekit_read_log($1_usertype) ++ hal_dbus_chat($1_usertype) ') optional_policy(` - cups_dbus_chat_config($1_t) -+ devicekit_dbus_chat($1_usertype) -+ devicekit_dbus_chat_power($1_usertype) -+ devicekit_dbus_chat_disk($1_usertype) ++ modemmanager_dbus_chat($1_usertype) ') optional_policy(` - hal_dbus_chat($1_t) -+ evolution_dbus_chat($1_usertype) -+ evolution_alarm_dbus_chat($1_usertype) ++ networkmanager_dbus_chat($1_usertype) ++ networkmanager_read_lib_files($1_usertype) ') optional_policy(` - networkmanager_dbus_chat($1_t) -+ gnome_dbus_chat_gconfdefault($1_usertype) -+ ') -+ -+ optional_policy(` -+ hal_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` -+ modemmanager_dbus_chat($1_usertype) -+ ') -+ -+ optional_policy(` -+ networkmanager_dbus_chat($1_usertype) -+ networkmanager_read_lib_files($1_usertype) -+ ') -+ -+ optional_policy(` + vpn_dbus_chat($1_usertype) ') ') 
@@ -30733,24 +30973,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - inetd_use_fds($1_t) - inetd_rw_tcp_sockets($1_t) + git_session_role($1_r, $1_usertype) ++ ') ++ ++ optional_policy(` ++ inetd_use_fds($1_usertype) ++ inetd_rw_tcp_sockets($1_usertype) ') optional_policy(` - inn_read_config($1_t) - inn_read_news_lib($1_t) - inn_read_news_spool($1_t) -+ inetd_use_fds($1_usertype) -+ inetd_rw_tcp_sockets($1_usertype) ++ inn_read_config($1_usertype) ++ inn_read_news_lib($1_usertype) ++ inn_read_news_spool($1_usertype) ') optional_policy(` - locate_read_lib_files($1_t) -+ inn_read_config($1_usertype) -+ inn_read_news_lib($1_usertype) -+ inn_read_news_spool($1_usertype) -+ ') -+ -+ optional_policy(` + locate_read_lib_files($1_usertype) ') @@ -30758,20 +30998,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` - modutils_read_module_config($1_t) + modutils_read_module_config($1_usertype) -+ ') -+ -+ optional_policy(` -+ mta_rw_spool($1_usertype) -+ mta_manage_queue($1_usertype) ') optional_policy(` - mta_rw_spool($1_t) ++ mta_rw_spool($1_usertype) ++ mta_manage_queue($1_usertype) ++ ') ++ ++ optional_policy(` + nsplugin_role($1_r, $1_usertype) ') optional_policy(` -@@ -643,41 +749,50 @@ +@@ -643,41 +751,50 @@ optional_policy(` # to allow monitoring of pcmcia status @@ -30833,7 +31073,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ####################################### -@@ -705,13 +820,26 @@ +@@ -705,13 +822,26 @@ userdom_base_user_template($1) 
@@ -30842,12 +31082,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + + userdom_manage_tmp_role($1_r, $1_usertype) + userdom_manage_tmpfs_role($1_r, $1_usertype) ++ ++ ifelse(`$1',`unconfined',`',` ++ gen_tunable(allow_$1_exec_content, true) - userdom_manage_tmp_role($1_r, $1_t) - userdom_manage_tmpfs_role($1_r, $1_t) -+ ifelse(`$1',`unconfined',`',` -+ gen_tunable(allow_$1_exec_content, true) -+ + tunable_policy(`allow_$1_exec_content',` + userdom_exec_user_tmp_files($1_usertype) + userdom_exec_user_home_content_files($1_usertype) @@ -30865,7 +31105,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_change_password_template($1) -@@ -729,72 +857,74 @@ +@@ -729,72 +859,74 @@ allow $1_t self:context contains; @@ -30933,10 +31173,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - miscfiles_exec_tetex_data($1_t) + miscfiles_read_tetex_data($1_usertype) + miscfiles_exec_tetex_data($1_usertype) -+ -+ seutil_read_config($1_usertype) - seutil_read_config($1_t) ++ seutil_read_config($1_usertype) ++ + optional_policy(` + cups_read_config($1_usertype) + cups_stream_connect($1_usertype) @@ -30975,7 +31215,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -826,12 +956,35 @@ +@@ -826,12 +958,35 @@ typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -31011,7 +31251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo loadkeys_run($1_t,$1_r) ') ') -@@ -867,45 +1020,83 @@ +@@ -867,45 +1022,83 @@ # auth_role($1_r, $1_t) 
@@ -31082,14 +31322,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - ') + optional_policy(` + openoffice_role_template($1, $1_r, $1_usertype) ++ ') ++ ++ optional_policy(` ++ policykit_role($1_r, $1_usertype) ') optional_policy(` - java_role($1_r, $1_t) -+ policykit_role($1_r, $1_usertype) -+ ') -+ -+ optional_policy(` + pulseaudio_role($1_r, $1_usertype) + ') + @@ -31110,7 +31350,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -940,7 +1131,7 @@ +@@ -940,7 +1133,7 @@ # # Inherit rules for ordinary users. @@ -31119,7 +31359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_common_user_template($1) ############################## -@@ -949,54 +1140,77 @@ +@@ -949,54 +1142,77 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -31208,26 +31448,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo + + optional_policy(` + mount_run_fusermount($1_t, $1_r) ++ ') ++ ++ optional_policy(` ++ wine_role_template($1, $1_r, $1_t) ') - # Run pppd in pppd_t by default for user optional_policy(` - ppp_run_cond($1_t,$1_r) -+ wine_role_template($1, $1_r, $1_t) ++ postfix_run_postdrop($1_t, $1_r) ') ++ # Run pppd in pppd_t by default for user optional_policy(` - setroubleshoot_stream_connect($1_t) -+ postfix_run_postdrop($1_t, $1_r) -+ ') -+ -+ # Run pppd in pppd_t by default for user -+ optional_policy(` + ppp_run_cond($1_t, $1_r) ') ') -@@ -1032,7 +1246,7 @@ +@@ -1032,7 +1248,7 @@ template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -31236,7 +31476,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ############################## -@@ -1067,6 +1281,9 @@ +@@ -1067,6 +1283,9 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; 
@@ -31246,7 +31486,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1081,6 +1298,7 @@ +@@ -1081,6 +1300,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -31254,7 +31494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1112,10 +1330,13 @@ +@@ -1112,10 +1332,13 @@ domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -31268,7 +31508,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo fs_set_all_quotas($1_t) fs_exec_noxattr($1_t) -@@ -1135,6 +1356,7 @@ +@@ -1135,6 +1358,7 @@ logging_send_syslog_msg($1_t) modutils_domtrans_insmod($1_t) @@ -31276,7 +31516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1203,6 +1425,8 @@ +@@ -1203,6 +1427,8 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -31285,7 +31525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1230,6 +1454,7 @@ +@@ -1230,6 +1456,7 @@ seutil_run_checkpolicy($1,$2) seutil_run_loadpolicy($1,$2) seutil_run_semanage($1,$2) @@ -31293,7 +31533,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo seutil_run_setfiles($1, $2) optional_policy(` -@@ -1268,12 +1493,15 @@ +@@ -1268,12 +1495,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; 
@@ -31310,7 +31550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ') ########################################
-@@ -1384,6 +1612,7 @@
+@@ -1384,6 +1614,7 @@
 ') allow $1 user_home_dir_t:dir search_dir_perms;
@@ -31318,7 +31558,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 files_search_home($1) ')
-@@ -1430,6 +1659,14 @@
+@@ -1430,6 +1661,14 @@
 allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1)
@@ -31333,7 +31573,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ') ########################################
-@@ -1445,9 +1682,11 @@
+@@ -1445,9 +1684,11 @@
 interface(`userdom_dontaudit_list_user_home_dirs',`
 gen_require(`
 type user_home_dir_t;
@@ -31345,7 +31585,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ') ########################################
-@@ -1504,6 +1743,42 @@
+@@ -1504,6 +1745,42 @@
 allow $1 user_home_dir_t:dir relabelto; ')
@@ -31388,7 +31628,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ########################################
 ##
 ## Create directories in the home dir root with
-@@ -1578,6 +1853,8 @@
+@@ -1578,6 +1855,8 @@
 ') dontaudit $1 user_home_t:dir search_dir_perms;
@@ -31397,7 +31637,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ') ########################################
-@@ -1592,10 +1869,12 @@
+@@ -1592,10 +1871,12 @@
 #
 interface(`userdom_list_user_home_content',`
 gen_require(`
@@ -31412,7 +31652,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ') ########################################
-@@ -1638,26 +1917,27 @@
+@@ -1638,26 +1919,27 @@
 ######################################## ##
@@ -31445,7 +31685,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ##
 ##
 ##
-@@ -1665,13 +1945,31 @@
+@@ -1665,13 +1947,31 @@
 ##
 ##
 #
@@ -31481,7 +31721,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ') ########################################
-@@ -1689,12 +1987,32 @@
+@@ -1689,12 +1989,32 @@
 type user_home_dir_t, user_home_t; ')
@@ -31514,7 +31754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ## Do not audit attempts to read user home files.
 ##
 ##
-@@ -1705,11 +2023,14 @@
+@@ -1705,11 +2025,14 @@
 #
 interface(`userdom_dontaudit_read_user_home_content_files',`
 gen_require(`
@@ -31532,7 +31772,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ') ########################################
-@@ -1799,8 +2120,7 @@
+@@ -1799,8 +2122,7 @@
 type user_home_dir_t, user_home_t; ')
@@ -31542,7 +31782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ') ########################################
-@@ -1816,20 +2136,14 @@
+@@ -1816,20 +2138,14 @@
 #
 interface(`userdom_exec_user_home_content_files',`
 gen_require(`
@@ -31567,7 +31807,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ######################################## ##
-@@ -2171,7 +2485,7 @@
+@@ -2171,7 +2487,7 @@
 type user_tmp_t; ')
@@ -31576,7 +31816,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ') ########################################
-@@ -2424,13 +2738,14 @@
+@@ -2424,13 +2740,14 @@
 ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -31592,7 +31832,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ##
 ##
 ##
-@@ -2451,26 +2766,6 @@
+@@ -2451,26 +2768,6 @@
 ######################################## ##
@@ -31619,7 +31859,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ## Get the attributes of a user domain tty.
 ##
 ##
-@@ -2804,7 +3099,7 @@
+@@ -2804,7 +3101,7 @@
 domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use;
@@ -31628,7 +31868,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 allow unpriv_userdomain $1:process sigchld; ')
-@@ -2820,11 +3115,13 @@
+@@ -2820,11 +3117,13 @@
 #
 interface(`userdom_search_user_home_content',`
 gen_require(`
@@ -31644,7 +31884,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ') ########################################
-@@ -2961,7 +3258,45 @@
+@@ -2961,7 +3260,45 @@
 type user_tmp_t; ')
@@ -31691,7 +31931,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ') ########################################
-@@ -2998,6 +3333,7 @@
+@@ -2998,6 +3335,7 @@
 ') read_files_pattern($1, userdomain, userdomain)
@@ -31699,7 +31939,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 kernel_search_proc($1) ')
-@@ -3128,3 +3464,779 @@
+@@ -3128,3 +3466,779 @@
 allow $1 userdomain:dbus send_msg; ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 88b63ff..59629a1 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.8.7
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,9 @@ exit 0 %endif %changelog
+* Mon Jul 14 2010 Dan Walsh 3.8.7-2
+- Make boot with systemd in enforcing mode
+
 * Mon Jul 14 2010 Dan Walsh 3.8.7-1
 - Update to upstream