++##
++## Allow clamd to use JIT compiler
++##
++##
++gen_tunable(clamd_use_jit, false)
++
+ ########################################
+ #
+ # Declarations
+@@ -57,6 +64,7 @@
#
allow clamd_t self:capability { kill setgid setuid dac_override };
@@ -13827,7 +13879,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
allow clamd_t self:fifo_file rw_fifo_file_perms;
allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow clamd_t self:unix_dgram_socket create_socket_perms;
-@@ -189,10 +190,14 @@
+@@ -189,10 +197,14 @@
auth_use_nsswitch(freshclam_t)
@@ -13842,6 +13894,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam
optional_policy(`
cron_system_entry(freshclam_t, freshclam_exec_t)
')
+@@ -246,6 +258,12 @@
+
+ mta_send_mail(clamscan_t)
+
++tunable_policy(`clamd_use_jit',`
++ allow clamd_t self:process execmem;
++', `
++ dontaudit clamd_t self:process execmem;
++')
++
+ optional_policy(`
+ amavis_read_spool_files(clamscan_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clogd.fc serefpolicy-3.7.16/policy/modules/services/clogd.fc
--- nsaserefpolicy/policy/modules/services/clogd.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.16/policy/modules/services/clogd.fc 2010-03-23 11:38:44.000000000 -0400
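Review bot: The else branch of the new clamd_use_jit tunable_policy block adds `dontaudit clamd_t self:process execmem;`, so with the boolean at its declared default of false every execmem attempt by clamd is denied without an audit record. clamd parses untrusted files, and an execmem denial from clamd_t is an event a defender would want in the audit log. I would drop the dontaudit line, or keep it only with a comment stating what denial noise it is meant to hide. The block also sits after `mta_send_mail(clamscan_t)`, in what appears to be the clamscan_t part of the file, although both rules are for clamd_t; placing it beside the other `allow clamd_t self:...` rules would make it easier to find.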
@@ -14056,13 +14121,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
+manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.7.16/policy/modules/services/consolekit.fc
--- nsaserefpolicy/policy/modules/services/consolekit.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.7.16/policy/modules/services/consolekit.fc 2010-03-23 11:38:44.000000000 -0400
-@@ -2,4 +2,5 @@
++++ serefpolicy-3.7.16/policy/modules/services/consolekit.fc 2010-03-29 13:08:45.000000000 -0400
+@@ -1,5 +1,7 @@
+ /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
++
/var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
-/var/run/ConsoleKit(/.*)? -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
-+
++/var/run/console-kit-daemon\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
+/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.7.16/policy/modules/services/consolekit.if
--- nsaserefpolicy/policy/modules/services/consolekit.if 2009-07-14 14:19:57.000000000 -0400
@@ -14483,7 +14550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
+/var/log/mcelog.* -- gen_context(system_u:object_r:cron_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.7.16/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.16/policy/modules/services/cron.if 2010-03-23 11:38:44.000000000 -0400
++++ serefpolicy-3.7.16/policy/modules/services/cron.if 2010-03-25 14:56:10.000000000 -0400
@@ -12,6 +12,10 @@
##
#
@@ -14659,7 +14726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.7.16/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.16/policy/modules/services/cron.te 2010-03-23 11:38:44.000000000 -0400
++++ serefpolicy-3.7.16/policy/modules/services/cron.te 2010-03-29 13:12:03.000000000 -0400
@@ -38,8 +38,10 @@
type cron_var_lib_t;
files_type(cron_var_lib_t)
@@ -14938,6 +15005,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
unconfined_domain(system_cronjob_t)
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
+@@ -590,7 +670,7 @@
+ userdom_manage_user_home_content_sockets(cronjob_t)
+ #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
+
+-list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
++rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+ read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+
+ tunable_policy(`fcron_crond', `
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.7.16/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2009-07-28 15:51:13.000000000 -0400
+++ serefpolicy-3.7.16/policy/modules/services/cups.fc 2010-03-23 11:38:44.000000000 -0400
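Review bot: The switch from `list_dirs_pattern` to `rw_dirs_pattern` for crond_t on user_cron_spool_t carries no comment or bug reference, although it widens the daemon from listing the user spool directory to modifying it. The following `read_files_pattern` line still grants only read on the files, so the hunk does not show which operation needed directory write. A one-line comment above the rule, such as `# crond needs dir write on the user spool for <operation>, see <bug id>`, would let a later reviewer judge whether a narrower pattern is enough. The tunable_policy block that opens on the last added line continues outside the hunk.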
@@ -24533,6 +24609,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
+',`
+ can_exec(smbd_t, samba_unconfined_script_exec_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.7.16/policy/modules/services/sasl.te
+--- nsaserefpolicy/policy/modules/services/sasl.te 2010-03-23 10:55:15.000000000 -0400
++++ serefpolicy-3.7.16/policy/modules/services/sasl.te 2010-03-29 09:28:33.000000000 -0400
+@@ -50,6 +50,9 @@
+ kernel_read_kernel_sysctls(saslauthd_t)
+ kernel_read_system_state(saslauthd_t)
+
++#577519
++corecmd_exec_bin(saslauthd_t)
++
+ corenet_all_recvfrom_unlabeled(saslauthd_t)
+ corenet_all_recvfrom_netlabel(saslauthd_t)
+ corenet_tcp_sendrecv_generic_if(saslauthd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.7.16/policy/modules/services/sendmail.if
--- nsaserefpolicy/policy/modules/services/sendmail.if 2010-01-11 09:40:36.000000000 -0500
+++ serefpolicy-3.7.16/policy/modules/services/sendmail.if 2010-03-23 11:38:44.000000000 -0400
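Review bot: The only justification given for `corecmd_exec_bin(saslauthd_t)` is the bare comment `#577519`, which names neither the tracker nor the program saslauthd has to run. The interface lets saslauthd_t execute files labelled bin_t in its own domain, which is a broad grant for a daemon that handles credentials. I would expand the comment to something like `# <tracker> 577519: saslauthd executes <helper> from bin_t`. If only one helper is involved, a dedicated label with a domain transition may be a tighter fit.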
@@ -26898,7 +26987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.16/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2010-03-23 10:55:15.000000000 -0400
-+++ serefpolicy-3.7.16/policy/modules/services/virt.te 2010-03-25 14:51:49.000000000 -0400
++++ serefpolicy-3.7.16/policy/modules/services/virt.te 2010-03-29 13:34:58.000000000 -0400
@@ -36,13 +36,6 @@
##