diff --git a/policy-F12.patch b/policy-F12.patch index e531109..6c82550 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -338,12 +338,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_dontaudit_getattr_all_sockets(readahead_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.32/policy/modules/admin/rpm.fc --- nsaserefpolicy/policy/modules/admin/rpm.fc 2009-07-14 11:19:57.000000000 -0700 -+++ serefpolicy-3.6.32/policy/modules/admin/rpm.fc 2009-09-16 07:03:08.000000000 -0700 ++++ serefpolicy-3.6.32/policy/modules/admin/rpm.fc 2009-09-24 08:56:43.000000000 -0700 @@ -1,17 +1,17 @@ /bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) -+/usr/bin/debuginfo-install -- gen_context(system_u:object_r:rpm_exec_t,s0) ++/usr/bin/debuginfo-install -- gen_context(system_u:object_r:debuginfo_exec_t,s0) /usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -362,7 +362,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/yumex/yumex -- gen_context(system_u:object_r:rpm_exec_t,s0) ifdef(`distro_redhat', ` -@@ -21,15 +21,22 @@ +@@ -21,15 +21,23 @@ /usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -375,6 +375,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) ++/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) /var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0) /var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0) 
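Review bot: Relabeling `/usr/bin/debuginfo-install` from rpm_exec_t to debuginfo_exec_t silently removes it from every rule that keys on rpm_exec_t, so a domain that previously ran it through an rpm_exec_t-based interface without a domain transition is now denied; the caller updated in this patch (abrt) switches to rpm_domtrans_debuginfo, but other callers are not visible here and should be checked in the tree. The new `/var/cache/yum(/.*)?` entry only takes effect once the directory is relabeled, so an existing cache keeps its old label until restorecon runs — presumably the package's post-install relabel covers it, which is worth confirming. A one-line comment next to the entry, `# separate entry type so callers can transition on debuginfo-install without all of rpm_exec_t`, would record why a second exec type exists.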
@@ -387,8 +388,43 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.32/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2009-07-14 11:19:57.000000000 -0700 -+++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2009-09-16 07:03:08.000000000 -0700 -@@ -66,6 +66,11 @@ ++++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2009-09-24 08:54:37.000000000 -0700 +@@ -13,11 +13,34 @@ + interface(`rpm_domtrans',` + gen_require(` + type rpm_t, rpm_exec_t; ++ type debuginfo_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, rpm_exec_t, rpm_t) ++ domtrans_pattern($1, debuginfo_exec_t, rpm_t) ++') ++ ++######################################## ++## ++## Execute debuginfo_install programs in the rpm domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`rpm_domtrans_debuginfo',` ++ gen_require(` ++ type rpm_t; ++ type debuginfo_exec_t; ++ ') ++ ++ files_search_usr($1) ++ corecmd_search_bin($1) ++ domtrans_pattern($1, debuginfo_exec_t, rpm_t) + ') + + ######################################## +@@ -66,6 +89,11 @@ rpm_domtrans($1) role $2 types rpm_t; role $2 types rpm_script_t; @@ -400,7 +436,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_run_loadpolicy(rpm_script_t, $2) seutil_run_semanage(rpm_script_t, $2) seutil_run_setfiles(rpm_script_t, $2) -@@ -146,6 +151,35 @@ +@@ -146,6 +174,35 @@ ######################################## ## @@ -436,7 +472,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send and receive messages from ## rpm over dbus. ## -@@ -167,6 +201,48 @@ +@@ -167,6 +224,48 @@ ######################################## ## 
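Review bot: `rpm_domtrans` now also contains `domtrans_pattern($1, debuginfo_exec_t, rpm_t)`, so the new `rpm_domtrans_debuginfo` is a strict subset of it and both transition into the same rpm_t domain; the separate entry type therefore narrows which executables a caller may start, not what the resulting process may do. Because rpm_t is highly privileged (the rpm.te context in this patch shows auth_manage_all_files_except_shadow and storage_raw_read_fixed_disk granted to it), that limitation belongs in the new interface's summary, e.g. `## Execute debuginfo-install in the rpm domain; the target is the full rpm_t domain, not a reduced debuginfo domain.` If callers of rpm_domtrans are not meant to gain debuginfo-install as well, the added debuginfo_exec_t line in rpm_domtrans is the one to drop.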
@@ -485,7 +521,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete the RPM log. ## ## -@@ -186,6 +262,24 @@ +@@ -186,6 +285,24 @@ ######################################## ## @@ -510,7 +546,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Inherit and use file descriptors from RPM scripts. ## ## -@@ -219,7 +313,51 @@ +@@ -219,7 +336,51 @@ ') files_search_tmp($1) @@ -562,7 +598,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -245,6 +383,24 @@ +@@ -245,6 +406,24 @@ ######################################## ## @@ -587,7 +623,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete the RPM package database. ## ## -@@ -283,3 +439,46 @@ +@@ -265,6 +444,26 @@ + + ######################################## + ## ++## Create, read, write, and delete the RPM package database. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`rpm_manage_cache',` ++ gen_require(` ++ type rpm_var_cache_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t) ++ manage_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t) ++') ++ ++######################################## ++## + ## Do not audit attempts to create, read, + ## write, and delete the RPM package database. + ## +@@ -283,3 +482,46 @@ dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') 
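Review bot: The summary of the new `rpm_manage_cache` interface is copied from the package-database interface and reads `Create, read, write, and delete the RPM package database.`, but its rules grant access to rpm_var_cache_t, which rpm.fc in this patch places under `/var/cache/yum`; it should read `## Create, read, write, and delete the RPM package cache.` The body calls `files_search_var_lib($1)`, which grants search on /var/lib rather than on the /var path the cache lives under, so a caller without its own search permission on /var cannot reach the cache — `files_search_var($1)` is the matching call. The interface also grants lnk_file management while rpm.te in this patch grants rpm_t dir and file management on the same type; whether callers such as abrt need to create cache subdirectories should be decided and the two kept consistent.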
@@ -636,11 +699,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.32/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2009-08-14 13:14:31.000000000 -0700 -+++ serefpolicy-3.6.32/policy/modules/admin/rpm.te 2009-09-16 07:03:08.000000000 -0700 -@@ -31,11 +31,15 @@ ++++ serefpolicy-3.6.32/policy/modules/admin/rpm.te 2009-09-24 08:56:31.000000000 -0700 +@@ -15,6 +15,9 @@ + domain_interactive_fd(rpm_t) + role system_r types rpm_t; + ++type debuginfo_exec_t; ++domain_entry_file(rpm_t, debuginfo_exec_t) ++ + type rpm_file_t; + files_type(rpm_file_t) + +@@ -31,11 +34,18 @@ files_type(rpm_var_lib_t) typealias rpm_var_lib_t alias var_lib_rpm_t; ++type rpm_var_cache_t; ++files_type(rpm_var_cache_t) ++ +type rpm_var_run_t; +files_pid_file(rpm_var_run_t) + @@ -653,7 +729,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_type(rpm_script_t) domain_entry_file(rpm_t, rpm_script_exec_t) domain_interactive_fd(rpm_script_t) -@@ -52,8 +56,9 @@ +@@ -52,8 +62,9 @@ # rpm Local policy # @@ -665,7 +741,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow rpm_t self:process { getattr setexec setfscreate setrlimit }; allow rpm_t self:fd use; allow rpm_t self:fifo_file rw_fifo_file_perms; -@@ -68,6 +73,8 @@ +@@ -68,6 +79,8 @@ allow rpm_t self:sem create_sem_perms; allow rpm_t self:msgq create_msgq_perms; allow rpm_t self:msg { send receive }; 
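Review bot: `type debuginfo_exec_t;` is the only type in rpm.te without the module's `rpm_` prefix (compare rpm_exec_t, rpm_var_run_t and the new rpm_var_cache_t in the same hunk), which makes it look like it belongs to a separate debuginfo module when it is in fact an entry point into rpm_t. Since the type is new in this patch, renaming it to `rpm_debuginfo_exec_t` in rpm.fc, rpm.if and rpm.te costs nothing now but would break callers later. A comment on the declaration, `# entry point for debuginfo-install; transitions into rpm_t`, would also help, as the domain_entry_file line alone gives no hint why a second exec type exists.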
@@ -674,7 +750,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow rpm_t rpm_log_t:file manage_file_perms; logging_log_filetrans(rpm_t, rpm_log_t, file) -@@ -87,8 +94,13 @@ +@@ -83,12 +96,21 @@ + manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t) + fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + ++manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t) ++manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t) ++files_var_filetrans(rpm_t, rpm_var_cache_t, dir) ++ + # Access /var/lib/rpm files manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t) files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir) @@ -688,7 +772,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_all_executables(rpm_t) -@@ -108,12 +120,14 @@ +@@ -108,12 +130,14 @@ dev_list_sysfs(rpm_t) dev_list_usbfs(rpm_t) dev_read_urand(rpm_t) @@ -703,7 +787,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_search_auto_mountpoints(rpm_t) mls_file_read_all_levels(rpm_t) -@@ -132,6 +146,8 @@ +@@ -132,6 +156,8 @@ # for installing kernel packages storage_raw_read_fixed_disk(rpm_t) @@ -712,7 +796,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_relabel_all_files_except_shadow(rpm_t) auth_manage_all_files_except_shadow(rpm_t) auth_dontaudit_read_shadow(rpm_t) -@@ -155,6 +171,7 @@ +@@ -155,6 +181,7 @@ files_exec_etc_files(rpm_t) init_domtrans_script(rpm_t) @@ -720,7 +804,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_exec_ld_so(rpm_t) libs_exec_lib_files(rpm_t) -@@ -174,17 +191,28 @@ +@@ -174,17 +201,28 @@ ') optional_policy(` @@ -750,7 +834,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ifdef(`TODO',` -@@ -210,8 +238,8 @@ +@@ -210,8 +248,8 @@ # rpm-script Local policy # 
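Review bot: `files_var_filetrans(rpm_t, rpm_var_cache_t, dir)` fires for any directory rpm_t creates directly inside a var_t directory, not only for `/var/cache/yum` as the rpm.fc entry in this patch suggests, so a directory a package installs under /var would end up labeled rpm_var_cache_t unless rpm sets the creation context explicitly (setfscreate is granted to rpm_t in the context above, so it presumably does, but the dependency is undocumented). A comment before the transition, `# /var/cache/yum; package payloads rely on rpm's setfscreate labeling, not on this transition`, would record that assumption. The hunk grants rpm_t dir and file management on rpm_var_cache_t but no lnk_file rule, while the new rpm_manage_cache interface grants lnk_file management to callers; one of the two is probably incomplete.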
@@ -761,7 +845,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow rpm_script_t self:fd use; allow rpm_script_t self:fifo_file rw_fifo_file_perms; allow rpm_script_t self:unix_dgram_socket create_socket_perms; -@@ -222,12 +250,15 @@ +@@ -222,12 +260,15 @@ allow rpm_script_t self:sem create_sem_perms; allow rpm_script_t self:msgq create_msgq_perms; allow rpm_script_t self:msg { send receive }; @@ -777,7 +861,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir }) manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) -@@ -239,6 +270,9 @@ +@@ -239,6 +280,9 @@ kernel_read_kernel_sysctls(rpm_script_t) kernel_read_system_state(rpm_script_t) @@ -787,7 +871,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_list_sysfs(rpm_script_t) -@@ -255,6 +289,7 @@ +@@ -255,6 +299,7 @@ fs_mount_xattr_fs(rpm_script_t) fs_unmount_xattr_fs(rpm_script_t) fs_search_auto_mountpoints(rpm_script_t) @@ -795,7 +879,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mcs_killall(rpm_script_t) mcs_ptrace_all(rpm_script_t) -@@ -272,14 +307,19 @@ +@@ -272,14 +317,19 @@ storage_raw_read_fixed_disk(rpm_script_t) storage_raw_write_fixed_disk(rpm_script_t) @@ -815,7 +899,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_read_all_domains_state(rpm_script_t) domain_getattr_all_domains(rpm_script_t) -@@ -291,6 +331,7 @@ +@@ -291,6 +341,7 @@ files_exec_etc_files(rpm_script_t) files_read_etc_runtime_files(rpm_script_t) files_exec_usr_files(rpm_script_t) 
@@ -823,7 +907,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol init_domtrans_script(rpm_script_t) -@@ -308,12 +349,15 @@ +@@ -308,12 +359,15 @@ seutil_domtrans_loadpolicy(rpm_script_t) seutil_domtrans_setfiles(rpm_script_t) seutil_domtrans_semanage(rpm_script_t) @@ -839,7 +923,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -326,13 +370,22 @@ +@@ -326,13 +380,22 @@ ') optional_policy(` @@ -2338,7 +2422,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.32/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2009-07-28 10:28:33.000000000 -0700 -+++ serefpolicy-3.6.32/policy/modules/apps/mozilla.if 2009-09-18 07:42:05.000000000 -0700 ++++ serefpolicy-3.6.32/policy/modules/apps/mozilla.if 2009-09-23 16:27:38.000000000 -0700 @@ -45,6 +45,18 @@ relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t) relabel_files_pattern($2, mozilla_home_t, mozilla_home_t) @@ -2366,7 +2450,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_search_user_home_dirs($1) ') -@@ -88,6 +101,24 @@ +@@ -88,6 +101,25 @@ ######################################## ## @@ -2378,12 +2462,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`mozilla_dontaudit_write_user_home_files',` ++interface(`mozilla_dontaudit_manage_user_home_files',` + gen_require(` + type mozilla_home_t; + ') + -+ dontaudit $1 mozilla_home_t:file write; ++ dontaudit $1 mozilla_home_t:dir manage_dir_perms; ++ dontaudit $1 mozilla_home_t:file manage_file_perms; +') + +######################################## 
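Review bot: Widening the dontaudit from `mozilla_home_t:file write` to `dir manage_dir_perms` and `file manage_file_perms` silences unlink, rename and setattr denials on the user's Firefox profile for every caller of the renamed interface (sandbox_x_t and seunshare_t in this patch), which removes the audit record a confined program would otherwise leave when it alters the profile rather than merely failing to write to it. If only specific operations are known to be noise, listing them, e.g. `dontaudit $1 mozilla_home_t:file { write setattr };`, keeps the rest visible; otherwise the interface summary (the `##` block above, whose XML markup is lost in this rendering) should state which application generates the denials. The rename from mozilla_dontaudit_write_user_home_files is safe only if no caller outside this patch remains, which is worth confirming in the tree.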
@@ -2486,8 +2571,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.32/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 16:00:00.000000000 -0800 -+++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.if 2009-09-18 18:30:00.000000000 -0700 -@@ -0,0 +1,319 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.if 2009-09-23 07:34:03.000000000 -0700 +@@ -0,0 +1,320 @@ + +## policy for nsplugin + @@ -2600,6 +2685,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dontaudit nsplugin_t $2:process ptrace; + allow nsplugin_t $2:sem rw_sem_perms; + allow nsplugin_t $2:shm rw_shm_perms; ++ dontaudit nsplugin_t $2:shm destroy; + + allow $2 nsplugin_t:process { getattr ptrace signal_perms }; + allow $2 nsplugin_t:unix_stream_socket connectto; @@ -2809,8 +2895,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.32/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 16:00:00.000000000 -0800 -+++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.te 2009-09-16 07:03:08.000000000 -0700 -@@ -0,0 +1,292 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.te 2009-09-24 08:43:03.000000000 -0700 +@@ -0,0 +1,294 @@ + +policy_module(nsplugin, 1.0.0) + 
@@ -3025,6 +3111,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow nsplugin_config_t self:fifo_file rw_file_perms; +allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms; + ++dev_dontaudit_read_rand(nsplugin_config_t) ++ +fs_search_auto_mountpoints(nsplugin_config_t) +fs_list_inotifyfs(nsplugin_config_t) + @@ -3650,8 +3738,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# No types are sandbox_exec_t diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.32/policy/modules/apps/sandbox.if --- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 16:00:00.000000000 -0800 -+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if 2009-09-21 06:08:50.000000000 -0700 -@@ -0,0 +1,181 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if 2009-09-23 16:34:36.000000000 -0700 +@@ -0,0 +1,182 @@ + +## policy for sandbox + @@ -3696,6 +3784,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + # Dontaudit leaked file descriptors + dontaudit sandbox_x_domain $1:fifo_file rw_fifo_file_perms; + dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms; ++ dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms; + + manage_files_pattern($1, sandbox_file_type, sandbox_file_type); + manage_dirs_pattern($1, sandbox_file_type, sandbox_file_type); 
@@ -3835,8 +3924,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.32/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 16:00:00.000000000 -0800 -+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te 2009-09-21 05:40:55.000000000 -0700 -@@ -0,0 +1,326 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te 2009-09-24 11:21:41.000000000 -0700 +@@ -0,0 +1,328 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; @@ -3971,6 +4060,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto; +dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; + ++domain_dontaudit_read_all_domains_state(sandbox_x_domain) ++ +files_search_home(sandbox_x_domain) +files_dontaudit_list_tmp(sandbox_x_domain) + @@ -4025,7 +4116,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +userdom_use_user_ptys(sandbox_x_t) + +optional_policy(` -+ mozilla_dontaudit_write_user_home_files(sandbox_x_t) ++ mozilla_dontaudit_manage_user_home_files(sandbox_x_t) +') + + 
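Review bot: `domain_dontaudit_read_all_domains_state(sandbox_x_domain)` carries no comment saying which sandboxed program reads other domains' /proc entries, unlike the `# Dontaudit leaked file descriptors` block in sandbox.if of this patch, so a reader cannot tell whether this is startup noise or a probe that should stay visible in the audit log. The access itself remains denied — only the audit record is dropped — so a line such as `# sandboxed apps enumerate /proc of other domains at startup; keep denied, silence the noise` would record the reasoning. The `udp_socket rw_socket_perms` dontaudits added to sandbox.if and seunshare.if sit under existing leaked-descriptor comments and need nothing further.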
@@ -4186,8 +4277,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/sbin/seunshare -- gen_context(system_u:object_r:seunshare_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.6.32/policy/modules/apps/seunshare.if --- nsaserefpolicy/policy/modules/apps/seunshare.if 1969-12-31 16:00:00.000000000 -0800 -+++ serefpolicy-3.6.32/policy/modules/apps/seunshare.if 2009-09-18 18:59:52.000000000 -0700 -@@ -0,0 +1,80 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/seunshare.if 2009-09-23 16:34:12.000000000 -0700 +@@ -0,0 +1,81 @@ + +## policy for seunshare + @@ -4239,6 +4330,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + # leaks from firefox + dontaudit seunshare_t $1:tcp_socket rw_socket_perms; ++ dontaudit seunshare_t $1:udp_socket rw_socket_perms; +') + +######################################## @@ -4270,7 +4362,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.6.32/policy/modules/apps/seunshare.te --- nsaserefpolicy/policy/modules/apps/seunshare.te 1969-12-31 16:00:00.000000000 -0800 -+++ serefpolicy-3.6.32/policy/modules/apps/seunshare.te 2009-09-18 07:46:57.000000000 -0700 ++++ serefpolicy-3.6.32/policy/modules/apps/seunshare.te 2009-09-23 16:28:08.000000000 -0700 @@ -0,0 +1,45 @@ +policy_module(seunshare,1.0.0) + 
@@ -4315,7 +4407,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +userdom_use_user_terminals(seunshare_t) + +optional_policy(` -+ mozilla_dontaudit_write_user_home_files(seunshare_t) ++ mozilla_dontaudit_manage_user_home_files(seunshare_t) +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.32/policy/modules/apps/vmware.te --- nsaserefpolicy/policy/modules/apps/vmware.te 2009-09-09 06:23:16.000000000 -0700 @@ -6293,8 +6385,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.6.32/policy/modules/kernel/storage.if --- nsaserefpolicy/policy/modules/kernel/storage.if 2009-07-14 11:19:57.000000000 -0700 -+++ serefpolicy-3.6.32/policy/modules/kernel/storage.if 2009-09-16 07:03:09.000000000 -0700 -@@ -529,7 +529,7 @@ ++++ serefpolicy-3.6.32/policy/modules/kernel/storage.if 2009-09-23 07:29:31.000000000 -0700 +@@ -266,6 +266,7 @@ + + dev_list_all_dev_nodes($1) + allow $1 fixed_disk_device_t:blk_file relabel_blk_file_perms; ++ dontaudit $1 fixed_disk_device_t:lnk_file relabelto_lnk_file_perms; + ') + + ######################################## +@@ -529,7 +530,7 @@ ') @@ -8253,7 +8353,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 06:09:20.000000000 -0700 -+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-09-16 07:03:09.000000000 -0700 ++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-09-24 08:54:43.000000000 -0700 
@@ -75,6 +75,7 @@ corecmd_exec_bin(abrt_t) @@ -8262,10 +8362,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_connect_http_port(abrt_t) -@@ -109,9 +110,13 @@ +@@ -105,13 +106,20 @@ + dbus_system_bus_client(abrt_t) + ') + ++optional_policy(` ++ nsplugin_read_rw_files(abrt_t) ++') ++ + # to install debuginfo packages optional_policy(` - rpm_manage_db(abrt_t) - rpm_domtrans(abrt_t) +- rpm_manage_db(abrt_t) +- rpm_domtrans(abrt_t) ++ rpm_manage_cache(abrt_t) ++ rpm_domtrans_debuginfo(abrt_t) + rpm_signull(abrt_t) ') @@ -8275,7 +8385,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') + +permissive abrt_t; -+ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.fc serefpolicy-3.6.32/policy/modules/services/afs.fc --- nsaserefpolicy/policy/modules/services/afs.fc 2009-07-23 11:11:04.000000000 -0700 +++ serefpolicy-3.6.32/policy/modules/services/afs.fc 2009-09-16 07:03:09.000000000 -0700 @@ -9874,7 +9983,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.32/policy/modules/services/bluetooth.te --- nsaserefpolicy/policy/modules/services/bluetooth.te 2009-08-14 13:14:31.000000000 -0700 -+++ serefpolicy-3.6.32/policy/modules/services/bluetooth.te 2009-09-21 05:20:47.000000000 -0700 ++++ serefpolicy-3.6.32/policy/modules/services/bluetooth.te 2009-09-22 17:55:58.000000000 -0700 @@ -56,7 +56,7 @@ allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw sys_tty_config ipc_lock }; 
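Review bot: `permissive abrt_t;` is still present in this file (context in the next hunk), so the switch from `rpm_domtrans`/`rpm_manage_db` to the narrower `rpm_domtrans_debuginfo`/`rpm_manage_cache` is not enforced and any shortfall of the narrower rules will surface only as audit messages; if the narrowing is meant to be validated, the permissive line should carry a comment on when it is to be removed. `nsplugin_read_rw_files(abrt_t)` is added without a comment, unlike the neighbouring `# to install debuginfo packages` block; a line stating why a crash handler reads browser-plugin files (the reason is not visible in the hunk) belongs above its optional_policy. Note also that `rpm_manage_cache` as defined in this patch only adds `files_search_var_lib`, so abrt_t must get search on /var from elsewhere to reach /var/cache/yum.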
@@ -11964,7 +12073,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.32/policy/modules/services/hal.if --- nsaserefpolicy/policy/modules/services/hal.if 2009-07-28 10:28:33.000000000 -0700 -+++ serefpolicy-3.6.32/policy/modules/services/hal.if 2009-09-16 07:03:09.000000000 -0700 ++++ serefpolicy-3.6.32/policy/modules/services/hal.if 2009-09-24 11:39:22.000000000 -0700 @@ -413,3 +413,21 @@ files_search_pids($1) manage_files_pattern($1, hald_var_run_t, hald_var_run_t) @@ -11989,7 +12098,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.32/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2009-08-14 13:14:31.000000000 -0700 -+++ serefpolicy-3.6.32/policy/modules/services/hal.te 2009-09-16 07:03:09.000000000 -0700 ++++ serefpolicy-3.6.32/policy/modules/services/hal.te 2009-09-23 07:21:23.000000000 -0700 @@ -55,6 +55,9 @@ type hald_var_lib_t; files_type(hald_var_lib_t) @@ -12000,15 +12109,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Local policy -@@ -100,6 +103,7 @@ +@@ -100,7 +103,9 @@ kernel_rw_irq_sysctls(hald_t) kernel_rw_vm_sysctls(hald_t) kernel_write_proc_files(hald_t) +kernel_search_network_sysctl(hald_t) kernel_setsched(hald_t) ++kernel_request_load_module(hald_t) auth_read_pam_console_data(hald_t) -@@ -156,6 +160,11 @@ + +@@ -156,6 +161,11 @@ fs_search_all(hald_t) fs_list_inotifyfs(hald_t) fs_list_auto_mountpoints(hald_t) 
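Review bot: `kernel_request_load_module(hald_t)` lets hald have the kernel autoload modules on its behalf (for example when it opens a socket family or device whose driver is not loaded), which widens what a compromised hald could bring into the kernel, and the hunk gives no indication what request provoked it. A comment on the line, e.g. `# hald probes hardware and triggers driver autoload; needed for <device class>`, would let a later reviewer judge whether the grant is still required. The same line is added to system_mail_t in mta.te (hunk `@@ -12354,8 +12465,11 @@`), where module requests from a mail client are even less expected and deserve their own comment.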
@@ -12020,7 +12131,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_getattr_all_mountpoints(hald_t) mls_file_read_all_levels(hald_t) -@@ -202,8 +211,10 @@ +@@ -202,8 +212,10 @@ seutil_read_default_contexts(hald_t) seutil_read_file_contexts(hald_t) @@ -12032,7 +12143,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_use_unpriv_user_fds(hald_t) userdom_dontaudit_search_user_home_dirs(hald_t) -@@ -290,6 +301,7 @@ +@@ -290,6 +302,7 @@ ') optional_policy(` @@ -12040,7 +12151,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol policykit_domtrans_auth(hald_t) policykit_domtrans_resolve(hald_t) policykit_read_lib(hald_t) -@@ -321,6 +333,10 @@ +@@ -321,6 +334,10 @@ virt_manage_images(hald_t) ') @@ -12051,7 +12162,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Hal acl local policy -@@ -341,6 +357,7 @@ +@@ -341,6 +358,7 @@ manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file }) @@ -12059,7 +12170,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(hald_acl_t) -@@ -357,6 +374,8 @@ +@@ -357,6 +375,8 @@ files_read_usr_files(hald_acl_t) files_read_etc_files(hald_acl_t) @@ -12068,7 +12179,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol storage_getattr_removable_dev(hald_acl_t) storage_setattr_removable_dev(hald_acl_t) storage_getattr_fixed_disk_dev(hald_acl_t) -@@ -369,6 +388,7 @@ +@@ -369,6 +389,7 @@ miscfiles_read_localization(hald_acl_t) optional_policy(` 
@@ -12076,7 +12187,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol policykit_domtrans_auth(hald_acl_t) policykit_read_lib(hald_acl_t) policykit_read_reload(hald_acl_t) -@@ -450,12 +470,16 @@ +@@ -450,12 +471,16 @@ miscfiles_read_localization(hald_keymap_t) @@ -12095,7 +12206,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow hald_dccm_t self:process getsched; allow hald_dccm_t self:tcp_socket create_stream_socket_perms; allow hald_dccm_t self:udp_socket create_socket_perms; -@@ -469,10 +493,22 @@ +@@ -469,10 +494,22 @@ manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t) files_search_var_lib(hald_dccm_t) @@ -12118,7 +12229,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(hald_dccm_t) corenet_all_recvfrom_netlabel(hald_dccm_t) corenet_tcp_sendrecv_generic_if(hald_dccm_t) -@@ -484,6 +520,7 @@ +@@ -484,6 +521,7 @@ corenet_tcp_bind_generic_node(hald_dccm_t) corenet_udp_bind_generic_node(hald_dccm_t) corenet_udp_bind_dhcpc_port(hald_dccm_t) @@ -12126,7 +12237,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_dccm_port(hald_dccm_t) logging_send_syslog_msg(hald_dccm_t) -@@ -491,3 +528,7 @@ +@@ -491,3 +529,7 @@ files_read_usr_files(hald_dccm_t) miscfiles_read_localization(hald_dccm_t) @@ -12335,7 +12446,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.32/policy/modules/services/mta.te --- nsaserefpolicy/policy/modules/services/mta.te 2009-08-14 13:14:31.000000000 -0700 -+++ serefpolicy-3.6.32/policy/modules/services/mta.te 2009-09-16 10:43:44.000000000 -0700 ++++ serefpolicy-3.6.32/policy/modules/services/mta.te 2009-09-22 17:56:19.000000000 -0700 
@@ -27,6 +27,9 @@ type mail_spool_t; files_mountpoint(mail_spool_t) @@ -12346,7 +12457,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type sendmail_exec_t; mta_agent_executable(sendmail_exec_t) -@@ -57,6 +60,8 @@ +@@ -57,8 +60,11 @@ can_exec(system_mail_t, mta_exec_type) @@ -12354,8 +12465,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + kernel_read_system_state(system_mail_t) kernel_read_network_state(system_mail_t) ++kernel_request_load_module(system_mail_t) -@@ -72,16 +77,21 @@ + dev_read_sysfs(system_mail_t) + dev_read_rand(system_mail_t) +@@ -72,16 +78,21 @@ userdom_use_user_terminals(system_mail_t) userdom_dontaudit_search_user_home_dirs(system_mail_t) @@ -12377,7 +12491,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -100,6 +110,7 @@ +@@ -100,6 +111,7 @@ optional_policy(` cron_read_system_job_tmp_files(system_mail_t) cron_dontaudit_write_pipes(system_mail_t) @@ -12385,7 +12499,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -178,6 +189,10 @@ +@@ -178,6 +190,10 @@ ') optional_policy(` @@ -12396,7 +12510,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol smartmon_read_tmp_files(system_mail_t) ') -@@ -197,6 +212,25 @@ +@@ -197,6 +213,25 @@ ') ') 
@@ -16761,7 +16875,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.6.32/policy/modules/services/setroubleshoot.if --- nsaserefpolicy/policy/modules/services/setroubleshoot.if 2009-07-14 11:19:57.000000000 -0700 -+++ serefpolicy-3.6.32/policy/modules/services/setroubleshoot.if 2009-09-16 07:03:09.000000000 -0700 ++++ serefpolicy-3.6.32/policy/modules/services/setroubleshoot.if 2009-09-24 11:40:15.000000000 -0700 @@ -16,8 +16,8 @@ ') @@ -16773,7 +16887,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -36,6 +36,84 @@ +@@ -36,6 +36,102 @@ type setroubleshootd_t, setroubleshoot_var_run_t; ') @@ -16826,6 +16940,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## ++## Dontaudit read/write to a setroubleshoot unix datagram socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`setroubleshoot_dontaudit_rw_dgram_sockets',` ++ gen_require(` ++ type setroubleshoot_fixit_t; ++ ') ++ ++ dontaudit $1 setroubleshoot_fixit_t:unix_dgram_socket { read write }; ++') ++ ++######################################## ++## +## All of the rules required to administrate +## an setroubleshoot environment +## 
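Review bot: The summary of the new `setroubleshoot_dontaudit_rw_dgram_sockets` interface says `a setroubleshoot unix datagram socket`, but its rule targets `setroubleshoot_fixit_t` only and not `setroubleshootd_t`; it should name the fixit helper, e.g. `## Do not audit attempts to read and write a setroubleshoot fixit unix datagram socket.`, so callers do not expect it to cover the daemon's socket. The body itself is fine; the XML tags of the doc block are stripped in this rendering, so their structure cannot be checked here.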
@@ -16861,7 +16993,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.32/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-08-14 13:14:31.000000000 -0700 -+++ serefpolicy-3.6.32/policy/modules/services/setroubleshoot.te 2009-09-16 07:03:09.000000000 -0700 ++++ serefpolicy-3.6.32/policy/modules/services/setroubleshoot.te 2009-09-24 11:38:01.000000000 -0700 @@ -22,13 +22,19 @@ type setroubleshoot_var_run_t; files_pid_file(setroubleshoot_var_run_t) @@ -16923,7 +17055,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_get_enforce_mode(setroubleshootd_t) selinux_validate_context(setroubleshootd_t) -@@ -94,23 +113,74 @@ +@@ -94,23 +113,72 @@ locallogin_dontaudit_use_fds(setroubleshootd_t) @@ -16998,8 +17130,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + policykit_dbus_chat(setroubleshoot_fixit_t) +') -+ -+permissive setroubleshoot_fixit_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.6.32/policy/modules/services/smartmon.te --- nsaserefpolicy/policy/modules/services/smartmon.te 2009-08-14 13:14:31.000000000 -0700 +++ serefpolicy-3.6.32/policy/modules/services/smartmon.te 2009-09-16 07:03:09.000000000 -0700 
@@ -17132,8 +17262,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dev_read_sysfs(snmpd_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.32/policy/modules/services/spamassassin.fc
 --- nsaserefpolicy/policy/modules/services/spamassassin.fc 2009-07-14 11:19:57.000000000 -0700
-+++ serefpolicy-3.6.32/policy/modules/services/spamassassin.fc 2009-09-16 07:03:09.000000000 -0700
-@@ -1,15 +1,25 @@
++++ serefpolicy-3.6.32/policy/modules/services/spamassassin.fc 2009-09-24 10:21:09.000000000 -0700
+@@ -1,15 +1,26 @@
 -HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
 +HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
 +/root/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
@@ -17151,10 +17281,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0)
 /var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0) -
++/var/lib/spamassassin/compiled(/.*)? gen_context(system_u:object_r:spamd_compiled_t,s0)
++
 +/var/log/spamd\.log -- gen_context(system_u:object_r:spamd_log_t,s0)
 +/var/log/mimedefang -- gen_context(system_u:object_r:spamd_log_t,s0)
-+ + /var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) 
@@ -17274,7 +17405,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.32/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-08-14 13:14:31.000000000 -0700
-+++ serefpolicy-3.6.32/policy/modules/services/spamassassin.te 2009-09-16 07:03:09.000000000 -0700
++++ serefpolicy-3.6.32/policy/modules/services/spamassassin.te 2009-09-24 10:20:36.000000000 -0700
 @@ -20,6 +20,35 @@
 ##
 gen_tunable(spamd_enable_home_dirs, true)
@@ -17311,7 +17442,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 type spamassassin_t;
 type spamassassin_exec_t;
 typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
-@@ -51,10 +80,18 @@
+@@ -51,10 +80,21 @@
 typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
 files_tmp_file(spamc_tmp_t)
 ubac_constrained(spamc_tmp_t)
@@ -17322,6 +17453,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 init_daemon_domain(spamd_t, spamd_exec_t)
 +can_exec(spamd_t, spamd_exec_t)
 +
++type spamd_compiled_t;
++files_type(spamd_compiled_t)
++
 +type spamd_initrc_exec_t;
 +init_script_file(spamd_initrc_exec_t)
 +
@@ -17330,7 +17464,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 type spamd_spool_t;
 files_type(spamd_spool_t)
-@@ -110,6 +147,7 @@
+@@ -110,6 +150,7 @@
 dev_read_urand(spamassassin_t)
 fs_search_auto_mountpoints(spamassassin_t) 
@@ -17338,7 +17472,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # this should probably be removed
 corecmd_list_bin(spamassassin_t)
-@@ -150,6 +188,7 @@
+@@ -150,6 +191,7 @@
 corenet_udp_sendrecv_all_ports(spamassassin_t)
 corenet_tcp_connect_all_ports(spamassassin_t)
 corenet_sendrecv_all_client_packets(spamassassin_t)
@@ -17346,7 +17480,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 sysnet_read_config(spamassassin_t)
 ')
-@@ -186,6 +225,8 @@
+@@ -186,6 +228,8 @@
 optional_policy(`
 mta_read_config(spamassassin_t)
 sendmail_stub(spamassassin_t)
@@ -17355,7 +17489,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -207,16 +248,33 @@
+@@ -207,16 +251,33 @@
 allow spamc_t self:unix_stream_socket connectto;
 allow spamc_t self:tcp_socket create_stream_socket_perms;
 allow spamc_t self:udp_socket create_socket_perms;
@@ -17389,7 +17523,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 corenet_all_recvfrom_unlabeled(spamc_t)
 corenet_all_recvfrom_netlabel(spamc_t)
-@@ -246,9 +304,15 @@
+@@ -246,9 +307,15 @@
 files_dontaudit_search_var(spamc_t)
 # cjp: this may be removable:
 files_list_home(spamc_t)
@@ -17405,7 +17539,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 miscfiles_read_localization(spamc_t)
 # cjp: this should probably be removed:
-@@ -256,27 +320,40 @@
+@@ -256,27 +323,40 @@
 sysnet_read_config(spamc_t)
@@ -17452,7 +17586,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 ########################################
-@@ -288,7 +365,7 @@
+@@ -288,7 +368,7 @@
 # setuids to the user running spamc. Comment this if you are not
 # using this ability. 
@@ -17461,12 +17595,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dontaudit spamd_t self:capability sys_tty_config;
 allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow spamd_t self:fd use;
-@@ -304,10 +381,13 @@
+@@ -304,10 +384,17 @@
 allow spamd_t self:unix_stream_socket connectto;
 allow spamd_t self:tcp_socket create_stream_socket_perms;
 allow spamd_t self:udp_socket create_socket_perms;
 -allow spamd_t self:netlink_route_socket r_netlink_socket_perms;
 +
++can_exec(spamd_t, spamd_compiled_t)
++manage_dirs_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)
++manage_files_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)
++
 +manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t)
 +logging_log_filetrans(spamd_t, spamd_log_t, file)
@@ -17476,7 +17614,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
 manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -316,10 +396,12 @@
+@@ -316,10 +403,12 @@
 # var/lib files for spamd
 allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -17490,7 +17628,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
 kernel_read_all_sysctls(spamd_t)
-@@ -369,22 +451,27 @@
+@@ -369,22 +458,27 @@
 init_dontaudit_rw_utmp(spamd_t)
@@ -17522,7 +17660,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 fs_manage_cifs_files(spamd_t)
 ')
-@@ -402,23 +489,16 @@
+@@ -402,23 +496,16 @@
 optional_policy(`
 dcc_domtrans_client(spamd_t)
@@ -17547,7 +17685,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 postfix_read_config(spamd_t)
 ')
-@@ -433,6 +513,10 @@
+@@ -433,6 +520,10 @@
 optional_policy(`
 razor_domtrans(spamd_t) 
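Review bot: `can_exec(spamd_t, spamd_compiled_t)` together with `manage_files_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)` lets the same domain both write and execute everything under /var/lib/spamassassin/compiled, so a compromised spamd can drop code it is then permitted to load — a write-plus-execute pairing the visible rules otherwise avoid (the context line in the next hunk keeps spamd_var_lib_t at `list_dir_perms`). If spamd only loads the compiled rule set, `read_files_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)` next to `can_exec` is sufficient and the manage rules belong to whichever domain runs the compile step (sa-compile, presumably, which is not visible here); if spamd really does rebuild the directory itself, a comment saying so would justify the pairing. Note also that no `filetrans_pattern` is added for the `compiled` directory under spamd_var_lib_t, so the spamd_compiled_t label from the spamassassin.fc hunk only takes effect after a relabel, and a directory created at runtime inherits spamd_var_lib_t, to which none of these new rules apply. The `type spamd_compiled_t; files_type(spamd_compiled_t)` declaration in the earlier spamassassin.te hunk also lacks a comment; `# compiled rule sets under /var/lib/spamassassin/compiled, executed by spamd` would do.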
@@ -17558,7 +17696,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 optional_policy(`
-@@ -445,5 +529,9 @@
+@@ -445,5 +536,9 @@
 ')
 optional_policy(`
@@ -23738,7 +23876,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.32/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2009-08-14 13:14:31.000000000 -0700
-+++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.te 2009-09-16 07:03:09.000000000 -0700
++++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.te 2009-09-24 11:41:09.000000000 -0700
 @@ -23,6 +23,9 @@
 type selinux_config_t;
 files_type(selinux_config_t)
@@ -23881,17 +24019,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -allow semanage_t self:unix_stream_socket create_stream_socket_perms;
 -allow semanage_t self:unix_dgram_socket create_socket_perms;
 -allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
--
--allow semanage_t policy_config_t:file rw_file_perms;
 +seutil_semanage_policy(semanage_t)
 +allow semanage_t self:fifo_file rw_fifo_file_perms;
--allow semanage_t semanage_tmp_t:dir manage_dir_perms;
--allow semanage_t semanage_tmp_t:file manage_file_perms;
--files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
+-allow semanage_t policy_config_t:file rw_file_perms;
 +manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
 +manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+-allow semanage_t semanage_tmp_t:dir manage_dir_perms;
+-allow semanage_t semanage_tmp_t:file manage_file_perms;
+-files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
+-
 -kernel_read_system_state(semanage_t)
 -kernel_read_kernel_sysctls(semanage_t) - 
@@ -23917,14 +24055,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +can_exec(semanage_t, semanage_exec_t)
 -term_use_all_terms(semanage_t)
-+# Admins are creating pp files in random locations
-+auth_read_all_files_except_shadow(semanage_t) -
+-
 -# Running genhomedircon requires this for finding all users
 -auth_use_nsswitch(semanage_t) -
 -locallogin_use_fds(semanage_t)
--
++# Admins are creating pp files in random locations
++auth_read_all_files_except_shadow(semanage_t) +
 -logging_send_syslog_msg(semanage_t) -
 -miscfiles_read_localization(semanage_t)
@@ -23967,7 +24105,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 # cjp: need a more general way to handle this:
 ifdef(`enable_mls',`
 # read secadm tmp files
-@@ -499,111 +482,36 @@
+@@ -499,111 +482,40 @@
 userdom_read_user_tmp_files(semanage_t)
 ') 
@@ -24049,55 +24187,56 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 -userdom_use_all_users_fds(setfiles_t)
 -# for config files in a home directory
 -userdom_read_user_home_content_files(setfiles_t)
--
++init_dontaudit_use_fds(setsebool_t) +
 -ifdef(`distro_debian',` - # udev tmpfs is populated with static device nodes - # and then relabeled afterwards; thus - # /dev/console has the tmpfs type - fs_rw_tmpfs_chr_files(setfiles_t)
 -')
-+init_dontaudit_use_fds(setsebool_t) -
--ifdef(`distro_redhat', `
-- fs_rw_tmpfs_chr_files(setfiles_t)
-- fs_rw_tmpfs_blk_files(setfiles_t)
-- fs_relabel_tmpfs_blk_file(setfiles_t)
-- fs_relabel_tmpfs_chr_file(setfiles_t)
--')
 +# Bug in semanage
 +seutil_domtrans_setfiles(setsebool_t)
 +seutil_manage_file_contexts(setsebool_t)
 +seutil_manage_default_contexts(setsebool_t)
 +seutil_manage_config(setsebool_t)
--ifdef(`distro_ubuntu',`
-- optional_policy(`
-- unconfined_domain(setfiles_t)
-- ')
 -')
 +########################################
 +#
 +# Setfiles local policy
 +#
--ifdef(`hide_broken_symptoms',` - optional_policy(`
-- udev_dontaudit_rw_dgram_sockets(setfiles_t) - ')
 +seutil_setfiles(setfiles_t)
 +# During boot in Rawhide
 +term_use_generic_ptys(setfiles_t)
-- # cjp: cover up stray file descriptors. - optional_policy(`
-- unconfined_dontaudit_read_pipes(setfiles_t)
-- unconfined_dontaudit_rw_tcp_sockets(setfiles_t) - ')
 +seutil_setfiles(setfiles_mac_t)
 +allow setfiles_mac_t self:capability2 mac_admin;
 +kernel_relabelto_unlabeled(setfiles_mac_t)
+- # cjp: cover up stray file descriptors. 
+ optional_policy(` - unconfined_dontaudit_read_pipes(setfiles_t) - unconfined_dontaudit_rw_tcp_sockets(setfiles_t) - ')
++ setroubleshoot_dontaudit_rw_dgram_sockets(setfiles_t) + ')
 optional_policy(` - hotplug_use_fds(setfiles_t) + unconfined_domain(setfiles_mac_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index e028818..4189670 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.32
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -80,6 +80,7 @@ SELinux Base package
 Summary: SELinux policy documentation
 Group: System Environment/Base
 Requires(pre): selinux-policy = %{version}-%{release}
+Requires: /usr/bin/xdg-open
 %description doc
 SELinux policy documentation package
@@ -447,6 +448,9 @@ exit 0
 %endif
 %changelog
+* Tue Sep 21 2009 Dan Walsh 3.6.32-10
+- Allow sendmail to request kernel modules load
+
 * Mon Sep 21 2009 Dan Walsh 3.6.32-9
 - Fix all kernel_request_load_module domains
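Review bot: The new `setroubleshoot_dontaudit_rw_dgram_sockets(setfiles_t)` call sits in a plain `optional_policy` block, whereas the `udev_dontaudit_rw_dgram_sockets(setfiles_t)` and `unconfined_dontaudit_*` cover-ups this hunk deletes were wrapped in `ifdef(`hide_broken_symptoms',`; an unconditional dontaudit hides precisely the AVC evidence needed to trace the leaked descriptor, which presumably comes from the setroubleshoot_fixit_t domain that this commit also switches to enforcing. Keeping the refpolicy convention — `ifdef(`hide_broken_symptoms',` around the block — or at least a comment such as `# setroubleshoot_fixit_t leaks a unix_dgram_socket fd across exec of setfiles` records why the rule exists and when it can be dropped. The surrounding setfiles_t and setfiles_mac_t rules are only reordered in this hunk, so I have reviewed the new side alone.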
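Review bot: The new %changelog entry `* Tue Sep 21 2009 Dan Walsh 3.6.32-10` has the wrong weekday: the entry directly below gives the same date as `Mon Sep 21 2009`, and rpmbuild warns about a bogus date in %changelog when the day name and the date disagree, so it should read `* Mon Sep 21 2009 Dan Walsh 3.6.32-10` (or the real build date). The entry text, `Allow sendmail to request kernel modules load`, also says nothing about the policy changes visible in this commit — the new spamd_compiled_t type, the setroubleshoot dontaudit interface and the removal of `permissive setroubleshoot_fixit_t;` — which makes new denials hard to map to the release that introduced them. The added `Requires: /usr/bin/xdg-open` on the doc subpackage is a file-path dependency that is only justified if the shipped documentation invokes xdg-open; a one-line comment above it saying so would stop it being dropped as stray.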