From 5e25d306ca2e2c7dafa1770c00834c0817b2d976 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Sep 01 2010 14:34:12 +0000 Subject: - Fixes for jabberd policy - Fixes for sandbox policy --- diff --git a/policy-F13.patch b/policy-F13.patch index 180b020..34dd0cc 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -48,6 +48,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref +## +gen_tunable(mmap_low_allowed, false) + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.7.19/policy/mcs +--- nsaserefpolicy/policy/mcs 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/mcs 2010-09-01 12:09:30.921083663 +0200 +@@ -86,10 +86,10 @@ + (( h1 dom h2 ) and ( l2 eq h2 )); + + # new file labels must be dominated by the relabeling subject clearance +-mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom } ++mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file file } { relabelfrom } + ( h1 dom h2 ); + +-mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file } { create relabelto } ++mlsconstrain { dir lnk_file chr_file blk_file sock_file fifo_file file } { create relabelto } + (( h1 dom h2 ) and ( l2 eq h2 )); + + mlsconstrain process { transition dyntransition } +@@ -98,7 +98,7 @@ + mlsconstrain process { ptrace } + (( h1 dom h2) or ( t1 == mcsptraceall )); + +-mlsconstrain process { sigkill sigstop } ++mlsconstrain process { signal sigkill sigstop } + (( h1 dom h2 ) or ( t1 == mcskillall )); + + # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-3.7.19/policy/mls --- nsaserefpolicy/policy/mls 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/mls 2010-05-28 09:41:59.943612109 +0200 
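Review bot: The `file` class added to the two `mlsconstrain { dir lnk_file ... }` rules and the `signal` permission added to `mlsconstrain process { signal sigkill sigstop }` in the new `policy/mcs` hunk tighten MCS for every domain on the system, yet the commit message lists only jabberd and sandbox fixes. Name the system-wide effect in the commit message and extend the existing `# new file labels must be dominated by the relabeling subject clearance` comment, e.g. `# file is included so plain files cannot be created or relabeled above the subject's clearance`. The `signal` change also deserves a one-line comment above its constraint, since it is what the `dontaudit sandbox_x_domain $1:process signal;` line later in this commit works around.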
@@ -452,7 +477,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.t diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-3.7.19/policy/modules/admin/firstboot.te --- nsaserefpolicy/policy/modules/admin/firstboot.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/admin/firstboot.te 2010-05-28 09:41:59.950610882 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/firstboot.te 2010-09-01 16:15:20.344336196 +0200 @@ -77,6 +77,7 @@ miscfiles_read_localization(firstboot_t) @@ -461,7 +486,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstbo modutils_read_module_config(firstboot_t) modutils_read_module_deps(firstboot_t) -@@ -121,6 +122,12 @@ +@@ -99,6 +100,10 @@ + ') + + optional_policy(` ++ iptables_domtrans(firstboot_t) ++') ++ ++optional_policy(` + nis_use_ypbind(firstboot_t) + ') + +@@ -121,6 +126,12 @@ ') optional_policy(` @@ -6587,8 +6623,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +# No types are sandbox_exec_t diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.19/policy/modules/apps/sandbox.if --- nsaserefpolicy/policy/modules/apps/sandbox.if 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.if 2010-08-25 16:02:58.406085258 +0200 -@@ -0,0 +1,315 @@ ++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.if 2010-09-01 12:14:39.094335217 +0200 +@@ -0,0 +1,335 @@ + +## policy for sandbox + 
@@ -6640,6 +6676,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms; + dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms; + dontaudit sandbox_x_domain $1:unix_stream_socket { read write }; ++ dontaudit sandbox_x_domain $1:process signal; + + allow $1 sandbox_tmpfs_type:file manage_file_perms; + dontaudit $1 sandbox_tmpfs_type:file manage_file_perms; @@ -6676,7 +6713,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + ') + + type $1_t, sandbox_domain, sandbox_x_type; -+ domain_type($1_t) ++ application_type($1_t) + + mls_rangetrans_target($1_t) + @@ -6711,7 +6748,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + ') + + type $1_t, sandbox_x_domain; -+ domain_type($1_t) ++ application_type($1_t) + + type $1_file_t, sandbox_file_type; + files_type($1_file_t) @@ -6733,7 +6770,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + allow $1_t self:capability setuid; + + type $1_client_t, sandbox_x_domain; -+ domain_type($1_client_t) ++ application_type($1_client_t) + + type $1_client_tmpfs_t, sandbox_tmpfs_type; + files_tmpfs_file($1_client_tmpfs_t) @@ -6795,7 +6832,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms; +') + -+######################################## ++####################################### ++## ++## allow domain to read ++## sandbox tmpfs files ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`sandbox_read_tmpfs_files',` ++ gen_require(` ++ attribute sandbox_tmpfs_type; ++ ') ++ ++ allow $1 sandbox_tmpfs_type:file read_file_perms; ++') ++ ++######################################### +## +## allow domain to manage +## sandbox tmpfs files 
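Review bot: The new `sandbox_read_tmpfs_files` interface is boxed with 39 and 41 `#` characters (`#######################################` above it, `#########################################` below) while the rest of sandbox.if uses 40, and the hunk even rewrites a correct 40-wide rule into the 39-wide one; both should go back to 40. The added `dontaudit sandbox_x_domain $1:process signal;` needs a why-comment, because a dontaudit hides the denial from anyone reading the audit log; `# process:signal is now MCS-constrained (policy/mcs), silence the resulting denials` ties it to the constraint change in this same commit. The interface enclosing that line starts outside the hunk.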
@@ -6906,7 +6962,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-08-25 16:17:36.953085328 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-09-01 12:20:15.387083633 +0200 @@ -0,0 +1,402 @@ +policy_module(sandbox,1.0.0) +dbus_stub() @@ -6955,6 +7011,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +manage_sock_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t) +fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + ++kernel_dontaudit_request_load_module(sandbox_xserver_t) ++ +corecmd_exec_bin(sandbox_xserver_t) +corecmd_exec_shell(sandbox_xserver_t) + @@ -6973,7 +7031,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + +dev_rwx_zero(sandbox_xserver_t) + -+files_read_etc_files(sandbox_xserver_t) ++files_read_config_files(sandbox_xserver_t) +files_read_usr_files(sandbox_xserver_t) +files_search_home(sandbox_xserver_t) +fs_dontaudit_rw_tmpfs_files(sandbox_xserver_t) @@ -7032,7 +7090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +files_rw_all_inherited_files(sandbox_domain, -exec_type -configfile -usr_t -lib_t -locale_t -var_t -var_run_t -device_t -rpm_log_t ) +files_entrypoint_all_files(sandbox_domain) + -+files_read_etc_files(sandbox_domain) ++files_read_config_files(sandbox_domain) +files_read_usr_files(sandbox_domain) +files_read_var_files(sandbox_domain) +files_dontaudit_search_all_dirs(sandbox_domain) 
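Review bot: Replacing `files_read_etc_files` with `files_read_config_files` for `sandbox_xserver_t` and `sandbox_domain` (and for `sandbox_x_domain` in the following hunk, `@@ -7080,7 +7138,7 @@`) widens read access from etc_t to every type carrying the `configfile` attribute, a much larger set than the one-line change suggests. A short justification would help, e.g. `# sandboxed apps read configfile types beyond etc_t`, and it is worth confirming the wider read grant is intended next to the `-configfile` exclusion in `files_rw_all_inherited_files(sandbox_domain, ...)` a few lines above. The new `kernel_dontaudit_request_load_module(sandbox_xserver_t)` is harmless but equally unexplained.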
@@ -7080,7 +7138,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +dev_read_sysfs(sandbox_x_domain) + +files_entrypoint_all_files(sandbox_x_domain) -+files_read_etc_files(sandbox_x_domain) ++files_read_config_files(sandbox_x_domain) +files_read_usr_files(sandbox_x_domain) +files_read_usr_symlinks(sandbox_x_domain) + @@ -7146,7 +7204,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +# +# sandbox_x_client_t local policy +# -+allow sandbox_x_client_t self:tcp_socket create_socket_perms; ++allow sandbox_x_client_t self:tcp_socket create_stream_socket_perms; +allow sandbox_x_client_t self:udp_socket create_socket_perms; +allow sandbox_x_client_t self:dbus { acquire_svc send_msg }; +allow sandbox_x_client_t self:netlink_selinux_socket create_socket_perms; @@ -7180,7 +7238,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +allow sandbox_web_type self:process setsched; +dontaudit sandbox_web_type self:process setrlimit; + -+allow sandbox_web_type self:tcp_socket create_socket_perms; ++allow sandbox_web_type self:tcp_socket create_stream_socket_perms; +allow sandbox_web_type self:udp_socket create_socket_perms; +allow sandbox_web_type self:dbus { acquire_svc send_msg }; +allow sandbox_web_type self:netlink_selinux_socket create_socket_perms; 
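Review bot: `create_stream_socket_perms` adds `listen` and `accept` on top of `create_socket_perms` for `sandbox_x_client_t` and `sandbox_web_type` on self:tcp_socket, so two client-side sandbox domains may now act as TCP servers, and nothing in the hunks says which application needs that. If the goal is only to quiet denials, the `corenet_dontaudit_tcp_bind_generic_port(sandbox_web_type)` line in the next hunk suggests `dontaudit sandbox_web_type self:tcp_socket { listen accept };` would be the safer form; otherwise add a comment naming the requirement, e.g. `# <application - placeholder> needs a listening TCP socket`.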
@@ -7201,10 +7259,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +corenet_raw_sendrecv_all_nodes(sandbox_web_type) +corenet_tcp_sendrecv_http_port(sandbox_web_type) +corenet_tcp_sendrecv_http_cache_port(sandbox_web_type) ++corenet_tcp_sendrecv_squid_port(sandbox_web_type) +corenet_tcp_sendrecv_ftp_port(sandbox_web_type) +corenet_tcp_sendrecv_ipp_port(sandbox_web_type) +corenet_tcp_connect_http_port(sandbox_web_type) +corenet_tcp_connect_http_cache_port(sandbox_web_type) ++corenet_tcp_connect_squid_port(sandbox_web_type) +corenet_tcp_connect_flash_port(sandbox_web_type) +corenet_tcp_connect_ftp_port(sandbox_web_type) +corenet_tcp_connect_ipp_port(sandbox_web_type) @@ -7216,12 +7276,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +corenet_tcp_connect_speech_port(sandbox_web_type) +corenet_sendrecv_http_client_packets(sandbox_web_type) +corenet_sendrecv_http_cache_client_packets(sandbox_web_type) ++corenet_sendrecv_squid_client_packets(sandbox_web_type) +corenet_sendrecv_ftp_client_packets(sandbox_web_type) +corenet_sendrecv_ipp_client_packets(sandbox_web_type) +corenet_sendrecv_generic_client_packets(sandbox_web_type) -+corenet_tcp_sendrecv_squid_port(sandbox_web_type) -+corenet_sendrecv_squid_client_packets(sandbox_web_type) -+corenet_tcp_connect_squid_port(sandbox_web_type) +# Should not need other ports +corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_type) +corenet_dontaudit_tcp_bind_generic_port(sandbox_web_type) @@ -7233,7 +7291,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +fs_rw_anon_inodefs_files(sandbox_web_type) +fs_dontaudit_getattr_all_fs(sandbox_web_type) + -+storage_dontaudit_rw_fuse(sandbox_web_type) +storage_dontaudit_getattr_fixed_disk_dev(sandbox_web_type) + +auth_use_nsswitch(sandbox_web_type) 
@@ -7265,8 +7322,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + +optional_policy(` + nsplugin_read_rw_files(sandbox_web_type) -+ nsplugin_manage_rw(sandbox_web_type) + nsplugin_rw_exec(sandbox_web_type) ++ nsplugin_manage_rw(sandbox_web_type) +') + +optional_policy(` @@ -7284,7 +7341,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + +optional_policy(` + udev_read_state(sandbox_web_type) -+ udev_read_db(sandbox_web_type) +') + +######################################## @@ -8543,7 +8599,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2010-08-05 11:50:26.359085282 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2010-09-01 11:58:19.510084657 +0200 @@ -25,6 +25,7 @@ # type tun_tap_device_t; @@ -8612,9 +8668,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy network_port(i18n_input, tcp,9010,s0) network_port(imaze, tcp,5323,s0, udp,5323,s0) -@@ -125,39 +133,53 @@ +@@ -124,40 +132,55 @@ + network_port(isns, tcp,3205,s0, udp,3205,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) ++network_port(jabber_router, tcp,5347,s0) network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0) -network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) +network_port(kerberos_admin, tcp,749,s0) 
@@ -8668,7 +8726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pulseaudio, tcp,4713,s0) -@@ -177,18 +199,22 @@ +@@ -177,18 +200,22 @@ network_port(rsync, tcp,873,s0, udp,873,s0) network_port(rwho, udp,513,s0) network_port(sap, tcp,9875,s0, udp,9875,s0) @@ -8692,7 +8750,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(syslogd, udp,514,s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) -@@ -201,23 +227,23 @@ +@@ -201,23 +228,23 @@ network_port(varnishd, tcp,6081,s0, tcp,6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virt_migration, tcp,49152-49216,s0) @@ -14966,7 +15024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.19/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-08-24 14:39:54.754083905 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-09-01 12:22:03.915084400 +0200 @@ -19,11 +19,13 @@ # Declarations # 
@@ -15277,19 +15335,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -500,8 +621,11 @@ +@@ -500,8 +621,13 @@ # are dontaudited here. tunable_policy(`httpd_tty_comm',` userdom_use_user_terminals(httpd_t) + userdom_use_user_terminals(httpd_suexec_t) ++ userdom_use_user_terminals(httpd_user_script_t) + ',` userdom_dontaudit_use_user_terminals(httpd_t) + userdom_dontaudit_use_user_terminals(httpd_suexec_t) ++ userdom_dontaudit_use_user_terminals(httpd_user_script_t) ') optional_policy(` -@@ -514,6 +638,9 @@ +@@ -514,6 +640,9 @@ optional_policy(` cobbler_search_lib(httpd_t) @@ -15299,7 +15359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -528,7 +655,7 @@ +@@ -528,7 +657,7 @@ daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -15308,7 +15368,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +664,12 @@ +@@ -537,8 +666,12 @@ ') optional_policy(` @@ -15322,7 +15382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -557,6 +688,7 @@ +@@ -557,6 +690,7 @@ optional_policy(` # Allow httpd to work with mysql @@ -15330,7 +15390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +699,7 @@ +@@ -567,6 +701,7 @@ optional_policy(` nagios_read_config(httpd_t) @@ -15338,7 +15398,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -577,12 +710,23 @@ +@@ -577,12 +712,23 @@ ') optional_policy(` 
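Review bot: `userdom_use_user_terminals(httpd_user_script_t)` inside `tunable_policy(`httpd_tty_comm', ...)` extends the boolean from httpd_t and httpd_suexec_t to user CGI scripts, giving web-triggered scripts read/write on the logged-in user's terminals whenever the boolean is on. The dontaudit branch correctly mirrors the allow branch, but the boolean's description in the declarations section (outside this hunk) presumably still speaks of httpd alone and should be updated to mention suexec and user scripts.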
@@ -15362,7 +15422,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -591,6 +735,11 @@ +@@ -591,6 +737,11 @@ ') optional_policy(` @@ -15374,7 +15434,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -618,6 +767,10 @@ +@@ -618,6 +769,10 @@ userdom_use_user_terminals(httpd_helper_t) @@ -15385,7 +15445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -699,17 +852,18 @@ +@@ -699,17 +854,18 @@ manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -15407,7 +15467,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,10 +894,21 @@ +@@ -740,10 +896,21 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -15430,7 +15490,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -769,6 +934,12 @@ +@@ -769,6 +936,12 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -15443,7 +15503,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache system script local policy -@@ -792,9 +963,13 @@ +@@ -792,9 +965,13 @@ files_search_var_lib(httpd_sys_script_t) files_search_spool(httpd_sys_script_t) @@ -15457,7 +15517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,6 +978,28 @@ +@@ -803,6 +980,28 @@ mta_send_mail(httpd_sys_script_t) ') 
@@ -15486,7 +15546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; allow httpd_sys_script_t self:udp_socket create_socket_perms; -@@ -830,6 +1027,16 @@ +@@ -830,6 +1029,16 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -15503,7 +15563,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,6 +1049,7 @@ +@@ -842,6 +1051,7 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -15511,7 +15571,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -891,11 +1099,33 @@ +@@ -891,11 +1101,33 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -21845,7 +21905,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.7.19/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/hal.te 2010-06-09 13:12:04.850507212 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/hal.te 2010-09-01 12:01:45.692083773 +0200 @@ -55,6 +55,9 @@ type hald_var_lib_t; files_type(hald_var_lib_t) @@ -21932,7 +21992,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. gpm_dontaudit_getattr_gpmctl(hald_t) ') -@@ -295,6 +309,7 @@ +@@ -282,6 +296,10 @@ + ') + + optional_policy(` ++ netutils_domtrans(hald_t) ++') ++ ++optional_policy(` + ntp_domtrans(hald_t) + ') + +@@ -295,6 +313,7 @@ ') optional_policy(` 
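Review bot: `netutils_domtrans(hald_t)` in the new hal.te `optional_policy` block lets hald run the network utilities in `netutils_t`, which as far as I recall is a comparatively privileged domain (raw-socket tools), and the hunk gives no reason for the transition. Add a why-comment above the block, e.g. `# hald runs <netutils program - placeholder> from its helper scripts`, so the grant can be re-evaluated later. The enclosing hal.te section begins outside the hunk.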
@@ -21940,7 +22011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. ppp_read_rw_config(hald_t) ') -@@ -315,11 +330,19 @@ +@@ -315,11 +334,19 @@ ') optional_policy(` @@ -21960,7 +22031,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. updfstab_domtrans(hald_t) ') -@@ -331,6 +354,10 @@ +@@ -331,6 +358,10 @@ virt_manage_images(hald_t) ') @@ -21971,7 +22042,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. ######################################## # # Hal acl local policy -@@ -351,6 +378,7 @@ +@@ -351,6 +382,7 @@ manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file }) @@ -21979,7 +22050,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. corecmd_exec_bin(hald_acl_t) -@@ -463,6 +491,10 @@ +@@ -463,6 +495,10 @@ miscfiles_read_localization(hald_keymap_t) 
@@ -22025,6 +22096,293 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn. mta_send_mail(innd_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabber.fc serefpolicy-3.7.19/policy/modules/services/jabber.fc +--- nsaserefpolicy/policy/modules/services/jabber.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/jabber.fc 2010-09-01 11:58:19.516083496 +0200 +@@ -2,5 +2,14 @@ + + /usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0) + ++# for new version of jabberd ++/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0) ++/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0) ++/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_exec_t,s0) ++/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0) ++ ++/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) ++ ++ + /var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) + /var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabber.if serefpolicy-3.7.19/policy/modules/services/jabber.if +--- nsaserefpolicy/policy/modules/services/jabber.if 2010-04-13 20:44:36.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/jabber.if 2010-09-01 11:58:19.536083725 +0200 +@@ -1,17 +1,96 @@ + ## Jabber instant messaging server + +-######################################## ++####################################### + ## +-## Connect to jabber over a TCP socket (Deprecated) ++## Execute a domain transition to run jabberd services + ## + ## +-## +-## Domain allowed access. +-## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`jabber_domtrans_jabberd',` ++ gen_require(` ++ type jabberd_t, jabberd_exec_t; ++ ') ++ ++ domtrans_pattern($1, jabberd_exec_t, jabberd_t) ++') ++ ++###################################### ++## ++## Execute a domain transition to run jabberd router service ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`jabber_domtrans_jabberd_router',` ++ gen_require(` ++ type jabberd_router_t, jabberd_router_exec_t; ++ ') ++ ++ domtrans_pattern($1, jabberd_router_exec_t, jabberd_router_t) ++') ++ ++####################################### ++## ++## Read jabberd lib files. ++## ++## ++## ++## Domain allowed access. ++## + ## + # +-interface(`jabber_tcp_connect',` +- refpolicywarn(`$0($*) has been deprecated.') ++interface(`jabberd_read_lib_files',` ++ gen_require(` ++ type jabberd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t) ++') ++ ++####################################### ++## ++## Dontaudit inherited read jabberd lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`jabberd_dontaudit_read_lib_files',` ++ gen_require(` ++ type jabberd_var_lib_t; ++ ') ++ ++ dontaudit $1 jabberd_var_lib_t:file read_inherited_file_perms; ++') ++ ++####################################### ++## ++## Create, read, write, and delete ++## jabberd lib files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`jabberd_manage_lib_files',` ++ gen_require(` ++ type jabberd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t) + ') + + ######################################## +@@ -35,11 +114,15 @@ + gen_require(` + type jabberd_t, jabberd_log_t, jabberd_var_lib_t; + type jabberd_var_run_t, jabberd_initrc_exec_t; ++ type jabberd_router_t; + ') + + allow $1 jabberd_t:process { ptrace signal_perms }; + ps_process_pattern($1, jabberd_t) + ++ allow $1 jabberd_router_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, jabberd_router_t) ++ + init_labeled_script_domtrans($1, jabberd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 jabberd_initrc_exec_t system_r; +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabber.te serefpolicy-3.7.19/policy/modules/services/jabber.te +--- nsaserefpolicy/policy/modules/services/jabber.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/jabber.te 2010-09-01 11:58:19.543083755 +0200 +@@ -6,13 +6,19 @@ + # Declarations + # + +-type jabberd_t; ++attribute jabberd_domain; ++ ++type jabberd_t, jabberd_domain; + type jabberd_exec_t; + init_daemon_domain(jabberd_t, jabberd_exec_t) + + type jabberd_initrc_exec_t; + init_script_file(jabberd_initrc_exec_t) + ++type jabberd_router_t, jabberd_domain; ++type jabberd_router_exec_t; ++init_daemon_domain(jabberd_router_t, jabberd_router_exec_t) ++ + type jabberd_log_t; + logging_log_file(jabberd_log_t) + +@@ -22,40 +28,78 @@ + type jabberd_var_run_t; + files_pid_file(jabberd_var_run_t) + +-######################################## ++permissive jabberd_router_t; ++permissive jabberd_t; ++ ++####################################### + # +-# Local policy ++# Local policy for jabberd domains + # + +-allow jabberd_t self:capability dac_override; +-dontaudit jabberd_t self:capability sys_tty_config; +-allow jabberd_t self:process 
signal_perms; +-allow jabberd_t self:fifo_file read_fifo_file_perms; +-allow jabberd_t self:tcp_socket create_stream_socket_perms; +-allow jabberd_t self:udp_socket create_socket_perms; ++allow jabberd_domain self:process signal_perms; ++allow jabberd_domain self:fifo_file read_fifo_file_perms; ++allow jabberd_domain self:tcp_socket create_stream_socket_perms; ++allow jabberd_domain self:udp_socket create_socket_perms; ++ ++manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t) ++manage_dirs_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t) ++ ++# log and pid files are moved into /var/lib/jabberd in the newer version of jabberd ++manage_files_pattern(jabberd_domain, jabberd_log_t, jabberd_log_t) ++logging_log_filetrans(jabberd_domain, jabberd_log_t, { file dir }) + +-manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t) +-files_var_lib_filetrans(jabberd_t, jabberd_var_lib_t, file) ++manage_files_pattern(jabberd_domain, jabberd_var_run_t, jabberd_var_run_t) ++files_pid_filetrans(jabberd_domain, jabberd_var_run_t, file) + +-manage_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t) +-logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir }) ++corenet_all_recvfrom_unlabeled(jabberd_domain) ++corenet_all_recvfrom_netlabel(jabberd_domain) ++corenet_tcp_sendrecv_generic_if(jabberd_domain) ++corenet_udp_sendrecv_generic_if(jabberd_domain) ++corenet_tcp_sendrecv_generic_node(jabberd_domain) ++corenet_udp_sendrecv_generic_node(jabberd_domain) ++corenet_tcp_sendrecv_all_ports(jabberd_domain) ++corenet_udp_sendrecv_all_ports(jabberd_domain) ++corenet_tcp_bind_generic_node(jabberd_domain) ++ ++dev_read_urand(jabberd_domain) ++dev_read_urand(jabberd_domain) ++ ++files_read_etc_files(jabberd_domain) ++files_read_etc_runtime_files(jabberd_domain) ++ ++logging_send_syslog_msg(jabberd_domain) ++ ++miscfiles_read_localization(jabberd_domain) ++ ++sysnet_read_config(jabberd_domain) ++ ++###################################### ++# 
++# Local policy for jabberd-router ++# + +-manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t) +-files_pid_filetrans(jabberd_t, jabberd_var_run_t, file) ++allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms; ++ ++corenet_tcp_bind_jabber_router_port(jabberd_router_t) ++corenet_sendrecv_jabber_router_server_packets(jabberd_router_t) ++ ++optional_policy(` ++ kerberos_use(jabberd_router_t) ++') ++ ++######################################## ++# ++# Local policy for jabberd ++# ++ ++allow jabberd_t self:capability dac_override; ++dontaudit jabberd_t self:capability sys_tty_config; + + kernel_read_kernel_sysctls(jabberd_t) +-kernel_list_proc(jabberd_t) + kernel_read_proc_symlinks(jabberd_t) ++kernel_read_system_state(jabberd_t) + +-corenet_all_recvfrom_unlabeled(jabberd_t) +-corenet_all_recvfrom_netlabel(jabberd_t) +-corenet_tcp_sendrecv_generic_if(jabberd_t) +-corenet_udp_sendrecv_generic_if(jabberd_t) +-corenet_tcp_sendrecv_generic_node(jabberd_t) +-corenet_udp_sendrecv_generic_node(jabberd_t) +-corenet_tcp_sendrecv_all_ports(jabberd_t) +-corenet_udp_sendrecv_all_ports(jabberd_t) +-corenet_tcp_bind_generic_node(jabberd_t) ++corenet_tcp_connect_jabber_router_port(jabberd_t) + corenet_tcp_bind_jabber_client_port(jabberd_t) + corenet_tcp_bind_jabber_interserver_port(jabberd_t) + corenet_sendrecv_jabber_client_server_packets(jabberd_t) +@@ -67,18 +111,9 @@ + + domain_use_interactive_fds(jabberd_t) + +-files_read_etc_files(jabberd_t) +-files_read_etc_runtime_files(jabberd_t) +- + fs_getattr_all_fs(jabberd_t) + fs_search_auto_mountpoints(jabberd_t) + +-logging_send_syslog_msg(jabberd_t) +- +-miscfiles_read_localization(jabberd_t) +- +-sysnet_read_config(jabberd_t) +- + userdom_dontaudit_use_unpriv_user_fds(jabberd_t) + userdom_dontaudit_search_user_home_dirs(jabberd_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.7.19/policy/modules/services/kerberos.fc --- 
nsaserefpolicy/policy/modules/services/kerberos.fc 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/kerberos.fc 2010-07-23 13:43:56.367388499 +0200 @@ -28467,6 +28825,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzo userdom_dontaudit_search_user_home_dirs(pyzor_t) optional_policy(` +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qmail.te serefpolicy-3.7.19/policy/modules/services/qmail.te +--- nsaserefpolicy/policy/modules/services/qmail.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/qmail.te 2010-09-01 12:03:11.253344636 +0200 +@@ -125,6 +125,10 @@ + spamassassin_domtrans_client(qmail_local_t) + ') + ++optional_policy(` ++ uucp_domtrans(qmail_local_t) ++') ++ + ######################################## + # + # qmail-lspawn local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpidd.fc serefpolicy-3.7.19/policy/modules/services/qpidd.fc --- nsaserefpolicy/policy/modules/services/qpidd.fc 1970-01-01 01:00:00.000000000 +0100 +++ serefpolicy-3.7.19/policy/modules/services/qpidd.fc 2010-05-28 09:42:00.163610797 +0200 @@ -29330,7 +29702,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.if serefpolicy-3.7.19/policy/modules/services/rhcs.if --- nsaserefpolicy/policy/modules/services/rhcs.if 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/rhcs.if 2010-07-09 10:11:12.956385549 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/rhcs.if 2010-09-01 11:22:33.060333720 +0200 @@ -0,0 +1,439 @@ +## RHCS - Red Hat Cluster Suite + 
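Review bot: `permissive jabberd_t;` and `permissive jabberd_router_t;` in jabber.te put the entire jabberd policy into permissive mode, and for `jabberd_t` that removes enforcement a previously confined domain already had; if this is bring-up for the jabberd2 layout it should carry a tracking comment such as `# permissive while the jabberd2 policy stabilises, see <bug - placeholder>` and a plan to drop it. `dev_read_urand(jabberd_domain)` appears twice in the shared block; remove one. `jabber_tcp_connect` is deleted outright instead of being kept as the deprecated `refpolicywarn` stub it was, which breaks any out-of-tree module still calling it. The new `jabberd_read_lib_files`, `jabberd_dontaudit_read_lib_files` and `jabberd_manage_lib_files` interfaces use a `jabberd_` prefix while the module and its other interfaces use `jabber_`; rename them for consistency. The `@@ -1,17 +1,96 @@` and `@@ -22,40 +28,78 @@` inner hunks also replace 40-wide `#` comment boxes with 39- and 38-wide ones.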
@@ -29708,7 +30080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +# +interface(`rhcs_rw_cluster_semaphores',` + gen_require(` -+ type cluster_domain; ++ attribute cluster_domain; + ') + + allow $1 cluster_domain:sem { rw_sem_perms destroy }; @@ -33082,6 +33454,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm -/var/run/usbmuxd -s gen_context(system_u:object_r:usbmuxd_var_run_t,s0) +/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.if serefpolicy-3.7.19/policy/modules/services/uucp.if +--- nsaserefpolicy/policy/modules/services/uucp.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/uucp.if 2010-09-01 12:03:39.662084414 +0200 +@@ -1,5 +1,24 @@ + ## Unix to Unix Copy + ++####################################### ++## ++## Execute the uucico program in the ++## uucpd_t domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`uucp_domtrans',` ++ gen_require(` ++ type uucpd_t, uucpd_exec_t; ++ ') ++ ++ domtrans_pattern($1, uucpd_exec_t, uucpd_t) ++') ++ + ######################################## + ## + ## Allow the specified domain to append diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.7.19/policy/modules/services/uucp.te --- nsaserefpolicy/policy/modules/services/uucp.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/uucp.te 2010-08-04 15:04:00.352085562 +0200 
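Review bot: The new `uucp_domtrans` summary says it runs `uucico` in `uucpd_t`, but the rule transitions on `uucpd_exec_t`; unless uucp.fc labels uucico as `uucpd_exec_t` (not visible here) the description and the rule disagree, so either confirm that or reword to `## Execute uucpd_exec_t programs in the uucpd_t domain.`. Its comment box is 39 `#` wide against the file's 40, as the `########################################` of the following interface shows.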
@@ -37145,13 +37545,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump. dev_read_sysfs(kdump_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.19/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/libraries.fc 2010-08-30 10:11:52.522085110 +0200 -@@ -127,17 +127,21 @@ ++++ serefpolicy-3.7.19/policy/modules/system/libraries.fc 2010-09-01 11:39:53.971335059 +0200 +@@ -127,17 +127,22 @@ /usr/lib64/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/vlc/plugins/mmx/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/vlc/plugins/codec//mmx/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/vlc/codec/plugins/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
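Review bot: The added file context `/usr/lib/vlc/plugins/codec//mmx/libi420_rgb_mmx_plugin\.so` has a doubled slash; file_contexts regexes are matched against normalized paths, so this entry can never match and the plugin keeps its directory's default label rather than textrel_shlib_t (assuming the `//` is in the patch itself and not an artifact of how this page was rendered). It should read `/usr/lib/vlc/plugins/codec/mmx/libi420_rgb_mmx_plugin\.so`. The neighbouring librealvideo entry in the same hunk was widened to `/usr/lib(64)?/`; the new path presumably wants the same so the multilib copy is covered.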
@@ -37172,7 +37573,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -151,6 +155,7 @@ +@@ -151,6 +156,7 @@ /usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -37180,7 +37581,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -208,6 +213,7 @@ +@@ -208,6 +214,7 @@ /usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -37188,7 +37589,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -302,13 +308,8 @@ +@@ -302,13 +309,8 @@ /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -37204,7 +37605,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar ') dnl end distro_redhat # -@@ -319,14 +320,153 @@ +@@ -319,14 +321,153 @@ /var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) diff --git a/selinux-policy.spec b/selinux-policy.spec index 528de8e..7a93695 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 52%{?dist} +Release: 53%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,10 @@ exit 0 %endif %changelog +* Wed Sep 1 2010 Miroslav Grepl 3.7.19-53 +- Fixes for jabberd policy +- Fixes for sandbox policy + * Mon Aug 30 2010 Miroslav Grepl 3.7.19-52 - Fix label for /bin/mountpoint - Allow fsadm to read virt blk image files