From a838d3f5db9786b818f6d8cc87841946d1072646 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Feb 29 2008 22:13:08 +0000 Subject: - Change httpd_$1_script_r*_t to httpd_$1_content_r*_t --- diff --git a/policy-20071130.patch b/policy-20071130.patch index 6f38bc8..27d8d1a 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch 
@@ -736,6 +736,38 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.3.1/M endef # create-base-per-role-tmpl modulenames,outputfile +diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.3.1/man/man8/httpd_selinux.8 +--- nsaserefpolicy/man/man8/httpd_selinux.8 2008-02-18 14:30:19.000000000 -0500 ++++ serefpolicy-3.3.1/man/man8/httpd_selinux.8 2008-02-29 09:31:45.000000000 -0500 +@@ -22,23 +22,19 @@ + .EX + httpd_sys_content_t + .EE +-- Set files with httpd_sys_content_t for content which is available from all httpd scripts and the daemon. ++- Set files with httpd_sys_content_t for content which is available from all httpd sys scripts and the daemon. + .EX + httpd_sys_script_exec_t + .EE + - Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types. + .EX +-httpd_sys_script_ro_t ++httpd_sys_content_rw_t + .EE +-- Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t scripts to read the data, and disallow other non sys scripts from access. ++- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts to read/write the data, and disallow other non sys scripts from access. + .EX +-httpd_sys_script_rw_t ++httpd_sys_content_ra_t + .EE +-- Set files with httpd_sys_script_rw_t if you want httpd_sys_script_exec_t scripts to read/write the data, and disallow other non sys scripts from access. +-.EX +-httpd_sys_script_ra_t +-.EE +-- Set files with httpd_sys_script_ra_t if you want httpd_sys_script_exec_t scripts to read/append to the file, and disallow other non sys scripts from access. ++- Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts to read/append to the file, and disallow other non sys scripts from access. 
+ .EX + httpd_unconfined_script_exec_t + .EE diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.3.1/policy/flask/access_vectors --- nsaserefpolicy/policy/flask/access_vectors 2008-02-15 09:52:54.000000000 -0500 +++ serefpolicy-3.3.1/policy/flask/access_vectors 2008-02-26 08:29:22.000000000 -0500 @@ -3222,7 +3254,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc s +/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.3.1/policy/modules/apps/gpg.if --- nsaserefpolicy/policy/modules/apps/gpg.if 2007-07-23 10:20:12.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/apps/gpg.if 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/apps/gpg.if 2008-02-29 17:00:38.000000000 -0500 @@ -38,6 +38,10 @@ gen_require(` type gpg_exec_t, gpg_helper_exec_t; @@ -3234,7 +3266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s ') ######################################## -@@ -45,275 +49,56 @@ +@@ -45,275 +49,59 @@ # Declarations # @@ -3302,17 +3334,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s - - dev_read_rand($1_gpg_t) - dev_read_urand($1_gpg_t) -+ typealias gpg_agent_t alias $1_gpg_agent_t; -+ role $3 types gpg_agent_t; - +- - fs_getattr_xattr_fs($1_gpg_t) -+ typealias gpg_helper_t alias $1_gpg_helper_t; -+ role $3 types gpg_helper_t; - +- - domain_use_interactive_fds($1_gpg_t) -+ typealias gpg_pinentry_t alias $1_gpg_pinentry_t; -+ role $3 types gpg_pinentry_t; - +- - files_read_etc_files($1_gpg_t) - files_read_usr_files($1_gpg_t) - files_dontaudit_search_var($1_gpg_t) 
@@ -3327,14 +3353,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s - sysnet_read_config($1_gpg_t) - - userdom_use_user_terminals($1,$1_gpg_t) -- ++ typealias gpg_agent_t alias $1_gpg_agent_t; ++ role $3 types gpg_agent_t; + - optional_policy(` - nis_use_ypbind($1_gpg_t) -+ ifelse(`$1',`user',`',` -+ typealias user_gpg_agent_tmp_t alias $1_gpg_agent_tmp_t; -+ typealias user_gpg_secret_t alias $1_gpg_secret_t; - ') - +- ') +- - ifdef(`TODO',` - # Read content to encrypt/decrypt/sign - read_content($1_gpg_t, $1) @@ -3359,9 +3384,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s - # communicate with the user - allow $1_gpg_helper_t $2:fd use; - allow $1_gpg_helper_t $2:fifo_file write; -- ++ typealias gpg_helper_t alias $1_gpg_helper_t; ++ role $3 types gpg_helper_t; + - dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read; -- ++ typealias gpg_pinentry_t alias $1_gpg_pinentry_t; ++ role $3 types gpg_pinentry_t; + - corenet_all_recvfrom_unlabeled($1_gpg_helper_t) - corenet_all_recvfrom_netlabel($1_gpg_helper_t) - corenet_tcp_sendrecv_all_if($1_gpg_helper_t) @@ -3393,8 +3422,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s - - tunable_policy(`use_samba_home_dirs',` - fs_dontaudit_rw_cifs_files($1_gpg_helper_t) -- ') -- ++ ifelse(`$1',`user',`',` ++ typealias user_gpg_agent_tmp_t alias $1_gpg_agent_tmp_t; ++ typealias user_gpg_secret_t alias $1_gpg_secret_t; + ') + - optional_policy(` - xserver_use_xdm_fds($1_gpg_t) - xserver_rw_xdm_pipes($1_gpg_t) 
@@ -3404,25 +3436,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s - # - # GPG agent local policy - # -- -- # rlimit: gpg-agent wants to prevent coredumps -- allow $1_gpg_agent_t self:process setrlimit; + # transition from the userdomain to the derived domain + domtrans_pattern($2,gpg_exec_t,gpg_t) -- allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms ; -- allow $1_gpg_agent_t self:fifo_file rw_fifo_file_perms; +- # rlimit: gpg-agent wants to prevent coredumps +- allow $1_gpg_agent_t self:process setrlimit; + # Transition from the user domain to the derived domain. + domtrans_pattern($2, gpg_agent_exec_t, $1_gpg_agent_t) +- allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms ; +- allow $1_gpg_agent_t self:fifo_file rw_fifo_file_perms; ++ allow $2 gpg_t:process signal_perms; + - # read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d ) - manage_dirs_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t) - manage_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t) - manage_lnk_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t) -+ allow $2 gpg_t:process signal_perms; + # Thunderbird leaks descriptors + dontaudit gpg_t $2:tcp_socket rw_socket_perms; + dontaudit gpg_t $2:udp_socket rw_socket_perms; ++ dontaudit gpg_helper_t $2:tcp_socket rw_socket_perms; ++ dontaudit gpg_helper_t $2:udp_socket rw_socket_perms; - # allow gpg to connect to the gpg agent - stream_connect_pattern($1_gpg_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t,$1_gpg_agent_t) 
@@ -6744,7 +6778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device type lvm_control_t; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.3.1/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2007-12-19 05:32:07.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/kernel/domain.te 2008-02-28 13:12:42.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/kernel/domain.te 2008-02-29 13:18:04.000000000 -0500 @@ -5,6 +5,13 @@ # # Declarations @@ -6943,7 +6977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # etc_runtime_t is the type of various diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.3.1/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-10-24 15:00:24.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.if 2008-02-26 16:54:33.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.if 2008-02-29 09:10:51.000000000 -0500 @@ -310,6 +310,25 @@ ######################################## @@ -7590,7 +7624,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav # amavis local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.3.1/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2007-10-12 08:56:07.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/apache.fc 2008-02-27 13:12:43.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/apache.fc 2008-02-29 09:34:05.000000000 -0500 @@ -1,4 +1,4 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0) +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) 
@@ -7617,7 +7651,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) -+/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0) ++/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) @@ -7625,7 +7659,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac /var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0) /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -@@ -71,5 +73,16 @@ +@@ -66,10 +68,21 @@ + /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) + /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) + +-/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0) ++/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) + /var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0) /var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) 
@@ -7636,16 +7676,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +#Bugzilla file context +/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0) +/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0) -+/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_script_rw_t,s0) ++/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_content_rw_t,s0) +#viewvc file context -+/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t, s0) ++/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t, s0) +/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) + +/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.3.1/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2007-10-23 17:17:42.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/apache.if 2008-02-27 17:47:47.000000000 -0500 -@@ -18,10 +18,6 @@ ++++ serefpolicy-3.3.1/policy/modules/services/apache.if 2008-02-29 14:20:00.000000000 -0500 +@@ -13,21 +13,16 @@ + # + template(`apache_content_template',` + gen_require(` +- attribute httpdcontent; + attribute httpd_exec_scripts; attribute httpd_script_exec_type; type httpd_t, httpd_suexec_t, httpd_log_t; ') 
@@ -7654,28 +7699,92 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac - gen_tunable(allow_httpd_$1_script_anon_write,false) - #This type is for webpages - type httpd_$1_content_t, httpdcontent; # customizable +- type httpd_$1_content_t, httpdcontent; # customizable ++ type httpd_$1_content_t; files_type(httpd_$1_content_t) -@@ -71,7 +67,7 @@ + + # This type is used for .htaccess files +- type httpd_$1_htaccess_t; # customizable; ++ type httpd_$1_htaccess_t; + files_type(httpd_$1_htaccess_t) + + # Type that CGI scripts run as +@@ -42,20 +37,22 @@ + + # The following three are the only areas that + # scripts can read, read/write, or append to +- type httpd_$1_script_ro_t, httpdcontent; # customizable +- files_type(httpd_$1_script_ro_t) ++ typealias httpd_$1_content_t alias httpd_$1_script_ro_t; + +- type httpd_$1_script_rw_t, httpdcontent; # customizable +- files_type(httpd_$1_script_rw_t) ++ type httpd_$1_content_rw_t; ++ files_type(httpd_$1_content_rw_t) ++ typealias httpd_$1_content_rw_t alias httpd_$1_script_rw_t; + +- type httpd_$1_script_ra_t, httpdcontent; # customizable +- files_type(httpd_$1_script_ra_t) ++ type httpd_$1_content_ra_t; ++ files_type(httpd_$1_content_ra_t) ++ typealias httpd_$1_content_ra_t alias httpd_$1_script_ra_t; + +- allow httpd_t httpd_$1_htaccess_t:file read_file_perms; ++ read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t) + + domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t) + +- allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir search_dir_perms; ++ allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_rw_t httpd_$1_script_exec_t }:dir search_dir_perms; ++ allow httpd_t { httpd_$1_content_t httpd_$1_content_rw_t httpd_$1_script_exec_t }:dir search_dir_perms; + + allow httpd_$1_script_t self:fifo_file rw_file_perms; + allow httpd_$1_script_t self:unix_stream_socket connectto; +@@ -65,29 
+62,26 @@ + dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write }; + + # Allow the script process to search the cgi directory, and users directory +- allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms; ++ allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms; ++ read_files_pattern(httpd_$1_script_t,httpd_$1_content_t,httpd_$1_content_t) ++ read_lnk_files_pattern(httpd_$1_script_t,httpd_$1_content_t,httpd_$1_content_t) + + append_files_pattern(httpd_$1_script_t,httpd_log_t,httpd_log_t) logging_search_logs(httpd_$1_script_t) can_exec(httpd_$1_script_t, httpd_$1_script_exec_t) - allow httpd_$1_script_t httpd_$1_script_exec_t:dir search_dir_perms; + allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms; - allow httpd_$1_script_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms }; - read_files_pattern(httpd_$1_script_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t) -@@ -87,7 +83,8 @@ - manage_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) - manage_fifo_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) - manage_sock_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) +- allow httpd_$1_script_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms }; +- read_files_pattern(httpd_$1_script_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t) +- append_files_pattern(httpd_$1_script_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t) +- read_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t) +- +- allow httpd_$1_script_t httpd_$1_script_ro_t:dir list_dir_perms; +- read_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t) +- read_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t) +- +- manage_dirs_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) +- manage_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) +- 
manage_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) +- manage_fifo_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) +- manage_sock_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) - files_tmp_filetrans(httpd_$1_script_t,httpd_$1_script_rw_t,{ dir file lnk_file sock_file fifo_file }) -+ read_files_pattern(httpd_$1_script_t, httpdcontent, httpd_$1_content_t) -+ read_lnk_files_pattern(httpd_$1_script_t, httpdcontent, httpd_$1_content_t) ++ allow httpd_$1_script_t httpd_$1_content_ra_t:dir { list_dir_perms add_entry_dir_perms }; ++ read_files_pattern(httpd_$1_script_t,httpd_$1_content_ra_t,httpd_$1_content_ra_t) ++ append_files_pattern(httpd_$1_script_t,httpd_$1_content_ra_t,httpd_$1_content_ra_t) ++ read_lnk_files_pattern(httpd_$1_script_t,httpd_$1_content_ra_t,httpd_$1_content_ra_t) ++ ++ manage_dirs_pattern(httpd_$1_script_t,httpd_$1_content_rw_t,httpd_$1_content_rw_t) ++ manage_files_pattern(httpd_$1_script_t,httpd_$1_content_rw_t,httpd_$1_content_rw_t) ++ manage_lnk_files_pattern(httpd_$1_script_t,httpd_$1_content_rw_t,httpd_$1_content_rw_t) ++ manage_fifo_files_pattern(httpd_$1_script_t,httpd_$1_content_rw_t,httpd_$1_content_rw_t) ++ manage_sock_files_pattern(httpd_$1_script_t,httpd_$1_content_rw_t,httpd_$1_content_rw_t) kernel_dontaudit_search_sysctl(httpd_$1_script_t) kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t) -@@ -96,6 +93,7 @@ +@@ -96,6 +90,7 @@ dev_read_urand(httpd_$1_script_t) corecmd_exec_all_executables(httpd_$1_script_t) 
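Review bot: The apache_content_template declarations at the top of the @@ -7654 hunk now read `type httpd_$1_content_t;`, `type httpd_$1_content_rw_t;` and `type httpd_$1_content_ra_t;` with the `httpdcontent` attribute removed, but nothing in the template says who is expected to add it; only apache.te (the @@ -8193 hunk) re-adds it, and only for the `sys` instantiation. Every other instantiation therefore drops out of any rule written against `httpdcontent` (the httpd_unified rules in apache.te, apache_manage_all_user_content), which looks intended but is easy to regress the next time a role is added. I would put a comment above the three declarations: `# httpdcontent is deliberately NOT assigned here; the caller (apache.te for sys) adds it so httpd_unified rules stay limited to system content.` The template body continues past the end of this hunk.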
@@ -7683,18 +7792,55 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_exec_etc_files(httpd_$1_script_t) files_read_etc_files(httpd_$1_script_t) -@@ -120,10 +118,6 @@ - can_exec(httpd_$1_script_t, httpdcontent) - ') +@@ -111,34 +106,21 @@ + + seutil_dontaudit_search_config(httpd_$1_script_t) +- tunable_policy(`httpd_enable_cgi && httpd_unified',` +- allow httpd_$1_script_t httpdcontent:file entrypoint; +- +- manage_dirs_pattern(httpd_$1_script_t,httpdcontent,httpdcontent) +- manage_files_pattern(httpd_$1_script_t,httpdcontent,httpdcontent) +- manage_lnk_files_pattern(httpd_$1_script_t,httpdcontent,httpdcontent) +- can_exec(httpd_$1_script_t, httpdcontent) +- ') +- - tunable_policy(`allow_httpd_$1_script_anon_write',` - miscfiles_manage_public_files(httpd_$1_script_t) - ') - # Allow the web server to run scripts and serve pages tunable_policy(`httpd_builtin_scripting',` - manage_dirs_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) -@@ -177,48 +171,6 @@ +- manage_dirs_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) +- manage_files_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) +- manage_lnk_files_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) +- rw_sock_files_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t) +- +- allow httpd_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms }; +- read_files_pattern(httpd_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t) +- append_files_pattern(httpd_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t) +- read_lnk_files_pattern(httpd_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t) +- +- allow httpd_t httpd_$1_script_ro_t:dir list_dir_perms; +- read_files_pattern(httpd_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t) +- read_lnk_files_pattern(httpd_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t) ++ manage_dirs_pattern(httpd_t,httpd_$1_content_rw_t,httpd_$1_content_rw_t) ++ manage_files_pattern(httpd_t,httpd_$1_content_rw_t,httpd_$1_content_rw_t) ++ 
manage_lnk_files_pattern(httpd_t,httpd_$1_content_rw_t,httpd_$1_content_rw_t) ++ rw_sock_files_pattern(httpd_t,httpd_$1_content_rw_t,httpd_$1_content_rw_t) ++ ++ allow httpd_t httpd_$1_content_ra_t:dir { list_dir_perms add_entry_dir_perms }; ++ read_files_pattern(httpd_t,httpd_$1_content_ra_t,httpd_$1_content_ra_t) ++ append_files_pattern(httpd_t,httpd_$1_content_ra_t,httpd_$1_content_ra_t) ++ read_lnk_files_pattern(httpd_t,httpd_$1_content_ra_t,httpd_$1_content_ra_t) ++ ++ allow httpd_t httpd_$1_content_t:dir list_dir_perms; ++ read_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t) ++ read_lnk_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t) + + allow httpd_t httpd_$1_content_t:dir list_dir_perms; + read_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t) +@@ -177,48 +159,6 @@ miscfiles_read_localization(httpd_$1_script_t) ') @@ -7743,7 +7889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac optional_policy(` tunable_policy(`httpd_enable_cgi && allow_ypbind',` nis_use_ypbind_uncond(httpd_$1_script_t) -@@ -265,72 +217,79 @@ +@@ -265,72 +205,77 @@ template(`apache_per_role_template', ` gen_require(` attribute httpdcontent, httpd_script_domains; 
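Review bot: The last three lines added inside `tunable_policy(`httpd_builtin_scripting'` in the @@ -7683 hunk — `allow httpd_t httpd_$1_content_t:dir list_dir_perms;` plus the `read_files_pattern`/`read_lnk_files_pattern` calls on `httpd_$1_content_t` — are immediately followed by three byte-identical context lines, so the new copy grants nothing. They were evidently meant to replace the removed `httpd_$1_script_ro_t` rules, but since `httpd_$1_script_ro_t` is now only a typealias of `httpd_$1_content_t` (previous hunk), the pre-existing rules already cover it; drop the duplicated block. The enclosing tunable_policy block closes outside this hunk.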
@@ -7754,19 +7900,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + type httpd_t, httpd_suexec_t, httpd_log_t, httpd_sys_script_t; + type httpd_user_content_t; + type httpd_user_script_t; -+ type httpd_user_script_ra_t; -+ type httpd_user_script_rw_t; -+ type httpd_user_script_ro_t; ++ type httpd_user_content_ra_t; ++ type httpd_user_content_rw_t; ++ type httpd_user_content_t; + type httpd_user_script_exec_t; + type httpd_user_htaccess_t; + ') + + + ifelse(`$1',`user',`',` -+ typealias httpd_user_content_t alias httpd_$1_content_t; -+ typealias httpd_user_script_ra_t alias httpd_$1_script_ra_t; -+ typealias httpd_user_script_rw_t alias httpd_$1_script_rw_t; -+ typealias httpd_user_script_ro_t alias httpd_$1_script_ro_t; ++ typealias httpd_user_content_t alias httpd_$1_script_t; ++ typealias httpd_user_content_ra_t alias httpd_$1_script_ra_t; ++ typealias httpd_user_content_rw_t alias httpd_$1_script_rw_t; ++ typealias httpd_user_content_t alias httpd_$1_script_ro_t; + typealias httpd_user_script_exec_t alias httpd_$1_script_exec_t; + typealias httpd_user_htaccess_t alias httpd_$1_htaccess_t; ') 
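Review bot: In apache_per_role_template (hunk @@ -7754) the first alias line changed from `typealias httpd_user_content_t alias httpd_$1_content_t;` to `typealias httpd_user_content_t alias httpd_$1_script_t;`, which looks like a search-and-replace accident rather than the intended rename: for non-user roles `httpd_$1_content_t` no longer exists unless something else still provides it, while `httpd_$1_script_t`, conventionally the name of the script process domain, now names a file type. Restore `typealias httpd_user_content_t alias httpd_$1_content_t;`. The gen_require in the same hunk now lists `type httpd_user_content_t;` twice (the second replaced `httpd_user_script_ro_t`); the duplicate can go. The template body continues past this hunk.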
@@ -7821,26 +7967,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + + allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom }; + -+ manage_dirs_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t) -+ manage_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t) -+ manage_lnk_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t) -+ relabel_dirs_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t) -+ relabel_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t) -+ relabel_lnk_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t) -+ -+ manage_dirs_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t) -+ manage_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t) -+ manage_lnk_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t) -+ relabel_dirs_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t) -+ relabel_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t) -+ relabel_lnk_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t) -+ -+ manage_dirs_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t) -+ manage_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t) -+ manage_lnk_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t) -+ relabel_dirs_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t) -+ relabel_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t) -+ relabel_lnk_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t) ++ manage_dirs_pattern($2,httpd_user_content_ra_t,httpd_user_content_ra_t) ++ manage_files_pattern($2,httpd_user_content_ra_t,httpd_user_content_ra_t) ++ manage_lnk_files_pattern($2,httpd_user_content_ra_t,httpd_user_content_ra_t) ++ relabel_dirs_pattern($2,httpd_user_content_ra_t,httpd_user_content_ra_t) ++ relabel_files_pattern($2,httpd_user_content_ra_t,httpd_user_content_ra_t) ++ 
relabel_lnk_files_pattern($2,httpd_user_content_ra_t,httpd_user_content_ra_t) ++ ++ manage_dirs_pattern($2,httpd_user_content_t,httpd_user_content_t) ++ manage_files_pattern($2,httpd_user_content_t,httpd_user_content_t) ++ manage_lnk_files_pattern($2,httpd_user_content_t,httpd_user_content_t) ++ relabel_dirs_pattern($2,httpd_user_content_t,httpd_user_content_t) ++ relabel_files_pattern($2,httpd_user_content_t,httpd_user_content_t) ++ relabel_lnk_files_pattern($2,httpd_user_content_t,httpd_user_content_t) ++ ++ manage_dirs_pattern($2,httpd_user_content_rw_t,httpd_user_content_rw_t) ++ manage_files_pattern($2,httpd_user_content_rw_t,httpd_user_content_rw_t) ++ manage_lnk_files_pattern($2,httpd_user_content_rw_t,httpd_user_content_rw_t) ++ relabel_dirs_pattern($2,httpd_user_content_rw_t,httpd_user_content_rw_t) ++ relabel_files_pattern($2,httpd_user_content_rw_t,httpd_user_content_rw_t) ++ relabel_lnk_files_pattern($2,httpd_user_content_rw_t,httpd_user_content_rw_t) + + manage_dirs_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t) + manage_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t) @@ -7857,10 +8003,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified',` - allow httpd_$1_script_t httpdcontent:file entrypoint; -+ allow httpd_user_script_t httpdcontent:file entrypoint; - +- - domtrans_pattern($2, httpdcontent, httpd_$1_script_t) -+ domtrans_pattern($2, httpdcontent, httpd_user_script_t) ++ can_exec(httpd_user_script_t, httpd_user_content_t) ') # allow accessing files/dirs below the users home dir @@ -7875,7 +8020,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ') -@@ -352,12 +311,11 @@ +@@ -352,12 +297,11 @@ # template(`apache_read_user_scripts',` gen_require(` 
@@ -7892,7 +8037,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -378,12 +336,12 @@ +@@ -378,12 +322,12 @@ # template(`apache_read_user_content',` gen_require(` @@ -7909,7 +8054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -761,6 +719,7 @@ +@@ -761,6 +705,7 @@ ') allow $1 httpd_modules_t:dir list_dir_perms; @@ -7917,18 +8062,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -845,6 +804,10 @@ +@@ -841,12 +786,16 @@ + # sysadm_t to run scripts + interface(`apache_domtrans_sys_script',` + gen_require(` +- attribute httpdcontent; type httpd_sys_script_t; - ') - -+ tunable_policy(`httpd_enable_cgi',` -+ domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t) ++ type httpd_sys_content_t; + ') + ++ tunable_policy(`httpd_enable_cgi',` ++ domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t) + ') + tunable_policy(`httpd_enable_cgi && httpd_unified',` - domtrans_pattern($1, httpdcontent, httpd_sys_script_t) +- domtrans_pattern($1, httpdcontent, httpd_sys_script_t) ++ domtrans_pattern($1, httpd_sys_content_t, httpd_sys_script_t) ') -@@ -932,7 +895,7 @@ + ') + +@@ -932,7 +881,7 @@ type httpd_squirrelmail_t; ') @@ -7937,7 +8090,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -1023,16 +986,16 @@ +@@ -1023,16 +972,16 @@ # interface(`apache_manage_all_user_content',` gen_require(` @@ -7961,7 +8114,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -1088,3 +1051,133 @@ +@@ -1088,3 +1037,133 @@ allow httpd_t $1:process signal; ') 
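Review bot: In apache_domtrans_sys_script (hunk @@ -7917) the new `tunable_policy(`httpd_enable_cgi', domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t))` references `httpd_sys_script_exec_t`, but the interface's gen_require, fully visible in the hunk, only lists `type httpd_sys_script_t;` and the newly added `type httpd_sys_content_t;`. When the interface is expanded in another module that does not already require that type, the build should fail on the undeclared name; add `type httpd_sys_script_exec_t;` to the gen_require. The unified-mode block below it, `domtrans_pattern($1, httpd_sys_content_t, httpd_sys_script_t)`, makes every file of the content type a transition entrypoint for the caller, matching the sys rules in apache.te; a one-line comment saying so next to it would help.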
@@ -8097,7 +8250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-02-28 16:49:32.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-02-29 13:36:51.000000000 -0500 @@ -20,6 +20,8 @@ # Declarations # @@ -8193,7 +8346,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac # httpd_modules_t is the type given to module files (libraries) # that come with Apache /etc/httpd/modules and /usr/lib/apache type httpd_modules_t; -@@ -202,12 +233,16 @@ +@@ -180,6 +211,9 @@ + + # setup the system domain for system CGI scripts + apache_content_template(sys) ++typeattribute httpd_sys_content_t httpdcontent; # customizable ++typeattribute httpd_sys_content_rw_t httpdcontent; # customizable ++typeattribute httpd_sys_content_ra_t httpdcontent; # customizable + + type httpd_tmp_t; + files_tmp_file(httpd_tmp_t) +@@ -202,12 +236,16 @@ prelink_object_file(httpd_modules_t) ') @@ -8211,7 +8374,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac dontaudit httpd_t self:capability { net_admin sys_tty_config }; allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; -@@ -249,6 +284,7 @@ +@@ -249,6 +287,7 @@ allow httpd_t httpd_modules_t:dir list_dir_perms; mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t) read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t) 
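Review bot: The `# customizable` tags in the @@ -8193 hunk of apache.te now sit on `typeattribute httpd_sys_content_t httpdcontent; # customizable` lines, while the @@ -7654 hunk removed them from the `type httpd_$1_content_t` declarations in the template. If the build derives the customizable_types list by scanning `type` declarations for that tag, as I believe refpolicy's build does, these three types silently fall out of the list and a relabel will start resetting admin-labelled web content; please confirm, and if so keep the tag on the `type` lines or list the types explicitly. A short comment next to the typeattribute lines noting that `httpd_sys_content_rw_t`/`httpd_sys_content_ra_t` membership in `httpdcontent` is what the `manage_*_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t)` rules later in the file rely on would also help the next reader.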
@@ -8219,7 +8382,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac apache_domtrans_rotatelogs(httpd_t) # Apache-httpd needs to be able to send signals to the log rotate procs. -@@ -289,6 +325,7 @@ +@@ -289,6 +328,7 @@ kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -8227,7 +8390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -315,9 +352,7 @@ +@@ -315,9 +355,7 @@ auth_use_nsswitch(httpd_t) @@ -8238,18 +8401,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac domain_use_interactive_fds(httpd_t) -@@ -335,6 +370,10 @@ +@@ -335,6 +373,10 @@ files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) +# php uploads a file to /tmp and then execs programs to acton them +manage_dirs_pattern(httpd_sys_script_t,httpd_tmp_t,httpd_tmp_t) +manage_files_pattern(httpd_sys_script_t,httpd_tmp_t,httpd_tmp_t) -+files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file }) ++files_tmp_filetrans(httpd_sys_script_t,httpd_sys_content_rw_t,{ dir file lnk_file sock_file fifo_file }) libs_use_ld_so(httpd_t) libs_use_shared_libs(httpd_t) -@@ -351,25 +390,38 @@ +@@ -351,25 +393,38 @@ userdom_use_unpriv_users_fds(httpd_t) 
@@ -8293,18 +8456,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_can_network_relay',` # allow httpd to work as a relay corenet_tcp_connect_gopher_port(httpd_t) -@@ -382,6 +434,10 @@ +@@ -382,12 +437,22 @@ corenet_sendrecv_http_cache_client_packets(httpd_t) ') +-tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` +- domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) ++tunable_policy(`httpd_enable_cgi && httpd_unified',` ++ allow httpd_sys_script_t httpd_sys_content_t:file entrypoint; ++ filetrans_pattern(httpd_sys_script_t,httpd_sys_content_t,httpd_sys_content_rw_t, { file dir lnk_file }) ++ can_exec(httpd_sys_script_t, httpd_sys_content_t) ++') ++ +tunable_policy(`allow_httpd_sys_script_anon_write',` + miscfiles_manage_public_files(httpd_sys_script_t) +') -+ - tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` - domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) -@@ -399,11 +455,21 @@ +- manage_dirs_pattern(httpd_t,httpdcontent,httpdcontent) +- manage_files_pattern(httpd_t,httpdcontent,httpdcontent) +- manage_lnk_files_pattern(httpd_t,httpdcontent,httpdcontent) ++tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` ++ domtrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_script_t) ++ filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file }) ++ manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t) ++ manage_files_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t) ++ manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t) + ') + + tunable_policy(`httpd_enable_ftp_server',` +@@ -399,11 +464,21 @@ fs_read_nfs_symlinks(httpd_t) ') 
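Review bot: The new `httpd_enable_cgi && httpd_unified` block in the @@ -8293 hunk pairs `can_exec(httpd_sys_script_t, httpd_sys_content_t)` with `filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file })`; if `filetrans_pattern` expands to rw_dir_perms on the parent directory (as in refpolicy's misc_patterns), sys scripts gain add/remove-entry on `httpd_sys_content_t` directories under unified mode, with new objects landing as `httpd_sys_content_rw_t`, which is not in the can_exec rule. That is a sensible write-xor-execute split compared with the `manage_*_pattern(..., httpdcontent, httpdcontent)` rules this commit removes, but the intent is invisible to the next reader; please add `# objects scripts create in content dirs become _rw_t, which is never can_exec'able` above the filetrans, and the same note above the `httpd_t` filetrans in the `httpd_unified && httpd_builtin_scripting` block. `allow_httpd_sys_script_anon_write` is used here but its gen_tunable is not visible in this diff now that the template no longer declares it; confirm it is declared in apache.te.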
@@ -8326,7 +8506,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -437,8 +503,14 @@ +@@ -437,8 +512,14 @@ ') optional_policy(` @@ -8342,7 +8522,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -450,19 +522,13 @@ +@@ -450,19 +531,13 @@ ') optional_policy(` @@ -8363,7 +8543,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -472,13 +538,14 @@ +@@ -472,13 +547,14 @@ openca_kill(httpd_t) ') @@ -8382,7 +8562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') optional_policy(` -@@ -486,6 +553,7 @@ +@@ -486,6 +562,7 @@ ') optional_policy(` @@ -8390,7 +8570,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -521,6 +589,19 @@ +@@ -521,6 +598,19 @@ userdom_use_sysadm_terms(httpd_helper_t) ') @@ -8410,7 +8590,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache PHP script local policy -@@ -550,18 +631,24 @@ +@@ -550,18 +640,24 @@ fs_search_auto_mountpoints(httpd_php_t) @@ -8438,7 +8618,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -585,6 +672,8 @@ +@@ -585,6 +681,8 @@ manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) 
@@ -8447,7 +8627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac kernel_read_kernel_sysctls(httpd_suexec_t) kernel_list_proc(httpd_suexec_t) kernel_read_proc_symlinks(httpd_suexec_t) -@@ -593,9 +682,7 @@ +@@ -593,9 +691,7 @@ fs_search_auto_mountpoints(httpd_suexec_t) @@ -8458,7 +8638,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -628,6 +715,7 @@ +@@ -628,6 +724,7 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -8466,7 +8646,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_cgi && httpd_unified',` domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t) ') -@@ -638,6 +726,12 @@ +@@ -638,6 +735,12 @@ fs_exec_nfs_files(httpd_suexec_t) ') @@ -8479,7 +8659,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_suexec_t) fs_read_cifs_symlinks(httpd_suexec_t) -@@ -655,10 +749,6 @@ +@@ -655,10 +758,6 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -8490,7 +8670,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## # # Apache system script local policy -@@ -668,7 +758,8 @@ +@@ -668,7 +767,8 @@ dontaudit httpd_sys_script_t httpd_config_t:dir search; @@ -8500,7 +8680,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t) -@@ -682,15 +773,44 @@ +@@ -682,15 +782,44 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) 
@@ -8546,7 +8726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -700,9 +820,15 @@ +@@ -700,9 +829,15 @@ clamav_domtrans_clamscan(httpd_sys_script_t) ') @@ -8562,7 +8742,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -724,3 +850,46 @@ +@@ -724,3 +859,46 @@ logging_search_logs(httpd_rotatelogs_t) miscfiles_read_localization(httpd_rotatelogs_t) @@ -9951,7 +10131,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.3.1/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/clamav.te 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/clamav.te 2008-02-29 09:36:56.000000000 -0500 @@ -48,6 +48,9 @@ type freshclam_var_log_t; logging_log_file(freshclam_var_log_t) @@ -9962,15 +10142,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam ######################################## # # clamd local policy -@@ -87,6 +90,7 @@ +@@ -87,6 +90,9 @@ kernel_dontaudit_list_proc(clamd_t) kernel_read_sysctl(clamd_t) kernel_read_kernel_sysctls(clamd_t) +kernel_read_system_state(clamd_t) ++ ++corecmd_search_bin(clamd_t) corenet_all_recvfrom_unlabeled(clamd_t) corenet_all_recvfrom_netlabel(clamd_t) -@@ -120,6 +124,8 @@ +@@ -120,6 +126,8 @@ cron_use_system_job_fds(clamd_t) cron_rw_pipes(clamd_t) 
@@ -9979,7 +10161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam optional_policy(` amavis_read_lib_files(clamd_t) amavis_read_spool_files(clamd_t) -@@ -127,6 +133,10 @@ +@@ -127,6 +135,10 @@ amavis_create_pid_files(clamd_t) ') @@ -9990,7 +10172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam ######################################## # # Freshclam local policy -@@ -233,3 +243,7 @@ +@@ -233,3 +245,7 @@ optional_policy(` apache_read_sys_content(clamscan_t) ') @@ -20565,7 +20747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.3.1/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2007-12-19 05:32:17.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/setroubleshoot.te 2008-02-26 08:29:22.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/setroubleshoot.te 2008-02-29 09:09:42.000000000 -0500 @@ -22,13 +22,16 @@ type setroubleshoot_var_run_t; files_pid_file(setroubleshoot_var_run_t) @@ -20595,7 +20777,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr corecmd_exec_bin(setroubleshootd_t) corecmd_exec_shell(setroubleshootd_t) -@@ -68,16 +73,21 @@ +@@ -68,16 +73,23 @@ dev_read_urand(setroubleshootd_t) dev_read_sysfs(setroubleshootd_t) @@ -20615,10 +20797,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr fs_getattr_all_dirs(setroubleshootd_t) fs_getattr_all_files(setroubleshootd_t) +fs_read_fusefs_symlinks(setroubleshootd_t) ++fs_dontaudit_read_nfs_files(setroubleshootd_t) ++fs_dontaudit_read_cifs_files(setroubleshootd_t) selinux_get_enforce_mode(setroubleshootd_t) selinux_validate_context(setroubleshootd_t) -@@ -97,19 +107,20 @@ +@@ -97,19 +109,20 @@ locallogin_dontaudit_use_fds(setroubleshootd_t) 
@@ -22717,7 +22901,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-02-28 09:30:18.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-02-29 17:12:34.000000000 -0500 @@ -15,6 +15,11 @@ template(`xserver_common_domain_template',` gen_require(` @@ -22839,7 +23023,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + + allow $1_xserver_t input_xevent_t:x_event send; + allow $1_xserver_t x_rootwindow_t:x_drawable send; -+ allow $1_xserver_t $1_input_xevent_t:x_event send; ++ allow $1_xserver_t xdm_input_xevent_t:x_event send; + allow $1_xserver_t $1_t:x_drawable send; + + ',` 
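Review bot: `allow $1_xserver_t xdm_input_xevent_t:x_event send;` replaces the per-user `$1_input_xevent_t`, and since the common template later declares every user's `$2_input_xevent_t` with the `xdm_input_xevent_type` attribute, one user's X server domain may now send events labelled as any user's input events. If the intent is that the xdm-owned server must deliver input to every user session, a comment on this line saying so would record the reasoning; if not, the per-user type was the tighter rule. The enclosing template starts outside the hunk, so whether `$1_xserver_t` is per-user cannot be confirmed from here.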
@@ -23113,29 +23297,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + optional_policy(` + xserver_read_user_iceauth($1, $2) + ') -+ + +- libs_use_ld_so($1_iceauth_t) +- libs_use_shared_libs($1_iceauth_t) + ############################## + # + # User X object manager local policy + # -- libs_use_ld_so($1_iceauth_t) -- libs_use_shared_libs($1_iceauth_t) +- userdom_use_user_terminals($1,$1_iceauth_t) + # Device rules + allow xdm_x_domain $2:x_device { getattr setattr setfocus grab bell }; -- userdom_use_user_terminals($1,$1_iceauth_t) -+ allow $2 { input_xevent_t xdm_input_xevent_type }:x_event send; -+ allow $2 { x_rootwindow_t xdm_x_domain }:x_drawable send; - - tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_files($1_iceauth_t) - ') -+ mls_xwin_read_to_clearance($2) ++ allow $2 { input_xevent_t xdm_input_xevent_type }:x_event send; ++ allow $2 { x_rootwindow_t xdm_x_domain }:x_drawable send; - tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_files($1_iceauth_t) - ') ++ mls_xwin_read_to_clearance($2) ++ + xserver_user_x_domain_template($1,$1_t,$1_t,$1_tmpfs_t) ') @@ -23168,7 +23352,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; -@@ -542,25 +539,364 @@ +@@ -542,25 +539,382 @@ allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; @@ -23267,7 +23451,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + attribute x_server_domain, x_domain; + attribute xproperty_type; + attribute xevent_type, xextension_type; -+ attribute $1_x_domain, $1_input_xevent_type; + class x_drawable all_x_drawable_perms; + class x_screen all_x_screen_perms; + class x_gc all_x_gc_perms; 
@@ -23283,6 +23466,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + class x_resource all_x_resource_perms; + class x_event all_x_event_perms; + class x_synthetic_event all_x_synthetic_event_perms; ++ ++ attribute xdm_x_domain, xdm_input_xevent_type; ++ type xdm_t; + ') + + ############################## @@ -23291,13 +23477,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + # + + # Type attributes -+ typeattribute $3 $1_x_domain, x_domain; ++ typeattribute $2_t xdm_x_domain, x_domain; + + # Types for properties + type $2_default_xproperty_t, xproperty_type; + + # Types for events -+ type $2_input_xevent_t, $1_input_xevent_type, xevent_type; ++ type $2_input_xevent_t, xdm_input_xevent_type, xevent_type; + type $2_property_xevent_t, xevent_type; + type $2_focus_xevent_t, xevent_type; + type $2_manage_xevent_t, xevent_type; @@ -23312,7 +23498,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + # Hacks + # everyone can get the input focus of everyone else + # this is a fundamental brokenness in the X protocol -+ allow $3 { x_domain x_server_domain }:x_device { getfocus setfocus use setattr bell manage freeze getattr grab }; ++ allow $3 { x_domain x_server_domain }:x_device { getfocus setfocus use setattr bell manage freeze getattr grab force_cursor }; + tunable_policy(`allow_read_x_device',` + allow $3 { x_domain x_server_domain }:x_device read; + ') @@ -23325,7 +23511,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + allow $3 x_server_domain:x_server { getattr manage }; + # everyone can do override-redirect windows. + # this could be used to spoof labels -+ allow $3 self:x_drawable override; ++ allow $3 $3:x_drawable override; + # everyone can receive management events on the root window + # allows to know when new windows appear, among other things + allow $3 manage_xevent_t:x_event receive; 
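Review bot: `typeattribute $2_t xdm_x_domain, x_domain;` (and the `type_transition $2_t ...` lines in this and the following hunks) derive a type name from the second template parameter, but the two visible callers pass different things there: userdomain.if calls `xserver_user_x_domain_template($1,$1,$1_usertype, $1_tmpfs_t)` with a prefix, while the earlier xserver.if hunk calls `xserver_user_x_domain_template($1,$1_t,$1_t,$1_tmpfs_t)` with a domain, and that wrapper forwards `$1,$2,$3` unchanged to this template. With the second caller `$2_t` expands to `$1_t_t`, which is not declared anywhere visible and would presumably fail the policy build. Please confirm which form is intended, fix the other call site, and state in the template's header comment (outside the hunk) that the second parameter is a user prefix, not a domain.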
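Review bot: Replacing `self` with `$3` in `allow $3 $3:x_drawable override;` (and in the `x_client`, `x_resource`, `x_drawable`, `x_cursor`, `x_gc`, `x_colormap` and `unix_stream_socket` rules in the following hunks) changes meaning when `$3` is an attribute rather than one type: `self` grants a domain access to its own objects only, while `$3 $3` grants every type in the attribute access to every other member's objects. That is exactly the case after the userdomain.if change to `xserver_user_x_domain_template($1,$1,$1_usertype, $1_tmpfs_t)`, so all domains carrying `$1_usertype` can now override-redirect, destroy and connect to each other's X objects and sockets. If sharing among one user's domains is the intent, a comment at the first such rule, e.g. `# $3 may be an attribute: every domain in it may act on the others' objects`, would record that; otherwise keep `self` and add the specific cross-domain rules needed.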
@@ -23334,7 +23520,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + # can read server-owned resources + allow $3 x_server_domain:x_resource read; + # can mess with own clients -+ allow $3 self:x_client { manage destroy }; ++ allow $3 $3:x_client { manage destroy }; + + # X Protocol Extensions + allow $3 std_xext_t:x_extension { query use }; @@ -23344,12 +23530,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + # X Properties + # can read and write client properties + allow $3 $2_default_xproperty_t:x_property { create destroy read write }; ++ allow $1_t $2_default_xproperty_t:x_property { read }; ++ + allow $3 default_xproperty_t:x_property read; ++ + allow $3 output_xext_t:x_extension use; + + allow $3 xdm_default_xproperty_t:x_property { write read }; + -+ type_transition $3 default_xproperty_t:x_property $2_default_xproperty_t; ++ type_transition $2_t default_xproperty_t:x_property $2_default_xproperty_t; + # can read and write cut buffers + allow $3 clipboard_xproperty_t:x_property { create read write }; + # can read/write info properties 
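Review bot: `type_transition $2_t default_xproperty_t:x_property $2_default_xproperty_t;` now names only `$2_t` as the creating domain while the matching `allow $3 $2_default_xproperty_t:x_property { create destroy read write }` still covers all of `$3`; the same pattern appears for drawables (`type_transition $2_t x_rootwindow_t:x_drawable $2_t;`) and for the event transitions in the next two hunks. Any member of `$3` other than `$2_t` that creates a property would get `default_xproperty_t`, on which this template grants `$3` only `read`, so creation would be denied unless a rule elsewhere covers it. Since `$3` is `$1_usertype` in the userdomain.if caller, either the transitions should keep `$3` as the source, as before, or a comment should explain why only `$2_t` receives the derived labels.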
@@ -23358,15 +23547,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + # can change properties of root window + allow $3 x_rootwindow_t:x_drawable { list_property get_property set_property }; + # can change properties of own windows -+ allow $3 self:x_drawable { list_property get_property set_property }; ++ allow $3 $3:x_drawable { list_property get_property set_property }; + + # X Windows + # operations allowed on root windows + allow $3 x_rootwindow_t:x_drawable { getattr list_child add_child remove_child send receive read write manage setattr show }; + + # operations allowed on my windows -+ allow $3 self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; -+ type_transition $3 x_rootwindow_t:x_drawable $3; ++ allow $3 $3:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; ++ type_transition $2_t x_rootwindow_t:x_drawable $2_t; + + # X Colormaps + # can use the default colormap 
@@ -23378,21 +23567,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + # X Input + # can receive own events + allow $3 $2_input_xevent_t:{ x_event x_synthetic_event } receive; ++ allow $3 input_xevent_t:{ x_event x_synthetic_event } receive; ++ allow $1_t $2_input_xevent_t:{ x_event x_synthetic_event } receive; ++ + allow $3 $2_property_xevent_t:{ x_event x_synthetic_event } receive; ++ allow $1_t $2_property_xevent_t:{ x_event x_synthetic_event } receive; ++ + allow $3 $2_focus_xevent_t:{ x_event x_synthetic_event } receive; ++ allow $1_t $2_focus_xevent_t:{ x_event x_synthetic_event } receive; ++ + allow $3 $2_manage_xevent_t:{ x_event x_synthetic_event } receive; ++ allow $1_t $2_manage_xevent_t:{ x_event x_synthetic_event } { send receive }; ++ + allow $3 $2_default_xevent_t:{ x_event x_synthetic_event } receive; -+ allow $3 $2_client_xevent_t:{ x_event x_synthetic_event } receive; -+ allow $3 $2_client_xevent_t:x_synthetic_event send; -+ type_transition $3 input_xevent_t:x_event $2_input_xevent_t; -+ type_transition $3 property_xevent_t:x_event $2_property_xevent_t; -+ type_transition $3 focus_xevent_t:x_event $2_focus_xevent_t; -+ type_transition $3 manage_xevent_t:x_event $2_manage_xevent_t; -+ type_transition $3 default_xevent_t:x_event $2_default_xevent_t; ++ allow $1_t $2_default_xevent_t:{ x_event x_synthetic_event } receive; ++ ++ allow $3 $2_client_xevent_t:{ x_event x_synthetic_event } { send receive }; ++ allow $1_t $2_client_xevent_t:{ x_event x_synthetic_event } { send }; ++ type_transition $2_t input_xevent_t:x_event $2_input_xevent_t; ++ type_transition $2_t property_xevent_t:x_event $2_property_xevent_t; ++ type_transition $2_t focus_xevent_t:x_event $2_focus_xevent_t; ++ type_transition $2_t manage_xevent_t:x_event $2_manage_xevent_t; ++ type_transition $2_t default_xevent_t:x_event $2_default_xevent_t; + + allow $3 default_xevent_t:x_event receive; + -+ type_transition $3 client_xevent_t:x_event 
$2_client_xevent_t; ++ type_transition $2_t client_xevent_t:x_event $2_client_xevent_t; + # can receive certain root window events + allow $3 focus_xevent_t:x_event receive; + allow $3 property_xevent_t:x_event receive; @@ -23412,13 +23612,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + + # Other X Objects + # can create and use cursors -+ allow $3 self:x_cursor *; ++ allow $3 $3:x_cursor *; + # can create and use graphics contexts -+ allow $3 self:x_gc *; ++ allow $3 $3:x_gc *; + # can create and use colormaps -+ allow $3 self:x_colormap *; ++ allow $3 $3:x_colormap *; + # can read and write own objects -+ allow $3 self:x_resource { read write }; ++ allow $3 $3:x_resource { read write }; + + allow $3 screensaver_xext_t:x_extension use; + allow $3 unknown_xext_t:x_extension use; @@ -23453,9 +23653,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + allow $3 xevent_type:{ x_event x_synthetic_event } *; + ') + ++ allow $3 xdm_t:x_client destroy; ++ allow $3 xdm_t:x_drawable { receive get_property getattr list_child }; + -+ allow xdm_xserver_t $2_input_xevent_t:x_event send; -+ allow xdm_xserver_t $3:x_drawable send; ++ allow x_server_domain $2_input_xevent_t:x_event send; ++ allow x_xserver_domain $3:x_drawable send; +') + +####################################### @@ -23495,7 +23697,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + + allow $3 self:shm create_shm_perms; + allow $3 self:unix_dgram_socket create_socket_perms; -+ allow $3 self:unix_stream_socket { connectto create_stream_socket_perms }; ++ allow $3 $3:unix_stream_socket { connectto create_stream_socket_perms }; + + # Read .Xauthority file + allow $3 user_xauth_home_t:file { getattr read }; 
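Review bot: `allow x_xserver_domain $3:x_drawable send;` uses an attribute name that does not match the `x_server_domain` declared in this template's `gen_require` block (`attribute x_server_domain, x_domain;`) and used on the line directly above; unless `x_xserver_domain` is declared elsewhere this is a typo that will fail the policy build, and the intended line is `allow x_server_domain $3:x_drawable send;`. The new `allow $3 xdm_t:x_client destroy;` also lets every domain in `$3` destroy the display manager's X client, while the neighbouring `x_drawable` rule grants only read-type access; a short comment on why user domains need `destroy` would help reviewers.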
@@ -23524,7 +23726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + xserver_read_xdm_tmp_files($3) + + # X object manager -+ xserver_common_x_domain_template(xdm,$2,$3) ++ xserver_common_x_domain_template($1,$2,$3) + + userdom_search_user_home_dirs($1,$3) + userdom_manage_user_home_content_dirs($1, xdm_t) @@ -23539,7 +23741,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ') -@@ -593,26 +929,44 @@ +@@ -593,26 +947,44 @@ # template(`xserver_use_user_fonts',` gen_require(` @@ -23591,7 +23793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -638,10 +992,77 @@ +@@ -638,10 +1010,77 @@ # template(`xserver_domtrans_user_xauth',` gen_require(` @@ -23671,7 +23873,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -671,10 +1092,10 @@ +@@ -671,10 +1110,10 @@ # template(`xserver_user_home_dir_filetrans_user_xauth',` gen_require(` @@ -23684,7 +23886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -760,7 +1181,7 @@ +@@ -760,7 +1199,7 @@ type xconsole_device_t; ') @@ -23693,7 +23895,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -860,6 +1281,25 @@ +@@ -860,6 +1299,25 @@ ######################################## ## @@ -23719,7 +23921,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Read xdm-writable configuration files. ## ## -@@ -914,6 +1354,7 @@ +@@ -914,6 +1372,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t) 
@@ -23727,7 +23929,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -955,6 +1396,24 @@ +@@ -955,6 +1414,24 @@ ######################################## ## @@ -23752,7 +23954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Execute the X server in the XDM X server domain. ## ## -@@ -965,15 +1424,47 @@ +@@ -965,15 +1442,47 @@ # interface(`xserver_domtrans_xdm_xserver',` gen_require(` @@ -23801,7 +24003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1123,7 +1614,7 @@ +@@ -1123,7 +1632,7 @@ type xdm_xserver_tmp_t; ') @@ -23810,7 +24012,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1312,3 +1803,108 @@ +@@ -1312,3 +1821,108 @@ files_search_tmp($1) stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) ') 
@@ -26554,14 +26756,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti ################################# diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.3.1/policy/modules/system/mount.fc --- nsaserefpolicy/policy/modules/system/mount.fc 2006-11-16 17:15:24.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/mount.fc 2008-02-26 08:29:22.000000000 -0500 -@@ -1,4 +1,5 @@ ++++ serefpolicy-3.3.1/policy/modules/system/mount.fc 2008-02-29 16:11:11.000000000 -0500 +@@ -1,4 +1,6 @@ /bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) /bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) - -/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) +/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0) +/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0) ++/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) +/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.3.1/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2008-02-06 10:33:22.000000000 -0500 @@ -28572,7 +28775,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 09:52:56.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-02-27 13:18:26.000000000 -0500 ++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-02-29 16:26:11.000000000 -0500 @@ -29,9 +29,14 @@ ') 
@@ -29089,7 +29292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - xserver_xsession_entry_type($1_t) - xserver_dontaudit_write_log($1_t) - xserver_stream_connect_xdm($1_t) -+ xserver_user_x_domain_template($1,$1,$1_t, $1_tmpfs_t) ++ xserver_user_x_domain_template($1,$1,$1_usertype, $1_tmpfs_t) + xserver_xsession_entry_type($1_usertype) + xserver_dontaudit_write_log($1_usertype) + xserver_stream_connect_xdm($1_usertype) @@ -29659,11 +29862,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') # Run pppd in pppd_t by default for user -@@ -1207,7 +1208,23 @@ +@@ -1207,7 +1208,27 @@ ') optional_policy(` - setroubleshoot_stream_connect($1_t) ++ mount_run($1_t,$1_r,{ $1_tty_device_t $1_devpts_t }) ++ ') ++ ++ optional_policy(` + nsplugin_per_role_template($1, $1_usertype, $1_r) + ') + @@ -29684,7 +29891,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ') -@@ -1284,8 +1301,6 @@ +@@ -1284,8 +1305,6 @@ # Manipulate other users crontab. allow $1_t self:passwd crontab; @@ -29693,7 +29900,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1363,13 +1378,6 @@ +@@ -1363,13 +1382,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -29707,7 +29914,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo optional_policy(` userhelper_exec($1_t) ') -@@ -1422,6 +1430,7 @@ +@@ -1422,6 +1434,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -29715,7 +29922,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1787,10 +1796,14 @@ +@@ -1787,10 +1800,14 @@ template(`userdom_user_home_content',` gen_require(` attribute $1_file_type; 
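Review bot: `mount_run($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })` gives the per-role user domain a transition into the mount domain, and the hunk carries no comment on why; the surrounding context (`# Run pppd in pppd_t by default for user`, the nsplugin template) suggests this is the unprivileged user template, though its header is outside the hunk. If so, this is a privilege extension for every unprivileged user domain rather than the label rename the rest of the commit performs, and it deserves at least a comment such as `# users may transition to the mount domain; needed for <reason>` and ideally its own tunable. Placing it in its own `optional_policy` block, separate from the nsplugin and setroubleshoot blocks, would also keep the intent readable.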
@@ -29731,7 +29938,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1886,11 +1899,11 @@ +@@ -1886,11 +1903,11 @@ # template(`userdom_search_user_home_dirs',` gen_require(` @@ -29745,7 +29952,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1920,11 +1933,11 @@ +@@ -1920,11 +1937,11 @@ # template(`userdom_list_user_home_dirs',` gen_require(` @@ -29759,7 +29966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -1968,12 +1981,12 @@ +@@ -1968,12 +1985,12 @@ # template(`userdom_user_home_domtrans',` gen_require(` @@ -29775,7 +29982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2003,10 +2016,10 @@ +@@ -2003,10 +2020,10 @@ # template(`userdom_dontaudit_list_user_home_dirs',` gen_require(` @@ -29788,7 +29995,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2038,11 +2051,47 @@ +@@ -2038,11 +2055,47 @@ # template(`userdom_manage_user_home_content_dirs',` gen_require(` @@ -29838,7 +30045,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2074,10 +2123,10 @@ +@@ -2074,10 +2127,10 @@ # template(`userdom_dontaudit_setattr_user_home_content_files',` gen_require(` @@ -29851,7 +30058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2107,11 +2156,11 @@ +@@ -2107,11 +2160,11 @@ # template(`userdom_read_user_home_content_files',` gen_require(` 
@@ -29865,7 +30072,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2141,11 +2190,11 @@ +@@ -2141,11 +2194,11 @@ # template(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -29880,7 +30087,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2175,10 +2224,14 @@ +@@ -2175,10 +2228,14 @@ # template(`userdom_dontaudit_write_user_home_content_files',` gen_require(` @@ -29897,7 +30104,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2208,11 +2261,11 @@ +@@ -2208,11 +2265,11 @@ # template(`userdom_read_user_home_content_symlinks',` gen_require(` @@ -29911,7 +30118,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2242,11 +2295,11 @@ +@@ -2242,11 +2299,11 @@ # template(`userdom_exec_user_home_content_files',` gen_require(` @@ -29925,7 +30132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2276,10 +2329,10 @@ +@@ -2276,10 +2333,10 @@ # template(`userdom_dontaudit_exec_user_home_content_files',` gen_require(` @@ -29938,7 +30145,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2311,12 +2364,12 @@ +@@ -2311,12 +2368,12 @@ # template(`userdom_manage_user_home_content_files',` gen_require(` @@ -29954,7 +30161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2348,10 +2401,10 @@ +@@ -2348,10 +2405,10 @@ # template(`userdom_dontaudit_manage_user_home_content_dirs',` gen_require(` 
@@ -29967,7 +30174,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2383,12 +2436,12 @@ +@@ -2383,12 +2440,12 @@ # template(`userdom_manage_user_home_content_symlinks',` gen_require(` @@ -29983,7 +30190,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2420,12 +2473,12 @@ +@@ -2420,12 +2477,12 @@ # template(`userdom_manage_user_home_content_pipes',` gen_require(` @@ -29999,7 +30206,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2457,12 +2510,12 @@ +@@ -2457,12 +2514,12 @@ # template(`userdom_manage_user_home_content_sockets',` gen_require(` @@ -30015,7 +30222,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2507,11 +2560,11 @@ +@@ -2507,11 +2564,11 @@ # template(`userdom_user_home_dir_filetrans',` gen_require(` @@ -30029,7 +30236,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2556,11 +2609,11 @@ +@@ -2556,11 +2613,11 @@ # template(`userdom_user_home_content_filetrans',` gen_require(` @@ -30043,7 +30250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2600,11 +2653,11 @@ +@@ -2600,11 +2657,11 @@ # template(`userdom_user_home_dir_filetrans_user_home_content',` gen_require(` @@ -30057,7 +30264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2634,11 +2687,11 @@ +@@ -2634,11 +2691,11 @@ # template(`userdom_write_user_tmp_sockets',` gen_require(` 
@@ -30071,7 +30278,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2668,11 +2721,11 @@ +@@ -2668,11 +2725,11 @@ # template(`userdom_list_user_tmp',` gen_require(` @@ -30085,7 +30292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2704,10 +2757,10 @@ +@@ -2704,10 +2761,10 @@ # template(`userdom_dontaudit_list_user_tmp',` gen_require(` @@ -30098,7 +30305,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2739,10 +2792,10 @@ +@@ -2739,10 +2796,10 @@ # template(`userdom_dontaudit_manage_user_tmp_dirs',` gen_require(` @@ -30111,7 +30318,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2772,12 +2825,12 @@ +@@ -2772,12 +2829,12 @@ # template(`userdom_read_user_tmp_files',` gen_require(` @@ -30127,7 +30334,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2809,10 +2862,10 @@ +@@ -2809,10 +2866,10 @@ # template(`userdom_dontaudit_read_user_tmp_files',` gen_require(` @@ -30140,7 +30347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2844,10 +2897,48 @@ +@@ -2844,10 +2901,48 @@ # template(`userdom_dontaudit_append_user_tmp_files',` gen_require(` @@ -30191,7 +30398,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2877,12 +2968,12 @@ +@@ -2877,12 +2972,12 @@ # template(`userdom_rw_user_tmp_files',` gen_require(` 
@@ -30207,7 +30414,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2914,10 +3005,10 @@ +@@ -2914,10 +3009,10 @@ # template(`userdom_dontaudit_manage_user_tmp_files',` gen_require(` @@ -30220,7 +30427,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2949,12 +3040,12 @@ +@@ -2949,12 +3044,12 @@ # template(`userdom_read_user_tmp_symlinks',` gen_require(` @@ -30236,7 +30443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -2986,11 +3077,11 @@ +@@ -2986,11 +3081,11 @@ # template(`userdom_manage_user_tmp_dirs',` gen_require(` @@ -30250,7 +30457,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3022,11 +3113,11 @@ +@@ -3022,11 +3117,11 @@ # template(`userdom_manage_user_tmp_files',` gen_require(` @@ -30264,7 +30471,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3058,11 +3149,11 @@ +@@ -3058,11 +3153,11 @@ # template(`userdom_manage_user_tmp_symlinks',` gen_require(` @@ -30278,7 +30485,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3094,11 +3185,11 @@ +@@ -3094,11 +3189,11 @@ # template(`userdom_manage_user_tmp_pipes',` gen_require(` @@ -30292,7 +30499,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3130,11 +3221,11 @@ +@@ -3130,11 +3225,11 @@ # template(`userdom_manage_user_tmp_sockets',` gen_require(` 
@@ -30306,7 +30513,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3179,10 +3270,10 @@ +@@ -3179,10 +3274,10 @@ # template(`userdom_user_tmp_filetrans',` gen_require(` @@ -30319,7 +30526,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo files_search_tmp($2) ') -@@ -3223,10 +3314,10 @@ +@@ -3223,10 +3318,10 @@ # template(`userdom_tmp_filetrans_user_tmp',` gen_require(` @@ -30332,7 +30539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -3254,6 +3345,42 @@ +@@ -3254,6 +3349,42 @@ ## ## # @@ -30375,7 +30582,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo template(`userdom_rw_user_tmpfs_files',` gen_require(` type $1_tmpfs_t; -@@ -4231,11 +4358,11 @@ +@@ -4231,11 +4362,11 @@ # interface(`userdom_search_staff_home_dirs',` gen_require(` @@ -30389,7 +30596,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4251,10 +4378,10 @@ +@@ -4251,10 +4382,10 @@ # interface(`userdom_dontaudit_search_staff_home_dirs',` gen_require(` @@ -30402,7 +30609,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4270,11 +4397,11 @@ +@@ -4270,11 +4401,11 @@ # interface(`userdom_manage_staff_home_dirs',` gen_require(` @@ -30416,7 +30623,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4289,16 +4416,16 @@ +@@ -4289,16 +4420,16 @@ # interface(`userdom_relabelto_staff_home_dirs',` gen_require(` @@ -30436,7 +30643,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## users home directory. ## ## -@@ -4307,12 +4434,27 @@ +@@ -4307,12 +4438,27 @@ ## ## # 
@@ -30467,7 +30674,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4327,13 +4469,13 @@ +@@ -4327,13 +4473,13 @@ # interface(`userdom_read_staff_home_content_files',` gen_require(` @@ -30485,7 +30692,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4531,10 +4673,10 @@ +@@ -4531,10 +4677,10 @@ # interface(`userdom_getattr_sysadm_home_dirs',` gen_require(` @@ -30498,7 +30705,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4551,10 +4693,10 @@ +@@ -4551,10 +4697,10 @@ # interface(`userdom_dontaudit_getattr_sysadm_home_dirs',` gen_require(` @@ -30511,7 +30718,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4569,10 +4711,10 @@ +@@ -4569,10 +4715,10 @@ # interface(`userdom_search_sysadm_home_dirs',` gen_require(` @@ -30524,7 +30731,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4588,10 +4730,10 @@ +@@ -4588,10 +4734,10 @@ # interface(`userdom_dontaudit_search_sysadm_home_dirs',` gen_require(` @@ -30537,7 +30744,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4606,10 +4748,10 @@ +@@ -4606,10 +4752,10 @@ # interface(`userdom_list_sysadm_home_dirs',` gen_require(` @@ -30550,7 +30757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4625,10 +4767,10 @@ +@@ -4625,10 +4771,10 @@ # interface(`userdom_dontaudit_list_sysadm_home_dirs',` gen_require(` 
@@ -30563,7 +30770,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4644,12 +4786,11 @@ +@@ -4644,12 +4790,11 @@ # interface(`userdom_dontaudit_read_sysadm_home_content_files',` gen_require(` @@ -30579,7 +30786,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4676,10 +4817,10 @@ +@@ -4676,10 +4821,10 @@ # interface(`userdom_sysadm_home_dir_filetrans',` gen_require(` @@ -30592,7 +30799,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4694,10 +4835,10 @@ +@@ -4694,10 +4839,10 @@ # interface(`userdom_search_sysadm_home_content_dirs',` gen_require(` @@ -30605,7 +30812,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4712,13 +4853,13 @@ +@@ -4712,13 +4857,13 @@ # interface(`userdom_read_sysadm_home_content_files',` gen_require(` @@ -30623,7 +30830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4754,11 +4895,49 @@ +@@ -4754,11 +4899,49 @@ # interface(`userdom_search_all_users_home_dirs',` gen_require(` @@ -30674,7 +30881,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4778,6 +4957,14 @@ +@@ -4778,6 +4961,14 @@ files_list_home($1) allow $1 home_dir_type:dir list_dir_perms; @@ -30689,7 +30896,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') ######################################## -@@ -4839,6 +5026,26 @@ +@@ -4839,6 +5030,26 @@ ######################################## ## 
@@ -30716,7 +30923,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all directories ## in all users home directories. ## -@@ -4859,6 +5066,25 @@ +@@ -4859,6 +5070,25 @@ ######################################## ## @@ -30742,7 +30949,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all files ## in all users home directories. ## -@@ -4879,6 +5105,26 @@ +@@ -4879,6 +5109,26 @@ ######################################## ## @@ -30769,7 +30976,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete all symlinks ## in all users home directories. ## -@@ -5115,7 +5361,7 @@ +@@ -5115,7 +5365,7 @@ # interface(`userdom_relabelto_generic_user_home_dirs',` gen_require(` @@ -30778,7 +30985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ') files_search_home($1) -@@ -5304,6 +5550,50 @@ +@@ -5304,6 +5554,50 @@ ######################################## ## @@ -30829,7 +31036,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Create, read, write, and delete directories in ## unprivileged users home directories. ## -@@ -5509,6 +5799,42 @@ +@@ -5509,6 +5803,42 @@ ######################################## ## @@ -30872,7 +31079,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Read and write unprivileged user ttys. ## ## -@@ -5674,6 +6000,42 @@ +@@ -5674,6 +6004,42 @@ ######################################## ## @@ -30915,7 +31122,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo ## Send a dbus message to all user domains. ## ## -@@ -5704,3 +6066,368 @@ +@@ -5704,3 +6070,368 @@ interface(`userdom_unconfined',` refpolicywarn(`$0($*) has been deprecated.') ')