diff --git a/policy-F13.patch b/policy-F13.patch index e1eee2c..a95636a 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -71,7 +71,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.7.19/policy/mcs --- nsaserefpolicy/policy/mcs 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/mcs 2010-09-01 12:09:30.921083663 +0200 ++++ serefpolicy-3.7.19/policy/mcs 2010-09-23 12:57:46.199386949 +0200 @@ -86,10 +86,10 @@ (( h1 dom h2 ) and ( l2 eq h2 )); @@ -85,14 +85,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.7.1 (( h1 dom h2 ) and ( l2 eq h2 )); mlsconstrain process { transition dyntransition } -@@ -98,7 +98,7 @@ - mlsconstrain process { ptrace } - (( h1 dom h2) or ( t1 == mcsptraceall )); - --mlsconstrain process { sigkill sigstop } -+mlsconstrain process { signal sigkill sigstop } +@@ -101,6 +101,9 @@ + mlsconstrain process { sigkill sigstop } (( h1 dom h2 ) or ( t1 == mcskillall )); ++mlsconstrain process { signal } ++ (( h1 dom h2 ) or ( t1 != mcsuntrustedproc )); ++ + # + # MCS policy for SELinux-enabled databases # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-3.7.19/policy/mls --- nsaserefpolicy/policy/mls 2010-04-13 20:44:37.000000000 +0200 @@ -2463,8 +2464,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.te serefpolicy-3.7.19/policy/modules/admin/shutdown.te --- nsaserefpolicy/policy/modules/admin/shutdown.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/admin/shutdown.te 2010-08-24 15:45:05.100083585 +0200 -@@ -0,0 +1,66 @@ ++++ serefpolicy-3.7.19/policy/modules/admin/shutdown.te 2010-09-24 14:23:58.850635407 +0200 +@@ -0,0 +1,67 @@ +policy_module(shutdown,1.0.0) + +######################################## 
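Review bot: The new rule `mlsconstrain process { signal } (( h1 dom h2 ) or ( t1 != mcsuntrustedproc ));` constrains only the `signal` permission, so `signull` (which can be used to test whether a process at another category exists) and `sigchld` remain outside the MCS check for `mcsuntrustedproc` domains. If that is deliberate, the `mcs_untrusted_proc` interface documentation added later in this diff should say that only `signal` is constrained; if not, the set should read `mlsconstrain process { signal signull }`. The `mcsuntrustedproc` attribute referenced here is declared in the mcs.te hunk further down, so the two hunks must be applied together.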
@@ -2510,10 +2511,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow +auth_use_nsswitch(shutdown_t) +auth_write_login_records(shutdown_t) + -+init_dontaudit_write_utmp(shutdown_t) +init_read_utmp(shutdown_t) ++init_rw_utmp(shutdown_t) +init_telinit(shutdown_t) + ++logging_search_logs(shutdown_t) +logging_send_audit_msgs(shutdown_t) + +miscfiles_read_localization(shutdown_t) @@ -3530,7 +3532,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.7.19/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/apps/gnome.if 2010-05-28 09:41:59.977610927 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/gnome.if 2010-09-23 13:21:33.431386911 +0200 @@ -74,6 +74,24 @@ ######################################## @@ -6764,8 +6766,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +# No types are sandbox_exec_t diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.19/policy/modules/apps/sandbox.if --- nsaserefpolicy/policy/modules/apps/sandbox.if 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.if 2010-09-01 12:14:39.094335217 +0200 -@@ -0,0 +1,335 @@ ++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.if 2010-09-23 13:00:53.092386606 +0200 +@@ -0,0 +1,338 @@ + +## policy for sandbox + @@ -6857,6 +6859,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + application_type($1_t) + + mls_rangetrans_target($1_t) ++ mcs_untrusted_proc($1_t) + + type $1_file_t, sandbox_file_type; + files_type($1_file_t) 
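Review bot: `init_read_utmp(shutdown_t)` is kept next to the newly added `init_rw_utmp(shutdown_t)`; the rw interface presumably includes read access, so the read line is now redundant and can be dropped. Since this replaces `init_dontaudit_write_utmp(shutdown_t)`, a one-line comment above the rw line recording why the write is now granted rather than silenced (e.g. `# shutdown updates utmp; previously dontaudited, see <BUG-ID>`) would keep the change reviewable later. The enclosing shutdown.te file section starts and ends outside this hunk.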
@@ -6890,6 +6893,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + + type $1_t, sandbox_x_domain; + application_type($1_t) ++ mcs_untrusted_proc($1_t) + + type $1_file_t, sandbox_file_type; + files_type($1_file_t) @@ -6912,6 +6916,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. + + type $1_client_t, sandbox_x_domain; + application_type($1_client_t) ++ mcs_untrusted_proc($1_t) + + type $1_client_tmpfs_t, sandbox_tmpfs_type; + files_tmpfs_file($1_client_tmpfs_t) @@ -11693,6 +11698,47 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel ######################################## # # Unlabeled process local policy +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mcs.if serefpolicy-3.7.19/policy/modules/kernel/mcs.if +--- nsaserefpolicy/policy/modules/kernel/mcs.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/mcs.if 2010-09-23 12:59:03.197386946 +0200 +@@ -102,3 +102,29 @@ + + typeattribute $1 mcssetcats; + ') ++ ++####################################### ++## ++## Make specified process type MCS untrusted. ++## ++## ++##
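Review bot: In the `@@ -6912` hunk the new line `mcs_untrusted_proc($1_t)` is placed under the declaration of the client domain (`type $1_client_t, sandbox_x_domain;` / `application_type($1_client_t)`), so it re-applies the attribute to the parent domain and leaves `$1_client_t` unconstrained; it should read `mcs_untrusted_proc($1_client_t)`. The two preceding sandbox.if hunks (`@@ -6857`, `@@ -6890`) apply the attribute to `$1_t` and are consistent with their surrounding declarations. The enclosing template starts before this hunk.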

++## Make specified process type MCS untrusted. This ++## prevents this process from sending signals to other processes ++## with different mcs labels ++## object. ++##

++##
++## ++## ++## The type of the process. ++## ++## ++# ++interface(`mcs_untrusted_proc',` ++ gen_require(` ++ attribute mcsuntrustedproc; ++ ') ++ ++ typeattribute $1 mcsuntrustedproc; ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mcs.te serefpolicy-3.7.19/policy/modules/kernel/mcs.te +--- nsaserefpolicy/policy/modules/kernel/mcs.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/mcs.te 2010-09-23 12:58:14.301386891 +0200 +@@ -11,3 +11,4 @@ + attribute mcssetcats; + attribute mcswriteall; + attribute mcsreadall; ++attribute mcsuntrustedproc; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.7.19/policy/modules/kernel/selinux.if --- nsaserefpolicy/policy/modules/kernel/selinux.if 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/kernel/selinux.if 2010-05-28 09:42:00.040610567 +0200 @@ -13232,8 +13278,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2010-09-09 16:58:48.150084581 +0200 -@@ -0,0 +1,455 @@ ++++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2010-09-23 13:17:47.400386803 +0200 +@@ -0,0 +1,457 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## 
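Review bot: The doc comment of the new `mcs_untrusted_proc` interface repeats the summary sentence inside the description and the description ends with a stray `object.`; it should be a single sentence such as `## Make specified process type MCS untrusted: it may only send the signal permission to processes whose MCS range it dominates.` The accompanying constraint earlier in this diff (policy/mcs) covers only the `signal` permission, so the text should not claim that all signals are blocked. The `<summary>`, `<desc>` and `<param>` tags used by other refpolicy interface comments are not visible in this hunk (they may have been lost in rendering); confirm they are present so the interface documentation is generated correctly.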
@@ -13598,8 +13644,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi +') + +optional_policy(` ++ optional_policy(` ++ samba_run_unconfined_net(unconfined_t, unconfined_r) ++ ') + samba_role_notrans(unconfined_r) -+ samba_run_unconfined_net(unconfined_t, unconfined_r) +# samba_run_winbind_helper(unconfined_t, unconfined_r) + samba_run_smbcontrol(unconfined_t, unconfined_r) +') @@ -16685,7 +16733,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.7.19/policy/modules/services/boinc.te --- nsaserefpolicy/policy/modules/services/boinc.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-09-21 15:44:46.945387235 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-09-23 15:00:44.162636936 +0200 @@ -0,0 +1,176 @@ + +policy_module(boinc,1.0.0) @@ -16718,7 +16766,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +role system_r types boinc_project_t; + +type boinc_project_tmp_t; -+files_tmp_file(boinc_tmp_t) ++files_tmp_file(boinc_project_tmp_t) + +type boinc_project_var_lib_t; +files_type(boinc_project_var_lib_t) @@ -21001,7 +21049,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.7.19/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2010-09-13 12:37:55.230085213 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/dovecot.te 2010-09-23 15:00:20.316636690 +0200 @@ -9,6 +9,9 @@ type dovecot_exec_t; init_daemon_domain(dovecot_t, dovecot_exec_t) 
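Review bot: The new inner `optional_policy(\`…')` wrapping `samba_run_unconfined_net(unconfined_t, unconfined_r)` sits inside an outer `optional_policy` block that already guards the samba rules, so it only has an effect if the type that interface requires can be absent while the other samba types are present. A comment on the inner block naming that condition, e.g. `# <TYPE> is only declared when <CONDITION>`, would explain the nesting to the next reader; without it the block looks like a leftover from the move. The outer block is fully visible in the hunk.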
@@ -21146,7 +21194,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove postfix_search_spool(dovecot_auth_t) ') -@@ -234,18 +263,34 @@ +@@ -234,18 +263,35 @@ # allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; @@ -21177,11 +21225,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove auth_use_nsswitch(dovecot_deliver_t) logging_send_syslog_msg(dovecot_deliver_t) ++logging_append_all_logs(dovecot_deliver_t) +logging_search_logs(dovecot_deliver_t) miscfiles_read_localization(dovecot_deliver_t) -@@ -263,15 +308,24 @@ +@@ -263,15 +309,24 @@ userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file }) tunable_policy(`use_nfs_home_dirs',` @@ -22783,16 +22832,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabber.fc serefpolicy-3.7.19/policy/modules/services/jabber.fc --- nsaserefpolicy/policy/modules/services/jabber.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/jabber.fc 2010-09-01 11:58:19.516083496 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/jabber.fc 2010-09-24 14:38:41.409386147 +0200 @@ -2,5 +2,14 @@ /usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0) +# for new version of jabberd +/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0) -+/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0) -+/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_exec_t,s0) ++/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0) +/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0) ++/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0) + +/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0) + 
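Review bot: `logging_append_all_logs(dovecot_deliver_t)` grants the local delivery agent append access to every log file type on the system, not only dovecot's own logs; because dovecot_deliver_t processes incoming mail, a type-specific log interface would be the least-privilege choice. If the broad grant is required because the delivery log path is administrator-configurable, a comment such as `# deliver log path is configurable; see <BUG-ID>` above the line should record that reason. The enclosing dovecot_deliver_t rule block starts before this hunk.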
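Review bot: In the jabber.fc hunk `/usr/bin/c2s` is now labeled `jabberd_router_exec_t` while `/usr/bin/s2s` and `/usr/bin/sm` keep `jabberd_exec_t`, and the only comment is `# for new version of jabberd`. The jabber.te hunk later in this diff titles its section `Local policy for jabberd router and c2s components`, so this appears intentional; a matching note here, e.g. `# c2s runs in the router domain`, would stop the label being mistaken for a copy error.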
@@ -22801,7 +22850,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabb /var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabber.if serefpolicy-3.7.19/policy/modules/services/jabber.if --- nsaserefpolicy/policy/modules/services/jabber.if 2010-04-13 20:44:36.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/jabber.if 2010-09-16 15:09:16.987637037 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/jabber.if 2010-09-24 14:58:50.065385991 +0200 @@ -1,17 +1,96 @@ ## Jabber instant messaging server @@ -22838,7 +22887,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabb +## +## +# -+interface(`jabber_domtrans_jabberd_router',` ++interface(`jabber_domtrans_router',` + gen_require(` + type jabberd_router_t, jabberd_router_exec_t; + ') @@ -22917,14 +22966,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabb ps_process_pattern($1, jabberd_t) + allow $1 jabberd_router_t:process { ptrace signal_perms }; -+ ps_process_pattern($1, jabberd_router_t) ++ ps_process_pattern($1, jabberd_router_t) + init_labeled_script_domtrans($1, jabberd_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 jabberd_initrc_exec_t system_r; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabber.te serefpolicy-3.7.19/policy/modules/services/jabber.te --- nsaserefpolicy/policy/modules/services/jabber.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/jabber.te 2010-09-01 11:58:19.543083755 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/jabber.te 2010-09-24 14:39:25.654636939 +0200 @@ -6,13 +6,19 @@ # Declarations # 
@@ -22946,18 +22995,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabb type jabberd_log_t; logging_log_file(jabberd_log_t) -@@ -22,40 +28,78 @@ +@@ -22,74 +28,97 @@ type jabberd_var_run_t; files_pid_file(jabberd_var_run_t) -######################################## ++ +permissive jabberd_router_t; +permissive jabberd_t; + -+####################################### ++###################################### # -# Local policy -+# Local policy for jabberd domains ++# Local policy for jabberd router and c2s components # -allow jabberd_t self:capability dac_override; 
@@ -22966,6 +23016,95 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabb -allow jabberd_t self:fifo_file read_fifo_file_perms; -allow jabberd_t self:tcp_socket create_stream_socket_perms; -allow jabberd_t self:udp_socket create_socket_perms; +- +-manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t) +-files_var_lib_filetrans(jabberd_t, jabberd_var_lib_t, file) +- +-manage_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t) +-logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir }) +- +-manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t) +-files_pid_filetrans(jabberd_t, jabberd_var_run_t, file) +- +-kernel_read_kernel_sysctls(jabberd_t) +-kernel_list_proc(jabberd_t) +-kernel_read_proc_symlinks(jabberd_t) +- +-corenet_all_recvfrom_unlabeled(jabberd_t) +-corenet_all_recvfrom_netlabel(jabberd_t) +-corenet_tcp_sendrecv_generic_if(jabberd_t) +-corenet_udp_sendrecv_generic_if(jabberd_t) +-corenet_tcp_sendrecv_generic_node(jabberd_t) +-corenet_udp_sendrecv_generic_node(jabberd_t) +-corenet_tcp_sendrecv_all_ports(jabberd_t) +-corenet_udp_sendrecv_all_ports(jabberd_t) +-corenet_tcp_bind_generic_node(jabberd_t) +-corenet_tcp_bind_jabber_client_port(jabberd_t) +-corenet_tcp_bind_jabber_interserver_port(jabberd_t) +-corenet_sendrecv_jabber_client_server_packets(jabberd_t) +-corenet_sendrecv_jabber_interserver_server_packets(jabberd_t) ++allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms; + +-dev_read_sysfs(jabberd_t) +-# For SSL +-dev_read_rand(jabberd_t) ++corenet_tcp_bind_jabber_client_port(jabberd_router_t) ++corenet_tcp_bind_jabber_router_port(jabberd_router_t) ++corenet_tcp_connect_jabber_router_port(jabberd_router_t) ++corenet_sendrecv_jabber_router_server_packets(jabberd_router_t) ++corenet_sendrecv_jabber_client_server_packets(jabberd_router_t) + +-domain_use_interactive_fds(jabberd_t) ++fs_getattr_all_fs(jabberd_router_t) + +-files_read_etc_files(jabberd_t) 
+-files_read_etc_runtime_files(jabberd_t) ++miscfiles_read_certs(jabberd_router_t) + +-fs_getattr_all_fs(jabberd_t) +-fs_search_auto_mountpoints(jabberd_t) ++optional_policy(` ++ kerberos_use(jabberd_router_t) ++') ++ ++optional_policy(` ++ nis_use_ypbind(jabberd_router_t) ++') + +-logging_send_syslog_msg(jabberd_t) ++##################################### ++# ++# Local policy for other jabberd components ++# + +-miscfiles_read_localization(jabberd_t) ++kernel_read_system_state(jabberd_t) + +-sysnet_read_config(jabberd_t) ++corenet_tcp_bind_jabber_interserver_port(jabberd_t) ++corenet_tcp_connect_jabber_router_port(jabberd_t) + + userdom_dontaudit_use_unpriv_user_fds(jabberd_t) + userdom_dontaudit_search_user_home_dirs(jabberd_t) + + optional_policy(` +- nis_use_ypbind(jabberd_t) ++ seutil_sigchld_newrole(jabberd_t) + ') + + optional_policy(` +- seutil_sigchld_newrole(jabberd_t) ++ udev_read_db(jabberd_t) + ') + +-optional_policy(` +- udev_read_db(jabberd_t) +-') ++####################################### ++# ++# Local policy for jabberd domains ++# ++ +allow jabberd_domain self:process signal_perms; +allow jabberd_domain self:fifo_file read_fifo_file_perms; +allow jabberd_domain self:tcp_socket create_stream_socket_perms; 
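Review bot: The rewritten inner hunk deletes `kernel_read_kernel_sysctls(jabberd_t)`, `domain_use_interactive_fds(jabberd_t)` and `fs_search_auto_mountpoints(jabberd_t)` from the jabberd_t rules, and none of them reappears in the `jabberd_domain` section visible in this hunk or the next. If dropping them is an intentional tightening, a short comment under the new `Local policy for other jabberd components` header, e.g. `# sysctl, interactive fd and automount access intentionally not granted`, would record that; otherwise they belong in the shared `jabberd_domain` section. The hunk also spans the existing `permissive jabberd_router_t;` / `permissive jabberd_t;` lines, which are not new here but mean none of these rules is enforced yet.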
@@ -22977,14 +23116,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabb +# log and pid files are moved into /var/lib/jabberd in the newer version of jabberd +manage_files_pattern(jabberd_domain, jabberd_log_t, jabberd_log_t) +logging_log_filetrans(jabberd_domain, jabberd_log_t, { file dir }) - --manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t) --files_var_lib_filetrans(jabberd_t, jabberd_var_lib_t, file) ++ +manage_files_pattern(jabberd_domain, jabberd_var_run_t, jabberd_var_run_t) +files_pid_filetrans(jabberd_domain, jabberd_var_run_t, file) - --manage_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t) --logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir }) ++ +corenet_all_recvfrom_unlabeled(jabberd_domain) +corenet_all_recvfrom_netlabel(jabberd_domain) +corenet_tcp_sendrecv_generic_if(jabberd_domain) @@ -22995,8 +23130,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabb +corenet_udp_sendrecv_all_ports(jabberd_domain) +corenet_tcp_bind_generic_node(jabberd_domain) + ++# For SSL ++dev_read_rand(jabberd_domain) +dev_read_urand(jabberd_domain) -+dev_read_urand(jabberd_domain) ++dev_read_sysfs(jabberd_domain) + +files_read_etc_files(jabberd_domain) +files_read_etc_runtime_files(jabberd_domain) 
@@ -23007,67 +23144,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabb + +sysnet_read_config(jabberd_domain) + -+###################################### -+# -+# Local policy for jabberd-router -+# - --manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t) --files_pid_filetrans(jabberd_t, jabberd_var_run_t, file) -+allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms; -+ -+corenet_tcp_bind_jabber_router_port(jabberd_router_t) -+corenet_sendrecv_jabber_router_server_packets(jabberd_router_t) -+ -+optional_policy(` -+ kerberos_use(jabberd_router_t) -+') -+ -+######################################## -+# -+# Local policy for jabberd -+# -+ -+allow jabberd_t self:capability dac_override; -+dontaudit jabberd_t self:capability sys_tty_config; - - kernel_read_kernel_sysctls(jabberd_t) --kernel_list_proc(jabberd_t) - kernel_read_proc_symlinks(jabberd_t) -+kernel_read_system_state(jabberd_t) - --corenet_all_recvfrom_unlabeled(jabberd_t) --corenet_all_recvfrom_netlabel(jabberd_t) --corenet_tcp_sendrecv_generic_if(jabberd_t) --corenet_udp_sendrecv_generic_if(jabberd_t) --corenet_tcp_sendrecv_generic_node(jabberd_t) --corenet_udp_sendrecv_generic_node(jabberd_t) --corenet_tcp_sendrecv_all_ports(jabberd_t) --corenet_udp_sendrecv_all_ports(jabberd_t) --corenet_tcp_bind_generic_node(jabberd_t) -+corenet_tcp_connect_jabber_router_port(jabberd_t) - corenet_tcp_bind_jabber_client_port(jabberd_t) - corenet_tcp_bind_jabber_interserver_port(jabberd_t) - corenet_sendrecv_jabber_client_server_packets(jabberd_t) -@@ -67,18 +111,9 @@ - - domain_use_interactive_fds(jabberd_t) - --files_read_etc_files(jabberd_t) --files_read_etc_runtime_files(jabberd_t) -- - fs_getattr_all_fs(jabberd_t) - fs_search_auto_mountpoints(jabberd_t) - --logging_send_syslog_msg(jabberd_t) -- --miscfiles_read_localization(jabberd_t) -- --sysnet_read_config(jabberd_t) -- - userdom_dontaudit_use_unpriv_user_fds(jabberd_t) - 
userdom_dontaudit_search_user_home_dirs(jabberd_t) - diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.7.19/policy/modules/services/kerberos.fc --- nsaserefpolicy/policy/modules/services/kerberos.fc 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/kerberos.fc 2010-07-23 13:43:56.367388499 +0200 @@ -25048,7 +25124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi +/usr/lib(64)?/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.if serefpolicy-3.7.19/policy/modules/services/nagios.if --- nsaserefpolicy/policy/modules/services/nagios.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/nagios.if 2010-05-28 09:42:00.132610905 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/nagios.if 2010-09-23 15:05:10.602684332 +0200 @@ -64,8 +64,8 @@ ######################################## @@ -25077,7 +25153,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi ') ######################################## -@@ -99,3 +100,152 @@ +@@ -99,3 +100,155 @@ domtrans_pattern($1, nrpe_exec_t, nrpe_t) ') 
@@ -25153,15 +25229,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi + + gen_require(` + type nagios_t, nrpe_t; -+ type nagios_log_t; ++ type nagios_log_t; + ') + -+ type nagios_$1_plugin_t; -+ type nagios_$1_plugin_exec_t; -+ application_domain(nagios_$1_plugin_t, nagios_$1_plugin_exec_t) -+ role system_r types nagios_$1_plugin_t; ++ type nagios_$1_plugin_t; ++ type nagios_$1_plugin_exec_t; ++ application_domain(nagios_$1_plugin_t, nagios_$1_plugin_exec_t) ++ role system_r types nagios_$1_plugin_t; ++ ++ allow nagios_$1_plugin_t self:fifo_file rw_fifo_file_perms; ++ ++ allow nrpe_t nagios_$1_plugin_t:process { signal sigkill }; + -+ allow nagios_$1_plugin_t self:fifo_file rw_fifo_file_perms; + + # automatic transition rules from nrpe domain + # to specific nagios plugin domain @@ -25174,7 +25253,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi + + # cjp: leaked file descriptor + dontaudit nagios_$1_plugin_t nrpe_t:tcp_socket { read write }; -+ dontaudit nagios_$1_plugin_t nagios_log_t:file { read write }; ++ dontaudit nagios_$1_plugin_t nagios_log_t:file { read write }; + + miscfiles_read_localization(nagios_$1_plugin_t) +') @@ -31906,7 +31985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.7.19/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/rpc.te 2010-07-13 09:40:21.467753409 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/rpc.te 2010-09-24 12:39:25.042386720 +0200 @@ -80,6 +80,7 @@ corecmd_exec_bin(rpcd_t) 
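Review bot: The new rule `allow nrpe_t nagios_$1_plugin_t:process { signal sigkill };` is followed by two blank `+` lines and, unlike the neighbouring rules in this template, carries no comment. One blank line and a short why-comment such as `# nrpe terminates plugins on timeout` (if that is the reason) would match the `# cjp: leaked file descriptor` style used a few lines below. The remaining changes in the hunk are tab re-indentation only; the enclosing template begins before the hunk.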
@@ -31915,7 +31994,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. files_manage_mounttab(rpcd_t) files_getattr_all_dirs(rpcd_t) -@@ -98,15 +99,26 @@ +@@ -89,6 +90,7 @@ + fs_rw_rpc_sockets(rpcd_t) + fs_get_all_fs_quotas(rpcd_t) + fs_getattr_all_fs(rpcd_t) ++fs_set_xattr_fs_quotas(rpcd_t) + + storage_getattr_fixed_disk_dev(rpcd_t) + +@@ -98,15 +100,26 @@ seutil_dontaudit_search_config(rpcd_t) @@ -31942,7 +32029,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. ######################################## # # NFSD local policy -@@ -120,6 +132,7 @@ +@@ -120,6 +133,7 @@ # for /proc/fs/nfs/exports - should we have a new type? kernel_read_system_state(nfsd_t) kernel_read_network_state(nfsd_t) @@ -31950,7 +32037,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. kernel_dontaudit_getattr_core_if(nfsd_t) corenet_tcp_bind_all_rpc_ports(nfsd_t) -@@ -161,6 +174,7 @@ +@@ -161,6 +175,7 @@ fs_read_noxattr_fs_files(nfsd_t) auth_manage_all_files_except_shadow(nfsd_t) ') @@ -31958,7 +32045,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. tunable_policy(`nfs_export_all_ro',` dev_getattr_all_blk_files(nfsd_t) -@@ -219,6 +233,8 @@ +@@ -219,6 +234,8 @@ userdom_list_user_tmp(gssd_t) userdom_read_user_tmp_files(gssd_t) userdom_read_user_tmp_symlinks(gssd_t) @@ -32397,7 +32484,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.19/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/samba.te 2010-08-30 19:22:59.872334445 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/samba.te 2010-09-23 13:18:50.383386842 +0200 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) 
@@ -32584,15 +32671,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ######################################## # -@@ -525,6 +562,7 @@ +@@ -518,13 +555,13 @@ + allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; + + allow smbcontrol_t nmbd_t:process { signal signull }; ++read_files_pattern(smbcontrol_t, nmbd_var_run_t, nmbd_var_run_t) +-allow smbcontrol_t nmbd_var_run_t:file { read lock }; +- +-allow smbcontrol_t smbd_t:process signal; +- ++allow smbcontrol_t smbd_t:process { signal signull }; ++read_files_pattern(smbcontrol_t, smbd_var_run_t, smbd_var_run_t) allow smbcontrol_t winbind_t:process { signal signull }; +files_search_var_lib(smbcontrol_t) samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -536,6 +574,8 @@ +@@ -536,6 +573,8 @@ miscfiles_read_localization(smbcontrol_t) @@ -32601,7 +32698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ######################################## # # smbmount Local policy -@@ -618,7 +658,7 @@ +@@ -618,7 +657,7 @@ # SWAT Local policy # @@ -32610,7 +32707,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t self:process { setrlimit signal_perms }; allow swat_t self:fifo_file rw_fifo_file_perms; allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -@@ -626,23 +666,25 @@ +@@ -626,23 +665,25 @@ allow swat_t self:udp_socket create_socket_perms; allow swat_t self:unix_stream_socket connectto; @@ -32644,7 +32741,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t smbd_exec_t:file mmap_file_perms ; allow swat_t smbd_t:process signull; -@@ -657,11 +699,14 @@ +@@ -657,11 +698,14 @@ files_pid_filetrans(swat_t, swat_var_run_t, file) allow swat_t winbind_exec_t:file mmap_file_perms; 
@@ -32660,7 +32757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) kernel_read_network_state(swat_t) -@@ -700,6 +745,8 @@ +@@ -700,6 +744,8 @@ miscfiles_read_localization(swat_t) @@ -32669,7 +32766,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -713,12 +760,23 @@ +@@ -713,12 +759,23 @@ kerberos_use(swat_t) ') @@ -32694,6 +32791,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb dontaudit winbind_t self:capability sys_tty_config; allow winbind_t self:process { signal_perms getsched setsched }; allow winbind_t self:fifo_file rw_fifo_file_perms; +@@ -763,6 +820,7 @@ + + kernel_read_kernel_sysctls(winbind_t) + kernel_read_system_state(winbind_t) ++kernel_read_network_state(winbind_t) + + corecmd_exec_bin(winbind_t) + @@ -779,6 +837,9 @@ corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) @@ -35111,16 +35216,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt /var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.19/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/virt.if 2010-09-16 16:52:58.485636847 +0200 -@@ -21,6 +21,7 @@ ++++ serefpolicy-3.7.19/policy/modules/services/virt.if 2010-09-23 12:59:31.493386880 +0200 +@@ -21,6 +21,8 @@ type $1_t, virt_domain; domain_type($1_t) domain_user_exemption_target($1_t) + mls_rangetrans_target($1_t) ++ mcs_untrusted_proc($1_t) role system_r types $1_t; type $1_devpts_t; -@@ -35,16 +36,16 @@ +@@ -35,16 +37,16 @@ type $1_image_t, virt_image_type; files_type($1_image_t) dev_node($1_image_t) 
@@ -35141,7 +35247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt rw_blk_files_pattern($1_t, $1_image_t, $1_image_t) manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t) -@@ -57,18 +58,6 @@ +@@ -57,18 +59,6 @@ manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) @@ -35160,7 +35266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt optional_policy(` xserver_rw_shm($1_t) ') -@@ -171,6 +160,7 @@ +@@ -171,6 +161,7 @@ files_search_etc($1) read_files_pattern($1, virt_etc_t, virt_etc_t) read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) @@ -35168,7 +35274,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') ######################################## -@@ -192,6 +182,7 @@ +@@ -192,6 +183,7 @@ files_search_etc($1) manage_files_pattern($1, virt_etc_t, virt_etc_t) manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) @@ -35176,7 +35282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') ######################################## -@@ -229,6 +220,24 @@ +@@ -229,6 +221,24 @@ ') ') @@ -35201,7 +35307,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ######################################## ## ## Read virt PID files. -@@ -306,6 +315,24 @@ +@@ -306,6 +316,24 @@ read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t) ') @@ -35226,7 +35332,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ######################################## ## ## Create, read, write, and delete -@@ -386,6 +413,24 @@ +@@ -386,6 +414,24 @@ manage_lnk_files_pattern($1, virt_log_t, virt_log_t) ') @@ -35251,7 +35357,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ######################################## ## ## Allow domain to read virt image files -@@ -433,15 +478,15 @@ +@@ -433,15 +479,15 @@ ## ## # 
@@ -35272,7 +35378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') ######################################## -@@ -516,3 +561,50 @@ +@@ -516,3 +562,50 @@ virt_manage_log($1) ') @@ -35825,7 +35931,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.7.19/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/xserver.if 2010-09-16 16:53:59.645636878 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/xserver.if 2010-09-23 13:20:56.798386762 +0200 @@ -19,9 +19,10 @@ interface(`xserver_restricted_role',` gen_require(` @@ -35881,7 +35987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_rw_xserver_misc($2) dev_rw_power_management($2) -@@ -89,14 +95,14 @@ +@@ -89,14 +95,15 @@ dev_write_misc($2) # open office is looking for the following dev_getattr_agp_dev($2) @@ -35891,6 +35997,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dev_rw_usbfs($2) miscfiles_read_fonts($2) ++ miscfiles_read_hwdata($2) + miscfiles_setattr_fonts_cache_dirs($2) xserver_common_x_domain_template(user, $2) @@ -35898,7 +36005,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_xsession_entry_type($2) xserver_dontaudit_write_log($2) xserver_stream_connect_xdm($2) -@@ -107,13 +113,24 @@ +@@ -107,11 +114,25 @@ # Needed for escd, remove if we get escd policy xserver_manage_xdm_tmp_files($2) 
@@ -35917,13 +36024,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + ',` + dev_dontaudit_rw_dri($2) + ') ++ ++ optional_policy(` ++ gnome_read_gconf_config($2) ++ ') ') -+ ######################################## - ## - ## Rules required for using the X Windows server -@@ -143,11 +160,12 @@ +@@ -143,11 +164,12 @@ allow $2 xserver_tmpfs_t:file rw_file_perms; allow $2 iceauth_home_t:file manage_file_perms; @@ -35938,7 +36046,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser manage_dirs_pattern($2, user_fonts_t, user_fonts_t) manage_files_pattern($2, user_fonts_t, user_fonts_t) relabel_dirs_pattern($2, user_fonts_t, user_fonts_t) -@@ -197,7 +215,7 @@ +@@ -197,7 +219,7 @@ allow $1 xserver_t:process signal; # Read /tmp/.X0-lock @@ -35947,7 +36055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Client read xserver shm allow $1 xserver_t:fd use; -@@ -227,7 +245,7 @@ +@@ -227,7 +249,7 @@ type xserver_t, xserver_tmpfs_t; ') @@ -35956,7 +36064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow $1 xserver_t:shm rw_shm_perms; allow $1 xserver_tmpfs_t:file rw_file_perms; ') -@@ -291,12 +309,12 @@ +@@ -291,12 +313,12 @@ allow $1 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file @@ -35972,7 +36080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser allow $1 xdm_tmp_t:dir search; allow $1 xdm_tmp_t:sock_file { read write }; dontaudit $1 xdm_t:tcp_socket { read write }; -@@ -310,7 +328,7 @@ +@@ -310,7 +332,7 @@ # for .xsession-errors userdom_dontaudit_write_user_home_content_files($1) 
@@ -35981,7 +36089,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_use_user_fonts($1) xserver_read_xdm_tmp_files($1) -@@ -355,6 +373,12 @@ +@@ -355,6 +377,12 @@ class x_property all_x_property_perms; class x_event all_x_event_perms; class x_synthetic_event all_x_synthetic_event_perms; @@ -35994,7 +36102,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ############################## -@@ -386,6 +410,15 @@ +@@ -386,6 +414,15 @@ allow $2 xevent_t:{ x_event x_synthetic_event } receive; # dont audit send failures dontaudit $2 input_xevent_type:x_event send; @@ -36010,7 +36118,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ####################################### -@@ -458,9 +491,9 @@ +@@ -458,9 +495,9 @@ # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; @@ -36022,7 +36130,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser dontaudit $2 xdm_t:tcp_socket { read write }; # Allow connections to X server. -@@ -472,10 +505,11 @@ +@@ -472,10 +509,11 @@ # for .xsession-errors userdom_dontaudit_write_user_home_content_files($2) @@ -36035,7 +36143,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # X object manager xserver_object_types_template($1) -@@ -545,6 +579,27 @@ +@@ -545,6 +583,27 @@ ') domtrans_pattern($1, xauth_exec_t, xauth_t) @@ -36063,7 +36171,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -598,6 +653,7 @@ +@@ -598,6 +657,7 @@ allow $1 xauth_home_t:file read_file_perms; userdom_search_user_home_dirs($1) @@ -36071,7 +36179,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -615,7 +671,7 @@ +@@ -615,7 +675,7 @@ type xconsole_device_t; ') 
@@ -36080,7 +36188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -724,11 +780,13 @@ +@@ -724,11 +784,13 @@ # interface(`xserver_stream_connect_xdm',` gen_require(` @@ -36096,7 +36204,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -765,7 +823,7 @@ +@@ -765,7 +827,7 @@ type xdm_tmp_t; ') @@ -36105,7 +36213,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -805,7 +863,7 @@ +@@ -805,7 +867,7 @@ ') files_search_pids($1) @@ -36114,7 +36222,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -897,7 +955,7 @@ +@@ -897,7 +959,7 @@ ') logging_search_logs($1) @@ -36123,7 +36231,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -916,7 +974,7 @@ +@@ -916,7 +978,7 @@ type xserver_log_t; ') @@ -36132,7 +36240,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -964,6 +1022,44 @@ +@@ -964,6 +1026,44 @@ ######################################## ## @@ -36177,7 +36285,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Read xdm temporary files. ## ## -@@ -1052,7 +1148,7 @@ +@@ -1052,7 +1152,7 @@ type xdm_tmp_t; ') @@ -36186,7 +36294,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1210,7 +1306,7 @@ +@@ -1210,7 +1310,7 @@ ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the 
@@ -36195,7 +36303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## ## ## -@@ -1224,9 +1320,20 @@ +@@ -1224,9 +1324,20 @@ class x_device all_x_device_perms; class x_pointer all_x_pointer_perms; class x_keyboard all_x_keyboard_perms; @@ -36216,7 +36324,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1250,3 +1357,330 @@ +@@ -1250,3 +1361,330 @@ typeattribute $1 x_domain; typeattribute $1 xserver_unconfined_type; ') @@ -39309,8 +39417,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump. dev_read_sysfs(kdump_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.19/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/libraries.fc 2010-09-01 11:39:53.971335059 +0200 -@@ -127,17 +127,22 @@ ++++ serefpolicy-3.7.19/policy/modules/system/libraries.fc 2010-09-24 12:55:11.845386098 +0200 +@@ -127,17 +127,23 @@ /usr/lib64/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -39318,14 +39426,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +/usr/lib/vlc/plugins/mmx/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/vlc/plugins/codec//mmx/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/vlc/plugins/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/vlc/codec/plugins/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/vlc/plugins/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib64/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -/usr/lib64/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib/vlc/codec/plugins/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/vlc/plugins/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/vlc/codec/plugins/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib64/vlc/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib64/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libtfmessbsp\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
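Review bot: The new `/usr/lib/vlc/plugins/codec/librealvideo_plugin\.so` entry uses the plain `/usr/lib/` prefix where the `librealvideo` line directly above it uses `lib(64)?`; the `/usr/lib64/vlc/.*\.so` catch-all in the same hunk covers the 64-bit side, so this is only a consistency point. The `librealaudio` entry moved in this hunk lives under `codec/plugins/` and the new one under `plugins/codec/`, and both orderings also appear for `libdmo`, so either the new `librealvideo` line is missing its `codec/plugins/` twin or one ordering is a transposition that never matches a real file. The pre-existing context line `/usr/lib/vlc/plugins/codec//mmx/libi420_rgb_mmx_plugin\.so` contains a doubled slash, which a normalised path never has, so that pattern is dead as well and could be fixed while this block is being touched. Every one of these entries assigns `textrel_shlib_t`, so a dead pattern leaves the plugin at the default library label, which is the safe direction but shows up as an execmod denial rather than an obvious labelling error.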
@@ -39337,7 +39446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -151,6 +156,7 @@ +@@ -151,6 +157,7 @@ /usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -39345,7 +39454,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -208,6 +214,7 @@ +@@ -208,6 +215,7 @@ /usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -39353,7 +39462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -302,13 +309,8 @@ +@@ -302,13 +310,8 @@ /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -39369,7 +39478,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar ') dnl end distro_redhat # -@@ -319,14 +321,153 @@ +@@ -319,14 +322,153 @@ /var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index edd6db2..96801d2 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.7.19
-Release: 60%{?dist}
+Release: 61%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,12 @@ exit 0
 %endif
 %changelog
+* Fri Sep 24 2010 Miroslav Grepl 3.7.19-61
+- Move c2s to run in jabber_router_t domain
+- Allow domains with different mcs levels to send each other signals as long as they are not identified as mcsconstrainproc
+- Allow nrpe to send signal and sigkill to the plugins
+- Fix up xguest to allow it to read hwdata and gconf_etc_t
+
 * Tue Sep 21 2010 Miroslav Grepl 3.7.19-60
 - Allow boinc projects to execute java