diff --git a/policy-20070501.patch b/policy-20070501.patch index 64856d5..058ae0a 100644 --- a/policy-20070501.patch +++ b/policy-20070501.patch @@ -5154,8 +5154,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-2.6.4/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2007-05-07 14:50:57.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/cups.fc 2007-11-28 08:28:47.000000000 -0500 -@@ -8,6 +8,7 @@ ++++ serefpolicy-2.6.4/policy/modules/services/cups.fc 2007-12-12 10:15:07.000000000 -0500 +@@ -8,17 +8,15 @@ /etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) 
@@ -5163,30 +5163,82 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups /etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) -@@ -16,8 +17,9 @@ +-/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0) +- /etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) /usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) +/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0) -/usr/lib(64)?/cups/backend/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0) -+/usr/lib(64)?/cups/daemon -d gen_context(system_u:object_r:cupsd_exec_t,s0) - /usr/lib(64)?/cups/daemon/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0) +-/usr/lib(64)?/cups/daemon/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0) /usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0) -@@ -52,3 +54,5 @@ + /usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) +@@ -26,6 +24,11 @@ + /usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0) + /usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) + /usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0) ++/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0) ++# keep as separate lines to ensure proper sorting ++/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0) ++/usr/lib64/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0) ++ + /usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0) + /usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0) + /usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0) +@@ -33,7 +36,7 @@ + + /usr/share/cups(/.*)? 
gen_context(system_u:object_r:cupsd_etc_t,s0) + /usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +-/usr/share/hplip/hpssd\.py -- gen_context(system_u:object_r:hplip_exec_t,s0) ++/usr/share/hplip/[^/]*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0) + + /var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0) + /var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +@@ -51,4 +54,5 @@ + /var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) /var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0) - /var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh) +-/var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh) +/usr/local/Brother/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/usr/local/Printer/[^/]*/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.6.4/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2007-05-07 14:51:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/cups.te 2007-11-26 13:00:58.000000000 -0500 -@@ -87,14 +87,13 @@ ++++ serefpolicy-2.6.4/policy/modules/services/cups.te 2007-12-12 10:42:46.000000000 -0500 +@@ -1,5 +1,5 @@ + +-policy_module(cups,1.6.0) ++policy_module(cups,1.7.2) + + ######################################## + # +@@ -48,9 +48,8 @@ + type hplip_t; + type hplip_exec_t; + init_daemon_domain(hplip_t,hplip_exec_t) +- +-type hplip_etc_t; +-files_config_file(hplip_etc_t) ++domtrans_pattern(cupsd_t,hplip_exec_t, hplip_t) ++domtrans_pattern(cupsd_config_t,hplip_exec_t, hplip_t) + + type hplip_var_run_t; + files_pid_file(hplip_var_run_t) +@@ -79,22 +78,20 @@ + # + + # /usr/lib/cups/backend/serial needs sys_admin(?!) 
+-allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config }; ++allow cupsd_t self:capability { dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_admin sys_rawio sys_resource sys_tty_config }; + dontaudit cupsd_t self:capability { sys_tty_config net_admin }; +-allow cupsd_t self:process { setsched signal_perms }; ++allow cupsd_t self:process { setpgid setsched signal_perms }; + allow cupsd_t self:fifo_file rw_file_perms; + allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow cupsd_t self:unix_dgram_socket create_socket_perms; allow cupsd_t self:netlink_selinux_socket create_socket_perms; - allow cupsd_t self:netlink_route_socket r_netlink_socket_perms; +-allow cupsd_t self:netlink_route_socket r_netlink_socket_perms; +allow cupsd_t self:shm create_shm_perms; allow cupsd_t self:tcp_socket create_stream_socket_perms; allow cupsd_t self:udp_socket create_socket_perms; @@ -5199,7 +5251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups allow cupsd_t cupsd_etc_t:{ dir file } setattr; read_files_pattern(cupsd_t,cupsd_etc_t,cupsd_etc_t) read_lnk_files_pattern(cupsd_t,cupsd_etc_t,cupsd_etc_t) -@@ -107,7 +106,7 @@ +@@ -107,7 +104,7 @@ # allow cups to execute its backend scripts can_exec(cupsd_t, cupsd_exec_t) 
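Review bot: The rewritten capability line for cupsd_t adds `sys_rawio` with no justification, while the only comment above it still explains just `sys_admin` for the serial backend; sys_rawio is among the broadest capabilities a daemon can hold, so that line should carry its own why-comment, e.g. `# sys_rawio: needed by <backend/driver — TODO confirm>` placed above the allow. The same line still lists `dac_override` twice (carried over from the line it replaces); the duplicate is redundant and should be dropped so the set reads as the distinct permissions it grants. Minor style: `domtrans_pattern(cupsd_t,hplip_exec_t, hplip_t)` and its cupsd_config_t twin mix spaced and unspaced argument separators, unlike every other pattern call in the hunk. This hunk also spans the cups.fc changes and the policy_module version bump, which look fine.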
@@ -5208,7 +5260,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups allow cupsd_t cupsd_exec_t:lnk_file read; manage_files_pattern(cupsd_t,cupsd_log_t,cupsd_log_t) -@@ -151,20 +150,23 @@ +@@ -124,18 +121,20 @@ + manage_sock_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t) + files_pid_filetrans(cupsd_t,cupsd_var_run_t,file) + +-read_files_pattern(cupsd_t,hplip_etc_t,hplip_etc_t) +- ++allow cupsd_t hplip_t:process sigkill; + allow cupsd_t hplip_var_run_t:file { read getattr }; + + stream_connect_pattern(cupsd_t,ptal_var_run_t,ptal_var_run_t,ptal_t) + allow cupsd_t ptal_var_run_t : sock_file setattr; + ++auth_use_nsswitch(cupsd_t) ++ + kernel_read_system_state(cupsd_t) + kernel_read_network_state(cupsd_t) + kernel_read_all_sysctls(cupsd_t) + +-corenet_non_ipsec_sendrecv(cupsd_t) ++corenet_all_recvfrom_unlabeled(cupsd_t) ++corenet_all_recvfrom_netlabel(cupsd_t) + corenet_tcp_sendrecv_all_if(cupsd_t) + corenet_udp_sendrecv_all_if(cupsd_t) + corenet_raw_sendrecv_all_if(cupsd_t) +@@ -151,32 +150,36 @@ corenet_tcp_bind_reserved_port(cupsd_t) corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_connect_all_ports(cupsd_t) @@ -5222,6 +5298,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups dev_read_urand(cupsd_t) dev_read_sysfs(cupsd_t) -dev_read_usbfs(cupsd_t) ++dev_rw_generic_usb_dev(cupsd_t) +dev_rw_usbfs(cupsd_t) dev_getattr_printer_dev(cupsd_t) 
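Review bot: The new `allow cupsd_t hplip_t:process sigkill;` in the cups section and the `allow cupsd_t hplip_t:process signal;` added in the HPLIP section of the -5279 hunk split one subject/target pair across two sections of the file; merging them here as `allow cupsd_t hplip_t:process { signal sigkill };` keeps cupsd_t's rules in cupsd_t's section and makes the grant visible in one place. The swap of `corenet_non_ipsec_sendrecv` for `corenet_all_recvfrom_unlabeled` plus `corenet_all_recvfrom_netlabel` is applied consistently to cupsd_config_t, cupsd_lpd_t, hplip_t and ptal_t in the later hunks, so no issue there. The `auth_use_nsswitch(cupsd_t)` addition matches the removal of the nscd/nis optional blocks for cupsd_t and cupsd_lpd_t further down.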
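Review bot: `dev_rw_generic_usb_dev(cupsd_t)` is added next to `dev_rw_usbfs(cupsd_t)` without a comment, so a later reader cannot tell which backend needs read/write on generic USB device nodes on top of usbfs; a one-line note such as `# <backend> needs generic USB device nodes as well as usbfs — TODO confirm` would document the widening. The same interface is also added for cupsd_config_t in the -5279 hunk, where the reason is even less obvious for a configuration helper and deserves the same comment.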
@@ -5233,15 +5310,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups mls_fd_use_all_levels(cupsd_t) mls_file_downgrade(cupsd_t) -@@ -177,6 +179,7 @@ +-mls_file_write_down(cupsd_t) +-mls_file_read_up(cupsd_t) +-mls_rangetrans_target(cupsd_t) ++mls_file_write_all_levels(cupsd_t) ++mls_file_read_all_levels(cupsd_t) + mls_socket_write_all_levels(cupsd_t) + + term_use_unallocated_ttys(cupsd_t) term_search_ptys(cupsd_t) auth_domtrans_chk_passwd(cupsd_t) -+auth_domtrans_upd_passwd(cupsd_t) ++auth_domtrans_upd_passwd_chk(cupsd_t) auth_dontaudit_read_pam_pid(cupsd_t) # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp -@@ -199,14 +202,17 @@ +@@ -190,7 +193,7 @@ + # read python modules + files_read_usr_files(cupsd_t) + # for /var/lib/defoma +-files_search_var_lib(cupsd_t) ++files_read_var_lib_files(cupsd_t) + files_list_world_readable(cupsd_t) + files_read_world_readable_files(cupsd_t) + files_read_world_readable_symlinks(cupsd_t) +@@ -199,12 +202,9 @@ files_read_var_symlinks(cupsd_t) # for /etc/printcap files_dontaudit_write_etc_files(cupsd_t) 
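Review bot: Replacing `mls_file_write_down` and `mls_file_read_up` with `mls_file_write_all_levels` and `mls_file_read_all_levels` gives cupsd_t unrestricted read and write across MLS levels, which is a materially wider grant than the directional pair it replaces, and nothing in the hunk says why; a comment above the two calls naming the workload that needs both directions (print jobs at arbitrary levels, presumably — to be confirmed) should accompany it. `mls_rangetrans_target(cupsd_t)` is also dropped; if `init_ranged_daemon_domain` in the enable_mls block does not already make cupsd_t a range-transition target, the ranged startup will stop working, so that is worth confirming before merge. The `auth_domtrans_upd_passwd_chk` and `files_read_var_lib_files` substitutions look like straightforward interface renames and need no comment.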
@@ -5249,29 +5342,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups -# redhat bug #214953 -# cjp: this might be a broken behavior -files_dontaudit_getattr_all_tmp_files(cupsd_t) -+ -+# smbspool is iterating through all existing tmp files. -+# Looking for kerberos files -+files_getattr_all_tmp_files(cupsd_t) -+files_read_all_tmp_files(cupsd_t) -+files_dontaudit_getattr_all_tmp_sockets(cupsd_t) selinux_compute_access_vector(cupsd_t) ++selinux_validate_context(cupsd_t) init_exec_script_files(cupsd_t) -+init_dontaudit_rw_utmp(cupsd_t) - libs_use_ld_so(cupsd_t) - libs_use_shared_libs(cupsd_t) -@@ -214,6 +220,7 @@ +@@ -213,6 +213,7 @@ + # Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.* libs_read_lib_files(cupsd_t) - logging_send_syslog_msg(cupsd_t) +logging_send_audit_msgs(cupsd_t) + logging_send_syslog_msg(cupsd_t) miscfiles_read_localization(cupsd_t) - # invoking ghostscript needs to read fonts -@@ -223,6 +230,7 @@ +@@ -223,25 +224,27 @@ sysnet_read_config(cupsd_t) 
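Review bot: `selinux_validate_context(cupsd_t)` is added directly under `selinux_compute_access_vector(cupsd_t)` with no comment explaining which cupsd code path validates contexts (job labeling under MLS seems likely, but the hunk does not say); a short `# <reason> — TODO confirm` comment above the call would help. The hunk also removes `init_dontaudit_rw_utmp(cupsd_t)` from this spot without a replacement, so if cupsd still touches utmp those accesses will now produce audit denials instead of being silenced — intended or not, that consequence should be stated in the patch. The smbspool tmp-file block is moved rather than deleted; its new home is in the last hunk, which runs past the end of this view.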
@@ -5279,40 +5364,166 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups userdom_dontaudit_use_unpriv_user_fds(cupsd_t) userdom_dontaudit_search_all_users_home_content(cupsd_t) -@@ -233,6 +241,10 @@ + # Write to /var/spool/cups. + lpd_manage_spool(cupsd_t) ++lpd_read_config(cupsd_t) + + ifdef(`enable_mls',` lpd_relabel_spool(cupsd_t) ') +-ifdef(`targeted_policy',` +- files_dontaudit_read_root_files(cupsd_t) +- +- term_dontaudit_use_unallocated_ttys(cupsd_t) +- term_dontaudit_use_generic_ptys(cupsd_t) +optional_policy(` + avahi_dbus_chat(cupsd_t) +') -+ - ifdef(`targeted_policy',` - files_dontaudit_read_root_files(cupsd_t) -@@ -284,6 +296,10 @@ ++optional_policy(` + init_stream_connect_script(cupsd_t) + + unconfined_rw_pipes(cupsd_t) ++ unconfined_rw_stream_sockets(cupsd_t) + + optional_policy(` + init_dbus_chat_script(cupsd_t) +@@ -284,16 +287,16 @@ ') optional_policy(` -+ nis_use_ypbind(cupsd_t) +- nscd_socket_use(cupsd_t) +-') +- +-optional_policy(` + # cups execs smbtool which reads samba_etc_t files + samba_read_config(cupsd_t) + samba_rw_var_files(cupsd_t) + ') + + optional_policy(` ++ mta_send_mail(cupsd_t) +') + +optional_policy(` - nscd_socket_use(cupsd_t) + seutil_sigchld_newrole(cupsd_t) ') -@@ -294,6 +310,10 @@ +@@ -341,7 +344,8 @@ + kernel_read_system_state(cupsd_config_t) + kernel_read_kernel_sysctls(cupsd_config_t) + +-corenet_non_ipsec_sendrecv(cupsd_config_t) ++corenet_all_recvfrom_unlabeled(cupsd_config_t) ++corenet_all_recvfrom_netlabel(cupsd_config_t) + corenet_tcp_sendrecv_all_if(cupsd_config_t) + corenet_tcp_sendrecv_all_nodes(cupsd_config_t) + corenet_tcp_sendrecv_all_ports(cupsd_config_t) +@@ -351,6 +355,7 @@ + dev_read_sysfs(cupsd_config_t) + dev_read_urand(cupsd_config_t) + dev_read_rand(cupsd_config_t) ++dev_rw_generic_usb_dev(cupsd_config_t) + + fs_getattr_all_fs(cupsd_config_t) + fs_search_auto_mountpoints(cupsd_config_t) +@@ -396,12 +401,11 @@ + ') ') - optional_policy(` -+ sendmail_domtrans(cupsd_t) 
+-ifdef(`targeted_policy',` +- files_dontaudit_read_root_files(cupsd_config_t) +- +- term_dontaudit_use_unallocated_ttys(cupsd_config_t) ++optional_policy(` + term_use_generic_ptys(cupsd_config_t) +') -+ + +optional_policy(` - seutil_sigchld_newrole(cupsd_t) + unconfined_rw_pipes(cupsd_config_t) + ') + +@@ -422,6 +426,7 @@ + optional_policy(` + hal_domtrans(cupsd_config_t) + hal_read_tmp_files(cupsd_config_t) ++ hal_dontaudit_use_fds(hplip_t) ') -@@ -587,7 +607,7 @@ + optional_policy(` +@@ -492,7 +497,8 @@ + kernel_read_system_state(cupsd_lpd_t) + kernel_read_network_state(cupsd_lpd_t) + +-corenet_non_ipsec_sendrecv(cupsd_lpd_t) ++corenet_all_recvfrom_unlabeled(cupsd_lpd_t) ++corenet_all_recvfrom_netlabel(cupsd_lpd_t) + corenet_tcp_sendrecv_all_if(cupsd_lpd_t) + corenet_udp_sendrecv_all_if(cupsd_lpd_t) + corenet_tcp_sendrecv_all_nodes(cupsd_lpd_t) +@@ -510,6 +516,8 @@ + + files_read_etc_files(cupsd_lpd_t) + ++auth_use_nsswitch(cupsd_lpd_t) ++ + libs_use_ld_so(cupsd_lpd_t) + libs_use_shared_libs(cupsd_lpd_t) + +@@ -517,22 +525,12 @@ + + miscfiles_read_localization(cupsd_lpd_t) + +-sysnet_read_config(cupsd_lpd_t) +- + cups_stream_connect(cupsd_lpd_t) + + optional_policy(` + inetd_service_domain(cupsd_lpd_t,cupsd_lpd_exec_t) + ') + +-optional_policy(` +- nis_use_ypbind(cupsd_lpd_t) +-') +- +-optional_policy(` +- nscd_socket_use(cupsd_lpd_t) +-') +- + ######################################## + # + # HPLIP local policy +@@ -550,14 +548,12 @@ + allow hplip_t self:udp_socket create_socket_perms; + allow hplip_t self:rawip_socket create_socket_perms; + +-allow hplip_t cupsd_etc_t:dir search; ++allow hplip_t cupsd_etc_t:dir search_dir_perms; + + cups_stream_connect(hplip_t) +- +-allow hplip_t hplip_etc_t:dir list_dir_perms; +-read_files_pattern(hplip_t,hplip_etc_t,hplip_etc_t) +-read_lnk_files_pattern(hplip_t,hplip_etc_t,hplip_etc_t) +-files_search_etc(hplip_t) ++# For CUPS to run as a backend ++allow cupsd_t hplip_t:process signal; ++allow hplip_t 
cupsd_t:unix_stream_socket connected_stream_socket_perms; + + manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t) + files_pid_filetrans(hplip_t,hplip_var_run_t,file) +@@ -565,7 +561,8 @@ + kernel_read_system_state(hplip_t) + kernel_read_kernel_sysctls(hplip_t) + +-corenet_non_ipsec_sendrecv(hplip_t) ++corenet_all_recvfrom_unlabeled(hplip_t) ++corenet_all_recvfrom_netlabel(hplip_t) + corenet_tcp_sendrecv_all_if(hplip_t) + corenet_udp_sendrecv_all_if(hplip_t) + corenet_raw_sendrecv_all_if(hplip_t) +@@ -587,7 +584,7 @@ dev_read_urand(hplip_t) dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) 
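Review bot: `hal_dontaudit_use_fds(hplip_t)` is inserted into the hal optional block of the cupsd_config_t section, so a rule about hplip_t now lives under the wrong domain heading; it belongs in the HPLIP section's own optional_policy block. Similarly, the lines under `# For CUPS to run as a backend` place `allow cupsd_t hplip_t:process signal;` in the HPLIP section, while the cups section already gains `allow cupsd_t hplip_t:process sigkill;` in the -5208 hunk — merging them in the cups section as `allow cupsd_t hplip_t:process { signal sigkill };` removes the split. Replacing the `ifdef(\`targeted_policy'` guard around `term_use_generic_ptys(cupsd_config_t)` with `optional_policy(` changes its scope from targeted-only to every policy flavor (the term module is always present, so the optional wrapper never disables it); if that broadening is intended, a comment saying so would stop the next reader from reverting it. This outer hunk begins at the -5279 header and covers several file sections; the -5321 hunk that follows is cut off by the end of the view.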
@@ -5321,6 +5532,831 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups fs_getattr_all_fs(hplip_t) fs_search_auto_mountpoints(hplip_t) +@@ -614,13 +611,7 @@ + userdom_dontaudit_search_sysadm_home_dirs(hplip_t) + userdom_dontaudit_search_all_users_home_content(hplip_t) + +-lpd_read_config(cupsd_t) +- +-ifdef(`targeted_policy', ` +- term_dontaudit_use_unallocated_ttys(hplip_t) +- term_dontaudit_use_generic_ptys(hplip_t) +- files_dontaudit_read_root_files(hplip_t) +-') ++lpd_manage_spool(hplip_t) + + optional_policy(` + seutil_sigchld_newrole(hplip_t) +@@ -662,7 +653,8 @@ + kernel_list_proc(ptal_t) + kernel_read_proc_symlinks(ptal_t) + +-corenet_non_ipsec_sendrecv(ptal_t) ++corenet_all_recvfrom_unlabeled(ptal_t) ++corenet_all_recvfrom_netlabel(ptal_t) + corenet_tcp_sendrecv_all_if(ptal_t) + corenet_tcp_sendrecv_all_nodes(ptal_t) + corenet_tcp_sendrecv_all_ports(ptal_t) +@@ -693,12 +685,6 @@ + userdom_dontaudit_use_unpriv_user_fds(ptal_t) + userdom_dontaudit_search_all_users_home_content(ptal_t) + +-ifdef(`targeted_policy', ` +- term_dontaudit_use_unallocated_ttys(ptal_t) +- term_dontaudit_use_generic_ptys(ptal_t) +- files_dontaudit_read_root_files(ptal_t) +-') +- + optional_policy(` + seutil_sigchld_newrole(ptal_t) + ') +@@ -706,3 +692,54 @@ + optional_policy(` + udev_read_db(ptal_t) + ') ++ ++ ++# This whole section needs to be moved to a smbspool policy ++# smbspool seems to be iterating through all existing tmp files. 
++# Looking for kerberos files ++files_getattr_all_tmp_files(cupsd_t) ++userdom_read_unpriv_users_tmp_files(cupsd_t) ++files_dontaudit_getattr_all_tmp_sockets(cupsd_t) ++ ++optional_policy(` ++ unconfined_read_tmp_files(cupsd_t) ++') ++ ++ifdef(`targeted_policy',` ++ term_dontaudit_use_unallocated_ttys(cupsd_t) ++ term_dontaudit_use_generic_ptys(cupsd_t) ++ ++ init_stream_connect_script(cupsd_t) ++ ++ unconfined_rw_pipes(cupsd_t) ++ ++ optional_policy(` ++ init_dbus_chat_script(cupsd_t) ++ ++ unconfined_dbus_send(cupsd_t) ++ ++ dbus_stub(cupsd_t) ++ ') ++') ++ ++ifdef(`targeted_policy',` ++ files_dontaudit_read_root_files(cupsd_config_t) ++ ++ term_dontaudit_use_unallocated_ttys(cupsd_config_t) ++ term_use_generic_ptys(cupsd_config_t) ++ ++ unconfined_rw_pipes(cupsd_config_t) ++') ++ ++ifdef(`targeted_policy', ` ++ term_dontaudit_use_unallocated_ttys(hplip_t) ++ term_dontaudit_use_generic_ptys(hplip_t) ++ files_dontaudit_read_root_files(hplip_t) ++') ++ ++ifdef(`targeted_policy', ` ++ term_dontaudit_use_unallocated_ttys(ptal_t) ++ term_dontaudit_use_generic_ptys(ptal_t) ++ files_dontaudit_read_root_files(ptal_t) ++') ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te.old serefpolicy-2.6.4/policy/modules/services/cups.te.old +--- nsaserefpolicy/policy/modules/services/cups.te.old 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-2.6.4/policy/modules/services/cups.te.old 2007-12-12 10:15:46.000000000 -0500 +@@ -0,0 +1,728 @@ ++ ++policy_module(cups,1.6.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type cupsd_config_t; ++type cupsd_config_exec_t; ++init_daemon_domain(cupsd_config_t,cupsd_config_exec_t) ++ ++type cupsd_config_var_run_t; ++files_pid_file(cupsd_config_var_run_t) ++ ++type cupsd_t; ++type cupsd_exec_t; ++init_daemon_domain(cupsd_t,cupsd_exec_t) ++ ++type cupsd_etc_t; ++files_config_file(cupsd_etc_t) ++ ++type cupsd_rw_etc_t; ++files_config_file(cupsd_rw_etc_t) ++ ++type cupsd_log_t; 
++logging_log_file(cupsd_log_t) ++ ++type cupsd_lpd_t; ++type cupsd_lpd_exec_t; ++domain_type(cupsd_lpd_t) ++domain_entry_file(cupsd_lpd_t,cupsd_lpd_exec_t) ++role system_r types cupsd_lpd_t; ++ ++type cupsd_lpd_tmp_t; ++files_tmp_file(cupsd_lpd_tmp_t) ++ ++type cupsd_lpd_var_run_t; ++files_pid_file(cupsd_lpd_var_run_t) ++ ++type cupsd_tmp_t; ++files_tmp_file(cupsd_tmp_t) ++ ++type cupsd_var_run_t; ++files_pid_file(cupsd_var_run_t) ++mls_trusted_object(cupsd_var_run_t) ++ ++type hplip_t; ++type hplip_exec_t; ++init_daemon_domain(hplip_t,hplip_exec_t) ++ ++type hplip_etc_t; ++files_config_file(hplip_etc_t) ++ ++type hplip_var_run_t; ++files_pid_file(hplip_var_run_t) ++ ++type ptal_t; ++type ptal_exec_t; ++init_daemon_domain(ptal_t,ptal_exec_t) ++ ++type ptal_etc_t; ++files_config_file(ptal_etc_t) ++ ++type ptal_var_run_t; ++files_pid_file(ptal_var_run_t) ++ ++ifdef(`enable_mcs',` ++ init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,s0 - mcs_systemhigh) ++') ++ ++ifdef(`enable_mls',` ++ init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,mls_systemhigh) ++') ++ ++######################################## ++# ++# Cups local policy ++# ++ ++# /usr/lib/cups/backend/serial needs sys_admin(?!) 
++allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config }; ++dontaudit cupsd_t self:capability { sys_tty_config net_admin }; ++allow cupsd_t self:process { setsched signal_perms }; ++allow cupsd_t self:fifo_file rw_file_perms; ++allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++allow cupsd_t self:unix_dgram_socket create_socket_perms; ++allow cupsd_t self:netlink_selinux_socket create_socket_perms; ++allow cupsd_t self:netlink_route_socket r_netlink_socket_perms; ++allow cupsd_t self:shm create_shm_perms; ++allow cupsd_t self:tcp_socket create_stream_socket_perms; ++allow cupsd_t self:udp_socket create_socket_perms; ++allow cupsd_t self:appletalk_socket create_socket_perms; ++# generic socket here until appletalk socket is available in kernels ++allow cupsd_t self:socket create_socket_perms; ++ ++allow cupsd_t cupsd_etc_t:{ dir file } setattr; ++read_files_pattern(cupsd_t,cupsd_etc_t,cupsd_etc_t) ++read_lnk_files_pattern(cupsd_t,cupsd_etc_t,cupsd_etc_t) ++files_search_etc(cupsd_t) ++ ++manage_dirs_pattern(cupsd_t,cupsd_etc_t,cupsd_rw_etc_t) ++manage_files_pattern(cupsd_t,cupsd_etc_t,cupsd_rw_etc_t) ++filetrans_pattern(cupsd_t,cupsd_etc_t,cupsd_rw_etc_t,file) ++files_var_filetrans(cupsd_t,cupsd_rw_etc_t,{ dir file }) ++ ++# allow cups to execute its backend scripts ++can_exec(cupsd_t, cupsd_exec_t) ++allow cupsd_t cupsd_exec_t:dir search_dir_perms; ++allow cupsd_t cupsd_exec_t:lnk_file read; ++ ++manage_files_pattern(cupsd_t,cupsd_log_t,cupsd_log_t) ++allow cupsd_t cupsd_log_t:dir setattr; ++logging_log_filetrans(cupsd_t,cupsd_log_t,{ file dir }) ++ ++manage_dirs_pattern(cupsd_t,cupsd_tmp_t,cupsd_tmp_t) ++manage_files_pattern(cupsd_t,cupsd_tmp_t,cupsd_tmp_t) ++manage_fifo_files_pattern(cupsd_t,cupsd_tmp_t,cupsd_tmp_t) ++files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file }) ++ ++allow cupsd_t cupsd_var_run_t:dir 
setattr; ++manage_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t) ++manage_sock_files_pattern(cupsd_t,cupsd_var_run_t,cupsd_var_run_t) ++files_pid_filetrans(cupsd_t,cupsd_var_run_t,file) ++ ++read_files_pattern(cupsd_t,hplip_etc_t,hplip_etc_t) ++ ++allow cupsd_t hplip_var_run_t:file { read getattr }; ++ ++stream_connect_pattern(cupsd_t,ptal_var_run_t,ptal_var_run_t,ptal_t) ++allow cupsd_t ptal_var_run_t : sock_file setattr; ++ ++kernel_read_system_state(cupsd_t) ++kernel_read_network_state(cupsd_t) ++kernel_read_all_sysctls(cupsd_t) ++ ++corenet_non_ipsec_sendrecv(cupsd_t) ++corenet_tcp_sendrecv_all_if(cupsd_t) ++corenet_udp_sendrecv_all_if(cupsd_t) ++corenet_raw_sendrecv_all_if(cupsd_t) ++corenet_tcp_sendrecv_all_nodes(cupsd_t) ++corenet_udp_sendrecv_all_nodes(cupsd_t) ++corenet_raw_sendrecv_all_nodes(cupsd_t) ++corenet_tcp_sendrecv_all_ports(cupsd_t) ++corenet_udp_sendrecv_all_ports(cupsd_t) ++corenet_tcp_bind_all_nodes(cupsd_t) ++corenet_udp_bind_all_nodes(cupsd_t) ++corenet_tcp_bind_ipp_port(cupsd_t) ++corenet_udp_bind_ipp_port(cupsd_t) ++corenet_tcp_bind_reserved_port(cupsd_t) ++corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) ++corenet_tcp_connect_all_ports(cupsd_t) ++corenet_tcp_connect_smbd_port(cupsd_t) ++corenet_sendrecv_hplip_client_packets(cupsd_t) ++corenet_sendrecv_ipp_client_packets(cupsd_t) ++corenet_sendrecv_ipp_server_packets(cupsd_t) ++corenet_tcp_bind_all_rpc_ports(cupsd_t) ++ ++dev_rw_printer(cupsd_t) ++dev_read_urand(cupsd_t) ++dev_read_sysfs(cupsd_t) ++dev_rw_usbfs(cupsd_t) ++dev_getattr_printer_dev(cupsd_t) ++ ++domain_read_all_domains_state(cupsd_t) ++ ++fs_getattr_all_fs(cupsd_t) ++fs_search_auto_mountpoints(cupsd_t) ++fs_read_anon_inodefs_files(cupsd_t) ++ ++mls_fd_use_all_levels(cupsd_t) ++mls_file_downgrade(cupsd_t) ++mls_file_write_down(cupsd_t) ++mls_file_read_up(cupsd_t) ++mls_rangetrans_target(cupsd_t) ++mls_socket_write_all_levels(cupsd_t) ++ ++term_use_unallocated_ttys(cupsd_t) ++term_search_ptys(cupsd_t) ++ 
++auth_domtrans_chk_passwd(cupsd_t) ++auth_domtrans_upd_passwd(cupsd_t) ++auth_dontaudit_read_pam_pid(cupsd_t) ++ ++# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp ++corecmd_exec_shell(cupsd_t) ++corecmd_exec_bin(cupsd_t) ++ ++domain_use_interactive_fds(cupsd_t) ++ ++files_read_etc_files(cupsd_t) ++files_read_etc_runtime_files(cupsd_t) ++# read python modules ++files_read_usr_files(cupsd_t) ++# for /var/lib/defoma ++files_search_var_lib(cupsd_t) ++files_list_world_readable(cupsd_t) ++files_read_world_readable_files(cupsd_t) ++files_read_world_readable_symlinks(cupsd_t) ++# Satisfy readahead ++files_read_var_files(cupsd_t) ++files_read_var_symlinks(cupsd_t) ++# for /etc/printcap ++files_dontaudit_write_etc_files(cupsd_t) ++ ++# smbspool is iterating through all existing tmp files. ++# Looking for kerberos files ++files_getattr_all_tmp_files(cupsd_t) ++files_read_all_tmp_files(cupsd_t) ++files_dontaudit_getattr_all_tmp_sockets(cupsd_t) ++ ++selinux_compute_access_vector(cupsd_t) ++ ++init_exec_script_files(cupsd_t) ++init_dontaudit_rw_utmp(cupsd_t) ++ ++libs_use_ld_so(cupsd_t) ++libs_use_shared_libs(cupsd_t) ++# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.* ++libs_read_lib_files(cupsd_t) ++ ++logging_send_syslog_msg(cupsd_t) ++logging_send_audit_msgs(cupsd_t) ++ ++miscfiles_read_localization(cupsd_t) ++# invoking ghostscript needs to read fonts ++miscfiles_read_fonts(cupsd_t) ++ ++seutil_read_config(cupsd_t) ++ ++sysnet_read_config(cupsd_t) ++ ++files_dontaudit_list_home(cupsd_t) ++userdom_dontaudit_use_unpriv_user_fds(cupsd_t) ++userdom_dontaudit_search_all_users_home_content(cupsd_t) ++ ++# Write to /var/spool/cups. 
++lpd_manage_spool(cupsd_t) ++ ++ifdef(`enable_mls',` ++ lpd_relabel_spool(cupsd_t) ++') ++ ++optional_policy(` ++ avahi_dbus_chat(cupsd_t) ++') ++ ++ifdef(`targeted_policy',` ++ files_dontaudit_read_root_files(cupsd_t) ++ ++ term_dontaudit_use_unallocated_ttys(cupsd_t) ++ term_dontaudit_use_generic_ptys(cupsd_t) ++ ++ init_stream_connect_script(cupsd_t) ++ ++ unconfined_rw_pipes(cupsd_t) ++ ++ optional_policy(` ++ init_dbus_chat_script(cupsd_t) ++ ++ unconfined_dbus_send(cupsd_t) ++ ++ dbus_stub(cupsd_t) ++ ') ++') ++ ++optional_policy(` ++ apm_domtrans_client(cupsd_t) ++') ++ ++optional_policy(` ++ cron_system_entry(cupsd_t, cupsd_exec_t) ++') ++ ++optional_policy(` ++ dbus_system_bus_client_template(cupsd,cupsd_t) ++ dbus_send_system_bus(cupsd_t) ++ ++ userdom_dbus_send_all_users(cupsd_t) ++ ++ optional_policy(` ++ hal_dbus_chat(cupsd_t) ++ ') ++') ++ ++optional_policy(` ++ hostname_exec(cupsd_t) ++') ++ ++optional_policy(` ++ inetd_core_service_domain(cupsd_t,cupsd_exec_t,cupsd_t) ++') ++ ++optional_policy(` ++ logrotate_domtrans(cupsd_t) ++') ++ ++optional_policy(` ++ nis_use_ypbind(cupsd_t) ++') ++ ++optional_policy(` ++ nscd_socket_use(cupsd_t) ++') ++ ++optional_policy(` ++ # cups execs smbtool which reads samba_etc_t files ++ samba_read_config(cupsd_t) ++ samba_rw_var_files(cupsd_t) ++') ++ ++optional_policy(` ++ sendmail_domtrans(cupsd_t) ++') ++ ++optional_policy(` ++ seutil_sigchld_newrole(cupsd_t) ++') ++ ++optional_policy(` ++ udev_read_db(cupsd_t) ++') ++ ++######################################## ++# ++# Cups configuration daemon local policy ++# ++ ++allow cupsd_config_t self:capability { chown sys_tty_config }; ++dontaudit cupsd_config_t self:capability sys_tty_config; ++allow cupsd_config_t self:process signal_perms; ++allow cupsd_config_t self:fifo_file rw_fifo_file_perms; ++allow cupsd_config_t self:unix_stream_socket create_socket_perms; ++allow cupsd_config_t self:unix_dgram_socket create_socket_perms; ++allow cupsd_config_t self:tcp_socket 
create_stream_socket_perms; ++allow cupsd_config_t self:netlink_route_socket r_netlink_socket_perms; ++ ++allow cupsd_config_t cupsd_t:process signal; ++ps_process_pattern(cupsd_config_t,cupsd_t) ++ ++manage_files_pattern(cupsd_config_t,cupsd_etc_t,cupsd_etc_t) ++manage_lnk_files_pattern(cupsd_config_t,cupsd_etc_t,cupsd_etc_t) ++filetrans_pattern(cupsd_config_t,cupsd_etc_t,cupsd_rw_etc_t,file) ++ ++manage_files_pattern(cupsd_config_t,cupsd_rw_etc_t,cupsd_rw_etc_t) ++manage_lnk_files_pattern(cupsd_config_t,cupsd_rw_etc_t,cupsd_rw_etc_t) ++files_var_filetrans(cupsd_config_t,cupsd_rw_etc_t,file) ++ ++can_exec(cupsd_config_t, cupsd_config_exec_t) ++ ++allow cupsd_config_t cupsd_log_t:file rw_file_perms; ++ ++allow cupsd_config_t cupsd_tmp_t:file manage_file_perms; ++files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { file dir }) ++ ++allow cupsd_config_t cupsd_var_run_t:file { getattr read }; ++ ++manage_files_pattern(cupsd_config_t,cupsd_config_var_run_t,cupsd_config_var_run_t) ++files_pid_filetrans(cupsd_config_t,cupsd_config_var_run_t,file) ++ ++kernel_read_system_state(cupsd_config_t) ++kernel_read_kernel_sysctls(cupsd_config_t) ++ ++corenet_non_ipsec_sendrecv(cupsd_config_t) ++corenet_tcp_sendrecv_all_if(cupsd_config_t) ++corenet_tcp_sendrecv_all_nodes(cupsd_config_t) ++corenet_tcp_sendrecv_all_ports(cupsd_config_t) ++corenet_tcp_connect_all_ports(cupsd_config_t) ++corenet_sendrecv_all_client_packets(cupsd_config_t) ++ ++dev_read_sysfs(cupsd_config_t) ++dev_read_urand(cupsd_config_t) ++dev_read_rand(cupsd_config_t) ++ ++fs_getattr_all_fs(cupsd_config_t) ++fs_search_auto_mountpoints(cupsd_config_t) ++ ++corecmd_exec_bin(cupsd_config_t) ++corecmd_exec_shell(cupsd_config_t) ++ ++domain_use_interactive_fds(cupsd_config_t) ++# killall causes the following ++domain_dontaudit_search_all_domains_state(cupsd_config_t) ++ ++files_read_usr_files(cupsd_config_t) ++files_read_etc_files(cupsd_config_t) ++files_read_etc_runtime_files(cupsd_config_t) 
++files_read_var_symlinks(cupsd_config_t)
++
++# Alternatives asks for this
++init_getattr_script_files(cupsd_config_t)
++
++libs_use_ld_so(cupsd_config_t)
++libs_use_shared_libs(cupsd_config_t)
++
++logging_send_syslog_msg(cupsd_config_t)
++
++miscfiles_read_localization(cupsd_config_t)
++
++seutil_dontaudit_search_config(cupsd_config_t)
++
++sysnet_read_config(cupsd_config_t)
++
++userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
++userdom_dontaudit_search_sysadm_home_dirs(cupsd_config_t)
++
++lpd_read_config(cupsd_config_t)
++
++cups_stream_connect(cupsd_config_t)
++
++ifdef(`distro_redhat',`
++ init_getattr_script_files(cupsd_config_t)
++
++ optional_policy(`
++ rpm_read_db(cupsd_config_t)
++ ')
++')
++
++ifdef(`targeted_policy',`
++ files_dontaudit_read_root_files(cupsd_config_t)
++
++ term_dontaudit_use_unallocated_ttys(cupsd_config_t)
++ term_use_generic_ptys(cupsd_config_t)
++
++ unconfined_rw_pipes(cupsd_config_t)
++')
++
++optional_policy(`
++ cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
++')
++
++optional_policy(`
++ dbus_system_bus_client_template(cupsd_config,cupsd_config_t)
++ dbus_connect_system_bus(cupsd_config_t)
++ dbus_send_system_bus(cupsd_config_t)
++
++ optional_policy(`
++ hal_dbus_chat(cupsd_config_t)
++ ')
++')
++
++optional_policy(`
++ hal_domtrans(cupsd_config_t)
++ hal_read_tmp_files(cupsd_config_t)
++')
++
++optional_policy(`
++ hostname_exec(cupsd_config_t)
++')
++
++optional_policy(`
++ logrotate_use_fds(cupsd_config_t)
++')
++
++optional_policy(`
++ nis_use_ypbind(cupsd_config_t)
++')
++
++optional_policy(`
++ nscd_socket_use(cupsd_config_t)
++')
++
++optional_policy(`
++ rpm_read_db(cupsd_config_t)
++')
++
++optional_policy(`
++ seutil_sigchld_newrole(cupsd_config_t)
++')
++
++optional_policy(`
++ udev_read_db(cupsd_config_t)
++')
++
++########################################
++#
++# Cups lpd support
++#
++
++allow cupsd_lpd_t self:process signal_perms;
++allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms;
++allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms;
++allow cupsd_lpd_t self:udp_socket create_socket_perms;
++allow cupsd_lpd_t self:netlink_route_socket r_netlink_socket_perms;
++
++# for identd
++# cjp: this should probably only be inetd_child rules?
++allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
++allow cupsd_lpd_t self:capability { setuid setgid };
++files_search_home(cupsd_lpd_t)
++optional_policy(`
++ kerberos_use(cupsd_lpd_t)
++')
++#end for identd
++
++allow cupsd_lpd_t cupsd_etc_t:dir list_dir_perms;
++read_files_pattern(cupsd_lpd_t,cupsd_etc_t,cupsd_etc_t)
++read_lnk_files_pattern(cupsd_lpd_t,cupsd_etc_t,cupsd_etc_t)
++
++allow cupsd_lpd_t cupsd_rw_etc_t:dir list_dir_perms;
++read_files_pattern(cupsd_lpd_t,cupsd_rw_etc_t,cupsd_rw_etc_t)
++read_lnk_files_pattern(cupsd_lpd_t,cupsd_rw_etc_t,cupsd_rw_etc_t)
++
++manage_dirs_pattern(cupsd_lpd_t,cupsd_lpd_tmp_t,cupsd_lpd_tmp_t)
++manage_files_pattern(cupsd_lpd_t,cupsd_lpd_tmp_t,cupsd_lpd_tmp_t)
++files_tmp_filetrans(cupsd_lpd_t, cupsd_lpd_tmp_t, { file dir })
++
++manage_files_pattern(cupsd_lpd_t,cupsd_lpd_var_run_t,cupsd_lpd_var_run_t)
++files_pid_filetrans(cupsd_lpd_t,cupsd_lpd_var_run_t,file)
++
++kernel_read_kernel_sysctls(cupsd_lpd_t)
++kernel_read_system_state(cupsd_lpd_t)
++kernel_read_network_state(cupsd_lpd_t)
++
++corenet_non_ipsec_sendrecv(cupsd_lpd_t)
++corenet_tcp_sendrecv_all_if(cupsd_lpd_t)
++corenet_udp_sendrecv_all_if(cupsd_lpd_t)
++corenet_tcp_sendrecv_all_nodes(cupsd_lpd_t)
++corenet_udp_sendrecv_all_nodes(cupsd_lpd_t)
++corenet_tcp_sendrecv_all_ports(cupsd_lpd_t)
++corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
++corenet_tcp_bind_all_nodes(cupsd_lpd_t)
++corenet_udp_bind_all_nodes(cupsd_lpd_t)
++corenet_tcp_connect_ipp_port(cupsd_lpd_t)
++
++dev_read_urand(cupsd_lpd_t)
++dev_read_rand(cupsd_lpd_t)
++
++fs_getattr_xattr_fs(cupsd_lpd_t)
++
++files_read_etc_files(cupsd_lpd_t)
++
++libs_use_ld_so(cupsd_lpd_t)
++libs_use_shared_libs(cupsd_lpd_t)
++
++logging_send_syslog_msg(cupsd_lpd_t)
++
++miscfiles_read_localization(cupsd_lpd_t)
++
++sysnet_read_config(cupsd_lpd_t)
++
++cups_stream_connect(cupsd_lpd_t)
++
++optional_policy(`
++ inetd_service_domain(cupsd_lpd_t,cupsd_lpd_exec_t)
++')
++
++optional_policy(`
++ nis_use_ypbind(cupsd_lpd_t)
++')
++
++optional_policy(`
++ nscd_socket_use(cupsd_lpd_t)
++')
++
++########################################
++#
++# HPLIP local policy
++#
++
++# Needed for USB Scanneer and xsane
++allow hplip_t self:capability { dac_override dac_read_search net_raw };
++dontaudit hplip_t self:capability sys_tty_config;
++allow hplip_t self:fifo_file rw_fifo_file_perms;
++allow hplip_t self:process signal_perms;
++allow hplip_t self:unix_dgram_socket create_socket_perms;
++allow hplip_t self:unix_stream_socket create_socket_perms;
++allow hplip_t self:netlink_route_socket r_netlink_socket_perms;
++allow hplip_t self:tcp_socket create_stream_socket_perms;
++allow hplip_t self:udp_socket create_socket_perms;
++allow hplip_t self:rawip_socket create_socket_perms;
++
++allow hplip_t cupsd_etc_t:dir search;
++
++cups_stream_connect(hplip_t)
++
++allow hplip_t hplip_etc_t:dir list_dir_perms;
++read_files_pattern(hplip_t,hplip_etc_t,hplip_etc_t)
++read_lnk_files_pattern(hplip_t,hplip_etc_t,hplip_etc_t)
++files_search_etc(hplip_t)
++
++manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t)
++files_pid_filetrans(hplip_t,hplip_var_run_t,file)
++
++kernel_read_system_state(hplip_t)
++kernel_read_kernel_sysctls(hplip_t)
++
++corenet_non_ipsec_sendrecv(hplip_t)
++corenet_tcp_sendrecv_all_if(hplip_t)
++corenet_udp_sendrecv_all_if(hplip_t)
++corenet_raw_sendrecv_all_if(hplip_t)
++corenet_tcp_sendrecv_all_nodes(hplip_t)
++corenet_udp_sendrecv_all_nodes(hplip_t)
++corenet_raw_sendrecv_all_nodes(hplip_t)
++corenet_tcp_sendrecv_all_ports(hplip_t)
++corenet_udp_sendrecv_all_ports(hplip_t)
++corenet_tcp_bind_all_nodes(hplip_t)
++corenet_udp_bind_all_nodes(hplip_t)
++corenet_tcp_bind_hplip_port(hplip_t)
++corenet_tcp_connect_hplip_port(hplip_t)
++corenet_tcp_connect_ipp_port(hplip_t)
++corenet_sendrecv_hplip_client_packets(hplip_t)
++corenet_receive_hplip_server_packets(hplip_t)
++
++dev_read_sysfs(hplip_t)
++dev_rw_printer(hplip_t)
++dev_read_urand(hplip_t)
++dev_read_rand(hplip_t)
++dev_rw_generic_usb_dev(hplip_t)
++dev_rw_usbfs(hplip_t)
++
++fs_getattr_all_fs(hplip_t)
++fs_search_auto_mountpoints(hplip_t)
++
++# for python
++corecmd_exec_bin(hplip_t)
++
++domain_use_interactive_fds(hplip_t)
++
++files_read_etc_files(hplip_t)
++files_read_etc_runtime_files(hplip_t)
++files_read_usr_files(hplip_t)
++
++libs_use_ld_so(hplip_t)
++libs_use_shared_libs(hplip_t)
++
++logging_send_syslog_msg(hplip_t)
++
++miscfiles_read_localization(hplip_t)
++
++sysnet_read_config(hplip_t)
++
++userdom_dontaudit_use_unpriv_user_fds(hplip_t)
++userdom_dontaudit_search_sysadm_home_dirs(hplip_t)
++userdom_dontaudit_search_all_users_home_content(hplip_t)
++
++lpd_read_config(cupsd_t)
++
++ifdef(`targeted_policy', `
++ term_dontaudit_use_unallocated_ttys(hplip_t)
++ term_dontaudit_use_generic_ptys(hplip_t)
++ files_dontaudit_read_root_files(hplip_t)
++')
++
++optional_policy(`
++ seutil_sigchld_newrole(hplip_t)
++')
++
++optional_policy(`
++ snmp_read_snmp_var_lib_files(hplip_t)
++')
++
++optional_policy(`
++ udev_read_db(hplip_t)
++')
++
++########################################
++#
++# PTAL local policy
++#
++
++allow ptal_t self:capability { chown sys_rawio };
++dontaudit ptal_t self:capability sys_tty_config;
++allow ptal_t self:fifo_file rw_fifo_file_perms;
++allow ptal_t self:unix_dgram_socket create_socket_perms;
++allow ptal_t self:unix_stream_socket create_stream_socket_perms;
++allow ptal_t self:tcp_socket create_stream_socket_perms;
++
++allow ptal_t ptal_etc_t:dir list_dir_perms;
++read_files_pattern(ptal_t,ptal_etc_t,ptal_etc_t)
++read_lnk_files_pattern(ptal_t,ptal_etc_t,ptal_etc_t)
++files_search_etc(ptal_t)
++
++manage_dirs_pattern(ptal_t,ptal_var_run_t,ptal_var_run_t)
++manage_files_pattern(ptal_t,ptal_var_run_t,ptal_var_run_t)
++manage_lnk_files_pattern(ptal_t,ptal_var_run_t,ptal_var_run_t)
++manage_fifo_files_pattern(ptal_t,ptal_var_run_t,ptal_var_run_t)
++manage_sock_files_pattern(ptal_t,ptal_var_run_t,ptal_var_run_t)
++files_pid_filetrans(ptal_t,ptal_var_run_t,{ dir file lnk_file sock_file fifo_file })
++
++kernel_read_kernel_sysctls(ptal_t)
++kernel_list_proc(ptal_t)
++kernel_read_proc_symlinks(ptal_t)
++
++corenet_non_ipsec_sendrecv(ptal_t)
++corenet_tcp_sendrecv_all_if(ptal_t)
++corenet_tcp_sendrecv_all_nodes(ptal_t)
++corenet_tcp_sendrecv_all_ports(ptal_t)
++corenet_tcp_bind_all_nodes(ptal_t)
++corenet_tcp_bind_ptal_port(ptal_t)
++
++dev_read_sysfs(ptal_t)
++dev_read_usbfs(ptal_t)
++dev_rw_printer(ptal_t)
++
++fs_getattr_all_fs(ptal_t)
++fs_search_auto_mountpoints(ptal_t)
++
++domain_use_interactive_fds(ptal_t)
++
++files_read_etc_files(ptal_t)
++files_read_etc_runtime_files(ptal_t)
++
++libs_use_ld_so(ptal_t)
++libs_use_shared_libs(ptal_t)
++
++logging_send_syslog_msg(ptal_t)
++
++miscfiles_read_localization(ptal_t)
++
++sysnet_read_config(ptal_t)
++
++userdom_dontaudit_use_unpriv_user_fds(ptal_t)
++userdom_dontaudit_search_all_users_home_content(ptal_t)
++
++ifdef(`targeted_policy', `
++ term_dontaudit_use_unallocated_ttys(ptal_t)
++ term_dontaudit_use_generic_ptys(ptal_t)
++ files_dontaudit_read_root_files(ptal_t)
++')
++
++optional_policy(`
++ seutil_sigchld_newrole(ptal_t)
++')
++
++optional_policy(`
++ udev_read_db(ptal_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-2.6.4/policy/modules/services/cvs.te
 --- nsaserefpolicy/policy/modules/services/cvs.te 2007-05-07 14:51:01.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/services/cvs.te 2007-08-07 09:42:35.000000000 -0400
@@ -5654,7 +6690,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.6.4/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2007-05-07 14:50:57.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/dovecot.te 2007-11-13 16:42:56.000000000 -0500 ++++ serefpolicy-2.6.4/policy/modules/services/dovecot.te 2007-12-06 20:33:54.000000000 -0500 @@ -15,6 +15,12 @@ domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t) role system_r types dovecot_auth_t; @@ -5772,7 +6808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove files_read_usr_symlinks(dovecot_auth_t) files_search_tmp(dovecot_auth_t) files_read_var_lib_files(dovecot_t) -@@ -190,12 +202,58 @@ +@@ -190,12 +202,62 @@ seutil_dontaudit_search_config(dovecot_auth_t) @@ -5810,6 +6846,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove +# +# dovecot deliver local policy +# ++allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; ++ +allow dovecot_deliver_t dovecot_etc_t:file read_file_perms; +allow dovecot_deliver_t dovecot_var_run_t:dir r_dir_perms; + @@ -5824,6 +6862,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove +libs_use_ld_so(dovecot_deliver_t) +libs_use_shared_libs(dovecot_deliver_t) + ++dovecot_auth_stream_connect(dovecot_deliver_t) ++ +miscfiles_read_localization(dovecot_deliver_t) + +optional_policy(` @@ -5838,7 +6878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim --- nsaserefpolicy/policy/modules/services/exim.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-2.6.4/policy/modules/services/exim.fc 2007-10-05 09:28:27.000000000 -0400 
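Review bot: The new `allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;` in the `@@ -5810,6 +6846,8 @@` hunk carries no comment saying what the datagram socket is for, whereas comparable raw allows elsewhere in this patch (`# for identd`) are annotated. If it was added so that deliver can log via syslog, the `logging_send_syslog_msg()` interface in refpolicy typically already grants the self datagram-socket permissions, so the raw allow may be redundant; if it serves another purpose, a one-line note such as `# deliver needs a dgram socket for <purpose — fill in from the denial that prompted this>` would record it for the next maintainer. The same point applies to the `@@ -5824,6 +6862,8 @@` hunk, where `dovecot_auth_stream_connect(dovecot_deliver_t)` would benefit from a comment naming the dovecot-auth socket it connects to. Both additions sit inside the dovecot deliver block whose start and end lie outside these hunks.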
@@ -0,0 +1,16 @@ -+# $Id: policy-20070501.patch,v 1.80 2007/12/03 18:55:51 dwalsh Exp $ ++# $Id: policy-20070501.patch,v 1.81 2007/12/12 15:44:27 dwalsh Exp $ +# Draft SELinux refpolicy module for the Exim MTA +# +# Devin Carraway @@ -6019,7 +7059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim --- nsaserefpolicy/policy/modules/services/exim.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-2.6.4/policy/modules/services/exim.te 2007-10-30 16:46:45.000000000 -0400 @@ -0,0 +1,231 @@ -+# $Id: policy-20070501.patch,v 1.80 2007/12/03 18:55:51 dwalsh Exp $ ++# $Id: policy-20070501.patch,v 1.81 2007/12/12 15:44:27 dwalsh Exp $ +# Draft SELinux refpolicy module for the Exim MTA +# +# Devin Carraway diff --git a/selinux-policy.spec b/selinux-policy.spec index fe7d96e..5868d63 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 2.6.4 -Release: 61%{?dist} +Release: 62%{?dist} License: GPL Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -363,6 +363,10 @@ semodule -b base.pp -r bootloader -r clock -r dpkg -r fstools -r hotplug -r init %endif %changelog +* Wed Dec 12 2007 Dan Walsh 2.6.4-62 +- Fix labeling on * /usr/lib64/cups/backend/hp.* +- Upgrade to Fedora 8 cups policy + * Mon Dec 3 2007 Dan Walsh 2.6.4-61 - Remove duplicate defintion of /opt/Adobe