diff --git a/policy-20071130.patch b/policy-20071130.patch index 6595363..2b116e0 100644 --- a/policy-20071130.patch +++ b/policy-20071130.patch @@ -2205,7 +2205,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.t -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.3.1/policy/modules/admin/logrotate.te --- nsaserefpolicy/policy/modules/admin/logrotate.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/admin/logrotate.te 2008-09-08 11:45:12.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/admin/logrotate.te 2008-09-23 08:36:21.000000000 -0400 @@ -96,9 +96,11 @@ files_read_etc_files(logrotate_t) files_read_etc_runtime_files(logrotate_t) @@ -2218,6 +2218,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota # cjp: why is this needed? init_domtrans_script(logrotate_t) +@@ -161,7 +163,7 @@ + ') + + optional_policy(` +- mailman_exec(logrotate_t) ++ mailman_domtrans(logrotate_t) + mailman_search_data(logrotate_t) + mailman_manage_log(logrotate_t) + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.3.1/policy/modules/admin/logwatch.te --- nsaserefpolicy/policy/modules/admin/logwatch.te 2008-06-12 23:38:01.000000000 -0400 +++ serefpolicy-3.3.1/policy/modules/admin/logwatch.te 2008-09-08 11:45:12.000000000 -0400 @@ -14502,7 +14511,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.3.1/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/cups.te 2008-09-12 13:42:32.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/cups.te 2008-09-22 14:18:58.000000000 -0400 @@ -43,14 +43,13 @@ type cupsd_var_run_t; 
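Review bot: The inserted `@@ -161,7 +163,7 @@` hunk for logrotate.te swaps `mailman_exec(logrotate_t)` for `mailman_domtrans(logrotate_t)`, which means mailman's rotation helper now leaves logrotate_t and runs under mailman's own domain instead of inheriting logrotate's broad log-management rights, but nothing in the patch records why. The cups hunk in this same commit cites a bug number next to its new rule; do the same here with a comment line above the call, e.g. `# run mailman's rotation helper confined in the mailman domain (bug <id>)`, with the real reference in place of the placeholder. The `optional_policy` block is shown in full, so the remaining `mailman_search_data`/`mailman_manage_log` lines are unchanged and still needed for the rotation itself.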
@@ -14599,7 +14608,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups allow cupsd_t hplip_var_run_t:file { read getattr }; stream_connect_pattern(cupsd_t,ptal_var_run_t,ptal_var_run_t,ptal_t) -@@ -149,32 +171,35 @@ +@@ -149,32 +171,36 @@ corenet_tcp_bind_reserved_port(cupsd_t) corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_connect_all_ports(cupsd_t) @@ -14613,6 +14622,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups dev_read_urand(cupsd_t) dev_read_sysfs(cupsd_t) -dev_read_usbfs(cupsd_t) ++dev_rw_input_dev(cupsd_t) #447878 +dev_rw_generic_usb_dev(cupsd_t) +dev_rw_usbfs(cupsd_t) dev_getattr_printer_dev(cupsd_t) @@ -14639,7 +14649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp corecmd_exec_shell(cupsd_t) corecmd_exec_bin(cupsd_t) -@@ -186,7 +211,7 @@ +@@ -186,7 +212,7 @@ # read python modules files_read_usr_files(cupsd_t) # for /var/lib/defoma @@ -14648,7 +14658,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups files_list_world_readable(cupsd_t) files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) -@@ -195,15 +220,16 @@ +@@ -195,15 +221,16 @@ files_read_var_symlinks(cupsd_t) # for /etc/printcap files_dontaudit_write_etc_files(cupsd_t) @@ -14669,7 +14679,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups auth_use_nsswitch(cupsd_t) libs_use_ld_so(cupsd_t) -@@ -219,17 +245,22 @@ +@@ -219,17 +246,22 @@ miscfiles_read_fonts(cupsd_t) seutil_read_config(cupsd_t) @@ -14694,7 +14704,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') optional_policy(` -@@ -242,12 +273,21 @@ +@@ -242,12 +274,21 @@ optional_policy(` dbus_system_bus_client_template(cupsd,cupsd_t) 
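Review bot: `dev_rw_input_dev(cupsd_t) #447878` in the `@@ -14613` hunk grants the print spooler read/write on every input event device node, which is broader than the USB device access the neighbouring `dev_rw_generic_usb_dev`/`dev_rw_usbfs` lines give it; presumably a printer that also registers an input interface is behind bug 447878, but the reason should be stated in the policy rather than left to the tracker. Refpolicy style also keeps comments on their own line, so write `# <reason from bug 447878>` above a bare `dev_rw_input_dev(cupsd_t)` instead of the trailing comment. It is worth confirming that read/write, rather than getattr or read alone, is really what the bug requires, since this rule also covers keyboard and mouse nodes.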
@@ -14716,7 +14726,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') optional_policy(` -@@ -263,6 +303,10 @@ +@@ -263,6 +304,10 @@ ') optional_policy(` @@ -14727,7 +14737,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups # cups execs smbtool which reads samba_etc_t files samba_read_config(cupsd_t) samba_rw_var_files(cupsd_t) -@@ -281,7 +325,7 @@ +@@ -281,7 +326,7 @@ # Cups configuration daemon local policy # @@ -14736,7 +14746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups dontaudit cupsd_config_t self:capability sys_tty_config; allow cupsd_config_t self:process signal_perms; allow cupsd_config_t self:fifo_file rw_fifo_file_perms; -@@ -326,6 +370,7 @@ +@@ -326,6 +371,7 @@ dev_read_sysfs(cupsd_config_t) dev_read_urand(cupsd_config_t) dev_read_rand(cupsd_config_t) @@ -14744,7 +14754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups fs_getattr_all_fs(cupsd_config_t) fs_search_auto_mountpoints(cupsd_config_t) -@@ -353,6 +398,7 @@ +@@ -353,6 +399,7 @@ logging_send_syslog_msg(cupsd_config_t) miscfiles_read_localization(cupsd_config_t) @@ -14752,7 +14762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups seutil_dontaudit_search_config(cupsd_config_t) -@@ -372,6 +418,10 @@ +@@ -372,6 +419,10 @@ ') optional_policy(` @@ -14763,7 +14773,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups cron_system_entry(cupsd_config_t, cupsd_config_exec_t) ') -@@ -387,6 +437,7 @@ +@@ -387,6 +438,7 @@ optional_policy(` hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) @@ -14771,7 +14781,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ') optional_policy(` -@@ -499,15 +550,10 @@ +@@ -499,15 +551,10 @@ allow hplip_t self:udp_socket create_socket_perms; allow hplip_t self:rawip_socket create_socket_perms; 
@@ -14788,7 +14798,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t) files_pid_filetrans(hplip_t,hplip_var_run_t,file) -@@ -537,14 +583,14 @@ +@@ -537,14 +584,14 @@ dev_read_urand(hplip_t) dev_read_rand(hplip_t) dev_rw_generic_usb_dev(hplip_t) @@ -14805,7 +14815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups domain_use_interactive_fds(hplip_t) files_read_etc_files(hplip_t) -@@ -564,7 +610,8 @@ +@@ -564,7 +611,8 @@ userdom_dontaudit_search_sysadm_home_dirs(hplip_t) userdom_dontaudit_search_all_users_home_content(hplip_t) @@ -14815,7 +14825,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups optional_policy(` seutil_sigchld_newrole(hplip_t) -@@ -645,3 +692,45 @@ +@@ -645,3 +693,45 @@ optional_policy(` udev_read_db(ptal_t) ') 
@@ -16985,13 +16995,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.fc serefpolicy-3.3.1/policy/modules/services/fail2ban.fc --- nsaserefpolicy/policy/modules/services/fail2ban.fc 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/fail2ban.fc 2008-09-08 11:45:12.000000000 -0400 -@@ -1,3 +1,7 @@ ++++ serefpolicy-3.3.1/policy/modules/services/fail2ban.fc 2008-09-19 11:19:39.000000000 -0400 +@@ -1,3 +1,8 @@ /usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0) +/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0) /var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0) - /var/run/fail2ban\.pid -- gen_context(system_u:object_r:fail2ban_var_run_t,s0) -+/var/run/fail2ban\.sock -s gen_context(system_u:object_r:fail2ban_var_run_t,s0) +-/var/run/fail2ban\.pid -- gen_context(system_u:object_r:fail2ban_var_run_t,s0) ++ ++/var/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0) ++ +/etc/rc\.d/init\.d/fail2ban -- gen_context(system_u:object_r:fail2ban_script_exec_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.3.1/policy/modules/services/fail2ban.if @@ -17068,7 +17080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.3.1/policy/modules/services/fail2ban.te --- nsaserefpolicy/policy/modules/services/fail2ban.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/fail2ban.te 2008-09-08 11:45:12.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/fail2ban.te 2008-09-19 11:19:08.000000000 -0400 @@ -18,6 +18,9 @@ type fail2ban_var_run_t; files_pid_file(fail2ban_var_run_t) 
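Review bot: The replacement fc entry `/var/run/fail2ban.*` drops both the `\.` escape and the file-type specifier, so it now labels any path that merely begins with `/var/run/fail2ban` (for example `/var/run/fail2ban-other`) rather than the pid file, the socket and the runtime directory that the fail2ban.te hunk in this commit apparently introduces. Spelling out the intended objects keeps the labeling tight: `/var/run/fail2ban\.(pid|sock)	gen_context(system_u:object_r:fail2ban_var_run_t,s0)` and `/var/run/fail2ban(/.*)?	gen_context(system_u:object_r:fail2ban_var_run_t,s0)`. The two empty lines added inside the block are also noise in an fc file.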
@@ -17088,18 +17100,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail # log files allow fail2ban_t fail2ban_log_t:dir setattr; -@@ -33,8 +36,9 @@ +@@ -33,8 +36,10 @@ logging_log_filetrans(fail2ban_t,fail2ban_log_t,file) # pid file ++manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) +manage_sock_files_pattern(fail2ban_t,fail2ban_var_run_t,fail2ban_var_run_t) manage_files_pattern(fail2ban_t,fail2ban_var_run_t,fail2ban_var_run_t) -files_pid_filetrans(fail2ban_t,fail2ban_var_run_t, file) -+files_pid_filetrans(fail2ban_t,fail2ban_var_run_t, { file sock_file }) ++files_pid_filetrans(fail2ban_t,fail2ban_var_run_t, { dir file sock_file }) kernel_read_system_state(fail2ban_t) -@@ -46,15 +50,26 @@ +@@ -46,15 +51,26 @@ domain_use_interactive_fds(fail2ban_t) files_read_etc_files(fail2ban_t) @@ -17127,7 +17140,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail optional_policy(` apache_read_log(fail2ban_t) ') -@@ -64,5 +79,11 @@ +@@ -64,5 +80,11 @@ ') optional_policy(` @@ -22242,7 +22255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.3.1/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2008-06-12 23:38:02.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/postfix.te 2008-09-08 11:45:12.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/postfix.te 2008-09-23 09:11:49.000000000 -0400 @@ -6,6 +6,14 @@ # Declarations # 
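Review bot: The `# pid file` comment heading this group in the `@@ -33,8 +36,10 @@` hunk no longer describes it once `manage_dirs_pattern` and `{ dir file sock_file }` are added; change it to `# pid file, control socket and runtime directory under /var/run`. The new `manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)` line also uses spaces after the commas while the `manage_sock_files_pattern` and `manage_files_pattern` lines directly below it do not; match the surrounding style.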
@@ -22331,7 +22344,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post optional_policy(` cyrus_stream_connect(postfix_master_t) -@@ -248,6 +271,10 @@ +@@ -189,6 +212,10 @@ + ') + + optional_policy(` ++ postgrey_search_spool(postfix_master_t) ++') ++ ++optional_policy(` + sendmail_signal(postfix_master_t) + ') + +@@ -248,6 +275,10 @@ corecmd_exec_bin(postfix_cleanup_t) @@ -22342,7 +22366,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix local local policy -@@ -273,18 +300,25 @@ +@@ -273,18 +304,25 @@ files_read_etc_files(postfix_local_t) @@ -22368,7 +22392,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') optional_policy(` -@@ -295,8 +329,7 @@ +@@ -295,8 +333,7 @@ # # Postfix map local policy # @@ -22378,7 +22402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; allow postfix_map_t self:unix_dgram_socket create_socket_perms; allow postfix_map_t self:tcp_socket create_stream_socket_perms; -@@ -346,8 +379,6 @@ +@@ -346,8 +383,6 @@ miscfiles_read_localization(postfix_map_t) @@ -22387,7 +22411,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post tunable_policy(`read_default_t',` files_list_default(postfix_map_t) files_read_default_files(postfix_map_t) -@@ -360,6 +391,11 @@ +@@ -360,6 +395,11 @@ locallogin_dontaudit_use_fds(postfix_map_t) ') @@ -22399,7 +22423,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix pickup local policy -@@ -384,6 +420,7 @@ +@@ -384,6 +424,7 @@ # allow postfix_pipe_t self:fifo_file rw_fifo_file_perms; 
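Review bot: `postgrey_search_spool(postfix_master_t)` in the inserted `@@ -189,6 +212,10 @@` hunk only grants `search` on `postgrey_spool_t` directories; if the goal is for the master process to reach the postgrey socket that postgrey.fc in this same commit labels under `/var/spool/postfix/postgrey`, the socket write and `connectto` are still missing unless `postgrey_stream_connect` (in postgrey.if, not shown in this hunk) already covers the spool-resident socket. Either pair this with `postgrey_stream_connect(postfix_master_t)` in the same `optional_policy` block or add a comment such as `# postgrey's socket lives inside the postfix chroot spool` explaining what the search is for, so the next reader does not mistake it for a complete rule set.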
@@ -22407,7 +22431,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t) -@@ -391,6 +428,12 @@ +@@ -391,6 +432,12 @@ rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t) @@ -22420,7 +22444,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post optional_policy(` procmail_domtrans(postfix_pipe_t) ') -@@ -400,6 +443,10 @@ +@@ -400,6 +447,10 @@ ') optional_policy(` @@ -22431,7 +22455,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post uucp_domtrans_uux(postfix_pipe_t) ') -@@ -436,8 +483,7 @@ +@@ -436,8 +487,7 @@ ') optional_policy(` @@ -22441,7 +22465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ') ####################################### -@@ -463,6 +509,15 @@ +@@ -463,6 +513,15 @@ init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) @@ -22457,7 +22481,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix qmgr local policy -@@ -532,9 +587,6 @@ +@@ -532,9 +591,6 @@ # connect to master process stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t) @@ -22467,7 +22491,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post # for prng_exch allow postfix_smtpd_t postfix_spool_t:file rw_file_perms; allow postfix_smtpd_t postfix_prng_t:file rw_file_perms; -@@ -557,6 +609,10 @@ +@@ -557,6 +613,10 @@ sasl_connect(postfix_smtpd_t) ') 
@@ -22478,7 +22502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post ######################################## # # Postfix virtual local policy -@@ -572,7 +628,7 @@ +@@ -572,7 +632,7 @@ files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir }) # connect to master process @@ -23251,7 +23275,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.fc serefpolicy-3.3.1/policy/modules/services/postgrey.fc --- nsaserefpolicy/policy/modules/services/postgrey.fc 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/postgrey.fc 2008-09-08 11:45:12.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/services/postgrey.fc 2008-09-23 09:06:46.000000000 -0400 @@ -7,3 +7,7 @@ /var/run/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_run_t,s0) @@ -23262,8 +23286,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post +/var/spool/postfix/postgrey(/.*)? gen_context(system_u:object_r:postgrey_spool_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.if serefpolicy-3.3.1/policy/modules/services/postgrey.if --- nsaserefpolicy/policy/modules/services/postgrey.if 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/services/postgrey.if 2008-09-19 10:23:53.000000000 -0400 -@@ -12,10 +12,82 @@ ++++ serefpolicy-3.3.1/policy/modules/services/postgrey.if 2008-09-23 09:13:12.000000000 -0400 +@@ -12,10 +12,100 @@ # interface(`postgrey_stream_connect',` gen_require(` 
@@ -23280,6 +23304,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post + +######################################## +## ++## Search the spool directory ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`postgrey_search_spool',` ++ gen_require(` ++ type postgrey_spool_t; ++ ') ++ ++ allow $1 postgrey_spool_t:dir search_dir_perms; ++') ++ ++######################################## ++## +## Execute postgrey server in the postgrey domain. +## +## @@ -23569,8 +23611,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.fc serefpolicy-3.3.1/policy/modules/services/prelude.fc --- nsaserefpolicy/policy/modules/services/prelude.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/prelude.fc 2008-09-08 11:45:12.000000000 -0400 -@@ -0,0 +1,20 @@ ++++ serefpolicy-3.3.1/policy/modules/services/prelude.fc 2008-09-22 09:14:58.000000000 -0400 +@@ -0,0 +1,24 @@ +/sbin/audisp-prelude -- gen_context(system_u:object_r:prelude_audisp_exec_t,s0) + +/usr/bin/prelude-manager -- gen_context(system_u:object_r:prelude_exec_t,s0) 
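Review bot: The new `postgrey_search_spool` interface grants search on `postgrey_spool_t` directories but not on the parent `/var/spool`, so a caller that does not already hold that cannot actually reach the directory; refpolicy interfaces for spool content conventionally place `files_search_spool($1)` next to the allow rule, and that line should be added here. The summary "Search the spool directory" would also be clearer if it named the path this labels (`/var/spool/postfix/postgrey` per postgrey.fc in this commit), since it is the socket location inside the postfix chroot rather than postgrey's own data directory.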
@@ -23588,9 +23630,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +/usr/bin/prelude-lml -- gen_context(system_u:object_r:prelude_lml_exec_t,s0) +/var/run/prelude-lml.pid -- gen_context(system_u:object_r:prelude_lml_var_run_t,s0) + ++/etc/rc\.d/init\.d/prelude-correlator -- gen_context(system_u:object_r:prelude_correlator_script_exec_t, s0) +/etc/rc\.d/init\.d/prelude-lml -- gen_context(system_u:object_r:prelude_lml_script_exec_t,s0) +/etc/rc\.d/init\.d/prelude-manager -- gen_context(system_u:object_r:prelude_script_exec_t,s0) + ++/etc/prelude-correlator(/.*)? gen_context(system_u:object_r:prelude_correlator_config_t, s0) ++/usr/bin/prelude-correlator -- gen_context(system_u:object_r:prelude_correlator_exec_t, s0) ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.3.1/policy/modules/services/prelude.if --- nsaserefpolicy/policy/modules/services/prelude.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.3.1/policy/modules/services/prelude.if 2008-09-08 11:45:12.000000000 -0400 @@ -23788,8 +23834,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.3.1/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.3.1/policy/modules/services/prelude.te 2008-09-19 10:06:47.000000000 -0400 -@@ -0,0 +1,260 @@ ++++ serefpolicy-3.3.1/policy/modules/services/prelude.te 2008-09-22 09:14:34.000000000 -0400 +@@ -0,0 +1,325 @@ + +policy_module(prelude, 1.0.0) + 
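Review bot: The three prelude-correlator entries in the prelude.fc hunk write `gen_context(system_u:object_r:prelude_correlator_script_exec_t, s0)` with a space before `s0`, while every other entry in the file uses `,s0`; match the existing form, e.g. `/etc/rc\.d/init\.d/prelude-correlator -- gen_context(system_u:object_r:prelude_correlator_script_exec_t,s0)`. The config and binary entries are also appended after a trailing blank line at the end of the file rather than grouped with the other per-daemon binary/pid pairs above, which makes the file harder to scan.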
@@ -23842,6 +23888,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel + +######################################## +# ++# prelude_correlator declarations ++# ++ ++type prelude_correlator_t; ++type prelude_correlator_exec_t; ++init_daemon_domain(prelude_correlator_t, prelude_correlator_exec_t) ++role system_r types prelude_correlator_t; ++ ++type prelude_correlator_script_exec_t; ++init_script_file(prelude_correlator_script_exec_t) ++ ++type prelude_correlator_config_t; ++files_config_file(prelude_correlator_config_t) ++ ++######################################## ++# +# prelude local policy +# + @@ -23875,15 +23937,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +corenet_tcp_bind_all_nodes(prelude_t) +corenet_tcp_bind_prelude_port(prelude_t) +corenet_tcp_connect_prelude_port(prelude_t) ++corenet_tcp_connect_postgresql_port(prelude_t) + +dev_read_rand(prelude_t) +dev_read_urand(prelude_t) + ++kernel_read_sysctl(prelude_t) ++ +# Init script handling +domain_use_interactive_fds(prelude_t) + +files_read_etc_files(prelude_t) +files_read_usr_files(prelude_t) ++files_search_tmp(prelude_t) + +fs_rw_anon_inodefs_files(prelude_t) + @@ -23939,6 +24005,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel +# Init script handling +domain_use_interactive_fds(prelude_audisp_t) + ++kernel_read_sysctl(prelude_audisp_t) ++ +files_read_etc_files(prelude_audisp_t) + +libs_use_ld_so(prelude_audisp_t) 
@@ -23953,13 +24021,49 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel + +######################################## +# ++# prelude_correlator local policy ++# ++ ++allow prelude_correlator_t self:netlink_route_socket r_netlink_socket_perms; ++allow prelude_correlator_t self:tcp_socket create_stream_socket_perms; ++allow prelude_correlator_t self:unix_dgram_socket create_socket_perms; ++ ++read_files_pattern(prelude_correlator_t, prelude_correlator_config_t, prelude_correlator_config_t) ++ ++prelude_manage_spool(prelude_correlator_t) ++ ++corecmd_search_sbin(prelude_correlator_t) ++ ++corenet_all_recvfrom_unlabeled(prelude_correlator_t) ++corenet_all_recvfrom_netlabel(prelude_correlator_t) ++corenet_tcp_sendrecv_all_if(prelude_correlator_t) ++corenet_tcp_sendrecv_all_nodes(prelude_correlator_t) ++corenet_tcp_connect_prelude_port(prelude_correlator_t) ++ ++dev_read_rand(prelude_correlator_t) ++dev_read_urand(prelude_correlator_t) ++ ++files_read_etc_files(prelude_correlator_t) ++files_read_usr_files(prelude_correlator_t) ++files_search_spool(prelude_correlator_t) ++ ++libs_use_ld_so(prelude_correlator_t) ++libs_use_shared_libs(prelude_correlator_t) ++ ++logging_send_syslog_msg(prelude_correlator_t) ++ ++miscfiles_read_localization(prelude_correlator_t) ++ ++sysnet_dns_name_resolve(prelude_correlator_t) ++ ++######################################## ++# +# prelude_lml local declarations +# + +allow prelude_lml_t self:capability dac_override; + +# Init script handling -+# Test me +domain_use_interactive_fds(prelude_lml_t) + +allow prelude_lml_t self:tcp_socket { write getattr setopt read create connect }; @@ -24017,6 +24121,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel + +miscfiles_read_localization(prelude_lml_t) + ++sysnet_dns_name_resolve(prelude_lml_t) ++ +optional_policy(` + gamin_exec(prelude_lml_t) +') 
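Review bot: `prelude_manage_spool(prelude_correlator_t)` in the new "prelude_correlator local policy" block gives the correlator create/delete rights over the shared prelude spool, while every other resource in the block is read-only (`read_files_pattern` on its config, `files_read_etc_files`, `files_read_usr_files`); if the correlator only reads and updates existing spool files, a read/write interface from prelude.if (not visible in this hunk) would be the tighter choice. Either way a one-line comment such as `# correlator keeps its state in the shared prelude spool` above the call would explain why it is the one writer here. `corecmd_search_sbin(prelude_correlator_t)` without any exec rule also deserves a comment if it is intentional rather than a leftover.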
@@ -24033,8 +24139,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel + +optional_policy(` + apache_content_template(prewikka) ++ files_search_tmp(httpd_prewikka_script_t) + files_read_etc_files(httpd_prewikka_script_t) + ++ apache_search_sys_content(httpd_prewikka_script_t) ++ ++ corenet_tcp_connect_postgresql_port(httpd_prewikka_script_t) ++ + auth_use_nsswitch(httpd_prewikka_script_t) + + logging_send_syslog_msg(httpd_prewikka_script_t) @@ -33690,7 +33801,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.3.1/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2008-06-12 23:38:01.000000000 -0400 -+++ serefpolicy-3.3.1/policy/modules/system/logging.te 2008-09-15 13:03:33.000000000 -0400 ++++ serefpolicy-3.3.1/policy/modules/system/logging.te 2008-09-23 08:51:57.000000000 -0400 @@ -61,10 +61,29 @@ logging_log_file(var_log_t) files_mountpoint(var_log_t) @@ -33756,7 +33867,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin # Needs to be able to run dispatcher. see /etc/audit/auditd.conf # Probably want a transition, and a new auditd_helper app corecmd_exec_bin(auditd_t) -@@ -158,9 +188,12 @@ +@@ -150,6 +180,8 @@ + + logging_set_audit_parameters(auditd_t) + logging_send_syslog_msg(auditd_t) ++logging_domtrans_audisp(auditd_t) ++logging_audisp_signal(auditd_t) + + libs_use_ld_so(auditd_t) + libs_use_shared_libs(auditd_t) +@@ -158,9 +190,12 @@ mls_file_read_all_levels(auditd_t) mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory @@ -33769,7 +33889,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin userdom_dontaudit_use_unpriv_user_fds(auditd_t) userdom_dontaudit_search_sysadm_home_dirs(auditd_t) -@@ -171,6 +204,10 @@ +@@ -171,6 +206,10 @@ ') optional_policy(` 
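Review bot: `corenet_tcp_connect_postgresql_port(httpd_prewikka_script_t)` grants the prewikka CGI domain an unconditional connection to the PostgreSQL port; in refpolicy, database connections from `apache_content_template` script domains are normally gated behind the `httpd_can_network_connect_db` boolean, so if that tunable already applies to this domain the line is redundant, and if it does not, adding it unconditionally removes the administrator's switch. Wrap it as `tunable_policy(\`httpd_can_network_connect_db',\` corenet_tcp_connect_postgresql_port(httpd_prewikka_script_t) ')` or drop it in favour of documenting the boolean. The enclosing `optional_policy` block continues beyond this hunk.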
@@ -33780,7 +33900,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin seutil_sigchld_newrole(auditd_t) ') -@@ -208,6 +245,7 @@ +@@ -208,6 +247,7 @@ fs_getattr_all_fs(klogd_t) fs_search_auto_mountpoints(klogd_t) @@ -33788,7 +33908,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin domain_use_interactive_fds(klogd_t) -@@ -252,7 +290,6 @@ +@@ -252,7 +292,6 @@ dontaudit syslogd_t self:capability sys_tty_config; # setpgid for metalog allow syslogd_t self:process { signal_perms setpgid }; @@ -33796,7 +33916,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -262,7 +299,7 @@ +@@ -262,7 +301,7 @@ allow syslogd_t self:tcp_socket create_stream_socket_perms; allow syslogd_t syslog_conf_t:file read_file_perms; @@ -33805,7 +33925,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin # Create and bind to /dev/log or /var/run/log. allow syslogd_t devlog_t:sock_file manage_sock_file_perms; files_pid_filetrans(syslogd_t,devlog_t,sock_file) -@@ -274,6 +311,9 @@ +@@ -274,6 +313,9 @@ # Allow access for syslog-ng allow syslogd_t var_log_t:dir { create setattr }; @@ -33815,7 +33935,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin # manage temporary files manage_dirs_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t) manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t) -@@ -289,12 +329,14 @@ +@@ -289,12 +331,14 @@ manage_files_pattern(syslogd_t,syslogd_var_run_t,syslogd_var_run_t) files_pid_filetrans(syslogd_t,syslogd_var_run_t,file) 
@@ -33830,7 +33950,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin dev_filetrans(syslogd_t,devlog_t,sock_file) dev_read_sysfs(syslogd_t) -@@ -327,6 +369,8 @@ +@@ -327,6 +371,8 @@ # Allow users to define additional syslog ports to connect to corenet_tcp_bind_syslogd_port(syslogd_t) corenet_tcp_connect_syslogd_port(syslogd_t) @@ -33839,7 +33959,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin # syslog-ng can send or receive logs corenet_sendrecv_syslogd_client_packets(syslogd_t) -@@ -339,19 +383,20 @@ +@@ -339,19 +385,20 @@ domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) @@ -33862,7 +33982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin miscfiles_read_localization(syslogd_t) userdom_dontaudit_use_unpriv_user_fds(syslogd_t) -@@ -380,15 +425,11 @@ +@@ -380,15 +427,11 @@ ') optional_policy(` @@ -33880,7 +34000,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin ') optional_policy(` -@@ -399,3 +440,67 @@ +@@ -399,3 +442,66 @@ # log to the xconsole xserver_rw_console(syslogd_t) ') @@ -33918,8 +34038,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/loggin +corecmd_search_bin(audisp_t) +allow audisp_t self:unix_dgram_socket create_socket_perms; + -+logging_domtrans_audisp(auditd_t) -+logging_audisp_signal(auditd_t) ++sysnet_dns_name_resolve(audisp_t) + +######################################## +#
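Review bot: `sysnet_dns_name_resolve(audisp_t)` in the final hunk lets the audit dispatcher perform DNS lookups, while the other audisp_t rules visible here (`corecmd_search_bin`, a unix dgram socket) are purely local, and no comment says which plugin needs it. Presumably a plugin that forwards events off-host is the reason (audisp-prelude is labelled elsewhere in this patch), so add `# plugins such as audisp-prelude talk to remote hosts and need name resolution` above the line, adjusting to the real consumer. The removed `logging_domtrans_audisp`/`logging_audisp_signal` lines are only moved into auditd's section by the earlier `@@ -33756` hunk, so nothing is lost there.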