diff --git a/policy-F13.patch b/policy-F13.patch index 07af8ce..734cd08 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -2610,7 +2610,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.7.17/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.17/policy/modules/apps/gnome.if 2010-03-29 15:35:14.000000000 -0400 ++++ serefpolicy-3.7.17/policy/modules/apps/gnome.if 2010-03-30 12:44:27.000000000 -0400 @@ -74,6 +74,24 @@ ######################################## @@ -2636,21 +2636,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if ## manage gnome homedir content (.config) ## ## -@@ -84,10 +102,246 @@ +@@ -84,10 +102,403 @@ # interface(`gnome_manage_config',` gen_require(` -- type gnome_home_t; + attribute gnome_home_type; - ') - -- allow $1 gnome_home_t:dir manage_dir_perms; -- allow $1 gnome_home_t:file manage_file_perms; ++ ') ++ + allow $1 gnome_home_type:dir manage_dir_perms; + allow $1 gnome_home_type:file manage_file_perms; + allow $1 gnome_home_type:lnk_file manage_lnk_file_perms; - userdom_search_user_home_dirs($1) - ') ++ userdom_search_user_home_dirs($1) ++') + +######################################## +## 
@@ -2672,6 +2669,94 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if + +######################################## +## ++## Create objects in a Gnome cache home directory ++## with an automatic type transition to ++## a specified private type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to create. ++## ++## ++## ++## ++## The class of the object to be created. ++## ++## ++# ++interface(`gnome_cache_filetrans',` ++ gen_require(` ++ type cache_home_t; ++ ') ++ ++ filetrans_pattern($1, cache_home_t, $2, $3) ++ userdom_search_user_home_dirs($1) ++') ++ ++######################################## ++## ++## Read generic cache home files (.cache) ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_read_generic_cache_files',` ++ gen_require(` ++ type cache_home_t; ++ ') ++ ++ read_files_pattern($1, cache_home_t, cache_home_t) ++ userdom_search_user_home_dirs($1) ++') ++ ++######################################## ++## ++## Set attributes of cache home dir (.cache) ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_setattr_cache_home_dir',` ++ gen_require(` ++ type cache_home_t; ++ ') ++ ++ setattr_dirs_pattern($1, cache_home_t, cache_home_t) ++ userdom_search_user_home_dirs($1) ++') ++ ++######################################## ++## ++## write to generic cache home files (.cache) ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_write_generic_cache_files',` ++ gen_require(` ++ type cache_home_t; ++ ') ++ ++ write_files_pattern($1, cache_home_t, cache_home_t) ++ userdom_search_user_home_dirs($1) ++') ++ ++######################################## ++## +## read gnome homedir content (.config) +## +## 
@@ -2692,6 +2777,58 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if + +######################################## +## ++## Set attributes of Gnome config dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_setattr_config_dirs',` ++ gen_require(` + type gnome_home_t; + ') + +- allow $1 gnome_home_t:dir manage_dir_perms; +- allow $1 gnome_home_t:file manage_file_perms; ++ setattr_dirs_pattern($1, gnome_home_t, gnome_home_t) ++ files_search_home($1) ++') ++ ++######################################## ++## ++## Create objects in a Gnome gconf home directory ++## with an automatic type transition to ++## a specified private type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to create. ++## ++## ++## ++## ++## The class of the object to be created. ++## ++## ++# ++interface(`gnome_data_filetrans',` ++ gen_require(` ++ type data_home_t; ++ ') ++ ++ filetrans_pattern($1, data_home_t, $2, $3) ++ gnome_search_gconf($1) ++') ++ ++######################################## ++## +## read gconf config files +## +## @@ -2771,6 +2908,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if + +######################################## +## ++## search gconf homedir (.local) ++## ++## ++## ++## The type of the domain. ++## ++## ++# ++interface(`gnome_search_gconf',` ++ gen_require(` ++ type gconf_home_t; ++ ') ++ ++ allow $1 gconf_home_t:dir search_dir_perms; + userdom_search_user_home_dirs($1) + ') ++ ++######################################## ++## +## Append gconf home files +## +## 
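Review bot: The summary of the new `gnome_data_filetrans` interface says it creates objects in a "Gnome gconf home directory", but the rule it emits is `filetrans_pattern($1, data_home_t, $2, $3)`, so the documentation names a different type from the one the code uses. The body then ends with `gnome_search_gconf($1)`, defined in the following hunk as search on `gconf_home_t` with the summary "(.local)". This presumably is the parent directory a caller has to traverse to reach `data_home_t`, but nothing here says so. I would change the summary to `## Create objects in a Gnome data home directory` and add a comment above the search call such as `# data_home_t is reached through the gconf_home_t-labelled parent dir`, once that layout is confirmed against gnome.fc. Separately, `gnome_setattr_config_dirs` in this hunk ends with `files_search_home($1)` while the cache interfaces added earlier end with `userdom_search_user_home_dirs($1)`, so it is worth checking which one is meant.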
@@ -3048,9 +3204,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.fc s /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.7.17/policy/modules/apps/gpg.if --- nsaserefpolicy/policy/modules/apps/gpg.if 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.7.17/policy/modules/apps/gpg.if 2010-03-29 15:35:14.000000000 -0400 -@@ -52,11 +52,8 @@ ++++ serefpolicy-3.7.17/policy/modules/apps/gpg.if 2010-03-30 12:45:14.000000000 -0400 +@@ -21,6 +21,7 @@ + type gpg_agent_t, gpg_agent_exec_t; + type gpg_agent_tmp_t; + type gpg_helper_t, gpg_pinentry_t; ++ type gpg_pinentry_tmp_t; + ') + role $1 types { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }; +@@ -50,13 +51,17 @@ + # Transition from the user domain to the agent domain. + domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t) + ++ manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) ++ relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) ++ ++ optional_policy(` ++ gpg_pinentry_dbus_chat($2) ++ ') ++ ifdef(`hide_broken_symptoms',` #Leaked File Descriptors + dontaudit gpg_t $2:socket_class_set { read write }; 
@@ -3062,9 +3235,75 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if s ') ') +@@ -95,3 +100,65 @@ + + allow $1 gpg_t:process signal; + ') ++ ++######################################## ++## ++## Read and write GPG named pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gpg_agent_rw_named_pipes',` ++ # Just wants read/write could this be a leak? ++ gen_require(` ++ type gpg_agent_t; ++ ') ++ ++ allow $1 gpg_agent_t:fifo_file rw_fifo_file_perms; ++') ++ ++######################################## ++## ++## Send messages to and from GPG ++## Pinentry over DBUS. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gpg_pinentry_dbus_chat',` ++ gen_require(` ++ type gpg_pinentry_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 gpg_pinentry_t:dbus send_msg; ++ allow gpg_pinentry_t $1:dbus send_msg; ++') ++ ++ ++######################################## ++## ++## List Gnu Privacy Guard user ++## content dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gpg_list_user_content_dirs',` ++ gen_require(` ++ type gpg_secret_t; ++ ') ++ ++ list_dirs_pattern($1, gpg_secret_t, gpg_secret_t) ++ userdom_search_user_home_dirs($1) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.7.17/policy/modules/apps/gpg.te --- nsaserefpolicy/policy/modules/apps/gpg.te 2009-12-04 09:43:33.000000000 -0500 -+++ serefpolicy-3.7.17/policy/modules/apps/gpg.te 2010-03-29 15:35:14.000000000 -0400 ++++ serefpolicy-3.7.17/policy/modules/apps/gpg.te 2010-03-30 12:45:14.000000000 -0400 @@ -20,6 +20,7 @@ typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t }; application_domain(gpg_t, gpg_exec_t) 
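Review bot: `gpg_agent_rw_named_pipes` takes an access that its own comment suspects is a leaked descriptor ("Just wants read/write could this be a leak?") and makes it a standing `allow $1 gpg_agent_t:fifo_file rw_fifo_file_perms;` for every caller. If the caller only inherits the descriptor and never uses it, a `dontaudit` form of the same rule would silence the denial without opening a read/write channel into gpg-agent's pipes. If the access is genuinely needed, the comment should name the caller and the reason instead of asking a question. The summary says "Read and write GPG named pipes" while the type is `gpg_agent_t`; `## Read and write GPG agent named pipes.` would match the rule.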
@@ -3081,16 +3320,59 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s type gpg_pinentry_t; type pinentry_exec_t; -@@ -59,7 +61,7 @@ +@@ -53,14 +55,22 @@ + application_domain(gpg_pinentry_t, pinentry_exec_t) + ubac_constrained(gpg_pinentry_t) + ++type gpg_pinentry_tmp_t; ++files_tmp_file(gpg_pinentry_tmp_t) ++ubac_constrained(gpg_pinentry_tmp_t) ++ ++type gpg_pinentry_tmpfs_t; ++files_tmpfs_file(gpg_pinentry_tmpfs_t) ++ubac_constrained(gpg_pinentry_tmpfs_t) ++ + ######################################## + # + # GPG local policy # allow gpg_t self:capability { ipc_lock setuid }; -# setrlimit is for ulimit -c 0 +-allow gpg_t self:process { signal setrlimit getcap setcap setpgid }; +#at setrlimit is for ulimit -c 0 - allow gpg_t self:process { signal setrlimit getcap setcap setpgid }; ++allow gpg_t self:process { signal signull setrlimit getcap setcap setpgid }; allow gpg_t self:fifo_file rw_fifo_file_perms; -@@ -112,6 +114,7 @@ + allow gpg_t self:tcp_socket create_stream_socket_perms; +@@ -69,6 +79,8 @@ + manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t) + files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file }) + ++domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) ++ + # transition from the gpg domain to the helper domain + domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t) + +@@ -79,6 +91,9 @@ + + kernel_read_sysctl(gpg_t) + ++corecmd_exec_shell(gpg_t) ++corecmd_exec_bin(gpg_t) ++ + corenet_all_recvfrom_unlabeled(gpg_t) + corenet_all_recvfrom_netlabel(gpg_t) + corenet_tcp_sendrecv_generic_if(gpg_t) +@@ -95,6 +110,7 @@ + dev_read_generic_usb_dev(gpg_t) + + fs_getattr_xattr_fs(gpg_t) ++fs_list_inotifyfs(gpg_t) + + domain_use_interactive_fds(gpg_t) + +@@ -112,6 +128,7 @@ # sign/encrypt user files userdom_manage_user_tmp_files(gpg_t) userdom_manage_user_home_content_files(gpg_t) 
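Review bot: `corecmd_exec_shell(gpg_t)` and `corecmd_exec_bin(gpg_t)` are added to the GPG local policy without a comment, and both run the shell or generic bin programs inside `gpg_t` itself rather than in a separate domain, so whatever gets spawned inherits everything gpg_t can reach. A why-comment naming the program gpg needs to run, e.g. `# gpg spawns <helper> via sh -c`, would let a later reader judge whether a `domtrans_pattern` to a narrower domain could replace the blanket exec. The `domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)` added here at the `-69,6 +79,8` position is also repeated verbatim under "GPG agent local policy" in the next hunk; one copy is enough. The gpg.te sections involved start and end outside this hunk.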
@@ -3098,29 +3380,335 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te s mta_write_config(gpg_t) -@@ -130,10 +133,10 @@ - xserver_rw_xdm_pipes(gpg_t) +@@ -126,15 +143,24 @@ + ') + + optional_policy(` +- xserver_use_xdm_fds(gpg_t) +- xserver_rw_xdm_pipes(gpg_t) ++ mozilla_read_user_home_files(gpg_t) ++ mozilla_write_user_home_files(gpg_t) + ') + + optional_policy(` +- cron_system_entry(gpg_t, gpg_exec_t) +- cron_read_system_job_tmp_files(gpg_t) ++ mutt_rw_tmp_files(gpg_t) + ') + ++optional_policy(` ++ xserver_use_xdm_fds(gpg_t) ++ xserver_rw_xdm_pipes(gpg_t) ++') ++ ++#optional_policy(` ++# cron_system_entry(gpg_t, gpg_exec_t) ++# cron_read_system_job_tmp_files(gpg_t) ++#') ++ + ######################################## + # + # GPG helper local policy +@@ -184,6 +210,7 @@ + # + # GPG agent local policy + # ++domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) + + # rlimit: gpg-agent wants to prevent coredumps + allow gpg_agent_t self:process setrlimit; +@@ -206,6 +233,7 @@ + stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t) + + corecmd_search_bin(gpg_agent_t) ++corecmd_exec_shell(gpg_agent_t) + + domain_use_interactive_fds(gpg_agent_t) + +@@ -242,26 +270,62 @@ + # Pinentry local policy + # + +-allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write }; ++allow gpg_pinentry_t self:process { getcap getsched setsched signal }; + allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms; ++allow gpg_pinentry_t self:netlink_route_socket create_netlink_socket_perms; ++allow gpg_pinentry_t self:shm create_shm_perms; ++allow gpg_pinentry_t self:tcp_socket create_stream_socket_perms; ++allow gpg_pinentry_t self:unix_dgram_socket sendto; ++allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write }; ++ ++can_exec(gpg_pinentry_t, pinentry_exec_t) + + # we need to allow gpg-agent to call pinentry so it can get the passphrase + # from the user. 
+ domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t) + ++manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) ++userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file) ++ ++manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) ++manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) ++fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir }) ++fs_getattr_tmpfs(gpg_pinentry_t) ++ ++corecmd_exec_bin(gpg_pinentry_t) ++ ++corenet_all_recvfrom_netlabel(gpg_pinentry_t) ++corenet_all_recvfrom_unlabeled(gpg_pinentry_t) ++corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t) ++corenet_tcp_bind_generic_node(gpg_pinentry_t) ++corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t) ++corenet_tcp_sendrecv_generic_if(gpg_pinentry_t) ++corenet_tcp_sendrecv_generic_node(gpg_pinentry_t) ++corenet_tcp_sendrecv_generic_port(gpg_pinentry_t) ++ + # read /proc/meminfo + kernel_read_system_state(gpg_pinentry_t) + ++dev_read_urand(gpg_pinentry_t) ++dev_read_rand(gpg_pinentry_t) ++ + files_read_usr_files(gpg_pinentry_t) + # read /etc/X11/qtrc + files_read_etc_files(gpg_pinentry_t) + ++logging_send_syslog_msg(gpg_pinentry_t) ++ + miscfiles_read_fonts(gpg_pinentry_t) + miscfiles_read_localization(gpg_pinentry_t) + + # for .Xauthority + userdom_read_user_home_content_files(gpg_pinentry_t) + ++userdom_read_user_tmpfs_files(gpg_pinentry_t) ++# Bug: user pulseaudio files need open,read and unlink: ++allow gpg_pinentry_t user_tmpfs_t:file unlink; ++userdom_signull_unpriv_users(gpg_pinentry_t) ++ + tunable_policy(`use_nfs_home_dirs',` + fs_read_nfs_files(gpg_pinentry_t) + ') +@@ -271,5 +335,24 @@ + ') + + optional_policy(` +- xserver_stream_connect(gpg_pinentry_t) ++ dbus_session_bus_client(gpg_pinentry_t) ++ dbus_system_bus_client(gpg_pinentry_t) ++') ++ ++optional_policy(` ++ gnome_write_generic_cache_files(gpg_pinentry_t) ++ gnome_read_generic_cache_files(gpg_pinentry_t) 
+ ') ++ ++optional_policy(` ++ pulseaudio_exec(gpg_pinentry_t) ++ pulseaudio_rw_home_files(gpg_pinentry_t) ++ pulseaudio_setattr_home_dir(gpg_pinentry_t) ++ pulseaudio_stream_connect(gpg_pinentry_t) ++ pulseaudio_signull(gpg_pinentry_t) ++') ++ ++optional_policy(` ++ xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t) ++') ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.fc serefpolicy-3.7.17/policy/modules/apps/irc.fc +--- nsaserefpolicy/policy/modules/apps/irc.fc 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.7.17/policy/modules/apps/irc.fc 2010-03-30 12:46:43.000000000 -0400 +@@ -2,10 +2,17 @@ + # /home + # + HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0) ++HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irssi_home_t,s0) ++ ++# ++# /etc ++# ++/etc/irssi\.conf -- gen_context(system_u:object_r:irssi_etc_t,s0) + + # + # /usr + # + /usr/bin/[st]irc -- gen_context(system_u:object_r:irc_exec_t,s0) + /usr/bin/ircII -- gen_context(system_u:object_r:irc_exec_t,s0) ++/usr/bin/irssi -- gen_context(system_u:object_r:irssi_exec_t,s0) + /usr/bin/tinyirc -- gen_context(system_u:object_r:irc_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.if serefpolicy-3.7.17/policy/modules/apps/irc.if +--- nsaserefpolicy/policy/modules/apps/irc.if 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.7.17/policy/modules/apps/irc.if 2010-03-30 12:46:43.000000000 -0400 +@@ -18,14 +18,51 @@ + interface(`irc_role',` + gen_require(` + type irc_t, irc_exec_t; ++ type irssi_t, irssi_exec_t, irssi_home_t; + ') + ++ ######################################## ++ # ++ # Irc shared declarations. ++ # ++ + role $1 types irc_t; + ++ ######################################## ++ # ++ # Irssi shared declarations. ++ # ++ ++ role $1 types irssi_t; ++ ++ ######################################## ++ # ++ # Irc shared policy. 
++ # ++ + # Transition from the user domain to the derived domain. + domtrans_pattern($2, irc_exec_t, irc_t) + + # allow ps to show irc + ps_process_pattern($2, irc_t) + allow $2 irc_t:process signal; ++ ++ ######################################## ++ # ++ # Irssi shared policy. ++ # ++ ++ domtrans_pattern($2, irssi_exec_t, irssi_t) ++ ++ allow $2 irssi_t:process { ptrace signal_perms }; ++ ps_process_pattern($2, irssi_t) ++ ++ manage_dirs_pattern($2, irssi_home_t, irssi_home_t) ++ manage_files_pattern($2, irssi_home_t, irssi_home_t) ++ manage_lnk_files_pattern($2, irssi_home_t, irssi_home_t) ++ ++ relabel_dirs_pattern($2, irssi_home_t, irssi_home_t) ++ relabel_files_pattern($2, irssi_home_t, irssi_home_t) ++ relabel_lnk_files_pattern($2, irssi_home_t, irssi_home_t) ') - --optional_policy(` -- cron_system_entry(gpg_t, gpg_exec_t) -- cron_read_system_job_tmp_files(gpg_t) --') -+#optional_policy(` -+# cron_system_entry(gpg_t, gpg_exec_t) -+# cron_read_system_job_tmp_files(gpg_t) -+#') ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/irc.te serefpolicy-3.7.17/policy/modules/apps/irc.te +--- nsaserefpolicy/policy/modules/apps/irc.te 2009-08-14 16:14:31.000000000 -0400 ++++ serefpolicy-3.7.17/policy/modules/apps/irc.te 2010-03-30 12:46:43.000000000 -0400 +@@ -25,6 +25,30 @@ ######################################## # -@@ -184,6 +187,7 @@ - # - # GPG agent local policy ++# Irssi personal declarations. ++# ++ ++## ++##

++## Allow the Irssi IRC Client to connect to any port, ++## and to bind to any unreserved port. ++##

++##
++gen_tunable(irssi_use_full_network, false) ++ ++type irssi_t; ++type irssi_exec_t; ++application_domain(irssi_t, irssi_exec_t) ++ubac_constrained(irssi_t) ++ ++type irssi_etc_t; ++files_config_file(irssi_etc_t) ++ ++type irssi_home_t; ++userdom_user_home_content(irssi_home_t) ++ ++######################################## ++# + # Local policy # -+domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) - # rlimit: gpg-agent wants to prevent coredumps - allow gpg_agent_t self:process setrlimit; +@@ -102,3 +126,83 @@ + optional_policy(` + nis_use_ypbind(irc_t) + ') ++ ++######################################## ++# ++# Irssi personal declarations. ++# ++ ++allow irssi_t self:process { signal sigkill }; ++allow irssi_t self:fifo_file rw_fifo_file_perms; ++allow irssi_t self:netlink_route_socket create_netlink_socket_perms; ++allow irssi_t self:tcp_socket create_stream_socket_perms; ++allow irssi_t self:udp_socket create_socket_perms; ++ ++read_files_pattern(irssi_t, irssi_etc_t, irssi_etc_t) ++ ++manage_dirs_pattern(irssi_t, irssi_home_t, irssi_home_t) ++manage_files_pattern(irssi_t, irssi_home_t, irssi_home_t) ++manage_lnk_files_pattern(irssi_t, irssi_home_t, irssi_home_t) ++userdom_user_home_dir_filetrans(irssi_t, irssi_home_t, { dir file lnk_file }) ++userdom_search_user_home_dirs(irssi_t) ++ ++corecmd_search_bin(irssi_t) ++corecmd_read_bin_symlinks(irssi_t) ++ ++corenet_tcp_connect_ircd_port(irssi_t) ++corenet_sendrecv_ircd_client_packets(irssi_t) ++ ++# Privoxy ++corenet_tcp_connect_http_cache_port(irssi_t) ++corenet_sendrecv_http_cache_client_packets(irssi_t) ++ ++corenet_all_recvfrom_netlabel(irssi_t) ++corenet_all_recvfrom_unlabeled(irssi_t) ++corenet_tcp_sendrecv_generic_if(irssi_t) ++corenet_tcp_sendrecv_generic_node(irssi_t) ++corenet_tcp_sendrecv_generic_port(irssi_t) ++corenet_tcp_bind_generic_node(irssi_t) ++corenet_udp_bind_generic_node(irssi_t) ++ ++dev_read_urand(irssi_t) ++# irssi-otr genkey. 
++dev_read_rand(irssi_t) ++ ++files_read_etc_files(irssi_t) ++files_read_usr_files(irssi_t) ++ ++fs_search_auto_mountpoints(irssi_t) ++ ++miscfiles_read_localization(irssi_t) ++ ++sysnet_read_config(irssi_t) ++ ++userdom_use_user_terminals(irssi_t) ++ ++tunable_policy(`irssi_use_full_network', ` ++ corenet_tcp_bind_all_unreserved_ports(irssi_t) ++ corenet_tcp_connect_all_ports(irssi_t) ++ corenet_sendrecv_generic_server_packets(irssi_t) ++ corenet_sendrecv_all_client_packets(irssi_t) ++') ++ ++tunable_policy(`use_nfs_home_dirs', ` ++ fs_manage_nfs_dirs(irssi_t) ++ fs_manage_nfs_files(irssi_t) ++ fs_manage_nfs_symlinks(irssi_t) ++') ++ ++tunable_policy(`use_samba_home_dirs', ` ++ fs_manage_cifs_dirs(irssi_t) ++ fs_manage_cifs_files(irssi_t) ++ fs_manage_cifs_symlinks(irssi_t) ++') ++ ++optional_policy(` ++ automount_dontaudit_getattr_tmp_dirs(irssi_t) ++') ++ ++optional_policy(` ++ nis_use_ypbind(irssi_t) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.7.17/policy/modules/apps/java.fc --- nsaserefpolicy/policy/modules/apps/java.fc 2010-02-22 08:30:53.000000000 -0500 +++ serefpolicy-3.7.17/policy/modules/apps/java.fc 2010-03-29 15:35:14.000000000 -0400 
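Review bot: The pinentry section gives `gpg_pinentry_t` TCP sockets, generic-node bind, both D-Bus buses and pulseaudio access with no comment or tunable explaining why, although the existing comment above its `domtrans_pattern` says this is the domain that gets the passphrase from the user. The `allow gpg_pinentry_t self:tcp_socket create_stream_socket_perms;` and `corenet_tcp_*` lines sit outside the `optional_policy` block that holds the pulseaudio calls, so they stay granted whether or not that block is active. Moving them into it under a comment such as `# pulseaudio client access only` would tie the grant to its reason; the mplayer.te hunk that follows lays out the same rules the same way for `mplayer_t`. `allow gpg_pinentry_t user_tmpfs_t:file unlink;` names another module's type directly and is itself marked "Bug:", so it would sit better behind a userdomain interface. In `irc_role` in this same hunk, `allow $2 irssi_t:process { ptrace signal_perms };` grants ptrace where the `irc_t` rule just above grants only `signal`, which is worth confirming as intended.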
@@ -3677,6 +4265,84 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer. + allow $2 mplayer_exec_t:file entrypoint; + domtrans_pattern($1, mplayer_exec_t, $2) +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.te serefpolicy-3.7.17/policy/modules/apps/mplayer.te +--- nsaserefpolicy/policy/modules/apps/mplayer.te 2009-08-14 16:14:31.000000000 -0400 ++++ serefpolicy-3.7.17/policy/modules/apps/mplayer.te 2010-03-30 12:45:59.000000000 -0400 +@@ -152,11 +152,15 @@ + + allow mplayer_t self:process { signal_perms getsched }; + allow mplayer_t self:fifo_file rw_fifo_file_perms; ++allow mplayer_t self:netlink_route_socket create_netlink_socket_perms; + allow mplayer_t self:sem create_sem_perms; ++allow mplayer_t self:tcp_socket create_socket_perms; ++allow mplayer_t self:unix_dgram_socket sendto; + + manage_dirs_pattern(mplayer_t, mplayer_home_t, mplayer_home_t) + manage_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t) + manage_lnk_files_pattern(mplayer_t, mplayer_home_t, mplayer_home_t) ++userdom_user_home_dir_filetrans(mplayer_t, mplayer_home_t, dir) + userdom_search_user_home_dirs(mplayer_t) + + manage_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t) +@@ -178,6 +182,15 @@ + # Sysctl on kernel version + kernel_read_kernel_sysctls(mplayer_t) + ++corenet_all_recvfrom_netlabel(mplayer_t) ++corenet_all_recvfrom_unlabeled(mplayer_t) ++corenet_tcp_sendrecv_generic_if(mplayer_t) ++corenet_tcp_sendrecv_generic_node(mplayer_t) ++corenet_tcp_bind_generic_node(mplayer_t) ++ ++corenet_sendrecv_pulseaudio_client_packets(mplayer_t) ++corenet_tcp_connect_pulseaudio_port(mplayer_t) ++ + # Run bash/sed (??) 
+ corecmd_exec_bin(mplayer_t) + corecmd_exec_shell(mplayer_t) +@@ -192,6 +205,9 @@ + # RTC clock + dev_read_realtime_clock(mplayer_t) + ++dev_read_rand(mplayer_t) ++dev_read_urand(mplayer_t) ++ + # Access to DVD/CD/V4L + storage_raw_read_removable_device(mplayer_t) + +@@ -211,6 +227,8 @@ + fs_search_auto_mountpoints(mplayer_t) + fs_list_inotifyfs(mplayer_t) + ++logging_send_syslog_msg(mplayer_t) ++ + miscfiles_read_localization(mplayer_t) + miscfiles_read_fonts(mplayer_t) + +@@ -221,6 +239,7 @@ + userdom_read_user_tmp_symlinks(mplayer_t) + userdom_read_user_home_content_files(mplayer_t) + userdom_read_user_home_content_symlinks(mplayer_t) ++userdom_write_user_tmp_sockets(mplayer_t) + + xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t) + +@@ -290,5 +309,15 @@ + ') + + optional_policy(` ++ gnome_setattr_config_dirs(mplayer_t) ++') ++ ++optional_policy(` + nscd_socket_use(mplayer_t) + ') ++ ++optional_policy(` ++ pulseaudio_exec(mplayer_t) ++ pulseaudio_stream_connect(mplayer_t) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.7.17/policy/modules/apps/nsplugin.fc --- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.7.17/policy/modules/apps/nsplugin.fc 2010-03-29 15:35:14.000000000 -0400 @@ -4585,7 +5251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaud manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.7.17/policy/modules/apps/qemu.if --- nsaserefpolicy/policy/modules/apps/qemu.if 2010-02-22 08:30:53.000000000 -0500 -+++ serefpolicy-3.7.17/policy/modules/apps/qemu.if 2010-03-29 15:35:14.000000000 -0400 ++++ serefpolicy-3.7.17/policy/modules/apps/qemu.if 2010-03-30 12:48:21.000000000 -0400 @@ -127,12 +127,14 @@ template(`qemu_role',` gen_require(` 
@@ -4669,20 +5335,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if ## Manage qemu temporary dirs. ##
## -@@ -306,3 +369,23 @@ +@@ -306,3 +369,24 @@ manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) ') + +######################################## +## -+## Make qemu_exec_t an entrypoint for -+## the specified domain. ++## Make qemu_exec_t an entrypoint for ++## the specified domain. +## +## -+## -+## The domain for which qemu_exec_t is an entrypoint. -+## ++## ++## The domain for which qemu_exec_t is an entrypoint. ++## +## +# +interface(`qemu_entry_type',` @@ -4693,6 +5359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if + domain_entry_file($1, qemu_exec_t) +') + ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.7.17/policy/modules/apps/qemu.te --- nsaserefpolicy/policy/modules/apps/qemu.te 2010-02-22 08:30:53.000000000 -0500 +++ serefpolicy-3.7.17/policy/modules/apps/qemu.te 2010-03-29 15:35:14.000000000 -0400 @@ -14991,7 +15658,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyru snmp_stream_connect(cyrus_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.7.17/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.7.17/policy/modules/services/dbus.if 2010-03-29 15:35:14.000000000 -0400 ++++ serefpolicy-3.7.17/policy/modules/services/dbus.if 2010-03-30 12:54:59.000000000 -0400 @@ -42,8 +42,10 @@ gen_require(` class dbus { send_msg acquire_svc }; 
@@ -15082,7 +15749,49 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ## for service (acquire_svc). ## ## -@@ -364,6 +372,19 @@ +@@ -334,6 +342,41 @@ + + ######################################## + ## ++## Allow a application domain to be started ++## by the session dbus. ++## ++## ++## ++## Type to be used as a domain. ++## ++## ++## ++## ++## Type of the program to be used as an ++## entry point to this domain. ++## ++## ++# ++interface(`dbus_session_domain',` ++ gen_require(` ++ attribute session_bus_type; ++ ') ++ ++ domtrans_pattern(session_bus_type, $2, $1) ++ ++ dbus_session_bus_client($1) ++ dbus_connect_session_bus($1) ++ ++ optional_policy(` ++ # If unconfined_t wants to start a dbus_session_domain. ++ # unconfined_dbusd_t should get implemented for F13. ++ # Can just remove this when it is. ++ unconfined_dbus_connect($1) ++ ') ++') ++ ++######################################## ++## + ## Create a domain for processes + ## which can be started by the system dbus + ## +@@ -364,6 +407,19 @@ dbus_system_bus_client($1) dbus_connect_system_bus($1) @@ -15102,7 +15811,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ifdef(`hide_broken_symptoms', ` dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; ') -@@ -405,3 +426,24 @@ +@@ -405,3 +461,43 @@ typeattribute $1 dbusd_unconfined; ') 
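Review bot: The `optional_policy` block in the new `dbus_session_domain` adds `unconfined_dbus_connect($1)` as a stop-gap that its comment says can be removed once unconfined_dbusd_t exists, yet it is emitted for every domain that calls the interface and carries no marker to find it again. A searchable tag in the comment, e.g. `# FIXME: drop once unconfined_dbusd_t is implemented`, would keep the workaround from outliving its reason. The summary also reads "Allow a application domain"; `## Allow an application domain to be started` is the corrected wording.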
@@ -15127,6 +15836,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus + manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) +') + ++######################################## ++## ++## Read system dbus lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dbus_read_lib_files',` ++ gen_require(` ++ type system_dbusd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.7.17/policy/modules/services/dbus.te --- nsaserefpolicy/policy/modules/services/dbus.te 2009-11-17 10:54:26.000000000 -0500 +++ serefpolicy-3.7.17/policy/modules/services/dbus.te 2010-03-29 15:35:14.000000000 -0400 @@ -15201,8 +15929,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny +/var/log/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_log_t, s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.if serefpolicy-3.7.17/policy/modules/services/denyhosts.if --- nsaserefpolicy/policy/modules/services/denyhosts.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.7.17/policy/modules/services/denyhosts.if 2010-03-29 15:35:14.000000000 -0400 -@@ -0,0 +1,90 @@ ++++ serefpolicy-3.7.17/policy/modules/services/denyhosts.if 2010-03-30 12:55:47.000000000 -0400 +@@ -0,0 +1,87 @@ +## Deny Hosts. +## +##

@@ -15264,34 +15992,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny +## Role allowed access. +## +## -+## +# +interface(`denyhosts_admin', ` + gen_require(` + type denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lock_t; -+ type denyhosts_var_log_t; ++ type denyhosts_var_log_t, denyhosts_initrc_exec_t; + ') + + allow $1 denyhosts_t:process { ptrace signal_perms getattr }; -+ read_files_pattern($1, denyhosts_t, denyhosts_t) -+ -+ admin_pattern($1, denyhosts_var_lib_t) -+ -+ logging_search_logs($1) -+ admin_pattern($1, denyhosts_var_log_t) -+ -+ files_search_locks($1) -+ admin_pattern($1, denyhosts_var_lock_t) -+ ++ + denyhosts_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 denyhosts_initrc_exec_t system_r; + allow $2 system_r; + + kernel_search_proc($1) -+ allow $1 denyhosts_t:dir list_dir_perms; + ps_process_pattern($1, denyhosts_t) -+ read_lnk_files_pattern($1, denyhosts_t, denyhosts_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, denyhosts_var_lib_t) ++ ++ logging_search_logs($1) ++ admin_pattern($1, denyhosts_var_log_t) ++ ++ files_search_locks($1) ++ admin_pattern($1, denyhosts_var_lock_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.7.17/policy/modules/services/denyhosts.te --- nsaserefpolicy/policy/modules/services/denyhosts.te 1969-12-31 19:00:00.000000000 -0500 @@ -16385,10 +17110,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.7.17/policy/modules/services/git.if --- nsaserefpolicy/policy/modules/services/git.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.17/policy/modules/services/git.if 2010-03-29 15:35:14.000000000 -0400 -@@ -1 +1,535 @@ ++++ serefpolicy-3.7.17/policy/modules/services/git.if 2010-03-30 12:56:01.000000000 -0400 +@@ -1 +1,532 @@ -##

GIT revision control system -+## Git - Fast Version Control System. ++## Fast Version Control System. +## +##

+## A really simple TCP git daemon that normally listens on @@ -16416,6 +17141,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. +interface(`git_session_role',` + gen_require(` + type git_session_t, gitd_exec_t; ++ type git_session_content_t; + ') + + ######################################## @@ -16434,6 +17160,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. + + allow $2 git_session_t:process { ptrace signal_perms }; + ps_process_pattern($2, git_session_t) ++ ++ exec_files_pattern($2, git_session_content_t, git_session_content_t) ++ manage_dirs_pattern($2, git_session_content_t, git_session_content_t) ++ manage_files_pattern($2, git_session_content_t, git_session_content_t) ++ ++ relabel_dirs_pattern($2, git_session_content_t, git_session_content_t) ++ relabel_files_pattern($2, git_session_content_t, git_session_content_t) +') + +######################################## @@ -16562,7 +17295,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. + exec_files_pattern($1, $2, $2) + manage_dirs_pattern($1, $2, $2) + manage_files_pattern($1, $2, $2) -+ files_search_var($1) ++ files_search_var_lib($1) + + tunable_policy(`git_system_use_cifs',` + fs_exec_cifs_files($1) @@ -16587,7 +17320,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. +## Domain allowed access. +## +## -+## +# +interface(`git_rwx_all_content',` + gen_require(` @@ -16598,7 +17330,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. + manage_dirs_pattern($1, git_content, git_content) + manage_files_pattern($1, git_content, git_content) + userdom_search_user_home_dirs($1) -+ files_search_var($1) ++ files_search_var_lib($1) + + tunable_policy(`use_nfs_home_dirs',` + fs_exec_nfs_files($1) 
@@ -16635,7 +17367,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. +## Domain allowed access. +## +## -+## +# +interface(`git_rwx_all_system_content',` + gen_require(` @@ -16645,7 +17376,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. + exec_files_pattern($1, git_system_content, git_system_content) + manage_dirs_pattern($1, git_system_content, git_system_content) + manage_files_pattern($1, git_system_content, git_system_content) -+ files_search_var($1) ++ files_search_var_lib($1) + + tunable_policy(`git_system_use_cifs',` + fs_exec_cifs_files($1) @@ -16670,7 +17401,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. +## Domain allowed access. +## +## -+## +# +interface(`git_rwx_generic_system_content',` + gen_require(` @@ -16680,7 +17410,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. + exec_files_pattern($1, git_system_content_t, git_system_content_t) + manage_dirs_pattern($1, git_system_content_t, git_system_content_t) + manage_files_pattern($1, git_system_content_t, git_system_content_t) -+ files_search_var($1) ++ files_search_var_lib($1) + + tunable_policy(`git_system_use_cifs',` + fs_exec_cifs_files($1) @@ -16705,7 +17435,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. +## Domain allowed access. +## +## -+## +# +interface(`git_read_all_content_files',` + gen_require(` @@ -16748,7 +17477,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. +## Domain allowed access. +## +## -+## +# +interface(`git_read_session_content_files',` + gen_require(` @@ -16780,7 +17508,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. +## Domain allowed access. +## +## -+## +# +interface(`git_read_all_system_content_files',` + gen_require(` 
@@ -16812,7 +17539,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. +## Domain allowed access. +## +## -+## +# +interface(`git_read_generic_system_content_files',` + gen_require(` @@ -16844,7 +17570,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. +## Domain allowed access. +## +## -+## +# +interface(`git_relabel_all_content',` + gen_require(` @@ -16867,7 +17592,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. +## Domain allowed access. +## +## -+## +# +interface(`git_relabel_all_system_content',` + gen_require(` @@ -16889,7 +17613,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. +## Domain allowed access. +## +## -+## +# +interface(`git_relabel_generic_system_content',` + gen_require(` @@ -16911,7 +17634,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. +## Domain allowed access. +## +## -+## +# +interface(`git_relabel_session_content',` + gen_require(` @@ -16925,8 +17647,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.7.17/policy/modules/services/git.te --- nsaserefpolicy/policy/modules/services/git.te 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.17/policy/modules/services/git.te 2010-03-29 15:35:14.000000000 -0400 -@@ -1,9 +1,182 @@ ++++ serefpolicy-3.7.17/policy/modules/services/git.te 2010-03-30 12:56:01.000000000 -0400 +@@ -1,9 +1,193 @@ -policy_module(git, 1.0) +policy_module(git, 1.0.3) 
@@ -17003,19 +17725,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
 +
 +allow git_domains self:fifo_file rw_fifo_file_perms;
 +allow git_domains self:netlink_route_socket create_netlink_socket_perms;
-+allow git_domains self:tcp_socket { create_socket_perms listen };
++allow git_domains self:tcp_socket create_socket_perms;
 +allow git_domains self:udp_socket create_socket_perms;
 +allow git_domains self:unix_dgram_socket create_socket_perms;
 +
 +corenet_all_recvfrom_netlabel(git_domains)
 +corenet_all_recvfrom_unlabeled(git_domains)
-+
 +corenet_tcp_bind_generic_node(git_domains)
-+
 +corenet_tcp_sendrecv_generic_if(git_domains)
 +corenet_tcp_sendrecv_generic_node(git_domains)
 +corenet_tcp_sendrecv_generic_port(git_domains)
-+
 +corenet_tcp_bind_git_port(git_domains)
 +corenet_sendrecv_git_server_packets(git_domains)
 +
@@ -17034,6 +17753,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
 +
 +miscfiles_read_localization(git_domains)
 +
++sysnet_read_config(git_domains)
++
++optional_policy(`
++ automount_dontaudit_getattr_tmp_dirs(git_domains)
++')
++
++optional_policy(`
++ nis_use_ypbind(git_domains)
++')
++
 +########################################
 +#
 +# Git daemon system repository private policy.
@@ -17041,7 +17770,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.
 +
 +list_dirs_pattern(git_system_t, git_content, git_content)
 +read_files_pattern(git_system_t, git_content, git_content)
-+files_search_var(git_system_t)
++files_search_var_lib(git_system_t)
 +
 +tunable_policy(`git_system_enable_homedirs', `
 + userdom_search_user_home_dirs(git_system_t)
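Review bot: `listen` is dropped from the git_domains tcp_socket rule in the first hunk, but `corenet_tcp_bind_generic_node(git_domains)` and `corenet_tcp_bind_git_port(git_domains)` stay on the attribute, so every git domain may still bind the git port although only git_session_t gets `{ accept listen }` back (in the @@ -17066 hunk). If git_system_t is started by a super-server and never binds a socket itself, which the visible lines do not show, the two bind calls could move to the session section as well. A short comment above the attribute rules saying which domains accept connections directly would make the split easier to review.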
@@ -17066,11 +17795,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. + fs_list_nfs(git_system_t) + fs_read_nfs_files(git_system_t) +') -+ -+######################################## -+# + + ######################################## + # +-# Declarations +# Git daemon session repository private policy. -+# + # + +-apache_content_template(git) ++allow git_session_t self:tcp_socket { accept listen }; + +list_dirs_pattern(git_session_t, git_session_content_t, git_session_content_t) +read_files_pattern(git_session_t, git_session_content_t, git_session_content_t) @@ -17080,6 +17813,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. + +tunable_policy(`git_session_bind_all_unreserved_ports', ` + corenet_tcp_bind_all_unreserved_ports(git_session_t) ++ corenet_sendrecv_generic_server_packets(git_session_t) +') + +tunable_policy(`use_nfs_home_dirs', ` @@ -17102,16 +17836,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git. + git_read_session_content_files(httpd_git_script_t) + files_dontaudit_getattr_tmp_dirs(httpd_git_script_t) +') - - ######################################## - # --# Declarations ++ ++######################################## ++# +# Git-shell private policy. - # - --apache_content_template(git) -+#git_role_template(git_shell) -+#gen_user(git_shell_u, user, git_shell_r, s0, s0) ++# ++ ++git_role_template(git_shell) ++gen_user(git_shell_u, user, git_shell_r, s0, s0) ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpsd.te serefpolicy-3.7.17/policy/modules/services/gpsd.te --- nsaserefpolicy/policy/modules/services/gpsd.te 2010-01-07 14:53:53.000000000 -0500 +++ serefpolicy-3.7.17/policy/modules/services/gpsd.te 2010-03-29 15:35:14.000000000 -0400 
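Review bot: The last hunk on this line (@@ -17102) turns the previously commented-out `git_role_template(git_shell)` and `gen_user(git_shell_u, user, git_shell_r, s0, s0)` into live policy without a comment on what the new role and SELinux user are permitted to do. No visible hunk of git.if defines git_role_template, so confirm that the template ships in the same revision and that a `gen_user` statement is accepted in a module .te file by the build used for this package. I would add a line above the two statements describing the intended confinement, for example `# git_shell_u: login user limited to the git_shell role (see git_role_template in git.if)`.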
@@ -18379,7 +19112,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.7.17/policy/modules/services/nagios.te --- nsaserefpolicy/policy/modules/services/nagios.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.17/policy/modules/services/nagios.te 2010-03-29 15:35:14.000000000 -0400 ++++ serefpolicy-3.7.17/policy/modules/services/nagios.te 2010-03-30 12:57:22.000000000 -0400 @@ -6,17 +6,23 @@ # Declarations # @@ -18663,7 +19396,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi + +files_read_etc_files(nagios_mail_plugin_t) + -+libs_use_lib_files(nagios_mail_plugin_t) ++libs_use_shared_libs(nagios_mail_plugin_t) +libs_use_ld_so(nagios_mail_plugin_t) + +logging_send_syslog_msg(nagios_mail_plugin_t) @@ -19791,6 +20524,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddj +userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t) +userdom_manage_user_home_content(oddjob_mkhomedir_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oident.te serefpolicy-3.7.17/policy/modules/services/oident.te +--- nsaserefpolicy/policy/modules/services/oident.te 2009-08-14 16:14:31.000000000 -0400 ++++ serefpolicy-3.7.17/policy/modules/services/oident.te 2010-03-30 12:57:38.000000000 -0400 +@@ -49,6 +49,7 @@ + kernel_read_network_state(oidentd_t) + kernel_read_network_state_symlinks(oidentd_t) + kernel_read_sysctl(oidentd_t) ++kernel_request_load_module(oidentd_t) + + logging_send_syslog_msg(oidentd_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.7.17/policy/modules/services/openvpn.te --- nsaserefpolicy/policy/modules/services/openvpn.te 2010-03-23 10:55:15.000000000 -0400 +++ serefpolicy-3.7.17/policy/modules/services/openvpn.te 2010-03-30 09:05:45.000000000 -0400 
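Review bot: `kernel_request_load_module(oidentd_t)` in the added oident.te section lets a network-facing daemon ask the kernel to load modules, and nothing in the hunk records which module prompted the rule. If the request is only a side effect of a socket call and the daemon works without it, which this hunk does not show, `kernel_dontaudit_request_load_module(oidentd_t)` would silence the denial without granting the permission. Otherwise add a comment naming the module, for example `# needed for <module name from the AVC> (placeholder)`.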
@@ -25143,7 +25887,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. +/root/\.ssh(/.*)? gen_context(system_u:object_r:home_ssh_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.7.17/policy/modules/services/ssh.if --- nsaserefpolicy/policy/modules/services/ssh.if 2010-02-18 14:06:31.000000000 -0500 -+++ serefpolicy-3.7.17/policy/modules/services/ssh.if 2010-03-29 15:35:14.000000000 -0400 ++++ serefpolicy-3.7.17/policy/modules/services/ssh.if 2010-03-30 12:59:11.000000000 -0400 @@ -36,6 +36,7 @@ gen_require(` attribute ssh_server; @@ -25283,7 +26027,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. userdom_user_home_domtrans($1_ssh_agent_t, $3) allow $3 $1_ssh_agent_t:fd use; allow $3 $1_ssh_agent_t:fifo_file rw_file_perms; -@@ -696,6 +708,27 @@ +@@ -696,6 +708,50 @@ dontaudit $1 sshd_key_t:file { getattr read }; ') @@ -25308,6 +26052,29 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. + userdom_search_user_home_dirs($1) +') + ++######################################## ++##

++## Create Secure Shell home directory ++## content. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ssh_create_user_home_files',` ++ gen_require(` ++ type home_ssh_t; ++ ') ++ ++ # This is only for Seahorse. May no longer be required in future. ++ create_dirs_pattern($1, home_ssh_t, home_ssh_t) ++ create_files_pattern($1, home_ssh_t, home_ssh_t) ++ userdom_user_home_dir_filetrans($1, home_ssh_t, { dir file }) ++ userdom_search_user_home_dirs($1) ++') ++ ####################################### ## ## Delete from the ssh temp files. @@ -34153,21 +34920,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.7.17/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2010-03-03 23:26:37.000000000 -0500 -+++ serefpolicy-3.7.17/policy/modules/system/userdomain.te 2010-03-29 15:35:15.000000000 -0400 -@@ -29,10 +29,10 @@ ++++ serefpolicy-3.7.17/policy/modules/system/userdomain.te 2010-03-30 12:40:26.000000000 -0400 +@@ -29,13 +29,6 @@ ## ##
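Review bot: `userdom_user_home_dir_filetrans($1, home_ssh_t, { dir file })` in the new ssh_create_user_home_files interface labels every file and directory the caller creates directly in the home directory as home_ssh_t, not only `.ssh`. Only the directory has to be created at that level, so `userdom_user_home_dir_filetrans($1, home_ssh_t, dir)` looks sufficient, and any caller should be a domain that creates nothing else at the top of the home directory. The inline comment says the interface exists only for Seahorse; repeating that in the summary would keep other modules from picking it up.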

-## Allow users to read system messages. -+## Allow regular users direct dri device access - ##

- ##
+-##

+-## -gen_tunable(user_dmesg, false) -+gen_tunable(user_direct_dri, false) - - ## - ##

-@@ -54,11 +54,20 @@ +- +-## +-##

+ ## Allow user to r/w files on filesystems + ## that do not have extended attributes (FAT, CDROM, FLOPPY) + ##

+@@ -54,11 +47,20 @@ # all user domains attribute userdomain; @@ -34190,7 +34958,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) -@@ -72,6 +81,7 @@ +@@ -72,6 +74,7 @@ type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; @@ -34198,7 +34966,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo userdom_user_home_content(user_home_t) fs_associate_tmpfs(user_home_t) files_associate_tmp(user_home_t) -@@ -97,3 +107,29 @@ +@@ -97,3 +100,29 @@ type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t }; dev_node(user_tty_device_t) ubac_constrained(user_tty_device_t)