diff --git a/policy-F13.patch b/policy-F13.patch index 7c7f67b..8411ffc 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -356,6 +356,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anacond ') optional_policy(` +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/brctl.if serefpolicy-3.7.19/policy/modules/admin/brctl.if +--- nsaserefpolicy/policy/modules/admin/brctl.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/brctl.if 2010-08-04 14:41:54.102084891 +0200 +@@ -17,3 +17,23 @@ + + domtrans_pattern($1, brctl_exec_t, brctl_t) + ') ++ ++###################################### ++## ++## Execute brctl in the brctl domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`brctl_run',` ++ gen_require(` ++ type brctl_t, brctl_exec_t; ++ ') ++ ++ brctl_domtrans($1) ++ role $2 types brctl_t; ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.te serefpolicy-3.7.19/policy/modules/admin/certwatch.te --- nsaserefpolicy/policy/modules/admin/certwatch.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/admin/certwatch.te 2010-07-19 15:48:02.471151653 +0200 @@ -682,8 +709,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool +/usr/bin/ncftool -- gen_context(system_u:object_r:ncftool_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.if serefpolicy-3.7.19/policy/modules/admin/ncftool.if --- nsaserefpolicy/policy/modules/admin/ncftool.if 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/admin/ncftool.if 2010-06-15 18:40:03.049767991 +0200 -@@ -0,0 +1,74 @@ ++++ serefpolicy-3.7.19/policy/modules/admin/ncftool.if 2010-08-04 14:43:25.607335716 +0200 +@@ -0,0 +1,78 @@ + +## policy for ncftool + 
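Review bot: brctl_run uses a second parameter (`role $2 types brctl_t;`) but its description documents only one parameter, "Domain allowed access."; add a role entry, e.g. `## The role to be allowed the brctl domain.`, and widen the summary to `## Execute brctl in the brctl domain, and allow the specified role the brctl domain.` so it is not a copy of the domtrans wording. The gen_require also lists brctl_exec_t, which nothing in the body references — presumably brctl_domtrans's own require covers it — so `type brctl_t;` would suffice there.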
@@ -728,6 +755,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool + + ncftool_domtrans($1) + role $2 types ncftool_t; ++ ++ optional_policy(` ++ brctl_run(ncftool_t, $2) ++ ') +') + +######################################## @@ -760,8 +791,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.te serefpolicy-3.7.19/policy/modules/admin/ncftool.te --- nsaserefpolicy/policy/modules/admin/ncftool.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/admin/ncftool.te 2010-06-16 22:19:10.097109891 +0200 -@@ -0,0 +1,79 @@ ++++ serefpolicy-3.7.19/policy/modules/admin/ncftool.te 2010-08-04 14:43:51.328085349 +0200 +@@ -0,0 +1,81 @@ + +policy_module(ncftool,1.0.0) + @@ -830,6 +861,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool +sysnet_read_dhcpc_state(ncftool_t) +sysnet_relabelfrom_net_conf(ncftool_t) +sysnet_relabelto_net_conf(ncftool_t) ++sysnet_read_dhcpc_pid(ncftool_t) ++sysnet_signal_dhcpc(ncftool_t) + +userdom_read_user_tmp_files(ncftool_t) + @@ -6786,7 +6819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-07-09 09:45:47.464135449 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-08-04 15:18:13.603335743 +0200 @@ -0,0 +1,391 @@ +policy_module(sandbox,1.0.0) +dbus_stub() 
@@ -6823,7 +6856,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +# +# sandbox xserver policy +# -+allow sandbox_xserver_t self:process execmem; ++allow sandbox_xserver_t self:process { execmem execstack }; +allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms; +allow sandbox_xserver_t self:shm create_shm_perms; +allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms; @@ -8245,7 +8278,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-07-14 11:26:33.298158993 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-08-04 15:16:45.690085499 +0200 @@ -9,8 +9,10 @@ /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) @@ -8300,9 +8333,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0) -@@ -217,10 +230,15 @@ +@@ -216,11 +229,17 @@ + /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/dayplanner/dayplanner -- gen_context(system_u:object_r:bin_t,s0) /usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/denyhosts/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/denyhosts/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) 
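Review bot: `allow sandbox_xserver_t self:process { execmem execstack };` adds an executable stack to the sandboxed X server, giving up a memory-protection mitigation inside the domain whose purpose is to contain untrusted content, and the hunk records no reason for it. If one binary or library triggers the denial, clearing its executable-stack marking is the better fix; if the rule must stay, a comment above it naming the component, e.g. `# execstack: required by <component> — TODO confirm`, would tell the next reader why. execmem was already granted before this change.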
@@ -8316,7 +8351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -240,6 +258,7 @@ +@@ -240,6 +259,7 @@ /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -8324,7 +8359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -297,6 +316,7 @@ +@@ -297,6 +317,7 @@ /usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0) @@ -8332,7 +8367,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/system-config-services/serviceconf\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-services/system-config-services -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-soundcard/system-config-soundcard -- gen_context(system_u:object_r:bin_t,s0) -@@ -331,3 +351,21 @@ +@@ -331,3 +352,21 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') 
@@ -9381,7 +9416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.19/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/kernel/files.if 2010-07-09 09:46:06.705385324 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/files.if 2010-08-04 14:39:59.845084944 +0200 @@ -1053,10 +1053,8 @@ relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -9920,12 +9955,30 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## dontaudit write of /usr files ## ## -@@ -5032,6 +5404,25 @@ +@@ -5032,6 +5404,43 @@ search_dirs_pattern($1, var_t, var_run_t) ') +####################################### +## ++## Add and remove entries from pid directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_rw_pid_dirs',` ++ gen_require(` ++ type var_run_t; ++ ') ++ ++ allow $1 var_run_t:dir rw_dir_perms; ++') ++ ++####################################### ++## +## Create generic pid directory. +## +## @@ -9946,7 +9999,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ######################################## ## ## Do not audit attempts to search -@@ -5091,6 +5482,24 @@ +@@ -5091,6 +5500,24 @@ ######################################## ## @@ -9971,7 +10024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Create an object in the process ID directory, with a private type. ## ## -@@ -5238,6 +5647,7 @@ +@@ -5238,6 +5665,7 @@ list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) 
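Review bot: files_rw_pid_dirs grants `rw_dir_perms` on var_run_t, so any entry the caller creates in /var/run keeps the generic var_run_t type unless the caller also has a type transition; the description should say so, e.g. `## Callers should pair this with files_pid_filetrans() so that created entries receive a private type.` files_pid_filetrans is the interface documented later in this file as "Create an object in the process ID directory, with a private type."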
@@ -9979,7 +10032,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -5306,6 +5716,24 @@ +@@ -5306,6 +5734,24 @@ ######################################## ## @@ -10004,7 +10057,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Search the contents of generic spool ## directories (/var/spool). ## -@@ -5494,12 +5922,15 @@ +@@ -5494,12 +5940,15 @@ allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) @@ -10021,7 +10074,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ') -@@ -5520,3 +5951,229 @@ +@@ -5520,3 +5969,229 @@ typeattribute $1 files_unconfined_type; ') @@ -11197,7 +11250,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.7.19/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/kernel/terminal.if 2010-05-28 09:42:00.042610995 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/terminal.if 2010-08-04 15:34:29.688085386 +0200 @@ -292,9 +292,11 @@ interface(`term_dontaudit_use_console',` gen_require(` @@ -11255,7 +11308,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/termin ') ######################################## -@@ -1333,7 +1354,7 @@ +@@ -1233,10 +1254,12 @@ + interface(`term_dontaudit_getattr_all_ttys',` + gen_require(` + attribute ttynode; ++ type tty_device_t; + ') + + dev_list_all_dev_nodes($1) + dontaudit $1 ttynode:chr_file getattr; ++ dontaudit $1 tty_device_t:chr_file getattr; + ') + + ######################################## +@@ -1333,7 +1356,7 @@ attribute ttynode; ') 
@@ -13484,7 +13550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt admin_pattern($1, abrt_var_cache_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.19/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/abrt.te 2010-07-21 09:31:43.073135212 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/abrt.te 2010-08-04 15:15:53.954335601 +0200 @@ -1,11 +1,19 @@ -policy_module(abrt, 1.0.1) @@ -13617,7 +13683,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt logging_read_generic_logs(abrt_t) logging_send_syslog_msg(abrt_t) -@@ -103,22 +152,125 @@ +@@ -103,22 +152,129 @@ miscfiles_read_certs(abrt_t) miscfiles_read_localization(abrt_t) @@ -13630,9 +13696,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt +tunable_policy(`abrt_anon_write',` + miscfiles_manage_public_files(abrt_t) +') + + optional_policy(` +- dbus_connect_system_bus(abrt_t) +- dbus_system_bus_client(abrt_t) ++ afs_rw_udp_sockets(abrt_t) ++') + +optional_policy(` -+ afs_rw_udp_sockets(abrt_t) ++ apache_read_modules(abrt_t) +') + +optional_policy(` @@ -13654,10 +13726,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt + policykit_read_lib(abrt_t) + policykit_read_reload(abrt_t) +') - - optional_policy(` -- dbus_connect_system_bus(abrt_t) -- dbus_system_bus_client(abrt_t) ++ ++optional_policy(` + prelink_exec(abrt_t) + libs_exec_ld_so(abrt_t) + corecmd_exec_all_executables(abrt_t) 
@@ -14281,7 +14351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.19/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/apache.if 2010-07-09 09:33:54.638134829 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/apache.if 2010-08-04 15:15:10.969085367 +0200 @@ -13,17 +13,13 @@ # template(`apache_content_template',` @@ -14490,15 +14560,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ## Apache cache. ## ## -@@ -756,6 +789,7 @@ +@@ -756,6 +789,28 @@ ') allow $1 httpd_modules_t:dir list_dir_perms; + read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t) ++') ++ ++####################################### ++## ++## Allow the specified domain to read ++## the apache modules files. ++## directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`apache_read_modules',` ++ gen_require(` ++ type httpd_modules_t; ++ ') ++ ++ allow $1 httpd_modules_t:dir list_dir_perms; ++ read_files_pattern($1,httpd_modules_t, httpd_modules_t) ') ######################################## -@@ -814,6 +848,7 @@ +@@ -814,6 +869,7 @@ ') list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) @@ -14506,7 +14597,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac files_search_var($1) ') -@@ -841,6 +876,54 @@ +@@ -841,6 +897,54 @@ manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ') @@ -14561,7 +14652,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## ## ## Execute all web scripts in the system -@@ -858,6 +941,11 @@ +@@ -858,6 +962,11 @@ gen_require(` attribute httpdcontent; type httpd_sys_script_t; 
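Review bot: The description of the new apache_read_modules interface reads `## the apache modules files.` followed by a stray `## directory.` line left over from the list interface's text; drop the `## directory.` line. In the body, `read_files_pattern($1,httpd_modules_t, httpd_modules_t)` lacks the space after the first comma that every neighbouring pattern call has. The `allow $1 httpd_modules_t:dir list_dir_perms;` line repeats the body of the interface immediately above; calling that interface instead would keep the two in step.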
@@ -14573,7 +14664,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -945,7 +1033,7 @@ +@@ -945,7 +1054,7 @@ type httpd_squirrelmail_t; ') @@ -14582,7 +14673,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -985,6 +1073,24 @@ +@@ -985,6 +1094,24 @@ allow $1 httpd_sys_content_t:dir search_dir_perms; ') @@ -14607,7 +14698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## ## ## Read apache system content. -@@ -1086,6 +1192,25 @@ +@@ -1086,6 +1213,25 @@ read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') @@ -14633,7 +14724,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ######################################## ## ## Dontaudit attempts to write -@@ -1102,7 +1227,7 @@ +@@ -1102,7 +1248,7 @@ type httpd_tmp_t; ') @@ -14642,7 +14733,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') ######################################## -@@ -1172,7 +1297,7 @@ +@@ -1172,7 +1318,7 @@ type httpd_modules_t, httpd_lock_t; type httpd_var_run_t, httpd_php_tmp_t; type httpd_suexec_tmp_t, httpd_tmp_t; @@ -14651,7 +14742,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') allow $1 httpd_t:process { getattr ptrace signal_perms }; -@@ -1202,12 +1327,62 @@ +@@ -1202,12 +1348,62 @@ kernel_search_proc($1) allow $1 httpd_t:dir list_dir_perms; 
@@ -17595,7 +17686,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb role_transition $2 cobblerd_initrc_exec_t system_r; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.7.19/policy/modules/services/cobbler.te --- nsaserefpolicy/policy/modules/services/cobbler.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/cobbler.te 2010-07-23 14:04:59.759138567 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/cobbler.te 2010-08-04 15:19:21.628084941 +0200 @@ -1,5 +1,5 @@ -policy_module(cobbler, 1.0.0) @@ -17603,7 +17694,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb ######################################## # -@@ -24,6 +24,9 @@ +@@ -14,6 +14,14 @@ + ## + gen_tunable(cobbler_anon_write, false) + ++## ++##

++## Allow Cobbler to connect to the ++## network using TCP. ++##

++##
++gen_tunable(cobbler_can_network_connect, false) ++ + type cobblerd_t; + type cobblerd_exec_t; + init_daemon_domain(cobblerd_t, cobblerd_exec_t) +@@ -24,6 +32,9 @@ type cobbler_etc_t; files_config_file(cobbler_etc_t) @@ -17613,14 +17719,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb type cobbler_var_log_t; logging_log_file(cobbler_var_log_t) -@@ -36,12 +39,18 @@ +@@ -36,12 +47,20 @@ # allow cobblerd_t self:capability { chown dac_override fowner sys_nice }; +dontaudit cobblerd_t self:capability sys_tty_config; allow cobblerd_t self:process { getsched setsched signal }; allow cobblerd_t self:fifo_file rw_fifo_file_perms; ++allow cobblerd_t self:netlink_route_socket create_netlink_socket_perms; allow cobblerd_t self:tcp_socket create_stream_socket_perms; ++allow cobblerd_t self:udp_socket create_stream_socket_perms; +list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t) read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t) @@ -17632,7 +17740,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file }) -@@ -70,7 +79,12 @@ +@@ -65,12 +84,23 @@ + corenet_tcp_sendrecv_generic_if(cobblerd_t) + corenet_tcp_sendrecv_generic_node(cobblerd_t) + corenet_tcp_sendrecv_generic_port(cobblerd_t) ++corenet_tcp_connect_http_port(cobblerd_t) ++corenet_tcp_sendrecv_http_port(cobblerd_t) ++corenet_sendrecv_http_client_packets(cobblerd_t) ++ ++domain_dontaudit_exec_all_entry_files(cobblerd_t) ++domain_dontaudit_read_all_domains_state(cobblerd_t) + + dev_read_urand(cobblerd_t) files_read_usr_files(cobblerd_t) files_list_boot(cobblerd_t) 
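Review bot: `allow cobblerd_t self:udp_socket create_stream_socket_perms;` applies the stream permission set to a datagram socket; create_stream_socket_perms adds listen and accept, which have no meaning for UDP, and the reference-policy form is `allow cobblerd_t self:udp_socket create_socket_perms;`. The netlink_route_socket rule added just above uses its matching create_netlink_socket_perms set, so only the udp line is out of step.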
@@ -17645,7 +17764,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb miscfiles_read_localization(cobblerd_t) miscfiles_read_public_files(cobblerd_t) -@@ -84,7 +98,7 @@ +@@ -79,12 +109,18 @@ + sysnet_rw_dhcp_config(cobblerd_t) + sysnet_write_config(cobblerd_t) + ++tunable_policy(`cobbler_can_network_connect',` ++ corenet_tcp_connect_all_ports(cobblerd_t) ++ corenet_tcp_sendrecv_all_ports(cobblerd_t) ++ corenet_sendrecv_all_client_packets(cobblerd_t) ++') ++ + tunable_policy(`cobbler_anon_write',` + miscfiles_manage_public_files(cobblerd_t) ') optional_policy(` @@ -17654,7 +17784,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb ') optional_policy(` -@@ -112,10 +126,21 @@ +@@ -112,10 +148,21 @@ ') optional_policy(` @@ -17976,8 +18106,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/corosync.te serefpolicy-3.7.19/policy/modules/services/corosync.te --- nsaserefpolicy/policy/modules/services/corosync.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/corosync.te 2010-07-21 09:37:29.061134765 +0200 -@@ -0,0 +1,139 @@ ++++ serefpolicy-3.7.19/policy/modules/services/corosync.te 2010-08-04 14:57:52.139335328 +0200 +@@ -0,0 +1,140 @@ + +policy_module(corosync,1.0.0) + @@ -18116,6 +18246,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/coro + corenet_tcp_connect_ricci_port(corosync_t) + + ricci_read_lib_files(corosync_t) ++ ricci_rw_modclusterd_tmpfs_files(corosync_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.7.19/policy/modules/services/cron.fc --- nsaserefpolicy/policy/modules/services/cron.fc 2010-04-13 20:44:36.000000000 +0200 
@@ -29381,7 +29512,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc /usr/libexec/ricci-modrpm -- gen_context(system_u:object_r:ricci_modrpm_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.if serefpolicy-3.7.19/policy/modules/services/ricci.if --- nsaserefpolicy/policy/modules/services/ricci.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/ricci.if 2010-07-21 09:56:46.277134919 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ricci.if 2010-08-04 15:00:06.454085086 +0200 @@ -18,6 +18,24 @@ domtrans_pattern($1, ricci_exec_t, ricci_t) ') @@ -29407,7 +29538,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc ######################################## ## ## Execute a domain transition to run ricci_modcluster. -@@ -165,3 +183,67 @@ +@@ -94,6 +112,25 @@ + allow $1 ricci_modclusterd_t:unix_stream_socket connectto; + ') + ++####################################### ++## ++## Read and write to ricci_modclusterd temporary file system. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ricci_rw_modclusterd_tmpfs_files',` ++ gen_require(` ++ type ricci_modclusterd_tmpfs_t; ++ ') ++ ++ allow $1 ricci_modclusterd_tmpfs_t:file rw_file_perms; ++ allow $1 ricci_modclusterd_tmpfs_t:file unlink; ++') ++ + ######################################## + ## + ## Execute a domain transition to run ricci_modlog. +@@ -165,3 +202,67 @@ domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t) ') 
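Review bot: ricci_rw_modclusterd_tmpfs_files grants `unlink` on top of rw_file_perms, so it does more than its name and its "Read and write" summary promise, and callers such as the corosync hunk in this change get deletion without the name saying so; either drop the unlink rule or rename and redocument it, e.g. `## Read, write and delete ricci_modclusterd temporary file system files.` The two allow rules on the same type and class can also be folded into one: `allow $1 ricci_modclusterd_tmpfs_t:file { rw_file_perms unlink };`.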
@@ -29477,7 +29634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.7.19/policy/modules/services/ricci.te --- nsaserefpolicy/policy/modules/services/ricci.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/ricci.te 2010-05-28 09:42:00.173610620 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ricci.te 2010-08-04 14:57:19.868085260 +0200 @@ -11,6 +11,9 @@ domain_type(ricci_t) init_daemon_domain(ricci_t, ricci_exec_t) 
@@ -29488,22 +29645,40 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc # tmp files type ricci_tmp_t; files_tmp_file(ricci_tmp_t) -@@ -194,10 +197,13 @@ +@@ -50,6 +53,9 @@ + domain_type(ricci_modclusterd_t) + init_daemon_domain(ricci_modclusterd_t, ricci_modclusterd_exec_t) + ++type ricci_modclusterd_tmpfs_t; ++files_tmpfs_file(ricci_modclusterd_tmpfs_t) ++ + type ricci_modlog_t; + type ricci_modlog_exec_t; + domain_type(ricci_modlog_t) +@@ -194,12 +200,21 @@ # ricci_modcluster local policy # -allow ricci_modcluster_t self:capability sys_nice; ++manage_dirs_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, ricci_modclusterd_tmpfs_t) ++manage_files_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t,ricci_modclusterd_tmpfs_t) ++fs_tmpfs_filetrans(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t, { dir file }) ++ +allow ricci_modcluster_t self:capability { net_bind_service sys_nice }; allow ricci_modcluster_t self:process setsched; allow ricci_modcluster_t self:fifo_file rw_fifo_file_perms; -+corenet_tcp_bind_cluster_port(ricci_modclusterd_t) -+corenet_tcp_bind_reserved_port(ricci_modclusterd_t) -+ kernel_read_kernel_sysctls(ricci_modcluster_t) kernel_read_system_state(ricci_modcluster_t) ++kernel_request_load_module(ricci_modclusterd_t) ++ ++corenet_tcp_bind_cluster_port(ricci_modclusterd_t) ++corenet_tcp_bind_reserved_port(ricci_modclusterd_t) ++corenet_tcp_connect_generic_port(ricci_modclusterd_t) -@@ -227,6 +233,11 @@ + corecmd_exec_shell(ricci_modcluster_t) + corecmd_exec_bin(ricci_modcluster_t) +@@ -227,6 +242,11 @@ ricci_stream_connect_modclusterd(ricci_modcluster_t) optional_policy(` @@ -29515,7 +29690,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc ccs_stream_connect(ricci_modcluster_t) ccs_domtrans(ricci_modcluster_t) ccs_manage_config(ricci_modcluster_t) -@@ -245,6 +256,10 @@ +@@ -245,6 +265,10 @@ ') optional_policy(` 
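Review bot: The new ricci_modclusterd_t rules (the three tmpfs manage/filetrans lines, kernel_request_load_module and the three corenet_tcp_* lines) are inserted under the `# ricci_modcluster local policy` header among ricci_modcluster_t rules, while the file has a separate ricci_modclusterd_t section later (the -259/+283 hunk edits it); moving them there keeps each domain's policy in one place. `manage_files_pattern(ricci_modclusterd_t, ricci_modclusterd_tmpfs_t,ricci_modclusterd_tmpfs_t)` is also missing the space after the second comma that the sibling lines have. The enclosing section continues outside the hunk.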
@@ -29526,7 +29701,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc # XXX This has got to go. unconfined_domain(ricci_modcluster_t) ') -@@ -259,11 +274,11 @@ +@@ -259,11 +283,11 @@ allow ricci_modclusterd_t self:fifo_file rw_fifo_file_perms; allow ricci_modclusterd_t self:unix_stream_socket create_stream_socket_perms; allow ricci_modclusterd_t self:tcp_socket create_stream_socket_perms; @@ -29539,7 +29714,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc # log files allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr; -@@ -294,6 +309,8 @@ +@@ -294,6 +318,8 @@ fs_getattr_xattr_fs(ricci_modclusterd_t) @@ -29548,7 +29723,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc init_stream_connect_script(ricci_modclusterd_t) locallogin_dontaudit_use_fds(ricci_modclusterd_t) -@@ -303,7 +320,11 @@ +@@ -303,7 +329,11 @@ miscfiles_read_localization(ricci_modclusterd_t) sysnet_domtrans_ifconfig(ricci_modclusterd_t) @@ -29561,7 +29736,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc optional_policy(` ccs_domtrans(ricci_modclusterd_t) -@@ -312,6 +333,10 @@ +@@ -312,6 +342,10 @@ ') optional_policy(` @@ -29572,7 +29747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc unconfined_use_fds(ricci_modclusterd_t) ') -@@ -440,6 +465,12 @@ +@@ -440,6 +474,12 @@ files_read_usr_files(ricci_modstorage_t) files_read_kernel_modules(ricci_modstorage_t) @@ -29585,7 +29760,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc storage_raw_read_fixed_disk(ricci_modstorage_t) term_dontaudit_use_console(ricci_modstorage_t) -@@ -457,6 +488,11 @@ +@@ -457,6 +497,11 @@ mount_domtrans(ricci_modstorage_t) optional_policy(` 
@@ -31928,7 +32103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.19/policy/modules/services/ssh.te --- nsaserefpolicy/policy/modules/services/ssh.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2010-05-28 09:42:00.194610898 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/ssh.te 2010-08-04 15:01:13.430084931 +0200 @@ -34,6 +34,9 @@ ssh_server_template(sshd) init_daemon_domain(sshd_t, sshd_exec_t) @@ -31991,8 +32166,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t) -@@ -292,22 +303,30 @@ +@@ -290,24 +301,34 @@ + kernel_search_key(sshd_t) + kernel_link_key(sshd_t) ++dev_rw_crypto(sshd_t) ++ term_use_all_ptys(sshd_t) term_setattr_all_ptys(sshd_t) +term_setattr_all_ttys(sshd_t) @@ -32026,7 +32205,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') optional_policy(` -@@ -315,7 +334,12 @@ +@@ -315,7 +336,12 @@ ') optional_policy(` @@ -32040,7 +32219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. ') optional_policy(` -@@ -323,6 +347,10 @@ +@@ -323,6 +349,10 @@ ') optional_policy(` @@ -32051,7 +32230,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh. rpm_use_script_fds(sshd_t) ') -@@ -333,10 +361,18 @@ +@@ -333,10 +363,18 @@ ') optional_policy(` 
@@ -32256,6 +32435,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbm -/var/run/usbmuxd -s gen_context(system_u:object_r:usbmuxd_var_run_t,s0) +/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.7.19/policy/modules/services/uucp.te +--- nsaserefpolicy/policy/modules/services/uucp.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/uucp.te 2010-08-04 15:04:00.352085562 +0200 +@@ -84,6 +84,7 @@ + corenet_udp_sendrecv_generic_node(uucpd_t) + corenet_tcp_sendrecv_all_ports(uucpd_t) + corenet_udp_sendrecv_all_ports(uucpd_t) ++corenet_tcp_connect_ssh_port(uucpd_t) + + dev_read_urand(uucpd_t) + +@@ -114,6 +115,10 @@ + kerberos_use(uucpd_t) + ') + ++optional_policy(` ++ ssh_exec(uucpd_t) ++') ++ + ######################################## + # + # UUX Local policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varnishd.if serefpolicy-3.7.19/policy/modules/services/varnishd.if --- nsaserefpolicy/policy/modules/services/varnishd.if 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/varnishd.if 2010-05-28 09:42:00.198610771 +0200 
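Review bot: `ssh_exec(uucpd_t)` runs the ssh client inside uucpd_t rather than in a separate client domain, which is presumably why `corenet_tcp_connect_ssh_port(uucpd_t)` is added next to it: the daemon domain itself now makes the outbound ssh connection and reads whatever the client reads under its own label. If that is the intent, a one-line comment above the new optional_policy block, e.g. `# uucp invokes the ssh client directly; it runs in uucpd_t`, would record the decision and head off a later request for a domain transition. Note that the context lines show uucpd_t already has corenet_tcp_sendrecv_all_ports, so the connect rule is the only new network permission.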
@@ -32285,6 +32486,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varn ####################################### ## ## Read varnish logs. +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/varnishd.te serefpolicy-3.7.19/policy/modules/services/varnishd.te +--- nsaserefpolicy/policy/modules/services/varnishd.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/varnishd.te 2010-08-04 15:24:49.633084903 +0200 +@@ -52,6 +52,7 @@ + # + + allow varnishd_t self:capability { dac_override ipc_lock setuid setgid }; ++dontaudit varnishd_t self:capability sys_tty_config; + allow varnishd_t self:process signal; + allow varnishd_t self:fifo_file rw_fifo_file_perms; + allow varnishd_t self:tcp_socket create_stream_socket_perms; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhostmd.fc serefpolicy-3.7.19/policy/modules/services/vhostmd.fc --- nsaserefpolicy/policy/modules/services/vhostmd.fc 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/vhostmd.fc 2010-07-21 10:49:49.095135392 +0200 @@ -32507,7 +32719,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.7.19/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/virt.te 2010-07-13 09:50:27.906502586 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/virt.te 2010-08-04 15:20:48.325085430 +0200 @@ -1,5 +1,5 @@ -policy_module(virt, 1.3.2) 
@@ -32531,7 +32743,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt type virt_etc_t; files_config_file(virt_etc_t) -@@ -72,8 +72,12 @@ +@@ -66,20 +66,26 @@ + # virt Image files + type virt_image_t; # customizable + virt_image(virt_image_t) ++files_mountpoint(virt_image_t) + + # virt Image files + type virt_content_t; # customizable virt_image(virt_content_t) userdom_user_home_content(virt_content_t) @@ -32544,7 +32763,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt type virt_var_run_t; files_pid_file(virt_var_run_t) -@@ -90,6 +94,11 @@ + + type virt_var_lib_t; + files_type(virt_var_lib_t) ++files_mountpoint(virt_var_lib_t) + + type virtd_t; + type virtd_exec_t; +@@ -90,6 +96,11 @@ type virtd_initrc_exec_t; init_script_file(virtd_initrc_exec_t) @@ -32556,7 +32782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -105,10 +114,6 @@ +@@ -105,10 +116,6 @@ allow svirt_t self:udp_socket create_socket_perms; @@ -32567,7 +32793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t) allow svirt_t svirt_image_t:dir search_dir_perms; -@@ -148,11 +153,13 @@ +@@ -148,11 +155,13 @@ tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(svirt_t) fs_manage_nfs_files(svirt_t) @@ -32581,7 +32807,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') tunable_policy(`virt_use_sysfs',` -@@ -161,6 +168,7 @@ +@@ -161,6 +170,7 @@ tunable_policy(`virt_use_usb',` dev_rw_usbfs(svirt_t) 
@@ -32589,7 +32815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
fs_manage_dos_dirs(svirt_t)
fs_manage_dos_files(svirt_t)
')
-@@ -179,22 +187,30 @@
+@@ -179,22 +189,30 @@
#
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
@@ -32623,7 +32849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -205,9 +221,15 @@
+@@ -205,9 +223,15 @@
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -32639,7 +32865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
-@@ -248,25 +270,41 @@
+@@ -248,25 +272,41 @@
dev_rw_kvm(virtd_t)
dev_getattr_all_chr_files(virtd_t)
dev_rw_mtrr(virtd_t)
@@ -32684,7 +32910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
mcs_process_set_categories(virtd_t)
-@@ -291,15 +329,22 @@
+@@ -291,15 +331,22 @@
logging_send_syslog_msg(virtd_t)
@@ -32707,7 +32933,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -370,6 +415,7 @@
+@@ -370,6 +417,7 @@
qemu_signal(virtd_t)
qemu_kill(virtd_t)
qemu_setsched(virtd_t)
@@ -32715,7 +32941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
')
optional_policy(`
-@@ -407,6 +453,19 @@
+@@ -407,6 +455,19 @@
allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
allow virt_domain self:tcp_socket create_stream_socket_perms;
@@ -32735,7 +32961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
append_files_pattern(virt_domain, virt_log_t, virt_log_t)
append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -427,6 +486,7 @@
+@@ -427,6 +488,7 @@
corenet_tcp_bind_virt_migration_port(virt_domain)
corenet_tcp_connect_virt_migration_port(virt_domain)
@@ -32743,7 +32969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -434,6 +494,7 @@
+@@ -434,6 +496,7 @@
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -32751,7 +32977,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
domain_use_interactive_fds(virt_domain)
-@@ -445,6 +506,11 @@
+@@ -445,6 +508,11 @@
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -32763,7 +32989,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt
term_use_all_terms(virt_domain)
term_getattr_pty_fs(virt_domain)
-@@ -462,8 +528,13 @@
+@@ -462,8 +530,13 @@
')
optional_policy(`
@@ -33546,7 +33772,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.7.19/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-07-19 13:20:20.524151390 +0200
++++ serefpolicy-3.7.19/policy/modules/services/xserver.te 2010-08-04 15:12:04.599085274 +0200
@@ -1,5 +1,5 @@
-policy_module(xserver, 3.3.2)
@@ -34034,7 +34260,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -447,14 +603,19 @@
+@@ -447,14 +603,21 @@
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -34046,6 +34272,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
term_setattr_unallocated_ttys(xdm_t)
+term_relabel_all_ttys(xdm_t)
+term_relabel_unallocated_ttys(xdm_t)
++
++application_signal(xdm_t)
auth_domtrans_pam_console(xdm_t)
auth_manage_pam_pid(xdm_t)
@@ -34054,7 +34282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
-@@ -465,10 +626,12 @@
+@@ -465,10 +628,12 @@
logging_read_generic_logs(xdm_t)
@@ -34069,7 +34297,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -477,6 +640,12 @@
+@@ -477,6 +642,12 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -34082,7 +34310,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xserver_rw_session(xdm_t, xdm_tmpfs_t)
xserver_unconfined(xdm_t)
-@@ -508,11 +677,17 @@
+@@ -508,11 +679,17 @@
')
optional_policy(`
@@ -34100,7 +34328,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -520,12 +695,51 @@
+@@ -520,12 +697,51 @@
')
optional_policy(`
@@ -34152,7 +34380,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
hostname_exec(xdm_t)
')
-@@ -543,20 +757,63 @@
+@@ -543,20 +759,63 @@
')
optional_policy(`
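Review bot: `application_signal(xdm_t)` lets the display manager deliver any signal-class signal (everything except the separately controlled sigkill, sigstop and sigchld) to every process in application_domain_type system-wide, whatever session or user it belongs to, and the hunk gives no reason for it. A comment above the line is needed, e.g. `# xdm signals session applications at logout - TODO confirm which app produced the AVC`. Note that `userdom_signal_all_users(xdm_t)`, visible in a later hunk of the same file on this page, already covers user domains, so check whether the intended target is really an application domain running outside a user context before keeping this broader grant. The xdm_t rule block this sits in begins and ends outside the hunk.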
@@ -34218,7 +34446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -565,7 +822,6 @@
+@@ -565,7 +824,6 @@
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
@@ -34226,7 +34454,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
-@@ -576,6 +832,10 @@
+@@ -576,6 +834,10 @@
')
optional_policy(`
@@ -34237,7 +34465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
xfs_stream_connect(xdm_t)
')
-@@ -600,10 +860,9 @@
+@@ -600,10 +862,9 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -34249,7 +34477,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
allow xserver_t self:sock_file read_sock_file_perms;
-@@ -615,6 +874,18 @@
+@@ -615,6 +876,18 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -34268,7 +34496,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -634,12 +905,19 @@
+@@ -634,12 +907,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -34290,7 +34518,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -673,7 +951,6 @@
+@@ -673,7 +953,6 @@
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -34298,7 +34526,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -683,9 +960,12 @@
+@@ -683,9 +962,12 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -34312,7 +34540,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
-@@ -700,8 +980,13 @@
+@@ -700,8 +982,13 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -34326,7 +34554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -723,11 +1008,14 @@
+@@ -723,11 +1010,14 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -34341,7 +34569,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -779,12 +1067,28 @@
+@@ -779,12 +1069,28 @@
')
optional_policy(`
@@ -34371,7 +34599,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
unconfined_domtrans(xserver_t)
')
-@@ -811,7 +1115,7 @@
+@@ -811,7 +1117,7 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
@@ -34380,7 +34608,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -832,9 +1136,14 @@
+@@ -832,9 +1138,14 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -34395,7 +34623,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
-@@ -849,11 +1158,14 @@
+@@ -849,11 +1160,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -34412,7 +34640,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
')
optional_policy(`
-@@ -999,3 +1311,33 @@
+@@ -999,3 +1313,33 @@
allow xserver_unconfined_type xextension_type:x_extension *;
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -34446,6 +34674,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+tunable_policy(`use_samba_home_dirs',`
+ fs_append_cifs_files(xdmhomewriter)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.if serefpolicy-3.7.19/policy/modules/system/application.if
+--- nsaserefpolicy/policy/modules/system/application.if 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/system/application.if 2010-08-04 15:09:32.261085029 +0200
+@@ -130,3 +130,21 @@
+
+ allow $1 application_domain_type:process signull;
+ ')
++
++#######################################
++##
++## Send signal to all application domains.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`application_signal',`
++ gen_require(`
++ attribute application_domain_type;
++ ')
++
++ allow $1 application_domain_type:process signal;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.7.19/policy/modules/system/application.te
--- nsaserefpolicy/policy/modules/system/application.te 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/system/application.te 2010-05-28 09:42:00.208611712 +0200
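Review bot: The summary of the new `application_signal` interface, `## Send signal to all application domains.`, should make clear that the `signal` permission it grants does not include sigkill or sigstop (those are distinct process-class permissions); a caller that picks this interface expecting to be able to kill a process will just get a denial. Suggest `## Send generic signals (not sigkill/sigstop) to all application domains.`. The body otherwise mirrors the `application_signull` interface directly above it, which is the right shape for this file.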
@@ -35649,7 +35902,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.7.19/policy/modules/system/ipsec.fc
--- nsaserefpolicy/policy/modules/system/ipsec.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/ipsec.fc 2010-06-16 22:14:29.964859861 +0200
++++ serefpolicy-3.7.19/policy/modules/system/ipsec.fc 2010-08-04 14:47:49.067094603 +0200
@@ -25,6 +25,7 @@
/usr/libexec/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
@@ -35658,6 +35911,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
/usr/local/lib(64)?/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0)
/usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+@@ -37,6 +38,8 @@
+
+ /var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0)
+
++/var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
++
+ /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
+
+ /var/run/pluto(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.7.19/policy/modules/system/ipsec.if
--- nsaserefpolicy/policy/modules/system/ipsec.if 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/system/ipsec.if 2010-07-01 15:59:17.968602268 +0200
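Review bot: The new `/var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)` entry only takes effect on a relabel (restorecon/setfiles); a lock file created at runtime by the ipsec init script inherits the parent directory's type unless ipsec.te also declares `ipsec_mgmt_lock_t` with `files_lock_file(ipsec_mgmt_lock_t)` and gives the creating domain, presumably ipsec_mgmt_t, a `files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)`. None of that is visible in this page, so please confirm it exists in the accompanying .te change. Without the transition the .fc label and the runtime label disagree, and the management script's own lock handling may be denied after the first restorecon.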
@@ -36055,6 +36317,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.
domain_use_interactive_fds(iscsid_t)
domain_dontaudit_read_all_domains_state(iscsid_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.te serefpolicy-3.7.19/policy/modules/system/kdump.te
+--- nsaserefpolicy/policy/modules/system/kdump.te 2010-04-13 20:44:37.000000000 +0200
++++ serefpolicy-3.7.19/policy/modules/system/kdump.te 2010-08-04 15:02:29.137102846 +0200
+@@ -30,6 +30,7 @@
+
+ kernel_read_system_state(kdump_t)
+ kernel_read_core_if(kdump_t)
++kernel_request_load_module(kdump_t)
+
+ dev_read_framebuffer(kdump_t)
+ dev_read_sysfs(kdump_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.19/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2010-04-13 20:44:37.000000000 +0200
+++ serefpolicy-3.7.19/policy/modules/system/libraries.fc 2010-07-23 13:50:23.212138972 +0200
@@ -38588,7 +38861,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.7.19/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.if 2010-06-15 18:40:03.064777332 +0200
++++ serefpolicy-3.7.19/policy/modules/system/sysnetwork.if 2010-08-04 14:40:49.949335299 +0200
@@ -60,25 +60,24 @@
netutils_run(dhcpc_t, $2)
netutils_run_ping(dhcpc_t, $2)
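Review bot: `kernel_request_load_module(kdump_t)` lets kdump trigger kernel module autoloading (the system module_request permission, as the interface name indicates); that is a sensitive grant, because the module name is chosen by whichever syscall kdump happens to make, and the hunk does not record which module it actually needs. Add a why-comment above the line, e.g. `# kdump triggers autoload of the dump-target filesystem/driver module - TODO confirm from the AVC`, so the next reviewer can judge whether pre-loading that module in the kdump initramfs would avoid giving the domain the capability at all. The kdump_t rule block continues outside the hunk.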
@@ -38733,7 +39006,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
#######################################
-@@ -464,6 +535,10 @@
+@@ -444,6 +515,7 @@
+ type dhcpc_var_run_t;
+ ')
+
++ files_rw_pid_dirs($1)
+ allow $1 dhcpc_var_run_t:file unlink;
+ ')
+
+@@ -464,6 +536,10 @@
corecmd_search_bin($1)
domtrans_pattern($1, ifconfig_exec_t, ifconfig_t)
@@ -38744,7 +39025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
########################################
-@@ -677,7 +752,10 @@
+@@ -677,7 +753,10 @@
corenet_tcp_connect_ldap_port($1)
corenet_sendrecv_ldap_client_packets($1)
@@ -38756,7 +39037,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
')
########################################
-@@ -709,5 +787,52 @@
+@@ -709,5 +788,52 @@
corenet_tcp_connect_portmap_port($1)
corenet_sendrecv_portmap_client_packets($1)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 45c1ce1..9d53773 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.19
-Release: 42%{?dist}
+Release: 43%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,13 @@ exit 0
%endif
%changelog
+* Wed Aug 4 2010 Miroslav Grepl 3.7.19-43
+- Allow ncftool to run brctl
+- Fixes for ricci-modclusterd policy
+- Allow uucpd to execute ssh client
+- Add label for dayplanner
+- Allow sandbox_xserver execstack
+
* Mon Aug 2 2010 Miroslav Grepl 3.7.19-42
- Allow kdump to read information from the debugging filesystem
- Update boinc policy
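Review bot: `files_rw_pid_dirs($1)` grants read/write directory permissions on every var_run_t directory, which, if that interface expands to rw_dir_perms as usual, includes add_name, so the caller can now create arbitrary entries directly under /var/run; that is far more than the `allow $1 dhcpc_var_run_t:file unlink;` two lines below needs, since unlinking requires only search and remove_name on the parent directory. The interface's name and the opening of its gen_require are outside the hunk, so I cannot see which callers inherit this widened grant. Add a comment above the line such as `# unlink of the pid file needs remove_name on /var/run` and, if a files_ interface exists that grants only search and remove_name on pid directories, prefer it over the full rw grant.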