diff --git a/policy-20070703.patch b/policy-20070703.patch index 6123c15..25cb8ec 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -9924,8 +9924,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.0.8/policy/modules/services/dbus.te --- nsaserefpolicy/policy/modules/services/dbus.te 2008-06-12 23:37:57.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/dbus.te 2008-06-12 23:37:59.000000000 -0400 -@@ -20,9 +20,25 @@ ++++ serefpolicy-3.0.8/policy/modules/services/dbus.te 2008-09-23 15:30:42.000000000 -0400 +@@ -9,7 +9,8 @@ + # + # Delcarations + # +- ++attribute dbusd_unconfined; ++ + type dbusd_etc_t alias etc_dbusd_t; + files_type(dbusd_etc_t) + +@@ -20,9 +21,25 @@ type system_dbusd_tmp_t; files_tmp_file(system_dbusd_tmp_t) @@ -9951,7 +9961,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ############################## # # Local policy -@@ -32,7 +48,7 @@ +@@ -32,7 +49,7 @@ # cjp: dac_override should probably go in a distro_debian allow system_dbusd_t self:capability { dac_override setgid setpcap setuid }; dontaudit system_dbusd_t self:capability sys_tty_config; @@ -9960,7 +9970,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus allow system_dbusd_t self:fifo_file { read write }; allow system_dbusd_t self:dbus { send_msg acquire_svc }; allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto }; -@@ -40,6 +56,8 @@ +@@ -40,6 +57,8 @@ # Receive notifications of policy reloads and enforcing status changes. allow system_dbusd_t self:netlink_selinux_socket { create bind read }; 
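Review bot: The new `attribute dbusd_unconfined;` in the dbus.te declarations block has no comment saying what membership grants or where it is assigned, and none of the dbus.te hunks in this patch attach a domain to it or use it in a rule. An attribute whose name says it exempts domains from bus restrictions is exactly what the next maintainer will grep for, so I would put `# Domains exempt from system bus restrictions; assigned via dbus.if` above it, adjusted to wherever the attribute is actually consumed. If it is used only in dbus.if or in another module, a pointer to that file is enough.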
@@ -9969,7 +9979,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus allow system_dbusd_t dbusd_etc_t:dir list_dir_perms; read_files_pattern(system_dbusd_t,dbusd_etc_t,dbusd_etc_t) read_lnk_files_pattern(system_dbusd_t,dbusd_etc_t,dbusd_etc_t) -@@ -48,6 +66,8 @@ +@@ -48,6 +67,8 @@ manage_files_pattern(system_dbusd_t,system_dbusd_tmp_t,system_dbusd_tmp_t) files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir }) @@ -9978,7 +9988,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus manage_files_pattern(system_dbusd_t,system_dbusd_var_run_t,system_dbusd_var_run_t) manage_sock_files_pattern(system_dbusd_t,system_dbusd_var_run_t,system_dbusd_var_run_t) files_pid_filetrans(system_dbusd_t,system_dbusd_var_run_t,file) -@@ -60,6 +80,8 @@ +@@ -60,6 +81,8 @@ fs_getattr_all_fs(system_dbusd_t) fs_search_auto_mountpoints(system_dbusd_t) @@ -9987,16 +9997,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus selinux_get_fs_mount(system_dbusd_t) selinux_validate_context(system_dbusd_t) -@@ -86,6 +108,8 @@ +@@ -76,7 +99,6 @@ + corecmd_list_bin(system_dbusd_t) + corecmd_read_bin_pipes(system_dbusd_t) + corecmd_read_bin_sockets(system_dbusd_t) +-corecmd_exec_bin(system_dbusd_t) + + domain_use_interactive_fds(system_dbusd_t) + +@@ -86,6 +108,9 @@ init_use_fds(system_dbusd_t) init_use_script_ptys(system_dbusd_t) +init_dbus_chat_script(system_dbusd_t) +init_bin_domtrans_spec(system_dbusd_t) ++init_domtrans_script(system_dbusd_t) libs_use_ld_so(system_dbusd_t) libs_use_shared_libs(system_dbusd_t) -@@ -116,9 +140,26 @@ +@@ -116,9 +141,26 @@ ') optional_policy(` @@ -10004,7 +10023,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus +') + +optional_policy(` -+ networkmanager_init_script_domtrans_spec(system_dbusd_t) ++ networkmanager_script_domtrans(system_dbusd_t) +') + +optional_policy(` 
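Review bot: `init_domtrans_script(system_dbusd_t)` gives the system bus daemon a transition into the init-script domain, next to the `init_bin_domtrans_spec` already in the hunk, and the `corecmd_exec_bin` removal just above suggests helpers that used to run inside system_dbusd_t now run elsewhere. The system bus is reachable by every local user, so a rule that lets it launch init scripts in a far more privileged domain needs a why-comment naming the activation case, e.g. `# bus activation of services whose .service file execs an init script` if that is the reason. It is also worth confirming that only root-owned activation files under the bus configuration can reach that transition, since an unprivileged sender able to drop its own .service file would turn it into an escalation; the bus configuration is not visible from here. The dbus.te local-policy block runs past both ends of this hunk.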
@@ -12773,25 +12792,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.0.8/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2008-06-12 23:37:57.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.fc 2008-07-24 14:08:47.000000000 -0400 -@@ -1,7 +1,13 @@ ++++ serefpolicy-3.0.8/policy/modules/services/networkmanager.fc 2008-09-23 15:25:05.000000000 -0400 +@@ -1,7 +1,16 @@ ++/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_script_exec_t,s0) ++ ++/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) ++ /usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) /usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) ++ ++/var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) /var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant(/.*)? 
gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) -+ -+/var/log/wpa_supplicant\.log.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) -+/etc/NetworkManager/dispatcher.d(/.*) gen_context(system_u:object_r:NetworkManager_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.0.8/policy/modules/services/networkmanager.if --- nsaserefpolicy/policy/modules/services/networkmanager.if 2008-06-12 23:37:57.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.if 2008-07-24 14:08:32.000000000 -0400 -@@ -97,3 +97,59 @@ ++++ serefpolicy-3.0.8/policy/modules/services/networkmanager.if 2008-09-23 15:25:58.000000000 -0400 +@@ -74,7 +74,7 @@ + ') + + corecmd_search_bin($1) +- domtrans_pattern($1,NetworkManager_exec_t,NetworkManager_t) ++ domtrans_pattern($1, NetworkManager_exec_t, NetworkManager_t) + ') + + ######################################## +@@ -97,3 +97,58 @@ allow $1 NetworkManager_t:dbus send_msg; allow NetworkManager_t $1:dbus send_msg; ') @@ -12824,7 +12855,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw +## +## +# -+interface(`networkmanager_init_script_domtrans_spec',` ++interface(`networkmanager_script_domtrans',` + gen_require(` + type NetworkManager_script_exec_t; + ') @@ -12832,7 +12863,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw + init_script_domtrans_spec($1, NetworkManager_script_exec_t) +') + -+ +######################################## +## +## Read NetworkManager PID files. 
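Review bot: The new `/etc/NetworkManager/dispatcher\.d(/.*)` entry lacks the trailing `?` that the file's other directory patterns use (`/var/run/NetworkManager(/.*)?`, `/var/run/wpa_supplicant(/.*)?`), so the directory itself is not matched and keeps whatever label its parent gives it; if that is intentional because only the scripts should be NetworkManager_script_exec_t, a one-line comment above it will stop someone "fixing" it later. The replacement `/var/log/wpa_supplicant.* --` is looser than the `/var/log/wpa_supplicant\.log.*` it replaces, because the unescaped dot matches any character; `/var/log/wpa_supplicant\.log.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)` keeps the old precision. Since the `networkmanager_script_domtrans` interface added in the same hunk runs anything typed NetworkManager_script_exec_t through `init_script_domtrans_spec`, every file under dispatcher.d is a privileged entry point for its callers, which is a reason to keep both patterns tight and to say in the interface doc that callers are effectively executing init scripts.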
@@ -12853,47 +12883,62 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.0.8/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-06-12 23:37:57.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te 2008-08-11 15:45:47.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te 2008-09-23 16:05:47.000000000 -0400 
@@ -1,5 +1,5 @@ -policy_module(networkmanager,1.7.1) -+policy_module(networkmanager,1.9.0) ++policy_module(networkmanager, 1.10.2) ######################################## # -@@ -13,6 +13,13 @@ - type NetworkManager_var_run_t; - files_pid_file(NetworkManager_var_run_t) +@@ -8,7 +8,16 @@ + type NetworkManager_t; + type NetworkManager_exec_t; +-init_daemon_domain(NetworkManager_t,NetworkManager_exec_t) ++init_daemon_domain(NetworkManager_t, NetworkManager_exec_t) ++ +type NetworkManager_log_t; +logging_log_file(NetworkManager_log_t) + +type NetworkManager_script_exec_t; +init_script_type(NetworkManager_script_exec_t) -+init_script_domtrans_spec(NetworkManager_t, NetworkManager_script_exec_t) + - ######################################## - # - # Local policy -@@ -20,9 +27,9 @@ ++type NetworkManager_tmp_t; ++files_tmp_file(NetworkManager_tmp_t) + + type NetworkManager_var_run_t; + files_pid_file(NetworkManager_var_run_t) +@@ -20,9 +29,9 @@ # networkmanager will ptrace itself if gdb is installed # and it receives a unexpected signal (rh bug #204161) -allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock }; -+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock }; ++allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock }; dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace }; -allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms }; +allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms }; allow NetworkManager_t self:fifo_file rw_fifo_file_perms; allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms }; allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms; -@@ -38,10 +45,14 @@ - 
manage_sock_files_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t) - files_pid_filetrans(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file }) +@@ -33,15 +42,22 @@ -+manage_files_pattern(NetworkManager_t,NetworkManager_log_t,NetworkManager_log_t) -+logging_log_filetrans(NetworkManager_t,NetworkManager_log_t, file) + can_exec(NetworkManager_t, NetworkManager_exec_t) + +-manage_dirs_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t) +-manage_files_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t) +-manage_sock_files_pattern(NetworkManager_t,NetworkManager_var_run_t,NetworkManager_var_run_t) ++manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) ++logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) ++ ++manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) ++files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, sock_file) + ++manage_dirs_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) ++manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) ++manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) + files_pid_filetrans(NetworkManager_t,NetworkManager_var_run_t, { dir file sock_file }) + kernel_read_system_state(NetworkManager_t) kernel_read_network_state(NetworkManager_t) kernel_read_kernel_sysctls(NetworkManager_t) @@ -12902,7 +12947,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw corenet_all_recvfrom_unlabeled(NetworkManager_t) corenet_all_recvfrom_netlabel(NetworkManager_t) -@@ -64,9 +75,11 @@ +@@ -64,9 +80,11 @@ dev_read_sysfs(NetworkManager_t) dev_read_rand(NetworkManager_t) dev_read_urand(NetworkManager_t) 
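Review bot: `sys_admin` is added to the `allow NetworkManager_t self:capability { ... }` line with no justification, while the comment two lines above documents exactly why `ptrace` is tolerated (rh bug #204161). sys_admin is the broadest capability in the kernel (mounts, privileged ioctls, namespace and device operations), so this one token grants most of what DAC root can do; the review would want the failing operation named, e.g. `# sys_admin: <syscall/AVC that required it>` beside the allow, or a `dontaudit` if it is only probed. The same question, at much lower stakes, applies to the new `getcap`/`setsched` process permissions. The new `NetworkManager_tmp_t` is managed only as sock files with a sock_file-only `files_tmp_filetrans`, which reads as deliberate but is worth a word, and the module version jumps from 1.9.0 to 1.10.2 in the same hunk.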
@@ -12914,14 +12959,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw mls_file_read_all_levels(NetworkManager_t) -@@ -82,10 +95,16 @@ - files_read_etc_files(NetworkManager_t) +@@ -83,9 +101,14 @@ files_read_etc_runtime_files(NetworkManager_t) files_read_usr_files(NetworkManager_t) -+files_list_tmp(NetworkManager_t) -+ -+storage_getattr_fixed_disk_dev(NetworkManager_t) ++storage_getattr_fixed_disk_dev(NetworkManager_t) ++ init_read_utmp(NetworkManager_t) +init_dontaudit_write_utmp(NetworkManager_t) init_domtrans_script(NetworkManager_t) @@ -12931,17 +12974,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw libs_use_ld_so(NetworkManager_t) libs_use_shared_libs(NetworkManager_t) -@@ -113,6 +132,9 @@ +@@ -109,10 +132,14 @@ + sysnet_etc_filetrans_config(NetworkManager_t) + + userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t) +-userdom_dontaudit_search_sysadm_home_dirs(NetworkManager_t) userdom_dontaudit_use_unpriv_users_ttys(NetworkManager_t) # Read gnome-keyring userdom_read_unpriv_users_home_content_files(NetworkManager_t) +userdom_unpriv_users_stream_connect(NetworkManager_t) + ++userdom_dontaudit_search_sysadm_home_dirs(NetworkManager_t) ++ +cron_read_system_job_lib_files(NetworkManager_t) optional_policy(` bind_domtrans(NetworkManager_t) -@@ -129,28 +151,22 @@ +@@ -129,28 +156,26 @@ ') optional_policy(` @@ -12954,12 +13003,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw - dbus_system_bus_client_template(NetworkManager,NetworkManager_t) - dbus_connect_system_bus(NetworkManager_t) - dbus_send_system_bus(NetworkManager_t) -+ dbus_system_domain(NetworkManager_t,NetworkManager_exec_t) ++ dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) ') optional_policy(` - howl_signal(NetworkManager_t) -+ hal_dontaudit_list_lib_dirs(NetworkManager_t) + hal_write_log(NetworkManager_t) ') 
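Review bot: `cron_read_system_job_lib_files(NetworkManager_t)` is called at top level rather than inside an optional_policy block, unlike every other cross-module interface in this hunk (`bind_domtrans`, `dbus_system_domain`, `hal_write_log`), so the networkmanager module fails to build when the cron module is not loaded. Wrapping it in optional_policy like the surrounding calls keeps both the file's convention and the build. A comment on which system job files NetworkManager needs to read would also help, since a network daemon reading cron's job library is not an obvious requirement. The `userdom_dontaudit_search_sysadm_home_dirs` removal and re-add lower down is a pure reorder.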
@@ -12970,35 +13018,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw optional_policy(` - nscd_socket_use(NetworkManager_t) ++ nscd_domtrans(NetworkManager_t) nscd_signal(NetworkManager_t) + nscd_script_domtrans(NetworkManager_t) -+ nscd_domtrans(NetworkManager_t) - ') - - optional_policy(` -@@ -162,19 +178,21 @@ - ppp_domtrans(NetworkManager_t) - ppp_read_pid_files(NetworkManager_t) - ppp_signal(NetworkManager_t) -+ ppp_signull(NetworkManager_t) -+ ppp_read_config(NetworkManager_t) - ') - - optional_policy(` -- seutil_sigchld_newrole(NetworkManager_t) ++') ++ ++optional_policy(` + # Dispatcher starting and stoping ntp + ntp_script_domtrans(NetworkManager_t) ') optional_policy(` -- udev_read_db(NetworkManager_t) -+ seutil_sigchld_newrole(NetworkManager_t) +@@ -159,9 +184,17 @@ ') optional_policy(` -- # Read gnome-keyring -- unconfined_read_home_content_files(NetworkManager_t) -+ udev_read_db(NetworkManager_t) +- ppp_domtrans(NetworkManager_t) ++ ppp_script_domtrans(NetworkManager_t) + ppp_read_pid_files(NetworkManager_t) + ppp_signal(NetworkManager_t) ++ ppp_signull(NetworkManager_t) ++ ppp_read_config(NetworkManager_t) ++') ++ ++optional_policy(` ++ rpm_exec(NetworkManager_t) ++ rpm_read_db(NetworkManager_t) ++ rpm_dontaudit_manage_db(NetworkManager_t) ') optional_policy(` @@ -14393,7 +14439,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. # Fix pptp sockets diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.0.8/policy/modules/services/ppp.if --- nsaserefpolicy/policy/modules/services/ppp.if 2008-06-12 23:37:57.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/ppp.if 2008-08-11 15:46:05.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/ppp.if 2008-09-23 15:56:03.000000000 -0400 @@ -76,6 +76,24 @@ ######################################## 
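Review bot: `rpm_exec(NetworkManager_t)` runs rpm inside NetworkManager_t instead of transitioning to the rpm domain (if rpm_exec is the usual can_exec wrapper), and together with `rpm_read_db` and `rpm_dontaudit_manage_db` it implies NetworkManager, or a dispatcher script it runs, is now querying the package database from the daemon's own domain. A comment naming the caller and the query would explain the intent, e.g. `# dispatcher scripts query installed packages with rpm -q`, if that is what happens; if the need is only to ask what is installed, a domain transition would be narrower than executing rpm in-domain. The `nscd_domtrans`, `nscd_script_domtrans`, `ntp_script_domtrans` and `ppp_script_domtrans` additions all follow the same restart-a-service-from-the-dispatcher pattern and are consistent with each other.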
@@ -14419,7 +14465,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. ## Execute domain in the ppp domain. ## ## -@@ -159,6 +177,25 @@ +@@ -102,6 +120,16 @@ + ## Domain allowed access. + ## + ## ++## ++## ++## The role to allow the ppp domain. ++## ++## ++## ++## ++## The type of the terminal allow the ppp domain to use. ++## ++## + ## + # + interface(`ppp_run_cond',` +@@ -126,6 +154,16 @@ + ## Domain allowed access. + ## + ## ++## ++## ++## The role to allow the ppp domain. ++## ++## ++## ++## ++## The type of the terminal allow the ppp domain to use. ++## ++## + ## + # + interface(`ppp_run',` +@@ -159,6 +197,25 @@ ######################################## ## @@ -14445,9 +14525,41 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. ## Read PPP-writable configuration files. ## ## +@@ -248,5 +305,23 @@ + type pppd_var_run_t; + ') + +- files_pid_filetrans($1,pppd_var_run_t,file) ++ files_pid_filetrans($1, pppd_var_run_t, file) ++') ++ ++######################################## ++## ++## Execute ppp server in the ntpd domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`ppp_script_domtrans',` ++ gen_require(` ++ type pppd_script_exec_t; ++ ') ++ ++ init_script_domtrans_spec($1, pppd_script_exec_t) + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.0.8/policy/modules/services/ppp.te --- nsaserefpolicy/policy/modules/services/ppp.te 2008-06-12 23:37:57.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/ppp.te 2008-08-11 16:47:54.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/ppp.te 2008-09-23 16:00:30.000000000 -0400 +@@ -1,5 +1,5 @@ + +-policy_module(ppp,1.5.0) ++policy_module(ppp,1.6.1) + + ######################################## + # @@ -71,7 +71,7 @@ # PPPD Local policy # 
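Review bot: The new `ppp_script_domtrans` interface is documented as `## Execute ppp server in the ntpd domain.`, a copy-paste that describes neither ppp nor what the body does; `## Execute the ppp init script in the init script domain.` matches the `init_script_domtrans_spec($1, pppd_script_exec_t)` call. Its parameter text `The type of the process performing this action.` also departs from the `Domain allowed access.` wording used by the rest of ppp.if. Separately, the interface requires `pppd_script_exec_t`, but none of the ppp.te or ppp.fc hunks in this patch declare or label that type, so unless it is declared elsewhere the gen_require fails at build time. The doc blocks added to `ppp_run_cond` and `ppp_run` earlier in the hunk look right.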
@@ -14466,7 +14578,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. kernel_read_network_state(pppd_t) kernel_load_module(pppd_t) -@@ -197,11 +197,7 @@ +@@ -162,6 +162,8 @@ + init_read_utmp(pppd_t) + init_dontaudit_write_utmp(pppd_t) + ++auth_use_nsswitch(pppd_t) ++ + libs_use_ld_so(pppd_t) + libs_use_shared_libs(pppd_t) + +@@ -174,10 +176,9 @@ + sysnet_etc_filetrans_config(pppd_t) + + userdom_dontaudit_use_unpriv_user_fds(pppd_t) +-userdom_dontaudit_search_sysadm_home_dirs(pppd_t) + # for ~/.ppprc - if it actually exists then you need some policy to read it + #allow pppd_t { sysadm_home_dir_t home_root_t user_home_dir_type }:dir search; +-userdom_search_sysadm_home_dirs(pppd_t) ++userdom_dontaudit_search_sysadm_home_dirs(pppd_t) + userdom_search_unpriv_users_home_dirs(pppd_t) + + ppp_exec(pppd_t) +@@ -194,14 +195,12 @@ + + optional_policy(` + mta_send_mail(pppd_t) ++ mta_mailcontent(pppd_etc_t) ++ mta_mailcontent(pppd_etc_rw_t) ') optional_policy(` 
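Review bot: `mta_mailcontent(pppd_etc_t)` and `mta_mailcontent(pppd_etc_rw_t)` expose pppd's configuration types to the mail agents (if mta_mailcontent attaches the mailcontent attribute as in refpolicy), presumably so the `mta_send_mail` call just above can mail a config or log; a comment saying which file pppd mails would help, and it is worth confirming that no CHAP/PAP secret file carries either type in this policy rather than a dedicated secret type. The switch from `userdom_search_sysadm_home_dirs(pppd_t)` to `userdom_dontaudit_search_sysadm_home_dirs(pppd_t)` tightens pppd_t and is the right direction; the `~/.ppprc` comment beside it remains accurate. `auth_use_nsswitch(pppd_t)` is unconditional, which is fine for a base interface.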
@@ -14479,14 +14617,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. ') optional_policy(` -@@ -221,6 +217,7 @@ +@@ -221,8 +220,9 @@ # PPTP Local policy # -+allow pptp_t self:process signal; - dontaudit pptp_t self:capability sys_tty_config; +-dontaudit pptp_t self:capability sys_tty_config; allow pptp_t self:capability net_raw; ++dontaudit pptp_t self:capability sys_tty_config; ++allow pptp_t self:process signal; allow pptp_t self:fifo_file { read write }; + allow pptp_t self:unix_dgram_socket create_socket_perms; + allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms }; +@@ -292,6 +292,14 @@ + ') + + optional_policy(` ++ dbus_system_domain(pppd_t,pppd_exec_t) ++ ++ optional_policy(` ++ networkmanager_dbus_chat(pppd_t) ++ ') ++') ++ ++optional_policy(` + hostname_exec(pptp_t) + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.fc serefpolicy-3.0.8/policy/modules/services/prelude.fc --- nsaserefpolicy/policy/modules/services/prelude.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.0.8/policy/modules/services/prelude.fc 2008-06-12 23:37:59.000000000 -0400 
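Review bot: The new `dbus_system_domain(pppd_t,pppd_exec_t)` block lands around ppp.te line 292, which from the `# PPTP Local policy` header in the earlier hunk appears to be the pptp section rather than the pppd one; moving it up beside the pppd `mta_send_mail` optional_policy would keep the sections coherent. A one-line comment on why pppd needs a system-bus identity (driven by NetworkManager, judging by the nested `networkmanager_dbus_chat(pppd_t)`) would also help the next reader. The `dontaudit`/`allow` reorder is behavior-neutral; the only new permission in the pptp block is `allow pptp_t self:process signal;`.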
@@ -17141,15 +17297,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.0.8/policy/modules/services/spamassassin.fc --- nsaserefpolicy/policy/modules/services/spamassassin.fc 2008-06-12 23:37:57.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/spamassassin.fc 2008-06-12 23:37:58.000000000 -0400 -@@ -11,6 +11,7 @@ ++++ serefpolicy-3.0.8/policy/modules/services/spamassassin.fc 2008-09-09 08:19:50.000000000 -0400 +@@ -6,11 +6,18 @@ + /usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) + + /usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0) ++/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamd_exec_t,s0) ++/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0) + + /var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0) ++/var/log/spamd\.log -- gen_context(system_u:object_r:spamd_log_t,s0) ++/var/log/mimedefang -- gen_context(system_u:object_r:spamd_log_t,s0) ++ /var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) /var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) +- +/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) - /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) ++/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) ++/var/spool/MIMEDefang(/.*)? 
gen_context(system_u:object_r:spamd_spool_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.0.8/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2008-06-12 23:37:57.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/spamassassin.if 2008-06-12 23:37:59.000000000 -0400 @@ -17267,8 +17435,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.0.8/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2008-06-12 23:37:57.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/spamassassin.te 2008-06-12 23:37:58.000000000 -0400 -@@ -53,7 +53,7 @@ ++++ serefpolicy-3.0.8/policy/modules/services/spamassassin.te 2008-09-09 08:22:51.000000000 -0400 +@@ -31,6 +31,9 @@ + type spamd_spool_t; + files_type(spamd_spool_t) + ++type spamd_log_t; ++logging_log_file(spamd_log_t) ++ + type spamd_tmp_t; + files_tmp_file(spamd_tmp_t) + +@@ -53,7 +56,7 @@ # setuids to the user running spamc. Comment this if you are not # using this ability. 
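Review bot: Labeling `/usr/bin/mimedefang-multiplexor` and `/usr/sbin/spamass-milter` as `spamd_exec_t` runs both in spamd_t, so they inherit everything spamd_t may do, including the capabilities the `spamd_t self:capability` line in spamassassin.te is commented as needing to setuid to the spamc user, and a compromise of either binary carries the other's privileges; a comment in the .fc saying this sharing is deliberate would help, or a dedicated domain if the set keeps growing. `/var/log/mimedefang -- gen_context(system_u:object_r:spamd_log_t,s0)` matches only a regular file; if mimedefang logs into a directory of that name the directory stays at the default log label and spamd_t will be denied, so confirm the shape. The new `/var/log/spamd\.log` entry relies on the spamd_log_t type and rules added later in this patch, which is fine as long as both hunks ship together.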
@@ -17277,7 +17455,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam dontaudit spamd_t self:capability sys_tty_config; allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamd_t self:fd use; -@@ -81,11 +81,12 @@ +@@ -69,10 +72,13 @@ + allow spamd_t self:unix_stream_socket connectto; + allow spamd_t self:tcp_socket create_stream_socket_perms; + allow spamd_t self:udp_socket create_socket_perms; +-allow spamd_t self:netlink_route_socket r_netlink_socket_perms; ++ ++manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t) ++logging_log_filetrans(spamd_t, spamd_log_t, file) + + manage_dirs_pattern(spamd_t,spamd_spool_t,spamd_spool_t) + manage_files_pattern(spamd_t,spamd_spool_t,spamd_spool_t) ++manage_sock_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t) + files_spool_filetrans(spamd_t,spamd_spool_t, { file dir }) + + manage_dirs_pattern(spamd_t,spamd_tmp_t,spamd_tmp_t) +@@ -81,11 +87,12 @@ # var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; @@ -17292,7 +17485,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam kernel_read_all_sysctls(spamd_t) kernel_read_system_state(spamd_t) -@@ -150,10 +151,12 @@ +@@ -134,6 +141,8 @@ + + init_dontaudit_rw_utmp(spamd_t) + ++auth_use_nsswitch(spamd_t) ++ + libs_use_ld_so(spamd_t) + libs_use_shared_libs(spamd_t) + +@@ -141,19 +150,17 @@ + + miscfiles_read_localization(spamd_t) + +-sysnet_read_config(spamd_t) +-sysnet_use_ldap(spamd_t) +-sysnet_dns_name_resolve(spamd_t) +- + userdom_use_unpriv_users_fds(spamd_t) + userdom_search_unpriv_users_home_dirs(spamd_t) userdom_dontaudit_search_sysadm_home_dirs(spamd_t) tunable_policy(`use_nfs_home_dirs',` @@ -17305,7 +17516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam fs_manage_cifs_files(spamd_t) ') -@@ -171,6 +174,7 @@ +@@ -171,6 +178,7 @@ optional_policy(` dcc_domtrans_client(spamd_t) 
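Review bot: The hunk drops `allow spamd_t self:netlink_route_socket r_netlink_socket_perms;`, `sysnet_read_config`, `sysnet_use_ldap` and `sysnet_dns_name_resolve` in favour of `auth_use_nsswitch(spamd_t)`, which is the right consolidation only if serefpolicy 3.0.8's `auth_use_nsswitch` actually covers all four, the LDAP client access and the route netlink socket in particular; checking system/authlogin.if once is cheaper than finding it as a denial on an LDAP-backed mail host. `manage_sock_files_pattern(spamd_t, spamd_spool_t, spamd_spool_t)` is not matched by the existing `files_spool_filetrans(spamd_t,spamd_spool_t, { file dir })`, so a socket created directly under /var/spool would get the generic spool type; if that ever happens, `files_spool_filetrans(spamd_t, spamd_spool_t, { file dir sock_file })`. The `spamd_log_t` manage and `logging_log_filetrans` rules are what the new `/var/log/spamd\.log` file context needs.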
@@ -17313,6 +17524,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spam dcc_stream_connect_dccifd(spamd_t) ') +@@ -180,10 +188,6 @@ + ') + + optional_policy(` +- nis_use_ypbind(spamd_t) +-') +- +-optional_policy(` + postfix_read_config(spamd_t) + ') + @@ -212,3 +216,30 @@ optional_policy(` udev_read_db(spamd_t) @@ -23598,7 +23820,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-06-12 23:37:57.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2008-07-02 17:13:24.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2008-09-23 15:36:50.000000000 -0400 @@ -29,8 +29,9 @@ ') diff --git a/selinux-policy.spec b/selinux-policy.spec index ddbfc26..b9f92af 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.8 -Release: 115%{?dist} +Release: 116%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -381,6 +381,9 @@ exit 0 %endif %changelog +* Tue Sep 9 2008 Dan Walsh 3.0.8-116 +- add mimedefang to spamd + * Tue Aug 26 2008 Dan Walsh 3.0.8-115 - Remove definition for /var/run/mod_fcgid(/.*)?