diff --git a/policy-20100106.patch b/policy-20100106.patch
index 816aab0..b1ecaa3 100644
--- a/policy-20100106.patch
+++ b/policy-20100106.patch
@@ -1,3 +1,75 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.fc serefpolicy-3.6.32/policy/modules/admin/dmesg.fc
+--- nsaserefpolicy/policy/modules/admin/dmesg.fc 2010-01-18 18:24:22.545542516 +0100
++++ serefpolicy-3.6.32/policy/modules/admin/dmesg.fc 2010-02-03 20:56:22.897834567 +0100
+@@ -1,4 +1,3 @@
+
+ /bin/dmesg -- gen_context(system_u:object_r:dmesg_exec_t,s0)
+
+-/usr/sbin/mcelog -- gen_context(system_u:object_r:dmesg_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.fc serefpolicy-3.6.32/policy/modules/admin/mcelog.fc
+--- nsaserefpolicy/policy/modules/admin/mcelog.fc 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/admin/mcelog.fc 2010-02-03 17:54:52.841394806 +0100
+@@ -0,0 +1,2 @@
++
++/usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.if serefpolicy-3.6.32/policy/modules/admin/mcelog.if
+--- nsaserefpolicy/policy/modules/admin/mcelog.if 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/admin/mcelog.if 2010-02-03 17:55:31.442144688 +0100
+@@ -0,0 +1,20 @@
++
++## policy for mcelog
++
++########################################
++##
++## Execute a domain transition to run mcelog.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`mcelog_domtrans',`
++ gen_require(`
++ type mcelog_t, mcelog_exec_t;
++ ')
++
++ domtrans_pattern($1, mcelog_exec_t, mcelog_t)
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mcelog.te serefpolicy-3.6.32/policy/modules/admin/mcelog.te
+--- nsaserefpolicy/policy/modules/admin/mcelog.te 1970-01-01 01:00:00.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/admin/mcelog.te 2010-02-03 17:55:20.114145133 +0100
+@@ -0,0 +1,30 @@
++
++policy_module(mcelog,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type mcelog_t;
++type mcelog_exec_t;
++application_domain(mcelog_t, mcelog_exec_t)
++cron_system_entry(mcelog_t, mcelog_exec_t)
++
++permissive mcelog_t;
++
++########################################
++#
++# mcelog local policy
++#
++
++kernel_read_system_state(mcelog_t)
++
++dev_read_raw_memory(mcelog_t)
++dev_read_kmsg(mcelog_t)
++
++files_read_etc_files(mcelog_t)
++
++miscfiles_read_localization(mcelog_t)
++
++logging_send_syslog_msg(mcelog_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.32/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2010-01-18 18:24:22.564530406 +0100
+++ serefpolicy-3.6.32/policy/modules/admin/prelink.te 2010-02-01 20:30:49.318160848 +0100
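Review bot: `permissive mcelog_t;` in the new mcelog.te leaves the whole domain unenforced, so the rules under "mcelog local policy" restrict nothing yet, including `dev_read_raw_memory(mcelog_t)`. The same patch removes `/usr/sbin/mcelog` from `dmesg_exec_t` in dmesg.fc, so if dmesg_t is enforcing (not visible here), mcelog is less confined until the permissive line is dropped. I would put a comment directly above it, for example `# FIXME: permissive only while AVCs are collected; remove before the module is considered done`. Once the domain is enforcing, it is also worth rechecking that raw-memory read is really needed, since it is the broadest grant in the module.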
@@ -100,8 +172,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.32/policy/modules/apps/gnome.fc
--- nsaserefpolicy/policy/modules/apps/gnome.fc 2010-01-18 18:24:22.594539949 +0100
-+++ serefpolicy-3.6.32/policy/modules/apps/gnome.fc 2010-01-21 18:31:02.867611919 +0100
-@@ -3,6 +3,14 @@
++++ serefpolicy-3.6.32/policy/modules/apps/gnome.fc 2010-02-03 10:39:06.085145272 +0100
+@@ -3,6 +3,15 @@
HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
@@ -113,19 +185,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/root/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
+/root/\.pulse(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+/root/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
++/root/\.Xdefaults -- gen_context(system_u:object_r:gnome_home_t,s0)
/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.32/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if 2010-01-18 18:24:22.595534558 +0100
-+++ serefpolicy-3.6.32/policy/modules/apps/gnome.if 2010-02-02 15:10:12.321068500 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/gnome.if 2010-02-03 22:59:15.907072357 +0100
@@ -72,6 +72,24 @@
domtrans_pattern($1, gconfd_exec_t, gconfd_t)
')
+#######################################
+##
-+## Dontaudit search gnome homedir content (.config)
++## Dontaudit search gnome homedir content
+##
+##
+##
@@ -190,7 +263,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+#######################################
+##
-+## Read gnome homedir content (.config)
++## Read gnome homedir content
+##
+##
+##
@@ -200,10 +273,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+#
+template(`gnome_list_home_config',`
+ gen_require(`
-+ type config_home_t;
++ type gnome_home_t;
+ ')
+
-+ allow $1 config_home_t:dir list_dir_perms;
++ allow $1 gnome_home_t:dir list_dir_perms;
+')
+
########################################
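Review bot: After the switch from `config_home_t` to `gnome_home_t`, the interface name `gnome_list_home_config` and the summary that appears to belong to it ("Read gnome homedir content", one hunk up) no longer describe the rule. `allow $1 gnome_home_t:dir list_dir_perms;` only lets the caller list directories of that type; it grants no file reads. A caller who picks the interface by name or summary will expect something different, so I would reword the summary to `## List gnome homedir directories (gnome_home_t)`. Existing callers that relied on the old `config_home_t` access should also be checked. The template body starts outside this hunk.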
@@ -255,8 +328,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.32/policy/modules/apps/gnome.te
--- nsaserefpolicy/policy/modules/apps/gnome.te 2010-01-18 18:24:22.596529936 +0100
-+++ serefpolicy-3.6.32/policy/modules/apps/gnome.te 2010-01-21 18:31:15.086614286 +0100
-@@ -7,6 +7,7 @@
++++ serefpolicy-3.6.32/policy/modules/apps/gnome.te 2010-02-03 22:11:10.235822052 +0100
+@@ -7,11 +7,12 @@
#
attribute gnomedomain;
@@ -264,6 +337,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type gconf_etc_t;
files_config_file(gconf_etc_t)
+
+-type gconf_home_t;
++type gconf_home_t, gnome_home_type;
+ typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
+ typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
+ typealias gconf_home_t alias unconfined_gconf_home_t;
@@ -31,12 +32,15 @@
application_domain(gconfd_t, gconfd_exec_t)
ubac_constrained(gconfd_t)
@@ -983,7 +1062,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
######################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2010-01-18 18:24:22.727540243 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-01-27 15:33:53.900626544 +0100
++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-02-03 15:45:55.176148406 +0100
@@ -96,6 +96,7 @@
corenet_tcp_connect_ftp_port(abrt_t)
corenet_tcp_connect_all_ports(abrt_t)
@@ -992,7 +1071,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_read_urand(abrt_t)
dev_rw_sysfs(abrt_t)
dev_dontaudit_read_memory_dev(abrt_t)
-@@ -200,10 +201,13 @@
+@@ -176,6 +177,13 @@
+ sssd_stream_connect(abrt_t)
+ ')
+
++ifdef(`hide_broken_symptoms', `
++ gen_require(`
++ attribute domain;
++ ')
++ allow abrt_t domain:file write;
++')
++
+ permissive abrt_t;
+
+ ########################################
+@@ -200,10 +208,13 @@
files_read_etc_files(abrt_helper_t)
files_dontaudit_all_non_security_leaks(abrt_helper_t)
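Review bot: `allow abrt_t domain:file write;` is a real grant placed inside the hide_broken_symptoms ifdef, a block whose name suggests it is meant to silence denials rather than widen access. As written it lets abrt_t write to any file labelled with a type in the `domain` attribute. It has no visible effect today only because of `permissive abrt_t;` just below; once that line is removed, the write access becomes enforced policy. If the goal is to quiet the AVC, use `dontaudit abrt_t domain:file write;`. If abrt really needs the write, move the rule out of the ifdef and add a comment naming the file it writes.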
@@ -1116,7 +1209,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to read and write Apache
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.32/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2010-01-18 18:24:22.739530246 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/apache.te 2010-02-02 14:56:02.348068014 +0100
++++ serefpolicy-3.6.32/policy/modules/services/apache.te 2010-02-03 20:16:18.858822145 +0100
@@ -309,7 +309,7 @@
manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
@@ -1126,6 +1219,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
+@@ -363,10 +363,10 @@
+ manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
+ files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
+
+-setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
++manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
+ manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
+ manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
+-files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file })
++files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file dir })
+
+ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+ manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@@ -400,6 +400,7 @@
dev_rw_crypto(httpd_t)
@@ -1229,13 +1335,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.32/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2010-01-18 18:24:22.769530360 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/cron.te 2010-01-29 09:59:49.239614360 +0100
++++ serefpolicy-3.6.32/policy/modules/services/cron.te 2010-02-03 21:39:39.157822554 +0100
@@ -323,6 +323,10 @@
udev_read_db(crond_t)
')
+optional_policy(`
-+ mta_system_content(cron_var_run_t)
++ mta_system_content(crond_var_run_t)
+')
+
########################################
@@ -2202,6 +2308,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.32/policy/modules/services/setroubleshoot.te
+--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2010-01-18 18:24:22.891530024 +0100
++++ serefpolicy-3.6.32/policy/modules/services/setroubleshoot.te 2010-02-03 22:59:41.283821731 +0100
+@@ -177,6 +177,10 @@
+ userdom_signull_unpriv_users(setroubleshoot_fixit_t)
+
+ optional_policy(`
++ gnome_dontaudit_search_config(setroubleshoot_fixit_t)
++')
++
++optional_policy(`
+ rpm_signull(setroubleshoot_fixit_t)
+ rpm_read_db(setroubleshoot_fixit_t)
+ rpm_dontaudit_manage_db(setroubleshoot_fixit_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.32/policy/modules/services/snmp.te
--- nsaserefpolicy/policy/modules/services/snmp.te 2010-01-18 18:24:22.892539860 +0100
+++ serefpolicy-3.6.32/policy/modules/services/snmp.te 2010-01-19 14:20:15.303858953 +0100
@@ -2676,10 +2796,42 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(tgtd_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.fc serefpolicy-3.6.32/policy/modules/services/tuned.fc
+--- nsaserefpolicy/policy/modules/services/tuned.fc 2010-01-18 18:24:22.907534364 +0100
++++ serefpolicy-3.6.32/policy/modules/services/tuned.fc 2010-02-03 17:28:43.165143461 +0100
+@@ -3,4 +3,7 @@
+
+ /usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0)
+
++/var/log/tuned(/.*)? gen_context(system_u:object_r:tuned_log_t,s0)
++/var/log/tuned\.log -- gen_context(system_u:object_r:tuned_log_t,s0)
++
+ /var/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.6.32/policy/modules/services/tuned.te
--- nsaserefpolicy/policy/modules/services/tuned.te 2010-01-18 18:24:22.909530847 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/tuned.te 2010-02-02 19:06:55.670067778 +0100
-@@ -36,7 +36,7 @@
++++ serefpolicy-3.6.32/policy/modules/services/tuned.te 2010-02-03 17:35:32.298159249 +0100
+@@ -13,6 +13,9 @@
+ type tuned_initrc_exec_t;
+ init_script_file(tuned_initrc_exec_t)
+
++type tuned_log_t;
++logging_log_file(tuned_log_t)
++
+ type tuned_var_run_t;
+ files_pid_file(tuned_var_run_t)
+
+@@ -26,6 +29,10 @@
+ dontaudit tuned_t self:capability { dac_override sys_tty_config };
+ allow tuned_t self:fifo_file rw_fifo_file_perms;
+
++manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
++manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
++logging_log_filetrans(tuned_t, tuned_log_t, file)
++
+ manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
+ files_pid_filetrans(tuned_t, tuned_var_run_t, { file })
+
+@@ -36,7 +43,7 @@
kernel_read_system_state(tuned_t)
dev_read_sysfs(tuned_t)
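Review bot: `logging_log_filetrans(tuned_t, tuned_log_t, file)` covers only regular files, while the same change labels a directory in tuned.fc (`/var/log/tuned(/.*)?`) and grants `manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)`. If tuned ever creates `/var/log/tuned` itself, the directory gets the parent log type rather than `tuned_log_t`, and the manage rules will not apply to it. Either make the transition `logging_log_filetrans(tuned_t, tuned_log_t, { file dir })`, or drop `manage_dirs_pattern` if the directory is always shipped by the package. Separately, `manage_files_pattern` lets the daemon unlink and rewrite its own logs; create plus append would be the tighter grant if tuned does not rotate them itself.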
@@ -2768,7 +2920,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/usbmuxd.te serefpolicy-3.6.32/policy/modules/services/usbmuxd.te
--- nsaserefpolicy/policy/modules/services/usbmuxd.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/usbmuxd.te 2010-02-02 18:58:37.916068136 +0100
++++ serefpolicy-3.6.32/policy/modules/services/usbmuxd.te 2010-02-02 19:28:04.029318349 +0100
@@ -0,0 +1,44 @@
+
+policy_module(usbmuxd,1.0.0)
@@ -2793,7 +2945,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+#
+
+allow usbmuxd_t self:capability { kill setgid setuid };
-+allow usbmuxd_t self:process { fork signal signull };
++allow usbmuxd_t self:process { fork };
+
+# Init script handling
+domain_use_interactive_fds(usbmuxd_t)
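Review bot: With `signal` and `signull` dropped from `allow usbmuxd_t self:process { fork };`, the `kill` capability on the line above looks like a leftover. That capability only matters for signalling processes owned by another uid. If nothing else in usbmuxd.te grants a signal permission on another domain (the rest of the file is outside this hunk), the rule can be trimmed to `allow usbmuxd_t self:capability { setgid setuid };`. If `kill` is needed, a one-line comment saying which process is signalled would make the asymmetry understandable.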
@@ -2845,7 +2997,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_rw_kvm(virt_domain)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.32/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2010-01-18 18:24:22.917530119 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2010-02-01 14:37:29.435332322 +0100
++++ serefpolicy-3.6.32/policy/modules/services/xserver.fc 2010-02-03 14:24:48.062145095 +0100
@@ -65,6 +65,8 @@
/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
@@ -2863,7 +3015,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/spool/gdm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0)
-@@ -116,6 +119,9 @@
+@@ -116,7 +119,11 @@
/var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
@@ -2871,11 +3023,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lxdm(/*.)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/slim\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/slim.* -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/video.rom -- gen_context(system_u:object_r:xserver_var_run_t,s0)
+ /var/run/xorg(/.*)? gen_context(system_u:object_r:xserver_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2010-01-18 18:24:22.923530253 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-02-01 17:25:59.218331954 +0100
++++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2010-02-03 10:39:48.878145130 +0100
@@ -301,6 +301,9 @@
manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
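Review bot: The added xserver.fc entry `/var/run/slim.* --` has an unescaped dot and an open-ended tail, so it labels every regular file whose path merely starts with `/var/run/slim` as `xdm_var_run_t`, including files from unrelated packages. It also makes the `slim\.auth` line above redundant. If only slim's own runtime files are meant, which is an assumption, `/var/run/slim\..* --` or explicit file names would be tighter. In the same hunk, the unchanged context line `/var/run/lxdm(/*.)?` has the quantifier transposed: it matches optional slashes followed by a single character, so nothing below `/var/run/lxdm/` gets the label. It should read `/var/run/lxdm(/.*)?`.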
@@ -2886,7 +3040,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_use_interactive_fds(xauth_t)
dev_rw_xserver_misc(xauth_t)
-@@ -309,7 +312,10 @@
+@@ -309,8 +312,12 @@
files_read_usr_files(xauth_t)
files_search_pids(xauth_t)
files_dontaudit_getattr_all_dirs(xauth_t)
@@ -2895,9 +3049,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+fs_dontaudit_leaks(xauth_t)
fs_getattr_all_fs(xauth_t)
++fs_read_nfs_symlinks(xauth_t)
fs_search_auto_mountpoints(xauth_t)
-@@ -506,6 +512,7 @@
+ # cjp: why?
+@@ -506,6 +513,7 @@
dev_dontaudit_rw_misc(xdm_t)
dev_getattr_video_dev(xdm_t)
dev_setattr_video_dev(xdm_t)
@@ -2905,7 +3061,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_getattr_scanner_dev(xdm_t)
dev_setattr_scanner_dev(xdm_t)
dev_read_sound(xdm_t)
-@@ -582,6 +589,7 @@
+@@ -582,6 +590,7 @@
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
userdom_stream_connect(xdm_t)
@@ -2913,7 +3069,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_manage_user_tmp_dirs(xdm_t)
userdom_manage_user_tmp_sockets(xdm_t)
userdom_manage_tmpfs_role(system_r, xdm_t)
-@@ -668,6 +676,7 @@
+@@ -668,6 +677,7 @@
optional_policy(`
gnome_read_gconf_config(xdm_t)
@@ -2921,7 +3077,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -675,6 +684,10 @@
+@@ -675,6 +685,10 @@
')
optional_policy(`
@@ -2932,7 +3088,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
loadkeys_exec(xdm_t)
')
-@@ -712,6 +725,7 @@
+@@ -712,6 +726,7 @@
optional_policy(`
pulseaudio_exec(xdm_t)
pulseaudio_dbus_chat(xdm_t)
@@ -2940,6 +3096,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
# On crash gdm execs gdb to dump stack
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.6.32/policy/modules/system/application.te
+--- nsaserefpolicy/policy/modules/system/application.te 2010-01-18 18:24:22.925530368 +0100
++++ serefpolicy-3.6.32/policy/modules/system/application.te 2010-02-03 15:31:03.649144986 +0100
+@@ -15,6 +15,10 @@
+ files_dontaudit_search_all_dirs(application_domain_type)
+
+ optional_policy(`
++ afs_rw_udp_sockets(application_domain_type)
++')
++
++optional_policy(`
+ ssh_sigchld(application_domain_type)
+ ssh_rw_stream_sockets(application_domain_type)
+ ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.fc serefpolicy-3.6.32/policy/modules/system/fstools.fc
--- nsaserefpolicy/policy/modules/system/fstools.fc 2010-01-18 18:24:22.930540014 +0100
+++ serefpolicy-3.6.32/policy/modules/system/fstools.fc 2010-01-27 18:13:10.349614395 +0100
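Review bot: `afs_rw_udp_sockets(application_domain_type)` in application.te hands the permission to every type carrying the application attribute rather than to the domains that need it, and nothing says why. The interface body is not on this page. If it allows read/write on an AFS UDP socket that is only inherited by accident, a dontaudit rule would silence the denial without granting the access. At minimum, add a comment above the call such as `# <which denial this addresses>; applies to all application domains`, so the breadth is a recorded decision.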
@@ -2989,8 +3159,51 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.32/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2010-01-18 18:24:22.933540325 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/init.if 2010-02-02 15:33:20.194067768 +0100
-@@ -1686,3 +1686,25 @@
++++ serefpolicy-3.6.32/policy/modules/system/init.if 2010-02-03 22:20:50.365821844 +0100
+@@ -165,6 +165,7 @@
+ type init_t;
+ role system_r;
+ attribute daemon;
++ attribute initrc_transition_domain;
+ ')
+
+ typeattribute $1 daemon;
+@@ -180,6 +181,7 @@
+ # Handle upstart direct transition to a executable
+ domtrans_pattern(init_t,$2,$1)
+ allow init_t $1:process siginh;
++ allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
+
+ # daemons started from init will
+ # inherit fds from init for the console
+@@ -273,6 +275,7 @@
+ gen_require(`
+ type initrc_t;
+ role system_r;
++ attribute initrc_transition_domain;
+ ')
+
+ application_domain($1,$2)
+@@ -281,6 +284,7 @@
+
+ domtrans_pattern(initrc_t,$2,$1)
+ allow initrc_t $1:process siginh;
++ allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;
+
+ ifdef(`hide_broken_symptoms',`
+ # RHEL4 systems seem to have a stray
+@@ -775,8 +779,10 @@
+ interface(`init_labeled_script_domtrans',`
+ gen_require(`
+ type initrc_t;
++ attribute initrc_transition_domain;
+ ')
+
++ typeattribute $1 initrc_transition_domain;
+ domtrans_pattern($1, $2, initrc_t)
+ files_search_etc($1)
+ ')
+@@ -1686,3 +1692,26 @@
allow $1 initrc_t:sem rw_sem_perms;
')
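Review bot: The new `typeattribute $1 initrc_transition_domain;` gives `init_labeled_script_domtrans` an undocumented side effect: it tags its caller with the attribute. Combined with the two added `allow $1 initrc_transition_domain:fifo_file rw_inherited_fifo_file_perms;` rules, every domain declared through those two init interfaces can then read and write pipes inherited from any tagged caller. Those two interface definitions start outside the hunk. The grant is limited to inherited descriptors, which is the right shape, but the coupling is invisible at the call sites. I would add a comment above each allow, for example `# use pipes inherited from the domain that ran the init script (see initrc_transition_domain)`, and mention the attribute assignment in the summary of `init_labeled_script_domtrans`. The attribute is declared in the init.te hunk further down.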
@@ -3010,6 +3223,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ ')
+
+ dontaudit $1 initrc_t:tcp_socket { read write };
++ dontaudit $1 initrc_t:udp_socket { read write };
+ dontaudit $1 initrc_t:unix_dgram_socket { read write };
+ dontaudit $1 initrc_t:unix_stream_socket { read write };
+ dontaudit $1 initrc_t:shm rw_shm_perms;
@@ -3018,8 +3232,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.32/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-01-18 18:24:22.936530091 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/init.te 2010-01-18 18:27:02.782531248 +0100
-@@ -212,6 +212,10 @@
++++ serefpolicy-3.6.32/policy/modules/system/init.te 2010-02-03 22:20:55.858821762 +0100
+@@ -40,6 +40,7 @@
+ attribute init_script_domain_type;
+ attribute init_script_file_type;
+ attribute init_run_all_scripts_domain;
++attribute initrc_transition_domain;
+
+ # Mark process types as daemons
+ attribute daemon;
+@@ -212,6 +213,10 @@
')
optional_policy(`
@@ -3030,7 +3252,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# /var/run/dovecot/login/ssl-parameters.dat is a hard link to
# /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
# the directory. But we do not want to allow this.
-@@ -872,6 +876,7 @@
+@@ -872,6 +877,7 @@
optional_policy(`
unconfined_domain(initrc_t)
@@ -3316,6 +3538,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_kernel_sysctls(dhcpc_t)
kernel_request_load_module(dhcpc_t)
kernel_use_fds(dhcpc_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.32/policy/modules/system/udev.te
+--- nsaserefpolicy/policy/modules/system/udev.te 2010-01-18 18:24:22.973540245 +0100
++++ serefpolicy-3.6.32/policy/modules/system/udev.te 2010-02-03 14:37:00.939144600 +0100
+@@ -273,6 +273,10 @@
+ ')
+
+ optional_policy(`
++ usbmuxd_domtrans(udev_t)
++')
++
++optional_policy(`
+ vbetool_domtrans(udev_t)
+ ')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.32/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2010-01-18 18:24:22.975530582 +0100
+++ serefpolicy-3.6.32/policy/modules/system/unconfined.if 2010-01-18 18:27:02.790542463 +0100