diff -ru policy/macros/admin_macros.te policy.new/macros/admin_macros.te --- policy/macros/admin_macros.te 2004-10-02 03:36:13.000000000 +1000 +++ policy.new/macros/admin_macros.te 2004-10-26 23:15:16.000000000 +1000 @@ -14,9 +14,12 @@ # undefine(`admin_domain') define(`admin_domain',` +# define an attribute for all files created by this role +attribute $1_domain_file_type; + # Type for home directory. -type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type; -type $1_home_t, file_type, sysadmfile, home_type; +type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, $1_domain_file_type; +type $1_home_t, file_type, sysadmfile, home_type, $1_domain_file_type; # Type and access for pty devices. can_create_pty($1) diff -ru policy/macros/program/apache_macros.te policy.new/macros/program/apache_macros.te --- policy/macros/program/apache_macros.te 2004-10-15 14:57:20.000000000 +1000 +++ policy.new/macros/program/apache_macros.te 2004-10-26 23:19:27.000000000 +1000 @@ -18,18 +18,23 @@ file_type_auto_trans(httpd_$1_script_t, tmp_t, $1_tmp_t) ', ` +ifelse($1, sys, ` #This type is for webpages # -type httpd_$1_content_t, file_type, homedirfile, sysadmfile; -ifelse($1, sys, ` +type httpd_$1_content_t, file_type, homedirfile, sysadmfile, sysadm_domain_file_type; typealias httpd_sys_content_t alias httpd_sysadm_content_t; -') # This type is used for .htaccess files # type httpd_$1_htaccess_t, file_type, sysadmfile; type httpd_$1_script_exec_t, file_type, sysadmfile; +', ` +# same as above, add $1_domain_file_type attribute +type httpd_$1_content_t, file_type, homedirfile, sysadmfile, $1_domain_file_type; +type httpd_$1_htaccess_t, file_type, sysadmfile, $1_domain_file_type; +type httpd_$1_script_exec_t, file_type, sysadmfile, $1_domain_file_type; +') # Type that CGI scripts run as type httpd_$1_script_t, domain, privmail; 
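Review bot: admin_domain tags only `$1_home_dir_t` and `$1_home_t` with the new attribute, and the `can_create_pty($1)` call visible as context below them is left untouched, whereas the first user_macros.te hunk passes `$1_domain_file_type` to `tmp_domain`, `can_create_pty` and the tty device type. The comment says the attribute covers all files created by the role, so for admin roles it overstates the set unless the remaining types are tagged somewhere outside this hunk. Either tag the admin pty and tmp types the same way, or narrow the comment to something like `# attribute for this role's home directory types; pty and tmp types are not included`. The macro body continues past the end of the hunk.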
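Review bot: In the `sys` branch of the first apache_macros.te hunk only `httpd_$1_content_t` receives `sysadm_domain_file_type`, while `httpd_$1_htaccess_t` and `httpd_$1_script_exec_t` stay untagged, and the second hunk tags all three `httpd_$1_script_r*_t` types for `sys`. The slocate block removed in the second hunk skipped `sys` entirely, so these types become newly visible to `sysadm_locate_t` through the attribute rule in slocate_macros.te, and only as a partial set. If that is intended, a comment such as `# sys content is owned by sysadm; htaccess and script_exec are deliberately left out of sysadm_domain_file_type` would record it; otherwise tag the two remaining types or none of them. The hard-coded attribute name also presumably relies on `admin_domain(sysadm)` being expanded before this macro is used with `sys`, which is worth stating next to it.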
@@ -69,20 +74,20 @@ uncond_can_ypbind(httpd_$1_script_t) } ') + +ifelse($1, `sys', ` # The following are the only areas that # scripts can read, read/write, or append to # -type httpd_$1_script_ro_t, file_type, sysadmfile; -type httpd_$1_script_rw_t, file_type, sysadmfile; +type httpd_$1_script_ro_t, file_type, sysadmfile, sysadm_domain_file_type; +type httpd_$1_script_rw_t, file_type, sysadmfile, sysadm_domain_file_type; +type httpd_$1_script_ra_t, file_type, sysadmfile, sysadm_domain_file_type; +', ` +type httpd_$1_script_ro_t, file_type, sysadmfile, $1_domain_file_type; +type httpd_$1_script_rw_t, file_type, sysadmfile, $1_domain_file_type; +type httpd_$1_script_ra_t, file_type, sysadmfile, $1_domain_file_type; +') file_type_auto_trans(httpd_$1_script_t, tmp_t, httpd_$1_script_rw_t) -type httpd_$1_script_ra_t, file_type, sysadmfile; - -ifdef(`slocate.te', ` -ifelse($1, `sys', `', ` -allow $1_locate_t { httpd_$1_content_t httpd_$1_htaccess_t httpd_$1_script_exec_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:dir { getattr search }; -allow $1_locate_t { httpd_$1_content_t httpd_$1_htaccess_t httpd_$1_script_exec_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_ra_t }:file { getattr read }; -')dnl end ifelse -')dnl end slocate.te ######################################################### # Permissions for running child processes and scripts diff -ru policy/macros/program/fingerd_macros.te policy.new/macros/program/fingerd_macros.te --- policy/macros/program/fingerd_macros.te 2003-08-14 22:37:36.000000000 +1000 +++ policy.new/macros/program/fingerd_macros.te 2004-10-26 23:15:16.000000000 +1000 
@@ -10,6 +10,6 @@ # allow fingerd to create a fingerlog file in the user home dir # define(`fingerd_macro', ` -type $1_home_fingerlog_t, file_type, sysadmfile; +type $1_home_fingerlog_t, file_type, sysadmfile, $1_domain_file_type; file_type_auto_trans(fingerd_t, $1_home_dir_t, $1_home_fingerlog_t) ') diff -ru policy/macros/program/gpg_agent_macros.te policy.new/macros/program/gpg_agent_macros.te --- policy/macros/program/gpg_agent_macros.te 2004-09-21 14:39:17.000000000 +1000 +++ policy.new/macros/program/gpg_agent_macros.te 2004-10-26 23:15:16.000000000 +1000 @@ -58,7 +58,7 @@ allow $1_gpg_agent_t self:fifo_file { getattr read write }; # create /tmp files -tmp_domain($1_gpg_agent) +tmp_domain($1_gpg_agent, `, $1_domain_file_type') # gpg connect allow $1_gpg_t $1_gpg_agent_tmp_t:dir { search }; diff -ru policy/macros/program/gpg_macros.te policy.new/macros/program/gpg_macros.te --- policy/macros/program/gpg_macros.te 2004-08-28 12:05:12.000000000 +1000 +++ policy.new/macros/program/gpg_macros.te 2004-10-26 23:15:16.000000000 +1000 @@ -25,7 +25,7 @@ allow $1_t self:capability { setuid }; ', ` type $1_gpg_t, domain, privlog; -type $1_gpg_secret_t, file_type, homedirfile, sysadmfile; +type $1_gpg_secret_t, file_type, homedirfile, sysadmfile, $1_domain_file_type; ')dnl end ifdef single_userdomain # Transition from the user domain to the derived domain. diff -ru policy/macros/program/irc_macros.te policy.new/macros/program/irc_macros.te --- policy/macros/program/irc_macros.te 2004-03-27 00:46:45.000000000 +1100 +++ policy.new/macros/program/irc_macros.te 2004-10-26 23:46:34.000000000 +1000 
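Review bot: Adding `$1_domain_file_type` to `$1_gpg_secret_t` in the gpg_macros.te hunk places the secret keyring type under the attribute that the slocate_macros.te hunk grants `$1_locate_t` `{ getattr read }` on, and no rule removed in this diff gave locate access to that type before. Read access to secret key material is more than a filename indexer needs, so I would keep this declaration as `type $1_gpg_secret_t, file_type, homedirfile, sysadmfile;` and, if the directory has to be traversable, grant `getattr` and `search` on it explicitly. `$1_home_ssh_t` in ssh_macros.te raises the same question, although the removed lines there show locate could already read files of that type. The enclosing ifdef branch starts outside the hunk.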
@@ -24,13 +24,8 @@ ', ` # Derived domain based on the calling user domain and the program. type $1_irc_t, domain; -type $1_home_irc_t, file_type, homedirfile, sysadmfile; -type $1_irc_exec_t, file_type, sysadmfile; - -ifdef(`slocate.te', ` -allow $1_locate_t { $1_home_irc_t $1_irc_exec_t }:dir { getattr search }; -allow $1_locate_t { $1_home_irc_t $1_irc_exec_t }:file { getattr read }; -') +type $1_home_irc_t, file_type, homedirfile, sysadmfile, $1_domain_file_type; +type $1_irc_exec_t, file_type, sysadmfile, $1_domain_file_type; allow $1_t { $1_home_irc_t $1_irc_exec_t }:file { relabelfrom relabelto create_file_perms }; diff -ru policy/macros/program/rssh_macros.te policy.new/macros/program/rssh_macros.te --- policy/macros/program/rssh_macros.te 2004-09-23 22:31:25.000000000 +1000 +++ policy.new/macros/program/rssh_macros.te 2004-10-26 23:15:16.000000000 +1000 @@ -19,8 +19,8 @@ role rssh_$1_r types rssh_$1_t; allow system_r rssh_$1_r; -type rssh_$1_rw_t, file_type, sysadmfile; -type rssh_$1_ro_t, file_type, sysadmfile; +type rssh_$1_rw_t, file_type, sysadmfile, $1_domain_file_type; +type rssh_$1_ro_t, file_type, sysadmfile, $1_domain_file_type; general_domain_access(rssh_$1_t); uses_shlib(rssh_$1_t); diff -ru policy/macros/program/screen_macros.te policy.new/macros/program/screen_macros.te --- policy/macros/program/screen_macros.te 2004-10-02 03:36:13.000000000 +1000 +++ policy.new/macros/program/screen_macros.te 2004-10-26 23:22:33.000000000 +1000 
@@ -26,7 +26,7 @@ typealias $1_home_t alias $1_home_screen_t; ', ` type $1_screen_t, domain, privlog, privfd; -type $1_home_screen_t, file_type, homedirfile, sysadmfile; +type $1_home_screen_t, file_type, homedirfile, sysadmfile, $1_domain_file_type; # Transition from the user domain to this domain. domain_auto_trans($1_t, screen_exec_t, $1_screen_t) diff -ru policy/macros/program/slocate_macros.te policy.new/macros/program/slocate_macros.te --- policy/macros/program/slocate_macros.te 2004-09-03 14:10:35.000000000 +1000 +++ policy.new/macros/program/slocate_macros.te 2004-10-26 23:33:57.000000000 +1000 @@ -52,8 +52,8 @@ allow $1_locate_t $1_tty_device_t:chr_file rw_file_perms; allow $1_locate_t $1_devpts_t:chr_file rw_file_perms; -allow $1_locate_t { home_root_t $1_home_dir_t $1_home_t }:dir { getattr search }; -allow $1_locate_t $1_home_t:{ file lnk_file } { getattr read }; +allow $1_locate_t $1_domain_file_type:dir { getattr search }; +allow $1_locate_t $1_domain_file_type:{ file lnk_file sock_file fifo_file } { getattr read }; base_file_read_access($1_locate_t) r_dir_file($1_locate_t, { etc_t lib_t var_t }) diff -ru policy/macros/program/spamassassin_macros.te policy.new/macros/program/spamassassin_macros.te --- policy/macros/program/spamassassin_macros.te 2004-10-14 10:10:03.000000000 +1000 +++ policy.new/macros/program/spamassassin_macros.te 2004-10-26 23:15:16.000000000 +1000 
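Review bot: The rewritten slocate rules drop `home_root_t` from the directory permission, and nothing in this diff gives `home_root_t` the new attribute, so `$1_locate_t` may lose the ability to traverse into home directories unless `base_file_read_access` already covers it. Keeping `allow $1_locate_t home_root_t:dir { getattr search };` next to the attribute rule would preserve the old behaviour. The second rule also extends `read` to `sock_file` and `fifo_file` and, through the attribute, to every tagged type rather than just `$1_home_t`. If slocate only needs to stat these entries, `getattr` alone on the non-directory classes would keep the grant closer to what was there before.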
@@ -80,7 +80,7 @@ dontaudit $1_spamassassin_t { sysctl_t sysctl_kernel_t }:dir search; # The type of ~/.spamassassin -type $1_home_spamassassin_t, file_type, homedirfile, sysadmfile; +type $1_home_spamassassin_t, file_type, homedirfile, sysadmfile, $1_domain_file_type; create_dir_file($1_t, $1_home_spamassassin_t) allow $1_t $1_home_spamassassin_t:notdevfile_class_set { relabelfrom relabelto }; allow $1_t $1_home_spamassassin_t:dir { relabelfrom relabelto }; diff -ru policy/macros/program/ssh_macros.te policy.new/macros/program/ssh_macros.te --- policy/macros/program/ssh_macros.te 2004-10-15 14:57:20.000000000 +1000 +++ policy.new/macros/program/ssh_macros.te 2004-10-26 23:46:14.000000000 +1000 @@ -26,7 +26,7 @@ ', ` # Derived domain based on the calling user domain and the program. type $1_ssh_t, domain, privlog; -type $1_home_ssh_t, file_type, homedirfile, sysadmfile; +type $1_home_ssh_t, file_type, homedirfile, sysadmfile, $1_domain_file_type; ifdef(`automount.te', ` allow $1_ssh_t autofs_t:dir { search getattr }; @@ -115,11 +115,6 @@ r_dir_file({ sshd_t sshd_extern_t }, $1_home_ssh_t) rw_dir_create_file($1_t, $1_home_ssh_t) -ifdef(`slocate.te', ` -allow $1_locate_t $1_home_ssh_t:dir { getattr search }; -allow $1_locate_t $1_home_ssh_t:file { getattr read }; -') - # for /bin/sh used to execute xauth dontaudit $1_ssh_t proc_t:dir search; dontaudit $1_ssh_t proc_t:{ lnk_file file } { getattr read }; diff -ru policy/macros/program/tvtime_macros.te policy.new/macros/program/tvtime_macros.te --- policy/macros/program/tvtime_macros.te 2004-10-06 04:52:36.000000000 +1000 +++ policy.new/macros/program/tvtime_macros.te 2004-10-26 23:15:16.000000000 +1000 
@@ -19,7 +19,7 @@ ifdef(`tvtime.te', ` define(`tvtime_domain',` # Derived domain based on the calling user domain and the program. -type $1_home_tvtime_t, file_type, homedirfile, sysadmfile; +type $1_home_tvtime_t, file_type, homedirfile, sysadmfile, $1_domain_file_type; x_client_domain($1, tvtime) diff -ru policy/macros/program/uml_macros.te policy.new/macros/program/uml_macros.te --- policy/macros/program/uml_macros.te 2004-07-13 09:08:07.000000000 +1000 +++ policy.new/macros/program/uml_macros.te 2004-10-26 23:46:42.000000000 +1000 @@ -25,14 +25,9 @@ ', ` # Derived domain based on the calling user domain and the program. type $1_uml_t, domain; -type $1_uml_exec_t, file_type, sysadmfile; -type $1_uml_ro_t, file_type, sysadmfile; -type $1_uml_rw_t, file_type, sysadmfile; - -ifdef(`slocate.te', ` -allow $1_locate_t { $1_uml_exec_t $1_uml_ro_t $1_uml_rw_t }:dir { getattr search }; -allow $1_locate_t { $1_uml_exec_t $1_uml_ro_t $1_uml_rw_t }:file { getattr read }; -') +type $1_uml_exec_t, file_type, sysadmfile, $1_domain_file_type; +type $1_uml_ro_t, file_type, sysadmfile, $1_domain_file_type; +type $1_uml_rw_t, file_type, sysadmfile, $1_domain_file_type; can_ptrace($1_t, $1_uml_t) diff -ru policy/macros/program/vmware_macros.te policy.new/macros/program/vmware_macros.te --- policy/macros/program/vmware_macros.te 2004-09-25 01:42:14.000000000 +1000 +++ policy.new/macros/program/vmware_macros.te 2004-10-26 23:15:16.000000000 +1000 
@@ -23,10 +23,10 @@ role $1_r types $1_vmware_t; # The user file type is for files created when the user is running VMWare -type $1_vmware_file_t, homedirfile, file_type, sysadmfile; +type $1_vmware_file_t, homedirfile, file_type, sysadmfile, $1_domain_file_type; # The user file type for the VMWare configuration files -type $1_vmware_conf_t, homedirfile, file_type, sysadmfile; +type $1_vmware_conf_t, homedirfile, file_type, sysadmfile, $1_domain_file_type; # for compatibility with older policy versions typealias $1_vmware_t alias vmware_$1_t; diff -ru policy/macros/program/x_client_macros.te policy.new/macros/program/x_client_macros.te --- policy/macros/program/x_client_macros.te 2004-09-11 16:21:48.000000000 +1000 +++ policy.new/macros/program/x_client_macros.te 2004-10-26 23:46:20.000000000 +1000 @@ -30,9 +30,9 @@ ', ` type $1_$2_t, domain $3; # Type for files that are writeable by this domain. -type $1_$2_rw_t, file_type, homedirfile, sysadmfile, tmpfile; +type $1_$2_rw_t, file_type, homedirfile, sysadmfile, tmpfile, $1_domain_file_type; # Type for files that are read-only for this domain -type $1_$2_ro_t, file_type, homedirfile, sysadmfile; +type $1_$2_ro_t, file_type, homedirfile, sysadmfile, $1_domain_file_type; ') # Transition from the user domain to the derived domain. @@ -81,11 +81,6 @@ allow $1_t $1_$2_ro_t:fifo_file create_file_perms; allow $1_t $1_$2_ro_t:{ dir file lnk_file } { relabelto relabelfrom }; -ifdef(`slocate.te', ` -allow $1_locate_t { $1_$2_ro_t $1_$2_rw_t }:dir { getattr search }; -allow $1_locate_t { $1_$2_ro_t $1_$2_rw_t }:file { getattr read }; -') - # Allow the user domain to send any signal to the $2 process. allow $1_t $1_$2_t:process signal_perms; diff -ru policy/macros/program/xauth_macros.te policy.new/macros/program/xauth_macros.te --- policy/macros/program/xauth_macros.te 2004-06-17 15:10:45.000000000 +1000 +++ policy.new/macros/program/xauth_macros.te 2004-10-26 23:46:26.000000000 +1000 
@@ -24,11 +24,7 @@ ', ` # Derived domain based on the calling user domain and the program. type $1_xauth_t, domain; -type $1_home_xauth_t, file_type, homedirfile, sysadmfile; - -ifdef(`slocate.te', ` -allow $1_locate_t $1_home_xauth_t:file { getattr read }; -') +type $1_home_xauth_t, file_type, homedirfile, sysadmfile, $1_domain_file_type; allow $1_xauth_t self:process signal; diff -ru policy/macros/user_macros.te policy.new/macros/user_macros.te --- policy/macros/user_macros.te 2004-10-20 09:31:18.000000000 +1000 +++ policy.new/macros/user_macros.te 2004-10-27 00:20:47.000000000 +1000 @@ -23,16 +23,16 @@ ')dnl end single_userdomain # Type for home directory. -type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type; -type $1_home_t, file_type, sysadmfile, home_type, user_home_type; +type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type, $1_domain_file_type; +type $1_home_t, file_type, sysadmfile, home_type, user_home_type, $1_domain_file_type; -tmp_domain($1, `, user_tmpfile') +tmp_domain($1, `, user_tmpfile, $1_domain_file_type') # Type and access for pty devices. -can_create_pty($1, `, userpty_type, user_tty_type') +can_create_pty($1, `, userpty_type, user_tty_type, $1_domain_file_type') #Type for tty devices. -type $1_tty_device_t, file_type, sysadmfile, ttyfile, user_tty_type, dev_fs; +type $1_tty_device_t, file_type, sysadmfile, ttyfile, user_tty_type, dev_fs, $1_domain_file_type; base_user_domain($1) @@ -135,6 +135,9 @@ # user_t/$1_t is an unprivileged users domain. type $1_t, domain, userdomain, unpriv_userdomain, web_client_domain, nscd_client_domain, privfd; +# define an attribute for all files created by this role +attribute $1_domain_file_type; + # Grant read/search permissions to some of /proc. allow $1_t proc_t:dir r_dir_perms; allow $1_t proc_t:{ file lnk_file } r_file_perms;
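Review bot: In user_macros.te the `attribute $1_domain_file_type;` declaration is added around line 135, while the first hunk of the same file already uses the attribute in `type` statements around line 23. admin_macros.te declares it at the top of the macro, before any use. If both user_macros.te hunks belong to the same macro, or the earlier one is expanded first, the attribute is referenced before it is declared, which the policy compiler may reject. That cannot be confirmed from the hunks alone, since the macro boundaries lie outside them. Moving the declaration ahead of the `$1_home_dir_t` line, or adding a comment such as `# $1_domain_file_type is declared in <macro name>, which must be expanded first`, would make the ordering explicit.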