diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.27.1/domains/program/crond.te
--- nsapolicy/domains/program/crond.te 2005-09-16 11:17:08.000000000 -0400
+++ policy-1.27.1/domains/program/crond.te 2005-09-16 11:35:39.000000000 -0400
@@ -106,7 +106,7 @@
 # Inherit and use descriptors from initrc for anacron.
 allow system_crond_t initrc_t:fd use;
-allow system_crond_t initrc_devpts_t:chr_file { read write };
+can_access_pty(system_crond_t, initrc)
 # Use capabilities.
 allow system_crond_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.27.1/domains/program/fsadm.te
--- nsapolicy/domains/program/fsadm.te 2005-09-16 11:17:08.000000000 -0400
+++ policy-1.27.1/domains/program/fsadm.te 2005-09-16 11:35:39.000000000 -0400
@@ -102,10 +102,10 @@
 allow fsadm_t kernel_t:system syslog_console;
 # Access terminals.
-allow fsadm_t { initrc_devpts_t admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms;
+can_access_pty(fsadm_t, initrc)
+allow fsadm_t { admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms;
 ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
 allow fsadm_t privfd:fd use;
-allow fsadm_t devpts_t:dir { getattr search };
 read_locale(fsadm_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/hostname.te policy-1.27.1/domains/program/hostname.te
--- nsapolicy/domains/program/hostname.te 2005-09-16 11:17:08.000000000 -0400
+++ policy-1.27.1/domains/program/hostname.te 2005-09-16 11:35:39.000000000 -0400
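Review bot: `can_access_pty(system_crond_t, initrc)` replaces a `{ read write }` rule here (and in hostname.te and mount.te), a `{ read write ioctl }` rule in restorecon.te and setfiles.te, a `{ read write ioctl getattr }` rule in load_policy.te, and rw_file_perms in fsadm.te, ifconfig.te, ldconfig.te, modutil.te, netutils.te and ssh.te, so the macro necessarily hands out one fixed set and the narrower domains gain whatever the widest caller had. The macro definition is not in this patch; the removed `allow fsadm_t devpts_t:dir { getattr search }` and `allow load_policy_t devpts_t:dir r_dir_perms` lines suggest it also grants devpts_t directory search. A comment at the macro definition stating the exact permissions it grants, along the lines of `# grants <perm set> on $2_devpts_t plus devpts_t:dir search`, would let each caller's reviewer see what is being widened.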
@@ -24,5 +24,5 @@
 ifdef(`distro_redhat', `
 allow hostname_t tmpfs_t:chr_file rw_file_perms;
 ')
-allow hostname_t initrc_devpts_t:chr_file { read write };
+can_access_pty(hostname_t, initrc)
 allow hostname_t initrc_t:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ifconfig.te policy-1.27.1/domains/program/ifconfig.te
--- nsapolicy/domains/program/ifconfig.te 2005-09-16 11:17:08.000000000 -0400
+++ policy-1.27.1/domains/program/ifconfig.te 2005-09-16 11:35:39.000000000 -0400
@@ -52,7 +52,8 @@
 allow ifconfig_t self:udp_socket create_socket_perms;
 # Access terminals.
-allow ifconfig_t { user_tty_type initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
+can_access_pty(ifconfig_t, initrc)
+allow ifconfig_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
 ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
 allow ifconfig_t tun_tap_device_t:chr_file { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.27.1/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te 2005-09-16 11:17:08.000000000 -0400
+++ policy-1.27.1/domains/program/initrc.te 2005-09-16 11:35:39.000000000 -0400
@@ -214,7 +214,15 @@
 allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
 allow initrc_t self:capability sys_admin;
 allow initrc_t device_t:dir create;
-
+# wants to delete /poweroff and other files
+allow initrc_t root_t:file unlink;
+# wants to read /.fonts directory
+allow initrc_t default_t:file { getattr read };
+ifdef(`xserver.te', `
+# wants to cleanup xserver log dir
+allow initrc_t xserver_log_t:dir rw_dir_perms;
+allow initrc_t xserver_log_t:file unlink;
+')
 ')dnl end distro_redhat
 allow initrc_t system_map_t:{ file lnk_file } r_file_perms;
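Review bot: In the initrc.te hunk the comment `# wants to read /.fonts directory` does not match the rule under it, `allow initrc_t default_t:file { getattr read };`, which grants access to files only; listing a directory would additionally need `:dir { getattr search read }`. default_t is the type a path gets when no file context matches, so this grant covers every unlabelled-by-default file on the system; a file-contexts entry for /.fonts would be the narrower fix and would make the rule unnecessary. The neighbouring `allow initrc_t root_t:file unlink;` likewise applies to every file labelled root_t, and the comment `# wants to delete /poweroff and other files` should name what the other files are so the scope can be judged. The `ifdef(`distro_redhat'` block these rules sit in opens outside the hunk.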
@@ -322,3 +330,6 @@
 ifdef(`dbusd.te', `
 allow initrc_t system_dbusd_var_run_t:sock_file write;
 ')
+
+# Slapd needs to read cert files from its initscript
+r_dir_file(initrc_t, cert_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ldconfig.te policy-1.27.1/domains/program/ldconfig.te
--- nsapolicy/domains/program/ldconfig.te 2005-09-12 16:40:28.000000000 -0400
+++ policy-1.27.1/domains/program/ldconfig.te 2005-09-16 11:35:39.000000000 -0400
@@ -16,7 +16,8 @@
 domain_auto_trans({ sysadm_t initrc_t }, ldconfig_exec_t, ldconfig_t)
 dontaudit ldconfig_t device_t:dir search;
-allow ldconfig_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
+can_access_pty(ldconfig_t, initrc)
+allow ldconfig_t admin_tty_type:chr_file rw_file_perms;
 allow ldconfig_t privfd:fd use;
 uses_shlib(ldconfig_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/load_policy.te policy-1.27.1/domains/program/load_policy.te
--- nsapolicy/domains/program/load_policy.te 2005-09-12 16:40:28.000000000 -0400
+++ policy-1.27.1/domains/program/load_policy.te 2005-09-16 11:35:39.000000000 -0400
@@ -45,11 +45,9 @@
 allow load_policy_t root_t:dir search;
 allow load_policy_t etc_t:dir search;
-# Read the devpts root directory (needed?)
-allow load_policy_t devpts_t:dir r_dir_perms;
-
 # Other access
-allow load_policy_t { admin_tty_type initrc_devpts_t devtty_t }:chr_file { read write ioctl getattr };
+can_access_pty(load_policy_t, initrc)
+allow load_policy_t { admin_tty_type devtty_t }:chr_file { read write ioctl getattr };
 uses_shlib(load_policy_t)
 allow load_policy_t self:capability dac_override;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.27.1/domains/program/login.te
--- nsapolicy/domains/program/login.te 2005-09-12 16:40:29.000000000 -0400
+++ policy-1.27.1/domains/program/login.te 2005-09-16 11:35:39.000000000 -0400
@@ -62,6 +62,11 @@
 ifdef(`pamconsole.te', `
 rw_dir_create_file($1_login_t, pam_var_console_t)
+domain_auto_trans($1_login_t, pam_console_exec_t, pam_console_t)
+')
+
+ifdef(`alsa.te', `
+domain_auto_trans($1_login_t, alsa_exec_t, alsa_t)
 ')
 # Use capabilities
@@ -200,23 +205,20 @@
 # since very weak authentication is used.
 login_spawn_domain(remote_login, unpriv_userdomain)
-allow remote_login_t devpts_t:dir search;
 allow remote_login_t userpty_type:chr_file { setattr write };
 # Use the pty created by rlogind.
 ifdef(`rlogind.te', `
-allow remote_login_t rlogind_devpts_t:chr_file { setattr rw_file_perms };
-
+can_access_pty(remote_login_t, rlogind)
 # Relabel ptys created by rlogind.
-allow remote_login_t rlogind_devpts_t:chr_file { relabelfrom relabelto };
+allow remote_login_t rlogind_devpts_t:chr_file { setattr relabelfrom relabelto };
 ')
 # Use the pty created by telnetd.
 ifdef(`telnetd.te', `
-allow remote_login_t telnetd_devpts_t:chr_file { setattr rw_file_perms };
-
+can_access_pty(remote_login_t, telnetd)
 # Relabel ptys created by telnetd.
-allow remote_login_t telnetd_devpts_t:chr_file { relabelfrom relabelto };
+allow remote_login_t telnetd_devpts_t:chr_file { setattr relabelfrom relabelto };
 ')
 allow remote_login_t ptyfile:chr_file { getattr relabelfrom relabelto ioctl };
@@ -225,3 +227,8 @@
 # Allow remote login to resolve host names (passed in via the -h switch)
 can_resolve(remote_login_t)
+ifdef(`use_mcs', `
+ifdef(`getty.te', `
+range_transition getty_t login_exec_t s0 - s0:c0.c127;
+')
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.27.1/domains/program/modutil.te
--- nsapolicy/domains/program/modutil.te 2005-09-12 16:40:29.000000000 -0400
+++ policy-1.27.1/domains/program/modutil.te 2005-09-16 11:35:39.000000000 -0400
@@ -59,7 +59,8 @@
 allow depmod_t modules_object_t:file unlink;
 # Access terminals.
-allow depmod_t { console_device_t initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
+can_access_pty(depmod_t, initrc)
+allow depmod_t { console_device_t admin_tty_type }:chr_file rw_file_perms;
 ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
 # Read System.map from home directories.
@@ -97,7 +98,8 @@
 allow insmod_t usr_t:file { getattr read };
 allow insmod_t privfd:fd use;
-allow insmod_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
+can_access_pty(insmod_t, initrc)
+allow insmod_t admin_tty_type:chr_file rw_file_perms;
 ifdef(`gnome-pty-helper.te', `allow insmod_t sysadm_gph_t:fd use;')
 allow insmod_t { agp_device_t apm_bios_t }:chr_file { read write };
@@ -138,8 +140,9 @@
 allow insmod_t fs_t:filesystem getattr;
 allow insmod_t sysfs_t:dir search;
-allow insmod_t { usbfs_t usbdevfs_t debugfs_t }:dir search;
+allow insmod_t { usbfs_t usbdevfs_t }:dir search;
 allow insmod_t { usbfs_t usbdevfs_t debugfs_t }:filesystem mount;
+r_dir_file(insmod_t, debugfs_t)
 # Rules for /proc/sys/kernel/tainted
 read_sysctl(insmod_t)
@@ -162,7 +165,6 @@
 domain_auto_trans(privmodule, insmod_exec_t, insmod_t)
 can_exec(insmod_t, { insmod_exec_t shell_exec_t bin_t sbin_t etc_t })
 allow insmod_t devtty_t:chr_file rw_file_perms;
-allow update_modules_t devpts_t:dir search;
 allow insmod_t privmodule:process sigchld;
 dontaudit sysadm_t self:capability sys_module;
@@ -197,8 +199,8 @@
 allow update_modules_t device_t:dir { getattr search };
 allow update_modules_t { console_device_t devtty_t }:chr_file rw_file_perms;
-allow update_modules_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
-allow update_modules_t devpts_t:dir search;
+can_access_pty(update_modules_t, initrc)
+allow update_modules_t admin_tty_type:chr_file rw_file_perms;
 can_exec(update_modules_t, insmod_exec_t)
 allow update_modules_t urandom_device_t:chr_file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.27.1/domains/program/mount.te
--- nsapolicy/domains/program/mount.te 2005-09-12 16:40:29.000000000 -0400
+++ policy-1.27.1/domains/program/mount.te 2005-09-16 11:35:39.000000000 -0400
@@ -16,7 +16,8 @@
 role sysadm_r types mount_t;
 role system_r types mount_t;
-allow mount_t { initrc_devpts_t console_device_t }:chr_file { read write };
+can_access_pty(mount_t, initrc)
+allow mount_t console_device_t:chr_file { read write };
 domain_auto_trans(initrc_t, mount_exec_t, mount_t)
 allow mount_t init_t:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/netutils.te policy-1.27.1/domains/program/netutils.te
--- nsapolicy/domains/program/netutils.te 2005-09-12 16:40:28.000000000 -0400
+++ policy-1.27.1/domains/program/netutils.te 2005-09-16 11:35:39.000000000 -0400
@@ -55,7 +55,8 @@
 # Access terminals.
 allow netutils_t privfd:fd use;
-allow netutils_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
+can_access_pty(netutils_t, initrc)
+allow netutils_t admin_tty_type:chr_file rw_file_perms;
 ifdef(`gnome-pty-helper.te', `allow netutils_t sysadm_gph_t:fd use;')
 allow netutils_t proc_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/restorecon.te policy-1.27.1/domains/program/restorecon.te
--- nsapolicy/domains/program/restorecon.te 2005-09-16 11:17:08.000000000 -0400
+++ policy-1.27.1/domains/program/restorecon.te 2005-09-16 11:35:39.000000000 -0400
@@ -19,7 +19,7 @@
 role sysadm_r types restorecon_t;
 role secadm_r types restorecon_t;
-allow restorecon_t initrc_devpts_t:chr_file { read write ioctl };
+can_access_pty(restorecon_t, initrc)
 allow restorecon_t { tty_device_t admin_tty_type user_tty_type devtty_t }:chr_file { read write ioctl };
 domain_auto_trans({ initrc_t sysadm_t secadm_t }, restorecon_exec_t, restorecon_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/setfiles.te policy-1.27.1/domains/program/setfiles.te
--- nsapolicy/domains/program/setfiles.te 2005-09-12 16:40:29.000000000 -0400
+++ policy-1.27.1/domains/program/setfiles.te 2005-09-16 11:35:39.000000000 -0400
@@ -22,7 +22,7 @@
 ifdef(`distro_redhat', `
 domain_auto_trans(initrc_t, setfiles_exec_t, setfiles_t)
 ')
-allow setfiles_t initrc_devpts_t:chr_file { read write ioctl };
+can_access_pty(hostname_t, initrc)
 allow setfiles_t { ttyfile ptyfile tty_device_t admin_tty_type devtty_t }:chr_file { read write ioctl };
 allow setfiles_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.27.1/domains/program/ssh.te
--- nsapolicy/domains/program/ssh.te 2005-09-16 11:17:08.000000000 -0400
+++ policy-1.27.1/domains/program/ssh.te 2005-09-16 11:35:39.000000000 -0400
@@ -153,6 +153,7 @@
 # sshd_program_domain(sshd)
 if (ssh_sysadm_login) {
+allow sshd_t devpts_t:dir r_dir_perms;
 sshd_spawn_domain(sshd, userdomain, { sysadm_devpts_t userpty_type })
 } else {
 sshd_spawn_domain(sshd, unpriv_userdomain, userpty_type)
@@ -178,7 +179,7 @@
 allow { sshd_t sshd_extern_t } self:process signal;
 } else {
 ')
-allow { sshd_t sshd_extern_t } initrc_devpts_t:chr_file rw_file_perms;
+can_access_pty({ sshd_t sshd_extern_t }, initrc)
 allow { sshd_t sshd_extern_t } self:capability net_bind_service;
 allow { sshd_t sshd_extern_t } ssh_port_t:tcp_socket name_bind;
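Review bot: In the setfiles.te hunk the added line `can_access_pty(hostname_t, initrc)` names the wrong domain: the rule it replaces was for setfiles_t, so setfiles_t loses its initrc pty access entirely while hostname_t receives a second copy of the grant hostname.te already makes in this patch. It should read `can_access_pty(setfiles_t, initrc)`. Given the `domain_auto_trans(initrc_t, setfiles_exec_t, setfiles_t)` two lines up, setfiles launched from an initscript under distro_redhat would likely start getting denials on the initrc pty.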
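Review bot: In the first ssh.te hunk `allow sshd_t devpts_t:dir r_dir_perms;` is placed inside the `if (ssh_sysadm_login) {` branch, which ties reading the /dev/pts directory to a tunable about who may log in; if sshd needs this only when spawning sysadm sessions a comment saying so would help, otherwise the line belongs before the `if` so the `else` branch gets it too. sshd_extern_t, which the second hunk treats together with sshd_t, is not covered in either branch. The conditional block's closing brace lies outside the hunk.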
@@ -231,3 +232,6 @@
 allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
 allow ssh_keygen_t sysadm_tty_device_t:chr_file { read write };
 allow ssh_keygen_t urandom_device_t:chr_file { getattr read };
+ifdef(`use_mcs', `
+range_transition initrc_t sshd_exec_t s0 - s0:c0.c127;
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/su.te policy-1.27.1/domains/program/su.te
--- nsapolicy/domains/program/su.te 2005-09-12 16:40:28.000000000 -0400
+++ policy-1.27.1/domains/program/su.te 2005-09-16 11:35:39.000000000 -0400
@@ -12,3 +12,10 @@
 # Everything else is in the su_domain macro in
 # macros/program/su_macros.te.
+
+ifdef(`use_mcs', `
+ifdef(`targeted_policy', `
+range_transition unconfined_t su_exec_t s0 - s0:c0.c127;
+domain_auto_trans(unconfined_t, su_exec_t, sysadm_su_t)
+')
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.27.1/domains/program/syslogd.te
--- nsapolicy/domains/program/syslogd.te 2005-09-12 16:40:28.000000000 -0400
+++ policy-1.27.1/domains/program/syslogd.te 2005-09-16 11:35:39.000000000 -0400
@@ -33,7 +33,7 @@
 tmp_domain(syslogd)
 # read files in /etc
-allow syslogd_t etc_t:file r_file_perms;
+allow syslogd_t { etc_runtime_t etc_t }:file r_file_perms;
 # Use capabilities.
 allow syslogd_t self:capability { dac_override net_admin net_bind_service sys_resource sys_tty_config };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/alsa.te policy-1.27.1/domains/program/unused/alsa.te
--- nsapolicy/domains/program/unused/alsa.te 2005-09-16 11:17:08.000000000 -0400
+++ policy-1.27.1/domains/program/unused/alsa.te 2005-09-16 11:35:39.000000000 -0400
@@ -11,6 +11,8 @@
 allow alsa_t self:unix_stream_socket create_stream_socket_perms;
 allow alsa_t self:unix_dgram_socket create_socket_perms;
 allow unpriv_userdomain alsa_t:sem { unix_read unix_write associate read write };
+allow unpriv_userdomain alsa_t:shm { unix_read unix_write create_shm_perms };
+
 type alsa_etc_rw_t, file_type, sysadmfile, usercanread;
 rw_dir_create_file(alsa_t,alsa_etc_rw_t)
 allow alsa_t self:capability { setgid setuid ipc_owner };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.27.1/domains/program/unused/amanda.te
--- nsapolicy/domains/program/unused/amanda.te 2005-09-12 16:40:28.000000000 -0400
+++ policy-1.27.1/domains/program/unused/amanda.te 2005-09-16 11:35:39.000000000 -0400
@@ -84,7 +84,6 @@
 # configuration files -> read only
 allow amanda_t amanda_config_t:file { getattr read };
-allow amanda_t amanda_config_t:dir search;
 # access to amanda_amandates_t
 allow amanda_t amanda_amandates_t:file { getattr lock read write };
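Review bot: In the alsa.te hunk `allow unpriv_userdomain alsa_t:shm { unix_read unix_write create_shm_perms };` gives every unprivileged user domain the whole create_shm_perms set on shared-memory segments owned by alsa_t, whereas the sem rule directly above it is limited to `{ unix_read unix_write associate read write }`. If create_shm_perms carries destroy and setattr as its name suggests, any user session can remove or alter segments the daemon created. Mirroring the sem rule, `allow unpriv_userdomain alsa_t:shm { unix_read unix_write associate read write };`, would presumably cover the sharing case; widen it only for a permission an AVC denial actually shows.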
@@ -97,43 +96,18 @@
 allow amanda_t amanda_data_t:file { read write };
 # access to proc_t
-allow amanda_t proc_t:dir { getattr search };
 allow amanda_t proc_t:file { getattr read };
 # access to etc_t and similar
-allow amanda_t etc_t:dir { getattr search };
 allow amanda_t etc_t:file { getattr read };
 allow amanda_t etc_runtime_t:file { getattr read };
-# access to var_t and similar
-allow amanda_t var_t:dir search;
-allow amanda_t var_lib_t:dir search;
-allow amanda_t amanda_var_lib_t:dir search;
-
 # access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists)
-allow amanda_t amanda_gnutarlists_t:dir { add_name read remove_name search write };
-allow amanda_t amanda_gnutarlists_t:file { create getattr read rename setattr unlink write };
-
-# access to var_run_t
-allow amanda_t var_run_t:dir search;
-
-# access to var_log_t
-allow amanda_t var_log_t:dir getattr;
-
-# access to var_spool_t
-allow amanda_t var_spool_t:dir getattr;
-
-# access to amanda_usr_lib_t
-allow amanda_t amanda_usr_lib_t:dir search;
+rw_dir_create_file(amanda_t, amanda_gnutarlists_t)
 # access to device_t and similar
-allow amanda_t device_t:dir search;
-allow amanda_t devpts_t:dir getattr;
 allow amanda_t devtty_t:chr_file { read write };
-# access to boot_t
-allow amanda_t boot_t:dir getattr;
-
 # access to fs_t
 allow amanda_t fs_t:filesystem getattr;
@@ -192,18 +166,8 @@
 ########################
 # access to user_home_t
-allow amanda_t { user_home_dir_type user_home_type }:dir { search getattr read };
 allow amanda_t user_home_type:file { getattr read };
-# access to file_t ( /floppy, /cdrom )
-allow amanda_t mnt_t:dir getattr;
-
-###########
-# Dontaudit
-###########
-dontaudit amanda_t lost_found_t:dir { getattr read };
-
-
 ##############################################################################
 # AMANDA RECOVER DECLARATIONS
 ##############################################################################
@@ -301,22 +265,17 @@
 # allow inetd_t amanda_port_t:{ tcp_socket udp_socket } name_bind;
-allow amanda_t file_type:dir {getattr read search };
+#amanda needs to look at fs_type directories to decide whether it should backup
+allow amanda_t { fs_type file_type }:dir {getattr read search };
 allow amanda_t file_type:{ lnk_file file chr_file blk_file } {getattr read };
 allow amanda_t device_type:{ blk_file chr_file } getattr;
 allow amanda_t fixed_disk_device_t:blk_file read;
 domain_auto_trans(amanda_t, fsadm_exec_t, fsadm_t)
-dontaudit amanda_t file_type:sock_file getattr;
+allow amanda_t file_type:sock_file getattr;
 logdir_domain(amanda)
-dontaudit amanda_t autofs_t:dir { getattr read search };
-dontaudit amanda_t binfmt_misc_fs_t:dir getattr;
-dontaudit amanda_t nfs_t:dir { getattr read };
-dontaudit amanda_t proc_t:dir read;
 dontaudit amanda_t proc_t:lnk_file read;
-dontaudit amanda_t rpc_pipefs_t:dir { getattr read };
-dontaudit amanda_t security_t:dir { getattr read };
-dontaudit amanda_t sysfs_t:dir { getattr read };
 dontaudit amanda_t unlabeled_t:file getattr;
-dontaudit amanda_t usbfs_t:dir getattr;
+#amanda wants to check attributes on fifo_files
+allow amanda_t file_type:fifo_file getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/anaconda.te policy-1.27.1/domains/program/unused/anaconda.te
--- nsapolicy/domains/program/unused/anaconda.te 2005-09-12 16:40:28.000000000 -0400
+++ policy-1.27.1/domains/program/unused/anaconda.te 2005-09-16 11:35:39.000000000 -0400
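Review bot: Turning `dontaudit amanda_t file_type:sock_file getattr;` into `allow`, and adding `allow amanda_t file_type:fifo_file getattr;` and `allow amanda_t { fs_type file_type }:dir {getattr read search };`, converts noise suppression into real grants over every file type and every filesystem type in the policy, while the per-type dontaudit lines being removed (autofs_t, nfs_t, rpc_pipefs_t, security_t, sysfs_t, usbfs_t) show the earlier intent was to silence, not permit. If the backup only stats these objects to decide what to skip, dontaudit keeps the backup working without letting amanda_t read security_t, sysfs_t or rpc_pipefs_t directories; if it genuinely needs the access, the new comment should say why read and search on all of fs_type are required rather than getattr alone. The two added comments are also written `#amanda ...` where the rest of the file uses `# ...`.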
@@ -17,11 +17,6 @@
 role system_r types ldconfig_t;
 domain_auto_trans(anaconda_t, ldconfig_exec_t, ldconfig_t)
-ifdef(`su.te', `
-role system_r types sysadm_su_t;
-domain_auto_trans(anaconda_t, su_exec_t, sysadm_su_t)
-')
-
 # Run other rc scripts in the anaconda_t domain.
 domain_auto_trans(anaconda_t, initrc_exec_t, initrc_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.27.1/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te 2005-09-16 11:17:08.000000000 -0400
+++ policy-1.27.1/domains/program/unused/apache.te 2005-09-16 11:35:39.000000000 -0400
@@ -113,9 +113,12 @@
 can_network_server(httpd_t)
 can_kerberos(httpd_t)
 can_resolve(httpd_t)
-can_ypbind(httpd_t)
-can_ldap(httpd_t)
+nsswitch_domain(httpd_t)
 allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
+# allow httpd to connect to mysql/posgresql
+allow httpd_t { postgresql_port_t mysqld_port_t }:tcp_socket name_connect;
+# allow httpd to work as a relay
+allow httpd_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:tcp_socket name_connect;
 if (httpd_can_network_connect) {
 can_network_client(httpd_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.27.1/domains/program/unused/apmd.te
--- nsapolicy/domains/program/unused/apmd.te 2005-09-16 11:17:08.000000000 -0400
+++ policy-1.27.1/domains/program/unused/apmd.te 2005-09-16 11:35:39.000000000 -0400
@@ -47,6 +47,7 @@
 # acpid also has a logfile
 log_domain(apmd)
+tmp_domain(apmd)
 ifdef(`distro_suse', `
 var_lib_domain(apmd)
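Review bot: In the apache.te hunk the two added name_connect rules are placed above, not inside, the `if (httpd_can_network_connect) {` block that begins at the end of the hunk, so httpd_t may now open outbound connections to postgresql, mysqld, http, http_cache, ftp and gopher ports regardless of the tunable; for the most common outbound targets that removes the default-deny the boolean exists to provide, and a compromised script or module inside httpd_t gets database and proxy reachability by default. Moving the two rules inside the existing `if`, or giving the database and relay cases booleans of their own, keeps the opt-in. The comment `# allow httpd to work as a relay` should also say that this is httpd connecting out to remote servers, and `posgresql` in the other comment is misspelled.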
@@ -140,3 +141,10 @@
 allow apmd_t user_tty_type:chr_file rw_file_perms;
 # Access /dev/apm_bios.
 allow initrc_t apm_bios_t:chr_file { setattr getattr read };
+
+ifdef(`logrotate.te', `
+allow apmd_t logrotate_t:fd use;
+')dnl end if logrotate.te
+allow apmd_t devpts_t:dir { getattr search };
+allow apmd_t security_t:dir search;
+r_dir_file(apmd_t, usr_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/auditd.te policy-1.27.1/domains/program/unused/auditd.te
--- nsapolicy/domains/program/unused/auditd.te 2005-09-12 16:40:28.000000000 -0400
+++ policy-1.27.1/domains/program/unused/auditd.te 2005-09-16 11:35:39.000000000 -0400
@@ -65,3 +65,5 @@
 allow auditctl_t privfd:fd use;
+allow auditd_t sbin_t:dir search;
+can_exec(auditd_t, sbin_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/automount.te policy-1.27.1/domains/program/unused/automount.te
--- nsapolicy/domains/program/unused/automount.te 2005-09-12 16:40:28.000000000 -0400
+++ policy-1.27.1/domains/program/unused/automount.te 2005-09-16 11:35:39.000000000 -0400
@@ -34,7 +34,9 @@
 can_exec(automount_t, { etc_t automount_etc_t })
 can_network_server(automount_t)
+can_resolve(automount_t)
 can_ypbind(automount_t)
+can_ldap(automount_t)
 ifdef(`fsadm.te', `
 domain_auto_trans(automount_t, fsadm_exec_t, fsadm_t)
@@ -56,6 +58,7 @@
 allow automount_t { bin_t sbin_t }:dir search;
 can_exec(automount_t, mount_exec_t)
+can_exec(automount_t, shell_exec_t)
 allow mount_t autofs_t:dir getattr;
 dontaudit automount_t var_t:dir write;
@@ -73,3 +76,4 @@
 allow automount_t var_lib_t:dir search;
 allow automount_t var_lib_nfs_t:dir search;
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bluetooth.te policy-1.27.1/domains/program/unused/bluetooth.te
--- nsapolicy/domains/program/unused/bluetooth.te 2005-09-16 11:17:08.000000000 -0400
+++ policy-1.27.1/domains/program/unused/bluetooth.te 2005-09-16 11:35:39.000000000 -0400
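Review bot: In the auditd.te hunk `can_exec(auditd_t, sbin_t)` lets the audit daemon run any sbin_t binary in its own domain, with auditd's privileges, and nothing in the hunk says which program needs this. If it is for a single helper (an audit dispatcher, presumably), giving that binary its own exec type with a domain transition from auditd_t, or at minimum a comment naming it, avoids making the audit daemon a launcher for all of /sbin; the accompanying `allow auditd_t sbin_t:dir search;` is fine on its own. The same question applies to `can_exec(automount_t, shell_exec_t)` in the second automount.te hunk, which should say which map scripts require a shell.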
@@ -11,11 +11,16 @@
 daemon_domain(bluetooth)
 file_type_auto_trans(bluetooth_t, var_run_t, bluetooth_var_run_t, sock_file)
+file_type_auto_trans(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
 tmp_domain(bluetooth)
 # Use capabilities.
 allow bluetooth_t self:capability { net_admin net_raw sys_tty_config };
+allow bluetooth_t self:process getsched;
+allow bluetooth_t proc_t:file { getattr read };
+
+allow bluetooth_t self:shm create_shm_perms;
 lock_domain(bluetooth)
@@ -35,6 +40,7 @@
 # bluetooth_conf_t is the type of the /etc/bluetooth dir.
 type bluetooth_conf_t, file_type, sysadmfile;
+type bluetooth_conf_rw_t, file_type, sysadmfile;
 # Read /etc/bluetooth
 allow bluetooth_t bluetooth_conf_t:dir search;
@@ -44,5 +50,14 @@
 allow bluetooth_t usbfs_t:dir r_dir_perms;
 allow bluetooth_t usbfs_t:file rw_file_perms;
 allow bluetooth_t bin_t:dir search;
-can_exec(bluetooth_t, bin_t)
+can_exec(bluetooth_t, { bin_t shell_exec_t })
+allow bluetooth_t bin_t:lnk_file read;
+
+#Handle bluetooth serial devices
+allow bluetooth_t tty_device_t:chr_file rw_file_perms;
+allow bluetooth_t self:fifo_file rw_file_perms;
+allow bluetooth_t etc_t:file { getattr read };
+r_dir_file(bluetooth_t, fonts_t)
+allow bluetooth_t urandom_device_t:chr_file r_file_perms;
+allow bluetooth_t usr_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.27.1/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te 2005-09-16 11:17:08.000000000 -0400
+++ policy-1.27.1/domains/program/unused/cups.te 2005-09-16 11:35:39.000000000 -0400
@@ -188,6 +188,7 @@
 # Uses networking to talk to the daemons
 allow hplip_t self:unix_dgram_socket create_socket_perms;
 allow hplip_t self:unix_stream_socket create_socket_perms;
+allow hplip_t self:rawip_socket create_socket_perms;
 # for python
 can_exec(hplip_t, bin_t)
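Review bot: The third bluetooth.te hunk, from `+can_exec(bluetooth_t, { bin_t shell_exec_t })` to `+allow bluetooth_t usr_t:file { getattr read };`, adds shell execution, read access to fonts_t and usr_t and read/write on every tty_device_t without saying which helper needs each; only the tty rule carries a comment, written `#Handle` where the file otherwise uses `# ...`. A one-line comment per grant naming the program that triggered it, or dropping fonts_t if it was only silencing an AVC message, is what a reader of this file will need later. The `type bluetooth_conf_rw_t` declaration in the second hunk is likewise uncommented, unlike the `bluetooth_conf_t` line above it.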
@@ -196,6 +197,9 @@
 allow hplip_t proc_t:file r_file_perms;
 allow hplip_t urandom_device_t:chr_file { getattr read };
 allow hplip_t usr_t:{ file lnk_file } r_file_perms;
+allow hplip_t devpts_t:dir search;
+allow hplip_t devpts_t:chr_file { getattr ioctl };
+
 dontaudit cupsd_t selinux_config_t:dir search;
 dontaudit cupsd_t selinux_config_t:file { getattr read };
@@ -231,12 +235,13 @@
 allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
 can_ps(cupsd_config_t, cupsd_t)
-allow cupsd_config_t self:capability chown;
+allow cupsd_config_t self:capability { chown sys_tty_config };
 rw_dir_create_file(cupsd_config_t, cupsd_etc_t)
 rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t)
 file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
 file_type_auto_trans(cupsd_config_t, var_t, cupsd_rw_etc_t, file)
+allow cupsd_config_t var_t:lnk_file read;
 can_network_tcp(cupsd_config_t)
 can_ypbind(cupsd_config_t)
@@ -311,3 +316,7 @@
 r_dir_file(cupsd_lpd_t, cupsd_etc_t)
 r_dir_file(cupsd_lpd_t, cupsd_rw_etc_t)
 allow cupsd_lpd_t ipp_port_t:tcp_socket name_connect;
+ifdef(`use_mcs', `
+range_transition initrc_t cupsd_exec_t s0 - s0:c0.c127;
+')
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cyrus.te policy-1.27.1/domains/program/unused/cyrus.te
--- nsapolicy/domains/program/unused/cyrus.te 2005-09-16 11:17:09.000000000 -0400
+++ policy-1.27.1/domains/program/unused/cyrus.te 2005-09-16 11:35:39.000000000 -0400
@@ -42,7 +42,7 @@
 create_dir_file(cyrus_t, mail_spool_t)
 allow cyrus_t var_spool_t:dir search;
-ifdef(`saslaudthd.te', `
+ifdef(`saslauthd.te', `
 allow cyrus_t saslauthd_var_run_t:dir search;
 allow cyrus_t saslauthd_var_run_t:sock_file { read write };
 allow cyrus_t saslauthd_t:unix_stream_socket { connectto };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dbusd.te policy-1.27.1/domains/program/unused/dbusd.te
--- nsapolicy/domains/program/unused/dbusd.te 2005-09-16 11:17:09.000000000 -0400
+++ policy-1.27.1/domains/program/unused/dbusd.te 2005-09-16 11:35:39.000000000 -0400
@@ -12,7 +12,7 @@
 # dac_override: /var/run/dbus is owned by messagebus on Debian
 allow system_dbusd_t self:capability { dac_override setgid setuid };
-can_ypbind(system_dbusd_t)
+nsswitch_domain(system_dbusd_t)
 # I expect we need more than this
@@ -23,3 +23,5 @@
 can_exec(system_dbusd_t, sbin_t)
 allow system_dbusd_t self:fifo_file { read write };
 allow system_dbusd_t self:unix_stream_socket connectto;
+allow system_dbusd_t self:unix_stream_socket connectto;
+allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.27.1/domains/program/unused/dhcpc.te
--- nsapolicy/domains/program/unused/dhcpc.te 2005-09-16 11:17:09.000000000 -0400
+++ policy-1.27.1/domains/program/unused/dhcpc.te 2005-09-16 11:35:39.000000000 -0400
@@ -134,7 +134,6 @@
 allow dhcpc_t home_root_t:dir search;
 allow initrc_t dhcpc_state_t:file { getattr read };
 dontaudit dhcpc_t var_lock_t:dir search;
-dontaudit dhcpc_t selinux_config_t:dir search;
 allow dhcpc_t self:netlink_route_socket r_netlink_socket_perms;
 dontaudit dhcpc_t domain:dir getattr;
 allow dhcpc_t initrc_var_run_t:file rw_file_perms;
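Review bot: In the second dbusd.te hunk the added `allow system_dbusd_t self:unix_stream_socket connectto;` is an exact duplicate of the context line directly above it and should be dropped. The other added line, the netlink_audit_socket grant with nlmsg_relay, is the kind of rule that deserves a one-line comment saying which dbus feature sends audit records, since it lets the bus daemon emit audit messages on behalf of other processes.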
@@ -145,6 +144,7 @@
 ifdef(`ypbind.te', `
 domain_auto_trans(dhcpc_t, ypbind_exec_t, ypbind_t)
 allow dhcpc_t ypbind_var_run_t:file { r_file_perms unlink };
+allow dhcpc_t ypbind_t:process signal;
 ')
 ifdef(`ntpd.te', `
 domain_auto_trans(dhcpc_t, ntpd_exec_t, ntpd_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.27.1/domains/program/unused/dovecot.te
--- nsapolicy/domains/program/unused/dovecot.te 2005-09-12 16:40:28.000000000 -0400
+++ policy-1.27.1/domains/program/unused/dovecot.te 2005-09-16 11:35:39.000000000 -0400
@@ -43,7 +43,9 @@
 can_kerberos(dovecot_t)
 allow dovecot_t tmp_t:dir search;
-rw_dir_file(dovecot_t, mail_spool_t)
+rw_dir_create_file(dovecot_t, mail_spool_t)
+
+
 create_dir_file(dovecot_t, dovecot_spool_t)
 create_dir_file(mta_delivery_agent, dovecot_spool_t)
 allow dovecot_t mail_spool_t:lnk_file read;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hwclock.te policy-1.27.1/domains/program/unused/hwclock.te
--- nsapolicy/domains/program/unused/hwclock.te 2005-09-16 11:17:09.000000000 -0400
+++ policy-1.27.1/domains/program/unused/hwclock.te 2005-09-16 11:35:39.000000000 -0400
@@ -47,3 +46,4 @@
 # for when /usr is not mounted
 dontaudit hwclock_t file_t:dir search;
 allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+r_dir_file(hwclock_t, etc_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.27.1/domains/program/unused/kudzu.te
--- nsapolicy/domains/program/unused/kudzu.te 2005-09-16 11:17:09.000000000 -0400
+++ policy-1.27.1/domains/program/unused/kudzu.te 2005-09-16 11:35:39.000000000 -0400
@@ -20,7 +20,7 @@
 allow kudzu_t ramfs_t:dir search;
 allow kudzu_t ramfs_t:sock_file write;
 allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
-allow kudzu_t modules_conf_t:file { getattr read unlink };
+allow kudzu_t modules_conf_t:file { getattr read unlink rename };
 allow kudzu_t modules_object_t:dir r_dir_perms;
 allow kudzu_t { modules_object_t modules_dep_t }:file { getattr read };
 allow kudzu_t mouse_device_t:chr_file { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mta.te policy-1.27.1/domains/program/unused/mta.te
--- nsapolicy/domains/program/unused/mta.te 2005-09-16 11:17:09.000000000 -0400
+++ policy-1.27.1/domains/program/unused/mta.te 2005-09-16 11:35:39.000000000 -0400
@@ -72,3 +72,7 @@
 allow system_mail_t etc_runtime_t:file { getattr read };
 allow system_mail_t { random_device_t urandom_device_t }:chr_file { getattr read };
+ifdef(`targeted_policy', `
+typealias system_mail_t alias sysadm_mail_t;
+')
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mysqld.te policy-1.27.1/domains/program/unused/mysqld.te
--- nsapolicy/domains/program/unused/mysqld.te 2005-09-16 11:17:09.000000000 -0400
+++ policy-1.27.1/domains/program/unused/mysqld.te 2005-09-16 11:35:39.000000000 -0400
@@ -12,7 +12,7 @@
 #
 daemon_domain(mysqld, `, nscd_client_domain')
-allow mysqld_t mysqld_port_t:tcp_socket name_bind;
+allow mysqld_t mysqld_port_t:tcp_socket { name_bind name_connect };
 allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;
@@ -42,7 +42,7 @@
 create_dir_file(mysqld_t, mysqld_db_t)
 allow mysqld_t var_lib_t:dir { getattr search };
-can_network_server(mysqld_t)
+can_network(mysqld_t)
 can_ypbind(mysqld_t)
 # read config files
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/NetworkManager.te policy-1.27.1/domains/program/unused/NetworkManager.te
--- nsapolicy/domains/program/unused/NetworkManager.te 2005-09-16 11:17:08.000000000 -0400
+++ policy-1.27.1/domains/program/unused/NetworkManager.te 2005-09-16 11:35:39.000000000 -0400
@@ -11,7 +11,7 @@
 # NetworkManager_t is the domain for the NetworkManager daemon.
 # NetworkManager_exec_t is the type of the NetworkManager executable.
 #
-daemon_domain(NetworkManager, `, nscd_client_domain, privsysmod' )
+daemon_domain(NetworkManager, `, nscd_client_domain, privsysmod, mlsfileread' )
 can_network(NetworkManager_t)
 allow NetworkManager_t port_type:tcp_socket name_connect;
@@ -109,3 +109,4 @@
 ')
 allow NetworkManager_t var_lib_t:dir search;
 dontaudit NetworkManager_t user_tty_type:chr_file { read write };
+dontaudit NetworkManager_t security_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.27.1/domains/program/unused/ntpd.te
--- nsapolicy/domains/program/unused/ntpd.te 2005-09-16 11:17:09.000000000 -0400
+++ policy-1.27.1/domains/program/unused/ntpd.te 2005-09-16 11:35:39.000000000 -0400
@@ -54,7 +54,7 @@
 # for cron jobs
 # system_crond_t is not right, cron is not doing what it should
 ifdef(`crond.te', `
-system_crond_entry(ntpd_exec_t, ntpd_t)
+system_crond_entry(ntpdate_exec_t, ntpd_t)
 ')
 can_exec(ntpd_t, initrc_exec_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/openct.te policy-1.27.1/domains/program/unused/openct.te
--- nsapolicy/domains/program/unused/openct.te 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.27.1/domains/program/unused/openct.te 2005-09-16 11:35:39.000000000 -0400
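Review bot: Replacing `can_network_server(mysqld_t)` with `can_network(mysqld_t)` turns a listen-only database daemon into one that may also initiate connections, and the `name_connect` added on mysqld_port_t in the previous mysqld.te hunk suggests the real need is mysqld-to-mysqld traffic (replication, presumably). If the macro names mean what they say, keeping the server macro and adding `can_network_client(mysqld_t)` (used elsewhere in this patch for httpd) together with that port rule is the narrower grant; a comment such as `# replication: connect to peer mysqld instances` would record why either form is there.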
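Review bot: In the ntpd.te hunk `system_crond_entry(ntpdate_exec_t, ntpd_t)` references ntpdate_exec_t, which is not declared in the hunk; if ntpd.te does not declare it elsewhere the policy build will fail on the undefined type. If it is declared, the two-line context comment above, ending `# system_crond_t is not right, cron is not doing what it should`, still describes the arrangement as wrong and should either be reworded to say what the ntpdate entry achieves or be removed now that the entry point changed.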
@@ -0,0 +1,16 @@ +#DESC openct - read files in page cache +# +# Author: Dan Walsh (dwalsh@redhat.com) +# + +################################# +# +# Declarations for openct +# + +daemon_domain(openct) +# +# openct asks for these +# +rw_dir_file(openct_t, usbfs_t) +allow openct_t etc_t:file r_file_perms; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pamconsole.te policy-1.27.1/domains/program/unused/pamconsole.te --- nsapolicy/domains/program/unused/pamconsole.te 2005-09-12 16:40:28.000000000 -0400 +++ policy-1.27.1/domains/program/unused/pamconsole.te 2005-09-16 11:35:39.000000000 -0400 @@ -25,6 +25,7 @@ # for /var/run/console.lock checking allow pam_console_t { var_t var_run_t }:dir search; r_dir_file(pam_console_t, pam_var_console_t) +dontaudit pam_console_t pam_var_console_t:file write; # Allow to set attributes on /dev entries allow pam_console_t device_t:dir { getattr read }; @@ -48,3 +49,4 @@ allow initrc_t pam_var_console_t:dir rw_dir_perms; allow initrc_t pam_var_console_t:file unlink; allow pam_console_t file_context_t:file { getattr read }; +nsswitch_domain(pam_console_t) diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pegasus.te policy-1.27.1/domains/program/unused/pegasus.te --- nsapolicy/domains/program/unused/pegasus.te 1969-12-31 19:00:00.000000000 -0500 +++ policy-1.27.1/domains/program/unused/pegasus.te 2005-09-16 11:35:39.000000000 -0400 
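Review bot: `#DESC openct - read files in page cache` is the header of the readahead policy added later in this patch, not a description of this domain; openct looks like a smart-card reader daemon (the only device access it asks for is `usbfs_t`), so the line should be something like `#DESC openct - OpenCT smart card reader daemon`. `rw_dir_file(openct_t, usbfs_t)` grants write access to every device node under usbfs, not just readers, because usbfs carries a single type; that is a limitation of the labelling rather than of this file, but a comment saying so, `# usbfs has no per-device types; this grants all USB devices`, helps the next reviewer judge it.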
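Review bot: `dontaudit pam_console_t pam_var_console_t:file write;` hides a write attempt on the console lock files that `r_dir_file(pam_console_t, pam_var_console_t)` two lines above only allows to be read; if pam_console really opens them read-write the right rule is an `allow` (or a read-only open in the program), and if it does not, the denial is worth keeping visible because writes to these files decide console ownership. If the dontaudit stays it should say which code path causes the denial and why it is harmless, e.g. `# pam_console opens the lock file O_RDWR but never writes; suppress the noise` — provided that is confirmed against the source. `nsswitch_domain(pam_console_t)` in the following hunk replaces nothing visible here, so a word on which lookup triggered it would also help.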
@@ -0,0 +1,31 @@ +#DESC pegasus - The Open Group Pegasus CIM/WBEM Server +# +# Author: Jason Vas Dias +# Package: tog-pegasus +# +################################# +# +# Rules for the pegasus domain +# +daemon_domain(pegasus, `, nscd_client_domain') +type pegasus_data_t, file_type, sysadmfile; +type pegasus_conf_t, file_type, sysadmfile; +type pegasus_mof_t, file_type, sysadmfile; +type pegasus_conf_exec_t, file_type, exec_type, sysadmfile; +allow pegasus_t self:capability { dac_override net_bind_service }; +can_network_tcp(pegasus_t); +nsswitch_domain(pegasus_t); +allow pegasus_t pegasus_var_run_t:sock_file { create setattr }; +allow pegasus_t self:unix_dgram_socket create_socket_perms; +allow pegasus_t self:unix_stream_socket create_stream_socket_perms; +allow pegasus_t { pegasus_http_port_t pegasus_https_port_t }:tcp_socket { name_bind name_connect }; +allow pegasus_t proc_t:file { getattr read }; +allow pegasus_t sysctl_vm_t:dir search; +allow pegasus_t initrc_var_run_t:file { read write lock }; +allow pegasus_t urandom_device_t:chr_file { getattr read }; +r_dir_file(pegasus_t, etc_t) +r_dir_file(pegasus_t, var_lib_t) +r_dir_file(pegasus_t, pegasus_mof_t) +rw_dir_create_file(pegasus_t, pegasus_conf_t) +rw_dir_create_file(pegasus_t, pegasus_data_t) +rw_dir_create_file(pegasus_conf_exec_t, pegasus_conf_t) diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postfix.te policy-1.27.1/domains/program/unused/postfix.te --- nsapolicy/domains/program/unused/postfix.te 2005-09-12 16:40:29.000000000 -0400 +++ policy-1.27.1/domains/program/unused/postfix.te 2005-09-16 11:35:39.000000000 -0400 
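Review bot: `rw_dir_create_file(pegasus_conf_exec_t, pegasus_conf_t)` uses a file type as the subject: `pegasus_conf_exec_t` is declared a few lines up as `file_type, exec_type`, not as a domain, so the rule grants nothing a process can exercise, and there is no domain transition for the configuration tool at all. Either add a domain for it with `domain_auto_trans(pegasus_t, pegasus_conf_exec_t, <that domain>)` and give that domain the conf access, or drop the exec type and let the server run the tool in place with `can_exec(pegasus_t, pegasus_conf_exec_t)`. Separately, `can_network_tcp(pegasus_t);` and `nsswitch_domain(pegasus_t);` carry trailing semicolons that no other macro call in this patch uses; after m4 expansion they leave bare `;` tokens in policy.conf, which checkpolicy may well reject. `dac_override` and `allow pegasus_t initrc_var_run_t:file { read write lock };` are both broad for a CIM server and deserve a comment on which operation needs them. The new `pegasus_data_t`/`pegasus_conf_t`/`pegasus_mof_t` types also need file_contexts entries, which do not appear in the patch as shown.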
@@ -329,7 +329,8 @@ domain_auto_trans(postfix_pipe_t, procmail_exec_t, procmail_t) ') ifdef(`sendmail.te', ` -allow sendmail_t postfix_etc_t:dir search; +r_dir_file(sendmail_t, postfix_etc_t) +allow sendmail_t postfix_spool_t:dir search; ') # Program for creating database files diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pppd.te policy-1.27.1/domains/program/unused/pppd.te --- nsapolicy/domains/program/unused/pppd.te 2005-09-16 11:17:09.000000000 -0400 +++ policy-1.27.1/domains/program/unused/pppd.te 2005-09-16 11:35:39.000000000 -0400 @@ -54,6 +54,7 @@ can_exec(pppd_t, { shell_exec_t bin_t sbin_t etc_t ifconfig_exec_t }) allow pppd_t { bin_t sbin_t }:dir search; allow pppd_t { sbin_t bin_t }:lnk_file read; +dontaudit ifconfig_t pppd_t:fd use; # Access /dev/ppp. allow pppd_t ppp_device_t:chr_file rw_file_perms; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/procmail.te policy-1.27.1/domains/program/unused/procmail.te --- nsapolicy/domains/program/unused/procmail.te 2005-09-12 16:40:28.000000000 -0400 +++ policy-1.27.1/domains/program/unused/procmail.te 2005-09-16 11:35:39.000000000 -0400 @@ -19,8 +19,7 @@ uses_shlib(procmail_t) allow procmail_t device_t:dir search; can_network_server(procmail_t) -can_ypbind(procmail_t) -can_winbind(procmail_t) +nsswitch_domain(procmail_t) allow procmail_t self:capability { sys_nice chown setuid setgid dac_override }; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/readahead.te policy-1.27.1/domains/program/unused/readahead.te --- nsapolicy/domains/program/unused/readahead.te 1969-12-31 19:00:00.000000000 -0500 +++ policy-1.27.1/domains/program/unused/readahead.te 2005-09-16 11:35:39.000000000 -0400 
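Review bot: `dontaudit ifconfig_t pppd_t:fd use;` has `ifconfig_t` as its subject but is filed under pppd.te, so anyone auditing ifconfig's rules will not find it, and it is only safe because pppd.te already depends on ifconfig unconditionally (`ifconfig_exec_t` in the context line). Moving it to ifconfig.te, or at least adding `# ifconfig inherits pppd's descriptors it does not need; quiet the denial` here, keeps the rule where a reader expects it.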
@@ -0,0 +1,21 @@ +#DESC readahead - read files in page cache +# +# Author: Dan Walsh (dwalsh@redhat.com) +# + +################################# +# +# Declarations for readahead +# + +daemon_domain(readahead) +# +# readahead asks for these +# +allow readahead_t { file_type -secure_file_type }:{ file lnk_file } { getattr read }; +allow readahead_t { file_type -secure_file_type }:dir r_dir_perms; +dontaudit readahead_t shadow_t:file { getattr read }; +allow readahead_t { device_t device_type }:{ lnk_file chr_file blk_file } getattr; +dontaudit readahead_t file_type:sock_file getattr; +allow readahead_t proc_t:file { getattr read }; +dontaudit readahead_t device_type:blk_file read; diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/roundup.te policy-1.27.1/domains/program/unused/roundup.te --- nsapolicy/domains/program/unused/roundup.te 1969-12-31 19:00:00.000000000 -0500 +++ policy-1.27.1/domains/program/unused/roundup.te 2005-09-16 11:35:39.000000000 -0400 @@ -0,0 +1,29 @@ +# Roundup Issue Tracking System +# +# Authors: W. Michael Petullo +# + +# +# i18n_input_domain(domain) +# +ifdef(`i18n_input.te', ` +define(`i18n_input_domain', ` +allow i18n_input_t $1_home_dir_t:dir { getattr search }; +r_dir_file(i18n_input_t, $1_home_t) +if (use_nfs_home_dirs) { r_dir_file(i18n_input_t, nfs_t) } +if (use_samba_home_dirs) { r_dir_file(i18n_input_t, cifs_t) } +') +') + + diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mta_macros.te policy-1.27.1/macros/program/mta_macros.te --- nsapolicy/macros/program/mta_macros.te 2005-09-12 16:40:26.000000000 -0400 +++ policy-1.27.1/macros/program/mta_macros.te 2005-09-16 11:35:39.000000000 -0400 @@ -34,7 +34,7 @@ uses_shlib($1_mail_t) can_network_client_tcp($1_mail_t) -allow $1_mail_t port_type:tcp_socket name_connect; +allow $1_mail_t { smtp_port_t port_type }:tcp_socket name_connect; can_resolve($1_mail_t) can_ypbind($1_mail_t) allow $1_mail_t self:unix_dgram_socket create_socket_perms; 
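Review bot: `allow readahead_t { file_type -secure_file_type }:{ file lnk_file } { getattr read };` lets this domain read every file on the system that is not explicitly marked secure, which in the targeted declaration later in this patch includes `sshd_key_t` (`file_type, sysadmfile` only). That is tolerable only because readahead just warms the page cache and is presumably entered only from `initrc_t` through `daemon_domain`, and both facts should be written next to the rule, e.g. `# reads, never exposes, arbitrary non-secure files to prime the page cache; must only be entered from initrc_t`. Since the list of files to read is itself an ordinary config file, consider excluding key material explicitly or giving such types `secure_file_type`, so that a tampered list cannot steer the daemon at private keys.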
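Review bot: roundup.te is headed `# Roundup Issue Tracking System` but contains only the `i18n_input_domain` macro definition and not a single roundup rule, so either the wrong file was committed under this name or a macro has been dropped into a domain file. Macro definitions belong under macros/, and with the `define` wrapped in `ifdef(`i18n_input.te', ...)` inside an `unused/` file, the callers this patch adds in user_macros.te and unconfined.te only expand when roundup.te happens to be enabled; otherwise `i18n_input_domain(user)` is left unexpanded in policy.conf and the build fails. Move the definition to a macros file (or into i18n_input.te itself) and either restore the roundup rules or rename the file.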
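Review bot: `allow $1_mail_t { smtp_port_t port_type }:tcp_socket name_connect;` changes nothing, because `smtp_port_t` is presumably already a `port_type` and the rule still lets mail clients connect to every labelled port. If the intent was to record that the client talks SMTP, the meaningful change is to narrow the rule, `allow $1_mail_t smtp_port_t:tcp_socket name_connect;`, perhaps with `dontaudit $1_mail_t port_type:tcp_socket name_connect;` to keep logs quiet while the fallout is measured, rather than to add a member the set already contains.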
@@ -68,7 +68,7 @@ allow system_mail_t system_crond_tmp_t:file { read getattr ioctl }; allow mta_user_agent system_crond_tmp_t:file { read getattr }; ') -allow system_mail_t initrc_devpts_t:chr_file { read write getattr }; +can_access_pty(system_mail_t, initrc) ', ` # For when the user wants to send mail via port 25 localhost diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/pyzor_macros.te policy-1.27.1/macros/program/pyzor_macros.te --- nsapolicy/macros/program/pyzor_macros.te 2005-09-12 16:40:26.000000000 -0400 +++ policy-1.27.1/macros/program/pyzor_macros.te 2005-09-16 11:35:39.000000000 -0400 @@ -64,6 +64,6 @@ # Allow pyzor to be run by hand. Needed by any action other than # invocation from a spam filter. -allow $1_pyzor_t $1_devpts_t:chr_file rw_file_perms; +can_access_pty($1_pyzor_t, $1) allow $1_pyzor_t sshd_t:fd use; ') diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/razor_macros.te policy-1.27.1/macros/program/razor_macros.te --- nsapolicy/macros/program/razor_macros.te 2005-09-12 16:40:26.000000000 -0400 +++ policy-1.27.1/macros/program/razor_macros.te 2005-09-16 11:35:39.000000000 -0400 @@ -70,6 +70,6 @@ # Allow razor to be run by hand. Needed by any action other than # invocation from a spam filter. -allow $1_razor_t $1_devpts_t:chr_file rw_file_perms; +can_access_pty($1_razor_t, $1) allow $1_razor_t sshd_t:fd use; ') diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/su_macros.te policy-1.27.1/macros/program/su_macros.te --- nsapolicy/macros/program/su_macros.te 2005-09-16 11:17:12.000000000 -0400 +++ policy-1.27.1/macros/program/su_macros.te 2005-09-16 11:35:39.000000000 -0400 
@@ -54,7 +54,7 @@ allow $1_su_t self:process { setsched setrlimit }; allow $1_su_t device_t:dir search; allow $1_su_t self:process { fork sigchld }; -can_ypbind($1_su_t) +nsswitch_domain($1_su_t) r_dir_file($1_su_t, selinux_config_t) dontaudit $1_su_t shadow_t:file { getattr read }; diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/uml_macros.te policy-1.27.1/macros/program/uml_macros.te --- nsapolicy/macros/program/uml_macros.te 2005-09-12 16:40:26.000000000 -0400 +++ policy-1.27.1/macros/program/uml_macros.te 2005-09-16 11:35:39.000000000 -0400 @@ -81,7 +81,7 @@ allow uml_net_t $1_uml_t:unix_stream_socket { read write }; allow uml_net_t $1_uml_t:unix_dgram_socket { read write }; dontaudit uml_net_t privfd:fd use; -allow uml_net_t $1_uml_devpts_t:chr_file { read write }; +can_access_pty(uml_net_t, $1_uml) dontaudit uml_net_t $1_uml_rw_t:dir { getattr search }; ')dnl end ifdef uml_net.te diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.27.1/macros/user_macros.te --- nsapolicy/macros/user_macros.te 2005-09-12 16:40:26.000000000 -0400 +++ policy-1.27.1/macros/user_macros.te 2005-09-16 11:35:39.000000000 -0400 @@ -121,6 +121,7 @@ # user domains. ifelse($1, sysadm, `',` ifdef(`apache.te', `apache_user_domain($1)') +ifdef(`i18n_input.te', `i18n_input_domain($1)') ') ifdef(`slocate.te', `locate_domain($1)') ifdef(`lockdev.te', `lockdev_domain($1)') diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.27.1/Makefile --- nsapolicy/Makefile 2005-09-16 11:17:08.000000000 -0400 +++ policy-1.27.1/Makefile 2005-09-16 11:36:31.000000000 -0400 @@ -16,7 +16,7 @@ MLS=n # Set to y if MCS is enabled in the policy -MCS=n +MCS=y FLASKDIR = flask/ PREFIX = /usr 
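Review bot: `ifdef(`i18n_input.te', `i18n_input_domain($1)')` runs for every non-sysadm user domain, and the macro it calls (defined in this patch's roundup.te) gives the single `i18n_input_t` read access to `$1_home_t` for each of them, so one input-method daemon ends up able to read every user's home directory across otherwise separate user domains. The targeted variant in this same patch is backed out for precisely that reason (`#Removing i18n_input from targeted for now, since wants to read users homedirs`), so the strict policy should either carry a comment accepting the cross-user exposure, `# i18n_input_t can read all users' homes; accepted for input methods`, or grant per-user access in a way that does not aggregate in one domain. The call also only expands if the macro file is part of the build, which is not guaranteed for a definition living under domains/program/unused/.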
@@ -29,15 +29,10 @@ VERS := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ') PREVERS := 19 KERNVERS := $(shell cat /selinux/policyvers) +MLSENABLED := $(shell cat /selinux/mls) POLICYVER := policy.$(VERS) TOPDIR = $(DESTDIR)/etc/selinux TYPE=strict -ifeq ($(MLS),y) -TYPE=mls -endif -ifeq ($(MCS),y) -TYPE=mcs -endif INSTALLDIR = $(TOPDIR)/$(TYPE) POLICYPATH = $(INSTALLDIR)/policy @@ -89,8 +84,12 @@ all: policy tmp/valid_fc: $(LOADPATH) $(FC) +ifeq ($(CHECKPOLMLS), -M) +ifeq ($(MLSENABLED),1) @echo "Validating file contexts files ..." $(SETFILES) -q -c $(LOADPATH) $(FC) +endif +endif @touch tmp/valid_fc install: $(FCPATH) $(APPFILES) $(ROOTFILES) $(USERPATH)/local.users @@ -160,7 +159,7 @@ @mkdir -p $(POLICYPATH) $(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf ifneq ($(VERS),$(PREVERS)) - $(CHECKPOLICY) -c $(PREVERS) -o $(POLICYPATH)/policy.$(PREVERS) policy.conf + $(CHECKPOLICY) $(CHECKPOLMLS) -c $(PREVERS) -o $(POLICYPATH)/policy.$(PREVERS) policy.conf endif # Note: Can't use install, so not sure how to deal with mode, user, and group @@ -170,8 +169,12 @@ $(POLICYVER): policy.conf $(FC) $(CHECKPOLICY) $(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf +ifeq ($(CHECKPOLMLS), -M) +ifeq (1, $(MLSENABLED)) @echo "Validating file contexts files ..." $(SETFILES) -q -c $(POLICYVER) $(FC) +endif +endif reload tmp/load: $(LOADPATH) @echo "Loading Policy ..." 
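Review bot: With the `ifeq ($(MLS),y)`/`ifeq ($(MCS),y)` blocks removed, `TYPE` is always `strict`, so an MCS or MLS build (and `MCS=y` is now the default in the previous hunk) installs over /etc/selinux/strict rather than into its own tree, and a host that had a non-MCS strict policy there gets it replaced with one that enforces category constraints. If that naming is intended, say so next to `TYPE=strict`, e.g. `# MCS is part of the strict policy and installs under the same name; MLS still needs TYPE=mls`. `MLSENABLED := $(shell cat /selinux/mls)` is also empty when selinuxfs is not mounted, which the later `ifeq` tests tolerate but which deserves a comment so that a build host without SELinux is not mistaken for a non-MLS kernel.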
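Review bot: Nesting the `setfiles -q -c` call inside `ifeq ($(CHECKPOLMLS), -M)` and `ifeq ($(MLSENABLED),1)` makes file-context validation run only for an MLS policy on an MLS kernel and skips it altogether for the ordinary build, where it used to run unconditionally; the same pattern is repeated in the `$(POLICYVER)` rule in the last hunk of this file. The combination worth avoiding is presumably just an MLS policy on a non-MLS kernel, where setfiles cannot load the policy, so compute that once (next to `MLSENABLED`, since make evaluates `ifeq` at parse time) and keep validation on everywhere else. Rewritten with a single flag:
```makefile
# Validate file contexts unless this is an MLS policy on a kernel without
# MLS support, where setfiles cannot load the policy to check against.
VALIDATE_FC := y
ifeq ($(CHECKPOLMLS), -M)
ifneq ($(MLSENABLED), 1)
VALIDATE_FC := n
endif
endif

tmp/valid_fc: $(LOADPATH) $(FC)
ifeq ($(VALIDATE_FC), y)
	@echo "Validating file contexts files ..."
	$(SETFILES) -q -c $(LOADPATH) $(FC)
endif
	@touch tmp/valid_fc

# ... unchanged: install and policy rules ...

$(POLICYVER): policy.conf $(FC) $(CHECKPOLICY)
	$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
ifeq ($(VALIDATE_FC), y)
	@echo "Validating file contexts files ..."
	$(SETFILES) -q -c $(POLICYVER) $(FC)
endif
```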
@@ -355,10 +358,9 @@ @for file in $(USER_FILES); do \ echo "Converting $$file"; \ sed -r -e 's/\;/ level s0 range s0;/' $$file | \ - sed -r -e 's/(user (root|system_u).*);/\1 - s0:c0.c127;/' > $$file.new; \ + sed -r -e 's/(user (user_u|root|system_u).*);/\1 - s0:c0.c127;/' > $$file.new; \ mv $$file.new $$file; \ done - @sed -e '/sid kernel/s/s0/s0 - s0:c0.c127/' initial_sid_contexts > initial_sid_contexts.new && mv initial_sid_contexts.new initial_sid_contexts @echo "Enabling MCS in the Makefile" @sed "s/MCS=y/MCS=y/" Makefile > Makefile.new @mv Makefile.new Makefile diff --exclude-from=exclude -N -u -r nsapolicy/mcs policy-1.27.1/mcs --- nsapolicy/mcs 2005-09-15 16:13:03.000000000 -0400 +++ policy-1.27.1/mcs 2005-09-16 11:35:39.000000000 -0400 @@ -200,9 +200,23 @@ # # Only files are constrained by MCS at this stage. # -mlsconstrain file { read write setattr append unlink link rename +mlsconstrain file { write setattr append unlink link rename create ioctl lock execute } (h1 dom h2); +mlsconstrain file { read } ((h1 dom h2) or + ( t1 == mlsfileread )); + + +# new file labels must be dominated by the relabeling subject's clearance +mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom relabelto } + ( h1 dom h2 ); + +define(`nogetattr_file_perms', `{ create ioctl read lock write setattr append +link unlink rename relabelfrom relabelto }') + +define(`nogetattr_dir_perms', `{ create read lock setattr ioctl link unlink +rename search add_name remove_name reparent write rmdir relabelfrom +relabelto }') # XXX # diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.27.1/net_contexts --- nsapolicy/net_contexts 2005-09-16 11:17:08.000000000 -0400 +++ policy-1.27.1/net_contexts 2005-09-16 11:35:39.000000000 -0400 
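Review bot: Adding `user_u` to the `s/(user (user_u|root|system_u).*);/\1 - s0:c0.c127;/` conversion gives every ordinary login the full category clearance, so any MCS separation between users now depends entirely on the login program assigning a narrower level at session start rather than on the policy's user definitions. That may well be the intended model, but it should be stated in a comment beside the sed, e.g. `# all users get the full clearance; per-user ranges are set by the login program, not the policy`. Dropping the `initial_sid_contexts` edit leaves the kernel SID at plain `s0` while the mcs file now constrains `read` by `h1 dom h2`, which is presumably handled elsewhere but worth confirming, and the remaining `@sed "s/MCS=y/MCS=y/" Makefile` is a no-op now that `MCS=y` is the default and can go.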
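Review bot: `( t1 == mlsfileread )` in the file `read` constraint is a global escape hatch: any domain carrying the attribute reads files of every category, and the only thing bounding its reach is how sparingly the attribute is granted (NetworkManager_t receives it in this patch). Nothing in the patch declares the attribute, so `attribute mlsfileread;` must already exist or be added, and the constraint deserves a comment that frames future grants as privilege escalations, e.g. `# mlsfileread: domains allowed to read files at any MCS category; restrict to trusted system daemons, never user domains`. The `relabelfrom`/`relabelto` dominance check is a sound addition; `getattr` remains unconstrained, which matches the `nogetattr_*` helpers defined below but should be spelled out under `# Only files are constrained by MCS at this stage.`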
@@ -50,6 +50,10 @@ portcon tcp 53 system_u:object_r:dns_port_t portcon udp 67 system_u:object_r:dhcpd_port_t +portcon udp 647 system_u:object_r:dhcpd_port_t +portcon tcp 647 system_u:object_r:dhcpd_port_t +portcon udp 847 system_u:object_r:dhcpd_port_t +portcon tcp 847 system_u:object_r:dhcpd_port_t portcon udp 68 system_u:object_r:dhcpc_port_t portcon udp 70 system_u:object_r:gopher_port_t portcon tcp 70 system_u:object_r:gopher_port_t @@ -164,6 +168,8 @@ portcon tcp 50000 system_u:object_r:hplip_port_t portcon tcp 50002 system_u:object_r:hplip_port_t portcon tcp 5900 system_u:object_r:vnc_port_t +portcon tcp 5988 system_u:object_r:pegasus_http_port_t +portcon tcp 5989 system_u:object_r:pegasus_https_port_t portcon tcp 6000 system_u:object_r:xserver_port_t portcon tcp 6001 system_u:object_r:xserver_port_t portcon tcp 6002 system_u:object_r:xserver_port_t diff --exclude-from=exclude -N -u -r nsapolicy/targeted/appconfig/root_default_contexts policy-1.27.1/targeted/appconfig/root_default_contexts --- nsapolicy/targeted/appconfig/root_default_contexts 2005-09-12 16:40:26.000000000 -0400 +++ policy-1.27.1/targeted/appconfig/root_default_contexts 2005-09-16 11:35:39.000000000 -0400 @@ -1,2 +1,6 @@ system_r:unconfined_t system_r:unconfined_t system_r:initrc_t system_r:unconfined_t +system_r:local_login_t system_r:unconfined_t +system_r:remote_login_t system_r:unconfined_t +system_r:rshd_t system_r:unconfined_t +system_r:crond_t system_r:unconfined_t diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/ssh.te policy-1.27.1/targeted/domains/program/ssh.te --- nsapolicy/targeted/domains/program/ssh.te 2005-09-12 16:40:26.000000000 -0400 +++ policy-1.27.1/targeted/domains/program/ssh.te 2005-09-16 11:35:39.000000000 -0400 
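Review bot: The four `portcon` lines for 647 and 847 label what appear to be the ISC DHCP failover ports as `dhcpd_port_t` without saying so, and their placement between 67 and 68 reads like a typo at first glance; a comment such as `# 647/847: dhcpd failover peer ports` fixes that. Sharing the type with port 67 also means every domain allowed `dhcpd_port_t` can now bind or connect to the failover ports, which is presumably only dhcpd but is a wider grant than the type name suggests.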
@@ -17,3 +17,6 @@ type sshd_key_t, file_type, sysadmfile; type sshd_var_run_t, file_type, sysadmfile; domain_auto_trans(initrc_t, sshd_exec_t, sshd_t) +ifdef(`use_mcs', ` +range_transition initrc_t sshd_exec_t s0 - s0:c0.c127; +') diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/xdm.te policy-1.27.1/targeted/domains/program/xdm.te --- nsapolicy/targeted/domains/program/xdm.te 2005-09-12 16:40:26.000000000 -0400 +++ policy-1.27.1/targeted/domains/program/xdm.te 2005-09-16 11:35:39.000000000 -0400 @@ -20,3 +20,7 @@ type xdm_tmp_t, file_type, sysadmfile; domain_auto_trans(initrc_t, xdm_exec_t, xdm_t) domain_auto_trans(init_t, xdm_exec_t, xdm_t) +ifdef(`use_mcs', ` +range_transition init_t xdm_exec_t s0 - s0:c0.c127; +range_transition initrc_t xdm_exec_t s0 - s0:c0.c127; +') diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.27.1/targeted/domains/unconfined.te --- nsapolicy/targeted/domains/unconfined.te 2005-09-12 16:40:26.000000000 -0400 +++ policy-1.27.1/targeted/domains/unconfined.te 2005-09-16 11:35:39.000000000 -0400 @@ -7,15 +7,14 @@ type unconfined_t, domain, privuser, privhome, privrole, privowner, admin, auth_write, fs_domain, privmem; role system_r types unconfined_t; role user_r types unconfined_t; -role sysadm_r types unconfined_t; unconfined_domain(unconfined_t) allow domain unconfined_t:fd use; allow domain unconfined_t:process sigchld; # Define some type aliases to help with compatibility with # macros and domains from the "strict" policy. -typealias bin_t alias su_exec_t; typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t }; + typeattribute tty_device_t admin_tty_type; typeattribute devpts_t admin_tty_type; @@ -63,6 +62,7 @@ bool use_samba_home_dirs false; ifdef(`samba.te', `samba_domain(user)') +ifdef(`i18n_input.te', `i18n_input_domain(user)') # Allow system to run with NIS bool allow_ypbind false; 
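Review bot: Removing `role sysadm_r types unconfined_t;` leaves sysadm_r without an authorised type in this file even though `sysadm_t` stays an alias of `unconfined_t` two lines below, so a transition into `sysadm_r:unconfined_t` (newrole, or the `su_domain(sysadm)` added later in the file if it expects that role) yields an invalid context unless another file still declares it. If sysadm_r is intentionally unused in targeted, a comment here saying so, `# sysadm_r is not used in targeted; everything runs as system_r/user_r:unconfined_t`, prevents it from being re-added by the next person chasing a denial. The dropped `typealias bin_t alias su_exec_t;` presumably makes way for the real `su_exec_t` that `su_domain(sysadm)` declares; saying that in the commit message would help.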
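Review bot: `ifdef(`i18n_input.te', `i18n_input_domain(user)')` is added here while the next hunk of the same file aliases `i18n_input_t` to `unconfined_t` with a comment that i18n_input is being removed from targeted; with that alias the macro call grants nothing unconfined_t lacks, and it expands only if the macro definition in roundup.te is part of the targeted build — otherwise the unexpanded call breaks compilation. Drop this line and let the alias block carry a single comment explaining the removal.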
@@ -77,3 +77,14 @@ allow domain self:process execmem; } +#Removing i18n_input from targeted for now, since wants to read users homedirs +typealias bin_t alias i18n_input_exec_t; +typealias unconfined_t alias i18n_input_t; +typealias var_run_t alias i18n_input_var_run_t; +# Needed to get su working +bool secure_mode false; +typealias unconfined_t alias { sysadm_chkpwd_t }; +typealias tmp_t alias { sysadm_tmp_t sshd_tmp_t }; +su_domain(sysadm) +typeattribute sysadm_su_t unrestricted; +role system_r types sysadm_su_t; diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.27.1/tunables/distro.tun --- nsapolicy/tunables/distro.tun 2005-09-12 16:40:26.000000000 -0400 +++ policy-1.27.1/tunables/distro.tun 2005-09-16 11:35:39.000000000 -0400 @@ -5,7 +5,7 @@ # appropriate ifdefs. -dnl define(`distro_redhat') +define(`distro_redhat') dnl define(`distro_suse') diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.27.1/tunables/tunable.tun --- nsapolicy/tunables/tunable.tun 2005-09-12 16:40:26.000000000 -0400 +++ policy-1.27.1/tunables/tunable.tun 2005-09-16 11:35:39.000000000 -0400 @@ -1,5 +1,5 @@ # Allow rpm to run unconfined. -dnl define(`unlimitedRPM') +define(`unlimitedRPM') # Allow privileged utilities like hotplug and insmod to run unconfined. dnl define(`unlimitedUtils') @@ -17,7 +17,7 @@ # Do not audit things that we know to be broken but which # are not security risks -dnl define(`hide_broken_symptoms') +define(`hide_broken_symptoms') # Allow user_r to reach sysadm_r via su, sudo, or userhelper. # Otherwise, only staff_r can do so. diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.27.1/types/file.te --- nsapolicy/types/file.te 2005-09-16 11:17:12.000000000 -0400 +++ policy-1.27.1/types/file.te 2005-09-16 11:35:39.000000000 -0400 
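Review bot: `typeattribute sysadm_su_t unrestricted;` together with `typealias unconfined_t alias { sysadm_chkpwd_t }` makes the whole su path in targeted run without confinement, including the password-checking helper, so `su_domain(sysadm)` contributes a domain name but no enforcement; a comment should say that is intended, `# su runs unrestricted in targeted; the domain exists only so su_macros and role statements resolve`. `bool secure_mode false;` is consumed by the su macros but declared here at the bottom of unconfined.te; placing it with the other targeted booleans (`use_samba_home_dirs`, `allow_ypbind` above) keeps the tunables discoverable. The `i18n_input_*` aliases contradict the `i18n_input_domain(user)` call added in the previous hunk of this file — keep one or the other.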
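Review bot: `define(`unlimitedRPM')` as an upstream default lets rpm and its scriptlets run unconfined, so everything installed through the package manager is outside MAC control; that is a distribution decision and belongs in a distro overlay or behind `distro_redhat`, not in the shared tunables file. If it stays, extend the comment: `# Allow rpm to run unconfined (enabled by default for distro_redhat builds; disable on hardened installs).`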
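Review bot: `define(`hide_broken_symptoms')` by default suppresses audit records for denials the policy authors have judged harmless, which removes signal that incident detection on the audit log depends on and makes it harder to notice when one of those "broken" paths is in fact being abused. Keep it commented out upstream, or expand the comment to spell out the trade-off, e.g. `# Default on for distro builds to cut audit noise; turn off where audit completeness matters more than log volume.`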
@@ -307,8 +307,7 @@ type hugetlbfs_t, mount_point, fs_type, sysadmfile; allow hugetlbfs_t self:filesystem associate; -type mqueue_t, mount_point, fs_type, sysadmfile; -allow mqueue_t self:filesystem associate; +typealias file_t alias mqueue_t; # udev_runtime_t is the type of the udev table file type udev_runtime_t, file_type, sysadmfile; @@ -325,6 +324,9 @@ type inotifyfs_t, fs_type, sysadmfile; allow inotifyfs_t self:filesystem associate; +type capifs_t, fs_type, sysadmfile; +allow capifs_t self:filesystem associate; + # removable_t is the default type of all removable media type removable_t, file_type, sysadmfile, usercanread; allow removable_t self:filesystem associate; diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.27.1/types/network.te --- nsapolicy/types/network.te 2005-09-16 11:17:12.000000000 -0400 +++ policy-1.27.1/types/network.te 2005-09-16 11:35:39.000000000 -0400 @@ -120,6 +120,8 @@ type zebra_port_t, port_type; type i18n_input_port_t, port_type; type vnc_port_t, port_type; +type pegasus_http_port_t, port_type; +type pegasus_https_port_t, port_type; type openvpn_port_t, port_type; type clamd_port_t, port_type, reserved_port_type; type transproxy_port_t, port_type; diff --exclude-from=exclude -N -u -r nsapolicy/types/security.te policy-1.27.1/types/security.te --- nsapolicy/types/security.te 2005-09-12 16:40:26.000000000 -0400 +++ policy-1.27.1/types/security.te 2005-09-16 11:35:39.000000000 -0400 @@ -19,6 +19,10 @@ # the security server policy configuration. # type policy_config_t, file_type, secadmfile; +# Since libselinux attempts to read these by default, most domains +# do not need it. +dontaudit domain selinux_config_t:dir search; +dontaudit domain selinux_config_t:file { getattr read }; # # policy_src_t is the type of the policy source
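Review bot: `typealias file_t alias mqueue_t;` turns a dedicated filesystem type into an alias of `file_t`, the type of unlabelled files, so POSIX message queues inherit every rule written for unlabelled content and any domain granted `file_t` access (typically for handling unlabelled disks) gains message-queue access, and vice versa. If the motive is that the old type was never applied to the mount (a missing `fs_use_*` or `genfscon` entry, presumably), fix the labelling rather than merging the types; if the merge is deliberate, document it, `# mqueue_t: aliased to file_t because <reason>; mqueuefs is not separately confined`. The new `capifs_t` follows the normal pattern and looks fine.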
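Review bot: `dontaudit domain selinux_config_t:file { getattr read };` hides, for every domain, reads of the files under /etc/selinux, not just the directory lookup libselinux makes at start-up; a confined service opening `config` or the `contexts/` files is exactly the probe an analyst would want in the audit log. Keep `dontaudit domain selinux_config_t:dir search;`, limit the file rule to what libselinux actually touches (or to `getattr`), and say so in the comment, e.g. `# libselinux stats the config dir on init; reads of the files themselves are not suppressed`.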