--- nsaserefpolicy/policy/modules/system/application.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.5.7/policy/modules/system/application.fc 2007-03-01 11:40:30.000000000 -0500
@@ -0,0 +1 @@
+# No application file contexts.
--- nsaserefpolicy/policy/modules/system/application.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.5.7/policy/modules/system/application.if 2007-03-01 12:02:52.000000000 -0500
@@ -0,0 +1,113 @@
+## Policy for application domains
+
+########################################
+##
+## Make the specified type usable as an application domain.
+##
+##
+##
+## Type to be used as a domain type.
+##
+##
+#
+interface(`application_type',`
+ gen_require(`
+ attribute application_type;
+ ')
+
+ typeattribute $1 application_type;
+
+ # start with basic domain
+ domain_type($1)
+')
+
+########################################
+##
+## Make the specified type usable for files
+## that are exectuables, such as binary programs.
+## This does not include shared libraries.
+##
+##
+##
+## Type to be used for files.
+##
+##
+#
+interface(`application_executable_file',`
+ gen_require(`
+ attribute application_exec_type;
+ ')
+
+ typeattribute $1 application_exec_type;
+
+ corecmd_executable_file($1)
+')
+
+########################################
+##
+## Execute application executables in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`application_exec',`
+ gen_require(`
+ attribute application_exec_type;
+ ')
+
+ can_exec($1, application_exec_type)
+')
+
+########################################
+##
+## Execute all executable files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`application_exec_all',`
+ # Need this dontaudit or command completion fires hundreds of avcs
+ corecmd_dontaudit_exec_all_executables($1)
+ corecmd_exec_bin($1)
+ corecmd_exec_sbin($1)
+ corecmd_exec_shell($1)
+ corecmd_exec_ls($1)
+ corecmd_exec_chroot($1)
+ application_exec($1)
+')
+
+########################################
+##
+## Create a domain which can be started by users
+##
+##
+##
+## Type to be used as a domain.
+##
+##
+##
+##
+## Type of the program to be used as an entry point to this domain.
+##
+##
+#
+interface(`application_domain',`
+
+ application_type($1)
+ application_executable_file($2)
+ domain_entry_file($1,$2)
+ role system_r types $1;
+
+ optional_policy(`
+ ssh_sigchld($1)
+ ssh_rw_stream_sockets($1)
+ ')
+
+')
--- nsaserefpolicy/policy/modules/system/application.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.5.7/policy/modules/system/application.te 2007-03-01 11:57:33.000000000 -0500
@@ -0,0 +1,9 @@
+
+policy_module(application,1.0.0)
+
+# Attribute of user applications
+attribute application_type;
+
+# Executables to be run by user
+attribute application_exec_type;
+
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-02-19 11:32:53.000000000 -0500
+++ serefpolicy-2.5.7/policy/modules/system/selinuxutil.te 2007-03-01 12:03:00.000000000 -0500
@@ -26,11 +24,8 @@ files_type(selinux_config_t) type checkpolicy_t, can_write_binary_policy; -domain_type(checkpolicy_t) -role system_r types checkpolicy_t; - type checkpolicy_exec_t; -domain_entry_file(checkpolicy_t,checkpolicy_exec_t) +application_domain(checkpolicy_t, checkpolicy_exec_t) # # default_context_t is the type applied to
@@ -47,20 +42,15 @@ files_type(file_context_t) type load_policy_t; -domain_type(load_policy_t) -role system_r types load_policy_t; - type load_policy_exec_t; -domain_entry_file(load_policy_t,load_policy_exec_t) +application_domain(load_policy_t,load_policy_exec_t) type newrole_t; +type newrole_exec_t; +application_domain(newrole_t,newrole_exec_t) +domain_interactive_fd(newrole_t) domain_role_change_exemption(newrole_t) domain_obj_id_change_exemption(newrole_t) -domain_type(newrole_t) -domain_interactive_fd(newrole_t) - -type newrole_exec_t; -domain_entry_file(newrole_t,newrole_exec_t) # # policy_config_t is the type of /etc/security/selinux/*
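Review bot: The `optional_policy` block at the end of `application_domain` grants `ssh_sigchld` and `ssh_rw_stream_sockets` to every domain declared through the interface, which widens access for the policy-management domains converted in the selinuxutil.te hunks (checkpolicy_t, load_policy_t, newrole_t, semanage_t, setfiles_t); their removed lines show only `domain_type`, `domain_entry_file` and the role statement. Unless those domains already carry the ssh rules elsewhere in the file, I would keep ssh access out of the generic interface and grant it per domain where it is actually needed. Separately, the summary of `application_exec_all` says "Execute all executable files", but the body only calls the bin, sbin, shell, ls and chroot exec interfaces plus `application_exec` and dontaudits everything else. A summary such as `## Execute common system and application executables; dontaudit execution of all other executable types.` would match the body, and the comment should note that the dontaudit keeps denied exec attempts from these domains out of the AVC log.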
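Review bot: In the `@@ -47,20 +42,15 @@` hunk, `application_domain(newrole_t,newrole_exec_t)` brings in `role system_r types newrole_t;`, which the removed newrole_t lines did not contain (the load_policy_t lines in the same hunk did carry the role statement, so only newrole_t changes). If that association is not declared elsewhere in selinuxutil.te, this is a behaviour change for a domain that holds `domain_role_change_exemption`, and the commit should either state it or avoid it by calling `application_type(newrole_t)`, `application_executable_file(newrole_exec_t)` and `domain_entry_file(newrole_t,newrole_exec_t)` directly. The same question applies to run_init_t in the `@@ -83,30 +73,34 @@` hunk, whose removed lines also show no role statement.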
@@ -83,30 +73,34 @@ type restorecon_exec_t; domain_obj_id_change_exemption(restorecon_t) init_system_domain(restorecon_t,restorecon_exec_t) -role system_r types restorecon_t; +application_type($1) type restorecond_t; type restorecond_exec_t; init_daemon_domain(restorecond_t,restorecond_exec_t) domain_obj_id_change_exemption(restorecond_t) -role system_r types restorecond_t; type restorecond_var_run_t; files_pid_file(restorecond_var_run_t) type run_init_t; type run_init_exec_t; -domain_type(run_init_t) -domain_entry_file(run_init_t,run_init_exec_t) +application_domain(run_init_t) domain_system_change_exemption(run_init_t) type semanage_t; -domain_type(semanage_t) +type semanage_exec_t; +application_domain(semanage_t, semanage_exec_t) domain_interactive_fd(semanage_t) -type semanage_exec_t; -domain_entry_file(semanage_t, semanage_exec_t) -role system_r types semanage_t; +type semanage_gui_t; +type semanage_gui_exec_t; +application_domain(semanage_gui_t, semanage_gui_exec_t) +domain_interactive_fd(semanage_gui_t) + +ifdef(`targeted_policy',` +init_system_domain(semanage_t, semanage_exec_t) +') type semanage_store_t; files_type(semanage_store_t)
@@ -121,12 +115,9 @@ files_type(semanage_trans_lock_t) type setfiles_t, can_relabelto_binary_policy; -domain_obj_id_change_exemption(setfiles_t) -domain_type(setfiles_t) -role system_r types setfiles_t; - type setfiles_exec_t; -domain_entry_file(setfiles_t,setfiles_exec_t) +application_domain(setfiles_t,setfiles_exec_t) +domain_obj_id_change_exemption(setfiles_t) ifdef(`distro_redhat',` init_system_domain(setfiles_t,setfiles_exec_t)
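Review bot: Two of the added calls in the `@@ -83,30 +73,34 @@` hunk are malformed. `application_type($1)` after the restorecon_t declarations uses `$1` outside any interface definition, so there is no argument to substitute; it should read `application_type(restorecon_t)`. `application_domain(run_init_t)` passes one argument to an interface whose body uses `$2` for the entry-point type, which also drops the entry-point rule the removed `domain_entry_file(run_init_t,run_init_exec_t)` provided; it should be `application_domain(run_init_t,run_init_exec_t)`. The hunk also removes `role system_r types` for restorecon_t and restorecond_t with no visible replacement; presumably `init_system_domain` and `init_daemon_domain` supply it, but that is not shown here and is worth confirming.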