diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-2.2.5/policy/modules/admin/alsa.te
--- nsaserefpolicy/policy/modules/admin/alsa.te 2006-01-12 18:28:45.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/admin/alsa.te 2006-01-24 13:48:54.000000000 -0500
@@ -34,6 +34,7 @@
files_read_etc_files(alsa_t)
term_use_generic_pty(alsa_t)
+term_dontaudit_use_unallocated_tty(alsa_t)
libs_use_ld_so(alsa_t)
libs_use_shared_libs(alsa_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-2.2.5/policy/modules/admin/kudzu.te
--- nsaserefpolicy/policy/modules/admin/kudzu.te 2006-01-17 17:08:52.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/admin/kudzu.te 2006-01-24 13:54:24.000000000 -0500
@@ -73,6 +73,7 @@
storage_read_tape_device(kudzu_t)
storage_raw_write_fixed_disk(kudzu_t)
storage_raw_read_fixed_disk(kudzu_t)
+storage_raw_read_removable_device(kudzu_t)
term_search_ptys(kudzu_t)
term_dontaudit_use_console(kudzu_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.fc serefpolicy-2.2.5/policy/modules/admin/prelink.fc
--- nsaserefpolicy/policy/modules/admin/prelink.fc 2006-01-11 18:41:32.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/admin/prelink.fc 2006-01-24 12:45:29.000000000 -0500
@@ -4,3 +4,4 @@
/usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0)
/var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0)
+/var/lib/misc/prelink\.* -- gen_context(system_u:object_r:prelink_cache_t,s0)
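Review bot: The new spec `/var/lib/misc/prelink\.*` matches only the literal name `prelink` followed by zero or more dots, because `\.` is an escaped dot and `*` repeats that one character; file_contexts patterns are anchored, so a cache file such as `prelink.<name>` would not receive prelink_cache_t. The intended pattern is presumably `/var/lib/misc/prelink\..* -- gen_context(system_u:object_r:prelink_cache_t,s0)`, which should be confirmed against the file names prelink actually writes under /var/lib/misc.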
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-2.2.5/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2006-01-13 17:06:02.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/admin/prelink.te 2006-01-24 12:47:49.000000000 -0500
@@ -28,6 +28,7 @@
allow prelink_t prelink_cache_t:file manage_file_perms;
files_filetrans_etc(prelink_t, prelink_cache_t, file)
+files_filetrans_var_lib(prelink_t, prelink_cache_t, file)
allow prelink_t prelink_log_t:dir { setattr rw_dir_perms };
allow prelink_t prelink_log_t:file { create ra_file_perms };
@@ -58,6 +59,7 @@
files_list_all(prelink_t)
files_getattr_all_files(prelink_t)
files_write_non_security_dir(prelink_t)
+files_read_etc_files(prelink_t)
files_read_etc_runtime_files(prelink_t)
fs_getattr_xattr_fs(prelink_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-2.2.5/policy/modules/admin/readahead.te
--- nsaserefpolicy/policy/modules/admin/readahead.te 2006-01-17 17:08:52.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/admin/readahead.te 2006-01-24 16:51:20.000000000 -0500
@@ -27,7 +27,7 @@
kernel_read_kernel_sysctl(readahead_t)
kernel_read_system_state(readahead_t)
-kernel_getattr_core(readahead_t)
+kernel_dontaudit_getattr_core(readahead_t)
dev_read_sysfs(readahead_t)
dev_getattr_generic_chr_file(readahead_t)
@@ -48,6 +48,7 @@
fs_getattr_all_pipes(readahead_t)
fs_getattr_all_files(readahead_t)
fs_search_ramfs(readahead_t)
+fs_read_tmpfs_symlinks(readahead_t)
term_dontaudit_use_console(readahead_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-2.2.5/policy/modules/admin/tmpreaper.te
--- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2006-01-17 17:08:52.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/admin/tmpreaper.te 2006-01-24 12:53:38.000000000 -0500
@@ -44,6 +44,10 @@
cron_system_entry(tmpreaper_t,tmpreaper_exec_t)
+optional_policy(`lpd',`
+ lpd_manage_spool(tmpreaper_t)
+')
+
ifdef(`TODO',`
allow tmpreaper_t { home_type file_t }:notdevfile_class_set { getattr unlink };
')
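Review bot: `lpd_manage_spool(tmpreaper_t)` grants create and write access to the print spool as well as delete, while tmpreaper's job is only to remove stale files, so the grant is wider than the task needs. If the lpd module exposes a narrower interface (search/getattr on spool directories plus unlink on spool files), prefer it; if it does not, add a one-line comment recording why full manage access is required, e.g. `# tmpreaper removes stale lpd spool files; no narrower lpd interface available`.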
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-2.2.5/policy/modules/apps/slocate.te
--- nsaserefpolicy/policy/modules/apps/slocate.te 2006-01-16 13:55:42.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/apps/slocate.te 2006-01-24 13:16:12.000000000 -0500
@@ -34,13 +34,16 @@
corecmd_exec_bin(locate_t)
+libs_use_shared_libs(locate_t)
+libs_use_ld_so(locate_t)
+
files_list_all(locate_t)
files_getattr_all_files(locate_t)
files_read_etc_runtime_files(locate_t)
files_read_etc_files(locate_t)
fs_getattr_xattr_fs(locate_t)
-
+miscfiles_read_localization(locate_t)
optional_policy(`cron',`
cron_system_entry(locate_t, locate_exec_t)
')
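Review bot: The blank line that separated the plain rules from the `optional_policy(`cron'` block was removed and `miscfiles_read_localization(locate_t)` now sits directly against it, which breaks the one-blank-line-between-groups layout the rest of the module uses. Keep a blank line after `miscfiles_read_localization(locate_t)` so the optional block stays visually separate.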
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/bootloader.te serefpolicy-2.2.5/policy/modules/kernel/bootloader.te
--- nsaserefpolicy/policy/modules/kernel/bootloader.te 2006-01-19 10:00:40.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/kernel/bootloader.te 2006-01-24 12:28:24.000000000 -0500
@@ -115,6 +115,7 @@
dev_read_raw_memory(bootloader_t)
fs_getattr_xattr_fs(bootloader_t)
+fs_read_tmpfs_symlinks(bootloader_t)
term_getattr_all_user_ttys(bootloader_t)
term_dontaudit_manage_pty_dir(bootloader_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.5/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2006-01-19 10:00:40.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/kernel/files.if 2006-01-24 12:48:54.000000000 -0500
@@ -354,10 +354,12 @@
attribute file_type;
class dir search;
class file getattr;
+ class lnk_file getattr;
')
allow $1 file_type:dir search;
allow $1 file_type:file getattr;
+ allow $1 file_type:lnk_file getattr;
')
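Review bot: The interface whose body now also grants `lnk_file getattr` starts above this hunk, and its summary (also outside the hunk) presumably still describes it as covering files only; it should be updated to say that symlinks are included as well, since every existing caller silently gains that access. Something like `## Get the attributes of all files and symbolic links` in the summary would keep the documentation honest. The gen_require and allow additions themselves look consistent with each other.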
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.2.5/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2006-01-20 10:02:32.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/kernel/filesystem.if 2006-01-24 13:39:15.000000000 -0500
@@ -2295,6 +2295,23 @@
########################################
##
+## Read tmpfs link files.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`fs_read_tmpfs_symlinks',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ allow $1 tmpfs_t:lnk_file read;
+')
+
+########################################
+##
## Read and write character nodes on tmpfs filesystems.
##
##
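Review bot: `allow $1 tmpfs_t:lnk_file read;` grants `read` only, yet a domain that resolves a tmpfs symlink by path commonly also trips `getattr` on it, which is why the files.if hunk in this same patch adds `lnk_file getattr` separately. `allow $1 tmpfs_t:lnk_file { getattr read };` would match what the five new callers (readahead, bootloader, fsadm, lvm, mount) are likely to need, though the denials that motivated the interface should be checked to confirm.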
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.fc serefpolicy-2.2.5/policy/modules/services/automount.fc
--- nsaserefpolicy/policy/modules/services/automount.fc 2005-12-09 16:09:22.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/services/automount.fc 2006-01-24 11:56:59.000000000 -0500
@@ -14,3 +14,7 @@
#
/var/run/autofs(/.*)? gen_context(system_u:object_r:automount_var_run_t,s0)
+#
+# /misc
+#
+/misc -d gen_context(system_u:object_r:mnt_t,s0)
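Review bot: mnt_t looks like the generic mount-point type rather than an automount-specific type, so labelling /misc from automount.fc means the label is applied only when the automount module is installed; that is presumably intentional (/misc being the conventional automount map directory) but the comment above the entry should say so, e.g. `# /misc: default automount map mountpoint`. The `-d` restriction to the directory itself is appropriate here.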
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.2.5/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2006-01-17 17:08:53.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/services/cups.te 2006-01-24 11:56:59.000000000 -0500
@@ -148,6 +148,7 @@
fs_search_auto_mountpoints(cupsd_t)
term_dontaudit_use_console(cupsd_t)
+term_write_unallocated_ttys(cupsd_t)
auth_domtrans_chk_passwd(cupsd_t)
auth_dontaudit_read_pam_pid(cupsd_t)
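Review bot: `term_write_unallocated_ttys(cupsd_t)` is a real grant that lets the print daemon write to every unallocated tty device, unlike the neighbouring `term_dontaudit_use_console`, and nothing records why. If the motivating case is printers attached to serial tty devices, a comment such as `# serial printers are tty devices` should say so; if the rule only exists to quiet denials, a dontaudit variant is the safer choice.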
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-2.2.5/policy/modules/services/dbus.fc
--- nsaserefpolicy/policy/modules/services/dbus.fc 2005-11-14 18:24:08.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/services/dbus.fc 2006-01-24 11:56:59.000000000 -0500
@@ -1,5 +1,6 @@
/etc/dbus-1(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)
+# Sorting does not work correctly if I combine these next two roles
/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:system_dbusd_exec_t,s0)
-
+/bin/dbus-daemon -- gen_context(system_u:object_r:system_dbusd_exec_t,s0)
/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
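Review bot: The added comment calls the two dbus-daemon entries "roles", but they are file-context entries, which makes the note misleading to the next reader. Suggest `# Keep these two entries separate: merging them into one pattern breaks file_contexts sorting`, which also states the reason rather than leaving it as a first-person remark.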
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-2.2.5/policy/modules/services/procmail.te
--- nsaserefpolicy/policy/modules/services/procmail.te 2006-01-19 10:00:41.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/services/procmail.te 2006-01-24 13:19:41.000000000 -0500
@@ -66,6 +66,7 @@
userdom_priveleged_home_dir_manager(procmail_t)
# Do not audit attempts to access /root.
userdom_dontaudit_search_sysadm_home_dir(procmail_t)
+userdom_dontaudit_search_staff_home_dir(procmail_t)
mta_manage_spool(procmail_t)
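Review bot: The comment `# Do not audit attempts to access /root.` now sits above two dontaudit calls, and the new `userdom_dontaudit_search_staff_home_dir(procmail_t)` is not about /root. Update it to `# Do not audit attempts to access /root or staff home directories.` so the comment covers both rules.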
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.2.5/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2006-01-23 08:26:51.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/services/xserver.if 2006-01-24 11:56:59.000000000 -0500
@@ -6,6 +6,9 @@
#
# Declarations
#
+ gen_require(`
+ type xkb_var_lib_t, xserver_log_t;
+ ')
type $1_xserver_t;
domain_type($1_xserver_t)
@@ -202,6 +205,12 @@
# Declarations
#
+ gen_require(`
+ type xauth_exec_t;
+ type xserver_exec_t;
+ type iceauth_exec_t;
+ ')
+
xserver_common_domain_template($1)
role $3 types $1_xserver_t;
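Review bot: The gen_require block here lists the three types on separate `type` lines, while the one added to the first template in this same file uses a single combined declaration (`type xkb_var_lib_t, xserver_log_t;`). For consistency write it as `type xauth_exec_t, xserver_exec_t, iceauth_exec_t;`. The enclosing template continues outside the hunk.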
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.2.5/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2006-01-19 10:00:41.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/system/authlogin.te 2006-01-24 13:17:33.000000000 -0500
@@ -221,10 +221,6 @@
files_dontaudit_read_root_file(pam_console_t)
')
-optional_policy(`alsa',`
- alsa_domtrans(pam_console_t)
-')
-
optional_policy(`gpm',`
gpm_getattr_gpmctl(pam_console_t)
gpm_setattr_gpmctl(pam_console_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.2.5/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te 2006-01-17 17:08:56.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/system/fstools.te 2006-01-24 13:39:56.000000000 -0500
@@ -81,6 +81,7 @@
# for /dev/shm
fs_search_tmpfs(fsadm_t)
fs_getattr_tmpfs_dir(fsadm_t)
+fs_read_tmpfs_symlinks(fsadm_t)
mls_file_write_down(fsadm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-2.2.5/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te 2006-01-19 10:00:41.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/system/locallogin.te 2006-01-24 13:17:56.000000000 -0500
@@ -210,13 +210,13 @@
usermanage_read_crack_db(local_login_t)
')
+optional_policy(`alsa',`
+ alsa_domtrans(local_login_t)
+')
+
ifdef(`TODO',`
# Login can polyinstantiate
polyinstantiater(local_login_t)
-
-ifdef(`alsa.te', `
-domain_auto_trans($1_login_t, alsa_exec_t, alsa_t)
-')
') dnl endif TODO
#################################
@@ -266,6 +266,10 @@
ifdef(`distro_suse', `define(`sulogin_no_pam')')
ifdef(`distro_debian', `define(`sulogin_no_pam')')
+optional_policy(`nscd',`
+ nscd_use_socket(sulogin_t)
+')
+
ifdef(`sulogin_no_pam', `
allow sulogin_t self:capability sys_tty_config;
init_get_process_group(sulogin_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.2.5/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2006-01-19 10:00:41.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/system/logging.te 2006-01-24 11:56:59.000000000 -0500
@@ -98,10 +98,12 @@
audit_manager_domain(secadm_t)
ifdef(`targeted_policy', `', `
-ifdef(`separate_secadm', `', `
+ifdef(`enable_mls', `
+audit_manager_domain(secadm_t)
+', `
audit_manager_domain(sysadm_t)
-allow auditctl_t admin_tty_type:chr_file rw_file_perms;
')
+allow auditctl_t admin_tty_type:chr_file rw_file_perms;
')
') dnl end TODO
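Review bot: Under `enable_mls` the new branch calls `audit_manager_domain(secadm_t)` although the same call appears two lines above it as unconditional context; unless that earlier call is itself inside an `enable_mls` guard outside the hunk, the new branch is redundant. The closing `') dnl end TODO` also suggests this whole block sits inside an `ifdef(`TODO'` and is therefore not compiled, in which case neither the restructuring nor the moved `allow auditctl_t admin_tty_type:chr_file rw_file_perms;` takes effect until the block leaves TODO; a comment noting that would save the next reader the same check.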
@@ -272,9 +274,6 @@
# Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file create_file_perms;
files_filetrans_pid(syslogd_t,devlog_t,sock_file)
-# cjp: I belive these are not needed:
-allow syslogd_t devlog_t:unix_stream_socket name_bind;
-allow syslogd_t devlog_t:unix_dgram_socket name_bind;
# create/append log files.
allow syslogd_t var_log_t:dir rw_dir_perms;
@@ -325,8 +324,7 @@
corenet_non_ipsec_sendrecv(syslogd_t)
corenet_udp_bind_all_nodes(syslogd_t)
corenet_tcp_bind_syslogd_port(syslogd_t)
-#cjp: why?
-corenet_tcp_connect_rsh_port(syslogd_t)
+corenet_udp_bind_syslogd_port(syslogd_t)
fs_getattr_all_fs(syslogd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-2.2.5/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2006-01-17 17:08:57.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/system/lvm.te 2006-01-24 13:39:43.000000000 -0500
@@ -198,6 +198,7 @@
fs_getattr_xattr_fs(lvm_t)
fs_search_auto_mountpoints(lvm_t)
+fs_read_tmpfs_symlinks(lvm_t)
storage_relabel_fixed_disk(lvm_t)
# LVM creates block devices in /dev/mapper or /dev/
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-2.2.5/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2006-01-13 17:06:08.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/system/modutils.te 2006-01-24 13:41:16.000000000 -0500
@@ -113,6 +113,8 @@
miscfiles_read_localization(insmod_t)
+seutil_read_file_contexts(insmod_t)
+
if( ! secure_mode_insmod ) {
kernel_userland_entry(insmod_t,insmod_exec_t)
}
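Review bot: `seutil_read_file_contexts(insmod_t)` is added with no comment explaining why a module loader needs to read the file_contexts configuration, and it is not obvious from the surrounding rules. Add a one-line why-comment naming the code path or denial that motivated it (e.g. `# needed for: <observed access path>`), so a later audit can tell whether the access is still required.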
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.2.5/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2006-01-17 17:08:57.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/system/mount.te 2006-01-24 12:28:29.000000000 -0500
@@ -46,6 +46,7 @@
fs_relabelfrom_all_fs(mount_t)
fs_search_auto_mountpoints(mount_t)
fs_use_tmpfs_chr_dev(mount_t)
+fs_read_tmpfs_symlinks(mount_t)
term_use_all_terms(mount_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.2.5/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2006-01-23 08:26:51.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/system/userdomain.if 2006-01-24 13:20:21.000000000 -0500
@@ -219,7 +219,7 @@
corecmd_exec_sbin($1_t)
corecmd_exec_ls($1_t)
- domain_exec_all_entry_files($1_t)
+# domain_exec_all_entry_files($1_t)
domain_use_wide_inherit_fd($1_t)
# When the user domain runs ps, there will be a number of access
# denials when ps tries to search /proc. Do not audit these denials.
@@ -533,6 +533,7 @@
typeattribute $1_t unpriv_userdomain;
domain_wide_inherit_fd($1_t)
+ domain_exec_all_entry_files($1_t)
typeattribute $1_devpts_t user_ptynode;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.5/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2006-01-19 10:00:42.000000000 -0500
+++ serefpolicy-2.2.5/policy/modules/system/userdomain.te 2006-01-24 13:52:39.000000000 -0500
@@ -145,6 +145,8 @@
allow sysadm_t user_home_dir_t:dir create_dir_perms;
files_filetrans_home(sysadm_t,user_home_dir_t)
+ corecmd_exec_shell(sysadm_t)
+
mls_process_read_up(sysadm_t)
logging_read_audit_log(sysadm_t)
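Review bot: `corecmd_exec_shell(sysadm_t)` is inserted between the home-directory filetrans rule and the mls/logging rules with no comment and no relation to its neighbours. If it compensates for `domain_exec_all_entry_files` no longer being granted by the base user template (userdomain.if in this patch), say so in a comment, e.g. `# sysadm no longer inherits exec of all entry files from the base template`, and group it with the other corecmd_* rules for sysadm_t.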
@@ -214,6 +216,10 @@
hostname_run(sysadm_t,sysadm_r,admin_terminal)
')
+ optional_policy(`consoletype',`
+ consoletype_exec(sysadm_t)
+ ')
+
optional_policy(`ipsec',`
# allow system administrator to use the ipsec script to look
# at things (e.g., ipsec auto --status)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.2.5/policy/users
--- nsaserefpolicy/policy/users 2006-01-20 10:02:31.000000000 -0500
+++ serefpolicy-2.2.5/policy/users 2006-01-24 11:56:59.000000000 -0500
@@ -27,7 +27,7 @@
gen_user(user_u, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
',`
gen_user(user_u, user_r, s0, s0)
-gen_user(staff_u, staff_r secadm_r sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
+gen_user(staff_u, staff_r ifdef(`enable_mls', `secadm_r') sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
gen_user(sysadm_u, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
')
@@ -41,9 +41,6 @@
ifdef(`targeted_policy',`
gen_user(root, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
',`
- ifdef(`direct_sysadm_daemon',`
- gen_user(root, sysadm_r staff_r secadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
- ',`
- gen_user(root, sysadm_r staff_r secadm_r , s0, s0 - s15:c0.c255, c0.c255)
- ')
+
+ gen_user(root, sysadm_r staff_r ifdef(`enable_mls',`secadm_r') ifdef(`direct_sysadm_daemon',`system_r'), s0, s0 - s15:c0.c255, c0.c255)
')