diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/default_type serefpolicy-2.2.41/config/appconfig-strict-mls/default_type --- nsaserefpolicy/config/appconfig-strict-mls/default_type 2006-01-06 17:55:17.000000000 -0500 +++ serefpolicy-2.2.41/config/appconfig-strict-mls/default_type 2006-05-18 11:41:22.000000000 -0400 @@ -2,3 +2,4 @@ secadm_r:secadm_t staff_r:staff_t user_r:user_t +auditadm_r:auditadm_t diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.2.41/policy/global_tunables --- nsaserefpolicy/policy/global_tunables 2006-05-17 10:54:31.000000000 -0400 +++ serefpolicy-2.2.41/policy/global_tunables 2006-05-18 11:41:22.000000000 -0400 @@ -73,6 +73,14 @@ ## ##

+## Allow nfs servers to modify public files +## used for public file transfer services. +##

+##
+gen_tunable(allow_nfsd_anon_write,false) + +## +##

## Allow java executable stack ##

##
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.2.41/policy/modules/admin/consoletype.te --- nsaserefpolicy/policy/modules/admin/consoletype.te 2006-04-04 18:06:37.000000000 -0400 +++ serefpolicy-2.2.41/policy/modules/admin/consoletype.te 2006-05-18 11:41:22.000000000 -0400 @@ -8,7 +8,12 @@ type consoletype_t; type consoletype_exec_t; -init_domain(consoletype_t,consoletype_exec_t) +#dont transition from initrc +#init_domain(consoletype_t,consoletype_exec_t) +domain_type(consoletype_t) +domain_entry_file(consoletype_t,consoletype_exec_t) +role system_r types consoletype_t; + mls_file_read_up(consoletype_t) mls_file_write_down(consoletype_t) role system_r types consoletype_t; @@ -107,3 +112,12 @@ optional_policy(` userdom_use_unpriv_users_fds(consoletype_t) ') + +optional_policy(` + xen_append_log(consoletype_t) + xen_dontaudit_rw_unix_stream_sockets(consoletype_t) + kernel_read_xen_state(consoletype_t) + kernel_write_xen_state(consoletype_t) + +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-2.2.41/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2006-05-17 10:54:31.000000000 -0400 +++ serefpolicy-2.2.41/policy/modules/admin/prelink.te 2006-05-18 11:41:22.000000000 -0400 @@ -48,6 +48,8 @@ corecmd_mmap_all_executables(prelink_t) corecmd_read_sbin_symlinks(prelink_t) +domain_obj_id_change_exemption(prelink_t) + dev_read_urand(prelink_t) files_list_all(prelink_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/unconfined_execmem.fc serefpolicy-2.2.41/policy/modules/apps/unconfined_execmem.fc --- nsaserefpolicy/policy/modules/apps/unconfined_execmem.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-2.2.41/policy/modules/apps/unconfined_execmem.fc 2006-05-18 11:41:22.000000000 -0400 
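Review bot: The `@@ -8,7 +8,12 @@` hunk of consoletype.te adds `role system_r types consoletype_t;` while the identical statement is still present as context a few lines below, so the role declaration is now duplicated; drop the added copy. The `#dont transition from initrc` comment records what was removed but not why consoletype should now run in the caller's domain, and the same bare comment appears in the hostname.te hunk; a sentence naming the reason (which callers need it to stay in their own domain) would make both changes reviewable later. Keeping `#init_domain(consoletype_t,consoletype_exec_t)` as commented-out code adds nothing once that reason is written down. The xen `optional_policy` block in the `@@ -107,3 +112,12 @@` hunk also has a stray blank line before its closing `')`.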
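Review bot: `domain_obj_id_change_exemption(prelink_t)` in the prelink.te hunk is added without a comment, and an exemption from the object-identity-change constraint is not self-explanatory for a domain that rewrites shared libraries in place. A one-line comment such as `# prelink recreates the libraries it modifies and must keep their original identity (confirm)` would keep the rationale next to the rule, since this exemption relaxes a constraint that applies to every other domain.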
@@ -0,0 +1,3 @@
+/usr/lib/openoffice.org.*/program/.*\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/mplayer -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/unconfined_execmem.if serefpolicy-2.2.41/policy/modules/apps/unconfined_execmem.if
--- nsaserefpolicy/policy/modules/apps/unconfined_execmem.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.2.41/policy/modules/apps/unconfined_execmem.if 2006-05-18 11:41:22.000000000 -0400
@@ -0,0 +1,29 @@
+## Unconfined domain with execmem/execstack privs
+
+########################################
+##
+## Execute the application that requires dexecmem program in the unconfined_execmem domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`unconfined_execmem_domtrans',`
+ ifdef(`targeted_policy',`
+ gen_require(`
+ type unconfined_execmem_t, unconfined_execmem_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domain_auto_trans($1, unconfined_execmem_exec_t, unconfined_execmem_t)
+
+ allow $1 unconfined_execmem_t:fd use;
+ allow unconfined_execmem_t $1:fd use;
+ allow unconfined_execmem_t $1:fifo_file rw_file_perms;
+ allow unconfined_execmem_t $1:process sigchld;
+ ',`
+ errprint(`Warning: $0($1) has no effect in strict policy.'__endline__)
+ ')
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/unconfined_execmem.te serefpolicy-2.2.41/policy/modules/apps/unconfined_execmem.te
--- nsaserefpolicy/policy/modules/apps/unconfined_execmem.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.2.41/policy/modules/apps/unconfined_execmem.te 2006-05-18 11:41:42.000000000 -0400
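Review bot: The summary of `unconfined_execmem_domtrans` in the new unconfined_execmem.if reads "Execute the application that requires dexecmem program in the unconfined_execmem domain", where "dexecmem" is a typo and the sentence does not parse; replace it with `## Execute a program that needs execmem/execstack in the unconfined_execmem domain.` The module header line `## Unconfined domain with execmem/execstack privs` would also be clearer if it stated that this exists so that unconfined_t itself need not be granted execmem, which I infer from the .te hunk but which should be written down. In strict policy the interface only emits a warning, so callers should know the transition silently does nothing there; the summary could say so in one clause.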
@@ -0,0 +1,21 @@ + +policy_module(unconfined_execmem,1.1.2) + +######################################## +# +# Declarations +# + +type unconfined_execmem_t; +type unconfined_execmem_exec_t; +init_system_domain(unconfined_execmem_t,unconfined_execmem_exec_t) + +######################################## +# +# Local policy +# + +ifdef(`targeted_policy',` + allow unconfined_execmem_t self:process { execstack execmem }; + unconfined_domain_noaudit(unconfined_execmem_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.41/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2006-05-12 09:22:08.000000000 -0400 +++ serefpolicy-2.2.41/policy/modules/kernel/files.if 2006-05-18 11:41:22.000000000 -0400 @@ -1882,6 +1882,21 @@ ') ######################################## +# +# files_unlink_boot_flag(domain) +# +# /halt, /.autofsck, etc +# +interface(`files_unlink_boot_flag',` + gen_require(` + type root_t; + ') + + allow $1 root_t:file unlink; +') + + +######################################## ## ## Read files in /etc that are dynamically ## created on boot, such as mtab. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.2.41/policy/modules/kernel/kernel.te --- nsaserefpolicy/policy/modules/kernel/kernel.te 2006-04-29 11:17:34.000000000 -0400 +++ serefpolicy-2.2.41/policy/modules/kernel/kernel.te 2006-05-18 11:41:22.000000000 -0400 @@ -28,6 +28,7 @@ ifdef(`enable_mls',` role secadm_r; + role auditadm_r; ') # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.2.41/policy/modules/kernel/mls.te --- nsaserefpolicy/policy/modules/kernel/mls.te 2006-05-17 10:54:31.000000000 -0400 +++ serefpolicy-2.2.41/policy/modules/kernel/mls.te 2006-05-18 11:41:22.000000000 -0400 
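Review bot: `files_unlink_boot_flag` in the files.if hunk is documented with plain `#` lines, whereas the neighbouring interface (`## Read files in /etc that are dynamically created on boot ...`) and the rest of this file use the `##` summary/param convention the documentation generator reads, so the new interface will be absent from generated docs. Its single rule `allow $1 root_t:file unlink;` permits unlinking any file of type root_t, not only `/halt` and `/.autofsck`, and the summary should say so, e.g. `## Delete boot flag files such as /halt and /.autofsck; note this allows unlinking any root_t file.` There are also two blank lines before the following separator where the file uses one.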
@@ -64,4 +64,5 @@ range_transition kernel_t init_exec_t s0 - s15:c0.c255; range_transition kernel_t lvm_exec_t s0 - s15:c0.c255; range_transition initrc_t setrans_exec_t s15:c0.c255; +range_transition run_init_t initrc_exec_t s0 - s15:c0.c255; ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-2.2.41/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2006-04-26 11:23:32.000000000 -0400 +++ serefpolicy-2.2.41/policy/modules/kernel/terminal.if 2006-05-18 11:41:22.000000000 -0400 @@ -430,7 +430,7 @@ type devpts_t; ') - dontaudit $1 devpts_t:chr_file { getattr read write }; + dontaudit $1 devpts_t:chr_file { getattr read write ioctl }; ') ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.fc serefpolicy-2.2.41/policy/modules/services/amavis.fc --- nsaserefpolicy/policy/modules/services/amavis.fc 2006-03-07 16:19:28.000000000 -0500 +++ serefpolicy-2.2.41/policy/modules/services/amavis.fc 2006-05-18 11:41:22.000000000 -0400 @@ -9,3 +9,4 @@ /var/log/amavisd\.log -- gen_context(system_u:object_r:amavis_var_log_t,s0) /var/run/amavis(/.*)? gen_context(system_u:object_r:amavis_var_run_t,s0) /var/virusmails(/.*)? gen_context(system_u:object_r:amavis_quarantine_t,s0) +/var/spool/amavisd(/.*)? gen_context(system_u:object_r:amavis_spool_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-2.2.41/policy/modules/services/amavis.te --- nsaserefpolicy/policy/modules/services/amavis.te 2006-05-05 16:44:48.000000000 -0400 +++ serefpolicy-2.2.41/policy/modules/services/amavis.te 2006-05-18 11:41:22.000000000 -0400 @@ -31,6 +31,9 @@ type amavis_tmp_t; files_tmp_file(amavis_tmp_t) +type amavis_spool_t; +files_type(amavis_spool_t) + # virus quarantine type amavis_quarantine_t; files_type(amavis_quarantine_t) 
@@ -40,7 +43,7 @@ # amavis local policy # -allow amavis_t self:capability { chown dac_override setgid setuid }; +allow amavis_t self:capability { kill chown dac_override setgid setuid }; dontaudit amavis_t self:capability sys_tty_config; allow amavis_t self:process { signal sigchld signull }; allow amavis_t self:fifo_file rw_file_perms; @@ -70,6 +73,11 @@ files_var_filetrans(amavis_t,amavis_var_lib_t,{ file dir sock_file }) files_var_lib_filetrans(amavis_t,amavis_var_lib_t,file) +# Spool Files +files_spool_filetrans(amavis_t,amavis_spool_t,{ dir file }) +allow amavis_t amavis_spool_t:dir manage_dir_perms; +allow amavis_t amavis_spool_t:file manage_file_perms; + # log files allow amavis_t amavis_var_log_t:file create_file_perms; allow amavis_t amavis_var_log_t:sock_file create_file_perms; @@ -84,6 +92,7 @@ # amavis tries to access /proc/self/stat, /etc/shadow and /root - perl... kernel_dontaudit_list_proc(amavis_t) +kernel_dontaudit_read_system_state(amavis_t) # find perl corecmd_exec_bin(amavis_t) @@ -115,6 +124,7 @@ init_use_fds(amavis_t) init_use_script_ptys(amavis_t) +init_stream_connect_script(amavis_t) libs_use_ld_so(amavis_t) libs_use_shared_libs(amavis_t) @@ -132,10 +142,15 @@ cron_use_system_job_fds(amavis_t) cron_rw_pipes(amavis_t) +kernel_read_kernel_sysctls(amavis_t) + mta_read_config(amavis_t) +term_dontaudit_use_generic_ptys(amavis_t) + optional_policy(` clamav_stream_connect(amavis_t) + clamav_domtrans_clamscan(amavis_t) ') optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-2.2.41/policy/modules/services/bind.te --- nsaserefpolicy/policy/modules/services/bind.te 2006-05-17 16:57:08.000000000 -0400 +++ serefpolicy-2.2.41/policy/modules/services/bind.te 2006-05-18 11:41:22.000000000 -0400 @@ -125,6 +125,8 @@ domain_use_interactive_fds(named_t) +dev_read_urand(named_t) + files_read_etc_files(named_t) files_read_etc_runtime_files(named_t) 
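Review bot: The `@@ -40,7 +43,7 @@` hunk of amavis.te adds the `kill` capability to amavis_t with no comment; the existing `allow amavis_t self:process { signal sigchld signull }` already covers signalling its own domain, and the capability only matters when amavis signals processes running under another uid, so the intended target should be recorded. A comment such as `# kill: amavisd signals helper processes that run under a different uid (confirm which)` above the allow line would let a later reviewer judge whether the capability is still needed.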
@@ -137,6 +139,7 @@ logging_send_syslog_msg(named_t) miscfiles_read_localization(named_t) +miscfiles_read_certs(named_t) sysnet_read_config(named_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-2.2.41/policy/modules/services/bluetooth.te --- nsaserefpolicy/policy/modules/services/bluetooth.te 2006-05-17 10:54:31.000000000 -0400 +++ serefpolicy-2.2.41/policy/modules/services/bluetooth.te 2006-05-18 11:41:22.000000000 -0400 @@ -218,13 +218,14 @@ unconfined_stream_connect(bluetooth_helper_t) - userdom_read_all_users_home_content_files(bluetooth_helper_t) + userdom_manage_generic_user_home_content_files(bluetooth_helper_t) optional_policy(` xserver_stream_connect_xdm(bluetooth_helper_t) xserver_use_xdm_fds(bluetooth_helper_t) xserver_rw_xdm_pipes(bluetooth_helper_t) ') + files_manage_generic_tmp_files(bluetooth_helper_t) ') optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.2.41/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2006-05-04 16:43:40.000000000 -0400 +++ serefpolicy-2.2.41/policy/modules/services/cups.te 2006-05-18 11:41:22.000000000 -0400 @@ -672,6 +672,7 @@ allow cupsd_lpd_t self:fifo_file rw_file_perms; allow cupsd_lpd_t self:tcp_socket connected_stream_socket_perms; allow cupsd_lpd_t self:udp_socket create_socket_perms; +allow cupsd_lpd_t self:netlink_route_socket r_netlink_socket_perms; # for identd # cjp: this should probably only be inetd_child rules? 
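Review bot: The bluetooth.te hunk replaces read access to all users' home content with `userdom_manage_generic_user_home_content_files(bluetooth_helper_t)` and adds `files_manage_generic_tmp_files(bluetooth_helper_t)`, moving the helper from read-only to create/write/delete on user home files and shared tmp files, and neither line carries a comment naming the operation that needs it. A comment such as `# receives transferred files into the user's home and tmp (confirm)` above the first line would make the widening reviewable. `files_manage_generic_tmp_files` is also placed after the xserver `optional_policy` block instead of next to the other bluetooth_helper_t file rules; move it above `optional_policy(` so the block reads as a unit. The enclosing conditional block starts before the hunk.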
@@ -699,6 +700,8 @@ allow cupsd_lpd_t cupsd_rw_etc_t:file r_file_perms; allow cupsd_lpd_t cupsd_rw_etc_t:lnk_file { getattr read }; +cups_stream_connect(cupsd_lpd_t) + kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) kernel_read_network_state(cupsd_lpd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-2.2.41/policy/modules/services/cvs.te --- nsaserefpolicy/policy/modules/services/cvs.te 2006-03-24 11:15:50.000000000 -0500 +++ serefpolicy-2.2.41/policy/modules/services/cvs.te 2006-05-18 11:41:22.000000000 -0400 @@ -8,6 +8,7 @@ type cvs_t; type cvs_exec_t; +corecmd_executable_file(cvs_exec_t) inetd_tcp_service_domain(cvs_t,cvs_exec_t) role system_r types cvs_t; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.2.41/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2006-05-17 10:54:31.000000000 -0400 +++ serefpolicy-2.2.41/policy/modules/services/hal.te 2006-05-18 11:41:22.000000000 -0400 @@ -93,6 +93,7 @@ # hal is now execing pm-suspend files_create_boot_flag(hald_t) files_getattr_all_dirs(hald_t) +files_read_kernel_img(hald_t) fs_getattr_all_fs(hald_t) fs_search_all(hald_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-2.2.41/policy/modules/services/pyzor.fc --- nsaserefpolicy/policy/modules/services/pyzor.fc 2006-05-12 09:22:08.000000000 -0400 +++ serefpolicy-2.2.41/policy/modules/services/pyzor.fc 2006-05-18 11:41:22.000000000 -0400 
@@ -5,3 +5,7 @@ /var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0) /var/log/pyzord.log -- gen_context(system_u:object_r:pyzord_log_t,s0) +ifdef(`strict_policy',` +HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:ROLE_pyzor_home_t,s0) +') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.2.41/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2006-05-17 10:54:31.000000000 -0400 +++ serefpolicy-2.2.41/policy/modules/services/rpc.te 2006-05-18 11:41:22.000000000 -0400 @@ -65,6 +65,8 @@ files_manage_mounttab(rpcd_t) miscfiles_read_certs(rpcd_t) +dev_read_urand(rpcd_t) +dev_read_rand(rpcd_t) seutil_dontaudit_search_config(rpcd_t) @@ -114,6 +116,12 @@ portmap_tcp_connect(nfsd_t) portmap_udp_chat(nfsd_t) +# Access to public_content_t and public_content_rw_t +miscfiles_read_public_files(nfsd_t) +tunable_policy(`allow_nfsd_anon_write',` + miscfiles_manage_public_files(nfsd_t) +') + tunable_policy(`nfs_export_all_rw',` fs_read_noxattr_fs_files(nfsd_t) auth_manage_all_files_except_shadow(nfsd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-2.2.41/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2006-04-28 14:40:40.000000000 -0400 +++ serefpolicy-2.2.41/policy/modules/services/rsync.te 2006-05-18 11:41:22.000000000 -0400 @@ -8,6 +8,7 @@ type rsync_t; type rsync_exec_t; +corecmd_executable_file(rsync_exec_t) init_daemon_domain(rsync_t,rsync_exec_t) role system_r types rsync_t; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.if serefpolicy-2.2.41/policy/modules/services/xfs.if --- nsaserefpolicy/policy/modules/services/xfs.if 2006-02-10 17:05:19.000000000 -0500 +++ serefpolicy-2.2.41/policy/modules/services/xfs.if 2006-05-18 11:41:22.000000000 -0400 
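Review bot: The pyzor.fc hunk labels `HOME_DIR/\.pyzor(/.*)?` as `ROLE_pyzor_home_t`, but the per-role type this expands to must be declared by a per-role template in pyzor.te/pyzor.if, and no such declaration is in this patch; if the template does not already exist, loading the file contexts will fail on an undefined type in strict policy. Either add the template in the same change or state in a comment where the type is declared, e.g. `# ROLE_pyzor_home_t is declared by the per-role template in pyzor.if`. The hunk also appends a trailing blank line the file did not have.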
@@ -41,3 +41,22 @@ allow $1 xfs_tmp_t:sock_file write; allow $1 xfs_t:unix_stream_socket connectto; ') + + +######################################## +## +## Allow the specified domain to execute xfs +## in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`xfs_exec',` + gen_require(` + type xfs_exec_t; + ') + can_exec($1,xfs_exec_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.te serefpolicy-2.2.41/policy/modules/services/xfs.te --- nsaserefpolicy/policy/modules/services/xfs.te 2006-04-04 18:06:38.000000000 -0400 +++ serefpolicy-2.2.41/policy/modules/services/xfs.te 2006-05-18 11:41:22.000000000 -0400 @@ -34,6 +34,7 @@ allow xfs_t xfs_var_run_t:file create_file_perms; allow xfs_t xfs_var_run_t:dir rw_dir_perms; files_pid_filetrans(xfs_t,xfs_var_run_t,file) +xfs_exec(xfs_t) # Bind to /tmp/.font-unix/fs-1. # cjp: I do not believe this has an effect. @@ -49,6 +50,8 @@ term_dontaudit_use_console(xfs_t) +corecmd_list_bin(xfs_t) +corecmd_list_sbin(xfs_t) domain_use_interactive_fds(xfs_t) files_read_etc_files(xfs_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-2.2.41/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2006-04-19 17:43:32.000000000 -0400 +++ serefpolicy-2.2.41/policy/modules/services/xserver.te 2006-05-18 11:41:22.000000000 -0400 @@ -311,6 +311,8 @@ allow xdm_t self:process { execheap execmem }; unconfined_domain(xdm_t) unconfined_domtrans(xdm_t) + userdom_generic_user_home_dir_filetrans_generic_user_home_content(xdm_t, {file dir }) + ') tunable_policy(`use_nfs_home_dirs',` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.2.41/policy/modules/system/hostname.te --- nsaserefpolicy/policy/modules/system/hostname.te 2006-03-02 18:45:56.000000000 -0500 +++ serefpolicy-2.2.41/policy/modules/system/hostname.te 2006-05-18 11:41:22.000000000 -0400 
@@ -8,7 +8,10 @@ type hostname_t; type hostname_exec_t; -init_system_domain(hostname_t,hostname_exec_t) + +#dont transition from initrc +domain_type(hostname_t) +domain_entry_file(hostname_t,hostname_exec_t) role system_r types hostname_t; ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.41/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2006-05-12 16:31:53.000000000 -0400 +++ serefpolicy-2.2.41/policy/modules/system/init.te 2006-05-18 11:41:22.000000000 -0400 @@ -350,6 +350,7 @@ files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) +files_unlink_boot_flag(initrc_t) libs_rw_ld_so_cache(initrc_t) libs_use_ld_so(initrc_t) @@ -374,6 +375,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) +mls_rangetrans_target(initrc_t) modutils_read_module_config(initrc_t) modutils_domtrans_insmod(initrc_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.2.41/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2006-05-17 10:54:31.000000000 -0400 +++ serefpolicy-2.2.41/policy/modules/system/logging.te 2006-05-18 11:41:22.000000000 -0400 @@ -14,10 +14,14 @@ role system_r types auditctl_t; type auditd_etc_t; +ifdef(`enable_mls',`', ` files_security_file(auditd_etc_t) +') type auditd_log_t; +ifdef(`enable_mls',`', ` files_security_file(auditd_log_t) +') type auditd_t; # real declaration moved to mls until diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-2.2.41/policy/modules/system/selinuxutil.fc --- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2006-04-04 18:06:38.000000000 -0400 +++ serefpolicy-2.2.41/policy/modules/system/selinuxutil.fc 2006-05-18 11:41:22.000000000 -0400 
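Review bot: The logging.te hunk wraps `files_security_file(auditd_etc_t)` and `files_security_file(auditd_log_t)` in `ifdef(`enable_mls',`', ...)` so that in MLS builds the audit configuration and logs are no longer security files, with no comment explaining why; the nearby `# real declaration moved to mls until` comment does not cover it. If any `*_all_files`-style interfaces are gated on the security file attribute, dropping it widens which domains can reach the audit data, so the intent, apparently to let the new auditadm_t rather than secadm_t manage them given the userdomain.te hunks, should be recorded, e.g. `# in MLS the audit config and logs are managed by auditadm_t, so they are not security files`, after confirming that reading against the interfaces involved.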
@@ -37,6 +37,8 @@ /usr/sbin/run_init -- gen_context(system_u:object_r:run_init_exec_t,s0) /usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0) /usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0) +/usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0) +/usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0) ifdef(`distro_debian', ` /usr/share/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.2.41/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2006-05-17 10:54:31.000000000 -0400 +++ serefpolicy-2.2.41/policy/modules/system/selinuxutil.te 2006-05-18 11:41:22.000000000 -0400 @@ -447,7 +447,7 @@ logging_send_syslog_msg(restorecond_t) -miscfiles_read_localization(run_init_t) +miscfiles_read_localization(restorecond_t) ################################# # @@ -461,6 +461,8 @@ selinux_compute_relabel_context(run_init_t) selinux_compute_user_contexts(run_init_t) +mls_rangetrans_source(run_init_t) + ifdef(`direct_sysadm_daemon',`',` ifdef(`distro_gentoo',` # Gentoo integrated run_init: @@ -526,6 +528,8 @@ # allow semanage_t self:unix_stream_socket create_stream_socket_perms; +allow semanage_t self:unix_dgram_socket create_socket_perms; +allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; allow semanage_t policy_config_t:file { read write }; @@ -535,10 +539,18 @@ corecmd_exec_bin(semanage_t) corecmd_exec_sbin(semanage_t) +dev_read_urand(semanage_t) + files_read_etc_files(semanage_t) files_read_usr_files(semanage_t) files_list_pids(semanage_t) +logging_send_syslog_msg(semanage_t) + +miscfiles_read_localization(semanage_t) + +selinux_set_boolean(semanage_t) + mls_file_write_down(semanage_t) mls_rangetrans_target(semanage_t) mls_file_read_up(semanage_t) 
@@ -551,8 +563,6 @@ libs_use_shared_libs(semanage_t) libs_use_lib_files(semanage_t) -miscfiles_read_localization(semanage_t) - seutil_search_default_contexts(semanage_t) seutil_manage_file_contexts(semanage_t) seutil_manage_selinux_config(semanage_t) @@ -565,10 +575,12 @@ seutil_get_semanage_trans_lock(semanage_t) seutil_get_semanage_read_lock(semanage_t) +userdom_search_sysadm_home_dirs(semanage_t) + ifdef(`targeted_policy',` # Handle pp files created in homedir and /tmp - files_read_generic_tmp_files(semanage_t) userdom_read_generic_user_home_content_files(semanage_t) + files_read_generic_tmp_files(semanage_t) ') optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.te serefpolicy-2.2.41/policy/modules/system/setrans.te --- nsaserefpolicy/policy/modules/system/setrans.te 2006-05-17 10:54:31.000000000 -0400 +++ serefpolicy-2.2.41/policy/modules/system/setrans.te 2006-05-18 11:41:22.000000000 -0400 @@ -23,7 +23,8 @@ # setrans local policy # -allow setrans_t self:process { setcap signal_perms }; +allow setrans_t self:capability sys_resource; +allow setrans_t self:process { setrlimit setcap signal_perms }; allow setrans_t self:unix_stream_socket create_stream_socket_perms; allow setrans_t self:unix_dgram_socket create_socket_perms; allow setrans_t self:netlink_selinux_socket create_socket_perms; @@ -57,6 +58,7 @@ term_dontaudit_use_generic_ptys(setrans_t) init_use_fds(setrans_t) +init_dontaudit_use_script_ptys(setrans_t) libs_use_ld_so(setrans_t) libs_use_shared_libs(setrans_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-2.2.41/policy/modules/system/sysnetwork.te --- nsaserefpolicy/policy/modules/system/sysnetwork.te 2006-05-17 16:57:08.000000000 -0400 +++ serefpolicy-2.2.41/policy/modules/system/sysnetwork.te 2006-05-18 11:41:22.000000000 -0400 
@@ -249,6 +249,8 @@ optional_policy(` xen_append_log(dhcpc_t) xen_dontaudit_rw_unix_stream_sockets(dhcpc_t) + kernel_read_xen_state(dhcpc_t) + kernel_write_xen_state(dhcpc_t) ') ######################################## @@ -351,4 +353,6 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) + kernel_read_xen_state(ifconfig_t) + kernel_write_xen_state(ifconfig_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.2.41/policy/modules/system/unconfined.te --- nsaserefpolicy/policy/modules/system/unconfined.te 2006-05-17 10:54:31.000000000 -0400 +++ serefpolicy-2.2.41/policy/modules/system/unconfined.te 2006-05-18 11:41:22.000000000 -0400 @@ -107,6 +107,10 @@ ') optional_policy(` + unconfined_execmem_domtrans(unconfined_t) + ') + + optional_policy(` lpd_domtrans_checkpc(unconfined_t) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.41/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2006-05-17 10:54:31.000000000 -0400 +++ serefpolicy-2.2.41/policy/modules/system/userdomain.te 2006-05-18 11:41:22.000000000 -0400 @@ -6,6 +6,7 @@ ifdef(`enable_mls',` role secadm_r; + role auditadm_r; ') ') @@ -67,6 +68,7 @@ # Define some type aliases to help with compatibility with # macros and domains from the "strict" policy. unconfined_alias_domain(secadm_t) + unconfined_alias_domain(auditadm_t) unconfined_alias_domain(sysadm_t) # User home directory type. @@ -82,6 +84,7 @@ # compatibility for switching from strict # dominance { role secadm_r { role system_r; }} +# dominance { role auditadm_r { role system_r; }} # dominance { role sysadm_r { role system_r; }} # dominance { role user_r { role system_r; }} # dominance { role staff_r { role system_r; }} 
@@ -105,8 +108,10 @@ ifdef(`enable_mls',` allow secadm_r system_r; + allow auditadm_r system_r; allow secadm_r user_r; allow staff_r secadm_r; + allow staff_r auditadm_r; ') optional_policy(` @@ -126,9 +131,21 @@ role_change(staff, sysadm) ifdef(`enable_mls',` - admin_user_template(secadm) +# admin_user_template(secadm) +# admin_user_template(auditadm) + unpriv_user_template(secadm) + unpriv_user_template(auditadm) + + role_change(staff,auditadm) role_change(staff,secadm) + role_change(sysadm,secadm) + role_change(sysadm,auditadm) + + role_change(auditadm,secadm) + role_change(auditadm,sysadm) + + role_change(secadm,auditadm) role_change(secadm,sysadm) ') @@ -172,19 +189,33 @@ ') ifdef(`enable_mls',` + allow secadm_t self:capability dac_override; corecmd_exec_shell(secadm_t) mls_process_read_up(secadm_t) + mls_file_read_up(secadm_t) mls_file_write_down(secadm_t) mls_file_upgrade(secadm_t) mls_file_downgrade(secadm_t) init_exec(secadm_t) logging_read_audit_log(secadm_t) - logging_run_auditctl(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t }) userdom_dontaudit_append_staff_home_content_files(secadm_t) - files_relabel_all_files(secadm_t) + auth_relabel_all_files_except_shadow(secadm_t) auth_relabel_shadow(secadm_t) + domain_obj_id_change_exemption(secadm_t) + logging_read_generic_logs(secadm_t) + + seutil_run_runinit(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t }) + domain_kill_all_domains(auditadm_t) + seutil_read_bin_policy(auditadm_t) + corecmd_exec_shell(auditadm_t) + logging_read_generic_logs(auditadm_t) + logging_manage_audit_log(auditadm_t) + logging_manage_audit_config(auditadm_t) + logging_run_auditctl(auditadm_t,auditadm_r,{ auditadm_tty_device_t auditadm_devpts_t }) + logging_run_auditd(auditadm_t, auditadm_r, { auditadm_tty_device_t auditadm_devpts_t }) ', ` - logging_read_audit_log(sysadm_t) + logging_manage_audit_log(sysadm_t) + logging_manage_audit_config(sysadm_t) logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal) ') 
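Review bot: The `@@ -126,9 +131,21 @@` hunk of userdomain.te leaves the replaced `admin_user_template(secadm)` and a never-used `admin_user_template(auditadm)` as commented-out lines above the new `unpriv_user_template` calls; dead code in comments is better deleted and the reason recorded in one line instead, e.g. `# secadm and auditadm are unprivileged templates; their administrative rights are granted explicitly below`. Switching secadm from the admin to the unprivileged template changes what secadm_t can do and deserves that explanation more than the commented lines. The new `role_change` list also allows auditadm to reach sysadm and secadm and vice versa, which extends the existing secadm/sysadm pattern; a short comment on the intended separation-of-duty model would help readers judge it.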
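Review bot: In the `@@ -172,19 +189,33 @@` hunk, `seutil_run_runinit(auditadm_t, ...)` and `domain_kill_all_domains(auditadm_t)` let the new audit administrator run any init script through run_init and signal every domain, which is considerably more than audit management needs and is not commented; if the intent is only to restart auditd, say so (`# auditadm restarts auditd via run_init; note run_init is not limited to the audit service`) and check whether the `logging_run_auditd` line already covers that need. `allow secadm_t self:capability dac_override;` is likewise added without a comment stating which operation required it. The enclosing user-domain section starts before the hunk.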
@@ -248,6 +279,7 @@ ifdef(`enable_mls',` consoletype_exec(secadm_t) + consoletype_exec(auditadm_t) ') ') @@ -266,6 +298,7 @@ ifdef(`enable_mls',` dmesg_exec(secadm_t) + dmesg_exec(auditadm_t) ') ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-2.2.41/policy/modules/system/xen.fc --- nsaserefpolicy/policy/modules/system/xen.fc 2006-05-03 16:01:26.000000000 -0400 +++ serefpolicy-2.2.41/policy/modules/system/xen.fc 2006-05-18 11:41:22.000000000 -0400 @@ -13,5 +13,6 @@ /var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0) /var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0) +/var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0) /var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0) /var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.2.41/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2006-05-03 16:01:26.000000000 -0400 +++ serefpolicy-2.2.41/policy/modules/system/xen.te 2006-05-18 11:41:22.000000000 -0400 @@ -77,7 +77,7 @@ # pid file allow xend_t xend_var_run_t:file manage_file_perms; allow xend_t xend_var_run_t:sock_file manage_file_perms; -allow xend_t xend_var_run_t:dir rw_dir_perms; +allow xend_t xend_var_run_t:dir { setattr rw_dir_perms }; files_pid_filetrans(xend_t,xend_var_run_t, { file sock_file }) # log files @@ -92,6 +92,10 @@ allow xend_t xend_var_lib_t:dir create_dir_perms; files_var_lib_filetrans(xend_t,xend_var_lib_t,{ file dir sock_file }) +optional_policy(` + consoletype_domtrans(xend_t) +') + # transition to store domain_auto_trans(xend_t, xenstored_exec_t, xenstored_t) allow xenstored_t xend_t:fd use; 
@@ -153,8 +157,6 @@ sysnet_delete_dhcpc_pid(xend_t) sysnet_read_dhcpc_pid(xend_t) -consoletype_exec(xend_t) - xen_stream_connect_xenstore(xend_t) ######################################## @@ -180,6 +182,7 @@ term_create_pty(xenconsoled_t,xen_devpts_t); term_dontaudit_use_generic_ptys(xenconsoled_t) +term_use_console(xenconsoled_t) init_use_fds(xenconsoled_t) @@ -198,6 +201,7 @@ allow xenstored_t self:capability { dac_override mknod ipc_lock }; allow xenstored_t self:unix_stream_socket create_stream_socket_perms; +allow xenstored_t self:unix_dgram_socket create_socket_perms; # pid file allow xenstored_t xenstored_var_run_t:file manage_file_perms; @@ -220,12 +224,15 @@ dev_rw_xen(xenstored_t) term_dontaudit_use_generic_ptys(xenstored_t) +term_dontaudit_use_console(xenconsoled_t) init_use_fds(xenstored_t) libs_use_ld_so(xenstored_t) libs_use_shared_libs(xenstored_t) +logging_send_syslog_msg(xenstored_t) + miscfiles_read_localization(xenstored_t) xen_append_log(xenstored_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/rolemap serefpolicy-2.2.41/policy/rolemap --- nsaserefpolicy/policy/rolemap 2006-01-26 15:38:41.000000000 -0500 +++ serefpolicy-2.2.41/policy/rolemap 2006-05-18 11:41:22.000000000 -0400 @@ -15,5 +15,6 @@ ifdef(`enable_mls',` secadm_r secadm secadm_t + auditadm_r auditadm auditadm_t ') ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.2.41/policy/users --- nsaserefpolicy/policy/users 2006-02-15 17:02:30.000000000 -0500 +++ serefpolicy-2.2.41/policy/users 2006-05-18 11:41:22.000000000 -0400 
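Review bot: `term_dontaudit_use_console(xenconsoled_t)` in the `@@ -220,12 +224,15 @@` hunk sits inside the xenstored_t rule block, between `term_dontaudit_use_generic_ptys(xenstored_t)` and `init_use_fds(xenstored_t)`, yet names a different domain, and xenconsoled_t is already granted `term_use_console` in the `@@ -180` hunk, so a dontaudit on the same access for that domain is a no-op. This looks like a copy-paste slip for `term_dontaudit_use_console(xenstored_t)`; confirm which domain produced the denial before changing it.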
@@ -29,7 +29,7 @@ gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255) ',` gen_user(user_u, user, user_r, s0, s0) -gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255) +gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255) gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - s15:c0.c255, c0.c255) ') @@ -44,8 +44,8 @@ gen_user(root, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255) ',` ifdef(`direct_sysadm_daemon',` - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255) + gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255) ',` - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255) + gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - s15:c0.c255, c0.c255) ') ')