Added two new booleans:
- allow_polyinstantiation, which will remove lots of privs if your system does not use it.
- allow_unconfined_execmem_dyntrans: Intel wants to allow ia32el to dynamically transition from unconfined_t to unconfined_execmem_t when running 32 bit applications on ia64 platforms. We do not want this in general, so this boolean turns it off.

On MLS machines we do not want certain user roles to be able to execute some confined domains. So I added a new attribute user_exec_file that designates confined apps that can be executed by user accounts without a dynamic transition.

- Amanda now needs to create directories in amanda_log_t.
- yum-updatesd is marked as rpm_exec_t and needs to dbus to mono apps.
- rpm_scripts needs to be able to run pidof and stuff like that, so needs mcs_ptrace_all and killall.
- sysadm_passwd_t runs nscd apps.
- rhgb executes files in /etc/profile.d.
- vmware requires unconfined_t node_type:rawip_socket node_bind.
- Relabeling of chr_devices for cups in MLS requires relabelto.
- automount wants to manage autofs_t:sym_link.
- Adding support for fuse-encfs although kernel section is broken.
- rhgb needs to setattr on devpts_t.
- automount uses rawip_socket.
- cupsd needs to read hplib_etc_t files/dirs.
- dovecot wants to rewrite utmp file.
- hal wants to be able to create symlinks in /media (ipod for example).
- Additional lpr_exec_t; sorry about not fixing the ones you already added.
- dontaudit nscd_t trying to talk to sysadm_t when run under the covers of useradd.
- rhgb needs access to devpts chr_file.
- rhgb runs consoletype. It also needs siginh on xserver to work properly.
- setroubleshoot needs getsched.
- Began iscsi domain.
- libjavaplugin_ojigcc3 needs textrel.
- auditctl needs to be able to getattr on file systems.
- auditd needs fs_use_all_levels.
- fusermount needs label.
- mdadm wants to rw_dir on mdadm_var_run_t:dir.
- newrole needs multilevel fd.
- semanage_t needs to verify file context.
- setrans needs mls fd access.
- Don't transition to bluetooth_helper from unconfined_t.
- unconfined_t needs to be able to kill and ptrace all apps.
- xend needs to communicate with xserver over tcp (vnc?).
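As an added illustration, not part of this commit or of the selinux-policy sources, the following reference-policy style fragment shows how the two mechanisms described above would be written: a boolean that gates the unconfined_t to unconfined_execmem_t dynamic transition and defaults to off, and an attribute that lets a user domain execute a confined program without a domain transition. The placement in a single .te file, the choice of user_t as the user domain, and the use of lpr_exec_t as the marked executable type are assumptions made for the example.

```m4
## Added example in refpolicy style; assumed layout, not the project's
## own policy source.

## <desc>
## <p>
## Allow unconfined_t to dynamically transition to unconfined_execmem_t
## (wanted only for ia32el on ia64; off by default).
## </p>
## </desc>
gen_tunable(allow_unconfined_execmem_dyntrans, false)

tunable_policy(`allow_unconfined_execmem_dyntrans',`
	# A dynamic transition needs setcurrent on the calling process
	# and dyntransition towards the target domain; with the boolean
	# off neither rule is compiled in, so the transition is denied.
	allow unconfined_t self:process setcurrent;
	allow unconfined_t unconfined_execmem_t:process dyntransition;
')

## Attribute collecting confined programs that user roles may run in
## their own domain (no domain transition), so that on MLS machines a
## user role never enters the corresponding confined domain.
attribute user_exec_file;

# Assumption for illustration: lpr_exec_t is one of the marked types.
typeattribute lpr_exec_t user_exec_file;

# user_t (assumed user domain) may execute the marked files without
# transitioning; can_exec grants read/execute/execute_no_trans and
# deliberately omits any domain_auto_trans to the confined domain.
can_exec(user_t, user_exec_file)
```

After the module is loaded, `getsebool allow_unconfined_execmem_dyntrans` shows the current setting, and a dyntransition denial for unconfined_t in the AVC audit log is the signal that a program on the machine actually depends on the transition this boolean withholds.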