--- nsaserefpolicy/policy/modules/admin/acct.te 2007-05-29 14:10:59.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/admin/acct.te 2007-08-02 10:58:36.000000000 -0400
@@ -9,6 +9,7 @@
 type acct_t;
 type acct_exec_t;
 init_system_domain(acct_t,acct_exec_t)
+application_executable_file(acct_exec_t)
 type acct_data_t;
 logging_log_file(acct_data_t)
--- nsaserefpolicy/policy/modules/admin/netutils.te 2007-07-25 10:37:43.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/admin/netutils.te 2007-08-02 10:58:36.000000000 -0400
@@ -29,6 +29,7 @@
 type traceroute_t;
 type traceroute_exec_t;
 init_system_domain(traceroute_t,traceroute_exec_t)
+application_executable_file(traceroute_exec_t)
 role system_r types traceroute_t;
 ########################################
--- nsaserefpolicy/policy/modules/admin/rpm.te 2007-07-25 10:37:43.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/admin/rpm.te 2007-08-02 10:58:36.000000000 -0400
@@ -9,6 +9,8 @@
 type rpm_t;
 type rpm_exec_t;
 init_system_domain(rpm_t,rpm_exec_t)
+application_executable_file(rpm_exec_t)
+
 domain_obj_id_change_exemption(rpm_t)
 domain_role_change_exemption(rpm_t)
 domain_system_change_exemption(rpm_t)
--- nsaserefpolicy/policy/modules/services/cvs.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/cvs.te 2007-08-02 10:58:36.000000000 -0400
@@ -16,6 +16,7 @@
 type cvs_t;
 type cvs_exec_t;
 inetd_tcp_service_domain(cvs_t,cvs_exec_t)
+application_executable_file(cvs_exec_t)
 role system_r types cvs_t;
 type cvs_data_t; # customizable
--- nsaserefpolicy/policy/modules/services/rsync.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/rsync.te 2007-08-02 10:58:37.000000000 -0400
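Review bot: The added `application_executable_file(acct_exec_t)` line carries no explanation, and the same unexplained line is added for traceroute_exec_t, rpm_exec_t and cvs_exec_t in this chunk and for rsync_exec_t, fsadm_exec_t, lvm_exec_t and mount_exec_t further down. The likely reason is the init.if change below, which stops routing through `application_domain` and so, presumably, no longer makes the entrypoint type an application executable; a one-line comment above each call, such as `# keep the entry point runnable by user domains now that init_system_domain no longer applies application_domain`, would make that dependency visible to the next maintainer. cvs_t and rsync_t are declared through `inetd_tcp_service_domain` and `init_daemon_domain` rather than `init_system_domain`, so unless those interfaces also went through application_domain, for those two the line is a new grant rather than a restoration: every domain given application_exec can then run the cvs and rsync binaries in its own domain without a transition, which deserves its own justification in the commit.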
@@ -17,6 +17,7 @@
 type rsync_t;
 type rsync_exec_t;
 init_daemon_domain(rsync_t,rsync_exec_t)
+application_executable_file(rsync_exec_t)
 role system_r types rsync_t;
 type rsync_data_t;
--- nsaserefpolicy/policy/modules/services/ssh.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/services/ssh.te 2007-08-02 10:58:37.000000000 -0400
@@ -24,7 +24,7 @@
 # Type for the ssh-agent executable.
 type ssh_agent_exec_t;
-files_type(ssh_agent_exec_t)
+application_executable_file(ssh_agent_exec_t)
 # ssh client executable.
 type ssh_exec_t;
--- nsaserefpolicy/policy/modules/system/application.if 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/system/application.if 2007-08-02 10:58:37.000000000 -0400
@@ -63,6 +63,26 @@
 ########################################
 ##
+## Execute all executable files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`application_exec_all',`
+ # Need this dontaudit or command completion fires hundreds of avcs
+ corecmd_dontaudit_exec_all_executables($1)
+ corecmd_exec_bin($1)
+ corecmd_exec_shell($1)
+ corecmd_exec_chroot($1)
+ application_exec($1)
+')
+
+########################################
+##
 ## Create a domain which can be started by users
 ##
 ##
--- nsaserefpolicy/policy/modules/system/fstools.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/system/fstools.te 2007-08-02 10:58:37.000000000 -0400
@@ -9,6 +9,7 @@
 type fsadm_t;
 type fsadm_exec_t;
 init_system_domain(fsadm_t,fsadm_exec_t)
+application_executable_file(fsadm_exec_t)
 role system_r types fsadm_t;
 type fsadm_log_t;
--- nsaserefpolicy/policy/modules/system/init.if 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/system/init.if 2007-08-02 10:58:37.000000000 -0400
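Review bot: The summary `Execute all executable files.` on the new `application_exec_all` interface understates what it grants: the body allows execute of bin, shell and chroot executables plus everything in `application_exec`, and dontaudits execute attempts on every other executable type, so a caller reading only the summary will not see that chroot is included or that denials are being hidden. Suggest `## Execute all application, bin, shell and chroot executables; dontaudits execute on every other executable type so shell command completion does not flood the audit log.` as the summary. `corecmd_exec_chroot($1)` is the one call in the bundle that is not obviously implied by the interface name; either drop it from a general-purpose interface or add `# chroot included so user shells can run chroot(8) in their own domain` (or whatever the actual reason is) above it.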
@@ -194,9 +194,13 @@
 gen_require(`
 type initrc_t;
 role system_r;
+ attribute daemon;
 ')
- application_domain($1,$2)
+ domain_type($1)
+ domain_entry_file($1,$2)
+
+ typeattribute $1 daemon;
 role system_r types $1;
--- nsaserefpolicy/policy/modules/system/lvm.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/system/lvm.te 2007-08-02 10:58:37.000000000 -0400
@@ -16,6 +16,7 @@
 type lvm_t;
 type lvm_exec_t;
 init_system_domain(lvm_t,lvm_exec_t)
+application_executable_file(lvm_exec_t)
 # needs privowner because it assigns the identity system_u to device nodes
 # but runs as the identity of the sysadmin
 domain_obj_id_change_exemption(lvm_t)
--- nsaserefpolicy/policy/modules/system/mount.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/system/mount.te 2007-08-02 10:58:37.000000000 -0400
@@ -16,19 +23,21 @@
 type mount_t;
 type mount_exec_t;
 init_system_domain(mount_t,mount_exec_t)
+application_executable_file(mount_exec_t)
 role system_r types mount_t;
+typealias mount_t alias mount_ntfs_t;
+typealias mount_exec_t alias mount_ntfs_exec_t;
+
 type mount_loopback_t; # customizable
 files_type(mount_loopback_t)
 type mount_tmp_t;
 files_tmp_file(mount_tmp_t)
-# causes problems with interfaces when
-# this is optionally declared in monolithic
-# policy--duplicate type declaration
 type unconfined_mount_t;
 application_domain(unconfined_mount_t,mount_exec_t)
+role system_r types unconfined_mount_t;
 ########################################
 #
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-07-03 07:06:32.000000000 -0400
+++ serefpolicy-3.0.5/policy/modules/system/userdomain.if 2007-08-02 10:58:37.000000000 -0400
@@ -62,6 +62,10 @@
 allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };
+ application_exec_all($1_t)
+
+ auth_use_nsswitch($1_t)
+
 kernel_read_kernel_sysctls($1_t)
 kernel_dontaudit_list_unlabeled($1_t)
 kernel_dontaudit_getattr_unlabeled_files($1_t)
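Review bot: Replacing `application_domain($1,$2)` with `domain_type($1)` and `domain_entry_file($1,$2)` drops whatever application_domain applied beyond those two calls — presumably the entrypoint type's membership in the application executable attribute, which is why this patch adds `application_executable_file` to acct, netutils, rpm, fstools, lvm and mount — but every other caller of this interface, in-tree or in third-party modules, loses that silently with no build error. The interface's header is outside the hunk, so I cannot confirm it is init_system_domain; whichever it is, its doc block should say so explicitly, e.g. `## Unlike application_domain(), this does not mark the entry point as an application executable; call application_executable_file() on it where user domains must run it directly.` The new `gen_require` of `attribute daemon;` also makes this interface depend on wherever that attribute is declared (init.te, presumably), which is worth a one-line comment next to the require.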
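Review bot: The three-line comment explaining why `unconfined_mount_t` is declared unconditionally (duplicate type declarations when it sits in an optional block in monolithic policy) is removed, but nothing in the hunk changes that declaration, so the reason it must stay unconditional is lost for the next maintainer; keep the comment, or replace it with one stating why the concern no longer applies. The two `typealias` lines for mount_ntfs_t and mount_ntfs_exec_t are likewise uncommented; if they exist so that file contexts or other modules naming mount_ntfs_* keep working, say so: `# compatibility aliases: mount_ntfs_* merged into mount_*`. The hunk header's new-side offset (+23 against -16) implies an earlier hunk in mount.te that is not in this chunk.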
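Review bot: `application_exec_all($1_t)` and `auth_use_nsswitch($1_t)` are added to what looks like the base user template (the enclosing template starts outside the hunk), so every user domain derived from it — including any deliberately restricted one — gains execute on all application, bin, shell and chroot executables plus nsswitch lookups unconditionally. If restricted user domains are meant to get a narrower set, these calls belong in the unprivileged/privileged layers rather than the base; if the base is intended, a comment recording that decision, e.g. `# every user domain may run any application executable and resolve names via nsswitch`, keeps later readers from treating it as accidental. The previous grant for user domains is not visible here, so whether this widens or merely restates existing access is something the commit message should state.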