diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 530ba5c3..aa940d01 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -8,6 +8,7 @@
 fetchmail
 openct
 readahead
+ slrnpull
 smartmon
 sysstat
 vbetool (Dan Walsh)
diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te
index 976192da..5f151a8a 100644
--- a/refpolicy/policy/modules/admin/logrotate.te
+++ b/refpolicy/policy/modules/admin/logrotate.te
@@ -1,5 +1,5 @@
-policy_module(logrotate,1.1.0)
+policy_module(logrotate,1.1.1)
 ########################################
 #
@@ -180,6 +180,10 @@ optional_policy(`nscd',`
 nscd_use_socket(logrotate_t)
 ')
+optional_policy(`slrnpull',`
+ slrnpull_manage_spool(logrotate_t)
+')
+
 optional_policy(`squid',`
 # cjp: why?
 squid_domtrans(logrotate_t)
diff --git a/refpolicy/policy/modules/services/slrnpull.fc b/refpolicy/policy/modules/services/slrnpull.fc
new file mode 100644
index 00000000..1714ce0e
--- /dev/null
+++ b/refpolicy/policy/modules/services/slrnpull.fc
@@ -0,0 +1,10 @@
+#
+# /usr
+#
+
+/usr/bin/slrnpull -- gen_context(system_u:object_r:slrnpull_exec_t,s0)
+
+#
+# /var
+#
+/var/spool/slrnpull(/.*)? gen_context(system_u:object_r:slrnpull_spool_t,s0)
diff --git a/refpolicy/policy/modules/services/slrnpull.if b/refpolicy/policy/modules/services/slrnpull.if
new file mode 100644
index 00000000..4e1d944d
--- /dev/null
+++ b/refpolicy/policy/modules/services/slrnpull.if
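Review bot: `slrnpull_manage_spool(logrotate_t)` in the new optional_policy block gives logrotate create, unlink and rename on every directory, file and symlink under slrnpull_spool_t, which is broader than rotating one log file needs. Presumably this is because slrnpull keeps its log inside the spool rather than under /var/log (slrnpull.te declares slrnpull_log_t, yet slrnpull.fc maps no path to it) — if so, record that where the grant is made, in the same spirit as the neighbouring squid block's `# cjp: why?`, e.g. `# slrnpull keeps its log under its spool, so logrotate must write there`. The nscd block whose closing `')` opens this hunk, and the rest of logrotate.te, continue outside the hunk.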
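Review bot: slrnpull.fc labels only the executable and the spool tree, while slrnpull.te also declares slrnpull_var_run_t and slrnpull_log_t; with no path mapped to them, those types are reached only through the files_create_pid and logging_create_log transitions, and a filesystem relabel would not reproduce them. If slrnpull really writes a pid file, add the matching entry (constructed example, path to be confirmed against the program: `/var/run/slrnpull\.pid -- gen_context(system_u:object_r:slrnpull_var_run_t,s0)`); if it does not, the unused type declarations in slrnpull.te are what should go. I cannot tell from this page which of the two applies.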
@@ -0,0 +1,38 @@
+## Service for downloading news feeds the slrn newsreader.
+
+########################################
+##
+## Allow the domain to search slrnpull spools.
+##
+##
+## domain allowed access
+##
+#
+interface(`slrnpull_search_spool',`
+ gen_require(`
+ type slrnpull_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 slrnpull_spool_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Allow the domain to create, read,
+## write, and delete slrnpull spools.
+##
+##
+## domain allowed access
+##
+#
+interface(`slrnpull_manage_spool',`
+ gen_require(`
+ type slrnpull_spool_t;
+ ')
+
+ files_search_spool($1)
+ allow $1 slrnpull_spool_t:dir create_dir_perms;
+ allow $1 slrnpull_spool_t:file create_file_perms;
+ allow $1 slrnpull_spool_t:lnk_file create_lnk_perms;
+')
diff --git a/refpolicy/policy/modules/services/slrnpull.te b/refpolicy/policy/modules/services/slrnpull.te
new file mode 100644
index 00000000..f1e84d8c
--- /dev/null
+++ b/refpolicy/policy/modules/services/slrnpull.te
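Review bot: The module summary on the first added line, `## Service for downloading news feeds the slrn newsreader.`, is missing a word; `## Service for downloading news feeds for the slrn newsreader.` reads correctly. The two interface descriptions also say "spools" while each grant covers the single slrnpull_spool_t tree, so `## Allow the domain to search the slrnpull spool.` (and the matching wording in slrnpull_manage_spool) would be more precise. Note that nothing in this commit lets a caller read spool files without taking the full manage set; a read-only interface will likely be wanted as soon as a consumer of the feed is confined.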
@@ -0,0 +1,87 @@
+
+policy_module(slrnpull,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type slrnpull_t;
+type slrnpull_exec_t;
+init_daemon_domain(slrnpull_t,slrnpull_exec_t)
+
+type slrnpull_var_run_t;
+files_pid_file(slrnpull_var_run_t)
+
+type slrnpull_spool_t;
+files_type(slrnpull_spool_t)
+
+type slrnpull_log_t;
+logging_log_file(slrnpull_log_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit slrnpull_t self:capability sys_tty_config;
+allow slrnpull_t self:process signal_perms;
+
+allow slrnpull_t slrnpull_log_t:file create_file_perms;
+logging_create_log(slrnpull_t,slrnpull_log_t)
+
+allow slrnpull_t slrnpull_spool_t:dir rw_dir_perms;
+allow slrnpull_t slrnpull_spool_t:dir create_dir_perms;
+allow slrnpull_t slrnpull_spool_t:file create_file_perms;
+allow slrnpull_t slrnpull_spool_t:lnk_file create_lnk_perms;
+files_search_spool(slrnpull_t)
+
+allow slrnpull_t slrnpull_var_run_t:file create_file_perms;
+allow slrnpull_t slrnpull_var_run_t:dir rw_dir_perms;
+files_create_pid(slrnpull_t,slrnpull_var_run_t)
+
+kernel_list_proc(slrnpull_t)
+kernel_read_kernel_sysctl(slrnpull_t)
+kernel_read_proc_symlinks(slrnpull_t)
+
+dev_read_sysfs(slrnpull_t)
+
+domain_use_wide_inherit_fd(slrnpull_t)
+
+files_read_etc_files(slrnpull_t)
+
+fs_getattr_all_fs(slrnpull_t)
+fs_search_auto_mountpoints(slrnpull_t)
+
+term_dontaudit_use_console(slrnpull_t)
+
+init_use_fd(slrnpull_t)
+init_use_script_pty(slrnpull_t)
+
+libs_use_ld_so(slrnpull_t)
+libs_use_shared_libs(slrnpull_t)
+
+logging_send_syslog_msg(slrnpull_t)
+
+miscfiles_read_localization(slrnpull_t)
+
+userdom_dontaudit_use_unpriv_user_fd(slrnpull_t)
+userdom_dontaudit_search_sysadm_home_dir(slrnpull_t)
+
+ifdef(`targeted_policy',`
+ files_dontaudit_read_root_file(slrnpull_t)
+ term_dontaudit_use_unallocated_tty(slrnpull_t)
+ term_dontaudit_use_generic_pty(slrnpull_t)
+')
+
+optional_policy(`cron',`
+ cron_system_entry(slrnpull_t,slrnpull_exec_t)
+')
+
+optional_policy(`selinuxutil',`
+ seutil_sigchld_newrole(slrnpull_t)
+')
+
+optional_policy(`udev',`
+ udev_read_db(slrnpull_t)
+')
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 53d45a34..ca5e45d6 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -424,6 +424,10 @@ template(`base_user_template',`
 samba_connect_winbind($1_t)
 ')
+ optional_policy(`slrnpull',`
+ slrnpull_search_spool($1_t)
+ ')
+
 optional_policy(`squid',`
 squid_use($1_t)
 ')
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 2c8bab21..8f30f4b1 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain,1.1.0)
+policy_module(userdomain,1.1.1)
 gen_require(`
 role sysadm_r, staff_r, user_r;
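Review bot: `allow slrnpull_t slrnpull_spool_t:dir rw_dir_perms;` is redundant with the `allow slrnpull_t slrnpull_spool_t:dir create_dir_perms;` rule directly below it — refpolicy's create_dir_perms set is a superset of rw_dir_perms — so the first of the two can be dropped. More importantly, the local policy contains no corenet_*, sysnet_* or socket rule at all, yet the module summary in slrnpull.if describes a program that downloads news feeds; unless the transfer happens through something not visible on this page, the domain will be denied its network access on first use, so this should be checked against a live fetch before it ships rather than left for the AVC denials to reveal. The pid-file and log rules are fine as transitions, but note that slrnpull.fc maps no path to slrnpull_var_run_t or slrnpull_log_t, so only the transition ever assigns those labels. The hunk begins on the preceding physical line of the page.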
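Review bot: `slrnpull_search_spool($1_t)` grants only dir search on slrnpull_spool_t, so every domain generated by base_user_template can traverse the slrnpull spool but neither list it nor read the articles in it. If the aim is to let users' newsreaders consume the pulled feed, this call site needs a read interface (directory list plus file read, not the manage set logrotate receives elsewhere in this commit); if the aim is traversal only, a one-line comment stating that would keep the next reader from widening it. Since the grant applies to every user domain unconditionally, it is also worth considering whether it belongs behind a tunable as other optional per-user grants in refpolicy are. The enclosing `template(`base_user_template',`` begins outside the hunk.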