diff --git a/docs/macro_conversion_guide b/docs/macro_conversion_guide
index 4e0391d3..cebb782a 100644
--- a/docs/macro_conversion_guide
+++ b/docs/macro_conversion_guide
@@ -576,6 +576,15 @@ allow $1 $2:unix_stream_socket connectto;
#
allow $1 $2:unix_dgram_socket sendto;
+#
+# can_winbind():
+#
+ifdef(`winbind.te', `
+allow $1 winbind_var_run_t:dir { getattr search };
+allow $1 winbind_t:unix_stream_socket connectto;
+allow $1 winbind_var_run_t:sock_file { getattr read write };
+')
+
#
# can_ypbind(): complete
#
diff --git a/refpolicy/policy/mcs b/refpolicy/policy/mcs
index c23f172d..5af2fc17 100644
--- a/refpolicy/policy/mcs
+++ b/refpolicy/policy/mcs
@@ -147,13 +147,141 @@ category c124;
category c125;
category c126;
category c127;
+category c128;
+category c129;
+category c130;
+category c131;
+category c132;
+category c133;
+category c134;
+category c135;
+category c136;
+category c137;
+category c138;
+category c139;
+category c140;
+category c141;
+category c142;
+category c143;
+category c144;
+category c145;
+category c146;
+category c147;
+category c148;
+category c149;
+category c150;
+category c151;
+category c152;
+category c153;
+category c154;
+category c155;
+category c156;
+category c157;
+category c158;
+category c159;
+category c160;
+category c161;
+category c162;
+category c163;
+category c164;
+category c165;
+category c166;
+category c167;
+category c168;
+category c169;
+category c170;
+category c171;
+category c172;
+category c173;
+category c174;
+category c175;
+category c176;
+category c177;
+category c178;
+category c179;
+category c180;
+category c181;
+category c182;
+category c183;
+category c184;
+category c185;
+category c186;
+category c187;
+category c188;
+category c189;
+category c190;
+category c191;
+category c192;
+category c193;
+category c194;
+category c195;
+category c196;
+category c197;
+category c198;
+category c199;
+category c200;
+category c201;
+category c202;
+category c203;
+category c204;
+category c205;
+category c206;
+category c207;
+category c208;
+category c209;
+category c210;
+category c211;
+category c212;
+category c213;
+category c214;
+category c215;
+category c216;
+category c217;
+category c218;
+category c219;
+category c220;
+category c221;
+category c222;
+category c223;
+category c224;
+category c225;
+category c226;
+category c227;
+category c228;
+category c229;
+category c230;
+category c231;
+category c232;
+category c233;
+category c234;
+category c235;
+category c236;
+category c237;
+category c238;
+category c239;
+category c240;
+category c241;
+category c242;
+category c243;
+category c244;
+category c245;
+category c246;
+category c247;
+category c248;
+category c249;
+category c250;
+category c251;
+category c252;
+category c253;
+category c254;
+category c255;
#
# Each MCS level specifies a sensitivity and zero or more categories which may
# be associated with that sensitivity.
#
-level s0:c0.c127;
+level s0:c0.c255;
#
# Define the MCS policy
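Review bot: Raising the only defined level from `s0:c0.c127` to `s0:c0.c255` silently widens what "system high" means for every context string in the tree, yet the only consumers updated in this commit are the new `range_transition` rules in `mls.te`; any `users`, `seusers`, `default_contexts`, `file_contexts` or initial-SID entries that still spell out `c0.c127` (none are visible here) will now describe a clearance below system high and should be changed in the same commit. A one-line comment above the level, `# system high is s0:c0.c255; keep users/seusers/default_contexts in sync`, would record the coupling for the next person who grows the category count. If the c127 strings are only generated from this file, say so in the commit message.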
@@ -201,9 +329,23 @@ level s0:c0.c127;
#
# Only files are constrained by MCS at this stage.
#
-mlsconstrain file { read write setattr append unlink link rename
+mlsconstrain file { write setattr append unlink link rename
create ioctl lock execute } (h1 dom h2);
+mlsconstrain file { read } ((h1 dom h2) or
+ ( t1 == mlsfileread ));
+
+
+# new file labels must be dominated by the relabeling subject clearance
+mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom relabelto }
+ ( h1 dom h2 );
+
+define(`nogetattr_file_perms', `{ create ioctl read lock write setattr append
+link unlink rename relabelfrom relabelto }')
+
+define(`nogetattr_dir_perms', `{ create read lock setattr ioctl link unlink
+rename search add_name remove_name reparent write rmdir relabelfrom
+relabelto }')
# XXX
#
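Review bot: The new `mlsconstrain file { read } ((h1 dom h2) or ( t1 == mlsfileread ))` lets any type carrying the `mlsfileread` attribute read a file regardless of its category set, and nothing here says so or says where the attribute is declared; this file cannot `gen_require`, so the attribute must already exist in the base (presumably earlier in `policy/modules/kernel/mls.te`, which is not visible), and I would add `# types in mlsfileread bypass category dominance for file read (MCS read-up override)` directly above the rule. The relabel comment describes only the new label, but the constraint applies `h1 dom h2` to `relabelfrom` as well, so `# both the old (relabelfrom) and new (relabelto) label must be dominated by the subject's clearance` is the accurate wording. The `nogetattr_file_perms` / `nogetattr_dir_perms` defines are not referenced by anything in this hunk and sit inside a constraint file; either a comment naming what consumes them or moving them to the permission-set macros would keep this file about constraints only.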
diff --git a/refpolicy/policy/mls b/refpolicy/policy/mls
index 45b15f01..dc1ab872 100644
--- a/refpolicy/policy/mls
+++ b/refpolicy/policy/mls
@@ -15,12 +15,17 @@ sensitivity s6;
sensitivity s7;
sensitivity s8;
sensitivity s9;
-
+sensitivity s10;
+sensitivity s11;
+sensitivity s12;
+sensitivity s13;
+sensitivity s14;
+sensitivity s15;
#
# Define the ordering of the sensitivity levels (least to greatest)
#
-dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 }
+dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 }
#
@@ -156,22 +161,156 @@ category c124;
category c125;
category c126;
category c127;
+category c128;
+category c129;
+category c130;
+category c131;
+category c132;
+category c133;
+category c134;
+category c135;
+category c136;
+category c137;
+category c138;
+category c139;
+category c140;
+category c141;
+category c142;
+category c143;
+category c144;
+category c145;
+category c146;
+category c147;
+category c148;
+category c149;
+category c150;
+category c151;
+category c152;
+category c153;
+category c154;
+category c155;
+category c156;
+category c157;
+category c158;
+category c159;
+category c160;
+category c161;
+category c162;
+category c163;
+category c164;
+category c165;
+category c166;
+category c167;
+category c168;
+category c169;
+category c170;
+category c171;
+category c172;
+category c173;
+category c174;
+category c175;
+category c176;
+category c177;
+category c178;
+category c179;
+category c180;
+category c181;
+category c182;
+category c183;
+category c184;
+category c185;
+category c186;
+category c187;
+category c188;
+category c189;
+category c190;
+category c191;
+category c192;
+category c193;
+category c194;
+category c195;
+category c196;
+category c197;
+category c198;
+category c199;
+category c200;
+category c201;
+category c202;
+category c203;
+category c204;
+category c205;
+category c206;
+category c207;
+category c208;
+category c209;
+category c210;
+category c211;
+category c212;
+category c213;
+category c214;
+category c215;
+category c216;
+category c217;
+category c218;
+category c219;
+category c220;
+category c221;
+category c222;
+category c223;
+category c224;
+category c225;
+category c226;
+category c227;
+category c228;
+category c229;
+category c230;
+category c231;
+category c232;
+category c233;
+category c234;
+category c235;
+category c236;
+category c237;
+category c238;
+category c239;
+category c240;
+category c241;
+category c242;
+category c243;
+category c244;
+category c245;
+category c246;
+category c247;
+category c248;
+category c249;
+category c250;
+category c251;
+category c252;
+category c253;
+category c254;
+category c255;
#
# Each MLS level specifies a sensitivity and zero or more categories which may
# be associated with that sensitivity.
#
-level s0:c0.c127;
-level s1:c0.c127;
-level s2:c0.c127;
-level s3:c0.c127;
-level s4:c0.c127;
-level s5:c0.c127;
-level s6:c0.c127;
-level s7:c0.c127;
-level s8:c0.c127;
-level s9:c0.c127;
+level s0:c0.c255;
+level s1:c0.c255;
+level s2:c0.c255;
+level s3:c0.c255;
+level s4:c0.c255;
+level s5:c0.c255;
+level s6:c0.c255;
+level s7:c0.c255;
+level s8:c0.c255;
+level s9:c0.c255;
+level s10:c0.c255;
+level s11:c0.c255;
+level s12:c0.c255;
+level s13:c0.c255;
+level s14:c0.c255;
+level s15:c0.c255;
#
diff --git a/refpolicy/policy/modules/admin/anaconda.te b/refpolicy/policy/modules/admin/anaconda.te
index 107b339b..b9883817 100644
--- a/refpolicy/policy/modules/admin/anaconda.te
+++ b/refpolicy/policy/modules/admin/anaconda.te
@@ -48,10 +48,6 @@ optional_policy(`usermanage.te',`
')
ifdef(`TODO',`
-optional_policy(`su.te',`
- role system_r types sysadm_su_t;
- domain_auto_trans(anaconda_t, su_exec_t, sysadm_su_t)
-')
optional_policy(`ssh.te',`
role system_r types sysadm_ssh_agent_t;
domain_auto_trans(anaconda_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
diff --git a/refpolicy/policy/modules/admin/kudzu.te b/refpolicy/policy/modules/admin/kudzu.te
index caa4615d..f13f83be 100644
--- a/refpolicy/policy/modules/admin/kudzu.te
+++ b/refpolicy/policy/modules/admin/kudzu.te
@@ -104,6 +104,7 @@ libs_read_lib(kudzu_t)
logging_send_syslog_msg(kudzu_t)
+miscfiles_read_hwdata(kudzu_t)
miscfiles_read_localization(kudzu_t)
modutils_read_module_conf(kudzu_t)
diff --git a/refpolicy/policy/modules/admin/logrotate.if b/refpolicy/policy/modules/admin/logrotate.if
index 57aa956f..a97588cf 100644
--- a/refpolicy/policy/modules/admin/logrotate.if
+++ b/refpolicy/policy/modules/admin/logrotate.if
@@ -11,9 +11,6 @@
interface(`logrotate_domtrans',`
gen_require(`
type logrotate_t, logrotate_exec_t;
- class process sigchld;
- class fd use;
- class fifo_file rw_file_perms;
')
domain_auto_trans($1,logrotate_exec_t,logrotate_t)
@@ -42,7 +39,6 @@ interface(`logrotate_domtrans',`
interface(`logrotate_run',`
gen_require(`
type logrotate_t;
- class chr_file rw_term_perms;
')
logrotate_domtrans($1)
@@ -66,6 +62,22 @@ interface(`logrotate_exec',`
can_exec($1,logrotate_exec_t)
')
+########################################
+##
+## Inherit and use logrotate file descriptors.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`logrotate_use_fd',`
+ gen_require(`
+ type logrotate_t;
+ ')
+
+ allow $1 logrotate_t:fd use;
+')
+
########################################
##
## Do not audit attempts to inherit logrotate file descriptors.
@@ -77,7 +89,6 @@ interface(`logrotate_exec',`
interface(`logrotate_dontaudit_use_fd',`
gen_require(`
type logrotate_t;
- class fd use;
')
dontaudit $1 logrotate_t:fd use;
@@ -94,7 +105,6 @@ interface(`logrotate_dontaudit_use_fd',`
interface(`logrotate_read_tmp_files',`
gen_require(`
type logrotate_tmp_t;
- class file r_file_perms;
')
files_search_tmp($1)
diff --git a/refpolicy/policy/modules/admin/su.if b/refpolicy/policy/modules/admin/su.if
index d5526ee3..2b1a7c52 100644
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@@ -28,174 +28,170 @@
##
#
template(`su_per_userdomain_template',`
- # in optional since loadable modules do not natively
- # support per-userdomain templates yet.
- optional_policy(`su.te',`
- gen_require(`
- type su_exec_t;
- ')
-
- type $1_su_t;
- domain_entry_file($1_su_t,su_exec_t)
- domain_type($1_su_t)
- domain_role_change_exempt($1_su_t)
- domain_subj_id_change_exempt($1_su_t)
- domain_obj_id_change_exempt($1_su_t)
- domain_wide_inherit_fd($1_su_t)
- role $3 types $1_su_t;
-
- allow $2 $1_su_t:process signal;
-
- allow $1_su_t self:capability { audit_control setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
- dontaudit $1_su_t self:capability sys_tty_config;
- allow $1_su_t self:process { setexec setsched setrlimit };
- allow $1_su_t self:fifo_file rw_file_perms;
- allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
-
- # Transition from the user domain to this domain.
- domain_auto_trans($2, su_exec_t, $1_su_t)
- allow $2 $1_su_t:fd use;
- allow $1_su_t $2:fd use;
- allow $1_su_t $2:fifo_file rw_file_perms;
- allow $1_su_t $2:process sigchld;
-
- # By default, revert to the calling domain when a shell is executed.
- corecmd_shell_domtrans($1_su_t,$2)
- allow $2 $1_su_t:fd use;
- allow $1_su_t $2:fd use;
- allow $1_su_t $2:fifo_file rw_file_perms;
- allow $1_su_t $2:process sigchld;
-
- kernel_read_system_state($1_su_t)
- kernel_read_kernel_sysctl($1_su_t)
-
- # for SSP
- dev_read_urand($1_su_t)
-
- fs_search_auto_mountpoints($1_su_t)
-
- selinux_get_fs_mount($1_su_t)
- selinux_validate_context($1_su_t)
- selinux_compute_access_vector($1_su_t)
- selinux_compute_create_context($1_su_t)
- selinux_compute_relabel_context($1_su_t)
- selinux_compute_user_contexts($1_su_t)
-
- # Relabel ttys and ptys.
- term_relabel_all_user_ttys($1_su_t)
- term_relabel_all_user_ptys($1_su_t)
- # Close and re-open ttys and ptys to get the fd into the correct domain.
- term_use_all_user_ttys($1_su_t)
- term_use_all_user_ptys($1_su_t)
-
- auth_domtrans_user_chk_passwd($1_su_t,$1)
- auth_dontaudit_read_shadow($1_su_t)
-
- domain_wide_inherit_fd($1_su_t)
-
- files_read_etc_files($1_su_t)
- files_search_var_lib($1_su_t)
-
- init_dontaudit_use_fd($1_su_t)
- # Write to utmp.
- init_rw_script_pid($1_su_t)
-
- libs_use_ld_so($1_su_t)
- libs_use_shared_libs($1_su_t)
-
- logging_send_syslog_msg($1_su_t)
-
- miscfiles_read_localization($1_su_t)
-
- seutil_read_config($1_su_t)
- seutil_read_default_contexts($1_su_t)
-
- userdom_use_user_terminals($1,$1_su_t)
-
- if(secure_mode)
- {
- # Only allow transitions to unprivileged user domains.
- userdom_spec_domtrans_unpriv_users($1_su_t)
- } else {
- # Allow transitions to all user domains
- userdom_spec_domtrans_all_users($1_su_t)
- }
-
- if (use_nfs_home_dirs) {
- fs_search_nfs($1_su_t)
- }
-
- if (use_samba_home_dirs) {
- fs_search_cifs($1_su_t)
- }
-
- optional_policy(`crond.te',`
- cron_read_pipe($1_su_t)
- ')
-
- optional_policy(`kerberos.te',`
- kerberos_use($1_su_t)
- ')
-
- optional_policy(`nis.te',`
- nis_use_ypbind($1_su_t)
- ')
-
- optional_policy(`nscd.te',`
- nscd_use_socket($1_su_t)
- ')
-
- ifdef(`TODO',`
-
- ifdef(`support_polyinstantiation', `
- mls_file_read_up($1_su_t)
- mls_file_write_down($1_su_t)
- mls_file_upgrade($1_su_t)
- mls_file_downgrade($1_su_t)
- mls_process_set_level($1_su_t)
-
- # Su can polyinstantiate
- polyinstantiater($1_su_t)
- # Su has to unmount polyinstantiated directories (like home)
- # that should not be polyinstantiated under the new user
- allow $1_su_t fs_t:filesystem unmount;
- # Su needs additional permission to mount over a previous mount
- allow $1_su_t polymember:dir mounton;
- ')
-
- # Caused by su - init scripts
- dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
-
- # Inherit and use descriptors from gnome-pty-helper.
- ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;')
-
- allow $1_su_t { home_root_t $1_home_dir_t }:dir search;
- allow $1_su_t $1_home_t:file create_file_perms;
-
- ifdef(`user_canbe_sysadm', `
- allow $1_su_t home_dir_type:dir { search write };
- ', `
- dontaudit $1_su_t home_dir_type:dir { search write };
- ')
-
- # Modify .Xauthority file (via xauth program).
- ifdef(`xauth.te', `
- file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
- file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
- file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
- domain_auto_trans($1_su_t, xauth_exec_t, $1_xauth_t)
- ')
-
- ifdef(`cyrus.te', `
- allow $1_su_t cyrus_var_lib_t:dir search;
- ')
- ifdef(`ssh.te', `
- # Access sshd cookie files.
- allow $1_su_t sshd_tmp_t:file rw_file_perms;
- file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t)
- ')
- ') dnl end TODO
+ gen_require(`
+ type su_exec_t;
')
+
+ type $1_su_t;
+ domain_entry_file($1_su_t,su_exec_t)
+ domain_type($1_su_t)
+ domain_role_change_exempt($1_su_t)
+ domain_subj_id_change_exempt($1_su_t)
+ domain_obj_id_change_exempt($1_su_t)
+ domain_wide_inherit_fd($1_su_t)
+ role $3 types $1_su_t;
+
+ allow $2 $1_su_t:process signal;
+
+ allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+ dontaudit $1_su_t self:capability sys_tty_config;
+ allow $1_su_t self:process { setexec setsched setrlimit };
+ allow $1_su_t self:fifo_file rw_file_perms;
+ allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
+
+ # Transition from the user domain to this domain.
+ domain_auto_trans($2, su_exec_t, $1_su_t)
+ allow $2 $1_su_t:fd use;
+ allow $1_su_t $2:fd use;
+ allow $1_su_t $2:fifo_file rw_file_perms;
+ allow $1_su_t $2:process sigchld;
+
+ # By default, revert to the calling domain when a shell is executed.
+ corecmd_shell_domtrans($1_su_t,$2)
+ allow $2 $1_su_t:fd use;
+ allow $1_su_t $2:fd use;
+ allow $1_su_t $2:fifo_file rw_file_perms;
+ allow $1_su_t $2:process sigchld;
+
+ kernel_read_system_state($1_su_t)
+ kernel_read_kernel_sysctl($1_su_t)
+
+ # for SSP
+ dev_read_urand($1_su_t)
+
+ fs_search_auto_mountpoints($1_su_t)
+
+ selinux_get_fs_mount($1_su_t)
+ selinux_validate_context($1_su_t)
+ selinux_compute_access_vector($1_su_t)
+ selinux_compute_create_context($1_su_t)
+ selinux_compute_relabel_context($1_su_t)
+ selinux_compute_user_contexts($1_su_t)
+
+ # Relabel ttys and ptys.
+ term_relabel_all_user_ttys($1_su_t)
+ term_relabel_all_user_ptys($1_su_t)
+ # Close and re-open ttys and ptys to get the fd into the correct domain.
+ term_use_all_user_ttys($1_su_t)
+ term_use_all_user_ptys($1_su_t)
+
+ auth_domtrans_user_chk_passwd($1_su_t,$1)
+ auth_dontaudit_read_shadow($1_su_t)
+
+ domain_wide_inherit_fd($1_su_t)
+
+ files_read_etc_files($1_su_t)
+ files_search_var_lib($1_su_t)
+
+ init_dontaudit_use_fd($1_su_t)
+ # Write to utmp.
+ init_rw_script_pid($1_su_t)
+
+ libs_use_ld_so($1_su_t)
+ libs_use_shared_libs($1_su_t)
+
+ logging_send_syslog_msg($1_su_t)
+
+ miscfiles_read_localization($1_su_t)
+
+ seutil_read_config($1_su_t)
+ seutil_read_default_contexts($1_su_t)
+
+ userdom_use_user_terminals($1,$1_su_t)
+
+ if(secure_mode)
+ {
+ # Only allow transitions to unprivileged user domains.
+ userdom_spec_domtrans_unpriv_users($1_su_t)
+ } else {
+ # Allow transitions to all user domains
+ userdom_spec_domtrans_all_users($1_su_t)
+ }
+
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_search_nfs($1_su_t)
+ ')
+
+ tunable_policy(`use_samba_home_dirs',`
+ fs_search_cifs($1_su_t)
+ ')
+
+ optional_policy(`crond.te',`
+ cron_read_pipe($1_su_t)
+ ')
+
+ optional_policy(`kerberos.te',`
+ kerberos_use($1_su_t)
+ ')
+
+ optional_policy(`nis.te',`
+ nis_use_ypbind($1_su_t)
+ ')
+
+ optional_policy(`nscd.te',`
+ nscd_use_socket($1_su_t)
+ ')
+
+ ifdef(`TODO',`
+
+ ifdef(`support_polyinstantiation', `
+ mls_file_read_up($1_su_t)
+ mls_file_write_down($1_su_t)
+ mls_file_upgrade($1_su_t)
+ mls_file_downgrade($1_su_t)
+ mls_process_set_level($1_su_t)
+
+ # Su can polyinstantiate
+ polyinstantiater($1_su_t)
+ # Su has to unmount polyinstantiated directories (like home)
+ # that should not be polyinstantiated under the new user
+ allow $1_su_t fs_t:filesystem unmount;
+ # Su needs additional permission to mount over a previous mount
+ allow $1_su_t polymember:dir mounton;
+ ')
+
+ # Caused by su - init scripts
+ dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
+
+ # Inherit and use descriptors from gnome-pty-helper.
+ ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;')
+
+ allow $1_su_t { home_root_t $1_home_dir_t }:dir search;
+ allow $1_su_t $1_home_t:file create_file_perms;
+
+ ifdef(`user_canbe_sysadm', `
+ allow $1_su_t home_dir_type:dir { search write };
+ ', `
+ dontaudit $1_su_t home_dir_type:dir { search write };
+ ')
+
+ # Modify .Xauthority file (via xauth program).
+ ifdef(`xauth.te', `
+ file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
+ file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
+ file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
+ domain_auto_trans($1_su_t, xauth_exec_t, $1_xauth_t)
+ ')
+
+ ifdef(`cyrus.te', `
+ allow $1_su_t cyrus_var_lib_t:dir search;
+ ')
+ ifdef(`ssh.te', `
+ # Access sshd cookie files.
+ allow $1_su_t sshd_tmp_t:file rw_file_perms;
+ file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t)
+ ')
+ ') dnl end TODO
')
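Review bot: The rewritten template carries two byte-identical copies of the `allow $2 $1_su_t:fd use; / allow $1_su_t $2:fd use; / allow $1_su_t $2:fifo_file rw_file_perms; / allow $1_su_t $2:process sigchld;` block (once after `domain_auto_trans($2, su_exec_t, $1_su_t)` and again after `corecmd_shell_domtrans`) and calls `domain_wide_inherit_fd($1_su_t)` twice; the duplicates are harmless to the compiler but make a reader hunt for a difference that is not there, so drop the second copy of each. The nfs/samba conditionals were converted to `tunable_policy` while `secure_mode` still uses the raw `if(secure_mode) { } else { }` form a few lines above; if `secure_mode` is a tunable like the home-dir ones, `tunable_policy(`secure_mode`,` userdom_spec_domtrans_unpriv_users($1_su_t)`,` userdom_spec_domtrans_all_users($1_su_t)`)` makes the conversion consistent, and if it is a true runtime boolean a comment saying so pre-empts the question. The only semantic change in the block is adding `audit_write` to the capability set, which deserves a why-comment such as `# audit_write: presumably required alongside nlmsg_relay to emit AUDIT_USER_* login records` since the su code that drives it is not visible here.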
#######################################
diff --git a/refpolicy/policy/modules/admin/su.te b/refpolicy/policy/modules/admin/su.te
index e01bee1c..56158ebc 100644
--- a/refpolicy/policy/modules/admin/su.te
+++ b/refpolicy/policy/modules/admin/su.te
@@ -6,7 +6,11 @@ policy_module(su,1.0)
# Declarations
#
-type su_exec_t;
+# real declaration moved to mls until
+# range_transition works in loadable modules
+gen_require(`
+ type su_exec_t;
+')
files_type(su_exec_t)
# Remaining policy in the per-user domain template
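Review bot: The comment "real declaration moved to mls" does not say which file or why, and a reader of su.te alone cannot find the owner of `su_exec_t` from it; I would write `# su_exec_t is declared in policy/modules/kernel/mls.te (base) because range_transition is only permitted in the base module; restore "type su_exec_t;" here and drop this gen_require once loadable modules support range_transition`. Note that with the declaration in base, `files_type(su_exec_t)` below now attaches an attribute to a type this module does not own, which is fine as long as the toolchain of the day accepts `typeattribute` on required types, so confirm the module still links.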
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index b3ed57c7..612b4c57 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -68,14 +68,14 @@ allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit exe
allow chfn_t self:process { setrlimit setfscreate };
allow chfn_t self:fd use;
allow chfn_t self:fifo_file rw_file_perms;
-allow chfn_t self:unix_dgram_socket create_socket_perms;
-allow chfn_t self:unix_stream_socket create_stream_socket_perms;
-allow chfn_t self:unix_dgram_socket sendto;
-allow chfn_t self:unix_stream_socket connectto;
allow chfn_t self:shm create_shm_perms;
allow chfn_t self:sem create_sem_perms;
allow chfn_t self:msgq create_msgq_perms;
allow chfn_t self:msg { send receive };
+allow chfn_t self:unix_dgram_socket create_socket_perms;
+allow chfn_t self:unix_stream_socket create_stream_socket_perms;
+allow chfn_t self:unix_dgram_socket sendto;
+allow chfn_t self:unix_stream_socket connectto;
kernel_read_system_state(chfn_t)
kernel_read_kernel_sysctl(chfn_t)
@@ -192,14 +192,15 @@ allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit
allow groupadd_t self:process { setrlimit setfscreate };
allow groupadd_t self:fd use;
allow groupadd_t self:fifo_file rw_file_perms;
-allow groupadd_t self:unix_dgram_socket create_socket_perms;
-allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
-allow groupadd_t self:unix_dgram_socket sendto;
-allow groupadd_t self:unix_stream_socket connectto;
allow groupadd_t self:shm create_shm_perms;
allow groupadd_t self:sem create_sem_perms;
allow groupadd_t self:msgq create_msgq_perms;
allow groupadd_t self:msg { send receive };
+allow groupadd_t self:unix_dgram_socket create_socket_perms;
+allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
+allow groupadd_t self:unix_dgram_socket sendto;
+allow groupadd_t self:unix_stream_socket connectto;
+allow groupadd_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
fs_getattr_xattr_fs(groupadd_t)
fs_search_auto_mountpoints(groupadd_t)
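Review bot: `allow groupadd_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };` is added without a matching `audit_write` capability, whereas the su template in this same commit grants `audit_write` together with `nlmsg_relay`; as far as I recall the kernel gates AUDIT_USER_* messages on CAP_AUDIT_WRITE, so groupadd would likely trip a capability denial the moment it tries to log an account change. The `allow groupadd_t self:capability` line lies outside this hunk, so check whether it already lists `audit_write` and add it if not. A short comment on the new rule, `# groupadd reports account changes over the audit netlink socket`, would also explain why a one-shot tool needs this socket.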
@@ -236,6 +237,7 @@ miscfiles_read_localization(groupadd_t)
auth_manage_shadow(groupadd_t)
auth_rw_lastlog(groupadd_t)
+auth_use_nsswitch(groupadd_t)
seutil_read_config(groupadd_t)
@@ -445,7 +447,6 @@ allow sysadm_passwd_t { etc_t shadow_t }:file { relabelfrom relabelto };
ifdef(`targeted_policy', `
role system_r types sysadm_passwd_t;
-allow sysadm_passwd_t devpts_t:chr_file rw_file_perms;
')
') dnl endif TODO
@@ -459,14 +460,15 @@ allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit
allow useradd_t self:process setfscreate;
allow useradd_t self:fd use;
allow useradd_t self:fifo_file rw_file_perms;
-allow useradd_t self:unix_dgram_socket create_socket_perms;
-allow useradd_t self:unix_stream_socket create_stream_socket_perms;
-allow useradd_t self:unix_dgram_socket sendto;
-allow useradd_t self:unix_stream_socket connectto;
allow useradd_t self:shm create_shm_perms;
allow useradd_t self:sem create_sem_perms;
allow useradd_t self:msgq create_msgq_perms;
allow useradd_t self:msg { send receive };
+allow useradd_t self:unix_dgram_socket create_socket_perms;
+allow useradd_t self:unix_stream_socket create_stream_socket_perms;
+allow useradd_t self:unix_dgram_socket sendto;
+allow useradd_t self:unix_stream_socket connectto;
+allow useradd_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
# Allow access to context for shadow file
selinux_get_fs_mount(useradd_t)
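Review bot: Same concern as groupadd_t: `nlmsg_relay` on `netlink_audit_socket` is granted to useradd_t here but no `audit_write` capability appears in the hunk, while the su template in this commit adds `audit_write` alongside `nlmsg_relay`. The useradd_t capability rule sits above this hunk, so confirm it includes `audit_write`, and consider `# useradd logs account changes through the audit netlink socket` on the added line so the pairing is obvious.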
@@ -486,6 +488,7 @@ term_use_all_user_ptys(useradd_t)
auth_manage_shadow(useradd_t)
auth_rw_lastlog(useradd_t)
+auth_use_nsswitch(useradd_t)
corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
diff --git a/refpolicy/policy/modules/apps/webalizer.te b/refpolicy/policy/modules/apps/webalizer.te
index 2d58940c..2225882a 100644
--- a/refpolicy/policy/modules/apps/webalizer.te
+++ b/refpolicy/policy/modules/apps/webalizer.te
@@ -89,6 +89,10 @@ userdom_use_unpriv_users_fd(webalizer_t)
apache_read_log(webalizer_t)
apache_manage_sys_content(webalizer_t)
+optional_policy(`ftp.te',`
+ ftp_read_log(webalizer_t)
+')
+
optional_policy(`nis.te',`
nis_use_ypbind(webalizer_t)
')
diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.in b/refpolicy/policy/modules/kernel/corenetwork.te.in
index d13b1cd9..6e37fb1e 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.te.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.te.in
@@ -53,7 +53,7 @@ network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(dcc, udp,6276,s0, udp,6277,s0)
network_port(dbskkd, tcp,1178,s0)
network_port(dhcpc, udp,68,s0)
-network_port(dhcpd, udp,67,s0)
+network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0)
network_port(dict, tcp,2628,s0)
network_port(dns, udp,53,s0, tcp,53,s0)
network_port(fingerd, tcp,79,s0)
@@ -86,6 +86,8 @@ network_port(nessus, tcp,1241,s0)
network_port(nmbd, udp,137,s0, udp,138,s0, udp,139,s0)
network_port(ntp, udp,123,s0)
network_port(openvpn, udp,5000,s0)
+network_port(pegasus_http, tcp,5988,s0)
+network_port(pegasus_https, tcp,5989,s0)
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postgresql, tcp,5432,s0)
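Review bot: Folding tcp/udp 647 and 847 into the existing `dhcpd` port type means every domain already granted dhcpd port access (e.g. via the `corenet_*_dhcpd_port` interfaces used by clients that talk to UDP 67) is now also permitted to reach what are, by IANA assignment, the DHCP failover peer ports (dhcp-failover / dhcp-failover2), which are only ever used server-to-server; a separate `dhcpd_failover` port type would keep the client-side rules narrow. Whichever way it goes, nothing in the file names these numbers, so a comment line above the rule, `# 647/847: ISC DHCP failover peer ports (server-to-server only)`, records the intent. The `pegasus_http` / `pegasus_https` entries would likewise benefit from `# 5988/5989: WBEM CIM-XML over HTTP/HTTPS (OpenPegasus)`.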
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index e69e2b87..7209a09b 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -175,6 +175,24 @@ interface(`fs_getattr_xattr_fs',`
allow $1 fs_t:filesystem getattr;
')
+########################################
+##
+## Get the quotas of a persistent
+## filesystem which has extended
+## attributes, such as ext3, JFS, or XFS.
+##
+##
+## The type of the domain getting quotas.
+##
+#
+interface(`fs_get_xattr_fs_quotas',`
+ gen_require(`
+ type fs_t;
+ ')
+
+ allow $1 fs_t:filesystem quotaget;
+')
+
########################################
##
## Do not audit attempts to
diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te
index 511d8642..367b1760 100644
--- a/refpolicy/policy/modules/kernel/filesystem.te
+++ b/refpolicy/policy/modules/kernel/filesystem.te
@@ -44,6 +44,10 @@ type binfmt_misc_fs_t, filesystem_type;
files_mountpoint(binfmt_misc_fs_t)
genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
+type capifs_t, filesystem_type;
+allow capifs_t self:filesystem associate;
+genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
+
type eventpollfs_t, filesystem_type;
genfscon eventpollfs / gen_context(system_u:object_r:eventpollfs_t,s0)
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 06b32a17..6e63f7a4 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -709,17 +709,17 @@ interface(`kernel_read_network_state',`
########################################
##
-## Do not audit attempts by caller to search the sysctl directory.
+## Do not audit attempts by caller to search
+## the base directory of sysctls.
##
##
## The process type not to audit.
##
##
#
-interface(`kernel_dontaudit_search_sysctl_dir',`
+interface(`kernel_dontaudit_search_sysctl',`
gen_require(`
type sysctl_t;
- class dir search;
')
dontaudit $1 sysctl_t:dir search;
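Review bot: `kernel_dontaudit_search_sysctl_dir` is renamed to `kernel_dontaudit_search_sysctl` with no compatibility shim, so any module still calling the old name (in-tree callers are not visible in this diff, and out-of-tree policy certainly may exist) will fail with an undefined-macro error at build time. If the rename is intended, keep a deprecated one-liner for a release, `interface(`kernel_dontaudit_search_sysctl_dir',` kernel_dontaudit_search_sysctl($1) `)`, or state in the commit message that every caller was updated. The same applies to `kernel_dontaudit_search_network_sysctl_dir` later in this file.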
@@ -736,8 +736,6 @@ interface(`kernel_dontaudit_search_sysctl_dir',`
interface(`kernel_read_device_sysctl',`
gen_require(`
type proc_t, sysctl_t, sysctl_dev_t;
- class dir r_dir_perms;
- class file r_file_perms;
')
allow $1 proc_t:dir search;
@@ -757,8 +755,6 @@ interface(`kernel_read_device_sysctl',`
interface(`kernel_rw_device_sysctl',`
gen_require(`
type proc_t, sysctl_t, sysctl_dev_t;
- class dir r_dir_perms;
- class file rw_file_perms;
')
allow $1 proc_t:dir search;
@@ -778,8 +774,6 @@ interface(`kernel_rw_device_sysctl',`
interface(`kernel_read_vm_sysctl',`
gen_require(`
type proc_t, sysctl_t, sysctl_vm_t;
- class dir r_dir_perms;
- class file r_file_perms;
')
allow $1 proc_t:dir search;
@@ -798,8 +792,6 @@ interface(`kernel_read_vm_sysctl',`
interface(`kernel_rw_vm_sysctl',`
gen_require(`
type proc_t, sysctl_t, sysctl_vm_t;
- class dir r_dir_perms;
- class file rw_file_perms;
')
allow $1 proc_t:dir search;
@@ -809,16 +801,31 @@ interface(`kernel_rw_vm_sysctl',`
########################################
##
-## Do not audit attempts by caller to search sysctl network directories.
+## Search network sysctl directories.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`kernel_search_network_sysctl',`
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_net_t;
+ ')
+
+ allow $1 { proc_t sysctl_t sysctl_net_t }:dir search;
+')
+
+########################################
+##
+## Do not audit attempts by caller to search network sysctl directories.
##
##
## The process type not to audit.
##
#
-interface(`kernel_dontaudit_search_network_sysctl_dir',`
+interface(`kernel_dontaudit_search_network_sysctl',`
gen_require(`
type sysctl_net_t;
- class dir search;
')
dontaudit $1 sysctl_net_t:dir search;
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 169fd14d..d7611ba2 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -220,10 +220,6 @@ ifdef(`TODO',`
ifdef(`targeted_policy', `
unconfined_domain(kernel_t)
')
-ifdef(`mls_policy', `
-# run init with maximum MLS range
-range_transition kernel_t init_exec_t s0 - s9:c0.c127;
-')
') dnl end TODO
########################################
diff --git a/refpolicy/policy/modules/kernel/mls.te b/refpolicy/policy/modules/kernel/mls.te
index 4f29a663..bbdabb5c 100644
--- a/refpolicy/policy/modules/kernel/mls.te
+++ b/refpolicy/policy/modules/kernel/mls.te
@@ -43,3 +43,32 @@ attribute mlstrustedobject;
attribute privrangetrans;
attribute mlsrangetrans;
+
+########################################
+#
+# THIS IS A HACK
+#
+# Only the base module can have range_transitions, so we
+# temporarily have to break encapsulation to work around this.
+#
+
+type getty_t;
+type login_exec_t;
+type init_exec_t;
+type initrc_t;
+type su_exec_t;
+type udev_exec_t;
+type unconfined_t;
+
+ifdef(`enable_mcs', `
+range_transition getty_t login_exec_t s0 - s0:c0.c255;
+range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
+range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
+range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
+range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
+')
+
+ifdef(`enable_mls', `
+# run init with maximum MLS range
+range_transition kernel_t init_exec_t s0 - s9:c0.c255;
+')
diff --git a/refpolicy/policy/modules/kernel/selinux.if b/refpolicy/policy/modules/kernel/selinux.if
index 0a1a0727..2d39c8ad 100644
--- a/refpolicy/policy/modules/kernel/selinux.if
+++ b/refpolicy/policy/modules/kernel/selinux.if
@@ -31,12 +31,27 @@ interface(`selinux_get_fs_mount',`
interface(`selinux_dontaudit_getattr_dir',`
gen_require(`
type security_t;
- class dir getattr;
')
dontaudit $1 security_t:dir getattr;
')
+########################################
+##
+## Search selinuxfs.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`selinux_search_fs',`
+ gen_require(`
+ type security_t;
+ ')
+
+ allow $1 security_t:dir search;
+')
+
########################################
##
## Do not audit attempts to search selinuxfs.
@@ -48,7 +63,6 @@ interface(`selinux_dontaudit_getattr_dir',`
interface(`selinux_dontaudit_search_fs',`
gen_require(`
type security_t;
- class dir search;
')
dontaudit $1 security_t:dir search;
@@ -66,8 +80,6 @@ interface(`selinux_dontaudit_search_fs',`
interface(`selinux_get_enforce_mode',`
gen_require(`
type security_t;
- class dir { read search getattr };
- class file { getattr read };
')
allow $1 security_t:dir { read search getattr };
@@ -97,9 +109,6 @@ interface(`selinux_set_enforce_mode',`
gen_require(`
type security_t;
attribute can_setenforce;
- class dir { read search getattr };
- class file { getattr read write };
- class security setenforce;
')
allow $1 security_t:dir { read search getattr };
@@ -121,9 +130,6 @@ interface(`selinux_load_policy',`
gen_require(`
type security_t;
attribute can_load_policy;
- class dir { read search getattr };
- class file { getattr read write };
- class security load_policy;
')
allow $1 security_t:dir { read search getattr };
@@ -158,9 +164,6 @@ interface(`selinux_load_policy',`
interface(`selinux_set_boolean',`
gen_require(`
type security_t;
- class dir { read search getattr };
- class file { getattr read write };
- class security setbool;
')
ifelse(`$2',`',`
@@ -199,9 +202,6 @@ interface(`selinux_set_parameters',`
gen_require(`
type security_t;
attribute can_setsecparam;
- class dir { read search getattr };
- class file { getattr read write };
- class security setsecparam;
')
allow $1 security_t:dir { read search getattr };
@@ -222,9 +222,6 @@ interface(`selinux_set_parameters',`
interface(`selinux_validate_context',`
gen_require(`
type security_t;
- class dir { read search getattr };
- class file { getattr read write };
- class security check_context;
')
allow $1 security_t:dir { read search getattr };
@@ -243,9 +240,6 @@ interface(`selinux_validate_context',`
interface(`selinux_compute_access_vector',`
gen_require(`
type security_t;
- class dir { read search getattr };
- class file { getattr read write };
- class security compute_av;
')
allow $1 security_t:dir { read search getattr };
@@ -264,9 +258,6 @@ interface(`selinux_compute_access_vector',`
interface(`selinux_compute_create_context',`
gen_require(`
type security_t;
- class dir { read search getattr };
- class file { getattr read write };
- class security compute_create;
')
allow $1 security_t:dir { read search getattr };
@@ -286,9 +277,6 @@ interface(`selinux_compute_create_context',`
interface(`selinux_compute_member',`
gen_require(`
type security_t;
- class dir { read search getattr };
- class file { getattr read write };
- class security compute_member;
')
allow $1 security_t:dir { read search getattr };
@@ -316,9 +304,6 @@ interface(`selinux_compute_member',`
interface(`selinux_compute_relabel_context',`
gen_require(`
type security_t;
- class dir { read search getattr };
- class file { getattr read write };
- class security compute_relabel;
')
allow $1 security_t:dir { read search getattr };
@@ -337,9 +322,6 @@ interface(`selinux_compute_relabel_context',`
interface(`selinux_compute_user_contexts',`
gen_require(`
type security_t;
- class dir { read search getattr };
- class file { getattr read write };
- class security compute_user;
')
allow $1 security_t:dir { read search getattr };
@@ -359,9 +341,6 @@ interface(`selinux_unconfined',`
gen_require(`
attribute can_load_policy, can_setenforce, can_setsecparam;
type security_t;
- class dir { getattr search read };
- class file { getattr read write };
- class security { load_policy setenforce setbool };
')
# Access the security API.
diff --git a/refpolicy/policy/modules/kernel/storage.fc b/refpolicy/policy/modules/kernel/storage.fc
index cb5177df..287099ae 100644
--- a/refpolicy/policy/modules/kernel/storage.fc
+++ b/refpolicy/policy/modules/kernel/storage.fc
@@ -51,6 +51,7 @@ ifdef(`distro_redhat', `
/dev/ida/[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,s0)
+/dev/md/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s0)
/dev/mapper/.* -b gen_context(system_u:object_r:fixed_disk_device_t,s0)
/dev/raw/raw[0-9]+ -c gen_context(system_u:object_r:fixed_disk_device_t,s0)
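Review bot: The added `/dev/md/.*` entry only matches nodes below the `/dev/md/` directory, so whether the flat `/dev/md[0-9]+` device nodes receive the same label depends on an entry elsewhere in storage.fc that this hunk does not show; confirm one exists before relying on this rule for software-RAID members. The `-b` restriction and the `fixed_disk_device_t` label match the neighbouring `/dev/mapper/.*` rule, which is the appropriate type for raw disk access.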
diff --git a/refpolicy/policy/modules/kernel/terminal.te b/refpolicy/policy/modules/kernel/terminal.te
index 894d88dc..d461ed8b 100644
--- a/refpolicy/policy/modules/kernel/terminal.te
+++ b/refpolicy/policy/modules/kernel/terminal.te
@@ -29,6 +29,10 @@ files_mountpoint(devpts_t)
fs_type(devpts_t)
fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
+ifdef(`targeted_policy',`
+ typeattribute devpts_t ttynode;
+')
+
#
# devtty_t is the type of /dev/tty.
#
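Review bot: The new `typeattribute devpts_t ttynode;` carries no comment saying why the devpts filesystem type needs the ttynode attribute only under `targeted_policy`, and the effect is that every rule written against the ttynode attribute now also applies to devpts_t in that configuration. A one-line reason above the rule, such as `# targeted: generic tty rules must also cover the devpts mount point (see <denial or bug reference>)`, would let the next reader judge whether the widening is still needed.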
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index 34ebf100..0543cffe 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -539,7 +539,7 @@ interface(`apache_list_modules',`
# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
interface(`apache_manage_sys_content',`
gen_require(`
- type httpd_log_t;
+ type httpd_sys_content_t;
')
files_search_var($1)
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index 0f5b1d66..e0d79b41 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -215,6 +215,14 @@ corenet_tcp_bind_all_nodes(httpd_t)
corenet_udp_bind_all_nodes(httpd_t)
corenet_tcp_bind_http_port(httpd_t)
corenet_tcp_bind_http_cache_port(httpd_t)
+# allow httpd to connect to mysql/posgresql
+corenet_tcp_connect_postgresql_port(httpd_t)
+corenet_tcp_connect_mysqld_port(httpd_t)
+# allow httpd to work as a relay
+corenet_tcp_connect_gopher_port(httpd_t)
+corenet_tcp_connect_ftp_port(httpd_t)
+corenet_tcp_connect_http_port(httpd_t)
+corenet_tcp_connect_http_cache_port(httpd_t)
dev_read_sysfs(httpd_t)
dev_read_rand(httpd_t)
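Review bot: The six new `corenet_tcp_connect_*_port(httpd_t)` rules grant outbound database and relay connectivity unconditionally, so every httpd deployment, including the many that never talk to a database or act as a proxy, gives a compromised web application a sanctioned path to those ports on any reachable host. Since the ftp.te hunk in this same commit already uses `tunable_policy` for optional behaviour, consider wrapping the two groups (the mysql/postgresql pair and the gopher/ftp/http/http-cache group) in tunables that default to off so administrators opt in. The comment above the first group also misspells postgresql as `posgresql`.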
@@ -226,6 +234,8 @@ fs_search_auto_mountpoints(httpd_t)
term_dontaudit_use_console(httpd_t)
+auth_use_nsswitch(httpd_t)
+
# execute perl
corecmd_exec_bin(httpd_t)
corecmd_exec_sbin(httpd_t)
@@ -261,7 +271,6 @@ miscfiles_read_certs(httpd_t)
seutil_dontaudit_search_config(httpd_t)
-sysnet_dns_name_resolve(httpd_t)
sysnet_use_ldap(httpd_t)
sysnet_read_config(httpd_t)
@@ -363,10 +372,6 @@ optional_policy(`mysql.te',`
mysql_rw_db_socket(httpd_t)
')
-optional_policy(`nis.te',`
- nis_use_ypbind(httpd_t)
-')
-
optional_policy(`nscd.te',`
nscd_use_socket(httpd_t)
')
diff --git a/refpolicy/policy/modules/services/apm.te b/refpolicy/policy/modules/services/apm.te
index b9f32626..36c6544a 100644
--- a/refpolicy/policy/modules/services/apm.te
+++ b/refpolicy/policy/modules/services/apm.te
@@ -20,6 +20,9 @@ domain_entry_file(apm_t,apm_exec_t)
type apmd_log_t;
logging_log_file(apmd_log_t)
+type apmd_tmp_t;
+files_tmp_file(apmd_tmp_t)
+
type apmd_var_run_t;
files_pid_file(apmd_var_run_t)
@@ -72,6 +75,10 @@ allow apmd_t self:unix_stream_socket create_stream_socket_perms;
allow apmd_t apmd_log_t:file create_file_perms;
logging_create_log(apmd_t,apmd_log_t)
+allow apmd_t apmd_tmp_t:dir create_dir_perms;
+allow apmd_t apmd_tmp_t:file create_file_perms;
+files_create_tmp_files(apmd_t, apmd_tmp_t, { file dir })
+
allow apmd_t apmd_var_run_t:dir rw_dir_perms;
allow apmd_t apmd_var_run_t:file create_file_perms;
allow apmd_t apmd_var_run_t:sock_file create_file_perms;
@@ -96,6 +103,8 @@ fs_dontaudit_getattr_all_symlinks(apmd_t); # Excessive?
fs_dontaudit_getattr_all_pipes(apmd_t); # Excessive?
fs_dontaudit_getattr_all_sockets(apmd_t); # Excessive?
+selinux_search_fs(apmd_t)
+
term_dontaudit_use_console(apmd_t)
corecmd_exec_bin(apmd_t)
@@ -144,6 +153,7 @@ ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_tty(apmd_t)
term_dontaudit_use_generic_pty(apmd_t)
files_dontaudit_read_root_file(apmd_t)
+ unconfined_domain_template(apmd_t)
')
ifdef(`distro_redhat',`
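Review bot: `unconfined_domain_template(apmd_t)` removes all confinement from apmd in the targeted policy, which makes the three dontaudit rules kept directly above it, and every other apmd_t rule in this file, moot in that configuration; the hunk gives no reason for the change. Record the reason in a one-line comment above the call (for example which apmd event scripts cannot be enumerated), and if the trigger was a small set of denials, prefer adding those specific permissions over dropping confinement entirely.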
@@ -165,10 +175,10 @@ ifdef(`distro_redhat',`
netutils_domtrans(apmd_t)
')
- ',`
+',`
# for ifconfig which is run all the time
- kernel_dontaudit_search_sysctl_dir(apmd_t)
+ kernel_dontaudit_search_sysctl(apmd_t)
')
ifdef(`distro_suse',`
@@ -182,6 +192,10 @@ optional_policy(`clock.te',`
clock_rw_adjtime(apmd_t)
')
+optional_policy(`logrotate.te',`
+ logrotate_use_fd(apmd_t)
+')
+
optional_policy(`mta.te',`
mta_send_mail(apmd_t)
')
@@ -212,6 +226,8 @@ optional_policy(`cron.te',`
allow apmd_t crond_t:fifo_file { getattr read write ioctl };
')
+r_dir_file(apmd_t, hwdata_t)
+
optional_policy(`rhgb.te',`
rhgb_domain(apmd_t)
')
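Review bot: `r_dir_file(apmd_t, hwdata_t)` reaches across modules to `hwdata_t`, a type declared in miscfiles.te, without a `gen_require`, while the hal.te and hotplug.te hunks in this same commit use the new `miscfiles_read_hwdata()` interface for exactly this access; use `miscfiles_read_hwdata(apmd_t)` here too so the module stays self-contained and the three callers stay consistent. The rule is also placed between two `optional_policy` blocks rather than with the unconditional apmd_t rules.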
diff --git a/refpolicy/policy/modules/services/dbus.te b/refpolicy/policy/modules/services/dbus.te
index e8ecba65..5d0821d9 100644
--- a/refpolicy/policy/modules/services/dbus.te
+++ b/refpolicy/policy/modules/services/dbus.te
@@ -35,8 +35,9 @@ dontaudit system_dbusd_t self:capability sys_tty_config;
allow system_dbusd_t self:process getattr;
allow system_dbusd_t self:fifo_file { read write };
allow system_dbusd_t self:dbus { send_msg acquire_svc };
-allow system_dbusd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
+allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
# Receive notifications of policy reloads and enforcing status changes.
allow system_dbusd_t self:netlink_selinux_socket { create bind read };
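Review bot: The rewritten `unix_stream_socket` rule lists `connectto` twice (`{ connectto create_stream_socket_perms connectto }`); the original set `{ create_stream_socket_perms connectto }` already contained it, so the line should be restored to that form. The new `netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }` rule, which the nscd.te hunk also adds for nscd_t, lets the daemon send userspace audit messages and carries no comment; a one-line note naming the code path that emits audit records would justify keeping `nlmsg_relay` rather than only the create/bind permissions.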
@@ -71,6 +72,9 @@ selinux_compute_user_contexts(system_dbusd_t)
term_dontaudit_use_console(system_dbusd_t)
+auth_use_nsswitch(system_dbusd_t)
+auth_read_pam_console_data(system_dbusd_t)
+
corecmd_list_bin(system_dbusd_t)
corecmd_read_bin_symlink(system_dbusd_t)
corecmd_read_bin_file(system_dbusd_t)
@@ -120,14 +124,6 @@ tunable_policy(`read_default_t',`
files_read_default_pipes(system_dbusd_t)
')
-optional_policy(`authlogin.te',`
- auth_read_pam_console_data(system_dbusd_t)
-')
-
-optional_policy(`nis.te',`
- nis_use_ypbind(system_dbusd_t)
-')
-
optional_policy(`nscd.te',`
nscd_use_socket(system_dbusd_t)
')
diff --git a/refpolicy/policy/modules/services/dhcp.te b/refpolicy/policy/modules/services/dhcp.te
index 62a990f8..6673f768 100644
--- a/refpolicy/policy/modules/services/dhcp.te
+++ b/refpolicy/policy/modules/services/dhcp.te
@@ -61,6 +61,7 @@ corenet_tcp_sendrecv_all_ports(dhcpd_t)
corenet_udp_sendrecv_all_ports(dhcpd_t)
corenet_tcp_bind_all_nodes(dhcpd_t)
corenet_udp_bind_all_nodes(dhcpd_t)
+corenet_tcp_bind_dhcpd_port(dhcpd_t)
corenet_udp_bind_dhcpd_port(dhcpd_t)
corenet_udp_bind_pxe_port(dhcpd_t)
corenet_tcp_connect_all_ports(dhcpd_t)
diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te
index e54b4ce0..32eda81f 100644
--- a/refpolicy/policy/modules/services/ftp.te
+++ b/refpolicy/policy/modules/services/ftp.te
@@ -157,10 +157,10 @@ tunable_policy(`use_samba_home_dirs && ftp_home_dir',`
fs_read_cifs_symlinks(ftpd_t)
')
-optional_policy(`crond.te', `
+optional_policy(`cron.te',`
corecmd_exec_shell(ftpd_t)
- files_read_usr_file(ftpd_t)
+ files_read_usr_files(ftpd_t)
cron_system_entry(ftpd_t, ftpd_exec_t)
@@ -170,14 +170,16 @@ optional_policy(`crond.te', `
')
optional_policy(`inetd.te',`
- if (!ftpd_is_daemon) {
+ tunable_policy(`! ftpd_is_daemon',`
#reh: typeattributes not allowed in conditionals yet.
#inetd_tcp_service_domain(ftpd_t,ftpd_exec_t)
+ ')
- optional_policy(`tcpd.te',`
+ optional_policy(`tcpd.te',`
+ tunable_policy(`! ftpd_is_daemon',`
tcpd_domtrans(tcpd_t)
')
- }
+ ')
')
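Review bot: With the `if` block converted to `tunable_policy(`! ftpd_is_daemon',…)`, the only rule left active inside it is `tcpd_domtrans(tcpd_t)` (the inetd line stays commented out), and that call names the tcpd domain itself as the domain that transitions, which looks like it should be `tcpd_domtrans(ftpd_t)`; the hunk leaves the line unchanged, so confirm the intended argument. The nested `tunable_policy` inside `optional_policy(`tcpd.te',…)` also repeats the outer condition string, so a later rename of the boolean has to be applied in two places.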
optional_policy(`mount.te',`
diff --git a/refpolicy/policy/modules/services/hal.te b/refpolicy/policy/modules/services/hal.te
index b9f19340..0eff9fd5 100644
--- a/refpolicy/policy/modules/services/hal.te
+++ b/refpolicy/policy/modules/services/hal.te
@@ -101,6 +101,7 @@ libs_exec_lib_files(hald_t)
logging_send_syslog_msg(hald_t)
miscfiles_read_localization(hald_t)
+miscfiles_read_hwdata(hald_t)
seutil_read_config(hald_t)
seutil_read_default_contexts(hald_t)
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 2d7e33c6..eb91503d 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -343,7 +343,7 @@ interface(`mta_rw_aliases',`
#
interface(`mta_dontaudit_rw_delivery_tcp_socket',`
gen_require(`
- attribute mailserver_domain;
+ attribute mailserver_delivery;
')
dontaudit $1 mailserver_delivery:tcp_socket { read write };
diff --git a/refpolicy/policy/modules/services/mysql.te b/refpolicy/policy/modules/services/mysql.te
index 0d8f7d3c..49f0f9ec 100644
--- a/refpolicy/policy/modules/services/mysql.te
+++ b/refpolicy/policy/modules/services/mysql.te
@@ -68,6 +68,7 @@ corenet_raw_sendrecv_all_nodes(mysqld_t)
corenet_tcp_sendrecv_all_ports(mysqld_t)
corenet_tcp_bind_all_nodes(mysqld_t)
corenet_tcp_bind_mysqld_port(mysqld_t)
+corenet_tcp_connect_mysqld_port(mysqld_t)
dev_read_sysfs(mysqld_t)
diff --git a/refpolicy/policy/modules/services/nis.te b/refpolicy/policy/modules/services/nis.te
index 1c1d9e5d..7928f964 100644
--- a/refpolicy/policy/modules/services/nis.te
+++ b/refpolicy/policy/modules/services/nis.te
@@ -182,6 +182,8 @@ fs_search_auto_mountpoints(ypserv_t)
term_dontaudit_use_console(ypserv_t)
+corecmd_exec_bin(ypserv_t)
+
domain_use_wide_inherit_fd(ypserv_t)
init_use_fd(ypserv_t)
diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te
index 0e5f6f7a..c1c2fa05 100644
--- a/refpolicy/policy/modules/services/nscd.te
+++ b/refpolicy/policy/modules/services/nscd.te
@@ -34,6 +34,7 @@ allow nscd_t self:unix_stream_socket create_stream_socket_perms;
allow nscd_t self:unix_dgram_socket create_socket_perms;
allow nscd_t self:netlink_selinux_socket create_socket_perms;
allow nscd_t self:netlink_route_socket r_netlink_socket_perms;
+allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
allow nscd_t self:tcp_socket create_socket_perms;
allow nscd_t self:udp_socket create_socket_perms;
diff --git a/refpolicy/policy/modules/services/ntp.te b/refpolicy/policy/modules/services/ntp.te
index 3c1bdba4..e7683901 100644
--- a/refpolicy/policy/modules/services/ntp.te
+++ b/refpolicy/policy/modules/services/ntp.te
@@ -30,10 +30,11 @@ init_system_domain(ntpd_t,ntpdate_exec_t)
# Local policy
#
-allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock sys_chroot };
+# sys_resource and setrlimit is for locking memory
# ntpdate wants sys_nice
+allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock sys_chroot sys_nice sys_resource };
dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
-allow ntpd_t self:process { signal_perms setcap setsched };
+allow ntpd_t self:process { signal_perms setcap setsched setrlimit };
allow ntpd_t self:fifo_file { read write getattr };
allow ntpd_t self:unix_dgram_socket create_socket_perms;
allow ntpd_t self:unix_stream_socket create_socket_perms;
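Review bot: `sys_nice` is now granted on the new `allow ntpd_t self:capability { … sys_nice sys_resource };` line and still listed in the `dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };` line beneath it; once allowed, the dontaudit entry is dead and hides that the capability was promoted, so drop `sys_nice` from the dontaudit set. The new comment `# sys_resource and setrlimit is for locking memory` should read `are for`, and the pre-existing `# ntpdate wants sys_nice` now sits between that comment and the rule it annotates, so consider placing both comments together directly above the allow rule.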
@@ -120,8 +121,7 @@ ifdef(`targeted_policy', `
optional_policy(`cron.te',`
# for cron jobs
- # system_crond_t is not right, cron is not doing what it should
- cron_system_entry(ntpd_t,ntpd_exec_t)
+ cron_system_entry(ntpd_t,ntpdate_exec_t)
')
optional_policy(`firstboot.te',`
diff --git a/refpolicy/policy/modules/services/rsync.te b/refpolicy/policy/modules/services/rsync.te
index 1ad01fb6..aa54016a 100644
--- a/refpolicy/policy/modules/services/rsync.te
+++ b/refpolicy/policy/modules/services/rsync.te
@@ -26,6 +26,7 @@ files_pid_file(rsync_var_run_t)
# Local policy
#
+allow rsync_t self:capability sys_chroot;
allow rsync_t self:process signal_perms;
allow rsync_t self:fifo_file rw_file_perms;
allow rsync_t self:tcp_socket { listen accept connected_socket_perms };
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index 5ea57456..ae2ede64 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -225,10 +225,12 @@ dev_read_sysfs(smbd_t)
dev_read_urand(smbd_t)
fs_getattr_all_fs(smbd_t)
+fs_get_xattr_fs_quotas(smbd_t)
fs_search_auto_mountpoints(smbd_t)
term_dontaudit_use_console(smbd_t)
+auth_use_nsswitch(smbd_t)
auth_domtrans_chk_passwd(smbd_t)
domain_use_wide_inherit_fd(smbd_t)
@@ -238,6 +240,8 @@ files_read_etc_files(smbd_t)
files_read_etc_runtime_files(smbd_t)
files_read_usr_files(smbd_t)
files_search_spool(smbd_t)
+# Allow samba to list mnt_t for potential mounted dirs
+files_list_mnt(smbd_t)
init_use_fd(smbd_t)
init_use_script_pty(smbd_t)
@@ -268,17 +272,6 @@ optional_policy(`kerberos.te',`
kerberos_use(smbd_t)
')
-optional_policy(`ldap.te',`
- allow smbd_t self:tcp_socket create_socket_perms;
- corenet_tcp_sendrecv_all_if(smbd_t)
- corenet_raw_sendrecv_all_if(smbd_t)
- corenet_tcp_sendrecv_all_nodes(smbd_t)
- corenet_raw_sendrecv_all_nodes(smbd_t)
- corenet_tcp_sendrecv_ldap_port(smbd_t)
- corenet_tcp_bind_all_nodes(smbd_t)
- sysnet_read_config(smbd_t)
-')
-
optional_policy(`nis.te',`
nis_use_ypbind(smbd_t)
')
@@ -300,7 +293,10 @@ optional_policy(`rhgb.te',`
rhgb_domain(smbd_t)
')
anonymous_domain(smbd)
-can_winbind(smbd_t)
+ifdef(`hide_broken_symptoms', `
+dontaudit smbd_t { devpts_t boot_t default_t tmpfs_t }:dir getattr;
+dontaudit smbd_t devpts_t:dir getattr;
+')
')
########################################
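Review bot: In the new `hide_broken_symptoms` block the second line `dontaudit smbd_t devpts_t:dir getattr;` is already covered by the `{ devpts_t boot_t default_t tmpfs_t }` set on the line above it and can be dropped. Those four types belong to other modules and are used here without a `gen_require` or an interface, unlike the rest of this file which goes through `files_*`/`fs_*`/`term_*` calls; the providing modules' dontaudit-getattr interfaces, where they exist, would keep the module self-contained. Removing `can_winbind(smbd_t)` also drops smbd's access to the winbind socket, and the replacement path in `auth_use_nsswitch()` is under `ifdef(`TODO',…)`, so confirm a winbind-backed smbd still works. The block this hunk sits in begins outside the hunk.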
@@ -626,6 +622,8 @@ allow winbind_helper_t samba_etc_t:dir r_dir_perms;
allow winbind_helper_t samba_etc_t:lnk_file { getattr read };
allow winbind_helper_t samba_etc_t:file r_file_perms;
+allow winbind_helper_t samba_var_t:dir search;
+
allow winbind_helper_t winbind_var_run_t:dir r_dir_perms;
allow winbind_helper_t winbind_var_run_t:sock_file { getattr read write };
allow winbind_helper_t winbind_t:unix_stream_socket connectto;
@@ -644,3 +642,7 @@ miscfiles_read_localization(winbind_helper_t)
optional_policy(`nscd.te',`
nscd_use_socket(winbind_helper_t)
')
+
+ifdef(`TODO',`
+allow winbind_helper_t squid_log_t:file ra_file_perms;
+')
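Review bot: The `ifdef(`TODO',…)` block appended at the end of the file is dead code that references `squid_log_t`, a type this module neither declares nor requires; if winbind_helper really needs to append to the squid log, that belongs in an `optional_policy(`squid.te',…)` block calling a squid-provided interface, and otherwise the block should be left out of the commit rather than carried as a placeholder.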
diff --git a/refpolicy/policy/modules/services/snmp.te b/refpolicy/policy/modules/services/snmp.te
index 7892b207..10adf7d2 100644
--- a/refpolicy/policy/modules/services/snmp.te
+++ b/refpolicy/policy/modules/services/snmp.te
@@ -26,11 +26,10 @@ files_type(snmpd_var_lib_t)
# Local policy
#
allow snmpd_t self:capability { dac_override kill net_admin sys_nice sys_tty_config };
-allow snmpd_t self:file { getattr read };
allow snmpd_t self:fifo_file rw_file_perms;
-allow snmpd_t self:tcp_socket create_stream_socket_perms;
allow snmpd_t self:unix_dgram_socket create_socket_perms;
-allow snmpd_t self:unix_stream_socket create_socket_perms;
+allow snmpd_t self:unix_stream_socket create_stream_socket_perms;
+allow snmpd_t self:tcp_socket create_stream_socket_perms;
allow snmpd_t snmpd_etc_t:file { getattr read };
@@ -38,9 +37,10 @@ allow snmpd_t snmpd_log_t:file create_file_perms;
logging_create_log(snmpd_t,snmpd_log_t)
allow snmpd_t snmpd_var_lib_t:file create_file_perms;
+allow snmpd_t snmpd_var_lib_t:sock_file create_file_perms;
allow snmpd_t snmpd_var_lib_t:dir create_dir_perms;
files_create_usr(snmpd_t,snmpd_var_lib_t)
-files_create_var(snmpd_t,snmpd_var_lib_t,{ file dir })
+files_create_var(snmpd_t,snmpd_var_lib_t,{ file dir sock_file })
files_create_var_lib(snmpd_t,snmpd_var_lib_t)
allow snmpd_t snmpd_var_run_t:file create_file_perms;
@@ -80,6 +80,7 @@ corecmd_exec_sbin(snmpd_t)
corecmd_exec_shell(snmpd_t)
domain_use_wide_inherit_fd(snmpd_t)
+domain_signull_all_domains(snmpd_t)
domain_read_all_domains_state(snmpd_t)
files_read_etc_files(snmpd_t)
diff --git a/refpolicy/policy/modules/services/squid.te b/refpolicy/policy/modules/services/squid.te
index 5e8fcb90..a18741a8 100644
--- a/refpolicy/policy/modules/services/squid.te
+++ b/refpolicy/policy/modules/services/squid.te
@@ -78,6 +78,10 @@ corenet_tcp_bind_all_nodes(squid_t)
corenet_udp_bind_all_nodes(squid_t)
corenet_tcp_bind_http_cache_port(squid_t)
corenet_udp_bind_http_cache_port(squid_t)
+corenet_tcp_bind_ftp_port(squid_t)
+corenet_udp_bind_ftp_port(squid_t)
+corenet_tcp_bind_gopher_port(squid_t)
+corenet_udp_bind_gopher_port(squid_t)
corenet_tcp_connect_ftp_port(squid_t)
corenet_tcp_connect_gopher_port(squid_t)
corenet_tcp_connect_http_port(squid_t)
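Review bot: The four new `corenet_{tcp,udp}_bind_{ftp,gopher}_port(squid_t)` rules let squid listen on the FTP and gopher ports, including over UDP, but nothing says which squid configuration needs a proxy to bind those ports rather than only connect to them, which the existing connect rules below already permit. Add a comment naming the feature, and drop the UDP binds unless that feature actually uses UDP on those ports.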
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 59469f2f..a5743928 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -825,6 +825,28 @@ interface(`auth_manage_login_records',`
allow $1 wtmp_t:file create_file_perms;
')
+########################################
+##
+## Use nsswitch to look up uid-username mappings.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`auth_use_nsswitch',`
+
+ sysnet_dns_name_resolve($1)
+ sysnet_use_ldap($1)
+
+ optional_policy(`nis.te',`
+ nis_use_ypbind($1)
+ ')
+
+ ifdef(`TODO',`
+ can_winbind($1)
+ ')
+')
+
########################################
##
## Unconfined access to the authlogin module.
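Review bot: The summary `## Use nsswitch to look up uid-username mappings.` undersells what `auth_use_nsswitch()` grants: the body gives the caller DNS name resolution, LDAP client access and, when nis is present, ypbind use, which is network access that every caller in this commit (httpd, dbus, smbd, pam_console) now inherits; say so in the summary, e.g. `## Use nsswitch for name and uid lookups: DNS resolution, LDAP client and NIS access.` The `ifdef(`TODO',` can_winbind($1) `)` block is dead code; if winbind support is meant to arrive through this interface it should be an `optional_policy(`samba.te',…)` call to a samba-provided interface rather than the old macro, and otherwise it should be removed.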
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 88401cfe..63225ee9 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -19,7 +19,11 @@ logging_log_file(faillog_t)
type lastlog_t;
logging_log_file(lastlog_t)
-type login_exec_t;
+# real declaration moved to mls until
+# range_transition works in loadable modules
+gen_require(`
+ type login_exec_t;
+')
files_type(login_exec_t)
type pam_console_t;
@@ -141,7 +145,8 @@ allow pam_console_t self:process { sigchld sigkill sigstop signull signal };
# for /var/run/console.lock checking
allow pam_console_t pam_var_console_t:dir r_dir_perms;;
allow pam_console_t pam_var_console_t:file r_file_perms;
-allow pam_console_t pam_var_console_t:lnk_file r_file_perms;
+dontaudit pam_console_t pam_var_console_t:file write;
+allow pam_console_t pam_var_console_t:lnk_file { getattr read };
kernel_read_kernel_sysctl(pam_console_t)
kernel_use_fd(pam_console_t)
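Review bot: The context line `allow pam_console_t pam_var_console_t:dir r_dir_perms;;` two lines above the change carries a doubled semicolon; it is not touched by this hunk, but since the adjacent rules are being rewritten anyway this is the moment to fix it to `allow pam_console_t pam_var_console_t:dir r_dir_perms;` (confirm whether the policy compiler tolerates the empty statement today). The new `dontaudit pam_console_t pam_var_console_t:file write;` has no comment saying which operation produces the write attempt being silenced; a short note in the style of the existing `# for /var/run/console.lock checking` line would help decide later whether an allow is warranted instead.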
@@ -182,6 +187,8 @@ term_setattr_console(pam_console_t)
term_getattr_unallocated_ttys(pam_console_t)
term_setattr_unallocated_ttys(pam_console_t)
+auth_use_nsswitch(pam_console_t)
+
domain_use_wide_inherit_fd(pam_console_t)
files_read_etc_files(pam_console_t)
@@ -305,6 +312,8 @@ allow utempter_t self:unix_stream_socket create_stream_socket_perms;
allow utempter_t wtmp_t:file rw_file_perms;
+dev_read_urand(utempter_t)
+
term_getattr_all_user_ttys(utempter_t)
term_getattr_all_user_ptys(utempter_t)
term_dontaudit_use_all_user_ttys(utempter_t)
diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te
index 05334331..3ac2b203 100644
--- a/refpolicy/policy/modules/system/clock.te
+++ b/refpolicy/policy/modules/system/clock.te
@@ -50,7 +50,7 @@ domain_use_wide_inherit_fd(hwclock_t)
init_use_fd(hwclock_t)
init_use_script_pty(hwclock_t)
-files_list_etc(hwclock_t)
+files_read_etc_files(hwclock_t)
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dir(hwclock_t)
diff --git a/refpolicy/policy/modules/system/getty.te b/refpolicy/policy/modules/system/getty.te
index c403848e..00586cd8 100644
--- a/refpolicy/policy/modules/system/getty.te
+++ b/refpolicy/policy/modules/system/getty.te
@@ -6,7 +6,11 @@ policy_module(getty,1.0)
# Declarations
#
-type getty_t;
+# real declaration moved to mls until
+# range_transition works in loadable modules
+gen_require(`
+ type getty_t;
+')
type getty_exec_t;
init_domain(getty_t,getty_exec_t)
domain_wide_inherit_fd(getty_t)
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index b9e33102..6e268c6d 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -111,6 +111,7 @@ libs_read_lib(hotplug_t)
modutils_domtrans_insmod(hotplug_t)
modutils_read_mods_deps(hotplug_t)
+miscfiles_read_hwdata(hotplug_t)
miscfiles_read_localization(hotplug_t)
seutil_dontaudit_search_config(hotplug_t)
@@ -163,6 +164,10 @@ optional_policy(`nis.te',`
nis_use_ypbind(hotplug_t)
')
+optional_policy(`nscd.te',`
+ nscd_use_socket(hotplug_t)
+')
+
optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(hotplug_t)
')
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 8513036e..9b5f8e47 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -22,7 +22,11 @@ role system_r types init_t;
#
# init_exec_t is the type of the init program.
#
-type init_exec_t;
+# real declaration moved to mls until
+# range_transition works in loadable modules
+gen_require(`
+ type init_exec_t;
+')
kernel_userland_entry(init_t,init_exec_t)
domain_entry_file(init_t,init_exec_t)
@@ -41,7 +45,11 @@ type initctl_t;
files_type(initctl_t)
mls_trusted_object(initctl_t)
-type initrc_t;
+# real declaration moved to mls until
+# range_transition works in loadable modules
+gen_require(`
+ type initrc_t;
+')
domain_type(initrc_t)
role system_r types initrc_t;
@@ -192,7 +200,7 @@ allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
allow initrc_t init_t:fd use;
-allow initrc_t initrc_exec_t:file { getattr read ioctl execute execute_no_trans };
+can_exec(initrc_t,initrc_exec_t)
allow initrc_t initrc_state_t:dir create_dir_perms;
allow initrc_t initrc_state_t:file create_file_perms;
@@ -201,6 +209,7 @@ allow initrc_t initrc_state_t:lnk_file { create read getattr setattr unlink rena
allow initrc_t initrc_var_run_t:file create_file_perms;
files_create_pid(initrc_t,initrc_var_run_t)
+can_exec(initrc_t,initrc_tmp_t)
allow initrc_t initrc_tmp_t:file create_file_perms;
allow initrc_t initrc_tmp_t:dir create_dir_perms;
files_create_tmp_files(initrc_t,initrc_tmp_t, { file dir })
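Review bot: `can_exec(initrc_t,initrc_tmp_t)` lets initrc execute files of a type it can also create and write (the `create_file_perms` rule on the next line), which removes the write-versus-execute separation for that tmp type; the hunk gives no reason. Record which init script needs to run something out of its tmp directory in a comment above the rule, and if only one script does, prefer giving that script's files their own type rather than granting execute on the whole initrc_tmp_t.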
@@ -329,6 +338,8 @@ logging_append_all_logs(initrc_t)
logging_read_auditd_config(initrc_t)
miscfiles_read_localization(initrc_t)
+# slapd needs to read cert files from its initscript
+miscfiles_read_certs(initrc_t)
mls_file_read_up(initrc_t)
mls_file_write_down(initrc_t)
@@ -610,6 +621,16 @@ ifdef(`distro_redhat', `
allow initrc_t self:capability sys_admin;
allow initrc_t device_t:dir create;
+ # wants to delete /poweroff and other files
+ allow initrc_t root_t:file unlink;
+ # wants to read /.fonts directory
+ allow initrc_t default_t:file { getattr read };
+ ifdef(`xserver.te', `
+ # wants to cleanup xserver log dir
+ allow initrc_t xserver_log_t:dir rw_dir_perms;
+ allow initrc_t xserver_log_t:file unlink;
+ ')
+
optional_policy(`rpm.te',`
rpm_stub()
#read ahead wants to read this
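Review bot: The new distro_redhat rules reference `root_t`, `default_t` and `xserver_log_t` directly, types owned by the files and xserver modules, and `ifdef(`xserver.te',…)` guards the xserver part while the very next lines use `optional_policy(`rpm.te',…)` for the same kind of dependency; use `optional_policy(`xserver.te',…)` and the providing modules' interfaces so these rules only compile when those modules are built. `allow initrc_t default_t:file { getattr read };` is also broader than `# wants to read /.fonts directory` suggests, since default_t is the fallback label for any path the file contexts do not match, not just /.fonts.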
diff --git a/refpolicy/policy/modules/system/ipsec.te b/refpolicy/policy/modules/system/ipsec.te
index a9549633..be5328a5 100644
--- a/refpolicy/policy/modules/system/ipsec.te
+++ b/refpolicy/policy/modules/system/ipsec.te
@@ -89,6 +89,7 @@ corenet_raw_sendrecv_all_nodes(ipsec_t)
corenet_tcp_sendrecv_all_ports(ipsec_t)
corenet_tcp_bind_all_nodes(ipsec_t)
corenet_udp_bind_reserved_port(ipsec_t)
+corenet_udp_bind_isakmp_port(ipsec_t)
dev_read_sysfs(ipsec_t)
dev_read_rand(ipsec_t)
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index d23c918e..36fd3bda 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -123,16 +123,19 @@ fs_search_auto_mountpoints(auditd_t)
term_dontaudit_use_console(auditd_t)
-init_use_fd(auditd_t)
-init_exec(auditd_t)
-init_write_initctl(auditd_t)
-init_use_script_pty(auditd_t)
+# cjp: why?
+corecmd_exec_sbin(auditd_t)
domain_use_wide_inherit_fd(auditd_t)
files_read_etc_files(auditd_t)
files_list_usr(auditd_t)
+init_use_fd(auditd_t)
+init_exec(auditd_t)
+init_write_initctl(auditd_t)
+init_use_script_pty(auditd_t)
+
logging_send_syslog_msg(auditd_t)
libs_use_ld_so(auditd_t)
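Review bot: `corecmd_exec_sbin(auditd_t)` lands with the comment `# cjp: why?`, which is an open question rather than a justification, and a permission whose reason is unknown should not be committed as-is. Either replace the comment with the reason (the program under /sbin that auditd executes), or leave the rule out until that is established. The reordering of the `init_*` calls below it is fine.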
@@ -292,6 +295,7 @@ init_use_script_pty(syslogd_t)
domain_use_wide_inherit_fd(syslogd_t)
files_read_etc_files(syslogd_t)
+files_read_etc_runtime_files(syslogd_t)
# /initrd is not umounted before minilog starts
files_dontaudit_search_isid_type_dir(syslogd_t)
@@ -325,6 +329,10 @@ optional_policy(`nis.te',`
nis_use_ypbind(syslogd_t)
')
+optional_policy(`nscd.te',`
+ nscd_use_socket(syslogd_t)
+')
+
optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(syslogd_t)
')
diff --git a/refpolicy/policy/modules/system/miscfiles.fc b/refpolicy/policy/modules/system/miscfiles.fc
index 34430146..5327fda9 100644
--- a/refpolicy/policy/modules/system/miscfiles.fc
+++ b/refpolicy/policy/modules/system/miscfiles.fc
@@ -12,8 +12,8 @@
#
# /srv
#
-/srv/([^/]*/)?ftp(/.*)? gen_context(system_u:object_r:ftpd_anon_t,s0)
-/srv/([^/]*/)?rsync(/.*)? gen_context(system_u:object_r:ftpd_anon_t,s0)
+/srv/([^/]*/)?ftp(/.*)? gen_context(system_u:object_r:public_content_t,s0)
+/srv/([^/]*/)?rsync(/.*)? gen_context(system_u:object_r:public_content_t,s0)
#
# /usr
@@ -44,7 +44,7 @@
#
# /var
#
-/var/ftp(/.*)? gen_context(system_u:object_r:ftpd_anon_t,s0)
+/var/ftp(/.*)? gen_context(system_u:object_r:public_content_t,s0)
ifdef(`distro_debian', `
/var/lib/msttcorefonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
diff --git a/refpolicy/policy/modules/system/miscfiles.if b/refpolicy/policy/modules/system/miscfiles.if
index 44bac280..39c5c5bf 100644
--- a/refpolicy/policy/modules/system/miscfiles.if
+++ b/refpolicy/policy/modules/system/miscfiles.if
@@ -5,7 +5,7 @@
## Read system SSL certificates.
##
##
-## Type type of the process performing this action.
+## Domain allowed access.
##
#
interface(`miscfiles_read_certs',`
@@ -23,7 +23,7 @@ interface(`miscfiles_read_certs',`
## Read fonts.
##
##
-## Type type of the process performing this action.
+## Domain allowed access.
##
#
interface(`miscfiles_read_fonts',`
@@ -41,40 +41,20 @@ interface(`miscfiles_read_fonts',`
########################################
##
-## Read public files used for file
-## transfer services.
+## Read hardware identification data.
##
##
## Domain allowed access.
##
#
-interface(`miscfiles_read_public_files',`
+interface(`miscfiles_read_hwdata',`
gen_require(`
- type ftpd_anon_t;
+ type hwdata_t;
')
- allow $1 ftpd_anon_t:dir r_dir_perms;
- allow $1 ftpd_anon_t:file r_file_perms;
- allow $1 ftpd_anon_t:lnk_file { getattr read };
-')
-
-########################################
-##
-## Create, read, write, and delete public files
-## and directories used for file transfer services.
-##
-##
-## Domain allowed access.
-##
-#
-interface(`miscfiles_manage_public_files',`
- gen_require(`
- type ftpd_anon_rw_t;
- ')
-
- allow $1 ftpd_anon_rw_t:dir create_dir_perms;
- allow $1 ftpd_anon_rw_t:file create_file_perms;
- allow $1 ftpd_anon_rw_t:lnk_file create_lnk_perms;
+ allow $1 hwdata_t:dir r_dir_perms;
+ allow $1 hwdata_t:file r_file_perms;
+ allow $1 hwdata_t:file { getattr read };
')
########################################
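Review bot: In `miscfiles_read_hwdata()` the third rule `allow $1 hwdata_t:file { getattr read };` is a subset of the `r_file_perms` granted on the line above it and therefore a no-op; the sibling interfaces in this file end with a `lnk_file { getattr read }` rule, so this was probably meant to be `allow $1 hwdata_t:lnk_file { getattr read };`. Confirm which was intended and fix or drop the line.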
@@ -82,7 +62,7 @@ interface(`miscfiles_manage_public_files',`
## Allow process to read localization info
##
##
-## Type type of the process performing this action.
+## Domain allowed access.
##
#
interface(`miscfiles_read_localization',`
@@ -106,7 +86,7 @@ interface(`miscfiles_read_localization',`
## Allow process to read legacy time localization info
##
##
-## Type type of the process performing this action.
+## Domain allowed access.
##
#
interface(`miscfiles_legacy_read_localization',`
@@ -176,12 +156,50 @@ interface(`miscfiles_manage_man_pages',`
allow $1 man_t:lnk_file r_file_perms;
')
+########################################
+##
+## Read public files used for file
+## transfer services.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`miscfiles_read_public_files',`
+ gen_require(`
+ type public_content_t;
+ ')
+
+ allow $1 public_content_t:dir r_dir_perms;
+ allow $1 public_content_t:file r_file_perms;
+ allow $1 public_content_t:lnk_file { getattr read };
+')
+
+########################################
+##
+## Create, read, write, and delete public files
+## and directories used for file transfer services.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`miscfiles_manage_public_files',`
+ gen_require(`
+ type public_content_rw_t;
+ ')
+
+ allow $1 public_content_rw_t:dir create_dir_perms;
+ allow $1 public_content_rw_t:file create_file_perms;
+ allow $1 public_content_rw_t:lnk_file create_lnk_perms;
+')
+
########################################
##
## Read TeX data
##
##
-## Type type of the process performing this action.
+## Domain allowed access.
##
#
interface(`miscfiles_read_tetex_data',`
@@ -203,7 +221,7 @@ interface(`miscfiles_read_tetex_data',`
## Execute TeX data programs in the caller domain.
##
##
-## Type type of the process performing this action.
+## Domain allowed access.
##
#
interface(`miscfiles_exec_tetex_data',`
diff --git a/refpolicy/policy/modules/system/miscfiles.te b/refpolicy/policy/modules/system/miscfiles.te
index 535e1af9..ba7d43ee 100644
--- a/refpolicy/policy/modules/system/miscfiles.te
+++ b/refpolicy/policy/modules/system/miscfiles.te
@@ -20,13 +20,10 @@ type fonts_t;
files_type(fonts_t)
#
-# Type for anonymous FTP data, used by ftp and rsync
+# type for /usr/share/hwdata
#
-type ftpd_anon_t; #, customizable;
-files_type(ftpd_anon_t)
-
-type ftpd_anon_rw_t; #, customizable;
-files_type(ftpd_anon_rw_t)
+type hwdata_t;
+files_type(hwdata_t)
#
# type for /tmp/.ICE-unix
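Review bot: Dropping `ftpd_anon_t` and `ftpd_anon_rw_t` here while the replacement `public_content_t` / `public_content_rw_t` are declared in the following hunk is effectively a rename, but the file-context entries and any module that still references the old type names are not in this diff; if any remain, the policy build fails on an undeclared type. The comment above `hwdata_t` would also benefit from naming who the consumers are, e.g. `# type for /usr/share/hwdata (read by hardware-probing domains)`, since the type is otherwise undocumented.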
@@ -46,6 +43,15 @@ files_type(locale_t)
type man_t alias catman_t;
files_type(man_t)
+#
+# Types for public content
+#
+type public_content_t; #, customizable;
+files_type(public_content_t)
+
+type public_content_rw_t; #, customizable;
+files_type(public_content_rw_t)
+
#
# Base type for the tests directory.
#
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index ced726e3..98e63978 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -19,7 +19,7 @@ files_tmp_file(mount_tmp_t)
# mount local policy
#
-allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown };
+allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config };
allow mount_t mount_tmp_t:file create_file_perms;
allow mount_t mount_tmp_t:dir create_dir_perms;
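Review bot: The new `sys_tty_config` capability on `mount_t` has no comment saying which operation needs it, and the capability is unrelated to mounting, so a later reviewer cannot tell whether it is still required. Add a one-line rationale above the rule, e.g. `# sys_tty_config: <operation that triggered the denial>`, naming the observed denial rather than leaving the grant unexplained.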
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index d690a995..4afa29bb 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -168,7 +168,8 @@ init_use_script_pty(load_policy_t)
domain_use_wide_inherit_fd(load_policy_t)
-files_search_etc(load_policy_t)
+# for mcs.conf
+files_read_etc_files(load_policy_t)
libs_use_ld_so(load_policy_t)
libs_use_shared_libs(load_policy_t)
@@ -287,6 +288,11 @@ dev_rw_generic_file(restorecon_t)
fs_getattr_xattr_fs(restorecon_t)
+mls_file_read_up(restorecon_t)
+mls_file_write_down(restorecon_t)
+mls_file_upgrade(restorecon_t)
+mls_file_downgrade(restorecon_t)
+
selinux_get_fs_mount(restorecon_t)
selinux_validate_context(restorecon_t)
selinux_compute_access_vector(restorecon_t)
@@ -311,11 +317,6 @@ libs_use_shared_libs(restorecon_t)
logging_send_syslog_msg(restorecon_t)
-mls_file_read_up(restorecon_t)
-mls_file_write_down(restorecon_t)
-mls_file_upgrade(restorecon_t)
-mls_file_downgrade(restorecon_t)
-
userdom_use_all_user_fd(restorecon_t)
# relabeling rules
@@ -430,6 +431,11 @@ kernel_list_unlabeled(setfiles_t)
fs_getattr_xattr_fs(setfiles_t)
fs_list_all(setfiles_t)
+mls_file_read_up(setfiles_t)
+mls_file_write_down(setfiles_t)
+mls_file_upgrade(setfiles_t)
+mls_file_downgrade(setfiles_t)
+
selinux_get_fs_mount(setfiles_t)
selinux_validate_context(setfiles_t)
selinux_compute_access_vector(setfiles_t)
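Review bot: The four `mls_file_*` calls added for `setfiles_t` exempt it from MLS read-up/write-down and up/downgrade constraints, which is a significant widening that the hunk leaves uncommented; the same block is moved for `restorecon_t` in the two preceding hunks of this file. A short comment such as `# relabel files at any MLS level` above the group would record why the exemption is acceptable for a relabeling tool. The reordering for `restorecon_t` appears to be purely cosmetic.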
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
index 5e3a4c87..656a0aa9 100644
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@@ -395,13 +395,19 @@ interface(`sysnet_dns_name_resolve',`
type net_conf_t;
')
+ allow $1 self:tcp_socket create_socket_perms;
allow $1 self:udp_socket create_socket_perms;
+ corenet_tcp_sendrecv_all_if($1)
corenet_udp_sendrecv_all_if($1)
corenet_raw_sendrecv_all_if($1)
+ corenet_tcp_sendrecv_all_nodes($1)
corenet_udp_sendrecv_all_nodes($1)
corenet_raw_sendrecv_all_nodes($1)
+ corenet_tcp_sendrecv_all_ports($1)
corenet_udp_sendrecv_dns_port($1)
+ corenet_tcp_bind_all_nodes($1)
corenet_udp_bind_all_nodes($1)
+ corenet_tcp_connect_dns_port($1)
files_search_etc($1)
allow $1 net_conf_t:file r_file_perms;
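Review bot: The TCP rules added to `sysnet_dns_name_resolve` are broader than their UDP counterparts: `corenet_tcp_sendrecv_all_ports($1)` covers every port, whereas the UDP side is restricted to `corenet_udp_sendrecv_dns_port($1)`, and `corenet_tcp_bind_all_nodes($1)` is not obviously needed by a resolver client that only connects out. For a DNS-over-TCP fallback the narrower `corenet_tcp_sendrecv_dns_port($1)` alongside the existing `corenet_tcp_connect_dns_port($1)` would keep the interface scoped to DNS. Every caller of this interface inherits the widening, so it is worth tightening before the interface is widely used.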
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 75715b6f..9cac1431 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -57,6 +57,7 @@ allow dhcpc_t dhcp_etc_t:lnk_file r_file_perms;
allow dhcpc_t dhcp_etc_t:file { r_file_perms execute execute_no_trans };
allow dhcpc_t dhcp_state_t:dir rw_dir_perms;
+allow dhcpc_t dhcp_state_t:file { getattr read };
allow dhcpc_t dhcpc_state_t:file create_file_perms;
type_transition dhcpc_t dhcp_state_t:file dhcpc_state_t;
@@ -268,8 +269,7 @@ files_read_etc_files(ifconfig_t);
kernel_use_fd(ifconfig_t)
kernel_read_system_state(ifconfig_t)
kernel_read_network_state(ifconfig_t)
-kernel_dontaudit_search_sysctl_dir(ifconfig_t)
-kernel_dontaudit_search_network_sysctl_dir(ifconfig_t)
+kernel_search_network_sysctl(ifconfig_t)
corenet_use_tun_tap_device(ifconfig_t)
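Review bot: Replacing both `kernel_dontaudit_search_sysctl_dir(ifconfig_t)` and `kernel_dontaudit_search_network_sysctl_dir(ifconfig_t)` with the single `kernel_search_network_sysctl(ifconfig_t)` drops the generic sysctl directory from the rule set; if the new interface does not also grant search on the top-level sysctl directory, those lookups will now be denied and audited where they were previously silenced. The definition of the new interface is not in this diff, so this should be verified against it. A comment noting the intent (allow rather than silence) would also help, mirroring what the `strict/` tree does later in this patch.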
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index 4247dd39..c021f91f 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -6,8 +6,13 @@ policy_module(udev,1.0)
# Declarations
#
+# real declaration moved to mls until
+# range_transition works in loadable modules
+gen_require(`
+ type udev_exec_t;
+')
+
type udev_t;
-type udev_exec_t;
type udev_helper_exec_t;
kernel_userland_entry(udev_t,udev_exec_t)
domain_obj_id_change_exempt(udev_t)
@@ -34,19 +39,19 @@ files_pid_file(udev_var_run_t)
# Local policy
#
-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio };
+allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_nice };
allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow udev_t self:process { execmem setfscreate };
allow udev_t self:fd use;
allow udev_t self:fifo_file rw_file_perms;
-allow udev_t self:unix_stream_socket { listen accept };
-allow udev_t self:unix_dgram_socket sendto;
-allow udev_t self:unix_stream_socket connectto;
-allow udev_t self:netlink_kobject_uevent_socket { create bind read setopt };
allow udev_t self:shm create_shm_perms;
allow udev_t self:sem create_sem_perms;
allow udev_t self:msgq create_msgq_perms;
allow udev_t self:msg { send receive };
+allow udev_t self:unix_stream_socket { listen accept };
+allow udev_t self:unix_dgram_socket sendto;
+allow udev_t self:unix_stream_socket connectto;
+allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
allow udev_t self:rawip_socket create_socket_perms;
allow udev_t udev_exec_t:file write;
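Review bot: The rewritten capability rule lists `sys_nice` twice (`... sys_nice sys_rawio sys_nice`); the second occurrence is redundant and should be removed to keep the rule readable. The `netlink_kobject_uevent_socket` rule also widens from `{ create bind read setopt }` to `create_socket_perms`, which includes write and other permissions the old rule deliberately omitted; if udev only needs to receive uevents, the original explicit set was tighter, and if it does need more, a comment stating why would help. The rest of the hunk is a reordering of existing rules.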
@@ -89,6 +94,8 @@ selinux_compute_create_context(udev_t)
selinux_compute_relabel_context(udev_t)
selinux_compute_user_contexts(udev_t)
+auth_use_nsswitch(udev_t)
+
corecmd_exec_bin(udev_t)
corecmd_exec_sbin(udev_t)
corecmd_exec_shell(udev_t)
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index 7def5d09..3f6f48e3 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -6,7 +6,11 @@ policy_module(unconfined,1.0)
# Declarations
#
-type unconfined_t;
+# real declaration moved to mls until
+# range_transition works in loadable modules
+gen_require(`
+ type unconfined_t;
+')
type unconfined_exec_t;
init_system_domain(unconfined_t,unconfined_exec_t)
role system_r types unconfined_t;
@@ -34,5 +38,12 @@ ifdef(`targeted_policy',`
ifdef(`TODO',`
ifdef(`samba.te', `samba_domain(user)')
+
+ ifdef(`use_mcs',`
+ domain_auto_trans(unconfined_t, su_exec_t, sysadm_su_t)
+ can_exec(sysadm_su_t, bin_t)
+ rw_dir_create_file(sysadm_su_t, home_dir_type)
+ ')
+
') dnl end TODO
')
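Review bot: The new `use_mcs` block sits inside the enclosing `ifdef(\`TODO'` section, so none of the added transition and access rules for `sysadm_su_t` take effect in any build; if the rules are meant to be live they need to move outside that guard, and if they are parked intentionally a comment saying so would stop readers assuming the transition exists. Note also that `rw_dir_create_file(sysadm_su_t, home_dir_type)` grants write to all home directories once enabled, which deserves its own justification at that point.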
diff --git a/strict/attrib.te b/strict/attrib.te
index b5e4d8b3..459e7cc6 100644
--- a/strict/attrib.te
+++ b/strict/attrib.te
@@ -443,6 +443,9 @@ attribute serial_device;
# Attribute to designate unrestricted access
attribute unrestricted;
+# Attribute to designate can transition to unconfined_t
+attribute unconfinedtrans;
+
# For clients of nscd.
attribute nscd_client_domain;
diff --git a/strict/domains/misc/kernel.te b/strict/domains/misc/kernel.te
index b2df503f..c0d017c3 100644
--- a/strict/domains/misc/kernel.te
+++ b/strict/domains/misc/kernel.te
@@ -30,7 +30,7 @@ domain_auto_trans(kernel_t, init_exec_t, init_t)
ifdef(`mls_policy', `
# run init with maximum MLS range
-range_transition kernel_t init_exec_t s0 - s9:c0.c127;
+range_transition kernel_t init_exec_t s0 - s9:c0.c255;
')
# Share state with the init process.
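Review bot: The range `s0 - s9:c0.c255` requires category `c255` to be declared in the strict tree's MCS/MLS declarations, which are not part of this diff; if that file still stops at `c127`, policy compilation fails on this line. The same upper bound is used by the `range_transition` additions later in this patch (cups and login under `use_mcs`), so the category declaration and all three rules should be kept in step, ideally via a single documented constant rather than a repeated literal.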
diff --git a/strict/domains/program/anaconda.te b/strict/domains/program/anaconda.te
index 3e7ef0ac..175947d2 100644
--- a/strict/domains/program/anaconda.te
+++ b/strict/domains/program/anaconda.te
@@ -17,11 +17,6 @@ unconfined_domain(anaconda_t)
role system_r types ldconfig_t;
domain_auto_trans(anaconda_t, ldconfig_exec_t, ldconfig_t)
-ifdef(`su.te', `
-role system_r types sysadm_su_t;
-domain_auto_trans(anaconda_t, su_exec_t, sysadm_su_t)
-')
-
# Run other rc scripts in the anaconda_t domain.
domain_auto_trans(anaconda_t, initrc_exec_t, initrc_t)
diff --git a/strict/domains/program/apache.te b/strict/domains/program/apache.te
index fb1fc1e7..116069bd 100644
--- a/strict/domains/program/apache.te
+++ b/strict/domains/program/apache.te
@@ -113,9 +113,12 @@ allow httpd_t bin_t:lnk_file read;
can_network_server(httpd_t)
can_kerberos(httpd_t)
can_resolve(httpd_t)
-can_ypbind(httpd_t)
-can_ldap(httpd_t)
+nsswitch_domain(httpd_t)
allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
+# allow httpd to connect to mysql/posgresql
+allow httpd_t { postgresql_port_t mysqld_port_t }:tcp_socket name_connect;
+# allow httpd to work as a relay
+allow httpd_t { gopher_port_t ftp_port_t http_port_t http_cache_port_t }:tcp_socket name_connect;
if (httpd_can_network_connect) {
can_network_client(httpd_t)
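Review bot: The two new `name_connect` rules for the database and relay ports are unconditional, while the general outbound access directly below is gated on `httpd_can_network_connect`; this lets httpd reach the database and proxy ports even when the administrator has left network connections disabled, which undercuts the boolean. Consider placing these rules under a boolean (a dedicated one for database/relay access, or the existing `httpd_can_network_connect`) so the default remains closed. The comment also misspells `postgresql` as `posgresql`.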
@@ -222,7 +225,7 @@ tmp_domain(httpd_php)
# Creation of lock files for apache2
lock_domain(httpd)
-# Allow apache to used ftpd_anon_t
+# Allow apache to used public_content_t
anonymous_domain(httpd)
# connect to mysql
@@ -305,9 +308,9 @@ allow httpd_helper_t httpd_log_t:file { append };
if (httpd_tty_comm) {
allow { httpd_t httpd_helper_t } devpts_t:dir search;
ifdef(`targeted_policy', `
-allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file { read write };
+allow { httpd_helper_t httpd_t } { devtty_t devpts_t }:chr_file rw_file_perms;
')
-allow { httpd_t httpd_helper_t } admin_tty_type:chr_file { read write };
+allow { httpd_t httpd_helper_t } admin_tty_type:chr_file rw_file_perms;
} else {
dontaudit httpd_t admin_tty_type:chr_file rw_file_perms;
}
@@ -367,13 +370,13 @@ allow httpd_suexec_t { usr_t lib_t }:file { getattr read ioctl };
allow httpd_suexec_t autofs_t:dir { search getattr };
tmp_domain(httpd_suexec)
-if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
+if (httpd_enable_cgi && httpd_unified) {
domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
')
}
-if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
+if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting) {
domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
create_dir_file(httpd_t, httpdcontent)
}
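Review bot: Removing `&& ! httpd_disable_trans` from both conditions means the targeted policy can no longer switch off the transition into `httpd_sys_script_t` by toggling that boolean; if the boolean is being retired its declaration should go in the same change, and if it is not, this silently changes its meaning for administrators who rely on it. The declaration is not in this diff, so the intent should be stated in the commit or in a comment above the `if` block.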
diff --git a/strict/domains/program/apmd.te b/strict/domains/program/apmd.te
index 6ce59586..8394e24f 100644
--- a/strict/domains/program/apmd.te
+++ b/strict/domains/program/apmd.te
@@ -47,6 +47,7 @@ file_type_auto_trans(apmd_t, var_run_t, apmd_var_run_t, sock_file)
# acpid also has a logfile
log_domain(apmd)
+tmp_domain(apmd)
ifdef(`distro_suse', `
var_lib_domain(apmd)
@@ -140,3 +141,15 @@ dontaudit apmd_t selinux_config_t:dir search;
allow apmd_t user_tty_type:chr_file rw_file_perms;
# Access /dev/apm_bios.
allow initrc_t apm_bios_t:chr_file { setattr getattr read };
+
+ifdef(`logrotate.te', `
+allow apmd_t logrotate_t:fd use;
+')dnl end if logrotate.te
+allow apmd_t devpts_t:dir { getattr search };
+allow apmd_t security_t:dir search;
+allow apmd_t usr_t:dir search;
+r_dir_file(apmd_t, hwdata_t)
+ifdef(`targeted_policy', `
+unconfined_domain(apmd_t)
+')
+
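Review bot: `unconfined_domain(apmd_t)` under `targeted_policy` removes all confinement from the power-management daemon in that policy, which is a much larger change than the individual `allow` rules above it and is given no rationale; a comment stating why the daemon cannot be confined in targeted builds (which scripts or helpers it runs) would make the decision reviewable later. The hunk also adds a trailing empty line at end of file that can be dropped.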
diff --git a/strict/domains/program/auditd.te b/strict/domains/program/auditd.te
index 84adf36c..3dd15a7b 100644
--- a/strict/domains/program/auditd.te
+++ b/strict/domains/program/auditd.te
@@ -65,3 +65,5 @@ allow auditctl_t initrc_devpts_t:chr_file { read write };
allow auditctl_t privfd:fd use;
+allow auditd_t sbin_t:dir search;
+can_exec(auditd_t, sbin_t)
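Review bot: `can_exec(auditd_t, sbin_t)` allows the audit daemon to execute any binary labelled `sbin_t` in its own domain without a domain transition, and the hunk does not say which program it needs (presumably a dispatcher or helper). A comment such as `# run the audit dispatcher/helper in the auditd domain` naming the actual executable would document the scope, and if that helper has its own executable type a narrower `can_exec` on that type would be preferable.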
diff --git a/strict/domains/program/automount.te b/strict/domains/program/automount.te
index d86e11d2..d1bb20ea 100644
--- a/strict/domains/program/automount.te
+++ b/strict/domains/program/automount.te
@@ -34,7 +34,9 @@ allow automount_t self:unix_dgram_socket create_socket_perms;
can_exec(automount_t, { etc_t automount_etc_t })
can_network_server(automount_t)
+can_resolve(automount_t)
can_ypbind(automount_t)
+can_ldap(automount_t)
ifdef(`fsadm.te', `
domain_auto_trans(automount_t, fsadm_exec_t, fsadm_t)
@@ -56,6 +58,7 @@ can_exec(automount_t, bin_t)')
allow automount_t { bin_t sbin_t }:dir search;
can_exec(automount_t, mount_exec_t)
+can_exec(automount_t, shell_exec_t)
allow mount_t autofs_t:dir getattr;
dontaudit automount_t var_t:dir write;
@@ -73,3 +76,4 @@ file_type_auto_trans(automount_t, { root_t home_root_t }, automount_tmp_t, dir)
allow automount_t var_lib_t:dir search;
allow automount_t var_lib_nfs_t:dir search;
+
diff --git a/strict/domains/program/bootloader.te b/strict/domains/program/bootloader.te
index 5046cd0a..37e1c19e 100644
--- a/strict/domains/program/bootloader.te
+++ b/strict/domains/program/bootloader.te
@@ -24,7 +24,9 @@ allow bootloader_t var_log_t:file write;
# for nscd
dontaudit bootloader_t var_run_t:dir search;
+ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t)
+')
allow bootloader_t { initrc_t privfd }:fd use;
tmp_domain(bootloader, `, device_type', { dir file lnk_file chr_file blk_file })
diff --git a/strict/domains/program/cardmgr.te b/strict/domains/program/cardmgr.te
index 16a6f1fb..8f789886 100644
--- a/strict/domains/program/cardmgr.te
+++ b/strict/domains/program/cardmgr.te
@@ -15,7 +15,9 @@ daemon_domain(cardmgr, `, privmodule')
allow cardmgr_t urandom_device_t:chr_file read;
type cardctl_exec_t, file_type, sysadmfile, exec_type;
+ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, cardctl_exec_t, cardmgr_t)
+')
role sysadm_r types cardmgr_t;
allow cardmgr_t admin_tty_type:chr_file { read write };
@@ -85,3 +87,4 @@ ifdef(`hald.te', `
rw_dir_file(hald_t, cardmgr_var_run_t)
allow hald_t cardmgr_var_run_t:chr_file create_file_perms;
')
+allow cardmgr_t device_t:lnk_file { getattr read };
diff --git a/strict/domains/program/crond.te b/strict/domains/program/crond.te
index 536824f9..ceb0a453 100644
--- a/strict/domains/program/crond.te
+++ b/strict/domains/program/crond.te
@@ -106,7 +106,7 @@ allow system_crond_t init_t:fd use;
# Inherit and use descriptors from initrc for anacron.
allow system_crond_t initrc_t:fd use;
-allow system_crond_t initrc_devpts_t:chr_file { read write };
+can_access_pty(system_crond_t, initrc)
# Use capabilities.
allow system_crond_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid };
@@ -205,7 +205,7 @@ dontaudit system_crond_t removable_t:filesystem getattr;
#
# Required for webalizer
#
+dontaudit crond_t self:capability sys_tty_config;
ifdef(`apache.te', `
allow system_crond_t { httpd_log_t httpd_config_t }:file { getattr read };
')
-dontaudit crond_t self:capability sys_tty_config;
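Review bot: Moving `dontaudit crond_t self:capability sys_tty_config;` directly beneath the `# Required for webalizer` header makes the comment describe a rule it has nothing to do with, since the webalizer rules are the `httpd_log_t`/`httpd_config_t` reads inside the `apache.te` guard. Place the `dontaudit` above the comment block or give it its own line such as `# crond probes terminal settings; silence the capability check`.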
diff --git a/strict/domains/program/cups.te b/strict/domains/program/cups.te
index c1685dba..a152ac31 100644
--- a/strict/domains/program/cups.te
+++ b/strict/domains/program/cups.te
@@ -188,6 +188,7 @@ allow hplip_t hplip_port_t:tcp_socket name_bind;
# Uses networking to talk to the daemons
allow hplip_t self:unix_dgram_socket create_socket_perms;
allow hplip_t self:unix_stream_socket create_socket_perms;
+allow hplip_t self:rawip_socket create_socket_perms;
# for python
can_exec(hplip_t, bin_t)
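Review bot: Granting `hplip_t self:rawip_socket create_socket_perms` is only usable together with the `net_raw` capability, which is not added in this hunk; if it is not granted elsewhere the socket creation will still be denied, and if it is, raw IP access for a printer helper should be explained. A comment above the rule such as `# rawip_socket: <protocol the helper uses>` would record why the daemon needs this rather than ordinary TCP/UDP sockets.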
@@ -196,6 +197,9 @@ allow hplip_t self:file { getattr read };
allow hplip_t proc_t:file r_file_perms;
allow hplip_t urandom_device_t:chr_file { getattr read };
allow hplip_t usr_t:{ file lnk_file } r_file_perms;
+allow hplip_t devpts_t:dir search;
+allow hplip_t devpts_t:chr_file { getattr ioctl };
+
dontaudit cupsd_t selinux_config_t:dir search;
dontaudit cupsd_t selinux_config_t:file { getattr read };
@@ -209,7 +213,7 @@ allow cupsd_t userdomain:dbus send_msg;
')
# CUPS configuration daemon
-daemon_domain(cupsd_config)
+daemon_domain(cupsd_config, `, nscd_client_domain')
allow cupsd_config_t devpts_t:dir search;
allow cupsd_config_t devpts_t:chr_file { getattr ioctl };
@@ -231,12 +235,13 @@ allow cupsd_config_t cupsd_t:process { signal };
allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
can_ps(cupsd_config_t, cupsd_t)
-allow cupsd_config_t self:capability chown;
+allow cupsd_config_t self:capability { chown sys_tty_config };
rw_dir_create_file(cupsd_config_t, cupsd_etc_t)
rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t)
file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
file_type_auto_trans(cupsd_config_t, var_t, cupsd_rw_etc_t, file)
+allow cupsd_config_t var_t:lnk_file read;
can_network_tcp(cupsd_config_t)
can_ypbind(cupsd_config_t)
@@ -245,6 +250,7 @@ can_tcp_connect(cupsd_config_t, cupsd_t)
allow cupsd_config_t self:fifo_file rw_file_perms;
allow cupsd_config_t self:unix_stream_socket create_socket_perms;
+allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
ifdef(`dbusd.te', `
dbusd_client(system, cupsd_config)
allow cupsd_config_t userdomain:dbus send_msg;
@@ -255,9 +261,8 @@ allow userdomain cupsd_config_t:dbus send_msg;
ifdef(`hald.te', `
ifdef(`dbusd.te', `
-allow cupsd_t hald_t:dbus send_msg;
-allow cupsd_config_t hald_t:dbus send_msg;
-allow hald_t cupsd_t:dbus send_msg;
+allow { cupsd_t cupsd_config_t } hald_t:dbus send_msg;
+allow hald_t { cupsd_t cupsd_config_t }:dbus send_msg;
')dnl end if dbusd.te
allow hald_t cupsd_config_t:process signal;
@@ -310,3 +315,7 @@ allow inetd_t printer_port_t:tcp_socket name_bind;
r_dir_file(cupsd_lpd_t, cupsd_etc_t)
r_dir_file(cupsd_lpd_t, cupsd_rw_etc_t)
allow cupsd_lpd_t ipp_port_t:tcp_socket name_connect;
+ifdef(`use_mcs', `
+range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
+')
+
diff --git a/strict/domains/program/cvs.te b/strict/domains/program/cvs.te
index 324ddd34..3f3e63c2 100644
--- a/strict/domains/program/cvs.te
+++ b/strict/domains/program/cvs.te
@@ -23,6 +23,9 @@ allow cvs_t { bin_t sbin_t }:lnk_file read;
allow cvs_t etc_runtime_t:file { getattr read };
allow system_mail_t cvs_data_t:file { getattr read };
dontaudit cvs_t devtty_t:chr_file { read write };
+ifdef(`kerberos.te', `
# Allow kerberos to work
allow cvs_t { krb5_keytab_t krb5_conf_t }:file r_file_perms;
dontaudit cvs_t krb5_conf_t:file write;
+')
+
diff --git a/strict/domains/program/cyrus.te b/strict/domains/program/cyrus.te
index 86800350..a423235a 100644
--- a/strict/domains/program/cyrus.te
+++ b/strict/domains/program/cyrus.te
@@ -42,7 +42,7 @@ allow system_crond_t cyrus_var_lib_t:file create_file_perms;
create_dir_file(cyrus_t, mail_spool_t)
allow cyrus_t var_spool_t:dir search;
-ifdef(`saslaudthd.te', `
+ifdef(`saslauthd.te', `
allow cyrus_t saslauthd_var_run_t:dir search;
allow cyrus_t saslauthd_var_run_t:sock_file { read write };
allow cyrus_t saslauthd_t:unix_stream_socket { connectto };
diff --git a/strict/domains/program/dbusd.te b/strict/domains/program/dbusd.te
index 4c72b6b4..acad4def 100644
--- a/strict/domains/program/dbusd.te
+++ b/strict/domains/program/dbusd.te
@@ -12,7 +12,7 @@ r_dir_file(system_dbusd_t, pam_var_console_t)
# dac_override: /var/run/dbus is owned by messagebus on Debian
allow system_dbusd_t self:capability { dac_override setgid setuid };
-can_ypbind(system_dbusd_t)
+nsswitch_domain(system_dbusd_t)
# I expect we need more than this
@@ -23,3 +23,5 @@ allow initrc_t system_dbusd_var_run_t:sock_file write;
can_exec(system_dbusd_t, sbin_t)
allow system_dbusd_t self:fifo_file { read write };
allow system_dbusd_t self:unix_stream_socket connectto;
+allow system_dbusd_t self:unix_stream_socket connectto;
+allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
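Review bot: The added `allow system_dbusd_t self:unix_stream_socket connectto;` duplicates the identical context line immediately above it and should be dropped. The `netlink_audit_socket` rule with `nlmsg_relay` lets the bus relay audit messages, which normally also needs the `audit_write` capability that is not granted in this hunk; whether it is granted elsewhere cannot be seen here, so a comment naming the feature that needs audit relay would help.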
diff --git a/strict/domains/program/dhcpc.te b/strict/domains/program/dhcpc.te
index 0308ed95..c12bc42b 100644
--- a/strict/domains/program/dhcpc.te
+++ b/strict/domains/program/dhcpc.te
@@ -120,6 +120,7 @@ tmp_domain(dhcpc)
allow dhcpc_t self:packet_socket create_socket_perms;
allow dhcpc_t var_lib_t:dir search;
file_type_auto_trans(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
+allow dhcpc_t dhcp_state_t:file { getattr read };
allow dhcpc_t bin_t:dir { getattr search };
allow dhcpc_t bin_t:lnk_file read;
@@ -161,5 +162,5 @@ allow dhcpc_t { NetworkManager_t initrc_t }:dbus send_msg;
ifdef(`unconfined.te', `
allow unconfined_t dhcpc_t:dbus send_msg;
allow dhcpc_t unconfined_t:dbus send_msg;
-')dnl end ifdef unconfined.te
+')
')
diff --git a/strict/domains/program/dhcpd.te b/strict/domains/program/dhcpd.te
index 07ad4ce6..e276af2c 100644
--- a/strict/domains/program/dhcpd.te
+++ b/strict/domains/program/dhcpd.te
@@ -17,8 +17,6 @@
#
daemon_domain(dhcpd, `, nscd_client_domain')
-allow dhcpd_t dhcpd_port_t:udp_socket name_bind;
-
# for UDP port 4011
allow dhcpd_t pxe_port_t:udp_socket name_bind;
@@ -27,6 +25,7 @@ type dhcp_etc_t, file_type, sysadmfile, usercanread;
# Use the network.
can_network(dhcpd_t)
allow dhcpd_t port_type:tcp_socket name_connect;
+allow dhcpd_t dhcpd_port_t:{ tcp_socket udp_socket } name_bind;
can_ypbind(dhcpd_t)
allow dhcpd_t self:unix_dgram_socket create_socket_perms;
allow dhcpd_t self:unix_stream_socket create_socket_perms;
diff --git a/strict/domains/program/fsadm.te b/strict/domains/program/fsadm.te
index 56114512..d5a6220c 100644
--- a/strict/domains/program/fsadm.te
+++ b/strict/domains/program/fsadm.te
@@ -102,10 +102,10 @@ allow fsadm_t fixed_disk_device_t:blk_file { getattr swapon };
allow fsadm_t kernel_t:system syslog_console;
# Access terminals.
-allow fsadm_t { initrc_devpts_t admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms;
+can_access_pty(fsadm_t, initrc)
+allow fsadm_t { admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
allow fsadm_t privfd:fd use;
-allow fsadm_t devpts_t:dir { getattr search };
read_locale(fsadm_t)
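Review bot: This hunk removes `allow fsadm_t devpts_t:dir { getattr search };` while switching the pty access to `can_access_pty(fsadm_t, initrc)`; that is only behaviour-preserving if the macro grants the `devpts_t` directory search itself, and its definition is not in this diff. The same removal is made for `update_modules_t` in the two `modutil.te` hunks later in this patch, so if the macro does not cover the directory lookup all three sites regress to a denial on `/dev/pts`.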
diff --git a/strict/domains/program/hald.te b/strict/domains/program/hald.te
index 5cd42b12..9792bee5 100644
--- a/strict/domains/program/hald.te
+++ b/strict/domains/program/hald.te
@@ -100,4 +100,4 @@ allow hald_t unconfined_t:dbus send_msg;
ifdef(`mount.te', `
domain_auto_trans(hald_t, mount_exec_t, mount_t)
')
-
+r_dir_file(hald_t, hwdata_t)
diff --git a/strict/domains/program/hostname.te b/strict/domains/program/hostname.te
index 07169c8b..2138baf5 100644
--- a/strict/domains/program/hostname.te
+++ b/strict/domains/program/hostname.te
@@ -24,5 +24,5 @@ dontaudit hostname_t file_t:dir search;
ifdef(`distro_redhat', `
allow hostname_t tmpfs_t:chr_file rw_file_perms;
')
-allow hostname_t initrc_devpts_t:chr_file { read write };
+can_access_pty(hostname_t, initrc)
allow hostname_t initrc_t:fd use;
diff --git a/strict/domains/program/hotplug.te b/strict/domains/program/hotplug.te
index 38e1d521..a6d8fbe2 100644
--- a/strict/domains/program/hotplug.te
+++ b/strict/domains/program/hotplug.te
@@ -11,9 +11,9 @@
# hotplug_exec_t is the type of the hotplug executable.
#
ifdef(`unlimitedUtils', `
-daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer')
+daemon_domain(hotplug, `, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, domain, privlog, sysctl_kernel_writer, nscd_client_domain')
', `
-daemon_domain(hotplug, `, privmodule')
+daemon_domain(hotplug, `, privmodule, nscd_client_domain')
')
etcdir_domain(hotplug)
@@ -132,6 +132,7 @@ allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
allow hotplug_t sysfs_t:dir { getattr read search write };
allow hotplug_t sysfs_t:file rw_file_perms;
allow hotplug_t sysfs_t:lnk_file { getattr read };
+r_dir_file(hotplug_t, hwdata_t)
allow hotplug_t udev_runtime_t:file rw_file_perms;
ifdef(`lpd.te', `
allow hotplug_t printer_device_t:chr_file setattr;
diff --git a/strict/domains/program/hwclock.te b/strict/domains/program/hwclock.te
index e5c5c4e9..dab39eec 100644
--- a/strict/domains/program/hwclock.te
+++ b/strict/domains/program/hwclock.te
@@ -21,7 +21,6 @@ ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, hwclock_exec_t, hwclock_t)
')
type adjtime_t, file_type, sysadmfile;
-
allow hwclock_t fs_t:filesystem getattr;
read_locale(hwclock_t)
@@ -47,3 +46,4 @@ read_locale(hwclock_t)
# for when /usr is not mounted
dontaudit hwclock_t file_t:dir search;
allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+r_dir_file(hwclock_t, etc_t)
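Review bot: `r_dir_file(hwclock_t, etc_t)` grants read on every generic file under `/etc`, which is much broader than what a clock utility needs, and `/etc/adjtime` already has its own `adjtime_t` type declared earlier in this file. If a specific file is required, a comment naming it (or a dedicated type for it) would keep the grant narrow; otherwise `allow hwclock_t etc_t:file { getattr read };` with a rationale is still preferable to the unqualified macro.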
diff --git a/strict/domains/program/ifconfig.te b/strict/domains/program/ifconfig.te
index dbab5bf1..6cccc32d 100644
--- a/strict/domains/program/ifconfig.te
+++ b/strict/domains/program/ifconfig.te
@@ -52,7 +52,8 @@ allow ifconfig_t run_init_t:fd use;
allow ifconfig_t self:udp_socket create_socket_perms;
# Access terminals.
-allow ifconfig_t { user_tty_type initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
+can_access_pty(ifconfig_t, initrc)
+allow ifconfig_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
allow ifconfig_t tun_tap_device_t:chr_file { read write };
@@ -60,7 +61,7 @@ allow ifconfig_t tun_tap_device_t:chr_file { read write };
# ifconfig attempts to search some sysctl entries.
# Do not audit those attempts; comment out these rules if it is desired to
# see the denials.
-dontaudit ifconfig_t { sysctl_t sysctl_net_t }:dir search;
+allow ifconfig_t { sysctl_t sysctl_net_t }:dir search;
allow ifconfig_t fs_t:filesystem getattr;
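Review bot: The three-line comment above the changed rule still says "Do not audit those attempts; comment out these rules if it is desired to see the denials", but the rule is now an `allow`, so the comment is stale and misleading. Replace it with `# ifconfig searches sysctl entries; allow the lookups rather than silencing them`, and the same applies to the equivalent replacement in `refpolicy/policy/modules/system/sysnetwork.te` earlier in this patch.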
diff --git a/strict/domains/program/initrc.te b/strict/domains/program/initrc.te
index 2715d03c..c66d876a 100644
--- a/strict/domains/program/initrc.te
+++ b/strict/domains/program/initrc.te
@@ -56,6 +56,10 @@ allow initrc_t self:process { fork sigchld getpgid setsched setpgid setrlimit ge
can_create_pty(initrc)
tmp_domain(initrc)
+#
+# Some initscripts generate scripts that they need to execute (ldap)
+#
+can_exec(initrc_t, initrc_tmp_t)
var_run_domain(initrc)
allow initrc_t var_run_t:{ file sock_file lnk_file } unlink;
@@ -214,7 +218,15 @@ file_type_auto_trans(initrc_t, device_t, fixed_disk_device_t, blk_file)
allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
allow initrc_t self:capability sys_admin;
allow initrc_t device_t:dir create;
-
+# wants to delete /poweroff and other files
+allow initrc_t root_t:file unlink;
+# wants to read /.fonts directory
+allow initrc_t default_t:file { getattr read };
+ifdef(`xserver.te', `
+# wants to cleanup xserver log dir
+allow initrc_t xserver_log_t:dir rw_dir_perms;
+allow initrc_t xserver_log_t:file unlink;
+')
')dnl end distro_redhat
allow initrc_t system_map_t:{ file lnk_file } r_file_perms;
@@ -322,3 +334,6 @@ allow initrc_t device_t:lnk_file create_file_perms;
ifdef(`dbusd.te', `
allow initrc_t system_dbusd_var_run_t:sock_file write;
')
+
+# Slapd needs to read cert files from its initscript
+r_dir_file(initrc_t, cert_t)
diff --git a/strict/domains/program/ipsec.te b/strict/domains/program/ipsec.te
index 36e55ac3..ea45a367 100644
--- a/strict/domains/program/ipsec.te
+++ b/strict/domains/program/ipsec.te
@@ -219,7 +219,7 @@ can_exec(ipsec_mgmt_t, consoletype_exec_t )
dontaudit ipsec_mgmt_t selinux_config_t:dir search;
dontaudit ipsec_t ttyfile:chr_file { read write };
allow ipsec_t self:capability { dac_override dac_read_search };
-allow ipsec_t reserved_port_t:udp_socket name_bind;
+allow ipsec_t { isakmp_port_t reserved_port_t }:udp_socket name_bind;
allow ipsec_mgmt_t dev_fs:file_class_set getattr;
dontaudit ipsec_mgmt_t device_t:lnk_file read;
allow ipsec_mgmt_t self:{ tcp_socket udp_socket } create_socket_perms;
diff --git a/strict/domains/program/kudzu.te b/strict/domains/program/kudzu.te
index 803ae3df..c560dc7c 100644
--- a/strict/domains/program/kudzu.te
+++ b/strict/domains/program/kudzu.te
@@ -64,6 +64,7 @@ can_exec(kudzu_t, { bin_t sbin_t init_exec_t })
allow kudzu_t lib_t:file { read getattr };
# Read /usr/share/hwdata/.* and /usr/share/terminfo/l/linux
allow kudzu_t usr_t:file { read getattr };
+r_dir_file(kudzu_t, hwdata_t)
# Communicate with rhgb-client.
allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
diff --git a/strict/domains/program/ldconfig.te b/strict/domains/program/ldconfig.te
index 2ab5c48c..fbb76886 100644
--- a/strict/domains/program/ldconfig.te
+++ b/strict/domains/program/ldconfig.te
@@ -16,7 +16,8 @@ role system_r types ldconfig_t;
domain_auto_trans({ sysadm_t initrc_t }, ldconfig_exec_t, ldconfig_t)
dontaudit ldconfig_t device_t:dir search;
-allow ldconfig_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
+can_access_pty(ldconfig_t, initrc)
+allow ldconfig_t admin_tty_type:chr_file rw_file_perms;
allow ldconfig_t privfd:fd use;
uses_shlib(ldconfig_t)
diff --git a/strict/domains/program/load_policy.te b/strict/domains/program/load_policy.te
index e10a6e2c..7ff7a61c 100644
--- a/strict/domains/program/load_policy.te
+++ b/strict/domains/program/load_policy.te
@@ -45,11 +45,12 @@ r_dir_file(load_policy_t, selinux_config_t)
allow load_policy_t root_t:dir search;
allow load_policy_t etc_t:dir search;
-# Read the devpts root directory (needed?)
-allow load_policy_t devpts_t:dir r_dir_perms;
+# for mcs.conf
+allow load_policy_t etc_t:file { getattr read };
# Other access
-allow load_policy_t { admin_tty_type initrc_devpts_t devtty_t }:chr_file { read write ioctl getattr };
+can_access_pty(load_policy_t, initrc)
+allow load_policy_t { admin_tty_type devtty_t }:chr_file { read write ioctl getattr };
uses_shlib(load_policy_t)
allow load_policy_t self:capability dac_override;
diff --git a/strict/domains/program/login.te b/strict/domains/program/login.te
index 887aa580..f0fb1cb5 100644
--- a/strict/domains/program/login.te
+++ b/strict/domains/program/login.te
@@ -200,23 +200,20 @@ login_domain(remote)
# since very weak authentication is used.
login_spawn_domain(remote_login, unpriv_userdomain)
-allow remote_login_t devpts_t:dir search;
allow remote_login_t userpty_type:chr_file { setattr write };
# Use the pty created by rlogind.
ifdef(`rlogind.te', `
-allow remote_login_t rlogind_devpts_t:chr_file { setattr rw_file_perms };
-
+can_access_pty(remote_login_t, rlogind)
# Relabel ptys created by rlogind.
-allow remote_login_t rlogind_devpts_t:chr_file { relabelfrom relabelto };
+allow remote_login_t rlogind_devpts_t:chr_file { setattr relabelfrom relabelto };
')
# Use the pty created by telnetd.
ifdef(`telnetd.te', `
-allow remote_login_t telnetd_devpts_t:chr_file { setattr rw_file_perms };
-
+can_access_pty(remote_login_t, telnetd)
# Relabel ptys created by telnetd.
-allow remote_login_t telnetd_devpts_t:chr_file { relabelfrom relabelto };
+allow remote_login_t telnetd_devpts_t:chr_file { setattr relabelfrom relabelto };
')
allow remote_login_t ptyfile:chr_file { getattr relabelfrom relabelto ioctl };
@@ -225,3 +222,8 @@ allow remote_login_t fs_t:filesystem { getattr };
# Allow remote login to resolve host names (passed in via the -h switch)
can_resolve(remote_login_t)
+ifdef(`use_mcs', `
+ifdef(`getty.te', `
+range_transition getty_t login_exec_t s0 - s0:c0.c255;
+')
+')
diff --git a/strict/domains/program/modutil.te b/strict/domains/program/modutil.te
index 0af4cf55..27d960a7 100644
--- a/strict/domains/program/modutil.te
+++ b/strict/domains/program/modutil.te
@@ -59,7 +59,8 @@ allow depmod_t modules_object_t:{ file lnk_file } r_file_perms;
allow depmod_t modules_object_t:file unlink;
# Access terminals.
-allow depmod_t { console_device_t initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
+can_access_pty(depmod_t, initrc)
+allow depmod_t { console_device_t admin_tty_type }:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow depmod_t sysadm_gph_t:fd use;')
# Read System.map from home directories.
@@ -97,7 +98,8 @@ allow insmod_t self:lnk_file read;
allow insmod_t usr_t:file { getattr read };
allow insmod_t privfd:fd use;
-allow insmod_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
+can_access_pty(insmod_t, initrc)
+allow insmod_t admin_tty_type:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow insmod_t sysadm_gph_t:fd use;')
allow insmod_t { agp_device_t apm_bios_t }:chr_file { read write };
@@ -162,7 +164,6 @@ type insmod_exec_t, file_type, exec_type, sysadmfile;
domain_auto_trans(privmodule, insmod_exec_t, insmod_t)
can_exec(insmod_t, { insmod_exec_t shell_exec_t bin_t sbin_t etc_t })
allow insmod_t devtty_t:chr_file rw_file_perms;
-allow update_modules_t devpts_t:dir search;
allow insmod_t privmodule:process sigchld;
dontaudit sysadm_t self:capability sys_module;
@@ -197,8 +198,8 @@ allow update_modules_t init_t:fd use;
allow update_modules_t device_t:dir { getattr search };
allow update_modules_t { console_device_t devtty_t }:chr_file rw_file_perms;
-allow update_modules_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
-allow update_modules_t devpts_t:dir search;
+can_access_pty(update_modules_t, initrc)
+allow update_modules_t admin_tty_type:chr_file rw_file_perms;
can_exec(update_modules_t, insmod_exec_t)
allow update_modules_t urandom_device_t:chr_file { getattr read };
diff --git a/strict/domains/program/mount.te b/strict/domains/program/mount.te
index ab6c3593..e78f7fed 100644
--- a/strict/domains/program/mount.te
+++ b/strict/domains/program/mount.te
@@ -16,13 +16,14 @@ mount_loopback_privs(sysadm, mount)
role sysadm_r types mount_t;
role system_r types mount_t;
-allow mount_t { initrc_devpts_t console_device_t }:chr_file { read write };
+can_access_pty(mount_t, initrc)
+allow mount_t console_device_t:chr_file { read write };
domain_auto_trans(initrc_t, mount_exec_t, mount_t)
allow mount_t init_t:fd use;
allow mount_t privfd:fd use;
-allow mount_t self:capability { ipc_lock dac_override };
+allow mount_t self:capability { dac_override ipc_lock sys_tty_config };
allow mount_t self:process { fork signal_perms };
allow mount_t file_type:dir search;
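Review bot: Replacing `allow mount_t { initrc_devpts_t console_device_t }:chr_file { read write };` with `can_access_pty(mount_t, initrc)` very likely widens mount_t's access to initrc ptys beyond `{ read write }`: the modutil.te and netutils.te hunks use the same macro to replace `rw_file_perms`, which suggests that is the set it grants. The same widening happens in restorecon.te, where `{ read write ioctl }` is replaced by the macro. That may be an acceptable price for a consistent macro, but the macro definition is outside this diff and should be confirmed. The new `sys_tty_config` capability is added without a comment; a line such as `# sys_tty_config: <operation mount performs that needs it>` next to it would document the reason.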
diff --git a/strict/domains/program/mysqld.te b/strict/domains/program/mysqld.te
index ea0315be..8a96d2a4 100644
--- a/strict/domains/program/mysqld.te
+++ b/strict/domains/program/mysqld.te
@@ -12,7 +12,7 @@
#
daemon_domain(mysqld, `, nscd_client_domain')
-allow mysqld_t mysqld_port_t:tcp_socket name_bind;
+allow mysqld_t mysqld_port_t:tcp_socket { name_bind name_connect };
allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;
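Review bot: Adding `name_connect` to mysqld_port_t lets mysqld_t open client connections to the MySQL port, which is a different privilege from binding it, and nothing in the hunk says why the server needs to act as a client. A comment such as `# name_connect: mysqld connecting to another mysqld instance — confirm the use case` would keep the reason next to the rule.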
@@ -88,7 +88,7 @@ allow userdomain mysqld_var_run_t:sock_file write;
}
')
+allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;
ifdef(`crond.te', `
allow system_crond_t mysqld_etc_t:file { getattr read };
')
-allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;
diff --git a/strict/domains/program/named.te b/strict/domains/program/named.te
index 39924d7e..04c0712f 100644
--- a/strict/domains/program/named.te
+++ b/strict/domains/program/named.te
@@ -113,8 +113,8 @@ can_resolve(ndc_t)
read_locale(ndc_t)
can_tcp_connect(ndc_t, named_t)
-# for /etc/rndc.key
ifdef(`distro_redhat', `
+# for /etc/rndc.key
allow { ndc_t initrc_t } named_conf_t:dir search;
# Allow init script to cp localtime to named_conf_t
allow initrc_t named_conf_t:file { setattr write };
diff --git a/strict/domains/program/netutils.te b/strict/domains/program/netutils.te
index 9b13fd49..8dcbdf11 100644
--- a/strict/domains/program/netutils.te
+++ b/strict/domains/program/netutils.te
@@ -55,7 +55,8 @@ allow netutils_t fs_t:filesystem getattr;
# Access terminals.
allow netutils_t privfd:fd use;
-allow netutils_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
+can_access_pty(netutils_t, initrc)
+allow netutils_t admin_tty_type:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow netutils_t sysadm_gph_t:fd use;')
allow netutils_t proc_t:dir search;
diff --git a/strict/domains/program/newrole.te b/strict/domains/program/newrole.te
index 8d66e4ba..207274d9 100644
--- a/strict/domains/program/newrole.te
+++ b/strict/domains/program/newrole.te
@@ -18,3 +18,7 @@ allow newrole_t var_run_t:dir r_dir_perms;
allow newrole_t initrc_var_run_t:file rw_file_perms;
role secadm_r types newrole_t;
+
+ifdef(`targeted_policy', `
+typeattribute newrole_t unconfinedtrans;
+')
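Review bot: `typeattribute newrole_t unconfinedtrans;` is undocumented, and giving newrole the unconfinedtrans attribute under targeted_policy presumably lets it transition into the unconfined domain, which is the central trust decision in that policy variant. A comment like `# targeted: newrole may transition into the unconfined domain (unconfinedtrans)` would make the intent explicit to the next reader.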
diff --git a/strict/domains/program/nscd.te b/strict/domains/program/nscd.te
index 77e2eb77..8e899c74 100644
--- a/strict/domains/program/nscd.te
+++ b/strict/domains/program/nscd.te
@@ -76,3 +76,4 @@ allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read };
log_domain(nscd)
r_dir_file(nscd_t, cert_t)
allow nscd_t tun_tap_device_t:chr_file { read write };
+allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
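Review bot: The new `netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }` rule for nscd_t has no comment; `nlmsg_relay` is the permission that allows a process to submit user-space audit records, and the same pair appears in passwd.te and in the new pegasus.te. One line stating what nscd audits, e.g. `# nscd emits user-space audit records — confirm which code path`, would justify it.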
diff --git a/strict/domains/program/ntpd.te b/strict/domains/program/ntpd.te
index db49c23f..9916a6a4 100644
--- a/strict/domains/program/ntpd.te
+++ b/strict/domains/program/ntpd.te
@@ -26,11 +26,11 @@ allow ntpd_t ntp_drift_t:file create_file_perms;
# for SSP
allow ntpd_t urandom_device_t:chr_file { getattr read };
-allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot };
-dontaudit ntpd_t self:capability { net_admin };
-allow ntpd_t self:process { setcap setsched };
+# sys_resource and setrlimit is for locking memory
+allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot sys_nice sys_resource };
+dontaudit ntpd_t self:capability { fsetid net_admin };
+allow ntpd_t self:process { setcap setsched setrlimit };
# ntpdate wants sys_nice
-dontaudit ntpd_t self:capability { fsetid sys_nice };
# for some reason it creates a file in /tmp
tmp_domain(ntpd)
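Review bot: The comment `# ntpdate wants sys_nice` is left dangling: the `dontaudit ntpd_t self:capability { fsetid sys_nice };` line it described is removed and sys_nice now lives in the allow rule three lines above, so the comment now sits directly over `# for some reason it creates a file in /tmp`. Either delete it or move it beside the allow rule as `# sys_nice: ntpdate wants it`. The new comment also reads better as `# sys_resource and setrlimit are for locking memory`.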
@@ -54,7 +54,7 @@ allow initrc_t net_conf_t:file { getattr read ioctl };
# for cron jobs
# system_crond_t is not right, cron is not doing what it should
ifdef(`crond.te', `
-system_crond_entry(ntpd_exec_t, ntpd_t)
+system_crond_entry(ntpdate_exec_t, ntpd_t)
')
can_exec(ntpd_t, initrc_exec_t)
diff --git a/strict/domains/program/pamconsole.te b/strict/domains/program/pamconsole.te
index 488bed3c..11c19947 100644
--- a/strict/domains/program/pamconsole.te
+++ b/strict/domains/program/pamconsole.te
@@ -25,6 +25,7 @@ allow pam_console_t { kernel_t init_t }:fd use;
# for /var/run/console.lock checking
allow pam_console_t { var_t var_run_t }:dir search;
r_dir_file(pam_console_t, pam_var_console_t)
+dontaudit pam_console_t pam_var_console_t:file write;
# Allow to set attributes on /dev entries
allow pam_console_t device_t:dir { getattr read };
@@ -48,3 +49,4 @@ allow pam_console_t xdm_var_run_t:file { getattr read };
allow initrc_t pam_var_console_t:dir rw_dir_perms;
allow initrc_t pam_var_console_t:file unlink;
allow pam_console_t file_context_t:file { getattr read };
+nsswitch_domain(pam_console_t)
diff --git a/strict/domains/program/passwd.te b/strict/domains/program/passwd.te
index d7dff6c0..30d7f860 100644
--- a/strict/domains/program/passwd.te
+++ b/strict/domains/program/passwd.te
@@ -153,5 +153,4 @@ allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_rel
ifdef(`targeted_policy', `
role system_r types sysadm_passwd_t;
-allow sysadm_passwd_t devpts_t:chr_file rw_file_perms;
')
diff --git a/strict/domains/program/pegasus.te b/strict/domains/program/pegasus.te
new file mode 100644
index 00000000..e2b557e2
--- /dev/null
+++ b/strict/domains/program/pegasus.te
@@ -0,0 +1,37 @@
+#DESC pegasus - The Open Group Pegasus CIM/WBEM Server
+#
+# Author: Jason Vas Dias
+# Package: tog-pegasus
+#
+#################################
+#
+# Rules for the pegasus domain
+#
+daemon_domain(pegasus, `, nscd_client_domain, auth')
+type pegasus_data_t, file_type, sysadmfile;
+type pegasus_conf_t, file_type, sysadmfile;
+type pegasus_mof_t, file_type, sysadmfile;
+type pegasus_conf_exec_t, file_type, exec_type, sysadmfile;
+allow pegasus_t self:capability { dac_override net_bind_service audit_write };
+can_network_tcp(pegasus_t);
+nsswitch_domain(pegasus_t);
+allow pegasus_t pegasus_var_run_t:sock_file { create setattr };
+allow pegasus_t self:unix_dgram_socket create_socket_perms;
+allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
+allow pegasus_t self:file { read getattr };
+allow pegasus_t self:fifo_file rw_file_perms;
+allow pegasus_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow pegasus_t { pegasus_http_port_t pegasus_https_port_t }:tcp_socket { name_bind name_connect };
+allow pegasus_t proc_t:file { getattr read };
+allow pegasus_t sysctl_vm_t:dir search;
+allow pegasus_t initrc_var_run_t:file { read write lock };
+allow pegasus_t urandom_device_t:chr_file { getattr read };
+r_dir_file(pegasus_t, etc_t)
+r_dir_file(pegasus_t, var_lib_t)
+r_dir_file(pegasus_t, pegasus_mof_t)
+rw_dir_create_file(pegasus_t, pegasus_conf_t)
+rw_dir_create_file(pegasus_t, pegasus_data_t)
+rw_dir_create_file(pegasus_conf_exec_t, pegasus_conf_t)
+allow pegasus_t shadow_t:file { getattr read };
+dontaudit pegasus_t selinux_config_t:dir search;
+
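Review bot: `allow pegasus_t shadow_t:file { getattr read };` grants direct read of /etc/shadow with no comment, while the domain is already declared with the `auth` attribute in `daemon_domain(pegasus, `, nscd_client_domain, auth')`; if that attribute is what grants shadow_t read elsewhere in this policy, the explicit rule is redundant, and if it is not, a comment such as `# pegasus authenticates users against shadow directly` belongs next to it. `can_network_tcp(pegasus_t);` and `nsswitch_domain(pegasus_t);` end in `;` while the other macro invocations in the file do not; m4 passes the stray semicolon through into the generated policy, so drop it for consistency. The trailing blank line at the end of the new file can also go.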
diff --git a/strict/domains/program/ping.te b/strict/domains/program/ping.te
index c0c664f6..6461c51a 100644
--- a/strict/domains/program/ping.te
+++ b/strict/domains/program/ping.te
@@ -37,6 +37,7 @@ domain_auto_trans(initrc_t, ping_exec_t, ping_t)
uses_shlib(ping_t)
can_network_client(ping_t)
can_resolve(ping_t)
+allow ping_t dns_port_t:tcp_socket name_connect;
can_ypbind(ping_t)
allow ping_t etc_t:file { getattr read };
allow ping_t self:unix_stream_socket create_socket_perms;
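Review bot: `allow ping_t dns_port_t:tcp_socket name_connect;` is placed right after `can_resolve(ping_t)` without saying why the macro is insufficient; if the reason is resolver fallback to TCP for truncated replies, a comment like `# can_resolve covers UDP only; TCP for large DNS responses — confirm` would record it.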
@@ -58,6 +59,6 @@ dontaudit ping_t var_t:dir search;
dontaudit ping_t devtty_t:chr_file { read write };
dontaudit ping_t self:capability sys_tty_config;
ifdef(`hide_broken_symptoms', `
-allow ping_t init_t:fd use;
+dontaudit ping_t init_t:fd use;
')
diff --git a/strict/domains/program/postfix.te b/strict/domains/program/postfix.te
index 26ac65ba..5d24e5f4 100644
--- a/strict/domains/program/postfix.te
+++ b/strict/domains/program/postfix.te
@@ -54,6 +54,8 @@ allow postfix_$1_t fs_t:filesystem getattr;
allow postfix_$1_t proc_net_t:dir search;
allow postfix_$1_t proc_net_t:file { getattr read };
can_exec(postfix_$1_t, postfix_$1_exec_t)
+r_dir_file(postfix_$1_t, cert_t)
+allow postfix_$1_t { urandom_device_t random_device_t }:chr_file { read getattr };
allow postfix_$1_t tmp_t:dir getattr;
@@ -69,6 +71,9 @@ ifdef(`crond.te',
postfix_domain(master, `, mail_server_domain')
rhgb_domain(postfix_master_t)
+# for a find command
+dontaudit postfix_master_t security_t:dir search;
+
read_sysctl(postfix_master_t)
domain_auto_trans(initrc_t, postfix_master_exec_t, postfix_master_t)
@@ -97,10 +102,12 @@ allow postfix_master_t initrc_devpts_t:chr_file rw_file_perms;
dontaudit postfix_master_t selinux_config_t:dir search;
can_exec({ sysadm_mail_t system_mail_t }, postfix_master_exec_t)
ifdef(`distro_redhat', `
+# compatability for old default main.cf
file_type_auto_trans({ sysadm_mail_t system_mail_t postfix_master_t }, postfix_etc_t, etc_aliases_t)
-', `
-file_type_auto_trans({ sysadm_mail_t system_mail_t }, etc_t, etc_aliases_t)
+# for newer main.cf that uses /etc/aliases
+file_type_auto_trans(postfix_master_t, etc_t, etc_aliases_t)
')
+file_type_auto_trans({ sysadm_mail_t system_mail_t }, etc_t, etc_aliases_t)
allow postfix_master_t sendmail_exec_t:file r_file_perms;
allow postfix_master_t sbin_t:lnk_file { getattr read };
ifdef(`pppd.te', `
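Review bot: `file_type_auto_trans(postfix_master_t, etc_t, etc_aliases_t)` passes no object class, so if the macro falls back to its default class set, every object postfix_master_t creates in an etc_t directory, not just the aliases database, is labelled etc_aliases_t; the yppasswdd rules later in this diff pass an explicit `file` class, and `file_type_auto_trans(postfix_master_t, etc_t, etc_aliases_t, file)` would be the tighter form here if the macro supports it. Also, the comment has a typo: `# compatibility for old default main.cf`.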
@@ -121,7 +128,7 @@ allow postfix_master_t postfix_private_t:fifo_file create_file_perms;
can_network(postfix_master_t)
allow postfix_master_t port_type:tcp_socket name_connect;
can_ypbind(postfix_master_t)
-allow postfix_master_t smtp_port_t:tcp_socket name_bind;
+allow postfix_master_t { amavisd_send_port_t smtp_port_t }:tcp_socket name_bind;
allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;
allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr };
allow postfix_master_t postfix_prng_t:file getattr;
@@ -135,14 +142,10 @@ can_unix_connect(postfix_smtpd_t,saslauthd_t)
')
create_dir_file(postfix_master_t, postfix_spool_flush_t)
-allow postfix_master_t random_device_t:chr_file { read getattr };
allow postfix_master_t postfix_prng_t:file rw_file_perms;
# for ls to get the current context
allow postfix_master_t self:file { getattr read };
-# for SSP
-allow postfix_master_t urandom_device_t:chr_file read;
-
# allow access to deferred queue and allow removing bogus incoming entries
allow postfix_master_t postfix_spool_t:dir create_dir_perms;
allow postfix_master_t postfix_spool_t:file create_file_perms;
@@ -163,7 +166,6 @@ postfix_server_domain(smtp, `, mail_server_sender')
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
allow postfix_smtp_t { postfix_private_t postfix_public_t }:dir search;
allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write;
-allow postfix_smtp_t urandom_device_t:chr_file { getattr read };
allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto;
# if you have two different mail servers on the same host let them talk via
# SMTP, also if one mail server wants to talk to itself then allow it and let
@@ -172,7 +174,6 @@ allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto;
can_tcp_connect(postfix_smtp_t, mail_server_domain)
postfix_server_domain(smtpd)
-allow postfix_smtpd_t urandom_device_t:chr_file { getattr read };
allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
allow postfix_smtpd_t { postfix_private_t postfix_public_t }:dir search;
allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_perms;
@@ -184,7 +185,6 @@ allow postfix_smtpd_t self:file { getattr read };
# for prng_exch
allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
-
allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms;
postfix_server_domain(local, `, mta_delivery_agent')
@@ -196,7 +196,7 @@ dontaudit procmail_t postfix_master_t:fd use;
')
allow postfix_local_t etc_aliases_t:file r_file_perms;
allow postfix_local_t self:fifo_file rw_file_perms;
-allow postfix_local_t self:process setrlimit;
+allow postfix_local_t self:process { setsched setrlimit };
allow postfix_local_t postfix_spool_t:file rw_file_perms;
# for .forward - maybe we need a new type for it?
allow postfix_local_t postfix_private_t:dir search;
@@ -241,6 +241,7 @@ postfix_user_domain(postqueue)
allow postfix_postqueue_t postfix_public_t:dir search;
allow postfix_postqueue_t postfix_public_t:fifo_file getattr;
allow postfix_postqueue_t self:udp_socket { create ioctl };
+allow postfix_postqueue_t self:tcp_socket create;
allow postfix_master_t postfix_postqueue_exec_t:file getattr;
domain_auto_trans(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
allow postfix_postqueue_t initrc_t:process sigchld;
@@ -260,7 +261,7 @@ dontaudit postfix_postqueue_t net_conf_t:file r_file_perms;
postfix_user_domain(showq)
# the following auto_trans is usually in postfix server domain
domain_auto_trans(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
-allow postfix_showq_t self:udp_socket { create ioctl };
+can_resolve(postfix_showq_t)
r_dir_file(postfix_showq_t, postfix_spool_maildrop_t)
domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
allow postfix_showq_t self:capability { setuid setgid };
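Review bot: Replacing `allow postfix_showq_t self:udp_socket { create ioctl };` with `can_resolve(postfix_showq_t)` is a widening, not a rename: the macro presumably grants DNS client access (UDP traffic to the DNS port) where the old rule only allowed creating a local socket. Since showq only lists the queue, a comment on why it needs to resolve names, e.g. `# showq resolves host names when listing deferred mail — confirm`, would justify the broader rule.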
@@ -284,6 +285,7 @@ ifdef(`crond.te',
allow postfix_postdrop_t { crond_t system_crond_t }:fifo_file rw_file_perms;')
# usually it does not need a UDP socket
allow postfix_postdrop_t self:udp_socket create_socket_perms;
+allow postfix_postdrop_t self:tcp_socket create;
allow postfix_postdrop_t self:capability sys_resource;
postfix_public_domain(pickup)
@@ -329,7 +331,8 @@ ifdef(`procmail.te', `
domain_auto_trans(postfix_pipe_t, procmail_exec_t, procmail_t)
')
ifdef(`sendmail.te', `
-allow sendmail_t postfix_etc_t:dir search;
+r_dir_file(sendmail_t, postfix_etc_t)
+allow sendmail_t postfix_spool_t:dir search;
')
# Program for creating database files
@@ -350,3 +353,4 @@ can_network_server(postfix_map_t)
allow postfix_map_t port_type:tcp_socket name_connect;
allow postfix_local_t mail_spool_t:dir { remove_name };
allow postfix_local_t mail_spool_t:file { unlink };
+can_exec(postfix_local_t, bin_t)
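Review bot: `can_exec(postfix_local_t, bin_t)` lets the local delivery agent run any bin_t program in its own domain, with no comment; the earlier `# for .forward - maybe we need a new type for it?` in this file suggests it is for user pipe commands, and that should be stated, e.g. `# run pipe commands from .forward / aliases in the local delivery domain`. The same undocumented `can_exec(ypserv_t, bin_t)` is added at the end of ypserv.te. If the executed programs are meant to be confined separately, a domain transition would be preferable to executing bin_t inside the daemon domain.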
diff --git a/strict/domains/program/procmail.te b/strict/domains/program/procmail.te
index 347587be..fbf044d8 100644
--- a/strict/domains/program/procmail.te
+++ b/strict/domains/program/procmail.te
@@ -19,8 +19,7 @@ role system_r types procmail_t;
uses_shlib(procmail_t)
allow procmail_t device_t:dir search;
can_network_server(procmail_t)
-can_ypbind(procmail_t)
-can_winbind(procmail_t)
+nsswitch_domain(procmail_t)
allow procmail_t self:capability { sys_nice chown setuid setgid dac_override };
@@ -60,6 +59,14 @@ allow procmail_t { self proc_t }:lnk_file read;
allow procmail_t usr_t:file { getattr ioctl read };
ifdef(`spamassassin.te', `
can_exec(procmail_t, spamassassin_exec_t)
+can_resolve(procmail_t)
+allow procmail_t port_t:udp_socket name_bind;
+allow procmail_t tmp_t:dir getattr;
+')
+ifdef(`targeted_policy', `
+can_resolve(procmail_t)
+allow procmail_t port_t:udp_socket name_bind;
+allow procmail_t tmp_t:dir getattr;
')
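Review bot: The three rules `can_resolve(procmail_t)`, `allow procmail_t port_t:udp_socket name_bind;` and `allow procmail_t tmp_t:dir getattr;` are written twice, once under `ifdef(`spamassassin.te'` and once under `ifdef(`targeted_policy'`; when both are defined the rules are emitted twice, and the two copies will drift apart when one is edited. Either collapse them under a single guard that covers both conditions or, at least, add a comment on the targeted block saying why it needs the same rules without spamassassin.te.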
# Search /var/run.
diff --git a/strict/domains/program/readahead.te b/strict/domains/program/readahead.te
new file mode 100644
index 00000000..dde8e379
--- /dev/null
+++ b/strict/domains/program/readahead.te
@@ -0,0 +1,21 @@
+#DESC readahead - read files in page cache
+#
+# Author: Dan Walsh (dwalsh@redhat.com)
+#
+
+#################################
+#
+# Declarations for readahead
+#
+
+daemon_domain(readahead)
+#
+# readahead asks for these
+#
+allow readahead_t { file_type -secure_file_type }:{ file lnk_file } { getattr read };
+allow readahead_t { file_type -secure_file_type }:dir r_dir_perms;
+dontaudit readahead_t shadow_t:file { getattr read };
+allow readahead_t { device_t device_type }:{ lnk_file chr_file blk_file } getattr;
+dontaudit readahead_t file_type:sock_file getattr;
+allow readahead_t proc_t:file { getattr read };
+dontaudit readahead_t device_type:blk_file read;
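Review bot: `allow readahead_t { file_type -secure_file_type }:{ file lnk_file } { getattr read };` lets readahead_t read nearly every file on the system, and the only explanation is `# readahead asks for these`. A comment stating the intent, e.g. `# readahead prefetches whatever files its lists name, so it may read any non-secure file type; secure_file_type is deliberately excluded`, would make the scope obvious to a future reviewer; the `dontaudit readahead_t shadow_t:file` line suggests shadow_t is in the excluded set, which is worth saying explicitly if so.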
diff --git a/strict/domains/program/restorecon.te b/strict/domains/program/restorecon.te
index 0e3a2781..dc58221b 100644
--- a/strict/domains/program/restorecon.te
+++ b/strict/domains/program/restorecon.te
@@ -19,7 +19,7 @@ role system_r types restorecon_t;
role sysadm_r types restorecon_t;
role secadm_r types restorecon_t;
-allow restorecon_t initrc_devpts_t:chr_file { read write ioctl };
+can_access_pty(restorecon_t, initrc)
allow restorecon_t { tty_device_t admin_tty_type user_tty_type devtty_t }:chr_file { read write ioctl };
domain_auto_trans({ initrc_t sysadm_t secadm_t }, restorecon_exec_t, restorecon_t)
diff --git a/strict/domains/program/rlogind.te b/strict/domains/program/rlogind.te
index b0ac4f0d..88af4e4f 100644
--- a/strict/domains/program/rlogind.te
+++ b/strict/domains/program/rlogind.te
@@ -35,4 +35,6 @@ allow rlogind_t self:file { getattr read };
allow rlogind_t default_t:dir search;
typealias rlogind_port_t alias rlogin_port_t;
read_sysctl(rlogind_t);
-allow rlogind_t krb5_keytab_t:file r_file_perms;
+ifdef(`kerberos.te', `
+allow rlogind_t krb5_keytab_t:file { getattr read };
+')
diff --git a/strict/domains/program/roundup.te b/strict/domains/program/roundup.te
new file mode 100644
index 00000000..4c3e97a2
--- /dev/null
+++ b/strict/domains/program/roundup.te
@@ -0,0 +1,29 @@
+# Roundup Issue Tracking System
+#
+# Authors: W. Michael Petullo
+# Depends: portmap.te
+#
+
+#################################
+#
+# Rules for the yppasswdd_t domain.
+#
+daemon_domain(yppasswdd, `, auth_write, privowner')
+
+# Use capabilities.
+allow yppasswdd_t self:capability { net_bind_service };
+
+# Use the network.
+can_network_server(yppasswdd_t)
+
+read_sysctl(yppasswdd_t)
+
+# Send to portmap and initrc.
+can_udp_send(yppasswdd_t, portmap_t)
+can_udp_send(yppasswdd_t, initrc_t)
+
+allow yppasswdd_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
+dontaudit yppasswdd_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
+allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow yppasswdd_t { etc_t etc_runtime_t }:file { getattr read };
+allow yppasswdd_t self:unix_dgram_socket create_socket_perms;
+allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms;
+file_type_auto_trans(yppasswdd_t, etc_t, shadow_t, file)
+allow yppasswdd_t { etc_t shadow_t }:file { relabelfrom relabelto };
+can_setfscreate(yppasswdd_t)
+allow yppasswdd_t proc_t:file getattr;
+allow yppasswdd_t { bin_t sbin_t }:dir search;
+allow yppasswdd_t bin_t:lnk_file read;
+can_exec(yppasswdd_t, { bin_t shell_exec_t hostname_exec_t })
+allow yppasswdd_t self:fifo_file rw_file_perms;
+rw_dir_create_file(yppasswdd_t, var_yp_t)
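Review bot: The new file is headed `# Roundup Issue Tracking System`, but from `# Rules for the yppasswdd_t domain.` onward every line declares or uses `yppasswdd_t`, including `daemon_domain(yppasswdd, `, auth_write, privowner')`, and nothing in it concerns a roundup domain. The hunk header announces 29 added lines while 40 follow, so either a file/hunk header for a yppasswdd.te hunk was lost after `allow yppasswdd_t { etc_t etc_runtime_t }:file { getattr read };`, or the file really was committed with yppasswdd content. If it is the latter, building with both roundup.te and a yppasswdd.te present would declare the yppasswdd types twice; the file should hold the actual roundup policy or be dropped from the commit.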
diff --git a/strict/domains/program/ypserv.te b/strict/domains/program/ypserv.te
index 656c15db..1ecc731d 100644
--- a/strict/domains/program/ypserv.te
+++ b/strict/domains/program/ypserv.te
@@ -39,3 +39,4 @@ allow rpcd_t ypserv_conf_t:file { getattr read };
')
allow ypserv_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
dontaudit ypserv_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
+can_exec(ypserv_t, bin_t)
diff --git a/strict/file_contexts/distros.fc b/strict/file_contexts/distros.fc
index 6df147cd..33c7f5e1 100644
--- a/strict/file_contexts/distros.fc
+++ b/strict/file_contexts/distros.fc
@@ -1,67 +1,67 @@
ifdef(`distro_redhat', `
-/usr/share/system-config-network(/netconfig)?/[^/]+\.py -- system_u:object_r:bin_t
-/etc/sysconfig/networking/profiles/.*/resolv\.conf -- system_u:object_r:net_conf_t
-/etc/sysconfig/network-scripts/.*resolv\.conf -- system_u:object_r:net_conf_t
-/usr/share/rhn/rhn_applet/applet\.py -- system_u:object_r:bin_t
-/usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- system_u:object_r:shlib_t
-/usr/share/rhn/rhn_applet/needed-packages\.py -- system_u:object_r:bin_t
-/usr/share/authconfig/authconfig-gtk\.py -- system_u:object_r:bin_t
-/usr/share/hwbrowser/hwbrowser -- system_u:object_r:bin_t
-/usr/share/system-config-httpd/system-config-httpd -- system_u:object_r:bin_t
-/usr/share/system-config-services/system-config-services -- system_u:object_r:bin_t
-/usr/share/system-logviewer/system-logviewer\.py -- system_u:object_r:bin_t
-/usr/share/system-config-lvm/system-config-lvm.py -- system_u:object_r:bin_t
-/usr/share/system-config-date/system-config-date\.py -- system_u:object_r:bin_t
-/usr/share/system-config-display/system-config-display -- system_u:object_r:bin_t
-/usr/share/system-config-keyboard/system-config-keyboard -- system_u:object_r:bin_t
-/usr/share/system-config-language/system-config-language -- system_u:object_r:bin_t
-/usr/share/system-config-mouse/system-config-mouse -- system_u:object_r:bin_t
-/usr/share/system-config-netboot/system-config-netboot\.py -- system_u:object_r:bin_t
-/usr/share/system-config-netboot/pxeos\.py -- system_u:object_r:bin_t
-/usr/share/system-config-netboot/pxeboot\.py -- system_u:object_r:bin_t
-/usr/share/system-config-nfs/system-config-nfs\.py -- system_u:object_r:bin_t
-/usr/share/system-config-rootpassword/system-config-rootpassword -- system_u:object_r:bin_t
-/usr/share/system-config-samba/system-config-samba\.py -- system_u:object_r:bin_t
-/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- system_u:object_r:bin_t
-/usr/share/system-config-services/serviceconf\.py -- system_u:object_r:bin_t
-/usr/share/system-config-soundcard/system-config-soundcard -- system_u:object_r:bin_t
-/usr/share/system-config-users/system-config-users -- system_u:object_r:bin_t
-/usr/share/switchdesk/switchdesk-gui\.py -- system_u:object_r:bin_t
-/usr/share/system-config-network/neat-control\.py -- system_u:object_r:bin_t
-/usr/share/system-config-nfs/nfs-export\.py -- system_u:object_r:bin_t
-/usr/share/pydict/pydict\.py -- system_u:object_r:bin_t
-/usr/share/cvs/contrib/rcs2log -- system_u:object_r:bin_t
-/usr/share/pwlib/make/ptlib-config -- system_u:object_r:bin_t
-/usr/share/texmf/web2c/mktexdir -- system_u:object_r:bin_t
-/usr/share/texmf/web2c/mktexnam -- system_u:object_r:bin_t
-/usr/share/texmf/web2c/mktexupd -- system_u:object_r:bin_t
-/etc/rhgb(/.*)? -d system_u:object_r:mnt_t
-/usr/share/ssl/misc(/.*)? system_u:object_r:bin_t
+/usr/share/system-config-network(/netconfig)?/[^/]+\.py -- system_u:object_r:bin_t:s0
+/etc/sysconfig/networking/profiles/.*/resolv\.conf -- system_u:object_r:net_conf_t:s0
+/etc/sysconfig/network-scripts/.*resolv\.conf -- system_u:object_r:net_conf_t:s0
+/usr/share/rhn/rhn_applet/applet\.py -- system_u:object_r:bin_t:s0
+/usr/share/rhn/rhn_applet/eggtrayiconmodule\.so -- system_u:object_r:shlib_t:s0
+/usr/share/rhn/rhn_applet/needed-packages\.py -- system_u:object_r:bin_t:s0
+/usr/share/authconfig/authconfig-gtk\.py -- system_u:object_r:bin_t:s0
+/usr/share/hwbrowser/hwbrowser -- system_u:object_r:bin_t:s0
+/usr/share/system-config-httpd/system-config-httpd -- system_u:object_r:bin_t:s0
+/usr/share/system-config-services/system-config-services -- system_u:object_r:bin_t:s0
+/usr/share/system-logviewer/system-logviewer\.py -- system_u:object_r:bin_t:s0
+/usr/share/system-config-lvm/system-config-lvm.py -- system_u:object_r:bin_t:s0
+/usr/share/system-config-date/system-config-date\.py -- system_u:object_r:bin_t:s0
+/usr/share/system-config-display/system-config-display -- system_u:object_r:bin_t:s0
+/usr/share/system-config-keyboard/system-config-keyboard -- system_u:object_r:bin_t:s0
+/usr/share/system-config-language/system-config-language -- system_u:object_r:bin_t:s0
+/usr/share/system-config-mouse/system-config-mouse -- system_u:object_r:bin_t:s0
+/usr/share/system-config-netboot/system-config-netboot\.py -- system_u:object_r:bin_t:s0
+/usr/share/system-config-netboot/pxeos\.py -- system_u:object_r:bin_t:s0
+/usr/share/system-config-netboot/pxeboot\.py -- system_u:object_r:bin_t:s0
+/usr/share/system-config-nfs/system-config-nfs\.py -- system_u:object_r:bin_t:s0
+/usr/share/system-config-rootpassword/system-config-rootpassword -- system_u:object_r:bin_t:s0
+/usr/share/system-config-samba/system-config-samba\.py -- system_u:object_r:bin_t:s0
+/usr/share/system-config-securitylevel/system-config-securitylevel\.py -- system_u:object_r:bin_t:s0
+/usr/share/system-config-services/serviceconf\.py -- system_u:object_r:bin_t:s0
+/usr/share/system-config-soundcard/system-config-soundcard -- system_u:object_r:bin_t:s0
+/usr/share/system-config-users/system-config-users -- system_u:object_r:bin_t:s0
+/usr/share/switchdesk/switchdesk-gui\.py -- system_u:object_r:bin_t:s0
+/usr/share/system-config-network/neat-control\.py -- system_u:object_r:bin_t:s0
+/usr/share/system-config-nfs/nfs-export\.py -- system_u:object_r:bin_t:s0
+/usr/share/pydict/pydict\.py -- system_u:object_r:bin_t:s0
+/usr/share/cvs/contrib/rcs2log -- system_u:object_r:bin_t:s0
+/usr/share/pwlib/make/ptlib-config -- system_u:object_r:bin_t:s0
+/usr/share/texmf/web2c/mktexdir -- system_u:object_r:bin_t:s0
+/usr/share/texmf/web2c/mktexnam -- system_u:object_r:bin_t:s0
+/usr/share/texmf/web2c/mktexupd -- system_u:object_r:bin_t:s0
+/etc/rhgb(/.*)? -d system_u:object_r:mnt_t:s0
+/usr/share/ssl/misc(/.*)? system_u:object_r:bin_t:s0
#
# /emul/ia32-linux/usr
#
-/emul(/.*)? system_u:object_r:usr_t
-/emul/ia32-linux/usr(/.*)?/lib(/.*)? system_u:object_r:lib_t
-/emul/ia32-linux/usr(/.*)?/lib/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
-/emul/ia32-linux/usr(/.*)?/java/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
-/emul/ia32-linux/usr(/.*)?/java/.*\.jar -- system_u:object_r:shlib_t
-/emul/ia32-linux/usr(/.*)?/java/.*\.jsa -- system_u:object_r:shlib_t
-/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t
-/emul/ia32-linux/usr(/.*)?/bin(/.*)? system_u:object_r:bin_t
-/emul/ia32-linux/usr(/.*)?/Bin(/.*)? system_u:object_r:bin_t
-/emul/ia32-linux/usr(/.*)?/sbin(/.*)? system_u:object_r:sbin_t
-/emul/ia32-linux/usr/libexec(/.*)? system_u:object_r:bin_t
+/emul(/.*)? system_u:object_r:usr_t:s0
+/emul/ia32-linux/usr(/.*)?/lib(/.*)? system_u:object_r:lib_t:s0
+/emul/ia32-linux/usr(/.*)?/lib/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0
+/emul/ia32-linux/usr(/.*)?/java/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0
+/emul/ia32-linux/usr(/.*)?/java/.*\.jar -- system_u:object_r:shlib_t:s0
+/emul/ia32-linux/usr(/.*)?/java/.*\.jsa -- system_u:object_r:shlib_t:s0
+/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* system_u:object_r:ld_so_t:s0
+/emul/ia32-linux/usr(/.*)?/bin(/.*)? system_u:object_r:bin_t:s0
+/emul/ia32-linux/usr(/.*)?/Bin(/.*)? system_u:object_r:bin_t:s0
+/emul/ia32-linux/usr(/.*)?/sbin(/.*)? system_u:object_r:sbin_t:s0
+/emul/ia32-linux/usr/libexec(/.*)? system_u:object_r:bin_t:s0
# /emul/ia32-linux/lib
-/emul/ia32-linux/lib(/.*)? system_u:object_r:lib_t
-/emul/ia32-linux/lib/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
-/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t
+/emul/ia32-linux/lib(/.*)? system_u:object_r:lib_t:s0
+/emul/ia32-linux/lib/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0
+/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- system_u:object_r:ld_so_t:s0
# /emul/ia32-linux/bin
-/emul/ia32-linux/bin(/.*)? system_u:object_r:bin_t
+/emul/ia32-linux/bin(/.*)? system_u:object_r:bin_t:s0
# /emul/ia32-linux/sbin
-/emul/ia32-linux/sbin(/.*)? system_u:object_r:sbin_t
+/emul/ia32-linux/sbin(/.*)? system_u:object_r:sbin_t:s0
ifdef(`dbusd.te', `', `
-/var/run/dbus(/.*)? system_u:object_r:system_dbusd_var_run_t
+/var/run/dbus(/.*)? system_u:object_r:system_dbusd_var_run_t:s0
')
# The following are libraries with text relocations in need of execmod permissions
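Review bot: Every context in this hunk now hard-codes the `:s0` MCS level, so the file only loads on an MCS/MLS-enabled build, whereas login.te in the same commit guards its MCS rule with `ifdef(`use_mcs'`; if non-MCS builds are still supported, the suffix should be emitted conditionally (an m4 macro expanding to `:s0` only under use_mcs) rather than written literally on each line. Separately, `/usr/share/system-config-lvm/system-config-lvm.py` keeps an unescaped `.` before `py` while every sibling pattern writes `\.py`; it still matches, but `/usr/share/system-config-lvm/system-config-lvm\.py -- system_u:object_r:bin_t:s0` is the consistent form.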
@@ -69,94 +69,96 @@ ifdef(`dbusd.te', `', `
# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
-/usr/lib/gstreamer-.*/libgstffmpeg\.so.* -- system_u:object_r:texrel_shlib_t
-/usr/lib/gstreamer-.*/libgsthermescolorspace\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/gstreamer-.*/libgstmms\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/libstdc\+\+\.so\.2\.7\.2\.8 -- system_u:object_r:texrel_shlib_t
-/usr/lib/libg\+\+\.so\.2\.7\.2\.8 -- system_u:object_r:texrel_shlib_t
-/usr/lib/libglide3\.so.* -- system_u:object_r:texrel_shlib_t
-/usr/lib/libdv\.so.* -- system_u:object_r:texrel_shlib_t
-/usr/lib/helix/plugins/oggfformat\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/helix/plugins/theorarend\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/helix/plugins/vorbisrend\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/helix/codecs/colorcvt\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/helix/codecs/cvt1\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/libSDL-.*\.so.* -- system_u:object_r:texrel_shlib_t
-/usr/X11R6/lib/modules/dri/.*\.so -- system_u:object_r:texrel_shlib_t
-/usr/X11R6/lib/libOSMesa\.so.* -- system_u:object_r:texrel_shlib_t
-/usr/X11R6/lib/libfglrx_gamma\.so.* -- system_u:object_r:texrel_shlib_t
-/usr/lib/libHermes\.so.* -- system_u:object_r:texrel_shlib_t
-/usr/lib/valgrind/hp2ps -- system_u:object_r:texrel_shlib_t
-/usr/lib/valgrind/stage2 -- system_u:object_r:texrel_shlib_t
-/usr/lib/valgrind/vg.*\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/.*/program(/.*)? system_u:object_r:bin_t
-/usr/lib/.*/program/.*\.so.* system_u:object_r:shlib_t
-/usr/lib/.*/program/libicudata\.so.* -- system_u:object_r:texrel_shlib_t
-/usr/lib/.*/program/libsts645li\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/.*/program/libvclplug_gen645li\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/.*/program/libwrp645li\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/.*/program/libswd680li\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib(64)?/.*/program/librecentfile\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib(64)?/.*/program/libsvx680li\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/gstreamer-.*/libgstffmpeg\.so.* -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/gstreamer-.*/libgsthermescolorspace\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/gstreamer-.*/libgstmms\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/libstdc\+\+\.so\.2\.7\.2\.8 -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/libg\+\+\.so\.2\.7\.2\.8 -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/libglide3\.so.* -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/libdv\.so.* -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/helix/plugins/oggfformat\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/helix/plugins/theorarend\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/helix/plugins/vorbisrend\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/helix/codecs/colorcvt\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/helix/codecs/cvt1\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/libSDL-.*\.so.* -- system_u:object_r:texrel_shlib_t:s0
+/usr/X11R6/lib/modules/dri/.*\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/X11R6/lib/libOSMesa\.so.* -- system_u:object_r:texrel_shlib_t:s0
+/usr/X11R6/lib/libfglrx_gamma\.so.* -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/libHermes\.so.* -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/valgrind/hp2ps -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/valgrind/stage2 -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/valgrind/vg.*\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/.*/libxpcom_core.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/.*/program(/.*)? system_u:object_r:bin_t:s0
+/usr/lib/.*/program/.*\.so.* system_u:object_r:shlib_t:s0
+/usr/lib/.*/program/libicudata\.so.* -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/.*/program/libsts645li\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/.*/program/libvclplug_gen645li\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/.*/program/libwrp645li\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/.*/program/libswd680li\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib(64)?/.*/program/librecentfile\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib(64)?/.*/program/libsvx680li\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib(64)?/.*/program/libsoffice\.so -- system_u:object_r:texrel_shlib_t:s0
# Fedora Extras packages: ladspa, imlib2, ocaml
-/usr/lib/ladspa/analogue_osc_1416\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/bandpass_a_iir_1893\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/bandpass_iir_1892\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/butterworth_1902\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/fm_osc_1415\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/gsm_1215\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/gverb_1216\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/hermes_filter_1200\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/highpass_iir_1890\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/lowpass_iir_1891\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/notch_iir_1894\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/pitch_scale_1193\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/pitch_scale_1194\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/sc1_1425\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/sc2_1426\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/sc3_1427\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/sc4_1882\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/ladspa/se4_1883\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/libImlib2\.so.* -- system_u:object_r:texrel_shlib_t
-/usr/lib/ocaml/stublibs/dllnums\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/httpd/modules/libphp5\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/php/modules/.*\.so -- system_u:object_r:texrel_shlib_t
+/usr/lib/ladspa/analogue_osc_1416\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ladspa/bandpass_a_iir_1893\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ladspa/bandpass_iir_1892\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ladspa/butterworth_1902\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ladspa/fm_osc_1415\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ladspa/gsm_1215\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ladspa/gverb_1216\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ladspa/hermes_filter_1200\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ladspa/highpass_iir_1890\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ladspa/lowpass_iir_1891\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ladspa/notch_iir_1894\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ladspa/pitch_scale_1193\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ladspa/pitch_scale_1194\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ladspa/sc1_1425\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ladspa/sc2_1426\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ladspa/sc3_1427\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ladspa/sc4_1882\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ladspa/se4_1883\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/libImlib2\.so.* -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/ocaml/stublibs/dllnums\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/httpd/modules/libphp5\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/php/modules/.*\.so -- system_u:object_r:texrel_shlib_t:s0
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
-/usr/lib/xmms/Input/libmpg123\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/libpostproc\.so.* -- system_u:object_r:texrel_shlib_t
-/usr/lib/libavformat-.*\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/libavcodec-.*\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/libxvidcore\.so.* -- system_u:object_r:texrel_shlib_t
-/usr/lib/xine/plugins/.*\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/libgsm\.so.* -- system_u:object_r:texrel_shlib_t
-/usr/lib/libmp3lame\.so.* -- system_u:object_r:texrel_shlib_t
+/usr/lib/xmms/Input/libmpg123\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/libpostproc\.so.* -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/libavformat-.*\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/libavcodec-.*\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/libxvidcore\.so.* -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/xine/plugins/.*\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/libgsm\.so.* -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/libmp3lame\.so.* -- system_u:object_r:texrel_shlib_t:s0
# Flash plugin, Macromedia
-HOME_DIR/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t
-/usr/lib/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t
+HOME_DIR/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/.*/plugins/libflashplayer\.so.* -- system_u:object_r:texrel_shlib_t:s0
# Jai, Sun Microsystems (Jpackage SPRM)
-/usr/lib/libmlib_jai\.so -- system_u:object_r:texrel_shlib_t
-/usr/lib/libdivxdecore.so.0 -- system_u:object_r:texrel_shlib_t
-/usr/lib/libdivxencore.so.0 -- system_u:object_r:texrel_shlib_t
+/usr/lib/libmlib_jai\.so -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/libdivxdecore.so.0 -- system_u:object_r:texrel_shlib_t:s0
+/usr/lib/libdivxencore.so.0 -- system_u:object_r:texrel_shlib_t:s0
# Java, Sun Microsystems (JPackage SRPM)
-/usr/.*/jre/lib/i386/libdeploy.so -- system_u:object_r:texrel_shlib_t
+/usr/.*/jre/lib/i386/libdeploy.so -- system_u:object_r:texrel_shlib_t:s0
-/usr(/.*)?/Reader/intellinux/plug_ins/.*\.api -- system_u:object_r:shlib_t
-/usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api -- system_u:object_r:texrel_shlib_t
-/usr(/.*)?/Reader/intellinux/plug_ins/EScript\.api -- system_u:object_r:texrel_shlib_t
-/usr(/.*)?/Reader/intellinux/SPPlugins/ADMPlugin\.apl -- system_u:object_r:texrel_shlib_t
+/usr(/.*)?/Reader/intellinux/plug_ins/.*\.api -- system_u:object_r:shlib_t:s0
+/usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api -- system_u:object_r:texrel_shlib_t:s0
+/usr(/.*)?/Reader/intellinux/plug_ins/EScript\.api -- system_u:object_r:texrel_shlib_t:s0
+/usr(/.*)?/Reader/intellinux/SPPlugins/ADMPlugin\.apl -- system_u:object_r:texrel_shlib_t:s0
')
ifdef(`distro_suse', `
-/var/lib/samba/bin/.+ system_u:object_r:bin_t
-/var/lib/samba/bin/.*\.so(\.[^/]*)* -l system_u:object_r:lib_t
-/usr/lib/samba/classic/.* -- system_u:object_r:bin_t
-/usr/lib/samba/classic/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
-/success -- system_u:object_r:etc_runtime_t
-/etc/defkeymap\.map -- system_u:object_r:etc_runtime_t
+/var/lib/samba/bin/.+ system_u:object_r:bin_t:s0
+/var/lib/samba/bin/.*\.so(\.[^/]*)* -l system_u:object_r:lib_t:s0
+/usr/lib/samba/classic/.* -- system_u:object_r:bin_t:s0
+/usr/lib/samba/classic/[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t:s0
+/success -- system_u:object_r:etc_runtime_t:s0
+/etc/defkeymap\.map -- system_u:object_r:etc_runtime_t:s0
')
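Review bot: The newly added `libxpcom_core.so` entry leaves the dot before `so` unescaped, unlike every neighbouring `\.so` pattern, so the regex also matches names such as `libxpcom_coreXso`; write it as `/usr/lib/.*/libxpcom_core\.so -- system_u:object_r:texrel_shlib_t:s0`. The same unescaped dot is carried over unchanged in the libdivx and libdeploy lines further down. Separately, the `HOME_DIR/.*/plugins/libflashplayer\.so.*` line hands texrel_shlib_t — and with it execmod on the mapped file — to a user-writable path that any local user can populate with an arbitrary object of that name; this is pre-existing, but a one-line comment stating that it is an accepted relaxation of execmod enforcement for user-installed Flash would help the next reader judge it.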
diff --git a/strict/file_contexts/program/cyrus.fc b/strict/file_contexts/program/cyrus.fc
index 04b78be9..71a90263 100644
--- a/strict/file_contexts/program/cyrus.fc
+++ b/strict/file_contexts/program/cyrus.fc
@@ -1,5 +1,5 @@
# cyrus
/var/lib/imap(/.*)? system_u:object_r:cyrus_var_lib_t
/usr/lib(64)?/cyrus-imapd/.* -- system_u:object_r:bin_t
-/usr/lib(64)?/cyrus-imapd/cyrus-master -- system_u:object_r:cyrus_exec_t
+/usr/lib(64)?/cyrus-imapd/cyrus-master -- system_u:object_r:cyrus_exec_t
/var/spool/imap(/.*)? system_u:object_r:mail_spool_t
diff --git a/strict/file_contexts/program/ethereal.fc b/strict/file_contexts/program/ethereal.fc
index abe9b020..ba1af85d 100644
--- a/strict/file_contexts/program/ethereal.fc
+++ b/strict/file_contexts/program/ethereal.fc
@@ -1,3 +1,3 @@
/usr/sbin/tethereal.* -- system_u:object_r:tethereal_exec_t
-/usr/sbin/ethereal.* -- system_u:object_r:ethereal_exec_t
-HOME_DIR/\.ethereal(/.*)? system_u:object_r:ROLE_ethereal_home_t
+/usr/sbin/ethereal.* -- system_u:object_r:ethereal_exec_t
+HOME_DIR/\.ethereal(/.*)? system_u:object_r:ROLE_ethereal_home_t
diff --git a/strict/file_contexts/program/games.fc b/strict/file_contexts/program/games.fc
index a4ab9335..3465eeee 100644
--- a/strict/file_contexts/program/games.fc
+++ b/strict/file_contexts/program/games.fc
@@ -1,8 +1,10 @@
# games
-/usr/lib(64)?/games/.* -- system_u:object_r:games_exec_t
-/var/games(/.*)? system_u:object_r:games_data_t
-/usr/games/.* -- system_u:object_r:games_exec_t
+/usr/lib/games(/.*)? system_u:object_r:games_exec_t
/var/lib/games(/.*)? system_u:object_r:games_data_t
+ifdef(`distro_debian', `
+/usr/games/.* -- system_u:object_r:games_exec_t
+/var/games(/.*)? system_u:object_r:games_data_t
+', `
/usr/bin/micq -- system_u:object_r:games_exec_t
/usr/bin/blackjack -- system_u:object_r:games_exec_t
/usr/bin/gataxx -- system_u:object_r:games_exec_t
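Review bot: `/usr/lib/games(/.*)?` labels the directory itself and every file beneath it games_exec_t, whereas the line it replaces (`/usr/lib(64)?/games/.* --`) labelled only regular files and also covered /usr/lib64; if executables-only is still the intent, `/usr/lib(64)?/games/.* -- system_u:object_r:games_exec_t` keeps both properties. Moving `/var/games(/.*)?` inside the distro_debian branch also drops the games_data_t label for /var/games on every other distribution, which looks unintentional unless those distributions never create that directory. The non-Debian branch opened here is closed by the `')dnl` line in the second hunk.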
@@ -53,4 +55,7 @@
/usr/bin/lskat -- system_u:object_r:games_exec_t
/usr/bin/lskatproc -- system_u:object_r:games_exec_t
/usr/bin/Maelstrom -- system_u:object_r:games_exec_t
+/usr/bin/civclient.* -- system_u:object_r:games_exec_t
+/usr/bin/civserver.* -- system_u:object_r:games_exec_t
+')dnl end non-Debian section
diff --git a/strict/genfs_contexts b/strict/genfs_contexts
index 6686d2ed..11c16d44 100644
--- a/strict/genfs_contexts
+++ b/strict/genfs_contexts
@@ -94,7 +94,7 @@ genfscon afs / system_u:object_r:nfs_t
genfscon debugfs / system_u:object_r:debugfs_t
genfscon inotifyfs / system_u:object_r:inotifyfs_t
genfscon hugetlbfs / system_u:object_r:hugetlbfs_t
-genfscon mqueue / system_u:object_r:mqueue_t
+genfscon capifs / system_u:object_r:capifs_t
# needs more work
genfscon eventpollfs / system_u:object_r:eventpollfs_t
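Review bot: The `genfscon mqueue` rule is replaced rather than supplemented, so the POSIX message-queue filesystem no longer has a genfs label in this file; unless an fs_use_* rule elsewhere in the policy covers mqueue, its inodes are likely to fall to unlabeled_t (the sibling file.te change only turns mqueue_t into an alias of file_t), and domains using mq_open() would start being denied. If capifs is meant as an addition, keep both lines: `genfscon mqueue / system_u:object_r:mqueue_t` and `genfscon capifs / system_u:object_r:capifs_t`. If dropping mqueue is deliberate, a one-line comment naming the rule that now labels it would save the next reader the search.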
diff --git a/strict/macros/core_macros.te b/strict/macros/core_macros.te
index 4ff37c75..4a5900a2 100644
--- a/strict/macros/core_macros.te
+++ b/strict/macros/core_macros.te
@@ -620,6 +620,9 @@ allow $1_devpts_t devpts_t:filesystem associate;
# Label pty files with a derived type.
type_transition $1_t devpts_t:chr_file $1_devpts_t;
+# allow searching /dev/pts
+allow $1_t devpts_t:dir { getattr read search };
+
# Read and write my pty files.
allow $1_t $1_devpts_t:chr_file { setattr rw_file_perms };
')
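Review bot: This hunk adds a hand-written `allow $1_t devpts_t:dir { getattr read search };` while the same commit introduces `can_access_pty(domain, typeprefix)` in global_macros.te for exactly this devpts_t dir plus `$2_devpts_t` chr_file pair; calling `can_access_pty($1_t, $1)` here and keeping only the extra `setattr` on `$1_devpts_t:chr_file` would keep the two in step. Note that the macro grants `r_dir_perms`, which is slightly wider than `{ getattr read search }` (it also includes lock and ioctl on the directory), so only consolidate if that is acceptable. The enclosing macro begins above this hunk.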
diff --git a/strict/macros/global_macros.te b/strict/macros/global_macros.te
index 8bd5d7be..54dce1dc 100644
--- a/strict/macros/global_macros.te
+++ b/strict/macros/global_macros.te
@@ -157,6 +157,11 @@ allow $1 lib_t:file r_file_perms;
r_dir_file($1, locale_t)
')
+define(`can_access_pty', `
+allow $1 devpts_t:dir r_dir_perms;
+allow $1 $2_devpts_t:chr_file rw_file_perms;
+')
+
###################################
#
# access_terminal(domain, typeprefix)
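Review bot: `can_access_pty` has no header comment although the neighbouring macros in this file carry one (see the `access_terminal(domain, typeprefix)` block directly below); add `# can_access_pty(domain, typeprefix)` and `# Search /dev/pts and read/write the typeprefix_devpts_t pty files.` above the define. Callers that swap a bare `$2_devpts_t:chr_file` rule for this macro also gain `r_dir_perms` on devpts_t, which is broader than the `{ read search getattr }` that access_terminal granted before this commit, so the comment should say that directory access is included.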
@@ -166,8 +171,7 @@ r_dir_file($1, locale_t)
define(`access_terminal', `
allow $1 $2_tty_device_t:chr_file { read write getattr ioctl };
allow $1 devtty_t:chr_file { read write getattr ioctl };
-allow $1 devpts_t:dir { read search getattr };
-allow $1 $2_devpts_t:chr_file { read write getattr ioctl };
+can_access_pty($1, $2)
')
#
@@ -514,6 +518,9 @@ define(`application_domain', `
type $1_t, domain, privlog $2;
type $1_exec_t, file_type, sysadmfile, exec_type;
role sysadm_r types $1_t;
+ifdef(`targeted_policy', `
+role system_r types $1_t;
+')
domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
uses_shlib($1_t)
')
@@ -600,10 +607,10 @@ allow $1 self:capability sys_admin;
# Also define boolean to allow anonymous writing
#
define(`anonymous_domain', `
-r_dir_file($1_t, ftpd_anon_t)
+r_dir_file($1_t, { public_content_t public_content_rw_t } )
bool allow_$1_anon_write false;
if (allow_$1_anon_write) {
-create_dir_file($1_t,ftpd_anon_rw_t)
+create_dir_file($1_t,public_content_rw_t)
}
')
#
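Review bot: Read access to public_content_rw_t is now granted unconditionally, whereas before this change the rw type (ftpd_anon_rw_t) was only reachable when `allow_$1_anon_write` was on; if that is intended — public content is meant to be readable regardless of the write toggle — say so in the macro header, e.g. `# Read public_content_t and public_content_rw_t; write to public_content_rw_t only when allow_$1_anon_write is set.` Otherwise move the read of the rw type inside the `if` block. The macro's header comment starts above this hunk.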
@@ -618,6 +625,7 @@ create_dir_file($1_t,ftpd_anon_rw_t)
define(`unconfined_domain', `
typeattribute $1 unrestricted;
+typeattribute $1 privuser;
# Mount/unmount any filesystem.
allow $1 fs_type:filesystem *;
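Review bot: Adding `privuser` to every unconfined domain is undocumented here; if privuser is the attribute consulted by the user-identity constraints (the `constrain process transition` rules that `unrestricted` does not bypass), a comment such as `# privuser: unconfined domains may change SELinux user identity; constraints are not covered by unrestricted` would explain why the attribute is needed on top of unrestricted. The constraints file is not part of this diff, so please confirm that is the reason before wording it that way. The unconfined_domain body continues past the hunk.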
diff --git a/strict/macros/network_macros.te b/strict/macros/network_macros.te
index 0c8817a5..8e8b05a4 100644
--- a/strict/macros/network_macros.te
+++ b/strict/macros/network_macros.te
@@ -153,7 +153,8 @@ allow $1 mount_t:udp_socket rw_socket_perms;
')dnl end can_network definition
define(`can_resolve',`
-can_network_udp($1, `dns_port_t')
+can_network_client($1, `dns_port_t')
+allow $1 dns_port_t:tcp_socket name_connect;
')
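Review bot: Switching can_resolve from UDP-only to `can_network_client` plus `dns_port_t:tcp_socket name_connect` is a deliberate widening that deserves a comment, since TCP is what a resolver falls back to when a UDP reply is truncated and `name_connect` is the permission that actually lets the domain connect to port 53; add `# DNS uses UDP but falls back to TCP for truncated replies, so allow both` above the macro body. `can_network_client` is defined outside this hunk, so I cannot see whether it already grants the tcp name_connect, in which case the explicit rule is redundant but harmless.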
define(`can_portmap',`
@@ -173,3 +174,17 @@ allow $1 winbind_t:unix_stream_socket connectto;
allow $1 winbind_var_run_t:sock_file { getattr read write };
')
')
+
+
+#################################
+#
+# nsswitch_domain(domain)
+#
+# Permissions for looking up uid/username mapping via nsswitch
+#
+define(`nsswitch_domain', `
+can_resolve($1)
+can_ypbind($1)
+can_ldap($1)
+can_winbind($1)
+')
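Review bot: `nsswitch_domain` grants DNS, NIS, LDAP and winbind reachability to every caller in one expansion regardless of which backends nsswitch.conf actually uses, so each caller's network surface grows to all four; either gate the backends behind booleans or at least say so in the header: `# Grants network access for every supported nsswitch backend (dns, nis, ldap, winbind); callers get all of them even if only one is configured.` can_winbind above is wrapped in an ifdef on winbind.te, but whether can_ldap and can_ypbind are guarded the same way is not visible from this hunk, so the unconditional expansion is worth checking on a policy built without those modules.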
diff --git a/strict/macros/program/i18n_input_macros.te b/strict/macros/program/i18n_input_macros.te
new file mode 100644
index 00000000..58699fc8
--- /dev/null
+++ b/strict/macros/program/i18n_input_macros.te
@@ -0,0 +1,21 @@
+#
+# Macros for i18n_input
+#
+
+#
+# Authors: Dan Walsh
+#
+
+#
+# i18n_input_domain(domain)
+#
+ifdef(`i18n_input.te', `
+define(`i18n_input_domain', `
+allow i18n_input_t $1_home_dir_t:dir { getattr search };
+r_dir_file(i18n_input_t, $1_home_t)
+if (use_nfs_home_dirs) { r_dir_file(i18n_input_t, nfs_t) }
+if (use_samba_home_dirs) { r_dir_file(i18n_input_t, cifs_t) }
+')
+')
+
+
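Review bot: `i18n_input_domain` gives i18n_input_t read access to every file in the user's home directory via `r_dir_file(i18n_input_t, $1_home_t)`, plus all of nfs_t/cifs_t when the home-dir booleans are on, which is far more than an input-method daemon needs if it only reads its own configuration; a dedicated per-role home subtype, following the `ROLE_ethereal_home_t` pattern used in ethereal.fc, with a file_contexts entry for the input-method dot-directory would keep it to least privilege. If whole-home read is unavoidable, document why in the macro header, e.g. `# i18n_input reads per-user input-method configuration; currently granted read on the whole home directory`. The file also ends with two trailing blank lines.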
diff --git a/strict/macros/program/pyzor_macros.te b/strict/macros/program/pyzor_macros.te
index 36b4c547..af67d30a 100644
--- a/strict/macros/program/pyzor_macros.te
+++ b/strict/macros/program/pyzor_macros.te
@@ -64,6 +64,6 @@ allow $1_pyzor_t self:unix_stream_socket create_stream_socket_perms;
# Allow pyzor to be run by hand. Needed by any action other than
# invocation from a spam filter.
-allow $1_pyzor_t $1_devpts_t:chr_file rw_file_perms;
+can_access_pty($1_pyzor_t, $1)
allow $1_pyzor_t sshd_t:fd use;
')
diff --git a/strict/macros/program/razor_macros.te b/strict/macros/program/razor_macros.te
index ca681f7d..e4c7c559 100644
--- a/strict/macros/program/razor_macros.te
+++ b/strict/macros/program/razor_macros.te
@@ -70,6 +70,6 @@ allow $1_razor_t self:unix_stream_socket create_stream_socket_perms;
# Allow razor to be run by hand. Needed by any action other than
# invocation from a spam filter.
-allow $1_razor_t $1_devpts_t:chr_file rw_file_perms;
+can_access_pty($1_razor_t, $1)
allow $1_razor_t sshd_t:fd use;
')
diff --git a/strict/macros/program/su_macros.te b/strict/macros/program/su_macros.te
index 055e08a1..ca2f2be0 100644
--- a/strict/macros/program/su_macros.te
+++ b/strict/macros/program/su_macros.te
@@ -68,7 +68,7 @@ allow $1_su_t crond_t:fifo_file read;
')
# Use capabilities.
-allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource audit_control };
+allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource audit_control audit_write };
dontaudit $1_su_t self:capability sys_tty_config;
#
# Caused by su - init scripts
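Review bot: The new `audit_write` capability has no comment saying which path in su needs it; if it is for the PAM records emitted during su (PAM sends USER_* audit messages on authentication and session start), say so: `# audit_write: PAM emits USER_AUTH/USER_START audit records during su`. Since audit_write now covers sending records, it is worth re-checking whether the pre-existing `audit_control` — which additionally permits changing audit configuration and filter rules — is still required on `$1_su_t`, as it is considerably more powerful.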
diff --git a/strict/macros/program/uml_macros.te b/strict/macros/program/uml_macros.te
index 9b877754..bc635f86 100644
--- a/strict/macros/program/uml_macros.te
+++ b/strict/macros/program/uml_macros.te
@@ -81,7 +81,7 @@ domain_auto_trans($1_uml_t, uml_net_exec_t, uml_net_t)
allow uml_net_t $1_uml_t:unix_stream_socket { read write };
allow uml_net_t $1_uml_t:unix_dgram_socket { read write };
dontaudit uml_net_t privfd:fd use;
-allow uml_net_t $1_uml_devpts_t:chr_file { read write };
+can_access_pty(uml_net_t, $1_uml)
dontaudit uml_net_t $1_uml_rw_t:dir { getattr search };
')dnl end ifdef uml_net.te
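Review bot: `can_access_pty(uml_net_t, $1_uml)` widens what was `$1_uml_devpts_t:chr_file { read write }` to the full rw_file_perms set (getattr, ioctl, lock, append and friends) and adds r_dir_perms on devpts_t; for a helper that only moves data through an already-open pty, the original two permissions may be all it needs. If the wider set is not required, keep `allow uml_net_t $1_uml_devpts_t:chr_file { read write };` and add any needed devpts_t dir search as a separate rule. The surrounding ifdef block begins above this hunk.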
diff --git a/strict/macros/user_macros.te b/strict/macros/user_macros.te
index dfc6c179..2c766656 100644
--- a/strict/macros/user_macros.te
+++ b/strict/macros/user_macros.te
@@ -121,6 +121,7 @@ allow $1_t system_map_t:file { getattr read };
# user domains.
ifelse($1, sysadm, `',`
ifdef(`apache.te', `apache_user_domain($1)')
+ifdef(`i18n_input.te', `i18n_input_domain($1)')
')
ifdef(`slocate.te', `locate_domain($1)')
ifdef(`lockdev.te', `lockdev_domain($1)')
diff --git a/strict/mcs b/strict/mcs
index 20ec239c..d67b134e 100644
--- a/strict/mcs
+++ b/strict/mcs
@@ -146,13 +146,141 @@ category c124;
category c125;
category c126;
category c127;
+category c128;
+category c129;
+category c130;
+category c131;
+category c132;
+category c133;
+category c134;
+category c135;
+category c136;
+category c137;
+category c138;
+category c139;
+category c140;
+category c141;
+category c142;
+category c143;
+category c144;
+category c145;
+category c146;
+category c147;
+category c148;
+category c149;
+category c150;
+category c151;
+category c152;
+category c153;
+category c154;
+category c155;
+category c156;
+category c157;
+category c158;
+category c159;
+category c160;
+category c161;
+category c162;
+category c163;
+category c164;
+category c165;
+category c166;
+category c167;
+category c168;
+category c169;
+category c170;
+category c171;
+category c172;
+category c173;
+category c174;
+category c175;
+category c176;
+category c177;
+category c178;
+category c179;
+category c180;
+category c181;
+category c182;
+category c183;
+category c184;
+category c185;
+category c186;
+category c187;
+category c188;
+category c189;
+category c190;
+category c191;
+category c192;
+category c193;
+category c194;
+category c195;
+category c196;
+category c197;
+category c198;
+category c199;
+category c200;
+category c201;
+category c202;
+category c203;
+category c204;
+category c205;
+category c206;
+category c207;
+category c208;
+category c209;
+category c210;
+category c211;
+category c212;
+category c213;
+category c214;
+category c215;
+category c216;
+category c217;
+category c218;
+category c219;
+category c220;
+category c221;
+category c222;
+category c223;
+category c224;
+category c225;
+category c226;
+category c227;
+category c228;
+category c229;
+category c230;
+category c231;
+category c232;
+category c233;
+category c234;
+category c235;
+category c236;
+category c237;
+category c238;
+category c239;
+category c240;
+category c241;
+category c242;
+category c243;
+category c244;
+category c245;
+category c246;
+category c247;
+category c248;
+category c249;
+category c250;
+category c251;
+category c252;
+category c253;
+category c254;
+category c255;
#
# Each MCS level specifies a sensitivity and zero or more categories which may
# be associated with that sensitivity.
#
-level s0:c0.c127;
+level s0:c0.c255;
#
# Define the MCS policy
@@ -200,9 +328,23 @@ level s0:c0.c127;
#
# Only files are constrained by MCS at this stage.
#
-mlsconstrain file { read write setattr append unlink link rename
+mlsconstrain file { write setattr append unlink link rename
create ioctl lock execute } (h1 dom h2);
+mlsconstrain file { read } ((h1 dom h2) or
+ ( t1 == mlsfileread ));
+
+
+# new file labels must be dominated by the relabeling subject's clearance
+mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom relabelto }
+ ( h1 dom h2 );
+
+define(`nogetattr_file_perms', `{ create ioctl read lock write setattr append
+link unlink rename relabelfrom relabelto }')
+
+define(`nogetattr_dir_perms', `{ create read lock setattr ioctl link unlink
+rename search add_name remove_name reparent write rmdir relabelfrom
+relabelto }')
# XXX
#
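Review bot: The comment `# Only files are constrained by MCS at this stage.` is now stale, since the new relabelfrom/relabelto constraint also covers dir, lnk_file, chr_file, blk_file, sock_file and fifo_file; update it to `# file is constrained on write-like operations and read; all file classes are constrained on relabel.` The `t1 == mlsfileread` override lets any domain carrying that attribute read files of every category, so the attribute must be declared (`attribute mlsfileread;`, not visible in this diff) and granted only to the few domains that genuinely need cross-category reads — a comment beside the constraint naming that rule would help. The two `nogetattr_*_perms` defines are added but unused within this hunk; if nothing below uses them they are dead text.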
diff --git a/strict/mls b/strict/mls
index 01a652a1..b3e9b5a3 100644
--- a/strict/mls
+++ b/strict/mls
@@ -13,12 +13,17 @@ sensitivity s6;
sensitivity s7;
sensitivity s8;
sensitivity s9;
-
+sensitivity s10;
+sensitivity s11;
+sensitivity s12;
+sensitivity s13;
+sensitivity s14;
+sensitivity s15;
#
# Define the ordering of the sensitivity levels (least to greatest)
#
-dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 }
+dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 }
#
@@ -154,22 +159,156 @@ category c124;
category c125;
category c126;
category c127;
+category c128;
+category c129;
+category c130;
+category c131;
+category c132;
+category c133;
+category c134;
+category c135;
+category c136;
+category c137;
+category c138;
+category c139;
+category c140;
+category c141;
+category c142;
+category c143;
+category c144;
+category c145;
+category c146;
+category c147;
+category c148;
+category c149;
+category c150;
+category c151;
+category c152;
+category c153;
+category c154;
+category c155;
+category c156;
+category c157;
+category c158;
+category c159;
+category c160;
+category c161;
+category c162;
+category c163;
+category c164;
+category c165;
+category c166;
+category c167;
+category c168;
+category c169;
+category c170;
+category c171;
+category c172;
+category c173;
+category c174;
+category c175;
+category c176;
+category c177;
+category c178;
+category c179;
+category c180;
+category c181;
+category c182;
+category c183;
+category c184;
+category c185;
+category c186;
+category c187;
+category c188;
+category c189;
+category c190;
+category c191;
+category c192;
+category c193;
+category c194;
+category c195;
+category c196;
+category c197;
+category c198;
+category c199;
+category c200;
+category c201;
+category c202;
+category c203;
+category c204;
+category c205;
+category c206;
+category c207;
+category c208;
+category c209;
+category c210;
+category c211;
+category c212;
+category c213;
+category c214;
+category c215;
+category c216;
+category c217;
+category c218;
+category c219;
+category c220;
+category c221;
+category c222;
+category c223;
+category c224;
+category c225;
+category c226;
+category c227;
+category c228;
+category c229;
+category c230;
+category c231;
+category c232;
+category c233;
+category c234;
+category c235;
+category c236;
+category c237;
+category c238;
+category c239;
+category c240;
+category c241;
+category c242;
+category c243;
+category c244;
+category c245;
+category c246;
+category c247;
+category c248;
+category c249;
+category c250;
+category c251;
+category c252;
+category c253;
+category c254;
+category c255;
#
# Each MLS level specifies a sensitivity and zero or more categories which may
# be associated with that sensitivity.
#
-level s0:c0.c127;
-level s1:c0.c127;
-level s2:c0.c127;
-level s3:c0.c127;
-level s4:c0.c127;
-level s5:c0.c127;
-level s6:c0.c127;
-level s7:c0.c127;
-level s8:c0.c127;
-level s9:c0.c127;
+level s0:c0.c255;
+level s1:c0.c255;
+level s2:c0.c255;
+level s3:c0.c255;
+level s4:c0.c255;
+level s5:c0.c255;
+level s6:c0.c255;
+level s7:c0.c255;
+level s8:c0.c255;
+level s9:c0.c255;
+level s10:c0.c255;
+level s11:c0.c255;
+level s12:c0.c255;
+level s13:c0.c255;
+level s14:c0.c255;
+level s15:c0.c255;
#
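Review bot: Extending every level to `c0.c255` changes what the system-high range means, so any range still written out elsewhere as `c0.c127` (the users file, initial SID contexts, seusers/setrans data) has to move to `c0.c255` in the same change, otherwise the old high range no longer dominates objects labelled in c128–c255; none of those files appear in this diff, so I cannot confirm they were updated. The same check applies to the s10–s15 sensitivities added in the first hunk of this file.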
diff --git a/strict/net_contexts b/strict/net_contexts
index f38e6130..8ab11180 100644
--- a/strict/net_contexts
+++ b/strict/net_contexts
@@ -50,6 +50,10 @@ portcon udp 53 system_u:object_r:dns_port_t
portcon tcp 53 system_u:object_r:dns_port_t
portcon udp 67 system_u:object_r:dhcpd_port_t
+portcon udp 647 system_u:object_r:dhcpd_port_t
+portcon tcp 647 system_u:object_r:dhcpd_port_t
+portcon udp 847 system_u:object_r:dhcpd_port_t
+portcon tcp 847 system_u:object_r:dhcpd_port_t
portcon udp 68 system_u:object_r:dhcpc_port_t
portcon udp 70 system_u:object_r:gopher_port_t
portcon tcp 70 system_u:object_r:gopher_port_t
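Review bot: The four new dhcpd_port_t lines for 647 and 847 are inserted between ports 67 and 68, breaking the numeric ordering the rest of the file follows, and carry no comment; move them after the 67/68 pair and annotate them with `# 647/847: ISC dhcpd failover peer ports (IANA dhcp-failover / dhcp-failover2)`. Labelling them dhcpd_port_t means every rule that grants bind or connect on dhcpd_port_t now also covers the failover channel, which is presumably the intent but worth stating.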
@@ -164,6 +168,8 @@ portcon tcp 5703 system_u:object_r:ptal_port_t
portcon tcp 50000 system_u:object_r:hplip_port_t
portcon tcp 50002 system_u:object_r:hplip_port_t
portcon tcp 5900 system_u:object_r:vnc_port_t
+portcon tcp 5988 system_u:object_r:pegasus_http_port_t
+portcon tcp 5989 system_u:object_r:pegasus_https_port_t
portcon tcp 6000 system_u:object_r:xserver_port_t
portcon tcp 6001 system_u:object_r:xserver_port_t
portcon tcp 6002 system_u:object_r:xserver_port_t
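Review bot: Ports 5988/5989 get dedicated pegasus_http_port_t/pegasus_https_port_t types but no comment; add `# 5988/5989: WBEM over HTTP/HTTPS (OpenPegasus CIM server)` so the service behind the labels is on record next to them.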
diff --git a/strict/types/devpts.te b/strict/types/devpts.te
index 56b8ddef..291ec53a 100644
--- a/strict/types/devpts.te
+++ b/strict/types/devpts.te
@@ -18,4 +18,7 @@ type ptmx_t, sysadmfile, device_type, dev_fs, mlstrustedobject;
#
type devpts_t, mount_point, fs_type;
+ifdef(`targeted_policy', `
+typeattribute devpts_t ttyfile;
+')
diff --git a/strict/types/file.te b/strict/types/file.te
index 24d00238..7b6fa9e4 100644
--- a/strict/types/file.te
+++ b/strict/types/file.te
@@ -307,8 +307,7 @@ allow dosfs_t self:filesystem associate;
type hugetlbfs_t, mount_point, fs_type, sysadmfile;
allow hugetlbfs_t self:filesystem associate;
-type mqueue_t, mount_point, fs_type, sysadmfile;
-allow mqueue_t self:filesystem associate;
+typealias file_t alias mqueue_t;
# udev_runtime_t is the type of the udev table file
type udev_runtime_t, file_type, sysadmfile;
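Review bot: `typealias file_t alias mqueue_t;` merges the message-queue type into file_t, the type of on-disk files that carry no label, so every existing allow rule written against mqueue_t now also applies to file_t and vice versa; any domain that had dir/file permissions on mqueue_t silently gains them on unlabeled files. If the goal is only to keep old references compiling, keeping a distinct type (with the fs_use or genfscon rule that labels the mqueue filesystem) is safer than aliasing onto file_t; at minimum add a comment explaining the alias, e.g. `# mqueue_t retained as an alias for compatibility; the mqueue filesystem is no longer labelled by genfscon`.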
@@ -325,6 +324,9 @@ allow debugfs_t self:filesystem associate;
type inotifyfs_t, fs_type, sysadmfile;
allow inotifyfs_t self:filesystem associate;
+type capifs_t, fs_type, sysadmfile;
+allow capifs_t self:filesystem associate;
+
# removable_t is the default type of all removable media
type removable_t, file_type, sysadmfile, usercanread;
allow removable_t self:filesystem associate;
@@ -332,11 +334,16 @@ allow file_type removable_t:filesystem associate;
allow file_type noexattrfile:filesystem associate;
# Type for anonymous FTP data, used by ftp and rsync
-type ftpd_anon_t, file_type, sysadmfile, customizable;
-type ftpd_anon_rw_t, file_type, sysadmfile, customizable;
+type public_content_t, file_type, sysadmfile, customizable;
+type public_content_rw_t, file_type, sysadmfile, customizable;
+typealias public_content_t alias ftpd_anon_t;
+typealias public_content_rw_t alias ftpd_anon_rw_t;
allow customizable self:filesystem associate;
# type for /tmp/.ICE-unix
type ice_tmp_t, file_type, sysadmfile, tmpfile;
+# type for /usr/share/hwdata
+type hwdata_t, file_type, sysadmfile;
+
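Review bot: `hwdata_t` is declared with a comment pointing at /usr/share/hwdata, but nothing in the visible diff adds a file_contexts entry for that path or any allow rule on the type, so as of this hunk the type exists yet nothing is labelled with it; please add the .fc line in the same change or note the follow-up in the comment. The public_content_t/public_content_rw_t rename keeps the old names as aliases, which is right for labels already on disk, but the comment above (`# Type for anonymous FTP data, used by ftp and rsync`) should now say these are generic public-content types shared by any anonymous_domain caller rather than ftp-specific.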
diff --git a/strict/types/network.te b/strict/types/network.te
index aaf10d9a..eb8bdcb3 100644
--- a/strict/types/network.te
+++ b/strict/types/network.te
@@ -120,6 +120,8 @@ type stunnel_port_t, port_type;
type zebra_port_t, port_type;
type i18n_input_port_t, port_type;
type vnc_port_t, port_type;
+type pegasus_http_port_t, port_type;
+type pegasus_https_port_t, port_type;
type openvpn_port_t, port_type;
type clamd_port_t, port_type;
type transproxy_port_t, port_type;
diff --git a/strict/users b/strict/users
index c0269c46..acf0292a 100644
--- a/strict/users
+++ b/strict/users
@@ -9,7 +9,7 @@
# Each user has a set of roles that may be entered by processes
# with the users identity. The syntax of a user declaration is:
#
-# user username roles role_set [ level default_level range allowed_range ];
+# user username roles role_set [ level default_level range allowed_range ] level s0 range s0;
#
# The MLS default level and allowed range should only be specified if
# MLS was enabled in the policy.
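Review bot: The new syntax line documents `level` and `range` twice — once inside the optional bracket and again as a trailing `level s0 range s0` — which is not a valid declaration shape (a user statement carries one level and one range); restore `# user username roles role_set [ level default_level range allowed_range ];` and, if an example was intended, put it on its own line such as `# e.g. user joe roles { user_r } level s0 range s0;`. The sentence that follows still says the level and range are only given when MLS is enabled, which an unconditioned `level s0 range s0` in the syntax line contradicts.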