more upstream merging

2005-09-16 19:36:10 +00:00 · 2005-09-16 19:36:10 +00:00 · cff75c90ca
commit cff75c90ca
parent a47ea60ca9
53 changed files with 878 additions and 482 deletions
--- a/refpolicy/policy/modules/admin/su.if
+++ b/refpolicy/policy/modules/admin/su.if
@ -28,7 +28,9 @@
 ## </param>
 #
 template(`su_per_userdomain_template',`
-
+	# in optional since loadable modules do not natively
+	# support per-userdomain templates yet.
+	optional_policy(`su.te',`
 		gen_require(`
 			type su_exec_t;
 		')
@ -44,10 +46,11 @@ template(`su_per_userdomain_template',`

 		allow $2 $1_su_t:process signal;

-	allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+		allow $1_su_t self:capability { audit_control setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
 		dontaudit $1_su_t self:capability sys_tty_config;
 		allow $1_su_t self:process { setexec setsched setrlimit };
 		allow $1_su_t self:fifo_file rw_file_perms;
+		allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };

 		# Transition from the user domain to this domain.
 		domain_auto_trans($2, su_exec_t, $1_su_t)
@ -143,6 +146,22 @@ template(`su_per_userdomain_template',`
 		')

 		ifdef(`TODO',`
+
+		ifdef(`support_polyinstantiation', `
+		typeattribute $1_su_t mlsfileread;
+		typeattribute $1_su_t mlsfilewrite;
+		typeattribute $1_su_t mlsfileupgrade;
+		typeattribute $1_su_t mlsfiledowngrade;
+		typeattribute $1_su_t mlsprocsetsl;
+		# Su can polyinstantiate
+		polyinstantiater($1_su_t)
+		# Su has to unmount polyinstantiated directories (like home)
+		# that should not be polyinstantiated under the new user
+		allow $1_su_t fs_t:filesystem unmount;
+		# Su needs additional permission to mount over a previous mount
+		allow $1_su_t polymember:dir mounton;
+		')
+
 		# Caused by su - init scripts
 		dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };

@ -176,3 +195,4 @@ template(`su_per_userdomain_template',`
 		')
 		') dnl end TODO
 	')
+')
--- a/refpolicy/policy/modules/admin/sudo.if
+++ b/refpolicy/policy/modules/admin/sudo.if
@ -54,7 +54,7 @@ template(`sudo_per_userdomain_template',`
 	#

 	# Use capabilities.
-	allow $1_sudo_t self:capability { setuid setgid dac_override sys_resource };
+	allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource };
 	allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 	allow $1_sudo_t self:process { setexec setrlimit };
 	allow $1_sudo_t self:fd use;
--- a/refpolicy/policy/modules/apps/gpg.if
+++ b/refpolicy/policy/modules/apps/gpg.if
@ -75,7 +75,7 @@ template(`gpg_per_userdomain_template',`
 	allow $1_gpg_t self:capability { ipc_lock setuid };
 	allow { $2 $1_gpg_t } $1_gpg_t:process signal;
 	# setrlimit is for ulimit -c 0
-	allow $1_gpg_t self:process { setrlimit setcap };
+	allow $1_gpg_t self:process { setrlimit setcap setpgid };

 	allow $1_gpg_t self:fifo_file rw_file_perms;
 	allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
@ -84,9 +84,6 @@ template(`gpg_per_userdomain_template',`
 	allow $1_gpg_t $1_gpg_secret_t:file create_file_perms;
 	allow $1_gpg_t $1_gpg_secret_t:lnk_file create_lnk_perms;

-	allow $2 $1_gpg_secret_t:file getattr;
-	allow $2 $1_gpg_secret_t:dir rw_dir_perms;
-
 	corenet_tcp_sendrecv_all_if($1_gpg_t)
 	corenet_raw_sendrecv_all_if($1_gpg_t)
 	corenet_udp_sendrecv_all_if($1_gpg_t)
@ -97,6 +94,7 @@ template(`gpg_per_userdomain_template',`
 	corenet_udp_sendrecv_all_ports($1_gpg_t)
 	corenet_tcp_bind_all_nodes($1_gpg_t)
 	corenet_udp_bind_all_nodes($1_gpg_t)
+	corenet_tcp_connect_all_ports($1_gpg_t)

 	dev_read_rand($1_gpg_t)
 	dev_read_urand($1_gpg_t)
@ -108,8 +106,6 @@ template(`gpg_per_userdomain_template',`
 	files_read_etc_files($1_gpg_t)
 	files_read_usr_files($1_gpg_t)
 	files_dontaudit_search_var($1_gpg_t)
-	# should not need read access...
-	files_list_home($1_gpg_t)

 	libs_use_shared_libs($1_gpg_t)
 	libs_use_ld_so($1_gpg_t)
@ -122,54 +118,22 @@ template(`gpg_per_userdomain_template',`

 	userdom_use_user_terminals($1,$1_gpg_t)

-	# Legacy
-	tunable_policy(`allow_gpg_execstack',`
-		allow $1_gpg_t self:process execmem;
-		libs_legacy_use_shared_libs($1_gpg_t)
-		libs_legacy_use_ld_so($1_gpg_t)
-		miscfiles_legacy_read_localization($1_gpg_t)
-		# Not quite sure why this is needed... 
-		allow $1_gpg_t gpg_exec_t:file execmod;
-	')
-
-	tunable_policy(`use_nfs_home_dirs',`
-		fs_manage_nfs_dirs($1_gpg_t)
-		fs_manage_nfs_files($1_gpg_t)
-		fs_manage_nfs_symlinks($1_gpg_t)
-	')
-
-	tunable_policy(`use_samba_home_dirs',`
-		fs_manage_cifs_dirs($1_gpg_t)
-		fs_manage_cifs_files($1_gpg_t)
-		fs_manage_cifs_symlinks($1_gpg_t)
-	')
-
 	optional_policy(`nis.te',`
 		nis_use_ypbind($1_gpg_t)
 	')

 	ifdef(`TODO',`
+	# Read content to encrypt/decrypt/sign
+	read_content($1_gpg_t, $1)
+
+	# Write content to encrypt/decrypt/sign
+	write_trusted($1_gpg_t, $1)

 	ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;')

 	# allow ps to show gpg
 	can_ps($1_t, $1_gpg_t)

-	# use $1_gpg_secret_t for files it creates
-	# NB we are doing the type transition for directory creation only!
-	# so ~/.gnupg will be of $1_gpg_secret_t, then files created under it such as
-	# secring.gpg will be of $1_gpg_secret_t too.  But when you use gpg to decrypt
-	# a file and write output to your home directory it will use user_home_t.
-	file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_gpg_secret_t, dir)
-
-	file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_home_t, file)
-	create_dir_file($1_gpg_t, $1_home_t)
-
-	# allow the usual access to /tmp
-	file_type_auto_trans($1_gpg_t, tmp_t, $1_tmp_t)
-
-	rw_dir_create_file($1_gpg_t, $1_file_type)
-
 	') dnl end TODO

 	########################################
@ -210,6 +174,7 @@ template(`gpg_per_userdomain_template',`
 	corenet_udp_sendrecv_all_ports($1_gpg_helper_t)
 	corenet_tcp_bind_all_nodes($1_gpg_helper_t)
 	corenet_udp_bind_all_nodes($1_gpg_helper_t)
+	corenet_tcp_connect_all_ports($1_gpg_helper_t)

 	dev_read_urand($1_gpg_helper_t)

@ -233,8 +198,7 @@ template(`gpg_per_userdomain_template',`
 	ifdef(`TODO',`

 	ifdef(`xdm.te',`
-		dontaudit $1_gpg_t xdm_t:fd use;
-		dontaudit $1_gpg_t xdm_t:fifo_file read;
+		can_pipe_xdm($1_gpg_t)
 	')
 	') dnl end TODO

@ -296,8 +260,6 @@ template(`gpg_per_userdomain_template',`

 	ifdef(`TODO',`

-	allow $1_gpg_agent_t xdm_t:fd use;
-
 	# allow ps to show gpg-agent
 	can_ps($1_t, $1_gpg_agent_t)

@ -353,7 +315,6 @@ template(`gpg_per_userdomain_template',`
 		allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search;
 		allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write };
 		allow $1_gpg_pinentry_t xdm_xserver_t:unix_stream_socket connectto;
-		allow $1_gpg_pinentry_t xdm_t:fd use;
 	')

 	allow $1_gpg_pinentry_t { tmp_t home_root_t }:dir { getattr search };
--- a/refpolicy/policy/modules/kernel/filesystem.te
+++ b/refpolicy/policy/modules/kernel/filesystem.te
@ -62,10 +62,6 @@ type inotifyfs_t, filesystem_type;
 allow inotifyfs_t self:filesystem associate;
 genfscon inotifyfs / context_template(system_u:object_r:inotifyfs_t,s0)

-type mqueue_t, filesystem_type;
-files_mountpoint(mqueue_t)
-allow mqueue_t self:filesystem associate;
-
 type nfsd_fs_t, filesystem_type;
 genfscon nfsd / context_template(system_u:object_r:nfsd_fs_t,s0)

@ -86,12 +82,14 @@ genfscon rpc_pipefs / context_template(system_u:object_r:rpc_pipefs_t,s0)
 #
 type tmpfs_t, filesystem_type;
 files_type(tmpfs_t)
+files_mountpoint(tmpfs_t)

 # Use a transition SID based on the allocating task SID and the
 # filesystem SID to label inodes in the following filesystem types,
 # and label the filesystem itself with the specified context.
 # This is appropriate for pseudo filesystems like devpts and tmpfs
 # where we want to label objects with a derived type.
+fs_use_trans mqueue context_template(system_u:object_r:tmpfs_t,s0);
 fs_use_trans shm context_template(system_u:object_r:tmpfs_t,s0);
 fs_use_trans tmpfs context_template(system_u:object_r:tmpfs_t,s0);

--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@ -28,7 +28,7 @@ attribute sysctl_type;
 type kernel_t, can_load_kernmodule; # mlsprocread, mlsprocwrite, privrangetrans
 role system_r types kernel_t;
 domain_base_type(kernel_t)
-sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127)
+sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127, c0.c127)

 #
 # Procfs types
--- a/refpolicy/policy/modules/kernel/selinux.te
+++ b/refpolicy/policy/modules/kernel/selinux.te
@ -15,7 +15,7 @@ attribute can_setsecparam;
 # the permissions in the security class.  It is also
 # applied to selinuxfs inodes.
 #
-type security_t;
+type security_t; #, mlstrustedobject;
 fs_type(security_t)
 sid security context_template(system_u:object_r:security_t,s0)
 genfscon selinuxfs / context_template(system_u:object_r:security_t,s0)
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@ -91,6 +91,7 @@ template(`cron_per_userdomain_template',`
 	corenet_udp_sendrecv_all_ports($1_crond_t)
 	corenet_tcp_bind_all_nodes($1_crond_t)
 	corenet_udp_bind_all_nodes($1_crond_t)
+	corenet_tcp_connect_all_ports($1_crond_t)

 	dev_read_urand($1_crond_t)

@ -188,6 +189,8 @@ template(`cron_per_userdomain_template',`
 	# crontab signals crond by updating the mtime on the spooldir
 	allow $1_crontab_t cron_spool_t:dir setattr;

+	kernel_read_system_state($1_crontab_t)
+
 	# for the checks used by crontab -u
 	selinux_dontaudit_search_fs($1_crontab_t)

@ -210,7 +213,7 @@ template(`cron_per_userdomain_template',`

 	miscfiles_read_localization($1_crontab_t)

-	seutil_dontaudit_search_config($1_crontab_t)
+	seutil_read_config($1_crontab_t)

 	userdom_manage_user_tmp_dirs($1,$1_crontab_t)
 	userdom_manage_user_tmp_files($1,$1_crontab_t)
--- a/refpolicy/policy/modules/services/dbus.if
+++ b/refpolicy/policy/modules/services/dbus.if
@ -46,12 +46,13 @@ template(`dbus_per_userdomain_template',`
 	#

 	allow $1_dbusd_t self:process { getattr sigkill signal };
+	allow $1_dbusd_t self:file { getattr read write };
 	allow $1_dbusd_t self:dbus { send_msg acquire_svc };
 	allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
 	allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
 	allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
 	# Receive notifications of policy reloads and enforcing status changes.
-	allow $1_dbusd_t self:netlink_selinux_socket { create bind read };
+	allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;

 	# For connecting to the bus
 	allow $2 $1_dbusd_t:unix_stream_socket connectto;
@ -141,6 +142,12 @@ template(`dbus_per_userdomain_template',`
 	optional_policy(`nscd.te',`
 		nscd_use_socket($1_dbusd_t)
 	')
+
+	ifdef(`TODO',`
+	ifdef(`xdm.te', `
+	can_pipe_xdm($1_dbusd_t)
+	')
+	')
 ')

 #######################################
--- a/refpolicy/policy/modules/services/kerberos.fc
+++ b/refpolicy/policy/modules/services/kerberos.fc
@ -1,6 +1,10 @@
 /etc/krb5\.conf			--	context_template(system_u:object_r:krb5_conf_t,s0)
 /etc/krb5\.keytab			context_template(system_u:object_r:krb5_keytab_t,s0)

+/etc/krb5kdc(/.*)?			context_template(system_u:object_r:krb5kdc_conf_t,s0)
+/etc/krb5kdc/kadm5.keytab 	--	context_template(system_u:object_r:krb5_keytab_t,s0)
+/etc/krb5kdc/principal.*		context_template(system_u:object_r:krb5kdc_principal_t,s0)
+
 /usr(/local)?(/kerberos)?/sbin/krb5kdc -- context_template(system_u:object_r:krb5kdc_exec_t,s0)
 /usr(/local)?(/kerberos)?/sbin/kadmind -- context_template(system_u:object_r:kadmind_exec_t,s0)

@ -11,4 +15,4 @@
 /var/kerberos/krb5kdc/principal.*	context_template(system_u:object_r:krb5kdc_principal_t,s0)

 /var/log/krb5kdc\.log			context_template(system_u:object_r:krb5kdc_log_t,s0)
-/var/log/kadmind\.log			context_template(system_u:object_r:kadmind_log_t,s0)
+/var/log/kadmin(d)?\.log		context_template(system_u:object_r:kadmind_log_t,s0)
--- a/refpolicy/policy/modules/services/kerberos.if
+++ b/refpolicy/policy/modules/services/kerberos.if
@ -54,6 +54,7 @@ interface(`kerberos_use',`
 		corenet_udp_sendrecv_kerberos_port($1)
 		corenet_tcp_bind_all_nodes($1)
 		corenet_udp_bind_all_nodes($1)
+		corenet_tcp_connect_kerberos_port($1)
 		sysnet_read_config($1)
 		sysnet_dns_name_resolve($1)
 	')
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@ -70,6 +70,7 @@ template(`mta_per_userdomain_template',`
 	corenet_raw_sendrecv_all_nodes($1_mail_t)
 	corenet_tcp_sendrecv_all_ports($1_mail_t)
 	corenet_tcp_bind_all_nodes($1_mail_t)
+	corenet_tcp_connect_all_ports($1_mail_t)

 	domain_use_wide_inherit_fd($1_mail_t)

--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@ -110,6 +110,7 @@ template(`ssh_per_userdomain_template',`
 	corenet_raw_sendrecv_all_nodes($1_ssh_t)
 	corenet_tcp_sendrecv_all_ports($1_ssh_t)
 	corenet_tcp_bind_all_nodes($1_ssh_t)
+	corenet_tcp_connect_ssh_port($1_ssh_t)

 	dev_read_urand($1_ssh_t)

@ -132,6 +133,7 @@ template(`ssh_per_userdomain_template',`
 	files_read_usr_files($1_ssh_t)
 	files_read_etc_runtime_files($1_ssh_t)
 	files_read_etc_files($1_ssh_t)
+	files_read_var_files($1_ssh_t)

 	libs_use_ld_so($1_ssh_t)
 	libs_use_shared_libs($1_ssh_t)
@ -184,9 +186,6 @@ template(`ssh_per_userdomain_template',`
 	')

 	ifdef(`TODO',`
-	# Read /var.
-	allow $1_ssh_t var_t:dir r_dir_perms;
-	allow $1_ssh_t var_t:notdevfile_class_set r_file_perms;

 	# Read /var/run, /var/log.
 	allow $1_ssh_t var_run_t:dir r_dir_perms;
@ -215,32 +214,33 @@ template(`ssh_per_userdomain_template',`
 	# allow ps to show ssh
 	can_ps($1_t, $1_ssh_t)

-	ifdef(`xserver.te', `
-	# Communicate with the X server.
-	can_unix_connect($1_ssh_t, $1_xserver_t)
-	allow $1_ssh_t $1_xserver_tmp_t:sock_file rw_file_perms;
-	allow $1_ssh_t $1_xserver_tmp_t:dir search;
-	ifdef(`xdm.te', `
-	allow $1_ssh_t { xdm_xserver_tmp_t xdm_tmp_t }:dir search;
-	allow $1_ssh_t { xdm_tmp_t }:sock_file write;
-	')
-	')dnl end if xserver
+	# Connect to X server
+	x_client_domain($1_ssh, $1)

 	#allow ssh to access keys stored on removable media
 	# Should we have a boolean around this?
 	files_search_mnt($1_ssh_t)
 	r_dir_file($1_ssh_t, removable_t) 

-	ifdef(`xdm.te', `
-	# should be able to remove these two later
-	allow $1_ssh_t xdm_xserver_tmp_t:sock_file { read write };
-	allow $1_ssh_t xdm_xserver_tmp_t:dir search;
-	allow $1_ssh_t xdm_xserver_t:unix_stream_socket connectto;
-	allow $1_ssh_t xdm_xserver_t:shm r_shm_perms;
-	allow $1_ssh_t xdm_xserver_t:fd use;
-	allow $1_ssh_t xdm_xserver_tmpfs_t:file read;
-	allow $1_ssh_t xdm_t:fd use;
-	')dnl end if xdm.te
+	type $1_ssh_keysign_t, domain, nscd_client_domain;
+	role $1_r types $1_ssh_keysign_t;
+
+	if (allow_ssh_keysign) {
+	domain_auto_trans($1_ssh_t, ssh_keysign_exec_t, $1_ssh_keysign_t)
+	allow $1_ssh_keysign_t sshd_key_t:file { getattr read };
+	allow $1_ssh_keysign_t self:capability { setgid setuid };
+	allow $1_ssh_keysign_t urandom_device_t:chr_file r_file_perms;
+	uses_shlib($1_ssh_keysign_t)
+	dontaudit $1_ssh_keysign_t selinux_config_t:dir search;
+	dontaudit $1_ssh_keysign_t proc_t:dir search;
+	dontaudit $1_ssh_keysign_t proc_t:{ lnk_file file } { getattr read };
+	allow $1_ssh_keysign_t usr_t:dir search;
+	allow $1_ssh_keysign_t etc_t:file { getattr read };
+	allow $1_ssh_keysign_t self:dir search;
+	allow $1_ssh_keysign_t self:file { getattr read };
+	allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms;
+	}
+
 	') dnl endif TODO

 	##############################
@ -301,7 +301,7 @@ template(`ssh_per_userdomain_template',`

 	miscfiles_read_localization($1_ssh_agent_t)

-	seutil_dontaudit_search_config($1_ssh_agent_t)
+	seutil_dontaudit_read_config($1_ssh_agent_t)

 	# Write to the user domain tty.
 	userdom_use_user_terminals($1,$1_ssh_agent_t)
@ -325,14 +325,14 @@ template(`ssh_per_userdomain_template',`
 	')

 	optional_policy(`xdm.te', `
-		xdm_use_fd($1_ssh_agent_t)
-		xdm_rw_pipe($1_ssh_agent_t)
-
 		# KDM:
-		xdm_sigchld($1_ssh_agent_t)
+		#xdm_sigchld($1_ssh_agent_t)
 	')

 	ifdef(`TODO',`
+	ifdef(`xdm.te',`
+	can_pipe_xdm($1_ssh_agent_t)
+	')

 	# allow ps to show ssh
 	can_ps($1_t, $1_ssh_agent_t)
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@ -47,12 +47,14 @@ template(`authlogin_per_userdomain_template',`
 	role $3 types $1_chkpwd_t;
 	role $3 types system_chkpwd_t;

-	allow $1_chkpwd_t self:capability setuid;
+	allow $1_chkpwd_t self:capability { audit_write audit_control setuid };
 	allow $1_chkpwd_t self:process getattr;

 	files_list_etc($1_chkpwd_t)
 	allow $1_chkpwd_t shadow_t:file { getattr read };

+	allow $2 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
 	# Transition from the user domain to this domain.
 	domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)

@ -64,6 +66,9 @@ template(`authlogin_per_userdomain_template',`
 	# is_selinux_enabled
 	kernel_read_system_state($1_chkpwd_t)

+	dev_read_rand($1_chkpwd_t)
+	dev_read_urand($1_chkpwd_t)
+
 	fs_dontaudit_getattr_xattr_fs($1_chkpwd_t)

 	domain_use_wide_inherit_fd($1_chkpwd_t)
@ -82,6 +87,7 @@ template(`authlogin_per_userdomain_template',`
 	seutil_read_config($1_chkpwd_t)

 	sysnet_dns_name_resolve($1_chkpwd_t)
+	sysnet_use_ldap($1_chkpwd_t)

 	# Write to the user domain tty.
 	userdom_use_user_terminals($1,$1_chkpwd_t)
@ -93,17 +99,6 @@ template(`authlogin_per_userdomain_template',`
 		kerberos_use($1_chkpwd_t)
 	')

-	optional_policy(`ldap.te',`
-		allow $1_chkpwd_t self:tcp_socket create_socket_perms;
-		corenet_tcp_sendrecv_all_if($1_chkpwd_t)
-		corenet_raw_sendrecv_all_if($1_chkpwd_t)
-		corenet_tcp_sendrecv_all_nodes($1_chkpwd_t)
-		corenet_raw_sendrecv_all_nodes($1_chkpwd_t)
-		corenet_tcp_sendrecv_ldap_port($1_chkpwd_t)
-		corenet_tcp_bind_all_nodes($1_chkpwd_t)
-		sysnet_read_config($1_chkpwd_t)
-	')
-
 	optional_policy(`nis.te',`
 		nis_use_ypbind($1_chkpwd_t)
 	')
@ -115,6 +110,12 @@ template(`authlogin_per_userdomain_template',`
 	optional_policy(`selinuxutil.te',`
 		seutil_use_newrole_fd($1_chkpwd_t)
 	')
+
+	ifdef(`TODO',`
+	can_winbind($1)
+	r_dir_file($1, cert_t)
+	dontaudit $1 shadow_t:file { getattr read };
+	')
 ')

 ########################################
@ -221,6 +222,9 @@ interface(`auth_domtrans_chk_passwd',`
 	corecmd_search_sbin($1)
 	domain_auto_trans($1,chkpwd_exec_t,system_chkpwd_t)

+	allow $1 self:capability { audit_write audit_control };
+	allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
 	allow $1 system_chkpwd_t:fd use;
 	allow system_chkpwd_t $1:fd use;
 	allow system_chkpwd_t $1:fifo_file rw_file_perms;
@ -228,26 +232,25 @@ interface(`auth_domtrans_chk_passwd',`

 	dontaudit $1 shadow_t:file { getattr read };

+	dev_read_rand($1)
+	dev_read_urand($1)
+
 	sysnet_dns_name_resolve($1)
+	sysnet_use_ldap($1)

 	optional_policy(`kerberos.te',`
 		kerberos_use($1)
 	')

-	optional_policy(`ldap.te',`
-		allow $1 self:tcp_socket create_socket_perms;
-		corenet_tcp_sendrecv_all_if($1)
-		corenet_raw_sendrecv_all_if($1)
-		corenet_tcp_sendrecv_all_nodes($1)
-		corenet_raw_sendrecv_all_nodes($1)
-		corenet_tcp_sendrecv_ldap_port($1)
-		corenet_tcp_bind_all_nodes($1)
-		sysnet_read_config($1)
-	')
-
 	optional_policy(`nis.te',`
 		nis_use_ypbind($1)
 	')
+
+	ifdef(`TODO',`
+	can_winbind($1)
+	r_dir_file($1, cert_t)
+	dontaudit $1 shadow_t:file { getattr read };
+	')
 ')

 ########################################
--- a/refpolicy/policy/modules/system/corecommands.fc
+++ b/refpolicy/policy/modules/system/corecommands.fc
@ -46,11 +46,11 @@ ifdef(`targeted_policy',`
 #
 # /opt
 #
-/opt/.*/bin(/.*)?		context_template(system_u:object_r:bin_t,s0)
+/opt/(.*)?/bin(/.*)?		context_template(system_u:object_r:bin_t,s0)

-/opt/.*/libexec(/.*)?		context_template(system_u:object_r:bin_t,s0)
+/opt/(.*)?/libexec(/.*)?	context_template(system_u:object_r:bin_t,s0)

-/opt/.*/sbin(/.*)?		context_template(system_u:object_r:sbin_t,s0)
+/opt/(.*)?/sbin(/.*)?		context_template(system_u:object_r:sbin_t,s0)

 #
 # /usr
@ -70,13 +70,9 @@ ifdef(`distro_suse', `
 ')

 /usr/lib(64)?/sftp-server --	context_template(system_u:object_r:bin_t,s0)
-
 /usr/lib(64)?/emacsen-common/.*	context_template(system_u:object_r:bin_t,s0)
-
 /usr/lib(64)?/ipsec/.*	--	context_template(system_u:object_r:sbin_t,s0)
-
 /usr/lib(64)?/misc/sftp-server -- context_template(system_u:object_r:bin_t,s0)
-
 /usr/lib(64)?/news/bin(/.*)?	context_template(system_u:object_r:bin_t,s0)

 ifdef(`distro_suse', `
@ -85,8 +81,9 @@ ifdef(`distro_suse', `

 /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- context_template(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- context_template(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/[^/]*thunderbird[^/]*/run-mozilla\.sh -- context_template(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/[^/]*thunderbird[^/]*/mozilla-xremote-client -- context_template(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- context_template(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/[^/]*/run-mozilla\.sh -- context_template(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/[^/]*/mozilla-xremote-client -- context_template(system_u:object_r:bin_t,s0)

 /usr/libexec(/.*)?		context_template(system_u:object_r:bin_t,s0)
 /usr/libexec/openssh/sftp-server -- context_template(system_u:object_r:bin_t,s0)
@ -97,8 +94,8 @@ ifdef(`distro_suse', `

 /usr/share/gnucash/finance-quote-check -- context_template(system_u:object_r:bin_t,s0)
 /usr/share/gnucash/finance-quote-helper -- context_template(system_u:object_r:bin_t,s0)
-
 /usr/share/mc/extfs/.*	--	context_template(system_u:object_r:bin_t,s0)
+/usr/share/turboprint/lib(/.*)? -- context_template(system_u:object_r:bin_t,s0)

 #
 # /var
--- a/refpolicy/policy/modules/system/files.fc
+++ b/refpolicy/policy/modules/system/files.fc
@ -19,8 +19,8 @@ ifdef(`distro_redhat',`
 # /boot
 #
 /boot/\.journal			<<none>>
-
-/boot/lost\+found(/.*)?		context_template(system_u:object_r:lost_found_t,s0)
+/boot/lost\+found	-d	context_template(system_u:object_r:lost_found_t,s0)
+/boot/lost\+found/.*		<<none>>

 #
 # /etc
@ -66,7 +66,8 @@ ifdef(`distro_gentoo', `
 # HOME_ROOT expands to all valid home directory prefixes found in /etc/passwd
 HOME_ROOT		-d	context_template(system_u:object_r:home_root_t,s0)
 HOME_ROOT/\.journal		<<none>>
-HOME_ROOT/lost\+found(/.*)?	context_template(system_u:object_r:lost_found_t,s0)
+HOME_ROOT/lost\+found	-d	context_template(system_u:object_r:lost_found_t,s0)
+HOME_ROOT/lost\+found/.*	<<none>>

 #
 # /initrd
@ -77,7 +78,8 @@ HOME_ROOT/lost\+found(/.*)?	context_template(system_u:object_r:lost_found_t,s0)
 #
 # /lost+found
 #
-/lost\+found(/.*)?		context_template(system_u:object_r:lost_found_t,s0)
+/lost\+found		-d	context_template(system_u:object_r:lost_found_t,s0)
+/lost\+found/.*			<<none>>

 #
 # /media
@ -98,7 +100,7 @@ HOME_ROOT/lost\+found(/.*)?	context_template(system_u:object_r:lost_found_t,s0)
 #
 /opt(/.*)?			context_template(system_u:object_r:usr_t,s0)

-/opt/.*/var/lib(64)?(/.*)?	context_template(system_u:object_r:var_lib_t,s0)
+/opt/(.*)?/var/lib(64)?(/.*)?	context_template(system_u:object_r:var_lib_t,s0)

 #
 # /proc
@ -110,6 +112,11 @@ HOME_ROOT/lost\+found(/.*)?	context_template(system_u:object_r:lost_found_t,s0)
 #
 /selinux(/.*)?                  <<none>>

+#
+# /srv
+#
+/srv(/.*)?			context_template(system_u:object_r:var_t,s0)
+
 #
 # /sys
 #
@ -122,7 +129,8 @@ HOME_ROOT/lost\+found(/.*)?	context_template(system_u:object_r:lost_found_t,s0)
 /tmp/.*				<<none>>
 /tmp/\.journal			<<none>>

-/tmp/lost\+found(/.*)?		context_template(system_u:object_r:lost_found_t,s0)
+/tmp/lost\+found	-d	context_template(system_u:object_r:lost_found_t,s0)
+/tmp/lost\+found/.*		<<none>>

 #
 # /usr
@ -130,8 +138,6 @@ HOME_ROOT/lost\+found(/.*)?	context_template(system_u:object_r:lost_found_t,s0)
 /usr(/.*)?			context_template(system_u:object_r:usr_t,s0)
 /usr/\.journal			<<none>>

-/usr/lost\+found(/.*)?		context_template(system_u:object_r:lost_found_t,s0)
-
 /usr/etc(/.*)?			context_template(system_u:object_r:etc_t,s0)

 /usr/inclu.e(/.*)?		context_template(system_u:object_r:usr_t,s0)
@ -140,10 +146,14 @@ HOME_ROOT/lost\+found(/.*)?	context_template(system_u:object_r:lost_found_t,s0)

 /usr/local/etc(/.*)?		context_template(system_u:object_r:etc_t,s0)

-/usr/local/lost\+found(/.*)?	context_template(system_u:object_r:lost_found_t,s0)
+/usr/local/lost\+found	-d	context_template(system_u:object_r:lost_found_t,s0)
+/usr/local/lost\+found/.*	<<none>>

 /usr/local/src(/.*)?		context_template(system_u:object_r:src_t,s0)

+/usr/lost\+found	-d	context_template(system_u:object_r:lost_found_t,s0)
+/usr/lost\+found/.*		<<none>>
+
 /usr/share(/.*)?/lib(64)?(/.*)?	context_template(system_u:object_r:usr_t,s0)

 /usr/src(/.*)?			context_template(system_u:object_r:src_t,s0)
@ -167,7 +177,8 @@ HOME_ROOT/lost\+found(/.*)?	context_template(system_u:object_r:lost_found_t,s0)

 /var/lock(/.*)?			context_template(system_u:object_r:var_lock_t,s0)

-/var/lost\+found(/.*)?		context_template(system_u:object_r:lost_found_t,s0)
+/var/lost\+found	-d	context_template(system_u:object_r:lost_found_t,s0)
+/var/lost\+found/.*		<<none>>

 /var/run(/.*)?			context_template(system_u:object_r:var_run_t,s0)
 /var/run/.*\.*pid		<<none>>
@ -176,5 +187,6 @@ HOME_ROOT/lost\+found(/.*)?	context_template(system_u:object_r:lost_found_t,s0)

 /var/tmp		-d	context_template(system_u:object_r:tmp_t,s0)
 /var/tmp/.*			<<none>>
-
+/var/tmp/lost\+found	-d	context_template(system_u:object_r:lost_found_t,s0)
+/var/tmp/lost\+found/.*		<<none>>
 /var/tmp/vi\.recover	-d	context_template(system_u:object_r:tmp_t,s0)
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@ -73,15 +73,21 @@ interface(`files_pid_file',`
 ')

 ########################################
-#
-# files_tmp_file(type)
-#
+## <summary>
+##	Make the specified type a file
+##	used for temporary files.
+## </summary>
+## <param name="file_type">
+##	Type of the file to be used as a
+##	temporary file.
+## </param>
 interface(`files_tmp_file',`
 	gen_require(`
 		attribute tmpfile;
 	')

 	files_type($1)
+	fs_associate_tmpfs($1)
 	typeattribute $1 tmpfile;
 ')

--- a/refpolicy/policy/modules/system/libraries.fc
+++ b/refpolicy/policy/modules/system/libraries.fc
@ -15,8 +15,8 @@
 #
 # /opt
 #
-/opt/.*/lib(64)?(/.*)?				context_template(system_u:object_r:lib_t,s0)
-/opt/.*/lib(64)?/.*\.so(\.[^/]*)*	--	context_template(system_u:object_r:shlib_t,s0)
+/opt/(.*)?/lib(64)?(/.*)?			context_template(system_u:object_r:lib_t,s0)
+/opt/(.*)?/lib(64)?/.*\.so(\.[^/]*)*	--	context_template(system_u:object_r:shlib_t,s0)

 #
 # /sbin
@ -26,6 +26,10 @@
 #
 # /usr
 #
+/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* --	context_template(system_u:object_r:texrel_shlib_t,s0)
+
+/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)
+
 /usr(/.*)?/HelixPlayer/.*\.so(\.[^/]*)*	--	context_template(system_u:object_r:texrel_shlib_t,s0)

 /usr(/.*)?/java/.*\.so(\.[^/]*)*	--	context_template(system_u:object_r:texrel_shlib_t,s0)
@ -41,6 +45,10 @@

 /usr/lib/win32/.*			--	context_template(system_u:object_r:shlib_t,s0)

+/usr/(local/)?lib/wine/.*\.so  		--	context_template(system_u:object_r:texrel_shlib_t,s0)
+/usr/(local/)?lib/libfame-.*\.so.*	--	context_template(system_u:object_r:texrel_shlib_t,s0)
+/usr/local/.*\.so(\.[^/]*)*		--	context_template(system_u:object_r:shlib_t,s0)
+
 /usr/X11R6/lib/libGL\.so.* 		--	context_template(system_u:object_r:texrel_shlib_t,s0)
 /usr/X11R6/lib/libXvMCNVIDIA\.so.* 	--	context_template(system_u:object_r:texrel_shlib_t,s0)

--- a/refpolicy/policy/modules/system/logging.if
+++ b/refpolicy/policy/modules/system/logging.if
@ -1,8 +1,13 @@
 ## <summary>Policy for the kernel message logger and system logging daemon.</summary>

 #######################################
-#
-# logging_log_file(domain)
+## <summary>
+##	Make the specified type a file
+##	used for logs.
+## </summary>
+## <param name="file_type">
+##	Type of the file to be used as a log.
+## </param>
 #
 interface(`logging_log_file',`
 	gen_require(`
@ -10,6 +15,7 @@ interface(`logging_log_file',`
 	')

 	files_type($1)
+	fs_associate_tmpfs($1)
 	typeattribute $1 logfile;
 ')

--- a/refpolicy/policy/modules/system/lvm.fc
+++ b/refpolicy/policy/modules/system/lvm.fc
@ -8,23 +8,18 @@
 #
 /etc/lvm(/.*)?			context_template(system_u:object_r:lvm_etc_t,s0)
 /etc/lvm/\.cache	--	context_template(system_u:object_r:lvm_metadata_t,s0)
-
 /etc/lvm/archive(/.*)?		context_template(system_u:object_r:lvm_metadata_t,s0)
-
 /etc/lvm/backup(/.*)?		context_template(system_u:object_r:lvm_metadata_t,s0)
-
 /etc/lvm/lock(/.*)?		context_template(system_u:object_r:lvm_lock_t,s0)

 /etc/lvmtab(/.*)?		context_template(system_u:object_r:lvm_metadata_t,s0)
-
 /etc/lvmtab\.d(/.*)?		context_template(system_u:object_r:lvm_metadata_t,s0)

 #
 # /lib
 #
-/lib/lvm-10(/.*)	--	context_template(system_u:object_r:lvm_exec_t,s0)
-
-/lib/lvm-200(/.*)	--	context_template(system_u:object_r:lvm_exec_t,s0)
+/lib/lvm-10/.*		--	context_template(system_u:object_r:lvm_exec_t,s0)
+/lib/lvm-200/.*		--	context_template(system_u:object_r:lvm_exec_t,s0)

 #
 # /sbin
@ -50,6 +45,7 @@
 /sbin/lvresize		--	context_template(system_u:object_r:lvm_exec_t,s0)
 /sbin/lvs		--	context_template(system_u:object_r:lvm_exec_t,s0)
 /sbin/lvscan		--	context_template(system_u:object_r:lvm_exec_t,s0)
+/sbin/multipathd	--	context_template(system_u:object_r:lvm_exec_t,s0)
 /sbin/pvchange		--	context_template(system_u:object_r:lvm_exec_t,s0)
 /sbin/pvcreate		--	context_template(system_u:object_r:lvm_exec_t,s0)
 /sbin/pvdata		--	context_template(system_u:object_r:lvm_exec_t,s0)
@ -82,9 +78,12 @@
 #
 # /usr
 #
+/usr/sbin/clvmd		--	context_template(system_u:object_r:clvmd_exec_t,s0)
 /usr/sbin/lvm		--	context_template(system_u:object_r:lvm_exec_t,s0)

 #
 # /var
 #
 /var/lock/lvm(/.*)?		context_template(system_u:object_r:lvm_lock_t,s0)
+
+/var/cache/multipathd(/.*)?	context_template(system_u:object_r:lvm_metadata_t,s0)
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@ -6,6 +6,13 @@ policy_module(lvm,1.0)
 # Declarations
 #

+type clvmd_t;
+type clvmd_exec_t;
+init_daemon_domain(clvmd_t,clvmd_exec_t)
+
+type clvmd_var_run_t;
+files_pid_file(clvmd_var_run_t)
+
 type lvm_t;
 type lvm_exec_t;
 init_system_domain(lvm_t,lvm_exec_t)
@ -28,7 +35,91 @@ files_tmp_file(lvm_tmp_t)

 ########################################
 #
-# Local policy
+# Cluster LVM daemon local policy
+#
+
+dontaudit clvmd_t self:capability sys_tty_config;
+allow clvmd_t self:socket create_socket_perms;
+allow clvmd_t self:fifo_file { read write };
+allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow clvmd_t self:tcp_socket create_stream_socket_perms;
+allow clvmd_t self:udp_socket create_socket_perms;
+
+allow clvmd_t clvmd_var_run_t:file create_file_perms;
+allow clvmd_t clvmd_var_run_t:dir rw_dir_perms;
+files_create_pid(clvmd_t,clvmd_var_run_t)
+
+kernel_read_kernel_sysctl(clvmd_t)
+kernel_list_proc(clvmd_t)
+kernel_read_proc_symlinks(clvmd_t)
+
+corenet_tcp_sendrecv_all_if(clvmd_t)
+corenet_udp_sendrecv_all_if(clvmd_t)
+corenet_raw_sendrecv_all_if(clvmd_t)
+corenet_tcp_sendrecv_all_nodes(clvmd_t)
+corenet_udp_sendrecv_all_nodes(clvmd_t)
+corenet_raw_sendrecv_all_nodes(clvmd_t)
+corenet_tcp_sendrecv_all_ports(clvmd_t)
+corenet_udp_sendrecv_all_ports(clvmd_t)
+corenet_tcp_bind_all_nodes(clvmd_t)
+corenet_udp_bind_all_nodes(clvmd_t)
+corenet_tcp_bind_reserved_port(clvmd_t)
+corenet_dontaudit_tcp_bind_all_reserved_ports(clvmd_t)
+
+dev_read_sysfs(clvmd_t)
+
+fs_getattr_all_fs(clvmd_t)
+fs_search_auto_mountpoints(clvmd_t)
+
+term_dontaudit_use_console(clvmd_t)
+
+domain_use_wide_inherit_fd(clvmd_t)
+
+init_use_fd(clvmd_t)
+init_use_script_pty(clvmd_t)
+
+libs_use_ld_so(clvmd_t)
+libs_use_shared_libs(clvmd_t)
+
+logging_send_syslog_msg(clvmd_t)
+
+miscfiles_read_localization(clvmd_t)
+
+seutil_dontaudit_search_config(clvmd_t)
+seutil_sigchld_newrole(clvmd_t)
+
+sysnet_read_config(clvmd_t)
+
+userdom_dontaudit_use_unpriv_user_fd(clvmd_t)
+userdom_dontaudit_search_sysadm_home_dir(clvmd_t)
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_tty(clvmd_t)
+	term_dontaudit_use_generic_pty(clvmd_t)
+	files_dontaudit_read_root_file(clvmd_t)
+')
+
+optional_policy(`mount.te',`
+	mount_send_nfs_client_request(clvmd_t)
+')
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(clvmd_t)
+')
+
+optional_policy(`udev.te', `
+	udev_read_db(clvmd_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+	rhgb_domain(clvmd_t)
+')
+') dnl end TODO
+
+########################################
+#
+# LVM Local policy
 #

 # DAC overrides and mknod for modifying /dev entries (vgmknodes)
@ -167,13 +258,10 @@ optional_policy(`udev.te', `
 ')

 ifdef(`TODO',`
-
 optional_policy(`gnome-pty-helper.te', `
 	allow lvm_t sysadm_gph_t:fd use;
 ')
-
 optional_policy(`rhgb.te',`
 rhgb_domain(lvm_t)
 ')
-
 ') dnl end TODO
--- a/refpolicy/policy/modules/system/miscfiles.fc
+++ b/refpolicy/policy/modules/system/miscfiles.fc
@ -1,13 +1,15 @@
-
 #
 # /etc
 #
 /etc/localtime		--	context_template(system_u:object_r:locale_t,s0)
+/etc/pki(/.*)?			context_template(system_u:object_r:cert_t,s0)

 #
 # /opt
 #
-/opt/.*/man(/.*)?		context_template(system_u:object_r:man_t,s0)
+/opt/(.*)?/man(/.*)?		context_template(system_u:object_r:man_t,s0)
+
+/srv/([^/]*/)?rsync(/.*)?	context_template(system_u:object_r:ftpd_anon_t,s0)

 #
 # /usr
--- a/refpolicy/policy/modules/system/miscfiles.te
+++ b/refpolicy/policy/modules/system/miscfiles.te
@ -25,6 +25,9 @@ files_type(fonts_t)
 type ftpd_anon_t; #, customizable;
 files_type(ftpd_anon_t)

+type ftpd_anon_rw_t; #, customizable;
+files_type(ftpd_anon_rw_t)
+
 #
 # type for /tmp/.ICE-unix
 #
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@ -181,8 +181,7 @@ userdom_use_all_user_fd(load_policy_t)
 # Newrole local policy
 #

-allow newrole_t self:capability { setuid setgid net_bind_service dac_override };
-
+allow newrole_t self:capability { fowner setuid setgid dac_override };
 allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow newrole_t self:process setexec;
 allow newrole_t self:fd use;
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@ -41,10 +41,12 @@ template(`base_user_template',`
 	# type for contents of home directory
 	type $1_home_t, $1_file_type, home_type;
 	files_type($1_home_t)
+	fs_associate_tmpfs($1_home_t)

 	# type of home directory
 	type $1_home_dir_t, home_dir_type, home_type;
 	files_type($1_home_dir_t)
+	fs_associate_tmpfs($1_home_dir_t)

 	type $1_tmp_t, $1_file_type;
 	files_tmp_file($1_tmp_t)
--- a/refpolicy/policy/support/misc_macros.spt
+++ b/refpolicy/policy/support/misc_macros.spt
@ -13,19 +13,14 @@ define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')

 ########################################
 #
-# gen_user(username, role_set, mls_defaultlevel, mls_range)
+# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories])
 #
-define(`gen_user',`
-user $1 roles { $2 } ifdef(`enable_mls', `level $3 range $4');
-')
+define(`gen_user',`user $1 roles { $2 }`'ifdef(`enable_mls', ` level $3 range $4')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$5',,,` - s0:$5')');')

 ########################################
 #
 # gen_con(context,mls_sensitivity,[mcs_categories])
 #
-# MLS: Optionally put the sensitivity for the file
-# MCS: Optionally put the categories of the file
-#
 define(`context_template',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')') dnl

 ########################################
--- a/refpolicy/policy/systemuser
+++ b/refpolicy/policy/systemuser
@ -4,11 +4,8 @@
 #

 #
-# gen_user(username, role_set, mls_defaultlevel, mls_range)
+# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories])
 #
-define(`gen_user',`
-user $1 roles { $2 } ifdef(`enable_mls', `level $3 range $4');
-')

 #
 # system_u is the user identity for system processes and objects.
@ -16,7 +13,7 @@ user $1 roles { $2 } ifdef(`enable_mls', `level $3 range $4');
 # and a user process should never be assigned the system user
 # identity.
 #
-gen_user(system_u, system_r, s0, s0 - s9:c0.c127)
+gen_user(system_u, system_r, s0, s0 - s9:c0.c127, c0.c127)

 # Normal users should not be added to this file,
 # but instead added to the users file.
--- a/refpolicy/policy/users
+++ b/refpolicy/policy/users
@ -5,7 +5,7 @@
 #

 #
-# gen_user(username, role_set, mls_defaultlevel, mls_range)
+# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
 #

 #
@ -29,11 +29,11 @@ gen_user(user_u, user_r, s0, s0 - s9:c0.c127)
 # not in the sysadm_r.
 #
 ifdef(`targeted_policy',`
-	gen_user(root, user_r sysadm_r system_r, s0, s0 - s9:c0.c127)
+	gen_user(root, user_r sysadm_r system_r, s0, s0 - s9:c0.c127, c0.c127)
 ',`
 	ifdef(`direct_sysadm_daemon',`
-		gen_user(root, sysadm_r staff_r system_r, s0, s0 - s9:c0.c127)
+		gen_user(root, sysadm_r staff_r system_r, s0, s0 - s9:c0.c127, c0.c127)
 	',`
-		gen_user(root, sysadm_r staff_r, s0, s0 - s9:c0.c127)
+		gen_user(root, sysadm_r staff_r, s0, s0 - s9:c0.c127, c0.c127)
 	')
 ')
--- a/strict/assert.te
+++ b/strict/assert.te
@ -30,58 +30,52 @@ neverallow domain ~domain:process { transition dyntransition };
 # Verify that only the insmod_t and kernel_t domains 
 # have the sys_module capability.
 #
-neverallow {domain -unrestricted -insmod_t -kernel_t ifdef(`howl.te', `-howl_t') } self:capability sys_module;
+neverallow {domain -privsysmod -unrestricted } self:capability sys_module;

 #
 # Verify that executable types, the system dynamic loaders, and the
 # system shared libraries can only be modified by administrators.
 #
-neverallow {domain  -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin} { exec_type ld_so_t shlib_t }:file { write append unlink rename };
-neverallow {domain  ifdef(`ldconfig.te', `-ldconfig_t') -change_context -admin } { exec_type ld_so_t shlib_t }:file relabelto;
+neverallow {domain  -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin -unrestricted } { exec_type ld_so_t shlib_t }:file { write append unlink rename };
+neverallow {domain  ifdef(`ldconfig.te', `-ldconfig_t') -change_context -admin -unrestricted } { exec_type ld_so_t shlib_t }:file relabelto;

 #
 # Verify that only appropriate domains can access /etc/shadow
-neverallow { domain -auth -auth_write } shadow_t:file ~getattr;
-neverallow { domain -auth_write } shadow_t:file ~r_file_perms;
+neverallow { domain -auth_bool -auth -auth_write -unrestricted } shadow_t:file ~getattr;
+neverallow { domain -auth_write -unrestricted } shadow_t:file ~r_file_perms;

 #
 # Verify that only appropriate domains can write to /etc (IE mess with
 # /etc/passwd)
-neverallow {domain -auth_write -etc_writer } etc_t:dir ~rw_dir_perms;
-neverallow {domain -auth_write -etc_writer } etc_t:lnk_file ~r_file_perms;
-neverallow {domain -auth_write -etc_writer } etc_t:file ~{ execute_no_trans rx_file_perms };
+neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:dir ~rw_dir_perms;
+neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:lnk_file ~r_file_perms;
+neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:file ~{ execute_no_trans rx_file_perms };

 #
 # Verify that other system software can only be modified by administrators.
 #
-neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin } { lib_t bin_t sbin_t }:dir { add_name remove_name rename };
-neverallow { domain -kernel_t -admin } { lib_t bin_t sbin_t }:file { write append unlink rename };
+neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin -unrestricted } { lib_t bin_t sbin_t }:dir { add_name remove_name rename };
+neverallow { domain -kernel_t -admin -unrestricted } { lib_t bin_t sbin_t }:file { write append unlink rename };

 #
 # Verify that only certain domains have access to the raw disk devices.
 #
-neverallow { domain -fs_domain } fixed_disk_device_t:devfile_class_set { read write append };
+neverallow { domain -fs_domain -unrestricted } fixed_disk_device_t:devfile_class_set { read write append };

 #
 # Verify that only the X server and klogd have access to memory devices.
 #
-neverallow { domain -privmem } memory_device_t:devfile_class_set { read write append };
+neverallow { domain -privmem -unrestricted } memory_device_t:devfile_class_set { read write append };

 #
 # Verify that only domains with the privlog attribute can actually syslog
 #
-neverallow { domain -unrestricted -privlog } devlog_t:sock_file { read write append };
+neverallow { domain -privlog -unrestricted } devlog_t:sock_file { read write append };

 #
 # Verify that /proc/kmsg is only accessible to klogd.
 #
-ifdef(`klogd.te', `
-neverallow {domain -unrestricted -klogd_t } proc_kmsg_t:file ~stat_file_perms;
-', `
-ifdef(`syslogd.te', `
-neverallow {domain -unrestricted -syslogd_t } proc_kmsg_t:file ~stat_file_perms;
-')dnl end if syslogd
-')dnl end if klogd
+neverallow {domain -privkmsg -unrestricted } proc_kmsg_t:file ~stat_file_perms;

 #
 # Verify that /proc/kcore is inaccessible.
@ -93,14 +87,14 @@ neverallow { domain -unrestricted } proc_kcore_t:file ~stat_file_perms;
 # Verify that sysctl variables are only changeable
 # by initrc and administrators.
 #
-neverallow { domain -initrc_t -admin -kernel_t -insmod_t } sysctl_t:file { write append };
-neverallow { domain -initrc_t -admin } sysctl_fs_t:file { write append };
-neverallow { domain -admin -sysctl_kernel_writer } sysctl_kernel_t:file { write append };
-neverallow { domain -initrc_t -admin -sysctl_net_writer } sysctl_net_t:file { write append };
-neverallow { domain -initrc_t -admin } sysctl_net_unix_t:file { write append };
-neverallow { domain -initrc_t -admin } sysctl_vm_t:file { write append };
-neverallow { domain -initrc_t -admin } sysctl_dev_t:file { write append };
-neverallow { domain -initrc_t -admin } sysctl_modprobe_t:file { write append };
+neverallow { domain -initrc_t -admin -kernel_t -insmod_t -unrestricted } sysctl_t:file { write append };
+neverallow { domain -initrc_t -admin -unrestricted } sysctl_fs_t:file { write append };
+neverallow { domain -admin -sysctl_kernel_writer -unrestricted } sysctl_kernel_t:file { write append };
+neverallow { domain -initrc_t -admin -sysctl_net_writer -unrestricted } sysctl_net_t:file { write append };
+neverallow { domain -initrc_t -admin -unrestricted } sysctl_net_unix_t:file { write append };
+neverallow { domain -initrc_t -admin -unrestricted } sysctl_vm_t:file { write append };
+neverallow { domain -initrc_t -admin -unrestricted } sysctl_dev_t:file { write append };
+neverallow { domain -initrc_t -admin -unrestricted } sysctl_modprobe_t:file { write append };

 #
 # Verify that certain domains are limited to only being
@ -146,13 +140,13 @@ neverallow { passwd_t sysadm_passwd_t } ~{ bin_t sbin_t shell_exec_t ld_so_t }:f
 #
 # Verify that only the admin domains and initrc_t have setenforce.
 #
-neverallow { domain -admin -initrc_t } security_t:security setenforce;
+neverallow { domain -secadmin -initrc_t -unrestricted } security_t:security setenforce;

 #
 # Verify that only the kernel and load_policy_t have load_policy.
 #

-neverallow { domain -unrestricted -kernel_t -load_policy_t } security_t:security load_policy;
+neverallow { domain -kernel_t -load_policy_t -unrestricted } security_t:security load_policy;

 #
 # for gross mistakes in policy
--- a/strict/attrib.te
+++ b/strict/attrib.te
@ -141,6 +141,10 @@ attribute privhome;
 # to read /etc/shadow, and grants the permission.
 attribute auth;

+# The auth_bool attribute identifies every domain that can 
+# read /etc/shadow if its boolean is set;
+attribute auth_bool;
+
 # The auth_write attribute identifies every domain that can have write or
 # relabel access to /etc/shadow, but does not grant it.
 attribute auth_write;
@ -180,6 +184,12 @@ attribute sysctl_type;
 # XXX used in different assertions within assert.te.
 attribute admin;

+# The secadmin attribute identifies every security administrator domain.
+# It is used in TE assertions when verifying that only administrator 
+# domains have certain permissions.  
+# This attribute is presently associated with sysadm_t and secadm_t
+attribute secadmin;
+
 # The userdomain attribute identifies every user domain, presently
 # user_t and sysadm_t.  It is used in TE rules that should be applied
 # to all user domains.
@ -454,3 +464,18 @@ attribute transitionbool;
 # of the file system.
 attribute customizable;

+##############################
+# Attributes for polyinstatiation support:
+#
+
+# For labeling types that are to be polyinstantiated
+attribute polydir;
+
+# And for labeling the parent directories of those polyinstantiated directories
+# This is necessary for remounting the original in the parent to give
+# security aware apps access
+attribute polyparent;
+
+# And labeling for the member directories
+attribute polymember;
+
--- a/strict/domains/program/lvm.te
+++ b/strict/domains/program/lvm.te
@ -121,3 +121,16 @@ r_dir_file(lvm_t, selinux_config_t)

 # it has no reason to need this
 dontaudit lvm_t proc_kcore_t:file getattr;
+
+# cluster LVM daemon
+daemon_domain(clvmd)
+can_network(clvmd_t)
+can_ypbind(clvmd_t)
+allow clvmd_t self:capability net_bind_service;
+allow clvmd_t self:socket create_socket_perms;
+allow clvmd_t self:fifo_file { read write };
+allow clvmd_t self:file { getattr read };
+allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow clvmd_t reserved_port_t:tcp_socket name_bind;
+dontaudit clvmd_t reserved_port_type:tcp_socket name_bind;
+dontaudit clvmd_t selinux_config_t:dir search;
--- a/strict/domains/program/snmpd.te
+++ b/strict/domains/program/snmpd.te
@ -8,7 +8,7 @@
 #
 # Rules for the snmpd_t domain.
 #
-daemon_domain(snmpd)
+daemon_domain(snmpd, `, nscd_client_domain')

 #temp
 allow snmpd_t var_t:dir getattr;
@ -16,17 +16,14 @@ allow snmpd_t var_t:dir getattr;
 can_network_server(snmpd_t)
 can_ypbind(snmpd_t)

-type snmp_port_t, port_type, reserved_port_type;
 allow snmpd_t snmp_port_t:{ udp_socket tcp_socket } name_bind;

 etc_domain(snmpd)
-typealias snmpd_etc_t alias etc_snmpd_t;

 # for the .index file
 var_lib_domain(snmpd)
 file_type_auto_trans(snmpd_t, var_t, snmpd_var_lib_t, dir)
 file_type_auto_trans(snmpd_t, { usr_t var_t }, snmpd_var_lib_t, file)
-typealias snmpd_var_lib_t alias snmpd_var_rw_t;

 log_domain(snmpd)
 # for /usr/share/snmp/mibs
@ -39,13 +36,15 @@ allow snmpd_t self:unix_dgram_socket create_socket_perms;
 allow snmpd_t self:unix_stream_socket create_socket_perms;
 allow snmpd_t etc_t:lnk_file read;
 allow snmpd_t { etc_t etc_runtime_t }:file r_file_perms;
-allow snmpd_t urandom_device_t:chr_file read;
+allow snmpd_t { random_device_t urandom_device_t }:chr_file { getattr read };
 allow snmpd_t self:capability { dac_override kill net_bind_service net_admin sys_nice sys_tty_config };

 allow snmpd_t proc_t:dir search;
 allow snmpd_t proc_t:file r_file_perms;
 allow snmpd_t self:file { getattr read };
-allow snmpd_t self:fifo_file { read write };
+allow snmpd_t self:fifo_file rw_file_perms;
+allow snmpd_t { bin_t sbin_t }:dir search;
+can_exec(snmpd_t, { bin_t sbin_t shell_exec_t })

 ifdef(`distro_redhat', `
 ifdef(`rpm.te', `
@ -61,6 +60,9 @@ dontaudit snmpd_t initrc_var_run_t:file write;
 dontaudit snmpd_t rpc_pipefs_t:dir getattr;
 allow snmpd_t rpc_pipefs_t:dir getattr;
 read_sysctl(snmpd_t)
+allow snmpd_t sysctl_net_t:dir search;
+allow snmpd_t sysctl_net_t:file { getattr read };
+
 dontaudit snmpd_t { removable_device_t fixed_disk_device_t }:blk_file { getattr ioctl read };
 allow snmpd_t sysfs_t:dir { getattr read search };
 ifdef(`amanda.te', `
@ -75,6 +77,7 @@ allow snmpd_t var_lib_nfs_t:dir search;
 allow snmpd_t proc_net_t:dir search;
 allow snmpd_t proc_net_t:file r_file_perms;

-dontaudit snmpd_t domain:dir { getattr search };
+allow snmpd_t domain:dir { getattr search };
+allow snmpd_t domain:file { getattr read };

 dontaudit snmpd_t selinux_config_t:dir search;
--- a/strict/file_contexts/program/kerberos.fc
+++ b/strict/file_contexts/program/kerberos.fc
@ -9,3 +9,12 @@
 /var/log/krb5kdc\.log			system_u:object_r:krb5kdc_log_t
 /var/log/kadmind\.log			system_u:object_r:kadmind_log_t
 /usr(/local)?/bin/ksu		--	system_u:object_r:su_exec_t
+
+# gentoo file locations
+/usr/sbin/krb5kdc			--	system_u:object_r:krb5kdc_exec_t
+/usr/sbin/kadmind			--	system_u:object_r:kadmind_exec_t
+/etc/krb5kdc(/.*)?				system_u:object_r:krb5kdc_conf_t
+/etc/krb5kdc/principal.*		system_u:object_r:krb5kdc_principal_t
+/etc/krb5kdc/kadm5.keytab 	--	system_u:object_r:krb5_keytab_t
+/var/log/kadmin.log			--	system_u:object_r:kadmind_log_t
+
--- a/strict/file_contexts/program/lvm.fc
+++ b/strict/file_contexts/program/lvm.fc
@ -13,8 +13,8 @@
 /var/lock/lvm(/.*)?		system_u:object_r:lvm_lock_t
 /dev/lvm		-c	system_u:object_r:fixed_disk_device_t
 /dev/mapper/control	-c	system_u:object_r:lvm_control_t
-/lib/lvm-10(/.*)	--	system_u:object_r:lvm_exec_t
-/lib/lvm-200(/.*)	--	system_u:object_r:lvm_exec_t
+/lib/lvm-10/.*		--	system_u:object_r:lvm_exec_t
+/lib/lvm-200/.*		--	system_u:object_r:lvm_exec_t
 /sbin/e2fsadm		--	system_u:object_r:lvm_exec_t
 /sbin/lvchange		--	system_u:object_r:lvm_exec_t
 /sbin/lvcreate		--	system_u:object_r:lvm_exec_t
@ -64,3 +64,6 @@
 /sbin/pvremove     --      system_u:object_r:lvm_exec_t
 /sbin/pvs          --      system_u:object_r:lvm_exec_t
 /sbin/vgs          --      system_u:object_r:lvm_exec_t
+/sbin/multipathd   --      system_u:object_r:lvm_exec_t
+/var/cache/multipathd(/.*)? system_u:object_r:lvm_metadata_t
+/usr/sbin/clvmd   --      system_u:object_r:clvmd_exec_t
--- a/strict/file_contexts/program/rsync.fc
+++ b/strict/file_contexts/program/rsync.fc
@ -1,2 +1,3 @@
 # rsync program
 /usr/bin/rsync	--	system_u:object_r:rsync_exec_t
+/srv/([^/]*/)?rsync(/.*)?	system_u:object_r:ftpd_anon_t
--- a/strict/file_contexts/types.fc
+++ b/strict/file_contexts/types.fc
@ -261,13 +261,13 @@ ifdef(`distro_suse', `
 # /opt
 #
 /opt(/.*)?			system_u:object_r:usr_t
-/opt/.*/lib(64)?(/.*)?				system_u:object_r:lib_t
-/opt/.*/lib(64)?/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
-/opt/.*/libexec(/.*)?	system_u:object_r:bin_t
-/opt/.*/bin(/.*)?		system_u:object_r:bin_t
-/opt/.*/sbin(/.*)?		system_u:object_r:sbin_t
-/opt/.*/man(/.*)?		system_u:object_r:man_t
-/opt/.*/var/lib(64)?(/.*)?		system_u:object_r:var_lib_t
+/opt(/.*)?/lib(64)?(/.*)?				system_u:object_r:lib_t
+/opt(/.*)?/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
+/opt(/.*)?/libexec(/.*)?	system_u:object_r:bin_t
+/opt(/.*)?/bin(/.*)?		system_u:object_r:bin_t
+/opt(/.*)?/sbin(/.*)?		system_u:object_r:sbin_t
+/opt(/.*)?/man(/.*)?		system_u:object_r:man_t
+/opt(/.*)?/var/lib(64)?(/.*)?		system_u:object_r:var_lib_t

 #
 # /etc
@ -359,7 +359,9 @@ ifdef(`distro_gentoo', `

 # nvidia share libraries
 /usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t
+/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t
 /usr(/.*)?/nvidia/.*\.so(\..*)?	-- system_u:object_r:texrel_shlib_t
+/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)*	--	system_u:object_r:texrel_shlib_t
 /usr/X11R6/lib/libXvMCNVIDIA\.so.* 	-- system_u:object_r:texrel_shlib_t

 # libGL
@ -385,6 +387,10 @@ ifdef(`distro_gentoo', `
 /usr/local/etc(/.*)?		system_u:object_r:etc_t
 /usr/local/src(/.*)?		system_u:object_r:src_t
 /usr/local/man(/.*)?		system_u:object_r:man_t
+/usr/local/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
+/usr/(local/)?lib/wine/.*\.so   --	system_u:object_r:texrel_shlib_t
+/usr/(local/)?lib/libfame-.*\.so.*    --	system_u:object_r:texrel_shlib_t
+

 #
 # /usr/X11R6/man
@ -442,13 +448,22 @@ HOME_ROOT/\.journal		<<none>>
 #
 # Lost and found directories.
 #
-/lost\+found(/.*)?		system_u:object_r:lost_found_t
-/usr/lost\+found(/.*)?		system_u:object_r:lost_found_t
-/boot/lost\+found(/.*)?		system_u:object_r:lost_found_t
-HOME_ROOT/lost\+found(/.*)?	system_u:object_r:lost_found_t
-/var/lost\+found(/.*)?		system_u:object_r:lost_found_t
-/tmp/lost\+found(/.*)?		system_u:object_r:lost_found_t
-/usr/local/lost\+found(/.*)?	system_u:object_r:lost_found_t
+/lost\+found		-d	system_u:object_r:lost_found_t
+/lost\+found/.*			<<none>>
+/usr/lost\+found	-d	system_u:object_r:lost_found_t
+/usr/lost\+found/.*		<<none>>
+/boot/lost\+found	-d	system_u:object_r:lost_found_t
+/boot/lost\+found/.*		<<none>>
+HOME_ROOT/lost\+found	-d	system_u:object_r:lost_found_t
+HOME_ROOT/lost\+found/.*	<<none>>
+/var/lost\+found	-d	system_u:object_r:lost_found_t
+/var/lost\+found/.*		<<none>>
+/tmp/lost\+found	-d	system_u:object_r:lost_found_t
+/tmp/lost\+found/.*		<<none>>
+/var/tmp/lost\+found	-d	system_u:object_r:lost_found_t
+/var/tmp/lost\+found/.*		<<none>>
+/usr/local/lost\+found	-d	system_u:object_r:lost_found_t
+/usr/local/lost\+found/.*	<<none>>

 #
 # system localization
@ -458,6 +473,7 @@ HOME_ROOT/lost\+found(/.*)?	system_u:object_r:lost_found_t
 /usr/lib/locale(/.*)?		system_u:object_r:locale_t
 /etc/localtime		--	system_u:object_r:locale_t
 /etc/localtime		-l	system_u:object_r:etc_t
+/etc/pki(/.*)?				system_u:object_r:cert_t

 #
 # Gnu Cash
@ -465,6 +481,11 @@ HOME_ROOT/lost\+found(/.*)?	system_u:object_r:lost_found_t
 /usr/share/gnucash/finance-quote-check -- system_u:object_r:bin_t
 /usr/share/gnucash/finance-quote-helper -- system_u:object_r:bin_t

+#
+# Turboprint
+#
+/usr/share/turboprint/lib(/.*)? 	--     system_u:object_r:bin_t
+
 #
 # initrd mount point, only used during boot
 #
@ -481,5 +502,12 @@ HOME_ROOT/lost\+found(/.*)?	system_u:object_r:lost_found_t
 #
 /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird --      system_u:object_r:bin_t
 /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- system_u:object_r:bin_t
-/usr/lib(64)?/[^/]*thunderbird[^/]*/run-mozilla\.sh -- system_u:object_r:bin_t
-/usr/lib(64)?/[^/]*thunderbird[^/]*/mozilla-xremote-client -- system_u:object_r:bin_t
+/usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- system_u:object_r:bin_t
+/usr/lib(64)?/[^/]*/run-mozilla\.sh -- system_u:object_r:bin_t
+/usr/lib(64)?/[^/]*/mozilla-xremote-client -- system_u:object_r:bin_t
+
+#
+# /srv
+#
+/srv(/.*)?			system_u:object_r:var_t
+
--- a/strict/macros/program/chkpwd_macros.te
+++ b/strict/macros/program/chkpwd_macros.te
@ -17,30 +17,25 @@ define(`chkpwd_domain',`
 # Derived domain based on the calling user domain and the program.
 type $1_chkpwd_t, domain, privlog, nscd_client_domain, auth;

+role $1_r types $1_chkpwd_t;
+
 # is_selinux_enabled
 allow $1_chkpwd_t proc_t:file read;
+
 can_getcon($1_chkpwd_t)
-can_ypbind($1_chkpwd_t)
-can_kerberos($1_chkpwd_t)
-can_ldap($1_chkpwd_t)
-can_resolve($1_chkpwd_t)
-# Transition from the user domain to this domain.
+authentication_domain($1_chkpwd_t)
+
 ifelse($1, system, `
 domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t)
-role system_r types system_chkpwd_t;
-dontaudit auth_chkpwd shadow_t:file { getattr read };
 allow auth_chkpwd sbin_t:dir search;
-dontaudit $1_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
-can_ypbind(auth_chkpwd)
-can_kerberos(auth_chkpwd)
-can_ldap(auth_chkpwd)
-can_resolve(auth_chkpwd)
+allow auth_chkpwd self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+dontaudit system_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
+authentication_domain(auth_chkpwd)
 ', `
 domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
 allow $1_t sbin_t:dir search;
-
-# The user role is authorized for this domain.
-role $1_r types $1_chkpwd_t;
+allow $1_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };

 # Write to the user domain tty.
 access_terminal($1_chkpwd_t, $1)
--- a/strict/macros/program/crond_macros.te
+++ b/strict/macros/program/crond_macros.te
@ -67,6 +67,7 @@ role $1_r types $1_crond_t;

 # This domain is granted permissions common to most domains.
 can_network($1_crond_t)
+allow $1_crond_t port_type:tcp_socket name_connect;
 can_ypbind($1_crond_t)
 r_dir_file($1_crond_t, self)
 allow $1_crond_t self:fifo_file rw_file_perms;
--- a/strict/macros/program/crontab_macros.te
+++ b/strict/macros/program/crontab_macros.te
@ -41,8 +41,6 @@ read_locale($1_crontab_t)
 # Use capabilities dac_override is to create the file in the directory
 # under /tmp
 allow $1_crontab_t $1_crontab_t:capability { setuid setgid chown dac_override };
-dontaudit $1_crontab_t proc_t:dir search;
-dontaudit $1_crontab_t selinux_config_t:dir search;

 # Type for temporary files.
 file_type_auto_trans($1_crontab_t, tmp_t, $1_tmp_t, { dir file })
@ -65,6 +63,11 @@ dontaudit $1_crontab_t crond_t:process signal;

 # for the checks used by crontab -u
 dontaudit $1_crontab_t security_t:dir search;
+allow $1_crontab_t proc_t:dir search;
+allow $1_crontab_t proc_t:{ file lnk_file } { getattr read };
+allow $1_crontab_t selinux_config_t:dir search;
+allow $1_crontab_t selinux_config_t:file { getattr read };
+dontaudit $1_crontab_t self:dir search;

 # crontab signals crond by updating the mtime on the spooldir
 allow $1_crontab_t cron_spool_t:dir setattr;
--- a/strict/macros/program/dbusd_macros.te
+++ b/strict/macros/program/dbusd_macros.te
@ -30,17 +30,20 @@ r_dir_file($1_dbusd_t, etc_dbusd_t)
 tmp_domain($1_dbusd) 
 allow $1_dbusd_t self:process fork;
 ifdef(`xdm.te', `
-allow $1_dbusd_t xdm_t:fd use;
-allow $1_dbusd_t xdm_t:fifo_file write;
+can_pipe_xdm($1_dbusd_t)
 ')

 allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
 allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;

 allow $1_dbusd_t urandom_device_t:chr_file { getattr read };
-allow $1_dbusd_t self:file { getattr read };
+allow $1_dbusd_t self:file { getattr read write };
 allow $1_dbusd_t proc_t:file read;

+can_getsecurity($1_dbusd_t)
+r_dir_file($1_dbusd_t, default_context_t)
+allow system_dbusd_t self:netlink_selinux_socket create_socket_perms;
+
 ifdef(`pamconsole.te', `
 r_dir_file($1_dbusd_t, pam_var_console_t)
 ')
--- a/strict/macros/program/gpg_agent_macros.te
+++ b/strict/macros/program/gpg_agent_macros.te
@ -22,7 +22,6 @@ domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t)
 role $1_r types $1_gpg_agent_t;

 allow $1_gpg_agent_t privfd:fd use;
-allow $1_gpg_agent_t xdm_t:fd use;

 # Write to the user domain tty.
 access_terminal($1_gpg_agent_t, $1)
@ -86,10 +85,9 @@ ifdef(`xdm.te', `
 allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search;
 allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write };
 can_unix_connect($1_gpg_pinentry_t, xdm_xserver_t)
-allow $1_gpg_pinentry_t xdm_t:fd use;
 ')dnl end ig xdm.te

-r_dir_file($1_gpg_pinentry_t, fonts_t)
+read_fonts($1_gpg_pinentry_t, $1)
 # read kde font cache
 allow $1_gpg_pinentry_t usr_t:file { getattr read };

--- a/strict/macros/program/gpg_macros.te
+++ b/strict/macros/program/gpg_macros.te
@ -23,27 +23,15 @@ type $1_gpg_secret_t, file_type, $1_file_type, sysadmfile;

 # Transition from the user domain to the derived domain.
 domain_auto_trans($1_t, gpg_exec_t, $1_gpg_t)
+role $1_r types $1_gpg_t;

 can_network($1_gpg_t)
+allow $1_gpg_t port_type:tcp_socket name_connect;
 can_ypbind($1_gpg_t)

 # for a bug in kmail
 dontaudit $1_gpg_t $1_t:unix_stream_socket { getattr read write };

-# The user role is authorized for this domain.
-role $1_r types $1_gpg_t;
-
-# Legacy
-if (allow_gpg_execstack) {
-legacy_domain($1_gpg)
-allow $1_gpg_t locale_t:file execute;
-
-# Not quite sure why this is needed... 
-allow $1_gpg_t gpg_exec_t:file execmod;
-}
-
-allow $1_t $1_gpg_secret_t:file getattr;
-
 allow $1_gpg_t device_t:dir r_dir_perms;
 allow $1_gpg_t { random_device_t urandom_device_t }:chr_file r_file_perms;

@ -60,45 +48,28 @@ allow $1_gpg_t { privfd $1_t }:fd use;
 allow { $1_t $1_gpg_t } $1_gpg_t:process signal;

 # setrlimit is for ulimit -c 0
-allow $1_gpg_t self:process { setrlimit setcap };
+allow $1_gpg_t self:process { setrlimit setcap setpgid };

 # allow ps to show gpg
 can_ps($1_t, $1_gpg_t)

 uses_shlib($1_gpg_t)

-# should not need read access...
-allow $1_gpg_t home_root_t:dir { read search };
-
-# use $1_gpg_secret_t for files it creates
-# NB we are doing the type transition for directory creation only!
-# so ~/.gnupg will be of $1_gpg_secret_t, then files created under it such as
-# secring.gpg will be of $1_gpg_secret_t too.  But when you use gpg to decrypt
-# a file and write output to your home directory it will use user_home_t.
-file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_gpg_secret_t, dir)
+# Access .gnupg
 rw_dir_create_file($1_gpg_t, $1_gpg_secret_t)

-file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_home_t, file)
-create_dir_file($1_gpg_t, $1_home_t)
+# Read content to encrypt/decrypt/sign
+read_content($1_gpg_t, $1)

-# allow the usual access to /tmp
-file_type_auto_trans($1_gpg_t, tmp_t, $1_tmp_t)
-
-if (use_nfs_home_dirs) {
-create_dir_file($1_gpg_t, nfs_t)
-}
-if (use_samba_home_dirs) {
-create_dir_file($1_gpg_t, cifs_t)
-}
+# Write content to encrypt/decrypt/sign
+write_trusted($1_gpg_t, $1)

 allow $1_gpg_t self:capability { ipc_lock setuid };
-rw_dir_create_file($1_gpg_t, $1_file_type)

 allow $1_gpg_t { etc_t usr_t }:dir r_dir_perms;
 allow $1_gpg_t fs_t:filesystem getattr;
 allow $1_gpg_t usr_t:file r_file_perms;
 read_locale($1_gpg_t)
-allow $1_t $1_gpg_secret_t:dir rw_dir_perms;

 dontaudit $1_gpg_t var_t:dir search;

@ -130,6 +101,7 @@ allow $1_gpg_helper_t $1_t:fd use;
 allow $1_gpg_helper_t $1_t:fifo_file write;
 # get keys from the network
 can_network_client($1_gpg_helper_t)
+allow $1_gpg_helper_t port_type:tcp_socket name_connect;
 allow $1_gpg_helper_t etc_t:file { getattr read };
 allow $1_gpg_helper_t urandom_device_t:chr_file read;
 allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
@ -137,8 +109,7 @@ allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
 dontaudit $1_gpg_helper_t var_t:dir search;

 ifdef(`xdm.te', `
-dontaudit $1_gpg_t xdm_t:fd use;
-dontaudit $1_gpg_t xdm_t:fifo_file read;
+can_pipe_xdm($1_gpg_t)
 ')

 ')dnl end gpg_domain definition
--- a/strict/macros/program/inetd_macros.te
+++ b/strict/macros/program/inetd_macros.te
@ -56,7 +56,6 @@ allow $1_t self:dir search;
 allow $1_t self:{ lnk_file file } { getattr read };
 can_kerberos($1_t)
 allow $1_t urandom_device_t:chr_file r_file_perms;
-type $1_port_t, port_type, reserved_port_type;
 # Use sockets inherited from inetd.
 ifelse($2, `', `
 allow inetd_t $1_port_t:udp_socket name_bind;
--- a/strict/macros/program/kerberos_macros.te
+++ b/strict/macros/program/kerberos_macros.te
@ -2,6 +2,7 @@ define(`can_kerberos',`
 ifdef(`kerberos.te',`
 if (allow_kerberos) {
 can_network_client($1, `kerberos_port_t')
+allow $1 kerberos_port_t:tcp_socket name_connect;
 can_resolve($1)
 }
 ') dnl kerberos.te
--- a/strict/macros/program/mta_macros.te
+++ b/strict/macros/program/mta_macros.te
@ -34,6 +34,7 @@ role $1_r types $1_mail_t;

 uses_shlib($1_mail_t)
 can_network_client_tcp($1_mail_t)
+allow $1_mail_t port_type:tcp_socket name_connect;
 can_resolve($1_mail_t)
 can_ypbind($1_mail_t)
 allow $1_mail_t self:unix_dgram_socket create_socket_perms;
--- a/strict/macros/program/newrole_macros.te
+++ b/strict/macros/program/newrole_macros.te
@ -49,7 +49,7 @@ can_setexec($1_t)
 allow $1_t autofs_t:dir search;

 # Use capabilities.
-allow $1_t self:capability { setuid setgid net_bind_service dac_override };
+allow $1_t self:capability { fowner setuid setgid net_bind_service dac_override };

 # Read the devpts root directory.
 allow $1_t devpts_t:dir r_dir_perms;
@ -60,8 +60,7 @@ r_dir_file($1_t, selinux_config_t)
 allow $1_t etc_t:file r_file_perms;

 # Read /var.
-allow $1_t var_t:dir r_dir_perms;
-allow $1_t var_t:notdevfile_class_set r_file_perms;
+r_dir_file($1_t, var_t)

 # Read /dev directories and any symbolic links.
 allow $1_t device_t:dir r_dir_perms;
--- a/strict/macros/program/ssh_agent_macros.te
+++ b/strict/macros/program/ssh_agent_macros.te
@ -49,6 +49,7 @@ read_locale($1_ssh_agent_t)
 allow $1_ssh_agent_t proc_t:dir search;
 dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read };
 dontaudit $1_ssh_agent_t selinux_config_t:dir search;
+dontaudit $1_ssh_agent_t selinux_config_t:file { read getattr };
 read_sysctl($1_ssh_agent_t)

 # Access the ssh temporary files. Should we have an own type here
@ -62,7 +63,7 @@ allow $1_ssh_agent_t self:process { fork sigchld setrlimit };
 allow $1_ssh_agent_t self:capability setgid;

 # access the random devices
-allow $1_ssh_agent_t { random_device_t urandom_device_t }:chr_file read;
+allow $1_ssh_agent_t { random_device_t urandom_device_t }:chr_file { getattr read };

 # for ssh-add
 can_unix_connect($1_t, $1_ssh_agent_t)
@ -89,8 +90,7 @@ allow $1_ssh_t $1_t:unix_stream_socket connectto;
 allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto;

 ifdef(`xdm.te', `
-allow $1_ssh_agent_t xdm_t:fd use;
-allow $1_ssh_agent_t xdm_t:fifo_file { read write };
+can_pipe_xdm($1_ssh_agent_t)

 # kdm: sigchld
 allow $1_ssh_agent_t xdm_t:process sigchld;
--- a/strict/macros/program/ssh_macros.te
+++ b/strict/macros/program/ssh_macros.te
@ -53,8 +53,7 @@ allow $1_ssh_t fs_type:filesystem getattr;
 base_file_read_access($1_ssh_t)

 # Read /var.
-allow $1_ssh_t var_t:dir r_dir_perms;
-allow $1_ssh_t var_t:notdevfile_class_set r_file_perms;
+r_dir_file($1_ssh_t, var_t)

 # Read /var/run, /var/log.
 allow $1_ssh_t var_run_t:dir r_dir_perms;
@ -63,8 +62,7 @@ allow $1_ssh_t var_log_t:dir r_dir_perms;
 allow $1_ssh_t var_log_t:{ file lnk_file } r_file_perms;

 # Read /etc.
-allow $1_ssh_t etc_t:dir r_dir_perms;
-allow $1_ssh_t etc_t:notdevfile_class_set r_file_perms;
+r_dir_file($1_ssh_t, etc_t)
 allow $1_ssh_t etc_runtime_t:{ file lnk_file } r_file_perms;

 # Read /dev directories and any symbolic links.
@ -80,6 +78,7 @@ allow $1_ssh_t { null_device_t zero_device_t }:chr_file rw_file_perms;
 # Grant permissions needed to create TCP and UDP sockets and
 # to access the network.
 can_network_client_tcp($1_ssh_t)
+allow $1_ssh_t ssh_port_t:tcp_socket name_connect;
 can_resolve($1_ssh_t)
 can_ypbind($1_ssh_t)
 can_kerberos($1_ssh_t)
@ -130,18 +129,8 @@ allow $1_t $1_ssh_t:process signal;
 # allow ps to show ssh
 can_ps($1_t, $1_ssh_t)

-ifdef(`xserver.te', `
-# Communicate with the X server.
-ifdef(`startx.te', `
-can_unix_connect($1_ssh_t, $1_xserver_t)
-allow $1_ssh_t $1_xserver_tmp_t:sock_file rw_file_perms;
-allow $1_ssh_t $1_xserver_tmp_t:dir search;
-')dnl end if startx
-ifdef(`xdm.te', `
-allow $1_ssh_t { xdm_xserver_tmp_t xdm_tmp_t }:dir search;
-allow $1_ssh_t { xdm_tmp_t }:sock_file write;
-')
-')dnl end if xserver
+# Connect to X server
+x_client_domain($1_ssh, $1)

 ifdef(`ssh-agent.te', `
 ssh_agent_domain($1)
@ -152,18 +141,26 @@ ssh_agent_domain($1)
 allow $1_ssh_t mnt_t:dir search;
 r_dir_file($1_ssh_t, removable_t) 

-ifdef(`xdm.te', `
-# should be able to remove these two later
-allow $1_ssh_t xdm_xserver_tmp_t:sock_file { read write };
-allow $1_ssh_t xdm_xserver_tmp_t:dir search;
-allow $1_ssh_t xdm_xserver_t:unix_stream_socket connectto;
-allow $1_ssh_t xdm_xserver_t:shm r_shm_perms;
-allow $1_ssh_t xdm_xserver_t:fd use;
-allow $1_ssh_t xdm_xserver_tmpfs_t:file read;
-allow $1_ssh_t xdm_t:fd use;
-')dnl end if xdm.te
-')dnl end macro definition
+type $1_ssh_keysign_t, domain, nscd_client_domain;
+role $1_r types $1_ssh_keysign_t;

+if (allow_ssh_keysign) {
+domain_auto_trans($1_ssh_t, ssh_keysign_exec_t, $1_ssh_keysign_t)
+allow $1_ssh_keysign_t sshd_key_t:file { getattr read };
+allow $1_ssh_keysign_t self:capability { setgid setuid };
+allow $1_ssh_keysign_t urandom_device_t:chr_file r_file_perms;
+uses_shlib($1_ssh_keysign_t)
+dontaudit $1_ssh_keysign_t selinux_config_t:dir search;
+dontaudit $1_ssh_keysign_t proc_t:dir search;
+dontaudit $1_ssh_keysign_t proc_t:{ lnk_file file } { getattr read };
+allow $1_ssh_keysign_t usr_t:dir search;
+allow $1_ssh_keysign_t etc_t:file { getattr read };
+allow $1_ssh_keysign_t self:dir search;
+allow $1_ssh_keysign_t self:file { getattr read };
+allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms;
+}
+
+')dnl end macro definition
 ', `

 define(`ssh_domain',`')
--- a/strict/macros/program/su_macros.te
+++ b/strict/macros/program/su_macros.te
@ -24,6 +24,13 @@ ifdef(`su.te', `
 define(`su_restricted_domain', `
 # Derived domain based on the calling user domain and the program.
 type $1_su_t, domain, privlog, privrole, privuser, privowner, privfd, nscd_client_domain;
+ifdef(`support_polyinstantiation', `
+typeattribute $1_su_t mlsfileread;
+typeattribute $1_su_t mlsfilewrite;
+typeattribute $1_su_t mlsfileupgrade;
+typeattribute $1_su_t mlsfiledowngrade;
+typeattribute $1_su_t mlsprocsetsl;
+')

 # for SSP
 allow $1_su_t urandom_device_t:chr_file { getattr read };
@ -32,7 +39,6 @@ allow $1_su_t urandom_device_t:chr_file { getattr read };
 domain_auto_trans($1_t, su_exec_t, $1_su_t)

 allow $1_su_t sbin_t:dir search;
-domain_auto_trans($1_su_t, chkpwd_exec_t, $2_chkpwd_t)

 uses_shlib($1_su_t)
 allow $1_su_t etc_t:file { getattr read };
@ -62,7 +68,7 @@ allow $1_su_t crond_t:fifo_file read;
 ')

 # Use capabilities.
-allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
+allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource audit_control };
 dontaudit $1_su_t self:capability sys_tty_config;
 #
 # Caused by su - init scripts
@ -88,6 +94,13 @@ allow $1_su_t privfd:fd use;
 allow $1_su_t { var_t var_run_t }:dir search;
 allow $1_su_t initrc_var_run_t:file rw_file_perms;
 can_kerberos($1_su_t)
+
+ifdef(`chkpwd.te', `
+domain_auto_trans($1_su_t, chkpwd_exec_t, $2_chkpwd_t)
+')
+
+allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
+
 ') dnl end su_restricted_domain

 define(`su_mini_domain', `
@ -109,10 +122,6 @@ allow $1_su_t { ttyfile ptyfile }:chr_file { read write };

 define(`su_domain', `
 su_mini_domain($1)
-ifdef(`chkpwd.te', `
-# Run chkpwd.
-can_exec($1_su_t, chkpwd_exec_t)
-')

 # Inherit and use descriptors from gnome-pty-helper.
 ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;')
@ -139,6 +148,16 @@ if (use_samba_home_dirs) {
 allow $1_su_t cifs_t:dir search;
 }

+ifdef(`support_polyinstantiation', `
+# Su can polyinstantiate
+polyinstantiater($1_su_t)
+# Su has to unmount polyinstantiated directories (like home)
+# that should not be polyinstantiated under the new user
+allow $1_su_t fs_t:filesystem unmount;
+# Su needs additional permission to mount over a previous mount
+allow $1_su_t polymember:dir mounton;
+')
+
 # Modify .Xauthority file (via xauth program).
 ifdef(`xauth.te', `
 file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
--- a/strict/mcs
+++ b/strict/mcs
@ -0,0 +1,212 @@
+#
+# Define sensitivities 
+#
+# Each sensitivity has a name and zero or more aliases.
+#
+# MCS is single-sensitivity.
+#
+sensitivity s0;
+
+#
+# Define the ordering of the sensitivity levels (least to greatest)
+#
+dominance { s0 }
+
+
+#
+# Define the categories
+#
+# Each category has a name and zero or more aliases.
+#
+category c0;
+category c1;
+category c2;
+category c3;
+category c4;
+category c5;
+category c6;
+category c7;
+category c8;
+category c9;
+category c10;
+category c11;
+category c12;
+category c13;
+category c14;
+category c15;
+category c16;
+category c17;
+category c18;
+category c19;
+category c20;
+category c21;
+category c22;
+category c23;
+category c24;
+category c25;
+category c26;
+category c27;
+category c28;
+category c29;
+category c30;
+category c31;
+category c32;
+category c33;
+category c34;
+category c35;
+category c36;
+category c37;
+category c38;
+category c39;
+category c40;
+category c41;
+category c42;
+category c43;
+category c44;
+category c45;
+category c46;
+category c47;
+category c48;
+category c49;
+category c50;
+category c51;
+category c52;
+category c53;
+category c54;
+category c55;
+category c56;
+category c57;
+category c58;
+category c59;
+category c60;
+category c61;
+category c62;
+category c63;
+category c64;
+category c65;
+category c66;
+category c67;
+category c68;
+category c69;
+category c70;
+category c71;
+category c72;
+category c73;
+category c74;
+category c75;
+category c76;
+category c77;
+category c78;
+category c79;
+category c80;
+category c81;
+category c82;
+category c83;
+category c84;
+category c85;
+category c86;
+category c87;
+category c88;
+category c89;
+category c90;
+category c91;
+category c92;
+category c93;
+category c94;
+category c95;
+category c96;
+category c97;
+category c98;
+category c99;
+category c100;
+category c101;
+category c102;
+category c103;
+category c104;
+category c105;
+category c106;
+category c107;
+category c108;
+category c109;
+category c110;
+category c111;
+category c112;
+category c113;
+category c114;
+category c115;
+category c116;
+category c117;
+category c118;
+category c119;
+category c120;
+category c121;
+category c122;
+category c123;
+category c124;
+category c125;
+category c126;
+category c127;
+
+
+#
+# Each MCS level specifies a sensitivity and zero or more categories which may
+# be associated with that sensitivity.
+#
+level s0:c0.c127;
+
+#
+# Define the MCS policy
+#
+# mlsconstrain class_set perm_set expression ;
+#
+# mlsvalidatetrans class_set expression ;
+#
+# expression : ( expression )
+#	     | not expression
+#	     | expression and expression
+#	     | expression or expression
+#	     | u1 op u2
+#	     | r1 role_mls_op r2
+#	     | t1 op t2
+#	     | l1 role_mls_op l2
+#	     | l1 role_mls_op h2
+#	     | h1 role_mls_op l2
+#	     | h1 role_mls_op h2
+#	     | l1 role_mls_op h1
+#	     | l2 role_mls_op h2
+#	     | u1 op names
+#	     | u2 op names
+#	     | r1 op names
+#	     | r2 op names
+#	     | t1 op names
+#	     | t2 op names
+#	     | u3 op names (NOTE: this is only available for mlsvalidatetrans)
+#	     | r3 op names (NOTE: this is only available for mlsvalidatetrans)
+#	     | t3 op names (NOTE: this is only available for mlsvalidatetrans)
+#
+# op : == | !=
+# role_mls_op : == | != | eq | dom | domby | incomp
+#
+# names : name | { name_list }
+# name_list : name | name_list name
+#
+
+#
+# MCS policy for the file classes
+#
+# Constrain file access so that the high range of the process dominates
+# the high range of the file.  We use the high range of the process so
+# that processes can always simply run at s0.
+#
+# Only files are constrained by MCS at this stage.
+#
+mlsconstrain file { read write setattr append unlink link rename
+		    create ioctl lock execute } (h1 dom h2);
+
+
+# XXX
+#
+# For some reason, we need to reference the mlsfileread attribute
+# or we get a build error.  Below is a dummy entry to do this.
+mlsconstrain xextension query ( t1 == mlsfileread );
+
--- a/strict/types/file.te
+++ b/strict/types/file.te
@ -276,7 +276,8 @@ allow { file_type device_type ttyfile } fs_t:filesystem associate;
 # Allow the pty to be associated with the file system.
 allow devpts_t self:filesystem associate;

-type tmpfs_t, file_type, sysadmfile, fs_type;
+type tmpfs_t, file_type, mount_point, sysadmfile, fs_type;
+allow { logfile tmpfs_t tmpfile home_type } tmpfs_t:filesystem associate;
 allow { tmpfs_t tmp_t } tmpfs_t:filesystem associate;
 ifdef(`distro_redhat', `
 allow { dev_fs ttyfile } { tmpfs_t tmp_t }:filesystem associate;
@ -332,6 +333,7 @@ allow file_type noexattrfile:filesystem associate;

 # Type for anonymous FTP data, used by ftp and rsync
 type ftpd_anon_t, file_type, sysadmfile, customizable;
+type ftpd_anon_rw_t, file_type, sysadmfile, customizable;

 allow customizable self:filesystem associate;

--- a/strict/types/security.te
+++ b/strict/types/security.te
@ -12,32 +12,32 @@
 # the permissions in the security class.  It is also
 # applied to selinuxfs inodes.
 #
-type security_t, fs_type;
+type security_t, mount_point, fs_type, mlstrustedobject;

 #
 # policy_config_t is the type of /etc/security/selinux/*
 # the security server policy configuration.
 #
-type policy_config_t, file_type;
+type policy_config_t, file_type, secadmfile;

 #
 # policy_src_t is the type of the policy source
 # files.
 #
-type policy_src_t, file_type, sysadmfile;
+type policy_src_t, file_type, secadmfile;


 #
 # default_context_t is the type applied to 
 # /etc/selinux/*/contexts/*
 #
-type default_context_t, file_type, sysadmfile, login_contexts;
+type default_context_t, file_type, login_contexts, secadmfile;

 #
 # file_context_t is the type applied to 
 # /etc/selinux/*/contexts/files
 #
-type file_context_t, file_type, sysadmfile;
+type file_context_t, file_type, secadmfile;

 #
 # no_access_t is the type for objects that should
@ -49,6 +49,6 @@ type no_access_t, file_type, sysadmfile;
 # selinux_config_t is the type applied to 
 # /etc/selinux/config
 #
-type selinux_config_t, file_type, sysadmfile;
+type selinux_config_t, file_type, secadmfile;


--- a/strict/users
+++ b/strict/users
@ -41,10 +41,17 @@ user user_u roles { user_r };

 # The sysadm_r user also needs to be permitted system_r if we are to allow
 # direct execution of daemons
-user root roles { sysadm_r staff_r ifdef(`direct_sysadm_daemon', `system_r') };
+user root roles { sysadm_r staff_r secadm_r ifdef(`direct_sysadm_daemon', `system_r') };

 # sample for administrative user
 #user jadmin roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', `system_r') };

 # sample for regular user
 #user jdoe roles { user_r };
+
+#
+# The following users correspond to special Unix identities
+# 
+ifdef(`nx_server.te', `
+user nx roles nx_server_r;
+')
--- a/tools/regression.sh
+++ b/tools/regression.sh
@ -1,8 +1,8 @@
 #!/bin/bash

 DISTROS="redhat gentoo debian suse"
-STRICT_TYPES="strict strict-mls"
-TARG_TYPES="targeted targeted-mls"
+STRICT_TYPES="strict strict-mls strict-mcs"
+TARG_TYPES="targeted targeted-mls targeted-mcs"
 POLVER="`checkpolicy -V |cut -f 1 -d ' '`"
 SETFILES="/usr/sbin/setfiles"