--- nsaserefpolicy/policy/modules/kernel/files.fc 2008-08-07 11:15:01.000000000 -0400 +++ serefpolicy-3.5.5/policy/modules/kernel/files.fc 2008-08-14 13:53:54.000000000 -0400 @@ -32,6 +32,7 @@ /boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /boot/lost\+found/.* <> /boot/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0) +/boot/efi(/.*)?/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0) # # /emul --- nsaserefpolicy/policy/modules/kernel/files.if 2008-08-07 11:15:01.000000000 -0400 +++ serefpolicy-3.5.5/policy/modules/kernel/files.if 2008-08-14 13:53:54.000000000 -0400 @@ -110,6 +110,11 @@ ## # interface(`files_config_file',` + gen_require(` + attribute etcfile; + ') + + typeattribute $1 etcfile; files_type($1) ') @@ -1303,6 +1308,24 @@ ######################################## ## +## Remove entries from the tmp directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_delete_tmp_dir_entry',` + gen_require(` + type root_t; + ') + + allow $1 tmp_t:dir del_entry_dir_perms; +') + +######################################## +## ## Unmount a rootfs filesystem. ## ## @@ -1889,6 +1912,26 @@ ######################################## ## +## Read config files in /etc. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_read_config_files',` + gen_require(` + attribute etcfile; + ') + + allow $1 etcfile:dir list_dir_perms; + read_files_pattern($1, etcfile, etcfile) + read_lnk_files_pattern($1, etcfile, etcfile) +') + +######################################## +## ## Do not audit attempts to write generic files in /etc. ## ## 
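Review bot: In the new `files_delete_tmp_dir_entry` interface the `gen_require` block declares `type root_t;`, but the only rule emitted is `allow $1 tmp_t:dir del_entry_dir_perms;`, so the type actually used is never required. The require line should read `type tmp_t;`. As written, a module that calls this interface without `tmp_t` otherwise in scope would presumably fail to compile, and the stray `root_t` dependency misleads anyone auditing what the interface touches.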
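Review bot: The summary `Read config files in /etc.` on `files_read_config_files` understates the grant, because its rules apply to the whole `etcfile` attribute rather than to a path. The `files_config_file` hunk earlier in this file now adds every type passed to that interface to `etcfile`, so a caller gets list and read access on all of them wherever they live. If any of those types hold credentials or keys (not visible from this patch), they become readable by every caller. I would reword the summary to something like `## Read all files and symlinks whose type has the etcfile attribute.` and check each new caller against that scope.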
@@ -2224,6 +2267,49 @@ ######################################## ## +## Delete directories on new filesystems +## that have not yet been labeled. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_delete_isid_type_dirs',` + gen_require(` + type file_t; + ') + + delete_dirs_pattern($1, file_t, file_t) +') + +######################################## +## +## Delete files on new filesystems +## that have not yet been labeled. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_delete_isid_type_files',` + gen_require(` + type file_t; + ') + + delete_files_pattern($1, file_t, file_t) + delete_lnk_files_pattern($1, file_t, file_t) + delete_fifo_files_pattern($1, file_t, file_t) + delete_sock_files_pattern($1, file_t, file_t) + delete_blk_files_pattern($1, file_t, file_t) + delete_chr_files_pattern($1, file_t, file_t) +') + +######################################## +## ## Do not audit attempts to search directories on new filesystems ## that have not yet been labeled. ## @@ -2744,6 +2830,24 @@ ######################################## ## +## read files in /mnt. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_read_mnt_files',` + gen_require(` + type mnt_t; + ') + + read_files_pattern($1, mnt_t, mnt_t) +') + +######################################## +## ## Create, read, write, and delete symbolic links in /mnt. ## ## @@ -3394,6 +3498,8 @@ delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) + files_delete_isid_type_dirs($1) + files_delete_isid_type_files($1) ') ######################################## 
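Review bot: The two calls added in the `@@ -3394` hunk, `files_delete_isid_type_dirs($1)` and `files_delete_isid_type_files($1)`, widen a tmpfile deletion interface to `file_t`, and that grant is not scoped to tmp directories. The interface header is outside the hunk, but every caller now gains delete on unlabeled directories, files, symlinks, fifos, sockets and block and character device nodes wherever they sit. If the goal is only to clean unlabeled leftovers out of tmp, it would be tighter to have the specific domain that needs it call the two `isid` interfaces itself. At minimum add a comment above the calls such as `# also removes unlabeled (file_t) objects; this is type-based, not limited to tmp paths`.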
@@ -3471,6 +3577,47 @@ ######################################## ## +## Delete generic directories in /usr in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_delete_usr_dirs',` + gen_require(` + type usr_t; + ') + + delete_dirs_pattern($1, usr_t, usr_t) +') + +######################################## +## +## Delete generic files in /usr in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_delete_usr_files',` + gen_require(` + type usr_t; + ') + + delete_files_pattern($1, usr_t, usr_t) + delete_lnk_files_pattern($1, usr_t, usr_t) + delete_fifo_files_pattern($1, usr_t, usr_t) + delete_sock_files_pattern($1, usr_t, usr_t) + delete_blk_files_pattern($1, usr_t, usr_t) + delete_chr_files_pattern($1, usr_t, usr_t) +') + +######################################## +## ## Get the attributes of files in /usr. ## ## @@ -3547,6 +3694,24 @@ ######################################## ## +## dontaudit write of /usr files +## +## +## +## Domain allowed access. +## +## +# +interface(`files_dontaudit_write_usr_files',` + gen_require(` + type usr_t; + ') + + dontaudit $1 usr_t:file write; +') + +######################################## +## ## Relabel a file to the type used in /usr. ## ## @@ -4761,12 +4926,14 @@ allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) + fs_mount_tmpfs($1) + fs_unmount_tmpfs($1) + ifdef(`distro_redhat',` # namespace.init files_search_home($1) corecmd_exec_bin($1) seutil_domtrans_setfiles($1) - mount_domtrans($1) ') ') @@ -4787,3 +4954,53 @@ typeattribute $1 files_unconfined_type; ') + +######################################## +## +## Create a core files in / +## +## +##
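Review bot: `files_dontaudit_write_usr_files` documents its parameter as `Domain allowed access.`, but the interface emits only `dontaudit $1 usr_t:file write;` and allows nothing. The parameter text should be `## Domain to not audit.` and the summary should match the neighbouring dontaudit interfaces, e.g. `## Do not audit attempts to write files in /usr.`. It is also worth stating in the description that callers lose AVC denial records for write attempts on `usr_t` files, since that is the signal an analyst would otherwise use to spot tampering attempts against /usr.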

+## Create a core file in /, +##

+##
+## +## +## Domain allowed access. +## +## +## +# +interface(`files_dump_core',` + gen_require(` + type root_t; + ') + + manage_files_pattern($1, root_t, root_t) +') + +######################################## +## +## Create a default directory in / +## +## +##

+## Create a default_t direcrory in / +##

+##
+## +## +## Domain allowed access. +## +## +## +# +interface(`files_create_default_dir',` + gen_require(` + type root_t, default_t; + ') + + allow $1 default_t:dir create; + filetrans_pattern($1, root_t, default_t, dir) +') + --- nsaserefpolicy/policy/modules/kernel/files.te 2008-08-07 11:15:01.000000000 -0400 +++ serefpolicy-3.5.5/policy/modules/kernel/files.te 2008-08-14 13:53:54.000000000 -0400 @@ -52,11 +52,14 @@ # # etc_t is the type of the system etc directories. # -type etc_t; +attribute etcfile; + +type etc_t, etcfile; files_type(etc_t) # compatibility aliases for removed types: typealias etc_t alias automount_etc_t; typealias etc_t alias snmpd_etc_t; +typealias etc_t alias gconf_etc_t; # # etc_runtime_t is the type of various @@ -174,6 +177,7 @@ # type var_run_t; files_pid_file(var_run_t) +files_mountpoint(var_run_t) # # var_spool_t is the type of /var/spool @@ -197,10 +201,7 @@ # # Rules for all tmp file types # - -allow tmpfile tmp_t:filesystem associate; - -fs_associate_tmpfs(tmpfile) +allow file_type tmp_t:filesystem associate; ######################################## #
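Review bot: `files_dump_core` is described as creating a core file in /, but `manage_files_pattern($1, root_t, root_t)` hands the caller the full manage set on every file labeled `root_t`. That includes reading, rewriting and unlinking files that already exist there, which is more than writing a core dump needs. Consider narrowing it to creation plus write, something like `create_files_pattern($1, root_t, root_t)` together with a write permission set on `root_t:file`. If manage really is required, say so in the description. Separately, the description of `files_create_default_dir` in the same hunk misspells directory as `direcrory`.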
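Review bot: In the last files.te hunk, `fs_associate_tmpfs(tmpfile)` is removed with no replacement visible in this patch, while the polyinstantiation hunk in files.if adds `fs_mount_tmpfs($1)`. Unless association with the tmpfs filesystem type is granted elsewhere, tmp file types created on a tmpfs mount may now be denied. The new `allow file_type tmp_t:filesystem associate;` also extends association from the `tmpfile` attribute to every file type, so the retained header `# Rules for all tmp file types` no longer describes the rule. Please confirm the broader scope is intended and update the comment, e.g. `# Allow any file type to be associated with a tmp_t filesystem`.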