--- nsaserefpolicy/policy/modules/services/radius.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.5/policy/modules/services/radius.fc 2008-08-14 13:53:54.000000000 -0400
@@ -20,3 +20,5 @@
 /var/run/radiusd(/.*)? gen_context(system_u:object_r:radiusd_var_run_t,s0)
 /var/run/radiusd\.pid -- gen_context(system_u:object_r:radiusd_var_run_t,s0)
+
+/etc/rc.d/init.d/radiusd -- gen_context(system_u:object_r:radius_script_exec_t,s0)
--- nsaserefpolicy/policy/modules/services/radius.if 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.5/policy/modules/services/radius.if 2008-08-14 13:53:54.000000000 -0400
@@ -16,6 +16,25 @@
 ########################################
 ##
+## Execute radius server in the radius domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+#
+interface(`radius_script_domtrans',`
+ gen_require(`
+ type radius_script_exec_t;
+ ')
+
+ init_script_domtrans_spec($1, radius_script_exec_t)
+')
+
+########################################
+##
 ## All of the rules required to administrate
 ## an radius environment
 ##
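Review bot: The summary written for the new `radius_script_domtrans` interface, `## Execute radius server in the radius domain.`, describes a transition into the radiusd_t daemon domain, but the body calls `init_script_domtrans_spec($1, radius_script_exec_t)`, which transitions the caller into the init script domain (presumably initrc_t) when it executes the radiusd init script. A reader of the .if documentation would grant the wrong thing; the line should read `## Execute the radius init script in the init script domain.`, matching what the interface actually allows. The summary/param XML tags of this block are not visible in the hunk as rendered, so their markup cannot be checked here.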
@@ -30,22 +49,29 @@
 gen_require(`
 type radiusd_t, radiusd_etc_t, radiusd_log_t;
 type radiusd_etc_rw_t, radiusd_var_lib_t, radiusd_var_run_t;
+ type radius_script_exec_t;
 ')
 
 allow $1 radiusd_t:process { ptrace signal_perms getattr };
 ps_process_pattern($1, radiusd_t)
 
+ # Allow radius_t to restart the apache service
+ radius_script_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 radius_script_exec_t system_r;
+ allow $2 system_r;
+
 files_list_etc($1)
- manage_files_pattern($1, radiusd_etc_t, radiusd_etc_t)
+ admin_pattern($1, radiusd_etc_t, radiusd_etc_t)
 
 logging_list_logs($1)
- manage_files_pattern($1, radiusd_log_t, radiusd_log_t)
+ admin_pattern($1, radiusd_log_t, radiusd_log_t)
 
- manage_files_pattern($1, radiusd_etc_rw_t, radiusd_etc_rw_t)
+ admin_pattern($1, radiusd_etc_rw_t, radiusd_etc_rw_t)
 
 files_list_var_lib($1)
- manage_files_pattern($1, radiusd_var_lib_t, radiusd_var_lib_t)
+ admin_pattern($1, radiusd_var_lib_t, radiusd_var_lib_t)
 
 files_list_pids($1)
- manage_files_pattern($1, radiusd_var_run_t, radiusd_var_run_t)
+ admin_pattern($1, radiusd_var_run_t, radiusd_var_run_t)
 ')
--- nsaserefpolicy/policy/modules/services/radius.te 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.5/policy/modules/services/radius.te 2008-08-14 13:53:54.000000000 -0400
@@ -25,6 +25,9 @@
 type radiusd_var_run_t;
 files_pid_file(radiusd_var_run_t)
 
+type radius_script_exec_t;
+init_script_type(radius_script_exec_t)
+
 ########################################
 #
 # Local policy
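Review bot: The comment added in the admin interface, `# Allow radius_t to restart the apache service`, is wrong on both counts: `$1` in this interface is the administrator domain passed in by the caller, not radius_t, and the script it is allowed to run is `radius_script_exec_t`, not apache's. It looks like a copy-paste from another module's admin interface; replace it with `# Allow the admin domain to run the radiusd init script` so that the `role_transition $2 radius_script_exec_t system_r;` and `allow $2 system_r;` lines that follow read as deliberate grants to the admin role rather than a stray fragment. The interface header and its parameter documentation start outside the hunk, so the names given there for `$1` and `$2` cannot be confirmed here.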
@@ -34,12 +37,11 @@
 # gzip also needs chown access to preserve GID for radwtmp files
 allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
 dontaudit radiusd_t self:capability sys_tty_config;
-allow radiusd_t self:process { setsched signal };
+allow radiusd_t self:process { getsched setsched sigkill signal };
 allow radiusd_t self:fifo_file rw_fifo_file_perms;
 allow radiusd_t self:unix_stream_socket create_stream_socket_perms;
 allow radiusd_t self:tcp_socket create_stream_socket_perms;
 allow radiusd_t self:udp_socket create_socket_perms;
-allow radiusd_t self:netlink_route_socket r_netlink_socket_perms;
 
 allow radiusd_t radiusd_etc_t:dir list_dir_perms;
 read_files_pattern(radiusd_t, radiusd_etc_t, radiusd_etc_t)
@@ -86,9 +88,6 @@
 fs_getattr_all_fs(radiusd_t)
 fs_search_auto_mountpoints(radiusd_t)
 
-auth_read_shadow(radiusd_t)
-auth_domtrans_chk_passwd(radiusd_t)
-
 corecmd_exec_bin(radiusd_t)
 corecmd_exec_shell(radiusd_t)
 
@@ -98,6 +97,10 @@
 files_read_etc_files(radiusd_t)
 files_read_etc_runtime_files(radiusd_t)
 
+auth_use_nsswitch(radiusd_t)
+auth_read_shadow(radiusd_t)
+auth_domtrans_chk_passwd(radiusd_t)
+
 libs_use_ld_so(radiusd_t)
 libs_use_shared_libs(radiusd_t)
 libs_exec_lib_files(radiusd_t)
@@ -107,8 +110,6 @@
 miscfiles_read_localization(radiusd_t)
 miscfiles_read_certs(radiusd_t)
 
-sysnet_read_config(radiusd_t)
-
 userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
 sysadm_dontaudit_search_home_dirs(radiusd_t)
 
@@ -123,7 +124,9 @@
 ')
 
 optional_policy(`
- nis_use_ypbind(radiusd_t)
+ mysql_read_config(radiusd_t)
+ mysql_stream_connect(radiusd_t)
+ corenet_tcp_connect_mysqld_port(radiusd_t)
 ')
 
 optional_policy(`
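Review bot: Dropping `allow radiusd_t self:netlink_route_socket r_netlink_socket_perms;` in the first hunk, `sysnet_read_config(radiusd_t)` in the -107 hunk and `nis_use_ypbind(radiusd_t)` in the last hunk all rest on the same assumption: that `auth_use_nsswitch(radiusd_t)`, added in the +97 hunk, grants those permissions through its resolver and NIS pieces. That is presumably the case for this policy version, but nothing in the diff shows it, and a later "unused call" cleanup of `auth_use_nsswitch` would silently break name resolution and NIS lookups for radiusd. Put the dependency next to the new call, `# auth_use_nsswitch covers the netlink_route_socket perms, sysnet_read_config and nis_use_ypbind removed from this file`, so the three removals are traceable to it.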