--- nsaserefpolicy/policy/modules/services/rpcbind.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.5/policy/modules/services/rpcbind.fc 2008-08-14 13:53:54.000000000 -0400
@@ -5,3 +5,5 @@
 /var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
 /var/run/rpcbind\.lock -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
 /var/run/rpcbind\.sock -s gen_context(system_u:object_r:rpcbind_var_run_t,s0)
+
+/etc/rc.d/init.d/rpcbind -- gen_context(system_u:object_r:rpcbind_script_exec_t,s0)
--- nsaserefpolicy/policy/modules/services/rpcbind.if 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.5/policy/modules/services/rpcbind.if 2008-08-14 13:53:54.000000000 -0400
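Review bot: The new entry `/etc/rc.d/init.d/rpcbind` in the rpcbind.fc hunk leaves its dots unescaped, while the three context lines above escape theirs (`\.pid`, `\.lock`, `\.sock`). File-context paths are regular expressions, so an unescaped `.` matches any single character and the pattern is slightly broader than the literal path. For consistency with the rest of the file write `/etc/rc\.d/init\.d/rpcbind -- gen_context(system_u:object_r:rpcbind_script_exec_t,s0)`.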
@@ -95,3 +95,68 @@
 manage_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t)
 files_search_var_lib($1)
 ')
+
+########################################
+##
+## Execute rpcbind server in the rpcbind domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+#
+interface(`rpcbind_script_domtrans',`
+ gen_require(`
+ type rpcbind_script_exec_t;
+ ')
+
+ init_script_domtrans_spec($1, rpcbind_script_exec_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an rpcbind environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed to manage the rpcbind domain.
+##
+##
+##
+##
+## The type of the user terminal.
+##
+##
+##
+#
+interface(`rpcbind_admin',`
+ gen_require(`
+ type rpcbind_t;
+ type rpcbind_script_exec_t;
+ type rpcbind_var_lib_t;
+ type rpcbind_var_run_t;
+ ')
+
+ allow $1 rpcbind_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, rpcbind_t, rpcbind_t)
+
+ # Allow rpcbind_t to restart the apache service
+ rpcbind_script_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 rpcbind_script_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_var_lib($1)
+ admin_pattern($1, rpcbind_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, rpcbind_var_run_t)
+')
--- nsaserefpolicy/policy/modules/services/rpcbind.te 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.5/policy/modules/services/rpcbind.te 2008-08-14 13:53:54.000000000 -0400
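Review bot: The comment `# Allow rpcbind_t to restart the apache service` inside rpcbind_admin (rpcbind.if hunk) is a leftover from whatever interface this block was modelled on: the rules under it grant the caller `$1`, not rpcbind_t, and they concern the rpcbind init script, not apache. Replace it with `# Allow the admin domain ($1) to run the rpcbind init script`. The summary of rpcbind_script_domtrans, `Execute rpcbind server in the rpcbind domain.`, also does not describe what the interface does — it calls init_script_domtrans_spec on rpcbind_script_exec_t — so `Execute the rpcbind init script in the init script domain.` would be accurate. The XML summary/param tags of both headers appear to have been stripped in this rendering, so their structure cannot be checked here.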
@@ -16,16 +16,21 @@
 type rpcbind_var_lib_t;
 files_type(rpcbind_var_lib_t)
+type rpcbind_script_exec_t;
+init_script_type(rpcbind_script_exec_t)
+
 ########################################
 #
 # rpcbind local policy
 #
-allow rpcbind_t self:capability setuid;
+allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
 allow rpcbind_t self:fifo_file rw_file_perms;
 allow rpcbind_t self:unix_stream_socket create_stream_socket_perms;
 allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms;
 allow rpcbind_t self:udp_socket create_socket_perms;
+# BROKEN ...
+dontaudit rpcbind_t self:udp_socket listen;
 allow rpcbind_t self:tcp_socket create_stream_socket_perms;
 manage_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t)
@@ -37,6 +42,7 @@
 manage_sock_files_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t)
 files_var_lib_filetrans(rpcbind_t, rpcbind_var_lib_t, { file dir sock_file })
+kernel_read_system_state(rpcbind_t)
 kernel_read_network_state(rpcbind_t)
 corenet_all_recvfrom_unlabeled(rpcbind_t)
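Review bot: The comment `# BROKEN ...` above `dontaudit rpcbind_t self:udp_socket listen;` in the first rpcbind.te hunk does not say what is broken or why the denial is silenced rather than allowed, which is exactly what a later maintainer needs before removing or widening the rule. Presumably the daemon issues listen() on its UDP socket, a call that cannot succeed and is harmless to deny; if so, say that: `# rpcbind calls listen() on a UDP socket; the call is a no-op for the daemon, so silence the denial instead of allowing it`. The capability line now grants `dac_override`, which lets rpcbind_t bypass DAC permission checks on every file it opens; a one-line comment naming the access that triggers it would let the allowance be narrowed later. For `sys_tty_config`, refpolicy commonly dontaudits that capability for daemons rather than allowing it, so unless rpcbind actually needs it the usual form is `dontaudit rpcbind_t self:capability sys_tty_config;`.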