diff --git a/cinder.te b/cinder.te

index 488a7a659..a05691d8f 100644

--- a/cinder.te

+++ b/cinder.te

@@ -159,6 +159,8 @@ kernel_read_kernel_sysctls(cinder_volume_t)

 logging_send_syslog_msg(cinder_volume_t)

+systemd_dbus_chat_logind(cinder_volume_t)

+

 optional_policy(`

 	lvm_domtrans(cinder_volume_t)

 ')

diff --git a/ganesha.fc b/ganesha.fc

new file mode 100644

index 000000000..c723bfb97

--- /dev/null

+++ b/ganesha.fc

@@ -0,0 +1,12 @@

+/usr/bin/ganesha.nfsd		--	gen_context(system_u:object_r:ganesha_exec_t,s0)

+

+/usr/lib/systemd/system/nfs-ganesha-config.*		--	gen_context(system_u:object_r:ganesha_unit_file_t,s0)

+

+/usr/lib/systemd/system/nfs-ganesha-lock.*		--	gen_context(system_u:object_r:ganesha_unit_file_t,s0)

+

+/usr/lib/systemd/system/nfs-ganesha.*e		--	gen_context(system_u:object_r:ganesha_unit_file_t,s0)

+

+/var/log/ganesha.log.*	--	gen_context(system_u:object_r:ganesha_var_log_t,s0)

+/var/log/ganesha-gfapi.log.*	--	gen_context(system_u:object_r:ganesha_var_log_t,s0)

+

+/var/run/ganesha(/.*)?		gen_context(system_u:object_r:ganesha_var_run_t,s0)

diff --git a/ganesha.if b/ganesha.if

new file mode 100644

index 000000000..4c347e5cc

--- /dev/null

+++ b/ganesha.if

@@ -0,0 +1,146 @@

+## <summary>policy for ganesha</summary>

+

+########################################

+## <summary>

+##	Execute ganesha_exec_t in the ganesha domain.

+## </summary>

+## <param name="domain">

+## <summary>

+##	Domain allowed to transition.

+## </summary>

+## </param>

+#

+interface(`ganesha_domtrans',`

+	gen_require(`

+		type ganesha_t, ganesha_exec_t;

+	')

+

+	corecmd_search_bin($1)

+	domtrans_pattern($1, ganesha_exec_t, ganesha_t)

+')

+

+######################################

+## <summary>

+##	Execute ganesha in the caller domain.

+## </summary>

+## <param name="domain">

+##	<summary>

+##	Domain allowed access.

+##	</summary>

+## </param>

+#

+interface(`ganesha_exec',`

+	gen_require(`

+		type ganesha_exec_t;

+	')

+

+	corecmd_search_bin($1)

+	can_exec($1, ganesha_exec_t)

+')

+########################################

+## <summary>

+##	Read ganesha PID files.

+## </summary>

+## <param name="domain">

+##	<summary>

+##	Domain allowed access.

+##	</summary>

+## </param>

+#

+interface(`ganesha_read_pid_files',`

+	gen_require(`

+		type ganesha_var_run_t;

+	')

+

+	files_search_pids($1)

+	read_files_pattern($1, ganesha_var_run_t, ganesha_var_run_t)

+')

+

+########################################

+## <summary>

+##	Execute ganesha server in the ganesha domain.

+## </summary>

+## <param name="domain">

+##	<summary>

+##	Domain allowed to transition.

+##	</summary>

+## </param>

+#

+interface(`ganesha_systemctl',`

+	gen_require(`

+		type ganesha_t;

+		type ganesha_unit_file_t;

+	')

+

+	systemd_exec_systemctl($1)

+        systemd_read_fifo_file_passwd_run($1)

+	allow $1 ganesha_unit_file_t:file read_file_perms;

+	allow $1 ganesha_unit_file_t:service manage_service_perms;

+

+	ps_process_pattern($1, ganesha_t)

+')

+

+

+########################################

+## <summary>

+##	Send and receive messages from

+##	ganesha over dbus.

+## </summary>

+## <param name="domain">

+##	<summary>

+##	Domain allowed access.

+##	</summary>

+## </param>

+#

+interface(`ganesha_dbus_chat',`

+	gen_require(`

+		type ganesha_t;

+		class dbus send_msg;

+	')

+

+	allow $1 ganesha_t:dbus send_msg;

+	allow ganesha_t $1:dbus send_msg;

+')

+

+########################################

+## <summary>

+##	All of the rules required to administrate

+##	an ganesha environment

+## </summary>

+## <param name="domain">

+##	<summary>

+##	Domain allowed access.

+##	</summary>

+## </param>

+## <param name="role">

+##	<summary>

+##	Role allowed access.

+##	</summary>

+## </param>

+## <rolecap/>

+#

+interface(`ganesha_admin',`

+	gen_require(`

+		type ganesha_t;

+		type ganesha_var_run_t;

+	type ganesha_unit_file_t;

+	')

+

+	allow $1 ganesha_t:process { signal_perms };

+	ps_process_pattern($1, ganesha_t)

+

+    tunable_policy(`deny_ptrace',`',`

+        allow $1 ganesha_t:process ptrace;

+    ')

+

+	files_search_pids($1)

+	admin_pattern($1, ganesha_var_run_t)

+

+	ganesha_systemctl($1)

+	admin_pattern($1, ganesha_unit_file_t)

+	allow $1 ganesha_unit_file_t:service all_service_perms;

+	optional_policy(`

+		systemd_passwd_agent_exec($1)

+		systemd_read_fifo_file_passwd_run($1)

+	')

+')

diff --git a/ganesha.te b/ganesha.te

new file mode 100644

index 000000000..f25a3f34d

--- /dev/null

+++ b/ganesha.te

@@ -0,0 +1,111 @@

+policy_module(ganesha, 1.0.0)

+

+########################################

+#

+# Declarations

+#

+

+## <desc>

+## 

+## Allow ganesha to read/write fuse files

+## 

+## </desc>

+gen_tunable(ganesha_use_fusefs, false)

+

+type ganesha_t;

+type ganesha_exec_t;

+init_daemon_domain(ganesha_t, ganesha_exec_t)

+

+type ganesha_var_log_t;

+logging_log_file(ganesha_var_log_t)

+

+type ganesha_var_run_t;

+files_pid_file(ganesha_var_run_t)

+

+type ganesha_tmp_t;

+files_tmp_file(ganesha_tmp_t)

+

+type ganesha_unit_file_t;

+systemd_unit_file(ganesha_unit_file_t)

+

+########################################

+#

+# ganesha local policy

+#

+dontaudit ganesha_t self:capability net_admin;

+

+allow ganesha_t self:capability { dac_read_search dac_override };

+allow ganesha_t self:capability2 block_suspend;

+allow ganesha_t self:process { setcap setrlimit };

+allow ganesha_t self:fifo_file rw_fifo_file_perms;

+allow ganesha_t self:unix_stream_socket create_stream_socket_perms;

+allow ganesha_t self:tcp_socket { accept listen };

+

+manage_dirs_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t)

+manage_files_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t)

+manage_lnk_files_pattern(ganesha_t, ganesha_var_run_t, ganesha_var_run_t)

+files_pid_filetrans(ganesha_t, ganesha_var_run_t, { dir file lnk_file })

+

+manage_dirs_pattern(ganesha_t, ganesha_var_log_t, ganesha_var_log_t)

+manage_files_pattern(ganesha_t, ganesha_var_log_t, ganesha_var_log_t)

+logging_log_filetrans(ganesha_t, ganesha_var_log_t, { file dir })

+

+manage_dirs_pattern(ganesha_t, ganesha_tmp_t, ganesha_tmp_t)

+manage_files_pattern(ganesha_t, ganesha_tmp_t, ganesha_tmp_t)

+files_tmp_filetrans(ganesha_t, ganesha_tmp_t, { file dir })

+

+kernel_read_system_state(ganesha_t)

+kernel_search_network_sysctl(ganesha_t)

+kernel_read_net_sysctls(ganesha_t)

+

+auth_use_nsswitch(ganesha_t)

+

+corenet_tcp_bind_nfs_port(ganesha_t)

+corenet_tcp_connect_generic_port(ganesha_t)

+corenet_tcp_connect_gluster_port(ganesha_t)

+corenet_udp_bind_dey_keyneg_port(ganesha_t)

+corenet_tcp_bind_dey_keyneg_port(ganesha_t)

+corenet_udp_bind_nfs_port(ganesha_t)

+corenet_udp_bind_all_rpc_ports(ganesha_t)

+corenet_tcp_bind_all_rpc_ports(ganesha_t)

+corenet_tcp_bind_mountd_port(ganesha_t)

+corenet_udp_bind_mountd_port(ganesha_t)

+corenet_tcp_connect_virt_migration_port(ganesha_t)

+corenet_tcp_connect_all_rpc_ports(ganesha_t)

+

+dev_rw_infiniband_dev(ganesha_t)

+dev_read_gpfs(ganesha_t)

+dev_read_rand(ganesha_t)

+

+logging_send_syslog_msg(ganesha_t)

+

+sysnet_dns_name_resolve(ganesha_t)

+

+optional_policy(`

+	dbus_system_bus_client(ganesha_t)

+	dbus_connect_system_bus(ganesha_t)

+    unconfined_dbus_chat(ganesha_t)

+')

+

+optional_policy(`

+    glusterd_read_conf(ganesha_t)

+    glusterd_read_lib_files(ganesha_t)

+    glusterd_manage_pid(ganesha_t)

+')

+

+optional_policy(`

+    kerberos_read_keytab(ganesha_t)

+')

+

+optional_policy(`

+	rpc_manage_nfs_state_data_dir(ganesha_t)

+    rpc_read_nfs_state_data(ganesha_t)

+	rpcbind_stream_connect(ganesha_t)

+')

+

+tunable_policy(`ganesha_use_fusefs',`

+    fs_manage_fusefs_dirs(ganesha_t)

+    fs_manage_fusefs_files(ganesha_t)

+    fs_read_fusefs_symlinks(ganesha_t)

+    fs_getattr_fusefs(ganesha_t)

+')

diff --git a/glusterd.fc b/glusterd.fc

index e42e81f5f..9806f50ae 100644

--- a/glusterd.fc

+++ b/glusterd.fc

@@ -23,8 +23,3 @@

 /var/run/glusterd(/.*)?	gen_context(system_u:object_r:glusterd_var_run_t,s0)

 /var/run/glusterd.*	--	gen_context(system_u:object_r:glusterd_var_run_t,s0)

 /var/run/glusterd.*	-s	gen_context(system_u:object_r:glusterd_var_run_t,s0)

-

-/var/log/ganesha(/.*)?      gen_context(system_u:object_r:glusterd_log_t,s0)

-/var/log/ganesha.log	--	gen_context(system_u:object_r:glusterd_log_t,s0)

-/var/log/ganesha-gfapi.log	--	gen_context(system_u:object_r:glusterd_log_t,s0)

-

diff --git a/glusterd.if b/glusterd.if

index a62e355ac..291191f17 100644

--- a/glusterd.if

+++ b/glusterd.if

@@ -135,7 +135,6 @@ interface(`glusterd_manage_log',`

 	manage_dirs_pattern($1, glusterd_log_t, glusterd_log_t)

 	manage_files_pattern($1, glusterd_log_t, glusterd_log_t)

 	manage_lnk_files_pattern($1, glusterd_log_t, glusterd_log_t)

-    logging_log_named_filetrans($1, glusterd_log_t, file, "ganesha.log")

 ')

 ######################################

diff --git a/glusterd.te b/glusterd.te

index 7804cbaf4..2bcedd014 100644

--- a/glusterd.te

+++ b/glusterd.te

@@ -64,8 +64,6 @@ files_type(glusterd_var_lib_t)

 type glusterd_brick_t;

 files_type(glusterd_brick_t)

-typealias glusterd_log_t alias ganesha_var_log_t;

-

 ########################################

 #

 # Local policy

@@ -270,6 +268,11 @@ optional_policy(`

     ')

 ')

+optional_policy(`

+    ganesha_systemctl(glusterd_t)

+    ganesha_dbus_chat(glusterd_t)

+')

+

 optional_policy(`

     hostname_exec(glusterd_t)

 ')

@@ -310,8 +313,8 @@ optional_policy(`

 optional_policy(`

     rpc_systemctl_nfsd(glusterd_t)

     rpc_systemctl_rpcd(glusterd_t)

+

     rpc_domtrans_nfsd(glusterd_t)

-    rpc_dbus_chat_nfsd(glusterd_t)

     rpc_domtrans_rpcd(glusterd_t)

     rpc_manage_nfs_state_data(glusterd_t)

 	rpc_manage_nfs_state_data_dir(glusterd_t)

diff --git a/nova.te b/nova.te

index 2259a5192..af8dd5527 100644

--- a/nova.te

+++ b/nova.te

@@ -124,6 +124,7 @@ corenet_sendrecv_dns_server_packets(nova_domain)

 corenet_sendrecv_dhcpd_server_packets(nova_domain)

 auth_use_nsswitch(nova_t)

+auth_use_pam(nova_t)

 auth_read_passwd(nova_domain)

 dev_read_sysfs(nova_domain)

@@ -132,7 +133,7 @@ dev_read_rand(nova_domain)

 fs_getattr_all_fs(nova_domain)

-init_read_utmp(nova_domain)

+init_rw_utmp(nova_domain)

 libs_exec_ldconfig(nova_domain)

diff --git a/rhcs.te b/rhcs.te

index 0e8b031bb..c029ccd71 100644

--- a/rhcs.te

+++ b/rhcs.te

@@ -265,7 +265,7 @@ optional_policy(`

 ')

 optional_policy(`

-    rpc_dbus_chat_nfsd(cluster_t)

+    ganesha_dbus_chat(cluster_t)

 ')

 optional_policy(`

diff --git a/rpc.fc b/rpc.fc

index b08ec8d2d..38a2f0911 100644

--- a/rpc.fc

+++ b/rpc.fc

@@ -1,5 +1,3 @@

-

-

 #

 # /etc

 #

@@ -11,10 +9,6 @@

 /usr/lib/systemd/system/nfs.* 		--	gen_context(system_u:object_r:nfsd_unit_file_t,s0)

 /usr/lib/systemd/system/rpc.* 		--	gen_context(system_u:object_r:rpcd_unit_file_t,s0)

-/usr/lib/systemd/system/nfs-ganesha-config.*		--	gen_context(system_u:object_r:nfsd_unit_file_t,s0)

-/usr/lib/systemd/system/nfs-ganesha-lock.*		--	gen_context(system_u:object_r:nfsd_unit_file_t,s0)

-/usr/lib/systemd/system/nfs-ganesha.*e		--	gen_context(system_u:object_r:nfsd_unit_file_t,s0)

-

 #

 # /sbin

 #

@@ -33,15 +27,12 @@

 /usr/sbin/rpc\.svcgssd	--	gen_context(system_u:object_r:gssd_exec_t,s0)

 /usr/sbin/sm-notify	--	gen_context(system_u:object_r:rpcd_exec_t,s0)

-/usr/bin/ganesha\.nfsd		--	gen_context(system_u:object_r:nfsd_exec_t,s0)

-

 #

 # /var

 #

 /var/lib/nfs(/.*)?		gen_context(system_u:object_r:var_lib_nfs_t,s0)

 /var/run/sm-notify.*		gen_context(system_u:object_r:rpcd_var_run_t,s0)

-/var/run/ganesha.*		gen_context(system_u:object_r:rpcd_var_run_t,s0)

 /var/run/rpc\.statd(/.*)?	gen_context(system_u:object_r:rpcd_var_run_t,s0)

 /var/run/rpc\.statd\.pid --	gen_context(system_u:object_r:rpcd_var_run_t,s0)

diff --git a/rpc.if b/rpc.if

index 2ee527f2a..79a2a9c48 100644

--- a/rpc.if

+++ b/rpc.if

@@ -530,24 +530,3 @@ interface(`rpc_gssd_noatsecure',`

     allow $1 gssd_t:process { noatsecure rlimitinh };

 ')

-

-########################################

-## <summary>

-##	Send and receive messages from

-##	ganesha over dbus.

-## </summary>

-## <param name="domain">

-##	<summary>

-##	Domain allowed access.

-##	</summary>

-## </param>

-#

-interface(`rpc_dbus_chat_nfsd',`

-	gen_require(`

-		type nfsd_t;

-		class dbus send_msg;

-	')

-

-	allow $1 nfsd_t:dbus send_msg;

-	allow nfsd_t $1:dbus send_msg;

-')

diff --git a/rpc.te b/rpc.te

index f4df4fda2..b9665f773 100644

--- a/rpc.te

+++ b/rpc.te

@@ -65,13 +65,6 @@ systemd_unit_file(nfsd_unit_file_t)

 type var_lib_nfs_t;

 files_mountpoint(var_lib_nfs_t)

-type nfsd_tmp_t;

-files_tmp_file(nfsd_tmp_t)

-

-typealias nfsd_t alias ganesha_t;

-typealias nfsd_exec_t alias ganesha_exec_t;

-typealias nfsd_unit_file_t alias ganesha_unit_file_t;

-

 ########################################

 #

 # Common rpc domain local policy

@@ -234,17 +227,8 @@ optional_policy(`

 allow nfsd_t self:capability { dac_read_search dac_override sys_admin sys_rawio sys_resource };

-allow nfsd_t self:process { setcap };

-

 allow nfsd_t exports_t:file read_file_perms;

-manage_dirs_pattern(nfsd_t, nfsd_tmp_t, nfsd_tmp_t)

-manage_files_pattern(nfsd_t, nfsd_tmp_t, nfsd_tmp_t)

-files_tmp_filetrans(nfsd_t, nfsd_tmp_t, { file dir })

-

-manage_files_pattern(nfsd_t, rpcd_var_run_t, rpcd_var_run_t)

-files_pid_filetrans(nfsd_t, rpcd_var_run_t, { file })

-

 # for /proc/fs/nfs/exports - should we have a new type?

 kernel_read_system_state(nfsd_t)

 kernel_read_network_state(nfsd_t)

@@ -318,16 +302,6 @@ tunable_policy(`nfs_export_all_ro',`

 	files_read_non_security_files(nfsd_t)

 ')

-optional_policy(`

-    glusterd_manage_log(nfsd_t)

-    glusterd_manage_pid(nfsd_t)

-')

-

-optional_policy(`

-    dbus_system_bus_client(nfsd_t)

-    dbus_acquire_svc_system_dbusd(nfsd_t)

-')

-

 optional_policy(`

 	mount_exec(nfsd_t)

 	mount_manage_pid_files(nfsd_t)

@@ -357,6 +331,8 @@ kernel_signal(gssd_t)

 corecmd_exec_bin(gssd_t)

+domain_manage_all_domains_keyrings(gssd_t)

+

 fs_list_rpc(gssd_t)

 fs_rw_rpc_sockets(gssd_t)

 fs_read_rpc_files(gssd_t)

diff --git a/rpm.te b/rpm.te

index 7394a0dfc..4402cbe09 100644

--- a/rpm.te

+++ b/rpm.te

@@ -34,6 +34,7 @@ logging_log_file(rpm_log_t)

 type rpm_var_lib_t;

 files_type(rpm_var_lib_t)

+files_mountpoint(rpm_var_lib_t)

 typealias rpm_var_lib_t alias var_lib_rpm_t;

 type rpm_var_cache_t;

diff --git a/snapper.fc b/snapper.fc

index 4f4bdb397..0a43846a8 100644

--- a/snapper.fc

+++ b/snapper.fc

@@ -7,6 +7,7 @@

 /mnt/(.*/)?\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)

 /\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)

+

 /usr/\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)

 /var/\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)

 /etc/\.snapshots(/.*)?   gen_context(system_u:object_r:snapperd_data_t,s0)

diff --git a/snapper.te b/snapper.te

index 8c9e4a200..5be6d3542 100644

--- a/snapper.te

+++ b/snapper.te

@@ -22,7 +22,7 @@ files_type(snapperd_data_t)

 #

 # snapperd local policy

 #

-allow snapperd_t self:capability { dac_read_search fowner sys_admin };

+allow snapperd_t self:capability { dac_read_search dac_override fowner sys_admin };

 allow snapperd_t self:process setsched;

 allow snapperd_t self:fifo_file rw_fifo_file_perms;

@@ -57,6 +57,8 @@ files_read_all_files(snapperd_t)

 files_read_all_symlinks(snapperd_t)

 files_list_all(snapperd_t)

 files_manage_isid_type_dirs(snapperd_t)

+files_manage_non_security_dirs(snapperd_t)

+files_relabel_non_security_files(snapperd_t)

 fs_getattr_all_fs(snapperd_t)

 fs_mount_xattr_fs(snapperd_t)

diff --git a/sysstat.te b/sysstat.te

index a2690e315..efb2f855c 100644

--- a/sysstat.te

+++ b/sysstat.te

@@ -44,6 +44,7 @@ dev_read_urand(sysstat_t)

 files_search_var(sysstat_t)

 files_read_etc_runtime_files(sysstat_t)

+files_search_all_mountpoints(sysstat_t)

 fs_getattr_all_fs(sysstat_t)

 fs_list_inotifyfs(sysstat_t)