From 04ed479779165e56d1dfe6e69c8d6b05a8910a7c Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Jun 09 2016 14:45:01 +0000
Subject: * Thu Jun 08 2016 Lukas Vrabec 3.13.1-195
- Add hwloc-dump-hwdata SELinux policy
- Add labels for mediawiki123
- Fix label for all fence_scsi_check scripts
- Allow setcap for fenced
- Allow glusterd domain to read krb5_keytab_t files.
- Allow tmpreaper_t to read/setattr all non_security_file_type dirs
- Update refpolicy to handle hwloc
- Fix typo in files_setattr_non_security_dirs.
- Add interface files_setattr_non_security_dirs()
---
diff --git a/docker-selinux.tgz b/docker-selinux.tgz
index 35c2662..251805a 100644
Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 1593fb5..337540a 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -11023,7 +11023,7 @@ index b876c48..03f9342 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..f0133ab 100644
+index f962f76..917b5b2 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -11279,7 +11279,32 @@ index f962f76..f0133ab 100644
allow $1 non_security_file_type:file mounton;
')
-@@ -582,6 +748,42 @@ interface(`files_getattr_all_files',`
+@@ -545,6 +711,24 @@ interface(`files_write_non_security_dirs',`
+
+ ########################################
+ ##
++## Allow attempts to setattr any directory
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_setattr_non_security_dirs',`
++ gen_require(`
++ attribute non_security_file_type;
++ ')
++
++ allow $1 non_security_file_type:dir { read setattr };
++')
++
++########################################
++##
+ ## Allow attempts to manage non-security directories
+ ##
+ ##
+@@ -582,6 +766,42 @@ interface(`files_getattr_all_files',`
########################################
##
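Review bot: The summary on the new interface, `## Allow attempts to setattr any directory`, understates and mislabels what the rule grants: `allow $1 non_security_file_type:dir { read setattr };` also gives directory `read` (listing), and only on non_security_file_type, not on any directory. A policy author picking this interface by its name and summary would not expect to hand the caller listing access to every non-security directory. Suggest `## Allow attempts to read and setattr non-security directories` so the documentation matches the rule, or move `read` into a separate interface if callers other than tmpreaper_t do not need it. The changelog entry "Allow tmpreaper_t to read/setattr all non_security_file_type dirs" suggests the read permission is intentional for that caller, so this may be a documentation fix only.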
@@ -11322,7 +11347,7 @@ index f962f76..f0133ab 100644
## Do not audit attempts to get the attributes
## of all files.
##
-@@ -620,6 +822,63 @@ interface(`files_dontaudit_getattr_non_security_files',`
+@@ -620,6 +840,63 @@ interface(`files_dontaudit_getattr_non_security_files',`
########################################
##
@@ -11386,7 +11411,7 @@ index f962f76..f0133ab 100644
## Read all files.
##
##
-@@ -683,88 +942,83 @@ interface(`files_read_non_security_files',`
+@@ -683,88 +960,83 @@ interface(`files_read_non_security_files',`
attribute non_security_file_type;
')
@@ -11504,7 +11529,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -772,55 +1026,173 @@ interface(`files_read_all_symlinks_except',`
+@@ -772,40 +1044,158 @@ interface(`files_read_all_symlinks_except',`
##
##
#
@@ -11566,23 +11591,19 @@ index f962f76..f0133ab 100644
+##
+## The types to be excluded. Each type or attribute
+## must be negated by the caller.
- ##
- ##
- #
--interface(`files_dontaudit_read_all_symlinks',`
++##
++##
++#
+interface(`files_read_all_dirs_except',`
- gen_require(`
- attribute file_type;
- ')
-
-- dontaudit $1 file_type:lnk_file read;
++ gen_require(`
++ attribute file_type;
++ ')
++
+ allow $1 { file_type $2 }:dir list_dir_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to get the attributes
--## of non security symbolic links.
++')
++
++########################################
++##
+## Read all files on the filesystem, except
+## the listed exceptions.
+##
@@ -11675,25 +11696,10 @@ index f962f76..f0133ab 100644
+##
+##
+## Domain to not audit.
-+##
-+##
-+#
-+interface(`files_dontaudit_read_all_symlinks',`
-+ gen_require(`
-+ attribute file_type;
-+ ')
-+
-+ dontaudit $1 file_type:lnk_file read;
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to get the attributes
-+## of non security symbolic links.
- ##
- ##
- ##
-@@ -953,6 +1325,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
+ ##
+ ##
+ #
+@@ -953,6 +1343,25 @@ interface(`files_dontaudit_getattr_non_security_pipes',`
########################################
##
@@ -11719,7 +11725,7 @@ index f962f76..f0133ab 100644
## Get the attributes of all named sockets.
##
##
-@@ -991,6 +1382,44 @@ interface(`files_dontaudit_getattr_all_sockets',`
+@@ -991,6 +1400,44 @@ interface(`files_dontaudit_getattr_all_sockets',`
########################################
##
@@ -11764,7 +11770,7 @@ index f962f76..f0133ab 100644
## Do not audit attempts to get the attributes
## of non security named sockets.
##
-@@ -1073,13 +1502,12 @@ interface(`files_relabel_all_files',`
+@@ -1073,13 +1520,12 @@ interface(`files_relabel_all_files',`
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -11781,7 +11787,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -1140,6 +1568,8 @@ interface(`files_manage_all_files',`
+@@ -1140,6 +1586,8 @@ interface(`files_manage_all_files',`
# satisfy the assertions:
seutil_create_bin_policy($1)
files_manage_kernel_modules($1)
@@ -11790,7 +11796,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -1182,24 +1612,6 @@ interface(`files_list_all',`
+@@ -1182,24 +1630,6 @@ interface(`files_list_all',`
########################################
##
@@ -11815,7 +11821,7 @@ index f962f76..f0133ab 100644
## Do not audit attempts to search the
## contents of any directories on extended
## attribute filesystems.
-@@ -1444,8 +1856,8 @@ interface(`files_relabel_non_auth_files',`
+@@ -1444,8 +1874,8 @@ interface(`files_relabel_non_auth_files',`
relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type)
relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)
@@ -11826,7 +11832,7 @@ index f962f76..f0133ab 100644
')
#############################################
-@@ -1601,6 +2013,24 @@ interface(`files_setattr_all_mountpoints',`
+@@ -1601,6 +2031,24 @@ interface(`files_setattr_all_mountpoints',`
########################################
##
@@ -11851,7 +11857,7 @@ index f962f76..f0133ab 100644
## Do not audit attempts to set the attributes on all mount points.
##
##
-@@ -1691,44 +2121,44 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1691,44 +2139,44 @@ interface(`files_dontaudit_list_all_mountpoints',`
########################################
##
@@ -11910,7 +11916,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -1736,94 +2166,223 @@ interface(`files_list_root',`
+@@ -1736,79 +2184,208 @@ interface(`files_list_root',`
##
##
#
@@ -12004,24 +12010,19 @@ index f962f76..f0133ab 100644
#
-interface(`files_dontaudit_read_root_files',`
+interface(`files_write_all_dirs',`
- gen_require(`
-- type root_t;
++ gen_require(`
+ attribute file_type;
- ')
-
-- dontaudit $1 root_t:file { getattr read };
++ ')
++
+ allow $1 file_type:dir write;
- ')
-
- ########################################
- ##
--## Do not audit attempts to read or write
--## files in the root directory.
++')
++
++########################################
++##
+## List the contents of the root directory.
- ##
- ##
- ##
--## Domain to not audit.
++##
++##
++##
+## Domain allowed access.
+##
+##
@@ -12155,25 +12156,10 @@ index f962f76..f0133ab 100644
+##
+#
+interface(`files_dontaudit_read_root_files',`
-+ gen_require(`
-+ type root_t;
-+ ')
-+
-+ dontaudit $1 root_t:file { getattr read };
-+')
-+
-+########################################
-+##
-+## Do not audit attempts to read or write
-+## files in the root directory.
-+##
-+##
-+##
-+## Domain to not audit.
- ##
- ##
- #
-@@ -1892,25 +2451,25 @@ interface(`files_delete_root_dir_entry',`
+ gen_require(`
+ type root_t;
+ ')
+@@ -1892,25 +2469,25 @@ interface(`files_delete_root_dir_entry',`
########################################
##
@@ -12205,7 +12191,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -1923,7 +2482,7 @@ interface(`files_relabel_rootfs',`
+@@ -1923,7 +2500,7 @@ interface(`files_relabel_rootfs',`
type root_t;
')
@@ -12214,7 +12200,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -1946,6 +2505,42 @@ interface(`files_unmount_rootfs',`
+@@ -1946,6 +2523,42 @@ interface(`files_unmount_rootfs',`
########################################
##
@@ -12257,7 +12243,7 @@ index f962f76..f0133ab 100644
## Get attributes of the /boot directory.
##
##
-@@ -2181,6 +2776,24 @@ interface(`files_relabelfrom_boot_files',`
+@@ -2181,6 +2794,24 @@ interface(`files_relabelfrom_boot_files',`
relabelfrom_files_pattern($1, boot_t, boot_t)
')
@@ -12282,7 +12268,7 @@ index f962f76..f0133ab 100644
######################################
##
## Read symbolic links in the /boot directory.
-@@ -2645,6 +3258,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2645,6 +3276,24 @@ interface(`files_rw_etc_dirs',`
allow $1 etc_t:dir rw_dir_perms;
')
@@ -12307,7 +12293,7 @@ index f962f76..f0133ab 100644
##########################################
##
## Manage generic directories in /etc
-@@ -2716,6 +3347,7 @@ interface(`files_read_etc_files',`
+@@ -2716,6 +3365,7 @@ interface(`files_read_etc_files',`
allow $1 etc_t:dir list_dir_perms;
read_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
@@ -12315,7 +12301,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -2724,7 +3356,7 @@ interface(`files_read_etc_files',`
+@@ -2724,7 +3374,7 @@ interface(`files_read_etc_files',`
##
##
##
@@ -12324,7 +12310,7 @@ index f962f76..f0133ab 100644
##
##
#
-@@ -2780,6 +3412,25 @@ interface(`files_manage_etc_files',`
+@@ -2780,6 +3430,25 @@ interface(`files_manage_etc_files',`
########################################
##
@@ -12350,7 +12336,7 @@ index f962f76..f0133ab 100644
## Delete system configuration files in /etc.
##
##
-@@ -2798,6 +3449,24 @@ interface(`files_delete_etc_files',`
+@@ -2798,6 +3467,24 @@ interface(`files_delete_etc_files',`
########################################
##
@@ -12375,7 +12361,7 @@ index f962f76..f0133ab 100644
## Execute generic files in /etc.
##
##
-@@ -2963,24 +3632,6 @@ interface(`files_delete_boot_flag',`
+@@ -2963,24 +3650,6 @@ interface(`files_delete_boot_flag',`
########################################
##
@@ -12400,7 +12386,7 @@ index f962f76..f0133ab 100644
## Read files in /etc that are dynamically
## created on boot, such as mtab.
##
-@@ -3021,9 +3672,7 @@ interface(`files_read_etc_runtime_files',`
+@@ -3021,9 +3690,7 @@ interface(`files_read_etc_runtime_files',`
########################################
##
@@ -12411,7 +12397,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -3031,18 +3680,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3031,18 +3698,17 @@ interface(`files_read_etc_runtime_files',`
##
##
#
@@ -12433,7 +12419,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -3060,6 +3708,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3060,6 +3726,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
########################################
##
@@ -12460,7 +12446,7 @@ index f962f76..f0133ab 100644
## Read and write files in /etc that are dynamically
## created on boot, such as mtab.
##
-@@ -3077,6 +3745,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -3077,6 +3763,7 @@ interface(`files_rw_etc_runtime_files',`
allow $1 etc_t:dir list_dir_perms;
rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -12468,7 +12454,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3098,6 +3767,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3098,6 +3785,7 @@ interface(`files_manage_etc_runtime_files',`
')
manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -12476,7 +12462,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3142,10 +3812,48 @@ interface(`files_etc_filetrans_etc_runtime',`
+@@ -3142,10 +3830,48 @@ interface(`files_etc_filetrans_etc_runtime',`
#
interface(`files_getattr_isid_type_dirs',`
gen_require(`
@@ -12527,7 +12513,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3161,10 +3869,10 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3161,10 +3887,10 @@ interface(`files_getattr_isid_type_dirs',`
#
interface(`files_dontaudit_search_isid_type_dirs',`
gen_require(`
@@ -12540,7 +12526,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3180,10 +3888,10 @@ interface(`files_dontaudit_search_isid_type_dirs',`
+@@ -3180,10 +3906,10 @@ interface(`files_dontaudit_search_isid_type_dirs',`
#
interface(`files_list_isid_type_dirs',`
gen_require(`
@@ -12553,7 +12539,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3199,10 +3907,10 @@ interface(`files_list_isid_type_dirs',`
+@@ -3199,10 +3925,10 @@ interface(`files_list_isid_type_dirs',`
#
interface(`files_rw_isid_type_dirs',`
gen_require(`
@@ -12566,7 +12552,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3218,10 +3926,66 @@ interface(`files_rw_isid_type_dirs',`
+@@ -3218,10 +3944,66 @@ interface(`files_rw_isid_type_dirs',`
#
interface(`files_delete_isid_type_dirs',`
gen_require(`
@@ -12635,7 +12621,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3237,10 +4001,10 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3237,10 +4019,10 @@ interface(`files_delete_isid_type_dirs',`
#
interface(`files_manage_isid_type_dirs',`
gen_require(`
@@ -12648,7 +12634,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3256,10 +4020,29 @@ interface(`files_manage_isid_type_dirs',`
+@@ -3256,10 +4038,29 @@ interface(`files_manage_isid_type_dirs',`
#
interface(`files_mounton_isid_type_dirs',`
gen_require(`
@@ -12680,7 +12666,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3275,10 +4058,10 @@ interface(`files_mounton_isid_type_dirs',`
+@@ -3275,10 +4076,10 @@ interface(`files_mounton_isid_type_dirs',`
#
interface(`files_read_isid_type_files',`
gen_require(`
@@ -12693,7 +12679,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3294,10 +4077,10 @@ interface(`files_read_isid_type_files',`
+@@ -3294,10 +4095,10 @@ interface(`files_read_isid_type_files',`
#
interface(`files_delete_isid_type_files',`
gen_require(`
@@ -12706,7 +12692,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3313,10 +4096,10 @@ interface(`files_delete_isid_type_files',`
+@@ -3313,10 +4114,10 @@ interface(`files_delete_isid_type_files',`
#
interface(`files_delete_isid_type_symlinks',`
gen_require(`
@@ -12719,7 +12705,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3332,10 +4115,10 @@ interface(`files_delete_isid_type_symlinks',`
+@@ -3332,10 +4133,10 @@ interface(`files_delete_isid_type_symlinks',`
#
interface(`files_delete_isid_type_fifo_files',`
gen_require(`
@@ -12732,7 +12718,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3351,10 +4134,10 @@ interface(`files_delete_isid_type_fifo_files',`
+@@ -3351,10 +4152,10 @@ interface(`files_delete_isid_type_fifo_files',`
#
interface(`files_delete_isid_type_sock_files',`
gen_require(`
@@ -12745,7 +12731,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3370,10 +4153,10 @@ interface(`files_delete_isid_type_sock_files',`
+@@ -3370,10 +4171,10 @@ interface(`files_delete_isid_type_sock_files',`
#
interface(`files_delete_isid_type_blk_files',`
gen_require(`
@@ -12758,7 +12744,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3389,10 +4172,10 @@ interface(`files_delete_isid_type_blk_files',`
+@@ -3389,10 +4190,10 @@ interface(`files_delete_isid_type_blk_files',`
#
interface(`files_dontaudit_write_isid_chr_files',`
gen_require(`
@@ -12771,7 +12757,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3408,10 +4191,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
+@@ -3408,10 +4209,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
#
interface(`files_delete_isid_type_chr_files',`
gen_require(`
@@ -12784,7 +12770,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3427,10 +4210,10 @@ interface(`files_delete_isid_type_chr_files',`
+@@ -3427,10 +4228,10 @@ interface(`files_delete_isid_type_chr_files',`
#
interface(`files_manage_isid_type_files',`
gen_require(`
@@ -12797,7 +12783,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3446,10 +4229,10 @@ interface(`files_manage_isid_type_files',`
+@@ -3446,10 +4247,10 @@ interface(`files_manage_isid_type_files',`
#
interface(`files_manage_isid_type_symlinks',`
gen_require(`
@@ -12810,7 +12796,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3465,10 +4248,29 @@ interface(`files_manage_isid_type_symlinks',`
+@@ -3465,10 +4266,29 @@ interface(`files_manage_isid_type_symlinks',`
#
interface(`files_rw_isid_type_blk_files',`
gen_require(`
@@ -12842,7 +12828,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3484,10 +4286,10 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3484,10 +4304,10 @@ interface(`files_rw_isid_type_blk_files',`
#
interface(`files_manage_isid_type_blk_files',`
gen_require(`
@@ -12855,7 +12841,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3503,10 +4305,10 @@ interface(`files_manage_isid_type_blk_files',`
+@@ -3503,10 +4323,10 @@ interface(`files_manage_isid_type_blk_files',`
#
interface(`files_manage_isid_type_chr_files',`
gen_require(`
@@ -12868,7 +12854,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -3552,6 +4354,27 @@ interface(`files_dontaudit_getattr_home_dir',`
+@@ -3552,6 +4372,27 @@ interface(`files_dontaudit_getattr_home_dir',`
########################################
##
@@ -12896,7 +12882,7 @@ index f962f76..f0133ab 100644
## Search home directories root (/home).
##
##
-@@ -3814,20 +4637,38 @@ interface(`files_list_mnt',`
+@@ -3814,20 +4655,38 @@ interface(`files_list_mnt',`
######################################
##
@@ -12940,7 +12926,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -4012,6 +4853,12 @@ interface(`files_read_kernel_modules',`
+@@ -4012,6 +4871,12 @@ interface(`files_read_kernel_modules',`
allow $1 modules_object_t:dir list_dir_perms;
read_files_pattern($1, modules_object_t, modules_object_t)
read_lnk_files_pattern($1, modules_object_t, modules_object_t)
@@ -12953,7 +12939,7 @@ index f962f76..f0133ab 100644
')
########################################
-@@ -4217,192 +5064,218 @@ interface(`files_read_world_readable_sockets',`
+@@ -4217,192 +5082,218 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -13213,12 +13199,11 @@ index f962f76..f0133ab 100644
########################################
##
-## Read files in the tmp directory (/tmp).
--##
--##
+## Allow the specified type to associate
+## to a filesystem with the type of the
+## temporary directory (/tmp).
-+##
+ ##
+-##
+##
##
-## Domain allowed access.
@@ -13269,7 +13254,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -4410,53 +5283,56 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4410,53 +5301,56 @@ interface(`files_manage_generic_tmp_dirs',`
##
##
#
@@ -13338,7 +13323,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -4464,77 +5340,93 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4464,77 +5358,93 @@ interface(`files_rw_generic_tmp_sockets',`
##
##
#
@@ -13456,7 +13441,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -4542,110 +5434,116 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
+@@ -4542,110 +5452,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
##
##
#
@@ -13573,40 +13558,25 @@ index f962f76..f0133ab 100644
-##
-##
-##
-+#
-+interface(`files_manage_generic_tmp_files',`
-+ gen_require(`
-+ type tmp_t;
-+ ')
-+
-+ manage_files_pattern($1, tmp_t, tmp_t)
-+')
-+
-+########################################
-+##
-+## Read symbolic links in the tmp directory (/tmp).
-+##
-+##
- ##
+-##
-## The name of the object being created.
-+## Domain allowed access.
- ##
- ##
+-##
+-##
#
-interface(`files_tmp_filetrans',`
-+interface(`files_read_generic_tmp_symlinks',`
++interface(`files_manage_generic_tmp_files',`
gen_require(`
type tmp_t;
')
- filetrans_pattern($1, tmp_t, $2, $3, $4)
-+ read_lnk_files_pattern($1, tmp_t, tmp_t)
++ manage_files_pattern($1, tmp_t, tmp_t)
')
########################################
##
-## Delete the contents of /tmp.
-+## Read and write generic named sockets in the tmp directory (/tmp).
++## Read symbolic links in the tmp directory (/tmp).
##
##
##
@@ -13615,7 +13585,7 @@ index f962f76..f0133ab 100644
##
#
-interface(`files_purge_tmp',`
-+interface(`files_rw_generic_tmp_sockets',`
++interface(`files_read_generic_tmp_symlinks',`
gen_require(`
- attribute tmpfile;
+ type tmp_t;
@@ -13627,13 +13597,13 @@ index f962f76..f0133ab 100644
- delete_lnk_files_pattern($1, tmpfile, tmpfile)
- delete_fifo_files_pattern($1, tmpfile, tmpfile)
- delete_sock_files_pattern($1, tmpfile, tmpfile)
-+ rw_sock_files_pattern($1, tmp_t, tmp_t)
++ read_lnk_files_pattern($1, tmp_t, tmp_t)
')
########################################
##
-## Set the attributes of the /usr directory.
-+## Relabel a dir from the type used in /tmp.
++## Read and write generic named sockets in the tmp directory (/tmp).
##
##
##
@@ -13642,20 +13612,20 @@ index f962f76..f0133ab 100644
##
#
-interface(`files_setattr_usr_dirs',`
-+interface(`files_relabelfrom_tmp_dirs',`
++interface(`files_rw_generic_tmp_sockets',`
gen_require(`
- type usr_t;
+ type tmp_t;
')
- allow $1 usr_t:dir setattr;
-+ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
++ rw_sock_files_pattern($1, tmp_t, tmp_t)
')
########################################
##
-## Search the content of /usr.
-+## Relabel a file from the type used in /tmp.
++## Relabel a dir from the type used in /tmp.
##
##
##
@@ -13664,21 +13634,21 @@ index f962f76..f0133ab 100644
##
#
-interface(`files_search_usr',`
-+interface(`files_relabelfrom_tmp_files',`
++interface(`files_relabelfrom_tmp_dirs',`
gen_require(`
- type usr_t;
+ type tmp_t;
')
- allow $1 usr_t:dir search_dir_perms;
-+ relabelfrom_files_pattern($1, tmp_t, tmp_t)
++ relabelfrom_dirs_pattern($1, tmp_t, tmp_t)
')
########################################
##
-## List the contents of generic
-## directories in /usr.
-+## Set the attributes of all tmp directories.
++## Relabel a file from the type used in /tmp.
##
##
##
@@ -13687,20 +13657,20 @@ index f962f76..f0133ab 100644
##
#
-interface(`files_list_usr',`
-+interface(`files_setattr_all_tmp_dirs',`
++interface(`files_relabelfrom_tmp_files',`
gen_require(`
- type usr_t;
-+ attribute tmpfile;
++ type tmp_t;
')
- allow $1 usr_t:dir list_dir_perms;
-+ allow $1 tmpfile:dir { search_dir_perms setattr };
++ relabelfrom_files_pattern($1, tmp_t, tmp_t)
')
########################################
##
-## Do not audit write of /usr dirs
-+## Allow caller to read inherited tmp files.
++## Set the attributes of all tmp directories.
##
##
##
@@ -13710,20 +13680,20 @@ index f962f76..f0133ab 100644
##
#
-interface(`files_dontaudit_write_usr_dirs',`
-+interface(`files_read_inherited_tmp_files',`
++interface(`files_setattr_all_tmp_dirs',`
gen_require(`
- type usr_t;
+ attribute tmpfile;
')
- dontaudit $1 usr_t:dir write;
-+ allow $1 tmpfile:file { append read_inherited_file_perms };
++ allow $1 tmpfile:dir { search_dir_perms setattr };
')
########################################
##
-## Add and remove entries from /usr directories.
-+## Allow caller to append inherited tmp files.
++## Allow caller to read inherited tmp files.
##
##
##
@@ -13732,21 +13702,21 @@ index f962f76..f0133ab 100644
##
#
-interface(`files_rw_usr_dirs',`
-+interface(`files_append_inherited_tmp_files',`
++interface(`files_read_inherited_tmp_files',`
gen_require(`
- type usr_t;
+ attribute tmpfile;
')
- allow $1 usr_t:dir rw_dir_perms;
-+ allow $1 tmpfile:file append_inherited_file_perms;
++ allow $1 tmpfile:file { append read_inherited_file_perms };
')
########################################
##
-## Do not audit attempts to add and remove
-## entries from /usr directories.
-+## Allow caller to read and write inherited tmp files.
++## Allow caller to append inherited tmp files.
##
##
##
@@ -13756,92 +13726,90 @@ index f962f76..f0133ab 100644
##
#
-interface(`files_dontaudit_rw_usr_dirs',`
-+interface(`files_rw_inherited_tmp_file',`
++interface(`files_append_inherited_tmp_files',`
gen_require(`
- type usr_t;
+ attribute tmpfile;
')
- dontaudit $1 usr_t:dir rw_dir_perms;
-+ allow $1 tmpfile:file rw_inherited_file_perms;
++ allow $1 tmpfile:file append_inherited_file_perms;
')
########################################
##
-## Delete generic directories in /usr in the caller domain.
-+## List all tmp directories.
++## Allow caller to read and write inherited tmp files.
##
##
##
-@@ -4786,111 +5677,100 @@ interface(`files_dontaudit_rw_usr_dirs',`
+@@ -4786,17 +5677,17 @@ interface(`files_dontaudit_rw_usr_dirs',`
##
##
#
-interface(`files_delete_usr_dirs',`
-+interface(`files_list_all_tmp',`
++interface(`files_rw_inherited_tmp_file',`
gen_require(`
- type usr_t;
+ attribute tmpfile;
')
- delete_dirs_pattern($1, usr_t, usr_t)
-+ allow $1 tmpfile:dir list_dir_perms;
++ allow $1 tmpfile:file rw_inherited_file_perms;
')
########################################
##
-## Delete generic files in /usr in the caller domain.
-+## Relabel to and from all temporary
-+## directory types.
++## List all tmp directories.
##
##
##
- ## Domain allowed access.
+@@ -4804,73 +5695,59 @@ interface(`files_delete_usr_dirs',`
##
##
-+##
#
-interface(`files_delete_usr_files',`
-+interface(`files_relabel_all_tmp_dirs',`
++interface(`files_list_all_tmp',`
gen_require(`
- type usr_t;
+ attribute tmpfile;
-+ type var_t;
')
- delete_files_pattern($1, usr_t, usr_t)
-+ allow $1 var_t:dir search_dir_perms;
-+ relabel_dirs_pattern($1, tmpfile, tmpfile)
++ allow $1 tmpfile:dir list_dir_perms;
')
########################################
##
-## Get the attributes of files in /usr.
-+## Do not audit attempts to get the attributes
-+## of all tmp files.
++## Relabel to and from all temporary
++## directory types.
##
##
##
--## Domain allowed access.
-+## Domain to not audit.
+ ## Domain allowed access.
##
##
++##
#
-interface(`files_getattr_usr_files',`
-+interface(`files_dontaudit_getattr_all_tmp_files',`
++interface(`files_relabel_all_tmp_dirs',`
gen_require(`
- type usr_t;
+ attribute tmpfile;
++ type var_t;
')
- getattr_files_pattern($1, usr_t, usr_t)
-+ dontaudit $1 tmpfile:file getattr;
++ allow $1 var_t:dir search_dir_perms;
++ relabel_dirs_pattern($1, tmpfile, tmpfile)
')
########################################
##
-## Read generic files in /usr.
-+## Allow attempts to get the attributes
++## Do not audit attempts to get the attributes
+## of all tmp files.
##
-##
@@ -13863,13 +13831,14 @@ index f962f76..f0133ab 100644
-##
##
##
- ## Domain allowed access.
+-## Domain allowed access.
++## Domain to not audit.
##
##
-##
#
-interface(`files_read_usr_files',`
-+interface(`files_getattr_all_tmp_files',`
++interface(`files_dontaudit_getattr_all_tmp_files',`
gen_require(`
- type usr_t;
+ attribute tmpfile;
@@ -13878,67 +13847,74 @@ index f962f76..f0133ab 100644
- allow $1 usr_t:dir list_dir_perms;
- read_files_pattern($1, usr_t, usr_t)
- read_lnk_files_pattern($1, usr_t, usr_t)
-+ allow $1 tmpfile:file getattr;
++ dontaudit $1 tmpfile:file getattr;
')
########################################
##
-## Execute generic programs in /usr in the caller domain.
-+## Relabel to and from all temporary
-+## file types.
++## Allow attempts to get the attributes
++## of all tmp files.
##
##
##
- ## Domain allowed access.
+@@ -4878,55 +5755,58 @@ interface(`files_read_usr_files',`
##
##
-+##
#
-interface(`files_exec_usr_files',`
-+interface(`files_relabel_all_tmp_files',`
++interface(`files_getattr_all_tmp_files',`
gen_require(`
- type usr_t;
+ attribute tmpfile;
-+ type var_t;
')
- allow $1 usr_t:dir list_dir_perms;
- exec_files_pattern($1, usr_t, usr_t)
- read_lnk_files_pattern($1, usr_t, usr_t)
-+ allow $1 var_t:dir search_dir_perms;
-+ relabel_files_pattern($1, tmpfile, tmpfile)
++ allow $1 tmpfile:file getattr;
')
########################################
##
-## dontaudit write of /usr files
-+## Do not audit attempts to get the attributes
-+## of all tmp sock_file.
++## Relabel to and from all temporary
++## file types.
##
##
##
-@@ -4898,35 +5778,17 @@ interface(`files_exec_usr_files',`
+-## Domain to not audit.
++## Domain allowed access.
##
##
++##
#
-interface(`files_dontaudit_write_usr_files',`
-- gen_require(`
++interface(`files_relabel_all_tmp_files',`
+ gen_require(`
- type usr_t;
-- ')
--
++ attribute tmpfile;
++ type var_t;
+ ')
+
- dontaudit $1 usr_t:file write;
--')
--
--########################################
--##
++ allow $1 var_t:dir search_dir_perms;
++ relabel_files_pattern($1, tmpfile, tmpfile)
+ ')
+
+ ########################################
+ ##
-## Create, read, write, and delete files in the /usr directory.
--##
--##
--##
++## Do not audit attempts to get the attributes
++## of all tmp sock_file.
+ ##
+ ##
+ ##
-## Domain allowed access.
--##
--##
--#
++## Domain to not audit.
+ ##
+ ##
+ #
-interface(`files_manage_usr_files',`
+interface(`files_dontaudit_getattr_all_tmp_sockets',`
gen_require(`
@@ -13957,7 +13933,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -4934,67 +5796,70 @@ interface(`files_manage_usr_files',`
+@@ -4934,67 +5814,70 @@ interface(`files_manage_usr_files',`
##
##
#
@@ -14046,7 +14022,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5003,35 +5868,50 @@ interface(`files_read_usr_symlinks',`
+@@ -5003,35 +5886,50 @@ interface(`files_read_usr_symlinks',`
##
##
#
@@ -14106,7 +14082,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5039,20 +5919,17 @@ interface(`files_dontaudit_search_src',`
+@@ -5039,20 +5937,17 @@ interface(`files_dontaudit_search_src',`
##
##
#
@@ -14131,7 +14107,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5060,20 +5937,18 @@ interface(`files_getattr_usr_src_files',`
+@@ -5060,20 +5955,18 @@ interface(`files_getattr_usr_src_files',`
##
##
#
@@ -14156,7 +14132,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5081,38 +5956,35 @@ interface(`files_read_usr_src_files',`
+@@ -5081,38 +5974,35 @@ interface(`files_read_usr_src_files',`
##
##
#
@@ -14204,7 +14180,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5120,37 +5992,36 @@ interface(`files_create_kernel_symbol_table',`
+@@ -5120,37 +6010,36 @@ interface(`files_create_kernel_symbol_table',`
##
##
#
@@ -14252,7 +14228,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5158,35 +6029,35 @@ interface(`files_delete_kernel_symbol_table',`
+@@ -5158,35 +6047,35 @@ interface(`files_delete_kernel_symbol_table',`
##
##
#
@@ -14297,7 +14273,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5194,36 +6065,55 @@ interface(`files_dontaudit_write_var_dirs',`
+@@ -5194,36 +6083,55 @@ interface(`files_dontaudit_write_var_dirs',`
##
##
#
@@ -14363,7 +14339,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5231,36 +6121,37 @@ interface(`files_dontaudit_search_var',`
+@@ -5231,36 +6139,37 @@ interface(`files_dontaudit_search_var',`
##
##
#
@@ -14411,7 +14387,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5268,17 +6159,17 @@ interface(`files_manage_var_dirs',`
+@@ -5268,17 +6177,17 @@ interface(`files_manage_var_dirs',`
##
##
#
@@ -14433,7 +14409,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5286,17 +6177,17 @@ interface(`files_read_var_files',`
+@@ -5286,17 +6195,17 @@ interface(`files_read_var_files',`
##
##
#
@@ -14455,7 +14431,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5304,73 +6195,86 @@ interface(`files_append_var_files',`
+@@ -5304,73 +6213,86 @@ interface(`files_append_var_files',`
##
##
#
@@ -14562,7 +14538,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5378,50 +6282,41 @@ interface(`files_read_var_symlinks',`
+@@ -5378,50 +6300,41 @@ interface(`files_read_var_symlinks',`
##
##
#
@@ -14627,7 +14603,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5429,69 +6324,56 @@ interface(`files_var_filetrans',`
+@@ -5429,69 +6342,56 @@ interface(`files_var_filetrans',`
##
##
#
@@ -14712,7 +14688,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5499,17 +6381,18 @@ interface(`files_dontaudit_search_var_lib',`
+@@ -5499,17 +6399,18 @@ interface(`files_dontaudit_search_var_lib',`
##
##
#
@@ -14736,7 +14712,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5517,70 +6400,54 @@ interface(`files_list_var_lib',`
+@@ -5517,70 +6418,54 @@ interface(`files_list_var_lib',`
##
##
#
@@ -14820,7 +14796,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5588,41 +6455,36 @@ interface(`files_read_var_lib_files',`
+@@ -5588,41 +6473,36 @@ interface(`files_read_var_lib_files',`
##
##
#
@@ -14872,7 +14848,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5630,36 +6492,36 @@ interface(`files_manage_urandom_seed',`
+@@ -5630,36 +6510,36 @@ interface(`files_manage_urandom_seed',`
##
##
#
@@ -14919,7 +14895,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5667,38 +6529,35 @@ interface(`files_setattr_lock_dirs',`
+@@ -5667,38 +6547,35 @@ interface(`files_setattr_lock_dirs',`
##
##
#
@@ -14967,7 +14943,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5706,19 +6565,17 @@ interface(`files_dontaudit_search_locks',`
+@@ -5706,19 +6583,17 @@ interface(`files_dontaudit_search_locks',`
##
##
#
@@ -14991,7 +14967,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5726,60 +6583,54 @@ interface(`files_list_locks',`
+@@ -5726,60 +6601,54 @@ interface(`files_list_locks',`
##
##
#
@@ -15067,7 +15043,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5787,20 +6638,18 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5787,20 +6656,18 @@ interface(`files_relabel_all_lock_dirs',`
##
##
#
@@ -15093,7 +15069,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5808,165 +6657,156 @@ interface(`files_getattr_generic_locks',`
+@@ -5808,165 +6675,156 @@ interface(`files_getattr_generic_locks',`
##
##
#
@@ -15321,7 +15297,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -5974,59 +6814,71 @@ interface(`files_dontaudit_getattr_pid_dirs',`
+@@ -5974,59 +6832,71 @@ interface(`files_dontaudit_getattr_pid_dirs',`
##
##
#
@@ -15412,7 +15388,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -6034,18 +6886,18 @@ interface(`files_dontaudit_search_pids',`
+@@ -6034,18 +6904,18 @@ interface(`files_dontaudit_search_pids',`
##
##
#
@@ -15436,47 +15412,58 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -6053,19 +6905,1228 @@ interface(`files_list_pids',`
+@@ -6053,19 +6923,21 @@ interface(`files_list_pids',`
##
##
#
-interface(`files_read_generic_pids',`
+interface(`files_manage_var_lib_symlinks',`
gen_require(`
+- type var_t, var_run_t;
+ type var_lib_t;
-+ ')
-+
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- list_dirs_pattern($1, var_t, var_run_t)
+- read_files_pattern($1, var_run_t, var_run_t)
+ manage_lnk_files_pattern($1,var_lib_t,var_lib_t)
-+')
-+
+ ')
+
+# cjp: the next two interfaces really need to be fixed
+# in some way. They really neeed their own types.
+
-+########################################
-+##
+ ########################################
+ ##
+-## Write named generic process ID pipes
+## Create, read, write, and delete the
+## pseudorandom number generator seed.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -6073,43 +6945,1377 @@ interface(`files_read_generic_pids',`
+ ##
+ ##
+ #
+-interface(`files_write_generic_pid_pipes',`
+interface(`files_manage_urandom_seed',`
-+ gen_require(`
+ gen_require(`
+- type var_run_t;
+ type var_t, var_lib_t;
-+ ')
-+
+ ')
+
+- allow $1 var_run_t:lnk_file read_lnk_file_perms;
+- allow $1 var_run_t:fifo_file write;
+ allow $1 var_t:dir search_dir_perms;
+ manage_files_pattern($1, var_lib_t, var_lib_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create an object in the process ID directory, with a private type.
+## Allow domain to manage mount tables
+## necessary for rpcd, nfsd, etc.
-+##
+ ##
+-##
+##
+##
+## Domain allowed access.
@@ -16489,12 +16476,9 @@ index f962f76..f0133ab 100644
+interface(`files_delete_all_pid_dirs',`
+ gen_require(`
+ attribute pidfile;
- type var_t, var_run_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- list_dirs_pattern($1, var_t, var_run_t)
-- read_files_pattern($1, var_run_t, var_run_t)
++ type var_t, var_run_t;
++ ')
++
+ files_search_pids($1)
+ allow $1 var_t:dir search_dir_perms;
+ delete_dirs_pattern($1, pidfile, pidfile)
@@ -16506,21 +16490,29 @@ index f962f76..f0133ab 100644
+## used for spool files.
+##
+##
-+##
+ ##
+-## Create an object in the process ID directory (e.g., /var/run)
+-## with a private type. Typically this is used for creating
+-## private PID files in /var/run with the private type instead
+-## of the general PID file type. To accomplish this goal,
+-## either the program must be SELinux-aware, or use this interface.
+## Make the specified type usable for spool files.
+## This will also make the type usable for files, making
+## calls to files_type() redundant. Failure to use this interface
+## for a spool file may result in problems with
+## purging spool files.
-+##
-+##
-+## Related interfaces:
-+##
-+##
+ ##
+ ## Related interfaces:
+ ##
+ ##
+-## - files_pid_file()
+## - files_spool_filetrans()
-+##
-+##
-+## Example usage with a domain that can create and
+ ##
+ ##
+ ## Example usage with a domain that can create and
+-## write its PID file with a private PID file type in the
+-## /var/run directory:
+## write its spool file in the system spool file
+## directories (/var/spool):
+##
@@ -16529,7 +16521,7 @@ index f962f76..f0133ab 100644
+## files_spool_file(myfile_spool_t)
+## allow mydomain_t myfile_spool_t:file { create_file_perms write_file_perms };
+## files_spool_filetrans(mydomain_t, myfile_spool_t, file)
-+##
+ ##
+##
+##
+##
@@ -16660,36 +16652,30 @@ index f962f76..f0133ab 100644
+ ')
+
+ list_dirs_pattern($1, var_t, var_spool_t)
- ')
-
- ########################################
- ##
--## Write named generic process ID pipes
++')
++
++########################################
++##
+## Create, read, write, and delete generic
+## spool directories (/var/spool).
- ##
- ##
- ##
-@@ -6073,43 +8134,170 @@ interface(`files_read_generic_pids',`
- ##
- ##
- #
--interface(`files_write_generic_pid_pipes',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`files_manage_generic_spool_dirs',`
- gen_require(`
-- type var_run_t;
++ gen_require(`
+ type var_t, var_spool_t;
- ')
-
-- allow $1 var_run_t:lnk_file read_lnk_file_perms;
-- allow $1 var_run_t:fifo_file write;
++ ')
++
+ allow $1 var_t:dir search_dir_perms;
+ manage_dirs_pattern($1, var_spool_t, var_spool_t)
- ')
-
- ########################################
- ##
--## Create an object in the process ID directory, with a private type.
++')
++
++########################################
++##
+## Read generic spool files.
+##
+##
@@ -16839,27 +16825,9 @@ index f962f76..f0133ab 100644
+########################################
+##
+## Create a core files in /
- ##
- ##
++##
++##
##
--## Create an object in the process ID directory (e.g., /var/run)
--## with a private type. Typically this is used for creating
--## private PID files in /var/run with the private type instead
--## of the general PID file type. To accomplish this goal,
--## either the program must be SELinux-aware, or use this interface.
--##
--##
--## Related interfaces:
--##
--##
--## - files_pid_file()
--##
--##
--## Example usage with a domain that can create and
--## write its PID file with a private PID file type in the
--## /var/run directory:
--##
--##
-## type mypidfile_t;
-## files_pid_file(mypidfile_t)
-## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
@@ -16868,7 +16836,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -6117,80 +8305,157 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6117,80 +8323,157 @@ interface(`files_write_generic_pid_pipes',`
## Domain allowed access.
##
##
@@ -17055,7 +17023,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -6198,19 +8463,17 @@ interface(`files_rw_generic_pids',`
+@@ -6198,19 +8481,17 @@ interface(`files_rw_generic_pids',`
##
##
#
@@ -17079,7 +17047,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -6218,18 +8481,17 @@ interface(`files_dontaudit_getattr_all_pids',`
+@@ -6218,18 +8499,17 @@ interface(`files_dontaudit_getattr_all_pids',`
##
##
#
@@ -17102,7 +17070,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -6237,129 +8499,119 @@ interface(`files_dontaudit_write_all_pids',`
+@@ -6237,129 +8517,119 @@ interface(`files_dontaudit_write_all_pids',`
##
##
#
@@ -17272,7 +17240,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -6367,18 +8619,19 @@ interface(`files_mounton_all_poly_members',`
+@@ -6367,18 +8637,19 @@ interface(`files_mounton_all_poly_members',`
##
##
#
@@ -17297,7 +17265,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -6386,132 +8639,227 @@ interface(`files_search_spool',`
+@@ -6386,132 +8657,227 @@ interface(`files_search_spool',`
##
##
#
@@ -17571,7 +17539,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -6519,53 +8867,17 @@ interface(`files_spool_filetrans',`
+@@ -6519,53 +8885,17 @@ interface(`files_spool_filetrans',`
##
##
#
@@ -17629,7 +17597,7 @@ index f962f76..f0133ab 100644
##
##
##
-@@ -6573,10 +8885,10 @@ interface(`files_polyinstantiate_all',`
+@@ -6573,10 +8903,10 @@ interface(`files_polyinstantiate_all',`
##
##
#
@@ -25224,7 +25192,7 @@ index ff92430..36740ea 100644
##
## Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 2522ca6..a73a163 100644
+index 2522ca6..f7ff2c7 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -5,39 +5,88 @@ policy_module(sysadm, 2.6.1)
@@ -25388,14 +25356,14 @@ index 2522ca6..a73a163 100644
+
+optional_policy(`
+ consoletype_exec(sysadm_t)
++')
++
++optional_policy(`
++ daemonstools_run_start(sysadm_t, sysadm_r)
')
optional_policy(`
- cvs_exec(sysadm_t)
-+ daemonstools_run_start(sysadm_t, sysadm_r)
-+')
-+
-+optional_policy(`
+ dbus_role_template(sysadm, sysadm_r, sysadm_t)
+
+ dontaudit sysadm_dbusd_t self:capability net_admin;
@@ -25430,7 +25398,19 @@ index 2522ca6..a73a163 100644
fstools_run(sysadm_t, sysadm_r)
')
-@@ -172,13 +246,31 @@ optional_policy(`
+@@ -164,6 +238,11 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ hwloc_admin(sysadm_t)
++ hwloc_run_dhwd(sysadm_t, sysadm_r)
++')
++
++optional_policy(`
+ hadoop_role(sysadm_r, sysadm_t)
+ ')
+
+@@ -172,13 +251,31 @@ optional_policy(`
# at things (e.g., ipsec auto --status)
# probably should create an ipsec_admin role for this kind of thing
ipsec_exec_mgmt(sysadm_t)
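Review bot: The new `optional_policy` block for hwloc is inserted ahead of the `hadoop_role(sysadm_r, sysadm_t)` block, which breaks the alphabetical ordering of optional_policy blocks that sysadm.te otherwise follows (hwloc sorts after hadoop); moving the five added lines below the hadoop block keeps the file consistent and makes future merges of this patch cleaner. The block also calls both `hwloc_admin(sysadm_t)` and `hwloc_run_dhwd(sysadm_t, sysadm_r)`; if the admin interface in the new hwloc module already includes the run/role transition, as admin interfaces in this policy tree usually do, the second call is redundant and the pair is worth a comment stating why both are needed. The enclosing sysadm_t policy section starts and ends outside the hunk.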
@@ -25462,7 +25442,7 @@ index 2522ca6..a73a163 100644
')
optional_policy(`
-@@ -190,11 +282,12 @@ optional_policy(`
+@@ -190,11 +287,12 @@ optional_policy(`
')
optional_policy(`
@@ -25477,7 +25457,7 @@ index 2522ca6..a73a163 100644
')
optional_policy(`
-@@ -210,22 +303,20 @@ optional_policy(`
+@@ -210,22 +308,20 @@ optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -25506,7 +25486,7 @@ index 2522ca6..a73a163 100644
')
optional_policy(`
-@@ -237,14 +328,28 @@ optional_policy(`
+@@ -237,14 +333,28 @@ optional_policy(`
')
optional_policy(`
@@ -25535,7 +25515,7 @@ index 2522ca6..a73a163 100644
')
optional_policy(`
-@@ -252,10 +357,20 @@ optional_policy(`
+@@ -252,10 +362,20 @@ optional_policy(`
')
optional_policy(`
@@ -25556,7 +25536,7 @@ index 2522ca6..a73a163 100644
portage_run(sysadm_t, sysadm_r)
portage_run_fetch(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -266,35 +381,41 @@ optional_policy(`
+@@ -266,35 +386,41 @@ optional_policy(`
')
optional_policy(`
@@ -25605,7 +25585,7 @@ index 2522ca6..a73a163 100644
')
optional_policy(`
-@@ -308,6 +429,7 @@ optional_policy(`
+@@ -308,6 +434,7 @@ optional_policy(`
optional_policy(`
screen_role_template(sysadm, sysadm_r, sysadm_t)
@@ -25613,7 +25593,7 @@ index 2522ca6..a73a163 100644
')
optional_policy(`
-@@ -315,12 +437,20 @@ optional_policy(`
+@@ -315,12 +442,20 @@ optional_policy(`
')
optional_policy(`
@@ -25635,7 +25615,7 @@ index 2522ca6..a73a163 100644
')
optional_policy(`
-@@ -345,30 +475,37 @@ optional_policy(`
+@@ -345,30 +480,37 @@ optional_policy(`
')
optional_policy(`
@@ -25682,7 +25662,7 @@ index 2522ca6..a73a163 100644
')
optional_policy(`
-@@ -380,10 +517,6 @@ optional_policy(`
+@@ -380,10 +522,6 @@ optional_policy(`
')
optional_policy(`
@@ -25693,7 +25673,7 @@ index 2522ca6..a73a163 100644
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
usermanage_run_groupadd(sysadm_t, sysadm_r)
usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -391,6 +524,9 @@ optional_policy(`
+@@ -391,6 +529,9 @@ optional_policy(`
optional_policy(`
virt_stream_connect(sysadm_t)
@@ -25703,7 +25683,7 @@ index 2522ca6..a73a163 100644
')
optional_policy(`
-@@ -398,31 +534,34 @@ optional_policy(`
+@@ -398,31 +539,34 @@ optional_policy(`
')
optional_policy(`
@@ -25744,7 +25724,7 @@ index 2522ca6..a73a163 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -435,10 +574,6 @@ ifndef(`distro_redhat',`
+@@ -435,10 +579,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -25755,7 +25735,7 @@ index 2522ca6..a73a163 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t)
optional_policy(`
-@@ -459,15 +594,79 @@ ifndef(`distro_redhat',`
+@@ -459,15 +599,79 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -50509,7 +50489,7 @@ index db75976..c54480a 100644
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6..e6556aa 100644
+index 9dc60c6..595ad40 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -51204,7 +51184,7 @@ index 9dc60c6..e6556aa 100644
# cjp: some of this probably can be removed
selinux_get_fs_mount($1_t)
-@@ -546,93 +737,132 @@ template(`userdom_common_user_template',`
+@@ -546,93 +737,137 @@ template(`userdom_common_user_template',`
selinux_compute_user_contexts($1_t)
# for eject
@@ -51315,18 +51295,23 @@ index 9dc60c6..e6556aa 100644
optional_policy(`
- consolekit_dbus_chat($1_t)
+ hal_dbus_chat($1_usertype)
- ')
-
- optional_policy(`
-- cups_dbus_chat_config($1_t)
-+ kde_dbus_chat_backlighthelper($1_usertype)
+ ')
+
++ optional_policy(`
++ hwloc_exec_dhwd($1_t)
++ hwloc_read_runtime_files($1_t)
++ ')
++
++ optional_policy(`
++ kde_dbus_chat_backlighthelper($1_usertype)
+ ')
+
+ optional_policy(`
+ memcached_stream_connect($1_usertype)
+ ')
+
-+ optional_policy(`
+ optional_policy(`
+- cups_dbus_chat_config($1_t)
+ modemmanager_dbus_chat($1_usertype)
')
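Review bot: The new `hwloc_exec_dhwd($1_t)` and `hwloc_read_runtime_files($1_t)` calls take `$1_t`, while every neighbouring optional_policy block in this part of userdom_common_user_template (`hal_dbus_chat`, `kde_dbus_chat_backlighthelper`, `memcached_stream_connect`, `modemmanager_dbus_chat`) is passed `$1_usertype`, and this same patch converts other calls in the template from `$1_t` to `$1_usertype`. If the narrower grant to the base user domain only is intended, a one-line comment above the block, `# hwloc: base domain only, derived usertypes do not need it`, would stop the next maintainer from "fixing" it; otherwise align it with its neighbours as `hwloc_exec_dhwd($1_usertype)` and `hwloc_read_runtime_files($1_usertype)`. The enclosing template starts and ends outside the hunk.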
@@ -51351,31 +51336,31 @@ index 9dc60c6..e6556aa 100644
- inetd_use_fds($1_t)
- inetd_rw_tcp_sockets($1_t)
+ git_role($1_r, $1_t)
++ ')
++
++ optional_policy(`
++ inetd_use_fds($1_usertype)
++ inetd_rw_tcp_sockets($1_usertype)
')
optional_policy(`
- inn_read_config($1_t)
- inn_read_news_lib($1_t)
- inn_read_news_spool($1_t)
-+ inetd_use_fds($1_usertype)
-+ inetd_rw_tcp_sockets($1_usertype)
++ inn_read_config($1_usertype)
++ inn_read_news_lib($1_usertype)
++ inn_read_news_spool($1_usertype)
')
optional_policy(`
- kerberos_manage_krb5_home_files($1_t)
- kerberos_relabel_krb5_home_files($1_t)
- kerberos_home_filetrans_krb5_home($1_t, file, ".k5login")
-+ inn_read_config($1_usertype)
-+ inn_read_news_lib($1_usertype)
-+ inn_read_news_spool($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ lircd_stream_connect($1_usertype)
')
optional_policy(`
-@@ -642,23 +872,21 @@ template(`userdom_common_user_template',`
+@@ -642,23 +877,21 @@ template(`userdom_common_user_template',`
optional_policy(`
mpd_manage_user_data_content($1_t)
mpd_relabel_user_data_content($1_t)
@@ -51404,7 +51389,7 @@ index 9dc60c6..e6556aa 100644
mysql_stream_connect($1_t)
')
')
-@@ -671,7 +899,7 @@ template(`userdom_common_user_template',`
+@@ -671,7 +904,7 @@ template(`userdom_common_user_template',`
optional_policy(`
# to allow monitoring of pcmcia status
@@ -51413,7 +51398,7 @@ index 9dc60c6..e6556aa 100644
')
optional_policy(`
-@@ -680,9 +908,9 @@ template(`userdom_common_user_template',`
+@@ -680,9 +913,9 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -51426,7 +51411,7 @@ index 9dc60c6..e6556aa 100644
')
')
-@@ -693,32 +921,35 @@ template(`userdom_common_user_template',`
+@@ -693,32 +926,35 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -51473,7 +51458,7 @@ index 9dc60c6..e6556aa 100644
')
')
-@@ -743,17 +974,32 @@ template(`userdom_common_user_template',`
+@@ -743,17 +979,32 @@ template(`userdom_common_user_template',`
template(`userdom_login_user_template', `
gen_require(`
class context contains;
@@ -51492,9 +51477,7 @@ index 9dc60c6..e6556aa 100644
+
+ ifelse(`$1',`unconfined',`',`
+ gen_tunable($1_exec_content, true)
-
-- userdom_exec_user_tmp_files($1_t)
-- userdom_exec_user_home_content_files($1_t)
++
+ tunable_policy(`$1_exec_content',`
+ userdom_exec_user_tmp_files($1_usertype)
+ userdom_exec_user_home_content_files($1_usertype)
@@ -51502,7 +51485,9 @@ index 9dc60c6..e6556aa 100644
+ tunable_policy(`$1_exec_content && use_nfs_home_dirs',`
+ fs_exec_nfs_files($1_usertype)
+ ')
-+
+
+- userdom_exec_user_tmp_files($1_t)
+- userdom_exec_user_home_content_files($1_t)
+ tunable_policy(`$1_exec_content && use_samba_home_dirs',`
+ fs_exec_cifs_files($1_usertype)
+ ')
@@ -51510,7 +51495,7 @@ index 9dc60c6..e6556aa 100644
userdom_change_password_template($1)
-@@ -761,82 +1007,112 @@ template(`userdom_login_user_template', `
+@@ -761,82 +1012,112 @@ template(`userdom_login_user_template', `
#
# User domain Local policy
#
@@ -51586,14 +51571,14 @@ index 9dc60c6..e6556aa 100644
- init_dontaudit_use_script_fds($1_t)
+ init_dontaudit_use_fds($1_usertype)
+ init_dontaudit_use_script_fds($1_usertype)
-
-- libs_exec_lib_files($1_t)
++
+ # Needed by pam_selinux.so calling in systemd-users
+ init_entrypoint_exec(login_userdomain)
-- logging_dontaudit_getattr_all_logs($1_t)
+- libs_exec_lib_files($1_t)
+ libs_exec_lib_files($1_usertype)
-+
+
+- logging_dontaudit_getattr_all_logs($1_t)
+ logging_dontaudit_getattr_all_logs($1_usertype)
- miscfiles_read_man_pages($1_t)
@@ -51659,7 +51644,7 @@ index 9dc60c6..e6556aa 100644
')
')
-@@ -868,6 +1144,12 @@ template(`userdom_restricted_user_template',`
+@@ -868,6 +1149,12 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -51672,7 +51657,7 @@ index 9dc60c6..e6556aa 100644
##############################
#
# Local policy
-@@ -907,53 +1189,137 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -907,53 +1194,137 @@ template(`userdom_restricted_xwindows_user_template',`
#
# Local policy
#
@@ -51692,14 +51677,10 @@ index 9dc60c6..e6556aa 100644
+ dev_read_rand($1_usertype)
- logging_send_syslog_msg($1_t)
-- logging_dontaudit_send_audit_msgs($1_t)
+ dev_read_video_dev($1_usertype)
+ dev_write_video_dev($1_usertype)
+ dev_rw_wireless($1_usertype)
-
-- # Need to to this just so screensaver will work. Should be moved to screensaver domain
-- logging_send_audit_msgs($1_t)
-- selinux_get_enforce_mode($1_t)
++
+ libs_dontaudit_setattr_lib_files($1_usertype)
+
+ init_read_state($1_usertype)
@@ -51717,10 +51698,11 @@ index 9dc60c6..e6556aa 100644
+ ')
+
+ logging_send_syslog_msg($1_t)
-+ logging_dontaudit_send_audit_msgs($1_t)
-+
-+ # Need to to this just so screensaver will work. Should be moved to screensaver domain
-+ selinux_get_enforce_mode($1_t)
+ logging_dontaudit_send_audit_msgs($1_t)
+
+ # Need to to this just so screensaver will work. Should be moved to screensaver domain
+- logging_send_audit_msgs($1_t)
+ selinux_get_enforce_mode($1_t)
+ seutil_exec_restorecond($1_t)
+ seutil_read_file_contexts($1_t)
+ seutil_read_default_contexts($1_t)
@@ -51827,7 +51809,7 @@ index 9dc60c6..e6556aa 100644
')
#######################################
-@@ -987,27 +1353,33 @@ template(`userdom_unpriv_user_template', `
+@@ -987,27 +1358,33 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -51865,7 +51847,7 @@ index 9dc60c6..e6556aa 100644
fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
# Write floppies
-@@ -1018,23 +1390,63 @@ template(`userdom_unpriv_user_template', `
+@@ -1018,23 +1395,63 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -51925,21 +51907,21 @@ index 9dc60c6..e6556aa 100644
+ optional_policy(`
+ mount_run_fusermount($1_t, $1_r)
+ mount_read_pid_files($1_t)
++ ')
++
++ optional_policy(`
++ wine_role_template($1, $1_r, $1_t)
')
optional_policy(`
- netutils_run_ping_cond($1_t, $1_r)
- netutils_run_traceroute_cond($1_t, $1_r)
-+ wine_role_template($1, $1_r, $1_t)
-+ ')
-+
-+ optional_policy(`
+ postfix_run_postdrop($1_t, $1_r)
+ postfix_search_spool($1_t)
')
# Run pppd in pppd_t by default for user
-@@ -1043,7 +1455,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1043,7 +1460,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@@ -51950,7 +51932,7 @@ index 9dc60c6..e6556aa 100644
')
')
-@@ -1079,7 +1493,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1079,7 +1498,9 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -51961,7 +51943,7 @@ index 9dc60c6..e6556aa 100644
')
##############################
-@@ -1095,6 +1511,7 @@ template(`userdom_admin_user_template',`
+@@ -1095,6 +1516,7 @@ template(`userdom_admin_user_template',`
role system_r types $1_t;
typeattribute $1_t admindomain;
@@ -51969,7 +51951,7 @@ index 9dc60c6..e6556aa 100644
ifdef(`direct_sysadm_daemon',`
domain_system_change_exemption($1_t)
-@@ -1105,14 +1522,8 @@ template(`userdom_admin_user_template',`
+@@ -1105,14 +1527,8 @@ template(`userdom_admin_user_template',`
# $1_t local policy
#
@@ -51986,7 +51968,7 @@ index 9dc60c6..e6556aa 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
-@@ -1128,6 +1539,8 @@ template(`userdom_admin_user_template',`
+@@ -1128,6 +1544,8 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -51995,7 +51977,7 @@ index 9dc60c6..e6556aa 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1145,10 +1558,15 @@ template(`userdom_admin_user_template',`
+@@ -1145,10 +1563,15 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -52011,7 +51993,7 @@ index 9dc60c6..e6556aa 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1159,29 +1577,40 @@ template(`userdom_admin_user_template',`
+@@ -1159,29 +1582,40 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -52056,7 +52038,7 @@ index 9dc60c6..e6556aa 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1191,6 +1620,8 @@ template(`userdom_admin_user_template',`
+@@ -1191,6 +1625,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -52065,7 +52047,7 @@ index 9dc60c6..e6556aa 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1198,13 +1629,21 @@ template(`userdom_admin_user_template',`
+@@ -1198,13 +1634,21 @@ template(`userdom_admin_user_template',`
userdom_manage_user_home_content_sockets($1_t)
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
@@ -52088,7 +52070,7 @@ index 9dc60c6..e6556aa 100644
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1240,7 +1679,7 @@ template(`userdom_admin_user_template',`
+@@ -1240,7 +1684,7 @@ template(`userdom_admin_user_template',`
##
##
#
@@ -52097,7 +52079,7 @@ index 9dc60c6..e6556aa 100644
allow $1 self:capability { dac_read_search dac_override };
corecmd_exec_shell($1)
-@@ -1250,6 +1689,8 @@ template(`userdom_security_admin_template',`
+@@ -1250,6 +1694,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -52106,7 +52088,7 @@ index 9dc60c6..e6556aa 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1262,8 +1703,10 @@ template(`userdom_security_admin_template',`
+@@ -1262,8 +1708,10 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -52118,7 +52100,7 @@ index 9dc60c6..e6556aa 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1274,29 +1717,31 @@ template(`userdom_security_admin_template',`
+@@ -1274,29 +1722,31 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -52161,7 +52143,7 @@ index 9dc60c6..e6556aa 100644
')
optional_policy(`
-@@ -1357,14 +1802,17 @@ interface(`userdom_user_home_content',`
+@@ -1357,14 +1807,17 @@ interface(`userdom_user_home_content',`
gen_require(`
attribute user_home_content_type;
type user_home_t;
@@ -52180,7 +52162,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -1397,12 +1845,52 @@ interface(`userdom_user_tmp_file',`
+@@ -1397,12 +1850,52 @@ interface(`userdom_user_tmp_file',`
##
#
interface(`userdom_user_tmpfs_file',`
@@ -52234,7 +52216,7 @@ index 9dc60c6..e6556aa 100644
## Allow domain to attach to TUN devices created by administrative users.
##
##
-@@ -1509,11 +1997,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1509,11 +2002,31 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -52266,7 +52248,7 @@ index 9dc60c6..e6556aa 100644
## Do not audit attempts to search user home directories.
##
##
-@@ -1555,6 +2063,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1555,6 +2068,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -52281,7 +52263,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -1570,9 +2086,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1570,9 +2091,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -52293,7 +52275,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -1613,6 +2131,24 @@ interface(`userdom_manage_user_home_dirs',`
+@@ -1613,6 +2136,24 @@ interface(`userdom_manage_user_home_dirs',`
########################################
##
@@ -52318,7 +52300,7 @@ index 9dc60c6..e6556aa 100644
## Relabel to user home directories.
##
##
-@@ -1631,6 +2167,59 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1631,6 +2172,59 @@ interface(`userdom_relabelto_user_home_dirs',`
########################################
##
@@ -52378,7 +52360,7 @@ index 9dc60c6..e6556aa 100644
## Create directories in the home dir root with
## the user home directory type.
##
-@@ -1704,10 +2293,12 @@ interface(`userdom_user_home_domtrans',`
+@@ -1704,10 +2298,12 @@ interface(`userdom_user_home_domtrans',`
#
interface(`userdom_dontaudit_search_user_home_content',`
gen_require(`
@@ -52393,7 +52375,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -1741,10 +2332,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1741,10 +2337,12 @@ interface(`userdom_list_all_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -52408,7 +52390,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -1769,7 +2362,7 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1769,7 +2367,7 @@ interface(`userdom_manage_user_home_content_dirs',`
########################################
##
@@ -52417,7 +52399,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -1777,19 +2370,17 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1777,19 +2375,17 @@ interface(`userdom_manage_user_home_content_dirs',`
##
##
#
@@ -52441,7 +52423,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -1797,55 +2388,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
+@@ -1797,55 +2393,55 @@ interface(`userdom_delete_all_user_home_content_dirs',`
##
##
#
@@ -52512,7 +52494,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -1853,18 +2444,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1853,18 +2449,19 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
##
##
#
@@ -52540,7 +52522,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -1872,17 +2464,167 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1872,18 +2469,71 @@ interface(`userdom_mmap_user_home_content_files',`
##
##
#
@@ -52548,13 +52530,17 @@ index 9dc60c6..e6556aa 100644
- gen_require(`
- type user_home_dir_t, user_home_t;
- ')
+-
+- read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+- files_search_home($1)
+interface(`usedom_dontaudit_user_getattr_tmp_sockets',`
+ refpolicywarn(`$0($*) has been deprecated, use userdom_getattr_user_tmp_files() instead.')
+ userdom_getattr_user_tmp_files($1)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to read user home files.
+## Dontaudit getattr on user tmp sockets.
+##
+##
@@ -52613,22 +52599,24 @@ index 9dc60c6..e6556aa 100644
+##
+## Do not audit attempts to set the
+## attributes of user home files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -1891,13 +2541,113 @@ interface(`userdom_read_user_home_content_files',`
+ ##
+ ##
+ #
+-interface(`userdom_dontaudit_read_user_home_content_files',`
+interface(`userdom_dontaudit_setattr_user_home_content_files',`
-+ gen_require(`
-+ type user_home_t;
-+ ')
-+
+ gen_require(`
+ type user_home_t;
+ ')
+
+- dontaudit $1 user_home_t:dir list_dir_perms;
+- dontaudit $1 user_home_t:file read_file_perms;
+ dontaudit $1 user_home_t:file setattr_file_perms;
+')
-
-- read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
++
+########################################
+##
+## Set the attributes of all user home directories.
@@ -52664,11 +52652,11 @@ index 9dc60c6..e6556aa 100644
+ ')
+
+ mmap_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
- files_search_home($1)
- ')
-
- ########################################
- ##
++ files_search_home($1)
++')
++
++########################################
++##
+## Read user home files.
+##
+##
@@ -52710,20 +52698,20 @@ index 9dc60c6..e6556aa 100644
+
+########################################
+##
- ## Do not audit attempts to read user home files.
- ##
- ##
-@@ -1893,11 +2635,14 @@ interface(`userdom_read_user_home_content_files',`
- #
- interface(`userdom_dontaudit_read_user_home_content_files',`
- gen_require(`
-- type user_home_t;
++## Do not audit attempts to read user home files.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_read_user_home_content_files',`
++ gen_require(`
+ attribute user_home_type;
+ type user_home_dir_t;
- ')
-
-- dontaudit $1 user_home_t:dir list_dir_perms;
-- dontaudit $1 user_home_t:file read_file_perms;
++ ')
++
+ dontaudit $1 user_home_dir_t:dir list_dir_perms;
+ dontaudit $1 user_home_type:dir list_dir_perms;
+ dontaudit $1 user_home_type:file read_file_perms;
@@ -52731,7 +52719,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -1938,7 +2683,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1938,7 +2688,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
########################################
##
@@ -52740,7 +52728,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -1946,10 +2691,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1946,10 +2696,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
##
##
#
@@ -52753,7 +52741,7 @@ index 9dc60c6..e6556aa 100644
')
userdom_search_user_home_content($1)
-@@ -1958,7 +2702,7 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1958,7 +2707,7 @@ interface(`userdom_delete_all_user_home_content_files',`
########################################
##
@@ -52762,7 +52750,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -1966,12 +2710,66 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1966,12 +2715,66 @@ interface(`userdom_delete_all_user_home_content_files',`
##
##
#
@@ -52831,7 +52819,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -2007,8 +2805,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2007,8 +2810,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -52841,7 +52829,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -2024,21 +2821,15 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -2024,20 +2826,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -52855,19 +52843,18 @@ index 9dc60c6..e6556aa 100644
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files($1)
+- ')
+-
+- tunable_policy(`use_samba_home_dirs',`
+- fs_exec_cifs_files($1)
+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ dontaudit $1 user_home_type:sock_file execute;
')
-
-- tunable_policy(`use_samba_home_dirs',`
-- fs_exec_cifs_files($1)
-- ')
-')
--
+
########################################
##
- ## Do not audit attempts to execute user home files.
-@@ -2120,7 +2911,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2120,7 +2916,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
########################################
##
@@ -52876,7 +52863,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -2128,19 +2919,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2128,19 +2924,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
##
##
#
@@ -52900,7 +52887,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -2148,12 +2937,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2148,12 +2942,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
##
##
#
@@ -52916,7 +52903,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -2388,18 +3177,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2388,18 +3182,54 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
##
##
#
@@ -52974,7 +52961,7 @@ index 9dc60c6..e6556aa 100644
## Do not audit attempts to read users
## temporary files.
##
-@@ -2414,7 +3239,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2414,7 +3244,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -52983,7 +52970,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -2455,6 +3280,25 @@ interface(`userdom_rw_user_tmp_files',`
+@@ -2455,6 +3285,25 @@ interface(`userdom_rw_user_tmp_files',`
rw_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
')
@@ -53009,34 +52996,12 @@ index 9dc60c6..e6556aa 100644
########################################
##
-@@ -2538,7 +3382,7 @@ interface(`userdom_manage_user_tmp_files',`
+@@ -2538,7 +3387,27 @@ interface(`userdom_manage_user_tmp_files',`
########################################
##
## Create, read, write, and delete user
-## temporary symbolic links.
+## temporary files.
- ##
- ##
- ##
-@@ -2546,18 +3390,59 @@ interface(`userdom_manage_user_tmp_files',`
- ##
- ##
- #
--interface(`userdom_manage_user_tmp_symlinks',`
-+interface(`userdom_filetrans_named_user_tmp_files',`
- gen_require(`
- type user_tmp_t;
- ')
-
-- manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
-+ files_tmp_filetrans($1, user_tmp_t, dir, "hsperfdata_root")
- files_search_tmp($1)
- ')
-
- ########################################
- ##
- ## Create, read, write, and delete user
-+## temporary symbolic links.
+##
+##
+##
@@ -53044,26 +53009,26 @@ index 9dc60c6..e6556aa 100644
+##
+##
+#
-+interface(`userdom_manage_user_tmp_symlinks',`
++interface(`userdom_filetrans_named_user_tmp_files',`
+ gen_require(`
+ type user_tmp_t;
+ ')
+
-+ manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
++ files_tmp_filetrans($1, user_tmp_t, dir, "hsperfdata_root")
+ files_search_tmp($1)
+')
+
+########################################
+##
+## Create, read, write, and delete user
-+## temporary named pipes.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
++## temporary symbolic links.
+ ##
+ ##
+ ##
+@@ -2566,6 +3435,27 @@ interface(`userdom_manage_user_tmp_symlinks',`
+ ##
+ ##
+ #
+interface(`userdom_rw_inherited_user_tmp_pipes',`
+ gen_require(`
+ type user_tmp_t;
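Review bot: On the new side, `userdom_filetrans_named_user_tmp_files` is documented as "Create, read, write, and delete user temporary files", but its body only calls `files_tmp_filetrans($1, user_tmp_t, dir, "hsperfdata_root")`, i.e. it adds a named directory transition and grants no read, write or delete access at all. A caller reading the summary would expect manage-level access that the interface does not give; the summary should say something like `## Create the hsperfdata_root directory in tmp with a type transition to user_tmp_t.` The interface's doc header (the summary lines) begins in the hunk above this one, so the wording fix lands there.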
@@ -53077,10 +53042,18 @@ index 9dc60c6..e6556aa 100644
+########################################
+##
+## Create, read, write, and delete user
- ## temporary named pipes.
- ##
- ##
-@@ -2661,6 +3546,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
++## temporary named pipes.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+ interface(`userdom_manage_user_tmp_pipes',`
+ gen_require(`
+ type user_tmp_t;
+@@ -2661,6 +3551,21 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@@ -53102,7 +53075,7 @@ index 9dc60c6..e6556aa 100644
########################################
##
## Read user tmpfs files.
-@@ -2672,18 +3572,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2672,18 +3577,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
##
#
interface(`userdom_read_user_tmpfs_files',`
@@ -53124,7 +53097,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -2692,19 +3587,13 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2692,19 +3592,13 @@ interface(`userdom_read_user_tmpfs_files',`
##
#
interface(`userdom_rw_user_tmpfs_files',`
@@ -53147,7 +53120,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -2713,13 +3602,56 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2713,13 +3607,56 @@ interface(`userdom_rw_user_tmpfs_files',`
##
#
interface(`userdom_manage_user_tmpfs_files',`
@@ -53208,7 +53181,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -2814,6 +3746,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2814,6 +3751,24 @@ interface(`userdom_use_user_ttys',`
########################################
##
@@ -53233,7 +53206,7 @@ index 9dc60c6..e6556aa 100644
## Read and write a user domain pty.
##
##
-@@ -2832,22 +3782,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2832,22 +3787,34 @@ interface(`userdom_use_user_ptys',`
########################################
##
@@ -53276,7 +53249,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -2856,14 +3818,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2856,14 +3823,33 @@ interface(`userdom_use_user_ptys',`
##
##
#
@@ -53314,7 +53287,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -2882,8 +3863,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2882,8 +3868,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -53344,7 +53317,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -2955,6 +3955,42 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2955,6 +3960,42 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -53387,7 +53360,7 @@ index 9dc60c6..e6556aa 100644
########################################
##
## Execute an Xserver session in all unprivileged user domains. This
-@@ -2978,24 +4014,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
+@@ -2978,24 +4019,6 @@ interface(`userdom_xsession_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -53412,7 +53385,7 @@ index 9dc60c6..e6556aa 100644
########################################
##
## Manage unpriviledged user SysV sempaphores.
-@@ -3014,9 +4032,9 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3014,9 +4037,9 @@ interface(`userdom_manage_unpriv_user_semaphores',`
allow $1 unpriv_userdomain:sem create_sem_perms;
')
@@ -53424,7 +53397,7 @@ index 9dc60c6..e6556aa 100644
## memory segments.
##
##
-@@ -3025,17 +4043,17 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3025,17 +4048,17 @@ interface(`userdom_manage_unpriv_user_semaphores',`
##
##
#
@@ -53445,7 +53418,7 @@ index 9dc60c6..e6556aa 100644
## memory segments.
##
##
-@@ -3044,12 +4062,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',`
+@@ -3044,12 +4067,12 @@ interface(`userdom_rw_unpriv_user_shared_mem',`
##
##
#
@@ -53460,7 +53433,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -3094,7 +4112,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3094,7 +4117,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -53469,7 +53442,7 @@ index 9dc60c6..e6556aa 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -3110,29 +4128,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3110,29 +4133,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -53503,7 +53476,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -3214,7 +4216,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3214,7 +4221,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -53530,7 +53503,7 @@ index 9dc60c6..e6556aa 100644
')
########################################
-@@ -3269,12 +4289,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3269,12 +4294,13 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -53546,7 +53519,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -3282,54 +4303,56 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3282,54 +4308,56 @@ interface(`userdom_write_user_tmp_files',`
##
##
#
@@ -53618,7 +53591,7 @@ index 9dc60c6..e6556aa 100644
##
##
##
-@@ -3337,12 +4360,86 @@ interface(`userdom_getattr_all_users',`
+@@ -3337,17 +4365,91 @@ interface(`userdom_getattr_all_users',`
##
##
#
@@ -53630,10 +53603,11 @@ index 9dc60c6..e6556aa 100644
- allow $1 userdomain:fd use;
+ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to inherit the file
+## Do not audit attempts to use user ttys.
+##
+##
@@ -53704,10 +53678,15 @@ index 9dc60c6..e6556aa 100644
+ ')
+
+ allow $1 userdomain:fd use;
- ')
-
- ########################################
-@@ -3382,6 +4479,42 @@ interface(`userdom_signal_all_users',`
++')
++
++########################################
++##
++## Do not audit attempts to inherit the file
+ ## descriptors from any user domains.
+ ##
+ ##
+@@ -3382,6 +4484,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -53750,7 +53729,7 @@ index 9dc60c6..e6556aa 100644
########################################
##
## Send a SIGCHLD signal to all user domains.
-@@ -3402,6 +4535,60 @@ interface(`userdom_sigchld_all_users',`
+@@ -3402,6 +4540,60 @@ interface(`userdom_sigchld_all_users',`
########################################
##
@@ -53811,7 +53790,7 @@ index 9dc60c6..e6556aa 100644
## Create keys for all user domains.
##
##
-@@ -3435,4 +4622,1781 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4627,1781 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index fb9b995..0203074 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -32032,10 +32032,10 @@ index 0000000..764ae00
+
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
-index 0000000..33654d5
+index 0000000..c31e40e
--- /dev/null
+++ b/glusterd.te
-@@ -0,0 +1,297 @@
+@@ -0,0 +1,302 @@
+policy_module(glusterd, 1.1.3)
+
+##
@@ -32100,7 +32100,7 @@ index 0000000..33654d5
+allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin mknod net_raw };
+
+allow glusterd_t self:capability2 block_suspend;
-+allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched };
++allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched setfscreate};
+allow glusterd_t self:sem create_sem_perms;
+allow glusterd_t self:fifo_file rw_fifo_file_perms;
+allow glusterd_t self:tcp_socket { accept listen };
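Review bot: `setfscreate` is added to the `glusterd_t self:process` rule on the new side of this hunk but is not mentioned in the changelog, which only records the keytab read; since it lets the daemon choose the label of files it creates (within the types its other rules already allow), it deserves a changelog line or a comment in the .te naming the on-disk object that needs it. The permission list is also missing a space before the closing brace; write `... setsched getsched setfscreate };`.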
@@ -32284,6 +32284,11 @@ index 0000000..33654d5
+ hostname_exec(glusterd_t)
+')
+
++
++optional_policy(`
++ kerberos_read_keytab(glusterd_t)
++')
++
+optional_policy(`
+ lvm_domtrans(glusterd_t)
+')
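Review bot: The new `optional_policy` block is preceded by two blank lines (the added blank `+` line on top of the existing one), which breaks the single-blank-line separation used between the neighbouring `optional_policy` blocks; drop the added blank line. The `kerberos_read_keytab(glusterd_t)` call itself matches the changelog entry.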
@@ -37023,6 +37028,166 @@ index 0000000..28816b4
+auth_use_nsswitch(hsqldb_t)
+
+sysnet_read_config(hsqldb_t)
+diff --git a/hwloc.fc b/hwloc.fc
+new file mode 100644
+index 0000000..d0c5a15
+--- /dev/null
++++ b/hwloc.fc
+@@ -0,0 +1,5 @@
++/usr/sbin/hwloc-dump-hwdata -- gen_context(system_u:object_r:hwloc_dhwd_exec_t,s0)
++
++/usr/lib/systemd/system/hwloc-dump-hwdata.* -- gen_context(system_u:object_r:hwloc_dhwd_unit_t,s0)
++
++/var/run/hwloc(/.*)? gen_context(system_u:object_r:hwloc_var_run_t,s0)
+diff --git a/hwloc.if b/hwloc.if
+new file mode 100644
+index 0000000..c2349ec
+--- /dev/null
++++ b/hwloc.if
+@@ -0,0 +1,106 @@
++## Dump topology and locality information from hardware tables.
++
++########################################
++##
++## Execute hwloc dhwd in the hwloc dhwd domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`hwloc_domtrans_dhwd',`
++ gen_require(`
++ type hwloc_dhwd_t, hwloc_dhwd_exec_t;
++ ')
++
++ domtrans_pattern($1, hwloc_dhwd_exec_t, hwloc_dhwd_t)
++')
++
++########################################
++##
++## Execute hwloc dhwd in the hwloc dhwd domain, and
++## allow the specified role the hwloc dhwd domain,
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`hwloc_run_dhwd',`
++ gen_require(`
++ attribute_role hwloc_dhwd_roles;
++ ')
++
++ hwloc_domtrans_dhwd($1)
++ roleattribute $2 hwloc_dhwd_roles;
++')
++
++########################################
++##
++## Execute hwloc dhwd in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`hwloc_exec_dhwd',`
++ gen_require(`
++ type hwloc_dhwd_exec_t;
++ ')
++
++ can_exec($1, hwloc_dhwd_exec_t)
++')
++
++########################################
++##
++## Read hwloc runtime files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`hwloc_read_runtime_files',`
++ gen_require(`
++ type hwloc_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, hwloc_var_run_t, hwloc_var_run_t)
++')
++
++########################################
++##
++## All of the rules required to
++## administrate an hwloc environment.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`hwloc_admin',`
++ gen_require(`
++ type hwloc_dhwd_t, hwloc_var_run_t;
++ ')
++
++ allow $1 hwloc_dhwd_t:process { ptrace signal_perms };
++ ps_process_pattern($1, hwloc_dhwd_t)
++
++ admin_pattern($1, hwloc_var_run_t)
++ files_pid_filetrans($1, hwloc_var_run_t, dir, "hwloc")
++')
+diff --git a/hwloc.te b/hwloc.te
+new file mode 100644
+index 0000000..0f45fd5
+--- /dev/null
++++ b/hwloc.te
+@@ -0,0 +1,31 @@
++policy_module(hwloc, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++attribute_role hwloc_dhwd_roles;
++roleattribute system_r hwloc_dhwd_roles;
++
++type hwloc_dhwd_t;
++type hwloc_dhwd_exec_t;
++init_system_domain(hwloc_dhwd_t, hwloc_dhwd_exec_t)
++role hwloc_dhwd_roles types hwloc_dhwd_t;
++
++type hwloc_var_run_t;
++files_pid_file(hwloc_var_run_t)
++
++type hwloc_dhwd_unit_t;
++systemd_unit_file(hwloc_dhwd_unit_t)
++
++########################################
++#
++# Local policy
++#
++
++allow hwloc_dhwd_t hwloc_var_run_t:dir manage_dir_perms;
++allow hwloc_dhwd_t hwloc_var_run_t:file manage_file_perms;
++files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir)
++
++dev_read_sysfs(hwloc_dhwd_t)
diff --git a/hypervkvp.fc b/hypervkvp.fc
index b46130e..e2ae3b2 100644
--- a/hypervkvp.fc
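Review bot: `hwloc.te` declares `files_pid_filetrans(hwloc_dhwd_t, hwloc_var_run_t, dir)` without a name component, while `hwloc_admin` in `hwloc.if` uses `files_pid_filetrans($1, hwloc_var_run_t, dir, "hwloc")` and `hwloc.fc` only labels `/var/run/hwloc(/.*)?`; the unnamed transition makes every directory the daemon creates directly under the pid directory `hwloc_var_run_t`, so the .te line should also carry `"hwloc"` to keep the three files consistent. The raw `allow hwloc_dhwd_t hwloc_var_run_t:dir`/`:file` pair in the .te is conventionally written with `manage_dirs_pattern`/`manage_files_pattern`, in line with the `read_files_pattern` call used in `hwloc_read_runtime_files`. The summary of `hwloc_run_dhwd` ends with a comma (`allow the specified role the hwloc dhwd domain,`) and should end with a period. `hwloc_admin` does not cover `hwloc_dhwd_unit_t`, whereas the cluster admin interface later in this patch grants `all_service_perms` on its unit file type; presumably `allow $1 hwloc_dhwd_unit_t:service all_service_perms;` (with the type added to its `gen_require`) is intended here too.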
@@ -48068,7 +48233,7 @@ index 0000000..8bc27f4
+domain_use_interactive_fds(mcollective_t)
+
diff --git a/mediawiki.fc b/mediawiki.fc
-index 99f7c41..93ec6db 100644
+index 99f7c41..1745603 100644
--- a/mediawiki.fc
+++ b/mediawiki.fc
@@ -1,8 +1,8 @@
@@ -48080,12 +48245,12 @@ index 99f7c41..93ec6db 100644
+/usr/lib/mediawiki/math/texvc_tes -- gen_context(system_u:object_r:mediawiki_script_exec_t,s0)
-/usr/share/mediawiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
-+/usr/share/mediawiki(/.*)? gen_context(system_u:object_r:mediawiki_content_t,s0)
++/usr/share/mediawiki[0-9]?(/.*)? gen_context(system_u:object_r:mediawiki_content_t,s0)
-/var/www/wiki(/.*)? gen_context(system_u:object_r:httpd_mediawiki_rw_content_t,s0)
-/var/www/wiki/.*\.php -- gen_context(system_u:object_r:httpd_mediawiki_content_t,s0)
-+/var/www/wiki(/.*)? gen_context(system_u:object_r:mediawiki_rw_content_t,s0)
-+/var/www/wiki/.*\.php -- gen_context(system_u:object_r:mediawiki_content_t,s0)
++/var/www/wiki[0-9]?(/.*)? gen_context(system_u:object_r:mediawiki_rw_content_t,s0)
++/var/www/wiki[0-9]?\.php -- gen_context(system_u:object_r:mediawiki_content_t,s0)
diff --git a/mediawiki.if b/mediawiki.if
index 9771b4b..9b183e6 100644
--- a/mediawiki.if
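Review bot: The new `/var/www/wiki[0-9]?\.php` pattern has lost the `/.*` that the replaced line had, so it only matches a file literally named `/var/www/wiki.php` (or `wiki1.php`); every PHP file under the wiki directory then falls through to the `/var/www/wiki[0-9]?(/.*)?` rule and is labelled with the writable `mediawiki_rw_content_t` instead of `mediawiki_content_t`, which removes the read-only/writable split the two labels exist for. It should read `/var/www/wiki[0-9]?/.*\.php -- gen_context(system_u:object_r:mediawiki_content_t,s0)`. Separately, `[0-9]?` admits at most one digit, so if the target is the `mediawiki123` package named in the changelog (a `/usr/share/mediawiki123` install path), neither the `/usr/share` nor the `/var/www` patterns match it; `[0-9]*` would, but confirm that package's actual install paths first.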
@@ -85688,10 +85853,10 @@ index c8a1e16..2d409bf 100644
xen_domtrans_xm(rgmanager_t)
')
diff --git a/rhcs.fc b/rhcs.fc
-index 47de2d6..dfb3396 100644
+index 47de2d6..bc62d96 100644
--- a/rhcs.fc
+++ b/rhcs.fc
-@@ -1,31 +1,95 @@
+@@ -1,31 +1,96 @@
-/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
@@ -85782,6 +85947,7 @@ index 47de2d6..dfb3396 100644
+/usr/share/corosync/corosync -- gen_context(system_u:object_r:cluster_exec_t,s0)
+
+/usr/share/cluster/fence_scsi_check\.pl -- gen_context(system_u:object_r:fenced_exec_t,s0)
++/usr/share/cluster/fence_scsi_check_hardreboot -- gen_context(system_u:object_r:fenced_exec_t,s0)
+
+/usr/lib/pcsd/pcsd -- gen_context(system_u:object_r:cluster_exec_t,s0)
+
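Review bot: The changelog says the label is fixed for all `fence_scsi_check` scripts, but the hunk only adds the single path `/usr/share/cluster/fence_scsi_check_hardreboot`, so a further variant would be missed again. If that directory only holds helpers meant to run as `fenced_t`, one pattern `/usr/share/cluster/fence_scsi_check.* -- gen_context(system_u:object_r:fenced_exec_t,s0)` replacing both explicit lines covers them; otherwise keep the explicit lines and narrow the changelog wording.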
@@ -86679,7 +86845,7 @@ index c8bdea2..1574225 100644
+ allow $1 cluster_unit_file_t:service all_service_perms;
')
diff --git a/rhcs.te b/rhcs.te
-index 6cf79c4..1a605f9 100644
+index 6cf79c4..943fd8b 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
@@ -87047,7 +87213,7 @@ index 6cf79c4..1a605f9 100644
-allow fenced_t self:process { getsched signal_perms };
-allow fenced_t self:tcp_socket { accept listen };
+allow fenced_t self:capability { net_admin sys_rawio sys_resource sys_admin };
-+allow fenced_t self:process { getsched setpgid signal_perms };
++allow fenced_t self:process { getsched setcap setpgid signal_perms };
+
+allow fenced_t self:tcp_socket create_stream_socket_perms;
+allow fenced_t self:udp_socket create_socket_perms;
@@ -107668,7 +107834,7 @@ index 97cd155..49321a5 100644
fs_search_auto_mountpoints(timidity_t)
diff --git a/tmpreaper.te b/tmpreaper.te
-index 585a77f..948bc5b 100644
+index 585a77f..a7cb326 100644
--- a/tmpreaper.te
+++ b/tmpreaper.te
@@ -5,9 +5,34 @@ policy_module(tmpreaper, 1.7.1)
@@ -107714,7 +107880,7 @@ index 585a77f..948bc5b 100644
dev_read_urand(tmpreaper_t)
-@@ -27,15 +53,19 @@ corecmd_exec_shell(tmpreaper_t)
+@@ -27,15 +53,16 @@ corecmd_exec_shell(tmpreaper_t)
fs_getattr_xattr_fs(tmpreaper_t)
fs_list_all(tmpreaper_t)
@@ -107725,11 +107891,9 @@ index 585a77f..948bc5b 100644
-files_getattr_all_files(tmpreaper_t)
files_read_var_lib_files(tmpreaper_t)
files_purge_tmp(tmpreaper_t)
+-files_setattr_all_tmp_dirs(tmpreaper_t)
+files_delete_all_non_security_files(tmpreaper_t)
-+# why does it need setattr?
- files_setattr_all_tmp_dirs(tmpreaper_t)
-+files_setattr_isid_type_dirs(tmpreaper_t)
-+files_setattr_usr_dirs(tmpreaper_t)
++files_setattr_non_security_dirs(tmpreaper_t)
+files_getattr_all_dirs(tmpreaper_t)
+files_getattr_all_files(tmpreaper_t)
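Review bot: The replacement line `files_setattr_non_security_dirs(tmpreaper_t)` widens the directory `setattr` grant from tmp, usr and isid-typed directories to every `non_security_file_type` directory (and, per the changelog entry for this interface, grants `read` on them as well), while the removed comment `# why does it need setattr?` was the only record that this need was unexplained. The question should be answered next to the new call rather than dropped, e.g. `# setattr on all non-security dirs: <reason / AVC reference that motivated this>`, because the broader rule is harder to justify than the narrower ones it replaces. If tmpreaper only needs this on directories it actually purges, the narrower interfaces on the old side may still suffice; confirm against the denials that prompted the change.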
@@ -107738,7 +107902,7 @@ index 585a77f..948bc5b 100644
mls_file_read_all_levels(tmpreaper_t)
mls_file_write_all_levels(tmpreaper_t)
-@@ -45,7 +75,6 @@ init_use_inherited_script_ptys(tmpreaper_t)
+@@ -45,7 +72,6 @@ init_use_inherited_script_ptys(tmpreaper_t)
logging_send_syslog_msg(tmpreaper_t)
@@ -107746,7 +107910,7 @@ index 585a77f..948bc5b 100644
miscfiles_delete_man_pages(tmpreaper_t)
ifdef(`distro_debian',`
-@@ -53,10 +82,33 @@ ifdef(`distro_debian',`
+@@ -53,10 +79,33 @@ ifdef(`distro_debian',`
')
ifdef(`distro_redhat',`
@@ -107781,7 +107945,7 @@ index 585a77f..948bc5b 100644
')
optional_policy(`
-@@ -64,6 +116,7 @@ optional_policy(`
+@@ -64,6 +113,7 @@ optional_policy(`
')
optional_policy(`
@@ -107789,7 +107953,7 @@ index 585a77f..948bc5b 100644
apache_list_cache(tmpreaper_t)
apache_delete_cache_dirs(tmpreaper_t)
apache_delete_cache_files(tmpreaper_t)
-@@ -79,7 +132,19 @@ optional_policy(`
+@@ -79,7 +129,19 @@ optional_policy(`
')
optional_policy(`
@@ -107810,7 +107974,7 @@ index 585a77f..948bc5b 100644
')
optional_policy(`
-@@ -89,3 +154,8 @@ optional_policy(`
+@@ -89,3 +151,8 @@ optional_policy(`
optional_policy(`
rpm_manage_cache(tmpreaper_t)
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 00c614a..12b5672 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 194%{?dist}
+Release: 195%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -647,6 +647,17 @@ exit 0
%endif
%changelog
+* Thu Jun 08 2016 Lukas Vrabec 3.13.1-195
+- Add hwloc-dump-hwdata SELinux policy
+- Add labels for mediawiki123
+- Fix label for all fence_scsi_check scripts
+- Allow setcap for fenced
+- Allow glusterd domain read krb5_keytab_t files.
+- Allow tmpreaper_t to read/setattr all non_security_file_type dirs
+- Update refpolicy to handle hwloc
+- Fix typo in files_setattr_non_security_dirs.
+- Add interface files_setattr_non_security_dirs()
+
* Tue Jun 07 2016 Lukas Vrabec 3.13.1-194
- Allow boinc to use dri devices. This allows use Boinc for a openCL GPU calculations. BZ(1340886)
- Add nrpe_dontaudit_write_pipes()