From 549515d4527cccd4839a128df4606faa6a5f03b0 Mon Sep 17 00:00:00 2001 From: CentOS Buildsys Date: Apr 07 2014 16:34:33 +0000 Subject: import selinux-policy-3.12.1-153.el7.src.rpm --- diff --git a/.selinux-policy.metadata b/.selinux-policy.metadata index 75fe480..f47fe12 100644 --- a/.selinux-policy.metadata +++ b/.selinux-policy.metadata @@ -1,4 +1,4 @@ c21486a81ff7085007e30fb56ae8612607c5cc69 SOURCES/serefpolicy-contrib-3.12.1.tgz -036245dbc144b57e1805e15e07a737fcd0119390 SOURCES/permissivedomains.pp -e5d300354838008da0d531041df7aa168e6d3e93 SOURCES/config.tgz +4fd46bd7d17737f2e7c0b287a11d6362d918da8f SOURCES/permissivedomains.pp +5054dc0ae7f7378c4f6670e89544246558e20dc4 SOURCES/config.tgz 7c268e6658b024719ad248965c27398304ac9e79 SOURCES/serefpolicy-3.12.1.tgz diff --git a/SOURCES/file_contexts.subs_dist b/SOURCES/file_contexts.subs_dist index 500ef4d..5550852 100644 --- a/SOURCES/file_contexts.subs_dist +++ b/SOURCES/file_contexts.subs_dist @@ -5,10 +5,12 @@ /lib /usr/lib /lib64 /usr/lib /usr/lib64 /usr/lib -/usr/local /usr /usr/local/lib64 /usr/lib /usr/local/lib32 /usr/lib +/etc/init.d /etc/rc.d/init.d /etc/systemd/system /usr/lib/systemd/system /var/lib/xguest/home /home /var/named/chroot/usr/lib64 /usr/lib /var/named/chroot/lib64 /usr/lib +/var/home /home +/var/roothome /root diff --git a/SOURCES/modules-targeted-contrib.conf b/SOURCES/modules-targeted-contrib.conf index 67cdd0f..62763f2 100644 --- a/SOURCES/modules-targeted-contrib.conf +++ b/SOURCES/modules-targeted-contrib.conf @@ -216,6 +216,13 @@ brctl = module bugzilla = module # Layer: services +# Module: bumblebee +# +# Support NVIDIA Optimus technology under Linux +# +bumblebee = module + +# Layer: services # Module: cachefilesd # # CacheFiles userspace management daemon @@ -658,6 +665,13 @@ firstboot = module fprintd = module # Layer: services +# Module: freqset +# +# Utility for CPU frequency scaling +# +freqset = module + +# Layer: services # Module: ftp # # File transfer protocol service 
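Review bot: Removing the `/usr/local /usr` substitution in the file_contexts.subs_dist hunk means every path under /usr/local that has no explicit entry in the .fc files stops inheriting the label of its /usr counterpart; of the /usr/local mappings only `/usr/local/lib64 /usr/lib` and `/usr/local/lib32 /usr/lib` remain. If explicit `/usr/local/...` entries elsewhere in the policy now cover the binaries and libraries there, a one-line comment above the block such as `# /usr/local is labelled by explicit .fc entries, not by substitution` would record the intent; otherwise the effect should be checked with `restorecon -nv /usr/local` before release. The new `/var/home /home` and `/var/roothome /root` lines presumably serve a layout where home directories live under /var; they make those trees carry home-directory labels, which changes which domains can reach them and deserves a mention in the changelog.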
@@ -874,6 +888,13 @@ kdump = module # kerberos = module +# Layer: services +# Module: keepalived +# +# keepalived - load-balancing and high-availability service +# +keepalived = module + # Module: keyboardd # # system-setup-keyboard is a keyboard layout daemon that monitors @@ -1043,6 +1064,13 @@ memcached = module milter = module # Layer: services +# Module: mip6d +# +# UMIP Mobile IPv6 and NEMO Basic Support protocol implementation +# +mip6d = module + +# Layer: services # Module: mock # # Policy for mock rpm builder @@ -1265,6 +1293,13 @@ openshift-origin = module openshift = module # Layer: services +# Module: opensm +# +# InfiniBand subnet manager and administration (SM/SA) +# +opensm = module + +# Layer: services # Module: openvpn # # Policy for OPENVPN full-featured SSL VPN solution @@ -1278,6 +1313,13 @@ openvpn = module # openvswitch = module +# Layer: services +# Module: osad +# +# Client-side service written in Python that responds to pings +# +osad = module + # Layer: contrib # Module: prelude # @@ -1535,6 +1577,13 @@ radvd = module raid = module # Layer: services +# Module: rasdaemon +# +# The rasdaemon program is a daemon with monitors the RAS trace events from /sys/kernel/debug/tracing +# +rasdaemon = module + +# Layer: services # Module: rdisc # # Network router discovery daemon 
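Review bot: The description added for rasdaemon in the `@@ -1535,6 +1577,13 @@` hunk reads `# The rasdaemon program is a daemon with monitors the RAS trace events from /sys/kernel/debug/tracing`; it should read `# The rasdaemon program is a daemon which monitors the RAS trace events from /sys/kernel/debug/tracing`. The descriptions in the neighbouring keepalived, mip6d, opensm and osad hunks read fine.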
@@ -2330,3 +2379,102 @@ motion = module # rtas policy # rtas = module + +# Layer: contrib +# Module: ninfod +# +# Respond to IPv6 Node Information Queries +# +ninfod = module + +# Layer: contrib +# Module: openwsman +# +# WS-Management Server +# +openwsman = module + +# Layer: contrib +# Module: freeipmi +# +# Remote-Console (out-of-band) and System Management Software (in-band) +# based on IntelligentPlatform Management Interface specification +# +freeipmi = module + +# Layer: contrib +# Module: conman +# +# Conman is a program for connecting to remote consoles being managed by conmand +# +conman = module + +# Layer: contrib +# Module: docker +# +# Docker +# +docker = module + +# Layer: contrib +# Module: freeipmi +# +# ipa policy module contain SELinux policies for IPA services +# +ipa = module + +# Layer: contrib +# Module: snapper +# +# snapper policy +# +snapper = module + +# Layer: services +# Module: vmtools +# +# VMware Tools daemon +# +vmtools = module + +# Layer: services +# Module: speech-dispatcher +# +# speech-dispatcher - server process managing speech requests in Speech Dispatcher +# +speech-dispatcher = module + +# Layer: contrib +# Module: rkhunter +# +# rkhunter policy for /var/lib/rkhunter +# +rkhunter = module + +# Layer: contrib +# Module: pcp +# +# pcp policy +# +pcp = module + +# Layer: contrib +# Module: bacula +# +# bacula policy +# +bacula = module + +# Layer: contrib +# Module: rhnsd +# +# rhnsd policy +# +rhnsd = module + +# Layer: contrib +# Module: gear +# +# gear policy +# +gear = module diff --git a/SOURCES/policy-f20-base.patch b/SOURCES/policy-f20-base.patch index 0722c5a..3c28671 100644 --- a/SOURCES/policy-f20-base.patch +++ b/SOURCES/policy-f20-base.patch 
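Review bot: The block that registers `ipa = module` is headed `# Module: freeipmi`, a copy of the header of the freeipmi block just above it; it should read `# Module: ipa`. Nothing executes the header, but it is the only place this file states which policy package each `= module` line refers to, so a wrong one misleads anyone auditing the module list. Several of the new entries (`snapper`, `pcp`, `bacula`, `rhnsd`, `gear`) also carry placeholder descriptions of the form `# pcp policy`; a one-line statement of what the daemon does, as the older entries have, would keep the file consistent.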
@@ -71,6 +71,24 @@ index 881a292..80110a4 100644 system_r:xdm_t:s0 staff_r:staff_t:s0 staff_r:staff_su_t:s0 staff_r:staff_t:s0 staff_r:staff_sudo_t:s0 staff_r:staff_t:s0 +diff --git a/config/appconfig-mcs/sysadm_u_default_contexts b/config/appconfig-mcs/sysadm_u_default_contexts +new file mode 100644 +index 0000000..b8fda95 +--- /dev/null ++++ b/config/appconfig-mcs/sysadm_u_default_contexts +@@ -0,0 +1,12 @@ ++system_r:local_login_t:s0 sysadm_r:sysadm_t:s0 ++system_r:remote_login_t:s0 sysadm_r:sysadm_t:s0 ++system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 ++system_r:crond_t:s0 sysadm_r:sysadm_t:s0 ++system_r:xdm_t:s0 sysadm_r:sysadm_t:s0 ++sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 ++sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 ++system_r:initrc_su_t:s0 sysadm_r:sysadm_t:s0 ++sysadm_r:sysadm_t:s0 sysadm_r:sysadm_t:s0 ++sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 ++sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 ++ diff --git a/config/appconfig-mcs/systemd_contexts b/config/appconfig-mcs/systemd_contexts new file mode 100644 index 0000000..ff32acc @@ -144,6 +162,24 @@ index c2a5ea8..f63999e 100644 system_r:xdm_t staff_r:staff_t staff_r:staff_su_t staff_r:staff_t staff_r:staff_sudo_t staff_r:staff_t +diff --git a/config/appconfig-standard/sysadm_u_default_contexts b/config/appconfig-standard/sysadm_u_default_contexts +new file mode 100644 +index 0000000..b8fda95 +--- /dev/null ++++ b/config/appconfig-standard/sysadm_u_default_contexts +@@ -0,0 +1,12 @@ ++system_r:local_login_t:s0 sysadm_r:sysadm_t:s0 ++system_r:remote_login_t:s0 sysadm_r:sysadm_t:s0 ++system_r:sshd_t:s0 sysadm_r:sysadm_t:s0 ++system_r:crond_t:s0 sysadm_r:sysadm_t:s0 ++system_r:xdm_t:s0 sysadm_r:sysadm_t:s0 ++sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 ++sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 ++system_r:initrc_su_t:s0 sysadm_r:sysadm_t:s0 ++sysadm_r:sysadm_t:s0 sysadm_r:sysadm_t:s0 ++sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0 ++sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0 ++ 
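Review bot: The new `config/appconfig-mcs/sysadm_u_default_contexts` file lists `sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0` and `sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0` twice (once after the `system_r:xdm_t:s0` entry and again after `sysadm_r:sysadm_t:s0 sysadm_r:sysadm_t:s0`) and ends with an empty line. Default-context lookups take the first matching line, so the duplicates are inert, but they make the file harder to audit; dropping the second pair and the trailing blank line leaves ten lines. The identical copy added to `config/appconfig-standard/sysadm_u_default_contexts` in the next hunk (`@@ -144,6 +162,24 @@`, which runs into the following physical line) has the same repetition.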
diff --git a/config/appconfig-standard/systemd_contexts b/config/appconfig-standard/systemd_contexts new file mode 100644 index 0000000..ff32acc @@ -2693,7 +2729,7 @@ index 99e3903..7270808 100644 ######################################## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index d555767..3053e39 100644 +index d555767..049a211 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1) @@ -2901,6 +2937,15 @@ index d555767..3053e39 100644 ') optional_policy(` +@@ -270,7 +297,7 @@ optional_policy(` + # Passwd local policy + # + +-allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource }; ++allow passwd_t self:capability { chown dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource }; + dontaudit passwd_t self:capability sys_tty_config; + allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow passwd_t self:process { setrlimit setfscreate }; @@ -285,6 +312,7 @@ allow passwd_t self:shm create_shm_perms; allow passwd_t self:sem create_sem_perms; allow passwd_t self:msgq create_msgq_perms; @@ -2975,7 +3020,7 @@ index d555767..3053e39 100644 userdom_use_unpriv_users_fds(passwd_t) # make sure that getcon succeeds userdom_getattr_all_users(passwd_t) -@@ -349,9 +389,17 @@ userdom_read_user_tmp_files(passwd_t) +@@ -349,9 +389,18 @@ userdom_read_user_tmp_files(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) @@ -2985,6 +3030,7 @@ index d555767..3053e39 100644 - nscd_run(passwd_t, passwd_roles) + gnome_exec_keyringd(passwd_t) + gnome_manage_cache_home_dir(passwd_t) ++ gnome_manage_generic_cache_sockets(passwd_t) + gnome_stream_connect_gkeyringd(passwd_t) +') + 
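Review bot: The `ipc_lock` capability added to `allow passwd_t self:capability { chown dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource };` in the `@@ -2901,6 +2937,15 @@` hunk has no comment saying why passwd needs it, although this file annotates other non-obvious grants (`# for nscd lookups`, `# make sure that getcon succeeds`). Presumably it is for `mlock()`/`mlockall()` so that buffers holding the cleartext password are not swapped out, but that should be confirmed from the denial that motivated the change. A comment such as `# ipc_lock: passwd locks its password buffers in memory (see <bug-id placeholder>)` above the allow line would keep the justification next to the grant, since ipc_lock also lets the domain pin arbitrary amounts of memory.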
@@ -2994,7 +3040,7 @@ index d555767..3053e39 100644 ') ######################################## -@@ -398,9 +446,10 @@ dev_read_urand(sysadm_passwd_t) +@@ -398,9 +447,10 @@ dev_read_urand(sysadm_passwd_t) fs_getattr_xattr_fs(sysadm_passwd_t) fs_search_auto_mountpoints(sysadm_passwd_t) @@ -3007,7 +3053,7 @@ index d555767..3053e39 100644 auth_manage_shadow(sysadm_passwd_t) auth_relabel_shadow(sysadm_passwd_t) auth_etc_filetrans_shadow(sysadm_passwd_t) -@@ -413,7 +462,6 @@ files_read_usr_files(sysadm_passwd_t) +@@ -413,7 +463,6 @@ files_read_usr_files(sysadm_passwd_t) domain_use_interactive_fds(sysadm_passwd_t) @@ -3015,7 +3061,7 @@ index d555767..3053e39 100644 files_relabel_etc_files(sysadm_passwd_t) files_read_etc_runtime_files(sysadm_passwd_t) # for nscd lookups -@@ -423,19 +471,17 @@ files_dontaudit_search_pids(sysadm_passwd_t) +@@ -423,19 +472,17 @@ files_dontaudit_search_pids(sysadm_passwd_t) # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(sysadm_passwd_t) @@ -3037,7 +3083,7 @@ index d555767..3053e39 100644 ') ######################################## -@@ -443,7 +489,8 @@ optional_policy(` +@@ -443,7 +490,8 @@ optional_policy(` # Useradd local policy # @@ -3047,7 +3093,7 @@ index d555767..3053e39 100644 dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; -@@ -458,6 +505,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; +@@ -458,6 +506,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; allow useradd_t self:unix_dgram_socket sendto; allow useradd_t self:unix_stream_socket connectto; 
@@ -3058,7 +3104,7 @@ index d555767..3053e39 100644 # for getting the number of groups kernel_read_kernel_sysctls(useradd_t) -@@ -465,36 +516,36 @@ corecmd_exec_shell(useradd_t) +@@ -465,36 +517,37 @@ corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(useradd_t) @@ -3074,6 +3120,7 @@ index d555767..3053e39 100644 files_relabel_etc_files(useradd_t) files_read_etc_runtime_files(useradd_t) +files_manage_etc_files(useradd_t) ++files_create_var_lib_dirs(useradd_t) +files_rw_var_lib_dirs(useradd_t) fs_search_auto_mountpoints(useradd_t) @@ -3107,7 +3154,7 @@ index d555767..3053e39 100644 auth_manage_shadow(useradd_t) auth_relabel_shadow(useradd_t) auth_etc_filetrans_shadow(useradd_t) -@@ -505,33 +556,36 @@ init_rw_utmp(useradd_t) +@@ -505,33 +558,36 @@ init_rw_utmp(useradd_t) logging_send_audit_msgs(useradd_t) logging_send_syslog_msg(useradd_t) @@ -3158,7 +3205,7 @@ index d555767..3053e39 100644 optional_policy(` apache_manage_all_user_content(useradd_t) ') -@@ -542,7 +596,12 @@ optional_policy(` +@@ -542,7 +598,12 @@ optional_policy(` ') optional_policy(` @@ -3172,7 +3219,7 @@ index d555767..3053e39 100644 ') optional_policy(` -@@ -550,6 +609,11 @@ optional_policy(` +@@ -550,6 +611,11 @@ optional_policy(` ') optional_policy(` @@ -3184,7 +3231,7 @@ index d555767..3053e39 100644 tunable_policy(`samba_domain_controller',` samba_append_log(useradd_t) ') -@@ -559,3 +623,12 @@ optional_policy(` +@@ -559,3 +625,12 @@ optional_policy(` rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') @@ -3365,7 +3412,7 @@ index 7590165..fb30c11 100644 + fs_mounton_fusefs(seunshare_domain) +') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 644d4d7..6e7dd83 100644 +index 644d4d7..ad789c2 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ 
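Review bot: `files_create_var_lib_dirs(useradd_t)` in the `@@ -3074,6 +3120,7 @@` hunk lets useradd create directories directly under /var/lib, and with no file transition visible in the hunk whatever it creates there keeps the parent's `var_lib_t` label. If this is for one specific subdirectory (a home base or a service's state directory), a named transition to that directory's type would be tighter and would also record the purpose; as it stands the line needs at least a comment naming the use case, e.g. `# useradd creates <dir placeholder> under /var/lib`. The surrounding useradd block continues beyond this hunk.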
@@ -3677,7 +3724,7 @@ index 644d4d7..6e7dd83 100644 /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0) -@@ -383,11 +458,15 @@ ifdef(`distro_suse', ` +@@ -383,11 +458,16 @@ ifdef(`distro_suse', ` # # /var # @@ -3687,6 +3734,7 @@ index 644d4d7..6e7dd83 100644 /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/var/lib/dirsrv/scripts-INSTANCE -- gen_context(system_u:object_r:bin_t,s0) +/var/lib/iscan/interpreter gen_context(system_u:object_r:bin_t,s0) +/usr/lib/ruby/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/share/gems(/.*)?/helper-scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -3694,7 +3742,7 @@ index 644d4d7..6e7dd83 100644 /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) -@@ -397,3 +476,12 @@ ifdef(`distro_suse', ` +@@ -397,3 +477,12 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -5549,7 +5597,7 @@ index 8e0f9cd..b9f45b9 100644 define(`create_packet_interfaces',`` diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 4edc40d..06129ea 100644 +index 4edc40d..72e1a41 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4) 
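Review bot: The new corecommands.fc entry `/var/lib/dirsrv/scripts-INSTANCE -- gen_context(system_u:object_r:bin_t,s0)` looks as if it carries a template placeholder: if `INSTANCE` is not a literal directory name on installed systems the pattern never matches a real instance, and the `--` class restricts it to regular files, while a `scripts-...` directory holding scripts would need a directory pattern. If a literal template directory called `scripts-INSTANCE` is what is meant, a comment saying so would stop the next reader from "fixing" it; otherwise the entry presumably wants a per-instance pattern along the lines of `/var/lib/dirsrv/scripts-[^/]+(/.*)? gen_context(system_u:object_r:bin_t,s0)`. Please confirm against the dirsrv package layout before changing it.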
@@ -5623,7 +5671,7 @@ index 4edc40d..06129ea 100644 # reserved_port_t is the type of INET port numbers below 1024. # type reserved_port_t, port_type, reserved_port_type; -@@ -84,10 +107,10 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0) +@@ -84,54 +107,68 @@ network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0) network_port(amavisd_recv, tcp,10024,s0) network_port(amavisd_send, tcp,10025,s0) network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0) @@ -5636,7 +5684,9 @@ index 4edc40d..06129ea 100644 network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0) network_port(audit, tcp,60,s0) network_port(auth, tcp,113,s0) -@@ -96,19 +119,19 @@ network_port(boinc, tcp,31416,s0) + network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0) ++network_port(bacula, tcp,9103,s0, udp,9103,s0) + network_port(boinc, tcp,31416,s0) network_port(boinc_client, tcp,1043,s0, udp,1034,s0) network_port(biff) # no defined portcon network_port(certmaster, tcp,51235,s0) 
@@ -5652,14 +5702,21 @@ index 4edc40d..06129ea 100644 network_port(commplex_main, tcp,5000,s0, udp,5000,s0) network_port(comsat, udp,512,s0) network_port(condor, tcp,9618,s0, udp,9618,s0) - network_port(couchdb, tcp,5984,s0, udp,5984,s0) +-network_port(couchdb, tcp,5984,s0, udp,5984,s0) -network_port(cslistener, tcp,9000,s0, udp,9000,s0) -network_port(ctdb, tcp,4379,s0, udp,4397,s0) ++network_port(conman, tcp,7890,s0, udp,7890,s0) ++network_port(connlcli, tcp,1358,s0, udp,1358,s0) ++network_port(couchdb, tcp,5984,s0, udp,5984,s0, tcp,6984,s0, udp,6984,s0) +network_port(ctdb, tcp,4379,s0, udp,4379,s0) network_port(cvs, tcp,2401,s0, udp,2401,s0) network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0) network_port(daap, tcp,3689,s0, udp,3689,s0) -@@ -119,19 +142,26 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0, + network_port(dbskkd, tcp,1178,s0) + network_port(dcc, udp,6276,s0, udp,6277,s0) + network_port(dccm, tcp,5679,s0, udp,5679,s0) ++network_port(dey_sapi, tcp,4330,s0) + network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0, tcp,5546,s0) network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0) network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) 
@@ -5676,9 +5733,12 @@ index 4edc40d..06129ea 100644 -network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0) +network_port(fmpro_internal, tcp,5003,s0, udp,5003,s0) +network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0) ++network_port(freeipmi, tcp,9225,s0, udp,9225,s0) +network_port(ftp, tcp,21,s0, tcp,989,s0, udp,989,s0, tcp,990,s0, udp,990,s0) network_port(ftp_data, tcp,20,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) ++network_port(gear, tcp,43273,s0, udp,43273,s0) ++network_port(gdomap, tcp,538,s0, udp,538,s0) network_port(gds_db, tcp,3050,s0, udp,3050,s0) network_port(giftd, tcp,1213,s0) network_port(git, tcp,9418,s0, udp,9418,s0) @@ -5688,7 +5748,7 @@ index 4edc40d..06129ea 100644 network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) network_port(hadoop_datanode, tcp,50010,s0) -@@ -139,45 +169,52 @@ network_port(hadoop_namenode, tcp,8020,s0) +@@ -139,45 +176,52 @@ network_port(hadoop_namenode, tcp,8020,s0) network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) @@ -5744,7 +5804,7 @@ index 4edc40d..06129ea 100644 network_port(matahari, tcp,49000,s0, udp,49000,s0) network_port(memcache, tcp,11211,s0, udp,11211,s0) -network_port(milter) # no defined portcon -+network_port(milter, tcp, 8891, s0, tcp, 8893, s0) # no defined portcon ++network_port(milter, tcp, 8890,s0, tcp, 8891,s0, tcp, 8893,s0) # no defined portcon network_port(mmcc, tcp,5050,s0, udp,5050,s0) +network_port(mongod, tcp,27017-27019,s0, tcp, 28017-28019,s0) network_port(monopd, tcp,1234,s0) 
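Review bot: The rewritten line `network_port(milter, tcp, 8890,s0, tcp, 8891,s0, tcp, 8893,s0) # no defined portcon` now does declare portcons for three TCP ports, so the trailing `# no defined portcon` comment is stale and contradicts the declaration; it should be dropped, leaving `network_port(milter, tcp, 8890,s0, tcp, 8891,s0, tcp, 8893,s0)`. The comment described the old `network_port(milter)` line. The same comment on `network_port(stunnel)` and `network_port(biff)` elsewhere in the file is still accurate and should stay.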
@@ -5755,7 +5815,7 @@ index 4edc40d..06129ea 100644 network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) network_port(ms_streaming, tcp,1755,s0, udp,1755,s0) -@@ -185,26 +222,34 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) +@@ -185,26 +229,36 @@ network_port(munin, tcp,4949,s0, udp,4949,s0) network_port(mxi, tcp,8005,s0, udp,8005,s0) network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0) network_port(mysqlmanagerd, tcp,2273,s0) @@ -5774,8 +5834,10 @@ index 4edc40d..06129ea 100644 network_port(oa_system, tcp,8022,s0, udp,8022,s0) -network_port(oracledb, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0) network_port(ocsp, tcp,9080,s0) ++network_port(openflow, tcp,6633,s0, tcp,6653,s0) network_port(openhpid, tcp,4743,s0, udp,4743,s0) network_port(openvpn, tcp,1194,s0, udp,1194,s0) ++network_port(openvswitch, tcp,6634,s0) +network_port(osapi_compute, tcp, 8774, s0) network_port(pdps, tcp,1314,s0, udp,1314,s0) network_port(pegasus_http, tcp,5988,s0) @@ -5794,7 +5856,7 @@ index 4edc40d..06129ea 100644 network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postfix_policyd, tcp,10031,s0) network_port(postgresql, tcp,5432,s0) -@@ -214,38 +259,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) +@@ -214,51 +268,59 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) 
@@ -5847,7 +5909,12 @@ index 4edc40d..06129ea 100644 network_port(ssh, tcp,22,s0) network_port(stunnel) # no defined portcon network_port(svn, tcp,3690,s0, udp,3690,s0) -@@ -257,8 +309,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) + network_port(svrloc, tcp,427,s0, udp,427,s0) + network_port(swat, tcp,901,s0) + network_port(sype_transport, tcp,9911,s0, udp,9911,s0) +-network_port(syslogd, udp,514,s0) ++network_port(syslogd, udp,514,s0, udp,601,s0, tcp,601,s0) + network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) @@ -5858,7 +5925,7 @@ index 4edc40d..06129ea 100644 network_port(transproxy, tcp,8081,s0) network_port(trisoap, tcp,10200,s0, udp,10200,s0) network_port(ups, tcp,3493,s0) -@@ -268,10 +321,10 @@ network_port(varnishd, tcp,6081-6082,s0) +@@ -268,10 +330,10 @@ network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virtual_places, tcp,1533,s0, udp,1533,s0) network_port(virt_migration, tcp,49152-49216,s0) @@ -5871,7 +5938,7 @@ index 4edc40d..06129ea 100644 network_port(winshadow, tcp,3161,s0, udp,3261,s0) network_port(wsdapi, tcp,5357,s0, udp,5357,s0) network_port(wsicopy, tcp,3378,s0, udp,3378,s0) -@@ -285,19 +338,23 @@ network_port(zabbix_agent, tcp,10050,s0) +@@ -285,19 +347,23 @@ network_port(zabbix_agent, tcp,10050,s0) network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) @@ -5898,7 +5965,7 @@ index 4edc40d..06129ea 100644 ######################################## # -@@ -330,6 +387,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) +@@ -330,6 +396,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh) build_option(`enable_mls',` network_interface(lo, lo, s0 - mls_systemhigh) 
@@ -5907,7 +5974,7 @@ index 4edc40d..06129ea 100644 ',` typealias netif_t alias { lo_netif_t netif_lo_t }; ') -@@ -342,9 +401,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -342,9 +410,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -5963,7 +6030,7 @@ index 3f6e168..51ad69a 100644 ') diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index b31c054..e4d61f5 100644 +index b31c054..0ad8553 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -15,15 +15,18 @@ @@ -6005,17 +6072,19 @@ index b31c054..e4d61f5 100644 /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0) /dev/uinput -c gen_context(system_u:object_r:event_device_t,s0) -@@ -118,6 +123,9 @@ +@@ -118,6 +123,11 @@ ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) ') +/dev/vchiq -c gen_context(system_u:object_r:v4l_device_t,s0) +/dev/vc-mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) -+/dev/vfio/vfio -c gen_context(system_u:object_r:vfio_device_t,s0) ++/dev/vfio/(vfio)?[0-9]* -c gen_context(system_u:object_r:vfio_device_t,s0) ++/dev/sclp[0-9]* -c gen_context(system_u:object_r:vfio_device_t,s0) ++/dev/vmcp[0-9]* -c gen_context(system_u:object_r:vfio_device_t,s0) /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0) /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -@@ -129,12 +137,14 @@ ifdef(`distro_suse', ` +@@ -129,12 +139,14 @@ ifdef(`distro_suse', ` /dev/vttuner -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vtx.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/watchdog.* -c gen_context(system_u:object_r:watchdog_device_t,s0) 
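Review bot: The new entries `/dev/sclp[0-9]* -c gen_context(system_u:object_r:vfio_device_t,s0)` and `/dev/vmcp[0-9]* -c gen_context(system_u:object_r:vfio_device_t,s0)` put two s390 device nodes under the VFIO device type although they are not VFIO devices; /dev/vmcp in particular is, as far as I know, the node through which a process issues CP commands to the z/VM hypervisor. Reusing `vfio_device_t` means every domain granted read/write on that type for PCI passthrough also reaches that interface — which domains those are is not visible from this hunk, so it needs checking against the callers of the vfio interfaces. A dedicated type, or at least a comment explaining the choice (`# sclp/vmcp share vfio_device_t because <reason placeholder>`), would make the decision auditable. The widened `/dev/vfio/(vfio)?[0-9]*` pattern itself looks right for /dev/vfio/vfio and the per-group /dev/vfio/N nodes.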
@@ -6030,7 +6099,16 @@ index b31c054..e4d61f5 100644 /dev/card.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) -@@ -198,12 +208,22 @@ ifdef(`distro_debian',` +@@ -172,6 +184,8 @@ ifdef(`distro_suse', ` + /dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) + /dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) + ++/dev/uhid -c gen_context(system_u:object_r:uhid_device_t,s0) ++ + /dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0) + /dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) + /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) +@@ -198,12 +212,27 @@ ifdef(`distro_debian',` /lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) /lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) @@ -6042,6 +6120,11 @@ index b31c054..e4d61f5 100644 /var/named/chroot/dev/null -c gen_context(system_u:object_r:null_device_t,s0) /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0) /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) ++/var/named/chroot_sdb/dev -d gen_context(system_u:object_r:device_t,s0) ++/var/named/chroot_sdb/dev/null -c gen_context(system_u:object_r:null_device_t,s0) ++/var/named/chroot_sdb/dev/random -c gen_context(system_u:object_r:random_device_t,s0) ++/var/named/chroot_sdb/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) ++/ +/var/spool/postfix/dev -d gen_context(system_u:object_r:device_t,s0) ') + @@ -6056,7 +6139,7 @@ index b31c054..e4d61f5 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..b708d28 100644 +index 76f285e..fb27ae5 100644 
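Review bot: The `@@ -6042,6 +6120,11 @@` hunk adds, between the new `/var/named/chroot_sdb/dev/zero` entry and the existing `/var/spool/postfix/dev` line, a line consisting only of `/` (it appears here as `++/`). If that is not a rendering artifact of this page, it is a file-context line with no context field, which the file_contexts parser treats as malformed — skipped with a warning at best, a build failure at worst — and it should be deleted. The four `chroot_sdb` entries above it mirror the existing `/var/named/chroot/dev` block and look fine.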
--- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` 
@@ -6473,122 +6556,85 @@ index 76f285e..b708d28 100644 ####################################### ## ## Set the attributes of the dlm control devices. -@@ -2402,7 +2605,7 @@ interface(`dev_filetrans_lirc',` - - ######################################## - ## --## Get the attributes of the lvm comtrol device. -+## Get the attributes of the loop comtrol device. - ## - ## - ## -@@ -2410,17 +2613,17 @@ interface(`dev_filetrans_lirc',` - ## - ## - # --interface(`dev_getattr_lvm_control',` -+interface(`dev_getattr_loop_control',` - gen_require(` -- type device_t, lvm_control_t; -+ type device_t, loop_control_device_t; - ') - -- getattr_chr_files_pattern($1, device_t, lvm_control_t) -+ getattr_chr_files_pattern($1, device_t, loop_control_device_t) - ') - - ######################################## - ## --## Read the lvm comtrol device. -+## Read the loop comtrol device. - ## - ## - ## -@@ -2428,17 +2631,17 @@ interface(`dev_getattr_lvm_control',` - ## - ## - # --interface(`dev_read_lvm_control',` -+interface(`dev_read_loop_control',` - gen_require(` -- type device_t, lvm_control_t; -+ type device_t, loop_control_device_t; - ') - -- read_chr_files_pattern($1, device_t, lvm_control_t) -+ read_chr_files_pattern($1, device_t, loop_control_device_t) - ') +@@ -1883,6 +2086,25 @@ interface(`dev_rw_dri',` ######################################## ## --## Read and write the lvm control device. -+## Read and write the loop control device. ++## Read and write the dri devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_inherited_dri',` ++ gen_require(` ++ type device_t, dri_device_t; ++ ') ++ ++ allow $1 device_t:dir search_dir_perms; ++ allow $1 dri_device_t:chr_file rw_inherited_chr_file_perms; ++') ++ ++######################################## ++## + ## Dontaudit read and write on the dri devices. 
## ## - ## -@@ -2446,17 +2649,17 @@ interface(`dev_read_lvm_control',` - ## - ## - # --interface(`dev_rw_lvm_control',` -+interface(`dev_rw_loop_control',` - gen_require(` -- type device_t, lvm_control_t; -+ type device_t, loop_control_device_t; - ') - -- rw_chr_files_pattern($1, device_t, lvm_control_t) -+ rw_chr_files_pattern($1, device_t, loop_control_device_t) - ') +@@ -2017,7 +2239,7 @@ interface(`dev_rw_input_dev',` ######################################## ## --## Do not audit attempts to read and write lvm control device. -+## Do not audit attempts to read and write loop control device. +-## Get the attributes of the framebuffer device node. ++## Read input event devices (/dev/input). ## ## ## -@@ -2464,17 +2667,17 @@ interface(`dev_rw_lvm_control',` +@@ -2025,17 +2247,19 @@ interface(`dev_rw_input_dev',` ## ## # --interface(`dev_dontaudit_rw_lvm_control',` -+interface(`dev_dontaudit_rw_loop_control',` +-interface(`dev_getattr_framebuffer_dev',` ++interface(`dev_rw_inherited_input_dev',` gen_require(` -- type lvm_control_t; -+ type loop_control_device_t; +- type device_t, framebuf_device_t; ++ type device_t, event_device_t; ') -- dontaudit $1 lvm_control_t:chr_file rw_file_perms; -+ dontaudit $1 loop_control_device_t:chr_file rw_file_perms; +- getattr_chr_files_pattern($1, device_t, framebuf_device_t) ++ allow $1 device_t:dir search_dir_perms; ++ allow $1 event_device_t:chr_file rw_inherited_chr_file_perms; ') ++ ######################################## ## --## Delete the lvm control device. -+## Delete the loop control device. +-## Set the attributes of the framebuffer device node. ++## Read ipmi devices. 
## ## ## -@@ -2482,35 +2685,35 @@ interface(`dev_dontaudit_rw_lvm_control',` +@@ -2043,36 +2267,35 @@ interface(`dev_getattr_framebuffer_dev',` ## ## # --interface(`dev_delete_lvm_control_dev',` -+interface(`dev_delete_loop_control_dev',` +-interface(`dev_setattr_framebuffer_dev',` ++interface(`dev_read_ipmi_dev',` gen_require(` -- type device_t, lvm_control_t; -+ type device_t, loop_control_device_t; +- type device_t, framebuf_device_t; ++ type device_t, ipmi_device_t; ') -- delete_chr_files_pattern($1, device_t, lvm_control_t) -+ delete_chr_files_pattern($1, device_t, loop_control_device_t) +- setattr_chr_files_pattern($1, device_t, framebuf_device_t) ++ read_chr_files_pattern($1, device_t, ipmi_device_t) ') ######################################## ## --## dontaudit getattr raw memory devices (e.g. /dev/mem). -+## Get the attributes of the loop comtrol device. +-## Dot not audit attempts to set the attributes +-## of the framebuffer device node. ++## Read and write ipmi devices. ## ## ## 
@@ -6597,46 +6643,41 @@ index 76f285e..b708d28 100644 ## ## # --interface(`dev_dontaudit_getattr_memory_dev',` -+interface(`dev_getattr_lvm_control',` +-interface(`dev_dontaudit_setattr_framebuffer_dev',` ++interface(`dev_rw_ipmi_dev',` gen_require(` -- type memory_device_t; -+ type device_t, lvm_control_t; +- type framebuf_device_t; ++ type device_t, ipmi_device_t; ') -- dontaudit $1 memory_device_t:chr_file getattr; -+ getattr_chr_files_pattern($1, device_t, lvm_control_t) +- dontaudit $1 framebuf_device_t:chr_file setattr; ++ rw_chr_files_pattern($1, device_t, ipmi_device_t) ') ######################################## ## --## Read raw memory devices (e.g. /dev/mem). -+## Read the lvm comtrol device. +-## Read the framebuffer. ++## Get the attributes of the framebuffer device node. ## ## ## -@@ -2518,16 +2721,106 @@ interface(`dev_dontaudit_getattr_memory_dev',` +@@ -2080,9 +2303,64 @@ interface(`dev_dontaudit_setattr_framebuffer_dev',` ## ## # --interface(`dev_read_raw_memory',` -+interface(`dev_read_lvm_control',` +-interface(`dev_read_framebuffer',` ++interface(`dev_getattr_framebuffer_dev',` gen_require(` -- type device_t, memory_device_t; -- attribute memory_raw_read; -+ type device_t, lvm_control_t; - ') - -- read_chr_files_pattern($1, device_t, memory_device_t) -- -- allow $1 self:capability sys_rawio; -- typeattribute $1 memory_raw_read; -+ read_chr_files_pattern($1, device_t, lvm_control_t) +- type framebuf_device_t; ++ type device_t, framebuf_device_t; ++ ') ++ ++ getattr_chr_files_pattern($1, device_t, framebuf_device_t) +') + +######################################## +## -+## Read and write the lvm control device. ++## Set the attributes of the framebuffer device node. +## +## +## 
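Review bot: The summary of the new `dev_rw_inherited_dri` interface reads `## Read and write the dri devices.`, which is indistinguishable from `dev_rw_dri` right above it even though this interface only grants `rw_inherited_chr_file_perms`, and `dev_rw_inherited_input_dev` in the same hunk is summarised as `## Read input event devices (/dev/input).` while it grants read and write on inherited descriptors. Suggested wording: `## Read and write inherited dri device file descriptors.` and `## Read and write inherited input event device (/dev/input) file descriptors.`. The distinction is what a policy author relies on when a domain must use a descriptor passed to it but must not open the device nodes itself, so the summaries should say it.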
@@ -6644,17 +6685,18 @@ index 76f285e..b708d28 100644 +## +## +# -+interface(`dev_rw_lvm_control',` ++interface(`dev_setattr_framebuffer_dev',` + gen_require(` -+ type device_t, lvm_control_t; ++ type device_t, framebuf_device_t; + ') + -+ rw_chr_files_pattern($1, device_t, lvm_control_t) ++ setattr_chr_files_pattern($1, device_t, framebuf_device_t) +') + +######################################## +## -+## Do not audit attempts to read and write lvm control device. ++## Dot not audit attempts to set the attributes ++## of the framebuffer device node. +## +## +## @@ -6662,17 +6704,54 @@ index 76f285e..b708d28 100644 +## +## +# -+interface(`dev_dontaudit_rw_lvm_control',` ++interface(`dev_dontaudit_setattr_framebuffer_dev',` ++ gen_require(` ++ type framebuf_device_t; ++ ') ++ ++ dontaudit $1 framebuf_device_t:chr_file setattr; ++') ++ ++######################################## ++## ++## Read the framebuffer. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_read_framebuffer',` + gen_require(` -+ type lvm_control_t; ++ type framebuf_device_t; + ') + + read_chr_files_pattern($1, device_t, framebuf_device_t) +@@ -2402,7 +2680,97 @@ interface(`dev_filetrans_lirc',` + + ######################################## + ## +-## Get the attributes of the lvm comtrol device. ++## Get the attributes of the loop comtrol device. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_getattr_loop_control',` ++ gen_require(` ++ type device_t, loop_control_device_t; + ') + -+ dontaudit $1 lvm_control_t:chr_file rw_file_perms; ++ getattr_chr_files_pattern($1, device_t, loop_control_device_t) +') + +######################################## +## -+## Delete the lvm control device. ++## Read the loop comtrol device. +## +## +## 
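Review bot: The new-side interface documentation in this hunk and the next one carries typos that will be published as the interface summaries: `++## Dot not audit attempts to set the attributes` should read `## Do not audit attempts to set the attributes`, and `++## Get the attributes of the loop comtrol device.` / `++## Read the loop comtrol device.` should say `control`. The same "comtrol" line is re-added in the hunk at @@ -6716 below. These lines are rearranged by the patch rebase, so this is the place to correct them rather than carrying the misspellings forward.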
@@ -6680,17 +6759,35 @@ index 76f285e..b708d28 100644 +## +## +# -+interface(`dev_delete_lvm_control_dev',` ++interface(`dev_read_loop_control',` + gen_require(` -+ type device_t, lvm_control_t; ++ type device_t, loop_control_device_t; + ') + -+ delete_chr_files_pattern($1, device_t, lvm_control_t) ++ read_chr_files_pattern($1, device_t, loop_control_device_t) +') + +######################################## +## -+## dontaudit getattr raw memory devices (e.g. /dev/mem). ++## Read and write the loop control device. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_loop_control',` ++ gen_require(` ++ type device_t, loop_control_device_t; ++ ') ++ ++ rw_chr_files_pattern($1, device_t, loop_control_device_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to read and write loop control device. +## +## +## @@ -6698,17 +6795,17 @@ index 76f285e..b708d28 100644 +## +## +# -+interface(`dev_dontaudit_getattr_memory_dev',` ++interface(`dev_dontaudit_rw_loop_control',` + gen_require(` -+ type memory_device_t; ++ type loop_control_device_t; + ') + -+ dontaudit $1 memory_device_t:chr_file getattr; ++ dontaudit $1 loop_control_device_t:chr_file rw_file_perms; +') + +######################################## +## -+## Read raw memory devices (e.g. /dev/mem). ++## Delete the loop control device. +## +## +## 
@@ -6716,20 +6813,21 @@ index 76f285e..b708d28 100644 +## +## +# -+interface(`dev_read_raw_memory',` ++interface(`dev_delete_loop_control_dev',` + gen_require(` -+ type device_t, memory_device_t; -+ attribute memory_raw_read; ++ type device_t, loop_control_device_t; + ') + -+ read_chr_files_pattern($1, device_t, memory_device_t) ++ delete_chr_files_pattern($1, device_t, loop_control_device_t) ++') + -+ allow $1 self:capability sys_rawio; -+ typeattribute $1 memory_raw_read; - ') - - ######################################## -@@ -2725,7 +3018,7 @@ interface(`dev_write_misc',` ++######################################## ++## ++## Get the attributes of the loop comtrol device. + ## + ## + ## +@@ -2725,7 +3093,7 @@ interface(`dev_write_misc',` ## ## ## @@ -6738,7 +6836,7 @@ index 76f285e..b708d28 100644 ## ## # -@@ -2903,20 +3196,20 @@ interface(`dev_getattr_mtrr_dev',` +@@ -2903,20 +3271,20 @@ interface(`dev_getattr_mtrr_dev',` ######################################## ## @@ -6763,7 +6861,7 @@ index 76f285e..b708d28 100644 ##

## ## -@@ -2925,43 +3218,34 @@ interface(`dev_getattr_mtrr_dev',` +@@ -2925,43 +3293,34 @@ interface(`dev_getattr_mtrr_dev',` ##
## # @@ -6819,7 +6917,7 @@ index 76f285e..b708d28 100644 ## range registers (MTRR). ##
## -@@ -2970,13 +3254,13 @@ interface(`dev_write_mtrr',` +@@ -2970,13 +3329,13 @@ interface(`dev_write_mtrr',` ## ## # @@ -6836,7 +6934,7 @@ index 76f285e..b708d28 100644 ') ######################################## -@@ -3144,6 +3428,42 @@ interface(`dev_create_null_dev',` +@@ -3144,6 +3503,42 @@ interface(`dev_create_null_dev',` ######################################## ## @@ -6879,7 +6977,7 @@ index 76f285e..b708d28 100644 ## Do not audit attempts to get the attributes ## of the BIOS non-volatile RAM device. ## -@@ -3163,6 +3483,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` +@@ -3163,6 +3558,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',` ######################################## ## @@ -6904,7 +7002,7 @@ index 76f285e..b708d28 100644 ## Read and write BIOS non-volatile RAM. ## ## -@@ -3254,7 +3592,25 @@ interface(`dev_rw_printer',` +@@ -3254,7 +3667,25 @@ interface(`dev_rw_printer',` ######################################## ## @@ -6931,7 +7029,7 @@ index 76f285e..b708d28 100644 ## ## ## -@@ -3262,12 +3618,13 @@ interface(`dev_rw_printer',` +@@ -3262,12 +3693,13 @@ interface(`dev_rw_printer',` ## ## # @@ -6948,7 +7046,7 @@ index 76f285e..b708d28 100644 ') ######################################## -@@ -3399,7 +3756,7 @@ interface(`dev_dontaudit_read_rand',` +@@ -3399,7 +3831,7 @@ interface(`dev_dontaudit_read_rand',` ######################################## ## @@ -6957,7 +7055,7 @@ index 76f285e..b708d28 100644 ## number generator devices (e.g., /dev/random) ## ## -@@ -3413,7 +3770,7 @@ interface(`dev_dontaudit_append_rand',` +@@ -3413,7 +3845,7 @@ interface(`dev_dontaudit_append_rand',` type random_device_t; ') @@ -6966,7 +7064,7 @@ index 76f285e..b708d28 100644 ') ######################################## -@@ -3855,7 +4212,7 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3855,7 +4287,7 @@ interface(`dev_getattr_sysfs_dirs',` ######################################## ## 
@@ -6975,7 +7073,7 @@ index 76f285e..b708d28 100644 ## ## ## -@@ -3863,53 +4220,53 @@ interface(`dev_getattr_sysfs_dirs',` +@@ -3863,53 +4295,53 @@ interface(`dev_getattr_sysfs_dirs',` ## ## # @@ -7040,7 +7138,7 @@ index 76f285e..b708d28 100644 ## ## ## -@@ -3917,37 +4274,35 @@ interface(`dev_list_sysfs',` +@@ -3917,37 +4349,35 @@ interface(`dev_list_sysfs',` ## ## # @@ -7085,7 +7183,7 @@ index 76f285e..b708d28 100644 ## ## ## -@@ -3955,47 +4310,35 @@ interface(`dev_dontaudit_write_sysfs_dirs',` +@@ -3955,26 +4385,145 @@ interface(`dev_dontaudit_write_sysfs_dirs',` ## ## # @@ -7103,91 +7201,63 @@ index 76f285e..b708d28 100644 ## -## Read hardware state information. +## Do not audit attempts to search sysfs. - ## --## --##

--## Allow the specified domain to read the contents of --## the sysfs filesystem. This filesystem contains --## information, parameters, and other settings on the --## hardware installed on the system. --##

--##
- ## - ## --## Domain allowed access. ++## ++## ++## +## Domain to not audit. - ## - ## --## - # --interface(`dev_read_sysfs',` ++## ++## ++# +interface(`dev_dontaudit_search_sysfs',` - gen_require(` - type sysfs_t; - ') - -- read_files_pattern($1, sysfs_t, sysfs_t) -- read_lnk_files_pattern($1, sysfs_t, sysfs_t) -- -- list_dirs_pattern($1, sysfs_t, sysfs_t) ++ gen_require(` ++ type sysfs_t; ++ ') ++ + dontaudit $1 sysfs_t:dir search_dir_perms; - ') - - ######################################## - ## --## Allow caller to modify hardware state information. ++') ++ ++######################################## ++## +## List the contents of the sysfs directories. - ## - ## - ## -@@ -4003,20 +4346,18 @@ interface(`dev_read_sysfs',` - ## - ## - # --interface(`dev_rw_sysfs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`dev_list_sysfs',` - gen_require(` - type sysfs_t; - ') - -- rw_files_pattern($1, sysfs_t, sysfs_t) - read_lnk_files_pattern($1, sysfs_t, sysfs_t) -- - list_dirs_pattern($1, sysfs_t, sysfs_t) - ') - - ######################################## - ## --## Read and write the TPM device. ++ gen_require(` ++ type sysfs_t; ++ ') ++ ++ read_lnk_files_pattern($1, sysfs_t, sysfs_t) ++ list_dirs_pattern($1, sysfs_t, sysfs_t) ++') ++ ++######################################## ++## +## Write in a sysfs directories. - ## - ## - ## -@@ -4024,22 +4365,211 @@ interface(`dev_rw_sysfs',` - ## - ## - # --interface(`dev_rw_tpm',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +# cjp: added for cpuspeed +interface(`dev_write_sysfs_dirs',` - gen_require(` -- type device_t, tpm_device_t; ++ gen_require(` + type sysfs_t; - ') - -- rw_chr_files_pattern($1, device_t, tpm_device_t) ++ ') ++ + allow $1 sysfs_t:dir write; - ') - - ######################################## - ## --## Read from pseudo random number generator devices (e.g., /dev/urandom). 
++') ++ ++######################################## ++## +## Do not audit attempts to write in a sysfs directory. - ## --## --##

--## Allow the specified domain to read from pseudo random number --## generator devices (e.g., /dev/urandom). Typically this is ++##

+## +## +## Domain to not audit. @@ -7229,7 +7299,15 @@ index 76f285e..b708d28 100644 +######################################## +## +## Relabel cpu online hardware state information. -+## + ## +-## +-##

+-## Allow the specified domain to read the contents of +-## the sysfs filesystem. This filesystem contains +-## information, parameters, and other settings on the +-## hardware installed on the system. +-##

+-##
+## +## +## Domain allowed access. @@ -7259,47 +7337,13 @@ index 76f285e..b708d28 100644 +## hardware installed on the system. +##

+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`dev_read_sysfs',` -+ gen_require(` -+ type sysfs_t; -+ ') -+ -+ read_files_pattern($1, sysfs_t, sysfs_t) -+ read_lnk_files_pattern($1, sysfs_t, sysfs_t) -+ -+ list_dirs_pattern($1, sysfs_t, sysfs_t) -+') -+ -+######################################## -+## -+## Allow caller to modify hardware state information. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_rw_sysfs',` -+ gen_require(` -+ type sysfs_t; -+ ') -+ -+ rw_files_pattern($1, sysfs_t, sysfs_t) -+ read_lnk_files_pattern($1, sysfs_t, sysfs_t) -+ -+ list_dirs_pattern($1, sysfs_t, sysfs_t) -+') -+ -+######################################## -+## + ## + ## + ## Domain allowed access. +@@ -4016,6 +4565,62 @@ interface(`dev_rw_sysfs',` + + ######################################## + ## +## Relabel hardware state directories. +## +## @@ -7356,34 +7400,10 @@ index 76f285e..b708d28 100644 + +######################################## +## -+## Read and write the TPM device. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`dev_rw_tpm',` -+ gen_require(` -+ type device_t, tpm_device_t; -+ ') -+ -+ rw_chr_files_pattern($1, device_t, tpm_device_t) -+') -+ -+######################################## -+## -+## Read from pseudo random number generator devices (e.g., /dev/urandom). -+## -+## -+##

-+## Allow the specified domain to read from pseudo random number -+## generator devices (e.g., /dev/urandom). Typically this is - ## used in situations when a cryptographically secure random - ## number is not necessarily needed. One example is the Stack - ## Smashing Protector (SSP, formerly known as ProPolice) support -@@ -4113,6 +4643,25 @@ interface(`dev_write_urand',` + ## Read and write the TPM device. + ##

+ ## +@@ -4113,6 +4718,25 @@ interface(`dev_write_urand',` ######################################## ## @@ -7409,7 +7429,7 @@ index 76f285e..b708d28 100644 ## Getattr generic the USB devices. ## ## -@@ -4409,9 +4958,9 @@ interface(`dev_rw_usbfs',` +@@ -4409,9 +5033,9 @@ interface(`dev_rw_usbfs',` read_lnk_files_pattern($1, usbfs_t, usbfs_t) ') @@ -7421,7 +7441,7 @@ index 76f285e..b708d28 100644 ##
## ## -@@ -4419,17 +4968,17 @@ interface(`dev_rw_usbfs',` +@@ -4419,17 +5043,17 @@ interface(`dev_rw_usbfs',` ## ## # @@ -7444,7 +7464,7 @@ index 76f285e..b708d28 100644 ##
## ## -@@ -4437,12 +4986,12 @@ interface(`dev_getattr_video_dev',` +@@ -4437,12 +5061,12 @@ interface(`dev_getattr_video_dev',` ## ## # @@ -7460,7 +7480,7 @@ index 76f285e..b708d28 100644 ') ######################################## -@@ -4539,6 +5088,134 @@ interface(`dev_write_video_dev',` +@@ -4539,6 +5163,134 @@ interface(`dev_write_video_dev',` ######################################## ## @@ -7595,7 +7615,7 @@ index 76f285e..b708d28 100644 ## Allow read/write the vhost net device ## ## -@@ -4557,6 +5234,24 @@ interface(`dev_rw_vhost',` +@@ -4557,6 +5309,24 @@ interface(`dev_rw_vhost',` ######################################## ## @@ -7620,7 +7640,7 @@ index 76f285e..b708d28 100644 ## Read and write VMWare devices. ## ## -@@ -4762,6 +5457,26 @@ interface(`dev_rw_xserver_misc',` +@@ -4762,6 +5532,26 @@ interface(`dev_rw_xserver_misc',` ######################################## ## @@ -7647,7 +7667,7 @@ index 76f285e..b708d28 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4851,3 +5566,943 @@ interface(`dev_unconfined',` +@@ -4851,3 +5641,946 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ') @@ -7798,6 +7818,7 @@ index 76f285e..b708d28 100644 +gen_require(` + type device_t; + type usb_device_t; ++ type uhid_device_t; + type sound_device_t; + type apm_bios_t; + type mouse_device_t; @@ -7988,6 +8009,7 @@ index 76f285e..b708d28 100644 + filetrans_pattern($1, device_t, event_device_t, chr_file, "event18") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event19") + filetrans_pattern($1, device_t, event_device_t, chr_file, "event20") ++ filetrans_pattern($1, device_t, event_device_t, chr_file, "event21") + filetrans_pattern($1, device_t, xen_device_t, chr_file, "evtchn") + filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb0") + filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb1") 
@@ -8524,6 +8546,7 @@ index 76f285e..b708d28 100644 + filetrans_pattern($1, device_t, usb_device_t, chr_file, "uba") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubb") + filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubc") ++ filetrans_pattern($1, device_t, uhid_device_t, chr_file, "uhid") + dev_filetrans_xserver_named_dev($1) +') + @@ -8592,7 +8615,7 @@ index 76f285e..b708d28 100644 + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") +') diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te -index 6529bd9..831344c 100644 +index 6529bd9..b31a5e8 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -15,11 +15,12 @@ attribute devices_unconfined_type; @@ -8658,17 +8681,23 @@ index 6529bd9..831344c 100644 # # Type for /dev/tpm # -@@ -266,6 +275,9 @@ dev_node(usbmon_device_t) +@@ -266,6 +275,15 @@ dev_node(usbmon_device_t) type userio_device_t; dev_node(userio_device_t) ++# ++# uhid_device_t is the type for /dev/uhid ++# ++type uhid_device_t; ++dev_node(uhid_device_t) ++ +type vfio_device_t; +dev_node(vfio_device_t) + type v4l_device_t; dev_node(v4l_device_t) -@@ -274,6 +286,7 @@ dev_node(v4l_device_t) +@@ -274,6 +292,7 @@ dev_node(v4l_device_t) # type vhost_device_t; dev_node(vhost_device_t) @@ -8676,7 +8705,7 @@ index 6529bd9..831344c 100644 # Type for vmware devices. type vmware_device_t; -@@ -319,5 +332,5 @@ files_associate_tmp(device_node) +@@ -319,5 +338,5 @@ files_associate_tmp(device_node) # allow devices_unconfined_type self:capability sys_rawio; @@ -8892,7 +8921,7 @@ index 6a1e4d1..84e8030 100644 + dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..369ddc2 100644 +index cf04cb5..64d9761 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) 
@@ -8933,13 +8962,14 @@ index cf04cb5..369ddc2 100644 # Transitions only allowed from domains to other domains neverallow domain ~domain:process { transition dyntransition }; -@@ -86,23 +110,45 @@ neverallow ~{ domain unlabeled_t } *:process *; +@@ -86,23 +110,47 @@ neverallow ~{ domain unlabeled_t } *:process *; allow domain self:dir list_dir_perms; allow domain self:lnk_file { read_lnk_file_perms lock ioctl }; allow domain self:file rw_file_perms; +allow domain self:fifo_file rw_fifo_file_perms; +allow domain self:sem create_sem_perms; +allow domain self:shm create_shm_perms; ++allow domain self:key manage_key_perms; + kernel_read_proc_symlinks(domain) +kernel_read_crypto_sysctls(domain) @@ -8970,6 +9000,7 @@ index cf04cb5..369ddc2 100644 +files_read_inherited_tmp_files(domain) +files_append_inherited_tmp_files(domain) +files_read_all_base_ro_files(domain) ++files_dontaduit_getattr_kernel_symbol_table(domain) + +# All executables should be able to search the directory they are in +corecmd_search_bin(domain) @@ -8980,7 +9011,7 @@ index cf04cb5..369ddc2 100644 ifdef(`hide_broken_symptoms',` # This check is in the general socket -@@ -121,8 +167,18 @@ tunable_policy(`global_ssp',` +@@ -121,8 +169,18 @@ tunable_policy(`global_ssp',` ') optional_policy(` @@ -8999,7 +9030,7 @@ index cf04cb5..369ddc2 100644 ') optional_policy(` -@@ -133,6 +189,9 @@ optional_policy(` +@@ -133,6 +191,9 @@ optional_policy(` optional_policy(` xserver_dontaudit_use_xdm_fds(domain) xserver_dontaudit_rw_xdm_pipes(domain) @@ -9009,7 +9040,7 @@ index cf04cb5..369ddc2 100644 ') ######################################## -@@ -147,12 +206,18 @@ optional_policy(` +@@ -147,12 +208,18 @@ optional_policy(` # Use/sendto/connectto sockets created by any domain. allow unconfined_domain_type domain:{ socket_class_set socket key_socket } *; 
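Review bot: The call `files_dontaduit_getattr_kernel_symbol_table(domain)` added in the @@ -86,23 hunk has a misspelled interface name ("dontaduit"). If the definition in files.if, which is outside this view, carries the same typo the policy builds, but the misspelling then becomes part of the public interface that other modules will reference; renaming both sides to `files_dontaudit_getattr_kernel_symbol_table` now is cheaper than after it is depended upon. The surrounding additions on the `domain` attribute (for example `allow domain self:key manage_key_perms;`) apply to every confined domain, so a short comment on why each is needed policy-wide would also help later audits of this block.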
@@ -9029,7 +9060,7 @@ index cf04cb5..369ddc2 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +231,306 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +233,338 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -9046,6 +9077,10 @@ index cf04cb5..369ddc2 100644 +dev_config_null_dev_service(unconfined_domain_type) + +optional_policy(` ++ dbus_filetrans_named_content_system(named_filetrans_domain) ++') ++ ++optional_policy(` + kdump_filetrans_named_content(unconfined_domain_type) +') + @@ -9061,6 +9096,10 @@ index cf04cb5..369ddc2 100644 + seutil_filetrans_named_content(named_filetrans_domain) +') + ++optional_policy(` ++ wine_filetrans_named_content(named_filetrans_domain) ++') ++ +storage_filetrans_all_named_dev(named_filetrans_domain) + +term_filetrans_all_named_dev(named_filetrans_domain) @@ -9076,6 +9115,14 @@ index cf04cb5..369ddc2 100644 + init_filetrans_named_content(named_filetrans_domain) +') + ++# Allow manage transient unit files ++optional_policy(` ++ init_start_transient_unit(unconfined_domain_type) ++ init_stop_transient_unit(unconfined_domain_type) ++ init_status_transient_unit(unconfined_domain_type) ++ init_reload_transient_unit(unconfined_domain_type) ++') ++ +optional_policy(` + auth_filetrans_named_content(named_filetrans_domain) + auth_filetrans_admin_home_content(named_filetrans_domain) @@ -9126,6 +9173,10 @@ index cf04cb5..369ddc2 100644 +') + +optional_policy(` ++ docker_filetrans_named_content(named_filetrans_domain) ++') ++ ++optional_policy(` + dnsmasq_filetrans_named_content(named_filetrans_domain) +') + 
@@ -9225,6 +9276,10 @@ index cf04cb5..369ddc2 100644 +') + +optional_policy(` ++ userdom_filetrans_named_user_tmp_files(named_filetrans_domain) ++') ++ ++optional_policy(` + virt_filetrans_named_content(named_filetrans_domain) +') + @@ -9272,6 +9327,10 @@ index cf04cb5..369ddc2 100644 + cron_rw_system_job_pipes(domain) +') + ++optional_policy(` ++ devicekit_dbus_chat_power(domain) ++') ++ +ifdef(`hide_broken_symptoms',` + dontaudit domain self:udp_socket listen; + allow domain domain:key { link search }; @@ -9316,6 +9375,10 @@ index cf04cb5..369ddc2 100644 +dontaudit domain domain:process { noatsecure siginh rlimitinh } ; + +optional_policy(` ++ rkhunter_append_lib_files(domain) ++') ++ ++optional_policy(` + rpm_rw_script_inherited_pipes(domain) + rpm_use_fds(domain) + rpm_read_pipes(domain) @@ -9337,7 +9400,7 @@ index cf04cb5..369ddc2 100644 + ') +') diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index c2c6e05..058bb58 100644 +index c2c6e05..7996499 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -9392,7 +9455,7 @@ index c2c6e05..058bb58 100644 +/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:system_conf_t,s0) +/etc/sysconfig/ipvsadm.* -- gen_context(system_u:object_r:system_conf_t,s0) +/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:system_conf_t,s0) -+/etc/yum\.repos\.d/redhat\.repo -- gen_context(system_u:object_r:system_conf_t,s0) ++/etc/yum\.repos\.d(/.*)? gen_context(system_u:object_r:system_conf_t,s0) /etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0) @@ -9535,7 +9598,7 @@ index c2c6e05..058bb58 100644 /var/.* gen_context(system_u:object_r:var_t,s0) /var/\.journal <> -@@ -237,11 +244,24 @@ ifndef(`distro_redhat',` +@@ -237,11 +244,25 @@ ifndef(`distro_redhat',` /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) 
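Review bot: `devicekit_dbus_chat_power(domain)` (hunk @@ -9272) and `rkhunter_append_lib_files(domain)` (hunk @@ -9316) are granted on the `domain` attribute, that is to every domain in the policy, without a comment giving the motivation. The other rules added on `domain` in this stretch are inherited-pipe/fd rules and dontaudits, so a blanket allow for D-Bus chat with the power daemon and for appending to rkhunter's state files is noticeably wider than its neighbours and will be hard to justify later. Either scope them to the domains that actually need them or add a one-line comment such as `# every domain may be queried by upower over D-Bus` above the optional_policy block.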
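Review bot: The files.fc change in hunk @@ -9392 replaces the single entry for `/etc/yum\.repos\.d/redhat\.repo` with `/etc/yum\.repos\.d(/.*)?`, which has no `--` file-type column and therefore labels the directory and every repository definition under it `system_conf_t`. Any domain granted `files_manage_system_conf_files` (added further down in this patch) can then rewrite where the host fetches packages from, not just the subscription-managed file, so this is a real widening of what that type protects. If that is intended, a comment beside the entry stating so would help; otherwise keep the pattern to the individual repo files that need it.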
@@ -9553,7 +9616,8 @@ index c2c6e05..058bb58 100644 +/var/lib/openshift/.stickshift-proxy.d(/.*)? gen_context(system_u:object_r:etc_t,s0) +/var/lib/openshift/.limits.d(/.*)? gen_context(system_u:object_r:etc_t,s0) + -+/var/lib/servicelog/servicelog.db -- gen_context(system_u:object_r:system_db_t,s0) ++/var/lib/servicelog/servicelog\.db -- gen_context(system_u:object_r:system_db_t,s0) ++/var/lib/servicelog/servicelog\.db-journal -- gen_context(system_u:object_r:system_db_t,s0) + +/var/lock -d gen_context(system_u:object_r:var_lock_t,s0) +/var/lock -l gen_context(system_u:object_r:var_lock_t,s0) @@ -9561,7 +9625,7 @@ index c2c6e05..058bb58 100644 /var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/log/lost\+found/.* <> -@@ -256,12 +276,14 @@ ifndef(`distro_redhat',` +@@ -256,12 +277,14 @@ ifndef(`distro_redhat',` /var/run -l gen_context(system_u:object_r:var_run_t,s0) /var/run/.* gen_context(system_u:object_r:var_run_t,s0) /var/run/.*\.*pid <> @@ -9576,14 +9640,14 @@ index c2c6e05..058bb58 100644 /var/tmp/.* <> /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found/.* <> -@@ -270,3 +292,5 @@ ifndef(`distro_redhat',` +@@ -270,3 +293,5 @@ ifndef(`distro_redhat',` ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0) ') +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index 64ff4d7..2b01383 100644 +index 64ff4d7..2dd815a 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -19,6 +19,136 @@ 
@@ -10214,7 +10278,32 @@ index 64ff4d7..2b01383 100644 ## Set the attributes of all mount points. ## ## -@@ -1673,6 +2043,24 @@ interface(`files_dontaudit_list_all_mountpoints',` +@@ -1601,6 +1971,24 @@ interface(`files_setattr_all_mountpoints',` + + ######################################## + ## ++## Set the attributes of all mount points. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_relabelto_all_mountpoints',` ++ gen_require(` ++ attribute mountpoint; ++ ') ++ ++ allow $1 mountpoint:dir relabelto; ++') ++ ++######################################## ++## + ## Do not audit attempts to set the attributes on all mount points. + ## + ## +@@ -1673,6 +2061,24 @@ interface(`files_dontaudit_list_all_mountpoints',` ######################################## ## @@ -10239,7 +10328,7 @@ index 64ff4d7..2b01383 100644 ## Do not audit attempts to write to mount points. ## ## -@@ -1691,6 +2079,42 @@ interface(`files_dontaudit_write_all_mountpoints',` +@@ -1691,6 +2097,42 @@ interface(`files_dontaudit_write_all_mountpoints',` ######################################## ## 
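Review bot: The summary for the new `files_relabelto_all_mountpoints` interface in hunk @@ -1601,6 reads `## Set the attributes of all mount points.`, which is copied from the preceding `files_setattr_all_mountpoints` and does not describe the `allow $1 mountpoint:dir relabelto;` rule. Change it to `## Relabel to the type of all mount points.` so the generated interface documentation matches the permission granted.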
@@ -10282,7 +10371,58 @@ index 64ff4d7..2b01383 100644 ## List the contents of the root directory. ## ## -@@ -1874,25 +2298,25 @@ interface(`files_delete_root_dir_entry',` +@@ -1707,6 +2149,23 @@ interface(`files_list_root',` + allow $1 root_t:dir list_dir_perms; + allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock }; + ') ++######################################## ++## ++## Do not audit attempts to write to / dirs. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_write_root_dirs',` ++ gen_require(` ++ type root_t; ++ ') ++ ++ allow $1 root_t:dir write; ++') + + ######################################## + ## +@@ -1747,6 +2206,26 @@ interface(`files_dontaudit_rw_root_dir',` + + ######################################## + ## ++## Do not audit attempts to check the ++## access on root directory. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_access_check_root',` ++ gen_require(` ++ type root_t; ++ ') ++ ++ dontaudit $1 root_t:dir_file_class_set audit_access; ++') ++ ++ ++######################################## ++## + ## Create an object in the root directory, with a private + ## type using a type transition. + ## +@@ -1874,25 +2353,25 @@ interface(`files_delete_root_dir_entry',` ######################################## ## @@ -10314,7 +10454,7 @@ index 64ff4d7..2b01383 100644 ## ## ## -@@ -1905,7 +2329,7 @@ interface(`files_relabel_rootfs',` +@@ -1905,7 +2384,7 @@ interface(`files_relabel_rootfs',` type root_t; ') @@ -10323,7 +10463,7 @@ index 64ff4d7..2b01383 100644 ') ######################################## -@@ -1928,6 +2352,24 @@ interface(`files_unmount_rootfs',` +@@ -1928,6 +2407,24 @@ interface(`files_unmount_rootfs',` ######################################## ## 
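Review bot: The new `files_write_root_dirs` interface in hunk @@ -1707,6 is documented as `## Do not audit attempts to write to / dirs.` with a `## Domain to not audit.` parameter, but its body is `allow $1 root_t:dir write;`, an allow rule rather than a dontaudit. The summary should read `## Write to the root (/) directory.` and the parameter `## Domain allowed access.`, otherwise a caller reading the docs will believe they are silencing denials when they are actually granting write on /. As a point of style, the `+########` banner for this interface follows the previous `')` with no blank line while `files_dontaudit_access_check_root` further down is followed by two; one blank line between interfaces is the convention in this file.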
@@ -10348,7 +10488,7 @@ index 64ff4d7..2b01383 100644 ## Get attributes of the /boot directory. ## ## -@@ -2163,6 +2605,24 @@ interface(`files_relabelfrom_boot_files',` +@@ -2163,6 +2660,24 @@ interface(`files_relabelfrom_boot_files',` relabelfrom_files_pattern($1, boot_t, boot_t) ') @@ -10373,7 +10513,7 @@ index 64ff4d7..2b01383 100644 ###################################### ## ## Read symbolic links in the /boot directory. -@@ -2627,6 +3087,24 @@ interface(`files_rw_etc_dirs',` +@@ -2627,6 +3142,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') @@ -10398,7 +10538,7 @@ index 64ff4d7..2b01383 100644 ########################################## ## ## Manage generic directories in /etc -@@ -2698,6 +3176,7 @@ interface(`files_read_etc_files',` +@@ -2698,6 +3231,7 @@ interface(`files_read_etc_files',` allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) @@ -10406,7 +10546,7 @@ index 64ff4d7..2b01383 100644 ') ######################################## -@@ -2706,7 +3185,7 @@ interface(`files_read_etc_files',` +@@ -2706,7 +3240,7 @@ interface(`files_read_etc_files',` ## ## ## @@ -10415,7 +10555,7 @@ index 64ff4d7..2b01383 100644 ## ## # -@@ -2762,6 +3241,25 @@ interface(`files_manage_etc_files',` +@@ -2762,6 +3296,25 @@ interface(`files_manage_etc_files',` ######################################## ## @@ -10441,7 +10581,7 @@ index 64ff4d7..2b01383 100644 ## Delete system configuration files in /etc. ## ## -@@ -2780,6 +3278,24 @@ interface(`files_delete_etc_files',` +@@ -2780,6 +3333,24 @@ interface(`files_delete_etc_files',` ######################################## ## @@ -10466,7 +10606,7 @@ index 64ff4d7..2b01383 100644 ## Execute generic files in /etc. ## ## -@@ -2945,24 +3461,6 @@ interface(`files_delete_boot_flag',` +@@ -2945,26 +3516,8 @@ interface(`files_delete_boot_flag',` ######################################## ## 
@@ -10488,10 +10628,14 @@ index 64ff4d7..2b01383 100644 - -######################################## -## - ## Read files in /etc that are dynamically - ## created on boot, such as mtab. +-## Read files in /etc that are dynamically +-## created on boot, such as mtab. ++## Read files in /etc that are dynamically ++## created on boot, such as mtab. ## -@@ -3003,9 +3501,7 @@ interface(`files_read_etc_runtime_files',` + ## + ##

+@@ -3003,9 +3556,7 @@ interface(`files_read_etc_runtime_files',` ######################################## ##

@@ -10502,7 +10646,7 @@ index 64ff4d7..2b01383 100644 ## ## ## -@@ -3013,18 +3509,17 @@ interface(`files_read_etc_runtime_files',` +@@ -3013,18 +3564,17 @@ interface(`files_read_etc_runtime_files',` ## ## # @@ -10524,7 +10668,7 @@ index 64ff4d7..2b01383 100644 ##
## ## -@@ -3042,6 +3537,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` +@@ -3042,6 +3592,26 @@ interface(`files_dontaudit_write_etc_runtime_files',` ######################################## ## @@ -10551,7 +10695,7 @@ index 64ff4d7..2b01383 100644 ## Read and write files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -3059,6 +3574,7 @@ interface(`files_rw_etc_runtime_files',` +@@ -3059,6 +3629,7 @@ interface(`files_rw_etc_runtime_files',` allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) @@ -10559,7 +10703,7 @@ index 64ff4d7..2b01383 100644 ') ######################################## -@@ -3080,6 +3596,7 @@ interface(`files_manage_etc_runtime_files',` +@@ -3080,6 +3651,7 @@ interface(`files_manage_etc_runtime_files',` ') manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) 
@@ -10567,58 +10711,30 @@ index 64ff4d7..2b01383 100644 ') ######################################## -@@ -3132,45 +3649,64 @@ interface(`files_getattr_isid_type_dirs',` +@@ -3132,6 +3704,44 @@ interface(`files_getattr_isid_type_dirs',` ######################################## ## --## Do not audit attempts to search directories on new filesystems -+## Setattr of directories on new filesystems - ## that have not yet been labeled. - ## - ## - ## --## Domain to not audit. ++## Getattr all file opbjects on new filesystems ++## that have not yet been labeled. ++## ++## ++## +## Domain allowed access. - ## - ## - # --interface(`files_dontaudit_search_isid_type_dirs',` -+interface(`files_setattr_isid_type_dirs',` - gen_require(` - type file_t; - ') - -- dontaudit $1 file_t:dir search_dir_perms; -+ allow $1 file_t:dir setattr; - ') - - ######################################## - ## --## List the contents of directories on new filesystems -+## Do not audit attempts to search directories on new filesystems - ## that have not yet been labeled. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`files_list_isid_type_dirs',` -+interface(`files_dontaudit_search_isid_type_dirs',` - gen_require(` - type file_t; - ') - -- allow $1 file_t:dir list_dir_perms; -+ dontaudit $1 file_t:dir search_dir_perms; - ') - - ######################################## - ## --## Read and write directories on new filesystems -+## List the contents of directories on new filesystems ++## ++## ++# ++interface(`files_getattr_isid_type',` ++ gen_require(` ++ type unlabeled_t; ++ ') ++ ++ allow $1 unlabeled_t:dir_file_class_set getattr; ++') ++ ++######################################## ++## ++## Setattr of directories on new filesystems +## that have not yet been labeled. +## +## 
@@ -10627,21 +10743,20 @@ index 64ff4d7..2b01383 100644 +## +## +# -+interface(`files_list_isid_type_dirs',` ++interface(`files_setattr_isid_type_dirs',` + gen_require(` + type file_t; + ') + -+ allow $1 file_t:dir list_dir_perms; ++ allow $1 file_t:dir setattr; +') + +######################################## +## -+## Read and write directories on new filesystems + ## Do not audit attempts to search directories on new filesystems ## that have not yet been labeled. ## - ## -@@ -3205,6 +3741,62 @@ interface(`files_delete_isid_type_dirs',` +@@ -3205,6 +3815,62 @@ interface(`files_delete_isid_type_dirs',` delete_dirs_pattern($1, file_t, file_t) ') @@ -10704,7 +10819,33 @@ index 64ff4d7..2b01383 100644 ######################################## ## -@@ -3455,6 +4047,25 @@ interface(`files_rw_isid_type_blk_files',` +@@ -3246,6 +3912,25 @@ interface(`files_mounton_isid_type_dirs',` + + ######################################## + ## ++## Mount a filesystem on a new chr_file ++## that has not yet been labeled. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_mounton_isid_type_chr_file',` ++ gen_require(` ++ type unlabeled_t; ++ ') ++ ++ allow $1 unlabeled_t:chr_file mounton; ++') ++ ++######################################## ++## + ## Read files on new filesystems + ## that have not yet been labeled. + ## +@@ -3455,6 +4140,25 @@ interface(`files_rw_isid_type_blk_files',` ######################################## ## @@ -10730,7 +10871,7 @@ index 64ff4d7..2b01383 100644 ## Create, read, write, and delete block device nodes ## on new filesystems that have not yet been labeled. ## -@@ -3796,20 +4407,38 @@ interface(`files_list_mnt',` +@@ -3796,20 +4500,38 @@ interface(`files_list_mnt',` ###################################### ## 
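Review bot: `files_getattr_isid_type` in hunk @@ -10567 requires `unlabeled_t` and grants `allow $1 unlabeled_t:dir_file_class_set getattr;`, while the sibling `files_setattr_isid_type_dirs` and `files_list_isid_type_dirs` interfaces in the same hunk use `file_t`; since the summary ("on new filesystems that have not yet been labeled") is the same wording the `file_t` interfaces use, either the type or the description looks wrong and is worth confirming before this is relied upon. The summary line also has a typo: `## Getattr all file opbjects on new filesystems` should read `## Get the attributes of all file objects on new filesystems`.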
@@ -10774,64 +10915,98 @@ index 64ff4d7..2b01383 100644 ') ######################################## -@@ -4199,6 +4828,171 @@ interface(`files_read_world_readable_sockets',` +@@ -4199,192 +4921,215 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') +-######################################## +####################################### -+## + ## +-## Allow the specified type to associate +-## to a filesystem with the type of the +-## temporary directory (/tmp). +## Read manageable system configuration files in /etc -+## + ## +-## +-## +-## Type of the file to associate. +-## +## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`files_associate_tmp',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_read_system_conf_files',` + gen_require(` + type etc_t, system_conf_t; + ') -+ + +- allow $1 tmp_t:filesystem associate; + allow $1 etc_t:dir list_dir_perms; + read_files_pattern($1, etc_t, system_conf_t) + read_lnk_files_pattern($1, etc_t, system_conf_t) -+') -+ + ') + +-######################################## +###################################### -+## + ## +-## Get the attributes of the tmp directory (/tmp). +## Manage manageable system configuration files in /etc. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`files_getattr_tmp_dirs',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_manage_system_conf_files',` + gen_require(` + type etc_t, system_conf_t; + ') -+ + +- allow $1 tmp_t:dir getattr; + manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t) + files_filetrans_system_conf_named_files($1) -+') -+ + ') + +-######################################## +##################################### -+## + ## +-## Do not audit attempts to get the +-## attributes of the tmp directory (/tmp). +## File name transition for system configuration files in /etc. -+## -+## + ## + ## +-## +-## Domain allowed access. 
+-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`files_dontaudit_getattr_tmp_dirs',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_filetrans_system_conf_named_files',` + gen_require(` + type etc_t, system_conf_t; + ') -+ + +- dontaudit $1 tmp_t:dir getattr; + filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf") + filetrans_pattern($1, etc_t, system_conf_t, file, "sysctl.conf.old") + filetrans_pattern($1, etc_t, system_conf_t, file, "ebtables") 
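Review bot: The summary of `files_read_system_conf_files` ("Read manageable system configuration files in /etc") understates what the interface grants: besides `read_files_pattern`/`read_lnk_files_pattern` on `system_conf_t` it also grants `allow $1 etc_t:dir list_dir_perms;`, i.e. directory listing of every `etc_t` directory, which is visible to any caller auditing their domain's footprint. Likewise `files_manage_system_conf_files` uses `manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)`, which lets the caller create and unlink `system_conf_t` files in any `etc_t` directory, not only the named ones in `files_filetrans_system_conf_named_files`. Suggest extending the summaries, e.g. `## Read manageable system configuration files in /etc (also lists all etc_t directories).` and `## Manage system_conf_t files anywhere under etc_t, with name transitions for the known files.` The named-files list of `files_filetrans_system_conf_named_files` continues in the next hunk.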
@@ -10849,161 +11024,253 @@ index 64ff4d7..2b01383 100644 + filetrans_pattern($1, etc_t, system_conf_t, file, "redhat.repo") + filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall") + filetrans_pattern($1, etc_t, system_conf_t, file, "system-config-firewall.old") -+') -+ + ') + +-######################################## +###################################### -+## + ## +-## Search the tmp directory (/tmp). +## Relabel manageable system configuration files in /etc. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`files_search_tmp',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_relabelto_system_conf_files',` + gen_require(` + type usr_t; + ') -+ + +- allow $1 tmp_t:dir search_dir_perms; + relabelto_files_pattern($1, system_conf_t, system_conf_t) -+') -+ + ') + +-######################################## +###################################### -+## + ## +-## Do not audit attempts to search the tmp directory (/tmp). +## Relabel manageable system configuration files in /etc. -+## -+## + ## + ## +-## +-## Domain to not audit. +-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`files_dontaudit_search_tmp',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_relabelfrom_system_conf_files',` + gen_require(` + type usr_t; + ') -+ + +- dontaudit $1 tmp_t:dir search_dir_perms; + relabelfrom_files_pattern($1, system_conf_t, system_conf_t) -+') -+ + ') + +-######################################## +################################### -+## + ## +-## Read the tmp directory (/tmp). +## Create files in /etc with the type used for +## the manageable system config files. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## The type of the process performing this action. 
+## -+## -+# + ## + # +-interface(`files_list_tmp',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_etc_filetrans_system_conf',` + gen_require(` + type etc_t, system_conf_t; + ') -+ + +- allow $1 tmp_t:dir list_dir_perms; + filetrans_pattern($1, etc_t, system_conf_t, file) -+') -+ + ') + +-######################################## +###################################### -+## + ## +-## Do not audit listing of the tmp directory (/tmp). +## Manage manageable system db files in /var/lib. -+## -+## + ## + ## +-## +-## Domain not to audit. +-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`files_dontaudit_list_tmp',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_manage_system_db_files',` + gen_require(` + type var_lib_t, system_db_t; + ') -+ + +- dontaudit $1 tmp_t:dir list_dir_perms; + manage_files_pattern($1, { var_lib_t system_db_t }, system_db_t) + files_filetrans_system_db_named_files($1) -+') -+ + ') + +-######################################## +##################################### -+## + ## +-## Remove entries from the tmp directory. +## File name transition for system db files in /var/lib. -+## -+## + ## + ## +-## +-## Domain allowed access. +-## +## +## Domain allowed access. +## -+## -+# + ## + # +-interface(`files_delete_tmp_dir_entry',` +- gen_require(` +- type tmp_t; +- ') +interface(`files_filetrans_system_db_named_files',` + gen_require(` + type var_lib_t, system_db_t; + ') -+ + +- allow $1 tmp_t:dir del_entry_dir_perms; + filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db") -+') -+ ++ filetrans_pattern($1, var_lib_t, system_db_t, file, "servicelog.db-journal") + ') + ######################################## ## - ## Allow the specified type to associate -@@ -4221,6 +5015,26 @@ interface(`files_associate_tmp',` +-## Read files in the tmp directory (/tmp). ++## Allow the specified type to associate ++## to a filesystem with the type of the ++## temporary directory (/tmp). 
+ ## +-## ++## + ## +-## Domain allowed access. ++## Type of the file to associate. + ## + ## + # +-interface(`files_read_generic_tmp_files',` ++interface(`files_associate_tmp',` + gen_require(` + type tmp_t; + ') + +- read_files_pattern($1, tmp_t, tmp_t) ++ allow $1 tmp_t:filesystem associate; + ') ######################################## ## +-## Manage temporary directories in /tmp. +## Allow the specified type to associate +## to a filesystem with the type of the +## / file system -+## + ## +-## +## -+## + ## +-## Domain allowed access. +## Type of the file to associate. -+## -+## -+# + ## + ## + # +-interface(`files_manage_generic_tmp_dirs',` +interface(`files_associate_rootfs',` -+ gen_require(` + gen_require(` +- type tmp_t; + type root_t; -+ ') -+ + ') + +- manage_dirs_pattern($1, tmp_t, tmp_t) + allow $1 root_t:filesystem associate; -+') -+ -+######################################## -+## - ## Get the attributes of the tmp directory (/tmp). + ') + + ######################################## + ## +-## Manage temporary files and directories in /tmp. ++## Get the attributes of the tmp directory (/tmp). ## ## -@@ -4234,17 +5048,37 @@ interface(`files_getattr_tmp_dirs',` + ## +@@ -4392,53 +5137,56 @@ interface(`files_manage_generic_tmp_dirs',` + ## + ## + # +-interface(`files_manage_generic_tmp_files',` ++interface(`files_getattr_tmp_dirs',` + gen_require(` type tmp_t; ') +- manage_files_pattern($1, tmp_t, tmp_t) + read_lnk_files_pattern($1, tmp_t, tmp_t) - allow $1 tmp_t:dir getattr; ++ allow $1 tmp_t:dir getattr; ') ######################################## ## +-## Read symbolic links in the tmp directory (/tmp). +## Do not audit attempts to check the +## access on tmp files -+## -+## -+## + ## + ## + ## +-## Domain allowed access. +## Domain to not audit. 
-+## -+## -+# + ## + ## + # +-interface(`files_read_generic_tmp_symlinks',` +interface(`files_dontaudit_access_check_tmp',` -+ gen_require(` + gen_require(` +- type tmp_t; + type etc_t; -+ ') -+ + ') + +- read_lnk_files_pattern($1, tmp_t, tmp_t) + dontaudit $1 tmp_t:dir_file_class_set audit_access; -+') -+ -+######################################## -+## - ## Do not audit attempts to get the - ## attributes of the tmp directory (/tmp). + ') + + ######################################## + ## +-## Read and write generic named sockets in the tmp directory (/tmp). ++## Do not audit attempts to get the ++## attributes of the tmp directory (/tmp). ## ## ## 
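Review bot: `files_relabelto_system_conf_files` and `files_relabelfrom_system_conf_files` both declare `type usr_t;` in their `gen_require` but then use `system_conf_t` in the relabel pattern, so the required type is unrelated to the type actually referenced; a module calling either interface would not have `system_conf_t` brought into scope, and `usr_t` is pulled in for nothing. The fix in both is `type system_conf_t;` (and, if `system_conf_t` is only applied to files under `etc_t`, the directory argument of the pattern should be `etc_t` rather than `system_conf_t` so callers can actually search to the files). The same mistake appears in `files_dontaudit_access_check_tmp`, which requires `type etc_t;` but dontaudits on `tmp_t:dir_file_class_set`; it should be `type tmp_t;`. The two relabel interfaces also share the identical summary "Relabel manageable system configuration files in /etc." — suggest "Relabel to" / "Relabel from" so the pair is distinguishable in generated docs.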
@@ -11012,35 +11279,113 @@ index 64ff4d7..2b01383 100644 ## ## # -@@ -4271,6 +5105,7 @@ interface(`files_search_tmp',` +-interface(`files_rw_generic_tmp_sockets',` ++interface(`files_dontaudit_getattr_tmp_dirs',` + gen_require(` type tmp_t; ') -+ read_lnk_files_pattern($1, tmp_t, tmp_t) - allow $1 tmp_t:dir search_dir_perms; +- rw_sock_files_pattern($1, tmp_t, tmp_t) ++ dontaudit $1 tmp_t:dir getattr; ') -@@ -4307,6 +5142,7 @@ interface(`files_list_tmp',` - type tmp_t; + ######################################## + ## +-## Set the attributes of all tmp directories. ++## Search the tmp directory (/tmp). + ## + ## + ## +@@ -4446,77 +5194,92 @@ interface(`files_rw_generic_tmp_sockets',` + ## + ## + # +-interface(`files_setattr_all_tmp_dirs',` ++interface(`files_search_tmp',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; ') +- allow $1 tmpfile:dir { search_dir_perms setattr }; + read_lnk_files_pattern($1, tmp_t, tmp_t) - allow $1 tmp_t:dir list_dir_perms; ++ allow $1 tmp_t:dir search_dir_perms; ') -@@ -4316,7 +5152,7 @@ interface(`files_list_tmp',` + ######################################## + ## +-## List all tmp directories. ++## Do not audit attempts to search the tmp directory (/tmp). ## ## ## --## Domain not to audit. +-## Domain allowed access. +## Domain to not audit. ## ## # -@@ -4328,6 +5164,25 @@ interface(`files_dontaudit_list_tmp',` - dontaudit $1 tmp_t:dir list_dir_perms; +-interface(`files_list_all_tmp',` ++interface(`files_dontaudit_search_tmp',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') + +- allow $1 tmpfile:dir list_dir_perms; ++ dontaudit $1 tmp_t:dir search_dir_perms; ') + ######################################## + ## +-## Relabel to and from all temporary +-## directory types. ++## Read the tmp directory (/tmp). + ## + ## + ## + ## Domain allowed access. 
+ ## + ## +-## + # +-interface(`files_relabel_all_tmp_dirs',` ++interface(`files_list_tmp',` + gen_require(` +- attribute tmpfile; +- type var_t; ++ type tmp_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- relabel_dirs_pattern($1, tmpfile, tmpfile) ++ read_lnk_files_pattern($1, tmp_t, tmp_t) ++ allow $1 tmp_t:dir list_dir_perms; + ') + + ######################################## + ## +-## Do not audit attempts to get the attributes +-## of all tmp files. ++## Do not audit listing of the tmp directory (/tmp). + ## + ## + ## +-## Domain not to audit. ++## Domain to not audit. + ## + ## + # +-interface(`files_dontaudit_getattr_all_tmp_files',` ++interface(`files_dontaudit_list_tmp',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') + +- dontaudit $1 tmpfile:file getattr; ++ dontaudit $1 tmp_t:dir list_dir_perms; ++') ++ +####################################### +## +## Allow read and write to the tmp directory (/tmp). 
@@ -11058,25 +11403,87 @@ index 64ff4d7..2b01383 100644 + + files_search_tmp($1) + allow $1 tmp_t:dir rw_dir_perms; -+') -+ + ') + ######################################## ## - ## Remove entries from the tmp directory. -@@ -4343,6 +5198,7 @@ interface(`files_delete_tmp_dir_entry',` - type tmp_t; +-## Allow attempts to get the attributes +-## of all tmp files. ++## Remove entries from the tmp directory. + ## + ## + ## +@@ -4524,110 +5287,98 @@ interface(`files_dontaudit_getattr_all_tmp_files',` + ## + ## + # +-interface(`files_getattr_all_tmp_files',` ++interface(`files_delete_tmp_dir_entry',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; ') +- allow $1 tmpfile:file getattr; + files_search_tmp($1) - allow $1 tmp_t:dir del_entry_dir_perms; ++ allow $1 tmp_t:dir del_entry_dir_perms; + ') + + ######################################## + ## +-## Relabel to and from all temporary +-## file types. ++## Read files in the tmp directory (/tmp). + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_relabel_all_tmp_files',` ++interface(`files_read_generic_tmp_files',` + gen_require(` +- attribute tmpfile; +- type var_t; ++ type tmp_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- relabel_files_pattern($1, tmpfile, tmpfile) ++ read_files_pattern($1, tmp_t, tmp_t) ') -@@ -4384,6 +5240,32 @@ interface(`files_manage_generic_tmp_dirs',` + ######################################## + ## +-## Do not audit attempts to get the attributes +-## of all tmp sock_file. ++## Manage temporary directories in /tmp. + ## + ## + ## +-## Domain not to audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_getattr_all_tmp_sockets',` ++interface(`files_manage_generic_tmp_dirs',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') + +- dontaudit $1 tmpfile:sock_file getattr; ++ manage_dirs_pattern($1, tmp_t, tmp_t) + ') ######################################## ## +-## Read all tmp files. 
+## Allow shared library text relocations in tmp files. -+## + ## +## +##

+## Allow shared library text relocations in tmp files. @@ -11085,538 +11492,2356 @@ index 64ff4d7..2b01383 100644 +## This is added to support java policy. +##
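Review bot: `files_delete_tmp_dir_entry` now calls `files_search_tmp($1)` before `allow $1 tmp_t:dir del_entry_dir_perms;`, and in this revision `files_search_tmp` also grants `read_lnk_files_pattern` on `tmp_t`, so a domain that only needs to unlink entries additionally receives symlink reads that its summary ("Remove entries from the tmp directory.") does not mention; `files_rw_generic_tmp_dir` composes the same call. If the symlink read is not needed here, `allow $1 tmp_t:dir search_dir_perms;` in place of the interface call keeps the grant minimal; otherwise a comment noting the inherited permission would do. The `files_execmod_tmp` description in this hunk ("This is added to support java policy") explains the motivation but not the breadth — its body, which follows in the next hunk, allows `execmod` on the whole `tmpfile` attribute rather than on java-specific tmp types, which is worth stating in the description so callers know they are opting into writable-plus-executable temp files.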

+##
-+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## Domain allowed access. + ## + ## + # +-interface(`files_read_all_tmp_files',` +interface(`files_execmod_tmp',` -+ gen_require(` -+ attribute tmpfile; -+ ') -+ + gen_require(` + attribute tmpfile; + ') + +- read_files_pattern($1, tmpfile, tmpfile) + allow $1 tmpfile:file execmod; -+') -+ -+######################################## -+## - ## Manage temporary files and directories in /tmp. + ') + + ######################################## + ## +-## Create an object in the tmp directories, with a private +-## type using a type transition. ++## Manage temporary files and directories in /tmp. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## The type of the object to be created. +-## +-## +-## +-## +-## The object class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## + # +-interface(`files_tmp_filetrans',` ++interface(`files_manage_generic_tmp_files',` + gen_require(` + type tmp_t; + ') + +- filetrans_pattern($1, tmp_t, $2, $3, $4) ++ manage_files_pattern($1, tmp_t, tmp_t) + ') + + ######################################## + ## +-## Delete the contents of /tmp. ++## Read symbolic links in the tmp directory (/tmp). ## ## -@@ -4438,7 +5320,7 @@ interface(`files_rw_generic_tmp_sockets',` + ## +@@ -4635,22 +5386,17 @@ interface(`files_tmp_filetrans',` + ## + ## + # +-interface(`files_purge_tmp',` ++interface(`files_read_generic_tmp_symlinks',` + gen_require(` +- attribute tmpfile; ++ type tmp_t; + ') + +- allow $1 tmpfile:dir list_dir_perms; +- delete_dirs_pattern($1, tmpfile, tmpfile) +- delete_files_pattern($1, tmpfile, tmpfile) +- delete_lnk_files_pattern($1, tmpfile, tmpfile) +- delete_fifo_files_pattern($1, tmpfile, tmpfile) +- delete_sock_files_pattern($1, tmpfile, tmpfile) ++ read_lnk_files_pattern($1, tmp_t, tmp_t) + ') ######################################## ## --## Set the attributes of all tmp directories. 
+-## Set the attributes of the /usr directory. ++## Read and write generic named sockets in the tmp directory (/tmp). + ## + ## + ## +@@ -4658,17 +5404,17 @@ interface(`files_purge_tmp',` + ## + ## + # +-interface(`files_setattr_usr_dirs',` ++interface(`files_rw_generic_tmp_sockets',` + gen_require(` +- type usr_t; ++ type tmp_t; + ') + +- allow $1 usr_t:dir setattr; ++ rw_sock_files_pattern($1, tmp_t, tmp_t) + ') + + ######################################## + ## +-## Search the content of /usr. +## Relabel a dir from the type used in /tmp. ## ## ## -@@ -4446,17 +5328,17 @@ interface(`files_rw_generic_tmp_sockets',` +@@ -4676,18 +5422,17 @@ interface(`files_setattr_usr_dirs',` ## ## # --interface(`files_setattr_all_tmp_dirs',` +-interface(`files_search_usr',` +interface(`files_relabelfrom_tmp_dirs',` gen_require(` -- attribute tmpfile; +- type usr_t; + type tmp_t; ') -- allow $1 tmpfile:dir { search_dir_perms setattr }; +- allow $1 usr_t:dir search_dir_perms; + relabelfrom_dirs_pattern($1, tmp_t, tmp_t) ') ######################################## ## --## List all tmp directories. +-## List the contents of generic +-## directories in /usr. +## Relabel a file from the type used in /tmp. ## ## ## -@@ -4464,34 +5346,124 @@ interface(`files_setattr_all_tmp_dirs',` +@@ -4695,35 +5440,35 @@ interface(`files_search_usr',` ## ## # --interface(`files_list_all_tmp',` +-interface(`files_list_usr',` +interface(`files_relabelfrom_tmp_files',` gen_require(` -- attribute tmpfile; +- type usr_t; + type tmp_t; ') -- allow $1 tmpfile:dir list_dir_perms; +- allow $1 usr_t:dir list_dir_perms; + relabelfrom_files_pattern($1, tmp_t, tmp_t) ') ######################################## ## --## Relabel to and from all temporary --## directory types. +-## Do not audit write of /usr dirs +## Set the attributes of all tmp directories. ## ## ## - ## Domain allowed access. +-## Domain to not audit. ++## Domain allowed access. 
## ## --## # --interface(`files_relabel_all_tmp_dirs',` +-interface(`files_dontaudit_write_usr_dirs',` +interface(`files_setattr_all_tmp_dirs',` gen_require(` - attribute tmpfile; -- type var_t; +- type usr_t; ++ attribute tmpfile; ') -- allow $1 var_t:dir search_dir_perms; -- relabel_dirs_pattern($1, tmpfile, tmpfile) +- dontaudit $1 usr_t:dir write; + allow $1 tmpfile:dir { search_dir_perms setattr }; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Add and remove entries from /usr directories. +## Allow caller to read inherited tmp files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -4731,36 +5476,35 @@ interface(`files_dontaudit_write_usr_dirs',` + ## + ## + # +-interface(`files_rw_usr_dirs',` +interface(`files_read_inherited_tmp_files',` -+ gen_require(` + gen_require(` +- type usr_t; + attribute tmpfile; -+ ') -+ + ') + +- allow $1 usr_t:dir rw_dir_perms; + allow $1 tmpfile:file { append read_inherited_file_perms }; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to add and remove +-## entries from /usr directories. +## Allow caller to append inherited tmp files. -+## -+## -+## + ## + ## + ## +-## Domain to not audit. +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`files_dontaudit_rw_usr_dirs',` +interface(`files_append_inherited_tmp_files',` -+ gen_require(` + gen_require(` +- type usr_t; + attribute tmpfile; -+ ') -+ + ') + +- dontaudit $1 usr_t:dir rw_dir_perms; + allow $1 tmpfile:file append_inherited_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Delete generic directories in /usr in the caller domain. +## Allow caller to read and write inherited tmp files. -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# + ## + ## + ## +@@ -4768,17 +5512,17 @@ interface(`files_dontaudit_rw_usr_dirs',` + ## + ## + # +-interface(`files_delete_usr_dirs',` +interface(`files_rw_inherited_tmp_file',` -+ gen_require(` + gen_require(` +- type usr_t; + attribute tmpfile; -+ ') -+ + ') + +- delete_dirs_pattern($1, usr_t, usr_t) + allow $1 tmpfile:file rw_inherited_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Delete generic files in /usr in the caller domain. +## List all tmp directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -4786,73 +5530,59 @@ interface(`files_delete_usr_dirs',` + ## + ## + # +-interface(`files_delete_usr_files',` +interface(`files_list_all_tmp',` -+ gen_require(` + gen_require(` +- type usr_t; + attribute tmpfile; -+ ') -+ + ') + +- delete_files_pattern($1, usr_t, usr_t) + allow $1 tmpfile:dir list_dir_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Get the attributes of files in /usr. +## Relabel to and from all temporary +## directory types. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +## -+# + # +-interface(`files_getattr_usr_files',` +interface(`files_relabel_all_tmp_dirs',` -+ gen_require(` + gen_require(` +- type usr_t; + attribute tmpfile; + type var_t; -+ ') -+ + ') + +- getattr_files_pattern($1, usr_t, usr_t) + allow $1 var_t:dir search_dir_perms; + relabel_dirs_pattern($1, tmpfile, tmpfile) ') ######################################## -@@ -4501,7 +5473,7 @@ interface(`files_relabel_all_tmp_dirs',` + ## +-## Read generic files in /usr. ++## Do not audit attempts to get the attributes ++## of all tmp files. ## +-## +-##

+-## Allow the specified domain to read generic +-## files in /usr. These files are various program +-## files that do not have more specific SELinux types. +-## Some examples of these files are: +-##

+-##
    +-##
  • /usr/include/*
  • +-##
  • /usr/share/doc/*
  • +-##
  • /usr/share/info/*
  • +-##
+-##

+-## Generally, it is safe for many domains to have +-## this access. +-##

+-##
## ## --## Domain not to audit. +-## Domain allowed access. +## Domain to not audit. ## ## +-## # -@@ -4561,7 +5533,7 @@ interface(`files_relabel_all_tmp_files',` +-interface(`files_read_usr_files',` ++interface(`files_dontaudit_getattr_all_tmp_files',` + gen_require(` +- type usr_t; ++ attribute tmpfile; + ') + +- allow $1 usr_t:dir list_dir_perms; +- read_files_pattern($1, usr_t, usr_t) +- read_lnk_files_pattern($1, usr_t, usr_t) ++ dontaudit $1 tmpfile:file getattr; + ') + + ######################################## + ## +-## Execute generic programs in /usr in the caller domain. ++## Allow attempts to get the attributes ++## of all tmp files. ## ## ## --## Domain not to audit. -+## Domain to not audit. +@@ -4860,55 +5590,58 @@ interface(`files_read_usr_files',` ## ## # -@@ -4593,6 +5565,44 @@ interface(`files_read_all_tmp_files',` - - ######################################## - ## -+## Do not audit attempts to read or write -+## all leaked tmpfiles files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_tmp_file_leaks',` -+ gen_require(` -+ attribute tmpfile; -+ ') -+ -+ dontaudit $1 tmpfile:file rw_inherited_file_perms; -+') -+ -+######################################## -+## -+## Do allow attempts to read or write -+## all leaked tmpfiles files. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_rw_tmp_file_leaks',` -+ gen_require(` +-interface(`files_exec_usr_files',` ++interface(`files_getattr_all_tmp_files',` + gen_require(` +- type usr_t; + attribute tmpfile; -+ ') -+ -+ allow $1 tmpfile:file rw_inherited_file_perms; -+') -+ -+######################################## -+## - ## Create an object in the tmp directories, with a private - ## type using a type transition. 
- ## -@@ -4646,6 +5656,16 @@ interface(`files_purge_tmp',` - delete_lnk_files_pattern($1, tmpfile, tmpfile) - delete_fifo_files_pattern($1, tmpfile, tmpfile) - delete_sock_files_pattern($1, tmpfile, tmpfile) -+ delete_chr_files_pattern($1, tmpfile, tmpfile) -+ delete_blk_files_pattern($1, tmpfile, tmpfile) -+ files_list_isid_type_dirs($1) -+ files_delete_isid_type_dirs($1) -+ files_delete_isid_type_files($1) -+ files_delete_isid_type_symlinks($1) -+ files_delete_isid_type_fifo_files($1) -+ files_delete_isid_type_sock_files($1) -+ files_delete_isid_type_blk_files($1) -+ files_delete_isid_type_chr_files($1) - ') + ') - ######################################## -@@ -5223,6 +6243,24 @@ interface(`files_list_var',` +- allow $1 usr_t:dir list_dir_perms; +- exec_files_pattern($1, usr_t, usr_t) +- read_lnk_files_pattern($1, usr_t, usr_t) ++ allow $1 tmpfile:file getattr; + ') ######################################## ## -+## Do not audit listing of the var directory (/var). -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_list_var',` -+ gen_require(` -+ type var_t; -+ ') -+ -+ dontaudit $1 var_t:dir list_dir_perms; -+') -+ -+######################################## -+## - ## Create, read, write, and delete directories - ## in the /var directory. +-## dontaudit write of /usr files ++## Relabel to and from all temporary ++## file types. ## -@@ -5578,6 +6616,25 @@ interface(`files_read_var_lib_symlinks',` - read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) - ') - -+######################################## -+## -+## manage generic symbolic links -+## in the /var/lib directory. -+## -+## -+## + ## + ## +-## Domain to not audit. +## Domain allowed access. -+## -+## -+# -+interface(`files_manage_var_lib_symlinks',` -+ gen_require(` -+ type var_lib_t; -+ ') -+ -+ manage_lnk_files_pattern($1,var_lib_t,var_lib_t) -+') -+ - # cjp: the next two interfaces really need to be fixed - # in some way. They really neeed their own types. 
+ ## + ## ++## + # +-interface(`files_dontaudit_write_usr_files',` ++interface(`files_relabel_all_tmp_files',` + gen_require(` +- type usr_t; ++ attribute tmpfile; ++ type var_t; + ') -@@ -5623,7 +6680,7 @@ interface(`files_manage_mounttab',` +- dontaudit $1 usr_t:file write; ++ allow $1 var_t:dir search_dir_perms; ++ relabel_files_pattern($1, tmpfile, tmpfile) + ') ######################################## ## --## Set the attributes of the generic lock directories. -+## List generic lock directories. +-## Create, read, write, and delete files in the /usr directory. ++## Do not audit attempts to get the attributes ++## of all tmp sock_file. ## ## ## -@@ -5631,12 +6688,13 @@ interface(`files_manage_mounttab',` +-## Domain allowed access. ++## Domain to not audit. ## ## # --interface(`files_setattr_lock_dirs',` -+interface(`files_list_locks',` +-interface(`files_manage_usr_files',` ++interface(`files_dontaudit_getattr_all_tmp_sockets',` gen_require(` - type var_t, var_lock_t; +- type usr_t; ++ attribute tmpfile; ') -- setattr_dirs_pattern($1, var_t, var_lock_t) -+ files_search_locks($1) -+ list_dirs_pattern($1, var_t, var_lock_t) +- manage_files_pattern($1, usr_t, usr_t) ++ dontaudit $1 tmpfile:sock_file getattr; ') ######################################## -@@ -5654,6 +6712,7 @@ interface(`files_search_locks',` - type var_t, var_lock_t; + ## +-## Relabel a file to the type used in /usr. ++## Read all tmp files. 
+ ## + ## + ## +@@ -4916,67 +5649,70 @@ interface(`files_manage_usr_files',` + ## + ## + # +-interface(`files_relabelto_usr_files',` ++interface(`files_read_all_tmp_files',` + gen_require(` +- type usr_t; ++ attribute tmpfile; ') -+ files_search_pids($1) - allow $1 var_lock_t:lnk_file read_lnk_file_perms; - search_dirs_pattern($1, var_t, var_lock_t) +- relabelto_files_pattern($1, usr_t, usr_t) ++ read_files_pattern($1, tmpfile, tmpfile) ') -@@ -5680,7 +6739,26 @@ interface(`files_dontaudit_search_locks',` ######################################## ## --## List generic lock directories. -+## Do not audit attempts to read/write inherited -+## locks (/var/lock). -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`files_dontaudit_rw_inherited_locks',` -+ gen_require(` -+ type var_lock_t; -+ ') -+ -+ dontaudit $1 var_lock_t:file rw_inherited_file_perms; -+') -+ -+######################################## -+## -+## Set the attributes of the /var/lock directory. +-## Relabel a file from the type used in /usr. ++## Do not audit attempts to read or write ++## all leaked tmpfiles files. ## ## ## -@@ -5688,13 +6766,12 @@ interface(`files_dontaudit_search_locks',` +-## Domain allowed access. ++## Domain to not audit. ## ## # --interface(`files_list_locks',` -+interface(`files_setattr_lock_dirs',` +-interface(`files_relabelfrom_usr_files',` ++interface(`files_dontaudit_tmp_file_leaks',` gen_require(` -- type var_t, var_lock_t; -+ type var_lock_t; +- type usr_t; ++ attribute tmpfile; ') -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- relabelfrom_files_pattern($1, usr_t, usr_t) ++ dontaudit $1 tmpfile:file rw_inherited_file_perms; + ') + + ######################################## + ## +-## Read symbolic links in /usr. ++## Do allow attempts to read or write ++## all leaked tmpfiles files. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. 
+ ## + ## + # +-interface(`files_read_usr_symlinks',` ++interface(`files_rw_tmp_file_leaks',` + gen_require(` +- type usr_t; ++ attribute tmpfile; + ') + +- read_lnk_files_pattern($1, usr_t, usr_t) ++ allow $1 tmpfile:file rw_inherited_file_perms; + ') + + ######################################## + ## +-## Create objects in the /usr directory ++## Create an object in the tmp directories, with a private ++## type using a type transition. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## ++## + ## +-## The type of the object to be created ++## The type of the object to be created. + ## + ## +-## ++## + ## +-## The object class. ++## The object class of the object being created. + ## + ## + ## +@@ -4985,35 +5721,50 @@ interface(`files_read_usr_symlinks',` + ##
+ ## + # +-interface(`files_usr_filetrans',` ++interface(`files_tmp_filetrans',` + gen_require(` +- type usr_t; ++ type tmp_t; + ') + +- filetrans_pattern($1, usr_t, $2, $3, $4) ++ filetrans_pattern($1, tmp_t, $2, $3, $4) + ') + + ######################################## + ## +-## Do not audit attempts to search /usr/src. ++## Delete the contents of /tmp. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_search_src',` ++interface(`files_purge_tmp',` + gen_require(` +- type src_t; ++ attribute tmpfile; + ') + +- dontaudit $1 src_t:dir search_dir_perms; ++ allow $1 tmpfile:dir list_dir_perms; ++ delete_dirs_pattern($1, tmpfile, tmpfile) ++ delete_files_pattern($1, tmpfile, tmpfile) ++ delete_lnk_files_pattern($1, tmpfile, tmpfile) ++ delete_fifo_files_pattern($1, tmpfile, tmpfile) ++ delete_sock_files_pattern($1, tmpfile, tmpfile) ++ delete_chr_files_pattern($1, tmpfile, tmpfile) ++ delete_blk_files_pattern($1, tmpfile, tmpfile) ++ files_list_isid_type_dirs($1) ++ files_delete_isid_type_dirs($1) ++ files_delete_isid_type_files($1) ++ files_delete_isid_type_symlinks($1) ++ files_delete_isid_type_fifo_files($1) ++ files_delete_isid_type_sock_files($1) ++ files_delete_isid_type_blk_files($1) ++ files_delete_isid_type_chr_files($1) + ') + + ######################################## + ## +-## Get the attributes of files in /usr/src. ++## Set the attributes of the /usr directory. + ## + ## + ## +@@ -5021,20 +5772,17 @@ interface(`files_dontaudit_search_src',` + ## + ## + # +-interface(`files_getattr_usr_src_files',` ++interface(`files_setattr_usr_dirs',` + gen_require(` +- type usr_t, src_t; ++ type usr_t; + ') + +- getattr_files_pattern($1, src_t, src_t) +- +- # /usr/src/linux symlink: +- read_lnk_files_pattern($1, usr_t, src_t) ++ allow $1 usr_t:dir setattr; + ') + + ######################################## + ## +-## Read files in /usr/src. ++## Search the content of /usr. 
+ ## + ## + ## +@@ -5042,20 +5790,18 @@ interface(`files_getattr_usr_src_files',` + ## + ## + # +-interface(`files_read_usr_src_files',` ++interface(`files_search_usr',` + gen_require(` +- type usr_t, src_t; ++ type usr_t; + ') + + allow $1 usr_t:dir search_dir_perms; +- read_files_pattern($1, { usr_t src_t }, src_t) +- read_lnk_files_pattern($1, { usr_t src_t }, src_t) +- allow $1 src_t:dir list_dir_perms; + ') + + ######################################## + ## +-## Execute programs in /usr/src in the caller domain. ++## List the contents of generic ++## directories in /usr. + ## + ## + ## +@@ -5063,38 +5809,35 @@ interface(`files_read_usr_src_files',` + ## + ## + # +-interface(`files_exec_usr_src_files',` ++interface(`files_list_usr',` + gen_require(` +- type usr_t, src_t; ++ type usr_t; + ') + +- list_dirs_pattern($1, usr_t, src_t) +- exec_files_pattern($1, src_t, src_t) +- read_lnk_files_pattern($1, src_t, src_t) ++ allow $1 usr_t:dir list_dir_perms; + ') + + ######################################## + ## +-## Install a system.map into the /boot directory. ++## Do not audit write of /usr dirs + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_create_kernel_symbol_table',` ++interface(`files_dontaudit_write_usr_dirs',` + gen_require(` +- type boot_t, system_map_t; ++ type usr_t; + ') + +- allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; +- allow $1 system_map_t:file { create_file_perms rw_file_perms }; ++ dontaudit $1 usr_t:dir write; + ') + + ######################################## + ## +-## Read system.map in the /boot directory. ++## Add and remove entries from /usr directories. 
+ ## + ## + ## +@@ -5102,37 +5845,36 @@ interface(`files_create_kernel_symbol_table',` + ## + ## + # +-interface(`files_read_kernel_symbol_table',` ++interface(`files_rw_usr_dirs',` + gen_require(` +- type boot_t, system_map_t; ++ type usr_t; + ') + +- allow $1 boot_t:dir list_dir_perms; +- read_files_pattern($1, boot_t, system_map_t) ++ allow $1 usr_t:dir rw_dir_perms; + ') + + ######################################## + ## +-## Delete a system.map in the /boot directory. ++## Do not audit attempts to add and remove ++## entries from /usr directories. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_delete_kernel_symbol_table',` ++interface(`files_dontaudit_rw_usr_dirs',` + gen_require(` +- type boot_t, system_map_t; ++ type usr_t; + ') + +- allow $1 boot_t:dir list_dir_perms; +- delete_files_pattern($1, boot_t, system_map_t) ++ dontaudit $1 usr_t:dir rw_dir_perms; + ') + + ######################################## + ## +-## Search the contents of /var. ++## Delete generic directories in /usr in the caller domain. + ## + ## + ## +@@ -5140,35 +5882,35 @@ interface(`files_delete_kernel_symbol_table',` + ## + ## + # +-interface(`files_search_var',` ++interface(`files_delete_usr_dirs',` + gen_require(` +- type var_t; ++ type usr_t; + ') + +- allow $1 var_t:dir search_dir_perms; ++ delete_dirs_pattern($1, usr_t, usr_t) + ') + + ######################################## + ## +-## Do not audit attempts to write to /var. ++## Delete generic files in /usr in the caller domain. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_write_var_dirs',` ++interface(`files_delete_usr_files',` + gen_require(` +- type var_t; ++ type usr_t; + ') + +- dontaudit $1 var_t:dir write; ++ delete_files_pattern($1, usr_t, usr_t) + ') + + ######################################## + ## +-## Allow attempts to write to /var.dirs ++## Get the attributes of files in /usr. 
+ ## + ## + ## +@@ -5176,36 +5918,55 @@ interface(`files_dontaudit_write_var_dirs',` + ## + ## + # +-interface(`files_write_var_dirs',` ++interface(`files_getattr_usr_files',` + gen_require(` +- type var_t; ++ type usr_t; + ') + +- allow $1 var_t:dir write; ++ getattr_files_pattern($1, usr_t, usr_t) + ') + + ######################################## + ## +-## Do not audit attempts to search +-## the contents of /var. ++## Read generic files in /usr. + ## ++## ++##

++## Allow the specified domain to read generic ++## files in /usr. These files are various program ++## files that do not have more specific SELinux types. ++## Some examples of these files are: ++##

++##
    ++##
  • /usr/include/*
  • ++##
  • /usr/share/doc/*
  • ++##
  • /usr/share/info/*
  • ++##
++##

++## Generally, it is safe for many domains to have ++## this access. ++##

++##
+ ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## ++## + # +-interface(`files_dontaudit_search_var',` ++interface(`files_read_usr_files',` + gen_require(` +- type var_t; ++ type usr_t; + ') + +- dontaudit $1 var_t:dir search_dir_perms; ++ allow $1 usr_t:dir list_dir_perms; ++ read_files_pattern($1, usr_t, usr_t) ++ read_lnk_files_pattern($1, usr_t, usr_t) + ') + + ######################################## + ## +-## List the contents of /var. ++## Execute generic programs in /usr in the caller domain. + ## + ## + ## +@@ -5213,36 +5974,37 @@ interface(`files_dontaudit_search_var',` + ## + ## + # +-interface(`files_list_var',` ++interface(`files_exec_usr_files',` + gen_require(` +- type var_t; ++ type usr_t; + ') + +- allow $1 var_t:dir list_dir_perms; ++ allow $1 usr_t:dir list_dir_perms; ++ exec_files_pattern($1, usr_t, usr_t) ++ read_lnk_files_pattern($1, usr_t, usr_t) + ') + + ######################################## + ## +-## Create, read, write, and delete directories +-## in the /var directory. ++## dontaudit write of /usr files + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_manage_var_dirs',` ++interface(`files_dontaudit_write_usr_files',` + gen_require(` +- type var_t; ++ type usr_t; + ') + +- allow $1 var_t:dir manage_dir_perms; ++ dontaudit $1 usr_t:file write; + ') + + ######################################## + ## +-## Read files in the /var directory. ++## Create, read, write, and delete files in the /usr directory. + ## + ## + ## +@@ -5250,17 +6012,17 @@ interface(`files_manage_var_dirs',` + ## + ## + # +-interface(`files_read_var_files',` ++interface(`files_manage_usr_files',` + gen_require(` +- type var_t; ++ type usr_t; + ') + +- read_files_pattern($1, var_t, var_t) ++ manage_files_pattern($1, usr_t, usr_t) + ') + + ######################################## + ## +-## Append files in the /var directory. ++## Relabel a file to the type used in /usr. 
+ ## + ## + ## +@@ -5268,17 +6030,17 @@ interface(`files_read_var_files',` + ## + ## + # +-interface(`files_append_var_files',` ++interface(`files_relabelto_usr_files',` + gen_require(` +- type var_t; ++ type usr_t; + ') + +- append_files_pattern($1, var_t, var_t) ++ relabelto_files_pattern($1, usr_t, usr_t) + ') + + ######################################## + ## +-## Read and write files in the /var directory. ++## Relabel a file from the type used in /usr. + ## + ## + ## +@@ -5286,73 +6048,86 @@ interface(`files_append_var_files',` + ## + ## + # +-interface(`files_rw_var_files',` ++interface(`files_relabelfrom_usr_files',` + gen_require(` +- type var_t; ++ type usr_t; + ') + +- rw_files_pattern($1, var_t, var_t) ++ relabelfrom_files_pattern($1, usr_t, usr_t) + ') + + ######################################## + ## +-## Do not audit attempts to read and write +-## files in the /var directory. ++## Read symbolic links in /usr. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_rw_var_files',` ++interface(`files_read_usr_symlinks',` + gen_require(` +- type var_t; ++ type usr_t; + ') + +- dontaudit $1 var_t:file rw_file_perms; ++ read_lnk_files_pattern($1, usr_t, usr_t) + ') + + ######################################## + ## +-## Create, read, write, and delete files in the /var directory. ++## Create objects in the /usr directory + ## + ## + ## + ## Domain allowed access. + ## + ## ++## ++## ++## The type of the object to be created ++## ++## ++## ++## ++## The object class. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## + # +-interface(`files_manage_var_files',` ++interface(`files_usr_filetrans',` + gen_require(` +- type var_t; ++ type usr_t; + ') + +- manage_files_pattern($1, var_t, var_t) ++ filetrans_pattern($1, usr_t, $2, $3, $4) + ') + + ######################################## + ## +-## Read symbolic links in the /var directory. ++## Do not audit attempts to search /usr/src. 
+ ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_read_var_symlinks',` ++interface(`files_dontaudit_search_src',` + gen_require(` +- type var_t; ++ type src_t; + ') + +- read_lnk_files_pattern($1, var_t, var_t) ++ dontaudit $1 src_t:dir search_dir_perms; + ') + + ######################################## + ## +-## Create, read, write, and delete symbolic +-## links in the /var directory. ++## Get the attributes of files in /usr/src. + ## + ## + ## +@@ -5360,50 +6135,41 @@ interface(`files_read_var_symlinks',` + ## + ## + # +-interface(`files_manage_var_symlinks',` ++interface(`files_getattr_usr_src_files',` + gen_require(` +- type var_t; ++ type usr_t, src_t; + ') + +- manage_lnk_files_pattern($1, var_t, var_t) ++ getattr_files_pattern($1, src_t, src_t) ++ ++ # /usr/src/linux symlink: ++ read_lnk_files_pattern($1, usr_t, src_t) + ') + + ######################################## + ## +-## Create objects in the /var directory ++## Read files in /usr/src. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## The type of the object to be created +-## +-## +-## +-## +-## The object class. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## + # +-interface(`files_var_filetrans',` ++interface(`files_read_usr_src_files',` + gen_require(` +- type var_t; ++ type usr_t, src_t; + ') + +- filetrans_pattern($1, var_t, $2, $3, $4) ++ allow $1 usr_t:dir search_dir_perms; ++ read_files_pattern($1, { usr_t src_t }, src_t) ++ read_lnk_files_pattern($1, { usr_t src_t }, src_t) ++ allow $1 src_t:dir list_dir_perms; + ') + + ######################################## + ## +-## Get the attributes of the /var/lib directory. ++## Execute programs in /usr/src in the caller domain. 
+ ## + ## + ## +@@ -5411,69 +6177,56 @@ interface(`files_var_filetrans',` + ## + ## + # +-interface(`files_getattr_var_lib_dirs',` ++interface(`files_exec_usr_src_files',` + gen_require(` +- type var_t, var_lib_t; ++ type usr_t, src_t; + ') + +- getattr_dirs_pattern($1, var_t, var_lib_t) ++ list_dirs_pattern($1, usr_t, src_t) ++ exec_files_pattern($1, src_t, src_t) ++ read_lnk_files_pattern($1, src_t, src_t) + ') + + ######################################## + ## +-## Search the /var/lib directory. ++## Install a system.map into the /boot directory. + ## +-## +-##

+-## Search the /var/lib directory. This is +-## necessary to access files or directories under +-## /var/lib that have a private type. For example, a +-## domain accessing a private library file in the +-## /var/lib directory: +-##

+-##

+-## allow mydomain_t mylibfile_t:file read_file_perms; +-## files_search_var_lib(mydomain_t) +-##

+-##
+ ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_search_var_lib',` ++interface(`files_create_kernel_symbol_table',` + gen_require(` +- type var_t, var_lib_t; ++ type boot_t, system_map_t; + ') + +- search_dirs_pattern($1, var_t, var_lib_t) ++ allow $1 boot_t:dir { list_dir_perms add_entry_dir_perms }; ++ allow $1 system_map_t:file { create_file_perms rw_file_perms }; + ') + + ######################################## + ## +-## Do not audit attempts to search the +-## contents of /var/lib. ++## Dontaudit getattr attempts on the system.map file + ## + ## + ## + ## Domain to not audit. + ## + ## +-## + # +-interface(`files_dontaudit_search_var_lib',` ++interface(`files_dontaduit_getattr_kernel_symbol_table',` + gen_require(` +- type var_lib_t; ++ type system_map_t; + ') + +- dontaudit $1 var_lib_t:dir search_dir_perms; ++ dontaudit $1 system_map_t:file getattr; + ') + + ######################################## + ## +-## List the contents of the /var/lib directory. ++## Read system.map in the /boot directory. + ## + ## + ## +@@ -5481,17 +6234,18 @@ interface(`files_dontaudit_search_var_lib',` + ## + ## + # +-interface(`files_list_var_lib',` ++interface(`files_read_kernel_symbol_table',` + gen_require(` +- type var_t, var_lib_t; ++ type boot_t, system_map_t; + ') + +- list_dirs_pattern($1, var_t, var_lib_t) ++ allow $1 boot_t:dir list_dir_perms; ++ read_files_pattern($1, boot_t, system_map_t) + ') + +-########################################### ++######################################## + ## +-## Read-write /var/lib directories ++## Delete a system.map in the /boot directory. 
+ ## + ## + ## +@@ -5499,70 +6253,54 @@ interface(`files_list_var_lib',` + ## + ## + # +-interface(`files_rw_var_lib_dirs',` ++interface(`files_delete_kernel_symbol_table',` + gen_require(` +- type var_lib_t; ++ type boot_t, system_map_t; + ') + +- rw_dirs_pattern($1, var_lib_t, var_lib_t) ++ allow $1 boot_t:dir list_dir_perms; ++ delete_files_pattern($1, boot_t, system_map_t) + ') + + ######################################## + ## +-## Create objects in the /var/lib directory ++## Search the contents of /var. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## +-## +-## The type of the object to be created +-## +-## +-## +-## +-## The object class. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## + # +-interface(`files_var_lib_filetrans',` ++interface(`files_search_var',` + gen_require(` +- type var_t, var_lib_t; ++ type var_t; + ') + + allow $1 var_t:dir search_dir_perms; +- filetrans_pattern($1, var_lib_t, $2, $3, $4) + ') + + ######################################## + ## +-## Read generic files in /var/lib. ++## Do not audit attempts to write to /var. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. 
+ ## + ## + # +-interface(`files_read_var_lib_files',` ++interface(`files_dontaudit_write_var_dirs',` + gen_require(` +- type var_t, var_lib_t; ++ type var_t; + ') + +- allow $1 var_lib_t:dir list_dir_perms; +- read_files_pattern($1, { var_t var_lib_t }, var_lib_t) ++ dontaudit $1 var_t:dir write; + ') + + ######################################## + ## +-## Read generic symbolic links in /var/lib ++## Allow attempts to write to /var.dirs + ## + ## + ## +@@ -5570,41 +6308,36 @@ interface(`files_read_var_lib_files',` + ## + ## + # +-interface(`files_read_var_lib_symlinks',` ++interface(`files_write_var_dirs',` + gen_require(` +- type var_t, var_lib_t; ++ type var_t; + ') + +- read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) ++ allow $1 var_t:dir write; + ') + +-# cjp: the next two interfaces really need to be fixed +-# in some way. They really neeed their own types. +- + ######################################## + ## +-## Create, read, write, and delete the +-## pseudorandom number generator seed. ++## Do not audit attempts to search ++## the contents of /var. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_manage_urandom_seed',` ++interface(`files_dontaudit_search_var',` + gen_require(` +- type var_t, var_lib_t; ++ type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- manage_files_pattern($1, var_lib_t, var_lib_t) ++ dontaudit $1 var_t:dir search_dir_perms; + ') + + ######################################## + ## +-## Allow domain to manage mount tables +-## necessary for rpcd, nfsd, etc. ++## List the contents of /var. 
+ ## + ## + ## +@@ -5612,36 +6345,36 @@ interface(`files_manage_urandom_seed',` + ## + ## + # +-interface(`files_manage_mounttab',` ++interface(`files_list_var',` + gen_require(` +- type var_t, var_lib_t; ++ type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- manage_files_pattern($1, var_lib_t, var_lib_t) ++ allow $1 var_t:dir list_dir_perms; + ') + + ######################################## + ## +-## Set the attributes of the generic lock directories. ++## Do not audit listing of the var directory (/var). + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_setattr_lock_dirs',` ++interface(`files_dontaudit_list_var',` + gen_require(` +- type var_t, var_lock_t; ++ type var_t; + ') + +- setattr_dirs_pattern($1, var_t, var_lock_t) ++ dontaudit $1 var_t:dir list_dir_perms; + ') + + ######################################## + ## +-## Search the locks directory (/var/lock). ++## Create, read, write, and delete directories ++## in the /var directory. + ## + ## + ## +@@ -5649,38 +6382,35 @@ interface(`files_setattr_lock_dirs',` + ## + ## + # +-interface(`files_search_locks',` ++interface(`files_manage_var_dirs',` + gen_require(` +- type var_t, var_lock_t; ++ type var_t; + ') + +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- search_dirs_pattern($1, var_t, var_lock_t) ++ allow $1 var_t:dir manage_dir_perms; + ') + + ######################################## + ## +-## Do not audit attempts to search the +-## locks directory (/var/lock). ++## Read files in the /var directory. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. 
+ ## + ## + # +-interface(`files_dontaudit_search_locks',` ++interface(`files_read_var_files',` + gen_require(` +- type var_lock_t; ++ type var_t; + ') + +- dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms; +- dontaudit $1 var_lock_t:dir search_dir_perms; ++ read_files_pattern($1, var_t, var_t) + ') + + ######################################## + ## +-## List generic lock directories. ++## Append files in the /var directory. + ## + ## + ## +@@ -5688,19 +6418,17 @@ interface(`files_dontaudit_search_locks',` + ## + ## + # +-interface(`files_list_locks',` ++interface(`files_append_var_files',` + gen_require(` +- type var_t, var_lock_t; ++ type var_t; + ') + +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; - list_dirs_pattern($1, var_t, var_lock_t) -+ allow $1 var_lock_t:dir setattr; ++ append_files_pattern($1, var_t, var_t) + ') + + ######################################## + ## +-## Add and remove entries in the /var/lock +-## directories. ++## Read and write files in the /var directory. + ## + ## + ## +@@ -5708,60 +6436,54 @@ interface(`files_list_locks',` + ## + ## + # +-interface(`files_rw_lock_dirs',` ++interface(`files_rw_var_files',` + gen_require(` +- type var_t, var_lock_t; ++ type var_t; + ') + +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- rw_dirs_pattern($1, var_t, var_lock_t) ++ rw_files_pattern($1, var_t, var_t) + ') + + ######################################## + ## +-## Create lock directories ++## Do not audit attempts to read and write ++## files in the /var directory. + ## + ## +-## +-## Domain allowed access ++## ++## Domain to not audit. 
+ ## + ## + # +-interface(`files_create_lock_dirs',` ++interface(`files_dontaudit_rw_var_files',` + gen_require(` +- type var_t, var_lock_t; ++ type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- create_dirs_pattern($1, var_lock_t, var_lock_t) ++ dontaudit $1 var_t:file rw_inherited_file_perms; + ') + + ######################################## + ## +-## Relabel to and from all lock directory types. ++## Create, read, write, and delete files in the /var directory. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_relabel_all_lock_dirs',` ++interface(`files_manage_var_files',` + gen_require(` +- attribute lockfile; +- type var_t, var_lock_t; ++ type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- relabel_dirs_pattern($1, lockfile, lockfile) ++ manage_files_pattern($1, var_t, var_t) + ') + + ######################################## + ## +-## Get the attributes of generic lock files. ++## Read symbolic links in the /var directory. + ## + ## + ## +@@ -5769,20 +6491,18 @@ interface(`files_relabel_all_lock_dirs',` + ## + ## + # +-interface(`files_getattr_generic_locks',` ++interface(`files_read_var_symlinks',` + gen_require(` +- type var_t, var_lock_t; ++ type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- allow $1 var_lock_t:dir list_dir_perms; +- getattr_files_pattern($1, var_lock_t, var_lock_t) ++ read_lnk_files_pattern($1, var_t, var_t) + ') + + ######################################## + ## +-## Delete generic lock files. ++## Create, read, write, and delete symbolic ++## links in the /var directory. 
+ ## + ## + ## +@@ -5790,185 +6510,207 @@ interface(`files_getattr_generic_locks',` + ## + ## + # +-interface(`files_delete_generic_locks',` ++interface(`files_manage_var_symlinks',` + gen_require(` +- type var_t, var_lock_t; ++ type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- delete_files_pattern($1, var_lock_t, var_lock_t) ++ manage_lnk_files_pattern($1, var_t, var_t) + ') + + ######################################## + ## +-## Create, read, write, and delete generic +-## lock files. ++## Create objects in the /var directory + ## + ## + ## + ## Domain allowed access. + ## + ## ++## ++## ++## The type of the object to be created ++## ++## ++## ++## ++## The object class. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## + # +-interface(`files_manage_generic_locks',` ++interface(`files_var_filetrans',` + gen_require(` +- type var_t, var_lock_t; ++ type var_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- manage_dirs_pattern($1, var_lock_t, var_lock_t) +- manage_files_pattern($1, var_lock_t, var_lock_t) ++ filetrans_pattern($1, var_t, $2, $3, $4) + ') + + ######################################## + ## +-## Delete all lock files. ++## Get the attributes of the /var/lib directory. + ## + ## + ## + ## Domain allowed access. + ## + ## +-## + # +-interface(`files_delete_all_locks',` ++interface(`files_getattr_var_lib_dirs',` + gen_require(` +- attribute lockfile; +- type var_t, var_lock_t; ++ type var_t, var_lib_t; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- delete_files_pattern($1, lockfile, lockfile) ++ getattr_dirs_pattern($1, var_t, var_lib_t) ') ######################################## -@@ -5713,7 +6790,7 @@ interface(`files_rw_lock_dirs',` - type var_t, var_lock_t; + ## +-## Read all lock files. ++## Search the /var/lib directory. + ## ++## ++##

++## Search the /var/lib directory. This is ++## necessary to access files or directories under ++## /var/lib that have a private type. For example, a ++## domain accessing a private library file in the ++## /var/lib directory: ++##

++##

++## allow mydomain_t mylibfile_t:file read_file_perms; ++## files_search_var_lib(mydomain_t) ++##

++##
+ ## + ## + ## Domain allowed access. + ## + ## ++## + # +-interface(`files_read_all_locks',` ++interface(`files_search_var_lib',` + gen_require(` +- attribute lockfile; +- type var_t, var_lock_t; ++ type var_t, var_lib_t; ') - allow $1 var_lock_t:lnk_file read_lnk_file_perms; -+ files_search_locks($1) - rw_dirs_pattern($1, var_t, var_lock_t) +- allow $1 { var_t var_lock_t }:dir search_dir_perms; +- allow $1 lockfile:dir list_dir_perms; +- read_files_pattern($1, lockfile, lockfile) +- read_lnk_files_pattern($1, lockfile, lockfile) ++ search_dirs_pattern($1, var_t, var_lib_t) ') -@@ -5746,7 +6823,6 @@ interface(`files_create_lock_dirs',` - ## Domain allowed access. + ######################################## + ## +-## manage all lock files. ++## Do not audit attempts to search the ++## contents of /var/lib. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. ## ## --## ++## # - interface(`files_relabel_all_lock_dirs',` +-interface(`files_manage_all_locks',` ++interface(`files_dontaudit_search_var_lib',` gen_require(` -@@ -5761,7 +6837,7 @@ interface(`files_relabel_all_lock_dirs',` +- attribute lockfile; +- type var_t, var_lock_t; ++ type var_lib_t; + ') + +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- allow $1 { var_t var_lock_t }:dir search_dir_perms; +- manage_dirs_pattern($1, lockfile, lockfile) +- manage_files_pattern($1, lockfile, lockfile) +- manage_lnk_files_pattern($1, lockfile, lockfile) ++ dontaudit $1 var_lib_t:dir search_dir_perms; + ') ######################################## ## --## Get the attributes of generic lock files. -+## Relabel to and from all lock file types. +-## Create an object in the locks directory, with a private +-## type using a type transition. ++## List the contents of the /var/lib directory. ## ## ## -@@ -5769,13 +6845,33 @@ interface(`files_relabel_all_lock_dirs',` + ## Domain allowed access. ## ## +-## +-## +-## The type of the object to be created. 
+-## +-## +-## +-## +-## The object class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +-## +-## # --interface(`files_getattr_generic_locks',` -+interface(`files_relabel_all_lock_files',` +-interface(`files_lock_filetrans',` ++interface(`files_list_var_lib',` gen_require(` -+ attribute lockfile; - type var_t, var_lock_t; +- type var_t, var_lock_t; ++ type var_t, var_lib_t; ') - allow $1 var_t:dir search_dir_perms; - allow $1 var_lock_t:lnk_file read_lnk_file_perms; -+ relabel_files_pattern($1, lockfile, lockfile) +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_lock_t:lnk_file read_lnk_file_perms; +- filetrans_pattern($1, var_lock_t, $2, $3, $4) ++ list_dirs_pattern($1, var_t, var_lib_t) + ') + +-######################################## ++########################################### + ## +-## Do not audit attempts to get the attributes +-## of the /var/run directory. ++## Read-write /var/lib directories + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_getattr_pid_dirs',` ++interface(`files_rw_var_lib_dirs',` + gen_require(` +- type var_run_t; ++ type var_lib_t; + ') + +- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; +- dontaudit $1 var_run_t:dir getattr; ++ rw_dirs_pattern($1, var_lib_t, var_lib_t) +') + -+######################################## ++####################################### +## -+## Get the attributes of generic lock files. ++## Create directories in /var/lib +## +## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. 
++## +## +# -+interface(`files_getattr_generic_locks',` -+ gen_require(` -+ type var_t, var_lock_t; -+ ') -+ -+ files_search_locks($1) - allow $1 var_lock_t:dir list_dir_perms; - getattr_files_pattern($1, var_lock_t, var_lock_t) ++interface(`files_create_var_lib_dirs',` ++ gen_require(` ++ type var_lib_t; ++ ') ++ allow $1 var_lib_t:dir { create rw_dir_perms }; ') -@@ -5791,13 +6887,12 @@ interface(`files_getattr_generic_locks',` + + ######################################## + ## +-## Set the attributes of the /var/run directory. ++## Create objects in the /var/lib directory + ## + ## + ## + ## Domain allowed access. + ## ## ++## ++## ++## The type of the object to be created ++## ++## ++## ++## ++## The object class. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## # - interface(`files_delete_generic_locks',` -- gen_require(` -+ gen_require(` - type var_t, var_lock_t; -- ') -+ ') +-interface(`files_setattr_pid_dirs',` ++interface(`files_var_lib_filetrans',` + gen_require(` +- type var_run_t; ++ type var_t, var_lib_t; + ') -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- delete_files_pattern($1, var_lock_t, var_lock_t) -+ files_search_locks($1) -+ delete_files_pattern($1, var_lock_t, var_lock_t) +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- allow $1 var_run_t:dir setattr; ++ allow $1 var_t:dir search_dir_perms; ++ filetrans_pattern($1, var_lib_t, $2, $3, $4) ') ######################################## -@@ -5816,9 +6911,7 @@ interface(`files_manage_generic_locks',` - type var_t, var_lock_t; + ## +-## Search the contents of runtime process +-## ID directories (/var/run). ++## Read generic files in /var/lib. 
+ ## + ## + ## +@@ -5976,39 +6718,37 @@ interface(`files_setattr_pid_dirs',` + ## + ## + # +-interface(`files_search_pids',` ++interface(`files_read_var_lib_files',` + gen_require(` +- type var_t, var_run_t; ++ type var_t, var_lib_t; ') -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- manage_dirs_pattern($1, var_lock_t, var_lock_t) -+ files_search_locks($1) - manage_files_pattern($1, var_lock_t, var_lock_t) +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- search_dirs_pattern($1, var_t, var_run_t) ++ allow $1 var_lib_t:dir list_dir_perms; ++ read_files_pattern($1, { var_t var_lib_t }, var_lib_t) ') -@@ -5860,8 +6953,7 @@ interface(`files_read_all_locks',` - type var_t, var_lock_t; + ######################################## + ## +-## Do not audit attempts to search +-## the /var/run directory. ++## Read generic symbolic links in /var/lib + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. + ## + ## + # +-interface(`files_dontaudit_search_pids',` ++interface(`files_read_var_lib_symlinks',` + gen_require(` +- type var_run_t; ++ type var_t, var_lib_t; ') -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- allow $1 { var_t var_lock_t }:dir search_dir_perms; -+ files_search_locks($1) - allow $1 lockfile:dir list_dir_perms; - read_files_pattern($1, lockfile, lockfile) - read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5883,8 +6975,7 @@ interface(`files_manage_all_locks',` - type var_t, var_lock_t; - ') +- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; +- dontaudit $1 var_run_t:dir search_dir_perms; ++ read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t) + ') -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -- allow $1 { var_t var_lock_t }:dir search_dir_perms; -+ files_search_locks($1) - manage_dirs_pattern($1, lockfile, lockfile) - manage_files_pattern($1, lockfile, lockfile) - manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5921,8 +7012,7 @@ 
interface(`files_lock_filetrans',` - type var_t, var_lock_t; + ######################################## + ## +-## List the contents of the runtime process +-## ID directories (/var/run). ++## manage generic symbolic links ++## in the /var/lib directory. + ## + ## + ## +@@ -6016,18 +6756,21 @@ interface(`files_dontaudit_search_pids',` + ## + ## + # +-interface(`files_list_pids',` ++interface(`files_manage_var_lib_symlinks',` + gen_require(` +- type var_t, var_run_t; ++ type var_lib_t; ') -- allow $1 var_t:dir search_dir_perms; -- allow $1 var_lock_t:lnk_file read_lnk_file_perms; -+ files_search_locks($1) - filetrans_pattern($1, var_lock_t, $2, $3, $4) +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, var_run_t) ++ manage_lnk_files_pattern($1,var_lib_t,var_lib_t) ') -@@ -5961,7 +7051,7 @@ interface(`files_setattr_pid_dirs',` - type var_run_t; ++# cjp: the next two interfaces really need to be fixed ++# in some way. They really neeed their own types. ++ + ######################################## + ## +-## Read generic process ID files. ++## Create, read, write, and delete the ++## pseudorandom number generator seed. + ## + ## + ## +@@ -6035,19 +6778,19 @@ interface(`files_list_pids',` + ## + ## + # +-interface(`files_read_generic_pids',` ++interface(`files_manage_urandom_seed',` + gen_require(` +- type var_t, var_run_t; ++ type var_t, var_lib_t; ') - allow $1 var_run_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, var_run_t) +- read_files_pattern($1, var_run_t, var_run_t) ++ allow $1 var_t:dir search_dir_perms; ++ manage_files_pattern($1, var_lib_t, var_lib_t) + ') + + ######################################## + ## +-## Write named generic process ID pipes ++## Allow domain to manage mount tables ++## necessary for rpcd, nfsd, etc. 
+ ## + ## + ## +@@ -6055,58 +6798,1223 @@ interface(`files_read_generic_pids',` + ## + ## + # +-interface(`files_write_generic_pid_pipes',` ++interface(`files_manage_mounttab',` ++ gen_require(` ++ type var_t, var_lib_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ manage_files_pattern($1, var_lib_t, var_lib_t) ++') ++ ++######################################## ++## ++## List generic lock directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_list_locks',` ++ gen_require(` ++ type var_t, var_lock_t; ++ ') ++ ++ files_search_locks($1) ++ list_dirs_pattern($1, var_t, var_lock_t) ++') ++ ++######################################## ++## ++## Search the locks directory (/var/lock). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_search_locks',` ++ gen_require(` ++ type var_t, var_lock_t; ++ ') ++ ++ files_search_pids($1) ++ allow $1 var_lock_t:lnk_file read_lnk_file_perms; ++ search_dirs_pattern($1, var_t, var_lock_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to search the ++## locks directory (/var/lock). ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_search_locks',` ++ gen_require(` ++ type var_lock_t; ++ ') ++ ++ dontaudit $1 var_lock_t:lnk_file read_lnk_file_perms; ++ dontaudit $1 var_lock_t:dir search_dir_perms; ++') ++ ++######################################## ++## ++## Do not audit attempts to read/write inherited ++## locks (/var/lock). ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_rw_inherited_locks',` ++ gen_require(` ++ type var_lock_t; ++ ') ++ ++ dontaudit $1 var_lock_t:file rw_inherited_file_perms; ++') ++ ++######################################## ++## ++## Set the attributes of the /var/lock directory. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_setattr_lock_dirs',` ++ gen_require(` ++ type var_lock_t; ++ ') ++ ++ allow $1 var_lock_t:dir setattr; ++') ++ ++######################################## ++## ++## Add and remove entries in the /var/lock ++## directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_rw_lock_dirs',` ++ gen_require(` ++ type var_t, var_lock_t; ++ ') ++ ++ files_search_locks($1) ++ rw_dirs_pattern($1, var_t, var_lock_t) ++') ++ ++######################################## ++## ++## Create lock directories ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`files_create_lock_dirs',` ++ gen_require(` ++ type var_t, var_lock_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ allow $1 var_lock_t:lnk_file read_lnk_file_perms; ++ create_dirs_pattern($1, var_lock_t, var_lock_t) ++') ++ ++######################################## ++## ++## Relabel to and from all lock directory types. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_relabel_all_lock_dirs',` ++ gen_require(` ++ attribute lockfile; ++ type var_t, var_lock_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ allow $1 var_lock_t:lnk_file read_lnk_file_perms; ++ relabel_dirs_pattern($1, lockfile, lockfile) ++') ++ ++######################################## ++## ++## Relabel to and from all lock file types. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_relabel_all_lock_files',` ++ gen_require(` ++ attribute lockfile; ++ type var_t, var_lock_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ allow $1 var_lock_t:lnk_file read_lnk_file_perms; ++ relabel_files_pattern($1, lockfile, lockfile) ++') ++ ++######################################## ++## ++## Get the attributes of generic lock files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_getattr_generic_locks',` ++ gen_require(` ++ type var_t, var_lock_t; ++ ') ++ ++ files_search_locks($1) ++ allow $1 var_lock_t:dir list_dir_perms; ++ getattr_files_pattern($1, var_lock_t, var_lock_t) ++') ++ ++######################################## ++## ++## Delete generic lock files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_delete_generic_locks',` ++ gen_require(` ++ type var_t, var_lock_t; ++ ') ++ ++ files_search_locks($1) ++ delete_files_pattern($1, var_lock_t, var_lock_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete generic ++## lock files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_generic_locks',` ++ gen_require(` ++ type var_t, var_lock_t; ++ ') ++ ++ files_search_locks($1) ++ manage_files_pattern($1, var_lock_t, var_lock_t) ++') ++ ++######################################## ++## ++## Delete all lock files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`files_delete_all_locks',` ++ gen_require(` ++ attribute lockfile; ++ type var_t, var_lock_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ allow $1 var_lock_t:lnk_file read_lnk_file_perms; ++ delete_files_pattern($1, lockfile, lockfile) ++') ++ ++######################################## ++## ++## Read all lock files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_read_all_locks',` ++ gen_require(` ++ attribute lockfile; ++ type var_t, var_lock_t; ++ ') ++ ++ files_search_locks($1) ++ allow $1 lockfile:dir list_dir_perms; ++ read_files_pattern($1, lockfile, lockfile) ++ read_lnk_files_pattern($1, lockfile, lockfile) ++') ++ ++######################################## ++## ++## manage all lock files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_manage_all_locks',` ++ gen_require(` ++ attribute lockfile; ++ type var_t, var_lock_t; ++ ') ++ ++ files_search_locks($1) ++ manage_dirs_pattern($1, lockfile, lockfile) ++ manage_files_pattern($1, lockfile, lockfile) ++ manage_lnk_files_pattern($1, lockfile, lockfile) ++') ++ ++######################################## ++## ++## Create an object in the locks directory, with a private ++## type using a type transition. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to be created. ++## ++## ++## ++## ++## The object class of the object being created. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`files_lock_filetrans',` ++ gen_require(` ++ type var_t, var_lock_t; ++ ') ++ ++ files_search_locks($1) ++ filetrans_pattern($1, var_lock_t, $2, $3, $4) ++') ++ ++######################################## ++## ++## Do not audit attempts to get the attributes ++## of the /var/run directory. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_getattr_pid_dirs',` ++ gen_require(` ++ type var_run_t; ++ ') ++ ++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; ++ dontaudit $1 var_run_t:dir getattr; ++') ++ ++######################################## ++## ++## Set the attributes of the /var/run directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_setattr_pid_dirs',` ++ gen_require(` ++ type var_run_t; ++ ') ++ + files_search_pids($1) - allow $1 var_run_t:dir setattr; - ') - -@@ -5981,10 +7071,48 @@ interface(`files_search_pids',` - type var_t, var_run_t; - ') - ++ allow $1 var_run_t:dir setattr; ++') ++ ++######################################## ++## ++## Search the contents of runtime process ++## ID directories (/var/run). ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_search_pids',` ++ gen_require(` ++ type var_t, var_run_t; ++ ') ++ + allow $1 var_t:lnk_file read_lnk_file_perms; - allow $1 var_run_t:lnk_file read_lnk_file_perms; - search_dirs_pattern($1, var_t, var_run_t) - ') - ++ allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ search_dirs_pattern($1, var_t, var_run_t) ++') ++ +###################################### +## +## Add and remove entries from pid directories. @@ -11654,13 +13879,28 @@ index 64ff4d7..2b01383 100644 + allow $1 var_run_t:dir create_dir_perms; +') + - ######################################## - ## - ## Do not audit attempts to search -@@ -6007,6 +7135,25 @@ interface(`files_dontaudit_search_pids',` - - ######################################## - ## ++######################################## ++## ++## Do not audit attempts to search ++## the /var/run directory. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_search_pids',` ++ gen_require(` ++ type var_run_t; ++ ') ++ ++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; ++ dontaudit $1 var_run_t:dir search_dir_perms; ++') ++ ++######################################## ++## +## Do not audit attempts to search +## the all /var/run directory. +## 
@@ -11680,74 +13920,167 @@ index 64ff4d7..2b01383 100644 + +######################################## +## - ## List the contents of the runtime process - ## ID directories (/var/run). - ## -@@ -6021,7 +7168,7 @@ interface(`files_list_pids',` - type var_t, var_run_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; ++## List the contents of the runtime process ++## ID directories (/var/run). ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_list_pids',` ++ gen_require(` ++ type var_t, var_run_t; ++ ') ++ + files_search_pids($1) - list_dirs_pattern($1, var_t, var_run_t) - ') - -@@ -6040,7 +7187,7 @@ interface(`files_read_generic_pids',` - type var_t, var_run_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ list_dirs_pattern($1, var_t, var_run_t) ++') ++ ++######################################## ++## ++## Read generic process ID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_read_generic_pids',` ++ gen_require(` ++ type var_t, var_run_t; ++ ') ++ + files_search_pids($1) - list_dirs_pattern($1, var_t, var_run_t) - read_files_pattern($1, var_run_t, var_run_t) - ') -@@ -6060,7 +7207,7 @@ interface(`files_write_generic_pid_pipes',` - type var_run_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; ++ list_dirs_pattern($1, var_t, var_run_t) ++ read_files_pattern($1, var_run_t, var_run_t) ++') ++ ++######################################## ++## ++## Write named generic process ID pipes ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`files_write_generic_pid_pipes',` ++ gen_require(` ++ type var_run_t; ++ ') ++ + files_search_pids($1) - allow $1 var_run_t:fifo_file write; - ') - -@@ -6122,7 +7269,6 @@ interface(`files_pid_filetrans',` - ') - - allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; - filetrans_pattern($1, var_run_t, $2, $3, $4) - ') - -@@ -6151,7 +7297,7 @@ interface(`files_pid_filetrans_lock_dir',` - - ######################################## - ## --## Read and write generic process ID files. ++ allow $1 var_run_t:fifo_file write; ++') ++ ++######################################## ++## ++## Create an object in the process ID directory, with a private type. ++## ++## ++##

++## Create an object in the process ID directory (e.g., /var/run) ++## with a private type. Typically this is used for creating ++## private PID files in /var/run with the private type instead ++## of the general PID file type. To accomplish this goal, ++## either the program must be SELinux-aware, or use this interface. ++##

++##

++## Related interfaces: ++##

++##
    ++##
  • files_pid_file()
  • ++##
++##

++## Example usage with a domain that can create and ++## write its PID file with a private PID file type in the ++## /var/run directory: ++##

++##

++## type mypidfile_t; ++## files_pid_file(mypidfile_t) ++## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; ++## files_pid_filetrans(mydomain_t, mypidfile_t, file) ++##

++##
++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to be created. ++## ++## ++## ++## ++## The object class of the object being created. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++## ++# ++interface(`files_pid_filetrans',` ++ gen_require(` ++ type var_t, var_run_t; ++ ') ++ ++ allow $1 var_t:dir search_dir_perms; ++ filetrans_pattern($1, var_run_t, $2, $3, $4) ++') ++ ++######################################## ++## ++## Create a generic lock directory within the run directories ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`files_pid_filetrans_lock_dir',` ++ gen_require(` ++ type var_lock_t; ++ ') ++ ++ files_pid_filetrans($1, var_lock_t, dir, $2) ++') ++ ++######################################## ++## +## rw generic pid files inherited from another process - ## - ## - ## -@@ -6159,20 +7305,38 @@ interface(`files_pid_filetrans_lock_dir',` - ## - ## - # --interface(`files_rw_generic_pids',` ++##
++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_rw_inherited_generic_pid_files',` - gen_require(` -- type var_t, var_run_t; ++ gen_require(` + type var_run_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; -- list_dirs_pattern($1, var_t, var_run_t) -- rw_files_pattern($1, var_run_t, var_run_t) ++ ') ++ + allow $1 var_run_t:file rw_inherited_file_perms; - ') - - ######################################## - ## --## Do not audit attempts to get the attributes of --## daemon runtime data files. ++') ++ ++######################################## ++## +## Read and write generic process ID files. +## +## 
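Review bot: files_pid_filetrans on the new side reaches /var/run with only `allow $1 var_t:dir search_dir_perms;` before the filetrans_pattern call, whereas every other /var/run interface rewritten in this hunk (files_list_pids, files_read_generic_pids, files_write_generic_pid_pipes) goes through `files_search_pids($1)`, which as rewritten earlier in this patch also grants var_run_t:lnk_file read_lnk_file_perms. The explicit link-read allow that the upstream body carried is removed by this patch (the `+- allow $1 var_run_t:lnk_file read_lnk_file_perms;` line is visible in a later hunk) and nothing replaces it here, so on a target where /var/run is a symlink a transitioning caller would presumably be denied the link traversal its siblings are granted. Replacing the var_t allow with `files_search_pids($1)` keeps the interfaces consistent. The same pattern applies to files_read_all_pids in the hunk at -11887, which calls list_dirs_pattern on var_t directly; the files_pid_filetrans description block starts earlier in this hunk but its body is complete here.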
@@ -11770,13 +14103,64 @@ index 64ff4d7..2b01383 100644 +## +## Do not audit attempts to get the attributes of +## daemon runtime data files. - ## - ## - ## -@@ -6231,6 +7395,116 @@ interface(`files_dontaudit_ioctl_all_pids',` - - ######################################## - ## ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_getattr_all_pids',` ++ gen_require(` ++ attribute pidfile; ++ type var_run_t; ++ ') ++ ++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; ++ dontaudit $1 pidfile:file getattr; ++') ++ ++######################################## ++## ++## Do not audit attempts to write to daemon runtime data files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_write_all_pids',` ++ gen_require(` ++ attribute pidfile; ++ ') ++ ++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; ++ dontaudit $1 pidfile:file write; ++') ++ ++######################################## ++## ++## Do not audit attempts to ioctl daemon runtime data files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_ioctl_all_pids',` ++ gen_require(` ++ attribute pidfile; ++ type var_run_t; ++ ') ++ ++ dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; ++ dontaudit $1 pidfile:file ioctl; ++') ++ ++######################################## ++## +## Relable all pid directories +## +## 
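Review bot: files_dontaudit_write_all_pids references var_run_t in `dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;` but its gen_require block declares only `attribute pidfile;`, while the neighbouring files_dontaudit_getattr_all_pids and files_dontaudit_ioctl_all_pids in this same hunk require both `attribute pidfile;` and `type var_run_t;`. Add `type var_run_t;` to the gen_require block so the declaration matches what the body uses. Whether the missing require breaks a build depends on how gen_require is processed for the base module, but a module that calls this interface would otherwise depend on an undeclared type.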
@@ -11887,20 +14271,23 @@ index 64ff4d7..2b01383 100644 + +######################################## +## - ## Read all process ID files. - ## - ## -@@ -6243,12 +7517,86 @@ interface(`files_dontaudit_ioctl_all_pids',` - interface(`files_read_all_pids',` - gen_require(` - attribute pidfile; -- type var_t, var_run_t; ++## Read all process ID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`files_read_all_pids',` ++ gen_require(` ++ attribute pidfile; + type var_t; - ') - -- allow $1 var_run_t:lnk_file read_lnk_file_perms; - list_dirs_pattern($1, var_t, pidfile) - read_files_pattern($1, pidfile, pidfile) ++ ') ++ ++ list_dirs_pattern($1, var_t, pidfile) ++ read_files_pattern($1, pidfile, pidfile) + read_lnk_files_pattern($1, pidfile, pidfile) +') + @@ -11933,10 +14320,12 @@ index 64ff4d7..2b01383 100644 +## +# +interface(`files_exec_generic_pid_files',` -+ gen_require(` -+ type var_run_t; -+ ') -+ + gen_require(` + type var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- allow $1 var_run_t:fifo_file write; + exec_files_pattern($1, var_run_t, var_run_t) +') + 
@@ -11976,33 +14365,57 @@ index 64ff4d7..2b01383 100644 + ') + + allow $1 polymember:dir mounton; - ') - - ######################################## -@@ -6268,8 +7616,8 @@ interface(`files_delete_all_pids',` - type var_t, var_run_t; - ') - ++') ++ ++######################################## ++## ++## Delete all process IDs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`files_delete_all_pids',` ++ gen_require(` ++ attribute pidfile; ++ type var_t, var_run_t; ++ ') ++ + files_search_pids($1) - allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; - allow $1 var_run_t:dir rmdir; - allow $1 var_run_t:lnk_file delete_lnk_file_perms; - delete_files_pattern($1, pidfile, pidfile) -@@ -6293,36 +7641,80 @@ interface(`files_delete_all_pid_dirs',` - type var_t, var_run_t; - ') - ++ allow $1 var_t:dir search_dir_perms; ++ allow $1 var_run_t:dir rmdir; ++ allow $1 var_run_t:lnk_file delete_lnk_file_perms; ++ delete_files_pattern($1, pidfile, pidfile) ++ delete_fifo_files_pattern($1, pidfile, pidfile) ++ delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) ++') ++ ++######################################## ++## ++## Delete all process ID directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_delete_all_pid_dirs',` ++ gen_require(` ++ attribute pidfile; ++ type var_t, var_run_t; ++ ') ++ + files_search_pids($1) - allow $1 var_t:dir search_dir_perms; -- allow $1 var_run_t:lnk_file read_lnk_file_perms; - delete_dirs_pattern($1, pidfile, pidfile) - ') - - ######################################## - ## --## Create, read, write and delete all --## var_run (pid) content ++ allow $1 var_t:dir search_dir_perms; ++ delete_dirs_pattern($1, pidfile, pidfile) ++') ++ ++######################################## ++## +## Make the specified type a file +## used for spool files. +## 
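Review bot: In both files_delete_all_pids and files_delete_all_pid_dirs the new side calls `files_search_pids($1)` and then immediately adds `allow $1 var_t:dir search_dir_perms;`. files_search_pids as rewritten earlier in this patch already calls search_dirs_pattern($1, var_t, var_run_t), which I believe grants the var_t directory search, so the explicit allow appears redundant in both interfaces and can be dropped; if it is kept deliberately, a one-line comment such as `# var_t search granted explicitly; files_search_pids already covers it` would stop the next reader from asking the same question.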
@@ -12052,153 +14465,24 @@ index 64ff4d7..2b01383 100644 +######################################## +## +## Create all spool sockets - ## - ## - ## --## Domain alloed access. -+## Domain allowed access. - ## - ## - # --interface(`files_manage_all_pids',` -+interface(`files_create_all_spool_sockets',` - gen_require(` -- attribute pidfile; -+ attribute spoolfile; - ') - -- manage_dirs_pattern($1, pidfile, pidfile) -- manage_files_pattern($1, pidfile, pidfile) -- manage_lnk_files_pattern($1, pidfile, pidfile) -+ allow $1 spoolfile:sock_file create_sock_file_perms; - ') - - ######################################## - ## --## Mount filesystems on all polyinstantiation --## member directories. -+## Delete all spool sockets - ## - ## - ## -@@ -6330,12 +7722,33 @@ interface(`files_manage_all_pids',` - ## - ## - # --interface(`files_mounton_all_poly_members',` -+interface(`files_delete_all_spool_sockets',` - gen_require(` -- attribute polymember; -+ attribute spoolfile; - ') - -- allow $1 polymember:dir mounton; -+ allow $1 spoolfile:sock_file delete_sock_file_perms; -+') -+ -+######################################## -+## -+## Relabel to and from all spool -+## directory types. +## +## +## +## Domain allowed access. +## +## -+## +# -+interface(`files_relabel_all_spool_dirs',` ++interface(`files_create_all_spool_sockets',` + gen_require(` + attribute spoolfile; -+ type var_t; -+ ') -+ -+ relabel_dirs_pattern($1, spoolfile, spoolfile) - ') - - ######################################## -@@ -6562,3 +7975,491 @@ interface(`files_unconfined',` - - typeattribute $1 files_unconfined_type; - ') -+ -+######################################## -+## -+## Create a core files in / -+## -+## -+##

-+## Create a core file in /, -+##

-+##
-+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`files_manage_root_files',` -+ gen_require(` -+ type root_t; + ') + -+ manage_files_pattern($1, root_t, root_t) -+') -+ -+######################################## -+## -+## Create a default directory -+## -+## -+##

-+## Create a default_t direcrory -+##

-+##
-+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`files_create_default_dir',` -+ gen_require(` -+ type default_t; -+ ') -+ -+ allow $1 default_t:dir create; -+') -+ -+######################################## -+## -+## Create, default_t objects with an automatic -+## type transition. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## The class of the object being created. -+## -+## -+# -+interface(`files_root_filetrans_default',` -+ gen_require(` -+ type root_t, default_t; -+ ') -+ -+ filetrans_pattern($1, root_t, default_t, $2) ++ allow $1 spoolfile:sock_file create_sock_file_perms; +') + +######################################## +## -+## manage generic symbolic links -+## in the /var/run directory. ++## Delete all spool sockets +## +## +## 
@@ -12206,54 +14490,59 @@ index 64ff4d7..2b01383 100644 +## +## +# -+interface(`files_manage_generic_pids_symlinks',` ++interface(`files_delete_all_spool_sockets',` + gen_require(` -+ type var_run_t; ++ attribute spoolfile; + ') + -+ manage_lnk_files_pattern($1,var_run_t,var_run_t) ++ allow $1 spoolfile:sock_file delete_sock_file_perms; +') + +######################################## +## -+## Do not audit attempts to getattr -+## all tmpfs files. ++## Relabel to and from all spool ++## directory types. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## ++## +# -+interface(`files_dontaudit_getattr_tmpfs_files',` ++interface(`files_relabel_all_spool_dirs',` + gen_require(` -+ attribute tmpfsfile; ++ attribute spoolfile; ++ type var_t; + ') + -+ allow $1 tmpfsfile:file getattr; ++ relabel_dirs_pattern($1, spoolfile, spoolfile) +') + +######################################## +## -+## Allow read write all tmpfs files ++## Search the contents of generic spool ++## directories (/var/spool). +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`files_rw_tmpfs_files',` ++interface(`files_search_spool',` + gen_require(` -+ attribute tmpfsfile; ++ type var_t, var_spool_t; + ') + -+ allow $1 tmpfsfile:file { read write }; -+') -+ -+######################################## -+## -+## Do not audit attempts to read security files ++ search_dirs_pattern($1, var_t, var_spool_t) + ') + + ######################################## + ## +-## Create an object in the process ID directory, with a private type. ++## Do not audit attempts to search generic ++## spool directories. +## +## +## 
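Review bot: files_relabel_all_spool_dirs declares `type var_t;` in its gen_require block but its body is only `relabel_dirs_pattern($1, spoolfile, spoolfile)`, so var_t is required and never used, and unlike files_search_spool in the same hunk the interface grants no path search towards the spool directories. Either drop the unused `type var_t;` line, or if the intent is that a relabeler can reach /var/spool on its own, call `files_search_spool($1)` before the relabel_dirs_pattern line so the requirement is actually exercised. Which of the two is intended is not visible from the hunk.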
@@ -12261,193 +14550,687 @@ index 64ff4d7..2b01383 100644 +## +## +# -+interface(`files_dontaudit_read_security_files',` ++interface(`files_dontaudit_search_spool',` + gen_require(` -+ attribute security_file_type; ++ type var_spool_t; + ') + -+ dontaudit $1 security_file_type:file read_file_perms; ++ dontaudit $1 var_spool_t:dir search_dir_perms; +') + +######################################## +## -+## rw any files inherited from another process -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+## -+## Object type. -+## -+## ++## List the contents of generic spool ++## (/var/spool) directories. + ## +-## +-##

+-## Create an object in the process ID directory (e.g., /var/run) +-## with a private type. Typically this is used for creating +-## private PID files in /var/run with the private type instead +-## of the general PID file type. To accomplish this goal, +-## either the program must be SELinux-aware, or use this interface. +-##

+-##

+-## Related interfaces: +-##

+-##
    +-##
  • files_pid_file()
  • +-##
+-##

+-## Example usage with a domain that can create and +-## write its PID file with a private PID file type in the +-## /var/run directory: +-##

+-##

+-## type mypidfile_t; +-## files_pid_file(mypidfile_t) +-## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms }; +-## files_pid_filetrans(mydomain_t, mypidfile_t, file) +-##

+-##
+ ## + ## + ## Domain allowed access. + ## + ## +-## +# -+interface(`files_rw_all_inherited_files',` ++interface(`files_list_spool',` + gen_require(` -+ attribute file_type; ++ type var_t, var_spool_t; + ') + -+ allow $1 { file_type $2 }:file rw_inherited_file_perms; -+ allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms; -+ allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms; -+ allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms; ++ list_dirs_pattern($1, var_t, var_spool_t) +') + +######################################## +## -+## Allow any file point to be the entrypoint of this domain ++## Create, read, write, and delete generic ++## spool directories (/var/spool). +## +## -+## + ## +-## The type of the object to be created. +## Domain allowed access. -+## -+## -+## + ## + ## +-## +# -+interface(`files_entrypoint_all_files',` ++interface(`files_manage_generic_spool_dirs',` + gen_require(` -+ attribute file_type; ++ type var_t, var_spool_t; + ') -+ allow $1 file_type:file entrypoint; ++ ++ allow $1 var_t:dir search_dir_perms; ++ manage_dirs_pattern($1, var_spool_t, var_spool_t) +') + +######################################## +## -+## Do not audit attempts to rw inherited file perms -+## of non security files. ++## Read generic spool files. +## +## -+## -+## Domain to not audit. + ## +-## The object class of the object being created. ++## Domain allowed access. +## +## +# -+interface(`files_dontaudit_all_non_security_leaks',` ++interface(`files_read_generic_spool',` + gen_require(` -+ attribute non_security_file_type; ++ type var_t, var_spool_t; + ') + -+ dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms; ++ list_dirs_pattern($1, var_t, var_spool_t) ++ read_files_pattern($1, var_spool_t, var_spool_t) +') + +######################################## +## -+## Do not audit attempts to read or write -+## all leaked files. ++## Create, read, write, and delete generic ++## spool files. 
+## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`files_dontaudit_leaks',` ++interface(`files_manage_generic_spool',` + gen_require(` -+ attribute file_type; ++ type var_t, var_spool_t; + ') + -+ dontaudit $1 file_type:file rw_inherited_file_perms; -+ dontaudit $1 file_type:lnk_file { read }; ++ allow $1 var_t:dir search_dir_perms; ++ manage_files_pattern($1, var_spool_t, var_spool_t) +') + +######################################## +## -+## Allow domain to create_file_ass all types ++## Create objects in the spool directory ++## with a private type with a type transition. +## +## +## +## Domain allowed access. +## +## -+# -+interface(`files_create_as_is_all_files',` ++## ++## ++## Type to which the created node will be transitioned. ++## ++## ++## ++## ++## Object class(es) (single or set including {}) for which this ++## the transition will occur. + ## + ## + ## +@@ -6114,44 +8022,165 @@ interface(`files_write_generic_pid_pipes',` + ## The name of the object being created. + ## + ## +-## + # +-interface(`files_pid_filetrans',` +- gen_require(` +- type var_t, var_run_t; +- ') ++interface(`files_spool_filetrans',` + gen_require(` -+ attribute file_type; -+ class kernel_service create_files_as; ++ type var_t, var_spool_t; + ') + -+ allow $1 file_type:kernel_service create_files_as; ++ allow $1 var_t:dir search_dir_perms; ++ filetrans_pattern($1, var_spool_t, $2, $3, $4) +') + +######################################## +## -+## Do not audit attempts to check the -+## access on all files ++## Allow access to manage all polyinstantiated ++## directories on the system. +## +## +## -+## Domain to not audit. ++## Domain allowed access. 
+## +## +# -+interface(`files_dontaudit_all_access_check',` ++interface(`files_polyinstantiate_all',` + gen_require(` -+ attribute file_type; ++ attribute polydir, polymember, polyparent; ++ type poly_t; + ') + -+ dontaudit $1 file_type:dir_file_class_set audit_access; ++ # Need to give access to /selinux/member ++ selinux_compute_member($1) ++ ++ # Need sys_admin capability for mounting ++ allow $1 self:capability { chown fsetid sys_admin fowner }; ++ ++ # Need to give access to the directories to be polyinstantiated ++ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; ++ ++ # Need to give access to the polyinstantiated subdirectories ++ allow $1 polymember:dir search_dir_perms; ++ ++ # Need to give access to parent directories where original ++ # is remounted for polyinstantiation aware programs (like gdm) ++ allow $1 polyparent:dir { getattr mounton }; ++ ++ # Need to give permission to create directories where applicable ++ allow $1 self:process setfscreate; ++ allow $1 polymember: dir { create setattr relabelto }; ++ allow $1 polydir: dir { write add_name open }; ++ allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; ++ ++ # Default type for mountpoints ++ allow $1 poly_t:dir { create mounton }; ++ fs_unmount_xattr_fs($1) ++ ++ fs_mount_tmpfs($1) ++ fs_unmount_tmpfs($1) ++ ++ ifdef(`distro_redhat',` ++ # namespace.init ++ files_search_tmp($1) ++ files_search_home($1) ++ corecmd_exec_bin($1) ++ seutil_domtrans_setfiles($1) ++ ') +') + +######################################## +## -+## Do not audit attempts to write to all files ++## Unconfined access to files. +## +## +## -+## Domain to not audit. ++## Domain allowed access. 
+## +## +# -+interface(`files_dontaudit_write_all_files',` ++interface(`files_unconfined',` + gen_require(` -+ attribute file_type; ++ attribute files_unconfined_type; + ') + -+ dontaudit $1 file_type:dir_file_class_set write; ++ typeattribute $1 files_unconfined_type; +') + +######################################## +## -+## Allow domain to delete to all files ++## Create a core files in / +## ++## ++##

++## Create a core file in /, ++##

++##
+## +## -+## Domain to not audit. ++## Domain allowed access. +## +## ++## +# -+interface(`files_delete_all_non_security_files',` ++interface(`files_manage_root_files',` + gen_require(` -+ attribute non_security_file_type; ++ type root_t; + ') + -+ allow $1 non_security_file_type:dir del_entry_dir_perms; -+ allow $1 non_security_file_type:file_class_set delete_file_perms; ++ manage_files_pattern($1, root_t, root_t) +') + +######################################## +## -+## Transition named content in the var_run_t directory ++## Create a default directory +## ++## ++##

++## Create a default_t direcrory ++##

++##
+## -+## -+## Domain allowed access. -+## ++## ++## Domain allowed access. ++## +## ++## +# ++interface(`files_create_default_dir',` ++ gen_require(` ++ type default_t; ++ ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- filetrans_pattern($1, var_run_t, $2, $3, $4) ++ allow $1 default_t:dir create; + ') + + ######################################## + ## +-## Create a generic lock directory within the run directories ++## Create, default_t objects with an automatic ++## type transition. + ## + ## +-## +-## Domain allowed access ++## ++## Domain allowed access. + ## + ## +-## ++## + ## +-## The name of the object being created. ++## The class of the object being created. + ## + ## + # +-interface(`files_pid_filetrans_lock_dir',` +- gen_require(` +- type var_lock_t; +- ') ++interface(`files_root_filetrans_default',` ++ gen_require(` ++ type root_t, default_t; ++ ') + +- files_pid_filetrans($1, var_lock_t, dir, $2) ++ filetrans_pattern($1, root_t, default_t, $2) + ') + + ######################################## + ## +-## Read and write generic process ID files. ++## manage generic symbolic links ++## in the /var/run directory. + ## + ## + ## +@@ -6159,20 +8188,18 @@ interface(`files_pid_filetrans_lock_dir',` + ## + ## + # +-interface(`files_rw_generic_pids',` ++interface(`files_manage_generic_pids_symlinks',` + gen_require(` +- type var_t, var_run_t; ++ type var_run_t; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, var_run_t) +- rw_files_pattern($1, var_run_t, var_run_t) ++ manage_lnk_files_pattern($1,var_run_t,var_run_t) + ') + + ######################################## + ## +-## Do not audit attempts to get the attributes of +-## daemon runtime data files. ++## Do not audit attempts to getattr ++## all tmpfs files. 
+ ## + ## + ## +@@ -6180,19 +8207,17 @@ interface(`files_rw_generic_pids',` + ## + ## + # +-interface(`files_dontaudit_getattr_all_pids',` ++interface(`files_dontaudit_getattr_tmpfs_files',` + gen_require(` +- attribute pidfile; +- type var_run_t; ++ attribute tmpfsfile; + ') + +- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; +- dontaudit $1 pidfile:file getattr; ++ allow $1 tmpfsfile:file getattr; + ') + + ######################################## + ## +-## Do not audit attempts to write to daemon runtime data files. ++## Allow read write all tmpfs files + ## + ## + ## +@@ -6200,18 +8225,17 @@ interface(`files_dontaudit_getattr_all_pids',` + ## + ## + # +-interface(`files_dontaudit_write_all_pids',` ++interface(`files_rw_tmpfs_files',` + gen_require(` +- attribute pidfile; ++ attribute tmpfsfile; + ') + +- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; +- dontaudit $1 pidfile:file write; ++ allow $1 tmpfsfile:file { read write }; + ') + + ######################################## + ## +-## Do not audit attempts to ioctl daemon runtime data files. ++## Do not audit attempts to read security files + ## + ## + ## +@@ -6219,41 +8243,43 @@ interface(`files_dontaudit_write_all_pids',` + ## + ## + # +-interface(`files_dontaudit_ioctl_all_pids',` ++interface(`files_dontaudit_read_security_files',` + gen_require(` +- attribute pidfile; +- type var_run_t; ++ attribute security_file_type; + ') + +- dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; +- dontaudit $1 pidfile:file ioctl; ++ dontaudit $1 security_file_type:file read_file_perms; + ') + + ######################################## + ## +-## Read all process ID files. ++## rw any files inherited from another process + ## + ## + ## + ## Domain allowed access. + ## + ## +-## ++## ++## ++## Object type. 
++## ++## + # +-interface(`files_read_all_pids',` ++interface(`files_rw_all_inherited_files',` + gen_require(` +- attribute pidfile; +- type var_t, var_run_t; ++ attribute file_type; + ') + +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- list_dirs_pattern($1, var_t, pidfile) +- read_files_pattern($1, pidfile, pidfile) ++ allow $1 { file_type $2 }:file rw_inherited_file_perms; ++ allow $1 { file_type $2 }:fifo_file rw_inherited_fifo_file_perms; ++ allow $1 { file_type $2 }:sock_file rw_inherited_sock_file_perms; ++ allow $1 { file_type $2 }:chr_file rw_inherited_chr_file_perms; + ') + + ######################################## + ## +-## Delete all process IDs. ++## Allow any file point to be the entrypoint of this domain + ## + ## + ## +@@ -6262,67 +8288,55 @@ interface(`files_read_all_pids',` + ## + ## + # +-interface(`files_delete_all_pids',` ++interface(`files_entrypoint_all_files',` + gen_require(` +- attribute pidfile; +- type var_t, var_run_t; ++ attribute file_type; + ') +- +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- allow $1 var_run_t:dir rmdir; +- allow $1 var_run_t:lnk_file delete_lnk_file_perms; +- delete_files_pattern($1, pidfile, pidfile) +- delete_fifo_files_pattern($1, pidfile, pidfile) +- delete_sock_files_pattern($1, pidfile, { pidfile var_run_t }) ++ allow $1 file_type:file entrypoint; + ') + + ######################################## + ## +-## Delete all process ID directories. ++## Do not audit attempts to rw inherited file perms ++## of non security files. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. 
+ ## + ## + # +-interface(`files_delete_all_pid_dirs',` ++interface(`files_dontaudit_all_non_security_leaks',` + gen_require(` +- attribute pidfile; +- type var_t, var_run_t; ++ attribute non_security_file_type; + ') + +- allow $1 var_t:dir search_dir_perms; +- allow $1 var_run_t:lnk_file read_lnk_file_perms; +- delete_dirs_pattern($1, pidfile, pidfile) ++ dontaudit $1 non_security_file_type:file_class_set rw_inherited_file_perms; + ') + + ######################################## + ## +-## Create, read, write and delete all +-## var_run (pid) content ++## Do not audit attempts to read or write ++## all leaked files. + ## + ## + ## +-## Domain alloed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_manage_all_pids',` ++interface(`files_dontaudit_leaks',` + gen_require(` +- attribute pidfile; ++ attribute file_type; + ') + +- manage_dirs_pattern($1, pidfile, pidfile) +- manage_files_pattern($1, pidfile, pidfile) +- manage_lnk_files_pattern($1, pidfile, pidfile) ++ dontaudit $1 file_type:file rw_inherited_file_perms; ++ dontaudit $1 file_type:lnk_file { read }; + ') + + ######################################## + ## +-## Mount filesystems on all polyinstantiation +-## member directories. ++## Allow domain to create_file_ass all types + ## + ## + ## +@@ -6330,37 +8344,37 @@ interface(`files_manage_all_pids',` + ## + ## + # +-interface(`files_mounton_all_poly_members',` ++interface(`files_create_as_is_all_files',` + gen_require(` +- attribute polymember; ++ attribute file_type; ++ class kernel_service create_files_as; + ') + +- allow $1 polymember:dir mounton; ++ allow $1 file_type:kernel_service create_files_as; + ') + + ######################################## + ## +-## Search the contents of generic spool +-## directories (/var/spool). ++## Do not audit attempts to check the ++## access on all files + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. 
+ ## + ## + # +-interface(`files_search_spool',` ++interface(`files_dontaudit_all_access_check',` + gen_require(` +- type var_t, var_spool_t; ++ attribute file_type; + ') + +- search_dirs_pattern($1, var_t, var_spool_t) ++ dontaudit $1 file_type:dir_file_class_set audit_access; + ') + + ######################################## + ## +-## Do not audit attempts to search generic +-## spool directories. ++## Do not audit attempts to write to all files + ## + ## + ## +@@ -6368,132 +8382,206 @@ interface(`files_search_spool',` + ## + ## + # +-interface(`files_dontaudit_search_spool',` ++interface(`files_dontaudit_write_all_files',` + gen_require(` +- type var_spool_t; ++ attribute file_type; + ') + +- dontaudit $1 var_spool_t:dir search_dir_perms; ++ dontaudit $1 file_type:dir_file_class_set write; + ') + + ######################################## + ## +-## List the contents of generic spool +-## (/var/spool) directories. ++## Allow domain to delete to all files + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`files_list_spool',` ++interface(`files_delete_all_non_security_files',` + gen_require(` +- type var_t, var_spool_t; ++ attribute non_security_file_type; + ') + +- list_dirs_pattern($1, var_t, var_spool_t) ++ allow $1 non_security_file_type:dir del_entry_dir_perms; ++ allow $1 non_security_file_type:file_class_set delete_file_perms; + ') + + ######################################## + ## +-## Create, read, write, and delete generic +-## spool directories (/var/spool). ++## Allow domain to delete to all dirs + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. 
+ ## + ## + # +-interface(`files_manage_generic_spool_dirs',` ++interface(`files_delete_all_non_security_dirs',` + gen_require(` +- type var_t, var_spool_t; ++ attribute non_security_file_type; + ') + +- allow $1 var_t:dir search_dir_perms; +- manage_dirs_pattern($1, var_spool_t, var_spool_t) ++ allow $1 non_security_file_type:dir { del_entry_dir_perms delete_dir_perms }; + ') + + ######################################## + ## +-## Read generic spool files. ++## Transition named content in the var_run_t directory + ## + ## + ## +-## Domain allowed access. ++## Domain allowed access. + ## + ## + # +-interface(`files_read_generic_spool',` +interface(`files_filetrans_named_content',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + type etc_t; + type mnt_t; + type usr_t; + type tmp_t; + type var_t; + type var_run_t; ++ type var_lock_t; + type tmp_t; -+ ') -+ + ') + +- list_dirs_pattern($1, var_t, var_spool_t) +- read_files_pattern($1, var_spool_t, var_spool_t) + files_pid_filetrans($1, mnt_t, dir, "media") + files_root_filetrans($1, etc_runtime_t, file, ".readahead") + files_root_filetrans($1, etc_runtime_t, file, ".autorelabel") @@ -12459,6 +15242,8 @@ index 64ff4d7..2b01383 100644 + files_root_filetrans($1, usr_t, dir, "emul") + files_root_filetrans($1, var_t, dir, "srv") + files_root_filetrans($1, var_run_t, dir, "run") ++ files_root_filetrans($1, var_run_t, lnk_file, "run") ++ files_root_filetrans($1, var_lock_t, lnk_file, "lock") + files_root_filetrans($1, tmp_t, dir, "sandbox") + files_root_filetrans($1, tmp_t, dir, "tmp") + files_root_filetrans($1, var_t, dir, "nsr") 
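Review bot: `lock` only gets a `lnk_file` transition to `var_lock_t`, while `run` now has both the `dir` transition on the line above and the new `lnk_file` one; if a directory named `lock` can also be created in `/`, `files_root_filetrans($1, var_lock_t, dir, "lock")` would keep the two cases symmetrical, otherwise a short comment saying that only a symlink is expected there would explain the asymmetry. The `var_lock_t` requirement is satisfied by the `type var_lock_t;` added to this interface's `gen_require` earlier in the diff. The body of `files_filetrans_named_content` continues outside this hunk.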
@@ -12481,13 +15266,17 @@ index 64ff4d7..2b01383 100644 + files_etc_filetrans_etc_runtime($1, file, "iptables.save") + files_tmp_filetrans($1, tmp_t, dir, "tmp-inst") + files_var_filetrans($1, tmp_t, dir, "tmp") -+') -+ -+######################################## -+## ++ files_var_filetrans($1, var_run_t, dir, "run") + ') + + ######################################## + ## +-## Create, read, write, and delete generic +-## spool files. +## Make the specified type a +## base file. -+## + ## +-## +## +##

+## Identify file type as base file type. Tools will use this attribute, @@ -12495,35 +15284,51 @@ index 64ff4d7..2b01383 100644 +##

+##
+## -+## + ## +-## Domain allowed access. +## Type to be used as a base files. -+## -+## + ## + ## +## -+# + # +-interface(`files_manage_generic_spool',` +interface(`files_base_file',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute base_file_type; -+ ') + ') +- +- allow $1 var_t:dir search_dir_perms; +- manage_files_pattern($1, var_spool_t, var_spool_t) + files_type($1) + typeattribute $1 base_file_type; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create objects in the spool directory +-## with a private type with a type transition. +## Make the specified type a +## base read only file. -+## + ## +-## +-## +-## Domain allowed access. +-## +-## +-## +## +##

+## Make the specified type readable for all domains. +##

+##
+## -+## + ## +-## Type to which the created node will be transitioned. +## Type to be used as a base read only files. -+## -+## + ## + ## +-## +## +# +interface(`files_ro_base_file',` @@ -12539,10 +15344,13 @@ index 64ff4d7..2b01383 100644 +## Read all ro base files. +##
+## -+## + ## +-## Object class(es) (single or set including {}) for which this +-## the transition will occur. +## Domain allowed access. -+## -+## + ## + ## +-## +## +# +interface(`files_read_all_base_ro_files',` @@ -12560,58 +15368,108 @@ index 64ff4d7..2b01383 100644 +## Execute all base ro files. +##
+## -+## + ## +-## The name of the object being created. +## Domain allowed access. -+## -+## + ## + ## +## -+# + # +-interface(`files_spool_filetrans',` +interface(`files_exec_all_base_ro_files',` -+ gen_require(` + gen_require(` +- type var_t, var_spool_t; + attribute base_ro_file_type; -+ ') -+ + ') + +- allow $1 var_t:dir search_dir_perms; +- filetrans_pattern($1, var_spool_t, $2, $3, $4) + can_exec($1, base_ro_file_type) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Allow access to manage all polyinstantiated +-## directories on the system. +## Allow the specified domain to modify the systemd configuration of +## any file. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6501,53 +8589,17 @@ interface(`files_spool_filetrans',` + ## + ## + # +-interface(`files_polyinstantiate_all',` +interface(`files_config_all_files',` -+ gen_require(` + gen_require(` +- attribute polydir, polymember, polyparent; +- type poly_t; + attribute file_type; -+ ') -+ + ') + +- # Need to give access to /selinux/member +- selinux_compute_member($1) +- +- # Need sys_admin capability for mounting +- allow $1 self:capability { chown fsetid sys_admin fowner }; +- +- # Need to give access to the directories to be polyinstantiated +- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; +- +- # Need to give access to the polyinstantiated subdirectories +- allow $1 polymember:dir search_dir_perms; +- +- # Need to give access to parent directories where original +- # is remounted for polyinstantiation aware programs (like gdm) +- allow $1 polyparent:dir { getattr mounton }; +- +- # Need to give permission to create directories where applicable +- allow $1 self:process setfscreate; +- allow $1 polymember: dir { create setattr relabelto }; +- allow $1 polydir: dir { write add_name open }; +- allow $1 polyparent:dir { open read write remove_name add_name relabelfrom 
relabelto }; +- +- # Default type for mountpoints +- allow $1 poly_t:dir { create mounton }; +- fs_unmount_xattr_fs($1) +- +- fs_mount_tmpfs($1) +- fs_unmount_tmpfs($1) +- +- ifdef(`distro_redhat',` +- # namespace.init +- files_search_tmp($1) +- files_search_home($1) +- corecmd_exec_bin($1) +- seutil_domtrans_setfiles($1) +- ') + allow $1 file_type:service all_service_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Unconfined access to files. +## Get the status of etc_t files -+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## +@@ -6555,10 +8607,10 @@ interface(`files_polyinstantiate_all',` + ## + ## + # +-interface(`files_unconfined',` +interface(`files_status_etc',` -+ gen_require(` + gen_require(` +- attribute files_unconfined_type; + type etc_t; -+ ') -+ + ') + +- typeattribute $1 files_unconfined_type; + allow $1 etc_t:service status; -+') + ') diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te -index 148d87a..ccbcb66 100644 +index 148d87a..b5a89ba 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -5,12 +5,16 @@ policy_module(files, 1.17.5) @@ -12631,7 +15489,7 @@ index 148d87a..ccbcb66 100644 # For labeling types that are to be polyinstantiated attribute polydir; -@@ -48,28 +52,45 @@ attribute usercanread; +@@ -48,31 +52,46 @@ attribute usercanread; # type boot_t; files_mountpoint(boot_t) 
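Review bot: On the new side of the patch, `files_unconfined` and `files_polyinstantiate_all` are removed from files.if (the `-interface(...)` lines in this hunk) and replaced by `files_config_all_files` and `files_status_etc`, while `files_unconfined_type` is still declared and used by the `allow files_unconfined_type file_type:...` rules in files.te further down. Because this hunk is largely a re-alignment of the inner diff, the visible lines do not show whether dropping these interfaces is new in this commit or was already in the old patch; either way, any module that still calls `files_unconfined()` or `files_polyinstantiate_all()` will fail at build time unless they are re-added elsewhere, so a grep across the policy for both names is worth doing before this lands.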
@@ -12675,11 +15533,15 @@ index 148d87a..ccbcb66 100644 # generated during initialization. # -type etc_runtime_t; +-files_type(etc_runtime_t) +-#Temporarily in policy until FC5 dissappears +-typealias etc_runtime_t alias firstboot_rw_t; +type etc_runtime_t, configfile; - files_type(etc_runtime_t) - #Temporarily in policy until FC5 dissappears - typealias etc_runtime_t alias firstboot_rw_t; -@@ -81,6 +102,7 @@ typealias etc_runtime_t alias firstboot_rw_t; ++files_ro_base_file(etc_runtime_t) + + # + # file_t is the default type of a file that has not yet been +@@ -81,6 +100,7 @@ typealias etc_runtime_t alias firstboot_rw_t; # type file_t; files_mountpoint(file_t) @@ -12687,7 +15549,7 @@ index 148d87a..ccbcb66 100644 kernel_rootfs_mountpoint(file_t) sid file gen_context(system_u:object_r:file_t,s0) -@@ -89,6 +111,7 @@ sid file gen_context(system_u:object_r:file_t,s0) +@@ -89,6 +109,7 @@ sid file gen_context(system_u:object_r:file_t,s0) # are created # type home_root_t; @@ -12695,7 +15557,7 @@ index 148d87a..ccbcb66 100644 files_mountpoint(home_root_t) files_poly_parent(home_root_t) -@@ -96,12 +119,13 @@ files_poly_parent(home_root_t) +@@ -96,12 +117,13 @@ files_poly_parent(home_root_t) # lost_found_t is the type for the lost+found directories. # type lost_found_t; @@ -12710,7 +15572,7 @@ index 148d87a..ccbcb66 100644 files_mountpoint(mnt_t) # -@@ -123,6 +147,7 @@ files_type(readable_t) +@@ -123,6 +145,7 @@ files_type(readable_t) # root_t is the type for rootfs and the root directory. # type root_t; @@ -12718,7 +15580,7 @@ index 148d87a..ccbcb66 100644 files_mountpoint(root_t) files_poly_parent(root_t) kernel_rootfs_mountpoint(root_t) -@@ -133,52 +158,63 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0) +@@ -133,52 +156,63 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0) # type src_t; files_mountpoint(src_t) 
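Review bot: Dropping `typealias etc_runtime_t alias firstboot_rw_t;` removes a public alias, so any module still referencing `firstboot_rw_t` stops building; either grep the policy for the alias first or keep the typealias line alongside `files_ro_base_file(etc_runtime_t)`. The hunk also removes `files_type(etc_runtime_t)`, which is only safe if `files_ro_base_file` applies `files_type` itself the way `files_base_file` visibly does; the body of `files_ro_base_file` is not in this hunk, so confirm. Per its summary, `files_ro_base_file` makes the type readable by all domains, which widens read access to every `etc_runtime_t` file — a comment such as `# readable by every domain via base_ro_file_type` next to the call would record that this is intended.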
@@ -12782,7 +15644,7 @@ index 148d87a..ccbcb66 100644 files_pid_file(var_run_t) files_mountpoint(var_run_t) -@@ -186,7 +222,9 @@ files_mountpoint(var_run_t) +@@ -186,7 +220,9 @@ files_mountpoint(var_run_t) # var_spool_t is the type of /var/spool # type var_spool_t; @@ -12792,7 +15654,7 @@ index 148d87a..ccbcb66 100644 ######################################## # -@@ -225,10 +263,11 @@ fs_associate_tmpfs(tmpfsfile) +@@ -225,10 +261,11 @@ fs_associate_tmpfs(tmpfsfile) # Create/access any file in a labeled filesystem; allow files_unconfined_type file_type:{ file chr_file } ~execmod; allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *; @@ -14256,7 +17118,7 @@ index 8416beb..c6cd3eb 100644 + fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct") +') diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index 9e603f5..1198b51 100644 +index 9e603f5..3b8dd74 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -32,8 +32,11 @@ fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0); @@ -14279,12 +17141,13 @@ index 9e603f5..1198b51 100644 type bdev_t; fs_type(bdev_t) -@@ -63,12 +67,17 @@ fs_type(binfmt_misc_fs_t) +@@ -63,12 +67,18 @@ fs_type(binfmt_misc_fs_t) files_mountpoint(binfmt_misc_fs_t) genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0) +type oracleasmfs_t; +fs_type(oracleasmfs_t) ++dev_node(oracleasmfs_t) +files_mountpoint(oracleasmfs_t) +genfscon oracleasmfs / gen_context(system_u:object_r:oracleasmfs_t,s0) + @@ -14298,7 +17161,7 @@ index 9e603f5..1198b51 100644 fs_type(cgroup_t) files_type(cgroup_t) files_mountpoint(cgroup_t) -@@ -89,6 +98,11 @@ fs_noxattr_type(ecryptfs_t) +@@ -89,6 +99,11 @@ fs_noxattr_type(ecryptfs_t) files_mountpoint(ecryptfs_t) genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0) 
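Review bot: `dev_node(oracleasmfs_t)` gives a filesystem type the device-node attribute with no comment on why, and because `genfscon oracleasmfs /` labels every inode in the mount with `oracleasmfs_t`, every interface that grants access to all device nodes now also reaches those files. The type is at the same time `fs_type` and `files_mountpoint`, so it acts as filesystem, mountpoint and device node at once; a one-line comment stating which nodes under the mount need device-node treatment would document the reasoning and confirm the combination is intended.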
@@ -14310,7 +17173,7 @@ index 9e603f5..1198b51 100644 type futexfs_t; fs_type(futexfs_t) genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0) -@@ -97,6 +111,7 @@ type hugetlbfs_t; +@@ -97,6 +112,7 @@ type hugetlbfs_t; fs_type(hugetlbfs_t) files_mountpoint(hugetlbfs_t) fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); @@ -14318,7 +17181,7 @@ index 9e603f5..1198b51 100644 type ibmasmfs_t; fs_type(ibmasmfs_t) -@@ -119,12 +134,17 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) +@@ -119,12 +135,17 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) type nfsd_fs_t; fs_type(nfsd_fs_t) @@ -14336,7 +17199,7 @@ index 9e603f5..1198b51 100644 type ramfs_t; fs_type(ramfs_t) files_mountpoint(ramfs_t) -@@ -145,11 +165,6 @@ fs_type(spufs_t) +@@ -145,11 +166,6 @@ fs_type(spufs_t) genfscon spufs / gen_context(system_u:object_r:spufs_t,s0) files_mountpoint(spufs_t) @@ -14348,7 +17211,7 @@ index 9e603f5..1198b51 100644 type sysv_t; fs_noxattr_type(sysv_t) files_mountpoint(sysv_t) -@@ -167,6 +182,8 @@ type vxfs_t; +@@ -167,6 +183,8 @@ type vxfs_t; fs_noxattr_type(vxfs_t) files_mountpoint(vxfs_t) genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0) @@ -14357,7 +17220,7 @@ index 9e603f5..1198b51 100644 # # tmpfs_t is the type for tmpfs filesystems -@@ -176,6 +193,8 @@ fs_type(tmpfs_t) +@@ -176,6 +194,8 @@ fs_type(tmpfs_t) files_type(tmpfs_t) files_mountpoint(tmpfs_t) files_poly_parent(tmpfs_t) @@ -14366,7 +17229,7 @@ index 9e603f5..1198b51 100644 # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, -@@ -255,6 +274,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) +@@ -255,6 +275,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) 
@@ -14375,7 +17238,7 @@ index 9e603f5..1198b51 100644 files_mountpoint(removable_t) # -@@ -274,6 +295,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) +@@ -274,6 +296,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) @@ -14392,7 +17255,7 @@ index 7be4ddf..f7021a0 100644 + +/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if -index 649e458..d47750f 100644 +index 649e458..3270372 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',` @@ -14404,6 +17267,16 @@ index 649e458..d47750f 100644 ') ######################################## +@@ -762,8 +762,8 @@ interface(`kernel_manage_debugfs',` + ') + + manage_files_pattern($1, debugfs_t, debugfs_t) ++ manage_dirs_pattern($1,debugfs_t, debugfs_t) + read_lnk_files_pattern($1, debugfs_t, debugfs_t) +- list_dirs_pattern($1, debugfs_t, debugfs_t) + ') + + ######################################## @@ -786,6 +786,24 @@ interface(`kernel_mount_kvmfs',` ######################################## 
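Review bot: `manage_dirs_pattern($1,debugfs_t, debugfs_t)` is missing the space after `$1,` that every other pattern call in this interface has; `manage_dirs_pattern($1, debugfs_t, debugfs_t)`. Replacing `list_dirs_pattern` with `manage_dirs_pattern` also extends the interface from listing directories to creating and removing them under debugfs; that fits the `kernel_manage_debugfs` name, but the interface summary (outside this hunk) should say directories are managed too if it currently mentions only files.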
@@ -14470,7 +17343,59 @@ index 649e458..d47750f 100644 ') ######################################## -@@ -1477,6 +1510,24 @@ interface(`kernel_dontaudit_list_all_proc',` +@@ -1025,6 +1058,25 @@ interface(`kernel_write_proc_files',` + + ######################################## + ## ++## Do not audit attempts to check the ++## access on generic proc entries. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`kernel_dontaudit_access_check_proc',` ++ gen_require(` ++ type proc_t; ++ ') ++ ++ dontaudit $1 proc_t:dir_file_class_set audit_access; ++') ++ ++######################################## ++## + ## Do not audit attempts by caller to + ## read system state information in proc. + ## +@@ -1208,6 +1260,25 @@ interface(`kernel_read_messages',` + + ######################################## + ## ++## Allow caller to read kernel messages ++## using the /proc/kmsg interface. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`kernel_mounton_messages',` ++ gen_require(` ++ type proc_kmsg_t, proc_t; ++ ') ++ ++ allow $1 proc_kmsg_t:dir mounton; ++') ++ ++######################################## ++## + ## Allow caller to get the attributes of kernel message + ## interface (/proc/kmsg). + ## +@@ -1477,6 +1548,24 @@ interface(`kernel_dontaudit_list_all_proc',` ######################################## ## @@ -14495,7 +17420,7 @@ index 649e458..d47750f 100644 ## Do not audit attempts by caller to search ## the base directory of sysctls. ## -@@ -2085,7 +2136,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` +@@ -2085,7 +2174,7 @@ interface(`kernel_dontaudit_list_all_sysctls',` ') dontaudit $1 sysctl_type:dir list_dir_perms; @@ -14504,7 +17429,7 @@ index 649e458..d47750f 100644 ') ######################################## -@@ -2282,6 +2333,25 @@ interface(`kernel_list_unlabeled',` +@@ -2282,6 +2371,25 @@ interface(`kernel_list_unlabeled',` ######################################## ## 
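Review bot: The summary of `kernel_mounton_messages` says it allows reading kernel messages via /proc/kmsg, but the body only grants `allow $1 proc_kmsg_t:dir mounton;`; the summary should read `Allow caller to mount on the kernel message interface (/proc/kmsg).`. /proc/kmsg is a file rather than a directory, so the `dir` class looks wrong — if the intent is to mount over the file the rule would be `allow $1 proc_kmsg_t:file mounton;` (confirm against how `proc_kmsg_t` is labeled in kernel.te). `type proc_t` in the `gen_require` is not used by the body and can be dropped. The `kernel_dontaudit_access_check_proc` interface added in the same hunk reads consistently with its summary.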
@@ -14530,7 +17455,7 @@ index 649e458..d47750f 100644 ## Read the process state (/proc/pid) of all unlabeled_t. ## ## -@@ -2306,7 +2376,7 @@ interface(`kernel_read_unlabeled_state',` +@@ -2306,7 +2414,7 @@ interface(`kernel_read_unlabeled_state',` ##
## ## @@ -14539,7 +17464,7 @@ index 649e458..d47750f 100644 ## ## # -@@ -2488,6 +2558,24 @@ interface(`kernel_rw_unlabeled_blk_files',` +@@ -2488,6 +2596,24 @@ interface(`kernel_rw_unlabeled_blk_files',` ######################################## ## @@ -14564,7 +17489,7 @@ index 649e458..d47750f 100644 ## Do not audit attempts by caller to get attributes for ## unlabeled character devices. ## -@@ -2525,6 +2613,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` +@@ -2525,6 +2651,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',` ######################################## ## @@ -14589,7 +17514,7 @@ index 649e458..d47750f 100644 ## Allow caller to relabel unlabeled files. ## ## -@@ -2632,7 +2738,7 @@ interface(`kernel_sendrecv_unlabeled_association',` +@@ -2632,7 +2776,7 @@ interface(`kernel_sendrecv_unlabeled_association',` allow $1 unlabeled_t:association { sendto recvfrom }; # temporary hack until labeling on packets is supported @@ -14598,7 +17523,7 @@ index 649e458..d47750f 100644 ') ######################################## -@@ -2670,6 +2776,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` +@@ -2670,6 +2814,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',` ######################################## ## @@ -14623,7 +17548,7 @@ index 649e458..d47750f 100644 ## Receive TCP packets from an unlabeled connection. ## ## -@@ -2697,6 +2821,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` +@@ -2697,6 +2859,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',` ######################################## ## @@ -14649,7 +17574,7 @@ index 649e458..d47750f 100644 ## Do not audit attempts to receive TCP packets from an unlabeled ## connection. ## -@@ -2806,6 +2949,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` +@@ -2806,6 +2987,33 @@ interface(`kernel_raw_recvfrom_unlabeled',` allow $1 unlabeled_t:rawip_socket recvfrom; ') 
@@ -14683,7 +17608,7 @@ index 649e458..d47750f 100644 ######################################## ## -@@ -2961,6 +3131,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` +@@ -2961,6 +3169,24 @@ interface(`kernel_relabelfrom_unlabeled_database',` ######################################## ## @@ -14708,7 +17633,7 @@ index 649e458..d47750f 100644 ## Unconfined access to kernel module resources. ## ## -@@ -2975,5 +3163,300 @@ interface(`kernel_unconfined',` +@@ -2975,5 +3201,300 @@ interface(`kernel_unconfined',` ') typeattribute $1 kern_unconfined; @@ -15011,7 +17936,7 @@ index 649e458..d47750f 100644 + list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t) ') diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 6fac350..5a087a7 100644 +index 6fac350..cdc610d 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -25,6 +25,9 @@ attribute kern_unconfined; @@ -15192,18 +18117,19 @@ index 6fac350..5a087a7 100644 ') optional_policy(` -@@ -312,6 +368,10 @@ optional_policy(` +@@ -312,6 +368,11 @@ optional_policy(` ') optional_policy(` + plymouthd_create_log(kernel_t) ++ plymouthd_filetrans_named_content(kernel_t) +') + +optional_policy(` # nfs kernel server needs kernel UDP access. It is less risky and painful # to just give it everything. allow kernel_t self:tcp_socket create_stream_socket_perms; -@@ -332,9 +392,6 @@ optional_policy(` +@@ -332,9 +393,6 @@ optional_policy(` sysnet_read_config(kernel_t) @@ -15213,7 +18139,7 @@ index 6fac350..5a087a7 100644 rpc_udp_rw_nfs_sockets(kernel_t) tunable_policy(`nfs_export_all_ro',` -@@ -343,9 +400,7 @@ optional_policy(` +@@ -343,9 +401,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) 
@@ -15224,7 +18150,7 @@ index 6fac350..5a087a7 100644 ') tunable_policy(`nfs_export_all_rw',` -@@ -354,7 +409,7 @@ optional_policy(` +@@ -354,7 +410,7 @@ optional_policy(` fs_read_noxattr_fs_files(kernel_t) fs_read_noxattr_fs_symlinks(kernel_t) @@ -15233,7 +18159,7 @@ index 6fac350..5a087a7 100644 ') ') -@@ -367,6 +422,15 @@ optional_policy(` +@@ -367,6 +423,15 @@ optional_policy(` unconfined_domain_noaudit(kernel_t) ') @@ -15249,7 +18175,7 @@ index 6fac350..5a087a7 100644 ######################################## # # Unlabeled process local policy -@@ -409,4 +473,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *; +@@ -409,4 +474,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *; allow kern_unconfined unlabeled_t:filesystem *; allow kern_unconfined unlabeled_t:association *; allow kern_unconfined unlabeled_t:packet *; @@ -15763,10 +18689,18 @@ index 522ab32..cb9c3a2 100644 ') } diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc -index 54f1827..cc2de1a 100644 +index 54f1827..39faa3f 100644 --- a/policy/modules/kernel/storage.fc +++ b/policy/modules/kernel/storage.fc -@@ -23,12 +23,15 @@ +@@ -7,6 +7,7 @@ + /dev/n?tpqic[12].* -c gen_context(system_u:object_r:tape_device_t,s0) + /dev/[shmxv]d[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + /dev/aztcd -b gen_context(system_u:object_r:removable_device_t,s0) ++/dev/bcache[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) + /dev/bpcd -b gen_context(system_u:object_r:removable_device_t,s0) + /dev/bsg/.+ -c gen_context(system_u:object_r:scsi_generic_device_t,s0) + /dev/cdu.* -b gen_context(system_u:object_r:removable_device_t,s0) +@@ -23,12 +24,15 @@ /dev/ht[0-1] -b gen_context(system_u:object_r:tape_device_t,s0) /dev/hwcdrom -b gen_context(system_u:object_r:removable_device_t,s0) /dev/initrd -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) 
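Review bot: `/dev/bcache[0-9]+` only matches the whole-device nodes; partition nodes on a bcache device (named like `bcache0p1`) would keep the default label, whereas the neighbouring `/dev/[shmxv]d[^/]*` entry uses `[^/]*` precisely to cover partitions. `/dev/bcache[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)` follows the existing convention; if partitions are deliberately excluded, a comment saying so would help.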
@@ -15783,7 +18717,7 @@ index 54f1827..cc2de1a 100644 /dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/mtd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -@@ -51,7 +54,8 @@ ifdef(`distro_redhat', ` +@@ -51,7 +55,8 @@ ifdef(`distro_redhat', ` /dev/sjcd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/sonycd -b gen_context(system_u:object_r:removable_device_t,s0) /dev/tape.* -c gen_context(system_u:object_r:tape_device_t,s0) @@ -15793,7 +18727,7 @@ index 54f1827..cc2de1a 100644 /dev/ub[a-z][^/]+ -b gen_context(system_u:object_r:removable_device_t,mls_systemhigh) /dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/vd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) -@@ -81,3 +85,6 @@ ifdef(`distro_redhat', ` +@@ -81,3 +86,6 @@ ifdef(`distro_redhat', ` /lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) @@ -15801,7 +18735,7 @@ index 54f1827..cc2de1a 100644 +/usr/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) +/usr/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0) diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if -index 1700ef2..38b597e 100644 +index 1700ef2..13caedd 100644 --- a/policy/modules/kernel/storage.if +++ b/policy/modules/kernel/storage.if @@ -22,6 +22,26 @@ interface(`storage_getattr_fixed_disk_dev',` @@ -15930,7 +18864,7 @@ index 1700ef2..38b597e 100644 ######################################## ## ## Allow the caller to directly read -@@ -808,3 +892,401 @@ interface(`storage_unconfined',` +@@ -808,3 +892,452 @@ interface(`storage_unconfined',` typeattribute $1 storage_unconfined_type; ') 
@@ -16031,6 +18965,16 @@ index 1700ef2..38b597e 100644
+ dev_filetrans($1, removable_device_t, blk_file, "cm207")
+ dev_filetrans($1, removable_device_t, blk_file, "cm208")
+ dev_filetrans($1, removable_device_t, blk_file, "cm209")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache0")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache1")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache2")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache3")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache4")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache5")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache6")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache7")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache8")
++ dev_filetrans($1, fixed_disk_device_t, blk_file, "bcache9")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md0")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md1")
+ dev_filetrans($1, fixed_disk_device_t, blk_file, "md2")
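Review bot: The named transitions cover only `bcache0` through `bcache9`, while the `sg` list added in the next hunk of this file runs to `sg50`; named file transitions match the exact name, so `bcache10` and above, and any partition node, get no transition and keep whatever the unlisted default label is until a relabel. Either extend the list to the same depth as the `sg` entries or add `# only bcache0-9 get a named transition; higher indexes are not covered` above the block so the limit is recorded. The enclosing interface starts before this hunk and continues after it.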
@@ -16265,6 +19209,47 @@ index 1700ef2..38b597e 100644 + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg7") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg8") + dev_filetrans($1, scsi_generic_device_t, chr_file, "sg9") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg10") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg11") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg12") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg13") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg14") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg15") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg16") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg17") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg18") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg19") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg20") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg21") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg22") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg23") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg24") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg25") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg26") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg27") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg28") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg29") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg30") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg31") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg32") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg33") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg34") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg35") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg36") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg37") ++ dev_filetrans($1, 
scsi_generic_device_t, chr_file, "sg38") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg39") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg40") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg41") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg42") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg43") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg44") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg45") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg46") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg47") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg48") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg49") ++ dev_filetrans($1, scsi_generic_device_t, chr_file, "sg50") + dev_filetrans($1, removable_device_t, blk_file, "sr0") + dev_filetrans($1, removable_device_t, blk_file, "sr1") + dev_filetrans($1, removable_device_t, blk_file, "sr2") @@ -16347,16 +19332,17 @@ index 156c333..02f5a3c 100644 + dev_manage_generic_blk_files(fixed_disk_raw_write) +') diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc -index 7d45d15..22c9cfe 100644 +index 7d45d15..a3e5a1e 100644 --- a/policy/modules/kernel/terminal.fc +++ b/policy/modules/kernel/terminal.fc -@@ -14,11 +14,12 @@ +@@ -14,11 +14,13 @@ /dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0) -/dev/pts/ptmx -c gen_context(system_u:object_r:ptmx_t,s0) /dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) /dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) ++/dev/sclp_line[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0) /dev/tty -c gen_context(system_u:object_r:devtty_t,s0) /dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0) +/dev/ttyUSB[0-9]+ -c gen_context(system_u:object_r:usbtty_device_t,s0) 
@@ -16364,7 +19350,7 @@ index 7d45d15..22c9cfe 100644 /dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0) /dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0) -@@ -41,3 +42,7 @@ ifdef(`distro_gentoo',` +@@ -41,3 +43,7 @@ ifdef(`distro_gentoo',` # used by init scripts to initally populate udev /dev /lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0) ') @@ -16373,7 +19359,7 @@ index 7d45d15..22c9cfe 100644 + +/usr/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh) diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if -index 771bce1..5bbf50b 100644 +index 771bce1..e3722ab 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -124,7 +124,7 @@ interface(`term_user_tty',` @@ -16600,7 +19586,33 @@ index 771bce1..5bbf50b 100644 ## ## # -@@ -1259,7 +1376,47 @@ interface(`term_dontaudit_use_unallocated_ttys',` +@@ -1165,6 +1282,25 @@ interface(`term_relabel_unallocated_ttys',` + + ######################################## + ## ++## Mounton unallocated tty device nodes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`term_mounton_unallocated_ttys',` ++ gen_require(` ++ type tty_device_t; ++ ') ++ ++ allow $1 tty_device_t:chr_file mounton; ++') ++ ++######################################## ++## + ## Relabel from all user tty types to + ## the unallocated tty type. + ## +@@ -1259,7 +1395,47 @@ interface(`term_dontaudit_use_unallocated_ttys',` type tty_device_t; ') @@ -16649,7 +19661,7 @@ index 771bce1..5bbf50b 100644 ') ######################################## -@@ -1275,11 +1432,13 @@ interface(`term_dontaudit_use_unallocated_ttys',` +@@ -1275,11 +1451,13 @@ interface(`term_dontaudit_use_unallocated_ttys',` # interface(`term_getattr_all_ttys',` gen_require(` 
@@ -16663,7 +19675,7 @@ index 771bce1..5bbf50b 100644 ') ######################################## -@@ -1296,10 +1455,12 @@ interface(`term_getattr_all_ttys',` +@@ -1296,10 +1474,12 @@ interface(`term_getattr_all_ttys',` interface(`term_dontaudit_getattr_all_ttys',` gen_require(` attribute ttynode; @@ -16676,7 +19688,7 @@ index 771bce1..5bbf50b 100644 ') ######################################## -@@ -1377,7 +1538,27 @@ interface(`term_use_all_ttys',` +@@ -1377,7 +1557,27 @@ interface(`term_use_all_ttys',` ') dev_list_all_dev_nodes($1) @@ -16705,7 +19717,7 @@ index 771bce1..5bbf50b 100644 ') ######################################## -@@ -1396,7 +1577,7 @@ interface(`term_dontaudit_use_all_ttys',` +@@ -1396,7 +1596,7 @@ interface(`term_dontaudit_use_all_ttys',` attribute ttynode; ') @@ -16714,7 +19726,7 @@ index 771bce1..5bbf50b 100644 ') ######################################## -@@ -1504,7 +1685,7 @@ interface(`term_use_all_user_ttys',` +@@ -1504,7 +1704,7 @@ interface(`term_use_all_user_ttys',` ## ## ## @@ -16723,7 +19735,7 @@ index 771bce1..5bbf50b 100644 ## ## # -@@ -1512,3 +1693,436 @@ interface(`term_dontaudit_use_all_user_ttys',` +@@ -1512,3 +1712,436 @@ interface(`term_dontaudit_use_all_user_ttys',` refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.') term_dontaudit_use_all_ttys($1) ') @@ -17219,7 +20231,7 @@ index 0000000..48caabc +allow domain unlabeled_t:packet { send recv }; + diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te -index 834a065..c769f81 100644 +index 834a065..ff93697 100644 --- a/policy/modules/roles/auditadm.te +++ b/policy/modules/roles/auditadm.te @@ -7,7 +7,7 @@ policy_module(auditadm, 2.2.0) 
@@ -17231,10 +20243,12 @@ index 834a065..c769f81 100644 ######################################## # -@@ -22,16 +22,21 @@ corecmd_exec_shell(auditadm_t) +@@ -22,16 +22,23 @@ corecmd_exec_shell(auditadm_t) domain_kill_all_domains(auditadm_t) ++mls_file_read_all_levels(auditadm_t) ++ +selinux_read_policy(auditadm_t) + logging_send_syslog_msg(auditadm_t) @@ -17274,10 +20288,10 @@ index 3a45a3e..7499f24 100644 +allow logadm_t self:capability { dac_override dac_read_search kill sys_nice }; logging_admin(logadm_t, logadm_r) diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te -index da11120..d67bcca 100644 +index da11120..621ec5a 100644 --- a/policy/modules/roles/secadm.te +++ b/policy/modules/roles/secadm.te -@@ -7,8 +7,10 @@ policy_module(secadm, 2.4.0) +@@ -7,8 +7,11 @@ policy_module(secadm, 2.4.0) role secadm_r; @@ -17287,10 +20301,24 @@ index da11120..d67bcca 100644 +userdom_security_admin(secadm_t, secadm_r) +userdom_inherit_append_admin_home_files(secadm_t) +userdom_read_admin_home_files(secadm_t) ++userdom_manage_tmp_role(secadm_r, secadm_t) ######################################## # -@@ -30,8 +32,7 @@ mls_file_upgrade(secadm_t) +@@ -17,9 +20,12 @@ userdom_security_admin_template(secadm_t, secadm_r) + + allow secadm_t self:capability { dac_read_search dac_override }; + ++kernel_read_system_state(secadm_t) ++ + corecmd_exec_shell(secadm_t) + + dev_relabel_all_dev_nodes(secadm_t) ++dev_read_urand(secadm_t) + + domain_obj_id_change_exemption(secadm_t) + +@@ -30,8 +36,7 @@ mls_file_upgrade(secadm_t) mls_file_downgrade(secadm_t) auth_role(secadm_r, secadm_t) @@ -17311,7 +20339,7 @@ index 234a940..d340f20 100644 ######################################## ## diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 5da7870..4f46291 100644 +index 5da7870..5247b99 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,71 @@ policy_module(staff, 2.3.1) 
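Review bot: `mls_file_read_all_levels(auditadm_t)` is added with no comment, and by its name it exempts auditadm_t from the MLS read-down constraint on files, which is a broader grant than the neighbouring `selinux_read_policy(auditadm_t)`. Privileged grants in this policy normally say what needs them, so put the concrete reason above the line, e.g. `# MLS override: auditadm reads audit logs labelled at any level -- TODO confirm`, so a later reviewer can judge whether a narrower interface would do. The surrounding auditadm_t block continues outside this hunk.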
@@ -17386,7 +20414,7 @@ index 5da7870..4f46291 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -23,11 +82,110 @@ optional_policy(` +@@ -23,11 +82,114 @@ optional_policy(` ') optional_policy(` @@ -17431,6 +20459,10 @@ index 5da7870..4f46291 100644 +') + +optional_policy(` ++ freqset_run(staff_t, staff_r) ++') ++ ++optional_policy(` + gnome_role(staff_r, staff_t) +') + @@ -17498,7 +20530,7 @@ index 5da7870..4f46291 100644 ') optional_policy(` -@@ -35,15 +193,31 @@ optional_policy(` +@@ -35,15 +197,31 @@ optional_policy(` ') optional_policy(` @@ -17532,7 +20564,7 @@ index 5da7870..4f46291 100644 ') optional_policy(` -@@ -52,10 +226,55 @@ optional_policy(` +@@ -52,11 +230,61 @@ optional_policy(` ') optional_policy(` @@ -17577,6 +20609,10 @@ index 5da7870..4f46291 100644 ') optional_policy(` ++ vmtools_run_helper(staff_t, staff_r) ++') ++ ++optional_policy(` + vnstatd_read_lib_files(staff_t) +') + @@ -17586,9 +20622,11 @@ index 5da7870..4f46291 100644 + +optional_policy(` xserver_role(staff_r, staff_t) ++ xserver_read_log(staff_t) ') -@@ -65,10 +284,6 @@ ifndef(`distro_redhat',` + ifndef(`distro_redhat',` +@@ -65,10 +293,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -17599,7 +20637,7 @@ index 5da7870..4f46291 100644 cdrecord_role(staff_r, staff_t) ') -@@ -78,10 +293,6 @@ ifndef(`distro_redhat',` +@@ -78,10 +302,6 @@ ifndef(`distro_redhat',` optional_policy(` dbus_role_template(staff, staff_r, staff_t) @@ -17610,7 +20648,7 @@ index 5da7870..4f46291 100644 ') optional_policy(` -@@ -101,10 +312,6 @@ ifndef(`distro_redhat',` +@@ -101,10 +321,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -17621,7 +20659,7 @@ index 5da7870..4f46291 100644 java_role(staff_r, staff_t) ') -@@ -125,10 +332,6 @@ ifndef(`distro_redhat',` +@@ -125,10 +341,6 @@ ifndef(`distro_redhat',` ') optional_policy(` 
@@ -17632,7 +20670,7 @@ index 5da7870..4f46291 100644 pyzor_role(staff_r, staff_t) ') -@@ -141,10 +344,6 @@ ifndef(`distro_redhat',` +@@ -141,10 +353,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -17643,7 +20681,7 @@ index 5da7870..4f46291 100644 spamassassin_role(staff_r, staff_t) ') -@@ -176,3 +375,22 @@ ifndef(`distro_redhat',` +@@ -176,3 +384,22 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -17695,7 +20733,7 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 88d0028..f520b74 100644 +index 88d0028..4a77968 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -5,39 +5,85 @@ policy_module(sysadm, 2.5.1) @@ -18204,7 +21242,7 @@ index 88d0028..f520b74 100644 dbus_role_template(sysadm, sysadm_r, sysadm_t) optional_policy(` -@@ -463,15 +575,75 @@ ifndef(`distro_redhat',` +@@ -463,15 +575,79 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -18271,6 +21309,10 @@ index 88d0028..f520b74 100644 + userhelper_role_template(sysadm, sysadm_r, sysadm_t) + ') + ++ optional_policy(` ++ vmtools_run_helper(sysadm_t, sysadm_r) ++ ') ++ + optional_policy(` + vmware_role(sysadm_r, sysadm_t) + ') @@ -18344,11 +21386,11 @@ index 0000000..0e8654b +/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0) diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if new file mode 100644 -index 0000000..cf6582f +index 0000000..b1163a6 --- /dev/null +++ b/policy/modules/roles/unconfineduser.if -@@ -0,0 +1,613 @@ -+## Unconfiend user role +@@ -0,0 +1,637 @@ ++## Unconfined user role + +######################################## +## 
@@ -18961,12 +22003,36 @@ index 0000000..cf6582f + allow $1 self:tun_socket relabelto; +') + ++######################################## ++## ++## Allow domain to transition to unconfined_t user ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`unconfined_transition',` ++ gen_require(` ++ type unconfined_t; ++ ') ++ ++ domtrans_pattern($1,$2,unconfined_t) ++ allow unconfined_t $2:file entrypoint; ++ allow $1 unconfined_t:process signal_perms; ++') diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..539c163 +index 0000000..b126e2b --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,328 @@ +@@ -0,0 +1,332 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -19127,6 +22193,10 @@ index 0000000..539c163 + sandbox_x_transition(unconfined_t, unconfined_r) + ') + ++ optional_policy(` ++ vmtools_run_helper(unconfined_t, unconfined_r) ++ ') ++ + optional_policy(` + gen_require(` + type user_tmpfs_t; @@ -19306,7 +22376,7 @@ index 3835596..fbca2be 100644 ######################################## ## diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index cdfddf4..ad1f001 100644 +index cdfddf4..c3271fb 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -1,5 +1,12 @@ @@ -19314,7 +22384,7 @@ index cdfddf4..ad1f001 100644 +## +##
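Review bot: In the new `unconfined_transition` interface both parameters are documented as `Domain allowed access.`, but `$2` is used as the executable type in `domtrans_pattern($1,$2,unconfined_t)` and in `allow unconfined_t $2:file entrypoint;`, so the second description should read `## Type of the executable used as the entry point into unconfined_t.`. Because every caller adds another entry point into the unconfined domain, the summary should state that, e.g. `## Transition to unconfined_t through the given entrypoint type; each caller widens the set of executables that reach unconfined_t.`. Style: the rest of the file writes pattern calls as `domtrans_pattern($1, $2, unconfined_t)` with spaces after the commas.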

-+## Allow unprivledged user to create and transition to svirt domains. ++## Allow unprivileged user to create and transition to svirt domains. +##

+##
+gen_tunable(unprivuser_use_svirt, false) @@ -19322,7 +22392,7 @@ index cdfddf4..ad1f001 100644 # this module should be named user, but that is # a compile error since user is a keyword. -@@ -12,12 +19,100 @@ role user_r; +@@ -12,12 +19,102 @@ role user_r; userdom_unpriv_user_template(user) @@ -19335,6 +22405,8 @@ index cdfddf4..ad1f001 100644 +storage_read_scsi_generic(user_t) +storage_write_scsi_generic(user_t) + ++seutil_read_module_store(user_t) ++ +init_dbus_chat(user_t) +init_status(user_t) + @@ -19424,7 +22496,7 @@ index cdfddf4..ad1f001 100644 ') optional_policy(` -@@ -25,6 +120,18 @@ optional_policy(` +@@ -25,6 +122,18 @@ optional_policy(` ') optional_policy(` @@ -19443,7 +22515,7 @@ index cdfddf4..ad1f001 100644 vlock_run(user_t, user_r) ') -@@ -102,10 +209,6 @@ ifndef(`distro_redhat',` +@@ -102,10 +211,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -19454,7 +22526,7 @@ index cdfddf4..ad1f001 100644 postgresql_role(user_r, user_t) ') -@@ -128,7 +231,6 @@ ifndef(`distro_redhat',` +@@ -128,7 +233,6 @@ ifndef(`distro_redhat',` optional_policy(` ssh_role_template(user, user_r, user_t) ') @@ -19462,11 +22534,15 @@ index cdfddf4..ad1f001 100644 optional_policy(` su_role_template(user, user_r, user_t) ') -@@ -161,3 +263,15 @@ ifndef(`distro_redhat',` +@@ -161,3 +265,19 @@ ifndef(`distro_redhat',` wireshark_role(user_r, user_t) ') ') + ++optional_policy(` ++ vmtools_run_helper(user_t, user_r) ++') ++ + +optional_policy(` + virt_transition_svirt(user_t, user_r) @@ -19843,7 +22919,7 @@ index 9d2f311..9e87525 100644 + postgresql_filetrans_named_content($1) ') diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te -index 346d011..3e23acb 100644 +index 346d011..19dfc1f 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -19,25 +19,32 @@ gen_require(` 
@@ -19917,7 +22993,13 @@ index 346d011..3e23acb 100644 manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t) logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir }) -@@ -304,7 +313,6 @@ kernel_list_proc(postgresql_t) +@@ -299,12 +308,12 @@ manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run + files_pid_filetrans(postgresql_t, postgresql_var_run_t, { dir file }) + + kernel_read_kernel_sysctls(postgresql_t) ++kernel_read_network_state(postgresql_t) + kernel_read_system_state(postgresql_t) + kernel_list_proc(postgresql_t) kernel_read_all_sysctls(postgresql_t) kernel_read_proc_symlinks(postgresql_t) @@ -19925,7 +23007,7 @@ index 346d011..3e23acb 100644 corenet_all_recvfrom_netlabel(postgresql_t) corenet_tcp_sendrecv_generic_if(postgresql_t) corenet_udp_sendrecv_generic_if(postgresql_t) -@@ -342,8 +350,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t) +@@ -342,8 +351,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t) domain_use_interactive_fds(postgresql_t) files_dontaudit_search_home(postgresql_t) @@ -19935,15 +23017,19 @@ index 346d011..3e23acb 100644 files_read_etc_runtime_files(postgresql_t) files_read_usr_files(postgresql_t) -@@ -354,7 +361,6 @@ init_read_utmp(postgresql_t) +@@ -354,20 +362,28 @@ init_read_utmp(postgresql_t) logging_send_syslog_msg(postgresql_t) logging_send_audit_msgs(postgresql_t) -miscfiles_read_localization(postgresql_t) - +- seutil_libselinux_linked(postgresql_t) seutil_read_default_contexts(postgresql_t) -@@ -364,10 +370,18 @@ userdom_dontaudit_search_user_home_dirs(postgresql_t) + ++sysnet_use_ldap(postgresql_t) ++ + userdom_dontaudit_use_unpriv_user_fds(postgresql_t) + userdom_dontaudit_search_user_home_dirs(postgresql_t) userdom_dontaudit_use_user_terminals(postgresql_t) optional_policy(` 
@@ -19963,7 +23049,7 @@ index 346d011..3e23acb 100644 allow postgresql_t self:process execmem; ') -@@ -485,10 +499,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin +@@ -485,10 +501,52 @@ dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfin # It is always allowed to operate temporary objects for any database client. allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom }; @@ -20020,7 +23106,7 @@ index 346d011..3e23acb 100644 allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name }; ') -@@ -536,7 +592,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module; +@@ -536,7 +594,7 @@ allow sepgsql_admin_type sepgsql_module_type:db_database install_module; kernel_relabelfrom_unlabeled_database(sepgsql_admin_type) @@ -20029,7 +23115,7 @@ index 346d011..3e23acb 100644 allow sepgsql_admin_type sepgsql_database_type:db_database *; allow sepgsql_admin_type sepgsql_schema_type:db_schema *; -@@ -589,3 +645,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; +@@ -589,3 +647,17 @@ allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module; kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type) @@ -20096,7 +23182,7 @@ index 76d9f66..5c271ce 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index fe0c682..c0413e8 100644 +index fe0c682..e8dcfa7 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,11 @@ 
@@ -20347,7 +23433,7 @@ index fe0c682..c0413e8 100644 allow ssh_t $3:unix_stream_socket rw_socket_perms; allow ssh_t $3:unix_stream_socket connectto; + allow ssh_t $3:key manage_key_perms; -+ allow $3 ssh_t:key read; ++ allow $3 ssh_t:key { write search read view }; # user can manage the keys and config manage_files_pattern($3, ssh_home_t, ssh_home_t) @@ -20796,10 +23882,10 @@ index fe0c682..c0413e8 100644 + ps_process_pattern($1, sshd_t) +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 5fc0391..692569b 100644 +index 5fc0391..d6519a1 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te -@@ -6,43 +6,61 @@ policy_module(ssh, 2.3.3) +@@ -6,43 +6,62 @@ policy_module(ssh, 2.3.3) # ## @@ -20856,6 +23942,7 @@ index 5fc0391..692569b 100644 ssh_server_template(sshd) init_daemon_domain(sshd_t, sshd_exec_t) +mls_trusted_object(sshd_t) ++mls_process_write_all_levels(sshd_t) -type sshd_key_t; -files_type(sshd_key_t) @@ -20876,7 +23963,7 @@ index 5fc0391..692569b 100644 type ssh_t; type ssh_exec_t; -@@ -73,6 +91,11 @@ type ssh_home_t; +@@ -73,6 +92,11 @@ type ssh_home_t; typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t }; typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t }; userdom_user_home_content(ssh_home_t) @@ -20888,7 +23975,7 @@ index 5fc0391..692569b 100644 ############################## # -@@ -83,6 +106,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; +@@ -83,6 +107,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow ssh_t self:fd use; allow ssh_t self:fifo_file rw_fifo_file_perms; 
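Review bot: The replacement `allow $3 ssh_t:key { write search read view };` in ssh_role_template widens the user domain's access to ssh_t's keyring from read to write, and the only nearby comment (`# user can manage the keys and config`) refers to the ssh_home_t files below it, not to this key grant. Add a comment naming the operation that needs `write`, e.g. `# $3 needs write on the ssh_t keyring for <operation> -- TODO fill in`, and drop `write` if read/search/view turn out to be enough. The enclosing template body continues outside this hunk.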
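Review bot: `mls_process_write_all_levels(sshd_t)` is added beside the existing `mls_trusted_object(sshd_t)` without a comment; by its name it exempts sshd_t from the MLS constraint on process-class writes at every level, which is a significant privilege for a network-facing daemon. The grant should carry a comment stating the concrete operation it serves, e.g. `# sshd manages user sessions running at other MLS levels -- TODO confirm which process permission is needed`, so the next reviewer can judge whether a narrower interface would suffice.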
@@ -20896,7 +23983,7 @@ index 5fc0391..692569b 100644 allow ssh_t self:unix_dgram_socket { create_socket_perms sendto }; allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow ssh_t self:shm create_shm_perms; -@@ -90,15 +114,11 @@ allow ssh_t self:sem create_sem_perms; +@@ -90,15 +115,11 @@ allow ssh_t self:sem create_sem_perms; allow ssh_t self:msgq create_msgq_perms; allow ssh_t self:msg { send receive }; allow ssh_t self:tcp_socket create_stream_socket_perms; @@ -20913,7 +24000,7 @@ index 5fc0391..692569b 100644 manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) -@@ -107,33 +127,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } +@@ -107,33 +128,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file } manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) @@ -20961,7 +24048,7 @@ index 5fc0391..692569b 100644 dev_read_urand(ssh_t) fs_getattr_all_fs(ssh_t) -@@ -154,40 +183,46 @@ files_read_var_files(ssh_t) +@@ -154,40 +184,46 @@ files_read_var_files(ssh_t) logging_send_syslog_msg(ssh_t) logging_read_generic_logs(ssh_t) @@ -21027,7 +24114,7 @@ index 5fc0391..692569b 100644 ') optional_policy(` -@@ -195,6 +230,7 @@ optional_policy(` +@@ -195,6 +231,7 @@ optional_policy(` xserver_domtrans_xauth(ssh_t) ') @@ -21035,7 +24122,7 @@ index 5fc0391..692569b 100644 ############################## # # ssh_keysign_t local policy -@@ -206,6 +242,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms; +@@ -206,6 +243,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms; allow ssh_keysign_t sshd_key_t:file { getattr read }; dev_read_urand(ssh_keysign_t) 
@@ -21043,7 +24130,7 @@ index 5fc0391..692569b 100644 files_read_etc_files(ssh_keysign_t) -@@ -223,33 +260,54 @@ optional_policy(` +@@ -223,33 +261,55 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -21056,12 +24143,13 @@ index 5fc0391..692569b 100644 kernel_search_key(sshd_t) kernel_link_key(sshd_t) - ++kernel_read_net_sysctls(sshd_t) ++ +files_search_all(sshd_t) + +fs_search_cgroup_dirs(sshd_t) +fs_rw_cgroup_files(sshd_t) -+ + term_use_all_ptys(sshd_t) term_setattr_all_ptys(sshd_t) +term_setattr_all_ttys(sshd_t) @@ -21107,7 +24195,7 @@ index 5fc0391..692569b 100644 ') optional_policy(` -@@ -257,11 +315,28 @@ optional_policy(` +@@ -257,11 +317,28 @@ optional_policy(` ') optional_policy(` @@ -21137,7 +24225,7 @@ index 5fc0391..692569b 100644 ') optional_policy(` -@@ -269,6 +344,10 @@ optional_policy(` +@@ -269,6 +346,10 @@ optional_policy(` ') optional_policy(` @@ -21148,7 +24236,7 @@ index 5fc0391..692569b 100644 rpm_use_script_fds(sshd_t) ') -@@ -279,13 +358,93 @@ optional_policy(` +@@ -279,13 +360,93 @@ optional_policy(` ') optional_policy(` @@ -21242,7 +24330,7 @@ index 5fc0391..692569b 100644 ######################################## # # ssh_keygen local policy -@@ -294,19 +453,29 @@ optional_policy(` +@@ -294,19 +455,29 @@ optional_policy(` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -21273,7 +24361,7 @@ index 5fc0391..692569b 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -323,6 +492,12 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -323,6 +494,12 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) 
@@ -21286,7 +24374,7 @@ index 5fc0391..692569b 100644 optional_policy(` seutil_sigchld_newrole(ssh_keygen_t) -@@ -331,3 +506,140 @@ optional_policy(` +@@ -331,3 +508,140 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') @@ -21428,7 +24516,7 @@ index 5fc0391..692569b 100644 + xserver_rw_xdm_pipes(ssh_agent_type) +') diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc -index d1f64a0..9a5dab5 100644 +index d1f64a0..7acda6c 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc @@ -2,13 +2,35 @@ @@ -21490,7 +24578,7 @@ index d1f64a0..9a5dab5 100644 /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) /etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0) -@@ -46,26 +76,32 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) +@@ -46,26 +76,34 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) # /tmp # @@ -21519,6 +24607,8 @@ index d1f64a0..9a5dab5 100644 +/usr/s?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0) +/usr/s?bin/[mxgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0) + ++/usr/bin/sddm -- gen_context(system_u:object_r:xdm_exec_t,s0) ++/usr/bin/sddm-greeter -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0) /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0) +/usr/bin/razor-lightdm-.* -- gen_context(system_u:object_r:xdm_exec_t,s0) 
@@ -21532,12 +24622,13 @@ index d1f64a0..9a5dab5 100644 /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) -@@ -92,25 +128,49 @@ ifndef(`distro_debian',` +@@ -92,25 +130,50 @@ ifndef(`distro_debian',` /var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) -/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) +/var/lib/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) ++/var/lib/lightdm-data(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) +/var/lib/[mxkwg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0) +/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0) @@ -21553,7 +24644,7 @@ index d1f64a0..9a5dab5 100644 +/var/log/lightdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) +/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0) +/var/log/mdm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0) -+/var/log/slim\.log -- gen_context(system_u:object_r:xdm_log_t,s0) ++/var/log/slim\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0) /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0) +/var/log/nvidia-installer\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) @@ -21588,7 +24679,7 @@ index d1f64a0..9a5dab5 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 6bf0ecc..5a7e2a4 100644 +index 6bf0ecc..0d55916 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -18,100 +18,37 @@ 
@@ -22323,10 +25414,30 @@ index 6bf0ecc..5a7e2a4 100644 ') ######################################## -@@ -1004,6 +1230,64 @@ interface(`xserver_read_xkb_libs',` +@@ -1004,6 +1230,84 @@ interface(`xserver_read_xkb_libs',` ######################################## ## ++## Manage X keyboard extension libraries. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_manage_xkb_libs',` ++ gen_require(` ++ type xkb_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ allow $1 xkb_var_lib_t:dir list_dir_perms; ++ manage_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) ++') ++ ++######################################## ++## +## dontaudit access checks X keyboard extension libraries. +## +## @@ -22388,7 +25499,7 @@ index 6bf0ecc..5a7e2a4 100644 ## Read xdm temporary files. ##
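Review bot: The new `xserver_manage_xkb_libs` grants `manage_files_pattern` on xkb_var_lib_t but only `list_dir_perms` on its directories, so the interface name and its summary `## Manage X keyboard extension libraries.` promise more than the body allows: a caller cannot create or remove directories. Either replace the `allow $1 xkb_var_lib_t:dir list_dir_perms;` line with `manage_dirs_pattern($1, xkb_var_lib_t, xkb_var_lib_t)`, or narrow the summary to `## Manage files within the X keyboard extension library directories.` so the smaller grant is visibly deliberate.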
## -@@ -1017,7 +1301,7 @@ interface(`xserver_read_xdm_tmp_files',` +@@ -1017,7 +1321,7 @@ interface(`xserver_read_xdm_tmp_files',` type xdm_tmp_t; ') @@ -22397,7 +25508,7 @@ index 6bf0ecc..5a7e2a4 100644 read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') -@@ -1079,6 +1363,42 @@ interface(`xserver_manage_xdm_tmp_files',` +@@ -1079,6 +1383,42 @@ interface(`xserver_manage_xdm_tmp_files',` ######################################## ## @@ -22440,7 +25551,7 @@ index 6bf0ecc..5a7e2a4 100644 ## Do not audit attempts to get the attributes of ## xdm temporary named sockets. ## -@@ -1093,7 +1413,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` +@@ -1093,7 +1433,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` type xdm_tmp_t; ') @@ -22449,7 +25560,7 @@ index 6bf0ecc..5a7e2a4 100644 ') ######################################## -@@ -1111,8 +1431,10 @@ interface(`xserver_domtrans',` +@@ -1111,8 +1451,10 @@ interface(`xserver_domtrans',` type xserver_t, xserver_exec_t; ') @@ -22461,7 +25572,7 @@ index 6bf0ecc..5a7e2a4 100644 ') ######################################## -@@ -1210,6 +1532,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',` +@@ -1210,6 +1552,25 @@ interface(`xserver_dontaudit_rw_stream_sockets',` ######################################## ## @@ -22487,7 +25598,7 @@ index 6bf0ecc..5a7e2a4 100644 ## Connect to the X server over a unix domain ## stream socket. ## -@@ -1226,6 +1567,26 @@ interface(`xserver_stream_connect',` +@@ -1226,6 +1587,26 @@ interface(`xserver_stream_connect',` files_search_tmp($1) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) @@ -22514,7 +25625,7 @@ index 6bf0ecc..5a7e2a4 100644 ') ######################################## -@@ -1251,7 +1612,7 @@ interface(`xserver_read_tmp_files',` +@@ -1251,7 +1632,7 @@ interface(`xserver_read_tmp_files',` ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the 
@@ -22523,7 +25634,7 @@ index 6bf0ecc..5a7e2a4 100644 ## ## ## -@@ -1261,13 +1622,27 @@ interface(`xserver_read_tmp_files',` +@@ -1261,13 +1642,27 @@ interface(`xserver_read_tmp_files',` # interface(`xserver_manage_core_devices',` gen_require(` @@ -22552,7 +25663,7 @@ index 6bf0ecc..5a7e2a4 100644 ') ######################################## -@@ -1284,10 +1659,624 @@ interface(`xserver_manage_core_devices',` +@@ -1284,10 +1679,643 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` @@ -23179,8 +26290,27 @@ index 6bf0ecc..5a7e2a4 100644 + + dontaudit $1 xserver_log_t:dir search_dir_perms; +') ++ ++######################################## ++## ++## Manage keys for xdm. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`xserver_rw_xdm_keys',` ++ gen_require(` ++ type xdm_t; ++ ') ++ ++ allow $1 xdm_t:key { read write }; ++') ++ diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 2696452..adbe339 100644 +index 2696452..5be1645 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,59 @@ gen_require(` @@ -23431,7 +26561,7 @@ index 2696452..adbe339 100644 ') ######################################## -@@ -247,48 +321,89 @@ tunable_policy(`use_samba_home_dirs',` +@@ -247,48 +321,90 @@ tunable_policy(`use_samba_home_dirs',` # Xauth local policy # @@ -23494,6 +26624,7 @@ index 2696452..adbe339 100644 +userdom_use_inherited_user_terminals(xauth_t) userdom_read_user_tmp_files(xauth_t) +userdom_read_all_users_state(xauth_t) ++userdom_search_user_home_dirs(xauth_t) +userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority") +userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-l") +userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-c") 
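Review bot: The summary of the new `xserver_rw_xdm_keys` interface says `## Manage keys for xdm.` while the body grants only `allow $1 xdm_t:key { read write };`, so the documentation overstates the access; `## Read and write the keyrings owned by xdm_t.` matches both the body and the `rw_` naming convention. Since `write` on the key class allows the caller to alter xdm's keyring contents, a one-line comment on which caller needs more than read would help the next maintainer judge the grant.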
@@ -23532,13 +26663,13 @@ index 2696452..adbe339 100644 ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) ssh_dontaudit_rw_tcp_sockets(xauth_t) -@@ -299,64 +414,109 @@ optional_policy(` +@@ -299,64 +415,109 @@ optional_policy(` # XDM Local policy # -allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service }; -allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate }; -+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service sys_ptrace }; ++allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service net_admin sys_ptrace }; +allow xdm_t self:capability2 { block_suspend }; +dontaudit xdm_t self:capability sys_admin; +tunable_policy(`deny_ptrace',`',` @@ -23652,7 +26783,7 @@ index 2696452..adbe339 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -365,20 +525,29 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -365,20 +526,30 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -23667,6 +26798,7 @@ index 2696452..adbe339 100644 +manage_lnk_files_pattern(xdm_t, xserver_log_t, xserver_log_t) manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t) -logging_log_filetrans(xdm_t, xserver_log_t, file) ++files_var_filetrans(xdm_t, xserver_log_t, dir, "gdm") kernel_read_system_state(xdm_t) +kernel_read_device_sysctls(xdm_t) 
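Review bot: `net_admin` is newly added to xdm_t's self:capability set with no comment, although this file's convention is to explain capability grants (the xserver_t block below has `# setuid/setgid for the wrapper program to change UID` and `# sys_rawio is for iopl access`). CAP_NET_ADMIN covers broad network configuration, more than a display manager obviously needs, so add a line such as `# net_admin: required by <operation> -- TODO confirm` above the allow, or scope the grant under a tunable if it only serves an optional component. `sys_ptrace` was already present in the previous version of this line, so only `net_admin` is new here.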
@@ -23684,7 +26816,7 @@ index 2696452..adbe339 100644 corenet_all_recvfrom_netlabel(xdm_t) corenet_tcp_sendrecv_generic_if(xdm_t) corenet_udp_sendrecv_generic_if(xdm_t) -@@ -388,38 +557,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -388,38 +559,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -23738,7 +26870,7 @@ index 2696452..adbe339 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -430,9 +610,28 @@ files_list_mnt(xdm_t) +@@ -430,9 +612,28 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -23767,7 +26899,7 @@ index 2696452..adbe339 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -441,28 +640,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -441,28 +642,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -23816,7 +26948,7 @@ index 2696452..adbe339 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -471,24 +687,144 @@ userdom_read_user_home_content_files(xdm_t) +@@ -471,24 +689,151 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -23828,7 +26960,8 @@ index 2696452..adbe339 100644 + +#userdom_home_manager(xdm_t) +tunable_policy(`xdm_write_home',` -+ userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, file) ++ userdom_user_home_dir_filetrans(xdm_t, xdm_home_t, { file lnk_file }) ++ userdom_admin_home_dir_filetrans(xdm_t, xdm_home_t, { file lnk_file }) +',` + userdom_user_home_dir_filetrans_user_home_content(xdm_t, { dir file lnk_file fifo_file sock_file }) +') 
@@ -23838,12 +26971,14 @@ index 2696452..adbe339 100644 + fs_manage_nfs_dirs(xdm_t) + fs_manage_nfs_files(xdm_t) + fs_manage_nfs_symlinks(xdm_t) ++ fs_append_nfs_files(xdm_t) +') + +tunable_policy(`use_samba_home_dirs',` + fs_manage_cifs_dirs(xdm_t) + fs_manage_cifs_files(xdm_t) + fs_manage_cifs_symlinks(xdm_t) ++ fs_append_cifs_files(xdm_t) +') + +tunable_policy(`use_fusefs_home_dirs',` @@ -23901,6 +27036,10 @@ index 2696452..adbe339 100644 +') + +optional_policy(` ++ remotelogin_signull(xdm_t) ++') ++ ++optional_policy(` + spamassassin_filetrans_home_content(xdm_t) + spamassassin_filetrans_admin_home_content(xdm_t) +') @@ -23967,7 +27106,7 @@ index 2696452..adbe339 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,11 +838,26 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,11 +847,26 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -23994,7 +27133,7 @@ index 2696452..adbe339 100644 ') optional_policy(` -@@ -514,12 +865,57 @@ optional_policy(` +@@ -514,12 +874,57 @@ optional_policy(` ') optional_policy(` @@ -24052,7 +27191,7 @@ index 2696452..adbe339 100644 hostname_exec(xdm_t) ') -@@ -537,28 +933,78 @@ optional_policy(` +@@ -537,28 +942,78 @@ optional_policy(` ') optional_policy(` @@ -24140,7 +27279,7 @@ index 2696452..adbe339 100644 ') optional_policy(` -@@ -570,6 +1016,14 @@ optional_policy(` +@@ -570,6 +1025,14 @@ optional_policy(` ') optional_policy(` @@ -24155,7 +27294,7 @@ index 2696452..adbe339 100644 xfs_stream_connect(xdm_t) ') -@@ -584,7 +1038,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; +@@ -584,7 +1047,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; 
@@ -24164,7 +27303,7 @@ index 2696452..adbe339 100644 # setuid/setgid for the wrapper program to change UID # sys_rawio is for iopl access - should not be needed for frame-buffer -@@ -594,8 +1048,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -594,8 +1057,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -24177,7 +27316,7 @@ index 2696452..adbe339 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -608,8 +1065,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -608,8 +1074,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -24193,7 +27332,7 @@ index 2696452..adbe339 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -617,6 +1081,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -617,6 +1090,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) 
@@ -24204,7 +27343,7 @@ index 2696452..adbe339 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -628,12 +1096,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -628,12 +1105,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -24226,7 +27365,7 @@ index 2696452..adbe339 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -641,12 +1116,12 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -641,12 +1125,12 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -24240,7 +27379,7 @@ index 2696452..adbe339 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -667,23 +1142,28 @@ dev_rw_apm_bios(xserver_t) +@@ -667,23 +1151,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -24272,7 +27411,7 @@ index 2696452..adbe339 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -694,7 +1174,16 @@ fs_getattr_xattr_fs(xserver_t) +@@ -694,7 +1183,16 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -24290,7 +27429,7 @@ index 2696452..adbe339 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -708,20 +1197,18 @@ init_getpgid(xserver_t) +@@ -708,20 +1206,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) 
@@ -24314,7 +27453,7 @@ index 2696452..adbe339 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -729,8 +1216,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -729,8 +1225,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -24323,7 +27462,7 @@ index 2696452..adbe339 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -775,16 +1260,44 @@ optional_policy(` +@@ -775,16 +1269,44 @@ optional_policy(` ') optional_policy(` @@ -24369,7 +27508,7 @@ index 2696452..adbe339 100644 unconfined_domtrans(xserver_t) ') -@@ -793,6 +1306,10 @@ optional_policy(` +@@ -793,6 +1315,10 @@ optional_policy(` ') optional_policy(` @@ -24380,7 +27519,7 @@ index 2696452..adbe339 100644 xfs_stream_connect(xserver_t) ') -@@ -808,10 +1325,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -808,10 +1334,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -24394,7 +27533,7 @@ index 2696452..adbe339 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -819,7 +1336,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -819,7 +1345,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -24403,7 +27542,7 @@ index 2696452..adbe339 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -832,26 +1349,21 @@ init_use_fds(xserver_t) +@@ -832,26 +1358,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) 
@@ -24438,7 +27577,7 @@ index 2696452..adbe339 100644 ') optional_policy(` -@@ -902,7 +1414,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -902,7 +1423,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -24447,7 +27586,7 @@ index 2696452..adbe339 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -956,11 +1468,31 @@ allow x_domain self:x_resource { read write }; +@@ -956,11 +1477,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -24479,7 +27618,7 @@ index 2696452..adbe339 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -982,18 +1514,150 @@ tunable_policy(`! xserver_object_manager',` +@@ -982,18 +1523,150 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -24803,7 +27942,7 @@ index c6fdab7..af71c62 100644 sudo_sigchld(application_domain_type) ') diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc -index 28ad538..003b09a 100644 +index 28ad538..36fbb93 100644 --- a/policy/modules/system/authlogin.fc +++ b/policy/modules/system/authlogin.fc @@ -1,14 +1,28 @@ 
@@ -24839,7 +27978,7 @@ index 28ad538..003b09a 100644 /sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) /sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) /sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) -@@ -16,13 +30,24 @@ ifdef(`distro_suse', ` +@@ -16,13 +30,25 @@ ifdef(`distro_suse', ` /sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) ') @@ -24851,6 +27990,7 @@ index 28ad538..003b09a 100644 -/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0) +/usr/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0) +/usr/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_timestamp_exec_t,s0) ++/usr/sbin/pwhistory_helper -- gen_context(system_u:object_r:updpwd_exec_t,s0) +/usr/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0) +/usr/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0) +/usr/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0) @@ -24866,7 +28006,7 @@ index 28ad538..003b09a 100644 /var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) -@@ -30,20 +55,24 @@ ifdef(`distro_gentoo', ` +@@ -30,20 +56,24 @@ ifdef(`distro_gentoo', ` /var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) @@ -24896,7 +28036,7 @@ index 28ad538..003b09a 100644 -/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 3efd5b6..08c3e93 100644 +index 3efd5b6..c74d0d5 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -23,11 +23,17 @@ interface(`auth_role',` 
@@ -25465,7 +28605,7 @@ index 3efd5b6..08c3e93 100644 ') ######################################## -@@ -1767,11 +1989,13 @@ interface(`auth_relabel_login_records',` +@@ -1767,11 +1989,17 @@ interface(`auth_relabel_login_records',` ## # interface(`auth_use_nsswitch',` @@ -25479,10 +28619,14 @@ index 3efd5b6..08c3e93 100644 typeattribute $1 nsswitch_domain; + + corenet_all_recvfrom_netlabel($1) ++ ++ optional_policy(` ++ kerberos_keytab_domains($1) ++ ') ') ######################################## -@@ -1805,3 +2029,242 @@ interface(`auth_unconfined',` +@@ -1805,3 +2033,242 @@ interface(`auth_unconfined',` typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') @@ -25726,7 +28870,7 @@ index 3efd5b6..08c3e93 100644 + allow $1 login_pgm:process sigchld; +') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te -index 104037e..348e8cf 100644 +index 104037e..9b993c6 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.2) @@ -25923,15 +29067,19 @@ index 104037e..348e8cf 100644 miscfiles_read_generic_certs(pam_console_t) seutil_read_file_contexts(pam_console_t) -@@ -341,6 +362,7 @@ kernel_read_system_state(updpwd_t) +@@ -341,6 +362,11 @@ kernel_read_system_state(updpwd_t) dev_read_urand(updpwd_t) files_manage_etc_files(updpwd_t) +auth_manage_passwd(updpwd_t) ++ ++mls_file_read_all_levels(updpwd_t) ++mls_file_write_all_levels(updpwd_t) ++mls_file_downgrade(updpwd_t) term_dontaudit_use_console(updpwd_t) term_dontaudit_use_unallocated_ttys(updpwd_t) -@@ -350,9 +372,7 @@ auth_use_nsswitch(updpwd_t) +@@ -350,9 +376,7 @@ auth_use_nsswitch(updpwd_t) logging_send_syslog_msg(updpwd_t) 
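Review bot: The `auth_use_nsswitch` hunk adds `optional_policy(` kerberos_keytab_domains($1) ')` unconditionally, so every domain that resolves names through nsswitch is now made a Kerberos keytab domain. A keytab carries the host's long-term Kerberos key, so whatever `kerberos_keytab_domains` grants (presumably read access to keytab files; its body is not visible here) amounts to letting all of those domains act as the host principal, which is far more than name resolution requires. If the intent is to let sssd/krb5 client libraries find the host keytab for a handful of services, it should be added to those domains (or behind a tunable) rather than to the shared interface, and the line should carry a why-comment such as `# krb5 client libs read the host keytab during lookups -- TODO name the domains that actually need this`. The remainder of `auth_use_nsswitch` lies outside this hunk.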
@@ -25942,7 +29090,7 @@ index 104037e..348e8cf 100644 ifdef(`distro_ubuntu',` optional_policy(` -@@ -380,13 +400,15 @@ term_dontaudit_use_all_ttys(utempter_t) +@@ -380,13 +404,15 @@ term_dontaudit_use_all_ttys(utempter_t) term_dontaudit_use_all_ptys(utempter_t) term_dontaudit_use_ptmx(utempter_t) @@ -25959,7 +29107,7 @@ index 104037e..348e8cf 100644 # Allow utemper to write to /tmp/.xses-* userdom_write_user_tmp_files(utempter_t) -@@ -397,19 +419,29 @@ ifdef(`distro_ubuntu',` +@@ -397,19 +423,29 @@ ifdef(`distro_ubuntu',` ') optional_policy(` @@ -25993,7 +29141,7 @@ index 104037e..348e8cf 100644 files_list_var_lib(nsswitch_domain) # read /etc/nsswitch.conf -@@ -417,15 +449,21 @@ files_read_etc_files(nsswitch_domain) +@@ -417,15 +453,21 @@ files_read_etc_files(nsswitch_domain) sysnet_dns_name_resolve(nsswitch_domain) @@ -26017,7 +29165,7 @@ index 104037e..348e8cf 100644 ldap_stream_connect(nsswitch_domain) ') ') -@@ -438,6 +476,7 @@ optional_policy(` +@@ -438,6 +480,7 @@ optional_policy(` likewise_stream_connect_lsassd(nsswitch_domain) ') @@ -26025,7 +29173,7 @@ index 104037e..348e8cf 100644 optional_policy(` kerberos_use(nsswitch_domain) ') -@@ -456,6 +495,8 @@ optional_policy(` +@@ -456,10 +499,145 @@ optional_policy(` optional_policy(` sssd_stream_connect(nsswitch_domain) @@ -26034,7 +29182,8 @@ index 104037e..348e8cf 100644 ') optional_policy(` -@@ -463,3 +504,133 @@ optional_policy(` + samba_stream_connect_winbind(nsswitch_domain) ++ samba_stream_connect_nmbd(nsswitch_domain) samba_read_var_files(nsswitch_domain) samba_dontaudit_write_var_files(nsswitch_domain) ') @@ -26050,6 +29199,7 @@ index 104037e..348e8cf 100644 + +allow login_pgm self:netlink_kobject_uevent_socket create_socket_perms; +allow login_pgm self:capability ipc_lock; ++dontaudit login_pgm self:capability net_admin; +allow login_pgm self:process setkeycreate; +allow login_pgm self:key manage_key_perms; +userdom_manage_all_users_keys(login_pgm) 
@@ -26062,7 +29212,7 @@ index 104037e..348e8cf 100644 +manage_dirs_pattern(login_pgm, auth_cache_t, auth_cache_t) +manage_files_pattern(login_pgm, auth_cache_t, auth_cache_t) +manage_sock_files_pattern(login_pgm, auth_cache_t, auth_cache_t) -+files_var_filetrans(login_pgm, auth_cache_t, dir) ++files_var_filetrans(login_pgm, auth_cache_t, dir, "coolkey") + +manage_dirs_pattern(login_pgm, auth_home_t, auth_home_t) +manage_files_pattern(login_pgm, auth_home_t, auth_home_t) @@ -26110,6 +29260,7 @@ index 104037e..348e8cf 100644 +logging_set_tty_audit(login_pgm) + +miscfiles_dontaudit_write_generic_cert_files(login_pgm) ++miscfiles_filetrans_named_content(login_pgm) + +seutil_read_config(login_pgm) +seutil_read_login_config(login_pgm) @@ -26362,7 +29513,7 @@ index 016a770..1effeb4 100644 + files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid") +') diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te -index 6c4b6ee..f512b72 100644 +index 6c4b6ee..9eebe0b 100644 --- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te @@ -13,6 +13,9 @@ role system_r types fsadm_t; @@ -26375,7 +29526,15 @@ index 6c4b6ee..f512b72 100644 type fsadm_tmp_t; files_tmp_file(fsadm_tmp_t) -@@ -41,9 +44,15 @@ allow fsadm_t self:msg { send receive }; +@@ -26,6 +29,7 @@ files_type(swapfile_t) + + # ipc_lock is for losetup + allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_resource sys_tty_config dac_override dac_read_search }; ++dontaudit fsadm_t self:capability net_admin; + allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap }; + allow fsadm_t self:fd use; + allow fsadm_t self:fifo_file rw_fifo_file_perms; +@@ -41,9 +45,15 @@ allow fsadm_t self:msg { send receive }; can_exec(fsadm_t, fsadm_exec_t) 
@@ -26391,7 +29550,7 @@ index 6c4b6ee..f512b72 100644 # log files allow fsadm_t fsadm_log_t:dir setattr; -@@ -53,6 +62,7 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file) +@@ -53,6 +63,7 @@ logging_log_filetrans(fsadm_t, fsadm_log_t, file) # Enable swapping to files allow fsadm_t swapfile_t:file { rw_file_perms swapon }; @@ -26399,7 +29558,7 @@ index 6c4b6ee..f512b72 100644 kernel_read_system_state(fsadm_t) kernel_read_kernel_sysctls(fsadm_t) kernel_request_load_module(fsadm_t) -@@ -101,6 +111,8 @@ files_read_usr_files(fsadm_t) +@@ -101,6 +112,8 @@ files_read_usr_files(fsadm_t) files_read_etc_files(fsadm_t) files_manage_lost_found(fsadm_t) files_manage_isid_type_dirs(fsadm_t) @@ -26408,7 +29567,7 @@ index 6c4b6ee..f512b72 100644 # Write to /etc/mtab. files_manage_etc_runtime_files(fsadm_t) files_etc_filetrans_etc_runtime(fsadm_t, file) -@@ -120,6 +132,9 @@ fs_list_auto_mountpoints(fsadm_t) +@@ -120,6 +133,9 @@ fs_list_auto_mountpoints(fsadm_t) fs_search_tmpfs(fsadm_t) fs_getattr_tmpfs_dirs(fsadm_t) fs_read_tmpfs_symlinks(fsadm_t) @@ -26418,7 +29577,7 @@ index 6c4b6ee..f512b72 100644 # Recreate /mnt/cdrom. files_manage_mnt_dirs(fsadm_t) # for tune2fs -@@ -133,21 +148,27 @@ storage_raw_write_fixed_disk(fsadm_t) +@@ -133,21 +149,27 @@ storage_raw_write_fixed_disk(fsadm_t) storage_raw_read_removable_device(fsadm_t) storage_raw_write_removable_device(fsadm_t) storage_read_scsi_generic(fsadm_t) @@ -26448,7 +29607,7 @@ index 6c4b6ee..f512b72 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -166,6 +187,11 @@ optional_policy(` +@@ -166,6 +188,11 @@ optional_policy(` ') optional_policy(` @@ -26460,7 +29619,7 @@ index 6c4b6ee..f512b72 100644 hal_dontaudit_write_log(fsadm_t) ') -@@ -179,6 +205,10 @@ optional_policy(` +@@ -179,6 +206,10 @@ optional_policy(` ') optional_policy(` @@ -26471,7 +29630,7 @@ index 6c4b6ee..f512b72 100644 nis_use_ypbind(fsadm_t) ') -@@ -192,6 +222,10 @@ optional_policy(` +@@ -192,6 +223,10 @@ optional_policy(` ') optional_policy(` 
@@ -26629,6 +29788,18 @@ index 9dfecf7..6d00f5c 100644 /bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0) + +/usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0) +diff --git a/policy/modules/system/hostname.if b/policy/modules/system/hostname.if +index 187f04f..cf0af09 100644 +--- a/policy/modules/system/hostname.if ++++ b/policy/modules/system/hostname.if +@@ -53,7 +53,6 @@ interface(`hostname_run',` + ## Domain allowed access. + ## + ## +-## + # + interface(`hostname_exec',` + gen_require(` diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te index f6cbda9..51e9aef 100644 --- a/policy/modules/system/hostname.te @@ -26830,7 +30001,7 @@ index 9a4d3a7..9d960bb 100644 ') +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index 24e7804..76da5dd 100644 +index 24e7804..2863546 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1,5 +1,21 @@ @@ -27213,11 +30384,11 @@ index 24e7804..76da5dd 100644 + type init_t; + ') + -+ dontaudit $1 init_t:unix_stream_socket { getattr read write }; ++ dontaudit $1 init_t:unix_stream_socket { getattr read write ioctl }; ') ######################################## -@@ -743,22 +923,23 @@ interface(`init_write_initctl',` +@@ -743,22 +923,24 @@ interface(`init_write_initctl',` interface(`init_telinit',` gen_require(` type initctl_t; @@ -27242,6 +30413,7 @@ index 24e7804..76da5dd 100644 - ') + ps_process_pattern($1, init_t) + allow $1 init_t:process signal; ++ dontaudit $1 self:capability net_admin; + # upstart uses a datagram socket instead of initctl pipe + allow $1 self:unix_dgram_socket create_socket_perms; + allow $1 init_t:unix_dgram_socket sendto; @@ -27250,7 +30422,7 @@ index 24e7804..76da5dd 100644 ') ######################################## -@@ -787,7 +968,7 @@ interface(`init_rw_initctl',` +@@ -787,7 +969,7 @@ interface(`init_rw_initctl',` ##
## ## @@ -27259,7 +30431,7 @@ index 24e7804..76da5dd 100644 ## ## # -@@ -830,11 +1011,12 @@ interface(`init_script_file_entry_type',` +@@ -830,11 +1012,12 @@ interface(`init_script_file_entry_type',` # interface(`init_spec_domtrans_script',` gen_require(` @@ -27274,7 +30446,7 @@ index 24e7804..76da5dd 100644 ifdef(`distro_gentoo',` gen_require(` -@@ -845,11 +1027,11 @@ interface(`init_spec_domtrans_script',` +@@ -845,11 +1028,11 @@ interface(`init_spec_domtrans_script',` ') ifdef(`enable_mcs',` @@ -27288,7 +30460,7 @@ index 24e7804..76da5dd 100644 ') ') -@@ -865,19 +1047,41 @@ interface(`init_spec_domtrans_script',` +@@ -865,19 +1048,41 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -27334,7 +30506,7 @@ index 24e7804..76da5dd 100644 ') ######################################## -@@ -933,9 +1137,14 @@ interface(`init_script_file_domtrans',` +@@ -933,9 +1138,14 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -27349,7 +30521,7 @@ index 24e7804..76da5dd 100644 files_search_etc($1) ') -@@ -1012,6 +1221,42 @@ interface(`init_read_state',` +@@ -1012,6 +1222,42 @@ interface(`init_read_state',` ######################################## ## @@ -27392,7 +30564,7 @@ index 24e7804..76da5dd 100644 ## Ptrace init ## ## -@@ -1026,7 +1271,9 @@ interface(`init_ptrace',` +@@ -1026,7 +1272,9 @@ interface(`init_ptrace',` type init_t; ') @@ -27403,7 +30575,7 @@ index 24e7804..76da5dd 100644 ') ######################################## -@@ -1125,6 +1372,25 @@ interface(`init_getattr_all_script_files',` +@@ -1125,6 +1373,25 @@ interface(`init_getattr_all_script_files',` ######################################## ## @@ -27429,7 +30601,7 @@ index 24e7804..76da5dd 100644 ## Read all init script files. ## ## -@@ -1144,6 +1410,24 @@ interface(`init_read_all_script_files',` +@@ -1144,6 +1411,24 @@ interface(`init_read_all_script_files',` ####################################### ## 
@@ -27454,7 +30626,7 @@ index 24e7804..76da5dd 100644 ## Dontaudit read all init script files. ## ## -@@ -1195,12 +1479,7 @@ interface(`init_read_script_state',` +@@ -1195,12 +1480,7 @@ interface(`init_read_script_state',` ') kernel_search_proc($1) @@ -27468,69 +30640,113 @@ index 24e7804..76da5dd 100644 ') ######################################## -@@ -1440,7 +1719,7 @@ interface(`init_dbus_send_script',` +@@ -1314,7 +1594,7 @@ interface(`init_signal_script',` + ######################################## ## - ## Send and receive messages from --## init scripts over dbus. -+## init over dbus. +-## Send null signals to init scripts. ++## Send kill signals to init scripts. ## ## ## -@@ -1448,23 +1727,44 @@ interface(`init_dbus_send_script',` +@@ -1322,17 +1602,17 @@ interface(`init_signal_script',` ## ## # --interface(`init_dbus_chat_script',` -+interface(`init_dbus_chat',` +-interface(`init_signull_script',` ++interface(`init_sigkill_script',` gen_require(` -- type initrc_t; -+ type init_t; - class dbus send_msg; + type initrc_t; ') -- allow $1 initrc_t:dbus send_msg; -- allow initrc_t $1:dbus send_msg; -+ allow $1 init_t:dbus send_msg; -+ allow init_t $1:dbus send_msg; +- allow $1 initrc_t:process signull; ++ allow $1 initrc_t:process sigkill; ') ######################################## ## --## Read and write the init script pty. -+## Send and receive messages from -+## init scripts over dbus. +-## Read and write init script unnamed pipes. ++## Send null signals to init scripts. ## --## --##

--## Read and write the init script pty. This + ## + ##

+@@ -1340,17 +1620,17 @@ interface(`init_signull_script',` + ## + ## + # +-interface(`init_rw_script_pipes',` ++interface(`init_signull_script',` + gen_require(` + type initrc_t; + ') + +- allow $1 initrc_t:fifo_file { read write }; ++ allow $1 initrc_t:process signull; + ') + + ######################################## + ## +-## Send UDP network traffic to init scripts. (Deprecated) ++## Read and write init script unnamed pipes. + ## + ## + ## +@@ -1358,7 +1638,25 @@ interface(`init_rw_script_pipes',` + ## + ## + # +-interface(`init_udp_send_script',` ++interface(`init_rw_script_pipes',` ++ gen_require(` ++ type initrc_t; ++ ') ++ ++ allow $1 initrc_t:fifo_file { read write }; ++') ++ ++######################################## ++## ++## Send UDP network traffic to init scripts. (Deprecated) ++## +## +## +## Domain allowed access. +## +## +# -+interface(`init_dbus_chat_script',` ++interface(`init_udp_send_script',` + refpolicywarn(`$0($*) has been deprecated.') + ') + +@@ -1440,6 +1738,27 @@ interface(`init_dbus_send_script',` + ######################################## + ## + ## Send and receive messages from ++## init over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_dbus_chat',` + gen_require(` -+ type initrc_t; ++ type init_t; + class dbus send_msg; + ') + -+ allow $1 initrc_t:dbus send_msg; -+ allow initrc_t $1:dbus send_msg; ++ allow $1 init_t:dbus send_msg; ++ allow init_t $1:dbus send_msg; +') + +######################################## +## -+## Read and write the init script pty. -+## -+## -+##

-+## Read and write the init script pty. This - ## pty is generally opened by the open_init_pty - ## portion of the run_init program so that the - ## daemon does not require direct access to -@@ -1526,6 +1826,25 @@ interface(`init_getattr_script_status_files',` ++## Send and receive messages from + ## init scripts over dbus. + ##

+ ## +@@ -1526,6 +1845,25 @@ interface(`init_getattr_script_status_files',` ######################################## ## @@ -27556,7 +30772,7 @@ index 24e7804..76da5dd 100644 ## Do not audit attempts to read init script ## status files. ## -@@ -1584,6 +1903,24 @@ interface(`init_rw_script_tmp_files',` +@@ -1584,6 +1922,24 @@ interface(`init_rw_script_tmp_files',` ######################################## ## @@ -27581,7 +30797,7 @@ index 24e7804..76da5dd 100644 ## Create files in a init script ## temporary data directory. ## -@@ -1656,6 +1993,43 @@ interface(`init_read_utmp',` +@@ -1656,6 +2012,43 @@ interface(`init_read_utmp',` ######################################## ## @@ -27625,7 +30841,7 @@ index 24e7804..76da5dd 100644 ## Do not audit attempts to write utmp. ## ## -@@ -1744,7 +2118,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1744,7 +2137,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -27634,7 +30850,7 @@ index 24e7804..76da5dd 100644 ') ######################################## -@@ -1785,6 +2159,133 @@ interface(`init_pid_filetrans_utmp',` +@@ -1785,6 +2178,133 @@ interface(`init_pid_filetrans_utmp',` files_pid_filetrans($1, initrc_var_run_t, file, "utmp") ') @@ -27768,7 +30984,7 @@ index 24e7804..76da5dd 100644 ######################################## ## ## Allow the specified domain to connect to daemon with a tcp socket -@@ -1819,3 +2320,360 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1819,3 +2339,450 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') 
@@ -28110,6 +31326,96 @@ index 24e7804..76da5dd 100644 + +######################################## +## ++## Tell init to do an unknown access. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_start_transient_unit',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:service start; ++') ++ ++######################################## ++## ++## Tell init to do an unknown access. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_stop_transient_unit',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:service stop; ++') ++ ++######################################## ++## ++## Tell init to do an unknown access. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_reload_transient_unit',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:service reload; ++') ++ ++######################################## ++## ++## Tell init to do an unknown access. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_status_transient_unit',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:service status; ++') ++ ++######################################## ++## ++## Tell init to do an unknown access. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`init_manage_transient_unit',` ++ gen_require(` ++ type init_t; ++ ') ++ ++ allow $1 init_t:service { start stop reload status }; ++') ++ ++######################################## ++## +## Transition to init named content +## +## @@ -28130,7 +31436,7 @@ index 24e7804..76da5dd 100644 + files_etc_filetrans($1, machineid_t, file, "machine-id" ) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index dd3be8d..0996734 100644 +index dd3be8d..c983546 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -11,10 +11,31 @@ gen_require(` 
@@ -28185,7 +31491,7 @@ index dd3be8d..0996734 100644 # Mark file type as a daemon run directory attribute daemonrundir; -@@ -35,12 +64,14 @@ attribute daemonrundir; +@@ -35,12 +64,20 @@ attribute daemonrundir; # # init_t is the domain of the init process. # @@ -28198,10 +31504,16 @@ index dd3be8d..0996734 100644 kernel_domtrans_to(init_t, init_exec_t) role system_r types init_t; +init_initrc_domain(init_t) ++ ++# ++# init_tmp_t is the type for content in /tmp directory ++# ++type init_tmp_t; ++files_tmp_file(init_tmp_t) # # init_var_run_t is the type for /var/run/shutdown.pid. -@@ -49,6 +80,15 @@ type init_var_run_t; +@@ -49,6 +86,15 @@ type init_var_run_t; files_pid_file(init_var_run_t) # @@ -28217,7 +31529,7 @@ index dd3be8d..0996734 100644 # initctl_t is the type of the named pipe created # by init during initialization. This pipe is used # to communicate with init. -@@ -57,7 +97,7 @@ type initctl_t; +@@ -57,7 +103,7 @@ type initctl_t; files_type(initctl_t) mls_trusted_object(initctl_t) @@ -28226,7 +31538,7 @@ index dd3be8d..0996734 100644 type initrc_exec_t, init_script_file_type; domain_type(initrc_t) domain_entry_file(initrc_t, initrc_exec_t) -@@ -98,7 +138,9 @@ ifdef(`enable_mls',` +@@ -98,7 +144,9 @@ ifdef(`enable_mls',` # # Use capabilities. old rule: @@ -28237,8 +31549,12 @@ index dd3be8d..0996734 100644 # is ~sys_module really needed? observed: # sys_boot # sys_tty_config -@@ -110,12 +152,33 @@ allow init_t self:fifo_file rw_fifo_file_perms; +@@ -108,14 +156,42 @@ allow init_t self:capability ~sys_module; + + allow init_t self:fifo_file rw_fifo_file_perms; ++allow init_t self:service manage_service_perms; ++ # Re-exec itself can_exec(init_t, init_exec_t) - 
@@ -28256,6 +31572,11 @@ index dd3be8d..0996734 100644 +allow initrc_t init_t:unix_stream_socket { connectto rw_stream_socket_perms sendto }; +allow initrc_t init_t:fifo_file rw_fifo_file_perms; + ++manage_files_pattern(init_t, init_tmp_t, init_tmp_t) ++manage_dirs_pattern(init_t, init_tmp_t, init_tmp_t) ++manage_lnk_files_pattern(init_t, init_tmp_t, init_tmp_t) ++files_tmp_filetrans(init_t, init_tmp_t, { file }) ++ +manage_dirs_pattern(init_t, init_var_lib_t, init_var_lib_t) +manage_files_pattern(init_t, init_var_lib_t, init_var_lib_t) +manage_lnk_files_pattern(init_t, init_var_lib_t, init_var_lib_t) @@ -28277,7 +31598,7 @@ index dd3be8d..0996734 100644 allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) -@@ -125,13 +188,18 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; +@@ -125,13 +201,18 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr }; kernel_read_system_state(init_t) kernel_share_state(init_t) @@ -28297,11 +31618,12 @@ index dd3be8d..0996734 100644 domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) -@@ -139,14 +207,20 @@ domain_signal_all_domains(init_t) +@@ -139,14 +220,22 @@ domain_signal_all_domains(init_t) domain_signull_all_domains(init_t) domain_sigstop_all_domains(init_t) domain_sigchld_all_domains(init_t) +domain_read_all_domains_state(init_t) ++domain_getattr_all_domains(init_t) files_read_etc_files(init_t) +files_read_all_pids(init_t) @@ -28315,10 +31637,11 @@ index dd3be8d..0996734 100644 # Run /etc/X11/prefdm: files_exec_etc_files(init_t) +files_read_usr_files(init_t) ++files_write_root_dirs(init_t) # file descriptors inherited from the rootfs: files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) -@@ -156,28 +230,52 @@ fs_list_inotifyfs(init_t) +@@ -156,28 +245,53 @@ fs_list_inotifyfs(init_t) fs_write_ramfs_sockets(init_t) mcs_process_set_categories(init_t) 
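Review bot: In the `@@ -28256,6 +31572,11 @@` hunk init_t is granted `manage_dirs_pattern(init_t, init_tmp_t, init_tmp_t)` and `manage_lnk_files_pattern(...)`, but the transition `files_tmp_filetrans(init_t, init_tmp_t, { file })` covers plain files only, so a directory or symlink init_t creates under /tmp will by default inherit the parent directory's generic tmp type and the dir/lnk rules on init_tmp_t will rarely apply. If directories and symlinks are meant to be private to init, the transition should be `files_tmp_filetrans(init_t, init_tmp_t, { file dir lnk_file })`; if only files are, the unused dir and lnk_file manage rules should be dropped so the type's footprint matches what it actually labels. The init_t policy block continues outside this hunk.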
@@ -28358,14 +31681,15 @@ index dd3be8d..0996734 100644 +logging_send_audit_msgs(init_t) logging_rw_generic_logs(init_t) +logging_relabel_devlog_dev(init_t) ++logging_manage_audit_config(init_t) seutil_read_config(init_t) +seutil_read_module_store(init_t) -+ -+miscfiles_manage_localization(init_t) -+miscfiles_filetrans_named_content(init_t) -miscfiles_read_localization(init_t) ++miscfiles_manage_localization(init_t) ++miscfiles_filetrans_named_content(init_t) ++ +userdom_use_user_ttys(init_t) +userdom_manage_tmp_dirs(init_t) +userdom_manage_tmp_sockets(init_t) @@ -28374,7 +31698,7 @@ index dd3be8d..0996734 100644 ifdef(`distro_gentoo',` allow init_t self:process { getcap setcap }; -@@ -186,29 +284,208 @@ ifdef(`distro_gentoo',` +@@ -186,29 +300,226 @@ ifdef(`distro_gentoo',` ') ifdef(`distro_redhat',` @@ -28404,20 +31728,21 @@ index dd3be8d..0996734 100644 + +optional_policy(` + chronyd_read_keys(init_t) -+') -+ -+optional_policy(` -+ kdump_read_crash(init_t) ') optional_policy(` - auth_rw_login_records(init_t) -+ gnome_filetrans_home_content(init_t) -+ gnome_manage_data(init_t) ++ kdump_read_crash(init_t) ') optional_policy(` ++ gnome_filetrans_home_content(init_t) ++ gnome_manage_data(init_t) ++') ++ ++optional_policy(` + iscsi_read_lib_files(init_t) ++ iscsi_manage_lock(init_t) +') + +optional_policy(` @@ -28549,8 +31874,25 @@ index dd3be8d..0996734 100644 +auth_rw_login_records(init_t) +auth_domtrans_chk_passwd(init_t) + -+optional_policy(` -+ ipsec_read_config(init_t) ++ifdef(`distro_redhat',` ++ # it comes from setupr scripts used in systemd unit files ++ # has been covered by initrc_t ++ optional_policy(` ++ bind_manage_config_dirs(init_t) ++ bind_manage_config(init_t) ++ bind_write_config(init_t) ++ bind_setattr_zone_dirs(init_t) ++ ') ++ ++ optional_policy(` ++ ipsec_read_config(init_t) ++ ipsec_manage_pid(init_t) ++ ipsec_stream_connect(init_t) ++ ') ++ ++ optional_policy(` ++ rpc_manage_nfs_state_data(init_t) ++ ') +') + +optional_policy(` 
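Review bot: `logging_manage_audit_config(init_t)` gives the init domain write access to the audit configuration, which policy normally keeps writable only by the audit daemon and its admin tools because a domain that can edit it can also narrow what gets recorded. The hunk does not say which unit or denial needed this, and `logging_send_audit_msgs(init_t)` on the previous line already covers emitting audit events; a comment such as `# needed by <unit/AVC reference — TODO record>; a read-only interface suffices if init only reads it` above the call would let a later reviewer confirm the write grant is still required.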
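Review bot: In the `ifdef(`distro_redhat'` block of the hunk at `@@ -28549,8 +31874,25 @@`, the comment `# it comes from setupr scripts used in systemd unit files` looks like a typo (probably `setup`), and `bind_write_config(init_t)` appears redundant next to `bind_manage_config(init_t)` if, as the names suggest, the manage interface already includes write — confirm against bind.if, which is not in this hunk. Suggest `# comes from setup scripts used in systemd unit files` and dropping the narrower call if it is subsumed. The block also hands init_t write access to the bind configuration, the ipsec pid directory and the NFS state data; one comment per `optional_policy` naming the unit that needs it would make these grants easier to re-audit than the shared two-line header.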
@@ -28570,9 +31912,10 @@ index dd3be8d..0996734 100644 + optional_policy(` + devicekit_dbus_chat_power(init_t) + ') -+') -+ -+optional_policy(` + ') + + optional_policy(` +- nscd_use(init_t) + # /var/run/dovecot/login/ssl-parameters.dat is a hard link to + # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up + # the directory. But we do not want to allow this. @@ -28582,16 +31925,15 @@ index dd3be8d..0996734 100644 + +optional_policy(` + networkmanager_stream_connect(init_t) - ') - - optional_policy(` -- nscd_use(init_t) ++') ++ ++optional_policy(` + plymouthd_stream_connect(init_t) + plymouthd_exec_plymouth(init_t) ') optional_policy(` -@@ -216,7 +493,30 @@ optional_policy(` +@@ -216,7 +527,30 @@ optional_policy(` ') optional_policy(` @@ -28622,7 +31964,7 @@ index dd3be8d..0996734 100644 ') ######################################## -@@ -225,8 +525,9 @@ optional_policy(` +@@ -225,8 +559,9 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -28634,7 +31976,7 @@ index dd3be8d..0996734 100644 allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -257,12 +558,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -257,12 +592,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) @@ -28651,7 +31993,7 @@ index dd3be8d..0996734 100644 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t) -@@ -278,23 +583,36 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -278,23 +617,36 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) 
@@ -28694,7 +32036,7 @@ index dd3be8d..0996734 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -302,9 +620,11 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -302,9 +654,11 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -28706,7 +32048,7 @@ index dd3be8d..0996734 100644 dev_rw_sysfs(initrc_t) dev_list_usbfs(initrc_t) dev_read_framebuffer(initrc_t) -@@ -312,8 +632,10 @@ dev_write_framebuffer(initrc_t) +@@ -312,8 +666,10 @@ dev_write_framebuffer(initrc_t) dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) @@ -28717,7 +32059,7 @@ index dd3be8d..0996734 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -321,8 +643,7 @@ dev_manage_generic_files(initrc_t) +@@ -321,8 +677,7 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -28727,7 +32069,7 @@ index dd3be8d..0996734 100644 domain_kill_all_domains(initrc_t) domain_signal_all_domains(initrc_t) -@@ -331,7 +652,6 @@ domain_sigstop_all_domains(initrc_t) +@@ -331,7 +686,6 @@ domain_sigstop_all_domains(initrc_t) domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -28735,7 +32077,7 @@ index dd3be8d..0996734 100644 domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -339,6 +659,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -339,6 +693,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) 
@@ -28743,7 +32085,7 @@ index dd3be8d..0996734 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -346,14 +667,15 @@ files_getattr_all_symlinks(initrc_t) +@@ -346,14 +701,15 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -28761,7 +32103,7 @@ index dd3be8d..0996734 100644 files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) files_manage_generic_spool(initrc_t) -@@ -363,8 +685,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -363,8 +719,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -28775,7 +32117,7 @@ index dd3be8d..0996734 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -374,10 +700,11 @@ fs_mount_all_fs(initrc_t) +@@ -374,10 +734,11 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -28789,7 +32131,7 @@ index dd3be8d..0996734 100644 mcs_process_set_categories(initrc_t) mls_file_read_all_levels(initrc_t) -@@ -386,6 +713,7 @@ mls_process_read_up(initrc_t) +@@ -386,6 +747,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -28797,7 +32139,7 @@ index dd3be8d..0996734 100644 selinux_get_enforce_mode(initrc_t) -@@ -397,6 +725,7 @@ term_use_all_terms(initrc_t) +@@ -397,6 +759,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -28805,7 +32147,7 @@ index dd3be8d..0996734 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -415,20 +744,18 @@ logging_read_all_logs(initrc_t) +@@ -415,20 +778,18 @@ logging_read_all_logs(initrc_t) logging_append_all_logs(initrc_t) logging_read_audit_config(initrc_t) 
@@ -28829,7 +32171,7 @@ index dd3be8d..0996734 100644 ifdef(`distro_debian',` dev_setattr_generic_dirs(initrc_t) -@@ -450,7 +777,6 @@ ifdef(`distro_gentoo',` +@@ -450,7 +811,6 @@ ifdef(`distro_gentoo',` allow initrc_t self:process setfscreate; dev_create_null_dev(initrc_t) dev_create_zero_dev(initrc_t) @@ -28837,7 +32179,7 @@ index dd3be8d..0996734 100644 term_create_console_dev(initrc_t) # unfortunately /sbin/rc does stupid tricks -@@ -485,6 +811,10 @@ ifdef(`distro_gentoo',` +@@ -485,6 +845,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -28848,7 +32190,7 @@ index dd3be8d..0996734 100644 alsa_read_lib(initrc_t) ') -@@ -505,7 +835,7 @@ ifdef(`distro_redhat',` +@@ -505,7 +869,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -28857,7 +32199,7 @@ index dd3be8d..0996734 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -520,6 +850,7 @@ ifdef(`distro_redhat',` +@@ -520,6 +884,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -28865,7 +32207,7 @@ index dd3be8d..0996734 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -540,6 +871,7 @@ ifdef(`distro_redhat',` +@@ -540,6 +905,7 @@ ifdef(`distro_redhat',` miscfiles_rw_localization(initrc_t) miscfiles_setattr_localization(initrc_t) miscfiles_relabel_localization(initrc_t) @@ -28873,7 +32215,7 @@ index dd3be8d..0996734 100644 miscfiles_read_fonts(initrc_t) miscfiles_read_hwdata(initrc_t) -@@ -549,8 +881,44 @@ ifdef(`distro_redhat',` +@@ -549,8 +915,44 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -28918,7 +32260,7 @@ index dd3be8d..0996734 100644 ') optional_policy(` -@@ -558,14 +926,31 @@ ifdef(`distro_redhat',` +@@ -558,14 +960,31 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') 
@@ -28950,7 +32292,7 @@ index dd3be8d..0996734 100644 ') ') -@@ -576,6 +961,39 @@ ifdef(`distro_suse',` +@@ -576,6 +995,39 @@ ifdef(`distro_suse',` ') ') @@ -28990,7 +32332,7 @@ index dd3be8d..0996734 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -588,6 +1006,8 @@ optional_policy(` +@@ -588,6 +1040,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) @@ -28999,7 +32341,7 @@ index dd3be8d..0996734 100644 ') optional_policy(` -@@ -609,6 +1029,7 @@ optional_policy(` +@@ -609,6 +1063,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -29007,7 +32349,7 @@ index dd3be8d..0996734 100644 ') optional_policy(` -@@ -625,6 +1046,17 @@ optional_policy(` +@@ -625,6 +1080,17 @@ optional_policy(` ') optional_policy(` @@ -29025,7 +32367,7 @@ index dd3be8d..0996734 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -641,9 +1073,13 @@ optional_policy(` +@@ -641,9 +1107,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -29039,7 +32381,7 @@ index dd3be8d..0996734 100644 ') optional_policy(` -@@ -656,15 +1092,11 @@ optional_policy(` +@@ -656,15 +1126,11 @@ optional_policy(` ') optional_policy(` @@ -29057,7 +32399,7 @@ index dd3be8d..0996734 100644 ') optional_policy(` -@@ -685,6 +1117,15 @@ optional_policy(` +@@ -685,6 +1151,15 @@ optional_policy(` ') optional_policy(` @@ -29073,7 +32415,7 @@ index dd3be8d..0996734 100644 inn_exec_config(initrc_t) ') -@@ -725,6 +1166,7 @@ optional_policy(` +@@ -725,6 +1200,7 @@ optional_policy(` lpd_list_spool(initrc_t) lpd_read_config(initrc_t) @@ -29081,7 +32423,7 @@ index dd3be8d..0996734 100644 ') optional_policy(` -@@ -742,7 +1184,13 @@ optional_policy(` +@@ -742,7 +1218,13 @@ optional_policy(` ') optional_policy(` 
@@ -29096,7 +32438,7 @@ index dd3be8d..0996734 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -765,6 +1213,10 @@ optional_policy(` +@@ -765,6 +1247,10 @@ optional_policy(` ') optional_policy(` @@ -29107,7 +32449,7 @@ index dd3be8d..0996734 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -774,10 +1226,20 @@ optional_policy(` +@@ -774,10 +1260,20 @@ optional_policy(` ') optional_policy(` @@ -29128,7 +32470,7 @@ index dd3be8d..0996734 100644 quota_manage_flags(initrc_t) ') -@@ -786,6 +1248,10 @@ optional_policy(` +@@ -786,6 +1282,10 @@ optional_policy(` ') optional_policy(` @@ -29139,7 +32481,7 @@ index dd3be8d..0996734 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -807,8 +1273,6 @@ optional_policy(` +@@ -807,8 +1307,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -29148,7 +32490,7 @@ index dd3be8d..0996734 100644 ') optional_policy(` -@@ -817,6 +1281,10 @@ optional_policy(` +@@ -817,6 +1315,10 @@ optional_policy(` ') optional_policy(` @@ -29159,7 +32501,7 @@ index dd3be8d..0996734 100644 # shorewall-init script run /var/lib/shorewall/firewall shorewall_lib_domtrans(initrc_t) ') -@@ -826,10 +1294,12 @@ optional_policy(` +@@ -826,10 +1328,12 @@ optional_policy(` squid_manage_logs(initrc_t) ') @@ -29172,12 +32514,14 @@ index dd3be8d..0996734 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -856,12 +1326,33 @@ optional_policy(` +@@ -856,12 +1360,35 @@ optional_policy(` ') optional_policy(` + virt_read_config(init_t) + virt_stream_connect(init_t) ++ virt_noatsecure(init_t) ++ virt_rlimitinh(init_t) +') + +optional_policy(` @@ -29207,7 +32551,7 @@ index dd3be8d..0996734 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -871,6 +1362,18 @@ optional_policy(` +@@ -871,6 +1398,18 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') 
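Review bot: `virt_noatsecure(init_t)` and `virt_rlimitinh(init_t)` in the hunk at `@@ -29172,12 +32514,14 @@` relax the domain transition from init into the virt domain: noatsecure lets the transition happen without AT_SECURE being set, so the new program is not treated as a secure-exec, and rlimitinh passes init's resource limits through instead of resetting them. Both are deliberate exceptions to the default transition hardening and the hunk gives no reason for them; a comment such as `# virt units need init's environment/rlimits because <reason — TODO record>` above the two calls would document why the default is not acceptable here. The other hunks on this line add only ordinary `optional_policy` calls for initrc_t.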
@@ -29226,7 +32570,7 @@ index dd3be8d..0996734 100644 ') optional_policy(` -@@ -886,6 +1389,10 @@ optional_policy(` +@@ -886,6 +1425,10 @@ optional_policy(` ') optional_policy(` @@ -29237,7 +32581,7 @@ index dd3be8d..0996734 100644 # Set device ownerships/modes. xserver_setattr_console_pipes(initrc_t) -@@ -896,3 +1403,218 @@ optional_policy(` +@@ -896,3 +1439,218 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -29457,48 +32801,59 @@ index dd3be8d..0996734 100644 + ') + ') diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc -index 662e79b..a199ffd 100644 +index 662e79b..15116db 100644 --- a/policy/modules/system/ipsec.fc 
+++ b/policy/modules/system/ipsec.fc -@@ -1,14 +1,22 @@ +@@ -1,14 +1,28 @@ /etc/rc\.d/init\.d/ipsec -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) /etc/rc\.d/init\.d/racoon -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) +/etc/rc\.d/init\.d/strongswan -- gen_context(system_u:object_r:ipsec_initrc_exec_t,s0) -/etc/ipsec\.secrets -- gen_context(system_u:object_r:ipsec_key_file_t,s0) ++/usr/lib/systemd/system/ipsec.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0) +/usr/lib/systemd/system/strongswan.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0) ++/usr/lib/systemd/system/strongimcv.* -- gen_context(system_u:object_r:ipsec_mgmt_unit_file_t,s0) + +/etc/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0) /etc/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) +/etc/strongswan/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0) +/etc/strongswan/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) ++/etc/strongimcv/ipsec\.secrets.* -- gen_context(system_u:object_r:ipsec_key_file_t,s0) ++/etc/strongimcv/ipsec\.conf -- gen_context(system_u:object_r:ipsec_conf_file_t,s0) /etc/racoon/psk\.txt -- gen_context(system_u:object_r:ipsec_key_file_t,s0) /etc/racoon(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0) /etc/racoon/certs(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) +/etc/strongswan(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0) ++/etc/strongimcv(/.*)? gen_context(system_u:object_r:ipsec_conf_file_t,s0) + /etc/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) +/etc/strongswan/ipsec\.d(/.*)? gen_context(system_u:object_r:ipsec_key_file_t,s0) ++/etc/strongimcv/ipsec\.d(/.*)? 
gen_context(system_u:object_r:ipsec_key_file_t,s0) /sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) -@@ -26,16 +34,23 @@ +@@ -26,16 +40,27 @@ /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) -+/usr/libexec/strongswan/.* -- gen_context(system_u:object_r:ipsec_exec_t,s0) ++/usr/libexec/nm-libreswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) ++/usr/libexec/strongswan/.* -- gen_context(system_u:object_r:ipsec_exec_t,s0) ++/usr/libexec/strongimcv/.* -- gen_context(system_u:object_r:ipsec_exec_t,s0) /usr/sbin/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) /usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0) /usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0) +/usr/sbin/strongswan -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) ++/usr/sbin/strongimcv -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) /var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0) +/var/lock/subsys/strongswan -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0) ++/var/lock/subsys/strongimcv -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0) - /var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0) +-/var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0) ++/var/log/pluto\.log.* -- gen_context(system_u:object_r:ipsec_log_t,s0) /var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0) @@ -29509,7 +32864,7 @@ index 662e79b..a199ffd 100644 +/var/run/pluto/ipsec\.info -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0) +/var/run/pluto/ipsec_setup\.pid -- gen_context(system_u:object_r:ipsec_mgmt_var_run_t, s0) diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if -index 0d4c8d3..e6ffda3 100644 +index 0d4c8d3..3a3ec52 100644 
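Review bot: The new unit-file entries `/usr/lib/systemd/system/ipsec.*`, `strongswan.*` and `strongimcv.*` in the inner hunk `@@ -1,14 +1,28 @@` use an unescaped `.`, so `ipsec.*` matches any name beginning with `ipsec`, not only `ipsec.service`/`ipsec.socket`; the rest of the file escapes literal dots (`ipsec\.conf`, `pluto\.log`), and `ipsec\..*` would keep the unit-file label from spilling onto unrelated files that share the prefix. The same unescaped form is already used for `ip6?tables.*` in the iptables context file touched by this commit, so this may be a deliberate convention — if so it is only a consistency nit. Widening `/etc/ipsec\.secrets` to `/etc/ipsec\.secrets.*` is a good change, since it keeps editor backups and rotated copies of the key file under ipsec_key_file_t.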
--- a/policy/modules/system/ipsec.if +++ b/policy/modules/system/ipsec.if @@ -55,6 +55,64 @@ interface(`ipsec_domtrans_mgmt',` @@ -29670,7 +33025,15 @@ index 0d4c8d3..e6ffda3 100644 ') ######################################## -@@ -369,3 +479,26 @@ interface(`ipsec_run_setkey',` +@@ -282,6 +392,7 @@ interface(`ipsec_manage_pid',` + + files_search_pids($1) + manage_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t) ++ manage_sock_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t) + ') + + ######################################## +@@ -369,3 +480,26 @@ interface(`ipsec_run_setkey',` ipsec_domtrans_setkey($1) role $2 types setkey_t; ') @@ -29698,7 +33061,7 @@ index 0d4c8d3..e6ffda3 100644 + ps_process_pattern($1, ipsec_mgmt_t) +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 9e54bf9..ceb7f99 100644 +index 9e54bf9..7ca1e9e 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) @@ -29720,7 +33083,7 @@ index 9e54bf9..ceb7f99 100644 -allow ipsec_t self:process { getcap setcap getsched signal setsched }; +allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice net_raw setuid setgid }; +dontaudit ipsec_t self:capability sys_tty_config; -+allow ipsec_t self:process { getcap setcap getsched signal signull setsched }; ++allow ipsec_t self:process { getcap setcap getsched signal signull setsched sigkill }; allow ipsec_t self:tcp_socket create_stream_socket_perms; allow ipsec_t self:udp_socket create_socket_perms; +allow ipsec_t self:packet_socket create_socket_perms; 
@@ -29893,14 +33256,18 @@ index 9e54bf9..ceb7f99 100644 init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) -@@ -290,15 +326,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) +@@ -288,17 +324,22 @@ init_exec_script_files(ipsec_mgmt_t) + init_use_fds(ipsec_mgmt_t) + init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) - logging_send_syslog_msg(ipsec_mgmt_t) +-logging_send_syslog_msg(ipsec_mgmt_t) ++ipsec_mgmt_systemctl(ipsec_mgmt_t) -miscfiles_read_localization(ipsec_mgmt_t) - -seutil_dontaudit_search_config(ipsec_mgmt_t) -- ++logging_send_syslog_msg(ipsec_mgmt_t) + sysnet_manage_config(ipsec_mgmt_t) sysnet_domtrans_ifconfig(ipsec_mgmt_t) sysnet_etc_filetrans_config(ipsec_mgmt_t) @@ -29917,7 +33284,7 @@ index 9e54bf9..ceb7f99 100644 optional_policy(` consoletype_exec(ipsec_mgmt_t) -@@ -322,6 +361,10 @@ optional_policy(` +@@ -322,6 +363,10 @@ optional_policy(` ') optional_policy(` @@ -29928,7 +33295,7 @@ index 9e54bf9..ceb7f99 100644 modutils_domtrans_insmod(ipsec_mgmt_t) ') -@@ -335,7 +378,7 @@ optional_policy(` +@@ -335,7 +380,7 @@ optional_policy(` # allow racoon_t self:capability { net_admin net_bind_service }; @@ -29937,7 +33304,7 @@ index 9e54bf9..ceb7f99 100644 allow racoon_t self:unix_dgram_socket { connect create ioctl write }; allow racoon_t self:netlink_selinux_socket { bind create read }; allow racoon_t self:udp_socket create_socket_perms; -@@ -370,13 +413,12 @@ kernel_request_load_module(racoon_t) +@@ -370,13 +415,12 @@ kernel_request_load_module(racoon_t) corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) @@ -29957,7 +33324,7 @@ index 9e54bf9..ceb7f99 100644 corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) -@@ -401,10 +443,10 @@ locallogin_use_fds(racoon_t) +@@ -401,10 +445,10 @@ locallogin_use_fds(racoon_t) logging_send_syslog_msg(racoon_t) logging_send_audit_msgs(racoon_t) 
@@ -29970,7 +33337,7 @@ index 9e54bf9..ceb7f99 100644 auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -438,9 +480,8 @@ corenet_setcontext_all_spds(setkey_t) +@@ -438,9 +482,8 @@ corenet_setcontext_all_spds(setkey_t) locallogin_use_fds(setkey_t) @@ -29983,10 +33350,10 @@ index 9e54bf9..ceb7f99 100644 +userdom_use_inherited_user_terminals(setkey_t) +userdom_read_user_tmp_files(setkey_t) diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc -index 1b93eb7..b2532aa 100644 +index 1b93eb7..957deb0 100644 --- a/policy/modules/system/iptables.fc +++ b/policy/modules/system/iptables.fc -@@ -1,21 +1,27 @@ +@@ -1,21 +1,32 @@ /etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0) -/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0) @@ -29995,6 +33362,9 @@ index 1b93eb7..b2532aa 100644 + +/usr/lib/systemd/system/iptables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) +/usr/lib/systemd/system/ip6tables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) ++/usr/lib/systemd/system/ipset.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0) ++ ++/usr/libexec/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) 
@@ -30005,6 +33375,7 @@ index 1b93eb7..b2532aa 100644 +/sbin/ip6?tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/ip6?tables-restore.* -- gen_context(system_u:object_r:iptables_exec_t,s0) +/sbin/ip6?tables-multi.* -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) /sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) @@ -30020,6 +33391,7 @@ index 1b93eb7..b2532aa 100644 +/usr/sbin/ip6?tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/ip6?tables-restore.* -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/ip6?tables-multi.* -- gen_context(system_u:object_r:iptables_exec_t,s0) ++/usr/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0) +/usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0) @@ -30070,7 +33442,7 @@ index c42fbc3..174cfdb 100644 ## ## Set the attributes of iptables config files. diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index 5dfa44b..cafb28e 100644 +index 5dfa44b..1c9fe59 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -16,15 +16,15 @@ role iptables_roles types iptables_t; 
@@ -30111,15 +33483,16 @@ index 5dfa44b..cafb28e 100644 kernel_request_load_module(iptables_t) kernel_read_system_state(iptables_t) kernel_read_network_state(iptables_t) -@@ -64,6 +65,7 @@ corenet_relabelto_all_packets(iptables_t) +@@ -64,6 +65,8 @@ corenet_relabelto_all_packets(iptables_t) corenet_dontaudit_rw_tun_tap_dev(iptables_t) dev_read_sysfs(iptables_t) +dev_read_urand(iptables_t) ++dev_read_rand(iptables_t) fs_getattr_xattr_fs(iptables_t) fs_search_auto_mountpoints(iptables_t) -@@ -72,11 +74,12 @@ fs_list_inotifyfs(iptables_t) +@@ -72,11 +75,12 @@ fs_list_inotifyfs(iptables_t) mls_file_read_all_levels(iptables_t) term_dontaudit_use_console(iptables_t) @@ -30134,7 +33507,7 @@ index 5dfa44b..cafb28e 100644 auth_use_nsswitch(iptables_t) -@@ -85,15 +88,14 @@ init_use_script_ptys(iptables_t) +@@ -85,15 +89,14 @@ init_use_script_ptys(iptables_t) # to allow rules to be saved on reboot: init_rw_script_tmp_files(iptables_t) init_rw_script_stream_sockets(iptables_t) @@ -30152,7 +33525,7 @@ index 5dfa44b..cafb28e 100644 userdom_use_all_users_fds(iptables_t) ifdef(`hide_broken_symptoms',` -@@ -102,6 +104,8 @@ ifdef(`hide_broken_symptoms',` +@@ -102,6 +105,8 @@ ifdef(`hide_broken_symptoms',` optional_policy(` fail2ban_append_log(iptables_t) @@ -30161,7 +33534,7 @@ index 5dfa44b..cafb28e 100644 ') optional_policy(` -@@ -110,6 +114,11 @@ optional_policy(` +@@ -110,6 +115,11 @@ optional_policy(` ') optional_policy(` @@ -30173,7 +33546,7 @@ index 5dfa44b..cafb28e 100644 modutils_run_insmod(iptables_t, iptables_roles) ') -@@ -124,6 +133,12 @@ optional_policy(` +@@ -124,6 +134,12 @@ optional_policy(` optional_policy(` psad_rw_tmp_files(iptables_t) @@ -30186,7 +33559,7 @@ index 5dfa44b..cafb28e 100644 ') optional_policy(` -@@ -135,9 +150,9 @@ optional_policy(` +@@ -135,9 +151,9 @@ optional_policy(` ') optional_policy(` @@ -30528,7 +33901,7 @@ index 73bb3c0..5b9420f 100644 + +/usr/sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0) 
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if -index 808ba93..9d8f729 100644 +index 808ba93..57a68da 100644 --- a/policy/modules/system/libraries.if +++ b/policy/modules/system/libraries.if @@ -66,6 +66,25 @@ interface(`libs_exec_ldconfig',` @@ -30664,7 +34037,7 @@ index 808ba93..9d8f729 100644 ') ######################################## -@@ -534,3 +558,26 @@ interface(`lib_filetrans_shared_lib',` +@@ -534,3 +558,28 @@ interface(`lib_filetrans_shared_lib',` interface(`files_lib_filetrans_shared_lib',` refpolicywarn(`$0($*) has been deprecated.') ') @@ -30681,10 +34054,12 @@ index 808ba93..9d8f729 100644 +# +interface(`libs_filetrans_named_content',` + gen_require(` ++ type lib_t; + type ld_so_cache_t; + type ldconfig_cache_t; + ') + ++ files_var_lib_filetrans($1,ldconfig_cache_t, dir, "debug") + files_var_filetrans($1, ldconfig_cache_t, dir, "ldconfig") + files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache") + files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.cache~") @@ -30881,7 +34256,7 @@ index 0e3c2a9..ea9bd57 100644 + userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin") +') diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te -index c04ac46..ed59137 100644 +index c04ac46..7b55414 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t) 
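Review bot: In `libs_filetrans_named_content` (hunk `@@ -30681,10 +34054,12 @@`), the added `files_var_lib_filetrans($1,ldconfig_cache_t, dir, "debug")` is missing the space after the first comma that every neighbouring call has, and the `type lib_t;` added to the gen_require is not referenced by any rule visible in this hunk — if the rest of the interface, which continues past the hunk, does not use it either, the require should be dropped. Labelling a `debug` directory under /var/lib as ldconfig_cache_t is also unusual enough to deserve a one-line comment naming the tool that creates it, e.g. `# <tool> creates /var/lib/debug when <event> — TODO record`.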
@@ -31005,10 +34380,28 @@ index c04ac46..ed59137 100644 unconfined_shell_domtrans(local_login_t) ') -@@ -215,37 +211,56 @@ allow sulogin_t self:sem create_sem_perms; +@@ -195,6 +191,7 @@ optional_policy(` + optional_policy(` + xserver_read_xdm_tmp_files(local_login_t) + xserver_rw_xdm_tmp_files(local_login_t) ++ xserver_rw_xdm_keys(local_login_t) + ') + + ################################# +@@ -202,7 +199,7 @@ optional_policy(` + # Sulogin local policy + # + +-allow sulogin_t self:capability dac_override; ++allow sulogin_t self:capability { dac_override sys_admin }; + allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow sulogin_t self:fd use; + allow sulogin_t self:fifo_file rw_fifo_file_perms; +@@ -215,18 +212,27 @@ allow sulogin_t self:sem create_sem_perms; allow sulogin_t self:msgq create_msgq_perms; allow sulogin_t self:msg { send receive }; ++kernel_getattr_core_if(sulogin_t) +kernel_read_crypto_sysctls(sulogin_t) kernel_read_system_state(sulogin_t) @@ -31028,12 +34421,11 @@ index c04ac46..ed59137 100644 init_getpgid_script(sulogin_t) +init_getpgid(sulogin_t) ++init_getattr_initctl(sulogin_t) logging_send_syslog_msg(sulogin_t) -+ - seutil_read_config(sulogin_t) - seutil_read_default_contexts(sulogin_t) +@@ -235,17 +241,28 @@ seutil_read_default_contexts(sulogin_t) userdom_use_unpriv_users_fds(sulogin_t) @@ -31064,7 +34456,7 @@ index c04ac46..ed59137 100644 init_getpgid(sulogin_t) ', ` allow sulogin_t self:process setexec; -@@ -256,11 +271,3 @@ ifdef(`sulogin_no_pam', ` +@@ -256,11 +273,3 @@ ifdef(`sulogin_no_pam', ` selinux_compute_relabel_context(sulogin_t) selinux_compute_user_contexts(sulogin_t) ') @@ -31077,7 +34469,7 @@ index c04ac46..ed59137 100644 - nscd_use(sulogin_t) -') diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc -index b50c5fe..2faaaf2 100644 +index b50c5fe..e55a556 100644 --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc 
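Review bot: `allow sulogin_t self:capability { dac_override sys_admin };` widens sulogin from dac_override alone to sys_admin as well, and sys_admin is the broadest capability in the set, so the hunk should say which sulogin operation needs it; a comment like `# sys_admin needed for <operation/AVC — TODO record>` above the rule would let the grant be re-checked when sulogin changes. In the same hunk `xserver_rw_xdm_keys(local_login_t)` is added without a note; a short reason next to it would help for the same purpose.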
@@ -2,10 +2,13 @@ @@ -31121,7 +34513,7 @@ index b50c5fe..2faaaf2 100644 /var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) -@@ -38,13 +54,13 @@ ifdef(`distro_suse', ` +@@ -38,21 +54,22 @@ ifdef(`distro_suse', ` /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) /var/log/.* gen_context(system_u:object_r:var_log_t,s0) @@ -31136,8 +34528,10 @@ index b50c5fe..2faaaf2 100644 +/var/run/systemd/journal(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) ifndef(`distro_gentoo',` - /var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) -@@ -53,6 +69,7 @@ ifndef(`distro_gentoo',` +-/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) ++/var/log/audit\.log.* -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) + ') + ifdef(`distro_redhat',` /var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0) /var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0) @@ -31164,7 +34558,7 @@ index b50c5fe..2faaaf2 100644 +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) + diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if -index 4e94884..9b82ed0 100644 +index 4e94884..b144ffe 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -233,7 +233,7 @@ interface(`logging_run_auditd',` 
@@ -31254,24 +34648,17 @@ index 4e94884..9b82ed0 100644 ######################################## ## ## Send system log messages. -@@ -530,22 +592,85 @@ interface(`logging_log_filetrans',` +@@ -530,22 +592,104 @@ interface(`logging_log_filetrans',` # interface(`logging_send_syslog_msg',` gen_require(` - type syslogd_t, devlog_t; + attribute syslog_client_type; - ') - -- allow $1 devlog_t:lnk_file read_lnk_file_perms; -- allow $1 devlog_t:sock_file write_sock_file_perms; ++ ') ++ + typeattribute $1 syslog_client_type; +') - -- # the type of socket depends on the syslog daemon -- allow $1 syslogd_t:unix_dgram_socket sendto; -- allow $1 syslogd_t:unix_stream_socket connectto; -- allow $1 self:unix_dgram_socket create_socket_perms; -- allow $1 self:unix_stream_socket create_socket_perms; ++ +######################################## +## +## Connect to the syslog control unix stream socket. @@ -31286,11 +34673,7 @@ index 4e94884..9b82ed0 100644 + gen_require(` + type devlog_t; + ') - -- # If syslog is down, the glibc syslog() function -- # will write to the console. -- term_write_console($1) -- term_dontaudit_read_console($1) ++ + allow $1 devlog_t:sock_file manage_sock_file_perms; + dev_filetrans($1, devlog_t, sock_file) + init_pid_filetrans($1, devlog_t, sock_file, "syslog") 
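Review bot: The summary `## Connect to the syslog control unix stream socket.` is followed by a body that creates, deletes and file-transitions the devlog sock_file (`allow $1 devlog_t:sock_file manage_sock_file_perms;`, `dev_filetrans(...)`, `init_pid_filetrans($1, devlog_t, sock_file, "syslog")`), which is not a connect. The `interface(` line itself is not visible in this hunk, so a dropped line between the two is possible; if the summary does belong to this body it should read something like `## Create, delete and label the /dev/log socket and the syslog socket under the init pid directory.` so callers are not misled about what they are granting.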
@@ -31316,6 +34699,32 @@ index 4e94884..9b82ed0 100644 + +######################################## +## ++## Allow domain to read the syslog pid files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`logging_read_syslog_pid',` ++ gen_require(` ++ type syslogd_var_run_t; + ') + +- allow $1 devlog_t:lnk_file read_lnk_file_perms; +- allow $1 devlog_t:sock_file write_sock_file_perms; ++ read_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) ++ list_dirs_pattern($1, syslogd_var_run_t, syslogd_var_run_t) ++') + +- # the type of socket depends on the syslog daemon +- allow $1 syslogd_t:unix_dgram_socket sendto; +- allow $1 syslogd_t:unix_stream_socket connectto; +- allow $1 self:unix_dgram_socket create_socket_perms; +- allow $1 self:unix_stream_socket create_socket_perms; ++######################################## ++## +## Relabel the syslog pid sock_file. +## +## @@ -31328,7 +34737,11 @@ index 4e94884..9b82ed0 100644 + gen_require(` + type syslogd_var_run_t; + ') -+ + +- # If syslog is down, the glibc syslog() function +- # will write to the console. +- term_write_console($1) +- term_dontaudit_read_console($1) + allow $1 syslogd_var_run_t:sock_file relabel_sock_file_perms; +') + 
@@ -31352,7 +34765,59 @@ index 4e94884..9b82ed0 100644 ') ######################################## -@@ -776,7 +901,25 @@ interface(`logging_append_all_logs',` +@@ -609,6 +753,25 @@ interface(`logging_read_syslog_config',` + + ######################################## + ## ++## Manage syslog configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`logging_manage_syslog_config',` ++ gen_require(` ++ type syslog_conf_t; ++ ') ++ ++ manage_files_pattern($1, syslog_conf_t, syslog_conf_t) ++') ++ ++######################################## ++## + ## Allows the domain to open a file in the + ## log directory, but does not allow the listing + ## of the contents of the log directory. +@@ -722,6 +885,25 @@ interface(`logging_setattr_all_log_dirs',` + allow $1 logfile:dir setattr; + ') + ++####################################### ++## ++## Relabel on all log dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`logging_relabel_all_log_dirs',` ++ gen_require(` ++ attribute logfile; ++ ') ++ ++ relabel_dirs_pattern($1, logfile, logfile) ++') ++ + ######################################## + ## + ## Do not audit attempts to get the attributes +@@ -776,7 +958,25 @@ interface(`logging_append_all_logs',` ') files_search_var($1) @@ -31379,7 +34844,7 @@ index 4e94884..9b82ed0 100644 ') ######################################## -@@ -859,7 +1002,7 @@ interface(`logging_manage_all_logs',` +@@ -859,7 +1059,7 @@ interface(`logging_manage_all_logs',` files_search_var($1) manage_files_pattern($1, logfile, logfile) @@ -31388,7 +34853,7 @@ index 4e94884..9b82ed0 100644 ') ######################################## -@@ -885,6 +1028,44 @@ interface(`logging_read_generic_logs',` +@@ -885,6 +1085,44 @@ interface(`logging_read_generic_logs',` ######################################## ## 
@@ -31433,7 +34898,7 @@ index 4e94884..9b82ed0 100644 ## Write generic log files. ## ## -@@ -905,6 +1086,24 @@ interface(`logging_write_generic_logs',` +@@ -905,6 +1143,24 @@ interface(`logging_write_generic_logs',` ######################################## ## @@ -31458,7 +34923,7 @@ index 4e94884..9b82ed0 100644 ## Dontaudit Write generic log files. ## ## -@@ -984,11 +1183,16 @@ interface(`logging_admin_audit',` +@@ -984,11 +1240,16 @@ interface(`logging_admin_audit',` type auditd_t, auditd_etc_t, auditd_log_t; type auditd_var_run_t; type auditd_initrc_exec_t; @@ -31476,7 +34941,7 @@ index 4e94884..9b82ed0 100644 manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) manage_files_pattern($1, auditd_etc_t, auditd_etc_t) -@@ -1004,6 +1208,33 @@ interface(`logging_admin_audit',` +@@ -1004,6 +1265,33 @@ interface(`logging_admin_audit',` domain_system_change_exemption($1) role_transition $2 auditd_initrc_exec_t system_r; allow $2 system_r; @@ -31510,7 +34975,7 @@ index 4e94884..9b82ed0 100644 ') ######################################## -@@ -1032,10 +1263,15 @@ interface(`logging_admin_syslog',` +@@ -1032,10 +1320,15 @@ interface(`logging_admin_syslog',` type syslogd_initrc_exec_t; ') @@ -31528,7 +34993,7 @@ index 4e94884..9b82ed0 100644 manage_dirs_pattern($1, klogd_var_run_t, klogd_var_run_t) manage_files_pattern($1, klogd_var_run_t, klogd_var_run_t) -@@ -1057,6 +1293,8 @@ interface(`logging_admin_syslog',` +@@ -1057,6 +1350,8 @@ interface(`logging_admin_syslog',` manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) 
@@ -31537,13 +35002,32 @@ index 4e94884..9b82ed0 100644 init_labeled_script_domtrans($1, syslogd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1085,3 +1323,35 @@ interface(`logging_admin',` +@@ -1085,3 +1380,54 @@ interface(`logging_admin',` logging_admin_audit($1, $2) logging_admin_syslog($1, $2) ') + +######################################## +## ++## Transition to syslog.conf ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`logging_filetrans_named_conf',` ++ gen_require(` ++ type syslog_conf_t; ++ ') ++ ++ files_etc_filetrans($1, syslog_conf_t, file, "syslog.conf") ++ files_etc_filetrans($1, syslog_conf_t, file, "rsyslog.conf") ++') ++ ++######################################## ++## +## Transition to logging named content +## +## @@ -31574,7 +35058,7 @@ index 4e94884..9b82ed0 100644 + logging_log_filetrans($1, var_log_t, dir, "anaconda") +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 39ea221..616d6a8 100644 +index 39ea221..553ae21 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,21 @@ policy_module(logging, 1.19.6) @@ -31595,7 +35079,7 @@ index 39ea221..616d6a8 100644 +## Allow syslogd the ability to read/write terminals +##

+## -+gen_tunable(logging_syslogd_use_tty, false) ++gen_tunable(logging_syslogd_use_tty, true) attribute logfile; @@ -31642,16 +35126,18 @@ index 39ea221..616d6a8 100644 read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t) allow auditctl_t auditd_etc_t:dir list_dir_perms; -@@ -111,7 +134,7 @@ domain_use_interactive_fds(auditctl_t) +@@ -111,7 +134,9 @@ domain_use_interactive_fds(auditctl_t) mls_file_read_all_levels(auditctl_t) -term_use_all_terms(auditctl_t) ++storage_getattr_removable_dev(auditctl_t) ++ +term_use_all_inherited_terms(auditctl_t) init_dontaudit_use_fds(auditctl_t) -@@ -148,6 +171,7 @@ kernel_read_kernel_sysctls(auditd_t) +@@ -148,6 +173,7 @@ kernel_read_kernel_sysctls(auditd_t) # Needs to be able to run dispatcher. see /etc/audit/auditd.conf # Probably want a transition, and a new auditd_helper app kernel_read_system_state(auditd_t) @@ -31659,7 +35145,7 @@ index 39ea221..616d6a8 100644 dev_read_sysfs(auditd_t) -@@ -155,9 +179,6 @@ fs_getattr_all_fs(auditd_t) +@@ -155,9 +181,6 @@ fs_getattr_all_fs(auditd_t) fs_search_auto_mountpoints(auditd_t) fs_rw_anon_inodefs_files(auditd_t) @@ -31669,7 +35155,7 @@ index 39ea221..616d6a8 100644 corenet_all_recvfrom_netlabel(auditd_t) corenet_tcp_sendrecv_generic_if(auditd_t) corenet_tcp_sendrecv_generic_node(auditd_t) -@@ -183,16 +204,17 @@ logging_send_syslog_msg(auditd_t) +@@ -183,16 +206,17 @@ logging_send_syslog_msg(auditd_t) logging_domtrans_dispatcher(auditd_t) logging_signal_dispatcher(auditd_t) @@ -31691,7 +35177,7 @@ index 39ea221..616d6a8 100644 userdom_dontaudit_use_unpriv_user_fds(auditd_t) userdom_dontaudit_search_user_home_dirs(auditd_t) -@@ -237,19 +259,29 @@ corecmd_exec_shell(audisp_t) +@@ -237,19 +261,29 @@ corecmd_exec_shell(audisp_t) domain_use_interactive_fds(audisp_t) 
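Review bot: The default of `logging_syslogd_use_tty` flips from `false` to `true` in the `gen_tunable` line, so a stock install now grants syslogd terminal read/write without the administrator opting in, yet the description above the tunable does not say so and nothing records which logger needs it. The description should state the default, e.g. `## Allow syslogd the ability to read/write terminals (enabled by default).`, and a short why-comment next to the tunable would let a hardening guide decide whether to turn it off. The `tunable_policy` block that consumes this boolean is outside the hunk, so which rules it gates is not visible here.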
@@ -31722,7 +35208,7 @@ index 39ea221..616d6a8 100644 ') ######################################## -@@ -268,7 +300,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file }) +@@ -268,7 +302,6 @@ files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file }) corecmd_exec_bin(audisp_remote_t) @@ -31730,7 +35216,7 @@ index 39ea221..616d6a8 100644 corenet_all_recvfrom_netlabel(audisp_remote_t) corenet_tcp_sendrecv_generic_if(audisp_remote_t) corenet_tcp_sendrecv_generic_node(audisp_remote_t) -@@ -280,10 +311,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) +@@ -280,10 +313,18 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t) files_read_etc_files(audisp_remote_t) @@ -31750,7 +35236,7 @@ index 39ea221..616d6a8 100644 sysnet_dns_name_resolve(audisp_remote_t) -@@ -326,7 +365,6 @@ files_read_etc_files(klogd_t) +@@ -326,7 +367,6 @@ files_read_etc_files(klogd_t) logging_send_syslog_msg(klogd_t) @@ -31758,12 +35244,12 @@ index 39ea221..616d6a8 100644 mls_file_read_all_levels(klogd_t) -@@ -354,12 +392,12 @@ optional_policy(` +@@ -354,12 +394,12 @@ optional_policy(` # chown fsetid for syslog-ng # sys_admin for the integrated klog of syslog-ng and metalog # cjp: why net_admin! -allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid }; -+allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid }; ++allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid net_raw }; dontaudit syslogd_t self:capability sys_tty_config; +allow syslogd_t self:capability2 { syslog block_suspend }; # setpgid for metalog 
@@ -31774,15 +35260,18 @@ index 39ea221..616d6a8 100644 # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; -@@ -369,6 +407,7 @@ allow syslogd_t self:udp_socket create_socket_perms; +@@ -367,8 +407,10 @@ allow syslogd_t self:unix_dgram_socket sendto; + allow syslogd_t self:fifo_file rw_fifo_file_perms; + allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; ++allow syslogd_t self:rawip_socket create_socket_perms; allow syslogd_t syslog_conf_t:file read_file_perms; +allow syslogd_t syslog_conf_t:dir list_dir_perms; # Create and bind to /dev/log or /var/run/log. allow syslogd_t devlog_t:sock_file manage_sock_file_perms; -@@ -377,6 +416,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) +@@ -377,6 +419,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) # create/append log files. manage_files_pattern(syslogd_t, var_log_t, var_log_t) rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) @@ -31790,7 +35279,7 @@ index 39ea221..616d6a8 100644 # Allow access for syslog-ng allow syslogd_t var_log_t:dir { create setattr }; -@@ -386,28 +426,41 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -386,28 +429,41 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) @@ -31835,7 +35324,7 @@ index 39ea221..616d6a8 100644 # syslog-ng can listen and connect on tcp port 514 (rsh) corenet_tcp_sendrecv_generic_if(syslogd_t) corenet_tcp_sendrecv_generic_node(syslogd_t) -@@ -417,6 +470,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) +@@ -417,6 +473,8 @@ corenet_tcp_bind_rsh_port(syslogd_t) corenet_tcp_connect_rsh_port(syslogd_t) # Allow users to define additional syslog ports to connect to corenet_tcp_bind_syslogd_port(syslogd_t) 
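Review bot: `allow syslogd_t self:rawip_socket create_socket_perms;` lets the log daemon open raw IP sockets, and together with the `net_raw` capability added to the `syslogd_t` capability set in the preceding hunk this widens what a compromised syslogd could put on the network, but neither line says which rsyslog feature requires it. The surrounding block annotates its capabilities (`# chown fsetid for syslog-ng`, `# cjp: why net_admin!`), so a matching `# raw sockets and net_raw needed for <rsyslog feature — fill in>` above the new rule would keep that convention and make the grant auditable later. The capability line in the preceding hunk also lists `setuid setgid` twice; the duplicates look harmless but should be dropped when that line is next touched.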
@@ -31844,7 +35333,7 @@ index 39ea221..616d6a8 100644 corenet_tcp_connect_syslogd_port(syslogd_t) corenet_tcp_connect_postgresql_port(syslogd_t) corenet_tcp_connect_mysqld_port(syslogd_t) -@@ -427,9 +482,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -427,9 +485,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) @@ -31872,7 +35361,7 @@ index 39ea221..616d6a8 100644 domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) -@@ -442,14 +514,19 @@ files_read_kernel_symbol_table(syslogd_t) +@@ -442,14 +517,19 @@ files_read_kernel_symbol_table(syslogd_t) files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) @@ -31892,7 +35381,7 @@ index 39ea221..616d6a8 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -461,11 +538,11 @@ init_use_fds(syslogd_t) +@@ -461,11 +541,11 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -31907,7 +35396,16 @@ index 39ea221..616d6a8 100644 ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -502,15 +579,40 @@ optional_policy(` +@@ -492,6 +572,8 @@ optional_policy(` + optional_policy(` + cron_manage_log_files(syslogd_t) + cron_generic_log_filetrans_log(syslogd_t, file, "cron.log") ++ cron_generic_log_filetrans_log(syslogd_t, file, "cron") ++ + ') + + optional_policy(` +@@ -502,15 +584,40 @@ optional_policy(` ') optional_policy(` @@ -31948,7 +35446,7 @@ index 39ea221..616d6a8 100644 ') optional_policy(` -@@ -521,3 +623,26 @@ optional_policy(` +@@ -521,3 +628,26 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') @@ -31976,7 +35474,7 @@ index 39ea221..616d6a8 100644 + +logging_stream_connect_syslog(syslog_client_type) 
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc -index 879bb1e..b250b3e 100644 +index 879bb1e..633e449 100644 --- a/policy/modules/system/lvm.fc +++ b/policy/modules/system/lvm.fc @@ -23,28 +23,35 @@ ifdef(`distro_gentoo',` @@ -32091,20 +35589,72 @@ index 879bb1e..b250b3e 100644 # # /var -@@ -97,5 +168,8 @@ ifdef(`distro_gentoo',` +@@ -97,5 +168,9 @@ ifdef(`distro_gentoo',` /var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) /var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0) /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) +/var/lock/dmraid(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) +/var/run/lvm(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0) ++/var/run/multipathd(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0) /var/run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0) +/var/run/clvmd\.pid -- gen_context(system_u:object_r:clvmd_var_run_t,s0) /var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0) diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if -index 58bc27f..51e9872 100644 +index 58bc27f..f887230 100644 --- a/policy/modules/system/lvm.if 
+++ b/policy/modules/system/lvm.if -@@ -123,3 +123,94 @@ interface(`lvm_domtrans_clvmd',` +@@ -86,6 +86,50 @@ interface(`lvm_read_config',` + + ######################################## + ## ++## Read LVM configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`lvm_read_metadata',` ++ gen_require(` ++ type lvm_etc_t; ++ type lvm_metadata_t; ++ ') ++ ++ files_search_etc($1) ++ allow $1 lvm_etc_t:dir list_dir_perms; ++ read_files_pattern($1,lvm_metadata_t ,lvm_metadata_t) ++') ++ ++######################################## ++## ++## Read LVM configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`lvm_write_metadata',` ++ gen_require(` ++ type lvm_etc_t; ++ type lvm_metadata_t; ++ ') ++ ++ files_search_etc($1) ++ allow $1 lvm_etc_t:dir list_dir_perms; ++ write_files_pattern($1,lvm_metadata_t ,lvm_metadata_t) ++') ++ ++######################################## ++## + ## Manage LVM configuration files. + ## + ## +@@ -123,3 +167,113 @@ interface(`lvm_domtrans_clvmd',` corecmd_search_bin($1) domtrans_pattern($1, clvmd_exec_t, clvmd_t) ') @@ -32199,6 +35749,25 @@ index 58bc27f..51e9872 100644 + + allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms; +') ++ ++######################################## ++## ++## Do not audit attempts to access check cert dirs/files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`lvm_dontaudit_access_check_lock',` ++ gen_require(` ++ type lvm_lock_t; ++ ') ++ ++ dontaudit $1 lvm_lock_t:dir audit_access; ++') ++ diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te index e8c59a5..b22837c 100644 --- a/policy/modules/system/lvm.te @@ -32800,7 +36369,7 @@ index 9933677..ca14c17 100644 + +/var/run/tmpfiles.d/kmod.conf -- gen_context(system_u:object_r:insmod_var_run_t,s0) diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if -index 7449974..6375786 100644 +index 7449974..23bbbf2 100644 
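Review bot: The summary on `lvm_write_metadata` reads `## Read LVM configuration files.`, copied from `lvm_read_metadata`, although its body is `write_files_pattern($1,lvm_metadata_t ,lvm_metadata_t)`; and since both interfaces operate on `lvm_metadata_t` rather than the config type, they should say `## Read LVM metadata files.` and `## Write LVM metadata files.` respectively. The same copy-paste problem appears in the next hunk on `lvm_dontaudit_access_check_lock`, whose summary talks about `check cert dirs/files` while the rule is `dontaudit $1 lvm_lock_t:dir audit_access;`, so `## Do not audit access checks on LVM lock directories.` would match. The pattern calls also carry stray spacing (`$1,lvm_metadata_t ,lvm_metadata_t`) that differs from every other call in the file.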
--- a/policy/modules/system/modutils.if +++ b/policy/modules/system/modutils.if @@ -12,7 +12,7 @@ @@ -32857,7 +36426,57 @@ index 7449974..6375786 100644 ## Read the configuration options used when ## loading modules. ##
-@@ -308,11 +346,18 @@ interface(`modutils_domtrans_update_mods',` +@@ -163,6 +201,24 @@ interface(`modutils_domtrans_insmod',` + + ######################################## + ## ++## Allow send signal to insmod. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`modutils_signal_insmod',` ++ gen_require(` ++ type insmod_t; ++ ') ++ ++ allow $1 insmod_t:process signal; ++') ++ ++######################################## ++## + ## Execute insmod in the insmod domain, and + ## allow the specified role the insmod domain, + ## and use the caller's terminal. Has a sigchld +@@ -208,6 +264,24 @@ interface(`modutils_exec_insmod',` + can_exec($1, insmod_exec_t) + ') + ++####################################### ++## ++## Don't audit execute insmod in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`modutils_dontaudit_exec_insmod',` ++ gen_require(` ++ type insmod_exec_t; ++ ') ++ ++ dontaudit $1 insmod_exec_t:file exec_file_perms; ++') ++ + ######################################## + ## + ## Execute depmod in the depmod domain. +@@ -308,11 +382,18 @@ interface(`modutils_domtrans_update_mods',` # interface(`modutils_run_update_mods',` gen_require(` @@ -32878,7 +36497,7 @@ index 7449974..6375786 100644 ') ######################################## -@@ -333,3 +378,25 @@ interface(`modutils_exec_update_mods',` +@@ -333,3 +414,25 @@ interface(`modutils_exec_update_mods',` corecmd_search_bin($1) can_exec($1, update_modules_exec_t) ') @@ -33204,7 +36823,7 @@ index 72c746e..f035d9f 100644 +/usr/sbin/umount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0) +/usr/sbin/umount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0) diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if -index 4584457..e432df3 100644 +index 4584457..8a190ae 100644 --- a/policy/modules/system/mount.if +++ b/policy/modules/system/mount.if @@ -16,6 +16,13 @@ interface(`mount_domtrans',` 
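Review bot: The parameter text on the two new interfaces was copied from neighbours and does not match what they grant: `modutils_signal_insmod` says `## Domain allowed to transition.` but only allows `insmod_t:process signal`, and `modutils_dontaudit_exec_insmod` says `## Domain allowed access.` for a `dontaudit` rule, where the file's convention is `## Domain to not audit.`. The summary `## Allow send signal to insmod.` could also read `## Send a signal to the insmod domain.` to match the imperative style of the surrounding interfaces.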
@@ -33221,7 +36840,7 @@ index 4584457..e432df3 100644 ') ######################################## -@@ -38,11 +45,122 @@ interface(`mount_domtrans',` +@@ -38,11 +45,140 @@ interface(`mount_domtrans',` # interface(`mount_run',` gen_require(` @@ -33326,6 +36945,24 @@ index 4584457..e432df3 100644 + files_search_pids($1) +') + ++####################################### ++## ++## Do not audit attemps to write mount PID files. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`mount_dontaudit_write_mount_pid',` ++ gen_require(` ++ type mount_var_run_t; ++ ') ++ ++ dontaudit $1 mount_var_run_t:file write; ++') ++ +######################################## +## +## Manage mount PID files. @@ -33346,7 +36983,7 @@ index 4584457..e432df3 100644 ') ######################################## -@@ -91,7 +209,7 @@ interface(`mount_signal',` +@@ -91,7 +227,7 @@ interface(`mount_signal',` ## ## ## @@ -33355,7 +36992,7 @@ index 4584457..e432df3 100644 ## ## # -@@ -131,45 +249,138 @@ interface(`mount_send_nfs_client_request',` +@@ -131,45 +267,138 @@ interface(`mount_send_nfs_client_request',` ######################################## ## @@ -35601,7 +39238,7 @@ index 346a7cc..42a48b6 100644 +/var/run/netns(/.*)? gen_context(system_u:object_r:ifconfig_var_run_t,s0) +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if -index 6944526..0bd8d93 100644 +index 6944526..821e74c 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',` @@ -35635,6 +39272,15 @@ index 6944526..0bd8d93 100644 ') ######################################## +@@ -212,7 +231,7 @@ interface(`sysnet_rw_dhcp_config',` + ') + + files_search_etc($1) +- allow $1 dhcp_etc_t:file rw_file_perms; ++ rw_files_pattern($1, dhcp_etc_t, dhcp_etc_t) + ') + + ######################################## 
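Review bot: The summary of `mount_dontaudit_write_mount_pid` has a typo, `attemps`; it should read `## Do not audit attempts to write mount PID files.`. The rule itself, `dontaudit $1 mount_var_run_t:file write;`, matches the summary once corrected.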
@@ -250,6 +269,7 @@ interface(`sysnet_read_dhcpc_state',` type dhcpc_state_t; ') @@ -35840,8 +39486,11 @@ index 6944526..0bd8d93 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -692,6 +842,8 @@ interface(`sysnet_dns_name_resolve',` +@@ -690,8 +840,11 @@ interface(`sysnet_dns_name_resolve',` + corenet_tcp_sendrecv_dns_port($1) + corenet_udp_sendrecv_dns_port($1) corenet_tcp_connect_dns_port($1) ++ corenet_tcp_connect_dnssec_port($1) corenet_sendrecv_dns_client_packets($1) + miscfiles_read_generic_certs($1) @@ -35849,7 +39498,7 @@ index 6944526..0bd8d93 100644 sysnet_read_config($1) optional_policy(` -@@ -720,8 +872,6 @@ interface(`sysnet_use_ldap',` +@@ -720,8 +873,6 @@ interface(`sysnet_use_ldap',` allow $1 self:tcp_socket create_socket_perms; @@ -35858,7 +39507,7 @@ index 6944526..0bd8d93 100644 corenet_tcp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) corenet_tcp_sendrecv_ldap_port($1) -@@ -733,6 +883,9 @@ interface(`sysnet_use_ldap',` +@@ -733,6 +884,9 @@ interface(`sysnet_use_ldap',` dev_read_urand($1) sysnet_read_config($1) @@ -35868,7 +39517,7 @@ index 6944526..0bd8d93 100644 ') ######################################## -@@ -754,7 +907,6 @@ interface(`sysnet_use_portmap',` +@@ -754,7 +908,6 @@ interface(`sysnet_use_portmap',` allow $1 self:udp_socket create_socket_perms; corenet_all_recvfrom_unlabeled($1) @@ -35876,7 +39525,7 @@ index 6944526..0bd8d93 100644 corenet_tcp_sendrecv_generic_if($1) corenet_udp_sendrecv_generic_if($1) corenet_tcp_sendrecv_generic_node($1) -@@ -766,3 +918,76 @@ interface(`sysnet_use_portmap',` +@@ -766,3 +919,114 @@ interface(`sysnet_use_portmap',` sysnet_read_config($1) ') 
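Review bot: `corenet_tcp_connect_dnssec_port($1)` is added inside `sysnet_dns_name_resolve`, an interface called by most networked domains, so every one of them gains TCP connect to the dnssec port rather than only the component that talks to a DNSSEC validator, and the hunk gives no reason. If the intent is to support a local validating resolver, a comment such as `# validating resolvers may be reached on the dnssec port — TODO name the consumer` above the line would document it, and a narrower interface for that one caller would limit the exposure. The body of `sysnet_dns_name_resolve` starts before this hunk.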
@@ -35953,8 +39602,46 @@ index 6944526..0bd8d93 100644 + files_etc_filetrans($1, net_conf_t, file, "yp.conf") + files_etc_filetrans($1, net_conf_t, file, "ntp.conf") +') ++ ++######################################## ++## ++## Transition to sysnet ifconfig named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sysnet_manage_ifconfig_run',` ++ gen_require(` ++ type ifconfig_var_run_t; ++ ') ++ ++ manage_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) ++ manage_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) ++ manage_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) ++') ++ ++######################################## ++## ++## Transition to sysnet ifconfig named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sysnet_filetrans_named_content_ifconfig',` ++ gen_require(` ++ type ifconfig_var_run_t; ++ ') ++ ++ files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns") ++') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index b7686d5..087fe08 100644 +index b7686d5..28f16ce 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6) @@ -36206,7 +39893,7 @@ index b7686d5..087fe08 100644 kernel_use_fds(ifconfig_t) kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) -@@ -274,14 +333,30 @@ kernel_rw_net_sysctls(ifconfig_t) +@@ -274,14 +333,31 @@ kernel_rw_net_sysctls(ifconfig_t) corenet_rw_tun_tap_dev(ifconfig_t) @@ -36230,6 +39917,7 @@ index b7686d5..087fe08 100644 +files_dontaudit_rw_inherited_locks(ifconfig_t) +files_dontaudit_read_root_files(ifconfig_t) +files_rw_inherited_tmp_file(ifconfig_t) ++files_dontaudit_rw_var_files(ifconfig_t) + files_read_etc_files(ifconfig_t) files_read_etc_runtime_files(ifconfig_t) 
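Review bot: `sysnet_manage_ifconfig_run` carries the summary `## Transition to sysnet ifconfig named content`, copied from the `sysnet_filetrans_named_content_ifconfig` interface that follows, while its body is three `manage_*_pattern` calls on `ifconfig_var_run_t`; it should read something like `## Manage ifconfig runtime (pid) files, dirs and symlinks.`. The manage interface also omits `files_search_pids($1)`, which the mount PID interfaces in this same patch include, so a caller that does not already search `/var/run` may still be denied the directory lookup.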
@@ -36237,7 +39925,7 @@ index b7686d5..087fe08 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -294,22 +369,22 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -294,22 +370,22 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -36265,7 +39953,7 @@ index b7686d5..087fe08 100644 userdom_use_all_users_fds(ifconfig_t) ifdef(`distro_ubuntu',` -@@ -318,7 +393,22 @@ ifdef(`distro_ubuntu',` +@@ -318,7 +394,22 @@ ifdef(`distro_ubuntu',` ') ') @@ -36288,7 +39976,7 @@ index b7686d5..087fe08 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -329,8 +419,11 @@ ifdef(`hide_broken_symptoms',` +@@ -329,8 +420,11 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -36302,7 +39990,7 @@ index b7686d5..087fe08 100644 ') optional_policy(` -@@ -339,7 +432,15 @@ optional_policy(` +@@ -339,7 +433,15 @@ optional_policy(` ') optional_policy(` @@ -36319,7 +40007,7 @@ index b7686d5..087fe08 100644 ') optional_policy(` -@@ -360,3 +461,13 @@ optional_policy(` +@@ -360,3 +462,13 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -36388,10 +40076,10 @@ index 0000000..e9f1096 +/var/run/initramfs(/.*)? <> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if new file mode 100644 -index 0000000..35b4178 +index 0000000..8bca1d7 --- /dev/null +++ b/policy/modules/system/systemd.if -@@ -0,0 +1,1400 @@ +@@ -0,0 +1,1440 @@ +## SELinux policy for systemd components + +###################################### 
@@ -37338,6 +41026,27 @@ index 0000000..35b4178 + allow $1 hostname_etc_t:file read_file_perms; +') + ++######################################## ++## ++## Allow process to manage hostname config file. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`systemd_hostnamed_manage_config',` ++ gen_require(` ++ type hostname_etc_t; ++ ') ++ ++ files_search_etc($1) ++ allow $1 hostname_etc_t:file manage_file_perms; ++ files_etc_filetrans($1, hostname_etc_t, file, "hostname") ++') ++ +####################################### +## +## Create objects in /run/systemd/generator directory @@ -37670,6 +41379,25 @@ index 0000000..35b4178 + allow $1 power_unit_file_t:service start; +') + ++######################################## ++## ++## Status power unit files domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`systemd_status_power_services',` ++ gen_require(` ++ type power_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 power_unit_file_t:service status; ++') ++ +####################################### +## +## Start power unit files domain. @@ -37794,10 +41522,10 @@ index 0000000..35b4178 +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te new file mode 100644 -index 0000000..f758960 +index 0000000..8c56513 --- /dev/null +++ b/policy/modules/system/systemd.te -@@ -0,0 +1,650 @@ +@@ -0,0 +1,635 @@ +policy_module(systemd, 1.0.0) + +####################################### @@ -37881,6 +41609,7 @@ index 0000000..f758960 + +# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER) +allow systemd_logind_t self:capability { chown kill dac_override fowner sys_tty_config }; ++allow systemd_logind_t self:capability2 block_suspend; +allow systemd_logind_t self:process getcap; +allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms; +allow systemd_logind_t self:unix_dgram_socket create_socket_perms; 
@@ -37908,6 +41637,7 @@ index 0000000..f758960 +dev_getattr_all_blk_files(systemd_logind_t) +dev_rw_sysfs(systemd_logind_t) +dev_rw_input_dev(systemd_logind_t) ++dev_rw_dri(systemd_logind_t) +dev_setattr_all_chr_files(systemd_logind_t) +dev_setattr_dri_dev(systemd_logind_t) +dev_setattr_generic_usb_dev(systemd_logind_t) @@ -37961,7 +41691,6 @@ index 0000000..f758960 +init_dbus_chat(systemd_logind_t) +init_dbus_chat_script(systemd_logind_t) +init_read_script_state(systemd_logind_t) -+init_read_state(systemd_logind_t) +init_rw_stream_sockets(systemd_logind_t) + +logging_send_syslog_msg(systemd_logind_t) @@ -38043,7 +41772,7 @@ index 0000000..f758960 +logging_send_syslog_msg(systemd_passwd_agent_t) + +userdom_use_user_ptys(systemd_passwd_agent_t) -+userdom_use_inherited_user_ttys(systemd_passwd_agent_t) ++userdom_use_user_ttys(systemd_passwd_agent_t) + +optional_policy(` + lvm_signull(systemd_passwd_agent_t) 
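Review bot: `userdom_use_user_ttys(systemd_passwd_agent_t)` replaces `userdom_use_inherited_user_ttys`, so the agent may now open user ttys itself instead of only using descriptors it inherited; that is a real widening and the hunk records no reason. If the agent has to open the tty to prompt for a passphrase, a one-line comment above the call saying so would justify the change for the next audit.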
@@ -38081,31 +41810,8 @@ index 0000000..f758960 +fs_relabel_tmpfs_dirs(systemd_tmpfiles_t) +fs_list_all(systemd_tmpfiles_t) + -+files_getattr_all_dirs(systemd_tmpfiles_t) -+files_getattr_all_files(systemd_tmpfiles_t) -+files_getattr_all_sockets(systemd_tmpfiles_t) -+files_getattr_all_symlinks(systemd_tmpfiles_t) -+files_relabel_all_lock_dirs(systemd_tmpfiles_t) -+files_relabel_all_lock_files(systemd_tmpfiles_t) -+files_relabel_all_pid_dirs(systemd_tmpfiles_t) -+files_relabel_all_pid_files(systemd_tmpfiles_t) -+files_relabel_all_spool_dirs(systemd_tmpfiles_t) -+files_manage_all_pids(systemd_tmpfiles_t) -+files_manage_all_pid_dirs(systemd_tmpfiles_t) -+files_manage_all_locks(systemd_tmpfiles_t) -+files_read_generic_tmp_symlinks(systemd_tmpfiles_t) -+files_setattr_all_tmp_dirs(systemd_tmpfiles_t) -+files_delete_boot_flag(systemd_tmpfiles_t) -+files_delete_all_non_security_files(systemd_tmpfiles_t) -+files_delete_all_pid_sockets(systemd_tmpfiles_t) -+files_delete_all_pid_pipes(systemd_tmpfiles_t) -+files_purge_tmp(systemd_tmpfiles_t) -+files_manage_generic_tmp_files(systemd_tmpfiles_t) -+files_manage_generic_tmp_dirs(systemd_tmpfiles_t) -+files_relabelfrom_tmp_dirs(systemd_tmpfiles_t) -+files_relabelfrom_tmp_files(systemd_tmpfiles_t) -+files_relabel_all_tmp_dirs(systemd_tmpfiles_t) -+files_relabel_all_tmp_files(systemd_tmpfiles_t) ++files_manage_non_auth_files(systemd_tmpfiles_t) ++files_relabel_non_auth_files(systemd_tmpfiles_t) +files_list_lost_found(systemd_tmpfiles_t) + +mls_file_read_all_levels(systemd_tmpfiles_t) @@ -38129,6 +41835,7 @@ index 0000000..f758960 +logging_create_devlog_dev(systemd_tmpfiles_t) +logging_send_syslog_msg(systemd_tmpfiles_t) +logging_setattr_all_log_dirs(systemd_tmpfiles_t) ++logging_relabel_all_log_dirs(systemd_tmpfiles_t) + +miscfiles_filetrans_named_content(systemd_tmpfiles_t) +miscfiles_manage_man_pages(systemd_tmpfiles_t) 
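Review bot: Replacing the 25 targeted grants with `files_manage_non_auth_files(systemd_tmpfiles_t)` and `files_relabel_non_auth_files(systemd_tmpfiles_t)` gives tmpfiles create/write/delete and, as the name suggests, relabelfrom/relabelto across every non-auth file type, where the removed list confined relabeling to lock, pid, spool and tmp objects. That is a large step up for a daemon that runs at every boot, and the hunk does not say which tmpfiles.d entry outside those directories made it necessary. A comment above the two lines naming that case would let the next maintainer judge whether the grant can be narrowed again.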
@@ -38308,7 +42015,6 @@ index 0000000..f758960 +dev_read_sysfs(systemd_hostnamed_t) + +init_status(systemd_hostnamed_t) -+init_read_state(systemd_hostnamed_t) +init_stream_connect(systemd_hostnamed_t) + +logging_send_syslog_msg(systemd_hostnamed_t) @@ -38407,7 +42113,7 @@ index 0000000..f758960 +# +# systemd_sysctl domains local policy +# -+allow systemd_sysctl_t self:capability net_admin; ++allow systemd_sysctl_t self:capability { sys_admin net_admin }; +allow systemd_sysctl_t self:unix_dgram_socket create_socket_perms; + +kernel_dgram_send(systemd_sysctl_t) @@ -38428,6 +42134,7 @@ index 0000000..f758960 +# Common rules for systemd domains +# +allow systemd_domain self:process { setfscreate signal_perms }; ++dontaudit systemd_domain self:capability net_admin; + +dev_read_urand(systemd_domain) + @@ -38436,6 +42143,11 @@ index 0000000..f758960 +files_read_usr_files(systemd_domain) + +init_search_pid_dirs(systemd_domain) ++init_start_transient_unit(systemd_domain) ++init_stop_transient_unit(systemd_domain) ++init_status_transient_unit(systemd_domain) ++init_reload_transient_unit(systemd_domain) ++init_read_state(systemd_domain) + +logging_stream_connect_syslog(systemd_domain) + @@ -38448,6 +42160,7 @@ index 0000000..f758960 + +read_files_pattern(systemd_domain, systemd_home_t, systemd_home_t) +read_lnk_files_pattern(systemd_domain, systemd_home_t, systemd_home_t) ++ diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc index 40928d8..49fd32e 100644 --- a/policy/modules/system/udev.fc @@ -38746,7 +42459,7 @@ index 0f64692..d7e8a01 100644 ######################################## diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index a5ec88b..de9d585 100644 +index a5ec88b..f10561b 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t) 
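Review bot: `allow systemd_sysctl_t self:capability { sys_admin net_admin };` adds `sys_admin`, the broadest Linux capability, to a helper whose job is writing sysctls, with no comment saying which write triggered the denial. Most sysctl writes are governed by permissions on the `/proc/sys` entries rather than a capability, so a comment such as `# sys_admin needed for <sysctl path — fill in>` above the rule, or a `dontaudit` if the capability is merely probed, would keep the grant reviewable.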
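Review bot: `init_start_transient_unit`, `init_stop_transient_unit`, `init_status_transient_unit` and `init_reload_transient_unit` are granted on the `systemd_domain` attribute, so every domain carrying it may start and stop transient units, although only a subset plausibly does. Granting these on the specific domain that needs them, or at least adding a comment above the four lines naming it, would keep the shared attribute from becoming the place where every helper's permissions accumulate.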
@@ -38937,7 +42650,7 @@ index a5ec88b..de9d585 100644 # for arping used for static IP addresses on PCMCIA ethernet netutils_domtrans(udev_t) -@@ -226,19 +248,34 @@ optional_policy(` +@@ -226,19 +248,38 @@ optional_policy(` optional_policy(` cups_domtrans_config(udev_t) @@ -38964,6 +42677,10 @@ index a5ec88b..de9d585 100644 + +optional_policy(` + gpsd_domtrans(udev_t) ++') ++ ++optional_policy(` ++ kdump_systemctl(udev_t) ') optional_policy(` @@ -38972,7 +42689,7 @@ index a5ec88b..de9d585 100644 ') optional_policy(` -@@ -264,6 +301,10 @@ optional_policy(` +@@ -264,6 +305,10 @@ optional_policy(` ') optional_policy(` @@ -38983,7 +42700,7 @@ index a5ec88b..de9d585 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -278,6 +319,15 @@ optional_policy(` +@@ -278,6 +323,15 @@ optional_policy(` ') optional_policy(` @@ -38999,7 +42716,7 @@ index a5ec88b..de9d585 100644 unconfined_signal(udev_t) ') -@@ -290,6 +340,7 @@ optional_policy(` +@@ -290,6 +344,7 @@ optional_policy(` kernel_read_xen_state(udev_t) xen_manage_log(udev_t) xen_read_image_files(udev_t) @@ -39804,10 +43521,10 @@ index 0280b32..61f19e9 100644 -') +attribute unconfined_services; diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc -index db75976..65191bd 100644 +index db75976..4ca3a28 100644 --- a/policy/modules/system/userdomain.fc +++ b/policy/modules/system/userdomain.fc -@@ -1,4 +1,21 @@ +@@ -1,4 +1,28 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) 
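Review bot: `kdump_systemctl(udev_t)` in the hunk at -38964 lets the udev daemon run systemctl against the kdump service, which is a service-control path reachable from a device-event handler, and the hunk gives no hint which rule exercises it. A comment naming the udev rule that restarts kdump (presumably on memory or CPU hotplug, to be confirmed) would make the grant auditable, e.g. `# udev rules shipped with kexec-tools restart kdump on hotplug events`. The enclosing optional_policy run continues outside the hunk.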
@@ -39828,10 +43545,17 @@ index db75976..65191bd 100644 +HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.gvfs/.* <> +HOME_DIR/\.debug(/.*)? <> ++HOME_DIR/\.texlive2012(/.*)? gen_context(system_u:object_r:texlive_home_t,s0) ++HOME_DIR/\.texlive2013(/.*)? gen_context(system_u:object_r:texlive_home_t,s0) ++HOME_DIR/\.texlive2014(/.*)? gen_context(system_u:object_r:texlive_home_t,s0) + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) ++ ++/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) ++/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0) ++ diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..2890de8 100644 +index 3c5dba7..333f640 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -40421,7 +44145,7 @@ index 3c5dba7..2890de8 100644 ') ') -@@ -491,7 +659,8 @@ template(`userdom_common_user_template',` +@@ -491,51 +659,63 @@ template(`userdom_common_user_template',` attribute unpriv_userdomain; ') @@ -40431,7 +44155,10 @@ index 3c5dba7..2890de8 100644 ############################## # -@@ -501,41 +670,51 @@ template(`userdom_common_user_template',` + # User domain Local policy + # ++ allow $1_t self:packet_socket create_socket_perms; + # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; 
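Review bot: The three `HOME_DIR/\.texlive201[234](/.*)?` entries hard-code release years, so each new TeX Live release needs another policy change; a single `HOME_DIR/\.texlive20[0-9][0-9](/.*)? gen_context(system_u:object_r:texlive_home_t,s0)` covers the present and future releases. The `/tmp/hsperfdata_root` and `/var/tmp/hsperfdata_root` entries label the root user's JVM perf-data directory as `user_tmp_t`, a type that unprivileged user domains manage; if the goal is only to avoid a default-type denial that is fine, but a comment saying so (or a dedicated type) would make clear that the label is not meant to isolate root's directory from user domains. The matching `userdom_filetrans_named_user_tmp_files` interface later in this patch transitions only the /tmp entry, so the /var/tmp entry appears to rely on restorecon alone — worth confirming.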
@@ -40506,7 +44233,7 @@ index 3c5dba7..2890de8 100644 # cjp: some of this probably can be removed selinux_get_fs_mount($1_t) -@@ -546,93 +725,120 @@ template(`userdom_common_user_template',` +@@ -546,93 +726,128 @@ template(`userdom_common_user_template',` selinux_compute_user_contexts($1_t) # for eject @@ -40601,6 +44328,10 @@ index 3c5dba7..2890de8 100644 + evolution_alarm_dbus_chat($1_usertype) + ') + ++ optional_policy(` ++ firewalld_dbus_chat($1_usertype) ++ ') ++ + optional_policy(` + gnome_dbus_chat_gconfdefault($1_usertype) + ') @@ -40615,6 +44346,10 @@ index 3c5dba7..2890de8 100644 + kde_dbus_chat_backlighthelper($1_usertype) ') ++ optional_policy(` ++ memcached_stream_connect($1_usertype) ++ ') ++ optional_policy(` - cups_dbus_chat_config($1_t) + modemmanager_dbus_chat($1_usertype) @@ -40665,7 +44400,7 @@ index 3c5dba7..2890de8 100644 ') optional_policy(` -@@ -642,23 +848,21 @@ template(`userdom_common_user_template',` +@@ -642,23 +857,21 @@ template(`userdom_common_user_template',` optional_policy(` mpd_manage_user_data_content($1_t) mpd_relabel_user_data_content($1_t) @@ -40694,7 +44429,7 @@ index 3c5dba7..2890de8 100644 mysql_stream_connect($1_t) ') ') -@@ -671,7 +875,7 @@ template(`userdom_common_user_template',` +@@ -671,7 +884,7 @@ template(`userdom_common_user_template',` optional_policy(` # to allow monitoring of pcmcia status @@ -40703,7 +44438,7 @@ index 3c5dba7..2890de8 100644 ') optional_policy(` -@@ -680,9 +884,9 @@ template(`userdom_common_user_template',` +@@ -680,9 +893,9 @@ template(`userdom_common_user_template',` ') optional_policy(` @@ -40716,7 +44451,7 @@ index 3c5dba7..2890de8 100644 ') ') -@@ -693,32 +897,35 @@ template(`userdom_common_user_template',` +@@ -693,32 +906,35 @@ template(`userdom_common_user_template',` ') optional_policy(` 
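Review bot: `allow $1_t self:packet_socket create_socket_perms;` in the hunk at -40421 is added unconditionally to userdom_common_user_template, so every confined user domain built from it may create AF_PACKET sockets at the policy level; the kernel still demands CAP_NET_RAW, which confined users normally lack, so the practical effect is probably denial-noise removal, but that is inferred rather than shown. Packet sockets are a raw-frame interface rather than an everyday user need, so the rule should either carry a comment naming the application that opens them, e.g. `# <tool> opens packet sockets; see <bug id>`, or sit behind a tunable. The enclosing template starts and ends outside the hunk.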
@@ -40726,27 +44461,31 @@ index 3c5dba7..2890de8 100644 + + optional_policy(` + rpc_dontaudit_getattr_exports($1_usertype) ++ ') ++ ++ optional_policy(` ++ rpcbind_stream_connect($1_usertype) ') optional_policy(` - rpc_dontaudit_getattr_exports($1_t) - rpc_manage_nfs_rw_content($1_t) -+ rpcbind_stream_connect($1_usertype) ++ samba_stream_connect_winbind($1_usertype) ') optional_policy(` - samba_stream_connect_winbind($1_t) -+ samba_stream_connect_winbind($1_usertype) ++ sandbox_transition($1_usertype, $1_r) ') optional_policy(` - slrnpull_search_spool($1_t) -+ sandbox_transition($1_usertype, $1_r) ++ seunshare_role_template($1, $1_r, $1_t) ') optional_policy(` - usernetctl_run($1_t, $1_r) -+ seunshare_role_template($1, $1_r, $1_t) ++ slrnpull_search_spool($1_usertype) ') optional_policy(` @@ -40755,15 +44494,11 @@ index 3c5dba7..2890de8 100644 - virt_home_filetrans_virt_content($1_t, dir, "isos") - virt_home_filetrans_svirt_home($1_t, dir, "qemu") - virt_home_filetrans_virt_home($1_t, dir, "VirtualMachines") -+ slrnpull_search_spool($1_usertype) -+ ') -+ -+ optional_policy(` + thumb_role($1_r, $1_usertype) ') ') -@@ -743,17 +950,33 @@ template(`userdom_common_user_template',` +@@ -743,17 +959,33 @@ template(`userdom_common_user_template',` template(`userdom_login_user_template', ` gen_require(` class context contains; @@ -40780,9 +44515,7 @@ index 3c5dba7..2890de8 100644 - userdom_manage_tmpfs_role($1_r, $1_t) + userdom_manage_tmp_role($1_r, $1_usertype) + userdom_manage_tmpfs_role($1_r, $1_usertype) - -- userdom_exec_user_tmp_files($1_t) -- userdom_exec_user_home_content_files($1_t) ++ + ifelse(`$1',`unconfined',`',` + gen_tunable($1_exec_content, true) + 
@@ -40793,7 +44526,9 @@ index 3c5dba7..2890de8 100644 + tunable_policy(`$1_exec_content && use_nfs_home_dirs',` + fs_exec_nfs_files($1_usertype) + ') -+ + +- userdom_exec_user_tmp_files($1_t) +- userdom_exec_user_home_content_files($1_t) + tunable_policy(`$1_exec_content && use_samba_home_dirs',` + fs_exec_cifs_files($1_usertype) + ') @@ -40801,7 +44536,7 @@ index 3c5dba7..2890de8 100644 userdom_change_password_template($1) -@@ -761,82 +984,101 @@ template(`userdom_login_user_template', ` +@@ -761,83 +993,107 @@ template(`userdom_login_user_template', ` # # User domain Local policy # @@ -40895,8 +44630,7 @@ index 3c5dba7..2890de8 100644 + seutil_read_file_contexts($1_usertype) + seutil_read_default_contexts($1_usertype) + seutil_exec_setfiles($1_usertype) - -- seutil_read_config($1_t) ++ + optional_policy(` + cups_read_config($1_usertype) + cups_stream_connect($1_usertype) 
@@ -40908,38 +44642,45 @@ index 3c5dba7..2890de8 100644 + init_write_key($1_usertype) + ') +- seutil_read_config($1_t) ++ optional_policy(` ++ mysql_filetrans_named_content($1_usertype) ++ ') + optional_policy(` - cups_read_config($1_t) - cups_stream_connect($1_t) - cups_stream_connect_ptal($1_t) -+ mysql_filetrans_named_content($1_usertype) ++ mta_dontaudit_read_spool_symlinks($1_usertype) ') optional_policy(` - kerberos_use($1_t) -+ mta_dontaudit_read_spool_symlinks($1_usertype) ++ quota_dontaudit_getattr_db($1_usertype) ') optional_policy(` - mta_dontaudit_read_spool_symlinks($1_t) -+ quota_dontaudit_getattr_db($1_usertype) ++ rpm_read_db($1_usertype) ++ rpm_dontaudit_manage_db($1_usertype) ++ rpm_read_cache($1_usertype) ') optional_policy(` - quota_dontaudit_getattr_db($1_t) -+ rpm_read_db($1_usertype) -+ rpm_dontaudit_manage_db($1_usertype) -+ rpm_read_cache($1_usertype) ++ oddjob_run_mkhomedir($1_t, $1_r) ') optional_policy(` - rpm_read_db($1_t) - rpm_dontaudit_manage_db($1_t) -+ oddjob_run_mkhomedir($1_t, $1_r) ++ wine_filetrans_named_content($1_usertype) ') ++ ') -@@ -868,6 +1110,12 @@ template(`userdom_restricted_user_template',` + ####################################### +@@ -868,6 +1124,12 @@ template(`userdom_restricted_user_template',` typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) @@ -40952,7 +44693,7 @@ index 3c5dba7..2890de8 100644 ############################## # # Local policy -@@ -907,42 +1155,99 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -907,42 +1169,99 @@ template(`userdom_restricted_xwindows_user_template',` # # Local policy # 
@@ -41041,57 +44782,60 @@ index 3c5dba7..2890de8 100644 + consolekit_dontaudit_read_log($1_usertype) + consolekit_dbus_chat($1_usertype) + ') -+ -+ optional_policy(` -+ cups_dbus_chat($1_usertype) -+ cups_dbus_chat_config($1_usertype) -+ ') optional_policy(` - consolekit_dbus_chat($1_t) -+ devicekit_dbus_chat($1_usertype) -+ devicekit_dbus_chat_disk($1_usertype) -+ devicekit_dbus_chat_power($1_usertype) ++ cups_dbus_chat($1_usertype) ++ cups_dbus_chat_config($1_usertype) ') optional_policy(` - cups_dbus_chat($1_t) -+ fprintd_dbus_chat($1_t) ++ devicekit_dbus_chat($1_usertype) ++ devicekit_dbus_chat_disk($1_usertype) ++ devicekit_dbus_chat_power($1_usertype) ') optional_policy(` - gnome_role_template($1, $1_r, $1_t) ++ fprintd_dbus_chat($1_t) ++ ') ++ ++ optional_policy(` + realmd_dbus_chat($1_t) ') optional_policy(` -@@ -951,15 +1256,36 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -951,17 +1270,38 @@ template(`userdom_restricted_xwindows_user_template',` ') optional_policy(` - java_role($1_r, $1_t) + policykit_role($1_r, $1_usertype) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- setroubleshoot_dontaudit_stream_connect($1_t) + pulseaudio_role($1_r, $1_usertype) + pulseaudio_filetrans_admin_home_content($1_usertype) -+ ') -+ + ') +-') + +-####################################### +-## +-## The template for creating a unprivileged user roughly + optional_policy(` + rtkit_scheduled($1_usertype) + ') + + optional_policy(` + systemd_filetrans_home_content($1_usertype) - ') - - optional_policy(` - setroubleshoot_dontaudit_stream_connect($1_t) - ') --') - --####################################### ++ ') ++ ++ optional_policy(` ++ setroubleshoot_dontaudit_stream_connect($1_t) ++ ') ++ + optional_policy(` + udev_read_db($1_usertype) + ') 
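Review bot: Within the reordered dbus blocks in the hunk at -41041, `fprintd_dbus_chat($1_t)`, `realmd_dbus_chat($1_t)` and `setroubleshoot_dontaudit_stream_connect($1_t)` take `$1_t` while every neighbouring call takes `$1_usertype`, so these three do not cover the other types in the user's attribute. If that is intentional (for example because only the login shell should reach these daemons), a one-line comment above each would stop the next cleanup from "fixing" it; if not, they should take `$1_usertype` like their neighbours. The enclosing template begins and ends outside the hunk.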
@@ -41102,10 +44846,12 @@ index 3c5dba7..2890de8 100644 +') + +####################################### - ## - ## The template for creating a unprivileged user roughly ++## ++## The template for creating a unprivileged user roughly ## equivalent to a regular linux user. -@@ -990,27 +1316,33 @@ template(`userdom_unpriv_user_template', ` + ## + ## +@@ -990,27 +1330,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -41143,7 +44889,7 @@ index 3c5dba7..2890de8 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1021,23 +1353,60 @@ template(`userdom_unpriv_user_template', ` +@@ -1021,23 +1367,60 @@ template(`userdom_unpriv_user_template', ` ') ') @@ -41195,26 +44941,26 @@ index 3c5dba7..2890de8 100644 + + optional_policy(` + gpm_stream_connect($1_usertype) -+ ') -+ -+ optional_policy(` + ') + + optional_policy(` +- netutils_run_ping_cond($1_t, $1_r) +- netutils_run_traceroute_cond($1_t, $1_r) + mount_run_fusermount($1_t, $1_r) + mount_read_pid_files($1_t) + ') + + optional_policy(` + wine_role_template($1, $1_r, $1_t) - ') - - optional_policy(` -- netutils_run_ping_cond($1_t, $1_r) -- netutils_run_traceroute_cond($1_t, $1_r) ++ ') ++ ++ optional_policy(` + postfix_run_postdrop($1_t, $1_r) + postfix_search_spool($1_t) ') # Run pppd in pppd_t by default for user -@@ -1046,7 +1415,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1046,7 +1429,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -41225,7 +44971,7 @@ index 3c5dba7..2890de8 100644 ') ') -@@ -1082,7 +1453,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1082,7 +1467,9 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; 
@@ -41236,7 +44982,7 @@ index 3c5dba7..2890de8 100644 ') ############################## -@@ -1098,6 +1471,7 @@ template(`userdom_admin_user_template',` +@@ -1098,6 +1485,7 @@ template(`userdom_admin_user_template',` role system_r types $1_t; typeattribute $1_t admindomain; @@ -41244,25 +44990,24 @@ index 3c5dba7..2890de8 100644 ifdef(`direct_sysadm_daemon',` domain_system_change_exemption($1_t) -@@ -1109,6 +1483,7 @@ template(`userdom_admin_user_template',` +@@ -1108,14 +1496,8 @@ template(`userdom_admin_user_template',` + # $1_t local policy # - allow $1_t self:capability ~{ sys_module audit_control audit_write }; -+ allow $1_t self:capability2 { block_suspend syslog }; - allow $1_t self:process { setexec setfscreate }; - allow $1_t self:netlink_audit_socket nlmsg_readpriv; - allow $1_t self:tun_socket create; -@@ -1117,6 +1492,9 @@ template(`userdom_admin_user_template',` - # Skip authentication when pam_rootok is specified. - allow $1_t self:passwd rootok; - +- allow $1_t self:capability ~{ sys_module audit_control audit_write }; +- allow $1_t self:process { setexec setfscreate }; +- allow $1_t self:netlink_audit_socket nlmsg_readpriv; +- allow $1_t self:tun_socket create; +- # Set password information for other users. +- allow $1_t self:passwd { passwd chfn chsh }; +- # Skip authentication when pam_rootok is specified. +- allow $1_t self:passwd rootok; + # Manipulate other users crontab. + allow $1_t self:passwd crontab; -+ + kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) - kernel_getattr_message_if($1_t) -@@ -1131,6 +1509,7 @@ template(`userdom_admin_user_template',` +@@ -1131,6 +1513,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) 
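Review bot: The hunk at -41244 turns the patch into a deletion of `allow $1_t self:capability ~{ sys_module audit_control audit_write };`, the `setexec setfscreate`, `nlmsg_readpriv`, `tun_socket create` and both `self:passwd` rules from userdom_admin_user_template, and also drops the previously added `self:capability2 { block_suspend syslog }` line, leaving only `allow $1_t self:passwd crontab;` in their place. Nothing in the hunk shows where admin roles now get those permissions; if they moved to a rule on the admindomain attribute elsewhere in the patch that is fine, but otherwise sysadm-style roles silently lose them, including `self:passwd rootok`. A comment at the insertion point such as `# capability, process and passwd rules for admin roles are granted via the admindomain attribute` (if that is the case) would make the move verifiable from the template alone.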
@@ -41270,7 +45015,7 @@ index 3c5dba7..2890de8 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1148,10 +1527,14 @@ template(`userdom_admin_user_template',` +@@ -1148,10 +1531,14 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -41285,7 +45030,7 @@ index 3c5dba7..2890de8 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1162,29 +1545,38 @@ template(`userdom_admin_user_template',` +@@ -1162,29 +1549,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -41328,7 +45073,7 @@ index 3c5dba7..2890de8 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1194,6 +1586,8 @@ template(`userdom_admin_user_template',` +@@ -1194,6 +1590,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -41337,7 +45082,7 @@ index 3c5dba7..2890de8 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1201,13 +1595,17 @@ template(`userdom_admin_user_template',` +@@ -1201,13 +1599,17 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) @@ -41356,7 +45101,7 @@ index 3c5dba7..2890de8 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1243,7 +1641,7 @@ template(`userdom_admin_user_template',` +@@ -1243,7 +1645,7 @@ template(`userdom_admin_user_template',` ## ## # 
@@ -41365,7 +45110,7 @@ index 3c5dba7..2890de8 100644 allow $1 self:capability { dac_read_search dac_override }; corecmd_exec_shell($1) -@@ -1253,6 +1651,8 @@ template(`userdom_security_admin_template',` +@@ -1253,6 +1655,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -41374,7 +45119,7 @@ index 3c5dba7..2890de8 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1265,8 +1665,10 @@ template(`userdom_security_admin_template',` +@@ -1265,8 +1669,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -41386,7 +45131,7 @@ index 3c5dba7..2890de8 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1277,29 +1679,31 @@ template(`userdom_security_admin_template',` +@@ -1277,29 +1683,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -41429,7 +45174,7 @@ index 3c5dba7..2890de8 100644 ') optional_policy(` -@@ -1360,14 +1764,17 @@ interface(`userdom_user_home_content',` +@@ -1360,14 +1768,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -41448,7 +45193,7 @@ index 3c5dba7..2890de8 100644 ') ######################################## -@@ -1408,6 +1815,51 @@ interface(`userdom_user_tmpfs_file',` +@@ -1408,6 +1819,51 @@ interface(`userdom_user_tmpfs_file',` ## ## Allow domain to attach to TUN devices created by administrative users. ## @@ -41500,7 +45245,7 @@ index 3c5dba7..2890de8 100644 ## ## ## Domain allowed access. -@@ -1512,11 +1964,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1512,11 +1968,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; 
@@ -41532,7 +45277,7 @@ index 3c5dba7..2890de8 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1558,6 +2030,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1558,6 +2034,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -41547,7 +45292,7 @@ index 3c5dba7..2890de8 100644 ') ######################################## -@@ -1573,9 +2053,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1573,9 +2057,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -41559,7 +45304,7 @@ index 3c5dba7..2890de8 100644 ') ######################################## -@@ -1632,6 +2114,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1632,6 +2118,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -41602,7 +45347,7 @@ index 3c5dba7..2890de8 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1711,6 +2229,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1711,6 +2233,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -41611,7 +45356,7 @@ index 3c5dba7..2890de8 100644 ') ######################################## -@@ -1744,10 +2264,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1744,10 +2268,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -41626,7 +45371,7 @@ index 3c5dba7..2890de8 100644 ') ######################################## -@@ -1772,7 +2294,25 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1772,7 +2298,25 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## 
@@ -41653,7 +45398,7 @@ index 3c5dba7..2890de8 100644 ## ## ## -@@ -1782,53 +2322,70 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1782,53 +2326,70 @@ interface(`userdom_manage_user_home_content_dirs',` # interface(`userdom_delete_all_user_home_content_dirs',` gen_require(` @@ -41736,7 +45481,7 @@ index 3c5dba7..2890de8 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1848,6 +2405,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1848,6 +2409,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -41762,7 +45507,7 @@ index 3c5dba7..2890de8 100644 ## Mmap user home files. ## ## -@@ -1878,14 +2454,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1878,14 +2458,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -41800,7 +45545,7 @@ index 3c5dba7..2890de8 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1896,11 +2494,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1896,11 +2498,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -41818,7 +45563,7 @@ index 3c5dba7..2890de8 100644 ') ######################################## -@@ -1941,7 +2542,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1941,7 +2546,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## @@ -41827,7 +45572,7 @@ index 3c5dba7..2890de8 100644 ## ## ## -@@ -1949,19 +2550,17 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1949,19 +2554,17 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ## ## # 
@@ -41851,7 +45596,7 @@ index 3c5dba7..2890de8 100644 ## ## ## -@@ -1969,35 +2568,35 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1969,21 +2572,75 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # 
@@ -41875,91 +45620,38 @@ index 3c5dba7..2890de8 100644 ## -## Domain to not audit. +## Domain allowed access. - ## - ## - # --interface(`userdom_dontaudit_relabel_user_home_content_files',` ++## ++## ++# +interface(`userdom_delete_user_home_content_sock_files',` - gen_require(` - type user_home_t; - ') - -- dontaudit $1 user_home_t:file relabel_file_perms; ++ gen_require(` ++ type user_home_t; ++ ') ++ + allow $1 user_home_t:sock_file delete_file_perms; - ') - - ######################################## - ## --## Read user home subdirectory symbolic links. -+## Delete all sock files in a user home subdirectory. - ## - ## - ## -@@ -2005,45 +2604,92 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',` - ## - ## - # --interface(`userdom_read_user_home_content_symlinks',` -+interface(`userdom_delete_all_user_home_content_sock_files',` - gen_require(` -- type user_home_dir_t, user_home_t; -+ attribute user_home_type; - ') - -- read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) -- files_search_home($1) -+ allow $1 user_home_type:sock_file delete_file_perms; - ') - - ######################################## - ## --## Execute user home files. -+## Delete all files in a user home subdirectory. - ## - ## - ## - ## Domain allowed access. - ## - ## --## - # --interface(`userdom_exec_user_home_content_files',` -+interface(`userdom_delete_all_user_home_content',` - gen_require(` -- type user_home_dir_t, user_home_t; -+ attribute user_home_type; - ') - -- files_search_home($1) -- exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) -+ allow $1 user_home_type:dir_file_class_set delete_file_perms; +') - -- tunable_policy(`use_nfs_home_dirs',` -- fs_exec_nfs_files($1) ++ +######################################## +## -+## Do not audit attempts to write user home files. ++## Delete all sock files in a user home subdirectory. +## +## +## -+## Domain to not audit. ++## Domain allowed access. 
+## +## +# -+interface(`userdom_dontaudit_relabel_user_home_content_files',` ++interface(`userdom_delete_all_user_home_content_sock_files',` + gen_require(` -+ type user_home_t; - ') - -- tunable_policy(`use_samba_home_dirs',` -- fs_exec_cifs_files($1) -+ dontaudit $1 user_home_t:file relabel_file_perms; ++ attribute user_home_type; ++ ') ++ ++ allow $1 user_home_type:sock_file delete_file_perms; +') + +######################################## +## -+## Read user home subdirectory symbolic links. ++## Delete all files in a user home subdirectory. +## +## +## 
@@ -41967,42 +45659,60 @@ index 3c5dba7..2890de8 100644 +## +## +# -+interface(`userdom_read_user_home_content_symlinks',` ++interface(`userdom_delete_all_user_home_content',` + gen_require(` -+ type user_home_dir_t, user_home_t; - ') ++ attribute user_home_type; ++ ') ++ ++ allow $1 user_home_type:dir_file_class_set delete_file_perms; ++') + ++######################################## ++## ++## Do not audit attempts to write user home files. ++## ++## ++## ++## Domain to not audit. + ## + ## + # +@@ -2010,8 +2667,7 @@ interface(`userdom_read_user_home_content_symlinks',` + type user_home_dir_t, user_home_t; + ') + +- read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) +- files_search_home($1) + allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms; ') ######################################## - ## -+## Execute user home files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+## -+# -+interface(`userdom_exec_user_home_content_files',` -+ gen_require(` +@@ -2027,20 +2683,14 @@ interface(`userdom_read_user_home_content_symlinks',` + # + interface(`userdom_exec_user_home_content_files',` + gen_require(` +- type user_home_dir_t, user_home_t; + type user_home_dir_t; + attribute user_home_type; -+ ') -+ -+ files_search_home($1) + ') + + files_search_home($1) +- exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) +- +- tunable_policy(`use_nfs_home_dirs',` +- fs_exec_nfs_files($1) +- ') +- +- tunable_policy(`use_samba_home_dirs',` +- fs_exec_cifs_files($1) + exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + dontaudit $1 user_home_type:sock_file execute; -+ ') -+ -+######################################## -+## - ## Do not audit attempts to execute user home files. 
- ## - ## -@@ -2123,7 +2769,7 @@ interface(`userdom_manage_user_home_content_symlinks',` + ') +-') + + ######################################## + ## +@@ -2123,7 +2773,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -42011,7 +45721,7 @@ index 3c5dba7..2890de8 100644 ## ## ## -@@ -2131,19 +2777,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2131,19 +2781,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # @@ -42035,7 +45745,7 @@ index 3c5dba7..2890de8 100644 ## ## ## -@@ -2151,12 +2795,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2151,12 +2799,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -42051,7 +45761,7 @@ index 3c5dba7..2890de8 100644 ') ######################################## -@@ -2393,11 +3037,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2393,11 +3041,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` @@ -42066,7 +45776,7 @@ index 3c5dba7..2890de8 100644 files_search_tmp($1) ') -@@ -2417,7 +3061,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2417,7 +3065,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') 
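Review bot: In the hunk at -41967, `userdom_exec_user_home_content_files` moves from `exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)` to `exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)`, which makes every type carrying the user_home_type attribute (presumably including the home_cert_t and texlive_home_t types labelled earlier in this patch — confirm) executable by any caller of the interface, not only generic user_home_t. The login template now gates execution with the new `$1_exec_content` tunable, but modules that call this interface directly get the wider grant without that gate. If the broadening is deliberate the interface summary should say so, e.g. `## Execute all user home content types (user_home_type), not only user_home_t.`, and the new `dontaudit $1 user_home_type:sock_file execute;` line deserves a word on which application attempts it. In the same hunk `userdom_read_user_home_content_symlinks` drops `files_search_home($1)` and the dir search that `read_lnk_files_pattern` carried, so callers that relied on it for traversal may now need a separate search interface.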
@@ -42075,7 +45785,34 @@ index 3c5dba7..2890de8 100644 ') ######################################## -@@ -2664,6 +3308,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2541,6 +3189,26 @@ interface(`userdom_manage_user_tmp_files',` + ######################################## + ## + ## Create, read, write, and delete user ++## temporary files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_filetrans_named_user_tmp_files',` ++ gen_require(` ++ type user_tmp_t; ++ ') ++ ++ files_tmp_filetrans($1, user_tmp_t, dir, "hsperfdata_root") ++ files_search_tmp($1) ++') ++ ++######################################## ++## ++## Create, read, write, and delete user + ## temporary symbolic links. + ## + ## +@@ -2664,6 +3332,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -42101,7 +45838,7 @@ index 3c5dba7..2890de8 100644 ######################################## ## ## Read user tmpfs files. -@@ -2680,13 +3343,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2680,13 +3367,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -42117,7 +45854,7 @@ index 3c5dba7..2890de8 100644 ## ## ## -@@ -2707,7 +3371,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2707,7 +3395,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -42126,7 +45863,7 @@ index 3c5dba7..2890de8 100644 ## ## ## -@@ -2715,14 +3379,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2715,14 +3403,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # @@ -42161,7 +45898,7 @@ index 3c5dba7..2890de8 100644 ') ######################################## -@@ -2817,6 +3497,24 @@ interface(`userdom_use_user_ttys',` +@@ -2817,6 +3521,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## 
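Review bot: The summary of the new `userdom_filetrans_named_user_tmp_files` interface in the hunk at -42075 is copied from the neighbouring interface and reads `Create, read, write, and delete user temporary files`, but the body only performs `files_tmp_filetrans($1, user_tmp_t, dir, "hsperfdata_root")` plus `files_search_tmp($1)`. Replace the summary with something like `## Transition the hsperfdata_root directory created in /tmp to user_tmp_t.` so callers do not expect manage permissions. Because the name is hard-coded and only the tmp transition is issued, the `/var/tmp/hsperfdata_root` entry added to userdomain.fc in this patch gets no transition from this interface — confirm that is intended.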
@@ -42186,7 +45923,7 @@ index 3c5dba7..2890de8 100644 ## Read and write a user domain pty. ## ## -@@ -2835,22 +3533,34 @@ interface(`userdom_use_user_ptys',` +@@ -2835,22 +3557,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -42229,7 +45966,7 @@ index 3c5dba7..2890de8 100644 ## ## ## -@@ -2859,14 +3569,33 @@ interface(`userdom_use_user_ptys',` +@@ -2859,14 +3593,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -42267,7 +46004,7 @@ index 3c5dba7..2890de8 100644 ') ######################################## -@@ -2885,8 +3614,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2885,8 +3638,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -42297,7 +46034,7 @@ index 3c5dba7..2890de8 100644 ') ######################################## -@@ -2958,69 +3706,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2958,69 +3730,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -42398,7 +46135,7 @@ index 3c5dba7..2890de8 100644 ## ## ## -@@ -3028,12 +3775,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3028,12 +3799,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -42413,7 +46150,7 @@ index 3c5dba7..2890de8 100644 ') ######################################## -@@ -3097,7 +3844,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3097,7 +3868,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -42422,7 +46159,7 @@ index 3c5dba7..2890de8 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3113,29 +3860,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3113,29 +3884,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` 
@@ -42456,7 +46193,7 @@ index 3c5dba7..2890de8 100644 ') ######################################## -@@ -3217,7 +3948,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3217,7 +3972,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') 
@@ -42483,107 +46220,37 @@ index 3c5dba7..2890de8 100644 ') ######################################## -@@ -3272,12 +4021,13 @@ interface(`userdom_write_user_tmp_files',` +@@ -3272,7 +4045,83 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') - allow $1 user_tmp_t:file write_file_perms; + write_files_pattern($1, user_tmp_t, user_tmp_t) - ') - - ######################################## - ## --## Do not audit attempts to use user ttys. -+## Do not audit attempts to write users -+## temporary files. - ## - ## - ## -@@ -3285,46 +4035,122 @@ interface(`userdom_write_user_tmp_files',` - ## - ## - # --interface(`userdom_dontaudit_use_user_ttys',` -+interface(`userdom_dontaudit_write_user_tmp_files',` - gen_require(` -- type user_tty_device_t; -+ type user_tmp_t; - ') - -- dontaudit $1 user_tty_device_t:chr_file rw_file_perms; -+ dontaudit $1 user_tmp_t:file write; - ') - - ######################################## - ## --## Read the process state of all user domains. -+## Do not audit attempts to delete users -+## temporary files. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`userdom_read_all_users_state',` -+interface(`userdom_dontaudit_delete_user_tmp_files',` - gen_require(` -- attribute userdomain; -+ type user_tmp_t; - ') - -- read_files_pattern($1, userdomain, userdomain) -- kernel_search_proc($1) -+ dontaudit $1 user_tmp_t:file delete_file_perms; - ') - - ######################################## - ## --## Get the attributes of all user domains. -+## Do not audit attempts to read/write users -+## temporary fifo files. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. 
- ## - ## - # --interface(`userdom_getattr_all_users',` -+interface(`userdom_dontaudit_rw_user_tmp_pipes',` - gen_require(` -- attribute userdomain; -+ type user_tmp_t; -+ ') -+ -+ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## +## -+## Allow domain to read/write inherited users -+## fifo files. ++## Do not audit attempts to write users ++## temporary files. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`userdom_rw_inherited_user_pipes',` ++interface(`userdom_dontaudit_write_user_tmp_files',` + gen_require(` -+ attribute userdomain; ++ type user_tmp_t; + ') + -+ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms; ++ dontaudit $1 user_tmp_t:file write; +') + +######################################## +## -+## Do not audit attempts to use user ttys. ++## Do not audit attempts to delete users ++## temporary files. +## +## +## 
@@ -42591,37 +46258,37 @@ index 3c5dba7..2890de8 100644 +## +## +# -+interface(`userdom_dontaudit_use_user_ttys',` ++interface(`userdom_dontaudit_delete_user_tmp_files',` + gen_require(` -+ type user_tty_device_t; ++ type user_tmp_t; + ') + -+ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms; ++ dontaudit $1 user_tmp_t:file delete_file_perms; +') + +######################################## +## -+## Read the process state of all user domains. ++## Do not audit attempts to read/write users ++## temporary fifo files. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`userdom_read_all_users_state',` ++interface(`userdom_dontaudit_rw_user_tmp_pipes',` + gen_require(` -+ attribute userdomain; ++ type user_tmp_t; + ') + -+ read_files_pattern($1, userdomain, userdomain) -+ read_lnk_files_pattern($1,userdomain,userdomain) -+ kernel_search_proc($1) ++ dontaudit $1 user_tmp_t:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## +## -+## Get the attributes of all user domains. ++## Allow domain to read/write inherited users ++## fifo files. +## +## +## 
@@ -42629,13 +46296,33 @@ index 3c5dba7..2890de8 100644 +## +## +# -+interface(`userdom_getattr_all_users',` ++interface(`userdom_rw_inherited_user_pipes',` + gen_require(` + attribute userdomain; ++ ') ++ ++ allow $1 userdomain:fifo_file rw_inherited_fifo_file_perms; + ') + + ######################################## +@@ -3290,7 +4139,7 @@ interface(`userdom_dontaudit_use_user_ttys',` + type user_tty_device_t; ') - allow $1 userdomain:process getattr; -@@ -3385,6 +4211,42 @@ interface(`userdom_signal_all_users',` +- dontaudit $1 user_tty_device_t:chr_file rw_file_perms; ++ dontaudit $1 user_tty_device_t:chr_file rw_inherited_file_perms; + ') + + ######################################## +@@ -3309,6 +4158,7 @@ interface(`userdom_read_all_users_state',` + ') + + read_files_pattern($1, userdomain, userdomain) ++ read_lnk_files_pattern($1,userdomain,userdomain) + kernel_search_proc($1) + ') + +@@ -3385,6 +4235,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -42678,7 +46365,7 @@ index 3c5dba7..2890de8 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3405,6 +4267,24 @@ interface(`userdom_sigchld_all_users',` +@@ -3405,6 +4291,24 @@ interface(`userdom_sigchld_all_users',` ######################################## ## 
@@ -42703,7 +46390,32 @@ index 3c5dba7..2890de8 100644 ## Create keys for all user domains. ## ## -@@ -3438,4 +4318,1630 @@ interface(`userdom_dbus_send_all_users',` +@@ -3423,6 +4327,24 @@ interface(`userdom_create_all_users_keys',` + + ######################################## + ## ++## Manage keys for all user domains. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`userdom_manage_all_users_keys',` ++ gen_require(` ++ attribute userdomain; ++ ') ++ ++ allow $1 userdomain:key manage_key_perms; ++') ++ ++######################################## ++## + ## Send a dbus message to all user domains. + ## + ## +@@ -3438,4 +4360,1661 @@ interface(`userdom_dbus_send_all_users',` ') allow $1 userdomain:dbus send_msg; @@ -42832,6 +46544,7 @@ index 3c5dba7..2890de8 100644 + type admin_home_t; + ') + ++ dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms; + dontaudit $1 admin_home_t:dir search_dir_perms; +') + @@ -42850,6 +46563,7 @@ index 3c5dba7..2890de8 100644 + type admin_home_t; + ') + ++ dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms; + dontaudit $1 admin_home_t:dir list_dir_perms; +') + @@ -42868,6 +46582,7 @@ index 3c5dba7..2890de8 100644 + type admin_home_t; + ') + ++ allow $1 admin_home_t:lnk_file read_lnk_file_perms; + allow $1 admin_home_t:dir list_dir_perms; +') + @@ -42886,8 +46601,9 @@ index 3c5dba7..2890de8 100644 + type admin_home_t; + ') + ++ allow $1 admin_home_t:lnk_file read_lnk_file_perms; + allow $1 admin_home_t:dir search_dir_perms; -+') + ') + +######################################## +## @@ -42905,7 +46621,7 @@ index 3c5dba7..2890de8 100644 + ') + + allow $1 unpriv_userdomain:sem rw_sem_perms; - ') ++') + +######################################## +## @@ -42980,6 +46696,7 @@ index 3c5dba7..2890de8 100644 + type admin_home_t; + ') + ++ allow $1 admin_home_t:lnk_file read_lnk_file_perms; + read_files_pattern($1, admin_home_t, admin_home_t) +') + 
@@ -42999,6 +46716,7 @@ index 3c5dba7..2890de8 100644 + type admin_home_t; + ') + ++ allow $1 admin_home_t:lnk_file read_lnk_file_perms; + allow $1 admin_home_t:file delete_file_perms; +') + @@ -43018,6 +46736,7 @@ index 3c5dba7..2890de8 100644 + type admin_home_t; + ') + ++ allow $1 admin_home_t:lnk_file read_lnk_file_perms; + exec_files_pattern($1, admin_home_t, admin_home_t) +') + @@ -43166,6 +46885,7 @@ index 3c5dba7..2890de8 100644 + type admin_home_t; + ') + ++ allow $1 admin_home_t:lnk_file read_lnk_file_perms; + filetrans_pattern($1, admin_home_t, $2, $3, $4) +') + @@ -43207,25 +46927,6 @@ index 3c5dba7..2890de8 100644 + +######################################## +## -+## Manage keys for all user domains. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`userdom_manage_all_users_keys',` -+ gen_require(` -+ attribute userdomain; -+ ') -+ -+ allow $1 userdomain:key manage_key_perms; -+') -+ -+ -+######################################## -+## +## Do not audit attempts to read and write +## unserdomain stream. +## @@ -43417,6 +47118,31 @@ index 3c5dba7..2890de8 100644 + read_lnk_files_pattern($1, audio_home_t, audio_home_t) +') + ++###################################### ++## ++## Manage texlive content in the users homedir. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`userdom_manage_home_texlive',` ++ gen_require(` ++ type texlive_home_t; ++ ') ++ ++ userdom_search_user_home_dirs($1) ++ userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2012") ++ userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2013") ++ userdom_user_home_dir_filetrans($1, texlive_home_t, dir, ".texlive2014") ++ manage_dirs_pattern($1, texlive_home_t, texlive_home_t) ++ manage_files_pattern($1, texlive_home_t, texlive_home_t) ++ manage_lnk_files_pattern($1, texlive_home_t, texlive_home_t) ++') ++ +######################################## +## +## Do not audit attempts to write all user home content files. 
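Review bot: The `.texlive2012`/`.texlive2013`/`.texlive2014` names in the new `userdom_manage_home_texlive` interface are a hard-coded year list that this same patch repeats verbatim in the userdomain.te filetrans block, so the next TeX Live release needs both sites edited or `~/.texlive2015` silently lands as plain user_home_t and none of the texlive_home_t rules apply to it. Either keep a single list (an m4 `define` in userdomain.if that both sites expand) or at least add above the three filetrans lines `# keep in sync with the texlive_home_t filetrans rules in userdomain.te`. A one-line remark in the interface on why TeX Live's cache gets its own home type would also help the next reader, since the summary only says what it manages.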
@@ -43661,6 +47387,7 @@ index 3c5dba7..2890de8 100644 + type admin_home_t; + ') + ++ dontaudit $1 admin_home_t:lnk_file read_lnk_file_perms; + dontaudit $1 admin_home_t:file read_file_perms; +') + @@ -44236,6 +47963,22 @@ index 3c5dba7..2890de8 100644 + ubac_constrained($1_t) + + auth_use_nsswitch($1_t) ++ ++ ifelse(`$1',`unconfined',`',` ++ gen_tunable($1_exec_content, true) ++ ++ tunable_policy(`$1_exec_content',` ++ userdom_exec_user_tmp_files($1_t) ++ userdom_exec_user_home_content_files($1_t) ++ ') ++ tunable_policy(`$1_exec_content && use_nfs_home_dirs',` ++ fs_exec_nfs_files($1_t) ++ ') ++ ++ tunable_policy(`$1_exec_content && use_samba_home_dirs',` ++ fs_exec_cifs_files($1_t) ++ ') ++ ') +') + +######################################## @@ -44335,7 +48078,7 @@ index 3c5dba7..2890de8 100644 +') + diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index e2b538b..e0c6eeb 100644 +index e2b538b..0730c10 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,48 +7,43 @@ policy_module(userdomain, 4.8.5) @@ -44424,7 +48167,7 @@ index e2b538b..e0c6eeb 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -70,26 +83,359 @@ ubac_constrained(user_home_dir_t) +@@ -70,26 +83,382 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; 
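Review bot: `gen_tunable($1_exec_content, true)` is emitted with no `## <desc>` block in front of it as far as this hunk shows, so the generated per-user booleans (`staff_exec_content`, `user_exec_content`, ...) carry no description, and the default of `true` — confined users may execute files in their home directory and user tmp, and on NFS/CIFS homes when those booleans are also on — is the most permissive setting, which deserves to be stated. I would put the usual desc comment before the gen_tunable line saying that it allows $1 users to execute files in their home directories and tmp, and note in it that the default is on so hardened deployments have to turn it off. The unconfined case is correctly skipped by the `ifelse`. The enclosing template starts before this hunk, so I could not check whether its existing documentation already lists these booleans.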
@@ -44465,6 +48208,10 @@ index e2b538b..e0c6eeb 100644 +userdom_user_home_content(audio_home_t) +ubac_constrained(audio_home_t) + ++type texlive_home_t; ++userdom_user_home_content(texlive_home_t) ++ubac_constrained(texlive_home_t) ++ +type home_bin_t; +userdom_user_home_content(home_bin_t) +ubac_constrained(home_bin_t) @@ -44480,12 +48227,15 @@ index e2b538b..e0c6eeb 100644 + +allow userdomain userdomain:process signull; +allow userdomain userdomain:fifo_file rw_inherited_fifo_file_perms; ++dontaudit unpriv_userdomain self:rawip_socket create_socket_perms; + +# Nautilus causes this avc +domain_dontaudit_access_check(unpriv_userdomain) +dontaudit unpriv_userdomain self:dir setattr; +allow unpriv_userdomain self:key manage_key_perms; + ++mount_dontaudit_write_mount_pid(unpriv_userdomain) ++ +optional_policy(` + alsa_read_rw_config(unpriv_userdomain) + alsa_manage_home_files(unpriv_userdomain) @@ -44578,6 +48328,9 @@ index e2b538b..e0c6eeb 100644 +userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, ".cert") +userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, ".pki") +userdom_user_home_dir_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates") ++userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2012") ++userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2013") ++userdom_user_home_dir_filetrans(userdom_filetrans_type, texlive_home_t, dir, ".texlive2014") + +optional_policy(` + gnome_config_filetrans(userdom_filetrans_type, home_cert_t, dir, "certificates") 
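Review bot: The new `dontaudit unpriv_userdomain self:rawip_socket create_socket_perms;` and `mount_dontaudit_write_mount_pid(unpriv_userdomain)` lines have no why-comment, unlike the neighbouring `# Nautilus causes this avc` rule, and silencing raw-IP-socket creation for every unprivileged user type is exactly the rule a later auditor will ask about, because it hides the AVC that would show a user process trying to open a raw socket (the attempt is still denied, only the log entry disappears). I would add a comment above each naming the program that produced the denial, e.g. `# <program> probes for a raw socket and falls back; silence the noise` with the real program filled in. The three `.texlive20NN` filetrans lines further down duplicate the year list in `userdom_manage_home_texlive`; a `# keep in sync with userdom_manage_home_texlive()` comment would help whoever adds the next release.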
@@ -44660,8 +48413,21 @@ index e2b538b..e0c6eeb 100644 +# +gen_require(` + class context contains; ++ class passwd { passwd chfn chsh rootok }; +') + ++allow confined_admindomain self:capability ~{ sys_module audit_control audit_write }; ++allow confined_admindomain self:capability2 { block_suspend syslog }; ++allow confined_admindomain self:process { setexec setfscreate }; ++allow confined_admindomain self:netlink_audit_socket nlmsg_readpriv; ++allow confined_admindomain self:tun_socket create_socket_perms; ++allow confined_admindomain self:packet_socket create_socket_perms; ++ ++# Set password information for other users. ++allow confined_admindomain self:passwd { passwd chfn chsh }; ++# Skip authentication when pam_rootok is specified. ++allow confined_admindomain self:passwd rootok; ++ +corecmd_shell_entry_type(confined_admindomain) +corecmd_bin_entry_type(confined_admindomain) + @@ -44818,7 +48584,7 @@ index e79d545..101086d 100644 ') diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt -index 6e91317..64e135a 100644 +index 6e91317..018d0a6 100644 --- a/policy/support/obj_perm_sets.spt +++ b/policy/support/obj_perm_sets.spt @@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }') @@ -44928,7 +48694,7 @@ index 6e91317..64e135a 100644 +# +# Service +# -+define(`manage_service_perms', `{ start stop status reload } ') ++define(`manage_service_perms', `{ start stop status reload enable disable } ') diff --git a/policy/users b/policy/users index c4ebc7e..30d6d7a 100644 --- a/policy/users diff --git a/SOURCES/policy-f20-contrib.patch b/SOURCES/policy-f20-contrib.patch index f874adf..19dd80d 100644 --- a/SOURCES/policy-f20-contrib.patch +++ b/SOURCES/policy-f20-contrib.patch @@ -1,8 +1,8 @@ diff --git a/abrt.fc b/abrt.fc -index e4f84de..2ed712d 100644 +index e4f84de..6098f52 100644 --- a/abrt.fc 
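Review bot: `allow confined_admindomain self:capability ~{ sys_module audit_control audit_write };` grants every other capability — sys_admin, sys_ptrace, dac_override, sys_rawio, mknod, setuid among them — to all confined admin domains, and combined with `allow confined_admindomain self:passwd rootok;` (skip authentication where pam_rootok is configured) this makes the "confined" qualifier about type access rather than kernel privilege; that may be the intended sysadm-style design, but the hunk does not say so. I would add above the rule `# admin domains get all capabilities except module loading and audit control; confinement here is by type access, not by capability` so nobody assumes a tighter set was meant. If a narrower set was intended, an explicit positive list is safer than the complement form, since `~{ ... }` automatically picks up any capability permission added to the class later.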
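Review bot: Widening `manage_service_perms` to `{ start stop status reload enable disable }` changes a shared permission set in obj_perm_sets.spt: every interface that expands this macro (presumably the `*_systemctl`-style ones, not visible here) now also lets its callers persistently enable or disable the unit, not just control the running instance, and the patch does not enumerate which callers that reaches. If only specific management domains need to enable units, a separate `define(`enable_service_perms', `{ enable disable }')` used by those callers keeps the existing grants unchanged; if the widening is deliberate, a comment on the define saying so would stop the next reviewer from narrowing it back.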
+++ b/abrt.fc -@@ -1,30 +1,42 @@ +@@ -1,30 +1,46 @@ -/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) -/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) +/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) 
@@ -40,25 +40,29 @@ index e4f84de..2ed712d 100644 +/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0) +/var/run/abrtd?\.socket -- gen_context(system_u:object_r:abrt_var_run_t,s0) +/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0) ++ ++/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) ++/var/spool/debug(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) ++/var/spool/rhsm/debug(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) ++/var/tmp/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) -/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) -/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) -/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0) -/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0) -+/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) -+/var/tmp/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) - --/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0) +# ABRT retrace server +/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0) +/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0) +-/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0) ++/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0) ++/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) ++/var/spool/faf(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) + -/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0) -/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0) -/var/run/abrtd?\.socket -s gen_context(system_u:object_r:abrt_var_run_t,s0) -/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0) -+/var/cache/abrt-retrace(/.*)? 
gen_context(system_u:object_r:abrt_retrace_cache_t,s0) -+/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) -/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) -/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) @@ -68,7 +72,7 @@ index e4f84de..2ed712d 100644 +/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0) +/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0) diff --git a/abrt.if b/abrt.if -index 058d908..702b716 100644 +index 058d908..cf17e67 100644 --- a/abrt.if +++ b/abrt.if @@ -1,4 +1,26 @@ @@ -99,16 +103,34 @@ index 058d908..702b716 100644 ###################################### ## -@@ -40,7 +62,7 @@ interface(`abrt_exec',` +@@ -40,7 +62,25 @@ interface(`abrt_exec',` ######################################## ## -## Send null signals to abrt. ++## Send a signal to abrt. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`abrt_signal',` ++ gen_require(` ++ type abrt_t; ++ ') ++ ++ allow $1 abrt_t:process signal; ++') ++ ++######################################## ++## +## Send a null signal to abrt. ## ## ## -@@ -58,7 +80,7 @@ interface(`abrt_signull',` +@@ -58,7 +98,7 @@ interface(`abrt_signull',` ######################################## ## @@ -117,7 +139,7 @@ index 058d908..702b716 100644 ## ## ## -@@ -71,12 +93,13 @@ interface(`abrt_read_state',` +@@ -71,12 +111,13 @@ interface(`abrt_read_state',` type abrt_t; ') @@ -132,7 +154,7 @@ index 058d908..702b716 100644 ## ## ## -@@ -116,8 +139,7 @@ interface(`abrt_dbus_chat',` +@@ -116,8 +157,7 @@ interface(`abrt_dbus_chat',` ##################################### ## @@ -142,7 +164,7 @@ index 058d908..702b716 100644 ## ## ## -@@ -130,15 +152,13 @@ interface(`abrt_domtrans_helper',` +@@ -130,15 +170,13 @@ interface(`abrt_domtrans_helper',` type abrt_helper_t, abrt_helper_exec_t; ') 
@@ -160,7 +182,7 @@ index 058d908..702b716 100644 ## ## ## -@@ -154,17 +174,35 @@ interface(`abrt_domtrans_helper',` +@@ -154,17 +192,54 @@ interface(`abrt_domtrans_helper',` # interface(`abrt_run_helper',` gen_require(` @@ -190,60 +212,60 @@ index 058d908..702b716 100644 + + read_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) + read_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) ++') ++ ++######################################## ++## ++## Append abrt cache ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`abrt_append_cache',` ++ gen_require(` ++ type abrt_var_cache_t; ++ ') ++ ++ ++ allow $1 abrt_var_cache_t:file append_inherited_file_perms; ') ######################################## ## -## Create, read, write, and delete -## abrt cache files. -+## Append abrt cache ++## Read/Write inherited abrt cache ## ## ## -@@ -172,15 +210,37 @@ interface(`abrt_run_helper',` +@@ -172,15 +247,18 @@ interface(`abrt_run_helper',` ## ## # -interface(`abrt_cache_manage',` - refpolicywarn(`$0($*) has been deprecated, use abrt_manage_cache() instead.') - abrt_manage_cache($1) -+interface(`abrt_append_cache',` ++interface(`abrt_rw_inherited_cache',` + gen_require(` + type abrt_var_cache_t; + ') + + -+ allow $1 abrt_var_cache_t:file append_inherited_file_perms; ++ allow $1 abrt_var_cache_t:file rw_inherited_file_perms; ') ######################################## ## -## Create, read, write, and delete -## abrt cache content. -+## Read/Write inherited abrt cache -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`abrt_rw_inherited_cache',` -+ gen_require(` -+ type abrt_var_cache_t; -+ ') -+ -+ -+ allow $1 abrt_var_cache_t:file rw_inherited_file_perms; -+') -+ -+######################################## -+## +## Manage abrt cache ## ## ## -@@ -193,7 +253,6 @@ interface(`abrt_manage_cache',` +@@ -193,7 +271,6 @@ interface(`abrt_manage_cache',` type abrt_var_cache_t; ') 
@@ -251,7 +273,7 @@ index 058d908..702b716 100644 manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t) -@@ -201,7 +260,7 @@ interface(`abrt_manage_cache',` +@@ -201,7 +278,7 @@ interface(`abrt_manage_cache',` #################################### ## @@ -260,8 +282,30 @@ index 058d908..702b716 100644 ## ## ## -@@ -220,7 +279,7 @@ interface(`abrt_read_config',` +@@ -218,9 +295,29 @@ interface(`abrt_read_config',` + read_files_pattern($1, abrt_etc_t, abrt_etc_t) + ') ++#################################### ++## ++## Dontaudit read abrt configuration file. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`abrt_dontaudit_read_config',` ++ gen_require(` ++ type abrt_etc_t; ++ ') ++ ++ files_search_etc($1) ++ dontaudit $1 abrt_etc_t:dir list_dir_perms; ++ dontaudit $1 abrt_etc_t:file read_file_perms; ++') ++ ###################################### ## -## Read abrt log files. @@ -269,7 +313,7 @@ index 058d908..702b716 100644 ## ## ## -@@ -258,8 +317,7 @@ interface(`abrt_read_pid_files',` +@@ -258,8 +355,7 @@ interface(`abrt_read_pid_files',` ###################################### ## @@ -279,7 +323,7 @@ index 058d908..702b716 100644 ## ## ## -@@ -276,10 +334,51 @@ interface(`abrt_manage_pid_files',` +@@ -276,10 +372,51 @@ interface(`abrt_manage_pid_files',` manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t) ') @@ -333,7 +377,7 @@ index 058d908..702b716 100644 ## ## ## -@@ -288,39 +387,172 @@ interface(`abrt_manage_pid_files',` +@@ -288,39 +425,174 @@ interface(`abrt_manage_pid_files',` ## ## ## 
@@ -433,6 +477,7 @@ index 058d908..702b716 100644 + manage_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t) + manage_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t) + manage_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t) ++ manage_sock_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t) +') + +##################################### @@ -453,7 +498,7 @@ index 058d908..702b716 100644 + list_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t) + read_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t) + read_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t) -+') + ') + + +##################################### @@ -474,7 +519,7 @@ index 058d908..702b716 100644 + list_dirs_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t) + read_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t) + read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t) - ') ++') + +######################################## +## @@ -516,11 +561,12 @@ index 058d908..702b716 100644 + files_etc_filetrans($1, abrt_etc_t, dir, "abrt") + files_var_filetrans($1, abrt_var_cache_t, dir, "abrt") + files_var_filetrans($1, abrt_var_cache_t, dir, "abrt-dix") ++ files_var_filetrans($1, abrt_var_cache_t, dir, "debug") + files_pid_filetrans($1, abrt_var_run_t, dir, "abrt") +') + diff --git a/abrt.te b/abrt.te -index cc43d25..1ec0046 100644 +index cc43d25..23aea8e 100644 --- a/abrt.te +++ b/abrt.te @@ -1,4 +1,4 @@ 
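Review bot: The added `files_var_filetrans($1, abrt_var_cache_t, dir, "debug")` only fires for a `debug` directory created directly inside a var_t directory (i.e. /var/debug), whereas the file contexts this same patch adds to abrt.fc label `/var/spool/debug(/.*)?` and `/var/spool/rhsm/debug(/.*)?`; /var/spool is var_spool_t in refpolicy, so a daemon creating /var/spool/debug at runtime would not hit this transition and the directory would come up mislabeled until restorecon. Unless /var/debug really is a path abrt creates, the rule wanted is probably `files_spool_filetrans($1, abrt_var_cache_t, dir, "debug")`, with the rhsm path handled via a filetrans on its parent's type. Worth confirming against the abrt source which path is created at runtime; the interface this rule belongs to starts before the hunk.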
@@ -686,7 +732,7 @@ index cc43d25..1ec0046 100644 -allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice }; -dontaudit abrt_t self:capability sys_rawio; +allow abrt_t self:capability { chown dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace }; -+dontaudit abrt_t self:capability { sys_rawio sys_ptrace }; ++dontaudit abrt_t self:capability { net_admin sys_rawio sys_ptrace }; allow abrt_t self:process { setpgid sigkill signal signull setsched getsched }; + allow abrt_t self:fifo_file rw_fifo_file_perms; @@ -756,7 +802,7 @@ index cc43d25..1ec0046 100644 dev_getattr_all_chr_files(abrt_t) dev_getattr_all_blk_files(abrt_t) -@@ -163,29 +193,37 @@ files_getattr_all_files(abrt_t) +@@ -163,29 +193,40 @@ files_getattr_all_files(abrt_t) files_read_config_files(abrt_t) files_read_etc_runtime_files(abrt_t) files_read_var_symlinks(abrt_t) @@ -783,6 +829,8 @@ index cc43d25..1ec0046 100644 +logging_read_generic_logs(abrt_t) +logging_send_syslog_msg(abrt_t) ++logging_stream_connect_syslog(abrt_t) ++logging_read_syslog_pid(abrt_t) + auth_use_nsswitch(abrt_t) @@ -791,13 +839,14 @@ index cc43d25..1ec0046 100644 +miscfiles_read_generic_certs(abrt_t) miscfiles_read_public_files(abrt_t) ++miscfiles_dontaudit_access_check_cert(abrt_t) userdom_dontaudit_read_user_home_content_files(abrt_t) +userdom_dontaudit_read_admin_home_files(abrt_t) tunable_policy(`abrt_anon_write',` miscfiles_manage_public_files(abrt_t) -@@ -193,15 +231,11 @@ tunable_policy(`abrt_anon_write',` +@@ -193,15 +234,11 @@ tunable_policy(`abrt_anon_write',` optional_policy(` apache_list_modules(abrt_t) @@ -814,7 +863,7 @@ index cc43d25..1ec0046 100644 ') optional_policy(` -@@ -209,6 +243,20 @@ optional_policy(` +@@ -209,6 +246,20 @@ optional_policy(` ') optional_policy(` 
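Review bot: The changed `dontaudit abrt_t self:capability { net_admin sys_rawio sys_ptrace };` still lists sys_ptrace, which the `allow abrt_t self:capability { ... sys_ptrace }` line directly above it grants; a dontaudit on an allowed permission is dead policy and reads as if ptrace were denied-but-silenced, so while this line is being touched I would make it `dontaudit abrt_t self:capability { net_admin sys_rawio };`. Newly silencing net_admin for a crash handler is also the kind of rule an auditor would rather see justified; a one-line comment naming the operation that produced the denial (a setsockopt, an interface query, whatever it was) would do.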
@@ -835,15 +884,19 @@ index cc43d25..1ec0046 100644 policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -220,6 +268,7 @@ optional_policy(` - corecmd_exec_all_executables(abrt_t) +@@ -221,6 +272,11 @@ optional_policy(` ') -+# to install debuginfo packages optional_policy(` ++ puppet_read_lib(abrt_t) ++') ++ ++# to install debuginfo packages ++optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) -@@ -230,6 +279,7 @@ optional_policy(` + rpm_manage_cache(abrt_t) +@@ -230,6 +286,7 @@ optional_policy(` rpm_signull(abrt_t) ') @@ -851,7 +904,7 @@ index cc43d25..1ec0046 100644 optional_policy(` sendmail_domtrans(abrt_t) ') -@@ -240,9 +290,17 @@ optional_policy(` +@@ -240,9 +297,17 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') @@ -870,7 +923,7 @@ index cc43d25..1ec0046 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -253,9 +311,13 @@ tunable_policy(`abrt_handle_event',` +@@ -253,9 +318,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') @@ -885,7 +938,7 @@ index cc43d25..1ec0046 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -268,6 +330,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -268,6 +337,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) @@ -893,7 +946,7 @@ index cc43d25..1ec0046 100644 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -@@ -276,15 +339,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -276,15 +346,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) 
@@ -914,7 +967,7 @@ index cc43d25..1ec0046 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -292,11 +360,25 @@ ifdef(`hide_broken_symptoms',` +@@ -292,11 +367,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -941,7 +994,7 @@ index cc43d25..1ec0046 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -314,10 +396,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) +@@ -314,10 +403,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t) @@ -955,7 +1008,7 @@ index cc43d25..1ec0046 100644 optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -330,10 +414,11 @@ optional_policy(` +@@ -330,10 +421,11 @@ optional_policy(` ####################################### # @@ -969,7 +1022,7 @@ index cc43d25..1ec0046 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -352,46 +437,56 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -352,46 +444,56 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) @@ -1031,7 +1084,7 @@ index cc43d25..1ec0046 100644 read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) -@@ -400,16 +495,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) +@@ -400,16 +502,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) corecmd_exec_bin(abrt_watch_log_t) logging_read_all_logs(abrt_watch_log_t) 
@@ -1048,7 +1101,7 @@ index cc43d25..1ec0046 100644 # -kernel_read_system_state(abrt_domain) -+allow abrt_upload_watch_t self:capability dac_override; ++allow abrt_upload_watch_t self:capability { dac_override chown }; -files_read_etc_files(abrt_domain) +manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) @@ -1057,9 +1110,11 @@ index cc43d25..1ec0046 100644 +files_tmp_filetrans(abrt_upload_watch_t, abrt_upload_watch_tmp_t, {file dir}) + +read_files_pattern(abrt_upload_watch_t, abrt_etc_t, abrt_etc_t) -+ + +-logging_send_syslog_msg(abrt_domain) +manage_dirs_pattern(abrt_upload_watch_t, abrt_var_cache_t, abrt_var_cache_t) -+ + +-miscfiles_read_localization(abrt_domain) +corecmd_exec_bin(abrt_upload_watch_t) + +dev_read_urand(abrt_upload_watch_t) @@ -1067,8 +1122,7 @@ index cc43d25..1ec0046 100644 +files_search_spool(abrt_upload_watch_t) + +auth_read_passwd(abrt_upload_watch_t) - --logging_send_syslog_msg(abrt_domain) ++ +tunable_policy(`abrt_upload_watch_anon_write',` + miscfiles_manage_public_files(abrt_upload_watch_t) +') @@ -1081,8 +1135,7 @@ index cc43d25..1ec0046 100644 +# +# Local policy for all abrt domain +# - --miscfiles_read_localization(abrt_domain) ++ +allow abrt_domain abrt_var_run_t:sock_file write_sock_file_perms; +allow abrt_domain abrt_var_run_t:unix_stream_socket connectto; + @@ -1564,6 +1617,16 @@ index 72c33c2..6e4206c 100644 optional_policy(` modutils_domtrans_insmod(aiccu_t) +diff --git a/aide.fc b/aide.fc +index df6e4d0..4b99c25 100644 +--- a/aide.fc ++++ b/aide.fc +@@ -3,4 +3,4 @@ + /var/lib/aide(/.*) gen_context(system_u:object_r:aide_db_t,mls_systemhigh) + + /var/log/aide(/.*)? gen_context(system_u:object_r:aide_log_t,mls_systemhigh) +-/var/log/aide\.log -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh) ++/var/log/aide\.log.* -- gen_context(system_u:object_r:aide_log_t,mls_systemhigh) diff --git a/aide.if b/aide.if index 01cbb67..94a4a24 100644 --- a/aide.if 
@@ -1985,7 +2048,7 @@ index 708b743..cc78465 100644 + ps_process_pattern($1, alsa_t) ') diff --git a/alsa.te b/alsa.te -index cda6d20..443ce3c 100644 +index cda6d20..a80ddb9 100644 --- a/alsa.te +++ b/alsa.te @@ -21,16 +21,23 @@ files_tmp_file(alsa_tmp_t) @@ -2014,7 +2077,7 @@ index cda6d20..443ce3c 100644 allow alsa_t self:sem create_sem_perms; allow alsa_t self:shm create_shm_perms; allow alsa_t self:unix_stream_socket { accept listen }; -@@ -51,6 +58,11 @@ userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file }) +@@ -51,7 +58,13 @@ userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file }) manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t) manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t) @@ -2024,9 +2087,11 @@ index cda6d20..443ce3c 100644 +files_pid_filetrans(alsa_t, alsa_var_run_t, { file dir }) + kernel_read_system_state(alsa_t) ++kernel_signal(alsa_t) corecmd_exec_bin(alsa_t) -@@ -59,7 +71,6 @@ dev_read_sound(alsa_t) + +@@ -59,7 +72,6 @@ dev_read_sound(alsa_t) dev_read_sysfs(alsa_t) dev_write_sound(alsa_t) @@ -2034,7 +2099,7 @@ index cda6d20..443ce3c 100644 files_search_var_lib(alsa_t) term_dontaudit_use_console(alsa_t) -@@ -72,8 +83,6 @@ init_use_fds(alsa_t) +@@ -72,8 +84,6 @@ init_use_fds(alsa_t) logging_send_syslog_msg(alsa_t) @@ -2064,7 +2129,7 @@ index 7f4dfbc..e5c9f45 100644 /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0) diff --git a/amanda.te b/amanda.te -index ed45974..ec7bb41 100644 +index ed45974..f367ba0 100644 --- a/amanda.te +++ b/amanda.te @@ -9,11 +9,14 @@ attribute_role amanda_recover_roles; @@ -2102,7 +2167,7 @@ index ed45974..ec7bb41 100644 filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir }) allow amanda_t amanda_dumpdates_t:file rw_file_perms; -@@ -100,13 +104,14 @@ kernel_dontaudit_read_proc_symlinks(amanda_t) +@@ -100,13 +104,15 @@ kernel_dontaudit_read_proc_symlinks(amanda_t) corecmd_exec_shell(amanda_t) corecmd_exec_bin(amanda_t) 
@@ -2114,11 +2179,12 @@ index ed45974..ec7bb41 100644 corenet_tcp_bind_generic_node(amanda_t) +corenet_tcp_bind_amanda_port(amanda_t) ++corenet_udp_bind_amanda_port(amanda_t) + corenet_sendrecv_all_server_packets(amanda_t) corenet_tcp_bind_all_rpc_ports(amanda_t) corenet_tcp_bind_generic_port(amanda_t) -@@ -114,6 +119,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t) +@@ -114,6 +120,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t) dev_getattr_all_blk_files(amanda_t) dev_getattr_all_chr_files(amanda_t) @@ -2126,7 +2192,7 @@ index ed45974..ec7bb41 100644 files_read_etc_runtime_files(amanda_t) files_list_all(amanda_t) -@@ -170,7 +176,6 @@ kernel_read_system_state(amanda_recover_t) +@@ -170,7 +177,6 @@ kernel_read_system_state(amanda_recover_t) corecmd_exec_shell(amanda_recover_t) corecmd_exec_bin(amanda_recover_t) @@ -2134,7 +2200,7 @@ index ed45974..ec7bb41 100644 corenet_all_recvfrom_netlabel(amanda_recover_t) corenet_tcp_sendrecv_generic_if(amanda_recover_t) corenet_udp_sendrecv_generic_if(amanda_recover_t) -@@ -195,12 +200,16 @@ files_search_tmp(amanda_recover_t) +@@ -195,12 +201,16 @@ files_search_tmp(amanda_recover_t) auth_use_nsswitch(amanda_recover_t) 
@@ -2327,8 +2393,79 @@ index c960f92..486e9ed 100644 optional_policy(` nscd_dontaudit_search_pid(amtu_t) +diff --git a/anaconda.fc b/anaconda.fc +index b098089..258407b 100644 +--- a/anaconda.fc ++++ b/anaconda.fc +@@ -1 +1,7 @@ + # No file context specifications. ++ ++/usr/libexec/anaconda/anaconda-yum -- gen_context(system_u:object_r:install_exec_t,s0) ++/usr/sbin/anaconda -- gen_context(system_u:object_r:install_exec_t,s0) ++ ++/usr/bin/ostree -- gen_context(system_u:object_r:install_exec_t,s0) ++/usr/bin/rpm-ostree -- gen_context(system_u:object_r:install_exec_t,s0) +diff --git a/anaconda.if b/anaconda.if +index 14a61b7..21bbf36 100644 +--- a/anaconda.if ++++ b/anaconda.if +@@ -1 +1,54 @@ + ## Anaconda installer. ++ ++######################################## ++## ++## Execute a domain transition to run install. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`anaconda_domtrans_install',` ++ gen_require(` ++ type install_t, install_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, install_exec_t, install_t) ++') ++ ++######################################## ++## ++## Execute install in the install ++## domain, and allow the specified ++## role the install domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++# ++interface(`anaconda_run_install',` ++ gen_require(` ++ type install_t; ++ type install_exec_t; ++ attribute_role install_roles; ++ ') ++ ++ anaconda_domtrans_install($1) ++ roleattribute $2 install_roles; ++ role_transition $2 install_exec_t system_r; ++ ++ optional_policy(` ++ rpm_transition_script(install_t, $2) ++ ') ++') ++ diff --git a/anaconda.te b/anaconda.te -index 6f1384c..9f23456 100644 +index 6f1384c..f226596 100644 --- a/anaconda.te +++ b/anaconda.te @@ -4,6 +4,10 @@ gen_require(` 
@@ -2342,7 +2479,22 @@ index 6f1384c..9f23456 100644 ######################################## # # Declarations -@@ -34,8 +38,9 @@ modutils_domtrans_insmod(anaconda_t) +@@ -16,6 +20,14 @@ domain_entry_file(anaconda_t, anaconda_exec_t) + domain_obj_id_change_exemption(anaconda_t) + role system_r types anaconda_t; + ++attribute_role install_roles; ++roleattribute system_r install_roles; ++ ++type install_t; ++type install_exec_t; ++application_domain(install_t, install_exec_t) ++role install_roles types install_t; ++ + ######################################## + # + # Local policy +@@ -34,8 +46,9 @@ modutils_domtrans_insmod(anaconda_t) modutils_domtrans_depmod(anaconda_t) seutil_domtrans_semanage(anaconda_t) @@ -2353,9 +2505,44 @@ index 6f1384c..9f23456 100644 optional_policy(` rpm_domtrans(anaconda_t) +@@ -53,3 +66,34 @@ optional_policy(` + optional_policy(` + unconfined_domain_noaudit(anaconda_t) + ') ++ ++######################################## ++# ++# Local policy ++# ++ ++allow install_t self:capability2 mac_admin; ++ ++systemd_dbus_chat_localed(install_t) ++ ++tunable_policy(`deny_ptrace',`',` ++ domain_ptrace_all_domains(install_t) ++') ++ ++optional_policy(` ++ mount_run(install_t, install_roles) ++') ++ ++optional_policy(` ++ networkmanager_dbus_chat(install_t) ++') ++ ++optional_policy(` ++ seutil_run_setfiles_mac(install_t, install_roles) ++') ++ ++optional_policy(` ++ unconfined_domain_noaudit(install_t) ++') ++ ++ diff --git a/antivirus.fc b/antivirus.fc new file mode 100644 -index 0000000..e44bff0 +index 0000000..9d5214b --- /dev/null +++ b/antivirus.fc @@ -0,0 +1,43 @@ 
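Review bot: The new install_t domain is effectively unconfined — `unconfined_domain_noaudit(install_t)`, `allow install_t self:capability2 mac_admin;` and, whenever `deny_ptrace` is off, `domain_ptrace_all_domains(install_t)` — yet its section is headed only `# Local policy`, duplicating the anaconda_t heading above it. Since the previous hunk's anaconda.fc labels `/usr/bin/ostree` and `/usr/bin/rpm-ostree` as install_exec_t, any role given `anaconda_run_install` reaches this domain through those binaries as well as through anaconda itself, which the heading should state, e.g. `# install_t local policy: effectively unconfined (mac_admin, ptrace, unconfined_domain_noaudit); entry points are listed in anaconda.fc`. As far as these hunks show the transition is only granted to callers of anaconda_domtrans_install/anaconda_run_install, so this is about documentation and auditability rather than a change to the default targeted policy.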
@@ -2380,10 +2567,10 @@ index 0000000..e44bff0 + +/var/clamav(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0) + -+ +/var/amavis(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0) +/var/lib/amavis(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0) +/var/lib/clamav(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0) ++/var/lib/clamav-unofficial-sigs(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0) +/var/lib/clamd.* gen_context(system_u:object_r:antivirus_db_t,s0) +/var/opt/f-secure(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0) +/var/spool/amavisd(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0) @@ -3011,10 +3198,10 @@ index 0000000..8ba9c95 + spamassassin_read_pid_files(antivirus_domain) +') diff --git a/apache.fc b/apache.fc -index 550a69e..66ba451 100644 +index 550a69e..43bb1c9 100644 --- a/apache.fc +++ b/apache.fc -@@ -1,161 +1,200 @@ +@@ -1,161 +1,212 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0) +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) @@ -3041,6 +3228,7 @@ index 550a69e..66ba451 100644 +/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) +/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) +/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/etc/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/etc/owncloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) 
@@ -3058,6 +3246,7 @@ index 550a69e..66ba451 100644 -/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0) -/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/etc/thttpd\.conf -- gen_context(system_u:object_r:httpd_config_t,s0) +/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0) +/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) @@ -3098,6 +3287,7 @@ index 550a69e..66ba451 100644 -/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) -/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) +/usr/share/jetty/bin/jetty.sh -- gen_context(system_u:object_r:httpd_exec_t,s0) ++/usr/share/joomla(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0) +/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0) @@ -3124,11 +3314,13 @@ index 550a69e..66ba451 100644 - -ifdef(`distro_suse',` -/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) ++/usr/sbin/htcacheclean -- gen_context(system_u:object_r:httpd_exec_t,s0) +/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0) +/usr/sbin/nginx -- gen_context(system_u:object_r:httpd_exec_t,s0) +/usr/sbin/php-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0) +/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0) +/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) ++/usr/sbin/thttpd -- gen_context(system_u:object_r:httpd_exec_t,s0) + +ifdef(`distro_suse', ` +/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) 
@@ -3167,6 +3359,7 @@ index 550a69e..66ba451 100644 +/usr/share/drupal.* gen_context(system_u:object_r:httpd_sys_content_t,s0) +/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) + ++/usr/share/glpi(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -3213,6 +3406,7 @@ index 550a69e..66ba451 100644 +/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) ++/var/lib/glpi(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) @@ -3250,6 +3444,7 @@ index 550a69e..66ba451 100644 + +/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ++/var/log/glpi(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) 
@@ -3260,6 +3455,8 @@ index 550a69e..66ba451 100644 /var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) -/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/var/log/thttpd\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) ++/var/log/php_errors\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) +/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +ifdef(`distro_debian', ` +/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) @@ -3276,6 +3473,7 @@ index 550a69e..66ba451 100644 +/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/run/nginx.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/run/php-fpm(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) ++/var/run/thttpd\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0) + @@ -3328,7 +3526,8 @@ index 550a69e..66ba451 100644 +/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) + +/var/www/html(/.*)?/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) -+ ++/var/www/html(/.*)?/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/var/www/html/owncloud/data(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) + +/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) @@ -3354,7 +3553,7 @@ index 550a69e..66ba451 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) 
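Review bot: The new `/var/www/html(/.*)?/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)` entry labels every directory named `uploads` at any depth under the document root as httpd-writable, which is far broader than the sibling `wp-content` and `/var/www/html/owncloud/data(/.*)?` rules and silently relabels any application that happens to use that name. If a specific application's upload directory is intended, anchoring the path the way the owncloud entry does keeps writable content limited to where it is expected; otherwise a comment naming the applications this serves would let administrators judge the `restorecon` changes it causes.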
diff --git a/apache.if b/apache.if -index 83e899c..fac6fe5 100644 +index 83e899c..64beed7 100644 --- a/apache.if +++ b/apache.if @@ -1,9 +1,9 @@ 
@@ -4001,131 +4200,166 @@ index 83e899c..fac6fe5 100644 -## Create, read, write, and delete -## httpd log files. +## Allow the specified domain to manage -+## to apache log files. ++## to apache var lib files. ## ## ## -@@ -698,47 +762,49 @@ interface(`apache_manage_log',` - read_lnk_files_pattern($1, httpd_log_t, httpd_log_t) +@@ -687,20 +751,21 @@ interface(`apache_dontaudit_append_log',` + ## + ## + # +-interface(`apache_manage_log',` ++interface(`apache_manage_lib',` + gen_require(` +- type httpd_log_t; ++ type httpd_var_lib_t; + ') + +- logging_search_logs($1) +- manage_dirs_pattern($1, httpd_log_t, httpd_log_t) +- manage_files_pattern($1, httpd_log_t, httpd_log_t) +- read_lnk_files_pattern($1, httpd_log_t, httpd_log_t) ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, httpd_var_lib_t, httpd_var_lib_t) ++ manage_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t) ++ read_lnk_files_pattern($1, httpd_var_lib_t, httpd_var_lib_t) ') -####################################### +######################################## ## -## Write apache log files. -+## Do not audit attempts to search Apache -+## module directories. ++## Allow the specified domain to manage ++## to apache log files. ## ## ## --## Domain allowed access. -+## Domain to not audit. +@@ -708,19 +773,21 @@ interface(`apache_manage_log',` ## ## # -interface(`apache_write_log',` -+interface(`apache_dontaudit_search_modules',` ++interface(`apache_manage_log',` gen_require(` -- type httpd_log_t; -+ type httpd_modules_t; + type httpd_log_t; ') -- logging_search_logs($1) + logging_search_logs($1) - write_files_pattern($1, httpd_log_t, httpd_log_t) -+ dontaudit $1 httpd_modules_t:dir search_dir_perms; ++ manage_dirs_pattern($1, httpd_log_t, httpd_log_t) ++ manage_files_pattern($1, httpd_log_t, httpd_log_t) ++ read_lnk_files_pattern($1, httpd_log_t, httpd_log_t) ') ######################################## ## -## Do not audit attempts to search -## httpd module directories. 
++## Do not audit attempts to search Apache ++## module directories. + ## + ## + ## +@@ -738,7 +805,8 @@ interface(`apache_dontaudit_search_modules',` + + ######################################## + ## +-## List httpd module directories. +## Allow the specified domain to read +## the apache module directories. ## ## ## --## Domain to not audit. -+## Domain allowed access. +@@ -746,17 +814,19 @@ interface(`apache_dontaudit_search_modules',` ## ## # --interface(`apache_dontaudit_search_modules',` +-interface(`apache_list_modules',` +interface(`apache_read_modules',` gen_require(` type httpd_modules_t; ') -- dontaudit $1 httpd_modules_t:dir search_dir_perms; +- allow $1 httpd_modules_t:dir list_dir_perms; + read_files_pattern($1, httpd_modules_t, httpd_modules_t) ') ######################################## ## --## List httpd module directories. +-## Execute httpd module files. +## Allow the specified domain to list +## the contents of the apache modules +## directory. ## ## ## -@@ -752,11 +818,13 @@ interface(`apache_list_modules',` +@@ -764,19 +834,19 @@ interface(`apache_list_modules',` + ## + ## + # +-interface(`apache_exec_modules',` ++interface(`apache_list_modules',` + gen_require(` + type httpd_modules_t; ') allow $1 httpd_modules_t:dir list_dir_perms; +- allow $1 httpd_modules_t:lnk_file read_lnk_file_perms; +- can_exec($1, httpd_modules_t) + read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t) ') ######################################## ## --## Execute httpd module files. +-## Read httpd module files. +## Allow the specified domain to execute +## apache modules. ## ## ## -@@ -776,46 +844,63 @@ interface(`apache_exec_modules',` - - ######################################## - ## --## Read httpd module files. -+## Execute a domain transition to run httpd_rotatelogs. - ## - ## - ## --## Domain allowed access. -+## Domain allowed to transition. 
+@@ -784,19 +854,19 @@ interface(`apache_exec_modules',` ## ## # -interface(`apache_read_module_files',` -+interface(`apache_domtrans_rotatelogs',` ++interface(`apache_exec_modules',` gen_require(` -- type httpd_modules_t; -+ type httpd_rotatelogs_t, httpd_rotatelogs_exec_t; + type httpd_modules_t; ') - libs_search_lib($1) - read_files_pattern($1, httpd_modules_t, httpd_modules_t) -+ domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) ++ allow $1 httpd_modules_t:dir list_dir_perms; ++ allow $1 httpd_modules_t:lnk_file read_lnk_file_perms; ++ can_exec($1, httpd_modules_t) ') --######################################## -+####################################### + ######################################## ## -## Execute a domain transition to -## run httpd_rotatelogs. -+## Execute httpd_rotatelogs in the caller domain. ++## Execute a domain transition to run httpd_rotatelogs. ## ## --## --## Domain allowed to transition. --## + ## +@@ -809,13 +879,50 @@ interface(`apache_domtrans_rotatelogs',` + type httpd_rotatelogs_t, httpd_rotatelogs_exec_t; + ') + +- corecmd_search_bin($1) + domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) + ') + ++####################################### ++## ++## Execute httpd_rotatelogs in the caller domain. ++## ++## +## +## Domain allowed to transition. +## - ## - # --interface(`apache_domtrans_rotatelogs',` ++## ++# +interface(`apache_exec_rotatelogs',` + gen_require(` + type httpd_rotatelogs_exec_t; 
@@ -4145,17 +4379,14 @@ index 83e899c..fac6fe5 100644 +## +# +interface(`apache_exec_sys_script',` - gen_require(` -- type httpd_rotatelogs_t, httpd_rotatelogs_exec_t; ++ gen_require(` + type httpd_sys_script_exec_t; - ') - -- corecmd_search_bin($1) -- domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t) ++ ') ++ + allow $1 httpd_sys_script_exec_t:dir search_dir_perms; + can_exec($1, httpd_sys_script_exec_t) - ') - ++') ++ ######################################## ## -## List httpd system content directories. @@ -4164,7 +4395,7 @@ index 83e899c..fac6fe5 100644 ## ## ## -@@ -829,13 +914,14 @@ interface(`apache_list_sys_content',` +@@ -829,13 +936,14 @@ interface(`apache_list_sys_content',` ') list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) @@ -4181,7 +4412,7 @@ index 83e899c..fac6fe5 100644 ## ## ## -@@ -844,6 +930,7 @@ interface(`apache_list_sys_content',` +@@ -844,6 +952,7 @@ interface(`apache_list_sys_content',` ## ## # @@ -4189,23 +4420,21 @@ index 83e899c..fac6fe5 100644 interface(`apache_manage_sys_content',` gen_require(` type httpd_sys_content_t; -@@ -855,32 +942,98 @@ interface(`apache_manage_sys_content',` +@@ -855,32 +964,98 @@ interface(`apache_manage_sys_content',` manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ') -######################################## +###################################### - ## --## Create, read, write, and delete --## httpd system rw content. ++## +## Allow the specified domain to read +## apache system content rw files. - ## - ## - ## - ## Domain allowed access. - ## - ## ++## ++## ++## ++## Domain allowed access. ++## ++## +## +# +interface(`apache_read_sys_content_rw_files',` 
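Review bot: `apache_exec_sys_script` grants `can_exec($1, httpd_sys_script_exec_t)`, so system CGI scripts run in the caller's own domain with no transition to a script domain — the opposite of what apache_domtrans_sys_script provides — and callers should be told they keep their own privileges while the script runs. I'd word the summary as `## Execute httpd system scripts in the caller domain (no domain transition; the script inherits the caller's access).`. The interface's documentation header starts in the preceding hunk, outside this one.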
@@ -4217,22 +4446,26 @@ index 83e899c..fac6fe5 100644 +') + +###################################### -+## + ## +-## Create, read, write, and delete +-## httpd system rw content. +## Allow the specified domain to read +## apache system content rw dirs. -+## -+## -+## -+## Domain allowed access. -+## -+## + ## + ## + ## + ## Domain allowed access. + ## + ## +## -+# + # +-interface(`apache_manage_sys_rw_content',` +interface(`apache_read_sys_content_rw_dirs',` -+ gen_require(` -+ type httpd_sys_rw_content_t; -+ ') -+ + gen_require(` + type httpd_sys_rw_content_t; + ') + +- apache_search_sys_content($1) + list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) +') + @@ -4247,14 +4480,12 @@ index 83e899c..fac6fe5 100644 +## +## +## - # --interface(`apache_manage_sys_rw_content',` ++# +interface(`apache_manage_sys_content_rw',` - gen_require(` - type httpd_sys_rw_content_t; - ') - -- apache_search_sys_content($1) ++ gen_require(` ++ type httpd_sys_rw_content_t; ++ ') ++ + files_search_var($1) manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) - manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t) @@ -4296,7 +4527,7 @@ index 83e899c..fac6fe5 100644 ## ## ## -@@ -888,10 +1041,17 @@ interface(`apache_manage_sys_rw_content',` +@@ -888,10 +1063,17 @@ interface(`apache_manage_sys_rw_content',` ## ## # @@ -4315,7 +4546,7 @@ index 83e899c..fac6fe5 100644 ') tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -901,9 +1061,8 @@ interface(`apache_domtrans_sys_script',` +@@ -901,9 +1083,8 @@ interface(`apache_domtrans_sys_script',` ######################################## ## @@ -4327,7 +4558,7 @@ index 83e899c..fac6fe5 100644 ## ## ## -@@ -941,7 +1100,7 @@ interface(`apache_domtrans_all_scripts',` +@@ -941,7 +1122,7 @@ interface(`apache_domtrans_all_scripts',` ######################################## ## ## Execute all user scripts in the user 
@@ -4336,7 +4567,7 @@ index 83e899c..fac6fe5 100644 ## to the specified role. ## ## -@@ -954,6 +1113,7 @@ interface(`apache_domtrans_all_scripts',` +@@ -954,6 +1135,7 @@ interface(`apache_domtrans_all_scripts',` ## Role allowed access. ## ## @@ -4344,7 +4575,7 @@ index 83e899c..fac6fe5 100644 # interface(`apache_run_all_scripts',` gen_require(` -@@ -966,7 +1126,8 @@ interface(`apache_run_all_scripts',` +@@ -966,7 +1148,8 @@ interface(`apache_run_all_scripts',` ######################################## ## @@ -4354,7 +4585,7 @@ index 83e899c..fac6fe5 100644 ## ## ## -@@ -979,12 +1140,13 @@ interface(`apache_read_squirrelmail_data',` +@@ -979,12 +1162,13 @@ interface(`apache_read_squirrelmail_data',` type httpd_squirrelmail_t; ') @@ -4370,7 +4601,7 @@ index 83e899c..fac6fe5 100644 ## ## ## -@@ -1002,7 +1164,7 @@ interface(`apache_append_squirrelmail_data',` +@@ -1002,7 +1186,7 @@ interface(`apache_append_squirrelmail_data',` ######################################## ## @@ -4379,7 +4610,7 @@ index 83e899c..fac6fe5 100644 ## ## ## -@@ -1015,13 +1177,12 @@ interface(`apache_search_sys_content',` +@@ -1015,13 +1199,12 @@ interface(`apache_search_sys_content',` type httpd_sys_content_t; ') @@ -4394,7 +4625,7 @@ index 83e899c..fac6fe5 100644 ## ## ## -@@ -1041,7 +1202,7 @@ interface(`apache_read_sys_content',` +@@ -1041,7 +1224,7 @@ interface(`apache_read_sys_content',` ######################################## ## @@ -4403,7 +4634,7 @@ index 83e899c..fac6fe5 100644 ## ## ## -@@ -1059,8 +1220,7 @@ interface(`apache_search_sys_scripts',` +@@ -1059,8 +1242,7 @@ interface(`apache_search_sys_scripts',` ######################################## ## @@ -4413,7 +4644,7 @@ index 83e899c..fac6fe5 100644 ## ## ## -@@ -1070,13 +1230,22 @@ interface(`apache_search_sys_scripts',` +@@ -1070,13 +1252,22 @@ interface(`apache_search_sys_scripts',` ## # interface(`apache_manage_all_user_content',` 
@@ -4439,7 +4670,7 @@ index 83e899c..fac6fe5 100644 ## ## ## -@@ -1094,7 +1263,8 @@ interface(`apache_search_sys_script_state',` +@@ -1094,7 +1285,8 @@ interface(`apache_search_sys_script_state',` ######################################## ## @@ -4449,7 +4680,7 @@ index 83e899c..fac6fe5 100644 ## ## ## -@@ -1111,10 +1281,29 @@ interface(`apache_read_tmp_files',` +@@ -1111,10 +1303,29 @@ interface(`apache_read_tmp_files',` read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') @@ -4481,7 +4712,7 @@ index 83e899c..fac6fe5 100644 ## ## ## -@@ -1127,7 +1316,7 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1127,7 +1338,7 @@ interface(`apache_dontaudit_write_tmp_files',` type httpd_tmp_t; ') @@ -4490,7 +4721,7 @@ index 83e899c..fac6fe5 100644 ') ######################################## -@@ -1136,6 +1325,9 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1136,6 +1347,9 @@ interface(`apache_dontaudit_write_tmp_files',` ## ## ##

@@ -4500,7 +4731,7 @@ index 83e899c..fac6fe5 100644 ## This is an interface to support third party modules ## and its use is not allowed in upstream reference ## policy. -@@ -1165,8 +1357,30 @@ interface(`apache_cgi_domain',` +@@ -1165,8 +1379,30 @@ interface(`apache_cgi_domain',` ######################################## ##

@@ -4533,7 +4764,7 @@ index 83e899c..fac6fe5 100644 ## ## ## -@@ -1183,18 +1397,19 @@ interface(`apache_cgi_domain',` +@@ -1183,18 +1419,19 @@ interface(`apache_cgi_domain',` interface(`apache_admin',` gen_require(` attribute httpdcontent, httpd_script_exec_type; @@ -4562,7 +4793,7 @@ index 83e899c..fac6fe5 100644 init_labeled_script_domtrans($1, httpd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1204,10 +1419,10 @@ interface(`apache_admin',` +@@ -1204,10 +1441,10 @@ interface(`apache_admin',` apache_manage_all_content($1) miscfiles_manage_public_files($1) @@ -4576,7 +4807,7 @@ index 83e899c..fac6fe5 100644 admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) -@@ -1218,9 +1433,129 @@ interface(`apache_admin',` +@@ -1218,9 +1455,141 @@ interface(`apache_admin',` admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) @@ -4640,7 +4871,19 @@ index 83e899c..fac6fe5 100644 + + + apache_filetrans_home_content($1) ++ files_usr_filetrans($1, httpd_sys_content_t, dir, "gallery2") ++ files_usr_filetrans($1, httpd_sys_content_t, dir, "z-push") ++ files_etc_filetrans($1, httpd_sys_content_t, dir, "z-push") ++ files_etc_filetrans($1, httpd_sys_content_t, dir, "web") ++ files_etc_filetrans($1, httpd_sys_content_t, dir, "WebCalendar") ++ files_etc_filetrans($1, httpd_sys_content_t, dir, "htdig") ++ files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "horde") ++ files_etc_filetrans($1, httpd_sys_rw_content_t, dir, "owncloud") + filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, file, "settings.php") ++ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "smarty") ++ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "uploads") ++ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "wp-content") ++ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, dir, "upgrade") + userdom_user_tmp_filetrans($1, httpd_tmp_t, dir, "apache") +') + 
@@ -4711,10 +4954,10 @@ index 83e899c..fac6fe5 100644 + filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess") ') diff --git a/apache.te b/apache.te -index 1a82e29..bfe87eb 100644 +index 1a82e29..21d7195 100644 --- a/apache.te +++ b/apache.te -@@ -1,297 +1,367 @@ +@@ -1,297 +1,381 @@ -policy_module(apache, 2.6.10) +policy_module(apache, 2.4.0) + @@ -4759,33 +5002,33 @@ index 1a82e29..bfe87eb 100644 -## Determine whether httpd can use mod_auth_pam. -##

+##

-+## Allow Apache to use mod_auth_pam ++## Dontaudit Apache to search dirs. +##

## -gen_tunable(allow_httpd_mod_auth_pam, false) -+gen_tunable(httpd_mod_auth_pam, false) ++gen_tunable(httpd_dontaudit_search_dirs, false) ## -##

-## Determine whether httpd can use built in scripting. -##

+##

-+## Allow Apache to use mod_auth_ntlm_winbind ++## Allow Apache to use mod_auth_pam +##

##
-gen_tunable(httpd_builtin_scripting, false) -+gen_tunable(httpd_mod_auth_ntlm_winbind, false) ++gen_tunable(httpd_mod_auth_pam, false) ## -##

-## Determine whether httpd can check spam. -##

+##

-+## Allow httpd scripts and modules execmem/execstack ++## Allow Apache to use mod_auth_ntlm_winbind +##

##
-gen_tunable(httpd_can_check_spam, false) -+gen_tunable(httpd_execmem, false) ++gen_tunable(httpd_mod_auth_ntlm_winbind, false) ## -##
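Review bot: The summary for the new `httpd_dontaudit_search_dirs` tunable, `Dontaudit Apache to search dirs.`, does not say what is suppressed or why an administrator would turn it on, while the other summaries in this hunk are full sentences. I'd change it to `## Suppress audit messages for Apache directory search denials.` so the tunable's effect on audit visibility is explicit.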

@@ -4793,6 +5036,13 @@ index 1a82e29..bfe87eb 100644 -## can connect to the network using TCP. -##

+##

++## Allow httpd scripts and modules execmem/execstack ++##

++##
++gen_tunable(httpd_execmem, false) ++ ++## ++##

+## Allow httpd processes to manage IPA content +##

+##
@@ -4866,61 +5116,55 @@ index 1a82e29..bfe87eb 100644 +##

+## Allow httpd to connect to memcache server +##

-+## -+gen_tunable(httpd_can_network_memcache, false) -+ -+## -+##

-+## Allow httpd to act as a relay -+##

##
- gen_tunable(httpd_can_network_relay, false) +-gen_tunable(httpd_can_network_relay, false) ++gen_tunable(httpd_can_network_memcache, false) ## -##

-## Determine whether httpd daemon can -## connect to zabbix over the network. -##

-+##

-+## Allow http daemon to connect to zabbix -+##

++##

++## Allow httpd to act as a relay ++##

##
-gen_tunable(httpd_can_network_connect_zabbix, false) -+gen_tunable(httpd_can_connect_zabbix, false) ++gen_tunable(httpd_can_network_relay, false) ## -##

-## Determine whether httpd can send mail. -##

+##

-+## Allow http daemon to connect to mythtv ++## Allow http daemon to connect to zabbix +##

##
-gen_tunable(httpd_can_sendmail, false) -+gen_tunable(httpd_can_connect_mythtv, false) ++gen_tunable(httpd_can_connect_zabbix, false) ## -##

-## Determine whether httpd can communicate -## with avahi service via dbus. -##

-+##

-+## Allow http daemon to check spam -+##

++##

++## Allow http daemon to connect to mythtv ++##

##
-gen_tunable(httpd_dbus_avahi, false) -+gen_tunable(httpd_can_check_spam, false) ++gen_tunable(httpd_can_connect_mythtv, false) ## -##

-## Determine wether httpd can use support. -##

+##

-+## Allow http daemon to send mail ++## Allow http daemon to check spam +##

##
-gen_tunable(httpd_enable_cgi, false) -+gen_tunable(httpd_can_sendmail, false) ++gen_tunable(httpd_can_check_spam, false) ## -##

@@ -4928,11 +5172,11 @@ index 1a82e29..bfe87eb 100644 -## FTP server by listening on the ftp port. -##

+##

-+## Allow Apache to communicate with avahi service via dbus ++## Allow http daemon to send mail +##

##
-gen_tunable(httpd_enable_ftp_server, false) -+gen_tunable(httpd_dbus_avahi, false) ++gen_tunable(httpd_can_sendmail, false) ## -##

@@ -4940,11 +5184,11 @@ index 1a82e29..bfe87eb 100644 -## user home directories. -##

+##

-+## Allow httpd cgi support ++## Allow Apache to communicate with avahi service via dbus +##

##
-gen_tunable(httpd_enable_homedirs, false) -+gen_tunable(httpd_enable_cgi, false) ++gen_tunable(httpd_dbus_avahi, false) ## -##

@@ -4954,12 +5198,11 @@ index 1a82e29..bfe87eb 100644 -## be labeled public_content_rw_t. -##

+##

-+## Allow httpd to act as a FTP server by -+## listening on the ftp port. ++## Allow Apache to communicate with sssd service via dbus +##

##
-gen_tunable(httpd_gpg_anon_write, false) -+gen_tunable(httpd_enable_ftp_server, false) ++gen_tunable(httpd_dbus_sssd, false) ## -##

@@ -4967,24 +5210,24 @@ index 1a82e29..bfe87eb 100644 -## its temporary content. -##

+##

-+## Allow httpd to act as a FTP client -+## connecting to the ftp port and ephemeral ports ++## Allow httpd cgi support +##

##
-gen_tunable(httpd_tmp_exec, false) -+gen_tunable(httpd_can_connect_ftp, false) ++gen_tunable(httpd_enable_cgi, false) ## -##

-## Determine whether httpd scripts and -## modules can use execmem and execstack. -##

-+##

-+## Allow httpd to connect to the ldap port -+##

++##

++## Allow httpd to act as a FTP server by ++## listening on the ftp port. ++##

##
-gen_tunable(httpd_execmem, false) -+gen_tunable(httpd_can_connect_ldap, false) ++gen_tunable(httpd_enable_ftp_server, false) ## -##

@@ -4992,34 +5235,35 @@ index 1a82e29..bfe87eb 100644 -## to port 80 for graceful shutdown. -##

+##

-+## Allow httpd to read home directories ++## Allow httpd to act as a FTP client ++## connecting to the ftp port and ephemeral ports +##

##
-gen_tunable(httpd_graceful_shutdown, false) -+gen_tunable(httpd_enable_homedirs, false) ++gen_tunable(httpd_can_connect_ftp, false) ## -##

-## Determine whether httpd can -## manage IPA content files. -##

-+##

-+## Allow httpd to read user content -+##

++##

++## Allow httpd to connect to the ldap port ++##

##
-gen_tunable(httpd_manage_ipa, false) -+gen_tunable(httpd_read_user_content, false) ++gen_tunable(httpd_can_connect_ldap, false) ## -##

-## Determine whether httpd can use mod_auth_ntlm_winbind. -##

+##

-+## Allow Apache to run in stickshift mode, not transition to passenger ++## Allow httpd to read home directories +##

##
-gen_tunable(httpd_mod_auth_ntlm_winbind, false) -+gen_tunable(httpd_run_stickshift, false) ++gen_tunable(httpd_enable_homedirs, false) ## -##

@@ -5027,11 +5271,10 @@ index 1a82e29..bfe87eb 100644 -## generic user home content files. -##

+##

-+## Allow Apache to query NS records ++## Allow httpd to read user content +##

##
--gen_tunable(httpd_read_user_content, false) -+gen_tunable(httpd_verify_dns, false) + gen_tunable(httpd_read_user_content, false) ## -##

@@ -5039,6 +5282,20 @@ index 1a82e29..bfe87eb 100644 -## its resource limits. -##

+##

++## Allow Apache to run in stickshift mode, not transition to passenger ++##

++##
++gen_tunable(httpd_run_stickshift, false) ++ ++## ++##

++## Allow Apache to query NS records ++##

++##
++gen_tunable(httpd_verify_dns, false) ++ ++## ++##

+## Allow httpd daemon to change its resource limits +##

##
@@ -5231,7 +5488,7 @@ index 1a82e29..bfe87eb 100644 type httpd_rotatelogs_t; type httpd_rotatelogs_exec_t; init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) -@@ -299,10 +369,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) +@@ -299,10 +383,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t) type httpd_squirrelmail_t; files_type(httpd_squirrelmail_t) @@ -5244,7 +5501,7 @@ index 1a82e29..bfe87eb 100644 type httpd_suexec_exec_t; domain_type(httpd_suexec_t) domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t) -@@ -311,9 +379,19 @@ role system_r types httpd_suexec_t; +@@ -311,9 +393,19 @@ role system_r types httpd_suexec_t; type httpd_suexec_tmp_t; files_tmp_file(httpd_suexec_tmp_t) @@ -5266,7 +5523,7 @@ index 1a82e29..bfe87eb 100644 type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -323,12 +401,19 @@ files_tmpfs_file(httpd_tmpfs_t) +@@ -323,12 +415,19 @@ files_tmpfs_file(httpd_tmpfs_t) apache_content_template(user) ubac_constrained(httpd_user_script_t) @@ -5286,7 +5543,7 @@ index 1a82e29..bfe87eb 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -343,33 +428,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad +@@ -343,33 +442,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t }; typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t }; 
@@ -5337,7 +5594,7 @@ index 1a82e29..bfe87eb 100644 allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow httpd_t self:fd use; allow httpd_t self:sock_file read_sock_file_perms; -@@ -378,28 +470,36 @@ allow httpd_t self:shm create_shm_perms; +@@ -378,28 +484,36 @@ allow httpd_t self:shm create_shm_perms; allow httpd_t self:sem create_sem_perms; allow httpd_t self:msgq create_msgq_perms; allow httpd_t self:msg { send receive }; @@ -5379,7 +5636,7 @@ index 1a82e29..bfe87eb 100644 logging_log_filetrans(httpd_t, httpd_log_t, file) allow httpd_t httpd_modules_t:dir list_dir_perms; -@@ -407,6 +507,8 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) +@@ -407,14 +521,21 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t) @@ -5388,8 +5645,10 @@ index 1a82e29..bfe87eb 100644 allow httpd_t httpd_rotatelogs_t:process signal_perms; manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) -@@ -415,6 +517,10 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) + manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) + manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) ++allow httpd_t httpd_suexec_exec_t:process { signal signull }; allow httpd_t httpd_suexec_exec_t:file read_file_perms; +allow httpd_t httpd_sys_content_t:dir list_dir_perms; 
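Review bot: The new rule `allow httpd_t httpd_suexec_exec_t:process { signal signull };` uses an entry-point file type as the target of a `process`-class permission; `httpd_suexec_exec_t` is declared earlier in this patch via `domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)`, so no running process ever carries that label and the rule can never match. The subject that httpd would actually signal is the suexec domain, i.e. `allow httpd_t httpd_suexec_t:process { signal signull };`. The adjacent `allow httpd_t httpd_suexec_exec_t:file read_file_perms;` is the file-class rule and is fine as is. The httpd_t block this sits in continues outside the hunk.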
@@ -5399,7 +5658,7 @@ index 1a82e29..bfe87eb 100644 allow httpd_t httpd_sys_script_t:unix_stream_socket connectto; manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) -@@ -445,140 +551,167 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -445,140 +566,172 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) @@ -5473,10 +5732,11 @@ index 1a82e29..bfe87eb 100644 +# execute perl +corecmd_exec_bin(httpd_t) +corecmd_exec_shell(httpd_t) -+ + +domain_use_interactive_fds(httpd_t) +domain_dontaudit_read_all_domains_state(httpd_t) - ++ ++files_dontaudit_search_all_pids(httpd_t) files_dontaudit_getattr_all_pids(httpd_t) -files_read_usr_files(httpd_t) +files_exec_usr_files(httpd_t) @@ -5540,16 +5800,20 @@ index 1a82e29..bfe87eb 100644 -ifdef(`hide_broken_symptoms',` - libs_exec_lib_files(httpd_t) ++tunable_policy(`httpd_dontaudit_search_dirs',` ++ files_dontaudit_search_non_security_dirs(httpd_t) + ') + +-tunable_policy(`allow_httpd_anon_write',` +- miscfiles_manage_public_files(httpd_t) +# +# We need optionals to be able to be within booleans to make this work +# +tunable_policy(`httpd_mod_auth_pam',` + auth_domtrans_chkpwd(httpd_t) + logging_send_audit_msgs(httpd_t) - ') - --tunable_policy(`allow_httpd_anon_write',` -- miscfiles_manage_public_files(httpd_t) ++') ++ +optional_policy(` + tunable_policy(`httpd_mod_auth_ntlm_winbind',` + samba_domtrans_winbind_helper(httpd_t) @@ -5632,7 +5896,7 @@ index 1a82e29..bfe87eb 100644 ') tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` -@@ -589,28 +722,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -589,28 +742,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` fs_cifs_domtrans(httpd_t, httpd_sys_script_t) ') 
@@ -5692,7 +5956,7 @@ index 1a82e29..bfe87eb 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -619,68 +774,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -619,68 +794,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_t) ') @@ -5783,7 +6047,7 @@ index 1a82e29..bfe87eb 100644 ') tunable_policy(`httpd_setrlimit',` -@@ -690,49 +821,48 @@ tunable_policy(`httpd_setrlimit',` +@@ -690,49 +841,48 @@ tunable_policy(`httpd_setrlimit',` tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) @@ -5864,30 +6128,33 @@ index 1a82e29..bfe87eb 100644 ') optional_policy(` -@@ -743,14 +873,6 @@ optional_policy(` - ccs_read_config(httpd_t) +@@ -744,24 +894,32 @@ optional_policy(` ') --optional_policy(` + optional_policy(` - clamav_domtrans_clamscan(httpd_t) --') -- --optional_policy(` ++ cron_system_entry(httpd_t, httpd_exec_t) + ') + + optional_policy(` - cobbler_read_config(httpd_t) - cobbler_read_lib_files(httpd_t) --') ++ cvs_read_data(httpd_t) + ') optional_policy(` - cron_system_entry(httpd_t, httpd_exec_t) -@@ -765,6 +887,23 @@ optional_policy(` +- cron_system_entry(httpd_t, httpd_exec_t) ++ daemontools_service_domain(httpd_t, httpd_exec_t) ') optional_policy(` +- cvs_read_data(httpd_t) + #needed by FreeIPA + dirsrv_stream_connect(httpd_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- daemontools_service_domain(httpd_t, httpd_exec_t) + dirsrv_manage_config(httpd_t) + dirsrv_manage_log(httpd_t) + dirsrv_manage_var_run(httpd_t) 
@@ -5897,13 +6164,21 @@ index 1a82e29..bfe87eb 100644 + dirsrvadmin_manage_config(httpd_t) + dirsrvadmin_manage_tmp(httpd_t) + dirsrvadmin_domtrans_unconfined_script_t(httpd_t) -+') -+ -+ optional_policy(` - dbus_system_bus_client(httpd_t) + ') + optional_policy(` +@@ -770,6 +928,10 @@ optional_policy(` tunable_policy(`httpd_dbus_avahi',` -@@ -781,34 +920,46 @@ optional_policy(` + avahi_dbus_chat(httpd_t) + ') ++ ++ tunable_policy(`httpd_dbus_sssd', ++ sssd_dbus_chat(httpd_t) ++ ') + ') + + optional_policy(` +@@ -781,34 +943,53 @@ optional_policy(` ') optional_policy(` @@ -5917,6 +6192,12 @@ index 1a82e29..bfe87eb 100644 +') + +optional_policy(` ++ mirrormanager_manage_pid_files(httpd_t) ++ mirrormanager_read_lib_files(httpd_t) ++ mirrormanager_read_log(httpd_t) ++') ++ ++optional_policy(` + jetty_admin(httpd_t) +') + @@ -5936,6 +6217,7 @@ index 1a82e29..bfe87eb 100644 - tunable_policy(`httpd_can_network_connect_ldap',` - ldap_tcp_connect(httpd_t) - ') ++ ldap_read_certs(httpd_t) ') optional_policy(` @@ -5961,7 +6243,7 @@ index 1a82e29..bfe87eb 100644 tunable_policy(`httpd_manage_ipa',` memcached_manage_pid_files(httpd_t) -@@ -816,8 +967,18 @@ optional_policy(` +@@ -816,8 +997,18 @@ optional_policy(` ') optional_policy(` @@ -5980,7 +6262,7 @@ index 1a82e29..bfe87eb 100644 tunable_policy(`httpd_can_network_connect_db',` mysql_tcp_connect(httpd_t) -@@ -826,6 +987,7 @@ optional_policy(` +@@ -826,6 +1017,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -5988,7 +6270,7 @@ index 1a82e29..bfe87eb 100644 ') optional_policy(` -@@ -836,20 +998,39 @@ optional_policy(` +@@ -836,20 +1028,39 @@ optional_policy(` ') optional_policy(` @@ -6014,7 +6296,7 @@ index 1a82e29..bfe87eb 100644 + pki_manage_apache_lib(httpd_t) + pki_manage_apache_log_files(httpd_t) + pki_manage_apache_run(httpd_t) -+ pki_read_tomcat_cert(httpd_t) ++ pki_read_tomcat_cert(httpd_t) +') - tunable_policy(`httpd_can_network_connect_db',` 
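Review bot: The added `tunable_policy(`httpd_dbus_sssd', sssd_dbus_chat(httpd_t) ')` block inside the dbus optional_policy opens its second argument without an m4 quote, unlike the neighbouring avahi block which is written ``tunable_policy(`httpd_dbus_avahi',` ``; unless the backtick was lost in rendering, m4 sees an unbalanced quote and the `sssd_dbus_chat(httpd_t)` rule is either dropped or breaks the module build. The first line should read ``tunable_policy(`httpd_dbus_sssd',` `` with the rule and closing `')` on the following lines, matching the avahi block. The tunable itself is declared earlier in this patch as `gen_tunable(httpd_dbus_sssd, false)`, so only the quoting is at issue. The enclosing optional_policy block starts outside the hunk.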
@@ -6022,19 +6304,19 @@ index 1a82e29..bfe87eb 100644 - ') +optional_policy(` + puppet_read_lib(httpd_t) ++') ++ ++optional_policy(` ++ pwauth_domtrans(httpd_t) ') optional_policy(` - puppet_read_lib_files(httpd_t) -+ pwauth_domtrans(httpd_t) -+') -+ -+optional_policy(` + rpm_dontaudit_read_db(httpd_t) ') optional_policy(` -@@ -857,19 +1038,35 @@ optional_policy(` +@@ -857,19 +1068,35 @@ optional_policy(` ') optional_policy(` @@ -6070,7 +6352,7 @@ index 1a82e29..bfe87eb 100644 udev_read_db(httpd_t) ') -@@ -877,65 +1074,173 @@ optional_policy(` +@@ -877,65 +1104,173 @@ optional_policy(` yam_read_content(httpd_t) ') @@ -6266,7 +6548,7 @@ index 1a82e29..bfe87eb 100644 files_dontaudit_search_pids(httpd_suexec_t) files_search_home(httpd_suexec_t) -@@ -944,123 +1249,74 @@ auth_use_nsswitch(httpd_suexec_t) +@@ -944,123 +1279,74 @@ auth_use_nsswitch(httpd_suexec_t) logging_search_logs(httpd_suexec_t) logging_send_syslog_msg(httpd_suexec_t) @@ -6421,7 +6703,7 @@ index 1a82e29..bfe87eb 100644 mysql_read_config(httpd_suexec_t) tunable_policy(`httpd_can_network_connect_db',` -@@ -1077,172 +1333,106 @@ optional_policy(` +@@ -1077,172 +1363,106 @@ optional_policy(` ') ') @@ -6593,7 +6875,8 @@ index 1a82e29..bfe87eb 100644 -allow httpd_sys_script_t httpd_t:tcp_socket { read write }; - -dontaudit httpd_sys_script_t httpd_config_t:dir search; -- ++corenet_all_recvfrom_netlabel(httpd_sys_script_t) + -allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms }; - -allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms; @@ -6619,8 +6902,7 @@ index 1a82e29..bfe87eb 100644 - corenet_sendrecv_pop_client_packets(httpd_sys_script_t) - corenet_tcp_connect_pop_port(httpd_sys_script_t) - corenet_tcp_sendrecv_pop_port(httpd_sys_script_t) -+corenet_all_recvfrom_netlabel(httpd_sys_script_t) - +- - mta_send_mail(httpd_sys_script_t) - mta_signal_system_mail(httpd_sys_script_t) +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` 
@@ -6658,7 +6940,7 @@ index 1a82e29..bfe87eb 100644 ') tunable_policy(`httpd_read_user_content',` -@@ -1250,64 +1440,74 @@ tunable_policy(`httpd_read_user_content',` +@@ -1250,64 +1470,74 @@ tunable_policy(`httpd_read_user_content',` ') tunable_policy(`httpd_use_cifs',` @@ -6755,7 +7037,7 @@ index 1a82e29..bfe87eb 100644 ######################################## # -@@ -1315,8 +1515,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) +@@ -1315,8 +1545,15 @@ miscfiles_read_localization(httpd_rotatelogs_t) # optional_policy(` @@ -6772,7 +7054,7 @@ index 1a82e29..bfe87eb 100644 ') ######################################## -@@ -1324,49 +1531,38 @@ optional_policy(` +@@ -1324,49 +1561,38 @@ optional_policy(` # User content local policy # @@ -6837,7 +7119,7 @@ index 1a82e29..bfe87eb 100644 kernel_read_system_state(httpd_passwd_t) corecmd_exec_bin(httpd_passwd_t) -@@ -1376,38 +1572,99 @@ dev_read_urand(httpd_passwd_t) +@@ -1376,38 +1602,99 @@ dev_read_urand(httpd_passwd_t) domain_use_interactive_fds(httpd_passwd_t) @@ -6958,10 +7240,12 @@ index 1a82e29..bfe87eb 100644 + corenet_tcp_connect_osapi_compute_port(httpd_t) ') diff --git a/apcupsd.fc b/apcupsd.fc -index 5ec0e13..1c37fe1 100644 +index 5ec0e13..462acb8 100644 --- a/apcupsd.fc +++ b/apcupsd.fc -@@ -1,10 +1,13 @@ +@@ -1,10 +1,15 @@ ++/etc/apcupsd/powerfail -- gen_context(system_u:object_r:apcupsd_power_t,s0) ++ /etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0) +/usr/lib/systemd/system/apcupsd.* -- gen_context(system_u:object_r:apcupsd_unit_file_t,s0) @@ -6976,7 +7260,7 @@ index 5ec0e13..1c37fe1 100644 /var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0) /var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0) diff --git a/apcupsd.if b/apcupsd.if -index f3c0aba..b6afc90 100644 +index f3c0aba..cbe3d4a 100644 --- a/apcupsd.if +++ b/apcupsd.if @@ -125,6 +125,49 @@ interface(`apcupsd_cgi_script_domtrans',` 
@@ -7029,11 +7313,12 @@ index f3c0aba..b6afc90 100644 ## All of the rules required to ## administrate an apcupsd environment. ##
-@@ -144,11 +187,16 @@ interface(`apcupsd_admin',` +@@ -144,11 +187,17 @@ interface(`apcupsd_admin',` gen_require(` type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t; type apcupsd_var_run_t, apcupsd_initrc_exec_t, apcupsd_lock_t; + type apcupsd_unit_file_t; ++ type apcupsd_power_t; ') - allow $1 apcupsd_t:process { ptrace signal_perms }; @@ -7047,7 +7332,7 @@ index f3c0aba..b6afc90 100644 apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 apcupsd_initrc_exec_t system_r; -@@ -165,4 +213,8 @@ interface(`apcupsd_admin',` +@@ -165,4 +214,11 @@ interface(`apcupsd_admin',` files_list_pids($1) admin_pattern($1, apcupsd_var_run_t) @@ -7055,33 +7340,42 @@ index f3c0aba..b6afc90 100644 + apcupsd_systemctl($1) + admin_pattern($1, apcupsd_unit_file_t) + allow $1 apcupsd_unit_file_t:service all_service_perms; ++ ++ manage_files_pattern($1, apcupsd_power_t, apcupsd_power_t) ++ files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail") ') diff --git a/apcupsd.te b/apcupsd.te -index b236327..7b2142b 100644 +index b236327..a370cb8 100644 --- a/apcupsd.te 
+++ b/apcupsd.te -@@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t) +@@ -24,6 +24,12 @@ files_tmp_file(apcupsd_tmp_t) type apcupsd_var_run_t; files_pid_file(apcupsd_var_run_t) ++type apcupsd_power_t; ++files_type(apcupsd_power_t) ++ +type apcupsd_unit_file_t; +systemd_unit_file(apcupsd_unit_file_t) + ######################################## # # Local policy -@@ -38,9 +41,7 @@ allow apcupsd_t self:tcp_socket create_stream_socket_perms; +@@ -38,9 +44,10 @@ allow apcupsd_t self:tcp_socket create_stream_socket_perms; allow apcupsd_t apcupsd_lock_t:file manage_file_perms; files_lock_filetrans(apcupsd_t, apcupsd_lock_t, file) -append_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t) -create_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t) -setattr_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t) ++manage_files_pattern(apcupsd_t, apcupsd_power_t, apcupsd_power_t) ++files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail") ++ +manage_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t) logging_log_filetrans(apcupsd_t, apcupsd_log_t, file) manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t) -@@ -54,7 +55,6 @@ kernel_read_system_state(apcupsd_t) +@@ -54,7 +61,6 @@ kernel_read_system_state(apcupsd_t) corecmd_exec_bin(apcupsd_t) corecmd_exec_shell(apcupsd_t) @@ -7089,7 +7383,7 @@ index b236327..7b2142b 100644 corenet_all_recvfrom_netlabel(apcupsd_t) corenet_tcp_sendrecv_generic_if(apcupsd_t) corenet_tcp_sendrecv_generic_node(apcupsd_t) -@@ -67,6 +67,8 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t) +@@ -67,6 +73,8 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t) corenet_sendrecv_apcupsd_server_packets(apcupsd_t) corenet_tcp_sendrecv_apcupsd_port(apcupsd_t) corenet_tcp_connect_apcupsd_port(apcupsd_t) 
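Review bot: In `apcupsd_admin`, the new `files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")` hard-codes the daemon domain where every other rule in the interface, including the `manage_files_pattern($1, apcupsd_power_t, apcupsd_power_t)` directly above it, is granted to the caller `$1`; the identical apcupsd_t rule is also added to apcupsd.te in this same change, so inside the interface it is either a copy-paste slip or redundant. Either write `files_etc_filetrans($1, apcupsd_power_t, file, "powerfail")` so an admin creating /etc/apcupsd/powerfail gets the apcupsd_power_t label, or drop the line from the interface and rely on the .te rule. The interface body starts outside the hunk.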
@@ -7098,7 +7392,7 @@ index b236327..7b2142b 100644 corenet_udp_bind_snmp_port(apcupsd_t) corenet_sendrecv_snmp_server_packets(apcupsd_t) -@@ -74,19 +76,25 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t) +@@ -74,19 +82,23 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t) dev_rw_generic_usb_dev(apcupsd_t) @@ -7122,13 +7416,23 @@ index b236327..7b2142b 100644 sysnet_dns_name_resolve(apcupsd_t) -userdom_use_user_ttys(apcupsd_t) -+systemd_start_power_services(apcupsd_t) -+ +userdom_use_inherited_user_ttys(apcupsd_t) optional_policy(` hostname_exec(apcupsd_t) -@@ -112,7 +120,6 @@ optional_policy(` +@@ -101,6 +113,11 @@ optional_policy(` + shutdown_domtrans(apcupsd_t) + ') + ++optional_policy(` ++ systemd_start_power_services(apcupsd_t) ++ systemd_status_power_services(apcupsd_t) ++') ++ + ######################################## + # + # CGI local policy +@@ -112,7 +129,6 @@ optional_policy(` allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms; allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms; @@ -7195,7 +7499,7 @@ index 1a7a97e..1d29dce 100644 domain_system_change_exemption($1) role_transition $2 apmd_initrc_exec_t system_r; diff --git a/apm.te b/apm.te -index 3590e2f..e1494bd 100644 +index 3590e2f..1d8a844 100644 --- a/apm.te +++ b/apm.te @@ -35,6 +35,9 @@ files_type(apmd_var_lib_t) 
@@ -7226,7 +7530,15 @@ index 3590e2f..e1494bd 100644 allow apmd_t self:process { signal_perms getsession }; allow apmd_t self:fifo_file rw_fifo_file_perms; allow apmd_t self:netlink_socket create_socket_perms; -@@ -114,8 +117,7 @@ fs_dontaudit_getattr_all_files(apmd_t) +@@ -90,6 +93,7 @@ kernel_read_kernel_sysctls(apmd_t) + kernel_rw_all_sysctls(apmd_t) + kernel_read_system_state(apmd_t) + kernel_write_proc_files(apmd_t) ++kernel_request_load_module(apmd_t) + + dev_read_input(apmd_t) + dev_read_mouse(apmd_t) +@@ -114,8 +118,7 @@ fs_dontaudit_getattr_all_files(apmd_t) fs_dontaudit_getattr_all_symlinks(apmd_t) fs_dontaudit_getattr_all_pipes(apmd_t) fs_dontaudit_getattr_all_sockets(apmd_t) @@ -7236,7 +7548,7 @@ index 3590e2f..e1494bd 100644 corecmd_exec_all_executables(apmd_t) -@@ -129,6 +131,8 @@ domain_dontaudit_list_all_domains_state(apmd_t) +@@ -129,6 +132,8 @@ domain_dontaudit_list_all_domains_state(apmd_t) auth_use_nsswitch(apmd_t) init_domtrans_script(apmd_t) @@ -7245,7 +7557,7 @@ index 3590e2f..e1494bd 100644 libs_exec_ld_so(apmd_t) libs_exec_lib_files(apmd_t) -@@ -136,17 +140,16 @@ libs_exec_lib_files(apmd_t) +@@ -136,17 +141,16 @@ libs_exec_lib_files(apmd_t) logging_send_audit_msgs(apmd_t) logging_send_syslog_msg(apmd_t) @@ -7265,7 +7577,7 @@ index 3590e2f..e1494bd 100644 optional_policy(` automount_domtrans(apmd_t) -@@ -206,11 +209,15 @@ optional_policy(` +@@ -206,11 +210,15 @@ optional_policy(` ') optional_policy(` @@ -7733,10 +8045,10 @@ index 0000000..316c324 +') diff --git a/authconfig.te b/authconfig.te new file mode 100644 -index 0000000..f2aa4e6 +index 0000000..362a049 --- /dev/null +++ b/authconfig.te -@@ -0,0 +1,32 @@ +@@ -0,0 +1,33 @@ +policy_module(authconfig, 1.0.0) + +######################################## 
@@ -7765,6 +8077,7 @@ index 0000000..f2aa4e6 +files_var_lib_filetrans(authconfig_t, authconfig_var_lib_t, { dir file lnk_file }) + +domain_use_interactive_fds(authconfig_t) ++domain_named_filetrans(authconfig_t) + +init_domtrans_script(authconfig_t) + @@ -7878,7 +8191,7 @@ index 089430a..b0bed70 100644 + allow $1 automount_unit_file_t:service all_service_perms; ') diff --git a/automount.te b/automount.te -index a579c3b..294b5f4 100644 +index a579c3b..f27656d 100644 --- a/automount.te +++ b/automount.te @@ -22,12 +22,16 @@ type automount_tmp_t; @@ -7915,7 +8228,15 @@ index a579c3b..294b5f4 100644 files_search_boot(automount_t) files_search_all(automount_t) files_unmount_all_file_type_fs(automount_t) -@@ -130,15 +132,18 @@ auth_use_nsswitch(automount_t) +@@ -108,6 +110,7 @@ fs_manage_autofs_symlinks(automount_t) + fs_mount_all_fs(automount_t) + fs_mount_autofs(automount_t) + fs_read_nfs_files(automount_t) ++fs_read_nfs_symlinks(automount_t) + fs_search_all(automount_t) + fs_search_auto_mountpoints(automount_t) + fs_unmount_all_fs(automount_t) +@@ -130,15 +133,18 @@ auth_use_nsswitch(automount_t) logging_send_syslog_msg(automount_t) logging_search_logs(automount_t) @@ -7938,7 +8259,7 @@ index a579c3b..294b5f4 100644 fstools_domtrans(automount_t) ') -@@ -160,3 +165,8 @@ optional_policy(` +@@ -160,3 +166,8 @@ optional_policy(` optional_policy(` udev_read_db(automount_t) ') @@ -8139,11 +8460,51 @@ index d6ceef4..c10d39c 100644 optional_policy(` cron_system_entry(backup_t, backup_exec_t) +diff --git a/bacula.if b/bacula.if +index dcd774e..c240ffa 100644 +--- a/bacula.if ++++ b/bacula.if +@@ -69,6 +69,7 @@ interface(`bacula_admin',` + type bacula_t, bacula_etc_t, bacula_log_t; + type bacula_spool_t, bacula_var_lib_t; + type bacula_var_run_t, bacula_initrc_exec_t; ++ attribute_role bacula_admin_roles; + ') + + allow $1 bacula_t:process { ptrace signal_perms }; diff --git a/bacula.te b/bacula.te -index 3beba2f..7ca4480 100644 +index 3beba2f..12cd4f6 100644 --- a/bacula.te 
+++ b/bacula.te -@@ -148,9 +148,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t) +@@ -43,7 +43,7 @@ role bacula_admin_roles types bacula_admin_t; + # Local policy + # + +-allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid}; ++allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid setgid setuid}; + allow bacula_t self:process signal; + allow bacula_t self:fifo_file rw_fifo_file_perms; + allow bacula_t self:tcp_socket { accept listen }; +@@ -88,6 +88,10 @@ corenet_udp_bind_generic_node(bacula_t) + corenet_sendrecv_generic_server_packets(bacula_t) + corenet_udp_bind_generic_port(bacula_t) + ++ ++#TODO: check port labels for hplip a bacula ++corenet_tcp_bind_bacula_port(bacula_t) ++ + corenet_sendrecv_hplip_server_packets(bacula_t) + corenet_tcp_bind_hplip_port(bacula_t) + corenet_udp_bind_hplip_port(bacula_t) +@@ -105,6 +109,7 @@ files_read_all_symlinks(bacula_t) + fs_getattr_xattr_fs(bacula_t) + fs_list_all(bacula_t) + ++auth_use_nsswitch(bacula_t) + auth_read_shadow(bacula_t) + + logging_send_syslog_msg(bacula_t) +@@ -148,9 +153,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t) domain_use_interactive_fds(bacula_admin_t) @@ -8259,13 +8620,14 @@ index 536ec3c..271b976 100644 - -miscfiles_read_localization(bcfg2_t) diff --git a/bind.fc b/bind.fc -index 2b9a3a1..1742ebf 100644 +index 2b9a3a1..f755e6b 100644 --- a/bind.fc +++ b/bind.fc -@@ -1,54 +1,71 @@ +@@ -1,54 +1,75 @@ -/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) -/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) +/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/named-sdb -- gen_context(system_u:object_r:named_initrc_exec_t,s0) +/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) -/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0) 
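Review bot: The bacula_t capability set grows from `{ dac_read_search dac_override chown fowner fsetid }` to include `setgid setuid`, which lets the daemon switch to any uid/gid, but nothing in the hunk records which bacula operation needs it; a why-comment above the rule, e.g. `# setuid/setgid: needed for <operation> -- TODO confirm`, keeps the widening reviewable. The new `#TODO: check port labels for hplip a bacula` reads as a typo for `# TODO: check port labels for hplip and bacula` and sits above `corenet_tcp_bind_bacula_port(bacula_t)`, which is added alongside the existing hplip port binds rather than replacing them. In bacula.if the `attribute_role bacula_admin_roles;` added to the gen_require of `bacula_admin` is not referenced by any visible line of that interface; presumably it is used further down, outside the hunk.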
@@ -8288,12 +8650,14 @@ index 2b9a3a1..1742ebf 100644 + +/usr/lib/systemd/system/unbound.* -- gen_context(system_u:object_r:named_unit_file_t,s0) +/usr/lib/systemd/system/named.* -- gen_context(system_u:object_r:named_unit_file_t,s0) ++/usr/lib/systemd/system/named-sdb.* -- gen_context(system_u:object_r:named_unit_file_t,s0) /usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0) -/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) -/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0) -/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0) +/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0) ++/usr/sbin/named-sdb -- gen_context(system_u:object_r:named_exec_t,s0) +/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0) +/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0) /usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0) @@ -8360,6 +8724,7 @@ index 2b9a3a1..1742ebf 100644 -/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0) -/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0) ++/var/named/chroot/run/named.* gen_context(system_u:object_r:named_var_run_t,s0) +/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0) +/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0) +/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0) @@ -9283,7 +9648,7 @@ index 02fefaa..fbcef10 100644 + ') ') diff --git a/boinc.te b/boinc.te -index 7c92aa1..47619ff 100644 +index 7c92aa1..44edba7 100644 --- a/boinc.te +++ b/boinc.te @@ -1,11 +1,20 @@ 
@@ -9485,22 +9850,24 @@ index 7c92aa1..47619ff 100644 term_getattr_all_ptys(boinc_t) term_getattr_unallocated_ttys(boinc_t) -@@ -130,55 +151,67 @@ init_read_utmp(boinc_t) +@@ -130,55 +151,69 @@ init_read_utmp(boinc_t) logging_send_syslog_msg(boinc_t) -miscfiles_read_fonts(boinc_t) -miscfiles_read_localization(boinc_t) ++modutils_dontaudit_exec_insmod(boinc_t) + +-optional_policy(` +- mta_send_mail(boinc_t) +-') +xserver_stream_connect(boinc_t) optional_policy(` - mta_send_mail(boinc_t) +- sysnet_dns_name_resolve(boinc_t) ++ mta_send_mail(boinc_t) ') --optional_policy(` -- sysnet_dns_name_resolve(boinc_t) --') -- ######################################## # -# Project local policy 
@@ -9694,6 +10061,217 @@ index 41f8251..57f094e 100644 optional_policy(` mta_send_mail(httpd_bugzilla_script_t) ') +diff --git a/bumblebee.fc b/bumblebee.fc +new file mode 100644 +index 0000000..b5ee23b +--- /dev/null ++++ b/bumblebee.fc +@@ -0,0 +1,7 @@ ++/etc/systemd/system/bumblebeed.* -- gen_context(system_u:object_r:bumblebee_unit_file_t,s0) ++ ++/usr/lib/systemd/system/bumblebeed.* -- gen_context(system_u:object_r:bumblebee_unit_file_t,s0) ++ ++/usr/sbin/bumblebeed -- gen_context(system_u:object_r:bumblebee_exec_t,s0) ++ ++/var/run/bumblebee.* gen_context(system_u:object_r:bumblebee_var_run_t,s0) +diff --git a/bumblebee.if b/bumblebee.if +new file mode 100644 +index 0000000..de66654 +--- /dev/null ++++ b/bumblebee.if +@@ -0,0 +1,121 @@ ++## policy for bumblebee ++ ++######################################## ++## ++## Execute bumblebee in the bumblebee domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`bumblebee_domtrans',` ++ gen_require(` ++ type bumblebee_t, bumblebee_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, bumblebee_exec_t, bumblebee_t) ++') ++ ++######################################## ++## ++## Read bumblebee PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`bumblebee_read_pid_files',` ++ gen_require(` ++ type bumblebee_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, bumblebee_var_run_t, bumblebee_var_run_t) ++') ++ ++######################################## ++## ++## Execute bumblebee server in the bumblebee domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`bumblebee_systemctl',` ++ gen_require(` ++ type bumblebee_t; ++ type bumblebee_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 bumblebee_unit_file_t:file read_file_perms; ++ allow $1 bumblebee_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, bumblebee_t) ++') ++ ++######################################## ++## ++## Connect to bumblebee over a unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`bumblebee_stream_connect',` ++ gen_require(` ++ type bumblebee_t, bumblebee_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, bumblebee_var_run_t, bumblebee_var_run_t, bumblebee_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an bumblebee environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`bumblebee_admin',` ++ gen_require(` ++ type bumblebee_t; ++ type bumblebee_var_run_t; ++ type bumblebee_unit_file_t; ++ ') ++ ++ allow $1 bumblebee_t:process { signal_perms }; ++ ps_process_pattern($1, bumblebee_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 bumblebee_t:process ptrace; ++ ') ++ ++ files_search_pids($1) ++ admin_pattern($1, bumblebee_var_run_t) ++ ++ bumblebee_systemctl($1) ++ admin_pattern($1, bumblebee_unit_file_t) ++ allow $1 bumblebee_unit_file_t:service all_service_perms; ++ ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/bumblebee.te b/bumblebee.te +new file mode 100644 +index 0000000..6e058fc +--- /dev/null ++++ b/bumblebee.te +@@ -0,0 +1,65 @@ ++policy_module(bumblebee, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type bumblebee_t; ++type bumblebee_exec_t; ++init_daemon_domain(bumblebee_t, bumblebee_exec_t) ++ ++type bumblebee_var_run_t; ++files_pid_file(bumblebee_var_run_t) ++ ++type 
bumblebee_unit_file_t; ++systemd_unit_file(bumblebee_unit_file_t) ++ ++######################################## ++# ++# bumblebee local policy ++# ++ ++allow bumblebee_t self:capability { setgid }; ++allow bumblebee_t self:process { fork signal_perms }; ++allow bumblebee_t self:fifo_file rw_fifo_file_perms; ++allow bumblebee_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t) ++manage_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t) ++manage_sock_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t) ++manage_lnk_files_pattern(bumblebee_t, bumblebee_var_run_t, bumblebee_var_run_t) ++files_pid_filetrans(bumblebee_t, bumblebee_var_run_t, { dir file lnk_file sock_file }) ++ ++kernel_read_system_state(bumblebee_t) ++kernel_dontaudit_access_check_proc(bumblebee_t) ++kernel_manage_debugfs(bumblebee_t) ++ ++corecmd_exec_shell(bumblebee_t) ++corecmd_exec_bin(bumblebee_t) ++ ++dev_read_sysfs(bumblebee_t) ++ ++auth_read_passwd(bumblebee_t) ++ ++logging_send_syslog_msg(bumblebee_t) ++ ++modutils_domtrans_insmod(bumblebee_t) ++modutils_signal_insmod(bumblebee_t) ++ ++sysnet_dns_name_resolve(bumblebee_t) ++ ++xserver_domtrans(bumblebee_t) ++xserver_kill(bumblebee_t) ++xserver_signal(bumblebee_t) ++xserver_stream_connect(bumblebee_t) ++xserver_manage_xkb_libs(bumblebee_t) ++corenet_tcp_connect_xserver_port(bumblebee_t) ++ ++optional_policy(` ++ apm_stream_connect(bumblebee_t) ++') ++ ++optional_policy(` ++ unconfined_domain(bumblebee_t) ++') diff --git a/cachefilesd.fc b/cachefilesd.fc index 648c790..aa03fc8 100644 --- a/cachefilesd.fc 
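Review bot: The `bumblebee_systemctl` interface in bumblebee.if carries the summary `Execute bumblebee server in the bumblebee domain.`, copied from `bumblebee_domtrans`, although its body calls `systemd_exec_systemctl($1)` and grants `manage_service_perms` on `bumblebee_unit_file_t`; it should read `Execute systemctl in the caller domain to manage the bumblebee service.`, since the doc block is what callers read. Two smaller wording slips: `domin` in the `bumblebee_domtrans` summary and `an bumblebee environment` in `bumblebee_admin`. In bumblebee.te the trailing `optional_policy(` unconfined_domain(bumblebee_t) ')` makes the domain unconfined wherever the unconfined module is loaded, so the finer-grained rules above it (the insmod transition, `kernel_manage_debugfs`, the xserver control rules) only take effect without that module; a comment such as `# deliberately unconfined when the unconfined module is loaded; the rules above apply only without it -- TODO confirm` would make the intent explicit.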
@@ -9972,6 +10550,19 @@ index 581c8ef..2c71b1d 100644 +dev_search_sysfs(cachefiles_kernel_t) + +init_sigchld_script(cachefiles_kernel_t) +diff --git a/calamaris.if b/calamaris.if +index cd9c528..ba793b7 100644 +--- a/calamaris.if ++++ b/calamaris.if +@@ -42,7 +42,7 @@ interface(`calamaris_run',` + attribute_role calamaris_roles; + ') + +- lightsquid_domtrans($1) ++ calamaris_domtrans($1) + roleattribute $2 calamaris_roles; + ') + diff --git a/calamaris.te b/calamaris.te index f4f21d3..de28437 100644 --- a/calamaris.te @@ -10279,7 +10870,7 @@ index 008f8ef..144c074 100644 admin_pattern($1, certmonger_var_run_t) ') diff --git a/certmonger.te b/certmonger.te -index 2354e21..fb8c9ed 100644 +index 2354e21..b2b0a2f 100644 --- a/certmonger.te +++ b/certmonger.te @@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t) @@ -10316,7 +10907,7 @@ index 2354e21..fb8c9ed 100644 corenet_all_recvfrom_unlabeled(certmonger_t) corenet_all_recvfrom_netlabel(certmonger_t) -@@ -49,16 +55,21 @@ corenet_tcp_sendrecv_generic_node(certmonger_t) +@@ -49,17 +55,25 @@ corenet_tcp_sendrecv_generic_node(certmonger_t) corenet_sendrecv_certmaster_client_packets(certmonger_t) corenet_tcp_connect_certmaster_port(certmonger_t) @@ -10324,6 +10915,8 @@ index 2354e21..fb8c9ed 100644 +corenet_tcp_connect_http_port(certmonger_t) +corenet_tcp_connect_http_cache_port(certmonger_t) + ++corenet_tcp_connect_ldap_port(certmonger_t) ++ +corenet_tcp_connect_pki_ca_port(certmonger_t) corenet_tcp_sendrecv_certmaster_port(certmonger_t) @@ -10337,9 +10930,11 @@ index 2354e21..fb8c9ed 100644 -files_read_usr_files(certmonger_t) files_list_tmp(certmonger_t) ++files_list_home(certmonger_t) fs_search_cgroup_dirs(certmonger_t) -@@ -70,16 +81,17 @@ init_getattr_all_script_files(certmonger_t) + +@@ -70,16 +84,18 @@ init_getattr_all_script_files(certmonger_t) logging_send_syslog_msg(certmonger_t) 
@@ -10349,6 +10944,7 @@ index 2354e21..fb8c9ed 100644 +systemd_exec_systemctl(certmonger_t) + userdom_search_user_home_content(certmonger_t) ++userdom_manage_home_certs(certmonger_t) optional_policy(` - apache_initrc_domtrans(certmonger_t) @@ -10359,7 +10955,7 @@ index 2354e21..fb8c9ed 100644 ') optional_policy(` -@@ -92,11 +104,47 @@ optional_policy(` +@@ -92,11 +108,51 @@ optional_policy(` ') optional_policy(` @@ -10370,6 +10966,10 @@ index 2354e21..fb8c9ed 100644 +') + +optional_policy(` ++ ipa_manage_lib(certmonger_t) ++') ++ ++optional_policy(` kerberos_use(certmonger_t) + kerberos_read_keytab(certmonger_t) ') @@ -10381,7 +10981,7 @@ index 2354e21..fb8c9ed 100644 + +optional_policy(` + pki_rw_tomcat_cert(certmonger_t) -+ pki_read_tomcat_lib_files(certmonger_t) ++ pki_read_tomcat_lib_files(certmonger_t) +') + +######################################## @@ -10621,7 +11221,7 @@ index 85ca63f..1d1c99c 100644 admin_pattern($1, { cgconfig_etc_t cgrules_etc_t }) files_list_etc($1) diff --git a/cgroup.te b/cgroup.te -index fdee107..7a38b63 100644 +index fdee107..a4c2efb 100644 --- a/cgroup.te +++ b/cgroup.te @@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t) @@ -10649,7 +11249,7 @@ index fdee107..7a38b63 100644 domain_setpriority_all_domains(cgclear_t) fs_manage_cgroup_dirs(cgclear_t) -@@ -64,20 +66,21 @@ allow cgconfig_t cgconfig_etc_t:file read_file_perms; +@@ -64,23 +66,25 @@ allow cgconfig_t cgconfig_etc_t:file read_file_perms; kernel_list_unlabeled(cgconfig_t) kernel_read_system_state(cgconfig_t) 
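Review bot: `++userdom_manage_home_certs(certmonger_t)` gives the system-wide certmonger daemon create, write and delete access to certificate files under every user's home, where the context line above it (`userdom_search_user_home_content(certmonger_t)`) only allowed searching; together with `++files_list_home(certmonger_t)` in the preceding hunk this is a sizeable widening for an unattended daemon. If the use case is tracking user-owned certificates, read/write on existing files would cover it without letting the daemon unlink or replace a user's keys; if full manage is really needed, a one-line comment naming the request path that needs it, or a tunable so it is off by default, would make the grant auditable. The `optional_policy(` block at the end of the hunk continues outside it.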
@@ -10674,13 +11274,19 @@ index fdee107..7a38b63 100644 allow cgred_t self:netlink_socket { write bind create read }; allow cgred_t self:unix_dgram_socket { write create connect }; -@@ -99,10 +102,10 @@ domain_setpriority_all_domains(cgred_t) ++allow cgred_t cgconfig_etc_t:file read_file_perms; + allow cgred_t cgrules_etc_t:file read_file_perms; + + allow cgred_t cgred_log_t:file { append_file_perms create_file_perms setattr_file_perms }; +@@ -99,10 +103,11 @@ domain_setpriority_all_domains(cgred_t) files_getattr_all_files(cgred_t) files_getattr_all_sockets(cgred_t) files_read_all_symlinks(cgred_t) -files_read_etc_files(cgred_t) - fs_write_cgroup_files(cgred_t) +-fs_write_cgroup_files(cgred_t) ++fs_manage_cgroup_dirs(cgred_t) ++fs_manage_cgroup_files(cgred_t) +fs_list_inotifyfs(cgred_t) -logging_send_syslog_msg(cgred_t) @@ -10705,10 +11311,10 @@ index 0000000..57866f6 +HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0) diff --git a/chrome.if b/chrome.if new file mode 100644 -index 0000000..5977d96 +index 0000000..23407b8 --- /dev/null +++ b/chrome.if -@@ -0,0 +1,134 @@ +@@ -0,0 +1,137 @@ + +## policy for chrome + @@ -10732,6 +11338,9 @@ index 0000000..5977d96 + + allow $1 chrome_sandbox_t:fd use; + ++ dontaudit chrome_sandbox_t $1:socket_class_set getattr; ++ allow chrome_sandbox_t $1:unix_stream_socket rw_socket_perms; ++ + ifdef(`hide_broken_symptoms',` + fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t) + ') @@ -10845,10 +11454,10 @@ index 0000000..5977d96 +') diff --git a/chrome.te b/chrome.te new file mode 100644 -index 0000000..406f3a0 +index 0000000..fb60ffc --- /dev/null +++ b/chrome.te -@@ -0,0 +1,242 @@ +@@ -0,0 +1,248 @@ +policy_module(chrome,1.0.0) + +######################################## 
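Review bot: `++fs_manage_cgroup_dirs(cgred_t)` lets the rules daemon create, rename and remove cgroup directories, a larger step than the `fs_write_cgroup_files(cgred_t)` it replaces: moving a pid into a cgroup only needs write on the control files inside an existing directory. Unless cgrulesengd is expected to create cgroups itself, `fs_manage_cgroup_files(cgred_t)` plus `fs_search_cgroup_dirs(cgred_t)` covers the task-file writes without allowing the hierarchy to be reshaped. If directory creation is the denial that motivated this, a short comment on the line saying so would stop the next reviewer from tightening it again.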
@@ -10977,6 +11586,8 @@ index 0000000..406f3a0 +userdom_manage_home_certs(chrome_sandbox_t) + +optional_policy(` ++ gnome_exec_config_home_files(chrome_sandbox_t) ++ gnome_read_generic_cache_files(chrome_sandbox_t) + gnome_rw_inherited_config(chrome_sandbox_t) + gnome_read_home_config(chrome_sandbox_t) + gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chromium") @@ -11025,6 +11636,10 @@ index 0000000..406f3a0 +') + +optional_policy(` ++ bumblebee_stream_connect(chrome_sandbox_t) ++') ++ ++optional_policy(` + cups_stream_connect(chrome_sandbox_t) +') + @@ -11824,14 +12439,15 @@ index 29782b8..685edff 100644 ') diff --git a/cloudform.fc b/cloudform.fc new file mode 100644 -index 0000000..3a0de96 +index 0000000..6cc6774 --- /dev/null +++ b/cloudform.fc -@@ -0,0 +1,27 @@ +@@ -0,0 +1,28 @@ +/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0) + +/usr/bin/cloud-init -- gen_context(system_u:object_r:cloud_init_exec_t,s0) ++/usr/libexec/min-metadata-service -- gen_context(system_u:object_r:cloud_init_exec_t,s0) +/usr/bin/deltacloudd -- gen_context(system_u:object_r:deltacloudd_exec_t,s0) +/usr/bin/iwhd -- gen_context(system_u:object_r:iwhd_exec_t,s0) +/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0) @@ -11843,7 +12459,7 @@ index 0000000..3a0de96 +/usr/lib/systemd/system/cloud-init.* -- gen_context(system_u:object_r:cloud_init_unit_file_t,s0) + +/var/lib/cloud(/.*)? gen_context(system_u:object_r:cloud_var_lib_t,s0) -+/var/log/cloud-init\.log -- gen_context(system_u:object_r:cloud_log_t,s0) ++/var/log/cloud-init\.log.* -- gen_context(system_u:object_r:cloud_log_t,s0) +/var/lib/iwhd(/.*)? gen_context(system_u:object_r:iwhd_var_lib_t,s0) +/var/lib/mongo.* gen_context(system_u:object_r:mongod_var_lib_t,s0) + @@ -11905,10 +12521,10 @@ index 0000000..8ac848b +') 
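Review bot: `++ gnome_exec_config_home_files(chrome_sandbox_t)` grants the sandbox domain execute on files in the user's GNOME config home, which is user-writable content, so anything dropped there becomes runnable inside the sandbox — the opposite of what a sandbox label is for. The neighbouring addition `++ gnome_read_generic_cache_files(chrome_sandbox_t)` and the existing read/rw-inherited lines are read-side and unremarkable. Track down the specific file behind the denial and give it its own executable type, or put this line under a tunable with a comment naming that file, rather than an exec grant over the whole config tree.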
diff --git a/cloudform.te b/cloudform.te new file mode 100644 -index 0000000..4e41e84 +index 0000000..786d623 --- /dev/null +++ b/cloudform.te -@@ -0,0 +1,298 @@ +@@ -0,0 +1,299 @@ +policy_module(cloudform, 1.0) +######################################## +# @@ -12072,6 +12688,7 @@ index 0000000..4e41e84 + +optional_policy(` + rpm_domtrans(cloud_init_t) ++ rpm_transition_script(cloud_init_t) + unconfined_domain(cloud_init_t) +') + @@ -12240,7 +12857,7 @@ index cc4e7cb..f348d27 100644 domain_system_change_exemption($1) role_transition $2 cmirrord_initrc_exec_t system_r; diff --git a/cmirrord.te b/cmirrord.te -index d8e9958..d2303a4 100644 +index d8e9958..e4c023c 100644 --- a/cmirrord.te +++ b/cmirrord.te @@ -23,7 +23,7 @@ files_pid_file(cmirrord_var_run_t) @@ -12252,13 +12869,14 @@ index d8e9958..d2303a4 100644 dontaudit cmirrord_t self:capability sys_tty_config; allow cmirrord_t self:process { setfscreate signal }; allow cmirrord_t self:fifo_file rw_fifo_file_perms; -@@ -42,16 +42,17 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file) +@@ -42,16 +42,18 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file) domain_use_interactive_fds(cmirrord_t) domain_obj_id_change_exemption(cmirrord_t) -files_read_etc_files(cmirrord_t) - storage_create_fixed_disk_dev(cmirrord_t) ++storage_raw_read_fixed_disk(cmirrord_t) +storage_rw_inherited_fixed_disk_dev(cmirrord_t) seutil_read_file_contexts(cmirrord_t) @@ -12356,7 +12974,7 @@ index c223f81..8b567c1 100644 - admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t }) ') diff --git a/cobbler.te b/cobbler.te -index 2a71346..8c4ac39 100644 +index 2a71346..3a38b11 100644 --- a/cobbler.te +++ b/cobbler.te @@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) 
@@ -12405,23 +13023,42 @@ index 2a71346..8c4ac39 100644 ') optional_policy(` -+ apache_domtrans(cobblerd_t) ++ apache_domtrans(cobblerd_t) apache_search_sys_content(cobblerd_t) ') -@@ -188,17 +191,25 @@ optional_policy(` +@@ -170,6 +173,7 @@ optional_policy(` + bind_domtrans(cobblerd_t) + bind_initrc_domtrans(cobblerd_t) + bind_manage_zone(cobblerd_t) ++ bind_systemctl(cobblerd_t) ') optional_policy(` -+ libs_exec_ldconfig(cobblerd_t) +@@ -179,12 +183,22 @@ optional_policy(` + optional_policy(` + dhcpd_domtrans(cobblerd_t) + dhcpd_initrc_domtrans(cobblerd_t) ++ dhcpd_systemctl(cobblerd_t) + ') + + optional_policy(` + dnsmasq_domtrans(cobblerd_t) + dnsmasq_initrc_domtrans(cobblerd_t) + dnsmasq_write_config(cobblerd_t) ++ dnsmasq_systemctl(cobblerd_t) +') + +optional_policy(` -+ mysql_stream_connect(cobblerd_t) ++ libs_exec_ldconfig(cobblerd_t) +') + +optional_policy(` - rpm_exec(cobblerd_t) ++ mysql_stream_connect(cobblerd_t) + ') + + optional_policy(` +@@ -192,13 +206,13 @@ optional_policy(` ') optional_policy(` @@ -12633,10 +13270,10 @@ index 954309e..f4db2ca 100644 ') + diff --git a/collectd.te b/collectd.te -index 6471fa8..dc0423c 100644 +index 6471fa8..6ade0ea 100644 --- a/collectd.te +++ b/collectd.te -@@ -26,8 +26,14 @@ files_type(collectd_var_lib_t) +@@ -26,18 +26,27 @@ files_type(collectd_var_lib_t) type collectd_var_run_t; files_pid_file(collectd_var_run_t) @@ -12651,7 +13288,11 @@ index 6471fa8..dc0423c 100644 ######################################## # # Local policy -@@ -38,6 +44,9 @@ allow collectd_t self:process { getsched setsched signal }; + # + +-allow collectd_t self:capability { ipc_lock sys_nice }; ++allow collectd_t self:capability { ipc_lock net_admin sys_nice }; + allow collectd_t self:process { getsched setsched signal }; allow collectd_t self:fifo_file rw_fifo_file_perms; allow collectd_t self:packet_socket create_socket_perms; allow collectd_t self:unix_stream_socket { accept listen }; 
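Review bot: `++allow collectd_t self:capability { ipc_lock net_admin sys_nice };` adds `net_admin`, which also covers interface, routing and firewall configuration, to a metrics collector whose other additions in the following hunk are read-only (`kernel_read_all_sysctls`, `kernel_read_all_proc`). Daemons often trip a `net_admin` check from a harmless `setsockopt`, and elsewhere in this patch that case is silenced rather than granted (`dontaudit crond_t self:capability { net_admin sys_resource sys_tty_config };` in cron.te). Unless a specific plugin genuinely configures the network, `dontaudit collectd_t self:capability net_admin;` is the narrower fix, with a comment naming the plugin if the allow is kept.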
@@ -12669,13 +13310,13 @@ index 6471fa8..dc0423c 100644 +kernel_read_all_sysctls(collectd_t) +kernel_read_all_proc(collectd_t) +kernel_list_all_proc(collectd_t) -+ -+auth_getattr_passwd(collectd_t) -+auth_read_passwd(collectd_t) -kernel_read_network_state(collectd_t) -kernel_read_net_sysctls(collectd_t) -kernel_read_system_state(collectd_t) ++auth_getattr_passwd(collectd_t) ++auth_read_passwd(collectd_t) ++ +corenet_udp_bind_generic_node(collectd_t) +corenet_udp_bind_collectd_port(collectd_t) @@ -12697,15 +13338,20 @@ index 6471fa8..dc0423c 100644 logging_send_syslog_msg(collectd_t) -@@ -75,16 +89,26 @@ tunable_policy(`collectd_tcp_network_connect',` +@@ -75,16 +89,31 @@ tunable_policy(`collectd_tcp_network_connect',` ') optional_policy(` ++ mysql_stream_connect(collectd_t) ++') ++ ++optional_policy(` + netutils_domtrans_ping(collectd_t) +') + +optional_policy(` virt_read_config(collectd_t) ++ virt_stream_connect(collectd_t) ') ######################################## @@ -12963,10 +13609,10 @@ index 23dc348..c4450f7 100644 /var/lib/condor/execute(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0) diff --git a/condor.if b/condor.if -index 3fe3cb8..5fe84a6 100644 +index 3fe3cb8..e979b3d 100644 --- a/condor.if +++ b/condor.if -@@ -1,81 +1,397 @@ +@@ -1,81 +1,396 @@ -## High-Throughput Computing System. + +## policy for condor @@ -13021,13 +13667,13 @@ index 3fe3cb8..5fe84a6 100644 +##
+## +# -+interface(`condor_domtrans',` ++interface(`condor_domtrans_master',` + gen_require(` -+ type condor_t, condor_exec_t; ++ type condor_master_t, condor_master_exec_t; + ') + + corecmd_search_bin($1) -+ domtrans_pattern($1, condor_exec_t, condor_t) ++ domtrans_pattern($1, condor_master_exec_t, condor_master_t) +') + +####################################### @@ -13308,7 +13954,7 @@ index 3fe3cb8..5fe84a6 100644 +# +interface(`condor_systemctl',` + gen_require(` -+ type condor_t; ++ type condor_domain; + type condor_unit_file_t; + ') + @@ -13317,10 +13963,9 @@ index 3fe3cb8..5fe84a6 100644 + allow $1 condor_unit_file_t:file read_file_perms; + allow $1 condor_unit_file_t:service manage_service_perms; + -+ ps_process_pattern($1, condor_t) + ps_process_pattern($1, condor_domain) +') + -+ +####################################### +## +## Read and write condor_startd server TCP sockets. @@ -13335,7 +13980,11 @@ index 3fe3cb8..5fe84a6 100644 + gen_require(` + type condor_startd_t; + ') -+ + +- init_labeled_script_domtrans($1, condor_initrc_exec_t) +- domain_system_change_exemption($1) +- role_transition $2 condor_initrc_exec_t system_r; +- allow $2 system_r; + allow $1 condor_startd_t:tcp_socket rw_socket_perms; +') + @@ -13383,12 +14032,8 @@ index 3fe3cb8..5fe84a6 100644 + ') + + allow $1 condor_domain:process { signal_perms }; - ps_process_pattern($1, condor_domain) - -- init_labeled_script_domtrans($1, condor_initrc_exec_t) -- domain_system_change_exemption($1) -- role_transition $2 condor_initrc_exec_t system_r; -- allow $2 system_r; ++ ps_process_pattern($1, condor_domain) ++ + init_labeled_script_domtrans($1, condor_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 condor_initrc_exec_t system_r; 
@@ -13404,7 +14049,7 @@ index 3fe3cb8..5fe84a6 100644 files_search_var_lib($1) admin_pattern($1, condor_var_lib_t) -@@ -85,4 +401,13 @@ interface(`condor_admin',` +@@ -85,4 +400,13 @@ interface(`condor_admin',` files_search_tmp($1) admin_pattern($1, { condor_schedd_tmp_t condor_startd_tmp_t }) @@ -13419,7 +14064,7 @@ index 3fe3cb8..5fe84a6 100644 + ') ') diff --git a/condor.te b/condor.te -index 3f2b672..ff94f23 100644 +index 3f2b672..8fb887d 100644 --- a/condor.te +++ b/condor.te @@ -34,6 +34,9 @@ files_tmp_file(condor_startd_tmp_t) @@ -13469,7 +14114,11 @@ index 3f2b672..ff94f23 100644 logging_log_filetrans(condor_domain, condor_log_t, { dir file }) manage_dirs_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t) -@@ -86,13 +98,10 @@ allow condor_domain condor_master_t:tcp_socket getattr; +@@ -83,16 +95,14 @@ files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file }) + + allow condor_domain condor_master_t:process signull; + allow condor_domain condor_master_t:tcp_socket getattr; ++allow condor_domain condor_master_t:udp_socket { read write }; kernel_read_kernel_sysctls(condor_domain) kernel_read_network_state(condor_domain) @@ -13483,7 +14132,7 @@ index 3f2b672..ff94f23 100644 corenet_tcp_sendrecv_generic_if(condor_domain) corenet_tcp_sendrecv_generic_node(condor_domain) -@@ -106,9 +115,9 @@ dev_read_rand(condor_domain) +@@ -106,9 +116,9 @@ dev_read_rand(condor_domain) dev_read_sysfs(condor_domain) dev_read_urand(condor_domain) @@ -13495,7 +14144,7 @@ index 3f2b672..ff94f23 100644 tunable_policy(`condor_tcp_network_connect',` corenet_sendrecv_all_client_packets(condor_domain) -@@ -125,7 +134,7 @@ optional_policy(` +@@ -125,7 +135,7 @@ optional_policy(` # Master local policy # 
@@ -13504,7 +14153,7 @@ index 3f2b672..ff94f23 100644 allow condor_master_t condor_domain:process { sigkill signal }; -@@ -133,6 +142,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) +@@ -133,6 +143,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir }) @@ -13515,7 +14164,7 @@ index 3f2b672..ff94f23 100644 corenet_udp_sendrecv_generic_if(condor_master_t) corenet_udp_sendrecv_generic_node(condor_master_t) corenet_tcp_bind_generic_node(condor_master_t) -@@ -152,6 +165,8 @@ domain_read_all_domains_state(condor_master_t) +@@ -152,6 +166,8 @@ domain_read_all_domains_state(condor_master_t) auth_use_nsswitch(condor_master_t) @@ -13524,7 +14173,7 @@ index 3f2b672..ff94f23 100644 optional_policy(` mta_send_mail(condor_master_t) mta_read_config(condor_master_t) -@@ -169,6 +184,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms; +@@ -169,6 +185,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms; kernel_read_network_state(condor_collector_t) @@ -13533,7 +14182,7 @@ index 3f2b672..ff94f23 100644 ##################################### # # Negotiator local policy -@@ -178,6 +195,8 @@ allow condor_negotiator_t self:capability { setuid setgid }; +@@ -178,6 +196,8 @@ allow condor_negotiator_t self:capability { setuid setgid }; allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms; allow condor_negotiator_t condor_master_t:udp_socket getattr; @@ -13542,7 +14191,7 @@ index 3f2b672..ff94f23 100644 ###################################### # # Procd local policy -@@ -185,7 +204,8 @@ allow condor_negotiator_t condor_master_t:udp_socket getattr; +@@ -185,7 +205,8 @@ allow condor_negotiator_t condor_master_t:udp_socket getattr; allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace }; 
@@ -13552,7 +14201,7 @@ index 3f2b672..ff94f23 100644 domain_read_all_domains_state(condor_procd_t) -@@ -201,6 +221,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; +@@ -201,6 +222,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; allow condor_schedd_t condor_var_lock_t:dir manage_file_perms; @@ -13561,7 +14210,7 @@ index 3f2b672..ff94f23 100644 domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t) domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t) -@@ -209,6 +231,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) +@@ -209,6 +232,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir }) @@ -13570,7 +14219,7 @@ index 3f2b672..ff94f23 100644 ##################################### # # Startd local policy -@@ -233,11 +257,10 @@ domain_read_all_domains_state(condor_startd_t) +@@ -233,11 +258,10 @@ domain_read_all_domains_state(condor_startd_t) mcs_process_set_categories(condor_startd_t) init_domtrans_script(condor_startd_t) @@ -13583,7 +14232,7 @@ index 3f2b672..ff94f23 100644 optional_policy(` ssh_basic_client_template(condor_startd, condor_startd_t, system_r) ssh_domtrans(condor_startd_t) -@@ -249,3 +272,7 @@ optional_policy(` +@@ -249,3 +273,7 @@ optional_policy(` kerberos_use(condor_startd_ssh_t) ') ') 
@@ -13591,6 +14240,218 @@ index 3f2b672..ff94f23 100644 +optional_policy(` + unconfined_domain(condor_startd_t) +') +diff --git a/conman.fc b/conman.fc +new file mode 100644 +index 0000000..5f97ba9 +--- /dev/null ++++ b/conman.fc +@@ -0,0 +1,7 @@ ++/usr/lib/systemd/system/conman.* -- gen_context(system_u:object_r:conman_unit_file_t,s0) ++ ++/usr/sbin/conmand -- gen_context(system_u:object_r:conman_exec_t,s0) ++ ++/var/log/conman(/.*)? gen_context(system_u:object_r:conman_log_t,s0) ++/var/log/conman\.old(/.*)? gen_context(system_u:object_r:conman_log_t,s0) ++ +diff --git a/conman.if b/conman.if +new file mode 100644 +index 0000000..54b4b04 +--- /dev/null ++++ b/conman.if +@@ -0,0 +1,142 @@ ++## Conman is a program for connecting to remote consoles being managed by conmand ++ ++######################################## ++## ++## Execute conman in the conman domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`conman_domtrans',` ++ gen_require(` ++ type conman_t, conman_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, conman_exec_t, conman_t) ++') ++ ++######################################## ++## ++## Read conman's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`conman_read_log',` ++ gen_require(` ++ type conman_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, conman_log_t, conman_log_t) ++') ++ ++######################################## ++## ++## Append to conman log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`conman_append_log',` ++ gen_require(` ++ type conman_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, conman_log_t, conman_log_t) ++') ++ ++######################################## ++## ++## Manage conman log files ++## ++## ++## ++## Domain allowed access. 
++##
++##
++#
++interface(`conman_manage_log',`
++ gen_require(`
++ type conman_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, conman_log_t, conman_log_t)
++ manage_files_pattern($1, conman_log_t, conman_log_t)
++')
++
++########################################
++##
++## Execute conman server in the conman domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`conman_systemctl',`
++ gen_require(`
++ type conman_t;
++ type conman_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 conman_unit_file_t:file read_file_perms;
++ allow $1 conman_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, conman_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an conman environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`conman_admin',`
++ gen_require(`
++ type conman_t;
++ type conman_log_t;
++ type conman_unit_file_t;
++ ')
++
++ allow $1 conman_t:process { signal_perms };
++ ps_process_pattern($1, conman_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 conman_t:process ptrace;
++ ')
++
++ logging_search_logs($1)
++ admin_pattern($1, conman_log_t)
++
++ conman_systemctl($1)
++ admin_pattern($1, conman_unit_file_t)
++ allow $1 conman_unit_file_t:service all_service_perms;
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/conman.te b/conman.te
+new file mode 100644
+index 0000000..0de2d4d
+--- /dev/null
++++ b/conman.te
+@@ -0,0 +1,45 @@
++policy_module(conman, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type conman_t;
++type conman_exec_t;
++init_daemon_domain(conman_t, conman_exec_t)
++
++type conman_log_t;
++logging_log_file(conman_log_t)
++
++type conman_unit_file_t;
++systemd_unit_file(conman_unit_file_t)
++
++######################################## ++# ++# conman local policy ++# ++ ++allow conman_t self:capability { sys_tty_config }; ++allow conman_t self:process { setrlimit signal_perms }; ++ ++allow conman_t self:fifo_file rw_fifo_file_perms; ++allow conman_t self:unix_stream_socket create_stream_socket_perms; ++allow conman_t self:tcp_socket { listen create_socket_perms }; ++ ++manage_dirs_pattern(conman_t, conman_log_t, conman_log_t) ++manage_files_pattern(conman_t, conman_log_t, conman_log_t) ++logging_log_filetrans(conman_t, conman_log_t, { dir }) ++ ++corenet_tcp_bind_generic_node(conman_t) ++corenet_tcp_bind_conman_port(conman_t) ++ ++corecmd_exec_bin(conman_t) ++ ++auth_read_passwd(conman_t) ++ ++logging_send_syslog_msg(conman_t) ++ ++optional_policy(` ++ freeipmi_stream_connect(conman_t) ++') diff --git a/consolekit.fc b/consolekit.fc index 23c9558..29e5fd3 100644 --- a/consolekit.fc @@ -13724,10 +14585,10 @@ index 5b830ec..0647a3b 100644 + ps_process_pattern($1, consolekit_t) +') diff --git a/consolekit.te b/consolekit.te -index 5f0c793..d11e25b 100644 +index 5f0c793..580dff0 100644 --- a/consolekit.te +++ b/consolekit.te -@@ -19,12 +19,16 @@ type consolekit_var_run_t; +@@ -19,21 +19,23 @@ type consolekit_var_run_t; files_pid_file(consolekit_var_run_t) init_daemon_run_dir(consolekit_var_run_t, "ConsoleKit") 
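Review bot: The `conman_systemctl` interface summary reads `## Execute conman server in the conman domain.` while its body grants `systemd_exec_systemctl($1)`, read on `conman_unit_file_t` and `manage_service_perms` on the service — a caller gets start/stop control, not a domain transition — and the `conman_domtrans` summary above it carries a typo (`domin`). Suggested summary for `conman_systemctl`: `## Allow the caller to control the conman service via systemctl.`, and `domain` in `conman_domtrans`. Separately, `++corenet_tcp_bind_conman_port(conman_t)` in conman.te relies on a conman port type declared in the base corenetwork policy, which is not on this page; the module will not build if that declaration is missing. This hunk begins at the condor.te tail on an earlier line.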
@@ -13744,7 +14605,19 @@ index 5f0c793..d11e25b 100644 allow consolekit_t self:process { getsched signal }; allow consolekit_t self:fifo_file rw_fifo_file_perms; allow consolekit_t self:unix_stream_socket { accept listen }; -@@ -54,37 +58,36 @@ dev_read_sysfs(consolekit_t) + +-create_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t) +-append_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t) +-read_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t) +-setattr_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t) +-logging_log_filetrans(consolekit_t, consolekit_log_t, file) ++manage_dirs_pattern(consolekit_t, consolekit_log_t, consolekit_log_t) ++manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t) ++logging_log_filetrans(consolekit_t, consolekit_log_t, { dir file }) + + manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) + manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t) +@@ -54,37 +56,36 @@ dev_read_sysfs(consolekit_t) domain_read_all_domains_state(consolekit_t) domain_use_interactive_fds(consolekit_t) @@ -13791,7 +14664,7 @@ index 5f0c793..d11e25b 100644 ') ifdef(`distro_debian',` -@@ -112,13 +115,6 @@ optional_policy(` +@@ -112,13 +113,6 @@ optional_policy(` ') ') @@ -14021,7 +14894,7 @@ index c086302..4f33119 100644 /etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0) diff --git a/couchdb.if b/couchdb.if -index 83d6744..afa2f78 100644 +index 83d6744..3f0c0dc 100644 --- a/couchdb.if +++ b/couchdb.if @@ -2,6 +2,44 @@ @@ -14069,7 +14942,7 @@ index 83d6744..afa2f78 100644 ## All of the rules required to ## administrate an couchdb environment. ## -@@ -10,6 +48,127 @@ +@@ -10,6 +48,151 @@ ## Domain allowed access. ##
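Review bot: Replacing the `create_files_pattern`/`append_files_pattern`/`read_files_pattern`/`setattr_files_pattern` set on `consolekit_log_t` with `++manage_files_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)` lets the daemon truncate, rename and unlink its own log, which the previous append-only set deliberately withheld; a compromised consolekit could now erase its record. If the change is driven by a log directory (the new `{ dir file }` filetrans suggests one), keep `++manage_dirs_pattern(consolekit_t, consolekit_log_t, consolekit_log_t)` and the directory transition but restore the four file-level patterns in place of `manage_files_pattern`, so file access stays append-only. A comment on the line naming the denial would help if full manage is really required.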
## @@ -14159,6 +15032,30 @@ index 83d6744..afa2f78 100644 + allow $1 couchdb_var_run_t:dir search_dir_perms; +') + ++####################################### ++## ++## Allow domain to manage couchdb content. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`couchdb_manage_files',` ++ gen_require(` ++ type couchdb_var_run_t; ++ type couchdb_log_t; ++ type couchdb_var_lib_t; ++ type couchdb_conf_t; ++ ') ++ ++ manage_files_pattern($1, couchdb_log_t, couchdb_log_t) ++ manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t) ++ manage_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t) ++ manage_files_pattern($1, couchdb_conf_t, couchdb_conf_t) ++') ++ +######################################## +## +## Execute couchdb server in the couchdb domain. @@ -14197,7 +15094,7 @@ index 83d6744..afa2f78 100644 ## ## ## Role allowed access. -@@ -19,14 +178,19 @@ +@@ -19,14 +202,19 @@ # interface(`couchdb_admin',` gen_require(` @@ -14218,7 +15115,7 @@ index 83d6744..afa2f78 100644 init_labeled_script_domtrans($1, couchdb_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 couchdb_initrc_exec_t system_r; -@@ -46,4 +210,13 @@ interface(`couchdb_admin',` +@@ -46,4 +234,13 @@ interface(`couchdb_admin',` files_search_pids($1) admin_pattern($1, couchdb_var_run_t) @@ -14620,7 +15517,7 @@ index a3bbc21..7fd7d8f 100644 + xserver_dbus_chat_xdm(cpufreqselector_t) +') diff --git a/cron.fc b/cron.fc -index 6e76215..224142a 100644 +index 6e76215..4819e90 100644 --- a/cron.fc +++ b/cron.fc @@ -3,6 +3,9 @@ 
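Review bot: The new `couchdb_manage_files` interface hands out `manage_files_pattern($1, couchdb_conf_t, couchdb_conf_t)` alongside the log, lib and run types, so any domain that only needs to write database files also gains the right to rewrite couchdb's configuration, and the summary `## Allow domain to manage couchdb content.` does not say so. Splitting the config grant into its own interface, or at least dropping it here and listing the covered types in the summary, keeps callers to the data they actually need. The gen_require lists the types in a different order from the rules that follow; matching the two makes the scope easier to audit.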
@@ -14633,17 +15530,18 @@ index 6e76215..224142a 100644 /usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0) /usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0) -@@ -12,9 +15,6 @@ +@@ -12,9 +15,7 @@ /usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0) /usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0) -/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) - -/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0) ++/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0) /var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0) /var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0) -@@ -27,13 +27,23 @@ +@@ -27,13 +28,23 @@ /var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0) @@ -14670,7 +15568,7 @@ index 6e76215..224142a 100644 /var/spool/cron/crontabs/.* -- <> #/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0) -@@ -43,19 +53,23 @@ +@@ -43,19 +54,23 @@ /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0) @@ -15665,7 +16563,7 @@ index 1303b30..058864e 100644 + logging_log_filetrans($1, cron_log_t, $2, $3) ') diff --git a/cron.te b/cron.te -index 28e1b86..f871609 100644 +index 28e1b86..439a761 100644 --- a/cron.te +++ b/cron.te @@ -1,4 +1,4 @@ @@ -15869,7 +16767,7 @@ index 28e1b86..f871609 100644 selinux_get_fs_mount(admin_crontab_t) selinux_validate_context(admin_crontab_t) selinux_compute_access_vector(admin_crontab_t) -@@ -204,12 +143,14 @@ selinux_compute_relabel_context(admin_crontab_t) +@@ -204,22 +143,26 @@ selinux_compute_relabel_context(admin_crontab_t) selinux_compute_user_contexts(admin_crontab_t) tunable_policy(`fcron_crond',` 
@@ -15885,7 +16783,9 @@ index 28e1b86..f871609 100644 # allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search }; -@@ -218,8 +159,10 @@ allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem exec +-dontaudit crond_t self:capability { sys_resource sys_tty_config }; ++dontaudit crond_t self:capability { net_admin sys_resource sys_tty_config }; + allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap }; allow crond_t self:process { setexec setfscreate }; allow crond_t self:fd use; allow crond_t self:fifo_file rw_fifo_file_perms; @@ -16315,7 +17215,7 @@ index 28e1b86..f871609 100644 selinux_validate_context(system_cronjob_t) selinux_compute_access_vector(system_cronjob_t) selinux_compute_create_context(system_cronjob_t) -@@ -534,10 +523,17 @@ tunable_policy(`cron_can_relabel',` +@@ -534,10 +523,18 @@ tunable_policy(`cron_can_relabel',` ') optional_policy(` @@ -16324,6 +17224,7 @@ index 28e1b86..f871609 100644 apache_read_config(system_cronjob_t) apache_read_log(system_cronjob_t) apache_read_sys_content(system_cronjob_t) ++ apache_manage_lib(system_cronjob_t) + apache_delete_cache_dirs(system_cronjob_t) + apache_delete_cache_files(system_cronjob_t) +') @@ -16333,7 +17234,7 @@ index 28e1b86..f871609 100644 ') optional_policy(` -@@ -546,10 +542,6 @@ optional_policy(` +@@ -546,10 +543,6 @@ optional_policy(` optional_policy(` dbus_system_bus_client(system_cronjob_t) @@ -16344,7 +17245,7 @@ index 28e1b86..f871609 100644 ') optional_policy(` -@@ -581,6 +573,7 @@ optional_policy(` +@@ -581,6 +574,7 @@ optional_policy(` optional_policy(` mta_read_config(system_cronjob_t) mta_send_mail(system_cronjob_t) @@ -16352,7 +17253,7 @@ index 28e1b86..f871609 100644 ') optional_policy(` -@@ -588,15 +581,19 @@ optional_policy(` +@@ -588,15 +582,23 @@ optional_policy(` ') optional_policy(` 
@@ -16371,10 +17272,14 @@ index 28e1b86..f871609 100644 prelink_read_cache(system_cronjob_t) - prelink_relabelfrom_lib(system_cronjob_t) + prelink_relabel_lib(system_cronjob_t) ++') ++ ++optional_policy(` ++ rkhunter_manage_lib_files(system_cronjob_t) ') optional_policy(` -@@ -606,6 +603,7 @@ optional_policy(` +@@ -606,6 +608,7 @@ optional_policy(` optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) @@ -16382,7 +17287,7 @@ index 28e1b86..f871609 100644 ') optional_policy(` -@@ -613,12 +611,24 @@ optional_policy(` +@@ -613,12 +616,24 @@ optional_policy(` ') optional_policy(` @@ -16409,7 +17314,7 @@ index 28e1b86..f871609 100644 # allow cronjob_t self:process { signal_perms setsched }; -@@ -626,12 +636,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; +@@ -626,12 +641,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; allow cronjob_t self:unix_dgram_socket create_socket_perms; @@ -16443,7 +17348,7 @@ index 28e1b86..f871609 100644 corenet_all_recvfrom_netlabel(cronjob_t) corenet_tcp_sendrecv_generic_if(cronjob_t) corenet_udp_sendrecv_generic_if(cronjob_t) -@@ -639,84 +669,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) +@@ -639,84 +674,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) corenet_udp_sendrecv_generic_node(cronjob_t) corenet_tcp_sendrecv_all_ports(cronjob_t) corenet_udp_sendrecv_all_ports(cronjob_t) @@ -16627,18 +17532,26 @@ index 28e1b86..f871609 100644 + openshift_transition(system_cronjob_t) ') diff --git a/ctdb.fc b/ctdb.fc -index 8401fe6..507804b 100644 +index 8401fe6..9131995 100644 --- a/ctdb.fc 
+++ b/ctdb.fc -@@ -2,6 +2,8 @@ +@@ -2,11 +2,16 @@ /usr/sbin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0) +/var/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_t,s0) + ++/var/lib/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0) /var/lib/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0) /var/log/ctdb\.log.* -- gen_context(system_u:object_r:ctdbd_log_t,s0) + /var/log/log\.ctdb.* -- gen_context(system_u:object_r:ctdbd_log_t,s0) + ++ ++/var/run/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_run_t,s0) + /var/run/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_run_t,s0) + + /var/spool/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_spool_t,s0) diff --git a/ctdb.if b/ctdb.if index b25b01d..e99c5c6 100644 --- a/ctdb.if @@ -16930,7 +17843,7 @@ index b25b01d..e99c5c6 100644 ') + diff --git a/ctdb.te b/ctdb.te -index 6ce66e7..03bc338 100644 +index 6ce66e7..7725178 100644 --- a/ctdb.te +++ b/ctdb.te @@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t) 
@@ -16958,19 +17871,26 @@ index 6ce66e7..03bc338 100644 append_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t) create_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t) -@@ -59,6 +64,11 @@ manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) +@@ -57,10 +62,17 @@ files_spool_filetrans(ctdbd_t, ctdbd_spool_t, dir) + exec_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) + manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t) - files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir) - +-files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir) ++files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir, "ctdb") ++ +manage_dirs_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t) +manage_files_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t) +manage_lnk_files_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t) ++files_var_filetrans(ctdbd_t, ctdbd_var_t, dir, "ctdbd") +files_var_filetrans(ctdbd_t, ctdbd_var_t, dir, "ctdb") -+ + manage_dirs_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t) manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t) ++manage_sock_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t) files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir) -@@ -72,9 +82,11 @@ corenet_all_recvfrom_netlabel(ctdbd_t) + + kernel_read_network_state(ctdbd_t) +@@ -72,9 +84,12 @@ corenet_all_recvfrom_netlabel(ctdbd_t) corenet_tcp_sendrecv_generic_if(ctdbd_t) corenet_tcp_sendrecv_generic_node(ctdbd_t) corenet_tcp_bind_generic_node(ctdbd_t) 
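Review bot: Replacing upstream's unnamed `files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir)` with one keyed on `"ctdb"` leaves `/var/lib/ctdbd`, which ctdb.fc in this same update still labels ctdbd_var_lib_t, without a runtime transition: if ctdbd creates that directory itself it now comes out as var_lib_t until a relabel. Add `files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir, "ctdbd")` alongside the "ctdb" one, mirroring the pair of `files_var_filetrans` lines a few rules below. The added `manage_sock_files_pattern` on ctdbd_var_run_t is fine given the matching /var/run entries.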
@@ -16979,16 +17899,19 @@ index 6ce66e7..03bc338 100644 corenet_sendrecv_ctdb_server_packets(ctdbd_t) corenet_tcp_bind_ctdb_port(ctdbd_t) +corenet_udp_bind_ctdb_port(ctdbd_t) ++corenet_tcp_connect_ctdb_port(ctdbd_t) corenet_tcp_sendrecv_ctdb_port(ctdbd_t) corecmd_exec_bin(ctdbd_t) -@@ -85,12 +97,12 @@ dev_read_urand(ctdbd_t) +@@ -85,12 +100,14 @@ dev_read_urand(ctdbd_t) domain_dontaudit_read_all_domains_state(ctdbd_t) -files_read_etc_files(ctdbd_t) files_search_all_mountpoints(ctdbd_t) ++fs_getattr_all_fs(ctdbd_t) ++ +auth_read_passwd(ctdbd_t) + logging_send_syslog_msg(ctdbd_t) @@ -16997,7 +17920,7 @@ index 6ce66e7..03bc338 100644 miscfiles_read_public_files(ctdbd_t) optional_policy(` -@@ -109,6 +121,7 @@ optional_policy(` +@@ -109,6 +126,7 @@ optional_policy(` samba_initrc_domtrans(ctdbd_t) samba_domtrans_net(ctdbd_t) samba_rw_var_files(ctdbd_t) @@ -17147,7 +18070,7 @@ index 949011e..afe482b 100644 +/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) +/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --git a/cups.if b/cups.if -index 06da9a0..c7834c8 100644 +index 06da9a0..c18145d 100644 --- a/cups.if +++ b/cups.if @@ -200,10 +200,13 @@ interface(`cups_dbus_chat_config',` @@ -17224,7 +18147,7 @@ index 06da9a0..c7834c8 100644 init_labeled_script_domtrans($1, cupsd_initrc_exec_t) domain_system_change_exemption($1) -@@ -348,13 +379,63 @@ interface(`cups_admin',` +@@ -348,13 +379,64 @@ interface(`cups_admin',` logging_list_logs($1) admin_pattern($1, cupsd_log_t) @@ -17273,6 +18196,7 @@ index 06da9a0..c7834c8 100644 + files_etc_filetrans($1, cupsd_rw_etc_t, dir, "inf") + files_usr_filetrans($1, cupsd_rw_etc_t, dir, "inf") + corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf") ++ files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups") +') + +######################################## @@ -17294,7 +18218,7 @@ index 06da9a0..c7834c8 100644 + ps_process_pattern($1, cupsd_t) ') 
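Review bot: `files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")` fires for a directory named cups created in any var_t-labelled parent, not only /var itself, and hands it a type cupsd_t can write; no cups.fc entry for such a path appears anywhere in this update, so the label would not survive a relabel. Say which path this is for with a comment (`# /var/cups created by the admin tools` or whatever it actually is), add the matching file context, and if the target is really a subdirectory such as /var/cache prefer the more specific parent interface where the base policy offers one. The enclosing interface's header lies outside this hunk.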
diff --git a/cups.te b/cups.te -index 9f34c2e..d084359 100644 +index 9f34c2e..f3aaaed 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,24 @@ policy_module(cups, 1.15.9) @@ -17427,7 +18351,7 @@ index 9f34c2e..d084359 100644 # -allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config }; -+allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config }; ++allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill fsetid fowner chown dac_override sys_resource sys_tty_config }; dontaudit cupsd_t self:capability { sys_tty_config net_admin }; allow cupsd_t self:capability2 block_suspend; -allow cupsd_t self:process { getpgid setpgid setsched signal_perms }; @@ -17535,7 +18459,7 @@ index 9f34c2e..d084359 100644 files_exec_usr_files(cupsd_t) # for /var/lib/defoma files_read_var_lib_files(cupsd_t) -@@ -215,16 +243,17 @@ files_read_world_readable_files(cupsd_t) +@@ -215,17 +243,19 @@ files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) files_read_var_files(cupsd_t) files_read_var_symlinks(cupsd_t) @@ -17553,9 +18477,11 @@ index 9f34c2e..d084359 100644 +fs_rw_anon_inodefs_files(cupsd_t) +fs_rw_inherited_tmpfs_files(cupsd_t) ++mls_dbus_send_all_levels(cupsd_t) mls_fd_use_all_levels(cupsd_t) mls_file_downgrade(cupsd_t) -@@ -235,6 +264,8 @@ mls_socket_write_all_levels(cupsd_t) + mls_file_write_all_levels(cupsd_t) +@@ -235,6 +265,8 @@ mls_socket_write_all_levels(cupsd_t) term_search_ptys(cupsd_t) term_use_unallocated_ttys(cupsd_t) 
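Review bot: `dac_override` is still listed twice in the rewritten capability set for cupsd_t; the duplicate was inherited from upstream, but since the line is being rewritten anyway to drop sys_rawio it should read `allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill fsetid fowner chown sys_resource sys_tty_config };`. Removing sys_rawio is a real tightening, so a one-line comment recording that no printer backend needs it would help the next person who sees a raw-device denial. The remaining sys_admin and dac_override grants are pre-existing and not part of this change.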
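Review bot: `mls_dbus_send_all_levels(cupsd_t)` arrives without any comment on which dbus exchange required it; by its name it exempts cupsd from the MLS constraint on dbus send_msg across sensitivity levels, which is a deliberate hole in the lattice that is invisible on the targeted policy where this will mostly be tested. Add a why-comment naming the denial it fixes, e.g. `# cupsd must answer dbus calls from sessions at any level (MLS only)`, so the exemption can be re-evaluated later rather than cargo-culted. The cupsd_t block continues on both sides of the hunk.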
@@ -17564,12 +18490,13 @@ index 9f34c2e..d084359 100644 selinux_compute_access_vector(cupsd_t) selinux_validate_context(cupsd_t) -@@ -247,21 +278,20 @@ auth_dontaudit_read_pam_pid(cupsd_t) +@@ -247,21 +279,21 @@ auth_dontaudit_read_pam_pid(cupsd_t) auth_rw_faillog(cupsd_t) auth_use_nsswitch(cupsd_t) -libs_read_lib_files(cupsd_t) libs_exec_lib_files(cupsd_t) ++libs_exec_ldconfig(cupsd_t) logging_send_audit_msgs(cupsd_t) logging_send_syslog_msg(cupsd_t) @@ -17590,7 +18517,7 @@ index 9f34c2e..d084359 100644 userdom_dontaudit_search_user_home_content(cupsd_t) optional_policy(` -@@ -275,6 +305,8 @@ optional_policy(` +@@ -275,6 +307,8 @@ optional_policy(` optional_policy(` dbus_system_bus_client(cupsd_t) @@ -17599,7 +18526,7 @@ index 9f34c2e..d084359 100644 userdom_dbus_send_all_users(cupsd_t) optional_policy(` -@@ -285,8 +317,10 @@ optional_policy(` +@@ -285,8 +319,10 @@ optional_policy(` hal_dbus_chat(cupsd_t) ') @@ -17610,7 +18537,7 @@ index 9f34c2e..d084359 100644 ') ') -@@ -299,8 +333,8 @@ optional_policy(` +@@ -299,8 +335,8 @@ optional_policy(` ') optional_policy(` @@ -17620,7 +18547,7 @@ index 9f34c2e..d084359 100644 ') optional_policy(` -@@ -309,7 +343,6 @@ optional_policy(` +@@ -309,7 +345,6 @@ optional_policy(` optional_policy(` lpd_exec_lpr(cupsd_t) @@ -17628,7 +18555,7 @@ index 9f34c2e..d084359 100644 lpd_read_config(cupsd_t) lpd_relabel_spool(cupsd_t) ') -@@ -337,7 +370,11 @@ optional_policy(` +@@ -337,7 +372,11 @@ optional_policy(` ') optional_policy(` @@ -17641,7 +18568,7 @@ index 9f34c2e..d084359 100644 ') ######################################## -@@ -345,12 +382,11 @@ optional_policy(` +@@ -345,12 +384,11 @@ optional_policy(` # Configuration daemon local policy # 
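Review bot: `libs_exec_ldconfig(cupsd_t)` runs ldconfig inside the cupsd_t domain instead of transitioning to ldconfig_t, so an actual cache rebuild would presumably then need cupsd_t to write /etc/ld.so.cache, which nothing in this update grants. If the driver scripts only call `ldconfig -p` to locate libraries, say so with a comment such as `# printer driver install scripts run ldconfig -p; no transition wanted`; if they really rebuild the cache, `libs_domtrans_ldconfig(cupsd_t)` is the safer shape because it keeps the write in the ldconfig domain. The surrounding cupsd_t rules start before this hunk.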
@@ -17657,7 +18584,7 @@ index 9f34c2e..d084359 100644 allow cupsd_config_t cupsd_t:process signal; ps_process_pattern(cupsd_config_t, cupsd_t) -@@ -375,18 +411,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run +@@ -375,18 +413,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file }) @@ -17678,7 +18605,7 @@ index 9f34c2e..d084359 100644 corenet_all_recvfrom_netlabel(cupsd_config_t) corenet_tcp_sendrecv_generic_if(cupsd_config_t) corenet_tcp_sendrecv_generic_node(cupsd_config_t) -@@ -395,20 +429,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) +@@ -395,20 +431,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) corenet_sendrecv_all_client_packets(cupsd_config_t) corenet_tcp_connect_all_ports(cupsd_config_t) @@ -17699,7 +18626,7 @@ index 9f34c2e..d084359 100644 fs_search_auto_mountpoints(cupsd_config_t) domain_use_interactive_fds(cupsd_config_t) -@@ -420,11 +446,6 @@ auth_use_nsswitch(cupsd_config_t) +@@ -420,11 +448,6 @@ auth_use_nsswitch(cupsd_config_t) logging_send_syslog_msg(cupsd_config_t) @@ -17711,11 +18638,11 @@ index 9f34c2e..d084359 100644 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) -@@ -452,9 +473,12 @@ optional_policy(` +@@ -452,9 +475,12 @@ optional_policy(` ') optional_policy(` -+ gnome_dontaudit_search_config(cupsd_config_t) ++ gnome_dontaudit_read_config(cupsd_config_t) +') + +optional_policy(` @@ -17725,7 +18652,7 @@ index 9f34c2e..d084359 100644 ') optional_policy(` -@@ -490,10 +514,6 @@ optional_policy(` +@@ -490,10 +516,6 @@ optional_policy(` # Lpd local policy # 
@@ -17736,7 +18663,7 @@ index 9f34c2e..d084359 100644 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; -@@ -511,31 +531,23 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +@@ -511,31 +533,23 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) @@ -17770,7 +18697,7 @@ index 9f34c2e..d084359 100644 optional_policy(` inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) ') -@@ -546,7 +558,6 @@ optional_policy(` +@@ -546,7 +560,6 @@ optional_policy(` # allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; @@ -17778,7 +18705,7 @@ index 9f34c2e..d084359 100644 allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -@@ -562,148 +573,23 @@ fs_search_auto_mountpoints(cups_pdf_t) +@@ -562,148 +575,23 @@ fs_search_auto_mountpoints(cups_pdf_t) kernel_read_system_state(cups_pdf_t) @@ -17930,7 +18857,7 @@ index 9f34c2e..d084359 100644 ######################################## # -@@ -731,7 +617,6 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -731,7 +619,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) @@ -17938,7 +18865,7 @@ index 9f34c2e..d084359 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -741,13 +626,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) +@@ -741,13 +628,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) corenet_tcp_bind_ptal_port(ptal_t) corenet_tcp_sendrecv_ptal_port(ptal_t) 
@@ -17952,7 +18879,7 @@ index 9f34c2e..d084359 100644 files_read_etc_runtime_files(ptal_t) fs_getattr_all_fs(ptal_t) -@@ -755,8 +638,6 @@ fs_search_auto_mountpoints(ptal_t) +@@ -755,8 +640,6 @@ fs_search_auto_mountpoints(ptal_t) logging_send_syslog_msg(ptal_t) @@ -17961,13 +18888,24 @@ index 9f34c2e..d084359 100644 sysnet_read_config(ptal_t) userdom_dontaudit_use_unpriv_user_fds(ptal_t) -@@ -769,3 +650,4 @@ optional_policy(` +@@ -769,3 +652,4 @@ optional_policy(` optional_policy(` udev_read_db(ptal_t) ') + +diff --git a/cvs.fc b/cvs.fc +index 75c8be9..9dcffb2 100644 +--- a/cvs.fc ++++ b/cvs.fc +@@ -1,3 +1,6 @@ ++HOME_DIR/\.cvsignore -- gen_context(system_u:object_r:cvs_home_t,s0) ++/root/\.cvsignore -- gen_context(system_u:object_r:cvs_home_t,s0) ++ + /etc/rc\.d/init\.d/cvs -- gen_context(system_u:object_r:cvs_initrc_exec_t,s0) + + /opt/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0) diff --git a/cvs.if b/cvs.if -index 9fa7ffb..fd3262c 100644 +index 9fa7ffb..089c8d4 100644 --- a/cvs.if +++ b/cvs.if @@ -1,5 +1,23 @@ 
@@ -17994,8 +18932,38 @@ index 9fa7ffb..fd3262c 100644 ######################################## ## ## Read CVS data and metadata content. -@@ -62,9 +80,14 @@ interface(`cvs_admin',` - type cvs_data_t, cvs_var_run_t; +@@ -41,6 +59,24 @@ interface(`cvs_exec',` + + ######################################## + ## ++## Transition to cvs named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cvs_filetrans_home_content',` ++ gen_require(` ++ type cvs_home_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, cvs_home_t, file, ".cvsignore") ++') ++ ++######################################## ++## + ## All of the rules required to + ## administrate an cvs environment + ## +@@ -59,12 +95,18 @@ interface(`cvs_exec',` + interface(`cvs_admin',` + gen_require(` + type cvs_t, cvs_tmp_t, cvs_initrc_exec_t; +- type cvs_data_t, cvs_var_run_t; ++ type cvs_data_t, cvs_var_run_t, cvs_keytab_t; ++ type cvs_home_t; ') - allow $1 cvs_t:process { ptrace signal_perms }; @@ -18010,8 +18978,16 @@ index 9fa7ffb..fd3262c 100644 init_labeled_script_domtrans($1, cvs_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 cvs_initrc_exec_t system_r; +@@ -78,4 +120,7 @@ interface(`cvs_admin',` + + files_list_pids($1) + admin_pattern($1, cvs_var_run_t) ++ ++ userdom_search_user_home_dirs($1) ++ admin_pattern($1, cvs_home_t) + ') diff --git a/cvs.te b/cvs.te -index 53fc3af..897ad64 100644 +index 53fc3af..d7cdaaf 100644 --- a/cvs.te +++ b/cvs.te @@ -11,11 +11,12 @@ policy_module(cvs, 1.9.1) 
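Review bot: `cvs_keytab_t` is added to cvs_admin's gen_require but nothing visible in the interface uses it — the only new admin rule in this update is `admin_pattern($1, cvs_home_t)` in the following hunk — so either a keytab rule was forgotten or the require is dead. If the admin role is meant to manage the service keytab, as *_admin interfaces usually do, add `admin_pattern($1, cvs_keytab_t)` beside the cvs_home_t line; otherwise drop it from the require so the unused type does not have to exist for the interface to compile. The new `cvs_filetrans_home_content` is consistent with the `.cvsignore` contexts added in cvs.fc.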
@@ -18028,7 +19004,31 @@ index 53fc3af..897ad64 100644 application_executable_file(cvs_exec_t) type cvs_data_t; # customizable -@@ -58,6 +59,15 @@ kernel_read_network_state(cvs_t) +@@ -30,16 +31,22 @@ files_tmp_file(cvs_tmp_t) + type cvs_var_run_t; + files_pid_file(cvs_var_run_t) + ++type cvs_home_t; ++userdom_user_home_content(cvs_home_t) ++ + ######################################## + # + # Local policy + # + +-allow cvs_t self:capability { setuid setgid }; ++allow cvs_t self:capability { dac_override dac_read_search setuid setgid }; + allow cvs_t self:process signal_perms; + allow cvs_t self:fifo_file rw_fifo_file_perms; + allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms; + ++userdom_search_user_home_dirs(cvs_t) ++allow cvs_t cvs_home_t:file read_file_perms; ++ + manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t) + manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t) + manage_lnk_files_pattern(cvs_t, cvs_data_t, cvs_data_t) +@@ -58,6 +65,15 @@ kernel_read_network_state(cvs_t) corecmd_exec_bin(cvs_t) corecmd_exec_shell(cvs_t) @@ -18044,7 +19044,7 @@ index 53fc3af..897ad64 100644 dev_read_urand(cvs_t) files_read_etc_runtime_files(cvs_t) -@@ -70,18 +80,18 @@ auth_use_nsswitch(cvs_t) +@@ -70,18 +86,16 @@ auth_use_nsswitch(cvs_t) init_read_utmp(cvs_t) @@ -18057,8 +19057,8 @@ index 53fc3af..897ad64 100644 - mta_send_mail(cvs_t) - userdom_dontaudit_search_user_home_dirs(cvs_t) - +-userdom_dontaudit_search_user_home_dirs(cvs_t) +- # cjp: typeattribute doesnt work in conditionals yet auth_can_read_shadow_passwords(cvs_t) -tunable_policy(`allow_cvs_read_shadow',` @@ -18066,7 +19066,7 @@ index 53fc3af..897ad64 100644 allow cvs_t self:capability dac_override; auth_tunable_read_shadow(cvs_t) ') -@@ -103,4 +113,5 @@ optional_policy(` +@@ -103,4 +117,5 @@ optional_policy(` read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) 
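Review bot: `allow cvs_t self:capability { dac_override dac_read_search setuid setgid };` grants the network-facing cvs pserver domain an unconditional DAC bypass, which makes the `allow cvs_t self:capability dac_override;` inside the `cvs_read_shadow` tunable block just below a no-op and removes the boolean as a gate on that capability; only `auth_tunable_read_shadow` remains conditional. If the unconditional grant is needed for repositories owned by other uids, record that in a comment and delete the now-redundant line from the tunable; if not, keep dac_override under the boolean and add only `dac_read_search` here. The new `userdom_search_user_home_dirs(cvs_t)` plus read of cvs_home_t is a reasonable replacement for the dropped dontaudit, given the `.cvsignore` contexts.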
@@ -18345,10 +19345,10 @@ index 188e2e6..719583e 100644 - -miscfiles_read_localization(dbskkd_t) diff --git a/dbus.fc b/dbus.fc -index dda905b..31f269b 100644 +index dda905b..ccd0ba9 100644 --- a/dbus.fc +++ b/dbus.fc -@@ -1,20 +1,26 @@ +@@ -1,20 +1,27 @@ -HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0) +/etc/dbus-1(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0) @@ -18376,6 +19376,7 @@ index dda905b..31f269b 100644 -/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) +/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) ++/var/cache/ibus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) -/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) - @@ -18387,7 +19388,7 @@ index dda905b..31f269b 100644 /var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0) +') diff --git a/dbus.if b/dbus.if -index afcf3a2..e6ecc4d 100644 +index afcf3a2..8cc440f 100644 --- a/dbus.if +++ b/dbus.if @@ -1,4 +1,4 @@ @@ -18396,16 +19397,33 @@ index afcf3a2..e6ecc4d 100644 ######################################## ## -@@ -19,7 +19,7 @@ interface(`dbus_stub',` +@@ -19,7 +19,24 @@ interface(`dbus_stub',` ######################################## ## -## Role access for dbus. ++## Execute dbus-daemon in the caller domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++# ++interface(`dbus_exec_dbusd',` ++ gen_require(` ++ type dbusd_exec_t; ++ ') ++ can_exec($1, dbusd_exec_t) ++') ++ ++######################################## ++## +## Role access for dbus ## ## ## -@@ -41,59 +41,68 @@ interface(`dbus_stub',` +@@ -41,59 +58,68 @@ interface(`dbus_stub',` template(`dbus_role_template',` gen_require(` class dbus { send_msg acquire_svc }; 
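Review bot: Labelling `/var/cache/ibus(/.*)?` as `system_dbusd_var_lib_t`, the same type as /var/lib/dbus, means every domain granted `dbus_manage_lib_files()` or `dbus_read_lib_files()` also gets the ibus cache, and anything that has to write the ibus cache in turn gets write access to /var/lib/dbus (presumably including machine-id). Unless ibus and dbus intentionally share this data, a dedicated type — or an existing ibus type if the policy has one — keeps the two unrelated; at minimum a comment should record why the dbus type was chosen. The matching named transition added later in this patch uses `files_var_filetrans`, which keys on a var_t parent, so the scheme also depends on /var/cache carrying var_t — worth confirming.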
@@ -18495,7 +19513,7 @@ index afcf3a2..e6ecc4d 100644 ## ## ## -@@ -103,65 +112,29 @@ template(`dbus_role_template',` +@@ -103,91 +129,82 @@ template(`dbus_role_template',` # interface(`dbus_system_bus_client',` gen_require(` @@ -18529,12 +19547,17 @@ index afcf3a2..e6ecc4d 100644 ## -## Acquire service on DBUS -## session bus. --## ++## Creating connections to specified ++## DBUS sessions. + ## -## --## ++## + ## -## Domain allowed access. --## --## ++## The prefix of the user role (e.g., user ++## is the prefix for user_r). + ## + ## -# -interface(`dbus_connect_session_bus',` - refpolicywarn(`$0($*) has been deprecated, use dbus_connect_all_session_bus() instead.') 
@@ -18546,235 +19569,381 @@ index afcf3a2..e6ecc4d 100644 -## Acquire service on all DBUS -## session busses. -## --## --## --## Domain allowed access. --## --## --# + ## + ## + ## Domain allowed access. + ## + ## + # -interface(`dbus_connect_all_session_bus',` -- gen_require(` ++interface(`dbus_session_client',` + gen_require(` - attribute session_bus_type; - class dbus acquire_svc; -- ') -- ++ class dbus send_msg; ++ type $1_dbusd_t; + ') + - allow $1 session_bus_type:dbus acquire_svc; --') -- --####################################### --## ++ allow $2 $1_dbusd_t:fd use; ++ allow $2 { $1_dbusd_t self }:dbus send_msg; ++ allow $2 $1_dbusd_t:unix_stream_socket connectto; + ') + + ####################################### + ## -## Acquire service on specified -## DBUS session bus. -+## Creating connections to specified -+## DBUS sessions. ++## Template for creating connections to ++## a user DBUS. ## - ## +-## +-## +-## The prefix of the user role (e.g., user +-## is the prefix for user_r). +-## +-## + ## ## -@@ -175,19 +148,21 @@ interface(`dbus_connect_all_session_bus',` + ## Domain allowed access. ## ## # -interface(`dbus_connect_spec_session_bus',` -+interface(`dbus_session_client',` ++interface(`dbus_session_bus_client',` gen_require(` -+ class dbus send_msg; - type $1_dbusd_t; +- type $1_dbusd_t; - class dbus acquire_svc; ++ attribute session_bus_type; ++ class dbus send_msg; ') - allow $2 $1_dbusd_t:dbus acquire_svc; -+ allow $2 $1_dbusd_t:fd use; -+ allow $2 { $1_dbusd_t self }:dbus send_msg; -+ allow $2 $1_dbusd_t:unix_stream_socket connectto; ++ # SE-DBus specific permissions ++ allow $1 { session_bus_type self }:dbus send_msg; ++ ++ # For connecting to the bus ++ allow $1 session_bus_type:unix_stream_socket connectto; ++ ++ allow session_bus_type $1:process sigkill; ') - ####################################### +-####################################### ++######################################## ## -## Creating connections to DBUS -## session bus. 
-+## Template for creating connections to -+## a user DBUS. ++## Send a message the session DBUS. ## ## ## -@@ -196,72 +171,23 @@ interface(`dbus_connect_spec_session_bus',` +@@ -195,15 +212,18 @@ interface(`dbus_connect_spec_session_bus',` + ## ## # - interface(`dbus_session_bus_client',` +-interface(`dbus_session_bus_client',` - refpolicywarn(`$0($*) has been deprecated, use dbus_all_session_bus_client() instead.') - dbus_all_session_bus_client($1) --') -- ++interface(`dbus_send_session_bus',` ++ gen_require(` ++ attribute session_bus_type; ++ class dbus send_msg; ++ ') ++ ++ allow $1 session_bus_type:dbus send_msg; + ') + -####################################### --## ++######################################## + ## -## Creating connections to all -## DBUS session busses. --## --## --## --## Domain allowed access. --## --## --# ++## Read dbus configuration. + ## + ## + ## +@@ -211,57 +231,38 @@ interface(`dbus_session_bus_client',` + ## + ## + # -interface(`dbus_all_session_bus_client',` ++interface(`dbus_read_config',` gen_require(` - attribute session_bus_type, dbusd_session_bus_client; -+ attribute session_bus_type; - class dbus send_msg; +- class dbus send_msg; ++ type dbusd_etc_t; ') - typeattribute $1 dbusd_session_bus_client; - -+ # SE-DBus specific permissions - allow $1 { session_bus_type self }:dbus send_msg; +- allow $1 { session_bus_type self }:dbus send_msg; - allow session_bus_type $1:dbus send_msg; - - allow $1 session_bus_type:unix_stream_socket connectto; - allow $1 session_bus_type:fd use; --') ++ allow $1 dbusd_etc_t:dir list_dir_perms; ++ allow $1 dbusd_etc_t:file read_file_perms; + ') -####################################### --## ++######################################## + ## -## Creating connections to specified -## DBUS session bus. --## ++## Read system dbus lib files. + ## -## -## -## The prefix of the user role (e.g., user -## is the prefix for user_r). -## -## --## --## --## Domain allowed access. 
--## --## --# + ## + ## + ## Domain allowed access. + ## + ## + # -interface(`dbus_spec_session_bus_client',` -- gen_require(` ++interface(`dbus_read_lib_files',` + gen_require(` - attribute dbusd_session_bus_client; - type $1_dbusd_t; - class dbus send_msg; -- ') -- ++ type system_dbusd_var_lib_t; + ') + - typeattribute $2 dbusd_session_bus_client; - - allow $2 { $1_dbusd_t self }:dbus send_msg; - allow $1_dbusd_t $2:dbus send_msg; -+ # For connecting to the bus -+ allow $1 session_bus_type:unix_stream_socket connectto; - +- - allow $2 $1_dbusd_t:unix_stream_socket connectto; - allow $2 $1_dbusd_t:fd use; -+ allow session_bus_type $1:process sigkill; ++ files_search_var_lib($1) ++ read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) ') -####################################### +######################################## ## -## Send messages to DBUS session bus. -+## Send a message the session DBUS. ++## Create, read, write, and delete ++## system dbus lib files. ## ## ## -@@ -270,59 +196,17 @@ interface(`dbus_spec_session_bus_client',` +@@ -269,15 +270,19 @@ interface(`dbus_spec_session_bus_client',` + ## ## # - interface(`dbus_send_session_bus',` +-interface(`dbus_send_session_bus',` - refpolicywarn(`$0($*) has been deprecated, use dbus_send_all_session_bus() instead.') - dbus_send_all_session_bus($1) --') -- ++interface(`dbus_manage_lib_files',` ++ gen_require(` ++ type system_dbusd_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) + ') + -####################################### --## ++######################################## + ## -## Send messages to all DBUS -## session busses. --## --## --## --## Domain allowed access. --## --## --# ++## Connect to the system DBUS ++## for service (acquire_svc). 
+ ## + ## + ## +@@ -285,44 +290,52 @@ interface(`dbus_send_session_bus',` + ## + ## + # -interface(`dbus_send_all_session_bus',` ++interface(`dbus_connect_session_bus',` gen_require(` attribute session_bus_type; - class dbus send_msg; +- class dbus send_msg; ++ class dbus acquire_svc; ') - allow $1 dbus_session_bus_type:dbus send_msg; --') -- ++ allow $1 session_bus_type:dbus acquire_svc; + ') + -####################################### --## ++######################################## + ## -## Send messages to specified -## DBUS session busses. --## ++## Allow a application domain to be started ++## by the session dbus. + ## -## --## ++## + ## -## The prefix of the user role (e.g., user -## is the prefix for user_r). --## --## --## --## ++## User domain prefix to be used. + ## + ## + ## + ## -## Domain allowed access. --## --## --# ++## Type to be used as a domain. ++## ++## ++## ++## ++## Type of the program to be used as an ++## entry point to this domain. + ## + ## + # -interface(`dbus_send_spec_session_bus',` -- gen_require(` -- type $1_dbusd_t; ++interface(`dbus_session_domain',` + gen_require(` + type $1_dbusd_t; - class dbus send_msg; -- ') -- + ') + - allow $2 $1_dbusd_t:dbus send_msg; -+ allow $1 session_bus_type:dbus send_msg; ++ domtrans_pattern($1_dbusd_t, $2, $3) ++ ++ dbus_session_bus_client($3) ++ dbus_connect_session_bus($3) ') ######################################## ## -## Read dbus configuration content. -+## Read dbus configuration. ++## Connect to the system DBUS ++## for service (acquire_svc). 
## ## ## -@@ -380,69 +264,32 @@ interface(`dbus_manage_lib_files',` +@@ -330,18 +343,18 @@ interface(`dbus_send_spec_session_bus',` + ## + ## + # +-interface(`dbus_read_config',` ++interface(`dbus_connect_system_bus',` + gen_require(` +- type dbusd_etc_t; ++ type system_dbusd_t; ++ class dbus acquire_svc; + ') + +- allow $1 dbusd_etc_t:dir list_dir_perms; +- allow $1 dbusd_etc_t:file read_file_perms; ++ allow $1 system_dbusd_t:dbus acquire_svc; + ') + + ######################################## + ## +-## Read system dbus lib files. ++## Send a message on the system DBUS. + ## + ## + ## +@@ -349,19 +362,18 @@ interface(`dbus_read_config',` + ## + ## + # +-interface(`dbus_read_lib_files',` ++interface(`dbus_send_system_bus',` + gen_require(` +- type system_dbusd_var_lib_t; ++ type system_dbusd_t; ++ class dbus send_msg; + ') + +- files_search_var_lib($1) +- read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) ++ allow $1 system_dbusd_t:dbus send_msg; + ') + + ######################################## + ## +-## Create, read, write, and delete +-## system dbus lib files. ++## Allow unconfined access to the system DBUS. + ## + ## + ## +@@ -369,26 +381,20 @@ interface(`dbus_read_lib_files',` + ## + ## + # +-interface(`dbus_manage_lib_files',` ++interface(`dbus_system_bus_unconfined',` + gen_require(` +- type system_dbusd_var_lib_t; ++ type system_dbusd_t; ++ class dbus all_dbus_perms; + ') + +- files_search_var_lib($1) +- manage_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t) ++ allow $1 system_dbusd_t:dbus *; + ') ######################################## ## -## Allow a application domain to be -## started by the specified session bus. --## ++## Create a domain for processes ++## which can be started by the system dbus + ## -## -## -## The prefix of the user role (e.g., user -## is the prefix for user_r). -## -## --## --## --## Type to be used as a domain. --## --## --## --## + ## + ## + ## Type to be used as a domain. 
+@@ -396,81 +402,67 @@ interface(`dbus_manage_lib_files',` + ## + ## + ## -## Type of the program to be used as an -## entry point to this domain. --## --## --# ++## Type of the program to be used as an entry point to this domain. + ## + ## + # -interface(`dbus_session_domain',` - refpolicywarn(`$0($*) has been deprecated, use dbus_all_session_domain() instead.') - dbus_all_session_domain($1, $2) --') -- --######################################## --## ++interface(`dbus_system_domain',` ++ gen_require(` ++ attribute system_bus_type; ++ type system_dbusd_t; ++ role system_r; ++ ') ++ typeattribute $1 system_bus_type; ++ ++ domain_type($1) ++ domain_entry_file($1, $2) ++ ++ domtrans_pattern(system_dbusd_t, $2, $1) ++ init_system_domain($1, $2) ++ ++ ps_process_pattern($1, system_dbusd_t) ++ + ') + + ######################################## + ## -## Allow a application domain to be -## started by the specified session bus. -+## Connect to the system DBUS -+## for service (acquire_svc). ++## Use and inherit system DBUS file descriptors. ## ## ## 
@@ -18790,259 +19959,276 @@ index afcf3a2..e6ecc4d 100644 ## # -interface(`dbus_all_session_domain',` -+interface(`dbus_connect_session_bus',` ++interface(`dbus_use_system_bus_fds',` gen_require(` - type session_bus_type; -+ attribute session_bus_type; -+ class dbus acquire_svc; ++ type system_dbusd_t; ') - domtrans_pattern(session_bus_type, $2, $1) - - dbus_all_session_bus_client($1) - dbus_connect_all_session_bus($1) -+ allow $1 session_bus_type:dbus acquire_svc; ++ allow $1 system_dbusd_t:fd use; ') ######################################## ## -## Allow a application domain to be -## started by the specified session bus. -+## Allow a application domain to be started -+## by the session dbus. ++## Allow unconfined access to the system DBUS. ## -## -+## - ## +-## -## The prefix of the user role (e.g., user -## is the prefix for user_r). -+## User domain prefix to be used. - ## - ## +-## +-## ## -@@ -457,20 +304,21 @@ interface(`dbus_all_session_domain',` + ## +-## Type to be used as a domain. +-## +-## +-## +-## +-## Type of the program to be used as an +-## entry point to this domain. ++## Domain allowed access. ## ## # -interface(`dbus_spec_session_domain',` -+interface(`dbus_session_domain',` ++interface(`dbus_unconfined',` gen_require(` - type $1_dbusd_t; +- type $1_dbusd_t; ++ attribute dbusd_unconfined; ') - domtrans_pattern($1_dbusd_t, $2, $3) - +- domtrans_pattern($1_dbusd_t, $2, $3) +- - dbus_spec_session_bus_client($1, $2) - dbus_connect_spec_session_bus($1, $2) -+ dbus_session_bus_client($3) -+ dbus_connect_session_bus($3) ++ typeattribute $1 dbusd_unconfined; ') ######################################## ## -## Acquire service on the DBUS system bus. -+## Connect to the system DBUS -+## for service (acquire_svc). 
++## Delete all dbus pid files ## ## ## -@@ -489,7 +337,7 @@ interface(`dbus_connect_system_bus',` +@@ -478,18 +470,18 @@ interface(`dbus_spec_session_domain',` + ## + ## + # +-interface(`dbus_connect_system_bus',` ++interface(`dbus_delete_pid_files',` + gen_require(` +- type system_dbusd_t; +- class dbus acquire_svc; ++ type system_dbusd_var_run_t; + ') + +- allow $1 system_dbusd_t:dbus acquire_svc; ++ files_search_pids($1) ++ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) + ') ######################################## ## -## Send messages to the DBUS system bus. -+## Send a message on the system DBUS. ++## Read all dbus pid files ## ## ## -@@ -508,7 +356,7 @@ interface(`dbus_send_system_bus',` +@@ -497,98 +489,80 @@ interface(`dbus_connect_system_bus',` + ## + ## + # +-interface(`dbus_send_system_bus',` ++interface(`dbus_read_pid_files',` + gen_require(` +- type system_dbusd_t; +- class dbus send_msg; ++ type system_dbusd_var_run_t; + ') + +- allow $1 system_dbusd_t:dbus send_msg; ++ files_search_pids($1) ++ read_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) + ') ######################################## ## -## Unconfined access to DBUS system bus. -+## Allow unconfined access to the system DBUS. ++## Do not audit attempts to connect to ++## session bus types with a unix ++## stream socket. ## ## ## -@@ -527,8 +375,8 @@ interface(`dbus_system_bus_unconfined',` +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`dbus_system_bus_unconfined',` ++interface(`dbus_dontaudit_stream_connect_session_bus',` + gen_require(` +- type system_dbusd_t; +- class dbus all_dbus_perms; ++ attribute session_bus_type; + ') + +- allow $1 system_dbusd_t:dbus *; ++ dontaudit $1 session_bus_type:unix_stream_socket connectto; + ') ######################################## ## -## Create a domain for processes which -## can be started by the DBUS system bus. 
-+## Create a domain for processes -+## which can be started by the system dbus ++## Allow attempts to connect to ++## session bus types with a unix ++## stream socket. ## ## ## -@@ -543,33 +391,24 @@ interface(`dbus_system_bus_unconfined',` +-## Type to be used as a domain. +-## +-## +-## +-## +-## Type of the program to be used as an entry point to this domain. ++## Domain to not audit. + ## + ## # - interface(`dbus_system_domain',` +-interface(`dbus_system_domain',` ++interface(`dbus_stream_connect_session_bus',` gen_require(` -+ attribute system_bus_type; - type system_dbusd_t; - role system_r; +- type system_dbusd_t; +- role system_r; ++ attribute session_bus_type; ') -+ typeattribute $1 system_bus_type; - - domain_type($1) - domain_entry_file($1, $2) +- domain_type($1) +- domain_entry_file($1, $2) +- - role system_r types $1; - - domtrans_pattern(system_dbusd_t, $2, $1) - +- domtrans_pattern(system_dbusd_t, $2, $1) +- - dbus_system_bus_client($1) - dbus_connect_system_bus($1) - - ps_process_pattern(system_dbusd_t, $1) - - userdom_read_all_users_state($1) -+ ps_process_pattern($1, system_dbusd_t) - +- - ifdef(`hide_broken_symptoms', ` - dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write }; - ') ++ allow $1 session_bus_type:unix_stream_socket connectto; ') ######################################## ## -## Use and inherit DBUS system bus -## file descriptors. -+## Use and inherit system DBUS file descriptors. ++## Do not audit attempts to send dbus ++## messages to session bus types. ## ## ## -@@ -587,26 +426,25 @@ interface(`dbus_use_system_bus_fds',` +-## Domain allowed access. ++## Domain to not audit. 
+ ## + ## + # +-interface(`dbus_use_system_bus_fds',` ++interface(`dbus_chat_session_bus',` + gen_require(` +- type system_dbusd_t; ++ attribute session_bus_type; ++ class dbus send_msg; + ') + +- allow $1 system_dbusd_t:fd use; ++ allow $1 session_bus_type:dbus send_msg; ++ allow session_bus_type $1:dbus send_msg; + ') ######################################## ## -## Do not audit attempts to read and -## write DBUS system bus TCP sockets. -+## Allow unconfined access to the system DBUS. ++## Do not audit attempts to send dbus ++## messages to session bus types. ## ## ## --## Domain to not audit. -+## Domain allowed access. +@@ -596,28 +570,49 @@ interface(`dbus_use_system_bus_fds',` ## ## # -interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` -+interface(`dbus_unconfined',` ++interface(`dbus_dontaudit_chat_session_bus',` gen_require(` - type system_dbusd_t; -+ attribute dbusd_unconfined; ++ attribute session_bus_type; ++ class dbus send_msg; ') - dontaudit $1 system_dbusd_t:tcp_socket { read write }; -+ typeattribute $1 dbusd_unconfined; ++ dontaudit $1 session_bus_type:dbus send_msg; ') ######################################## ## -## Unconfined access to DBUS. -+## Delete all dbus pid files ++## Do not audit attempts to send dbus ++## messages to system bus types. ## ## ## -@@ -614,10 +452,91 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',` +-## Domain allowed access. ++## Domain to not audit. ## ## # -interface(`dbus_unconfined',` -+interface(`dbus_delete_pid_files',` ++interface(`dbus_dontaudit_chat_system_bus',` gen_require(` - attribute dbusd_unconfined; -+ type system_dbusd_var_run_t; ++ attribute system_bus_type; ++ class dbus send_msg; ') - typeattribute $1 dbusd_unconfined; -+ files_search_pids($1) -+ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) -+') -+ -+######################################## -+## -+## Read all dbus pid files -+## -+## -+## -+## Domain allowed access. 
-+## -+## -+# -+interface(`dbus_read_pid_files',` -+ gen_require(` -+ type system_dbusd_var_run_t; -+ ') -+ -+ files_search_pids($1) -+ read_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t) -+') -+ -+######################################## -+## -+## Do not audit attempts to connect to -+## session bus types with a unix -+## stream socket. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`dbus_dontaudit_stream_connect_session_bus',` -+ gen_require(` -+ attribute session_bus_type; -+ ') -+ -+ dontaudit $1 session_bus_type:unix_stream_socket connectto; -+') -+ -+######################################## -+## -+## Do not audit attempts to send dbus -+## messages to session bus types. -+## -+## -+## -+## Domain to not audit. -+## -+## -+# -+interface(`dbus_dontaudit_chat_session_bus',` -+ gen_require(` -+ attribute session_bus_type; -+ class dbus send_msg; -+ ') -+ -+ dontaudit $1 session_bus_type:dbus send_msg; ++ dontaudit $1 system_bus_type:dbus send_msg; ++ dontaudit system_bus_type $1:dbus send_msg; +') + -+######################################## ++####################################### +## -+## Do not audit attempts to send dbus -+## messages to system bus types. ++## Transition to dbus named content +## +## -+## -+## Domain to not audit. -+## ++## ++## Domain allowed access. ++## +## +# -+interface(`dbus_dontaudit_chat_system_bus',` -+ gen_require(` -+ attribute system_bus_type; -+ class dbus send_msg; -+ ') -+ -+ dontaudit $1 system_bus_type:dbus send_msg; -+ dontaudit system_bus_type $1:dbus send_msg; ++interface(`dbus_filetrans_named_content_system',` ++ gen_require(` ++ type system_dbusd_var_lib_t; ++ ') ++ files_var_filetrans($1, system_dbusd_var_lib_t, dir, "ibus") ') diff --git a/dbus.te b/dbus.te -index 2c2e7e1..493ab48 100644 +index 2c2e7e1..2ead441 100644 --- a/dbus.te +++ b/dbus.te @@ -1,20 +1,18 @@ 
@@ -19090,7 +20276,7 @@ index 2c2e7e1..493ab48 100644 ifdef(`enable_mcs',` init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh) -@@ -51,59 +47,58 @@ ifdef(`enable_mls',` +@@ -51,59 +47,61 @@ ifdef(`enable_mls',` init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh) ') @@ -19149,7 +20335,9 @@ index 2c2e7e1..493ab48 100644 -domain_use_interactive_fds(system_dbusd_t) -domain_read_all_domains_state(system_dbusd_t) -- ++dev_rw_inherited_input_dev(system_dbusd_t) ++dev_rw_inherited_dri(system_dbusd_t) + -files_list_home(system_dbusd_t) -files_read_usr_files(system_dbusd_t) +files_rw_inherited_non_security_files(system_dbusd_t) @@ -19167,7 +20355,7 @@ index 2c2e7e1..493ab48 100644 mls_fd_use_all_levels(system_dbusd_t) mls_rangetrans_target(system_dbusd_t) mls_file_read_all_levels(system_dbusd_t) -@@ -123,66 +118,159 @@ term_dontaudit_use_console(system_dbusd_t) +@@ -123,66 +121,159 @@ term_dontaudit_use_console(system_dbusd_t) auth_use_nsswitch(system_dbusd_t) auth_read_pam_console_data(system_dbusd_t) @@ -19225,10 +20413,9 @@ index 2c2e7e1..493ab48 100644 +optional_policy(` + gnome_exec_gconf(system_dbusd_t) + gnome_read_inherited_home_icc_data_files(system_dbusd_t) - ') - - optional_policy(` -- seutil_sigchld_newrole(system_dbusd_t) ++') ++ ++optional_policy(` + nis_use_ypbind(system_dbusd_t) +') + @@ -19245,9 +20432,10 @@ index 2c2e7e1..493ab48 100644 + +optional_policy(` + sysnet_domtrans_dhcpc(system_dbusd_t) -+') -+ -+optional_policy(` + ') + + optional_policy(` +- seutil_sigchld_newrole(system_dbusd_t) + systemd_use_fds_logind(system_dbusd_t) + systemd_write_inherited_logind_sessions_pipes(system_dbusd_t) + systemd_write_inhibit_pipes(system_dbusd_t) 
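Review bot: `dev_rw_inherited_input_dev(system_dbusd_t)` and `dev_rw_inherited_dri(system_dbusd_t)` widen the system bus daemon to read/write input-device and DRI descriptors without saying which caller hands those descriptors over, so a later cleanup has no way to tell whether they are still needed. As the `_inherited_` naming suggests these should only be read/write on an already-open fd rather than permission to open the nodes, which is exactly what a one-line why-comment should pin down, e.g. `# rw on inherited input/dri fds only; passed in by <caller> (see AVC that motivated this)` with the real caller filled in. The system_dbusd_t block these lines sit in starts and ends outside this hunk.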
@@ -19341,7 +20529,7 @@ index 2c2e7e1..493ab48 100644 kernel_read_kernel_sysctls(session_bus_type) corecmd_list_bin(session_bus_type) -@@ -191,23 +279,18 @@ corecmd_read_bin_files(session_bus_type) +@@ -191,23 +282,18 @@ corecmd_read_bin_files(session_bus_type) corecmd_read_bin_pipes(session_bus_type) corecmd_read_bin_sockets(session_bus_type) @@ -19366,7 +20554,7 @@ index 2c2e7e1..493ab48 100644 files_dontaudit_search_var(session_bus_type) fs_getattr_romfs(session_bus_type) -@@ -215,7 +298,6 @@ fs_getattr_xattr_fs(session_bus_type) +@@ -215,7 +301,6 @@ fs_getattr_xattr_fs(session_bus_type) fs_list_inotifyfs(session_bus_type) fs_dontaudit_list_nfs(session_bus_type) @@ -19374,7 +20562,7 @@ index 2c2e7e1..493ab48 100644 selinux_validate_context(session_bus_type) selinux_compute_access_vector(session_bus_type) selinux_compute_create_context(session_bus_type) -@@ -225,18 +307,36 @@ selinux_compute_user_contexts(session_bus_type) +@@ -225,18 +310,36 @@ selinux_compute_user_contexts(session_bus_type) auth_read_pam_console_data(session_bus_type) logging_send_audit_msgs(session_bus_type) @@ -19416,7 +20604,7 @@ index 2c2e7e1..493ab48 100644 ') ######################################## -@@ -244,5 +344,6 @@ optional_policy(` +@@ -244,5 +347,6 @@ optional_policy(` # Unconfined access to this module # @@ -20315,12 +21503,13 @@ index ff933af..cd1d88d 100644 +') + diff --git a/dhcp.fc b/dhcp.fc -index 7956248..5fee161 100644 +index 7956248..333d214 100644 --- a/dhcp.fc +++ b/dhcp.fc -@@ -1,4 +1,5 @@ +@@ -1,4 +1,6 @@ /etc/rc\.d/init\.d/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0) +/usr/lib/systemd/system/dhcpcd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0) ++/usr/lib/systemd/system/dhcpd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0) /usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0) 
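Review bot: The new `/usr/lib/systemd/system/dhcpd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)` entry is looser than the init-script line in the same file, which uses `dhcpd(6)?`; `dhcpd.*` will also label any future `dhcpd-something` unit as dhcpd_unit_file_t, and it now sits directly under the `dhcpcd.*` line, which is a different program. If the intent is the dhcpd and dhcpd6 units, `/usr/lib/systemd/system/dhcpd(6)?\.service -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)` says so exactly and mirrors the existing init-script pattern.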
@@ -21437,7 +22626,7 @@ index 23ab808..84735a8 100644 +/var/run/dnsmasq.* gen_context(system_u:object_r:dnsmasq_var_run_t,s0) /var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0) diff --git a/dnsmasq.if b/dnsmasq.if -index 19aa0b8..e34a540 100644 +index 19aa0b8..b9895ba 100644 --- a/dnsmasq.if +++ b/dnsmasq.if @@ -10,7 +10,6 @@ @@ -21581,27 +22770,40 @@ index 19aa0b8..e34a540 100644 read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t) ') -@@ -214,37 +292,49 @@ interface(`dnsmasq_create_pid_dirs',` +@@ -214,37 +292,66 @@ interface(`dnsmasq_create_pid_dirs',` ######################################## ## -## Create specified objects in specified -## directories with a type transition to -## the dnsmasq pid file type. -+## Transition to dnsmasq named content ++## Create dnsmasq pid directories. ## ## ## --## Domain allowed access. --## --## + ## Domain allowed access. + ## + ## -## -## -## Directory to transition on. -## -## -## --## ++# ++interface(`dnsmasq_read_state',` ++ gen_require(` ++ type dnsmasq_t; ++ ') ++ ps_process_pattern($1, dnsmasq_t) ++') ++ ++######################################## ++## ++## Transition to dnsmasq named content ++## ++## + ## -## The object class of the object being created. +## Domain allowed access. ## @@ -21649,7 +22851,7 @@ index 19aa0b8..e34a540 100644 ') ######################################## -@@ -267,12 +357,18 @@ interface(`dnsmasq_spec_filetrans_pid',` +@@ -267,12 +374,18 @@ interface(`dnsmasq_spec_filetrans_pid',` interface(`dnsmasq_admin',` gen_require(` type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t; @@ -21670,7 +22872,7 @@ index 19aa0b8..e34a540 100644 init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 dnsmasq_initrc_exec_t system_r; -@@ -281,9 +377,13 @@ interface(`dnsmasq_admin',` +@@ -281,9 +394,13 @@ interface(`dnsmasq_admin',` files_list_var_lib($1) admin_pattern($1, dnsmasq_lease_t) 
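Review bot: The header directly above the new `dnsmasq_read_state` interface reads `## Create dnsmasq pid directories.`, but the body is `ps_process_pattern($1, dnsmasq_t)`, i.e. it lets the caller read dnsmasq_t process state under /proc — the description and the interface disagree, and "pid directories" understates what is granted. Change the summary to `## Read dnsmasq process state (/proc/<pid> entries).` so callers can tell this is process introspection rather than a filesystem rule. The filetrans interface that follows carries the `Transition to dnsmasq named content` header, so only the first one is mislabelled.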
@@ -21686,7 +22888,7 @@ index 19aa0b8..e34a540 100644 + allow $1 dnsmasq_unit_file_t:service all_service_perms; ') diff --git a/dnsmasq.te b/dnsmasq.te -index ba14bcf..a3e6c7c 100644 +index ba14bcf..34a4c71 100644 --- a/dnsmasq.te +++ b/dnsmasq.te @@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t) @@ -21699,7 +22901,15 @@ index ba14bcf..a3e6c7c 100644 ######################################## # # Local policy -@@ -52,11 +55,14 @@ manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t) +@@ -38,6 +41,7 @@ allow dnsmasq_t self:packet_socket create_socket_perms; + allow dnsmasq_t self:rawip_socket create_socket_perms; + + read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t) ++list_dirs_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t) + + manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t) + files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file) +@@ -52,11 +56,14 @@ manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t) files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file }) kernel_read_kernel_sysctls(dnsmasq_t) @@ -21715,7 +22925,7 @@ index ba14bcf..a3e6c7c 100644 corenet_all_recvfrom_netlabel(dnsmasq_t) corenet_tcp_sendrecv_generic_if(dnsmasq_t) corenet_udp_sendrecv_generic_if(dnsmasq_t) -@@ -86,9 +92,9 @@ fs_search_auto_mountpoints(dnsmasq_t) +@@ -86,9 +93,9 @@ fs_search_auto_mountpoints(dnsmasq_t) auth_use_nsswitch(dnsmasq_t) @@ -21727,7 +22937,7 @@ index ba14bcf..a3e6c7c 100644 userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t) userdom_dontaudit_search_user_home_dirs(dnsmasq_t) -@@ -98,12 +104,21 @@ optional_policy(` +@@ -98,12 +105,21 @@ optional_policy(` ') optional_policy(` @@ -21750,7 +22960,7 @@ index ba14bcf..a3e6c7c 100644 ') optional_policy(` -@@ -124,6 +139,14 @@ optional_policy(` +@@ -124,6 +140,14 @@ optional_policy(` optional_policy(` virt_manage_lib_files(dnsmasq_t) @@ -21923,10 +23133,10 @@ index ef36d73..fddd51f 100644 sysnet_etc_filetrans_config(dnssec_triggerd_t) 
diff --git a/docker.fc b/docker.fc new file mode 100644 -index 0000000..484dd44 +index 0000000..1c4ac02 --- /dev/null +++ b/docker.fc -@@ -0,0 +1,12 @@ +@@ -0,0 +1,17 @@ +/usr/bin/docker -- gen_context(system_u:object_r:docker_exec_t,s0) + +/usr/lib/systemd/system/docker.service -- gen_context(system_u:object_r:docker_unit_file_t,s0) @@ -21936,22 +23146,26 @@ index 0000000..484dd44 +/var/run/docker\.pid -- gen_context(system_u:object_r:docker_var_run_t,s0) +/var/run/docker\.sock -s gen_context(system_u:object_r:docker_var_run_t,s0) + ++/var/lock/lxc(/.*)? gen_context(system_u:object_r:docker_lock_t,s0) ++ +/var/log/lxc(/.*)? gen_context(system_u:object_r:docker_log_t,s0) + -+/usr/lib/lxc/rootfs gen_context(system_u:object_r:mnt_t,s0) -\ No newline at end of file ++/var/lib/docker/init(/.*)? gen_context(system_u:object_r:docker_share_t,s0) ++/var/lib/docker/containers/.*/hosts gen_context(system_u:object_r:docker_share_t,s0) ++/var/lib/docker/containers/.*/hostname gen_context(system_u:object_r:docker_share_t,s0) ++/var/lib/docker/.*/config\.env gen_context(system_u:object_r:docker_share_t,s0) diff --git a/docker.if b/docker.if new file mode 100644 -index 0000000..097c75c +index 0000000..66fe66d --- /dev/null +++ b/docker.if -@@ -0,0 +1,202 @@ +@@ -0,0 +1,344 @@ + -+## policy for docker ++## The open-source application container engine. + +######################################## +## -+## Execute TEMPLATE in the docker domin. ++## Execute docker in the docker domain. +## +## +## @@ -21989,6 +23203,25 @@ index 0000000..097c75c + +######################################## +## ++## Execute docker lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`docker_exec_lib',` ++ gen_require(` ++ type docker_var_lib_t; ++ ') ++ ++ allow $1 docker_var_lib_t:dir search_dir_perms; ++ can_exec($1, docker_var_lib_t) ++') ++ ++######################################## ++## +## Read docker lib files. +## +## 
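Review bot: The four new docker_share_t entries (`/var/lib/docker/init(/.*)?`, `.../hosts`, `.../hostname`, `.*/config\.env`) carry no file-type field, so they also match directories, symlinks and sockets at those paths, while the rest of this file is careful to use `--` and `-s`. `hosts`, `hostname` and `config.env` are regular files that docker.te in this same patch creates via `filetrans_pattern(..., file, "hosts")` and friends, so `--` on those three lines would make the file contexts match what the policy actually creates. That matters because docker.te also grants `can_exec(docker_t, docker_share_t)`, so an unexpected directory or symlink named `hosts` would otherwise pick up an executable type.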
@@ -22008,6 +23241,25 @@ index 0000000..097c75c + +######################################## +## ++## Read docker share files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`docker_read_share_files',` ++ gen_require(` ++ type docker_share_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, docker_share_t, docker_share_t) ++') ++ ++######################################## ++## +## Manage docker lib files. +## +## @@ -22023,6 +23275,7 @@ index 0000000..097c75c + + files_search_var_lib($1) + manage_files_pattern($1, docker_var_lib_t, docker_var_lib_t) ++ manage_lnk_files_pattern($1, docker_var_lib_t, docker_var_lib_t) +') + +######################################## @@ -22046,6 +23299,41 @@ index 0000000..097c75c + +######################################## +## ++## Create objects in a docker var lib directory ++## with an automatic type transition to ++## a specified private type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to create. ++## ++## ++## ++## ++## The class of the object to be created. ++## ++## ++## ++## ++## The name of the object being created. ++## ++## ++# ++interface(`docker_lib_filetrans',` ++ gen_require(` ++ type docker_var_lib_t; ++ ') ++ ++ filetrans_pattern($1, docker_var_lib_t, $2, $3, $4) ++') ++ ++######################################## ++## +## Read docker PID files. +## +## 
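Review bot: `docker_exec_lib` is documented as `Execute docker lib directories.`, but what it grants is `can_exec($1, docker_var_lib_t)` — execution, in the caller's own domain with no transition, of any file labelled docker_var_lib_t, plus `search_dir_perms` on the directories. Since docker_var_lib_t is the type docker_t manages under /var/lib/docker per docker.te, callers are executing content the daemon writes there, which the summary should say: `## Execute files labelled docker_var_lib_t (the docker data directory) in the caller's domain, without a domain transition.` Naming it `docker_exec_lib_files` would also match the `docker_read_lib_files` interface right after it, if the name has not been published yet.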
@@ -22087,30 +23375,109 @@ index 0000000..097c75c + ps_process_pattern($1, docker_t) +') + ++######################################## ++## ++## Read and write docker shared memory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`docker_rw_sem',` ++ gen_require(` ++ type docker_t; ++ ') ++ ++ allow $1 docker_t:sem rw_sem_perms; ++') ++ ++####################################### ++## ++## Read and write the docker pty type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`docker_use_ptys',` ++ gen_require(` ++ type docker_devpts_t; ++ ') ++ ++ allow $1 docker_devpts_t:chr_file rw_term_perms; ++') ++ ++####################################### ++## ++## Allow domain to create docker content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`docker_filetrans_named_content',` ++ ++ gen_require(` ++ type docker_var_lib_t; ++ type docker_share_t; ++ type docker_log_t; ++ type docker_var_run_t; ++ ') ++ ++ files_pid_filetrans($1, docker_var_run_t, file, "docker.pid") ++ files_pid_filetrans($1, docker_var_run_t, sock_file, "docker.sock") ++ logging_log_filetrans($1, docker_log_t, dir, "lxc") ++ files_var_lib_filetrans($1, docker_var_lib_t, dir, "docker") ++ filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "config.env") ++ filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hosts") ++ filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hostname") ++ filetrans_pattern($1, docker_var_lib_t, docker_share_t, dir, "init") ++') + +######################################## +## -+## All of the rules required to administrate -+## an docker environment ++## Connect to docker over a unix stream socket. +## +## +## +## Domain allowed access. 
+## +## -+## ++# ++interface(`docker_stream_connect',` ++ gen_require(` ++ type docker_t, docker_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, docker_var_run_t, docker_var_run_t, docker_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an docker environment ++## ++## +## -+## Role allowed access. ++## Domain allowed access. +## +## -+## +# +interface(`docker_admin',` + gen_require(` + type docker_t; -+ type docker_var_lib_t; -+ type docker_var_run_t; -+ type docker_unit_file_t; ++ type docker_var_lib_t, docker_var_run_t; ++ type docker_unit_file_t; ++ type docker_lock_t; ++ type docker_log_t; + ') + + allow $1 docker_t:process { ptrace signal_perms }; @@ -22122,38 +23489,27 @@ index 0000000..097c75c + files_search_pids($1) + admin_pattern($1, docker_var_run_t) + ++ files_search_locks($1) ++ admin_pattern($1, docker_lock_t) ++ ++ logging_search_logs($1) ++ admin_pattern($1, docker_log_t) ++ + docker_systemctl($1) + admin_pattern($1, docker_unit_file_t) + allow $1 docker_unit_file_t:service all_service_perms; ++ + optional_policy(` + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) + ') +') -+ -+######################################## -+## -+## Read and write docker shared memory. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`docker_rw_sem',` -+ gen_require(` -+ type docker_t; -+ ') -+ -+ allow $1 docker_t:sem rw_sem_perms; -+') diff --git a/docker.te b/docker.te new file mode 100644 -index 0000000..1229d66 +index 0000000..c80e06c --- /dev/null +++ b/docker.te -@@ -0,0 +1,133 @@ +@@ -0,0 +1,265 @@ +policy_module(docker, 1.0.0) + +######################################## @@ -22161,35 +23517,70 @@ index 0000000..1229d66 +# Declarations +# + ++## ++##

++## Determine whether docker can ++## connect to all TCP ports. ++##

++##
++gen_tunable(docker_connect_any, false) ++ ++## ++##

++## Allow docker to transition to unconfined containers. ++##

++##
++gen_tunable(docker_transition_unconfined, false) ++ +type docker_t; +type docker_exec_t; +init_daemon_domain(docker_t, docker_exec_t) ++domain_subj_id_change_exemption(docker_t) ++domain_role_change_exemption(docker_t) + +type docker_var_lib_t; +files_type(docker_var_lib_t) + ++type docker_lock_t; ++files_lock_file(docker_lock_t) ++ +type docker_log_t; +logging_log_file(docker_log_t) + +type docker_tmp_t; +files_tmp_file(docker_tmp_t) + ++type docker_tmpfs_t; ++files_tmpfs_file(docker_tmpfs_t) ++ +type docker_var_run_t; +files_pid_file(docker_var_run_t) + +type docker_unit_file_t; +systemd_unit_file(docker_unit_file_t) + ++type docker_devpts_t; ++term_pty(docker_devpts_t) ++ ++type docker_share_t; ++files_type(docker_share_t) ++ +######################################## +# +# docker local policy +# -+allow docker_t self:capability { chown fowner fsetid mknod net_admin }; -+allow docker_t self:process signal_perms; ++allow docker_t self:capability { chown fowner fsetid mknod net_admin net_bind_service }; ++allow docker_t self:process { getattr signal_perms }; +allow docker_t self:fifo_file rw_fifo_file_perms; +allow docker_t self:unix_stream_socket create_stream_socket_perms; ++allow docker_t self:tcp_socket create_stream_socket_perms; ++allow docker_t self:udp_socket create_socket_perms; +allow docker_t self:capability2 block_suspend; + ++manage_dirs_pattern(docker_t, docker_lock_t, docker_lock_t) ++manage_files_pattern(docker_t, docker_lock_t, docker_lock_t) ++files_lock_filetrans(docker_t, docker_lock_t, { dir file }, "lxc") ++ +manage_dirs_pattern(docker_t, docker_log_t, docker_log_t) +manage_files_pattern(docker_t, docker_log_t, docker_log_t) +manage_lnk_files_pattern(docker_t, docker_log_t, docker_log_t) 
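Review bot: `domain_subj_id_change_exemption(docker_t)` and `domain_role_change_exemption(docker_t)` are added with no comment, and they exempt docker_t from the constraints that normally stop a domain from changing SELinux user and role across a transition; without a note on what consumes them they are the first thing a later cleanup drops or the last thing anyone questions. A line such as `# lets docker_t launch container processes under a different user/role (svirt sandbox transition)` pins the reason, assuming the `virt_transition_svirt_sandbox(docker_t, system_r)` call later in this file is the consumer, which is what it looks like from here. The two booleans are well described, and `docker_transition_unconfined` defaulting to false is the right default.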
@@ -22200,6 +23591,19 @@ index 0000000..1229d66 +manage_lnk_files_pattern(docker_t, docker_tmp_t, docker_tmp_t) +files_tmp_filetrans(docker_t, docker_tmp_t, { dir file lnk_file }) + ++manage_dirs_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t) ++manage_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t) ++manage_lnk_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t) ++manage_fifo_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t) ++manage_chr_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t) ++fs_tmpfs_filetrans(docker_t, docker_tmpfs_t, { dir file }) ++ ++manage_dirs_pattern(docker_t, docker_share_t, docker_share_t) ++manage_files_pattern(docker_t, docker_share_t, docker_share_t) ++manage_lnk_files_pattern(docker_t, docker_share_t, docker_share_t) ++can_exec(docker_t, docker_share_t) ++docker_filetrans_named_content(docker_t) ++ +manage_dirs_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) +manage_chr_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) +manage_blk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t) @@ -22213,9 +23617,13 @@ index 0000000..1229d66 +manage_lnk_files_pattern(docker_t, docker_var_run_t, docker_var_run_t) +files_pid_filetrans(docker_t, docker_var_run_t, { dir file lnk_file sock_file }) + ++allow docker_t docker_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; ++term_create_pty(docker_t, docker_devpts_t) ++ +kernel_read_system_state(docker_t) +kernel_read_network_state(docker_t) +kernel_read_all_sysctls(docker_t) ++kernel_rw_net_sysctls(docker_t) + +domain_use_interactive_fds(docker_t) + 
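Review bot: `fs_tmpfs_filetrans(docker_t, docker_tmpfs_t, { dir file })` only transitions directories and regular files, yet the block right above it manages `fifo_file` and `chr_file` objects of docker_tmpfs_t as well; a fifo or character node that docker_t itself creates on a tmpfs will inherit the parent directory's type instead, and those two manage rules then only ever apply to objects that arrive already labelled. Either extend it to `fs_tmpfs_filetrans(docker_t, docker_tmpfs_t, { dir file fifo_file chr_file })` or add a comment stating that the fifo/chr rules cover content labelled by something else. The `docker_filetrans_named_content(docker_t)` and `can_exec(docker_t, docker_share_t)` additions look consistent with the .if and .fc in this patch.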
@@ -22223,17 +23631,38 @@ index 0000000..1229d66 +corecmd_exec_shell(docker_t) + +corenet_tcp_bind_generic_node(docker_t) ++corenet_tcp_sendrecv_generic_if(docker_t) ++corenet_tcp_sendrecv_generic_node(docker_t) ++corenet_tcp_sendrecv_generic_port(docker_t) ++corenet_tcp_bind_all_ports(docker_t) ++corenet_tcp_connect_http_port(docker_t) ++corenet_tcp_connect_commplex_main_port(docker_t) ++corenet_udp_sendrecv_generic_if(docker_t) ++corenet_udp_sendrecv_generic_node(docker_t) ++corenet_udp_sendrecv_all_ports(docker_t) ++corenet_udp_bind_generic_node(docker_t) ++corenet_udp_bind_all_ports(docker_t) + +files_read_etc_files(docker_t) + +fs_read_cgroup_files(docker_t) ++fs_read_tmpfs_symlinks(docker_t) ++ ++storage_raw_rw_fixed_disk(docker_t) + +auth_use_nsswitch(docker_t) + ++init_read_state(docker_t) ++ ++logging_send_audit_msgs(docker_t) ++logging_send_syslog_msg(docker_t) ++ +miscfiles_read_localization(docker_t) + +mount_domtrans(docker_t) + ++seutil_read_default_contexts(docker_t) ++ +sysnet_dns_name_resolve(docker_t) +sysnet_exec_ifconfig(docker_t) + 
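Review bot: `storage_raw_rw_fixed_disk(docker_t)` gives the daemon read/write on fixed-disk block devices, which bypasses every file label on the system, and it is added with no comment; if it exists for a particular storage driver (devicemapper is the obvious guess, given the `dev_rw_lvm_control`/`dev_rw_loop_control` rules later in this file) say so: `# raw block access for the devicemapper storage driver`. Separately, `corenet_tcp_bind_all_ports(docker_t)` and `corenet_udp_bind_all_ports(docker_t)` are unconditional while outbound connects are gated on `docker_connect_any`; binding arbitrary ports for published container ports is plausible, but the asymmetry deserves a one-line note so it is not "fixed" in either direction later.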
@@ -22249,44 +23678,103 @@ index 0000000..1229d66 +# lxc rules +# + -+allow docker_t self:capability { sys_admin sys_boot dac_override setpcap sys_ptrace }; -+allow docker_t self:process { setsched signal_perms }; -+allow docker_t self:netlink_route_socket nlmsg_write; -+allow docker_t self:unix_dgram_socket create_socket_perms; ++allow docker_t self:capability { dac_override setgid setpcap setuid sys_admin sys_boot sys_chroot sys_ptrace }; ++ ++allow docker_t self:process { getcap setcap setexec setpgid setsched signal_perms }; ++ ++allow docker_t self:netlink_route_socket rw_netlink_socket_perms;; ++allow docker_t self:netlink_audit_socket create_netlink_socket_perms; ++allow docker_t self:unix_dgram_socket { create_socket_perms sendto }; ++allow docker_t self:unix_stream_socket { create_stream_socket_perms connectto }; + +allow docker_t docker_var_lib_t:dir mounton; ++allow docker_t docker_var_lib_t:chr_file mounton; ++can_exec(docker_t, docker_var_lib_t) + +kernel_setsched(docker_t) ++kernel_get_sysvipc_info(docker_t) ++kernel_request_load_module(docker_t) ++kernel_mounton_messages(docker_t) + +dev_getattr_all_blk_files(docker_t) ++dev_getattr_sysfs_fs(docker_t) +dev_read_urand(docker_t) +dev_read_lvm_control(docker_t) +dev_read_sysfs(docker_t) ++dev_rw_loop_control(docker_t) ++dev_rw_lvm_control(docker_t) + ++files_getattr_isid_type_dirs(docker_t) +files_manage_isid_type_dirs(docker_t) +files_manage_isid_type_files(docker_t) +files_manage_isid_type_symlinks(docker_t) +files_manage_isid_type_chr_files(docker_t) ++files_manage_isid_type_blk_files(docker_t) +files_exec_isid_files(docker_t) +files_mounton_isid(docker_t) +files_mounton_non_security(docker_t) ++files_mounton_isid_type_chr_file(docker_t) + +fs_mount_all_fs(docker_t) +fs_unmount_all_fs(docker_t) +fs_remount_all_fs(docker_t) ++files_mounton_isid(docker_t) +fs_manage_cgroup_dirs(docker_t) +fs_manage_cgroup_files(docker_t) ++fs_relabelfrom_xattr_fs(docker_t) ++fs_relabelfrom_tmpfs(docker_t) + 
+term_use_generic_ptys(docker_t) +term_use_ptmx(docker_t) +term_getattr_pty_fs(docker_t) ++term_relabel_pty_fs(docker_t) ++term_mounton_unallocated_ttys(docker_t) + +modutils_domtrans_insmod(docker_t) + +optional_policy(` ++ dbus_system_bus_client(docker_t) ++ init_dbus_chat(docker_t) ++ ++ optional_policy(` ++ systemd_dbus_chat_logind(docker_t) ++ ') ++') ++ ++optional_policy(` ++ udev_read_db(docker_t) ++') ++ ++optional_policy(` + virt_read_config(docker_t) + virt_exec(docker_t) ++ virt_stream_connect(docker_t) ++ virt_stream_connect_sandbox(docker_t) ++ virt_exec_sandbox_files(docker_t) ++ virt_manage_sandbox_files(docker_t) ++ virt_relabel_sandbox_filesystem(docker_t) ++ # for lxc ++ virt_transition_svirt_sandbox(docker_t, system_r) ++ virt_mounton_sandbox_file(docker_t) ++') ++ ++tunable_policy(`docker_connect_any',` ++ corenet_tcp_connect_all_ports(docker_t) ++ corenet_sendrecv_all_packets(docker_t) ++ corenet_tcp_sendrecv_all_ports(docker_t) ++') ++ ++optional_policy(` ++ tunable_policy(`docker_transition_unconfined',` ++ unconfined_transition(docker_t, docker_share_t) ++ unconfined_transition(docker_t, docker_var_lib_t) ++ ') ++') ++ ++optional_policy(` ++ unconfined_domain(docker_t) +') ++ diff --git a/dovecot.fc b/dovecot.fc index c880070..4448055 100644 --- a/dovecot.fc @@ -22363,7 +23851,7 @@ index c880070..4448055 100644 -/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) +/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0) diff --git a/dovecot.if b/dovecot.if -index dbcac59..66d42bb 100644 +index dbcac59..f3e446c 100644 --- a/dovecot.if +++ b/dovecot.if @@ -1,29 +1,49 @@ @@ -22490,8 +23978,30 @@ index dbcac59..66d42bb 100644 ##
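Review bot: The trailing `optional_policy(` unconfined_domain(docker_t) ')` makes docker_t an unconfined domain whenever the unconfined module is present, which on a targeted policy is the normal case, so every allow rule above it and both booleans (`docker_connect_any`, `docker_transition_unconfined`) have no effect until that block is removed. If shipping docker_t unconfined for now is deliberate, say so where a reader will look: `# docker_t is unconfined for now; the confined rules above are staged for when this block is dropped` — it cannot simply be moved under a boolean, since a type attribute assignment is not accepted inside tunable_policy. Two smaller nits in the same hunk: `rw_netlink_socket_perms;;` has a stray second semicolon, and `files_mounton_isid(docker_t)` now appears twice, once before `files_mounton_non_security` and again after `fs_remount_all_fs`.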
## ## -@@ -122,8 +138,8 @@ interface(`dovecot_write_inherited_tmp_files',` +@@ -120,10 +136,30 @@ interface(`dovecot_write_inherited_tmp_files',` + allow $1 dovecot_tmp_t:file write; + ') ++#################################### ++## ++## Read dovecot configuration file. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dovecot_read_config',` ++ gen_require(` ++ type dovecot_etc_t; ++ ') ++ ++ files_search_etc($1) ++ list_dirs_pattern($1, dovecot_etc_t, dovecot_etc_t) ++ read_files_pattern($1, dovecot_etc_t, dovecot_etc_t) ++') ++ ######################################## ## -## All of the rules required to @@ -22501,7 +24011,7 @@ index dbcac59..66d42bb 100644 ## ## ## -@@ -132,21 +148,24 @@ interface(`dovecot_write_inherited_tmp_files',` +@@ -132,21 +168,24 @@ interface(`dovecot_write_inherited_tmp_files',` ## ## ## @@ -22532,7 +24042,7 @@ index dbcac59..66d42bb 100644 init_labeled_script_domtrans($1, dovecot_initrc_exec_t) domain_system_change_exemption($1) -@@ -156,20 +175,25 @@ interface(`dovecot_admin',` +@@ -156,20 +195,25 @@ interface(`dovecot_admin',` files_list_etc($1) admin_pattern($1, dovecot_etc_t) @@ -22565,7 +24075,7 @@ index dbcac59..66d42bb 100644 + admin_pattern($1, dovecot_passwd_t) ') diff --git a/dovecot.te b/dovecot.te -index a7bfaf0..d4a79a1 100644 +index a7bfaf0..38bfca8 100644 --- a/dovecot.te +++ b/dovecot.te @@ -1,4 +1,4 @@ @@ -22926,7 +24436,7 @@ index a7bfaf0..d4a79a1 100644 allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms; append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t) -@@ -289,35 +316,43 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t +@@ -289,35 +316,44 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir }) allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; 
@@ -22953,6 +24463,7 @@ index a7bfaf0..d4a79a1 100644 -logging_search_logs(dovecot_deliver_t) +files_search_tmp(dovecot_deliver_t) +files_dontaudit_getattr_all_dirs(dovecot_deliver_t) ++files_search_all_mountpoints(dovecot_deliver_t) -tunable_policy(`use_nfs_home_dirs',` - fs_manage_nfs_dirs(dovecot_deliver_t) @@ -22987,7 +24498,7 @@ index a7bfaf0..d4a79a1 100644 mta_read_queue(dovecot_deliver_t) ') -@@ -326,5 +361,6 @@ optional_policy(` +@@ -326,5 +362,6 @@ optional_policy(` ') optional_policy(` @@ -23137,7 +24648,7 @@ index 9a21639..26c5986 100644 ') + diff --git a/drbd.te b/drbd.te -index 8e5ee54..6e11edb 100644 +index 8e5ee54..bdd8883 100644 --- a/drbd.te +++ b/drbd.te @@ -28,7 +28,7 @@ dontaudit drbd_t self:capability sys_tty_config; @@ -23149,7 +24660,13 @@ index 8e5ee54..6e11edb 100644 manage_dirs_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t) manage_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t) -@@ -46,10 +46,6 @@ dev_read_rand(drbd_t) +@@ -42,14 +42,12 @@ can_exec(drbd_t, drbd_exec_t) + + kernel_read_system_state(drbd_t) + ++corecmd_exec_bin(drbd_t) ++ + dev_read_rand(drbd_t) dev_read_sysfs(drbd_t) dev_read_urand(drbd_t) @@ -23532,9 +25049,18 @@ index 266cb8f..b619351 100644 + procmail_domtrans(dspam_t) +') diff --git a/entropyd.te b/entropyd.te -index a0da189..d8bc9d5 100644 +index a0da189..dc22b89 100644 --- a/entropyd.te +++ b/entropyd.te +@@ -12,7 +12,7 @@ policy_module(entropyd, 1.7.2) + ## the entropy feeds. + ##

+ ## +-gen_tunable(entropyd_use_audio, false) ++gen_tunable(entropyd_use_audio, true) + + type entropyd_t; + type entropyd_exec_t; @@ -45,9 +45,6 @@ dev_write_urand(entropyd_t) dev_read_rand(entropyd_t) dev_write_rand(entropyd_t) @@ -24119,7 +25645,7 @@ index 50d0084..6565422 100644 fail2ban_run_client($1, $2) diff --git a/fail2ban.te b/fail2ban.te -index 0872e50..95bb886 100644 +index 0872e50..cdea6d0 100644 --- a/fail2ban.te +++ b/fail2ban.te @@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t; @@ -24196,7 +25722,7 @@ index 0872e50..95bb886 100644 shorewall_domtrans(fail2ban_t) ') -@@ -129,22 +142,25 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read }; +@@ -129,22 +142,29 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read }; domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t) @@ -24226,11 +25752,15 @@ index 0872e50..95bb886 100644 - userdom_dontaudit_search_user_home_dirs(fail2ban_client_t) userdom_use_user_terminals(fail2ban_client_t) ++ ++optional_policy(` ++ apache_read_log(fail2ban_client_t) ++') diff --git a/fcoe.te b/fcoe.te -index 79b9273..76b7ed5 100644 +index 79b9273..28dec44 100644 --- a/fcoe.te +++ b/fcoe.te -@@ -20,20 +20,20 @@ files_pid_file(fcoemon_var_run_t) +@@ -20,25 +20,31 @@ files_pid_file(fcoemon_var_run_t) # Local policy # @@ -24255,6 +25785,17 @@ index 79b9273..76b7ed5 100644 logging_send_syslog_msg(fcoemon_t) + miscfiles_read_localization(fcoemon_t) + ++userdom_dgram_send(fcoemon_t) ++ + optional_policy(` + lldpad_dgram_send(fcoemon_t) + ') ++ ++optional_policy(` ++ networkmanager_dgram_send(fcoemon_t) ++') diff --git a/fetchmail.fc b/fetchmail.fc index 2486e2a..fef9bff 100644 --- a/fetchmail.fc @@ -24413,7 +25954,7 @@ index 21d7b84..0e272bd 100644 /etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0) diff --git a/firewalld.if b/firewalld.if -index 5cf6ac6..0fc685b 100644 +index 5cf6ac6..1893f7f 100644 --- a/firewalld.if 
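Review bot: This flips the shipped default of `entropyd_use_audio` from false to true, so every system running the entropy daemon now gets whatever sound-device access the boolean gates (presumably including the capture side) without an administrator opting in, and the upstream default was off for that reason. If the distribution wants it on by default, the decision should be visible in the tunable's own description, which is what admins see in `semanage boolean -l`, e.g. append `## Enabled by default in this distribution.` to the existing text, and it belongs in the package changelog. The description lines above the `gen_tunable` start outside this hunk.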
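Review bot: `apache_read_log(fail2ban_client_t)` puts Apache log read access on the client domain, although log parsing is the server's (fail2ban_t) job and what is visible of the client block here only gives it terminal use and a domtrans into fail2ban_t; if this came from an AVC it is worth checking that the denial really originated in fail2ban_client_t, since otherwise it is log exposure to a domain that does not need it. If it is genuine, a comment above the call such as `# fail2ban-client can read the jail's log files directly when testing filters` records why the client has it. The fail2ban_client_t block starts outside this hunk.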
+++ b/firewalld.if @@ -2,6 +2,66 @@ @@ -24513,7 +26054,12 @@ index 5cf6ac6..0fc685b 100644 ##
## ## -@@ -45,10 +124,14 @@ interface(`firewalld_admin',` +@@ -41,14 +120,18 @@ interface(`firewalld_dbus_chat',` + interface(`firewalld_admin',` + gen_require(` + type firewalld_t, firewalld_initrc_exec_t; +- type firewall_etc_rw_t, firewalld_var_run_t; ++ type firewalld_etc_rw_t, firewalld_var_run_t; type firewalld_var_log_t; ') @@ -24535,7 +26081,8 @@ index 5cf6ac6..0fc685b 100644 admin_pattern($1, firewalld_var_log_t) - files_search_etc($1) - admin_pattern($1, firewall_etc_rw_t) +- admin_pattern($1, firewall_etc_rw_t) ++ admin_pattern($1, firewalld_etc_rw_t) + + admin_pattern($1, firewalld_unit_file_t) + firewalld_systemctl($1) @@ -24960,18 +26507,19 @@ index c12c067..a415012 100644 optional_policy(` diff --git a/fprintd.te b/fprintd.te -index c81b6e8..34e1f1c 100644 +index c81b6e8..ed04b9e 100644 --- a/fprintd.te +++ b/fprintd.te -@@ -20,6 +20,7 @@ files_type(fprintd_var_lib_t) +@@ -20,6 +20,8 @@ files_type(fprintd_var_lib_t) allow fprintd_t self:capability sys_nice; allow fprintd_t self:process { getsched setsched signal sigkill }; allow fprintd_t self:fifo_file rw_fifo_file_perms; +allow fprintd_t self:netlink_kobject_uevent_socket create_socket_perms; ++allow fprintd_t self:unix_dgram_socket { create_socket_perms sendto }; manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) -@@ -28,16 +29,13 @@ kernel_read_system_state(fprintd_t) +@@ -28,15 +30,14 @@ kernel_read_system_state(fprintd_t) dev_list_usbfs(fprintd_t) dev_read_sysfs(fprintd_t) @@ -24985,11 +26533,11 @@ index c81b6e8..34e1f1c 100644 auth_use_nsswitch(fprintd_t) -miscfiles_read_localization(fprintd_t) -- ++logging_send_syslog_msg(fprintd_t) + userdom_use_user_ptys(fprintd_t) userdom_read_all_users_state(fprintd_t) - -@@ -54,8 +52,13 @@ optional_policy(` +@@ -54,8 +55,17 @@ optional_policy(` ') ') 
@@ -25002,8 +26550,324 @@ index c81b6e8..34e1f1c 100644 +') + +optional_policy(` ++ udev_read_db(fprintd_t) ++') ++ ++optional_policy(` + xserver_read_state_xdm(fprintd_t) ') +diff --git a/freeipmi.fc b/freeipmi.fc +new file mode 100644 +index 0000000..0942a2e +--- /dev/null ++++ b/freeipmi.fc +@@ -0,0 +1,17 @@ ++/usr/lib/systemd/system/bmc-watchdog.* -- gen_context(system_u:object_r:freeipmi_bmc_watchdog_unit_file_t,s0) ++/usr/lib/systemd/system/ipmidetectd.* -- gen_context(system_u:object_r:freeipmi_ipmidetectd_unit_file_t,s0) ++/usr/lib/systemd/system/ipmiseld.* -- gen_context(system_u:object_r:freeipmi_ipmiseld_unit_file_t,s0) ++ ++/usr/sbin/bmc-watchdog -- gen_context(system_u:object_r:freeipmi_bmc_watchdog_exec_t,s0) ++/usr/sbin/ipmidetectd -- gen_context(system_u:object_r:freeipmi_ipmidetectd_exec_t,s0) ++/usr/sbin/ipmiseld -- gen_context(system_u:object_r:freeipmi_ipmiseld_exec_t,s0) ++ ++/var/cache/ipmiseld(/.*)? gen_context(system_u:object_r:freeipmi_var_cache_t,s0) ++/var/cache/ipmimonitoringsdrcache(/.*)? gen_context(system_u:object_r:freeipmi_var_cache_t,s0) ++ ++/var/lib/freeipmi(/.*)? gen_context(system_u:object_r:freeipmi_var_lib_t,s0) ++ ++ ++/var/run/ipmidetectd\.pid -- gen_context(system_u:object_r:freeipmi_ipmidetectd_var_run_t,s0) ++/var/run/ipmiseld\.pid -- gen_context(system_u:object_r:freeipmi_ipmiseld_var_run_t,s0) ++/var/run/bmc-watchdog\.pid -- gen_context(system_u:object_r:freeipmi_bmc_watchdog_var_run_t,s0) +diff --git a/freeipmi.if b/freeipmi.if +new file mode 100644 +index 0000000..9715f27 +--- /dev/null ++++ b/freeipmi.if +@@ -0,0 +1,73 @@ ++## Remote-Console (out-of-band) and System Management Software (in-band) based on Intelligent Platform Management Interface specification ++ ++##################################### ++## ++## Creates types and rules for a basic ++## freeipmi init daemon domain. ++## ++## ++## ++## Prefix for the domain. 
++##
++##
++#
++template(`freeipmi_domain_template',`
++ gen_require(`
++ attribute freeipmi_domain, freeipmi_pid;
++ ')
++
++ #############################
++ #
++ # Declarations
++ #
++
++ type freeipmi_$1_t, freeipmi_domain;
++ type freeipmi_$1_exec_t;
++ init_daemon_domain(freeipmi_$1_t, freeipmi_$1_exec_t)
++ role system_r types freeipmi_$1_t;
++
++ type freeipmi_$1_unit_file_t;
++ systemd_unit_file(freeipmi_$1_unit_file_t)
++
++ type freeipmi_$1_var_run_t, freeipmi_pid;
++ files_pid_file(freeipmi_$1_var_run_t)
++
++ #############################
++ #
++ # Local policy
++ #
++
++ manage_files_pattern(freeipmi_$1_t, freeipmi_$1_var_run_t, freeipmi_$1_var_run_t)
++
++ kernel_read_system_state(freeipmi_$1_t)
++
++ corenet_all_recvfrom_netlabel(freeipmi_$1_t)
++ corenet_all_recvfrom_unlabeled(freeipmi_$1_t)
++
++ dev_read_raw_memory(freeipmi_$1_t)
++
++ auth_use_nsswitch(freeipmi_$1_t)
++
++ logging_send_syslog_msg(freeipmi_$1_t)
++')
++
++####################################
++##
++## Connect to cluster domains over a unix domain
++## stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`freeipmi_stream_connect',`
++ gen_require(`
++ attribute freeipmi_domain, freeipmi_pid;
++ ')
++
++ files_search_pids($1)
++ stream_connect_pattern($1, freeipmi_pid, freeipmi_pid, freeipmi_domain)
++')
++
+diff --git a/freeipmi.te b/freeipmi.te
+new file mode 100644
+index 0000000..8071a76
+--- /dev/null
++++ b/freeipmi.te
+@@ -0,0 +1,75 @@
++policy_module(freeipmi, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++attribute freeipmi_domain;
++attribute freeipmi_pid;
++
++freeipmi_domain_template(ipmidetectd)
++freeipmi_domain_template(ipmiseld)
++freeipmi_domain_template(bmc_watchdog)
++
++type freeipmi_var_lib_t;
++files_type(freeipmi_var_lib_t)
++
++type freeipmi_var_cache_t;
++files_type(freeipmi_var_cache_t)
++
++########################################
++#
++# freeipmi_domain local policy
++#
++
++allow freeipmi_domain self:fifo_file rw_fifo_file_perms;
++allow freeipmi_domain self:unix_stream_socket create_stream_socket_perms;
++allow freeipmi_domain self:sem create_sem_perms;
++allow freeipmi_domain self:tcp_socket { listen create_stream_socket_perms };
++
++manage_dirs_pattern(freeipmi_domain, freeipmi_var_cache_t, freeipmi_var_cache_t)
++manage_files_pattern(freeipmi_domain, freeipmi_var_cache_t, freeipmi_var_cache_t)
++manage_lnk_files_pattern(freeipmi_domain, freeipmi_var_cache_t, freeipmi_var_cache_t)
++files_var_filetrans(freeipmi_domain, freeipmi_var_cache_t, { dir })
++
++manage_dirs_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t)
++manage_files_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t)
++manage_lnk_files_pattern(freeipmi_domain, freeipmi_var_lib_t, freeipmi_var_lib_t)
++files_var_lib_filetrans(freeipmi_domain, freeipmi_var_lib_t, { dir })
++
++dev_read_rand(freeipmi_domain)
++dev_read_urand(freeipmi_domain)
++
++sysnet_dns_name_resolve(freeipmi_domain)
++
++#######################################
++#
++# bmc-watchdog local policy
++#
++
++files_pid_filetrans(freeipmi_bmc_watchdog_t, freeipmi_bmc_watchdog_var_run_t, file, "bmc-watchdog.pid")
++
++dev_rw_ipmi_dev(freeipmi_bmc_watchdog_t)
++
++allow freeipmi_bmc_watchdog_t freeipmi_ipmiseld_t:sem rw_sem_perms;
++
++#######################################
++#
++# ipmidetectd local policy
++#
++
++files_pid_filetrans(freeipmi_ipmidetectd_t, freeipmi_ipmidetectd_var_run_t, file, "ipmidetectd.pid")
++
++corenet_tcp_bind_freeipmi_port(freeipmi_ipmidetectd_t)
++
++#######################################
++#
++# ipmiseld local policy
++#
++
++allow freeipmi_ipmiseld_t self:capability sys_rawio;
++
++allow freeipmi_ipmiseld_t freeipmi_bmc_watchdog_t:sem rw_sem_perms;
++
++files_pid_filetrans(freeipmi_ipmiseld_t, freeipmi_ipmiseld_var_run_t, file, "ipmiseld.pid")
+diff --git a/freqset.fc b/freqset.fc
+new file mode 100644
+index 0000000..3cd9c38
+--- /dev/null
++++ b/freqset.fc
+@@ -0,0 +1 @@
++/usr/lib/enlightenment/modules/cpufreq/linux-gnu-[^/]*/freqset -- gen_context(system_u:object_r:freqset_exec_t,s0)
+diff --git a/freqset.if b/freqset.if
+new file mode 100644
+index 0000000..190ccc0
+--- /dev/null
++++ b/freqset.if
+@@ -0,0 +1,76 @@
++
++## policy for freqset
++
++########################################
++##
++## Execute TEMPLATE in the freqset domin.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`freqset_domtrans',`
++ gen_require(`
++ type freqset_t, freqset_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, freqset_exec_t, freqset_t)
++')
++
++########################################
++##
++## Execute freqset in the freqset domain, and
++## allow the specified role the freqset domain.
++##
++##
++##
++## Domain allowed to transition
++##
++##
++##
++##
++## The role to be allowed the freqset domain.
++## ++## ++# ++interface(`freqset_run',` ++ gen_require(` ++ type freqset_t; ++ attribute_role freqset_roles; ++ ') ++ ++ freqset_domtrans($1) ++ roleattribute $2 freqset_roles; ++') ++ ++######################################## ++## ++## Role access for freqset ++## ++## ++## ++## Role allowed access ++## ++## ++## ++## ++## User domain for the role ++## ++## ++# ++interface(`freqset_role',` ++ gen_require(` ++ type freqset_t; ++ attribute_role freqset_roles; ++ ') ++ ++ roleattribute $1 freqset_roles; ++ ++ freqset_domtrans($2) ++ ++ ps_process_pattern($2, freqset_t) ++ allow $2 freqset_t:process { signull signal sigkill }; ++') +diff --git a/freqset.te b/freqset.te +new file mode 100644 +index 0000000..0d09fbd +--- /dev/null ++++ b/freqset.te +@@ -0,0 +1,34 @@ ++policy_module(freqset, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++attribute_role freqset_roles; ++roleattribute system_r freqset_roles; ++ ++type freqset_t; ++type freqset_exec_t; ++application_domain(freqset_t, freqset_exec_t) ++ ++role freqset_roles types freqset_t; ++ ++######################################## ++# ++# freqset local policy ++# ++allow freqset_t self:capability { setuid }; ++ ++allow freqset_t self:fifo_file manage_fifo_file_perms; ++allow freqset_t self:unix_stream_socket create_stream_socket_perms; ++ ++dev_rw_sysfs(freqset_t) ++ ++domain_use_interactive_fds(freqset_t) ++ ++files_read_etc_files(freqset_t) ++ ++miscfiles_read_localization(freqset_t) ++ ++userdom_use_inherited_user_terminals(freqset_t) diff --git a/ftp.fc b/ftp.fc index ddb75c1..44f74e6 100644 --- a/ftp.fc @@ -25112,7 +26976,7 @@ index d062080..97fb494 100644 ftp_run_ftpdctl($1, $2) ') diff --git a/ftp.te b/ftp.te -index e50f33c..6edd471 100644 +index e50f33c..de8e914 100644 --- a/ftp.te +++ b/ftp.te @@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1) 
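Review bot: `dev_read_raw_memory(freeipmi_$1_t)` sits inside `freeipmi_domain_template` in freeipmi.if, so every domain stamped from it gets raw-memory read — including `freeipmi_ipmidetectd_t`, which freeipmi.te turns into a network listener with `corenet_tcp_bind_freeipmi_port`, and the shared `freeipmi_domain` attribute likewise gives all three daemons `tcp_socket { listen ... }`. Moving the raw-memory rule into the per-daemon sections of freeipmi.te that actually need it (the bmc-watchdog section already carries `dev_rw_ipmi_dev`, the ipmiseld section `sys_rawio`) keeps the listener least-privileged; if all three genuinely need it, a comment in the template saying so would stop the next reader from trimming it. Two documentation slips in the same hunk: `freeipmi_stream_connect`'s summary reads `Connect to cluster domains over a unix domain` (copied from another module) and should be `Connect to freeipmi domains over a unix domain`, and the `freqset_domtrans` summary `Execute TEMPLATE in the freqset domin.` should be `Execute freqset in the freqset domain.`. In freqset.te, `dev_rw_sysfs(freqset_t)` next to the `setuid` capability is much wider than a CPU-frequency knob; if no narrower sysfs type is available, a comment naming the sysfs path freqset writes would at least document the intent.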
@@ -25178,7 +27042,18 @@ index e50f33c..6edd471 100644 manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t) -@@ -201,14 +214,13 @@ logging_log_filetrans(ftpd_t, xferlog_t, file) +@@ -193,22 +206,19 @@ files_pid_filetrans(ftpd_t, ftpd_var_run_t, { file dir }) + + allow ftpd_t ftpdctl_tmp_t:sock_file delete_sock_file_perms; + +-allow ftpd_t xferlog_t:dir setattr_dir_perms; +-append_files_pattern(ftpd_t, xferlog_t, xferlog_t) +-create_files_pattern(ftpd_t, xferlog_t, xferlog_t) +-setattr_files_pattern(ftpd_t, xferlog_t, xferlog_t) +-logging_log_filetrans(ftpd_t, xferlog_t, file) ++manage_dirs_pattern(ftpd_t, xferlog_t, xferlog_t) ++manage_files_pattern(ftpd_t, xferlog_t, xferlog_t) ++logging_log_filetrans(ftpd_t, xferlog_t, { dir file }) kernel_read_kernel_sysctls(ftpd_t) kernel_read_system_state(ftpd_t) @@ -25194,7 +27069,7 @@ index e50f33c..6edd471 100644 corenet_all_recvfrom_netlabel(ftpd_t) corenet_tcp_sendrecv_generic_if(ftpd_t) corenet_udp_sendrecv_generic_if(ftpd_t) -@@ -224,9 +236,12 @@ corenet_tcp_bind_ftp_port(ftpd_t) +@@ -224,9 +234,12 @@ corenet_tcp_bind_ftp_port(ftpd_t) corenet_sendrecv_ftp_data_server_packets(ftpd_t) corenet_tcp_bind_ftp_data_port(ftpd_t) @@ -25208,7 +27083,7 @@ index e50f33c..6edd471 100644 files_read_etc_runtime_files(ftpd_t) files_search_var_lib(ftpd_t) -@@ -245,7 +260,6 @@ logging_send_audit_msgs(ftpd_t) +@@ -245,7 +258,6 @@ logging_send_audit_msgs(ftpd_t) logging_send_syslog_msg(ftpd_t) logging_set_loginuid(ftpd_t) @@ -25216,7 +27091,7 @@ index e50f33c..6edd471 100644 miscfiles_read_public_files(ftpd_t) seutil_dontaudit_search_config(ftpd_t) -@@ -254,32 +268,49 @@ sysnet_use_ldap(ftpd_t) +@@ -254,32 +266,50 @@ sysnet_use_ldap(ftpd_t) userdom_dontaudit_use_unpriv_user_fds(ftpd_t) userdom_dontaudit_search_user_home_dirs(ftpd_t) 
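Review bot: The rewritten xferlog rules in the ftp.te hunk replace `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` on `xferlog_t` with `manage_files_pattern` and `manage_dirs_pattern`, so `ftpd_t` can now truncate, overwrite and unlink its own transfer log instead of only appending to it. Append-only access to `xferlog_t` was a deliberate log-integrity property — a compromised ftpd could not erase its own trail — and the widened `logging_log_filetrans(ftpd_t, xferlog_t, { dir file })` only needs directory creation on top of it. Unless a specific ftp daemon is known to rewrite its log (the hunk gives no hint which), restoring `append_files_pattern` for files, keeping `manage_dirs_pattern` for the directory, and noting the exception in a comment would preserve the guarantee.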
@@ -25242,6 +27117,7 @@ index e50f33c..6edd471 100644 +tunable_policy(`ftpd_use_fusefs',` + fs_manage_fusefs_dirs(ftpd_t) + fs_manage_fusefs_files(ftpd_t) ++ fs_manage_fusefs_symlinks(ftpd_t) +',` + fs_search_fusefs(ftpd_t) +') @@ -25273,7 +27149,7 @@ index e50f33c..6edd471 100644 ') tunable_policy(`ftpd_use_passive_mode',` -@@ -299,22 +330,19 @@ tunable_policy(`ftpd_connect_db',` +@@ -299,22 +329,19 @@ tunable_policy(`ftpd_connect_db',` corenet_sendrecv_mssql_client_packets(ftpd_t) corenet_tcp_connect_mssql_port(ftpd_t) corenet_tcp_sendrecv_mssql_port(ftpd_t) @@ -25301,7 +27177,7 @@ index e50f33c..6edd471 100644 userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file }) ') -@@ -360,7 +388,7 @@ optional_policy(` +@@ -360,7 +387,7 @@ optional_policy(` selinux_validate_context(ftpd_t) kerberos_keytab_template(ftpd, ftpd_t) @@ -25310,7 +27186,7 @@ index e50f33c..6edd471 100644 ') optional_policy(` -@@ -410,21 +438,20 @@ optional_policy(` +@@ -410,21 +437,20 @@ optional_policy(` # stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t) @@ -25334,7 +27210,7 @@ index e50f33c..6edd471 100644 miscfiles_read_public_files(anon_sftpd_t) -@@ -437,23 +464,34 @@ tunable_policy(`sftpd_anon_write',` +@@ -437,23 +463,34 @@ tunable_policy(`sftpd_anon_write',` # Sftpd local policy # @@ -25375,7 +27251,7 @@ index e50f33c..6edd471 100644 ') tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',` -@@ -475,21 +513,11 @@ tunable_policy(`sftpd_anon_write',` +@@ -475,21 +512,11 @@ tunable_policy(`sftpd_anon_write',` tunable_policy(`sftpd_full_access',` allow sftpd_t self:capability { dac_override dac_read_search }; fs_read_noxattr_fs_files(sftpd_t) 
@@ -25475,6 +27351,413 @@ index fc3b036..10a1bbe 100644 sysnet_read_config(gatekeeper_t) userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t) +diff --git a/gear.fc b/gear.fc +new file mode 100644 +index 0000000..5eabf35 +--- /dev/null ++++ b/gear.fc +@@ -0,0 +1,7 @@ ++/usr/bin/gear -- gen_context(system_u:object_r:gear_exec_t,s0) ++ ++/usr/lib/systemd/system/gear.service -- gen_context(system_u:object_r:gear_unit_file_t,s0) ++ ++/var/lib/containers/bin/gear -- gen_context(system_u:object_r:gear_exec_t,s0) ++ ++/var/lib/gear(/.*)? gen_context(system_u:object_r:gear_var_lib_t,s0) +diff --git a/gear.if b/gear.if +new file mode 100644 +index 0000000..04e159f +--- /dev/null ++++ b/gear.if +@@ -0,0 +1,288 @@ ++ ++## The open-source application container engine. ++ ++######################################## ++## ++## Execute gear in the gear domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`gear_domtrans',` ++ gen_require(` ++ type gear_t, gear_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, gear_exec_t, gear_t) ++') ++ ++######################################## ++## ++## Search gear lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gear_search_lib',` ++ gen_require(` ++ type gear_var_lib_t; ++ ') ++ ++ allow $1 gear_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Execute gear lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gear_exec_lib',` ++ gen_require(` ++ type gear_var_lib_t; ++ ') ++ ++ allow $1 gear_var_lib_t:dir search_dir_perms; ++ can_exec($1, gear_var_lib_t) ++') ++ ++######################################## ++## ++## Read gear lib files. ++## ++## ++## ++## Domain allowed access. 
++##
++##
++#
++interface(`gear_read_lib_files',`
++ gen_require(`
++ type gear_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ read_files_pattern($1, gear_var_lib_t, gear_var_lib_t)
++')
++
++########################################
++##
++## Manage gear lib files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gear_manage_lib_files',`
++ gen_require(`
++ type gear_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_files_pattern($1, gear_var_lib_t, gear_var_lib_t)
++ manage_lnk_files_pattern($1, gear_var_lib_t, gear_var_lib_t)
++')
++
++########################################
++##
++## Manage gear lib directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gear_manage_lib_dirs',`
++ gen_require(`
++ type gear_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ manage_dirs_pattern($1, gear_var_lib_t, gear_var_lib_t)
++')
++
++########################################
++##
++## Create objects in a gear var lib directory
++## with an automatic type transition to
++## a specified private type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The type of the object to create.
++##
++##
++##
++##
++## The class of the object to be created.
++##
++##
++##
++##
++## The name of the object being created.
++##
++##
++#
++interface(`gear_lib_filetrans',`
++ gen_require(`
++ type gear_var_lib_t;
++ ')
++
++ filetrans_pattern($1, gear_var_lib_t, $2, $3, $4)
++')
++
++########################################
++##
++## Read gear PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gear_read_pid_files',`
++ gen_require(`
++ type gear_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, gear_var_run_t, gear_var_run_t)
++')
++
++########################################
++##
++## Execute gear server in the gear domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`gear_systemctl',`
++ gen_require(`
++ type gear_t;
++ type gear_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 gear_unit_file_t:file read_file_perms;
++ allow $1 gear_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, gear_t)
++')
++
++########################################
++##
++## Read and write gear shared memory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gear_rw_sem',`
++ gen_require(`
++ type gear_t;
++ ')
++
++ allow $1 gear_t:sem rw_sem_perms;
++')
++
++#######################################
++##
++## Read and write the gear pty type.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gear_use_ptys',`
++ gen_require(`
++ type gear_devpts_t;
++ ')
++
++ allow $1 gear_devpts_t:chr_file rw_term_perms;
++')
++
++#######################################
++##
++## Allow domain to create gear content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gear_filetrans_named_content',`
++ gen_require(`
++ type gear_var_lib_t;
++ type gear_var_run_t;
++ ')
++
++ files_pid_filetrans($1, gear_var_run_t, file, "gear.pid")
++ files_var_lib_filetrans($1, gear_var_lib_t, dir, "gear")
++')
++
++########################################
++##
++## All of the rules required to administrate
++## an gear environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gear_admin',`
++ gen_require(`
++ type gear_t;
++ type gear_var_lib_t, gear_var_run_t;
++ type gear_unit_file_t;
++ type gear_lock_t;
++ type gear_log_t;
++ ')
++
++ allow $1 gear_t:process { ptrace signal_perms };
++ ps_process_pattern($1, gear_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, gear_var_lib_t)
++
++ files_search_pids($1)
++ admin_pattern($1, gear_var_run_t)
++
++ logging_search_logs($1)
++ admin_pattern($1, gear_log_t)
++
++ gear_systemctl($1)
++ admin_pattern($1, gear_unit_file_t)
++ allow $1 gear_unit_file_t:service all_service_perms;
++')
+diff --git a/gear.te b/gear.te
+new file mode 100644
+index 0000000..6c32f79
+--- /dev/null
++++ b/gear.te
+@@ -0,0 +1,94 @@
++policy_module(gear, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type gear_t;
++type gear_exec_t;
++init_daemon_domain(gear_t, gear_exec_t)
++
++type gear_var_lib_t;
++files_type(gear_var_lib_t)
++
++type gear_log_t;
++logging_log_file(gear_log_t)
++
++type gear_var_run_t;
++files_pid_file(gear_var_run_t)
++
++type gear_unit_file_t;
++systemd_unit_file(gear_unit_file_t)
++
++########################################
++#
++# gear local policy
++#
++allow gear_t self:process { getattr signal_perms };
++allow gear_t self:fifo_file rw_fifo_file_perms;
++allow gear_t self:unix_stream_socket create_stream_socket_perms;
++allow gear_t self:tcp_socket create_stream_socket_perms;
++
++manage_dirs_pattern(gear_t, gear_log_t, gear_log_t)
++manage_files_pattern(gear_t, gear_log_t, gear_log_t)
++manage_lnk_files_pattern(gear_t, gear_log_t, gear_log_t)
++logging_log_filetrans(gear_t, gear_log_t, { dir file lnk_file })
++
++gear_filetrans_named_content(gear_t)
++
++manage_dirs_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
++manage_chr_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
++manage_blk_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
++manage_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t)
++manage_lnk_files_pattern(gear_t, gear_var_lib_t, gear_var_lib_t) ++files_var_lib_filetrans(gear_t, gear_var_lib_t, { dir file lnk_file }) ++ ++manage_dirs_pattern(gear_t, gear_var_run_t, gear_var_run_t) ++manage_files_pattern(gear_t, gear_var_run_t, gear_var_run_t) ++manage_sock_files_pattern(gear_t, gear_var_run_t, gear_var_run_t) ++manage_lnk_files_pattern(gear_t, gear_var_run_t, gear_var_run_t) ++files_pid_filetrans(gear_t, gear_var_run_t, { dir file lnk_file sock_file }) ++ ++kernel_read_system_state(gear_t) ++kernel_read_network_state(gear_t) ++kernel_read_all_sysctls(gear_t) ++kernel_rw_net_sysctls(gear_t) ++ ++domain_use_interactive_fds(gear_t) ++ ++corecmd_exec_bin(gear_t) ++corecmd_exec_shell(gear_t) ++ ++corenet_tcp_bind_generic_node(gear_t) ++corenet_tcp_sendrecv_generic_if(gear_t) ++corenet_tcp_sendrecv_generic_node(gear_t) ++corenet_tcp_sendrecv_generic_port(gear_t) ++corenet_tcp_bind_gear_port(gear_t) ++ ++files_read_etc_files(gear_t) ++ ++fs_read_cgroup_files(gear_t) ++fs_read_tmpfs_symlinks(gear_t) ++ ++auth_use_nsswitch(gear_t) ++ ++init_read_state(gear_t) ++init_dbus_chat(gear_t) ++ ++logging_send_audit_msgs(gear_t) ++logging_send_syslog_msg(gear_t) ++ ++miscfiles_read_localization(gear_t) ++ ++mount_domtrans(gear_t) ++ ++seutil_read_default_contexts(gear_t) ++ ++sysnet_dns_name_resolve(gear_t) ++ ++systemd_manage_all_unit_files(gear_t) ++ ++optional_policy(` ++ docker_stream_connect(gear_t) ++') diff --git a/gift.te b/gift.te index 395238e..af76abb 100644 --- a/gift.te @@ -25570,7 +27853,7 @@ index 1e29af1..6c64f55 100644 + userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git") +') diff --git a/git.te b/git.te -index 93b0301..ad8eb38 100644 +index 93b0301..6acc1f0 100644 --- a/git.te +++ b/git.te @@ -49,14 +49,6 @@ gen_tunable(git_session_users, false) 
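Review bot: `gear_admin` in gear.if requires `type gear_lock_t` and `gear_use_ptys` requires `type gear_devpts_t`, but gear.te in the same hunk declares only `gear_t`, `gear_exec_t`, `gear_var_lib_t`, `gear_log_t`, `gear_var_run_t` and `gear_unit_file_t`; unless those two types are declared elsewhere, any caller of these interfaces fails at policy build time on the unsatisfied require. Dropping `type gear_lock_t;` from `gear_admin` (its body never uses it) and declaring the pty type in gear.te (for example `type gear_devpts_t; term_pty(gear_devpts_t)`) resolves both. Separately, `gear_t` receives `systemd_manage_all_unit_files`, `init_dbus_chat` and `mount_domtrans` plus `manage_chr_files_pattern`/`manage_blk_files_pattern` on `gear_var_lib_t`, which together give a daemon near init-level control of the host and device-node creation under `/var/lib`; a comment in gear.te naming the gear operations that require unit-file management and device nodes would let a later reviewer trim these with confidence. Minor documentation point: `gear_rw_sem`'s summary says `Read and write gear shared memory.` while the rule grants `sem`, so it should read `Read and write gear semaphores.`.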
@@ -25633,7 +27916,30 @@ index 93b0301..ad8eb38 100644 files_search_var_lib(git_system_t) auth_use_nsswitch(git_system_t) -@@ -255,12 +252,9 @@ tunable_policy(`git_cgi_use_nfs',` +@@ -165,6 +162,10 @@ logging_send_syslog_msg(git_system_t) + + tunable_policy(`git_system_enable_homedirs',` + userdom_search_user_home_dirs(git_system_t) ++ list_dirs_pattern(httpd_git_script_t, git_user_content_t, git_user_content_t) ++ list_dirs_pattern(git_system_t, git_user_content_t, git_user_content_t) ++ read_files_pattern(git_system_t, git_user_content_t, git_user_content_t) ++ + ') + + tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs',` +@@ -248,6 +249,11 @@ tunable_policy(`git_cgi_use_nfs',` + fs_dontaudit_read_nfs_files(httpd_git_script_t) + ') + ++ ++optional_policy(` ++ gitosis_read_lib_files(httpd_git_script_t) ++') ++ + ######################################## + # + # Git global policy +@@ -255,12 +261,9 @@ tunable_policy(`git_cgi_use_nfs',` allow git_daemon self:fifo_file rw_fifo_file_perms; @@ -26017,10 +28323,10 @@ index 0000000..1ed97fe + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..0f9d485 +index 0000000..36ff903 --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,189 @@ +@@ -0,0 +1,200 @@ +policy_module(glusterfs, 1.0.1) + +## @@ -26073,6 +28379,9 @@ index 0000000..0f9d485 +type glusterd_var_lib_t; +files_type(glusterd_var_lib_t) + ++type glusterd_brick_t; ++files_type(glusterd_brick_t) ++ +######################################## +# +# Local policy 
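Review bot: The rules added inside `tunable_policy(`git_system_enable_homedirs',`` include `list_dirs_pattern(httpd_git_script_t, git_user_content_t, git_user_content_t)`, so a boolean named for the system daemon now also changes what the CGI domain may list; if that grant belongs with the CGI tunables (the `git_cgi_use_nfs` block is visible a few lines further down), moving it there keeps each boolean's effect matching its name. The added block also leaves a stray blank line (`++ `) before the closing `')`, and the new `optional_policy` for `gitosis_read_lib_files(httpd_git_script_t)` is preceded by two blank lines where the surrounding file uses one. The `gitosis_read_lib_files` grant is unconditional; a comment stating which CGI operation needs gitosis data would explain why it is not under a tunable.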
@@ -26109,10 +28418,18 @@ index 0000000..0f9d485 + +manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) +manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) -+#manage_sock_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) ++manage_sock_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) +files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir) +relabel_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) + ++manage_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) ++manage_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) ++manage_fifo_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) ++manage_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) ++relabel_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) ++relabel_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) ++relabel_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t) ++ +can_exec(glusterd_t, glusterd_exec_t) + +kernel_read_system_state(glusterd_t) @@ -26164,7 +28481,7 @@ index 0000000..0f9d485 +fs_unmount_all_fs(glusterd_t) +fs_getattr_all_fs(glusterd_t) + -+files_mounton_mnt(glusterd_t) ++files_mounton_non_security(glusterd_t) + +storage_rw_fuse(glusterd_t) + @@ -26418,10 +28735,10 @@ index fd02acc..0000000 - -miscfiles_read_localization(glusterd_t) diff --git a/gnome.fc b/gnome.fc -index e39de43..5818f74 100644 +index e39de43..6a6db28 100644 --- a/gnome.fc +++ b/gnome.fc -@@ -1,15 +1,58 @@ +@@ -1,15 +1,61 @@ -HOME_DIR/\.gconf(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) -HOME_DIR/\.gconfd(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) -HOME_DIR/\.gnome(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) 
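Review bot: `files_mounton_mnt(glusterd_t)` becomes `files_mounton_non_security(glusterd_t)` in hunk `@@ -26164,7 +28481,7 @@`, which lets glusterd mount over any non-security-labelled directory rather than only `/mnt`; together with the `fs_unmount_all_fs` already in context, that is close to unrestricted mount control for the daemon. If the mount targets are brick directories, the `glusterd_brick_t` type introduced in hunk `@@ -26109,10 +28418,18 @@` is the narrower target (`allow glusterd_t glusterd_brick_t:dir mounton;`), and in any case a comment naming the paths glusterd mounts on would justify the wide rule. Note also that no file-context entry for `glusterd_brick_t` appears in this chunk, so how brick paths receive the label (fc entry or administrator relabel) should be stated in the module summary.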
@@ -26435,6 +28752,7 @@ index e39de43..5818f74 100644 +HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0) +HOME_DIR/\.kde(/.*)? gen_context(system_u:object_r:config_home_t,s0) +HOME_DIR/\.nv(/.*)? gen_context(system_u:object_r:cache_home_t,s0) ++HOME_DIR/\.nv/GLCache(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) +HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) +HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0) @@ -26443,6 +28761,7 @@ index e39de43..5818f74 100644 +HOME_DIR/\.grl-bookmarks gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.cache/gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0) ++HOME_DIR/\.cache/GLCache(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0) +HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0) +HOME_DIR/\.local/share(/.*)? gen_context(system_u:object_r:data_home_t,s0) 
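Review bot: The new GLCache entries label `HOME_DIR/\.nv/GLCache(/.*)?` and (in hunk `@@ -26443,6 +28761,7 @@`) `HOME_DIR/\.cache/GLCache(/.*)?` as `gstreamer_home_t` while the enclosing `HOME_DIR/\.nv(/.*)?` stays `cache_home_t`, and nothing on the new side explains why a GL shader cache takes a type named for gstreamer. A short comment above the first entry, e.g. `# GLCache deliberately shares gstreamer_home_t: <reason>`, would stop the next editor from "correcting" it back to `cache_home_t`.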
@@ -26479,18 +28798,19 @@ index e39de43..5818f74 100644 +/usr/share/config(/.*)? gen_context(system_u:object_r:config_usr_t,s0) + /usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0) - --/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) --/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) ++/usr/bin/mate-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0) ++ +# Don't use because toolchain is broken +#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) + +/usr/libexec/gconf-defaults-mechanism -- gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0) -+ + +-/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) +-/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index d03fd43..0e04529 100644 +index d03fd43..af9415c 100644 --- a/gnome.if +++ b/gnome.if @@ -1,123 +1,157 @@ 
@@ -27204,58 +29524,92 @@ index d03fd43..0e04529 100644 ## -## Create, read, write, and delete -## generic gconf home content. -+## Manage a sock_file in the generic cache home files (.cache) ++## write to generic cache home files (.cache) ## ## ## -@@ -473,82 +519,73 @@ interface(`gnome_read_generic_gconf_home_content',` +@@ -473,22 +519,18 @@ interface(`gnome_read_generic_gconf_home_content',` ## ## # -interface(`gnome_manage_generic_gconf_home_content',` -+interface(`gnome_manage_generic_cache_sockets',` ++interface(`gnome_manage_generic_cache_files',` gen_require(` - type gconf_home_t; + type cache_home_t; ') ++ manage_files_pattern($1, cache_home_t, cache_home_t) userdom_search_user_home_dirs($1) - allow $1 gconf_home_t:dir manage_dir_perms; - allow $1 gconf_home_t:file manage_file_perms; - allow $1 gconf_home_t:fifo_file manage_fifo_file_perms; - allow $1 gconf_home_t:lnk_file manage_lnk_file_perms; - allow $1 gconf_home_t:sock_file manage_sock_file_perms; -+ manage_sock_files_pattern($1, cache_home_t, cache_home_t) ') ######################################## ## -## Search generic gconf home directories. ++## Manage a sock_file in the generic cache home files (.cache) + ## + ## + ## +@@ -496,79 +538,59 @@ interface(`gnome_manage_generic_gconf_home_content',` + ## + ## + # +-interface(`gnome_search_generic_gconf_home',` ++interface(`gnome_manage_generic_cache_sockets',` + gen_require(` +- type gconf_home_t; ++ type cache_home_t; + ') + + userdom_search_user_home_dirs($1) +- allow $1 gconf_home_t:dir search_dir_perms; ++ manage_sock_files_pattern($1, cache_home_t, cache_home_t) + ') + + ######################################## + ## +-## Create objects in user home +-## directories with the generic gconf +-## home type. +## Dontaudit read/write to generic cache home files (.cache) ## ## ## -## Domain allowed access. +-## +-## +-## +-## +-## Class of the object being created. +-## +-## +-## +-## +-## The name of the object being created. +## Domain to not audit. 
## ## # --interface(`gnome_search_generic_gconf_home',` +-interface(`gnome_home_filetrans_gconf_home',` +interface(`gnome_dontaudit_rw_generic_cache_files',` gen_require(` - type gconf_home_t; + type cache_home_t; ') -- userdom_search_user_home_dirs($1) -- allow $1 gconf_home_t:dir search_dir_perms; +- userdom_user_home_dir_filetrans($1, gconf_home_t, $2, $3) + dontaudit $1 cache_home_t:file rw_inherited_file_perms; ') ######################################## ## -## Create objects in user home --## directories with the generic gconf +-## directories with the generic gnome -## home type. +## read gnome homedir content (.config) ## @@ -27275,14 +29629,14 @@ index d03fd43..0e04529 100644 -## -## # --interface(`gnome_home_filetrans_gconf_home',` +-interface(`gnome_home_filetrans_gnome_home',` +interface(`gnome_read_config',` gen_require(` -- type gconf_home_t; +- type gnome_home_t; + attribute gnome_home_type; ') -- userdom_user_home_dir_filetrans($1, gconf_home_t, $2, $3) +- userdom_user_home_dir_filetrans($1, gnome_home_t, $2, $3) + list_dirs_pattern($1, gnome_home_type, gnome_home_type) + read_files_pattern($1, gnome_home_type, gnome_home_type) + read_lnk_files_pattern($1, gnome_home_type, gnome_home_type) @@ -27291,23 +29645,22 @@ index d03fd43..0e04529 100644 ######################################## ## --## Create objects in user home --## directories with the generic gnome --## home type. +-## Create objects in gnome gconf home +-## directories with a private type. +## Create objects in a Gnome gconf home directory +## with an automatic type transition to +## a specified private type. ## ## ## - ## Domain allowed access. - ## +@@ -577,12 +599,12 @@ interface(`gnome_home_filetrans_gnome_home',` ## -+## -+## + ## + ## +-## Private file type. +## The type of the object to create. -+## -+## + ## + ## ## ## -## Class of the object being created. 
@@ -27315,18 +29668,19 @@ index d03fd43..0e04529 100644 ## ## ## -@@ -557,52 +594,77 @@ interface(`gnome_home_filetrans_gconf_home',` +@@ -591,18 +613,18 @@ interface(`gnome_home_filetrans_gnome_home',` ##
## # --interface(`gnome_home_filetrans_gnome_home',` +-interface(`gnome_gconf_home_filetrans',` +interface(`gnome_data_filetrans',` gen_require(` -- type gnome_home_t; +- type gconf_home_t; + type data_home_t; ') -- userdom_user_home_dir_filetrans($1, gnome_home_t, $2, $3) +- userdom_search_user_home_dirs($1) +- filetrans_pattern($1, gconf_home_t, $2, $3, $4) + filetrans_pattern($1, data_home_t, $2, $3, $4) + gnome_search_gconf($1) ') @@ -27334,44 +29688,40 @@ index d03fd43..0e04529 100644 -######################################## +####################################### ## --## Create objects in gnome gconf home --## directories with a private type. +-## Read generic gnome keyring home files. +## Read generic data home files. ## ## ## - ## Domain allowed access. +@@ -610,46 +632,80 @@ interface(`gnome_gconf_home_filetrans',` ## ## --## --## --## Private file type. --## --## --## --## --## Class of the object being created. --## -+# + # +-interface(`gnome_read_keyring_home_files',` +interface(`gnome_read_generic_data_home_files',` -+ gen_require(` + gen_require(` +- type gnome_home_t, gnome_keyring_home_t; + type data_home_t, gconf_home_t; -+ ') -+ + ') + +- userdom_search_user_home_dirs($1) +- read_files_pattern($1, { gnome_home_t gnome_keyring_home_t }, gnome_keyring_home_t) + read_files_pattern($1, { gconf_home_t data_home_t }, data_home_t) + read_lnk_files_pattern($1, { gconf_home_t data_home_t }, data_home_t) -+') -+ + ') + +-######################################## +###################################### -+## + ## +-## Send and receive messages from +-## gnome keyring daemon over dbus. +## Read generic data home dirs. +## +## +## +## Domain allowed access. +## - ## --## ++## +# +interface(`gnome_read_generic_data_home_dirs',` + gen_require(` 
@@ -27384,49 +29734,49 @@ index d03fd43..0e04529 100644 +####################################### +## +## Manage gconf data home files -+## + ## +-## +## ## --## The name of the object being created. +-## The prefix of the user domain (e.g., user +-## is the prefix for user_t). +## Domain allowed access. ## ## - # --interface(`gnome_gconf_home_filetrans',` ++# +interface(`gnome_manage_data',` - gen_require(` ++ gen_require(` + type data_home_t; - type gconf_home_t; - ') - -- userdom_search_user_home_dirs($1) -- filetrans_pattern($1, gconf_home_t, $2, $3, $4) ++ type gconf_home_t; ++ ') ++ + allow $1 gconf_home_t:dir search_dir_perms; + manage_dirs_pattern($1, data_home_t, data_home_t) + manage_files_pattern($1, data_home_t, data_home_t) + manage_lnk_files_pattern($1, data_home_t, data_home_t) - ') - - ######################################## - ## --## Read generic gnome keyring home files. ++') ++ ++######################################## ++## +## Read icc data home content. - ## ++## ## ## -@@ -610,93 +672,126 @@ interface(`gnome_gconf_home_filetrans',` + ## Domain allowed access. ## ## # --interface(`gnome_read_keyring_home_files',` +-interface(`gnome_dbus_chat_gkeyringd',` +interface(`gnome_read_home_icc_data_content',` gen_require(` -- type gnome_home_t, gnome_keyring_home_t; +- type $1_gkeyringd_t; +- class dbus send_msg; + type icc_data_home_t, gconf_home_t, data_home_t; ') - userdom_search_user_home_dirs($1) -- read_files_pattern($1, { gnome_home_t gnome_keyring_home_t }, gnome_keyring_home_t) +- allow $2 $1_gkeyringd_t:dbus send_msg; +- allow $1_gkeyringd_t $2:dbus send_msg; ++ userdom_search_user_home_dirs($1) + allow $1 { gconf_home_t data_home_t }:dir search_dir_perms; + list_dirs_pattern($1, icc_data_home_t, icc_data_home_t) + read_files_pattern($1, icc_data_home_t, icc_data_home_t) 
@@ -27435,106 +29785,76 @@ index d03fd43..0e04529 100644 ######################################## ## --## Send and receive messages from +-## Send and receive messages from all -## gnome keyring daemon over dbus. +## Read inherited icc data home files. ## --## --## --## The prefix of the user domain (e.g., user --## is the prefix for user_t). --## --## ## ## - ## Domain allowed access. +@@ -657,46 +713,64 @@ interface(`gnome_dbus_chat_gkeyringd',` ## ## # --interface(`gnome_dbus_chat_gkeyringd',` +-interface(`gnome_dbus_chat_all_gkeyringd',` +interface(`gnome_read_inherited_home_icc_data_files',` gen_require(` -- type $1_gkeyringd_t; +- attribute gkeyringd_domain; - class dbus send_msg; + type icc_data_home_t; ') -- allow $2 $1_gkeyringd_t:dbus send_msg; -- allow $1_gkeyringd_t $2:dbus send_msg; +- allow $1 gkeyringd_domain:dbus send_msg; +- allow gkeyringd_domain $1:dbus send_msg; + allow $1 icc_data_home_t:file read_inherited_file_perms; ') ######################################## ## --## Send and receive messages from all --## gnome keyring daemon over dbus. +-## Connect to gnome keyring daemon +-## with a unix stream socket. +## Create gconf_home_t objects in the /root directory ## - ## - ## - ## Domain allowed access. - ## - ## -+## +-## ++## +## -+## The class of the object to be created. ++## Domain allowed access. +## +## -+## ++## +## -+## The name of the object being created. ++## The class of the object to be created. +## +## - # --interface(`gnome_dbus_chat_all_gkeyringd',` -+interface(`gnome_admin_home_gconf_filetrans',` - gen_require(` -- attribute gkeyringd_domain; -- class dbus send_msg; -+ type gconf_home_t; - ') - -- allow $1 gkeyringd_domain:dbus send_msg; -- allow gkeyringd_domain $1:dbus send_msg; -+ userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3) - ') - - ######################################## - ## --## Connect to gnome keyring daemon --## with a unix stream socket. 
-+## Do not audit attempts to read -+## inherited gconf config files. - ## --## -+## ++## ## -## The prefix of the user domain (e.g., user -## is the prefix for user_t). -+## Domain to not audit. ++## The name of the object being created. ## ## +# -+interface(`gnome_dontaudit_read_inherited_gconf_config_files',` ++interface(`gnome_admin_home_gconf_filetrans',` + gen_require(` -+ type gconf_etc_t; ++ type gconf_home_t; + ') + -+ dontaudit $1 gconf_etc_t:file read_inherited_file_perms; ++ userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3) +') + +######################################## +## -+## read gconf config files ++## Do not audit attempts to read ++## inherited gconf config files. +## ## ## - ## Domain allowed access. +-## Domain allowed access. ++## Domain to not audit. ## ## # -interface(`gnome_stream_connect_gkeyringd',` -+interface(`gnome_read_gconf_config',` ++interface(`gnome_dontaudit_read_inherited_gconf_config_files',` gen_require(` - type $1_gkeyringd_t, gnome_keyring_tmp_t; + type gconf_etc_t; @@ -27542,6 +29862,31 @@ index d03fd43..0e04529 100644 - files_search_tmp($2) - stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t) ++ dontaudit $1 gconf_etc_t:file read_inherited_file_perms; + ') + + ######################################## + ## +-## Connect to all gnome keyring daemon +-## with a unix stream socket. ++## read gconf config files + ## + ## + ## +@@ -704,12 +778,966 @@ interface(`gnome_stream_connect_gkeyringd',` + ## + ## + # +-interface(`gnome_stream_connect_all_gkeyringd',` ++interface(`gnome_read_gconf_config',` + gen_require(` +- attribute gkeyringd_domain; +- type gnome_keyring_tmp_t; ++ type gconf_etc_t; + ') + +- files_search_tmp($1) +- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain) + allow $1 gconf_etc_t:dir list_dir_perms; + read_files_pattern($1, gconf_etc_t, gconf_etc_t) + files_search_etc($1) 
@@ -27564,22 +29909,19 @@ index d03fd43..0e04529 100644 + + allow $1 gconf_etc_t:dir list_dir_perms; + manage_files_pattern($1, gconf_etc_t, gconf_etc_t) - ') - - ######################################## - ## --## Connect to all gnome keyring daemon --## with a unix stream socket. ++') ++ ++######################################## ++## +## Execute gconf programs in +## in the caller domain. - ## - ## - ## -@@ -704,12 +799,872 @@ interface(`gnome_stream_connect_gkeyringd',` - ## - ## - # --interface(`gnome_stream_connect_all_gkeyringd',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`gnome_exec_gconf',` + gen_require(` + type gconfd_exec_t; @@ -27924,6 +30266,23 @@ index d03fd43..0e04529 100644 + read_files_pattern($1, config_home_t, config_home_t) + read_lnk_files_pattern($1, config_home_t, config_home_t) +') ++####################################### ++## ++## append gnome homedir content (.config) ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_append_home_config',` ++ gen_require(` ++ type config_home_t; ++ ') ++ ++ append_files_pattern($1, config_home_t, config_home_t) ++') + +####################################### +## @@ -27943,6 +30302,24 @@ index d03fd43..0e04529 100644 + delete_files_pattern($1, config_home_t, config_home_t) +') + ++######################################## ++## ++## Create gnome homedir content (.config) ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_create_home_config_dirs',` ++ gen_require(` ++ type config_home_t; ++ ') ++ ++ allow $1 config_home_t:dir create_dir_perms; ++') ++ +####################################### +## +## setattr gnome homedir content (.config) 
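Review bot: `gnome_append_home_config` is spliced in directly after the `+')` that closes the preceding interface with no blank line before its `+#######################################` banner, while every other interface in this file is separated from its neighbour by one empty line. Insert a `+` blank line between `+')` and the banner so the new block follows the refpolicy layout the rest of the hunk keeps. The same hunk's later `gnome_create_home_config_dirs` addition does carry the separator, so only this one needs fixing.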
@@ -28053,6 +30430,24 @@ index d03fd43..0e04529 100644 + can_exec($1, gstreamer_home_t) +') + ++###################################### ++## ++## Allow to execute config home content files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_exec_config_home_files',` ++ gen_require(` ++ type config_home_t; ++ ') ++ ++ can_exec($1, config_home_t) ++') ++ +####################################### +## +## file name transition gstreamer home content files. @@ -28080,6 +30475,7 @@ index d03fd43..0e04529 100644 + userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".orc") + userdom_user_tmp_filetrans($1, gstreamer_home_t, dir, ".orc") + gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-0.12") ++ gnome_cache_filetrans($1, gstreamer_home_t, dir, "GLCache") + gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-0.10") + gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-1.0") + gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-1.2") @@ -28174,14 +30570,11 @@ index d03fd43..0e04529 100644 +## +# +interface(`gnome_dbus_chat_gkeyringd',` - gen_require(` - attribute gkeyringd_domain; -- type gnome_keyring_tmp_t; ++ gen_require(` ++ attribute gkeyringd_domain; + class dbus send_msg; - ') - -- files_search_tmp($1) -- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain) ++ ') ++ + allow $1 gkeyringd_domain:dbus send_msg; + allow gkeyringd_domain $1:dbus send_msg; +') @@ -28453,7 +30846,7 @@ index d03fd43..0e04529 100644 + type_transition $1 gkeyringd_exec_t:process $2; ') diff --git a/gnome.te b/gnome.te -index 20f726b..c6ff2a1 100644 +index 20f726b..5314f96 100644 --- a/gnome.te +++ b/gnome.te @@ -1,18 +1,36 @@ 
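Review bot: `gnome_exec_config_home_files` grants `can_exec($1, config_home_t)` but neither its summary `Allow to execute config home content files.` nor a comment says which caller needs to run content out of the user's `.config` tree, which this file elsewhere describes as gnome homedir content. Because the grant means the caller executes user-writable files in its own domain, record the motivating program and that consequence in the description, e.g. `## Execute user-owned files under the gnome config home (config_home_t) in the caller domain; the caller then trusts user-writable content.` That lets anyone adding a future caller judge whether the grant is appropriate for it.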
@@ -28497,7 +30890,7 @@ index 20f726b..c6ff2a1 100644 typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t }; typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t }; typealias gconf_home_t alias unconfined_gconf_home_t; -@@ -29,107 +47,226 @@ type gconfd_exec_t; +@@ -29,107 +47,227 @@ type gconfd_exec_t; typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t }; typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t }; userdom_user_application_domain(gconfd_t, gconfd_exec_t) @@ -28727,6 +31120,7 @@ index 20f726b..c6ff2a1 100644 +manage_dirs_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t) +manage_sock_files_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t) +files_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir) ++fs_tmpfs_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir) +userdom_user_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, { sock_file dir }) -kernel_read_system_state(gkeyringd_domain) @@ -28758,9 +31152,9 @@ index 20f726b..c6ff2a1 100644 optional_policy(` - telepathy_mission_control_read_state(gkeyringd_domain) ++ gnome_create_home_config_dirs(gkeyringd_domain) + gnome_read_home_config(gkeyringd_domain) -+ gnome_read_generic_cache_files(gkeyringd_domain) -+ gnome_write_generic_cache_files(gkeyringd_domain) ++ gnome_manage_generic_cache_files(gkeyringd_domain) + gnome_manage_cache_home_dir(gkeyringd_domain) + gnome_manage_generic_cache_sockets(gkeyringd_domain) ') @@ -29296,7 +31690,7 @@ index 180f1b7..951b790 100644 + userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg") +') diff --git a/gpg.te b/gpg.te -index 44cf341..8aa9dd9 100644 +index 44cf341..4af1ba0 100644 --- a/gpg.te +++ b/gpg.te @@ -1,47 +1,47 @@ 
@@ -29420,7 +31814,7 @@ index 44cf341..8aa9dd9 100644 +allow gpgdomain self:process { getsched setsched }; +#at setrlimit is for ulimit -c 0 +allow gpgdomain self:process { signal signull setrlimit getcap setcap setpgid }; -+dontaudit gpgdomain self:netlink_audit_socket r_netlink_socket_perms; ++dontaudit gpgdomain self:netlink_audit_socket { r_netlink_socket_perms nlmsg_relay }; + +allow gpgdomain self:fifo_file rw_fifo_file_perms; +allow gpgdomain self:tcp_socket create_stream_socket_perms; @@ -29597,7 +31991,7 @@ index 44cf341..8aa9dd9 100644 tunable_policy(`use_nfs_home_dirs',` fs_dontaudit_rw_nfs_files(gpg_helper_t) -@@ -207,29 +225,35 @@ tunable_policy(`use_samba_home_dirs',` +@@ -207,29 +225,36 @@ tunable_policy(`use_samba_home_dirs',` ######################################## # @@ -29605,11 +31999,12 @@ index 44cf341..8aa9dd9 100644 +# GPG agent local policy # +domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t) - ++ +# rlimit: gpg-agent wants to prevent coredumps - allow gpg_agent_t self:process setrlimit; ++allow gpg_agent_t self:process { setrlimit signal_perms }; + +-allow gpg_agent_t self:process setrlimit; -allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto }; -+ +allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto } ; allow gpg_agent_t self:fifo_file rw_fifo_file_perms; 
@@ -29633,17 +32028,19 @@ index 44cf341..8aa9dd9 100644 -kernel_dontaudit_search_sysctl(gpg_agent_t) +kernel_read_system_state(gpg_agent_t) ++kernel_read_core_if(gpg_agent_t) +corecmd_read_bin_symlinks(gpg_agent_t) -+corecmd_search_bin(gpg_agent_t) ++corecmd_exec_bin(gpg_agent_t) corecmd_exec_shell(gpg_agent_t) dev_read_rand(gpg_agent_t) -@@ -239,37 +263,40 @@ domain_use_interactive_fds(gpg_agent_t) +@@ -239,37 +264,41 @@ domain_use_interactive_fds(gpg_agent_t) fs_dontaudit_list_inotifyfs(gpg_agent_t) -miscfiles_read_localization(gpg_agent_t) ++miscfiles_read_certs(gpg_agent_t) -userdom_use_user_terminals(gpg_agent_t) +# Write to the user domain tty. @@ -29692,7 +32089,7 @@ index 44cf341..8aa9dd9 100644 ############################## # # Pinentry local policy -@@ -277,8 +304,17 @@ optional_policy(` +@@ -277,8 +306,17 @@ optional_policy(` allow gpg_pinentry_t self:process { getcap getsched setsched signal }; allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms; @@ -29711,7 +32108,7 @@ index 44cf341..8aa9dd9 100644 manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file) -@@ -287,53 +323,89 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) +@@ -287,53 +325,89 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t) fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir }) @@ -30103,10 +32500,10 @@ index 0000000..3ce0ac0 +') diff --git a/gssproxy.te b/gssproxy.te new file mode 100644 -index 0000000..5044e7b +index 0000000..bbd5979 --- /dev/null +++ b/gssproxy.te -@@ -0,0 +1,66 @@ +@@ -0,0 +1,68 @@ +policy_module(gssproxy, 1.0.0) + +######################################## 
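Review bot: The comment `# rlimit: gpg-agent wants to prevent coredumps` now precedes `allow gpg_agent_t self:process { setrlimit signal_perms };`, but it only explains `setrlimit`; the newly added `signal_perms` has no stated reason. Either widen the comment to cover both, e.g. `# setrlimit: gpg-agent disables coredumps; signal_perms: TODO state why`, or keep the two permissions on separate lines each with its own comment. The trailing `} ;` in `{ create_stream_socket_perms connectto } ;` on the next line also looks like an unintended stray space. The enclosing gpg-agent section continues outside the hunk.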
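Review bot: `corecmd_search_bin(gpg_agent_t)` is widened to `corecmd_exec_bin(gpg_agent_t)` with no comment naming the binary gpg-agent now needs to run; combined with the existing `corecmd_exec_shell(gpg_agent_t)` this lets the agent execute any bin_t program without leaving its domain. Add a why-comment above the line, e.g. `# exec_bin: gpg-agent runs <helper - confirm> in its own domain`, or, if the helper has its own domain (this file already defines a separate pinentry domain), prefer a domain transition so the agent stays confined. The `kernel_read_core_if(gpg_agent_t)` line added alongside would benefit from the same one-line justification.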
@@ -30131,6 +32528,7 @@ index 0000000..5044e7b +# +# gssproxy local policy +# ++allow gssproxy_t self:capability { setuid setgid }; +allow gssproxy_t self:capability2 block_suspend; +allow gssproxy_t self:fifo_file rw_fifo_file_perms; +allow gssproxy_t self:unix_stream_socket create_stream_socket_perms; @@ -30161,6 +32559,7 @@ index 0000000..5044e7b + +miscfiles_read_localization(gssproxy_t) + ++userdom_read_all_users_keys(gssproxy_t) +userdom_manage_user_tmp_dirs(gssproxy_t) +userdom_manage_user_tmp_files(gssproxy_t) + @@ -30325,10 +32724,10 @@ index 0000000..e2ae3b2 +/var/lib/hyperv(/.*)? gen_context(system_u:object_r:hypervkvp_var_lib_t,s0) diff --git a/hypervkvp.if b/hypervkvp.if new file mode 100644 -index 0000000..17c3627 +index 0000000..b7ca833 --- /dev/null +++ b/hypervkvp.if -@@ -0,0 +1,111 @@ +@@ -0,0 +1,134 @@ + +## policy for hypervkvp + @@ -30410,6 +32809,29 @@ index 0000000..17c3627 + manage_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t) +') + ++####################################### ++## ++## Execute hypervkvp server in the hypervkvp domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`hypervkvp_systemctl',` ++ gen_require(` ++ type hypervkvp_t; ++ type hypervkvp_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ allow $1 hypervkvp_unit_file_t:file read_file_perms; ++ allow $1 hypervkvp_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, hypervkvp_t) ++ ') ++ +######################################## +## +## All of the rules required to administrate @@ -30442,10 +32864,10 @@ index 0000000..17c3627 +') diff --git a/hypervkvp.te b/hypervkvp.te new file mode 100644 -index 0000000..d2ad022 +index 0000000..97144bc --- /dev/null +++ b/hypervkvp.te -@@ -0,0 +1,59 @@ +@@ -0,0 +1,79 @@ +policy_module(hypervkvp, 1.0.0) + +######################################## 
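Review bot: `allow gssproxy_t self:capability { setuid setgid };` is added without a comment explaining why the daemon changes its uid/gid, and the later hunk in this file adds `userdom_read_all_users_keys(gssproxy_t)`, which opens every user's kernel keyring to the daemon; both are broad grants that deserve a why-comment. Presumably gssproxy switches identity to act on behalf of the requesting user and reads credentials stored in that user's keyring - if so, say it: `# gssproxy changes to the requesting user's uid/gid to operate on its credentials` and `# per-user credential caches may live in kernel keyrings`. A reader auditing this domain later cannot recover that intent from the rules alone.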
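Review bot: The closing `')` of the new `hypervkvp_systemctl` is indented (`+ ')`) while every other interface in the file closes at column 0, breaking the refpolicy layout. Its summary `Execute hypervkvp server in the hypervkvp domain.` also describes a domain transition, but the interface actually grants systemctl control over the unit (`manage_service_perms` on `hypervkvp_unit_file_t`) plus `ps_process_pattern`; reword it to `## Start, stop, restart and inspect the hypervkvp service through systemctl.` The same copied summary wording recurs for `keepalived_systemctl` later in this commit.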
@@ -30486,6 +32908,11 @@ index 0000000..d2ad022 +allow hyperv_domain self:fifo_file rw_fifo_file_perms; +allow hyperv_domain self:unix_stream_socket create_stream_socket_perms; + ++corecmd_exec_shell(hyperv_domain) ++corecmd_exec_bin(hyperv_domain) ++ ++dev_read_sysfs(hyperv_domain) ++ +######################################## +# +# hypervkvp local policy @@ -30495,15 +32922,30 @@ index 0000000..d2ad022 +manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t) +files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir) + ++kernel_read_system_state(hypervkvp_t) ++kernel_read_network_state(hypervkvp_t) ++ ++files_dontaudit_search_home(hypervkvp_t) ++ ++auth_read_passwd(hypervkvp_t) ++ +logging_send_syslog_msg(hypervkvp_t) + +sysnet_dns_name_resolve(hypervkvp_t) + ++userdom_dontaudit_search_admin_dir(hypervkvp_t) ++ ++optional_policy(` ++ sysnet_exec_ifconfig(hypervkvp_t) ++') ++ +######################################## +# +# hypervvssd local policy +# + ++allow hypervvssd_t self:capability sys_admin; ++ +logging_send_syslog_msg(hypervvssd_t) diff --git a/i18n_input.te b/i18n_input.te index 3bed8fa..a738d7f 100644 @@ -30874,13 +33316,32 @@ index ca07a87..6ea129c 100644 + /usr/sbin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0) diff --git a/iodine.if b/iodine.if -index a0bfbd0..47f7c75 100644 +index a0bfbd0..a3b02e6 100644 --- a/iodine.if +++ b/iodine.if -@@ -2,6 +2,30 @@ +@@ -2,6 +2,49 @@ ######################################## ## ++## Execute NetworkManager with a domain transition. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`iodined_domtrans',` ++ gen_require(` ++ type iodined_t, iodined_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, iodined_exec_t, iodined_t) ++') ++ ++######################################## ++## +## Execute iodined server in the iodined domain. +## +## @@ -30909,9 +33370,15 @@ index a0bfbd0..47f7c75 100644 ## administrate an iodined environment ## 
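Review bot: `corecmd_exec_shell(hyperv_domain)` and `corecmd_exec_bin(hyperv_domain)` are granted on the shared attribute, so every domain carrying it - which appears to include `hypervvssd_t`, since the `hyperv_domain` rules sit in a common section ahead of the per-daemon ones - gains the ability to run arbitrary shell and bin_t programs, not only the KVP daemon that the later `sysnet_exec_ifconfig(hypervkvp_t)` suggests needs scripting. If only hypervkvp runs helper scripts, move the two lines into the `hypervkvp local policy` section as `corecmd_exec_shell(hypervkvp_t)` / `corecmd_exec_bin(hypervkvp_t)` and comment what they execute. The `allow hypervvssd_t self:capability sys_admin;` in the following hunk is likewise uncommented; a one-line reason (presumably the filesystem freeze/thaw ioctls a VSS daemon issues - confirm) would help.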
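Review bot: The summary of the new `iodined_domtrans` reads `Execute NetworkManager with a domain transition.`, a copy-paste leftover from another module; it should say `## Execute iodined with a domain transition.` Nothing else in the interface refers to NetworkManager, so the description is the only wrong part. The new `ipa.if` later in this commit carries the same kind of stale description.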
diff --git a/iodine.te b/iodine.te -index 94ec5f8..8556c27 100644 +index 94ec5f8..6cbbf7d 100644 --- a/iodine.te +++ b/iodine.te +@@ -1,4 +1,4 @@ +-policy_module(iodine, 1.0.2) ++policy_module(iodine, 1.1.0) + + ######################################## + # @@ -12,6 +12,9 @@ init_daemon_domain(iodined_t, iodined_exec_t) type iodined_initrc_exec_t; init_script_file(iodined_initrc_exec_t) 
@@ -30922,23 +33389,167 @@ index 94ec5f8..8556c27 100644 ######################################## # # Local policy -@@ -43,7 +46,6 @@ corenet_udp_sendrecv_dns_port(iodined_t) +@@ -43,7 +46,7 @@ corenet_udp_sendrecv_dns_port(iodined_t) corecmd_exec_shell(iodined_t) -files_read_etc_files(iodined_t) ++auth_use_nsswitch(iodined_t) logging_send_syslog_msg(iodined_t) +diff --git a/ipa.fc b/ipa.fc +new file mode 100644 +index 0000000..48d7322 +--- /dev/null ++++ b/ipa.fc +@@ -0,0 +1,6 @@ ++/usr/lib/systemd/system/ipa-otpd.* -- gen_context(system_u:object_r:ipa_otpd_unit_file_t,s0) ++ ++/usr/libexec/ipa-otpd -- gen_context(system_u:object_r:ipa_otpd_exec_t,s0) ++ ++/var/lib/ipa(/.*)? gen_context(system_u:object_r:ipa_var_lib_t,s0) ++ +diff --git a/ipa.if b/ipa.if +new file mode 100644 +index 0000000..a2af18e +--- /dev/null ++++ b/ipa.if +@@ -0,0 +1,76 @@ ++## Policy for IPA services. ++ ++######################################## ++## ++## Execute rtas_errd in the rtas_errd domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ipa_domtrans_otpd',` ++ gen_require(` ++ type ipa_otpd_t, ipa_otpd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, ipa_otpd_exec_t, ipa_otpd_t) ++') ++ ++######################################## ++## ++## Connect to ipa-otpd over a unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipa_stream_connect_otpd',` ++ gen_require(` ++ type ipa_otpd_t; ++ ') ++ allow $1 ipa_otpd_t:unix_stream_socket connectto; ++') ++ ++######################################## ++## ++## Allow domain to manage ipa lib files/dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipa_manage_lib',` ++ gen_require(` ++ type ipa_var_lib_t; ++ ') ++ ++ manage_files_pattern($1, ipa_var_lib_t, ipa_var_lib_t) ++ manage_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t) ++') ++ ++######################################## ++## ++## Allow domain to manage ipa lib files/dirs. 
++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`ipa_read_lib',` ++ gen_require(` ++ type ipa_var_lib_t; ++ ') ++ ++ read_files_pattern($1, ipa_var_lib_t, ipa_var_lib_t) ++ list_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t) ++') ++ +diff --git a/ipa.te b/ipa.te +new file mode 100644 +index 0000000..b60bc5f +--- /dev/null ++++ b/ipa.te +@@ -0,0 +1,43 @@ ++policy_module(ipa, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++attribute ipa_domain; ++ ++type ipa_otpd_t, ipa_domain; ++type ipa_otpd_exec_t; ++init_daemon_domain(ipa_otpd_t, ipa_otpd_exec_t) ++ ++type ipa_otpd_unit_file_t; ++systemd_unit_file(ipa_otpd_unit_file_t) ++ ++type ipa_var_lib_t; ++files_type(ipa_var_lib_t) ++ ++######################################## ++# ++# ipa_otpd local policy ++# ++ ++allow ipa_otpd_t self:capability2 block_suspend; ++ ++allow ipa_otpd_t self:fifo_file rw_fifo_file_perms; ++allow ipa_otpd_t self:unix_stream_socket create_stream_socket_perms; ++ ++corenet_tcp_connect_radius_port(ipa_otpd_t) ++ ++dev_read_urand(ipa_otpd_t) ++dev_read_rand(ipa_otpd_t) ++ ++sysnet_dns_name_resolve(ipa_otpd_t) ++ ++optional_policy(` ++ dirsrv_stream_connect(ipa_otpd_t) ++') ++ ++optional_policy(` ++ kerberos_use(ipa_otpd_t) ++') diff --git a/irc.fc b/irc.fc -index 48e7739..c3285c2 100644 +index 48e7739..1bf0326 100644 --- a/irc.fc +++ b/irc.fc @@ -1,6 +1,6 @@ HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0) HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irc_home_t,s0) -HOME_DIR/irclogs(/.*)? gen_context(system_u:object_r:irc_log_home_t,s0) -+HOME_DIR/irclog(/.*)? gen_context(system_u:object_r:issi_home_t,s0) ++HOME_DIR/irclog(/.*)? gen_context(system_u:object_r:irc_home_t,s0) /etc/irssi\.conf -- gen_context(system_u:object_r:irc_conf_t,s0) @@ -31006,7 +33617,7 @@ index ac00fb0..36ef2e5 100644 + userdom_user_home_dir_filetrans($1, irssi_home_t, dir, "irclogs") ') 
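Review bot: The new `irc.fc` line `HOME_DIR/irclog(/.*)? gen_context(system_u:object_r:irc_home_t,s0)` does not agree with the filetrans shown as context in the next hunk, `userdom_user_home_dir_filetrans($1, irssi_home_t, dir, "irclogs")`: the directory the policy creates is named `irclogs` and typed `irssi_home_t`, but the file-context pattern matches only `irclog` and labels it `irc_home_t`, so a relabel would replace the type the transition assigned. One of the two should change; if `~/irclogs` with `irssi_home_t` is the intended layout, the fc line becomes `HOME_DIR/irclogs(/.*)? gen_context(system_u:object_r:irssi_home_t,s0)`. Separately, in the new `ipa.if` the `ipa_domtrans_otpd` summary `Execute rtas_errd in the rtas_errd domin.` is a copy-paste error (should be `Execute ipa-otpd in the ipa_otpd domain.`), `ipa_read_lib` repeats the manage summary instead of `Allow domain to read ipa lib files/dirs.`, and `ipa_stream_connect_otpd` lacks the blank line after `gen_require` that its siblings have.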
diff --git a/irc.te b/irc.te -index ecad9c7..e413e5a 100644 +index ecad9c7..abf0b2d 100644 --- a/irc.te +++ b/irc.te @@ -31,13 +31,35 @@ typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t @@ -31064,23 +33675,27 @@ index ecad9c7..e413e5a 100644 manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t) manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t) -@@ -70,7 +86,6 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file }) +@@ -70,7 +86,9 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file }) kernel_read_system_state(irc_t) -corenet_all_recvfrom_unlabeled(irc_t) ++corecmd_exec_shell(irc_t) ++corecmd_exec_bin(irc_t) ++ corenet_all_recvfrom_netlabel(irc_t) corenet_tcp_sendrecv_generic_if(irc_t) corenet_tcp_sendrecv_generic_node(irc_t) -@@ -93,7 +108,6 @@ dev_read_rand(irc_t) +@@ -93,8 +111,6 @@ dev_read_rand(irc_t) domain_use_interactive_fds(irc_t) -files_read_usr_files(irc_t) - +- fs_getattr_all_fs(irc_t) fs_search_auto_mountpoints(irc_t) -@@ -106,15 +120,18 @@ auth_use_nsswitch(irc_t) + +@@ -106,15 +122,18 @@ auth_use_nsswitch(irc_t) init_read_utmp(irc_t) init_dontaudit_lock_utmp(irc_t) @@ -31101,7 +33716,7 @@ index ecad9c7..e413e5a 100644 corenet_sendrecv_all_server_packets(irc_t) corenet_tcp_bind_all_unreserved_ports(irc_t) corenet_sendrecv_all_client_packets(irc_t) -@@ -122,18 +139,71 @@ tunable_policy(`irc_use_any_tcp_ports',` +@@ -122,18 +141,71 @@ tunable_policy(`irc_use_any_tcp_ports',` corenet_tcp_sendrecv_all_ports(irc_t) ') @@ -31138,7 +33753,7 @@ index ecad9c7..e413e5a 100644 + +kernel_read_system_state(irssi_t) + -+corecmd_search_bin(irssi_t) ++corecmd_exec_shell(irssi_t) +corecmd_read_bin_symlinks(irssi_t) + +corenet_tcp_connect_ircd_port(irssi_t) 
@@ -31280,10 +33895,38 @@ index 08b7560..417e630 100644 +/usr/lib/systemd/system/((iscsi)|(iscsid)|(iscsiuio))\.service -- gen_context(system_u:object_r:iscsi_unit_file_t,s0) +/usr/lib/systemd/system/((iscsid)|(iscsiuio))\.socket -- gen_context(system_u:object_r:iscsi_unit_file_t,s0) diff --git a/iscsi.if b/iscsi.if -index 1a35420..4b9b978 100644 +index 1a35420..2ea1241 100644 --- a/iscsi.if +++ b/iscsi.if -@@ -80,17 +80,31 @@ interface(`iscsi_read_lib_files',` +@@ -22,6 +22,27 @@ interface(`iscsid_domtrans',` + ######################################## + ## + ## Create, read, write, and delete ++## iscsid lock files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`iscsi_manage_lock',` ++ gen_require(` ++ type iscsi_lock_t; ++ ') ++ ++ files_search_locks($1) ++ manage_files_pattern($1, iscsi_lock_t, iscsi_lock_t) ++ manage_dirs_pattern($1, iscsi_lock_t, iscsi_lock_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete + ## iscsid sempaphores. + ## + ## +@@ -80,17 +101,31 @@ interface(`iscsi_read_lib_files',` ######################################## ## @@ -31320,7 +33963,7 @@ index 1a35420..4b9b978 100644 ## ## ## -@@ -99,16 +113,15 @@ interface(`iscsi_admin',` +@@ -99,16 +134,15 @@ interface(`iscsi_admin',` gen_require(` type iscsid_t, iscsi_lock_t, iscsi_log_t; type iscsi_var_lib_t, iscsi_var_run_t, iscsi_tmp_t; @@ -31342,7 +33985,7 @@ index 1a35420..4b9b978 100644 logging_search_logs($1) admin_pattern($1, iscsi_log_t) diff --git a/iscsi.te b/iscsi.te -index 57304e4..46e5e3d 100644 +index 57304e4..56d45ec 100644 --- a/iscsi.te +++ b/iscsi.te @@ -9,8 +9,8 @@ type iscsid_t; 
@@ -31366,7 +34009,20 @@ index 57304e4..46e5e3d 100644 allow iscsid_t self:process { setrlimit setsched signal }; allow iscsid_t self:fifo_file rw_fifo_file_perms; allow iscsid_t self:unix_stream_socket { accept connectto listen }; -@@ -64,11 +63,12 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file) +@@ -55,20 +54,22 @@ manage_dirs_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t) + manage_files_pattern(iscsid_t, iscsi_tmp_t, iscsi_tmp_t) + fs_tmpfs_filetrans(iscsid_t, iscsi_tmp_t, { dir file }) + +-allow iscsid_t iscsi_var_lib_t:dir list_dir_perms; +-read_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t) +-read_lnk_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t) ++manage_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t) ++manage_lnk_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t) ++manage_dirs_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t) ++files_var_lib_filetrans(iscsid_t, iscsi_var_lib_t, dir) + + manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t) + files_pid_filetrans(iscsid_t, iscsi_var_run_t, file) can_exec(iscsid_t, iscsid_exec_t) @@ -31380,7 +34036,7 @@ index 57304e4..46e5e3d 100644 corenet_all_recvfrom_netlabel(iscsid_t) corenet_tcp_sendrecv_generic_if(iscsid_t) corenet_tcp_sendrecv_generic_node(iscsid_t) -@@ -85,21 +85,26 @@ corenet_sendrecv_isns_client_packets(iscsid_t) +@@ -85,21 +86,26 @@ corenet_sendrecv_isns_client_packets(iscsid_t) corenet_tcp_connect_isns_port(iscsid_t) corenet_tcp_sendrecv_isns_port(iscsid_t) @@ -32930,7 +35586,7 @@ index 3a00b3a..21efcc4 100644 + allow $1 kdump_unit_file_t:service all_service_perms; ') diff --git a/kdump.te b/kdump.te -index 70f3007..f8b68bf 100644 +index 70f3007..58bd992 100644 --- a/kdump.te +++ b/kdump.te @@ -1,4 +1,4 @@ 
@@ -32939,7 +35595,7 @@ index 70f3007..f8b68bf 100644 ####################################### # -@@ -12,35 +12,55 @@ init_system_domain(kdump_t, kdump_exec_t) +@@ -12,35 +12,56 @@ init_system_domain(kdump_t, kdump_exec_t) type kdump_etc_t; files_config_file(kdump_etc_t) @@ -32977,13 +35633,14 @@ index 70f3007..f8b68bf 100644 +manage_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t) +manage_lnk_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t) +files_var_filetrans(kdump_t, kdump_crash_t, dir, "crash") -+ -+read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t) -allow kdump_t kdump_etc_t:file read_file_perms; ++read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t) ++ +manage_dirs_pattern(kdump_t, kdump_lock_t, kdump_lock_t) +manage_files_pattern(kdump_t, kdump_lock_t, kdump_lock_t) -+files_lock_filetrans(kdump_t, kdump_lock_t, { dir file }) ++manage_lnk_files_pattern(kdump_t, kdump_lock_t, kdump_lock_t) ++files_lock_filetrans(kdump_t, kdump_lock_t, { dir file lnk_file }) -files_read_etc_files(kdump_t) files_read_etc_runtime_files(kdump_t) @@ -33000,7 +35657,7 @@ index 70f3007..f8b68bf 100644 dev_read_framebuffer(kdump_t) dev_read_sysfs(kdump_t) -@@ -48,22 +68,32 @@ term_use_console(kdump_t) +@@ -48,22 +69,35 @@ term_use_console(kdump_t) ####################################### # 
@@ -33014,12 +35671,14 @@ index 70f3007..f8b68bf 100644 + allow kdumpctl_t self:capability { dac_override sys_chroot }; allow kdumpctl_t self:process setfscreate; --allow kdumpctl_t self:fifo_file rw_fifo_file_perms; ++ + allow kdumpctl_t self:fifo_file rw_fifo_file_perms; -allow kdumpctl_t self:unix_stream_socket { accept listen }; ++allow kdumpctl_t self:unix_stream_socket create_stream_socket_perms; -allow kdumpctl_t kdump_etc_t:file read_file_perms; -+allow kdumpctl_t self:fifo_file rw_fifo_file_perms; -+allow kdumpctl_t self:unix_stream_socket create_stream_socket_perms; ++manage_files_pattern(kdumpctl_t, kdump_lock_t, kdump_lock_t) ++files_lock_filetrans(kdumpctl_t, kdump_lock_t, file, "kdump") manage_dirs_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t) +manage_chr_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t) @@ -33038,7 +35697,7 @@ index 70f3007..f8b68bf 100644 kernel_read_system_state(kdumpctl_t) -@@ -71,46 +101,56 @@ corecmd_exec_bin(kdumpctl_t) +@@ -71,46 +105,56 @@ corecmd_exec_bin(kdumpctl_t) corecmd_exec_shell(kdumpctl_t) dev_read_sysfs(kdumpctl_t) @@ -33135,7 +35794,7 @@ index 182ab8b..8b1d9c2 100644 +') + diff --git a/kdumpgui.te b/kdumpgui.te -index e7f5c81..8c75bc8 100644 +index e7f5c81..12ff296 100644 --- a/kdumpgui.te +++ b/kdumpgui.te @@ -1,83 +1,92 @@ @@ -33251,7 +35910,7 @@ index e7f5c81..8c75bc8 100644 ') optional_policy(` -@@ -87,4 +96,10 @@ optional_policy(` +@@ -87,4 +96,24 @@ optional_policy(` optional_policy(` kdump_manage_config(kdumpgui_t) kdump_initrc_domtrans(kdumpgui_t) 
@@ -33261,12 +35920,180 @@ index e7f5c81..8c75bc8 100644 + +optional_policy(` + policykit_dbus_chat(kdumpgui_t) ++') ++ ++optional_policy(` ++ ifdef(`hide_broken_symptoms',` ++ # systemd bug ++ init_enable_services(kdumpgui_t) ++ init_disable_services(kdumpgui_t) ++ init_reload_services(kdumpgui_t) ++ ') ++') ++ ++ ++optional_policy(` ++ unconfined_domain(kdumpgui_t) ') +diff --git a/keepalived.fc b/keepalived.fc +new file mode 100644 +index 0000000..7e6f8be +--- /dev/null ++++ b/keepalived.fc +@@ -0,0 +1,5 @@ ++/usr/lib/systemd/system/keepalived.* -- gen_context(system_u:object_r:keepalived_unit_file_t,s0) ++ ++/usr/sbin/keepalived -- gen_context(system_u:object_r:keepalived_exec_t,s0) ++ ++/var/run/keepalived.* -- gen_context(system_u:object_r:keepalived_var_run_t,s0) +diff --git a/keepalived.if b/keepalived.if +new file mode 100644 +index 0000000..0d61849 +--- /dev/null ++++ b/keepalived.if +@@ -0,0 +1,84 @@ ++ ++## keepalived - load-balancing and high-availability service ++ ++######################################## ++## ++## Execute keepalived in the keepalived domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`keepalived_domtrans',` ++ gen_require(` ++ type keepalived_t, keepalived_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, keepalived_exec_t, keepalived_t) ++') ++######################################## ++## ++## Execute keepalived server in the keepalived domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`keepalived_systemctl',` ++ gen_require(` ++ type keepalived_t; ++ type keepalived_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 keepalived_unit_file_t:file read_file_perms; ++ allow $1 keepalived_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, keepalived_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an keepalived environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`keepalived_admin',` ++ gen_require(` ++ type keepalived_t; ++ type keepalived_unit_file_t; ++ ') ++ ++ allow $1 keepalived_t:process { signal_perms }; ++ ps_process_pattern($1, keepalived_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 keepalived_t:process ptrace; ++ ') ++ ++ keepalived_systemctl($1) ++ admin_pattern($1, keepalived_unit_file_t) ++ allow $1 keepalived_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/keepalived.te b/keepalived.te +new file mode 100644 +index 0000000..535f79b +--- /dev/null ++++ b/keepalived.te +@@ -0,0 +1,47 @@ ++policy_module(keepalived, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type keepalived_t; ++type keepalived_exec_t; ++init_daemon_domain(keepalived_t, keepalived_exec_t) ++ ++type keepalived_unit_file_t; ++systemd_unit_file(keepalived_unit_file_t) ++ ++type keepalived_var_run_t; ++files_pid_file(keepalived_var_run_t) ++ ++######################################## ++# ++# keepalived local policy ++# ++allow keepalived_t self:capability { net_admin net_raw }; ++allow keepalived_t self:process { signal_perms }; ++allow keepalived_t self:netlink_socket create_socket_perms; ++allow keepalived_t self:netlink_route_socket nlmsg_write; ++allow keepalived_t 
self:packet_socket create_socket_perms; ++allow keepalived_t self:rawip_socket create_socket_perms; ++ ++ ++manage_files_pattern(keepalived_t, keepalived_var_run_t, keepalived_var_run_t) ++files_pid_filetrans(keepalived_t, keepalived_var_run_t, { file }) ++ ++kernel_read_system_state(keepalived_t) ++kernel_read_network_state(keepalived_t) ++ ++auth_use_nsswitch(keepalived_t) ++ ++corenet_tcp_connect_connlcli_port(keepalived_t) ++corenet_tcp_connect_http_port(keepalived_t) ++corenet_tcp_connect_smtp_port(keepalived_t) ++ ++dev_read_urand(keepalived_t) ++ ++modutils_domtrans_insmod(keepalived_t) ++ ++logging_send_syslog_msg(keepalived_t) ++ diff --git a/kerberos.fc b/kerberos.fc -index 4fe75fd..8c702c9 100644 +index 4fe75fd..b029c28 100644 --- a/kerberos.fc +++ b/kerberos.fc -@@ -1,52 +1,44 @@ +@@ -1,52 +1,46 @@ -HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) -/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) +HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0) 
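Review bot: `unconfined_domain(kdumpgui_t)` at the end of the kdumpgui.te hunk makes the domain unconfined, which renders every other rule kept or added for `kdumpgui_t` in this commit (the `policykit_dbus_chat`, the `init_*_services` workaround) decorative, and unlike the adjacent `ifdef(`hide_broken_symptoms'` block it carries no comment saying why or whether it is temporary. If it is a stopgap, mark it as such with the tracking reference, e.g. `# TODO: temporary until the kdumpgui policy is complete (ref: <bug id>)`; if it is permanent, the confined rules above it should be dropped rather than maintained. In the new `keepalived.if`, the `keepalived_domtrans` summary has `domin` for `domain` and `keepalived_admin` says `an keepalived environment`; `keepalived_domtrans` is also not followed by a blank line before the next banner.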
@@ -33300,25 +36127,33 @@ index 4fe75fd..8c702c9 100644 -/usr/local/kerberos/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) -/usr/local/kerberos/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) -- ++/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) ++/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) + -/usr/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) -/usr/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) -- ++/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) ++/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) ++/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) ++/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) ++/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0) + -/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) -/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) -- ++/var/log/krb5kdc\.log.* gen_context(system_u:object_r:krb5kdc_log_t,s0) ++/var/log/kadmin(d)?\.log.* gen_context(system_u:object_r:kadmind_log_t,s0) + -/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) -+/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) - /usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) +-/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) ++/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0) -/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0) -- ++/var/run/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_var_run_t,s0) + -/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) -+/var/kerberos/krb5kdc(/.*)? 
gen_context(system_u:object_r:krb5kdc_conf_t,s0) - /var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) +-/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) -/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) -+/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) - /var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) +-/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) -/var/kerberos/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0) - -/var/log/krb5kdc\.log.* -- gen_context(system_u:object_r:krb5kdc_log_t,s0) @@ -33333,13 +36168,6 @@ index 4fe75fd..8c702c9 100644 -/var/tmp/ldapmap1_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) -/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) -/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) -+/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0) -+ -+/var/log/krb5kdc\.log.* gen_context(system_u:object_r:krb5kdc_log_t,s0) -+/var/log/kadmin(d)?\.log.* gen_context(system_u:object_r:kadmind_log_t,s0) -+ -+/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0) -+ +/var/tmp/DNS_25 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) @@ -33350,7 +36178,7 @@ index 4fe75fd..8c702c9 100644 +/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) +/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --git a/kerberos.if b/kerberos.if -index f9de9fc..11e6268 100644 +index f9de9fc..b573f79 100644 --- a/kerberos.if +++ b/kerberos.if @@ -1,27 +1,29 @@ 
@@ -33623,12 +36451,13 @@ index f9de9fc..11e6268 100644 ## -## Create, read, write, and delete -## kerberos key table files. --## --## --## --## Domain allowed access. --## --## ++## Create keytab file in /etc + ## + ## + ## + ## Domain allowed access. + ## + ## -# -interface(`kerberos_manage_keytab_files',` - gen_require(` @@ -33644,13 +36473,12 @@ index f9de9fc..11e6268 100644 -## Create specified objects in generic -## etc directories with the kerberos -## keytab file type. -+## Create keytab file in /etc - ## - ## - ## - ## Domain allowed access. - ## - ## +-## +-## +-## +-## Domain allowed access. +-## +-## -## -## -## Class of the object being created. @@ -33676,16 +36504,20 @@ index f9de9fc..11e6268 100644 ## ## ## -@@ -354,21 +255,15 @@ interface(`kerberos_etc_filetrans_keytab',` +@@ -354,21 +255,21 @@ interface(`kerberos_etc_filetrans_keytab',` ## # template(`kerberos_keytab_template',` -- ++ gen_require(` ++ attribute kerberos_keytab_domain; ++ ') + - ######################################## - # - # Declarations - # -- ++ typeattribute $2 kerberos_keytab_domain; + type $1_keytab_t; files_type($1_keytab_t) 
@@ -33703,16 +36535,35 @@ index f9de9fc..11e6268 100644 kerberos_read_keytab($2) kerberos_use($2) -@@ -376,7 +271,7 @@ template(`kerberos_keytab_template',` +@@ -376,7 +277,26 @@ template(`kerberos_keytab_template',` ######################################## ## -## Read kerberos kdc configuration files. +## Read the kerberos kdc configuration file (/etc/krb5kdc.conf). ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`kerberos_keytab_domains',` ++ gen_require(` ++ attribute kerberos_keytab_domain; ++ ') ++ ++ typeattribute $1 kerberos_keytab_domain; ++') ++ ++######################################## ++## ++## Read the kerberos kdc configuration file (/etc/krb5kdc.conf). ## ## ## -@@ -396,8 +291,7 @@ interface(`kerberos_read_kdc_config',` +@@ -396,8 +316,7 @@ interface(`kerberos_read_kdc_config',` ######################################## ## @@ -33722,7 +36573,7 @@ index f9de9fc..11e6268 100644 ## ## ## -@@ -411,34 +305,99 @@ interface(`kerberos_manage_host_rcache',` +@@ -411,34 +330,99 @@ interface(`kerberos_manage_host_rcache',` type krb5_host_rcache_t; ') @@ -33830,7 +36681,7 @@ index f9de9fc..11e6268 100644 ## ## ## -@@ -452,12 +411,13 @@ interface(`kerberos_tmp_filetrans_host_rcache',` +@@ -452,12 +436,13 @@ interface(`kerberos_tmp_filetrans_host_rcache',` type krb5_host_rcache_t; ') @@ -33846,7 +36697,7 @@ index f9de9fc..11e6268 100644 ## ## ## -@@ -465,82 +425,85 @@ interface(`kerberos_tmp_filetrans_host_rcache',` +@@ -465,82 +450,85 @@ interface(`kerberos_tmp_filetrans_host_rcache',` ## ## # @@ -33987,7 +36838,7 @@ index f9de9fc..11e6268 100644 + kerberos_tmp_filetrans_host_rcache($1, "ldap_55") ') diff --git a/kerberos.te b/kerberos.te -index 3465a9a..353c4ce 100644 +index 3465a9a..31ad037 100644 --- a/kerberos.te +++ b/kerberos.te @@ -1,4 +1,4 @@ 
@@ -33996,7 +36847,7 @@ index 3465a9a..353c4ce 100644 ######################################## # -@@ -6,11 +6,11 @@ policy_module(kerberos, 1.11.7) +@@ -6,11 +6,13 @@ policy_module(kerberos, 1.11.7) # ## @@ -34009,10 +36860,12 @@ index 3465a9a..353c4ce 100644 ## -gen_tunable(allow_kerberos, false) +gen_tunable(kerberos_enabled, false) ++ ++attribute kerberos_keytab_domain; type kadmind_t; type kadmind_exec_t; -@@ -35,23 +35,27 @@ init_daemon_domain(kpropd_t, kpropd_exec_t) +@@ -35,23 +37,27 @@ init_daemon_domain(kpropd_t, kpropd_exec_t) domain_obj_id_change_exemption(kpropd_t) type krb5_conf_t; @@ -34038,13 +36891,13 @@ index 3465a9a..353c4ce 100644 type krb5kdc_lock_t; -files_type(krb5kdc_lock_t) +files_lock_file(krb5kdc_lock_t) - + + +# types for KDC principal file(s) type krb5kdc_principal_t; files_type(krb5kdc_principal_t) -@@ -74,28 +78,31 @@ files_pid_file(krb5kdc_var_run_t) +@@ -74,28 +80,31 @@ files_pid_file(krb5kdc_var_run_t) # kadmind local policy # @@ -34082,7 +36935,7 @@ index 3465a9a..353c4ce 100644 manage_dirs_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t) manage_files_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t) files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir }) -@@ -103,13 +110,15 @@ files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir }) +@@ -103,13 +112,15 @@ files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir }) manage_files_pattern(kadmind_t, kadmind_var_run_t, kadmind_var_run_t) files_pid_filetrans(kadmind_t, kadmind_var_run_t, file) @@ -34101,7 +36954,7 @@ index 3465a9a..353c4ce 100644 corenet_all_recvfrom_netlabel(kadmind_t) corenet_tcp_sendrecv_generic_if(kadmind_t) corenet_udp_sendrecv_generic_if(kadmind_t) -@@ -119,31 +128,41 @@ corenet_tcp_sendrecv_all_ports(kadmind_t) +@@ -119,31 +130,41 @@ corenet_tcp_sendrecv_all_ports(kadmind_t) corenet_udp_sendrecv_all_ports(kadmind_t) corenet_tcp_bind_generic_node(kadmind_t) corenet_udp_bind_generic_node(kadmind_t) 
@@ -34148,7 +37001,7 @@ index 3465a9a..353c4ce 100644 sysnet_use_ldap(kadmind_t) userdom_dontaudit_use_unpriv_user_fds(kadmind_t) -@@ -154,6 +173,10 @@ optional_policy(` +@@ -154,11 +175,16 @@ optional_policy(` ') optional_policy(` @@ -34159,7 +37012,13 @@ index 3465a9a..353c4ce 100644 nis_use_ypbind(kadmind_t) ') -@@ -174,24 +197,27 @@ optional_policy(` + optional_policy(` + sssd_read_public_files(kadmind_t) ++ sssd_stream_connect(kadmind_t) + ') + + optional_policy(` +@@ -174,24 +200,27 @@ optional_policy(` # Krb5kdc local policy # @@ -34191,12 +37050,17 @@ index 3465a9a..353c4ce 100644 logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file) allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms; -@@ -203,54 +229,53 @@ files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir }) - manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t) - files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file) +@@ -201,71 +230,76 @@ manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) + files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir }) --can_exec(krb5kdc_t, krb5kdc_exec_t) + manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t) +-files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file) - +-can_exec(krb5kdc_t, krb5kdc_exec_t) ++manage_sock_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t) ++manage_dirs_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t) ++files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, { dir file sock_file }) + kernel_read_system_state(krb5kdc_t) kernel_read_kernel_sysctls(krb5kdc_t) +kernel_list_proc(krb5kdc_t) @@ -34257,7 +37121,14 @@ index 3465a9a..353c4ce 100644 sysnet_use_ldap(krb5kdc_t) userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t) -@@ -261,11 +286,11 @@ optional_policy(` + userdom_dontaudit_search_user_home_dirs(krb5kdc_t) + + optional_policy(` ++ ipa_stream_connect_otpd(krb5kdc_t) ++') ++ ++optional_policy(` + ldap_stream_connect(krb5kdc_t) ') optional_policy(` 
@@ -34271,7 +37142,7 @@ index 3465a9a..353c4ce 100644 ') optional_policy(` -@@ -273,6 +298,10 @@ optional_policy(` +@@ -273,6 +307,10 @@ optional_policy(` ') optional_policy(` @@ -34282,7 +37153,7 @@ index 3465a9a..353c4ce 100644 udev_read_db(krb5kdc_t) ') -@@ -281,10 +310,12 @@ optional_policy(` +@@ -281,10 +319,12 @@ optional_policy(` # kpropd local policy # @@ -34298,7 +37169,7 @@ index 3465a9a..353c4ce 100644 allow kpropd_t krb5_host_rcache_t:file manage_file_perms; -@@ -303,26 +334,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) +@@ -303,28 +343,37 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir }) corecmd_exec_bin(kpropd_t) @@ -34326,6 +37197,23 @@ index 3465a9a..353c4ce 100644 seutil_read_file_contexts(kpropd_t) sysnet_dns_name_resolve(kpropd_t) + + kerberos_use(kpropd_t) ++ ++ ++######################################## ++# ++# kerberos keytab domain local policy ++# ++ ++#until we get sssd fix ++allow kerberos_keytab_domain kerberos_keytab_domain:key manage_key_perms; ++ ++userdom_manage_all_users_keys(kerberos_keytab_domain) ++ ++optional_policy(` ++ sssd_manage_keys(kerberos_keytab_domain) ++') diff --git a/kerneloops.if b/kerneloops.if index 714448f..fa0c994 100644 --- a/kerneloops.if @@ -35033,7 +37921,7 @@ index 19777b8..55d1556 100644 + ') +') diff --git a/ktalk.te b/ktalk.te -index 2cf3815..a43a4f6 100644 +index 2cf3815..f932c32 100644 --- a/ktalk.te +++ b/ktalk.te @@ -7,11 +7,15 @@ policy_module(ktalk, 1.8.1) @@ -35052,7 +37940,7 @@ index 2cf3815..a43a4f6 100644 type ktalkd_tmp_t; files_tmp_file(ktalkd_tmp_t) -@@ -35,16 +39,24 @@ kernel_read_kernel_sysctls(ktalkd_t) +@@ -35,11 +39,21 @@ kernel_read_kernel_sysctls(ktalkd_t) kernel_read_system_state(ktalkd_t) kernel_read_network_state(ktalkd_t) 
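Review bot: The new "kerberos keytab domain local policy" block at the end of kerberos.te gives every domain carrying `kerberos_keytab_domain` key management over every other keytab domain (`allow kerberos_keytab_domain kerberos_keytab_domain:key manage_key_perms;`) and over all users' keyrings (`userdom_manage_all_users_keys(kerberos_keytab_domain)`), so a compromise of any one keytab-using service reaches credentials held by the others. The only explanation is `#until we get sssd fix`, which does not say what sssd needs or how the rule is meant to be narrowed later. Please expand it to something like `# WORKAROUND: sssd currently needs keytab domains to manage keys in other domains' and users' keyrings; tracked in <TRACKER-ID placeholder>. Narrow to self:key plus sssd_manage_keys once fixed.` so the broad grant is not mistaken for intended policy. Whether `self:key` plus the sssd interface would actually suffice is inferred from the comment, not verified here.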
@@ -35075,11 +37963,13 @@ index 2cf3815..a43a4f6 100644 auth_use_nsswitch(ktalkd_t) - init_read_utmp(ktalkd_t) +@@ -47,4 +61,5 @@ init_read_utmp(ktalkd_t) logging_send_syslog_msg(ktalkd_t) -- + -miscfiles_read_localization(ktalkd_t) ++userdom_use_user_ptys(ktalkd_t) ++userdom_use_user_ttys(ktalkd_t) diff --git a/kudzu.if b/kudzu.if index 5297064..6ba8108 100644 --- a/kudzu.if @@ -35148,7 +38038,7 @@ index d5d1572..82267a7 100644 /var/run/.*l2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0) /var/run/prol2tpd\.ctl -s gen_context(system_u:object_r:l2tpd_var_run_t,s0) diff --git a/l2tp.if b/l2tp.if -index 73e2803..2fc7570 100644 +index 73e2803..34ca3aa 100644 --- a/l2tp.if +++ b/l2tp.if @@ -1,9 +1,45 @@ @@ -35352,7 +38242,7 @@ index 73e2803..2fc7570 100644 ## ## ## -@@ -77,22 +224,26 @@ interface(`l2tpd_stream_connect',` +@@ -77,16 +224,20 @@ interface(`l2tpd_stream_connect',` ## ## # @@ -35360,8 +38250,7 @@ index 73e2803..2fc7570 100644 +interface(`l2tpd_admin',` gen_require(` type l2tpd_t, l2tpd_initrc_exec_t, l2tpd_var_run_t; -- type l2tp_conf_t, l2tpd_tmp_t; -+ type l2tp_etc_t, l2tpd_tmp_t; + type l2tp_conf_t, l2tpd_tmp_t; ') - allow $1 l2tpd_t:process { ptrace signal_perms }; @@ -35377,13 +38266,6 @@ index 73e2803..2fc7570 100644 domain_system_change_exemption($1) role_transition $2 l2tpd_initrc_exec_t system_r; allow $2 system_r; - - files_search_etc($1) -- admin_pattern($1, l2tp_conf_t) -+ admin_pattern($1, l2tp_etc_t) - - files_search_pids($1) - admin_pattern($1, l2tpd_var_run_t) diff --git a/l2tp.te b/l2tp.te index 19f2b97..bbbda10 100644 --- a/l2tp.te @@ -35486,7 +38368,7 @@ index bc25c95..6692d91 100644 +/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0) +/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0) diff --git a/ldap.if b/ldap.if -index ee0c7cc..c54e3d2 100644 +index ee0c7cc..4ac8f2d 100644 --- a/ldap.if +++ b/ldap.if @@ -1,8 +1,68 @@ 
@@ -35594,7 +38476,7 @@ index ee0c7cc..c54e3d2 100644 ## ## ## -@@ -41,22 +119,27 @@ interface(`ldap_read_config',` +@@ -41,22 +119,29 @@ interface(`ldap_read_config',` ######################################## ## @@ -35616,7 +38498,9 @@ index ee0c7cc..c54e3d2 100644 + ') + + files_search_etc($1) ++ allow $1 slapd_cert_t:dir list_dir_perms; + read_files_pattern($1, slapd_cert_t, slapd_cert_t) ++ read_lnk_files_pattern($1, slapd_cert_t, slapd_cert_t) ') ######################################## @@ -35627,7 +38511,7 @@ index ee0c7cc..c54e3d2 100644 ## ## ## -@@ -64,18 +147,13 @@ interface(`ldap_use',` +@@ -64,18 +149,13 @@ interface(`ldap_use',` ## ## # @@ -35649,7 +38533,7 @@ index ee0c7cc..c54e3d2 100644 ## ## ## -@@ -83,21 +161,19 @@ interface(`ldap_stream_connect',` +@@ -83,21 +163,19 @@ interface(`ldap_stream_connect',` ## ## # @@ -35677,7 +38561,7 @@ index ee0c7cc..c54e3d2 100644 ##
## ## -@@ -106,7 +182,7 @@ interface(`ldap_tcp_connect',` +@@ -106,7 +184,7 @@ interface(`ldap_tcp_connect',` ## ## ## @@ -35686,7 +38570,7 @@ index ee0c7cc..c54e3d2 100644 ## ## ## -@@ -115,28 +191,28 @@ interface(`ldap_admin',` +@@ -115,28 +193,28 @@ interface(`ldap_admin',` gen_require(` type slapd_t, slapd_tmp_t, slapd_replog_t; type slapd_lock_t, slapd_etc_t, slapd_var_run_t; @@ -35724,7 +38608,7 @@ index ee0c7cc..c54e3d2 100644 admin_pattern($1, slapd_replog_t) files_list_tmp($1) -@@ -144,4 +220,8 @@ interface(`ldap_admin',` +@@ -144,4 +222,8 @@ interface(`ldap_admin',` files_list_pids($1) admin_pattern($1, slapd_var_run_t) @@ -35734,7 +38618,7 @@ index ee0c7cc..c54e3d2 100644 + allow $1 slapd_unit_file_t:service all_service_perms; ') diff --git a/ldap.te b/ldap.te -index d7d9b09..562c288 100644 +index d7d9b09..d0fdb7c 100644 --- a/ldap.te +++ b/ldap.te @@ -21,6 +21,9 @@ files_config_file(slapd_etc_t) 
@@ -35747,7 +38631,27 @@ index d7d9b09..562c288 100644 type slapd_lock_t; files_lock_file(slapd_lock_t) -@@ -88,7 +91,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file }) +@@ -46,7 +49,7 @@ files_pid_file(slapd_var_run_t) + + allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search }; + dontaudit slapd_t self:capability sys_tty_config; +-allow slapd_t self:process setsched; ++allow slapd_t self:process { setsched signal } ; + allow slapd_t self:fifo_file rw_fifo_file_perms; + allow slapd_t self:tcp_socket { accept listen }; + +@@ -64,9 +67,7 @@ allow slapd_t slapd_lock_t:file manage_file_perms; + files_lock_filetrans(slapd_t, slapd_lock_t, file) + + manage_dirs_pattern(slapd_t, slapd_log_t, slapd_log_t) +-append_files_pattern(slapd_t, slapd_log_t, slapd_log_t) +-create_files_pattern(slapd_t, slapd_log_t, slapd_log_t) +-setattr_files_pattern(slapd_t, slapd_log_t, slapd_log_t) ++manage_files_pattern(slapd_t, slapd_log_t, slapd_log_t) + logging_log_filetrans(slapd_t, slapd_log_t, { file dir }) + + manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t) +@@ -88,7 +89,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file }) kernel_read_system_state(slapd_t) kernel_read_kernel_sysctls(slapd_t) @@ -35755,7 +38659,7 @@ index d7d9b09..562c288 100644 corenet_all_recvfrom_netlabel(slapd_t) corenet_tcp_sendrecv_generic_if(slapd_t) corenet_tcp_sendrecv_generic_node(slapd_t) -@@ -110,25 +112,23 @@ fs_getattr_all_fs(slapd_t) +@@ -110,25 +110,23 @@ fs_getattr_all_fs(slapd_t) fs_search_auto_mountpoints(slapd_t) files_read_etc_runtime_files(slapd_t) @@ -36176,7 +39080,7 @@ index d18c960..fb5b674 100644 domain_system_change_exemption($1) role_transition $2 lldpad_initrc_exec_t system_r; diff --git a/lldpad.te b/lldpad.te -index 648def0..b17392a 100644 +index 648def0..07f58a5 100644 --- a/lldpad.te +++ b/lldpad.te @@ -26,7 +26,7 @@ files_pid_file(lldpad_var_run_t) 
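Review bot: In the ldap.te hunk `@@ -64,9 +67,7 @@`, replacing `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` on `slapd_log_t` with `manage_files_pattern(slapd_t, slapd_log_t, slapd_log_t)` also grants write (truncate), unlink and rename, so slapd can now overwrite or delete its own log trail instead of only appending to it. If slapd genuinely needs more than append/create (for example because it rotates its own logs), a comment stating which operation was denied would justify the widening; otherwise the previous narrower rules are the safer choice. Separately, `allow slapd_t self:process { setsched signal } ;` has a stray space before the semicolon; `allow slapd_t self:process { setsched signal };` matches the rest of the file.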
@@ -36188,7 +39092,7 @@ index 648def0..b17392a 100644 allow lldpad_t self:shm create_shm_perms; allow lldpad_t self:fifo_file rw_fifo_file_perms; allow lldpad_t self:unix_stream_socket { accept listen }; -@@ -51,11 +51,9 @@ kernel_request_load_module(lldpad_t) +@@ -51,12 +51,14 @@ kernel_request_load_module(lldpad_t) dev_read_sysfs(lldpad_t) @@ -36201,6 +39105,11 @@ index 648def0..b17392a 100644 optional_policy(` fcoe_dgram_send_fcoemon(lldpad_t) + ') ++ ++optional_policy(` ++ networkmanager_dgram_send(lldpad_t) ++') diff --git a/loadkeys.te b/loadkeys.te index 6cbb977..bd5406a 100644 --- a/loadkeys.te @@ -36342,10 +39251,10 @@ index dd8e01a..9cd6b0b 100644 ## ## diff --git a/logrotate.te b/logrotate.te -index 7bab8e5..b88bbf3 100644 +index 7bab8e5..f8c5464 100644 --- a/logrotate.te +++ b/logrotate.te -@@ -1,20 +1,18 @@ +@@ -1,20 +1,26 @@ -policy_module(logrotate, 1.14.5) +policy_module(logrotate, 1.14.0) @@ -36356,7 +39265,14 @@ index 7bab8e5..b88bbf3 100644 -attribute_role logrotate_roles; -roleattribute system_r logrotate_roles; -- ++## ++##

++## Allow logrotate to manage nfs files ++##

++##
++gen_tunable(logrotate_use_nfs, false) ++ + type logrotate_t; -type logrotate_exec_t; domain_type(logrotate_t) @@ -36370,7 +39286,7 @@ index 7bab8e5..b88bbf3 100644 type logrotate_lock_t; files_lock_file(logrotate_lock_t) -@@ -25,21 +23,27 @@ files_tmp_file(logrotate_tmp_t) +@@ -25,21 +31,27 @@ files_tmp_file(logrotate_tmp_t) type logrotate_var_lib_t; files_type(logrotate_var_lib_t) @@ -36404,7 +39320,7 @@ index 7bab8e5..b88bbf3 100644 allow logrotate_t self:shm create_shm_perms; allow logrotate_t self:sem create_sem_perms; allow logrotate_t self:msgq create_msgq_perms; -@@ -48,79 +52,94 @@ allow logrotate_t self:msg { send receive }; +@@ -48,79 +60,99 @@ allow logrotate_t self:msg { send receive }; allow logrotate_t logrotate_lock_t:file manage_file_perms; files_lock_filetrans(logrotate_t, logrotate_lock_t, file) @@ -36510,7 +39426,11 @@ index 7bab8e5..b88bbf3 100644 +userdom_dontaudit_getattr_user_home_content(logrotate_t) -mta_sendmail_domtrans(logrotate_t, logrotate_mail_t) -- ++tunable_policy(`logrotate_use_nfs',` ++ fs_read_nfs_files(logrotate_t) ++ fs_read_nfs_symlinks(logrotate_t) ++') + -ifdef(`distro_debian',` +ifdef(`distro_debian', ` allow logrotate_t logrotate_tmp_t:file relabel_file_perms; @@ -36526,7 +39446,7 @@ index 7bab8e5..b88bbf3 100644 ') optional_policy(` -@@ -135,16 +154,17 @@ optional_policy(` +@@ -135,16 +167,17 @@ optional_policy(` optional_policy(` apache_read_config(logrotate_t) @@ -36546,7 +39466,18 @@ index 7bab8e5..b88bbf3 100644 ') optional_policy(` -@@ -178,7 +198,7 @@ optional_policy(` +@@ -170,6 +203,10 @@ optional_policy(` + ') + + optional_policy(` ++ dbus_system_bus_client(logrotate_t) ++') ++ ++optional_policy(` + fail2ban_stream_connect(logrotate_t) + ') + +@@ -178,7 +215,7 @@ optional_policy(` ') optional_policy(` @@ -36555,7 +39486,7 @@ index 7bab8e5..b88bbf3 100644 ') optional_policy(` -@@ -198,21 +218,26 @@ optional_policy(` +@@ -198,21 +235,26 @@ optional_policy(` ') optional_policy(` 
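Review bot: The new tunable description in the logrotate.te hunk `@@ -1,20 +1,26 @@` says `## Allow logrotate to manage nfs files`, but the `logrotate_use_nfs` tunable_policy block added in hunk `@@ -48,79 +60,99 @@` only grants `fs_read_nfs_files(logrotate_t)` and `fs_read_nfs_symlinks(logrotate_t)`. Either the description should say read, e.g. `## Allow logrotate to read nfs files`, or the policy is missing the manage rules the description promises; since the boolean is off by default, documenting the narrower read-only access is the safer fix. An administrator enabling a boolean labelled "manage" would otherwise expect rotation to work over NFS, not just reads.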
@@ -36569,24 +39500,24 @@ index 7bab8e5..b88bbf3 100644 - openvswitch_read_pid_files(logrotate_t) - openvswitch_domtrans(logrotate_t) + polipo_named_filetrans_log_files(logrotate_t) -+') -+ -+optional_policy(` -+ psad_domtrans(logrotate_t) ') optional_policy(` - polipo_log_filetrans_log(logrotate_t, file, "polipo") -+ rabbitmq_domtrans_beam(logrotate_t) ++ psad_domtrans(logrotate_t) ') optional_policy(` - psad_domtrans(logrotate_t) ++ rabbitmq_domtrans_beam(logrotate_t) ++') ++ ++optional_policy(` + raid_domtrans_mdadm(logrotate_t) ') optional_policy(` -@@ -228,10 +253,20 @@ optional_policy(` +@@ -228,10 +270,21 @@ optional_policy(` ') optional_policy(` @@ -36600,6 +39531,7 @@ index 7bab8e5..b88bbf3 100644 + +optional_policy(` squid_domtrans(logrotate_t) ++ squid_read_config(logrotate_t) ') optional_policy(` @@ -36607,7 +39539,7 @@ index 7bab8e5..b88bbf3 100644 su_exec(logrotate_t) ') -@@ -241,13 +276,11 @@ optional_policy(` +@@ -241,13 +294,11 @@ optional_policy(` ####################################### # @@ -36627,7 +39559,7 @@ index 7bab8e5..b88bbf3 100644 logging_read_all_logs(logrotate_mail_t) +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t) diff --git a/logwatch.te b/logwatch.te -index 4256a4c..30e3cd2 100644 +index 4256a4c..7569cd9 100644 --- a/logwatch.te +++ b/logwatch.te @@ -5,9 +5,17 @@ policy_module(logwatch, 1.11.6) @@ -36687,19 +39619,20 @@ index 4256a4c..30e3cd2 100644 mta_sendmail_domtrans(logwatch_t, logwatch_mail_t) mta_getattr_spool(logwatch_t) -@@ -137,6 +146,11 @@ optional_policy(` +@@ -137,6 +146,12 @@ optional_policy(` ') optional_policy(` + raid_domtrans_mdadm(logwatch_t) + raid_access_check_mdadm(logwatch_t) ++ raid_read_conf_files(logwatch_t) +') + +optional_policy(` rpc_search_nfs_state_data(logwatch_t) ') -@@ -145,6 +159,13 @@ optional_policy(` +@@ -145,6 +160,13 @@ optional_policy(` samba_read_share_files(logwatch_t) ') 
@@ -36713,7 +39646,7 @@ index 4256a4c..30e3cd2 100644 ######################################## # # Mail local policy -@@ -164,6 +185,12 @@ dev_read_sysfs(logwatch_mail_t) +@@ -164,6 +186,17 @@ dev_read_sysfs(logwatch_mail_t) logging_read_all_logs(logwatch_mail_t) @@ -36726,6 +39659,11 @@ index 4256a4c..30e3cd2 100644 +optional_policy(` + courier_stream_connect_authdaemon(logwatch_mail_t) +') ++ ++optional_policy(` ++ qmail_domtrans_inject(logwatch_mail_t) ++ qmail_domtrans_queue(logwatch_mail_t) ++') diff --git a/lpd.fc b/lpd.fc index 2fb9b2e..08974e3 100644 --- a/lpd.fc @@ -36739,7 +39677,7 @@ index 2fb9b2e..08974e3 100644 /usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0) diff --git a/lpd.if b/lpd.if -index 6256371..7826e38 100644 +index 6256371..ce2acb8 100644 --- a/lpd.if +++ b/lpd.if @@ -1,44 +1,49 @@ @@ -36864,7 +39802,12 @@ index 6256371..7826e38 100644 ##
## ## -@@ -153,7 +155,7 @@ interface(`lpd_manage_spool',` +@@ -149,11 +151,12 @@ interface(`lpd_manage_spool',` + manage_dirs_pattern($1, print_spool_t, print_spool_t) + manage_files_pattern($1, print_spool_t, print_spool_t) + manage_lnk_files_pattern($1, print_spool_t, print_spool_t) ++ manage_fifo_files_pattern($1, print_spool_t, print_spool_t) + ') ######################################## ## @@ -36873,7 +39816,7 @@ index 6256371..7826e38 100644 ## ## ## -@@ -172,7 +174,7 @@ interface(`lpd_relabel_spool',` +@@ -172,7 +175,7 @@ interface(`lpd_relabel_spool',` ######################################## ## @@ -36882,7 +39825,7 @@ index 6256371..7826e38 100644 ## ## ## -@@ -200,12 +202,11 @@ interface(`lpd_read_config',` +@@ -200,12 +203,11 @@ interface(`lpd_read_config',` ## ## # @@ -36896,7 +39839,7 @@ index 6256371..7826e38 100644 domtrans_pattern($1, lpr_exec_t, lpr_t) ') -@@ -237,7 +238,8 @@ interface(`lpd_run_lpr',` +@@ -237,7 +239,8 @@ interface(`lpd_run_lpr',` ######################################## ## @@ -36906,7 +39849,7 @@ index 6256371..7826e38 100644 ## ## ## -@@ -250,6 +252,5 @@ interface(`lpd_exec_lpr',` +@@ -250,6 +253,5 @@ interface(`lpd_exec_lpr',` type lpr_exec_t; ') @@ -37069,12 +40012,14 @@ index b9270f7..15f3748 100644 ') diff --git a/lsm.fc b/lsm.fc new file mode 100644 -index 0000000..81cd4e0 +index 0000000..d60293d --- /dev/null +++ b/lsm.fc -@@ -0,0 +1,5 @@ +@@ -0,0 +1,7 @@ +/usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0) + ++/usr/bin/.*_lsmplugin -- gen_context(system_u:object_r:lsmd_plugin_exec_t,s0) ++ +/usr/lib/systemd/system/libstoragemgmt.* -- gen_context(system_u:object_r:lsmd_unit_file_t,s0) + +/var/run/lsm(/.*)? gen_context(system_u:object_r:lsmd_var_run_t,s0) @@ -37185,16 +40130,23 @@ index 0000000..da30c5d +') diff --git a/lsm.te b/lsm.te new file mode 100644 -index 0000000..6611d9f +index 0000000..7e8fde0 --- /dev/null 
+++ b/lsm.te -@@ -0,0 +1,34 @@ +@@ -0,0 +1,90 @@ +policy_module(lsm, 1.0.0) + +######################################## +# +# Declarations +# ++## ++##

++## Determine whether lsmd_plugin can ++## connect to all TCP ports. ++##

++##
++gen_tunable(lsmd_plugin_connect_any, false) + +type lsmd_t; +type lsmd_exec_t; @@ -37206,6 +40158,14 @@ index 0000000..6611d9f +type lsmd_unit_file_t; +systemd_unit_file(lsmd_unit_file_t) + ++type lsmd_plugin_t; ++type lsmd_plugin_exec_t; ++application_domain(lsmd_plugin_t, lsmd_plugin_exec_t) ++role system_r types lsmd_plugin_t; ++ ++type lsmd_plugin_tmp_t; ++files_tmp_file(lsmd_plugin_tmp_t) ++ +######################################## +# +# lsmd local policy @@ -37223,6 +40183,47 @@ index 0000000..6611d9f +corecmd_exec_bin(lsmd_t) + +logging_send_syslog_msg(lsmd_t) ++ ++######################################## ++# ++# Local lsmd plugin policy ++# ++ ++allow lsmd_plugin_t self:udp_socket create_socket_perms; ++allow lsmd_plugin_t self:tcp_socket create_stream_socket_perms; ++ ++domtrans_pattern(lsmd_t, lsmd_plugin_exec_t, lsmd_plugin_t) ++allow lsmd_plugin_t lsmd_t:unix_stream_socket { read write }; ++ ++allow lsmd_t lsmd_plugin_exec_t:file read_file_perms; ++stream_connect_pattern(lsmd_plugin_t, lsmd_var_run_t, lsmd_var_run_t, lsmd_t) ++ ++manage_files_pattern(lsmd_plugin_t, lsmd_plugin_tmp_t, lsmd_plugin_tmp_t) ++manage_dirs_pattern(lsmd_plugin_t, lsmd_plugin_tmp_t, lsmd_plugin_tmp_t) ++files_tmp_filetrans(lsmd_plugin_t, lsmd_plugin_tmp_t, { file dir }) ++ ++tunable_policy(`lsmd_plugin_connect_any',` ++ corenet_tcp_connect_all_ports(lsmd_plugin_t) ++ corenet_sendrecv_all_packets(lsmd_plugin_t) ++ corenet_tcp_sendrecv_all_ports(lsmd_plugin_t) ++') ++ ++kernel_read_system_state(lsmd_plugin_t) ++ ++dev_read_urand(lsmd_plugin_t) ++ ++corecmd_exec_bin(lsmd_plugin_t) ++ ++corenet_tcp_connect_http_port(lsmd_plugin_t) ++corenet_tcp_connect_http_cache_port(lsmd_plugin_t) ++corenet_tcp_connect_ssh_port(lsmd_plugin_t) ++ ++init_stream_connect(lsmd_plugin_t) ++init_dontaudit_rw_stream_socket(lsmd_plugin_t) ++ ++logging_send_syslog_msg(lsmd_plugin_t) ++ ++sysnet_read_config(lsmd_plugin_t) diff --git a/mailman.fc b/mailman.fc index 7fa381b..bbe6b01 100644 --- a/mailman.fc 
@@ -37937,10 +40938,12 @@ index e08c55d..9e634bd 100644 + +') diff --git a/mandb.fc b/mandb.fc -index 2de0f64..3c24286 100644 +index 2de0f64..c127555 100644 --- a/mandb.fc +++ b/mandb.fc -@@ -1 +1,10 @@ +@@ -1 +1,12 @@ ++HOME_DIR/\.manpath -- gen_context(system_u:object_r:mandb_home_t,s0) ++ /etc/cron.daily/man-db\.cron -- gen_context(system_u:object_r:mandb_exec_t,s0) + +/usr/bin/mandb -- gen_context(system_u:object_r:mandb_exec_t,s0) @@ -37950,7 +40953,7 @@ index 2de0f64..3c24286 100644 + +/var/lock/man-db\.lock -- gen_context(system_u:object_r:mandb_lock_t,s0) + -+HOME_DIR/\.manpath -- gen_context(system_u:object_r:mandb_home_t,s0) ++/root/.manpath -- gen_context(system_u:object_r:mandb_home_t,s0) diff --git a/mandb.if b/mandb.if index 327f3f7..4f61561 100644 --- a/mandb.if @@ -38190,10 +41193,10 @@ index 327f3f7..4f61561 100644 + ') ') diff --git a/mandb.te b/mandb.te -index 5a414e0..7fee444 100644 +index 5a414e0..24f45a8 100644 --- a/mandb.te +++ b/mandb.te -@@ -10,28 +10,51 @@ roleattribute system_r mandb_roles; +@@ -10,28 +10,52 @@ roleattribute system_r mandb_roles; type mandb_t; type mandb_exec_t; @@ -38240,6 +41243,7 @@ index 5a414e0..7fee444 100644 -files_read_etc_files(mandb_t) +files_search_locks(mandb_t) ++files_dontaudit_search_all_mountpoints(mandb_t) miscfiles_manage_man_cache(mandb_t) +miscfiles_setattr_man_pages(mandb_t) @@ -38249,7 +41253,7 @@ index 5a414e0..7fee444 100644 ') + diff --git a/mcelog.if b/mcelog.if -index 9dbe694..ea89ab1 100644 +index 9dbe694..c73214d 100644 --- a/mcelog.if +++ b/mcelog.if @@ -19,6 +19,25 @@ interface(`mcelog_domtrans',` @@ -38268,11 +41272,11 @@ index 9dbe694..ea89ab1 100644 +# +interface(`mcelog_read_log',` + gen_require(` -+ type mcelog_var_log_t; ++ type mcelog_log_t; + ') + + logging_search_logs($1) -+ read_files_pattern($1, mcelog_var_log_t, mcelog_var_log_t) ++ read_files_pattern($1, mcelog_log_t, mcelog_log_t) +') + ######################################## 
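Review bot: In the mandb.fc hunk, the new entry `/root/.manpath -- gen_context(system_u:object_r:mandb_home_t,s0)` leaves the dot unescaped, unlike the `HOME_DIR/\.manpath` entry added above it; file_contexts patterns are regular expressions, so `.` matches any character and the rule is slightly wider than intended. It should be `/root/\.manpath -- gen_context(system_u:object_r:mandb_home_t,s0)`. The practical impact is small, but the two entries should agree.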
@@ -38287,7 +41291,7 @@ index 9dbe694..ea89ab1 100644 admin_pattern($1, mcelog_var_run_t) ') diff --git a/mcelog.te b/mcelog.te -index 13ea191..c146d9c 100644 +index 13ea191..2b4e761 100644 --- a/mcelog.te +++ b/mcelog.te @@ -36,13 +36,6 @@ gen_tunable(mcelog_foreground, false) @@ -38304,7 +41308,7 @@ index 13ea191..c146d9c 100644 type mcelog_t; type mcelog_exec_t; init_daemon_domain(mcelog_t, mcelog_exec_t) -@@ -84,17 +77,20 @@ files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file }) +@@ -84,17 +77,21 @@ files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file }) kernel_read_system_state(mcelog_t) @@ -38314,9 +41318,10 @@ index 13ea191..c146d9c 100644 dev_read_raw_memory(mcelog_t) dev_read_kmsg(mcelog_t) dev_rw_sysfs(mcelog_t) - --files_read_etc_files(mcelog_t) - +-files_read_etc_files(mcelog_t) ++dev_rw_cpu_microcode(mcelog_t) + mls_file_read_all_levels(mcelog_t) +auth_use_nsswitch(mcelog_t) @@ -38328,7 +41333,7 @@ index 13ea191..c146d9c 100644 tunable_policy(`mcelog_client',` allow mcelog_t self:unix_stream_socket connectto; -@@ -114,9 +110,6 @@ tunable_policy(`mcelog_server',` +@@ -114,9 +111,6 @@ tunable_policy(`mcelog_server',` allow mcelog_t self:unix_stream_socket { listen accept }; ') @@ -38464,10 +41469,10 @@ index 0000000..3f433f1 +') diff --git a/mcollective.te b/mcollective.te new file mode 100644 -index 0000000..a04dd6b +index 0000000..8bc27f4 --- /dev/null +++ b/mcollective.te -@@ -0,0 +1,29 @@ +@@ -0,0 +1,27 @@ +policy_module(mcollective, 1.0.0) + +######################################## @@ -38480,8 +41485,6 @@ index 0000000..a04dd6b +init_daemon_domain(mcollective_t, mcollective_exec_t) +cron_system_entry(mcollective_t, mcollective_exec_t) + -+permissive mcollective_t; -+ +type mcollective_etc_rw_t; +files_type(mcollective_etc_rw_t) + @@ -38913,10 +41916,10 @@ index cba62db..562833a 100644 + delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t) +') 
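Review bot: `dev_rw_cpu_microcode(mcelog_t)` in hunk `@@ -38314` adds write access to the CPU device type with no comment explaining why read is not enough. The same type presumably also covers the per-CPU MSR device nodes, and writing MSRs from a logging daemon is a much larger grant than decoding machine-check records needs; if a read-only interface to that type exists in the base devices.if shipped with this build, prefer it, otherwise add `# mcelog writes <WHICH-DEVICE> for <REASON> — confirm` above the line. mcelog's local policy section continues outside the hunk.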
diff --git a/milter.te b/milter.te -index 92508b2..db83591 100644 +index 92508b2..9c51c34 100644 --- a/milter.te +++ b/milter.te -@@ -1,77 +1,110 @@ +@@ -1,77 +1,121 @@ -policy_module(milter, 1.4.2) +policy_module(milter, 1.4.0) @@ -38936,6 +41939,9 @@ index 92508b2..db83591 100644 +type dkim_milter_private_key_t; +files_type(dkim_milter_private_key_t) + ++type dkim_milter_tmp_t; ++files_tmp_file(dkim_milter_tmp_t) ++ +# currently-supported milters are milter-greylist, milter-regex and spamass-milter milter_template(greylist) milter_template(regex) @@ -38960,6 +41966,8 @@ index 92508b2..db83591 100644 allow milter_domains self:fifo_file rw_fifo_file_perms; -allow milter_domains self:tcp_socket { accept listen }; + ++allow milter_domains self:process signull; ++ +# Allow communication with MTA over a TCP socket +allow milter_domains self:tcp_socket create_stream_socket_perms; @@ -38995,8 +42003,14 @@ index 92508b2..db83591 100644 -logging_send_syslog_msg(milter_domains) +read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t) + ++manage_files_pattern(dkim_milter_t, dkim_milter_tmp_t, dkim_milter_tmp_t) ++manage_dirs_pattern(dkim_milter_t, dkim_milter_tmp_t, dkim_milter_tmp_t) ++files_tmp_filetrans(dkim_milter_t, dkim_milter_tmp_t, { dir file }) ++ +kernel_read_kernel_sysctls(dkim_milter_t) + ++corenet_udp_bind_all_ports(dkim_milter_t) ++ +auth_use_nsswitch(dkim_milter_t) + +sysnet_dns_name_resolve(dkim_milter_t) @@ -39055,7 +42069,7 @@ index 92508b2..db83591 100644 optional_policy(` mysql_stream_connect(greylist_milter_t) -@@ -79,30 +112,45 @@ optional_policy(` +@@ -79,30 +123,45 @@ optional_policy(` ######################################## # 
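Review bot: `corenet_udp_bind_all_ports(dkim_milter_t)` in hunk `@@ -38995` lets the DKIM milter bind any UDP port, reserved ones included, which is more than a resolver needs. Since `sysnet_dns_name_resolve(dkim_milter_t)` is granted two lines below, the bind is presumably for DNS source ports; `corenet_udp_bind_all_unreserved_ports(dkim_milter_t)` (or `corenet_udp_bind_generic_port`) would cover that without letting a compromised milter squat on a privileged service port — confirm against the denial that motivated it. The dkim_milter policy block continues outside this hunk.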
@@ -39105,6 +42119,444 @@ index 92508b2..db83591 100644 optional_policy(` spamassassin_domtrans_client(spamass_milter_t) ') +diff --git a/mip6d.fc b/mip6d.fc +new file mode 100644 +index 0000000..767bbad +--- /dev/null ++++ b/mip6d.fc +@@ -0,0 +1,3 @@ ++/usr/lib/systemd/system/mip6d.* -- gen_context(system_u:object_r:mip6d_unit_file_t,s0) ++ ++/usr/sbin/mip6d -- gen_context(system_u:object_r:mip6d_exec_t,s0) +diff --git a/mip6d.if b/mip6d.if +new file mode 100644 +index 0000000..8169129 +--- /dev/null ++++ b/mip6d.if +@@ -0,0 +1,79 @@ ++ ++## Mobile IPv6 and NEMO Basic Support implementation ++ ++######################################## ++## ++## Execute TEMPLATE in the mip6d domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`mip6d_domtrans',` ++ gen_require(` ++ type mip6d_t, mip6d_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, mip6d_exec_t, mip6d_t) ++') ++######################################## ++## ++## Execute mip6d server in the mip6d domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`mip6d_systemctl',` ++ gen_require(` ++ type mip6d_t; ++ type mip6d_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 mip6d_unit_file_t:file read_file_perms; ++ allow $1 mip6d_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, mip6d_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an mip6d environment ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++# ++interface(`mip6d_admin',` ++ gen_require(` ++ type mip6d_t; ++ type mip6d_unit_file_t; ++ ') ++ ++ allow $1 mip6d_t:process { signal_perms }; ++ ps_process_pattern($1, mip6d_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 mip6d_t:process ptrace; ++ ') ++ ++ mip6d_systemctl($1) ++ admin_pattern($1, mip6d_unit_file_t) ++ allow $1 mip6d_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/mip6d.te b/mip6d.te +new file mode 100644 +index 0000000..1d34063 +--- /dev/null ++++ b/mip6d.te +@@ -0,0 +1,33 @@ ++policy_module(mip6d, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type mip6d_t; ++type mip6d_exec_t; ++init_daemon_domain(mip6d_t, mip6d_exec_t) ++ ++type mip6d_unit_file_t; ++systemd_unit_file(mip6d_unit_file_t) ++ ++######################################## ++# ++# mip6d local policy ++# ++allow mip6d_t self:capability { net_admin net_raw }; ++allow mip6d_t self:process { fork signal }; ++allow mip6d_t self:netlink_route_socket create_netlink_socket_perms; ++allow mip6d_t self:netlink_xfrm_socket create_netlink_socket_perms; ++allow mip6d_t self:rawip_socket create_socket_perms; ++allow mip6d_t self:udp_socket create_socket_perms; ++allow mip6d_t self:fifo_file rw_fifo_file_perms; ++allow mip6d_t self:unix_stream_socket create_stream_socket_perms; ++ ++kernel_rw_net_sysctls(mip6d_t) ++kernel_read_network_state(mip6d_t) ++kernel_request_load_module(mip6d_t) ++ ++logging_send_syslog_msg(mip6d_t) ++ +diff --git a/mirrormanager.fc b/mirrormanager.fc +new file mode 100644 +index 0000000..c713b27 +--- /dev/null ++++ b/mirrormanager.fc +@@ -0,0 +1,7 @@ ++/usr/share/mirrormanager/server/mirrormanager -- gen_context(system_u:object_r:mirrormanager_exec_t,s0) ++ ++/var/lib/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_var_lib_t,s0) ++ ++/var/log/mirrormanager(/.*)? 
gen_context(system_u:object_r:mirrormanager_log_t,s0) ++ ++/var/run/mirrormanager(/.*)? gen_context(system_u:object_r:mirrormanager_var_run_t,s0) +diff --git a/mirrormanager.if b/mirrormanager.if +new file mode 100644 +index 0000000..fbb831d +--- /dev/null ++++ b/mirrormanager.if +@@ -0,0 +1,237 @@ ++ ++## policy for mirrormanager ++ ++######################################## ++## ++## Execute mirrormanager in the mirrormanager domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`mirrormanager_domtrans',` ++ gen_require(` ++ type mirrormanager_t, mirrormanager_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, mirrormanager_exec_t, mirrormanager_t) ++') ++ ++######################################## ++## ++## Read mirrormanager's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`mirrormanager_read_log',` ++ gen_require(` ++ type mirrormanager_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t) ++') ++ ++######################################## ++## ++## Append to mirrormanager log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mirrormanager_append_log',` ++ gen_require(` ++ type mirrormanager_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t) ++') ++ ++######################################## ++## ++## Manage mirrormanager log files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mirrormanager_manage_log',` ++ gen_require(` ++ type mirrormanager_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, mirrormanager_log_t, mirrormanager_log_t) ++ manage_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t) ++ manage_lnk_files_pattern($1, mirrormanager_log_t, mirrormanager_log_t) ++') ++ ++######################################## ++## ++## Search mirrormanager lib directories. 
++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mirrormanager_search_lib',` ++ gen_require(` ++ type mirrormanager_var_lib_t; ++ ') ++ ++ allow $1 mirrormanager_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read mirrormanager lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mirrormanager_read_lib_files',` ++ gen_require(` ++ type mirrormanager_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ list_dirs_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t) ++ read_files_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t) ++') ++ ++######################################## ++## ++## Manage mirrormanager lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mirrormanager_manage_lib_files',` ++ gen_require(` ++ type mirrormanager_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t) ++') ++ ++######################################## ++## ++## Manage mirrormanager lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mirrormanager_manage_lib_dirs',` ++ gen_require(` ++ type mirrormanager_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, mirrormanager_var_lib_t, mirrormanager_var_lib_t) ++') ++ ++######################################## ++## ++## Read mirrormanager PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mirrormanager_read_pid_files',` ++ gen_require(` ++ type mirrormanager_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, mirrormanager_var_run_t, mirrormanager_var_run_t) ++') ++ ++######################################## ++## ++## Manage mirrormanager PID files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`mirrormanager_manage_pid_files',` ++ gen_require(` ++ type mirrormanager_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ manage_files_pattern($1, mirrormanager_var_run_t, mirrormanager_var_run_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an mirrormanager environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mirrormanager_admin',` ++ gen_require(` ++ type mirrormanager_t; ++ type mirrormanager_log_t; ++ type mirrormanager_var_lib_t; ++ type mirrormanager_var_run_t; ++ ') ++ ++ allow $1 mirrormanager_t:process { signal_perms }; ++ ps_process_pattern($1, mirrormanager_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 mirrormanager_t:process ptrace; ++ ') ++ ++ logging_search_logs($1) ++ admin_pattern($1, mirrormanager_log_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, mirrormanager_var_lib_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, mirrormanager_var_run_t) ++ ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/mirrormanager.te b/mirrormanager.te +new file mode 100644 +index 0000000..841b732 +--- /dev/null ++++ b/mirrormanager.te +@@ -0,0 +1,43 @@ ++policy_module(mirrormanager, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type mirrormanager_t; ++type mirrormanager_exec_t; ++cron_system_entry(mirrormanager_t, mirrormanager_exec_t) ++ ++type mirrormanager_log_t; ++logging_log_file(mirrormanager_log_t) ++ ++type mirrormanager_var_lib_t; ++files_type(mirrormanager_var_lib_t) ++ ++type mirrormanager_var_run_t; ++files_pid_file(mirrormanager_var_run_t) ++ ++######################################## ++# ++# mirrormanager local policy ++# ++ ++allow mirrormanager_t self:fifo_file rw_fifo_file_perms; ++allow mirrormanager_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(mirrormanager_t, 
mirrormanager_log_t, mirrormanager_log_t) ++manage_files_pattern(mirrormanager_t, mirrormanager_log_t, mirrormanager_log_t) ++manage_lnk_files_pattern(mirrormanager_t, mirrormanager_log_t, mirrormanager_log_t) ++logging_log_filetrans(mirrormanager_t, mirrormanager_log_t, { dir }) ++ ++manage_dirs_pattern(mirrormanager_t, mirrormanager_var_lib_t, mirrormanager_var_lib_t) ++manage_files_pattern(mirrormanager_t, mirrormanager_var_lib_t, mirrormanager_var_lib_t) ++manage_lnk_files_pattern(mirrormanager_t, mirrormanager_var_lib_t, mirrormanager_var_lib_t) ++files_var_lib_filetrans(mirrormanager_t, mirrormanager_var_lib_t, { dir }) ++ ++manage_dirs_pattern(mirrormanager_t, mirrormanager_var_run_t, mirrormanager_var_run_t) ++manage_files_pattern(mirrormanager_t, mirrormanager_var_run_t, mirrormanager_var_run_t) ++manage_lnk_files_pattern(mirrormanager_t, mirrormanager_var_run_t, mirrormanager_var_run_t) ++files_pid_filetrans(mirrormanager_t, mirrormanager_var_run_t, { dir }) ++ diff --git a/mock.fc b/mock.fc new file mode 100644 index 0000000..8d0e473 @@ -39434,10 +42886,10 @@ index 0000000..6568bfe +') diff --git a/mock.te b/mock.te new file mode 100644 -index 0000000..7245033 +index 0000000..fc64201 --- /dev/null +++ b/mock.te -@@ -0,0 +1,273 @@ +@@ -0,0 +1,276 @@ +policy_module(mock,1.0.0) + +## @@ -39485,6 +42937,7 @@ index 0000000..7245033 +# + +allow mock_t self:capability { sys_admin sys_ptrace setfcap setuid sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner }; ++allow mock_t self:capability2 block_suspend; +allow mock_t self:process { siginh noatsecure signal_perms transition rlimitinh setsched setpgid }; +# Needed because mock can run java and mono withing build environment +allow mock_t self:process { execmem execstack }; 
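Review bot: The new mip6d.if and mirrormanager.if (hunk `@@ -39105`, which runs from the milter.te context several lines above to the mock.fc header here) carry copy-paste placeholders in their interface documentation: `mip6d_domtrans` is summarised as `Execute TEMPLATE in the mip6d domin.`, `mirrormanager_domtrans` as `Execute mirrormanager in the mirrormanager domin.`, and `mip6d_systemctl` reuses domtrans wording, `Execute mip6d server in the mip6d domain.`, although it grants systemctl and unit-file access. Suggested summaries: `## Execute mip6d in the mip6d domain.`, `## Execute mirrormanager in the mirrormanager domain.` and `## Execute systemctl to manage the mip6d service.`. The motion.if hunk later in this same patch fixes exactly this `TEMPLATE` placeholder, so the two new files should get the same treatment before they propagate to further copies.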
@@ -39708,6 +43161,8 @@ index 0000000..7245033 + +libs_exec_ldconfig(mock_build_t) + ++userdom_use_inherited_user_ptys(mock_build_t) ++ +tunable_policy(`mock_enable_homedirs',` + userdom_read_user_home_content_files(mock_build_t) +') @@ -39790,7 +43245,7 @@ index b1ac8b5..9b22bea 100644 + ') +') diff --git a/modemmanager.te b/modemmanager.te -index cb4c13d..ab6fb25 100644 +index cb4c13d..9342be3 100644 --- a/modemmanager.te +++ b/modemmanager.te @@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t) @@ -39803,12 +43258,15 @@ index cb4c13d..ab6fb25 100644 ######################################## # # Local policy -@@ -27,12 +30,12 @@ kernel_read_system_state(modemmanager_t) +@@ -25,14 +28,14 @@ allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms; + kernel_read_system_state(modemmanager_t) + dev_read_sysfs(modemmanager_t) ++dev_read_urand(modemmanager_t) dev_rw_modem(modemmanager_t) -files_read_etc_files(modemmanager_t) - +- term_use_generic_ptys(modemmanager_t) term_use_unallocated_ttys(modemmanager_t) +term_use_usb_ttys(modemmanager_t) @@ -39974,16 +43432,16 @@ index 0000000..7415106 +/var/motion(/.*)? gen_context(system_u:object_r:motion_data_t,s0) diff --git a/motion.if b/motion.if new file mode 100644 -index 0000000..1b1b04c +index 0000000..39f4a04 --- /dev/null +++ b/motion.if -@@ -0,0 +1,193 @@ +@@ -0,0 +1,197 @@ + +## Detect motion using a video4linux device + +######################################## +## -+## Execute TEMPLATE in the motion domain. ++## Execute motion in the motion domain. +## +## +## @@ -40114,7 +43572,7 @@ index 0000000..1b1b04c + ') + + systemd_exec_systemctl($1) -+ systemd_read_fifo_file_password_run($1) ++ systemd_read_fifo_file_passwd_run($1) + allow $1 motion_unit_file_t:file read_file_perms; + allow $1 motion_unit_file_t:service manage_service_perms; + 
@@ -40154,12 +43612,16 @@ index 0000000..1b1b04c + gen_require(` + type motion_t; + type motion_log_t; -+ type motion_unit_file_t; ++ type motion_unit_file_t; + ') + -+ allow $1 motion_t:process { ptrace signal_perms }; ++ allow $1 motion_t:process { signal_perms }; + ps_process_pattern($1, motion_t) + ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 motion_t:process ptrace; ++ ') ++ + logging_search_logs($1) + admin_pattern($1, motion_log_t) + @@ -40242,10 +43704,10 @@ index 0000000..b694afc +') + diff --git a/mozilla.fc b/mozilla.fc -index 6ffaba2..a4d75bf 100644 +index 6ffaba2..ab66d2f 100644 --- a/mozilla.fc +++ b/mozilla.fc -@@ -1,38 +1,69 @@ +@@ -1,38 +1,70 @@ -HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) @@ -40269,6 +43731,7 @@ index 6ffaba2..a4d75bf 100644 +HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.cache/mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.cache/icedtea-web(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/POkemon.*(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) 
@@ -40287,8 +43750,6 @@ index 6ffaba2..a4d75bf 100644 +HOME_DIR/\.lyx(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.quakelive(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -+HOME_DIR/\.texlive2012(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -+HOME_DIR/\.texlive2013(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.IBMERS(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) @@ -40305,7 +43766,7 @@ index 6ffaba2..a4d75bf 100644 -/usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/bin/nspluginscan -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) -/usr/bin/nspluginviewer -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) - +- -/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0) @@ -40316,6 +43777,7 @@ index 6ffaba2..a4d75bf 100644 -/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:mozilla_plugin_rw_t,s0) -/usr/lib/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0) -/usr/lib/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0) ++ +ifdef(`distro_redhat',` +/usr/bin/nspluginscan -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) +/usr/bin/nspluginviewer -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) 
@@ -40343,13 +43805,15 @@ index 6ffaba2..a4d75bf 100644 + +/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) + ++/usr/lib/firefox/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) ++ +/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:mozilla_plugin_rw_t,s0) + +ifdef(`distro_redhat',` +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index 6194b80..ada96f0 100644 +index 6194b80..cafb2b0 100644 --- a/mozilla.if +++ b/mozilla.if @@ -1,146 +1,75 @@ @@ -40481,7 +43945,8 @@ index 6194b80..ada96f0 100644 - mozilla_run_plugin($2, $1) - mozilla_run_plugin_config($2, $1) -- ++ mozilla_filetrans_home_content($2) + - allow $2 { mozilla_plugin_t mozilla_plugin_config_t }:process { ptrace signal_perms }; - ps_process_pattern($2, { mozilla_plugin_t mozilla_plugin_config_t }) - @@ -40503,8 +43968,7 @@ index 6194b80..ada96f0 100644 - userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla") - userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape") - userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix") -+ mozilla_filetrans_home_content($2) - +- - allow $2 mozilla_plugin_tmp_t:dir { manage_dir_perms relabel_dir_perms }; - allow $2 mozilla_plugin_tmp_t:file { manage_file_perms relabel_file_perms }; - allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; @@ -40635,7 +44099,7 @@ index 6194b80..ada96f0 100644 ## ## ## -@@ -265,140 +173,153 @@ interface(`mozilla_exec_user_plugin_home_files',` +@@ -265,140 +173,155 @@ interface(`mozilla_exec_user_plugin_home_files',` ## # interface(`mozilla_execmod_user_home_files',` 
@@ -40735,6 +44199,8 @@ index 6194b80..ada96f0 100644 + allow mozilla_plugin_t $1:unix_dgram_socket { sendto rw_socket_perms }; + allow mozilla_plugin_t $1:shm { rw_shm_perms destroy }; + allow mozilla_plugin_t $1:sem create_sem_perms; ++ allow $1 mozilla_plugin_t:sem rw_sem_perms; ++ allow $1 mozilla_plugin_t:shm rw_shm_perms; + + ps_process_pattern($1, mozilla_plugin_t) + allow $1 mozilla_plugin_t:process signal_perms; @@ -40849,7 +44315,7 @@ index 6194b80..ada96f0 100644 ') ######################################## -@@ -424,8 +345,7 @@ interface(`mozilla_dbus_chat',` +@@ -424,8 +347,7 @@ interface(`mozilla_dbus_chat',` ######################################## ## @@ -40859,7 +44325,7 @@ index 6194b80..ada96f0 100644 ## ## ## -@@ -433,76 +353,126 @@ interface(`mozilla_dbus_chat',` +@@ -433,76 +355,144 @@ interface(`mozilla_dbus_chat',` ## ## # @@ -40962,7 +44428,25 @@ index 6194b80..ada96f0 100644 + type mozilla_plugin_t; + ') + -+ allow $1 mozilla_plugin_t:sem { unix_read unix_write }; ++ dontaudit $1 mozilla_plugin_t:sem { associate unix_read unix_write }; ++') ++ ++####################################### ++## ++## Allow generict ipc read/write to a mozilla_plugin ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`mozilla_plugin_rw_sem',` ++ gen_require(` ++ type mozilla_plugin_t; ++ ') ++ ++ allow $1 mozilla_plugin_t:sem { associate unix_read unix_write }; ') ######################################## @@ -41015,7 +44499,7 @@ index 6194b80..ada96f0 100644 ## ## ## -@@ -510,19 +480,18 @@ interface(`mozilla_plugin_read_tmpfs_files',` +@@ -510,19 +500,18 @@ interface(`mozilla_plugin_read_tmpfs_files',` ## ## # @@ -41040,7 +44524,7 @@ index 6194b80..ada96f0 100644 ##
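Review bot: The new `mozilla_plugin_rw_sem` interface in hunk `@@ -40962` grants `allow $1 mozilla_plugin_t:sem { associate unix_read unix_write }` but its documentation was copied from the dontaudit variant above it: the parameter is described as `Domain to not audit.` and the summary reads `Allow generict ipc read/write to a mozilla_plugin`. Change them to `## Domain allowed access.` and `## Allow generic IPC semaphore read/write to mozilla_plugin_t.`. The interface whose body changes from `allow` to `dontaudit` at the top of the hunk has its header outside the hunk, so its summary could not be checked for matching wording.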
## ## -@@ -530,45 +499,58 @@ interface(`mozilla_plugin_delete_tmpfs_files',` +@@ -530,45 +519,57 @@ interface(`mozilla_plugin_delete_tmpfs_files',` ## ## # @@ -41109,8 +44593,6 @@ index 6194b80..ada96f0 100644 + userdom_user_home_dir_filetrans($1, mozilla_home_t, file, "abc") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec") -+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".texlive2012") -+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".texlive2013") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".juniper_networks") @@ -41120,11 +44602,12 @@ index 6194b80..ada96f0 100644 + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".webex") + optional_policy(` + gnome_cache_filetrans($1, mozilla_home_t, dir, "mozilla") ++ gnome_cache_filetrans($1, mozilla_home_t, dir, "icedtea-web") + ') ') + diff --git a/mozilla.te b/mozilla.te -index 6a306ee..b236449 100644 +index 6a306ee..e76899c 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ @@ -41387,7 +44870,7 @@ index 6a306ee..b236449 100644 term_dontaudit_getattr_pty_dirs(mozilla_t) -@@ -181,56 +196,73 @@ auth_use_nsswitch(mozilla_t) +@@ -181,57 +196,76 @@ auth_use_nsswitch(mozilla_t) logging_send_syslog_msg(mozilla_t) miscfiles_read_fonts(mozilla_t) @@ -41440,12 +44923,6 @@ index 6a306ee..b236449 100644 - fs_manage_nfs_dirs(mozilla_t) - fs_manage_nfs_files(mozilla_t) - fs_manage_nfs_symlinks(mozilla_t) --') -- --tunable_policy(`use_samba_home_dirs',` -- fs_manage_cifs_dirs(mozilla_t) -- fs_manage_cifs_files(mozilla_t) -- fs_manage_cifs_symlinks(mozilla_t) +userdom_home_manager(mozilla_t) + +# Uploads, local html 
@@ -41497,8 +44974,16 @@ index 6a306ee..b236449 100644 + userdom_dontaudit_read_user_home_content_files(mozilla_t) ') +-tunable_policy(`use_samba_home_dirs',` +- fs_manage_cifs_dirs(mozilla_t) +- fs_manage_cifs_files(mozilla_t) +- fs_manage_cifs_symlinks(mozilla_t) +-') ++userdom_manage_home_texlive(mozilla_t) + optional_policy(` -@@ -244,19 +276,12 @@ optional_policy(` + apache_read_user_scripts(mozilla_t) +@@ -244,19 +278,12 @@ optional_policy(` optional_policy(` cups_read_rw_config(mozilla_t) @@ -41520,7 +45005,7 @@ index 6a306ee..b236449 100644 optional_policy(` networkmanager_dbus_chat(mozilla_t) -@@ -265,33 +290,32 @@ optional_policy(` +@@ -265,33 +292,32 @@ optional_policy(` optional_policy(` gnome_stream_connect_gconf(mozilla_t) @@ -41568,7 +45053,7 @@ index 6a306ee..b236449 100644 ') optional_policy(` -@@ -300,259 +324,236 @@ optional_policy(` +@@ -300,259 +326,250 @@ optional_policy(` ######################################## # @@ -41582,7 +45067,7 @@ index 6a306ee..b236449 100644 +dontaudit mozilla_plugin_t self:capability { sys_admin ipc_lock sys_nice sys_tty_config }; +dontaudit mozilla_plugin_t self:capability2 block_suspend; + -+allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem execstack setrlimit transition }; ++allow mozilla_plugin_t self:process { getsession setcap setpgid getsched setsched signal_perms execmem execstack setrlimit transition }; +allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms; +allow mozilla_plugin_t self:netlink_socket create_socket_perms; +allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms; 
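Review bot: Hunk `@@ -41582` widens `allow mozilla_plugin_t self:process { ... }` with `getsession setcap` and no comment, and this domain is the plugin sandbox the rest of the file tries to confine. `setcap` permits the process to change its own capability sets; it cannot gain capabilities the domain lacks, but a reviewer of a sandbox domain still needs to know what requested it — presumably the plugin container adjusting its own privileges at start-up, which should be confirmed. A short why-comment above the line, e.g. `# plugin-container adjusts its own capability sets on start-up (<AVC-OR-BUG-REF>)`, would make the grant auditable.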
@@ -41647,6 +45132,7 @@ index 6a306ee..b236449 100644 manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file }) +userdom_tmpfs_filetrans_to(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file }) ++userdom_manage_home_texlive(mozilla_plugin_t) allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms; -allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms; @@ -41666,6 +45152,8 @@ index 6a306ee..b236449 100644 kernel_request_load_module(mozilla_plugin_t) kernel_dontaudit_getattr_core_if(mozilla_plugin_t) +files_dontaudit_read_root_files(mozilla_plugin_t) ++kernel_dontaudit_list_all_proc(mozilla_plugin_t) ++kernel_dontaudit_list_all_sysctls(mozilla_plugin_t) corecmd_exec_bin(mozilla_plugin_t) corecmd_exec_shell(mozilla_plugin_t) @@ -41846,8 +45334,11 @@ index 6a306ee..b236449 100644 userdom_dontaudit_use_user_terminals(mozilla_plugin_t) +userdom_manage_user_tmp_sockets(mozilla_plugin_t) +userdom_manage_user_tmp_dirs(mozilla_plugin_t) ++userdom_manage_tmpfs_files(mozilla_plugin_t) +userdom_rw_inherited_user_tmp_files(mozilla_plugin_t) ++userdom_rw_inherited_user_tmpfs_files(mozilla_plugin_t) +userdom_delete_user_tmp_files(mozilla_plugin_t) ++userdom_delete_user_tmpfs_files(mozilla_plugin_t) +userdom_rw_inherited_user_home_sock_files(mozilla_plugin_t) +userdom_manage_home_certs(mozilla_plugin_t) +userdom_read_user_tmp_symlinks(mozilla_plugin_t) 
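Review bot: Hunk `@@ -41846` adds `userdom_manage_tmpfs_files(mozilla_plugin_t)` together with `userdom_rw_inherited_user_tmpfs_files(mozilla_plugin_t)` and `userdom_delete_user_tmpfs_files(mozilla_plugin_t)`; if all three resolve to the same user tmpfs type, the manage interface already subsumes rw and delete and the two narrower lines are dead weight. For a plugin sandbox the preferable resolution is the reverse: keep the inherited-rw and delete lines and drop the manage line unless a denial shows the plugin creating files on the user's tmpfs, since full manage access covers the shared-memory segments of every other application running as that user. Please confirm against userdomain.if in the base policy shipped by this SRPM and add a one-line comment on whichever grant survives.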
@@ -41857,28 +45348,33 @@ index 6a306ee..b236449 100644 -ifndef(`enable_mls',` - fs_list_dos(mozilla_plugin_t) - fs_read_dos_files(mozilla_plugin_t) -- -- fs_search_removable(mozilla_plugin_t) -- fs_read_removable_files(mozilla_plugin_t) -- fs_read_removable_symlinks(mozilla_plugin_t) +userdom_read_user_home_content_files(mozilla_plugin_t) +userdom_read_user_home_content_symlinks(mozilla_plugin_t) +userdom_read_home_certs(mozilla_plugin_t) +userdom_read_home_audio_files(mozilla_plugin_t) +userdom_exec_user_tmp_files(mozilla_plugin_t) +- fs_search_removable(mozilla_plugin_t) +- fs_read_removable_files(mozilla_plugin_t) +- fs_read_removable_symlinks(mozilla_plugin_t) ++userdom_home_manager(mozilla_plugin_t) + - fs_read_iso9660_files(mozilla_plugin_t) --') -- ++tunable_policy(`mozilla_plugin_can_network_connect',` ++ corenet_tcp_connect_all_ports(mozilla_plugin_t) + ') + -tunable_policy(`allow_execmem',` - allow mozilla_plugin_t self:process execmem; --') -+userdom_home_manager(mozilla_plugin_t) ++optional_policy(` ++ abrt_stream_connect(mozilla_plugin_t) + ') -tunable_policy(`mozilla_execstack',` - allow mozilla_plugin_t self:process { execmem execstack }; -+tunable_policy(`mozilla_plugin_can_network_connect',` -+ corenet_tcp_connect_all_ports(mozilla_plugin_t) ++optional_policy(` ++ alsa_read_rw_config(mozilla_plugin_t) ++ alsa_read_home_files(mozilla_plugin_t) ') -tunable_policy(`use_nfs_home_dirs',` @@ -41886,8 +45382,7 @@ index 6a306ee..b236449 100644 - fs_manage_nfs_files(mozilla_plugin_t) - fs_manage_nfs_symlinks(mozilla_plugin_t) +optional_policy(` -+ alsa_read_rw_config(mozilla_plugin_t) -+ alsa_read_home_files(mozilla_plugin_t) ++ apache_list_modules(mozilla_plugin_t) ') -tunable_policy(`use_samba_home_dirs',` 
@@ -41895,7 +45390,7 @@ index 6a306ee..b236449 100644 - fs_manage_cifs_files(mozilla_plugin_t) - fs_manage_cifs_symlinks(mozilla_plugin_t) +optional_policy(` -+ apache_list_modules(mozilla_plugin_t) ++ bumblebee_stream_connect(mozilla_plugin_t) ') optional_policy(` @@ -41956,16 +45451,20 @@ index 6a306ee..b236449 100644 ') optional_policy(` -@@ -560,7 +561,7 @@ optional_policy(` +@@ -560,7 +577,11 @@ optional_policy(` ') optional_policy(` - pulseaudio_run(mozilla_plugin_t, mozilla_plugin_roles) ++ policykit_dbus_chat(mozilla_plugin_t) ++') ++ ++optional_policy(` + rtkit_scheduled(mozilla_plugin_t) ') optional_policy(` -@@ -568,108 +569,130 @@ optional_policy(` +@@ -568,108 +589,131 @@ optional_policy(` ') optional_policy(` @@ -42146,6 +45645,7 @@ index 6a306ee..b236449 100644 - automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t) +tunable_policy(`mozilla_plugin_use_spice',` + dev_rw_generic_usb_dev(mozilla_plugin_t) ++ dev_setattr_generic_usb_dev(mozilla_plugin_t) + corenet_tcp_bind_vnc_port(mozilla_plugin_t) ') @@ -42217,10 +45717,24 @@ index 5fa77c7..2e01c7d 100644 domain_system_change_exemption($1) role_transition $2 mpd_initrc_exec_t system_r; diff --git a/mpd.te b/mpd.te -index 7c8afcc..33b18c8 100644 +index 7c8afcc..b8c9bf1 100644 --- a/mpd.te +++ b/mpd.te -@@ -62,18 +62,25 @@ files_type(mpd_var_lib_t) +@@ -7,6 +7,13 @@ policy_module(mpd, 1.0.4) + + ## + ##
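Review bot: `policykit_dbus_chat(mozilla_plugin_t)` in hunk `@@ -41956` gives the plugin sandbox two-way D-Bus traffic with polkit and carries no comment about which plugin needs it. Talking to polkitd is how a process requests authorization decisions or registers as an agent, so for a domain that runs untrusted web content this deserves a sentence in the policy itself, e.g. `# <PLUGIN> queries polkit over the system bus; see <BUG-REF>` above the new `optional_policy` block. If the need is specific to one plugin type, consider gating it behind one of the existing `mozilla_plugin_*` tunables instead of granting it to every plugin.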

++## Allow mpd execmem/execstack. ++##

++##
++gen_tunable(mpd_execmem, false) ++ ++## ++##

+ ## Determine whether mpd can traverse + ## user home directories. + ##

+@@ -62,18 +69,25 @@ files_type(mpd_var_lib_t) type mpd_user_data_t; userdom_user_home_content(mpd_user_data_t) # customizable @@ -42247,7 +45761,7 @@ index 7c8afcc..33b18c8 100644 allow mpd_t mpd_data_t:dir manage_dir_perms; allow mpd_t mpd_data_t:file manage_file_perms; -@@ -104,13 +111,22 @@ manage_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) +@@ -104,13 +118,22 @@ manage_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t) files_var_lib_filetrans(mpd_t, mpd_var_lib_t, dir) @@ -42271,7 +45785,7 @@ index 7c8afcc..33b18c8 100644 corenet_all_recvfrom_netlabel(mpd_t) corenet_tcp_sendrecv_generic_if(mpd_t) corenet_tcp_sendrecv_generic_node(mpd_t) -@@ -139,9 +155,9 @@ dev_read_sound(mpd_t) +@@ -139,9 +162,9 @@ dev_read_sound(mpd_t) dev_write_sound(mpd_t) dev_read_sysfs(mpd_t) @@ -42282,12 +45796,16 @@ index 7c8afcc..33b18c8 100644 fs_list_inotifyfs(mpd_t) fs_rw_anon_inodefs_files(mpd_t) fs_search_auto_mountpoints(mpd_t) -@@ -150,15 +166,26 @@ auth_use_nsswitch(mpd_t) +@@ -150,15 +173,30 @@ auth_use_nsswitch(mpd_t) logging_send_syslog_msg(mpd_t) -miscfiles_read_localization(mpd_t) +userdom_home_reader(mpd_t) ++ ++tunable_policy(`mpd_execmem',` ++ allow mpd_t self:process { execstack execmem }; ++') tunable_policy(`mpd_enable_homedirs',` - userdom_search_user_home_dirs(mpd_t) @@ -42311,7 +45829,7 @@ index 7c8afcc..33b18c8 100644 ') tunable_policy(`mpd_enable_homedirs && use_samba_home_dirs',` -@@ -191,7 +218,7 @@ optional_policy(` +@@ -191,7 +229,7 @@ optional_policy(` ') optional_policy(` @@ -42320,7 +45838,7 @@ index 7c8afcc..33b18c8 100644 ') optional_policy(` -@@ -199,6 +226,16 @@ optional_policy(` +@@ -199,6 +237,16 @@ optional_policy(` ') optional_policy(` 
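Review bot: The new `mpd_execmem` tunable (hunk `@@ -42217`, whose body is spread over the short lines above) is described only as `Allow mpd execmem/execstack.`, which does not tell an administrator what they give up by enabling it; the matching `allow mpd_t self:process { execstack execmem }` in hunk `@@ -42282` is correctly gated and defaults to off. Suggested description: `## Allow mpd to map writable memory as executable (execmem/execstack). This weakens the daemon's memory protection and should only be enabled when a plugin mpd loads requires it.` The desc markup itself is not visible in this rendering, so only the wording is being checked.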
@@ -42461,6 +45979,36 @@ index 9aca704..f92829c 100644 allow mplayer_t mplayer_tmpfs_t:file execute; ') +diff --git a/mrtg.if b/mrtg.if +index c595094..2346458 100644 +--- a/mrtg.if ++++ b/mrtg.if +@@ -2,6 +2,25 @@ + + ######################################## + ## ++## Read mrtg lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mrtg_read_lib_files',` ++ gen_require(` ++ type mrtg_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, mrtg_var_lib_t, mrtg_var_lib_t) ++') ++ ++######################################## ++## + ## Create and append mrtg log files. + ## + ## diff --git a/mrtg.te b/mrtg.te index c97c177..9411154 100644 --- a/mrtg.te @@ -42559,7 +46107,7 @@ index f42896c..cb2791a 100644 -/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) diff --git a/mta.if b/mta.if -index ed81cac..566684a 100644 +index ed81cac..e968c28 100644 --- a/mta.if +++ b/mta.if @@ -1,4 +1,4 @@ @@ -42610,7 +46158,7 @@ index ed81cac..566684a 100644 # type $1_mail_t, user_mail_domain; -@@ -43,17 +57,16 @@ template(`mta_base_mail_template',` +@@ -43,17 +57,18 @@ template(`mta_base_mail_template',` type $1_mail_tmp_t; files_tmp_file($1_mail_tmp_t) @@ -42625,6 +46173,8 @@ index ed81cac..566684a 100644 + kernel_read_system_state($1_mail_t) + ++ corenet_all_recvfrom_netlabel($1_mail_t) ++ auth_use_nsswitch($1_mail_t) + logging_send_syslog_msg($1_mail_t) @@ -42632,7 +46182,7 @@ index ed81cac..566684a 100644 optional_policy(` postfix_domtrans_user_mail_handler($1_mail_t) ') -@@ -61,61 +74,41 @@ template(`mta_base_mail_template',` +@@ -61,61 +76,41 @@ template(`mta_base_mail_template',` ######################################## ## @@ -42704,7 +46254,7 @@ index ed81cac..566684a 100644 ') ') -@@ -163,125 +156,23 @@ interface(`mta_agent_executable',` +@@ -163,125 +158,23 @@ interface(`mta_agent_executable',` application_executable_file($1) ') 
@@ -42837,7 +46387,7 @@ index ed81cac..566684a 100644 ') ######################################## -@@ -334,7 +225,6 @@ interface(`mta_sendmail_mailserver',` +@@ -334,7 +227,6 @@ interface(`mta_sendmail_mailserver',` ') init_system_domain($1, sendmail_exec_t) @@ -42845,7 +46395,7 @@ index ed81cac..566684a 100644 typeattribute $1 mailserver_domain; ') -@@ -374,6 +264,15 @@ interface(`mta_mailserver_delivery',` +@@ -374,6 +266,15 @@ interface(`mta_mailserver_delivery',` ') typeattribute $1 mailserver_delivery; @@ -42861,7 +46411,7 @@ index ed81cac..566684a 100644 ') ####################################### -@@ -394,6 +293,12 @@ interface(`mta_mailserver_user_agent',` +@@ -394,6 +295,12 @@ interface(`mta_mailserver_user_agent',` ') typeattribute $1 mta_user_agent; @@ -42874,7 +46424,7 @@ index ed81cac..566684a 100644 ') ######################################## -@@ -408,14 +313,19 @@ interface(`mta_mailserver_user_agent',` +@@ -408,14 +315,19 @@ interface(`mta_mailserver_user_agent',` # interface(`mta_send_mail',` gen_require(` @@ -42896,7 +46446,7 @@ index ed81cac..566684a 100644 ') ######################################## -@@ -445,18 +355,24 @@ interface(`mta_send_mail',` +@@ -445,18 +357,24 @@ interface(`mta_send_mail',` # interface(`mta_sendmail_domtrans',` gen_require(` @@ -42926,7 +46476,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -464,7 +380,6 @@ interface(`mta_sendmail_domtrans',` +@@ -464,7 +382,6 @@ interface(`mta_sendmail_domtrans',` ## ## # @@ -42934,7 +46484,7 @@ index ed81cac..566684a 100644 interface(`mta_signal_system_mail',` gen_require(` type system_mail_t; -@@ -475,7 +390,43 @@ interface(`mta_signal_system_mail',` +@@ -475,7 +392,43 @@ interface(`mta_signal_system_mail',` ######################################## ## @@ -42979,7 +46529,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -506,13 +457,32 @@ interface(`mta_sendmail_exec',` +@@ -506,13 +459,32 @@ interface(`mta_sendmail_exec',` type sendmail_exec_t; ') 
@@ -43014,7 +46564,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -528,13 +498,13 @@ interface(`mta_read_config',` +@@ -528,13 +500,13 @@ interface(`mta_read_config',` files_search_etc($1) allow $1 etc_mail_t:dir list_dir_perms; @@ -43031,7 +46581,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -548,33 +518,31 @@ interface(`mta_write_config',` +@@ -548,33 +520,31 @@ interface(`mta_write_config',` type etc_mail_t; ') @@ -43071,7 +46621,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -582,84 +550,66 @@ interface(`mta_read_aliases',` +@@ -582,84 +552,66 @@ interface(`mta_read_aliases',` ## ## # @@ -43172,7 +46722,7 @@ index ed81cac..566684a 100644 ##
## ## -@@ -674,14 +624,13 @@ interface(`mta_rw_aliases',` +@@ -674,14 +626,13 @@ interface(`mta_rw_aliases',` ') files_search_etc($1) @@ -43190,7 +46740,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -697,6 +646,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',` +@@ -697,6 +648,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',` dontaudit $1 mailserver_delivery:tcp_socket { read write }; ') @@ -43216,7 +46766,7 @@ index ed81cac..566684a 100644 ####################################### ## ## Connect to all mail servers over TCP. (Deprecated) -@@ -713,8 +681,8 @@ interface(`mta_tcp_connect_all_mailservers',` +@@ -713,8 +683,8 @@ interface(`mta_tcp_connect_all_mailservers',` ####################################### ## @@ -43227,7 +46777,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -732,7 +700,7 @@ interface(`mta_dontaudit_read_spool_symlinks',` +@@ -732,7 +702,7 @@ interface(`mta_dontaudit_read_spool_symlinks',` ######################################## ## @@ -43236,7 +46786,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -753,8 +721,8 @@ interface(`mta_getattr_spool',` +@@ -753,8 +723,8 @@ interface(`mta_getattr_spool',` ######################################## ## @@ -43247,7 +46797,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -775,9 +743,8 @@ interface(`mta_dontaudit_getattr_spool_files',` +@@ -775,9 +745,8 @@ interface(`mta_dontaudit_getattr_spool_files',` ####################################### ## @@ -43259,7 +46809,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -811,7 +778,7 @@ interface(`mta_spool_filetrans',` +@@ -811,7 +780,7 @@ interface(`mta_spool_filetrans',` ####################################### ## @@ -43268,7 +46818,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -819,10 +786,10 @@ interface(`mta_spool_filetrans',` +@@ -819,10 +788,10 @@ interface(`mta_spool_filetrans',` ## ## # 
@@ -43283,7 +46833,7 @@ index ed81cac..566684a 100644 files_search_spool($1) read_files_pattern($1, mail_spool_t, mail_spool_t) -@@ -830,7 +797,7 @@ interface(`mta_read_spool_files',` +@@ -830,7 +799,7 @@ interface(`mta_read_spool_files',` ######################################## ## @@ -43292,7 +46842,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -845,13 +812,14 @@ interface(`mta_rw_spool',` +@@ -845,13 +814,14 @@ interface(`mta_rw_spool',` files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; @@ -43310,7 +46860,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -866,13 +834,14 @@ interface(`mta_append_spool',` +@@ -866,13 +836,14 @@ interface(`mta_append_spool',` files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; @@ -43328,7 +46878,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -891,8 +860,7 @@ interface(`mta_delete_spool',` +@@ -891,8 +862,7 @@ interface(`mta_delete_spool',` ######################################## ## @@ -43338,7 +46888,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -911,45 +879,9 @@ interface(`mta_manage_spool',` +@@ -911,45 +881,9 @@ interface(`mta_manage_spool',` manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') @@ -43385,7 +46935,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -968,7 +900,7 @@ interface(`mta_search_queue',` +@@ -968,7 +902,7 @@ interface(`mta_search_queue',` ####################################### ## @@ -43394,7 +46944,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -981,13 +913,13 @@ interface(`mta_list_queue',` +@@ -981,13 +915,13 @@ interface(`mta_list_queue',` type mqueue_spool_t; ') @@ -43410,7 +46960,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -1000,14 +932,14 @@ interface(`mta_read_queue',` +@@ -1000,14 +934,14 @@ interface(`mta_read_queue',` type mqueue_spool_t; ') 
@@ -43427,7 +46977,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -1027,7 +959,7 @@ interface(`mta_dontaudit_rw_queue',` +@@ -1027,7 +961,7 @@ interface(`mta_dontaudit_rw_queue',` ######################################## ## ## Create, read, write, and delete @@ -43436,7 +46986,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -1047,6 +979,41 @@ interface(`mta_manage_queue',` +@@ -1047,6 +981,41 @@ interface(`mta_manage_queue',` ####################################### ## @@ -43478,7 +47028,7 @@ index ed81cac..566684a 100644 ## Read sendmail binary. ## ## -@@ -1055,6 +1022,7 @@ interface(`mta_manage_queue',` +@@ -1055,6 +1024,7 @@ interface(`mta_manage_queue',` ## ## # @@ -43486,7 +47036,7 @@ index ed81cac..566684a 100644 interface(`mta_read_sendmail_bin',` gen_require(` type sendmail_exec_t; -@@ -1065,8 +1033,8 @@ interface(`mta_read_sendmail_bin',` +@@ -1065,8 +1035,8 @@ interface(`mta_read_sendmail_bin',` ####################################### ## @@ -43497,7 +47047,7 @@ index ed81cac..566684a 100644 ## ## ## -@@ -1081,3 +1049,175 @@ interface(`mta_rw_user_mail_stream_sockets',` +@@ -1081,3 +1051,175 @@ interface(`mta_rw_user_mail_stream_sockets',` allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') @@ -43666,7 +47216,7 @@ index ed81cac..566684a 100644 + type etc_mail_t; + ') + -+ filetrans_pattern($1, etc_mail_t, etc_aliases_t, { dir file }) ++ #filetrans_pattern($1, etc_mail_t, etc_aliases_t, { dir file }) + mta_etc_filetrans_aliases($1, "aliases") + mta_etc_filetrans_aliases($1, "aliases.db") + mta_etc_filetrans_aliases($1, "aliasesdb-stamp") @@ -43674,7 +47224,7 @@ index ed81cac..566684a 100644 + mta_filetrans_admin_home_content($1) +') diff --git a/mta.te b/mta.te -index afd2fad..09ebbbe 100644 +index afd2fad..b995f01 100644 --- a/mta.te +++ b/mta.te @@ -1,4 +1,4 @@ 
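Review bot: The interface body in the `@@ -43666,7 +47216,7 @@` hunk now carries a commented-out rule, `#filetrans_pattern($1, etc_mail_t, etc_aliases_t, { dir file })`, with no note on why it was disabled; a dead rule in a policy interface invites someone to re-enable it later without knowing the history. Either delete the line or replace it with the reason, e.g. `# no generic dir/file transition here: the named mta_etc_filetrans_aliases() calls below cover the aliases files, and a blanket transition would relabel unrelated content created in etc_mail_t` (if that is indeed why it was dropped). The `interface(` header for this body lies outside the hunk.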
@@ -43878,14 +47428,14 @@ index afd2fad..09ebbbe 100644 + +manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t) +manage_files_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t) -+ + +-userdom_use_user_terminals(system_mail_t) +allow system_mail_t mail_home_t:file manage_file_perms; +userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file) + + +logging_append_all_logs(system_mail_t) - --userdom_use_user_terminals(system_mail_t) ++ +logging_send_syslog_msg(system_mail_t) optional_policy(` @@ -43942,7 +47492,7 @@ index afd2fad..09ebbbe 100644 courier_manage_spool_dirs(system_mail_t) courier_manage_spool_files(system_mail_t) courier_rw_spool_pipes(system_mail_t) -@@ -245,13 +146,8 @@ optional_policy(` +@@ -245,14 +146,10 @@ optional_policy(` ') optional_policy(` @@ -43952,12 +47502,16 @@ index afd2fad..09ebbbe 100644 - -optional_policy(` - fail2ban_dontaudit_rw_stream_sockets(system_mail_t) - fail2ban_append_log(system_mail_t) -+ fail2ban_dontaudit_leaks(system_mail_t) - fail2ban_rw_inherited_tmp_files(system_mail_t) +- fail2ban_append_log(system_mail_t) +- fail2ban_rw_inherited_tmp_files(system_mail_t) ++ fail2ban_append_log(user_mail_domain) ++ fail2ban_dontaudit_leaks(user_mail_domain) ++ fail2ban_rw_inherited_tmp_files(mta_user_agent) ++ fail2ban_rw_inherited_tmp_files(user_mail_domain) ') -@@ -264,10 +160,15 @@ optional_policy(` + optional_policy(` +@@ -264,10 +161,15 @@ optional_policy(` ') optional_policy(` @@ -43973,7 +47527,7 @@ index afd2fad..09ebbbe 100644 nagios_read_tmp_files(system_mail_t) ') -@@ -278,6 +179,15 @@ optional_policy(` +@@ -278,6 +180,19 @@ optional_policy(` manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t) files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file }) 
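Review bot: The fail2ban rules in the `@@ -245,14 +146,10 @@` hunk are widened from `system_mail_t` to the whole `user_mail_domain` attribute (`fail2ban_append_log(user_mail_domain)`, `fail2ban_rw_inherited_tmp_files(user_mail_domain)`), so every per-user mail domain created by `mta_base_mail_template` (`type $1_mail_t, user_mail_domain;`) — not just the system mailer — may append to fail2ban's log. Append-only access still lets an unprivileged sender inject arbitrary lines into that log, which matters if anything parses it (fail2ban's own recidive jail, when enabled, reads it), since a forged "Ban" record could then drive bans of third-party addresses. If the goal is only that sendmail spawned by fail2ban does not trip denials on inherited descriptors, `fail2ban_dontaudit_leaks(user_mail_domain)` plus keeping `fail2ban_append_log(system_mail_t)` would cover it without granting appends to every user mail domain; otherwise a comment naming the user domain that needs the append would help the next reviewer.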
@@ -43982,6 +47536,10 @@ index afd2fad..09ebbbe 100644 +') + +optional_policy(` ++ postfix_domtrans_postdrop(system_mail_t) ++') ++ ++optional_policy(` + qmail_domtrans_inject(system_mail_t) + qmail_manage_spool_dirs(system_mail_t) + qmail_manage_spool_files(system_mail_t) @@ -43989,7 +47547,7 @@ index afd2fad..09ebbbe 100644 ') optional_policy(` -@@ -293,42 +203,36 @@ optional_policy(` +@@ -293,42 +208,36 @@ optional_policy(` ') optional_policy(` @@ -44042,7 +47600,7 @@ index afd2fad..09ebbbe 100644 allow mailserver_delivery mail_spool_t:dir list_dir_perms; create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) -@@ -337,40 +241,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) +@@ -337,40 +246,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t) @@ -44091,7 +47649,18 @@ index afd2fad..09ebbbe 100644 files_search_var_lib(mailserver_delivery) mailman_domtrans(mailserver_delivery) -@@ -387,24 +277,173 @@ optional_policy(` +@@ -378,6 +273,10 @@ optional_policy(` + ') + + optional_policy(` ++ pcp_read_lib_files(mailserver_delivery) ++') ++ ++optional_policy(` + postfix_rw_inherited_master_pipes(mailserver_delivery) + ') + +@@ -387,24 +286,177 @@ optional_policy(` ######################################## # @@ -44209,6 +47778,9 @@ index afd2fad..09ebbbe 100644 +# Check available space. +fs_getattr_xattr_fs(user_mail_domain) + ++mta_filetrans_admin_home_content(user_mail_domain) ++mta_filetrans_home_content(user_mail_domain) ++ +init_dontaudit_rw_utmp(user_mail_domain) + +optional_policy(` @@ -44240,6 +47812,7 @@ index afd2fad..09ebbbe 100644 + +optional_policy(` + openshift_rw_inherited_content(mta_user_agent) ++ openshift_dontaudit_rw_inherited_fifo_files(mta_user_agent) +') + +optional_policy(` 
@@ -44564,10 +48137,10 @@ index b744fe3..4c1b6a8 100644 init_labeled_script_domtrans($1, munin_initrc_exec_t) domain_system_change_exemption($1) diff --git a/munin.te b/munin.te -index 97370e4..3549b8f 100644 +index 97370e4..e53abbb 100644 --- a/munin.te +++ b/munin.te -@@ -37,15 +37,22 @@ munin_plugin_template(disk) +@@ -37,44 +37,47 @@ munin_plugin_template(disk) munin_plugin_template(mail) munin_plugin_template(selinux) munin_plugin_template(services) @@ -44591,7 +48164,14 @@ index 97370e4..3549b8f 100644 allow munin_plugin_domain self:fifo_file rw_fifo_file_perms; allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms; -@@ -58,23 +65,17 @@ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms; + + read_lnk_files_pattern(munin_plugin_domain, munin_etc_t, munin_etc_t) + ++allow munin_plugin_domain munin_unconfined_plugin_exec_t:file read_file_perms; ++ + allow munin_plugin_domain munin_exec_t:file read_file_perms; + + allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms; manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t) @@ -44616,7 +48196,7 @@ index 97370e4..3549b8f 100644 optional_policy(` nscd_use(munin_plugin_domain) -@@ -114,7 +115,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) +@@ -114,7 +117,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) @@ -44625,7 +48205,7 @@ index 97370e4..3549b8f 100644 manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t) manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t) -@@ -130,7 +131,6 @@ kernel_read_all_sysctls(munin_t) +@@ -130,7 +133,6 @@ kernel_read_all_sysctls(munin_t) corecmd_exec_bin(munin_t) corecmd_exec_shell(munin_t) 
@@ -44633,7 +48213,7 @@ index 97370e4..3549b8f 100644 corenet_all_recvfrom_netlabel(munin_t) corenet_tcp_sendrecv_generic_if(munin_t) corenet_tcp_sendrecv_generic_node(munin_t) -@@ -153,7 +153,6 @@ domain_use_interactive_fds(munin_t) +@@ -153,7 +155,6 @@ domain_use_interactive_fds(munin_t) domain_read_all_domains_state(munin_t) files_read_etc_runtime_files(munin_t) @@ -44641,7 +48221,7 @@ index 97370e4..3549b8f 100644 files_list_spool(munin_t) fs_getattr_all_fs(munin_t) -@@ -165,7 +164,6 @@ logging_send_syslog_msg(munin_t) +@@ -165,7 +166,6 @@ logging_send_syslog_msg(munin_t) logging_read_all_logs(munin_t) miscfiles_read_fonts(munin_t) @@ -44649,7 +48229,7 @@ index 97370e4..3549b8f 100644 miscfiles_setattr_fonts_cache_dirs(munin_t) sysnet_exec_ifconfig(munin_t) -@@ -173,13 +171,6 @@ sysnet_exec_ifconfig(munin_t) +@@ -173,13 +173,6 @@ sysnet_exec_ifconfig(munin_t) userdom_dontaudit_use_unpriv_user_fds(munin_t) userdom_dontaudit_search_user_home_dirs(munin_t) @@ -44663,7 +48243,7 @@ index 97370e4..3549b8f 100644 optional_policy(` cron_system_entry(munin_t, munin_exec_t) -@@ -213,7 +204,6 @@ optional_policy(` +@@ -213,7 +206,6 @@ optional_policy(` optional_policy(` postfix_list_spool(munin_t) @@ -44671,7 +48251,7 @@ index 97370e4..3549b8f 100644 ') optional_policy(` -@@ -242,21 +232,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms; +@@ -242,21 +234,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms; rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) @@ -44699,7 +48279,7 @@ index 97370e4..3549b8f 100644 sysnet_read_config(disk_munin_plugin_t) -@@ -268,6 +260,10 @@ optional_policy(` +@@ -268,6 +262,10 @@ optional_policy(` fstools_exec(disk_munin_plugin_t) ') 
@@ -44710,7 +48290,7 @@ index 97370e4..3549b8f 100644 #################################### # # Mail local policy -@@ -275,27 +271,36 @@ optional_policy(` +@@ -275,27 +273,38 @@ optional_policy(` allow mail_munin_plugin_t self:capability dac_override; @@ -44719,6 +48299,8 @@ index 97370e4..3549b8f 100644 + rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) ++kernel_read_net_sysctls(mail_munin_plugin_t) ++ dev_read_urand(mail_munin_plugin_t) logging_read_generic_logs(mail_munin_plugin_t) @@ -44751,7 +48333,7 @@ index 97370e4..3549b8f 100644 ') optional_policy(` -@@ -320,6 +325,9 @@ allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms; +@@ -320,6 +329,9 @@ allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms; allow services_munin_plugin_t self:udp_socket create_socket_perms; allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms; @@ -44761,7 +48343,7 @@ index 97370e4..3549b8f 100644 corenet_sendrecv_all_client_packets(services_munin_plugin_t) corenet_tcp_connect_all_ports(services_munin_plugin_t) corenet_tcp_connect_http_port(services_munin_plugin_t) -@@ -331,7 +339,7 @@ dev_read_rand(services_munin_plugin_t) +@@ -331,7 +343,7 @@ dev_read_rand(services_munin_plugin_t) sysnet_read_config(services_munin_plugin_t) optional_policy(` @@ -44770,7 +48352,7 @@ index 97370e4..3549b8f 100644 ') optional_policy(` -@@ -353,7 +361,11 @@ optional_policy(` +@@ -353,7 +365,11 @@ optional_policy(` ') optional_policy(` @@ -44783,7 +48365,7 @@ index 97370e4..3549b8f 100644 ') optional_policy(` -@@ -385,6 +397,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t) +@@ -385,6 +401,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t) kernel_read_network_state(system_munin_plugin_t) kernel_read_all_sysctls(system_munin_plugin_t) 
@@ -44791,7 +48373,7 @@ index 97370e4..3549b8f 100644 dev_read_sysfs(system_munin_plugin_t) dev_read_urand(system_munin_plugin_t) -@@ -413,3 +426,31 @@ optional_policy(` +@@ -413,3 +430,31 @@ optional_policy(` optional_policy(` unconfined_domain(unconfined_munin_plugin_t) ') @@ -44824,10 +48406,10 @@ index 97370e4..3549b8f 100644 + apache_search_sys_content(munin_t) +') diff --git a/mysql.fc b/mysql.fc -index c48dc17..43d56e3 100644 +index c48dc17..297f831 100644 --- a/mysql.fc +++ b/mysql.fc -@@ -1,11 +1,24 @@ +@@ -1,11 +1,25 @@ -HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) - -/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0) @@ -44845,6 +48427,7 @@ index c48dc17..43d56e3 100644 +/root/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0) + +/usr/lib/systemd/system/mysqld.* -- gen_context(system_u:object_r:mysqld_unit_file_t,s0) ++/usr/lib/systemd/system/mariadb.* -- gen_context(system_u:object_r:mysqld_unit_file_t,s0) + +# +# /etc @@ -44860,7 +48443,7 @@ index c48dc17..43d56e3 100644 /usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0) /usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0) -@@ -13,13 +26,17 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) +@@ -13,13 +27,17 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) /usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0) /usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0) @@ -45417,7 +49000,7 @@ index 687af38..404ed6d 100644 + mysql_stream_connect($1) ') diff --git a/mysql.te b/mysql.te -index 9f6179e..4383f87 100644 +index 9f6179e..699587e 100644 --- a/mysql.te +++ b/mysql.te @@ -1,4 +1,4 @@ @@ -45590,7 +49173,7 @@ index 9f6179e..4383f87 100644 seutil_sigchld_newrole(mysqld_t) ') -@@ -153,29 +160,24 @@ optional_policy(` +@@ -153,29 +160,25 @@ optional_policy(` ####################################### # 
@@ -45600,6 +49183,7 @@ index 9f6179e..4383f87 100644 -allow mysqld_safe_t self:capability { chown dac_override fowner kill }; +allow mysqld_safe_t self:capability { chown dac_override fowner kill sys_nice sys_resource }; ++dontaudit mysqld_safe_t self:capability sys_ptrace; allow mysqld_safe_t self:process { setsched getsched setrlimit }; allow mysqld_safe_t self:fifo_file rw_fifo_file_perms; @@ -45628,7 +49212,7 @@ index 9f6179e..4383f87 100644 kernel_read_system_state(mysqld_safe_t) kernel_read_kernel_sysctls(mysqld_safe_t) -@@ -183,21 +185,27 @@ kernel_read_kernel_sysctls(mysqld_safe_t) +@@ -183,21 +186,29 @@ kernel_read_kernel_sysctls(mysqld_safe_t) corecmd_exec_bin(mysqld_safe_t) corecmd_exec_shell(mysqld_safe_t) @@ -45641,10 +49225,12 @@ index 9f6179e..4383f87 100644 -files_read_usr_files(mysqld_safe_t) -files_search_pids(mysqld_safe_t) -files_dontaudit_getattr_all_dirs(mysqld_safe_t) ++files_dontaudit_access_check_root(mysqld_safe_t) files_dontaudit_search_all_mountpoints(mysqld_safe_t) +files_dontaudit_getattr_all_dirs(mysqld_safe_t) -+files_dontaudit_write_root_dirs(mysqld_safe_t) ++files_write_root_dirs(mysqld_safe_t) ++ +logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) logging_send_syslog_msg(mysqld_safe_t) @@ -45662,7 +49248,7 @@ index 9f6179e..4383f87 100644 optional_policy(` hostname_exec(mysqld_safe_t) -@@ -205,7 +213,7 @@ optional_policy(` +@@ -205,7 +216,7 @@ optional_policy(` ######################################## # @@ -45671,7 +49257,7 @@ index 9f6179e..4383f87 100644 # allow mysqlmanagerd_t self:capability { dac_override kill }; -@@ -214,11 +222,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; +@@ -214,11 +225,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms; allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms; 
@@ -45689,7 +49275,7 @@ index 9f6179e..4383f87 100644 domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) -@@ -226,31 +235,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) +@@ -226,31 +238,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) @@ -45900,10 +49486,10 @@ index 0000000..171f666 +') diff --git a/mythtv.te b/mythtv.te new file mode 100644 -index 0000000..90129ac +index 0000000..395c2fd --- /dev/null +++ b/mythtv.te -@@ -0,0 +1,41 @@ +@@ -0,0 +1,46 @@ +policy_module(mythtv, 1.0.0) + +######################################## @@ -45923,6 +49509,9 @@ index 0000000..90129ac +# +# httpd_mythtv_script local policy +# ++#============= httpd_mythtv_script_t ============== ++allow httpd_mythtv_script_t self:process setpgid; ++dev_list_sysfs(httpd_mythtv_script_t) + +manage_files_pattern(httpd_mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t) +manage_dirs_pattern(httpd_mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t) @@ -45938,6 +49527,8 @@ index 0000000..90129ac + +fs_read_nfs_files(httpd_mythtv_script_t) + ++auth_read_passwd(httpd_mythtv_script_t) ++ +miscfiles_read_localization(httpd_mythtv_script_t) + +optional_policy(` @@ -45946,41 +49537,51 @@ index 0000000..90129ac + mysql_tcp_connect(httpd_mythtv_script_t) +') diff --git a/nagios.fc b/nagios.fc -index d78dfc3..a00cc2d 100644 +index d78dfc3..1c81436 100644 --- a/nagios.fc 
+++ b/nagios.fc -@@ -1,88 +1,97 @@ +@@ -1,88 +1,109 @@ -/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) -/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) +/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) ++/etc/icinga(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0) +/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0) +/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) +/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) -/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) -/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0) -+/usr/s?bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) -+/usr/s?bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) -/usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) -/usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) -+/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) -+/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) ++/usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) ++/usr/bin/icinga -- gen_context(system_u:object_r:nagios_exec_t,s0) ++/usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) -/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) -/usr/sbin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) -+/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) -+/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) ++/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) ++/usr/sbin/icinga -- gen_context(system_u:object_r:nagios_exec_t,s0) ++/usr/sbin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0) -/usr/lib/cgi-bin/nagios(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) -/usr/lib/cgi-bin/netsaint(/.*)? 
gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) -+/var/run/nagios.* gen_context(system_u:object_r:nagios_var_run_t,s0) ++/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) ++/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) ++/usr/lib/icinga/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) -/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) -/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0) -+/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) ++/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) ++/var/log/icinga(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) ++/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0) -/usr/lib/nagios/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0) ++/var/run/nagios.* gen_context(system_u:object_r:nagios_var_run_t,s0) ++ ++/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) ++/var/spool/icinga(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) ++ +ifdef(`distro_debian',` +/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0) +') @@ -46000,9 +49601,9 @@ index d78dfc3..a00cc2d 100644 -/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0) +# mail plugins +/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0) -+ -+/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0) ++/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0) ++ +# system plugins /usr/lib/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) /usr/lib/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0) 
@@ -46093,10 +49694,11 @@ index d78dfc3..a00cc2d 100644 -/var/run/nagios.* -- gen_context(system_u:object_r:nagios_var_run_t,s0) -/var/run/nrpe.* -- gen_context(system_u:object_r:nrpe_var_run_t,s0) -- --/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) +# eventhandlers +/usr/lib/nagios/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0) ++/usr/lib/icinga/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0) + +-/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) diff --git a/nagios.if b/nagios.if index 0641e97..d7d9a79 100644 --- a/nagios.if @@ -46337,7 +49939,7 @@ index 0641e97..d7d9a79 100644 + admin_pattern($1, nrpe_etc_t) ') diff --git a/nagios.te b/nagios.te -index 44ad3b7..a0488ea 100644 +index 44ad3b7..39bcd98 100644 --- a/nagios.te +++ b/nagios.te @@ -27,7 +27,7 @@ type nagios_var_run_t; @@ -46551,7 +50153,7 @@ index 44ad3b7..a0488ea 100644 kernel_read_kernel_sysctls(nagios_system_plugin_t) corecmd_exec_bin(nagios_system_plugin_t) -@@ -420,10 +435,10 @@ dev_read_sysfs(nagios_system_plugin_t) +@@ -420,14 +435,18 @@ dev_read_sysfs(nagios_system_plugin_t) domain_read_all_domains_state(nagios_system_plugin_t) @@ -46564,7 +50166,15 @@ index 44ad3b7..a0488ea 100644 optional_policy(` init_read_utmp(nagios_system_plugin_t) ') -@@ -442,11 +457,44 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t) + ++optional_policy(` ++ mrtg_read_lib_files(nagios_system_plugin_t) ++') ++ + ####################################### + # + # Event local policy +@@ -442,11 +461,44 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t) init_domtrans_script(nagios_eventhandler_plugin_t) @@ -46675,10 +50285,10 @@ index 0000000..8d7c751 +') diff --git a/namespace.te b/namespace.te new file mode 100644 -index 0000000..c674894 +index 0000000..e289f2d --- /dev/null 
+++ b/namespace.te -@@ -0,0 +1,39 @@ +@@ -0,0 +1,41 @@ +policy_module(namespace,1.0.0) + +######################################## @@ -46710,6 +50320,8 @@ index 0000000..c674894 + +files_polyinstantiate_all(namespace_init_t) + ++fs_getattr_xattr_fs(namespace_init_t) ++ +auth_use_nsswitch(namespace_init_t) + +term_use_console(namespace_init_t) @@ -46815,10 +50427,10 @@ index 56c0fbd..173a2c0 100644 userdom_dontaudit_use_unpriv_user_fds(nessusd_t) diff --git a/networkmanager.fc b/networkmanager.fc -index a1fb3c3..2b818b9 100644 +index a1fb3c3..dfb99d2 100644 --- a/networkmanager.fc +++ b/networkmanager.fc -@@ -1,43 +1,45 @@ +@@ -1,43 +1,47 @@ -/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) +/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) @@ -46847,7 +50459,7 @@ index a1fb3c3..2b818b9 100644 -/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) -/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) -+/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) ++/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) -/usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) -/usr/bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) @@ -46862,6 +50474,7 @@ index a1fb3c3..2b818b9 100644 /usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) -/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) -/usr/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) ++/usr/bin/teamd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) +/usr/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0) /usr/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) 
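Review bot: `/usr/bin/teamd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)` in the networkmanager.fc hunk folds the team daemon into NetworkManager_t, so teamd runs with everything NetworkManager_t is allowed rather than a domain sized to a link-aggregation daemon. The same hunk relabels `/usr/libexec/nm-dispatcher.action` from `NetworkManager_initrc_exec_t` to `NetworkManager_exec_t`, which presumably means dispatcher actions now stay in NetworkManager_t instead of transitioning to initrc — tighter, but every dispatcher.d script it runs must then be covered by NetworkManager_t's rules or it will fail closed, which deserves a note in the changelog. If teamd's needs are small, a dedicated `teamd_t`/`teamd_exec_t` reached by a transition from NetworkManager_t keeps the two separate; at minimum add `# teamd intentionally shares NetworkManager_t` so the sharing is recorded as deliberate.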
@@ -46884,11 +50497,12 @@ index a1fb3c3..2b818b9 100644 /var/run/nm-dns-dnsmasq\.conf -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) -/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/nm-xl2tpd.conf.* -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) ++/var/run/teamd(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/wicd\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) diff --git a/networkmanager.if b/networkmanager.if -index 0e8508c..ee2e3de 100644 +index 0e8508c..9a7332c 100644 --- a/networkmanager.if +++ b/networkmanager.if @@ -2,7 +2,7 @@ @@ -46968,28 +50582,10 @@ index 0e8508c..ee2e3de 100644 ## ## ## -@@ -95,8 +98,7 @@ interface(`networkmanager_domtrans',` +@@ -93,10 +96,27 @@ interface(`networkmanager_domtrans',` + domtrans_pattern($1, NetworkManager_exec_t, NetworkManager_t) + ') - ######################################## - ## --## Execute networkmanager scripts with --## an automatic domain transition to initrc. -+## Execute NetworkManager scripts with an automatic domain transition to NetworkManagerrc. - ## - ## - ## -@@ -104,18 +106,59 @@ interface(`networkmanager_domtrans',` - ## - ## - # -+interface(`networkmanager_NetworkManagerrc_domtrans',` -+ gen_require(` -+ type NetworkManager_NetworkManagerrc_exec_t; -+ ') -+ -+ NetworkManager_labeled_script_domtrans($1, NetworkManager_NetworkManagerrc_exec_t) -+') -+ +####################################### +## +## Execute NetworkManager scripts with an automatic domain transition to initrc. @@ -47000,7 +50596,7 @@ index 0e8508c..ee2e3de 100644 +## +## +# - interface(`networkmanager_initrc_domtrans',` ++interface(`networkmanager_initrc_domtrans',` + gen_require(` + type NetworkManager_initrc_exec_t; + ') 
@@ -47008,16 +50604,19 @@ index 0e8508c..ee2e3de 100644 + init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t) +') + -+######################################## -+## + ######################################## + ## +-## Execute networkmanager scripts with +-## an automatic domain transition to initrc. +## Execute NetworkManager server in the NetworkManager domain. -+## -+## -+## -+## Domain allowed to transition. -+## -+## -+# + ## + ## + ## +@@ -104,18 +124,23 @@ interface(`networkmanager_domtrans',` + ## + ## + # +-interface(`networkmanager_initrc_domtrans',` +interface(`networkmanager_systemctl',` gen_require(` - type NetworkManager_initrc_exec_t; @@ -47041,7 +50640,7 @@ index 0e8508c..ee2e3de 100644 ## ## ## -@@ -135,7 +178,29 @@ interface(`networkmanager_dbus_chat',` +@@ -135,7 +160,29 @@ interface(`networkmanager_dbus_chat',` ######################################## ## @@ -47072,7 +50671,7 @@ index 0e8508c..ee2e3de 100644 ## ## ## -@@ -153,7 +218,7 @@ interface(`networkmanager_signal',` +@@ -153,7 +200,7 @@ interface(`networkmanager_signal',` ######################################## ## @@ -47081,7 +50680,7 @@ index 0e8508c..ee2e3de 100644 ## ## ## -@@ -171,9 +236,28 @@ interface(`networkmanager_read_lib_files',` +@@ -171,9 +218,28 @@ interface(`networkmanager_read_lib_files',` read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) ') @@ -47111,7 +50710,7 @@ index 0e8508c..ee2e3de 100644 ## ## ## -@@ -181,19 +265,18 @@ interface(`networkmanager_read_lib_files',` +@@ -181,19 +247,18 @@ interface(`networkmanager_read_lib_files',` ## ## # @@ -47132,11 +50731,11 @@ index 0e8508c..ee2e3de 100644 ######################################## ## -## Read networkmanager pid files. -+## Read NetworkManager PID files. ++## Manage NetworkManager PID files. ## ## ## -@@ -201,23 +284,23 @@ interface(`networkmanager_append_log_files',` +@@ -201,25 +266,44 @@ interface(`networkmanager_append_log_files',` ## ## # 
@@ -47155,17 +50754,37 @@ index 0e8508c..ee2e3de 100644 ## -## All of the rules required to -## administrate an networkmanager environment. -+## Execute NetworkManager in the NetworkManager domain, and -+## allow the specified role the NetworkManager domain. ++## Delete NetworkManager PID files. ## ## ## --## Domain allowed access. -+## Domain allowed to transition. + ## Domain allowed access. ## ## ++# ++interface(`networkmanager_delete_pid_files',` ++ gen_require(` ++ type NetworkManager_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ delete_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) ++') ++ ++######################################## ++## ++## Execute NetworkManager in the NetworkManager domain, and ++## allow the specified role the NetworkManager domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ## -@@ -227,33 +310,133 @@ interface(`networkmanager_read_pid_files',` + ## + ## Role allowed access. +@@ -227,33 +311,152 @@ interface(`networkmanager_read_pid_files',` ## ## # @@ -47230,9 +50849,7 @@ index 0e8508c..ee2e3de 100644 + gen_require(` + type NetworkManager_var_lib_t; + ') - -- files_search_pids($1) -- admin_pattern($1, NetworkManager_var_run_t) ++ + manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t) +') + @@ -47276,6 +50893,26 @@ index 0e8508c..ee2e3de 100644 + allow $1 NetworkManager_t:lnk_file read_lnk_file_perms; +') + ++####################################### ++## ++## Send to NetworkManager with a unix dgram socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`networkmanager_dgram_send',` ++ gen_require(` ++ type NetworkManager_t, NetworkManager_var_run_t; ++ ') + + files_search_pids($1) +- admin_pattern($1, NetworkManager_var_run_t) ++ dgram_send_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t, NetworkManager_t) ++') ++ +######################################## +## +## Transition to networkmanager named content 
@@ -47320,7 +50957,7 @@ index 0e8508c..ee2e3de 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 0b48a30..b5c140b 100644 +index 0b48a30..9e9b2dc 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -1,4 +1,4 @@ @@ -47351,7 +50988,7 @@ index 0b48a30..b5c140b 100644 type NetworkManager_log_t; logging_log_file(NetworkManager_log_t) -@@ -39,25 +42,44 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) +@@ -39,25 +42,51 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) # Local policy # @@ -47360,13 +50997,17 @@ index 0b48a30..b5c140b 100644 -allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms }; +# networkmanager will ptrace itself if gdb is installed +# and it receives a unexpected signal (rh bug #204161) -+allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock }; ++allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock sys_chroot }; +dontaudit NetworkManager_t self:capability sys_tty_config; +ifdef(`hide_broken_symptoms',` + # caused by some bogus kernel code + dontaudit NetworkManager_t self:capability sys_module; +') +allow NetworkManager_t self:process { getcap setcap setpgid getsched setsched signal_perms }; ++ ++allow NetworkManager_t self:process setfscreate; ++selinux_validate_context(NetworkManager_t) ++ +tunable_policy(`deny_ptrace',`',` + allow NetworkManager_t self:capability sys_ptrace; + allow NetworkManager_t self:process ptrace; 
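Review bot: The capability rule gains `sys_chroot` and the domain gains `self:process setfscreate` with no comment on which NetworkManager code path needs either; `sys_chroot` lets the daemon chroot() and `setfscreate` lets it choose the label of files it creates, which is why `selinux_validate_context` is paired with it, so both deserve a why-comment like the `rh bug #204161` note kept above the line. Suggested: `# sys_chroot / setfscreate: needed by <feature — TODO(review) fill in>; creation contexts are validated via selinux_validate_context below`. The `deny_ptrace` tunable block continues past the end of this hunk.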
@@ -47376,7 +51017,7 @@ index 0b48a30..b5c140b 100644 -allow NetworkManager_t self:unix_dgram_socket sendto; -allow NetworkManager_t self:unix_stream_socket { accept listen }; +allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms }; -+allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms; ++allow NetworkManager_t self:unix_stream_socket{ create_stream_socket_perms connectto }; allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms; +allow NetworkManager_t self:netlink_xfrm_socket create_netlink_socket_perms; allow NetworkManager_t self:netlink_socket create_socket_perms; @@ -47396,16 +51037,19 @@ index 0b48a30..b5c140b 100644 +can_exec(NetworkManager_t, NetworkManager_exec_t) +#wicd +can_exec(NetworkManager_t, wpa_cli_exec_t) - ++ ++list_dirs_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t) ++read_files_pattern(NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_initrc_exec_t) ++ +list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) +read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) +read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t) -+ + +read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t) filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file }) -@@ -68,6 +90,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_ +@@ -68,6 +97,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_ setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t) logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file) 
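Review bot: `allow NetworkManager_t self:unix_stream_socket{ create_stream_socket_perms connectto };` is missing the space before `{` that every other rule in the file uses; `allow NetworkManager_t self:unix_stream_socket { create_stream_socket_perms connectto };` keeps it consistent. Why the daemon needs `connectto` on its own stream sockets is not stated, and a short comment on the use case would help a later reviewer confirm it is still required.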
@@ -47413,7 +51057,7 @@ index 0b48a30..b5c140b 100644 manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t) files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file }) -@@ -81,17 +104,14 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_ +@@ -81,17 +111,14 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_ manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t) files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file }) @@ -47432,7 +51076,7 @@ index 0b48a30..b5c140b 100644 corenet_all_recvfrom_netlabel(NetworkManager_t) corenet_tcp_sendrecv_generic_if(NetworkManager_t) corenet_udp_sendrecv_generic_if(NetworkManager_t) -@@ -102,22 +122,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t) +@@ -102,22 +129,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t) corenet_tcp_sendrecv_all_ports(NetworkManager_t) corenet_udp_sendrecv_all_ports(NetworkManager_t) corenet_udp_bind_generic_node(NetworkManager_t) @@ -47458,7 +51102,7 @@ index 0b48a30..b5c140b 100644 dev_rw_sysfs(NetworkManager_t) dev_read_rand(NetworkManager_t) dev_read_urand(NetworkManager_t) -@@ -125,13 +138,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) +@@ -125,13 +145,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t) dev_getattr_all_chr_files(NetworkManager_t) dev_rw_wireless(NetworkManager_t) @@ -47472,7 +51116,7 @@ index 0b48a30..b5c140b 100644 fs_getattr_all_fs(NetworkManager_t) fs_search_auto_mountpoints(NetworkManager_t) fs_list_inotifyfs(NetworkManager_t) -@@ -140,6 +146,17 @@ mls_file_read_all_levels(NetworkManager_t) +@@ -140,18 +153,33 @@ mls_file_read_all_levels(NetworkManager_t) selinux_dontaudit_search_fs(NetworkManager_t) 
@@ -47490,7 +51134,11 @@ index 0b48a30..b5c140b 100644 storage_getattr_fixed_disk_dev(NetworkManager_t) init_read_utmp(NetworkManager_t) -@@ -148,10 +165,11 @@ init_domtrans_script(NetworkManager_t) + init_dontaudit_write_utmp(NetworkManager_t) + init_domtrans_script(NetworkManager_t) ++init_signull_script(NetworkManager_t) ++init_signal_script(NetworkManager_t) ++init_sigkill_script(NetworkManager_t) auth_use_nsswitch(NetworkManager_t) @@ -47503,7 +51151,7 @@ index 0b48a30..b5c140b 100644 seutil_read_config(NetworkManager_t) -@@ -166,21 +184,32 @@ sysnet_kill_dhcpc(NetworkManager_t) +@@ -166,21 +194,32 @@ sysnet_kill_dhcpc(NetworkManager_t) sysnet_read_dhcpc_state(NetworkManager_t) sysnet_delete_dhcpc_state(NetworkManager_t) sysnet_search_dhcp_state(NetworkManager_t) @@ -47540,7 +51188,7 @@ index 0b48a30..b5c140b 100644 ') optional_policy(` -@@ -196,10 +225,6 @@ optional_policy(` +@@ -196,10 +235,6 @@ optional_policy(` ') optional_policy(` @@ -47551,7 +51199,7 @@ index 0b48a30..b5c140b 100644 consoletype_exec(NetworkManager_t) ') -@@ -210,16 +235,11 @@ optional_policy(` +@@ -210,16 +245,11 @@ optional_policy(` optional_policy(` dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) @@ -47570,7 +51218,7 @@ index 0b48a30..b5c140b 100644 ') ') -@@ -231,18 +251,19 @@ optional_policy(` +@@ -231,10 +261,11 @@ optional_policy(` dnsmasq_kill(NetworkManager_t) dnsmasq_signal(NetworkManager_t) dnsmasq_signull(NetworkManager_t) 
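Review bot: `init_signull_script`, `init_signal_script` and `init_sigkill_script` are added without a comment, and `init_sigkill_script` lets `NetworkManager_t` kill any process in the init-script domain, not only the scripts it launches through the `init_domtrans_script` rule on the line above. If the use case is reaping hung scripts it spawned (presumably dispatcher or network scripts), say so: `# NM signals/kills init scripts it spawned; scoped to the whole initrc domain because there is no finer type`. If signull/signal suffice in practice, dropping sigkill is the least-privilege choice.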
@@ -47579,21 +51227,27 @@ index 0b48a30..b5c140b 100644 optional_policy(` - gnome_stream_connect_all_gkeyringd(NetworkManager_t) -+ hal_write_log(NetworkManager_t) ++ fcoe_dgram_send_fcoemon(NetworkManager_t) ') optional_policy(` -- hal_write_log(NetworkManager_t) -+ howl_signal(NetworkManager_t) +@@ -246,10 +277,26 @@ optional_policy(` ') optional_policy(` -- howl_signal(NetworkManager_t) + gnome_dontaudit_search_config(NetworkManager_t) - ') - - optional_policy(` -@@ -250,6 +271,10 @@ optional_policy(` ++') ++ ++optional_policy(` ++ iscsid_domtrans(NetworkManager_t) ++') ++ ++optional_policy(` ++ iodined_domtrans(NetworkManager_t) ++') ++ ++optional_policy(` + ipsec_domtrans_mgmt(NetworkManager_t) ipsec_kill_mgmt(NetworkManager_t) ipsec_signal_mgmt(NetworkManager_t) ipsec_signull_mgmt(NetworkManager_t) @@ -47604,15 +51258,11 @@ index 0b48a30..b5c140b 100644 ') optional_policy(` -@@ -257,11 +282,10 @@ optional_policy(` +@@ -257,15 +304,19 @@ optional_policy(` ') optional_policy(` - libs_exec_ldconfig(NetworkManager_t) --') -- --optional_policy(` -- modutils_domtrans_insmod(NetworkManager_t) + l2tpd_domtrans(NetworkManager_t) + l2tpd_sigkill(NetworkManager_t) + l2tpd_signal(NetworkManager_t) @@ -47620,7 +51270,17 @@ index 0b48a30..b5c140b 100644 ') optional_policy(` -@@ -274,10 +298,17 @@ optional_policy(` +- modutils_domtrans_insmod(NetworkManager_t) ++ lldpad_dgram_send(NetworkManager_t) + ') + + optional_policy(` + netutils_exec_ping(NetworkManager_t) ++ netutils_exec(NetworkManager_t) + ') + + optional_policy(` +@@ -274,10 +325,17 @@ optional_policy(` nscd_signull(NetworkManager_t) nscd_kill(NetworkManager_t) nscd_initrc_domtrans(NetworkManager_t) @@ -47638,7 +51298,7 @@ index 0b48a30..b5c140b 100644 ') optional_policy(` -@@ -289,6 +320,7 @@ optional_policy(` +@@ -289,6 +347,7 @@ optional_policy(` ') optional_policy(` 
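Review bot: `netutils_exec(NetworkManager_t)` runs every netutils-labeled binary inside `NetworkManager_t` without a domain transition, so those tools keep NetworkManager's capability set (including `net_raw`, `net_admin` and `sys_admin` from the capability rule earlier in this file), whereas the existing `netutils_exec_ping` line was scoped to ping alone. A comment naming the tool that motivated it, `# netutils_exec: needed for <tool — TODO(review)>`, would let a later reviewer scope it back down, and `netutils_domtrans` is the transition form if it suits that tool.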
@@ -47646,7 +51306,7 @@ index 0b48a30..b5c140b 100644 policykit_domtrans_auth(NetworkManager_t) policykit_read_lib(NetworkManager_t) policykit_read_reload(NetworkManager_t) -@@ -296,7 +328,7 @@ optional_policy(` +@@ -296,7 +355,7 @@ optional_policy(` ') optional_policy(` @@ -47655,7 +51315,7 @@ index 0b48a30..b5c140b 100644 ') optional_policy(` -@@ -307,6 +339,7 @@ optional_policy(` +@@ -307,6 +366,7 @@ optional_policy(` ppp_signal(NetworkManager_t) ppp_signull(NetworkManager_t) ppp_read_config(NetworkManager_t) @@ -47663,7 +51323,7 @@ index 0b48a30..b5c140b 100644 ') optional_policy(` -@@ -320,13 +353,19 @@ optional_policy(` +@@ -320,13 +380,19 @@ optional_policy(` ') optional_policy(` 
@@ -47672,28 +51332,166 @@ index 0b48a30..b5c140b 100644 + systemd_write_inhibit_pipes(NetworkManager_t) + systemd_read_logind_sessions_files(NetworkManager_t) + systemd_dbus_chat_logind(NetworkManager_t) -+ systemd_hostnamed_read_config(NetworkManager_t) ++ systemd_hostnamed_manage_config(NetworkManager_t) ++') ++ ++optional_policy(` ++ ssh_exec(NetworkManager_t) ') optional_policy(` - # unconfined_dgram_send(NetworkManager_t) - unconfined_stream_connect(NetworkManager_t) -+ ssh_exec(NetworkManager_t) -+') -+ -+optional_policy(` + udev_exec(NetworkManager_t) + udev_read_db(NetworkManager_t) ') optional_policy(` -@@ -356,6 +395,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru +@@ -356,6 +422,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru init_dontaudit_use_fds(wpa_cli_t) init_use_script_ptys(wpa_cli_t) -miscfiles_read_localization(wpa_cli_t) - term_dontaudit_use_console(wpa_cli_t) +diff --git a/ninfod.fc b/ninfod.fc +new file mode 100644 +index 0000000..cc31b9f +--- /dev/null ++++ b/ninfod.fc +@@ -0,0 +1,6 @@ ++/usr/lib/systemd/system/ninfod.* -- gen_context(system_u:object_r:ninfod_unit_file_t,s0) ++ ++/usr/sbin/ninfod -- gen_context(system_u:object_r:ninfod_exec_t,s0) ++ ++/var/run/ninfod.* -- gen_context(system_u:object_r:ninfod_run_t,s0) ++ +diff --git a/ninfod.if b/ninfod.if +new file mode 100644 +index 0000000..a7f57d9 +--- /dev/null ++++ b/ninfod.if +@@ -0,0 +1,79 @@ ++ ++## Respond to IPv6 Node Information Queries ++ ++######################################## ++## ++## Execute ninfod in the ninfod domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ninfod_domtrans',` ++ gen_require(` ++ type ninfod_t, ninfod_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, ninfod_exec_t, ninfod_t) ++') ++######################################## ++## ++## Execute ninfod server in the ninfod domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`ninfod_systemctl',` ++ gen_require(` ++ type ninfod_t; ++ type ninfod_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 ninfod_unit_file_t:file read_file_perms; ++ allow $1 ninfod_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, ninfod_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an ninfod environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`ninfod_admin',` ++ gen_require(` ++ type ninfod_t; ++ type ninfod_unit_file_t; ++ ') ++ ++ allow $1 ninfod_t:process { signal_perms }; ++ ps_process_pattern($1, ninfod_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 ninfod_t:process ptrace; ++ ') ++ ++ ninfod_systemctl($1) ++ admin_pattern($1, ninfod_unit_file_t) ++ allow $1 ninfod_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/ninfod.te b/ninfod.te +new file mode 100644 +index 0000000..d75c408 +--- /dev/null ++++ b/ninfod.te +@@ -0,0 +1,35 @@ ++policy_module(ninfod, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type ninfod_t; ++type ninfod_exec_t; ++init_daemon_domain(ninfod_t, ninfod_exec_t) ++ ++type ninfod_run_t; ++files_pid_file(ninfod_run_t) ++ ++type ninfod_unit_file_t; ++systemd_unit_file(ninfod_unit_file_t) ++ ++######################################## ++# ++# ninfod local policy ++# ++allow ninfod_t self:capability { net_raw setuid }; ++allow ninfod_t self:process setcap; ++allow ninfod_t self:fifo_file rw_fifo_file_perms; ++allow ninfod_t self:rawip_socket { create setopt }; ++allow ninfod_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_files_pattern(ninfod_t, ninfod_run_t, ninfod_run_t) ++files_pid_filetrans(ninfod_t,ninfod_run_t, { file }) ++ ++auth_use_nsswitch(ninfod_t) ++ 
++logging_send_syslog_msg(ninfod_t) ++ ++sysnet_dns_name_resolve(ninfod_t) diff --git a/nis.fc b/nis.fc index 8aa1bfa..cd0e015 100644 --- a/nis.fc @@ -47998,7 +51796,7 @@ index 46e55c3..6e4e061 100644 + allow $1 nis_unit_file_t:service all_service_perms; ') diff --git a/nis.te b/nis.te -index 3e4a31c..eea788e 100644 +index 3e4a31c..6aeb9dd 100644 --- a/nis.te +++ b/nis.te @@ -1,12 +1,10 @@ @@ -48169,11 +51967,12 @@ index 3e4a31c..eea788e 100644 dev_read_sysfs(yppasswdd_t) fs_getattr_all_fs(yppasswdd_t) -@@ -203,11 +192,19 @@ selinux_get_fs_mount(yppasswdd_t) +@@ -202,12 +191,20 @@ fs_search_auto_mountpoints(yppasswdd_t) + selinux_get_fs_mount(yppasswdd_t) auth_manage_shadow(yppasswdd_t) ++auth_manage_passwd(yppasswdd_t) auth_relabel_shadow(yppasswdd_t) -+auth_read_passwd(yppasswdd_t) auth_etc_filetrans_shadow(yppasswdd_t) +corecmd_exec_bin(yppasswdd_t) @@ -48759,7 +52558,7 @@ index ba64485..429bd79 100644 + +/usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0) diff --git a/nscd.if b/nscd.if -index 8f2ab09..6ab4ea1 100644 +index 8f2ab09..bc2c7fe 100644 --- a/nscd.if +++ b/nscd.if @@ -1,8 +1,8 @@ @@ -48915,7 +52714,7 @@ index 8f2ab09..6ab4ea1 100644 +interface(`nscd_shm_use',` + gen_require(` + type nscd_t, nscd_var_run_t; -+ class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; ++ class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv }; ') + + allow $1 nscd_var_run_t:dir list_dir_perms; @@ -49057,7 +52856,7 @@ index 8f2ab09..6ab4ea1 100644 + allow $1 nscd_unit_file_t:service all_service_perms; ') diff --git a/nscd.te b/nscd.te -index df4c10f..8c09c68 100644 +index df4c10f..2bbc3a6 100644 --- a/nscd.te +++ b/nscd.te @@ -1,36 +1,37 @@ 
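Review bot: `ninfod_admin` in the new ninfod.if covers the process, the unit file and `ninfod_systemctl` but nothing for `ninfod_run_t`, so a role it is applied to cannot clean up the `/var/run/ninfod.*` files that ninfod.fc labels with that type; adding `type ninfod_run_t;` to its `gen_require`, then `files_list_pids($1)` and `admin_pattern($1, ninfod_run_t)`, completes it. In ninfod.te, `files_pid_filetrans(ninfod_t,ninfod_run_t, { file })` is missing the space after the first comma and braces a single class; `files_pid_filetrans(ninfod_t, ninfod_run_t, file)` matches the rest of the file. The `ninfod_domtrans` summary spells `domin` for `domain`, and the opensm.if hunk further down repeats the typo.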
@@ -49109,7 +52908,11 @@ index df4c10f..8c09c68 100644 type nscd_log_t; logging_log_file(nscd_log_t) -@@ -43,53 +44,54 @@ allow nscd_t self:capability { kill setgid setuid }; +@@ -40,56 +41,58 @@ logging_log_file(nscd_log_t) + # + + allow nscd_t self:capability { kill setgid setuid }; ++allow nscd_t self:capability2 block_suspend; dontaudit nscd_t self:capability sys_tty_config; allow nscd_t self:process { getattr getcap setcap setsched signal_perms }; allow nscd_t self:fifo_file read_fifo_file_perms; @@ -49182,7 +52985,7 @@ index df4c10f..8c09c68 100644 corenet_rw_tun_tap_dev(nscd_t) selinux_get_fs_mount(nscd_t) -@@ -98,16 +100,23 @@ selinux_compute_access_vector(nscd_t) +@@ -98,16 +101,23 @@ selinux_compute_access_vector(nscd_t) selinux_compute_create_context(nscd_t) selinux_compute_relabel_context(nscd_t) selinux_compute_user_contexts(nscd_t) 
@@ -49207,44 +53010,45 @@ index df4c10f..8c09c68 100644 userdom_dontaudit_use_user_terminals(nscd_t) userdom_dontaudit_use_unpriv_user_fds(nscd_t) userdom_dontaudit_search_user_home_dirs(nscd_t) -@@ -121,20 +130,31 @@ optional_policy(` +@@ -121,13 +131,11 @@ optional_policy(` ') optional_policy(` +- tunable_policy(`samba_domain_controller',` +- samba_append_log(nscd_t) +- samba_dontaudit_use_fds(nscd_t) +- ') + kerberos_use(nscd_t) +') -+ + +- samba_read_config(nscd_t) +- samba_read_var_files(nscd_t) +optional_policy(` -+ udev_read_db(nscd_t) -+') ++ nis_authenticate(nscd_t) + ') + + optional_policy(` +@@ -138,3 +146,20 @@ optional_policy(` + xen_dontaudit_rw_unix_stream_sockets(nscd_t) + xen_append_log(nscd_t) + ') + +optional_policy(` -+ xen_dontaudit_rw_unix_stream_sockets(nscd_t) -+ xen_append_log(nscd_t) ++ tunable_policy(`samba_domain_controller',` ++ samba_append_log(nscd_t) ++ samba_dontaudit_use_fds(nscd_t) ++ ') +') + +optional_policy(` - tunable_policy(`samba_domain_controller',` - samba_append_log(nscd_t) - samba_dontaudit_use_fds(nscd_t) - ') -- -- samba_read_config(nscd_t) -- samba_read_var_files(nscd_t) - ') - - optional_policy(` -- udev_read_db(nscd_t) + samba_read_config(nscd_t) + samba_read_var_files(nscd_t) + samba_stream_connect_nmbd(nscd_t) - ') - - optional_policy(` -- xen_dontaudit_rw_unix_stream_sockets(nscd_t) -- xen_append_log(nscd_t) ++') ++ ++optional_policy(` + unconfined_dontaudit_rw_packet_sockets(nscd_t) - ') ++') diff --git a/nsd.fc b/nsd.fc index 4f2b1b6..5348e92 100644 --- a/nsd.fc @@ -49662,7 +53466,7 @@ index 97df768..852d1c6 100644 + admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t) ') diff --git a/nslcd.te b/nslcd.te -index a3e56f0..2c5b389 100644 +index a3e56f0..c37998e 100644 --- a/nslcd.te +++ b/nslcd.te @@ -1,4 +1,4 @@ 
@@ -49682,7 +53486,7 @@ index a3e56f0..2c5b389 100644 -allow nslcd_t self:capability { setgid setuid dac_override }; -allow nslcd_t self:process signal; -allow nslcd_t self:unix_stream_socket { accept listen }; -+allow nslcd_t self:capability { dac_override setgid setuid sys_nice }; ++allow nslcd_t self:capability { chown dac_override setgid setuid sys_nice }; +allow nslcd_t self:process { setsched signal signull }; +allow nslcd_t self:unix_stream_socket create_stream_socket_perms; @@ -50590,7 +54394,7 @@ index af3c91e..6882a3f 100644 /var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) diff --git a/ntp.if b/ntp.if -index b59196f..017b36f 100644 +index b59196f..24f45be 100644 --- a/ntp.if +++ b/ntp.if @@ -1,4 +1,4 @@ @@ -50755,7 +54559,7 @@ index b59196f..017b36f 100644 logging_list_logs($1) admin_pattern($1, ntpd_log_t) -@@ -164,5 +246,28 @@ interface(`ntp_admin',` +@@ -164,5 +246,30 @@ interface(`ntp_admin',` files_list_pids($1) admin_pattern($1, ntpd_var_run_t) @@ -50780,13 +54584,15 @@ index b59196f..017b36f 100644 +interface(`ntp_filetrans_named_content',` + gen_require(` + type ntp_conf_t; ++ type ntp_drift_t; + ') + + files_etc_filetrans($1, ntp_conf_t, file, "ntpd.conf") + files_etc_filetrans($1, ntp_conf_t, dir, "ntp") ++ files_var_lib_filetrans($1, ntp_drift_t, file, "sntp-kod") ') diff --git a/ntp.te b/ntp.te -index b90e343..8369b61 100644 +index b90e343..ae081d4 100644 --- a/ntp.te +++ b/ntp.te @@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t; 
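Review bot: `files_var_lib_filetrans($1, ntp_drift_t, file, "sntp-kod")` in `ntp_filetrans_named_content` declares the named transition for a `file`, while the ntp.fc entry kept above (`/var/lib/sntp-kod(/.*)?`) and the new `files_var_lib_filetrans(ntpd_t, ntp_drift_t, dir, "sntp-kod")` in the ntp.te hunk below treat `sntp-kod` as a directory. If the path is a directory, the interface's rule never fires for a caller that creates it, so `files_var_lib_filetrans($1, ntp_drift_t, dir, "sntp-kod")` would match the daemon's own rule; if both forms occur in the field, `{ dir file }` covers both.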
@@ -50799,7 +54605,15 @@ index b90e343..8369b61 100644 type ntp_conf_t; files_config_file(ntp_conf_t) -@@ -60,9 +63,7 @@ read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) +@@ -53,6 +56,7 @@ allow ntpd_t self:tcp_socket { accept listen }; + + manage_dirs_pattern(ntpd_t, ntp_drift_t, ntp_drift_t) + manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t) ++files_var_lib_filetrans(ntpd_t, ntp_drift_t, dir, "sntp-kod") + + allow ntpd_t ntp_conf_t:file read_file_perms; + +@@ -60,9 +64,7 @@ read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) allow ntpd_t ntpd_log_t:dir setattr_dir_perms; @@ -50810,7 +54624,7 @@ index b90e343..8369b61 100644 logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir }) manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t) -@@ -83,21 +84,16 @@ kernel_read_system_state(ntpd_t) +@@ -83,21 +85,16 @@ kernel_read_system_state(ntpd_t) kernel_read_network_state(ntpd_t) kernel_request_load_module(ntpd_t) @@ -50834,7 +54648,7 @@ index b90e343..8369b61 100644 corecmd_exec_bin(ntpd_t) corecmd_exec_shell(ntpd_t) -@@ -110,13 +106,15 @@ domain_use_interactive_fds(ntpd_t) +@@ -110,13 +107,15 @@ domain_use_interactive_fds(ntpd_t) domain_dontaudit_list_all_domains_state(ntpd_t) files_read_etc_runtime_files(ntpd_t) @@ -50851,7 +54665,7 @@ index b90e343..8369b61 100644 auth_use_nsswitch(ntpd_t) -@@ -124,8 +122,6 @@ init_exec_script_files(ntpd_t) +@@ -124,8 +123,6 @@ init_exec_script_files(ntpd_t) logging_send_syslog_msg(ntpd_t) @@ -50973,7 +54787,7 @@ index 0d3c270..709dda1 100644 + ') ') diff --git a/numad.te b/numad.te -index f5d145d..97e1148 100644 +index f5d145d..f050103 100644 --- a/numad.te +++ b/numad.te @@ -1,4 +1,4 @@ @@ -50982,7 +54796,7 @@ index f5d145d..97e1148 100644 ######################################## # -@@ -8,29 +8,29 @@ policy_module(numad, 1.0.3) +@@ -8,37 +8,44 @@ policy_module(numad, 1.0.3) type numad_t; type numad_exec_t; init_daemon_domain(numad_t, numad_exec_t) 
@@ -51021,15 +54835,17 @@ index f5d145d..97e1148 100644 manage_files_pattern(numad_t, numad_var_run_t, numad_var_run_t) files_pid_filetrans(numad_t, numad_var_run_t, file) -@@ -39,6 +39,13 @@ kernel_read_system_state(numad_t) - dev_read_sysfs(numad_t) + kernel_read_system_state(numad_t) --files_read_etc_files(numad_t) +-dev_read_sysfs(numad_t) ++dev_rw_sysfs(numad_t) ++ +domain_use_interactive_fds(numad_t) +domain_read_all_domains_state(numad_t) +domain_setpriority_all_domains(numad_t) -+ + +-files_read_etc_files(numad_t) +fs_manage_cgroup_dirs(numad_t) +fs_rw_cgroup_files(numad_t) @@ -51073,7 +54889,7 @@ index 379af96..41ff159 100644 +/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) +/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0) diff --git a/nut.if b/nut.if -index 57c0161..54bd4d7 100644 +index 57c0161..dae3360 100644 --- a/nut.if +++ b/nut.if @@ -1,39 +1,24 @@ @@ -51129,7 +54945,7 @@ index 57c0161..54bd4d7 100644 - files_search_pids($1) - admin_pattern($1, nut_var_run_t) -+ ps_process_pattern($1, swift_t) ++ ps_process_pattern($1, nut_t) ') diff --git a/nut.te b/nut.te index 0c9deb7..76988d6 100644 @@ -52301,10 +56117,10 @@ index 0000000..a437f80 +files_read_config_files(openshift_domain) diff --git a/openshift.fc b/openshift.fc new file mode 100644 -index 0000000..f2d6119 +index 0000000..1d4e039 --- /dev/null +++ b/openshift.fc -@@ -0,0 +1,26 @@ +@@ -0,0 +1,28 @@ +/etc/rc\.d/init\.d/libra gen_context(system_u:object_r:openshift_initrc_exec_t,s0) +/etc/rc\.d/init\.d/mcollective gen_context(system_u:object_r:openshift_initrc_exec_t,s0) + 
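Review bot: `dev_rw_sysfs(numad_t)` replaces `dev_read_sysfs` and so grants write access to every sysfs node, and `domain_setpriority_all_domains(numad_t)` plus `fs_manage_cgroup_dirs`/`fs_rw_cgroup_files` arrive in the same hunk with no comment; for a NUMA balancing daemon the cgroup and priority rules are plausible, but which sysfs files it writes is not visible here. A one-line why-comment above the line, e.g. `# numad writes <sysfs node(s) — TODO(review) name them> and moves tasks between cgroups`, would let a later reviewer check whether a narrower interface exists.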
@@ -52312,6 +56128,7 @@ index 0000000..f2d6119 + +/var/lib/stickshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0) +/var/lib/stickshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0) ++/var/lib/containers(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0) +/var/lib/openshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0) +/var/lib/openshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0) + @@ -52320,7 +56137,8 @@ index 0000000..f2d6119 +/var/lib/openshift/.*/\.tmp(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0) +/var/lib/openshift/.*/\.sandbox(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0) + -+/var/log/mcollective\.log -- gen_context(system_u:object_r:openshift_log_t,s0) ++/var/log/mcollective\.log.* -- gen_context(system_u:object_r:openshift_log_t,s0) ++/var/log/openshift(/.*)? gen_context(system_u:object_r:openshift_log_t,s0) + +/usr/s?bin/(oo|rhc)-cgroup-read -- gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0) + @@ -52333,10 +56151,10 @@ index 0000000..f2d6119 +/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0) diff --git a/openshift.if b/openshift.if new file mode 100644 -index 0000000..e03de01 +index 0000000..9451b83 --- /dev/null +++ b/openshift.if -@@ -0,0 +1,700 @@ +@@ -0,0 +1,702 @@ + +## policy for openshift + @@ -52958,9 +56776,11 @@ index 0000000..e03de01 +interface(`openshift_dontaudit_rw_inherited_fifo_files',` + gen_require(` + type openshift_initrc_t; ++ type openshift_t; + ') + + dontaudit $1 openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms; ++ dontaudit $1 openshift_t:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## @@ -53039,16 +56859,24 @@ index 0000000..e03de01 +') diff --git a/openshift.te b/openshift.te new file mode 100644 -index 0000000..cd25e8e +index 0000000..ebd0c68 --- /dev/null 
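Review bot: `/var/lib/containers(/.*)?` is a generic path rather than an openshift-specific one, so labeling it `openshift_var_lib_t` also applies to any other tool that keeps data under that directory and can leave that data reachable by the openshift domains. A comment above the entry stating why openshift claims it, `# openshift uses /var/lib/containers for <reason — TODO(review)>`, or a narrower pattern if one exists, would make the intent clear.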
+++ b/openshift.te
-@@ -0,0 +1,555 @@
+@@ -0,0 +1,575 @@
+policy_module(openshift,1.0.0)
+
+gen_require(`
+ role system_r;
+')
+
++##
++##

++## Allow openshift to access nfs file systems without labels
++##

++##
++gen_tunable(openshift_use_nfs, false)
++
++
+########################################
+#
+# Declarations
@@ -53185,6 +57013,8 @@ index 0000000..cd25e8e
+allow openshift_domain self:shm create_shm_perms;
+allow openshift_domain self:sem create_sem_perms;
+dontaudit openshift_domain self:dir write;
++dontaudit openshift_domain self:rawip_socket create_socket_perms;
++
+dontaudit openshift_t self:unix_stream_socket recvfrom;
+dontaudit openshift_domain self:netlink_tcpdiag_socket create;
+dontaudit openshift_domain self:netlink_route_socket nlmsg_write;
@@ -53533,6 +57363,7 @@ index 0000000..cd25e8e
+allow openshift_cron_t self:unix_dgram_socket create_socket_perms;
+allow openshift_cron_t self:netlink_route_socket rw_netlink_socket_perms;
+
++append_files_pattern(openshift_cron_t, openshift_log_t, openshift_log_t)
+manage_dirs_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
+manage_fifo_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
+manage_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
@@ -53547,6 +57378,8 @@ index 0000000..cd25e8e
+kernel_read_network_state(openshift_cron_t)
+kernel_read_system_state(openshift_cron_t)
+
++files_dontaudit_search_all_mountpoints(openshift_cron_t)
++
+corecmd_exec_bin(openshift_cron_t)
+corecmd_exec_shell(openshift_cron_t)
+
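Review bot: The `openshift_use_nfs` tunable description says only "access nfs file systems without labels", but the `tunable_policy` block visible in the next hunk also grants `fs_exec_nfs_files(openshift_domain)`, so enabling the boolean lets every openshift domain execute code from NFS in addition to managing files there. The description should say so, e.g. `Allow openshift domains to manage and execute files on NFS file systems, which carry no per-file labels`, since administrators decide on booleans from that text.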
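Review bot: `dontaudit openshift_domain self:rawip_socket create_socket_perms;` silences raw-socket creation attempts for every openshift domain without saying which program triggers them; a dontaudit on raw sockets hides exactly the kind of denial an operator would want to see from hosted code. A comment naming the source, `# <program — TODO(review)> probes for raw sockets at startup; denial is harmless`, keeps the rule reviewable.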
@@ -53598,6 +57431,305 @@ index 0000000..cd25e8e + ssh_dontaudit_read_server_keys(openshift_cron_t) +') + ++tunable_policy(`openshift_use_nfs',` ++ fs_list_auto_mountpoints(openshift_domain) ++ fs_manage_nfs_dirs(openshift_domain) ++ fs_manage_nfs_files(openshift_domain) ++ fs_manage_nfs_symlinks(openshift_domain) ++ fs_exec_nfs_files(openshift_domain) ++') +diff --git a/opensm.fc b/opensm.fc +new file mode 100644 +index 0000000..51650fa +--- /dev/null ++++ b/opensm.fc +@@ -0,0 +1,7 @@ ++/usr/lib/systemd/system/opensm.* -- gen_context(system_u:object_r:opensm_unit_file_t,s0) ++ ++/usr/libexec/opensm-launch -- gen_context(system_u:object_r:opensm_exec_t,s0) ++ ++/var/cache/opensm(/.*)? gen_context(system_u:object_r:opensm_cache_t,s0) ++ ++/var/log/opensm\.log.* -- gen_context(system_u:object_r:opensm_log_t,s0) +diff --git a/opensm.if b/opensm.if +new file mode 100644 +index 0000000..776fda7 +--- /dev/null ++++ b/opensm.if +@@ -0,0 +1,223 @@ ++ ++## Opensm is an InfiniBand compliant Subnet Manager and Administration, and runs on top of OpenIB ++ ++######################################## ++## ++## Execute opensm in the opensm domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`opensm_domtrans',` ++ gen_require(` ++ type opensm_t, opensm_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, opensm_exec_t, opensm_t) ++') ++ ++######################################## ++## ++## Search opensm cache directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`opensm_search_cache',` ++ gen_require(` ++ type opensm_cache_t; ++ ') ++ ++ allow $1 opensm_cache_t:dir search_dir_perms; ++ files_search_var($1) ++') ++ ++######################################## ++## ++## Read opensm cache files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`opensm_read_cache_files',` ++ gen_require(` ++ type opensm_cache_t; ++ ') ++ ++ files_search_var($1) ++ read_files_pattern($1, opensm_cache_t, opensm_cache_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## opensm cache files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`opensm_manage_cache_files',` ++ gen_require(` ++ type opensm_cache_t; ++ ') ++ ++ files_search_var($1) ++ manage_files_pattern($1, opensm_cache_t, opensm_cache_t) ++') ++ ++######################################## ++## ++## Manage opensm cache dirs. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`opensm_manage_cache_dirs',` ++ gen_require(` ++ type opensm_cache_t; ++ ') ++ ++ files_search_var($1) ++ manage_dirs_pattern($1, opensm_cache_t, opensm_cache_t) ++') ++ ++######################################## ++## ++## Read opensm's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`opensm_read_log',` ++ gen_require(` ++ type opensm_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, opensm_log_t, opensm_log_t) ++') ++ ++######################################## ++## ++## Append to opensm log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`opensm_append_log',` ++ gen_require(` ++ type opensm_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, opensm_log_t, opensm_log_t) ++') ++ ++######################################## ++## ++## Manage opensm log files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`opensm_manage_log',` ++ gen_require(` ++ type opensm_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, opensm_log_t, opensm_log_t) ++ manage_files_pattern($1, opensm_log_t, opensm_log_t) ++ manage_lnk_files_pattern($1, opensm_log_t, opensm_log_t) ++') ++######################################## ++## ++## Execute opensm server in the opensm domain. 
++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`opensm_systemctl',` ++ gen_require(` ++ type opensm_t; ++ type opensm_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 opensm_unit_file_t:file read_file_perms; ++ allow $1 opensm_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, opensm_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an opensm environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`opensm_admin',` ++ gen_require(` ++ type opensm_t; ++ type opensm_cache_t; ++ type opensm_log_t; ++ type opensm_unit_file_t; ++ ') ++ ++ allow $1 opensm_t:process { signal_perms }; ++ ps_process_pattern($1, opensm_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 opensm_t:process ptrace; ++ ') ++ ++ files_search_var($1) ++ admin_pattern($1, opensm_cache_t) ++ ++ logging_search_logs($1) ++ admin_pattern($1, opensm_log_t) ++ ++ opensm_systemctl($1) ++ admin_pattern($1, opensm_unit_file_t) ++ allow $1 opensm_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/opensm.te b/opensm.te +new file mode 100644 +index 0000000..a055461 +--- /dev/null ++++ b/opensm.te +@@ -0,0 +1,44 @@ ++policy_module(opensm, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type opensm_t; ++type opensm_exec_t; ++init_daemon_domain(opensm_t, opensm_exec_t) ++ ++type opensm_cache_t; ++files_type(opensm_cache_t) ++ ++type opensm_log_t; ++logging_log_file(opensm_log_t) ++ ++type opensm_unit_file_t; ++systemd_unit_file(opensm_unit_file_t) ++ ++######################################## ++# ++# opensm local policy ++# ++allow opensm_t self:process { signal fork }; ++allow opensm_t self:fifo_file rw_fifo_file_perms; ++allow opensm_t self:unix_stream_socket 
create_stream_socket_perms; ++ ++manage_dirs_pattern(opensm_t, opensm_cache_t, opensm_cache_t) ++manage_files_pattern(opensm_t, opensm_cache_t, opensm_cache_t) ++files_var_filetrans(opensm_t, opensm_cache_t, { dir file }) ++ ++manage_files_pattern(opensm_t, opensm_log_t, opensm_log_t) ++logging_log_filetrans(opensm_t, opensm_log_t, file ) ++ ++kernel_read_system_state(opensm_t) ++ ++auth_read_passwd(opensm_t) ++ ++corecmd_exec_bin(opensm_t) ++ ++dev_read_sysfs(opensm_t) ++ ++logging_send_syslog_msg(opensm_t) diff --git a/openvpn.fc b/openvpn.fc index 300213f..4cdfe09 100644 --- a/openvpn.fc @@ -54137,7 +58269,7 @@ index 9b15730..eedd136 100644 + ') ') diff --git a/openvswitch.te b/openvswitch.te -index 508fedf..a499612 100644 +index 508fedf..452ad74 100644 --- a/openvswitch.te +++ b/openvswitch.te @@ -1,4 +1,4 @@ @@ -54160,7 +58292,7 @@ index 508fedf..a499612 100644 type openvswitch_var_lib_t; files_type(openvswitch_var_lib_t) -@@ -21,23 +18,33 @@ files_type(openvswitch_var_lib_t) +@@ -21,23 +18,34 @@ files_type(openvswitch_var_lib_t) type openvswitch_log_t; logging_log_file(openvswitch_log_t) @@ -54188,6 +58320,7 @@ index 508fedf..a499612 100644 -allow openvswitch_t self:rawip_socket create_socket_perms; -allow openvswitch_t self:unix_stream_socket { accept connectto listen }; +allow openvswitch_t self:unix_stream_socket { create_stream_socket_perms connectto }; ++allow openvswitch_t self:tcp_socket create_stream_socket_perms; +allow openvswitch_t self:netlink_socket create_socket_perms; +allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms; 
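Review bot: The `openshift_use_nfs` tunable_policy block added to openshift.te grants `fs_exec_nfs_files(openshift_domain)` next to the list/manage rules, so enabling the boolean also lets every OpenShift domain execute binaries from NFS, while the boolean's description declared earlier in this patch only says "access nfs file systems without labels". Either drop the exec line if gears are not expected to run code from NFS mounts, or extend the description so an administrator flipping the boolean knows it also permits execution. In opensm.if, the summary of `opensm_systemctl` is "Execute opensm server in the opensm domain.", the domtrans wording copied from `opensm_domtrans`; it should describe what the interface grants, `## Allow the caller to manage the opensm service via systemctl`, and "domin" in the domtrans summary is a typo that also appears in openwsman.if and osad.if.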
@@ -54202,7 +58335,7 @@ index 508fedf..a499612 100644 manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t) manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t) -@@ -45,45 +52,53 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l +@@ -45,45 +53,57 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file }) manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) @@ -54228,12 +58361,15 @@ index 508fedf..a499612 100644 - kernel_read_network_state(openvswitch_t) kernel_read_system_state(openvswitch_t) -- ++kernel_request_load_module(openvswitch_t) + -corenet_all_recvfrom_unlabeled(openvswitch_t) -corenet_all_recvfrom_netlabel(openvswitch_t) -corenet_raw_sendrecv_generic_if(openvswitch_t) -corenet_raw_sendrecv_generic_node(openvswitch_t) -+kernel_request_load_module(openvswitch_t) ++corenet_tcp_connect_openflow_port(openvswitch_t) ++corenet_tcp_bind_generic_node(openvswitch_t) ++corenet_tcp_bind_openvswitch_port(openvswitch_t) corecmd_exec_bin(openvswitch_t) +corecmd_exec_shell(openvswitch_t) 
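Review bot: `kernel_request_load_module(openvswitch_t)` lets the daemon trigger kernel module autoloading, an access normally reserved for a handful of system domains, and nothing near the line records which module it needs (presumably the openvswitch datapath module, but that is inferred). A one-line comment above it would document the intent, e.g. `# ovs-vswitchd triggers autoload of its datapath kernel module`, and if that module is already loaded by a unit file or modprobe configuration the rule may be droppable. The openvswitch.te hunk also adds three corenet bind/connect rules without a blank line or comment separating them from the kernel rules, unlike the grouping used elsewhere in the file.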
@@ -54268,6 +58404,152 @@ index 508fedf..a499612 100644
 +optional_policy(`
 + plymouthd_exec_plymouth(openvswitch_t)
 +')
+diff --git a/openwsman.fc b/openwsman.fc
+new file mode 100644
+index 0000000..00d0643
+--- /dev/null
++++ b/openwsman.fc
+@@ -0,0 +1,7 @@
++/usr/lib/systemd/system/openwsmand.* -- gen_context(system_u:object_r:openwsman_unit_file_t,s0)
++
++/usr/sbin/openwsmand -- gen_context(system_u:object_r:openwsman_exec_t,s0)
++
++/var/log/wsmand.* -- gen_context(system_u:object_r:openwsman_log_t,s0)
++
++/var/run/wsmand.* -- gen_context(system_u:object_r:openwsman_run_t,s0)
+diff --git a/openwsman.if b/openwsman.if
+new file mode 100644
+index 0000000..42ed4ba
+--- /dev/null
++++ b/openwsman.if
+@@ -0,0 +1,78 @@
++## WS-Management Server
++
++########################################
++##
++## Execute openwsman in the openwsman domin.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`openwsman_domtrans',`
++ gen_require(`
++ type openwsman_t, openwsman_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, openwsman_exec_t, openwsman_t)
++')
++########################################
++##
++## Execute openwsman server in the openwsman domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`openwsman_systemctl',`
++ gen_require(`
++ type openwsman_t;
++ type openwsman_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_passwd_run($1)
++ allow $1 openwsman_unit_file_t:file read_file_perms;
++ allow $1 openwsman_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, openwsman_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an openwsman environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`openwsman_admin',`
++ gen_require(`
++ type openwsman_t;
++ type openwsman_unit_file_t;
++ ')
++
++ allow $1 openwsman_t:process { signal_perms };
++ ps_process_pattern($1, openwsman_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 openwsman_t:process ptrace;
++ ')
++
++ openwsman_systemctl($1)
++ admin_pattern($1, openwsman_unit_file_t)
++ allow $1 openwsman_unit_file_t:service all_service_perms;
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/openwsman.te b/openwsman.te
+new file mode 100644
+index 0000000..49dc5ef
+--- /dev/null
++++ b/openwsman.te
+@@ -0,0 +1,43 @@
++policy_module(openwsman, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type openwsman_t;
++type openwsman_exec_t;
++init_daemon_domain(openwsman_t, openwsman_exec_t)
++
++type openwsman_log_t;
++logging_log_file(openwsman_log_t)
++
++type openwsman_run_t;
++files_pid_file(openwsman_run_t)
++
++type openwsman_unit_file_t;
++systemd_unit_file(openwsman_unit_file_t)
++
++########################################
++#
++# openwsman local policy
++#
++allow openwsman_t self:process { fork };
++allow openwsman_t self:fifo_file rw_fifo_file_perms;
++allow openwsman_t self:unix_stream_socket create_stream_socket_perms;
++allow openwsman_t self:tcp_socket { create_socket_perms listen };
++
++manage_files_pattern(openwsman_t, openwsman_log_t, openwsman_log_t)
++logging_log_filetrans(openwsman_t, openwsman_log_t, { file })
++
++manage_files_pattern(openwsman_t, openwsman_run_t, openwsman_run_t)
++files_pid_filetrans(openwsman_t, openwsman_run_t, { file })
++
++auth_use_nsswitch(openwsman_t)
++
++corenet_tcp_bind_vnc_port(openwsman_t)
++
++dev_read_urand(openwsman_t)
++
++logging_send_syslog_msg(openwsman_t)
++
 diff --git a/oracleasm.fc b/oracleasm.fc
 new file mode 100644
 index 0000000..80fb8c3
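Review bot: openwsman.te lets openwsman_t create and listen on a tcp_socket and binds it through `corenet_tcp_bind_vnc_port(openwsman_t)`, but there is no `corenet_tcp_bind_generic_node(openwsman_t)`, so the bind() will be denied on node_t unless something else in this policy base already grants node_bind to daemons (the other modules in this patch, pcp.te and openvswitch.te, add the node rule explicitly, which suggests it is needed here too). The vnc_port_t choice also deserves a comment, because a reader will not expect a WS-Management daemon to use the VNC port type; if it is because openwsmand's listener ports fall inside the vnc_port_t range, say so above the line: `# openwsmand listens on 5985/5986, which corenetwork labels vnc_port_t`. The daemon is also given `auth_use_nsswitch` and `dev_read_urand` but no `kernel_read_system_state`, which is worth confirming against a denial log before the module ships enforcing.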
@@ -54399,6 +58681,241 @@ index 0000000..0493b99
 +optional_policy(`
 + modutils_domtrans_insmod(oracleasm_t)
 +')
+diff --git a/osad.fc b/osad.fc
+new file mode 100644
+index 0000000..1e1eceb
+--- /dev/null
++++ b/osad.fc
+@@ -0,0 +1,7 @@
++/etc/rc\.d/init\.d/osad -- gen_context(system_u:object_r:osad_initrc_exec_t,s0)
++
++/usr/sbin/osad -- gen_context(system_u:object_r:osad_exec_t,s0)
++
++/var/log/osad -- gen_context(system_u:object_r:osad_log_t,s0)
++
++/var/run/osad.* -- gen_context(system_u:object_r:osad_var_run_t,s0)
+diff --git a/osad.if b/osad.if
+new file mode 100644
+index 0000000..05648bd
+--- /dev/null
++++ b/osad.if
+@@ -0,0 +1,165 @@
++
++## Client-side service written in Python that responds to pings and runs rhn_check when told to by osa-dispatcher.
++
++########################################
++##
++## Execute osad in the osad domin.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`osad_domtrans',`
++ gen_require(`
++ type osad_t, osad_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, osad_exec_t, osad_t)
++')
++
++########################################
++##
++## Execute osad server in the osad domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`osad_initrc_domtrans',`
++ gen_require(`
++ type osad_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, osad_initrc_exec_t)
++')
++########################################
++##
++## Read osad's log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`osad_read_log',`
++ gen_require(`
++ type osad_log_t;
++ ')
++
++ logging_search_logs($1)
++ read_files_pattern($1, osad_log_t, osad_log_t)
++')
++
++########################################
++##
++## Append to osad log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`osad_append_log',`
++ gen_require(`
++ type osad_log_t;
++ ')
++
++ logging_search_logs($1)
++ append_files_pattern($1, osad_log_t, osad_log_t)
++')
++
++########################################
++##
++## Manage osad log files
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`osad_manage_log',`
++ gen_require(`
++ type osad_log_t;
++ ')
++
++ logging_search_logs($1)
++ manage_dirs_pattern($1, osad_log_t, osad_log_t)
++ manage_files_pattern($1, osad_log_t, osad_log_t)
++ manage_lnk_files_pattern($1, osad_log_t, osad_log_t)
++')
++########################################
++##
++## Read osad PID files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`osad_read_pid_files',`
++ gen_require(`
++ type osad_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, osad_var_run_t, osad_var_run_t)
++')
++
++
++########################################
++##
++## All of the rules required to administrate
++## an osad environment
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`osad_admin',`
++ gen_require(`
++ type osad_t;
++ type osad_initrc_exec_t;
++ type osad_log_t;
++ type osad_var_run_t;
++ ')
++
++ allow $1 osad_t:process { signal_perms };
++ ps_process_pattern($1, osad_t)
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $1 osad_t:process ptrace;
++ ')
++
++ osad_initrc_domtrans($1)
++ domain_system_change_exemption($1)
++ role_transition $2 osad_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ logging_search_logs($1)
++ admin_pattern($1, osad_log_t)
++
++ files_search_pids($1)
++ admin_pattern($1, osad_var_run_t)
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
++')
+diff --git a/osad.te b/osad.te
+new file mode 100644
+index 0000000..a40fcc3
+--- /dev/null
++++ b/osad.te
+@@ -0,0 +1,45 @@
++policy_module(osad, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type osad_t;
++type osad_exec_t;
++init_daemon_domain(osad_t, osad_exec_t)
++
++type osad_initrc_exec_t;
++init_script_file(osad_initrc_exec_t)
++
++type osad_log_t;
++logging_log_file(osad_log_t)
++
++type osad_var_run_t;
++files_pid_file(osad_var_run_t)
++
++########################################
++#
++# osad local policy
++#
++allow osad_t self:process setpgid;
++
++manage_files_pattern(osad_t, osad_log_t, osad_log_t)
++logging_log_filetrans(osad_t, osad_log_t, { file })
++
++manage_files_pattern(osad_t, osad_var_run_t, osad_var_run_t)
++files_pid_filetrans(osad_t, osad_var_run_t, { file})
++
++kernel_read_system_state(osad_t)
++
++auth_read_passwd(osad_t)
++
++dev_read_urand(osad_t)
++
++optional_policy(`
++ gnome_dontaudit_search_config(osad_t)
++')
++
++optional_policy(`
++ rhnsd_manage_config(osad_t)
++')
 diff --git a/pacemaker.fc b/pacemaker.fc
 index 2f0ad56..d4da0b8 100644
 --- a/pacemaker.fc
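Review bot: osad.te gives osad_t no network rules at all (no corenet connect or bind, no `auth_use_nsswitch`) and no `corecmd_exec_bin` or domain transition for rhn_check, yet the module summary in osad.if says the service responds to pings from osa-dispatcher and runs rhn_check when told to; as written, an enforcing osad_t cannot do either. If the intent is to ship the domain permissive while denials are collected, that should be stated in a comment above the local-policy section, e.g. `# network and rhn_check accesses still to be collected; domain is expected to run permissive`; otherwise the connect and exec rules need adding. `files_pid_filetrans(osad_t, osad_var_run_t, { file})` is missing the space before `}` that every other filetrans line in this patch uses. The osad.fc entry `/var/log/osad -- ...` matches only that exact name, unlike the `\.log.*` pattern used for opensm in this same patch, so a restorecon would relabel any rotated copy back to var_log_t; `/var/log/osad.* -- gen_context(system_u:object_r:osad_log_t,s0)` would be consistent if the log is rotated by suffix.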
@@ -55108,6 +59625,468 @@ index 3ad10b5..49baca5 100644 seutil_sigchld_newrole(cardmgr_t) ') +diff --git a/pcp.fc b/pcp.fc +new file mode 100644 +index 0000000..9b8cb6b +--- /dev/null ++++ b/pcp.fc +@@ -0,0 +1,28 @@ ++/etc/rc\.d/init\.d/pmcd -- gen_context(system_u:object_r:pcp_pmcd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/pmproxy -- gen_context(system_u:object_r:pcp_pmproxy_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/pmwebd -- gen_context(system_u:object_r:pcp_pmwebd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/pmie -- gen_context(system_u:object_r:pcp_pmie_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/pmmgr -- gen_context(system_u:object_r:pcp_pmmgr_initrc_exec_t,s0) ++ ++/usr/bin/pmie -- gen_context(system_u:object_r:pcp_pmie_exec_t,s0) ++/usr/bin/pmcd -- gen_context(system_u:object_r:pcp_pmcd_exec_t,s0) ++/usr/bin/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0) ++/usr/bin/pmproxy -- gen_context(system_u:object_r:pcp_pmproxy_exec_t,s0) ++/usr/bin/pmwebd -- gen_context(system_u:object_r:pcp_pmwebd_exec_t,s0) ++/usr/bin/pmmgr -- gen_context(system_u:object_r:pcp_pmmgr_exec_t,s0) ++ ++ ++/usr/libexec/pcp/bin/pmcd -- gen_context(system_u:object_r:pcp_pmcd_exec_t,s0) ++/usr/libexec/pcp/bin/pmlogger -- gen_context(system_u:object_r:pcp_pmlogger_exec_t,s0) ++/usr/libexec/pcp/bin/pmproxy -- gen_context(system_u:object_r:pcp_pmproxy_exec_t,s0) ++/usr/libexec/pcp/bin/pmwebd -- gen_context(system_u:object_r:pcp_pmwebd_exec_t,s0) ++/usr/libexec/pcp/bin/pmie -- gen_context(system_u:object_r:pcp_pmie_exec_t,s0) ++/usr/libexec/pcp/bin/pmmgr -- gen_context(system_u:object_r:pcp_pmmgr_exec_t,s0) ++ ++/var/lib/pcp(/.*)? gen_context(system_u:object_r:pcp_var_lib_t,s0) ++ ++/var/log/pcp(/.*)? gen_context(system_u:object_r:pcp_log_t,s0) ++ ++/var/run/pcp(/.*)? 
gen_context(system_u:object_r:pcp_var_run_t,s0) ++/var/run/pmcd\.socket -- gen_context(system_u:object_r:pcp_var_run_t,s0) +diff --git a/pcp.if b/pcp.if +new file mode 100644 +index 0000000..ba24b40 +--- /dev/null ++++ b/pcp.if +@@ -0,0 +1,139 @@ ++## The pcp command summarizes the status of a Performance Co-Pilot (PCP) installation ++ ++###################################### ++## ++## Creates types and rules for a basic ++## pcp daemon domain. ++## ++## ++## ++## Prefix for the domain. ++## ++## ++# ++template(`pcp_domain_template',` ++ gen_require(` ++ attribute pcp_domain; ++ ') ++ ++ type pcp_$1_t, pcp_domain; ++ type pcp_$1_exec_t; ++ init_daemon_domain(pcp_$1_t, pcp_$1_exec_t) ++ ++ type pcp_$1_initrc_exec_t; ++ init_script_file(pcp_$1_initrc_exec_t) ++ ++') ++ ++###################################### ++## ++## Allow domain to read pcp lib files ++## ++## ++## ++## Prefix for the domain. ++## ++## ++# ++interface(`pcp_read_lib_files',` ++ gen_require(` ++ type pcp_var_lib_t; ++ ') ++ libs_search_lib($1) ++ read_files_pattern($1,pcp_var_lib_t,pcp_var_lib_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an pcp environment ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++# ++interface(`pcp_admin',` ++ gen_require(` ++ type pcp_pmcd_t; ++ type pcp_pmlogger_t; ++ type pcp_pmproxy_t; ++ type pcp_pmwebd_t; ++ type pcp_pmie_t; ++ type pcp_pmmgr_t; ++ type pcp_var_run_t; ++ ') ++ ++ allow $1 pcp_pmcd_t:process signal_perms; ++ ps_process_pattern($1, pcp_pmcd_t) ++ ++ allow $1 pcp_pmlogger_t:process signal_perms; ++ ps_process_pattern($1, pcp_pmlogger_t) ++ ++ allow $1 pcp_pmproxy_t:process signal_perms; ++ ps_process_pattern($1, pcp_pmproxy_t) ++ ++ allow $1 pcp_pmwebd_t:process signal_perms; ++ ps_process_pattern($1, pcp_pmwebd_t) ++ ++ allow $1 pcp_pmie_t:process signal_perms; ++ ps_process_pattern($1, pcp_pmie_t) ++ ++ allow $1 pcp_pmmgr_t:process signal_perms; ++ ps_process_pattern($1, pcp_pmmgr_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 pcp_pmcd_t:process ptrace; ++ allow $1 pcp_pmlogger_t:process ptrace; ++ allow $1 pcp_pmproxy_t:process ptrace; ++ allow $1 pcp_pmwebd_t:process ptrace; ++ allow $1 pcp_pmie_t:process ptrace; ++ allow $1 pcp_pmmgr_t:process ptrace; ++ ') ++ ++ files_search_pids($1) ++ admin_pattern($1, pcp_var_run_t) ++') ++ ++######################################## ++## ++## Allow the specified domain to execute pcp_pmie ++## in the caller domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`pcp_pmie_exec',` ++ gen_require(` ++ type pcp_pmie_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, pcp_pmie_exec_t) ++') ++ ++######################################## ++## ++## Allow the specified domain to execute pcp_pmlogger ++## in the caller domain. ++## ++## ++## ++## Domain allowed to transition. 
++## ++## ++# ++interface(`pcp_pmlogger_exec',` ++ gen_require(` ++ type pcp_pmlogger_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, pcp_pmlogger_exec_t) ++') ++ +diff --git a/pcp.te b/pcp.te +new file mode 100644 +index 0000000..b756da3 +--- /dev/null ++++ b/pcp.te +@@ -0,0 +1,277 @@ ++policy_module(pcp, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++## ++##

++## Allow pcp to bind to all unreserved_ports ++##

++##
++##
++gen_tunable(pcp_bind_all_unreserved_ports, false)
++
++attribute pcp_domain;
++
++pcp_domain_template(pmcd)
++pcp_domain_template(pmlogger)
++pcp_domain_template(pmproxy)
++pcp_domain_template(pmwebd)
++pcp_domain_template(pmie)
++pcp_domain_template(pmmgr)
++
++type pcp_log_t;
++logging_log_file(pcp_log_t)
++
++type pcp_var_lib_t;
++files_type(pcp_var_lib_t)
++
++type pcp_var_run_t;
++files_pid_file(pcp_var_run_t)
++
++type pcp_tmp_t;
++files_tmp_file(pcp_tmp_t)
++
++type pcp_tmpfs_t;
++files_tmpfs_file(pcp_tmpfs_t)
++
++########################################
++#
++# pcp domain local policy
++#
++
++allow pcp_domain self:capability { setuid setgid dac_override };
++allow pcp_domain self:process signal_perms;
++allow pcp_domain self:tcp_socket create_stream_socket_perms;
++allow pcp_domain self:udp_socket create_socket_perms;
++
++manage_dirs_pattern(pcp_domain, pcp_log_t, pcp_log_t)
++manage_files_pattern(pcp_domain, pcp_log_t, pcp_log_t)
++logging_log_filetrans(pcp_domain, pcp_log_t, { dir })
++
++manage_dirs_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t)
++manage_files_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t)
++exec_files_pattern(pcp_domain, pcp_var_lib_t, pcp_var_lib_t)
++files_var_lib_filetrans(pcp_domain, pcp_var_lib_t, { dir})
++
++manage_dirs_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
++manage_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
++manage_sock_files_pattern(pcp_domain, pcp_var_run_t, pcp_var_run_t)
++files_pid_filetrans(pcp_domain, pcp_var_run_t, { dir file sock_file })
++
++manage_dirs_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t)
++manage_files_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t)
++manage_sock_files_pattern(pcp_domain, pcp_tmp_t, pcp_tmp_t)
++files_tmp_filetrans(pcp_domain, pcp_tmp_t, { dir file sock_file })
++
++manage_dirs_pattern(pcp_domain, pcp_tmpfs_t, pcp_tmpfs_t)
++manage_files_pattern(pcp_domain, pcp_tmpfs_t, pcp_tmpfs_t)
++fs_tmpfs_filetrans(pcp_domain, pcp_tmpfs_t, { dir file })
++
++dev_read_urand(pcp_domain)
++
++files_read_etc_files(pcp_domain)
++
++fs_getattr_all_fs(pcp_domain)
++
++auth_read_passwd(pcp_domain)
++
++miscfiles_read_generic_certs(pcp_domain)
++
++sysnet_read_config(pcp_domain)
++
++########################################
++#
++# pcp_pmcd local policy
++#
++
++allow pcp_pmcd_t self:process { setsched };
++allow pcp_pmcd_t self:netlink_route_socket create_socket_perms;
++allow pcp_pmcd_t self:unix_dgram_socket create_socket_perms;
++
++auth_use_nsswitch(pcp_pmcd_t)
++
++kernel_get_sysvipc_info(pcp_pmcd_t)
++kernel_read_network_state(pcp_pmcd_t)
++kernel_read_system_state(pcp_pmcd_t)
++kernel_read_state(pcp_pmcd_t)
++kernel_read_fs_sysctls(pcp_pmcd_t)
++kernel_read_rpc_sysctls(pcp_pmcd_t)
++kernel_read_debugfs(pcp_pmcd_t)
++
++corecmd_exec_bin(pcp_pmcd_t)
++
++corenet_tcp_bind_amqp_port(pcp_pmcd_t)
++corenet_tcp_connect_amqp_port(pcp_pmcd_t)
++corenet_tcp_connect_http_port(pcp_pmcd_t)
++corenet_tcp_connect_all_ephemeral_ports(pcp_pmcd_t)
++
++domain_read_all_domains_state(pcp_pmcd_t)
++domain_getattr_all_domains(pcp_pmcd_t)
++
++dev_getattr_all_blk_files(pcp_pmcd_t)
++dev_getattr_all_chr_files(pcp_pmcd_t)
++dev_read_sysfs(pcp_pmcd_t)
++dev_read_urand(pcp_pmcd_t)
++
++fs_getattr_all_fs(pcp_pmcd_t)
++fs_getattr_all_dirs(pcp_pmcd_t)
++fs_list_cgroup_dirs(pcp_pmcd_t)
++fs_read_cgroup_files(pcp_pmcd_t)
++
++hostname_exec(pcp_pmcd_t)
++
++init_read_utmp(pcp_pmcd_t)
++
++logging_send_syslog_msg(pcp_pmcd_t)
++
++sendmail_read_log(pcp_pmcd_t)
++
++storage_getattr_fixed_disk_dev(pcp_pmcd_t)
++
++userdom_read_user_tmp_files(pcp_pmcd_t)
++
++tunable_policy(`pcp_bind_all_unreserved_ports',`
++ corenet_sendrecv_all_server_packets(pcp_pmcd_t)
++ corenet_tcp_bind_all_unreserved_ports(pcp_pmcd_t)
++')
++
++optional_policy(`
++ dbus_system_bus_client(pcp_pmcd_t)
++
++ optional_policy(`
++ avahi_dbus_chat(pcp_pmcd_t)
++ ')
++')
++
++optional_policy(`
++ unconfined_domain(pcp_pmcd_t)
++')
++
++optional_policy(`
++ rpm_read_db(pcp_pmcd_t)
++')
++
++optional_policy(`
++ rpcbind_stream_connect(pcp_pmcd_t)
++')
++
++optional_policy(`
++ pcp_pmie_exec(pcp_pmcd_t)
++')
++
++optional_policy(`
++ mta_read_config(pcp_pmcd_t)
++')
++
++########################################
++#
++# pcp_pmproxy local policy
++#
++
++allow pcp_pmproxy_t self:process setsched;
++allow pcp_pmproxy_t self:netlink_route_socket create_socket_perms;
++allow pcp_pmproxy_t self:unix_dgram_socket create_socket_perms;
++
++auth_use_nsswitch(pcp_pmproxy_t)
++
++logging_send_syslog_msg(pcp_pmproxy_t)
++
++optional_policy(`
++ unconfined_domain(pcp_pmproxy_t)
++')
++
++########################################
++#
++# pcp_pmwebd local policy
++#
++
++corenet_tcp_bind_generic_node(pcp_pmwebd_t)
++
++optional_policy(`
++ unconfined_domain(pcp_pmwebd_t)
++')
++
++########################################
++#
++# pcp_pmmgr local policy
++#
++
++allow pcp_pmmgr_t self:process { setpgid };
++allow pcp_pmmgr_t self:unix_dgram_socket create_socket_perms;
++allow pcp_pmmgr_t pcp_pmcd_t:unix_stream_socket connectto;
++
++kernel_read_system_state(pcp_pmmgr_t)
++
++auth_use_nsswitch(pcp_pmmgr_t)
++
++corenet_udp_bind_dey_sapi_port(pcp_pmmgr_t)
++
++corenet_tcp_bind_commplex_link_port(pcp_pmmgr_t)
++corenet_tcp_bind_dey_sapi_port(pcp_pmmgr_t)
++
++corenet_tcp_connect_all_ephemeral_ports(pcp_pmmgr_t)
++
++corecmd_exec_bin(pcp_pmmgr_t)
++
++logging_send_syslog_msg(pcp_pmmgr_t)
++
++optional_policy(`
++ pcp_pmie_exec(pcp_pmmgr_t)
++ pcp_pmlogger_exec(pcp_pmmgr_t)
++')
++
++optional_policy(`
++ unconfined_domain(pcp_pmmgr_t)
++')
++
++########################################
++#
++# pcp_pmie local policy
++#
++
++allow pcp_pmie_t self:netlink_route_socket { create_socket_perms nlmsg_read };
++allow pcp_pmie_t self:unix_dgram_socket { create_socket_perms sendto };
++
++allow pcp_pmie_t pcp_pmcd_t:unix_stream_socket connectto;
++
++kernel_read_system_state(pcp_pmie_t)
++
++corecmd_exec_bin(pcp_pmie_t)
++
++corenet_tcp_connect_all_ephemeral_ports(pcp_pmie_t)
++
++logging_send_syslog_msg(pcp_pmie_t) ++ ++userdom_read_user_tmp_files(pcp_pmie_t) ++ ++optional_policy(` ++ unconfined_domain(pcp_pmie_t) ++') ++ ++######################################## ++# ++# pcp_pmlogger local policy ++# ++ ++allow pcp_pmlogger_t self:process setpgid; ++allow pcp_pmlogger_t self:netlink_route_socket {create_socket_perms nlmsg_read }; ++ ++allow pcp_pmlogger_t pcp_pmcd_t:unix_stream_socket connectto; ++ ++corenet_tcp_bind_generic_node(pcp_pmlogger_t) ++corenet_tcp_bind_dey_sapi_port(pcp_pmlogger_t) ++corenet_tcp_bind_commplex_link_port(pcp_pmlogger_t) ++corenet_tcp_bind_amqp_port(pcp_pmlogger_t) ++ ++corenet_tcp_connect_all_ephemeral_ports(pcp_pmlogger_t) ++ ++tunable_policy(`pcp_bind_all_unreserved_ports',` ++ corenet_sendrecv_all_server_packets(pcp_pmlogger_t) ++ corenet_tcp_bind_all_unreserved_ports(pcp_pmlogger_t) ++') ++ ++optional_policy(` ++ unconfined_domain(pcp_pmlogger_t) ++') diff --git a/pcscd.if b/pcscd.if index 43d50f9..7f77d32 100644 --- a/pcscd.if @@ -55122,12 +60101,15 @@ index 43d50f9..7f77d32 100644 ######################################## diff --git a/pcscd.te b/pcscd.te -index 96db654..ff3aadd 100644 +index 96db654..a958595 100644 --- a/pcscd.te +++ b/pcscd.te -@@ -24,8 +24,9 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd") +@@ -22,10 +22,11 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd") + # + allow pcscd_t self:capability { dac_override dac_read_search fsetid }; - allow pcscd_t self:process signal; +-allow pcscd_t self:process signal; ++allow pcscd_t self:process { signal signull }; allow pcscd_t self:fifo_file rw_fifo_file_perms; -allow pcscd_t self:unix_stream_socket { accept listen }; -allow pcscd_t self:tcp_socket { accept listen }; 
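Review bot: pcp.te wraps `unconfined_domain(pcp_pmcd_t)` in `optional_policy`, and does the same for pcp_pmproxy_t, pcp_pmwebd_t, pcp_pmmgr_t, pcp_pmie_t and pcp_pmlogger_t, so on any system where the unconfined module is loaded every PCP daemon runs fully unconfined and the detailed allow rules above each block are dead code; pmcd in particular already receives dac_override, setuid and setgid through pcp_domain and `domain_read_all_domains_state`. If these domains are not ready to be enforced, a `permissive pcp_pmcd_t;` statement per domain keeps denials visible in the audit log and can be lifted later, whereas unconfined_domain grants silent full access with nothing to collect. In pcp.if, `pcp_read_lib_files` calls `libs_search_lib($1)` to reach pcp_var_lib_t, but per pcp.fc those files live under /var/lib, so the search rule should be `files_search_var_lib($1)`; the same interface's parameter summary says "Prefix for the domain", copied from the template above it, and should read `## Domain allowed access.`. `read_files_pattern($1,pcp_var_lib_t,pcp_var_lib_t)` also drops the spaces after commas used everywhere else in the file.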
@@ -55145,7 +60127,14 @@ index 96db654..ff3aadd 100644 corenet_all_recvfrom_netlabel(pcscd_t) corenet_tcp_sendrecv_generic_if(pcscd_t) corenet_tcp_sendrecv_generic_node(pcscd_t) -@@ -50,7 +50,6 @@ dev_rw_smartcard(pcscd_t) +@@ -45,12 +45,13 @@ corenet_sendrecv_http_client_packets(pcscd_t) + corenet_tcp_connect_http_port(pcscd_t) + corenet_tcp_sendrecv_http_port(pcscd_t) + ++domain_read_all_domains_state(pcscd_t) ++ + dev_rw_generic_usb_dev(pcscd_t) + dev_rw_smartcard(pcscd_t) dev_rw_usbfs(pcscd_t) dev_read_sysfs(pcscd_t) @@ -55153,7 +60142,7 @@ index 96db654..ff3aadd 100644 files_read_etc_runtime_files(pcscd_t) term_use_unallocated_ttys(pcscd_t) -@@ -60,8 +59,6 @@ locallogin_use_fds(pcscd_t) +@@ -60,16 +61,22 @@ locallogin_use_fds(pcscd_t) logging_send_syslog_msg(pcscd_t) @@ -55161,8 +60150,24 @@ index 96db654..ff3aadd 100644 - sysnet_dns_name_resolve(pcscd_t) ++userdom_read_all_users_state(pcscd_t) ++ optional_policy(` -@@ -85,3 +82,7 @@ optional_policy(` + dbus_system_bus_client(pcscd_t) + + optional_policy(` + hal_dbus_chat(pcscd_t) + ') ++ ++ optional_policy(` ++ policykit_dbus_chat(pcscd_t) ++ policykit_dbus_chat_auth(pcscd_t) ++ ') ++ + ') + + optional_policy(` +@@ -85,3 +92,7 @@ optional_policy(` optional_policy(` udev_read_db(pcscd_t) ') @@ -55171,10 +60176,10 @@ index 96db654..ff3aadd 100644 + virt_rw_svirt_dev(pcscd_t) +') diff --git a/pegasus.fc b/pegasus.fc -index dfd46e4..31122bd 100644 +index dfd46e4..d40433a 100644 --- a/pegasus.fc +++ b/pegasus.fc -@@ -1,15 +1,26 @@ +@@ -1,15 +1,32 @@ -/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) + +/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0) 
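Review bot: `domain_read_all_domains_state(pcscd_t)` in this hunk, together with `userdom_read_all_users_state(pcscd_t)` in the next one (`@@ -55161,8 +60150,24 @@`), lets the smartcard daemon read the /proc state of every process on the system, and nothing records why a device daemon needs that; the grants arrive alongside the new `policykit_dbus_chat` rules, so presumably pcscd is identifying its calling processes for polkit authorization, but that is inferred. A comment above the first rule would let a later reviewer judge whether a narrower grant is possible, e.g. `# pcscd looks up client processes in /proc for polkit access checks`. The `signull` addition in the earlier pcscd hunk is consistent with that reading and needs no further note.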
@@ -55198,17 +60203,23 @@ index dfd46e4..31122bd 100644 +/var/lib/openlmi-storage(/.*)? gen_context(system_u:object_r:pegasus_openlmi_storage_lib_t,s0) -/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0) -+#openlmi agents ++/var/run/openlmi-storage(/.*)? gen_context(system_u:object_r:pegasus_openlmi_storage_var_run_t,s0) ++ +/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0) -+/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0) ++ +/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0) ++ ++/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0) +/usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0) +/usr/libexec/pegasus/cmpiLMI_PowerManagement-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0) ++ +/usr/libexec/pegasus/cmpiLMI_Realmd-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_services_exec_t,s0) -+/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0) + ++/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0) ++/usr/libexec/pegasus/cmpiLMI_Journald-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0) + +/usr/libexec/pegasus/pycmpiLMI_Storage-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0) ++/usr/libexec/pegasus/cmpiLMI_Hardware-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0) diff --git a/pegasus.if b/pegasus.if index d2fc677..ded726f 100644 --- a/pegasus.if @@ -55310,7 +60321,7 @@ index d2fc677..ded726f 100644 ') + 
diff --git a/pegasus.te b/pegasus.te -index 7bcf327..22a5b66 100644 +index 7bcf327..6c3afa0 100644 --- a/pegasus.te +++ b/pegasus.te @@ -1,17 +1,16 @@ @@ -55334,13 +60345,14 @@ index 7bcf327..22a5b66 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,269 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,319 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) +# pegasus openlmi providers +pegasus_openlmi_domain_template(admin) +typealias pegasus_openlmi_admin_t alias pegasus_openlmi_service_t; ++typealias pegasus_openlmi_admin_exec_t alias pegasus_openlmi_service_exec_t; + +pegasus_openlmi_domain_template(account) +domain_obj_id_change_exemption(pegasus_openlmi_account_t) @@ -55356,6 +60368,9 @@ index 7bcf327..22a5b66 100644 +type pegasus_openlmi_storage_lib_t; +files_type(pegasus_openlmi_storage_lib_t) + ++type pegasus_openlmi_storage_var_run_t; ++files_pid_file(pegasus_openlmi_storage_var_run_t) ++ +pegasus_openlmi_domain_template(system) +typealias pegasus_openlmi_system_t alias pegasus_openlmi_networking_t; +pegasus_openlmi_domain_template(unconfined) @@ -55480,7 +60495,8 @@ index 7bcf327..22a5b66 100644 +# pegasus openlmi system (networking) local policy +# + -+allow pegasus_openlmi_system_t self:capability { net_admin }; ++allow pegasus_openlmi_system_t self:capability { net_admin sys_boot }; ++allow pegasus_openlmi_system_t self:process signal_perms; + +allow pegasus_openlmi_system_t self:netlink_route_socket r_netlink_socket_perms; + @@ -55489,6 +60505,11 @@ index 7bcf327..22a5b66 100644 +dev_rw_sysfs(pegasus_openlmi_system_t) +dev_read_urand(pegasus_openlmi_system_t) + ++init_read_utmp(pegasus_openlmi_system_t) ++ ++systemd_config_power_services(pegasus_openlmi_system_t) ++systemd_dbus_chat_logind(pegasus_openlmi_system_t) ++ +optional_policy(` + dbus_system_bus_client(pegasus_openlmi_system_t) +') 
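Review bot: The `sys_boot` capability added to pegasus_openlmi_system_t in the `@@ -55480` hunk sits under a section header that still reads `# pegasus openlmi system (networking) local policy`, so a reader cannot tell which provider needs the reboot capability. The pegasus.fc hunk earlier in this patch maps cmpiLMI_PowerManagement-cimprovagt to pegasus_openlmi_system_exec_t, which is presumably the consumer; the header should say so, `# pegasus openlmi system (networking, power management) local policy`, and a why-comment above the allow rule, e.g. `# sys_boot: presumably the PowerManagement provider; confirm`, would make the grant auditable. The `systemd_config_power_services` and `systemd_dbus_chat_logind` lines in the `@@ -55489` hunk belong to the same justification and should be grouped under it.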
@@ -55502,9 +60523,12 @@ index 7bcf327..22a5b66 100644 +# pegasus openlmi service local policy +# + ++init_manage_transient_unit(pegasus_openlmi_admin_t) +init_disable_services(pegasus_openlmi_admin_t) +init_enable_services(pegasus_openlmi_admin_t) +init_reload_services(pegasus_openlmi_admin_t) ++init_status(pegasus_openlmi_admin_t) ++init_reboot(pegasus_openlmi_admin_t) +init_exec(pegasus_openlmi_admin_t) + +systemd_config_all_services(pegasus_openlmi_admin_t) @@ -55515,6 +60539,14 @@ index 7bcf327..22a5b66 100644 + +optional_policy(` + dbus_system_bus_client(pegasus_openlmi_admin_t) ++ ++ optional_policy(` ++ init_dbus_chat(pegasus_openlmi_admin_t) ++ ') ++') ++ ++optional_policy(` ++ sssd_stream_connect(pegasus_openlmi_admin_t) +') + +###################################### @@ -55522,7 +60554,10 @@ index 7bcf327..22a5b66 100644 +# pegasus openlmi storage local policy +# + -+allow pegasus_openlmi_storage_t self:capability { sys_admin sys_rawio }; ++allow pegasus_openlmi_storage_t self:capability { sys_admin sys_rawio sys_resource ipc_lock }; ++allow pegasus_openlmi_storage_t self:process setrlimit; ++ ++allow pegasus_openlmi_storage_t self:netlink_route_socket r_netlink_socket_perms; + +manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, pegasus_openlmi_storage_lib_t) +manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, pegasus_openlmi_storage_lib_t) 
@@ -55532,9 +60567,16 @@ index 7bcf327..22a5b66 100644 +manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t) +files_tmp_filetrans(pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t, { file dir}) + ++manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, pegasus_openlmi_storage_var_run_t) ++manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, pegasus_openlmi_storage_var_run_t) ++files_pid_filetrans(pegasus_openlmi_storage_t, pegasus_openlmi_storage_var_run_t, dir, "openlmi-storage") ++ +kernel_read_all_sysctls(pegasus_openlmi_storage_t) ++kernel_read_network_state(pegasus_openlmi_storage_t) +kernel_get_sysvipc_info(pegasus_openlmi_storage_t) ++kernel_request_load_module(pegasus_openlmi_storage_t) + ++dev_read_raw_memory(pegasus_openlmi_storage_t) +dev_read_rand(pegasus_openlmi_storage_t) +dev_read_urand(pegasus_openlmi_storage_t) + @@ -55545,9 +60587,13 @@ index 7bcf327..22a5b66 100644 + +seutil_read_file_contexts(pegasus_openlmi_storage_t) + ++storage_raw_read_removable_device(pegasus_openlmi_storage_t) ++storage_raw_write_removable_device(pegasus_openlmi_storage_t) +storage_raw_read_fixed_disk(pegasus_openlmi_storage_t) +storage_raw_write_fixed_disk(pegasus_openlmi_storage_t) + ++files_read_kernel_modules(pegasus_openlmi_storage_t) ++ +fs_getattr_all_fs(pegasus_openlmi_storage_t) + +modutils_domtrans_insmod(pegasus_openlmi_storage_t) @@ -55555,6 +60601,10 @@ index 7bcf327..22a5b66 100644 +udev_domtrans(pegasus_openlmi_storage_t) +udev_read_pid_files(pegasus_openlmi_storage_t) + ++init_read_state(pegasus_openlmi_storage_t) ++ ++miscfiles_read_hwdata(pegasus_openlmi_storage_t) ++ +optional_policy(` + dmidecode_domtrans(pegasus_openlmi_storage_t) +') 
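Review bot: `dev_read_raw_memory(pegasus_openlmi_storage_t)` in the `@@ -55532` hunk gives the storage provider direct read access to the raw memory devices, while the `@@ -55555` hunk in the same range keeps `dmidecode_domtrans(pegasus_openlmi_storage_t)`; if the raw-memory read exists only to obtain DMI/SMBIOS data, the transition to the dmidecode domain already confines that access and the direct grant can be dropped. Together with `sys_rawio`, `kernel_request_load_module` and `storage_raw_write_fixed_disk` the storage domain is now close to unconfined, so any remaining need should be recorded beside the rule, e.g. `# dev_read_raw_memory: needed by <TODO: name the tool or library that reads raw memory>`. If no such consumer can be named, removing that one line is the smaller change.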
@@ -55564,7 +60614,18 @@ index 7bcf327..22a5b66 100644 +') + +optional_policy(` ++ iscsi_manage_lock(pegasus_openlmi_storage_t) ++ iscsi_read_lib_files(pegasus_openlmi_storage_t) ++') ++ ++optional_policy(` ++ libs_exec_ldconfig(pegasus_openlmi_storage_t) ++') ++ ++optional_policy(` + lvm_domtrans(pegasus_openlmi_storage_t) ++ lvm_read_metadata(pegasus_openlmi_storage_t) ++ lvm_write_metadata(pegasus_openlmi_storage_t) +') + +optional_policy(` @@ -55609,7 +60670,7 @@ index 7bcf327..22a5b66 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +302,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,22 +352,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) @@ -55640,7 +60701,7 @@ index 7bcf327..22a5b66 100644 kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) -@@ -80,27 +328,21 @@ kernel_read_net_sysctls(pegasus_t) +@@ -80,27 +378,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) @@ -55673,7 +60734,7 @@ index 7bcf327..22a5b66 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,6 +356,7 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,9 +406,11 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) 
@@ -55681,7 +60742,11 @@ index 7bcf327..22a5b66 100644 domain_use_interactive_fds(pegasus_t) domain_read_all_domains_state(pegasus_t) -@@ -128,18 +371,25 @@ init_stream_connect_script(pegasus_t) ++domain_named_filetrans(pegasus_t) + + files_list_var_lib(pegasus_t) + files_read_var_lib_files(pegasus_t) +@@ -128,18 +422,29 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) @@ -55697,12 +60762,16 @@ index 7bcf327..22a5b66 100644 optional_policy(` - dbus_system_bus_client(pegasus_t) - dbus_connect_system_bus(pegasus_t) -+ dbus_system_bus_client(pegasus_t) -+ dbus_connect_system_bus(pegasus_t) ++ dmidecode_domtrans(pegasus_t) ++') - optional_policy(` - networkmanager_dbus_chat(pegasus_t) - ') ++optional_policy(` ++ dbus_system_bus_client(pegasus_t) ++ dbus_connect_system_bus(pegasus_t) ++ + optional_policy(` + networkmanager_dbus_chat(pegasus_t) + ') @@ -55713,7 +60782,7 @@ index 7bcf327..22a5b66 100644 ') optional_policy(` -@@ -151,16 +401,24 @@ optional_policy(` +@@ -151,16 +456,24 @@ optional_policy(` ') optional_policy(` @@ -55742,7 +60811,7 @@ index 7bcf327..22a5b66 100644 ') optional_policy(` -@@ -168,7 +426,7 @@ optional_policy(` +@@ -168,7 +481,7 @@ optional_policy(` ') optional_policy(` @@ -55751,6 +60820,15 @@ index 7bcf327..22a5b66 100644 ') optional_policy(` +@@ -180,6 +493,8 @@ optional_policy(` + ') + + optional_policy(` ++ virt_getattr_images(pegasus_t) ++ virt_getattr_content(pegasus_t) + virt_domtrans(pegasus_t) + virt_stream_connect(pegasus_t) + virt_manage_config(pegasus_t) diff --git a/pesign.fc b/pesign.fc new file mode 100644 index 0000000..7b54c39 @@ -56791,10 +61869,10 @@ index 0000000..848ddc9 +') diff --git a/pkcsslotd.te b/pkcsslotd.te new file mode 100644 -index 0000000..2ce92e0 +index 0000000..a82ca85 --- /dev/null +++ b/pkcsslotd.te -@@ -0,0 +1,67 @@ +@@ -0,0 +1,69 @@ +policy_module(pkcsslotd, 1.0.0) + +######################################## 
@@ -56862,9 +61940,11 @@ index 0000000..2ce92e0 +auth_read_passwd(pkcsslotd_t) + +logging_send_syslog_msg(pkcsslotd_t) ++ ++userdom_read_all_users_state(pkcsslotd_t) diff --git a/pki.fc b/pki.fc new file mode 100644 -index 0000000..726d992 +index 0000000..e6592ea --- /dev/null +++ b/pki.fc @@ -0,0 +1,56 @@ @@ -56873,7 +61953,7 @@ index 0000000..726d992 +/var/run/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_run_t,s0) +/var/log/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0) +/etc/sysconfig/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0) -+/var/log/pki gen_context(system_u:object_r:pki_log_t,s0) ++/var/log/pki(/.*)? gen_context(system_u:object_r:pki_log_t,s0) +/usr/bin/pkidaemon gen_context(system_u:object_r:pki_tomcat_exec_t,s0) +/etc/pki/pki-tomcat/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0) + @@ -57226,10 +62306,10 @@ index 0000000..b975b85 +') diff --git a/pki.te b/pki.te new file mode 100644 -index 0000000..17f5d18 +index 0000000..d1265c4 --- /dev/null +++ b/pki.te -@@ -0,0 +1,284 @@ +@@ -0,0 +1,291 @@ +policy_module(pki,10.0.11) + +######################################## @@ -57259,7 +62339,7 @@ index 0000000..17f5d18 +files_type(pki_tomcat_etc_rw_t) + +type pki_tomcat_cert_t; -+files_type(pki_tomcat_cert_t) ++miscfiles_cert_type(pki_tomcat_cert_t) + +tomcat_domain_template(pki_tomcat) + @@ -57305,6 +62385,7 @@ index 0000000..17f5d18 +# + +allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice fsetid}; ++dontaudit pki_tomcat_t self:capability net_admin; +allow pki_tomcat_t self:process { signal setsched signull execmem }; + +allow pki_tomcat_t self:netlink_audit_socket { nlmsg_relay create }; 
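Review bot: Changing pki_tomcat_cert_t from `files_type` to `miscfiles_cert_type` in the `@@ -57259` hunk widens who may read it: the cert_type attribute is what the generic all-certificates reader interfaces key on, so every domain holding such a grant can now read the pki-tomcat alias directory. The pki.fc hunk in this same range labels `/etc/pki/pki-tomcat/alias(/.*)?` with this type, and an NSS alias directory normally holds the key database next to the certificates, so this likely exposes private key material to unrelated domains; confirm that the directory holds only public certificates, or keep it `files_type` and grant the specific reader domains access explicitly. At minimum record the decision above the rule, e.g. `# cert_type: readable by every cert-reading domain; the alias dir must not hold private keys`.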
@@ -57342,6 +62423,7 @@ index 0000000..17f5d18 +search_dirs_pattern(pki_tomcat_t, pki_log_t, pki_log_t) + +kernel_read_kernel_sysctls(pki_tomcat_t) ++kernel_read_net_sysctls(pki_tomcat_t) + +corenet_tcp_connect_http_cache_port(pki_tomcat_t) +corenet_tcp_connect_ldap_port(pki_tomcat_t) @@ -57380,6 +62462,10 @@ index 0000000..17f5d18 + hostname_exec(pki_tomcat_t) +') + ++optional_policy(` ++ ipa_read_lib(pki_tomcat_t) ++') ++ +####################################### +# +# tps local policy @@ -57412,6 +62498,7 @@ index 0000000..17f5d18 + +corenet_tcp_bind_pki_ra_port(pki_ra_t) +# talk to other subsystems ++corenet_tcp_connect_http_port(pki_ra_t) +corenet_tcp_connect_pki_ca_port(pki_ra_t) +corenet_tcp_connect_smtp_port(pki_ra_t) + @@ -57515,10 +62602,10 @@ index 0000000..17f5d18 +') + diff --git a/plymouthd.fc b/plymouthd.fc -index 735500f..ef1dd7a 100644 +index 735500f..2ba6832 100644 --- a/plymouthd.fc +++ b/plymouthd.fc -@@ -1,15 +1,15 @@ +@@ -1,15 +1,14 @@ -/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0) +/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0) @@ -57539,11 +62626,11 @@ index 735500f..ef1dd7a 100644 +/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0) -/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0) -+/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0) - +- -/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0) ++/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0) diff --git a/plymouthd.if b/plymouthd.if -index 30e751f..3985ff9 100644 +index 30e751f..61feb3a 100644 --- a/plymouthd.if +++ b/plymouthd.if @@ -1,4 +1,4 @@ @@ -57731,7 +62818,7 @@ index 30e751f..3985ff9 100644 gen_require(` type plymouthd_var_run_t; ') -@@ -233,36 +228,93 @@ interface(`plymouthd_read_pid_files',` +@@ -233,36 +228,112 @@ interface(`plymouthd_read_pid_files',` ######################################## ## 
@@ -57756,17 +62843,39 @@ index 30e751f..3985ff9 100644 + read_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t) +') + ++##################################### ++## ++## Allow the specified domain to create plymouthd's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`plymouthd_create_log',` ++ gen_require(` ++ type plymouthd_var_log_t; ++ ') ++ ++ logging_search_logs($1) ++ create_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t) ++') ++ +######################################## +## +## Allow the specified domain to manage +## to plymouthd log files. +## +## -+## + ## +-## Role allowed access. +## Domain allowed access. -+## -+## -+# + ## + ## +-## + # +-interface(`plymouthd_admin',` +interface(`plymouthd_manage_log',` + gen_require(` + type plymouthd_var_log_t; @@ -57788,12 +62897,12 @@ index 30e751f..3985ff9 100644 +## +## +# -+interface(`plymouthd_create_log',` ++interface(`plymouthd_filetrans_named_content',` ++ + gen_require(` + type plymouthd_var_log_t; + ') + -+ logging_rw_generic_log_dirs($1) + logging_log_named_filetrans($1, plymouthd_var_log_t, file, "boot.log") +') + @@ -57803,14 +62912,11 @@ index 30e751f..3985ff9 100644 +## an plymouthd environment +##
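Review bot: The renamed `plymouthd_filetrans_named_content` interface in the `@@ -57788` hunk drops `logging_rw_generic_log_dirs($1)` but does not add `logging_search_logs($1)`, unlike the new `plymouthd_create_log` in the `@@ -57756` hunk of the same file, so a caller that does not already search the log directory tree may be unable to reach the transition target; adding `logging_search_logs($1)` before the `logging_log_named_filetrans` call would make the two interfaces consistent. The stray empty line between `interface(\`plymouthd_filetrans_named_content',\`` and `gen_require(` also differs from every other interface in this file and should go. The description block for this interface starts outside the hunk, so check that it no longer says "create" after the rename.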
+## - ## --## Role allowed access. ++## +## Domain allowed access. - ## - ## --## - # --interface(`plymouthd_admin',` ++## ++## ++# +interface(`plymouthd_admin', ` gen_require(` type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t; @@ -57837,7 +62943,7 @@ index 30e751f..3985ff9 100644 admin_pattern($1, plymouthd_var_run_t) ') diff --git a/plymouthd.te b/plymouthd.te -index b1f412b..3a3249a 100644 +index b1f412b..b78836f 100644 --- a/plymouthd.te +++ b/plymouthd.te @@ -1,4 +1,4 @@ @@ -57855,7 +62961,7 @@ index b1f412b..3a3249a 100644 type plymouthd_var_lib_t; files_type(plymouthd_var_lib_t) -@@ -28,12 +28,12 @@ files_pid_file(plymouthd_var_run_t) +@@ -28,13 +28,14 @@ files_pid_file(plymouthd_var_run_t) ######################################## # @@ -57868,9 +62974,11 @@ index b1f412b..3a3249a 100644 allow plymouthd_t self:capability2 block_suspend; +dontaudit plymouthd_t self:capability dac_override; allow plymouthd_t self:process { signal getsched }; ++allow plymouthd_t self:netlink_kobject_uevent_socket create_socket_perms; allow plymouthd_t self:fifo_file rw_fifo_file_perms; allow plymouthd_t self:unix_stream_socket create_stream_socket_perms; -@@ -48,9 +48,7 @@ manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t) + +@@ -48,9 +49,7 @@ manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t) files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir }) manage_dirs_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t) 
@@ -57881,13 +62989,13 @@ index b1f412b..3a3249a 100644 logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir }) manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t) -@@ -70,19 +68,27 @@ domain_use_interactive_fds(plymouthd_t) +@@ -70,19 +69,26 @@ domain_use_interactive_fds(plymouthd_t) fs_getattr_all_fs(plymouthd_t) -files_read_etc_files(plymouthd_t) -files_read_usr_files(plymouthd_t) - +- term_getattr_pty_fs(plymouthd_t) term_use_all_terms(plymouthd_t) term_use_ptmx(plymouthd_t) @@ -57913,12 +63021,16 @@ index b1f412b..3a3249a 100644 ') optional_policy(` -@@ -90,35 +96,33 @@ optional_policy(` +@@ -90,35 +96,37 @@ optional_policy(` ') optional_policy(` - xserver_manage_xdm_spool_files(plymouthd_t) - xserver_read_xdm_state(plymouthd_t) ++ udev_read_pid_files(plymouthd_t) ++') ++ ++optional_policy(` + xserver_xdm_manage_spool(plymouthd_t) + xserver_read_state_xdm(plymouthd_t) ') @@ -58873,7 +63985,7 @@ index ae27bb7..d00f6ba 100644 + allow $1 polipo_unit_file_t:service all_service_perms; ') diff --git a/polipo.te b/polipo.te -index 316d53a..35d9018 100644 +index 316d53a..6646219 100644 --- a/polipo.te +++ b/polipo.te @@ -1,4 +1,4 @@ @@ -58949,7 +64061,7 @@ index 316d53a..35d9018 100644 type polipo_cache_t; files_type(polipo_cache_t) -@@ -56,112 +63,97 @@ files_type(polipo_cache_t) +@@ -56,112 +63,98 @@ files_type(polipo_cache_t) type polipo_log_t; logging_log_file(polipo_log_t) @@ -59002,6 +64114,7 @@ index 316d53a..35d9018 100644 +corenet_tcp_bind_http_cache_port(polipo_daemon) +corenet_sendrecv_http_cache_server_packets(polipo_daemon) +corenet_tcp_connect_http_port(polipo_daemon) ++corenet_tcp_connect_http_cache_port(polipo_daemon) +corenet_tcp_connect_tor_port(polipo_daemon) +corenet_tcp_connect_flash_port(polipo_daemon) @@ -59238,7 +64351,7 @@ index 5ad5291..7f1ae2a 100644 portreserve_initrc_domtrans($1) domain_system_change_exemption($1) 
diff --git a/portreserve.te b/portreserve.te -index a38b57a..aa9d604 100644 +index a38b57a..49758db 100644 --- a/portreserve.te +++ b/portreserve.te @@ -41,7 +41,6 @@ files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir } @@ -59249,13 +64362,17 @@ index a38b57a..aa9d604 100644 corenet_all_recvfrom_netlabel(portreserve_t) corenet_tcp_sendrecv_generic_if(portreserve_t) corenet_udp_sendrecv_generic_if(portreserve_t) -@@ -56,6 +55,5 @@ corenet_sendrecv_all_server_packets(portreserve_t) +@@ -56,6 +55,8 @@ corenet_sendrecv_all_server_packets(portreserve_t) corenet_tcp_bind_all_ports(portreserve_t) corenet_udp_bind_all_ports(portreserve_t) -files_read_etc_files(portreserve_t) - +- userdom_dontaudit_search_user_home_content(portreserve_t) ++ ++optional_policy(` ++ sssd_search_lib(portreserve_t) ++') diff --git a/portslave.te b/portslave.te index e85e33d..a7d7c55 100644 --- a/portslave.te @@ -59370,7 +64487,7 @@ index c0e8785..c0e0959 100644 +/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0) /var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0) diff --git a/postfix.if b/postfix.if -index 2e23946..0b76d72 100644 +index 2e23946..d8a163f 100644 --- a/postfix.if +++ b/postfix.if @@ -1,4 +1,4 @@ @@ -59701,7 +64818,7 @@ index 2e23946..0b76d72 100644 ##
## ## -@@ -382,14 +367,32 @@ interface(`postfix_domtrans_master',` +@@ -382,14 +367,31 @@ interface(`postfix_domtrans_master',` type postfix_master_t, postfix_master_exec_t; ') @@ -59709,7 +64826,6 @@ index 2e23946..0b76d72 100644 domtrans_pattern($1, postfix_master_exec_t, postfix_master_t) ') -+ ######################################## ## -## Execute the master postfix program @@ -59737,7 +64853,7 @@ index 2e23946..0b76d72 100644 ## ## ## -@@ -402,21 +405,18 @@ interface(`postfix_exec_master',` +@@ -402,21 +404,18 @@ interface(`postfix_exec_master',` type postfix_master_exec_t; ') @@ -59760,7 +64876,7 @@ index 2e23946..0b76d72 100644 # interface(`postfix_stream_connect_master',` gen_require(` -@@ -428,8 +428,7 @@ interface(`postfix_stream_connect_master',` +@@ -428,8 +427,7 @@ interface(`postfix_stream_connect_master',` ######################################## ## @@ -59770,7 +64886,7 @@ index 2e23946..0b76d72 100644 ## ## ## -@@ -437,15 +436,18 @@ interface(`postfix_stream_connect_master',` +@@ -437,15 +435,18 @@ interface(`postfix_stream_connect_master',` ## ## # @@ -59793,7 +64909,7 @@ index 2e23946..0b76d72 100644 ## ## ## -@@ -458,14 +460,13 @@ interface(`postfix_domtrans_postdrop',` +@@ -458,14 +459,13 @@ interface(`postfix_domtrans_postdrop',` type postfix_postdrop_t, postfix_postdrop_exec_t; ') @@ -59809,7 +64925,7 @@ index 2e23946..0b76d72 100644 ## ## ## -@@ -478,30 +479,85 @@ interface(`postfix_domtrans_postqueue',` +@@ -478,30 +478,85 @@ interface(`postfix_domtrans_postqueue',` type postfix_postqueue_t, postfix_postqueue_exec_t; ') @@ -59829,18 +64945,15 @@ index 2e23946..0b76d72 100644 ## -## Domain allowed access. +## Domain allowed to transition. - ## - ## ++## ++## +## +## +## The role to be allowed the iptables domain. +## +## +## - # --interface(`posftix_exec_postqueue',` -- refpolicywarn(`$0($*) has been deprecated.') -- postfix_exec_postqueue($1) ++# + +interface(`postfix_run_postqueue',` + gen_require(` 
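Review bot: The parameter documentation of the new `postfix_run_postqueue` interface in the `@@ -59829` hunk describes the second argument as `The role to be allowed the iptables domain.`, a copy-paste left over from another module. It should read `## The role to be allowed the postfix_postqueue domain.` so the generated interface docs are not misleading. The interface body itself continues into the following hunk.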
@@ -59850,8 +64963,8 @@ index 2e23946..0b76d72 100644 + postfix_domtrans_postqueue($1) + role $2 types postfix_postqueue_t; + allow postfix_postqueue_t $1:unix_stream_socket { read write getattr }; - ') - ++') ++ +######################################## +## +## Execute postfix_postgqueue in the postfix_postgqueue domain. @@ -59883,10 +64996,13 @@ index 2e23946..0b76d72 100644 +## +## +## Role allowed access. -+## -+## + ## + ## +## -+# + # +-interface(`posftix_exec_postqueue',` +- refpolicywarn(`$0($*) has been deprecated.') +- postfix_exec_postqueue($1) +interface(`postfix_run_postgqueue',` + gen_require(` + type postfix_postgqueue_t; @@ -59894,8 +65010,8 @@ index 2e23946..0b76d72 100644 + + postfix_domtrans_postgqueue($1) + role $2 types postfix_postgqueue_t; -+') -+ + ') + + ####################################### ## @@ -59905,7 +65021,7 @@ index 2e23946..0b76d72 100644 ## ## ## -@@ -514,13 +570,12 @@ interface(`postfix_exec_postqueue',` +@@ -514,13 +569,12 @@ interface(`postfix_exec_postqueue',` type postfix_postqueue_exec_t; ') @@ -59920,7 +65036,7 @@ index 2e23946..0b76d72 100644 ## ## ## -@@ -533,13 +588,13 @@ interface(`postfix_create_private_sockets',` +@@ -533,13 +587,13 @@ interface(`postfix_create_private_sockets',` type postfix_private_t; ') @@ -59936,7 +65052,7 @@ index 2e23946..0b76d72 100644 ## ## ## -@@ -552,13 +607,14 @@ interface(`postfix_manage_private_sockets',` +@@ -552,13 +606,14 @@ interface(`postfix_manage_private_sockets',` type postfix_private_t; ') @@ -59953,7 +65069,7 @@ index 2e23946..0b76d72 100644 ## ## ## -@@ -571,14 +627,12 @@ interface(`postfix_domtrans_smtp',` +@@ -571,14 +626,12 @@ interface(`postfix_domtrans_smtp',` type postfix_smtp_t, postfix_smtp_exec_t; ') @@ -59969,7 +65085,7 @@ index 2e23946..0b76d72 100644 ## ## ## -@@ -586,7 +640,7 @@ interface(`postfix_domtrans_smtp',` +@@ -586,7 +639,7 @@ interface(`postfix_domtrans_smtp',` ## ## # 
@@ -59978,7 +65094,7 @@ index 2e23946..0b76d72 100644 gen_require(` attribute postfix_spool_type; ') -@@ -607,11 +661,11 @@ interface(`postfix_getattr_all_spool_files',` +@@ -607,11 +660,11 @@ interface(`postfix_getattr_all_spool_files',` # interface(`postfix_search_spool',` gen_require(` @@ -59992,7 +65108,7 @@ index 2e23946..0b76d72 100644 ') ######################################## -@@ -626,11 +680,11 @@ interface(`postfix_search_spool',` +@@ -626,11 +679,11 @@ interface(`postfix_search_spool',` # interface(`postfix_list_spool',` gen_require(` @@ -60006,7 +65122,7 @@ index 2e23946..0b76d72 100644 ') ######################################## -@@ -645,17 +699,16 @@ interface(`postfix_list_spool',` +@@ -645,17 +698,16 @@ interface(`postfix_list_spool',` # interface(`postfix_read_spool_files',` gen_require(` @@ -60027,7 +65143,7 @@ index 2e23946..0b76d72 100644 ## ## ## -@@ -665,11 +718,50 @@ interface(`postfix_read_spool_files',` +@@ -665,11 +717,50 @@ interface(`postfix_read_spool_files',` # interface(`postfix_manage_spool_files',` gen_require(` @@ -60080,7 +65196,7 @@ index 2e23946..0b76d72 100644 ') ######################################## -@@ -693,8 +785,8 @@ interface(`postfix_domtrans_user_mail_handler',` +@@ -693,8 +784,8 @@ interface(`postfix_domtrans_user_mail_handler',` ######################################## ## @@ -60091,7 +65207,7 @@ index 2e23946..0b76d72 100644 ## ## ## -@@ -710,37 +802,137 @@ interface(`postfix_domtrans_user_mail_handler',` +@@ -710,37 +801,137 @@ interface(`postfix_domtrans_user_mail_handler',` # interface(`postfix_admin',` gen_require(` @@ -60250,7 +65366,7 @@ index 2e23946..0b76d72 100644 + postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch") ') diff --git a/postfix.te b/postfix.te -index 191a66f..f19bca4 100644 +index 191a66f..cd766c0 100644 --- a/postfix.te +++ b/postfix.te @@ -1,4 +1,4 @@ 
@@ -60432,9 +65548,8 @@ index 191a66f..f19bca4 100644 -######################################## -# -# Common postfix user domain local policy -+# Postfix master process local policy - # - +-# +- -allow postfix_user_domains self:capability dac_override; - -domain_use_interactive_fds(postfix_user_domains) @@ -60442,8 +65557,9 @@ index 191a66f..f19bca4 100644 -######################################## -# -# Master local policy --# -- ++# Postfix master process local policy + # + -allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config }; +# chown is to set the correct ownership of queue dirs +allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; @@ -60499,7 +65615,7 @@ index 191a66f..f19bca4 100644 manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t) -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_flush_t, dir, "flush") -- + -create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_private_t) -manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) -manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t) 
@@ -60511,24 +65627,24 @@ index 191a66f..f19bca4 100644 -manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t) -setattr_dirs_pattern(postfix_master_t, postfix_public_t, postfix_public_t) -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_public_t, dir, "public") - +- -create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t) -delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop") -+manage_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) - +- -create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t) -setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t) -filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid") -+kernel_read_all_sysctls(postfix_master_t) - --can_exec(postfix_master_t, postfix_exec_t) - +-can_exec(postfix_master_t, postfix_exec_t) ++manage_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) + -domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t) -domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t) -- ++kernel_read_all_sysctls(postfix_master_t) + -corenet_all_recvfrom_unlabeled(postfix_master_t) corenet_all_recvfrom_netlabel(postfix_master_t) corenet_tcp_sendrecv_generic_if(postfix_master_t) @@ -60740,7 +65856,7 @@ index 191a66f..f19bca4 100644 ') optional_policy(` -@@ -434,6 +335,7 @@ optional_policy(` +@@ -434,16 +335,25 @@ optional_policy(` ') optional_policy(` 
@@ -60748,7 +65864,14 @@ index 191a66f..f19bca4 100644 mailman_manage_data_files(postfix_local_t) mailman_append_log(postfix_local_t) mailman_read_log(postfix_local_t) -@@ -444,6 +346,10 @@ optional_policy(` + ') + + optional_policy(` ++ munin_search_lib(postfix_local_t) ++') ++ ++optional_policy(` + nagios_search_spool(postfix_local_t) ') optional_policy(` @@ -60759,7 +65882,7 @@ index 191a66f..f19bca4 100644 procmail_domtrans(postfix_local_t) ') -@@ -458,15 +364,17 @@ optional_policy(` +@@ -458,15 +368,17 @@ optional_policy(` ######################################## # @@ -60783,7 +65906,7 @@ index 191a66f..f19bca4 100644 manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t) -@@ -476,14 +384,15 @@ kernel_read_kernel_sysctls(postfix_map_t) +@@ -476,14 +388,15 @@ kernel_read_kernel_sysctls(postfix_map_t) kernel_dontaudit_list_proc(postfix_map_t) kernel_dontaudit_read_system_state(postfix_map_t) @@ -60803,7 +65926,7 @@ index 191a66f..f19bca4 100644 corecmd_list_bin(postfix_map_t) corecmd_read_bin_symlinks(postfix_map_t) -@@ -492,7 +401,6 @@ corecmd_read_bin_pipes(postfix_map_t) +@@ -492,7 +405,6 @@ corecmd_read_bin_pipes(postfix_map_t) corecmd_read_bin_sockets(postfix_map_t) files_list_home(postfix_map_t) @@ -60811,7 +65934,7 @@ index 191a66f..f19bca4 100644 files_read_etc_runtime_files(postfix_map_t) files_dontaudit_search_var(postfix_map_t) -@@ -500,21 +408,22 @@ auth_use_nsswitch(postfix_map_t) +@@ -500,21 +412,22 @@ auth_use_nsswitch(postfix_map_t) logging_send_syslog_msg(postfix_map_t) 
@@ -60837,7 +65960,7 @@ index 191a66f..f19bca4 100644 stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t) rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t) -@@ -524,16 +433,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; +@@ -524,21 +437,21 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms; read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t) @@ -60857,7 +65980,24 @@ index 191a66f..f19bca4 100644 # allow postfix_pipe_t self:process setrlimit; -@@ -576,19 +484,26 @@ optional_policy(` + + write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) ++write_sock_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t) + + write_fifo_files_pattern(postfix_pipe_t, postfix_public_t, postfix_public_t) + +@@ -549,6 +462,10 @@ domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t) + corecmd_exec_bin(postfix_pipe_t) + + optional_policy(` ++ cyrus_stream_connect(postfix_pipe_t) ++') ++ ++optional_policy(` + dovecot_domtrans_deliver(postfix_pipe_t) + ') + +@@ -576,19 +493,26 @@ optional_policy(` ######################################## # @@ -60889,7 +66029,7 @@ index 191a66f..f19bca4 100644 term_dontaudit_use_all_ptys(postfix_postdrop_t) term_dontaudit_use_all_ttys(postfix_postdrop_t) -@@ -603,10 +518,7 @@ optional_policy(` +@@ -603,10 +527,7 @@ optional_policy(` cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) ') @@ -60901,7 +66041,7 @@ index 191a66f..f19bca4 100644 optional_policy(` fstools_read_pipes(postfix_postdrop_t) ') -@@ -621,17 +533,24 @@ optional_policy(` +@@ -621,17 +542,24 @@ optional_policy(` ####################################### # 
@@ -60929,7 +66069,7 @@ index 191a66f..f19bca4 100644 init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) -@@ -647,67 +566,77 @@ optional_policy(` +@@ -647,67 +575,77 @@ optional_policy(` ######################################## # @@ -61025,7 +66165,7 @@ index 191a66f..f19bca4 100644 ') optional_policy(` -@@ -720,29 +649,30 @@ optional_policy(` +@@ -720,29 +658,30 @@ optional_policy(` ######################################## # @@ -61064,7 +66204,7 @@ index 191a66f..f19bca4 100644 optional_policy(` dovecot_stream_connect_auth(postfix_smtpd_t) dovecot_stream_connect(postfix_smtpd_t) -@@ -754,6 +684,7 @@ optional_policy(` +@@ -754,6 +693,7 @@ optional_policy(` optional_policy(` milter_stream_connect_all(postfix_smtpd_t) @@ -61072,7 +66212,7 @@ index 191a66f..f19bca4 100644 ') optional_policy(` -@@ -764,31 +695,99 @@ optional_policy(` +@@ -764,31 +704,99 @@ optional_policy(` sasl_connect(postfix_smtpd_t) ') @@ -63078,7 +68218,7 @@ index 00edeab..166e9c3 100644 + read_files_pattern($1, procmail_home_t, procmail_home_t) ') diff --git a/procmail.te b/procmail.te -index d447152..73c437c 100644 +index d447152..f3e6fbf 100644 --- a/procmail.te +++ b/procmail.te @@ -1,4 +1,4 @@ @@ -63113,7 +68253,7 @@ index d447152..73c437c 100644 allow procmail_t procmail_log_t:dir setattr_dir_perms; create_files_pattern(procmail_t, procmail_log_t, procmail_log_t) append_files_pattern(procmail_t, procmail_log_t, procmail_log_t) -@@ -40,89 +44,106 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir }) +@@ -40,89 +44,108 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir }) allow procmail_t procmail_tmp_t:file manage_file_perms; files_tmp_filetrans(procmail_t, procmail_tmp_t, file) @@ -63145,6 +68285,7 @@ index d447152..73c437c 100644 -corecmd_exec_bin(procmail_t) -corecmd_exec_shell(procmail_t) ++dev_read_rand(procmail_t) dev_read_urand(procmail_t) -fs_getattr_all_fs(procmail_t) 
@@ -63167,10 +68308,10 @@ index d447152..73c437c 100644 -miscfiles_read_localization(procmail_t) +init_read_utmp(procmail_t) -+ + +logging_send_syslog_msg(procmail_t) +logging_append_all_logs(procmail_t) - ++ +list_dirs_pattern(procmail_t, procmail_home_t, procmail_home_t) +read_files_pattern(procmail_t, procmail_home_t, procmail_home_t) userdom_search_user_home_dirs(procmail_t) @@ -63192,17 +68333,17 @@ index d447152..73c437c 100644 +userdom_manage_user_tmp_dirs(procmail_t) +userdom_manage_user_tmp_files(procmail_t) +userdom_manage_user_tmp_symlinks(procmail_t) -+ -+# Execute user executables -+userdom_exec_user_bin_files(procmail_t) -+ -+mta_manage_spool(procmail_t) -+mta_read_queue(procmail_t) -tunable_policy(`use_samba_home_dirs',` - fs_manage_cifs_dirs(procmail_t) - fs_manage_cifs_files(procmail_t) - fs_manage_cifs_symlinks(procmail_t) ++# Execute user executables ++userdom_exec_user_bin_files(procmail_t) ++ ++mta_manage_spool(procmail_t) ++mta_read_queue(procmail_t) ++ +ifdef(`hide_broken_symptoms',` + mta_dontaudit_rw_queue(procmail_t) ') @@ -63219,6 +68360,7 @@ index d447152..73c437c 100644 optional_policy(` - cyrus_stream_connect(procmail_t) + dovecot_stream_connect(procmail_t) ++ dovecot_read_config(procmail_t) ') optional_policy(` @@ -63257,15 +68399,25 @@ index d447152..73c437c 100644 ') optional_policy(` -@@ -131,6 +152,8 @@ optional_policy(` +@@ -131,6 +154,9 @@ optional_policy(` ') optional_policy(` + mta_read_config(procmail_t) ++ mta_mailserver_delivery(procmail_t) + mta_manage_home_rw(procmail_t) sendmail_domtrans(procmail_t) sendmail_signal(procmail_t) sendmail_dontaudit_rw_tcp_sockets(procmail_t) +@@ -145,3 +171,8 @@ optional_policy(` + spamassassin_domtrans_client(procmail_t) + spamassassin_read_lib_files(procmail_t) + ') ++ ++optional_policy(` ++ zarafa_stream_connect_server(procmail_t) ++ zarafa_domtrans_deliver(procmail_t) ++') diff --git a/prosody.fc b/prosody.fc new file mode 100644 index 0000000..96a0d9f 
@@ -64236,7 +69388,7 @@ index fa3dc8e..99cfa95 100644 + ps_process_pattern($1, pulseaudio_t) ') diff --git a/pulseaudio.te b/pulseaudio.te -index e31bbe1..822ab6c 100644 +index e31bbe1..5f0e288 100644 --- a/pulseaudio.te +++ b/pulseaudio.te @@ -1,4 +1,4 @@ @@ -64253,7 +69405,8 @@ index e31bbe1..822ab6c 100644 - type pulseaudio_t; type pulseaudio_exec_t; - init_daemon_domain(pulseaudio_t, pulseaudio_exec_t) +-init_daemon_domain(pulseaudio_t, pulseaudio_exec_t) ++#init_daemon_domain(pulseaudio_t, pulseaudio_exec_t) userdom_user_application_domain(pulseaudio_t, pulseaudio_exec_t) -role pulseaudio_roles types pulseaudio_t; +role system_r types pulseaudio_t; @@ -67877,10 +73030,10 @@ index afc0068..3105104 100644 + ') ') diff --git a/quantum.te b/quantum.te -index 769d1fd..0ef5efc 100644 +index 769d1fd..52bad99 100644 --- a/quantum.te +++ b/quantum.te -@@ -1,96 +1,109 @@ +@@ -1,96 +1,132 @@ -policy_module(quantum, 1.0.2) +policy_module(quantum, 1.0.3) 
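Review bot: The new side of the pulseaudio.te hunk keeps `#init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)` as commented-out code next to the `userdom_user_application_domain` call instead of simply dropping the line. A commented-out rule says nothing about why the daemon-domain mapping was removed; either delete it or replace it with a comment such as `# pulseaudio is confined as a user application, not as an init daemon`. The pulseaudio declaration block continues outside this hunk.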
@@ -67930,55 +73083,52 @@ index 769d1fd..0ef5efc 100644 -allow quantum_t self:key manage_key_perms; -allow quantum_t self:tcp_socket { accept listen }; -allow quantum_t self:unix_stream_socket { accept listen }; -+allow neutron_t self:capability { setgid setuid sys_resource }; ++allow neutron_t self:capability { sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw }; +allow neutron_t self:process { setsched setrlimit }; +allow neutron_t self:fifo_file rw_fifo_file_perms; +allow neutron_t self:key manage_key_perms; +allow neutron_t self:tcp_socket { accept listen }; +allow neutron_t self:unix_stream_socket { accept listen }; - --manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t) --append_files_pattern(quantum_t, quantum_log_t, quantum_log_t) --create_files_pattern(quantum_t, quantum_log_t, quantum_log_t) --setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t) --logging_log_filetrans(quantum_t, quantum_log_t, dir) ++allow neutron_t self:netlink_route_socket rw_netlink_socket_perms; ++ +manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t) +append_files_pattern(neutron_t, neutron_log_t, neutron_log_t) +create_files_pattern(neutron_t, neutron_log_t, neutron_log_t) +setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t) +logging_log_filetrans(neutron_t, neutron_log_t, dir) --manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t) --files_tmp_filetrans(quantum_t, quantum_tmp_t, file) +-manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t) +-append_files_pattern(quantum_t, quantum_log_t, quantum_log_t) +-create_files_pattern(quantum_t, quantum_log_t, quantum_log_t) +-setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t) +-logging_log_filetrans(quantum_t, quantum_log_t, dir) +manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t) +files_tmp_filetrans(neutron_t, neutron_tmp_t, file) --manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t) --manage_files_pattern(quantum_t, 
quantum_var_lib_t, quantum_var_lib_t) --files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir) +-manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t) +-files_tmp_filetrans(quantum_t, quantum_tmp_t, file) +manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) +manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t) +files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir) --can_exec(quantum_t, quantum_tmp_t) +-manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t) +-manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t) +-files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir) +can_exec(neutron_t, neutron_tmp_t) --kernel_read_kernel_sysctls(quantum_t) --kernel_read_system_state(quantum_t) +-can_exec(quantum_t, quantum_tmp_t) +kernel_read_kernel_sysctls(neutron_t) +kernel_read_system_state(neutron_t) ++kernel_read_network_state(neutron_t) ++kernel_request_load_module(neutron_t) --corecmd_exec_shell(quantum_t) --corecmd_exec_bin(quantum_t) +-kernel_read_kernel_sysctls(quantum_t) +-kernel_read_system_state(quantum_t) +corecmd_exec_shell(neutron_t) +corecmd_exec_bin(neutron_t) --corenet_all_recvfrom_unlabeled(quantum_t) --corenet_all_recvfrom_netlabel(quantum_t) --corenet_tcp_sendrecv_generic_if(quantum_t) --corenet_tcp_sendrecv_generic_node(quantum_t) --corenet_tcp_sendrecv_all_ports(quantum_t) --corenet_tcp_bind_generic_node(quantum_t) +-corecmd_exec_shell(quantum_t) +-corecmd_exec_bin(quantum_t) +corenet_all_recvfrom_unlabeled(neutron_t) +corenet_all_recvfrom_netlabel(neutron_t) +corenet_tcp_sendrecv_generic_if(neutron_t) 
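Review bot: The capability set in `allow neutron_t self:capability { sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw };` grows from three capabilities to eight, and sys_admin together with sys_ptrace is broad enough that the confinement of neutron_t adds little if that process misbehaves. The commit gives no per-capability rationale; I would add a comment above the line naming the operation each of sys_admin, sys_ptrace and net_raw is needed for, e.g. `# sys_admin/net_admin: namespace and interface setup by the agents — confirm against the denials that motivated this`. If sys_admin is only exercised by helpers the domain already transitions to (`brctl_domtrans`, `dnsmasq_domtrans`, `iptables_domtrans` in the next hunk), it may not belong on neutron_t at all. The following hunk (`@@ -67986,67 +73136,93 @@`) widens the same domain further with `files_mounton_non_security`, `dev_mount_sysfs_fs`, `kernel_request_load_module` and `sudo_exec`, and deserves the same per-rule justification.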
@@ -67986,67 +73136,93 @@ index 769d1fd..0ef5efc 100644 +corenet_tcp_sendrecv_all_ports(neutron_t) +corenet_tcp_bind_generic_node(neutron_t) --dev_list_sysfs(quantum_t) --dev_read_urand(quantum_t) +-corenet_all_recvfrom_unlabeled(quantum_t) +-corenet_all_recvfrom_netlabel(quantum_t) +-corenet_tcp_sendrecv_generic_if(quantum_t) +-corenet_tcp_sendrecv_generic_node(quantum_t) +-corenet_tcp_sendrecv_all_ports(quantum_t) +-corenet_tcp_bind_generic_node(quantum_t) +corenet_tcp_bind_neutron_port(neutron_t) +corenet_tcp_connect_keystone_port(neutron_t) +corenet_tcp_connect_amqp_port(neutron_t) +corenet_tcp_connect_mysqld_port(neutron_t) +-dev_list_sysfs(quantum_t) +-dev_read_urand(quantum_t) ++domain_named_filetrans(neutron_t) + -files_read_usr_files(quantum_t) -+dev_list_sysfs(neutron_t) ++dev_read_sysfs(neutron_t) +dev_read_urand(neutron_t) ++dev_mounton_sysfs(neutron_t) ++dev_mount_sysfs_fs(neutron_t) ++dev_unmount_sysfs_fs(neutron_t) -auth_use_nsswitch(quantum_t) -+auth_use_nsswitch(neutron_t) ++files_mounton_non_security(neutron_t) -libs_exec_ldconfig(quantum_t) -+libs_exec_ldconfig(neutron_t) ++auth_use_nsswitch(neutron_t) -logging_send_audit_msgs(quantum_t) -logging_send_syslog_msg(quantum_t) -+logging_send_audit_msgs(neutron_t) -+logging_send_syslog_msg(neutron_t) ++libs_exec_ldconfig(neutron_t) -miscfiles_read_localization(quantum_t) -+sysnet_exec_ifconfig(neutron_t) ++logging_send_audit_msgs(neutron_t) ++logging_send_syslog_msg(neutron_t) -sysnet_domtrans_ifconfig(quantum_t) -+optional_policy(` -+ brctl_domtrans(neutron_t) -+') ++sysnet_exec_ifconfig(neutron_t) ++sysnet_manage_ifconfig_run(neutron_t) ++sysnet_filetrans_named_content_ifconfig(neutron_t) optional_policy(` - brctl_domtrans(quantum_t) -+ mysql_stream_connect(neutron_t) -+ mysql_read_config(neutron_t) -+ -+ mysql_tcp_connect(neutron_t) ++ brctl_domtrans(neutron_t) ') optional_policy(` - mysql_stream_connect(quantum_t) - mysql_read_config(quantum_t) -+ postgresql_stream_connect(neutron_t) -+ 
postgresql_unpriv_client(neutron_t) ++ dnsmasq_domtrans(neutron_t) ++ dnsmasq_signal(neutron_t) ++ dnsmasq_kill(neutron_t) ++ dnsmasq_read_state(neutron_t) ++') - mysql_tcp_connect(quantum_t) -+ postgresql_tcp_connect(neutron_t) ++optional_policy(` ++ iptables_domtrans(neutron_t) ') optional_policy(` - postgresql_stream_connect(quantum_t) - postgresql_unpriv_client(quantum_t) ++ mysql_stream_connect(neutron_t) ++ mysql_read_config(neutron_t) + +- postgresql_tcp_connect(quantum_t) ++ mysql_tcp_connect(neutron_t) + ') ++ ++optional_policy(` ++ postgresql_stream_connect(neutron_t) ++ postgresql_unpriv_client(neutron_t) ++ ++ postgresql_tcp_connect(neutron_t) ++') ++ ++optional_policy(` + openvswitch_domtrans(neutron_t) + openvswitch_stream_connect(neutron_t) +') - -- postgresql_tcp_connect(quantum_t) ++ +optional_policy(` + sudo_exec(neutron_t) - ') ++') diff --git a/quota.fc b/quota.fc -index cadabe3..0ee2489 100644 +index cadabe3..54ba01d 100644 --- a/quota.fc +++ b/quota.fc @@ -1,6 +1,5 @@ @@ -68057,7 +73233,7 @@ index cadabe3..0ee2489 100644 /a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) -@@ -8,24 +7,23 @@ HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) +@@ -8,24 +7,24 @@ HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) /etc/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) @@ -68073,6 +73249,7 @@ index cadabe3..0ee2489 100644 /var/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) +/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0) ++/var/spool/cron/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) +/var/spool/(.*/)?a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0) -/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0) @@ -68491,7 +73668,7 @@ index 2c3d338..cf3e5ad 100644 ######################################## 
diff --git a/rabbitmq.te b/rabbitmq.te -index 3698b51..136b017 100644 +index 3698b51..7d5630f 100644 --- a/rabbitmq.te +++ b/rabbitmq.te @@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t) @@ -68513,7 +73690,7 @@ index 3698b51..136b017 100644 allow rabbitmq_beam_t self:process { setsched signal signull }; allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms; allow rabbitmq_beam_t self:tcp_socket { accept listen }; -@@ -38,27 +43,35 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) +@@ -38,50 +43,85 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t) manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) 
@@ -68549,35 +73726,39 @@ index 3698b51..136b017 100644 corenet_tcp_sendrecv_generic_node(rabbitmq_beam_t) corenet_tcp_bind_generic_node(rabbitmq_beam_t) +corenet_tcp_connect_all_ephemeral_ports(rabbitmq_beam_t) ++corenet_tcp_bind_all_ephemeral_ports(rabbitmq_beam_t) corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t) - corenet_tcp_bind_amqp_port(rabbitmq_beam_t) -@@ -68,20 +81,50 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t) - corenet_tcp_connect_epmd_port(rabbitmq_beam_t) - corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t) +-corenet_tcp_bind_amqp_port(rabbitmq_beam_t) +-corenet_tcp_sendrecv_amqp_port(rabbitmq_beam_t) --dev_read_sysfs(rabbitmq_beam_t) + corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t) ++corenet_tcp_sendrecv_amqp_port(rabbitmq_beam_t) ++corenet_tcp_bind_amqp_port(rabbitmq_beam_t) +corenet_tcp_bind_couchdb_port(rabbitmq_beam_t) -+ +corenet_tcp_bind_jabber_client_port(rabbitmq_beam_t) +corenet_tcp_bind_jabber_interserver_port(rabbitmq_beam_t) -+ ++corenet_tcp_connect_amqp_port(rabbitmq_beam_t) ++corenet_tcp_connect_couchdb_port(rabbitmq_beam_t) + corenet_tcp_connect_epmd_port(rabbitmq_beam_t) ++corenet_tcp_connect_jabber_interserver_port(rabbitmq_beam_t) + corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t) + +-dev_read_sysfs(rabbitmq_beam_t) +domain_read_all_domains_state(rabbitmq_beam_t) -+ -+auth_read_passwd(rabbitmq_beam_t) -+auth_use_pam(rabbitmq_beam_t) -files_read_etc_files(rabbitmq_beam_t) -+files_getattr_all_mountpoints(rabbitmq_beam_t) ++auth_read_passwd(rabbitmq_beam_t) ++auth_use_pam(rabbitmq_beam_t) -miscfiles_read_localization(rabbitmq_beam_t) ++files_getattr_all_mountpoints(rabbitmq_beam_t) ++ +fs_getattr_all_fs(rabbitmq_beam_t) +fs_getattr_all_dirs(rabbitmq_beam_t) +fs_getattr_cgroup(rabbitmq_beam_t) +fs_search_cgroup_dirs(rabbitmq_beam_t) + -+corenet_tcp_connect_couchdb_port(rabbitmq_beam_t) -+ +dev_read_sysfs(rabbitmq_beam_t) +dev_read_urand(rabbitmq_beam_t) + 
@@ -68588,10 +73769,7 @@ index 3698b51..136b017 100644 +logging_send_syslog_msg(rabbitmq_beam_t) + +optional_policy(` -+ couchdb_manage_lib_files(rabbitmq_beam_t) -+ couchdb_read_conf_files(rabbitmq_beam_t) -+ couchdb_read_log_files(rabbitmq_beam_t) -+ couchdb_search_pid_dirs(rabbitmq_beam_t) ++ couchdb_manage_files(rabbitmq_beam_t) +') + +optional_policy(` @@ -68607,7 +73785,16 @@ index 3698b51..136b017 100644 allow rabbitmq_epmd_t self:process signal; allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms; allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms; -@@ -99,8 +142,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) +@@ -89,6 +129,8 @@ allow rabbitmq_epmd_t self:unix_stream_socket { accept listen }; + + allow rabbitmq_epmd_t rabbitmq_var_log_t:file append_file_perms; + ++manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t) ++ + corenet_all_recvfrom_unlabeled(rabbitmq_epmd_t) + corenet_all_recvfrom_netlabel(rabbitmq_epmd_t) + corenet_tcp_sendrecv_generic_if(rabbitmq_epmd_t) +@@ -99,8 +141,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) corenet_tcp_bind_epmd_port(rabbitmq_epmd_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t) @@ -68810,20 +73997,22 @@ index b31f2d7..046f5b8 100644 userdom_dontaudit_search_user_home_dirs(radvd_t) diff --git a/raid.fc b/raid.fc -index 5806046..5578653 100644 +index 5806046..d83ec27 100644 --- a/raid.fc 
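Review bot: `manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)` in the `@@ -89,6 +129,8 @@` hunk is inserted into the rabbitmq_epmd_t local-policy section but grants to rabbitmq_beam_t, and the beam section earlier in the file already carries `manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)` (visible as context in the `@@ -38,50 +43,85 @@` hunk), so this looks misplaced and possibly duplicate. Move it next to that manage_dirs_pattern line, or drop it if the beam section's existing file rule already covers it; the beam section is cut off in this view so I cannot confirm which.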
+++ b/raid.fc -@@ -3,6 +3,9 @@ +@@ -3,6 +3,11 @@ /etc/rc\.d/init\.d/mdmonitor -- gen_context(system_u:object_r:mdadm_initrc_exec_t,s0) ++/etc/mdadm\.conf -- gen_context(system_u:object_r:mdadm_conf_t,s0) ++ +/usr/lib/systemd/system/mdmon@.* -- gen_context(system_u:object_r:mdadm_unit_file_t,s0) +/usr/lib/systemd/system/mdmonitor.* -- gen_context(system_u:object_r:mdadm_unit_file_t,s0) + /sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0) /sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0) /sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0) -@@ -16,6 +19,7 @@ +@@ -16,6 +21,7 @@ /usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0) /usr/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0) /usr/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0) @@ -68832,7 +74021,7 @@ index 5806046..5578653 100644 /var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0) diff --git a/raid.if b/raid.if -index 951db7f..98a0758 100644 +index 951db7f..c0cabe8 100644 --- a/raid.if +++ b/raid.if @@ -1,9 +1,8 @@ @@ -68913,7 +74102,7 @@ index 951db7f..98a0758 100644 ## ## ## -@@ -57,47 +78,94 @@ interface(`raid_run_mdadm',` +@@ -57,47 +78,112 @@ interface(`raid_run_mdadm',` ## ## # @@ -68981,7 +74170,7 @@ index 951db7f..98a0758 100644 + +######################################## +## -+## Manage mdadm config files. ++## Read mdadm config files. +## +## ## @@ -68992,7 +74181,7 @@ index 951db7f..98a0758 100644 -## # -interface(`raid_admin_mdadm',` -+interface(`raid_manage_conf_files',` ++interface(`raid_read_conf_files',` gen_require(` - type mdadm_t, mdadm_initrc_exec_t, mdadm_var_run_t; + type mdadm_conf_t; 
@@ -69000,7 +74189,24 @@ index 951db7f..98a0758 100644 - allow $1 mdadm_t:process { ptrace signal_perms }; - ps_process_pattern($1, mdadm_t) -- ++ read_files_pattern($1, mdadm_conf_t, mdadm_conf_t) ++') ++ ++######################################## ++## ++## Manage mdadm config files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`raid_manage_conf_files',` ++ gen_require(` ++ type mdadm_conf_t; ++ ') + - init_labeled_script_domtrans($1, mdadm_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 mdadm_initrc_exec_t system_r; @@ -69029,10 +74235,10 @@ index 951db7f..98a0758 100644 + files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf") ') diff --git a/raid.te b/raid.te -index 2c1730b..4699a1e 100644 +index 2c1730b..aa0ff54 100644 --- a/raid.te +++ b/raid.te -@@ -15,6 +15,15 @@ role mdadm_roles types mdadm_t; +@@ -15,6 +15,18 @@ role mdadm_roles types mdadm_t; type mdadm_initrc_exec_t; init_script_file(mdadm_initrc_exec_t) @@ -69043,12 +74249,15 @@ index 2c1730b..4699a1e 100644 +systemd_unit_file(mdadm_unit_file_t) + +type mdadm_tmp_t; -+files_tmpfs_file(mdadm_tmp_t) ++files_tmp_file(mdadm_tmp_t) ++ ++type mdadm_tmpfs_t; ++files_tmpfs_file(mdadm_tmpfs_t) + type mdadm_var_run_t alias mdadm_map_t; files_pid_file(mdadm_var_run_t) dev_associate(mdadm_var_run_t) -@@ -25,23 +34,34 @@ dev_associate(mdadm_var_run_t) +@@ -25,43 +37,68 @@ dev_associate(mdadm_var_run_t) # allow mdadm_t self:capability { dac_override sys_admin ipc_lock }; 
@@ -69066,6 +74275,10 @@ index 2c1730b..4699a1e 100644 +manage_files_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t) +manage_dirs_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t) +files_tmp_filetrans(mdadm_t, mdadm_tmp_t, file) ++ ++manage_files_pattern(mdadm_t, mdadm_tmpfs_t, mdadm_tmpfs_t) ++manage_dirs_pattern(mdadm_t, mdadm_tmpfs_t, mdadm_tmpfs_t) ++fs_tmpfs_filetrans(mdadm_t, mdadm_tmpfs_t, file) manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t) @@ -69087,10 +74300,12 @@ index 2c1730b..4699a1e 100644 corecmd_exec_bin(mdadm_t) corecmd_exec_shell(mdadm_t) -@@ -49,19 +69,29 @@ corecmd_exec_shell(mdadm_t) + dev_rw_sysfs(mdadm_t) - dev_dontaudit_getattr_all_blk_files(mdadm_t) - dev_dontaudit_getattr_all_chr_files(mdadm_t) +-dev_dontaudit_getattr_all_blk_files(mdadm_t) +-dev_dontaudit_getattr_all_chr_files(mdadm_t) ++dev_dontaudit_read_all_blk_files(mdadm_t) ++dev_dontaudit_read_all_chr_files(mdadm_t) +dev_read_crash(mdadm_t) +dev_read_framebuffer(mdadm_t) dev_read_realtime_clock(mdadm_t) @@ -69120,7 +74335,7 @@ index 2c1730b..4699a1e 100644 mls_file_read_all_levels(mdadm_t) mls_file_write_all_levels(mdadm_t) -@@ -70,15 +100,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t) +@@ -70,15 +107,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t) storage_manage_fixed_disk(mdadm_t) storage_read_scsi_generic(mdadm_t) storage_write_scsi_generic(mdadm_t) @@ -69142,7 +74357,15 @@ index 2c1730b..4699a1e 100644 userdom_dontaudit_use_unpriv_user_fds(mdadm_t) userdom_dontaudit_search_user_home_content(mdadm_t) -@@ -93,13 +128,30 @@ optional_policy(` +@@ -89,17 +131,38 @@ optional_policy(` + ') + + optional_policy(` ++ dbus_system_bus_client(mdadm_t) ++') ++ ++optional_policy(` + gpm_dontaudit_getattr_gpmctl(mdadm_t) ') optional_policy(` 
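Review bot: Replacing `dev_dontaudit_getattr_all_blk_files(mdadm_t)` and `dev_dontaudit_getattr_all_chr_files(mdadm_t)` with `dev_dontaudit_read_all_blk_files(mdadm_t)` and `dev_dontaudit_read_all_chr_files(mdadm_t)` grants nothing new, but it silences read denials on every block and character device node instead of only getattr noise, which is exactly the denial an operator would want logged if mdadm ever opened a device it should not. A comment such as `# mdadm probes all block devices during assembly; read denials on unrelated devices are noise (see <bug id>)` would record why the wider dontaudit is acceptable, or the rule could stay at the getattr level if that was all the observed noise. The rest of the mdadm_t policy continues outside this hunk.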
@@ -69173,6 +74396,235 @@ index 2c1730b..4699a1e 100644 +optional_policy(` + xserver_dontaudit_search_log(mdadm_t) +') +diff --git a/rasdaemon.fc b/rasdaemon.fc +new file mode 100644 +index 0000000..8e31dd0 +--- /dev/null ++++ b/rasdaemon.fc +@@ -0,0 +1,9 @@ ++/usr/lib/systemd/system/ras-mc-ctl.* -- gen_context(system_u:object_r:rasdaemon_unit_file_t,s0) ++ ++/usr/lib/systemd/system/rasdaemon.* -- gen_context(system_u:object_r:rasdaemon_unit_file_t,s0) ++ ++/usr/sbin/rasdaemon -- gen_context(system_u:object_r:rasdaemon_exec_t,s0) ++ ++/usr/sbin/ras-mc-ctl -- gen_context(system_u:object_r:rasdaemon_exec_t,s0) ++ ++/var/lib/rasdaemon(/.*)? gen_context(system_u:object_r:rasdaemon_var_lib_t,s0) +diff --git a/rasdaemon.if b/rasdaemon.if +new file mode 100644 +index 0000000..a073efd +--- /dev/null ++++ b/rasdaemon.if +@@ -0,0 +1,156 @@ ++ ++## The rasdaemon program is a daemon with monitors the RAS trace events from /sys/kernel/debug/tracing ++ ++######################################## ++## ++## Execute TEMPLATE in the rasdaemon domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`rasdaemon_domtrans',` ++ gen_require(` ++ type rasdaemon_t, rasdaemon_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, rasdaemon_exec_t, rasdaemon_t) ++') ++ ++######################################## ++## ++## Search rasdaemon lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rasdaemon_search_lib',` ++ gen_require(` ++ type rasdaemon_var_lib_t; ++ ') ++ ++ allow $1 rasdaemon_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read rasdaemon lib files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`rasdaemon_read_lib_files',` ++ gen_require(` ++ type rasdaemon_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, rasdaemon_var_lib_t, rasdaemon_var_lib_t) ++') ++ ++######################################## ++## ++## Manage rasdaemon lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rasdaemon_manage_lib_files',` ++ gen_require(` ++ type rasdaemon_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, rasdaemon_var_lib_t, rasdaemon_var_lib_t) ++') ++ ++######################################## ++## ++## Manage rasdaemon lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rasdaemon_manage_lib_dirs',` ++ gen_require(` ++ type rasdaemon_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, rasdaemon_var_lib_t, rasdaemon_var_lib_t) ++') ++ ++######################################## ++## ++## Execute rasdaemon server in the rasdaemon domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`rasdaemon_systemctl',` ++ gen_require(` ++ type rasdaemon_t; ++ type rasdaemon_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 rasdaemon_unit_file_t:file read_file_perms; ++ allow $1 rasdaemon_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, rasdaemon_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an rasdaemon environment ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++# ++interface(`rasdaemon_admin',` ++ gen_require(` ++ type rasdaemon_t; ++ type rasdaemon_var_lib_t; ++ type rasdaemon_unit_file_t; ++ ') ++ ++ allow $1 rasdaemon_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, rasdaemon_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, rasdaemon_var_lib_t) ++ ++ rasdaemon_systemctl($1) ++ admin_pattern($1, rasdaemon_unit_file_t) ++ allow $1 rasdaemon_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/rasdaemon.te b/rasdaemon.te +new file mode 100644 +index 0000000..6731d5c +--- /dev/null ++++ b/rasdaemon.te +@@ -0,0 +1,46 @@ ++policy_module(rasdaemon, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type rasdaemon_t; ++type rasdaemon_exec_t; ++init_daemon_domain(rasdaemon_t, rasdaemon_exec_t) ++ ++type rasdaemon_var_lib_t; ++files_type(rasdaemon_var_lib_t) ++ ++type rasdaemon_unit_file_t; ++systemd_unit_file(rasdaemon_unit_file_t) ++ ++######################################## ++# ++# rasdaemon local policy ++# ++allow rasdaemon_t self:fifo_file rw_fifo_file_perms; ++allow rasdaemon_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(rasdaemon_t, rasdaemon_var_lib_t, rasdaemon_var_lib_t) ++manage_files_pattern(rasdaemon_t, rasdaemon_var_lib_t, rasdaemon_var_lib_t) ++files_var_lib_filetrans(rasdaemon_t, rasdaemon_var_lib_t, { dir file }) ++ ++kernel_read_system_state(rasdaemon_t) ++kernel_manage_debugfs(rasdaemon_t) ++ ++dev_read_raw_memory(rasdaemon_t) ++dev_read_sysfs(rasdaemon_t) ++dev_read_urand(rasdaemon_t) ++dev_rw_cpu_microcode(rasdaemon_t) ++ ++modutils_dontaudit_exec_insmod(rasdaemon_t) # more info here #1030277 ++ ++auth_use_nsswitch(rasdaemon_t) ++ ++logging_send_syslog_msg(rasdaemon_t) ++ ++optional_policy(` ++ dmidecode_exec(rasdaemon_t) ++') ++ diff --git a/razor.fc b/razor.fc index 6723f4d..6e26673 100644 
--- a/razor.fc @@ -69682,11 +75134,92 @@ index 5ddedbc..4e15f29 100644 + milter_manage_spamass_state(razor_t) + ') ') +diff --git a/rdisc.fc b/rdisc.fc +index e9765c0..ea21331 100644 +--- a/rdisc.fc ++++ b/rdisc.fc +@@ -1,3 +1,3 @@ +-/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0) ++/usr/lib/systemd/system/rdisc.* -- gen_context(system_u:object_r:rdisc_unit_file_t,s0) + + /usr/sbin/rdisc -- gen_context(system_u:object_r:rdisc_exec_t,s0) +diff --git a/rdisc.if b/rdisc.if +index 170ef52..7dd9193 100644 +--- a/rdisc.if ++++ b/rdisc.if +@@ -18,3 +18,57 @@ interface(`rdisc_exec',` + corecmd_search_bin($1) + can_exec($1, rdisc_exec_t) + ') ++ ++######################################## ++## ++## Execute rdisc server in the rdisc domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`rdisc_systemctl',` ++ gen_require(` ++ type rdisc_t; ++ type rdisc_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 rdisc_unit_file_t:file read_file_perms; ++ allow $1 rdisc_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, rdisc_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an rdisc environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`rdisc_admin',` ++ gen_require(` ++ type rdisc_t; ++ type rdisc_unit_file_t; ++ ') ++ ++ allow $1 rdisc_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, rdisc_t) ++ ++ rdisc_systemctl($1) ++ admin_pattern($1, rdisc_unit_file_t) ++ allow $1 rdisc_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') diff --git a/rdisc.te b/rdisc.te -index 9196c1d..3dac4d9 100644 +index 9196c1d..b775931 100644 --- a/rdisc.te 
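Review bot: `dev_read_raw_memory(rasdaemon_t)` in the new rasdaemon.te gives the daemon read access to the raw memory devices with no comment saying which RAS feature needs it, while the neighbouring `modutils_dontaudit_exec_insmod(rasdaemon_t) # more info here #1030277` does carry a reference. Raw memory read is the broadest permission in this module and should have the same kind of justification, e.g. `# dev_read_raw_memory: <reason — confirm against the denial that motivated it>`; if it was only needed for DMI table lookups, the `dmidecode_exec` optional block may already cover that. The module summary in rasdaemon.if reads `daemon with monitors` and the domtrans description `Execute TEMPLATE in the rasdaemon domin`; these should be `daemon which monitors` and `Execute rasdaemon in the rasdaemon domain`.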
+++ b/rdisc.te -@@ -25,7 +25,6 @@ kernel_list_proc(rdisc_t) +@@ -9,6 +9,9 @@ type rdisc_t; + type rdisc_exec_t; + init_daemon_domain(rdisc_t, rdisc_exec_t) + ++type rdisc_unit_file_t; ++systemd_unit_file(rdisc_unit_file_t) ++ + ######################################## + # + # Local policy +@@ -25,7 +28,6 @@ kernel_list_proc(rdisc_t) kernel_read_proc_symlinks(rdisc_t) kernel_read_kernel_sysctls(rdisc_t) @@ -69694,7 +75227,7 @@ index 9196c1d..3dac4d9 100644 corenet_all_recvfrom_netlabel(rdisc_t) corenet_udp_sendrecv_generic_if(rdisc_t) corenet_raw_sendrecv_generic_if(rdisc_t) -@@ -39,12 +38,9 @@ fs_search_auto_mountpoints(rdisc_t) +@@ -39,12 +41,9 @@ fs_search_auto_mountpoints(rdisc_t) domain_use_interactive_fds(rdisc_t) @@ -70160,10 +75693,10 @@ index 9a8f052..3baa71a 100644 ') diff --git a/redis.fc b/redis.fc new file mode 100644 -index 0000000..638d6b4 +index 0000000..741b785 --- /dev/null +++ b/redis.fc -@@ -0,0 +1,11 @@ +@@ -0,0 +1,12 @@ +/etc/rc\.d/init\.d/redis -- gen_context(system_u:object_r:redis_initrc_exec_t,s0) + +/usr/lib/systemd/system/redis.* -- gen_context(system_u:object_r:redis_unit_file_t,s0) @@ -70175,18 +75708,18 @@ index 0000000..638d6b4 +/var/log/redis(/.*)? gen_context(system_u:object_r:redis_log_t,s0) + +/var/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0) ++/var/run/redis\.sock -- gen_context(system_u:object_r:redis_var_run_t,s0) diff --git a/redis.if b/redis.if new file mode 100644 -index 0000000..72a2d7b +index 0000000..2640ab5 --- /dev/null +++ b/redis.if -@@ -0,0 +1,271 @@ -+ -+## redis-server SELinux policy +@@ -0,0 +1,266 @@ ++## Advanced key-value store + +######################################## +## -+## Execute TEMPLATE in the redis domin. ++## Execute redis server in the redis domin. +## +## +## @@ -70220,6 +75753,7 @@ index 0000000..72a2d7b + + init_labeled_script_domtrans($1, redis_initrc_exec_t) +') ++ +######################################## +## +## Read redis's log files. 
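Review bot: The rewritten summary `## Execute redis server in the redis domin.` in redis.if keeps the `domin` typo from the TEMPLATE line it replaces; it should read `## Execute redis server in the redis domain.`. The same misspelling appears verbatim in the new rasdaemon.if domtrans description a few hunks earlier.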
@@ -70229,7 +75763,6 @@ index 0000000..72a2d7b +## Domain allowed access. +## +## -+## +# +interface(`redis_read_log',` + gen_require(` @@ -70392,14 +75925,13 @@ index 0000000..72a2d7b + ') + + systemd_exec_systemctl($1) -+ systemd_read_fifo_file_password_run($1) ++ systemd_read_fifo_file_passwd_run($1) + allow $1 redis_unit_file_t:file read_file_perms; + allow $1 redis_unit_file_t:service manage_service_perms; + + ps_process_pattern($1, redis_t) +') + -+ +######################################## +## +## All of the rules required to administrate @@ -70419,18 +75951,14 @@ index 0000000..72a2d7b +# +interface(`redis_admin',` + gen_require(` -+ type redis_t; -+ type redis_initrc_exec_t; -+ type redis_log_t; -+ type redis_var_lib_t; -+ type redis_var_run_t; -+ type redis_unit_file_t; ++ type redis_t, redis_initrc_exec_t, redis_var_lib_t; ++ type redis_log_t, redis_var_run_t, redis_unit_file_t; + ') + + allow $1 redis_t:process { ptrace signal_perms }; + ps_process_pattern($1, redis_t) + -+ redis_initrc_domtrans($1) ++ init_labeled_script_domtrans($1, redis_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 redis_initrc_exec_t system_r; + allow $2 system_r; @@ -70447,6 +75975,7 @@ index 0000000..72a2d7b + redis_systemctl($1) + admin_pattern($1, redis_unit_file_t) + allow $1 redis_unit_file_t:service all_service_perms; ++ + optional_policy(` + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) @@ -70454,10 +75983,10 @@ index 0000000..72a2d7b +') diff --git a/redis.te b/redis.te new file mode 100644 -index 0000000..e5e9cf7 +index 0000000..51cd1fe --- /dev/null +++ b/redis.te -@@ -0,0 +1,62 @@ +@@ -0,0 +1,64 @@ +policy_module(redis, 1.0.0) + +######################################## 
@@ -70505,6 +76034,8 @@ index 0000000..e5e9cf7 +manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t) +manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) +manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) ++manage_sock_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) ++files_pid_filetrans(redis_t, redis_var_run_t, { sock_file }) + +kernel_read_system_state(redis_t) + @@ -70528,7 +76059,7 @@ index 327baf0..d8691bd 100644 + # Remote login currently has no file contexts. diff --git a/remotelogin.if b/remotelogin.if -index a9ce68e..31be971 100644 +index a9ce68e..92520aa 100644 --- a/remotelogin.if +++ b/remotelogin.if @@ -1,4 +1,4 @@ @@ -70552,24 +76083,23 @@ index a9ce68e..31be971 100644 ## ## ## -@@ -36,44 +35,3 @@ interface(`remotelogin_signal',` +@@ -39,8 +38,7 @@ interface(`remotelogin_signal',` - allow $1 remote_login_t:process signal; - ') -- --######################################## --## + ######################################## + ## -## Create, read, write, and delete -## remote login temporary content. --## --## --## --## Domain allowed access. --## --## --# ++## allow Domain to signal remote login domain. + ## + ## + ## +@@ -48,32 +46,10 @@ interface(`remotelogin_signal',` + ## + ## + # -interface(`remotelogin_manage_tmp_content',` -- gen_require(` ++interface(`remotelogin_signull',` + gen_require(` - type remote_login_tmp_t; - ') - @@ -70591,12 +76121,14 @@ index a9ce68e..31be971 100644 -interface(`remotelogin_relabel_tmp_content',` - gen_require(` - type remote_login_tmp_t; -- ') -- ++ type remote_login_t; + ') + - files_search_tmp($1) - allow $1 remote_login_tmp_t:dir relabel_dir_perms; - allow $1 remote_login_tmp_t:file relabel_file_perms; --') ++ allow $1 remote_login_t:process signull; + ') diff --git a/remotelogin.te b/remotelogin.te index c51a32c..bef8238 100644 --- a/remotelogin.te @@ -71190,10 +76722,10 @@ index b418d1c..1ad9c12 100644 xen_domtrans_xm(rgmanager_t) ') 
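Review bot: The summary written for the new `remotelogin_signull` interface in remotelogin.if, `## allow Domain to signal remote login domain.`, does not match the rule it wraps, `allow $1 remote_login_t:process signull;`, which grants only a null signal (an existence check) and not `signal`. A maintainer grepping for a signal interface would pick the wrong one; suggest `## Send a null signal to the remote login domain.` so the summary states the permission actually granted. The same hunk removes `remotelogin_manage_tmp_content` and `remotelogin_relabel_tmp_content` outright rather than deprecating them, so it is worth confirming no caller outside this patch still references them.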
diff --git a/rhcs.fc b/rhcs.fc -index 47de2d6..98a4280 100644 +index 47de2d6..5ad36aa 100644 --- a/rhcs.fc +++ b/rhcs.fc -@@ -1,31 +1,85 @@ +@@ -1,31 +1,88 @@ -/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0) -/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0) +/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0) @@ -71252,6 +76784,8 @@ index 47de2d6..98a4280 100644 +/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0) +/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0) +/var/run/haproxy\.pid -- gen_context(system_u:object_r:haproxy_var_run_t,s0) ++/var/run/haproxy\.stat.* -- gen_context(system_u:object_r:haproxy_var_run_t,s0) ++/var/run/haproxy\.sock.* -- gen_context(system_u:object_r:haproxy_var_run_t,s0) +/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0) + +# cluster administrative domains file spec @@ -71275,6 +76809,7 @@ index 47de2d6..98a4280 100644 +/usr/sbin/ldirectord -- gen_context(system_u:object_r:cluster_exec_t,s0) +/usr/sbin/rgmanager -- gen_context(system_u:object_r:cluster_exec_t,s0) +/usr/sbin/pacemakerd -- gen_context(system_u:object_r:cluster_exec_t,s0) ++/usr/sbin/pacemaker_remoted -- gen_context(system_u:object_r:cluster_exec_t,s0) + +/usr/lib/pcsd/pcsd -- gen_context(system_u:object_r:cluster_exec_t,s0) + @@ -71303,7 +76838,7 @@ index 47de2d6..98a4280 100644 +/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) +/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0) diff --git a/rhcs.if b/rhcs.if -index 56bc01f..2e4d698 100644 +index 56bc01f..1337d42 100644 --- a/rhcs.if +++ b/rhcs.if @@ -1,19 +1,19 @@ 
@@ -71552,8 +77087,10 @@ index 56bc01f..2e4d698 100644 + manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) +') + -+######################################## -+## + ######################################## + ## +-## Read and write all cluster domains +-## shared memory. +## Read and write to group shared memory. +## +## @@ -71573,10 +77110,8 @@ index 56bc01f..2e4d698 100644 + manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) +') + - ######################################## - ## --## Read and write all cluster domains --## shared memory. ++######################################## ++## +## Read and write to group shared memory. ## ## @@ -71604,7 +77139,7 @@ index 56bc01f..2e4d698 100644 ## ## ## -@@ -393,36 +423,39 @@ interface(`rhcs_rw_cluster_semaphores',` +@@ -393,20 +423,44 @@ interface(`rhcs_rw_cluster_semaphores',` ## ## # 
@@ -71616,49 +77151,65 @@ index 56bc01f..2e4d698 100644 ') - allow $1 groupd_t:sem { rw_sem_perms destroy }; -- -- fs_search_tmpfs($1) -- manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) + files_search_pids($1) + stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain) - ') ++') --######################################## +- fs_search_tmpfs($1) +- manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) +##################################### - ## --## Read and write groupd shared memory. ++## +## Connect to cluster domains over a unix domain +## stream socket. - ## - ## - ## - ## Domain allowed access. - ## - ## ++## +## +## +## Domain allowed access. +## +## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhcs_stream_connect_cluster_to',` ++ gen_require(` ++ attribute cluster_domain; ++ attribute cluster_pid; ++ ') ++ ++ files_search_pids($1) ++ stream_connect_pattern($1, cluster_pid, cluster_pid, $2) + ') + + ######################################## + ## +-## Read and write groupd shared memory. ++## Send a null signal to cluster. + ## + ## + ## +@@ -414,15 +468,12 @@ interface(`rhcs_rw_groupd_semaphores',` + ## + ## # -interface(`rhcs_rw_groupd_shm',` -+interface(`rhcs_stream_connect_cluster_to',` ++interface(`rhcs_signull_cluster',` gen_require(` - type groupd_t, groupd_tmpfs_t; -+ attribute cluster_domain; -+ attribute cluster_pid; ++ type cluster_t; ') - allow $1 groupd_t:shm { rw_shm_perms destroy }; - - fs_search_tmpfs($1) - manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t) -+ files_search_pids($1) -+ stream_connect_pattern($1, cluster_pid, cluster_pid, $2) ++ allow $1 cluster_t:process signull; ') ###################################### -@@ -446,52 +479,360 @@ interface(`rhcs_domtrans_qdiskd',` +@@ -446,52 +497,361 @@ interface(`rhcs_domtrans_qdiskd',` ######################################## ## 
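Review bot: In the new `rhcs_stream_connect_cluster_to` interface in rhcs.if, `gen_require` pulls in `attribute cluster_domain;` but the body only uses `cluster_pid` and the caller-supplied `$2` (`stream_connect_pattern($1, cluster_pid, cluster_pid, $2)`), so the require is dead and should be dropped to keep the interface's dependencies honest. The parameter documentation above it describes both parameters as `## Domain allowed access.`; the second one is the target domain, so something like `## Domain to connect to over the stream socket.` would tell a caller what `$2` means. The neighbouring `rhcs_signull_cluster` interface in the same hunk is fine as written.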
@@ -71709,7 +77260,11 @@ index 56bc01f..2e4d698 100644 + files_search_var_lib($1) + read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') -+ + +- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t }) +- domain_system_change_exemption($1) +- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r; +- allow $2 system_r; +##################################### +## +## Allow domain to manage cluster lib files @@ -71725,16 +77280,14 @@ index 56bc01f..2e4d698 100644 + type cluster_var_lib_t; + ') -- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t }) -- domain_system_change_exemption($1) -- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r; -- allow $2 system_r; +- files_search_pids($1) +- admin_pattern($1, cluster_pid) + files_search_var_lib($1) + manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') -- files_search_pids($1) -- admin_pattern($1, cluster_pid) +- files_search_locks($1) +- admin_pattern($1, fenced_lock_t) +#################################### +## +## Allow domain to relabel cluster lib files @@ -71755,8 +77308,8 @@ index 56bc01f..2e4d698 100644 + relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t) +') -- files_search_locks($1) -- admin_pattern($1, fenced_lock_t) +- files_search_tmp($1) +- admin_pattern($1, fenced_tmp_t) +###################################### +## +## Execute a domain transition to run cluster administrative domain. 
@@ -71772,14 +77325,14 @@ index 56bc01f..2e4d698 100644 + type cluster_t, cluster_exec_t; + ') -- files_search_tmp($1) -- admin_pattern($1, fenced_tmp_t) +- files_search_var_lib($1) +- admin_pattern($1, qdiskd_var_lib_t) + corecmd_search_bin($1) + domtrans_pattern($1, cluster_exec_t, cluster_t) +') -- files_search_var_lib($1) -- admin_pattern($1, qdiskd_var_lib_t) +- fs_search_tmpfs($1) +- admin_pattern($1, cluster_tmpfs) +####################################### +## +## Execute cluster init scripts in @@ -71795,9 +77348,7 @@ index 56bc01f..2e4d698 100644 + gen_require(` + type cluster_initrc_exec_t; + ') - -- fs_search_tmpfs($1) -- admin_pattern($1, cluster_tmpfs) ++ + init_labeled_script_domtrans($1, cluster_initrc_exec_t) +') + @@ -71911,6 +77462,7 @@ index 56bc01f..2e4d698 100644 + ') + + rw_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t) ++ delete_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t) +') + +##################################### @@ -72048,10 +77600,10 @@ index 56bc01f..2e4d698 100644 + allow $1 cluster_unit_file_t:service all_service_perms; ') diff --git a/rhcs.te b/rhcs.te -index 2c2de9a..26fba30 100644 +index 2c2de9a..4fd3b77 100644 --- a/rhcs.te +++ b/rhcs.te -@@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false) +@@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false) ## gen_tunable(fenced_can_ssh, false) @@ -72076,10 +77628,18 @@ index 2c2de9a..26fba30 100644 +## +gen_tunable(cluster_use_execmem, false) + ++## ++##
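Review bot: The hunk that adds `delete_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t)` next to the existing `rw_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t)` in rhcs.if widens the interface's contract beyond read/write to unlinking, but the interface's name and summary lie outside the hunk so I cannot confirm they still describe it. If this is the `rhcs_rw_cluster_tmpfs` interface referenced elsewhere in this patch, either its summary should mention deletion or the delete permission belongs in a separate `rhcs_manage_cluster_tmpfs`-style interface so callers that only need rw do not silently gain delete. The enclosing interface begins outside this hunk.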

++## Determine whether haproxy can ++## connect to all TCP ports. ++##

++##
++gen_tunable(haproxy_connect_any, false) ++ attribute cluster_domain; attribute cluster_log; attribute cluster_pid; -@@ -44,34 +65,283 @@ type foghorn_initrc_exec_t; +@@ -44,34 +73,283 @@ type foghorn_initrc_exec_t; init_script_file(foghorn_initrc_exec_t) rhcs_domain_template(gfs_controld) @@ -72367,7 +77927,7 @@ index 2c2de9a..26fba30 100644 ') ##################################### -@@ -79,7 +349,7 @@ optional_policy(` +@@ -79,9 +357,11 @@ optional_policy(` # dlm_controld local policy # @@ -72375,15 +77935,19 @@ index 2c2de9a..26fba30 100644 +allow dlm_controld_t self:capability { dac_override net_admin sys_admin sys_resource }; allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms; ++files_pid_filetrans(dlm_controld_t, dlm_controld_var_run_t, dir) ++ stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t) -@@ -98,16 +368,30 @@ fs_manage_configfs_dirs(dlm_controld_t) + stream_connect_pattern(dlm_controld_t, groupd_var_run_t, groupd_var_run_t, groupd_t) + +@@ -98,16 +378,30 @@ fs_manage_configfs_dirs(dlm_controld_t) init_rw_script_tmp_files(dlm_controld_t) +logging_send_syslog_msg(dlm_controld_t) + +optional_policy(` -+ corosync_rw_tmpfs(dlm_controld_t) ++ rhcs_rw_cluster_tmpfs(dlm_controld_t) +') + +optional_policy(` @@ -72395,9 +77959,10 @@ index 2c2de9a..26fba30 100644 # fenced local policy # - allow fenced_t self:capability { sys_rawio sys_resource }; +-allow fenced_t self:capability { sys_rawio sys_resource }; -allow fenced_t self:process { getsched signal_perms }; -allow fenced_t self:tcp_socket { accept listen }; ++allow fenced_t self:capability { net_admin sys_rawio sys_resource }; +allow fenced_t self:process { getsched setpgid signal_perms }; + +allow fenced_t self:tcp_socket create_stream_socket_perms; 
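Review bot: The description added for the `haproxy_connect_any` boolean in rhcs.te, `## Determine whether haproxy can` / `## connect to all TCP ports.`, understates what it switches on: the matching `tunable_policy` block further down in this patch (the rhcs.te hunk in the haproxy local policy section) also grants `corenet_tcp_bind_all_ports(haproxy_t)`, `corenet_sendrecv_all_packets(haproxy_t)` and `corenet_tcp_sendrecv_all_ports(haproxy_t)`, so enabling it lets haproxy listen on any port as well. Since this text is what an administrator sees before flipping the boolean, it should state the full effect, e.g. `## Determine whether haproxy can` / `## connect to and bind any TCP port.`. The same point applies to the tunable_policy hunk itself; I have not repeated it there.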
@@ -72409,7 +77974,7 @@ index 2c2de9a..26fba30 100644 manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t) files_lock_filetrans(fenced_t, fenced_lock_t, file) -@@ -118,9 +402,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) +@@ -118,9 +412,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir }) stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t) @@ -72420,7 +77985,16 @@ index 2c2de9a..26fba30 100644 corecmd_exec_bin(fenced_t) corecmd_exec_shell(fenced_t) -@@ -148,9 +431,7 @@ corenet_tcp_sendrecv_http_port(fenced_t) +@@ -140,6 +433,8 @@ corenet_udp_sendrecv_ionixnetmon_port(fenced_t) + + corenet_sendrecv_zented_server_packets(fenced_t) + corenet_tcp_bind_zented_port(fenced_t) ++corenet_udp_bind_zented_port(fenced_t) ++corenet_tcp_connect_zented_port(fenced_t) + corenet_tcp_sendrecv_zented_port(fenced_t) + + corenet_sendrecv_http_client_packets(fenced_t) +@@ -148,9 +443,7 @@ corenet_tcp_sendrecv_http_port(fenced_t) dev_read_sysfs(fenced_t) dev_read_urand(fenced_t) @@ -72431,7 +78005,7 @@ index 2c2de9a..26fba30 100644 storage_raw_read_fixed_disk(fenced_t) storage_raw_write_fixed_disk(fenced_t) -@@ -160,7 +441,7 @@ term_getattr_pty_fs(fenced_t) +@@ -160,7 +453,7 @@ term_getattr_pty_fs(fenced_t) term_use_generic_ptys(fenced_t) term_use_ptmx(fenced_t) @@ -72440,7 +78014,7 @@ index 2c2de9a..26fba30 100644 tunable_policy(`fenced_can_network_connect',` corenet_sendrecv_all_client_packets(fenced_t) -@@ -182,7 +463,8 @@ optional_policy(` +@@ -182,7 +475,8 @@ optional_policy(` ') optional_policy(` @@ -72450,7 +78024,7 @@ index 2c2de9a..26fba30 100644 ') optional_policy(` -@@ -190,12 +472,12 @@ optional_policy(` +@@ -190,12 +484,12 @@ optional_policy(` ') optional_policy(` @@ -72466,7 +78040,7 @@ index 2c2de9a..26fba30 100644 ') optional_policy(` -@@ -203,6 +485,13 @@ optional_policy(` +@@ -203,6 +497,13 @@ optional_policy(` snmp_manage_var_lib_dirs(fenced_t) ') 
@@ -72480,7 +78054,7 @@ index 2c2de9a..26fba30 100644 ####################################### # # foghorn local policy -@@ -221,16 +510,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) +@@ -221,16 +522,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t) corenet_tcp_connect_agentx_port(foghorn_t) corenet_tcp_sendrecv_agentx_port(foghorn_t) @@ -72501,7 +78075,7 @@ index 2c2de9a..26fba30 100644 snmp_stream_connect(foghorn_t) ') -@@ -257,6 +548,8 @@ storage_getattr_removable_dev(gfs_controld_t) +@@ -257,6 +560,8 @@ storage_getattr_removable_dev(gfs_controld_t) init_rw_script_tmp_files(gfs_controld_t) @@ -72510,7 +78084,7 @@ index 2c2de9a..26fba30 100644 optional_policy(` lvm_exec(gfs_controld_t) dev_rw_lvm_control(gfs_controld_t) -@@ -275,10 +568,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) +@@ -275,10 +580,53 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t) dev_list_sysfs(groupd_t) @@ -72526,13 +78100,14 @@ index 2c2de9a..26fba30 100644 +# + +# bug in haproxy and process vs pid owner -+allow haproxy_t self:capability dac_override; ++allow haproxy_t self:capability { dac_override kill }; + +allow haproxy_t self:capability { chown setgid setuid sys_chroot sys_resource }; +allow haproxy_t self:process { fork setrlimit signal_perms }; +allow haproxy_t self:fifo_file rw_fifo_file_perms; +allow haproxy_t self:unix_stream_socket create_stream_socket_perms; -+allow haproxy_t self:tcp_socket { accept listen }; ++allow haproxy_t self:tcp_socket create_stream_socket_perms; ++allow haproxy_t self: udp_socket create_socket_perms; + +manage_dirs_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t) +manage_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t) 
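Review bot: In the haproxy local policy hunk in rhcs.te, the comment `# bug in haproxy and process vs pid owner` now sits over `allow haproxy_t self:capability { dac_override kill };`, but it explains only `dac_override`; the newly added `kill` capability arrives with no rationale, and since this comment is the justification reviewers will read for the whole line it should say why `kill` is needed too (or `kill` should be on its own line with its own comment). The new rule `allow haproxy_t self: udp_socket create_socket_perms;` has a stray space after the colon that no other rule in this file uses; suggest `allow haproxy_t self:udp_socket create_socket_perms;` for consistency. Both changes are on the new side of this hunk.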
@@ -72540,19 +78115,32 @@ index 2c2de9a..26fba30 100644 +manage_sock_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t) +files_var_lib_filetrans(haproxy_t, haproxy_var_lib_t, { dir file lnk_file }) + ++corenet_sendrecv_unlabeled_packets(haproxy_t) ++ +corenet_tcp_connect_commplex_link_port(haproxy_t) +corenet_tcp_connect_commplex_main_port(haproxy_t) +corenet_tcp_bind_commplex_main_port(haproxy_t) ++corenet_tcp_bind_http_port(haproxy_t) ++corenet_tcp_bind_http_cache_port(haproxy_t) + +corenet_tcp_connect_fmpro_internal_port(haproxy_t) ++corenet_tcp_connect_http_port(haproxy_t) ++corenet_tcp_connect_http_cache_port(haproxy_t) +corenet_tcp_connect_rtp_media_port(haproxy_t) + +sysnet_dns_name_resolve(haproxy_t) + ++tunable_policy(`haproxy_connect_any',` ++ corenet_tcp_connect_all_ports(haproxy_t) ++ corenet_tcp_bind_all_ports(haproxy_t) ++ corenet_sendrecv_all_packets(haproxy_t) ++ corenet_tcp_sendrecv_all_ports(haproxy_t) ++') ++ ###################################### # # qdiskd local policy -@@ -321,6 +643,8 @@ storage_raw_write_fixed_disk(qdiskd_t) +@@ -321,6 +669,8 @@ storage_raw_write_fixed_disk(qdiskd_t) auth_use_nsswitch(qdiskd_t) @@ -72922,21 +78510,25 @@ index 3f32e4b..f97ea42 100644 diff --git a/rhnsd.fc b/rhnsd.fc new file mode 100644 -index 0000000..1936028 +index 0000000..860a91d --- /dev/null +++ b/rhnsd.fc -@@ -0,0 +1,5 @@ +@@ -0,0 +1,9 @@ +/etc/rc\.d/init\.d/rhnsd -- gen_context(system_u:object_r:rhnsd_initrc_exec_t,s0) + ++/usr/lib/systemd/system/rhnsd.* -- gen_context(system_u:object_r:rhnsd_unit_file_t,s0) ++ +/usr/sbin/rhnsd -- gen_context(system_u:object_r:rhnsd_exec_t,s0) + +/var/run/rhnsd\.pid -- gen_context(system_u:object_r:rhnsd_var_run_t,s0) ++ ++/etc/sysconfig/rhn(/.*)? gen_context(system_u:object_r:rhnsd_conf_t,s0) diff --git a/rhnsd.if b/rhnsd.if new file mode 100644 -index 0000000..88087b7 +index 0000000..8a5aaf0 --- /dev/null 
+++ b/rhnsd.if -@@ -0,0 +1,74 @@ +@@ -0,0 +1,118 @@ +## policy for rhnsd + +######################################## @@ -72978,6 +78570,50 @@ index 0000000..88087b7 + +######################################## +## ++## Execute rhnsd server in the rhnsd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`rhnsd_systemctl',` ++ gen_require(` ++ type rhnsd_t; ++ type rhnsd_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 rhnsd_unit_file_t:file read_file_perms; ++ allow $1 rhnsd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, rhnsd_t) ++') ++ ++###################################### ++## ++## Allow the specified domain to manage ++## rhnsd configuration files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rhnsd_manage_config',` ++ gen_require(` ++ type rhnsd_conf_t; ++ ') ++ ++ files_search_etc($1) ++ manage_files_pattern( $1, rhnsd_conf_t, rhnsd_conf_t) ++') ++ ++######################################## ++## +## All of the rules required to administrate +## an rhnsd environment +## @@ -73013,10 +78649,10 @@ index 0000000..88087b7 +') diff --git a/rhnsd.te b/rhnsd.te new file mode 100644 -index 0000000..0e965c3 +index 0000000..898d82c --- /dev/null +++ b/rhnsd.te -@@ -0,0 +1,40 @@ +@@ -0,0 +1,47 @@ +policy_module(rhnsd, 1.0.0) + +######################################## @@ -73034,6 +78670,12 @@ index 0000000..0e965c3 +type rhnsd_initrc_exec_t; +init_script_file(rhnsd_initrc_exec_t) + ++type rhnsd_unit_file_t; ++systemd_unit_file(rhnsd_unit_file_t) ++ ++type rhnsd_conf_t; ++files_config_file(rhnsd_conf_t) ++ +######################################## +# +# rhnsd local policy 
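Review bot: The documentation for the new `rhnsd_systemctl` interface in rhnsd.if looks copied from the domtrans interface above it: it says `## Execute rhnsd server in the rhnsd domain.` with the parameter described as `## Domain allowed to transition.`, yet the body grants `systemd_exec_systemctl($1)`, `allow $1 rhnsd_unit_file_t:service manage_service_perms;` and `ps_process_pattern($1, rhnsd_t)`, i.e. service control, not a domain transition. Suggest `## Execute rhnsd server in the rhnsd domain.` → `## Start, stop and query the rhnsd service via systemctl.` and `## Domain allowed to transition.` → `## Domain allowed access.`. In `rhnsd_manage_config`, `manage_files_pattern( $1, rhnsd_conf_t, rhnsd_conf_t)` has a stray space after the opening parenthesis that the rest of the file does not use.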
@@ -73048,17 +78690,18 @@ index 0000000..0e965c3 +manage_files_pattern(rhnsd_t, rhnsd_var_run_t, rhnsd_var_run_t) +files_pid_filetrans(rhnsd_t, rhnsd_var_run_t, { dir file }) + -+corecmd_exec_bin(rhnsd_t) ++manage_files_pattern(rhnsd_t, rhnsd_conf_t, rhnsd_conf_t) + ++corecmd_exec_bin(rhnsd_t) + +logging_send_syslog_msg(rhnsd_t) + +optional_policy(` -+ # execute rhn_check -+ rpm_domtrans(rhnsd_t) ++ # execute rhn_check ++ rpm_domtrans(rhnsd_t) +') diff --git a/rhsmcertd.if b/rhsmcertd.if -index 6dbc905..78746ef 100644 +index 6dbc905..4b17c93 100644 --- a/rhsmcertd.if +++ b/rhsmcertd.if @@ -1,8 +1,8 @@ @@ -73163,14 +78806,33 @@ index 6dbc905..78746ef 100644 ## -## Connect to rhsmcertd with a -## unix domain stream socket. -+## Read/wirte inherited lock files. ++## Read rhsmcertd PID files. ## ## ## -@@ -207,6 +202,26 @@ interface(`rhsmcertd_read_pid_files',` +@@ -207,6 +202,45 @@ interface(`rhsmcertd_read_pid_files',` ## ## # ++interface(`rhsmcertd_manage_pid_files',` ++ gen_require(` ++ type rhsmcertd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ manage_files_pattern($1, rhsmcertd_var_run_t, rhsmcertd_var_run_t) ++') ++ ++######################################## ++## ++## Read/wirte inherited lock files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`rhsmcertd_rw_inherited_lock_files',` + gen_require(` + type rhsmcertd_lock_t; @@ -73194,7 +78856,7 @@ index 6dbc905..78746ef 100644 interface(`rhsmcertd_stream_connect',` gen_require(` type rhsmcertd_t, rhsmcertd_var_run_t; -@@ -239,30 +254,29 @@ interface(`rhsmcertd_dbus_chat',` +@@ -239,30 +273,29 @@ interface(`rhsmcertd_dbus_chat',` ###################################### ## @@ -73238,7 +78900,7 @@ index 6dbc905..78746ef 100644 ## ## ## -@@ -270,35 +284,41 @@ interface(`rhsmcertd_dontaudit_dbus_chat',` +@@ -270,35 +303,41 @@ interface(`rhsmcertd_dontaudit_dbus_chat',` ## ## ## 
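Review bot: The rhsmcertd.if hunk that introduces `rhsmcertd_manage_pid_files` and `rhsmcertd_rw_inherited_lock_files` carries the typo `## Read/wirte inherited lock files.` into the new interface's summary; it should read `## Read/write inherited lock files.`. The hunk does fix the summary of the preceding interface to `## Read rhsmcertd PID files.`, so this one appears to have been overlooked.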
@@ -73270,24 +78932,24 @@ index 6dbc905..78746ef 100644 + tunable_policy(`deny_ptrace',`',` + allow $1 rhsmcertd_t:process ptrace; + ') - -- logging_search_logs($1) -- admin_pattern($1, rhsmcertd_log_t) ++ + rhsmcertd_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 rhsmcertd_initrc_exec_t system_r; + allow $2 system_r; -- files_search_var_lib($1) -- admin_pattern($1, rhsmcertd_var_lib_t) +- logging_search_logs($1) +- admin_pattern($1, rhsmcertd_log_t) + logging_search_logs($1) + admin_pattern($1, rhsmcertd_log_t) -- files_search_pids($1) -- admin_pattern($1, rhsmcertd_var_run_t) +- files_search_var_lib($1) +- admin_pattern($1, rhsmcertd_var_lib_t) + files_search_var_lib($1) + admin_pattern($1, rhsmcertd_var_lib_t) -+ + +- files_search_pids($1) +- admin_pattern($1, rhsmcertd_var_run_t) + files_search_pids($1) + admin_pattern($1, rhsmcertd_var_run_t) + @@ -73298,7 +78960,7 @@ index 6dbc905..78746ef 100644 - admin_pattern($1, rhsmcertd_lock_t) ') diff --git a/rhsmcertd.te b/rhsmcertd.te -index 1cedd70..0369e30 100644 +index 1cedd70..d193f7a 100644 --- a/rhsmcertd.te +++ b/rhsmcertd.te @@ -30,14 +30,13 @@ files_pid_file(rhsmcertd_var_run_t) @@ -73319,12 +78981,15 @@ index 1cedd70..0369e30 100644 manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t) files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file) -@@ -52,21 +51,39 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) +@@ -51,22 +50,47 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) + kernel_read_network_state(rhsmcertd_t) kernel_read_system_state(rhsmcertd_t) - -+corenet_tcp_connect_http_port(rhsmcertd_t) ++kernel_read_sysctl(rhsmcertd_t) + ++corenet_tcp_connect_http_port(rhsmcertd_t) ++corenet_tcp_connect_squid_port(rhsmcertd_t) + corecmd_exec_bin(rhsmcertd_t) +corecmd_exec_shell(rhsmcertd_t) 
@@ -73340,11 +79005,11 @@ index 1cedd70..0369e30 100644 +files_manage_system_conf_files(rhsmcertd_t) + +auth_read_passwd(rhsmcertd_t) ++ ++init_read_state(rhsmcertd_t) -miscfiles_read_localization(rhsmcertd_t) -miscfiles_read_generic_certs(rhsmcertd_t) -+init_read_state(rhsmcertd_t) -+ +logging_send_syslog_msg(rhsmcertd_t) + +miscfiles_manage_cert_files(rhsmcertd_t) @@ -73361,7 +79026,12 @@ index 1cedd70..0369e30 100644 +') + +optional_policy(` ++ rhnsd_manage_config(rhsmcertd_t) ++') ++ ++optional_policy(` rpm_read_db(rhsmcertd_t) ++ rpm_signull(rhsmcertd_t) ') diff --git a/ricci.if b/ricci.if index 2ab3ed1..23d579c 100644 
@@ -73752,6 +79422,68 @@ index 9702ed2..a265af9 100644 optional_policy(` ccs_stream_connect(ricci_modstorage_t) +diff --git a/rkhunter.fc b/rkhunter.fc +new file mode 100644 +index 0000000..645a9cc +--- /dev/null ++++ b/rkhunter.fc +@@ -0,0 +1 @@ ++/var/lib/rkhunter(/.*)? gen_context(system_u:object_r:rkhunter_var_lib_t,s0) +diff --git a/rkhunter.if b/rkhunter.if +new file mode 100644 +index 0000000..0be4cee +--- /dev/null ++++ b/rkhunter.if +@@ -0,0 +1,39 @@ ++## policy for rkhunter ++ ++######################################## ++## ++## Append rkhunter lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rkhunter_append_lib_files',` ++ gen_require(` ++ type rkhunter_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ append_files_pattern($1, rkhunter_var_lib_t, rkhunter_var_lib_t) ++') ++ ++######################################## ++## ++## Manage rkhunter lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rkhunter_manage_lib_files',` ++ gen_require(` ++ type rkhunter_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, rkhunter_var_lib_t, rkhunter_var_lib_t) ++') +diff --git a/rkhunter.te b/rkhunter.te +new file mode 100644 +index 0000000..aa2d09e +--- /dev/null ++++ b/rkhunter.te +@@ -0,0 +1,4 @@ ++policy_module(rhhunter, 1.0) ++ ++type rkhunter_var_lib_t; ++files_type(rkhunter_var_lib_t) diff --git a/rlogin.fc b/rlogin.fc index f111877..e361ee9 100644 --- a/rlogin.fc @@ -74544,7 +80276,7 @@ index 3bd6446..eec0a35 100644 + allow $1 var_lib_nfs_t:file relabel_file_perms; ') diff --git a/rpc.te b/rpc.te -index e5212e6..022f7fc 100644 +index e5212e6..fa69f22 100644 --- a/rpc.te +++ b/rpc.te @@ -1,4 +1,4 @@ 
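Review bot: The new rkhunter.te declares `policy_module(rhhunter, 1.0)`, which does not match the file name (`rkhunter.te`), the type it defines (`rkhunter_var_lib_t`) or the interface prefix in rkhunter.if (`rkhunter_append_lib_files`, `rkhunter_manage_lib_files`); the module would be registered under the misspelled name, which is what `semodule -l` and any `modules-*.conf` entry will have to match. Suggest `policy_module(rkhunter, 1.0.0)`, which also brings the version into the three-part form the other new modules in this patch use (`policy_module(redis, 1.0.0)`, `policy_module(rhnsd, 1.0.0)`).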
@@ -74730,35 +80462,38 @@ index e5212e6..022f7fc 100644 optional_policy(` automount_signal(rpcd_t) -@@ -174,19 +110,23 @@ optional_policy(` +@@ -174,19 +110,27 @@ optional_policy(` ') optional_policy(` -- nis_read_ypserv_config(rpcd_t) + domain_unconfined_signal(rpcd_t) ++') ++ ++optional_policy(` ++ quota_manage_db(rpcd_t) ++') ++ ++optional_policy(` + nis_read_ypserv_config(rpcd_t) ') optional_policy(` - quota_manage_db_files(rpcd_t) -+ quota_manage_db(rpcd_t) ++ quota_read_db(rpcd_t) ') optional_policy(` - rgmanager_manage_tmp_files(rpcd_t) -+ nis_read_ypserv_config(rpcd_t) ++ rhcs_manage_cluster_tmp_files(rpcd_t) ') optional_policy(` - unconfined_signal(rpcd_t) -+ quota_read_db(rpcd_t) -+') -+ -+optional_policy(` -+ rhcs_manage_cluster_tmp_files(rpcd_t) ++ samba_stream_connect_nmbd(rpcd_t) ') ######################################## -@@ -195,41 +135,56 @@ optional_policy(` +@@ -195,41 +139,56 @@ optional_policy(` # allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource }; @@ -74823,7 +80558,7 @@ index e5212e6..022f7fc 100644 miscfiles_manage_public_files(nfsd_t) ') -@@ -238,7 +193,6 @@ tunable_policy(`nfs_export_all_rw',` +@@ -238,7 +197,6 @@ tunable_policy(`nfs_export_all_rw',` dev_getattr_all_chr_files(nfsd_t) fs_read_noxattr_fs_files(nfsd_t) @@ -74831,7 +80566,7 @@ index e5212e6..022f7fc 100644 ') tunable_policy(`nfs_export_all_ro',` -@@ -250,12 +204,12 @@ tunable_policy(`nfs_export_all_ro',` +@@ -250,12 +208,12 @@ tunable_policy(`nfs_export_all_ro',` fs_read_noxattr_fs_files(nfsd_t) 
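Review bot: After this rpc.te hunk, `rpcd_t` is granted both `quota_manage_db(rpcd_t)` in the newly added optional_policy block and `quota_read_db(rpcd_t)` in the block below it; if the manage interface is a superset of the read one, as the naming convention implies, the second grant is redundant and one of the two blocks should go. Keeping both makes it look as though two different access levels are intended, which will mislead the next person tightening this domain.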
@@ -74846,7 +80581,16 @@ index e5212e6..022f7fc 100644 ') ######################################## -@@ -271,6 +225,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) +@@ -263,7 +221,7 @@ optional_policy(` + # GSSD local policy + # + +-allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice }; ++allow gssd_t self:capability { dac_override dac_read_search setuid setgid sys_nice }; + allow gssd_t self:process { getsched setsched }; + allow gssd_t self:fifo_file rw_fifo_file_perms; + +@@ -271,6 +229,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir }) @@ -74854,7 +80598,7 @@ index e5212e6..022f7fc 100644 kernel_read_network_state(gssd_t) kernel_read_network_state_symlinks(gssd_t) kernel_request_load_module(gssd_t) -@@ -279,25 +234,29 @@ kernel_signal(gssd_t) +@@ -279,25 +238,30 @@ kernel_signal(gssd_t) corecmd_exec_bin(gssd_t) @@ -74876,6 +80620,7 @@ index e5212e6..022f7fc 100644 miscfiles_read_generic_certs(gssd_t) userdom_signal_all_users(gssd_t) ++userdom_manage_all_users_keys(gssd_t) -tunable_policy(`allow_gssd_read_tmp',` +tunable_policy(`gssd_read_tmp',` @@ -74887,7 +80632,7 @@ index e5212e6..022f7fc 100644 ') optional_policy(` -@@ -306,8 +265,11 @@ optional_policy(` +@@ -306,8 +270,11 @@ optional_policy(` optional_policy(` kerberos_keytab_template(gssd, gssd_t) @@ -75083,10 +80828,10 @@ index c49828c..56cb0c2 100644 sysnet_dns_name_resolve(rpcbind_t) diff --git a/rpm.fc b/rpm.fc -index ebe91fc..6392cad 100644 +index ebe91fc..576ca21 100644 --- a/rpm.fc +++ b/rpm.fc -@@ -1,61 +1,72 @@ +@@ -1,61 +1,74 @@ -/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0) -/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:rpm_initrc_exec_t,s0) 
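Review bot: The new `userdom_manage_all_users_keys(gssd_t)` in the gssd section of rpc.te is the broadest single grant in this part of the patch, giving the daemon write access to every user's kernel keyring, and it lands with no comment explaining the need. A one-line why-comment, e.g. `# rpc.gssd needs rw access to user keyrings (reason/bug: TODO fill in)`, would let a later reviewer decide whether a narrower interface is enough. The `setgid` capability added to `gssd_t` a few hunks earlier in the same file would benefit from the same treatment.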
@@ -75116,6 +80861,8 @@ index ebe91fc..6392cad 100644 /usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt -- gen_context(system_u:object_r:rpm_exec_t,s0) ++ ++/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/sbin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0) 
@@ -75134,25 +80881,14 @@ index ebe91fc..6392cad 100644 -/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0) -/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) -/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) --') -+/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0) - --/usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0) --/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/sbin/yum-cron -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0) - --/var/cache/bcfg2(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) --/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) ++ +/usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0) - --/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) --/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) --/var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) --/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) ++ +ifdef(`distro_redhat', ` +/usr/sbin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/package-cleanup -- gen_context(system_u:object_r:rpm_exec_t,s0) 
@@ -75166,31 +80902,41 @@ index ebe91fc..6392cad 100644 +/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0) +/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0) -+') -+ + ') + +-/usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0) +-/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0) +/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) +/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) +/var/cache/dnf(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) --/var/lock/bcfg2\.run -- gen_context(system_u:object_r:rpm_lock_t,s0) +-/var/cache/bcfg2(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) +-/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) +/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +/var/lib/dnf(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +-/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +-/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +-/var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) +-/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) ++/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0) ++/var/log/up2date.* -- gen_context(system_u:object_r:rpm_log_t,s0) + +-/var/lock/bcfg2\.run -- gen_context(system_u:object_r:rpm_lock_t,s0) + -/var/log/YaST2(/.*)? gen_context(system_u:object_r:rpm_log_t,s0) -/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0) -+/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0) ++/var/spool/up2date(/.*)? 
gen_context(system_u:object_r:rpm_var_cache_t,s0) -/var/spool/up2date(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) -+/var/spool/up2date(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) ++/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0) ++/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) -/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0) -/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) -+/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0) -+/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) -+ +# SuSE +ifdef(`distro_suse', ` +/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -75204,7 +80950,7 @@ index ebe91fc..6392cad 100644 +/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) ') diff --git a/rpm.if b/rpm.if -index 0628d50..cafc027 100644 +index 0628d50..e9dbd7e 100644 --- a/rpm.if +++ b/rpm.if @@ -1,8 +1,8 @@ @@ -75463,16 +81209,34 @@ index 0628d50..cafc027 100644 ##
## ## -@@ -302,7 +378,7 @@ interface(`rpm_manage_log',` +@@ -302,7 +378,25 @@ interface(`rpm_manage_log',` ######################################## ## -## Inherit and use rpm script file descriptors. ++## Create rpm logs with an correct label. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rpm_named_filetrans_log_files',` ++ gen_require(` ++ type rpm_log_t; ++ ') ++ logging_log_named_filetrans($1, rpm_log_t, file, "yum.log") ++ logging_log_named_filetrans($1, rpm_log_t, file, "up2date") ++') ++ ++######################################## ++## +## Inherit and use file descriptors from RPM scripts. ## ## ## -@@ -320,8 +396,8 @@ interface(`rpm_use_script_fds',` +@@ -320,8 +414,8 @@ interface(`rpm_use_script_fds',` ######################################## ## @@ -75483,7 +81247,7 @@ index 0628d50..cafc027 100644 ## ## ## -@@ -335,12 +411,15 @@ interface(`rpm_manage_script_tmp_files',` +@@ -335,12 +429,15 @@ interface(`rpm_manage_script_tmp_files',` ') files_search_tmp($1) @@ -75500,7 +81264,7 @@ index 0628d50..cafc027 100644 ## ## ## -@@ -353,14 +432,13 @@ interface(`rpm_append_tmp_files',` +@@ -353,14 +450,13 @@ interface(`rpm_append_tmp_files',` type rpm_tmp_t; ') @@ -75518,7 +81282,7 @@ index 0628d50..cafc027 100644 ## ## ## -@@ -374,12 +452,14 @@ interface(`rpm_manage_tmp_files',` +@@ -374,12 +470,14 @@ interface(`rpm_manage_tmp_files',` ') files_search_tmp($1) @@ -75534,7 +81298,7 @@ index 0628d50..cafc027 100644 ## ## ## -@@ -399,7 +479,7 @@ interface(`rpm_read_script_tmp_files',` +@@ -399,7 +497,7 @@ interface(`rpm_read_script_tmp_files',` ######################################## ## @@ -75543,7 +81307,7 @@ index 0628d50..cafc027 100644 ## ## ## -@@ -420,8 +500,7 @@ interface(`rpm_read_cache',` +@@ -420,8 +518,7 @@ interface(`rpm_read_cache',` ######################################## ## 
@@ -75553,7 +81317,7 @@ index 0628d50..cafc027 100644 ## ## ## -@@ -442,7 +521,7 @@ interface(`rpm_manage_cache',` +@@ -442,7 +539,7 @@ interface(`rpm_manage_cache',` ######################################## ## @@ -75562,7 +81326,7 @@ index 0628d50..cafc027 100644 ## ## ## -@@ -459,11 +538,12 @@ interface(`rpm_read_db',` +@@ -459,11 +556,12 @@ interface(`rpm_read_db',` allow $1 rpm_var_lib_t:dir list_dir_perms; read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) @@ -75576,7 +81340,7 @@ index 0628d50..cafc027 100644 ## ## ## -@@ -482,8 +562,7 @@ interface(`rpm_delete_db',` +@@ -482,8 +580,7 @@ interface(`rpm_delete_db',` ######################################## ## @@ -75586,7 +81350,7 @@ index 0628d50..cafc027 100644 ## ## ## -@@ -503,8 +582,28 @@ interface(`rpm_manage_db',` +@@ -503,8 +600,28 @@ interface(`rpm_manage_db',` ######################################## ## @@ -75616,7 +81380,7 @@ index 0628d50..cafc027 100644 ## ## ## -@@ -517,7 +616,7 @@ interface(`rpm_dontaudit_manage_db',` +@@ -517,7 +634,7 @@ interface(`rpm_dontaudit_manage_db',` type rpm_var_lib_t; ') @@ -75625,7 +81389,7 @@ index 0628d50..cafc027 100644 dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') -@@ -543,8 +642,7 @@ interface(`rpm_read_pid_files',` +@@ -543,8 +660,7 @@ interface(`rpm_read_pid_files',` ##################################### ## @@ -75635,7 +81399,7 @@ index 0628d50..cafc027 100644 ## ## ## -@@ -563,8 +661,7 @@ interface(`rpm_manage_pid_files',` +@@ -563,8 +679,7 @@ interface(`rpm_manage_pid_files',` ###################################### ## @@ -75645,7 +81409,7 @@ index 0628d50..cafc027 100644 ## ## ## -@@ -573,94 +670,72 @@ interface(`rpm_manage_pid_files',` +@@ -573,94 +688,72 @@ interface(`rpm_manage_pid_files',` ## # interface(`rpm_pid_filetrans',` @@ -75777,7 +81541,7 @@ index 0628d50..cafc027 100644 + allow rpm_script_t $1:process sigchld; ') 
diff --git a/rpm.te b/rpm.te -index 5cbe81c..5b28e97 100644 +index 5cbe81c..a461faa 100644 --- a/rpm.te +++ b/rpm.te @@ -1,15 +1,13 @@ @@ -76068,7 +81832,7 @@ index 5cbe81c..5b28e97 100644 kernel_read_crypto_sysctls(rpm_script_t) kernel_read_kernel_sysctls(rpm_script_t) -@@ -277,45 +293,27 @@ kernel_read_network_state(rpm_script_t) +@@ -277,45 +293,29 @@ kernel_read_network_state(rpm_script_t) kernel_list_all_proc(rpm_script_t) kernel_read_software_raid_state(rpm_script_t) @@ -76083,6 +81847,8 @@ index 5cbe81c..5b28e97 100644 -corenet_tcp_sendrecv_http_port(rpm_script_t) - -corecmd_exec_all_executables(rpm_script_t) ++# needed by unbound-anchor ++corenet_udp_bind_all_unreserved_ports(rpm_script_t) dev_list_sysfs(rpm_script_t) + @@ -76118,7 +81884,7 @@ index 5cbe81c..5b28e97 100644 mls_file_read_all_levels(rpm_script_t) mls_file_write_all_levels(rpm_script_t) -@@ -331,30 +329,48 @@ storage_raw_write_fixed_disk(rpm_script_t) +@@ -331,30 +331,52 @@ storage_raw_write_fixed_disk(rpm_script_t) term_getattr_unallocated_ttys(rpm_script_t) term_list_ptys(rpm_script_t) @@ -76145,6 +81911,9 @@ index 5cbe81c..5b28e97 100644 +files_exec_usr_files(rpm_script_t) +files_relabel_all_files(rpm_script_t) + ++init_disable_services(rpm_script_t) ++init_enable_services(rpm_script_t) ++init_reload_services(rpm_script_t) init_domtrans_script(rpm_script_t) init_telinit(rpm_script_t) @@ -76156,6 +81925,7 @@ index 5cbe81c..5b28e97 100644 +libs_ldconfig_exec_entry_type(rpm_script_t) logging_send_syslog_msg(rpm_script_t) ++logging_send_audit_msgs(rpm_script_t) -miscfiles_read_localization(rpm_script_t) - @@ -76176,7 +81946,7 @@ index 5cbe81c..5b28e97 100644 ifdef(`distro_redhat',` optional_policy(` -@@ -363,41 +379,61 @@ ifdef(`distro_redhat',` +@@ -363,41 +385,71 @@ ifdef(`distro_redhat',` ') ') 
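Review bot: `corenet_udp_bind_all_unreserved_ports(rpm_script_t)` grants every package scriptlet the right to bind any unreserved UDP port on the strength of one consumer, and the comment records the consumer but not the operation, so nobody can later tell whether a narrower port interface would do. If the need is an ephemeral source port for a DNS lookup in a %post, record that: `# needed by unbound-anchor: %post does a DNS lookup and binds an ephemeral UDP port`. If rpm_script_t is made unconfined by an optional block elsewhere in rpm.te (not visible here), this grant only matters on builds that omit that module, which is one more reason to document why it is there. The same documentation point applies to the `init_enable_services`/`init_disable_services`/`init_reload_services` and `logging_send_audit_msgs` lines added further down on this line, which carry no comment at all.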
@@ -76191,11 +81961,19 @@ index 5cbe81c..5b28e97 100644 +') + +optional_policy(` ++ bind_systemctl(rpm_script_t) ++') ++ ++optional_policy(` + certmonger_dbus_chat(rpm_script_t) +') + +optional_policy(` + cups_filetrans_named_content(rpm_script_t) ++') ++ ++optional_policy(` ++ sblim_filetrans_named_content(rpm_script_t) ') optional_policy(` @@ -76206,6 +81984,8 @@ index 5cbe81c..5b28e97 100644 - ') + optional_policy(` + systemd_dbus_chat_logind(rpm_script_t) ++ systemd_dbus_chat_timedated(rpm_script_t) ++ systemd_dbus_chat_localed(rpm_script_t) + ') +') + @@ -76248,7 +82028,7 @@ index 5cbe81c..5b28e97 100644 optional_policy(` java_domtrans_unconfined(rpm_script_t) -@@ -409,6 +445,6 @@ optional_policy(` +@@ -409,6 +461,6 @@ optional_policy(` ') optional_policy(` @@ -76709,7 +82489,7 @@ index f1140ef..8afe362 100644 + files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock") ') diff --git a/rsync.te b/rsync.te -index e3e7c96..ec50426 100644 +index e3e7c96..d7db2d9 100644 --- a/rsync.te +++ b/rsync.te @@ -1,4 +1,4 @@ @@ -76836,7 +82616,7 @@ index e3e7c96..ec50426 100644 logging_log_filetrans(rsync_t, rsync_log_t, file) manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t) -@@ -108,91 +96,80 @@ kernel_read_kernel_sysctls(rsync_t) +@@ -108,91 +96,78 @@ kernel_read_kernel_sysctls(rsync_t) kernel_read_system_state(rsync_t) kernel_read_network_state(rsync_t) @@ -76902,9 +82682,7 @@ index e3e7c96..ec50426 100644 + +tunable_policy(`rsync_full_access',` + allow rsync_t self:capability { dac_override dac_read_search }; -+ files_manage_non_security_dirs(rsync_t) -+ files_manage_non_security_files(rsync_t) -+ #files_relabel_non_security_files(rsync_t) ++ files_manage_non_auth_files(rsync_t) ') tunable_policy(`rsync_export_all_ro',` @@ -76967,7 +82745,7 @@ index e3e7c96..ec50426 100644 ') diff --git a/rtas.fc b/rtas.fc new file mode 100644 -index 0000000..25d96cb +index 0000000..4552e91 --- /dev/null +++ b/rtas.fc @@ -0,0 +1,13 @@ 
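Review bot: In the `rsync_full_access` tunable the pair `files_manage_non_security_dirs(rsync_t)` / `files_manage_non_security_files(rsync_t)` is replaced by the single call `files_manage_non_auth_files(rsync_t)`, so the explicit directory rule is gone; if that interface does not itself include a manage rule for directories, rsync with full access can no longer create or remove directories in exported trees, which should be confirmed against files.if before this lands. Switching from the non_security attribute to non_auth looks like a deliberate narrowing (presumably to keep auth files such as shadow out of reach), and since the old `#files_relabel_non_security_files` comment was dropped, a one-line comment stating that intent, e.g. `# non_auth: full access must not reach auth files`, would keep it from being "fixed" back later. The `dac_override dac_read_search` capability grant in the same block is unchanged by this commit.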
@@ -76979,23 +82757,23 @@ index 0000000..25d96cb +/var/lock/.*librtas -- gen_context(system_u:object_r:rtas_errd_var_lock_t) + +/var/log/rtas_errd.* -- gen_context(system_u:object_r:rtas_errd_log_t) -+/var/log/platform -- gen_context(system_u:object_r:rtas_errd_log_t) -+/var/log/epow_status -- gen_context(system_u:object_r:rtas_errd_log_t) ++/var/log/platform.* -- gen_context(system_u:object_r:rtas_errd_log_t) ++/var/log/epow_status.* -- gen_context(system_u:object_r:rtas_errd_log_t) + +/var/run/rtas_errd.* -- gen_context(system_u:object_r:rtas_errd_var_run_t,s0) + diff --git a/rtas.if b/rtas.if new file mode 100644 -index 0000000..9381936 +index 0000000..0ec3302 --- /dev/null +++ b/rtas.if -@@ -0,0 +1,166 @@ +@@ -0,0 +1,162 @@ + -+## rtas_errd - Platform diagnostics report firmware events ++## Platform diagnostics report firmware events. + +######################################## +## -+## Execute TEMPLATE in the rtas_errd domin. ++## Execute rtas_errd in the rtas_errd domin. +## +## +## @@ -77011,6 +82789,7 @@ index 0000000..9381936 + corecmd_search_bin($1) + domtrans_pattern($1, rtas_errd_exec_t, rtas_errd_t) +') ++ +######################################## +## +## Read rtas_errd's log files. @@ -77070,6 +82849,7 @@ index 0000000..9381936 + manage_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t) + manage_lnk_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t) +') ++ +######################################## +## +## Read rtas_errd PID files. @@ -77106,7 +82886,7 @@ index 0000000..9381936 + ') + + systemd_exec_systemctl($1) -+ systemd_read_fifo_file_passwd_run($1) ++ systemd_read_fifo_file_passwd_run($1) + allow $1 rtas_errd_unit_file_t:file read_file_perms; + allow $1 rtas_errd_unit_file_t:service manage_service_perms; + 
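Review bot: The rewritten rtas.fc entries `/var/log/platform.*` and `/var/log/epow_status.*` pass no sensitivity to gen_context, while `/var/run/rtas_errd.*` in the same file passes `s0`; on an MCS/MLS build the two-argument form presumably yields an incomplete context, so these lines should read `/var/log/platform.* -- gen_context(system_u:object_r:rtas_errd_log_t,s0)` and `/var/log/epow_status.* -- gen_context(system_u:object_r:rtas_errd_log_t,s0)`. The neighbouring `/var/lock/.*librtas` and `/var/log/rtas_errd.*` entries, which this commit leaves as context, have the same omission and should be fixed in the same pass. In rtas.if the rewritten summary still says "in the rtas_errd domin"; since the line is being touched anyway, make it `## Execute rtas_errd in the rtas_errd domain.`.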
@@ -77124,19 +82904,12 @@ index 0000000..9381936 +## Domain allowed access. +## +## -+## -+## -+## Role allowed access. -+## -+## -+## +# +interface(`rtas_errd_admin',` + gen_require(` + type rtas_errd_t; -+ type rtas_errd_log_t; -+ type rtas_errd_var_run_t; -+ type rtas_errd_unit_file_t; ++ type rtas_errd_log_t, rtas_errd_var_run_t; ++ type rtas_errd_unit_file_t; + ') + + allow $1 rtas_errd_t:process { ptrace signal_perms }; @@ -77151,6 +82924,7 @@ index 0000000..9381936 + rtas_errd_systemctl($1) + admin_pattern($1, rtas_errd_unit_file_t) + allow $1 rtas_errd_unit_file_t:service all_service_perms; ++ + optional_policy(` + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) @@ -77158,10 +82932,10 @@ index 0000000..9381936 +') diff --git a/rtas.te b/rtas.te new file mode 100644 -index 0000000..4e6663f +index 0000000..9a5164c --- /dev/null +++ b/rtas.te -@@ -0,0 +1,60 @@ +@@ -0,0 +1,95 @@ +policy_module(rtas, 1.0.0) + +######################################## @@ -77185,13 +82959,19 @@ index 0000000..4e6663f +type rtas_errd_unit_file_t; +systemd_unit_file(rtas_errd_unit_file_t) + ++type rtas_errd_tmp_t; ++files_tmp_file(rtas_errd_tmp_t) ++ ++type rtas_errd_tmpfs_t; ++files_tmpfs_file(rtas_errd_tmpfs_t) ++ +######################################## +# +# rtas_errd local policy +# + -+allow rtas_errd_t self:capability sys_admin; -+allow rtas_errd_t self:process fork; ++allow rtas_errd_t self:capability { net_admin chown sys_admin }; ++allow rtas_errd_t self:process { fork signull }; +allow rtas_errd_t self:fifo_file rw_fifo_file_perms; +allow rtas_errd_t self:unix_stream_socket create_stream_socket_perms; + 
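Review bot: The rtas_errd_t self capability set grows from `sys_admin` to `{ net_admin chown sys_admin }` with no comment saying which operation of a platform-diagnostics daemon needs `net_admin`; following the convention the rpm.te hunk uses (`# needed by unbound-anchor`), add a line such as `# net_admin: <operation that triggers the denial>` above the allow so the grant can be revisited. The same goes for `signull` on self:process. The shrunken `rtas_errd_admin` documentation (role parameter removed) matches the single-argument interface, so that part is consistent.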
@@ -77209,19 +82989,48 @@ index 0000000..4e6663f +manage_lnk_files_pattern(rtas_errd_t, rtas_errd_var_run_t, rtas_errd_var_run_t) +files_pid_filetrans(rtas_errd_t, rtas_errd_var_run_t, { dir file lnk_file }) + ++manage_files_pattern(rtas_errd_t, rtas_errd_tmp_t, rtas_errd_tmp_t) ++manage_dirs_pattern(rtas_errd_t, rtas_errd_tmp_t, rtas_errd_tmp_t) ++files_tmp_filetrans(rtas_errd_t, rtas_errd_tmp_t, { file dir }) ++ ++manage_files_pattern(rtas_errd_t, rtas_errd_tmpfs_t, rtas_errd_tmpfs_t) ++manage_dirs_pattern(rtas_errd_t, rtas_errd_tmpfs_t, rtas_errd_tmpfs_t) ++fs_tmpfs_filetrans(rtas_errd_t, rtas_errd_tmpfs_t, { file dir }) ++ ++kernel_read_all_sysctls(rtas_errd_t) +kernel_read_system_state(rtas_errd_t) ++kernel_read_network_state(rtas_errd_t) ++ ++domain_read_all_domains_state(rtas_errd_t) + +auth_use_nsswitch(rtas_errd_t) + +corecmd_exec_bin(rtas_errd_t) + ++dev_read_rand(rtas_errd_t) ++dev_read_urand(rtas_errd_t) +dev_read_raw_memory(rtas_errd_t) +dev_write_raw_memory(rtas_errd_t) ++dev_read_sysfs(rtas_errd_t) ++dev_rw_nvram(rtas_errd_t) + +files_manage_system_db_files(rtas_errd_t) + ++logging_send_syslog_msg(rtas_errd_t) +logging_read_generic_logs(rtas_errd_t) + ++optional_policy(` ++ hostname_exec(rtas_errd_t) ++') ++ ++optional_policy(` ++ rpm_exec(rtas_errd_t) ++ rpm_dontaudit_manage_db(rtas_errd_t) ++') ++ ++optional_policy(` ++ unconfined_domain(rtas_errd_t) ++') diff --git a/rtkit.if b/rtkit.if index bd35afe..051addd 100644 --- a/rtkit.if @@ -77375,10 +83184,10 @@ index 9927d29..6746952 100644 +userdom_getattr_user_terminals(rwho_t) + diff --git a/samba.fc b/samba.fc -index b8b66ff..2ccac49 100644 +index b8b66ff..d1fa967 100644 --- a/samba.fc +++ b/samba.fc -@@ -1,42 +1,54 @@ +@@ -1,42 +1,55 @@ -/etc/rc\.d/init\.d/nmb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) -/etc/rc\.d/init\.d/smb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0) + 
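Review bot: The new `optional_policy(` block calling `unconfined_domain(rtas_errd_t)` appears to make every rule above it moot wherever the unconfined module is loaded, so the raw-memory, nvram, `net_admin` and `domain_read_all_domains_state` grants become unbounded rather than the carefully enumerated set the rest of the file suggests. If the aim is to avoid breaking the daemon while the policy is new, `permissive rtas_errd_t;` keeps the domain confined by intent and leaves AVC denials visible in the audit log, whereas unconfined_domain makes them disappear; if unconfined is really intended, a comment stating why belongs on the block. Either way, the `rpm_exec` / `rpm_dontaudit_manage_db` and `hostname_exec` optional blocks added alongside it are only meaningful in the confined case.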
@@ -77404,6 +83213,7 @@ index b8b66ff..2ccac49 100644 +# +/usr/lib/systemd/system/smb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0) +/usr/lib/systemd/system/nmb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0) ++/usr/lib/systemd/system/winbind.* -- gen_context(system_u:object_r:samba_unit_file_t,s0) -/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0) -/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0) @@ -77459,7 +83269,7 @@ index b8b66ff..2ccac49 100644 /var/run/samba/messages\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0) /var/run/samba/namelist\.debug -- gen_context(system_u:object_r:nmbd_var_run_t,s0) /var/run/samba/nmbd\.pid -- gen_context(system_u:object_r:nmbd_var_run_t,s0) -@@ -45,7 +57,11 @@ +@@ -45,7 +58,11 @@ /var/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0) /var/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0) @@ -78232,7 +84042,7 @@ index aee75af..a6bab06 100644 + allow $1 samba_unit_file_t:service all_service_perms; ') diff --git a/samba.te b/samba.te -index 57c034b..9e91107 100644 +index 57c034b..8736764 100644 --- a/samba.te +++ b/samba.te @@ -1,4 +1,4 @@ @@ -78405,7 +84215,14 @@ index 57c034b..9e91107 100644 type smbd_t; type smbd_exec_t; -@@ -149,9 +132,10 @@ type smbd_var_run_t; +@@ -145,13 +128,17 @@ init_daemon_domain(smbd_t, smbd_exec_t) + type smbd_tmp_t; + files_tmp_file(smbd_tmp_t) + ++type smbd_tmpfs_t; ++files_tmpfs_file(smbd_tmpfs_t) ++ + type smbd_var_run_t; files_pid_file(smbd_var_run_t) type smbmount_t; @@ -78418,7 +84235,7 @@ index 57c034b..9e91107 100644 type swat_t; type swat_exec_t; -@@ -170,27 +154,29 @@ type winbind_exec_t; +@@ -170,27 +157,29 @@ type winbind_exec_t; init_daemon_domain(winbind_t, winbind_exec_t) type winbind_helper_t; 
@@ -78456,7 +84273,7 @@ index 57c034b..9e91107 100644 allow samba_net_t samba_etc_t:file read_file_perms; -@@ -206,17 +192,22 @@ manage_files_pattern(samba_net_t, samba_var_t, samba_var_t) +@@ -206,17 +195,22 @@ manage_files_pattern(samba_net_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t) files_var_filetrans(samba_net_t, samba_var_t, dir, "samba") @@ -78483,7 +84300,7 @@ index 57c034b..9e91107 100644 dev_read_urand(samba_net_t) -@@ -229,15 +220,16 @@ auth_manage_cache(samba_net_t) +@@ -229,15 +223,16 @@ auth_manage_cache(samba_net_t) logging_send_syslog_msg(samba_net_t) @@ -78504,7 +84321,7 @@ index 57c034b..9e91107 100644 ') optional_policy(` -@@ -245,44 +237,56 @@ optional_policy(` +@@ -245,44 +240,56 @@ optional_policy(` ') optional_policy(` @@ -78547,11 +84364,11 @@ index 57c034b..9e91107 100644 -allow smbd_t { swat_t winbind_t smbcontrol_t nmbd_t }:process { signal signull }; +allow smbd_t nmbd_t:process { signal signull }; -+ -+allow smbd_t nmbd_var_run_t:file rw_file_perms; -+stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) -allow smbd_t samba_etc_t:file { rw_file_perms setattr_file_perms }; ++allow smbd_t nmbd_var_run_t:file rw_file_perms; ++stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t) ++ +allow smbd_t samba_etc_t:file { rw_file_perms setattr }; manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t) @@ -78573,7 +84390,7 @@ index 57c034b..9e91107 100644 manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t) allow smbd_t samba_share_t:filesystem { getattr quotaget }; -@@ -292,6 +296,8 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t) +@@ -292,20 +299,26 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t) manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t) files_var_filetrans(smbd_t, samba_var_t, dir, "samba") 
@@ -78582,7 +84399,13 @@ index 57c034b..9e91107 100644 manage_dirs_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t) manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t) files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir }) -@@ -301,11 +307,11 @@ manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) + ++manage_dirs_pattern(smbd_t, smbd_tmpfs_t, smbd_tmpfs_t) ++manage_files_pattern(smbd_t, smbd_tmpfs_t, smbd_tmpfs_t) ++fs_tmpfs_filetrans(smbd_t, smbd_tmpfs_t, { file dir }) ++ + manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) + manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t) files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file }) @@ -78598,7 +84421,7 @@ index 57c034b..9e91107 100644 kernel_getattr_core_if(smbd_t) kernel_getattr_message_if(smbd_t) -@@ -315,43 +321,33 @@ kernel_read_kernel_sysctls(smbd_t) +@@ -315,42 +328,34 @@ kernel_read_kernel_sysctls(smbd_t) kernel_read_software_raid_state(smbd_t) kernel_read_system_state(smbd_t) @@ -78649,11 +84472,11 @@ index 57c034b..9e91107 100644 -files_dontaudit_getattr_all_dirs(smbd_t) -files_dontaudit_list_all_mountpoints(smbd_t) -files_list_mnt(smbd_t) -- ++domain_dontaudit_signull_all_domains(smbd_t) + fs_getattr_all_fs(smbd_t) fs_getattr_all_dirs(smbd_t) - fs_get_xattr_fs_quotas(smbd_t) -@@ -360,44 +356,54 @@ fs_getattr_rpc_dirs(smbd_t) +@@ -360,44 +365,55 @@ fs_getattr_rpc_dirs(smbd_t) fs_list_inotifyfs(smbd_t) fs_get_all_fs_quotas(smbd_t) @@ -78702,6 +84525,7 @@ index 57c034b..9e91107 100644 files_dontaudit_getattr_default_dirs(smbd_t) files_dontaudit_getattr_boot_dirs(smbd_t) fs_dontaudit_getattr_tmpfs_dirs(smbd_t) ++ fs_rw_inherited_tmpfs_files(smbd_t) ') -tunable_policy(`allow_smbd_anon_write',` 
@@ -78719,7 +84543,7 @@ index 57c034b..9e91107 100644 ') tunable_policy(`samba_domain_controller',` -@@ -413,20 +419,10 @@ tunable_policy(`samba_domain_controller',` +@@ -413,20 +429,10 @@ tunable_policy(`samba_domain_controller',` ') tunable_policy(`samba_enable_home_dirs',` @@ -78742,7 +84566,7 @@ index 57c034b..9e91107 100644 tunable_policy(`samba_share_nfs',` fs_manage_nfs_dirs(smbd_t) fs_manage_nfs_files(smbd_t) -@@ -435,6 +431,7 @@ tunable_policy(`samba_share_nfs',` +@@ -435,6 +441,7 @@ tunable_policy(`samba_share_nfs',` fs_manage_nfs_named_sockets(smbd_t) ') @@ -78750,7 +84574,7 @@ index 57c034b..9e91107 100644 tunable_policy(`samba_share_fusefs',` fs_manage_fusefs_dirs(smbd_t) fs_manage_fusefs_files(smbd_t) -@@ -442,17 +439,6 @@ tunable_policy(`samba_share_fusefs',` +@@ -442,17 +449,6 @@ tunable_policy(`samba_share_fusefs',` fs_search_fusefs(smbd_t) ') @@ -78768,7 +84592,7 @@ index 57c034b..9e91107 100644 optional_policy(` ccs_read_config(smbd_t) ') -@@ -460,6 +446,7 @@ optional_policy(` +@@ -460,6 +456,7 @@ optional_policy(` optional_policy(` ctdbd_stream_connect(smbd_t) ctdbd_manage_lib_files(smbd_t) @@ -78776,7 +84600,7 @@ index 57c034b..9e91107 100644 ') optional_policy(` -@@ -473,6 +460,11 @@ optional_policy(` +@@ -473,6 +470,11 @@ optional_policy(` ') optional_policy(` @@ -78788,7 +84612,18 @@ index 57c034b..9e91107 100644 lpd_exec_lpr(smbd_t) ') -@@ -493,9 +485,33 @@ optional_policy(` +@@ -482,6 +484,10 @@ optional_policy(` + ') + + optional_policy(` ++ rhcs_signull_cluster(smbd_t) ++') ++ ++optional_policy(` + rpc_search_nfs_state_data(smbd_t) + ') + +@@ -493,9 +499,36 @@ optional_policy(` udev_read_db(smbd_t) ') 
@@ -78811,9 +84646,12 @@ index 57c034b..9e91107 100644 + allow nmbd_t self:capability { dac_read_search dac_override }; + fs_manage_noxattr_fs_files(smbd_t) + files_manage_non_security_files(smbd_t) ++ files_manage_non_security_dirs(smbd_t) + fs_manage_noxattr_fs_files(nmbd_t) + files_manage_non_security_files(nmbd_t) ++ files_manage_non_security_dirs(nmbd_t) +') ++ +userdom_filetrans_home_content(nmbd_t) + ######################################## @@ -78823,7 +84661,7 @@ index 57c034b..9e91107 100644 # dontaudit nmbd_t self:capability sys_tty_config; -@@ -506,9 +522,11 @@ allow nmbd_t self:msg { send receive }; +@@ -506,9 +539,11 @@ allow nmbd_t self:msg { send receive }; allow nmbd_t self:msgq create_msgq_perms; allow nmbd_t self:sem create_sem_perms; allow nmbd_t self:shm create_shm_perms; @@ -78838,7 +84676,7 @@ index 57c034b..9e91107 100644 manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t) manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t) -@@ -520,20 +538,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) +@@ -520,20 +555,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) @@ -78862,7 +84700,7 @@ index 57c034b..9e91107 100644 kernel_getattr_core_if(nmbd_t) kernel_getattr_message_if(nmbd_t) -@@ -542,52 +555,41 @@ kernel_read_network_state(nmbd_t) +@@ -542,52 +572,42 @@ kernel_read_network_state(nmbd_t) kernel_read_software_raid_state(nmbd_t) kernel_read_system_state(nmbd_t) 
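Review bot: `files_manage_non_security_dirs(smbd_t)` and `files_manage_non_security_dirs(nmbd_t)` widen the `samba_export_all_rw` tunable using the non_security attribute, while the `rsync_full_access` tunable earlier in this series is moved to `files_manage_non_auth_files`; if `non_security_file_type` still covers auth files such as shadow_t, the samba tunable is now the broader of the two and the difference should be either aligned or explained with a comment, e.g. `# export_all_rw intentionally covers non_security (not non_auth) content`. The tunable's opening line lies before this hunk, so the `dac_override dac_read_search` grant to nmbd_t at its top is only partially visible here. `userdom_filetrans_home_content(nmbd_t)` is added outside the tunable and therefore applies unconditionally, which is presumably intended but worth confirming.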
@@ -78911,24 +84749,25 @@ index 57c034b..9e91107 100644 - userdom_use_unpriv_users_fds(nmbd_t) -userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir }) -+userdom_dontaudit_search_user_home_dirs(nmbd_t) - +- -tunable_policy(`samba_export_all_ro',` - fs_read_noxattr_fs_files(nmbd_t) - files_list_non_auth_dirs(nmbd_t) - files_read_non_auth_files(nmbd_t) -') -- ++userdom_dontaudit_search_user_home_dirs(nmbd_t) + -tunable_policy(`samba_export_all_rw',` - fs_read_noxattr_fs_files(nmbd_t) - files_manage_non_auth_files(nmbd_t) +optional_policy(` + ctdbd_stream_connect(nmbd_t) + ctdbd_manage_var_files(nmbd_t) ++ ctdbd_manage_lib_files(nmbd_t) ') optional_policy(` -@@ -600,19 +602,26 @@ optional_policy(` +@@ -600,19 +620,26 @@ optional_policy(` ######################################## # @@ -78936,7 +84775,7 @@ index 57c034b..9e91107 100644 +# smbcontrol local policy # -+ ++allow smbcontrol_t self:capability2 block_suspend; allow smbcontrol_t self:process signal; -allow smbcontrol_t self:fifo_file rw_fifo_file_perms; +# internal communication is often done using fifo and unix sockets. @@ -78960,7 +84799,7 @@ index 57c034b..9e91107 100644 samba_search_var(smbcontrol_t) samba_read_winbind_pid(smbcontrol_t) -@@ -620,16 +629,12 @@ domain_use_interactive_fds(smbcontrol_t) +@@ -620,16 +647,12 @@ domain_use_interactive_fds(smbcontrol_t) dev_read_urand(smbcontrol_t) @@ -78978,7 +84817,7 @@ index 57c034b..9e91107 100644 optional_policy(` ctdbd_stream_connect(smbcontrol_t) -@@ -637,22 +642,23 @@ optional_policy(` +@@ -637,22 +660,23 @@ optional_policy(` ######################################## # 
@@ -79010,7 +84849,7 @@ index 57c034b..9e91107 100644 allow smbmount_t samba_secrets_t:file manage_file_perms; -@@ -661,26 +667,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) +@@ -661,26 +685,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t) manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t) files_var_filetrans(smbmount_t, samba_var_t, dir, "samba") @@ -79046,7 +84885,7 @@ index 57c034b..9e91107 100644 fs_getattr_cifs(smbmount_t) fs_mount_cifs(smbmount_t) -@@ -692,58 +694,77 @@ fs_read_cifs_files(smbmount_t) +@@ -692,58 +712,77 @@ fs_read_cifs_files(smbmount_t) storage_raw_read_fixed_disk(smbmount_t) storage_raw_write_fixed_disk(smbmount_t) @@ -79138,7 +84977,7 @@ index 57c034b..9e91107 100644 manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t) manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t) -@@ -752,17 +773,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) +@@ -752,17 +791,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir }) manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t) files_pid_filetrans(swat_t, swat_var_run_t, file) @@ -79162,7 +85001,7 @@ index 57c034b..9e91107 100644 kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) -@@ -770,36 +787,25 @@ kernel_read_network_state(swat_t) +@@ -770,36 +805,25 @@ kernel_read_network_state(swat_t) corecmd_search_bin(swat_t) @@ -79205,7 +85044,7 @@ index 57c034b..9e91107 100644 auth_domtrans_chk_passwd(swat_t) auth_use_nsswitch(swat_t) -@@ -811,10 +817,11 @@ logging_send_syslog_msg(swat_t) +@@ -811,10 +835,11 @@ logging_send_syslog_msg(swat_t) logging_send_audit_msgs(swat_t) logging_search_logs(swat_t) 
@@ -79219,10 +85058,12 @@ index 57c034b..9e91107 100644 optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -834,16 +841,19 @@ optional_policy(` +@@ -833,17 +858,20 @@ optional_policy(` + # Winbind local policy # - allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; +-allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice }; ++allow winbind_t self:capability { kill dac_override ipc_lock setuid sys_nice }; +allow winbind_t self:capability2 block_suspend; dontaudit winbind_t self:capability sys_tty_config; allow winbind_t self:process { signal_perms getsched setsched }; @@ -79243,7 +85084,7 @@ index 57c034b..9e91107 100644 allow winbind_t samba_etc_t:dir list_dir_perms; read_files_pattern(winbind_t, samba_etc_t, samba_etc_t) -@@ -853,9 +863,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) +@@ -853,9 +881,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t) filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file) manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t) @@ -79254,7 +85095,7 @@ index 57c034b..9e91107 100644 manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t) manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t) -@@ -866,23 +874,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") +@@ -866,23 +892,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba") rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t) @@ -79284,7 +85125,7 @@ index 57c034b..9e91107 100644 manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t) kernel_read_network_state(winbind_t) -@@ -891,13 +897,17 @@ kernel_read_system_state(winbind_t) +@@ -891,13 +915,17 @@ kernel_read_system_state(winbind_t) corecmd_exec_bin(winbind_t) 
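Review bot: Adding `kill` to winbind_t's self:capability set is only effective together with a `process signal`-class rule toward the target domain, and none is visible in this hunk; either the matching allow belongs here, or the capability grants nothing on its own and should carry a comment naming the denial it answers, e.g. `# kill: winbind signals <target domain>`. The enclosing "Winbind local policy" block continues beyond the hunk. The `capability2 block_suspend` line next to it has the same documentation gap.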
@@ -79305,7 +85146,7 @@ index 57c034b..9e91107 100644 corenet_tcp_connect_smbd_port(winbind_t) corenet_tcp_connect_epmap_port(winbind_t) corenet_tcp_connect_all_unreserved_ports(winbind_t) -@@ -905,10 +915,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) +@@ -905,10 +933,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t) dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) @@ -79316,7 +85157,7 @@ index 57c034b..9e91107 100644 fs_getattr_all_fs(winbind_t) fs_search_auto_mountpoints(winbind_t) -@@ -917,26 +923,39 @@ auth_domtrans_chk_passwd(winbind_t) +@@ -917,26 +941,43 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) auth_manage_cache(winbind_t) @@ -79355,10 +85196,14 @@ index 57c034b..9e91107 100644 optional_policy(` kerberos_use(winbind_t) + kerberos_filetrans_named_content(winbind_t) ++') ++ ++optional_policy(` ++ nis_authenticate(winbind_t) ') optional_policy(` -@@ -952,31 +971,29 @@ optional_policy(` +@@ -952,31 +993,29 @@ optional_policy(` # Winbind helper local policy # @@ -79396,7 +85241,7 @@ index 57c034b..9e91107 100644 optional_policy(` apache_append_log(winbind_helper_t) -@@ -990,25 +1007,38 @@ optional_policy(` +@@ -990,25 +1029,38 @@ optional_policy(` ######################################## # 
@@ -79417,24 +85262,24 @@ index 57c034b..9e91107 100644 + role system_r types samba_unconfined_net_t; + + unconfined_domain(samba_unconfined_net_t) -+ + +- allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; +- allow smbd_t samba_unconfined_script_exec_t:file ioctl; + manage_files_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t) + filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file) + userdom_use_inherited_user_terminals(samba_unconfined_net_t) +') -+ + +type samba_unconfined_script_t; +type samba_unconfined_script_exec_t; +domain_type(samba_unconfined_script_t) +domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t) +corecmd_shell_entry_type(samba_unconfined_script_t) +role system_r types samba_unconfined_script_t; - -- allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; -- allow smbd_t samba_unconfined_script_exec_t:file ioctl; ++ +allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; +allow smbd_t samba_unconfined_script_exec_t:file ioctl; - ++ +optional_policy(` unconfined_domain(samba_unconfined_script_t) +') @@ -79522,10 +85367,10 @@ index 0000000..b7db254 +# Empty diff --git a/sandbox.if b/sandbox.if new file mode 100644 -index 0000000..577dfa7 +index 0000000..89bc443 --- /dev/null +++ b/sandbox.if -@@ -0,0 +1,55 @@ +@@ -0,0 +1,57 @@ + +## policy for sandbox + @@ -79556,6 +85401,8 @@ index 0000000..577dfa7 + allow sandbox_domain $1:process { sigchld signull }; + allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms; + dontaudit sandbox_domain $1:process signal; ++ dontaudit sandbox_domain $1:key { link read search view }; ++ dontaudit sandbox_domain $1:unix_stream_socket rw_socket_perms; +') + +######################################## @@ -79583,10 +85430,10 @@ index 0000000..577dfa7 +') diff --git a/sandbox.te b/sandbox.te new file mode 100644 -index 0000000..b12aada +index 0000000..62a9666 --- /dev/null 
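Review bot: `unconfined_domain(samba_unconfined_net_t)` is immediately followed by `manage_files_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t)`, which unconfined_domain() already subsumes; only the `filetrans_pattern(...)` line still adds something (the type transition), and the block reads as though the explicit rules were what confines the domain. A one-line comment such as `# unconfined; the rule below only adds the samba_secrets_t file transition` would make the intent clear. The block's opening `optional_policy(` is outside this hunk, so I cannot confirm what it is conditioned on. Moving `allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;` and the `:file ioctl` line out of optional_policy() looks correct, since both types are now declared unconditionally just above.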
+++ b/sandbox.te -@@ -0,0 +1,62 @@ +@@ -0,0 +1,63 @@ +policy_module(sandbox,1.0.0) + +attribute sandbox_domain; @@ -79632,6 +85479,7 @@ index 0000000..b12aada +') + +kernel_dontaudit_read_system_state(sandbox_domain) ++kernel_dontaudit_getattr_core_if(sandbox_domain) + +corecmd_exec_all_executables(sandbox_domain) + @@ -79659,10 +85507,10 @@ index 0000000..6caef63 +/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0) diff --git a/sandboxX.if b/sandboxX.if new file mode 100644 -index 0000000..5da5bff +index 0000000..3258f45 --- /dev/null +++ b/sandboxX.if -@@ -0,0 +1,392 @@ +@@ -0,0 +1,394 @@ + +## policy for sandboxX + @@ -79704,10 +85552,11 @@ index 0000000..5da5bff + dontaudit sandbox_xserver_t $1:file read; + allow sandbox_x_domain sandbox_x_domain:process signal; + # Dontaudit leaked file descriptors ++ dontaudit sandbox_x_domain $1:key { link read search view }; + dontaudit sandbox_x_domain $1:fifo_file { read write }; + dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms; + dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms; -+ dontaudit sandbox_x_domain $1:unix_stream_socket { read write }; ++ dontaudit sandbox_x_domain $1:unix_stream_socket rw_socket_perms; + dontaudit sandbox_x_domain $1:process { signal sigkill }; + + allow $1 sandbox_tmpfs_type:file manage_file_perms; @@ -79786,6 +85635,7 @@ index 0000000..5da5bff + + domtrans_pattern($1_t, sandbox_exec_t, $1_client_t) + domain_entry_file($1_client_t, sandbox_exec_t) ++ allow $1_client_t $1_t:shm { unix_read unix_write }; + + ps_process_pattern(sandbox_xserver_t, $1_client_t) + ps_process_pattern(sandbox_xserver_t, $1_t) @@ -80057,10 +85907,10 @@ index 0000000..5da5bff +') diff --git a/sandboxX.te b/sandboxX.te new file mode 100644 -index 0000000..710df6b +index 0000000..330fea5 --- /dev/null +++ b/sandboxX.te -@@ -0,0 +1,483 @@ +@@ -0,0 +1,502 @@ +policy_module(sandboxX,1.0.0) + +dbus_stub() 
@@ -80185,7 +86035,7 @@ index 0000000..710df6b +# +# sandbox_x_domain local policy +# -+allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack }; ++allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack getcap setcap }; +tunable_policy(`deny_execmem',`',` + allow sandbox_x_domain self:process execmem; +') @@ -80277,6 +86127,10 @@ index 0000000..710df6b +storage_dontaudit_rw_fuse(sandbox_x_domain) + +optional_policy(` ++ bluetooth_dbus_chat(sandbox_x_domain) ++') ++ ++optional_policy(` + consolekit_dbus_chat(sandbox_x_domain) +') + @@ -80295,6 +86149,8 @@ index 0000000..710df6b + +optional_policy(` + gnome_read_gconf_config(sandbox_x_domain) ++ gnome_dontaudit_rw_inherited_config(sandbox_x_domain) ++ gnome_dontaudit_rw_inherited_config(sandbox_xserver_t) +') + +optional_policy(` @@ -80342,6 +86198,10 @@ index 0000000..710df6b + fs_exec_fusefs_files(sandbox_x_domain) +') + ++optional_policy(` ++ networkmanager_dontaudit_dbus_chat(sandbox_x_domain) ++') ++ +files_search_home(sandbox_x_t) +userdom_use_user_ptys(sandbox_x_t) + @@ -80363,6 +86223,10 @@ index 0000000..710df6b +logging_send_syslog_msg(sandbox_x_client_t) + +optional_policy(` ++ avahi_dbus_chat(sandbox_x_client_t) ++') ++ ++optional_policy(` + colord_dbus_chat(sandbox_x_client_t) +') + @@ -80474,6 +86338,10 @@ index 0000000..710df6b +') + +optional_policy(` ++ avahi_dbus_chat(sandbox_web_type) ++') ++ ++optional_policy(` + bluetooth_dontaudit_dbus_chat(sandbox_web_type) +') + @@ -80486,6 +86354,10 @@ index 0000000..710df6b +') + +optional_policy(` ++ mozilla_plugin_rw_sem(sandbox_web_type) ++') ++ ++optional_policy(` + nsplugin_manage_rw(sandbox_web_type) + nsplugin_read_rw_files(sandbox_web_type) + nsplugin_rw_exec(sandbox_web_type) @@ -80507,10 +86379,6 @@ index 0000000..710df6b +') + +optional_policy(` -+ networkmanager_dontaudit_dbus_chat(sandbox_web_type) -+') -+ -+optional_policy(` + udev_read_state(sandbox_web_type) +') + 
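Review bot: `++allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack getcap setcap };` widens what every sandboxed X domain may do to its own capability set, and the new `bluetooth_dbus_chat(sandbox_x_domain)`, `avahi_dbus_chat(sandbox_x_client_t)` and `avahi_dbus_chat(sandbox_web_type)` blocks open D-Bus conversations from inside the sandbox to system services; none of these grants carries a reason. For a confinement attribute like sandbox_x_domain each widening deserves a why-comment, e.g. `# getcap/setcap: <denied operation — fill in from the AVC>`, so a maintainer can later tell which grants are load-bearing. The `mozilla_plugin_dontaudit_rw_sem` → `mozilla_plugin_rw_sem(sandbox_x_domain)` change in the next hunk is the same pattern: a dontaudit promoted to an allow without a note. Keeping the bluetooth/avahi calls under optional_policy() is the right shape, so the missing piece is documentation rather than structure.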
@@ -80540,10 +86408,11 @@ index 0000000..710df6b + mozilla_dontaudit_rw_user_home_files(sandbox_x_t) + mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t) + mozilla_dontaudit_rw_user_home_files(sandbox_x_domain) -+ mozilla_plugin_dontaudit_rw_sem(sandbox_x_domain) ++ mozilla_plugin_rw_sem(sandbox_x_domain) + mozilla_plugin_dontaudit_leaks(sandbox_x_domain) +') +userdom_dontaudit_open_user_ptys(sandbox_x_domain) ++ diff --git a/sanlock.fc b/sanlock.fc index 3df2a0f..9059165 100644 --- a/sanlock.fc @@ -81036,7 +86905,7 @@ index 68a550d..e976fc6 100644 /var/run/gather(/.*)? gen_context(system_u:object_r:sblim_var_run_t,s0) diff --git a/sblim.if b/sblim.if -index 98c9e0a..df51942 100644 +index 98c9e0a..d4aa009 100644 --- a/sblim.if +++ b/sblim.if @@ -1,8 +1,36 @@ @@ -81087,25 +86956,41 @@ index 98c9e0a..df51942 100644 ## ## ## -@@ -40,34 +68,33 @@ interface(`sblim_read_pid_files',` +@@ -40,34 +68,51 @@ interface(`sblim_read_pid_files',` ######################################## ## -## All of the rules required to -## administrate an sblim environment. -+## All of the rules required to administrate -+## an gatherd environment ++## Transition to sblim named content ## ## ## - ## Domain allowed access. +-## Domain allowed access. ++## Domain allowed access. ## ## -## --## ++# ++interface(`sblim_filetrans_named_content',` ++ gen_require(` ++ type sblim_var_run_t; ++ ') ++ ++ files_pid_filetrans($1, sblim_var_run_t, dir, "gather") ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an gatherd environment ++## ++## + ## -## Role allowed access. --## --## ++## Domain allowed access. + ## + ## ## # interface(`sblim_admin',` @@ -81137,7 +87022,7 @@ index 98c9e0a..df51942 100644 files_search_pids($1) admin_pattern($1, sblim_var_run_t) diff --git a/sblim.te b/sblim.te -index 4a23d84..62df1db 100644 +index 4a23d84..20f5040 100644 --- a/sblim.te +++ b/sblim.te @@ -7,13 +7,11 @@ policy_module(sblim, 1.0.3) 
@@ -81174,10 +87059,12 @@ index 4a23d84..62df1db 100644 ###################################### # # Common sblim domain local policy -@@ -32,11 +39,18 @@ manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t) +@@ -31,32 +38,38 @@ allow sblim_domain self:tcp_socket create_stream_socket_perms; + manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t) manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t) manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t) - ++files_pid_filetrans(sblim_domain, sblim_var_run_t,dir,"gather") ++ +manage_dirs_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t) +manage_files_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t) +manage_lnk_files_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t) @@ -81187,7 +87074,7 @@ index 4a23d84..62df1db 100644 +manage_files_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t) +manage_sock_files_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t) +files_tmp_filetrans(sblim_domain, sblim_tmp_t, { dir file sock_file}) -+ + kernel_read_network_state(sblim_domain) -kernel_read_system_state(sblim_domain) @@ -81196,9 +87083,11 @@ index 4a23d84..62df1db 100644 corenet_tcp_sendrecv_generic_if(sblim_domain) corenet_tcp_sendrecv_generic_node(sblim_domain) -@@ -44,19 +58,15 @@ corenet_tcp_sendrecv_repository_port(sblim_domain) + corenet_tcp_sendrecv_repository_port(sblim_domain) dev_read_sysfs(sblim_domain) ++dev_read_rand(sblim_domain) ++dev_read_urand(sblim_domain) -logging_send_syslog_msg(sblim_domain) - @@ -81219,7 +87108,7 @@ index 4a23d84..62df1db 100644 allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms; allow sblim_gatherd_t self:unix_stream_socket { accept listen }; -@@ -84,6 +94,8 @@ storage_raw_read_removable_device(sblim_gatherd_t) +@@ -84,6 +97,8 @@ storage_raw_read_removable_device(sblim_gatherd_t) init_read_utmp(sblim_gatherd_t) 
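Review bot: `++files_pid_filetrans(sblim_domain, sblim_var_run_t,dir,"gather")` drops the spaces after its commas, unlike every other call in this hunk (for instance `files_tmp_filetrans(sblim_domain, sblim_tmp_t, { dir file sock_file})`) and unlike the same transition written in the new `sblim_filetrans_named_content` interface as `files_pid_filetrans($1, sblim_var_run_t, dir, "gather")`; write it as `files_pid_filetrans(sblim_domain, sblim_var_run_t, dir, "gather")`. Because the interface expresses the identical transition, a short comment here — `# daemons' own transition; other domains use sblim_filetrans_named_content()` — would stop a future "duplicate rule" cleanup from removing the wrong one.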
@@ -81228,7 +87117,7 @@ index 4a23d84..62df1db 100644 sysnet_dns_name_resolve(sblim_gatherd_t) term_getattr_pty_fs(sblim_gatherd_t) -@@ -103,8 +115,9 @@ optional_policy(` +@@ -103,8 +118,9 @@ optional_policy(` ') optional_policy(` @@ -81239,7 +87128,7 @@ index 4a23d84..62df1db 100644 ') optional_policy(` -@@ -117,6 +130,29 @@ optional_policy(` +@@ -117,6 +133,33 @@ optional_policy(` # Reposd local policy # @@ -81266,7 +87155,11 @@ index 4a23d84..62df1db 100644 + +auth_use_nsswitch(sblim_sfcbd_t) + -+corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t) ++corenet_tcp_bind_pegasus_http_port(sblim_sfcbd_t) ++corenet_tcp_connect_pegasus_http_port(sblim_sfcbd_t) ++ ++dev_read_rand(sblim_sfcbd_t) ++dev_read_urand(sblim_sfcbd_t) + +domain_read_all_domains_state(sblim_sfcbd_t) +domain_use_interactive_fds(sblim_sfcbd_t) @@ -82242,20 +88135,24 @@ index 5f35d78..50651d2 100644 + uucp_domtrans_uux(sendmail_t) ') diff --git a/sensord.fc b/sensord.fc -index 8185d5a..719ac47 100644 +index 8185d5a..97926d2 100644 --- a/sensord.fc +++ b/sensord.fc -@@ -1,3 +1,5 @@ +@@ -1,5 +1,9 @@ +/lib/systemd/system/sensord.service -- gen_context(system_u:object_r:sensord_unit_file_t,s0) + /etc/rc\.d/init\.d/sensord -- gen_context(system_u:object_r:sensord_initrc_exec_t,s0) /usr/sbin/sensord -- gen_context(system_u:object_r:sensord_exec_t,s0) + ++/var/log/sensord\.rrd -- gen_context(system_u:object_r:sensord_log_t,s0) ++ + /var/run/sensord\.pid -- gen_context(system_u:object_r:sensord_var_run_t,s0) diff --git a/sensord.if b/sensord.if -index d204752..5eba5fd 100644 +index d204752..31cc6e6 100644 --- a/sensord.if +++ b/sensord.if -@@ -1,35 +1,75 @@ +@@ -1,35 +1,80 @@ -## Sensor information logging daemon. + +## Sensor information logging daemon 
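Review bot: `++corenet_tcp_bind_pegasus_http_port(sblim_sfcbd_t)` replaces the earlier `corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t)`, so the policy now permits sfcbd to bind only its cleartext listener; where sfcbd is configured for its HTTPS port, that bind will be denied while the plaintext one is allowed, which is the opposite of what a hardening change would want. Unless dropping the HTTPS bind is intentional, keep both lines: `corenet_tcp_bind_pegasus_http_port(sblim_sfcbd_t)` and `corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t)`, with a comment noting that sfcbd may listen on either. The sblim_sfcbd_t section starts in this hunk but its remaining rules continue past it.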
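Review bot: In sensord_admin, `++ admin_pattern($1, sensord_log_t)` is added without a matching `logging_list_logs($1)`, and the hunk also removes `files_search_pids($1)` ahead of the retained `admin_pattern($1, sensord_var_run_t)`; admin_pattern() grants management of the labelled files but not traversal of the enclosing /var/log and /var/run directories. The setroubleshoot_admin body later in this patch pairs `logging_list_logs($1)` with `admin_pattern($1, setroubleshoot_var_log_t)`, and snort_admin uses `files_list_pids($1)`; do the same here, i.e. `logging_list_logs($1)` before the log admin_pattern and `files_list_pids($1)` (or the removed `files_search_pids($1)`) before the pid one. The interface's opening lines are in this hunk, so the whole body is visible.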
@@ -82323,7 +88220,9 @@ index d204752..5eba5fd 100644 gen_require(` - type sensord_t, sensord_initrc_exec_t, sensord_var_run_t; + type sensord_t; -+ type sensord_unit_file_t; ++ type sensord_unit_file_t; ++ type sensord_log_t; ++ type sensord_var_run_t; ') allow $1 sensord_t:process { ptrace signal_perms }; @@ -82338,17 +88237,19 @@ index d204752..5eba5fd 100644 + allow $1 sensord_unit_file_t:service all_service_perms; - files_search_pids($1) -- admin_pattern($1, sensord_var_run_t) ++ admin_pattern($1, sensord_log_t) + admin_pattern($1, sensord_var_run_t) ++ + optional_policy(` + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) + ') ') diff --git a/sensord.te b/sensord.te -index 5e82fd6..fa352d8 100644 +index 5e82fd6..f3e5808 100644 --- a/sensord.te +++ b/sensord.te -@@ -9,6 +9,9 @@ type sensord_t; +@@ -9,12 +9,18 @@ type sensord_t; type sensord_exec_t; init_daemon_domain(sensord_t, sensord_exec_t) @@ -82358,7 +88259,24 @@ index 5e82fd6..fa352d8 100644 type sensord_initrc_exec_t; init_script_file(sensord_initrc_exec_t) -@@ -28,8 +31,5 @@ files_pid_filetrans(sensord_t, sensord_var_run_t, file) + type sensord_var_run_t; + files_pid_file(sensord_var_run_t) + ++type sensord_log_t; ++logging_log_file(sensord_log_t) ++ + ######################################## + # + # Local policy +@@ -23,13 +29,13 @@ files_pid_file(sensord_var_run_t) + allow sensord_t self:fifo_file rw_fifo_file_perms; + allow sensord_t self:unix_stream_socket create_stream_socket_perms; + ++manage_files_pattern(sensord_t, sensord_log_t, sensord_log_t) ++logging_log_filetrans(sensord_t, sensord_log_t, file) ++ + manage_files_pattern(sensord_t, sensord_var_run_t, sensord_var_run_t) + files_pid_filetrans(sensord_t, sensord_var_run_t, file) dev_read_sysfs(sensord_t) 
@@ -82386,7 +88304,7 @@ index 0b3a971..397a522 100644 -/var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0) +/var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0) diff --git a/setroubleshoot.if b/setroubleshoot.if -index 3a9a70b..039b0c8 100644 +index 3a9a70b..903109c 100644 --- a/setroubleshoot.if +++ b/setroubleshoot.if @@ -1,9 +1,8 @@ @@ -82413,7 +88331,32 @@ index 3a9a70b..039b0c8 100644 ## ## ## -@@ -107,8 +105,27 @@ interface(`setroubleshoot_dbus_chat_fixit',` +@@ -42,6 +40,24 @@ interface(`setroubleshoot_dontaudit_stream_connect',` + dontaudit $1 setroubleshootd_t:unix_stream_socket connectto; + ') + ++####################################### ++## ++## Send null signals to setroubleshoot. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`setroubleshoot_signull',` ++ gen_require(` ++ type setroubleshootd_t; ++ ') ++ ++ allow $1 setroubleshootd_t:process signull; ++') ++ + ######################################## + ## + ## Send and receive messages from +@@ -107,8 +123,27 @@ interface(`setroubleshoot_dbus_chat_fixit',` ######################################## ## @@ -82443,7 +88386,7 @@ index 3a9a70b..039b0c8 100644 ## ## ## -@@ -119,12 +136,15 @@ interface(`setroubleshoot_dbus_chat_fixit',` +@@ -119,12 +154,15 @@ interface(`setroubleshoot_dbus_chat_fixit',` # interface(`setroubleshoot_admin',` gen_require(` @@ -82464,7 +88407,7 @@ index 3a9a70b..039b0c8 100644 logging_list_logs($1) admin_pattern($1, setroubleshoot_var_log_t) diff --git a/setroubleshoot.te b/setroubleshoot.te -index 49b12ae..d686e4a 100644 +index 49b12ae..0f1e101 100644 --- a/setroubleshoot.te +++ b/setroubleshoot.te @@ -1,4 +1,4 @@ 
@@ -82473,7 +88416,7 @@ index 49b12ae..d686e4a 100644 ######################################## # -@@ -7,43 +7,50 @@ policy_module(setroubleshoot, 1.11.2) +@@ -7,43 +7,52 @@ policy_module(setroubleshoot, 1.11.2) type setroubleshootd_t alias setroubleshoot_t; type setroubleshootd_exec_t; @@ -82505,6 +88448,8 @@ index 49b12ae..d686e4a 100644 allow setroubleshootd_t self:capability { dac_override sys_nice sys_ptrace sys_tty_config }; -allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal execmem execstack }; ++dontaudit setroubleshootd_t self:capability net_admin; ++ +allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal }; +# if bad library causes setroubleshoot to require these, we want to give it so setroubleshoot can continue to run +allow setroubleshootd_t self:process { execmem execstack }; @@ -82535,7 +88480,14 @@ index 49b12ae..d686e4a 100644 manage_dirs_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) -@@ -61,14 +68,13 @@ corecmd_exec_bin(setroubleshootd_t) +@@ -55,20 +64,20 @@ kernel_read_net_sysctls(setroubleshootd_t) + kernel_read_network_state(setroubleshootd_t) + kernel_dontaudit_list_all_proc(setroubleshootd_t) + kernel_read_irq_sysctls(setroubleshootd_t) ++kernel_read_rpc_sysctls(setroubleshootd_t) + kernel_read_unlabeled_state(setroubleshootd_t) + + corecmd_exec_bin(setroubleshootd_t) corecmd_exec_shell(setroubleshootd_t) corecmd_read_all_executables(setroubleshootd_t) 
@@ -82553,7 +88505,7 @@ index 49b12ae..d686e4a 100644 dev_read_urand(setroubleshootd_t) dev_read_sysfs(setroubleshootd_t) -@@ -76,10 +82,9 @@ dev_getattr_all_blk_files(setroubleshootd_t) +@@ -76,10 +85,9 @@ dev_getattr_all_blk_files(setroubleshootd_t) dev_getattr_all_chr_files(setroubleshootd_t) dev_getattr_mtrr_dev(setroubleshootd_t) @@ -82565,7 +88517,7 @@ index 49b12ae..d686e4a 100644 files_list_all(setroubleshootd_t) files_getattr_all_files(setroubleshootd_t) files_getattr_all_pipes(setroubleshootd_t) -@@ -101,33 +106,32 @@ selinux_read_policy(setroubleshootd_t) +@@ -101,33 +109,32 @@ selinux_read_policy(setroubleshootd_t) term_dontaudit_use_all_ptys(setroubleshootd_t) term_dontaudit_use_all_ttys(setroubleshootd_t) @@ -82606,7 +88558,7 @@ index 49b12ae..d686e4a 100644 ') optional_policy(` -@@ -135,10 +139,18 @@ optional_policy(` +@@ -135,10 +142,18 @@ optional_policy(` ') optional_policy(` @@ -82625,7 +88577,7 @@ index 49b12ae..d686e4a 100644 rpm_exec(setroubleshootd_t) rpm_signull(setroubleshootd_t) rpm_read_db(setroubleshootd_t) -@@ -148,26 +160,36 @@ optional_policy(` +@@ -148,26 +163,36 @@ optional_policy(` ######################################## # @@ -82664,7 +88616,7 @@ index 49b12ae..d686e4a 100644 files_list_tmp(setroubleshoot_fixit_t) auth_use_nsswitch(setroubleshoot_fixit_t) -@@ -175,23 +197,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t) +@@ -175,23 +200,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t) logging_send_audit_msgs(setroubleshoot_fixit_t) logging_send_syslog_msg(setroubleshoot_fixit_t) @@ -83125,10 +89077,18 @@ index 1aeef8a..d5ce40a 100644 admin_pattern($1, shorewall_etc_t) diff --git a/shorewall.te b/shorewall.te -index ca03de6..c3b5559 100644 +index ca03de6..e0ebb61 100644 --- a/shorewall.te 
+++ b/shorewall.te -@@ -44,9 +44,7 @@ manage_files_pattern(shorewall_t, shorewall_lock_t, shorewall_lock_t) +@@ -34,6 +34,7 @@ logging_log_file(shorewall_log_t) + + allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_admin }; + dontaudit shorewall_t self:capability sys_tty_config; ++allow shorewall_t self:process signal_perms; + allow shorewall_t self:fifo_file rw_fifo_file_perms; + allow shorewall_t self:netlink_socket create_socket_perms; + +@@ -44,9 +45,7 @@ manage_files_pattern(shorewall_t, shorewall_lock_t, shorewall_lock_t) files_lock_filetrans(shorewall_t, shorewall_lock_t, file) manage_dirs_pattern(shorewall_t, shorewall_log_t, shorewall_log_t) @@ -83139,7 +89099,7 @@ index ca03de6..c3b5559 100644 logging_log_filetrans(shorewall_t, shorewall_log_t, { file dir }) manage_dirs_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t) -@@ -57,6 +55,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) +@@ -57,6 +56,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t) files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file }) @@ -83149,7 +89109,7 @@ index ca03de6..c3b5559 100644 allow shorewall_t shorewall_initrc_exec_t:file read_file_perms; -@@ -74,7 +75,6 @@ dev_read_urand(shorewall_t) +@@ -74,7 +76,6 @@ dev_read_urand(shorewall_t) domain_read_all_domains_state(shorewall_t) files_getattr_kernel_modules(shorewall_t) @@ -83157,7 +89117,7 @@ index ca03de6..c3b5559 100644 files_search_kernel_modules(shorewall_t) fs_getattr_all_fs(shorewall_t) -@@ -86,12 +86,11 @@ init_rw_utmp(shorewall_t) +@@ -86,12 +87,11 @@ init_rw_utmp(shorewall_t) logging_read_generic_logs(shorewall_t) logging_send_syslog_msg(shorewall_t) @@ -83379,9 +89339,18 @@ index 7880d1f..8804935 100644 + xserver_xdm_append_log(shutdown_t) ') 
diff --git a/slocate.te b/slocate.te -index ba26427..83d21aa 100644 +index ba26427..8417705 100644 --- a/slocate.te +++ b/slocate.te +@@ -18,7 +18,7 @@ files_type(locate_var_lib_t) + # + + allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid }; +-allow locate_t self:process { execmem execheap execstack signal }; ++allow locate_t self:process { execmem execheap execstack signal setsched }; + allow locate_t self:fifo_file rw_fifo_file_perms; + allow locate_t self:unix_stream_socket create_socket_perms; + @@ -53,7 +53,6 @@ fs_read_noxattr_fs_symlinks(locate_t) auth_use_nsswitch(locate_t) @@ -83459,10 +89428,29 @@ index ca32e89..98278dd 100644 + ') diff --git a/slpd.te b/slpd.te -index 66ac42a..1a4c952 100644 +index 66ac42a..5efa3fd 100644 --- a/slpd.te +++ b/slpd.te -@@ -50,6 +50,10 @@ corenet_sendrecv_svrloc_server_packets(slpd_t) +@@ -23,7 +23,7 @@ files_pid_file(slpd_var_run_t) + # Local policy + # + +-allow slpd_t self:capability { kill setgid setuid }; ++allow slpd_t self:capability { kill net_admin setgid setuid }; + allow slpd_t self:process signal; + allow slpd_t self:fifo_file rw_fifo_file_perms; + allow slpd_t self:tcp_socket { accept listen }; +@@ -35,6 +35,9 @@ logging_log_filetrans(slpd_t, slpd_log_t, file) + manage_files_pattern(slpd_t, slpd_var_run_t, slpd_var_run_t) + files_pid_filetrans(slpd_t, slpd_var_run_t, file) + ++kernel_read_system_state(slpd_t) ++kernel_read_network_state(slpd_t) ++ + corenet_all_recvfrom_unlabeled(slpd_t) + corenet_all_recvfrom_netlabel(slpd_t) + corenet_tcp_sendrecv_generic_if(slpd_t) +@@ -50,6 +53,12 @@ corenet_sendrecv_svrloc_server_packets(slpd_t) corenet_tcp_bind_svrloc_port(slpd_t) corenet_udp_bind_svrloc_port(slpd_t) @@ -83473,6 +89461,8 @@ index 66ac42a..1a4c952 100644 auth_use_nsswitch(slpd_t) -miscfiles_read_localization(slpd_t) ++logging_send_syslog_msg(slpd_t) ++ +sysnet_dns_name_resolve(slpd_t) diff --git a/slrnpull.te b/slrnpull.te index 5437237..3dfc982 100644 
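Review bot: `+allow slpd_t self:capability { kill net_admin setgid setuid };` adds `net_admin`, one of the broadest capabilities, to a network daemon without saying which operation needs it. State the reason in place, e.g. `# net_admin: <operation from the AVC that motivated it — fill in>`, and if the trigger is only an interface or socket-option probe, check whether the dontaudit form that setroubleshoot.te uses in this same patch (`dontaudit setroubleshootd_t self:capability net_admin;`) is sufficient instead of an allow. The added `kernel_read_network_state(slpd_t)` and `logging_send_syslog_msg(slpd_t)` lines look routine.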
@@ -83651,7 +89641,7 @@ index a8b1aaf..fc0a2be 100644 netutils_domtrans_ping(httpd_smokeping_cgi_script_t) diff --git a/smoltclient.te b/smoltclient.te -index 9c8f9a5..14f15a4 100644 +index 9c8f9a5..f074b4d 100644 --- a/smoltclient.te +++ b/smoltclient.te @@ -51,14 +51,12 @@ fs_list_auto_mountpoints(smoltclient_t) @@ -83669,6 +89659,17 @@ index 9c8f9a5..14f15a4 100644 optional_policy(` abrt_stream_connect(smoltclient_t) +@@ -77,6 +75,10 @@ optional_policy(` + ') + + optional_policy(` ++ libs_exec_ldconfig(smoltclient_t) ++') ++ ++optional_policy(` + rpm_exec(smoltclient_t) + rpm_read_db(smoltclient_t) + ') diff --git a/smsd.fc b/smsd.fc new file mode 100644 index 0000000..4c3fcec @@ -84108,11 +90109,18 @@ index cbfe369..6594af3 100644 files_search_var_lib($1) diff --git a/snapper.fc b/snapper.fc new file mode 100644 -index 0000000..3f412d5 +index 0000000..660fcd2 --- /dev/null +++ b/snapper.fc -@@ -0,0 +1 @@ +@@ -0,0 +1,8 @@ ++HOME_DIR/\.snapshots -d gen_context(system_u:object_r:snapperd_home_t,s0) ++ +/usr/sbin/snapperd -- gen_context(system_u:object_r:snapperd_exec_t,s0) ++ ++/etc/snapper(/.*)? gen_context(system_u:object_r:snapperd_conf_t,s0) ++/etc/sysconfig/snapper -- gen_context(system_u:object_r:snapperd_conf_t,s0) ++ ++/var/log/snapper\.log.* -- gen_context(system_u:object_r:snapperd_log_t,s0) diff --git a/snapper.if b/snapper.if new file mode 100644 index 0000000..94105ee @@ -84163,10 +90171,10 @@ index 0000000..94105ee +') diff --git a/snapper.te b/snapper.te new file mode 100644 -index 0000000..ad232be +index 0000000..3591c8e --- /dev/null +++ b/snapper.te -@@ -0,0 +1,33 @@ +@@ -0,0 +1,81 @@ +policy_module(snapper, 1.0.0) + +######################################## 
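Review bot: `libs_exec_ldconfig(smoltclient_t)` is wrapped in its own `optional_policy(\`...')`, but libs belongs to the base policy and this same patch calls `libs_domtrans_ldconfig(sosreport_t)` and `libs_use_ld_so(sosreport_t)` unconditionally in sosreport.te; for consistency write it as a bare `libs_exec_ldconfig(smoltclient_t)` line next to the other unconditional rules rather than inside optional_policy(). The surrounding optional_policy() blocks for abrt and rpm are correct as written, since those are genuinely optional modules.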
@@ -84178,6 +90186,18 @@ index 0000000..ad232be +type snapperd_exec_t; +init_daemon_domain(snapperd_t, snapperd_exec_t) + ++type snapperd_log_t; ++logging_log_file(snapperd_log_t) ++ ++type snapperd_conf_t; ++files_config_file(snapperd_conf_t) ++ ++type snapperd_data_t; ++files_type(snapperd_data_t) ++ ++type snapperd_home_t; ++userdom_user_home_content(snapperd_home_t) ++ +######################################## +# +# snapperd local policy 
@@ -84186,13 +90206,41 @@ index 0000000..ad232be +allow snapperd_t self:fifo_file rw_fifo_file_perms; +allow snapperd_t self:unix_stream_socket create_stream_socket_perms; + ++manage_files_pattern(snapperd_t, snapperd_log_t, snapperd_log_t) ++logging_log_filetrans(snapperd_t, snapperd_log_t, file) ++ ++manage_files_pattern(snapperd_t, snapperd_conf_t, snapperd_conf_t) ++manage_dirs_pattern(snapperd_t, snapperd_conf_t, snapperd_conf_t) ++manage_lnk_files_pattern(snapperd_t, snapperd_conf_t, snapperd_conf_t) ++ ++manage_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t) ++manage_dirs_pattern(snapperd_t, snapperd_data_t, snapperd_data_t) ++manage_lnk_files_pattern(snapperd_t, snapperd_data_t, snapperd_data_t) ++ ++manage_files_pattern(snapperd_t, snapperd_home_t, snapperd_home_t) ++manage_dirs_pattern(snapperd_t, snapperd_home_t, snapperd_home_t) ++manage_lnk_files_pattern(snapperd_t, snapperd_home_t, snapperd_home_t) ++ ++domain_read_all_domains_state(snapperd_t) ++ ++corecmd_exec_shell(snapperd_t) ++corecmd_exec_bin(snapperd_t) ++ ++files_write_all_dirs(snapperd_t) ++files_setattr_all_mountpoints(snapperd_t) ++files_relabelto_all_mountpoints(snapperd_t) ++files_relabelfrom_isid_type(snapperd_t) ++files_read_all_files(snapperd_t) ++files_list_all(snapperd_t) ++ ++fs_getattr_all_fs(snapperd_t) ++ +storage_raw_read_fixed_disk(snapperd_t) + +auth_use_nsswitch(snapperd_t) + -+miscfiles_read_localization(snapperd_t) -+ +optional_policy(` ++ dbus_system_domain(snapperd_t, snapperd_exec_t) + dbus_system_bus_client(snapperd_t) + dbus_connect_system_bus(snapperd_t) +') @@ -84200,8 +90248,16 @@ index 0000000..ad232be +optional_policy(` + mount_domtrans(snapperd_t) +') ++ ++optional_policy(` ++ lvm_domtrans(snapperd_t) ++') ++ ++optional_policy(` ++ unconfined_domain(snapperd_t) ++') diff --git a/snmp.fc b/snmp.fc -index c73fa24..408ff61 100644 +index c73fa24..50d80f4 100644 --- a/snmp.fc +++ b/snmp.fc @@ -1,6 +1,6 @@ 
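Review bot: The trailing `optional_policy(\` unconfined_domain(snapperd_t) ')` makes snapperd_t effectively unconfined whenever the unconfined module is loaded, so the broad grants above it (`files_write_all_dirs`, `files_read_all_files`, `files_relabelto_all_mountpoints`, `storage_raw_read_fixed_disk`) are only load-bearing on systems without that module, and nothing in the file says whether this is transitional. If it is, say so at the block: `# TODO: drop unconfined_domain() once snapperd's confined rules are complete`. In the earlier hunk for this file, `dbus_system_domain(snapperd_t, snapperd_exec_t)` now sits alongside `init_daemon_domain(snapperd_t, snapperd_exec_t)`; presumably snapperd can be started by init or by D-Bus activation — a one-line comment confirming that would explain why both entry points coexist.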
@@ -84220,10 +90276,11 @@ index c73fa24..408ff61 100644 /var/log/snmpd\.log.* -- gen_context(system_u:object_r:snmpd_log_t,s0) +-/var/run/net-snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) +-/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) +/var/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0) + - /var/run/net-snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) --/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) ++/var/run/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) +/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0) /var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0) diff --git a/snmp.if b/snmp.if @@ -84341,7 +90398,7 @@ index 7a9cc9d..86cbca9 100644 init_labeled_script_domtrans($1, snmpd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/snmp.te b/snmp.te -index 81864ce..4b6b771 100644 +index 81864ce..e0f790d 100644 --- a/snmp.te +++ b/snmp.te @@ -27,14 +27,16 @@ files_type(snmpd_var_lib_t) @@ -84397,7 +90454,14 @@ index 81864ce..4b6b771 100644 files_read_etc_runtime_files(snmpd_t) files_search_home(snmpd_t) -@@ -112,10 +112,12 @@ auth_use_nsswitch(snmpd_t) +@@ -107,15 +107,19 @@ fs_search_auto_mountpoints(snmpd_t) + storage_dontaudit_read_fixed_disk(snmpd_t) + storage_dontaudit_read_removable_device(snmpd_t) + storage_dontaudit_write_removable_device(snmpd_t) ++storage_getattr_fixed_disk_dev(snmpd_t) ++storage_getattr_removable_dev(snmpd_t) + + auth_use_nsswitch(snmpd_t) init_read_utmp(snmpd_t) init_dontaudit_write_utmp(snmpd_t) @@ -84411,7 +90475,7 @@ index 81864ce..4b6b771 100644 seutil_dontaudit_search_config(snmpd_t) -@@ -131,7 +133,11 @@ optional_policy(` +@@ -131,7 +135,11 @@ optional_policy(` ') optional_policy(` 
@@ -84424,6 +90488,14 @@ index 81864ce..4b6b771 100644 ') optional_policy(` +@@ -140,6 +148,7 @@ optional_policy(` + + optional_policy(` + mta_read_config(snmpd_t) ++ mta_read_aliases(snmpd_t) + mta_search_queue(snmpd_t) + ') + diff --git a/snort.if b/snort.if index 7d86b34..5f58180 100644 --- a/snort.if @@ -84457,7 +90529,7 @@ index 7d86b34..5f58180 100644 + files_list_pids($1) ') diff --git a/snort.te b/snort.te -index ccd28bb..80106ac 100644 +index ccd28bb..6e335a9 100644 --- a/snort.te +++ b/snort.te @@ -32,10 +32,13 @@ files_pid_file(snort_var_run_t) @@ -84475,7 +90547,18 @@ index ccd28bb..80106ac 100644 allow snort_t self:netlink_firewall_socket create_socket_perms; allow snort_t snort_etc_t:dir list_dir_perms; -@@ -63,7 +66,6 @@ kernel_request_load_module(snort_t) +@@ -43,9 +46,7 @@ allow snort_t snort_etc_t:file read_file_perms; + allow snort_t snort_etc_t:lnk_file read_lnk_file_perms; + + manage_dirs_pattern(snort_t, snort_log_t, snort_log_t) +-append_files_pattern(snort_t, snort_log_t, snort_log_t) +-create_files_pattern(snort_t, snort_log_t, snort_log_t) +-setattr_files_pattern(snort_t, snort_log_t, snort_log_t) ++manage_files_pattern(snort_t, snort_log_t, snort_log_t) + logging_log_filetrans(snort_t, snort_log_t, { file dir }) + + manage_dirs_pattern(snort_t, snort_tmp_t, snort_tmp_t) +@@ -63,7 +64,6 @@ kernel_request_load_module(snort_t) kernel_dontaudit_read_system_state(snort_t) kernel_read_network_state(snort_t) @@ -84483,7 +90566,7 @@ index ccd28bb..80106ac 100644 corenet_all_recvfrom_netlabel(snort_t) corenet_tcp_sendrecv_generic_if(snort_t) corenet_udp_sendrecv_generic_if(snort_t) -@@ -86,18 +88,17 @@ dev_rw_generic_usb_dev(snort_t) +@@ -86,18 +86,17 @@ dev_rw_generic_usb_dev(snort_t) domain_use_interactive_fds(snort_t) @@ -84518,7 +90601,7 @@ index 634c6b4..e1edfd9 100644 ######################################## diff --git a/sosreport.te b/sosreport.te -index 703efa3..499d7e9 100644 +index 703efa3..08a6332 100644 --- a/sosreport.te 
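Review bot: `+manage_files_pattern(snort_t, snort_log_t, snort_log_t)` replaces the previous `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` trio, so snort_t may now also read, overwrite and unlink its own logs; for an IDS whose log is the evidence trail, the append-only shape was a deliberate integrity property rather than an oversight. If one denied operation motivated this (log rotation needing rename, for example), keep the three narrow patterns and add just that permission, e.g. `rename_files_pattern(snort_t, snort_log_t, snort_log_t)`, with a comment naming the operation; otherwise leave the original rules in place. The snort_t section continues outside this hunk.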
+++ b/sosreport.te @@ -19,6 +19,9 @@ files_tmp_file(sosreport_tmp_t) @@ -84539,7 +90622,7 @@ index 703efa3..499d7e9 100644 -allow sosreport_t self:process { setsched signull }; +allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override chown }; +dontaudit sosreport_t self:capability sys_ptrace; -+allow sosreport_t self:process { setpgid setsched signull }; ++allow sosreport_t self:process { setpgid setsched signal_perms }; allow sosreport_t self:fifo_file rw_fifo_file_perms; allow sosreport_t self:tcp_socket { accept listen }; allow sosreport_t self:unix_stream_socket { accept listen }; @@ -84561,10 +90644,12 @@ index 703efa3..499d7e9 100644 manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t) fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t, file) -@@ -49,6 +61,17 @@ kernel_read_software_raid_state(sosreport_t) +@@ -48,6 +60,18 @@ kernel_read_all_sysctls(sosreport_t) + kernel_read_software_raid_state(sosreport_t) kernel_search_debugfs(sosreport_t) kernel_read_messages(sosreport_t) - ++kernel_request_load_module(sosreport_t) ++ +corenet_all_recvfrom_netlabel(sosreport_t) +corenet_tcp_sendrecv_generic_if(sosreport_t) +corenet_tcp_sendrecv_generic_node(sosreport_t) 
@@ -84575,21 +90660,21 @@ index 703efa3..499d7e9 100644 +corenet_tcp_connect_http_port(sosreport_t) +corenet_tcp_connect_all_ports(sosreport_t) +corenet_sendrecv_http_client_packets(sosreport_t) -+ + corecmd_exec_all_executables(sosreport_t) - dev_getattr_all_chr_files(sosreport_t) -@@ -58,6 +81,9 @@ dev_read_rand(sosreport_t) +@@ -58,6 +82,10 @@ dev_read_rand(sosreport_t) dev_read_urand(sosreport_t) dev_read_raw_memory(sosreport_t) dev_read_sysfs(sosreport_t) +dev_rw_generic_usb_dev(sosreport_t) ++dev_rw_lvm_control(sosreport_t) +dev_getattr_all_chr_files(sosreport_t) +dev_getattr_all_blk_files(sosreport_t) domain_getattr_all_domains(sosreport_t) domain_read_all_domains_state(sosreport_t) -@@ -65,12 +91,13 @@ domain_getattr_all_sockets(sosreport_t) +@@ -65,12 +93,13 @@ domain_getattr_all_sockets(sosreport_t) domain_getattr_all_pipes(sosreport_t) files_getattr_all_sockets(sosreport_t) @@ -84604,7 +90689,7 @@ index 703efa3..499d7e9 100644 files_read_var_lib_files(sosreport_t) files_read_var_symlinks(sosreport_t) files_read_kernel_modules(sosreport_t) -@@ -79,27 +106,41 @@ files_manage_etc_runtime_files(sosreport_t) +@@ -79,27 +108,49 @@ files_manage_etc_runtime_files(sosreport_t) files_etc_filetrans_etc_runtime(sosreport_t, file) fs_getattr_all_fs(sosreport_t) @@ -84627,8 +90712,11 @@ index 703efa3..499d7e9 100644 init_domtrans_script(sosreport_t) +init_getattr_initctl(sosreport_t) ++init_status(sosreport_t) ++init_stream_connect(sosreport_t) libs_domtrans_ldconfig(sosreport_t) ++libs_use_ld_so(sosreport_t) logging_read_all_logs(sosreport_t) logging_send_syslog_msg(sosreport_t) @@ -84642,6 +90730,11 @@ index 703efa3..499d7e9 100644 abrt_manage_pid_files(sosreport_t) abrt_manage_cache(sosreport_t) + abrt_stream_connect(sosreport_t) ++ abrt_signal(sosreport_t) ++') ++ ++optional_policy(` ++ bootloader_exec(sosreport_t) +') + +optional_policy(` 
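Review bot: `+corenet_tcp_connect_all_ports(sosreport_t)` subsumes the `corenet_tcp_connect_http_port(sosreport_t)` line just above it and the other per-port connect calls added in this hunk, and it is a very broad grant for a report collector. Either keep the specific port lines and drop the all-ports one, or, if plugins genuinely reach arbitrary ports, keep only `corenet_tcp_connect_all_ports(sosreport_t)` and record why: `# all ports: <sosreport plugins that need it — fill in>`. The added `dev_rw_lvm_control(sosreport_t)` alongside the later `lvm_read_config(sosreport_t)` is likewise unexplained; a short comment naming the plugin would help.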
@@ -84649,10 +90742,15 @@ index 703efa3..499d7e9 100644 ') optional_policy(` -@@ -111,6 +152,11 @@ optional_policy(` +@@ -111,6 +162,16 @@ optional_policy(` ') optional_policy(` ++ lvm_read_config(sosreport_t) ++ lvm_dontaudit_access_check_lock(sosreport_t) ++') ++ ++optional_policy(` + # needed by modinfo + modutils_read_module_deps(sosreport_t) +') @@ -84661,6 +90759,61 @@ index 703efa3..499d7e9 100644 fstools_domtrans(sosreport_t) ') +@@ -120,6 +181,10 @@ optional_policy(` + optional_policy(` + hal_dbus_chat(sosreport_t) + ') ++ ++ optional_policy(` ++ rpm_dbus_chat(sosreport_t) ++ ') + ') + + optional_policy(` +@@ -131,15 +196,40 @@ optional_policy(` + ') + + optional_policy(` ++ prelink_domtrans(sosreport_t) ++') ++ ++optional_policy(` + pulseaudio_run(sosreport_t, sosreport_roles) + ') + + optional_policy(` +- rpm_exec(sosreport_t) +- rpm_dontaudit_manage_db(sosreport_t) +- rpm_read_db(sosreport_t) ++ rhsmcertd_manage_lib_files(sosreport_t) ++ rhsmcertd_manage_pid_files(sosreport_t) ++') ++ ++optional_policy(` ++ rpm_dontaudit_manage_db(sosreport_t) ++ rpm_manage_cache(sosreport_t) ++ rpm_manage_log(sosreport_t) ++ rpm_manage_pid_files(sosreport_t) ++ rpm_named_filetrans_log_files(sosreport_t) ++ rpm_read_db(sosreport_t) ++ rpm_signull(sosreport_t) ++') ++ ++optional_policy(` ++ setroubleshoot_signull(sosreport_t) ++') ++ ++optional_policy(` ++ unconfined_signull(sosreport_t) + ') + + optional_policy(` + xserver_stream_connect(sosreport_t) + ') ++ ++optional_policy(` ++ unconfined_domain(sosreport_t) ++') diff --git a/soundserver.if b/soundserver.if index a5abc5a..b9eff74 100644 --- a/soundserver.if @@ -85229,7 +91382,7 @@ index 1499b0b..6950cab 100644 - spamassassin_role($2, $1) ') diff --git a/spamassassin.te b/spamassassin.te -index 4faa7e0..4babad1 100644 +index 4faa7e0..32f670e 100644 --- a/spamassassin.te +++ b/spamassassin.te @@ -1,4 +1,4 @@ 
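Review bot: The trailing `optional_policy(` unconfined_domain(sosreport_t) `)` added at the end of sosreport.te turns sosreport_t into an unconfined domain, so the fine-grained rules this file accumulates — the widened `self:capability` set and `corenet_tcp_connect_all_ports` in the hunk at @@ -84539, the rpm/rhsmcertd/lvm optional blocks here — stop acting as a boundary whenever the unconfined module is loaded, and the `dontaudit sosreport_t self:capability sys_ptrace` earlier in the file would no longer matter. If this is a stop-gap it should say so and be tracked: `# TODO(<bug-id placeholder>): sosreport runs unconfined until its collection rules are complete; remove when confinement is verified`. Otherwise drop the unconfined_domain call and handle remaining denials with targeted rules. The change is inside the SRPM's embedded patch, so the surrounding policy file is only partially visible here.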
@@ -85308,7 +91461,7 @@ index 4faa7e0..4babad1 100644 type spamd_initrc_exec_t; init_script_file(spamd_initrc_exec_t) -@@ -72,87 +39,196 @@ type spamd_log_t; +@@ -72,87 +39,199 @@ type spamd_log_t; logging_log_file(spamd_log_t) type spamd_spool_t; @@ -85445,6 +91598,8 @@ index 4faa7e0..4babad1 100644 +manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) +manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) +manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t) ++userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, dir, ".spamassassin") ++userdom_admin_home_dir_filetrans(spamd_t, spamassassin_home_t, dir, ".spamassassin") +userdom_home_manager(spamassassin_t) + kernel_read_kernel_sysctls(spamassassin_t) @@ -85510,6 +91665,7 @@ index 4faa7e0..4babad1 100644 + userdom_manage_user_home_content_dirs(spamd_t) + userdom_manage_user_home_content_files(spamd_t) + userdom_manage_user_home_content_symlinks(spamd_t) ++ userdom_exec_user_bin_files(spamd_t) ') -tunable_policy(`use_samba_home_dirs',` @@ -85527,7 +91683,7 @@ index 4faa7e0..4babad1 100644 nis_use_ypbind_uncond(spamassassin_t) ') ') -@@ -160,6 +236,8 @@ optional_policy(` +@@ -160,6 +239,8 @@ optional_policy(` optional_policy(` mta_read_config(spamassassin_t) sendmail_stub(spamassassin_t) @@ -85536,7 +91692,7 @@ index 4faa7e0..4babad1 100644 ') ######################################## -@@ -167,72 +245,85 @@ optional_policy(` +@@ -167,72 +248,85 @@ optional_policy(` # Client local policy # @@ -85653,7 +91809,7 @@ index 4faa7e0..4babad1 100644 optional_policy(` abrt_stream_connect(spamc_t) -@@ -243,6 +334,7 @@ optional_policy(` +@@ -243,6 +337,7 @@ optional_policy(` ') optional_policy(` @@ -85661,7 +91817,7 @@ index 4faa7e0..4babad1 100644 evolution_stream_connect(spamc_t) ') -@@ -251,52 +343,55 @@ optional_policy(` +@@ -251,52 +346,55 @@ optional_policy(` ') optional_policy(` 
@@ -85742,7 +91898,7 @@ index 4faa7e0..4babad1 100644 logging_log_filetrans(spamd_t, spamd_log_t, file) manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t) -@@ -308,7 +403,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) +@@ -308,7 +406,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir }) @@ -85752,7 +91908,7 @@ index 4faa7e0..4babad1 100644 manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t) -@@ -317,12 +413,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) +@@ -317,12 +416,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t) files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir }) @@ -85768,7 +91924,7 @@ index 4faa7e0..4babad1 100644 corenet_all_recvfrom_netlabel(spamd_t) corenet_tcp_sendrecv_generic_if(spamd_t) corenet_udp_sendrecv_generic_if(spamd_t) -@@ -331,78 +428,58 @@ corenet_udp_sendrecv_generic_node(spamd_t) +@@ -331,78 +431,59 @@ corenet_udp_sendrecv_generic_node(spamd_t) corenet_tcp_sendrecv_all_ports(spamd_t) corenet_udp_sendrecv_all_ports(spamd_t) corenet_tcp_bind_generic_node(spamd_t) @@ -85778,6 +91934,7 @@ index 4faa7e0..4babad1 100644 corenet_tcp_bind_spamd_port(spamd_t) - -corenet_sendrecv_razor_client_packets(spamd_t) ++corenet_tcp_connect_spamd_port(spamd_t) corenet_tcp_connect_razor_port(spamd_t) - -corenet_sendrecv_smtp_client_packets(spamd_t) @@ -85871,7 +92028,7 @@ index 4faa7e0..4babad1 100644 ') optional_policy(` -@@ -421,21 +498,13 @@ optional_policy(` +@@ -421,21 +502,13 @@ optional_policy(` ') optional_policy(` @@ -85895,7 +92052,7 @@ index 4faa7e0..4babad1 100644 ') optional_policy(` -@@ -443,8 +512,8 @@ optional_policy(` +@@ -443,8 +516,8 @@ optional_policy(` ') optional_policy(` 
@@ -85905,7 +92062,7 @@ index 4faa7e0..4babad1 100644 ') optional_policy(` -@@ -455,7 +524,12 @@ optional_policy(` +@@ -455,7 +528,12 @@ optional_policy(` optional_policy(` razor_domtrans(spamd_t) razor_read_lib_files(spamd_t) @@ -85919,7 +92076,7 @@ index 4faa7e0..4babad1 100644 ') optional_policy(` -@@ -463,9 +537,9 @@ optional_policy(` +@@ -463,9 +541,9 @@ optional_policy(` ') optional_policy(` @@ -85930,7 +92087,7 @@ index 4faa7e0..4babad1 100644 ') optional_policy(` -@@ -474,32 +548,32 @@ optional_policy(` +@@ -474,32 +552,32 @@ optional_policy(` ######################################## # @@ -85973,7 +92130,7 @@ index 4faa7e0..4babad1 100644 corecmd_exec_bin(spamd_update_t) corecmd_exec_shell(spamd_update_t) -@@ -508,25 +582,21 @@ dev_read_urand(spamd_update_t) +@@ -508,25 +586,21 @@ dev_read_urand(spamd_update_t) domain_use_interactive_fds(spamd_update_t) 
@@ -86005,6 +92162,222 @@ index 4faa7e0..4babad1 100644 + gpg_manage_home_content(spamd_update_t) ') + +diff --git a/speech-dispatcher.fc b/speech-dispatcher.fc +new file mode 100644 +index 0000000..545f682 +--- /dev/null ++++ b/speech-dispatcher.fc +@@ -0,0 +1,5 @@ ++/usr/bin/speech-dispatcher -- gen_context(system_u:object_r:speech-dispatcher_exec_t,s0) ++ ++/usr/lib/systemd/system/speech-dispatcherd.service -- gen_context(system_u:object_r:speech-dispatcher_unit_file_t,s0) ++ ++/var/log/speech-dispatcher(/.*)? gen_context(system_u:object_r:speech-dispatcher_log_t,s0) +diff --git a/speech-dispatcher.if b/speech-dispatcher.if +new file mode 100644 +index 0000000..ddfed09 +--- /dev/null ++++ b/speech-dispatcher.if +@@ -0,0 +1,142 @@ ++ ++## speech-dispatcher - server process managing speech requests in Speech Dispatcher ++ ++######################################## ++## ++## Execute speech-dispatcher in the speech-dispatcher domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`speech-dispatcher_domtrans',` ++ gen_require(` ++ type speech-dispatcher_t, speech-dispatcher_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, speech-dispatcher_exec_t, speech-dispatcher_t) ++') ++######################################## ++## ++## Read speech-dispatcher's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`speech-dispatcher_read_log',` ++ gen_require(` ++ type speech-dispatcher_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, speech-dispatcher_log_t, speech-dispatcher_log_t) ++') ++ ++######################################## ++## ++## Append to speech-dispatcher log files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`speech-dispatcher_append_log',` ++ gen_require(` ++ type speech-dispatcher_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, speech-dispatcher_log_t, speech-dispatcher_log_t) ++') ++ ++######################################## ++## ++## Manage speech-dispatcher log files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`speech-dispatcher_manage_log',` ++ gen_require(` ++ type speech-dispatcher_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, speech-dispatcher_log_t, speech-dispatcher_log_t) ++ manage_files_pattern($1, speech-dispatcher_log_t, speech-dispatcher_log_t) ++ manage_lnk_files_pattern($1, speech-dispatcher_log_t, speech-dispatcher_log_t) ++') ++######################################## ++## ++## Execute speech-dispatcher server in the speech-dispatcher domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`speech-dispatcher_systemctl',` ++ gen_require(` ++ type speech-dispatcher_t; ++ type speech-dispatcher_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 speech-dispatcher_unit_file_t:file read_file_perms; ++ allow $1 speech-dispatcher_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, speech-dispatcher_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an speech-dispatcher environment ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++# ++interface(`speech-dispatcher_admin',` ++ gen_require(` ++ type speech-dispatcher_t; ++ type speech-dispatcher_log_t; ++ type speech-dispatcher_unit_file_t; ++ ') ++ ++ allow $1 speech-dispatcher_t:process { signal_perms }; ++ ps_process_pattern($1, speech-dispatcher_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 speech-dispatcher_t:process ptrace; ++ ') ++ ++ logging_search_logs($1) ++ admin_pattern($1, speech-dispatcher_log_t) ++ ++ speech-dispatcher_systemctl($1) ++ admin_pattern($1, speech-dispatcher_unit_file_t) ++ allow $1 speech-dispatcher_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/speech-dispatcher.te b/speech-dispatcher.te +new file mode 100644 +index 0000000..931fa6c +--- /dev/null ++++ b/speech-dispatcher.te +@@ -0,0 +1,51 @@ ++policy_module(speech-dispatcher, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type speech-dispatcher_t; ++type speech-dispatcher_exec_t; ++init_daemon_domain(speech-dispatcher_t, speech-dispatcher_exec_t) ++application_executable_file(speech-dispatcher_exec_t) ++ ++type speech-dispatcher_log_t; ++logging_log_file(speech-dispatcher_log_t) ++ ++type speech-dispatcher_unit_file_t; ++systemd_unit_file(speech-dispatcher_unit_file_t) ++ ++type speech-dispatcher_tmp_t; ++files_tmp_file(speech-dispatcher_tmp_t) ++ ++type speech-dispatcher_tmpfs_t; ++files_tmpfs_file(speech-dispatcher_tmpfs_t) ++ ++######################################## ++# ++# speech-dispatcher local policy ++# ++allow speech-dispatcher_t self:process { fork signal_perms }; ++allow speech-dispatcher_t self:fifo_file rw_fifo_file_perms; ++allow speech-dispatcher_t self:unix_stream_socket create_stream_socket_perms; ++allow speech-dispatcher_t self:tcp_socket create_socket_perms; ++ ++manage_dirs_pattern(speech-dispatcher_t, speech-dispatcher_log_t, speech-dispatcher_log_t) 
++manage_files_pattern(speech-dispatcher_t, speech-dispatcher_log_t, speech-dispatcher_log_t) ++logging_log_filetrans(speech-dispatcher_t, speech-dispatcher_log_t, { dir }) ++ ++manage_files_pattern(speech-dispatcher_t, speech-dispatcher_tmp_t, speech-dispatcher_tmp_t) ++files_tmp_filetrans(speech-dispatcher_t, speech-dispatcher_tmp_t, { file }) ++ ++manage_files_pattern(speech-dispatcher_t, speech-dispatcher_tmpfs_t, speech-dispatcher_tmpfs_t) ++fs_tmpfs_filetrans(speech-dispatcher_t, speech-dispatcher_tmpfs_t, { file }) ++ ++kernel_read_system_state(speech-dispatcher_t) ++ ++auth_read_passwd(speech-dispatcher_t) ++ ++corenet_tcp_connect_pdps_port(speech-dispatcher_t) ++ ++dev_read_urand(speech-dispatcher_t) ++ diff --git a/speedtouch.te b/speedtouch.te index 9025dbd..388ce0a 100644 --- a/speedtouch.te @@ -86278,7 +92651,7 @@ index dbb005a..45291bb 100644 -/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) +/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0) diff --git a/sssd.if b/sssd.if -index a240455..16a04bf 100644 +index a240455..3dd6f00 100644 --- a/sssd.if +++ b/sssd.if @@ -1,21 +1,21 @@ @@ -86572,7 +92945,7 @@ index a240455..16a04bf 100644 ## ## ## -@@ -317,8 +388,27 @@ interface(`sssd_stream_connect',` +@@ -317,8 +388,46 @@ interface(`sssd_stream_connect',` ######################################## ## @@ -86597,12 +92970,31 @@ index a240455..16a04bf 100644 + +######################################## +## ++## Manage keys for all user domains. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`sssd_manage_keys',` ++ gen_require(` ++ type sssd_t; ++ ') ++ ++ allow $1 sssd_t:key manage_key_perms; ++ allow sssd_t $1:key manage_key_perms; ++') ++ ++######################################## ++## +## All of the rules required to administrate +## an sssd environment ## ## ## -@@ -327,7 +417,7 @@ interface(`sssd_stream_connect',` +@@ -327,7 +436,7 @@ interface(`sssd_stream_connect',` ## ## ## 
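Review bot: The documentation block for `speech-dispatcher_systemctl` in the new speech-dispatcher.if says "Execute speech-dispatcher server in the speech-dispatcher domain", but the body performs no domain transition; it grants `systemd_exec_systemctl`, read of the unit file and `manage_service_perms` on it. The summary should describe that, e.g. `## Allow the specified domain to start, stop and get the status of the speech-dispatcher service via systemctl.`, with the parameter text changed from `## Domain allowed to transition.` to `## Domain allowed access.` as in the sibling interfaces. The `speech-dispatcher_admin` summary also reads "an speech-dispatcher environment"; `a speech-dispatcher environment`.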
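Review bot: `sssd_manage_keys` in sssd.if is documented as "Manage keys for all user domains", but its body is a two-way `key` rule between `$1` and `sssd_t` only, and the second line `allow sssd_t $1:key manage_key_perms;` also hands sssd_t control over the caller's keyring, which callers of a `*_manage_keys` interface may not expect. Suggest a summary that states both directions, `## Allow the specified domain and sssd_t to manage each other's keyrings.`, and a one-line why-comment above the reverse allow naming the sssd feature that needs it.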
@@ -86611,7 +93003,7 @@ index a240455..16a04bf 100644 ## ## ## -@@ -335,27 +425,29 @@ interface(`sssd_stream_connect',` +@@ -335,27 +444,29 @@ interface(`sssd_stream_connect',` interface(`sssd_admin',` gen_require(` type sssd_t, sssd_public_t, sssd_initrc_exec_t; @@ -86653,7 +93045,7 @@ index a240455..16a04bf 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 8b537aa..3bce4df 100644 +index 8b537aa..fb39837 100644 --- a/sssd.te +++ b/sssd.te @@ -1,4 +1,4 @@ @@ -86696,9 +93088,11 @@ index 8b537aa..3bce4df 100644 logging_log_filetrans(sssd_t, sssd_var_log_t, file) manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) -@@ -63,16 +64,9 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) +@@ -62,17 +63,11 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) + kernel_read_network_state(sssd_t) kernel_read_system_state(sssd_t) ++kernel_request_load_module(sssd_t) -corenet_all_recvfrom_unlabeled(sssd_t) -corenet_all_recvfrom_netlabel(sssd_t) @@ -86714,7 +93108,7 @@ index 8b537aa..3bce4df 100644 corecmd_exec_bin(sssd_t) -@@ -83,9 +77,7 @@ domain_read_all_domains_state(sssd_t) +@@ -83,9 +78,7 @@ domain_read_all_domains_state(sssd_t) domain_obj_id_change_exemption(sssd_t) files_list_tmp(sssd_t) @@ -86724,7 +93118,7 @@ index 8b537aa..3bce4df 100644 files_list_var_lib(sssd_t) fs_list_inotifyfs(sssd_t) -@@ -94,14 +86,15 @@ selinux_validate_context(sssd_t) +@@ -94,14 +87,15 @@ selinux_validate_context(sssd_t) seutil_read_file_contexts(sssd_t) # sssd wants to write /etc/selinux//logins/ for SELinux PAM module @@ -86742,7 +93136,7 @@ index 8b537aa..3bce4df 100644 auth_domtrans_chk_passwd(sssd_t) auth_domtrans_upd_passwd(sssd_t) auth_manage_cache(sssd_t) -@@ -112,18 +105,32 @@ logging_send_syslog_msg(sssd_t) +@@ -112,18 +106,34 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_generic_certs(sssd_t) 
@@ -86753,6 +93147,7 @@ index 8b537aa..3bce4df 100644 +userdom_manage_tmp_role(system_r, sssd_t) +userdom_manage_all_users_keys(sssd_t) ++userdom_home_reader(sssd_t) + optional_policy(` dbus_system_bus_client(sssd_t) @@ -86769,15 +93164,16 @@ index 8b537aa..3bce4df 100644 + +optional_policy(` + dirsrv_stream_connect(sssd_t) - ') ++') + +optional_policy(` + ldap_stream_connect(sssd_t) -+ ldap_read_certs(sssd_t) ++ ldap_read_certs(sssd_t) +') + -+userdom_home_reader(sssd_t) -+ ++optional_policy(` ++ systemd_login_read_pid_files(sssd_t) + ') diff --git a/stapserver.fc b/stapserver.fc new file mode 100644 index 0000000..0ccce59 @@ -87253,7 +93649,7 @@ index 2ac91b6..dd2ac36 100644 ') + diff --git a/svnserve.te b/svnserve.te -index c6aaac7..a5600a8 100644 +index c6aaac7..84cdcac 100644 --- a/svnserve.te +++ b/svnserve.te @@ -12,12 +12,18 @@ init_daemon_domain(svnserve_t, svnserve_exec_t) @@ -87297,12 +93693,16 @@ index c6aaac7..a5600a8 100644 corenet_all_recvfrom_unlabeled(svnserve_t) corenet_all_recvfrom_netlabel(svnserve_t) corenet_tcp_sendrecv_generic_if(svnserve_t) -@@ -54,6 +62,4 @@ corenet_udp_sendrecv_svn_port(svnserve_t) +@@ -52,8 +60,8 @@ corenet_tcp_sendrecv_svn_port(svnserve_t) + corenet_udp_bind_svn_port(svnserve_t) + corenet_udp_sendrecv_svn_port(svnserve_t) - logging_send_syslog_msg(svnserve_t) +-logging_send_syslog_msg(svnserve_t) ++dev_read_urand(svnserve_t) -miscfiles_read_localization(svnserve_t) -- ++logging_send_syslog_msg(svnserve_t) + sysnet_dns_name_resolve(svnserve_t) diff --git a/swift.fc b/swift.fc new file mode 100644 @@ -87465,10 +93865,10 @@ index 0000000..df82c36 +') diff --git a/swift.te b/swift.te new file mode 100644 -index 0000000..c7b2bf6 +index 0000000..7bef550 --- /dev/null +++ b/swift.te -@@ -0,0 +1,69 @@ +@@ -0,0 +1,80 @@ +policy_module(swift, 1.0.0) + +######################################## 
@@ -87480,6 +93880,9 @@ index 0000000..c7b2bf6 +type swift_exec_t; +init_daemon_domain(swift_t, swift_exec_t) + ++type swift_tmp_t; ++files_tmpfs_file(swift_tmp_t) ++ +type swift_var_cache_t; +files_type(swift_var_cache_t) + @@ -87504,6 +93907,10 @@ index 0000000..c7b2bf6 +allow swift_t self:unix_stream_socket create_stream_socket_perms; +allow swift_t self:unix_dgram_socket create_socket_perms; + ++manage_dirs_pattern(swift_t, swift_tmp_t, swift_tmp_t) ++manage_files_pattern(swift_t, swift_tmp_t, swift_tmp_t) ++files_tmp_filetrans(swift_t, swift_tmp_t, { dir file }) ++ +manage_dirs_pattern(swift_t, swift_var_cache_t, swift_var_cache_t) +manage_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t) +manage_lnk_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t) @@ -87538,6 +93945,10 @@ index 0000000..c7b2bf6 +logging_send_syslog_msg(swift_t) + +userdom_dontaudit_search_user_home_dirs(swift_t) ++ ++optional_policy(` ++ rpm_exec(swift_t) ++') diff --git a/swift_alias.fc b/swift_alias.fc new file mode 100644 index 0000000..b7db254 @@ -89724,11 +96135,10 @@ index 0000000..39d17b7 +files_pid_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, { dir file }) diff --git a/thumb.fc b/thumb.fc new file mode 100644 -index 0000000..92b6843 +index 0000000..115bf6c --- /dev/null +++ b/thumb.fc -@@ -0,0 +1,18 @@ -+HOME_DIR/\.texlive2012(/.*)? gen_context(system_u:object_r:thumb_home_t,s0) +@@ -0,0 +1,17 @@ +HOME_DIR/\.thumbnails(/.*)? gen_context(system_u:object_r:thumb_home_t,s0) +HOME_DIR/\.cache/thumbnails(/.*)? gen_context(system_u:object_r:thumb_home_t,s0) +HOME_DIR/missfont\.log.* gen_context(system_u:object_r:thumb_home_t,s0) 
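Review bot: `swift_tmp_t` is declared with `files_tmpfs_file(swift_tmp_t)` in the first hunk of swift.te, yet the hunk at @@ -87504 uses it as the target of `files_tmp_filetrans(swift_t, swift_tmp_t, { dir file })`, i.e. for objects created under /tmp rather than on tmpfs. As far as refpolicy conventions go, the declaration should be `files_tmp_file(swift_tmp_t)` so the type carries the tmpfile attribute that the /tmp cleanup and relabel interfaces key on; if tmpfs-backed objects are also intended, add the matching `fs_tmpfs_filetrans` rule rather than relying on the tmpfs attribute alone.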
@@ -89745,7 +96155,7 @@ index 0000000..92b6843 +/usr/bin/ffmpegthumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0) +/usr/bin/mate-thumbnail-font -- gen_context(system_u:object_r:thumb_exec_t,s0) + -+/usr/lib/tumbler[^/]*/tumblerd -- gen_context(system_u:object_r:thumb_exec_t,s0) ++/usr/lib/tumbler-?[^/]*/tumblerd -- gen_context(system_u:object_r:thumb_exec_t,s0) diff --git a/thumb.if b/thumb.if new file mode 100644 index 0000000..c1fd8b4 @@ -89887,10 +96297,10 @@ index 0000000..c1fd8b4 +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..b57cc3c +index 0000000..0e30ce2 --- /dev/null +++ b/thumb.te -@@ -0,0 +1,149 @@ +@@ -0,0 +1,157 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -89940,6 +96350,7 @@ index 0000000..b57cc3c +userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file, "missfont.log") +userdom_dontaudit_access_check_user_content(thumb_t) +userdom_rw_inherited_user_tmpfs_files(thumb_t) ++userdom_manage_home_texlive(thumb_t) + +manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t) +manage_dirs_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t) @@ -90005,14 +96416,21 @@ index 0000000..b57cc3c +xserver_use_user_fonts(thumb_t) + +optional_policy(` -+ dbus_dontaudit_stream_connect_session_bus(thumb_t) -+ dbus_dontaudit_chat_session_bus(thumb_t) ++ bumblebee_stream_connect(thumb_t) ++') ++ ++optional_policy(` ++ dbus_exec_dbusd(thumb_t) ++ dbus_connect_session_bus(thumb_t) ++ dbus_stream_connect_session_bus(thumb_t) ++ dbus_chat_session_bus(thumb_t) +') + +optional_policy(` + # .config + gnome_dontaudit_search_config(thumb_t) + gnome_dontaudit_write_config_files(thumb_t) ++ gnome_append_home_config(thumb_t) + gnome_append_generic_cache_files(thumb_t) + gnome_read_generic_data_home_files(thumb_t) + gnome_dontaudit_rw_generic_cache_files(thumb_t) @@ -90782,7 +97200,7 @@ index 61c2e07..5e1df41 100644 + ') ') diff --git a/tor.te b/tor.te -index 964a395..78962c4 100644 +index 964a395..ea77295 100644 
--- a/tor.te +++ b/tor.te @@ -13,6 +13,13 @@ policy_module(tor, 1.8.4) @@ -90817,7 +97235,15 @@ index 964a395..78962c4 100644 corenet_sendrecv_dns_server_packets(tor_t) corenet_udp_bind_dns_port(tor_t) corenet_udp_sendrecv_dns_port(tor_t) -@@ -98,19 +107,22 @@ dev_read_urand(tor_t) +@@ -85,6 +94,7 @@ corenet_udp_sendrecv_dns_port(tor_t) + corenet_sendrecv_tor_server_packets(tor_t) + corenet_tcp_bind_tor_port(tor_t) + corenet_tcp_sendrecv_tor_port(tor_t) ++corenet_tcp_bind_hplip_port(tor_t) + + corenet_sendrecv_all_client_packets(tor_t) + corenet_tcp_connect_all_ports(tor_t) +@@ -98,19 +108,22 @@ dev_read_urand(tor_t) domain_use_interactive_fds(tor_t) files_read_etc_runtime_files(tor_t) @@ -90934,7 +97360,7 @@ index e29db63..061fb98 100644 domain_system_change_exemption($1) role_transition $2 tuned_initrc_exec_t system_r; diff --git a/tuned.te b/tuned.te -index 7116181..6b315d8 100644 +index 7116181..3f42127 100644 --- a/tuned.te +++ b/tuned.te @@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t) @@ -90947,7 +97373,7 @@ index 7116181..6b315d8 100644 type tuned_var_run_t; files_pid_file(tuned_var_run_t) -@@ -29,10 +32,13 @@ files_pid_file(tuned_var_run_t) +@@ -29,10 +32,14 @@ files_pid_file(tuned_var_run_t) # Local policy # @@ -90960,10 +97386,11 @@ index 7116181..6b315d8 100644 +allow tuned_t self:netlink_kobject_uevent_socket create_socket_perms; +allow tuned_t self:netlink_socket create_socket_perms; +allow tuned_t self:udp_socket create_socket_perms; ++allow tuned_t self:socket create_socket_perms; read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t) exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t) -@@ -41,14 +47,18 @@ manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t) +@@ -41,14 +48,19 @@ manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t) files_etc_filetrans(tuned_t, tuned_rw_etc_t, file, "active_profile") manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t) 
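Review bot: `corenet_tcp_bind_hplip_port(tor_t)` in the tor.te hunk at @@ -90817 lets tor bind a port type that belongs to the hplip printing service, and nothing in the hunk says which tor listener needs it. A why-comment is needed so the rule is not read as a generic widening later, e.g. `# tor listener configured on a port labelled hplip_port_t (<bug-id placeholder>)`; if it is a single fixed port, labelling that port as tor_port_t may be narrower than granting bind on the whole hplip port type.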
@@ -90982,11 +97409,12 @@ index 7116181..6b315d8 100644 manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) files_pid_filetrans(tuned_t, tuned_var_run_t, { dir file }) ++allow tuned_t tuned_var_run_t:file relabel_file_perms; +can_exec(tuned_t, tuned_var_run_t) kernel_read_system_state(tuned_t) kernel_read_network_state(tuned_t) -@@ -57,6 +67,8 @@ kernel_request_load_module(tuned_t) +@@ -57,6 +69,8 @@ kernel_request_load_module(tuned_t) kernel_rw_kernel_sysctl(tuned_t) kernel_rw_hotplug_sysctls(tuned_t) kernel_rw_vm_sysctls(tuned_t) @@ -90995,7 +97423,7 @@ index 7116181..6b315d8 100644 corecmd_exec_bin(tuned_t) corecmd_exec_shell(tuned_t) -@@ -64,31 +76,55 @@ corecmd_exec_shell(tuned_t) +@@ -64,31 +78,60 @@ corecmd_exec_shell(tuned_t) dev_getattr_all_blk_files(tuned_t) dev_getattr_all_chr_files(tuned_t) dev_read_urand(tuned_t) @@ -91008,18 +97436,23 @@ index 7116181..6b315d8 100644 files_dontaudit_search_home(tuned_t) -files_dontaudit_list_tmp(tuned_t) +files_list_tmp(tuned_t) - --fs_getattr_xattr_fs(tuned_t) ++ +fs_getattr_all_fs(tuned_t) +fs_search_all(tuned_t) +fs_rw_hugetlbfs_files(tuned_t) -+ + +-fs_getattr_xattr_fs(tuned_t) +auth_use_nsswitch(tuned_t) logging_send_syslog_msg(tuned_t) ++#bug in tuned ++logging_manage_syslog_config(tuned_t) ++logging_filetrans_named_conf(tuned_t) -miscfiles_read_localization(tuned_t) +mount_read_pid_files(tuned_t) ++ ++modutils_domtrans_insmod(tuned_t) udev_read_pid_files(tuned_t) @@ -91055,6 +97488,14 @@ index 7116181..6b315d8 100644 optional_policy(` sysnet_domtrans_ifconfig(tuned_t) ') +@@ -96,3 +139,7 @@ optional_policy(` + optional_policy(` + unconfined_dbus_send(tuned_t) + ') ++ ++optional_policy(` ++ unconfined_domain(tuned_t) ++') diff --git a/tvtime.if b/tvtime.if index 1bb0f7c..372be2f 100644 --- a/tvtime.if @@ -92158,7 +98599,7 @@ index af9acc0..cdaf82e 100644 admin_pattern($1, uucpd_log_t) 
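Review bot: The comment `#bug in tuned` above `logging_manage_syslog_config(tuned_t)` and `logging_filetrans_named_conf(tuned_t)` does not say what the bug is or when the workaround can be removed, and the same hunk's closing `optional_policy(` unconfined_domain(tuned_t) `)` makes every other tuned_t rule in tuned.te advisory once the unconfined module is loaded. Replace the comment with something actionable, e.g. `# Workaround: tuned rewrites syslog configuration (<bug-id placeholder>); drop once fixed upstream`, and either justify the unconfined_domain call with a similarly tracked comment or remove it. `modutils_domtrans_insmod(tuned_t)` and `allow tuned_t self:socket create_socket_perms;` are also new here without explanation; a one-line why-comment on each would help a later least-privilege review.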
diff --git a/uucp.te b/uucp.te -index 380902c..75545d6 100644 +index 380902c..c09534e 100644 --- a/uucp.te +++ b/uucp.te @@ -31,7 +31,7 @@ type uucpd_ro_t; @@ -92170,7 +98611,7 @@ index 380902c..75545d6 100644 type uucpd_log_t; logging_log_file(uucpd_log_t) -@@ -84,15 +84,19 @@ kernel_read_kernel_sysctls(uucpd_t) +@@ -84,15 +84,20 @@ kernel_read_kernel_sysctls(uucpd_t) kernel_read_system_state(uucpd_t) kernel_read_network_state(uucpd_t) @@ -92186,12 +98627,13 @@ index 380902c..75545d6 100644 corenet_tcp_connect_ssh_port(uucpd_t) corenet_tcp_sendrecv_ssh_port(uucpd_t) ++corenet_tcp_bind_uucpd_port(uucpd_t) +corenet_tcp_connect_uucpd_port(uucpd_t) + corecmd_exec_bin(uucpd_t) corecmd_exec_shell(uucpd_t) -@@ -110,7 +114,7 @@ auth_use_nsswitch(uucpd_t) +@@ -110,7 +115,7 @@ auth_use_nsswitch(uucpd_t) logging_send_syslog_msg(uucpd_t) @@ -92200,7 +98642,7 @@ index 380902c..75545d6 100644 optional_policy(` cron_system_entry(uucpd_t, uucpd_exec_t) -@@ -125,10 +129,6 @@ optional_policy(` +@@ -125,10 +130,6 @@ optional_policy(` ') optional_policy(` @@ -92211,7 +98653,7 @@ index 380902c..75545d6 100644 ssh_exec(uucpd_t) ') -@@ -160,10 +160,15 @@ auth_use_nsswitch(uux_t) +@@ -160,10 +161,15 @@ auth_use_nsswitch(uux_t) logging_search_logs(uux_t) logging_send_syslog_msg(uux_t) @@ -92336,7 +98778,7 @@ index 1c35171..2cba4df 100644 domain_system_change_exemption($1) role_transition $2 varnishd_initrc_exec_t system_r; diff --git a/varnishd.te b/varnishd.te -index 9d4d8cb..f50c3ff 100644 +index 9d4d8cb..a58e2dd 100644 --- a/varnishd.te +++ b/varnishd.te @@ -21,7 +21,7 @@ type varnishd_initrc_exec_t; @@ -92348,7 +98790,7 @@ index 9d4d8cb..f50c3ff 100644 type varnishd_tmp_t; files_tmp_file(varnishd_tmp_t) -@@ -43,7 +43,7 @@ type varnishlog_var_run_t; +@@ -43,16 +43,16 @@ type varnishlog_var_run_t; files_pid_file(varnishlog_var_run_t) type varnishlog_log_t; 
@@ -92357,9 +98799,11 @@ index 9d4d8cb..f50c3ff 100644 ######################################## # -@@ -52,7 +52,7 @@ files_type(varnishlog_log_t) + # Local policy + # - allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid }; +-allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid }; ++allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid chown }; dontaudit varnishd_t self:capability sys_tty_config; -allow varnishd_t self:process signal; +allow varnishd_t self:process { execmem signal }; @@ -92501,7 +98945,7 @@ index 31c752e..ef52235 100644 init_labeled_script_domtrans($1, vdagentd_initrc_exec_t) domain_system_change_exemption($1) diff --git a/vdagent.te b/vdagent.te -index 77be35a..0e9a7d1 100644 +index 77be35a..9ed83d0 100644 --- a/vdagent.te +++ b/vdagent.te @@ -25,6 +25,7 @@ logging_log_file(vdagent_log_t) @@ -92512,7 +98956,7 @@ index 77be35a..0e9a7d1 100644 allow vdagent_t self:fifo_file rw_fifo_file_perms; allow vdagent_t self:unix_stream_socket { accept listen }; -@@ -39,17 +40,20 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t) +@@ -39,20 +40,25 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t) setattr_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t) logging_log_filetrans(vdagent_t, vdagent_log_t, file) @@ -92529,14 +98973,19 @@ index 77be35a..0e9a7d1 100644 -logging_send_syslog_msg(vdagent_t) +systemd_read_logind_sessions_files(vdagent_t) +systemd_login_read_pid_files(vdagent_t) -+ -+term_use_virtio_console(vdagent_t) -miscfiles_read_localization(vdagent_t) ++term_use_virtio_console(vdagent_t) ++ +logging_send_syslog_msg(vdagent_t) userdom_read_all_users_state(vdagent_t) ++xserver_read_xdm_state(vdagent_t) ++ + optional_policy(` + dbus_system_bus_client(vdagent_t) + diff --git a/vhostmd.if b/vhostmd.if index 22edd58..c3a5364 100644 --- a/vhostmd.if @@ -92584,7 +99033,7 @@ index 0be8535..b96e329 100644 optional_policy(` 
diff --git a/virt.fc b/virt.fc -index c30da4c..9bad8b9 100644 +index c30da4c..6351bcb 100644 --- a/virt.fc +++ b/virt.fc @@ -1,52 +1,92 @@ @@ -92717,10 +99166,10 @@ index c30da4c..9bad8b9 100644 +/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) +/var/run/qga\.state -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) + -+/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) ++/var/log/qemu-ga\.log.* -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) +/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index 9dec06c..73549fd 100644 +index 9dec06c..88dcafb 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,51 @@ @@ -93171,17 +99620,35 @@ index 9dec06c..73549fd 100644 manage_files_pattern($1, virt_etc_t, virt_etc_t) manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) -@@ -414,8 +251,7 @@ interface(`virt_manage_config',` +@@ -414,8 +251,25 @@ interface(`virt_manage_config',` ######################################## ## -## Create, read, write, and delete -## virt image files. +## Allow domain to manage virt image files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_getattr_content',` ++ gen_require(` ++ type virt_content_t; ++ ') ++ ++ allow $1 virt_content_t:file getattr_file_perms; ++') ++ ++######################################## ++## ++## Allow domain to manage virt image files ## ## ## -@@ -450,8 +286,7 @@ interface(`virt_read_content',` +@@ -450,8 +304,7 @@ interface(`virt_read_content',` ######################################## ## @@ -93191,7 +99658,7 @@ index 9dec06c..73549fd 100644 ## ## ## -@@ -459,35 +294,17 @@ interface(`virt_read_content',` +@@ -459,35 +312,17 @@ interface(`virt_read_content',` ## ## # 
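Review bot: The new `virt_getattr_content` interface in virt.if carries the summary `## Allow domain to manage virt image files`, copied from the neighbouring manage interface, but its body only grants `getattr_file_perms` on `virt_content_t`. Change the summary to `## Allow domain to getattr virt content files.` so a caller does not pick it expecting write access.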
@@ -93230,7 +99697,7 @@ index 9dec06c..73549fd 100644 ## ## ## -@@ -495,53 +312,37 @@ interface(`virt_manage_virt_content',` +@@ -495,53 +330,37 @@ interface(`virt_manage_virt_content',` ## ## # @@ -93294,7 +99761,7 @@ index 9dec06c..73549fd 100644 ## ## ## -@@ -549,34 +350,21 @@ interface(`virt_home_filetrans_virt_content',` +@@ -549,34 +368,21 @@ interface(`virt_home_filetrans_virt_content',` ## ## # @@ -93337,7 +99804,7 @@ index 9dec06c..73549fd 100644 ## ## ## -@@ -584,32 +372,36 @@ interface(`virt_manage_svirt_home_content',` +@@ -584,32 +390,36 @@ interface(`virt_manage_svirt_home_content',` ## ## # @@ -93386,7 +99853,7 @@ index 9dec06c..73549fd 100644 ## ## ## -@@ -618,54 +410,36 @@ interface(`virt_relabel_svirt_home_content',` +@@ -618,54 +428,36 @@ interface(`virt_relabel_svirt_home_content',` ## ## # @@ -93450,7 +99917,7 @@ index 9dec06c..73549fd 100644 ## ## ## -@@ -673,54 +447,38 @@ interface(`virt_home_filetrans',` +@@ -673,54 +465,38 @@ interface(`virt_home_filetrans',` ## ## # @@ -93517,7 +99984,7 @@ index 9dec06c..73549fd 100644 ## ## ## -@@ -728,52 +486,39 @@ interface(`virt_manage_generic_virt_home_content',` +@@ -728,52 +504,58 @@ interface(`virt_manage_generic_virt_home_content',` ## ## # @@ -93556,14 +100023,31 @@ index 9dec06c..73549fd 100644 -## -## -## --## --## The name of the object being created. --## --## +## ++# ++interface(`virt_read_log',` ++ gen_require(` ++ type virt_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, virt_log_t, virt_log_t) ++') ++ ++######################################## ++## ++## Allow the specified domain to append ++## virt log files. ++## ++## + ## +-## The name of the object being created. ++## Domain allowed access. + ## + ## # -interface(`virt_home_filetrans_virt_home',` -+interface(`virt_read_log',` ++interface(`virt_append_log',` gen_require(` - type virt_home_t; + type virt_log_t; 
@@ -93571,23 +100055,22 @@ index 9dec06c..73549fd 100644 - userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3) + logging_search_logs($1) -+ read_files_pattern($1, virt_log_t, virt_log_t) ++ append_files_pattern($1, virt_log_t, virt_log_t) ') ######################################## ## -## Read virt pid files. -+## Allow the specified domain to append -+## virt log files. ++## Allow domain to manage virt log files ## ## ## -@@ -781,19 +526,18 @@ interface(`virt_home_filetrans_virt_home',` +@@ -781,19 +563,19 @@ interface(`virt_home_filetrans_virt_home',` ## ## # -interface(`virt_read_pid_files',` -+interface(`virt_append_log',` ++interface(`virt_manage_log',` gen_require(` - type virt_var_run_t; + type virt_log_t; @@ -93595,34 +100078,34 @@ index 9dec06c..73549fd 100644 - files_search_pids($1) - read_files_pattern($1, virt_var_run_t, virt_var_run_t) -+ logging_search_logs($1) -+ append_files_pattern($1, virt_log_t, virt_log_t) ++ manage_dirs_pattern($1, virt_log_t, virt_log_t) ++ manage_files_pattern($1, virt_log_t, virt_log_t) ++ manage_lnk_files_pattern($1, virt_log_t, virt_log_t) ') ######################################## ## -## Create, read, write, and delete -## virt pid files. -+## Allow domain to manage virt log files ++## Allow domain to getattr virt image direcories ## ## ## -@@ -801,18 +545,19 @@ interface(`virt_read_pid_files',` +@@ -801,18 +583,18 @@ interface(`virt_read_pid_files',` ## ## # -interface(`virt_manage_pid_files',` -+interface(`virt_manage_log',` ++interface(`virt_getattr_images',` gen_require(` - type virt_var_run_t; -+ type virt_log_t; ++ attribute virt_image_type; ') - files_search_pids($1) - manage_files_pattern($1, virt_var_run_t, virt_var_run_t) -+ manage_dirs_pattern($1, virt_log_t, virt_log_t) -+ manage_files_pattern($1, virt_log_t, virt_log_t) -+ manage_lnk_files_pattern($1, virt_log_t, virt_log_t) ++ virt_search_lib($1) ++ allow $1 virt_image_type:file getattr_file_perms; ') ######################################## 
@@ -93632,7 +100115,7 @@ index 9dec06c..73549fd 100644 ## ## ## -@@ -820,18 +565,18 @@ interface(`virt_manage_pid_files',` +@@ -820,18 +602,18 @@ interface(`virt_manage_pid_files',` ## ## # @@ -93656,7 +100139,7 @@ index 9dec06c..73549fd 100644 ## ## ## -@@ -839,20 +584,73 @@ interface(`virt_search_lib',` +@@ -839,20 +621,73 @@ interface(`virt_search_lib',` ## ## # @@ -93735,44 +100218,40 @@ index 9dec06c..73549fd 100644 ## ## ## -@@ -860,94 +658,189 @@ interface(`virt_read_lib_files',` +@@ -860,74 +695,265 @@ interface(`virt_read_lib_files',` ## ## # -interface(`virt_manage_lib_files',` +interface(`virt_manage_cache',` - gen_require(` -- type virt_var_lib_t; ++ gen_require(` + type virt_cache_t; - ') - -- files_search_var_lib($1) -- manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t) ++ ') ++ + files_search_var($1) + manage_dirs_pattern($1, virt_cache_t, virt_cache_t) + manage_files_pattern($1, virt_cache_t, virt_cache_t) + manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t) - ') - - ######################################## - ## --## Create objects in virt pid --## directories with a private type. ++') ++ ++######################################## ++## +## Allow domain to manage virt image files - ## - ## - ## - ## Domain allowed access. - ## - ## --## ++## ++## ++## ++## Domain allowed access. ++## ++## +# +interface(`virt_manage_images',` -+ gen_require(` -+ type virt_var_lib_t; + gen_require(` + type virt_var_lib_t; + attribute virt_image_type; -+ ') -+ + ') + +- files_search_var_lib($1) +- manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t) + virt_search_lib($1) + allow $1 virt_image_type:dir list_dir_perms; + manage_dirs_pattern($1, virt_image_type, virt_image_type) 
@@ -93802,19 +100281,19 @@ index 9dec06c..73549fd 100644 + manage_dirs_pattern($1, virt_image_t, virt_image_t) + manage_files_pattern($1, virt_image_t, virt_image_t) + read_lnk_files_pattern($1, virt_image_t, virt_image_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create objects in virt pid +-## directories with a private type. +## Execute virt server in the virt domain. +## +## - ## --## The type of the object to be created. ++## +## Domain allowed to transition. - ## - ## --## ++## ++## +# +interface(`virt_systemctl',` + gen_require(` 
@@ -93834,24 +100313,85 @@ index 9dec06c..73549fd 100644 +## Ptrace the svirt domain +## +## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`virt_ptrace',` ++ gen_require(` ++ attribute virt_domain; ++ ') ++ ++ allow $1 virt_domain:process ptrace; ++') ++ ++####################################### ++## ++## Execute Sandbox Files + ## + ## + ## + ## Domain allowed access. + ## + ## +-## ++# ++interface(`virt_exec_sandbox_files',` ++ gen_require(` ++ type svirt_sandbox_file_t; ++ ') ++ ++ can_exec($1, svirt_sandbox_file_t) ++') ++ ++####################################### ++## ++## Manage Sandbox Files ++## ++## + ## +-## The type of the object to be created. ++## Domain allowed access. + ## + ## +-## ++# ++interface(`virt_manage_sandbox_files',` ++ gen_require(` ++ type svirt_sandbox_file_t; ++ ') ++ ++ manage_dirs_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) ++ manage_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) ++ manage_fifo_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) ++ manage_chr_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) ++ manage_lnk_files_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t) ++') ++ ++####################################### ++## ++## Relabel Sandbox File systems ++## ++## ## -## The object class of the object being created. -+## Domain allowed to transition. ++## Domain allowed access. ## ## -## +# -+interface(`virt_ptrace',` ++interface(`virt_relabel_sandbox_filesystem',` + gen_require(` -+ attribute virt_domain; ++ type svirt_sandbox_file_t; + ') + -+ allow $1 virt_domain:process ptrace; ++ allow $1 svirt_sandbox_file_t:filesystem { relabelfrom relabelto }; +') + +####################################### +## -+## Connect to virt over a unix domain stream socket. ++## Mounton Sandbox Files +## +## ## 
@@ -93862,9 +100402,27 @@ index 9dec06c..73549fd 100644 -## # -interface(`virt_pid_filetrans',` -+interface(`virt_stream_connect_sandbox',` ++interface(`virt_mounton_sandbox_file',` gen_require(` - type virt_var_run_t; ++ type svirt_sandbox_file_t; ++ ') ++ ++ allow $1 svirt_sandbox_file_t:dir_file_class_set mounton; ++') ++ ++####################################### ++## ++## Connect to virt over a unix domain stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_stream_connect_sandbox',` ++ gen_require(` + attribute svirt_sandbox_domain; + type svirt_sandbox_file_t; ') 
@@ -93926,93 +100484,110 @@ index 9dec06c..73549fd 100644 ## -## Append virt log files. +## Do not audit attempts to write virt daemon unnamed pipes. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`virt_dontaudit_write_pipes',` ++ gen_require(` ++ type virtd_t; ++ ') ++ ++ dontaudit $1 virtd_t:fd use; ++ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; ++') ++ ++######################################## ++## ++## Send a sigkill to virtual machines ## ## ## --## Domain allowed access. -+## Domain to not audit. +@@ -935,19 +961,17 @@ interface(`virt_read_log',` ## ## # -interface(`virt_append_log',` -+interface(`virt_dontaudit_write_pipes',` ++interface(`virt_kill_svirt',` gen_require(` - type virt_log_t; -+ type virtd_t; ++ attribute virt_domain; ') - logging_search_logs($1) - append_files_pattern($1, virt_log_t, virt_log_t) -+ dontaudit $1 virtd_t:fd use; -+ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms; ++ allow $1 virt_domain:process sigkill; ') ######################################## ## -## Create, read, write, and delete -## virt log files. -+## Send a sigkill to virtual machines ++## Send a sigkill to virtd daemon. ## ## ## -@@ -955,20 +848,17 @@ interface(`virt_append_log',` +@@ -955,20 +979,17 @@ interface(`virt_append_log',` ## ## # -interface(`virt_manage_log',` -+interface(`virt_kill_svirt',` ++interface(`virt_kill',` gen_require(` - type virt_log_t; -+ attribute virt_domain; ++ type virtd_t; ') - logging_search_logs($1) - manage_dirs_pattern($1, virt_log_t, virt_log_t) - manage_files_pattern($1, virt_log_t, virt_log_t) - manage_lnk_files_pattern($1, virt_log_t, virt_log_t) -+ allow $1 virt_domain:process sigkill; ++ allow $1 virtd_t:process sigkill; ') ######################################## ## -## Search virt image directories. -+## Send a sigkill to virtd daemon. 
++## Send a signal to virtual machines ## ## ## -@@ -976,18 +866,17 @@ interface(`virt_manage_log',` +@@ -976,18 +997,17 @@ interface(`virt_manage_log',` ## ## # -interface(`virt_search_images',` -+interface(`virt_kill',` ++interface(`virt_signal_svirt',` gen_require(` - attribute virt_image_type; -+ type virtd_t; ++ attribute virt_domain; ') - virt_search_lib($1) - allow $1 virt_image_type:dir search_dir_perms; -+ allow $1 virtd_t:process sigkill; ++ allow $1 virt_domain:process signal; ') ######################################## ## -## Read virt image files. -+## Send a signal to virtual machines ++## Manage virt home files. ## ## ## -@@ -995,73 +884,75 @@ interface(`virt_search_images',` +@@ -995,36 +1015,57 @@ interface(`virt_search_images',` ## ## # -interface(`virt_read_images',` -+interface(`virt_signal_svirt',` ++interface(`virt_manage_home_files',` gen_require(` - type virt_var_lib_t; - attribute virt_image_type; -+ attribute virt_domain; ++ type virt_home_t; ') - virt_search_lib($1) @@ -94021,7 +100596,8 @@ index 9dec06c..73549fd 100644 - read_files_pattern($1, virt_image_type, virt_image_type) - read_lnk_files_pattern($1, virt_image_type, virt_image_type) - read_blk_files_pattern($1, virt_image_type, virt_image_type) -+ allow $1 virt_domain:process signal; ++ userdom_search_user_home_dirs($1) ++ manage_files_pattern($1, virt_home_t, virt_home_t) +') - tunable_policy(`virt_use_nfs',` 
@@ -94030,105 +100606,70 @@ index 9dec06c..73549fd 100644 - fs_read_nfs_symlinks($1) +######################################## +## -+## Manage virt home files. ++## allow domain to read ++## virt tmpfs files +## +## +## -+## Domain allowed access. ++## Domain allowed access +## +## +# -+interface(`virt_manage_home_files',` ++interface(`virt_read_tmpfs_files',` + gen_require(` -+ type virt_home_t; ++ attribute virt_tmpfs_type; ') - tunable_policy(`virt_use_samba',` - fs_list_cifs($1) - fs_read_cifs_files($1) - fs_read_cifs_symlinks($1) -- ') -+ userdom_search_user_home_dirs($1) -+ manage_files_pattern($1, virt_home_t, virt_home_t) - ') - - ######################################## - ## --## Read and write all virt image --## character files. -+## allow domain to read -+## virt tmpfs files - ## - ## - ## --## Domain allowed access. -+## Domain allowed access - ## - ## - # --interface(`virt_rw_all_image_chr_files',` -+interface(`virt_read_tmpfs_files',` - gen_require(` -- attribute virt_image_type; -+ attribute virt_tmpfs_type; - ') - -- virt_search_lib($1) -- allow $1 virt_image_type:dir list_dir_perms; -- rw_chr_files_pattern($1, virt_image_type, virt_image_type) + allow $1 virt_tmpfs_type:file read_file_perms; - ') - - ######################################## - ## --## Create, read, write, and delete --## svirt cache files. ++') ++ ++######################################## ++## +## allow domain to manage +## virt tmpfs files - ## - ## - ## --## Domain allowed access. ++## ++## ++## +## Domain allowed access - ## - ## - # --interface(`virt_manage_svirt_cache',` -- refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.') -- virt_manage_virt_cache($1) ++## ++## ++# +interface(`virt_manage_tmpfs_files',` + gen_require(` + attribute virt_tmpfs_type; -+ ') + ') + + allow $1 virt_tmpfs_type:file manage_file_perms; ') ######################################## ## --## Create, read, write, and delete --## virt cache content. 
+-## Read and write all virt image +-## character files. +## Create .virt directory in the user home directory +## with an correct label. ## ## ## -@@ -1069,21 +960,28 @@ interface(`virt_manage_svirt_cache',` +@@ -1032,20 +1073,28 @@ interface(`virt_read_images',` ## ## # --interface(`virt_manage_virt_cache',` +-interface(`virt_rw_all_image_chr_files',` +interface(`virt_filetrans_home_content',` gen_require(` -- type virt_cache_t; +- attribute virt_image_type; + type virt_home_t; + type svirt_home_t; ') -- files_search_var($1) -- manage_dirs_pattern($1, virt_cache_t, virt_cache_t) -- manage_files_pattern($1, virt_cache_t, virt_cache_t) -- manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t) +- virt_search_lib($1) +- allow $1 virt_image_type:dir list_dir_perms; +- rw_chr_files_pattern($1, virt_image_type, virt_image_type) + userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt") + userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst") + filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu") 
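Review bot: `virt_manage_tmpfs_files` grants `allow $1 virt_tmpfs_type:file manage_file_perms;` on the attribute, so the caller can create, write and delete the tmpfs files of every type carrying `virt_tmpfs_type`, not those of a single guest, and the summary "allow domain to manage virt tmpfs files" hides that reach. Reword it as `## Manage the tmpfs files of all virt domains (every type with the virt_tmpfs_type attribute).` and give `virt_read_tmpfs_files` above it the matching read wording. MCS category separation between guests would still hold only for a caller that is itself mcs_constrained, which these interfaces do not require, so the attribute-wide scope is worth stating in the docstring rather than leaving it to the reader of `gen_require`.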
@@ -94145,40 +100686,34 @@ index 9dec06c..73549fd 100644 ######################################## ## -## Create, read, write, and delete --## virt image files. +-## svirt cache files. +## Dontaudit attempts to Read virt_image_type devices. ## ## ## -@@ -1091,36 +989,148 @@ interface(`virt_manage_virt_cache',` +@@ -1053,37 +1102,133 @@ interface(`virt_rw_all_image_chr_files',` ## ## # --interface(`virt_manage_images',` +-interface(`virt_manage_svirt_cache',` +- refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.') +- virt_manage_virt_cache($1) +interface(`virt_dontaudit_read_chr_dev',` - gen_require(` -- type virt_var_lib_t; - attribute virt_image_type; - ') - -- virt_search_lib($1) -- allow $1 virt_image_type:dir list_dir_perms; -- manage_dirs_pattern($1, virt_image_type, virt_image_type) -- manage_files_pattern($1, virt_image_type, virt_image_type) -- read_lnk_files_pattern($1, virt_image_type, virt_image_type) -- rw_blk_files_pattern($1, virt_image_type, virt_image_type) ++ gen_require(` ++ attribute virt_image_type; ++ ') ++ + dontaudit $1 virt_image_type:chr_file read_chr_file_perms; -+') + ') -- tunable_policy(`virt_use_nfs',` -- fs_manage_nfs_dirs($1) -- fs_manage_nfs_files($1) -- fs_read_nfs_symlinks($1) -+######################################## -+## + ######################################## + ## +-## Create, read, write, and delete +-## virt cache content. +## Creates types and rules for a basic +## virt_lxc process domain. -+## + ## +-## +## +## +## Prefix for the domain. @@ -94188,12 +100723,8 @@ index 9dec06c..73549fd 100644 +template(`virt_sandbox_domain_template',` + gen_require(` + attribute svirt_sandbox_domain; - ') - -- tunable_policy(`virt_use_samba',` -- fs_manage_cifs_files($1) -- fs_manage_cifs_files($1) -- fs_read_cifs_symlinks($1) ++ ') ++ + type $1_t, svirt_sandbox_domain; + domain_type($1_t) + domain_user_exemption_target($1_t) 
@@ -94201,6 +100732,8 @@ index 9dec06c..73549fd 100644 + mcs_constrained($1_t) + role system_r types $1_t; + ++ logging_send_syslog_msg($1_t) ++ + kernel_read_system_state($1_t) +') + @@ -94209,7 +100742,7 @@ index 9dec06c..73549fd 100644 +## Make the specified type usable as a lxc domain +## +## -+## + ## +## Type to be used as a lxc domain +## +## @@ -94228,7 +100761,7 @@ index 9dec06c..73549fd 100644 +## +## +## -+## Domain allowed access. + ## Domain allowed access. +## +## +# @@ -94247,22 +100780,30 @@ index 9dec06c..73549fd 100644 +## +## +## Domain allowed access. -+## -+## -+# + ## + ## + # +-interface(`virt_manage_virt_cache',` +interface(`virt_filetrans_named_content',` -+ gen_require(` + gen_require(` +- type virt_cache_t; + type virt_lxc_var_run_t; + type virt_var_run_t; -+ ') -+ + ') + +- files_search_var($1) +- manage_dirs_pattern($1, virt_cache_t, virt_cache_t) +- manage_files_pattern($1, virt_cache_t, virt_cache_t) +- manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t) + files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox") + files_pid_filetrans($1, virt_var_run_t, dir, "libvirt") + files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs") -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete +-## virt image files. +## Execute qemu in the svirt domain, and +## allow the specified role the svirt domain. +## 
@@ -94283,11 +100824,66 @@ index 9dec06c..73549fd 100644 + attribute svirt_sandbox_domain; + ') + -+ allow $1 svirt_sandbox_domain:process transition; ++ allow $1 svirt_sandbox_domain:process { transition signal_perms }; + role $2 types svirt_sandbox_domain; + allow $1 svirt_sandbox_domain:unix_dgram_socket sendto; + ++ allow svirt_sandbox_domain $1:fifo_file rw_fifo_file_perms; + allow svirt_sandbox_domain $1:process sigchld; ++ ps_process_pattern($1, svirt_sandbox_domain) ++') ++ ++######################################## ++## ++## Read and write to svirt_image devices. + ## + ## + ## +@@ -1091,36 +1236,54 @@ interface(`virt_manage_virt_cache',` + ## + ## + # +-interface(`virt_manage_images',` ++interface(`virt_rw_svirt_dev',` + gen_require(` +- type virt_var_lib_t; +- attribute virt_image_type; ++ type svirt_image_t; + ') + +- virt_search_lib($1) +- allow $1 virt_image_type:dir list_dir_perms; +- manage_dirs_pattern($1, virt_image_type, virt_image_type) +- manage_files_pattern($1, virt_image_type, virt_image_type) +- read_lnk_files_pattern($1, virt_image_type, virt_image_type) +- rw_blk_files_pattern($1, virt_image_type, virt_image_type) ++ allow $1 svirt_image_t:chr_file rw_file_perms; ++') + +- tunable_policy(`virt_use_nfs',` +- fs_manage_nfs_dirs($1) +- fs_manage_nfs_files($1) +- fs_read_nfs_symlinks($1) ++######################################## ++## ++## Read and write to svirt_image devices. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_rlimitinh',` ++ gen_require(` ++ type virtd_t; + ') + +- tunable_policy(`virt_use_samba',` +- fs_manage_cifs_files($1) +- fs_manage_cifs_files($1) +- fs_read_cifs_symlinks($1) ++ allow $1 virtd_t:process { rlimitinh }; +') + +######################################## 
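Review bot: `virt_rlimitinh` carries the summary "Read and write to svirt_image devices.", copied from `virt_rw_svirt_dev` directly above it, while its rule is `allow $1 virtd_t:process { rlimitinh };`; replace the summary with `## Allow the domain's resource limits to be inherited across a transition into virtd_t.` In the interface whose body opens this hunk (its name and summary lie outside the hunk), the new `allow svirt_sandbox_domain $1:fifo_file rw_fifo_file_perms;` lets every sandbox domain read and write pipes inherited from the transitioning domain, which is a broader grant than the transition/signal rules around it. A why-comment such as `# sandboxes keep rw access to pipes inherited from $1 (presumably stdio plumbing — confirm)` would record the intent, hedged because the hunk does not show which pipes are passed.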
@@ -94300,12 +100896,12 @@ index 9dec06c..73549fd 100644 +## +## +# -+interface(`virt_rw_svirt_dev',` ++interface(`virt_noatsecure',` + gen_require(` -+ type svirt_image_t; ++ type virtd_t; ') + -+ allow $1 svirt_image_t:chr_file rw_file_perms; ++ allow $1 virtd_t:process { noatsecure rlimitinh }; ') ######################################## @@ -94317,7 +100913,7 @@ index 9dec06c..73549fd 100644 ## ## ## -@@ -1136,50 +1146,36 @@ interface(`virt_manage_images',` +@@ -1136,50 +1299,36 @@ interface(`virt_manage_images',` # interface(`virt_admin',` gen_require(` @@ -94365,11 +100961,11 @@ index 9dec06c..73549fd 100644 - - logging_search_logs($1) - admin_pattern($1, virt_log_t) -+ allow $1 virt_domain:process signal_perms; - +- - files_search_pids($1) - admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t }) -- ++ allow $1 virt_domain:process signal_perms; + - files_search_var($1) - admin_pattern($1, svirt_cache_t) - @@ -94390,10 +100986,10 @@ index 9dec06c..73549fd 100644 + virt_stream_connect($1) ') diff --git a/virt.te b/virt.te -index 1f22fba..15485c6 100644 +index 1f22fba..57af4d0 100644 --- a/virt.te +++ b/virt.te -@@ -1,147 +1,173 @@ +@@ -1,147 +1,209 @@ -policy_module(virt, 1.6.10) +policy_module(virt, 1.5.0) @@ -94405,7 +101001,7 @@ index 1f22fba..15485c6 100644 +gen_require(` + class passwd rootok; + class passwd passwd; -+ ') ++') + +attribute virsh_transition_domain; +attribute virt_ptynode; @@ -94531,34 +101127,67 @@ index 1f22fba..15485c6 100644 -attribute virt_image_type; -attribute virt_tmp_type; -attribute virt_tmpfs_type; -- --attribute svirt_lxc_domain; -- --attribute_role virt_domain_roles; --roleattribute system_r virt_domain_roles; +## +##
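Review bot: `virt_noatsecure` grants `allow $1 virtd_t:process { noatsecure rlimitinh };`, and `noatsecure` clears AT_SECURE on the domain transition, so a virtd_t process started by `$1` runs without the libc secure-execution protections and honours the caller's `LD_PRELOAD`, `LD_LIBRARY_PATH` and similar environment; the docstring should say so and the interface should be handed only to init-like domains. Its summary lines are unchanged context just above this hunk, and if they still carry the old `virt_rw_svirt_dev` text they are now wrong too; a correct summary is `## Transition into virtd_t without AT_SECURE (caller environment is not sanitized) and with inherited rlimits.` The name promises only noatsecure but the rule also grants `rlimitinh`, which the separate `virt_rlimitinh` already provides, so either drop `rlimitinh` here or document that both are granted.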

+## Allow confined virtual guests to use usb devices +##

+##
+gen_tunable(virt_use_usb, true) ++ ++## ++##

++## Allow sandbox containers to manage nfs files ++##

++##
++gen_tunable(virt_sandbox_use_nfs, false) ++ ++## ++##

++## Allow sandbox containers to manage samba/cifs files ++##

++##
++gen_tunable(virt_sandbox_use_samba, false) + +-attribute svirt_lxc_domain; ++## ++##

++## Allow sandbox containers to send audit messages + +-attribute_role virt_domain_roles; +-roleattribute system_r virt_domain_roles; ++##

++##
++gen_tunable(virt_sandbox_use_audit, true) -attribute_role virt_bridgehelper_roles; -roleattribute system_r virt_bridgehelper_roles; -+virt_domain_template(svirt) -+role system_r types svirt_t; -+typealias svirt_t alias qemu_t; ++## ++##

++## Allow sandbox containers to use netlink system calls ++##

++##
++gen_tunable(virt_sandbox_use_netlink, false) -attribute_role svirt_lxc_domain_roles; -roleattribute system_r svirt_lxc_domain_roles; -+virt_domain_template(svirt_tcg) -+role system_r types svirt_tcg_t; ++## ++##

++## Allow sandbox containers to use sys_admin system calls, for example mount ++##

++##
++gen_tunable(virt_sandbox_use_sys_admin, false) --virt_domain_template(svirt) + virt_domain_template(svirt) -virt_domain_template(svirt_prot_exec) -+type qemu_exec_t, virt_file_type; ++role system_r types svirt_t; ++typealias svirt_t alias qemu_t; ++ ++virt_domain_template(svirt_tcg) ++role system_r types svirt_tcg_t; -type virt_cache_t alias svirt_cache_t; ++type qemu_exec_t, virt_file_type; ++ +type virt_cache_t alias svirt_cache_t, virt_file_type; files_type(virt_cache_t) @@ -94640,7 +101269,7 @@ index 1f22fba..15485c6 100644 ifdef(`enable_mcs',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh) ') -@@ -150,295 +176,142 @@ ifdef(`enable_mls',` +@@ -150,295 +212,130 @@ ifdef(`enable_mls',` init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh) ') 
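Review bot: The description of `virt_sandbox_use_sys_admin`, "Allow sandbox containers to use sys_admin system calls, for example mount", understates the effect: CAP_SYS_ADMIN is the catch-all capability and mount is only one of the privileged operations it unlocks, so turning the boolean on removes much of what confines an svirt_sandbox domain. Spell that out for the administrator who flips it, e.g. `## Allow sandbox containers the sys_admin capability (mount and many other privileged operations); enabling this largely defeats container confinement.` The `virt_sandbox_use_netlink` text "use netlink system calls" is imprecise, since netlink is a socket family rather than a system call, and `virt_sandbox_use_audit` defaults to true, which lets containers write into the host audit stream out of the box; both deserve a sentence in their descriptions.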
@@ -94833,80 +101462,60 @@ index 1f22fba..15485c6 100644 - fs_manage_nfs_named_sockets(virt_domain) - fs_read_nfs_symlinks(virt_domain) -') -+type virtd_lxc_t, virt_system_domain; -+type virtd_lxc_exec_t, virt_file_type; -+init_system_domain(virtd_lxc_t, virtd_lxc_exec_t) - +- -tunable_policy(`virt_use_samba',` - fs_manage_cifs_dirs(virt_domain) - fs_manage_cifs_files(virt_domain) - fs_manage_cifs_named_sockets(virt_domain) - fs_read_cifs_symlinks(virt_domain) -') -+type virt_lxc_var_run_t, virt_file_type; -+files_pid_file(virt_lxc_var_run_t) -+typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t; - +- -tunable_policy(`virt_use_sysfs',` - dev_rw_sysfs(virt_domain) -') -+# virt lxc container files -+type svirt_sandbox_file_t alias svirt_lxc_file_t, svirt_file_type; -+files_mountpoint(svirt_sandbox_file_t) - +- -tunable_policy(`virt_use_usb',` - dev_rw_usbfs(virt_domain) - dev_read_sysfs(virt_domain) - fs_manage_dos_dirs(virt_domain) - fs_manage_dos_files(virt_domain) -') -+######################################## -+# -+# svirt local policy -+# - +- -optional_policy(` - tunable_policy(`virt_use_xserver',` - xserver_read_xdm_pid(virt_domain) - xserver_stream_connect(virt_domain) - ') -') -+# it was a part of auth_use_nsswitch -+allow svirt_t self:netlink_route_socket r_netlink_socket_perms; - +- -optional_policy(` - dbus_read_lib_files(virt_domain) -') -+corenet_udp_sendrecv_generic_if(svirt_t) -+corenet_udp_sendrecv_generic_node(svirt_t) -+corenet_udp_sendrecv_all_ports(svirt_t) -+corenet_udp_bind_generic_node(svirt_t) -+corenet_udp_bind_all_ports(svirt_t) -+corenet_tcp_bind_all_ports(svirt_t) -+corenet_tcp_connect_all_ports(svirt_t) - +- -optional_policy(` - nscd_use(virt_domain) -') -+miscfiles_read_generic_certs(svirt_t) ++type virtd_lxc_t, virt_system_domain; ++type virtd_lxc_exec_t, virt_file_type; ++init_system_domain(virtd_lxc_t, virtd_lxc_exec_t) - optional_policy(` +-optional_policy(` - samba_domtrans_smbd(virt_domain) -+ 
nscd_dontaudit_write_sock_file(svirt_t) - ') +-') ++type virt_lxc_var_run_t, virt_file_type; ++files_pid_file(virt_lxc_var_run_t) ++typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t; - optional_policy(` +-optional_policy(` - xen_rw_image_files(virt_domain) -+ sssd_dontaudit_stream_connect(svirt_t) -+ sssd_dontaudit_read_lib(svirt_t) -+ sssd_dontaudit_read_public_files(svirt_t) - ') +-') ++# virt lxc container files ++type svirt_sandbox_file_t alias svirt_lxc_file_t, svirt_file_type; ++files_mountpoint(svirt_sandbox_file_t) --######################################## -+####################################### + ######################################## # --# svirt local policy -+# svirt_prot_exec local policy + # svirt local policy # -list_dirs_pattern(svirt_t, virt_content_t, virt_content_t) 
@@ -94928,26 +101537,35 @@ index 1f22fba..15485c6 100644 -corenet_udp_sendrecv_generic_node(svirt_t) -corenet_udp_sendrecv_all_ports(svirt_t) -corenet_udp_bind_generic_node(svirt_t) -- ++# it was a part of auth_use_nsswitch ++allow svirt_t self:netlink_route_socket r_netlink_socket_perms; + -corenet_all_recvfrom_unlabeled(svirt_t) -corenet_all_recvfrom_netlabel(svirt_t) -corenet_tcp_sendrecv_generic_if(svirt_t) --corenet_udp_sendrecv_generic_if(svirt_t) + corenet_udp_sendrecv_generic_if(svirt_t) -corenet_tcp_sendrecv_generic_node(svirt_t) --corenet_udp_sendrecv_generic_node(svirt_t) + corenet_udp_sendrecv_generic_node(svirt_t) -corenet_tcp_sendrecv_all_ports(svirt_t) --corenet_udp_sendrecv_all_ports(svirt_t) + corenet_udp_sendrecv_all_ports(svirt_t) -corenet_tcp_bind_generic_node(svirt_t) --corenet_udp_bind_generic_node(svirt_t) + corenet_udp_bind_generic_node(svirt_t) - -corenet_sendrecv_all_server_packets(svirt_t) --corenet_udp_bind_all_ports(svirt_t) --corenet_tcp_bind_all_ports(svirt_t) + corenet_udp_bind_all_ports(svirt_t) + corenet_tcp_bind_all_ports(svirt_t) +- +-corenet_sendrecv_all_client_packets(svirt_t) + corenet_tcp_connect_all_ports(svirt_t) + ++####################################### ++# ++# svirt_prot_exec local policy ++# ++ +allow svirt_tcg_t self:process { execmem execstack }; +allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; - --corenet_sendrecv_all_client_packets(svirt_t) --corenet_tcp_connect_all_ports(svirt_t) ++ +corenet_udp_sendrecv_generic_if(svirt_tcg_t) +corenet_udp_sendrecv_generic_node(svirt_tcg_t) +corenet_udp_sendrecv_all_ports(svirt_tcg_t) @@ -94955,7 +101573,7 @@ index 1f22fba..15485c6 100644 +corenet_udp_bind_all_ports(svirt_tcg_t) +corenet_tcp_bind_all_ports(svirt_tcg_t) +corenet_tcp_connect_all_ports(svirt_tcg_t) - ++ ######################################## # # virtd local policy 
@@ -95022,7 +101640,7 @@ index 1f22fba..15485c6 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -448,42 +321,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -448,42 +345,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) 
@@ -95069,29 +101687,29 @@ index 1f22fba..15485c6 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -496,16 +356,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -496,16 +380,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") -- --stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) --stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) -- --can_exec(virtd_t, virt_tmp_t) +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto }; +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +- +-can_exec(virtd_t, virt_tmp_t) +- -kernel_read_crypto_sysctls(virtd_t) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) -@@ -513,6 +369,7 @@ kernel_read_kernel_sysctls(virtd_t) +@@ -513,6 +393,7 @@ kernel_read_kernel_sysctls(virtd_t) kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) kernel_setsched(virtd_t) 
@@ -95099,7 +101717,7 @@ index 1f22fba..15485c6 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -520,24 +377,16 @@ corecmd_exec_shell(virtd_t) +@@ -520,24 +401,16 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) @@ -95127,7 +101745,7 @@ index 1f22fba..15485c6 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -548,22 +397,27 @@ dev_rw_vhost(virtd_t) +@@ -548,22 +421,27 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -95160,7 +101778,7 @@ index 1f22fba..15485c6 100644 fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) -@@ -594,15 +448,18 @@ term_use_ptmx(virtd_t) +@@ -594,15 +472,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -95180,7 +101798,7 @@ index 1f22fba..15485c6 100644 selinux_validate_context(virtd_t) -@@ -613,18 +470,26 @@ seutil_read_file_contexts(virtd_t) +@@ -613,18 +494,26 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -95217,7 +101835,7 @@ index 1f22fba..15485c6 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -633,7 +498,7 @@ tunable_policy(`virt_use_nfs',` +@@ -633,7 +522,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -95226,7 +101844,7 @@ index 1f22fba..15485c6 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -658,20 +523,12 @@ optional_policy(` +@@ -658,20 +547,12 @@ optional_policy(` ') optional_policy(` @@ -95247,7 +101865,7 @@ index 1f22fba..15485c6 100644 ') optional_policy(` -@@ -684,14 +541,20 @@ optional_policy(` +@@ -684,14 +565,20 @@ optional_policy(` dnsmasq_kill(virtd_t) dnsmasq_signull(virtd_t) dnsmasq_create_pid_dirs(virtd_t) 
@@ -95270,7 +101888,7 @@ index 1f22fba..15485c6 100644 iptables_manage_config(virtd_t) ') -@@ -704,11 +567,13 @@ optional_policy(` +@@ -704,11 +591,13 @@ optional_policy(` ') optional_policy(` @@ -95284,7 +101902,7 @@ index 1f22fba..15485c6 100644 policykit_domtrans_auth(virtd_t) policykit_domtrans_resolve(virtd_t) policykit_read_lib(virtd_t) -@@ -719,10 +584,18 @@ optional_policy(` +@@ -719,10 +608,18 @@ optional_policy(` ') optional_policy(` @@ -95303,7 +101921,7 @@ index 1f22fba..15485c6 100644 kernel_read_xen_state(virtd_t) kernel_write_xen_state(virtd_t) -@@ -737,44 +610,264 @@ optional_policy(` +@@ -737,44 +634,277 @@ optional_policy(` udev_read_db(virtd_t) ') 
@@ -95331,28 +101949,23 @@ index 1f22fba..15485c6 100644 -allow virsh_t self:fifo_file rw_fifo_file_perms; -allow virsh_t self:unix_stream_socket { accept connectto listen }; -allow virsh_t self:tcp_socket { accept listen }; -- ++list_dirs_pattern(virt_domain, virt_content_t, virt_content_t) ++read_files_pattern(virt_domain, virt_content_t, virt_content_t) ++dontaudit virt_domain virt_content_t:file write_file_perms; ++dontaudit virt_domain virt_content_t:dir write; + -manage_files_pattern(virsh_t, virt_image_type, virt_image_type) -manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) -manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type) -- ++kernel_read_net_sysctls(virt_domain) ++kernel_read_network_state(virt_domain) + -manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -+list_dirs_pattern(virt_domain, virt_content_t, virt_content_t) -+read_files_pattern(virt_domain, virt_content_t, virt_content_t) -+dontaudit virt_domain virt_content_t:file write_file_perms; -+dontaudit virt_domain virt_content_t:dir write; - --manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) --manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) --filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") -+kernel_read_net_sysctls(virt_domain) - --dontaudit virsh_t virt_var_lib_t:file read_file_perms; +userdom_search_user_home_content(virt_domain) +userdom_read_user_home_content_symlinks(virt_domain) +userdom_read_all_users_state(virt_domain) 
@@ -95363,12 +101976,14 @@ index 1f22fba..15485c6 100644 +filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file }) +stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t) --allow virsh_t svirt_lxc_domain:process transition; +-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") +manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) +manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t) +files_var_filetrans(virt_domain, virt_cache_t, { file dir }) --can_exec(virsh_t, virsh_exec_t) +-dontaudit virsh_t virt_var_lib_t:file read_file_perms; +read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t) + +manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t) @@ -95399,9 +102014,11 @@ index 1f22fba..15485c6 100644 +stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t) + +dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; -+ + +-allow virsh_t svirt_lxc_domain:process transition; +dontaudit virt_domain virt_tmpfs_type:file { read write }; -+ + +-can_exec(virsh_t, virsh_exec_t) +append_files_pattern(virt_domain, virt_log_t, virt_log_t) + +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) @@ -95417,7 +102034,7 @@ index 1f22fba..15485c6 100644 +corenet_tcp_bind_virt_migration_port(virt_domain) +corenet_tcp_connect_virt_migration_port(virt_domain) +corenet_rw_inherited_tun_tap_dev(virt_domain) - ++ +dev_list_sysfs(virt_domain) +dev_getattr_fs(virt_domain) +dev_dontaudit_getattr_all(virt_domain) @@ -95449,6 +102066,8 @@ index 1f22fba..15485c6 100644 + +# I think we need these for now. +miscfiles_read_public_files(virt_domain) ++miscfiles_read_generic_certs(virt_domain) ++ +storage_raw_read_removable_device(virt_domain) + +sysnet_read_config(virt_domain) 
@@ -95467,6 +102086,10 @@ index 1f22fba..15485c6 100644 +') + +optional_policy(` ++ nscd_dontaudit_write_sock_file(virt_domain) ++') ++ ++optional_policy(` + ptchown_domtrans(virt_domain) +') + @@ -95475,6 +102098,12 @@ index 1f22fba..15485c6 100644 +') + +optional_policy(` ++ sssd_dontaudit_stream_connect(virt_domain) ++ sssd_dontaudit_read_lib(virt_domain) ++ sssd_dontaudit_read_public_files(virt_domain) ++') ++ ++optional_policy(` + virt_read_config(virt_domain) + virt_read_lib_files(virt_domain) + virt_read_content(virt_domain) @@ -95554,7 +102183,7 @@ index 1f22fba..15485c6 100644 +allow virsh_t self:fifo_file rw_fifo_file_perms; +allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow virsh_t self:tcp_socket create_stream_socket_perms; -+ + +ps_process_pattern(virsh_t, svirt_sandbox_domain) + +can_exec(virsh_t, virsh_exec_t) @@ -95592,7 +102221,7 @@ index 1f22fba..15485c6 100644 kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -785,25 +878,18 @@ kernel_write_xen_state(virsh_t) +@@ -785,25 +915,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -95619,7 +102248,7 @@ index 1f22fba..15485c6 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -812,23 +898,23 @@ fs_search_auto_mountpoints(virsh_t) +@@ -812,23 +935,25 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) 
@@ -95639,20 +102268,21 @@ index 1f22fba..15485c6 100644 -miscfiles_read_localization(virsh_t) +auth_read_passwd(virsh_t) - --sysnet_dns_name_resolve(virsh_t) ++ +logging_send_syslog_msg(virsh_t) + sysnet_dns_name_resolve(virsh_t) + -tunable_policy(`virt_use_fusefs',` - fs_manage_fusefs_dirs(virsh_t) - fs_manage_fusefs_files(virsh_t) - fs_read_fusefs_symlinks(virsh_t) -') -+sysnet_dns_name_resolve(virsh_t) ++userdom_stream_connect(virsh_t) tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) -@@ -847,14 +933,20 @@ optional_policy(` +@@ -847,14 +972,20 @@ optional_policy(` ') optional_policy(` @@ -95674,7 +102304,7 @@ index 1f22fba..15485c6 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -879,49 +971,65 @@ optional_policy(` +@@ -879,49 +1010,65 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) @@ -95714,7 +102344,7 @@ index 1f22fba..15485c6 100644 manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t) +domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t) -+allow virtd_t virtd_lxc_t:process { getattr signal signull sigkill }; ++allow virtd_t virtd_lxc_t:process { getattr noatsecure signal_perms }; + allow virtd_lxc_t virt_var_run_t:dir search_dir_perms; -manage_dirs_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) @@ -95758,7 +102388,7 @@ index 1f22fba..15485c6 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -933,17 +1041,16 @@ dev_read_urand(virtd_lxc_t) +@@ -933,17 +1080,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -95778,7 +102408,7 @@ index 1f22fba..15485c6 100644 fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -955,8 +1062,23 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -955,8 +1101,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) 
@@ -95802,7 +102432,7 @@ index 1f22fba..15485c6 100644 selinux_get_enforce_mode(virtd_lxc_t) selinux_get_fs_mount(virtd_lxc_t) selinux_validate_context(virtd_lxc_t) -@@ -965,194 +1087,246 @@ selinux_compute_create_context(virtd_lxc_t) +@@ -965,194 +1126,294 @@ selinux_compute_create_context(virtd_lxc_t) selinux_compute_relabel_context(virtd_lxc_t) selinux_compute_user_contexts(virtd_lxc_t) @@ -95829,14 +102459,18 @@ index 1f22fba..15485c6 100644 -seutil_read_config(virtd_lxc_t) -seutil_read_default_contexts(virtd_lxc_t) +optional_policy(` ++ docker_exec_lib(virtd_lxc_t) ++') ++ ++optional_policy(` + gnome_read_generic_cache_files(virtd_lxc_t) +') - --sysnet_domtrans_ifconfig(virtd_lxc_t) ++ +optional_policy(` + setrans_manage_pid_files(virtd_lxc_t) +') -+ + +-sysnet_domtrans_ifconfig(virtd_lxc_t) +optional_policy(` + unconfined_domain(virtd_lxc_t) +') 
@@ -95856,83 +102490,8 @@ index 1f22fba..15485c6 100644 +allow svirt_sandbox_domain self:unix_dgram_socket { sendto create_socket_perms }; +allow svirt_sandbox_domain self:passwd rootok; + -+allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto }; -+allow virtd_t svirt_sandbox_domain:process { signal_perms getattr }; -+allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms }; -+ -+allow svirt_sandbox_domain virtd_lxc_t:process sigchld; -+allow svirt_sandbox_domain virtd_lxc_t:fd use; -+allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; -+ -+manage_dirs_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+allow svirt_sandbox_domain svirt_sandbox_file_t:chr_file setattr; -+rw_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+ -+allow svirt_sandbox_domain svirt_sandbox_file_t:blk_file setattr; -+rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) -+can_exec(svirt_sandbox_domain, svirt_sandbox_file_t) -+allow svirt_sandbox_domain svirt_sandbox_file_t:dir mounton; -+allow svirt_sandbox_domain svirt_sandbox_file_t:filesystem getattr; -+ -+kernel_getattr_proc(svirt_sandbox_domain) -+kernel_list_all_proc(svirt_sandbox_domain) -+kernel_read_all_sysctls(svirt_sandbox_domain) -+kernel_rw_net_sysctls(svirt_sandbox_domain) -+kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain) -+ -+corecmd_exec_all_executables(svirt_sandbox_domain) -+ 
-+files_dontaudit_getattr_all_dirs(svirt_sandbox_domain) -+files_dontaudit_getattr_all_files(svirt_sandbox_domain) -+files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain) -+files_dontaudit_getattr_all_pipes(svirt_sandbox_domain) -+files_dontaudit_getattr_all_sockets(svirt_sandbox_domain) -+files_dontaudit_list_all_mountpoints(svirt_sandbox_domain) -+files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain) -+files_entrypoint_all_files(svirt_sandbox_domain) -+files_list_var(svirt_sandbox_domain) -+files_list_var_lib(svirt_sandbox_domain) -+files_search_all(svirt_sandbox_domain) -+files_read_config_files(svirt_sandbox_domain) -+files_read_usr_symlinks(svirt_sandbox_domain) -+files_search_locks(svirt_sandbox_domain) -+files_dontaudit_unmount_all_mountpoints(svirt_sandbox_domain) -+ -+fs_getattr_all_fs(svirt_sandbox_domain) -+fs_list_inotifyfs(svirt_sandbox_domain) -+fs_rw_inherited_tmpfs_files(svirt_sandbox_domain) -+fs_read_fusefs_files(svirt_sandbox_domain) -+ -+auth_dontaudit_read_passwd(svirt_sandbox_domain) -+auth_dontaudit_read_login_records(svirt_sandbox_domain) -+auth_dontaudit_write_login_records(svirt_sandbox_domain) -+auth_search_pam_console_data(svirt_sandbox_domain) -+ -+clock_read_adjtime(svirt_sandbox_domain) -+ -+init_read_utmp(svirt_sandbox_domain) -+init_dontaudit_write_utmp(svirt_sandbox_domain) -+ -+libs_dontaudit_setattr_lib_files(svirt_sandbox_domain) -+ -+miscfiles_dontaudit_access_check_cert(svirt_sandbox_domain) -+miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_sandbox_domain) -+miscfiles_read_fonts(svirt_sandbox_domain) -+miscfiles_read_hwdata(svirt_sandbox_domain) -+ -+systemd_read_unit_files(svirt_sandbox_domain) -+ -+userdom_use_inherited_user_terminals(svirt_sandbox_domain) -+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) -+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) -+ -+optional_policy(` -+ apache_exec_modules(svirt_sandbox_domain) -+ 
apache_read_sys_content(svirt_sandbox_domain) ++tunable_policy(`deny_ptrace',`',` ++ allow svirt_sandbox_domain self:process ptrace; +') -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; 
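Review bot: The new `deny_ptrace` block grants every svirt_sandbox_domain member `self:process ptrace` whenever the boolean is off, which on a default targeted install I believe is the usual state, and nothing says which container workload needs it. A one-line comment above the block would help the next reader, e.g. `# in-container debuggers (strace/gdb) need ptrace inside the sandbox; deny_ptrace turns this off`. The rest of this hunk is a relocation of the svirt_sandbox_domain rules that reappear in a later hunk, so the ptrace grant is the only new behaviour here.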
@@ -96017,23 +102576,122 @@ index 1f22fba..15485c6 100644 -miscfiles_read_fonts(svirt_lxc_domain) - -mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) -+optional_policy(` -+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) -+') ++allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto }; ++allow virtd_t svirt_sandbox_domain:process { signal_perms getattr }; ++allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms }; ++ ++allow svirt_sandbox_domain virtd_lxc_t:process sigchld; ++allow svirt_sandbox_domain virtd_lxc_t:fd use; ++allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; ++ ++manage_dirs_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++allow svirt_sandbox_domain svirt_sandbox_file_t:chr_file setattr; ++rw_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++ ++allow svirt_sandbox_domain svirt_sandbox_file_t:blk_file setattr; ++rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++can_exec(svirt_sandbox_domain, svirt_sandbox_file_t) ++allow svirt_sandbox_domain svirt_sandbox_file_t:dir mounton; ++allow svirt_sandbox_domain svirt_sandbox_file_t:filesystem getattr; ++ ++kernel_getattr_proc(svirt_sandbox_domain) ++kernel_list_all_proc(svirt_sandbox_domain) ++kernel_read_all_sysctls(svirt_sandbox_domain) ++kernel_rw_net_sysctls(svirt_sandbox_domain) ++kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain) ++ ++corecmd_exec_all_executables(svirt_sandbox_domain) ++ 
++files_dontaudit_getattr_all_dirs(svirt_sandbox_domain) ++files_dontaudit_getattr_all_files(svirt_sandbox_domain) ++files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain) ++files_dontaudit_getattr_all_pipes(svirt_sandbox_domain) ++files_dontaudit_getattr_all_sockets(svirt_sandbox_domain) ++files_dontaudit_list_all_mountpoints(svirt_sandbox_domain) ++files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain) ++files_entrypoint_all_files(svirt_sandbox_domain) ++files_list_var(svirt_sandbox_domain) ++files_list_var_lib(svirt_sandbox_domain) ++files_search_all(svirt_sandbox_domain) ++files_read_config_files(svirt_sandbox_domain) ++files_read_usr_symlinks(svirt_sandbox_domain) ++files_search_locks(svirt_sandbox_domain) ++files_dontaudit_unmount_all_mountpoints(svirt_sandbox_domain) ++ ++fs_getattr_all_fs(svirt_sandbox_domain) ++fs_list_inotifyfs(svirt_sandbox_domain) ++fs_rw_inherited_tmpfs_files(svirt_sandbox_domain) ++fs_read_fusefs_files(svirt_sandbox_domain) ++ ++auth_dontaudit_read_passwd(svirt_sandbox_domain) ++auth_dontaudit_read_login_records(svirt_sandbox_domain) ++auth_dontaudit_write_login_records(svirt_sandbox_domain) ++auth_search_pam_console_data(svirt_sandbox_domain) ++ ++clock_read_adjtime(svirt_sandbox_domain) ++ ++init_read_utmp(svirt_sandbox_domain) ++init_dontaudit_write_utmp(svirt_sandbox_domain) ++ ++libs_dontaudit_setattr_lib_files(svirt_sandbox_domain) ++ ++miscfiles_dontaudit_access_check_cert(svirt_sandbox_domain) ++miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_sandbox_domain) ++miscfiles_read_fonts(svirt_sandbox_domain) ++miscfiles_read_hwdata(svirt_sandbox_domain) ++ ++systemd_read_unit_files(svirt_sandbox_domain) ++ ++userdom_use_inherited_user_terminals(svirt_sandbox_domain) ++userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) ++userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) optional_policy(` - udev_read_pid_files(svirt_lxc_domain) -+ ssh_use_ptys(svirt_sandbox_domain) ++ 
apache_exec_modules(svirt_sandbox_domain) ++ apache_read_sys_content(svirt_sandbox_domain) ') optional_policy(` - apache_exec_modules(svirt_lxc_domain) - apache_read_sys_content(svirt_lxc_domain) ++ docker_manage_lib_files(svirt_lxc_net_t) ++ docker_manage_lib_dirs(svirt_lxc_net_t) ++ docker_read_share_files(svirt_sandbox_domain) ++ docker_lib_filetrans(svirt_sandbox_domain,svirt_sandbox_file_t, sock_file) ++ docker_use_ptys(svirt_sandbox_domain) ++') ++ ++optional_policy(` ++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) ++') ++ ++optional_policy(` ++ ssh_use_ptys(svirt_sandbox_domain) ++') ++ ++optional_policy(` + udev_read_pid_files(svirt_sandbox_domain) +') + +optional_policy(` + userhelper_dontaudit_write_config(svirt_sandbox_domain) ++') ++ ++tunable_policy(`virt_use_nfs',` ++ fs_manage_nfs_dirs(svirt_sandbox_domain) ++ fs_manage_nfs_files(svirt_sandbox_domain) ++ fs_read_nfs_symlinks(svirt_sandbox_domain) ++') ++ ++tunable_policy(`virt_use_samba',` ++ fs_manage_nfs_files(svirt_sandbox_domain) ++ fs_manage_cifs_files(svirt_sandbox_domain) ++ fs_read_cifs_symlinks(svirt_sandbox_domain) ') ######################################## @@ -96045,7 +102703,7 @@ index 1f22fba..15485c6 100644 +typeattribute svirt_lxc_net_t sandbox_net_domain; -allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap }; -+allow svirt_lxc_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap }; ++allow svirt_lxc_net_t self:capability { kill setuid setgid setfcap sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_nice sys_ptrace sys_resource setpcap }; dontaudit svirt_lxc_net_t self:capability2 block_suspend; -allow svirt_lxc_net_t self:process setrlimit; -allow svirt_lxc_net_t self:tcp_socket { accept listen }; 
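Review bot: The new `virt_use_samba` block grants `fs_manage_nfs_files(svirt_sandbox_domain)` alongside the cifs rules, which looks like a copy-paste slip from the `virt_use_nfs` block directly above it: turning on the Samba boolean would silently extend NFS write access, while cifs directories stay unmanageable. The line should presumably be `fs_manage_cifs_dirs(svirt_sandbox_domain)` so the two blocks mirror each other. In the docker `optional_policy` block, `docker_manage_lib_files`/`docker_manage_lib_dirs` target svirt_lxc_net_t while the other four calls target svirt_sandbox_domain, and the block sits in the svirt_sandbox_domain section before the svirt_lxc_net_t header; moving those two lines under that header (and adding the missing space in `docker_lib_filetrans(svirt_sandbox_domain, svirt_sandbox_file_t, sock_file)`) would keep per-domain rules together.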
@@ -96053,15 +102711,18 @@ index 1f22fba..15485c6 100644 -allow svirt_lxc_net_t self:packet_socket create_socket_perms; -allow svirt_lxc_net_t self:socket create_socket_perms; -allow svirt_lxc_net_t self:rawip_socket create_socket_perms; -+allow svirt_lxc_net_t self:process { execstack execmem }; - allow svirt_lxc_net_t self:netlink_socket create_socket_perms; +-allow svirt_lxc_net_t self:netlink_socket create_socket_perms; -allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms; -+allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; - allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms; - +-allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms; +- -kernel_read_network_state(svirt_lxc_net_t) -kernel_read_irq_sysctls(svirt_lxc_net_t) -- ++allow svirt_lxc_net_t self:process { execstack execmem }; ++ ++tunable_policy(`virt_sandbox_use_sys_admin',` ++ allow svirt_lxc_net_t self:capability sys_admin; ++') + -corenet_all_recvfrom_unlabeled(svirt_lxc_net_t) -corenet_all_recvfrom_netlabel(svirt_lxc_net_t) -corenet_tcp_sendrecv_generic_if(svirt_lxc_net_t) 
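Review bot: `sys_admin` is taken out of svirt_lxc_net_t's unconditional capability set and put behind the new `virt_sandbox_use_sys_admin` boolean, but the sibling sandbox_net_domain types keep it unconditionally: svirt_qemu_net_t (hunk @@ -96123,9 +102795,12 @@) and svirt_kvm_net_t (hunk @@ -96348,9 +103035,12 @@) both still carry `sys_admin` in their base `self:capability` line, which this commit leaves as context. Unless that asymmetry is intended, those two lines should drop `sys_admin` and gain the same `tunable_policy(`virt_sandbox_use_sys_admin',` block, otherwise the boolean only constrains one of the three container domains. The new `setfcap` in the lxc set is also unexplained; a short comment naming the workload that needs to set file capabilities would help.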
@@ -96072,13 +102733,20 @@ index 1f22fba..15485c6 100644 -corenet_udp_sendrecv_all_ports(svirt_lxc_net_t) -corenet_tcp_bind_generic_node(svirt_lxc_net_t) -corenet_udp_bind_generic_node(svirt_lxc_net_t) -+allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms; -+allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms; ++tunable_policy(`virt_sandbox_use_netlink',` ++ allow svirt_lxc_net_t self:netlink_socket create_socket_perms; ++ allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; ++ allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms; ++', ` ++ logging_dontaudit_send_audit_msgs(svirt_lxc_net_t) ++') -corenet_sendrecv_all_server_packets(svirt_lxc_net_t) -corenet_udp_bind_all_ports(svirt_lxc_net_t) -corenet_tcp_bind_all_ports(svirt_lxc_net_t) -- ++allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms; ++allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms; + -corenet_sendrecv_all_client_packets(svirt_lxc_net_t) -corenet_tcp_connect_all_ports(svirt_lxc_net_t) +kernel_read_irq_sysctls(svirt_lxc_net_t) @@ -96101,17 +102769,21 @@ index 1f22fba..15485c6 100644 auth_use_nsswitch(svirt_lxc_net_t) +-logging_send_audit_msgs(svirt_lxc_net_t) +rpm_read_db(svirt_lxc_net_t) -+ - logging_send_audit_msgs(svirt_lxc_net_t) - userdom_use_user_ptys(svirt_lxc_net_t) +-userdom_use_user_ptys(svirt_lxc_net_t) ++logging_send_syslog_msg(svirt_lxc_net_t) -optional_policy(` - rpm_read_db(svirt_lxc_net_t) --') -- ++tunable_policy(`virt_sandbox_use_audit',` ++ logging_send_audit_msgs(svirt_lxc_net_t) + ') + -####################################### ++userdom_use_user_ptys(svirt_lxc_net_t) ++ +######################################## # -# Prot exec local policy 
@@ -96123,9 +102795,12 @@ index 1f22fba..15485c6 100644 +allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap }; +dontaudit svirt_qemu_net_t self:capability2 block_suspend; +allow svirt_qemu_net_t self:process { execstack execmem }; -+allow svirt_qemu_net_t self:netlink_socket create_socket_perms; -+allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; -+allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms; ++ ++tunable_policy(`virt_sandbox_use_netlink',` ++ allow svirt_qemu_net_t self:netlink_socket create_socket_perms; ++ allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; ++ allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms; ++') + +manage_dirs_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) +manage_files_pattern(sandbox_net_domain, svirt_home_t, svirt_home_t) @@ -96147,8 +102822,7 @@ index 1f22fba..15485c6 100644 +append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t) + +kernel_read_irq_sysctls(svirt_qemu_net_t) - --allow svirt_prot_exec_t self:process { execmem execstack }; ++ +dev_read_sysfs(svirt_qemu_net_t) +dev_getattr_mtrr_dev(svirt_qemu_net_t) +dev_read_rand(svirt_qemu_net_t) @@ -96162,12 +102836,17 @@ index 1f22fba..15485c6 100644 +fs_manage_cgroup_files(svirt_qemu_net_t) + +term_pty(svirt_sandbox_file_t) -+ + +-allow svirt_prot_exec_t self:process { execmem execstack }; +auth_use_nsswitch(svirt_qemu_net_t) + +rpm_read_db(svirt_qemu_net_t) + -+logging_send_audit_msgs(svirt_qemu_net_t) ++logging_send_syslog_msg(svirt_qemu_net_t) ++ ++tunable_policy(`virt_sandbox_use_audit',` ++ logging_send_audit_msgs(svirt_qemu_net_t) ++') + +userdom_use_user_ptys(svirt_qemu_net_t) 
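Review bot: The `virt_sandbox_use_netlink` block added for svirt_qemu_net_t has no else branch, whereas the same block for svirt_lxc_net_t (hunk @@ -96072,13 +102733,20 @@) pairs the denial with `logging_dontaudit_send_audit_msgs`; the svirt_kvm_net_t copy in a later hunk matches this one. With the boolean off, qemu-net sandboxes will therefore log the audit-socket denials that lxc-net sandboxes suppress. If that difference is unintended, add `', ` logging_dontaudit_send_audit_msgs(svirt_qemu_net_t)` before the closing `')` here and in the kvm block; if it is intended, a comment saying so would stop the next person from "fixing" it.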
@@ -96185,7 +102864,7 @@ index 1f22fba..15485c6 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1339,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1426,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -96200,7 +102879,7 @@ index 1f22fba..15485c6 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1357,8 @@ optional_policy(` +@@ -1183,9 +1444,8 @@ optional_policy(` ######################################## # @@ -96211,7 +102890,7 @@ index 1f22fba..15485c6 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1371,193 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1458,218 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -96224,7 +102903,7 @@ index 1f22fba..15485c6 100644 +# virt_qemu_ga local policy +# + -+allow virt_qemu_ga_t self:capability { sys_admin sys_tty_config }; ++allow virt_qemu_ga_t self:capability { sys_admin sys_time sys_tty_config }; + +allow virt_qemu_ga_t self:fifo_file rw_fifo_file_perms; +allow virt_qemu_ga_t self:unix_stream_socket create_stream_socket_perms; @@ -96252,7 +102931,10 @@ index 1f22fba..15485c6 100644 +corecmd_exec_shell(virt_qemu_ga_t) +corecmd_exec_bin(virt_qemu_ga_t) + ++clock_read_adjtime(virt_qemu_ga_t) ++ +dev_rw_sysfs(virt_qemu_ga_t) ++dev_rw_realtime_clock(virt_qemu_ga_t) + +files_list_all_mountpoints(virt_qemu_ga_t) +files_write_all_mountpoints(virt_qemu_ga_t) @@ -96265,6 +102947,7 @@ index 1f22fba..15485c6 100644 +term_use_unallocated_ttys(virt_qemu_ga_t) + +logging_send_syslog_msg(virt_qemu_ga_t) ++logging_send_audit_msgs(virt_qemu_ga_t) + +sysnet_dns_name_resolve(virt_qemu_ga_t) + 
@@ -96278,6 +102961,10 @@ index 1f22fba..15485c6 100644 +') + +optional_policy(` ++ clock_domtrans(virt_qemu_ga_t) ++') ++ ++optional_policy(` + dbus_system_bus_client(virt_qemu_ga_t) +') + @@ -96348,9 +103035,12 @@ index 1f22fba..15485c6 100644 + +allow svirt_kvm_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap }; +dontaudit svirt_kvm_net_t self:capability2 block_suspend; -+allow svirt_kvm_net_t self:netlink_socket create_socket_perms; -+allow svirt_kvm_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; -+allow svirt_kvm_net_t self:netlink_kobject_uevent_socket create_socket_perms; ++ ++tunable_policy(`virt_sandbox_use_netlink',` ++ allow svirt_kvm_net_t self:netlink_socket create_socket_perms; ++ allow svirt_kvm_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; ++ allow svirt_kvm_net_t self:netlink_kobject_uevent_socket create_socket_perms; ++') + +term_use_generic_ptys(svirt_kvm_net_t) +term_use_ptmx(svirt_kvm_net_t) @@ -96385,7 +103075,11 @@ index 1f22fba..15485c6 100644 + +rpm_read_db(svirt_kvm_net_t) + -+logging_send_audit_msgs(svirt_kvm_net_t) ++logging_send_syslog_msg(svirt_kvm_net_t) ++ ++tunable_policy(`virt_sandbox_use_audit',` ++ logging_send_audit_msgs(svirt_kvm_net_t) ++') + +userdom_use_user_ptys(svirt_kvm_net_t) + @@ -96407,6 +103101,16 @@ index 1f22fba..15485c6 100644 +corenet_udp_bind_all_ports(sandbox_net_domain) +corenet_tcp_bind_all_ports(sandbox_net_domain) +corenet_tcp_connect_all_ports(sandbox_net_domain) ++ ++optional_policy(` ++ sssd_stream_connect(sandbox_net_domain) ++') ++ ++optional_policy(` ++ systemd_dbus_chat_logind(sandbox_net_domain) ++') ++ ++ diff --git a/vlock.te b/vlock.te index 9ead775..b5285e7 100644 --- a/vlock.te 
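Review bot: `systemd_dbus_chat_logind(sandbox_net_domain)` gives every networked sandbox (the lxc, qemu and kvm net domains) two-way D-Bus access to logind without a comment on which container use case needs it; logind exposes session and power-management methods, and although polkit still gates the privileged ones as far as I know, a grant this broad on a container attribute is one a later reviewer will want a reason for, e.g. `# containers hosting a desktop session need to talk to logind`. The adjacent `sssd_stream_connect(sandbox_net_domain)` is the narrower kind of grant and needs no such note. The two trailing `+` blank lines at the end of this section leave a double blank line before the vlock.te diff.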
@@ -96421,6 +103125,247 @@ index 9ead775..b5285e7 100644 userdom_dontaudit_search_user_home_dirs(vlock_t) -userdom_use_user_terminals(vlock_t) +userdom_use_inherited_user_terminals(vlock_t) +diff --git a/vmtools.fc b/vmtools.fc +new file mode 100644 +index 0000000..c5deffb +--- /dev/null ++++ b/vmtools.fc +@@ -0,0 +1,5 @@ ++/usr/bin/vmtoolsd -- gen_context(system_u:object_r:vmtools_exec_t,s0) ++ ++/usr/bin/vmware-user-suid-wrapper -- gen_context(system_u:object_r:vmtools_helper_exec_t,s0) ++ ++/usr/lib/systemd/system/vmtoolsd.* -- gen_context(system_u:object_r:vmtools_unit_file_t,s0) +diff --git a/vmtools.if b/vmtools.if +new file mode 100644 +index 0000000..7933d80 +--- /dev/null ++++ b/vmtools.if +@@ -0,0 +1,122 @@ ++## VMware Tools daemon ++ ++######################################## ++## ++## Execute vmtools in the vmtools domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`vmtools_domtrans',` ++ gen_require(` ++ type vmtools_t, vmtools_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, vmtools_exec_t, vmtools_t) ++') ++ ++######################################## ++## ++## Execute vmtools in the vmtools domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`vmtools_domtrans_helper',` ++ gen_require(` ++ type vmtools_helper_t, vmtools_helper_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, vmtools_helper_exec_t, vmtools_helper_t) ++') ++ ++######################################## ++## ++## Execute vmtools helpers in the vmtools_heler domain. ++## ++## ++## ++## Domain allowed access ++## ++## ++## ++## ++## The role to be allowed the mozilla_plugin domain. ++## ++## ++# ++interface(`vmtools_run_helper',` ++ gen_require(` ++ attribute_role vmtools_helper_roles; ++ ') ++ ++ vmtools_domtrans_helper($1) ++ roleattribute $2 vmtools_helper_roles; ++') ++ ++######################################## ++## ++## Execute vmtools server in the vmtools domain. 
++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`vmtools_systemctl',` ++ gen_require(` ++ type vmtools_t; ++ type vmtools_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 vmtools_unit_file_t:file read_file_perms; ++ allow $1 vmtools_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, vmtools_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an vmtools environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`vmtools_admin',` ++ gen_require(` ++ type vmtools_t; ++ type vmtools_unit_file_t; ++ ') ++ ++ allow $1 vmtools_t:process { signal_perms }; ++ ps_process_pattern($1, vmtools_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 vmtools_t:process ptrace; ++ ') ++ ++ vmtools_systemctl($1) ++ admin_pattern($1, vmtools_unit_file_t) ++ allow $1 vmtools_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/vmtools.te b/vmtools.te +new file mode 100644 +index 0000000..1928ad9 +--- /dev/null ++++ b/vmtools.te +@@ -0,0 +1,96 @@ ++policy_module(vmtools, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++attribute_role vmtools_helper_roles; ++ ++roleattribute system_r vmtools_helper_roles; ++ ++type vmtools_t; ++type vmtools_exec_t; ++init_daemon_domain(vmtools_t, vmtools_exec_t) ++role vmtools_helper_roles types vmtools_t; ++ ++type vmtools_helper_t; ++type vmtools_helper_exec_t; ++application_domain(vmtools_helper_t, vmtools_helper_exec_t) ++domain_system_change_exemption(vmtools_helper_t) ++role vmtools_helper_roles types vmtools_helper_t; ++ ++type vmtools_unit_file_t; ++systemd_unit_file(vmtools_unit_file_t) ++ ++type vmtools_tmp_t; ++files_tmp_file(vmtools_tmp_t) ++ ++######################################## ++# ++# vmtools local policy 
++# ++ ++allow vmtools_t self:capability { sys_time sys_rawio }; ++allow vmtools_t self:fifo_file rw_fifo_file_perms; ++allow vmtools_t self:unix_stream_socket create_stream_socket_perms; ++allow vmtools_t self:unix_dgram_socket create_socket_perms; ++ ++manage_dirs_pattern(vmtools_t, vmtools_tmp_t, vmtools_tmp_t) ++manage_files_pattern(vmtools_t, vmtools_tmp_t, vmtools_tmp_t) ++manage_lnk_files_pattern(vmtools_t, vmtools_tmp_t, vmtools_tmp_t) ++files_tmp_filetrans(vmtools_t, vmtools_tmp_t, { file dir }) ++ ++kernel_read_system_state(vmtools_t) ++kernel_read_network_state(vmtools_t) ++ ++corecmd_exec_bin(vmtools_t) ++corecmd_exec_shell(vmtools_t) ++ ++dev_read_urand(vmtools_t) ++dev_getattr_all_blk_files(vmtools_t) ++ ++fs_getattr_all_fs(vmtools_t) ++ ++auth_use_nsswitch(vmtools_t) ++ ++#shutdown ++init_rw_utmp(vmtools_t) ++init_stream_connect(vmtools_t) ++init_telinit(vmtools_t) ++ ++logging_send_syslog_msg(vmtools_t) ++ ++systemd_exec_systemctl(vmtools_t) ++ ++sysnet_domtrans_ifconfig(vmtools_t) ++ ++xserver_stream_connect_xdm(vmtools_t) ++xserver_stream_connect(vmtools_t) ++ ++optional_policy(` ++ networkmanager_dbus_chat(vmtools_t) ++') ++ ++optional_policy(` ++ unconfined_domain(vmtools_t) ++') ++ ++######################################## ++# ++# vmtools-helper local policy ++# ++ ++domtrans_pattern(vmtools_helper_t, vmtools_exec_t, vmtools_t) ++can_exec(vmtools_helper_t, vmtools_helper_exec_t) ++ ++corecmd_exec_bin(vmtools_helper_t) ++ ++userdom_stream_connect(vmtools_helper_t) ++userdom_use_inherited_user_ttys(vmtools_helper_t) ++userdom_use_inherited_user_ptys(vmtools_helper_t) ++ ++optional_policy(` ++ unconfined_domain(vmtools_helper_t) ++') ++ diff --git a/vmware.if b/vmware.if index 20a1fb2..470ea95 100644 --- a/vmware.if @@ -96710,7 +103655,7 @@ index 7a7f342..afedcba 100644 ## ## diff --git a/vpn.te b/vpn.te -index 9329eae..824e86f 100644 +index 9329eae..38a4bf3 100644 --- a/vpn.te +++ b/vpn.te @@ -1,4 +1,4 @@ 
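Review bot: `unconfined_domain(vmtools_t)` and `unconfined_domain(vmtools_helper_t)`, each inside an `optional_policy` block in the new vmtools.te, make both domains effectively unconfined wherever the unconfined module is loaded, so the carefully enumerated rules above them (tmp files, telinit, the ifconfig transition, the X server connects) only take effect on installs without it. If that is a deliberate first cut, a comment such as `# TODO: drop once the domain has been exercised in enforcing mode` above each block would record the intent; otherwise the two blocks should go. In the new vmtools.if, the summaries of `vmtools_domtrans` and `vmtools_domtrans_helper` both say "domin", `vmtools_run_helper` says "vmtools_heler domain" and describes its role parameter as "the mozilla_plugin domain", which reads as a copy-paste leftover and should name the vmtools_helper domain. The `vmtools_admin` summary also reads "an vmtools environment".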
@@ -96820,14 +103765,38 @@ index 9329eae..824e86f 100644 optional_policy(` dbus_system_bus_client(vpnc_t) -@@ -125,7 +122,3 @@ optional_policy(` +@@ -124,8 +121,5 @@ optional_policy(` + optional_policy(` networkmanager_attach_tun_iface(vpnc_t) - ') +-') - -optional_policy(` - seutil_use_newrole_fds(vpnc_t) --') ++ networkmanager_manage_pid_files(vpnc_t) + ') +diff --git a/w3c.te b/w3c.te +index bcb76b6..d3cf4a8 100644 +--- a/w3c.te ++++ b/w3c.te +@@ -7,10 +7,17 @@ policy_module(w3c, 1.0.1) + + apache_content_template(w3c_validator) + ++type httpd_w3c_validator_tmp_t; ++files_tmp_file(httpd_w3c_validator_tmp_t) ++ + ######################################## + # + # Local policy + # ++manage_dirs_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t) ++manage_files_pattern(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, httpd_w3c_validator_tmp_t) ++files_tmp_filetrans(httpd_w3c_validator_script_t, httpd_w3c_validator_tmp_t, { file dir }) ++ + + corenet_all_recvfrom_unlabeled(httpd_w3c_validator_script_t) + corenet_all_recvfrom_netlabel(httpd_w3c_validator_script_t) diff --git a/watchdog.fc b/watchdog.fc index eecd0e0..8df2e8c 100644 --- a/watchdog.fc @@ -96846,10 +103815,10 @@ index eecd0e0..8df2e8c 100644 /var/run/watchdog\.pid -- gen_context(system_u:object_r:watchdog_var_run_t,s0) diff --git a/watchdog.te b/watchdog.te -index 29f79e8..45b3926 100644 +index 29f79e8..026b259 100644 --- a/watchdog.te +++ b/watchdog.te -@@ -12,12 +12,18 @@ init_daemon_domain(watchdog_t, watchdog_exec_t) +@@ -12,29 +12,41 @@ init_daemon_domain(watchdog_t, watchdog_exec_t) type watchdog_initrc_exec_t; init_script_file(watchdog_initrc_exec_t) 
@@ -96868,9 +103837,15 @@ index 29f79e8..45b3926 100644 ######################################## # # Local policy -@@ -29,8 +35,12 @@ allow watchdog_t self:process { setsched signal_perms }; + # + +-allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource }; ++allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource net_raw }; + dontaudit watchdog_t self:capability sys_tty_config; + allow watchdog_t self:process { setsched signal_perms }; allow watchdog_t self:fifo_file rw_fifo_file_perms; allow watchdog_t self:tcp_socket { accept listen }; ++allow watchdog_t self:rawip_socket create_socket_perms; -allow watchdog_t watchdog_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(watchdog_t, watchdog_log_t, file) @@ -96883,7 +103858,12 @@ index 29f79e8..45b3926 100644 manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t) files_pid_filetrans(watchdog_t, watchdog_var_run_t, file) -@@ -63,7 +73,6 @@ domain_signull_all_domains(watchdog_t) + ++kernel_read_network_state(watchdog_t) + kernel_read_system_state(watchdog_t) + kernel_read_kernel_sysctls(watchdog_t) + kernel_unmount_proc(watchdog_t) +@@ -63,7 +75,6 @@ domain_signull_all_domains(watchdog_t) domain_signal_all_domains(watchdog_t) domain_kill_all_domains(watchdog_t) @@ -96891,7 +103871,11 @@ index 29f79e8..45b3926 100644 files_manage_etc_runtime_files(watchdog_t) files_etc_filetrans_etc_runtime(watchdog_t, file) -@@ -75,8 +84,6 @@ auth_append_login_records(watchdog_t) +@@ -72,11 +83,10 @@ fs_getattr_all_fs(watchdog_t) + fs_search_auto_mountpoints(watchdog_t) + + auth_append_login_records(watchdog_t) ++auth_read_passwd(watchdog_t) logging_send_syslog_msg(watchdog_t) 
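Review bot: The added `net_raw` capability and `allow watchdog_t self:rawip_socket create_socket_perms;` carry no comment saying which watchdog check needs raw IP sockets; presumably the ping test, but the hunk does not say, and net_raw is a capability worth justifying in place. A comment above the allow line, e.g. `# net_raw + rawip_socket: ICMP echo for the ping check (assumed, confirm)`, would document the grant, and the companion `kernel_read_network_state(watchdog_t)` added two hunks later presumably belongs to the same feature and could be noted alongside it. The watchdog_t local-policy block starts before this hunk and continues past it.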
@@ -96900,7 +103884,7 @@ index 29f79e8..45b3926 100644 sysnet_dns_name_resolve(watchdog_t) userdom_dontaudit_use_unpriv_user_fds(watchdog_t) -@@ -97,3 +104,28 @@ optional_policy(` +@@ -97,3 +107,28 @@ optional_policy(` optional_policy(` udev_read_db(watchdog_t) ') @@ -97195,7 +104179,7 @@ index cdca8c7..3c09628 100644 manage_files_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t) ') diff --git a/wine.if b/wine.if -index fd2b6cc..52a2e72 100644 +index fd2b6cc..938c4a7 100644 --- a/wine.if +++ b/wine.if @@ -1,46 +1,57 @@ @@ -97344,8 +104328,31 @@ index fd2b6cc..52a2e72 100644 ') ######################################## +@@ -165,3 +169,22 @@ interface(`wine_rw_shm',` + + allow $1 wine_t:shm rw_shm_perms; + ') ++ ++######################################## ++## ++## Transition to wine named content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`wine_filetrans_named_content',` ++ gen_require(` ++ type wine_home_t; ++ ') ++ ++ userdom_user_home_dir_filetrans($1, wine_home_t, dir, ".wine") ++') ++ diff --git a/wine.te b/wine.te -index b51923c..8e47110 100644 +index b51923c..4906ce0 100644 --- a/wine.te +++ b/wine.te @@ -14,10 +14,11 @@ policy_module(wine, 1.10.1) @@ -97361,7 +104368,7 @@ index b51923c..8e47110 100644 type wine_exec_t; userdom_user_application_domain(wine_t, wine_exec_t) role wine_roles types wine_t; -@@ -25,56 +26,57 @@ role wine_roles types wine_t; +@@ -25,56 +26,58 @@ role wine_roles types wine_t; type wine_home_t; userdom_user_home_content(wine_home_t) 
@@ -97373,34 +104380,34 @@ index b51923c..8e47110 100644 # Local policy # +domain_mmap_low(wine_t) -+ -+optional_policy(` -+ unconfined_domain(wine_t) -+') -allow wine_t self:process { execstack execmem execheap }; -allow wine_t self:fifo_file manage_fifo_file_perms; ++optional_policy(` ++ unconfined_domain(wine_t) ++') -can_exec(wine_t, wine_exec_t) + +-userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine") +######################################## +# +# Common wine domain policy +# --userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine") -+allow wine_domain self:process { execstack execmem execheap }; -+allow wine_domain self:fifo_file manage_fifo_file_perms; - -manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t) -manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t) -files_tmp_filetrans(wine_t, wine_tmp_t, { file dir }) -+can_exec(wine_domain, wine_exec_t) ++allow wine_domain self:process { execstack execmem execheap }; ++allow wine_domain self:fifo_file manage_fifo_file_perms; -domain_mmap_low(wine_t) ++can_exec(wine_domain, wine_exec_t) ++ +manage_files_pattern(wine_domain, wine_home_t, wine_home_t) +manage_dirs_pattern(wine_domain, wine_home_t, wine_home_t) -+userdom_user_home_dir_filetrans(wine_domain, wine_home_t, dir, ".wine") +userdom_tmpfs_filetrans(wine_domain, file) ++wine_filetrans_named_content(wine_domain) -files_execmod_all_files(wine_t) +files_execmod_all_files(wine_domain) @@ -97430,19 +104437,19 @@ index b51923c..8e47110 100644 optional_policy(` - rtkit_scheduled(wine_t) --') -- --optional_policy(` -- unconfined_domain(wine_t) + rtkit_scheduled(wine_domain) ') optional_policy(` -- xserver_read_xdm_pid(wine_t) -- xserver_rw_shm(wine_t) +- unconfined_domain(wine_t) + xserver_read_xdm_pid(wine_domain) + xserver_rw_shm(wine_domain) ') + +-optional_policy(` +- xserver_read_xdm_pid(wine_t) +- xserver_rw_shm(wine_t) +-') diff --git a/wireshark.te b/wireshark.te index cf5cab6..a2d910f 100644 --- a/wireshark.te 
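Review bot: `domain_mmap_low(wine_t)` is the one rule in this block left keyed to `wine_t` while every other rule is rewritten against the `wine_domain` attribute (`allow wine_domain self:process { execstack execmem execheap }`, `can_exec(wine_domain, wine_exec_t)`, `files_execmod_all_files(wine_domain)`), so any other member of `wine_domain` will not get low-address mapping. The attribute is declared outside this hunk, so I cannot tell whether that is deliberate. If it is, a comment such as `# low mmap is intentionally limited to wine_t, not the whole wine_domain attribute` would keep the next reader from "fixing" it; if not, the line should read `domain_mmap_low(wine_domain)`. The wine.te local-policy block starts before this hunk.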
@@ -98800,7 +105807,7 @@ index 0cea2cd..7668014 100644 userdom_dontaudit_use_unpriv_user_fds(xfs_t) diff --git a/xguest.te b/xguest.te -index 2882821..8cf4841 100644 +index 2882821..0f1f514 100644 --- a/xguest.te +++ b/xguest.te @@ -1,4 +1,4 @@ @@ -98911,18 +105918,26 @@ index 2882821..8cf4841 100644 ') ') -@@ -84,12 +97,17 @@ optional_policy(` +@@ -84,12 +97,25 @@ optional_policy(` ') ') + optional_policy(` - apache_role(xguest_r, xguest_t) ++ abrt_dontaudit_read_config(xguest_t) ++') ++ ++optional_policy(` + colord_dbus_chat(xguest_t) +') + +optional_policy(` + chrome_role(xguest_r, xguest_t) ++') ++ ++optional_policy(` ++ thumb_role(xguest_r, xguest_t) ') optional_policy(` @@ -98931,7 +105946,7 @@ index 2882821..8cf4841 100644 ') optional_policy(` -@@ -97,75 +115,82 @@ optional_policy(` +@@ -97,75 +123,82 @@ optional_policy(` ') optional_policy(` @@ -98949,7 +105964,7 @@ index 2882821..8cf4841 100644 - kernel_read_network_state(xguest_t) + mozilla_run_plugin(xguest_t, xguest_r) +') - ++ +optional_policy(` + mount_run_fusermount(xguest_t, xguest_r) +') @@ -98958,7 +105973,7 @@ index 2882821..8cf4841 100644 + pcscd_read_pid_files(xguest_t) + pcscd_stream_connect(xguest_t) +') -+ + +optional_policy(` + rhsmcertd_dontaudit_dbus_chat(xguest_t) +') @@ -99131,10 +106146,10 @@ index d837e88..910aeec 100644 userdom_search_user_home_dirs(yam_t) diff --git a/zabbix.fc b/zabbix.fc -index ce10cb1..3181728 100644 +index ce10cb1..38b143f 100644 --- a/zabbix.fc +++ b/zabbix.fc -@@ -4,11 +4,15 @@ +@@ -4,12 +4,17 @@ /usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0) /usr/bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0) 
@@ -99149,8 +106164,10 @@ index ce10cb1..3181728 100644 +/usr/sbin/zabbix_proxy_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0) +/usr/sbin/zabbix_proxy_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0) ++/var/lib/zabbixsrv(/.*)? gen_context(system_u:object_r:zabbix_var_lib_t,s0) /var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0) + /var/run/zabbix(/.*)? gen_context(system_u:object_r:zabbix_var_run_t,s0) diff --git a/zabbix.if b/zabbix.if index dd63de0..38ce620 100644 --- a/zabbix.if @@ -99314,10 +106331,10 @@ index dd63de0..38ce620 100644 - admin_pattern($1, zabbix_tmpfs_t) ') diff --git a/zabbix.te b/zabbix.te -index 46e4cd3..79317e6 100644 +index 46e4cd3..614e66c 100644 --- a/zabbix.te +++ b/zabbix.te -@@ -6,21 +6,23 @@ policy_module(zabbix, 1.5.3) +@@ -6,27 +6,32 @@ policy_module(zabbix, 1.5.3) # ## @@ -99344,7 +106361,24 @@ index 46e4cd3..79317e6 100644 type zabbix_agent_exec_t; init_daemon_domain(zabbix_agent_t, zabbix_agent_exec_t) -@@ -41,22 +43,40 @@ files_pid_file(zabbix_var_run_t) + type zabbix_agent_initrc_exec_t; + init_script_file(zabbix_agent_initrc_exec_t) + ++type zabbixd_var_lib_t; ++files_type(zabbixd_var_lib_t) ++ + type zabbix_log_t; + logging_log_file(zabbix_log_t) + +@@ -36,27 +41,53 @@ files_tmp_file(zabbix_tmp_t) + type zabbix_tmpfs_t; + files_tmpfs_file(zabbix_tmpfs_t) + ++type zabbix_var_lib_t; ++files_type(zabbix_var_lib_t) ++ + type zabbix_var_run_t; + files_pid_file(zabbix_var_run_t) ######################################## # 
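Review bot: `type zabbixd_var_lib_t; files_type(zabbixd_var_lib_t)` in the zabbix.te hunk declares a second var_lib type that nothing on this page references: zabbix.fc labels `/var/lib/zabbixsrv(/.*)?` as `zabbix_var_lib_t`, and the manage rules and `files_var_lib_filetrans(zabbix_t, zabbix_var_lib_t, dir, "zabbixsrv")` in the later hunks use that type as well. It looks like a leftover from a rename, and an unreferenced type still ends up in the compiled module. Unless a rule outside this view uses it, the two `zabbixd_var_lib_t` lines should be dropped.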
@@ -99390,6 +106424,11 @@ index 46e4cd3..79317e6 100644 -create_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) -setattr_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) -logging_log_filetrans(zabbix_t, zabbix_log_t, file) ++manage_dirs_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t) ++manage_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t) ++manage_lnk_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t) ++files_var_lib_filetrans(zabbix_t, zabbix_var_lib_t, dir, "zabbixsrv") ++ +manage_dirs_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) +manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) +manage_lnk_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t) @@ -99397,7 +106436,7 @@ index 46e4cd3..79317e6 100644 manage_dirs_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t) manage_files_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t) -@@ -70,13 +90,9 @@ manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) +@@ -70,13 +101,9 @@ manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t) files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file }) kernel_read_system_state(zabbix_t) @@ -99411,7 +106450,13 @@ index 46e4cd3..79317e6 100644 corenet_sendrecv_ftp_client_packets(zabbix_t) corenet_tcp_connect_ftp_port(zabbix_t) -@@ -90,17 +106,8 @@ corenet_sendrecv_zabbix_server_packets(zabbix_t) +@@ -85,24 +112,18 @@ corenet_tcp_sendrecv_ftp_port(zabbix_t) + corenet_sendrecv_http_client_packets(zabbix_t) + corenet_tcp_connect_http_port(zabbix_t) + corenet_tcp_sendrecv_http_port(zabbix_t) ++corenet_tcp_connect_smtp_port(zabbix_t) + + corenet_sendrecv_zabbix_server_packets(zabbix_t) corenet_tcp_bind_zabbix_port(zabbix_t) corenet_tcp_sendrecv_zabbix_port(zabbix_t) 
@@ -99428,8 +106473,12 @@ index 46e4cd3..79317e6 100644 - zabbix_agent_tcp_connect(zabbix_t) ++logging_send_syslog_msg(zabbix_t) ++ tunable_policy(`zabbix_can_network',` -@@ -110,12 +117,11 @@ tunable_policy(`zabbix_can_network',` + corenet_sendrecv_all_client_packets(zabbix_t) + corenet_tcp_connect_all_ports(zabbix_t) +@@ -110,12 +131,11 @@ tunable_policy(`zabbix_can_network',` ') optional_policy(` @@ -99444,7 +106493,7 @@ index 46e4cd3..79317e6 100644 ') optional_policy(` -@@ -125,6 +131,7 @@ optional_policy(` +@@ -125,6 +145,7 @@ optional_policy(` optional_policy(` snmp_read_snmp_var_lib_files(zabbix_t) @@ -99452,7 +106501,7 @@ index 46e4cd3..79317e6 100644 ') ######################################## -@@ -132,18 +139,7 @@ optional_policy(` +@@ -132,18 +153,7 @@ optional_policy(` # Agent local policy # @@ -99472,7 +106521,7 @@ index 46e4cd3..79317e6 100644 rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t) fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) -@@ -151,16 +147,12 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) +@@ -151,16 +161,12 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file) manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t) files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file) @@ -99491,7 +106540,13 @@ index 46e4cd3..79317e6 100644 corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t) corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t) -@@ -182,7 +174,6 @@ domain_search_all_domains_state(zabbix_agent_t) +@@ -177,21 +183,28 @@ corenet_tcp_sendrecv_zabbix_port(zabbix_agent_t) + dev_getattr_all_blk_files(zabbix_agent_t) + dev_getattr_all_chr_files(zabbix_agent_t) + +-domain_search_all_domains_state(zabbix_agent_t) ++domain_read_all_domains_state(zabbix_agent_t) + files_getattr_all_dirs(zabbix_agent_t) files_getattr_all_files(zabbix_agent_t) files_read_all_symlinks(zabbix_agent_t) 
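Review bot: `domain_read_all_domains_state(zabbix_agent_t)` replaces `domain_search_all_domains_state`, which widens the agent from searching every domain's /proc entry to reading their state files, and the hunk gives no hint which agent item needs that. This is the kind of broadening that deserves an in-place justification, e.g. `# agent process checks read /proc/<pid> of other domains (confirm which items need this)` above the call, so that a later review can weigh whether a narrower read rule would do. The zabbix_agent_t local-policy block starts before this hunk and continues after it.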
@@ -99499,7 +106554,9 @@ index 46e4cd3..79317e6 100644 fs_getattr_all_fs(zabbix_agent_t) -@@ -190,8 +181,11 @@ init_read_utmp(zabbix_agent_t) ++auth_use_nsswitch(zabbix_agent_t) ++ + init_read_utmp(zabbix_agent_t) logging_search_logs(zabbix_agent_t) @@ -99510,9 +106567,12 @@ index 46e4cd3..79317e6 100644 zabbix_tcp_connect(zabbix_agent_t) + +optional_policy(` -+ hostname_exec(zabbix_agent_t) ++ dmidecode_domtrans(zabbix_agent_t) +') + ++optional_policy(` ++ hostname_exec(zabbix_agent_t) ++') diff --git a/zarafa.fc b/zarafa.fc index faf99ed..44e94fa 100644 --- a/zarafa.fc @@ -99756,7 +106816,7 @@ index 36e32df..3d08962 100644 + manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t) ') diff --git a/zarafa.te b/zarafa.te -index a4479b1..a40d580 100644 +index a4479b1..ffeb7f4 100644 --- a/zarafa.te +++ b/zarafa.te @@ -1,13 +1,18 @@ @@ -99770,7 +106830,7 @@ index a4479b1..a40d580 100644 +## +##

-+## Allow zarafa domains to setrlimit/sys_rouserce. ++## Allow zarafa domains to setrlimit/sys_resource. +##

+##
+gen_tunable(zarafa_setrlimit, false) @@ -100336,7 +107396,7 @@ index 0000000..8c61505 +/var/spool/zoneminder-upload(/.*)? gen_context(system_u:object_r:zoneminder_spool_t,s0) diff --git a/zoneminder.if b/zoneminder.if new file mode 100644 -index 0000000..d02a6f4 +index 0000000..fb0519e --- /dev/null +++ b/zoneminder.if @@ -0,0 +1,374 @@ @@ -100549,7 +107609,7 @@ index 0000000..d02a6f4 +# +interface(`zoneminder_manage_lib_sock_files',` + gen_require(` -+ type sock_var_lib_t; ++ type zoneminder_var_lib_t; + ') + files_search_var_lib($1) + manage_sock_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t) diff --git a/SOURCES/setrans-minimum.conf b/SOURCES/setrans-minimum.conf index 09a6ce3..0ac9c90 100644 --- a/SOURCES/setrans-minimum.conf +++ b/SOURCES/setrans-minimum.conf @@ -1,8 +1,6 @@ # # Multi-Category Security translation table for SELinux # -# Uncomment the following to disable translation libary -# disable=1 # # Objects can be categorized with 0-1023 categories defined by the admin. # Objects can be in more than one category at a time. diff --git a/SOURCES/setrans-mls.conf b/SOURCES/setrans-mls.conf index eb181d2..fa27ae2 100644 --- a/SOURCES/setrans-mls.conf +++ b/SOURCES/setrans-mls.conf @@ -1,8 +1,6 @@ # # Multi-Level Security translation table for SELinux # -# Uncomment the following to disable translation libary -# disable=1 # # Objects can be labeled with one of 16 levels and be categorized with 0-1023 # categories defined by the admin. diff --git a/SOURCES/setrans-targeted.conf b/SOURCES/setrans-targeted.conf index 09a6ce3..0ac9c90 100644 --- a/SOURCES/setrans-targeted.conf +++ b/SOURCES/setrans-targeted.conf @@ -1,8 +1,6 @@ # # Multi-Category Security translation table for SELinux # -# Uncomment the following to disable translation libary -# disable=1 # # Objects can be categorized with 0-1023 categories defined by the admin. # Objects can be in more than one category at a time. 
diff --git a/SPECS/selinux-policy.spec b/SPECS/selinux-policy.spec index 8dfbad8..e363177 100644 --- a/SPECS/selinux-policy.spec +++ b/SPECS/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 103%{?dist} +Release: 153%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -117,6 +117,7 @@ SELinux policy development and man page package %{_usr}/share/selinux/devel/include/* %dir %{_usr}/share/selinux/devel/html %{_usr}/share/selinux/devel/html/*html +%{_usr}/share/selinux/devel/html/*css %{_usr}/share/selinux/devel/Makefile %{_usr}/share/selinux/devel/example.* %{_usr}/share/selinux/devel/policy.* @@ -251,7 +252,7 @@ ln -sf /etc/selinux/%1/policy/policy.%{POLICYVER} %{buildroot}%{_sysconfdir}/se %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/guest_u \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/xguest_u \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/user_u \ -%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/users/staff_u %define relabel() \ . %{_sysconfdir}/selinux/config; \ 
@@ -288,7 +289,7 @@ fi; %define postInstall() \ . %{_sysconfdir}/selinux/config; \ -(cd /etc/selinux/%2/modules/active/modules; rm -f l2tpd.pp shutdown.pp amavis.pp clamav.pp gnomeclock.pp matahari.pp xfs.pp kudzu.pp kerneloops.pp execmem.pp openoffice.pp ada.pp tzdata.pp hal.pp hotplug.pp howl.pp java.pp mono.pp moilscanner.pp gamin.pp audio_entropy.pp audioentropy.pp iscsid.pp polkit_auth.pp polkit.pp rtkit_daemon.pp ModemManager.pp telepathysofiasip.pp ethereal.pp passanger.pp qpidd.pp pyzor.pp razor.pp pki-selinux.pp phpfpm.pp consoletype.pp ctdbd.pp fcoemon.pp isnsd.pp rgmanager.pp corosync.pp aisexec.pp pacemaker.pp ) \ +(cd /etc/selinux/%2/modules/active/modules; rm -f nsplugin.pp l2tpd.pp shutdown.pp amavis.pp clamav.pp gnomeclock.pp matahari.pp xfs.pp kudzu.pp kerneloops.pp execmem.pp openoffice.pp ada.pp tzdata.pp hal.pp hotplug.pp howl.pp java.pp mono.pp moilscanner.pp gamin.pp audio_entropy.pp audioentropy.pp iscsid.pp polkit_auth.pp polkit.pp rtkit_daemon.pp ModemManager.pp telepathysofiasip.pp ethereal.pp passanger.pp qpidd.pp pyzor.pp razor.pp pki-selinux.pp phpfpm.pp consoletype.pp ctdbd.pp fcoemon.pp isnsd.pp rgmanager.pp corosync.pp aisexec.pp pacemaker.pp smstools.pp qemu.pp ) \ if [ -e /etc/selinux/%2/.rebuild ]; then \ rm /etc/selinux/%2/.rebuild; \ /usr/sbin/semodule -B -n -s %2; \ @@ -388,6 +389,8 @@ chmod +x %{buildroot}%{_usr}/share/selinux/devel/policyhelp mkdir %{buildroot}%{_usr}/share/selinux/devel/html htmldir=`compgen -d %{buildroot}%{_usr}/share/man/man8/` mv ${htmldir}/* %{buildroot}%{_usr}/share/selinux/devel/html +mv %{buildroot}%{_usr}/share/man/man8/index.html %{buildroot}%{_usr}/share/selinux/devel/html +mv %{buildroot}%{_usr}/share/man/man8/style.css %{buildroot}%{_usr}/share/selinux/devel/html rm -rf ${htmldir} mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d 
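Review bot: The `rm -f nsplugin.pp ... smstools.pp qemu.pp` line extends an undocumented list of module files deleted on upgrade; the visible changelog mentions removing nsplugin.pp on upgrade but says nothing about smstools.pp or qemu.pp, so the reason those two are retired is not recoverable from the spec. A short comment above the define, such as `# .pp files of modules no longer shipped; delete stale copies before the policy rebuild below`, would record the intent, and `cd /etc/selinux/%2/modules/active/modules && rm -f ...` instead of `;` would keep rm from running in the scriptlet's working directory if the cd fails. The postInstall define continues outside the hunk.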
@@ -453,7 +456,7 @@ Obsoletes: mod_fcgid-selinux <= %{version}-%{release} Obsoletes: cachefilesd-selinux <= 0.10-1 Conflicts: seedit Conflicts: 389-ds-base < 1.2.7, 389-admin < 1.1.12 -Conflicts: pki-selinux < 10-0.0-0.45.b1 +Conflicts: pki-selinux < 10.0.0-0.45.b1 Conflicts: freeipa-server-selinux < 3.2.2-1 %description targeted @@ -481,6 +484,7 @@ exit 0 %files targeted %defattr(-,root,root,-) %config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/unconfined_u +%config(noreplace) %{_sysconfdir}/selinux/targeted/contexts/users/sysadm_u %fileList targeted %{_usr}/share/selinux/targeted/modules-base.lst %{_usr}/share/selinux/targeted/modules-contrib.lst @@ -516,7 +520,7 @@ done for p in $basepackages apache.pp dbus.pp inetd.pp kerberos.pp mta.pp nis.pp; do rm -f /etc/selinux/minimum/modules/active/modules/$p.disabled done -/usr/sbin/semanage -S minimum -i - << __eof +/usr/sbin/semanage import -S minimum -f - << __eof login -m -s unconfined_u -r s0-s0:c0.c1023 __default__ login -m -s unconfined_u -r s0-s0:c0.c1023 root __eof @@ -538,6 +542,7 @@ exit 0 %files minimum %defattr(-,root,root,-) %config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/unconfined_u +%config(noreplace) %{_sysconfdir}/selinux/minimum/contexts/users/sysadm_u %fileList minimum %{_usr}/share/selinux/minimum/modules-base.lst %{_usr}/share/selinux/minimum/modules-contrib.lst 
@@ -574,9 +579,792 @@ SELinux Reference policy mls base module. %endif %changelog +* Mon Apr 7 2014 Miroslav Grepl 3.12.1-153 +- Change hsperfdata_root to have as user_tmp_t +Resolves:#1076523 + +* Fri Apr 4 2014 Miroslav Grepl 3.12.1-152 +- Fix Multiple same specifications for /var/named/chroot/dev/zero +- Add labels for /var/named/chroot_sdb/dev devices +- Add support for strongimcv +- Use kerberos_keytab_domains in auth_use_nsswitch +- Update auth_use_nsswitch to make all these types as kerberos_keytab_domain to +- Allow net_raw cap for neutron_t and send sigkill to dnsmasq +- Fix ntp_filetrans_named_content for sntp-kod file +- Add httpd_dbus_sssd boolean +- Dontaudit exec insmod in boinc policy +- Rename kerberos_keytab_domain to kerberos_keytab_domains +- Add kerberos_keytab_domain() +- Fix kerberos_keytab_template() +- Make all domains which use kerberos as kerberos_keytab_domain +Resolves:#1083670 +- Allow kill capability to winbind_t + +* Wed Apr 2 2014 Miroslav Grepl 3.12.1-151 +- varnishd wants chown capability +- update ntp_filetrans_named_content() interface +- Add additional fixes for neutron_t. 
#1083335 +- Dontaudit getattr on proc_kcore_t +- Allow pki_tomcat_t to read ipa lib files +- Allow named_filetrans_domain to create /var/cache/ibus with correct labelign +- Allow init_t run /sbin/augenrules +- Add dev_unmount_sysfs_fs and sysnet_manage_ifconfig_run interfaces +- Allow unpriv SELinux user to use sandbox +- Add default label for /tmp/hsperfdata_root + +* Tue Apr 1 2014 Miroslav Grepl 3.12.1-149 +- Add file subs also for /var/home + +* Mon Mar 31 2014 Miroslav Grepl 3.12.1-149 +- Allow xauth_t to read user_home_dir_t lnk_file +- Add labeling for lightdm-data +- Allow certmonger to manage ipa lib files +- Add support for /var/lib/ipa +- Allow pegasus to getattr virt_content +- Added some new rules to pcp policy +- Allow chrome_sandbox to execute config_home_t +- Add support for ABRT FAF + +* Fri Mar 28 2014 Miroslav Grepl 3.12.1-148 +- Allow kdm to send signull to remote_login_t process +- Add gear policy +- Turn on gear_port_t +- Allow cgit to read gitosis lib files by default +- Allow vdagent to read xdm state +- Allow NM and fcoeadm to talk together over unix_dgram_socket + +* Thu Mar 27 2014 Miroslav Grepl 3.12.1-147 +- Back port fixes for pegasus_openlmi_admin_t from rawhide +Resolves:#1080973 +- Add labels for ostree +- Add SELinux awareness for NM +- Label /usr/sbin/pwhistory_helper as updpwd_exec_t + +* Wed Mar 26 2014 Miroslav Grepl 3.12.1-146 +- add gnome_append_home_config() +- Allow thumb to append GNOME config home files +- Allow rasdaemon to rw /dev/cpu//msr +- fix /var/log/pki file spec +- make bacula_t as auth_nsswitch domain +- Identify pki_tomcat_cert_t as a cert_type +- Define speech-dispater_exec_t as an application executable +- Add a new file context for /var/named/chroot/run directory +- update storage_filetrans_all_named_dev for sg* devices +- Allow auditctl_t to getattr on all removeable devices +- Allow nsswitch_domains to stream connect to nmbd +- Allow unprivusers to connect to memcached +- label 
/var/lib/dirsrv/scripts-INSTANCE as bin_t + +* Mon Mar 24 2014 Miroslav Grepl 3.12.1-145 +- Allow also unpriv user to run vmtools +- Allow secadm to read /dev/urandom and meminfo +Resolves:#1079250 +- Add booleans to allow docker processes to use nfs and samba +- Add mdadm_tmpfs support +- Dontaudit net_amdin for /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.51-2.4.5.1.el7.x86_64/jre-abrt/bin/java running as pki_tomcat_t +- Allow vmware-user-sui to use user ttys +- Allow talk 2 users logged via console too +- Allow ftp services to manage xferlog_t +- Make all pcp domanis as unconfined for RHEL7.0 beucause of new policies +- allow anaconda to dbus chat with systemd-localed + +* Fri Mar 21 2014 Miroslav Grepl 3.12.1-144 +- allow anaconda to dbus chat with systemd-localed +- Add fixes for haproxy based on bperkins@redhat.com +- Allow cmirrord to make dmsetup working +- Allow NM to execute arping +- Allow users to send messages through talk +- Add userdom_tmp_role for secadm_t + +* Thu Mar 20 2014 Lukas Vrabec 3.12.1-143 +- Add additional fixes for rtas_errd +- Fix transitions for tmp/tmpfs in rtas.te +- Allow rtas_errd to readl all sysctls + + +* Wed Mar 19 2014 Miroslav Grepl 3.12.1-142 +- Add support for /var/spool/rhsm/debug +- Make virt_sandbox_use_audit as True by default +- Allow svirt_sandbox_domains to ptrace themselves + +* Wed Mar 19 2014 Miroslav Grepl 3.12.1-141 +- Allow docker containers to manage /var/lib/docker content + +* Mon Mar 17 2014 Miroslav Grepl 3.12.1-140 +- Allow docker to read tmpfs_t symlinks +- Allow sandbox svirt_lxc_net_t to talk to syslog and to sssd over stream sockets + +* Mon Mar 17 2014 Miroslav Grepl 3.12.1-139 +- Allow collectd to talk to libvirt +- Allow chrome_sandbox to use leaked unix_stream_sockets +- Dontaudit leaks of sockets into chrome_sandbox_t +- If you create a cups directory in /var/cache then it should be labeled cups_rw_etc_t +- Run vmtools as unconfined domains +- Allow snort to manage its log files +- Allow 
systemd_cronjob_t to be entered via bin_t +- Allow procman to list doveconf_etc_t +- allow keyring daemon to create content in tmpfs directories +- Add proper labelling for icedtea-web +- vpnc is creating content in networkmanager var run directory +- Label sddm as xdm_exec_t to make KDE working again +- Allow postgresql to read network state +- Allow java running as pki_tomcat to read network sysctls +- Fix cgroup.te to allow cgred to read cgconfig_etc_t +- Allow beam.smp to use ephemeral ports +- Allow winbind to use the nis to authenticate passwords + +* Fri Mar 14 2014 Lukas Vrabec 3.12.1-138 +- Make rtas_errd_t as unconfined domain for F20.It needs additional fixes. It runs rpm at least. +- Allow net_admin cap for fence_virtd running as fenced_t +- Make abrt-java-connector working +- Make cimtest script 03_defineVS.py of ComputerSystem group working +- Fix git_system_enable_homedirs boolean +- Allow munin mail plugins to read network systcl + +* Thu Mar 13 2014 Miroslav Grepl 3.12.1-137 +- Allow vmtools_helper_t to execute bin_t +- Add support for /usr/share/joomla +- /var/lib/containers should be labeled as openshift content for now +- Allow docker domains to talk to the login programs, to allow a process to login into the container +- Allow install_t do dbus chat with NM +- Fix interface names in anaconda.if +- Add install_t for anaconda. A new type is a part of anaconda policy +- sshd to read network sysctls + +* Wed Mar 12 2014 Miroslav Grepl 3.12.1-136 +- Allow zabbix to send system log msgs +- Allow init_t to stream connect to ipsec +Resolves:#1060775 + +* Tue Mar 11 2014 Miroslav Grepl 3.12.1-135 +- Add docker_connect_any boolean + +* Tue Mar 11 2014 Miroslav Grepl 3.12.1-134 +- Allow unpriv SELinux users to dbus chat with firewalld +- Add lvm_write_metadata() +- Label /etc/yum.reposd dir as system_conf_t. 
Should be safe because system_conf_t is base_ro_file_type +- Allow pegasus_openlmi_storage_t to write lvm metadata +- Add hide_broken_symptoms for kdumpgui because of systemd bug +- Make kdumpgui_t as unconfined domain +Resolves:#1044299 +- Allow docker to connect to tcp/5000 + +* Mon Mar 10 2014 Miroslav Grepl 3.12.1-133 +- Allow numad to write scan_sleep_millisecs +- Turn on entropyd_use_audio boolean by default +- Allow cgred to read /etc/cgconfig.conf because it contains templates used together with rules from /etc/cgrules.conf. +- Allow lscpu running as rhsmcertd_t to read /proc/sysinfo +- Fix label on irclogs in the homedir +- Allow kerberos_keytab_domain domains to manage keys until we get sssd fix +- Allow postgresql to use ldap +- Add missing syslog-conn port +- Add support for /dev/vmcp and /dev/sclp +Resolves:#1069310 + +* Fri Mar 7 2014 Miroslav Grepl 3.12.1-132 +- Modify xdm_write_home to allow create files/links in /root with xdm_home_ +- Allow virt domains to read network state +Resolves:#1072019 + +* Thu Mar 6 2014 Miroslav Grepl 3.12.1-131 +- Added pcp rules +- dontaudit openshift_cron_t searching random directories, should be back ported to RHEL6 +- clean up ctdb.te +- Allow ctdbd to connect own ports +- Fix samba_export_all_rw booleanto cover also non security dirs +- Allow swift to exec rpm in swift_t and allow to create tmp files/dirs +- Allow neutron to create /run/netns with correct labeling +- Allow certmonger to list home dirs + +* Wed Mar 5 2014 Miroslav Grepl 3.12.1-130 +- Change userdom_use_user_inherited_ttys to userdom_use_user_ttys for systemd-tty-ask +- Add sysnet_filetrans_named_content_ifconfig() interface +- Allow ctdbd to connect own ports +- Fix samba_export_all_rw booleanto cover also non security dirs +- Allow swift to exec rpm in swift_t and allow to create tmp files/dirs +- Allow neutron to create /run/netns with correct labeling +- Allow kerberos keytab domains to manage sssd/userdomain keys" +- Allow to run ip cmd in 
neutron_t domain + +* Mon Mar 3 2014 Miroslav Grepl 3.12.1-129 +- Allow block_suspend cap2 for systemd-logind and rw dri device +- Add labeling for /usr/libexec/nm-libreswan-service +- Allow locallogin to rw xdm key to make Virtual Terminal login providing smartcard pin working +- Add xserver_rw_xdm_keys() +- Allow rpm_script_t to dbus chat also with systemd-located +- Fix ipa_stream_connect_otpd() +- update lpd_manage_spool() interface +- Allow krb5kdc to stream connect to ipa-otpd +- Add ipa_stream_connect_otpd() interface +- Allow vpnc to unlink NM pids +- Add networkmanager_delete_pid_files() +- Allow munin plugins to access unconfined plugins +- update abrt_filetrans_named_content to cover /var/spool/debug +- Label /var/spool/debug as abrt_var_cache_t +- Allow rhsmcertd to connect to squid port +- Make docker_transition_unconfined as optional boolean +- Allow certmonger to list home dirs + +* Wed Feb 26 2014 Miroslav Grepl 3.12.1-128 +- Make snapperd as unconfined domain and add additional fixes for it +- Remove nsplugin.pp module on upgrade + +* Tue Feb 25 2014 Miroslav Grepl 3.12.1-127 +- Add snapperd_home_t for HOME_DIR/.snapshots directory +- Make sosreport as unconfined domain +- Allow sosreport to execute grub2-probe +- Allow NM to manage hostname config file +- Allow systemd_timedated_t to dbus chat with rpm_script_t +- Allow lsmd plugins to connect to http/ssh/http_cache ports by default +- Add lsmd_plugin_connect_any boolean +- Allow mozilla_plugin to attempt to set capabilities +- Allow lsdm_plugins to use tcp_socket +- Dontaudit mozilla plugin from getattr on /proc or /sys +- Dontaudit use of the keyring by the services in a sandbox +- Dontaudit attempts to sys_ptrace caused by running ps for mysqld_safe_t +- Allow rabbitmq_beam to connect to jabber_interserver_port +- Allow logwatch_mail_t to transition to qmail_inject and queueu +- Added new rules to pcp policy +- Allow vmtools_helper_t to change role to system_r +- Allow NM to dbus chat with 
vmtools +- Fix couchdb_manage_files() to allow manage couchdb conf files +- Add support for /var/run/redis.sock +- dontaudit gpg trying to use audit +- Allow consolekit to create log directories and files +- Fix vmtools policy to allow user roles to access vmtools_helper_t +- Allow block_suspend cap2 for ipa-otpd +- Allow pkcsslotd to read users state +- Add ioctl to init_dontaudit_rw_stream_socket +- Add systemd_hostnamed_manage_config() interface +- Remove transition for temp dirs created by init_t +- gdm-simple-slave uses use setsockopt +- sddm-greater is a xdm type program + +* Tue Feb 18 2014 Miroslav Grepl 3.12.1-126 +- Add lvm_read_metadata() +- Allow auditadm to search /var/log/audit dir +- Add lvm_read_metadata() interface +- Allow confined users to run vmtools helpers +- Fix userdom_common_user_template() +- Generic systemd unit scripts do write check on / +- Allow init_t to create init_tmp_t in /tmp.This is for temporary content created by generic unit files +- Add additional fixes needed for init_t and setup script running in generic unit files +- Allow general users to create packet_sockets +- added connlcli port +- Add init_manage_transient_unit() interface +- Allow init_t (generic unit files) to manage rpc state date as we had it for initrc_t +- Fix userdomain.te to require passwd class +- devicekit_power sends out a signal to all processes on the message bus when power is going down +- Dontaudit rendom domains listing /proc and hittping system_map_t +- Dontauit leaks of var_t into ifconfig_t +- Allow domains that transition to ssh_t to manipulate its keyring +- Define oracleasm_t as a device node +- Change to handle /root as a symbolic link for os-tree +- Allow sysadm_t to create packet_socket, also move some rules to attributes +- Add label for openvswitch port +- Remove general transition for files/dirs created in /etc/mail which got etc_aliases_t label. 
+- Allow postfix_local to read .forward in pcp lib files +- Allow pegasus_openlmi_storage_t to read lvm metadata +- Add additional fixes for pegasus_openlmi_storage_t +- Allow bumblebee to manage debugfs +- Make bumblebee as unconfined domain +- Allow snmp to read etc_aliases_t +- Allow lscpu running in pegasus_openlmi_storage_t to read /dev/mem +- Allow pegasus_openlmi_storage_t to read /proc/1/environ +- Dontaudit read gconf files for cupsd_config_t +- make vmtools as unconfined domain +- Add vmtools_helper_t for helper scripts. Allow vmtools shutdonw a host and run ifconfig. +- Allow collectd_t to use a mysql database +- Allow ipa-otpd to perform DNS name resolution +- Added new policy for keepalived +- Allow openlmi-service provider to manage transitient units and allow stream connect to sssd +- Add additional fixes new pscs-lite+polkit support +- Add labeling for /run/krb5kdc +- Change w3c_validator_tmp_t to httpd_w3c_validator_tmp_t in F20 +- Allow pcscd to read users proc info +- Dontaudit smbd_t sending out random signuls +- Add boolean to allow openshift domains to use nfs +- Allow w3c_validator to create content in /tmp +- zabbix_agent uses nsswitch +- Allow procmail and dovecot to work together to deliver mail +- Allow spamd to execute files in homedir if boolean turned on +- Allow openvswitch to listen on port 6634 +- Add net_admin capability in collectd policy +- Fixed snapperd policy +- Fixed bugsfor pcp policy +- Allow dbus_system_domains to be started by init +- Fixed some interfaces +- Add kerberos_keytab_domain attribute +- Fix snapperd_conf_t def + +* Tue Feb 11 2014 Miroslav Grepl 3.12.1-125 +- Addopt corenet rules for unbound-anchor to rpm_script_t +- Allow runuser to send send audit messages. 
+- Allow postfix-local to search .forward in munin lib dirs +- Allow udisks to connect to D-Bus +- Allow spamd to connect to spamd port +- Fix syntax error in snapper.te +- Dontaudit osad to search gconf home files +- Allow rhsmcertd to manage /etc/sysconf/rhn director +- Fix pcp labeling to accept /usr/bin for all daemon binaries +- Fix mcelog_read_log() interface +- Allow iscsid to manage iscsi lib files +- Allow snapper domtrans to lvm_t. Add support for /etc/snapper and allow snapperd to manage it. +- Make tuned_t as unconfined domain for RHEL7.0 +- Allow ABRT to read puppet certs +- Add sys_time capability for virt-ga +- Allow gemu-ga to domtrans to hwclock_t +- Allow additional access for virt_qemu_ga_t processes to read system clock and send audit messages +- Fix some AVCs in pcp policy +- Add to bacula capability setgid and setuid and allow to bind to bacula ports +- Changed label from rhnsd_rw_conf_t to rhnsd_conf_t +- Add access rhnsd and osad to /etc/sysconfig/rhn +- drbdadm executes drbdmeta +- Fixes needed for docker +- Allow epmd to manage /var/log/rabbitmq/startup_err file +- Allow beam.smp connect to amqp port +- Modify xdm_write_home to allow create also links as xdm_home_t if the boolean is on true +- Allow init_t to manage pluto.ctl because of init_t instead of initrc_t +- Allow systemd_tmpfiles_t to manage all non security files on the system +- Added labels for bacula ports +- Fix label on /dev/vfio/vfio +- Add kernel_mounton_messages() interface +- init wants to manage lock files for iscsi + +* Mon Feb 3 2014 Miroslav Grepl 3.12.1-124 +- Added osad policy +- Allow postfix to deliver to procmail +- Allow bumblebee to seng kill signal to xserver +- Allow vmtools to execute /usr/bin/lsb_release +- Allow docker to write system net ctrls +- Add support for rhnsd unit file +- Add dbus_chat_session_bus() interface +- Add dbus_stream_connect_session_bus() interface +- Fix pcp.te +- Fix logrotate_use_nfs boolean +- Add lot of pcp fixes found in RHEL7 
+- fix labeling for pmie for pcp pkg +- Change thumb_t to be allowed to chat/connect with session bus type +- Allow call renice in mlocate +- Add logrotate_use_nfs boolean +- Allow setroubleshootd to read rpc sysctl + +* Fri Jan 31 2014 Miroslav Grepl 3.12.1-123 +- Turn on bacula, rhnsd policy +- Add support for rhnsd unit file +- Add dbus_chat_session_bus() interface +- Add dbus_stream_connect_session_bus() interface +- Fix logrotate_use_nfs boolean +- Add lot of pcp fixes found in RHEL7 +- fix labeling for pmie for pcp pkg +- Change thumb_t to be allowed to chat/connect with session bus type +- Allow call renice in mlocate +- Add logrotate_use_nfs boolean +- Allow setroubleshootd to read rpc sysctl +- Fixes for *_admin interfaces +- Add pegasus_openlmi_storage_var_run_t type def +- Add support for /var/run/openlmi-storage +- Allow tuned to create syslog.conf with correct labeling +- Add httpd_dontaudit_search_dirs boolean +- Add support for winbind.service +- ALlow also fail2ban-client to read apache logs +- Allow vmtools to getattr on all fs +- Add support for dey_sapi port +- Add logging_filetrans_named_conf() +- Allow passwd_t to use ipc_lock, so that it can change the password in gnome-keyring + +* Tue Jan 28 2014 Miroslav Grepl 3.12.1-122 +- Update snapper policy +- Allow domains to append rkhunter lib files +- Allow snapperd to getattr on all fs +- Allow xdm to create /var/gdm with correct labeling +- Add label for snapper.log +- Allow fail2ban-client to read apache log files +- Allow thumb_t to execute dbus-daemon in thumb_t + +* Mon Jan 27 2014 Miroslav Grepl 3.12.1-121 +- Allow gdm to create /var/gdm with correct labeling +- Allow domains to append rkhunterl lib files. 
#1057982 +- Allow systemd_tmpfiles_t net_admin to communicate with journald +- Add interface to getattr on an isid_type for any type of file +- Update libs_filetrans_named_content() to have support for /usr/lib/debug directory +- Allow initrc_t domtrans to authconfig if unconfined is enabled +- Allow docker and mount on devpts chr_file +- Allow docker to transition to unconfined_t if boolean set +- init calling needs to be optional in domain.te +- Allow uncofined domain types to handle transient unit files +- Fix labeling for vfio devices +- Allow net_admin capability and send system log msgs +- Allow lldpad send dgram to NM +- Add networkmanager_dgram_send() +- rkhunter_var_lib_t is correct type +- Back port pcp policy from rawhide +- Allow openlmi-storage to read removable devices +- Allow system cron jobs to manage rkhunter lib files +- Add rkhunter_manage_lib_files() +- Fix ftpd_use_fusefs boolean to allow manage also symlinks +- Allow smbcontrob block_suspend cap2 +- Allow slpd to read network and system state info +- Allow NM domtrans to iscsid_t if iscsiadm is executed +- Allow slapd to send a signal itself +- Allow sslget running as pki_ra_t to contact port 8443, the secure port of the CA. 
+- Fix plymouthd_create_log() interface +- Add rkhunter policy with files type definition for /var/lib/rkhunter until it is fixed in rkhunter package +- Add mozilla_plugin_exec_t for /usr/lib/firefox/plugin-container +- Allow postfix and cyrus-imapd to work out of box +- Allow fcoemon to talk with unpriv user domain using unix_stream_socket +- Dontaudit domains that are calling into journald to net_admin +- Add rules to allow vmtools to do what it does +- snapperd is D-Bus service +- Allow OpenLMI PowerManagement to call 'systemctl --force reboot' +- Add haproxy_connect_any boolean +- Allow haproxy also to use http cache port by default +Resolves:#1058248 + +* Tue Jan 21 2014 Miroslav Grepl 3.12.1-120 +- Allow apache to write to the owncloud data directory in /var/www/html... +- Allow consolekit to create log dir +- Add support for icinga CGI scripts +- Add support for icinga +- Allow kdumpctl_t to create kdump lock file +Resolves:#1055634 +- Allow kdump to create lnk lock file +- Allow nscd_t block_suspen capability +- Allow unconfined domain types to manage own transient unit file +- Allow systemd domains to handle transient init unit files +- Add interfaces to handle transient + +* Mon Jan 20 2014 Miroslav Grepl 3.12.1-119 +- Add cron unconfined role support for uncofined SELinux user +- Call corenet_udp_bind_all_ports() in milter.te +- Allow fence_virtd to connect to zented port +- Fix header for mirrormanager_admin() +- Allow dkim-milter to bind udp ports +- Allow milter domains to send signull itself +- Allow block_suspend for yum running as mock_t +- Allow beam.smp to manage couchdb files +- Add couchdb_manage_files() +- Add labeling for /var/log/php_errors.log +- Allow bumblebee to stream connect to xserver +- Allow bumblebee to send a signal to xserver +- gnome-thumbnail to stream connect to bumblebee +- Allow xkbcomp running as bumblebee_t to execute bin_t +- Allow logrotate to read squid.conf +- Additional rules to get docker and lxc to play well with 
SELinux +- Allow bumbleed to connect to xserver port +- Allow pegasus_openlmi_storage_t to read hwdata + +* Thu Jan 16 2014 Miroslav Grepl 3.12.1-118 +- Allow init_t to work on transitient and snapshot unit files +- Add logging_manage_syslog_config() +- Update sysnet_dns_name_resolve() to allow connect to dnssec por +- Allow pegasus_openlmi_storage_t to read hwdata +Resolves:#1031721 +- Fix rhcs_rw_cluster_tmpfs() +- Allow fenced_t to bind on zented udp port +- Added policy for vmtools +- Fix mirrormanager_read_lib_files() +- Allow mirromanager scripts running as httpd_t to manage mirrormanager pid files +- Allow ctdb to create sock files in /var/run/ctdb +- Add sblim_filetrans_named_content() interface +- Allow rpm scritplets to create /run/gather with correct labeling +- Allow gnome keyring domains to create gnome config dirs +- Dontaudit read/write to init stream socket for lsmd_plugin_t +- Allow automount to read nfs link files +- Allow lsm plugins to read/write lsmd stream socket +- Allow certmonger to connect ldap port to make IPA CA certificate renewal working. +- Add also labeling for /var/run/ctdb +- Add missing labeling for /var/lib/ctdb +- ALlow tuned to manage syslog.conf. Should be fixed in tuned. 
#1030446 +- Dontaudit hypervkvp to search homedirs +- Dontaudit hypervkvp to search admin homedirs +- Allow hypervkvp to execute bin_t and ifconfig in the caller domain +- Dontaudit xguest_t to read ABRT conf files +- Add abrt_dontaudit_read_config() +- Allow namespace-init to getattr on fs +- Add thumb_role() also for xguest +- Add filename transitions to create .spamassassin with correct labeling +- Allow apache domain to read mirrormanager pid files +- Allow domains to read/write shm and sem owned by mozilla_plugin_t +- Allow alsactl to send a generic signal to kernel_t + +* Tue Jan 14 2014 Miroslav Grepl 3.12.1-117 +- Add back rpm_run() for unconfined user + +* Tue Jan 14 2014 Miroslav Grepl 3.12.1-116 +- Add missing files_create_var_lib_dirs() +- Fix typo in ipsec.te +- Allow passwd to create directory in /var/lib +- Add filename trans also for event21 +- Allow iptables command to read /dev/rand +- Add sigkill capabilityfor ipsec_t +- Add filename transitions for bcache devices +- Add additional rules to create /var/log/cron by syslogd_t with correct labeling +- Add give everyone full access to all key rings +- Add default lvm_var_run_t label for /var/run/multipathd +- Fix log labeling to have correct default label for them after logrotate +- Labeled ~/.nv/GLCache as being gstreamer output +- Allow nagios_system_plugin to read mrtg lib files +- Add mrtg_read_lib_files() +- Call rhcs_rw_cluster_tmpfs for dlm_controld +- Make authconfing as named_filetrans domain +- Allow virsh to connect to user process using stream socket +- Allow rtas_errd to read rand/urand devices and add chown capability +- Fix labeling from /var/run/net-snmpd to correct /var/run/net-snmp +Resolves:#1051497 +- Add also chown cap for abrt_upload_watch_t. 
It already has dac_override +- Allow sosreport to manage rhsmcertd pid files +- Add rhsmcertd_manage_pid_files() +- Allow also setgid cap for rpc.gssd +- Dontaudit access check for abrt on cert_t +- Allow pegasus_openlmi_system providers to dbus chat with systemd-logind + +* Fri Jan 10 2014 Miroslav Grepl 3.12.1-115 +- Fix semanage import handling in spec file + +* Fri Jan 10 2014 Miroslav Grepl 3.12.1-114 +- Add default lvm_var_run_t label for /var/run/multipathd +Resolves:#1051430 +- Fix log labeling to have correct default label for them after logrotate +- Add files_write_root_dirs +- Add new openflow port label for 6653/tcp and 6633/tcp +- Add xserver_manage_xkb_libs() +- Label tcp/8891 as milter por +- Allow gnome_manage_generic_cache_files also create cache_home_t files +- Fix aide.log labeling +- Fix log labeling to have correct default label for them after logrotate +- Allow mysqld-safe write access on /root to make mysqld working +- Allow sosreport domtrans to prelikn +- Allow OpenvSwitch to connec to openflow ports +- Allow NM send dgram to lldpad +- Allow hyperv domains to execute shell +- Allow lsmd plugins stream connect to lsmd/init +- Allow sblim domains to create /run/gather with correct labeling +- Allow httpd to read ldap certs +- Allow cupsd to send dbus msgs to process with different MLS level +- Allow bumblebee to stream connect to apmd +- Allow bumblebee to run xkbcomp +- Additional allow rules to get libvirt-lxc containers working with docker +- Additional allow rules to get libvirt-lxc containers working with docker +- Allow docker to getattr on itself +- Additional rules needed for sandbox apps +- Allow mozilla_plugin to set attributes on usb device if use_spice boolean enabled +- httpd should be able to send signal/signull to httpd_suexec_t +- Add more fixes for neturon. Domtrans to dnsmasq, iptables. Make neutron as filenamtrans domain. 
+ +* Wed Jan 8 2014 Miroslav Grepl 3.12.1-113 +- Add neutron fixes + +* Mon Jan 6 2014 Miroslav Grepl 3.12.1-112 +- Allow sshd to write to all process levels in order to change passwd when running at a level +- Allow updpwd_t to downgrade /etc/passwd file to s0, if it is not running with this range +- Allow apcuspd_t to status and start the power unit file +- Allow udev to manage kdump unit file +- Added new interface modutils_dontaudit_exec_insmod +- Allow cobbler to search dhcp_etc_t directory +- systemd_systemctl needs sys_admin capability +- Allow sytemd_tmpfiles_t to delete all directories +- passwd to create gnome-keyring passwd socket +- Add missing zabbix_var_lib_t type +- Fix filename trans for zabbixsrv in zabbix.te +- Allow fprintd_t to send syslog messages +- Add zabbix_var_lib_t for /var/lib/zabbixsrv, also allow zabix to connect to smtp port +- Allow mozilla plugin to chat with policykit, needed for spice +- Allow gssprozy to change user and gid, as well as read user keyrings +- Label upgrades directory under /var/www as httpd_sys_rw_content_t, add other filetrans rules to label content correctly +- Allow polipo to connect to http_cache_ports +- Allow cron jobs to manage apache var lib content +- Allow yppassword to manage the passwd_file_t +- Allow showall_t to send itself signals +- Allow cobbler to restart dhcpc, dnsmasq and bind services +- Allow certmonger to manage home cert files +- Add userdom filename trans for user mail domains +- Allow apcuspd_t to status and start the power unit file +- Allow cgroupdrulesengd to create content in cgoups directories +- Allow smbd_t to signull cluster +- Allow gluster daemon to create fifo files in glusterd_brick_t and sock_file in glusterd_var_lib_t +- Add label for /var/spool/cron.aquota.user +- Allow sandbox_x domains to use work with the mozilla plugin semaphore +- Added new policy for speech-dispatcher +- Added dontaudit rule for insmod_exec_t in rasdaemon policy +- Updated rasdaemon policy +- Allow 
system_mail_t to transition to postfix_postdrop_t +- Clean up mirrormanager policy +- Allow virt_domains to read cert files, needs backport to RHEL7 +- Allow sssd to read systemd_login_var_run_t +- Allow irc_t to execute shell and bin-t files: +- Add new access for mythtv +- Allow rsync_t to manage all non auth files +- allow modemmanger to read /dev/urand +- Allow sandbox apps to attempt to set and get capabilties + +* Thu Dec 19 2013 Miroslav Grepl 3.12.1-111 +- Add labeling for /var/lib/servicelog/servicelog.db-journal +- Add support for freeipmi port +- Add sysadm_u_default_contexts +- Make new type to texlive files in homedir +- Allow subscription-manager running as sosreport_t to manage rhsmcertd +- Additional fixes for docker.te +- Remove ability to do mount/sys_admin by default in virt_sandbox domains +- New rules required to run docker images within libivrt +- Add label for ~/.cvsignore +- Change mirrormanager to be run by cron +- Add mirrormanager policy +- Fixed bumblebee_admin() and mip6d_admin() +- Add log support for sensord +- Fix typo in docker.te +- Allow amanda to do backups over UDP +- Allow bumblebee to read /etc/group and clean up bumblebee.te +- type transitions with a filename not allowed inside conditionals +- Don't allow virt-sandbox tools to use netlink out of the box, needs back port to RHEL7 +- Make new type to texlive files in homedir + +* Thu Dec 12 2013 Miroslav Grepl 3.12.1-110 +- Allow freeipmi_ipmidetectd_t to use freeipmi port +- Update freeipmi_domain_template() +- Allow journalctl running as ABRT to read /run/log/journal +- Allow NM to read dispatcher.d directory +- Update freeipmi policy +- Type transitions with a filename not allowed inside conditionals +- Allow tor to bind to hplip port +- Make new type to texlive files in homedir +- Allow zabbix_agent to transition to dmidecode +- Add rules for docker +- Allow sosreport to send signull to unconfined_t +- Add virt_noatsecure and virt_rlimitinh interfaces +- Fix labeling in 
thumb.fc to add support for /usr/lib64/tumbler-1/tumblerddd support for freeipmi port +- Add sysadm_u_default_contexts +- Add logging_read_syslog_pid() +- Fix userdom_manage_home_texlive() interface +- Make new type to texlive files in homedir +- Add filename transitions for /run and /lock links +- Allow virtd to inherit rlimit information +Resolves:#975358 + +* Tue Dec 10 2013 Miroslav Grepl 3.12.1-109 +- Change labeling for /usr/libexec/nm-dispatcher.action to NetworkManager_exec_t +Resolves:#1039879 +- Add labeling for /usr/lib/systemd/system/mariadb.service +- Allow hyperv_domain to read sysfs +- Fix ldap_read_certs() interface to allow acess also link files +- Add support for /usr/libexec/pegasus/cmpiLMI_Journald-cimprovagt +- Allow tuned to run modprobe +- Allow portreserve to search /var/lib/sss dir +- Add SELinux support for the teamd package contains team network device control daemon. +- Dontaudit access check on /proc for bumblebee +- Bumblebee wants to load nvidia modules +- Fix rpm_named_filetrans_log_files and wine.te +- Add conman policy for rawhide +- DRM master and input event devices are used by the TakeDevice API +- Clean up bumblebee policy +- Update pegasus_openlmi_storage_t policy +- Add freeipmi_stream_connect() interface +- Allow logwatch read madm.conf to support RAID setup +- Add raid_read_conf_files() interface +- Allow up2date running as rpm_t create up2date log file with rpm_log_t labeling +- add rpm_named_filetrans_log_files() interface +- Allow dkim-milter to create files/dirs in /tmp +- update freeipmi policy +- Add policy for freeipmi services +- Added rdisc_admin and rdisc_systemctl interfaces +- opensm policy clean up +- openwsman policy clean up +- ninfod policy clean up +- Added new policy for ninfod +- Added new policy for openwsman +- Added rdisc_admin and rdisc_systemctl interfaces +- Fix kernel_dontaudit_access_check_proc() +- Add support for /dev/uhid +- Allow sulogin to get the attributes of initctl and sys_admin cap +- 
Add kernel_dontaudit_access_check_proc() +- Fix dev_rw_ipmi_dev() +- Fix new interface in devices.if +- DRM master and input event devices are used by the TakeDevice API +- add dev_rw_inherited_dri() and dev_rw_inherited_input_dev() +- Added support for default conman port +- Add interfaces for ipmi devices + +* Wed Dec 4 2013 Miroslav Grepl 3.12.1-108 +- Allow sosreport to send a signal to ABRT +- Add proper aliases for pegasus_openlmi_service_exec_t and pegasus_openlmi_service_t +- Label /usr/sbin/htcacheclean as httpd_exec_t +Resolves:#1037529 +- Added support for rdisc unit file +- Add antivirus_db_t labeling for /var/lib/clamav-unofficial-sigs +- Allow runuser running as logrotate connections to system DBUS +- Label bcache devices as fixed_disk_device_t +- Allow systemctl running in ipsec_mgmt_t to access /usr/lib/systemd/system/ipsec.service +- Label /usr/lib/systemd/system/ipsec.service as ipsec_mgmt_unit_file_t + +* Mon Dec 2 2013 Miroslav Grepl 3.12.1-107 +- Add back setpgid/setsched for sosreport_t + +* Mon Dec 2 2013 Dan Walsh 3.12.1-106 +- Added fix for clout_init to transition to rpm_script_t (dwalsh@redhat.com) + +* Tue Nov 26 2013 Miroslav Grepl 3.12.1-105 +- Dontaudit openshift domains trying to use rawip_sockets, this is caused by a bad check in the kernel. 
+- Allow git_system_t to read git_user_content if the git_system_enable_homedirs boolean is turned on +- Add lsmd_plugin_t for lsm plugins +- Allow dovecot-deliver to search mountpoints +- Add labeling for /etc/mdadm.conf +- Allow opelmi admin providers to dbus chat with init_t +- Allow sblim domain to read /dev/urandom and /dev/random +- Allow apmd to request the kernel load modules +- Add glusterd_brick_t type +- label mate-keyring-daemon with gkeyringd_exec_t +- Add plymouthd_create_log() +- Dontaudit leaks from openshift domains into mail domains, needs back port to RHEL6 +- Allow sssd to request the kernel loads modules +- Allow gpg_agent to use ssh-add +- Allow gpg_agent to use ssh-add +- Dontaudit access check on /root for myslqd_safe_t +- Allow ctdb to getattr on al filesystems +- Allow abrt to stream connect to syslog +- Allow dnsmasq to list dnsmasq.d directory +- Watchdog opens the raw socket +- Allow watchdog to read network state info +- Dontaudit access check on lvm lock dir +- Allow sosreport to send signull to setroubleshootd +- Add setroubleshoot_signull() interface +- Fix ldap_read_certs() interface +- Allow sosreport all signal perms +- Allow sosreport to run systemctl +- Allow sosreport to dbus chat with rpm +- Add glusterd_brick_t files type +- Allow zabbix_agentd to read all domain state +- Clean up rtas.if +- Allow smoltclient to execute ldconfig +- Allow sosreport to request the kernel to load a module +- Fix userdom_confined_admin_template() +- Add back exec_content boolean for secadm, logadm, auditadm +- Fix files_filetrans_system_db_named_files() interface +- Allow sulogin to getattr on /proc/kcore +- Add filename transition also for servicelog.db-journal +- Add files_dontaudit_access_check_root() +- Add lvm_dontaudit_access_check_lock() interface + +* Thu Nov 21 2013 Miroslav Grepl 3.12.1-104 +- Allow watchdog to read /etc/passwd +- Allow browser plugins to connect to bumblebee +- New policy for bumblebee and freqset +- Add new policy 
for mip6d daemon +- Add new policy for opensm daemon +- Allow condor domains to read/write condor_master udp_socket +- Allow openshift_cron_t to append to openshift log files, label /var/log/openshift +- Add back file_pid_filetrans for /var/run/dlm_controld +- Allow smbd_t to use inherited tmpfs content +- Allow mcelog to use the /dev/cpu device +- sosreport runs rpcinfo +- sosreport runs subscription-manager +- Allow staff_t to run frequency command +- Allow systemd_tmpfiles to relabel log directories +- Allow staff_t to read xserver_log file +- Label hsperfdata_root as tmp_t + * Wed Nov 20 2013 Miroslav Grepl 3.12.1-103 - More sosreport fixes to make ABRT working - + * Fri Nov 15 2013 Miroslav Grepl 3.12.1-102 - Fix files_dontaudit_unmount_all_mountpoints() - Add support for 2608-2609 tcp/udp ports