From 64d84cf8ece94efc144ecb3fe657118ae618916b Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Sep 08 2010 18:17:07 +0000
Subject: Allow iptables to read shorewall tmp files Change chfn and passwd to use auth_use_pam so they can send dbus messages to fpr intd label vlc as an execmem_exec_t Lots of fixes for mozilla_plugin to run google vidio chat Allow telepath_msn to execute ldconfig and its own tmp files Fix labels on hugepages Allow mdadm to read files on /dev Remove permissive domains and change back to unconfined Allow freshclam to execute shell and bin_t Allow devicekit_power to transition to dhcpc Add boolean to allow icecast to connect to any port
---
diff --git a/.gitignore b/.gitignore
index 8632839..8fea9fc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -223,3 +223,4 @@ serefpolicy*
 /serefpolicy-3.9.0.tgz
 /serefpolicy-3.9.1.tgz
 /serefpolicy-3.9.2.tgz
+/serefpolicy-3.9.3.tgz
diff --git a/policy-F14.patch b/policy-F14.patch
index d722157..470095b 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -206,110 +206,6 @@ index af90ef2..fbd2c40 100644 (( h1 dom h2 ) or ( t1 == mcskillall )); # -diff --git a/policy/modules/admin/alsa.fc b/policy/modules/admin/alsa.fc -index 30a0ac7..f5fc753 100644 ---- a/policy/modules/admin/alsa.fc -+++ b/policy/modules/admin/alsa.fc -@@ -1,3 +1,5 @@ -+HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0) -+ - /bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0) - - /etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) -diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if -index fe09bea..090b5c9 100644 ---- a/policy/modules/admin/alsa.if -+++ b/policy/modules/admin/alsa.if -@@ -16,6 +16,7 @@ interface(`alsa_domtrans',` - ') - - domtrans_pattern($1, alsa_exec_t, alsa_t) -+ corecmd_search_bin($1) - ') - - ######################################## -@@ -33,7 +34,7 @@ interface(`alsa_rw_semaphores',` - type alsa_t; - ') - -- allow $1 alsa_t:sem { unix_read unix_write associate read write }; -+ allow $1 alsa_t:sem rw_sem_perms; - ') - - ######################################## -@@ -51,7 +52,7 @@ interface(`alsa_rw_shared_mem',` - type alsa_t; - ') - -- allow $1 alsa_t:shm { unix_read unix_write create_shm_perms }; -+ allow $1 alsa_t:shm rw_shm_perms; - ') - - ######################################## -@@ -72,6 +73,7 @@ interface(`alsa_read_rw_config',` - allow $1 alsa_etc_rw_t:dir list_dir_perms; - read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) - read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) -+ files_search_etc($1) - ') - - ######################################## -@@ -92,6 +94,7 @@ interface(`alsa_manage_rw_config',` - allow $1 alsa_etc_rw_t:dir list_dir_perms; - manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) - read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) -+ files_search_etc($1) - ') - - ######################################## -@@ -110,4 +113,24 @@ interface(`alsa_read_lib',` - ') - - read_files_pattern($1, alsa_var_lib_t, 
alsa_var_lib_t) -+ files_search_var_lib($1) -+') -+ -+######################################## -+## -+## Read alsa home files. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`alsa_read_home_files',` -+ gen_require(` -+ type alsa_home_t; -+ ') -+ -+ allow $1 alsa_home_t:file read_file_perms; -+ userdom_search_user_home_dirs($1) - ') -diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te -index 04f9d96..ed1c3dc 100644 ---- a/policy/modules/admin/alsa.te -+++ b/policy/modules/admin/alsa.te -@@ -16,6 +16,9 @@ files_type(alsa_etc_rw_t) - type alsa_var_lib_t; - files_type(alsa_var_lib_t) - -+type alsa_home_t; -+userdom_user_home_content(alsa_home_t) -+ - ######################################## - # - # Local policy -@@ -28,6 +31,8 @@ allow alsa_t self:shm create_shm_perms; - allow alsa_t self:unix_stream_socket create_stream_socket_perms; - allow alsa_t self:unix_dgram_socket create_socket_perms; - -+allow alsa_t alsa_home_t:file read_file_perms; -+ - manage_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t) - manage_lnk_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t) - files_etc_filetrans(alsa_t, alsa_etc_rw_t, file) diff --git a/policy/modules/admin/amanda.if b/policy/modules/admin/amanda.if index d1d035e..2cb11ea 100644 --- a/policy/modules/admin/amanda.if @@ -1374,7 +1270,7 @@ index 95dbcf3..bdba9c5 100644 optional_policy(` java_domtrans_unconfined(rpm_script_t) diff --git a/policy/modules/admin/shorewall.if b/policy/modules/admin/shorewall.if -index 0948921..992a7fc 100644 +index 0948921..b83f3db 100644 --- a/policy/modules/admin/shorewall.if +++ b/policy/modules/admin/shorewall.if @@ -18,6 +18,24 @@ interface(`shorewall_domtrans',` 
@@ -1402,7 +1298,33 @@ index 0948921..992a7fc 100644 ####################################### ## ## Read shorewall etc configuration files. -@@ -134,9 +152,10 @@ interface(`shorewall_rw_lib_files',` +@@ -117,6 +135,25 @@ interface(`shorewall_rw_lib_files',` + + ####################################### + ## ++## Read shorewall tmp files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`shorewall_read_tmp_files',` ++ gen_require(` ++ type shorewall_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ read_files_pattern($1, shorewall_tmp_t, shorewall_tmp_t) ++') ++ ++####################################### ++## + ## All of the rules required to administrate + ## an shorewall environment + ## +@@ -134,9 +171,10 @@ interface(`shorewall_rw_lib_files',` # interface(`shorewall_admin',` gen_require(` @@ -1415,7 +1337,7 @@ index 0948921..992a7fc 100644 ') allow $1 shorewall_t:process { ptrace signal_perms }; -@@ -153,12 +172,12 @@ interface(`shorewall_admin',` +@@ -153,12 +191,12 @@ interface(`shorewall_admin',` files_search_locks($1) admin_pattern($1, shorewall_lock_t) @@ -1723,18 +1645,32 @@ index aecbf1c..0b5e634 100644 optional_policy(` diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index c35d801..3045a19 100644 +index c35d801..961424f 100644 --- a/policy/modules/admin/usermanage.te 
+++ b/policy/modules/admin/usermanage.te -@@ -295,6 +295,7 @@ selinux_compute_user_contexts(passwd_t) +@@ -90,9 +90,7 @@ fs_search_auto_mountpoints(chfn_t) + # for SSP + dev_read_urand(chfn_t) + +-auth_domtrans_chk_passwd(chfn_t) +-auth_dontaudit_read_shadow(chfn_t) +-auth_use_nsswitch(chfn_t) ++auth_use_pam(chfn_t) + + # allow checking if a shell is executable + corecmd_check_exec_shell(chfn_t) +@@ -295,15 +293,18 @@ selinux_compute_user_contexts(passwd_t) term_use_all_ttys(passwd_t) term_use_all_ptys(passwd_t) +term_use_generic_ptys(passwd_t) - auth_domtrans_chk_passwd(passwd_t) +-auth_domtrans_chk_passwd(passwd_t) auth_manage_shadow(passwd_t) -@@ -304,6 +305,9 @@ auth_use_nsswitch(passwd_t) + auth_relabel_shadow(passwd_t) + auth_etc_filetrans_shadow(passwd_t) +-auth_use_nsswitch(passwd_t) ++auth_use_pam(passwd_t) # allow checking if a shell is executable corecmd_check_exec_shell(passwd_t) @@ -1744,7 +1680,7 @@ index c35d801..3045a19 100644 domain_use_interactive_fds(passwd_t) -@@ -334,6 +338,7 @@ userdom_read_user_tmp_files(passwd_t) +@@ -334,6 +335,7 @@ userdom_read_user_tmp_files(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) @@ -1752,7 +1688,7 @@ index c35d801..3045a19 100644 optional_policy(` nscd_domtrans(passwd_t) -@@ -428,7 +433,7 @@ optional_policy(` +@@ -428,7 +430,7 @@ optional_policy(` # Useradd local policy # @@ -1761,7 +1697,7 @@ index c35d801..3045a19 100644 dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; -@@ -500,12 +505,8 @@ seutil_domtrans_setfiles(useradd_t) +@@ -500,12 +502,8 @@ seutil_domtrans_setfiles(useradd_t) userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories 
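Review bot: `auth_use_pam(chfn_t)` and `auth_use_pam(passwd_t)` replace `auth_domtrans_chk_passwd`, `auth_dontaudit_read_shadow` and `auth_use_nsswitch`, but auth_use_pam is the bundle a full PAM client receives (as I recall it also carries the upd_passwd transition, login/fail-log and utmp writes, audit and syslog sending, and the fprintd dbus chat), so two setuid programs gain noticeably more than the commit message's "send dbus messages to fprintd" needs. If the wider footprint is intended for passwd_t, which already has `auth_manage_shadow`, a one-line why-comment next to the call, `# auth_use_pam: pam_fprintd needs dbus chat with fprintd`, would stop the next reader from narrowing it back; if it is not, keeping the three original calls and adding the fprintd dbus-chat interface directly is the smaller change. It is also worth confirming that the bundle still includes the dontaudit on shadow reads, since the explicit `auth_dontaudit_read_shadow(chfn_t)` is removed here and chfn would otherwise start logging shadow denials. The passwd_t rule block continues outside this hunk.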
@@ -2361,157 +2297,88 @@ index 00a19e3..46db5ff 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) + diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..ffd9870 100644 +index f5afe78..db1a0d0 100644 --- a/policy/modules/apps/gnome.if 
+++ b/policy/modules/apps/gnome.if -@@ -37,8 +37,26 @@ interface(`gnome_role',` +@@ -37,8 +37,7 @@ interface(`gnome_role',` ######################################## ## -## Execute gconf programs in -## in the caller domain. +## gconf connection template. -+## -+## -+## -+## The type of the user domain. -+## -+## -+# -+interface(`gnome_stream_connect_gconf',` -+ gen_require(` -+ type gconfd_t, gconf_tmp_t; -+ ') -+ -+ read_files_pattern($1, gconf_tmp_t, gconf_tmp_t) -+ allow $1 gconfd_t:unix_stream_socket connectto; -+') -+ -+######################################## -+## -+## Run gconfd in gconfd domain. ## ## ## -@@ -46,75 +64,124 @@ interface(`gnome_role',` +@@ -46,37 +45,36 @@ interface(`gnome_role',` ## ## # -interface(`gnome_exec_gconf',` -+interface(`gnome_domtrans_gconfd',` ++interface(`gnome_stream_connect_gconf',` gen_require(` - type gconfd_exec_t; -+ type gconfd_t, gconfd_exec_t; ++ type gconfd_t, gconf_tmp_t; ') - can_exec($1, gconfd_exec_t) -+ domtrans_pattern($1, gconfd_exec_t, gconfd_t) -+') -+ -+######################################## -+## -+## Dontaudit search gnome homedir content (.config) -+## -+## -+## -+## The type of the user domain. -+## -+## -+# -+interface(`gnome_dontaudit_search_config',` -+ gen_require(` -+ attribute gnome_home_type; -+ ') -+ -+ dontaudit $1 gnome_home_type:dir search_dir_perms; ++ read_files_pattern($1, gconf_tmp_t, gconf_tmp_t) ++ allow $1 gconfd_t:unix_stream_socket connectto; ') ######################################## ## -## Read gconf config files. -+## manage gnome homedir content (.config) ++## Run gconfd in gconfd domain. ## - ## - ## -+## The type of the user domain. 
-+## -+## -+# -+interface(`gnome_manage_config',` -+ gen_require(` -+ attribute gnome_home_type; -+ ') -+ -+ allow $1 gnome_home_type:dir manage_dir_perms; -+ allow $1 gnome_home_type:file manage_file_perms; -+ allow $1 gnome_home_type:lnk_file manage_lnk_file_perms; -+ userdom_search_user_home_dirs($1) -+') -+ -+######################################## -+## -+## Send general signals to all gconf domains. -+## +-## +## -+## + ## ## Domain allowed access. ## ## # -template(`gnome_read_gconf_config',` -+interface(`gnome_signal_all',` ++interface(`gnome_domtrans_gconfd',` gen_require(` - type gconf_etc_t; -+ attribute gnomedomain; ++ type gconfd_t, gconfd_exec_t; ') - allow $1 gconf_etc_t:dir list_dir_perms; - read_files_pattern($1, gconf_etc_t, gconf_etc_t) - files_search_etc($1) -+ allow $1 gnomedomain:process signal; ++ domtrans_pattern($1, gconfd_exec_t, gconfd_t) ') -####################################### +######################################## ## -## Create, read, write, and delete gconf config files. -+## Create objects in a Gnome cache home directory -+## with an automatic type transition to -+## a specified private type. ++## Dontaudit search gnome homedir content (.config) ## ## ## - ## Domain allowed access. +@@ -84,37 +82,38 @@ template(`gnome_read_gconf_config',` ## ## -+## -+## -+## The type of the object to create. -+## -+## -+## -+## -+## The class of the object to be created. -+## -+## # -interface(`gnome_manage_gconf_config',` -+interface(`gnome_cache_filetrans',` ++interface(`gnome_dontaudit_search_config',` gen_require(` - type gconf_etc_t; -+ type cache_home_t; ++ attribute gnome_home_type; ') - manage_files_pattern($1, gconf_etc_t, gconf_etc_t) - files_search_etc($1) -+ filetrans_pattern($1, cache_home_t, $2, $3) -+ userdom_search_user_home_dirs($1) ++ dontaudit $1 gnome_home_type:dir search_dir_perms; ') ######################################## ## -## gconf connection template. 
-+## Read generic cache home files (.cache) ++## manage gnome homedir content (.config) ## -## +## 
@@ -2521,37 +2388,107 @@ index f5afe78..ffd9870 100644 ## # -interface(`gnome_stream_connect_gconf',` -+interface(`gnome_read_generic_cache_files',` ++interface(`gnome_manage_config',` gen_require(` - type gconfd_t, gconf_tmp_t; -+ type cache_home_t; ++ attribute gnome_home_type; ') - read_files_pattern($1, gconf_tmp_t, gconf_tmp_t) - allow $1 gconfd_t:unix_stream_socket connectto; -+ read_files_pattern($1, cache_home_t, cache_home_t) ++ allow $1 gnome_home_type:dir manage_dir_perms; ++ allow $1 gnome_home_type:file manage_file_perms; ++ allow $1 gnome_home_type:lnk_file manage_lnk_file_perms; + userdom_search_user_home_dirs($1) ') ######################################## ## -## Run gconfd in gconfd domain. -+## Set attributes of cache home dir (.cache) ++## Send general signals to all gconf domains. ## ## ## -@@ -122,12 +189,71 @@ interface(`gnome_stream_connect_gconf',` +@@ -122,12 +121,139 @@ interface(`gnome_stream_connect_gconf',` ## ## # -interface(`gnome_domtrans_gconfd',` -+interface(`gnome_setattr_cache_home_dir',` ++interface(`gnome_signal_all',` gen_require(` - type gconfd_t, gconfd_exec_t; -+ type cache_home_t; ++ attribute gnomedomain; ') - domtrans_pattern($1, gconfd_exec_t, gconfd_t) ++ allow $1 gnomedomain:process signal; ++') ++ ++######################################## ++## ++## Create objects in a Gnome cache home directory ++## with an automatic type transition to ++## a specified private type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The type of the object to create. ++## ++## ++## ++## ++## The class of the object to be created. ++## ++## ++# ++interface(`gnome_cache_filetrans',` ++ gen_require(` ++ type cache_home_t; ++ ') ++ ++ filetrans_pattern($1, cache_home_t, $2, $3) ++ userdom_search_user_home_dirs($1) ++') ++ ++######################################## ++## ++## Read generic cache home files (.cache) ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`gnome_read_generic_cache_files',` ++ gen_require(` ++ type cache_home_t; ++ ') ++ ++ read_files_pattern($1, cache_home_t, cache_home_t) ++ userdom_search_user_home_dirs($1) ++') ++ ++######################################## ++## ++## Set attributes of cache home dir (.cache) ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_setattr_cache_home_dir',` ++ gen_require(` ++ type cache_home_t; ++ ') ++ + setattr_dirs_pattern($1, cache_home_t, cache_home_t) + userdom_search_user_home_dirs($1) +') @@ -2598,9 +2535,9 @@ index f5afe78..ffd9870 100644 +## +## read gnome homedir content (.config) +## -+## ++## +## -+## The type of the user domain. ++## Domain allowed access. +## +## +# @@ -2615,7 +2552,7 @@ index f5afe78..ffd9870 100644 ') ######################################## -@@ -151,40 +277,288 @@ interface(`gnome_setattr_config_dirs',` +@@ -151,40 +277,306 @@ interface(`gnome_setattr_config_dirs',` ######################################## ## @@ -2623,13 +2560,12 @@ index f5afe78..ffd9870 100644 +## Create objects in a Gnome gconf home directory +## with an automatic type transition to +## a specified private type. - ## --## ++## +## - ## - ## Domain allowed access. - ## - ## ++## ++## Domain allowed access. ++## ++## +## +## +## The type of the object to create. 
@@ -2640,24 +2576,18 @@ index f5afe78..ffd9870 100644 +## The class of the object to be created. +## +## - # --template(`gnome_read_config',` ++# +interface(`gnome_data_filetrans',` - gen_require(` -- type gnome_home_t; ++ gen_require(` + type data_home_t; - ') - -- list_dirs_pattern($1, gnome_home_t, gnome_home_t) -- read_files_pattern($1, gnome_home_t, gnome_home_t) -- read_lnk_files_pattern($1, gnome_home_t, gnome_home_t) ++ ') ++ + filetrans_pattern($1, data_home_t, $2, $3) + gnome_search_gconf($1) - ') - - ######################################## - ## --## manage gnome homedir content (.config) ++') ++ ++######################################## ++## +## Create gconf_home_t objects in the /root directory +## +## @@ -2683,9 +2613,9 @@ index f5afe78..ffd9870 100644 +## +## read gconf config files ## - ## - ## -+## The type of the user domain. ++## ++## ++## Domain allowed access. +## +## +# @@ -2724,19 +2654,15 @@ index f5afe78..ffd9870 100644 +## +## +## - ## Domain allowed access. - ## - ## - # --interface(`gnome_manage_config',` ++## Domain allowed access. ++## ++## ++# +interface(`gnome_exec_gconf',` - gen_require(` -- type gnome_home_t; ++ gen_require(` + type gconfd_exec_t; - ') - -- allow $1 gnome_home_t:dir manage_dir_perms; -- allow $1 gnome_home_t:file manage_file_perms; ++ ') ++ + can_exec($1, gconfd_exec_t) +') + @@ -2766,9 +2692,9 @@ index f5afe78..ffd9870 100644 +## +## search gconf homedir (.local) +## -+## ++## +## -+## The type of the domain. ++## Domain allowed access. +## +## +# @@ -2778,8 +2704,8 @@ index f5afe78..ffd9870 100644 + ') + + allow $1 gconf_home_t:dir search_dir_perms; - userdom_search_user_home_dirs($1) - ') ++ userdom_search_user_home_dirs($1) ++') + +######################################## +## @@ -2827,8 +2753,8 @@ index f5afe78..ffd9870 100644 +## Domain allowed access. +## +## -+## -+## + ## + ## +## The type of the user domain. +## +## 
@@ -2846,17 +2772,22 @@ index f5afe78..ffd9870 100644 +## +## list gnome homedir content (.config) +## -+## ++## +## -+## The type of the user domain. -+## -+## -+# + ## Domain allowed access. + ## + ## + # +-template(`gnome_read_config',` +template(`gnome_list_home_config',` -+ gen_require(` + gen_require(` +- type gnome_home_t; + type config_home_t; -+ ') -+ + ') + +- list_dirs_pattern($1, gnome_home_t, gnome_home_t) +- read_files_pattern($1, gnome_home_t, gnome_home_t) +- read_lnk_files_pattern($1, gnome_home_t, gnome_home_t) + allow $1 config_home_t:dir list_dir_perms; +') + @@ -2864,9 +2795,9 @@ index f5afe78..ffd9870 100644 +## +## read gnome homedir content (.config) +## -+## ++## +## -+## The type of the user domain. ++## Domain allowed access. +## +## +# @@ -2876,6 +2807,30 @@ index f5afe78..ffd9870 100644 + ') + + read_files_pattern($1, config_home_t, config_home_t) + ') + + ######################################## + ## + ## manage gnome homedir content (.config) + ## +-## ++## + ## + ## Domain allowed access. + ## + ## + # +-interface(`gnome_manage_config',` ++template(`gnome_manage_home_config',` + gen_require(` +- type gnome_home_t; ++ type config_home_t; + ') + +- allow $1 gnome_home_t:dir manage_dir_perms; +- allow $1 gnome_home_t:file manage_file_perms; +- userdom_search_user_home_dirs($1) ++ manage_files_pattern($1, config_home_t, config_home_t) +') + +######################################## @@ -2915,7 +2870,7 @@ index f5afe78..ffd9870 100644 + + allow $1 gconfdefaultsm_t:dbus send_msg; + allow gconfdefaultsm_t $1:dbus send_msg; -+') + ') diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te index 35f7486..26852d2 100644 --- a/policy/modules/apps/gnome.te @@ -3071,10 +3026,19 @@ index e9853d4..717d163 100644 /usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0) /usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0) 
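Review bot: `template(`gnome_manage_home_config',`` in the last hunk of this section derives no per-role types and only uses `$1`, so by refpolicy convention it should be `interface(`gnome_manage_home_config',``; `template(`gnome_list_home_config',`` a few lines earlier has the same problem. The new body grants only `manage_files_pattern($1, config_home_t, config_home_t)`, with no directory permissions on config_home_t and no `userdom_search_user_home_dirs($1)`, whereas gnome_manage_config in the same file carries both; a caller such as mozilla_plugin_t (added later in this patch) can then create files but presumably not directories under ~/.config, and reaches them only if it gets the home-dir search from elsewhere. If that narrowing is deliberate, say so in the doc block; otherwise add `manage_dirs_pattern($1, config_home_t, config_home_t)` and `userdom_search_user_home_dirs($1)` alongside the files rule.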
diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if -index 40e0a2a..7c48fc5 100644 +index 40e0a2a..13d939a 100644 --- a/policy/modules/apps/gpg.if +++ b/policy/modules/apps/gpg.if -@@ -85,6 +85,43 @@ interface(`gpg_domtrans',` +@@ -54,6 +54,8 @@ interface(`gpg_role',` + manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) + relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t) + ++ allow gpg_pinentry_t $2:fifo_file { read write }; ++ + optional_policy(` + gpg_pinentry_dbus_chat($2) + ') +@@ -85,6 +87,43 @@ interface(`gpg_domtrans',` domtrans_pattern($1, gpg_exec_t, gpg_t) ') @@ -3678,7 +3642,7 @@ index 93ac529..aafece7 100644 /usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib(64)?/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if -index 9a6d67d..99a3d49 100644 +index 9a6d67d..47aa143 100644 --- a/policy/modules/apps/mozilla.if +++ b/policy/modules/apps/mozilla.if @@ -29,6 +29,8 @@ interface(`mozilla_role',` @@ -3712,7 +3676,7 @@ index 9a6d67d..99a3d49 100644 ') ######################################## -@@ -168,6 +176,50 @@ interface(`mozilla_domtrans',` +@@ -168,6 +176,52 @@ interface(`mozilla_domtrans',` ######################################## ## @@ -3756,6 +3720,8 @@ index 9a6d67d..99a3d49 100644 + + mozilla_domtrans_plugin($1) + role $2 types mozilla_plugin_t; ++ ++ allow mozilla_plugin_t $1:process signull; +') + +######################################## @@ -3764,7 +3730,7 @@ index 9a6d67d..99a3d49 100644 ## mozilla over dbus. ## diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index cbf4bec..b2e4e0c 100644 +index cbf4bec..58899ca 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -25,6 +25,7 @@ files_config_file(mozilla_conf_t) 
@@ -3775,7 +3741,7 @@ index cbf4bec..b2e4e0c 100644 userdom_user_home_content(mozilla_home_t) type mozilla_tmpfs_t; -@@ -33,6 +34,13 @@ typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_ +@@ -33,6 +34,20 @@ typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_ files_tmpfs_file(mozilla_tmpfs_t) ubac_constrained(mozilla_tmpfs_t) @@ -3784,12 +3750,19 @@ index cbf4bec..b2e4e0c 100644 +application_domain(mozilla_plugin_t, mozilla_plugin_exec_t) +role system_r types mozilla_plugin_t; + ++type mozilla_plugin_tmp_t; ++files_tmp_file(mozilla_plugin_tmp_t) ++ ++type mozilla_plugin_tmpfs_t; ++files_tmpfs_file(mozilla_plugin_tmpfs_t) ++ubac_constrained(mozilla_plugin_tmpfs_t) ++ +permissive mozilla_plugin_t; + ######################################## # # Local policy -@@ -89,16 +97,20 @@ corenet_tcp_sendrecv_generic_node(mozilla_t) +@@ -89,16 +104,20 @@ corenet_tcp_sendrecv_generic_node(mozilla_t) corenet_raw_sendrecv_generic_node(mozilla_t) corenet_tcp_sendrecv_http_port(mozilla_t) corenet_tcp_sendrecv_http_cache_port(mozilla_t) @@ -3810,7 +3783,7 @@ index cbf4bec..b2e4e0c 100644 corenet_sendrecv_ftp_client_packets(mozilla_t) corenet_sendrecv_ipp_client_packets(mozilla_t) corenet_sendrecv_generic_client_packets(mozilla_t) -@@ -238,6 +250,7 @@ optional_policy(` +@@ -238,6 +257,7 @@ optional_policy(` optional_policy(` gnome_stream_connect_gconf(mozilla_t) gnome_manage_config(mozilla_t) @@ -3818,7 +3791,7 @@ index cbf4bec..b2e4e0c 100644 ') optional_policy(` -@@ -258,6 +271,11 @@ optional_policy(` +@@ -258,6 +278,11 @@ optional_policy(` ') optional_policy(` @@ -3830,7 +3803,7 @@ index cbf4bec..b2e4e0c 100644 pulseaudio_exec(mozilla_t) pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) -@@ -266,3 +284,46 @@ optional_policy(` +@@ -266,3 +291,78 @@ optional_policy(` optional_policy(` thunderbird_domtrans(mozilla_t) ') 
@@ -3839,7 +3812,7 @@ index cbf4bec..b2e4e0c 100644 +# +# mozilla_plugin local policy +# -+allow mozilla_plugin_t self:process setsched; ++allow mozilla_plugin_t self:process { setsched signal_perms execmem }; + +allow mozilla_plugin_t self:sem create_sem_perms; +allow mozilla_plugin_t self:shm create_shm_perms; @@ -3848,6 +3821,16 @@ index cbf4bec..b2e4e0c 100644 + +read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) + ++manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) ++manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t) ++files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file }) ++ ++manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) ++manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) ++manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) ++manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t) ++fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file }) ++ +kernel_read_kernel_sysctls(mozilla_plugin_t) +kernel_read_system_state(mozilla_plugin_t) +kernel_request_load_module(mozilla_plugin_t) @@ -3856,6 +3839,8 @@ index cbf4bec..b2e4e0c 100644 +corecmd_exec_shell(mozilla_plugin_t) + +dev_read_urand(mozilla_plugin_t) ++dev_read_video_dev(mozilla_plugin_t) ++dev_read_sysfs(mozilla_plugin_t) + +domain_use_interactive_fds(mozilla_plugin_t) +domain_dontaudit_read_all_domains_state(mozilla_plugin_t) 
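Review bot: `allow mozilla_plugin_t self:process { setsched signal_perms execmem };` adds execmem to the plugin container, which removes the W^X memory restriction for every plugin that runs in that domain rather than only the one needing it, and the hunk carries no comment saying which plugin or bug required it. The domain is still declared `permissive mozilla_plugin_t;` (context in the earlier hunk that adds mozilla_plugin_tmp_t, even though the commit message says permissive domains were removed), so neither this rule nor the tmp/tmpfs and video-device rules in the following hunks are being enforced yet, and an execmem denial could not have been observed as a real blocker. Suggest a why-comment on the rule, e.g. `# execmem: required by PLUGIN-NAME for its JIT (bug BUG-ID)`, and, if the policy has a tunable for plugin execmem, placing the rule under it. The mozilla_plugin local policy block continues past the end of this hunk.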
@@ -3863,14 +3848,34 @@ index cbf4bec..b2e4e0c 100644 +files_read_config_files(mozilla_plugin_t) +files_read_usr_files(mozilla_plugin_t) + ++fs_getattr_tmpfs(mozilla_plugin_t) ++ +miscfiles_read_localization(mozilla_plugin_t) ++miscfiles_read_fonts(mozilla_plugin_t) + +term_getattr_all_ttys(mozilla_plugin_t) +term_getattr_all_ptys(mozilla_plugin_t) + ++userdom_rw_user_tmpfs_files(mozilla_plugin_t) ++userdom_stream_connect(mozilla_plugin_t) ++userdom_dontaudit_use_user_ptys(mozilla_plugin_t) ++ ++optional_policy(` ++ dbus_read_lib_files(mozilla_plugin_t) ++') ++ ++optional_policy(` ++ gnome_manage_home_config(mozilla_plugin_t) ++') ++ +optional_policy(` + nsplugin_domtrans(mozilla_plugin_t) + nsplugin_rw_exec(mozilla_plugin_t) ++ nsplugin_manage_home_files(mozilla_plugin_t) ++') ++ ++optional_policy(` ++ pulseaudio_rw_home_files(mozilla_plugin_t) +') + +optional_policy(` @@ -3979,10 +3984,10 @@ index 0000000..63abc5c +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) diff --git a/policy/modules/apps/nsplugin.if b/policy/modules/apps/nsplugin.if new file mode 100644 -index 0000000..74c624e +index 0000000..4dd9d05 --- /dev/null +++ b/policy/modules/apps/nsplugin.if -@@ -0,0 +1,391 @@ +@@ -0,0 +1,374 @@ + +## policy for nsplugin + @@ -4030,21 +4035,9 @@ index 0000000..74c624e +## +## The per role template for the nsplugin module. +## -+## -+##

-+## This template creates a derived domains which are used -+## for nsplugin web browser. -+##

-+##

-+## This template is invoked automatically for each user, and -+## generally does not need to be invoked directly -+## by policy writers. -+##

-+##
-+## ++## +## -+## The prefix of the user domain (e.g., user -+## is the prefix for user_t). ++## The role associated with the user domain. +## +## +## @@ -4052,11 +4045,6 @@ index 0000000..74c624e +## The type of the user domain. +##
+## -+## -+## -+## The role associated with the user domain. -+## -+## +# +interface(`nsplugin_role_notrans',` + gen_require(` @@ -4376,10 +4364,10 @@ index 0000000..74c624e +') diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te new file mode 100644 -index 0000000..b4f0852 +index 0000000..23890a7 --- /dev/null +++ b/policy/modules/apps/nsplugin.te -@@ -0,0 +1,307 @@ +@@ -0,0 +1,308 @@ +policy_module(nsplugin, 1.0.0) + +######################################## @@ -4511,6 +4499,7 @@ index 0000000..b4f0852 +fs_list_inotifyfs(nsplugin_t) + +storage_dontaudit_getattr_fixed_disk_dev(nsplugin_t) ++storage_dontaudit_getattr_removable_dev(nsplugin_t) + +term_dontaudit_getattr_all_ptys(nsplugin_t) +term_dontaudit_getattr_all_ttys(nsplugin_t) @@ -5445,10 +5434,10 @@ index 0000000..c20d303 +') diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te new file mode 100644 -index 0000000..8d4ac56 +index 0000000..942bb30 --- /dev/null +++ b/policy/modules/apps/sandbox.te -@@ -0,0 +1,403 @@ +@@ -0,0 +1,400 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; @@ -5683,7 +5672,6 @@ index 0000000..8d4ac56 +userdom_read_user_home_content_symlinks(sandbox_x_domain) +userdom_search_user_home_content(sandbox_x_domain) + -+#============= sandbox_x_t ============== +files_search_home(sandbox_x_t) +userdom_use_user_ptys(sandbox_x_t) + @@ -5737,7 +5725,6 @@ index 0000000..8d4ac56 +dev_write_sound(sandbox_web_type) +dev_read_sound(sandbox_web_type) + -+# Browse the web, connect to printer +corenet_all_recvfrom_unlabeled(sandbox_web_type) +corenet_all_recvfrom_netlabel(sandbox_web_type) +corenet_tcp_sendrecv_all_if(sandbox_web_type) 
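Review bot: The sandbox.te hunk `@@ -5737,7 +5725,6 @@` deletes the `# Browse the web, connect to printer` comment that introduced the sandbox_web_type corenet rules, the following hunk `@@ -5767,7 +5754,7 @@` replaces `# Should not need other ports` above `corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_type)` with a blank line, and `@@ -5683,7 +5672,6 @@` drops the `#============= sandbox_x_t ==============` section banner. Those comments are the only record of why the sandboxed browser domain gets exactly the http/ftp/ipp client ports and dontaudits everything else, which is what someone tightening or debugging the sandbox later needs to know. Unless the removals are a deliberate normalisation against the upstream file, keep the two rationale comments, at minimum `# Should not need other ports`, so the dontaudit is not mistaken for an oversight.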
@@ -5767,7 +5754,7 @@ index 0000000..8d4ac56 +corenet_sendrecv_ftp_client_packets(sandbox_web_type) +corenet_sendrecv_ipp_client_packets(sandbox_web_type) +corenet_sendrecv_generic_client_packets(sandbox_web_type) -+# Should not need other ports ++ +corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_type) +corenet_dontaudit_tcp_bind_generic_port(sandbox_web_type) + @@ -5851,7 +5838,6 @@ index 0000000..8d4ac56 + mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t) + mozilla_dontaudit_rw_user_home_files(sandbox_x_domain) +') -+ diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if index 1dc7a85..7455c19 100644 --- a/policy/modules/apps/seunshare.if @@ -6190,10 +6176,10 @@ index 0000000..3d12484 +') diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te new file mode 100644 -index 0000000..7e8fd3a +index 0000000..c7250ae --- /dev/null +++ b/policy/modules/apps/telepathy.te -@@ -0,0 +1,316 @@ +@@ -0,0 +1,320 @@ + +policy_module(telepathy, 1.0.0) + @@ -6249,11 +6235,13 @@ index 0000000..7e8fd3a +files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file }) +userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file }) +userdom_dontaudit_setattr_user_tmp(telepathy_msn_t) ++can_exec(telepathy_msn_t, telepathy_msn_tmp_t) + +corenet_sendrecv_http_client_packets(telepathy_msn_t) +corenet_sendrecv_msnp_client_packets(telepathy_msn_t) +corenet_tcp_connect_http_port(telepathy_msn_t) +corenet_tcp_connect_msnp_port(telepathy_msn_t) ++corenet_tcp_connect_sametime_port(telepathy_msn_t) + +corecmd_exec_bin(telepathy_msn_t) +corecmd_exec_shell(telepathy_msn_t) @@ -6268,6 +6256,8 @@ index 0000000..7e8fd3a + +auth_use_nsswitch(telepathy_msn_t) + ++libs_exec_ldconfig(telepathy_msn_t) ++ +logging_send_syslog_msg(telepathy_msn_t) + +miscfiles_read_certs(telepathy_msn_t) 
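Review bot: `can_exec(telepathy_msn_t, telepathy_msn_tmp_t)` lets the MSN connection manager execute files it has itself written under its own tmp type, so a network-facing protocol parser can now run whatever lands in its tmp directory inside its own domain, which is exactly what its confinement previously prevented. The commit message states the need ("execute ldconfig and its own tmp files") but not which component writes the executable, so the rule reads as a blanket grant rather than a specific one. Add a why-comment naming it, e.g. `# COMPONENT-NAME unpacks and runs a helper from its tmp dir`, and consider placing the rule under a tunable so deployments that do not use that feature keep the stricter policy; `libs_exec_ldconfig(telepathy_msn_t)` in the next hunk deserves the same one-line justification.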
@@ -6318,7 +6308,7 @@ index 0000000..7e8fd3a +dev_read_rand(telepathy_gabble_t) +dev_read_urand(telepathy_gabble_t) + -+files_read_etc_files(telepathy_gabble_t) ++files_read_config_files(telepathy_gabble_t) +files_read_usr_files(telepathy_gabble_t) + +miscfiles_read_certs(telepathy_gabble_t) @@ -6661,7 +6651,7 @@ index 5872ea2..028c994 100644 /var/run/vmnat.* -s gen_context(system_u:object_r:vmware_var_run_t,s0) /var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0) diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te -index 1f803bb..ab99aa0 100644 +index 1f803bb..8a97303 100644 --- a/policy/modules/apps/vmware.te +++ b/policy/modules/apps/vmware.te @@ -126,6 +126,7 @@ dev_getattr_all_blk_files(vmware_host_t) @@ -6672,6 +6662,17 @@ index 1f803bb..ab99aa0 100644 domain_use_interactive_fds(vmware_host_t) domain_dontaudit_read_all_domains_state(vmware_host_t) +@@ -159,7 +160,10 @@ netutils_domtrans_ping(vmware_host_t) + + optional_policy(` + seutil_sigchld_newrole(vmware_host_t) ++') + ++optional_policy(` ++ shutdown_domtrans(vmware_host_t) + ') + + optional_policy(` diff --git a/policy/modules/apps/wine.fc b/policy/modules/apps/wine.fc index 9d24449..9782698 100644 --- a/policy/modules/apps/wine.fc @@ -6820,7 +6821,7 @@ index 82842a0..369c3b5 100644 dbus_system_bus_client($1_wm_t) dbus_session_bus_client($1_wm_t) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 0eb1d97..a71e2d5 100644 +index 0eb1d97..b267560 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -9,8 +9,11 @@ 
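Review bot: `shutdown_domtrans(vmware_host_t)` in the vmware.te hunk lets the VMware host daemons transition into the shutdown domain, i.e. power off or reboot the host, and it is neither mentioned in the commit message nor explained in the hunk. If this is the vmware tools relaying a shutdown request (which seems likely but the hunk cannot confirm), a comment such as `# vmware-tools relays guest/host shutdown requests` would record that; otherwise a daemon domain that otherwise handles VM networking is gaining a host-wide capability beyond its role.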
@@ -6845,7 +6846,16 @@ index 0eb1d97..a71e2d5 100644 /etc/profile.d(/.*)? gen_context(system_u:object_r:bin_t,s0) /etc/xen/qemu-ifup -- gen_context(system_u:object_r:bin_t,s0) /etc/xen/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -126,6 +132,7 @@ ifdef(`distro_gentoo',` +@@ -109,6 +115,8 @@ ifdef(`distro_debian',` + /etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0) + ') + ++/etc/vmware-tools(/.*)? gen_context(system_u:object_r:bin_t,s0) ++ + # + # /lib + # +@@ -126,6 +134,7 @@ ifdef(`distro_gentoo',` /lib/rcscripts/net\.modules\.d/helpers\.d/dhclient-.* -- gen_context(system_u:object_r:bin_t,s0) /lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0) ') @@ -6853,7 +6863,7 @@ index 0eb1d97..a71e2d5 100644 # # /sbin -@@ -145,6 +152,10 @@ ifdef(`distro_gentoo',` +@@ -145,6 +154,10 @@ ifdef(`distro_gentoo',` /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -6864,7 +6874,7 @@ index 0eb1d97..a71e2d5 100644 ifdef(`distro_gentoo',` /opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0) /opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -169,6 +180,7 @@ ifdef(`distro_gentoo',` +@@ -169,6 +182,7 @@ ifdef(`distro_gentoo',` /usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -6872,7 +6882,7 @@ index 0eb1d97..a71e2d5 100644 /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -220,6 +232,7 @@ ifdef(`distro_gentoo',` +@@ -220,6 +234,7 @@ ifdef(`distro_gentoo',` /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) 
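Review bot: `/etc/vmware-tools(/.*)? gen_context(system_u:object_r:bin_t,s0)` labels the whole /etc/vmware-tools tree, configuration files included, as bin_t, and it sits at top level right after the `ifdef(`distro_debian'` block, so it applies unconditionally on every distribution. bin_t content is executable by every domain with corecmd_exec_bin, so if that tree holds editable configuration (the /etc location suggests it, but this hunk cannot confirm), plain data becomes runnable code for those domains and loses the etc_t protections. If only the scripts under it need to execute, narrow the pattern to those paths, following the `/etc/xen/scripts(/.*)?` entry visible above; the change is also absent from the commit message, so at least name the need in a comment.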
@@ -6880,7 +6890,7 @@ index 0eb1d97..a71e2d5 100644 /usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/share/denyhosts/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/denyhosts/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -228,6 +241,8 @@ ifdef(`distro_gentoo',` +@@ -228,6 +243,8 @@ ifdef(`distro_gentoo',` /usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0) /usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -6889,7 +6899,7 @@ index 0eb1d97..a71e2d5 100644 /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -314,6 +329,7 @@ ifdef(`distro_redhat', ` +@@ -314,6 +331,7 @@ ifdef(`distro_redhat', ` /usr/share/texmf/web2c/mktexdir -- gen_context(system_u:object_r:bin_t,s0) /usr/share/texmf/web2c/mktexnam -- gen_context(system_u:object_r:bin_t,s0) /usr/share/texmf/web2c/mktexupd -- gen_context(system_u:object_r:bin_t,s0) @@ -6897,7 +6907,7 @@ index 0eb1d97..a71e2d5 100644 ') ifdef(`distro_suse', ` -@@ -340,3 +356,27 @@ ifdef(`distro_suse', ` +@@ -340,3 +358,27 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -6957,7 +6967,7 @@ index 9e5c83e..953e0e8 100644 +/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0) +/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 2ecdde8..f118873 100644 +index 2ecdde8..bb4adcb 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -24,6 +24,7 @@ dev_node(ppp_device_t) 
@@ -7079,7 +7089,7 @@ index 2ecdde8..f118873 100644 network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pulseaudio, tcp,4713,s0) -@@ -174,24 +194,27 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0) +@@ -174,24 +194,28 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0) network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) network_port(rlogind, tcp,513,s0) network_port(rndc, tcp,953,s0) @@ -7089,6 +7099,7 @@ index 2ecdde8..f118873 100644 network_port(rsync, tcp,873,s0, udp,873,s0) network_port(rwho, udp,513,s0) network_port(sap, tcp,9875,s0, udp,9875,s0) ++network_port(sametime, tcp,1533,s0, udp,1533,s0) network_port(sieve, tcp,4190,s0) -network_port(sip, tcp,5060,s0, udp,5060,s0, tcp,5061,s0, udp,5061,s0) +network_port(sip, tcp,5060-5061,s0, udp,5060-5061,s0) @@ -7111,7 +7122,7 @@ index 2ecdde8..f118873 100644 network_port(syslogd, udp,514,s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) -@@ -201,16 +224,17 @@ network_port(transproxy, tcp,8081,s0) +@@ -201,16 +225,17 @@ network_port(transproxy, tcp,8081,s0) network_port(ups, tcp,3493,s0) type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon network_port(uucpd, tcp,540,s0) @@ -7133,19 +7144,18 @@ index 2ecdde8..f118873 100644 network_port(zope, tcp,8021,s0) diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc -index 3b2da10..18f3f4c 100644 +index 3b2da10..7c29e17 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc -@@ -159,6 +159,8 @@ ifdef(`distro_suse', ` +@@ -159,6 +159,7 @@ ifdef(`distro_suse', ` /dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) -+/dev/hugepages(/.*)? <> +/dev/mqueue(/.*)? <> /dev/pts(/.*)? <> /dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0) -@@ -176,13 +178,12 @@ ifdef(`distro_suse', ` +@@ -176,13 +177,12 @@ ifdef(`distro_suse', ` /etc/udev/devices -d gen_context(system_u:object_r:device_t,s0) 
@@ -7161,7 +7171,7 @@ index 3b2da10..18f3f4c 100644 ifdef(`distro_redhat',` # originally from named.fc -@@ -191,3 +192,8 @@ ifdef(`distro_redhat',` +@@ -191,3 +191,8 @@ ifdef(`distro_redhat',` /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0) /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) ') @@ -7171,10 +7181,35 @@ index 3b2da10..18f3f4c 100644 +# +/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 8b09281..e896bf7 100644 +index 8b09281..3fb8756 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if -@@ -498,6 +498,24 @@ interface(`dev_getattr_generic_chr_files',` +@@ -318,6 +318,24 @@ interface(`dev_dontaudit_getattr_generic_files',` + + ######################################## + ## ++## read generic files in /dev. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`dev_read_generic_files',` ++ gen_require(` ++ type device_t; ++ ') ++ ++ read_files_pattern($1, device_t, device_t) ++') ++ ++######################################## ++## + ## Read and write generic files in /dev. + ## + ## +@@ -498,6 +516,24 @@ interface(`dev_getattr_generic_chr_files',` ######################################## ## @@ -7199,7 +7234,7 @@ index 8b09281..e896bf7 100644 ## Dontaudit getattr for generic character device files. ## ## -@@ -534,6 +552,24 @@ interface(`dev_dontaudit_setattr_generic_chr_files',` +@@ -534,6 +570,24 @@ interface(`dev_dontaudit_setattr_generic_chr_files',` ######################################## ## @@ -7224,7 +7259,7 @@ index 8b09281..e896bf7 100644 ## Read and write generic character device files. ## ## -@@ -552,6 +588,24 @@ interface(`dev_rw_generic_chr_files',` +@@ -552,6 +606,24 @@ interface(`dev_rw_generic_chr_files',` ######################################## ## 
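Review bot: The parameter description of the new `dev_read_generic_files` interface in the devices.if hunk reads `Domain to not audit.`, copied from the `dev_dontaudit_getattr_generic_files` interface just above it; this interface emits an allow rule (`read_files_pattern($1, device_t, device_t)`), so the line should read `Domain allowed access.` like the other allow interfaces in this file. The summary `read generic files in /dev.` should also be capitalized (`Read generic files in /dev.`) to match the neighbouring `Read and write generic files in /dev.` summary. Documentation only, no code change.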
@@ -7249,7 +7284,7 @@ index 8b09281..e896bf7 100644 ## Dontaudit attempts to read/write generic character device files. ## ## -@@ -661,6 +715,24 @@ interface(`dev_delete_generic_symlinks',` +@@ -661,6 +733,24 @@ interface(`dev_delete_generic_symlinks',` ######################################## ## @@ -7274,7 +7309,7 @@ index 8b09281..e896bf7 100644 ## Create, delete, read, and write symbolic links in device directories. ## ## -@@ -1070,6 +1142,42 @@ interface(`dev_create_all_chr_files',` +@@ -1070,6 +1160,42 @@ interface(`dev_create_all_chr_files',` ######################################## ## @@ -7317,7 +7352,7 @@ index 8b09281..e896bf7 100644 ## Delete all block device files. ## ## -@@ -1332,6 +1440,24 @@ interface(`dev_getattr_autofs_dev',` +@@ -1332,6 +1458,24 @@ interface(`dev_getattr_autofs_dev',` ######################################## ## @@ -7342,7 +7377,7 @@ index 8b09281..e896bf7 100644 ## Do not audit attempts to get the attributes of ## the autofs device node. ## -@@ -3595,6 +3721,24 @@ interface(`dev_manage_smartcard',` +@@ -3595,6 +3739,24 @@ interface(`dev_manage_smartcard',` ######################################## ## @@ -7367,7 +7402,7 @@ index 8b09281..e896bf7 100644 ## Get the attributes of sysfs directories. ## ## -@@ -3737,6 +3881,24 @@ interface(`dev_rw_sysfs',` +@@ -3737,6 +3899,24 @@ interface(`dev_rw_sysfs',` ######################################## ## @@ -7392,7 +7427,7 @@ index 8b09281..e896bf7 100644 ## Read from pseudo random number generator devices (e.g., /dev/urandom). ## ## -@@ -3906,6 +4068,24 @@ interface(`dev_read_usbmon_dev',` +@@ -3906,6 +4086,24 @@ interface(`dev_read_usbmon_dev',` ######################################## ## @@ -7417,7 +7452,7 @@ index 8b09281..e896bf7 100644 ## Mount a usbfs filesystem. ## ## -@@ -4216,11 +4396,10 @@ interface(`dev_write_video_dev',` +@@ -4216,11 +4414,10 @@ interface(`dev_write_video_dev',` # interface(`dev_rw_vhost',` gen_require(` 
@@ -7496,7 +7531,7 @@ index aad8c52..09d4b31 100644 + dontaudit $1 domain:socket_class_set { read write }; +') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index 099f57f..ae62211 100644 +index 099f57f..d58ef64 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,21 @@ policy_module(domain, 1.8.1) @@ -7586,7 +7621,7 @@ index 099f57f..ae62211 100644 # Act upon any other process. allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap }; -@@ -160,3 +194,77 @@ allow unconfined_domain_type domain:key *; +@@ -160,3 +194,81 @@ allow unconfined_domain_type domain:key *; # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) @@ -7648,6 +7683,10 @@ index 099f57f..ae62211 100644 +') + +optional_policy(` ++ hal_dontaudit_read_pid_files(domain) ++') ++ ++optional_policy(` + ifdef(`hide_broken_symptoms',` + afs_rw_udp_sockets(domain) + ') @@ -8454,20 +8493,25 @@ index 07352a5..12e9ecf 100644 #Temporarily in policy until FC5 dissappears typealias etc_runtime_t alias firstboot_rw_t; diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc -index 9306de6..41dfd80 100644 +index 59bae6a..16f0f9e 100644 --- a/policy/modules/kernel/filesystem.fc +++ b/policy/modules/kernel/filesystem.fc -@@ -1,3 +1,4 @@ - /dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) +@@ -2,5 +2,10 @@ + /dev/shm/.* <> --/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) -+/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0) -+/sys/fs/cgroup(/.*)? <> + /cgroup -d gen_context(system_u:object_r:cgroup_t,s0) ++/cgroup/.* <> + ++/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0) + /sys/fs/cgroup(/.*)? <> ++ ++/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0) ++/dev/hugepages(/.*)? <> 
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index e3e17ba..3b34959 100644 +index 437a42a..8d6d333 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if -@@ -1233,7 +1233,7 @@ interface(`fs_dontaudit_rw_cifs_files',` +@@ -1241,7 +1241,7 @@ interface(`fs_dontaudit_rw_cifs_files',` type cifs_t; ') @@ -8476,7 +8520,7 @@ index e3e17ba..3b34959 100644 ') ######################################## -@@ -1496,6 +1496,25 @@ interface(`fs_cifs_domtrans',` +@@ -1504,6 +1504,25 @@ interface(`fs_cifs_domtrans',` domain_auto_transition_pattern($1, cifs_t, $2) ') @@ -8502,7 +8546,7 @@ index e3e17ba..3b34959 100644 ####################################### ## ## Create, read, write, and delete dirs -@@ -1923,7 +1942,26 @@ interface(`fs_read_fusefs_symlinks',` +@@ -1931,7 +1950,26 @@ interface(`fs_read_fusefs_symlinks',` ######################################## ## @@ -8530,7 +8574,7 @@ index e3e17ba..3b34959 100644 ## ## ## -@@ -1938,6 +1976,41 @@ interface(`fs_rw_hugetlbfs_files',` +@@ -1946,6 +1984,41 @@ interface(`fs_rw_hugetlbfs_files',` rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ') @@ -8572,7 +8616,7 @@ index e3e17ba..3b34959 100644 ######################################## ## -@@ -1991,6 +2064,7 @@ interface(`fs_list_inotifyfs',` +@@ -1999,6 +2072,7 @@ interface(`fs_list_inotifyfs',` ') allow $1 inotifyfs_t:dir list_dir_perms; @@ -8580,7 +8624,7 @@ index e3e17ba..3b34959 100644 ') ######################################## -@@ -2387,6 +2461,25 @@ interface(`fs_exec_nfs_files',` +@@ -2395,6 +2469,25 @@ interface(`fs_exec_nfs_files',` ######################################## ## @@ -8606,7 +8650,7 @@ index e3e17ba..3b34959 100644 ## Append files ## on a NFS filesystem. ## -@@ -2441,7 +2534,7 @@ interface(`fs_dontaudit_rw_nfs_files',` +@@ -2449,7 +2542,7 @@ interface(`fs_dontaudit_rw_nfs_files',` type nfs_t; ') 
@@ -8615,7 +8659,7 @@ index e3e17ba..3b34959 100644 ') ######################################## -@@ -2629,6 +2722,24 @@ interface(`fs_dontaudit_read_removable_files',` +@@ -2637,6 +2730,24 @@ interface(`fs_dontaudit_read_removable_files',` ######################################## ## @@ -8640,7 +8684,7 @@ index e3e17ba..3b34959 100644 ## Read removable storage symbolic links. ## ## -@@ -2837,7 +2948,7 @@ interface(`fs_dontaudit_manage_nfs_files',` +@@ -2845,7 +2956,7 @@ interface(`fs_dontaudit_manage_nfs_files',` ######################################### ## ## Create, read, write, and delete symbolic links @@ -8649,7 +8693,7 @@ index e3e17ba..3b34959 100644 ## ## ## -@@ -3962,6 +4073,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` +@@ -3970,6 +4081,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',` ######################################## ## @@ -8674,7 +8718,7 @@ index e3e17ba..3b34959 100644 ## Relabel character nodes on tmpfs filesystems. ## ## -@@ -4654,3 +4783,24 @@ interface(`fs_unconfined',` +@@ -4662,3 +4791,24 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -8700,7 +8744,7 @@ index e3e17ba..3b34959 100644 +') + diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index 56c3408..3f4cf3d 100644 +index 0dff98e..930062c 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -52,6 +52,7 @@ type anon_inodefs_t; @@ -10416,10 +10460,10 @@ index 0000000..8b2cdf3 + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..177e89c +index 0000000..799db36 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te -@@ -0,0 +1,462 @@ +@@ -0,0 +1,475 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -10437,6 +10481,13 @@ index 0000000..177e89c + +## +##

++## Allow vidio playing tools to tun unconfined ++##

++##
++gen_tunable(unconfined_mplayer, false) ++ ++## ++##

+## Allow a user to login as an unconfined domain +##

+##
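Review bot: The description of the new `unconfined_mplayer` boolean in the unconfineduser.te hunk, `Allow vidio playing tools to tun unconfined`, contains two typos that will be shown verbatim by `semanage boolean -l` and the setroubleshoot UI; it should read `Allow video playing tools to run unconfined`. The rest of this new file is outside the hunk, so also confirm the description matches what the boolean actually gates once it is wired up.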
@@ -10858,6 +10909,12 @@ index 0000000..177e89c + ') + + optional_policy(` ++ tunable_policy(`unconfined_login',` ++ mplayer_exec_domtrans(unconfined_t, unconfined_execmem_t) ++ ') ++ ') ++ ++ optional_policy(` + openoffice_exec_domtrans(unconfined_t, unconfined_execmem_t) + ') +') @@ -11645,7 +11702,7 @@ index cf34b4e..cc216a4 100644 kernel_read_kernel_sysctls(amavis_t) # amavis tries to access /proc/self/stat, /etc/shadow and /root - perl... diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc -index 9e39aa5..b37de8e 100644 +index 9e39aa5..8603d4d 100644 --- a/policy/modules/services/apache.fc +++ b/policy/modules/services/apache.fc @@ -2,7 +2,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u @@ -11693,7 +11750,7 @@ index 9e39aa5..b37de8e 100644 ifdef(`distro_debian', ` /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -@@ -109,3 +107,16 @@ ifdef(`distro_debian', ` +@@ -109,3 +107,17 @@ ifdef(`distro_debian', ` /var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) /var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) @@ -11705,16 +11762,17 @@ index 9e39aa5..b37de8e 100644 +/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) + +/var/lib/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) ++/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) + +/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) +/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0) +/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) 
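Review bot: The new mplayer transition in the unconfineduser.te hunk is gated on `unconfined_login`, but the boolean this same patch introduces for exactly this purpose, `unconfined_mplayer` (declared earlier in the file with the "Allow vidio playing tools to tun unconfined" description), is never referenced, so the new boolean is dead and whether mplayer runs as unconfined_execmem_t is now decided by the login boolean instead. The condition should be `tunable_policy(\`unconfined_mplayer',\``. The enclosing optional_policy block for unconfined_t begins before the hunk.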
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if -index c9e1a44..c96d035 100644 +index c9e1a44..2244b11 100644 --- a/policy/modules/services/apache.if +++ b/policy/modules/services/apache.if -@@ -13,17 +13,13 @@ +@@ -13,17 +13,14 @@ # template(`apache_content_template',` gen_require(` @@ -11727,14 +11785,21 @@ index c9e1a44..c96d035 100644 - # allow write access to public file transfer - # services files. - gen_tunable(allow_httpd_$1_script_anon_write, false) -- + #This type is for webpages - type httpd_$1_content_t, httpdcontent; # customizable + type httpd_$1_content_t; # customizable; typealias httpd_$1_content_t alias httpd_$1_script_ro_t; files_type(httpd_$1_content_t) -@@ -41,11 +37,11 @@ template(`apache_content_template',` +@@ -36,16 +33,18 @@ template(`apache_content_template',` + domain_type(httpd_$1_script_t) + role system_r types httpd_$1_script_t; + ++ search_dirs_pattern(httpd_$1_script_t, httpd_sys_content_t, httpd_script_exec_type) ++ + # This type is used for executable scripts files + type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable; corecmd_shell_entry_type(httpd_$1_script_t) domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t) @@ -11748,7 +11813,7 @@ index c9e1a44..c96d035 100644 typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t }; files_type(httpd_$1_ra_content_t) -@@ -54,7 +50,7 @@ template(`apache_content_template',` +@@ -54,7 +53,7 @@ template(`apache_content_template',` domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t) allow httpd_t { httpd_$1_content_t httpd_$1_rw_content_t httpd_$1_script_exec_t }:dir search_dir_perms; 
@@ -11757,7 +11822,7 @@ index c9e1a44..c96d035 100644 allow httpd_$1_script_t self:fifo_file rw_file_perms; allow httpd_$1_script_t self:unix_stream_socket connectto; -@@ -86,7 +82,6 @@ template(`apache_content_template',` +@@ -86,7 +85,6 @@ template(`apache_content_template',` manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) @@ -11765,7 +11830,7 @@ index c9e1a44..c96d035 100644 kernel_dontaudit_search_sysctl(httpd_$1_script_t) kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t) -@@ -95,6 +90,7 @@ template(`apache_content_template',` +@@ -95,6 +93,7 @@ template(`apache_content_template',` dev_read_urand(httpd_$1_script_t) corecmd_exec_all_executables(httpd_$1_script_t) @@ -11773,7 +11838,7 @@ index c9e1a44..c96d035 100644 files_exec_etc_files(httpd_$1_script_t) files_read_etc_files(httpd_$1_script_t) -@@ -108,19 +104,6 @@ template(`apache_content_template',` +@@ -108,19 +107,6 @@ template(`apache_content_template',` seutil_dontaudit_search_config(httpd_$1_script_t) @@ -11793,7 +11858,7 @@ index c9e1a44..c96d035 100644 # Allow the web server to run scripts and serve pages tunable_policy(`httpd_builtin_scripting',` manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) -@@ -140,6 +123,7 @@ template(`apache_content_template',` +@@ -140,6 +126,7 @@ template(`apache_content_template',` allow httpd_t httpd_$1_content_t:dir list_dir_perms; read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t) 
@@ -11801,7 +11866,7 @@ index c9e1a44..c96d035 100644 ') tunable_policy(`httpd_enable_cgi',` -@@ -148,14 +132,19 @@ template(`apache_content_template',` +@@ -148,14 +135,19 @@ template(`apache_content_template',` # privileged users run the script: domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t) @@ -11821,7 +11886,7 @@ index c9e1a44..c96d035 100644 allow httpd_$1_script_t httpd_t:fd use; allow httpd_$1_script_t httpd_t:process sigchld; -@@ -172,6 +161,7 @@ template(`apache_content_template',` +@@ -172,6 +164,7 @@ template(`apache_content_template',` libs_read_lib_files(httpd_$1_script_t) miscfiles_read_localization(httpd_$1_script_t) @@ -11829,7 +11894,7 @@ index c9e1a44..c96d035 100644 ') optional_policy(` -@@ -182,15 +172,13 @@ template(`apache_content_template',` +@@ -182,15 +175,13 @@ template(`apache_content_template',` optional_policy(` postgresql_unpriv_client(httpd_$1_script_t) @@ -11847,7 +11912,7 @@ index c9e1a44..c96d035 100644 ') ######################################## -@@ -229,6 +217,13 @@ interface(`apache_role',` +@@ -229,6 +220,13 @@ interface(`apache_role',` relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t) @@ -11861,7 +11926,7 @@ index c9e1a44..c96d035 100644 manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t) -@@ -243,6 +238,8 @@ interface(`apache_role',` +@@ -243,6 +241,8 @@ interface(`apache_role',` relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t) 
@@ -11870,7 +11935,7 @@ index c9e1a44..c96d035 100644 tunable_policy(`httpd_enable_cgi',` # If a user starts a script by hand it gets the proper context domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t) -@@ -312,6 +309,25 @@ interface(`apache_domtrans',` +@@ -312,6 +312,25 @@ interface(`apache_domtrans',` domtrans_pattern($1, httpd_exec_t, httpd_t) ') @@ -11896,7 +11961,7 @@ index c9e1a44..c96d035 100644 ####################################### ## ## Send a generic signal to apache. -@@ -400,7 +416,7 @@ interface(`apache_dontaudit_rw_fifo_file',` +@@ -400,7 +419,7 @@ interface(`apache_dontaudit_rw_fifo_file',` type httpd_t; ') @@ -11905,7 +11970,7 @@ index c9e1a44..c96d035 100644 ') ######################################## -@@ -526,6 +542,25 @@ interface(`apache_rw_cache_files',` +@@ -526,6 +545,25 @@ interface(`apache_rw_cache_files',` ######################################## ## ## Allow the specified domain to delete @@ -11931,7 +11996,7 @@ index c9e1a44..c96d035 100644 ## Apache cache. ## ## -@@ -740,6 +775,25 @@ interface(`apache_dontaudit_search_modules',` +@@ -740,6 +778,25 @@ interface(`apache_dontaudit_search_modules',` ######################################## ## @@ -11957,7 +12022,7 @@ index c9e1a44..c96d035 100644 ## Allow the specified domain to list ## the contents of the apache modules ## directory. -@@ -756,6 +810,7 @@ interface(`apache_list_modules',` +@@ -756,6 +813,7 @@ interface(`apache_list_modules',` ') allow $1 httpd_modules_t:dir list_dir_perms; @@ -11965,7 +12030,7 @@ index c9e1a44..c96d035 100644 ') ######################################## -@@ -814,6 +869,7 @@ interface(`apache_list_sys_content',` +@@ -814,6 +872,7 @@ interface(`apache_list_sys_content',` ') list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) 
@@ -11973,7 +12038,7 @@ index c9e1a44..c96d035 100644 files_search_var($1) ') -@@ -836,11 +892,80 @@ interface(`apache_manage_sys_content',` +@@ -836,11 +895,80 @@ interface(`apache_manage_sys_content',` ') files_search_var($1) @@ -12054,7 +12119,7 @@ index c9e1a44..c96d035 100644 ######################################## ## ## Execute all web scripts in the system -@@ -858,6 +983,11 @@ interface(`apache_domtrans_sys_script',` +@@ -858,6 +986,11 @@ interface(`apache_domtrans_sys_script',` gen_require(` attribute httpdcontent; type httpd_sys_script_t; @@ -12066,7 +12131,7 @@ index c9e1a44..c96d035 100644 ') tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -945,7 +1075,7 @@ interface(`apache_read_squirrelmail_data',` +@@ -945,7 +1078,7 @@ interface(`apache_read_squirrelmail_data',` type httpd_squirrelmail_t; ') @@ -12075,7 +12140,7 @@ index c9e1a44..c96d035 100644 ') ######################################## -@@ -1086,6 +1216,25 @@ interface(`apache_read_tmp_files',` +@@ -1086,6 +1219,25 @@ interface(`apache_read_tmp_files',` read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') @@ -12101,7 +12166,7 @@ index c9e1a44..c96d035 100644 ######################################## ## ## Dontaudit attempts to write -@@ -1102,7 +1251,7 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1102,7 +1254,7 @@ interface(`apache_dontaudit_write_tmp_files',` type httpd_tmp_t; ') @@ -12110,7 +12175,7 @@ index c9e1a44..c96d035 100644 ') ######################################## -@@ -1172,7 +1321,7 @@ interface(`apache_admin',` +@@ -1172,7 +1324,7 @@ interface(`apache_admin',` type httpd_modules_t, httpd_lock_t; type httpd_var_run_t, httpd_php_tmp_t; type httpd_suexec_tmp_t, httpd_tmp_t; @@ -12119,7 +12184,7 @@ index c9e1a44..c96d035 100644 ') allow $1 httpd_t:process { getattr ptrace signal_perms }; -@@ -1202,12 +1351,43 @@ interface(`apache_admin',` +@@ -1202,12 +1354,43 @@ interface(`apache_admin',` kernel_search_proc($1) allow $1 httpd_t:dir list_dir_perms; 
@@ -12165,7 +12230,7 @@ index c9e1a44..c96d035 100644 + dontaudit $1 httpd_t:unix_stream_socket { read write }; ') diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te -index e33b9cd..08ec94f 100644 +index e33b9cd..de4388a 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -18,6 +18,8 @@ policy_module(apache, 2.2.0) @@ -12212,7 +12277,21 @@ index e33b9cd..08ec94f 100644 ## Allow HTTPD scripts and modules to connect to databases over the network. ##

## -@@ -71,6 +94,13 @@ gen_tunable(httpd_can_sendmail, false) +@@ -57,6 +80,13 @@ gen_tunable(httpd_can_network_connect_db, false) + + ## + ##

++## Allow httpd to connect to memcache server ++##

++##
++gen_tunable(httpd_can_network_memcache, false) ++ ++## ++##

+ ## Allow httpd to act as a relay + ##

+ ##
+@@ -71,6 +101,13 @@ gen_tunable(httpd_can_sendmail, false) ## ##

@@ -12226,7 +12305,7 @@ index e33b9cd..08ec94f 100644 ## Allow Apache to communicate with avahi service via dbus ##

##
-@@ -100,6 +130,13 @@ gen_tunable(httpd_enable_homedirs, false) +@@ -100,6 +137,13 @@ gen_tunable(httpd_enable_homedirs, false) ## ##

@@ -12240,7 +12319,7 @@ index e33b9cd..08ec94f 100644 ## Allow HTTPD to run SSI executables in the same domain as system CGI scripts. ##

##
-@@ -107,6 +144,13 @@ gen_tunable(httpd_ssi_exec, false) +@@ -107,6 +151,13 @@ gen_tunable(httpd_ssi_exec, false) ## ##

@@ -12254,7 +12333,7 @@ index e33b9cd..08ec94f 100644 ## Unify HTTPD to communicate with the terminal. ## Needed for entering the passphrase for certificates at ## the terminal. -@@ -130,7 +174,7 @@ gen_tunable(httpd_use_cifs, false) +@@ -130,7 +181,7 @@ gen_tunable(httpd_use_cifs, false) ## ##

@@ -12263,7 +12342,7 @@ index e33b9cd..08ec94f 100644 ##

##
gen_tunable(httpd_use_gpg, false) -@@ -142,6 +186,13 @@ gen_tunable(httpd_use_gpg, false) +@@ -142,6 +193,13 @@ gen_tunable(httpd_use_gpg, false) ## gen_tunable(httpd_use_nfs, false) @@ -12277,7 +12356,7 @@ index e33b9cd..08ec94f 100644 attribute httpdcontent; attribute httpd_user_content_type; -@@ -216,7 +267,10 @@ files_tmp_file(httpd_suexec_tmp_t) +@@ -216,7 +274,10 @@ files_tmp_file(httpd_suexec_tmp_t) # setup the system domain for system CGI scripts apache_content_template(sys) @@ -12289,7 +12368,7 @@ index e33b9cd..08ec94f 100644 type httpd_tmp_t; files_tmp_file(httpd_tmp_t) -@@ -226,6 +280,10 @@ files_tmpfs_file(httpd_tmpfs_t) +@@ -226,6 +287,10 @@ files_tmpfs_file(httpd_tmpfs_t) apache_content_template(user) ubac_constrained(httpd_user_script_t) @@ -12300,7 +12379,7 @@ index e33b9cd..08ec94f 100644 userdom_user_home_content(httpd_user_content_t) userdom_user_home_content(httpd_user_htaccess_t) userdom_user_home_content(httpd_user_script_exec_t) -@@ -233,6 +291,7 @@ userdom_user_home_content(httpd_user_ra_content_t) +@@ -233,6 +298,7 @@ userdom_user_home_content(httpd_user_ra_content_t) userdom_user_home_content(httpd_user_rw_content_t) typeattribute httpd_user_script_t httpd_script_domains; typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t }; @@ -12308,7 +12387,7 @@ index e33b9cd..08ec94f 100644 typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t }; typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t }; typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t }; -@@ -286,6 +345,7 @@ allow httpd_t self:udp_socket create_socket_perms; +@@ -286,6 +352,7 @@ allow httpd_t self:udp_socket create_socket_perms; manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t) manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) 
@@ -12316,7 +12395,7 @@ index e33b9cd..08ec94f 100644 # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -355,6 +415,7 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) +@@ -355,6 +422,7 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t) kernel_read_kernel_sysctls(httpd_t) # for modules that want to access /proc/meminfo kernel_read_system_state(httpd_t) @@ -12324,7 +12403,7 @@ index e33b9cd..08ec94f 100644 corenet_all_recvfrom_unlabeled(httpd_t) corenet_all_recvfrom_netlabel(httpd_t) -@@ -365,8 +426,10 @@ corenet_udp_sendrecv_generic_node(httpd_t) +@@ -365,8 +433,10 @@ corenet_udp_sendrecv_generic_node(httpd_t) corenet_tcp_sendrecv_all_ports(httpd_t) corenet_udp_sendrecv_all_ports(httpd_t) corenet_tcp_bind_generic_node(httpd_t) @@ -12335,7 +12414,7 @@ index e33b9cd..08ec94f 100644 corenet_sendrecv_http_server_packets(httpd_t) # Signal self for shutdown corenet_tcp_connect_http_port(httpd_t) -@@ -378,12 +441,12 @@ dev_rw_crypto(httpd_t) +@@ -378,12 +448,12 @@ dev_rw_crypto(httpd_t) fs_getattr_all_fs(httpd_t) fs_search_auto_mountpoints(httpd_t) @@ -12351,7 +12430,7 @@ index e33b9cd..08ec94f 100644 domain_use_interactive_fds(httpd_t) -@@ -402,6 +465,10 @@ files_read_etc_files(httpd_t) +@@ -402,6 +472,10 @@ files_read_etc_files(httpd_t) files_read_var_lib_symlinks(httpd_t) fs_search_auto_mountpoints(httpd_sys_script_t) @@ -12362,7 +12441,7 @@ index e33b9cd..08ec94f 100644 libs_read_lib_files(httpd_t) -@@ -416,16 +483,31 @@ seutil_dontaudit_search_config(httpd_t) +@@ -416,16 +490,31 @@ seutil_dontaudit_search_config(httpd_t) userdom_use_unpriv_users_fds(httpd_t) 
@@ -12396,7 +12475,17 @@ index e33b9cd..08ec94f 100644 ') ') -@@ -439,13 +521,25 @@ tunable_policy(`httpd_can_network_relay',` +@@ -433,19 +522,35 @@ tunable_policy(`httpd_can_network_connect',` + corenet_tcp_connect_all_ports(httpd_t) + ') + ++tunable_policy(`httpd_can_network_memcache',` ++ corenet_tcp_connect_memcache_port(httpd_t) ++') ++ + tunable_policy(`httpd_can_network_relay',` + # allow httpd to work as a relay + corenet_tcp_connect_gopher_port(httpd_t) corenet_tcp_connect_ftp_port(httpd_t) corenet_tcp_connect_http_port(httpd_t) corenet_tcp_connect_http_cache_port(httpd_t) @@ -12422,7 +12511,7 @@ index e33b9cd..08ec94f 100644 tunable_policy(`httpd_enable_cgi && httpd_use_nfs',` fs_nfs_domtrans(httpd_t, httpd_sys_script_t) ') -@@ -456,6 +550,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` +@@ -456,6 +561,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',` tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t) @@ -12433,7 +12522,7 @@ index e33b9cd..08ec94f 100644 manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) manage_files_pattern(httpd_t, httpdcontent, httpdcontent) -@@ -470,11 +568,25 @@ tunable_policy(`httpd_enable_homedirs',` +@@ -470,11 +579,25 @@ tunable_policy(`httpd_enable_homedirs',` userdom_read_user_home_content_files(httpd_t) ') @@ -12459,7 +12548,7 @@ index e33b9cd..08ec94f 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_t) fs_read_cifs_symlinks(httpd_t) -@@ -484,7 +596,16 @@ tunable_policy(`httpd_can_sendmail',` +@@ -484,7 +607,16 @@ tunable_policy(`httpd_can_sendmail',` # allow httpd to connect to mail servers corenet_tcp_connect_smtp_port(httpd_t) corenet_sendrecv_smtp_client_packets(httpd_t) 
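Review bot: The new `httpd_can_network_memcache` block in the apache.te hunk grants only `corenet_tcp_connect_memcache_port(httpd_t)` and no packet rule, whereas the neighbouring tunables in this file pair the connect with a `corenet_sendrecv_*_client_packets` call (for example `httpd_can_sendmail` adds `corenet_sendrecv_smtp_client_packets(httpd_t)` right after `corenet_tcp_connect_smtp_port(httpd_t)`). On a host using SECMARK/labeled networking the boolean would therefore still leave memcache traffic denied. Add `corenet_sendrecv_memcache_client_packets(httpd_t)` inside the block, assuming corenetwork generates that interface for the memcache port as it does for the others.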
@@ -12476,7 +12565,7 @@ index e33b9cd..08ec94f 100644 ') tunable_policy(`httpd_ssi_exec',` -@@ -500,8 +621,10 @@ tunable_policy(`httpd_ssi_exec',` +@@ -500,8 +632,10 @@ tunable_policy(`httpd_ssi_exec',` # are dontaudited here. tunable_policy(`httpd_tty_comm',` userdom_use_user_terminals(httpd_t) @@ -12487,7 +12576,7 @@ index e33b9cd..08ec94f 100644 ') optional_policy(` -@@ -513,7 +636,13 @@ optional_policy(` +@@ -513,7 +647,13 @@ optional_policy(` ') optional_policy(` @@ -12502,7 +12591,7 @@ index e33b9cd..08ec94f 100644 ') optional_policy(` -@@ -528,7 +657,7 @@ optional_policy(` +@@ -528,7 +668,7 @@ optional_policy(` daemontools_service_domain(httpd_t, httpd_exec_t) ') @@ -12511,7 +12600,7 @@ index e33b9cd..08ec94f 100644 dbus_system_bus_client(httpd_t) tunable_policy(`httpd_dbus_avahi',` -@@ -537,8 +666,12 @@ optional_policy(` +@@ -537,8 +677,12 @@ optional_policy(` ') optional_policy(` @@ -12525,7 +12614,7 @@ index e33b9cd..08ec94f 100644 ') ') -@@ -557,6 +690,7 @@ optional_policy(` +@@ -557,6 +701,7 @@ optional_policy(` optional_policy(` # Allow httpd to work with mysql @@ -12533,7 +12622,7 @@ index e33b9cd..08ec94f 100644 mysql_stream_connect(httpd_t) mysql_rw_db_sockets(httpd_t) -@@ -567,6 +701,7 @@ optional_policy(` +@@ -567,6 +712,7 @@ optional_policy(` optional_policy(` nagios_read_config(httpd_t) @@ -12541,7 +12630,7 @@ index e33b9cd..08ec94f 100644 ') optional_policy(` -@@ -577,12 +712,23 @@ optional_policy(` +@@ -577,12 +723,23 @@ optional_policy(` ') optional_policy(` @@ -12565,7 +12654,7 @@ index e33b9cd..08ec94f 100644 ') ') -@@ -591,6 +737,11 @@ optional_policy(` +@@ -591,6 +748,11 @@ optional_policy(` ') optional_policy(` @@ -12577,7 +12666,7 @@ index e33b9cd..08ec94f 100644 snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -603,6 +754,10 @@ optional_policy(` +@@ -603,6 +765,10 @@ optional_policy(` yam_read_content(httpd_t) ') 
@@ -12588,7 +12677,7 @@ index e33b9cd..08ec94f 100644 ######################################## # # Apache helper local policy -@@ -618,6 +773,10 @@ logging_send_syslog_msg(httpd_helper_t) +@@ -618,6 +784,10 @@ logging_send_syslog_msg(httpd_helper_t) userdom_use_user_terminals(httpd_helper_t) @@ -12599,7 +12688,7 @@ index e33b9cd..08ec94f 100644 ######################################## # # Apache PHP script local policy -@@ -699,17 +858,18 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) +@@ -699,17 +869,18 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t) files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir }) @@ -12621,7 +12710,7 @@ index e33b9cd..08ec94f 100644 files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -740,10 +900,21 @@ tunable_policy(`httpd_can_network_connect',` +@@ -740,10 +911,21 @@ tunable_policy(`httpd_can_network_connect',` corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -12644,7 +12733,7 @@ index e33b9cd..08ec94f 100644 ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -769,6 +940,12 @@ optional_policy(` +@@ -769,6 +951,12 @@ optional_policy(` dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -12657,7 +12746,7 @@ index e33b9cd..08ec94f 100644 ######################################## # # Apache system script local policy -@@ -792,9 +969,13 @@ kernel_read_kernel_sysctls(httpd_sys_script_t) +@@ -792,9 +980,13 @@ kernel_read_kernel_sysctls(httpd_sys_script_t) files_search_var_lib(httpd_sys_script_t) files_search_spool(httpd_sys_script_t) 
@@ -12671,7 +12760,7 @@ index e33b9cd..08ec94f 100644 ifdef(`distro_redhat',` allow httpd_sys_script_t httpd_log_t:file append_file_perms; ') -@@ -803,6 +984,28 @@ tunable_policy(`httpd_can_sendmail',` +@@ -803,6 +995,28 @@ tunable_policy(`httpd_can_sendmail',` mta_send_mail(httpd_sys_script_t) ') @@ -12700,7 +12789,7 @@ index e33b9cd..08ec94f 100644 tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',` allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms; allow httpd_sys_script_t self:udp_socket create_socket_perms; -@@ -830,6 +1033,16 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` +@@ -830,6 +1044,16 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -12717,7 +12806,7 @@ index e33b9cd..08ec94f 100644 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -842,6 +1055,7 @@ optional_policy(` +@@ -842,6 +1066,7 @@ optional_policy(` optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -12725,7 +12814,7 @@ index e33b9cd..08ec94f 100644 ') optional_policy(` -@@ -891,11 +1105,33 @@ optional_policy(` +@@ -891,11 +1116,33 @@ optional_policy(` tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -12778,7 +12867,7 @@ index 67c91aa..472ddad 100644 mta_system_content(apcupsd_tmp_t) ') diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te -index 1c8c27e..c6832b0 100644 +index 1c8c27e..c7cba00 100644 --- a/policy/modules/services/apm.te +++ b/policy/modules/services/apm.te @@ -62,6 +62,7 @@ allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod }; 
@@ -12824,20 +12913,6 @@ index 1c8c27e..c6832b0 100644 ',` # for ifconfig which is run all the time kernel_dontaudit_search_sysctl(apmd_t) -@@ -218,9 +228,13 @@ optional_policy(` - udev_read_state(apmd_t) #necessary? - ') - -+ifdef(`enforcing',` - optional_policy(` - unconfined_domain(apmd_t) - ') -+', ` -+ permissive apmd_t; -+') - - optional_policy(` - vbetool_domtrans(apmd_t) diff --git a/policy/modules/services/arpwatch.te b/policy/modules/services/arpwatch.te index 0160ba4..f31b5c9 100644 --- a/policy/modules/services/arpwatch.te @@ -14064,7 +14139,7 @@ index fa82327..7f4ca47 100644 # bind to udp/323 corenet_udp_bind_chronyd_port(chronyd_t) diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te -index 8c36027..0a0f374 100644 +index 8c36027..16598a4 100644 --- a/policy/modules/services/clamav.te +++ b/policy/modules/services/clamav.te @@ -80,6 +80,7 @@ manage_files_pattern(clamd_t, clamd_tmp_t, clamd_tmp_t) 
@@ -14098,17 +14173,24 @@ index 8c36027..0a0f374 100644 ') ######################################## -@@ -182,6 +186,9 @@ allow freshclam_t freshclam_var_log_t:dir setattr; - allow freshclam_t clamd_var_log_t:dir search_dir_perms; +@@ -179,9 +183,15 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file) + # log files (own logfiles only) + manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t) + allow freshclam_t freshclam_var_log_t:dir setattr; +-allow freshclam_t clamd_var_log_t:dir search_dir_perms; ++read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t) logging_log_filetrans(freshclam_t, freshclam_var_log_t, file) +kernel_read_kernel_sysctls(freshclam_t) +kernel_read_system_state(freshclam_t) + ++corecmd_exec_shell(freshclam_t) ++corecmd_exec_bin(freshclam_t) ++ corenet_all_recvfrom_unlabeled(freshclam_t) corenet_all_recvfrom_netlabel(freshclam_t) corenet_tcp_sendrecv_generic_if(freshclam_t) -@@ -189,6 +196,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t) +@@ -189,6 +199,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t) corenet_tcp_sendrecv_all_ports(freshclam_t) corenet_tcp_sendrecv_clamd_port(freshclam_t) corenet_tcp_connect_http_port(freshclam_t) @@ -14116,7 +14198,7 @@ index 8c36027..0a0f374 100644 corenet_sendrecv_http_client_packets(freshclam_t) dev_read_rand(freshclam_t) -@@ -207,6 +215,8 @@ miscfiles_read_localization(freshclam_t) +@@ -207,6 +218,8 @@ miscfiles_read_localization(freshclam_t) clamav_stream_connect(freshclam_t) @@ -14125,7 +14207,7 @@ index 8c36027..0a0f374 100644 optional_policy(` cron_system_entry(freshclam_t, freshclam_exec_t) ') -@@ -251,6 +261,7 @@ corenet_tcp_sendrecv_clamd_port(clamscan_t) +@@ -251,6 +264,7 @@ corenet_tcp_sendrecv_clamd_port(clamscan_t) corenet_tcp_connect_clamd_port(clamscan_t) kernel_read_kernel_sysctls(clamscan_t) @@ -15192,7 +15274,7 @@ index 35241ed..cbd01be 100644 + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') 
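Review bot: `corecmd_exec_shell(freshclam_t)` and `corecmd_exec_bin(freshclam_t)` let a daemon that pulls signature updates over HTTP execute any shell and any bin_t program inside its own domain, and nothing in the hunk records why. If this is for freshclam's configurable On*Execute/NotifyClamd hooks (my guess; not shown here), say so with a comment such as `# freshclam.conf On*Execute hooks run a shell command` and consider putting the two rules behind a boolean so hosts that do not use the hooks keep the tighter domain. The replacement of the `clamd_var_log_t:dir search_dir_perms` line by `read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)` is fine, since that pattern expands to directory search plus file read; the freshclam section continues outside this hunk.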
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te -index f35b243..939877a 100644 +index f35b243..38a83ea 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -63,9 +63,12 @@ init_script_file(crond_initrc_exec_t) @@ -15487,7 +15569,7 @@ index f35b243..939877a 100644 +rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) +read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) -+allow cronjob_t user_cron_spool_t:file create_lnk_perms; ++allow cronjob_t user_cron_spool_t:file manage_lnk_file_perms; tunable_policy(`fcron_crond', ` allow crond_t user_cron_spool_t:file manage_file_perms; @@ -15704,7 +15786,7 @@ index 2a0f1c1..ab82c3c 100644 snmp_dontaudit_write_snmp_var_lib_files(cyrus_t) snmp_stream_connect(cyrus_t) diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if -index 39e901a..4ab36ba 100644 +index 39e901a..e385f2f 100644 --- a/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if @@ -42,8 +42,10 @@ template(`dbus_role_template',` @@ -15775,7 +15857,7 @@ index 39e901a..4ab36ba 100644 domtrans_pattern(system_dbusd_t, $2, $1) -+ fs_search_cgroup_dirs($1) ++ fs_search_all($1) + dbus_system_bus_client($1) dbus_connect_system_bus($1) @@ -15914,7 +15996,7 @@ index 8ba9425..d53ee7e 100644 + gnome_dontaudit_search_config(denyhosts_t) +') diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te -index f231f17..ca3a848 100644 +index f231f17..6cee08f 100644 --- a/policy/modules/services/devicekit.te +++ b/policy/modules/services/devicekit.te @@ -75,10 +75,12 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) 
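Review bot: `allow cronjob_t user_cron_spool_t:file manage_lnk_file_perms;` pairs the `file` object class with a permission set named for `lnk_file`; the line it replaces (`create_lnk_perms`) had the same mismatch, so this hunk carries the oddity forward rather than fixing it. If the intent is to let cron jobs manage symlinks in the user spool (the adjacent `read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)` suggests symlinks are expected there), the rule should be `allow cronjob_t user_cron_spool_t:lnk_file manage_lnk_file_perms;`; if regular files are meant, `manage_file_perms` is the matching set. A one-line comment stating what cronjob_t is expected to create in the spool would settle it; the surrounding crond rules continue outside this hunk.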
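Review bot: Replacing `fs_search_cgroup_dirs($1)` with `fs_search_all($1)` inside `dbus_system_domain` gives every system-bus service declared through this template search access on every filesystem type, a much wider grant than the cgroup-only one it replaces, and it lands on all callers of the template rather than on the one daemon that hit a denial. Prefer to keep `fs_search_cgroup_dirs($1)` here and add the specific `fs_search_*` call the failing daemon needs in that daemon's own .te; if template-wide search really is required, a comment above the line naming the daemon and filesystem would justify it. The template body continues outside this hunk.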
@@ -15942,21 +16024,15 @@ index f231f17..ca3a848 100644 files_manage_isid_type_dirs(devicekit_disk_t) files_manage_mnt_dirs(devicekit_disk_t) files_read_etc_files(devicekit_disk_t) -@@ -178,17 +182,33 @@ optional_policy(` +@@ -178,17 +182,27 @@ optional_policy(` virt_manage_images(devicekit_disk_t) ') -+ifdef(`enforcing',` +optional_policy(` + unconfined_domain(devicekit_t) + unconfined_domain(devicekit_power_t) + unconfined_domain(devicekit_disk_t) +') -+', ` -+ permissive devicekit_t; -+ permissive devicekit_power_t; -+ permissive devicekit_disk_t; -+') + ######################################## # @@ -15977,7 +16053,7 @@ index f231f17..ca3a848 100644 manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir) -@@ -212,12 +232,14 @@ dev_rw_generic_usb_dev(devicekit_power_t) +@@ -212,12 +226,14 @@ dev_rw_generic_usb_dev(devicekit_power_t) dev_rw_generic_chr_files(devicekit_power_t) dev_rw_netcontrol(devicekit_power_t) dev_rw_sysfs(devicekit_power_t) @@ -15992,7 +16068,7 @@ index f231f17..ca3a848 100644 term_use_all_terms(devicekit_power_t) -@@ -225,6 +247,8 @@ auth_use_nsswitch(devicekit_power_t) +@@ -225,8 +241,11 @@ auth_use_nsswitch(devicekit_power_t) miscfiles_read_localization(devicekit_power_t) @@ -16000,8 +16076,11 @@ index f231f17..ca3a848 100644 + sysnet_read_config(devicekit_power_t) sysnet_domtrans_ifconfig(devicekit_power_t) ++sysnet_domtrans_dhcpc(devicekit_power_t) + + userdom_read_all_users_state(devicekit_power_t) -@@ -261,6 +285,10 @@ optional_policy(` +@@ -261,6 +280,10 @@ optional_policy(` ') optional_policy(` @@ -16012,7 +16091,7 @@ index f231f17..ca3a848 100644 hal_domtrans_mac(devicekit_power_t) hal_manage_log(devicekit_power_t) hal_manage_pid_dirs(devicekit_power_t) -@@ -280,5 +308,10 @@ optional_policy(` +@@ -280,5 +303,10 @@ optional_policy(` ') optional_policy(` 
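Review bot: `unconfined_domain(devicekit_t)`, `unconfined_domain(devicekit_power_t)` and `unconfined_domain(devicekit_disk_t)` make all three daemons fully unconfined whenever the unconfined module is loaded, so finer rules added further down in the same file, such as `sysnet_domtrans_dhcpc(devicekit_power_t)`, only take effect on hosts that have removed that module; nothing in the hunk says whether that is intended or temporary. Add a comment above the optional_policy block, e.g. `# devicekit domains run unconfined while their policy is completed; the rules below are only exercised without the unconfined module`, so the next reader does not mistake the unconfined grant for the long-term design. The devicekit_disk_t section this block sits in starts before the hunk.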
@@ -16125,7 +16204,7 @@ index e1d7dc5..09f6f30 100644 admin_pattern($1, dovecot_var_run_t) diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te -index 14c6a2e..554ee5a 100644 +index 14c6a2e..c771d46 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t; @@ -16189,7 +16268,7 @@ index 14c6a2e..554ee5a 100644 postfix_search_spool(dovecot_auth_t) ') -@@ -253,19 +261,26 @@ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; +@@ -253,19 +261,27 @@ allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms; allow dovecot_deliver_t dovecot_t:process signull; @@ -16198,7 +16277,8 @@ index 14c6a2e..554ee5a 100644 allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms; +allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms; -+allow dovecot_deliver_t dovecot_var_log_t:dir search_dir_perms; ++ ++append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t) + +can_exec(dovecot_deliver_t, dovecot_deliver_exec_t) + @@ -16218,7 +16298,7 @@ index 14c6a2e..554ee5a 100644 miscfiles_read_localization(dovecot_deliver_t) -@@ -302,4 +317,5 @@ tunable_policy(`use_samba_home_dirs',` +@@ -302,4 +318,5 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` mta_manage_spool(dovecot_deliver_t) @@ -17519,10 +17599,25 @@ index 24c6253..e72b063 100644 # # Local hald dccm policy diff --git a/policy/modules/services/icecast.te b/policy/modules/services/icecast.te -index a57ffc0..f441c9a 100644 +index a57ffc0..4992511 100644 --- a/policy/modules/services/icecast.te +++ b/policy/modules/services/icecast.te -@@ -37,7 +37,10 @@ manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t) +@@ -5,6 +5,14 @@ policy_module(icecast, 1.0.0) + # Declarations + # + ++## ++##

++## Allow icecast to connect to all ports, not just ++## sound ports. ++##

++##
++gen_tunable(icecast_connect_any, false) ++ + type icecast_t; + type icecast_exec_t; + init_daemon_domain(icecast_t, icecast_exec_t) +@@ -37,7 +45,16 @@ manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t) manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t) files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir }) @@ -17530,10 +17625,16 @@ index a57ffc0..f441c9a 100644 + corenet_tcp_bind_soundd_port(icecast_t) +corenet_tcp_connect_soundd_port(icecast_t) ++ ++tunable_policy(`icecast_connect_any',` ++ corenet_tcp_connect_all_ports(icecast_t) ++ corenet_tcp_bind_all_ports(icecast_t) ++ corenet_sendrecv_all_packets(icecast_t) ++') # Init script handling domain_use_interactive_fds(icecast_t) -@@ -51,5 +54,9 @@ miscfiles_read_localization(icecast_t) +@@ -51,5 +68,9 @@ miscfiles_read_localization(icecast_t) sysnet_dns_name_resolve(icecast_t) optional_policy(` 
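Review bot: The description of `icecast_connect_any` says it allows icecast to "connect to all ports", but the tunable_policy block also grants `corenet_tcp_bind_all_ports(icecast_t)` and `corenet_sendrecv_all_packets(icecast_t)`, so enabling the boolean lets the daemon listen on any port too, which is a larger change than the text announces (the default rules bind only the soundd port). Either drop the bind rule if only outbound connections are needed, or change the description to `## Allow icecast to connect to and bind any TCP port, not just the sound ports.` so that what semanage/seinfo show for the boolean matches what it does.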
@@ -18264,8 +18365,27 @@ index db4fd6f..c28a876 100644 ') allow $1 memcached_t:process { ptrace signal_perms }; +diff --git a/policy/modules/services/milter.fc b/policy/modules/services/milter.fc +index 55a3e2f..613c69d 100644 +--- a/policy/modules/services/milter.fc ++++ b/policy/modules/services/milter.fc +@@ -1,3 +1,6 @@ ++/etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0) ++ ++/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0) + /usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0) + /usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0) + /usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0) +@@ -5,6 +8,7 @@ + /var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) + /var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0) + ++/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0) + /var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) + /var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0) + /var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) diff --git a/policy/modules/services/milter.if b/policy/modules/services/milter.if -index ed1af3c..96cba91 100644 +index ed1af3c..a000225 100644 --- a/policy/modules/services/milter.if +++ b/policy/modules/services/milter.if @@ -37,6 +37,8 @@ template(`milter_template',` @@ -18302,6 +18422,71 @@ index ed1af3c..96cba91 100644 ## Manage spamassassin milter state ##
## +@@ -100,3 +120,22 @@ interface(`milter_manage_spamass_state',` + manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t) + manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t) + ') ++ ++####################################### ++## ++## Delete dkim-milter PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`milter_delete_dkim_pid_files',` ++ gen_require(` ++ type dkim_milter_data_t; ++ ') ++ ++ files_search_pids($1) ++ delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t) ++') +diff --git a/policy/modules/services/milter.te b/policy/modules/services/milter.te +index 1b6dea0..6ba48ff 100644 +--- a/policy/modules/services/milter.te ++++ b/policy/modules/services/milter.te +@@ -9,6 +9,13 @@ policy_module(milter, 1.2.1) + attribute milter_domains; + attribute milter_data_type; + ++# support for dkim-milter - domainKeys Identified Mail sender authentication sendmail milter ++milter_template(dkim) ++ ++# type for the private key of dkim-milter ++type dkim_milter_private_key_t; ++files_type(dkim_milter_private_key_t) ++ + # currently-supported milters are milter-greylist, milter-regex and spamass-milter + milter_template(greylist) + milter_template(regex) +@@ -20,6 +27,23 @@ milter_template(spamass) + type spamass_milter_state_t; + files_type(spamass_milter_state_t) + ++####################################### ++# ++# dkim-milter local policy ++# ++ ++allow dkim_milter_t self:capability { kill setgid setuid }; ++ ++allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms; ++ ++read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t) ++ ++auth_use_nsswitch(dkim_milter_t) ++ ++sysnet_dns_name_resolve(dkim_milter_t) ++ ++mta_read_config(dkim_milter_t) ++ + ######################################## + # + # milter-greylist local policy 
diff --git a/policy/modules/services/mock.fc b/policy/modules/services/mock.fc new file mode 100644 index 0000000..42bb2a3 @@ -19176,7 +19361,7 @@ index 256166a..c526ce8 100644 /usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if -index 343cee3..01af7c3 100644 +index 343cee3..a9ebda2 100644 --- a/policy/modules/services/mta.if +++ b/policy/modules/services/mta.if @@ -220,6 +220,25 @@ interface(`mta_agent_executable',` @@ -19247,7 +19432,33 @@ index 343cee3..01af7c3 100644 ') ######################################## -@@ -474,7 +494,8 @@ interface(`mta_write_config',` +@@ -420,6 +440,25 @@ interface(`mta_signal_system_mail',` + + ######################################## + ## ++## Send system mail client a kill signal ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++# ++interface(`mta_kill_system_mail',` ++ gen_require(` ++ type system_mail_t; ++ ') ++ ++ allow $1 system_mail_t:process sigkill; ++') ++ ++######################################## ++## + ## Execute sendmail in the caller domain. + ## + ## +@@ -474,7 +513,8 @@ interface(`mta_write_config',` type etc_mail_t; ') @@ -19257,7 +19468,7 @@ index 343cee3..01af7c3 100644 ') ######################################## -@@ -698,7 +719,7 @@ interface(`mta_rw_spool',` +@@ -698,7 +738,7 @@ interface(`mta_rw_spool',` files_search_spool($1) allow $1 mail_spool_t:dir list_dir_perms; allow $1 mail_spool_t:file setattr; @@ -19266,7 +19477,7 @@ index 343cee3..01af7c3 100644 read_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') -@@ -899,3 +920,43 @@ interface(`mta_rw_user_mail_stream_sockets',` +@@ -899,3 +939,43 @@ interface(`mta_rw_user_mail_stream_sockets',` allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; ') @@ -19846,7 +20057,7 @@ index 8581040..e3c8272 100644 ## a domain transition. ##
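Review bot: `dkim_milter_private_key_t` holds the DKIM signing keys under /etc/mail/dkim-milter/keys but is declared with plain `files_type()`, which places it in the generic file_type attribute, so any domain granted read on all or on non-security file types can read the signing key. If this tree provides `files_security_file()` (the attribute used for types like shadow_t), declare the key type with it as well so that only `dkim_milter_t` and domains with explicit all-files access reach the key, and record the intent with `# signing key: keep out of the generic non-security file reads`. The `kill` capability in `allow dkim_milter_t self:capability { kill setgid setuid };` has no visible signal target in this hunk; please confirm it is actually needed.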
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te -index da5b33d..0c4ac5b 100644 +index da5b33d..1029389 100644 --- a/policy/modules/services/nagios.te +++ b/policy/modules/services/nagios.te @@ -107,13 +107,11 @@ files_read_etc_files(nagios_t) @@ -19864,8 +20075,12 @@ index da5b33d..0c4ac5b 100644 auth_use_nsswitch(nagios_t) logging_send_syslog_msg(nagios_t) -@@ -126,8 +124,6 @@ userdom_dontaudit_search_user_home_dirs(nagios_t) +@@ -124,10 +122,10 @@ userdom_dontaudit_use_unpriv_user_fds(nagios_t) + userdom_dontaudit_search_user_home_dirs(nagios_t) + mta_send_mail(nagios_t) ++mta_signal_system_mail(nagios_t) ++mta_kill_system_mail(nagios_t) optional_policy(` - netutils_domtrans_ping(nagios_t) @@ -19873,7 +20088,7 @@ index da5b33d..0c4ac5b 100644 netutils_kill_ping(nagios_t) ') -@@ -340,6 +336,8 @@ files_read_usr_files(nagios_services_plugin_t) +@@ -340,6 +338,8 @@ files_read_usr_files(nagios_services_plugin_t) optional_policy(` netutils_domtrans_ping(nagios_services_plugin_t) @@ -19981,7 +20196,7 @@ index 2324d9e..1a1bfe4 100644 + append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t) +') diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te -index 442cff9..9677236 100644 +index 442cff9..45ecee3 100644 --- a/policy/modules/services/networkmanager.te +++ b/policy/modules/services/networkmanager.te @@ -35,7 +35,7 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t) @@ -20043,7 +20258,7 @@ index 442cff9..9677236 100644 ') optional_policy(` -@@ -172,7 +183,7 @@ optional_policy(` +@@ -172,12 +183,14 @@ optional_policy(` ') optional_policy(` @@ -20052,7 +20267,14 @@ index 442cff9..9677236 100644 ') optional_policy(` -@@ -202,6 +213,13 @@ optional_policy(` + dbus_system_domain(NetworkManager_t, NetworkManager_exec_t) + ++ init_dbus_chat(NetworkManager_t) ++ + optional_policy(` + consolekit_dbus_chat(NetworkManager_t) + ') +@@ -202,6 +215,13 @@ optional_policy(` ') optional_policy(` 
@@ -20066,7 +20288,7 @@ index 442cff9..9677236 100644 iptables_domtrans(NetworkManager_t) ') -@@ -263,6 +281,7 @@ optional_policy(` +@@ -263,6 +283,7 @@ optional_policy(` vpn_kill(NetworkManager_t) vpn_signal(NetworkManager_t) vpn_signull(NetworkManager_t) @@ -20445,7 +20667,7 @@ index 4996f62..975deca 100644 kernel_read_kernel_sysctls(openct_t) kernel_list_proc(openct_t) diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te -index f3d5790..9be673c 100644 +index f3d5790..196f2a2 100644 --- a/policy/modules/services/openvpn.te +++ b/policy/modules/services/openvpn.te @@ -24,6 +24,9 @@ files_config_file(openvpn_etc_t) @@ -20458,6 +20680,15 @@ index f3d5790..9be673c 100644 type openvpn_initrc_exec_t; init_script_file(openvpn_initrc_exec_t) +@@ -48,7 +51,7 @@ allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto }; + allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto }; + allow openvpn_t self:udp_socket create_socket_perms; + allow openvpn_t self:tcp_socket server_stream_socket_perms; +-allow openvpn_t self:tun_socket create; ++allow openvpn_t self:tun_socket { create_socket_perms relabelfrom }; + allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms; + + can_exec(openvpn_t, openvpn_etc_t) @@ -58,9 +61,13 @@ read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t) manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t) filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) @@ -20811,10 +21042,10 @@ index 0000000..8ecd276 +') diff --git a/policy/modules/services/piranha.te b/policy/modules/services/piranha.te new file mode 100644 -index 0000000..17d6b45 +index 0000000..0a5f27d --- /dev/null +++ b/policy/modules/services/piranha.te -@@ -0,0 +1,216 @@ +@@ -0,0 +1,220 @@ +policy_module(piranha,1.0.0) + +######################################## 
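Review bot: `allow openvpn_t self:tun_socket { create_socket_perms relabelfrom };` adds `relabelfrom` without the matching `relabelto`; as far as I recall the kernel's tun attach check requires both (relabelfrom on the existing device's label, relabelto on the attaching domain's own label), so reattaching to a persistent tun device that openvpn_t created earlier would still be denied. Unless a relabelto rule is added elsewhere in the patch, make the line `allow openvpn_t self:tun_socket { create_socket_perms relabelfrom relabelto };` and note above it that the pair is for reattaching to persistent tun/tap devices. Please verify against the tun attach hook of the target kernel before merging.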
@@ -20932,6 +21163,10 @@ index 0000000..17d6b45 +') + +optional_policy(` ++ gnome_dontaudit_search_config(piranha_web_t) ++') ++ ++optional_policy(` + sasl_connect(piranha_web_t) +') + @@ -21178,7 +21413,7 @@ index 48ff1e8..29c9906 100644 + allow $1 policykit_auth_t:process signal; ') diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te -index 1e7169d..ab881a1 100644 +index 1e7169d..e731afa 100644 --- a/policy/modules/services/policykit.te +++ b/policy/modules/services/policykit.te @@ -24,6 +24,9 @@ init_system_domain(policykit_resolve_t, policykit_resolve_exec_t) @@ -21262,7 +21497,7 @@ index 1e7169d..ab881a1 100644 -allow policykit_auth_t self:capability setgid; -allow policykit_auth_t self:process getattr; -allow policykit_auth_t self:fifo_file rw_file_perms; -+allow policykit_auth_t self:capability { setgid setuid }; ++allow policykit_auth_t self:capability { ipc_lock setgid setuid }; +dontaudit policykit_auth_t self:capability sys_tty_config; +allow policykit_auth_t self:process { getattr getsched signal }; +allow policykit_auth_t self:fifo_file rw_fifo_file_perms; @@ -22956,7 +23191,7 @@ index 7dc38d1..91dbe71 100644 + admin_pattern($1, rgmanager_var_run_t) +') diff --git a/policy/modules/services/rgmanager.te b/policy/modules/services/rgmanager.te -index 00fa514..ce5dbc0 100644 +index 00fa514..9ab1d80 100644 --- a/policy/modules/services/rgmanager.te +++ b/policy/modules/services/rgmanager.te @@ -17,6 +17,9 @@ type rgmanager_exec_t; @@ -23018,20 +23253,6 @@ index 00fa514..ce5dbc0 100644 mysql_domtrans_mysql_safe(rgmanager_t) mysql_stream_connect(rgmanager_t) ') -@@ -193,9 +209,13 @@ optional_policy(` - virt_stream_connect(rgmanager_t) - ') - -+ifdef(`enforcing',` - optional_policy(` - unconfined_domain(rgmanager_t) - ') -+', ` -+ permissive rgmanager_t; -+') - - optional_policy(` - xen_domtrans_xm(rgmanager_t) diff --git a/policy/modules/services/rhcs.fc b/policy/modules/services/rhcs.fc index c2ba53b..b19961e 100644 
--- a/policy/modules/services/rhcs.fc @@ -23848,6 +24069,20 @@ index 6f8e268..7d64285 100644 ######################################## # +diff --git a/policy/modules/services/rwho.te b/policy/modules/services/rwho.te +index a07b2f4..d78daf4 100644 +--- a/policy/modules/services/rwho.te ++++ b/policy/modules/services/rwho.te +@@ -55,6 +55,9 @@ files_read_etc_files(rwho_t) + init_read_utmp(rwho_t) + init_dontaudit_write_utmp(rwho_t) + ++logging_send_syslog_msg(rwho_t) ++ + miscfiles_read_localization(rwho_t) + + sysnet_dns_name_resolve(rwho_t) ++ diff --git a/policy/modules/services/samba.fc b/policy/modules/services/samba.fc index 69a6074..73db5ba 100644 --- a/policy/modules/services/samba.fc @@ -26231,7 +26466,7 @@ index 7c5d8d8..1a0701b 100644 +') + diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te -index 3cce663..8040c74 100644 +index 3cce663..8f0fac9 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -4,6 +4,7 @@ policy_module(virt, 1.4.0) @@ -26485,21 +26720,7 @@ index 3cce663..8040c74 100644 ') optional_policy(` -@@ -385,9 +446,13 @@ optional_policy(` - udev_read_db(virtd_t) - ') - -+ifdef(`enforcing',` - optional_policy(` - unconfined_domain(virtd_t) - ') -+', ` -+ permissive virtd_t; -+') - - ######################################## - # -@@ -402,6 +467,19 @@ allow virt_domain self:unix_stream_socket create_stream_socket_perms; +@@ -402,6 +463,19 @@ allow virt_domain self:unix_stream_socket create_stream_socket_perms; allow virt_domain self:unix_dgram_socket { create_socket_perms sendto }; allow virt_domain self:tcp_socket create_stream_socket_perms; 
@@ -26519,7 +26740,7 @@ index 3cce663..8040c74 100644 append_files_pattern(virt_domain, virt_log_t, virt_log_t) append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -@@ -422,6 +500,7 @@ corenet_rw_tun_tap_dev(virt_domain) +@@ -422,6 +496,7 @@ corenet_rw_tun_tap_dev(virt_domain) corenet_tcp_bind_virt_migration_port(virt_domain) corenet_tcp_connect_virt_migration_port(virt_domain) @@ -26527,7 +26748,7 @@ index 3cce663..8040c74 100644 dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -429,10 +508,12 @@ dev_write_sound(virt_domain) +@@ -429,10 +504,12 @@ dev_write_sound(virt_domain) dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -26540,7 +26761,7 @@ index 3cce663..8040c74 100644 files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,6 +521,11 @@ files_search_all(virt_domain) +@@ -440,6 +517,11 @@ files_search_all(virt_domain) fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -26552,7 +26773,7 @@ index 3cce663..8040c74 100644 term_use_all_terms(virt_domain) term_getattr_pty_fs(virt_domain) -@@ -457,8 +543,121 @@ optional_policy(` +@@ -457,8 +539,121 @@ optional_policy(` ') optional_policy(` @@ -26829,7 +27050,7 @@ index 6f1e3c7..39c2bb3 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index da2601a..a5b3186 100644 +index da2601a..4bc9fff 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ @@ -26844,7 +27065,7 @@ index da2601a..a5b3186 100644 ') role $1 types { xserver_t xauth_t iceauth_t }; -@@ -31,7 +32,7 @@ interface(`xserver_restricted_role',` +@@ -31,12 +32,13 @@ interface(`xserver_restricted_role',` allow xserver_t $2:shm rw_shm_perms; domtrans_pattern($2, xserver_exec_t, xserver_t) 
@@ -26853,7 +27074,13 @@ index da2601a..a5b3186 100644 allow xserver_t $2:shm rw_shm_perms; -@@ -45,6 +46,7 @@ interface(`xserver_restricted_role',` + allow $2 user_fonts_t:dir list_dir_perms; + allow $2 user_fonts_t:file read_file_perms; ++ allow $2 user_fonts_t:lnk_file read_lnk_file_perms; + + allow $2 user_fonts_config_t:dir list_dir_perms; + allow $2 user_fonts_config_t:file read_file_perms; +@@ -45,6 +47,7 @@ interface(`xserver_restricted_role',` manage_files_pattern($2, user_fonts_cache_t, user_fonts_cache_t) stream_connect_pattern($2, xserver_tmp_t, xserver_tmp_t, xserver_t) @@ -26861,7 +27088,7 @@ index da2601a..a5b3186 100644 files_search_tmp($2) # Communicate via System V shared memory. -@@ -56,6 +58,10 @@ interface(`xserver_restricted_role',` +@@ -56,6 +59,10 @@ interface(`xserver_restricted_role',` domtrans_pattern($2, iceauth_exec_t, iceauth_t) @@ -26872,7 +27099,7 @@ index da2601a..a5b3186 100644 allow $2 iceauth_home_t:file read_file_perms; domtrans_pattern($2, xauth_exec_t, xauth_t) -@@ -71,9 +77,13 @@ interface(`xserver_restricted_role',` +@@ -71,9 +78,13 @@ interface(`xserver_restricted_role',` # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; allow $2 xdm_t:fifo_file { getattr read write ioctl }; @@ -26887,7 +27114,7 @@ index da2601a..a5b3186 100644 # Client read xserver shm allow $2 xserver_t:fd use; -@@ -89,14 +99,17 @@ interface(`xserver_restricted_role',` +@@ -89,14 +100,17 @@ interface(`xserver_restricted_role',` dev_write_misc($2) # open office is looking for the following dev_getattr_agp_dev($2) 
@@ -26907,15 +27134,18 @@ index da2601a..a5b3186 100644 xserver_xsession_entry_type($2) xserver_dontaudit_write_log($2) xserver_stream_connect_xdm($2) -@@ -148,6 +161,7 @@ interface(`xserver_role',` +@@ -148,8 +162,10 @@ interface(`xserver_role',` allow $2 xauth_home_t:file manage_file_perms; allow $2 xauth_home_t:file { relabelfrom relabelto }; + mls_xwin_read_to_clearance($2) manage_dirs_pattern($2, user_fonts_t, user_fonts_t) manage_files_pattern($2, user_fonts_t, user_fonts_t) ++ allow $2 user_fonts_t:lnk_file read_lnk_file_perms; relabel_dirs_pattern($2, user_fonts_t, user_fonts_t) -@@ -197,7 +211,7 @@ interface(`xserver_ro_session',` + relabel_files_pattern($2, user_fonts_t, user_fonts_t) + +@@ -197,7 +213,7 @@ interface(`xserver_ro_session',` allow $1 xserver_t:process signal; # Read /tmp/.X0-lock @@ -26924,7 +27154,7 @@ index da2601a..a5b3186 100644 # Client read xserver shm allow $1 xserver_t:fd use; -@@ -291,12 +305,12 @@ interface(`xserver_user_client',` +@@ -291,12 +307,12 @@ interface(`xserver_user_client',` allow $1 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file @@ -26940,7 +27170,7 @@ index da2601a..a5b3186 100644 allow $1 xdm_tmp_t:dir search; allow $1 xdm_tmp_t:sock_file { read write }; dontaudit $1 xdm_t:tcp_socket { read write }; -@@ -355,6 +369,12 @@ template(`xserver_common_x_domain_template',` +@@ -355,6 +371,12 @@ template(`xserver_common_x_domain_template',` class x_property all_x_property_perms; class x_event all_x_event_perms; class x_synthetic_event all_x_synthetic_event_perms; @@ -26953,7 +27183,7 @@ index da2601a..a5b3186 100644 ') ############################## -@@ -386,6 +406,15 @@ template(`xserver_common_x_domain_template',` +@@ -386,6 +408,15 @@ template(`xserver_common_x_domain_template',` allow $2 xevent_t:{ x_event x_synthetic_event } receive; # dont audit send failures dontaudit $2 input_xevent_type:x_event send; 
@@ -26969,7 +27199,7 @@ index da2601a..a5b3186 100644 ') ####################################### -@@ -476,11 +505,16 @@ template(`xserver_user_x_domain_template',` +@@ -476,11 +507,16 @@ template(`xserver_user_x_domain_template',` xserver_use_user_fonts($2) xserver_read_xdm_tmp_files($2) @@ -26986,13 +27216,21 @@ index da2601a..a5b3186 100644 # Client write xserver shm tunable_policy(`allow_write_xshm',` allow $2 xserver_t:shm rw_shm_perms; -@@ -545,6 +579,27 @@ interface(`xserver_domtrans_xauth',` +@@ -517,6 +553,7 @@ interface(`xserver_use_user_fonts',` + # Read per user fonts + allow $1 user_fonts_t:dir list_dir_perms; + allow $1 user_fonts_t:file read_file_perms; ++ allow $1 user_fonts_t:lnk_file read_lnk_file_perms; + + # Manipulate the global font cache + manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t) +@@ -545,6 +582,27 @@ interface(`xserver_domtrans_xauth',` ') domtrans_pattern($1, xauth_exec_t, xauth_t) -+ifdef(`hide_broken_symptoms', ` -+ dontaudit xauth_t $1:socket_class_set { read write }; -+') ++ ifdef(`hide_broken_symptoms', ` ++ dontaudit xauth_t $1:socket_class_set { read write }; ++ ') +') + +######################################## @@ -27014,7 +27252,7 @@ index da2601a..a5b3186 100644 ') ######################################## -@@ -598,6 +653,7 @@ interface(`xserver_read_user_xauth',` +@@ -598,6 +656,7 @@ interface(`xserver_read_user_xauth',` allow $1 xauth_home_t:file read_file_perms; userdom_search_user_home_dirs($1) @@ -27022,7 +27260,7 @@ index da2601a..a5b3186 100644 ') ######################################## -@@ -725,10 +781,12 @@ interface(`xserver_dontaudit_rw_xdm_pipes',` +@@ -725,10 +784,12 @@ interface(`xserver_dontaudit_rw_xdm_pipes',` interface(`xserver_stream_connect_xdm',` gen_require(` type xdm_t, xdm_tmp_t; 
@@ -27035,7 +27273,7 @@ index da2601a..a5b3186 100644 ') ######################################## -@@ -805,7 +863,7 @@ interface(`xserver_read_xdm_pid',` +@@ -805,7 +866,7 @@ interface(`xserver_read_xdm_pid',` ') files_search_pids($1) @@ -27044,7 +27282,7 @@ index da2601a..a5b3186 100644 ') ######################################## -@@ -916,7 +974,7 @@ interface(`xserver_dontaudit_write_log',` +@@ -916,7 +977,7 @@ interface(`xserver_dontaudit_write_log',` type xserver_log_t; ') @@ -27053,7 +27291,7 @@ index da2601a..a5b3186 100644 ') ######################################## -@@ -963,6 +1021,44 @@ interface(`xserver_read_xkb_libs',` +@@ -963,6 +1024,44 @@ interface(`xserver_read_xkb_libs',` ######################################## ## @@ -27098,7 +27336,7 @@ index da2601a..a5b3186 100644 ## Read xdm temporary files. ## ## -@@ -1072,6 +1168,8 @@ interface(`xserver_domtrans',` +@@ -1072,6 +1171,8 @@ interface(`xserver_domtrans',` allow $1 xserver_t:process siginh; domtrans_pattern($1, xserver_exec_t, xserver_t) @@ -27107,7 +27345,15 @@ index da2601a..a5b3186 100644 ') ######################################## -@@ -1224,9 +1322,20 @@ interface(`xserver_manage_core_devices',` +@@ -1185,6 +1286,7 @@ interface(`xserver_stream_connect',` + + files_search_tmp($1) + stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) ++ allow xserver_t $1:shm rw_shm_perms; + ') + + ######################################## +@@ -1224,9 +1326,20 @@ interface(`xserver_manage_core_devices',` class x_device all_x_device_perms; class x_pointer all_x_pointer_perms; class x_keyboard all_x_keyboard_perms; @@ -27128,7 +27374,7 @@ index da2601a..a5b3186 100644 ') ######################################## -@@ -1250,3 +1359,329 @@ interface(`xserver_unconfined',` +@@ -1250,3 +1363,329 @@ interface(`xserver_unconfined',` typeattribute $1 x_domain; typeattribute $1 xserver_unconfined_type; ') 
@@ -27459,7 +27705,7 @@ index da2601a..a5b3186 100644 + manage_files_pattern($1, user_fonts_config_t, user_fonts_config_t) +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index e226da4..50b4a08 100644 +index e226da4..9b9e013 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -35,6 +35,13 @@ gen_tunable(allow_write_xshm, false) @@ -28067,7 +28313,7 @@ index e226da4..50b4a08 100644 hostname_exec(xdm_t) ') -@@ -539,20 +761,63 @@ optional_policy(` +@@ -539,20 +761,64 @@ optional_policy(` ') optional_policy(` @@ -28085,6 +28331,7 @@ index e226da4..50b4a08 100644 +optional_policy(` + plymouthd_search_spool(xdm_t) + plymouthd_exec_plymouth(xdm_t) ++ plymouthd_stream_connect(xdm_t) +') + +optional_policy(` @@ -28133,7 +28380,7 @@ index e226da4..50b4a08 100644 ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -561,7 +826,6 @@ optional_policy(` +@@ -561,7 +827,6 @@ optional_policy(` ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -28141,7 +28388,7 @@ index e226da4..50b4a08 100644 optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -572,6 +836,10 @@ optional_policy(` +@@ -572,6 +837,10 @@ optional_policy(` ') optional_policy(` @@ -28152,7 +28399,7 @@ index e226da4..50b4a08 100644 xfs_stream_connect(xdm_t) ') -@@ -596,7 +864,7 @@ allow xserver_t input_xevent_t:x_event send; +@@ -596,7 +865,7 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
@@ -28161,7 +28408,7 @@ index e226da4..50b4a08 100644 dontaudit xserver_t self:capability chown; allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; -@@ -610,6 +878,18 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -610,6 +879,18 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -28180,7 +28427,7 @@ index e226da4..50b4a08 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -629,12 +909,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -629,12 +910,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -28202,7 +28449,7 @@ index e226da4..50b4a08 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -642,6 +929,7 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -642,6 +930,7 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -28210,7 +28457,7 @@ index e226da4..50b4a08 100644 # Run helper programs in xserver_t. corecmd_exec_bin(xserver_t) -@@ -668,7 +956,6 @@ dev_rw_apm_bios(xserver_t) +@@ -668,7 +957,6 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) 
@@ -28218,7 +28465,7 @@ index e226da4..50b4a08 100644 dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -678,8 +965,13 @@ dev_wx_raw_memory(xserver_t) +@@ -678,8 +966,13 @@ dev_wx_raw_memory(xserver_t) dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) @@ -28232,7 +28479,7 @@ index e226da4..50b4a08 100644 files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) files_read_usr_files(xserver_t) -@@ -693,8 +985,13 @@ fs_getattr_xattr_fs(xserver_t) +@@ -693,8 +986,13 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -28246,7 +28493,7 @@ index e226da4..50b4a08 100644 selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -716,11 +1013,14 @@ logging_send_audit_msgs(xserver_t) +@@ -716,11 +1014,14 @@ logging_send_audit_msgs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -28261,7 +28508,7 @@ index e226da4..50b4a08 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -773,20 +1073,44 @@ optional_policy(` +@@ -773,12 +1074,28 @@ optional_policy(` ') optional_policy(` @@ -28286,17 +28533,12 @@ index e226da4..50b4a08 100644 + udev_read_db(xserver_t) +') + -+ifdef(`enforcing',` +optional_policy(` + unconfined_domain(xserver_t) unconfined_domtrans(xserver_t) ') -+', ` -+ permissive xserver_t; -+') - optional_policy(` - userhelper_search_config(xserver_t) +@@ -787,6 +1104,10 @@ optional_policy(` ') optional_policy(` @@ -28307,7 +28549,7 @@ index e226da4..50b4a08 100644 xfs_stream_connect(xserver_t) ') -@@ -802,10 +1126,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -802,10 +1123,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! 
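Review bot: Replacing `permissive xserver_t;` with an unconditional `unconfined_domain(xserver_t)` in the `@@ -773,12 +1074,28 @@` hunk also removes the audit trail: a permissive domain still logs every would-be denial, whereas an unconfined domain is simply allowed and produces no AVC, so the rules still missing from xserver_t's confined policy can no longer be discovered from audit logs. The same swap is made for fsadm_t (fstools.te), ldconfig_t (libraries.te), clvmd_t and lvm_t (lvm.te), depmod_t and insmod_t (modutils.te), mdadm_t (raid.te), setfiles_mac_t (selinuxutil.te), sosreport_t (sosreport.te) and udev_t (udev.te). A one-line comment next to each would make the trade-off explicit for whoever later tries to confine these domains, e.g. `# unconfined: denials are allowed silently, run the domain permissive to collect missing rules`.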
@@ -28320,7 +28562,7 @@ index e226da4..50b4a08 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -826,6 +1150,13 @@ init_use_fds(xserver_t) +@@ -826,6 +1147,13 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -28334,7 +28576,7 @@ index e226da4..50b4a08 100644 tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) -@@ -841,11 +1172,14 @@ tunable_policy(`use_samba_home_dirs',` +@@ -841,11 +1169,14 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` dbus_system_bus_client(xserver_t) @@ -28351,7 +28593,7 @@ index e226da4..50b4a08 100644 ') optional_policy(` -@@ -991,3 +1325,33 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *; +@@ -991,3 +1322,33 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *; allow xserver_unconfined_type xextension_type:x_extension *; allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; @@ -28773,10 +29015,30 @@ index 1c4b1e7..2997dd7 100644 /var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if -index 7fddc24..227958c 100644 +index 7fddc24..395f8f3 100644 --- a/policy/modules/system/authlogin.if 
+++ b/policy/modules/system/authlogin.if -@@ -91,9 +91,12 @@ interface(`auth_use_pam',` +@@ -57,6 +57,8 @@ interface(`auth_use_pam',` + auth_exec_pam($1) + auth_use_nsswitch($1) + ++ init_rw_stream_sockets($1) ++ + logging_send_audit_msgs($1) + logging_send_syslog_msg($1) + +@@ -66,6 +68,10 @@ interface(`auth_use_pam',` + optional_policy(` + consolekit_dbus_chat($1) + ') ++ ++ optional_policy(` ++ fprintd_dbus_chat($1) ++ ') + ') + + optional_policy(` +@@ -91,9 +97,12 @@ interface(`auth_use_pam',` interface(`auth_login_pgm_domain',` gen_require(` type var_auth_t, auth_cache_t; @@ -28789,7 +29051,7 @@ index 7fddc24..227958c 100644 domain_subj_id_change_exemption($1) domain_role_change_exemption($1) domain_obj_id_change_exemption($1) -@@ -107,8 +110,10 @@ interface(`auth_login_pgm_domain',` +@@ -107,8 +116,10 @@ interface(`auth_login_pgm_domain',` allow $1 self:capability ipc_lock; allow $1 self:process setkeycreate; allow $1 self:key manage_key_perms; @@ -28800,7 +29062,7 @@ index 7fddc24..227958c 100644 manage_files_pattern($1, var_auth_t, var_auth_t) manage_dirs_pattern($1, auth_cache_t, auth_cache_t) -@@ -126,6 +131,8 @@ interface(`auth_login_pgm_domain',` +@@ -126,6 +137,8 @@ interface(`auth_login_pgm_domain',` files_read_etc_files($1) fs_list_auto_mountpoints($1) @@ -28809,7 +29071,7 @@ index 7fddc24..227958c 100644 selinux_get_fs_mount($1) selinux_validate_context($1) -@@ -141,6 +148,7 @@ interface(`auth_login_pgm_domain',` +@@ -141,6 +154,7 @@ interface(`auth_login_pgm_domain',` mls_process_set_level($1) mls_fd_share_all_levels($1) @@ -28817,7 +29079,7 @@ index 7fddc24..227958c 100644 auth_use_pam($1) init_rw_utmp($1) -@@ -151,8 +159,38 @@ interface(`auth_login_pgm_domain',` +@@ -151,8 +165,38 @@ interface(`auth_login_pgm_domain',` seutil_read_config($1) seutil_read_default_contexts($1) 
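Review bot: In the `@@ -57,6 +57,8 @@ interface(`auth_use_pam',` hunk, `init_rw_stream_sockets($1)` is added unconditionally and without a comment, so every domain that calls auth_use_pam, including every login program via auth_login_pgm_domain further down this section and now chfn and passwd per the commit message, gains read/write on init's stream sockets. The commit message only motivates the dbus traffic to fprintd, which the separate `fprintd_dbus_chat($1)` in the following hunk already covers, so the reason for the init socket access is not recorded anywhere on the page. Please name the PAM module that needs it above the line, e.g. `# <module> talks to init over its stream socket`, and consider whether it belongs inside an optional_policy block like the neighbouring consolekit and fprintd rules.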
@@ -28858,7 +29120,7 @@ index 7fddc24..227958c 100644 ') ') -@@ -365,13 +403,15 @@ interface(`auth_domtrans_chk_passwd',` +@@ -365,13 +409,15 @@ interface(`auth_domtrans_chk_passwd',` ') optional_policy(` @@ -28875,7 +29137,7 @@ index 7fddc24..227958c 100644 ') ######################################## -@@ -418,6 +458,7 @@ interface(`auth_run_chk_passwd',` +@@ -418,6 +464,7 @@ interface(`auth_run_chk_passwd',` auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -28883,7 +29145,7 @@ index 7fddc24..227958c 100644 ') ######################################## -@@ -874,6 +915,26 @@ interface(`auth_exec_pam',` +@@ -874,6 +921,26 @@ interface(`auth_exec_pam',` ######################################## ## @@ -28910,7 +29172,7 @@ index 7fddc24..227958c 100644 ## Manage var auth files. Used by various other applications ## and pam applets etc. ## -@@ -1500,6 +1561,8 @@ interface(`auth_manage_login_records',` +@@ -1500,6 +1567,8 @@ interface(`auth_manage_login_records',` # interface(`auth_use_nsswitch',` @@ -28919,7 +29181,7 @@ index 7fddc24..227958c 100644 files_list_var_lib($1) # read /etc/nsswitch.conf -@@ -1531,7 +1594,15 @@ interface(`auth_use_nsswitch',` +@@ -1531,7 +1600,15 @@ interface(`auth_use_nsswitch',` ') optional_policy(` @@ -29147,7 +29409,7 @@ index a97a096..dd65c15 100644 /sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0) /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te -index a442acc..e8dd9c8 100644 +index a442acc..7cb7582 100644 --- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te @@ -55,6 +55,7 @@ allow fsadm_t swapfile_t:file { rw_file_perms swapon }; @@ -29168,7 +29430,7 @@ index a442acc..e8dd9c8 100644 # Recreate /mnt/cdrom. files_manage_mnt_dirs(fsadm_t) # for tune2fs -@@ -147,12 +151,16 @@ modutils_read_module_deps(fsadm_t) +@@ -147,7 +151,7 @@ modutils_read_module_deps(fsadm_t) seutil_read_config(fsadm_t) 
@@ -29176,17 +29438,8 @@ index a442acc..e8dd9c8 100644 +term_use_all_terms(fsadm_t) ifdef(`distro_redhat',` -+ifdef(`enforcing',` optional_policy(` - unconfined_domain(fsadm_t) - ') -+', ` -+ permissive fsadm_t; -+') - ') - - optional_policy(` -@@ -166,6 +174,14 @@ optional_policy(` +@@ -166,6 +170,14 @@ optional_policy(` ') optional_policy(` @@ -29201,7 +29454,7 @@ index a442acc..e8dd9c8 100644 nis_use_ypbind(fsadm_t) ') -@@ -175,6 +191,10 @@ optional_policy(` +@@ -175,6 +187,10 @@ optional_policy(` ') optional_policy(` @@ -29320,7 +29573,7 @@ index 9775375..b338481 100644 # # /var diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if -index f6aafe7..7da8294 100644 +index f6aafe7..f28524b 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -105,7 +105,11 @@ interface(`init_domain',` @@ -29444,7 +29697,7 @@ index f6aafe7..7da8294 100644 ') ######################################## -@@ -669,12 +733,14 @@ interface(`init_telinit',` +@@ -669,19 +733,24 @@ interface(`init_telinit',` type initctl_t; ') @@ -29460,7 +29713,8 @@ index f6aafe7..7da8294 100644 gen_require(` type init_t; ') -@@ -682,6 +748,8 @@ interface(`init_telinit',` + ++ allow $1 init_t:process signal; # upstart uses a datagram socket instead of initctl pipe allow $1 self:unix_dgram_socket create_socket_perms; allow $1 init_t:unix_dgram_socket sendto; @@ -29469,7 +29723,7 @@ index f6aafe7..7da8294 100644 ') ') -@@ -754,18 +822,19 @@ interface(`init_script_file_entry_type',` +@@ -754,18 +823,19 @@ interface(`init_script_file_entry_type',` # interface(`init_spec_domtrans_script',` gen_require(` @@ -29493,7 +29747,7 @@ index f6aafe7..7da8294 100644 ') ') -@@ -781,23 +850,45 @@ interface(`init_spec_domtrans_script',` +@@ -781,23 +851,45 @@ interface(`init_spec_domtrans_script',` # interface(`init_domtrans_script',` gen_require(` @@ -29543,7 +29797,7 @@ index f6aafe7..7da8294 100644 ## Execute a init script in a specified domain. ##
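Review bot: The `allow $1 init_t:process signal;` added to `init_telinit` in the `@@ -669,19 +733,24 @@` hunk lets every telinit caller send arbitrary non-fatal signals (anything other than SIGKILL/SIGSTOP/SIGCHLD) to pid 1, which goes well beyond the datagram-socket rules that the surrounding `# upstart uses a datagram socket` comment documents. The new line sits above that comment, so a reader will assume it is part of the upstart socket handling. If a specific signal is what telinit needs, say so: `# telinit signals init to re-read its configuration (confirm which signal)`, placed directly above the allow rule. The enclosing interface body continues outside the hunk.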
## -@@ -849,8 +940,10 @@ interface(`init_script_file_domtrans',` +@@ -849,8 +941,12 @@ interface(`init_script_file_domtrans',` interface(`init_labeled_script_domtrans',` gen_require(` type initrc_t; @@ -29551,10 +29805,12 @@ index f6aafe7..7da8294 100644 ') + typeattribute $1 initrc_transition_domain; ++ # service script searches all filesystems via mountpoint ++ fs_search_all($1) domtrans_pattern($1, $2, initrc_t) files_search_etc($1) ') -@@ -1338,6 +1431,27 @@ interface(`init_dbus_send_script',` +@@ -1338,6 +1434,27 @@ interface(`init_dbus_send_script',` ######################################## ## ## Send and receive messages from @@ -29582,7 +29838,7 @@ index f6aafe7..7da8294 100644 ## init scripts over dbus. ## ## -@@ -1637,7 +1751,7 @@ interface(`init_dontaudit_rw_utmp',` +@@ -1637,7 +1754,7 @@ interface(`init_dontaudit_rw_utmp',` type initrc_var_run_t; ') @@ -29591,7 +29847,7 @@ index f6aafe7..7da8294 100644 ') ######################################## -@@ -1712,3 +1826,94 @@ interface(`init_udp_recvfrom_all_daemons',` +@@ -1712,3 +1829,94 @@ interface(`init_udp_recvfrom_all_daemons',` ') corenet_udp_recvfrom_labeled($1, daemon) ') @@ -29687,7 +29943,7 @@ index f6aafe7..7da8294 100644 + allow $1 init_t:unix_stream_socket rw_stream_socket_perms; +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index abab4cf..9f9b812 100644 +index abab4cf..a80b4c7 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,27 @@ gen_require(` @@ -30138,10 +30394,11 @@ index abab4cf..9f9b812 100644 optional_policy(` consolekit_dbus_chat(initrc_t) -@@ -701,7 +882,12 @@ optional_policy(` +@@ -701,7 +882,13 @@ optional_policy(` ') optional_policy(` ++ milter_delete_dkim_pid_files(initrc_t) + milter_setattr_all_dirs(initrc_t) +') + 
@@ -30151,7 +30408,7 @@ index abab4cf..9f9b812 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -724,6 +910,10 @@ optional_policy(` +@@ -724,6 +911,10 @@ optional_policy(` ') optional_policy(` @@ -30162,7 +30419,7 @@ index abab4cf..9f9b812 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -745,6 +935,10 @@ optional_policy(` +@@ -745,6 +936,10 @@ optional_policy(` ') optional_policy(` @@ -30173,7 +30430,7 @@ index abab4cf..9f9b812 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -766,8 +960,6 @@ optional_policy(` +@@ -766,8 +961,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) @@ -30182,7 +30439,7 @@ index abab4cf..9f9b812 100644 ') optional_policy(` -@@ -776,14 +968,21 @@ optional_policy(` +@@ -776,14 +969,21 @@ optional_policy(` ') optional_policy(` @@ -30204,7 +30461,7 @@ index abab4cf..9f9b812 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -805,11 +1004,19 @@ optional_policy(` +@@ -805,11 +1005,19 @@ optional_policy(` ') optional_policy(` @@ -30225,7 +30482,7 @@ index abab4cf..9f9b812 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -819,6 +1026,25 @@ optional_policy(` +@@ -819,6 +1027,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -30251,7 +30508,7 @@ index abab4cf..9f9b812 100644 ') optional_policy(` -@@ -844,3 +1070,55 @@ optional_policy(` +@@ -844,3 +1071,55 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -30647,7 +30904,7 @@ index 5c94dfe..59bfb17 100644 ######################################## diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te -index a3fdcb3..e9bd52a 100644 +index a3fdcb3..bce3aea 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -13,9 +13,6 @@ role system_r types iptables_t; 
@@ -30731,6 +30988,14 @@ index a3fdcb3..e9bd52a 100644 ') optional_policy(` +@@ -124,6 +135,7 @@ optional_policy(` + + optional_policy(` + shorewall_rw_lib_files(iptables_t) ++ shorewall_read_tmp_files(iptables_t) + ') + + optional_policy(` diff --git a/policy/modules/system/iscsi.if b/policy/modules/system/iscsi.if index 663a47b..ad0b864 100644 --- a/policy/modules/system/iscsi.if @@ -30998,8 +31263,39 @@ index 9df8c4d..1d2236b 100644 +/opt/lgtonmc/bin/.*\.so(\.[0-9])? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/picasa/.*\.dll -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0) +diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if +index d97d16d..8b174c8 100644 +--- a/policy/modules/system/libraries.if ++++ b/policy/modules/system/libraries.if +@@ -46,6 +46,26 @@ interface(`libs_run_ldconfig',` + + ######################################## + ## ++## Execute ldconfig in the caller domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`libs_exec_ldconfig',` ++ gen_require(` ++ type ldconfig_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ can_exec($1, ldconfig_exec_t) ++') ++ ++######################################## ++## + ## Use the dynamic link/loader for automatic loading + ## of shared libraries. + ## diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te -index bf416a4..af2af2d 100644 +index bf416a4..99d7f60 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -61,7 +61,7 @@ allow ldconfig_t self:capability { dac_override sys_chroot }; 
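Review bot: The new `libs_exec_ldconfig` interface in the `@@ -46,6 +46,26 @@` hunk uses `can_exec($1, ldconfig_exec_t)`, so ldconfig runs in the caller's own domain rather than transitioning to ldconfig_t, and its documentation does not say what that implies. A caller that can also write the system linker cache would be updating it under its own label and outside ldconfig_t's confinement; callers that only need a private cache (the commit message cites telepathy_msn) are the intended audience. Suggest extending the `## Execute ldconfig in the caller domain.` summary with a second line: `## No domain transition occurs; use libs_run_ldconfig when the system linker cache must be updated.`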
@@ -31049,17 +31345,11 @@ index bf416a4..af2af2d 100644 puppet_rw_tmp(ldconfig_t) ') -@@ -141,6 +151,10 @@ optional_policy(` - rpm_manage_script_tmp_files(ldconfig_t) - ') - -+ifdef(`enforcing',` +@@ -144,3 +154,4 @@ optional_policy(` optional_policy(` unconfined_domain(ldconfig_t) -+')' -+, ` -+ permissive ldconfig_t; ') ++ diff --git a/policy/modules/system/locallogin.fc b/policy/modules/system/locallogin.fc index 7570583..be6a81b 100644 --- a/policy/modules/system/locallogin.fc @@ -31452,7 +31742,7 @@ index 58bc27f..b4f0663 100644 + allow $1 clvmd_tmpfs_t:file rw_file_perms; +') diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te -index 86ef2da..7eb67d1 100644 +index 86ef2da..7f649d5 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t) @@ -31476,26 +31766,19 @@ index 86ef2da..7eb67d1 100644 manage_files_pattern(clvmd_t, clvmd_var_run_t, clvmd_var_run_t) files_pid_filetrans(clvmd_t, clvmd_var_run_t, file) -@@ -135,9 +142,18 @@ lvm_domtrans(clvmd_t) - lvm_read_config(clvmd_t) +@@ -141,6 +148,11 @@ ifdef(`distro_redhat',` + ') - ifdef(`distro_redhat',` -+ifdef(`enforcing',` - optional_policy(` - unconfined_domain(clvmd_t) - ') -+', ` -+ permissive clvmd_t; -+') + optional_policy(` ++ aisexec_stream_connect(clvmd_t) ++ corosync_stream_connect(clvmd_t) +') + +optional_policy(` -+ aisexec_stream_connect(clvmd_t) -+ corosync_stream_connect(clvmd_t) + ccs_stream_connect(clvmd_t) ') - optional_policy(` -@@ -170,6 +186,7 @@ dontaudit lvm_t self:capability sys_tty_config; +@@ -170,6 +182,7 @@ dontaudit lvm_t self:capability sys_tty_config; allow lvm_t self:process { sigchld sigkill sigstop signull signal }; # LVM will complain a lot if it cannot set its priority. allow lvm_t self:process setsched; 
@@ -31503,7 +31786,7 @@ index 86ef2da..7eb67d1 100644 allow lvm_t self:file rw_file_perms; allow lvm_t self:fifo_file manage_fifo_file_perms; allow lvm_t self:unix_dgram_socket create_socket_perms; -@@ -210,12 +227,15 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file) +@@ -210,12 +223,15 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file) files_etc_filetrans(lvm_t, lvm_metadata_t, file) files_search_mnt(lvm_t) @@ -31519,7 +31802,7 @@ index 86ef2da..7eb67d1 100644 kernel_search_debugfs(lvm_t) corecmd_exec_bin(lvm_t) -@@ -242,6 +262,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) +@@ -242,6 +258,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t) dev_dontaudit_getattr_generic_blk_files(lvm_t) dev_dontaudit_getattr_generic_pipes(lvm_t) dev_create_generic_dirs(lvm_t) @@ -31527,7 +31810,7 @@ index 86ef2da..7eb67d1 100644 domain_use_interactive_fds(lvm_t) domain_read_all_domains_state(lvm_t) -@@ -251,8 +272,9 @@ files_read_etc_files(lvm_t) +@@ -251,8 +268,9 @@ files_read_etc_files(lvm_t) files_read_etc_runtime_files(lvm_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(lvm_t) @@ -31538,7 +31821,7 @@ index 86ef2da..7eb67d1 100644 fs_search_auto_mountpoints(lvm_t) fs_list_tmpfs(lvm_t) fs_read_tmpfs_symlinks(lvm_t) -@@ -262,6 +284,7 @@ fs_rw_anon_inodefs_files(lvm_t) +@@ -262,6 +280,7 @@ fs_rw_anon_inodefs_files(lvm_t) mls_file_read_all_levels(lvm_t) mls_file_write_to_clearance(lvm_t) 
@@ -31546,26 +31829,19 @@ index 86ef2da..7eb67d1 100644 selinux_get_fs_mount(lvm_t) selinux_validate_context(lvm_t) -@@ -303,9 +326,18 @@ ifdef(`distro_redhat',` - # this is from the initrd: - files_rw_isid_type_dirs(lvm_t) +@@ -309,6 +328,11 @@ ifdef(`distro_redhat',` + ') -+ifdef(`enforcing',` - optional_policy(` - unconfined_domain(lvm_t) - ') -+', ` -+ permissive lvm_t; -+') + optional_policy(` ++ aisexec_stream_connect(lvm_t) ++ corosync_stream_connect(lvm_t) +') + +optional_policy(` -+ aisexec_stream_connect(lvm_t) -+ corosync_stream_connect(lvm_t) + bootloader_rw_tmp_files(lvm_t) ') - optional_policy(` -@@ -329,6 +361,10 @@ optional_policy(` +@@ -329,6 +353,10 @@ optional_policy(` ') optional_policy(` @@ -31729,7 +32005,7 @@ index 9c0faab..def8d5a 100644 ## loading modules. ##
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te -index 74a4466..f39f39f 100644 +index 74a4466..9abf3b1 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -18,6 +18,7 @@ type insmod_t; @@ -31764,21 +32040,7 @@ index 74a4466..f39f39f 100644 ifdef(`distro_ubuntu',` optional_policy(` -@@ -94,17 +99,21 @@ optional_policy(` - rpm_manage_script_tmp_files(depmod_t) - ') - -+ifdef(`enforcing',` - optional_policy(` - # Read System.map from home directories. - unconfined_domain(depmod_t) - ') -+', ` -+ permissive depmod_t; -+') - - ######################################## - # +@@ -104,7 +109,7 @@ optional_policy(` # insmod local policy # @@ -31787,7 +32049,7 @@ index 74a4466..f39f39f 100644 allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal }; allow insmod_t self:udp_socket create_socket_perms; -@@ -125,6 +134,7 @@ kernel_write_proc_files(insmod_t) +@@ -125,6 +130,7 @@ kernel_write_proc_files(insmod_t) kernel_mount_debugfs(insmod_t) kernel_mount_kvmfs(insmod_t) kernel_read_debugfs(insmod_t) @@ -31795,7 +32057,7 @@ index 74a4466..f39f39f 100644 # Rules for /proc/sys/kernel/tainted kernel_read_kernel_sysctls(insmod_t) kernel_rw_kernel_sysctl(insmod_t) -@@ -142,6 +152,7 @@ dev_rw_agp(insmod_t) +@@ -142,6 +148,7 @@ dev_rw_agp(insmod_t) dev_read_sound(insmod_t) dev_write_sound(insmod_t) dev_rw_apm_bios(insmod_t) @@ -31803,7 +32065,7 @@ index 74a4466..f39f39f 100644 domain_signal_all_domains(insmod_t) domain_use_interactive_fds(insmod_t) -@@ -160,11 +171,15 @@ files_write_kernel_modules(insmod_t) +@@ -160,11 +167,15 @@ files_write_kernel_modules(insmod_t) fs_getattr_xattr_fs(insmod_t) fs_dontaudit_use_tmpfs_chr_dev(insmod_t) 
@@ -31819,7 +32081,7 @@ index 74a4466..f39f39f 100644 logging_send_syslog_msg(insmod_t) logging_search_logs(insmod_t) -@@ -173,8 +188,7 @@ miscfiles_read_localization(insmod_t) +@@ -173,8 +184,7 @@ miscfiles_read_localization(insmod_t) seutil_read_file_contexts(insmod_t) @@ -31829,7 +32091,7 @@ index 74a4466..f39f39f 100644 userdom_dontaudit_search_user_home_dirs(insmod_t) if( ! secure_mode_insmod ) { -@@ -191,6 +205,10 @@ optional_policy(` +@@ -191,6 +201,10 @@ optional_policy(` ') optional_policy(` @@ -31840,25 +32102,17 @@ index 74a4466..f39f39f 100644 hal_write_log(insmod_t) ') -@@ -229,10 +247,18 @@ optional_policy(` - rpm_rw_pipes(insmod_t) +@@ -235,6 +249,10 @@ optional_policy(` ') -+ifdef(`enforcing',` optional_policy(` - unconfined_domain(insmod_t) - unconfined_dontaudit_rw_pipes(insmod_t) - ') -+', ` -+ permissive insmod_t; ++ virt_dontaudit_write_pipes(insmod_t) +') + +optional_policy(` -+ virt_dontaudit_write_pipes(insmod_t) -+') - - optional_policy(` # cjp: why is this needed: + dev_rw_xserver_misc(insmod_t) + diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc index 72c746e..e3d06fd 100644 --- a/policy/modules/system/mount.fc @@ -32387,7 +32641,7 @@ index fca6947..a2f7102 100644 + +userdom_use_user_terminals(showmount_t) diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te -index 09845c4..5ccaca7 100644 +index 09845c4..2fe5969 100644 --- a/policy/modules/system/raid.te +++ b/policy/modules/system/raid.te @@ -30,8 +30,9 @@ allow mdadm_t self:fifo_file rw_fifo_file_perms; 
@@ -32401,25 +32655,24 @@ index 09845c4..5ccaca7 100644 kernel_read_system_state(mdadm_t) kernel_read_kernel_sysctls(mdadm_t) -@@ -57,6 +58,7 @@ domain_use_interactive_fds(mdadm_t) +@@ -52,13 +53,16 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t) + dev_read_realtime_clock(mdadm_t) + # unfortunately needed for DMI decoding: + dev_read_raw_memory(mdadm_t) ++dev_read_generic_files(mdadm_t) + + domain_use_interactive_fds(mdadm_t) files_read_etc_files(mdadm_t) files_read_etc_runtime_files(mdadm_t) +files_dontaudit_getattr_tmpfs_files(mdadm_t) - fs_search_auto_mountpoints(mdadm_t) +-fs_search_auto_mountpoints(mdadm_t) ++fs_list_hugetlbfs(mdadm_t) ++fs_list_auto_mountpoints(mdadm_t) fs_dontaudit_list_tmpfs(mdadm_t) -@@ -95,6 +97,10 @@ optional_policy(` - udev_read_db(mdadm_t) - ') -+ifdef(`enforcing',` - optional_policy(` - unconfined_domain(mdadm_t) - ') -+', ` -+ permissive mdadm_t; -+') + mls_file_read_all_levels(mdadm_t) diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc index 2cc4bda..9e81136 100644 --- a/policy/modules/system/selinuxutil.fc @@ -32861,7 +33114,7 @@ index 170e2c7..bbaa8cf 100644 +') +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index ff5d72d..a0cf928 100644 +index ff5d72d..edee963 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy; @@ -33102,7 +33355,7 @@ index ff5d72d..a0cf928 100644 # cjp: need a more general way to handle this: ifdef(`enable_mls',` # read secadm tmp files -@@ -498,112 +492,54 @@ ifdef(`enable_mls',` +@@ -498,112 +492,50 @@ ifdef(`enable_mls',` userdom_read_user_tmp_files(semanage_t) ') 
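Review bot: `dev_read_generic_files(mdadm_t)` in the `@@ -52,13 +53,16 @@` hunk opens read access to every generically-labelled file under /dev, which is considerably wider than the "Allow mdadm to read files on /dev" line in the commit message explains, and unlike the adjacent raw-memory rule it carries no comment naming the file mdadm actually reads. If the target is a single known path, a comment in the style of the line above it, e.g. `# mdadm reads <path> under /dev (confirm from the AVC)`, would let a later reviewer replace the rule with a narrower interface. The hugetlbfs and auto_mountpoints changes in the same hunk look fine.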
@@ -33152,18 +33405,12 @@ index ff5d72d..a0cf928 100644 -fs_list_all(setfiles_t) -fs_search_auto_mountpoints(setfiles_t) -fs_relabelfrom_noxattr_fs(setfiles_t) -+init_dontaudit_use_fds(setsebool_t) - +- -mls_file_read_all_levels(setfiles_t) -mls_file_write_all_levels(setfiles_t) -mls_file_upgrade(setfiles_t) -mls_file_downgrade(setfiles_t) -+# Bug in semanage -+seutil_domtrans_setfiles(setsebool_t) -+seutil_manage_file_contexts(setsebool_t) -+seutil_manage_default_contexts(setsebool_t) -+seutil_manage_config(setsebool_t) - +- -selinux_validate_context(setfiles_t) -selinux_compute_access_vector(setfiles_t) -selinux_compute_create_context(setfiles_t) @@ -33185,9 +33432,15 @@ index ff5d72d..a0cf928 100644 -logging_send_syslog_msg(setfiles_t) - -miscfiles_read_localization(setfiles_t) -- ++init_dontaudit_use_fds(setsebool_t) + -seutil_libselinux_linked(setfiles_t) -- ++# Bug in semanage ++seutil_domtrans_setfiles(setsebool_t) ++seutil_manage_file_contexts(setsebool_t) ++seutil_manage_default_contexts(setsebool_t) ++seutil_manage_config(setsebool_t) + -userdom_use_all_users_fds(setfiles_t) -# for config files in a home directory -userdom_read_user_home_content_files(setfiles_t) @@ -33241,13 +33494,9 @@ index ff5d72d..a0cf928 100644 ') ') -+ifdef(`enforcing',` optional_policy(` - hotplug_use_fds(setfiles_t) + unconfined_domain(setfiles_mac_t) -+') -+', ` -+ permissive lvm_t; ') diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te index 4ec45a4..4488c6d 100644 @@ -33420,10 +33669,10 @@ index 0000000..fec3374 +') diff --git a/policy/modules/system/sosreport.te b/policy/modules/system/sosreport.te new file mode 100644 -index 0000000..593a206 +index 0000000..c15bcea --- /dev/null +++ b/policy/modules/system/sosreport.te -@@ -0,0 +1,158 @@ +@@ -0,0 +1,154 @@ +policy_module(sosreport,1.0.0) + +######################################## 
@@ -33575,13 +33824,9 @@ index 0000000..593a206 + xserver_stream_connect(sosreport_t) +') + -+ifdef(`enforcing',` +optional_policy(` + unconfined_domain(sosreport_t) +') -+', ` -+ permissive sosreport_t; -+') diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc index 726619b..4bb3158 100644 --- a/policy/modules/system/sysnetwork.fc @@ -34033,7 +34278,7 @@ index 025348a..59bc26b 100644 ######################################## diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index a054cf5..7cc3698 100644 +index a054cf5..9f316ca 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -52,6 +52,7 @@ allow udev_t self:unix_dgram_socket sendto; @@ -34053,7 +34298,15 @@ index a054cf5..7cc3698 100644 kernel_read_system_state(udev_t) kernel_request_load_module(udev_t) -@@ -116,10 +117,13 @@ files_exec_etc_files(udev_t) +@@ -111,15 +112,20 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these + + files_read_usr_files(udev_t) + files_read_etc_runtime_files(udev_t) +-files_read_etc_files(udev_t) ++ ++# console_init manages files in /etc/sysconfig ++files_manage_etc_files(udev_t) + files_exec_etc_files(udev_t) files_dontaudit_search_isid_type_dirs(udev_t) files_getattr_generic_locks(udev_t) files_search_mnt(udev_t) @@ -34067,21 +34320,7 @@ index a054cf5..7cc3698 100644 mcs_ptrace_all(udev_t) -@@ -192,9 +196,13 @@ ifdef(`distro_redhat',` - # for arping used for static IP addresses on PCMCIA ethernet - netutils_domtrans(udev_t) - -+ ifdef(`enforcing',` - optional_policy(` - unconfined_domain(udev_t) - ') -+ ', ` -+ permissive udev_t; -+ ') - ') - - optional_policy(` -@@ -216,11 +224,16 @@ optional_policy(` +@@ -216,11 +222,16 @@ optional_policy(` ') optional_policy(` @@ -34098,7 +34337,7 @@ index a054cf5..7cc3698 100644 ') optional_policy(` -@@ -233,6 +246,10 @@ optional_policy(` +@@ -233,6 +244,10 @@ optional_policy(` ') optional_policy(` 
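Review bot: Replacing `files_read_etc_files(udev_t)` with `files_manage_etc_files(udev_t)` in the `@@ -111,15 +112,20 @@` hunk of udev.te grants udev create/write/delete on every etc_t file, while the accompanying comment `# console_init manages files in /etc/sysconfig` only justifies a handful of files under one directory. Because udev runs helper programs in response to device events, this is a sizeable widening of what a misbehaving rule or helper can alter. A dedicated type for the files console_init writes, or at least a comment recording that the broad rule is a stopgap (`# TODO: narrow to the sysconfig files console_init writes`), would keep the rest of etc_t read-only for udev_t.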
@@ -34109,7 +34348,7 @@ index a054cf5..7cc3698 100644 lvm_domtrans(udev_t) ') -@@ -259,6 +276,10 @@ optional_policy(` +@@ -259,6 +274,10 @@ optional_policy(` ') optional_policy(` @@ -34120,7 +34359,7 @@ index a054cf5..7cc3698 100644 openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -273,6 +294,11 @@ optional_policy(` +@@ -273,6 +292,11 @@ optional_policy(` ') optional_policy(` @@ -34870,10 +35109,10 @@ index f976344..4474379 100644 - ') -') diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc -index db75976..9068325 100644 +index db75976..61db6da 100644 --- a/policy/modules/system/userdomain.fc +++ b/policy/modules/system/userdomain.fc -@@ -1,4 +1,14 @@ +@@ -1,4 +1,15 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) +HOME_DIR -l gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) @@ -34885,12 +35124,13 @@ index db75976..9068325 100644 +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) +HOME_DIR/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0) +HOME_DIR/local/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0) ++HOME_DIR/Audio(/.*)? gen_context(system_u:object_r:audio_home_t,s0) +HOME_DIR/Music(/.*)? gen_context(system_u:object_r:audio_home_t,s0) +HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.gvfs(/.*)? <> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 8b4f6d8..1456a83 100644 +index 8b4f6d8..e1da594 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,8 +30,9 @@ template(`userdom_base_user_template',` 
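Review bot: `+HOME_DIR/Audio(/.*)?` in the userdomain.fc hunk at @@ -34885 duplicates the adjacent `HOME_DIR/Music(/.*)?` entry with the same audio_home_t context; a single spec `HOME_DIR/(Audio|Music)(/.*)? gen_context(system_u:object_r:audio_home_t,s0)` keeps the two paths in step if the label ever changes. The inner hunk-count update to `+@@ -1,4 +1,15 @@` in the preceding @@ -34870 hunk is consistent with the one added line.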
@@ -36404,6 +36644,15 @@ index 8b4f6d8..1456a83 100644 ') ######################################## +@@ -2906,7 +3205,7 @@ interface(`userdom_dontaudit_use_user_ptys',` + type user_devpts_t; + ') + +- dontaudit $1 user_devpts_t:chr_file rw_file_perms; ++ dontaudit $1 user_devpts_t:chr_file rw_inherited_file_perms; + ') + + ######################################## @@ -2961,7 +3260,45 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 7799e24..1b82efa 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ %define CHECKPOLICYVER 2.0.21-1 Summary: SELinux policy configuration Name: selinux-policy -Version: 3.9.2 +Version: 3.9.3 Release: 1%{?dist} License: GPLv2+ Group: System Environment/Base @@ -469,6 +469,20 @@ exit 0 %endif %changelog +* Thu Aug 31 2010 Dan Walsh 3.9.3-1 +Allow iptables to read shorewall tmp files +Change chfn and passwd to use auth_use_pam so they can send dbus messages to fpr +intd +label vlc as an execmem_exec_t +Lots of fixes for mozilla_plugin to run google vidio chat +Allow telepath_msn to execute ldconfig and its own tmp files +Fix labels on hugepages +Allow mdadm to read files on /dev +Remove permissive domains and change back to unconfined +Allow freshclam to execute shell and bin_t +Allow devicekit_power to transition to dhcpc +Add boolean to allow icecast to connect to any port + * Thu Aug 31 2010 Dan Walsh 3.9.2-1 - Merge upstream fix of mmap_zero - Allow mount to write files in debugfs_t diff --git a/sources b/sources index 1d0d2b4..3c4a5ef 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -f35b66c95c41e4c046727789b361a969 serefpolicy-3.9.2.tgz +2330fe4b7094df0e0a453856db12e3a4 serefpolicy-3.9.3.tgz
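Review bot: The change from `rw_file_perms` to `rw_inherited_file_perms` in the userdom_dontaudit_use_user_ptys hunk (@@ -36404) means an explicit open of a user pty by `$1` is now audited while use of an inherited descriptor stays silent; that looks intentional, but nothing records it, and the interface description sits outside the hunk. Suggest a why-comment above the rule, `# only inherited pty fds are silenced; a fresh open() is still audited`, plus a matching sentence in the interface header so callers know denials on open are expected to surface.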
