From 7846a149abe1540463c59d97cd48042dc0837852 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Jan 15 2013 16:56:41 +0000
Subject: Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy
---
diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf
index edd3768..ea6c8fa 100644
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
@@ -395,7 +395,7 @@ condor = module
#
# ConsoleKit is a system daemon for tracking what users are logged
#
-#consolekit = module
+consolekit = module
# Layer: services
# Module: corosync
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 2ecf31a..70897dc 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -110364,7 +110364,7 @@ index 4705ab6..11a1ae6 100644
+gen_tunable(selinuxuser_tcp_server,false)
+
diff --git a/policy/mcs b/policy/mcs
-index 216b3d1..552c23a 100644
+index 216b3d1..81bc8c4 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -1,4 +1,6 @@
@@ -110374,7 +110374,44 @@ index 216b3d1..552c23a 100644
#
# Define sensitivities
#
-@@ -99,14 +101,18 @@ mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
+@@ -69,53 +71,50 @@ gen_levels(1,mcs_num_cats)
+ # - /proc/pid operations are not constrained.
+
+ mlsconstrain file { read ioctl lock execute execute_no_trans }
+- (( h1 dom h2 ) or ( t1 == mcsreadall ) or
+- (( t1 != mcs_constrained_type ) and (t2 == domain)));
++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+ mlsconstrain file { write setattr append unlink link rename }
+- (( h1 dom h2 ) or ( t1 == mcswriteall ) or
+- (( t1 != mcs_constrained_type ) and (t2 == domain)));
++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+ mlsconstrain dir { search read ioctl lock }
+- (( h1 dom h2 ) or ( t1 == mcsreadall ) or
+- (( t1 != mcs_constrained_type ) and (t2 == domain)));
++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+ mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
+- (( h1 dom h2 ) or ( t1 == mcswriteall ) or
+- (( t1 != mcs_constrained_type ) and (t2 == domain)));
++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+ mlsconstrain fifo_file { open }
+- (( h1 dom h2 ) or ( t1 == mcsreadall ) or
+- (( t1 != mcs_constrained_type ) and ( t2 == domain )));
++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+ mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
+- (( h1 dom h2 ) or ( t1 == mcsreadall ) or
+- (( t1 != mcs_constrained_type ) and (t2 == domain)));
++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+ mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
+- (( h1 dom h2 ) or ( t1 == mcswriteall ) or
+- (( t1 != mcs_constrained_type ) and (t2 == domain)));
++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
# New filesystem object labels must be dominated by the relabeling subject
# clearance, also the objects are single-level.
mlsconstrain file { create relabelto }
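Review bot: Replacing `(( t1 != mcs_constrained_type ) and (t2 == domain))` with `( t1 != mcs_constrained_type )` in every file and dir constraint here turns MCS from a default-on check into an opt-in one: a domain that does not carry mcs_constrained_type now skips the category comparison on every file, not only on domain-labelled objects such as the /proc/pid entries the comment at the top of the hunk refers to. Neither the commit record (a bare merge subject) nor the policy file states that intent, so it belongs next to the constraints, e.g. `# MCS category checks apply only to domains marked with mcs_constrained(); every other domain is exempt regardless of its range.` Isolation between instances that rely on categories (sandbox or virtual-machine style domains) now depends entirely on those domains being marked mcs_constrained_type somewhere outside this patch, which is worth confirming before merging. The relabel, process transition, ptrace and signal constraints in the next hunk get the same rewrite, and the same comment would cover them.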
@@ -110385,18 +110422,30 @@ index 216b3d1..552c23a 100644
# new file labels must be dominated by the relabeling subject clearance
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
- ( h1 dom h2 );
-+ (( h1 dom h2 ) or ( t1 == mcswriteall ));
++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+mlsconstrain { file lnk_file fifo_file } { create relabelto }
-+ ( l2 eq h2 );
++ (( l2 eq h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
- (( h1 dom h2 ) and ( l2 eq h2 ));
-+ ( h1 dom h2 );
++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
mlsconstrain process { transition dyntransition }
- (( h1 dom h2 ) or ( t1 == mcssetcats ));
-@@ -166,4 +172,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
+- (( h1 dom h2 ) or ( t1 == mcssetcats ));
++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+ mlsconstrain process { ptrace }
+- (( h1 dom h2) or ( t1 == mcsptraceall ));
++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+ mlsconstrain process { sigkill sigstop }
+- (( h1 dom h2 ) or ( t1 == mcskillall ));
++ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+ mlsconstrain process { signal }
+ (( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+@@ -166,4 +165,23 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
( h1 dom h2 );
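Review bot: The new `mlsconstrain { file lnk_file fifo_file } { create relabelto } (( l2 eq h2 ) or ( t1 != mcs_constrained_type ))` drops the single-level requirement for every unconstrained domain, so such a domain can now create or relabel a file to a range whose low and high levels differ, while the comment above `mlsconstrain file { create relabelto }` at the end of the previous hunk still says new objects are single-level; if ranged objects from unconstrained domains are intended, that comment should say so. Separately, the transition constraint now reads `(( h1 dom h2 ) or ( t1 != mcs_constrained_type ))` and no longer mentions mcssetcats, yet `mcs_process_set_categories` in the mcs.if hunk still does `typeattribute $1 mcssetcats;`; as far as this patch shows no constraint consults that attribute any more, so the call newly added to domain_unconfined in the domain.if hunk has no effect and the interface should probably be deprecated like its siblings. Both observations are limited to what is visible here; the rest of policy/mcs is outside the hunk.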
@@ -110571,7 +110620,7 @@ index cc8df9d..5e914db 100644
+ files_etc_filetrans($1,bootloader_etc_t,file, "yaboot.conf")
+')
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
-index e3dbbb8..15f25f0 100644
+index e3dbbb8..f766e86 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -5,8 +5,8 @@ policy_module(bootloader, 1.13.2)
@@ -110738,17 +110787,19 @@ index e3dbbb8..15f25f0 100644
kudzu_domtrans(bootloader_t)
')
-@@ -195,17 +234,19 @@ optional_policy(`
+@@ -195,17 +234,18 @@ optional_policy(`
optional_policy(`
modutils_exec_insmod(bootloader_t)
-+ modutils_list_module_config(bootloader_t)
- modutils_read_module_deps(bootloader_t)
- modutils_read_module_config(bootloader_t)
- modutils_exec_insmod(bootloader_t)
+- modutils_read_module_deps(bootloader_t)
+- modutils_read_module_config(bootloader_t)
+- modutils_exec_insmod(bootloader_t)
modutils_exec_depmod(bootloader_t)
modutils_exec_update_mods(bootloader_t)
+ modutils_domtrans_insmod_uncond(bootloader_t)
++ modutils_list_module_config(bootloader_t)
++ modutils_read_module_deps(bootloader_t)
++ modutils_read_module_config(bootloader_t)
')
optional_policy(`
@@ -110996,7 +111047,7 @@ index c6ca761..0c86bfd 100644
')
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index 8128de8..0880523 100644
+index 8128de8..0bb92ab 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -7,10 +7,10 @@ policy_module(netutils, 1.11.2)
@@ -111012,7 +111063,7 @@ index 8128de8..0880523 100644
type netutils_t;
type netutils_exec_t;
-@@ -42,6 +42,7 @@ allow netutils_t self:packet_socket create_socket_perms;
+@@ -42,16 +42,17 @@ allow netutils_t self:packet_socket create_socket_perms;
allow netutils_t self:udp_socket create_socket_perms;
allow netutils_t self:tcp_socket create_stream_socket_perms;
allow netutils_t self:socket create_socket_perms;
@@ -111020,9 +111071,10 @@ index 8128de8..0880523 100644
manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
-@@ -50,8 +51,9 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
+ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
+
kernel_search_proc(netutils_t)
- kernel_read_network_state(netutils_t)
+-kernel_read_network_state(netutils_t)
kernel_read_all_sysctls(netutils_t)
+kernel_read_network_state(netutils_t)
+kernel_request_load_module(netutils_t)
@@ -111031,7 +111083,7 @@ index 8128de8..0880523 100644
corenet_all_recvfrom_netlabel(netutils_t)
corenet_tcp_sendrecv_generic_if(netutils_t)
corenet_raw_sendrecv_generic_if(netutils_t)
-@@ -66,6 +68,9 @@ corenet_sendrecv_all_client_packets(netutils_t)
+@@ -66,6 +67,9 @@ corenet_sendrecv_all_client_packets(netutils_t)
corenet_udp_bind_generic_node(netutils_t)
dev_read_sysfs(netutils_t)
@@ -111041,7 +111093,7 @@ index 8128de8..0880523 100644
fs_getattr_xattr_fs(netutils_t)
-@@ -82,10 +87,9 @@ auth_use_nsswitch(netutils_t)
+@@ -82,10 +86,9 @@ auth_use_nsswitch(netutils_t)
logging_send_syslog_msg(netutils_t)
@@ -111053,7 +111105,7 @@ index 8128de8..0880523 100644
userdom_use_all_users_fds(netutils_t)
optional_policy(`
-@@ -106,13 +110,14 @@ optional_policy(`
+@@ -106,13 +109,14 @@ optional_policy(`
#
allow ping_t self:capability { setuid net_raw };
@@ -111071,7 +111123,7 @@ index 8128de8..0880523 100644
corenet_all_recvfrom_netlabel(ping_t)
corenet_tcp_sendrecv_generic_if(ping_t)
corenet_raw_sendrecv_generic_if(ping_t)
-@@ -122,6 +127,7 @@ corenet_raw_bind_generic_node(ping_t)
+@@ -122,6 +126,7 @@ corenet_raw_bind_generic_node(ping_t)
corenet_tcp_sendrecv_all_ports(ping_t)
fs_dontaudit_getattr_xattr_fs(ping_t)
@@ -111079,7 +111131,7 @@ index 8128de8..0880523 100644
domain_use_interactive_fds(ping_t)
-@@ -132,11 +138,9 @@ kernel_read_system_state(ping_t)
+@@ -132,11 +137,9 @@ kernel_read_system_state(ping_t)
auth_use_nsswitch(ping_t)
@@ -111093,7 +111145,7 @@ index 8128de8..0880523 100644
ifdef(`hide_broken_symptoms',`
init_dontaudit_use_fds(ping_t)
-@@ -147,11 +151,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -147,11 +150,25 @@ ifdef(`hide_broken_symptoms',`
')
')
@@ -111119,7 +111171,7 @@ index 8128de8..0880523 100644
pcmcia_use_cardmgr_fds(ping_t)
')
-@@ -159,6 +177,15 @@ optional_policy(`
+@@ -159,6 +176,15 @@ optional_policy(`
hotplug_use_fds(ping_t)
')
@@ -111135,7 +111187,7 @@ index 8128de8..0880523 100644
########################################
#
# Traceroute local policy
-@@ -172,7 +199,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
+@@ -172,7 +198,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
kernel_read_system_state(traceroute_t)
kernel_read_network_state(traceroute_t)
@@ -111143,7 +111195,7 @@ index 8128de8..0880523 100644
corenet_all_recvfrom_netlabel(traceroute_t)
corenet_tcp_sendrecv_generic_if(traceroute_t)
corenet_udp_sendrecv_generic_if(traceroute_t)
-@@ -196,6 +222,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
+@@ -196,6 +221,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
domain_use_interactive_fds(traceroute_t)
files_read_etc_files(traceroute_t)
@@ -111151,7 +111203,7 @@ index 8128de8..0880523 100644
files_dontaudit_search_var(traceroute_t)
init_use_fds(traceroute_t)
-@@ -204,11 +231,17 @@ auth_use_nsswitch(traceroute_t)
+@@ -204,11 +230,17 @@ auth_use_nsswitch(traceroute_t)
logging_send_syslog_msg(traceroute_t)
@@ -111417,7 +111469,7 @@ index 0960199..aa51ab2 100644
+ can_exec($1, sudo_exec_t)
+')
diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
-index d9fce57..8ae7673 100644
+index d9fce57..ed65dbc 100644
--- a/policy/modules/admin/sudo.te
+++ b/policy/modules/admin/sudo.te
@@ -7,3 +7,100 @@ attribute sudodomain;
@@ -111453,8 +111505,9 @@ index d9fce57..8ae7673 100644
+allow sudodomain self:unix_stream_socket connectto;
+allow sudodomain self:key manage_key_perms;
+
-+kernel_read_kernel_sysctls(sudodomain)
++kernel_getattr_core_if(sudodomain)
+kernel_link_key(sudodomain)
++kernel_read_kernel_sysctls(sudodomain)
+
+corecmd_read_bin_symlinks(sudodomain)
+corecmd_exec_all_executables(sudodomain)
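Review bot: `kernel_getattr_core_if(sudodomain)` is added without a comment saying which sudo operation needs to stat the kernel core interface, while the same block documents its other rules (`# sudo stores a token in the pam_pid directory`). Going by the interface name this grants getattr only, not read, so the exposure is small, but a line such as `# getattr only on the kernel core interface; triggered by <sudo operation — fill in>` keeps the rule reviewable later. The sudodomain block continues outside the hunk.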
@@ -111485,7 +111538,6 @@ index d9fce57..8ae7673 100644
+term_getattr_pty_fs(sudodomain)
+term_relabel_all_ttys(sudodomain)
+term_relabel_all_ptys(sudodomain)
-+term_getattr_pty_fs(sudodomain)
+
+#auth_run_chk_passwd(sudodomain)
+# sudo stores a token in the pam_pid directory
@@ -112382,7 +112434,7 @@ index 7590165..19aaaed 100644
+ fs_mounton_fusefs(seunshare_domain)
+')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 644d4d7..0c58f76 100644
+index 644d4d7..b8419c0 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@@ -112405,7 +112457,7 @@ index 644d4d7..0c58f76 100644
/etc/avahi/.*\.action -- gen_context(system_u:object_r:bin_t,s0)
/etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -69,6 +71,13 @@ ifdef(`distro_redhat',`
+@@ -69,16 +71,25 @@ ifdef(`distro_redhat',`
/etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0)
/etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -112419,7 +112471,11 @@ index 644d4d7..0c58f76 100644
/etc/mail/make -- gen_context(system_u:object_r:bin_t,s0)
/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0)
-@@ -79,6 +88,7 @@ ifdef(`distro_redhat',`
+ /etc/mcelog/.*\.local -- gen_context(system_u:object_r:bin_t,s0)
++/etc/mcelog/.*\.setup -- gen_context(system_u:object_r:bin_t,s0)
+
+ ifdef(`distro_redhat',`
+ /etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0)
')
/etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)
@@ -112427,7 +112483,7 @@ index 644d4d7..0c58f76 100644
/etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -101,8 +111,6 @@ ifdef(`distro_redhat',`
+@@ -101,8 +112,6 @@ ifdef(`distro_redhat',`
/etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)
@@ -112436,7 +112492,7 @@ index 644d4d7..0c58f76 100644
/etc/sysconfig/crond -- gen_context(system_u:object_r:bin_t,s0)
/etc/sysconfig/init -- gen_context(system_u:object_r:bin_t,s0)
/etc/sysconfig/libvirtd -- gen_context(system_u:object_r:bin_t,s0)
-@@ -134,10 +142,11 @@ ifdef(`distro_debian',`
+@@ -134,10 +143,11 @@ ifdef(`distro_debian',`
/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
@@ -112449,7 +112505,7 @@ index 644d4d7..0c58f76 100644
ifdef(`distro_gentoo',`
/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
-@@ -151,7 +160,7 @@ ifdef(`distro_gentoo',`
+@@ -151,7 +161,7 @@ ifdef(`distro_gentoo',`
#
# /sbin
#
@@ -112458,7 +112514,7 @@ index 644d4d7..0c58f76 100644
/sbin/.* gen_context(system_u:object_r:bin_t,s0)
/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
-@@ -167,6 +176,7 @@ ifdef(`distro_gentoo',`
+@@ -167,6 +177,7 @@ ifdef(`distro_gentoo',`
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -112466,7 +112522,7 @@ index 644d4d7..0c58f76 100644
/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -178,33 +188,49 @@ ifdef(`distro_gentoo',`
+@@ -178,33 +189,49 @@ ifdef(`distro_gentoo',`
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -112525,7 +112581,7 @@ index 644d4d7..0c58f76 100644
/usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -215,18 +241,28 @@ ifdef(`distro_gentoo',`
+@@ -215,18 +242,28 @@ ifdef(`distro_gentoo',`
/usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -112561,7 +112617,7 @@ index 644d4d7..0c58f76 100644
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
-@@ -241,10 +277,15 @@ ifdef(`distro_gentoo',`
+@@ -241,10 +278,15 @@ ifdef(`distro_gentoo',`
/usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@@ -112577,7 +112633,7 @@ index 644d4d7..0c58f76 100644
/usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-@@ -257,10 +298,17 @@ ifdef(`distro_gentoo',`
+@@ -257,10 +299,17 @@ ifdef(`distro_gentoo',`
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -112598,7 +112654,7 @@ index 644d4d7..0c58f76 100644
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -276,10 +324,15 @@ ifdef(`distro_gentoo',`
+@@ -276,10 +325,15 @@ ifdef(`distro_gentoo',`
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
@@ -112614,7 +112670,7 @@ index 644d4d7..0c58f76 100644
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -294,16 +347,21 @@ ifdef(`distro_gentoo',`
+@@ -294,16 +348,22 @@ ifdef(`distro_gentoo',`
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
@@ -112627,6 +112683,7 @@ index 644d4d7..0c58f76 100644
/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0)
++/usr/share/texlive/texmf/web2c/mktex(dir|nam|upd) gen_context(system_u:object_r:bin_t,s0)
/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/tucan.*/tucan.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
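Review bot: The new `/usr/share/texlive/texmf/web2c/mktex(dir|nam|upd)` entry names three specific scripts but carries no file-type specifier, so any object of that name (directory, symlink, socket) would be labelled bin_t, whereas the neighbouring single-file entry `/usr/share/tucan.*/tucan.py --` restricts itself to regular files. Unless non-regular files are expected there, `/usr/share/texlive/texmf/web2c/mktex(dir|nam|upd) -- gen_context(system_u:object_r:bin_t,s0)` is the more precise form.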
@@ -112638,7 +112695,7 @@ index 644d4d7..0c58f76 100644
ifdef(`distro_debian',`
/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -321,8 +379,12 @@ ifdef(`distro_redhat', `
+@@ -321,8 +381,12 @@ ifdef(`distro_redhat', `
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
@@ -112651,7 +112708,7 @@ index 644d4d7..0c58f76 100644
/usr/lib/vmware-tools/(s)?bin32(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/vmware-tools/(s)?bin64(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -332,9 +394,11 @@ ifdef(`distro_redhat', `
+@@ -332,9 +396,11 @@ ifdef(`distro_redhat', `
/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -112663,7 +112720,7 @@ index 644d4d7..0c58f76 100644
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -383,11 +447,15 @@ ifdef(`distro_suse', `
+@@ -383,11 +449,15 @@ ifdef(`distro_suse', `
#
# /var
#
@@ -112680,7 +112737,7 @@ index 644d4d7..0c58f76 100644
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
-@@ -397,3 +465,12 @@ ifdef(`distro_suse', `
+@@ -397,3 +467,12 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -114347,7 +114404,7 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..ae311f6 100644
+index 4edc40d..26fc01f 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
@@ -114560,7 +114617,7 @@ index 4edc40d..ae311f6 100644
network_port(pktcable_cops, tcp,2126,s0, udp,2126,s0)
network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
network_port(portmap, udp,111,s0, tcp,111,s0)
-@@ -214,14 +252,16 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -214,38 +252,41 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
@@ -114578,7 +114635,12 @@ index 4edc40d..ae311f6 100644
network_port(repository, tcp, 6363, s0)
network_port(ricci, tcp,11111,s0, udp,11111,s0)
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
-@@ -233,19 +273,20 @@ network_port(rsync, tcp,873,s0, udp,873,s0)
+ network_port(rlogind, tcp,513,s0)
+-network_port(rndc, tcp,953,s0, udp,953,s0)
++network_port(rndc, tcp,953,s0, udp,953,s0, tcp,8953,s0)
+ network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0)
+ network_port(rsh, tcp,514,s0)
+ network_port(rsync, tcp,873,s0, udp,873,s0)
network_port(rtsp, tcp,554,s0, udp,554,s0)
network_port(rwho, udp,513,s0)
network_port(sap, tcp,9875,s0, udp,9875,s0)
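Review bot: Adding tcp 8953 to `network_port(rndc, …)` silently extends every existing rndc_port_t permission to that port, and nothing on the page says which service listens there (8953 is the default unbound-control port, which is presumably the motivation, but that should be stated). A comment such as `# tcp 8953 is shared with unbound-control; every domain allowed rndc_port_t gains it too` above the line, or a dedicated port type if the two services are not meant to share permissions, would make the choice deliberate. The rest of corenetwork.te.in is outside the hunk.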
@@ -116807,7 +116869,7 @@ index 6529bd9..cfec99c 100644
+allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
allow devices_unconfined_type mtrr_device_t:file *;
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
-index 6a1e4d1..eee8419 100644
+index 6a1e4d1..70c5c72 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -76,33 +76,8 @@ interface(`domain_type',`
@@ -116916,7 +116978,7 @@ index 6a1e4d1..eee8419 100644
## Relabel to and from all entry point
## file types.
##
-@@ -1530,4 +1543,29 @@ interface(`domain_unconfined',`
+@@ -1530,4 +1543,30 @@ interface(`domain_unconfined',`
typeattribute $1 can_change_object_identity;
typeattribute $1 set_curr_context;
typeattribute $1 process_uncond_exempt;
@@ -116926,6 +116988,7 @@ index 6a1e4d1..eee8419 100644
+ mcs_killall($1)
+ mcs_ptrace_all($1)
+ mcs_socket_write_all_levels($1)
++ mcs_process_set_categories($1)
+')
+
+########################################
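Review bot: The three calls just above the new `mcs_process_set_categories($1)` line — `mcs_killall($1)`, `mcs_ptrace_all($1)` and `mcs_socket_write_all_levels($1)` — are turned into refpolicywarn() deprecation shims by the mcs.if hunks of this same commit, so every caller of domain_unconfined now triggers three build-time warnings and gains nothing from them; they should be dropped here rather than left to warn. The new line itself assigns mcssetcats, which after the policy/mcs rewrite earlier in this patch no longer appears in the process transition constraint, so it is likely a no-op too unless a constraint outside the page still uses it. The domain_unconfined interface begins before this hunk.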
@@ -116947,7 +117010,7 @@ index 6a1e4d1..eee8419 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index cf04cb5..7219a2a 100644
+index cf04cb5..bba3449 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,29 @@ policy_module(domain, 1.11.0)
@@ -117073,7 +117136,7 @@ index cf04cb5..7219a2a 100644
# Create/access any System V IPC objects.
allow unconfined_domain_type domain:{ sem msgq shm } *;
-@@ -166,5 +227,282 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
+@@ -166,5 +227,274 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
# act on all domains keys
allow unconfined_domain_type domain:key *;
@@ -117256,9 +117319,6 @@ index cf04cb5..7219a2a 100644
+
+ifdef(`distro_redhat',`
+ files_search_mnt(domain)
-+ optional_policy(`
-+ unconfined_use_fds(domain)
-+ ')
+')
+
+# these seem questionable:
@@ -117273,16 +117333,6 @@ index cf04cb5..7219a2a 100644
+')
+
+optional_policy(`
-+ rpm_use_fds(domain)
-+ rpm_read_pipes(domain)
-+ rpm_search_log(domain)
-+ rpm_append_tmp_files(domain)
-+ rpm_dontaudit_leaks(domain)
-+ rpm_read_script_tmp_files(domain)
-+ rpm_inherited_fifo(domain)
-+')
-+
-+optional_policy(`
+ sosreport_append_tmp_files(domain)
+')
+
@@ -117338,14 +117388,18 @@ index cf04cb5..7219a2a 100644
+ puppet_rw_tmp(domain)
+')
+
++dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
++
+optional_policy(`
+ rpm_use_fds(domain)
+ rpm_read_pipes(domain)
++ rpm_search_log(domain)
++ rpm_append_tmp_files(domain)
++ rpm_dontaudit_leaks(domain)
++ rpm_read_script_tmp_files(domain)
++ rpm_inherited_fifo(domain)
+')
+
-+dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
-+
-+
+tunable_policy(`fips_mode',`
+ allow domain self:fifo_file manage_fifo_file_perms;
+ kernel_read_kernel_sysctls(domain)
@@ -117356,6 +117410,7 @@ index cf04cb5..7219a2a 100644
+ prelink_exec(domain)
+ ')
+')
++
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index c2c6e05..d0e6d1c 100644
--- a/policy/modules/kernel/files.fc
@@ -122240,7 +122295,7 @@ index 649e458..31a14c8 100644
+ list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
')
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 6fac350..6fc8411 100644
+index 6fac350..6c81d4e 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,9 @@ attribute kern_unconfined;
@@ -122261,16 +122316,15 @@ index 6fac350..6fc8411 100644
role system_r types kernel_t;
sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
-@@ -58,6 +62,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
+@@ -58,6 +62,7 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
type debugfs_t;
files_mountpoint(debugfs_t)
fs_type(debugfs_t)
-+files_mountpoint(debugfs_t)
+
allow debugfs_t self:filesystem associate;
genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
-@@ -95,6 +101,10 @@ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
+@@ -95,6 +100,10 @@ genfscon proc /kcore gen_context(system_u:object_r:proc_kcore_t,mls_systemhigh)
type proc_mdstat_t, proc_type;
genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0)
@@ -122281,7 +122335,7 @@ index 6fac350..6fc8411 100644
type proc_net_t, proc_type;
genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0)
-@@ -153,6 +163,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
+@@ -153,6 +162,10 @@ genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
type sysctl_vm_t, sysctl_type;
genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0)
@@ -122292,15 +122346,7 @@ index 6fac350..6fc8411 100644
# /proc/sys/dev directory and files
type sysctl_dev_t, sysctl_type;
genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
-@@ -165,6 +179,7 @@ genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
- type unlabeled_t;
- fs_associate(unlabeled_t)
- sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-+fs_associate(unlabeled_t)
-
- # These initial sids are no longer used, and can be removed:
- sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-@@ -233,7 +248,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
+@@ -233,7 +246,6 @@ allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
corenet_in_generic_if(unlabeled_t)
corenet_in_generic_node(unlabeled_t)
@@ -122308,7 +122354,7 @@ index 6fac350..6fc8411 100644
corenet_all_recvfrom_netlabel(kernel_t)
# Kernel-generated traffic e.g., ICMP replies:
corenet_raw_sendrecv_all_if(kernel_t)
-@@ -244,17 +258,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
+@@ -244,17 +256,21 @@ corenet_tcp_sendrecv_all_if(kernel_t)
corenet_tcp_sendrecv_all_nodes(kernel_t)
corenet_raw_send_generic_node(kernel_t)
corenet_send_all_packets(kernel_t)
@@ -122334,7 +122380,7 @@ index 6fac350..6fc8411 100644
# Mount root file system. Used when loading a policy
# from initrd, then mounting the root filesystem
-@@ -263,7 +281,8 @@ fs_unmount_all_fs(kernel_t)
+@@ -263,7 +279,8 @@ fs_unmount_all_fs(kernel_t)
selinux_load_policy(kernel_t)
@@ -122344,7 +122390,7 @@ index 6fac350..6fc8411 100644
corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t)
-@@ -277,25 +296,48 @@ files_list_root(kernel_t)
+@@ -277,25 +294,48 @@ files_list_root(kernel_t)
files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
@@ -122393,7 +122439,7 @@ index 6fac350..6fc8411 100644
')
optional_policy(`
-@@ -305,6 +347,19 @@ optional_policy(`
+@@ -305,6 +345,19 @@ optional_policy(`
optional_policy(`
logging_send_syslog_msg(kernel_t)
@@ -122413,7 +122459,7 @@ index 6fac350..6fc8411 100644
')
optional_policy(`
-@@ -334,7 +389,6 @@ optional_policy(`
+@@ -334,7 +387,6 @@ optional_policy(`
rpc_manage_nfs_ro_content(kernel_t)
rpc_manage_nfs_rw_content(kernel_t)
@@ -122421,7 +122467,7 @@ index 6fac350..6fc8411 100644
rpc_udp_rw_nfs_sockets(kernel_t)
tunable_policy(`nfs_export_all_ro',`
-@@ -343,9 +397,7 @@ optional_policy(`
+@@ -343,9 +395,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
@@ -122432,7 +122478,7 @@ index 6fac350..6fc8411 100644
')
tunable_policy(`nfs_export_all_rw',`
-@@ -354,7 +406,7 @@ optional_policy(`
+@@ -354,7 +404,7 @@ optional_policy(`
fs_read_noxattr_fs_files(kernel_t)
fs_read_noxattr_fs_symlinks(kernel_t)
@@ -122441,7 +122487,7 @@ index 6fac350..6fc8411 100644
')
')
-@@ -367,6 +419,15 @@ optional_policy(`
+@@ -367,6 +417,15 @@ optional_policy(`
unconfined_domain_noaudit(kernel_t)
')
@@ -122457,7 +122503,7 @@ index 6fac350..6fc8411 100644
########################################
#
# Unlabeled process local policy
-@@ -409,4 +470,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
+@@ -409,4 +468,26 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
allow kern_unconfined unlabeled_t:filesystem *;
allow kern_unconfined unlabeled_t:association *;
allow kern_unconfined unlabeled_t:packet *;
@@ -122486,10 +122532,62 @@ index 6fac350..6fc8411 100644
+read_lnk_files_pattern(kernel_system_state_reader, proc_t, proc_t)
+list_dirs_pattern(kernel_system_state_reader, proc_t, proc_t)
diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
-index b08a6e8..226021d 100644
+index b08a6e8..43d504b 100644
--- a/policy/modules/kernel/mcs.if
+++ b/policy/modules/kernel/mcs.if
-@@ -130,3 +130,23 @@ interface(`mcs_process_set_categories',`
+@@ -44,11 +44,7 @@ interface(`mcs_constrained',`
+ ##
+ #
+ interface(`mcs_file_read_all',`
+- gen_require(`
+- attribute mcsreadall;
+- ')
+-
+- typeattribute $1 mcsreadall;
++ refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
+ ')
+
+ ########################################
+@@ -64,11 +60,7 @@ interface(`mcs_file_read_all',`
+ ##
+ #
+ interface(`mcs_file_write_all',`
+- gen_require(`
+- attribute mcswriteall;
+- ')
+-
+- typeattribute $1 mcswriteall;
++ refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
+ ')
+
+ ########################################
+@@ -84,11 +76,7 @@ interface(`mcs_file_write_all',`
+ ##
+ #
+ interface(`mcs_killall',`
+- gen_require(`
+- attribute mcskillall;
+- ')
+-
+- typeattribute $1 mcskillall;
++ refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
+ ')
+
+ ########################################
+@@ -104,11 +92,7 @@ interface(`mcs_killall',`
+ ##
+ #
+ interface(`mcs_ptrace_all',`
+- gen_require(`
+- attribute mcsptraceall;
+- ')
+-
+- typeattribute $1 mcsptraceall;
++ refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
+ ')
+
+ ########################################
+@@ -130,3 +114,19 @@ interface(`mcs_process_set_categories',`
typeattribute $1 mcssetcats;
')
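Review bot: The replacement body `refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')` reads as if the caller had called mcs_constrained(), but the domains that used mcs_file_read_all and its siblings were the ones needing an exemption, not the constrained ones, so the advice is confusing. Something like `$0() has been deprecated; MCS constraints now apply only to domains marked with mcs_constrained(), so this call can simply be removed.` tells the caller what to do. The same message is reused in the next hunk for mcs_socket_write_all_levels, and the `##` description blocks above each interface (context lines here) still describe the old attribute-granting behaviour and should mention the deprecation.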
@@ -122507,11 +122605,7 @@ index b08a6e8..226021d 100644
+##
+#
+interface(`mcs_socket_write_all_levels',`
-+ gen_require(`
-+ attribute mcsnetwrite;
-+ ')
-+
-+ typeattribute $1 mcsnetwrite;
++ refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
+')
diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te
index 5cbeb54..8067370 100644
@@ -122866,7 +122960,7 @@ index 81440c5..a02d444 100644
')
+
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
-index 522ab32..443f4a0 100644
+index 522ab32..cb9c3a2 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -17,6 +17,7 @@ gen_bool(secure_mode_policyload,false)
@@ -122877,13 +122971,7 @@ index 522ab32..443f4a0 100644
attribute can_setsecparam;
attribute selinux_unconfined_type;
-@@ -31,14 +32,15 @@ selinux_labeled_boolean(secure_mode_policyload_t, secure_mode_policyload)
- type security_t, boolean_type;
- files_mountpoint(security_t)
- fs_type(security_t)
-+files_mountpoint(security_t)
- mls_trusted_object(security_t)
- sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
+@@ -36,9 +37,9 @@ sid security gen_context(system_u:object_r:security_t,mls_systemhigh)
genfscon selinuxfs / gen_context(system_u:object_r:security_t,s0)
genfscon securityfs / gen_context(system_u:object_r:security_t,s0)
@@ -122896,7 +122984,7 @@ index 522ab32..443f4a0 100644
########################################
#
-@@ -60,11 +62,28 @@ ifdef(`distro_rhel4',`
+@@ -60,11 +61,28 @@ ifdef(`distro_rhel4',`
')
if(!secure_mode_policyload) {
@@ -122907,9 +122995,10 @@ index 522ab32..443f4a0 100644
+ dev_search_sysfs(can_setenforce)
+ allow can_setenforce security_t:dir list_dir_perms;
+ allow can_setenforce security_t:file rw_file_perms;
-+
-+ ifdef(`distro_rhel4',`
-+ # needed for systems without audit support
+
+ ifdef(`distro_rhel4',`
+ # needed for systems without audit support
+- auditallow selinux_unconfined_type security_t:security { load_policy setenforce };
+ auditallow can_setenforce security_t:security setenforce;
+ ')
+
@@ -122921,10 +123010,9 @@ index 522ab32..443f4a0 100644
+ ')
+
+ allow can_setbool boolean_type:security setbool;
-
- ifdef(`distro_rhel4',`
- # needed for systems without audit support
-- auditallow selinux_unconfined_type security_t:security { load_policy setenforce };
++
++ ifdef(`distro_rhel4',`
++ # needed for systems without audit support
+ auditallow can_setbool boolean_type:security setbool;
')
}
@@ -124691,7 +124779,7 @@ index ff92430..36740ea 100644
##
## Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 88d0028..39285bc 100644
+index 88d0028..e1ba9a0 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -5,39 +5,73 @@ policy_module(sysadm, 2.5.1)
@@ -124816,13 +124904,12 @@ index 88d0028..39285bc 100644
certwatch_run(sysadm_t, sysadm_r)
')
-@@ -122,11 +154,20 @@ optional_policy(`
+@@ -122,11 +154,19 @@ optional_policy(`
')
optional_policy(`
- consoletype_run(sysadm_t, sysadm_r)
+ cron_admin_role(sysadm_r, sysadm_t)
-+ #cron_role(sysadm_r, sysadm_t)
')
optional_policy(`
@@ -124839,7 +124926,7 @@ index 88d0028..39285bc 100644
')
optional_policy(`
-@@ -140,6 +181,10 @@ optional_policy(`
+@@ -140,6 +180,10 @@ optional_policy(`
')
optional_policy(`
@@ -124850,7 +124937,7 @@ index 88d0028..39285bc 100644
dmesg_exec(sysadm_t)
')
-@@ -156,11 +201,11 @@ optional_policy(`
+@@ -156,11 +200,11 @@ optional_policy(`
')
optional_policy(`
@@ -124864,7 +124951,7 @@ index 88d0028..39285bc 100644
')
optional_policy(`
-@@ -179,6 +224,13 @@ optional_policy(`
+@@ -179,6 +223,13 @@ optional_policy(`
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
@@ -124878,7 +124965,7 @@ index 88d0028..39285bc 100644
')
optional_policy(`
-@@ -186,15 +238,20 @@ optional_policy(`
+@@ -186,15 +237,20 @@ optional_policy(`
')
optional_policy(`
@@ -124902,7 +124989,7 @@ index 88d0028..39285bc 100644
')
optional_policy(`
-@@ -214,22 +271,20 @@ optional_policy(`
+@@ -214,22 +270,20 @@ optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -124931,7 +125018,7 @@ index 88d0028..39285bc 100644
')
optional_policy(`
-@@ -241,25 +296,47 @@ optional_policy(`
+@@ -241,25 +295,47 @@ optional_policy(`
')
optional_policy(`
@@ -124979,7 +125066,7 @@ index 88d0028..39285bc 100644
portage_run(sysadm_t, sysadm_r)
portage_run_fetch(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -270,31 +347,36 @@ optional_policy(`
+@@ -270,31 +346,36 @@ optional_policy(`
')
optional_policy(`
@@ -125023,7 +125110,7 @@ index 88d0028..39285bc 100644
')
optional_policy(`
-@@ -319,12 +401,18 @@ optional_policy(`
+@@ -319,12 +400,18 @@ optional_policy(`
')
optional_policy(`
@@ -125043,7 +125130,7 @@ index 88d0028..39285bc 100644
')
optional_policy(`
-@@ -349,7 +437,18 @@ optional_policy(`
+@@ -349,7 +436,18 @@ optional_policy(`
')
optional_policy(`
@@ -125063,7 +125150,7 @@ index 88d0028..39285bc 100644
')
optional_policy(`
-@@ -360,19 +459,15 @@ optional_policy(`
+@@ -360,19 +458,15 @@ optional_policy(`
')
optional_policy(`
@@ -125085,7 +125172,7 @@ index 88d0028..39285bc 100644
')
optional_policy(`
-@@ -384,10 +479,6 @@ optional_policy(`
+@@ -384,10 +478,6 @@ optional_policy(`
')
optional_policy(`
@@ -125096,7 +125183,7 @@ index 88d0028..39285bc 100644
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
usermanage_run_groupadd(sysadm_t, sysadm_r)
usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -395,6 +486,9 @@ optional_policy(`
+@@ -395,6 +485,9 @@ optional_policy(`
optional_policy(`
virt_stream_connect(sysadm_t)
@@ -125106,7 +125193,7 @@ index 88d0028..39285bc 100644
')
optional_policy(`
-@@ -402,31 +496,34 @@ optional_policy(`
+@@ -402,31 +495,34 @@ optional_policy(`
')
optional_policy(`
@@ -125147,7 +125234,7 @@ index 88d0028..39285bc 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -439,10 +536,6 @@ ifndef(`distro_redhat',`
+@@ -439,10 +535,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -125158,7 +125245,7 @@ index 88d0028..39285bc 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t)
optional_policy(`
-@@ -463,15 +556,75 @@ ifndef(`distro_redhat',`
+@@ -463,15 +555,75 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -125899,10 +125986,10 @@ index 0000000..bac0dc0
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..0b9a7bb
+index 0000000..09d96d1
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,373 @@
+@@ -0,0 +1,369 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -125979,10 +126066,6 @@ index 0000000..0b9a7bb
+files_create_default_dir(unconfined_t)
+files_root_filetrans_default(unconfined_t, dir)
+
-+mcs_killall(unconfined_t)
-+mcs_ptrace_all(unconfined_t)
-+mls_file_write_all_levels(unconfined_t)
-+
+init_run_daemon(unconfined_t, unconfined_r)
+init_domtrans_script(unconfined_t)
+init_telinit(unconfined_t)
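Review bot: Dropping mls_file_write_all_levels(unconfined_t) together with the two mcs_* calls removes more than the MCS cleanup implies: mcs_killall() and mcs_ptrace_all() are reduced to refpolicywarn() stubs elsewhere in this patch, so deleting those calls is a no-op, but mls_file_write_all_levels() is an MLS interface this patch does not deprecate, and removing it withdraws a real permission on any mls build that includes unconfineduser. If that tightening is intended, make it visible in the module with a comment such as `# no mls_file_write_all_levels(): unconfined_t still obeys MLS write constraints`; if it is not, keep that line and delete only the two mcs_* calls. The enclosing unconfined_t rule block continues outside this hunk.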
@@ -127494,7 +127577,7 @@ index fe0c682..2b21421 100644
+ allow $1 sshd_devpts_t:chr_file { getattr open read write ioctl };
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 5fc0391..129ae69 100644
+index 5fc0391..f0a738c 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,44 +6,51 @@ policy_module(ssh, 2.3.3)
@@ -127923,7 +128006,7 @@ index 5fc0391..129ae69 100644
optional_policy(`
seutil_sigchld_newrole(ssh_keygen_t)
-@@ -331,3 +448,124 @@ optional_policy(`
+@@ -331,3 +448,123 @@ optional_policy(`
optional_policy(`
udev_read_db(ssh_keygen_t)
')
@@ -127975,7 +128058,6 @@ index 5fc0391..129ae69 100644
+
+tunable_policy(`ssh_chroot_rw_homedirs',`
+ files_list_home(chroot_user_t)
-+ userdom_read_user_home_content_files(chroot_user_t)
+ userdom_manage_user_home_content(chroot_user_t)
+', `
+
@@ -128203,7 +128285,7 @@ index d1f64a0..c92d1e2 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 6bf0ecc..6c7c743 100644
+index 6bf0ecc..f74788a 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -129000,7 +129082,7 @@ index 6bf0ecc..6c7c743 100644
')
########################################
-@@ -1284,10 +1618,541 @@ interface(`xserver_manage_core_devices',`
+@@ -1284,10 +1618,559 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -129439,6 +129521,24 @@ index 6bf0ecc..6c7c743 100644
+# userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
+')
+
++#######################################
++##
++## Transition to xserver .fontconfig named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xserver_filetrans_fonts_cache_home_content',`
++ gen_require(`
++ type user_fonts_cache_t;
++ ')
++
++ userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")
++')
++
+########################################
+##
+## Transition to xserver named content
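Review bot: The new xserver_filetrans_fonts_cache_home_content() interface carries a summary, but its parameter description block appears empty in this hunk (possibly lost in rendering; if the tags are present in the file, ignore this point); refpolicy's documentation generator expects a `<param name="domain">` entry for `$1` with a one-line description such as "Domain allowed access." Separately, the preceding interface still contains the same rule commented out, `# userdom_user_home_dir_filetrans($1, user_fonts_cache_t, dir, ".fontconfig")`; now that a dedicated interface exists for it, that dead line should be deleted rather than left as a hint.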
@@ -129545,7 +129645,7 @@ index 6bf0ecc..6c7c743 100644
+ files_search_tmp($1)
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..4a06941 100644
+index 2696452..ffd9c11 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,27 +26,50 @@ gen_require(`
@@ -130101,7 +130201,7 @@ index 2696452..4a06941 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -441,28 +619,42 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -441,28 +619,40 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -130128,8 +130228,6 @@ index 2696452..4a06941 100644
+init_dbus_chat(xdm_t)
+init_pid_filetrans(xdm_t, xdm_var_run_t, dir, "multi-session-x")
+init_status(xdm_t)
-+
-+systemd_write_inhibit_pipes(xdm_t)
libs_exec_lib_files(xdm_t)
@@ -130147,7 +130245,7 @@ index 2696452..4a06941 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +663,43 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -471,24 +661,43 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -130197,7 +130295,7 @@ index 2696452..4a06941 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -502,11 +713,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -502,11 +711,26 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -130224,7 +130322,7 @@ index 2696452..4a06941 100644
')
optional_policy(`
-@@ -514,12 +740,71 @@ optional_policy(`
+@@ -514,12 +738,71 @@ optional_policy(`
')
optional_policy(`
@@ -130296,7 +130394,7 @@ index 2696452..4a06941 100644
hostname_exec(xdm_t)
')
-@@ -537,28 +822,78 @@ optional_policy(`
+@@ -537,28 +820,78 @@ optional_policy(`
')
optional_policy(`
@@ -130353,29 +130451,29 @@ index 2696452..4a06941 100644
optional_policy(`
- udev_read_db(xdm_t)
+ ssh_signull(xdm_t)
-+')
-+
-+optional_policy(`
-+ shutdown_domtrans(xdm_t)
')
optional_policy(`
- unconfined_domain(xdm_t)
- unconfined_domtrans(xdm_t)
-+ telepathy_exec(xdm_t)
++ shutdown_domtrans(xdm_t)
+')
- ifndef(`distro_redhat',`
- allow xdm_t self:process { execheap execmem };
- ')
+optional_policy(`
-+ udev_read_db(xdm_t)
++ telepathy_exec(xdm_t)
+')
- ifdef(`distro_rhel4',`
- allow xdm_t self:process { execheap execmem };
- ')
+optional_policy(`
++ udev_read_db(xdm_t)
++')
++
++optional_policy(`
+ unconfined_signal(xdm_t)
+')
+
@@ -130384,7 +130482,7 @@ index 2696452..4a06941 100644
')
optional_policy(`
-@@ -570,6 +905,14 @@ optional_policy(`
+@@ -570,6 +903,14 @@ optional_policy(`
')
optional_policy(`
@@ -130399,7 +130497,7 @@ index 2696452..4a06941 100644
xfs_stream_connect(xdm_t)
')
-@@ -594,8 +937,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -594,8 +935,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -130412,7 +130510,7 @@ index 2696452..4a06941 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +954,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -608,8 +952,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -130428,7 +130526,7 @@ index 2696452..4a06941 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -628,12 +981,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -628,12 +979,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -130450,7 +130548,7 @@ index 2696452..4a06941 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +1001,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -641,12 +999,12 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -130464,7 +130562,7 @@ index 2696452..4a06941 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1027,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -667,23 +1025,27 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -130481,7 +130579,6 @@ index 2696452..4a06941 100644
+
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
-+dev_read_raw_memory(xserver_t)
+dev_write_raw_memory(xserver_t)
dev_rwx_zero(xserver_t)
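Review bot: After this hunk xserver_t keeps dev_write_raw_memory() while the dev_read_raw_memory() addition is dropped; write access to the raw memory devices is among the broadest grants in the policy and is rarely useful without the read side, so presumably read is already granted by the upstream base and the removed line was a duplicate — that should be confirmed rather than leaving xserver_t with a write-only grant by accident. Either way the surviving write rule deserves a one-line comment naming the driver or use case that needs it, so the grant can be revisited when that need disappears; the context line `# read events - the synaptics touchpad driver reads raw events` above shows the expected style.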
@@ -130496,7 +130593,7 @@ index 2696452..4a06941 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -694,8 +1059,13 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -694,8 +1056,13 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -130510,7 +130607,7 @@ index 2696452..4a06941 100644
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -708,20 +1078,18 @@ init_getpgid(xserver_t)
+@@ -708,20 +1075,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -130534,7 +130631,16 @@ index 2696452..4a06941 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -775,16 +1143,40 @@ optional_policy(`
+@@ -729,8 +1094,6 @@ userdom_setattr_user_ttys(xserver_t)
+ userdom_read_user_tmp_files(xserver_t)
+ userdom_rw_user_tmpfs_files(xserver_t)
+
+-xserver_use_user_fonts(xserver_t)
+-
+ ifndef(`distro_redhat',`
+ allow xserver_t self:process { execmem execheap execstack };
+ domain_mmap_low_uncond(xserver_t)
+@@ -775,16 +1138,40 @@ optional_policy(`
')
optional_policy(`
@@ -130576,7 +130682,7 @@ index 2696452..4a06941 100644
unconfined_domtrans(xserver_t)
')
-@@ -793,6 +1185,10 @@ optional_policy(`
+@@ -793,6 +1180,10 @@ optional_policy(`
')
optional_policy(`
@@ -130587,7 +130693,7 @@ index 2696452..4a06941 100644
xfs_stream_connect(xserver_t)
')
-@@ -808,10 +1204,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -808,10 +1199,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -130601,7 +130707,7 @@ index 2696452..4a06941 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1215,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -819,7 +1210,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -130610,7 +130716,7 @@ index 2696452..4a06941 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -832,26 +1228,21 @@ init_use_fds(xserver_t)
+@@ -832,26 +1223,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -130645,18 +130751,7 @@ index 2696452..4a06941 100644
')
optional_policy(`
-@@ -859,6 +1250,10 @@ optional_policy(`
- rhgb_rw_tmpfs_files(xserver_t)
- ')
-
-+optional_policy(`
-+ userhelper_search_config(xserver_t)
-+')
-+
- ########################################
- #
- # Rules common to all X window domains
-@@ -902,7 +1297,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -902,7 +1288,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -130665,7 +130760,7 @@ index 2696452..4a06941 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -956,11 +1351,31 @@ allow x_domain self:x_resource { read write };
+@@ -956,11 +1342,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -130697,7 +130792,7 @@ index 2696452..4a06941 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -982,18 +1397,44 @@ tunable_policy(`! xserver_object_manager',`
+@@ -982,18 +1388,40 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -130733,10 +130828,6 @@ index 2696452..4a06941 100644
+ fs_append_nfs_files(xdmhomewriter)
+')
+
-+tunable_policy(`use_nfs_home_dirs',`
-+ fs_append_nfs_files(xdmhomewriter)
-+')
-+
+optional_policy(`
+ unconfined_rw_shm(xserver_t)
+
@@ -130869,10 +130960,10 @@ index 1b6619e..be02b96 100644
+ allow $1 application_domain_type:socket_class_set getattr;
+')
diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te
-index c6fdab7..c59902a 100644
+index c6fdab7..fc63d59 100644
--- a/policy/modules/system/application.te
+++ b/policy/modules/system/application.te
-@@ -6,6 +6,30 @@ attribute application_domain_type;
+@@ -6,7 +6,27 @@ attribute application_domain_type;
# Executables to be run by user
attribute application_exec_type;
@@ -130895,14 +130986,11 @@ index c6fdab7..c59902a 100644
+ cfengine_append_inherited_log(application_domain_type)
+')
+
-+optional_policy(`
-+ cron_rw_inherited_user_spool_files(application_domain_type)
-+ cron_sigchld(application_domain_type)
-+')
-+
optional_policy(`
++ cron_rw_inherited_user_spool_files(application_domain_type)
cron_sigchld(application_domain_type)
')
+
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
index 28ad538..ebe81bf 100644
--- a/policy/modules/system/authlogin.fc
@@ -131714,7 +131802,7 @@ index 3efd5b6..7c0ea2d 100644
+ userdom_user_home_dir_filetrans($1, auth_home_t, file, ".google_authenticator~")
+')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 104037e..eceffb2 100644
+index 104037e..d10bb17 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.2)
@@ -131979,7 +132067,15 @@ index 104037e..eceffb2 100644
files_list_var_lib(nsswitch_domain)
# read /etc/nsswitch.conf
-@@ -426,6 +457,12 @@ tunable_policy(`authlogin_nsswitch_use_ldap',`
+@@ -418,14 +449,18 @@ files_read_etc_files(nsswitch_domain)
+ sysnet_dns_name_resolve(nsswitch_domain)
+
+ tunable_policy(`authlogin_nsswitch_use_ldap',`
+- files_list_var_lib(nsswitch_domain)
+-
+ miscfiles_read_generic_certs(nsswitch_domain)
+ sysnet_use_ldap(nsswitch_domain)
+ ')
optional_policy(`
tunable_policy(`authlogin_nsswitch_use_ldap',`
@@ -131992,7 +132088,7 @@ index 104037e..eceffb2 100644
ldap_stream_connect(nsswitch_domain)
')
')
-@@ -438,6 +475,7 @@ optional_policy(`
+@@ -438,6 +473,7 @@ optional_policy(`
likewise_stream_connect_lsassd(nsswitch_domain)
')
@@ -132000,7 +132096,7 @@ index 104037e..eceffb2 100644
optional_policy(`
kerberos_use(nsswitch_domain)
')
-@@ -456,6 +494,7 @@ optional_policy(`
+@@ -456,6 +492,7 @@ optional_policy(`
optional_policy(`
sssd_stream_connect(nsswitch_domain)
@@ -132008,7 +132104,7 @@ index 104037e..eceffb2 100644
')
optional_policy(`
-@@ -463,3 +502,132 @@ optional_policy(`
+@@ -463,3 +500,132 @@ optional_policy(`
samba_read_var_files(nsswitch_domain)
samba_dontaudit_write_var_files(nsswitch_domain)
')
@@ -132283,7 +132379,7 @@ index 016a770..1effeb4 100644
+ files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid")
+')
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
-index 6c4b6ee..86a90a2 100644
+index 6c4b6ee..417f5e5 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -13,6 +13,9 @@ role system_r types fsadm_t;
@@ -132321,7 +132417,7 @@ index 6c4b6ee..86a90a2 100644
# Write to /etc/mtab.
files_manage_etc_runtime_files(fsadm_t)
files_etc_filetrans_etc_runtime(fsadm_t, file)
-@@ -120,11 +131,16 @@ fs_list_auto_mountpoints(fsadm_t)
+@@ -120,6 +131,9 @@ fs_list_auto_mountpoints(fsadm_t)
fs_search_tmpfs(fsadm_t)
fs_getattr_tmpfs_dirs(fsadm_t)
fs_read_tmpfs_symlinks(fsadm_t)
@@ -132331,14 +132427,7 @@ index 6c4b6ee..86a90a2 100644
# Recreate /mnt/cdrom.
files_manage_mnt_dirs(fsadm_t)
# for tune2fs
- files_search_all(fsadm_t)
-
-+mcs_file_read_all(fsadm_t)
-+
- mls_file_read_all_levels(fsadm_t)
- mls_file_write_all_levels(fsadm_t)
-
-@@ -133,21 +149,24 @@ storage_raw_write_fixed_disk(fsadm_t)
+@@ -133,21 +147,24 @@ storage_raw_write_fixed_disk(fsadm_t)
storage_raw_read_removable_device(fsadm_t)
storage_raw_write_removable_device(fsadm_t)
storage_read_scsi_generic(fsadm_t)
@@ -132365,7 +132454,7 @@ index 6c4b6ee..86a90a2 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -166,6 +185,11 @@ optional_policy(`
+@@ -166,6 +183,11 @@ optional_policy(`
')
optional_policy(`
@@ -132377,7 +132466,7 @@ index 6c4b6ee..86a90a2 100644
hal_dontaudit_write_log(fsadm_t)
')
-@@ -179,6 +203,10 @@ optional_policy(`
+@@ -179,6 +201,10 @@ optional_policy(`
')
optional_policy(`
@@ -132388,7 +132477,7 @@ index 6c4b6ee..86a90a2 100644
nis_use_ypbind(fsadm_t)
')
-@@ -192,6 +220,10 @@ optional_policy(`
+@@ -192,6 +218,10 @@ optional_policy(`
')
optional_policy(`
@@ -133819,7 +133908,7 @@ index 24e7804..386109d 100644
+ allow $1 init_t:system undefined;
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..682e5fc 100644
+index dd3be8d..1c57099 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,24 @@ gen_require(`
@@ -133965,7 +134054,7 @@ index dd3be8d..682e5fc 100644
allow init_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(init_t, initctl_t, fifo_file)
-@@ -125,28 +180,39 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
+@@ -125,13 +180,17 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
kernel_read_system_state(init_t)
kernel_share_state(init_t)
@@ -133984,10 +134073,9 @@ index dd3be8d..682e5fc 100644
domain_getpgid_all_domains(init_t)
domain_kill_all_domains(init_t)
- domain_signal_all_domains(init_t)
+@@ -139,14 +198,20 @@ domain_signal_all_domains(init_t)
domain_signull_all_domains(init_t)
domain_sigstop_all_domains(init_t)
-+domain_sigstop_all_domains(init_t)
domain_sigchld_all_domains(init_t)
+domain_read_all_domains_state(init_t)
@@ -134006,16 +134094,13 @@ index dd3be8d..682e5fc 100644
# file descriptors inherited from the rootfs:
files_dontaudit_rw_root_files(init_t)
files_dontaudit_rw_root_chr_files(init_t)
-@@ -155,6 +221,8 @@ fs_list_inotifyfs(init_t)
- # cjp: this may be related to /dev/log
+@@ -156,28 +221,45 @@ fs_list_inotifyfs(init_t)
fs_write_ramfs_sockets(init_t)
-+mcs_file_read_all(init_t)
-+mcs_file_write_all(init_t)
mcs_process_set_categories(init_t)
- mcs_killall(init_t)
+-mcs_killall(init_t)
-@@ -162,22 +230,41 @@ mls_file_read_all_levels(init_t)
+ mls_file_read_all_levels(init_t)
mls_file_write_all_levels(init_t)
mls_process_write_down(init_t)
mls_fd_use_all_levels(init_t)
@@ -134023,7 +134108,6 @@ index dd3be8d..682e5fc 100644
+mls_socket_write_all_levels(init_t)
+
+mls_rangetrans_source(init_t)
-+mls_rangetrans_source(initrc_t)
selinux_set_all_booleans(init_t)
+selinux_load_policy(init_t)
@@ -134051,15 +134135,15 @@ index dd3be8d..682e5fc 100644
+
+miscfiles_manage_localization(init_t)
+miscfiles_filetrans_named_content(init_t)
-+
-+userdom_use_user_ttys(init_t)
-miscfiles_read_localization(init_t)
++userdom_use_user_ttys(init_t)
++
+allow init_t self:process setsched;
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
-@@ -186,29 +273,176 @@ ifdef(`distro_gentoo',`
+@@ -186,29 +268,176 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -134087,9 +134171,10 @@ index dd3be8d..682e5fc 100644
+
+optional_policy(`
+ gnome_filetrans_home_content(init_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- auth_rw_login_records(init_t)
+ modutils_domtrans_insmod(init_t)
+ modutils_list_module_config(init_t)
+')
@@ -134219,11 +134304,10 @@ index dd3be8d..682e5fc 100644
')
optional_policy(`
-- auth_rw_login_records(init_t)
+ consolekit_manage_log(init_t)
- ')
-
- optional_policy(`
++')
++
++optional_policy(`
+ dbus_connect_system_bus(init_t)
dbus_system_bus_client(init_t)
+ dbus_delete_pid_files(init_t)
@@ -134244,7 +134328,7 @@ index dd3be8d..682e5fc 100644
')
optional_policy(`
-@@ -216,6 +450,27 @@ optional_policy(`
+@@ -216,6 +445,27 @@ optional_policy(`
')
optional_policy(`
@@ -134272,7 +134356,7 @@ index dd3be8d..682e5fc 100644
unconfined_domain(init_t)
')
-@@ -225,8 +480,9 @@ optional_policy(`
+@@ -225,8 +475,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -134284,7 +134368,7 @@ index dd3be8d..682e5fc 100644
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -257,12 +513,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -257,12 +508,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -134301,7 +134385,7 @@ index dd3be8d..682e5fc 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +538,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -278,23 +533,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -134344,7 +134428,7 @@ index dd3be8d..682e5fc 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +575,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -302,9 +570,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -134356,7 +134440,7 @@ index dd3be8d..682e5fc 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -312,8 +587,10 @@ dev_write_framebuffer(initrc_t)
+@@ -312,8 +582,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -134367,7 +134451,7 @@ index dd3be8d..682e5fc 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -321,17 +598,16 @@ dev_manage_generic_files(initrc_t)
+@@ -321,8 +593,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -134377,9 +134461,7 @@ index dd3be8d..682e5fc 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
- domain_signull_all_domains(initrc_t)
- domain_sigstop_all_domains(initrc_t)
-+domain_sigstop_all_domains(initrc_t)
+@@ -331,7 +602,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -134387,7 +134469,7 @@ index dd3be8d..682e5fc 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -339,6 +615,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -339,6 +609,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -134395,7 +134477,7 @@ index dd3be8d..682e5fc 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -346,8 +623,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -346,14 +617,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -134407,7 +134489,13 @@ index dd3be8d..682e5fc 100644
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -363,8 +642,12 @@ files_list_isid_type_dirs(initrc_t)
+ files_manage_etc_runtime_files(initrc_t)
+ files_etc_filetrans_etc_runtime(initrc_t, file)
+-files_exec_etc_files(initrc_t)
+ files_read_usr_files(initrc_t)
+ files_manage_urandom_seed(initrc_t)
+ files_manage_generic_spool(initrc_t)
+@@ -363,8 +635,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
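Review bot: The nested removal of files_exec_etc_files(initrc_t) in this hunk takes execute on etc_t away from initrc_t, which is a behaviour change rather than the renumbering the surrounding lines suggest; any init script that still runs a helper left labelled etc_t (instead of bin_t or initrc_exec_t) will now be denied. That is a reasonable tightening, but it should be called out, either with a comment next to the removal in the nested patch or in the merge description, and checked against AVC denials from a permissive boot before release. The enclosing initrc_t rule block continues outside this hunk.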
@@ -134421,7 +134509,7 @@ index dd3be8d..682e5fc 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -374,9 +657,13 @@ fs_mount_all_fs(initrc_t)
+@@ -374,10 +650,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -134431,12 +134519,11 @@ index dd3be8d..682e5fc 100644
# initrc_t needs to do a pidof which requires ptrace
-mcs_ptrace_all(initrc_t)
-+mcs_file_read_all(initrc_t)
-+mcs_file_write_all(initrc_t)
- mcs_killall(initrc_t)
+-mcs_killall(initrc_t)
mcs_process_set_categories(initrc_t)
-@@ -386,6 +673,7 @@ mls_process_read_up(initrc_t)
+ mls_file_read_all_levels(initrc_t)
+@@ -386,6 +663,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -134444,7 +134531,7 @@ index dd3be8d..682e5fc 100644
selinux_get_enforce_mode(initrc_t)
-@@ -397,6 +685,7 @@ term_use_all_terms(initrc_t)
+@@ -397,6 +675,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -134452,7 +134539,7 @@ index dd3be8d..682e5fc 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -415,20 +704,18 @@ logging_read_all_logs(initrc_t)
+@@ -415,20 +694,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -134476,7 +134563,15 @@ index dd3be8d..682e5fc 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -485,6 +772,10 @@ ifdef(`distro_gentoo',`
+@@ -450,7 +727,6 @@ ifdef(`distro_gentoo',`
+ allow initrc_t self:process setfscreate;
+ dev_create_null_dev(initrc_t)
+ dev_create_zero_dev(initrc_t)
+- dev_create_generic_dirs(initrc_t)
+ term_create_console_dev(initrc_t)
+
+ # unfortunately /sbin/rc does stupid tricks
+@@ -485,6 +761,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -134487,7 +134582,7 @@ index dd3be8d..682e5fc 100644
alsa_read_lib(initrc_t)
')
-@@ -505,7 +796,7 @@ ifdef(`distro_redhat',`
+@@ -505,7 +785,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -134496,7 +134591,7 @@ index dd3be8d..682e5fc 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -520,6 +811,7 @@ ifdef(`distro_redhat',`
+@@ -520,6 +800,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -134504,7 +134599,7 @@ index dd3be8d..682e5fc 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -540,6 +832,7 @@ ifdef(`distro_redhat',`
+@@ -540,6 +821,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -134512,7 +134607,7 @@ index dd3be8d..682e5fc 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +842,40 @@ ifdef(`distro_redhat',`
+@@ -549,8 +831,40 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -134553,7 +134648,7 @@ index dd3be8d..682e5fc 100644
')
optional_policy(`
-@@ -558,14 +883,31 @@ ifdef(`distro_redhat',`
+@@ -558,14 +872,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -134585,7 +134680,7 @@ index dd3be8d..682e5fc 100644
')
')
-@@ -576,6 +918,39 @@ ifdef(`distro_suse',`
+@@ -576,6 +907,39 @@ ifdef(`distro_suse',`
')
')
@@ -134625,7 +134720,7 @@ index dd3be8d..682e5fc 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +963,8 @@ optional_policy(`
+@@ -588,6 +952,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -134634,7 +134729,7 @@ index dd3be8d..682e5fc 100644
')
optional_policy(`
-@@ -609,6 +986,7 @@ optional_policy(`
+@@ -609,6 +975,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -134642,7 +134737,7 @@ index dd3be8d..682e5fc 100644
')
optional_policy(`
-@@ -625,6 +1003,17 @@ optional_policy(`
+@@ -625,6 +992,17 @@ optional_policy(`
')
optional_policy(`
@@ -134660,7 +134755,7 @@ index dd3be8d..682e5fc 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -641,9 +1030,13 @@ optional_policy(`
+@@ -641,9 +1019,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -134674,18 +134769,25 @@ index dd3be8d..682e5fc 100644
')
optional_policy(`
-@@ -668,6 +1061,10 @@ optional_policy(`
+@@ -656,15 +1038,11 @@ optional_policy(`
')
optional_policy(`
+- # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
+- # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
+- # the directory. But we do not want to allow this.
+- # The master process of dovecot will manage this file.
+- dovecot_dontaudit_unlink_lib_files(initrc_t)
++ ftp_read_config(initrc_t)
+ ')
+
+ optional_policy(`
+- ftp_read_config(initrc_t)
+ glance_manage_pid_files(initrc_t)
-+')
-+
-+optional_policy(`
- gpm_setattr_gpmctl(initrc_t)
')
-@@ -685,6 +1082,15 @@ optional_policy(`
+ optional_policy(`
+@@ -685,6 +1063,15 @@ optional_policy(`
')
optional_policy(`
@@ -134701,7 +134803,7 @@ index dd3be8d..682e5fc 100644
inn_exec_config(initrc_t)
')
-@@ -725,6 +1131,7 @@ optional_policy(`
+@@ -725,6 +1112,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -134709,7 +134811,7 @@ index dd3be8d..682e5fc 100644
')
optional_policy(`
-@@ -742,7 +1149,14 @@ optional_policy(`
+@@ -742,7 +1130,14 @@ optional_policy(`
')
optional_policy(`
@@ -134724,7 +134826,7 @@ index dd3be8d..682e5fc 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -765,6 +1179,10 @@ optional_policy(`
+@@ -765,6 +1160,10 @@ optional_policy(`
')
optional_policy(`
@@ -134735,7 +134837,7 @@ index dd3be8d..682e5fc 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -774,10 +1192,20 @@ optional_policy(`
+@@ -774,10 +1173,20 @@ optional_policy(`
')
optional_policy(`
@@ -134756,7 +134858,7 @@ index dd3be8d..682e5fc 100644
quota_manage_flags(initrc_t)
')
-@@ -786,6 +1214,10 @@ optional_policy(`
+@@ -786,6 +1195,10 @@ optional_policy(`
')
optional_policy(`
@@ -134767,7 +134869,7 @@ index dd3be8d..682e5fc 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -807,8 +1239,6 @@ optional_policy(`
+@@ -807,8 +1220,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -134776,7 +134878,7 @@ index dd3be8d..682e5fc 100644
')
optional_policy(`
-@@ -817,6 +1247,10 @@ optional_policy(`
+@@ -817,6 +1228,10 @@ optional_policy(`
')
optional_policy(`
@@ -134787,7 +134889,7 @@ index dd3be8d..682e5fc 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -826,10 +1260,12 @@ optional_policy(`
+@@ -826,10 +1241,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -134800,7 +134902,7 @@ index dd3be8d..682e5fc 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1292,31 @@ optional_policy(`
+@@ -856,12 +1273,27 @@ optional_policy(`
')
optional_policy(`
@@ -134824,16 +134926,12 @@ index dd3be8d..682e5fc 100644
optional_policy(`
unconfined_domain(initrc_t)
+ domain_role_change_exemption(initrc_t)
-+ mcs_file_read_all(initrc_t)
-+ mcs_file_write_all(initrc_t)
-+ mcs_socket_write_all_levels(initrc_t)
-+ mcs_killall(initrc_t)
+
+ files_tmp_filetrans(initrc_t, initrc_tmp_t, { dir_file_class_set })
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1326,18 @@ optional_policy(`
+@@ -871,6 +1303,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -134852,7 +134950,7 @@ index dd3be8d..682e5fc 100644
')
optional_policy(`
-@@ -886,6 +1353,10 @@ optional_policy(`
+@@ -886,6 +1330,10 @@ optional_policy(`
')
optional_policy(`
@@ -134863,7 +134961,7 @@ index dd3be8d..682e5fc 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -896,3 +1367,185 @@ optional_policy(`
+@@ -896,3 +1344,185 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
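Review bot: The new side drops `mcs_file_read_all(initrc_t)`, `mcs_file_write_all(initrc_t)`, `mcs_socket_write_all_levels(initrc_t)` and `mcs_killall(initrc_t)` from the `unconfined_domain(initrc_t)` block without recording why; the mount.te hunk at `@@ -138775,9 +138809,6 @@` makes the same removal of `mcs_file_read_all`/`mcs_file_write_all` for mount_t. Presumably this relies on the reworked MCS constraints elsewhere in this patch no longer consulting the read-all/write-all attributes, so the explicit exemptions are dead code — but that dependency is invisible here, and if either domain is later made mcs_constrained_type, cross-category tmp cleanup at boot and mount operations would start to be denied. A one-line comment next to `domain_role_change_exemption(initrc_t)` would preserve the rationale, e.g. `# MCS read/write-all exemptions intentionally omitted; see the policy/mcs constraint rework in this patch`.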
@@ -135312,7 +135410,7 @@ index 1b93eb7..5effebe 100644
+/usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
-index c42fbc3..7071460 100644
+index c42fbc3..174cfdb 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -17,10 +17,6 @@ interface(`iptables_domtrans',`
@@ -135326,32 +135424,7 @@ index c42fbc3..7071460 100644
')
########################################
-@@ -42,11 +38,22 @@ interface(`iptables_domtrans',`
- #
- interface(`iptables_run',`
- gen_require(`
-- attribute_role iptables_roles;
-+ #attribute_role iptables_roles;
-+ type iptables_t;
- ')
-
-+ #iptables_domtrans($1)
-+ #roleattribute $2 iptables_roles;
-+
- iptables_domtrans($1)
-- roleattribute $2 iptables_roles;
-+ role $2 types iptables_t;
-+
-+ sysnet_run_ifconfig(iptables_t, $2)
-+
-+ optional_policy(`
-+ modutils_run_insmod(iptables_t, $2)
-+ ')
-+
- ')
-
- ########################################
-@@ -86,6 +93,29 @@ interface(`iptables_initrc_domtrans',`
+@@ -86,6 +82,29 @@ interface(`iptables_initrc_domtrans',`
init_labeled_script_domtrans($1, iptables_initrc_exec_t)
')
@@ -135382,25 +135455,10 @@ index c42fbc3..7071460 100644
##
## Set the attributes of iptables config files.
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index 5dfa44b..16d64ad 100644
+index 5dfa44b..938e2ec 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
-@@ -5,26 +5,27 @@ policy_module(iptables, 1.13.1)
- # Declarations
- #
-
--attribute_role iptables_roles;
--roleattribute system_r iptables_roles;
-+#attribute_role iptables_roles;
-+#roleattribute system_r iptables_roles;
-
- type iptables_t;
- type iptables_exec_t;
- init_system_domain(iptables_t, iptables_exec_t)
--role iptables_roles types iptables_t;
-+#role iptables_roles types iptables_t;
-+role system_r types iptables_t;
-
+@@ -16,15 +16,15 @@ role iptables_roles types iptables_t;
type iptables_initrc_exec_t;
init_script_file(iptables_initrc_exec_t)
@@ -135419,7 +135477,7 @@ index 5dfa44b..16d64ad 100644
########################################
#
# Iptables local policy
-@@ -37,8 +38,8 @@ allow iptables_t self:process { sigchld sigkill sigstop signull signal };
+@@ -37,8 +37,8 @@ allow iptables_t self:process { sigchld sigkill sigstop signull signal };
allow iptables_t self:netlink_socket create_socket_perms;
allow iptables_t self:rawip_socket create_socket_perms;
@@ -135430,7 +135488,7 @@ index 5dfa44b..16d64ad 100644
manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
files_pid_filetrans(iptables_t, iptables_var_run_t, file)
-@@ -49,6 +50,7 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms;
+@@ -49,6 +49,7 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms;
allow iptables_t iptables_tmp_t:file manage_file_perms;
files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
@@ -135438,18 +135496,15 @@ index 5dfa44b..16d64ad 100644
kernel_request_load_module(iptables_t)
kernel_read_system_state(iptables_t)
kernel_read_network_state(iptables_t)
-@@ -64,6 +66,10 @@ corenet_relabelto_all_packets(iptables_t)
+@@ -64,6 +65,7 @@ corenet_relabelto_all_packets(iptables_t)
corenet_dontaudit_rw_tun_tap_dev(iptables_t)
dev_read_sysfs(iptables_t)
+dev_read_urand(iptables_t)
-+ifdef(`hide_broken_symptoms',`
-+ dev_dontaudit_write_mtrr(iptables_t)
-+')
fs_getattr_xattr_fs(iptables_t)
fs_search_auto_mountpoints(iptables_t)
-@@ -72,11 +78,13 @@ fs_list_inotifyfs(iptables_t)
+@@ -72,11 +74,11 @@ fs_list_inotifyfs(iptables_t)
mls_file_read_all_levels(iptables_t)
term_dontaudit_use_console(iptables_t)
@@ -135457,14 +135512,13 @@ index 5dfa44b..16d64ad 100644
domain_use_interactive_fds(iptables_t)
- files_read_etc_files(iptables_t)
+-files_read_etc_files(iptables_t)
-files_read_etc_runtime_files(iptables_t)
+files_rw_etc_runtime_files(iptables_t)
-+files_read_usr_files(iptables_t)
auth_use_nsswitch(iptables_t)
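Review bot: The inner patch now deletes `files_read_etc_files(iptables_t)` (the `+-files_read_etc_files(iptables_t)` line) and also drops the previously added `files_read_usr_files(iptables_t)`, leaving only `files_rw_etc_runtime_files(iptables_t)` visible for access under /etc. The iptables service reads its saved rule set from /etc, so unless etc read access is granted to every domain somewhere else in this patch — which I cannot see from this hunk — the firewall would be denied reading its own configuration at boot. If such a blanket grant exists, a short comment at the removal point would spare the next reader the same check, e.g. `# etc read access is granted to all domains elsewhere`; if it does not, the line should stay.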
-@@ -85,15 +93,16 @@ init_use_script_ptys(iptables_t)
+@@ -85,15 +87,14 @@ init_use_script_ptys(iptables_t)
# to allow rules to be saved on reboot:
init_rw_script_tmp_files(iptables_t)
init_rw_script_stream_sockets(iptables_t)
@@ -135473,10 +135527,8 @@ index 5dfa44b..16d64ad 100644
logging_send_syslog_msg(iptables_t)
-miscfiles_read_localization(iptables_t)
-
--sysnet_run_ifconfig(iptables_t, iptables_roles)
-+#sysnet_run_ifconfig(iptables_t, iptables_roles)
-+sysnet_domtrans_ifconfig(iptables_t)
+-
+ sysnet_run_ifconfig(iptables_t, iptables_roles)
sysnet_dns_name_resolve(iptables_t)
-userdom_use_user_terminals(iptables_t)
@@ -135484,7 +135536,7 @@ index 5dfa44b..16d64ad 100644
userdom_use_all_users_fds(iptables_t)
ifdef(`hide_broken_symptoms',`
-@@ -102,6 +111,8 @@ ifdef(`hide_broken_symptoms',`
+@@ -102,6 +103,8 @@ ifdef(`hide_broken_symptoms',`
optional_policy(`
fail2ban_append_log(iptables_t)
@@ -135493,17 +135545,7 @@ index 5dfa44b..16d64ad 100644
')
optional_policy(`
-@@ -110,7 +121,8 @@ optional_policy(`
- ')
-
- optional_policy(`
-- modutils_run_insmod(iptables_t, iptables_roles)
-+ modutils_domtrans_insmod(iptables_t)
-+ #modutils_run_insmod(iptables_t, iptables_roles)
- ')
-
- optional_policy(`
-@@ -124,6 +136,7 @@ optional_policy(`
+@@ -124,6 +127,7 @@ optional_policy(`
optional_policy(`
psad_rw_tmp_files(iptables_t)
@@ -135511,14 +135553,17 @@ index 5dfa44b..16d64ad 100644
')
optional_policy(`
-@@ -137,6 +150,7 @@ optional_policy(`
+@@ -135,9 +139,9 @@ optional_policy(`
+ ')
+
optional_policy(`
++ shorewall_read_config(iptables_t)
shorewall_read_tmp_files(iptables_t)
shorewall_rw_lib_files(iptables_t)
-+ shorewall_read_tmp_files(iptables_t)
- shorewall_read_config(iptables_t)
+- shorewall_read_config(iptables_t)
')
+ optional_policy(`
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 73bb3c0..e6fa600 100644
--- a/policy/modules/system/libraries.fc
@@ -136178,7 +136223,7 @@ index 0e3c2a9..40adf5a 100644
+')
+
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index c04ac46..b123de6 100644
+index c04ac46..e06286c 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
@@ -136259,16 +136304,15 @@ index c04ac46..b123de6 100644
userdom_spec_domtrans_all_users(local_login_t)
userdom_signal_all_users(local_login_t)
-@@ -141,19 +149,19 @@ ifdef(`distro_ubuntu',`
+@@ -141,19 +149,15 @@ ifdef(`distro_ubuntu',`
')
')
-tunable_policy(`console_login',`
-+tunable_policy(`login_console_enabled',`
- # Able to relabel /dev/console to user tty types.
- term_relabel_console(local_login_t)
- ')
-
+- # Able to relabel /dev/console to user tty types.
+- term_relabel_console(local_login_t)
+-')
+-
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(local_login_t)
- fs_read_nfs_symlinks(local_login_t)
@@ -136282,12 +136326,13 @@ index c04ac46..b123de6 100644
- fs_read_cifs_symlinks(local_login_t)
+tunable_policy(`login_console_enabled',`
+ term_use_console(local_login_t)
++ # Able to relabel /dev/console to user tty types.
+ term_relabel_console(local_login_t)
+ term_setattr_console(local_login_t)
')
optional_policy(`
-@@ -177,14 +185,6 @@ optional_policy(`
+@@ -177,14 +181,6 @@ optional_policy(`
')
optional_policy(`
@@ -136302,7 +136347,7 @@ index c04ac46..b123de6 100644
unconfined_shell_domtrans(local_login_t)
')
-@@ -215,6 +215,7 @@ allow sulogin_t self:sem create_sem_perms;
+@@ -215,6 +211,7 @@ allow sulogin_t self:sem create_sem_perms;
allow sulogin_t self:msgq create_msgq_perms;
allow sulogin_t self:msg { send receive };
@@ -136310,7 +136355,7 @@ index c04ac46..b123de6 100644
kernel_read_system_state(sulogin_t)
fs_search_auto_mountpoints(sulogin_t)
-@@ -223,13 +224,16 @@ fs_rw_tmpfs_chr_files(sulogin_t)
+@@ -223,13 +220,16 @@ fs_rw_tmpfs_chr_files(sulogin_t)
files_read_etc_files(sulogin_t)
# because file systems are not mounted:
files_dontaudit_search_isid_type_dirs(sulogin_t)
@@ -136327,7 +136372,7 @@ index c04ac46..b123de6 100644
seutil_read_config(sulogin_t)
seutil_read_default_contexts(sulogin_t)
-@@ -238,14 +242,24 @@ userdom_use_unpriv_users_fds(sulogin_t)
+@@ -238,14 +238,24 @@ userdom_use_unpriv_users_fds(sulogin_t)
userdom_search_user_home_dirs(sulogin_t)
userdom_use_user_ptys(sulogin_t)
@@ -136354,7 +136399,7 @@ index c04ac46..b123de6 100644
init_getpgid(sulogin_t)
', `
allow sulogin_t self:process setexec;
-@@ -256,11 +270,3 @@ ifdef(`sulogin_no_pam', `
+@@ -256,11 +266,3 @@ ifdef(`sulogin_no_pam', `
selinux_compute_relabel_context(sulogin_t)
selinux_compute_user_contexts(sulogin_t)
')
@@ -136858,7 +136903,7 @@ index 4e94884..23894f4 100644
+ init_named_pid_filetrans($1, syslogd_var_run_t, dir, "journal")
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 39ea221..37275c3 100644
+index 39ea221..d9a4b9b 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -4,6 +4,21 @@ policy_module(logging, 1.19.6)
@@ -137073,7 +137118,7 @@ index 39ea221..37275c3 100644
# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };
-@@ -386,22 +425,35 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -386,22 +425,31 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
@@ -137081,14 +137126,12 @@ index 39ea221..37275c3 100644
manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
files_search_var_lib(syslogd_t)
+-# manage pid file
+manage_dirs_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
-+manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
+ manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
+-files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
+manage_sock_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
+files_pid_filetrans(syslogd_t, syslogd_var_run_t, { file dir })
-+
- # manage pid file
- manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
- files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
+kernel_rw_stream_socket_perms(syslogd_t)
kernel_read_system_state(syslogd_t)
@@ -137110,7 +137153,7 @@ index 39ea221..37275c3 100644
corenet_all_recvfrom_netlabel(syslogd_t)
corenet_udp_sendrecv_generic_if(syslogd_t)
corenet_udp_sendrecv_generic_node(syslogd_t)
-@@ -427,10 +479,28 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -427,9 +475,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
corenet_sendrecv_postgresql_client_packets(syslogd_t)
corenet_sendrecv_mysqld_client_packets(syslogd_t)
@@ -137126,20 +137169,19 @@ index 39ea221..37275c3 100644
+
dev_filetrans(syslogd_t, devlog_t, sock_file)
dev_read_sysfs(syslogd_t)
+-
+dev_read_rand(syslogd_t)
+dev_read_urand(syslogd_t)
+# relating to systemd-kmsg-syslogd
+dev_write_kmsg(syslogd_t)
+dev_read_kmsg(syslogd_t)
-
-+domain_read_all_domains_state(syslogd_t)
- domain_use_interactive_fds(syslogd_t)
++
+domain_read_all_domains_state(syslogd_t)
+domain_getattr_all_domains(syslogd_t)
+ domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
- files_read_usr_files(syslogd_t)
-@@ -442,14 +512,18 @@ files_read_kernel_symbol_table(syslogd_t)
+@@ -442,14 +507,18 @@ files_read_kernel_symbol_table(syslogd_t)
files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
fs_getattr_all_fs(syslogd_t)
@@ -137158,7 +137200,7 @@ index 39ea221..37275c3 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
-@@ -461,11 +535,11 @@ init_use_fds(syslogd_t)
+@@ -461,11 +530,11 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
@@ -137172,7 +137214,7 @@ index 39ea221..37275c3 100644
ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel
-@@ -502,15 +576,36 @@ optional_policy(`
+@@ -502,15 +571,36 @@ optional_policy(`
')
optional_policy(`
@@ -137209,7 +137251,7 @@ index 39ea221..37275c3 100644
')
optional_policy(`
-@@ -521,3 +616,24 @@ optional_policy(`
+@@ -521,3 +611,24 @@ optional_policy(`
# log to the xconsole
xserver_rw_console(syslogd_t)
')
@@ -137454,7 +137496,7 @@ index 58bc27f..51e9872 100644
+ allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
+')
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index e8c59a5..66465b0 100644
+index e8c59a5..7622d77 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -137551,13 +137593,7 @@ index e8c59a5..66465b0 100644
read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
-@@ -215,11 +226,13 @@ files_search_mnt(lvm_t)
-
- kernel_get_sysvipc_info(lvm_t)
- kernel_read_system_state(lvm_t)
-+kernel_read_kernel_sysctls(lvm_t)
- # Read system variables in /proc/sys
- kernel_read_kernel_sysctls(lvm_t)
+@@ -220,6 +231,7 @@ kernel_read_kernel_sysctls(lvm_t)
# it has no reason to need this
kernel_dontaudit_getattr_core_if(lvm_t)
kernel_use_fds(lvm_t)
@@ -137565,7 +137601,7 @@ index e8c59a5..66465b0 100644
kernel_search_debugfs(lvm_t)
corecmd_exec_bin(lvm_t)
-@@ -230,11 +243,13 @@ dev_delete_generic_dirs(lvm_t)
+@@ -230,11 +242,13 @@ dev_delete_generic_dirs(lvm_t)
dev_read_rand(lvm_t)
dev_read_urand(lvm_t)
dev_rw_lvm_control(lvm_t)
@@ -137580,7 +137616,7 @@ index e8c59a5..66465b0 100644
# cjp: this has no effect since LVM does not
# have lnk_file relabelto for anything else.
# perhaps this should be blk_files?
-@@ -246,6 +261,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
+@@ -246,6 +260,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
dev_dontaudit_getattr_generic_blk_files(lvm_t)
dev_dontaudit_getattr_generic_pipes(lvm_t)
dev_create_generic_dirs(lvm_t)
@@ -137588,7 +137624,7 @@ index e8c59a5..66465b0 100644
domain_use_interactive_fds(lvm_t)
domain_read_all_domains_state(lvm_t)
-@@ -255,17 +271,21 @@ files_read_etc_files(lvm_t)
+@@ -255,17 +270,21 @@ files_read_etc_files(lvm_t)
files_read_etc_runtime_files(lvm_t)
# for when /usr is not mounted:
files_dontaudit_search_isid_type_dirs(lvm_t)
@@ -137611,7 +137647,7 @@ index e8c59a5..66465b0 100644
selinux_get_fs_mount(lvm_t)
selinux_validate_context(lvm_t)
-@@ -285,7 +305,7 @@ storage_dev_filetrans_fixed_disk(lvm_t)
+@@ -285,7 +304,7 @@ storage_dev_filetrans_fixed_disk(lvm_t)
# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
storage_manage_fixed_disk(lvm_t)
@@ -137620,7 +137656,7 @@ index e8c59a5..66465b0 100644
init_use_fds(lvm_t)
init_dontaudit_getattr_initctl(lvm_t)
-@@ -293,15 +313,20 @@ init_use_script_ptys(lvm_t)
+@@ -293,15 +312,20 @@ init_use_script_ptys(lvm_t)
init_read_script_state(lvm_t)
logging_send_syslog_msg(lvm_t)
@@ -137642,7 +137678,7 @@ index e8c59a5..66465b0 100644
ifdef(`distro_redhat',`
# this is from the initrd:
-@@ -313,6 +338,11 @@ ifdef(`distro_redhat',`
+@@ -313,6 +337,11 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -137654,7 +137690,7 @@ index e8c59a5..66465b0 100644
bootloader_rw_tmp_files(lvm_t)
')
-@@ -333,14 +363,26 @@ optional_policy(`
+@@ -333,14 +362,26 @@ optional_policy(`
')
optional_policy(`
@@ -138019,7 +138055,7 @@ index 7449974..6375786 100644
+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
+')
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index 7a49e28..7857f24 100644
+index 7a49e28..3e5393b 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -5,7 +5,7 @@ policy_module(modutils, 1.13.3)
@@ -138131,7 +138167,7 @@ index 7a49e28..7857f24 100644
# Read module config and dependency information
list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t)
-@@ -117,7 +123,11 @@ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
+@@ -117,14 +123,18 @@ read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
can_exec(insmod_t, insmod_exec_t)
@@ -138139,11 +138175,11 @@ index 7a49e28..7857f24 100644
+fs_tmpfs_filetrans(insmod_t,insmod_tmpfs_t,file)
+
kernel_load_module(insmod_t)
+-kernel_request_load_module(insmod_t)
+files_manage_kernel_modules(insmod_t)
- kernel_request_load_module(insmod_t)
kernel_read_system_state(insmod_t)
kernel_read_network_state(insmod_t)
-@@ -125,6 +135,7 @@ kernel_write_proc_files(insmod_t)
+ kernel_write_proc_files(insmod_t)
kernel_mount_debugfs(insmod_t)
kernel_mount_kvmfs(insmod_t)
kernel_read_debugfs(insmod_t)
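Review bot: `files_manage_kernel_modules(insmod_t)` is added (alongside the removal of `kernel_request_load_module(insmod_t)`) without a comment on which tool needs to create or delete files under the kernel module tree. A module-loading domain is a sensitive place to widen write access: insmod_t already has `files_write_kernel_modules` and, further down in the same file, `allow insmod_t modules_dep_t:file manage_file_perms`, so if the new need is only depmod rewriting the modules_dep_t files, that narrower rule already covers it. If some tool running as insmod_t genuinely installs or removes module files, name it inline, e.g. `# <tool> creates/removes files under the kernel module tree`, so the grant can be revisited when that tool moves to its own domain.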
@@ -138151,7 +138187,7 @@ index 7a49e28..7857f24 100644
# Rules for /proc/sys/kernel/tainted
kernel_read_kernel_sysctls(insmod_t)
kernel_rw_kernel_sysctl(insmod_t)
-@@ -142,6 +153,7 @@ dev_rw_agp(insmod_t)
+@@ -142,6 +152,7 @@ dev_rw_agp(insmod_t)
dev_read_sound(insmod_t)
dev_write_sound(insmod_t)
dev_rw_apm_bios(insmod_t)
@@ -138159,7 +138195,7 @@ index 7a49e28..7857f24 100644
domain_signal_all_domains(insmod_t)
domain_use_interactive_fds(insmod_t)
-@@ -151,30 +163,38 @@ files_read_etc_runtime_files(insmod_t)
+@@ -151,30 +162,37 @@ files_read_etc_runtime_files(insmod_t)
files_read_etc_files(insmod_t)
files_read_usr_files(insmod_t)
files_exec_etc_files(insmod_t)
@@ -138171,7 +138207,6 @@ index 7a49e28..7857f24 100644
# for locking: (cjp: ????)
files_write_kernel_modules(insmod_t)
+allow insmod_t modules_dep_t:file manage_file_perms;
-+files_kernel_modules_filetrans(depmod_t, modules_dep_t, file)
fs_getattr_xattr_fs(insmod_t)
fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
@@ -138201,7 +138236,7 @@ index 7a49e28..7857f24 100644
userdom_dontaudit_search_user_home_dirs(insmod_t)
kernel_domtrans_to(insmod_t, insmod_exec_t)
-@@ -184,28 +204,32 @@ optional_policy(`
+@@ -184,28 +202,32 @@ optional_policy(`
')
optional_policy(`
@@ -138241,7 +138276,7 @@ index 7a49e28..7857f24 100644
')
optional_policy(`
-@@ -225,6 +249,7 @@ optional_policy(`
+@@ -225,6 +247,7 @@ optional_policy(`
optional_policy(`
rpm_rw_pipes(insmod_t)
@@ -138249,7 +138284,7 @@ index 7a49e28..7857f24 100644
')
optional_policy(`
-@@ -233,6 +258,10 @@ optional_policy(`
+@@ -233,6 +256,10 @@ optional_policy(`
')
optional_policy(`
@@ -138260,7 +138295,7 @@ index 7a49e28..7857f24 100644
# cjp: why is this needed:
dev_rw_xserver_misc(insmod_t)
-@@ -291,11 +320,10 @@ init_use_script_ptys(update_modules_t)
+@@ -291,11 +318,10 @@ init_use_script_ptys(update_modules_t)
logging_send_syslog_msg(update_modules_t)
@@ -138595,7 +138630,7 @@ index 4584457..300c3f7 100644
+ domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 6a50270..bd42591 100644
+index 6a50270..1e98d92 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -10,35 +10,60 @@ policy_module(mount, 1.15.1)
@@ -138670,7 +138705,7 @@ index 6a50270..bd42591 100644
allow mount_t mount_loopback_t:file read_file_perms;
-@@ -49,9 +74,25 @@ can_exec(mount_t, mount_exec_t)
+@@ -49,9 +74,24 @@ can_exec(mount_t, mount_exec_t)
files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
@@ -138693,11 +138728,10 @@ index 6a50270..bd42591 100644
+kernel_manage_debugfs(mount_t)
+kernel_setsched(mount_t)
+kernel_use_fds(mount_t)
-+kernel_request_load_module(mount_t)
kernel_dontaudit_write_debugfs_dirs(mount_t)
kernel_dontaudit_write_proc_dirs(mount_t)
# To load binfmt_misc kernel module
-@@ -60,31 +101,46 @@ kernel_request_load_module(mount_t)
+@@ -60,31 +100,46 @@ kernel_request_load_module(mount_t)
# required for mount.smbfs
corecmd_exec_bin(mount_t)
@@ -138747,7 +138781,7 @@ index 6a50270..bd42591 100644
files_read_isid_type_files(mount_t)
# For reading cert files
files_read_usr_files(mount_t)
-@@ -92,28 +148,42 @@ files_list_mnt(mount_t)
+@@ -92,28 +147,39 @@ files_list_mnt(mount_t)
files_dontaudit_write_all_mountpoints(mount_t)
files_dontaudit_setattr_all_mountpoints(mount_t)
@@ -138775,9 +138809,6 @@ index 6a50270..bd42591 100644
-mls_file_read_all_levels(mount_t)
-mls_file_write_all_levels(mount_t)
-+mcs_file_read_all(mount_t)
-+mcs_file_write_all(mount_t)
-+
+mls_file_read_to_clearance(mount_t)
+mls_file_write_to_clearance(mount_t)
+mls_process_write_to_clearance(mount_t)
@@ -138796,7 +138827,7 @@ index 6a50270..bd42591 100644
term_dontaudit_manage_pty_dirs(mount_t)
auth_use_nsswitch(mount_t)
-@@ -121,16 +191,20 @@ auth_use_nsswitch(mount_t)
+@@ -121,16 +187,20 @@ auth_use_nsswitch(mount_t)
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
@@ -138818,7 +138849,7 @@ index 6a50270..bd42591 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -146,26 +220,27 @@ ifdef(`distro_ubuntu',`
+@@ -146,26 +216,27 @@ ifdef(`distro_ubuntu',`
')
')
@@ -138858,7 +138889,7 @@ index 6a50270..bd42591 100644
corenet_tcp_bind_generic_port(mount_t)
corenet_udp_bind_generic_port(mount_t)
corenet_tcp_bind_reserved_port(mount_t)
-@@ -179,6 +254,8 @@ optional_policy(`
+@@ -179,6 +250,8 @@ optional_policy(`
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -138867,7 +138898,7 @@ index 6a50270..bd42591 100644
')
optional_policy(`
-@@ -186,6 +263,28 @@ optional_policy(`
+@@ -186,6 +259,28 @@ optional_policy(`
')
optional_policy(`
@@ -138896,7 +138927,7 @@ index 6a50270..bd42591 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -194,24 +293,124 @@ optional_policy(`
+@@ -194,24 +289,124 @@ optional_policy(`
')
optional_policy(`
@@ -138952,10 +138983,12 @@ index 6a50270..bd42591 100644
+optional_policy(`
+ ssh_exec(mount_t)
+')
-+
-+optional_policy(`
+
+ optional_policy(`
+- files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
+- unconfined_domain(unconfined_mount_t)
+ usbmuxd_stream_connect(mount_t)
-+')
+ ')
+
+optional_policy(`
+ userhelper_exec_console(mount_t)
@@ -138964,12 +138997,10 @@ index 6a50270..bd42591 100644
+optional_policy(`
+ virt_read_blk_images(mount_t)
+')
-
- optional_policy(`
-- files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
-- unconfined_domain(unconfined_mount_t)
++
++optional_policy(`
+ vmware_exec_host(mount_t)
- ')
++')
+
+######################################
+#
@@ -139646,7 +139677,7 @@ index 3822072..702e0e0 100644
+ logging_send_syslog_msg($1)
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index ec01d0b..51e91d2 100644
+index ec01d0b..4873b1c 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -11,14 +11,17 @@ gen_require(`
@@ -140067,11 +140098,11 @@ index ec01d0b..51e91d2 100644
-auth_use_nsswitch(semanage_t)
-
-locallogin_use_fds(semanage_t)
--
--logging_send_syslog_msg(semanage_t)
+# Admins are creating pp files in random locations
+files_read_non_security_files(semanage_t)
+-logging_send_syslog_msg(semanage_t)
+-
-miscfiles_read_localization(semanage_t)
-
-seutil_libselinux_linked(semanage_t)
@@ -140159,7 +140190,7 @@ index ec01d0b..51e91d2 100644
')
########################################
-@@ -522,108 +603,180 @@ ifdef(`distro_ubuntu',`
+@@ -522,108 +603,178 @@ ifdef(`distro_ubuntu',`
# Setfiles local policy
#
@@ -140241,12 +140272,12 @@ index ec01d0b..51e91d2 100644
+ # pki is leaking
+ pki_dontaudit_write_log(setfiles_t)
+')
-+
+
+-seutil_libselinux_linked(setfiles_t)
+optional_policy(`
+ xserver_append_xdm_tmp_files(setfiles_t)
+')
-
--seutil_libselinux_linked(setfiles_t)
++
+ifdef(`hide_broken_symptoms',`
+
+ optional_policy(`
@@ -140397,8 +140428,6 @@ index ec01d0b..51e91d2 100644
+corecmd_exec_bin(policy_manager_domain)
+corecmd_exec_shell(policy_manager_domain)
+
-+dev_read_urand(policy_manager_domain)
-+
+domain_use_interactive_fds(policy_manager_domain)
+
+files_read_etc_files(policy_manager_domain)
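Review bot: Dropping `dev_read_urand(policy_manager_domain)` (the removed `+dev_read_urand(policy_manager_domain)` line) takes the permission away from every domain carrying the attribute, not from a single tool. Python 3 reads /dev/urandom at interpreter start-up for hash randomization, so if any Python-based policy tool (semanage, presumably) is a policy_manager_domain the change would show up as an AVC denial on every invocation rather than a functional failure, which is easy to miss in testing. Worth confirming against an audit log of a policy-tool run before the line goes; if it must stay, annotate it, e.g. `# python-based policy tools read /dev/urandom at start-up`.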
@@ -140503,60 +140532,41 @@ index 346a7cc..1285089 100644
+
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 6944526..8f424e5 100644
+index 6944526..729dc8c 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
-@@ -38,11 +38,47 @@ interface(`sysnet_domtrans_dhcpc',`
+@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
#
interface(`sysnet_run_dhcpc',`
gen_require(`
-- attribute_role dhcpc_roles;
+ type dhcpc_t;
-+ #attribute_role dhcpc_roles;
+ attribute_role dhcpc_roles;
')
-+ #sysnet_domtrans_dhcpc($1)
-+ #roleattribute $2 dhcpc_roles;
-+
sysnet_domtrans_dhcpc($1)
-- roleattribute $2 dhcpc_roles;
-+ role $2 types dhcpc_t;
-+
-+ modutils_run_insmod(dhcpc_t, $2)
-+
-+ sysnet_run_ifconfig(dhcpc_t, $2)
+ roleattribute $2 dhcpc_roles;
+
-+ optional_policy(`
-+ hostname_run(dhcpc_t, $2)
-+ ')
-+
-+ optional_policy(`
-+ netutils_run(dhcpc_t, $2)
-+ netutils_run_ping(dhcpc_t, $2)
-+ ')
-+
-+ optional_policy(`
-+ networkmanager_run(dhcpc_t, $2)
-+ ')
-+
-+ optional_policy(`
-+ nis_run_ypbind(dhcpc_t, $2)
-+ ')
++ optional_policy(`
++ networkmanager_run(dhcpc_t, $2)
++ ')
+
-+ optional_policy(`
-+ nscd_run(dhcpc_t, $2)
-+ ')
++ optional_policy(`
++ nis_run_ypbind(dhcpc_t, $2)
++ ')
+
-+ optional_policy(`
-+ ntp_run(dhcpc_t, $2)
-+ ')
++ optional_policy(`
++ nscd_run(dhcpc_t, $2)
++ ')
+
-+ seutil_run_setfiles(dhcpc_t, $2)
++ optional_policy(`
++ ntp_run(dhcpc_t, $2)
++ ')
+
++ seutil_run_setfiles(dhcpc_t, $2)
')
########################################
-@@ -271,6 +307,43 @@ interface(`sysnet_delete_dhcpc_state',`
+@@ -271,6 +290,43 @@ interface(`sysnet_delete_dhcpc_state',`
delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
')
@@ -140600,7 +140610,7 @@ index 6944526..8f424e5 100644
#######################################
##
## Set the attributes of network config files.
-@@ -292,6 +365,44 @@ interface(`sysnet_setattr_config',`
+@@ -292,6 +348,44 @@ interface(`sysnet_setattr_config',`
#######################################
##
@@ -140645,7 +140655,7 @@ index 6944526..8f424e5 100644
## Read network config files.
##
##
-@@ -331,6 +442,7 @@ interface(`sysnet_read_config',`
+@@ -331,6 +425,7 @@ interface(`sysnet_read_config',`
ifdef(`distro_redhat',`
allow $1 net_conf_t:dir list_dir_perms;
@@ -140653,7 +140663,7 @@ index 6944526..8f424e5 100644
read_files_pattern($1, net_conf_t, net_conf_t)
')
')
-@@ -433,6 +545,7 @@ interface(`sysnet_manage_config',`
+@@ -433,6 +528,7 @@ interface(`sysnet_manage_config',`
allow $1 net_conf_t:file manage_file_perms;
ifdef(`distro_redhat',`
@@ -140661,7 +140671,7 @@ index 6944526..8f424e5 100644
manage_files_pattern($1, net_conf_t, net_conf_t)
')
')
-@@ -471,6 +584,7 @@ interface(`sysnet_delete_dhcpc_pid',`
+@@ -471,6 +567,7 @@ interface(`sysnet_delete_dhcpc_pid',`
type dhcpc_var_run_t;
')
@@ -140669,7 +140679,7 @@ index 6944526..8f424e5 100644
allow $1 dhcpc_var_run_t:file unlink;
')
-@@ -580,6 +694,25 @@ interface(`sysnet_signull_ifconfig',`
+@@ -580,6 +677,25 @@ interface(`sysnet_signull_ifconfig',`
########################################
##
@@ -140695,7 +140705,7 @@ index 6944526..8f424e5 100644
## Read the DHCP configuration files.
##
##
-@@ -596,6 +729,7 @@ interface(`sysnet_read_dhcp_config',`
+@@ -596,6 +712,7 @@ interface(`sysnet_read_dhcp_config',`
files_search_etc($1)
allow $1 dhcp_etc_t:dir list_dir_perms;
read_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
@@ -140703,7 +140713,7 @@ index 6944526..8f424e5 100644
')
########################################
-@@ -681,8 +815,6 @@ interface(`sysnet_dns_name_resolve',`
+@@ -681,8 +798,6 @@ interface(`sysnet_dns_name_resolve',`
allow $1 self:udp_socket create_socket_perms;
allow $1 self:netlink_route_socket r_netlink_socket_perms;
@@ -140712,7 +140722,7 @@ index 6944526..8f424e5 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
-@@ -692,6 +824,8 @@ interface(`sysnet_dns_name_resolve',`
+@@ -692,6 +807,8 @@ interface(`sysnet_dns_name_resolve',`
corenet_tcp_connect_dns_port($1)
corenet_sendrecv_dns_client_packets($1)
@@ -140721,7 +140731,7 @@ index 6944526..8f424e5 100644
sysnet_read_config($1)
optional_policy(`
-@@ -720,8 +854,6 @@ interface(`sysnet_use_ldap',`
+@@ -720,8 +837,6 @@ interface(`sysnet_use_ldap',`
allow $1 self:tcp_socket create_socket_perms;
@@ -140730,7 +140740,7 @@ index 6944526..8f424e5 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
corenet_tcp_sendrecv_ldap_port($1)
-@@ -733,6 +865,9 @@ interface(`sysnet_use_ldap',`
+@@ -733,6 +848,9 @@ interface(`sysnet_use_ldap',`
dev_read_urand($1)
sysnet_read_config($1)
@@ -140740,7 +140750,7 @@ index 6944526..8f424e5 100644
')
########################################
-@@ -754,7 +889,6 @@ interface(`sysnet_use_portmap',`
+@@ -754,7 +872,6 @@ interface(`sysnet_use_portmap',`
allow $1 self:udp_socket create_socket_perms;
corenet_all_recvfrom_unlabeled($1)
@@ -140748,7 +140758,7 @@ index 6944526..8f424e5 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
-@@ -766,3 +900,73 @@ interface(`sysnet_use_portmap',`
+@@ -766,3 +883,73 @@ interface(`sysnet_use_portmap',`
sysnet_read_config($1)
')
@@ -140823,15 +140833,13 @@ index 6944526..8f424e5 100644
+ files_etc_filetrans($1, net_conf_t, file, "yp.conf")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index b7686d5..be7444c 100644
+index b7686d5..7f2928d 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
-@@ -5,8 +5,15 @@ policy_module(sysnetwork, 1.14.6)
+@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6)
# Declarations
#
--attribute_role dhcpc_roles;
--roleattribute system_r dhcpc_roles;
+##
+##
+## Allow dhcpc client applications to execute iptables commands
@@ -140839,25 +140847,21 @@ index b7686d5..be7444c 100644
+##
+gen_tunable(dhcpc_exec_iptables, false)
+
-+#attribute_role dhcpc_roles;
-+#roleattribute system_r dhcpc_roles;
+ attribute_role dhcpc_roles;
+ roleattribute system_r dhcpc_roles;
- # this is shared between dhcpc and dhcpd:
- type dhcp_etc_t;
-@@ -20,7 +27,11 @@ files_type(dhcp_state_t)
+@@ -20,7 +27,9 @@ files_type(dhcp_state_t)
type dhcpc_t;
type dhcpc_exec_t;
init_daemon_domain(dhcpc_t, dhcpc_exec_t)
-role dhcpc_roles types dhcpc_t;
-+#role dhcpc_roles types dhcpc_t;
-+role system_r types dhcpc_t;
+
+type dhcpc_helper_exec_t;
+init_script_file(dhcpc_helper_exec_t)
type dhcpc_state_t;
files_type(dhcpc_state_t)
-@@ -37,17 +48,17 @@ init_system_domain(ifconfig_t, ifconfig_exec_t)
+@@ -37,17 +46,17 @@ init_system_domain(ifconfig_t, ifconfig_exec_t)
role system_r types ifconfig_t;
type net_conf_t alias resolv_conf_t;
@@ -140878,7 +140882,7 @@ index b7686d5..be7444c 100644
allow dhcpc_t self:fifo_file rw_fifo_file_perms;
allow dhcpc_t self:tcp_socket create_stream_socket_perms;
-@@ -60,8 +71,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
+@@ -60,8 +69,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
allow dhcpc_t dhcp_state_t:file read_file_perms;
@@ -140890,7 +140894,7 @@ index b7686d5..be7444c 100644
# create pid file
manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
-@@ -70,6 +84,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir })
+@@ -70,6 +82,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir })
# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
# in /etc created by dhcpcd will be labelled net_conf_t.
@@ -140899,7 +140903,7 @@ index b7686d5..be7444c 100644
sysnet_manage_config(dhcpc_t)
files_etc_filetrans(dhcpc_t, net_conf_t, file)
-@@ -91,14 +107,13 @@ kernel_rw_net_sysctls(dhcpc_t)
+@@ -91,14 +105,13 @@ kernel_rw_net_sysctls(dhcpc_t)
corecmd_exec_bin(dhcpc_t)
corecmd_exec_shell(dhcpc_t)
@@ -140920,7 +140924,7 @@ index b7686d5..be7444c 100644
corenet_tcp_sendrecv_all_ports(dhcpc_t)
corenet_udp_sendrecv_all_ports(dhcpc_t)
corenet_tcp_bind_all_nodes(dhcpc_t)
-@@ -108,11 +123,14 @@ corenet_udp_bind_dhcpc_port(dhcpc_t)
+@@ -108,17 +121,18 @@ corenet_udp_bind_dhcpc_port(dhcpc_t)
corenet_tcp_connect_all_ports(dhcpc_t)
corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
corenet_sendrecv_dhcpc_server_packets(dhcpc_t)
@@ -140935,7 +140939,13 @@ index b7686d5..be7444c 100644
domain_use_interactive_fds(dhcpc_t)
domain_dontaudit_read_all_domains_state(dhcpc_t)
-@@ -132,15 +150,20 @@ term_dontaudit_use_all_ptys(dhcpc_t)
+-files_read_etc_files(dhcpc_t)
+ files_read_etc_runtime_files(dhcpc_t)
+-files_read_usr_files(dhcpc_t)
+ files_search_home(dhcpc_t)
+ files_search_var_lib(dhcpc_t)
+ files_dontaudit_search_locks(dhcpc_t)
+@@ -132,11 +146,15 @@ term_dontaudit_use_all_ptys(dhcpc_t)
term_dontaudit_use_unallocated_ttys(dhcpc_t)
term_dontaudit_use_generic_ptys(dhcpc_t)
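Review bot: The new side of the patch now deletes upstream's `files_read_etc_files(dhcpc_t)` and `files_read_usr_files(dhcpc_t)` with no replacement visible in this hunk, and the same `files_read_usr_files` removal recurs for abrt_t, accountsd_t, afs_t and afs_fsserver_t in the contrib hunks further down. That is only safe if the access is granted domain-wide elsewhere in this commit, which the systematic nature of the removal suggests but this chunk cannot confirm. A one-line comment next to the first removal, e.g. `# etc/usr read access is granted to all domains elsewhere; do not re-add per domain`, would stop the next rebase from quietly restoring them. The surrounding rule block runs past both ends of the hunk.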
@@ -140950,74 +140960,47 @@ index b7686d5..be7444c 100644
-miscfiles_read_localization(dhcpc_t)
+miscfiles_read_generic_certs(dhcpc_t)
--modutils_run_insmod(dhcpc_t, dhcpc_roles)
-+#modutils_run_insmod(dhcpc_t, dhcpc_roles)
-+modutils_domtrans_insmod(dhcpc_t)
-+#sysnet_run_ifconfig(dhcpc_t, dhcpc_roles)
+ modutils_run_insmod(dhcpc_t, dhcpc_roles)
--sysnet_run_ifconfig(dhcpc_t, dhcpc_roles)
-
- userdom_use_user_terminals(dhcpc_t)
- userdom_dontaudit_search_user_home_dirs(dhcpc_t)
-@@ -155,8 +178,23 @@ ifdef(`distro_ubuntu',`
- ')
+@@ -156,7 +174,14 @@ ifdef(`distro_ubuntu',`
')
-+#optional_policy(`
-+# consoletype_run(dhcpc_t, dhcpc_roles)
-+#')
-+
-+optional_policy(`
+ optional_policy(`
+- consoletype_run(dhcpc_t, dhcpc_roles)
+ chronyd_initrc_domtrans(dhcpc_t)
+ chronyd_systemctl(dhcpc_t)
+ chronyd_read_keys(dhcpc_t)
+')
+
+optional_policy(`
-+ consoletype_exec(dhcpc_t)
-+')
-+
- optional_policy(`
-- consoletype_run(dhcpc_t, dhcpc_roles)
+ devicekit_dontaudit_rw_log(dhcpc_t)
+ devicekit_dontaudit_read_pid_files(dhcpc_t)
')
optional_policy(`
-@@ -170,11 +208,8 @@ optional_policy(`
+@@ -174,10 +199,6 @@ optional_policy(`
')
optional_policy(`
-- hostname_run(dhcpc_t, dhcpc_roles)
+- hal_dontaudit_rw_dgram_sockets(dhcpc_t)
-')
-
-optional_policy(`
-- hal_dontaudit_rw_dgram_sockets(dhcpc_t)
-+ hostname_domtrans(dhcpc_t)
-+# hostname_run(dhcpc_t, dhcpc_roles)
- ')
-
- optional_policy(`
-@@ -188,25 +223,41 @@ optional_policy(`
+ hotplug_getattr_config_dirs(dhcpc_t)
+ hotplug_search_config(dhcpc_t)
- # for the dhcp client to run ping to check IP addresses
+@@ -190,23 +211,35 @@ optional_policy(`
optional_policy(`
-- netutils_run_ping(dhcpc_t, dhcpc_roles)
-- netutils_run(dhcpc_t, dhcpc_roles)
-+ #netutils_run_ping(dhcpc_t, dhcpc_roles)
-+ #netutils_run(dhcpc_t, dhcpc_roles)
+ netutils_run_ping(dhcpc_t, dhcpc_roles)
+ netutils_run(dhcpc_t, dhcpc_roles)
+ netutils_domtrans_ping(dhcpc_t)
-+ netutils_domtrans(dhcpc_t)
++ netutils_domtrans(dhcpc_t)
',`
allow dhcpc_t self:capability setuid;
allow dhcpc_t self:rawip_socket create_socket_perms;
')
optional_policy(`
-+ modutils_domtrans_insmod(dhcpc_t)
-+')
-+
-+optional_policy(`
+ networkmanager_domtrans(dhcpc_t)
+ networkmanager_read_pid_files(dhcpc_t)
+ networkmanager_manage_lib(dhcpc_t)
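Review bot: The new side keeps upstream's `netutils_run(dhcpc_t, dhcpc_roles)` as context and still adds `netutils_domtrans(dhcpc_t)` immediately after it; `netutils_run` already performs that domain transition (it wraps `netutils_domtrans` and adds the role rule), so the added line is redundant and can be dropped. The `_ping` pair looks to be in the same state, though the marker column on that line is not legible in this rendering. Reverting the old patch's `modutils_domtrans_insmod(dhcpc_t)` additions in favour of the retained `modutils_run_insmod(dhcpc_t, dhcpc_roles)` is the same cleanup, done correctly, and is worth mirroring here. The enclosing optional_policy blocks continue past the hunk.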
@@ -141042,7 +141025,7 @@ index b7686d5..be7444c 100644
')
optional_policy(`
-@@ -216,7 +267,11 @@ optional_policy(`
+@@ -216,7 +249,11 @@ optional_policy(`
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
@@ -141055,7 +141038,7 @@ index b7686d5..be7444c 100644
')
optional_policy(`
-@@ -259,6 +314,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -259,6 +296,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
@@ -141063,7 +141046,7 @@ index b7686d5..be7444c 100644
# for /sbin/ip
allow ifconfig_t self:packet_socket create_socket_perms;
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -277,11 +333,18 @@ corenet_rw_tun_tap_dev(ifconfig_t)
+@@ -277,11 +315,18 @@ corenet_rw_tun_tap_dev(ifconfig_t)
dev_read_sysfs(ifconfig_t)
# for IPSEC setup:
dev_read_urand(ifconfig_t)
@@ -141082,7 +141065,7 @@ index b7686d5..be7444c 100644
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
-@@ -294,22 +357,22 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+@@ -294,22 +339,22 @@ term_dontaudit_use_all_ptys(ifconfig_t)
term_dontaudit_use_ptmx(ifconfig_t)
term_dontaudit_use_generic_ptys(ifconfig_t)
@@ -141110,7 +141093,7 @@ index b7686d5..be7444c 100644
userdom_use_all_users_fds(ifconfig_t)
ifdef(`distro_ubuntu',`
-@@ -318,7 +381,22 @@ ifdef(`distro_ubuntu',`
+@@ -318,7 +363,22 @@ ifdef(`distro_ubuntu',`
')
')
@@ -141133,7 +141116,7 @@ index b7686d5..be7444c 100644
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
')
-@@ -329,8 +407,7 @@ ifdef(`hide_broken_symptoms',`
+@@ -329,8 +389,7 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
@@ -141143,7 +141126,7 @@ index b7686d5..be7444c 100644
')
optional_policy(`
-@@ -339,7 +416,15 @@ optional_policy(`
+@@ -339,7 +398,11 @@ optional_policy(`
')
optional_policy(`
@@ -141153,14 +141136,10 @@ index b7686d5..be7444c 100644
+
+optional_policy(`
+ modutils_domtrans_insmod(ifconfig_t)
-+')
-+
-+optional_policy(`
-+ netutils_domtrans(dhcpc_t)
')
optional_policy(`
-@@ -360,3 +445,9 @@ optional_policy(`
+@@ -360,3 +423,9 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@@ -142180,7 +142159,7 @@ index 0000000..3e4cae7
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..223e3f0
+index 0000000..dc3c408
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,451 @@
@@ -142304,8 +142283,6 @@ index 0000000..223e3f0
+fs_getattr_tmpfs(systemd_logind_t)
+fs_read_tmpfs_symlinks(systemd_logind_t)
+
-+mcs_killall(systemd_logind_t)
-+
+storage_setattr_removable_dev(systemd_logind_t)
+storage_setattr_scsi_generic_dev(systemd_logind_t)
+
@@ -142488,8 +142465,6 @@ index 0000000..223e3f0
+files_relabel_all_tmp_files(systemd_tmpfiles_t)
+files_list_lost_found(systemd_tmpfiles_t)
+
-+mcs_file_read_all(systemd_tmpfiles_t)
-+mcs_file_write_all(systemd_tmpfiles_t)
+mls_file_read_all_levels(systemd_tmpfiles_t)
+mls_file_write_all_levels(systemd_tmpfiles_t)
+
@@ -142548,6 +142523,10 @@ index 0000000..223e3f0
+')
+
+optional_policy(`
++ lpd_relabel_spool(systemd_tmpfiles_t)
++')
++
++optional_policy(`
+ rpm_read_db(systemd_tmpfiles_t)
+ rpm_delete_db(systemd_tmpfiles_t)
+')
@@ -142933,7 +142912,7 @@ index 0f64692..d7e8a01 100644
########################################
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index a5ec88b..6e4726f 100644
+index a5ec88b..b31b982 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t)
@@ -142974,7 +142953,7 @@ index a5ec88b..6e4726f 100644
allow udev_t udev_exec_t:file write;
can_exec(udev_t, udev_exec_t)
-@@ -63,31 +64,35 @@ can_exec(udev_t, udev_helper_exec_t)
+@@ -63,31 +64,36 @@ can_exec(udev_t, udev_helper_exec_t)
# read udev config
allow udev_t udev_etc_t:file read_file_perms;
@@ -142994,6 +142973,7 @@ index a5ec88b..6e4726f 100644
-files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
+files_pid_filetrans(udev_t, udev_var_run_t, { file dir })
+allow udev_t udev_var_run_t:file mounton;
++allow udev_t udev_var_run_t:lnk_file relabel_lnk_file_perms;
+dev_filetrans(udev_t, udev_var_run_t, { file lnk_file } )
+kernel_load_module(udev_t)
@@ -143017,7 +142997,7 @@ index a5ec88b..6e4726f 100644
#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
kernel_rw_net_sysctls(udev_t)
-@@ -98,6 +103,7 @@ corecmd_exec_all_executables(udev_t)
+@@ -98,6 +104,7 @@ corecmd_exec_all_executables(udev_t)
dev_rw_sysfs(udev_t)
dev_manage_all_dev_nodes(udev_t)
@@ -143025,7 +143005,7 @@ index a5ec88b..6e4726f 100644
dev_rw_generic_files(udev_t)
dev_delete_generic_files(udev_t)
dev_search_usbfs(udev_t)
-@@ -106,23 +112,31 @@ dev_relabel_all_dev_nodes(udev_t)
+@@ -106,23 +113,31 @@ dev_relabel_all_dev_nodes(udev_t)
# preserved, instead of short circuiting the relabel
dev_relabel_generic_symlinks(udev_t)
dev_manage_generic_symlinks(udev_t)
@@ -143061,7 +143041,7 @@ index a5ec88b..6e4726f 100644
mls_file_read_all_levels(udev_t)
mls_file_write_all_levels(udev_t)
-@@ -144,17 +158,20 @@ auth_use_nsswitch(udev_t)
+@@ -144,17 +159,20 @@ auth_use_nsswitch(udev_t)
init_read_utmp(udev_t)
init_dontaudit_write_utmp(udev_t)
init_getattr_initctl(udev_t)
@@ -143083,7 +143063,7 @@ index a5ec88b..6e4726f 100644
seutil_read_config(udev_t)
seutil_read_default_contexts(udev_t)
-@@ -170,6 +187,8 @@ sysnet_signal_dhcpc(udev_t)
+@@ -170,6 +188,8 @@ sysnet_signal_dhcpc(udev_t)
sysnet_manage_config(udev_t)
sysnet_etc_filetrans_config(udev_t)
@@ -143092,7 +143072,7 @@ index a5ec88b..6e4726f 100644
userdom_dontaudit_search_user_home_content(udev_t)
ifdef(`distro_gentoo',`
-@@ -179,16 +198,9 @@ ifdef(`distro_gentoo',`
+@@ -179,16 +199,9 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -143111,18 +143091,7 @@ index a5ec88b..6e4726f 100644
# for arping used for static IP addresses on PCMCIA ethernet
netutils_domtrans(udev_t)
-@@ -217,6 +229,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ consolekit_read_pid_files(udev_t)
-+')
-+
-+optional_policy(`
- consoletype_exec(udev_t)
- ')
-
-@@ -226,6 +242,7 @@ optional_policy(`
+@@ -226,6 +239,7 @@ optional_policy(`
optional_policy(`
cups_domtrans_config(udev_t)
@@ -143130,7 +143099,7 @@ index a5ec88b..6e4726f 100644
')
optional_policy(`
-@@ -235,10 +252,20 @@ optional_policy(`
+@@ -235,10 +249,20 @@ optional_policy(`
optional_policy(`
devicekit_read_pid_files(udev_t)
devicekit_dgram_send(udev_t)
@@ -143151,7 +143120,7 @@ index a5ec88b..6e4726f 100644
')
optional_policy(`
-@@ -264,6 +291,10 @@ optional_policy(`
+@@ -264,6 +288,10 @@ optional_policy(`
')
optional_policy(`
@@ -143162,7 +143131,7 @@ index a5ec88b..6e4726f 100644
openct_read_pid_files(udev_t)
openct_domtrans(udev_t)
')
-@@ -278,6 +309,15 @@ optional_policy(`
+@@ -278,6 +306,15 @@ optional_policy(`
')
optional_policy(`
@@ -143178,7 +143147,7 @@ index a5ec88b..6e4726f 100644
unconfined_signal(udev_t)
')
-@@ -290,6 +330,7 @@ optional_policy(`
+@@ -290,6 +327,7 @@ optional_policy(`
kernel_read_xen_state(udev_t)
xen_manage_log(udev_t)
xen_read_image_files(udev_t)
@@ -143213,10 +143182,10 @@ index 0abaf84..8b34dbc 100644
-/usr/lib/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-')
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
-index db7aabb..4012a61 100644
+index db7aabb..01e03ec 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
-@@ -12,53 +12,59 @@
+@@ -12,53 +12,57 @@
#
interface(`unconfined_domain_noaudit',`
gen_require(`
@@ -143267,11 +143236,9 @@ index db7aabb..4012a61 100644
+
+ domain_mmap_low($1)
+
-+ mcs_file_read_all($1)
++ ubac_process_exempt($1)
- tunable_policy(`allow_execheap',`
-+ ubac_process_exempt($1)
-+
+ tunable_policy(`selinuxuser_execheap',`
# Allow making the stack executable via mprotect.
allow $1 self:process execheap;
@@ -143293,7 +143260,7 @@ index db7aabb..4012a61 100644
# auditallow $1 self:process execstack;
')
-@@ -69,6 +75,7 @@ interface(`unconfined_domain_noaudit',`
+@@ -69,6 +73,7 @@ interface(`unconfined_domain_noaudit',`
optional_policy(`
# Communicate via dbusd.
dbus_system_bus_unconfined($1)
@@ -143301,7 +143268,7 @@ index db7aabb..4012a61 100644
')
optional_policy(`
-@@ -122,9 +129,13 @@ interface(`unconfined_domain_noaudit',`
+@@ -122,9 +127,13 @@ interface(`unconfined_domain_noaudit',`
##
#
interface(`unconfined_domain',`
@@ -143316,7 +143283,7 @@ index db7aabb..4012a61 100644
auditallow $1 self:process execheap;
')
')
-@@ -150,7 +161,7 @@ interface(`unconfined_domain',`
+@@ -150,7 +159,7 @@ interface(`unconfined_domain',`
##
#
interface(`unconfined_alias_domain',`
@@ -143325,7 +143292,7 @@ index db7aabb..4012a61 100644
')
########################################
-@@ -176,414 +187,5 @@ interface(`unconfined_alias_domain',`
+@@ -176,414 +185,5 @@ interface(`unconfined_alias_domain',`
##
#
interface(`unconfined_execmem_alias_program',`
@@ -148051,7 +148018,7 @@ index 3c5dba7..81b2173 100644
+ filetrans_pattern($1, user_tmpfs_t, $2, $3, $4)
+')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index e2b538b..d4d6ea9 100644
+index e2b538b..069a8ea 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.5)
@@ -148137,7 +148104,7 @@ index e2b538b..d4d6ea9 100644
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
-@@ -70,26 +80,124 @@ ubac_constrained(user_home_dir_t)
+@@ -70,26 +80,123 @@ ubac_constrained(user_home_dir_t)
type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t };
typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t };
@@ -148260,7 +148227,6 @@ index e2b538b..d4d6ea9 100644
+tunable_policy(`use_ecryptfs_home_dirs',`
+ fs_manage_ecryptfs_dirs(userdom_home_manager_type)
+ fs_manage_ecryptfs_files(userdom_home_manager_type)
-+ fs_manage_ecryptfs_files(userdom_home_manager_type)
+')
+# vi /etc/mtab can cause an avc trying to relabel to self.
+dontaudit userdomain self:file relabelto;
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index f2b1c82..6515ad8 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -1,8 +1,8 @@
diff --git a/abrt.fc b/abrt.fc
-index e4f84de..ad5baf5 100644
+index e4f84de..94697ea 100644
--- a/abrt.fc
+++ b/abrt.fc
-@@ -1,30 +1,37 @@
+@@ -1,30 +1,38 @@
-/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
-/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
@@ -42,6 +42,7 @@ index e4f84de..ad5baf5 100644
-/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
-/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
++/var/tmp/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0)
+# ABRT retrace server
@@ -489,7 +490,7 @@ index 058d908..cce58bb 100644
+ dontaudit $1 abrt_t:sock_file write;
')
diff --git a/abrt.te b/abrt.te
-index cc43d25..6d98338 100644
+index cc43d25..23e8575 100644
--- a/abrt.te
+++ b/abrt.te
@@ -1,4 +1,4 @@
@@ -498,7 +499,7 @@ index cc43d25..6d98338 100644
########################################
#
-@@ -6,129 +6,141 @@ policy_module(abrt, 1.3.4)
+@@ -6,129 +6,143 @@ policy_module(abrt, 1.3.4)
#
##
@@ -558,6 +559,7 @@ index cc43d25..6d98338 100644
+# var/cache files
type abrt_var_cache_t;
files_type(abrt_var_cache_t)
++files_tmp_file(abrt_var_cache_t)
+# pid files
type abrt_var_run_t;
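Review bot: `files_tmp_file(abrt_var_cache_t)` attaches the generic tmpfile attribute to the crash-dump type, so every domain that holds blanket tmp rights — for example the `files_relabel_all_tmp_files(systemd_tmpfiles_t)` rule in the systemd hunk earlier in this commit — now reaches abrt crash data that was previously only reachable through abrt_var_cache_t itself, and crash dumps can contain process memory. The three `files_tmp_filetrans(..., abrt_var_cache_t, dir, "abrt")` rules added for abrt_t, abrt_helper_t and abrt_dump_oops_t, and the `/var/tmp/abrt(/.*)?` fc entry, do not depend on the attribute, so if the goal is only to place the directory under /var/tmp the `files_tmp_file` call can go. If a tmp-cleaning domain genuinely needs it, a comment naming that consumer, e.g. `# tmpfile attribute needed so <cleaner> can purge /var/tmp/abrt`, would document the widened exposure.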
@@ -670,6 +672,7 @@ index cc43d25..6d98338 100644
manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)
++files_tmp_filetrans(abrt_t, abrt_var_cache_t, dir, "abrt")
+# abrt pid files
manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
@@ -686,7 +689,7 @@ index cc43d25..6d98338 100644
kernel_request_load_module(abrt_t)
kernel_rw_kernel_sysctl(abrt_t)
-@@ -137,16 +149,14 @@ corecmd_exec_shell(abrt_t)
+@@ -137,16 +151,14 @@ corecmd_exec_shell(abrt_t)
corecmd_read_all_executables(abrt_t)
corenet_all_recvfrom_netlabel(abrt_t)
@@ -705,12 +708,12 @@ index cc43d25..6d98338 100644
dev_getattr_all_chr_files(abrt_t)
dev_getattr_all_blk_files(abrt_t)
-@@ -163,29 +173,35 @@ files_getattr_all_files(abrt_t)
+@@ -163,29 +175,34 @@ files_getattr_all_files(abrt_t)
files_read_config_files(abrt_t)
files_read_etc_runtime_files(abrt_t)
files_read_var_symlinks(abrt_t)
+-files_read_usr_files(abrt_t)
+files_read_var_lib_files(abrt_t)
- files_read_usr_files(abrt_t)
+files_read_generic_tmp_files(abrt_t)
files_read_kernel_modules(abrt_t)
+files_dontaudit_list_default(abrt_t)
@@ -744,7 +747,7 @@ index cc43d25..6d98338 100644
tunable_policy(`abrt_anon_write',`
miscfiles_manage_public_files(abrt_t)
-@@ -193,15 +209,11 @@ tunable_policy(`abrt_anon_write',`
+@@ -193,15 +210,11 @@ tunable_policy(`abrt_anon_write',`
optional_policy(`
apache_list_modules(abrt_t)
@@ -761,7 +764,7 @@ index cc43d25..6d98338 100644
')
optional_policy(`
-@@ -209,6 +221,12 @@ optional_policy(`
+@@ -209,6 +222,12 @@ optional_policy(`
')
optional_policy(`
@@ -774,7 +777,7 @@ index cc43d25..6d98338 100644
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t)
-@@ -220,6 +238,7 @@ optional_policy(`
+@@ -220,6 +239,7 @@ optional_policy(`
corecmd_exec_all_executables(abrt_t)
')
@@ -782,7 +785,7 @@ index cc43d25..6d98338 100644
optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
-@@ -230,6 +249,7 @@ optional_policy(`
+@@ -230,6 +250,7 @@ optional_policy(`
rpm_signull(abrt_t)
')
@@ -790,7 +793,7 @@ index cc43d25..6d98338 100644
optional_policy(`
sendmail_domtrans(abrt_t)
')
-@@ -240,9 +260,17 @@ optional_policy(`
+@@ -240,9 +261,17 @@ optional_policy(`
sosreport_delete_tmp_files(abrt_t)
')
@@ -809,7 +812,7 @@ index cc43d25..6d98338 100644
#
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -253,9 +281,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -253,9 +282,13 @@ tunable_policy(`abrt_handle_event',`
can_exec(abrt_t, abrt_handle_event_exec_t)
')
@@ -824,7 +827,15 @@ index cc43d25..6d98338 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -276,15 +308,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -268,6 +301,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+ manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+ manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
++files_tmp_filetrans(abrt_helper_t, abrt_var_cache_t, dir, "abrt")
+
+ read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
+ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
+@@ -276,15 +310,20 @@ corecmd_read_all_executables(abrt_helper_t)
domain_read_all_domains_state(abrt_helper_t)
@@ -845,7 +856,7 @@ index cc43d25..6d98338 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -292,11 +329,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -292,11 +331,25 @@ ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -872,19 +883,21 @@ index cc43d25..6d98338 100644
#
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -316,8 +367,11 @@ dev_read_urand(abrt_retrace_coredump_t)
+@@ -314,10 +367,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
- files_read_usr_files(abrt_retrace_coredump_t)
+ dev_read_urand(abrt_retrace_coredump_t)
-+logging_send_syslog_msg(abrt_retrace_coredump_t)
+-files_read_usr_files(abrt_retrace_coredump_t)
+
++logging_send_syslog_msg(abrt_retrace_coredump_t)
+
sysnet_dns_name_resolve(abrt_retrace_coredump_t)
+# to install debuginfo packages
optional_policy(`
rpm_exec(abrt_retrace_coredump_t)
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -330,10 +384,11 @@ optional_policy(`
+@@ -330,10 +385,11 @@ optional_policy(`
#######################################
#
@@ -898,12 +911,14 @@ index cc43d25..6d98338 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -354,16 +409,22 @@ dev_read_urand(abrt_retrace_worker_t)
+@@ -352,30 +408,37 @@ corecmd_exec_shell(abrt_retrace_worker_t)
- files_read_usr_files(abrt_retrace_worker_t)
+ dev_read_urand(abrt_retrace_worker_t)
-+logging_send_syslog_msg(abrt_retrace_worker_t)
+-files_read_usr_files(abrt_retrace_worker_t)
+
++logging_send_syslog_msg(abrt_retrace_worker_t)
+
sysnet_dns_name_resolve(abrt_retrace_worker_t)
+optional_policy(`
@@ -923,7 +938,13 @@ index cc43d25..6d98338 100644
files_search_spool(abrt_dump_oops_t)
manage_dirs_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
-@@ -376,6 +437,7 @@ read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
+ manage_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
+ manage_lnk_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
+ files_var_filetrans(abrt_dump_oops_t, abrt_var_cache_t, { file dir })
++files_tmp_filetrans(abrt_dump_oops_t, abrt_var_cache_t, dir, "abrt")
+
+ read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
+ read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
read_files_pattern(abrt_dump_oops_t, abrt_etc_t, abrt_etc_t)
@@ -931,7 +952,7 @@ index cc43d25..6d98338 100644
kernel_read_kernel_sysctls(abrt_dump_oops_t)
kernel_read_ring_buffer(abrt_dump_oops_t)
-@@ -384,14 +446,15 @@ domain_use_interactive_fds(abrt_dump_oops_t)
+@@ -384,14 +447,15 @@ domain_use_interactive_fds(abrt_dump_oops_t)
fs_list_inotifyfs(abrt_dump_oops_t)
logging_read_generic_logs(abrt_dump_oops_t)
@@ -949,7 +970,7 @@ index cc43d25..6d98338 100644
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
-@@ -400,16 +463,15 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -400,16 +464,14 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
corecmd_exec_bin(abrt_watch_log_t)
logging_read_all_logs(abrt_watch_log_t)
@@ -967,7 +988,7 @@ index cc43d25..6d98338 100644
-kernel_read_system_state(abrt_domain)
-
- files_read_etc_files(abrt_domain)
+-files_read_etc_files(abrt_domain)
-
-logging_send_syslog_msg(abrt_domain)
-
@@ -1043,7 +1064,7 @@ index bd5ec9a..a5ed692 100644
+ allow $1 accountsd_unit_file_t:service all_service_perms;
')
diff --git a/accountsd.te b/accountsd.te
-index 313b33f..ea8883f 100644
+index 313b33f..f9d3343 100644
--- a/accountsd.te
+++ b/accountsd.te
@@ -4,6 +4,10 @@ gen_require(`
@@ -1074,46 +1095,35 @@ index 313b33f..ea8883f 100644
########################################
#
# Local policy
-@@ -30,6 +38,7 @@ manage_dirs_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
- manage_files_pattern(accountsd_t, accountsd_var_lib_t, accountsd_var_lib_t)
- files_var_lib_filetrans(accountsd_t, accountsd_var_lib_t, dir)
-
-+kernel_read_system_state(accountsd_t)
- kernel_read_kernel_sysctls(accountsd_t)
- kernel_read_system_state(accountsd_t)
+@@ -38,7 +46,6 @@ corecmd_exec_bin(accountsd_t)
+ dev_read_sysfs(accountsd_t)
-@@ -42,13 +51,15 @@ files_read_usr_files(accountsd_t)
+ files_read_mnt_files(accountsd_t)
+-files_read_usr_files(accountsd_t)
fs_getattr_xattr_fs(accountsd_t)
fs_list_inotifyfs(accountsd_t)
-+fs_getattr_xattr_fs(accountsd_t)
- fs_read_noxattr_fs_files(accountsd_t)
-
- auth_use_nsswitch(accountsd_t)
+@@ -48,7 +55,7 @@ auth_use_nsswitch(accountsd_t)
auth_read_login_records(accountsd_t)
auth_read_shadow(accountsd_t)
-+auth_read_login_records(accountsd_t)
-miscfiles_read_localization(accountsd_t)
+init_dbus_chat(accountsd_t)
logging_send_syslog_msg(accountsd_t)
logging_set_loginuid(accountsd_t)
-@@ -62,6 +73,11 @@ usermanage_domtrans_passwd(accountsd_t)
+@@ -65,9 +72,16 @@ optional_policy(`
+ ')
+
optional_policy(`
- consolekit_dbus_chat(accountsd_t)
- consolekit_read_log(accountsd_t)
-+ consolekit_dbus_chat(accountsd_t)
++ dbus_system_domain(accountsd_t, accountsd_exec_t)
+')
+
+optional_policy(`
-+ dbus_system_domain(accountsd_t, accountsd_exec_t)
+ policykit_dbus_chat(accountsd_t)
')
optional_policy(`
-@@ -70,4 +86,7 @@ optional_policy(`
-
- optional_policy(`
xserver_read_xdm_tmp_files(accountsd_t)
+ xserver_read_state_xdm(accountsd_t)
+ xserver_dbus_chat_xdm(accountsd_t)
@@ -1164,24 +1174,32 @@ index 81280d0..bc4038b 100644
domain_system_change_exemption($1)
role_transition $2 acct_initrc_exec_t system_r;
diff --git a/acct.te b/acct.te
-index 1a1c91a..7a449cc 100644
+index 1a1c91a..d538827 100644
--- a/acct.te
+++ b/acct.te
-@@ -53,14 +53,15 @@ files_list_usr(acct_t)
+@@ -40,8 +40,6 @@ corecmd_exec_shell(acct_t)
+ dev_read_sysfs(acct_t)
+ dev_read_urand(acct_t)
+
+-domain_use_interactive_fds(acct_t)
+-
+ fs_search_auto_mountpoints(acct_t)
+ fs_getattr_xattr_fs(acct_t)
+
+@@ -49,7 +47,6 @@ term_dontaudit_use_console(acct_t)
+ term_dontaudit_use_generic_ptys(acct_t)
+
+ files_read_etc_runtime_files(acct_t)
+-files_list_usr(acct_t)
auth_use_nsswitch(acct_t)
-+auth_use_nsswitch(acct_t)
-+
- init_use_fds(acct_t)
- init_use_script_ptys(acct_t)
- init_exec_script_files(acct_t)
+@@ -59,8 +56,6 @@ init_exec_script_files(acct_t)
logging_send_syslog_msg(acct_t)
-miscfiles_read_localization(acct_t)
-
-+userdom_dontaudit_use_unpriv_user_fds(acct_t)
userdom_dontaudit_search_user_home_dirs(acct_t)
userdom_dontaudit_use_unpriv_user_fds(acct_t)
@@ -1218,10 +1236,10 @@ index 3b41be6..0b18812 100644
afs_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/afs.te b/afs.te
-index 6690cdf..7fefcf5 100644
+index 6690cdf..baf390f 100644
--- a/afs.te
+++ b/afs.te
-@@ -83,6 +83,15 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir })
+@@ -83,8 +83,16 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir })
kernel_rw_afs_state(afs_t)
@@ -1235,9 +1253,11 @@ index 6690cdf..7fefcf5 100644
+corenet_udp_bind_generic_node(afs_t)
+
files_mounton_mnt(afs_t)
- files_read_usr_files(afs_t)
+-files_read_usr_files(afs_t)
files_rw_etc_runtime_files(afs_t)
-@@ -93,6 +102,12 @@ fs_read_nfs_symlinks(afs_t)
+
+ fs_getattr_xattr_fs(afs_t)
+@@ -93,6 +101,12 @@ fs_read_nfs_symlinks(afs_t)
logging_send_syslog_msg(afs_t)
@@ -1250,7 +1270,7 @@ index 6690cdf..7fefcf5 100644
########################################
#
# AFS bossserver local policy
-@@ -125,7 +140,6 @@ domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t)
+@@ -125,7 +139,6 @@ domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t)
kernel_read_kernel_sysctls(afs_bosserver_t)
@@ -1258,17 +1278,40 @@ index 6690cdf..7fefcf5 100644
corenet_all_recvfrom_netlabel(afs_bosserver_t)
corenet_udp_sendrecv_generic_if(afs_bosserver_t)
corenet_udp_sendrecv_generic_node(afs_bosserver_t)
-@@ -179,6 +193,9 @@ corenet_tcp_sendrecv_generic_if(afs_fsserver_t)
+@@ -136,7 +149,6 @@ corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t)
+ corenet_udp_sendrecv_afs_bos_port(afs_bosserver_t)
+
+ files_list_home(afs_bosserver_t)
+-files_read_usr_files(afs_bosserver_t)
+
+ seutil_read_config(afs_bosserver_t)
+
+@@ -175,12 +187,14 @@ kernel_read_kernel_sysctls(afs_fsserver_t)
+
+ corenet_all_recvfrom_unlabeled(afs_fsserver_t)
+ corenet_all_recvfrom_netlabel(afs_fsserver_t)
++corenet_tcp_bind_generic_node(afs_fsserver_t)
++corenet_udp_bind_generic_node(afs_fsserver_t)
+ corenet_tcp_sendrecv_generic_if(afs_fsserver_t)
corenet_udp_sendrecv_generic_if(afs_fsserver_t)
corenet_tcp_sendrecv_generic_node(afs_fsserver_t)
corenet_udp_sendrecv_generic_node(afs_fsserver_t)
+-corenet_tcp_bind_generic_node(afs_fsserver_t)
+-corenet_udp_bind_generic_node(afs_fsserver_t)
+corenet_tcp_sendrecv_all_ports(afs_fsserver_t)
+corenet_udp_sendrecv_all_ports(afs_fsserver_t)
-+corenet_all_recvfrom_netlabel(afs_fsserver_t)
- corenet_tcp_bind_generic_node(afs_fsserver_t)
- corenet_udp_bind_generic_node(afs_fsserver_t)
-@@ -224,7 +241,6 @@ manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t)
+ corenet_sendrecv_afs_fs_server_packets(afs_fsserver_t)
+ corenet_tcp_bind_afs_fs_port(afs_fsserver_t)
+@@ -190,7 +204,6 @@ corenet_udp_sendrecv_afs_fs_port(afs_fsserver_t)
+
+ files_read_etc_runtime_files(afs_fsserver_t)
+ files_list_home(afs_fsserver_t)
+-files_read_usr_files(afs_fsserver_t)
+ files_list_pids(afs_fsserver_t)
+ files_dontaudit_search_mnt(afs_fsserver_t)
+
+@@ -224,7 +237,6 @@ manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t)
kernel_read_kernel_sysctls(afs_kaserver_t)
@@ -1276,7 +1319,15 @@ index 6690cdf..7fefcf5 100644
corenet_all_recvfrom_netlabel(afs_kaserver_t)
corenet_udp_sendrecv_generic_if(afs_kaserver_t)
corenet_udp_sendrecv_generic_node(afs_kaserver_t)
-@@ -262,7 +278,6 @@ manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
+@@ -239,7 +251,6 @@ corenet_udp_bind_kerberos_port(afs_kaserver_t)
+ corenet_udp_sendrecv_kerberos_port(afs_kaserver_t)
+
+ files_list_home(afs_kaserver_t)
+-files_read_usr_files(afs_kaserver_t)
+
+ seutil_read_config(afs_kaserver_t)
+
+@@ -262,7 +273,6 @@ manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
manage_files_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t)
filetrans_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t, file)
@@ -1284,7 +1335,7 @@ index 6690cdf..7fefcf5 100644
corenet_all_recvfrom_netlabel(afs_ptserver_t)
corenet_tcp_sendrecv_generic_if(afs_ptserver_t)
corenet_udp_sendrecv_generic_if(afs_ptserver_t)
-@@ -274,6 +289,8 @@ corenet_udp_bind_generic_node(afs_ptserver_t)
+@@ -274,6 +284,8 @@ corenet_udp_bind_generic_node(afs_ptserver_t)
corenet_udp_bind_afs_pt_port(afs_ptserver_t)
corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t)
@@ -1293,7 +1344,7 @@ index 6690cdf..7fefcf5 100644
userdom_dontaudit_use_user_terminals(afs_ptserver_t)
########################################
-@@ -293,7 +310,6 @@ manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
+@@ -293,7 +305,6 @@ manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
manage_files_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t)
filetrans_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t, file)
@@ -1301,7 +1352,7 @@ index 6690cdf..7fefcf5 100644
corenet_all_recvfrom_netlabel(afs_vlserver_t)
corenet_tcp_sendrecv_generic_if(afs_vlserver_t)
corenet_udp_sendrecv_generic_if(afs_vlserver_t)
-@@ -314,8 +330,4 @@ userdom_dontaudit_use_user_terminals(afs_vlserver_t)
+@@ -314,8 +325,4 @@ userdom_dontaudit_use_user_terminals(afs_vlserver_t)
allow afs_domain self:udp_socket create_socket_perms;
@@ -1330,7 +1381,7 @@ index 3b5dcb9..fbe187f 100644
domain_system_change_exemption($1)
role_transition $2 aiccu_initrc_exec_t system_r;
diff --git a/aiccu.te b/aiccu.te
-index 72c33c2..ca27918 100644
+index 72c33c2..6e4206c 100644
--- a/aiccu.te
+++ b/aiccu.te
@@ -48,7 +48,6 @@ corenet_all_recvfrom_unlabeled(aiccu_t)
@@ -1341,9 +1392,11 @@ index 72c33c2..ca27918 100644
corenet_sendrecv_sixxsconfig_client_packets(aiccu_t)
corenet_tcp_connect_sixxsconfig_port(aiccu_t)
corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t)
-@@ -62,9 +61,9 @@ dev_read_urand(aiccu_t)
+@@ -60,11 +59,10 @@ domain_use_interactive_fds(aiccu_t)
+ dev_read_rand(aiccu_t)
+ dev_read_urand(aiccu_t)
- files_read_etc_files(aiccu_t)
+-files_read_etc_files(aiccu_t)
-logging_send_syslog_msg(aiccu_t)
+auth_read_passwd(aiccu_t)
@@ -1373,7 +1426,7 @@ index 01cbb67..94a4a24 100644
files_list_etc($1)
diff --git a/aide.te b/aide.te
-index 4b28ab3..2cc5904 100644
+index 4b28ab3..cf64a9a 100644
--- a/aide.te
+++ b/aide.te
@@ -10,6 +10,7 @@ attribute_role aide_roles;
@@ -1384,15 +1437,12 @@ index 4b28ab3..2cc5904 100644
role aide_roles types aide_t;
type aide_log_t;
-@@ -33,12 +34,19 @@ setattr_files_pattern(aide_t, aide_log_t, aide_log_t)
- logging_log_filetrans(aide_t, aide_log_t, file)
+@@ -34,11 +35,16 @@ logging_log_filetrans(aide_t, aide_log_t, file)
files_read_all_files(aide_t)
-+files_read_boot_symlinks(aide_t)
files_read_all_symlinks(aide_t)
+files_getattr_all_pipes(aide_t)
+files_getattr_all_sockets(aide_t)
-+files_read_all_symlinks(aide_t)
+
+mls_file_read_to_clearance(aide_t)
+mls_file_write_to_clearance(aide_t)
@@ -1567,10 +1617,10 @@ index 0000000..7abe946
+')
diff --git a/ajaxterm.te b/ajaxterm.te
new file mode 100644
-index 0000000..84bba98
+index 0000000..a95a4ad
--- /dev/null
+++ b/ajaxterm.te
-@@ -0,0 +1,62 @@
+@@ -0,0 +1,60 @@
+policy_module(ajaxterm, 1.0.0)
+
+########################################
@@ -1619,8 +1669,6 @@ index 0000000..84bba98
+
+domain_use_interactive_fds(ajaxterm_t)
+
-+files_read_etc_files(ajaxterm_t)
-+files_read_usr_files(ajaxterm_t)
+
+sysnet_dns_name_resolve(ajaxterm_t)
+
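Review bot: Dropping the two `+files_read_*` lines from the new ajaxterm.te leaves two consecutive blank `+` lines between `domain_use_interactive_fds(ajaxterm_t)` and `sysnet_dns_name_resolve(ajaxterm_t)`; one of the blank lines should go with them. The authconfig.te hunk in this commit has the same double blank line after `domain_use_interactive_fds(authconfig_t)`. Refpolicy files separate rule groups with a single blank line, so the generated files read like an accidental deletion.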
@@ -1728,7 +1776,7 @@ index 708b743..a482fed 100644
+ ps_process_pattern($1, alsa_t)
+')
diff --git a/alsa.te b/alsa.te
-index cda6d20..60c0649 100644
+index cda6d20..f19402e 100644
--- a/alsa.te
+++ b/alsa.te
@@ -24,6 +24,9 @@ files_type(alsa_var_lib_t)
@@ -1741,16 +1789,15 @@ index cda6d20..60c0649 100644
########################################
#
# Local policy
-@@ -59,6 +62,8 @@ dev_read_sound(alsa_t)
+@@ -59,7 +62,6 @@ dev_read_sound(alsa_t)
dev_read_sysfs(alsa_t)
dev_write_sound(alsa_t)
-+corecmd_exec_bin(alsa_t)
-+
- files_read_usr_files(alsa_t)
+-files_read_usr_files(alsa_t)
files_search_var_lib(alsa_t)
-@@ -72,8 +77,6 @@ init_use_fds(alsa_t)
+ term_dontaudit_use_console(alsa_t)
+@@ -72,8 +74,6 @@ init_use_fds(alsa_t)
logging_send_syslog_msg(alsa_t)
@@ -1760,7 +1807,7 @@ index cda6d20..60c0649 100644
userdom_manage_unpriv_user_shared_mem(alsa_t)
userdom_search_user_home_dirs(alsa_t)
diff --git a/amanda.te b/amanda.te
-index ed45974..ebba0d8 100644
+index ed45974..b09436e 100644
--- a/amanda.te
+++ b/amanda.te
@@ -60,7 +60,7 @@ optional_policy(`
@@ -1796,12 +1843,17 @@ index ed45974..ebba0d8 100644
corenet_all_recvfrom_netlabel(amanda_recover_t)
corenet_tcp_sendrecv_generic_if(amanda_recover_t)
corenet_udp_sendrecv_generic_if(amanda_recover_t)
-@@ -200,7 +199,11 @@ fstools_signal(amanda_t)
+@@ -195,12 +194,12 @@ files_search_tmp(amanda_recover_t)
+
+ auth_use_nsswitch(amanda_recover_t)
+-fstools_domtrans(amanda_t)
+-fstools_signal(amanda_t)
+-
logging_search_logs(amanda_recover_t)
-miscfiles_read_localization(amanda_recover_t)
-
+-
-userdom_use_user_terminals(amanda_recover_t)
+userdom_use_inherited_user_terminals(amanda_recover_t)
userdom_search_user_home_content(amanda_recover_t)
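Review bot: The new `-fstools_domtrans(amanda_t)` and `-fstools_signal(amanda_t)` lines delete the fstools transition from amanda.te, where it sat oddly among the amanda_recover_t rules, but this hunk shows no replacement in the amanda_t section. Moving it out of the wrong section is reasonable; if it is not re-added elsewhere in the file (outside this hunk), amanda_t loses its transition to the fstools domain. That loss would show up only as a runtime denial during a backup, so it is worth confirming before merge.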
@@ -1878,7 +1930,7 @@ index 60d4f8c..18ef077 100644
domain_system_change_exemption($1)
role_transition $2 amavis_initrc_exec_t system_r;
diff --git a/amavis.te b/amavis.te
-index ab55ba7..3da45f7 100644
+index ab55ba7..a95b541 100644
--- a/amavis.te
+++ b/amavis.te
@@ -39,7 +39,7 @@ type amavis_quarantine_t;
@@ -1912,7 +1964,7 @@ index ab55ba7..3da45f7 100644
corenet_all_recvfrom_netlabel(amavis_t)
corenet_tcp_sendrecv_generic_if(amavis_t)
corenet_udp_sendrecv_generic_if(amavis_t)
-@@ -118,10 +120,12 @@ corenet_dontaudit_udp_bind_all_ports(amavis_t)
+@@ -118,6 +120,7 @@ corenet_dontaudit_udp_bind_all_ports(amavis_t)
corenet_sendrecv_razor_client_packets(amavis_t)
corenet_tcp_connect_razor_port(amavis_t)
@@ -1920,12 +1972,15 @@ index ab55ba7..3da45f7 100644
dev_read_rand(amavis_t)
dev_read_sysfs(amavis_t)
- dev_read_urand(amavis_t)
-+dev_read_sysfs(amavis_t)
-
- domain_use_interactive_fds(amavis_t)
+@@ -127,7 +130,6 @@ domain_use_interactive_fds(amavis_t)
domain_dontaudit_read_all_domains_state(amavis_t)
-@@ -141,14 +145,20 @@ init_stream_connect_script(amavis_t)
+
+ files_read_etc_runtime_files(amavis_t)
+-files_read_usr_files(amavis_t)
+ files_search_spool(amavis_t)
+
+ fs_getattr_xattr_fs(amavis_t)
+@@ -141,14 +143,20 @@ init_stream_connect_script(amavis_t)
logging_send_syslog_msg(amavis_t)
@@ -1949,7 +2004,7 @@ index ab55ba7..3da45f7 100644
')
optional_policy(`
-@@ -173,6 +183,10 @@ optional_policy(`
+@@ -173,6 +181,10 @@ optional_policy(`
')
optional_policy(`
@@ -1961,10 +2016,14 @@ index ab55ba7..3da45f7 100644
postfix_list_spool(amavis_t)
')
diff --git a/amtu.te b/amtu.te
-index c960f92..c291650 100644
+index c960f92..486e9ed 100644
--- a/amtu.te
+++ b/amtu.te
-@@ -28,7 +28,7 @@ files_read_etc_files(amtu_t)
+@@ -24,11 +24,10 @@ kernel_read_system_state(amtu_t)
+
+ files_manage_boot_files(amtu_t)
+ files_read_etc_runtime_files(amtu_t)
+-files_read_etc_files(amtu_t)
logging_send_audit_msgs(amtu_t)
@@ -3698,7 +3757,7 @@ index 83e899c..7b2ad39 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 1a82e29..44dae79 100644
+index 1a82e29..93b55a0 100644
--- a/apache.te
+++ b/apache.te
@@ -1,297 +1,353 @@
@@ -4217,7 +4276,7 @@ index 1a82e29..44dae79 100644
type httpd_suexec_exec_t;
domain_type(httpd_suexec_t)
domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
-@@ -311,9 +365,23 @@ role system_r types httpd_suexec_t;
+@@ -311,9 +365,19 @@ role system_r types httpd_suexec_t;
type httpd_suexec_tmp_t;
files_tmp_file(httpd_suexec_tmp_t)
@@ -4226,10 +4285,6 @@ index 1a82e29..44dae79 100644
-corecmd_shell_entry_type(httpd_sys_script_t)
-typealias httpd_sys_content_t alias ntop_http_content_t;
+
-+optional_policy(`
-+ postgresql_unpriv_client(httpd_sys_script_t)
-+')
-+
+typeattribute httpd_sys_content_t httpdcontent; # customizable
+typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
+typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
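Review bot: The `optional_policy` block granting `postgresql_unpriv_client(httpd_sys_script_t)` is no longer inserted, and this hunk adds nothing in its place. Its old position among the type declarations was the wrong section for an access rule, so removing it from here is fine, but the grant itself is a behaviour change for sys scripts unless it reappears in the script local-policy section further down (outside this hunk). Confirm that before merging, since scripts that reach PostgreSQL would otherwise start failing with AVC denials.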
@@ -4243,7 +4298,7 @@ index 1a82e29..44dae79 100644
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
-@@ -323,12 +391,19 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -323,12 +387,19 @@ files_tmpfs_file(httpd_tmpfs_t)
apache_content_template(user)
ubac_constrained(httpd_user_script_t)
@@ -4263,7 +4318,7 @@ index 1a82e29..44dae79 100644
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -343,33 +418,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
+@@ -343,33 +414,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
@@ -4314,7 +4369,7 @@ index 1a82e29..44dae79 100644
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
allow httpd_t self:sock_file read_sock_file_perms;
-@@ -378,28 +460,36 @@ allow httpd_t self:shm create_shm_perms;
+@@ -378,28 +456,36 @@ allow httpd_t self:shm create_shm_perms;
allow httpd_t self:sem create_sem_perms;
allow httpd_t self:msgq create_msgq_perms;
allow httpd_t self:msg { send receive };
@@ -4356,7 +4411,7 @@ index 1a82e29..44dae79 100644
logging_log_filetrans(httpd_t, httpd_log_t, file)
allow httpd_t httpd_modules_t:dir list_dir_perms;
-@@ -407,6 +497,8 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+@@ -407,6 +493,8 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
@@ -4365,7 +4420,7 @@ index 1a82e29..44dae79 100644
allow httpd_t httpd_rotatelogs_t:process signal_perms;
manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
-@@ -415,6 +507,10 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+@@ -415,6 +503,10 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
@@ -4376,7 +4431,7 @@ index 1a82e29..44dae79 100644
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -445,140 +541,163 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -445,140 +537,162 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@@ -4454,7 +4509,7 @@ index 1a82e29..44dae79 100644
+domain_use_interactive_fds(httpd_t)
files_dontaudit_getattr_all_pids(httpd_t)
- files_read_usr_files(httpd_t)
+-files_read_usr_files(httpd_t)
+files_exec_usr_files(httpd_t)
files_list_mnt(httpd_t)
files_search_spool(httpd_t)
@@ -4604,7 +4659,7 @@ index 1a82e29..44dae79 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -589,28 +708,46 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -589,28 +703,46 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@@ -4660,7 +4715,7 @@ index 1a82e29..44dae79 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -619,68 +756,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -619,68 +751,38 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
@@ -4745,7 +4800,7 @@ index 1a82e29..44dae79 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -690,49 +797,29 @@ tunable_policy(`httpd_setrlimit',`
+@@ -690,49 +792,29 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -4811,7 +4866,7 @@ index 1a82e29..44dae79 100644
')
optional_policy(`
-@@ -744,12 +831,10 @@ optional_policy(`
+@@ -744,12 +826,10 @@ optional_policy(`
')
optional_policy(`
@@ -4826,13 +4881,12 @@ index 1a82e29..44dae79 100644
')
optional_policy(`
-@@ -765,6 +850,24 @@ optional_policy(`
+@@ -765,6 +845,23 @@ optional_policy(`
')
optional_policy(`
-+ # needed by FreeIPA
++ #needed by FreeIPA
+ dirsrv_stream_connect(httpd_t)
-+ ldap_stream_connect(httpd_t)
+')
+
+optional_policy(`
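Review bot: The rewritten comment `#needed by FreeIPA` drops the space after `#`; refpolicy comments carry one (compare `# Allow httpd to work with mysql` in the next hunk), so keep it as `# needed by FreeIPA`. The same hunk stops adding `ldap_stream_connect(httpd_t)` to that block while keeping `dirsrv_stream_connect(httpd_t)`. If FreeIPA only ever talks to 389-ds that is a sensible narrowing, but it is a behaviour change the commit message does not mention and should be confirmed against the setup the block exists for.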
@@ -4851,7 +4905,7 @@ index 1a82e29..44dae79 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -781,34 +884,42 @@ optional_policy(`
+@@ -781,34 +878,42 @@ optional_policy(`
')
optional_policy(`
@@ -4905,10 +4959,14 @@ index 1a82e29..44dae79 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
-@@ -816,8 +927,10 @@ optional_policy(`
+@@ -816,8 +921,14 @@ optional_policy(`
')
optional_policy(`
++ munin_read_config(httpd_t)
++')
++
++optional_policy(`
+ # Allow httpd to work with mysql
mysql_read_config(httpd_t)
mysql_stream_connect(httpd_t)
@@ -4916,7 +4974,7 @@ index 1a82e29..44dae79 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -826,6 +939,7 @@ optional_policy(`
+@@ -826,6 +937,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -4924,7 +4982,7 @@ index 1a82e29..44dae79 100644
')
optional_policy(`
-@@ -836,20 +950,35 @@ optional_policy(`
+@@ -836,20 +948,34 @@ optional_policy(`
')
optional_policy(`
@@ -4946,19 +5004,18 @@ index 1a82e29..44dae79 100644
- ')
+optional_policy(`
+ pcscd_read_pub_files(httpd_t)
++')
++
++optional_policy(`
++ pki_apache_domain_signal(httpd_t)
++ pki_manage_apache_config_files(httpd_t)
++ pki_manage_apache_lib(httpd_t)
++ pki_manage_apache_log_files(httpd_t)
++ pki_manage_apache_run(httpd_t)
')
optional_policy(`
- puppet_read_lib_files(httpd_t)
-+ pki_apache_domain_signal(httpd_t)
-+ pki_apache_domain_signal(httpd_t)
-+ pki_manage_apache_run(httpd_t)
-+ pki_manage_apache_config_files(httpd_t)
-+ pki_manage_apache_log_files(httpd_t)
-+ pki_manage_apache_lib(httpd_t)
-+')
-+
-+optional_policy(`
+ puppet_read_lib(httpd_t)
+')
+
@@ -4967,7 +5024,7 @@ index 1a82e29..44dae79 100644
')
optional_policy(`
-@@ -857,6 +986,16 @@ optional_policy(`
+@@ -857,6 +983,16 @@ optional_policy(`
')
optional_policy(`
@@ -4984,7 +5041,7 @@ index 1a82e29..44dae79 100644
seutil_sigchld_newrole(httpd_t)
')
-@@ -865,6 +1004,7 @@ optional_policy(`
+@@ -865,6 +1001,7 @@ optional_policy(`
')
optional_policy(`
@@ -4992,7 +5049,7 @@ index 1a82e29..44dae79 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -877,64 +1017,168 @@ optional_policy(`
+@@ -877,65 +1014,166 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -5021,8 +5078,6 @@ index 1a82e29..44dae79 100644
-logging_search_logs(httpd_helper_t)
logging_send_syslog_msg(httpd_helper_t)
-+userdom_use_inherited_user_terminals(httpd_helper_t)
-+
+tunable_policy(`httpd_verify_dns',`
+ corenet_udp_bind_all_ephemeral_ports(httpd_t)
+')
@@ -5060,10 +5115,11 @@ index 1a82e29..44dae79 100644
-',`
- userdom_dontaudit_use_user_terminals(httpd_helper_t)
+ userdom_use_inherited_user_terminals(httpd_helper_t)
-+')
-+
-+########################################
-+#
+ ')
+
+ ########################################
+ #
+-# Suexec local policy
+# Apache PHP script local policy
+#
+
@@ -5122,11 +5178,10 @@ index 1a82e29..44dae79 100644
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_php_t)
+ ')
- ')
-
- ########################################
- #
--# Suexec local policy
++')
++
++########################################
++#
+# Apache suexec local policy
#
@@ -5173,16 +5228,17 @@ index 1a82e29..44dae79 100644
fs_read_iso9660_files(httpd_suexec_t)
fs_search_auto_mountpoints(httpd_suexec_t)
+-files_read_usr_files(httpd_suexec_t)
+application_exec_all(httpd_suexec_t)
+
+# for shell scripts
+corecmd_exec_bin(httpd_suexec_t)
+corecmd_exec_shell(httpd_suexec_t)
+
- files_read_usr_files(httpd_suexec_t)
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -944,123 +1188,74 @@ auth_use_nsswitch(httpd_suexec_t)
+
+@@ -944,123 +1182,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -5337,7 +5393,7 @@ index 1a82e29..44dae79 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1272,103 @@ optional_policy(`
+@@ -1077,172 +1266,103 @@ optional_policy(`
')
')
@@ -5503,12 +5559,12 @@ index 1a82e29..44dae79 100644
-#
-
-allow httpd_sys_script_t self:tcp_socket { accept listen };
--
++corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+
-allow httpd_sys_script_t httpd_t:tcp_socket { read write };
-
-dontaudit httpd_sys_script_t httpd_config_t:dir search;
-+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
-
+-
-allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
-
-allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
@@ -5572,7 +5628,7 @@ index 1a82e29..44dae79 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1376,70 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1250,64 +1370,70 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -5666,7 +5722,7 @@ index 1a82e29..44dae79 100644
########################################
#
-@@ -1315,8 +1447,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1315,8 +1441,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -5683,7 +5739,7 @@ index 1a82e29..44dae79 100644
')
########################################
-@@ -1324,49 +1463,36 @@ optional_policy(`
+@@ -1324,49 +1457,36 @@ optional_policy(`
# User content local policy
#
@@ -5747,7 +5803,7 @@ index 1a82e29..44dae79 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1502,101 @@ dev_read_urand(httpd_passwd_t)
+@@ -1376,38 +1496,94 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -5765,33 +5821,23 @@ index 1a82e29..44dae79 100644
+systemd_manage_passwd_run(httpd_passwd_t)
+systemd_manage_passwd_run(httpd_t)
+#systemd_passwd_agent_dev_template(httpd)
-
--allow httpd_gpg_t self:process setrlimit;
++
+domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
+dontaudit httpd_passwd_t httpd_config_t:file read;
-
--allow httpd_gpg_t httpd_t:fd use;
--allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms;
--allow httpd_gpg_t httpd_t:process sigchld;
++
+search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)
+corecmd_shell_entry_type(httpd_script_type)
-
--dev_read_rand(httpd_gpg_t)
--dev_read_urand(httpd_gpg_t)
++
+allow httpd_script_type self:fifo_file rw_file_perms;
+allow httpd_script_type self:unix_stream_socket connectto;
-
--files_read_usr_files(httpd_gpg_t)
++
+allow httpd_script_type httpd_t:fifo_file write;
+# apache should set close-on-exec
+apache_dontaudit_leaks(httpd_script_type)
-
--miscfiles_read_localization(httpd_gpg_t)
++
+append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t)
+logging_search_logs(httpd_script_type)
-
--tunable_policy(`httpd_gpg_anon_write',`
-- miscfiles_manage_public_files(httpd_gpg_t)
++
+kernel_dontaudit_search_sysctl(httpd_script_type)
+kernel_dontaudit_search_kernel_sysctl(httpd_script_type)
+
@@ -5806,32 +5852,39 @@ index 1a82e29..44dae79 100644
+
+libs_exec_ld_so(httpd_script_type)
+libs_exec_lib_files(httpd_script_type)
-+
+
+-allow httpd_gpg_t self:process setrlimit;
+miscfiles_read_fonts(httpd_script_type)
+miscfiles_read_public_files(httpd_script_type)
-+
+
+-allow httpd_gpg_t httpd_t:fd use;
+-allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms;
+-allow httpd_gpg_t httpd_t:process sigchld;
+allow httpd_t httpd_script_type:unix_stream_socket connectto;
-+
+
+-dev_read_rand(httpd_gpg_t)
+-dev_read_urand(httpd_gpg_t)
+allow httpd_t httpd_script_exec_type:file read_file_perms;
+allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
+allow httpd_t httpd_script_type:process { signal sigkill sigstop };
+allow httpd_t httpd_script_exec_type:dir list_dir_perms;
-+
+
+-files_read_usr_files(httpd_gpg_t)
+allow httpd_script_type self:process { setsched signal_perms };
+allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
+allow httpd_script_type self:unix_dgram_socket create_socket_perms;
-+
+
+-miscfiles_read_localization(httpd_gpg_t)
+allow httpd_script_type httpd_t:fd use;
+allow httpd_script_type httpd_t:process sigchld;
-+
+
+-tunable_policy(`httpd_gpg_anon_write',`
+- miscfiles_manage_public_files(httpd_gpg_t)
+dontaudit httpd_script_type httpd_t:tcp_socket { read write };
+
-+dev_read_urand(httpd_script_type)
-+
+fs_getattr_xattr_fs(httpd_script_type)
+
+files_read_etc_runtime_files(httpd_script_type)
-+files_read_usr_files(httpd_script_type)
+
+libs_read_lib_files(httpd_script_type)
+
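Review bot: `dev_read_urand(httpd_script_type)` is no longer added for the script domains, while the rest of the `httpd_script_type` block stays, and nothing in this hunk grants urandom access another way. CGI and PHP script domains commonly read /dev/urandom (session identifiers, tokens), so unless the base policy now grants it to every domain — which this file cannot show — the change will surface as AVC denials on the urandom device. The `httpd_script_type` rules continue past the end of this hunk.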
@@ -5858,10 +5911,6 @@ index 1a82e29..44dae79 100644
+ allow httpd_t httpd_content_type:dir list_dir_perms;
+ read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
+ read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
-+
-+ allow httpd_t httpd_content_type:dir list_dir_perms;
-+ read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
-+ read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
+')
+
+tunable_policy(`httpd_use_openstack',`
@@ -5943,7 +5992,7 @@ index f3c0aba..5189407 100644
+ allow $1 apcupsd_unit_file_t:service all_service_perms;
')
diff --git a/apcupsd.te b/apcupsd.te
-index b236327..febec9a 100644
+index b236327..7e05d8c 100644
--- a/apcupsd.te
+++ b/apcupsd.te
@@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t)
@@ -5964,11 +6013,7 @@ index b236327..febec9a 100644
corenet_all_recvfrom_netlabel(apcupsd_t)
corenet_tcp_sendrecv_generic_if(apcupsd_t)
corenet_tcp_sendrecv_generic_node(apcupsd_t)
-@@ -64,9 +66,11 @@ corenet_udp_sendrecv_generic_node(apcupsd_t)
- corenet_udp_bind_generic_node(apcupsd_t)
-
- corenet_tcp_bind_apcupsd_port(apcupsd_t)
-+corenet_udp_bind_generic_node(apcupsd_t)
+@@ -67,6 +69,7 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t)
corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)
corenet_tcp_connect_apcupsd_port(apcupsd_t)
@@ -5976,7 +6021,7 @@ index b236327..febec9a 100644
corenet_udp_bind_snmp_port(apcupsd_t)
corenet_sendrecv_snmp_server_packets(apcupsd_t)
-@@ -74,25 +78,33 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t)
+@@ -74,19 +77,23 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t)
dev_rw_generic_usb_dev(apcupsd_t)
@@ -5991,10 +6036,10 @@ index b236327..febec9a 100644
+#apcupsd runs shutdown, probably need a shutdown domain
+init_rw_utmp(apcupsd_t)
+init_telinit(apcupsd_t)
-+
-+auth_read_passwd(apcupsd_t)
-miscfiles_read_localization(apcupsd_t)
++auth_read_passwd(apcupsd_t)
++
+logging_send_syslog_msg(apcupsd_t)
sysnet_dns_name_resolve(apcupsd_t)
@@ -6004,17 +6049,7 @@ index b236327..febec9a 100644
optional_policy(`
hostname_exec(apcupsd_t)
- ')
-
- optional_policy(`
-+ shutdown_domtrans(apcupsd_t)
-+')
-+
-+optional_policy(`
- mta_send_mail(apcupsd_t)
- mta_system_content(apcupsd_tmp_t)
- ')
-@@ -112,7 +124,6 @@ optional_policy(`
+@@ -112,7 +119,6 @@ optional_policy(`
allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
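Review bot: The `shutdown_domtrans(apcupsd_t)` optional block is dropped from the new patch, yet the retained comment `#apcupsd runs shutdown, probably need a shutdown domain` and `init_telinit(apcupsd_t)` in the preceding hunk still describe apcupsd needing to shut the system down, so the two now contradict each other. Without the transition, apcupsd_t appears to drive shutdown itself under its own domain, which is broader than handing off to the confined shutdown domain. Unless the block is re-added elsewhere in apcupsd.te (outside this hunk), either reinstate it or reword the comment to state the chosen approach.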
@@ -6081,7 +6116,7 @@ index 1a7a97e..1d29dce 100644
domain_system_change_exemption($1)
role_transition $2 apmd_initrc_exec_t system_r;
diff --git a/apm.te b/apm.te
-index 3590e2f..29e3af5 100644
+index 3590e2f..5d9ac1d 100644
--- a/apm.te
+++ b/apm.te
@@ -35,6 +35,9 @@ files_type(apmd_var_lib_t)
@@ -6121,16 +6156,7 @@ index 3590e2f..29e3af5 100644
corecmd_exec_all_executables(apmd_t)
domain_read_all_domains_state(apmd_t)
-@@ -128,6 +129,8 @@ domain_dontaudit_list_all_domains_state(apmd_t)
-
- auth_use_nsswitch(apmd_t)
-
-+auth_use_nsswitch(apmd_t)
-+
- init_domtrans_script(apmd_t)
-
- libs_exec_ld_so(apmd_t)
-@@ -136,17 +139,54 @@ libs_exec_lib_files(apmd_t)
+@@ -136,17 +137,16 @@ libs_exec_lib_files(apmd_t)
logging_send_audit_msgs(apmd_t)
logging_send_syslog_msg(apmd_t)
@@ -6147,53 +6173,20 @@ index 3590e2f..29e3af5 100644
userdom_dontaudit_search_user_home_dirs(apmd_t)
-userdom_dontaudit_search_user_home_content(apmd_t)
+userdom_dontaudit_search_user_home_content(apmd_t) # Excessive?
-+
-+ifdef(`distro_redhat',`
-+ allow apmd_t apmd_lock_t:file manage_file_perms;
-+ files_lock_filetrans(apmd_t, apmd_lock_t, file)
-+
-+ can_exec(apmd_t, apmd_var_run_t)
-+
-+ optional_policy(`
-+ fstools_domtrans(apmd_t)
-+ ')
-+
-+ optional_policy(`
-+ iptables_domtrans(apmd_t)
-+ ')
-+
-+ optional_policy(`
-+ netutils_domtrans(apmd_t)
-+ ')
-+
-+ # ifconfig_exec_t needs to be run in its own domain for Red Hat
-+ optional_policy(`
-+ sssd_search_lib(apmd_t)
-+ ')
-+
-+ optional_policy(`
-+ sysnet_domtrans_ifconfig(apmd_t)
-+ ')
-+
-+',`
-+ # for ifconfig which is run all the time
-+ kernel_dontaudit_search_sysctl(apmd_t)
-+')
-+
-+ifdef(`distro_suse',`
-+ manage_dirs_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t)
-+ manage_files_pattern(apmd_t, apmd_var_lib_t, apmd_var_lib_t)
-+ files_var_lib_filetrans(apmd_t, apmd_var_lib_t, file)
-+')
optional_policy(`
automount_domtrans(apmd_t)
-@@ -206,7 +246,11 @@ optional_policy(`
+@@ -206,11 +206,15 @@ optional_policy(`
')
optional_policy(`
- seutil_sigchld_newrole(apmd_t)
+ shutdown_domtrans(apmd_t)
+ ')
+
+ optional_policy(`
+- shutdown_domtrans(apmd_t)
++ sssd_search_lib(apmd_t)
+')
+
+optional_policy(`
@@ -6202,7 +6195,7 @@ index 3590e2f..29e3af5 100644
optional_policy(`
diff --git a/apt.te b/apt.te
-index e2d8d52..c6e62d7 100644
+index e2d8d52..d82403c 100644
--- a/apt.te
+++ b/apt.te
@@ -83,7 +83,6 @@ kernel_read_kernel_sysctls(apt_t)
@@ -6213,7 +6206,14 @@ index e2d8d52..c6e62d7 100644
corenet_all_recvfrom_netlabel(apt_t)
corenet_tcp_sendrecv_generic_if(apt_t)
corenet_tcp_sendrecv_generic_node(apt_t)
-@@ -105,20 +104,18 @@ fs_getattr_all_fs(apt_t)
+@@ -98,27 +97,24 @@ domain_getattr_all_domains(apt_t)
+ domain_use_interactive_fds(apt_t)
+
+ files_exec_usr_files(apt_t)
+-files_read_etc_files(apt_t)
+ files_read_etc_runtime_files(apt_t)
+
+ fs_getattr_all_fs(apt_t)
term_create_pty(apt_t, apt_devpts_t)
term_list_ptys(apt_t)
@@ -6310,7 +6310,7 @@ index 50c9b9c..51c8cc0 100644
+ allow $1 arpwatch_unit_file_t:service all_service_perms;
')
diff --git a/arpwatch.te b/arpwatch.te
-index fa18c76..ef976af 100644
+index fa18c76..fd6911a 100644
--- a/arpwatch.te
+++ b/arpwatch.te
@@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t)
@@ -6356,7 +6356,14 @@ index fa18c76..ef976af 100644
dev_read_sysfs(arpwatch_t)
dev_read_usbmon_dev(arpwatch_t)
dev_rw_generic_usb_dev(arpwatch_t)
-@@ -66,8 +82,6 @@ auth_use_nsswitch(arpwatch_t)
+@@ -59,15 +75,12 @@ fs_search_auto_mountpoints(arpwatch_t)
+
+ domain_use_interactive_fds(arpwatch_t)
+
+-files_read_usr_files(arpwatch_t)
+ files_search_var_lib(arpwatch_t)
+
+ auth_use_nsswitch(arpwatch_t)
logging_send_syslog_msg(arpwatch_t)
@@ -6385,10 +6392,10 @@ index 7268a04..3a5dc33 100644
domain_system_change_exemption($1)
role_transition $2 asterisk_initrc_exec_t system_r;
diff --git a/asterisk.te b/asterisk.te
-index 5439f1c..37841a1 100644
+index 5439f1c..0be374d 100644
--- a/asterisk.te
+++ b/asterisk.te
-@@ -19,10 +19,11 @@ type asterisk_log_t;
+@@ -19,7 +19,7 @@ type asterisk_log_t;
logging_log_file(asterisk_log_t)
type asterisk_spool_t;
@@ -6397,11 +6404,7 @@ index 5439f1c..37841a1 100644
type asterisk_tmp_t;
files_tmp_file(asterisk_tmp_t)
-+mta_system_content(asterisk_tmp_t)
-
- type asterisk_tmpfs_t;
- files_tmpfs_file(asterisk_tmpfs_t)
-@@ -72,11 +73,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
+@@ -72,11 +72,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
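Review bot: `mta_system_content(asterisk_tmp_t)` is no longer added to asterisk.te, and in the later asterisk hunk `corenet_tcp_connect_jabber_client_port(asterisk_t)` is dropped as well, with nothing in the commit explaining either. Both are privilege reductions, welcome from a least-privilege standpoint if the mail and XMPP paths are unused, but if they were added for reported denials this merge quietly reverts those fixes. A short note in the commit message naming the reason would settle it.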
@@ -6415,7 +6418,7 @@ index 5439f1c..37841a1 100644
can_exec(asterisk_t, asterisk_exec_t)
kernel_read_kernel_sysctls(asterisk_t)
-@@ -87,7 +88,6 @@ kernel_request_load_module(asterisk_t)
+@@ -87,7 +87,6 @@ kernel_request_load_module(asterisk_t)
corecmd_exec_bin(asterisk_t)
corecmd_exec_shell(asterisk_t)
@@ -6423,15 +6426,7 @@ index 5439f1c..37841a1 100644
corenet_all_recvfrom_netlabel(asterisk_t)
corenet_tcp_sendrecv_generic_if(asterisk_t)
corenet_udp_sendrecv_generic_if(asterisk_t)
-@@ -125,6 +125,7 @@ corenet_tcp_connect_pktcable_cops_port(asterisk_t)
-
- corenet_sendrecv_sip_client_packets(asterisk_t)
- corenet_tcp_connect_sip_port(asterisk_t)
-+corenet_tcp_connect_jabber_client_port(asterisk_t)
-
- dev_rw_generic_usb_dev(asterisk_t)
- dev_read_sysfs(asterisk_t)
-@@ -135,7 +136,6 @@ dev_read_urand(asterisk_t)
+@@ -135,7 +134,6 @@ dev_read_urand(asterisk_t)
domain_use_interactive_fds(asterisk_t)
@@ -6439,7 +6434,7 @@ index 5439f1c..37841a1 100644
files_search_spool(asterisk_t)
files_dontaudit_search_home(asterisk_t)
-@@ -148,8 +148,6 @@ auth_use_nsswitch(asterisk_t)
+@@ -148,8 +146,6 @@ auth_use_nsswitch(asterisk_t)
logging_send_syslog_msg(asterisk_t)
@@ -6597,10 +6592,10 @@ index 0000000..98ab9ed
+')
diff --git a/authconfig.te b/authconfig.te
new file mode 100644
-index 0000000..aeea7cf
+index 0000000..340b755
--- /dev/null
+++ b/authconfig.te
-@@ -0,0 +1,33 @@
+@@ -0,0 +1,32 @@
+policy_module(authconfig, 1.0.0)
+
+########################################
@@ -6629,7 +6624,6 @@ index 0000000..aeea7cf
+
+domain_use_interactive_fds(authconfig_t)
+
-+files_read_etc_files(authconfig_t)
+
+init_domtrans_script(authconfig_t)
+
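Review bot: Dropping `files_read_etc_files(authconfig_t)` only keeps authconfig working if etc_t reads are now granted to every domain somewhere else — presumably by a base-policy change built alongside this contrib patch — so the two must land in the same package build. If a later contrib rebase is ever applied without the matching base change, authconfig loses read access to etc_t content at its first run and there is no local rule left to fall back on. A line in the spec changelog naming the base rule that now covers etc_t/usr_t reads would make the dependency visible; the same removal is repeated for bird, brctl, canna, ccs, cipe, cobbler and others in this diff.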
@@ -6717,7 +6711,7 @@ index 089430a..7cd037b 100644
+ allow $1 automount_unit_file_t:service all_service_perms;
')
diff --git a/automount.te b/automount.te
-index a579c3b..9fdef3d 100644
+index a579c3b..e8961f7 100644
--- a/automount.te
+++ b/automount.te
@@ -22,6 +22,9 @@ type automount_tmp_t;
@@ -6730,21 +6724,7 @@ index a579c3b..9fdef3d 100644
########################################
#
# Local policy
-@@ -50,19 +53,20 @@ manage_fifo_files_pattern(automount_t, automount_var_run_t, automount_var_run_t)
- files_pid_filetrans(automount_t, automount_var_run_t, { file fifo_file })
-
- kernel_read_kernel_sysctls(automount_t)
-+kernel_read_vm_sysctls(automount_t)
- kernel_read_irq_sysctls(automount_t)
- kernel_read_fs_sysctls(automount_t)
- kernel_read_vm_sysctls(automount_t)
- kernel_read_proc_symlinks(automount_t)
- kernel_read_system_state(automount_t)
- kernel_read_network_state(automount_t)
-+kernel_search_vm_sysctl(automount_t)
- kernel_list_proc(automount_t)
- kernel_dontaudit_search_xen_state(automount_t)
-
+@@ -62,7 +65,6 @@ kernel_dontaudit_search_xen_state(automount_t)
corecmd_exec_bin(automount_t)
corecmd_exec_shell(automount_t)
@@ -6752,7 +6732,7 @@ index a579c3b..9fdef3d 100644
corenet_all_recvfrom_netlabel(automount_t)
corenet_tcp_sendrecv_generic_if(automount_t)
corenet_udp_sendrecv_generic_if(automount_t)
-@@ -96,7 +100,6 @@ files_mount_all_file_type_fs(automount_t)
+@@ -96,7 +98,6 @@ files_mount_all_file_type_fs(automount_t)
files_mounton_all_mountpoints(automount_t)
files_mounton_mnt(automount_t)
files_read_etc_runtime_files(automount_t)
@@ -6760,7 +6740,7 @@ index a579c3b..9fdef3d 100644
files_search_boot(automount_t)
files_search_all(automount_t)
files_unmount_all_file_type_fs(automount_t)
-@@ -130,15 +133,18 @@ auth_use_nsswitch(automount_t)
+@@ -130,15 +131,18 @@ auth_use_nsswitch(automount_t)
logging_send_syslog_msg(automount_t)
logging_search_logs(automount_t)
@@ -6867,7 +6847,7 @@ index aebe7cb..33fe57b 100644
+ allow $1 avahi_unit_file_t:service all_service_perms;
')
diff --git a/avahi.te b/avahi.te
-index 60e76be..0f0891b 100644
+index 60e76be..0730647 100644
--- a/avahi.te
+++ b/avahi.te
@@ -17,6 +17,10 @@ files_pid_file(avahi_var_lib_t)
@@ -6889,15 +6869,18 @@ index 60e76be..0f0891b 100644
corenet_all_recvfrom_netlabel(avahi_t)
corenet_tcp_sendrecv_generic_if(avahi_t)
corenet_udp_sendrecv_generic_if(avahi_t)
-@@ -72,6 +75,7 @@ fs_search_auto_mountpoints(avahi_t)
+@@ -72,9 +75,9 @@ fs_search_auto_mountpoints(avahi_t)
fs_list_inotifyfs(avahi_t)
domain_use_interactive_fds(avahi_t)
+domain_dontaudit_signull_all_domains(avahi_t)
files_read_etc_runtime_files(avahi_t)
- files_read_usr_files(avahi_t)
-@@ -83,13 +87,14 @@ init_signull_script(avahi_t)
+-files_read_usr_files(avahi_t)
+
+ auth_use_nsswitch(avahi_t)
+
+@@ -83,13 +86,14 @@ init_signull_script(avahi_t)
logging_send_syslog_msg(avahi_t)
@@ -6913,22 +6896,20 @@ index 60e76be..0f0891b 100644
userdom_dontaudit_use_unpriv_user_fds(avahi_t)
userdom_dontaudit_search_user_home_dirs(avahi_t)
-@@ -106,6 +111,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ rpcbind_signull(avahi_t)
-+')
-+
-+optional_policy(`
- seutil_sigchld_newrole(avahi_t)
- ')
-
diff --git a/awstats.te b/awstats.te
-index d6ab824..eec2bdb 100644
+index d6ab824..116176d 100644
--- a/awstats.te
+++ b/awstats.te
-@@ -61,8 +61,6 @@ libs_read_lib_files(awstats_t)
+@@ -52,8 +52,6 @@ corecmd_exec_shell(awstats_t)
+ dev_read_urand(awstats_t)
+
+ files_dontaudit_search_all_mountpoints(awstats_t)
+-files_read_etc_files(awstats_t)
+-files_read_usr_files(awstats_t)
+
+ fs_list_inotifyfs(awstats_t)
+
+@@ -61,8 +59,6 @@ libs_read_lib_files(awstats_t)
logging_read_generic_logs(awstats_t)
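Review bot: Dropping the `rpcbind_signull(avahi_t)` block while `domain_dontaudit_signull_all_domains(avahi_t)` stays in the previous hunk means a genuine signull need is no longer just denied but hidden from the audit log. If avahi really does probe another daemon's pid (presumably why the rpcbind rule was added), that probe now fails silently; if it never did, fine, but a dontaudit across all domains is broad for what was a single-target rule. I would confirm with `ausearch -m avc -c avahi-daemon` after a `semodule -DB` build before shipping. The awstats part of this hunk is the same etc/usr-files removal seen elsewhere in the diff.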
@@ -6937,7 +6918,7 @@ index d6ab824..eec2bdb 100644
sysnet_dns_name_resolve(awstats_t)
tunable_policy(`awstats_purge_apache_log_files',`
-@@ -90,9 +88,13 @@ optional_policy(`
+@@ -90,9 +86,13 @@ optional_policy(`
# CGI local policy
#
@@ -6975,12 +6956,14 @@ index d6ceef4..c10d39c 100644
optional_policy(`
cron_system_entry(backup_t, backup_exec_t)
diff --git a/bacula.te b/bacula.te
-index 3beba2f..67e074e 100644
+index 3beba2f..7ca4480 100644
--- a/bacula.te
+++ b/bacula.te
-@@ -150,7 +150,6 @@ domain_use_interactive_fds(bacula_admin_t)
+@@ -148,9 +148,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t)
+
+ domain_use_interactive_fds(bacula_admin_t)
- files_read_etc_files(bacula_admin_t)
+-files_read_etc_files(bacula_admin_t)
-miscfiles_read_localization(bacula_admin_t)
@@ -7067,7 +7050,7 @@ index ec95d36..7132e1e 100644
+ ')
')
diff --git a/bcfg2.te b/bcfg2.te
-index 536ec3c..2d04d51 100644
+index 536ec3c..271b976 100644
--- a/bcfg2.te
+++ b/bcfg2.te
@@ -15,6 +15,9 @@ init_script_file(bcfg2_initrc_exec_t)
@@ -7080,17 +7063,22 @@ index 536ec3c..2d04d51 100644
type bcfg2_var_run_t;
files_pid_file(bcfg2_var_run_t)
-@@ -57,5 +60,3 @@ files_read_usr_files(bcfg2_t)
+@@ -52,10 +55,7 @@ dev_read_urand(bcfg2_t)
+
+ domain_use_interactive_fds(bcfg2_t)
+
+-files_read_usr_files(bcfg2_t)
+
auth_use_nsswitch(bcfg2_t)
logging_send_syslog_msg(bcfg2_t)
-
-miscfiles_read_localization(bcfg2_t)
diff --git a/bind.fc b/bind.fc
-index 2b9a3a1..005bb7e 100644
+index 2b9a3a1..1cb1b4f 100644
--- a/bind.fc
+++ b/bind.fc
-@@ -1,54 +1,69 @@
+@@ -1,54 +1,70 @@
-/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
@@ -7125,6 +7113,7 @@ index 2b9a3a1..005bb7e 100644
+/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
+/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
/usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0)
++/usr/sbin/unbound-anchor -- gen_context(system_u:object_r:named_exec_t,s0)
-/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
-/var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
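Review bot: Labeling `/usr/sbin/unbound-anchor` as named_exec_t puts it in named_t when started from a unit or init script, but nothing in this hunk grants named_t what unbound-anchor itself needs: as far as I recall it refreshes the DNSSEC root trust anchor over HTTPS and writes the result under /var/lib/unbound, which needs an outbound http port name_connect and a writable label on that directory. If those rules already exist elsewhere in bind.te this is fine; otherwise the first anchor refresh is denied at boot. Worth checking after the build with `sesearch -A -s named_t -c tcp_socket -p name_connect` and `matchpathcon /var/lib/unbound`.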
@@ -7341,7 +7330,7 @@ index 866a1e2..6c2dbe4 100644
+ allow $1 named_unit_file_t:service all_service_perms;
')
diff --git a/bind.te b/bind.te
-index 076ffee..6a12335 100644
+index 076ffee..74e77ff 100644
--- a/bind.te
+++ b/bind.te
@@ -34,7 +34,7 @@ type named_checkconf_exec_t;
@@ -7371,20 +7360,19 @@ index 076ffee..6a12335 100644
corenet_all_recvfrom_netlabel(named_t)
corenet_tcp_sendrecv_generic_if(named_t)
corenet_udp_sendrecv_generic_if(named_t)
-@@ -170,6 +172,12 @@ tunable_policy(`named_write_master_zones',`
+@@ -170,6 +172,11 @@ tunable_policy(`named_write_master_zones',`
')
optional_policy(`
+ # needed by FreeIPA with DNS support
+ dirsrv_stream_connect(named_t)
-+ ldap_stream_connect(named_t)
+')
+
+optional_policy(`
dbus_system_domain(named_t, named_exec_t)
init_dbus_chat_script(named_t)
-@@ -183,6 +191,7 @@ optional_policy(`
+@@ -183,6 +190,7 @@ optional_policy(`
optional_policy(`
kerberos_keytab_template(named, named_t)
@@ -7392,7 +7380,7 @@ index 076ffee..6a12335 100644
')
optional_policy(`
-@@ -209,7 +218,8 @@ optional_policy(`
+@@ -209,7 +217,8 @@ optional_policy(`
#
allow ndc_t self:capability { dac_override net_admin };
@@ -7402,19 +7390,19 @@ index 076ffee..6a12335 100644
allow ndc_t self:fifo_file rw_fifo_file_perms;
allow ndc_t self:unix_stream_socket { accept listen };
-@@ -223,10 +233,10 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
+@@ -223,10 +232,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
allow ndc_t named_zone_t:dir search_dir_perms;
-+kernel_read_system_state(ndc_t)
- kernel_read_kernel_sysctls(ndc_t)
+-kernel_read_kernel_sysctls(ndc_t)
kernel_read_system_state(ndc_t)
++kernel_read_kernel_sysctls(ndc_t)
-corenet_all_recvfrom_unlabeled(ndc_t)
corenet_all_recvfrom_netlabel(ndc_t)
corenet_tcp_sendrecv_generic_if(ndc_t)
corenet_tcp_sendrecv_generic_node(ndc_t)
-@@ -251,7 +261,7 @@ init_use_script_ptys(ndc_t)
+@@ -251,7 +259,7 @@ init_use_script_ptys(ndc_t)
logging_send_syslog_msg(ndc_t)
@@ -7423,6 +7411,18 @@ index 076ffee..6a12335 100644
userdom_use_user_terminals(ndc_t)
+diff --git a/bird.te b/bird.te
+index d4d71ec..f53b135 100644
+--- a/bird.te
++++ b/bird.te
+@@ -51,7 +51,6 @@ corenet_tcp_connect_bgp_port(bird_t)
+ corenet_tcp_sendrecv_bgp_port(bird_t)
+
+ # /etc/iproute2/rt_realms
+-files_read_etc_files(bird_t)
+
+ logging_send_syslog_msg(bird_t)
+
diff --git a/bitlbee.if b/bitlbee.if
index e73fb79..2badfc0 100644
--- a/bitlbee.if
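Review bot: The `# /etc/iproute2/rt_realms` comment in the new bird.te hunk now sits above nothing — the line it explained, `files_read_etc_files(bird_t)`, is removed directly beneath it — so the next reader will wonder which rule it refers to. Either remove the comment together with the rule or turn it into a pointer, e.g. `# /etc/iproute2/rt_realms is etc_t; read access is granted to all domains, no local rule needed`, assuming that is indeed why the rule was dropped. The enclosing bird.te is only partially visible here.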
@@ -7443,7 +7443,7 @@ index e73fb79..2badfc0 100644
domain_system_change_exemption($1)
role_transition $2 bitlbee_initrc_exec_t system_r;
diff --git a/bitlbee.te b/bitlbee.te
-index ac8c91e..5ca06bb 100644
+index ac8c91e..a63f4c2 100644
--- a/bitlbee.te
+++ b/bitlbee.te
@@ -35,9 +35,12 @@ files_pid_file(bitlbee_var_run_t)
@@ -7461,16 +7461,7 @@ index ac8c91e..5ca06bb 100644
allow bitlbee_t bitlbee_conf_t:dir list_dir_perms;
allow bitlbee_t bitlbee_conf_t:file read_file_perms;
-@@ -54,13 +57,17 @@ files_tmp_filetrans(bitlbee_t, bitlbee_tmp_t, { dir file })
- manage_files_pattern(bitlbee_t, bitlbee_var_t, bitlbee_var_t)
- files_var_lib_filetrans(bitlbee_t, bitlbee_var_t, file)
-
-+# log files
-+manage_dirs_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
-+manage_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
-+
- manage_dirs_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
- manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
+@@ -59,8 +62,8 @@ manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })
@@ -7480,19 +7471,7 @@ index ac8c91e..5ca06bb 100644
corenet_all_recvfrom_unlabeled(bitlbee_t)
corenet_all_recvfrom_netlabel(bitlbee_t)
-@@ -95,6 +102,11 @@ corenet_tcp_sendrecv_http_port(bitlbee_t)
- corenet_sendrecv_http_cache_client_packets(bitlbee_t)
- corenet_tcp_connect_http_cache_port(bitlbee_t)
- corenet_tcp_sendrecv_http_cache_port(bitlbee_t)
-+corenet_tcp_bind_ircd_port(bitlbee_t)
-+corenet_tcp_sendrecv_ircd_port(bitlbee_t)
-+corenet_sendrecv_ircd_server_packets(bitlbee_t)
-+corenet_tcp_bind_interwise_port(bitlbee_t)
-+corenet_tcp_sendrecv_interwise_port(bitlbee_t)
-
- corenet_sendrecv_ircd_server_packets(bitlbee_t)
- corenet_tcp_bind_ircd_port(bitlbee_t)
-@@ -109,16 +121,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t)
+@@ -109,16 +112,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t)
dev_read_rand(bitlbee_t)
dev_read_urand(bitlbee_t)
@@ -7519,7 +7498,7 @@ index c295d2e..4f84e9c 100644
/var/lib/blueman(/.*)? gen_context(system_u:object_r:blueman_var_lib_t,s0)
diff --git a/blueman.te b/blueman.te
-index bc5c984..b0c90e9 100644
+index bc5c984..0beaf43 100644
--- a/blueman.te
+++ b/blueman.te
@@ -7,7 +7,7 @@ policy_module(blueman, 1.0.4)
@@ -7541,23 +7520,23 @@ index bc5c984..b0c90e9 100644
allow blueman_t self:fifo_file rw_fifo_file_perms;
manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
-@@ -46,12 +47,14 @@ domain_use_interactive_fds(blueman_t)
+@@ -45,25 +46,35 @@ dev_rw_wireless(blueman_t)
+ domain_use_interactive_fds(blueman_t)
files_list_tmp(blueman_t)
- files_read_usr_files(blueman_t)
-+files_list_tmp(blueman_t)
+-files_read_usr_files(blueman_t)
auth_use_nsswitch(blueman_t)
logging_send_syslog_msg(blueman_t)
-miscfiles_read_localization(blueman_t)
-+sysnet_domtrans_ifconfig(blueman_t)
-+sysnet_dns_name_resolve(blueman_t)
-
+-
sysnet_domtrans_ifconfig(blueman_t)
++sysnet_dns_name_resolve(blueman_t)
-@@ -60,10 +63,22 @@ optional_policy(`
+ optional_policy(`
+ avahi_domtrans(blueman_t)
')
optional_policy(`
@@ -7710,7 +7689,7 @@ index c723a0a..3e8a553 100644
+ allow $1 bluetooth_unit_file_t:service all_service_perms;
')
diff --git a/bluetooth.te b/bluetooth.te
-index 6f09d24..0b43ce7 100644
+index 6f09d24..88b8feb 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -49,6 +49,9 @@ files_type(bluetooth_var_lib_t)
@@ -7766,17 +7745,22 @@ index 6f09d24..0b43ce7 100644
miscfiles_read_fonts(bluetooth_t)
miscfiles_read_hwdata(bluetooth_t)
-@@ -131,6 +142,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t)
- userdom_dontaudit_search_user_home_dirs(bluetooth_t)
+@@ -132,6 +143,7 @@ userdom_dontaudit_search_user_home_dirs(bluetooth_t)
optional_policy(`
-+ devicekit_dbus_chat_power(bluetooth_t)
-+')
-+
-+optional_policy(`
dbus_system_bus_client(bluetooth_t)
++ dbus_connect_system_bus(bluetooth_t)
optional_policy(`
+ cups_dbus_chat(bluetooth_t)
+@@ -199,7 +211,6 @@ dev_read_urand(bluetooth_helper_t)
+ domain_read_all_domains_state(bluetooth_helper_t)
+
+ files_read_etc_runtime_files(bluetooth_helper_t)
+-files_read_usr_files(bluetooth_helper_t)
+ files_dontaudit_list_default(bluetooth_helper_t)
+
+ term_dontaudit_use_all_ttys(bluetooth_helper_t)
diff --git a/boinc.fc b/boinc.fc
index 6d3ccad..bda740a 100644
--- a/boinc.fc
@@ -8020,7 +8004,7 @@ index 02fefaa..fbcef10 100644
+ ')
')
diff --git a/boinc.te b/boinc.te
-index 7c92aa1..3dbacf3 100644
+index 7c92aa1..69f0a40 100644
--- a/boinc.te
+++ b/boinc.te
@@ -1,11 +1,13 @@
@@ -8039,7 +8023,7 @@ index 7c92aa1..3dbacf3 100644
type boinc_exec_t;
init_daemon_domain(boinc_t, boinc_exec_t)
-@@ -21,31 +23,66 @@ files_tmpfs_file(boinc_tmpfs_t)
+@@ -21,31 +23,64 @@ files_tmpfs_file(boinc_tmpfs_t)
type boinc_var_lib_t;
files_type(boinc_var_lib_t)
@@ -8085,9 +8069,7 @@ index 7c92aa1..3dbacf3 100644
+
+domain_read_all_domains_state(boinc_domain)
+
-+files_read_etc_files(boinc_domain)
+files_read_etc_runtime_files(boinc_domain)
-+files_read_usr_files(boinc_domain)
+
+fs_getattr_all_fs(boinc_domain)
+
@@ -8115,7 +8097,7 @@ index 7c92aa1..3dbacf3 100644
manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
-@@ -54,74 +91,45 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
+@@ -54,74 +89,45 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
@@ -8209,7 +8191,7 @@ index 7c92aa1..3dbacf3 100644
term_getattr_all_ptys(boinc_t)
term_getattr_unallocated_ttys(boinc_t)
-@@ -130,55 +138,61 @@ init_read_utmp(boinc_t)
+@@ -130,55 +136,61 @@ init_read_utmp(boinc_t)
logging_send_syslog_msg(boinc_t)
@@ -8292,10 +8274,14 @@ index 7c92aa1..3dbacf3 100644
+ unconfined_domain(boinc_project_t)
+')
diff --git a/brctl.te b/brctl.te
-index bcd1e87..a2559fe 100644
+index bcd1e87..6294955 100644
--- a/brctl.te
+++ b/brctl.te
-@@ -38,8 +38,6 @@ files_read_etc_files(brctl_t)
+@@ -34,12 +34,9 @@ dev_write_sysfs_dirs(brctl_t)
+
+ domain_use_interactive_fds(brctl_t)
+
+-files_read_etc_files(brctl_t)
term_dontaudit_use_console(brctl_t)
@@ -8501,10 +8487,10 @@ index 8de2ab9..3b41945 100644
+ domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t)
')
diff --git a/cachefilesd.te b/cachefilesd.te
-index 581c8ef..3eda1b1 100644
+index 581c8ef..2c71b1d 100644
--- a/cachefilesd.te
+++ b/cachefilesd.te
-@@ -1,52 +1,144 @@
+@@ -1,52 +1,143 @@
-policy_module(cachefilesd, 1.0.1)
+###############################################################################
+#
@@ -8518,8 +8504,7 @@ index 581c8ef..3eda1b1 100644
+# 2 of the License, or (at your option) any later version.
+#
+###############################################################################
-
--########################################
++
+#
+# This security policy governs access by the CacheFiles kernel module and
+# userspace management daemon to the files and directories in the on-disk
@@ -8527,7 +8512,8 @@ index 581c8ef..3eda1b1 100644
+# filesystem such as NFS
+#
+policy_module(cachefilesd, 1.0.17)
-+
+
+-########################################
+###############################################################################
#
# Declarations
@@ -8570,7 +8556,7 @@ index 581c8ef..3eda1b1 100644
-# Local policy
+# The CacheFiles kernel module causes processes accessing the cache files to do
+# so acting as security ID cachefiles_kernel_t
-+#
+ #
+type cachefiles_kernel_t;
+domain_type(cachefiles_kernel_t)
+domain_obj_id_change_exemption(cachefiles_kernel_t)
@@ -8579,7 +8565,7 @@ index 581c8ef..3eda1b1 100644
+###############################################################################
+#
+# Permit RPM to deal with files in the cache
- #
++#
+optional_policy(`
+ rpm_use_script_fds(cachefilesd_t)
+')
@@ -8607,11 +8593,11 @@ index 581c8ef..3eda1b1 100644
-manage_dirs_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t)
-manage_files_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t)
+-
+-dev_rw_cachefiles(cachefilesd_t)
+# Allow access to cachefiles device file
+allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;
--dev_rw_cachefiles(cachefilesd_t)
--
-files_create_all_files_as(cachefilesd_t)
-files_read_etc_files(cachefilesd_t)
+# Allow access to cache superstructure
@@ -8622,7 +8608,6 @@ index 581c8ef..3eda1b1 100644
fs_getattr_xattr_fs(cachefilesd_t)
+# Basic access
-+files_read_etc_files(cachefilesd_t)
+logging_send_syslog_msg(cachefilesd_t)
+init_dontaudit_use_script_ptys(cachefilesd_t)
term_dontaudit_use_generic_ptys(cachefilesd_t)
@@ -8733,7 +8718,7 @@ index 400db07..f416e22 100644
domain_system_change_exemption($1)
role_transition $2 canna_initrc_exec_t system_r;
diff --git a/canna.te b/canna.te
-index 4ec0626..a209a9b 100644
+index 4ec0626..88e7e89 100644
--- a/canna.te
+++ b/canna.te
@@ -52,7 +52,6 @@ files_pid_filetrans(canna_t, canna_var_run_t, { dir sock_file })
@@ -8744,7 +8729,15 @@ index 4ec0626..a209a9b 100644
corenet_all_recvfrom_netlabel(canna_t)
corenet_tcp_sendrecv_generic_if(canna_t)
corenet_tcp_sendrecv_generic_node(canna_t)
-@@ -76,8 +75,6 @@ files_dontaudit_read_root_files(canna_t)
+@@ -68,16 +67,12 @@ fs_search_auto_mountpoints(canna_t)
+
+ domain_use_interactive_fds(canna_t)
+
+-files_read_etc_files(canna_t)
+ files_read_etc_runtime_files(canna_t)
+-files_read_usr_files(canna_t)
+ files_search_tmp(canna_t)
+ files_dontaudit_read_root_files(canna_t)
logging_send_syslog_msg(canna_t)
@@ -8773,7 +8766,7 @@ index 5ded72d..f6b854c 100644
domain_system_change_exemption($1)
role_transition $2 ccs_initrc_exec_t system_r;
diff --git a/ccs.te b/ccs.te
-index b85b53b..619a4c5 100644
+index b85b53b..a37eebd 100644
--- a/ccs.te
+++ b/ccs.te
@@ -37,7 +37,7 @@ files_pid_file(ccs_var_run_t)
@@ -8793,7 +8786,11 @@ index b85b53b..619a4c5 100644
corenet_all_recvfrom_netlabel(ccs_t)
corenet_tcp_sendrecv_generic_if(ccs_t)
corenet_udp_sendrecv_generic_if(ccs_t)
-@@ -99,11 +98,10 @@ files_read_etc_files(ccs_t)
+@@ -95,15 +94,13 @@ corenet_udp_bind_netsupport_port(ccs_t)
+
+ dev_read_urand(ccs_t)
+
+-files_read_etc_files(ccs_t)
files_read_etc_runtime_files(ccs_t)
init_rw_script_tmp_files(ccs_t)
@@ -8807,7 +8804,7 @@ index b85b53b..619a4c5 100644
userdom_manage_unpriv_user_shared_mem(ccs_t)
diff --git a/cdrecord.te b/cdrecord.te
-index 55fb26a..e380b26 100644
+index 55fb26a..a7555c0 100644
--- a/cdrecord.te
+++ b/cdrecord.te
@@ -41,8 +41,6 @@ dev_read_sysfs(cdrecord_t)
@@ -8819,16 +8816,19 @@ index 55fb26a..e380b26 100644
term_use_controlling_term(cdrecord_t)
term_list_ptys(cdrecord_t)
-@@ -52,8 +50,6 @@ storage_write_scsi_generic(cdrecord_t)
+@@ -52,10 +50,7 @@ storage_write_scsi_generic(cdrecord_t)
logging_send_syslog_msg(cdrecord_t)
-miscfiles_read_localization(cdrecord_t)
-
- userdom_use_user_terminals(cdrecord_t)
- userdom_read_user_home_content_files(cdrecord_t)
+-userdom_use_user_terminals(cdrecord_t)
+-userdom_read_user_home_content_files(cdrecord_t)
++userdom_use_inherited_user_terminals(cdrecord_t)
-@@ -104,11 +100,7 @@ tunable_policy(`cdrecord_read_content',`
+ tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',`
+ fs_list_auto_mountpoints(cdrecord_t)
+@@ -104,11 +99,7 @@ tunable_policy(`cdrecord_read_content',`
userdom_dontaudit_read_user_home_content_files(cdrecord_t)
')
@@ -8923,7 +8923,7 @@ index 008f8ef..144c074 100644
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/certmonger.te b/certmonger.te
-index 2354e21..1bb3f10 100644
+index 2354e21..dd34a80 100644
--- a/certmonger.te
+++ b/certmonger.te
@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
@@ -9034,24 +9034,26 @@ index 2354e21..1bb3f10 100644
+
+ domtrans_pattern(certmonger_t, certmonger_unconfined_exec_t, certmonger_unconfined_t)
+
-+ unconfined_domain(certmonger_unconfined_t)
-+
+ allow certmonger_t certmonger_unconfined_exec_t:dir search_dir_perms;
+ allow certmonger_t certmonger_unconfined_exec_t:dir read_file_perms;
+ allow certmonger_t certmonger_unconfined_exec_t:file ioctl;
+
+ init_domtrans_script(certmonger_unconfined_t)
+
-+ unconfined_domain(certmonger_unconfined_t)
++ optional_policy(`
++ unconfined_domain(certmonger_unconfined_t)
++ ')
+')
diff --git a/certwatch.te b/certwatch.te
-index 403af41..fd3cbaf 100644
+index 403af41..7c0b1be 100644
--- a/certwatch.te
+++ b/certwatch.te
-@@ -21,25 +21,24 @@ role certwatch_roles types certwatch_t;
+@@ -21,25 +21,26 @@ role certwatch_roles types certwatch_t;
allow certwatch_t self:capability sys_nice;
allow certwatch_t self:process { setsched getsched };
++kernel_read_system_state(certwatch_t)
++
+dev_read_rand(certwatch_t)
dev_read_urand(certwatch_t)
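Review bot: `allow certmonger_t certmonger_unconfined_exec_t:dir read_file_perms;` (unchanged context in this hunk) pairs a file permission set with the dir class; it compiles because the permission names overlap, but it reads like a typo for the file class, and the separate `allow certmonger_t certmonger_unconfined_exec_t:file ioctl;` line beneath it looks like a workaround for that, since read_file_perms already includes ioctl. If the intent is to let certmonger read the helper scripts before transitioning, `allow certmonger_t certmonger_unconfined_exec_t:file read_file_perms;` is what is wanted and the ioctl line can go. Moving `unconfined_domain(certmonger_unconfined_t)` into its own optional_policy is the right shape for builds without the unconfined module.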
@@ -9236,7 +9238,7 @@ index 85ca63f..1d1c99c 100644
admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
files_list_etc($1)
diff --git a/cgroup.te b/cgroup.te
-index fdee107..18cf736 100644
+index fdee107..68d9b5f 100644
--- a/cgroup.te
+++ b/cgroup.te
@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
@@ -9289,15 +9291,7 @@ index fdee107..18cf736 100644
allow cgred_t self:netlink_socket { write bind create read };
allow cgred_t self:unix_dgram_socket { write create connect };
-@@ -92,6 +95,7 @@ files_pid_filetrans(cgred_t, cgred_var_run_t, { file sock_file })
-
- kernel_read_all_sysctls(cgred_t)
- kernel_read_system_state(cgred_t)
-+kernel_read_all_sysctls(cgred_t)
-
- domain_read_all_domains_state(cgred_t)
- domain_setpriority_all_domains(cgred_t)
-@@ -99,10 +103,9 @@ domain_setpriority_all_domains(cgred_t)
+@@ -99,10 +102,9 @@ domain_setpriority_all_domains(cgred_t)
files_getattr_all_files(cgred_t)
files_getattr_all_sockets(cgred_t)
files_read_all_symlinks(cgred_t)
@@ -9464,10 +9458,10 @@ index 0000000..efebae7
+')
diff --git a/chrome.te b/chrome.te
new file mode 100644
-index 0000000..0ce7275
+index 0000000..8f6ba6b
--- /dev/null
+++ b/chrome.te
-@@ -0,0 +1,197 @@
+@@ -0,0 +1,194 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -9550,8 +9544,6 @@ index 0000000..0ce7275
+dev_rwx_zero(chrome_sandbox_t)
+dev_dontaudit_getattr_all_chr_files(chrome_sandbox_t)
+
-+files_read_etc_files(chrome_sandbox_t)
-+files_read_usr_files(chrome_sandbox_t)
+
+fs_dontaudit_getattr_all_fs(chrome_sandbox_t)
+
@@ -9651,7 +9643,6 @@ index 0000000..0ce7275
+dev_read_urand(chrome_sandbox_nacl_t)
+dev_read_sysfs(chrome_sandbox_nacl_t)
+
-+files_read_etc_files(chrome_sandbox_nacl_t)
+
+init_read_state(chrome_sandbox_nacl_t)
+
@@ -9848,7 +9839,7 @@ index 32e8265..0de4af3 100644
+ allow $1 chronyd_unit_file_t:service all_service_perms;
')
diff --git a/chronyd.te b/chronyd.te
-index 914ee2d..dac9e4c 100644
+index 914ee2d..bd3362e 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
@@ -9870,7 +9861,7 @@ index 914ee2d..dac9e4c 100644
allow chronyd_t self:fifo_file rw_fifo_file_perms;
allow chronyd_t chronyd_keys_t:file read_file_perms;
-@@ -82,7 +87,7 @@ auth_use_nsswitch(chronyd_t)
+@@ -82,12 +87,8 @@ auth_use_nsswitch(chronyd_t)
logging_send_syslog_msg(chronyd_t)
@@ -9879,8 +9870,13 @@ index 914ee2d..dac9e4c 100644
optional_policy(`
gpsd_rw_shm(chronyd_t)
+ ')
+-
+-optional_policy(`
+- mta_send_mail(chronyd_t)
+-')
diff --git a/cipe.te b/cipe.te
-index 28c8475..a53162d 100644
+index 28c8475..9b86dd1 100644
--- a/cipe.te
+++ b/cipe.te
@@ -29,7 +29,6 @@ kernel_read_system_state(ciped_t)
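Review bot: Removing the `mta_send_mail(chronyd_t)` block takes away the only path by which chronyd could run sendmail, so if chrony's mailonchange directive is still supported the notification is now denied and, with no dontaudit, shows up as an AVC instead of a mail. If least privilege by default is the goal, the usual shape is to keep the rule inside a tunable_policy block behind a chronyd-specific boolean rather than dropping it outright. Otherwise a one-line comment in chronyd.te saying the mail path is intentionally unsupported would stop the next person from adding it back after a bug report.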
@@ -9891,7 +9887,15 @@ index 28c8475..a53162d 100644
corenet_all_recvfrom_netlabel(ciped_t)
corenet_udp_sendrecv_generic_if(ciped_t)
corenet_udp_sendrecv_generic_node(ciped_t)
-@@ -53,8 +52,6 @@ fs_search_auto_mountpoints(ciped_t)
+@@ -45,7 +44,6 @@ dev_read_urand(ciped_t)
+
+ domain_use_interactive_fds(ciped_t)
+
+-files_read_etc_files(ciped_t)
+ files_read_etc_runtime_files(ciped_t)
+ files_dontaudit_search_var(ciped_t)
+
+@@ -53,8 +51,6 @@ fs_search_auto_mountpoints(ciped_t)
logging_send_syslog_msg(ciped_t)
@@ -10163,7 +10167,7 @@ index 4cc4a5c..99c5cca 100644
+
')
diff --git a/clamav.te b/clamav.te
-index 8e1fef9..725029f 100644
+index 8e1fef9..c8c9a5a 100644
--- a/clamav.te
+++ b/clamav.te
@@ -38,6 +38,9 @@ files_config_file(clamd_etc_t)
@@ -10260,36 +10264,26 @@ index 8e1fef9..725029f 100644
tunable_policy(`clamd_use_jit',`
allow freshclam_t self:process execmem;
-@@ -244,6 +264,14 @@ optional_policy(`
- cron_system_entry(freshclam_t, freshclam_exec_t)
+@@ -241,6 +261,10 @@ optional_policy(`
')
-+optional_policy(`
+ optional_policy(`
+ clamd_systemctl(freshclam_t)
+')
+
+optional_policy(`
-+ cron_system_entry(freshclam_t, freshclam_exec_t)
-+')
-+
- ########################################
- #
- # Clamscam local policy
-@@ -275,7 +303,12 @@ kernel_dontaudit_list_proc(clamscan_t)
+ cron_system_entry(freshclam_t, freshclam_exec_t)
+ ')
+
+@@ -275,7 +299,6 @@ kernel_dontaudit_list_proc(clamscan_t)
kernel_read_kernel_sysctls(clamscan_t)
kernel_read_system_state(clamscan_t)
-corenet_all_recvfrom_unlabeled(clamscan_t)
-+read_files_pattern(clamscan_t, clamd_var_run_t, clamd_var_run_t)
-+allow clamscan_t clamd_var_run_t:dir list_dir_perms;
-+
-+kernel_dontaudit_list_proc(clamscan_t)
-+kernel_read_system_state(clamscan_t)
-+
corenet_all_recvfrom_netlabel(clamscan_t)
corenet_tcp_sendrecv_generic_if(clamscan_t)
corenet_tcp_sendrecv_generic_node(clamscan_t)
-@@ -286,14 +319,12 @@ corenet_tcp_sendrecv_clamd_port(clamscan_t)
+@@ -286,14 +309,12 @@ corenet_tcp_sendrecv_clamd_port(clamscan_t)
corecmd_read_all_executables(clamscan_t)
@@ -10304,7 +10298,7 @@ index 8e1fef9..725029f 100644
miscfiles_read_public_files(clamscan_t)
sysnet_dns_name_resolve(clamscan_t)
-@@ -310,10 +341,6 @@ tunable_policy(`clamav_read_all_non_security_files_clamscan',`
+@@ -310,10 +331,6 @@ tunable_policy(`clamav_read_all_non_security_files_clamscan',`
')
optional_policy(`
@@ -10316,7 +10310,7 @@ index 8e1fef9..725029f 100644
')
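Review bot: `clamd_systemctl(freshclam_t)` lets the signature updater — a process that talks to remote mirrors and unpacks downloaded archives — drive the clamd unit, which typically means start/stop as well as the reload it needs after a database update. If freshclam only has to notify clamd, the clamd socket path already covered by this policy is the narrower option and needs no systemctl access; if a unit restart really is required, a comment on the new optional_policy block saying why would help, e.g. `# freshclam restarts the clamd unit after a database update`. Hedged, since I cannot see the clamd_systemctl interface body from here.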
diff --git a/clockspeed.te b/clockspeed.te
-index b59c592..c21a405 100644
+index b59c592..4b8cddc 100644
--- a/clockspeed.te
+++ b/clockspeed.te
@@ -29,7 +29,6 @@ allow clockspeed_cli_t self:udp_socket create_socket_perms;
@@ -10327,9 +10321,11 @@ index b59c592..c21a405 100644
corenet_all_recvfrom_netlabel(clockspeed_cli_t)
corenet_udp_sendrecv_generic_if(clockspeed_cli_t)
corenet_udp_sendrecv_generic_node(clockspeed_cli_t)
-@@ -40,9 +39,8 @@ corenet_udp_sendrecv_ntp_port(clockspeed_cli_t)
+@@ -38,11 +37,9 @@ corenet_sendrecv_ntp_client_packets(clockspeed_cli_t)
+ corenet_udp_sendrecv_ntp_port(clockspeed_cli_t)
+
files_list_var_lib(clockspeed_cli_t)
- files_read_etc_files(clockspeed_cli_t)
+-files_read_etc_files(clockspeed_cli_t)
-miscfiles_read_localization(clockspeed_cli_t)
@@ -10338,7 +10334,7 @@ index b59c592..c21a405 100644
########################################
#
-@@ -57,7 +55,6 @@ allow clockspeed_srv_t self:unix_stream_socket create_socket_perms;
+@@ -57,7 +54,6 @@ allow clockspeed_srv_t self:unix_stream_socket create_socket_perms;
manage_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
manage_fifo_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
@@ -10346,9 +10342,11 @@ index b59c592..c21a405 100644
corenet_all_recvfrom_netlabel(clockspeed_srv_t)
corenet_udp_sendrecv_generic_if(clockspeed_srv_t)
corenet_udp_sendrecv_generic_node(clockspeed_srv_t)
-@@ -70,7 +67,6 @@ corenet_udp_sendrecv_clockspeed_port(clockspeed_srv_t)
+@@ -68,9 +64,7 @@ corenet_udp_bind_clockspeed_port(clockspeed_srv_t)
+ corenet_udp_sendrecv_clockspeed_port(clockspeed_srv_t)
+
files_list_var_lib(clockspeed_srv_t)
- files_read_etc_files(clockspeed_srv_t)
+-files_read_etc_files(clockspeed_srv_t)
-miscfiles_read_localization(clockspeed_srv_t)
@@ -10731,10 +10729,20 @@ index c223f81..1f3d0b7 100644
##
## Read cobbler configuration files.
diff --git a/cobbler.te b/cobbler.te
-index 2a71346..30c75af 100644
+index 2a71346..7b64dc9 100644
--- a/cobbler.te
+++ b/cobbler.te
-@@ -193,12 +193,11 @@ optional_policy(`
+@@ -117,9 +117,7 @@ dev_read_urand(cobblerd_t)
+ files_list_boot(cobblerd_t)
+ files_list_tmp(cobblerd_t)
+ files_read_boot_files(cobblerd_t)
+-files_read_etc_files(cobblerd_t)
+ files_read_etc_runtime_files(cobblerd_t)
+-files_read_usr_files(cobblerd_t)
+
+ fs_getattr_all_fs(cobblerd_t)
+ fs_read_iso9660_files(cobblerd_t)
+@@ -193,12 +191,11 @@ optional_policy(`
optional_policy(`
rsync_read_config(cobblerd_t)
@@ -11034,7 +11042,7 @@ index 8e27a37..fa2c3cb 100644
+ ps_process_pattern($1, colord_t)
+')
diff --git a/colord.te b/colord.te
-index 09f18e2..5c8bb84 100644
+index 09f18e2..28dd440 100644
--- a/colord.te
+++ b/colord.te
@@ -8,6 +8,7 @@ policy_module(colord, 1.0.2)
@@ -11070,7 +11078,7 @@ index 09f18e2..5c8bb84 100644
manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
-@@ -74,9 +81,8 @@ dev_read_video_dev(colord_t)
+@@ -74,18 +81,15 @@ dev_read_video_dev(colord_t)
dev_write_video_dev(colord_t)
dev_rw_printer(colord_t)
dev_read_rand(colord_t)
@@ -11081,18 +11089,16 @@ index 09f18e2..5c8bb84 100644
dev_rw_generic_usb_dev(colord_t)
domain_use_interactive_fds(colord_t)
-@@ -84,8 +90,9 @@ domain_use_interactive_fds(colord_t)
+
files_list_mnt(colord_t)
- files_read_usr_files(colord_t)
+-files_read_usr_files(colord_t)
-+fs_search_all(colord_t)
fs_getattr_noxattr_fs(colord_t)
-fs_getattr_tmpfs(colord_t)
-+fs_dontaudit_getattr_all_fs(colord_t)
fs_list_noxattr_fs(colord_t)
fs_read_noxattr_fs_files(colord_t)
fs_search_all(colord_t)
-@@ -100,7 +107,11 @@ auth_use_nsswitch(colord_t)
+@@ -100,7 +104,11 @@ auth_use_nsswitch(colord_t)
logging_send_syslog_msg(colord_t)
@@ -11105,7 +11111,7 @@ index 09f18e2..5c8bb84 100644
tunable_policy(`use_nfs_home_dirs',`
fs_getattr_nfs(colord_t)
-@@ -120,6 +131,12 @@ optional_policy(`
+@@ -120,6 +128,12 @@ optional_policy(`
')
optional_policy(`
@@ -11118,7 +11124,7 @@ index 09f18e2..5c8bb84 100644
policykit_dbus_chat(colord_t)
policykit_domtrans_auth(colord_t)
policykit_read_lib(colord_t)
-@@ -133,3 +150,13 @@ optional_policy(`
+@@ -133,3 +147,13 @@ optional_policy(`
optional_policy(`
udev_read_db(colord_t)
')
@@ -11720,15 +11726,24 @@ index 3f2b672..a7aaf98 100644
+ unconfined_domain(condor_startd_t)
+')
diff --git a/consolekit.fc b/consolekit.fc
-index 23c9558..29e5fd3 100644
+index 23c9558..ee585a7 100644
--- a/consolekit.fc
+++ b/consolekit.fc
-@@ -1,3 +1,5 @@
-+/usr/lib/systemd/system/console-kit.* -- gen_context(system_u:object_r:consolekit_unit_file_t,s0)
-+
- /usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
+@@ -1,7 +1,9 @@
+-/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
++#/usr/lib/systemd/system/console-kit.* -- gen_context(system_u:object_r:consolekit_unit_file_t,s0)
+
+-/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
++#/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
- /var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
+-/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0)
+-/var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
+-/var/run/console-kit-daemon\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
++#/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
++
++#/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0)
++#/var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
++#/var/run/console-kit-daemon\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
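Review bot: Every path in consolekit.fc is now commented out rather than deleted, which leaves a consolekit_t domain with no entry point: if console-kit-daemon is still installed on a box and the module is still built, the daemon runs in whatever domain starts it instead of a confined one. If the daemon is gone from the distribution that is harmless, but then the module should be dropped from the build rather than shipped empty; if it can still be present, keep at least the `/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)` line. Either way, delete the dead lines instead of commenting them — commented-out contexts in an .fc file are easy to mistake for active ones and are silently ignored by restorecon.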
diff --git a/consolekit.if b/consolekit.if
index 5b830ec..0647a3b 100644
--- a/consolekit.if
@@ -11852,7 +11867,7 @@ index 5b830ec..0647a3b 100644
+ ps_process_pattern($1, consolekit_t)
+')
diff --git a/consolekit.te b/consolekit.te
-index 5f0c793..7d6c470 100644
+index 5f0c793..f473adf 100644
--- a/consolekit.te
+++ b/consolekit.te
@@ -19,12 +19,16 @@ type consolekit_var_run_t;
@@ -11872,15 +11887,25 @@ index 5f0c793..7d6c470 100644
allow consolekit_t self:process { getsched signal };
allow consolekit_t self:fifo_file rw_fifo_file_perms;
allow consolekit_t self:unix_stream_socket { accept listen };
-@@ -54,7 +58,6 @@ dev_read_sysfs(consolekit_t)
+@@ -54,17 +58,13 @@ dev_read_sysfs(consolekit_t)
domain_read_all_domains_state(consolekit_t)
domain_use_interactive_fds(consolekit_t)
-domain_dontaudit_ptrace_all_domains(consolekit_t)
- files_read_usr_files(consolekit_t)
+-files_read_usr_files(consolekit_t)
# needs to read /var/lib/dbus/machine-id
-@@ -74,17 +77,17 @@ auth_write_login_records(consolekit_t)
+ files_read_var_lib_files(consolekit_t)
+ files_search_all_mountpoints(consolekit_t)
+
+ fs_list_inotifyfs(consolekit_t)
+
+-mcs_ptrace_all(consolekit_t)
+-
+ term_use_all_terms(consolekit_t)
+
+ auth_use_nsswitch(consolekit_t)
+@@ -74,17 +74,17 @@ auth_write_login_records(consolekit_t)
logging_send_syslog_msg(consolekit_t)
logging_send_audit_msgs(consolekit_t)
@@ -11904,15 +11929,20 @@ index 5f0c793..7d6c470 100644
')
ifdef(`distro_debian',`
-@@ -113,7 +116,7 @@ optional_policy(`
+@@ -112,13 +112,6 @@ optional_policy(`
+ ')
')
- optional_policy(`
+-optional_policy(`
- hal_ptrace(consolekit_t)
-+ networkmanager_append_log(consolekit_t)
- ')
+-')
+-
+-optional_policy(`
+- networkmanager_append_log_files(consolekit_t)
+-')
optional_policy(`
+ policykit_domtrans_auth(consolekit_t)
diff --git a/corosync.fc b/corosync.fc
index da39f0f..6a96733 100644
--- a/corosync.fc
@@ -12020,7 +12050,7 @@ index 694a037..283cf03 100644
+ allow $1 corosync_unit_file_t:service all_service_perms;
')
diff --git a/corosync.te b/corosync.te
-index eeea48d..dc3795e 100644
+index eeea48d..691ca11 100644
--- a/corosync.te
+++ b/corosync.te
@@ -28,6 +28,9 @@ logging_log_file(corosync_var_log_t)
@@ -12033,33 +12063,15 @@ index eeea48d..dc3795e 100644
########################################
#
# Local policy
-@@ -43,6 +46,8 @@ allow corosync_t self:shm create_shm_perms;
- allow corosync_t self:unix_dgram_socket sendto;
- allow corosync_t self:unix_stream_socket { accept connectto listen };
-
-+can_exec(corosync_t, corosync_exec_t)
-+
- manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
- manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
- relabel_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
-@@ -73,6 +78,8 @@ can_exec(corosync_t, corosync_exec_t)
- kernel_read_all_sysctls(corosync_t)
- kernel_read_network_state(corosync_t)
- kernel_read_system_state(corosync_t)
-+kernel_read_network_state(corosync_t)
-+kernel_read_all_sysctls(corosync_t)
-
- corecmd_exec_bin(corosync_t)
- corecmd_exec_shell(corosync_t)
-@@ -89,6 +96,7 @@ corenet_udp_sendrecv_netsupport_port(corosync_t)
-
- dev_read_sysfs(corosync_t)
- dev_read_urand(corosync_t)
-+dev_read_sysfs(corosync_t)
-
+@@ -93,7 +96,6 @@ dev_read_urand(corosync_t)
domain_read_all_domains_state(corosync_t)
-@@ -106,7 +114,13 @@ logging_send_syslog_msg(corosync_t)
+ files_manage_mounttab(corosync_t)
+-files_read_usr_files(corosync_t)
+
+ auth_use_nsswitch(corosync_t)
+
+@@ -106,7 +108,13 @@ logging_send_syslog_msg(corosync_t)
miscfiles_read_localization(corosync_t)
userdom_read_user_tmp_files(corosync_t)
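Review bot: `files_read_usr_files(corosync_t)` is dropped here, and the same removal (together with `files_read_etc_files` in several places) is repeated in this patch for crond, system_cronjob_t, cronjob_t, crontab_domain, cupsd_config_t, cups_pdf_t, cyphesis_t, cyrus_t, svc_run_t, svc_start_t, dante_t, system_dbusd_t, session_bus_type, ddclient_t, ddcprobe_t and devicekit_disk_t; that is only safe if the base policy now grants /etc and /usr reads to every domain through an attribute, which nothing in this patch file shows. If that is the case, a one-line note in the contrib patch header or commit message would save the next reader from hunting for the grant; if not, each of these daemons loses read access to /usr (shared data such as time zone or locale files, for example) and will start producing AVC denials. The duplicate rules removed in the same hunk (`can_exec`, `kernel_read_network_state`, `kernel_read_all_sysctls`, `dev_read_sysfs`) were redundant with the lines kept as context, so that part is a clean fix.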
@@ -12074,15 +12086,7 @@ index eeea48d..dc3795e 100644
optional_policy(`
ccs_read_config(corosync_t)
-@@ -133,16 +147,44 @@ optional_policy(`
- ')
-
- optional_policy(`
-- rhcs_getattr_fenced_exec_files(corosync_t)
-+ rhcs_getattr_fenced(corosync_t)
- rhcs_rw_cluster_shm(corosync_t)
- rhcs_rw_cluster_semaphores(corosync_t)
- rhcs_stream_connect_cluster(corosync_t)
+@@ -129,20 +137,29 @@ optional_policy(`
')
optional_policy(`
@@ -12091,35 +12095,30 @@ index eeea48d..dc3795e 100644
+')
+
+optional_policy(`
-+ qpidd_rw_shm(corosync_t)
-+')
-+
-+optional_policy(`
+ qpidd_rw_shm(corosync_t)
+ ')
+
+ optional_policy(`
+- rhcs_getattr_fenced_exec_files(corosync_t)
+ rhcs_getattr_fenced(corosync_t)
+ # to communication with RHCS
-+ rhcs_rw_cluster_shm(corosync_t)
-+ rhcs_rw_cluster_semaphores(corosync_t)
-+ rhcs_stream_connect_cluster(corosync_t)
+ rhcs_rw_cluster_shm(corosync_t)
+ rhcs_rw_cluster_semaphores(corosync_t)
+ rhcs_stream_connect_cluster(corosync_t)
+ rhcs_read_cluster_lib_files(corosync_t)
+ rhcs_manage_cluster_lib_files(corosync_t)
+ rhcs_relabel_cluster_lib_files(corosync_t)
-+')
-+
-+optional_policy(`
-+ # should be removed in F19
-+ # workaround because we switch hearbeat from corosync to rgmanager
-+ rgmanager_manage_files(corosync_t)
-+
- rgmanager_manage_tmpfs_files(corosync_t)
')
optional_policy(`
- rpc_search_nfs_state_data(corosync_t)
+- rgmanager_manage_tmpfs_files(corosync_t)
++ rpc_search_nfs_state_data(corosync_t)
+ ')
+
+ optional_policy(`
+- rpc_search_nfs_state_data(corosync_t)
-')
\ No newline at end of file
-+')
-+
-+optional_policy(`
+ wdmd_rw_tmpfs(corosync_t)
+')
diff --git a/couchdb.fc b/couchdb.fc
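Review bot: The comment kept on the new side, `# to communication with RHCS`, is ungrammatical and does not say which rules it covers; suggest `# needed to communicate with RHCS: shared memory, semaphores, stream socket and cluster lib files`, placed above the `rhcs_rw_cluster_shm` line. Dropping the `rgmanager_manage_files(corosync_t)` workaround that was marked "should be removed in F19" is the right call, since it granted corosync full management of another service's files. The remaining `rhcs_manage_cluster_lib_files` plus `rhcs_relabel_cluster_lib_files` pair is still a broad grant and would benefit from a why-comment of its own.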
@@ -12597,10 +12596,10 @@ index 2f1aad6..155a337 100644
-miscfiles_read_localization(cpuspeed_t)
+logging_send_syslog_msg(cpuspeed_t)
diff --git a/cpufreqselector.te b/cpufreqselector.te
-index a3bbc21..5bf715c 100644
+index a3bbc21..7fd7d8f 100644
--- a/cpufreqselector.te
+++ b/cpufreqselector.te
-@@ -14,24 +14,21 @@ init_daemon_domain(cpufreqselector_t, cpufreqselector_exec_t)
+@@ -14,21 +14,17 @@ init_daemon_domain(cpufreqselector_t, cpufreqselector_exec_t)
# Local policy
#
@@ -12625,11 +12624,7 @@ index a3bbc21..5bf715c 100644
optional_policy(`
dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
-+ init_daemon_domain(cpufreqselector_t, cpufreqselector_exec_t)
-
- optional_policy(`
- consolekit_dbus_chat(cpufreqselector_t)
-@@ -51,3 +48,7 @@ optional_policy(`
+@@ -51,3 +47,7 @@ optional_policy(`
policykit_read_lib(cpufreqselector_t)
policykit_read_reload(cpufreqselector_t)
')
@@ -13683,7 +13678,7 @@ index 1303b30..058864e 100644
+ logging_log_filetrans($1, cron_log_t, $2, $3)
')
diff --git a/cron.te b/cron.te
-index 28e1b86..88a7b95 100644
+index 28e1b86..cb96ffb 100644
--- a/cron.te
+++ b/cron.te
@@ -1,4 +1,4 @@
@@ -13924,7 +13919,7 @@ index 28e1b86..88a7b95 100644
logging_log_filetrans(crond_t, cron_log_t, file)
manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
-@@ -237,71 +180,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
+@@ -237,72 +180,67 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
@@ -13988,7 +13983,7 @@ index 28e1b86..88a7b95 100644
-fs_rw_cgroup_files(crond_t)
-fs_search_auto_mountpoints(crond_t)
-
- files_read_usr_files(crond_t)
+-files_read_usr_files(crond_t)
files_read_etc_runtime_files(crond_t)
files_read_generic_spool(crond_t)
files_list_usr(crond_t)
@@ -14023,10 +14018,11 @@ index 28e1b86..88a7b95 100644
init_spec_domtrans_script(crond_t)
-auth_domtrans_chk_passwd(crond_t)
- auth_manage_var_auth(crond_t)
+-auth_manage_var_auth(crond_t)
auth_use_nsswitch(crond_t)
-@@ -311,41 +251,42 @@ logging_set_loginuid(crond_t)
+ logging_send_audit_msgs(crond_t)
+@@ -311,41 +249,42 @@ logging_set_loginuid(crond_t)
seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t)
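Review bot: Removing `auth_manage_var_auth(crond_t)` (on top of the `auth_domtrans_chk_passwd` removal above it) tightens crond, but as far as I know crond still runs a PAM stack for every job it launches, and if that stack pulls in pam_faillock or pam_tally2, which to my recollection keep their state in var_auth_t, job launches would now be denied. Worth confirming against /etc/pam.d/crond and the password-auth stack on the target release before dropping it, or keeping `auth_manage_var_auth(crond_t)` with a comment such as `# pam_faillock/pam_tally2 state written by the PAM session of each job`. The enclosing crond_t rule block starts and ends outside this hunk.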
@@ -14085,7 +14081,7 @@ index 28e1b86..88a7b95 100644
')
optional_policy(`
-@@ -353,102 +294,135 @@ optional_policy(`
+@@ -353,102 +292,135 @@ optional_policy(`
')
optional_policy(`
@@ -14250,7 +14246,7 @@ index 28e1b86..88a7b95 100644
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
allow system_cronjob_t cron_spool_t:file rw_file_perms;
-@@ -457,11 +431,11 @@ kernel_read_network_state(system_cronjob_t)
+@@ -457,11 +429,11 @@ kernel_read_network_state(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
kernel_read_software_raid_state(system_cronjob_t)
@@ -14263,7 +14259,7 @@ index 28e1b86..88a7b95 100644
corenet_all_recvfrom_netlabel(system_cronjob_t)
corenet_tcp_sendrecv_generic_if(system_cronjob_t)
corenet_udp_sendrecv_generic_if(system_cronjob_t)
-@@ -481,6 +455,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
+@@ -481,6 +453,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
fs_getattr_all_pipes(system_cronjob_t)
fs_getattr_all_sockets(system_cronjob_t)
@@ -14271,9 +14267,11 @@ index 28e1b86..88a7b95 100644
domain_dontaudit_read_all_domains_state(system_cronjob_t)
files_exec_etc_files(system_cronjob_t)
-@@ -493,13 +468,18 @@ files_getattr_all_pipes(system_cronjob_t)
+@@ -491,15 +464,19 @@ files_getattr_all_files(system_cronjob_t)
+ files_getattr_all_symlinks(system_cronjob_t)
+ files_getattr_all_pipes(system_cronjob_t)
files_getattr_all_sockets(system_cronjob_t)
- files_read_usr_files(system_cronjob_t)
+-files_read_usr_files(system_cronjob_t)
files_read_var_files(system_cronjob_t)
+# for nscd:
files_dontaudit_search_pids(system_cronjob_t)
@@ -14292,7 +14290,7 @@ index 28e1b86..88a7b95 100644
init_domtrans_script(system_cronjob_t)
auth_use_nsswitch(system_cronjob_t)
-@@ -511,20 +491,23 @@ logging_read_generic_logs(system_cronjob_t)
+@@ -511,20 +488,23 @@ logging_read_generic_logs(system_cronjob_t)
logging_send_audit_msgs(system_cronjob_t)
logging_send_syslog_msg(system_cronjob_t)
@@ -14319,7 +14317,7 @@ index 28e1b86..88a7b95 100644
selinux_validate_context(system_cronjob_t)
selinux_compute_access_vector(system_cronjob_t)
selinux_compute_create_context(system_cronjob_t)
-@@ -534,10 +517,17 @@ tunable_policy(`cron_can_relabel',`
+@@ -534,10 +514,17 @@ tunable_policy(`cron_can_relabel',`
')
optional_policy(`
@@ -14337,7 +14335,7 @@ index 28e1b86..88a7b95 100644
')
optional_policy(`
-@@ -546,10 +536,6 @@ optional_policy(`
+@@ -546,10 +533,6 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(system_cronjob_t)
@@ -14348,7 +14346,7 @@ index 28e1b86..88a7b95 100644
')
optional_policy(`
-@@ -581,6 +567,7 @@ optional_policy(`
+@@ -581,6 +564,7 @@ optional_policy(`
optional_policy(`
mta_read_config(system_cronjob_t)
mta_send_mail(system_cronjob_t)
@@ -14356,7 +14354,7 @@ index 28e1b86..88a7b95 100644
')
optional_policy(`
-@@ -588,15 +575,19 @@ optional_policy(`
+@@ -588,15 +572,19 @@ optional_policy(`
')
optional_policy(`
@@ -14378,7 +14376,7 @@ index 28e1b86..88a7b95 100644
')
optional_policy(`
-@@ -606,6 +597,7 @@ optional_policy(`
+@@ -606,6 +594,7 @@ optional_policy(`
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
@@ -14386,7 +14384,7 @@ index 28e1b86..88a7b95 100644
')
optional_policy(`
-@@ -613,12 +605,24 @@ optional_policy(`
+@@ -613,12 +602,24 @@ optional_policy(`
')
optional_policy(`
@@ -14412,7 +14410,7 @@ index 28e1b86..88a7b95 100644
#
allow cronjob_t self:process { signal_perms setsched };
-@@ -626,12 +630,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
+@@ -626,12 +627,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
allow cronjob_t self:unix_dgram_socket create_socket_perms;
@@ -14446,7 +14444,7 @@ index 28e1b86..88a7b95 100644
corenet_all_recvfrom_netlabel(cronjob_t)
corenet_tcp_sendrecv_generic_if(cronjob_t)
corenet_udp_sendrecv_generic_if(cronjob_t)
-@@ -639,84 +663,152 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
+@@ -639,84 +660,149 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
corenet_udp_sendrecv_generic_node(cronjob_t)
corenet_tcp_sendrecv_all_ports(cronjob_t)
corenet_udp_sendrecv_all_ports(cronjob_t)
@@ -14467,12 +14465,11 @@ index 28e1b86..88a7b95 100644
domain_dontaudit_read_all_domains_state(cronjob_t)
domain_dontaudit_getattr_all_domains(cronjob_t)
--files_exec_etc_files(cronjob_t)
+ files_exec_etc_files(cronjob_t)
-files_read_etc_runtime_files(cronjob_t)
-files_read_var_files(cronjob_t)
- files_read_usr_files(cronjob_t)
+-files_read_usr_files(cronjob_t)
-files_search_spool(cronjob_t)
-+files_exec_etc_files(cronjob_t)
+# for nscd:
files_dontaudit_search_pids(cronjob_t)
@@ -14593,8 +14590,6 @@ index 28e1b86..88a7b95 100644
+
+domain_use_interactive_fds(crontab_domain)
+
-+files_read_etc_files(crontab_domain)
-+files_read_usr_files(crontab_domain)
+files_dontaudit_search_pids(crontab_domain)
+
+fs_dontaudit_rw_anon_inodefs_files(crontab_domain)
@@ -15193,7 +15188,7 @@ index 06da9a0..1a6b35f 100644
+ corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf")
')
diff --git a/cups.te b/cups.te
-index 9f34c2e..2e06558 100644
+index 9f34c2e..c7a0a97 100644
--- a/cups.te
+++ b/cups.te
@@ -62,6 +62,9 @@ files_pid_file(cupsd_var_run_t)
@@ -15248,7 +15243,15 @@ index 9f34c2e..2e06558 100644
files_exec_usr_files(cupsd_t)
# for /var/lib/defoma
files_read_var_lib_files(cupsd_t)
-@@ -247,13 +253,11 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+@@ -215,7 +221,6 @@ files_read_world_readable_files(cupsd_t)
+ files_read_world_readable_symlinks(cupsd_t)
+ files_read_var_files(cupsd_t)
+ files_read_var_symlinks(cupsd_t)
+-files_write_generic_pid_pipes(cupsd_t)
+ files_dontaudit_getattr_all_tmp_files(cupsd_t)
+ files_dontaudit_list_home(cupsd_t)
+ # for /etc/printcap
+@@ -247,13 +252,11 @@ auth_dontaudit_read_pam_pid(cupsd_t)
auth_rw_faillog(cupsd_t)
auth_use_nsswitch(cupsd_t)
@@ -15262,7 +15265,7 @@ index 9f34c2e..2e06558 100644
miscfiles_read_fonts(cupsd_t)
miscfiles_setattr_fonts_cache_dirs(cupsd_t)
-@@ -275,6 +279,8 @@ optional_policy(`
+@@ -275,6 +278,8 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(cupsd_t)
@@ -15271,7 +15274,7 @@ index 9f34c2e..2e06558 100644
userdom_dbus_send_all_users(cupsd_t)
optional_policy(`
-@@ -285,8 +291,10 @@ optional_policy(`
+@@ -285,8 +290,10 @@ optional_policy(`
hal_dbus_chat(cupsd_t)
')
@@ -15282,7 +15285,7 @@ index 9f34c2e..2e06558 100644
')
')
-@@ -299,8 +307,8 @@ optional_policy(`
+@@ -299,8 +306,8 @@ optional_policy(`
')
optional_policy(`
@@ -15292,7 +15295,7 @@ index 9f34c2e..2e06558 100644
')
optional_policy(`
-@@ -337,7 +345,7 @@ optional_policy(`
+@@ -337,7 +344,7 @@ optional_policy(`
')
optional_policy(`
@@ -15301,7 +15304,7 @@ index 9f34c2e..2e06558 100644
')
########################################
-@@ -386,7 +394,6 @@ domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
+@@ -386,7 +393,6 @@ domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
kernel_read_system_state(cupsd_config_t)
kernel_read_all_sysctls(cupsd_config_t)
@@ -15309,7 +15312,15 @@ index 9f34c2e..2e06558 100644
corenet_all_recvfrom_netlabel(cupsd_config_t)
corenet_tcp_sendrecv_generic_if(cupsd_config_t)
corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -420,11 +427,8 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -404,7 +410,6 @@ dev_read_rand(cupsd_config_t)
+ dev_rw_generic_usb_dev(cupsd_config_t)
+
+ files_read_etc_runtime_files(cupsd_config_t)
+-files_read_usr_files(cupsd_config_t)
+ files_read_var_symlinks(cupsd_config_t)
+ files_search_all_mountpoints(cupsd_config_t)
+
+@@ -420,11 +425,8 @@ auth_use_nsswitch(cupsd_config_t)
logging_send_syslog_msg(cupsd_config_t)
@@ -15321,7 +15332,7 @@ index 9f34c2e..2e06558 100644
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
-@@ -452,6 +456,10 @@ optional_policy(`
+@@ -452,6 +454,10 @@ optional_policy(`
')
optional_policy(`
@@ -15332,19 +15343,7 @@ index 9f34c2e..2e06558 100644
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
hal_dontaudit_use_fds(hplip_t)
-@@ -470,6 +478,11 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ policykit_dbus_chat(cupsd_config_t)
-+ userdom_read_all_users_state(cupsd_config_t)
-+')
-+
-+optional_policy(`
- rpm_read_db(cupsd_config_t)
- ')
-
-@@ -513,13 +526,13 @@ kernel_read_kernel_sysctls(cupsd_lpd_t)
+@@ -513,13 +519,13 @@ kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
kernel_read_network_state(cupsd_lpd_t)
@@ -15359,7 +15358,7 @@ index 9f34c2e..2e06558 100644
corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
dev_read_urand(cupsd_lpd_t)
-@@ -533,7 +546,6 @@ auth_use_nsswitch(cupsd_lpd_t)
+@@ -533,7 +539,6 @@ auth_use_nsswitch(cupsd_lpd_t)
logging_send_syslog_msg(cupsd_lpd_t)
@@ -15367,7 +15366,14 @@ index 9f34c2e..2e06558 100644
miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
optional_policy(`
-@@ -569,7 +581,6 @@ corecmd_exec_shell(cups_pdf_t)
+@@ -562,14 +567,12 @@ fs_search_auto_mountpoints(cups_pdf_t)
+
+ kernel_read_system_state(cups_pdf_t)
+
+-files_read_usr_files(cups_pdf_t)
+
+ corecmd_exec_bin(cups_pdf_t)
+ corecmd_exec_shell(cups_pdf_t)
auth_use_nsswitch(cups_pdf_t)
@@ -15375,7 +15381,7 @@ index 9f34c2e..2e06558 100644
miscfiles_read_fonts(cups_pdf_t)
miscfiles_setattr_fonts_cache_dirs(cups_pdf_t)
-@@ -582,9 +593,10 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -582,9 +585,10 @@ tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files(cups_pdf_t)
')
@@ -15389,7 +15395,7 @@ index 9f34c2e..2e06558 100644
')
optional_policy(`
-@@ -613,9 +625,16 @@ allow hplip_t hplip_etc_t:dir list_dir_perms;
+@@ -613,9 +617,16 @@ allow hplip_t hplip_etc_t:dir list_dir_perms;
allow hplip_t hplip_etc_t:file read_file_perms;
allow hplip_t hplip_etc_t:lnk_file read_lnk_file_perms;
@@ -15406,18 +15412,15 @@ index 9f34c2e..2e06558 100644
manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file)
-@@ -627,7 +646,9 @@ stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -627,7 +638,6 @@ stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_system_state(hplip_t)
kernel_read_kernel_sysctls(hplip_t)
-corenet_all_recvfrom_unlabeled(hplip_t)
-+# for python
-+corecmd_exec_bin(hplip_t)
-+
corenet_all_recvfrom_netlabel(hplip_t)
corenet_tcp_sendrecv_generic_if(hplip_t)
corenet_udp_sendrecv_generic_if(hplip_t)
-@@ -644,12 +665,15 @@ corenet_sendrecv_hplip_client_packets(hplip_t)
+@@ -644,6 +654,8 @@ corenet_sendrecv_hplip_client_packets(hplip_t)
corenet_receive_hplip_server_packets(hplip_t)
corenet_tcp_bind_hplip_port(hplip_t)
corenet_tcp_connect_hplip_port(hplip_t)
@@ -15426,14 +15429,7 @@ index 9f34c2e..2e06558 100644
corenet_sendrecv_ipp_client_packets(hplip_t)
corenet_tcp_connect_ipp_port(hplip_t)
-
- corenet_sendrecv_howl_server_packets(hplip_t)
- corenet_udp_bind_howl_port(hplip_t)
-+corenet_tcp_connect_ipp_port(hplip_t)
-
- corecmd_exec_bin(hplip_t)
-
-@@ -662,23 +686,25 @@ dev_rw_usbfs(hplip_t)
+@@ -662,17 +674,18 @@ dev_rw_usbfs(hplip_t)
domain_use_interactive_fds(hplip_t)
@@ -15456,14 +15452,7 @@ index 9f34c2e..2e06558 100644
sysnet_dns_name_resolve(hplip_t)
- userdom_dontaudit_use_unpriv_user_fds(hplip_t)
- userdom_dontaudit_search_user_home_dirs(hplip_t)
- userdom_dontaudit_search_user_home_content(hplip_t)
-+userdom_dbus_send_all_users(hplip_t)
-
- optional_policy(`
- dbus_system_bus_client(hplip_t)
-@@ -731,7 +757,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -731,7 +744,6 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
@@ -15471,7 +15460,7 @@ index 9f34c2e..2e06558 100644
corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_generic_if(ptal_t)
corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -747,7 +772,6 @@ dev_rw_printer(ptal_t)
+@@ -747,7 +759,6 @@ dev_rw_printer(ptal_t)
domain_use_interactive_fds(ptal_t)
@@ -15479,7 +15468,7 @@ index 9f34c2e..2e06558 100644
files_read_etc_runtime_files(ptal_t)
fs_getattr_all_fs(ptal_t)
-@@ -755,8 +779,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -755,8 +766,6 @@ fs_search_auto_mountpoints(ptal_t)
logging_send_syslog_msg(ptal_t)
@@ -15589,7 +15578,7 @@ index 53fc3af..25b3285 100644
+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
')
diff --git a/cyphesis.te b/cyphesis.te
-index 916427f..9d65864 100644
+index 916427f..556f1ac 100644
--- a/cyphesis.te
+++ b/cyphesis.te
@@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(cyphesis_t)
@@ -15600,7 +15589,12 @@ index 916427f..9d65864 100644
corenet_tcp_sendrecv_generic_if(cyphesis_t)
corenet_tcp_sendrecv_generic_node(cyphesis_t)
corenet_tcp_bind_generic_node(cyphesis_t)
-@@ -66,8 +65,6 @@ files_read_usr_files(cyphesis_t)
+@@ -61,13 +60,9 @@ dev_read_urand(cyphesis_t)
+
+ domain_use_interactive_fds(cyphesis_t)
+
+-files_read_etc_files(cyphesis_t)
+-files_read_usr_files(cyphesis_t)
logging_send_syslog_msg(cyphesis_t)
@@ -15655,7 +15649,7 @@ index 6508280..a2860e3 100644
domain_system_change_exemption($1)
role_transition $2 cyrus_initrc_exec_t system_r;
diff --git a/cyrus.te b/cyrus.te
-index 395f97c..f35fbae 100644
+index 395f97c..e157463 100644
--- a/cyrus.te
+++ b/cyrus.te
@@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t)
@@ -15685,15 +15679,16 @@ index 395f97c..f35fbae 100644
corenet_sendrecv_pop_server_packets(cyrus_t)
corenet_tcp_bind_pop_port(cyrus_t)
-@@ -90,7 +92,6 @@ domain_use_interactive_fds(cyrus_t)
+@@ -90,8 +92,6 @@ domain_use_interactive_fds(cyrus_t)
files_list_var_lib(cyrus_t)
files_read_etc_runtime_files(cyrus_t)
-files_read_usr_files(cyrus_t)
- files_dontaudit_write_usr_dirs(cyrus_t)
+-files_dontaudit_write_usr_dirs(cyrus_t)
fs_getattr_all_fs(cyrus_t)
-@@ -102,7 +103,6 @@ libs_exec_lib_files(cyrus_t)
+ fs_search_auto_mountpoints(cyrus_t)
+@@ -102,7 +102,6 @@ libs_exec_lib_files(cyrus_t)
logging_send_syslog_msg(cyrus_t)
@@ -15701,7 +15696,7 @@ index 395f97c..f35fbae 100644
miscfiles_read_generic_certs(cyrus_t)
userdom_use_unpriv_users_fds(cyrus_t)
-@@ -116,6 +116,10 @@ optional_policy(`
+@@ -116,6 +115,10 @@ optional_policy(`
')
optional_policy(`
@@ -15712,7 +15707,7 @@ index 395f97c..f35fbae 100644
kerberos_keytab_template(cyrus, cyrus_t)
')
-@@ -128,6 +132,7 @@ optional_policy(`
+@@ -128,6 +131,7 @@ optional_policy(`
')
optional_policy(`
@@ -15730,7 +15725,7 @@ index 3b3d9a0..6c8106a 100644
')
+
diff --git a/daemontools.te b/daemontools.te
-index 0165962..8be5248 100644
+index 0165962..2569147 100644
--- a/daemontools.te
+++ b/daemontools.te
@@ -44,7 +44,10 @@ allow svc_multilog_t svc_start_t:process sigchld;
@@ -15744,16 +15739,17 @@ index 0165962..8be5248 100644
logging_manage_generic_logs(svc_multilog_t)
-@@ -77,6 +80,8 @@ dev_read_urand(svc_run_t)
+@@ -77,7 +80,8 @@ dev_read_urand(svc_run_t)
corecmd_exec_bin(svc_run_t)
corecmd_exec_shell(svc_run_t)
+-files_read_etc_files(svc_run_t)
+term_write_console(svc_run_t)
+
- files_read_etc_files(svc_run_t)
files_read_etc_runtime_files(svc_run_t)
files_search_pids(svc_run_t)
-@@ -109,6 +114,7 @@ allow svc_start_t svc_run_t:process { signal setrlimit };
+ files_search_var_lib(svc_run_t)
+@@ -109,6 +113,7 @@ allow svc_start_t svc_run_t:process { signal setrlimit };
can_exec(svc_start_t, svc_start_exec_t)
@@ -15761,16 +15757,16 @@ index 0165962..8be5248 100644
domtrans_pattern(svc_start_t, svc_run_exec_t, svc_run_t)
kernel_read_kernel_sysctls(svc_start_t)
-@@ -117,11 +123,14 @@ kernel_read_system_state(svc_start_t)
+@@ -117,11 +122,13 @@ kernel_read_system_state(svc_start_t)
corecmd_exec_bin(svc_start_t)
corecmd_exec_shell(svc_start_t)
+-files_read_etc_files(svc_start_t)
+corenet_tcp_bind_generic_node(svc_start_t)
+corenet_tcp_bind_generic_port(svc_start_t)
+
+term_write_console(svc_start_t)
+
- files_read_etc_files(svc_start_t)
files_read_etc_runtime_files(svc_start_t)
files_search_var(svc_start_t)
files_search_pids(svc_start_t)
@@ -15778,6 +15774,18 @@ index 0165962..8be5248 100644
logging_send_syslog_msg(svc_start_t)
-
-miscfiles_read_localization(svc_start_t)
+diff --git a/dante.te b/dante.te
+index 98a2d6a..fff0987 100644
+--- a/dante.te
++++ b/dante.te
+@@ -53,7 +53,6 @@ dev_read_sysfs(dante_t)
+
+ domain_use_interactive_fds(dante_t)
+
+-files_read_etc_files(dante_t)
+ files_read_etc_runtime_files(dante_t)
+
+ fs_getattr_all_fs(dante_t)
diff --git a/dbadm.te b/dbadm.te
index a67870a..76435d4 100644
--- a/dbadm.te
@@ -16493,7 +16501,7 @@ index afcf3a2..126d543 100644
+ dontaudit $1 session_bus_type:dbus send_msg;
')
diff --git a/dbus.te b/dbus.te
-index 2c2e7e1..4dee5a0 100644
+index 2c2e7e1..4c346e6 100644
--- a/dbus.te
+++ b/dbus.te
@@ -1,20 +1,18 @@
@@ -16615,7 +16623,7 @@ index 2c2e7e1..4dee5a0 100644
mls_fd_use_all_levels(system_dbusd_t)
mls_rangetrans_target(system_dbusd_t)
mls_file_read_all_levels(system_dbusd_t)
-@@ -123,66 +115,156 @@ term_dontaudit_use_console(system_dbusd_t)
+@@ -123,66 +115,155 @@ term_dontaudit_use_console(system_dbusd_t)
auth_use_nsswitch(system_dbusd_t)
auth_read_pam_console_data(system_dbusd_t)
@@ -16629,7 +16637,6 @@ index 2c2e7e1..4dee5a0 100644
+domain_read_all_domains_state(system_dbusd_t)
+
+files_list_home(system_dbusd_t)
-+files_read_usr_files(system_dbusd_t)
+
init_use_fds(system_dbusd_t)
init_use_script_ptys(system_dbusd_t)
@@ -16730,7 +16737,7 @@ index 2c2e7e1..4dee5a0 100644
+init_rw_stream_sockets(system_bus_type)
+
+ps_process_pattern(system_dbusd_t, system_bus_type)
-+
+
+userdom_dontaudit_search_admin_dir(system_bus_type)
+userdom_read_all_users_state(system_bus_type)
+
@@ -16745,7 +16752,7 @@ index 2c2e7e1..4dee5a0 100644
+optional_policy(`
+ unconfined_dbus_send(system_bus_type)
+')
-
++
+ifdef(`hide_broken_symptoms',`
+ dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write };
+')
@@ -16786,7 +16793,7 @@ index 2c2e7e1..4dee5a0 100644
kernel_read_kernel_sysctls(session_bus_type)
corecmd_list_bin(session_bus_type)
-@@ -191,20 +273,16 @@ corecmd_read_bin_files(session_bus_type)
+@@ -191,23 +272,18 @@ corecmd_read_bin_files(session_bus_type)
corecmd_read_bin_pipes(session_bus_type)
corecmd_read_bin_sockets(session_bus_type)
@@ -16807,8 +16814,11 @@ index 2c2e7e1..4dee5a0 100644
+domain_read_all_domains_state(session_bus_type)
files_list_home(session_bus_type)
- files_read_usr_files(session_bus_type)
-@@ -215,7 +293,6 @@ fs_getattr_xattr_fs(session_bus_type)
+-files_read_usr_files(session_bus_type)
+ files_dontaudit_search_var(session_bus_type)
+
+ fs_getattr_romfs(session_bus_type)
+@@ -215,7 +291,6 @@ fs_getattr_xattr_fs(session_bus_type)
fs_list_inotifyfs(session_bus_type)
fs_dontaudit_list_nfs(session_bus_type)
@@ -16816,7 +16826,7 @@ index 2c2e7e1..4dee5a0 100644
selinux_validate_context(session_bus_type)
selinux_compute_access_vector(session_bus_type)
selinux_compute_create_context(session_bus_type)
-@@ -225,18 +302,39 @@ selinux_compute_user_contexts(session_bus_type)
+@@ -225,18 +300,37 @@ selinux_compute_user_contexts(session_bus_type)
auth_read_pam_console_data(session_bus_type)
logging_send_audit_msgs(session_bus_type)
@@ -16838,6 +16848,7 @@ index 2c2e7e1..4dee5a0 100644
+userdom_tmpfs_filetrans(session_bus_type, file)
optional_policy(`
+- xserver_use_xdm_fds(session_bus_type)
+ gnome_read_config(session_bus_type)
+ gnome_read_gconf_home_files(session_bus_type)
+')
@@ -16852,15 +16863,13 @@ index 2c2e7e1..4dee5a0 100644
+
+optional_policy(`
+ xserver_search_xdm_lib(session_bus_type)
-+ xserver_use_xdm_fds(session_bus_type)
-+ xserver_rw_xdm_pipes(session_bus_type)
- xserver_use_xdm_fds(session_bus_type)
xserver_rw_xdm_pipes(session_bus_type)
++ xserver_use_xdm_fds(session_bus_type)
+ xserver_append_xdm_home_files(session_bus_type)
')
########################################
-@@ -244,5 +342,6 @@ optional_policy(`
+@@ -244,5 +338,6 @@ optional_policy(`
# Unconfined access to this module
#
@@ -17041,7 +17050,7 @@ index 5606b40..cd18cf2 100644
domain_system_change_exemption($1)
role_transition $2 ddclient_initrc_exec_t system_r;
diff --git a/ddclient.te b/ddclient.te
-index 0b4b8b9..6f53812 100644
+index 0b4b8b9..2efb435 100644
--- a/ddclient.te
+++ b/ddclient.te
@@ -38,9 +38,13 @@ files_pid_file(ddclient_var_run_t)
@@ -17066,17 +17075,23 @@ index 0b4b8b9..6f53812 100644
corenet_all_recvfrom_netlabel(ddclient_t)
corenet_tcp_sendrecv_generic_if(ddclient_t)
corenet_udp_sendrecv_generic_if(ddclient_t)
-@@ -83,6 +86,9 @@ corenet_tcp_sendrecv_generic_node(ddclient_t)
+@@ -83,6 +86,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t)
corenet_udp_sendrecv_generic_node(ddclient_t)
corenet_tcp_sendrecv_all_ports(ddclient_t)
corenet_udp_sendrecv_all_ports(ddclient_t)
+corenet_tcp_bind_generic_node(ddclient_t)
+corenet_udp_bind_generic_node(ddclient_t)
-+corenet_tcp_connect_all_ports(ddclient_t)
corenet_sendrecv_all_client_packets(ddclient_t)
corenet_tcp_connect_all_ports(ddclient_t)
-@@ -99,9 +105,11 @@ files_read_usr_files(ddclient_t)
+@@ -92,16 +97,16 @@ dev_read_urand(ddclient_t)
+
+ domain_use_interactive_fds(ddclient_t)
+
+-files_read_etc_files(ddclient_t)
+ files_read_etc_runtime_files(ddclient_t)
+-files_read_usr_files(ddclient_t)
+
fs_getattr_all_fs(ddclient_t)
fs_search_auto_mountpoints(ddclient_t)
@@ -17089,6 +17104,20 @@ index 0b4b8b9..6f53812 100644
sysnet_exec_ifconfig(ddclient_t)
sysnet_dns_name_resolve(ddclient_t)
+diff --git a/ddcprobe.te b/ddcprobe.te
+index ceb9bf4..2496e02 100644
+--- a/ddcprobe.te
++++ b/ddcprobe.te
+@@ -34,9 +34,7 @@ dev_read_urand(ddcprobe_t)
+ dev_read_raw_memory(ddcprobe_t)
+ dev_wx_raw_memory(ddcprobe_t)
+
+-files_read_etc_files(ddcprobe_t)
+ files_read_etc_runtime_files(ddcprobe_t)
+-files_read_usr_files(ddcprobe_t)
+
+ term_use_all_ttys(ddcprobe_t)
+ term_use_all_ptys(ddcprobe_t)
diff --git a/denyhosts.if b/denyhosts.if
index a7326da..c87b5b7 100644
--- a/denyhosts.if
@@ -17131,7 +17160,7 @@ index a7326da..c87b5b7 100644
admin_pattern($1, denyhosts_var_lock_t)
')
diff --git a/denyhosts.te b/denyhosts.te
-index bcb9770..bc1d203 100644
+index bcb9770..b53e611 100644
--- a/denyhosts.te
+++ b/denyhosts.te
@@ -25,6 +25,9 @@ logging_log_file(denyhosts_var_log_t)
@@ -17144,13 +17173,7 @@ index bcb9770..bc1d203 100644
allow denyhosts_t self:capability sys_tty_config;
allow denyhosts_t self:fifo_file rw_fifo_file_perms;
-@@ -44,11 +47,12 @@ logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file)
-
- kernel_read_network_state(denyhosts_t)
- kernel_read_system_state(denyhosts_t)
-+kernel_read_network_state(denyhosts_t)
-
-+corecmd_exec_shell(denyhosts_t)
+@@ -48,7 +51,6 @@ kernel_read_system_state(denyhosts_t)
corecmd_exec_bin(denyhosts_t)
corecmd_exec_shell(denyhosts_t)
@@ -17158,7 +17181,7 @@ index bcb9770..bc1d203 100644
corenet_all_recvfrom_netlabel(denyhosts_t)
corenet_tcp_sendrecv_generic_if(denyhosts_t)
corenet_tcp_sendrecv_generic_node(denyhosts_t)
-@@ -59,11 +63,11 @@ corenet_tcp_sendrecv_smtp_port(denyhosts_t)
+@@ -59,11 +61,11 @@ corenet_tcp_sendrecv_smtp_port(denyhosts_t)
dev_read_urand(denyhosts_t)
@@ -17172,7 +17195,7 @@ index bcb9770..bc1d203 100644
sysnet_dns_name_resolve(denyhosts_t)
sysnet_manage_config(denyhosts_t)
sysnet_etc_filetrans_config(denyhosts_t)
-@@ -71,3 +75,7 @@ sysnet_etc_filetrans_config(denyhosts_t)
+@@ -71,3 +73,7 @@ sysnet_etc_filetrans_config(denyhosts_t)
optional_policy(`
cron_system_entry(denyhosts_t, denyhosts_exec_t)
')
@@ -17513,7 +17536,7 @@ index d294865..3b4f593 100644
+ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
')
diff --git a/devicekit.te b/devicekit.te
-index ff933af..feb84e0 100644
+index ff933af..979a3de 100644
--- a/devicekit.te
+++ b/devicekit.te
@@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.1)
@@ -17558,18 +17581,20 @@ index ff933af..feb84e0 100644
allow devicekit_disk_t self:process { getsched signal_perms };
allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -81,7 +81,10 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton;
+@@ -81,10 +81,11 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton;
manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { dir file })
+files_filetrans_named_content(devicekit_disk_t)
-+kernel_list_unlabeled(devicekit_disk_t)
+kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
kernel_getattr_message_if(devicekit_disk_t)
kernel_list_unlabeled(devicekit_disk_t)
- kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
-@@ -98,6 +101,7 @@ corecmd_getattr_all_executables(devicekit_disk_t)
+-kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
+ kernel_read_fs_sysctls(devicekit_disk_t)
+ kernel_read_network_state(devicekit_disk_t)
+ kernel_read_software_raid_state(devicekit_disk_t)
+@@ -98,6 +99,7 @@ corecmd_getattr_all_executables(devicekit_disk_t)
dev_getattr_all_chr_files(devicekit_disk_t)
dev_getattr_mtrr_dev(devicekit_disk_t)
@@ -17577,7 +17602,15 @@ index ff933af..feb84e0 100644
dev_getattr_usbfs_dirs(devicekit_disk_t)
dev_manage_generic_files(devicekit_disk_t)
dev_read_urand(devicekit_disk_t)
-@@ -134,16 +138,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
+@@ -117,7 +119,6 @@ files_manage_boot_dirs(devicekit_disk_t)
+ files_manage_isid_type_dirs(devicekit_disk_t)
+ files_manage_mnt_dirs(devicekit_disk_t)
+ files_read_etc_runtime_files(devicekit_disk_t)
+-files_read_usr_files(devicekit_disk_t)
+
+ fs_getattr_all_fs(devicekit_disk_t)
+ fs_list_inotifyfs(devicekit_disk_t)
+@@ -134,16 +135,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
storage_raw_read_removable_device(devicekit_disk_t)
storage_raw_write_removable_device(devicekit_disk_t)
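Review bot: Dropping `files_read_usr_files(devicekit_disk_t)` from upstream devicekit.te (the `+-files_read_usr_files` line) is only safe if the base policy now grants /usr read access to every domain, and nothing in this merge commit says so. Because removing a rule never fails the policy build, a wrong assumption here surfaces only as AVC denials on a running system, so the base-policy change this relies on should be confirmed before the patch is refreshed. The same `files_read_usr_files`/`files_read_etc_files` removal recurs in the devicekit_power, dhcp.te, dirmngr.te, dirsrv.te, dnssec.te, evolution.te, fcoe.te, firewallgui.te, firstboot.te, ftp.te, games.te and gnome.te hunks below. A one-line note in the commit message naming the base-policy interface that supersedes them would let a reviewer verify all of them at once.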
@@ -17598,7 +17631,7 @@ index ff933af..feb84e0 100644
dbus_system_bus_client(devicekit_disk_t)
allow devicekit_disk_t devicekit_t:dbus send_msg;
-@@ -167,6 +173,7 @@ optional_policy(`
+@@ -167,6 +170,7 @@ optional_policy(`
optional_policy(`
mount_domtrans(devicekit_disk_t)
@@ -17606,7 +17639,7 @@ index ff933af..feb84e0 100644
')
optional_policy(`
-@@ -180,6 +187,10 @@ optional_policy(`
+@@ -180,6 +184,10 @@ optional_policy(`
')
optional_policy(`
@@ -17617,7 +17650,7 @@ index ff933af..feb84e0 100644
udev_domtrans(devicekit_disk_t)
udev_read_db(devicekit_disk_t)
')
-@@ -188,17 +199,27 @@ optional_policy(`
+@@ -188,12 +196,19 @@ optional_policy(`
virt_manage_images(devicekit_disk_t)
')
@@ -17638,19 +17671,15 @@ index ff933af..feb84e0 100644
allow devicekit_power_t self:process { getsched signal_perms };
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
- allow devicekit_power_t self:netlink_kobject_uevent_socket create_socket_perms;
+@@ -242,17 +257,16 @@ domain_read_all_domains_state(devicekit_power_t)
-+manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t)
-+logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
-+
- manage_dirs_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
- manage_files_pattern(devicekit_power_t, devicekit_tmp_t, devicekit_tmp_t)
- files_tmp_filetrans(devicekit_power_t, devicekit_tmp_t, { file dir })
-@@ -247,12 +268,13 @@ files_dontaudit_list_mnt(devicekit_power_t)
+ files_read_kernel_img(devicekit_power_t)
+ files_read_etc_runtime_files(devicekit_power_t)
+-files_read_usr_files(devicekit_power_t)
+ files_dontaudit_list_mnt(devicekit_power_t)
fs_getattr_all_fs(devicekit_power_t)
fs_list_inotifyfs(devicekit_power_t)
-+fs_getattr_all_fs(devicekit_power_t)
-term_use_all_terms(devicekit_power_t)
+term_use_all_inherited_terms(devicekit_power_t)
@@ -17662,7 +17691,7 @@ index ff933af..feb84e0 100644
sysnet_domtrans_ifconfig(devicekit_power_t)
sysnet_domtrans_dhcpc(devicekit_power_t)
-@@ -269,9 +291,11 @@ optional_policy(`
+@@ -269,9 +283,11 @@ optional_policy(`
optional_policy(`
cron_initrc_domtrans(devicekit_power_t)
@@ -17674,7 +17703,7 @@ index ff933af..feb84e0 100644
dbus_system_bus_client(devicekit_power_t)
allow devicekit_power_t devicekit_t:dbus send_msg;
-@@ -302,8 +326,11 @@ optional_policy(`
+@@ -302,8 +318,11 @@ optional_policy(`
')
optional_policy(`
@@ -17687,15 +17716,7 @@ index ff933af..feb84e0 100644
hal_manage_pid_dirs(devicekit_power_t)
hal_manage_pid_files(devicekit_power_t)
')
-@@ -321,6 +348,7 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ policykit_dbus_chat(devicekit_power_t)
- policykit_domtrans_auth(devicekit_power_t)
- policykit_read_lib(devicekit_power_t)
- policykit_read_reload(devicekit_power_t)
-@@ -341,3 +369,9 @@ optional_policy(`
+@@ -341,3 +360,9 @@ optional_policy(`
optional_policy(`
vbetool_domtrans(devicekit_power_t)
')
@@ -17787,7 +17808,7 @@ index c697edb..31d45bf 100644
+ allow $1 dhcpd_unit_file_t:service all_service_perms;
')
diff --git a/dhcp.te b/dhcp.te
-index c93c3db..1125f7d 100644
+index c93c3db..cdb4d60 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
@@ -17808,7 +17829,15 @@ index c93c3db..1125f7d 100644
corenet_all_recvfrom_netlabel(dhcpd_t)
corenet_tcp_sendrecv_generic_if(dhcpd_t)
corenet_udp_sendrecv_generic_if(dhcpd_t)
-@@ -102,8 +104,6 @@ auth_use_nsswitch(dhcpd_t)
+@@ -94,7 +96,6 @@ fs_search_auto_mountpoints(dhcpd_t)
+
+ domain_use_interactive_fds(dhcpd_t)
+
+-files_read_usr_files(dhcpd_t)
+ files_read_etc_runtime_files(dhcpd_t)
+ files_search_var_lib(dhcpd_t)
+
+@@ -102,8 +103,6 @@ auth_use_nsswitch(dhcpd_t)
logging_send_syslog_msg(dhcpd_t)
@@ -17817,7 +17846,7 @@ index c93c3db..1125f7d 100644
sysnet_read_dhcp_config(dhcpd_t)
userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
-@@ -113,6 +113,19 @@ tunable_policy(`dhcpd_use_ldap',`
+@@ -113,11 +112,20 @@ tunable_policy(`dhcpd_use_ldap',`
sysnet_use_ldap(dhcpd_t)
')
@@ -17825,17 +17854,18 @@ index c93c3db..1125f7d 100644
+ allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
+')
+
-+optional_policy(`
+ optional_policy(`
+ # used for dynamic DNS
-+ bind_read_dnssec_keys(dhcpd_t)
-+')
-+
-+optional_policy(`
+ bind_read_dnssec_keys(dhcpd_t)
+ ')
+
+ optional_policy(`
+ cobbler_dontaudit_rw_log(dhcpd_t)
+')
+
- optional_policy(`
- bind_read_dnssec_keys(dhcpd_t)
++optional_policy(`
+ dbus_system_bus_client(dhcpd_t)
+ dbus_connect_system_bus(dhcpd_t)
')
diff --git a/dictd.if b/dictd.if
index 3cc3494..cb0a1f4 100644
@@ -17883,6 +17913,17 @@ index fd4a602..43b800a 100644
userdom_dontaudit_use_unpriv_user_fds(dictd_t)
optional_policy(`
+diff --git a/dirmngr.te b/dirmngr.te
+index b3b2188..5f91705 100644
+--- a/dirmngr.te
++++ b/dirmngr.te
+@@ -53,6 +53,5 @@ files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { dir file })
+
+ kernel_read_crypto_sysctls(dirmngr_t)
+
+-files_read_etc_files(dirmngr_t)
+
+ miscfiles_read_localization(dirmngr_t)
diff --git a/dirsrv-admin.fc b/dirsrv-admin.fc
new file mode 100644
index 0000000..fdf5675
@@ -18439,10 +18480,10 @@ index 0000000..b214253
+')
diff --git a/dirsrv.te b/dirsrv.te
new file mode 100644
-index 0000000..7f0b4f6
+index 0000000..217b0ef
--- /dev/null
+++ b/dirsrv.te
-@@ -0,0 +1,193 @@
+@@ -0,0 +1,190 @@
+policy_module(dirsrv,1.0.0)
+
+########################################
@@ -18555,7 +18596,6 @@ index 0000000..7f0b4f6
+dev_read_sysfs(dirsrv_t)
+dev_read_urand(dirsrv_t)
+
-+files_read_etc_files(dirsrv_t)
+files_read_usr_symlinks(dirsrv_t)
+
+fs_getattr_all_fs(dirsrv_t)
@@ -18619,8 +18659,6 @@ index 0000000..7f0b4f6
+domain_use_interactive_fds(dirsrv_snmp_t)
+
+#files_manage_var_files(dirsrv_snmp_t)
-+files_read_etc_files(dirsrv_snmp_t)
-+files_read_usr_files(dirsrv_snmp_t)
+
+fs_getattr_tmpfs(dirsrv_snmp_t)
+fs_search_tmpfs(dirsrv_snmp_t)
@@ -18686,10 +18724,10 @@ index 671d3c0..6d36c95 100644
#####################################
diff --git a/djbdns.te b/djbdns.te
-index 463d290..2f66c34 100644
+index 463d290..df50e4c 100644
--- a/djbdns.te
+++ b/djbdns.te
-@@ -48,11 +48,16 @@ corenet_udp_bind_generic_port(djbdns_domain)
+@@ -48,6 +48,10 @@ corenet_udp_bind_generic_port(djbdns_domain)
files_search_var(djbdns_domain)
@@ -18700,12 +18738,6 @@ index 463d290..2f66c34 100644
########################################
#
# axfrdns local policy
- #
-
-+ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
- allow djbdns_axfrdns_t { djbdns_tinydns_t djbdns_tinydns_conf_t }:dir list_dir_perms;
- allow djbdns_axfrdns_t { djbdns_tinydns_t djbdns_tinydns_conf_t }:file read_file_perms;
-
diff --git a/dkim.fc b/dkim.fc
index 5818418..674367b 100644
--- a/dkim.fc
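Review bot: The `ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)` addition carried by the previous revision of this patch is dropped (the `-+ucspitcp_service_domain` line) with no replacement visible in the hunk, so unless upstream djbdns.te already provides that domain transition, axfrdns is presumably left running in the domain of the ucspi-tcp service that spawns it. The same silent drop of previously added rules occurs in the dnsmasq.te hunk (`ppp_read_pid_files(dnsmasq_t)` with its optional_policy block), the fail2ban.te hunk (the four `fail2ban_tmp_t` manage/exec/filetrans rules) and the fprintd.te hunk (`dbus_system_domain(fprintd_t, fprintd_exec_t)`, `policykit_dbus_chat(fprintd_t)`, `policykit_dbus_chat_auth(fprintd_t)`). For each, confirm the rule now exists upstream or was revoked on purpose; a still-needed rule that vanishes here shows up only as a runtime denial.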
@@ -18940,7 +18972,7 @@ index 19aa0b8..b303b37 100644
+ allow $1 dnsmasq_unit_file_t:service all_service_perms;
')
diff --git a/dnsmasq.te b/dnsmasq.te
-index ba14bcf..f33d9f5 100644
+index ba14bcf..363af2a 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
@@ -18970,7 +19002,7 @@ index ba14bcf..f33d9f5 100644
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
-@@ -98,11 +98,24 @@ optional_policy(`
+@@ -98,11 +98,16 @@ optional_policy(`
')
optional_policy(`
@@ -18984,18 +19016,10 @@ index ba14bcf..f33d9f5 100644
optional_policy(`
+ networkmanager_read_conf(dnsmasq_t)
-+ networkmanager_read_pid_files(dnsmasq_t)
-+')
-+
-+optional_policy(`
-+ ppp_read_pid_files(dnsmasq_t)
-+')
-+
-+optional_policy(`
networkmanager_read_pid_files(dnsmasq_t)
')
-@@ -124,6 +137,7 @@ optional_policy(`
+@@ -124,6 +129,7 @@ optional_policy(`
optional_policy(`
virt_manage_lib_files(dnsmasq_t)
@@ -19084,10 +19108,10 @@ index 0000000..a952041
+')
diff --git a/dnssec.te b/dnssec.te
new file mode 100644
-index 0000000..25daf6c
+index 0000000..7f715f8
--- /dev/null
+++ b/dnssec.te
-@@ -0,0 +1,59 @@
+@@ -0,0 +1,58 @@
+policy_module(dnssec, 1.0.0)
+
+########################################
@@ -19132,7 +19156,6 @@ index 0000000..25daf6c
+domain_use_interactive_fds(dnssec_trigger_t)
+
+files_read_etc_runtime_files(dnssec_trigger_t)
-+files_read_etc_files(dnssec_trigger_t)
+
+logging_send_syslog_msg(dnssec_trigger_t)
+
@@ -19438,7 +19461,7 @@ index dbcac59..66d42bb 100644
+ admin_pattern($1, dovecot_passwd_t)
')
diff --git a/dovecot.te b/dovecot.te
-index a7bfaf0..6344853 100644
+index a7bfaf0..c482695 100644
--- a/dovecot.te
+++ b/dovecot.te
@@ -1,4 +1,4 @@
@@ -19688,7 +19711,7 @@ index a7bfaf0..6344853 100644
sendmail_domtrans(dovecot_t)
')
-@@ -221,46 +213,58 @@ optional_policy(`
+@@ -221,46 +213,57 @@ optional_policy(`
########################################
#
@@ -19717,29 +19740,29 @@ index a7bfaf0..6344853 100644
+dovecot_stream_connect_auth(dovecot_auth_t)
-allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
+-
+-files_search_pids(dovecot_auth_t)
+-files_read_usr_files(dovecot_auth_t)
+-files_read_var_lib_files(dovecot_auth_t)
+logging_send_audit_msgs(dovecot_auth_t)
-+
-+auth_domtrans_chk_passwd(dovecot_auth_t)
-+auth_use_nsswitch(dovecot_auth_t)
-+
+
+ auth_domtrans_chk_passwd(dovecot_auth_t)
+ auth_use_nsswitch(dovecot_auth_t)
+
+-init_rw_utmp(dovecot_auth_t)
+logging_send_syslog_msg(dovecot_auth_t)
- files_search_pids(dovecot_auth_t)
- files_read_usr_files(dovecot_auth_t)
+-logging_send_audit_msgs(dovecot_auth_t)
++files_search_pids(dovecot_auth_t)
+files_read_usr_symlinks(dovecot_auth_t)
- files_read_var_lib_files(dovecot_auth_t)
++files_read_var_lib_files(dovecot_auth_t)
+files_search_tmp(dovecot_auth_t)
--auth_domtrans_chk_passwd(dovecot_auth_t)
--auth_use_nsswitch(dovecot_auth_t)
+-seutil_dontaudit_search_config(dovecot_auth_t)
+fs_getattr_xattr_fs(dovecot_auth_t)
++
++init_rw_utmp(dovecot_auth_t)
- init_rw_utmp(dovecot_auth_t)
-
--logging_send_audit_msgs(dovecot_auth_t)
--
--seutil_dontaudit_search_config(dovecot_auth_t)
--
sysnet_use_ldap(dovecot_auth_t)
optional_policy(`
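Review bot: The rewritten dovecot_auth block leaves `logging_send_audit_msgs(dovecot_auth_t)` above the `auth_*` calls and `logging_send_syslog_msg(dovecot_auth_t)` below them, with the `files_*`, `fs_*` and `init_rw_utmp` lines following after that; refpolicy convention keeps one module's interface calls together and orders the groups roughly by layer (kernel, files, fs, auth, init, logging, ...). Placing the two `logging_*` lines next to each other and moving the `files_*`/`fs_*` calls ahead of `auth_*` would make the next rebase of this patch easier to read. The hunk starts mid-block, so the block's opening lines are outside the view.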
@@ -19756,7 +19779,7 @@ index a7bfaf0..6344853 100644
mysql_stream_connect(dovecot_auth_t)
mysql_read_config(dovecot_auth_t)
mysql_tcp_connect(dovecot_auth_t)
-@@ -272,14 +276,21 @@ optional_policy(`
+@@ -272,14 +275,21 @@ optional_policy(`
optional_policy(`
postfix_manage_private_sockets(dovecot_auth_t)
@@ -19779,7 +19802,7 @@ index a7bfaf0..6344853 100644
allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
-@@ -289,31 +300,34 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
+@@ -289,31 +299,34 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
@@ -19831,7 +19854,7 @@ index a7bfaf0..6344853 100644
')
optional_policy(`
-@@ -326,5 +340,6 @@ optional_policy(`
+@@ -326,5 +339,6 @@ optional_policy(`
')
optional_policy(`
@@ -20363,6 +20386,42 @@ index a0da189..d8bc9d5 100644
userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
userdom_dontaudit_search_user_home_dirs(entropyd_t)
+diff --git a/evolution.te b/evolution.te
+index 94fb625..b94a09d 100644
+--- a/evolution.te
++++ b/evolution.te
+@@ -168,7 +168,6 @@ dev_read_urand(evolution_t)
+
+ domain_dontaudit_read_all_domains_state(evolution_t)
+
+-files_read_usr_files(evolution_t)
+
+ fs_search_auto_mountpoints(evolution_t)
+
+@@ -286,7 +285,6 @@ stream_connect_pattern(evolution_alarm_t, evolution_server_orbit_tmp_t, evolutio
+
+ dev_read_urand(evolution_alarm_t)
+
+-files_read_usr_files(evolution_alarm_t)
+
+ fs_search_auto_mountpoints(evolution_alarm_t)
+
+@@ -354,7 +352,6 @@ corecmd_exec_bin(evolution_exchange_t)
+
+ dev_read_urand(evolution_exchange_t)
+
+-files_read_usr_files(evolution_exchange_t)
+
+ fs_search_auto_mountpoints(evolution_exchange_t)
+
+@@ -423,7 +420,6 @@ corenet_tcp_connect_http_port(evolution_server_t)
+
+ dev_read_urand(evolution_server_t)
+
+-files_read_usr_files(evolution_server_t)
+
+ fs_search_auto_mountpoints(evolution_server_t)
+
diff --git a/exim.if b/exim.if
index 6041113..ef3b449 100644
--- a/exim.if
@@ -20849,20 +20908,10 @@ index 50d0084..6565422 100644
fail2ban_run_client($1, $2)
diff --git a/fail2ban.te b/fail2ban.te
-index 0872e50..e985043 100644
+index 0872e50..d49f5ad 100644
--- a/fail2ban.te
+++ b/fail2ban.te
-@@ -60,12 +60,16 @@ manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
- manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
- files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, file)
-
-+manage_dirs_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
-+manage_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
-+exec_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
-+files_tmp_filetrans(fail2ban_t, fail2ban_tmp_t, { dir file })
-+
- kernel_read_system_state(fail2ban_t)
-
+@@ -65,7 +65,6 @@ kernel_read_system_state(fail2ban_t)
corecmd_exec_bin(fail2ban_t)
corecmd_exec_shell(fail2ban_t)
@@ -20870,7 +20919,7 @@ index 0872e50..e985043 100644
corenet_all_recvfrom_netlabel(fail2ban_t)
corenet_tcp_sendrecv_generic_if(fail2ban_t)
corenet_tcp_sendrecv_generic_node(fail2ban_t)
-@@ -80,7 +84,6 @@ domain_use_interactive_fds(fail2ban_t)
+@@ -80,7 +79,6 @@ domain_use_interactive_fds(fail2ban_t)
domain_dontaudit_read_all_domains_state(fail2ban_t)
files_read_etc_runtime_files(fail2ban_t)
@@ -20878,24 +20927,22 @@ index 0872e50..e985043 100644
files_list_var(fail2ban_t)
files_dontaudit_list_tmp(fail2ban_t)
-@@ -92,13 +95,14 @@ auth_use_nsswitch(fail2ban_t)
+@@ -92,12 +90,10 @@ auth_use_nsswitch(fail2ban_t)
logging_read_all_logs(fail2ban_t)
logging_send_syslog_msg(fail2ban_t)
-miscfiles_read_localization(fail2ban_t)
--
- sysnet_manage_config(fail2ban_t)
- sysnet_etc_filetrans_config(fail2ban_t)
++mta_send_mail(fail2ban_t)
- mta_send_mail(fail2ban_t)
-
-+sysnet_manage_config(fail2ban_t)
+ sysnet_manage_config(fail2ban_t)
+-sysnet_etc_filetrans_config(fail2ban_t)
+-
+-mta_send_mail(fail2ban_t)
+sysnet_filetrans_named_content(fail2ban_t)
-+
+
optional_policy(`
apache_read_log(fail2ban_t)
- ')
-@@ -108,6 +112,10 @@ optional_policy(`
+@@ -108,6 +104,10 @@ optional_policy(`
')
optional_policy(`
@@ -20906,7 +20953,7 @@ index 0872e50..e985043 100644
iptables_domtrans(fail2ban_t)
')
-@@ -137,14 +145,10 @@ corecmd_exec_bin(fail2ban_client_t)
+@@ -137,14 +137,10 @@ corecmd_exec_bin(fail2ban_client_t)
domain_use_interactive_fds(fail2ban_client_t)
@@ -20921,6 +20968,18 @@ index 0872e50..e985043 100644
-
userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
userdom_use_user_terminals(fail2ban_client_t)
+diff --git a/fcoe.te b/fcoe.te
+index 79b9273..dc7e983 100644
+--- a/fcoe.te
++++ b/fcoe.te
+@@ -31,7 +31,6 @@ manage_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
+ manage_sock_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
+ files_pid_filetrans(fcoemon_t, fcoemon_var_run_t, { dir file })
+
+-files_read_etc_files(fcoemon_t)
+
+ dev_read_sysfs(fcoemon_t)
+
diff --git a/fetchmail.fc b/fetchmail.fc
index 2486e2a..ea07c4f 100644
--- a/fetchmail.fc
@@ -20956,18 +21015,19 @@ index c3f7916..cab3954 100644
admin_pattern($1, fetchmail_etc_t)
diff --git a/fetchmail.te b/fetchmail.te
-index f0388cb..73521ff 100644
+index f0388cb..fd440f8 100644
--- a/fetchmail.te
+++ b/fetchmail.te
-@@ -50,10 +50,19 @@ logging_log_filetrans(fetchmail_t, fetchmail_log_t, { dir file })
- allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms;
- mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file)
+@@ -39,8 +39,6 @@ allow fetchmail_t self:unix_stream_socket { accept listen };
-+manage_dirs_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
-+manage_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
-+logging_log_filetrans(fetchmail_t, fetchmail_log_t, { dir file })
-+
- manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
+ allow fetchmail_t fetchmail_etc_t:file read_file_perms;
+
+-read_files_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
+-
+ manage_dirs_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
+ append_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
+ create_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
+@@ -54,6 +52,11 @@ manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, dir)
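Review bot: Removing `read_files_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)` from upstream fetchmail.te (the `+-read_files_pattern` line) takes away fetchmail's read access to its own home-directory content type, and the next hunk additionally removes `userdom_search_user_home_dirs(fetchmail_t)`, so a per-user run that keeps its configuration under the home directory would be denied unless a broader rule not visible here supersedes both. If a home-manager style interface now covers this, a comment at the removal site naming it would make the intent clear; otherwise the two lines should stay.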
@@ -20979,7 +21039,7 @@ index f0388cb..73521ff 100644
kernel_read_kernel_sysctls(fetchmail_t)
kernel_list_proc(fetchmail_t)
kernel_getattr_proc_files(fetchmail_t)
-@@ -63,7 +72,6 @@ kernel_dontaudit_read_system_state(fetchmail_t)
+@@ -63,7 +66,6 @@ kernel_dontaudit_read_system_state(fetchmail_t)
corecmd_exec_bin(fetchmail_t)
corecmd_exec_shell(fetchmail_t)
@@ -20987,7 +21047,7 @@ index f0388cb..73521ff 100644
corenet_all_recvfrom_netlabel(fetchmail_t)
corenet_tcp_sendrecv_generic_if(fetchmail_t)
corenet_tcp_sendrecv_generic_node(fetchmail_t)
-@@ -84,17 +92,20 @@ fs_search_auto_mountpoints(fetchmail_t)
+@@ -84,15 +86,17 @@ fs_search_auto_mountpoints(fetchmail_t)
domain_use_interactive_fds(fetchmail_t)
@@ -21000,16 +21060,14 @@ index f0388cb..73521ff 100644
miscfiles_read_generic_certs(fetchmail_t)
userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
- userdom_search_user_home_dirs(fetchmail_t)
-
- optional_policy(`
-+ kerberos_use(fetchmail_t)
-+')
+-userdom_search_user_home_dirs(fetchmail_t)
+
+optional_policy(`
- procmail_domtrans(fetchmail_t)
- ')
++ kerberos_use(fetchmail_t)
++')
+ optional_policy(`
+ procmail_domtrans(fetchmail_t)
diff --git a/finger.te b/finger.te
index af4b6d7..92245bf 100644
--- a/finger.te
@@ -21227,23 +21285,22 @@ index e6866d1..941f4ef 100644
+ dontaudit $1 firewallgui_t:fifo_file rw_inherited_fifo_file_perms;
')
diff --git a/firewallgui.te b/firewallgui.te
-index c5ceab1..0d9c1ce 100644
+index c5ceab1..86b8098 100644
--- a/firewallgui.te
+++ b/firewallgui.te
-@@ -36,8 +36,11 @@ corecmd_exec_shell(firewallgui_t)
+@@ -36,8 +36,10 @@ corecmd_exec_shell(firewallgui_t)
dev_read_sysfs(firewallgui_t)
dev_read_urand(firewallgui_t)
--files_list_kernel_modules(firewallgui_t)
+files_manage_system_conf_files(firewallgui_t)
+files_etc_filetrans_system_conf(firewallgui_t)
- files_read_usr_files(firewallgui_t)
+files_search_kernel_modules(firewallgui_t)
-+files_list_kernel_modules(firewallgui_t)
+ files_list_kernel_modules(firewallgui_t)
+-files_read_usr_files(firewallgui_t)
auth_use_nsswitch(firewallgui_t)
-@@ -60,12 +63,13 @@ optional_policy(`
+@@ -60,12 +62,13 @@ optional_policy(`
')
optional_policy(`
@@ -21398,7 +21455,7 @@ index 280f875..f3a67c9 100644
##
##
diff --git a/firstboot.te b/firstboot.te
-index c12c067..0647c46 100644
+index c12c067..3b01d01 100644
--- a/firstboot.te
+++ b/firstboot.te
@@ -1,7 +1,7 @@
@@ -21430,7 +21487,7 @@ index c12c067..0647c46 100644
type firstboot_etc_t;
files_config_file(firstboot_etc_t)
-@@ -32,18 +27,36 @@ files_config_file(firstboot_etc_t)
+@@ -32,28 +27,25 @@ files_config_file(firstboot_etc_t)
allow firstboot_t self:capability { dac_override setgid };
allow firstboot_t self:process setfscreate;
allow firstboot_t self:fifo_file rw_fifo_file_perms;
@@ -21455,37 +21512,38 @@ index c12c067..0647c46 100644
dev_read_urand(firstboot_t)
-+selinux_get_fs_mount(firstboot_t)
-+selinux_validate_context(firstboot_t)
-+selinux_compute_access_vector(firstboot_t)
-+selinux_compute_create_context(firstboot_t)
-+selinux_compute_relabel_context(firstboot_t)
-+selinux_compute_user_contexts(firstboot_t)
-+
-+auth_dontaudit_getattr_shadow(firstboot_t)
-+
+-files_exec_etc_files(firstboot_t)
+-files_manage_etc_files(firstboot_t)
+-files_manage_etc_runtime_files(firstboot_t)
+-files_read_usr_files(firstboot_t)
+-files_manage_var_dirs(firstboot_t)
+-files_manage_var_files(firstboot_t)
+-files_manage_var_symlinks(firstboot_t)
+-files_create_boot_flag(firstboot_t)
+-files_delete_boot_flag(firstboot_t)
+-
+ selinux_get_fs_mount(firstboot_t)
+ selinux_validate_context(firstboot_t)
+ selinux_compute_access_vector(firstboot_t)
+@@ -63,6 +55,17 @@ selinux_compute_user_contexts(firstboot_t)
+
+ auth_dontaudit_getattr_shadow(firstboot_t)
+
+corecmd_exec_all_executables(firstboot_t)
+
- files_exec_etc_files(firstboot_t)
- files_manage_etc_files(firstboot_t)
- files_manage_etc_runtime_files(firstboot_t)
-@@ -54,15 +67,6 @@ files_manage_var_symlinks(firstboot_t)
- files_create_boot_flag(firstboot_t)
- files_delete_boot_flag(firstboot_t)
-
--selinux_get_fs_mount(firstboot_t)
--selinux_validate_context(firstboot_t)
--selinux_compute_access_vector(firstboot_t)
--selinux_compute_create_context(firstboot_t)
--selinux_compute_relabel_context(firstboot_t)
--selinux_compute_user_contexts(firstboot_t)
--
--auth_dontaudit_getattr_shadow(firstboot_t)
--
++files_exec_etc_files(firstboot_t)
++files_manage_etc_files(firstboot_t)
++files_manage_etc_runtime_files(firstboot_t)
++files_manage_var_dirs(firstboot_t)
++files_manage_var_files(firstboot_t)
++files_manage_var_symlinks(firstboot_t)
++files_create_boot_flag(firstboot_t)
++files_delete_boot_flag(firstboot_t)
++
init_domtrans_script(firstboot_t)
init_rw_utmp(firstboot_t)
-@@ -73,11 +77,11 @@ locallogin_use_fds(firstboot_t)
+@@ -73,11 +76,11 @@ locallogin_use_fds(firstboot_t)
logging_send_syslog_msg(firstboot_t)
@@ -21500,7 +21558,7 @@ index c12c067..0647c46 100644
userdom_manage_user_home_content_dirs(firstboot_t)
userdom_manage_user_home_content_files(firstboot_t)
userdom_manage_user_home_content_symlinks(firstboot_t)
-@@ -102,20 +106,18 @@ optional_policy(`
+@@ -102,20 +105,18 @@ optional_policy(`
')
optional_policy(`
@@ -21526,7 +21584,7 @@ index c12c067..0647c46 100644
optional_policy(`
diff --git a/fprintd.te b/fprintd.te
-index c81b6e8..5794a7b 100644
+index c81b6e8..7575a9b 100644
--- a/fprintd.te
+++ b/fprintd.te
@@ -30,14 +30,10 @@ dev_list_usbfs(fprintd_t)
@@ -21544,20 +21602,16 @@ index c81b6e8..5794a7b 100644
userdom_use_user_ptys(fprintd_t)
userdom_read_all_users_state(fprintd_t)
-@@ -55,7 +51,17 @@ optional_policy(`
+@@ -54,8 +50,13 @@ optional_policy(`
+ ')
')
++
optional_policy(`
- policykit_domtrans_auth(fprintd_t)
-+ dbus_system_domain(fprintd_t, fprintd_exec_t)
-+')
-+
-+optional_policy(`
policykit_read_reload(fprintd_t)
policykit_read_lib(fprintd_t)
-+ policykit_dbus_chat(fprintd_t)
+ policykit_domtrans_auth(fprintd_t)
-+ policykit_dbus_chat_auth(fprintd_t)
+')
+
+optional_policy(`
@@ -21671,7 +21725,7 @@ index d062080..e098a40 100644
ftp_run_ftpdctl($1, $2)
')
diff --git a/ftp.te b/ftp.te
-index e50f33c..fd43185 100644
+index e50f33c..45c02b7 100644
--- a/ftp.te
+++ b/ftp.te
@@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1)
@@ -21746,18 +21800,21 @@ index e50f33c..fd43185 100644
corenet_all_recvfrom_netlabel(ftpd_t)
corenet_tcp_sendrecv_generic_if(ftpd_t)
corenet_udp_sendrecv_generic_if(ftpd_t)
-@@ -223,6 +228,10 @@ corenet_tcp_bind_ftp_port(ftpd_t)
-
+@@ -224,9 +229,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
corenet_sendrecv_ftp_data_server_packets(ftpd_t)
corenet_tcp_bind_ftp_data_port(ftpd_t)
+
+corenet_tcp_bind_generic_port(ftpd_t)
+corenet_tcp_bind_all_ephemeral_ports(ftpd_t)
+corenet_tcp_connect_all_ephemeral_ports(ftpd_t)
-+corenet_sendrecv_ftp_server_packets(ftpd_t)
-
++
domain_use_interactive_fds(ftpd_t)
-@@ -245,7 +254,6 @@ logging_send_audit_msgs(ftpd_t)
+-files_read_etc_files(ftpd_t)
+ files_read_etc_runtime_files(ftpd_t)
+ files_search_var_lib(ftpd_t)
+
+@@ -245,7 +253,6 @@ logging_send_audit_msgs(ftpd_t)
logging_send_syslog_msg(ftpd_t)
logging_set_loginuid(ftpd_t)
@@ -21765,7 +21822,7 @@ index e50f33c..fd43185 100644
miscfiles_read_public_files(ftpd_t)
seutil_dontaudit_search_config(ftpd_t)
-@@ -255,31 +263,39 @@ sysnet_use_ldap(ftpd_t)
+@@ -255,31 +262,39 @@ sysnet_use_ldap(ftpd_t)
userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
userdom_dontaudit_search_user_home_dirs(ftpd_t)
@@ -21812,7 +21869,7 @@ index e50f33c..fd43185 100644
')
tunable_policy(`ftpd_use_passive_mode',`
-@@ -299,9 +315,9 @@ tunable_policy(`ftpd_connect_db',`
+@@ -299,9 +314,9 @@ tunable_policy(`ftpd_connect_db',`
corenet_sendrecv_mssql_client_packets(ftpd_t)
corenet_tcp_connect_mssql_port(ftpd_t)
corenet_tcp_sendrecv_mssql_port(ftpd_t)
@@ -21825,7 +21882,7 @@ index e50f33c..fd43185 100644
')
tunable_policy(`ftp_home_dir',`
-@@ -360,7 +376,7 @@ optional_policy(`
+@@ -360,7 +375,7 @@ optional_policy(`
selinux_validate_context(ftpd_t)
kerberos_keytab_template(ftpd, ftpd_t)
@@ -21834,7 +21891,7 @@ index e50f33c..fd43185 100644
')
optional_policy(`
-@@ -410,6 +426,7 @@ optional_policy(`
+@@ -410,21 +425,20 @@ optional_policy(`
#
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@@ -21842,8 +21899,8 @@ index e50f33c..fd43185 100644
allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms;
files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
-@@ -417,7 +434,7 @@ files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
- files_read_etc_files(ftpdctl_t)
+
+-files_read_etc_files(ftpdctl_t)
files_search_pids(ftpdctl_t)
-userdom_use_user_terminals(ftpdctl_t)
@@ -21851,7 +21908,18 @@ index e50f33c..fd43185 100644
########################################
#
-@@ -441,6 +458,19 @@ files_read_etc_files(sftpd_t)
+ # Anon sftpd local policy
+ #
+
+-files_read_etc_files(anon_sftpd_t)
+
+ miscfiles_read_public_files(anon_sftpd_t)
+
+@@ -437,10 +451,22 @@ tunable_policy(`sftpd_anon_write',`
+ # Sftpd local policy
+ #
+
+-files_read_etc_files(sftpd_t)
userdom_read_user_home_content_files(sftpd_t)
userdom_read_user_home_content_symlinks(sftpd_t)
@@ -21871,7 +21939,7 @@ index e50f33c..fd43185 100644
tunable_policy(`sftpd_enable_homedirs',`
allow sftpd_t self:capability { dac_override dac_read_search };
-@@ -475,21 +505,11 @@ tunable_policy(`sftpd_anon_write',`
+@@ -475,21 +501,11 @@ tunable_policy(`sftpd_anon_write',`
tunable_policy(`sftpd_full_access',`
allow sftpd_t self:capability { dac_override dac_read_search };
fs_read_noxattr_fs_files(sftpd_t)
@@ -21897,7 +21965,7 @@ index e50f33c..fd43185 100644
- fs_read_nfs_symlinks(ftpd_t)
-')
diff --git a/games.te b/games.te
-index 572fb12..9c05eee 100644
+index 572fb12..879c59a 100644
--- a/games.te
+++ b/games.te
@@ -76,8 +76,6 @@ init_use_script_ptys(games_srv_t)
@@ -21917,7 +21985,16 @@ index 572fb12..9c05eee 100644
corenet_all_recvfrom_netlabel(games_t)
corenet_tcp_sendrecv_generic_if(games_t)
corenet_tcp_sendrecv_generic_node(games_t)
-@@ -151,7 +148,6 @@ init_dontaudit_rw_utmp(games_t)
+@@ -142,8 +139,6 @@ dev_write_sound(games_t)
+ files_list_var(games_t)
+ files_search_var_lib(games_t)
+ files_dontaudit_search_var(games_t)
+-files_read_etc_files(games_t)
+-files_read_usr_files(games_t)
+ files_read_var_files(games_t)
+
+ init_dontaudit_rw_utmp(games_t)
+@@ -151,7 +146,6 @@ init_dontaudit_rw_utmp(games_t)
logging_dontaudit_search_logs(games_t)
miscfiles_read_man_pages(games_t)
@@ -21925,7 +22002,7 @@ index 572fb12..9c05eee 100644
sysnet_dns_name_resolve(games_t)
-@@ -161,7 +157,7 @@ userdom_manage_user_tmp_symlinks(games_t)
+@@ -161,7 +155,7 @@ userdom_manage_user_tmp_symlinks(games_t)
userdom_manage_user_tmp_sockets(games_t)
userdom_dontaudit_read_user_home_content_files(games_t)
@@ -22011,7 +22088,7 @@ index 395238e..af76abb 100644
+userdom_use_inherited_user_terminals(giftd_t)
+userdom_home_manager(gitd_t)
diff --git a/git.if b/git.if
-index 1e29af1..9f159d1 100644
+index 1e29af1..a1c464e 100644
--- a/git.if
+++ b/git.if
@@ -79,3 +79,21 @@ interface(`git_read_generic_sys_content_files',`
@@ -22034,7 +22111,7 @@ index 1e29af1..9f159d1 100644
+ gen_require(`
+ type git_user_content_t;
+ ')
-+ userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git"
++ userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
+')
diff --git a/git.te b/git.te
index 93b0301..8561970 100644
@@ -22179,7 +22256,7 @@ index 9eacb2c..229782f 100644
init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
domain_system_change_exemption($1)
diff --git a/glance.te b/glance.te
-index e0a4f46..8892bda 100644
+index e0a4f46..be03e22 100644
--- a/glance.te
+++ b/glance.te
@@ -7,8 +7,7 @@ policy_module(glance, 1.0.2)
@@ -22247,24 +22324,26 @@ index e0a4f46..8892bda 100644
logging_send_syslog_msg(glance_registry_t)
-@@ -108,8 +109,12 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
+@@ -108,13 +109,19 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
can_exec(glance_api_t, glance_tmp_t)
-corenet_sendrecv_armtechdaemon_server_packets(glance_api_t)
-corenet_tcp_bind_armtechdaemon_port(glance_api_t)
+-
+-corenet_sendrecv_hplip_server_packets(glance_api_t)
+-corenet_tcp_bind_hplip_port(glance_api_t)
+corenet_tcp_bind_generic_node(glance_api_t)
-+
-+corenet_tcp_bind_glance_port(glance_api_t)
-+corenet_tcp_connect_glance_registry_port(glance_api_t)
-+
-+corenet_tcp_connect_all_ephemeral_ports(glance_api_t)
- corenet_sendrecv_hplip_server_packets(glance_api_t)
- corenet_tcp_bind_hplip_port(glance_api_t)
-@@ -118,3 +123,7 @@ corenet_sendrecv_glance_registry_client_packets(glance_api_t)
++corenet_tcp_bind_glance_port(glance_api_t)
+ corenet_sendrecv_glance_registry_client_packets(glance_api_t)
corenet_tcp_connect_glance_registry_port(glance_api_t)
++corenet_tcp_connect_all_ephemeral_ports(glance_api_t)
++
++corenet_sendrecv_hplip_server_packets(glance_api_t)
++corenet_tcp_bind_hplip_port(glance_api_t)
++
fs_getattr_xattr_fs(glance_api_t)
+
+optional_policy(`
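Review bot: The new ordering has glance_api_t binding both `corenet_tcp_bind_glance_port` and `corenet_tcp_bind_hplip_port`, and nothing in the hunk says why an image service needs a printer port. Presumably glance's listening port falls inside the range labeled hplip_port_t in corenetwork, making the second rule a workaround for a port-label overlap; if so, a comment such as `# glance API port is also labeled hplip_port_t` above the hplip pair would stop a later cleanup from removing it. If that is not the reason, the hplip bind is over-broad for this domain and should go.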
@@ -22835,7 +22914,7 @@ index e39de43..52e5a3a 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
-index d03fd43..2d6e6bb 100644
+index d03fd43..f73c152 100644
--- a/gnome.if
+++ b/gnome.if
@@ -1,123 +1,155 @@
@@ -23925,7 +24004,7 @@ index d03fd43..2d6e6bb 100644
##
##
##
-@@ -704,12 +813,772 @@ interface(`gnome_stream_connect_gkeyringd',`
+@@ -704,12 +813,773 @@ interface(`gnome_stream_connect_gkeyringd',`
##
##
#
@@ -24617,6 +24696,7 @@ index d03fd43..2d6e6bb 100644
+ filetrans_pattern($1, data_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
+ filetrans_pattern($1, gconf_home_t, data_home_t, dir, "share")
+ filetrans_pattern($1, data_home_t, icc_data_home_t, dir, "icc")
++ filetrans_pattern($1, cache_home_t, cache_home_t, dir, "fontconfig")
+ userdom_user_tmp_filetrans($1, config_home_t, dir, "dconf")
+ gnome_filetrans_gstreamer_home_content($1)
+')
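Review bot: `filetrans_pattern($1, cache_home_t, cache_home_t, dir, "fontconfig")` names the same type as source and target; a new directory inherits its parent's type anyway, so as written this rule only has an effect if some other, unnamed transition out of cache_home_t applies to `$1` and this named transition is meant to take precedence over it. If that is the intent, a comment such as `# keep the fontconfig dir as cache_home_t even where a generic transition applies` would document it; if not, the line is dead and can be dropped. The interface body continues outside the hunk.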
@@ -24703,7 +24783,7 @@ index d03fd43..2d6e6bb 100644
+ type_transition $1 gkeyringd_exec_t:process $2;
')
diff --git a/gnome.te b/gnome.te
-index 20f726b..3a0a272 100644
+index 20f726b..311d9cc 100644
--- a/gnome.te
+++ b/gnome.te
@@ -1,18 +1,36 @@
@@ -24747,7 +24827,7 @@ index 20f726b..3a0a272 100644
typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
typealias gconf_home_t alias unconfined_gconf_home_t;
-@@ -29,107 +47,233 @@ type gconfd_exec_t;
+@@ -29,107 +47,226 @@ type gconfd_exec_t;
typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t };
typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
userdom_user_application_domain(gconfd_t, gconfd_exec_t)
@@ -24801,8 +24881,7 @@ index 20f726b..3a0a272 100644
+manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t)
+manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t)
+userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir)
-
--domain_use_interactive_fds(gnomedomain)
++
+manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
+manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
+userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
@@ -24811,8 +24890,8 @@ index 20f726b..3a0a272 100644
+read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t)
+
+dev_read_urand(gconfd_t)
-+
-+files_read_etc_files(gconfd_t)
+
+-domain_use_interactive_fds(gnomedomain)
-files_read_etc_files(gnomedomain)
@@ -24857,8 +24936,6 @@ index 20f726b..3a0a272 100644
-manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
-manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
-userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
-+files_read_etc_files(gconfdefaultsm_t)
-+files_read_usr_files(gconfdefaultsm_t)
-userdom_manage_user_tmp_dirs(gconfd_t)
-userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
@@ -24915,8 +24992,6 @@ index 20f726b..3a0a272 100644
+domain_signal_all_domains(gnomesystemmm_t)
+domain_sigstop_all_domains(gnomesystemmm_t)
+
-+files_read_etc_files(gnomesystemmm_t)
-+files_read_usr_files(gnomesystemmm_t)
+
+fs_getattr_xattr_fs(gnomesystemmm_t)
+
@@ -24993,8 +25068,7 @@ index 20f726b..3a0a272 100644
+dev_read_urand(gkeyringd_domain)
dev_read_sysfs(gkeyringd_domain)
-+files_read_etc_files(gkeyringd_domain)
- files_read_usr_files(gkeyringd_domain)
+-files_read_usr_files(gkeyringd_domain)
+# for nscd?
+files_search_pids(gkeyringd_domain)
@@ -25101,10 +25175,10 @@ index 3f55702..25c7ab8 100644
##
##
diff --git a/gnomeclock.te b/gnomeclock.te
-index 6d79eb5..d58acfc 100644
+index 6d79eb5..174b784 100644
--- a/gnomeclock.te
+++ b/gnomeclock.te
-@@ -1,86 +1,91 @@
+@@ -1,86 +1,90 @@
-policy_module(gnomeclock, 1.0.5)
+policy_module(gnomeclock, 1.0.0)
@@ -25159,8 +25233,8 @@ index 6d79eb5..d58acfc 100644
+dev_write_kmsg(gnomeclock_t)
+dev_read_sysfs(gnomeclock_t)
+-files_read_usr_files(gnomeclock_t)
+files_read_etc_runtime_files(gnomeclock_t)
- files_read_usr_files(gnomeclock_t)
fs_getattr_xattr_fs(gnomeclock_t)
@@ -25541,7 +25615,7 @@ index 180f1b7..951b790 100644
+ userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
+')
diff --git a/gpg.te b/gpg.te
-index 44cf341..29063e5 100644
+index 44cf341..d80e7c0 100644
--- a/gpg.te
+++ b/gpg.te
@@ -1,47 +1,47 @@
@@ -25613,7 +25687,7 @@ index 44cf341..29063e5 100644
type gpg_secret_t;
typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t };
-@@ -52,112 +52,112 @@ type gpg_helper_t;
+@@ -52,112 +52,107 @@ type gpg_helper_t;
type gpg_helper_exec_t;
typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t };
typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t };
@@ -25675,10 +25749,6 @@ index 44cf341..29063e5 100644
files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
-manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
-+domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
-+
-+# transition from the gpg domain to the helper domain
-+domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
+
+allow gpg_t gpg_secret_t:dir create_dir_perms;
manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
@@ -25724,7 +25794,6 @@ index 44cf341..29063e5 100644
domain_use_interactive_fds(gpg_t)
-+files_read_usr_files(gpg_t)
+files_dontaudit_search_var(gpg_t)
+
auth_use_nsswitch(gpg_t)
@@ -25777,7 +25846,7 @@ index 44cf341..29063e5 100644
')
optional_policy(`
-@@ -165,37 +165,49 @@ optional_policy(`
+@@ -165,37 +160,51 @@ optional_policy(`
')
optional_policy(`
@@ -25801,6 +25870,8 @@ index 44cf341..29063e5 100644
+# GPG helper local policy
#
++domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
++
allow gpg_helper_t self:process { getsched setsched };
+
+# for helper programs (which automatically fetch keys)
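Review bot: `domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)` is inserted directly under the `# GPG helper local policy` header, but it is a rule for gpg_t, not gpg_helper_t, so a reader scanning the file by section will not find it; the earlier hunk in this file section (the one that removes the same line together with the helper transition) took it out of the gpg local policy section, which is where it belongs. Move it back there, or at least precede it with `# transition from the gpg domain to the agent domain` so the placement is not read as a gpg_helper_t rule. If upstream gpg.te already carries this transition, the line is a duplicate and should be dropped rather than moved.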
@@ -25838,7 +25909,7 @@ index 44cf341..29063e5 100644
tunable_policy(`use_nfs_home_dirs',`
fs_dontaudit_rw_nfs_files(gpg_helper_t)
-@@ -207,29 +219,33 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -207,29 +216,33 @@ tunable_policy(`use_samba_home_dirs',`
########################################
#
@@ -25879,7 +25950,7 @@ index 44cf341..29063e5 100644
corecmd_exec_shell(gpg_agent_t)
dev_read_rand(gpg_agent_t)
-@@ -239,32 +255,27 @@ domain_use_interactive_fds(gpg_agent_t)
+@@ -239,32 +252,27 @@ domain_use_interactive_fds(gpg_agent_t)
fs_dontaudit_list_inotifyfs(gpg_agent_t)
@@ -25904,14 +25975,14 @@ index 44cf341..29063e5 100644
userdom_manage_user_home_content_dirs(gpg_agent_t)
userdom_manage_user_home_content_files(gpg_agent_t)
- userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
- ')
-
+-')
+-
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(gpg_agent_t)
- fs_manage_nfs_files(gpg_agent_t)
- fs_manage_nfs_symlinks(gpg_agent_t)
--')
--
+ ')
+
-tunable_policy(`use_samba_home_dirs',`
- fs_manage_cifs_dirs(gpg_agent_t)
- fs_manage_cifs_files(gpg_agent_t)
@@ -25921,7 +25992,7 @@ index 44cf341..29063e5 100644
optional_policy(`
mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
-@@ -277,8 +288,17 @@ optional_policy(`
+@@ -277,8 +285,17 @@ optional_policy(`
allow gpg_pinentry_t self:process { getcap getsched setsched signal };
allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
@@ -25940,7 +26011,7 @@ index 44cf341..29063e5 100644
manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)
-@@ -287,53 +307,91 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
+@@ -287,53 +304,89 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
@@ -25966,7 +26037,7 @@ index 44cf341..29063e5 100644
-domain_use_interactive_fds(gpg_pinentry_t)
-
- files_read_usr_files(gpg_pinentry_t)
+-files_read_usr_files(gpg_pinentry_t)
+# read /etc/X11/qtrc
fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
@@ -26036,7 +26107,6 @@ index 44cf341..29063e5 100644
+
+can_exec(gpg_web_t, gpg_exec_t)
+
-+files_read_usr_files(gpg_web_t)
+
+
+apache_dontaudit_rw_tmp_files(gpg_web_t)
@@ -26046,7 +26116,7 @@ index 44cf341..29063e5 100644
+ miscfiles_manage_public_files(gpg_web_t)
')
diff --git a/gpm.te b/gpm.te
-index 3226f52..bc3f49e 100644
+index 3226f52..68b2eb8 100644
--- a/gpm.te
+++ b/gpm.te
@@ -13,7 +13,7 @@ type gpm_initrc_exec_t;
@@ -26058,7 +26128,15 @@ index 3226f52..bc3f49e 100644
type gpm_tmp_t;
files_tmp_file(gpm_tmp_t)
-@@ -68,11 +68,9 @@ domain_use_interactive_fds(gpm_t)
+@@ -57,7 +57,6 @@ dev_read_sysfs(gpm_t)
+ dev_rw_input_dev(gpm_t)
+ dev_rw_mouse(gpm_t)
+
+-files_read_etc_files(gpm_t)
+
+ fs_getattr_all_fs(gpm_t)
+ fs_search_auto_mountpoints(gpm_t)
+@@ -68,11 +67,9 @@ domain_use_interactive_fds(gpm_t)
logging_send_syslog_msg(gpm_t)
@@ -26072,18 +26150,11 @@ index 3226f52..bc3f49e 100644
optional_policy(`
seutil_sigchld_newrole(gpm_t)
diff --git a/gpsd.te b/gpsd.te
-index 25f09ae..61d3e29 100644
+index 25f09ae..2200e6d 100644
--- a/gpsd.te
+++ b/gpsd.te
-@@ -60,14 +60,25 @@ dev_rw_realtime_clock(gpsd_t)
-
- domain_dontaudit_read_all_domains_state(gpsd_t)
+@@ -62,13 +62,13 @@ domain_dontaudit_read_all_domains_state(gpsd_t)
-+dev_read_sysfs(gpsd_t)
-+dev_rw_realtime_clock(gpsd_t)
-+
-+domain_dontaudit_read_all_domains_state(gpsd_t)
-+
term_use_unallocated_ttys(gpsd_t)
term_setattr_unallocated_ttys(gpsd_t)
+term_use_usb_ttys(gpsd_t)
@@ -26094,14 +26165,10 @@ index 25f09ae..61d3e29 100644
logging_send_syslog_msg(gpsd_t)
-miscfiles_read_localization(gpsd_t)
-+optional_policy(`
-+ chronyd_rw_shm(gpsd_t)
-+ chronyd_stream_connect(gpsd_t)
-+ chronyd_dgram_send(gpsd_t)
-+')
-
+-
optional_policy(`
chronyd_rw_shm(gpsd_t)
+ chronyd_stream_connect(gpsd_t)
diff --git a/guest.te b/guest.te
index d928711..93d2d83 100644
--- a/guest.te
@@ -26112,6 +26179,63 @@ index d928711..93d2d83 100644
-#gen_user(guest_u, user, guest_r, s0, s0)
+gen_user(guest_u, user, guest_r, s0, s0)
+diff --git a/hadoop.te b/hadoop.te
+index e62bcb7..f44ad99 100644
+--- a/hadoop.te
++++ b/hadoop.te
+@@ -155,7 +155,6 @@ dev_read_urand(hadoop_t)
+ domain_use_interactive_fds(hadoop_t)
+
+ files_dontaudit_search_spool(hadoop_t)
+-files_read_usr_files(hadoop_t)
+
+ fs_getattr_xattr_fs(hadoop_t)
+
+@@ -263,8 +262,6 @@ kernel_read_system_state(hadoop_initrc_domain)
+ corecmd_exec_bin(hadoop_initrc_domain)
+ corecmd_exec_shell(hadoop_initrc_domain)
+
+-files_read_etc_files(hadoop_initrc_domain)
+-files_read_usr_files(hadoop_initrc_domain)
+ files_search_locks(hadoop_initrc_domain)
+ files_search_pids(hadoop_initrc_domain)
+
+@@ -453,7 +450,6 @@ dev_read_urand(zookeeper_t)
+
+ domain_use_interactive_fds(zookeeper_t)
+
+-files_read_usr_files(zookeeper_t)
+
+ auth_use_nsswitch(zookeeper_t)
+
+@@ -537,7 +533,6 @@ dev_read_rand(zookeeper_server_t)
+ dev_read_sysfs(zookeeper_server_t)
+ dev_read_urand(zookeeper_server_t)
+
+-files_read_usr_files(zookeeper_server_t)
+
+ fs_getattr_xattr_fs(zookeeper_server_t)
+
+diff --git a/hal.te b/hal.te
+index 0801fe1..85b6f3e 100644
+--- a/hal.te
++++ b/hal.te
+@@ -61,7 +61,6 @@ files_type(hald_var_lib_t)
+ # Common local policy
+ #
+
+-files_read_usr_files(hald_domain)
+
+ miscfiles_read_localization(hald_domain)
+
+@@ -437,7 +436,6 @@ write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t)
+
+ dev_rw_input_dev(hald_keymap_t)
+
+-files_read_etc_files(hald_keymap_t)
+
+ logging_search_logs(hald_keymap_t)
+
diff --git a/hddtemp.if b/hddtemp.if
index 1728071..77e71ea 100644
--- a/hddtemp.if
@@ -26241,17 +26365,15 @@ index 580b533..c267cea 100644
domain_system_change_exemption($1)
role_transition $2 icecast_initrc_exec_t system_r;
diff --git a/icecast.te b/icecast.te
-index ac6f9d5..73f5015 100644
+index ac6f9d5..6097225 100644
--- a/icecast.te
+++ b/icecast.te
-@@ -65,12 +65,12 @@ dev_read_sysfs(icecast_t)
+@@ -65,12 +65,8 @@ dev_read_sysfs(icecast_t)
dev_read_urand(icecast_t)
dev_read_rand(icecast_t)
-+auth_use_nsswitch(icecast_t)
-+
- domain_use_interactive_fds(icecast_t)
-
+-domain_use_interactive_fds(icecast_t)
+-
auth_use_nsswitch(icecast_t)
-miscfiles_read_localization(icecast_t)
@@ -26337,7 +26459,7 @@ index fbb54e7..b347964 100644
########################################
diff --git a/inetd.te b/inetd.te
-index 1a5ed62..5eebf38 100644
+index 1a5ed62..9762e4a 100644
--- a/inetd.te
+++ b/inetd.te
@@ -37,9 +37,9 @@ ifdef(`enable_mcs',`
@@ -26364,7 +26486,7 @@ index 1a5ed62..5eebf38 100644
corenet_sendrecv_ircd_server_packets(inetd_t)
corenet_tcp_bind_ircd_port(inetd_t)
-@@ -157,13 +162,13 @@ auth_use_nsswitch(inetd_t)
+@@ -157,8 +162,6 @@ auth_use_nsswitch(inetd_t)
logging_send_syslog_msg(inetd_t)
@@ -26373,14 +26495,7 @@ index 1a5ed62..5eebf38 100644
mls_fd_share_all_levels(inetd_t)
mls_socket_read_to_clearance(inetd_t)
mls_socket_write_to_clearance(inetd_t)
- mls_net_outbound_all_levels(inetd_t)
- mls_process_set_level(inetd_t)
-+#706086
-+mls_net_outbound_all_levels(inetd_t)
-
- userdom_dontaudit_use_unpriv_user_fds(inetd_t)
- userdom_dontaudit_search_user_home_dirs(inetd_t)
-@@ -188,7 +193,7 @@ optional_policy(`
+@@ -188,7 +191,7 @@ optional_policy(`
')
optional_policy(`
@@ -26389,7 +26504,7 @@ index 1a5ed62..5eebf38 100644
')
optional_policy(`
-@@ -220,6 +225,14 @@ kernel_read_kernel_sysctls(inetd_child_t)
+@@ -220,6 +223,14 @@ kernel_read_kernel_sysctls(inetd_child_t)
kernel_read_network_state(inetd_child_t)
kernel_read_system_state(inetd_child_t)
@@ -26404,7 +26519,7 @@ index 1a5ed62..5eebf38 100644
dev_read_urand(inetd_child_t)
fs_getattr_xattr_fs(inetd_child_t)
-@@ -230,7 +243,11 @@ auth_use_nsswitch(inetd_child_t)
+@@ -230,7 +241,11 @@ auth_use_nsswitch(inetd_child_t)
logging_send_syslog_msg(inetd_child_t)
@@ -26464,7 +26579,7 @@ index eb87f23..8e11e4b 100644
init_labeled_script_domtrans($1, innd_initrc_exec_t)
diff --git a/inn.te b/inn.te
-index 5aab5d0..e694d0f 100644
+index 5aab5d0..5967395 100644
--- a/inn.te
+++ b/inn.te
@@ -26,6 +26,7 @@ files_pid_file(innd_var_run_t)
@@ -26475,16 +26590,7 @@ index 5aab5d0..e694d0f 100644
########################################
#
-@@ -43,6 +44,8 @@ allow innd_t self:tcp_socket { accept listen };
- read_files_pattern(innd_t, innd_etc_t, innd_etc_t)
- read_lnk_files_pattern(innd_t, innd_etc_t, innd_etc_t)
-
-+can_exec(innd_t, innd_exec_t)
-+
- allow innd_t innd_log_t:dir setattr_dir_perms;
- append_files_pattern(innd_t, innd_log_t, innd_log_t)
- create_files_pattern(innd_t, innd_log_t, innd_log_t)
-@@ -54,7 +57,7 @@ manage_files_pattern(innd_t, innd_var_lib_t, innd_var_lib_t)
+@@ -54,7 +55,7 @@ manage_files_pattern(innd_t, innd_var_lib_t, innd_var_lib_t)
manage_dirs_pattern(innd_t, innd_var_run_t, innd_var_run_t)
manage_files_pattern(innd_t, innd_var_run_t, innd_var_run_t)
manage_sock_files_pattern(innd_t, innd_var_run_t, innd_var_run_t)
@@ -26493,7 +26599,7 @@ index 5aab5d0..e694d0f 100644
manage_dirs_pattern(innd_t, news_spool_t, news_spool_t)
manage_files_pattern(innd_t, news_spool_t, news_spool_t)
-@@ -65,7 +68,6 @@ can_exec(innd_t, innd_exec_t)
+@@ -65,7 +66,6 @@ can_exec(innd_t, innd_exec_t)
kernel_read_kernel_sysctls(innd_t)
kernel_read_system_state(innd_t)
@@ -26501,7 +26607,13 @@ index 5aab5d0..e694d0f 100644
corenet_all_recvfrom_netlabel(innd_t)
corenet_tcp_sendrecv_generic_if(innd_t)
corenet_tcp_sendrecv_generic_node(innd_t)
-@@ -97,12 +99,11 @@ auth_use_nsswitch(innd_t)
+@@ -91,18 +91,16 @@ fs_search_auto_mountpoints(innd_t)
+
+ files_list_spool(innd_t)
+ files_read_etc_runtime_files(innd_t)
+-files_read_usr_files(innd_t)
+
+ auth_use_nsswitch(innd_t)
logging_send_syslog_msg(innd_t)
@@ -26515,6 +26627,18 @@ index 5aab5d0..e694d0f 100644
mta_send_mail(innd_t)
+diff --git a/iodine.te b/iodine.te
+index 94ec5f8..801417b 100644
+--- a/iodine.te
++++ b/iodine.te
+@@ -43,7 +43,6 @@ corenet_udp_sendrecv_dns_port(iodined_t)
+
+ corecmd_exec_shell(iodined_t)
+
+-files_read_etc_files(iodined_t)
+
+ logging_send_syslog_msg(iodined_t)
+
diff --git a/irc.if b/irc.if
index ac00fb0..06cb083 100644
--- a/irc.if
@@ -26568,7 +26692,7 @@ index ac00fb0..06cb083 100644
+ userdom_user_home_dir_filetrans($1, irc_home_t, dir, "irclogs")
')
diff --git a/irc.te b/irc.te
-index ecad9c7..8cbe5cf 100644
+index ecad9c7..f8d4f1d 100644
--- a/irc.te
+++ b/irc.te
@@ -37,7 +37,32 @@ userdom_user_home_content(irc_log_home_t)
@@ -26628,7 +26752,15 @@ index ecad9c7..8cbe5cf 100644
corenet_all_recvfrom_netlabel(irc_t)
corenet_tcp_sendrecv_generic_if(irc_t)
corenet_tcp_sendrecv_generic_node(irc_t)
-@@ -106,7 +124,6 @@ auth_use_nsswitch(irc_t)
+@@ -93,7 +111,6 @@ dev_read_rand(irc_t)
+
+ domain_use_interactive_fds(irc_t)
+
+-files_read_usr_files(irc_t)
+
+ fs_getattr_all_fs(irc_t)
+ fs_search_auto_mountpoints(irc_t)
+@@ -106,7 +123,6 @@ auth_use_nsswitch(irc_t)
init_read_utmp(irc_t)
init_dontaudit_lock_utmp(irc_t)
@@ -26636,7 +26768,7 @@ index ecad9c7..8cbe5cf 100644
userdom_use_user_terminals(irc_t)
-@@ -114,6 +131,9 @@ userdom_manage_user_home_content_dirs(irc_t)
+@@ -114,6 +130,9 @@ userdom_manage_user_home_content_dirs(irc_t)
userdom_manage_user_home_content_files(irc_t)
userdom_user_home_dir_filetrans_user_home_content(irc_t, { dir file })
@@ -26646,7 +26778,7 @@ index ecad9c7..8cbe5cf 100644
tunable_policy(`irc_use_any_tcp_ports',`
corenet_sendrecv_all_server_packets(irc_t)
corenet_tcp_bind_all_unreserved_ports(irc_t)
-@@ -122,18 +142,72 @@ tunable_policy(`irc_use_any_tcp_ports',`
+@@ -122,18 +141,71 @@ tunable_policy(`irc_use_any_tcp_ports',`
corenet_tcp_sendrecv_all_ports(irc_t)
')
@@ -26706,7 +26838,6 @@ index ecad9c7..8cbe5cf 100644
+# irssi-otr genkey.
+dev_read_rand(irssi_t)
+
-+files_read_usr_files(irssi_t)
+
+fs_search_auto_mountpoints(irssi_t)
+
@@ -27089,7 +27220,7 @@ index 16b1666..01673a4 100644
- admin_pattern($1, jabberd_var_run_t)
')
diff --git a/jabber.te b/jabber.te
-index bb12c90..c1ce1b7 100644
+index bb12c90..ff69343 100644
--- a/jabber.te
+++ b/jabber.te
@@ -1,4 +1,4 @@
@@ -27098,7 +27229,7 @@ index bb12c90..c1ce1b7 100644
########################################
#
-@@ -9,129 +9,138 @@ attribute jabberd_domain;
+@@ -9,129 +9,130 @@ attribute jabberd_domain;
jabber_domain_template(jabberd)
jabber_domain_template(jabberd_router)
@@ -27251,30 +27382,24 @@ index bb12c90..c1ce1b7 100644
+corecmd_exec_bin(pyicqt_t)
-fs_search_auto_mountpoints(jabberd_t)
-+dev_read_urand(pyicqt_t);
++dev_read_urand(pyicqt_t)
-sysnet_read_config(jabberd_t)
-+files_read_usr_files(pyicqt_t)
++auth_use_nsswitch(pyicqt_t)
-userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
-userdom_dontaudit_search_user_home_dirs(jabberd_t)
-+auth_use_nsswitch(pyicqt_t);
-
-+# for RHEL5
-+libs_use_ld_so(pyicqt_t)
-+libs_use_shared_libs(pyicqt_t)
-+
+# needed for pyicq-t-mysql
++optional_policy(`
++ corenet_tcp_connect_mysqld_port(pyicqt_t)
++')
+
optional_policy(`
- udev_read_db(jabberd_t)
-+ corenet_tcp_connect_mysqld_port(pyicqt_t)
++ sysnet_use_ldap(pyicqt_t)
')
-########################################
-+optional_policy(`
-+ sysnet_use_ldap(pyicqt_t)
-+')
-+
+#######################################
#
-# Router local policy
@@ -27299,22 +27424,20 @@ index bb12c90..c1ce1b7 100644
-corenet_sendrecv_jabber_client_server_packets(jabberd_router_t)
-corenet_tcp_bind_jabber_client_port(jabberd_router_t)
-corenet_tcp_sendrecv_jabber_client_port(jabberd_router_t)
-+dev_read_urand(jabberd_domain)
-+dev_read_urand(jabberd_domain)
+dev_read_sysfs(jabberd_domain)
++dev_read_urand(jabberd_domain)
-# corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
-# corenet_tcp_bind_jabber_router_port(jabberd_router_t)
-# corenet_sendrecv_jabber_router_client_packets(jabberd_router_t)
-# corenet_tcp_connect_jabber_router_port(jabberd_router_t)
-# corenet_tcp_sendrecv_jabber_router_port(jabberd_router_t)
-+files_read_etc_files(jabberd_domain)
+files_read_etc_runtime_files(jabberd_domain)
-auth_use_nsswitch(jabberd_router_t)
+sysnet_read_config(jabberd_domain)
diff --git a/java.te b/java.te
-index b3fcfbb..b2c5451 100644
+index b3fcfbb..98cbfb4 100644
--- a/java.te
+++ b/java.te
@@ -11,7 +11,7 @@ policy_module(java, 2.6.3)
@@ -27326,7 +27449,15 @@ index b3fcfbb..b2c5451 100644
attribute java_domain;
-@@ -112,7 +112,7 @@ userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file s
+@@ -90,7 +90,6 @@ dev_read_urand(java_domain)
+ dev_read_rand(java_domain)
+ dev_dontaudit_append_rand(java_domain)
+
+-files_read_usr_files(java_domain)
+ files_read_etc_runtime_files(java_domain)
+
+ fs_getattr_all_fs(java_domain)
+@@ -112,7 +111,7 @@ userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file s
userdom_write_user_tmp_sockets(java_domain)
@@ -27793,12 +27924,15 @@ index 2fb7a20..c6ba007 100644
+ ')
+')
diff --git a/jockey.te b/jockey.te
-index d59ec10..1b5410d 100644
+index d59ec10..dec1b3b 100644
--- a/jockey.te
+++ b/jockey.te
-@@ -47,13 +47,18 @@ domain_use_interactive_fds(jockey_t)
- files_read_etc_files(jockey_t)
- files_read_usr_files(jockey_t)
+@@ -44,16 +44,19 @@ dev_read_urand(jockey_t)
+
+ domain_use_interactive_fds(jockey_t)
+
+-files_read_etc_files(jockey_t)
+-files_read_usr_files(jockey_t)
-miscfiles_read_localization(jockey_t)
+auth_read_passwd(jockey_t)
@@ -28099,7 +28233,7 @@ index 3a00b3a..15d521b 100644
+ allow $1 kdump_unit_file_t:service all_service_perms;
')
diff --git a/kdump.te b/kdump.te
-index 70f3007..6b6a6c4 100644
+index 70f3007..bacefd5 100644
--- a/kdump.te
+++ b/kdump.te
@@ -1,4 +1,4 @@
@@ -28108,7 +28242,7 @@ index 70f3007..6b6a6c4 100644
#######################################
#
-@@ -15,30 +15,34 @@ files_config_file(kdump_etc_t)
+@@ -15,30 +15,33 @@ files_config_file(kdump_etc_t)
type kdump_initrc_exec_t;
init_script_file(kdump_initrc_exec_t)
@@ -28136,7 +28270,7 @@ index 70f3007..6b6a6c4 100644
-allow kdump_t kdump_etc_t:file read_file_perms;
+read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t)
- files_read_etc_files(kdump_t)
+-files_read_etc_files(kdump_t)
files_read_etc_runtime_files(kdump_t)
files_read_kernel_img(kdump_t)
@@ -28147,7 +28281,7 @@ index 70f3007..6b6a6c4 100644
kernel_request_load_module(kdump_t)
dev_read_framebuffer(kdump_t)
-@@ -48,22 +52,27 @@ term_use_console(kdump_t)
+@@ -48,22 +51,27 @@ term_use_console(kdump_t)
#######################################
#
@@ -28180,7 +28314,7 @@ index 70f3007..6b6a6c4 100644
kernel_read_system_state(kdumpctl_t)
-@@ -71,6 +80,7 @@ corecmd_exec_bin(kdumpctl_t)
+@@ -71,46 +79,56 @@ corecmd_exec_bin(kdumpctl_t)
corecmd_exec_shell(kdumpctl_t)
dev_read_sysfs(kdumpctl_t)
@@ -28188,8 +28322,11 @@ index 70f3007..6b6a6c4 100644
dev_manage_all_dev_nodes(kdumpctl_t)
domain_use_interactive_fds(kdumpctl_t)
-@@ -81,36 +91,47 @@ files_read_etc_runtime_files(kdumpctl_t)
- files_read_usr_files(kdumpctl_t)
+
+ files_create_kernel_img(kdumpctl_t)
+-files_read_etc_files(kdumpctl_t)
+ files_read_etc_runtime_files(kdumpctl_t)
+-files_read_usr_files(kdumpctl_t)
files_read_kernel_modules(kdumpctl_t)
files_getattr_all_dirs(kdumpctl_t)
+files_delete_kernel(kdumpctl_t)
@@ -28274,7 +28411,7 @@ index 182ab8b..8b1d9c2 100644
+')
+
diff --git a/kdumpgui.te b/kdumpgui.te
-index e7f5c81..acb89ac 100644
+index e7f5c81..fb73b38 100644
--- a/kdumpgui.te
+++ b/kdumpgui.te
@@ -1,4 +1,4 @@
@@ -28283,7 +28420,7 @@ index e7f5c81..acb89ac 100644
########################################
#
-@@ -7,61 +7,66 @@ policy_module(kdumpgui, 1.1.4)
+@@ -7,61 +7,65 @@ policy_module(kdumpgui, 1.1.4)
type kdumpgui_t;
type kdumpgui_exec_t;
@@ -28330,7 +28467,7 @@ index e7f5c81..acb89ac 100644
+# for blkid.tab
files_manage_etc_runtime_files(kdumpgui_t)
files_etc_filetrans_etc_runtime(kdumpgui_t, file)
- files_read_usr_files(kdumpgui_t)
+-files_read_usr_files(kdumpgui_t)
+fs_read_dos_files(kdumpgui_t)
fs_getattr_all_fs(kdumpgui_t)
@@ -28359,23 +28496,23 @@ index e7f5c81..acb89ac 100644
optional_policy(`
bootloader_exec(kdumpgui_t)
-@@ -73,11 +78,11 @@ optional_policy(`
+@@ -69,15 +73,7 @@ optional_policy(`
')
optional_policy(`
-- dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)
-+ consoletype_exec(kdumpgui_t)
-+')
-
+- consoletype_exec(kdumpgui_t)
+-')
+-
+-optional_policy(`
+ dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)
+-
- optional_policy(`
- policykit_dbus_chat(kdumpgui_t)
- ')
-+optional_policy(`
-+ dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)
')
optional_policy(`
-@@ -87,4 +92,10 @@ optional_policy(`
+@@ -87,4 +83,10 @@ optional_policy(`
optional_policy(`
kdump_manage_config(kdumpgui_t)
kdump_initrc_domtrans(kdumpgui_t)
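Review bot: The new inner hunk drops the nested `policykit_dbus_chat(kdumpgui_t)` together with the consoletype block, and nothing in the hunk says why; if kdumpgui still authorizes its D-Bus callers through polkit, kdumpgui_t loses the chat with the polkit daemon and the helper will fail with dbus denials. If that access is now granted by rules added earlier in this file section (the `@@ -7,61 +7,65 @@` hunk is not fully visible here), a one-line comment next to `dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)` such as `# policykit chat is granted with the declarations above` would stop the next reader from re-adding it.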
@@ -29110,7 +29247,7 @@ index f9de9fc..138e1e2 100644
+ kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
')
diff --git a/kerberos.te b/kerberos.te
-index 3465a9a..6127834 100644
+index 3465a9a..fe2c2da 100644
--- a/kerberos.te
+++ b/kerberos.te
@@ -1,4 +1,4 @@
@@ -29224,7 +29361,7 @@ index 3465a9a..6127834 100644
corenet_all_recvfrom_netlabel(kadmind_t)
corenet_tcp_sendrecv_generic_if(kadmind_t)
corenet_udp_sendrecv_generic_if(kadmind_t)
-@@ -119,20 +128,28 @@ corenet_tcp_sendrecv_all_ports(kadmind_t)
+@@ -119,31 +128,39 @@ corenet_tcp_sendrecv_all_ports(kadmind_t)
corenet_udp_sendrecv_all_ports(kadmind_t)
corenet_tcp_bind_generic_node(kadmind_t)
corenet_udp_bind_generic_node(kadmind_t)
@@ -29250,12 +29387,12 @@ index 3465a9a..6127834 100644
domain_use_interactive_fds(kadmind_t)
- files_read_etc_files(kadmind_t)
+-files_read_etc_files(kadmind_t)
+-files_read_usr_files(kadmind_t)
+files_read_usr_symlinks(kadmind_t)
- files_read_usr_files(kadmind_t)
files_read_var_files(kadmind_t)
-@@ -140,10 +157,12 @@ selinux_validate_context(kadmind_t)
+ selinux_validate_context(kadmind_t)
logging_send_syslog_msg(kadmind_t)
@@ -29269,7 +29406,7 @@ index 3465a9a..6127834 100644
sysnet_use_ldap(kadmind_t)
userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
-@@ -154,6 +173,10 @@ optional_policy(`
+@@ -154,6 +171,10 @@ optional_policy(`
')
optional_policy(`
@@ -29280,7 +29417,7 @@ index 3465a9a..6127834 100644
nis_use_ypbind(kadmind_t)
')
-@@ -174,24 +197,27 @@ optional_policy(`
+@@ -174,24 +195,27 @@ optional_policy(`
# Krb5kdc local policy
#
@@ -29312,7 +29449,7 @@ index 3465a9a..6127834 100644
logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;
-@@ -203,38 +229,36 @@ files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
+@@ -203,42 +227,39 @@ files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file)
@@ -29359,7 +29496,11 @@ index 3465a9a..6127834 100644
domain_use_interactive_fds(krb5kdc_t)
-@@ -247,10 +271,10 @@ selinux_validate_context(krb5kdc_t)
+-files_read_etc_files(krb5kdc_t)
+ files_read_usr_symlinks(krb5kdc_t)
+ files_read_var_files(krb5kdc_t)
+
+@@ -247,10 +268,10 @@ selinux_validate_context(krb5kdc_t)
logging_send_syslog_msg(krb5kdc_t)
miscfiles_read_generic_certs(krb5kdc_t)
@@ -29371,7 +29512,7 @@ index 3465a9a..6127834 100644
sysnet_use_ldap(krb5kdc_t)
userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
-@@ -261,11 +285,11 @@ optional_policy(`
+@@ -261,11 +282,11 @@ optional_policy(`
')
optional_policy(`
@@ -29385,7 +29526,7 @@ index 3465a9a..6127834 100644
')
optional_policy(`
-@@ -273,6 +297,10 @@ optional_policy(`
+@@ -273,6 +294,10 @@ optional_policy(`
')
optional_policy(`
@@ -29396,7 +29537,7 @@ index 3465a9a..6127834 100644
udev_read_db(krb5kdc_t)
')
-@@ -281,10 +309,12 @@ optional_policy(`
+@@ -281,10 +306,12 @@ optional_policy(`
# kpropd local policy
#
@@ -29412,7 +29553,7 @@ index 3465a9a..6127834 100644
allow kpropd_t krb5_host_rcache_t:file manage_file_perms;
-@@ -303,14 +333,11 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
+@@ -303,26 +330,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
corecmd_exec_bin(kpropd_t)
@@ -29428,7 +29569,10 @@ index 3465a9a..6127834 100644
dev_read_urand(kpropd_t)
-@@ -321,8 +348,6 @@ selinux_validate_context(kpropd_t)
+-files_read_etc_files(kpropd_t)
+ files_search_tmp(kpropd_t)
+
+ selinux_validate_context(kpropd_t)
logging_send_syslog_msg(kpropd_t)
@@ -29843,10 +29987,10 @@ index aa2a337..bb09e3c 100644
files_search_var_lib($1)
admin_pattern($1, kismet_var_lib_t)
diff --git a/kismet.te b/kismet.te
-index ea64ed5..fb28673 100644
+index ea64ed5..e60f701 100644
--- a/kismet.te
+++ b/kismet.te
-@@ -81,25 +81,24 @@ kernel_read_network_state(kismet_t)
+@@ -81,25 +81,22 @@ kernel_read_network_state(kismet_t)
corecmd_exec_bin(kismet_t)
@@ -29861,8 +30005,6 @@ index ea64ed5..fb28673 100644
-corenet_sendrecv_kismet_client_packets(kismet_t)
-corenet_tcp_connect_kismet_port(kismet_t)
-corenet_tcp_sendrecv_kismet_port(kismet_t)
-+corenet_tcp_bind_rtsclient_port(kismet_t)
-+corenet_tcp_connect_rtsclient_port(kismet_t)
+corenet_tcp_connect_pulseaudio_port(kismet_t)
-auth_use_nsswitch(kismet_t)
@@ -29911,21 +30053,10 @@ index c530214..b949a9f 100644
files_list_pids($1)
admin_pattern($1, ksmtuned_var_run_t)
diff --git a/ksmtuned.te b/ksmtuned.te
-index c1539b5..0af603d 100644
+index c1539b5..a090996 100644
--- a/ksmtuned.te
+++ b/ksmtuned.te
-@@ -32,6 +32,10 @@ create_files_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t)
- setattr_files_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t)
- logging_log_filetrans(ksmtuned_t, ksmtuned_log_t, { file dir })
-
-+manage_dirs_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t)
-+manage_files_pattern(ksmtuned_t, ksmtuned_log_t, ksmtuned_log_t)
-+logging_log_filetrans(ksmtuned_t, ksmtuned_log_t, { file dir })
-+
- manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t)
- files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file)
-
-@@ -43,6 +47,7 @@ corecmd_exec_shell(ksmtuned_t)
+@@ -43,6 +43,7 @@ corecmd_exec_shell(ksmtuned_t)
dev_rw_sysfs(ksmtuned_t)
domain_read_all_domains_state(ksmtuned_t)
@@ -29933,7 +30064,7 @@ index c1539b5..0af603d 100644
mls_file_read_to_clearance(ksmtuned_t)
-@@ -51,5 +56,3 @@ term_use_all_terms(ksmtuned_t)
+@@ -51,5 +52,3 @@ term_use_all_terms(ksmtuned_t)
auth_use_nsswitch(ksmtuned_t)
logging_send_syslog_msg(ksmtuned_t)
@@ -29990,10 +30121,18 @@ index 5297064..6ba8108 100644
domain_system_change_exemption($1)
role_transition $2 kudzu_initrc_exec_t system_r;
diff --git a/kudzu.te b/kudzu.te
-index 9725f1a..0ed9942 100644
+index 9725f1a..34aa63b 100644
--- a/kudzu.te
+++ b/kudzu.te
-@@ -101,11 +101,10 @@ libs_read_lib_files(kudzu_t)
+@@ -63,7 +63,6 @@ dev_rwx_zero(kudzu_t)
+ domain_use_interactive_fds(kudzu_t)
+
+ files_read_kernel_modules(kudzu_t)
+-files_read_usr_files(kudzu_t)
+ files_search_locks(kudzu_t)
+ files_manage_etc_files(kudzu_t)
+ files_manage_etc_runtime_files(kudzu_t)
+@@ -101,11 +100,10 @@ libs_read_lib_files(kudzu_t)
logging_send_syslog_msg(kudzu_t)
miscfiles_read_hwdata(kudzu_t)
@@ -30006,7 +30145,7 @@ index 9725f1a..0ed9942 100644
userdom_dontaudit_use_unpriv_user_fds(kudzu_t)
userdom_search_user_home_dirs(kudzu_t)
-@@ -122,10 +121,6 @@ optional_policy(`
+@@ -122,10 +120,6 @@ optional_policy(`
')
optional_policy(`
@@ -30439,7 +30578,7 @@ index ee0c7cc..6ec5f73 100644
+ allow $1 ldap_unit_file_t:service all_service_perms;
')
diff --git a/ldap.te b/ldap.te
-index d7d9b09..bfc2aa2 100644
+index d7d9b09..562c288 100644
--- a/ldap.te
+++ b/ldap.te
@@ -21,6 +21,9 @@ files_config_file(slapd_etc_t)
@@ -30452,18 +30591,7 @@ index d7d9b09..bfc2aa2 100644
type slapd_lock_t;
files_lock_file(slapd_lock_t)
-@@ -73,6 +76,10 @@ manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
- manage_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
- manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
-
-+manage_dirs_pattern(slapd_t, slapd_log_t, slapd_log_t)
-+manage_files_pattern(slapd_t, slapd_log_t, slapd_log_t)
-+logging_log_filetrans(slapd_t, slapd_log_t, { file dir })
-+
- manage_dirs_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
- manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
- files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
-@@ -88,7 +95,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
+@@ -88,7 +91,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
kernel_read_system_state(slapd_t)
kernel_read_kernel_sysctls(slapd_t)
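Review bot: The block giving slapd_t manage rights on slapd_log_t (`manage_dirs_pattern`, `manage_files_pattern` and the `logging_log_filetrans` to slapd_log_t) is removed from the inner patch, while the `@@ -21,6 +21,9 @@` hunk above still adds three lines after `files_config_file(slapd_etc_t)`; if those lines are the slapd_log_t declaration, the type is now declared with no domain allowed to write it, and a log directory labeled slapd_log_t becomes unwritable for slapd. Either drop the type together with these rules, or put a comment next to the declaration naming where the manage rules now live. I cannot see the body of the declaration hunk from here, so this may already be handled.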
@@ -30471,7 +30599,7 @@ index d7d9b09..bfc2aa2 100644
corenet_all_recvfrom_netlabel(slapd_t)
corenet_tcp_sendrecv_generic_if(slapd_t)
corenet_tcp_sendrecv_generic_node(slapd_t)
-@@ -110,25 +116,23 @@ fs_getattr_all_fs(slapd_t)
+@@ -110,25 +112,23 @@ fs_getattr_all_fs(slapd_t)
fs_search_auto_mountpoints(slapd_t)
files_read_etc_runtime_files(slapd_t)
@@ -30764,30 +30892,21 @@ index 98b5405..b1d3cdf 100644
-
sysnet_dns_name_resolve(lircd_t)
diff --git a/livecd.if b/livecd.if
-index e354181..da499d4 100644
+index e354181..c6b2383 100644
--- a/livecd.if
+++ b/livecd.if
-@@ -38,11 +38,39 @@ interface(`livecd_domtrans',`
+@@ -38,11 +38,32 @@ interface(`livecd_domtrans',`
#
interface(`livecd_run',`
gen_require(`
-- attribute_role livecd_roles;
+ type livecd_t;
+ type livecd_exec_t;
-+ #attribute_role livecd_roles;
+ attribute_role livecd_roles;
')
livecd_domtrans($1)
-- roleattribute $2 livecd_roles;
-+ #roleattribute $2 livecd_roles;
-+ role $2 types livecd_t;
+ roleattribute $2 livecd_roles;
+ role_transition $2 livecd_exec_t system_r;
-+
-+ seutil_run_setfiles_mac(livecd_t, system_r)
-+
-+ optional_policy(`
-+ mount_run(livecd_t, $2)
-+ ')
+')
+
+########################################
@@ -30810,28 +30929,10 @@ index e354181..da499d4 100644
########################################
diff --git a/livecd.te b/livecd.te
-index 33f64b5..09b5105 100644
+index 33f64b5..06b1661 100644
--- a/livecd.te
+++ b/livecd.te
-@@ -5,13 +5,14 @@ policy_module(livecd, 1.2.1)
- # Declarations
- #
-
--attribute_role livecd_roles;
--roleattribute system_r livecd_roles;
-+#attribute_role livecd_roles;
-+#roleattribute system_r livecd_roles;
-
- type livecd_t;
- type livecd_exec_t;
- application_domain(livecd_t, livecd_exec_t)
--role livecd_roles types livecd_t;
-+role system_r types livecd_t;
-+#role livecd_roles types livecd_t;
-
- type livecd_tmp_t;
- files_tmp_file(livecd_tmp_t)
-@@ -21,7 +22,7 @@ files_tmp_file(livecd_tmp_t)
+@@ -21,7 +21,7 @@ files_tmp_file(livecd_tmp_t)
# Local policy
#
@@ -30840,20 +30941,22 @@ index 33f64b5..09b5105 100644
domain_ptrace_all_domains(livecd_t)
-@@ -36,13 +37,5 @@ optional_policy(`
+@@ -35,12 +35,13 @@ sysnet_etc_filetrans_config(livecd_t)
+ optional_policy(`
hal_dbus_chat(livecd_t)
')
++
optional_policy(`
- mount_run(livecd_t, livecd_roles)
--')
--
--optional_policy(`
++ mount_run(livecd_t, livecd_roles)
+ ')
+
+ optional_policy(`
- rpm_domtrans(livecd_t)
--')
--
--optional_policy(`
- unconfined_domain_noaudit(livecd_t)
++ seutil_run_setfiles_mac(livecd_t, livecd_roles)
')
+
+ optional_policy(`
diff --git a/lldpad.if b/lldpad.if
index d18c960..fb5b674 100644
--- a/lldpad.if
@@ -30917,10 +31020,16 @@ index 648def0..0b6281d 100644
optional_policy(`
fcoe_dgram_send_fcoemon(lldpad_t)
diff --git a/loadkeys.te b/loadkeys.te
-index 6cbb977..fa49534 100644
+index 6cbb977..bd5406a 100644
--- a/loadkeys.te
+++ b/loadkeys.te
-@@ -31,14 +31,14 @@ files_read_etc_runtime_files(loadkeys_t)
+@@ -25,20 +25,19 @@ kernel_read_system_state(loadkeys_t)
+ corecmd_exec_bin(loadkeys_t)
+ corecmd_exec_shell(loadkeys_t)
+
+-files_read_etc_files(loadkeys_t)
+ files_read_etc_runtime_files(loadkeys_t)
+
term_dontaudit_use_console(loadkeys_t)
term_use_unallocated_ttys(loadkeys_t)
@@ -31021,7 +31130,7 @@ index dd8e01a..9cd6b0b 100644
##
##
diff --git a/logrotate.te b/logrotate.te
-index 7bab8e5..8a2583b 100644
+index 7bab8e5..3a2c50c 100644
--- a/logrotate.te
+++ b/logrotate.te
@@ -1,20 +1,18 @@
@@ -31083,7 +31192,7 @@ index 7bab8e5..8a2583b 100644
allow logrotate_t self:shm create_shm_perms;
allow logrotate_t self:sem create_sem_perms;
allow logrotate_t self:msgq create_msgq_perms;
-@@ -48,29 +52,47 @@ allow logrotate_t self:msg { send receive };
+@@ -48,79 +52,91 @@ allow logrotate_t self:msg { send receive };
allow logrotate_t logrotate_lock_t:file manage_file_perms;
files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
@@ -31134,8 +31243,8 @@ index 7bab8e5..8a2583b 100644
+# Read /proc/PID directories for all domains.
domain_read_all_domains_state(logrotate_t)
- files_read_usr_files(logrotate_t)
-@@ -78,49 +100,44 @@ files_read_etc_runtime_files(logrotate_t)
+-files_read_usr_files(logrotate_t)
+ files_read_etc_runtime_files(logrotate_t)
files_read_all_pids(logrotate_t)
files_search_all(logrotate_t)
files_read_var_lib_files(logrotate_t)
@@ -31203,7 +31312,7 @@ index 7bab8e5..8a2583b 100644
')
optional_policy(`
-@@ -140,11 +157,11 @@ optional_policy(`
+@@ -140,11 +156,11 @@ optional_policy(`
')
optional_policy(`
@@ -31217,7 +31326,7 @@ index 7bab8e5..8a2583b 100644
')
optional_policy(`
-@@ -178,7 +195,7 @@ optional_policy(`
+@@ -178,7 +194,7 @@ optional_policy(`
')
optional_policy(`
@@ -31226,7 +31335,7 @@ index 7bab8e5..8a2583b 100644
')
optional_policy(`
-@@ -198,17 +215,14 @@ optional_policy(`
+@@ -198,17 +214,14 @@ optional_policy(`
')
optional_policy(`
@@ -31247,7 +31356,7 @@ index 7bab8e5..8a2583b 100644
')
optional_policy(`
-@@ -228,10 +242,16 @@ optional_policy(`
+@@ -228,10 +241,16 @@ optional_policy(`
')
optional_policy(`
@@ -31264,7 +31373,7 @@ index 7bab8e5..8a2583b 100644
su_exec(logrotate_t)
')
-@@ -241,13 +261,11 @@ optional_policy(`
+@@ -241,13 +260,11 @@ optional_policy(`
#######################################
#
@@ -31284,7 +31393,7 @@ index 7bab8e5..8a2583b 100644
logging_read_all_logs(logrotate_mail_t)
+manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
diff --git a/logwatch.te b/logwatch.te
-index 4256a4c..ba62d5b 100644
+index 4256a4c..720b6cb 100644
--- a/logwatch.te
+++ b/logwatch.te
@@ -7,7 +7,8 @@ policy_module(logwatch, 1.11.6)
@@ -31297,12 +31406,12 @@ index 4256a4c..ba62d5b 100644
type logwatch_cache_t;
files_type(logwatch_cache_t)
-@@ -67,10 +68,12 @@ files_list_var(logwatch_t)
+@@ -67,10 +68,11 @@ files_list_var(logwatch_t)
files_search_all(logwatch_t)
files_read_var_symlinks(logwatch_t)
files_read_etc_runtime_files(logwatch_t)
+-files_read_usr_files(logwatch_t)
+files_read_system_conf_files(logwatch_t)
- files_read_usr_files(logwatch_t)
fs_getattr_all_dirs(logwatch_t)
fs_getattr_all_fs(logwatch_t)
@@ -31310,7 +31419,7 @@ index 4256a4c..ba62d5b 100644
fs_dontaudit_list_auto_mountpoints(logwatch_t)
fs_list_inotifyfs(logwatch_t)
-@@ -92,17 +95,22 @@ libs_read_lib_files(logwatch_t)
+@@ -92,13 +94,12 @@ libs_read_lib_files(logwatch_t)
logging_read_all_logs(logwatch_t)
logging_send_syslog_msg(logwatch_t)
@@ -31325,17 +31434,7 @@ index 4256a4c..ba62d5b 100644
mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)
mta_getattr_spool(logwatch_t)
-
-+ifdef(`distro_redhat',`
-+ files_search_all(logwatch_t)
-+ files_getattr_all_files(logwatch_t)
-+ files_getattr_all_file_type_fs(logwatch_t)
-+')
-+
- tunable_policy(`use_nfs_home_dirs',`
- fs_list_nfs(logwatch_t)
- ')
-@@ -164,6 +172,8 @@ dev_read_sysfs(logwatch_mail_t)
+@@ -164,6 +165,8 @@ dev_read_sysfs(logwatch_mail_t)
logging_read_all_logs(logwatch_mail_t)
@@ -31357,10 +31456,10 @@ index 2fb9b2e..08974e3 100644
/usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0)
diff --git a/lpd.if b/lpd.if
-index 6256371..628b63c 100644
+index 6256371..7826e38 100644
--- a/lpd.if
+++ b/lpd.if
-@@ -1,44 +1,37 @@
+@@ -1,44 +1,49 @@
-## Line printer daemon.
+## Line printer daemon
@@ -31385,7 +31484,7 @@ index 6256371..628b63c 100644
#
interface(`lpd_role',`
gen_require(`
-- attribute_role lpr_roles;
+ attribute_role lpr_roles;
- type lpr_t, lpr_exec_t;
+ type lpr_t, lpr_exec_t, print_spool_t;
')
@@ -31394,14 +31493,21 @@ index 6256371..628b63c 100644
- #
- # Declarations
- #
--
-- roleattribute $1 lpr_roles;
--
++ ########################################
++ #
++ # Declarations
++ #
+
+ roleattribute $1 lpr_roles;
+
- ########################################
- #
- # Policy
- #
-+ role $1 types lpr_t;
++ ########################################
++ #
++ # Policy
++ #
+ # Transition from the user domain to the derived domain.
domtrans_pattern($2, lpr_exec_t, lpr_t)
@@ -31409,16 +31515,16 @@ index 6256371..628b63c 100644
- allow $2 lpr_t:process { ptrace signal_perms };
ps_process_pattern($2, lpr_t)
--
-- dontaudit lpr_t $2:unix_stream_socket { read write };
+ allow $2 lpr_t:process signal_perms;
+
+- dontaudit lpr_t $2:unix_stream_socket { read write };
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 lpr_t:process ptrace;
+ ')
optional_policy(`
cups_read_config($2)
-@@ -60,15 +53,13 @@ interface(`lpd_domtrans_checkpc',`
+@@ -60,15 +65,13 @@ interface(`lpd_domtrans_checkpc',`
type checkpc_t, checkpc_exec_t;
')
@@ -31436,7 +31542,7 @@ index 6256371..628b63c 100644
##
##
##
-@@ -84,16 +75,16 @@ interface(`lpd_domtrans_checkpc',`
+@@ -84,16 +87,16 @@ interface(`lpd_domtrans_checkpc',`
#
interface(`lpd_run_checkpc',`
gen_require(`
@@ -31456,7 +31562,7 @@ index 6256371..628b63c 100644
##
##
##
-@@ -112,7 +103,7 @@ interface(`lpd_list_spool',`
+@@ -112,7 +115,7 @@ interface(`lpd_list_spool',`
########################################
##
@@ -31465,7 +31571,7 @@ index 6256371..628b63c 100644
##
##
##
-@@ -131,8 +122,7 @@ interface(`lpd_read_spool',`
+@@ -131,8 +134,7 @@ interface(`lpd_read_spool',`
########################################
##
@@ -31475,7 +31581,7 @@ index 6256371..628b63c 100644
##
##
##
-@@ -153,7 +143,7 @@ interface(`lpd_manage_spool',`
+@@ -153,7 +155,7 @@ interface(`lpd_manage_spool',`
########################################
##
@@ -31484,7 +31590,7 @@ index 6256371..628b63c 100644
##
##
##
-@@ -172,7 +162,7 @@ interface(`lpd_relabel_spool',`
+@@ -172,7 +174,7 @@ interface(`lpd_relabel_spool',`
########################################
##
@@ -31493,7 +31599,7 @@ index 6256371..628b63c 100644
##
##
##
-@@ -200,12 +190,11 @@ interface(`lpd_read_config',`
+@@ -200,12 +202,11 @@ interface(`lpd_read_config',`
##
##
#
@@ -31507,18 +31613,7 @@ index 6256371..628b63c 100644
domtrans_pattern($1, lpr_exec_t, lpr_t)
')
-@@ -228,16 +217,17 @@ template(`lpd_domtrans_lpr',`
- #
- interface(`lpd_run_lpr',`
- gen_require(`
-- attribute_role lpr_roles;
-+ type lpr_t;
- ')
-
- lpd_domtrans_lpr($1)
-- roleattribute $2 lpr_roles;
-+ role $2 types lpr_t;
- ')
+@@ -237,7 +238,8 @@ interface(`lpd_run_lpr',`
########################################
##
@@ -31528,7 +31623,7 @@ index 6256371..628b63c 100644
##
##
##
-@@ -250,6 +240,5 @@ interface(`lpd_exec_lpr',`
+@@ -250,6 +252,5 @@ interface(`lpd_exec_lpr',`
type lpr_exec_t;
')
@@ -31536,7 +31631,7 @@ index 6256371..628b63c 100644
can_exec($1, lpr_exec_t)
')
diff --git a/lpd.te b/lpd.te
-index b9270f7..0fd2f4c 100644
+index b9270f7..15f3748 100644
--- a/lpd.te
+++ b/lpd.te
@@ -48,7 +48,7 @@ userdom_user_tmp_file(lpr_tmp_t)
@@ -31612,7 +31707,15 @@ index b9270f7..0fd2f4c 100644
corenet_all_recvfrom_netlabel(lpr_t)
corenet_tcp_sendrecv_generic_if(lpr_t)
corenet_tcp_sendrecv_generic_node(lpr_t)
-@@ -249,23 +242,27 @@ term_use_generic_ptys(lpr_t)
+@@ -239,7 +232,6 @@ dev_read_urand(lpr_t)
+ domain_use_interactive_fds(lpr_t)
+
+ files_search_spool(lpr_t)
+-files_read_usr_files(lpr_t)
+ files_list_home(lpr_t)
+
+ fs_getattr_all_fs(lpr_t)
+@@ -249,23 +241,27 @@ term_use_generic_ptys(lpr_t)
auth_use_nsswitch(lpr_t)
@@ -31647,7 +31750,7 @@ index b9270f7..0fd2f4c 100644
manage_dirs_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t)
manage_files_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t)
-@@ -279,17 +276,7 @@ tunable_policy(`use_lpd_server',`
+@@ -279,17 +275,7 @@ tunable_policy(`use_lpd_server',`
allow lpr_t printconf_t:lnk_file read_lnk_file_perms;
')
@@ -31666,7 +31769,7 @@ index b9270f7..0fd2f4c 100644
optional_policy(`
cups_read_config(lpr_t)
-@@ -298,5 +285,13 @@ optional_policy(`
+@@ -298,5 +284,13 @@ optional_policy(`
')
optional_policy(`
@@ -31987,7 +32090,7 @@ index 108c0f1..d28241c 100644
domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t)
')
diff --git a/mailman.te b/mailman.te
-index 8eaf51b..256819c 100644
+index 8eaf51b..5e9f5bb 100644
--- a/mailman.te
+++ b/mailman.te
@@ -56,10 +56,7 @@ setattr_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)
@@ -32012,17 +32115,7 @@ index 8eaf51b..256819c 100644
########################################
#
# CGI local policy
-@@ -104,6 +97,9 @@ optional_policy(`
- apache_search_sys_script_state(mailman_cgi_t)
- apache_read_config(mailman_cgi_t)
- apache_dontaudit_rw_stream_sockets(mailman_cgi_t)
-+
-+ postfix_read_config(mailman_cgi_t)
-+
- ')
-
- optional_policy(`
-@@ -115,8 +111,9 @@ optional_policy(`
+@@ -115,8 +108,9 @@ optional_policy(`
# Mail local policy
#
@@ -32034,25 +32127,17 @@ index 8eaf51b..256819c 100644
manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
-@@ -126,10 +123,17 @@ corenet_sendrecv_innd_client_packets(mailman_mail_t)
- corenet_tcp_connect_innd_port(mailman_mail_t)
+@@ -127,8 +121,8 @@ corenet_tcp_connect_innd_port(mailman_mail_t)
corenet_tcp_sendrecv_innd_port(mailman_mail_t)
-+manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
-+manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
-+files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir })
-+
corenet_sendrecv_spamd_client_packets(mailman_mail_t)
- corenet_tcp_connect_spamd_port(mailman_mail_t)
+-corenet_tcp_connect_spamd_port(mailman_mail_t)
corenet_tcp_sendrecv_spamd_port(mailman_mail_t)
-
-+corenet_tcp_connect_innd_port(mailman_mail_t)
+corenet_tcp_connect_spamd_port(mailman_mail_t)
-+
+
dev_read_urand(mailman_mail_t)
- fs_rw_anon_inodefs_files(mailman_mail_t)
-@@ -142,6 +146,10 @@ optional_policy(`
+@@ -142,6 +136,10 @@ optional_policy(`
')
optional_policy(`
@@ -32063,15 +32148,6 @@ index 8eaf51b..256819c 100644
cron_read_pipes(mailman_mail_t)
')
-@@ -163,6 +171,8 @@ corenet_sendrecv_innd_client_packets(mailman_queue_t)
- corenet_tcp_connect_innd_port(mailman_queue_t)
- corenet_tcp_sendrecv_innd_port(mailman_queue_t)
-
-+corenet_tcp_connect_innd_port(mailman_queue_t)
-+
- auth_domtrans_chk_passwd(mailman_queue_t)
-
- files_dontaudit_search_pids(mailman_queue_t)
diff --git a/mailscanner.if b/mailscanner.if
index 0293f34..bd1d48e 100644
--- a/mailscanner.if
@@ -32154,7 +32230,7 @@ index 0293f34..bd1d48e 100644
+ files_list_pids($1)
')
diff --git a/mailscanner.te b/mailscanner.te
-index 725ba32..38269ae 100644
+index 725ba32..f0ceff1 100644
--- a/mailscanner.te
+++ b/mailscanner.te
@@ -34,6 +34,7 @@ allow mscan_t self:process signal;
@@ -32165,7 +32241,15 @@ index 725ba32..38269ae 100644
manage_files_pattern(mscan_t, mscan_var_run_t, mscan_var_run_t)
files_pid_filetrans(mscan_t, mscan_var_run_t, file)
-@@ -81,10 +82,9 @@ auth_use_nsswitch(mscan_t)
+@@ -72,7 +73,6 @@ corenet_udp_sendrecv_all_ports(mscan_t)
+
+ dev_read_urand(mscan_t)
+
+-files_read_usr_files(mscan_t)
+
+ fs_getattr_xattr_fs(mscan_t)
+
+@@ -81,10 +81,9 @@ auth_use_nsswitch(mscan_t)
logging_send_syslog_msg(mscan_t)
@@ -32177,7 +32261,7 @@ index 725ba32..38269ae 100644
')
optional_policy(`
-@@ -97,5 +97,6 @@ optional_policy(`
+@@ -97,5 +96,6 @@ optional_policy(`
')
optional_policy(`
@@ -32355,15 +32439,17 @@ index e08c55d..9e634bd 100644
+
+')
diff --git a/mandb.fc b/mandb.fc
-index 2de0f64..03f96e3 100644
+index 2de0f64..85c3827 100644
--- a/mandb.fc
+++ b/mandb.fc
-@@ -1 +1,5 @@
+@@ -1 +1,7 @@
/etc/cron.daily/man-db\.cron -- gen_context(system_u:object_r:mandb_exec_t,s0)
+
+/usr/bin/mandb -- gen_context(system_u:object_r:mandb_exec_t,s0)
+
+/var/cache/man(/.*)? gen_context(system_u:object_r:mandb_cache_t,s0)
++
++/var/lock/man-db\.lock -- gen_context(system_u:object_r:mandb_lock_t,s0)
diff --git a/mandb.if b/mandb.if
index 327f3f7..65bfa15 100644
--- a/mandb.if
@@ -32581,10 +32667,10 @@ index 327f3f7..65bfa15 100644
+ ')
')
diff --git a/mandb.te b/mandb.te
-index 5a414e0..4e159c2 100644
+index 5a414e0..e2f4ce0 100644
--- a/mandb.te
+++ b/mandb.te
-@@ -10,9 +10,12 @@ roleattribute system_r mandb_roles;
+@@ -10,25 +10,40 @@ roleattribute system_r mandb_roles;
type mandb_t;
type mandb_exec_t;
@@ -32595,10 +32681,16 @@ index 5a414e0..4e159c2 100644
+type mandb_cache_t;
+files_type(mandb_cache_t)
+
++type mandb_lock_t;
++files_lock_file(mandb_lock_t)
++
########################################
#
# Local policy
-@@ -22,14 +25,17 @@ allow mandb_t self:process signal;
+ #
+
+-allow mandb_t self:process signal;
++allow mandb_t self:process { setsched signal };
allow mandb_t self:fifo_file rw_fifo_file_perms;
allow mandb_t self:unix_stream_socket create_stream_socket_perms;
@@ -32606,6 +32698,10 @@ index 5a414e0..4e159c2 100644
+manage_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
+manage_lnk_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
+files_var_filetrans(mandb_t, mandb_cache_t, { dir file lnk_file })
++can_exec(mandb_t, mandb_exec_t)
++
++allow mandb_t mandb_lock_t:file manage_file_perms;
++files_lock_filetrans(mandb_t, mandb_lock_t, file)
+
kernel_read_system_state(mandb_t)
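Review bot: `files_lock_filetrans(mandb_t, mandb_lock_t, file)` is an unnamed transition, so any file mandb_t creates in the lock directory is labelled mandb_lock_t, whereas the mandb.fc entry added earlier in this patch only covers `/var/lock/man-db\.lock`; if the interface accepts the optional filename argument, as the other filetrans calls in this patch do, `files_lock_filetrans(mandb_t, mandb_lock_t, file, "man-db.lock")` keeps the runtime labelling and the file context in step. The neighbouring `files_var_filetrans(mandb_t, mandb_cache_t, { dir file lnk_file })` has the same breadth relative to `/var/cache/man(/.*)?` and could be narrowed the same way. `can_exec(mandb_t, mandb_exec_t)` is new and unexplained; a short why-comment on why the domain must execute its own entrypoint without a transition would help the next reader.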
@@ -32614,10 +32710,10 @@ index 5a414e0..4e159c2 100644
domain_use_interactive_fds(mandb_t)
-files_read_etc_files(mandb_t)
--
++files_search_locks(mandb_t)
+
miscfiles_manage_man_cache(mandb_t)
- optional_policy(`
diff --git a/mcelog.if b/mcelog.if
index 9dbe694..f89651e 100644
--- a/mcelog.if
@@ -32631,7 +32727,7 @@ index 9dbe694..f89651e 100644
admin_pattern($1, mcelog_var_run_t)
')
diff --git a/mcelog.te b/mcelog.te
-index 13ea191..799df10 100644
+index 13ea191..b5fdecf 100644
--- a/mcelog.te
+++ b/mcelog.te
@@ -36,13 +36,6 @@ gen_tunable(mcelog_foreground, false)
@@ -32648,19 +32744,8 @@ index 13ea191..799df10 100644
type mcelog_t;
type mcelog_exec_t;
init_daemon_domain(mcelog_t, mcelog_exec_t)
-@@ -82,19 +75,31 @@ manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
- manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
- files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file })
+@@ -84,17 +77,20 @@ files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file })
-+manage_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
-+manage_dirs_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
-+logging_log_filetrans(mcelog_t, mcelog_log_t, { file dir })
-+
-+manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
-+manage_dirs_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
-+manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
-+files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file } )
-+
kernel_read_system_state(mcelog_t)
+corecmd_exec_shell(mcelog_t)
@@ -32683,7 +32768,7 @@ index 13ea191..799df10 100644
tunable_policy(`mcelog_client',`
allow mcelog_t self:unix_stream_socket connectto;
-@@ -114,9 +119,6 @@ tunable_policy(`mcelog_server',`
+@@ -114,9 +110,6 @@ tunable_policy(`mcelog_server',`
allow mcelog_t self:unix_stream_socket { listen accept };
')
@@ -32824,10 +32909,10 @@ index 0000000..e76a9b5
+')
diff --git a/mcollective.te b/mcollective.te
new file mode 100644
-index 0000000..5dd171f
+index 0000000..a04dd6b
--- /dev/null
+++ b/mcollective.te
-@@ -0,0 +1,30 @@
+@@ -0,0 +1,29 @@
+policy_module(mcollective, 1.0.0)
+
+########################################
@@ -32857,7 +32942,6 @@ index 0000000..5dd171f
+
+domain_use_interactive_fds(mcollective_t)
+
-+files_read_etc_files(mcollective_t)
diff --git a/mediawiki.if b/mediawiki.if
index 9771b4b..1c1d012 100644
--- a/mediawiki.if
@@ -33270,10 +33354,10 @@ index cba62db..bdf319a 100644
+ delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
+')
diff --git a/milter.te b/milter.te
-index 92508b2..64c2969 100644
+index 92508b2..38c718c 100644
--- a/milter.te
+++ b/milter.te
-@@ -1,77 +1,98 @@
+@@ -1,77 +1,96 @@
-policy_module(milter, 1.4.2)
+policy_module(milter, 1.4.0)
@@ -33379,10 +33463,9 @@ index 92508b2..64c2969 100644
+corenet_tcp_connect_movaz_ssc_port(greylist_milter_t)
+corenet_tcp_bind_rtsclient_port(greylist_milter_t)
+-files_read_usr_files(greylist_milter_t)
+# perl getgroups() reads a bunch of files in /etc
-+files_read_etc_files(greylist_milter_t)
+# Allow the milter to read a GeoIP database in /usr/share
- files_read_usr_files(greylist_milter_t)
+# The milter runs from /var/lib/milter-greylist and maintains files there
files_search_var_lib(greylist_milter_t)
@@ -33399,7 +33482,7 @@ index 92508b2..64c2969 100644
optional_policy(`
mysql_stream_connect(greylist_milter_t)
-@@ -79,30 +100,48 @@ optional_policy(`
+@@ -79,30 +98,48 @@ optional_policy(`
########################################
#
@@ -33777,10 +33860,10 @@ index 0000000..7f6f2d6
+')
diff --git a/mock.te b/mock.te
new file mode 100644
-index 0000000..ecfd7be
+index 0000000..d27f8f3
--- /dev/null
+++ b/mock.te
-@@ -0,0 +1,247 @@
+@@ -0,0 +1,245 @@
+policy_module(mock,1.0.0)
+
+##
@@ -33882,7 +33965,6 @@ index 0000000..ecfd7be
+domain_use_interactive_fds(mock_t)
+
+files_read_etc_runtime_files(mock_t)
-+files_read_usr_files(mock_t)
+files_dontaudit_list_boot(mock_t)
+
+fs_getattr_all_fs(mock_t)
@@ -34010,7 +34092,6 @@ index 0000000..ecfd7be
+domain_dontaudit_read_all_domains_state(mock_build_t)
+domain_use_interactive_fds(mock_build_t)
+
-+files_read_usr_files(mock_build_t)
+files_dontaudit_list_boot(mock_build_t)
+
+fs_getattr_all_fs(mock_build_t)
@@ -34029,10 +34110,14 @@ index 0000000..ecfd7be
+ userdom_read_user_home_content_files(mock_build_t)
+')
diff --git a/modemmanager.te b/modemmanager.te
-index cb4c13d..14e8f87 100644
+index cb4c13d..d744144 100644
--- a/modemmanager.te
+++ b/modemmanager.te
-@@ -31,8 +31,9 @@ files_read_etc_files(modemmanager_t)
+@@ -27,12 +27,12 @@ kernel_read_system_state(modemmanager_t)
+ dev_read_sysfs(modemmanager_t)
+ dev_rw_modem(modemmanager_t)
+
+-files_read_etc_files(modemmanager_t)
term_use_generic_ptys(modemmanager_t)
term_use_unallocated_ttys(modemmanager_t)
@@ -34253,10 +34338,10 @@ index 6ffaba2..0fa08be 100644
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
+')
diff --git a/mozilla.if b/mozilla.if
-index 6194b80..cccec7e 100644
+index 6194b80..110cdc6 100644
--- a/mozilla.if
+++ b/mozilla.if
-@@ -1,146 +1,76 @@
+@@ -1,146 +1,75 @@
-## Policy for Mozilla and related web browsers.
+## Policy for Mozilla and related web browsers
@@ -34283,19 +34368,16 @@ index 6194b80..cccec7e 100644
type mozilla_t, mozilla_exec_t, mozilla_home_t;
- type mozilla_tmp_t, mozilla_tmpfs_t, mozilla_plugin_tmp_t;
- type mozilla_plugin_tmpfs_t, mozilla_plugin_home_t;
-- attribute_role mozilla_roles;
-+ #attribute_role mozilla_roles;
+ attribute_role mozilla_roles;
')
- ########################################
- #
- # Declarations
- #
-+ #roleattribute $1 mozilla_roles;
-+ role $1 types mozilla_t;
-
-- roleattribute $1 mozilla_roles;
-
+ roleattribute $1 mozilla_roles;
+
- ########################################
- #
- # Policy
@@ -34439,7 +34521,7 @@ index 6194b80..cccec7e 100644
##
##
##
-@@ -153,15 +83,15 @@ interface(`mozilla_read_user_home_files',`
+@@ -153,15 +82,15 @@ interface(`mozilla_read_user_home_files',`
type mozilla_home_t;
')
@@ -34457,7 +34539,7 @@ index 6194b80..cccec7e 100644
##
##
##
-@@ -174,14 +104,13 @@ interface(`mozilla_write_user_home_files',`
+@@ -174,14 +103,13 @@ interface(`mozilla_write_user_home_files',`
type mozilla_home_t;
')
@@ -34474,7 +34556,7 @@ index 6194b80..cccec7e 100644
##
##
##
-@@ -194,14 +123,12 @@ interface(`mozilla_dontaudit_rw_user_home_files',`
+@@ -194,14 +122,12 @@ interface(`mozilla_dontaudit_rw_user_home_files',`
type mozilla_home_t;
')
@@ -34491,7 +34573,7 @@ index 6194b80..cccec7e 100644
##
##
##
-@@ -216,12 +143,11 @@ interface(`mozilla_dontaudit_manage_user_home_files',`
+@@ -216,12 +142,11 @@ interface(`mozilla_dontaudit_manage_user_home_files',`
dontaudit $1 mozilla_home_t:dir manage_dir_perms;
dontaudit $1 mozilla_home_t:file manage_file_perms;
@@ -34505,7 +34587,7 @@ index 6194b80..cccec7e 100644
##
##
##
-@@ -230,33 +156,16 @@ interface(`mozilla_dontaudit_manage_user_home_files',`
+@@ -230,33 +155,16 @@ interface(`mozilla_dontaudit_manage_user_home_files',`
##
#
interface(`mozilla_exec_user_home_files',`
@@ -34542,7 +34624,7 @@ index 6194b80..cccec7e 100644
##
##
##
-@@ -265,27 +174,11 @@ interface(`mozilla_exec_user_plugin_home_files',`
+@@ -265,27 +173,11 @@ interface(`mozilla_exec_user_plugin_home_files',`
##
#
interface(`mozilla_execmod_user_home_files',`
@@ -34572,7 +34654,7 @@ index 6194b80..cccec7e 100644
')
########################################
-@@ -303,102 +196,102 @@ interface(`mozilla_domtrans',`
+@@ -303,102 +195,98 @@ interface(`mozilla_domtrans',`
type mozilla_t, mozilla_exec_t;
')
@@ -34654,21 +34736,19 @@ index 6194b80..cccec7e 100644
gen_require(`
- attribute_role mozilla_plugin_roles;
+ type mozilla_plugin_t;
++ attribute_role mozilla_plugin_roles, mozilla_plugin_config_roles;
')
mozilla_domtrans_plugin($1)
-- roleattribute $2 mozilla_plugin_roles;
-+ role $2 types mozilla_plugin_t;
-+ role $2 types mozilla_plugin_config_t;
+ roleattribute $2 mozilla_plugin_roles;
++ roleattribute $2 mozilla_plugin_config_roles;
')
-########################################
-+#######################################
- ##
+-##
-## Execute a domain transition to
-## run mozilla plugin config.
-+## Execute qemu unconfined programs in the role.
- ##
+-##
-##
-##
-## Domain allowed to transition.
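Review bot: `type mozilla_plugin_t;` at the top of mozilla_run_plugin's gen_require is no longer referenced on the new side now that the two `role $2 types …` lines are replaced by `roleattribute $2 mozilla_plugin_roles;` and `roleattribute $2 mozilla_plugin_config_roles;` (the domain transition itself comes from mozilla_domtrans_plugin, which carries its own require); drop the entry unless a line outside this hunk still uses it. The interface's opening line is above the hunk, so that cannot be confirmed from here.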
@@ -34685,12 +34765,14 @@ index 6194b80..cccec7e 100644
-')
-
-########################################
--##
++#######################################
+ ##
-## Execute mozilla plugin config in
-## the mozilla plugin config domain,
-## and allow the specified role the
-## mozilla plugin config domain.
--##
++## Execute qemu unconfined programs in the role.
+ ##
-##
-##
-## Domain allowed to transition.
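Review bot: The summary `## Execute qemu unconfined programs in the role.` in the comment block that now precedes the new mozilla_role_plugin interface (whose body begins in the next hunk) describes a different module and does not match what the interface does, which is to add the role to mozilla_plugin_roles and mozilla_plugin_config_roles. Replace it with something like `## Allow the specified role the mozilla plugin and plugin config domains.` so the generated interface documentation is not misleading.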
@@ -34712,22 +34794,17 @@ index 6194b80..cccec7e 100644
- ')
+interface(`mozilla_role_plugin',`
+ gen_require(`
-+ type mozilla_plugin_t;
-+ type mozilla_plugin_config_t;
++ attribute_role mozilla_plugin_roles, mozilla_plugin_config_roles;
+ ')
- mozilla_domtrans_plugin_config($1)
- roleattribute $2 mozilla_plugin_config_roles;
-+ role $1 types mozilla_plugin_t;
-+ role $1 types mozilla_plugin_config_t;
-+
-+ optional_policy(`
-+ lpd_run_lpr(mozilla_plugin_t, $1)
-+ ')
++ roleattribute $1 mozilla_plugin_roles;
++ roleattribute $1 mozilla_plugin_config_roles;
')
########################################
-@@ -424,8 +317,7 @@ interface(`mozilla_dbus_chat',`
+@@ -424,8 +312,7 @@ interface(`mozilla_dbus_chat',`
########################################
##
@@ -34737,7 +34814,7 @@ index 6194b80..cccec7e 100644
##
##
##
-@@ -433,76 +325,90 @@ interface(`mozilla_dbus_chat',`
+@@ -433,76 +320,90 @@ interface(`mozilla_dbus_chat',`
##
##
#
@@ -34857,7 +34934,7 @@ index 6194b80..cccec7e 100644
##
##
##
-@@ -510,19 +416,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
+@@ -510,19 +411,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
##
##
#
@@ -34882,7 +34959,7 @@ index 6194b80..cccec7e 100644
##
##
##
-@@ -530,45 +435,45 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
+@@ -530,45 +430,45 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
##
##
#
@@ -34953,7 +35030,7 @@ index 6194b80..cccec7e 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..8247246 100644
+index 6a306ee..d579caa 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -1,4 +1,4 @@
@@ -34962,7 +35039,7 @@ index 6a306ee..8247246 100644
########################################
#
-@@ -6,23 +6,38 @@ policy_module(mozilla, 2.7.4)
+@@ -6,17 +6,34 @@ policy_module(mozilla, 2.7.4)
#
##
@@ -34976,10 +35053,7 @@ index 6a306ee..8247246 100644
##
-gen_tunable(mozilla_execstack, false)
+gen_tunable(mozilla_plugin_can_network_connect, false)
-
--attribute_role mozilla_roles;
--attribute_role mozilla_plugin_roles;
--attribute_role mozilla_plugin_config_roles;
++
+##
+##
+## Allow confined web browsers to read home directory content
@@ -34993,36 +35067,39 @@ index 6a306ee..8247246 100644
+##
+##
+gen_tunable(mozilla_plugin_enable_homedirs, false)
-+
-+#attribute_role mozilla_roles;
+ attribute_role mozilla_roles;
+ attribute_role mozilla_plugin_roles;
+ attribute_role mozilla_plugin_config_roles;
+
++roleattribute system_r mozilla_roles;
++roleattribute system_r mozilla_plugin_roles;
++roleattribute system_r mozilla_plugin_config_roles;
++
type mozilla_t;
type mozilla_exec_t;
typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
- typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
+@@ -24,6 +41,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
userdom_user_application_domain(mozilla_t, mozilla_exec_t)
--role mozilla_roles types mozilla_t;
-+#role mozilla_roles types mozilla_t;
-+role system_r types mozilla_t;
-+
+ role mozilla_roles types mozilla_t;
+
+type mozilla_conf_t;
+files_config_file(mozilla_conf_t)
-
++
type mozilla_home_t;
typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
-@@ -31,29 +46,26 @@ userdom_user_home_content(mozilla_home_t)
+ typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
+@@ -31,29 +51,24 @@ userdom_user_home_content(mozilla_home_t)
type mozilla_plugin_t;
type mozilla_plugin_exec_t;
-userdom_user_application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
--role mozilla_plugin_roles types mozilla_plugin_t;
--
--type mozilla_plugin_home_t;
--userdom_user_home_content(mozilla_plugin_home_t)
+application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
-+#role mozilla_roles types mozilla_plugin_t;
-+role system_r types mozilla_plugin_t;
+ role mozilla_plugin_roles types mozilla_plugin_t;
+-type mozilla_plugin_home_t;
+-userdom_user_home_content(mozilla_plugin_home_t)
+-
type mozilla_plugin_tmp_t;
+userdom_user_tmp_content(mozilla_plugin_tmp_t)
userdom_user_tmp_file(mozilla_plugin_tmp_t)
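Review bot: The three new lines `roleattribute system_r mozilla_roles;`, `roleattribute system_r mozilla_plugin_roles;` and `roleattribute system_r mozilla_plugin_config_roles;` authorize system_r for every mozilla domain but carry no explanation, and this is a deliberate widening of what system_r may run. A one-line comment above them naming the caller that needs system_r in these roles would let a future reader judge whether it is still required; without it the lines read like a leftover from the earlier `role system_r types …` approach this hunk removes.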
@@ -35043,12 +35120,11 @@ index 6a306ee..8247246 100644
-userdom_user_application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t)
-role mozilla_plugin_config_roles types mozilla_plugin_config_t;
+application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t)
-+#role mozilla_roles types mozilla_plugin_config_t;
-+role system_r types mozilla_plugin_config_t;
++role mozilla_roles types mozilla_plugin_config_t;
type mozilla_tmp_t;
userdom_user_tmp_file(mozilla_tmp_t)
-@@ -63,10 +75,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys
+@@ -63,10 +78,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys
typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
userdom_user_tmpfs_file(mozilla_tmpfs_t)
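Review bot: `role mozilla_roles types mozilla_plugin_config_t;` authorizes the plugin-config domain to mozilla_roles, while the mozilla.if hunks earlier in this patch have mozilla_run_plugin and mozilla_role_plugin add callers to `mozilla_plugin_config_roles`, and nothing on the new side authorizes that attribute for any type now that the upstream `role mozilla_plugin_config_roles types mozilla_plugin_config_t;` is removed. As written, roles granted through those interfaces get no plugin-config domain and mozilla_plugin_config_roles is a populated but dead attribute. If the interfaces express the intent, this line should read `role mozilla_plugin_config_roles types mozilla_plugin_config_t;`; if mozilla_roles is intended, the interfaces and the spare attribute should be adjusted instead.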
@@ -35059,7 +35135,7 @@ index 6a306ee..8247246 100644
########################################
#
# Local policy
-@@ -75,23 +83,26 @@ optional_policy(`
+@@ -75,23 +86,26 @@ optional_policy(`
allow mozilla_t self:capability { sys_nice setgid setuid };
allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
allow mozilla_t self:fifo_file rw_fifo_file_perms;
@@ -35098,7 +35174,7 @@ index 6a306ee..8247246 100644
manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
-@@ -103,76 +114,70 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
+@@ -103,76 +117,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
@@ -35188,7 +35264,7 @@ index 6a306ee..8247246 100644
domain_dontaudit_read_all_domains_state(mozilla_t)
files_read_etc_runtime_files(mozilla_t)
- files_read_usr_files(mozilla_t)
+-files_read_usr_files(mozilla_t)
-files_read_var_files(mozilla_t)
+# /var/lib
files_read_var_lib_files(mozilla_t)
@@ -35206,7 +35282,7 @@ index 6a306ee..8247246 100644
term_dontaudit_getattr_pty_dirs(mozilla_t)
-@@ -181,56 +186,73 @@ auth_use_nsswitch(mozilla_t)
+@@ -181,56 +188,73 @@ auth_use_nsswitch(mozilla_t)
logging_send_syslog_msg(mozilla_t)
miscfiles_read_fonts(mozilla_t)
@@ -35317,7 +35393,7 @@ index 6a306ee..8247246 100644
')
optional_policy(`
-@@ -244,19 +266,12 @@ optional_policy(`
+@@ -244,19 +268,12 @@ optional_policy(`
optional_policy(`
cups_read_rw_config(mozilla_t)
@@ -35339,7 +35415,7 @@ index 6a306ee..8247246 100644
optional_policy(`
networkmanager_dbus_chat(mozilla_t)
-@@ -265,33 +280,32 @@ optional_policy(`
+@@ -265,33 +282,32 @@ optional_policy(`
optional_policy(`
gnome_stream_connect_gconf(mozilla_t)
@@ -35387,7 +35463,7 @@ index 6a306ee..8247246 100644
')
optional_policy(`
-@@ -300,63 +314,53 @@ optional_policy(`
+@@ -300,63 +316,53 @@ optional_policy(`
########################################
#
@@ -35469,18 +35545,18 @@ index 6a306ee..8247246 100644
allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
-allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms;
-allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
+-
+-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
+read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
--dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
--stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
--
-can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t })
+can_exec(mozilla_plugin_t, mozilla_exec_t)
kernel_read_all_sysctls(mozilla_plugin_t)
kernel_read_system_state(mozilla_plugin_t)
-@@ -366,155 +370,110 @@ kernel_dontaudit_getattr_core_if(mozilla_plugin_t)
+@@ -366,155 +372,109 @@ kernel_dontaudit_getattr_core_if(mozilla_plugin_t)
corecmd_exec_bin(mozilla_plugin_t)
corecmd_exec_shell(mozilla_plugin_t)
@@ -35595,7 +35671,7 @@ index 6a306ee..8247246 100644
-files_exec_usr_files(mozilla_plugin_t)
-files_list_mnt(mozilla_plugin_t)
files_read_config_files(mozilla_plugin_t)
- files_read_usr_files(mozilla_plugin_t)
+-files_read_usr_files(mozilla_plugin_t)
+files_list_mnt(mozilla_plugin_t)
+files_exec_usr_files(mozilla_plugin_t)
+fs_rw_inherited_tmpfs_files(mozilla_plugin_t)
@@ -35694,7 +35770,7 @@ index 6a306ee..8247246 100644
')
optional_policy(`
-@@ -523,36 +482,43 @@ optional_policy(`
+@@ -523,36 +483,43 @@ optional_policy(`
')
optional_policy(`
@@ -35729,21 +35805,21 @@ index 6a306ee..8247246 100644
- java_home_filetrans_java_home(mozilla_plugin_t, dir, ".java")
')
-+#optional_policy(`
-+# lpd_run_lpr(mozilla_plugin_t, mozilla_roles)
-+#')
-+
optional_policy(`
- lpd_run_lpr(mozilla_plugin_t, mozilla_plugin_roles)
-+ mplayer_exec(mozilla_plugin_t)
-+ mplayer_manage_generic_home_content(mozilla_plugin_t)
-+ mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer")
++ lpd_run_lpr(mozilla_plugin_t, mozilla_roles)
')
optional_policy(`
- mplayer_exec(mozilla_plugin_t)
- mplayer_manage_generic_home_content(mozilla_plugin_t)
- mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer")
++ mplayer_exec(mozilla_plugin_t)
++ mplayer_manage_generic_home_content(mozilla_plugin_t)
++ mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer")
++')
++
++optional_policy(`
+ pulseaudio_exec(mozilla_plugin_t)
+ pulseaudio_stream_connect(mozilla_plugin_t)
+ pulseaudio_setattr_home_dir(mozilla_plugin_t)
@@ -35752,7 +35828,7 @@ index 6a306ee..8247246 100644
')
optional_policy(`
-@@ -560,7 +526,7 @@ optional_policy(`
+@@ -560,7 +527,7 @@ optional_policy(`
')
optional_policy(`
@@ -35761,7 +35837,7 @@ index 6a306ee..8247246 100644
')
optional_policy(`
-@@ -568,108 +534,100 @@ optional_policy(`
+@@ -568,108 +535,100 @@ optional_policy(`
')
optional_policy(`
@@ -35776,6 +35852,7 @@ index 6a306ee..8247246 100644
+ xserver_read_user_xauth(mozilla_plugin_t)
+ xserver_append_xdm_home_files(mozilla_plugin_t)
+ xserver_dontaudit_xdm_tmp_dirs(mozilla_plugin_t)
++ xserver_filetrans_fonts_cache_home_content(mozilla_plugin_t)
')
########################################
@@ -35792,19 +35869,18 @@ index 6a306ee..8247246 100644
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms;
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms;
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms;
-+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
-
+-
-manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t })
-manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
-manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
-+allow mozilla_plugin_config_t self:fifo_file rw_file_perms;
-+allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
++allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".galeon")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".mozilla")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".netscape")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".phoenix")
-+ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t)
++allow mozilla_plugin_config_t self:fifo_file rw_file_perms;
++allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".adobe")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".macromedia")
@@ -35814,29 +35890,30 @@ index 6a306ee..8247246 100644
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".spicec")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".ICAClient")
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, "zimbrauserdata")
++ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t)
+
+-filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
+dev_search_sysfs(mozilla_plugin_config_t)
+dev_read_urand(mozilla_plugin_config_t)
+dev_dontaudit_read_rand(mozilla_plugin_config_t)
+dev_dontaudit_rw_dri(mozilla_plugin_config_t)
--filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
+-can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t })
+fs_search_auto_mountpoints(mozilla_plugin_config_t)
+fs_list_inotifyfs(mozilla_plugin_config_t)
--can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t })
+-ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t)
+can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t)
+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
--ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t)
--
-kernel_read_system_state(mozilla_plugin_config_t)
-kernel_request_load_module(mozilla_plugin_config_t)
+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
-+manage_fifo_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
++manage_fifo_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
corecmd_exec_bin(mozilla_plugin_config_t)
corecmd_exec_shell(mozilla_plugin_config_t)
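Review bot: `ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t)` is the only call in this hunk without a space after the comma while every other interface call is written `pattern(a, b, c)`; `ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t)` keeps it consistent with the upstream line it replaces. On the new side the domain also holds both `can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t)` and `manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)`, so it can execute files it is itself allowed to write; if that is intended for a plugin installer, a one-line comment such as `# installer must write and then run plugin wrappers in mozilla_plugin_rw_t` would stop the next reader from flagging it as a write-then-execute hole. The corrected domain in `manage_fifo_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)` now agrees with the three manage_*_pattern lines above it.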
@@ -35851,7 +35928,7 @@ index 6a306ee..8247246 100644
domain_use_interactive_fds(mozilla_plugin_config_t)
-files_list_tmp(mozilla_plugin_config_t)
- files_read_usr_files(mozilla_plugin_config_t)
+-files_read_usr_files(mozilla_plugin_config_t)
files_dontaudit_search_home(mozilla_plugin_config_t)
+files_list_tmp(mozilla_plugin_config_t)
@@ -35942,20 +36019,18 @@ index 5fa77c7..a0e8661 100644
domain_system_change_exemption($1)
role_transition $2 mpd_initrc_exec_t system_r;
diff --git a/mpd.te b/mpd.te
-index 7c8afcc..bf055f0 100644
+index 7c8afcc..200cec1 100644
--- a/mpd.te
+++ b/mpd.te
-@@ -74,6 +74,9 @@ allow mpd_t self:unix_stream_socket { accept connectto listen };
+@@ -74,6 +74,7 @@ allow mpd_t self:unix_stream_socket { accept connectto listen };
allow mpd_t self:unix_dgram_socket sendto;
allow mpd_t self:tcp_socket { accept listen };
allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow mpd_t self:unix_dgram_socket { create_socket_perms sendto };
-+
-+read_files_pattern(mpd_t, mpd_etc_t, mpd_etc_t)
allow mpd_t mpd_data_t:dir manage_dir_perms;
allow mpd_t mpd_data_t:file manage_file_perms;
-@@ -110,7 +113,6 @@ kernel_read_kernel_sysctls(mpd_t)
+@@ -110,7 +111,6 @@ kernel_read_kernel_sysctls(mpd_t)
corecmd_exec_bin(mpd_t)
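Review bot: The inner hunk no longer adds `read_files_pattern(mpd_t, mpd_etc_t, mpd_etc_t)` and nothing visible here replaces it (the header change to `+74,7` confirms only the dgram socket line remains), so unless upstream mpd.te already lets mpd_t read mpd_etc_t the daemon loses access to its own configuration; that should be confirmed against the unpatched file, or the line kept with `# mpd_t must read its mpd_etc_t configuration`. Separately, the retained `allow mpd_t self:unix_dgram_socket { create_socket_perms sendto };` repeats the `sendto` already granted two lines earlier by `allow mpd_t self:unix_dgram_socket sendto;`; the compiler merges them, but dropping one avoids a redundant rule.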
@@ -35963,7 +36038,15 @@ index 7c8afcc..bf055f0 100644
corenet_all_recvfrom_netlabel(mpd_t)
corenet_tcp_sendrecv_generic_if(mpd_t)
corenet_tcp_sendrecv_generic_node(mpd_t)
-@@ -150,7 +152,9 @@ auth_use_nsswitch(mpd_t)
+@@ -139,7 +139,6 @@ dev_read_sound(mpd_t)
+ dev_write_sound(mpd_t)
+ dev_read_sysfs(mpd_t)
+
+-files_read_usr_files(mpd_t)
+
+ fs_getattr_all_fs(mpd_t)
+ fs_list_inotifyfs(mpd_t)
+@@ -150,7 +149,9 @@ auth_use_nsswitch(mpd_t)
logging_send_syslog_msg(mpd_t)
@@ -35974,7 +36057,7 @@ index 7c8afcc..bf055f0 100644
tunable_policy(`mpd_enable_homedirs',`
userdom_search_user_home_dirs(mpd_t)
-@@ -199,6 +203,16 @@ optional_policy(`
+@@ -199,6 +200,16 @@ optional_policy(`
')
optional_policy(`
@@ -35992,7 +36075,7 @@ index 7c8afcc..bf055f0 100644
')
diff --git a/mplayer.te b/mplayer.te
-index 9aca704..e8e71cb 100644
+index 9aca704..5db9491 100644
--- a/mplayer.te
+++ b/mplayer.te
@@ -11,7 +11,7 @@ policy_module(mplayer, 2.4.4)
@@ -36004,7 +36087,15 @@ index 9aca704..e8e71cb 100644
attribute_role mencoder_roles;
attribute_role mplayer_roles;
-@@ -95,15 +95,15 @@ ifndef(`enable_mls',`
+@@ -67,7 +67,6 @@ kernel_read_kernel_sysctls(mencoder_t)
+ dev_rwx_zero(mencoder_t)
+ dev_read_video_dev(mencoder_t)
+
+-files_read_usr_files(mencoder_t)
+
+ fs_search_auto_mountpoints(mencoder_t)
+
+@@ -95,15 +94,15 @@ ifndef(`enable_mls',`
fs_read_iso9660_files(mencoder_t)
')
@@ -36024,7 +36115,15 @@ index 9aca704..e8e71cb 100644
allow mencoder_t self:process { execmem execstack };
')
-@@ -211,15 +211,15 @@ ifndef(`enable_mls',`
+@@ -173,7 +172,6 @@ files_dontaudit_getattr_non_security_files(mplayer_t)
+ files_read_non_security_files(mplayer_t)
+ files_list_home(mplayer_t)
+ files_read_etc_runtime_files(mplayer_t)
+-files_read_usr_files(mplayer_t)
+
+ fs_getattr_all_fs(mplayer_t)
+ fs_search_auto_mountpoints(mplayer_t)
+@@ -211,15 +209,15 @@ ifndef(`enable_mls',`
fs_read_iso9660_files(mplayer_t)
')
@@ -36044,7 +36143,7 @@ index 9aca704..e8e71cb 100644
allow mplayer_t self:process { execmem execstack };
')
-@@ -235,7 +235,7 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -235,7 +233,7 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_symlinks(mplayer_t)
')
@@ -36054,7 +36153,7 @@ index 9aca704..e8e71cb 100644
')
diff --git a/mrtg.te b/mrtg.te
-index c97c177..273b714 100644
+index c97c177..9411154 100644
--- a/mrtg.te
+++ b/mrtg.te
@@ -65,7 +65,6 @@ kernel_read_kernel_sysctls(mrtg_t)
@@ -36065,16 +36164,15 @@ index c97c177..273b714 100644
corenet_all_recvfrom_netlabel(mrtg_t)
corenet_tcp_sendrecv_generic_if(mrtg_t)
corenet_tcp_sendrecv_generic_node(mrtg_t)
-@@ -87,6 +86,8 @@ files_search_var(mrtg_t)
+@@ -82,7 +81,6 @@ domain_dontaudit_search_all_domains_state(mrtg_t)
+
+ files_getattr_tmp_dirs(mrtg_t)
+ files_read_etc_runtime_files(mrtg_t)
+-files_read_usr_files(mrtg_t)
+ files_search_var(mrtg_t)
files_search_locks(mrtg_t)
files_search_var_lib(mrtg_t)
- files_search_spool(mrtg_t)
-+files_getattr_tmp_dirs(mrtg_t)
-+files_read_etc_runtime_files(mrtg_t)
-
- fs_search_auto_mountpoints(mrtg_t)
- fs_getattr_all_fs(mrtg_t)
-@@ -105,13 +106,12 @@ libs_read_lib_files(mrtg_t)
+@@ -105,13 +103,12 @@ libs_read_lib_files(mrtg_t)
logging_send_syslog_msg(mrtg_t)
@@ -36091,21 +36189,23 @@ index c97c177..273b714 100644
netutils_domtrans_ping(mrtg_t)
diff --git a/mta.fc b/mta.fc
-index f42896c..2f102b2 100644
+index f42896c..8654c3c 100644
--- a/mta.fc
+++ b/mta.fc
-@@ -2,33 +2,40 @@ HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
+@@ -2,33 +2,42 @@ HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
-HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
-HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
+HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
++HOME_DIR/.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
-/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-+/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
-/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
++/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
++
+/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
-/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
@@ -36115,14 +36215,14 @@ index f42896c..2f102b2 100644
+ifdef(`distro_redhat',`
+/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
+')
-
--/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
++
+/root/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
+/root/\.forward -- gen_context(system_u:object_r:mail_home_t,s0)
+/root/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
+/root/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
+/root/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
-+
+
+-/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/usr/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
@@ -36148,7 +36248,7 @@ index f42896c..2f102b2 100644
-/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
diff --git a/mta.if b/mta.if
-index ed81cac..0005ac0 100644
+index ed81cac..7d1522c 100644
--- a/mta.if
+++ b/mta.if
@@ -1,4 +1,4 @@
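Review bot: The new `HOME_DIR/.maildir(/.*)?` entry leaves the dot unescaped, unlike the upstream `HOME_DIR/\.maildir(/.*)?` it replaces and the other dotfiles in this block (`\.forward`, `\.mailrc`, `/root/\.esmtp_queue`); in a file-context regex an unescaped `.` matches any character, so a directory such as `~/xmaildir` would also be labelled mail_home_rw_t. It should read `HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)`. The `/root/...` entries added alongside it are escaped correctly.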
@@ -37083,7 +37183,7 @@ index ed81cac..0005ac0 100644
##
##
##
-@@ -1081,3 +1046,173 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -1081,3 +1046,175 @@ interface(`mta_rw_user_mail_stream_sockets',`
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
@@ -37208,6 +37308,7 @@ index ed81cac..0005ac0 100644
+ userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".mailrc")
+ userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".forward")
+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
++ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
+')
+
@@ -37231,6 +37332,7 @@ index ed81cac..0005ac0 100644
+ userdom_user_home_dir_filetrans($1, mail_home_t, file, "dead.letter")
+ userdom_user_home_dir_filetrans($1, mail_home_t, file, ".forward")
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
++ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
+')
+
@@ -37258,7 +37360,7 @@ index ed81cac..0005ac0 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/mta.te b/mta.te
-index afd2fad..ed44eaf 100644
+index afd2fad..b2abfca 100644
--- a/mta.te
+++ b/mta.te
@@ -1,4 +1,4 @@
@@ -37288,7 +37390,7 @@ index afd2fad..ed44eaf 100644
type sendmail_exec_t;
mta_agent_executable(sendmail_exec_t)
-@@ -43,178 +43,79 @@ role system_r types system_mail_t;
+@@ -43,178 +43,78 @@ role system_r types system_mail_t;
mta_base_mail_template(user)
typealias user_mail_t alias { staff_mail_t sysadm_mail_t };
typealias user_mail_t alias { auditadm_mail_t secadm_mail_t };
@@ -37446,7 +37548,6 @@ index afd2fad..ed44eaf 100644
+dev_read_urand(system_mail_t)
-fs_rw_anon_inodefs_files(system_mail_t)
-+files_read_usr_files(system_mail_t)
-selinux_getattr_fs(system_mail_t)
+fs_rw_anon_inodefs_files(system_mail_t)
@@ -37504,7 +37605,7 @@ index afd2fad..ed44eaf 100644
')
optional_policy(`
-@@ -223,18 +124,18 @@ optional_policy(`
+@@ -223,18 +123,18 @@ optional_policy(`
')
optional_policy(`
@@ -37526,7 +37627,7 @@ index afd2fad..ed44eaf 100644
courier_manage_spool_dirs(system_mail_t)
courier_manage_spool_files(system_mail_t)
courier_rw_spool_pipes(system_mail_t)
-@@ -245,13 +146,8 @@ optional_policy(`
+@@ -245,13 +145,8 @@ optional_policy(`
')
optional_policy(`
@@ -37541,7 +37642,7 @@ index afd2fad..ed44eaf 100644
fail2ban_rw_inherited_tmp_files(system_mail_t)
')
-@@ -264,10 +160,15 @@ optional_policy(`
+@@ -264,10 +159,15 @@ optional_policy(`
')
optional_policy(`
@@ -37557,7 +37658,7 @@ index afd2fad..ed44eaf 100644
nagios_read_tmp_files(system_mail_t)
')
-@@ -278,6 +179,15 @@ optional_policy(`
+@@ -278,6 +178,15 @@ optional_policy(`
manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
@@ -37573,7 +37674,7 @@ index afd2fad..ed44eaf 100644
')
optional_policy(`
-@@ -293,42 +203,36 @@ optional_policy(`
+@@ -293,42 +202,36 @@ optional_policy(`
')
optional_policy(`
@@ -37626,7 +37727,7 @@ index afd2fad..ed44eaf 100644
allow mailserver_delivery mail_spool_t:dir list_dir_perms;
create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-@@ -337,40 +241,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -337,40 +240,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -37675,7 +37776,7 @@ index afd2fad..ed44eaf 100644
files_search_var_lib(mailserver_delivery)
mailman_domtrans(mailserver_delivery)
-@@ -387,24 +277,168 @@ optional_policy(`
+@@ -387,24 +276,166 @@ optional_policy(`
########################################
#
@@ -37762,7 +37863,6 @@ index afd2fad..ed44eaf 100644
+
+dev_read_urand(user_mail_domain)
+
-+files_read_usr_files(user_mail_domain)
+
+# Write to /var/spool/mail and /var/spool/mqueue.
+manage_files_pattern(user_mail_domain, mail_spool_t, mail_spool_t)
@@ -37785,7 +37885,6 @@ index afd2fad..ed44eaf 100644
+
+corecmd_exec_bin(user_mail_domain)
+
-+files_read_etc_files(user_mail_domain)
+files_search_spool(user_mail_domain)
+# It wants to check for nscd
+files_dontaudit_search_pids(user_mail_domain)
@@ -37852,10 +37951,10 @@ index afd2fad..ed44eaf 100644
+ clamav_stream_connect(mta_user_agent)
+')
diff --git a/munin.fc b/munin.fc
-index eb4b72a..123ee4c 100644
+index eb4b72a..4968324 100644
--- a/munin.fc
+++ b/munin.fc
-@@ -1,77 +1,78 @@
+@@ -1,77 +1,79 @@
-/etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0)
-
+/etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0)
@@ -37973,12 +38072,12 @@ index eb4b72a..123ee4c 100644
-/var/run/munin.* gen_context(system_u:object_r:munin_var_run_t,s0)
-
-/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
--/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
+/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
+/var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0)
+/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
-+/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
-+/var/www/html/cgi/munin.* gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
+ /var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
++/var/www/html/cgi/munin.* gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
++/var/www/cgi-bin/munin.* gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
diff --git a/munin.if b/munin.if
index b744fe3..4c1b6a8 100644
--- a/munin.if
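Review bot: `/var/www/cgi-bin/munin.*` (like the pre-existing `/var/www/html/cgi/munin.*`) labels anything under the directory whose name merely starts with `munin` as httpd_munin_script_exec_t, including subdirectories and unrelated files sharing the prefix, because `.*` also matches `/`. If only the CGI programs themselves are meant, restricting the match to regular files in that directory, `/var/www/cgi-bin/munin[^/]* -- gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)`, keeps the executable label from spreading.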
@@ -38143,7 +38242,7 @@ index b744fe3..4c1b6a8 100644
init_labeled_script_domtrans($1, munin_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/munin.te b/munin.te
-index 97370e4..be752a6 100644
+index 97370e4..d5f13d8 100644
--- a/munin.te
+++ b/munin.te
@@ -45,7 +45,7 @@ munin_plugin_template(unconfined)
@@ -38233,15 +38332,18 @@ index 97370e4..be752a6 100644
')
optional_policy(`
-@@ -252,11 +245,17 @@ dev_read_sysfs(disk_munin_plugin_t)
- dev_read_urand(disk_munin_plugin_t)
+@@ -246,17 +239,17 @@ corenet_sendrecv_hddtemp_client_packets(disk_munin_plugin_t)
+ corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
+ corenet_tcp_sendrecv_hddtemp_port(disk_munin_plugin_t)
- files_read_etc_runtime_files(disk_munin_plugin_t)
-+files_read_usr_files(disk_munin_plugin_t)
+-dev_getattr_all_blk_files(disk_munin_plugin_t)
++files_read_etc_runtime_files(disk_munin_plugin_t)
+
-+dev_getattr_lvm_control(disk_munin_plugin_t)
-+dev_read_sysfs(disk_munin_plugin_t)
-+dev_read_urand(disk_munin_plugin_t)
+ dev_getattr_lvm_control(disk_munin_plugin_t)
+ dev_read_sysfs(disk_munin_plugin_t)
+ dev_read_urand(disk_munin_plugin_t)
+-
+-files_read_etc_runtime_files(disk_munin_plugin_t)
+dev_read_all_blk_files(munin_disk_plugin_t)
fs_getattr_all_fs(disk_munin_plugin_t)
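Review bot: `dev_read_all_blk_files(munin_disk_plugin_t)` names a type that differs from the `disk_munin_plugin_t` used on every surrounding line, and after this commit it is the only block-device rule left for the disk plugin because upstream's `dev_getattr_all_blk_files(disk_munin_plugin_t)` is now removed by the inner patch. The template seen elsewhere in this file (`munin_plugin_template(unconfined)` producing `unconfined_munin_plugin_t`) suggests the generated name is `disk_munin_plugin_t`, so `munin_disk_plugin_t` is probably undeclared and would fail the build, or if it is an alias the intent is unclear; the line should presumably be `dev_read_all_blk_files(disk_munin_plugin_t)`. The disk plugin block continues past the hunk.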
@@ -38252,7 +38354,7 @@ index 97370e4..be752a6 100644
sysnet_read_config(disk_munin_plugin_t)
-@@ -275,27 +274,36 @@ optional_policy(`
+@@ -275,27 +268,36 @@ optional_policy(`
allow mail_munin_plugin_t self:capability dac_override;
@@ -38293,7 +38395,7 @@ index 97370e4..be752a6 100644
')
optional_policy(`
-@@ -353,7 +361,11 @@ optional_policy(`
+@@ -353,7 +355,11 @@ optional_policy(`
')
optional_policy(`
@@ -38306,7 +38408,7 @@ index 97370e4..be752a6 100644
')
optional_policy(`
-@@ -413,3 +425,4 @@ optional_policy(`
+@@ -413,3 +419,4 @@ optional_policy(`
optional_policy(`
unconfined_domain(unconfined_munin_plugin_t)
')
@@ -38902,7 +39004,7 @@ index 687af38..404ed6d 100644
+ mysql_stream_connect($1)
')
diff --git a/mysql.te b/mysql.te
-index 9f6179e..8855ea2 100644
+index 9f6179e..dfa6623 100644
--- a/mysql.te
+++ b/mysql.te
@@ -1,4 +1,4 @@
@@ -38988,7 +39090,7 @@ index 9f6179e..8855ea2 100644
logging_log_filetrans(mysqld_t, mysqld_log_t, file)
manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
-@@ -93,50 +90,56 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
+@@ -93,50 +90,54 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file })
@@ -38997,7 +39099,6 @@ index 9f6179e..8855ea2 100644
+
kernel_read_network_state(mysqld_t)
kernel_read_system_state(mysqld_t)
-+kernel_read_network_state(mysqld_t)
+kernel_read_kernel_sysctls(mysqld_t)
+
+corecmd_exec_bin(mysqld_t)
@@ -39037,7 +39138,7 @@ index 9f6179e..8855ea2 100644
+
+files_getattr_var_lib_dirs(mysqld_t)
files_read_etc_runtime_files(mysqld_t)
- files_read_usr_files(mysqld_t)
+-files_read_usr_files(mysqld_t)
+files_search_var_lib(mysqld_t)
auth_use_nsswitch(mysqld_t)
@@ -39061,7 +39162,7 @@ index 9f6179e..8855ea2 100644
')
optional_policy(`
-@@ -153,29 +156,22 @@ optional_policy(`
+@@ -153,29 +154,22 @@ optional_policy(`
#######################################
#
@@ -39096,16 +39197,16 @@ index 9f6179e..8855ea2 100644
kernel_read_system_state(mysqld_safe_t)
kernel_read_kernel_sysctls(mysqld_safe_t)
-@@ -187,17 +183,22 @@ dev_list_sysfs(mysqld_safe_t)
+@@ -187,17 +181,21 @@ dev_list_sysfs(mysqld_safe_t)
domain_read_all_domains_state(mysqld_safe_t)
-files_read_etc_files(mysqld_safe_t)
-+files_dontaudit_search_all_mountpoints(mysqld_safe_t)
- files_read_usr_files(mysqld_safe_t)
+-files_read_usr_files(mysqld_safe_t)
-files_search_pids(mysqld_safe_t)
- files_dontaudit_getattr_all_dirs(mysqld_safe_t)
--files_dontaudit_search_all_mountpoints(mysqld_safe_t)
+-files_dontaudit_getattr_all_dirs(mysqld_safe_t)
+ files_dontaudit_search_all_mountpoints(mysqld_safe_t)
++files_dontaudit_getattr_all_dirs(mysqld_safe_t)
+logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
logging_send_syslog_msg(mysqld_safe_t)
@@ -39124,7 +39225,7 @@ index 9f6179e..8855ea2 100644
optional_policy(`
hostname_exec(mysqld_safe_t)
-@@ -205,7 +206,7 @@ optional_policy(`
+@@ -205,7 +203,7 @@ optional_policy(`
########################################
#
@@ -39133,7 +39234,7 @@ index 9f6179e..8855ea2 100644
#
allow mysqlmanagerd_t self:capability { dac_override kill };
-@@ -214,11 +215,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
+@@ -214,11 +212,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
@@ -39151,7 +39252,7 @@ index 9f6179e..8855ea2 100644
domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
-@@ -226,31 +228,23 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+@@ -226,31 +225,22 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
@@ -39179,7 +39280,7 @@ index 9f6179e..8855ea2 100644
dev_read_urand(mysqlmanagerd_t)
-files_read_etc_files(mysqlmanagerd_t)
- files_read_usr_files(mysqlmanagerd_t)
+-files_read_usr_files(mysqlmanagerd_t)
-files_search_pids(mysqlmanagerd_t)
-files_search_var_lib(mysqlmanagerd_t)
@@ -39575,7 +39676,7 @@ index 0641e97..d7d9a79 100644
+ admin_pattern($1, nrpe_etc_t)
')
diff --git a/nagios.te b/nagios.te
-index 44ad3b7..fd0b6d3 100644
+index 44ad3b7..7508aef 100644
--- a/nagios.te
+++ b/nagios.te
@@ -27,7 +27,7 @@ type nagios_var_run_t;
@@ -39587,7 +39688,7 @@ index 44ad3b7..fd0b6d3 100644
type nagios_var_lib_t;
files_type(nagios_var_lib_t)
-@@ -63,19 +63,21 @@ files_pid_file(nrpe_var_run_t)
+@@ -63,19 +63,20 @@ files_pid_file(nrpe_var_run_t)
allow nagios_plugin_domain self:fifo_file rw_fifo_file_perms;
@@ -39604,17 +39705,17 @@ index 44ad3b7..fd0b6d3 100644
dev_read_urand(nagios_plugin_domain)
dev_read_rand(nagios_plugin_domain)
- files_read_usr_files(nagios_plugin_domain)
-
--miscfiles_read_localization(nagios_plugin_domain)
+-files_read_usr_files(nagios_plugin_domain)
-
+-miscfiles_read_localization(nagios_plugin_domain)
+
-userdom_use_user_terminals(nagios_plugin_domain)
+userdom_use_inherited_user_ptys(nagios_plugin_domain)
+userdom_use_inherited_user_ttys(nagios_plugin_domain)
########################################
#
-@@ -123,7 +125,6 @@ kernel_read_software_raid_state(nagios_t)
+@@ -123,7 +124,6 @@ kernel_read_software_raid_state(nagios_t)
corecmd_exec_bin(nagios_t)
corecmd_exec_shell(nagios_t)
@@ -39622,7 +39723,7 @@ index 44ad3b7..fd0b6d3 100644
corenet_all_recvfrom_netlabel(nagios_t)
corenet_tcp_sendrecv_generic_if(nagios_t)
corenet_tcp_sendrecv_generic_node(nagios_t)
-@@ -143,7 +144,6 @@ domain_read_all_domains_state(nagios_t)
+@@ -143,7 +143,6 @@ domain_read_all_domains_state(nagios_t)
files_read_etc_runtime_files(nagios_t)
files_read_kernel_symbol_table(nagios_t)
@@ -39630,7 +39731,7 @@ index 44ad3b7..fd0b6d3 100644
files_search_spool(nagios_t)
fs_getattr_all_fs(nagios_t)
-@@ -153,8 +153,6 @@ auth_use_nsswitch(nagios_t)
+@@ -153,8 +152,6 @@ auth_use_nsswitch(nagios_t)
logging_send_syslog_msg(nagios_t)
@@ -39639,7 +39740,7 @@ index 44ad3b7..fd0b6d3 100644
userdom_dontaudit_use_unpriv_user_fds(nagios_t)
userdom_dontaudit_search_user_home_dirs(nagios_t)
-@@ -178,6 +176,7 @@ optional_policy(`
+@@ -178,6 +175,7 @@ optional_policy(`
#
# CGI local policy
#
@@ -39647,7 +39748,7 @@ index 44ad3b7..fd0b6d3 100644
optional_policy(`
apache_content_template(nagios)
typealias httpd_nagios_script_t alias nagios_cgi_t;
-@@ -231,7 +230,6 @@ domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin
+@@ -231,7 +229,6 @@ domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin
kernel_read_kernel_sysctls(nrpe_t)
kernel_read_software_raid_state(nrpe_t)
@@ -39655,7 +39756,7 @@ index 44ad3b7..fd0b6d3 100644
corecmd_exec_bin(nrpe_t)
corecmd_exec_shell(nrpe_t)
-@@ -253,7 +251,6 @@ domain_use_interactive_fds(nrpe_t)
+@@ -253,7 +250,6 @@ domain_use_interactive_fds(nrpe_t)
domain_read_all_domains_state(nrpe_t)
files_read_etc_runtime_files(nrpe_t)
@@ -39663,7 +39764,7 @@ index 44ad3b7..fd0b6d3 100644
fs_getattr_all_fs(nrpe_t)
fs_search_auto_mountpoints(nrpe_t)
-@@ -262,8 +259,6 @@ auth_use_nsswitch(nrpe_t)
+@@ -262,8 +258,6 @@ auth_use_nsswitch(nrpe_t)
logging_send_syslog_msg(nrpe_t)
@@ -39672,7 +39773,7 @@ index 44ad3b7..fd0b6d3 100644
userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
optional_policy(`
-@@ -310,15 +305,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
+@@ -310,15 +304,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
#
allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
@@ -39691,7 +39792,7 @@ index 44ad3b7..fd0b6d3 100644
logging_send_syslog_msg(nagios_mail_plugin_t)
sysnet_dns_name_resolve(nagios_mail_plugin_t)
-@@ -345,6 +340,7 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
+@@ -345,6 +339,7 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
kernel_read_software_raid_state(nagios_checkdisk_plugin_t)
@@ -39699,7 +39800,7 @@ index 44ad3b7..fd0b6d3 100644
files_getattr_all_mountpoints(nagios_checkdisk_plugin_t)
files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
-@@ -357,9 +353,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+@@ -357,9 +352,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
# Services local policy
#
@@ -39713,7 +39814,7 @@ index 44ad3b7..fd0b6d3 100644
corecmd_exec_bin(nagios_services_plugin_t)
-@@ -411,6 +409,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
+@@ -411,6 +408,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
@@ -39721,7 +39822,7 @@ index 44ad3b7..fd0b6d3 100644
kernel_read_kernel_sysctls(nagios_system_plugin_t)
corecmd_exec_bin(nagios_system_plugin_t)
-@@ -420,10 +419,10 @@ dev_read_sysfs(nagios_system_plugin_t)
+@@ -420,10 +418,10 @@ dev_read_sysfs(nagios_system_plugin_t)
domain_read_all_domains_state(nagios_system_plugin_t)
@@ -39734,25 +39835,10 @@ index 44ad3b7..fd0b6d3 100644
optional_policy(`
init_read_utmp(nagios_system_plugin_t)
')
-@@ -450,3 +449,26 @@ init_domtrans_script(nagios_eventhandler_plugin_t)
- optional_policy(`
- unconfined_domain(nagios_unconfined_plugin_t)
- ')
-+
-+#######################################
-+#
-+# Event handler plugin plugin policy
-+#
-+
-+manage_files_pattern(nagios_eventhandler_plugin_t, nagios_eventhandler_plugin_tmp_t, nagios_eventhandler_plugin_tmp_t)
-+manage_dirs_pattern(nagios_eventhandler_plugin_t, nagios_eventhandler_plugin_tmp_t, nagios_eventhandler_plugin_tmp_t)
-+files_tmp_filetrans(nagios_eventhandler_plugin_t, nagios_eventhandler_plugin_tmp_t, { dir file })
-+
-+corecmd_exec_bin(nagios_eventhandler_plugin_t)
-+corecmd_exec_shell(nagios_eventhandler_plugin_t)
-+
-+init_domtrans_script(nagios_eventhandler_plugin_t)
-+
+@@ -442,6 +440,14 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
+
+ init_domtrans_script(nagios_eventhandler_plugin_t)
+
+systemd_exec_systemctl(nagios_eventhandler_plugin_t)
+
+allow nagios_t nagios_eventhandler_plugin_exec_t:dir list_dir_perms;
@@ -39761,6 +39847,16 @@ index 44ad3b7..fd0b6d3 100644
+ unconfined_domain(nagios_eventhandler_plugin_t)
+')
+
+ ########################################
+ #
+ # Unconfined plugin policy
+@@ -450,3 +456,6 @@ init_domtrans_script(nagios_eventhandler_plugin_t)
+ optional_policy(`
+ unconfined_domain(nagios_unconfined_plugin_t)
+ ')
++
++
++
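Review bot: The final inner hunk, `@@ -450,3 +456,6 @@`, adds nothing but three blank lines at the end of nagios.te; that is whitespace noise that will reappear in every future diff of the file and can be dropped from the patch. Moving the extra rules into the existing event-handler section instead of the duplicated "Event handler plugin plugin policy" block is the right fix. Note that `systemd_exec_systemctl(nagios_eventhandler_plugin_t)` now sits directly above an `optional_policy` that makes the same domain unconfined; when that block is active the systemctl rule is redundant, and when it is not, the confined plugin can still drive systemctl, so a comment such as `# event handlers restart services through systemctl` documenting the intent would help.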
diff --git a/namespace.fc b/namespace.fc
new file mode 100644
index 0000000..ce51c8d
@@ -39826,10 +39922,10 @@ index 0000000..8d7c751
+')
diff --git a/namespace.te b/namespace.te
new file mode 100644
-index 0000000..ef7b846
+index 0000000..f6ffaa3
--- /dev/null
+++ b/namespace.te
-@@ -0,0 +1,43 @@
+@@ -0,0 +1,40 @@
+policy_module(namespace,1.0.0)
+
+########################################
@@ -39861,11 +39957,8 @@ index 0000000..ef7b846
+
+files_polyinstantiate_all(namespace_init_t)
+
-+mcs_file_write_all(namespace_init_t)
-+
+auth_use_nsswitch(namespace_init_t)
+
-+
+term_use_console(namespace_init_t)
+
+userdom_manage_user_home_content_dirs(namespace_init_t)
@@ -39874,57 +39967,26 @@ index 0000000..ef7b846
+userdom_relabelto_user_home_files(namespace_init_t)
+userdom_user_home_dir_filetrans_user_home_content(namespace_init_t, { dir file lnk_file fifo_file sock_file })
diff --git a/ncftool.if b/ncftool.if
-index db9578f..96e5824 100644
+index db9578f..4309e3d 100644
--- a/ncftool.if
+++ b/ncftool.if
-@@ -38,9 +38,19 @@ interface(`ncftool_domtrans',`
+@@ -38,9 +38,11 @@ interface(`ncftool_domtrans',`
#
interface(`ncftool_run',`
gen_require(`
-- attribute_role ncftool_roles;
-- ')
+ type ncftool_t;
-+ #attribute_role ncftool_roles;
-+ ')
-+
-+ #ncftool_domtrans($1)
-+ #roleattribute $2 ncftool_roles;
+ attribute_role ncftool_roles;
+ ')
ncftool_domtrans($1)
-- roleattribute $2 ncftool_roles;
-+ role $2 types ncftool_t;
-+
-+ optional_policy(`
-+ brctl_run(ncftool_t, $2)
-+ ')
-+
+ roleattribute $2 ncftool_roles;
')
+
diff --git a/ncftool.te b/ncftool.te
-index b13c0b1..1161ce1 100644
+index b13c0b1..c8baed2 100644
--- a/ncftool.te
+++ b/ncftool.te
-@@ -5,15 +5,16 @@ policy_module(ncftool, 1.1.2)
- # Declarations
- #
-
--attribute_role ncftool_roles;
--roleattribute system_r ncftool_roles;
-+#attribute_role ncftool_roles;
-+#roleattribute system_r ncftool_roles;
-
- type ncftool_t;
- type ncftool_exec_t;
- application_domain(ncftool_t, ncftool_exec_t)
- domain_obj_id_change_exemption(ncftool_t)
- domain_system_change_exemption(ncftool_t)
--role ncftool_roles types ncftool_t;
-+#role ncftool_roles types ncftool_t;
-+role system_r types ncftool_t;
-
- ########################################
- #
-@@ -22,6 +23,7 @@ role ncftool_roles types ncftool_t;
+@@ -22,6 +22,7 @@ role ncftool_roles types ncftool_t;
allow ncftool_t self:capability net_admin;
allow ncftool_t self:process signal;
@@ -39932,7 +39994,7 @@ index b13c0b1..1161ce1 100644
allow ncftool_t self:fifo_file manage_fifo_file_perms;
allow ncftool_t self:unix_stream_socket create_stream_socket_perms;
allow ncftool_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -41,27 +43,32 @@ domain_read_all_domains_state(ncftool_t)
+@@ -41,11 +42,11 @@ domain_read_all_domains_state(ncftool_t)
dev_read_sysfs(ncftool_t)
@@ -39940,18 +40002,14 @@ index b13c0b1..1161ce1 100644
+files_manage_system_conf_files(ncftool_t)
+files_relabelto_system_conf_files(ncftool_t)
files_read_etc_runtime_files(ncftool_t)
- files_read_usr_files(ncftool_t)
+-files_read_usr_files(ncftool_t)
-miscfiles_read_localization(ncftool_t)
+term_use_all_inherited_terms(ncftool_t)
sysnet_delete_dhcpc_pid(ncftool_t)
--sysnet_run_dhcpc(ncftool_t, ncftool_roles)
--sysnet_run_ifconfig(ncftool_t, ncftool_roles)
-+sysnet_domtrans_dhcpc(ncftool_t)
-+sysnet_domtrans_ifconfig(ncftool_t)
-+#sysnet_run_dhcpc(ncftool_t, ncftool_roles)
-+#sysnet_run_ifconfig(ncftool_t, ncftool_roles)
+ sysnet_run_dhcpc(ncftool_t, ncftool_roles)
+@@ -53,6 +54,8 @@ sysnet_run_ifconfig(ncftool_t, ncftool_roles)
sysnet_etc_filetrans_config(ncftool_t)
sysnet_manage_config(ncftool_t)
sysnet_read_dhcpc_state(ncftool_t)
@@ -39960,19 +40018,7 @@ index b13c0b1..1161ce1 100644
sysnet_read_dhcpc_pid(ncftool_t)
sysnet_signal_dhcpc(ncftool_t)
- userdom_use_user_terminals(ncftool_t)
- userdom_read_user_tmp_files(ncftool_t)
-
--optional_policy(`
-- brctl_run(ncftool_t, ncftool_roles)
--')
-+#optional_policy(`
-+# brctl_run(ncftool_t, ncftool_roles)
-+#')
-
- optional_policy(`
- consoletype_exec(ncftool_t)
-@@ -73,13 +80,18 @@ optional_policy(`
+@@ -73,11 +76,14 @@ optional_policy(`
optional_policy(`
iptables_initrc_domtrans(ncftool_t)
@@ -39982,17 +40028,11 @@ index b13c0b1..1161ce1 100644
optional_policy(`
+ modutils_list_module_config(ncftool_t)
modutils_read_module_config(ncftool_t)
-- modutils_run_insmod(ncftool_t, ncftool_roles)
-+ modutils_domtrans_insmod(ncftool_t)
-+ #modutils_run_insmod(ncftool_t, ncftool_roles)
+ modutils_run_insmod(ncftool_t, ncftool_roles)
+
')
optional_policy(`
-- netutils_run(ncftool_t, ncftool_roles)
-+ netutils_domtrans(ncftool_t)
-+ #netutils_run(ncftool_t, ncftool_roles)
- ')
diff --git a/nessus.te b/nessus.te
index 56c0fbd..173a2c0 100644
--- a/nessus.te
@@ -40429,7 +40469,7 @@ index 0e8508c..96dbf6f 100644
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf")
')
diff --git a/networkmanager.te b/networkmanager.te
-index 0b48a30..c0e8f13 100644
+index 0b48a30..1dc0c55 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -1,4 +1,4 @@
@@ -40460,7 +40500,7 @@ index 0b48a30..c0e8f13 100644
type NetworkManager_log_t;
logging_log_file(NetworkManager_log_t)
-@@ -39,35 +42,51 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
+@@ -39,24 +42,40 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
# Local policy
#
@@ -40510,22 +40550,15 @@ index 0b48a30..c0e8f13 100644
manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
- filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file })
-
--allow NetworkManager_t NetworkManager_log_t:dir setattr_dir_perms;
--append_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
--create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
--setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
+@@ -68,6 +87,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
+ setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
-+manage_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
-+logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
-+
+can_exec(NetworkManager_t, NetworkManager_tmp_t)
manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
-@@ -81,9 +100,6 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
+@@ -81,9 +101,6 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
@@ -40535,7 +40568,7 @@ index 0b48a30..c0e8f13 100644
kernel_read_system_state(NetworkManager_t)
kernel_read_network_state(NetworkManager_t)
kernel_read_kernel_sysctls(NetworkManager_t)
-@@ -91,7 +107,6 @@ kernel_request_load_module(NetworkManager_t)
+@@ -91,7 +108,6 @@ kernel_request_load_module(NetworkManager_t)
kernel_read_debugfs(NetworkManager_t)
kernel_rw_net_sysctls(NetworkManager_t)
@@ -40543,7 +40576,7 @@ index 0b48a30..c0e8f13 100644
corenet_all_recvfrom_netlabel(NetworkManager_t)
corenet_tcp_sendrecv_generic_if(NetworkManager_t)
corenet_udp_sendrecv_generic_if(NetworkManager_t)
-@@ -102,22 +117,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
+@@ -102,22 +118,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
corenet_tcp_sendrecv_all_ports(NetworkManager_t)
corenet_udp_sendrecv_all_ports(NetworkManager_t)
corenet_udp_bind_generic_node(NetworkManager_t)
@@ -40569,7 +40602,7 @@ index 0b48a30..c0e8f13 100644
dev_rw_sysfs(NetworkManager_t)
dev_read_rand(NetworkManager_t)
dev_read_urand(NetworkManager_t)
-@@ -125,13 +133,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
+@@ -125,13 +134,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
dev_getattr_all_chr_files(NetworkManager_t)
dev_rw_wireless(NetworkManager_t)
@@ -40583,7 +40616,7 @@ index 0b48a30..c0e8f13 100644
fs_getattr_all_fs(NetworkManager_t)
fs_search_auto_mountpoints(NetworkManager_t)
fs_list_inotifyfs(NetworkManager_t)
-@@ -140,6 +141,17 @@ mls_file_read_all_levels(NetworkManager_t)
+@@ -140,6 +142,16 @@ mls_file_read_all_levels(NetworkManager_t)
selinux_dontaudit_search_fs(NetworkManager_t)
@@ -40595,7 +40628,6 @@ index 0b48a30..c0e8f13 100644
+
+files_read_etc_runtime_files(NetworkManager_t)
+files_read_system_conf_files(NetworkManager_t)
-+files_read_usr_files(NetworkManager_t)
+files_read_usr_src_files(NetworkManager_t)
+
storage_getattr_fixed_disk_dev(NetworkManager_t)
@@ -41091,7 +41123,7 @@ index 46e55c3..1112fae 100644
+ allow $1 nis_unit_file_t:service all_service_perms;
')
diff --git a/nis.te b/nis.te
-index 3e4a31c..f1dd1fa 100644
+index 3e4a31c..0d16edc 100644
--- a/nis.te
+++ b/nis.te
@@ -1,12 +1,10 @@
@@ -41187,8 +41219,11 @@ index 3e4a31c..f1dd1fa 100644
dev_read_sysfs(ypbind_t)
-@@ -112,9 +113,9 @@ domain_use_interactive_fds(ypbind_t)
- files_read_etc_files(ypbind_t)
+@@ -109,12 +110,11 @@ fs_search_auto_mountpoints(ypbind_t)
+
+ domain_use_interactive_fds(ypbind_t)
+
+-files_read_etc_files(ypbind_t)
files_list_var(ypbind_t)
-logging_send_syslog_msg(ypbind_t)
@@ -41199,7 +41234,7 @@ index 3e4a31c..f1dd1fa 100644
sysnet_read_config(ypbind_t)
-@@ -124,7 +125,6 @@ userdom_dontaudit_search_user_home_dirs(ypbind_t)
+@@ -124,7 +124,6 @@ userdom_dontaudit_search_user_home_dirs(ypbind_t)
optional_policy(`
dbus_system_bus_client(ypbind_t)
dbus_connect_system_bus(ypbind_t)
@@ -41207,7 +41242,7 @@ index 3e4a31c..f1dd1fa 100644
init_dbus_chat_script(ypbind_t)
optional_policy(`
-@@ -149,7 +149,8 @@ allow yppasswdd_t self:capability dac_override;
+@@ -149,7 +148,8 @@ allow yppasswdd_t self:capability dac_override;
dontaudit yppasswdd_t self:capability sys_tty_config;
allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
allow yppasswdd_t self:process { getsched setfscreate signal_perms };
@@ -41217,7 +41252,7 @@ index 3e4a31c..f1dd1fa 100644
allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
allow yppasswdd_t self:tcp_socket create_stream_socket_perms;
allow yppasswdd_t self:udp_socket create_socket_perms;
-@@ -160,14 +161,13 @@ files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file)
+@@ -160,14 +160,13 @@ files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file)
manage_files_pattern(yppasswdd_t, var_yp_t, var_yp_t)
manage_lnk_files_pattern(yppasswdd_t, var_yp_t, var_yp_t)
@@ -41233,7 +41268,7 @@ index 3e4a31c..f1dd1fa 100644
corenet_all_recvfrom_netlabel(yppasswdd_t)
corenet_tcp_sendrecv_generic_if(yppasswdd_t)
corenet_udp_sendrecv_generic_if(yppasswdd_t)
-@@ -177,22 +177,11 @@ corenet_tcp_sendrecv_all_ports(yppasswdd_t)
+@@ -177,22 +176,11 @@ corenet_tcp_sendrecv_all_ports(yppasswdd_t)
corenet_udp_sendrecv_all_ports(yppasswdd_t)
corenet_tcp_bind_generic_node(yppasswdd_t)
corenet_udp_bind_generic_node(yppasswdd_t)
@@ -41257,7 +41292,7 @@ index 3e4a31c..f1dd1fa 100644
dev_read_sysfs(yppasswdd_t)
-@@ -203,11 +192,20 @@ selinux_get_fs_mount(yppasswdd_t)
+@@ -203,11 +191,19 @@ selinux_get_fs_mount(yppasswdd_t)
auth_manage_shadow(yppasswdd_t)
auth_relabel_shadow(yppasswdd_t)
@@ -41269,7 +41304,6 @@ index 3e4a31c..f1dd1fa 100644
+
+domain_use_interactive_fds(yppasswdd_t)
+
-+files_read_etc_files(yppasswdd_t)
+files_read_etc_runtime_files(yppasswdd_t)
+files_relabel_etc_files(yppasswdd_t)
+
@@ -41279,7 +41313,7 @@ index 3e4a31c..f1dd1fa 100644
sysnet_read_config(yppasswdd_t)
-@@ -219,6 +217,10 @@ optional_policy(`
+@@ -219,6 +215,10 @@ optional_policy(`
')
optional_policy(`
@@ -41290,7 +41324,7 @@ index 3e4a31c..f1dd1fa 100644
seutil_sigchld_newrole(yppasswdd_t)
')
-@@ -234,7 +236,8 @@ optional_policy(`
+@@ -234,7 +234,8 @@ optional_policy(`
dontaudit ypserv_t self:capability sys_tty_config;
allow ypserv_t self:fifo_file rw_fifo_file_perms;
allow ypserv_t self:process signal_perms;
@@ -41300,7 +41334,7 @@ index 3e4a31c..f1dd1fa 100644
allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
allow ypserv_t self:tcp_socket connected_stream_socket_perms;
allow ypserv_t self:udp_socket create_socket_perms;
-@@ -254,7 +257,6 @@ kernel_read_kernel_sysctls(ypserv_t)
+@@ -254,7 +255,6 @@ kernel_read_kernel_sysctls(ypserv_t)
kernel_list_proc(ypserv_t)
kernel_read_proc_symlinks(ypserv_t)
@@ -41308,7 +41342,7 @@ index 3e4a31c..f1dd1fa 100644
corenet_all_recvfrom_netlabel(ypserv_t)
corenet_tcp_sendrecv_generic_if(ypserv_t)
corenet_udp_sendrecv_generic_if(ypserv_t)
-@@ -264,31 +266,28 @@ corenet_tcp_sendrecv_all_ports(ypserv_t)
+@@ -264,31 +264,27 @@ corenet_tcp_sendrecv_all_ports(ypserv_t)
corenet_udp_sendrecv_all_ports(ypserv_t)
corenet_tcp_bind_generic_node(ypserv_t)
corenet_udp_bind_generic_node(ypserv_t)
@@ -41339,7 +41373,6 @@ index 3e4a31c..f1dd1fa 100644
-fs_getattr_all_fs(ypserv_t)
-fs_search_auto_mountpoints(ypserv_t)
+files_read_var_files(ypserv_t)
-+files_read_etc_files(ypserv_t)
logging_send_syslog_msg(ypserv_t)
@@ -41347,7 +41380,7 @@ index 3e4a31c..f1dd1fa 100644
nis_domtrans_ypxfr(ypserv_t)
-@@ -310,8 +309,8 @@ optional_policy(`
+@@ -310,8 +306,8 @@ optional_policy(`
# ypxfr local policy
#
@@ -41358,7 +41391,7 @@ index 3e4a31c..f1dd1fa 100644
allow ypxfr_t self:tcp_socket create_stream_socket_perms;
allow ypxfr_t self:udp_socket create_socket_perms;
allow ypxfr_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -326,7 +325,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms;
+@@ -326,7 +322,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms;
manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t)
files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file)
@@ -41366,7 +41399,7 @@ index 3e4a31c..f1dd1fa 100644
corenet_all_recvfrom_netlabel(ypxfr_t)
corenet_tcp_sendrecv_generic_if(ypxfr_t)
corenet_udp_sendrecv_generic_if(ypxfr_t)
-@@ -336,23 +334,20 @@ corenet_tcp_sendrecv_all_ports(ypxfr_t)
+@@ -336,23 +331,19 @@ corenet_tcp_sendrecv_all_ports(ypxfr_t)
corenet_udp_sendrecv_all_ports(ypxfr_t)
corenet_tcp_bind_generic_node(ypxfr_t)
corenet_udp_bind_generic_node(ypxfr_t)
@@ -41384,7 +41417,7 @@ index 3e4a31c..f1dd1fa 100644
-corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
-corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t)
-
- files_read_etc_files(ypxfr_t)
+-files_read_etc_files(ypxfr_t)
files_search_usr(ypxfr_t)
logging_send_syslog_msg(ypxfr_t)
@@ -41474,10 +41507,10 @@ index 0000000..7d11148
+')
diff --git a/nova.te b/nova.te
new file mode 100644
-index 0000000..f0aaecf
+index 0000000..28b535e
--- /dev/null
+++ b/nova.te
-@@ -0,0 +1,324 @@
+@@ -0,0 +1,322 @@
+policy_module(nova, 1.0.0)
+
+########################################
@@ -41541,11 +41574,9 @@ index 0000000..f0aaecf
+
+fs_getattr_xattr_fs(nova_domain)
+
-+files_read_usr_files(nova_domain)
+
+libs_exec_ldconfig(nova_domain)
+
-+files_read_etc_files(nova_domain)
+
+
+optional_policy(`
@@ -41828,7 +41859,7 @@ index ba64485..429bd79 100644
+
+/usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0)
diff --git a/nscd.if b/nscd.if
-index 8f2ab09..685270c 100644
+index 8f2ab09..7b8f5ad 100644
--- a/nscd.if
+++ b/nscd.if
@@ -1,8 +1,8 @@
@@ -41920,30 +41951,19 @@ index 8f2ab09..685270c 100644
##
##
##
-@@ -135,28 +130,36 @@ interface(`nscd_socket_use',`
+@@ -135,28 +130,38 @@ interface(`nscd_socket_use',`
##
##
#
-interface(`nscd_shm_use',`
-- gen_require(`
-- type nscd_t, nscd_var_run_t;
-- class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
+interface(`nscd_use',`
+ tunable_policy(`nscd_use_shm',`
+ nscd_shm_use($1)
+ ',`
+ nscd_socket_use($1)
- ')
++ ')
+')
-
-- allow $1 self:unix_stream_socket create_stream_socket_perms;
--
-- allow $1 nscd_t:nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
-- allow $1 nscd_t:fd use;
--
-- files_search_pids($1)
-- stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
-- dontaudit $1 nscd_var_run_t:file read_file_perms;
++
+########################################
+##
+## Do not audit attempts to write nscd sock files
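Review bot: The XML summary block that now heads `interface(`nscd_use',` (the `##` lines at the top of this hunk) is the one that previously documented `nscd_shm_use`; its text is not visible here, but if it still describes shared-memory access it now misdocuments the new interface, which chooses between the two access paths. A summary along the lines of `## Use nscd via shared memory when the nscd_use_shm tunable is set, otherwise via its socket.` would match what the body does. The `nscd_use_shm` tunable is not declared in this hunk — presumably it lives in nscd.te; confirm it is declared there, since `tunable_policy` on an undeclared tunable fails at build time.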
@@ -41955,13 +41975,24 @@ index 8f2ab09..685270c 100644
+##
+#
+interface(`nscd_dontaudit_write_sock_file',`
-+ gen_require(`
-+ type nscd_t;
-+ ')
+ gen_require(`
+ type nscd_t, nscd_var_run_t;
+- class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
+ ')
+- allow $1 self:unix_stream_socket create_stream_socket_perms;
+-
+- allow $1 nscd_t:nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
+- allow $1 nscd_t:fd use;
++ dontaudit $1 nscd_t:sock_file write;
++ dontaudit $1 nscd_var_run_t:sock_file write;
+
+- files_search_pids($1)
+- stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
+- dontaudit $1 nscd_var_run_t:file read_file_perms;
+-
- allow $1 nscd_var_run_t:dir list_dir_perms;
- allow $1 nscd_var_run_t:sock_file read_sock_file_perms;
-+ dontaudit $1 nscd_t:sock_file write;
')
########################################
@@ -41972,7 +42003,7 @@ index 8f2ab09..685270c 100644
##
##
##
-@@ -164,18 +167,35 @@ interface(`nscd_shm_use',`
+@@ -164,18 +169,35 @@ interface(`nscd_shm_use',`
##
##
#
@@ -42015,7 +42046,7 @@ index 8f2ab09..685270c 100644
##
##
##
-@@ -193,7 +213,7 @@ interface(`nscd_dontaudit_search_pid',`
+@@ -193,7 +215,7 @@ interface(`nscd_dontaudit_search_pid',`
########################################
##
@@ -42024,7 +42055,7 @@ index 8f2ab09..685270c 100644
##
##
##
-@@ -212,7 +232,7 @@ interface(`nscd_read_pid',`
+@@ -212,7 +234,7 @@ interface(`nscd_read_pid',`
########################################
##
@@ -42033,7 +42064,7 @@ index 8f2ab09..685270c 100644
##
##
##
-@@ -244,20 +264,20 @@ interface(`nscd_unconfined',`
+@@ -244,20 +266,20 @@ interface(`nscd_unconfined',`
## Role allowed access.
##
##
@@ -42058,7 +42089,7 @@ index 8f2ab09..685270c 100644
##
##
##
-@@ -275,8 +295,31 @@ interface(`nscd_initrc_domtrans',`
+@@ -275,8 +297,31 @@ interface(`nscd_initrc_domtrans',`
########################################
##
@@ -42092,7 +42123,7 @@ index 8f2ab09..685270c 100644
##
##
##
-@@ -285,7 +328,7 @@ interface(`nscd_initrc_domtrans',`
+@@ -285,7 +330,7 @@ interface(`nscd_initrc_domtrans',`
##
##
##
@@ -42101,7 +42132,7 @@ index 8f2ab09..685270c 100644
##
##
##
-@@ -294,10 +337,14 @@ interface(`nscd_admin',`
+@@ -294,10 +339,14 @@ interface(`nscd_admin',`
gen_require(`
type nscd_t, nscd_log_t, nscd_var_run_t;
type nscd_initrc_exec_t;
@@ -42117,7 +42148,7 @@ index 8f2ab09..685270c 100644
init_labeled_script_domtrans($1, nscd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -310,5 +357,7 @@ interface(`nscd_admin',`
+@@ -310,5 +359,7 @@ interface(`nscd_admin',`
files_list_pids($1)
admin_pattern($1, nscd_var_run_t)
@@ -42715,7 +42746,7 @@ index 97df768..0398e70 100644
+ admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
')
diff --git a/nslcd.te b/nslcd.te
-index a3e56f0..bcc61b5 100644
+index a3e56f0..8903423 100644
--- a/nslcd.te
+++ b/nslcd.te
@@ -1,4 +1,4 @@
@@ -42741,7 +42772,7 @@ index a3e56f0..bcc61b5 100644
allow nslcd_t nslcd_conf_t:file read_file_perms;
-@@ -38,13 +38,10 @@ kernel_read_system_state(nslcd_t)
+@@ -38,12 +38,8 @@ kernel_read_system_state(nslcd_t)
corenet_all_recvfrom_unlabeled(nslcd_t)
corenet_all_recvfrom_netlabel(nslcd_t)
@@ -42753,11 +42784,9 @@ index a3e56f0..bcc61b5 100644
-corenet_tcp_sendrecv_ldap_port(nslcd_t)
+corenet_sendrecv_ldap_client_packets(nslcd_t)
-+files_read_etc_files(nslcd_t)
files_read_usr_symlinks(nslcd_t)
files_list_tmp(nslcd_t)
-
-@@ -52,10 +49,14 @@ auth_use_nsswitch(nslcd_t)
+@@ -52,10 +48,14 @@ auth_use_nsswitch(nslcd_t)
logging_send_syslog_msg(nslcd_t)
@@ -43270,10 +43299,10 @@ index 0000000..fce899a
+')
diff --git a/nsplugin.te b/nsplugin.te
new file mode 100644
-index 0000000..caac07d
+index 0000000..7d839fe
--- /dev/null
+++ b/nsplugin.te
-@@ -0,0 +1,324 @@
+@@ -0,0 +1,318 @@
+policy_module(nsplugin, 1.0.0)
+
+########################################
@@ -43320,10 +43349,6 @@ index 0000000..caac07d
+domain_type(nsplugin_config_t)
+domain_entry_file(nsplugin_config_t, nsplugin_config_exec_t)
+
-+application_executable_file(nsplugin_exec_t)
-+application_executable_file(nsplugin_config_exec_t)
-+
-+
+########################################
+#
+# nsplugin local policy
@@ -43402,7 +43427,6 @@ index 0000000..caac07d
+
+files_dontaudit_getattr_lost_found_dirs(nsplugin_t)
+files_dontaudit_list_home(nsplugin_t)
-+files_read_usr_files(nsplugin_t)
+files_read_config_files(nsplugin_t)
+
+fs_getattr_tmpfs(nsplugin_t)
@@ -43538,7 +43562,6 @@ index 0000000..caac07d
+
+domain_use_interactive_fds(nsplugin_config_t)
+
-+files_read_usr_files(nsplugin_config_t)
+files_dontaudit_search_home(nsplugin_config_t)
+files_list_tmp(nsplugin_config_t)
+
@@ -43599,7 +43622,7 @@ index 0000000..caac07d
+ pulseaudio_setattr_home_dir(nsplugin_t)
+')
diff --git a/ntop.te b/ntop.te
-index 52757d8..6519e8f 100644
+index 52757d8..638c3d2 100644
--- a/ntop.te
+++ b/ntop.te
@@ -58,7 +58,6 @@ kernel_read_system_state(ntop_t)
@@ -43610,6 +43633,14 @@ index 52757d8..6519e8f 100644
corenet_all_recvfrom_netlabel(ntop_t)
corenet_tcp_sendrecv_generic_if(ntop_t)
corenet_raw_sendrecv_generic_if(ntop_t)
+@@ -81,7 +80,6 @@ dev_rw_generic_usb_dev(ntop_t)
+
+ domain_use_interactive_fds(ntop_t)
+
+-files_read_usr_files(ntop_t)
+
+ fs_getattr_all_fs(ntop_t)
+ fs_search_auto_mountpoints(ntop_t)
diff --git a/ntp.fc b/ntp.fc
index af3c91e..6882a3f 100644
--- a/ntp.fc
@@ -43799,7 +43830,7 @@ index b59196f..d60b451 100644
+ allow $1 ntpd_unit_file_t:service all_service_perms;
')
diff --git a/ntp.te b/ntp.te
-index b90e343..b969766 100644
+index b90e343..71042cd 100644
--- a/ntp.te
+++ b/ntp.te
@@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t;
@@ -43836,7 +43867,12 @@ index b90e343..b969766 100644
corecmd_exec_bin(ntpd_t)
corecmd_exec_shell(ntpd_t)
-@@ -115,8 +113,11 @@ files_list_var_lib(ntpd_t)
+@@ -110,13 +108,15 @@ domain_use_interactive_fds(ntpd_t)
+ domain_dontaudit_list_all_domains_state(ntpd_t)
+
+ files_read_etc_runtime_files(ntpd_t)
+-files_read_usr_files(ntpd_t)
+ files_list_var_lib(ntpd_t)
fs_getattr_all_fs(ntpd_t)
fs_search_auto_mountpoints(ntpd_t)
@@ -43848,7 +43884,7 @@ index b90e343..b969766 100644
auth_use_nsswitch(ntpd_t)
-@@ -124,8 +125,6 @@ init_exec_script_files(ntpd_t)
+@@ -124,8 +124,6 @@ init_exec_script_files(ntpd_t)
logging_send_syslog_msg(ntpd_t)
@@ -43970,7 +44006,7 @@ index 0d3c270..709dda1 100644
+ ')
')
diff --git a/numad.te b/numad.te
-index f5d145d..c2d4196 100644
+index f5d145d..97e1148 100644
--- a/numad.te
+++ b/numad.te
@@ -1,4 +1,4 @@
@@ -43979,7 +44015,7 @@ index f5d145d..c2d4196 100644
########################################
#
-@@ -8,37 +8,39 @@ policy_module(numad, 1.0.3)
+@@ -8,29 +8,29 @@ policy_module(numad, 1.0.3)
type numad_t;
type numad_exec_t;
init_daemon_domain(numad_t, numad_exec_t)
@@ -44004,7 +44040,7 @@ index f5d145d..c2d4196 100644
+# numad local policy
#
-+allow numad_t self:process { fork };
++allow numad_t self:capability sys_ptrace;
allow numad_t self:fifo_file rw_fifo_file_perms;
-allow numad_t self:msg { send receive };
allow numad_t self:msgq create_msgq_perms;
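Review bot: `allow numad_t self:capability sys_ptrace;` is granted unconditionally, while the ptrace access on virt domains added in the next hunk (`virt_ptrace(numad_t)`) is wrapped in `tunable_policy(`deny_ptrace',`',` ... ')`, so with `deny_ptrace` set numad keeps the capability but not the domain-level permission. If the capability is only needed for that gated path, move the `allow` line inside the same tunable block; if numad needs CAP_SYS_PTRACE regardless (for example to read other processes' /proc entries alongside the `domain_read_all_domains_state` it is also given), a one-line comment saying so would stop the next reader from treating the asymmetry as an oversight.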
@@ -44014,22 +44050,26 @@ index f5d145d..c2d4196 100644
-allow numad_t numad_log_t:file { append_file_perms create_file_perms setattr_file_perms };
-logging_log_filetrans(numad_t, numad_log_t, file)
+manage_files_pattern(numad_t, numad_var_log_t, numad_var_log_t)
-+logging_log_filetrans(numad_t, numad_var_log_t, { file })
++logging_log_filetrans(numad_t, numad_var_log_t, file)
manage_files_pattern(numad_t, numad_var_run_t, numad_var_run_t)
--files_pid_filetrans(numad_t, numad_var_run_t, file)
-+files_pid_filetrans(numad_t, numad_var_run_t, { file })
-
- kernel_read_system_state(numad_t)
+ files_pid_filetrans(numad_t, numad_var_run_t, file)
+@@ -39,6 +39,13 @@ kernel_read_system_state(numad_t)
dev_read_sysfs(numad_t)
+-files_read_etc_files(numad_t)
+domain_use_interactive_fds(numad_t)
++domain_read_all_domains_state(numad_t)
++domain_setpriority_all_domains(numad_t)
+
- files_read_etc_files(numad_t)
++fs_manage_cgroup_dirs(numad_t)
++fs_rw_cgroup_files(numad_t)
-miscfiles_read_localization(numad_t)
-+fs_search_cgroup_dirs(numad_t)
++tunable_policy(`deny_ptrace',`',`
++ virt_ptrace(numad_t)
++')
diff --git a/nut.fc b/nut.fc
index 379af96..371119d 100644
--- a/nut.fc
@@ -44109,10 +44149,10 @@ index 57c0161..56660c5 100644
-')
+## nut - Network UPS Tools
diff --git a/nut.te b/nut.te
-index 0c9deb7..7c6ea74 100644
+index 0c9deb7..87c7eb7 100644
--- a/nut.te
+++ b/nut.te
-@@ -1,121 +1,106 @@
+@@ -1,121 +1,105 @@
-policy_module(nut, 1.2.4)
+policy_module(nut, 1.2.0)
@@ -44210,7 +44250,7 @@ index 0c9deb7..7c6ea74 100644
corenet_tcp_bind_generic_port(nut_upsd_t)
+corenet_tcp_bind_all_nodes(nut_upsd_t)
- files_read_usr_files(nut_upsd_t)
+-files_read_usr_files(nut_upsd_t)
auth_use_nsswitch(nut_upsd_t)
@@ -44277,7 +44317,7 @@ index 0c9deb7..7c6ea74 100644
mta_send_mail(nut_upsmon_t)
optional_policy(`
-@@ -124,14 +109,27 @@ optional_policy(`
+@@ -124,14 +108,27 @@ optional_policy(`
########################################
#
@@ -44307,7 +44347,7 @@ index 0c9deb7..7c6ea74 100644
corecmd_exec_bin(nut_upsdrvctl_t)
dev_read_sysfs(nut_upsdrvctl_t)
-@@ -144,17 +142,28 @@ auth_use_nsswitch(nut_upsdrvctl_t)
+@@ -144,17 +141,28 @@ auth_use_nsswitch(nut_upsdrvctl_t)
init_sigchld(nut_upsdrvctl_t)
@@ -44378,7 +44418,7 @@ index 251d681..50ae2a9 100644
+ filetrans_pattern($1, nx_server_var_lib_t, nx_server_home_ssh_t, dir, ".ssh")
+')
diff --git a/nx.te b/nx.te
-index b1832ca..df4fbb8 100644
+index b1832ca..d181d03 100644
--- a/nx.te
+++ b/nx.te
@@ -27,6 +27,9 @@ files_type(nx_server_var_lib_t)
@@ -44408,17 +44448,32 @@ index b1832ca..df4fbb8 100644
corenet_all_recvfrom_netlabel(nx_server_t)
corenet_tcp_sendrecv_generic_if(nx_server_t)
corenet_tcp_sendrecv_generic_node(nx_server_t)
-@@ -71,10 +76,6 @@ files_read_etc_files(nx_server_t)
- files_read_etc_runtime_files(nx_server_t)
- files_read_usr_files(nx_server_t)
+@@ -67,13 +72,7 @@ corenet_sendrecv_all_client_packets(nx_server_t)
+
+ dev_read_urand(nx_server_t)
+-files_read_etc_files(nx_server_t)
+ files_read_etc_runtime_files(nx_server_t)
+-files_read_usr_files(nx_server_t)
+-
-miscfiles_read_localization(nx_server_t)
-
-seutil_dontaudit_search_config(nx_server_t)
--
+
sysnet_read_config(nx_server_t)
- ssh_basic_client_template(nx_server, nx_server_t, nx_server_r)
+diff --git a/oav.te b/oav.te
+index 75fdf58..1a9e754 100644
+--- a/oav.te
++++ b/oav.te
+@@ -95,7 +95,6 @@ dev_read_sysfs(scannerdaemon_t)
+ domain_use_interactive_fds(scannerdaemon_t)
+
+ files_exec_etc_files(scannerdaemon_t)
+-files_read_etc_files(scannerdaemon_t)
+ files_read_etc_runtime_files(scannerdaemon_t)
+ files_search_var_lib(scannerdaemon_t)
+
diff --git a/obex.fc b/obex.fc
index 03fa560..000c5fe 100644
--- a/obex.fc
@@ -44923,10 +44978,16 @@ index 296a1d3..467700e 100644
+userdom_stream_connect(oddjob_mkhomedir_t)
+
diff --git a/openct.te b/openct.te
-index 8467596..866bd6a 100644
+index 8467596..66f068f 100644
--- a/openct.te
+++ b/openct.te
-@@ -34,6 +34,8 @@ kernel_read_kernel_sysctls(openct_t)
+@@ -28,12 +28,12 @@ manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
+ manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
+ files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file })
+
+-can_exec(openct_t, openct_exec_t)
+-
+ kernel_read_kernel_sysctls(openct_t)
kernel_list_proc(openct_t)
kernel_read_proc_symlinks(openct_t)
@@ -44935,7 +44996,14 @@ index 8467596..866bd6a 100644
dev_read_sysfs(openct_t)
dev_rw_usbfs(openct_t)
dev_rw_smartcard(openct_t)
-@@ -48,8 +50,6 @@ fs_search_auto_mountpoints(openct_t)
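Review bot: The new side now deletes `can_exec(openct_t, openct_exec_t)` from openct.te with no replacement visible in this hunk. If any helper openct spawns is labelled `openct_exec_t` — the upstream rule suggests the daemon executes something of its own type — that exec becomes a denial once this lands; if the rule was dead permission, a short note in the patch saying so would help. Verify against openct.fc and an AVC run rather than against the hunk alone, which only shows the removal.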
+@@ -41,15 +41,12 @@ dev_rw_generic_usb_dev(openct_t)
+
+ domain_use_interactive_fds(openct_t)
+
+-files_read_etc_files(openct_t)
+
+ fs_getattr_all_fs(openct_t)
+ fs_search_auto_mountpoints(openct_t)
logging_send_syslog_msg(openct_t)
@@ -44944,6 +45012,18 @@ index 8467596..866bd6a 100644
userdom_dontaudit_use_unpriv_user_fds(openct_t)
userdom_dontaudit_search_user_home_dirs(openct_t)
+diff --git a/openhpi.te b/openhpi.te
+index 7f398c0..e66751b 100644
+--- a/openhpi.te
++++ b/openhpi.te
+@@ -50,7 +50,6 @@ corenet_tcp_sendrecv_openhpid_port(openhpid_t)
+
+ dev_read_urand(openhpid_t)
+
+-files_read_etc_files(openhpid_t)
+
+ logging_send_syslog_msg(openhpid_t)
+
diff --git a/openhpid.fc b/openhpid.fc
new file mode 100644
index 0000000..9441fd7
@@ -45125,10 +45205,10 @@ index 0000000..598789a
+
diff --git a/openhpid.te b/openhpid.te
new file mode 100644
-index 0000000..c4ecca7
+index 0000000..be2a88d
--- /dev/null
+++ b/openhpid.te
-@@ -0,0 +1,51 @@
+@@ -0,0 +1,50 @@
+policy_module(openhpid, 1.0.0)
+
+########################################
@@ -45177,7 +45257,6 @@ index 0000000..c4ecca7
+
+dev_read_urand(openhpid_t)
+
-+files_read_etc_files(openhpid_t)
+
+logging_send_syslog_msg(openhpid_t)
diff --git a/openshift-origin.fc b/openshift-origin.fc
@@ -45895,10 +45974,10 @@ index 0000000..98ce2c3
+')
diff --git a/openshift.te b/openshift.te
new file mode 100644
-index 0000000..d97b009
+index 0000000..4fe3c71
--- /dev/null
+++ b/openshift.te
-@@ -0,0 +1,383 @@
+@@ -0,0 +1,377 @@
+policy_module(openshift,1.0.0)
+
+gen_require(`
@@ -46115,10 +46194,7 @@ index 0000000..d97b009
+files_dontaudit_search_all_mountpoints(openshift_domain)
+files_dontaudit_search_spool(openshift_domain)
+files_dontaudit_search_all_dirs(openshift_domain)
-+files_dontaudit_list_var(openshift_domain)
-+files_read_etc_files(openshift_domain)
+files_exec_etc_files(openshift_domain)
-+files_read_usr_files(openshift_domain)
+files_exec_usr_files(openshift_domain)
+files_dontaudit_getattr_non_security_sockets(openshift_domain)
+files_dontaudit_setattr_non_security_dirs(openshift_domain)
@@ -46127,9 +46203,6 @@ index 0000000..d97b009
+libs_exec_lib_files(openshift_domain)
+libs_exec_ld_so(openshift_domain)
+
-+term_use_ptmx(openshift_domain)
-+term_use_generic_ptys(openshift_domain)
-+
+selinux_validate_context(openshift_domain)
+
+logging_inherit_append_all_logs(openshift_domain)
@@ -46142,6 +46215,7 @@ index 0000000..d97b009
+mta_dontaudit_read_spool_symlinks(openshift_domain)
+
+term_dontaudit_search_ptys(openshift_domain)
++term_use_generic_ptys(openshift_domain)
+term_use_ptmx(openshift_domain)
+
+userdom_use_inherited_user_ptys(openshift_domain)
@@ -46265,7 +46339,6 @@ index 0000000..d97b009
+
+domain_use_interactive_fds(openshift_cgroup_read_t)
+
-+files_read_etc_files(openshift_cgroup_read_t)
+
+fs_dontaudit_rw_anon_inodefs_files(openshift_cgroup_read_t)
+
@@ -46674,7 +46747,7 @@ index 9b15730..14f29e4 100644
+ ')
')
diff --git a/openvswitch.te b/openvswitch.te
-index 508fedf..b8995a2 100644
+index 508fedf..4068f7f 100644
--- a/openvswitch.te
+++ b/openvswitch.te
@@ -1,4 +1,4 @@
@@ -46760,10 +46833,11 @@ index 508fedf..b8995a2 100644
corecmd_exec_bin(openvswitch_t)
-@@ -74,16 +69,22 @@ dev_read_urand(openvswitch_t)
+@@ -73,17 +68,22 @@ dev_read_urand(openvswitch_t)
+
domain_use_interactive_fds(openvswitch_t)
- files_read_etc_files(openvswitch_t)
+-files_read_etc_files(openvswitch_t)
+files_read_kernel_modules(openvswitch_t)
fs_getattr_all_fs(openvswitch_t)
@@ -47297,7 +47371,7 @@ index bf59ef7..c050b37 100644
+ manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t)
')
diff --git a/passenger.te b/passenger.te
-index 4e114ff..ca09bc0 100644
+index 4e114ff..fddaed2 100644
--- a/passenger.te
+++ b/passenger.te
@@ -1,4 +1,4 @@
@@ -47371,12 +47445,11 @@ index 4e114ff..ca09bc0 100644
corecmd_exec_bin(passenger_t)
corecmd_exec_shell(passenger_t)
-@@ -66,14 +70,12 @@ dev_read_urand(passenger_t)
+@@ -66,14 +70,11 @@ dev_read_urand(passenger_t)
domain_read_all_domains_state(passenger_t)
-files_read_etc_files(passenger_t)
-+files_read_usr_files(passenger_t)
auth_use_nsswitch(passenger_t)
@@ -47387,7 +47460,7 @@ index 4e114ff..ca09bc0 100644
userdom_dontaudit_use_user_terminals(passenger_t)
optional_policy(`
-@@ -90,14 +92,15 @@ optional_policy(`
+@@ -90,14 +91,15 @@ optional_policy(`
')
optional_policy(`
@@ -47573,7 +47646,7 @@ index d2fc677..920b13f 100644
- admin_pattern($1, pegasus_var_run_t)
-')
diff --git a/pegasus.te b/pegasus.te
-index 7bcf327..d459c82 100644
+index 7bcf327..e440d35 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -1,4 +1,4 @@
@@ -47680,15 +47753,7 @@ index 7bcf327..d459c82 100644
domain_use_interactive_fds(pegasus_t)
domain_read_all_domains_state(pegasus_t)
-@@ -122,24 +115,31 @@ files_list_var_lib(pegasus_t)
- files_read_var_lib_files(pegasus_t)
- files_read_var_lib_symlinks(pegasus_t)
-
-+hostname_exec(pegasus_t)
-+
- init_rw_utmp(pegasus_t)
- init_stream_connect_script(pegasus_t)
-
+@@ -128,18 +121,23 @@ init_stream_connect_script(pegasus_t)
logging_send_audit_msgs(pegasus_t)
logging_send_syslog_msg(pegasus_t)
@@ -47704,42 +47769,41 @@ index 7bcf327..d459c82 100644
- dbus_connect_system_bus(pegasus_t)
+ dbus_system_bus_client(pegasus_t)
+ dbus_connect_system_bus(pegasus_t)
-+
-+ optional_policy(`
-+ networkmanager_dbus_chat(pegasus_t)
-+ ')
-+')
- optional_policy(`
- networkmanager_dbus_chat(pegasus_t)
- ')
++ optional_policy(`
++ networkmanager_dbus_chat(pegasus_t)
++ ')
++')
++
+optional_policy(`
+ corosync_stream_connect(pegasus_t)
')
optional_policy(`
-@@ -151,6 +151,10 @@ optional_policy(`
+@@ -151,16 +149,15 @@ optional_policy(`
')
optional_policy(`
+- rpm_exec(pegasus_t)
+ ricci_stream_connect_modclusterd(pegasus_t)
-+')
-+
-+optional_policy(`
- rpm_exec(pegasus_t)
')
-@@ -159,8 +163,7 @@ optional_policy(`
+ optional_policy(`
+- samba_manage_config(pegasus_t)
++ rpm_exec(pegasus_t)
')
optional_policy(`
- seutil_sigchld_newrole(pegasus_t)
- seutil_dontaudit_read_config(pegasus_t)
-+ sysnet_domtrans_ifconfig(pegasus_t)
++ samba_manage_config(pegasus_t)
')
optional_policy(`
-@@ -168,7 +171,7 @@ optional_policy(`
+@@ -168,7 +165,7 @@ optional_policy(`
')
optional_policy(`
@@ -48013,10 +48077,10 @@ index 0000000..8d681d1
+')
diff --git a/piranha.te b/piranha.te
new file mode 100644
-index 0000000..be7f288
+index 0000000..34e591f
--- /dev/null
+++ b/piranha.te
-@@ -0,0 +1,295 @@
+@@ -0,0 +1,293 @@
+policy_module(piranha, 1.0.0)
+
+########################################
@@ -48126,7 +48190,6 @@ index 0000000..be7f288
+
+domain_read_all_domains_state(piranha_web_t)
+
-+files_read_usr_files(piranha_web_t)
+
+optional_policy(`
+ consoletype_exec(piranha_web_t)
@@ -48306,7 +48369,6 @@ index 0000000..be7f288
+corenet_tcp_bind_generic_node(piranha_domain)
+corenet_udp_bind_generic_node(piranha_domain)
+
-+files_read_etc_files(piranha_domain)
+
+corecmd_exec_bin(piranha_domain)
+corecmd_exec_shell(piranha_domain)
@@ -48614,10 +48676,10 @@ index 0000000..848ddc9
+')
diff --git a/pkcsslotd.te b/pkcsslotd.te
new file mode 100644
-index 0000000..9ab2c4d
+index 0000000..d6d79b9
--- /dev/null
+++ b/pkcsslotd.te
-@@ -0,0 +1,61 @@
+@@ -0,0 +1,60 @@
+policy_module(pkcsslotd, 1.0.0)
+
+########################################
@@ -48676,7 +48738,6 @@ index 0000000..9ab2c4d
+
+domain_use_interactive_fds(pkcsslotd_t)
+
-+files_read_etc_files(pkcsslotd_t)
+
+logging_send_syslog_msg(pkcsslotd_t)
diff --git a/pki.fc b/pki.fc
@@ -48996,10 +49057,10 @@ index 0000000..83c13cf
+
diff --git a/pki.te b/pki.te
new file mode 100644
-index 0000000..dfebbd9
+index 0000000..352c7e4
--- /dev/null
+++ b/pki.te
-@@ -0,0 +1,289 @@
+@@ -0,0 +1,282 @@
+policy_module(pki,10.0.11)
+
+########################################
@@ -49116,7 +49177,6 @@ index 0000000..dfebbd9
+corenet_tcp_connect_ldap_port(pki_tomcat_t)
+corenet_tcp_connect_smtp_port(pki_tomcat_t)
+corenet_tcp_connect_pki_ca_port(pki_tomcat_t)
-+corenet_tcp_connect_ldap_port(pki_tomcat_t)
+
+selinux_get_enforce_mode(pki_tomcat_t)
+
@@ -49150,11 +49210,6 @@ index 0000000..dfebbd9
+ hostname_exec(pki_tomcat_t)
+')
+
-+# install/ uninstall instance
-+# WHY? leak?
-+#allow load_policy_t pki_log_t:file write;
-+#allow setfiles_t pki_log_t:file write;
-+
+#######################################
+#
+# tps local policy
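Review bot: This hunk deletes the commented-out `#allow load_policy_t pki_log_t:file write;` / `#allow setfiles_t pki_log_t:file write;` lines together with their `# WHY? leak?` note, which is the right cleanup, but the next pki.te hunk leaves the equivalent `# why do I need to add this?` / `#allow httpd_t httpd_config_t:file execute;` pair in place. A commented-out allow rule carrying an open question tends to be re-enabled later without anyone revisiting the question, and `file execute` on httpd_config_t for httpd_t is not a rule to keep lying around. Either drop that pair as well, or replace the question with a sentence stating why the rule is not needed.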
@@ -49172,7 +49227,6 @@ index 0000000..dfebbd9
+corenet_tcp_connect_pki_tks_port(pki_tps_t)
+
+files_exec_usr_files(pki_tps_t)
-+files_read_usr_files(pki_tps_t)
+
+# why do I need to add this?
+#allow httpd_t httpd_config_t:file execute;
@@ -49593,7 +49647,7 @@ index 30e751f..17c097d 100644
admin_pattern($1, plymouthd_var_run_t)
')
diff --git a/plymouthd.te b/plymouthd.te
-index b1f412b..5772ef0 100644
+index b1f412b..3a3249a 100644
--- a/plymouthd.te
+++ b/plymouthd.te
@@ -1,4 +1,4 @@
@@ -49637,7 +49691,14 @@ index b1f412b..5772ef0 100644
logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir })
manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
-@@ -77,12 +75,22 @@ term_getattr_pty_fs(plymouthd_t)
+@@ -70,19 +68,27 @@ domain_use_interactive_fds(plymouthd_t)
+
+ fs_getattr_all_fs(plymouthd_t)
+
+-files_read_etc_files(plymouthd_t)
+-files_read_usr_files(plymouthd_t)
+
+ term_getattr_pty_fs(plymouthd_t)
term_use_all_terms(plymouthd_t)
term_use_ptmx(plymouthd_t)
@@ -49662,7 +49723,7 @@ index b1f412b..5772ef0 100644
')
optional_policy(`
-@@ -90,21 +98,19 @@ optional_policy(`
+@@ -90,35 +96,33 @@ optional_policy(`
')
optional_policy(`
@@ -49688,7 +49749,9 @@ index b1f412b..5772ef0 100644
kernel_read_system_state(plymouth_t)
kernel_stream_connect(plymouth_t)
-@@ -114,11 +120,12 @@ files_read_etc_files(plymouth_t)
+ domain_use_interactive_fds(plymouth_t)
+
+-files_read_etc_files(plymouth_t)
term_use_ptmx(plymouth_t)
@@ -49704,7 +49767,7 @@ index b1f412b..5772ef0 100644
hal_dontaudit_write_log(plymouth_t)
hal_dontaudit_rw_pipes(plymouth_t)
diff --git a/podsleuth.te b/podsleuth.te
-index a14b3bc..caa8e6c 100644
+index a14b3bc..b196183 100644
--- a/podsleuth.te
+++ b/podsleuth.te
@@ -29,7 +29,8 @@ userdom_user_tmpfs_file(podsleuth_tmpfs_t)
@@ -49717,7 +49780,15 @@ index a14b3bc..caa8e6c 100644
allow podsleuth_t self:fifo_file rw_fifo_file_perms;
allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
allow podsleuth_t self:sem create_sem_perms;
-@@ -76,8 +77,6 @@ fs_getattr_tmpfs(podsleuth_t)
+@@ -65,7 +66,6 @@ corenet_tcp_sendrecv_http_port(podsleuth_t)
+
+ dev_read_urand(podsleuth_t)
+
+-files_read_etc_files(podsleuth_t)
+
+ fs_mount_dos_fs(podsleuth_t)
+ fs_unmount_dos_fs(podsleuth_t)
+@@ -76,8 +76,6 @@ fs_getattr_tmpfs(podsleuth_t)
fs_list_tmpfs(podsleuth_t)
fs_rw_removable_blk_files(podsleuth_t)
@@ -50010,7 +50081,7 @@ index 032a84d..be00a65 100644
+ allow $1 policykit_auth_t:process signal;
')
diff --git a/policykit.te b/policykit.te
-index 49694e8..946bfb5 100644
+index 49694e8..0372dfd 100644
--- a/policykit.te
+++ b/policykit.te
@@ -1,4 +1,4 @@
@@ -50042,7 +50113,7 @@ index 49694e8..946bfb5 100644
type policykit_resolve_t, policykit_domain;
type policykit_resolve_exec_t;
-@@ -42,63 +37,64 @@ files_pid_file(policykit_var_run_t)
+@@ -42,48 +37,43 @@ files_pid_file(policykit_var_run_t)
#######################################
#
@@ -50105,10 +50176,7 @@ index 49694e8..946bfb5 100644
domain_read_all_domains_state(policykit_t)
-+files_read_usr_files(policykit_t)
- files_dontaudit_search_all_mountpoints(policykit_t)
-
- fs_list_inotifyfs(policykit_t)
+@@ -93,12 +83,17 @@ fs_list_inotifyfs(policykit_t)
auth_use_nsswitch(policykit_t)
@@ -50126,7 +50194,7 @@ index 49694e8..946bfb5 100644
optional_policy(`
consolekit_dbus_chat(policykit_t)
')
-@@ -109,29 +105,43 @@ optional_policy(`
+@@ -109,29 +104,43 @@ optional_policy(`
')
optional_policy(`
@@ -50178,7 +50246,7 @@ index 49694e8..946bfb5 100644
rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
-@@ -145,14 +155,12 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
+@@ -145,9 +154,6 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
@@ -50188,13 +50256,7 @@ index 49694e8..946bfb5 100644
kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
dev_read_video_dev(policykit_auth_t)
-
- files_read_etc_runtime_files(policykit_auth_t)
-+files_read_usr_files(policykit_auth_t)
- files_search_home(policykit_auth_t)
-
- fs_getattr_all_fs(policykit_auth_t)
-@@ -162,48 +170,58 @@ auth_rw_var_auth(policykit_auth_t)
+@@ -162,48 +168,58 @@ auth_rw_var_auth(policykit_auth_t)
auth_use_nsswitch(policykit_auth_t)
auth_domtrans_chk_passwd(policykit_auth_t)
@@ -50263,7 +50325,7 @@ index 49694e8..946bfb5 100644
rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t)
-@@ -211,23 +229,21 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
+@@ -211,23 +227,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t)
@@ -50271,7 +50333,6 @@ index 49694e8..946bfb5 100644
-
-domtrans_pattern(policykit_grant_t, policykit_auth_exec_t, policykit_auth_t)
-domtrans_pattern(policykit_grant_t, policykit_resolve_exec_t, policykit_resolve_t)
-+files_read_usr_files(policykit_grant_t)
auth_domtrans_chk_passwd(policykit_grant_t)
auth_use_nsswitch(policykit_grant_t)
@@ -50291,7 +50352,7 @@ index 49694e8..946bfb5 100644
optional_policy(`
consolekit_dbus_chat(policykit_grant_t)
')
-@@ -235,26 +251,29 @@ optional_policy(`
+@@ -235,26 +248,28 @@ optional_policy(`
########################################
#
@@ -50318,7 +50379,6 @@ index 49694e8..946bfb5 100644
-domtrans_pattern(policykit_resolve_t, policykit_auth_exec_t, policykit_auth_t)
-
-mcs_ptrace_all(policykit_resolve_t)
-+files_read_usr_files(policykit_resolve_t)
auth_use_nsswitch(policykit_resolve_t)
@@ -50327,7 +50387,7 @@ index 49694e8..946bfb5 100644
userdom_read_all_users_state(policykit_resolve_t)
optional_policy(`
-@@ -266,6 +285,7 @@ optional_policy(`
+@@ -266,6 +281,7 @@ optional_policy(`
')
optional_policy(`
@@ -50608,7 +50668,7 @@ index ae27bb7..d00f6ba 100644
+ allow $1 polipo_unit_file_t:service all_service_perms;
')
diff --git a/polipo.te b/polipo.te
-index 316d53a..a0b37ad 100644
+index 316d53a..79b5c4f 100644
--- a/polipo.te
+++ b/polipo.te
@@ -1,4 +1,4 @@
@@ -50684,7 +50744,7 @@ index 316d53a..a0b37ad 100644
type polipo_cache_t;
files_type(polipo_cache_t)
-@@ -56,112 +63,97 @@ files_type(polipo_cache_t)
+@@ -56,112 +63,96 @@ files_type(polipo_cache_t)
type polipo_log_t;
logging_log_file(polipo_log_t)
@@ -50737,7 +50797,6 @@ index 316d53a..a0b37ad 100644
-tunable_policy(`polipo_session_send_syslog_msg',`
- logging_send_syslog_msg(polipo_session_t)
-')
-+files_read_usr_files(polipo_daemon)
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(polipo_session_t)
@@ -50789,24 +50848,24 @@ index 316d53a..a0b37ad 100644
optional_policy(`
- cron_system_entry(polipo_system_t, polipo_exec_t)
+ cron_system_entry(polipo_t, polipo_exec_t)
++')
++
++tunable_policy(`polipo_connect_all_unreserved',`
++ corenet_tcp_connect_all_unreserved_ports(polipo_t)
')
-tunable_policy(`polipo_system_use_cifs',`
- fs_manage_cifs_files(polipo_system_t)
-',`
- fs_dontaudit_read_cifs_files(polipo_system_t)
-+tunable_policy(`polipo_connect_all_unreserved',`
-+ corenet_tcp_connect_all_unreserved_ports(polipo_t)
++tunable_policy(`polipo_use_cifs',`
++ fs_manage_cifs_files(polipo_t)
')
-tunable_policy(`polipo_system_use_nfs',`
- fs_manage_nfs_files(polipo_system_t)
-',`
- fs_dontaudit_read_nfs_files(polipo_system_t)
-+tunable_policy(`polipo_use_cifs',`
-+ fs_manage_cifs_files(polipo_t)
-+')
-+
+tunable_policy(`polipo_use_nfs',`
+ fs_manage_nfs_files(polipo_t)
')
@@ -50849,6 +50908,26 @@ index 316d53a..a0b37ad 100644
-miscfiles_read_localization(polipo_daemon)
+userdom_home_manager(polipo_session_t)
+diff --git a/portage.te b/portage.te
+index a95fc4a..b9b5418 100644
+--- a/portage.te
++++ b/portage.te
+@@ -108,7 +108,6 @@ domain_use_interactive_fds(gcc_config_t)
+
+ files_manage_etc_files(gcc_config_t)
+ files_rw_etc_runtime_files(gcc_config_t)
+-files_read_usr_files(gcc_config_t)
+ files_search_var_lib(gcc_config_t)
+ files_search_pids(gcc_config_t)
+ # complains loudly about not being able to list
+@@ -291,7 +290,6 @@ dev_dontaudit_read_rand(portage_fetch_t)
+ domain_use_interactive_fds(portage_fetch_t)
+
+ files_read_etc_runtime_files(portage_fetch_t)
+-files_read_usr_files(portage_fetch_t)
+ files_dontaudit_search_pids(portage_fetch_t)
+
+ fs_search_auto_mountpoints(portage_fetch_t)
diff --git a/portmap.fc b/portmap.fc
index cd45831..69406ee 100644
--- a/portmap.fc
@@ -50940,7 +51019,7 @@ index 5ad5291..7f1ae2a 100644
portreserve_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/portreserve.te b/portreserve.te
-index a38b57a..614785d 100644
+index a38b57a..aa9d604 100644
--- a/portreserve.te
+++ b/portreserve.te
@@ -41,7 +41,6 @@ files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir }
@@ -50951,6 +51030,13 @@ index a38b57a..614785d 100644
corenet_all_recvfrom_netlabel(portreserve_t)
corenet_tcp_sendrecv_generic_if(portreserve_t)
corenet_udp_sendrecv_generic_if(portreserve_t)
+@@ -56,6 +55,5 @@ corenet_sendrecv_all_server_packets(portreserve_t)
+ corenet_tcp_bind_all_ports(portreserve_t)
+ corenet_udp_bind_all_ports(portreserve_t)
+
+-files_read_etc_files(portreserve_t)
+
+ userdom_dontaudit_search_user_home_content(portreserve_t)
diff --git a/portslave.te b/portslave.te
index e85e33d..a7d7c55 100644
--- a/portslave.te
@@ -51908,7 +51994,7 @@ index 2e23946..41da729 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
')
diff --git a/postfix.te b/postfix.te
-index 191a66f..ca44603 100644
+index 191a66f..0a90ce1 100644
--- a/postfix.te
+++ b/postfix.te
@@ -1,4 +1,4 @@
@@ -52117,10 +52203,10 @@ index 191a66f..ca44603 100644
-allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
+allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms lock };
++
++allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms;
-allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms;
-+allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms;
-+
+allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms;
+
+manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
@@ -52154,27 +52240,27 @@ index 191a66f..ca44603 100644
-manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
-setattr_dirs_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_private_t, dir, "private")
-
+-
-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_public_t)
-manage_fifo_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
-manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
-setattr_dirs_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_public_t, dir, "public")
--
+
-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t)
delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+rw_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop")
--
+
-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t)
-setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid")
-
--can_exec(postfix_master_t, postfix_exec_t)
+kernel_read_all_sysctls(postfix_master_t)
+-can_exec(postfix_master_t, postfix_exec_t)
+-
-domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
-domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
-
@@ -52182,7 +52268,7 @@ index 191a66f..ca44603 100644
corenet_all_recvfrom_netlabel(postfix_master_t)
corenet_tcp_sendrecv_generic_if(postfix_master_t)
corenet_udp_sendrecv_generic_if(postfix_master_t)
-@@ -263,50 +166,47 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
+@@ -263,50 +166,44 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
corenet_udp_sendrecv_generic_node(postfix_master_t)
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
@@ -52221,12 +52307,11 @@ index 191a66f..ca44603 100644
domain_use_interactive_fds(postfix_master_t)
-+files_read_usr_files(postfix_master_t)
+files_search_var_lib(postfix_master_t)
files_search_tmp(postfix_master_t)
- mcs_file_read_all(postfix_master_t)
-
+-mcs_file_read_all(postfix_master_t)
+-
term_dontaudit_search_ptys(postfix_master_t)
-miscfiles_read_man_pages(postfix_master_t)
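Review bot: Removing `mcs_file_read_all(postfix_master_t)` here, and `mcs_file_read_all`/`mcs_file_write_all` for postfix_pickup_t, postfix_postdrop_t and postfix_showq_t in the three later postfix.te hunks, drops the MCS category override these domains had over the mail queue. That is a welcome tightening only if the MCS constraints were relaxed elsewhere so that unconstrained domains no longer need the override; the hunk does not say, and if they were not, pickup and postdrop can no longer touch queue files that carry user categories and local delivery fails silently. Suggest one line in the patch description naming the policy/mcs change that makes these calls redundant, plus a check that no remaining postfix_* domain still calls them.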
@@ -52252,7 +52337,7 @@ index 191a66f..ca44603 100644
optional_policy(`
cyrus_stream_connect(postfix_master_t)
')
-@@ -316,14 +216,11 @@ optional_policy(`
+@@ -316,14 +213,11 @@ optional_policy(`
')
optional_policy(`
@@ -52268,7 +52353,7 @@ index 191a66f..ca44603 100644
postgrey_search_spool(postfix_master_t)
')
-@@ -333,12 +230,14 @@ optional_policy(`
+@@ -333,12 +227,14 @@ optional_policy(`
########################################
#
@@ -52285,7 +52370,7 @@ index 191a66f..ca44603 100644
manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
-@@ -355,35 +254,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
+@@ -355,35 +251,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
########################################
#
@@ -52330,7 +52415,7 @@ index 191a66f..ca44603 100644
mta_read_aliases(postfix_cleanup_t)
-@@ -393,29 +291,45 @@ optional_policy(`
+@@ -393,29 +288,45 @@ optional_policy(`
########################################
#
@@ -52382,7 +52467,7 @@ index 191a66f..ca44603 100644
tunable_policy(`postfix_local_write_mail_spool',`
mta_manage_spool(postfix_local_t)
')
-@@ -423,6 +337,7 @@ tunable_policy(`postfix_local_write_mail_spool',`
+@@ -423,6 +334,7 @@ tunable_policy(`postfix_local_write_mail_spool',`
optional_policy(`
clamav_search_lib(postfix_local_t)
clamav_exec_clamscan(postfix_local_t)
@@ -52390,7 +52475,7 @@ index 191a66f..ca44603 100644
')
optional_policy(`
-@@ -434,6 +349,7 @@ optional_policy(`
+@@ -434,6 +346,7 @@ optional_policy(`
')
optional_policy(`
@@ -52398,7 +52483,7 @@ index 191a66f..ca44603 100644
mailman_manage_data_files(postfix_local_t)
mailman_append_log(postfix_local_t)
mailman_read_log(postfix_local_t)
-@@ -444,6 +360,10 @@ optional_policy(`
+@@ -444,6 +357,10 @@ optional_policy(`
')
optional_policy(`
@@ -52409,7 +52494,7 @@ index 191a66f..ca44603 100644
procmail_domtrans(postfix_local_t)
')
-@@ -458,15 +378,17 @@ optional_policy(`
+@@ -458,15 +375,17 @@ optional_policy(`
########################################
#
@@ -52433,7 +52518,7 @@ index 191a66f..ca44603 100644
manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
-@@ -476,14 +398,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
+@@ -476,14 +395,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
kernel_dontaudit_list_proc(postfix_map_t)
kernel_dontaudit_read_system_state(postfix_map_t)
@@ -52453,7 +52538,15 @@ index 191a66f..ca44603 100644
corecmd_list_bin(postfix_map_t)
corecmd_read_bin_symlinks(postfix_map_t)
-@@ -500,21 +423,22 @@ auth_use_nsswitch(postfix_map_t)
+@@ -492,7 +412,6 @@ corecmd_read_bin_pipes(postfix_map_t)
+ corecmd_read_bin_sockets(postfix_map_t)
+
+ files_list_home(postfix_map_t)
+-files_read_usr_files(postfix_map_t)
+ files_read_etc_runtime_files(postfix_map_t)
+ files_dontaudit_search_var(postfix_map_t)
+
+@@ -500,21 +419,22 @@ auth_use_nsswitch(postfix_map_t)
logging_send_syslog_msg(postfix_map_t)
@@ -52479,7 +52572,7 @@ index 191a66f..ca44603 100644
stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
-@@ -524,6 +448,8 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
+@@ -524,16 +444,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
@@ -52488,8 +52581,10 @@ index 191a66f..ca44603 100644
allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms;
read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
-@@ -533,7 +459,7 @@ mcs_file_write_all(postfix_pickup_t)
+-mcs_file_read_all(postfix_pickup_t)
+-mcs_file_write_all(postfix_pickup_t)
+-
########################################
#
-# Pipe local policy
@@ -52497,7 +52592,7 @@ index 191a66f..ca44603 100644
#
allow postfix_pipe_t self:process setrlimit;
-@@ -576,20 +502,28 @@ optional_policy(`
+@@ -576,19 +495,24 @@ optional_policy(`
########################################
#
@@ -52520,16 +52615,14 @@ index 191a66f..ca44603 100644
-allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
-
- mcs_file_read_all(postfix_postdrop_t)
- mcs_file_write_all(postfix_postdrop_t)
-
+-mcs_file_read_all(postfix_postdrop_t)
+-mcs_file_write_all(postfix_postdrop_t)
+corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
+corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
-+
+
term_dontaudit_use_all_ptys(postfix_postdrop_t)
term_dontaudit_use_all_ttys(postfix_postdrop_t)
-
-@@ -603,10 +537,7 @@ optional_policy(`
+@@ -603,10 +527,7 @@ optional_policy(`
cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
')
@@ -52541,7 +52634,7 @@ index 191a66f..ca44603 100644
optional_policy(`
fstools_read_pipes(postfix_postdrop_t)
')
-@@ -621,17 +552,23 @@ optional_policy(`
+@@ -621,17 +542,23 @@ optional_policy(`
#######################################
#
@@ -52568,7 +52661,7 @@ index 191a66f..ca44603 100644
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
-@@ -647,67 +584,80 @@ optional_policy(`
+@@ -647,67 +574,77 @@ optional_policy(`
########################################
#
@@ -52625,8 +52718,8 @@ index 191a66f..ca44603 100644
-allow postfix_showq_t postfix_spool_t:file read_file_perms;
-
- mcs_file_read_all(postfix_showq_t)
-
+-mcs_file_read_all(postfix_showq_t)
+-
+# to write the mailq output, it really should not need read access!
term_use_all_ptys(postfix_showq_t)
term_use_all_ttys(postfix_showq_t)
@@ -52651,7 +52744,6 @@ index 191a66f..ca44603 100644
+# for spampd
+corenet_tcp_connect_spamd_port(postfix_master_t)
-+corenet_tcp_bind_spamd_port(postfix_master_t)
+
+files_search_all_mountpoints(postfix_smtp_t)
+
@@ -52665,7 +52757,7 @@ index 191a66f..ca44603 100644
')
optional_policy(`
-@@ -720,24 +670,28 @@ optional_policy(`
+@@ -720,24 +657,27 @@ optional_policy(`
########################################
#
@@ -52694,13 +52786,12 @@ index 191a66f..ca44603 100644
corecmd_exec_bin(postfix_smtpd_t)
+# for OpenSSL certificates
-+files_read_usr_files(postfix_smtpd_t)
+
+# postfix checks the size of all mounted file systems
fs_getattr_all_dirs(postfix_smtpd_t)
fs_getattr_all_fs(postfix_smtpd_t)
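Review bot: The `# for OpenSSL certificates` comment stays in postfix.te while the `files_read_usr_files(postfix_smtpd_t)` line it annotated is dropped from the patch, so on the new side the comment now sits above a blank line and explains nothing. Either drop the comment with the rule, or reattach it to whatever now grants postfix_smtpd_t read access to the certificate store, e.g. `# certificate reads for postfix_smtpd_t now come from <INTERFACE-OR-BASE-RULE>`. The ppp.te hunk moves a `# for scripts` comment in a similar way; its referent is not visible in that hunk, so it may be worth the same check.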
-@@ -754,6 +708,7 @@ optional_policy(`
+@@ -754,6 +694,7 @@ optional_policy(`
optional_policy(`
milter_stream_connect_all(postfix_smtpd_t)
@@ -52708,7 +52799,7 @@ index 191a66f..ca44603 100644
')
optional_policy(`
-@@ -764,31 +719,102 @@ optional_policy(`
+@@ -764,31 +705,100 @@ optional_policy(`
sasl_connect(postfix_smtpd_t)
')
@@ -52734,7 +52825,6 @@ index 191a66f..ca44603 100644
+corecmd_exec_shell(postfix_virtual_t)
corecmd_exec_bin(postfix_virtual_t)
-+files_read_usr_files(postfix_virtual_t)
+
mta_read_aliases(postfix_virtual_t)
mta_delete_spool(postfix_virtual_t)
@@ -52795,7 +52885,6 @@ index 191a66f..ca44603 100644
+corecmd_exec_shell(postfix_domain)
+
+files_read_etc_runtime_files(postfix_domain)
-+files_read_usr_files(postfix_domain)
+files_read_usr_symlinks(postfix_domain)
+files_search_spool(postfix_domain)
+files_list_tmp(postfix_domain)
@@ -52839,7 +52928,7 @@ index 5de8173..985b877 100644
init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/postfixpolicyd.te b/postfixpolicyd.te
-index 70f0533..3eed489 100644
+index 70f0533..77d4cd9 100644
--- a/postfixpolicyd.te
+++ b/postfixpolicyd.te
@@ -34,7 +34,6 @@ allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms;
@@ -52850,7 +52939,12 @@ index 70f0533..3eed489 100644
corenet_tcp_sendrecv_generic_if(postfix_policyd_t)
corenet_tcp_sendrecv_generic_node(postfix_policyd_t)
corenet_tcp_bind_generic_node(postfix_policyd_t)
-@@ -52,6 +51,4 @@ files_read_usr_files(postfix_policyd_t)
+@@ -47,11 +46,7 @@ corenet_sendrecv_mysqld_server_packets(postfix_policyd_t)
+ corenet_tcp_bind_mysqld_port(postfix_policyd_t)
+ corenet_tcp_sendrecv_mysqld_port(postfix_policyd_t)
+
+-files_read_etc_files(postfix_policyd_t)
+-files_read_usr_files(postfix_policyd_t)
logging_send_syslog_msg(postfix_policyd_t)
@@ -52895,7 +52989,7 @@ index b9e71b5..a7502cd 100644
domain_system_change_exemption($1)
role_transition $2 postgrey_initrc_exec_t system_r;
diff --git a/postgrey.te b/postgrey.te
-index 3b11496..8c3efb2 100644
+index 3b11496..04e3809 100644
--- a/postgrey.te
+++ b/postgrey.te
@@ -16,7 +16,7 @@ type postgrey_initrc_exec_t;
@@ -52915,7 +53009,15 @@ index 3b11496..8c3efb2 100644
corenet_all_recvfrom_netlabel(postgrey_t)
corenet_tcp_sendrecv_generic_if(postgrey_t)
corenet_tcp_sendrecv_generic_node(postgrey_t)
-@@ -80,9 +79,9 @@ files_getattr_tmp_dirs(postgrey_t)
+@@ -72,17 +71,15 @@ dev_read_sysfs(postgrey_t)
+
+ domain_use_interactive_fds(postgrey_t)
+
+-files_read_etc_files(postgrey_t)
+ files_read_etc_runtime_files(postgrey_t)
+-files_read_usr_files(postgrey_t)
+ files_getattr_tmp_dirs(postgrey_t)
+
fs_getattr_all_fs(postgrey_t)
fs_search_auto_mountpoints(postgrey_t)
@@ -53484,7 +53586,7 @@ index cd8b8b9..cde0d62 100644
+ allow $1 pppd_unit_file_t:service all_service_perms;
')
diff --git a/ppp.te b/ppp.te
-index b2b5dba..2a04cb0 100644
+index b2b5dba..91e0a7a 100644
--- a/ppp.te
+++ b/ppp.te
@@ -1,4 +1,4 @@
@@ -53668,22 +53770,20 @@ index b2b5dba..2a04cb0 100644
corecmd_exec_bin(pppd_t)
corecmd_exec_shell(pppd_t)
-@@ -146,37 +168,32 @@ domain_use_interactive_fds(pppd_t)
- files_exec_etc_files(pppd_t)
+@@ -147,36 +169,30 @@ files_exec_etc_files(pppd_t)
files_manage_etc_runtime_files(pppd_t)
files_dontaudit_write_etc_files(pppd_t)
-+files_read_usr_files(pppd_t)
-fs_getattr_all_fs(pppd_t)
-fs_search_auto_mountpoints(pppd_t)
-+# for scripts
-
+-
-term_use_unallocated_ttys(pppd_t)
-term_setattr_unallocated_ttys(pppd_t)
-term_ioctl_generic_ptys(pppd_t)
-term_create_pty(pppd_t, pppd_devpts_t)
-term_use_generic_ptys(pppd_t)
--
++# for scripts
+
-init_labeled_script_domtrans(pppd_t, pppd_initrc_exec_t)
init_read_utmp(pppd_t)
-init_signal_script(pppd_t)
@@ -53715,7 +53815,7 @@ index b2b5dba..2a04cb0 100644
optional_policy(`
ddclient_run(pppd_t, pppd_roles)
-@@ -190,7 +207,7 @@ optional_policy(`
+@@ -190,7 +206,7 @@ optional_policy(`
optional_policy(`
tunable_policy(`pppd_can_insmod',`
@@ -53724,7 +53824,7 @@ index b2b5dba..2a04cb0 100644
')
')
-@@ -218,16 +235,19 @@ optional_policy(`
+@@ -218,16 +234,19 @@ optional_policy(`
########################################
#
@@ -53747,7 +53847,7 @@ index b2b5dba..2a04cb0 100644
allow pptp_t pppd_etc_t:dir list_dir_perms;
allow pptp_t pppd_etc_t:file read_file_perms;
-@@ -236,45 +256,44 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
+@@ -236,45 +255,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
allow pptp_t pppd_etc_rw_t:dir list_dir_perms;
allow pptp_t pppd_etc_rw_t:file read_file_perms;
allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms;
@@ -53769,7 +53869,6 @@ index b2b5dba..2a04cb0 100644
+files_pid_filetrans(pptp_t, pptp_var_run_t, { file dir })
+kernel_list_proc(pptp_t)
-+kernel_signal(pptp_t)
kernel_read_kernel_sysctls(pptp_t)
kernel_read_network_state(pptp_t)
+kernel_read_proc_symlinks(pptp_t)
@@ -53805,7 +53904,7 @@ index b2b5dba..2a04cb0 100644
fs_getattr_all_fs(pptp_t)
fs_search_auto_mountpoints(pptp_t)
-@@ -282,12 +301,12 @@ term_ioctl_generic_ptys(pptp_t)
+@@ -282,12 +299,12 @@ term_ioctl_generic_ptys(pptp_t)
term_search_ptys(pptp_t)
term_use_ptmx(pptp_t)
@@ -53983,7 +54082,7 @@ index 20d4697..e6605c1 100644
+ files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache")
+')
diff --git a/prelink.te b/prelink.te
-index c0f047a..9f1d1b5 100644
+index c0f047a..e81b5b1 100644
--- a/prelink.te
+++ b/prelink.te
@@ -1,4 +1,4 @@
@@ -54038,7 +54137,7 @@ index c0f047a..9f1d1b5 100644
kernel_read_system_state(prelink_t)
kernel_read_kernel_sysctls(prelink_t)
-@@ -75,25 +75,24 @@ corecmd_mmap_all_executables(prelink_t)
+@@ -75,25 +75,23 @@ corecmd_mmap_all_executables(prelink_t)
corecmd_read_bin_symlinks(prelink_t)
dev_read_urand(prelink_t)
@@ -54046,19 +54145,18 @@ index c0f047a..9f1d1b5 100644
-files_getattr_all_files(prelink_t)
files_list_all(prelink_t)
--files_manage_usr_files(prelink_t)
--files_manage_var_files(prelink_t)
+files_getattr_all_files(prelink_t)
+files_write_non_security_dirs(prelink_t)
- files_read_etc_files(prelink_t)
- files_read_etc_runtime_files(prelink_t)
--files_relabelfrom_usr_files(prelink_t)
++files_read_etc_runtime_files(prelink_t)
++files_dontaudit_read_all_symlinks(prelink_t)
+ files_manage_usr_files(prelink_t)
+ files_manage_var_files(prelink_t)
+-files_read_etc_files(prelink_t)
+-files_read_etc_runtime_files(prelink_t)
+ files_relabelfrom_usr_files(prelink_t)
-files_search_var_lib(prelink_t)
-files_write_non_security_dirs(prelink_t)
- files_dontaudit_read_all_symlinks(prelink_t)
-+files_manage_usr_files(prelink_t)
-+files_manage_var_files(prelink_t)
-+files_relabelfrom_usr_files(prelink_t)
+-files_dontaudit_read_all_symlinks(prelink_t)
-fs_getattr_all_fs(prelink_t)
-fs_search_auto_mountpoints(prelink_t)
@@ -54073,7 +54171,7 @@ index c0f047a..9f1d1b5 100644
libs_exec_ld_so(prelink_t)
libs_legacy_use_shared_libs(prelink_t)
libs_manage_ld_so(prelink_t)
-@@ -102,32 +101,16 @@ libs_manage_shared_libs(prelink_t)
+@@ -102,32 +100,16 @@ libs_manage_shared_libs(prelink_t)
libs_relabel_shared_libs(prelink_t)
libs_delete_lib_symlinks(prelink_t)
@@ -54092,7 +54190,8 @@ index c0f047a..9f1d1b5 100644
-ifdef(`hide_broken_symptoms',`
- miscfiles_read_man_pages(prelink_t)
--
++systemd_read_unit_files(prelink_t)
+
- optional_policy(`
- dbus_read_config(prelink_t)
- ')
@@ -54102,8 +54201,7 @@ index c0f047a..9f1d1b5 100644
- fs_exec_nfs_files(prelink_t)
- fs_manage_nfs_files(prelink_t)
-')
-+systemd_read_unit_files(prelink_t)
-
+-
-tunable_policy(`use_samba_home_dirs',`
- fs_exec_cifs_files(prelink_t)
- fs_manage_cifs_files(prelink_t)
@@ -54112,7 +54210,7 @@ index c0f047a..9f1d1b5 100644
optional_policy(`
amanda_manage_lib(prelink_t)
-@@ -138,11 +121,12 @@ optional_policy(`
+@@ -138,11 +120,12 @@ optional_policy(`
')
optional_policy(`
@@ -54126,7 +54224,7 @@ index c0f047a..9f1d1b5 100644
')
optional_policy(`
-@@ -155,17 +139,18 @@ optional_policy(`
+@@ -155,17 +138,18 @@ optional_policy(`
########################################
#
@@ -54148,7 +54246,7 @@ index c0f047a..9f1d1b5 100644
domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
allow prelink_cron_system_t prelink_t:process noatsecure;
-@@ -174,7 +159,7 @@ optional_policy(`
+@@ -174,7 +158,7 @@ optional_policy(`
manage_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t)
files_var_lib_filetrans(prelink_cron_system_t, prelink_var_lib_t, file)
@@ -54157,20 +54255,19 @@ index c0f047a..9f1d1b5 100644
kernel_read_system_state(prelink_cron_system_t)
-@@ -184,8 +169,11 @@ optional_policy(`
+@@ -184,8 +168,10 @@ optional_policy(`
dev_list_sysfs(prelink_cron_system_t)
dev_read_sysfs(prelink_cron_system_t)
- files_rw_etc_dirs(prelink_cron_system_t)
files_dontaudit_search_all_mountpoints(prelink_cron_system_t)
-+ files_read_etc_files(prelink_cron_system_t)
+ files_search_var_lib(prelink_cron_system_t)
+
+ fs_search_cgroup_dirs(prelink_cron_system_t)
auth_use_nsswitch(prelink_cron_system_t)
-@@ -196,11 +184,20 @@ optional_policy(`
+@@ -196,11 +182,20 @@ optional_policy(`
logging_search_logs(prelink_cron_system_t)
@@ -54354,7 +54451,7 @@ index c83a838..f41a4f7 100644
admin_pattern($1, prelude_lml_tmp_t)
')
diff --git a/prelude.te b/prelude.te
-index db864df..6cff94f 100644
+index db864df..f7eb5e0 100644
--- a/prelude.te
+++ b/prelude.te
@@ -13,7 +13,7 @@ type prelude_initrc_exec_t;
@@ -54374,7 +54471,15 @@ index db864df..6cff94f 100644
corenet_all_recvfrom_netlabel(prelude_t)
corenet_tcp_sendrecv_generic_if(prelude_t)
corenet_tcp_sendrecv_generic_node(prelude_t)
-@@ -108,8 +107,6 @@ auth_use_nsswitch(prelude_t)
+@@ -97,7 +96,6 @@ dev_read_rand(prelude_t)
+ dev_read_urand(prelude_t)
+
+ files_read_etc_runtime_files(prelude_t)
+-files_read_usr_files(prelude_t)
+ files_search_spool(prelude_t)
+ files_search_tmp(prelude_t)
+
+@@ -108,8 +106,6 @@ auth_use_nsswitch(prelude_t)
logging_send_audit_msgs(prelude_t)
logging_send_syslog_msg(prelude_t)
@@ -54383,7 +54488,7 @@ index db864df..6cff94f 100644
optional_policy(`
mysql_stream_connect(prelude_t)
mysql_tcp_connect(prelude_t)
-@@ -141,7 +138,6 @@ kernel_read_system_state(prelude_audisp_t)
+@@ -141,7 +137,6 @@ kernel_read_system_state(prelude_audisp_t)
corecmd_search_bin(prelude_audisp_t)
@@ -54391,7 +54496,7 @@ index db864df..6cff94f 100644
corenet_all_recvfrom_netlabel(prelude_audisp_t)
corenet_tcp_sendrecv_generic_if(prelude_audisp_t)
corenet_tcp_sendrecv_generic_node(prelude_audisp_t)
-@@ -155,15 +151,12 @@ dev_read_urand(prelude_audisp_t)
+@@ -155,15 +150,12 @@ dev_read_urand(prelude_audisp_t)
domain_use_interactive_fds(prelude_audisp_t)
@@ -54407,7 +54512,7 @@ index db864df..6cff94f 100644
sysnet_dns_name_resolve(prelude_audisp_t)
########################################
-@@ -184,7 +177,6 @@ kernel_read_sysctl(prelude_correlator_t)
+@@ -184,7 +176,6 @@ kernel_read_sysctl(prelude_correlator_t)
corecmd_search_bin(prelude_correlator_t)
@@ -54415,12 +54520,12 @@ index db864df..6cff94f 100644
corenet_all_recvfrom_netlabel(prelude_correlator_t)
corenet_tcp_sendrecv_generic_if(prelude_correlator_t)
corenet_tcp_sendrecv_generic_node(prelude_correlator_t)
-@@ -196,14 +188,11 @@ corenet_tcp_sendrecv_prelude_port(prelude_correlator_t)
+@@ -196,14 +187,10 @@ corenet_tcp_sendrecv_prelude_port(prelude_correlator_t)
dev_read_rand(prelude_correlator_t)
dev_read_urand(prelude_correlator_t)
-files_read_etc_files(prelude_correlator_t)
- files_read_usr_files(prelude_correlator_t)
+-files_read_usr_files(prelude_correlator_t)
files_search_spool(prelude_correlator_t)
logging_send_syslog_msg(prelude_correlator_t)
@@ -54430,7 +54535,7 @@ index db864df..6cff94f 100644
sysnet_dns_name_resolve(prelude_correlator_t)
########################################
-@@ -212,6 +201,8 @@ sysnet_dns_name_resolve(prelude_correlator_t)
+@@ -212,6 +199,8 @@ sysnet_dns_name_resolve(prelude_correlator_t)
#
allow prelude_lml_t self:capability dac_override;
@@ -54439,7 +54544,7 @@ index db864df..6cff94f 100644
allow prelude_lml_t self:fifo_file rw_fifo_file_perms;
allow prelude_lml_t self:unix_stream_socket connectto;
-@@ -262,8 +253,6 @@ libs_read_lib_files(prelude_lml_t)
+@@ -262,8 +251,6 @@ libs_read_lib_files(prelude_lml_t)
logging_send_syslog_msg(prelude_lml_t)
logging_read_generic_logs(prelude_lml_t)
@@ -54667,7 +54772,7 @@ index 00edeab..166e9c3 100644
+ read_files_pattern($1, procmail_home_t, procmail_home_t)
')
diff --git a/procmail.te b/procmail.te
-index d447152..170ed82 100644
+index d447152..543fa5c 100644
--- a/procmail.te
+++ b/procmail.te
@@ -1,4 +1,4 @@
@@ -54702,7 +54807,7 @@ index d447152..170ed82 100644
allow procmail_t procmail_log_t:dir setattr_dir_perms;
create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
-@@ -40,56 +44,69 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
+@@ -40,56 +44,68 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
allow procmail_t procmail_tmp_t:file manage_file_perms;
files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
@@ -54746,9 +54851,9 @@ index d447152..170ed82 100644
+corecmd_exec_shell(procmail_t)
+
files_read_etc_runtime_files(procmail_t)
+-files_read_usr_files(procmail_t)
+files_search_pids(procmail_t)
+# for spamassasin
- files_read_usr_files(procmail_t)
-logging_send_syslog_msg(procmail_t)
+application_exec_all(procmail_t)
@@ -54796,7 +54901,7 @@ index d447152..170ed82 100644
optional_policy(`
clamav_domtrans_clamscan(procmail_t)
clamav_search_lib(procmail_t)
-@@ -100,12 +117,7 @@ optional_policy(`
+@@ -100,12 +116,7 @@ optional_policy(`
')
optional_policy(`
@@ -54810,7 +54915,7 @@ index d447152..170ed82 100644
')
optional_policy(`
-@@ -113,16 +125,17 @@ optional_policy(`
+@@ -113,16 +124,17 @@ optional_policy(`
')
optional_policy(`
@@ -54833,7 +54938,7 @@ index d447152..170ed82 100644
')
optional_policy(`
-@@ -131,6 +144,8 @@ optional_policy(`
+@@ -131,6 +143,8 @@ optional_policy(`
')
optional_policy(`
@@ -55012,10 +55117,18 @@ index 5427bb6..718c847 100644
optional_policy(`
diff --git a/ptchown.te b/ptchown.te
-index d67905e..d54cb62 100644
+index d67905e..2da9eca 100644
--- a/ptchown.te
+++ b/ptchown.te
-@@ -31,4 +31,4 @@ term_setattr_all_ptys(ptchown_t)
+@@ -21,7 +21,6 @@ role ptchown_roles types ptchown_t;
+ allow ptchown_t self:capability { chown fowner fsetid setuid };
+ allow ptchown_t self:process { getcap setcap };
+
+-files_read_etc_files(ptchown_t)
+
+ fs_rw_anon_inodefs_files(ptchown_t)
+
+@@ -31,4 +30,4 @@ term_setattr_all_ptys(ptchown_t)
term_use_generic_ptys(ptchown_t)
term_use_ptmx(ptchown_t)
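Review bot: Removing `files_read_etc_files(ptchown_t)` leaves two consecutive blank lines in ptchown.te, because the blank context line on each side of the removed line survives. The same double blank results from the identical removal in the pxe.te, resmgr.te and rhnsd.te hunks further down. It is cosmetic only, but refpolicy style keeps a single blank line between interface groups, so fold one of the two blanks into the removal in each of those hunks.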
@@ -55045,7 +55158,7 @@ index 6864479..0e7d875 100644
+/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
+/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
diff --git a/pulseaudio.if b/pulseaudio.if
-index fa3dc8e..ec47fb6 100644
+index fa3dc8e..59808e5 100644
--- a/pulseaudio.if
+++ b/pulseaudio.if
@@ -2,47 +2,44 @@
@@ -55330,7 +55443,7 @@ index fa3dc8e..ec47fb6 100644
##
##
##
-@@ -291,62 +300,72 @@ interface(`pulseaudio_manage_home_files',`
+@@ -291,62 +300,74 @@ interface(`pulseaudio_manage_home_files',`
##
##
#
@@ -55347,7 +55460,9 @@ index fa3dc8e..ec47fb6 100644
+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse")
+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth")
-+ gnome_config_filetrans($1, pulseaudio_home_t, dir, "pulse")
++ optional_policy(`
++ gnome_config_filetrans($1, pulseaudio_home_t, dir, "pulse")
++ ')
')
########################################
@@ -55431,7 +55546,7 @@ index fa3dc8e..ec47fb6 100644
+ ps_process_pattern($1, pulseaudio_t)
')
diff --git a/pulseaudio.te b/pulseaudio.te
-index e31bbe1..276636a 100644
+index e31bbe1..822ab6c 100644
--- a/pulseaudio.te
+++ b/pulseaudio.te
@@ -1,4 +1,4 @@
@@ -55531,7 +55646,7 @@ index e31bbe1..276636a 100644
can_exec(pulseaudio_t, pulseaudio_exec_t)
-@@ -85,24 +70,15 @@ kernel_read_kernel_sysctls(pulseaudio_t)
+@@ -85,60 +70,51 @@ kernel_read_kernel_sysctls(pulseaudio_t)
corecmd_exec_bin(pulseaudio_t)
@@ -55561,9 +55676,10 @@ index e31bbe1..276636a 100644
dev_read_sound(pulseaudio_t)
dev_write_sound(pulseaudio_t)
-@@ -111,34 +87,35 @@ dev_read_urand(pulseaudio_t)
+ dev_read_sysfs(pulseaudio_t)
+ dev_read_urand(pulseaudio_t)
- files_read_usr_files(pulseaudio_t)
+-files_read_usr_files(pulseaudio_t)
+fs_rw_anon_inodefs_files(pulseaudio_t)
fs_getattr_tmpfs(pulseaudio_t)
@@ -55607,7 +55723,7 @@ index e31bbe1..276636a 100644
')
optional_policy(`
-@@ -151,8 +128,9 @@ optional_policy(`
+@@ -151,8 +127,9 @@ optional_policy(`
optional_policy(`
dbus_system_domain(pulseaudio_t, pulseaudio_exec_t)
@@ -55619,7 +55735,7 @@ index e31bbe1..276636a 100644
optional_policy(`
consolekit_dbus_chat(pulseaudio_t)
-@@ -172,16 +150,33 @@ optional_policy(`
+@@ -172,16 +149,33 @@ optional_policy(`
')
optional_policy(`
@@ -55653,7 +55769,7 @@ index e31bbe1..276636a 100644
udev_read_state(pulseaudio_t)
udev_read_db(pulseaudio_t)
')
-@@ -194,7 +189,11 @@ optional_policy(`
+@@ -194,7 +188,11 @@ optional_policy(`
xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
')
@@ -55666,7 +55782,7 @@ index e31bbe1..276636a 100644
#
# Client local policy
#
-@@ -208,8 +207,6 @@ delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfi
+@@ -208,8 +206,6 @@ delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfi
fs_getattr_tmpfs(pulseaudio_client)
@@ -55675,7 +55791,7 @@ index e31bbe1..276636a 100644
corenet_tcp_sendrecv_generic_if(pulseaudio_client)
corenet_tcp_sendrecv_generic_node(pulseaudio_client)
-@@ -218,36 +215,31 @@ corenet_tcp_connect_pulseaudio_port(pulseaudio_client)
+@@ -218,36 +214,31 @@ corenet_tcp_connect_pulseaudio_port(pulseaudio_client)
corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_client)
pulseaudio_stream_connect(pulseaudio_client)
@@ -56072,7 +56188,7 @@ index 7cb8b1f..b7b5ee7 100644
+ allow $1 puppet_var_run_t:dir search_dir_perms;
')
diff --git a/puppet.te b/puppet.te
-index f2309f4..050d953 100644
+index f2309f4..b3f151c 100644
--- a/puppet.te
+++ b/puppet.te
@@ -1,4 +1,4 @@
@@ -56163,7 +56279,7 @@ index f2309f4..050d953 100644
logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
-@@ -91,30 +90,28 @@ files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
+@@ -91,43 +90,37 @@ files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
kernel_dontaudit_search_sysctl(puppet_t)
kernel_dontaudit_search_kernel_sysctl(puppet_t)
@@ -56200,7 +56316,9 @@ index f2309f4..050d953 100644
files_manage_config_files(puppet_t)
files_manage_config_dirs(puppet_t)
-@@ -124,10 +121,7 @@ files_read_usr_files(puppet_t)
+ files_manage_etc_dirs(puppet_t)
+ files_manage_etc_files(puppet_t)
+-files_read_usr_files(puppet_t)
files_read_usr_symlinks(puppet_t)
files_relabel_config_dirs(puppet_t)
files_relabel_config_files(puppet_t)
@@ -56211,7 +56329,7 @@ index f2309f4..050d953 100644
selinux_set_all_booleans(puppet_t)
selinux_set_generic_booleans(puppet_t)
selinux_validate_context(puppet_t)
-@@ -135,6 +129,8 @@ selinux_validate_context(puppet_t)
+@@ -135,6 +128,8 @@ selinux_validate_context(puppet_t)
term_dontaudit_getattr_unallocated_ttys(puppet_t)
term_dontaudit_getattr_all_ttys(puppet_t)
@@ -56220,7 +56338,7 @@ index f2309f4..050d953 100644
init_all_labeled_script_domtrans(puppet_t)
init_domtrans_script(puppet_t)
init_read_utmp(puppet_t)
-@@ -143,18 +139,15 @@ init_signull_script(puppet_t)
+@@ -143,18 +138,19 @@ init_signull_script(puppet_t)
logging_send_syslog_msg(puppet_t)
miscfiles_read_hwdata(puppet_t)
@@ -56234,6 +56352,10 @@ index f2309f4..050d953 100644
sysnet_run_ifconfig(puppet_t, system_r)
-sysnet_use_ldap(puppet_t)
++
++usermanage_access_check_groupadd(puppet_t)
++usermanage_access_check_passwd(puppet_t)
++usermanage_access_check_useradd(puppet_t)
tunable_policy(`puppet_manage_all_files',`
- files_manage_non_auth_files(puppet_t)
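Review bot: The three `usermanage_access_check_*(puppet_t)` calls are now emitted at top level, whereas the previous version of the patch kept them inside an `optional_policy` block. That only builds if usermanage is a base module in this tree (modules-targeted-base.conf is not in view); if it is still a loadable module, keep the wrapper: `optional_policy(\`` / `usermanage_access_check_groupadd(puppet_t)` … / `')`. The quota.te hunk makes the same move for `mta_spool_filetrans(quota_t, quota_db_t, file)` and `mta_spool_filetrans_queue(quota_t, quota_db_t, file)`, which upstream wraps in optional_policy and for which upstream uses the name `mta_queue_filetrans`, so it is worth confirming both that mta is a base module here and that `mta_spool_filetrans_queue` is defined in this tree's mta.if.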
@@ -56241,18 +56363,12 @@ index f2309f4..050d953 100644
')
optional_policy(`
-@@ -196,21 +189,92 @@ optional_policy(`
+@@ -196,21 +192,86 @@ optional_policy(`
')
optional_policy(`
- usermanage_domtrans_groupadd(puppet_t)
- usermanage_domtrans_useradd(puppet_t)
-+ usermanage_access_check_groupadd(puppet_t)
-+ usermanage_access_check_passwd(puppet_t)
-+ usermanage_access_check_useradd(puppet_t)
-+')
-+
-+optional_policy(`
+ auth_filetrans_named_content(puppet_t)
+')
+
@@ -56340,7 +56456,7 @@ index f2309f4..050d953 100644
allow puppetca_t puppet_var_lib_t:dir list_dir_perms;
manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
-@@ -221,6 +285,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms;
+@@ -221,6 +282,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms;
allow puppetca_t puppet_var_run_t:dir search_dir_perms;
kernel_read_system_state(puppetca_t)
@@ -56348,10 +56464,11 @@ index f2309f4..050d953 100644
kernel_read_kernel_sysctls(puppetca_t)
corecmd_exec_bin(puppetca_t)
-@@ -230,14 +295,12 @@ dev_read_urand(puppetca_t)
+@@ -229,15 +291,12 @@ corecmd_exec_shell(puppetca_t)
+ dev_read_urand(puppetca_t)
dev_search_sysfs(puppetca_t)
- files_read_etc_files(puppetca_t)
+-files_read_etc_files(puppetca_t)
-files_search_pids(puppetca_t)
files_search_var_lib(puppetca_t)
@@ -56363,7 +56480,7 @@ index f2309f4..050d953 100644
miscfiles_read_generic_certs(puppetca_t)
seutil_read_file_contexts(puppetca_t)
-@@ -246,38 +309,52 @@ optional_policy(`
+@@ -246,38 +305,47 @@ optional_policy(`
hostname_exec(puppetca_t)
')
@@ -56371,11 +56488,6 @@ index f2309f4..050d953 100644
+ mta_sendmail_access_check(puppetca_t)
+')
+
-+optional_policy(`
-+ usermanage_access_check_groupadd(puppet_t)
-+ usermanage_access_check_passwd(puppet_t)
-+ usermanage_access_check_useradd(puppet_t)
-+')
+
########################################
#
@@ -56432,7 +56544,7 @@ index f2309f4..050d953 100644
kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
kernel_read_network_state(puppetmaster_t)
-@@ -289,21 +366,23 @@ corecmd_exec_bin(puppetmaster_t)
+@@ -289,23 +357,24 @@ corecmd_exec_bin(puppetmaster_t)
corecmd_exec_shell(puppetmaster_t)
corenet_all_recvfrom_netlabel(puppetmaster_t)
@@ -56459,9 +56571,11 @@ index f2309f4..050d953 100644
domain_read_all_domains_state(puppetmaster_t)
+domain_obj_id_change_exemption(puppetmaster_t)
- files_read_usr_files(puppetmaster_t)
+-files_read_usr_files(puppetmaster_t)
-@@ -314,26 +393,27 @@ auth_use_nsswitch(puppetmaster_t)
+ selinux_validate_context(puppetmaster_t)
+
+@@ -314,26 +383,31 @@ auth_use_nsswitch(puppetmaster_t)
logging_send_syslog_msg(puppetmaster_t)
miscfiles_read_generic_certs(puppetmaster_t)
@@ -56471,32 +56585,34 @@ index f2309f4..050d953 100644
sysnet_run_ifconfig(puppetmaster_t, system_r)
--optional_policy(`
-- hostname_exec(puppetmaster_t)
--')
+mta_send_mail(puppetmaster_t)
-
++
optional_policy(`
-- mta_send_mail(puppetmaster_t)
+- hostname_exec(puppetmaster_t)
+ tunable_policy(`puppetmaster_use_db',`
+ mysql_stream_connect(puppetmaster_t)
+ ')
')
optional_policy(`
-- mysql_stream_connect(puppetmaster_t)
+- mta_send_mail(puppetmaster_t)
+ tunable_policy(`puppetmaster_use_db',`
+ postgresql_stream_connect(puppetmaster_t)
+ ')
')
optional_policy(`
+- mysql_stream_connect(puppetmaster_t)
++ gnomeclock_dbus_chat(puppetmaster_t)
+ ')
+
+ optional_policy(`
- postgresql_stream_connect(puppetmaster_t)
+ hostname_exec(puppetmaster_t)
')
optional_policy(`
-@@ -342,3 +422,9 @@ optional_policy(`
+@@ -342,3 +416,9 @@ optional_policy(`
rpm_exec(puppetmaster_t)
rpm_read_db(puppetmaster_t)
')
@@ -56678,10 +56794,17 @@ index 3078e34..8f357cc 100644
-
-miscfiles_read_localization(pwauth_t)
diff --git a/pxe.te b/pxe.te
-index 72db707..270bf8a 100644
+index 72db707..6dae5e5 100644
--- a/pxe.te
+++ b/pxe.te
-@@ -57,8 +57,6 @@ fs_search_auto_mountpoints(pxe_t)
+@@ -50,15 +50,12 @@ dev_read_sysfs(pxe_t)
+
+ domain_use_interactive_fds(pxe_t)
+
+-files_read_etc_files(pxe_t)
+
+ fs_getattr_all_fs(pxe_t)
+ fs_search_auto_mountpoints(pxe_t)
logging_send_syslog_msg(pxe_t)
@@ -58608,19 +58731,15 @@ index cd51b96..f7e9c70 100644
+ admin_pattern($1, qpidd_var_run_t)
')
diff --git a/qpid.te b/qpid.te
-index 76f5b39..8bf531a 100644
+index 76f5b39..a5ba415 100644
--- a/qpid.te
+++ b/qpid.te
-@@ -37,18 +37,22 @@ manage_dirs_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
+@@ -37,37 +37,37 @@ manage_dirs_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
manage_files_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
fs_tmpfs_filetrans(qpidd_t, qpidd_tmpfs_t, { dir file })
-manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
-manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
-+manage_dirs_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
-+manage_files_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
-+fs_tmpfs_filetrans(qpidd_t, qpidd_tmpfs_t, { dir file })
-+
+manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
+manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir })
@@ -58638,8 +58757,9 @@ index 76f5b39..8bf531a 100644
+corenet_tcp_bind_generic_node(qpidd_t)
corenet_tcp_sendrecv_generic_if(qpidd_t)
corenet_tcp_sendrecv_generic_node(qpidd_t)
- corenet_tcp_bind_generic_node(qpidd_t)
-@@ -57,17 +61,18 @@ corenet_sendrecv_amqp_server_packets(qpidd_t)
+-corenet_tcp_bind_generic_node(qpidd_t)
+
+ corenet_sendrecv_amqp_server_packets(qpidd_t)
corenet_tcp_bind_amqp_port(qpidd_t)
corenet_tcp_sendrecv_amqp_port(qpidd_t)
@@ -58909,7 +59029,7 @@ index afc0068..7616aa4 100644
+ ')
')
diff --git a/quantum.te b/quantum.te
-index 769d1fd..e08eabf 100644
+index 769d1fd..7e6e161 100644
--- a/quantum.te
+++ b/quantum.te
@@ -21,6 +21,9 @@ files_tmp_file(quantum_tmp_t)
@@ -58922,11 +59042,10 @@ index 769d1fd..e08eabf 100644
########################################
#
# Local policy
-@@ -61,11 +64,13 @@ corenet_tcp_sendrecv_generic_node(quantum_t)
+@@ -61,11 +64,12 @@ corenet_tcp_sendrecv_generic_node(quantum_t)
corenet_tcp_sendrecv_all_ports(quantum_t)
corenet_tcp_bind_generic_node(quantum_t)
-+corenet_tcp_bind_generic_node(quantum_t)
+corenet_tcp_bind_quantum_port(quantum_t)
+corenet_tcp_connect_mysqld_port(quantum_t)
+
@@ -58938,7 +59057,7 @@ index 769d1fd..e08eabf 100644
auth_use_nsswitch(quantum_t)
libs_exec_ldconfig(quantum_t)
-@@ -73,8 +78,6 @@ libs_exec_ldconfig(quantum_t)
+@@ -73,8 +77,6 @@ libs_exec_ldconfig(quantum_t)
logging_send_audit_msgs(quantum_t)
logging_send_syslog_msg(quantum_t)
@@ -58947,7 +59066,7 @@ index 769d1fd..e08eabf 100644
sysnet_domtrans_ifconfig(quantum_t)
optional_policy(`
-@@ -94,3 +97,7 @@ optional_policy(`
+@@ -94,3 +96,7 @@ optional_policy(`
postgresql_tcp_connect(quantum_t)
')
@@ -59238,7 +59357,7 @@ index da64218..3fb8575 100644
+ domtrans_pattern($1, quota_nld_exec_t, quota_nld_t)
')
diff --git a/quota.te b/quota.te
-index 4b2c272..0df6e21 100644
+index 4b2c272..1aee969 100644
--- a/quota.te
+++ b/quota.te
@@ -1,16 +1,14 @@
@@ -59279,25 +59398,15 @@ index 4b2c272..0df6e21 100644
allow quota_t quota_db_t:file { manage_file_perms quotaon };
files_root_filetrans(quota_t, quota_db_t, file)
files_boot_filetrans(quota_t, quota_db_t, file)
-@@ -48,7 +44,16 @@ files_var_filetrans(quota_t, quota_db_t, file)
+@@ -48,7 +44,6 @@ files_var_filetrans(quota_t, quota_db_t, file)
files_spool_filetrans(quota_t, quota_db_t, file)
userdom_user_home_dir_filetrans(quota_t, quota_db_t, file)
-kernel_request_load_module(quota_t)
-+optional_policy(`
-+ mta_spool_filetrans(quota_t, quota_db_t, file)
-+ mta_spool_filetrans(quota_t, quota_db_t, file)
-+ mta_spool_filetrans_queue(quota_t, quota_db_t, file)
-+')
-+
-+optional_policy(`
-+ openshift_lib_filetrans(quota_t, quota_db_t, file)
-+')
-+
kernel_list_proc(quota_t)
kernel_read_proc_symlinks(quota_t)
kernel_read_kernel_sysctls(quota_t)
-@@ -58,14 +63,6 @@ dev_read_sysfs(quota_t)
+@@ -58,14 +53,6 @@ dev_read_sysfs(quota_t)
dev_getattr_all_blk_files(quota_t)
dev_getattr_all_chr_files(quota_t)
@@ -59312,7 +59421,7 @@ index 4b2c272..0df6e21 100644
fs_get_xattr_fs_quotas(quota_t)
fs_set_xattr_fs_quotas(quota_t)
fs_getattr_xattr_fs(quota_t)
-@@ -80,20 +77,24 @@ term_dontaudit_use_console(quota_t)
+@@ -80,17 +67,28 @@ term_dontaudit_use_console(quota_t)
domain_use_interactive_fds(quota_t)
@@ -59331,19 +59440,20 @@ index 4b2c272..0df6e21 100644
logging_send_syslog_msg(quota_t)
-userdom_use_user_terminals(quota_t)
++mta_spool_filetrans(quota_t, quota_db_t, file)
++mta_spool_filetrans_queue(quota_t, quota_db_t, file)
++
+userdom_use_inherited_user_terminals(quota_t)
userdom_dontaudit_use_unpriv_user_fds(quota_t)
optional_policy(`
- mta_queue_filetrans(quota_t, quota_db_t, file)
- mta_spool_filetrans(quota_t, quota_db_t, file)
--')
--
--optional_policy(`
- seutil_sigchld_newrole(quota_t)
++ openshift_lib_filetrans(quota_t, quota_db_t, file)
')
-@@ -103,12 +104,12 @@ optional_policy(`
+ optional_policy(`
+@@ -103,12 +101,12 @@ optional_policy(`
#######################################
#
@@ -59358,7 +59468,7 @@ index 4b2c272..0df6e21 100644
manage_files_pattern(quota_nld_t, quota_nld_var_run_t, quota_nld_var_run_t)
files_pid_filetrans(quota_nld_t, quota_nld_var_run_t, { file })
-@@ -121,11 +122,9 @@ init_read_utmp(quota_nld_t)
+@@ -121,11 +119,9 @@ init_read_utmp(quota_nld_t)
logging_send_syslog_msg(quota_nld_t)
@@ -59479,7 +59589,7 @@ index 4460582..60cf556 100644
+
')
diff --git a/radius.te b/radius.te
-index 1e7927f..ff81482 100644
+index 1e7927f..5874c98 100644
--- a/radius.te
+++ b/radius.te
@@ -27,6 +27,9 @@ files_type(radiusd_var_lib_t)
@@ -59505,7 +59615,15 @@ index 1e7927f..ff81482 100644
corenet_all_recvfrom_netlabel(radiusd_t)
corenet_tcp_sendrecv_generic_if(radiusd_t)
corenet_udp_sendrecv_generic_if(radiusd_t)
-@@ -109,7 +112,6 @@ libs_exec_lib_files(radiusd_t)
+@@ -97,7 +100,6 @@ domain_use_interactive_fds(radiusd_t)
+ fs_getattr_all_fs(radiusd_t)
+ fs_search_auto_mountpoints(radiusd_t)
+
+-files_read_usr_files(radiusd_t)
+ files_read_etc_runtime_files(radiusd_t)
+ files_dontaudit_list_tmp(radiusd_t)
+
+@@ -109,7 +111,6 @@ libs_exec_lib_files(radiusd_t)
logging_send_syslog_msg(radiusd_t)
@@ -59568,6 +59686,18 @@ index b31f2d7..046f5b8 100644
userdom_dontaudit_use_unpriv_user_fds(radvd_t)
userdom_dontaudit_search_user_home_dirs(radvd_t)
+diff --git a/raid.fc b/raid.fc
+index 5806046..01ca7cb 100644
+--- a/raid.fc
++++ b/raid.fc
+@@ -16,6 +16,7 @@
+ /usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+ /usr/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+ /usr/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
++/usr/sbin/mdmon -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+ /usr/sbin/raid-check -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+
+ /var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
diff --git a/raid.if b/raid.if
index 951db7f..db0d815 100644
--- a/raid.if
@@ -59693,7 +59823,7 @@ index 951db7f..db0d815 100644
+ allow $1 mdadm_var_run_t:file manage_file_perms;
')
diff --git a/raid.te b/raid.te
-index 2c1730b..c27bb23 100644
+index 2c1730b..43e7487 100644
--- a/raid.te
+++ b/raid.te
@@ -26,7 +26,7 @@ dev_associate(mdadm_var_run_t)
@@ -59753,17 +59883,6 @@ index 2c1730b..c27bb23 100644
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
userdom_dontaudit_search_user_home_content(mdadm_t)
userdom_dontaudit_use_user_terminals(mdadm_t)
-@@ -89,6 +91,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ cron_system_entry(mdadm_t, mdadm_exec_t)
-+')
-+
-+optional_policy(`
- gpm_dontaudit_getattr_gpmctl(mdadm_t)
- ')
-
diff --git a/razor.fc b/razor.fc
index 6723f4d..6e26673 100644
--- a/razor.fc
@@ -60274,7 +60393,7 @@ index 5ddedbc..4e15f29 100644
+ ')
')
diff --git a/rdisc.te b/rdisc.te
-index 9196c1d..972b269 100644
+index 9196c1d..3dac4d9 100644
--- a/rdisc.te
+++ b/rdisc.te
@@ -25,7 +25,6 @@ kernel_list_proc(rdisc_t)
@@ -60285,7 +60404,11 @@ index 9196c1d..972b269 100644
corenet_all_recvfrom_netlabel(rdisc_t)
corenet_udp_sendrecv_generic_if(rdisc_t)
corenet_raw_sendrecv_generic_if(rdisc_t)
-@@ -43,8 +42,6 @@ files_read_etc_files(rdisc_t)
+@@ -39,12 +38,9 @@ fs_search_auto_mountpoints(rdisc_t)
+
+ domain_use_interactive_fds(rdisc_t)
+
+-files_read_etc_files(rdisc_t)
logging_send_syslog_msg(rdisc_t)
@@ -60344,7 +60467,7 @@ index 661bb88..06f69c4 100644
+')
+
diff --git a/readahead.te b/readahead.te
-index f1512d6..919a138 100644
+index f1512d6..ba3b9b2 100644
--- a/readahead.te
+++ b/readahead.te
@@ -15,6 +15,7 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t;
@@ -60396,7 +60519,7 @@ index f1512d6..919a138 100644
fs_getattr_all_fs(readahead_t)
fs_search_auto_mountpoints(readahead_t)
-@@ -66,6 +80,7 @@ fs_read_cgroup_files(readahead_t)
+@@ -66,13 +80,12 @@ fs_read_cgroup_files(readahead_t)
fs_read_tmpfs_files(readahead_t)
fs_read_tmpfs_symlinks(readahead_t)
fs_list_inotifyfs(readahead_t)
@@ -60404,15 +60527,14 @@ index f1512d6..919a138 100644
fs_dontaudit_search_ramfs(readahead_t)
fs_dontaudit_read_ramfs_pipes(readahead_t)
fs_dontaudit_read_ramfs_files(readahead_t)
-@@ -74,6 +89,7 @@ fs_dontaudit_use_tmpfs_chr_dev(readahead_t)
- mcs_file_read_all(readahead_t)
+ fs_dontaudit_use_tmpfs_chr_dev(readahead_t)
+-mcs_file_read_all(readahead_t)
+-
mls_file_read_all_levels(readahead_t)
-+mcs_file_read_all(readahead_t)
storage_raw_read_fixed_disk(readahead_t)
-
-@@ -84,13 +100,13 @@ auth_dontaudit_read_shadow(readahead_t)
+@@ -84,13 +97,13 @@ auth_dontaudit_read_shadow(readahead_t)
init_use_fds(readahead_t)
init_use_script_ptys(readahead_t)
init_getattr_initctl(readahead_t)
@@ -60452,7 +60574,7 @@ index bff31df..e38693b 100644
##
##
diff --git a/realmd.te b/realmd.te
-index 9a8f052..c994751 100644
+index 9a8f052..5372646 100644
--- a/realmd.te
+++ b/realmd.te
@@ -1,4 +1,4 @@
@@ -60476,7 +60598,7 @@ index 9a8f052..c994751 100644
#
allow realmd_t self:capability sys_nice;
-@@ -22,28 +23,32 @@ kernel_read_system_state(realmd_t)
+@@ -22,28 +23,30 @@ kernel_read_system_state(realmd_t)
corecmd_exec_bin(realmd_t)
corecmd_exec_shell(realmd_t)
@@ -60495,12 +60617,10 @@ index 9a8f052..c994751 100644
dev_read_urand(realmd_t)
-fs_getattr_all_fs(realmd_t)
--
-+files_read_etc_files(realmd_t)
- files_read_usr_files(realmd_t)
+-files_read_usr_files(realmd_t)
+fs_getattr_all_fs(realmd_t)
-+
+
auth_use_nsswitch(realmd_t)
logging_send_syslog_msg(realmd_t)
@@ -60518,7 +60638,7 @@ index 9a8f052..c994751 100644
optional_policy(`
dbus_system_domain(realmd_t, realmd_exec_t)
-@@ -67,17 +72,21 @@ optional_policy(`
+@@ -67,17 +70,21 @@ optional_policy(`
optional_policy(`
nis_exec_ypbind(realmd_t)
@@ -60543,7 +60663,7 @@ index 9a8f052..c994751 100644
')
optional_policy(`
-@@ -86,5 +95,9 @@ optional_policy(`
+@@ -86,5 +93,9 @@ optional_policy(`
sssd_manage_lib_files(realmd_t)
sssd_manage_public_files(realmd_t)
sssd_read_pid_files(realmd_t)
@@ -60632,7 +60752,7 @@ index a9ce68e..31be971 100644
- allow $1 remote_login_tmp_t:file relabel_file_perms;
-')
diff --git a/remotelogin.te b/remotelogin.te
-index c51a32c..18f59a7 100644
+index c51a32c..bef8238 100644
--- a/remotelogin.te
+++ b/remotelogin.te
@@ -1,4 +1,4 @@
@@ -60655,7 +60775,7 @@ index c51a32c..18f59a7 100644
#
allow remote_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
-@@ -23,32 +20,42 @@ allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrl
+@@ -23,68 +20,79 @@ allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrl
allow remote_login_t self:process { setrlimit setexec };
allow remote_login_t self:fd use;
allow remote_login_t self:fifo_file rw_fifo_file_perms;
@@ -60705,7 +60825,12 @@ index c51a32c..18f59a7 100644
domain_read_all_entry_files(remote_login_t)
-@@ -61,30 +68,32 @@ files_read_world_readable_symlinks(remote_login_t)
+ files_read_etc_runtime_files(remote_login_t)
+ files_list_home(remote_login_t)
+-files_read_usr_files(remote_login_t)
+ files_list_world_readable(remote_login_t)
+ files_read_world_readable_files(remote_login_t)
+ files_read_world_readable_symlinks(remote_login_t)
files_read_world_readable_pipes(remote_login_t)
files_read_world_readable_sockets(remote_login_t)
files_list_mnt(remote_login_t)
@@ -60748,10 +60873,18 @@ index c51a32c..18f59a7 100644
')
diff --git a/resmgr.te b/resmgr.te
-index 6f219b3..f38e183 100644
+index 6f219b3..6bef328 100644
--- a/resmgr.te
+++ b/resmgr.te
-@@ -54,8 +54,6 @@ storage_write_scsi_generic(resmgrd_t)
+@@ -42,7 +42,6 @@ dev_getattr_scanner_dev(resmgrd_t)
+
+ domain_use_interactive_fds(resmgrd_t)
+
+-files_read_etc_files(resmgrd_t)
+
+ fs_search_auto_mountpoints(resmgrd_t)
+
+@@ -54,8 +53,6 @@ storage_write_scsi_generic(resmgrd_t)
logging_send_syslog_msg(resmgrd_t)
@@ -61682,7 +61815,7 @@ index 56bc01f..aee7ba7 100644
+ relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
')
diff --git a/rhcs.te b/rhcs.te
-index 2c2de9a..4efe231 100644
+index 2c2de9a..d8bf297 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -50,6 +50,10 @@ rhcs_domain_template(qdiskd)
@@ -61768,47 +61901,27 @@ index 2c2de9a..4efe231 100644
storage_raw_read_fixed_disk(fenced_t)
storage_raw_write_fixed_disk(fenced_t)
-@@ -159,8 +170,9 @@ storage_raw_read_removable_device(fenced_t)
- term_getattr_pty_fs(fenced_t)
+@@ -160,7 +171,7 @@ term_getattr_pty_fs(fenced_t)
term_use_generic_ptys(fenced_t)
term_use_ptmx(fenced_t)
-+term_use_generic_ptys(fenced_t)
-auth_use_nsswitch(fenced_t)
+logging_send_syslog_msg(fenced_t)
tunable_policy(`fenced_can_network_connect',`
corenet_sendrecv_all_client_packets(fenced_t)
-@@ -186,11 +198,26 @@ optional_policy(`
- ')
-
- optional_policy(`
-- ccs_read_config(fenced_t)
-+ tunable_policy(`fenced_can_ssh',`
-+
-+ allow fenced_t self:capability { setuid setgid };
-+
-+ corenet_tcp_connect_ssh_port(fenced_t)
-+ ')
+@@ -190,10 +201,6 @@ optional_policy(`
')
optional_policy(`
- gnome_read_generic_home_content(fenced_t)
-+ ssh_exec(fenced_t)
-+ ssh_read_user_home_files(fenced_t)
-+ ')
-+
-+# needed by fence_scsi
-+optional_policy(`
-+ corosync_exec(fenced_t)
-+')
-+
-+optional_policy(`
-+ ccs_read_config(fenced_t)
+-')
+-
+-optional_policy(`
+ lvm_domtrans(fenced_t)
+ lvm_read_config(fenced_t)
')
-
- optional_policy(`
-@@ -203,6 +230,13 @@ optional_policy(`
+@@ -203,6 +210,13 @@ optional_policy(`
snmp_manage_var_lib_dirs(fenced_t)
')
@@ -61822,16 +61935,17 @@ index 2c2de9a..4efe231 100644
#######################################
#
# foghorn local policy
-@@ -225,6 +259,8 @@ dev_read_urand(foghorn_t)
+@@ -223,7 +237,8 @@ corenet_tcp_sendrecv_agentx_port(foghorn_t)
- files_read_usr_files(foghorn_t)
+ dev_read_urand(foghorn_t)
-+logging_send_syslog_msg(foghorn_t)
+-files_read_usr_files(foghorn_t)
+
++logging_send_syslog_msg(foghorn_t)
+
optional_policy(`
dbus_connect_system_bus(foghorn_t)
- ')
-@@ -257,6 +293,8 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -257,6 +272,8 @@ storage_getattr_removable_dev(gfs_controld_t)
init_rw_script_tmp_files(gfs_controld_t)
@@ -61840,7 +61954,7 @@ index 2c2de9a..4efe231 100644
optional_policy(`
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
-@@ -275,10 +313,10 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
+@@ -275,10 +292,10 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
dev_list_sysfs(groupd_t)
@@ -61853,7 +61967,7 @@ index 2c2de9a..4efe231 100644
######################################
#
# qdiskd local policy
-@@ -321,6 +359,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -321,6 +338,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
auth_use_nsswitch(qdiskd_t)
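Review bot: The `fenced_can_ssh` tunable block (`allow fenced_t self:capability { setuid setgid };` plus `corenet_tcp_connect_ssh_port(fenced_t)`), the `ssh_exec`/`ssh_read_user_home_files` grants and the `corosync_exec(fenced_t)` block marked `# needed by fence_scsi` are all dropped from the fenced section of rhcs.te, and no hunk in this file section re-adds them (the later `@@ -203,6 +210,13 @@` hunk still adds the same seven lines it did before). If the removal is intentional, the matching `gen_tunable(fenced_can_ssh, …)` declaration — presumably among the four lines added by the `@@ -50,6 +50,10 @@` hunk, outside this view — should go as well, otherwise it becomes an orphaned boolean that changes nothing. If it is not intentional, fence_scsi and the ssh-based fence agents lose the access they had under the previous patch, which is not obvious from the hunk as written. A one-line comment at the removal site stating where that policy moved, or that it was dropped deliberately, would settle it.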
@@ -61965,10 +62079,10 @@ index 0000000..bf11e25
+')
diff --git a/rhev.te b/rhev.te
new file mode 100644
-index 0000000..51b00c0
+index 0000000..26f7884
--- /dev/null
+++ b/rhev.te
-@@ -0,0 +1,117 @@
+@@ -0,0 +1,116 @@
+policy_module(rhev,1.0)
+
+########################################
@@ -62031,7 +62145,6 @@ index 0000000..51b00c0
+
+files_getattr_all_mountpoints(rhev_agentd_t)
+files_search_all_mountpoints(rhev_agentd_t)
-+files_read_usr_files(rhev_agentd_t)
+
+auth_use_nsswitch(rhev_agentd_t)
+
@@ -62191,7 +62304,7 @@ index 1a134a7..793a29f 100644
allow $1 rhgb_tmpfs_t:file rw_file_perms;
')
diff --git a/rhgb.te b/rhgb.te
-index 3f32e4b..b729212 100644
+index 3f32e4b..f97ea42 100644
--- a/rhgb.te
+++ b/rhgb.te
@@ -43,7 +43,6 @@ kernel_read_system_state(rhgb_t)
@@ -62202,7 +62315,19 @@ index 3f32e4b..b729212 100644
corenet_all_recvfrom_netlabel(rhgb_t)
corenet_tcp_sendrecv_generic_if(rhgb_t)
corenet_tcp_sendrecv_generic_node(rhgb_t)
-@@ -89,7 +88,6 @@ libs_read_lib_files(rhgb_t)
+@@ -57,11 +56,9 @@ dev_read_urand(rhgb_t)
+
+ domain_use_interactive_fds(rhgb_t)
+
+-files_read_etc_files(rhgb_t)
+ files_read_var_files(rhgb_t)
+ files_read_etc_runtime_files(rhgb_t)
+ files_search_tmp(rhgb_t)
+-files_read_usr_files(rhgb_t)
+ files_mounton_mnt(rhgb_t)
+ files_dontaudit_rw_root_dir(rhgb_t)
+ files_dontaudit_read_default_files(rhgb_t)
+@@ -89,7 +86,6 @@ libs_read_lib_files(rhgb_t)
logging_send_syslog_msg(rhgb_t)
@@ -62303,10 +62428,10 @@ index 0000000..88087b7
+')
diff --git a/rhnsd.te b/rhnsd.te
new file mode 100644
-index 0000000..5b2757d
+index 0000000..0e965c3
--- /dev/null
+++ b/rhnsd.te
-@@ -0,0 +1,41 @@
+@@ -0,0 +1,40 @@
+policy_module(rhnsd, 1.0.0)
+
+########################################
@@ -62340,7 +62465,6 @@ index 0000000..5b2757d
+
+corecmd_exec_bin(rhnsd_t)
+
-+files_read_etc_files(rhnsd_t)
+
+logging_send_syslog_msg(rhnsd_t)
+
@@ -62568,7 +62692,7 @@ index 6dbc905..92aac94 100644
- admin_pattern($1, rhsmcertd_lock_t)
')
diff --git a/rhsmcertd.te b/rhsmcertd.te
-index 1cedd70..c254f12 100644
+index 1cedd70..48fec17 100644
--- a/rhsmcertd.te
+++ b/rhsmcertd.te
@@ -31,6 +31,7 @@ files_pid_file(rhsmcertd_var_run_t)
@@ -62579,14 +62703,12 @@ index 1cedd70..c254f12 100644
allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -52,21 +53,39 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
+@@ -52,21 +53,35 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
kernel_read_network_state(rhsmcertd_t)
kernel_read_system_state(rhsmcertd_t)
+corenet_tcp_connect_http_port(rhsmcertd_t)
+
-+files_list_tmp(rhsmcertd_t)
-+
corecmd_exec_bin(rhsmcertd_t)
+corecmd_exec_shell(rhsmcertd_t)
@@ -62596,16 +62718,16 @@ index 1cedd70..c254f12 100644
+dev_read_raw_memory(rhsmcertd_t)
files_list_tmp(rhsmcertd_t)
- files_read_etc_files(rhsmcertd_t)
- files_read_usr_files(rhsmcertd_t)
+-files_read_etc_files(rhsmcertd_t)
+-files_read_usr_files(rhsmcertd_t)
+files_manage_generic_locks(rhsmcertd_t)
+
+auth_read_passwd(rhsmcertd_t)
-+
-+logging_send_syslog_msg(rhsmcertd_t)
-miscfiles_read_localization(rhsmcertd_t)
-miscfiles_read_generic_certs(rhsmcertd_t)
++logging_send_syslog_msg(rhsmcertd_t)
++
+miscfiles_read_certs(rhsmcertd_t)
sysnet_dns_name_resolve(rhsmcertd_t)
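Review bot: `dev_read_raw_memory(rhsmcertd_t)`, carried forward on the new side of this hunk, gives a certificate-refresh daemon read access to /dev/mem, which can expose physical memory and is far broader than anything else granted here, yet it is left without justification while the rules around it are being tightened. If the access exists only for hardware-fact collection (dmidecode-style reads of the SMBIOS tables), record that next to the line, e.g. `# /dev/mem read is for hardware facts; revisit if that collection can be confined separately`, so it is not silently inherited by future revisions. With `files_read_etc_files` and `files_read_usr_files` now removed from rhsmcertd_t, reading the /etc/rhsm configuration also depends on those being granted to all domains by the base policy, which should be confirmed. The rhsmcertd_t block continues outside this hunk.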
@@ -62855,7 +62977,7 @@ index 2ab3ed1..23d579c 100644
role_transition $2 ricci_initrc_exec_t system_r;
allow $2 system_r;
diff --git a/ricci.te b/ricci.te
-index 9702ed2..6d40389 100644
+index 9702ed2..fa21335 100644
--- a/ricci.te
+++ b/ricci.te
@@ -115,7 +115,6 @@ kernel_read_system_state(ricci_t)
@@ -62953,8 +63075,11 @@ index 9702ed2..6d40389 100644
allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms;
kernel_read_kernel_sysctls(ricci_modstorage_t)
-@@ -483,13 +472,19 @@ files_read_etc_runtime_files(ricci_modstorage_t)
- files_read_usr_files(ricci_modstorage_t)
+@@ -480,16 +469,21 @@ domain_read_all_domains_state(ricci_modstorage_t)
+
+ files_manage_etc_files(ricci_modstorage_t)
+ files_read_etc_runtime_files(ricci_modstorage_t)
+-files_read_usr_files(ricci_modstorage_t)
files_read_kernel_modules(ricci_modstorage_t)
+files_create_default_dir(ricci_modstorage_t)
@@ -63003,7 +63128,7 @@ index 050479d..0e1b364 100644
type rlogind_home_t;
')
diff --git a/rlogin.te b/rlogin.te
-index d34cdec..991c738 100644
+index d34cdec..f41c9c5 100644
--- a/rlogin.te
+++ b/rlogin.te
@@ -30,7 +30,9 @@ files_pid_file(rlogind_var_run_t)
@@ -63033,18 +63158,15 @@ index d34cdec..991c738 100644
corenet_all_recvfrom_netlabel(rlogind_t)
corenet_tcp_sendrecv_generic_if(rlogind_t)
corenet_udp_sendrecv_generic_if(rlogind_t)
-@@ -67,8 +67,10 @@ fs_getattr_all_fs(rlogind_t)
+@@ -67,6 +67,7 @@ fs_getattr_all_fs(rlogind_t)
fs_search_auto_mountpoints(rlogind_t)
auth_domtrans_chk_passwd(rlogind_t)
+auth_signal_chk_passwd(rlogind_t)
auth_rw_login_records(rlogind_t)
auth_use_nsswitch(rlogind_t)
-+auth_login_pgm_domain(rlogind_t)
- files_read_etc_runtime_files(rlogind_t)
- files_search_default(rlogind_t)
-@@ -77,30 +79,28 @@ init_rw_utmp(rlogind_t)
+@@ -77,30 +78,23 @@ init_rw_utmp(rlogind_t)
logging_send_syslog_msg(rlogind_t)
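Review bot: Removing `auth_login_pgm_domain(rlogind_t)` while keeping `auth_domtrans_chk_passwd` and `auth_rw_login_records` leaves rlogind_t authenticating through the password-check helper only, and the following hunk also drops the Fedora-added `remotelogin_domtrans(rlogind_t)`; together these are only safe if the upstream rlogin.te already provides the transition into the remote-login domain when rlogind executes the login binary. That upstream context is not visible here, so check the resulting rlogin.te for a remotelogin transition before merging. Without one, rlogind would run login inside its own domain, which is both a functional break and a privilege mismatch, since a login program needs shadow and setuid access that a network daemon domain should not carry itself. The rlogind_t block continues outside this hunk.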
@@ -63067,23 +63189,19 @@ index d34cdec..991c738 100644
- fs_read_nfs_files(rlogind_t)
- fs_read_nfs_symlinks(rlogind_t)
-')
-+rlogin_read_home_content(rlogind_t)
-
+-
-tunable_policy(`use_samba_home_dirs',`
- fs_list_cifs(rlogind_t)
- fs_read_cifs_files(rlogind_t)
- fs_read_cifs_symlinks(rlogind_t)
-+optional_policy(`
-+ kerberos_keytab_template(rlogind, rlogind_t)
-+ kerberos_tmp_filetrans_host_rcache(rlogind_t, "host_0")
- ')
+-')
++rlogin_read_home_content(rlogind_t)
optional_policy(`
-- kerberos_keytab_template(rlogind, rlogind_t)
+ kerberos_keytab_template(rlogind, rlogind_t)
- kerberos_tmp_filetrans_host_rcache(rlogind_t, file, "host_0")
- kerberos_manage_host_rcache(rlogind_t)
-+ remotelogin_domtrans(rlogind_t)
-+ remotelogin_signal(rlogind_t)
++ kerberos_tmp_filetrans_host_rcache(rlogind_t, "host_0")
')
optional_policy(`
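Review bot: The kerberos block now keeps only `kerberos_keytab_template` and the new `kerberos_tmp_filetrans_host_rcache(rlogind_t, "host_0")`, while the upstream `kerberos_manage_host_rcache(rlogind_t)` stays removed; a file transition names the type of a newly created replay cache but does not by itself grant create or write permission on that type, so unless `kerberos_keytab_template` covers the rcache type in this policy, the first Kerberos login will fail when rlogind tries to write the replay cache. Confirm what the template grants, or keep `kerberos_manage_host_rcache(rlogind_t)` alongside the filetrans. The new call also drops the `file` class argument that the upstream line passed, so it must match the kerberos.if signature carried by this patch set or the module will not build. The rlogind_t block continues outside this hunk.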
@@ -63740,7 +63858,7 @@ index 3bd6446..a61764b 100644
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
')
diff --git a/rpc.te b/rpc.te
-index e5212e6..fd96b3c 100644
+index e5212e6..43a888d 100644
--- a/rpc.te
+++ b/rpc.te
@@ -1,4 +1,4 @@
@@ -63905,15 +64023,7 @@ index e5212e6..fd96b3c 100644
kernel_read_sysctl(rpcd_t)
kernel_rw_fs_sysctls(rpcd_t)
kernel_dontaudit_getattr_core_if(rpcd_t)
-@@ -149,6 +90,7 @@ corecmd_exec_bin(rpcd_t)
-
- files_manage_mounttab(rpcd_t)
- files_getattr_all_dirs(rpcd_t)
-+files_read_usr_files(rpcd_t)
-
- fs_list_rpc(rpcd_t)
- fs_read_rpc_files(rpcd_t)
-@@ -160,13 +102,14 @@ fs_getattr_all_fs(rpcd_t)
+@@ -160,13 +101,14 @@ fs_getattr_all_fs(rpcd_t)
storage_getattr_fixed_disk_dev(rpcd_t)
@@ -63931,7 +64041,7 @@ index e5212e6..fd96b3c 100644
optional_policy(`
automount_signal(rpcd_t)
-@@ -174,19 +117,23 @@ optional_policy(`
+@@ -174,19 +116,23 @@ optional_policy(`
')
optional_policy(`
@@ -63959,7 +64069,7 @@ index e5212e6..fd96b3c 100644
')
########################################
-@@ -195,41 +142,55 @@ optional_policy(`
+@@ -195,41 +141,54 @@ optional_policy(`
#
allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
@@ -63998,7 +64108,6 @@ index e5212e6..fd96b3c 100644
+# cjp: this should really have its own type
files_manage_mounttab(nfsd_t)
+files_read_etc_runtime_files(nfsd_t)
-+files_read_usr_files(nfsd_t)
fs_mount_nfsd_fs(nfsd_t)
fs_getattr_all_fs(nfsd_t)
@@ -64022,7 +64131,7 @@ index e5212e6..fd96b3c 100644
miscfiles_manage_public_files(nfsd_t)
')
-@@ -238,7 +199,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -238,7 +197,6 @@ tunable_policy(`nfs_export_all_rw',`
dev_getattr_all_chr_files(nfsd_t)
fs_read_noxattr_fs_files(nfsd_t)
@@ -64030,7 +64139,7 @@ index e5212e6..fd96b3c 100644
')
tunable_policy(`nfs_export_all_ro',`
-@@ -250,12 +210,12 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -250,12 +208,12 @@ tunable_policy(`nfs_export_all_ro',`
fs_read_noxattr_fs_files(nfsd_t)
@@ -64045,7 +64154,7 @@ index e5212e6..fd96b3c 100644
')
########################################
-@@ -271,6 +231,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+@@ -271,6 +229,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
@@ -64053,7 +64162,7 @@ index e5212e6..fd96b3c 100644
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_request_load_module(gssd_t)
-@@ -279,25 +240,29 @@ kernel_signal(gssd_t)
+@@ -279,25 +238,29 @@ kernel_signal(gssd_t)
corecmd_exec_bin(gssd_t)
@@ -64086,7 +64195,7 @@ index e5212e6..fd96b3c 100644
')
optional_policy(`
-@@ -306,8 +271,7 @@ optional_policy(`
+@@ -306,8 +269,7 @@ optional_policy(`
optional_policy(`
kerberos_keytab_template(gssd, gssd_t)
@@ -64096,7 +64205,7 @@ index e5212e6..fd96b3c 100644
')
optional_policy(`
-@@ -315,7 +279,7 @@ optional_policy(`
+@@ -315,7 +277,7 @@ optional_policy(`
')
optional_policy(`
@@ -64260,21 +64369,22 @@ index 3b5e9ee..ff1163f 100644
+ admin_pattern($1, rpcbind_var_run_t)
')
diff --git a/rpcbind.te b/rpcbind.te
-index c49828c..1f39c7c 100644
+index c49828c..a323332 100644
--- a/rpcbind.te
+++ b/rpcbind.te
-@@ -42,7 +42,8 @@ kernel_read_system_state(rpcbind_t)
+@@ -42,7 +42,6 @@ kernel_read_system_state(rpcbind_t)
kernel_read_network_state(rpcbind_t)
kernel_request_load_module(rpcbind_t)
-corenet_all_recvfrom_unlabeled(rpcbind_t)
-+corecmd_exec_shell(rpcbind_t)
-+
corenet_all_recvfrom_netlabel(rpcbind_t)
corenet_tcp_sendrecv_generic_if(rpcbind_t)
corenet_udp_sendrecv_generic_if(rpcbind_t)
-@@ -65,9 +66,9 @@ domain_use_interactive_fds(rpcbind_t)
- files_read_etc_files(rpcbind_t)
+@@ -62,12 +61,11 @@ corecmd_exec_shell(rpcbind_t)
+
+ domain_use_interactive_fds(rpcbind_t)
+
+-files_read_etc_files(rpcbind_t)
files_read_etc_runtime_files(rpcbind_t)
-logging_send_syslog_msg(rpcbind_t)
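Review bot: Removing the Fedora-added `corecmd_exec_shell(rpcbind_t)` because upstream now carries it (it appears as the context of the new inner hunk header) still leaves rpcbind_t able to execute a shell, which is an unusual privilege for a network-facing port mapper and widens what a compromised rpcbind can do. If the exec is needed only for a specific helper script, name it in a comment next to the upstream line, or replace the shell exec with an exec of, or domain transition to, that helper alone. With `files_read_etc_files(rpcbind_t)` now removed from upstream as well, reading its configuration depends on the base policy granting that to all domains, which is not visible here and should be confirmed. The rpcbind_t block continues outside this hunk.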
@@ -64286,10 +64396,10 @@ index c49828c..1f39c7c 100644
sysnet_dns_name_resolve(rpcbind_t)
diff --git a/rpm.fc b/rpm.fc
-index ebe91fc..ee55335 100644
+index ebe91fc..3916381 100644
--- a/rpm.fc
+++ b/rpm.fc
-@@ -1,61 +1,64 @@
+@@ -1,61 +1,65 @@
-/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:rpm_initrc_exec_t,s0)
@@ -64373,6 +64483,7 @@ index ebe91fc..ee55335 100644
+/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
++/var/lib/dnf(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
-/var/log/YaST2(/.*)? gen_context(system_u:object_r:rpm_log_t,s0)
-/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0)
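Review bot: The new `/var/lib/dnf(/.*)?` entry is inserted after the yum line, breaking the sorted order the neighbouring entries follow (PackageKit, rpm, yum); move it between the PackageKit and rpm lines so the list stays alphabetical and the next merge does not conflict. Labelling the dnf state as rpm_var_lib_t only makes sense if the dnf executable itself runs in the rpm domain via an rpm_exec_t entry, which is not visible in this hunk; confirm such an entry exists elsewhere in rpm.fc, otherwise a dnf running in the caller's domain may be denied writes to its own database. The rewritten rpm.fc continues outside this hunk.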
@@ -64918,7 +65029,7 @@ index 0628d50..bedc8ae 100644
+ allow rpm_script_t $1:process sigchld;
')
diff --git a/rpm.te b/rpm.te
-index 5cbe81c..b33a77d 100644
+index 5cbe81c..b86d966 100644
--- a/rpm.te
+++ b/rpm.te
@@ -1,15 +1,11 @@
@@ -65188,15 +65299,7 @@ index 5cbe81c..b33a77d 100644
allow rpm_script_t rpm_tmp_t:file read_file_perms;
allow rpm_script_t rpm_script_tmp_t:dir mounton;
-@@ -260,6 +271,7 @@ manage_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
- manage_blk_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
- manage_chr_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
- files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
-+can_exec(rpm_script_t, rpm_script_tmp_t)
-
- manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
- manage_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
-@@ -267,8 +279,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
+@@ -267,8 +278,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
@@ -65207,7 +65310,7 @@ index 5cbe81c..b33a77d 100644
kernel_read_crypto_sysctls(rpm_script_t)
kernel_read_kernel_sysctls(rpm_script_t)
-@@ -277,38 +290,22 @@ kernel_read_network_state(rpm_script_t)
+@@ -277,45 +289,27 @@ kernel_read_network_state(rpm_script_t)
kernel_list_all_proc(rpm_script_t)
kernel_read_software_raid_state(rpm_script_t)
@@ -65250,7 +65353,14 @@ index 5cbe81c..b33a77d 100644
fs_getattr_xattr_fs(rpm_script_t)
fs_mount_xattr_fs(rpm_script_t)
fs_unmount_xattr_fs(rpm_script_t)
-@@ -331,30 +328,49 @@ storage_raw_write_fixed_disk(rpm_script_t)
+ fs_search_auto_mountpoints(rpm_script_t)
+
+-mcs_killall(rpm_script_t)
+-
+ mls_file_read_all_levels(rpm_script_t)
+ mls_file_write_all_levels(rpm_script_t)
+
+@@ -331,30 +325,48 @@ storage_raw_write_fixed_disk(rpm_script_t)
term_getattr_unallocated_ttys(rpm_script_t)
term_list_ptys(rpm_script_t)
@@ -65259,10 +65369,7 @@ index 5cbe81c..b33a77d 100644
auth_dontaudit_getattr_shadow(rpm_script_t)
auth_use_nsswitch(rpm_script_t)
-+# ideally we would not need this
-+files_manage_all_files(rpm_script_t)
-+files_relabel_all_files(rpm_script_t)
-+
+
+corecmd_exec_all_executables(rpm_script_t)
+can_exec(rpm_script_t, rpm_script_tmp_t)
+can_exec(rpm_script_t, rpm_script_tmpfs_t)
@@ -65273,11 +65380,13 @@ index 5cbe81c..b33a77d 100644
+domain_signal_all_domains(rpm_script_t)
+domain_signull_all_domains(rpm_script_t)
+
++# ideally we would not need this
++files_manage_all_files(rpm_script_t)
+files_exec_etc_files(rpm_script_t)
+files_read_etc_runtime_files(rpm_script_t)
+files_exec_usr_files(rpm_script_t)
+files_relabel_all_files(rpm_script_t)
-
++
init_domtrans_script(rpm_script_t)
init_telinit(rpm_script_t)
@@ -65309,7 +65418,7 @@ index 5cbe81c..b33a77d 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -363,24 +379,24 @@ ifdef(`distro_redhat',`
+@@ -363,24 +375,24 @@ ifdef(`distro_redhat',`
')
')
@@ -65341,7 +65450,7 @@ index 5cbe81c..b33a77d 100644
')
optional_policy(`
-@@ -388,8 +404,17 @@ optional_policy(`
+@@ -388,8 +400,17 @@ optional_policy(`
')
optional_policy(`
@@ -65361,7 +65470,7 @@ index 5cbe81c..b33a77d 100644
')
optional_policy(`
-@@ -397,6 +422,7 @@ optional_policy(`
+@@ -397,6 +418,7 @@ optional_policy(`
')
optional_policy(`
@@ -65369,7 +65478,7 @@ index 5cbe81c..b33a77d 100644
unconfined_domtrans(rpm_script_t)
optional_policy(`
-@@ -409,6 +435,6 @@ optional_policy(`
+@@ -409,6 +431,6 @@ optional_policy(`
')
optional_policy(`
@@ -65409,10 +65518,10 @@ index 7ad29c0..2e87d76 100644
domtrans_pattern($1, rshd_exec_t, rshd_t)
')
diff --git a/rshd.te b/rshd.te
-index f842825..23c58c2 100644
+index f842825..24cf46d 100644
--- a/rshd.te
+++ b/rshd.te
-@@ -1,62 +1,76 @@
+@@ -1,62 +1,75 @@
-policy_module(rshd, 1.7.1)
+policy_module(rshd, 1.7.0)
@@ -65473,7 +65582,6 @@ index f842825..23c58c2 100644
corecmd_read_bin_symlinks(rshd_t)
files_list_home(rshd_t)
-+files_read_etc_files(rshd_t)
+files_search_tmp(rshd_t)
+
+auth_login_pgm_domain(rshd_t)
@@ -65509,18 +65617,20 @@ index f842825..23c58c2 100644
optional_policy(`
diff --git a/rssh.te b/rssh.te
-index d1fd97f..88bd6f7 100644
+index d1fd97f..7ee8502 100644
--- a/rssh.te
+++ b/rssh.te
-@@ -60,7 +60,6 @@ manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t)
+@@ -60,18 +60,14 @@ manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t)
kernel_read_system_state(rssh_t)
kernel_read_kernel_sysctls(rssh_t)
-files_read_etc_files(rssh_t)
files_read_etc_runtime_files(rssh_t)
files_list_home(rssh_t)
- files_read_usr_files(rssh_t)
-@@ -70,8 +69,6 @@ fs_search_auto_mountpoints(rssh_t)
+-files_read_usr_files(rssh_t)
+ files_list_var(rssh_t)
+
+ fs_search_auto_mountpoints(rssh_t)
logging_send_syslog_msg(rssh_t)
@@ -65529,7 +65639,7 @@ index d1fd97f..88bd6f7 100644
rssh_domtrans_chroot_helper(rssh_t)
ssh_rw_tcp_sockets(rssh_t)
-@@ -95,5 +92,3 @@ domain_use_interactive_fds(rssh_chroot_helper_t)
+@@ -95,5 +91,3 @@ domain_use_interactive_fds(rssh_chroot_helper_t)
auth_use_nsswitch(rssh_chroot_helper_t)
logging_send_syslog_msg(rssh_chroot_helper_t)
@@ -66122,18 +66232,15 @@ index bd35afe..051addd 100644
+ rtkit_daemon_dbus_chat($1)
')
diff --git a/rtkit.te b/rtkit.te
-index 3f5a8ef..d7bffcc 100644
+index 3f5a8ef..29a8e9e 100644
--- a/rtkit.te
+++ b/rtkit.te
-@@ -31,8 +31,9 @@ auth_use_nsswitch(rtkit_daemon_t)
+@@ -31,8 +31,6 @@ auth_use_nsswitch(rtkit_daemon_t)
logging_send_syslog_msg(rtkit_daemon_t)
-miscfiles_read_localization(rtkit_daemon_t)
-
-+optional_policy(`
-+ dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
-+')
optional_policy(`
dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
@@ -66155,7 +66262,7 @@ index 0360ff0..e6cb34f 100644
init_labeled_script_domtrans($1, rwho_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/rwho.te b/rwho.te
-index 9927d29..9ee5654 100644
+index 9927d29..6746952 100644
--- a/rwho.te
+++ b/rwho.te
@@ -16,7 +16,7 @@ type rwho_log_t;
@@ -66175,7 +66282,14 @@ index 9927d29..9ee5654 100644
corenet_all_recvfrom_netlabel(rwho_t)
corenet_udp_sendrecv_generic_if(rwho_t)
corenet_udp_sendrecv_generic_node(rwho_t)
-@@ -57,8 +56,7 @@ init_dontaudit_write_utmp(rwho_t)
+@@ -50,15 +49,13 @@ corenet_udp_sendrecv_rwho_port(rwho_t)
+
+ domain_use_interactive_fds(rwho_t)
+
+-files_read_etc_files(rwho_t)
+
+ init_read_utmp(rwho_t)
+ init_dontaudit_write_utmp(rwho_t)
logging_send_syslog_msg(rwho_t)
@@ -67044,7 +67158,7 @@ index aee75af..a6bab06 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
-index 57c034b..7e70344 100644
+index 57c034b..27fd4cd 100644
--- a/samba.te
+++ b/samba.te
@@ -1,4 +1,4 @@
@@ -67351,14 +67465,14 @@ index 57c034b..7e70344 100644
+allow smbd_t self:udp_socket create_socket_perms;
+allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-+
-+allow smbd_t nmbd_t:process { signal signull };
-allow smbd_t { swat_t winbind_t smbcontrol_t nmbd_t }:process { signal signull };
-+allow smbd_t nmbd_var_run_t:file rw_file_perms;
-+stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
++allow smbd_t nmbd_t:process { signal signull };
-allow smbd_t samba_etc_t:file { rw_file_perms setattr_file_perms };
++allow smbd_t nmbd_var_run_t:file rw_file_perms;
++stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
++
+allow smbd_t samba_etc_t:file { rw_file_perms setattr };
manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t)
@@ -67452,7 +67566,7 @@ index 57c034b..7e70344 100644
fs_getattr_all_fs(smbd_t)
fs_getattr_all_dirs(smbd_t)
fs_get_xattr_fs_quotas(smbd_t)
-@@ -360,44 +348,55 @@ fs_getattr_rpc_dirs(smbd_t)
+@@ -360,44 +348,54 @@ fs_getattr_rpc_dirs(smbd_t)
fs_list_inotifyfs(smbd_t)
fs_get_all_fs_quotas(smbd_t)
@@ -67469,7 +67583,6 @@ index 57c034b..7e70344 100644
+
+files_list_var_lib(smbd_t)
+files_read_etc_runtime_files(smbd_t)
-+files_read_usr_files(smbd_t)
+files_search_spool(smbd_t)
+# smbd seems to getattr all mountpoints
+files_dontaudit_getattr_all_dirs(smbd_t)
@@ -67519,7 +67632,7 @@ index 57c034b..7e70344 100644
')
tunable_policy(`samba_domain_controller',`
-@@ -413,20 +412,10 @@ tunable_policy(`samba_domain_controller',`
+@@ -413,20 +411,10 @@ tunable_policy(`samba_domain_controller',`
')
tunable_policy(`samba_enable_home_dirs',`
@@ -67542,7 +67655,7 @@ index 57c034b..7e70344 100644
tunable_policy(`samba_share_nfs',`
fs_manage_nfs_dirs(smbd_t)
fs_manage_nfs_files(smbd_t)
-@@ -435,6 +424,7 @@ tunable_policy(`samba_share_nfs',`
+@@ -435,6 +423,7 @@ tunable_policy(`samba_share_nfs',`
fs_manage_nfs_named_sockets(smbd_t)
')
@@ -67550,7 +67663,7 @@ index 57c034b..7e70344 100644
tunable_policy(`samba_share_fusefs',`
fs_manage_fusefs_dirs(smbd_t)
fs_manage_fusefs_files(smbd_t)
-@@ -442,17 +432,6 @@ tunable_policy(`samba_share_fusefs',`
+@@ -442,17 +431,6 @@ tunable_policy(`samba_share_fusefs',`
fs_search_fusefs(smbd_t)
')
@@ -67568,7 +67681,7 @@ index 57c034b..7e70344 100644
optional_policy(`
ccs_read_config(smbd_t)
')
-@@ -473,6 +452,11 @@ optional_policy(`
+@@ -473,6 +451,11 @@ optional_policy(`
')
optional_policy(`
@@ -67580,7 +67693,7 @@ index 57c034b..7e70344 100644
lpd_exec_lpr(smbd_t)
')
-@@ -493,9 +477,32 @@ optional_policy(`
+@@ -493,9 +476,32 @@ optional_policy(`
udev_read_db(smbd_t)
')
@@ -67614,7 +67727,7 @@ index 57c034b..7e70344 100644
#
dontaudit nmbd_t self:capability sys_tty_config;
-@@ -506,9 +513,11 @@ allow nmbd_t self:msg { send receive };
+@@ -506,9 +512,11 @@ allow nmbd_t self:msg { send receive };
allow nmbd_t self:msgq create_msgq_perms;
allow nmbd_t self:sem create_sem_perms;
allow nmbd_t self:shm create_shm_perms;
@@ -67629,7 +67742,7 @@ index 57c034b..7e70344 100644
manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -520,20 +529,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -520,20 +528,14 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@@ -67639,7 +67752,7 @@ index 57c034b..7e70344 100644
+manage_files_pattern(nmbd_t, samba_log_t, samba_log_t)
manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
- manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
+-manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t)
manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t)
-files_var_filetrans(nmbd_t, samba_var_t, dir, "nmbd")
@@ -67652,7 +67765,7 @@ index 57c034b..7e70344 100644
kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t)
-@@ -542,52 +546,40 @@ kernel_read_network_state(nmbd_t)
+@@ -542,52 +544,39 @@ kernel_read_network_state(nmbd_t)
kernel_read_software_raid_state(nmbd_t)
kernel_read_system_state(nmbd_t)
@@ -67684,7 +67797,7 @@ index 57c034b..7e70344 100644
+
domain_use_interactive_fds(nmbd_t)
- files_read_usr_files(nmbd_t)
+-files_read_usr_files(nmbd_t)
files_list_var_lib(nmbd_t)
-fs_getattr_all_fs(nmbd_t)
@@ -67715,7 +67828,7 @@ index 57c034b..7e70344 100644
')
optional_policy(`
-@@ -600,17 +592,24 @@ optional_policy(`
+@@ -600,17 +589,24 @@ optional_policy(`
########################################
#
@@ -67735,22 +67848,21 @@ index 57c034b..7e70344 100644
-read_files_pattern(smbcontrol_t, { nmbd_var_run_t smbd_var_run_t }, { nmbd_var_run_t smbd_var_run_t })
+allow smbcontrol_t nmbd_t:process { signal signull };
+read_files_pattern(smbcontrol_t, nmbd_var_run_t, nmbd_var_run_t)
-
++
+allow smbcontrol_t smbd_t:process { signal signull };
+read_files_pattern(smbcontrol_t, smbd_var_run_t, smbd_var_run_t)
+allow smbcontrol_t winbind_t:process { signal signull };
-+
+
+files_search_var_lib(smbcontrol_t)
samba_read_config(smbcontrol_t)
samba_rw_var_files(smbcontrol_t)
samba_search_var(smbcontrol_t)
-@@ -620,16 +619,13 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -620,16 +616,12 @@ domain_use_interactive_fds(smbcontrol_t)
dev_read_urand(smbcontrol_t)
-files_read_etc_files(smbcontrol_t)
-files_search_var_lib(smbcontrol_t)
-+files_read_usr_files(smbcontrol_t)
term_use_console(smbcontrol_t)
@@ -67763,7 +67875,7 @@ index 57c034b..7e70344 100644
optional_policy(`
ctdbd_stream_connect(smbcontrol_t)
-@@ -637,22 +633,23 @@ optional_policy(`
+@@ -637,22 +629,23 @@ optional_policy(`
########################################
#
@@ -67795,7 +67907,7 @@ index 57c034b..7e70344 100644
allow smbmount_t samba_secrets_t:file manage_file_perms;
-@@ -661,26 +658,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -661,26 +654,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
@@ -67831,7 +67943,7 @@ index 57c034b..7e70344 100644
fs_getattr_cifs(smbmount_t)
fs_mount_cifs(smbmount_t)
-@@ -692,58 +685,78 @@ fs_read_cifs_files(smbmount_t)
+@@ -692,58 +681,77 @@ fs_read_cifs_files(smbmount_t)
storage_raw_read_fixed_disk(smbmount_t)
storage_raw_write_fixed_disk(smbmount_t)
@@ -67912,7 +68024,6 @@ index 57c034b..7e70344 100644
manage_files_pattern(swat_t, samba_var_t, samba_var_t)
-manage_lnk_files_pattern(swat_t, samba_var_t, samba_var_t)
files_var_filetrans(swat_t, samba_var_t, dir, "samba")
-+files_list_var_lib(swat_t)
allow swat_t smbd_exec_t:file mmap_file_perms ;
@@ -67924,7 +68035,7 @@ index 57c034b..7e70344 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -752,17 +765,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -752,17 +760,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
files_pid_filetrans(swat_t, swat_var_run_t, file)
@@ -67948,7 +68059,7 @@ index 57c034b..7e70344 100644
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
-@@ -770,28 +779,19 @@ kernel_read_network_state(swat_t)
+@@ -770,36 +774,25 @@ kernel_read_network_state(swat_t)
corecmd_search_bin(swat_t)
@@ -67983,15 +68094,15 @@ index 57c034b..7e70344 100644
dev_read_urand(swat_t)
-@@ -799,7 +799,6 @@ files_list_var_lib(swat_t)
+ files_list_var_lib(swat_t)
files_search_home(swat_t)
- files_read_usr_files(swat_t)
+-files_read_usr_files(swat_t)
fs_getattr_xattr_fs(swat_t)
-files_list_var_lib(swat_t)
auth_domtrans_chk_passwd(swat_t)
auth_use_nsswitch(swat_t)
-@@ -811,10 +810,11 @@ logging_send_syslog_msg(swat_t)
+@@ -811,10 +804,11 @@ logging_send_syslog_msg(swat_t)
logging_send_audit_msgs(swat_t)
logging_search_logs(swat_t)
@@ -68005,7 +68116,7 @@ index 57c034b..7e70344 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -837,13 +837,15 @@ allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
+@@ -837,13 +831,15 @@ allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
dontaudit winbind_t self:capability sys_tty_config;
allow winbind_t self:process { signal_perms getsched setsched };
allow winbind_t self:fifo_file rw_fifo_file_perms;
@@ -68025,7 +68136,7 @@ index 57c034b..7e70344 100644
allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -853,9 +855,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -853,9 +849,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -68036,11 +68147,7 @@ index 57c034b..7e70344 100644
manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -863,26 +863,25 @@ manage_files_pattern(winbind_t, samba_var_t, samba_var_t)
- manage_lnk_files_pattern(winbind_t, samba_var_t, samba_var_t)
- manage_sock_files_pattern(winbind_t, samba_var_t, samba_var_t)
- files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
-+files_list_var_lib(winbind_t)
+@@ -866,23 +860,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
@@ -68070,7 +68177,7 @@ index 57c034b..7e70344 100644
manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
kernel_read_network_state(winbind_t)
-@@ -891,13 +890,18 @@ kernel_read_system_state(winbind_t)
+@@ -891,13 +883,17 @@ kernel_read_system_state(winbind_t)
corecmd_exec_bin(winbind_t)
@@ -68088,11 +68195,10 @@ index 57c034b..7e70344 100644
+corenet_udp_sendrecv_all_ports(winbind_t)
+corenet_tcp_bind_generic_node(winbind_t)
+corenet_udp_bind_generic_node(winbind_t)
-+corenet_tcp_connect_smbd_port(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -905,10 +909,7 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -905,10 +901,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t)
@@ -68100,11 +68206,10 @@ index 57c034b..7e70344 100644
-
-files_read_usr_symlinks(winbind_t)
-files_list_var_lib(winbind_t)
-+files_read_usr_files(winbind_t)
fs_getattr_all_fs(winbind_t)
fs_search_auto_mountpoints(winbind_t)
-@@ -917,11 +918,17 @@ auth_domtrans_chk_passwd(winbind_t)
+@@ -917,11 +909,17 @@ auth_domtrans_chk_passwd(winbind_t)
auth_use_nsswitch(winbind_t)
auth_manage_cache(winbind_t)
@@ -68123,7 +68228,7 @@ index 57c034b..7e70344 100644
userdom_dontaudit_use_unpriv_user_fds(winbind_t)
userdom_manage_user_home_content_dirs(winbind_t)
userdom_manage_user_home_content_files(winbind_t)
-@@ -936,6 +943,10 @@ optional_policy(`
+@@ -936,6 +934,10 @@ optional_policy(`
')
optional_policy(`
@@ -68134,7 +68239,7 @@ index 57c034b..7e70344 100644
kerberos_use(winbind_t)
')
-@@ -952,31 +963,29 @@ optional_policy(`
+@@ -952,31 +954,29 @@ optional_policy(`
# Winbind helper local policy
#
@@ -68172,7 +68277,7 @@ index 57c034b..7e70344 100644
optional_policy(`
apache_append_log(winbind_helper_t)
-@@ -990,25 +999,38 @@ optional_policy(`
+@@ -990,25 +990,38 @@ optional_policy(`
########################################
#
@@ -68225,7 +68330,7 @@ index 57c034b..7e70344 100644
+ can_exec(smbd_t, samba_unconfined_script_exec_t)
')
diff --git a/sambagui.te b/sambagui.te
-index d9f8784..2b2c0dc 100644
+index d9f8784..9c40dbd 100644
--- a/sambagui.te
+++ b/sambagui.te
@@ -28,14 +28,14 @@ corecmd_exec_shell(sambagui_t)
@@ -68246,18 +68351,7 @@ index d9f8784..2b2c0dc 100644
sysnet_use_ldap(sambagui_t)
-@@ -44,6 +44,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ dbus_system_domain(sambagui_t, sambagui_exec_t)
-+')
-+
-+optional_policy(`
- nscd_dontaudit_search_pid(sambagui_t)
- ')
-
-@@ -61,6 +65,7 @@ optional_policy(`
+@@ -61,6 +61,7 @@ optional_policy(`
samba_manage_var_files(sambagui_t)
samba_read_secrets(sambagui_t)
samba_initrc_domtrans(sambagui_t)
@@ -68370,10 +68464,10 @@ index 0000000..577dfa7
+')
diff --git a/sandbox.te b/sandbox.te
new file mode 100644
-index 0000000..db440d4
+index 0000000..3fc69d5
--- /dev/null
+++ b/sandbox.te
-@@ -0,0 +1,66 @@
+@@ -0,0 +1,65 @@
+policy_module(sandbox,1.0.0)
+
+attribute sandbox_domain;
@@ -68428,7 +68522,6 @@ index 0000000..db440d4
+files_entrypoint_all_files(sandbox_domain)
+
+files_read_config_files(sandbox_domain)
-+files_read_usr_files(sandbox_domain)
+files_read_var_files(sandbox_domain)
+files_dontaudit_search_all_dirs(sandbox_domain)
+
@@ -68847,10 +68940,10 @@ index 0000000..1b21b7b
+')
diff --git a/sandboxX.te b/sandboxX.te
new file mode 100644
-index 0000000..7a746a3
+index 0000000..449a87c
--- /dev/null
+++ b/sandboxX.te
-@@ -0,0 +1,464 @@
+@@ -0,0 +1,462 @@
+policy_module(sandboxX,1.0.0)
+
+dbus_stub()
@@ -68938,7 +69031,6 @@ index 0000000..7a746a3
+domain_use_interactive_fds(sandbox_xserver_t)
+
+files_read_config_files(sandbox_xserver_t)
-+files_read_usr_files(sandbox_xserver_t)
+files_search_home(sandbox_xserver_t)
+fs_dontaudit_rw_tmpfs_files(sandbox_xserver_t)
+fs_list_inotifyfs(sandbox_xserver_t)
@@ -69021,7 +69113,6 @@ index 0000000..7a746a3
+files_dontaudit_list_all_mountpoints(sandbox_x_domain)
+files_entrypoint_all_files(sandbox_x_domain)
+files_read_config_files(sandbox_x_domain)
-+files_read_usr_files(sandbox_x_domain)
+files_read_usr_symlinks(sandbox_x_domain)
+
+fs_getattr_tmpfs(sandbox_x_domain)
@@ -69668,7 +69759,7 @@ index b2f388a..3e6a93f 100644
init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/sasl.te b/sasl.te
-index a63b875..88a01c0 100644
+index a63b875..64a7c79 100644
--- a/sasl.te
+++ b/sasl.te
@@ -1,4 +1,4 @@
@@ -69740,13 +69831,12 @@ index a63b875..88a01c0 100644
fs_getattr_all_fs(saslauthd_t)
fs_search_auto_mountpoints(saslauthd_t)
-@@ -73,33 +64,38 @@ selinux_compute_access_vector(saslauthd_t)
+@@ -73,33 +64,37 @@ selinux_compute_access_vector(saslauthd_t)
auth_use_pam(saslauthd_t)
+domain_use_interactive_fds(saslauthd_t)
+
-+files_read_etc_files(saslauthd_t)
+files_dontaudit_read_etc_runtime_files(saslauthd_t)
+files_search_var_lib(saslauthd_t)
+files_dontaudit_getattr_home_dir(saslauthd_t)
@@ -70109,7 +70199,7 @@ index c21ddcc..ee00be2 100644
+ can_exec($1, screen_exec_t)
+')
diff --git a/screen.te b/screen.te
-index f095081..86af6f6 100644
+index f095081..c0d7b61 100644
--- a/screen.te
+++ b/screen.te
@@ -1,13 +1,11 @@
@@ -70186,7 +70276,7 @@ index f095081..86af6f6 100644
kernel_read_kernel_sysctls(screen_domain)
corecmd_list_bin(screen_domain)
-@@ -65,55 +58,41 @@ corecmd_read_bin_symlinks(screen_domain)
+@@ -65,55 +58,39 @@ corecmd_read_bin_symlinks(screen_domain)
corecmd_read_bin_pipes(screen_domain)
corecmd_read_bin_sockets(screen_domain)
@@ -70215,8 +70305,7 @@ index f095081..86af6f6 100644
+files_search_tmp(screen_domain)
+files_search_home(screen_domain)
files_list_home(screen_domain)
- files_read_usr_files(screen_domain)
-+files_read_etc_files(screen_domain)
+-files_read_usr_files(screen_domain)
fs_search_auto_mountpoints(screen_domain)
-fs_getattr_all_fs(screen_domain)
@@ -70681,7 +70770,7 @@ index 88e753f..ca74cd9 100644
+ admin_pattern($1, mail_spool_t)
')
diff --git a/sendmail.te b/sendmail.te
-index 5f35d78..a536819 100644
+index 5f35d78..9bef62c 100644
--- a/sendmail.te
+++ b/sendmail.te
@@ -1,18 +1,10 @@
@@ -70780,7 +70869,7 @@ index 5f35d78..a536819 100644
fs_getattr_all_fs(sendmail_t)
fs_search_auto_mountpoints(sendmail_t)
-@@ -93,35 +71,50 @@ fs_rw_anon_inodefs_files(sendmail_t)
+@@ -93,35 +71,49 @@ fs_rw_anon_inodefs_files(sendmail_t)
term_dontaudit_use_console(sendmail_t)
term_dontaudit_use_generic_ptys(sendmail_t)
@@ -70790,7 +70879,6 @@ index 5f35d78..a536819 100644
+
+domain_use_interactive_fds(sendmail_t)
+
-+files_read_usr_files(sendmail_t)
+files_search_spool(sendmail_t)
+# for piping mail to a command
+files_read_etc_runtime_files(sendmail_t)
@@ -70837,7 +70925,7 @@ index 5f35d78..a536819 100644
')
optional_policy(`
-@@ -166,6 +159,11 @@ optional_policy(`
+@@ -166,6 +158,11 @@ optional_policy(`
')
optional_policy(`
@@ -70849,7 +70937,7 @@ index 5f35d78..a536819 100644
postfix_domtrans_postdrop(sendmail_t)
postfix_domtrans_master(sendmail_t)
postfix_domtrans_postqueue(sendmail_t)
-@@ -187,21 +185,13 @@ optional_policy(`
+@@ -187,21 +184,13 @@ optional_policy(`
')
optional_policy(`
@@ -71097,7 +71185,7 @@ index 3a9a70b..039b0c8 100644
logging_list_logs($1)
admin_pattern($1, setroubleshoot_var_log_t)
diff --git a/setroubleshoot.te b/setroubleshoot.te
-index 49b12ae..ab3ba4d 100644
+index 49b12ae..0a0f095 100644
--- a/setroubleshoot.te
+++ b/setroubleshoot.te
@@ -1,4 +1,4 @@
@@ -71186,7 +71274,15 @@ index 49b12ae..ab3ba4d 100644
dev_read_urand(setroubleshootd_t)
dev_read_sysfs(setroubleshootd_t)
-@@ -108,13 +114,13 @@ init_dontaudit_write_utmp(setroubleshootd_t)
+@@ -79,7 +85,6 @@ dev_getattr_mtrr_dev(setroubleshootd_t)
+ domain_dontaudit_search_all_domains_state(setroubleshootd_t)
+ domain_signull_all_domains(setroubleshootd_t)
+
+-files_read_usr_files(setroubleshootd_t)
+ files_list_all(setroubleshootd_t)
+ files_getattr_all_files(setroubleshootd_t)
+ files_getattr_all_pipes(setroubleshootd_t)
+@@ -108,13 +113,13 @@ init_dontaudit_write_utmp(setroubleshootd_t)
libs_exec_ld_so(setroubleshootd_t)
@@ -71202,7 +71298,7 @@ index 49b12ae..ab3ba4d 100644
seutil_read_config(setroubleshootd_t)
seutil_read_file_contexts(setroubleshootd_t)
-@@ -123,11 +129,7 @@ seutil_read_bin_policy(setroubleshootd_t)
+@@ -123,11 +128,7 @@ seutil_read_bin_policy(setroubleshootd_t)
userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
optional_policy(`
@@ -71215,7 +71311,7 @@ index 49b12ae..ab3ba4d 100644
')
optional_policy(`
-@@ -135,10 +137,18 @@ optional_policy(`
+@@ -135,10 +136,18 @@ optional_policy(`
')
optional_policy(`
@@ -71234,7 +71330,7 @@ index 49b12ae..ab3ba4d 100644
rpm_exec(setroubleshootd_t)
rpm_signull(setroubleshootd_t)
rpm_read_db(setroubleshootd_t)
-@@ -148,15 +158,17 @@ optional_policy(`
+@@ -148,15 +157,17 @@ optional_policy(`
########################################
#
@@ -71253,7 +71349,7 @@ index 49b12ae..ab3ba4d 100644
setroubleshoot_stream_connect(setroubleshoot_fixit_t)
kernel_read_system_state(setroubleshoot_fixit_t)
-@@ -165,7 +177,12 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
+@@ -165,9 +176,13 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
corecmd_exec_shell(setroubleshoot_fixit_t)
corecmd_getattr_all_executables(setroubleshoot_fixit_t)
@@ -71264,9 +71360,11 @@ index 49b12ae..ab3ba4d 100644
+seutil_domtrans_setsebool(setroubleshoot_fixit_t)
+seutil_read_module_store(setroubleshoot_fixit_t)
- files_read_usr_files(setroubleshoot_fixit_t)
+-files_read_usr_files(setroubleshoot_fixit_t)
files_list_tmp(setroubleshoot_fixit_t)
-@@ -175,23 +192,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
+
+ auth_use_nsswitch(setroubleshoot_fixit_t)
+@@ -175,23 +190,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
logging_send_audit_msgs(setroubleshoot_fixit_t)
logging_send_syslog_msg(setroubleshoot_fixit_t)
@@ -71344,10 +71442,10 @@ index 0000000..c9d2d9c
+
diff --git a/sge.te b/sge.te
new file mode 100644
-index 0000000..d43336f
+index 0000000..9a329a1
--- /dev/null
+++ b/sge.te
-@@ -0,0 +1,193 @@
+@@ -0,0 +1,191 @@
+policy_module(sge, 1.0.0)
+
+########################################
@@ -71513,8 +71611,6 @@ index 0000000..d43336f
+
+domain_read_all_domains_state(sge_domain)
+
-+files_read_etc_files(sge_domain)
-+files_read_usr_files(sge_domain)
+
+dev_read_urand(sge_domain)
+
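Review bot: Removing the two `+files_read_*` lines from the sge.te hunk appears to leave the blank `+` lines on either side adjacent, so the new file carries a double blank line between `domain_read_all_domains_state(sge_domain)` and `dev_read_urand(sge_domain)`; one of the two blank lines should go with the removed ones. The same double blank line is left behind in the spamassassin.te (spamd_update_t), speedtouch.te and thin.te hunks further down. The sge_domain block this belongs to starts outside the hunk.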
@@ -71725,7 +71821,7 @@ index 1aeef8a..d5ce40a 100644
admin_pattern($1, shorewall_etc_t)
diff --git a/shorewall.te b/shorewall.te
-index ca03de6..bcf990d 100644
+index ca03de6..bac98d6 100644
--- a/shorewall.te
+++ b/shorewall.te
@@ -57,6 +57,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
@@ -71738,13 +71834,20 @@ index ca03de6..bcf990d 100644
allow shorewall_t shorewall_initrc_exec_t:file read_file_perms;
-@@ -86,12 +89,13 @@ init_rw_utmp(shorewall_t)
+@@ -74,7 +77,6 @@ dev_read_urand(shorewall_t)
+ domain_read_all_domains_state(shorewall_t)
+
+ files_getattr_kernel_modules(shorewall_t)
+-files_read_usr_files(shorewall_t)
+ files_search_kernel_modules(shorewall_t)
+
+ fs_getattr_all_fs(shorewall_t)
+@@ -86,12 +88,11 @@ init_rw_utmp(shorewall_t)
logging_read_generic_logs(shorewall_t)
logging_send_syslog_msg(shorewall_t)
-miscfiles_read_localization(shorewall_t)
-+auth_use_nsswitch(shorewall_t)
-
+-
sysnet_domtrans_ifconfig(shorewall_t)
-userdom_dontaudit_list_user_home_dirs(shorewall_t)
@@ -71766,7 +71869,7 @@ index a91f33b..631dbc1 100644
-/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
+/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
diff --git a/shutdown.if b/shutdown.if
-index d1706bf..aa97fad 100644
+index d1706bf..87ab4a7 100644
--- a/shutdown.if
+++ b/shutdown.if
@@ -1,30 +1,4 @@
@@ -71869,7 +71972,7 @@ index d1706bf..aa97fad 100644
+ shutdown_run($2, $1)
+
+ allow $2 shutdown_t:process { ptrace signal_perms };
-+ ps_process_pattern($2, shutdown_t
++ ps_process_pattern($2, shutdown_t)
+')
+
+########################################
@@ -72055,7 +72158,7 @@ index 66ac42a..f28fadc 100644
-miscfiles_read_localization(slpd_t)
+sysnet_dns_name_resolve(slpd_t)
diff --git a/slrnpull.te b/slrnpull.te
-index 5437237..d46f779 100644
+index 5437237..3dfc982 100644
--- a/slrnpull.te
+++ b/slrnpull.te
@@ -13,7 +13,7 @@ type slrnpull_var_run_t;
@@ -72067,7 +72170,15 @@ index 5437237..d46f779 100644
type slrnpull_log_t;
logging_log_file(slrnpull_log_t)
-@@ -52,8 +52,6 @@ fs_search_auto_mountpoints(slrnpull_t)
+@@ -44,7 +44,6 @@ dev_read_sysfs(slrnpull_t)
+
+ domain_use_interactive_fds(slrnpull_t)
+
+-files_read_etc_files(slrnpull_t)
+ files_search_spool(slrnpull_t)
+
+ fs_getattr_all_fs(slrnpull_t)
+@@ -52,8 +51,6 @@ fs_search_auto_mountpoints(slrnpull_t)
logging_send_syslog_msg(slrnpull_t)
@@ -72096,10 +72207,10 @@ index e0644b5..ea347cc 100644
domain_system_change_exemption($1)
role_transition $2 fsdaemon_initrc_exec_t system_r;
diff --git a/smartmon.te b/smartmon.te
-index 9ade9c5..48444ed 100644
+index 9ade9c5..90cb567 100644
--- a/smartmon.te
+++ b/smartmon.te
-@@ -60,6 +60,11 @@ kernel_read_system_state(fsdaemon_t)
+@@ -60,21 +60,27 @@ kernel_read_system_state(fsdaemon_t)
corecmd_exec_all_executables(fsdaemon_t)
@@ -72111,7 +72222,12 @@ index 9ade9c5..48444ed 100644
dev_read_sysfs(fsdaemon_t)
dev_read_urand(fsdaemon_t)
-@@ -72,9 +77,12 @@ files_read_usr_files(fsdaemon_t)
+ domain_use_interactive_fds(fsdaemon_t)
+
+ files_exec_etc_files(fsdaemon_t)
+-files_read_etc_files(fsdaemon_t)
+ files_read_etc_runtime_files(fsdaemon_t)
+-files_read_usr_files(fsdaemon_t)
fs_getattr_all_fs(fsdaemon_t)
fs_search_auto_mountpoints(fsdaemon_t)
@@ -72124,7 +72240,7 @@ index 9ade9c5..48444ed 100644
storage_raw_read_fixed_disk(fsdaemon_t)
storage_raw_write_fixed_disk(fsdaemon_t)
storage_raw_read_removable_device(fsdaemon_t)
-@@ -85,6 +93,8 @@ term_dontaudit_search_ptys(fsdaemon_t)
+@@ -85,6 +91,8 @@ term_dontaudit_search_ptys(fsdaemon_t)
application_signull(fsdaemon_t)
@@ -72133,7 +72249,7 @@ index 9ade9c5..48444ed 100644
init_read_utmp(fsdaemon_t)
libs_exec_ld_so(fsdaemon_t)
-@@ -92,7 +102,7 @@ libs_exec_lib_files(fsdaemon_t)
+@@ -92,7 +100,7 @@ libs_exec_lib_files(fsdaemon_t)
logging_send_syslog_msg(fsdaemon_t)
@@ -72142,14 +72258,18 @@ index 9ade9c5..48444ed 100644
sysnet_dns_name_resolve(fsdaemon_t)
-@@ -122,3 +132,7 @@ optional_policy(`
+@@ -116,9 +124,9 @@ optional_policy(`
+ ')
+
optional_policy(`
- udev_read_db(fsdaemon_t)
+- seutil_sigchld_newrole(fsdaemon_t)
++ udev_read_db(fsdaemon_t)
')
-+
-+optional_policy(`
+
+ optional_policy(`
+- udev_read_db(fsdaemon_t)
+ virt_read_images(fsdaemon_t)
-+')
+ ')
diff --git a/smokeping.if b/smokeping.if
index 1fa51c1..82e111c 100644
--- a/smokeping.if
@@ -72168,10 +72288,18 @@ index 1fa51c1..82e111c 100644
smokeping_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/smokeping.te b/smokeping.te
-index a8b1aaf..3769d45 100644
+index a8b1aaf..a09f2fe 100644
--- a/smokeping.te
+++ b/smokeping.te
-@@ -47,8 +47,6 @@ auth_dontaudit_read_shadow(smokeping_t)
+@@ -39,7 +39,6 @@ corecmd_exec_bin(smokeping_t)
+
+ dev_read_urand(smokeping_t)
+
+-files_read_usr_files(smokeping_t)
+ files_search_tmp(smokeping_t)
+
+ auth_use_nsswitch(smokeping_t)
+@@ -47,8 +46,6 @@ auth_dontaudit_read_shadow(smokeping_t)
logging_send_syslog_msg(smokeping_t)
@@ -72180,7 +72308,7 @@ index a8b1aaf..3769d45 100644
mta_send_mail(smokeping_t)
netutils_domtrans_ping(smokeping_t)
-@@ -70,6 +68,8 @@ optional_policy(`
+@@ -70,6 +67,8 @@ optional_policy(`
files_search_tmp(httpd_smokeping_cgi_script_t)
files_search_var_lib(httpd_smokeping_cgi_script_t)
@@ -72190,10 +72318,10 @@ index a8b1aaf..3769d45 100644
netutils_domtrans_ping(httpd_smokeping_cgi_script_t)
diff --git a/smoltclient.te b/smoltclient.te
-index 9c8f9a5..529487e 100644
+index 9c8f9a5..14f15a4 100644
--- a/smoltclient.te
+++ b/smoltclient.te
-@@ -51,14 +51,20 @@ fs_list_auto_mountpoints(smoltclient_t)
+@@ -51,14 +51,12 @@ fs_list_auto_mountpoints(smoltclient_t)
files_getattr_generic_locks(smoltclient_t)
files_read_etc_runtime_files(smoltclient_t)
@@ -72205,14 +72333,6 @@ index 9c8f9a5..529487e 100644
miscfiles_read_hwdata(smoltclient_t)
-miscfiles_read_localization(smoltclient_t)
-+
-+optional_policy(`
-+ abrt_stream_connect(smoltclient_t)
-+')
-+
-+optional_policy(`
-+ cron_system_entry(smoltclient_t, smoltclient_exec_t)
-+')
optional_policy(`
abrt_stream_connect(smoltclient_t)
@@ -72686,7 +72806,7 @@ index 7a9cc9d..86cbca9 100644
init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/snmp.te b/snmp.te
-index 81864ce..cc44e06 100644
+index 81864ce..a56b827 100644
--- a/snmp.te
+++ b/snmp.te
@@ -27,11 +27,13 @@ files_type(snmpd_var_lib_t)
@@ -72720,15 +72840,25 @@ index 81864ce..cc44e06 100644
corenet_all_recvfrom_netlabel(snmpd_t)
corenet_tcp_sendrecv_generic_if(snmpd_t)
corenet_udp_sendrecv_generic_if(snmpd_t)
-@@ -103,6 +106,7 @@ fs_getattr_all_fs(snmpd_t)
- files_list_all(snmpd_t)
- files_search_all_mountpoints(snmpd_t)
- fs_search_auto_mountpoints(snmpd_t)
-+files_search_all_mountpoints(snmpd_t)
-
- storage_dontaudit_read_fixed_disk(snmpd_t)
- storage_dontaudit_read_removable_device(snmpd_t)
-@@ -112,16 +116,25 @@ auth_use_nsswitch(snmpd_t)
+@@ -75,9 +78,7 @@ corenet_udp_bind_snmp_port(snmpd_t)
+ corenet_tcp_sendrecv_snmp_port(snmpd_t)
+ corenet_udp_sendrecv_snmp_port(snmpd_t)
+
+-corenet_sendrecv_snmp_client_packets(snmpd_t)
+ corenet_tcp_connect_agentx_port(snmpd_t)
+-corenet_sendrecv_snmp_server_packets(snmpd_t)
+ corenet_tcp_bind_agentx_port(snmpd_t)
+ corenet_udp_bind_agentx_port(snmpd_t)
+ corenet_tcp_sendrecv_agentx_port(snmpd_t)
+@@ -94,7 +95,6 @@ domain_signull_all_domains(snmpd_t)
+ domain_read_all_domains_state(snmpd_t)
+ domain_exec_all_entry_files(snmpd_t)
+
+-files_read_usr_files(snmpd_t)
+ files_read_etc_runtime_files(snmpd_t)
+ files_search_home(snmpd_t)
+
+@@ -112,10 +112,12 @@ auth_use_nsswitch(snmpd_t)
init_read_utmp(snmpd_t)
init_dontaudit_write_utmp(snmpd_t)
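Review bot: The new snmp.te hunk removes `corenet_sendrecv_snmp_client_packets(snmpd_t)` and `corenet_sendrecv_snmp_server_packets(snmpd_t)` together with the `files_read_usr_files` cleanup, but unlike that cleanup these are not permissions a base policy is likely to grant generically: they presumably cover the packet class used when SECMARK labeling is enabled, so on a host with labeled-packet rules snmpd would lose send/recv on its own traffic. If those interfaces are being retired in this refpolicy version, a comment in the hunk such as `# snmp packet perms dropped: <reason>` would make that clear; otherwise the two lines should stay. The surrounding snmpd_t block begins outside the hunk.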
@@ -72742,19 +72872,6 @@ index 81864ce..cc44e06 100644
seutil_dontaudit_search_config(snmpd_t)
- userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
- userdom_dontaudit_search_user_home_dirs(snmpd_t)
-
-+ifdef(`distro_redhat',`
-+ optional_policy(`
-+ rpm_read_db(snmpd_t)
-+ rpm_dontaudit_manage_db(snmpd_t)
-+ ')
-+')
-+
- optional_policy(`
- amanda_dontaudit_read_dumpdates(snmpd_t)
- ')
diff --git a/snort.if b/snort.if
index 7d86b34..5f58180 100644
--- a/snort.if
@@ -72832,10 +72949,18 @@ index ccd28bb..b9e856e 100644
userdom_dontaudit_use_unpriv_user_fds(snort_t)
diff --git a/sosreport.te b/sosreport.te
-index 703efa3..ec61db7 100644
+index 703efa3..de313d7 100644
--- a/sosreport.te
+++ b/sosreport.te
-@@ -84,6 +84,10 @@ fs_list_inotifyfs(sosreport_t)
+@@ -70,7 +70,6 @@ files_list_all(sosreport_t)
+ files_read_config_files(sosreport_t)
+ files_read_generic_tmp_files(sosreport_t)
+ files_read_non_auth_files(sosreport_t)
+-files_read_usr_files(sosreport_t)
+ files_read_var_lib_files(sosreport_t)
+ files_read_var_symlinks(sosreport_t)
+ files_read_kernel_modules(sosreport_t)
+@@ -84,6 +83,10 @@ fs_list_inotifyfs(sosreport_t)
storage_dontaudit_read_fixed_disk(sosreport_t)
storage_dontaudit_read_removable_device(sosreport_t)
@@ -72846,7 +72971,7 @@ index 703efa3..ec61db7 100644
auth_use_nsswitch(sosreport_t)
init_domtrans_script(sosreport_t)
-@@ -93,9 +97,8 @@ libs_domtrans_ldconfig(sosreport_t)
+@@ -93,9 +96,8 @@ libs_domtrans_ldconfig(sosreport_t)
logging_read_all_logs(sosreport_t)
logging_send_syslog_msg(sosreport_t)
@@ -72857,7 +72982,7 @@ index 703efa3..ec61db7 100644
optional_policy(`
abrt_manage_pid_files(sosreport_t)
-@@ -111,6 +114,11 @@ optional_policy(`
+@@ -111,6 +113,11 @@ optional_policy(`
')
optional_policy(`
@@ -72889,7 +73014,7 @@ index a5abc5a..b9eff74 100644
domain_system_change_exemption($1)
role_transition $2 soundd_initrc_exec_t system_r;
diff --git a/soundserver.te b/soundserver.te
-index db1bc6f..40abb06 100644
+index db1bc6f..b6c0d16 100644
--- a/soundserver.te
+++ b/soundserver.te
@@ -65,7 +65,6 @@ kernel_read_kernel_sysctls(soundd_t)
@@ -72900,7 +73025,15 @@ index db1bc6f..40abb06 100644
corenet_all_recvfrom_netlabel(soundd_t)
corenet_tcp_sendrecv_generic_if(soundd_t)
corenet_tcp_sendrecv_generic_node(soundd_t)
-@@ -89,8 +88,6 @@ fs_search_auto_mountpoints(soundd_t)
+@@ -81,7 +80,6 @@ dev_write_sound(soundd_t)
+
+ domain_use_interactive_fds(soundd_t)
+
+-files_read_etc_files(soundd_t)
+ files_read_etc_runtime_files(soundd_t)
+
+ fs_getattr_all_fs(soundd_t)
+@@ -89,8 +87,6 @@ fs_search_auto_mountpoints(soundd_t)
logging_send_syslog_msg(soundd_t)
@@ -73387,7 +73520,7 @@ index 1499b0b..82fc7f6 100644
- spamassassin_role($2, $1)
')
diff --git a/spamassassin.te b/spamassassin.te
-index 4faa7e0..18d0efc 100644
+index 4faa7e0..c7f47b3 100644
--- a/spamassassin.te
+++ b/spamassassin.te
@@ -1,4 +1,4 @@
@@ -73466,7 +73599,7 @@ index 4faa7e0..18d0efc 100644
type spamd_initrc_exec_t;
init_script_file(spamd_initrc_exec_t)
-@@ -72,49 +39,154 @@ type spamd_log_t;
+@@ -72,87 +39,198 @@ type spamd_log_t;
logging_log_file(spamd_log_t)
type spamd_spool_t;
@@ -73627,8 +73760,8 @@ index 4faa7e0..18d0efc 100644
-files_read_etc_files(spamassassin_t)
files_read_etc_runtime_files(spamassassin_t)
files_list_home(spamassassin_t)
- files_read_usr_files(spamassassin_t)
-@@ -122,37 +194,44 @@ files_dontaudit_search_var(spamassassin_t)
+-files_read_usr_files(spamassassin_t)
+ files_dontaudit_search_var(spamassassin_t)
logging_send_syslog_msg(spamassassin_t)
@@ -73687,7 +73820,7 @@ index 4faa7e0..18d0efc 100644
nis_use_ypbind_uncond(spamassassin_t)
')
')
-@@ -160,6 +239,8 @@ optional_policy(`
+@@ -160,6 +238,8 @@ optional_policy(`
optional_policy(`
mta_read_config(spamassassin_t)
sendmail_stub(spamassassin_t)
@@ -73696,7 +73829,7 @@ index 4faa7e0..18d0efc 100644
')
########################################
-@@ -167,72 +248,88 @@ optional_policy(`
+@@ -167,72 +247,87 @@ optional_policy(`
# Client local policy
#
@@ -73786,7 +73919,7 @@ index 4faa7e0..18d0efc 100644
+domain_use_interactive_fds(spamc_t)
files_read_etc_runtime_files(spamc_t)
- files_read_usr_files(spamc_t)
+-files_read_usr_files(spamc_t)
files_dontaudit_search_var(spamc_t)
+# cjp: this may be removable:
files_list_home(spamc_t)
@@ -73815,7 +73948,7 @@ index 4faa7e0..18d0efc 100644
optional_policy(`
abrt_stream_connect(spamc_t)
-@@ -243,6 +340,7 @@ optional_policy(`
+@@ -243,6 +338,7 @@ optional_policy(`
')
optional_policy(`
@@ -73823,7 +73956,7 @@ index 4faa7e0..18d0efc 100644
evolution_stream_connect(spamc_t)
')
-@@ -251,52 +349,55 @@ optional_policy(`
+@@ -251,52 +347,55 @@ optional_policy(`
')
optional_policy(`
@@ -73904,7 +74037,7 @@ index 4faa7e0..18d0efc 100644
logging_log_filetrans(spamd_t, spamd_log_t, file)
manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
-@@ -308,6 +409,7 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
+@@ -308,6 +407,7 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
@@ -73912,7 +74045,7 @@ index 4faa7e0..18d0efc 100644
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
-@@ -317,12 +419,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+@@ -317,12 +417,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
@@ -73928,7 +74061,7 @@ index 4faa7e0..18d0efc 100644
corenet_all_recvfrom_netlabel(spamd_t)
corenet_tcp_sendrecv_generic_if(spamd_t)
corenet_udp_sendrecv_generic_if(spamd_t)
-@@ -331,78 +434,62 @@ corenet_udp_sendrecv_generic_node(spamd_t)
+@@ -331,78 +432,61 @@ corenet_udp_sendrecv_generic_node(spamd_t)
corenet_tcp_sendrecv_all_ports(spamd_t)
corenet_udp_sendrecv_all_ports(spamd_t)
corenet_tcp_bind_generic_node(spamd_t)
@@ -73964,29 +74097,29 @@ index 4faa7e0..18d0efc 100644
dev_read_sysfs(spamd_t)
dev_read_urand(spamd_t)
-+fs_getattr_all_fs(spamd_t)
-+fs_search_auto_mountpoints(spamd_t)
-+
-+auth_dontaudit_read_shadow(spamd_t)
-+
+-domain_use_interactive_fds(spamd_t)
+-
+-files_read_usr_files(spamd_t)
+-files_read_etc_runtime_files(spamd_t)
+-
+ fs_getattr_all_fs(spamd_t)
+ fs_search_auto_mountpoints(spamd_t)
+
+-auth_use_nsswitch(spamd_t)
+ auth_dontaudit_read_shadow(spamd_t)
+
+corecmd_exec_bin(spamd_t)
+
- domain_use_interactive_fds(spamd_t)
-
- files_read_usr_files(spamd_t)
- files_read_etc_runtime_files(spamd_t)
++domain_use_interactive_fds(spamd_t)
++
++files_read_etc_runtime_files(spamd_t)
+# /var/lib/spamassin
+files_read_var_lib_files(spamd_t)
++
+ init_dontaudit_rw_utmp(spamd_t)
--fs_getattr_all_fs(spamd_t)
--fs_search_auto_mountpoints(spamd_t)
-+init_dontaudit_rw_utmp(spamd_t)
-
- auth_use_nsswitch(spamd_t)
--auth_dontaudit_read_shadow(spamd_t)
--
--init_dontaudit_rw_utmp(spamd_t)
-
++auth_use_nsswitch(spamd_t)
++
libs_use_ld_so(spamd_t)
libs_use_shared_libs(spamd_t)
@@ -74032,7 +74165,7 @@ index 4faa7e0..18d0efc 100644
')
optional_policy(`
-@@ -421,21 +508,13 @@ optional_policy(`
+@@ -421,21 +505,13 @@ optional_policy(`
')
optional_policy(`
@@ -74056,7 +74189,7 @@ index 4faa7e0..18d0efc 100644
')
optional_policy(`
-@@ -443,8 +522,8 @@ optional_policy(`
+@@ -443,8 +519,8 @@ optional_policy(`
')
optional_policy(`
@@ -74066,7 +74199,7 @@ index 4faa7e0..18d0efc 100644
')
optional_policy(`
-@@ -455,7 +534,12 @@ optional_policy(`
+@@ -455,7 +531,12 @@ optional_policy(`
optional_policy(`
razor_domtrans(spamd_t)
razor_read_lib_files(spamd_t)
@@ -74080,7 +74213,7 @@ index 4faa7e0..18d0efc 100644
')
optional_policy(`
-@@ -463,9 +547,9 @@ optional_policy(`
+@@ -463,9 +544,9 @@ optional_policy(`
')
optional_policy(`
@@ -74091,7 +74224,7 @@ index 4faa7e0..18d0efc 100644
')
optional_policy(`
-@@ -474,32 +558,29 @@ optional_policy(`
+@@ -474,32 +555,29 @@ optional_policy(`
########################################
#
@@ -74131,7 +74264,12 @@ index 4faa7e0..18d0efc 100644
corecmd_exec_bin(spamd_update_t)
corecmd_exec_shell(spamd_update_t)
-@@ -513,20 +594,16 @@ files_read_usr_files(spamd_update_t)
+@@ -508,25 +586,20 @@ dev_read_urand(spamd_update_t)
+
+ domain_use_interactive_fds(spamd_update_t)
+
+-files_read_usr_files(spamd_update_t)
+
auth_use_nsswitch(spamd_update_t)
auth_dontaudit_read_shadow(spamd_update_t)
@@ -74158,10 +74296,18 @@ index 4faa7e0..18d0efc 100644
')
+
diff --git a/speedtouch.te b/speedtouch.te
-index 9025dbd..7e4c41f 100644
+index 9025dbd..388ce0a 100644
--- a/speedtouch.te
+++ b/speedtouch.te
-@@ -47,8 +47,6 @@ fs_search_auto_mountpoints(speedmgmt_t)
+@@ -39,16 +39,12 @@ dev_read_usbfs(speedmgmt_t)
+
+ domain_use_interactive_fds(speedmgmt_t)
+
+-files_read_etc_files(speedmgmt_t)
+-files_read_usr_files(speedmgmt_t)
+
+ fs_getattr_all_fs(speedmgmt_t)
+ fs_search_auto_mountpoints(speedmgmt_t)
logging_send_syslog_msg(speedmgmt_t)
@@ -74240,7 +74386,7 @@ index 5e1f053..e7820bc 100644
domain_system_change_exemption($1)
role_transition $2 squid_initrc_exec_t system_r;
diff --git a/squid.te b/squid.te
-index 221c560..b20a9d9 100644
+index 221c560..6ea61f9 100644
--- a/squid.te
+++ b/squid.te
@@ -29,7 +29,7 @@ type squid_cache_t;
@@ -74277,28 +74423,40 @@ index 221c560..b20a9d9 100644
########################################
#
# Local policy
-@@ -87,6 +93,10 @@ files_tmp_filetrans(squid_t, squid_tmp_t, { file dir })
- manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
- fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
+@@ -80,13 +86,13 @@ setattr_files_pattern(squid_t, squid_log_t, squid_log_t)
+ manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t)
+ logging_log_filetrans(squid_t, squid_log_t, { file dir })
-+manage_dirs_pattern(squid_t, squid_tmp_t, squid_tmp_t)
-+manage_files_pattern(squid_t, squid_tmp_t, squid_tmp_t)
-+files_tmp_filetrans(squid_t, squid_tmp_t, { file dir })
++manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
++fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
+
+ manage_dirs_pattern(squid_t, squid_tmp_t, squid_tmp_t)
+ manage_files_pattern(squid_t, squid_tmp_t, squid_tmp_t)
+ files_tmp_filetrans(squid_t, squid_tmp_t, { file dir })
+
+-manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
+-fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
+-
manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t)
files_pid_filetrans(squid_t, squid_var_run_t, file)
-@@ -96,7 +106,8 @@ kernel_read_kernel_sysctls(squid_t)
+@@ -96,7 +102,6 @@ kernel_read_kernel_sysctls(squid_t)
kernel_read_system_state(squid_t)
kernel_read_network_state(squid_t)
-corenet_all_recvfrom_unlabeled(squid_t)
-+files_dontaudit_getattr_boot_dirs(squid_t)
-+
corenet_all_recvfrom_netlabel(squid_t)
corenet_tcp_sendrecv_generic_if(squid_t)
corenet_udp_sendrecv_generic_if(squid_t)
-@@ -178,7 +189,6 @@ libs_exec_lib_files(squid_t)
+@@ -156,7 +161,6 @@ dev_read_urand(squid_t)
+ domain_use_interactive_fds(squid_t)
+
+ files_read_etc_runtime_files(squid_t)
+-files_read_usr_files(squid_t)
+ files_search_spool(squid_t)
+ files_dontaudit_getattr_tmp_dirs(squid_t)
+ files_getattr_home_dir(squid_t)
+@@ -178,7 +182,6 @@ libs_exec_lib_files(squid_t)
logging_send_syslog_msg(squid_t)
miscfiles_read_generic_certs(squid_t)
@@ -74306,7 +74464,7 @@ index 221c560..b20a9d9 100644
userdom_use_unpriv_users_fds(squid_t)
userdom_dontaudit_search_user_home_dirs(squid_t)
-@@ -200,6 +210,8 @@ tunable_policy(`squid_use_tproxy',`
+@@ -200,6 +203,8 @@ tunable_policy(`squid_use_tproxy',`
optional_policy(`
apache_content_template(squid)
@@ -74315,26 +74473,25 @@ index 221c560..b20a9d9 100644
corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
corenet_all_recvfrom_netlabel(httpd_squid_script_t)
corenet_tcp_sendrecv_generic_if(httpd_squid_script_t)
-@@ -209,18 +221,22 @@ optional_policy(`
+@@ -209,18 +214,18 @@ optional_policy(`
corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
corenet_tcp_sendrecv_http_cache_port(httpd_squid_script_t)
+- sysnet_dns_name_resolve(httpd_squid_script_t)
+ corenet_tcp_connect_squid_port(httpd_squid_script_t)
-+
- sysnet_dns_name_resolve(httpd_squid_script_t)
- squid_read_config(httpd_squid_script_t)
+-')
++ sysnet_dns_name_resolve(httpd_squid_script_t)
+
+-optional_policy(`
+- cron_system_entry(squid_t, squid_exec_t)
+ optional_policy(`
+ squid_read_config(httpd_squid_script_t)
+ ')
')
optional_policy(`
-- cron_system_entry(squid_t, squid_exec_t)
-+ mysql_stream_connect(squid_t)
- ')
-
- optional_policy(`
- kerberos_manage_host_rcache(squid_t)
- kerberos_tmp_filetrans_host_rcache(squid_t, file, "host_0")
+ kerberos_tmp_filetrans_host_rcache(squid_t, "host_0")
@@ -74342,7 +74499,7 @@ index 221c560..b20a9d9 100644
')
optional_policy(`
-@@ -238,3 +254,24 @@ optional_policy(`
+@@ -238,3 +243,24 @@ optional_policy(`
optional_policy(`
udev_read_db(squid_t)
')
@@ -74713,7 +74870,7 @@ index a240455..54c45f6 100644
- admin_pattern($1, sssd_log_t)
')
diff --git a/sssd.te b/sssd.te
-index 8b537aa..4253541 100644
+index 8b537aa..eaa7a83 100644
--- a/sssd.te
+++ b/sssd.te
@@ -1,4 +1,4 @@
@@ -74774,7 +74931,17 @@ index 8b537aa..4253541 100644
corecmd_exec_bin(sssd_t)
-@@ -94,14 +88,15 @@ selinux_validate_context(sssd_t)
+@@ -83,9 +77,7 @@ domain_read_all_domains_state(sssd_t)
+ domain_obj_id_change_exemption(sssd_t)
+
+ files_list_tmp(sssd_t)
+-files_read_etc_files(sssd_t)
+ files_read_etc_runtime_files(sssd_t)
+-files_read_usr_files(sssd_t)
+ files_list_var_lib(sssd_t)
+
+ fs_list_inotifyfs(sssd_t)
+@@ -94,14 +86,15 @@ selinux_validate_context(sssd_t)
seutil_read_file_contexts(sssd_t)
# sssd wants to write /etc/selinux//logins/ for SELinux PAM module
@@ -74792,7 +74959,7 @@ index 8b537aa..4253541 100644
auth_domtrans_chk_passwd(sssd_t)
auth_domtrans_upd_passwd(sssd_t)
auth_manage_cache(sssd_t)
-@@ -112,18 +107,30 @@ logging_send_syslog_msg(sssd_t)
+@@ -112,18 +105,30 @@ logging_send_syslog_msg(sssd_t)
logging_send_audit_msgs(sssd_t)
miscfiles_read_generic_certs(sssd_t)
@@ -74998,10 +75165,10 @@ index 0000000..80c6480
+')
diff --git a/stapserver.te b/stapserver.te
new file mode 100644
-index 0000000..b87c79c
+index 0000000..79eac2b
--- /dev/null
+++ b/stapserver.te
-@@ -0,0 +1,100 @@
+@@ -0,0 +1,99 @@
+policy_module(stapserver, 1.0.0)
+
+########################################
@@ -75065,7 +75232,6 @@ index 0000000..b87c79c
+dev_read_urand(stapserver_t)
+
+files_list_tmp(stapserver_t)
-+files_read_usr_files(stapserver_t)
+files_search_kernel_modules(stapserver_t)
+
+fs_search_cgroup_dirs(stapserver_t)
@@ -75348,7 +75514,7 @@ index c9824cb..1973f71 100644
userdom_dontaudit_use_unpriv_user_fds(sxid_t)
diff --git a/sysstat.te b/sysstat.te
-index c8b80b2..33023d7 100644
+index c8b80b2..c6580e4 100644
--- a/sysstat.te
+++ b/sysstat.te
@@ -38,6 +38,7 @@ kernel_read_kernel_sysctls(sysstat_t)
@@ -75368,16 +75534,12 @@ index c8b80b2..33023d7 100644
auth_use_nsswitch(sysstat_t)
-@@ -58,12 +59,13 @@ init_use_fds(sysstat_t)
+@@ -60,10 +61,9 @@ locallogin_use_fds(sysstat_t)
- locallogin_use_fds(sysstat_t)
-
--logging_send_syslog_msg(sysstat_t)
-+auth_use_nsswitch(sysstat_t)
+ logging_send_syslog_msg(sysstat_t)
-miscfiles_read_localization(sysstat_t)
-+logging_send_syslog_msg(sysstat_t)
-
+-
userdom_dontaudit_list_user_home_dirs(sysstat_t)
optional_policy(`
@@ -75560,7 +75722,7 @@ index 6c06a84..0000000
- rpm_exec(stapserver_t)
-')
diff --git a/tcpd.te b/tcpd.te
-index f388db3..92d5fe0 100644
+index f388db3..3c5c32e 100644
--- a/tcpd.te
+++ b/tcpd.te
@@ -23,7 +23,6 @@ manage_dirs_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
@@ -75571,7 +75733,12 @@ index f388db3..92d5fe0 100644
corenet_all_recvfrom_netlabel(tcpd_t)
corenet_tcp_sendrecv_generic_if(tcpd_t)
corenet_tcp_sendrecv_generic_node(tcpd_t)
-@@ -38,8 +37,6 @@ files_dontaudit_search_var(tcpd_t)
+@@ -33,13 +32,10 @@ fs_getattr_xattr_fs(tcpd_t)
+
+ corecmd_search_bin(tcpd_t)
+
+-files_read_etc_files(tcpd_t)
+ files_dontaudit_search_var(tcpd_t)
logging_send_syslog_msg(tcpd_t)
@@ -76061,7 +76228,7 @@ index 42946bc..95a9aa3 100644
+ can_exec($1, telepathy_executable)
')
diff --git a/telepathy.te b/telepathy.te
-index e9c0964..6cc7ecd 100644
+index e9c0964..6e84ad8 100644
--- a/telepathy.te
+++ b/telepathy.te
@@ -1,29 +1,28 @@
@@ -76104,7 +76271,7 @@ index e9c0964..6cc7ecd 100644
telepathy_domain_template(gabble)
-@@ -67,176 +66,146 @@ userdom_user_home_content(telepathy_sunshine_home_t)
+@@ -67,176 +66,145 @@ userdom_user_home_content(telepathy_sunshine_home_t)
#######################################
#
@@ -76158,10 +76325,10 @@ index e9c0964..6cc7ecd 100644
dev_read_rand(telepathy_gabble_t)
files_read_config_files(telepathy_gabble_t)
- files_read_usr_files(telepathy_gabble_t)
-
-+fs_getattr_all_fs(telepathy_gabble_t)
+-files_read_usr_files(telepathy_gabble_t)
+
++fs_getattr_all_fs(telepathy_gabble_t)
+
miscfiles_read_all_certs(telepathy_gabble_t)
tunable_policy(`telepathy_connect_all_ports',`
@@ -76330,7 +76497,7 @@ index e9c0964..6cc7ecd 100644
optional_policy(`
dbus_system_bus_client(telepathy_mission_control_t)
-@@ -245,59 +214,51 @@ optional_policy(`
+@@ -245,59 +213,51 @@ optional_policy(`
devicekit_dbus_chat_power(telepathy_mission_control_t)
')
optional_policy(`
@@ -76405,7 +76572,7 @@ index e9c0964..6cc7ecd 100644
init_read_state(telepathy_msn_t)
-@@ -307,18 +268,19 @@ logging_send_syslog_msg(telepathy_msn_t)
+@@ -307,18 +267,19 @@ logging_send_syslog_msg(telepathy_msn_t)
miscfiles_read_all_certs(telepathy_msn_t)
@@ -76430,7 +76597,7 @@ index e9c0964..6cc7ecd 100644
')
optional_policy(`
-@@ -329,43 +291,33 @@ optional_policy(`
+@@ -329,43 +290,33 @@ optional_policy(`
')
')
@@ -76479,7 +76646,7 @@ index e9c0964..6cc7ecd 100644
')
optional_policy(`
-@@ -378,73 +330,53 @@ optional_policy(`
+@@ -378,73 +329,53 @@ optional_policy(`
#######################################
#
@@ -76563,7 +76730,7 @@ index e9c0964..6cc7ecd 100644
optional_policy(`
xserver_read_xdm_pid(telepathy_sunshine_t)
xserver_stream_connect(telepathy_sunshine_t)
-@@ -452,31 +384,41 @@ optional_policy(`
+@@ -452,31 +383,39 @@ optional_policy(`
#######################################
#
@@ -76588,8 +76755,6 @@ index e9c0964..6cc7ecd 100644
dev_read_urand(telepathy_domain)
-kernel_read_system_state(telepathy_domain)
-+files_read_etc_files(telepathy_domain)
-+files_read_usr_files(telepathy_domain)
fs_getattr_all_fs(telepathy_domain)
fs_search_auto_mountpoints(telepathy_domain)
@@ -76614,7 +76779,7 @@ index e9c0964..6cc7ecd 100644
xserver_rw_xdm_pipes(telepathy_domain)
')
diff --git a/telnet.te b/telnet.te
-index 9f89916..6a317d0 100644
+index 9f89916..5f4c85e 100644
--- a/telnet.te
+++ b/telnet.te
@@ -26,13 +26,17 @@ files_pid_file(telnetd_var_run_t)
@@ -76652,13 +76817,7 @@ index 9f89916..6a317d0 100644
files_read_etc_runtime_files(telnetd_t)
files_search_home(telnetd_t)
-@@ -65,16 +67,18 @@ fs_getattr_xattr_fs(telnetd_t)
- auth_rw_login_records(telnetd_t)
- auth_use_nsswitch(telnetd_t)
-
-+corecmd_search_bin(telnetd_t)
-+
- init_rw_utmp(telnetd_t)
+@@ -69,12 +71,12 @@ init_rw_utmp(telnetd_t)
logging_send_syslog_msg(telnetd_t)
@@ -76673,7 +76832,7 @@ index 9f89916..6a317d0 100644
tunable_policy(`use_nfs_home_dirs',`
fs_search_nfs(telnetd_t)
-@@ -86,7 +90,7 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -86,7 +88,7 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
kerberos_keytab_template(telnetd, telnetd_t)
@@ -77222,10 +77381,10 @@ index 0000000..d000122
+')
diff --git a/thin.te b/thin.te
new file mode 100644
-index 0000000..2b878d8
+index 0000000..555b49e
--- /dev/null
+++ b/thin.te
-@@ -0,0 +1,110 @@
+@@ -0,0 +1,108 @@
+policy_module(thin, 1.0)
+
+########################################
@@ -77276,13 +77435,11 @@ index 0000000..2b878d8
+dev_read_rand(thin_domain)
+dev_read_urand(thin_domain)
+
-+files_read_etc_files(thin_domain)
+
+auth_read_passwd(thin_domain)
+
+miscfiles_read_certs(thin_domain)
+
-+files_read_usr_files(thin_domain)
+
+fs_search_auto_mountpoints(thin_domain)
+
@@ -77360,10 +77517,10 @@ index 0000000..059e12c
+/usr/lib/tumbler[^/]*/tumblerd -- gen_context(system_u:object_r:thumb_exec_t,s0)
diff --git a/thumb.if b/thumb.if
new file mode 100644
-index 0000000..9127cec
+index 0000000..4902155
--- /dev/null
+++ b/thumb.if
-@@ -0,0 +1,125 @@
+@@ -0,0 +1,128 @@
+
+## policy for thumb
+
@@ -77411,7 +77568,10 @@ index 0000000..9127cec
+ thumb_domtrans($1)
+ role $2 types thumb_t;
+
-+ allow $1 thumb_t:process signal;
++ allow $1 thumb_t:process signal_perms;
++
++ dontaudit thumb_t $1:dir list_dir_perms;
++ dontaudit thumb_t $1:file read_file_perms;
+')
+
+########################################
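Review bot: The two new `dontaudit thumb_t $1:dir list_dir_perms;` / `dontaudit thumb_t $1:file read_file_perms;` rules in `thumb_run` silence thumb_t's attempts to read the calling domain's objects — for a process type as target that is the caller's /proc/<pid> state — but nothing says which probe is being hushed. thumb_t is the domain that parses untrusted image data, so denials from it are exactly the signal you want after a thumbnailer exploit; a dontaudit on the parent's process state hides part of that. If the noise comes from a known, harmless access, name it above the rules, e.g. `# thumb_t tries to read the caller's /proc/<pid>; silence rather than allow`; if the source is not known, prefer leaving it audited. The widening from `signal` to `signal_perms` (sigkill/sigstop/signull as well) looks appropriate for a helper the user starts and may need to kill.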
@@ -77491,10 +77651,10 @@ index 0000000..9127cec
+')
diff --git a/thumb.te b/thumb.te
new file mode 100644
-index 0000000..0f9dcc7
+index 0000000..aab66c4
--- /dev/null
+++ b/thumb.te
-@@ -0,0 +1,130 @@
+@@ -0,0 +1,127 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -77558,8 +77718,6 @@ index 0000000..0f9dcc7
+
+kernel_read_system_state(thumb_t)
+
-+domain_use_interactive_fds(thumb_t)
-+
+corecmd_exec_bin(thumb_t)
+corecmd_exec_shell(thumb_t)
+
@@ -77570,7 +77728,6 @@ index 0000000..0f9dcc7
+
+domain_use_interactive_fds(thumb_t)
+
-+files_read_usr_files(thumb_t)
+files_read_non_security_files(thumb_t)
+
+fs_getattr_all_fs(thumb_t)
@@ -77626,7 +77783,7 @@ index 0000000..0f9dcc7
+ nscd_dontaudit_write_sock_file(thumb_t)
+')
diff --git a/thunderbird.te b/thunderbird.te
-index 4257ede..cddc4c6 100644
+index 4257ede..5b3949a 100644
--- a/thunderbird.te
+++ b/thunderbird.te
@@ -53,7 +53,6 @@ kernel_read_system_state(thunderbird_t)
@@ -77637,7 +77794,15 @@ index 4257ede..cddc4c6 100644
corenet_all_recvfrom_netlabel(thunderbird_t)
corenet_tcp_sendrecv_generic_if(thunderbird_t)
corenet_tcp_sendrecv_generic_node(thunderbird_t)
-@@ -98,7 +97,6 @@ fs_search_auto_mountpoints(thunderbird_t)
+@@ -82,7 +81,6 @@ dev_read_urand(thunderbird_t)
+ dev_dontaudit_search_sysfs(thunderbird_t)
+
+ files_list_tmp(thunderbird_t)
+-files_read_usr_files(thunderbird_t)
+ files_read_etc_runtime_files(thunderbird_t)
+ files_read_var_files(thunderbird_t)
+ files_read_var_symlinks(thunderbird_t)
+@@ -98,7 +96,6 @@ fs_search_auto_mountpoints(thunderbird_t)
auth_use_nsswitch(thunderbird_t)
miscfiles_read_fonts(thunderbird_t)
@@ -77645,7 +77810,7 @@ index 4257ede..cddc4c6 100644
userdom_write_user_tmp_sockets(thunderbird_t)
-@@ -113,17 +111,8 @@ xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t)
+@@ -113,17 +110,8 @@ xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t)
xserver_read_xdm_tmp_files(thunderbird_t)
xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t)
@@ -77666,7 +77831,7 @@ index 4257ede..cddc4c6 100644
ifndef(`enable_mls',`
fs_search_removable(thunderbird_t)
diff --git a/timidity.te b/timidity.te
-index 67ca5c5..4254563 100644
+index 67ca5c5..a1ef2d2 100644
--- a/timidity.te
+++ b/timidity.te
@@ -36,7 +36,6 @@ fs_tmpfs_filetrans(timidity_t, timidity_tmpfs_t, { dir file lnk_file sock_file f
@@ -77677,8 +77842,17 @@ index 67ca5c5..4254563 100644
corenet_all_recvfrom_netlabel(timidity_t)
corenet_tcp_sendrecv_generic_if(timidity_t)
corenet_udp_sendrecv_generic_if(timidity_t)
+@@ -51,8 +50,6 @@ dev_write_sound(timidity_t)
+
+ domain_use_interactive_fds(timidity_t)
+
+-files_read_etc_files(timidity_t)
+-files_read_usr_files(timidity_t)
+ files_search_tmp(timidity_t)
+
+ fs_search_auto_mountpoints(timidity_t)
diff --git a/tmpreaper.te b/tmpreaper.te
-index a4a949c..43988e5 100644
+index a4a949c..a0b1618 100644
--- a/tmpreaper.te
+++ b/tmpreaper.te
@@ -8,6 +8,7 @@ policy_module(tmpreaper, 1.6.3)
@@ -77689,11 +77863,10 @@ index a4a949c..43988e5 100644
########################################
#
-@@ -18,17 +19,25 @@ allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
+@@ -18,20 +19,25 @@ allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
kernel_list_unlabeled(tmpreaper_t)
kernel_read_system_state(tmpreaper_t)
-+kernel_list_unlabeled(tmpreaper_t)
+kernel_delete_unlabeled(tmpreaper_t)
dev_read_urand(tmpreaper_t)
@@ -77715,19 +77888,18 @@ index a4a949c..43988e5 100644
+files_getattr_all_dirs(tmpreaper_t)
+files_getattr_all_files(tmpreaper_t)
- mcs_file_read_all(tmpreaper_t)
- mcs_file_write_all(tmpreaper_t)
-@@ -39,14 +48,20 @@ auth_use_nsswitch(tmpreaper_t)
+-mcs_file_read_all(tmpreaper_t)
+-mcs_file_write_all(tmpreaper_t)
+ mls_file_read_all_levels(tmpreaper_t)
+ mls_file_write_all_levels(tmpreaper_t)
+
+@@ -39,14 +45,16 @@ auth_use_nsswitch(tmpreaper_t)
logging_send_syslog_msg(tmpreaper_t)
-miscfiles_read_localization(tmpreaper_t)
miscfiles_delete_man_pages(tmpreaper_t)
-+optional_policy(`
-+ cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
-+')
-+
ifdef(`distro_redhat',`
- userdom_list_all_user_home_content(tmpreaper_t)
+ userdom_list_user_home_content(tmpreaper_t)
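Review bot: Dropping `mcs_file_read_all(tmpreaper_t)` / `mcs_file_write_all(tmpreaper_t)` while keeping `mls_file_read_all_levels` / `mls_file_write_all_levels` leaves no record in tmpreaper.te of why the category bypass is still sufficient; presumably the MCS constraints were reworked elsewhere in this commit so that only mcs_constrained_type domains are constrained, but a reader of tmpreaper.te cannot see that. Since tmpreaper deletes /tmp content of every category and level (per-user, sandbox, svirt), a comment above the mls_* lines such as `# tmpreaper must reap /tmp content of every MCS category/MLS level; the *_all_levels exemptions cover MLS builds, MCS bypass needs no extra attribute for an unconstrained domain` would stop the next person from re-adding the mcs_* calls or dropping the mls_* ones. The other changes in this hunk (removing the duplicated `kernel_list_unlabeled` and `cron_system_entry` additions) look like de-duplication against the upstream block that the later `optional_policy(` context belongs to, though that block starts outside the hunk.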
@@ -77740,7 +77912,7 @@ index a4a949c..43988e5 100644
')
optional_policy(`
-@@ -54,6 +69,7 @@ optional_policy(`
+@@ -54,6 +62,7 @@ optional_policy(`
')
optional_policy(`
@@ -77748,7 +77920,7 @@ index a4a949c..43988e5 100644
apache_list_cache(tmpreaper_t)
apache_delete_cache_dirs(tmpreaper_t)
apache_delete_cache_files(tmpreaper_t)
-@@ -69,7 +85,15 @@ optional_policy(`
+@@ -69,7 +78,15 @@ optional_policy(`
')
optional_policy(`
@@ -78185,10 +78357,10 @@ index 0000000..9abef48
+')
diff --git a/tomcat.te b/tomcat.te
new file mode 100644
-index 0000000..0557ffc
+index 0000000..5a263b2
--- /dev/null
+++ b/tomcat.te
-@@ -0,0 +1,71 @@
+@@ -0,0 +1,69 @@
+policy_module(tomcat, 1.0.0)
+
+########################################
@@ -78250,8 +78422,6 @@ index 0000000..0557ffc
+fs_getattr_all_fs(tomcat_domain)
+fs_read_hugetlbfs_files(tomcat_domain)
+
-+files_read_etc_files(tomcat_domain)
-+files_read_usr_files(tomcat_domain)
+
+auth_read_passwd(tomcat_domain)
+
@@ -78343,7 +78513,7 @@ index 61c2e07..5e1df41 100644
+ ')
')
diff --git a/tor.te b/tor.te
-index 964a395..2a5bcc4 100644
+index 964a395..78962c4 100644
--- a/tor.te
+++ b/tor.te
@@ -13,6 +13,13 @@ policy_module(tor, 1.8.4)
@@ -78370,16 +78540,7 @@ index 964a395..2a5bcc4 100644
########################################
#
# Local policy
-@@ -68,6 +78,8 @@ files_pid_filetrans(tor_t, tor_var_run_t, { dir file sock_file })
- kernel_read_kernel_sysctls(tor_t)
- kernel_read_net_sysctls(tor_t)
- kernel_read_system_state(tor_t)
-+kernel_read_net_sysctls(tor_t)
-+kernel_read_kernel_sysctls(tor_t)
-
- corenet_all_recvfrom_unlabeled(tor_t)
- corenet_all_recvfrom_netlabel(tor_t)
-@@ -77,7 +89,6 @@ corenet_tcp_sendrecv_generic_node(tor_t)
+@@ -77,7 +87,6 @@ corenet_tcp_sendrecv_generic_node(tor_t)
corenet_udp_sendrecv_generic_node(tor_t)
corenet_tcp_bind_generic_node(tor_t)
corenet_udp_bind_generic_node(tor_t)
@@ -78387,12 +78548,7 @@ index 964a395..2a5bcc4 100644
corenet_sendrecv_dns_server_packets(tor_t)
corenet_udp_bind_dns_port(tor_t)
corenet_udp_sendrecv_dns_port(tor_t)
-@@ -94,23 +105,27 @@ corenet_tcp_sendrecv_all_reserved_ports(tor_t)
-
- dev_read_sysfs(tor_t)
- dev_read_urand(tor_t)
-+dev_read_sysfs(tor_t)
-
+@@ -98,19 +107,22 @@ dev_read_urand(tor_t)
domain_use_interactive_fds(tor_t)
files_read_etc_runtime_files(tor_t)
@@ -78419,7 +78575,7 @@ index 964a395..2a5bcc4 100644
seutil_sigchld_newrole(tor_t)
')
diff --git a/transproxy.te b/transproxy.te
-index 20d1a28..e90a7e8 100644
+index 20d1a28..494a46d 100644
--- a/transproxy.te
+++ b/transproxy.te
@@ -32,7 +32,6 @@ kernel_read_kernel_sysctls(transproxy_t)
@@ -78430,7 +78586,14 @@ index 20d1a28..e90a7e8 100644
corenet_all_recvfrom_netlabel(transproxy_t)
corenet_tcp_sendrecv_generic_if(transproxy_t)
corenet_tcp_sendrecv_generic_node(transproxy_t)
-@@ -53,8 +52,6 @@ fs_search_auto_mountpoints(transproxy_t)
+@@ -46,15 +45,12 @@ dev_read_sysfs(transproxy_t)
+
+ domain_use_interactive_fds(transproxy_t)
+
+-files_read_etc_files(transproxy_t)
+
+ fs_getattr_all_fs(transproxy_t)
+ fs_search_auto_mountpoints(transproxy_t)
logging_send_syslog_msg(transproxy_t)
@@ -78502,7 +78665,7 @@ index e29db63..061fb98 100644
domain_system_change_exemption($1)
role_transition $2 tuned_initrc_exec_t system_r;
diff --git a/tuned.te b/tuned.te
-index 7116181..5355bfc 100644
+index 7116181..cf4f528 100644
--- a/tuned.te
+++ b/tuned.te
@@ -31,8 +31,9 @@ files_pid_file(tuned_var_run_t)
@@ -78533,9 +78696,11 @@ index 7116181..5355bfc 100644
corecmd_exec_bin(tuned_t)
corecmd_exec_shell(tuned_t)
-@@ -69,26 +71,39 @@ dev_rw_netcontrol(tuned_t)
+@@ -67,28 +69,40 @@ dev_read_urand(tuned_t)
+ dev_rw_sysfs(tuned_t)
+ dev_rw_netcontrol(tuned_t)
- files_read_usr_files(tuned_t)
+-files_read_usr_files(tuned_t)
files_dontaudit_search_home(tuned_t)
-files_dontaudit_list_tmp(tuned_t)
+files_list_tmp(tuned_t)
@@ -78577,10 +78742,18 @@ index 7116181..5355bfc 100644
sysnet_domtrans_ifconfig(tuned_t)
')
diff --git a/tvtime.te b/tvtime.te
-index 3292fcc..fff4b4a 100644
+index 3292fcc..3cc43ed 100644
--- a/tvtime.te
+++ b/tvtime.te
-@@ -69,21 +69,12 @@ fs_search_auto_mountpoints(tvtime_t)
+@@ -61,7 +61,6 @@ dev_read_realtime_clock(tvtime_t)
+ dev_read_sound(tvtime_t)
+ dev_read_urand(tvtime_t)
+
+-files_read_usr_files(tvtime_t)
+
+ fs_getattr_all_fs(tvtime_t)
+ fs_search_auto_mountpoints(tvtime_t)
+@@ -69,21 +68,12 @@ fs_search_auto_mountpoints(tvtime_t)
auth_use_nsswitch(tvtime_t)
miscfiles_read_fonts(tvtime_t)
@@ -78623,6 +78796,26 @@ index aa6ae96..9f86987 100644
optional_policy(`
postfix_search_spool(tzdata_t)
+diff --git a/ucspitcp.te b/ucspitcp.te
+index 5e365c2..0fbc46e 100644
+--- a/ucspitcp.te
++++ b/ucspitcp.te
+@@ -33,7 +33,6 @@ corenet_udp_sendrecv_all_ports(rblsmtpd_t)
+ corenet_tcp_bind_generic_node(rblsmtpd_t)
+ corenet_udp_bind_generic_port(rblsmtpd_t)
+
+-files_read_etc_files(rblsmtpd_t)
+ files_search_var(rblsmtpd_t)
+
+ optional_policy(`
+@@ -82,7 +81,6 @@ corenet_udp_bind_dns_port(ucspitcp_t)
+ corenet_sendrecv_generic_server_packets(ucspitcp_t)
+ corenet_udp_bind_generic_port(ucspitcp_t)
+
+-files_read_etc_files(ucspitcp_t)
+ files_search_var(ucspitcp_t)
+
+ sysnet_read_config(ucspitcp_t)
diff --git a/ulogd.if b/ulogd.if
index 9b95c3e..a892845 100644
--- a/ulogd.if
@@ -78641,7 +78834,7 @@ index 9b95c3e..a892845 100644
init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/ulogd.te b/ulogd.te
-index c6acbbe..46f1120 100644
+index c6acbbe..bd23e7f 100644
--- a/ulogd.te
+++ b/ulogd.te
@@ -27,10 +27,12 @@ logging_log_file(ulogd_var_log_t)
@@ -78659,9 +78852,12 @@ index c6acbbe..46f1120 100644
read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t)
-@@ -45,7 +47,6 @@ logging_log_filetrans(ulogd_t, ulogd_var_log_t, file)
- files_read_etc_files(ulogd_t)
- files_read_usr_files(ulogd_t)
+@@ -42,10 +44,7 @@ create_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
+ setattr_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
+ logging_log_filetrans(ulogd_t, ulogd_var_log_t, file)
+
+-files_read_etc_files(ulogd_t)
+-files_read_usr_files(ulogd_t)
-miscfiles_read_localization(ulogd_t)
@@ -78681,7 +78877,7 @@ index ab5c1d0..d13105e 100644
allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_exec_t }:dir { manage_dir_perms relabel_dir_perms };
allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_tmpfs_t uml_exec_t }:file { manage_file_perms relabel_file_perms };
diff --git a/uml.te b/uml.te
-index dc03cc5..fa862cf 100644
+index dc03cc5..423afe4 100644
--- a/uml.te
+++ b/uml.te
@@ -90,7 +90,6 @@ kernel_write_proc_files(uml_t)
@@ -78707,7 +78903,18 @@ index dc03cc5..fa862cf 100644
userdom_attach_admin_tun_iface(uml_t)
tunable_policy(`use_nfs_home_dirs',`
-@@ -171,8 +176,6 @@ init_use_script_ptys(uml_switch_t)
+@@ -133,10 +138,6 @@ tunable_policy(`use_samba_home_dirs',`
+ ')
+
+ optional_policy(`
+- seutil_use_newrole_fds(uml_t)
+-')
+-
+-optional_policy(`
+ virt_attach_tun_iface(uml_t)
+ ')
+
+@@ -171,8 +172,6 @@ init_use_script_ptys(uml_switch_t)
logging_send_syslog_msg(uml_switch_t)
@@ -79284,7 +79491,7 @@ index cf118fd..3b93d32 100644
+ can_exec($1, consolehelper_exec_t)
')
diff --git a/userhelper.te b/userhelper.te
-index 274ed9c..1b381f0 100644
+index 274ed9c..23b8929 100644
--- a/userhelper.te
+++ b/userhelper.te
@@ -1,18 +1,15 @@
@@ -79309,7 +79516,7 @@ index 274ed9c..1b381f0 100644
type userhelper_exec_t;
application_executable_file(userhelper_exec_t)
-@@ -22,141 +19,68 @@ application_executable_file(consolehelper_exec_t)
+@@ -22,141 +19,67 @@ application_executable_file(consolehelper_exec_t)
########################################
#
@@ -79364,7 +79571,6 @@ index 274ed9c..1b381f0 100644
-term_list_ptys(consolehelper_type)
+files_read_config_files(consolehelper_domain)
-+files_read_usr_files(consolehelper_domain)
-auth_search_pam_console_data(consolehelper_type)
-auth_read_pam_pid(consolehelper_type)
@@ -79493,61 +79699,44 @@ index 274ed9c..1b381f0 100644
+ fs_search_cifs(consolehelper_domain)
')
diff --git a/usernetctl.if b/usernetctl.if
-index 7deec55..325bb57 100644
+index 7deec55..c542887 100644
--- a/usernetctl.if
+++ b/usernetctl.if
-@@ -39,9 +39,26 @@ interface(`usernetctl_domtrans',`
+@@ -39,6 +39,7 @@ interface(`usernetctl_domtrans',`
#
interface(`usernetctl_run',`
gen_require(`
-- attribute_role usernetctl_roles;
+ type usernetctl_t;
-+ #attribute_role usernetctl_roles;
+ attribute_role usernetctl_roles;
')
-- usernetctl_domtrans($1)
-- roleattribute $2 usernetctl_roles;
-+ #usernetctl_domtrans($1)
-+ #roleattribute $2 usernetctl_roles;
-+
-+ sysnet_run_ifconfig(usernetctl_t, $2)
-+ sysnet_run_dhcpc(usernetctl_t, $2)
-+
-+ optional_policy(`
-+ iptables_run(usernetctl_t, $2)
-+ ')
-+
-+ optional_policy(`
-+ modutils_run_insmod(usernetctl_t, $2)
-+ ')
-+
-+ optional_policy(`
-+ ppp_run(usernetctl_t, $2)
-+ ')
-+
- ')
diff --git a/usernetctl.te b/usernetctl.te
-index dd3f01e..a2229f7 100644
+index dd3f01e..465c661 100644
--- a/usernetctl.te
+++ b/usernetctl.te
-@@ -5,13 +5,14 @@ policy_module(usernetctl, 1.6.1)
- # Declarations
+@@ -6,12 +6,12 @@ policy_module(usernetctl, 1.6.1)
#
--attribute_role usernetctl_roles;
-+#attribute_role usernetctl_roles;
+ attribute_role usernetctl_roles;
++roleattribute system_r usernetctl_roles;
type usernetctl_t;
type usernetctl_exec_t;
application_domain(usernetctl_t, usernetctl_exec_t)
domain_interactive_fd(usernetctl_t)
-role usernetctl_roles types usernetctl_t;
-+#role usernetctl_roles types usernetctl_t;
-+role system_r types usernetctl_t;
########################################
#
-@@ -48,31 +49,36 @@ auth_use_nsswitch(usernetctl_t)
+@@ -40,7 +40,6 @@ files_exec_etc_files(usernetctl_t)
+ files_read_etc_runtime_files(usernetctl_t)
+ files_list_pids(usernetctl_t)
+ files_list_home(usernetctl_t)
+-files_read_usr_files(usernetctl_t)
+
+ fs_search_auto_mountpoints(usernetctl_t)
+
+@@ -48,18 +47,14 @@ auth_use_nsswitch(usernetctl_t)
logging_send_syslog_msg(usernetctl_t)
@@ -79555,48 +79744,30 @@ index dd3f01e..a2229f7 100644
-
seutil_read_config(usernetctl_t)
--sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)
--sysnet_run_dhcpc(usernetctl_t, usernetctl_roles)
+sysnet_read_config(usernetctl_t)
+
-+#sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)
-+#sysnet_run_dhcpc(usernetctl_t, usernetctl_roles)
+ sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)
+ sysnet_run_dhcpc(usernetctl_t, usernetctl_roles)
-userdom_use_user_terminals(usernetctl_t)
-+userdom_use_inherited_user_terminals(usernetctl_t)
-
- optional_policy(`
+-
+-optional_policy(`
- consoletype_run(usernetctl_t, usernetctl_roles)
-+# consoletype_run(usernetctl_t, usernetctl_roles)
-+ consoletype_exec(usernetctl_t)
- ')
+-')
++userdom_use_inherited_user_terminals(usernetctl_t)
optional_policy(`
hostname_exec(usernetctl_t)
+@@ -74,5 +69,9 @@ optional_policy(`
')
--optional_policy(`
-- iptables_run(usernetctl_t, usernetctl_roles)
--')
-+#optional_policy(`
-+# iptables_run(usernetctl_t, usernetctl_roles)
-+#')
-
--optional_policy(`
-- modutils_run_insmod(usernetctl_t, usernetctl_roles)
--')
-+#optional_policy(`
-+# modutils_run_insmod(usernetctl_t, usernetctl_roles)
-+#')
-
optional_policy(`
-- ppp_run(usernetctl_t, usernetctl_roles)
+ nis_use_ypbind(usernetctl_t)
- ')
++')
+
-+#optional_policy(`
-+# ppp_run(usernetctl_t, usernetctl_roles)
-+#')
++optional_policy(`
+ ppp_run(usernetctl_t, usernetctl_roles)
+ ')
diff --git a/uucp.if b/uucp.if
index af9acc0..0119768 100644
--- a/uucp.if
@@ -79622,7 +79793,7 @@ index af9acc0..0119768 100644
admin_pattern($1, uucpd_log_t)
diff --git a/uucp.te b/uucp.te
-index 380902c..3886551 100644
+index 380902c..75545d6 100644
--- a/uucp.te
+++ b/uucp.te
@@ -31,7 +31,7 @@ type uucpd_ro_t;
@@ -79664,13 +79835,23 @@ index 380902c..3886551 100644
optional_policy(`
cron_system_entry(uucpd_t, uucpd_exec_t)
-@@ -160,10 +164,17 @@ auth_use_nsswitch(uux_t)
+@@ -125,10 +129,6 @@ optional_policy(`
+ ')
+
+ optional_policy(`
+- mta_send_mail(uucpd_t)
+-')
+-
+-optional_policy(`
+ ssh_exec(uucpd_t)
+ ')
+
+@@ -160,10 +160,15 @@ auth_use_nsswitch(uux_t)
logging_search_logs(uux_t)
logging_send_syslog_msg(uux_t)
-miscfiles_read_localization(uux_t)
-+logging_send_syslog_msg(uux_t)
-
+-
optional_policy(`
mta_send_mail(uux_t)
mta_read_queue(uux_t)
@@ -79698,12 +79879,14 @@ index 6e48653..29e3648 100644
uuidd_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/uuidd.te b/uuidd.te
-index e670f55..43199ee 100644
+index e670f55..2b332c5 100644
--- a/uuidd.te
+++ b/uuidd.te
-@@ -44,4 +44,3 @@ domain_use_interactive_fds(uuidd_t)
+@@ -42,6 +42,4 @@ dev_read_urand(uuidd_t)
+
+ domain_use_interactive_fds(uuidd_t)
- files_read_etc_files(uuidd_t)
+-files_read_etc_files(uuidd_t)
-miscfiles_read_localization(uuidd_t)
diff --git a/uwimap.te b/uwimap.te
@@ -79774,7 +79957,7 @@ index 1c35171..2cba4df 100644
domain_system_change_exemption($1)
role_transition $2 varnishd_initrc_exec_t system_r;
diff --git a/varnishd.te b/varnishd.te
-index 9d4d8cb..cd79417 100644
+index 9d4d8cb..f50c3ff 100644
--- a/varnishd.te
+++ b/varnishd.te
@@ -21,7 +21,7 @@ type varnishd_initrc_exec_t;
@@ -79804,7 +79987,15 @@ index 9d4d8cb..cd79417 100644
allow varnishd_t self:fifo_file rw_fifo_file_perms;
allow varnishd_t self:tcp_socket { accept listen };
-@@ -111,7 +111,7 @@ auth_use_nsswitch(varnishd_t)
+@@ -103,7 +103,6 @@ corenet_tcp_sendrecv_varnishd_port(varnishd_t)
+
+ dev_read_urand(varnishd_t)
+
+-files_read_usr_files(varnishd_t)
+
+ fs_getattr_all_fs(varnishd_t)
+
+@@ -111,7 +110,7 @@ auth_use_nsswitch(varnishd_t)
logging_send_syslog_msg(varnishd_t)
@@ -79936,7 +80127,7 @@ index 31c752e..e9c041d 100644
init_labeled_script_domtrans($1, vdagentd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/vdagent.te b/vdagent.te
-index 77be35a..f9c0665 100644
+index 77be35a..4abe2aa 100644
--- a/vdagent.te
+++ b/vdagent.te
@@ -25,6 +25,7 @@ logging_log_file(vdagent_log_t)
@@ -79947,18 +80138,20 @@ index 77be35a..f9c0665 100644
allow vdagent_t self:fifo_file rw_fifo_file_perms;
allow vdagent_t self:unix_stream_socket { accept listen };
-@@ -47,9 +48,14 @@ files_read_etc_files(vdagent_t)
+@@ -43,13 +44,15 @@ dev_rw_input_dev(vdagent_t)
+ dev_read_sysfs(vdagent_t)
+ dev_dontaudit_write_mtrr(vdagent_t)
+
+-files_read_etc_files(vdagent_t)
init_read_state(vdagent_t)
-logging_send_syslog_msg(vdagent_t)
+systemd_read_logind_sessions_files(vdagent_t)
+systemd_login_read_pid_files(vdagent_t)
-+
-+term_use_virtio_console(vdagent_t)
-miscfiles_read_localization(vdagent_t)
-+userdom_read_all_users_state(vdagent_t)
++term_use_virtio_console(vdagent_t)
+
+logging_send_syslog_msg(vdagent_t)
@@ -80135,7 +80328,7 @@ index c30da4c..014e40c 100644
+/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
+/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index 9dec06c..347f807 100644
+index 9dec06c..d8a2b54 100644
--- a/virt.if
+++ b/virt.if
@@ -1,120 +1,51 @@
@@ -81113,7 +81306,7 @@ index 9dec06c..347f807 100644
##
##
##
-@@ -860,94 +603,205 @@ interface(`virt_read_lib_files',`
+@@ -860,115 +603,223 @@ interface(`virt_read_lib_files',`
##
##
#
@@ -81144,6 +81337,9 @@ index 9dec06c..347f807 100644
##
##
-##
+-##
+-## The type of the object to be created.
+-##
+#
+interface(`virt_manage_images',`
+ gen_require(`
@@ -81168,7 +81364,8 @@ index 9dec06c..347f807 100644
+##
+## Domain allowed access.
+##
-+##
+ ##
+-##
+#
+interface(`virt_manage_default_image_type',`
+ gen_require(`
@@ -81188,11 +81385,11 @@ index 9dec06c..347f807 100644
+##
+##
##
--## The type of the object to be created.
+-## The object class of the object being created.
+## Domain allowed to transition.
##
##
--##
+-##
+#
+interface(`virt_systemctl',`
+ gen_require(`
@@ -81209,37 +81406,58 @@ index 9dec06c..347f807 100644
+
+########################################
+##
-+## All of the rules required to administrate
-+## an virt environment
++## Ptrace the svirt domain
+##
+##
##
--## The object class of the object being created.
-+## Domain allowed access.
- ##
- ##
--##
-+##
- ##
-## The name of the object being created.
-+## Role allowed access.
++## Domain allowed to transition.
##
##
-##
-+##
#
-interface(`virt_pid_filetrans',`
-+interface(`virt_admin',`
++interface(`virt_ptrace',`
gen_require(`
- type virt_var_run_t;
++ attribute virt_domain;
+ ')
+
+- files_search_pids($1)
+- filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
++ allow $1 virt_domain:process ptrace;
+ ')
+
+ ########################################
+ ##
+-## Read virt log files.
++## All of the rules required to administrate
++## an virt environment
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
++##
++##
++## Role allowed access.
++##
++##
+ ##
+ #
+-interface(`virt_read_log',`
++interface(`virt_admin',`
+ gen_require(`
+- type virt_log_t;
+ type virtd_t, virtd_initrc_exec_t;
+ attribute virt_domain;
+ type virt_lxc_t;
+ type virtd_unit_file_t;
')
-- files_search_pids($1)
-- filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
+- logging_search_logs($1)
+- read_files_pattern($1, virt_log_t, virt_log_t)
+ allow $1 virtd_t:process signal_perms;
+ ps_process_pattern($1, virtd_t)
+ tunable_policy(`deny_ptrace',`',`
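Review bot: `virt_ptrace` grants `allow $1 virt_domain:process ptrace;` unconditionally, while `virt_admin` at the bottom of this same hunk gates its ptrace of virtd_t behind `tunable_policy(`deny_ptrace',`',` …`')`. ptrace on virt_domain is read access to the memory of every guest and container on the host, so the new interface should use the same deny_ptrace wrapper around its single allow rule; as written, any module that calls virt_ptrace quietly defeats the deny_ptrace boolean for svirt domains. The interface also deserves a doc line saying that, e.g. `## Ptrace the svirt domains (subject to the deny_ptrace boolean).` virt_admin's body continues past the end of this hunk.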
@@ -81272,7 +81490,7 @@ index 9dec06c..347f807 100644
########################################
##
--## Read virt log files.
+-## Append virt log files.
+## Execute qemu in the svirt domain, and
+## allow the specified role the svirt domain.
##
@@ -81287,9 +81505,9 @@ index 9dec06c..347f807 100644
+## The role to be allowed the sandbox domain.
##
##
- ##
++##
#
--interface(`virt_read_log',`
+-interface(`virt_append_log',`
+interface(`virt_transition_svirt',`
gen_require(`
- type virt_log_t;
@@ -81300,7 +81518,7 @@ index 9dec06c..347f807 100644
')
- logging_search_logs($1)
-- read_files_pattern($1, virt_log_t, virt_log_t)
+- append_files_pattern($1, virt_log_t, virt_log_t)
+ allow $1 virt_domain:process transition;
+ role $2 types virt_domain;
+ role $2 types virt_bridgehelper_t;
@@ -81319,7 +81537,8 @@ index 9dec06c..347f807 100644
########################################
##
--## Append virt log files.
+-## Create, read, write, and delete
+-## virt log files.
+## Do not audit attempts to write virt daemon unnamed pipes.
##
##
@@ -81329,7 +81548,7 @@ index 9dec06c..347f807 100644
##
##
#
--interface(`virt_append_log',`
+-interface(`virt_manage_log',`
+interface(`virt_dontaudit_write_pipes',`
gen_require(`
- type virt_log_t;
@@ -81337,41 +81556,17 @@ index 9dec06c..347f807 100644
')
- logging_search_logs($1)
-- append_files_pattern($1, virt_log_t, virt_log_t)
-+ dontaudit $1 virtd_t:fd use;
-+ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
- ')
-
- ########################################
- ##
--## Create, read, write, and delete
--## virt log files.
-+## Send a sigkill to virtual machines
- ##
- ##
- ##
-@@ -955,20 +809,17 @@ interface(`virt_append_log',`
- ##
- ##
- #
--interface(`virt_manage_log',`
-+interface(`virt_kill_svirt',`
- gen_require(`
-- type virt_log_t;
-+ attribute virt_domain;
- ')
-
-- logging_search_logs($1)
- manage_dirs_pattern($1, virt_log_t, virt_log_t)
- manage_files_pattern($1, virt_log_t, virt_log_t)
- manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
-+ allow $1 virt_domain:process sigkill;
++ dontaudit $1 virtd_t:fd use;
++ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
')
########################################
##
-## Search virt image directories.
-+## Send a signal to virtual machines
++## Send a sigkill to virtual machines
##
##
##
@@ -81380,7 +81575,7 @@ index 9dec06c..347f807 100644
##
#
-interface(`virt_search_images',`
-+interface(`virt_signal_svirt',`
++interface(`virt_kill_svirt',`
gen_require(`
- attribute virt_image_type;
+ attribute virt_domain;
@@ -81388,56 +81583,39 @@ index 9dec06c..347f807 100644
- virt_search_lib($1)
- allow $1 virt_image_type:dir search_dir_perms;
-+ allow $1 virt_domain:process signal;
++ allow $1 virt_domain:process sigkill;
')
########################################
##
-## Read virt image files.
-+## Manage virt home files.
++## Send a signal to virtual machines
##
##
##
-@@ -995,57 +845,57 @@ interface(`virt_search_images',`
+@@ -995,36 +845,17 @@ interface(`virt_search_images',`
##
##
#
-interface(`virt_read_images',`
-+interface(`virt_manage_home_files',`
++interface(`virt_signal_svirt',`
gen_require(`
- type virt_var_lib_t;
- attribute virt_image_type;
-+ type virt_home_t;
- ')
-
+- ')
+-
- virt_search_lib($1)
- allow $1 virt_image_type:dir list_dir_perms;
- list_dirs_pattern($1, virt_image_type, virt_image_type)
- read_files_pattern($1, virt_image_type, virt_image_type)
- read_lnk_files_pattern($1, virt_image_type, virt_image_type)
- read_blk_files_pattern($1, virt_image_type, virt_image_type)
-+ userdom_search_user_home_dirs($1)
-+ manage_files_pattern($1, virt_home_t, virt_home_t)
-+')
-
+-
- tunable_policy(`virt_use_nfs',`
- fs_list_nfs($1)
- fs_read_nfs_files($1)
- fs_read_nfs_symlinks($1)
-+########################################
-+##
-+## allow domain to read
-+## virt tmpfs files
-+##
-+##
-+##
-+## Domain allowed access
-+##
-+##
-+#
-+interface(`virt_read_tmpfs_files',`
-+ gen_require(`
-+ attribute virt_tmpfs_type;
++ attribute virt_domain;
')
- tunable_policy(`virt_use_samba',`
@@ -81445,117 +81623,108 @@ index 9dec06c..347f807 100644
- fs_read_cifs_files($1)
- fs_read_cifs_symlinks($1)
- ')
-+ allow $1 virt_tmpfs_type:file read_file_perms;
++ allow $1 virt_domain:process signal;
')
########################################
##
-## Read and write all virt image
-## character files.
-+## allow domain to manage
-+## virt tmpfs files
++## Manage virt home files.
##
##
##
--## Domain allowed access.
-+## Domain allowed access
+@@ -1032,58 +863,57 @@ interface(`virt_read_images',`
##
##
#
-interface(`virt_rw_all_image_chr_files',`
-+interface(`virt_manage_tmpfs_files',`
++interface(`virt_manage_home_files',`
gen_require(`
- attribute virt_image_type;
-+ attribute virt_tmpfs_type;
++ type virt_home_t;
')
- virt_search_lib($1)
- allow $1 virt_image_type:dir list_dir_perms;
- rw_chr_files_pattern($1, virt_image_type, virt_image_type)
-+ allow $1 virt_tmpfs_type:file manage_file_perms;
++ userdom_search_user_home_dirs($1)
++ manage_files_pattern($1, virt_home_t, virt_home_t)
')
########################################
##
-## Create, read, write, and delete
-## svirt cache files.
-+## Create .virt directory in the user home directory
-+## with an correct label.
++## allow domain to read
++## virt tmpfs files
##
##
##
-@@ -1053,15 +903,27 @@ interface(`virt_rw_all_image_chr_files',`
+-## Domain allowed access.
++## Domain allowed access
##
##
#
-interface(`virt_manage_svirt_cache',`
- refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.')
- virt_manage_virt_cache($1)
-+interface(`virt_filetrans_home_content',`
++interface(`virt_read_tmpfs_files',`
+ gen_require(`
-+ type virt_home_t;
-+ type svirt_home_t;
++ attribute virt_tmpfs_type;
+ ')
+
-+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
-+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
-+ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
-+
-+ optional_policy(`
-+ gnome_config_filetrans($1, virt_home_t, dir, "libvirt")
-+ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt")
-+ gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes")
-+ gnome_data_filetrans($1, svirt_home_t, dir, "images")
-+ ')
++ allow $1 virt_tmpfs_type:file read_file_perms;
')
########################################
##
-## Create, read, write, and delete
-## virt cache content.
-+## Dontaudit attempts to Read virt_image_type devices.
++## allow domain to manage
++## virt tmpfs files
##
##
##
-@@ -1069,117 +931,103 @@ interface(`virt_manage_svirt_cache',`
+-## Domain allowed access.
++## Domain allowed access
##
##
#
-interface(`virt_manage_virt_cache',`
-+interface(`virt_dontaudit_read_chr_dev',`
++interface(`virt_manage_tmpfs_files',`
gen_require(`
- type virt_cache_t;
-+ attribute virt_image_type;
++ attribute virt_tmpfs_type;
')
- files_search_var($1)
- manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
- manage_files_pattern($1, virt_cache_t, virt_cache_t)
- manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
-+ dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
++ allow $1 virt_tmpfs_type:file manage_file_perms;
')
########################################
##
-## Create, read, write, and delete
-## virt image files.
-+## Creates types and rules for a basic
-+## virt_lxc process domain.
++## Create .virt directory in the user home directory
++## with an correct label.
##
--##
-+##
+ ##
##
--## Domain allowed access.
-+## Prefix for the domain.
+@@ -1091,95 +921,131 @@ interface(`virt_manage_virt_cache',`
##
##
#
-interface(`virt_manage_images',`
-+template(`virt_lxc_domain_template',`
++interface(`virt_filetrans_home_content',`
gen_require(`
- type virt_var_lib_t;
- attribute virt_image_type;
-+ attribute svirt_lxc_domain;
++ type virt_home_t;
++ type svirt_home_t;
')
- virt_search_lib($1)
@@ -81564,86 +81733,64 @@ index 9dec06c..347f807 100644
- manage_files_pattern($1, virt_image_type, virt_image_type)
- read_lnk_files_pattern($1, virt_image_type, virt_image_type)
- rw_blk_files_pattern($1, virt_image_type, virt_image_type)
-+ type $1_t, svirt_lxc_domain;
-+ domain_type($1_t)
-+ domain_user_exemption_target($1_t)
-+ mls_rangetrans_target($1_t)
-+ mcs_constrained($1_t)
-+ role system_r types $1_t;
++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
++ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
- tunable_policy(`virt_use_nfs',`
- fs_manage_nfs_dirs($1)
- fs_manage_nfs_files($1)
- fs_read_nfs_symlinks($1)
-+ kernel_read_system_state($1_t)
-+')
-+
-+########################################
-+##
-+## Execute a qemu_exec_t in the callers domain
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`virt_exec_qemu',`
-+ gen_require(`
-+ type qemu_exec_t;
- ')
-
+- ')
+-
- tunable_policy(`virt_use_samba',`
- fs_manage_cifs_files($1)
- fs_manage_cifs_files($1)
- fs_read_cifs_symlinks($1)
-+ can_exec($1, qemu_exec_t)
-+')
-+
-+########################################
-+##
-+## Transition to virt named content
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`virt_filetrans_named_content',`
-+ gen_require(`
-+ type virt_lxc_var_run_t;
-+ type virt_var_run_t;
++ optional_policy(`
++ gnome_config_filetrans($1, virt_home_t, dir, "libvirt")
++ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt")
++ gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes")
++ gnome_data_filetrans($1, svirt_home_t, dir, "images")
')
-+
-+ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
-+ files_pid_filetrans($1, virt_var_run_t, dir, "libvirt")
-+ files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs")
')
########################################
##
-## All of the rules required to
-## administrate an virt environment.
-+## Execute qemu in the svirt domain, and
-+## allow the specified role the svirt domain.
++## Dontaudit attempts to Read virt_image_type devices.
##
##
##
--## Domain allowed access.
-+## Domain allowed access
+ ## Domain allowed access.
##
##
- ##
+-##
++#
++interface(`virt_dontaudit_read_chr_dev',`
++ gen_require(`
++ attribute virt_image_type;
++ ')
++
++ dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
++')
++
++########################################
++##
++## Creates types and rules for a basic
++## virt_lxc process domain.
++##
++##
##
-## Role allowed access.
-+## The role to be allowed the sandbox domain.
++## Prefix for the domain.
##
##
- ##
+-##
#
-interface(`virt_admin',`
-+interface(`virt_transition_svirt_lxc',`
++template(`virt_lxc_domain_template',`
gen_require(`
- attribute virt_domain, virt_image_type, virt_tmpfs_type;
- attribute virt_ptynode, svirt_lxc_domain, virt_tmp_type;
@@ -81668,36 +81815,100 @@ index 9dec06c..347f807 100644
-
- fs_search_tmpfs($1)
- admin_pattern($1, virt_tmpfs_type)
--
++ type $1_t, svirt_lxc_domain;
++ domain_type($1_t)
++ domain_user_exemption_target($1_t)
++ mls_rangetrans_target($1_t)
++ mcs_constrained($1_t)
++ role system_r types $1_t;
+
- files_search_tmp($1)
- admin_pattern($1, { virt_tmp_type virt_tmp_t })
--
++ kernel_read_system_state($1_t)
++')
+
- files_search_etc($1)
- admin_pattern($1, { virt_etc_t virt_etc_rw_t })
--
++########################################
++##
++## Execute a qemu_exec_t in the callers domain
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`virt_exec_qemu',`
++ gen_require(`
++ type qemu_exec_t;
++ ')
+
- logging_search_logs($1)
- admin_pattern($1, virt_log_t)
--
++ can_exec($1, qemu_exec_t)
++')
+
- files_search_pids($1)
- admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t })
--
++########################################
++##
++## Transition to virt named content
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`virt_filetrans_named_content',`
++ gen_require(`
++ type virt_lxc_var_run_t;
++ type virt_var_run_t;
++ ')
+
- files_search_var($1)
- admin_pattern($1, svirt_cache_t)
--
++ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
++ files_pid_filetrans($1, virt_var_run_t, dir, "libvirt")
++ files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs")
++')
+
- files_search_var_lib($1)
- admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t })
-+ allow $1 svirt_lxc_domain:process transition;
-+ role $2 types svirt_lxc_domain;
++########################################
++##
++## Execute qemu in the svirt domain, and
++## allow the specified role the svirt domain.
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++##
++## The role to be allowed the sandbox domain.
++##
++##
++##
++#
++interface(`virt_transition_svirt_lxc',`
++ gen_require(`
++ attribute svirt_lxc_domain;
++ ')
- files_search_locks($1)
- admin_pattern($1, virt_lock_t)
--
++ allow $1 svirt_lxc_domain:process transition;
++ role $2 types svirt_lxc_domain;
+
- dev_list_all_dev_nodes($1)
- allow $1 virt_ptynode:chr_file rw_term_perms;
+ allow svirt_lxc_domain $1:process sigchld;
')
diff --git a/virt.te b/virt.te
-index 1f22fba..e096fc5 100644
+index 1f22fba..eaf5bf9 100644
--- a/virt.te
+++ b/virt.te
@@ -1,94 +1,105 @@
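Review bot: The description of the new `virt_lxc_domain_template` says only `## Creates types and rules for a basic virt_lxc process domain.` while the body makes `$1_t` `mcs_constrained`, an `mls_rangetrans_target`, a `domain_user_exemption_target` and binds it to `system_r` alone, which is exactly what a caller choosing this template needs to know; add a line such as `## The created domain is MCS-constrained, a valid MLS range-transition target, and reachable only from system_r.` to the template's doc block. In the visible lines `type $1_t, svirt_lxc_domain;` follows the context line `gen_require(`` with no closing `')` in between, so either the rendering dropped lines or the type declaration sits inside the require block — worth confirming against the patched file. Further down, `virt_transition_svirt_lxc` is summarised as `## Execute qemu in the svirt domain` although its rules (`allow $1 svirt_lxc_domain:process transition;`, `role $2 types svirt_lxc_domain;`) concern every type carrying `svirt_lxc_domain`, not qemu; reword the summary to `## Allow transition into all svirt_lxc sandbox domains and grant them to the role.`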
@@ -81815,14 +82026,14 @@ index 1f22fba..e096fc5 100644
+##
##
-gen_tunable(virt_use_xserver, false)
-+gen_tunable(virt_use_rawip, false)
-
+-
-attribute virt_ptynode;
-attribute virt_domain;
-attribute virt_image_type;
-attribute virt_tmp_type;
-attribute virt_tmpfs_type;
--
++gen_tunable(virt_use_rawip, false)
+
-attribute svirt_lxc_domain;
+##
+##
@@ -82064,9 +82275,7 @@ index 1f22fba..e096fc5 100644
-
-miscfiles_read_localization(virt_domain)
-miscfiles_read_public_files(virt_domain)
-+# it was a part of auth_use_nsswitch
-+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
-
+-
-sysnet_read_config(virt_domain)
-
-userdom_search_user_home_dirs(virt_domain)
@@ -82126,7 +82335,9 @@ index 1f22fba..e096fc5 100644
- xserver_stream_connect(virt_domain)
- ')
-')
--
++# it was a part of auth_use_nsswitch
++allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
+
-optional_policy(`
- dbus_read_lib_files(virt_domain)
-')
@@ -82170,7 +82381,9 @@ index 1f22fba..e096fc5 100644
-manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
-manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
-manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
--
++allow svirt_tcg_t self:process { execmem execstack };
++allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
+
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
-
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
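Review bot: The relocated `allow svirt_tcg_t self:process { execmem execstack };` still carries no comment explaining why the TCG guest domain needs executable anonymous memory and an executable stack, and the next hunk removes the same two lines from their old position, so this is the only place the permission is visible. Because `execmem`/`execstack` disable the W^X protection for the domain, a one-line justification above it, presumably `# TCG generates guest code at runtime and needs executable anonymous memory (confirm)`, would stop a later cleanup from dropping or widening it by accident. The comment `# it was a part of auth_use_nsswitch` moved for `svirt_t` in the two earlier hunks would also read better as `# formerly granted via auth_use_nsswitch`.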
@@ -82194,9 +82407,7 @@ index 1f22fba..e096fc5 100644
-corenet_sendrecv_all_server_packets(svirt_t)
-corenet_udp_bind_all_ports(svirt_t)
-corenet_tcp_bind_all_ports(svirt_t)
-+allow svirt_tcg_t self:process { execmem execstack };
-+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
-
+-
-corenet_sendrecv_all_client_packets(svirt_t)
-corenet_tcp_connect_all_ports(svirt_t)
+corenet_udp_sendrecv_generic_if(svirt_tcg_t)
@@ -82326,13 +82537,13 @@ index 1f22fba..e096fc5 100644
-
-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+-
+-can_exec(virtd_t, virt_tmp_t)
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
--can_exec(virtd_t, virt_tmp_t)
--
-kernel_read_crypto_sysctls(virtd_t)
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
@@ -82361,17 +82572,15 @@ index 1f22fba..e096fc5 100644
corenet_rw_tun_tap_dev(virtd_t)
dev_rw_sysfs(virtd_t)
-@@ -548,22 +370,25 @@ dev_rw_vhost(virtd_t)
+@@ -548,22 +370,22 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
+# Init script handling
domain_use_interactive_fds(virtd_t)
domain_read_all_domains_state(virtd_t)
-+domain_read_all_domains_state(virtd_t)
- files_read_usr_files(virtd_t)
-+files_read_usr_files(virtd_t)
+-files_read_usr_files(virtd_t)
files_read_etc_runtime_files(virtd_t)
files_search_all(virtd_t)
files_read_kernel_modules(virtd_t)
@@ -82391,7 +82600,7 @@ index 1f22fba..e096fc5 100644
fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
-@@ -594,15 +419,18 @@ term_use_ptmx(virtd_t)
+@@ -594,15 +416,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -82411,7 +82620,7 @@ index 1f22fba..e096fc5 100644
selinux_validate_context(virtd_t)
-@@ -613,18 +441,24 @@ seutil_read_file_contexts(virtd_t)
+@@ -613,18 +438,24 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
@@ -82446,7 +82655,7 @@ index 1f22fba..e096fc5 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -633,7 +467,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -633,7 +464,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@@ -82455,7 +82664,7 @@ index 1f22fba..e096fc5 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -646,107 +480,330 @@ optional_policy(`
+@@ -646,107 +477,330 @@ optional_policy(`
consoletype_exec(virtd_t)
')
@@ -82658,7 +82867,6 @@ index 1f22fba..e096fc5 100644
- avahi_dbus_chat(virtd_t)
- ')
+files_read_mnt_symlinks(virt_domain)
-+files_read_usr_files(virt_domain)
+files_read_var_files(virt_domain)
+files_search_all(virt_domain)
@@ -82779,6 +82987,7 @@ index 1f22fba..e096fc5 100644
+')
+
+tunable_policy(`virt_use_sysfs',`
++ allow svirt_t self:capability2 compromise_kernel;
+ dev_rw_sysfs(virt_domain)
+')
+
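Review bot: The new `allow svirt_t self:capability2 compromise_kernel;` inside `tunable_policy(`virt_use_sysfs',` hands the confined guest domain a kernel-compromise capability as a silent side effect of a tunable whose visible purpose is `dev_rw_sysfs(virt_domain)`, and nothing in the hunk records why sysfs access from a guest needs it. The two rules are not even aligned — the capability goes to `svirt_t` only while the sysfs access goes to all of `virt_domain` — so the intent is unclear from the policy alone. Add a comment above the rule such as `# presumably the kernel gates these sysfs writes on CAP_COMPROMISE_KERNEL; confirm and record the exact access that needs it`, and make sure the tunable's `<desc>` text (outside this hunk) warns that enabling `virt_use_sysfs` also grants this capability. If the access turns out to be optional, a `dontaudit` of the capability is the safer way to silence the denial.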
@@ -82843,7 +83052,7 @@ index 1f22fba..e096fc5 100644
manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
-@@ -758,23 +815,14 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -758,23 +812,14 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -82852,15 +83061,15 @@ index 1f22fba..e096fc5 100644
-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
--
--dontaudit virsh_t virt_var_lib_t:file read_file_perms;
+manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
+virt_filetrans_named_content(virsh_t)
--allow virsh_t svirt_lxc_domain:process transition;
+-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
+dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms;
+-allow virsh_t svirt_lxc_domain:process transition;
+-
-can_exec(virsh_t, virsh_exec_t)
-
-virt_domtrans(virsh_t)
@@ -82872,7 +83081,7 @@ index 1f22fba..e096fc5 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -785,15 +833,9 @@ kernel_write_xen_state(virsh_t)
+@@ -785,25 +830,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -82888,15 +83097,18 @@ index 1f22fba..e096fc5 100644
dev_read_rand(virsh_t)
dev_read_urand(virsh_t)
-@@ -804,6 +846,7 @@ files_read_etc_files(virsh_t)
- files_read_usr_files(virsh_t)
+ dev_read_sysfs(virsh_t)
+
+ files_read_etc_runtime_files(virsh_t)
+-files_read_etc_files(virsh_t)
+-files_read_usr_files(virsh_t)
files_list_mnt(virsh_t)
files_list_tmp(virsh_t)
+# Some common macros (you might be able to remove some)
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -812,24 +855,21 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -812,24 +850,21 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -82927,7 +83139,7 @@ index 1f22fba..e096fc5 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
fs_manage_nfs_files(virsh_t)
-@@ -847,6 +887,10 @@ optional_policy(`
+@@ -847,6 +882,10 @@ optional_policy(`
')
optional_policy(`
@@ -82938,7 +83150,7 @@ index 1f22fba..e096fc5 100644
rpm_exec(virsh_t)
')
-@@ -854,7 +898,7 @@ optional_policy(`
+@@ -854,7 +893,7 @@ optional_policy(`
xen_manage_image_dirs(virsh_t)
xen_append_log(virsh_t)
xen_domtrans(virsh_t)
@@ -82947,7 +83159,7 @@ index 1f22fba..e096fc5 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -879,34 +923,39 @@ optional_policy(`
+@@ -879,34 +918,39 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -82997,7 +83209,7 @@ index 1f22fba..e096fc5 100644
manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -916,12 +965,15 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -916,12 +960,15 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
@@ -83013,15 +83225,18 @@ index 1f22fba..e096fc5 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -933,7 +985,6 @@ dev_read_urand(virtd_lxc_t)
+@@ -933,10 +980,8 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
-files_associate_rootfs(svirt_lxc_file_t)
files_search_all(virtd_lxc_t)
files_getattr_all_files(virtd_lxc_t)
- files_read_usr_files(virtd_lxc_t)
-@@ -955,15 +1006,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
+-files_read_usr_files(virtd_lxc_t)
+ files_relabel_rootfs(virtd_lxc_t)
+ files_mounton_non_security(virtd_lxc_t)
+ files_mount_all_file_type_fs(virtd_lxc_t)
+@@ -955,15 +1000,11 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -83040,7 +83255,7 @@ index 1f22fba..e096fc5 100644
term_use_generic_ptys(virtd_lxc_t)
term_use_ptmx(virtd_lxc_t)
-@@ -973,20 +1020,39 @@ auth_use_nsswitch(virtd_lxc_t)
+@@ -973,20 +1014,38 @@ auth_use_nsswitch(virtd_lxc_t)
logging_send_syslog_msg(virtd_lxc_t)
@@ -83058,7 +83273,6 @@ index 1f22fba..e096fc5 100644
+selinux_compute_create_context(virtd_lxc_t)
+selinux_compute_relabel_context(virtd_lxc_t)
+selinux_compute_user_contexts(virtd_lxc_t)
-+seutil_read_default_contexts(virtd_lxc_t)
+
+sysnet_exec_ifconfig(virtd_lxc_t)
+
@@ -83086,7 +83300,7 @@ index 1f22fba..e096fc5 100644
allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
allow svirt_lxc_domain self:fifo_file manage_file_perms;
allow svirt_lxc_domain self:sem create_sem_perms;
-@@ -995,19 +1061,6 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
+@@ -995,19 +1054,6 @@ allow svirt_lxc_domain self:msgq create_msgq_perms;
allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
@@ -83106,7 +83320,7 @@ index 1f22fba..e096fc5 100644
manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
-@@ -1015,17 +1068,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
+@@ -1015,17 +1061,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
@@ -83125,7 +83339,7 @@ index 1f22fba..e096fc5 100644
kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
corecmd_exec_all_executables(svirt_lxc_domain)
-@@ -1037,21 +1087,21 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
+@@ -1037,21 +1080,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
@@ -83135,7 +83349,7 @@ index 1f22fba..e096fc5 100644
files_list_var_lib(svirt_lxc_domain)
files_search_all(svirt_lxc_domain)
files_read_config_files(svirt_lxc_domain)
- files_read_usr_files(svirt_lxc_domain)
+-files_read_usr_files(svirt_lxc_domain)
files_read_usr_symlinks(svirt_lxc_domain)
+files_search_locks(svirt_lxc_domain)
@@ -83152,7 +83366,7 @@ index 1f22fba..e096fc5 100644
auth_dontaudit_read_login_records(svirt_lxc_domain)
auth_dontaudit_write_login_records(svirt_lxc_domain)
auth_search_pam_console_data(svirt_lxc_domain)
-@@ -1063,11 +1113,14 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
+@@ -1063,11 +1105,14 @@ init_dontaudit_write_utmp(svirt_lxc_domain)
libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
@@ -83169,7 +83383,7 @@ index 1f22fba..e096fc5 100644
optional_policy(`
udev_read_pid_files(svirt_lxc_domain)
-@@ -1078,81 +1131,63 @@ optional_policy(`
+@@ -1078,81 +1123,63 @@ optional_policy(`
apache_read_sys_content(svirt_lxc_domain)
')
@@ -83274,7 +83488,7 @@ index 1f22fba..e096fc5 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1200,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1165,12 +1192,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -83289,7 +83503,7 @@ index 1f22fba..e096fc5 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1183,9 +1218,8 @@ optional_policy(`
+@@ -1183,9 +1210,8 @@ optional_policy(`
########################################
#
@@ -83300,7 +83514,7 @@ index 1f22fba..e096fc5 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1232,66 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1198,5 +1224,65 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@@ -83328,7 +83542,6 @@ index 1f22fba..e096fc5 100644
+corecmd_exec_shell(virt_qemu_ga_t)
+corecmd_exec_bin(virt_qemu_ga_t)
+
-+files_read_etc_files(virt_qemu_ga_t)
+
+dev_rw_sysfs(virt_qemu_ga_t)
+
@@ -83384,7 +83597,7 @@ index 9ead775..b5285e7 100644
-userdom_use_user_terminals(vlock_t)
+userdom_use_inherited_user_terminals(vlock_t)
diff --git a/vmware.te b/vmware.te
-index 3a56513..1fb1463 100644
+index 3a56513..5721057 100644
--- a/vmware.te
+++ b/vmware.te
@@ -65,7 +65,8 @@ ifdef(`enable_mcs',`
@@ -83407,7 +83620,7 @@ index 3a56513..1fb1463 100644
corenet_all_recvfrom_netlabel(vmware_host_t)
corenet_tcp_sendrecv_generic_if(vmware_host_t)
corenet_udp_sendrecv_generic_if(vmware_host_t)
-@@ -115,6 +116,7 @@ dev_getattr_all_blk_files(vmware_host_t)
+@@ -115,14 +116,13 @@ dev_getattr_all_blk_files(vmware_host_t)
dev_read_sysfs(vmware_host_t)
dev_read_urand(vmware_host_t)
dev_rw_vmware(vmware_host_t)
@@ -83415,16 +83628,15 @@ index 3a56513..1fb1463 100644
domain_use_interactive_fds(vmware_host_t)
domain_dontaudit_read_all_domains_state(vmware_host_t)
-@@ -122,7 +124,7 @@ domain_dontaudit_read_all_domains_state(vmware_host_t)
+
files_list_tmp(vmware_host_t)
- files_read_etc_files(vmware_host_t)
+-files_read_etc_files(vmware_host_t)
files_read_etc_runtime_files(vmware_host_t)
-files_read_usr_files(vmware_host_t)
-+files_read_usr_files(vmware_host_t)
fs_getattr_all_fs(vmware_host_t)
fs_search_auto_mountpoints(vmware_host_t)
-@@ -138,8 +140,6 @@ libs_exec_ld_so(vmware_host_t)
+@@ -138,8 +138,6 @@ libs_exec_ld_so(vmware_host_t)
logging_send_syslog_msg(vmware_host_t)
@@ -83433,7 +83645,7 @@ index 3a56513..1fb1463 100644
sysnet_dns_name_resolve(vmware_host_t)
sysnet_domtrans_ifconfig(vmware_host_t)
-@@ -149,11 +149,27 @@ userdom_dontaudit_search_user_home_dirs(vmware_host_t)
+@@ -149,12 +147,16 @@ userdom_dontaudit_search_user_home_dirs(vmware_host_t)
netutils_domtrans_ping(vmware_host_t)
optional_policy(`
@@ -83447,22 +83659,22 @@ index 3a56513..1fb1463 100644
+
+optional_policy(`
modutils_domtrans_insmod(vmware_host_t)
+-')
+')
-+
-+optional_policy(`
-+ samba_read_config(vmware_host_t)
-+')
-+
-+optional_policy(`
-+ seutil_sigchld_newrole(vmware_host_t)
-+')
-+
-+optional_policy(`
-+ shutdown_domtrans(vmware_host_t)
- ')
optional_policy(`
-@@ -258,9 +274,8 @@ storage_raw_write_removable_device(vmware_t)
+ samba_read_config(vmware_host_t)
+@@ -244,9 +246,7 @@ dev_search_sysfs(vmware_t)
+
+ domain_use_interactive_fds(vmware_t)
+
+-files_read_etc_files(vmware_t)
+ files_read_etc_runtime_files(vmware_t)
+-files_read_usr_files(vmware_t)
+ files_list_home(vmware_t)
+
+ fs_getattr_all_fs(vmware_t)
+@@ -258,9 +258,8 @@ storage_raw_write_removable_device(vmware_t)
libs_exec_ld_so(vmware_t)
libs_read_lib_files(vmware_t)
@@ -83506,17 +83718,11 @@ index 137ac44..a0089e6 100644
domain_system_change_exemption($1)
role_transition $2 vnstatd_initrc_exec_t system_r;
diff --git a/vnstatd.te b/vnstatd.te
-index febc3e5..9183e32 100644
+index febc3e5..ff18188 100644
--- a/vnstatd.te
+++ b/vnstatd.te
-@@ -34,9 +34,13 @@ allow vnstatd_t self:process signal;
- allow vnstatd_t self:fifo_file rw_fifo_file_perms;
- allow vnstatd_t self:unix_stream_socket { accept listen };
+@@ -36,7 +36,7 @@ allow vnstatd_t self:unix_stream_socket { accept listen };
-+manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
-+manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
-+files_pid_filetrans(vnstatd_t, vnstatd_var_run_t, { dir file })
-+
manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
-files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file })
@@ -83524,7 +83730,7 @@ index febc3e5..9183e32 100644
manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
-@@ -47,14 +51,10 @@ kernel_read_system_state(vnstatd_t)
+@@ -47,14 +47,10 @@ kernel_read_system_state(vnstatd_t)
domain_use_interactive_fds(vnstatd_t)
@@ -83539,7 +83745,7 @@ index febc3e5..9183e32 100644
########################################
#
# Client local policy
-@@ -64,23 +64,19 @@ allow vnstat_t self:process signal;
+@@ -64,23 +60,19 @@ allow vnstat_t self:process signal;
allow vnstat_t self:fifo_file rw_fifo_file_perms;
allow vnstat_t self:unix_stream_socket { accept listen };
@@ -83586,7 +83792,7 @@ index 524ac2f..076dcc3 100644
-/var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0)
+/var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0)
diff --git a/vpn.if b/vpn.if
-index 7a7f342..a4e2f60 100644
+index 7a7f342..afedcba 100644
--- a/vpn.if
+++ b/vpn.if
@@ -1,8 +1,8 @@
@@ -83618,23 +83824,15 @@ index 7a7f342..a4e2f60 100644
##
##
##
-@@ -39,16 +37,21 @@ interface(`vpn_domtrans',`
- #
+@@ -40,6 +38,7 @@ interface(`vpn_domtrans',`
interface(`vpn_run',`
gen_require(`
-- attribute_role vpnc_roles;
-+ #attribute_role vpnc_roles;
+ attribute_role vpnc_roles;
+ type vpnc_t;
')
-+ #vpn_domtrans($1)
-+ #roleattribute $2 vpnc_roles;
-+
vpn_domtrans($1)
-- roleattribute $2 vpnc_roles;
-+ role $2 types vpnc_t;
-+ sysnet_run_ifconfig(vpnc_t, $2)
- ')
+@@ -48,7 +47,7 @@ interface(`vpn_run',`
########################################
##
@@ -83643,7 +83841,7 @@ index 7a7f342..a4e2f60 100644
##
##
##
-@@ -66,7 +69,7 @@ interface(`vpn_kill',`
+@@ -66,7 +65,7 @@ interface(`vpn_kill',`
########################################
##
@@ -83652,7 +83850,7 @@ index 7a7f342..a4e2f60 100644
##
##
##
-@@ -84,7 +87,7 @@ interface(`vpn_signal',`
+@@ -84,7 +83,7 @@ interface(`vpn_signal',`
########################################
##
@@ -83661,7 +83859,7 @@ index 7a7f342..a4e2f60 100644
##
##
##
-@@ -103,7 +106,7 @@ interface(`vpn_signull',`
+@@ -103,7 +102,7 @@ interface(`vpn_signull',`
########################################
##
## Send and receive messages from
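Review bot: `vpn_run` now requires `type vpnc_t;` in its `gen_require` (the inner header `@@ -40,6 +38,7 @@` shows one added line) while the visible body only calls `vpn_domtrans($1)` and presumably keeps the base file's `roleattribute $2 vpnc_roles;`, so the extra require looks like a leftover of the dropped `role $2 types vpnc_t;` / `sysnet_run_ifconfig(vpnc_t, $2)` variant. Unless a line of `vpn_run` outside this hunk references `vpnc_t`, remove `type vpnc_t;` to keep the require block minimal. Dropping the commented-out `#attribute_role vpnc_roles;` / `#roleattribute $2 vpnc_roles;` lines from the patch is the right direction; no commented-out policy should survive in the interface file.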
@@ -83671,33 +83869,30 @@ index 7a7f342..a4e2f60 100644
##
##
diff --git a/vpn.te b/vpn.te
-index 9329eae..ddf48c0 100644
+index 9329eae..83fa097 100644
--- a/vpn.te
+++ b/vpn.te
-@@ -1,17 +1,19 @@
+@@ -1,4 +1,4 @@
-policy_module(vpn, 1.15.1)
+policy_module(vpn, 1.15.0)
########################################
#
- # Declarations
+@@ -6,12 +6,12 @@ policy_module(vpn, 1.15.1)
#
--attribute_role vpnc_roles;
-+#attribute_role vpnc_roles;
-+#roleattribute system_r vpnc_roles;
+ attribute_role vpnc_roles;
++roleattribute system_r vpnc_roles;
type vpnc_t;
type vpnc_exec_t;
init_system_domain(vpnc_t, vpnc_exec_t)
application_domain(vpnc_t, vpnc_exec_t)
-role vpnc_roles types vpnc_t;
-+#role vpnc_roles types vpnc_t;
-+role system_r types vpnc_t;
type vpnc_tmp_t;
files_tmp_file(vpnc_tmp_t)
-@@ -28,9 +30,13 @@ allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock n
+@@ -28,9 +28,13 @@ allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock n
allow vpnc_t self:process { getsched signal };
allow vpnc_t self:fifo_file rw_fifo_file_perms;
allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
@@ -83712,7 +83907,7 @@ index 9329eae..ddf48c0 100644
allow vpnc_t self:socket create_socket_perms;
manage_dirs_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t)
-@@ -47,7 +53,6 @@ kernel_read_all_sysctls(vpnc_t)
+@@ -47,7 +51,6 @@ kernel_read_all_sysctls(vpnc_t)
kernel_request_load_module(vpnc_t)
kernel_rw_net_sysctls(vpnc_t)
@@ -83720,7 +83915,7 @@ index 9329eae..ddf48c0 100644
corenet_all_recvfrom_netlabel(vpnc_t)
corenet_tcp_sendrecv_generic_if(vpnc_t)
corenet_udp_sendrecv_generic_if(vpnc_t)
-@@ -58,38 +63,32 @@ corenet_raw_sendrecv_generic_node(vpnc_t)
+@@ -58,38 +61,32 @@ corenet_raw_sendrecv_generic_node(vpnc_t)
corenet_tcp_sendrecv_all_ports(vpnc_t)
corenet_udp_sendrecv_all_ports(vpnc_t)
corenet_udp_bind_generic_node(vpnc_t)
@@ -83770,7 +83965,7 @@ index 9329eae..ddf48c0 100644
auth_use_nsswitch(vpnc_t)
-@@ -103,16 +102,15 @@ locallogin_use_fds(vpnc_t)
+@@ -103,16 +100,15 @@ locallogin_use_fds(vpnc_t)
logging_send_syslog_msg(vpnc_t)
logging_dontaudit_search_logs(vpnc_t)
@@ -83779,8 +83974,7 @@ index 9329eae..ddf48c0 100644
-seutil_dontaudit_search_config(vpnc_t)
+seutil_use_newrole_fds(vpnc_t)
--sysnet_run_ifconfig(vpnc_t, vpnc_roles)
-+#sysnet_run_ifconfig(vpnc_t, vpnc_roles)
+ sysnet_run_ifconfig(vpnc_t, vpnc_roles)
sysnet_etc_filetrans_config(vpnc_t)
sysnet_manage_config(vpnc_t)
@@ -83791,7 +83985,7 @@ index 9329eae..ddf48c0 100644
optional_policy(`
dbus_system_bus_client(vpnc_t)
-@@ -125,7 +123,3 @@ optional_policy(`
+@@ -125,7 +121,3 @@ optional_policy(`
optional_policy(`
networkmanager_attach_tun_iface(vpnc_t)
')
@@ -83992,7 +84186,7 @@ index ebbdaf6..63c53ba 100644
corosync_initrc_domtrans(wdmd_t)
corosync_stream_connect(wdmd_t)
diff --git a/webadm.te b/webadm.te
-index 708254f..2db084b 100644
+index 708254f..d26f598 100644
--- a/webadm.te
+++ b/webadm.te
@@ -25,6 +25,9 @@ role webadm_r;
@@ -84018,11 +84212,7 @@ index 708254f..2db084b 100644
files_dontaudit_search_all_dirs(webadm_t)
files_list_var(webadm_t)
-@@ -40,10 +49,13 @@ seutil_domtrans_setfiles(webadm_t)
-
- logging_send_audit_msgs(webadm_t)
- logging_send_syslog_msg(webadm_t)
-+logging_send_audit_msgs(webadm_t)
+@@ -43,7 +52,9 @@ logging_send_syslog_msg(webadm_t)
userdom_dontaudit_search_user_home_dirs(webadm_t)
@@ -84034,10 +84224,10 @@ index 708254f..2db084b 100644
tunable_policy(`webadm_manage_user_files',`
userdom_manage_user_home_content_files(webadm_t)
diff --git a/webalizer.te b/webalizer.te
-index cdca8c7..bc76d1b 100644
+index cdca8c7..3c09628 100644
--- a/webalizer.te
+++ b/webalizer.te
-@@ -55,26 +55,38 @@ can_exec(webalizer_t, webalizer_exec_t)
+@@ -55,27 +55,35 @@ can_exec(webalizer_t, webalizer_exec_t)
kernel_read_kernel_sysctls(webalizer_t)
kernel_read_system_state(webalizer_t)
@@ -84072,14 +84262,11 @@ index cdca8c7..bc76d1b 100644
optional_policy(`
apache_read_log(webalizer_t)
-+ apache_manage_sys_content(webalizer_t)
-+')
-+
-+optional_policy(`
-+ apache_read_log(webalizer_t)
apache_content_template(webalizer)
++ apache_manage_sys_content(webalizer_t)
manage_dirs_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t)
manage_files_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t)
+ ')
diff --git a/wine.if b/wine.if
index fd2b6cc..4b83bb0 100644
--- a/wine.if
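Review bot: `apache_manage_sys_content(webalizer_t)`, now folded into the existing apache `optional_policy` block, gives webalizer create/write/delete access to all generic httpd system content, which is far broader than the `httpd_webalizer_content_t` manage patterns on the two lines just below it that already cover webalizer's own output. The hunk does not say which path webalizer writes outside its own content type, so the least-privilege question is left open for the next reader. Add a comment naming the reason, e.g. `# webalizer must manage generic httpd content because <REASON_PLACEHOLDER>`, or, if only one directory is involved, prefer a file-context entry labeling it `httpd_webalizer_content_t` over the blanket manage interface. The block's closing `')` is visible at the end of the hunk, so this is the whole block.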
@@ -84233,7 +84420,7 @@ index fd2b6cc..4b83bb0 100644
########################################
diff --git a/wine.te b/wine.te
-index b51923c..335c8c2 100644
+index b51923c..22e9047 100644
--- a/wine.te
+++ b/wine.te
@@ -48,7 +48,7 @@ domain_mmap_low(wine_t)
@@ -84245,19 +84432,8 @@ index b51923c..335c8c2 100644
tunable_policy(`wine_mmap_zero_ignore',`
dontaudit wine_t self:memprotect mmap_zero;
-@@ -71,6 +71,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ rtkit_scheduled(wine_t)
-+')
-+
-+optional_policy(`
- unconfined_domain(wine_t)
- ')
-
diff --git a/wireshark.te b/wireshark.te
-index cf5cab6..f0f5dcb 100644
+index cf5cab6..d379bd6 100644
--- a/wireshark.te
+++ b/wireshark.te
@@ -34,7 +34,7 @@ userdom_user_tmpfs_file(wireshark_tmpfs_t)
@@ -84269,13 +84445,20 @@ index cf5cab6..f0f5dcb 100644
allow wireshark_t self:process { signal getsched };
allow wireshark_t self:fifo_file rw_fifo_file_perms;
allow wireshark_t self:shm create_shm_perms;
-@@ -90,31 +90,17 @@ fs_search_auto_mountpoints(wireshark_t)
+@@ -82,7 +82,6 @@ dev_read_rand(wireshark_t)
+ dev_read_sysfs(wireshark_t)
+ dev_read_urand(wireshark_t)
+
+-files_read_usr_files(wireshark_t)
+
+ fs_getattr_all_fs(wireshark_t)
+ fs_list_inotifyfs(wireshark_t)
+@@ -90,31 +89,15 @@ fs_search_auto_mountpoints(wireshark_t)
auth_use_nsswitch(wireshark_t)
-libs_read_lib_files(wireshark_t)
-+auth_use_nsswitch(wireshark_t)
-
+-
miscfiles_read_fonts(wireshark_t)
-miscfiles_read_localization(wireshark_t)
@@ -84443,10 +84626,10 @@ index 25b702d..177cf16 100644
- allow $1_wm_t $2:dbus send_msg;
-')
diff --git a/wm.te b/wm.te
-index 7c7f7fa..996a3d4 100644
+index 7c7f7fa..dfeac3e 100644
--- a/wm.te
+++ b/wm.te
-@@ -1,36 +1,42 @@
+@@ -1,36 +1,40 @@
-policy_module(wm, 1.2.5)
+policy_module(wm, 1.2.0)
+
@@ -84476,13 +84659,12 @@ index 7c7f7fa..996a3d4 100644
-
dev_read_urand(wm_domain)
-+files_read_etc_files(wm_domain)
- files_read_usr_files(wm_domain)
-
+-files_read_usr_files(wm_domain)
++
+fs_getattr_tmpfs(wm_domain)
+
+application_signull(wm_domain)
-+
+
miscfiles_read_fonts(wm_domain)
-miscfiles_read_localization(wm_domain)
@@ -84820,7 +85002,7 @@ index f93558c..cc73c96 100644
files_search_pids($1)
diff --git a/xen.te b/xen.te
-index ed40676..8358a63 100644
+index ed40676..8042769 100644
--- a/xen.te
+++ b/xen.te
@@ -1,42 +1,34 @@
@@ -84940,7 +85122,7 @@ index ed40676..8358a63 100644
type xend_var_run_t;
files_pid_file(xend_var_run_t)
files_mountpoint(xend_var_run_t)
-@@ -96,51 +102,51 @@ init_daemon_domain(xenstored_t, xenstored_exec_t)
+@@ -96,51 +102,50 @@ init_daemon_domain(xenstored_t, xenstored_exec_t)
type xenstored_tmp_t;
files_tmp_file(xenstored_tmp_t)
@@ -84995,7 +85177,6 @@ index ed40676..8358a63 100644
+dev_rw_xen(blktap_t)
- logging_send_syslog_msg(blktap_t)
-+files_read_etc_files(blktap_t)
- miscfiles_read_localization(blktap_t)
+logging_send_syslog_msg(blktap_t)
@@ -85008,7 +85189,7 @@ index ed40676..8358a63 100644
#######################################
#
-@@ -148,9 +154,7 @@ tunable_policy(`xend_run_blktap',`
+@@ -148,9 +153,7 @@ tunable_policy(`xend_run_blktap',`
#
manage_dirs_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t)
@@ -85019,7 +85200,7 @@ index ed40676..8358a63 100644
logging_log_filetrans(evtchnd_t, evtchnd_var_log_t, { file dir })
manage_dirs_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t)
-@@ -160,28 +164,70 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
+@@ -160,28 +163,68 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
########################################
#
@@ -85048,8 +85229,6 @@ index ed40676..8358a63 100644
+
+ dev_rw_xen(qemu_dm_t)
+
-+ files_read_etc_files(qemu_dm_t)
-+ files_read_usr_files(qemu_dm_t)
+
+ fs_manage_xenfs_dirs(qemu_dm_t)
+ fs_manage_xenfs_files(qemu_dm_t)
@@ -85100,7 +85279,7 @@ index ed40676..8358a63 100644
allow xend_t xenctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(xend_t, xenctl_t, fifo_file)
-@@ -190,33 +236,37 @@ manage_files_pattern(xend_t, xend_tmp_t, xend_tmp_t)
+@@ -190,33 +233,37 @@ manage_files_pattern(xend_t, xend_tmp_t, xend_tmp_t)
manage_dirs_pattern(xend_t, xend_tmp_t, xend_tmp_t)
files_tmp_filetrans(xend_t, xend_tmp_t, { file dir })
@@ -85145,7 +85324,7 @@ index ed40676..8358a63 100644
kernel_read_kernel_sysctls(xend_t)
kernel_read_system_state(xend_t)
-@@ -228,41 +278,31 @@ kernel_read_network_state(xend_t)
+@@ -228,57 +275,39 @@ kernel_read_network_state(xend_t)
corecmd_exec_bin(xend_t)
corecmd_exec_shell(xend_t)
@@ -85191,11 +85370,12 @@ index ed40676..8358a63 100644
domain_dontaudit_read_all_domains_state(xend_t)
-domain_dontaudit_ptrace_all_domains(xend_t)
- files_read_etc_files(xend_t)
+-files_read_etc_files(xend_t)
files_read_kernel_symbol_table(xend_t)
-@@ -271,14 +311,8 @@ files_manage_etc_runtime_files(xend_t)
+ files_read_kernel_img(xend_t)
+ files_manage_etc_runtime_files(xend_t)
files_etc_filetrans_etc_runtime(xend_t, file)
- files_read_usr_files(xend_t)
+-files_read_usr_files(xend_t)
files_read_default_symlinks(xend_t)
-files_search_mnt(xend_t)
@@ -85208,7 +85388,7 @@ index ed40676..8358a63 100644
storage_read_scsi_generic(xend_t)
-@@ -295,7 +329,8 @@ locallogin_dontaudit_use_fds(xend_t)
+@@ -295,7 +324,8 @@ locallogin_dontaudit_use_fds(xend_t)
logging_send_syslog_msg(xend_t)
@@ -85218,7 +85398,7 @@ index ed40676..8358a63 100644
miscfiles_read_hwdata(xend_t)
sysnet_domtrans_dhcpc(xend_t)
-@@ -308,23 +343,7 @@ sysnet_rw_dhcp_config(xend_t)
+@@ -308,23 +338,7 @@ sysnet_rw_dhcp_config(xend_t)
userdom_dontaudit_search_user_home_dirs(xend_t)
@@ -85243,7 +85423,7 @@ index ed40676..8358a63 100644
optional_policy(`
brctl_domtrans(xend_t)
-@@ -342,7 +361,7 @@ optional_policy(`
+@@ -342,7 +356,7 @@ optional_policy(`
mount_domtrans(xend_t)
')
@@ -85252,7 +85432,7 @@ index ed40676..8358a63 100644
netutils_domtrans(xend_t)
')
-@@ -351,6 +370,7 @@ optional_policy(`
+@@ -351,6 +365,7 @@ optional_policy(`
')
optional_policy(`
@@ -85260,7 +85440,7 @@ index ed40676..8358a63 100644
virt_search_images(xend_t)
virt_read_config(xend_t)
')
-@@ -365,13 +385,9 @@ allow xenconsoled_t self:process setrlimit;
+@@ -365,13 +380,9 @@ allow xenconsoled_t self:process setrlimit;
allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
@@ -85276,16 +85456,23 @@ index ed40676..8358a63 100644
manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
manage_sock_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
files_pid_filetrans(xenconsoled_t, xenconsoled_var_run_t, { file sock_file })
-@@ -384,8 +400,6 @@ dev_rw_xen(xenconsoled_t)
+@@ -384,10 +395,6 @@ dev_rw_xen(xenconsoled_t)
dev_filetrans_xen(xenconsoled_t)
dev_rw_sysfs(xenconsoled_t)
-domain_dontaudit_ptrace_all_domains(xenconsoled_t)
-
- files_read_etc_files(xenconsoled_t)
- files_read_usr_files(xenconsoled_t)
+-files_read_etc_files(xenconsoled_t)
+-files_read_usr_files(xenconsoled_t)
+
+ fs_list_tmpfs(xenconsoled_t)
+ fs_manage_xenfs_dirs(xenconsoled_t)
+@@ -395,15 +402,13 @@ fs_manage_xenfs_files(xenconsoled_t)
+
+ term_create_pty(xenconsoled_t, xen_devpts_t)
+ term_use_generic_ptys(xenconsoled_t)
+-term_use_console(xenconsoled_t)
-@@ -400,10 +414,9 @@ term_use_console(xenconsoled_t)
init_use_fds(xenconsoled_t)
init_use_script_ptys(xenconsoled_t)
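Review bot: The added `+-term_use_console(xenconsoled_t)` line makes the patch remove console access from xenconsoled_t, which is a genuine permission change and not the "redundant files_read_*" cleanup the changelog describes; no changelog entry covers it. If xenconsoled writes to /dev/console at startup or on error, that write is now denied, and if the call was merely relocated the relocation is outside this hunk and cannot be confirmed here. Either restore the line or record the intent with a changelog entry such as `- Drop term_use_console from xenconsoled_t, it does not open /dev/console`. The xenconsoled_t section continues in the following hunk.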
@@ -85298,7 +85485,7 @@ index ed40676..8358a63 100644
xen_stream_connect_xenstore(xenconsoled_t)
optional_policy(`
-@@ -416,24 +429,26 @@ optional_policy(`
+@@ -416,24 +421,26 @@ optional_policy(`
#
allow xenstored_t self:capability { dac_override ipc_lock sys_resource };
@@ -85329,12 +85516,13 @@ index ed40676..8358a63 100644
manage_dirs_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
-@@ -449,156 +464,37 @@ dev_rw_xen(xenstored_t)
+@@ -448,157 +455,36 @@ dev_filetrans_xen(xenstored_t)
+ dev_rw_xen(xenstored_t)
dev_read_sysfs(xenstored_t)
- files_read_etc_files(xenstored_t)
+-files_read_etc_files(xenstored_t)
+-files_read_usr_files(xenstored_t)
+
- files_read_usr_files(xenstored_t)
fs_search_xenfs(xenstored_t)
fs_manage_xenfs_files(xenstored_t)
@@ -85501,7 +85689,7 @@ index ed40676..8358a63 100644
- fs_manage_xenfs_files(xm_ssh_t)
-')
diff --git a/xfs.te b/xfs.te
-index 0cea2cd..d9518f8 100644
+index 0cea2cd..7668014 100644
--- a/xfs.te
+++ b/xfs.te
@@ -41,7 +41,6 @@ can_exec(xfs_t, xfs_exec_t)
@@ -85512,7 +85700,15 @@ index 0cea2cd..d9518f8 100644
corenet_all_recvfrom_netlabel(xfs_t)
corenet_tcp_sendrecv_generic_if(xfs_t)
corenet_tcp_sendrecv_generic_node(xfs_t)
-@@ -71,7 +70,6 @@ init_script_tmp_filetrans(xfs_t, xfs_tmp_t, sock_file, "fs7100")
+@@ -63,7 +62,6 @@ fs_search_auto_mountpoints(xfs_t)
+ domain_use_interactive_fds(xfs_t)
+
+ files_read_etc_runtime_files(xfs_t)
+-files_read_usr_files(xfs_t)
+
+ auth_use_nsswitch(xfs_t)
+
+@@ -71,7 +69,6 @@ init_script_tmp_filetrans(xfs_t, xfs_tmp_t, sock_file, "fs7100")
logging_send_syslog_msg(xfs_t)
@@ -85769,7 +85965,7 @@ index 2882821..cc48c69 100644
-#gen_user(xguest_u,, xguest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
diff --git a/xprint.te b/xprint.te
-index 3c44d84..14b42e5 100644
+index 3c44d84..ce5e69d 100644
--- a/xprint.te
+++ b/xprint.te
@@ -32,7 +32,6 @@ kernel_read_kernel_sysctls(xprint_t)
@@ -85780,7 +85976,17 @@ index 3c44d84..14b42e5 100644
corenet_all_recvfrom_netlabel(xprint_t)
corenet_tcp_sendrecv_generic_if(xprint_t)
corenet_udp_sendrecv_generic_if(xprint_t)
-@@ -58,7 +57,6 @@ fs_search_auto_mountpoints(xprint_t)
+@@ -46,9 +45,7 @@ dev_read_urand(xprint_t)
+
+ domain_use_interactive_fds(xprint_t)
+
+-files_read_etc_files(xprint_t)
+ files_read_etc_runtime_files(xprint_t)
+-files_read_usr_files(xprint_t)
+ files_search_var_lib(xprint_t)
+ files_search_tmp(xprint_t)
+
+@@ -58,7 +55,6 @@ fs_search_auto_mountpoints(xprint_t)
logging_send_syslog_msg(xprint_t)
miscfiles_read_fonts(xprint_t)
@@ -85789,10 +85995,18 @@ index 3c44d84..14b42e5 100644
sysnet_read_config(xprint_t)
diff --git a/xscreensaver.te b/xscreensaver.te
-index c9c9650..4a24446 100644
+index c9c9650..485e77d 100644
--- a/xscreensaver.te
+++ b/xscreensaver.te
-@@ -35,9 +35,8 @@ init_read_utmp(xscreensaver_t)
+@@ -25,7 +25,6 @@ allow xscreensaver_t self:fifo_file rw_fifo_file_perms;
+
+ kernel_read_system_state(xscreensaver_t)
+
+-files_read_usr_files(xscreensaver_t)
+
+ auth_use_nsswitch(xscreensaver_t)
+ auth_domtrans_chk_passwd(xscreensaver_t)
+@@ -35,9 +34,8 @@ init_read_utmp(xscreensaver_t)
logging_send_audit_msgs(xscreensaver_t)
logging_send_syslog_msg(xscreensaver_t)
@@ -85986,7 +86200,7 @@ index dd63de0..38ce620 100644
- admin_pattern($1, zabbix_tmpfs_t)
')
diff --git a/zabbix.te b/zabbix.te
-index 46e4cd3..af38ff2 100644
+index 46e4cd3..29d4996 100644
--- a/zabbix.te
+++ b/zabbix.te
@@ -6,7 +6,7 @@ policy_module(zabbix, 1.5.3)
@@ -85998,40 +86212,35 @@ index 46e4cd3..af38ff2 100644
## Determine whether zabbix can
## connect to all TCP ports
##
-@@ -90,6 +90,12 @@ corenet_sendrecv_zabbix_server_packets(zabbix_t)
- corenet_tcp_bind_zabbix_port(zabbix_t)
- corenet_tcp_sendrecv_zabbix_port(zabbix_t)
+@@ -95,12 +95,8 @@ corecmd_exec_shell(zabbix_t)
-+# needed by zabbix-server-mysql
-+corenet_tcp_connect_http_port(zabbix_t)
-+# to monitor ftp urls
-+corenet_tcp_connect_ftp_port(zabbix_t)
-+
-+
- corecmd_exec_bin(zabbix_t)
- corecmd_exec_shell(zabbix_t)
-
-@@ -99,7 +105,6 @@ files_read_usr_files(zabbix_t)
+ dev_read_urand(zabbix_t)
+-files_read_usr_files(zabbix_t)
+-
auth_use_nsswitch(zabbix_t)
-miscfiles_read_localization(zabbix_t)
-
+-
zabbix_agent_tcp_connect(zabbix_t)
-@@ -115,7 +120,10 @@ optional_policy(`
+ tunable_policy(`zabbix_can_network',`
+@@ -110,12 +106,11 @@ tunable_policy(`zabbix_can_network',`
+ ')
+
+ optional_policy(`
+- netutils_domtrans_ping(zabbix_t)
++ mysql_stream_connect(zabbix_t)
+ ')
optional_policy(`
- mysql_stream_connect(zabbix_t)
+- mysql_stream_connect(zabbix_t)
- mysql_tcp_connect(zabbix_t)
-+')
-+
-+optional_policy(`
+ netutils_domtrans_ping(zabbix_t)
')
optional_policy(`
-@@ -125,6 +133,7 @@ optional_policy(`
+@@ -125,6 +120,7 @@ optional_policy(`
optional_policy(`
snmp_read_snmp_var_lib_files(zabbix_t)
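Review bot: The two unconditional named-port rules the old patch added, `corenet_tcp_connect_http_port(zabbix_t)` and `corenet_tcp_connect_ftp_port(zabbix_t)` (with their "needed by zabbix-server-mysql" and "to monitor ftp urls" comments), vanish in this hunk with no replacement visible. Unless they were moved into the `zabbix_can_network` tunable_policy block, whose body lies outside the hunk, HTTP and FTP URL checks would now be denied and the only documented remedy is the all-TCP-ports boolean described at the top of the file, a far broader grant than two named ports. Least privilege favours keeping the two named-port rules, or gating them under their own narrower boolean rather than under `zabbix_can_network`; at minimum the removal deserves a changelog line. The zabbix_t policy continues outside this hunk on both sides.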
@@ -86039,7 +86248,7 @@ index 46e4cd3..af38ff2 100644
')
########################################
-@@ -182,7 +191,6 @@ domain_search_all_domains_state(zabbix_agent_t)
+@@ -182,7 +178,6 @@ domain_search_all_domains_state(zabbix_agent_t)
files_getattr_all_dirs(zabbix_agent_t)
files_getattr_all_files(zabbix_agent_t)
files_read_all_symlinks(zabbix_agent_t)
@@ -86047,7 +86256,7 @@ index 46e4cd3..af38ff2 100644
fs_getattr_all_fs(zabbix_agent_t)
-@@ -190,7 +198,6 @@ init_read_utmp(zabbix_agent_t)
+@@ -190,7 +185,6 @@ init_read_utmp(zabbix_agent_t)
logging_search_logs(zabbix_agent_t)
@@ -86294,7 +86503,7 @@ index 36e32df..3d08962 100644
+ manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
')
diff --git a/zarafa.te b/zarafa.te
-index a4479b1..0aa9870 100644
+index a4479b1..15774aa 100644
--- a/zarafa.te
+++ b/zarafa.te
@@ -1,4 +1,4 @@
@@ -86419,7 +86628,7 @@ index a4479b1..0aa9870 100644
manage_dirs_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t)
manage_files_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t)
files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir })
-@@ -109,70 +120,89 @@ files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir lnk_file }
+@@ -109,70 +120,84 @@ files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir lnk_file }
stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t)
@@ -86434,7 +86643,7 @@ index a4479b1..0aa9870 100644
corenet_tcp_bind_zarafa_port(zarafa_server_t)
-corenet_tcp_sendrecv_zarafa_port(zarafa_server_t)
- files_read_usr_files(zarafa_server_t)
+-files_read_usr_files(zarafa_server_t)
+auth_use_nsswitch(zarafa_server_t)
+
@@ -86478,9 +86687,10 @@ index a4479b1..0aa9870 100644
-corenet_tcp_sendrecv_smtp_port(zarafa_spooler_t)
+
+auth_use_nsswitch(zarafa_spooler_t)
-+
-+########################################
-+#
+
+ ########################################
+ #
+-# Zarafa domain local policy
+# zarafa_gateway local policy
+#
+
@@ -86492,9 +86702,10 @@ index a4479b1..0aa9870 100644
+#######################################
+#
+# zarafa-ical local policy
-+#
-+
-+
+ #
+
+-allow zarafa_domain self:capability { kill dac_override chown setgid setuid };
+-allow zarafa_domain self:process { setrlimit signal };
+corenet_tcp_bind_http_cache_port(zarafa_ical_t)
+
+######################################
@@ -86502,15 +86713,12 @@ index a4479b1..0aa9870 100644
+# zarafa-monitor local policy
+#
+
-
- ########################################
- #
--# Zarafa domain local policy
++
++########################################
++#
+# zarafa domains local policy
- #
-
--allow zarafa_domain self:capability { kill dac_override chown setgid setuid };
--allow zarafa_domain self:process { setrlimit signal };
++#
++
+# bad permission on /etc/zarafa
+allow zarafa_domain self:capability { dac_override chown setgid setuid };
+allow zarafa_domain self:process signal;
@@ -86528,10 +86736,9 @@ index a4479b1..0aa9870 100644
-
dev_read_rand(zarafa_domain)
dev_read_urand(zarafa_domain)
-
+-
-logging_send_syslog_msg(zarafa_domain)
-+files_read_etc_files(zarafa_domain)
-
+-
-miscfiles_read_localization(zarafa_domain)
diff --git a/zebra.fc b/zebra.fc
index 28ee4ca..e1b30b2 100644
@@ -86645,7 +86852,7 @@ index 3416401..ef64e73 100644
init_labeled_script_domtrans($1, zebra_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/zebra.te b/zebra.te
-index b0803c2..ac46eb2 100644
+index b0803c2..13da3cf 100644
--- a/zebra.te
+++ b/zebra.te
@@ -1,4 +1,4 @@
@@ -86720,7 +86927,7 @@ index b0803c2..ac46eb2 100644
corenet_all_recvfrom_netlabel(zebra_t)
corenet_tcp_sendrecv_generic_if(zebra_t)
corenet_udp_sendrecv_generic_if(zebra_t)
-@@ -79,48 +78,43 @@ corenet_raw_sendrecv_generic_if(zebra_t)
+@@ -79,48 +78,42 @@ corenet_raw_sendrecv_generic_if(zebra_t)
corenet_tcp_sendrecv_generic_node(zebra_t)
corenet_udp_sendrecv_generic_node(zebra_t)
corenet_raw_sendrecv_generic_node(zebra_t)
@@ -86750,27 +86957,27 @@ index b0803c2..ac46eb2 100644
dev_read_sysfs(zebra_t)
dev_rw_zero(zebra_t)
-+fs_getattr_all_fs(zebra_t)
-+fs_search_auto_mountpoints(zebra_t)
-+
-+term_list_ptys(zebra_t)
-+
- domain_use_interactive_fds(zebra_t)
+-domain_use_interactive_fds(zebra_t)
+-
+-files_read_etc_files(zebra_t)
+-files_read_etc_runtime_files(zebra_t)
+-
+ fs_getattr_all_fs(zebra_t)
+ fs_search_auto_mountpoints(zebra_t)
+
+ term_list_ptys(zebra_t)
+-logging_send_syslog_msg(zebra_t)
++domain_use_interactive_fds(zebra_t)
++
+files_search_etc(zebra_t)
- files_read_etc_files(zebra_t)
- files_read_etc_runtime_files(zebra_t)
++files_read_etc_runtime_files(zebra_t)
--fs_getattr_all_fs(zebra_t)
--fs_search_auto_mountpoints(zebra_t)
--
--term_list_ptys(zebra_t)
+-miscfiles_read_localization(zebra_t)
+auth_read_passwd(zebra_t)
++
++logging_send_syslog_msg(zebra_t)
- logging_send_syslog_msg(zebra_t)
-
--miscfiles_read_localization(zebra_t)
--
sysnet_read_config(zebra_t)
userdom_dontaudit_use_unpriv_user_fds(zebra_t)
@@ -86781,7 +86988,7 @@ index b0803c2..ac46eb2 100644
manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
')
-@@ -139,3 +133,7 @@ optional_policy(`
+@@ -139,3 +132,7 @@ optional_policy(`
optional_policy(`
udev_read_db(zebra_t)
')
@@ -87164,10 +87371,10 @@ index 0000000..c72a70d
+
diff --git a/zoneminder.te b/zoneminder.te
new file mode 100644
-index 0000000..a98b795
+index 0000000..67b461b
--- /dev/null
+++ b/zoneminder.te
-@@ -0,0 +1,122 @@
+@@ -0,0 +1,121 @@
+policy_module(zoneminder, 1.0.0)
+
+########################################
@@ -87253,7 +87460,6 @@ index 0000000..a98b795
+dev_read_video_dev(zoneminder_t)
+dev_write_video_dev(zoneminder_t)
+
-+files_read_usr_files(zoneminder_t)
+
+auth_use_nsswitch(zoneminder_t)
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 01824b3..d82899f 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -14,12 +14,12 @@
%define BUILD_MLS 1
%endif
%define POLICYVER 29
-%define POLICYCOREUTILSVER 2.1.13-53
+%define POLICYCOREUTILSVER 2.1.13-54
%define CHECKPOLICYVER 2.1.11-3
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.12.1
-Release: 1%{?dist}
+Release: 4%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -252,9 +252,9 @@ fi;
. %{_sysconfdir}/selinux/config; \
if [ -e /etc/selinux/%2/.rebuild ]; then \
rm /etc/selinux/%2/.rebuild; \
- (cd /etc/selinux/%2/modules/active/modules; rm -f consolekit.pp ctdbd.pp fcoemon.pp isnsd.pp l2tpd.pp qemu.pp nsplugin.pp razor.pp pyzord.pp phpfpm.pp hotplug.pp consoletype.pp kudzu.pp howl.pp) \
+ (cd /etc/selinux/%2/modules/active/modules; rm -f ctdbd.pp fcoemon.pp isnsd.pp l2tpd.pp qemu.pp nsplugin.pp razor.pp pyzord.pp phpfpm.pp hotplug.pp consoletype.pp kudzu.pp howl.pp) \
if [ %1 -ne 1 ]; then \
- /usr/sbin/semodule -n -s %2 -r matahari xfs kudzu kerneloops execmem openoffice ada tzdata hal hotplug howl java mono moilscanner gamin audio_entropy audioentropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd pyzor razor pki-selinux phpfpm consoletype ctdbd fcoemon isnsd l2tp consolekit 2>/dev/null; \
+ /usr/sbin/semodule -n -s %2 -r matahari xfs kudzu kerneloops execmem openoffice ada tzdata hal hotplug howl java mono moilscanner gamin audio_entropy audioentropy iscsid polkit_auth polkit rtkit_daemon ModemManager telepathysofiasip ethereal passanger qpidd pyzor razor pki-selinux phpfpm consoletype ctdbd fcoemon isnsd l2tp 2>/dev/null; \
fi \
/usr/sbin/semodule -B -n -s %2; \
else \
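Review bot: Dropping `consolekit.pp` from the `rm -f` list and `consolekit` from the `semodule -r` list stops the upgrade scriptlet from purging that module, presumably because consolekit is shipped as a module again, yet none of the new changelog entries records it. A line such as `- Re-enable consolekit module; no longer removed on upgrade` under 3.12.1-4 would document the change for anyone diffing policy stores across releases. Note also that `2>/dev/null` on the `semodule -r` call still discards any failure to remove the remaining listed modules, so a stale module surviving an upgrade stays invisible; that is pre-existing rather than introduced here. The macro body continues past this hunk.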
@@ -524,6 +524,43 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Jan 14 2013 Miroslav Grepl 3.12.1-4
+- Allow systemd-tmpfiles to relabel lpd spool files
+- Ad labeling for texlive bash scripts
+- Add xserver_filetrans_fonts_cache_home_content() interface
+- Remove duplicate rules from *.te
+- Add support for /var/lock/man-db.lock
+- Add support for /var/tmp/abrt(/.*)?
+- Add additional labeling for munin cgi scripts
+- Allow httpd_t to read munin conf files
+- Allow certwatch to read meminfo
+- Fix nscd_dontaudit_write_sock_file() interfac
+- Fix gnome_filetrans_home_content() to include also "fontconfig" dir as cache_home_t
+- llow mozilla_plugin_t to create HOMEDIR/.fontconfig with the proper labeling
+
+* Fri Jan 11 2013 Miroslav Grepl 3.12.1-3
+- Allow gnomeclock to talk to puppet over dbus
+- Allow numad access discovered by Dominic
+- Add support for HOME_DIR/.maildir
+- Fix attribute_role for mozilla_plugin_t domain to allow staff_r to access this domain
+- Allow udev to relabel udev_var_run_t lnk_files
+- New bin_t file in mcelog
+
+* Thu Jan 10 2013 Miroslav Grepl 3.12.1-2
+- Remove all mcs overrides and replace with t1 != mcs_constrained_types
+- Add attribute_role for iptables
+- mcs_process_set_categories needs to be called for type
+- Implement additional role_attribute statements
+- Sodo domain is attempting to get the additributes of proc_kcore_t
+- Unbound uses port 8953
+- Allow svirt_t images to compromise_kernel when using pci-passthrough
+- Add label for dns lib files
+- Bluetooth aquires a dbus name
+- Remove redundant files_read_usr_file calling
+- Remove redundant files_read_etc_file calling
+- Fix mozilla_run_plugin()
+- Add role_attribute support for more domains
+
* Wed Jan 9 2013 Miroslav Grepl 3.12.1-1
- Mass merge with upstream