From f5f6812fa46741892a05f6976af0896fb45a2faa Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Aug 21 2015 08:11:52 +0000
Subject: - Add ipmievd policy creaed by vmojzis@redhat.com

- Call kernel_load_module(vmware_host_t) to satisfy neverallow assertion for sys_moudle in MLS where unconfined is disabled.
- Allow NetworkManager to write audit log messages
- Add new policy for ipmievd (ipmitool).
- mirrormanager needs to be application domain and cron_system_entry needs to be called in optional block.
- Allow sandbox domain to be also /dev/mem writer
- Fix neverallow assertion for sys_module capability for openvswitch.
- kernel_load_module() needs to be called out of boolean for svirt_lxc_net_t.
- Fix neverallow assertion for sys_module capability.
- Add more attributes for sandbox domains to avoid neverallow assertion issues.
- Add neverallow asserition fixes related to storage.
- Allow exec pidof under hypervkvp domain. Allow hypervkvp daemon create connection to the system DBUS
- Allow openhpid_t to read system state.
- Add temporary fixes for sandbox related to #1103622. It allows to run everything under one sandbox type.
- Added labels for files provided by rh-nginx18 collection
- Dontaudit block_suspend capability for ipa_helper_t, this is kernel bug. Allow ipa_helper_t capability net_admin. Allow ipa_helper_t to list /tmp. Allow ipa_helper_t to read rpm db.
- Allow rhsmcertd exec rhsmcertd_var_run_t files and rhsmcerd_tmp_t files. This rules are in hide_broken_sympthons until we find better solution.
- Update files_manage_all_files to contain auth_reader_shadow and auth_writer_shadow tosatisfy neverallow assertions.
- Update files_relabel_all_files() interface to contain auth_relabelto_shadow() interface to satisfy neverallow assertion.
- seunshare domains needs to have set_curr_context attribute to resolve neverallow assertion issues.
- Add dev_raw_memory_writer() interface
- Add auth_reader_shadow() and auth_writer_shadow() interfaces
- Add dev_raw_memory_reader() interface.
- Add storage_rw_inherited_scsi_generic() interface.
- Update files_relabel_non_auth_files() to contain seutil_relabelto_bin_policy() to make neverallow assertion working.
- Update kernel_read_all_proc() interface to contain can_dump_kernel and can_receive_kernel_messages attributes  to fix neverallow violated issue for proc_kcore_t and proc_kmsg_t.
- Update storage_rw_inherited_fixed_disk_dev() interface to use proper attributes to fix neverallow violated issues caused by neverallow check during build process.

---

diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index bd4d1a9..783906b 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -3194,7 +3194,7 @@ index 1d732f1..f6ff7aa 100644
 +	stapserver_manage_lib(useradd_t)
 +')
 diff --git a/policy/modules/apps/seunshare.if b/policy/modules/apps/seunshare.if
-index 1dc7a85..1a2084f 100644
+index 1dc7a85..e4f6fc2 100644
 --- a/policy/modules/apps/seunshare.if
 +++ b/policy/modules/apps/seunshare.if
 @@ -43,18 +43,18 @@ interface(`seunshare_run',`
@@ -3223,7 +3223,7 @@ index 1dc7a85..1a2084f 100644
  ## <param name="role">
  ##	<summary>
  ##	Role allowed access.
-@@ -66,15 +66,45 @@ interface(`seunshare_run',`
+@@ -66,15 +66,47 @@ interface(`seunshare_run',`
  ##	</summary>
  ## </param>
  #
@@ -3243,6 +3243,8 @@ index 1dc7a85..1a2084f 100644
 -	seunshare_domtrans($1)
 +	kernel_read_system_state($1_seunshare_t)
 +
++    domain_dyntrans_type($1_seunshare_t)
++
 +	auth_use_nsswitch($1_seunshare_t)
 +
 +	logging_send_syslog_msg($1_seunshare_t)
@@ -6193,7 +6195,7 @@ index b31c054..d500876 100644
 +/usr/lib/udev/devices/null	-c	gen_context(system_u:object_r:null_device_t,s0)
 +/usr/lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index 76f285e..450a2b7 100644
+index 76f285e..68ef8e7 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -6894,7 +6896,57 @@ index 76f285e..450a2b7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2725,7 +3149,7 @@ interface(`dev_write_misc',`
+@@ -2532,6 +2956,24 @@ interface(`dev_read_raw_memory',`
+ 
+ ########################################
+ ## <summary>
++##	Allow to be reader of raw memory devices (e.g. /dev/mem).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_raw_memory_reader',`
++	gen_require(`
++		attribute memory_raw_read;
++	')
++
++	typeattribute $1 memory_raw_read;
++')
++
++########################################
++## <summary>
+ ##	Do not audit attempts to read raw memory devices
+ ##	(e.g. /dev/mem).
+ ## </summary>
+@@ -2573,6 +3015,24 @@ interface(`dev_write_raw_memory',`
+ 
+ ########################################
+ ## <summary>
++##	Allow to be writer of raw memory devices (e.g. /dev/mem).
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_raw_memory_writer',`
++	gen_require(`
++		attribute memory_raw_write;
++	')
++
++	typeattribute $1 memory_raw_write;
++')
++
++########################################
++## <summary>
+ ##	Read and execute raw memory devices (e.g. /dev/mem).
+ ## </summary>
+ ## <param name="domain">
+@@ -2725,7 +3185,7 @@ interface(`dev_write_misc',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -6903,7 +6955,7 @@ index 76f285e..450a2b7 100644
  ##	</summary>
  ## </param>
  #
-@@ -2811,6 +3235,78 @@ interface(`dev_rw_modem',`
+@@ -2811,6 +3271,78 @@ interface(`dev_rw_modem',`
  
  ########################################
  ## <summary>
@@ -6982,7 +7034,7 @@ index 76f285e..450a2b7 100644
  ##	Get the attributes of the mouse devices.
  ## </summary>
  ## <param name="domain">
-@@ -2903,20 +3399,20 @@ interface(`dev_getattr_mtrr_dev',`
+@@ -2903,20 +3435,20 @@ interface(`dev_getattr_mtrr_dev',`
  
  ########################################
  ## <summary>
@@ -7007,7 +7059,7 @@ index 76f285e..450a2b7 100644
  ##	</p>
  ## </desc>
  ## <param name="domain">
-@@ -2925,43 +3421,34 @@ interface(`dev_getattr_mtrr_dev',`
+@@ -2925,43 +3457,34 @@ interface(`dev_getattr_mtrr_dev',`
  ##	</summary>
  ## </param>
  #
@@ -7063,7 +7115,7 @@ index 76f285e..450a2b7 100644
  ##	range registers (MTRR).
  ## </summary>
  ## <param name="domain">
-@@ -2970,13 +3457,32 @@ interface(`dev_write_mtrr',`
+@@ -2970,13 +3493,32 @@ interface(`dev_write_mtrr',`
  ##	</summary>
  ## </param>
  #
@@ -7099,11 +7151,10 @@ index 76f285e..450a2b7 100644
  ')
  
  ########################################
-@@ -3144,7 +3650,43 @@ interface(`dev_create_null_dev',`
+@@ -3144,6 +3686,42 @@ interface(`dev_create_null_dev',`
  
  ########################################
  ## <summary>
--##	Do not audit attempts to get the attributes
 +##	Get the status of a null device service.
 +## </summary>
 +## <param name="domain">
@@ -7140,11 +7191,10 @@ index 76f285e..450a2b7 100644
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to get the attributes
+ ##	Do not audit attempts to get the attributes
  ##	of the BIOS non-volatile RAM device.
  ## </summary>
- ## <param name="domain">
-@@ -3163,6 +3705,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',`
+@@ -3163,6 +3741,24 @@ interface(`dev_dontaudit_getattr_nvram_dev',`
  
  ########################################
  ## <summary>
@@ -7169,7 +7219,7 @@ index 76f285e..450a2b7 100644
  ##	Read and write BIOS non-volatile RAM.
  ## </summary>
  ## <param name="domain">
-@@ -3254,7 +3814,25 @@ interface(`dev_rw_printer',`
+@@ -3254,7 +3850,25 @@ interface(`dev_rw_printer',`
  
  ########################################
  ## <summary>
@@ -7196,7 +7246,7 @@ index 76f285e..450a2b7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3262,12 +3840,13 @@ interface(`dev_rw_printer',`
+@@ -3262,12 +3876,13 @@ interface(`dev_rw_printer',`
  ##	</summary>
  ## </param>
  #
@@ -7213,7 +7263,7 @@ index 76f285e..450a2b7 100644
  ')
  
  ########################################
-@@ -3399,7 +3978,7 @@ interface(`dev_dontaudit_read_rand',`
+@@ -3399,7 +4014,7 @@ interface(`dev_dontaudit_read_rand',`
  
  ########################################
  ## <summary>
@@ -7222,7 +7272,7 @@ index 76f285e..450a2b7 100644
  ##	number generator devices (e.g., /dev/random)
  ## </summary>
  ## <param name="domain">
-@@ -3413,7 +3992,7 @@ interface(`dev_dontaudit_append_rand',`
+@@ -3413,7 +4028,7 @@ interface(`dev_dontaudit_append_rand',`
  		type random_device_t;
  	')
  
@@ -7231,213 +7281,760 @@ index 76f285e..450a2b7 100644
  ')
  
  ########################################
-@@ -3855,6 +4434,114 @@ interface(`dev_getattr_sysfs_dirs',`
+@@ -3855,7 +4470,7 @@ interface(`dev_getattr_sysfs_dirs',`
  
  ########################################
  ## <summary>
+-##	Search the sysfs directories.
 +##	Set the attributes of sysfs directories.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -3863,91 +4478,89 @@ interface(`dev_getattr_sysfs_dirs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_search_sysfs',`
 +interface(`dev_setattr_sysfs_dirs',`
-+	gen_require(`
-+		type sysfs_t;
-+	')
-+
+ 	gen_require(`
+ 		type sysfs_t;
+ 	')
+ 
+-	search_dirs_pattern($1, sysfs_t, sysfs_t)
 +	allow $1 sysfs_t:dir setattr_dir_perms;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to search sysfs.
 +##	Get attributes of sysfs filesystems.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_dontaudit_search_sysfs',`
 +interface(`dev_getattr_sysfs_fs',`
-+	gen_require(`
-+		type sysfs_t;
-+	')
-+
+ 	gen_require(`
+ 		type sysfs_t;
+ 	')
+ 
+-	dontaudit $1 sysfs_t:dir search_dir_perms;
 +	allow $1 sysfs_t:filesystem getattr;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	List the contents of the sysfs directories.
 +##	Mount a filesystem on /sys
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain allow access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_list_sysfs',`
 +interface(`dev_mounton_sysfs',`
-+	gen_require(`
-+		type sysfs_t;
-+	')
-+
+ 	gen_require(`
+ 		type sysfs_t;
+ 	')
+ 
+-	list_dirs_pattern($1, sysfs_t, sysfs_t)
 +	allow $1 sysfs_t:dir mounton;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Write in a sysfs directories.
 +##	Dontaudit attempts to mount a filesystem on /sys
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_dontaudit_mounton_sysfs',`
-+	gen_require(`
-+		type sysfs_t;
-+	')
-+
-+	dontaudit $1 sysfs_t:dir mounton;
-+')
-+
-+########################################
-+## <summary>
-+##	Mount sysfs filesystems.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_mount_sysfs_fs',`
-+	gen_require(`
-+		type sysfs_t;
-+	')
-+
-+	allow $1 sysfs_t:filesystem mount;
-+')
-+
-+########################################
-+## <summary>
-+##	Unmount sysfs filesystems.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_unmount_sysfs_fs',`
-+	gen_require(`
-+		type sysfs_t;
-+	')
-+
-+	allow $1 sysfs_t:filesystem unmount;
-+')
-+
-+########################################
-+## <summary>
- ##	Search the sysfs directories.
  ## </summary>
  ## <param name="domain">
-@@ -3904,6 +4591,7 @@ interface(`dev_list_sysfs',`
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-# cjp: added for cpuspeed
+-interface(`dev_write_sysfs_dirs',`
++interface(`dev_dontaudit_mounton_sysfs',`
+ 	gen_require(`
  		type sysfs_t;
  	')
  
-+	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
- 	list_dirs_pattern($1, sysfs_t, sysfs_t)
+-	allow $1 sysfs_t:dir write;
++	dontaudit $1 sysfs_t:dir mounton;
  ')
  
-@@ -3928,6 +4616,24 @@ interface(`dev_write_sysfs_dirs',`
- 
  ########################################
  ## <summary>
-+##	Access check for a sysfs directories.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_access_check_sysfs',`
-+	gen_require(`
-+		type sysfs_t;
-+	')
-+
-+	allow $1 sysfs_t:dir audit_access;
-+')
-+
-+########################################
-+## <summary>
- ##	Do not audit attempts to write in a sysfs directory.
+-##	Do not audit attempts to write in a sysfs directory.
++##	Mount sysfs filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -3946,23 +4652,49 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_dontaudit_write_sysfs_dirs',`
++interface(`dev_mount_sysfs_fs',`
+ 	gen_require(`
+ 		type sysfs_t;
+ 	')
+ 
+-	dontaudit $1 sysfs_t:dir write;
++	allow $1 sysfs_t:filesystem mount;
+ ')
  
  ########################################
  ## <summary>
 -##	Create, read, write, and delete sysfs
 -##	directories.
-+##	Read cpu online hardware state information.
++##	Unmount sysfs filesystems.
  ## </summary>
-+## <desc>
-+##	<p>
-+##	Allow the specified domain to read /sys/devices/system/cpu/online file.
-+##	</p>
-+## </desc>
  ## <param name="domain">
  ##	<summary>
- ##	Domain allowed access.
+@@ -3955,68 +4568,53 @@ interface(`dev_dontaudit_write_sysfs_dirs',`
  ##	</summary>
  ## </param>
  #
 -interface(`dev_manage_sysfs_dirs',`
-+interface(`dev_read_cpu_online',`
-+	gen_require(`
-+		type cpu_online_t;
-+	')
-+
-+	dev_search_sysfs($1)
-+	read_files_pattern($1, cpu_online_t, cpu_online_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Relabel cpu online hardware state information.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_relabel_cpu_online',`
++interface(`dev_unmount_sysfs_fs',`
  	gen_require(`
-+		type cpu_online_t;
  		type sysfs_t;
  	')
  
 -	manage_dirs_pattern($1, sysfs_t, sysfs_t)
-+	dev_search_sysfs($1)
++	allow $1 sysfs_t:filesystem unmount;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read hardware state information.
++##	Search the sysfs directories.
+ ## </summary>
+-## <desc>
+-##	<p>
+-##	Allow the specified domain to read the contents of
+-##	the sysfs filesystem.  This filesystem contains
+-##	information, parameters, and other settings on the
+-##	hardware installed on the system.
+-##	</p>
+-## </desc>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <infoflow type="read" weight="10"/>
+ #
+-interface(`dev_read_sysfs',`
++interface(`dev_search_sysfs',`
+ 	gen_require(`
+ 		type sysfs_t;
+ 	')
+ 
+-	read_files_pattern($1, sysfs_t, sysfs_t)
+-	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
+-
+-	list_dirs_pattern($1, sysfs_t, sysfs_t)
++	search_dirs_pattern($1, sysfs_t, sysfs_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Allow caller to modify hardware state information.
++##	Do not audit attempts to search sysfs.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_rw_sysfs',`
++interface(`dev_dontaudit_search_sysfs',`
+ 	gen_require(`
+ 		type sysfs_t;
+ 	')
+ 
+-	rw_files_pattern($1, sysfs_t, sysfs_t)
+-	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
+-
+-	list_dirs_pattern($1, sysfs_t, sysfs_t)
++	dontaudit $1 sysfs_t:dir search_dir_perms;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read and write the TPM device.
++##	List the contents of the sysfs directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4024,114 +4622,97 @@ interface(`dev_rw_sysfs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_rw_tpm',`
++interface(`dev_list_sysfs',`
+ 	gen_require(`
+-		type device_t, tpm_device_t;
++		type sysfs_t;
+ 	')
+ 
+-	rw_chr_files_pattern($1, device_t, tpm_device_t)
++	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
++	list_dirs_pattern($1, sysfs_t, sysfs_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read from pseudo random number generator devices (e.g., /dev/urandom).
++##	Write in a sysfs directories.
+ ## </summary>
+-## <desc>
+-##	<p>
+-##	Allow the specified domain to read from pseudo random number
+-##	generator devices (e.g., /dev/urandom).  Typically this is
+-##	used in situations when a cryptographically secure random
+-##	number is not necessarily needed.  One example is the Stack
+-##	Smashing Protector (SSP, formerly known as ProPolice) support
+-##	that may be compiled into programs.
+-##	</p>
+-##	<p>
+-##	Related interface:
+-##	</p>
+-##	<ul>
+-##		<li>dev_read_rand()</li>
+-##	</ul>
+-##	<p>
+-##	Related tunable:
+-##	</p>
+-##	<ul>
+-##		<li>global_ssp</li>
+-##	</ul>
+-## </desc>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+-## <infoflow type="read" weight="10"/>
+ #
+-interface(`dev_read_urand',`
++# cjp: added for cpuspeed
++interface(`dev_write_sysfs_dirs',`
+ 	gen_require(`
+-		type device_t, urandom_device_t;
++		type sysfs_t;
+ 	')
+ 
+-	read_chr_files_pattern($1, device_t, urandom_device_t)
++	allow $1 sysfs_t:dir write;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to read from pseudo
+-##	random devices (e.g., /dev/urandom)
++##	Access check for a sysfs directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_dontaudit_read_urand',`
++interface(`dev_access_check_sysfs',`
+ 	gen_require(`
+-		type urandom_device_t;
++		type sysfs_t;
+ 	')
+ 
+-	dontaudit $1 urandom_device_t:chr_file { getattr read };
++	allow $1 sysfs_t:dir audit_access;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Write to the pseudo random device (e.g., /dev/urandom). This
+-##	sets the random number generator seed.
++##	Do not audit attempts to write in a sysfs directory.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_write_urand',`
++interface(`dev_dontaudit_write_sysfs_dirs',`
+ 	gen_require(`
+-		type device_t, urandom_device_t;
++		type sysfs_t;
+ 	')
+ 
+-	write_chr_files_pattern($1, device_t, urandom_device_t)
++	dontaudit $1 sysfs_t:dir write;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Getattr generic the USB devices.
++##	Read cpu online hardware state information.
+ ## </summary>
++## <desc>
++##	<p>
++##	Allow the specified domain to read /sys/devices/system/cpu/online file.
++##	</p>
++## </desc>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_getattr_generic_usb_dev',`
++interface(`dev_read_cpu_online',`
+ 	gen_require(`
+-		type usb_device_t;
++		type cpu_online_t;
+ 	')
+ 
+-	getattr_chr_files_pattern($1, device_t, usb_device_t)
++	dev_search_sysfs($1)
++	read_files_pattern($1, cpu_online_t, cpu_online_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Setattr generic the USB devices.
++##	Relabel cpu online hardware state information.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4139,35 +4720,50 @@ interface(`dev_getattr_generic_usb_dev',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_setattr_generic_usb_dev',`
++interface(`dev_relabel_cpu_online',`
+ 	gen_require(`
+-		type usb_device_t;
++		type cpu_online_t;
++		type sysfs_t;
+ 	')
+ 
+-	setattr_chr_files_pattern($1, device_t, usb_device_t)
++	dev_search_sysfs($1)
 +	allow $1 cpu_online_t:file relabel_file_perms;
  ')
  
 +
- ########################################
- ## <summary>
- ##	Read hardware state information.
-@@ -4016,6 +4748,62 @@ interface(`dev_rw_sysfs',`
- 
- ########################################
- ## <summary>
-+##	Relabel hardware state directories.
+ ########################################
+ ## <summary>
+-##	Read generic the USB devices.
++##	Read hardware state information.
+ ## </summary>
++## <desc>
++##	<p>
++##	Allow the specified domain to read the contents of
++##	the sysfs filesystem.  This filesystem contains
++##	information, parameters, and other settings on the
++##	hardware installed on the system.
++##	</p>
++## </desc>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
++## <infoflow type="read" weight="10"/>
+ #
+-interface(`dev_read_generic_usb_dev',`
++interface(`dev_read_sysfs',`
+ 	gen_require(`
+-		type usb_device_t;
++		type sysfs_t;
+ 	')
+ 
+-	read_chr_files_pattern($1, device_t, usb_device_t)
++	read_files_pattern($1, sysfs_t, sysfs_t)
++	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
++
++	list_dirs_pattern($1, sysfs_t, sysfs_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read and write generic the USB devices.
++##	Allow caller to modify hardware state information.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4175,17 +4771,20 @@ interface(`dev_read_generic_usb_dev',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_rw_generic_usb_dev',`
++interface(`dev_rw_sysfs',`
+ 	gen_require(`
+-		type device_t, usb_device_t;
++		type sysfs_t;
+ 	')
+ 
+-	rw_chr_files_pattern($1, device_t, usb_device_t)
++	rw_files_pattern($1, sysfs_t, sysfs_t)
++	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
++
++	list_dirs_pattern($1, sysfs_t, sysfs_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Relabel generic the USB devices.
++##	Relabel hardware state directories.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4193,17 +4792,17 @@ interface(`dev_rw_generic_usb_dev',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_relabel_generic_usb_dev',`
++interface(`dev_relabel_sysfs_dirs',`
+ 	gen_require(`
+-		type usb_device_t;
++		type sysfs_t;
+ 	')
+ 
+-	relabel_chr_files_pattern($1, device_t, usb_device_t)
++	relabel_dirs_pattern($1, sysfs_t, sysfs_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read USB monitor devices.
++##	Relabel hardware state files
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4211,7 +4810,251 @@ interface(`dev_relabel_generic_usb_dev',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_read_usbmon_dev',`
++interface(`dev_relabel_all_sysfs',`
++	gen_require(`
++		type sysfs_t;
++	')
++
++	relabel_dirs_pattern($1, sysfs_t, sysfs_t)
++	relabel_files_pattern($1, sysfs_t, sysfs_t)
++	relabel_lnk_files_pattern($1, sysfs_t, sysfs_t)
++')
++
++########################################
++## <summary>
++##	Allow caller to modify hardware state information.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_manage_sysfs_dirs',`
++	gen_require(`
++		type sysfs_t;
++	')
++
++	manage_dirs_pattern($1, sysfs_t, sysfs_t)
++')
++
++########################################
++## <summary>
++##	Read and write the TPM device.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_rw_tpm',`
++	gen_require(`
++		type device_t, tpm_device_t;
++	')
++
++	rw_chr_files_pattern($1, device_t, tpm_device_t)
++')
++
++########################################
++## <summary>
++##	Read from pseudo random number generator devices (e.g., /dev/urandom).
++## </summary>
++## <desc>
++##	<p>
++##	Allow the specified domain to read from pseudo random number
++##	generator devices (e.g., /dev/urandom).  Typically this is
++##	used in situations when a cryptographically secure random
++##	number is not necessarily needed.  One example is the Stack
++##	Smashing Protector (SSP, formerly known as ProPolice) support
++##	that may be compiled into programs.
++##	</p>
++##	<p>
++##	Related interface:
++##	</p>
++##	<ul>
++##		<li>dev_read_rand()</li>
++##	</ul>
++##	<p>
++##	Related tunable:
++##	</p>
++##	<ul>
++##		<li>global_ssp</li>
++##	</ul>
++## </desc>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <infoflow type="read" weight="10"/>
++#
++interface(`dev_read_urand',`
++	gen_require(`
++		type device_t, urandom_device_t;
++	')
++
++	read_chr_files_pattern($1, device_t, urandom_device_t)
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to read from pseudo
++##	random devices (e.g., /dev/urandom)
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`dev_dontaudit_read_urand',`
++	gen_require(`
++		type urandom_device_t;
++	')
++
++	dontaudit $1 urandom_device_t:chr_file { getattr read };
++')
++
++########################################
++## <summary>
++##	Write to the pseudo random device (e.g., /dev/urandom). This
++##	sets the random number generator seed.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_write_urand',`
++	gen_require(`
++		type device_t, urandom_device_t;
++	')
++
++	write_chr_files_pattern($1, device_t, urandom_device_t)
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to write to pseudo
++##	random devices (e.g., /dev/urandom)
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`dev_dontaudit_write_urand',`
++	gen_require(`
++		type urandom_device_t;
++	')
++
++	dontaudit $1 urandom_device_t:chr_file write;
++')
++
++########################################
++## <summary>
++##	Getattr generic the USB devices.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_getattr_generic_usb_dev',`
++	gen_require(`
++		type usb_device_t,device_t;
++	')
++
++	getattr_chr_files_pattern($1, device_t, usb_device_t)
++')
++
++########################################
++## <summary>
++##	Setattr generic the USB devices.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_setattr_generic_usb_dev',`
++	gen_require(`
++		type usb_device_t;
++	')
++
++	setattr_chr_files_pattern($1, device_t, usb_device_t)
++')
++
++########################################
++## <summary>
++##	Read generic the USB devices.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_read_generic_usb_dev',`
++	gen_require(`
++		type usb_device_t;
++	')
++
++	read_chr_files_pattern($1, device_t, usb_device_t)
++')
++
++########################################
++## <summary>
++##	Read and write generic the USB devices.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_rw_generic_usb_dev',`
++	gen_require(`
++		type device_t, usb_device_t;
++	')
++
++	rw_chr_files_pattern($1, device_t, usb_device_t)
++')
++
++########################################
++## <summary>
++##	Relabel generic the USB devices.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_relabel_generic_usb_dev',`
++	gen_require(`
++		type usb_device_t;
++	')
++
++	relabel_chr_files_pattern($1, device_t, usb_device_t)
++')
++
++########################################
++## <summary>
++##	Read USB monitor devices.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_read_usbmon_dev',`
+ 	gen_require(`
+ 		type device_t, usbmon_device_t;
+ 	')
+@@ -4267,15 +5110,169 @@ interface(`dev_mount_usbfs',`
+ #
+ interface(`dev_associate_usbfs',`
+ 	gen_require(`
+-		type usbfs_t;
++		type usbfs_t;
++	')
++
++	allow $1 usbfs_t:filesystem associate;
++')
++
++########################################
++## <summary>
++##	Get the attributes of a directory in the usb filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_getattr_usbfs_dirs',`
++	gen_require(`
++		type usbfs_t;
++	')
++
++	allow $1 usbfs_t:dir getattr_dir_perms;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to get the attributes
++##	of a directory in the usb filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`dev_dontaudit_getattr_usbfs_dirs',`
++	gen_require(`
++		type usbfs_t;
++	')
++
++	dontaudit $1 usbfs_t:dir getattr_dir_perms;
++')
++
++########################################
++## <summary>
++##	Search the directory containing USB hardware information.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -7445,17 +8042,17 @@ index 76f285e..450a2b7 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_relabel_sysfs_dirs',`
++interface(`dev_search_usbfs',`
 +	gen_require(`
-+		type sysfs_t;
++		type usbfs_t;
 +	')
 +
-+	relabel_dirs_pattern($1, sysfs_t, sysfs_t)
++	search_dirs_pattern($1, usbfs_t, usbfs_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Relabel hardware state files
++##	Allow caller to get a list of usb hardware.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -7463,19 +8060,20 @@ index 76f285e..450a2b7 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_relabel_all_sysfs',`
++interface(`dev_list_usbfs',`
 +	gen_require(`
-+		type sysfs_t;
++		type usbfs_t;
 +	')
 +
-+	relabel_dirs_pattern($1, sysfs_t, sysfs_t)
-+	relabel_files_pattern($1, sysfs_t, sysfs_t)
-+	relabel_lnk_files_pattern($1, sysfs_t, sysfs_t)
++	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
++	getattr_files_pattern($1, usbfs_t, usbfs_t)
++
++	list_dirs_pattern($1, usbfs_t, usbfs_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Allow caller to modify hardware state information.
++##	Set the attributes of usbfs filesystem.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -7483,266 +8081,425 @@ index 76f285e..450a2b7 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_manage_sysfs_dirs',`
++interface(`dev_setattr_usbfs_files',`
 +	gen_require(`
-+		type sysfs_t;
++		type usbfs_t;
 +	')
 +
-+	manage_dirs_pattern($1, sysfs_t, sysfs_t)
++	setattr_files_pattern($1, usbfs_t, usbfs_t)
++	list_dirs_pattern($1, usbfs_t, usbfs_t)
 +')
 +
 +########################################
 +## <summary>
- ##	Read and write the TPM device.
- ## </summary>
- ## <param name="domain">
-@@ -4113,6 +4901,25 @@ interface(`dev_write_urand',`
- 
- ########################################
- ## <summary>
-+##	Do not audit attempts to write to pseudo
-+##	random devices (e.g., /dev/urandom)
++##	Read USB hardware information using
++##	the usbfs filesystem interface.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain to not audit.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`dev_dontaudit_write_urand',`
++interface(`dev_read_usbfs',`
 +	gen_require(`
-+		type urandom_device_t;
++		type usbfs_t;
 +	')
 +
-+	dontaudit $1 urandom_device_t:chr_file write;
++	read_files_pattern($1, usbfs_t, usbfs_t)
++	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
++	list_dirs_pattern($1, usbfs_t, usbfs_t)
 +')
 +
 +########################################
 +## <summary>
- ##	Getattr generic the USB devices.
++##	Allow caller to modify usb hardware configuration files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_rw_usbfs',`
++	gen_require(`
++		type usbfs_t;
++	')
++
++	list_dirs_pattern($1, usbfs_t, usbfs_t)
++	rw_files_pattern($1, usbfs_t, usbfs_t)
++	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
++')
++
++######################################
++## <summary>
++##	Read and write userio device.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_rw_userio_dev',`
++	gen_require(`
++		type device_t, userio_device_t;
+ 	')
+ 
+-	allow $1 usbfs_t:filesystem associate;
++	rw_chr_files_pattern($1, device_t, userio_device_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Get the attributes of a directory in the usb filesystem.
++##	Get the attributes of video4linux devices.
  ## </summary>
  ## <param name="domain">
-@@ -4123,7 +4930,7 @@ interface(`dev_write_urand',`
+ ##	<summary>
+@@ -4283,18 +5280,18 @@ interface(`dev_associate_usbfs',`
+ ##	</summary>
+ ## </param>
  #
- interface(`dev_getattr_generic_usb_dev',`
+-interface(`dev_getattr_usbfs_dirs',`
++interface(`dev_getattr_video_dev',`
  	gen_require(`
--		type usb_device_t;
-+		type usb_device_t,device_t;
+-		type usbfs_t;
++		type device_t, v4l_device_t;
  	')
  
- 	getattr_chr_files_pattern($1, device_t, usb_device_t)
-@@ -4409,9 +5216,9 @@ interface(`dev_rw_usbfs',`
- 	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
+-	allow $1 usbfs_t:dir getattr_dir_perms;
++	getattr_chr_files_pattern($1, device_t, v4l_device_t)
  ')
  
--########################################
-+######################################
+ ########################################
  ## <summary>
--##	Get the attributes of video4linux devices.
-+##	Read and write userio device.
+ ##	Do not audit attempts to get the attributes
+-##	of a directory in the usb filesystem.
++##	of video4linux device nodes.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4419,17 +5226,17 @@ interface(`dev_rw_usbfs',`
+@@ -4302,17 +5299,17 @@ interface(`dev_getattr_usbfs_dirs',`
  ##	</summary>
  ## </param>
  #
--interface(`dev_getattr_video_dev',`
-+interface(`dev_rw_userio_dev',`
+-interface(`dev_dontaudit_getattr_usbfs_dirs',`
++interface(`dev_dontaudit_getattr_video_dev',`
  	gen_require(`
--		type device_t, v4l_device_t;
-+		type device_t, userio_device_t;
+-		type usbfs_t;
++		type v4l_device_t;
  	')
  
--	getattr_chr_files_pattern($1, device_t, v4l_device_t)
-+	rw_chr_files_pattern($1, device_t, userio_device_t)
+-	dontaudit $1 usbfs_t:dir getattr_dir_perms;
++	dontaudit $1 v4l_device_t:chr_file getattr;
  ')
  
--######################################
-+########################################
+ ########################################
  ## <summary>
--##	Read and write userio device.
-+##	Get the attributes of video4linux devices.
+-##	Search the directory containing USB hardware information.
++##	Set the attributes of video4linux device nodes.
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -4437,12 +5244,12 @@ interface(`dev_getattr_video_dev',`
+@@ -4320,38 +5317,36 @@ interface(`dev_dontaudit_getattr_usbfs_dirs',`
  ##	</summary>
  ## </param>
  #
--interface(`dev_rw_userio_dev',`
-+interface(`dev_getattr_video_dev',`
+-interface(`dev_search_usbfs',`
++interface(`dev_setattr_video_dev',`
  	gen_require(`
--		type device_t, userio_device_t;
+-		type usbfs_t;
 +		type device_t, v4l_device_t;
  	')
  
--	rw_chr_files_pattern($1, device_t, userio_device_t)
-+	getattr_chr_files_pattern($1, device_t, v4l_device_t)
+-	search_dirs_pattern($1, usbfs_t, usbfs_t)
++	setattr_chr_files_pattern($1, device_t, v4l_device_t)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Allow caller to get a list of usb hardware.
++##	Do not audit attempts to set the attributes
++##	of video4linux device nodes.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
++##	Domain to not audit.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_list_usbfs',`
++interface(`dev_dontaudit_setattr_video_dev',`
+ 	gen_require(`
+-		type usbfs_t;
++		type v4l_device_t;
+ 	')
+ 
+-	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
+-	getattr_files_pattern($1, usbfs_t, usbfs_t)
+-
+-	list_dirs_pattern($1, usbfs_t, usbfs_t)
++	dontaudit $1 v4l_device_t:chr_file setattr;
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Set the attributes of usbfs filesystem.
++##	Read the video4linux devices.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4359,19 +5354,17 @@ interface(`dev_list_usbfs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_setattr_usbfs_files',`
++interface(`dev_read_video_dev',`
+ 	gen_require(`
+-		type usbfs_t;
++		type device_t, v4l_device_t;
+ 	')
+ 
+-	setattr_files_pattern($1, usbfs_t, usbfs_t)
+-	list_dirs_pattern($1, usbfs_t, usbfs_t)
++	read_chr_files_pattern($1, device_t, v4l_device_t)
  ')
  
  ########################################
-@@ -4539,6 +5346,134 @@ interface(`dev_write_video_dev',`
+ ## <summary>
+-##	Read USB hardware information using
+-##	the usbfs filesystem interface.
++##	Write the video4linux devices.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4379,19 +5372,17 @@ interface(`dev_setattr_usbfs_files',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_read_usbfs',`
++interface(`dev_write_video_dev',`
+ 	gen_require(`
+-		type usbfs_t;
++		type device_t, v4l_device_t;
+ 	')
+ 
+-	read_files_pattern($1, usbfs_t, usbfs_t)
+-	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
+-	list_dirs_pattern($1, usbfs_t, usbfs_t)
++	write_chr_files_pattern($1, device_t, v4l_device_t)
+ ')
  
  ########################################
  ## <summary>
+-##	Allow caller to modify usb hardware configuration files.
 +##	Get the attributes of vfio devices.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4399,37 +5390,36 @@ interface(`dev_read_usbfs',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_rw_usbfs',`
 +interface(`dev_getattr_vfio_dev',`
-+	gen_require(`
+ 	gen_require(`
+-		type usbfs_t;
 +		type device_t, vfio_device_t;
-+	')
-+
+ 	')
+ 
+-	list_dirs_pattern($1, usbfs_t, usbfs_t)
+-	rw_files_pattern($1, usbfs_t, usbfs_t)
+-	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
 +	getattr_chr_files_pattern($1, device_t, vfio_device_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Get the attributes of video4linux devices.
 +##	Do not audit attempts to get the attributes
 +##	of vfio device nodes.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain allowed access.
 +##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_getattr_video_dev',`
 +interface(`dev_dontaudit_getattr_vfio_dev',`
-+	gen_require(`
+ 	gen_require(`
+-		type device_t, v4l_device_t;
 +		type vfio_device_t;
-+	')
-+
+ 	')
+ 
+-	getattr_chr_files_pattern($1, device_t, v4l_device_t)
 +	dontaudit $1 vfio_device_t:chr_file getattr;
-+')
-+
+ ')
+ 
+-######################################
 +########################################
-+## <summary>
+ ## <summary>
+-##	Read and write userio device.
 +##	Set the attributes of vfio device nodes.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4437,18 +5427,18 @@ interface(`dev_getattr_video_dev',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_rw_userio_dev',`
 +interface(`dev_setattr_vfio_dev',`
-+	gen_require(`
+ 	gen_require(`
+-		type device_t, userio_device_t;
 +		type device_t, vfio_device_t;
-+	')
-+
+ 	')
+ 
+-	rw_chr_files_pattern($1, device_t, userio_device_t)
 +	setattr_chr_files_pattern($1, device_t, vfio_device_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to get the attributes
+-##	of video4linux device nodes.
 +##	Do not audit attempts to set the attributes
 +##	of vfio device nodes.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4456,17 +5446,17 @@ interface(`dev_rw_userio_dev',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_dontaudit_getattr_video_dev',`
 +interface(`dev_dontaudit_setattr_vfio_dev',`
-+	gen_require(`
+ 	gen_require(`
+-		type v4l_device_t;
 +		type vfio_device_t;
-+	')
-+
+ 	')
+ 
+-	dontaudit $1 v4l_device_t:chr_file getattr;
 +	dontaudit $1 vfio_device_t:chr_file setattr;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Set the attributes of video4linux device nodes.
 +##	Read the vfio devices.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4474,36 +5464,35 @@ interface(`dev_dontaudit_getattr_video_dev',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_setattr_video_dev',`
 +interface(`dev_read_vfio_dev',`
-+	gen_require(`
+ 	gen_require(`
+-		type device_t, v4l_device_t;
 +		type device_t, vfio_device_t;
-+	')
-+
+ 	')
+ 
+-	setattr_chr_files_pattern($1, device_t, v4l_device_t)
 +	read_chr_files_pattern($1, device_t, vfio_device_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to set the attributes
+-##	of video4linux device nodes.
 +##	Write the vfio devices.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
 +##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_dontaudit_setattr_video_dev',`
 +interface(`dev_write_vfio_dev',`
-+	gen_require(`
+ 	gen_require(`
+-		type v4l_device_t;
 +		type device_t, vfio_device_t;
-+	')
-+
+ 	')
+ 
+-	dontaudit $1 v4l_device_t:chr_file setattr;
 +	write_chr_files_pattern($1, device_t, vfio_device_t)
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Read the video4linux devices.
 +##	Read and write the VFIO devices.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -4511,17 +5500,17 @@ interface(`dev_dontaudit_setattr_video_dev',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_read_video_dev',`
 +interface(`dev_rw_vfio_dev',`
-+	gen_require(`
+ 	gen_require(`
+-		type device_t, v4l_device_t;
 +		type device_t, vfio_device_t;
-+	')
-+
+ 	')
+ 
+-	read_chr_files_pattern($1, device_t, v4l_device_t)
 +	rw_chr_files_pattern($1, device_t, vfio_device_t)
-+')
-+
-+########################################
-+## <summary>
- ##	Allow read/write the vhost net device
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Write the video4linux devices.
++##	Allow read/write the vhost net device
  ## </summary>
  ## <param name="domain">
-@@ -4557,6 +5492,24 @@ interface(`dev_rw_vhost',`
+ ##	<summary>
+@@ -4529,17 +5518,17 @@ interface(`dev_read_video_dev',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_write_video_dev',`
++interface(`dev_rw_vhost',`
+ 	gen_require(`
+-		type device_t, v4l_device_t;
++		type device_t, vhost_device_t;
+ 	')
+ 
+-	write_chr_files_pattern($1, device_t, v4l_device_t)
++	rw_chr_files_pattern($1, device_t, vhost_device_t)
+ ')
  
  ########################################
  ## <summary>
+-##	Allow read/write the vhost net device
 +##	Allow read/write inheretid the vhost net device
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_rw_inherited_vhost',`
-+	gen_require(`
-+		type device_t, vhost_device_t;
-+	')
-+
-+	allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;
-+')
-+
-+########################################
-+## <summary>
- ##	Read and write VMWare devices.
  ## </summary>
  ## <param name="domain">
-@@ -4630,6 +5583,24 @@ interface(`dev_write_watchdog',`
+ ##	<summary>
+@@ -4547,12 +5536,12 @@ interface(`dev_write_video_dev',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`dev_rw_vhost',`
++interface(`dev_rw_inherited_vhost',`
+ 	gen_require(`
+ 		type device_t, vhost_device_t;
+ 	')
+ 
+-	rw_chr_files_pattern($1, device_t, vhost_device_t)
++	allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;
+ ')
+ 
+ ########################################
+@@ -4630,6 +5619,24 @@ interface(`dev_write_watchdog',`
  
  ########################################
  ## <summary>
@@ -7767,7 +8524,7 @@ index 76f285e..450a2b7 100644
  ##	Read and write the the wireless device.
  ## </summary>
  ## <param name="domain">
-@@ -4762,6 +5733,44 @@ interface(`dev_rw_xserver_misc',`
+@@ -4762,6 +5769,44 @@ interface(`dev_rw_xserver_misc',`
  
  ########################################
  ## <summary>
@@ -7812,7 +8569,7 @@ index 76f285e..450a2b7 100644
  ##	Read and write to the zero device (/dev/zero).
  ## </summary>
  ## <param name="domain">
-@@ -4851,3 +5860,966 @@ interface(`dev_unconfined',`
+@@ -4851,3 +5896,966 @@ interface(`dev_unconfined',`
  
  	typeattribute $1 devices_unconfined_type;
  ')
@@ -10019,7 +10776,7 @@ index b876c48..a351aff 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76..1a36ae2 100644
+index f962f76..a226015 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -19,6 +19,136 @@
@@ -10760,7 +11517,7 @@ index f962f76..1a36ae2 100644
  ##	Do not audit attempts to get the attributes
  ##	of non security named sockets.
  ## </summary>
-@@ -1073,10 +1502,8 @@ interface(`files_relabel_all_files',`
+@@ -1073,13 +1502,12 @@ interface(`files_relabel_all_files',`
  	relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
  	relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
  	relabel_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -10773,7 +11530,20 @@ index f962f76..1a36ae2 100644
  
  	# satisfy the assertions:
  	seutil_relabelto_bin_policy($1)
-@@ -1182,24 +1609,6 @@ interface(`files_list_all',`
++    auth_relabelto_shadow($1)
+ ')
+ 
+ ########################################
+@@ -1140,6 +1568,8 @@ interface(`files_manage_all_files',`
+ 	# satisfy the assertions:
+ 	seutil_create_bin_policy($1)
+ 	files_manage_kernel_modules($1)
++    auth_reader_shadow($1)
++    auth_writer_shadow($1)
+ ')
+ 
+ ########################################
+@@ -1182,24 +1612,6 @@ interface(`files_list_all',`
  
  ########################################
  ## <summary>
@@ -10798,17 +11568,18 @@ index f962f76..1a36ae2 100644
  ##	Do not audit attempts to search the
  ##	contents of any directories on extended
  ##	attribute filesystems.
-@@ -1443,9 +1852,6 @@ interface(`files_relabel_non_auth_files',`
- 	# device nodes with file types.
+@@ -1444,8 +1856,8 @@ interface(`files_relabel_non_auth_files',`
  	relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type)
  	relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)
--
+ 
 -	# satisfy the assertions:
 -	seutil_relabelto_bin_policy($1)
++    # satisfy the assertions:
++    seutil_relabelto_bin_policy($1)
  ')
  
  #############################################
-@@ -1601,6 +2007,24 @@ interface(`files_setattr_all_mountpoints',`
+@@ -1601,6 +2013,24 @@ interface(`files_setattr_all_mountpoints',`
  
  ########################################
  ## <summary>
@@ -10833,7 +11604,7 @@ index f962f76..1a36ae2 100644
  ##	Do not audit attempts to set the attributes on all mount points.
  ## </summary>
  ## <param name="domain">
-@@ -1691,6 +2115,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1691,6 +2121,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
  
  ########################################
  ## <summary>
@@ -10858,7 +11629,14 @@ index f962f76..1a36ae2 100644
  ##	Do not audit attempts to write to mount points.
  ## </summary>
  ## <param name="domain">
-@@ -1709,98 +2151,79 @@ interface(`files_dontaudit_write_all_mountpoints',`
+@@ -1703,104 +2151,86 @@ interface(`files_dontaudit_write_all_mountpoints',`
+ 	gen_require(`
+ 		attribute mountpoint;
+ 	')
++    dontaudit $1 self:capability  dac_override;
+ 
+ 	dontaudit $1 mountpoint:dir write;
+ ')
  
  ########################################
  ## <summary>
@@ -10978,7 +11756,7 @@ index f962f76..1a36ae2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1808,17 +2231,127 @@ interface(`files_root_filetrans',`
+@@ -1808,18 +2238,128 @@ interface(`files_root_filetrans',`
  ##	</summary>
  ## </param>
  #
@@ -10995,6 +11773,7 @@ index f962f76..1a36ae2 100644
  ########################################
  ## <summary>
 -##	Do not audit attempts to read or write
+-##	files in the root directory.
 +##	Do not audit attempts to write to / dirs.
 +## </summary>
 +## <param name="domain">
@@ -11106,10 +11885,11 @@ index f962f76..1a36ae2 100644
 +########################################
 +## <summary>
 +##	Do not audit attempts to read or write
- ##	files in the root directory.
++##	files in the root directory.
  ## </summary>
  ## <param name="domain">
-@@ -1892,25 +2425,25 @@ interface(`files_delete_root_dir_entry',`
+ ##	<summary>
+@@ -1892,25 +2432,25 @@ interface(`files_delete_root_dir_entry',`
  
  ########################################
  ## <summary>
@@ -11141,7 +11921,7 @@ index f962f76..1a36ae2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1923,7 +2456,7 @@ interface(`files_relabel_rootfs',`
+@@ -1923,7 +2463,7 @@ interface(`files_relabel_rootfs',`
  		type root_t;
  	')
  
@@ -11150,7 +11930,7 @@ index f962f76..1a36ae2 100644
  ')
  
  ########################################
-@@ -1946,6 +2479,42 @@ interface(`files_unmount_rootfs',`
+@@ -1946,6 +2486,42 @@ interface(`files_unmount_rootfs',`
  
  ########################################
  ## <summary>
@@ -11193,7 +11973,7 @@ index f962f76..1a36ae2 100644
  ##	Get attributes of the /boot directory.
  ## </summary>
  ## <param name="domain">
-@@ -2181,6 +2750,24 @@ interface(`files_relabelfrom_boot_files',`
+@@ -2181,6 +2757,24 @@ interface(`files_relabelfrom_boot_files',`
  	relabelfrom_files_pattern($1, boot_t, boot_t)
  ')
  
@@ -11218,7 +11998,7 @@ index f962f76..1a36ae2 100644
  ######################################
  ## <summary>
  ##	Read symbolic links in the /boot directory.
-@@ -2645,6 +3232,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2645,6 +3239,24 @@ interface(`files_rw_etc_dirs',`
  	allow $1 etc_t:dir rw_dir_perms;
  ')
  
@@ -11243,7 +12023,7 @@ index f962f76..1a36ae2 100644
  ##########################################
  ## <summary>
  ## 	Manage generic directories in /etc
-@@ -2716,6 +3321,7 @@ interface(`files_read_etc_files',`
+@@ -2716,6 +3328,7 @@ interface(`files_read_etc_files',`
  	allow $1 etc_t:dir list_dir_perms;
  	read_files_pattern($1, etc_t, etc_t)
  	read_lnk_files_pattern($1, etc_t, etc_t)
@@ -11251,7 +12031,7 @@ index f962f76..1a36ae2 100644
  ')
  
  ########################################
-@@ -2724,7 +3330,7 @@ interface(`files_read_etc_files',`
+@@ -2724,7 +3337,7 @@ interface(`files_read_etc_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -11260,7 +12040,7 @@ index f962f76..1a36ae2 100644
  ##	</summary>
  ## </param>
  #
-@@ -2780,6 +3386,25 @@ interface(`files_manage_etc_files',`
+@@ -2780,6 +3393,25 @@ interface(`files_manage_etc_files',`
  
  ########################################
  ## <summary>
@@ -11286,7 +12066,7 @@ index f962f76..1a36ae2 100644
  ##	Delete system configuration files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2798,6 +3423,24 @@ interface(`files_delete_etc_files',`
+@@ -2798,6 +3430,24 @@ interface(`files_delete_etc_files',`
  
  ########################################
  ## <summary>
@@ -11311,7 +12091,7 @@ index f962f76..1a36ae2 100644
  ##	Execute generic files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2963,24 +3606,6 @@ interface(`files_delete_boot_flag',`
+@@ -2963,24 +3613,6 @@ interface(`files_delete_boot_flag',`
  
  ########################################
  ## <summary>
@@ -11336,7 +12116,7 @@ index f962f76..1a36ae2 100644
  ##	Read files in /etc that are dynamically
  ##	created on boot, such as mtab.
  ## </summary>
-@@ -3021,9 +3646,7 @@ interface(`files_read_etc_runtime_files',`
+@@ -3021,9 +3653,7 @@ interface(`files_read_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -11347,7 +12127,7 @@ index f962f76..1a36ae2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3031,18 +3654,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3031,18 +3661,17 @@ interface(`files_read_etc_runtime_files',`
  ##	</summary>
  ## </param>
  #
@@ -11369,7 +12149,7 @@ index f962f76..1a36ae2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3060,6 +3682,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3060,6 +3689,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -11396,7 +12176,7 @@ index f962f76..1a36ae2 100644
  ##	Read and write files in /etc that are dynamically
  ##	created on boot, such as mtab.
  ## </summary>
-@@ -3077,6 +3719,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -3077,6 +3726,7 @@ interface(`files_rw_etc_runtime_files',`
  
  	allow $1 etc_t:dir list_dir_perms;
  	rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -11404,7 +12184,7 @@ index f962f76..1a36ae2 100644
  ')
  
  ########################################
-@@ -3098,6 +3741,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3098,6 +3748,7 @@ interface(`files_manage_etc_runtime_files',`
  	')
  
  	manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -11412,7 +12192,7 @@ index f962f76..1a36ae2 100644
  ')
  
  ########################################
-@@ -3142,34 +3786,34 @@ interface(`files_etc_filetrans_etc_runtime',`
+@@ -3142,34 +3793,34 @@ interface(`files_etc_filetrans_etc_runtime',`
  #
  interface(`files_getattr_isid_type_dirs',`
  	gen_require(`
@@ -11455,7 +12235,7 @@ index f962f76..1a36ae2 100644
  ##	that have not yet been labeled.
  ## </summary>
  ## <param name="domain">
-@@ -3178,17 +3822,55 @@ interface(`files_dontaudit_search_isid_type_dirs',`
+@@ -3178,12 +3829,50 @@ interface(`files_dontaudit_search_isid_type_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -11468,11 +12248,10 @@ index f962f76..1a36ae2 100644
  
 -	allow $1 file_t:dir list_dir_perms;
 +	allow $1 unlabeled_t:dir setattr;
- ')
- 
- ########################################
- ## <summary>
--##	Read and write directories on new filesystems
++')
++
++########################################
++## <summary>
 +##	Do not audit attempts to search directories on new filesystems
 +##	that have not yet been labeled.
 +## </summary>
@@ -11507,15 +12286,10 @@ index f962f76..1a36ae2 100644
 +	')
 +
 +	allow $1 unlabeled_t:dir list_dir_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Read and write directories on new filesystems
- ##	that have not yet been labeled.
- ## </summary>
- ## <param name="domain">
-@@ -3199,10 +3881,10 @@ interface(`files_list_isid_type_dirs',`
+ ')
+ 
+ ########################################
+@@ -3199,10 +3888,10 @@ interface(`files_list_isid_type_dirs',`
  #
  interface(`files_rw_isid_type_dirs',`
  	gen_require(`
@@ -11528,7 +12302,7 @@ index f962f76..1a36ae2 100644
  ')
  
  ########################################
-@@ -3218,10 +3900,66 @@ interface(`files_rw_isid_type_dirs',`
+@@ -3218,10 +3907,66 @@ interface(`files_rw_isid_type_dirs',`
  #
  interface(`files_delete_isid_type_dirs',`
  	gen_require(`
@@ -11571,9 +12345,8 @@ index f962f76..1a36ae2 100644
 +interface(`files_mounton_isid',`
 +	gen_require(`
 +		type unlabeled_t;
- 	')
- 
--	delete_dirs_pattern($1, file_t, file_t)
++	')
++
 +	allow $1 unlabeled_t:dir mounton;
 +')
 +
@@ -11591,13 +12364,14 @@ index f962f76..1a36ae2 100644
 +interface(`files_relabelfrom_isid_type',`
 +	gen_require(`
 +		type unlabeled_t;
-+	')
-+
+ 	')
+ 
+-	delete_dirs_pattern($1, file_t, file_t)
 +	dontaudit $1 unlabeled_t:dir_file_class_set relabelfrom;
  ')
  
  ########################################
-@@ -3237,10 +3975,10 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3237,10 +3982,10 @@ interface(`files_delete_isid_type_dirs',`
  #
  interface(`files_manage_isid_type_dirs',`
  	gen_require(`
@@ -11610,7 +12384,7 @@ index f962f76..1a36ae2 100644
  ')
  
  ########################################
-@@ -3256,10 +3994,29 @@ interface(`files_manage_isid_type_dirs',`
+@@ -3256,10 +4001,29 @@ interface(`files_manage_isid_type_dirs',`
  #
  interface(`files_mounton_isid_type_dirs',`
  	gen_require(`
@@ -11642,7 +12416,7 @@ index f962f76..1a36ae2 100644
  ')
  
  ########################################
-@@ -3275,10 +4032,10 @@ interface(`files_mounton_isid_type_dirs',`
+@@ -3275,10 +4039,10 @@ interface(`files_mounton_isid_type_dirs',`
  #
  interface(`files_read_isid_type_files',`
  	gen_require(`
@@ -11655,7 +12429,7 @@ index f962f76..1a36ae2 100644
  ')
  
  ########################################
-@@ -3294,10 +4051,10 @@ interface(`files_read_isid_type_files',`
+@@ -3294,10 +4058,10 @@ interface(`files_read_isid_type_files',`
  #
  interface(`files_delete_isid_type_files',`
  	gen_require(`
@@ -11668,7 +12442,7 @@ index f962f76..1a36ae2 100644
  ')
  
  ########################################
-@@ -3313,10 +4070,10 @@ interface(`files_delete_isid_type_files',`
+@@ -3313,10 +4077,10 @@ interface(`files_delete_isid_type_files',`
  #
  interface(`files_delete_isid_type_symlinks',`
  	gen_require(`
@@ -11681,7 +12455,7 @@ index f962f76..1a36ae2 100644
  ')
  
  ########################################
-@@ -3332,10 +4089,10 @@ interface(`files_delete_isid_type_symlinks',`
+@@ -3332,10 +4096,10 @@ interface(`files_delete_isid_type_symlinks',`
  #
  interface(`files_delete_isid_type_fifo_files',`
  	gen_require(`
@@ -11694,7 +12468,7 @@ index f962f76..1a36ae2 100644
  ')
  
  ########################################
-@@ -3351,10 +4108,10 @@ interface(`files_delete_isid_type_fifo_files',`
+@@ -3351,10 +4115,10 @@ interface(`files_delete_isid_type_fifo_files',`
  #
  interface(`files_delete_isid_type_sock_files',`
  	gen_require(`
@@ -11707,7 +12481,7 @@ index f962f76..1a36ae2 100644
  ')
  
  ########################################
-@@ -3370,10 +4127,10 @@ interface(`files_delete_isid_type_sock_files',`
+@@ -3370,10 +4134,10 @@ interface(`files_delete_isid_type_sock_files',`
  #
  interface(`files_delete_isid_type_blk_files',`
  	gen_require(`
@@ -11720,7 +12494,7 @@ index f962f76..1a36ae2 100644
  ')
  
  ########################################
-@@ -3389,10 +4146,10 @@ interface(`files_delete_isid_type_blk_files',`
+@@ -3389,10 +4153,10 @@ interface(`files_delete_isid_type_blk_files',`
  #
  interface(`files_dontaudit_write_isid_chr_files',`
  	gen_require(`
@@ -11733,7 +12507,7 @@ index f962f76..1a36ae2 100644
  ')
  
  ########################################
-@@ -3408,10 +4165,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
+@@ -3408,10 +4172,10 @@ interface(`files_dontaudit_write_isid_chr_files',`
  #
  interface(`files_delete_isid_type_chr_files',`
  	gen_require(`
@@ -11746,7 +12520,7 @@ index f962f76..1a36ae2 100644
  ')
  
  ########################################
-@@ -3427,10 +4184,10 @@ interface(`files_delete_isid_type_chr_files',`
+@@ -3427,10 +4191,10 @@ interface(`files_delete_isid_type_chr_files',`
  #
  interface(`files_manage_isid_type_files',`
  	gen_require(`
@@ -11759,7 +12533,7 @@ index f962f76..1a36ae2 100644
  ')
  
  ########################################
-@@ -3446,10 +4203,10 @@ interface(`files_manage_isid_type_files',`
+@@ -3446,10 +4210,10 @@ interface(`files_manage_isid_type_files',`
  #
  interface(`files_manage_isid_type_symlinks',`
  	gen_require(`
@@ -11772,7 +12546,7 @@ index f962f76..1a36ae2 100644
  ')
  
  ########################################
-@@ -3465,10 +4222,29 @@ interface(`files_manage_isid_type_symlinks',`
+@@ -3465,10 +4229,29 @@ interface(`files_manage_isid_type_symlinks',`
  #
  interface(`files_rw_isid_type_blk_files',`
  	gen_require(`
@@ -11804,7 +12578,7 @@ index f962f76..1a36ae2 100644
  ')
  
  ########################################
-@@ -3484,10 +4260,10 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3484,10 +4267,10 @@ interface(`files_rw_isid_type_blk_files',`
  #
  interface(`files_manage_isid_type_blk_files',`
  	gen_require(`
@@ -11817,7 +12591,7 @@ index f962f76..1a36ae2 100644
  ')
  
  ########################################
-@@ -3503,10 +4279,10 @@ interface(`files_manage_isid_type_blk_files',`
+@@ -3503,10 +4286,10 @@ interface(`files_manage_isid_type_blk_files',`
  #
  interface(`files_manage_isid_type_chr_files',`
  	gen_require(`
@@ -11830,7 +12604,7 @@ index f962f76..1a36ae2 100644
  ')
  
  ########################################
-@@ -3552,6 +4328,27 @@ interface(`files_dontaudit_getattr_home_dir',`
+@@ -3552,6 +4335,27 @@ interface(`files_dontaudit_getattr_home_dir',`
  
  ########################################
  ## <summary>
@@ -11858,7 +12632,7 @@ index f962f76..1a36ae2 100644
  ##	Search home directories root (/home).
  ## </summary>
  ## <param name="domain">
-@@ -3814,20 +4611,38 @@ interface(`files_list_mnt',`
+@@ -3814,20 +4618,38 @@ interface(`files_list_mnt',`
  
  ######################################
  ## <summary>
@@ -11902,7 +12676,7 @@ index f962f76..1a36ae2 100644
  ')
  
  ########################################
-@@ -4217,6 +5032,175 @@ interface(`files_read_world_readable_sockets',`
+@@ -4217,6 +5039,175 @@ interface(`files_read_world_readable_sockets',`
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
@@ -12078,7 +12852,7 @@ index f962f76..1a36ae2 100644
  ########################################
  ## <summary>
  ##	Allow the specified type to associate
-@@ -4239,6 +5223,26 @@ interface(`files_associate_tmp',`
+@@ -4239,6 +5230,26 @@ interface(`files_associate_tmp',`
  
  ########################################
  ## <summary>
@@ -12105,7 +12879,7 @@ index f962f76..1a36ae2 100644
  ##	Get the	attributes of the tmp directory (/tmp).
  ## </summary>
  ## <param name="domain">
-@@ -4252,17 +5256,37 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4252,17 +5263,37 @@ interface(`files_getattr_tmp_dirs',`
  		type tmp_t;
  	')
  
@@ -12144,7 +12918,7 @@ index f962f76..1a36ae2 100644
  ##	</summary>
  ## </param>
  #
-@@ -4289,6 +5313,8 @@ interface(`files_search_tmp',`
+@@ -4289,6 +5320,8 @@ interface(`files_search_tmp',`
  		type tmp_t;
  	')
  
@@ -12153,7 +12927,7 @@ index f962f76..1a36ae2 100644
  	allow $1 tmp_t:dir search_dir_perms;
  ')
  
-@@ -4325,6 +5351,7 @@ interface(`files_list_tmp',`
+@@ -4325,6 +5358,7 @@ interface(`files_list_tmp',`
  		type tmp_t;
  	')
  
@@ -12161,7 +12935,7 @@ index f962f76..1a36ae2 100644
  	allow $1 tmp_t:dir list_dir_perms;
  ')
  
-@@ -4334,7 +5361,7 @@ interface(`files_list_tmp',`
+@@ -4334,7 +5368,7 @@ interface(`files_list_tmp',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -12170,7 +12944,7 @@ index f962f76..1a36ae2 100644
  ##	</summary>
  ## </param>
  #
-@@ -4346,14 +5373,33 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4346,21 +5380,41 @@ interface(`files_dontaudit_list_tmp',`
  	dontaudit $1 tmp_t:dir list_dir_perms;
  ')
  
@@ -12187,8 +12961,9 @@ index f962f76..1a36ae2 100644
 +##  <summary>
 +##  Domain not to audit.
 +##  </summary>
-+## </param>
-+#
+ ## </param>
+ #
+-interface(`files_delete_tmp_dir_entry',`
 +interface(`files_rw_generic_tmp_dir',`
 +    gen_require(`
 +        type tmp_t;
@@ -12206,10 +12981,10 @@ index f962f76..1a36ae2 100644
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
- ## </param>
- #
- interface(`files_delete_tmp_dir_entry',`
-@@ -4361,6 +5407,7 @@ interface(`files_delete_tmp_dir_entry',`
++## </param>
++#
++interface(`files_delete_tmp_dir_entry',`
+ 	gen_require(`
  		type tmp_t;
  	')
  
@@ -12217,7 +12992,7 @@ index f962f76..1a36ae2 100644
  	allow $1 tmp_t:dir del_entry_dir_perms;
  ')
  
-@@ -4402,6 +5449,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4402,6 +5456,32 @@ interface(`files_manage_generic_tmp_dirs',`
  
  ########################################
  ## <summary>
@@ -12250,7 +13025,7 @@ index f962f76..1a36ae2 100644
  ##	Manage temporary files and directories in /tmp.
  ## </summary>
  ## <param name="domain">
-@@ -4456,6 +5529,42 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4456,6 +5536,42 @@ interface(`files_rw_generic_tmp_sockets',`
  
  ########################################
  ## <summary>
@@ -12293,7 +13068,7 @@ index f962f76..1a36ae2 100644
  ##	Set the attributes of all tmp directories.
  ## </summary>
  ## <param name="domain">
-@@ -4474,6 +5583,60 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4474,6 +5590,60 @@ interface(`files_setattr_all_tmp_dirs',`
  
  ########################################
  ## <summary>
@@ -12354,7 +13129,7 @@ index f962f76..1a36ae2 100644
  ##	List all tmp directories.
  ## </summary>
  ## <param name="domain">
-@@ -4519,7 +5682,7 @@ interface(`files_relabel_all_tmp_dirs',`
+@@ -4519,7 +5689,7 @@ interface(`files_relabel_all_tmp_dirs',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -12363,7 +13138,7 @@ index f962f76..1a36ae2 100644
  ##	</summary>
  ## </param>
  #
-@@ -4579,7 +5742,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4579,7 +5749,7 @@ interface(`files_relabel_all_tmp_files',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -12372,7 +13147,7 @@ index f962f76..1a36ae2 100644
  ##	</summary>
  ## </param>
  #
-@@ -4611,6 +5774,44 @@ interface(`files_read_all_tmp_files',`
+@@ -4611,6 +5781,44 @@ interface(`files_read_all_tmp_files',`
  
  ########################################
  ## <summary>
@@ -12417,7 +13192,7 @@ index f962f76..1a36ae2 100644
  ##	Create an object in the tmp directories, with a private
  ##	type using a type transition.
  ## </summary>
-@@ -4664,6 +5865,16 @@ interface(`files_purge_tmp',`
+@@ -4664,6 +5872,16 @@ interface(`files_purge_tmp',`
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -12434,7 +13209,7 @@ index f962f76..1a36ae2 100644
  ')
  
  ########################################
-@@ -5112,6 +6323,24 @@ interface(`files_create_kernel_symbol_table',`
+@@ -5112,6 +6330,24 @@ interface(`files_create_kernel_symbol_table',`
  
  ########################################
  ## <summary>
@@ -12459,7 +13234,7 @@ index f962f76..1a36ae2 100644
  ##	Read system.map in the /boot directory.
  ## </summary>
  ## <param name="domain">
-@@ -5241,6 +6470,24 @@ interface(`files_list_var',`
+@@ -5241,6 +6477,24 @@ interface(`files_list_var',`
  
  ########################################
  ## <summary>
@@ -12484,7 +13259,7 @@ index f962f76..1a36ae2 100644
  ##	Create, read, write, and delete directories
  ##	in the /var directory.
  ## </summary>
-@@ -5328,7 +6575,7 @@ interface(`files_dontaudit_rw_var_files',`
+@@ -5328,7 +6582,7 @@ interface(`files_dontaudit_rw_var_files',`
  		type var_t;
  	')
  
@@ -12493,7 +13268,7 @@ index f962f76..1a36ae2 100644
  ')
  
  ########################################
-@@ -5527,6 +6774,25 @@ interface(`files_rw_var_lib_dirs',`
+@@ -5527,6 +6781,25 @@ interface(`files_rw_var_lib_dirs',`
  
  ########################################
  ## <summary>
@@ -12519,7 +13294,7 @@ index f962f76..1a36ae2 100644
  ##	Create objects in the /var/lib directory
  ## </summary>
  ## <param name="domain">
-@@ -5596,6 +6862,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5596,6 +6869,25 @@ interface(`files_read_var_lib_symlinks',`
  	read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
  ')
  
@@ -12545,7 +13320,7 @@ index f962f76..1a36ae2 100644
  # cjp: the next two interfaces really need to be fixed
  # in some way.  They really neeed their own types.
  
-@@ -5641,7 +6926,7 @@ interface(`files_manage_mounttab',`
+@@ -5641,7 +6933,7 @@ interface(`files_manage_mounttab',`
  
  ########################################
  ## <summary>
@@ -12554,7 +13329,7 @@ index f962f76..1a36ae2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5649,12 +6934,13 @@ interface(`files_manage_mounttab',`
+@@ -5649,12 +6941,13 @@ interface(`files_manage_mounttab',`
  ##	</summary>
  ## </param>
  #
@@ -12570,7 +13345,7 @@ index f962f76..1a36ae2 100644
  ')
  
  ########################################
-@@ -5672,6 +6958,7 @@ interface(`files_search_locks',`
+@@ -5672,6 +6965,7 @@ interface(`files_search_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -12578,7 +13353,7 @@ index f962f76..1a36ae2 100644
  	allow $1 var_lock_t:lnk_file read_lnk_file_perms;
  	search_dirs_pattern($1, var_t, var_lock_t)
  ')
-@@ -5698,7 +6985,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5698,7 +6992,26 @@ interface(`files_dontaudit_search_locks',`
  
  ########################################
  ## <summary>
@@ -12606,7 +13381,7 @@ index f962f76..1a36ae2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5706,13 +7012,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5706,13 +7019,12 @@ interface(`files_dontaudit_search_locks',`
  ##	</summary>
  ## </param>
  #
@@ -12623,7 +13398,7 @@ index f962f76..1a36ae2 100644
  ')
  
  ########################################
-@@ -5731,7 +7036,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5731,7 +7043,7 @@ interface(`files_rw_lock_dirs',`
  		type var_t, var_lock_t;
  	')
  
@@ -12632,7 +13407,7 @@ index f962f76..1a36ae2 100644
  	rw_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5764,7 +7069,6 @@ interface(`files_create_lock_dirs',`
+@@ -5764,7 +7076,6 @@ interface(`files_create_lock_dirs',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -12640,7 +13415,7 @@ index f962f76..1a36ae2 100644
  #
  interface(`files_relabel_all_lock_dirs',`
  	gen_require(`
-@@ -5779,7 +7083,7 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5779,7 +7090,7 @@ interface(`files_relabel_all_lock_dirs',`
  
  ########################################
  ## <summary>
@@ -12649,7 +13424,7 @@ index f962f76..1a36ae2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -5787,13 +7091,33 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5787,13 +7098,33 @@ interface(`files_relabel_all_lock_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -12684,7 +13459,7 @@ index f962f76..1a36ae2 100644
  	allow $1 var_lock_t:dir list_dir_perms;
  	getattr_files_pattern($1, var_lock_t, var_lock_t)
  ')
-@@ -5809,13 +7133,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5809,13 +7140,12 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -12702,7 +13477,7 @@ index f962f76..1a36ae2 100644
  ')
  
  ########################################
-@@ -5834,9 +7157,7 @@ interface(`files_manage_generic_locks',`
+@@ -5834,9 +7164,7 @@ interface(`files_manage_generic_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -12713,7 +13488,7 @@ index f962f76..1a36ae2 100644
  	manage_files_pattern($1, var_lock_t, var_lock_t)
  ')
  
-@@ -5878,8 +7199,7 @@ interface(`files_read_all_locks',`
+@@ -5878,8 +7206,7 @@ interface(`files_read_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -12723,7 +13498,7 @@ index f962f76..1a36ae2 100644
  	allow $1 lockfile:dir list_dir_perms;
  	read_files_pattern($1, lockfile, lockfile)
  	read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5901,8 +7221,7 @@ interface(`files_manage_all_locks',`
+@@ -5901,8 +7228,7 @@ interface(`files_manage_all_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -12733,7 +13508,7 @@ index f962f76..1a36ae2 100644
  	manage_dirs_pattern($1, lockfile, lockfile)
  	manage_files_pattern($1, lockfile, lockfile)
  	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5939,8 +7258,7 @@ interface(`files_lock_filetrans',`
+@@ -5939,8 +7265,7 @@ interface(`files_lock_filetrans',`
  		type var_t, var_lock_t;
  	')
  
@@ -12743,7 +13518,7 @@ index f962f76..1a36ae2 100644
  	filetrans_pattern($1, var_lock_t, $2, $3, $4)
  ')
  
-@@ -5979,7 +7297,7 @@ interface(`files_setattr_pid_dirs',`
+@@ -5979,7 +7304,7 @@ interface(`files_setattr_pid_dirs',`
  		type var_run_t;
  	')
  
@@ -12752,7 +13527,7 @@ index f962f76..1a36ae2 100644
  	allow $1 var_run_t:dir setattr;
  ')
  
-@@ -5999,10 +7317,48 @@ interface(`files_search_pids',`
+@@ -5999,10 +7324,48 @@ interface(`files_search_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -12801,7 +13576,7 @@ index f962f76..1a36ae2 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to search
-@@ -6025,6 +7381,43 @@ interface(`files_dontaudit_search_pids',`
+@@ -6025,6 +7388,43 @@ interface(`files_dontaudit_search_pids',`
  
  ########################################
  ## <summary>
@@ -12845,7 +13620,7 @@ index f962f76..1a36ae2 100644
  ##	List the contents of the runtime process
  ##	ID directories (/var/run).
  ## </summary>
-@@ -6039,7 +7432,7 @@ interface(`files_list_pids',`
+@@ -6039,7 +7439,7 @@ interface(`files_list_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -12854,7 +13629,7 @@ index f962f76..1a36ae2 100644
  	list_dirs_pattern($1, var_t, var_run_t)
  ')
  
-@@ -6058,7 +7451,7 @@ interface(`files_read_generic_pids',`
+@@ -6058,7 +7458,7 @@ interface(`files_read_generic_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -12863,7 +13638,7 @@ index f962f76..1a36ae2 100644
  	list_dirs_pattern($1, var_t, var_run_t)
  	read_files_pattern($1, var_run_t, var_run_t)
  ')
-@@ -6078,7 +7471,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6078,7 +7478,7 @@ interface(`files_write_generic_pid_pipes',`
  		type var_run_t;
  	')
  
@@ -12872,7 +13647,7 @@ index f962f76..1a36ae2 100644
  	allow $1 var_run_t:fifo_file write;
  ')
  
-@@ -6140,7 +7533,6 @@ interface(`files_pid_filetrans',`
+@@ -6140,7 +7540,6 @@ interface(`files_pid_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -12880,7 +13655,7 @@ index f962f76..1a36ae2 100644
  	filetrans_pattern($1, var_run_t, $2, $3, $4)
  ')
  
-@@ -6169,6 +7561,24 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6169,6 +7568,24 @@ interface(`files_pid_filetrans_lock_dir',`
  
  ########################################
  ## <summary>
@@ -12905,7 +13680,7 @@ index f962f76..1a36ae2 100644
  ##	Read and write generic process ID files.
  ## </summary>
  ## <param name="domain">
-@@ -6182,7 +7592,7 @@ interface(`files_rw_generic_pids',`
+@@ -6182,7 +7599,7 @@ interface(`files_rw_generic_pids',`
  		type var_t, var_run_t;
  	')
  
@@ -12914,7 +13689,7 @@ index f962f76..1a36ae2 100644
  	list_dirs_pattern($1, var_t, var_run_t)
  	rw_files_pattern($1, var_run_t, var_run_t)
  ')
-@@ -6249,55 +7659,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6249,55 +7666,43 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
@@ -12977,7 +13752,7 @@ index f962f76..1a36ae2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6305,42 +7703,35 @@ interface(`files_delete_all_pids',`
+@@ -6305,42 +7710,35 @@ interface(`files_delete_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -13027,7 +13802,7 @@ index f962f76..1a36ae2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6348,18 +7739,18 @@ interface(`files_manage_all_pids',`
+@@ -6348,18 +7746,18 @@ interface(`files_manage_all_pids',`
  ##	</summary>
  ## </param>
  #
@@ -13051,7 +13826,7 @@ index f962f76..1a36ae2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6367,37 +7758,40 @@ interface(`files_mounton_all_poly_members',`
+@@ -6367,37 +7765,40 @@ interface(`files_mounton_all_poly_members',`
  ##	</summary>
  ## </param>
  #
@@ -13103,7 +13878,7 @@ index f962f76..1a36ae2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6405,18 +7799,17 @@ interface(`files_dontaudit_search_spool',`
+@@ -6405,18 +7806,17 @@ interface(`files_dontaudit_search_spool',`
  ##	</summary>
  ## </param>
  #
@@ -13126,7 +13901,7 @@ index f962f76..1a36ae2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6424,18 +7817,18 @@ interface(`files_list_spool',`
+@@ -6424,18 +7824,18 @@ interface(`files_list_spool',`
  ##	</summary>
  ## </param>
  #
@@ -13150,7 +13925,7 @@ index f962f76..1a36ae2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6443,19 +7836,18 @@ interface(`files_manage_generic_spool_dirs',`
+@@ -6443,19 +7843,18 @@ interface(`files_manage_generic_spool_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -13175,7 +13950,7 @@ index f962f76..1a36ae2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6463,109 +7855,62 @@ interface(`files_read_generic_spool',`
+@@ -6463,109 +7862,62 @@ interface(`files_read_generic_spool',`
  ##	</summary>
  ## </param>
  #
@@ -13306,7 +14081,7 @@ index f962f76..1a36ae2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -6573,10 +7918,944 @@ interface(`files_polyinstantiate_all',`
+@@ -6573,10 +7925,944 @@ interface(`files_polyinstantiate_all',`
  ##	</summary>
  ## </param>
  #
@@ -17276,7 +18051,7 @@ index 7be4ddf..9710b33 100644
 +/sys/kernel/debug -d	gen_context(system_u:object_r:debugfs_t,s0)
 +/sys/kernel/debug/.*	<<none>>
 diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index e100d88..991e1a5 100644
+index e100d88..d2fc766 100644
 --- a/policy/modules/kernel/kernel.if
 +++ b/policy/modules/kernel/kernel.if
 @@ -126,6 +126,24 @@ interface(`kernel_setsched',`
@@ -17536,7 +18311,7 @@ index e100d88..991e1a5 100644
  ##	Do not audit attempts to list all proc directories.
  ## </summary>
  ## <param name="domain">
-@@ -1477,6 +1640,24 @@ interface(`kernel_dontaudit_list_all_proc',`
+@@ -1477,6 +1640,28 @@ interface(`kernel_dontaudit_list_all_proc',`
  
  ########################################
  ## <summary>
@@ -17551,9 +18326,13 @@ index e100d88..991e1a5 100644
 +interface(`kernel_read_all_proc',`
 +	gen_require(`
 +		attribute proc_type;
++        attribute can_dump_kernel;
++        attribute can_receive_kernel_messages;
 +	')
 +
 +	read_files_pattern($1, proc_type, proc_type)
++    typeattribute $1 can_dump_kernel;
++    typeattribute $1 can_receive_kernel_messages;
 +')
 +
 +########################################
@@ -17561,7 +18340,7 @@ index e100d88..991e1a5 100644
  ##	Do not audit attempts by caller to search
  ##	the base directory of sysctls.
  ## </summary>
-@@ -1672,7 +1853,7 @@ interface(`kernel_read_net_sysctls',`
+@@ -1672,7 +1857,7 @@ interface(`kernel_read_net_sysctls',`
  	')
  
  	read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
@@ -17570,7 +18349,7 @@ index e100d88..991e1a5 100644
  	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
  ')
  
-@@ -1693,7 +1874,7 @@ interface(`kernel_rw_net_sysctls',`
+@@ -1693,7 +1878,7 @@ interface(`kernel_rw_net_sysctls',`
  	')
  
  	rw_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_t)
@@ -17579,7 +18358,7 @@ index e100d88..991e1a5 100644
  	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
  ')
  
-@@ -1715,7 +1896,6 @@ interface(`kernel_read_unix_sysctls',`
+@@ -1715,7 +1900,6 @@ interface(`kernel_read_unix_sysctls',`
  	')
  
  	read_files_pattern($1, { proc_t sysctl_t sysctl_net_t }, sysctl_net_unix_t)
@@ -17587,7 +18366,7 @@ index e100d88..991e1a5 100644
  	list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_net_t)
  ')
  
-@@ -1750,16 +1930,9 @@ interface(`kernel_rw_unix_sysctls',`
+@@ -1750,16 +1934,9 @@ interface(`kernel_rw_unix_sysctls',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -17605,7 +18384,7 @@ index e100d88..991e1a5 100644
  ')
  
  ########################################
-@@ -1771,16 +1944,9 @@ interface(`kernel_read_hotplug_sysctls',`
+@@ -1771,16 +1948,9 @@ interface(`kernel_read_hotplug_sysctls',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -17623,7 +18402,7 @@ index e100d88..991e1a5 100644
  ')
  
  ########################################
-@@ -1792,16 +1958,9 @@ interface(`kernel_rw_hotplug_sysctls',`
+@@ -1792,16 +1962,9 @@ interface(`kernel_rw_hotplug_sysctls',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -17641,7 +18420,7 @@ index e100d88..991e1a5 100644
  ')
  
  ########################################
-@@ -1813,16 +1972,9 @@ interface(`kernel_read_modprobe_sysctls',`
+@@ -1813,16 +1976,9 @@ interface(`kernel_read_modprobe_sysctls',`
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -17659,7 +18438,7 @@ index e100d88..991e1a5 100644
  ')
  
  ########################################
-@@ -2085,9 +2237,28 @@ interface(`kernel_dontaudit_list_all_sysctls',`
+@@ -2085,9 +2241,28 @@ interface(`kernel_dontaudit_list_all_sysctls',`
  	')
  
  	dontaudit $1 sysctl_type:dir list_dir_perms;
@@ -17689,7 +18468,7 @@ index e100d88..991e1a5 100644
  ########################################
  ## <summary>
  ##	Allow caller to read all sysctls.
-@@ -2282,6 +2453,25 @@ interface(`kernel_list_unlabeled',`
+@@ -2282,6 +2457,25 @@ interface(`kernel_list_unlabeled',`
  
  ########################################
  ## <summary>
@@ -17715,7 +18494,7 @@ index e100d88..991e1a5 100644
  ##	Read the process state (/proc/pid) of all unlabeled_t.
  ## </summary>
  ## <param name="domain">
-@@ -2306,7 +2496,7 @@ interface(`kernel_read_unlabeled_state',`
+@@ -2306,7 +2500,7 @@ interface(`kernel_read_unlabeled_state',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -17724,7 +18503,7 @@ index e100d88..991e1a5 100644
  ##	</summary>
  ## </param>
  #
-@@ -2488,6 +2678,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
+@@ -2488,6 +2682,24 @@ interface(`kernel_rw_unlabeled_blk_files',`
  
  ########################################
  ## <summary>
@@ -17749,7 +18528,7 @@ index e100d88..991e1a5 100644
  ##	Do not audit attempts by caller to get attributes for
  ##	unlabeled character devices.
  ## </summary>
-@@ -2525,6 +2733,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
+@@ -2525,6 +2737,24 @@ interface(`kernel_relabelfrom_unlabeled_dirs',`
  
  ########################################
  ## <summary>
@@ -17774,7 +18553,7 @@ index e100d88..991e1a5 100644
  ##	Allow caller to relabel unlabeled files.
  ## </summary>
  ## <param name="domain">
-@@ -2667,16 +2893,34 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2667,16 +2897,34 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
  
  ########################################
  ## <summary>
@@ -17818,7 +18597,7 @@ index e100d88..991e1a5 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2694,6 +2938,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2694,6 +2942,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
  
  ########################################
  ## <summary>
@@ -17844,7 +18623,7 @@ index e100d88..991e1a5 100644
  ##	Do not audit attempts to receive TCP packets from an unlabeled
  ##	connection.
  ## </summary>
-@@ -2803,6 +3066,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2803,6 +3070,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
  
  	allow $1 unlabeled_t:rawip_socket recvfrom;
  ')
@@ -17878,7 +18657,7 @@ index e100d88..991e1a5 100644
  
  ########################################
  ## <summary>
-@@ -2958,6 +3248,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2958,6 +3252,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
  
  ########################################
  ## <summary>
@@ -17903,7 +18682,7 @@ index e100d88..991e1a5 100644
  ##	Unconfined access to kernel module resources.
  ## </summary>
  ## <param name="domain">
-@@ -2972,5 +3280,628 @@ interface(`kernel_unconfined',`
+@@ -2972,5 +3284,628 @@ interface(`kernel_unconfined',`
  	')
  
  	typeattribute $1 kern_unconfined;
@@ -18534,7 +19313,7 @@ index e100d88..991e1a5 100644
 +')
 +
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 8dbab4c..46d7f18 100644
+index 8dbab4c..a85c5d7 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
 @@ -25,6 +25,9 @@ attribute kern_unconfined;
@@ -18690,7 +19469,7 @@ index 8dbab4c..46d7f18 100644
  
  corecmd_exec_shell(kernel_t)
  corecmd_list_bin(kernel_t)
-@@ -277,25 +315,53 @@ files_list_root(kernel_t)
+@@ -277,25 +315,54 @@ files_list_root(kernel_t)
  files_list_etc(kernel_t)
  files_list_home(kernel_t)
  files_read_usr_files(kernel_t)
@@ -18720,6 +19499,7 @@ index 8dbab4c..46d7f18 100644
 +
 +optional_policy(`
 +    abrt_filetrans_named_content(kernel_t)
++    abrt_dump_oops_domtrans(kernel_t)
 +')
 +
 +optional_policy(`
@@ -18744,7 +19524,7 @@ index 8dbab4c..46d7f18 100644
  ')
  
  optional_policy(`
-@@ -305,6 +371,19 @@ optional_policy(`
+@@ -305,6 +372,19 @@ optional_policy(`
  
  optional_policy(`
  	logging_send_syslog_msg(kernel_t)
@@ -18764,7 +19544,7 @@ index 8dbab4c..46d7f18 100644
  ')
  
  optional_policy(`
-@@ -312,6 +391,11 @@ optional_policy(`
+@@ -312,6 +392,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18776,7 +19556,7 @@ index 8dbab4c..46d7f18 100644
  	# nfs kernel server needs kernel UDP access. It is less risky and painful
  	# to just give it everything.
  	allow kernel_t self:tcp_socket create_stream_socket_perms;
-@@ -332,9 +416,6 @@ optional_policy(`
+@@ -332,9 +417,6 @@ optional_policy(`
  
  	sysnet_read_config(kernel_t)
  
@@ -18786,7 +19566,7 @@ index 8dbab4c..46d7f18 100644
  	rpc_udp_rw_nfs_sockets(kernel_t)
  
  	tunable_policy(`nfs_export_all_ro',`
-@@ -343,9 +424,7 @@ optional_policy(`
+@@ -343,9 +425,7 @@ optional_policy(`
  		fs_read_noxattr_fs_files(kernel_t)
  		fs_read_noxattr_fs_symlinks(kernel_t)
  
@@ -18797,7 +19577,7 @@ index 8dbab4c..46d7f18 100644
  	')
  
  	tunable_policy(`nfs_export_all_rw',`
-@@ -354,7 +433,7 @@ optional_policy(`
+@@ -354,7 +434,7 @@ optional_policy(`
  		fs_read_noxattr_fs_files(kernel_t)
  		fs_read_noxattr_fs_symlinks(kernel_t)
  
@@ -18806,7 +19586,7 @@ index 8dbab4c..46d7f18 100644
  	')
  ')
  
-@@ -367,6 +446,15 @@ optional_policy(`
+@@ -367,6 +447,15 @@ optional_policy(`
  	unconfined_domain_noaudit(kernel_t)
  ')
  
@@ -18822,7 +19602,7 @@ index 8dbab4c..46d7f18 100644
  ########################################
  #
  # Unlabeled process local policy
-@@ -399,14 +487,39 @@ if( ! secure_mode_insmod ) {
+@@ -399,14 +488,39 @@ if( ! secure_mode_insmod ) {
  # Rules for unconfined acccess to this module
  #
  
@@ -19433,10 +20213,10 @@ index 54f1827..6910c88 100644
 +/usr/lib/udev/devices/loop.* -b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 +/usr/lib/udev/devices/fuse   -c	gen_context(system_u:object_r:fuse_device_t,s0)
 diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
-index 64c4cd0..542299c 100644
+index 64c4cd0..52070af 100644
 --- a/policy/modules/kernel/storage.if
 +++ b/policy/modules/kernel/storage.if
-@@ -22,6 +22,26 @@ interface(`storage_getattr_fixed_disk_dev',`
+@@ -22,6 +22,30 @@ interface(`storage_getattr_fixed_disk_dev',`
  
  ########################################
  ## <summary>
@@ -19451,11 +20231,15 @@ index 64c4cd0..542299c 100644
 +#
 +interface(`storage_rw_inherited_fixed_disk_dev',`
 +	gen_require(`
-+		type fixed_disk_device_t;
++        type fixed_disk_device_t;
++        attribute fixed_disk_raw_read;
++        attribute fixed_disk_raw_write;
 +	')
 +
-+	allow $1 fixed_disk_device_t:chr_file  { read write };
-+	allow $1 fixed_disk_device_t:blk_file  { read write };
++    allow $1 fixed_disk_device_t:chr_file  { read write };
++    allow $1 fixed_disk_device_t:blk_file  { read write };
++    typeattribute $1 fixed_disk_raw_read;
++    typeattribute $1 fixed_disk_raw_write;
 +')
 +
 +########################################
@@ -19463,7 +20247,7 @@ index 64c4cd0..542299c 100644
  ##	Do not audit attempts made by the caller to get
  ##	the attributes of fixed disk device nodes.
  ## </summary>
-@@ -101,6 +121,8 @@ interface(`storage_raw_read_fixed_disk',`
+@@ -101,6 +125,8 @@ interface(`storage_raw_read_fixed_disk',`
  	dev_list_all_dev_nodes($1)
  	allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
  	allow $1 fixed_disk_device_t:chr_file read_chr_file_perms;
@@ -19472,7 +20256,7 @@ index 64c4cd0..542299c 100644
  	typeattribute $1 fixed_disk_raw_read;
  ')
  
-@@ -186,6 +208,7 @@ interface(`storage_dontaudit_write_fixed_disk',`
+@@ -186,6 +212,7 @@ interface(`storage_dontaudit_write_fixed_disk',`
  interface(`storage_raw_rw_fixed_disk',`
  	storage_raw_read_fixed_disk($1)
  	storage_raw_write_fixed_disk($1)
@@ -19480,7 +20264,7 @@ index 64c4cd0..542299c 100644
  ')
  
  ########################################
-@@ -205,6 +228,7 @@ interface(`storage_create_fixed_disk_dev',`
+@@ -205,6 +232,7 @@ interface(`storage_create_fixed_disk_dev',`
  
  	allow $1 self:capability mknod;
  	allow $1 fixed_disk_device_t:blk_file create_blk_file_perms;
@@ -19488,7 +20272,7 @@ index 64c4cd0..542299c 100644
  	dev_add_entry_generic_dirs($1)
  ')
  
-@@ -274,6 +298,48 @@ interface(`storage_dev_filetrans_fixed_disk',`
+@@ -274,6 +302,48 @@ interface(`storage_dev_filetrans_fixed_disk',`
  	dev_filetrans($1, fixed_disk_device_t, blk_file, $2)
  ')
  
@@ -19537,7 +20321,7 @@ index 64c4cd0..542299c 100644
  ########################################
  ## <summary>
  ##	Create block devices in on a tmpfs filesystem with the
-@@ -295,6 +361,25 @@ interface(`storage_tmpfs_filetrans_fixed_disk',`
+@@ -295,6 +365,25 @@ interface(`storage_tmpfs_filetrans_fixed_disk',`
  
  ########################################
  ## <summary>
@@ -19563,7 +20347,43 @@ index 64c4cd0..542299c 100644
  ##	Relabel fixed disk device nodes.
  ## </summary>
  ## <param name="domain">
-@@ -716,6 +801,24 @@ interface(`storage_dontaudit_raw_write_removable_device',`
+@@ -478,6 +567,35 @@ interface(`storage_write_scsi_generic',`
+ 	typeattribute $1 scsi_generic_write;
+ ')
+ 
++
++########################################
++## <summary>
++##	Allow the caller to directly read and write, in a
++##	generic fashion, from any SCSI device.
++##	This is extremly dangerous as it can bypass the
++##	SELinux protections for filesystem objects, and
++##	should only be used by trusted domains.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`storage_rw_inherited_scsi_generic',`
++	gen_require(`
++        attribute scsi_generic_read;
++		attribute scsi_generic_write;
++		type scsi_generic_device_t;
++	')
++
++	dev_list_all_dev_nodes($1)
++	allow $1 scsi_generic_device_t:chr_file rw_inherited_chr_file_perms;
++	allow $1 scsi_generic_device_t:chr_file rw_inherited_blk_file_perms;
++	typeattribute $1 scsi_generic_write;
++    typeattribute $1 scsi_generic_read;
++')
++
+ ########################################
+ ## <summary>
+ ##	Set attributes of the device nodes
+@@ -716,6 +834,24 @@ interface(`storage_dontaudit_raw_write_removable_device',`
  	dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
  ')
  
@@ -19588,7 +20408,7 @@ index 64c4cd0..542299c 100644
  ########################################
  ## <summary>
  ##	Allow the caller to directly read
-@@ -813,3 +916,452 @@ interface(`storage_unconfined',`
+@@ -813,3 +949,452 @@ interface(`storage_unconfined',`
  
  	typeattribute $1 storage_unconfined_type;
  ')
@@ -29100,7 +29920,7 @@ index 2479587..890e1e2 100644
  /var/(db|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
  /var/lib/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 3efd5b6..9e85ea0 100644
+index 3efd5b6..3db526f 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -23,11 +23,17 @@ interface(`auth_role',`
@@ -29651,33 +30471,75 @@ index 3efd5b6..9e85ea0 100644
  ##	Read login records files (/var/log/wtmp).
  ## </summary>
  ## <param name="domain">
-@@ -1726,24 +1968,7 @@ interface(`auth_manage_login_records',`
+@@ -1726,24 +1968,63 @@ interface(`auth_manage_login_records',`
  
  	logging_rw_generic_log_dirs($1)
  	allow $1 wtmp_t:file manage_file_perms;
--')
--
--########################################
--## <summary>
++	logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
+ ')
+ 
+ ########################################
+ ## <summary>
 -##	Relabel login record files.
--## </summary>
--## <param name="domain">
--##	<summary>
--##	Domain allowed access.
--##	</summary>
--## </param>
--#
++##	Read access to the authlogin module.
+ ## </summary>
++## <desc>
++##	<p>
++##	Read access to the authlogin module.
++##	</p>
++##	<p>
++##	Currently, this only allows assertions for
++##	the shadow passwords file (/etc/shadow) to
++##	be passed.  No access is granted yet.
++##	</p>
++## </desc>
+ ## <param name="domain">
+ ##	<summary>
+ ##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
 -interface(`auth_relabel_login_records',`
--	gen_require(`
++interface(`auth_reader_shadow',`
+ 	gen_require(`
 -		type wtmp_t;
--	')
--
++		attribute can_read_shadow_passwords;
+ 	')
+ 
 -	allow $1 wtmp_t:file relabel_file_perms;
-+	logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
++	typeattribute $1 can_read_shadow_passwords;
++')
++
++########################################
++## <summary>
++##	Write access to the authlogin module.
++## </summary>
++## <desc>
++##	<p>
++##	Write access to the authlogin module.
++##	</p>
++##	<p>
++##	Currently, this only allows assertions for
++##	the shadow passwords file (/etc/shadow) to
++##	be passed.  No access is granted yet.
++##	</p>
++## </desc>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`auth_writer_shadow',`
++	gen_require(`
++		attribute can_write_shadow_passwords;
++	')
++
++	typeattribute $1 can_write_shadow_passwords;
  ')
  
  ########################################
-@@ -1767,11 +1992,13 @@ interface(`auth_relabel_login_records',`
+@@ -1767,11 +2048,13 @@ interface(`auth_relabel_login_records',`
  ## <infoflow type="both" weight="10"/>
  #
  interface(`auth_use_nsswitch',`
@@ -29694,7 +30556,7 @@ index 3efd5b6..9e85ea0 100644
  ')
  
  ########################################
-@@ -1805,3 +2032,280 @@ interface(`auth_unconfined',`
+@@ -1805,3 +2088,280 @@ interface(`auth_unconfined',`
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index b1f2938..a121c91 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -80,7 +80,7 @@ index 1a93dc5..f2b26f5 100644
 -/var/spool/abrt-retrace(/.*)?	gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
 -/var/spool/retrace-server(/.*)?	gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
 diff --git a/abrt.if b/abrt.if
-index 058d908..158acba 100644
+index 058d908..7da78c7 100644
 --- a/abrt.if
 +++ b/abrt.if
 @@ -1,4 +1,26 @@
@@ -111,7 +111,33 @@ index 058d908..158acba 100644
  
  ######################################
  ## <summary>
-@@ -40,7 +62,7 @@ interface(`abrt_exec',`
+@@ -21,6 +43,25 @@ interface(`abrt_domtrans',`
+ 
+ ######################################
+ ## <summary>
++##	Execute abrt_dump_oops in the abrt_dump_oops_t domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`abrt_dump_oops_domtrans',`
++	gen_require(`
++		type abrt_dump_oops_t, abrt_dump_oops_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, abrt_dump_oops_exec_t, abrt_dump_oops_t)
++')
++
++######################################
++## <summary>
+ ##	Execute abrt in the caller domain.
+ ## </summary>
+ ## <param name="domain">
+@@ -40,7 +81,7 @@ interface(`abrt_exec',`
  
  ########################################
  ## <summary>
@@ -120,7 +146,7 @@ index 058d908..158acba 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -58,7 +80,7 @@ interface(`abrt_signull',`
+@@ -58,7 +99,7 @@ interface(`abrt_signull',`
  
  ########################################
  ## <summary>
@@ -129,7 +155,7 @@ index 058d908..158acba 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -71,12 +93,13 @@ interface(`abrt_read_state',`
+@@ -71,12 +112,13 @@ interface(`abrt_read_state',`
  		type abrt_t;
  	')
  
@@ -144,7 +170,7 @@ index 058d908..158acba 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -116,8 +139,7 @@ interface(`abrt_dbus_chat',`
+@@ -116,8 +158,7 @@ interface(`abrt_dbus_chat',`
  
  #####################################
  ## <summary>
@@ -154,7 +180,7 @@ index 058d908..158acba 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -130,15 +152,13 @@ interface(`abrt_domtrans_helper',`
+@@ -130,15 +171,13 @@ interface(`abrt_domtrans_helper',`
  		type abrt_helper_t, abrt_helper_exec_t;
  	')
  
@@ -172,7 +198,7 @@ index 058d908..158acba 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -163,8 +183,26 @@ interface(`abrt_run_helper',`
+@@ -163,8 +202,45 @@ interface(`abrt_run_helper',`
  
  ########################################
  ## <summary>
@@ -198,53 +224,53 @@ index 058d908..158acba 100644
 +########################################
 +## <summary>
 +##	Append abrt cache
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`abrt_append_cache',`
++	gen_require(`
++		type abrt_var_cache_t;
++	')
++
++	
++	allow $1 abrt_var_cache_t:file append_inherited_file_perms;
++')
++
++########################################
++## <summary>
++##	Read/Write inherited abrt cache
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -172,15 +210,37 @@ interface(`abrt_run_helper',`
+@@ -172,15 +248,18 @@ interface(`abrt_run_helper',`
  ##	</summary>
  ## </param>
  #
 -interface(`abrt_cache_manage',`
 -	refpolicywarn(`$0($*) has been deprecated, use abrt_manage_cache() instead.')
 -	abrt_manage_cache($1)
-+interface(`abrt_append_cache',`
++interface(`abrt_rw_inherited_cache',`
 +	gen_require(`
 +		type abrt_var_cache_t;
 +	')
 +
 +	
-+	allow $1 abrt_var_cache_t:file append_inherited_file_perms;
++	allow $1 abrt_var_cache_t:file rw_inherited_file_perms;
  ')
  
  ########################################
  ## <summary>
 -##	Create, read, write, and delete
 -##	abrt cache content.
-+##	Read/Write inherited abrt cache
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`abrt_rw_inherited_cache',`
-+	gen_require(`
-+		type abrt_var_cache_t;
-+	')
-+
-+	
-+	allow $1 abrt_var_cache_t:file rw_inherited_file_perms;
-+')
-+
-+########################################
-+## <summary>
 +##	Manage abrt cache
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -193,7 +253,6 @@ interface(`abrt_manage_cache',`
+@@ -193,7 +272,6 @@ interface(`abrt_manage_cache',`
  		type abrt_var_cache_t;
  	')
  
@@ -252,7 +278,7 @@ index 058d908..158acba 100644
  	manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
  	manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
  	manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
-@@ -201,7 +260,7 @@ interface(`abrt_manage_cache',`
+@@ -201,7 +279,7 @@ interface(`abrt_manage_cache',`
  
  ####################################
  ## <summary>
@@ -261,7 +287,7 @@ index 058d908..158acba 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -218,9 +277,29 @@ interface(`abrt_read_config',`
+@@ -218,9 +296,29 @@ interface(`abrt_read_config',`
  	read_files_pattern($1, abrt_etc_t, abrt_etc_t)
  ')
  
@@ -292,7 +318,7 @@ index 058d908..158acba 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -258,8 +337,7 @@ interface(`abrt_read_pid_files',`
+@@ -258,8 +356,7 @@ interface(`abrt_read_pid_files',`
  
  ######################################
  ## <summary>
@@ -302,7 +328,7 @@ index 058d908..158acba 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -276,10 +354,52 @@ interface(`abrt_manage_pid_files',`
+@@ -276,10 +373,52 @@ interface(`abrt_manage_pid_files',`
  	manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
  ')
  
@@ -357,7 +383,7 @@ index 058d908..158acba 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -288,39 +408,174 @@ interface(`abrt_manage_pid_files',`
+@@ -288,39 +427,174 @@ interface(`abrt_manage_pid_files',`
  ## </param>
  ## <param name="role">
  ##	<summary>
@@ -546,7 +572,7 @@ index 058d908..158acba 100644
 +')
 +
 diff --git a/abrt.te b/abrt.te
-index eb50f07..d6d0e34 100644
+index eb50f07..f93be3c 100644
 --- a/abrt.te
 +++ b/abrt.te
 @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -989,7 +1015,7 @@ index eb50f07..d6d0e34 100644
  allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
  
  domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -365,38 +456,60 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -365,38 +456,64 @@ corecmd_exec_shell(abrt_retrace_worker_t)
  
  dev_read_urand(abrt_retrace_worker_t)
  
@@ -1011,7 +1037,7 @@ index eb50f07..d6d0e34 100644
  #
  
 -allow abrt_dump_oops_t self:capability dac_override;
-+allow abrt_dump_oops_t self:capability { ipc_lock fowner chown fsetid dac_override };
++allow abrt_dump_oops_t self:capability { kill net_admin sys_ptrace ipc_lock fowner chown fsetid dac_override };
  allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
 -allow abrt_dump_oops_t self:unix_stream_socket { accept listen };
 +allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms;
@@ -1034,13 +1060,17 @@ index eb50f07..d6d0e34 100644
 +kernel_read_debugfs(abrt_dump_oops_t)
  kernel_read_kernel_sysctls(abrt_dump_oops_t)
  kernel_read_ring_buffer(abrt_dump_oops_t)
- 
++kernel_read_security_state(abrt_dump_oops_t)
++
 +auth_read_passwd(abrt_dump_oops_t)
 +
 +dev_read_urand(abrt_dump_oops_t)
 +dev_read_rand(abrt_dump_oops_t)
-+
+ 
  domain_use_interactive_fds(abrt_dump_oops_t)
++domain_signull_all_domains(abrt_dump_oops_t)
++domain_ptrace_all_domains(abrt_dump_oops_t)
++domain_read_all_domains_state(abrt_dump_oops_t)
  
 +fs_getattr_all_fs(abrt_dump_oops_t)
  fs_list_inotifyfs(abrt_dump_oops_t)
@@ -1054,7 +1084,7 @@ index eb50f07..d6d0e34 100644
  
  #######################################
  #
-@@ -404,25 +517,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
+@@ -404,25 +521,60 @@ logging_read_generic_logs(abrt_dump_oops_t)
  #
  
  allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@@ -1117,7 +1147,7 @@ index eb50f07..d6d0e34 100644
  ')
  
  #######################################
-@@ -430,10 +578,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+@@ -430,10 +582,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
  # Global local policy
  #
  
@@ -3364,10 +3394,10 @@ index 0000000..6183b21
 +	spamassassin_read_pid_files(antivirus_domain)
 +')
 diff --git a/apache.fc b/apache.fc
-index 7caefc3..3ef1de6 100644
+index 7caefc3..239cefa 100644
 --- a/apache.fc
 +++ b/apache.fc
-@@ -1,162 +1,207 @@
+@@ -1,162 +1,211 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)?	gen_context(system_u:object_r:httpd_user_content_t,s0)
 -HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)?	gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
 +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -3407,6 +3437,7 @@ index 7caefc3..3ef1de6 100644
 +/etc/lighttpd(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
 +/etc/mock/koji(/.*)? 			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/etc/nginx(/.*)?         gen_context(system_u:object_r:httpd_config_t,s0)
++/etc/opt/rh/rh-nginx18/nginx(/.*)?         gen_context(system_u:object_r:httpd_config_t,s0)
  /etc/rc\.d/init\.d/httpd	--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
  /etc/rc\.d/init\.d/lighttpd	--	gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
  
@@ -3586,6 +3617,7 @@ index 7caefc3..3ef1de6 100644
 +/var/lib/moodle(/.*)?		    gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 +/var/lib/mod_security(/.*)?     gen_context(system_u:object_r:httpd_var_lib_t,s0)
 +/var/lib/nginx(/.*)?            gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/opt/rh/rh-nginx18/lib/nginx(/.*)?            gen_context(system_u:object_r:httpd_var_lib_t,s0)
 +/var/lib/php/session(/.*)?		gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/var/lib/php/wsdlcache(/.*)?		gen_context(system_u:object_r:httpd_var_run_t,s0)
 +
@@ -3626,6 +3658,7 @@ index 7caefc3..3ef1de6 100644
 +/var/log/httpd(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/log/lighttpd(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/log/nginx(/.*)?     gen_context(system_u:object_r:httpd_log_t,s0)
++/var/opt/rh/rh-nginx18/log(/.*)?     gen_context(system_u:object_r:httpd_log_t,s0)
 +/var/log/php-fpm(/.*)?      gen_context(system_u:object_r:httpd_log_t,s0)
  /var/log/roundcubemail(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
  /var/log/suphp\.log.*	--	gen_context(system_u:object_r:httpd_log_t,s0)
@@ -3663,6 +3696,7 @@ index 7caefc3..3ef1de6 100644
 +/var/run/lighttpd(/.*)?			gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/var/run/mod_.*				gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/var/run/nginx.*            gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/opt/rh/rh-nginx18/run/nginx(/.*)?            gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/var/run/php-fpm(/.*)?      gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/var/run/thttpd\.pid    -- gen_context(system_u:object_r:httpd_var_run_t,s0)
 +/var/run/wsgi.*			-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
@@ -9692,6 +9726,195 @@ index f5c1a48..f7b4f1d 100644
  	tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
  ')
 +
+diff --git a/blkmapd.fc b/blkmapd.fc
+new file mode 100644
+index 0000000..5e59fb4
+--- /dev/null
++++ b/blkmapd.fc
+@@ -0,0 +1,6 @@
++
++/etc/rc\.d/init\.d/blkmapd	--	gen_context(system_u:object_r:blkmapd_initrc_exec_t,s0)
++
++/usr/sbin/blkmapd		--	gen_context(system_u:object_r:blkmapd_exec_t,s0)
++
++/var/run/blkmapd\.pid		--	gen_context(system_u:object_r:blkmapd_var_run_t,s0)
+diff --git a/blkmapd.if b/blkmapd.if
+new file mode 100644
+index 0000000..7666379
+--- /dev/null
++++ b/blkmapd.if
+@@ -0,0 +1,121 @@
++
++## <summary>The blkmapd daemon performs device discovery and mapping for pNFS block layout client.</summary>
++
++########################################
++## <summary>
++##	Execute blkmapd_exec_t in the blkmapd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`blkmapd_domtrans',`
++	gen_require(`
++		type blkmapd_t, blkmapd_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, blkmapd_exec_t, blkmapd_t)
++')
++
++######################################
++## <summary>
++##	Execute blkmapd in the caller domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`blkmapd_exec',`
++	gen_require(`
++		type blkmapd_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	can_exec($1, blkmapd_exec_t)
++')
++
++########################################
++## <summary>
++##	Execute blkmapd server in the blkmapd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`blkmapd_initrc_domtrans',`
++	gen_require(`
++		type blkmapd_initrc_exec_t;
++	')
++
++	init_labeled_script_domtrans($1, blkmapd_initrc_exec_t)
++')
++########################################
++## <summary>
++##	Read blkmapd PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`blkmapd_read_pid_files',`
++	gen_require(`
++		type blkmapd_var_run_t;
++	')
++
++	files_search_pids($1)
++	read_files_pattern($1, blkmapd_var_run_t, blkmapd_var_run_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an blkmapd environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`blkmapd_admin',`
++	gen_require(`
++		type blkmapd_t;
++		type blkmapd_initrc_exec_t;
++		type blkmapd_var_run_t;
++	')
++
++	allow $1 blkmapd_t:process { signal_perms };
++	ps_process_pattern($1, blkmapd_t)
++
++    tunable_policy(`deny_ptrace',`',`
++        allow $1 blkmapd_t:process ptrace;
++    ')
++
++	blkmapd_initrc_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 blkmapd_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	files_search_pids($1)
++	admin_pattern($1, blkmapd_var_run_t)
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/blkmapd.te b/blkmapd.te
+new file mode 100644
+index 0000000..6cfb355
+--- /dev/null
++++ b/blkmapd.te
+@@ -0,0 +1,44 @@
++policy_module(blkmapd, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type blkmapd_t;
++type blkmapd_exec_t;
++init_daemon_domain(blkmapd_t, blkmapd_exec_t)
++
++type blkmapd_initrc_exec_t;
++init_script_file(blkmapd_initrc_exec_t)
++
++type blkmapd_var_run_t;
++files_pid_file(blkmapd_var_run_t)
++
++
++########################################
++#
++# blkmapd local policy
++#
++
++allow blkmapd_t self:capability sys_rawio;
++
++manage_files_pattern(blkmapd_t, blkmapd_var_run_t, blkmapd_var_run_t)
++files_pid_filetrans(blkmapd_t, blkmapd_var_run_t, file)
++
++kernel_read_system_state(blkmapd_t)
++
++dev_list_sysfs(blkmapd_t)
++
++fs_list_rpc(blkmapd_t)
++fs_rw_rpc_named_pipes(blkmapd_t)
++
++storage_raw_read_fixed_disk(blkmapd_t)
++storage_raw_read_removable_device(blkmapd_t)
++
++
++logging_send_syslog_msg(blkmapd_t)
++
++optional_policy(`
++   rpc_read_nfs_state_data(blkmapd_t)
++')
 diff --git a/blueman.fc b/blueman.fc
 index c295d2e..4f84e9c 100644
 --- a/blueman.fc
@@ -35956,10 +36179,10 @@ index 6517fad..f183748 100644
 +	allow $1 hypervkvp_unit_file_t:service all_service_perms;
  ')
 diff --git a/hypervkvp.te b/hypervkvp.te
-index 4eb7041..2e4b08a 100644
+index 4eb7041..3ba4a51 100644
 --- a/hypervkvp.te
 +++ b/hypervkvp.te
-@@ -5,24 +5,135 @@ policy_module(hypervkvp, 1.0.0)
+@@ -5,24 +5,139 @@ policy_module(hypervkvp, 1.0.0)
  # Declarations
  #
  
@@ -35997,7 +36220,7 @@ index 4eb7041..2e4b08a 100644
  #
 -# Local policy
 +# hyperv domain local policy
-+#
+ #
 +
 +allow hyperv_domain self:capability net_admin;
 +allow hyperv_domain self:netlink_socket create_socket_perms;
@@ -36011,12 +36234,13 @@ index 4eb7041..2e4b08a 100644
 +dev_read_sysfs(hyperv_domain)
 +
 +########################################
- #
++#
 +# hypervkvp local policy
  #
  
 -allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
 -allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
++allow hypervkvp_t self:capability sys_ptrace;
 +allow hypervkvp_t self:process setfscreate;
 +allow hypervkvp_t self:netlink_route_socket rw_netlink_socket_perms;
 +
@@ -36032,6 +36256,8 @@ index 4eb7041..2e4b08a 100644
 +kernel_read_network_state(hypervkvp_t)
 +kernel_rw_net_sysctls(hypervkvp_t)
 +
++corecmd_getattr_all_executables(hypervkvp_t)
++
 +domain_read_all_domains_state(hypervkvp_t)
 +
 +seutil_exec_setfiles(hypervkvp_t)
@@ -36074,6 +36300,7 @@ index 4eb7041..2e4b08a 100644
 +
 +optional_policy(`
 +    dbus_read_pid_files(hypervkvp_t)
++    dbus_system_bus_client(hypervkvp_t)
 +')
 +
 +optional_policy(`
@@ -36976,10 +37203,10 @@ index 0000000..71bde7d
 +
 diff --git a/ipa.te b/ipa.te
 new file mode 100644
-index 0000000..7d70dcb
+index 0000000..694c092
 --- /dev/null
 +++ b/ipa.te
-@@ -0,0 +1,113 @@
+@@ -0,0 +1,122 @@
 +policy_module(ipa, 1.0.0)
 +
 +########################################
@@ -37047,7 +37274,10 @@ index 0000000..7d70dcb
 +#
 +
 +
-+allow ipa_helper_t self:capability { dac_override chown };
++allow ipa_helper_t self:capability { net_admin dac_override chown };
++
++#kernel bug
++dontaudit ipa_helper_t self:capability2  block_suspend;
 +
 +allow ipa_helper_t self:process setfscreate;
 +allow ipa_helper_t self:fifo_file rw_fifo_file_perms;
@@ -37065,6 +37295,8 @@ index 0000000..7d70dcb
 +
 +auth_use_nsswitch(ipa_helper_t)
 +
++files_list_tmp(ipa_helper_t)
++
 +ipa_manage_pid_files(ipa_helper_t)
 +ipa_read_lib(ipa_helper_t)
 +
@@ -37087,12 +37319,191 @@ index 0000000..7d70dcb
 +')
 +
 +optional_policy(`
++    rpm_read_db(ipa_helper_t)
++')
++
++optional_policy(`
 +    samba_read_config(ipa_helper_t)
 +')
 +
 +optional_policy(`
 +    sssd_manage_lib_files(ipa_helper_t)
 +')
+diff --git a/ipmievd.fc b/ipmievd.fc
+new file mode 100644
+index 0000000..caf1fe5
+--- /dev/null
++++ b/ipmievd.fc
+@@ -0,0 +1,5 @@
++/usr/lib/systemd/system/ipmievd\.service	--	gen_context(system_u:object_r:ipmievd_unit_file_t,s0)
++
++/usr/sbin/ipmievd				--	gen_context(system_u:object_r:ipmievd_exec_t,s0)
++
++/var/run/ipmievd\.pid				--	gen_context(system_u:object_r:ipmievd_var_run_t,s0)
+diff --git a/ipmievd.if b/ipmievd.if
+new file mode 100644
+index 0000000..e86db54
+--- /dev/null
++++ b/ipmievd.if
+@@ -0,0 +1,120 @@
++## <summary>IPMI event daemon for sending events to syslog.</summary>
++
++########################################
++## <summary>
++##	Execute ipmievd_exec_t in the ipmievd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`ipmievd_domtrans',`
++	gen_require(`
++		type ipmievd_t, ipmievd_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, ipmievd_exec_t, ipmievd_t)
++')
++
++######################################
++## <summary>
++##	Execute ipmievd in the caller domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`ipmievd_exec',`
++	gen_require(`
++		type ipmievd_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	can_exec($1, ipmievd_exec_t)
++')
++
++########################################
++## <summary>
++##	Read ipmievd PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`ipmievd_read_pid_files',`
++	gen_require(`
++		type ipmievd_var_run_t;
++	')
++
++	files_search_pids($1)
++	read_files_pattern($1, ipmievd_var_run_t, ipmievd_var_run_t)
++')
++
++########################################
++## <summary>
++##	Execute ipmievd server in the ipmievd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed to transition.
++##	</summary>
++## </param>
++#
++interface(`ipmievd_systemctl',`
++	gen_require(`
++		type ipmievd_t;
++		type ipmievd_unit_file_t;
++	')
++
++	systemd_exec_systemctl($1)
++        systemd_read_fifo_file_passwd_run($1)
++	allow $1 ipmievd_unit_file_t:file read_file_perms;
++	allow $1 ipmievd_unit_file_t:service manage_service_perms;
++
++	ps_process_pattern($1, ipmievd_t)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an ipmievd environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`ipmievd_admin',`
++	gen_require(`
++		type ipmievd_t;
++		type ipmievd_var_run_t;
++	type ipmievd_unit_file_t;
++	')
++
++	allow $1 ipmievd_t:process { signal_perms };
++	ps_process_pattern($1, ipmievd_t)
++
++    tunable_policy(`deny_ptrace',`',`
++        allow $1 ipmievd_t:process ptrace;
++    ')
++
++	files_search_pids($1)
++	admin_pattern($1, ipmievd_var_run_t)
++
++	ipmievd_systemctl($1)
++	admin_pattern($1, ipmievd_unit_file_t)
++	allow $1 ipmievd_unit_file_t:service all_service_perms;
++
++	optional_policy(`
++		systemd_passwd_agent_exec($1)
++		systemd_read_fifo_file_passwd_run($1)
++	')
++')
+diff --git a/ipmievd.te b/ipmievd.te
+new file mode 100644
+index 0000000..f8428ca
+--- /dev/null
++++ b/ipmievd.te
+@@ -0,0 +1,32 @@
++policy_module(ipmievd, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type ipmievd_t;
++type ipmievd_exec_t;
++init_daemon_domain(ipmievd_t, ipmievd_exec_t)
++
++type ipmievd_var_run_t;
++files_pid_file(ipmievd_var_run_t)
++
++type ipmievd_unit_file_t;
++systemd_unit_file(ipmievd_unit_file_t)
++
++########################################
++#
++# ipmievd local policy
++#
++
++allow ipmievd_t self:process { fork setpgid };
++allow ipmievd_t self:fifo_file rw_fifo_file_perms;
++
++manage_files_pattern(ipmievd_t, ipmievd_var_run_t, ipmievd_var_run_t)
++files_pid_filetrans(ipmievd_t, ipmievd_var_run_t, { file })
++
++dev_rw_ipmi_dev(ipmievd_t)
++
++logging_send_syslog_msg(ipmievd_t)
++
 diff --git a/irc.fc b/irc.fc
 index 48e7739..1bf0326 100644
 --- a/irc.fc
@@ -37572,7 +37983,7 @@ index 1a35420..8101022 100644
  	logging_search_logs($1)
  	admin_pattern($1, iscsi_log_t)
 diff --git a/iscsi.te b/iscsi.te
-index ca020fa..d4ed777 100644
+index ca020fa..989eba9 100644
 --- a/iscsi.te
 +++ b/iscsi.te
 @@ -5,12 +5,15 @@ policy_module(iscsi, 1.9.0)
@@ -37620,12 +38031,12 @@ index ca020fa..d4ed777 100644
  
  can_exec(iscsid_t, iscsid_exec_t)
  
++kernel_load_module(iscsid_t)
 +kernel_request_load_module(iscsid_t)
  kernel_read_network_state(iscsid_t)
  kernel_read_system_state(iscsid_t)
 -kernel_setsched(iscsid_t)
 +kernel_dontaudit_setsched(iscsid_t)
-+kernel_request_load_module(iscsid_t)
  
 -corenet_all_recvfrom_unlabeled(iscsid_t)
  corenet_all_recvfrom_netlabel(iscsid_t)
@@ -47145,10 +47556,10 @@ index 0000000..86467cf
 +')
 diff --git a/mirrormanager.te b/mirrormanager.te
 new file mode 100644
-index 0000000..841b732
+index 0000000..f59af1b
 --- /dev/null
 +++ b/mirrormanager.te
-@@ -0,0 +1,43 @@
+@@ -0,0 +1,46 @@
 +policy_module(mirrormanager, 1.0.0)
 +
 +########################################
@@ -47158,7 +47569,7 @@ index 0000000..841b732
 +
 +type mirrormanager_t;
 +type mirrormanager_exec_t;
-+cron_system_entry(mirrormanager_t, mirrormanager_exec_t)
++application_domain(mirrormanager_t, mirrormanager_exec_t)
 +
 +type mirrormanager_log_t;
 +logging_log_file(mirrormanager_log_t)
@@ -47192,6 +47603,9 @@ index 0000000..841b732
 +manage_lnk_files_pattern(mirrormanager_t, mirrormanager_var_run_t, mirrormanager_var_run_t)
 +files_pid_filetrans(mirrormanager_t, mirrormanager_var_run_t, { dir })
 +
++optional_policy(`
++    cron_system_entry(mirrormanager_t, mirrormanager_exec_t)
++')
 diff --git a/mock.fc b/mock.fc
 new file mode 100644
 index 0000000..8d0e473
@@ -53015,7 +53429,7 @@ index b744fe3..cb0e2af 100644
 +	admin_pattern($1, munin_content_t)
  ')
 diff --git a/munin.te b/munin.te
-index b708708..dd6e04b 100644
+index b708708..f4c0e61 100644
 --- a/munin.te
 +++ b/munin.te
 @@ -44,41 +44,40 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t)
@@ -53122,7 +53536,7 @@ index b708708..dd6e04b 100644
  ')
  
  optional_policy(`
-@@ -246,21 +234,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+@@ -246,21 +234,25 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
  
  rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
  
@@ -53141,16 +53555,18 @@ index b708708..dd6e04b 100644
 -
 -files_read_etc_runtime_files(disk_munin_plugin_t)
 +dev_read_all_blk_files(disk_munin_plugin_t)
++dev_raw_memory_reader(disk_munin_plugin_t)
  
  fs_getattr_all_fs(disk_munin_plugin_t)
  fs_getattr_all_dirs(disk_munin_plugin_t)
  
 -storage_getattr_fixed_disk_dev(disk_munin_plugin_t)
 +storage_raw_read_fixed_disk(disk_munin_plugin_t)
++storage_read_scsi_generic(disk_munin_plugin_t)
  
  sysnet_read_config(disk_munin_plugin_t)
  
-@@ -272,6 +262,10 @@ optional_policy(`
+@@ -272,6 +264,10 @@ optional_policy(`
  	fstools_exec(disk_munin_plugin_t)
  ')
  
@@ -53161,7 +53577,7 @@ index b708708..dd6e04b 100644
  ####################################
  #
  # Mail local policy
-@@ -279,27 +273,39 @@ optional_policy(`
+@@ -279,27 +275,39 @@ optional_policy(`
  
  allow mail_munin_plugin_t self:capability dac_override;
  
@@ -53205,7 +53621,7 @@ index b708708..dd6e04b 100644
  ')
  
  optional_policy(`
-@@ -339,7 +345,7 @@ dev_read_rand(services_munin_plugin_t)
+@@ -339,7 +347,7 @@ dev_read_rand(services_munin_plugin_t)
  sysnet_read_config(services_munin_plugin_t)
  
  optional_policy(`
@@ -53214,7 +53630,7 @@ index b708708..dd6e04b 100644
  ')
  
  optional_policy(`
-@@ -348,6 +354,10 @@ optional_policy(`
+@@ -348,6 +356,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53225,7 +53641,7 @@ index b708708..dd6e04b 100644
  	lpd_exec_lpr(services_munin_plugin_t)
  ')
  
-@@ -361,7 +371,11 @@ optional_policy(`
+@@ -361,7 +373,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53238,7 +53654,7 @@ index b708708..dd6e04b 100644
  ')
  
  optional_policy(`
-@@ -393,6 +407,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
+@@ -393,6 +409,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
  
  kernel_read_network_state(system_munin_plugin_t)
  kernel_read_all_sysctls(system_munin_plugin_t)
@@ -53246,7 +53662,7 @@ index b708708..dd6e04b 100644
  
  dev_read_sysfs(system_munin_plugin_t)
  dev_read_urand(system_munin_plugin_t)
-@@ -421,3 +436,33 @@ optional_policy(`
+@@ -421,3 +438,33 @@ optional_policy(`
  optional_policy(`
  	unconfined_domain(unconfined_munin_plugin_t)
  ')
@@ -61436,10 +61852,19 @@ index 3b6920e..3e9b17f 100644
  userdom_dontaudit_search_user_home_dirs(openct_t)
  
 diff --git a/openhpi.te b/openhpi.te
-index 8de6191..af7f2a8 100644
+index 8de6191..1a01e99 100644
 --- a/openhpi.te
 +++ b/openhpi.te
-@@ -50,8 +50,10 @@ corenet_tcp_sendrecv_openhpid_port(openhpid_t)
+@@ -38,6 +38,8 @@ files_var_lib_filetrans(openhpid_t, openhpid_var_lib_t, dir)
+ manage_files_pattern(openhpid_t, openhpid_var_run_t, openhpid_var_run_t)
+ files_pid_filetrans(openhpid_t, openhpid_var_run_t, file)
+ 
++kernel_read_system_state(openhpid_t)
++
+ corenet_all_recvfrom_unlabeled(openhpid_t)
+ corenet_all_recvfrom_netlabel(openhpid_t)
+ corenet_tcp_sendrecv_generic_if(openhpid_t)
+@@ -50,8 +52,10 @@ corenet_tcp_sendrecv_openhpid_port(openhpid_t)
  
  dev_read_urand(openhpid_t)
  
@@ -63990,7 +64415,7 @@ index 9b15730..cb00f20 100644
 +	')
  ')
 diff --git a/openvswitch.te b/openvswitch.te
-index 44dbc99..ac08330 100644
+index 44dbc99..eb8d420 100644
 --- a/openvswitch.te
 +++ b/openvswitch.te
 @@ -9,11 +9,8 @@ type openvswitch_t;
@@ -64055,12 +64480,13 @@ index 44dbc99..ac08330 100644
  manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
  logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
  
-@@ -65,33 +68,45 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
+@@ -65,33 +68,46 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
  manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
  files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
  
 -can_exec(openvswitch_t, openvswitch_exec_t)
 -
++kernel_load_module(openvswitch_t)
  kernel_read_network_state(openvswitch_t)
  kernel_read_system_state(openvswitch_t)
 +kernel_request_load_module(openvswitch_t)
@@ -85125,7 +85551,7 @@ index 6dbc905..4b17c93 100644
 -	admin_pattern($1, rhsmcertd_lock_t)
  ')
 diff --git a/rhsmcertd.te b/rhsmcertd.te
-index d32e1a2..e030327 100644
+index d32e1a2..2078892 100644
 --- a/rhsmcertd.te
 +++ b/rhsmcertd.te
 @@ -18,6 +18,9 @@ logging_log_file(rhsmcertd_log_t)
@@ -85164,7 +85590,7 @@ index d32e1a2..e030327 100644
  manage_dirs_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
  manage_files_pattern(rhsmcertd_t, rhsmcertd_var_lib_t, rhsmcertd_var_lib_t)
  
-@@ -50,25 +56,78 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
+@@ -50,25 +56,83 @@ manage_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
  files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
  
  kernel_read_network_state(rhsmcertd_t)
@@ -85211,8 +85637,12 @@ index d32e1a2..e030327 100644
  
  sysnet_dns_name_resolve(rhsmcertd_t)
  
- optional_policy(`
--	rpm_read_db(rhsmcertd_t)
++ifdef(`hide_broken_symptoms',`
++    exec_files_pattern(rhsmcertd_t, rhsmcertd_tmp_t, rhsmcertd_tmp_t)
++    exec_files_pattern(rhsmcertd_t, rhsmcertd_var_run_t, rhsmcertd_var_run_t)
++')
++
++optional_policy(`
 +    dbus_system_domain(rhsmcertd_t,rhsmcertd_exec_t)
 +')
 +
@@ -85245,7 +85675,8 @@ index d32e1a2..e030327 100644
 +    virt_signull(rhsmcertd_t)
 +')
 +
-+optional_policy(`
+ optional_policy(`
+-	rpm_read_db(rhsmcertd_t)
 +    unconfined_signull(rhsmcertd_t)
  ')
 diff --git a/ricci.if b/ricci.if
@@ -91902,10 +92333,10 @@ index 0000000..b7db254
 +# Empty
 diff --git a/sandbox.if b/sandbox.if
 new file mode 100644
-index 0000000..1e7c447
+index 0000000..b21026b
 --- /dev/null
 +++ b/sandbox.if
-@@ -0,0 +1,80 @@
+@@ -0,0 +1,92 @@
 +
 +## <summary>policy for sandbox</summary>
 +
@@ -91983,8 +92414,20 @@ index 0000000..1e7c447
 +
 +	application_type($1_t)
 +
++    # this is to satisfy the assertion:
++    dev_raw_memory_reader($1_t)
++    dev_raw_memory_writer($1_t)
++
 +	mls_rangetrans_target($1_t)
 +	mcs_constrained($1_t)
++
++    # this is to satisfy the assertion:
++    storage_rw_inherited_fixed_disk_dev($1_t)
++    storage_rw_inherited_scsi_generic($1_t)
++
++    # this is to satisfy the assertion:
++    auth_reader_shadow($1_t)
++    auth_writer_shadow($1_t)
 +')
 diff --git a/sandbox.te b/sandbox.te
 new file mode 100644
@@ -92066,7 +92509,7 @@ index 0000000..6caef63
 +/usr/share/sandbox/start --	gen_context(system_u:object_r:sandbox_exec_t,s0)
 diff --git a/sandboxX.if b/sandboxX.if
 new file mode 100644
-index 0000000..03bdcef
+index 0000000..5b65b7c
 --- /dev/null
 +++ b/sandboxX.if
 @@ -0,0 +1,395 @@
@@ -92157,7 +92600,7 @@ index 0000000..03bdcef
 +		attribute sandbox_type;
 +	')
 +
-+	type $1_t, sandbox_x_domain, sandbox_type;
++	type $1_t, sandbox_x_domain, sandbox_type, sandbox_web_type;
 +	application_type($1_t)
 +	mcs_constrained($1_t)
 +
@@ -92467,10 +92910,10 @@ index 0000000..03bdcef
 +')
 diff --git a/sandboxX.te b/sandboxX.te
 new file mode 100644
-index 0000000..a3319b0
+index 0000000..7a8e744
 --- /dev/null
 +++ b/sandboxX.te
-@@ -0,0 +1,501 @@
+@@ -0,0 +1,505 @@
 +policy_module(sandboxX,1.0.0)
 +
 +dbus_stub()
@@ -92764,6 +93207,10 @@ index 0000000..a3319b0
 +files_search_home(sandbox_x_t)
 +userdom_use_user_ptys(sandbox_x_t)
 +
++#1103622
++corenet_tcp_connect_xserver_port(sandbox_x_t)
++xserver_stream_connect(sandbox_x_t)
++
 +########################################
 +#
 +# sandbox_x_client_t local policy
@@ -108693,7 +109140,7 @@ index facdee8..a6dcaaa 100644
 +	typeattribute $1 sandbox_caps_domain;
  ')
 diff --git a/virt.te b/virt.te
-index f03dcf5..36afdd2 100644
+index f03dcf5..d15b4d3 100644
 --- a/virt.te
 +++ b/virt.te
 @@ -1,150 +1,241 @@
@@ -110193,7 +110640,7 @@ index f03dcf5..36afdd2 100644
  selinux_get_enforce_mode(virtd_lxc_t)
  selinux_get_fs_mount(virtd_lxc_t)
  selinux_validate_context(virtd_lxc_t)
-@@ -974,194 +1171,325 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1171,326 @@ selinux_compute_create_context(virtd_lxc_t)
  selinux_compute_relabel_context(virtd_lxc_t)
  selinux_compute_user_contexts(virtd_lxc_t)
  
@@ -110484,6 +110931,7 @@ index f03dcf5..36afdd2 100644
 +dontaudit svirt_lxc_net_t self:capability2  block_suspend ;
 +allow svirt_lxc_net_t self:process { execstack execmem };
 +manage_chr_files_pattern(svirt_lxc_net_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
++kernel_load_module(svirt_lxc_net_t)
 +
 +tunable_policy(`virt_sandbox_use_sys_admin',`
 +	allow svirt_lxc_net_t self:capability sys_admin;
@@ -110660,7 +111108,7 @@ index f03dcf5..36afdd2 100644
  allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
  allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
  
-@@ -1174,12 +1502,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1503,12 @@ dev_read_sysfs(virt_qmf_t)
  dev_read_rand(virt_qmf_t)
  dev_read_urand(virt_qmf_t)
  
@@ -110675,7 +111123,7 @@ index f03dcf5..36afdd2 100644
  sysnet_read_config(virt_qmf_t)
  
  optional_policy(`
-@@ -1192,9 +1520,8 @@ optional_policy(`
+@@ -1192,9 +1521,8 @@ optional_policy(`
  
  ########################################
  #
@@ -110686,7 +111134,7 @@ index f03dcf5..36afdd2 100644
  allow virt_bridgehelper_t self:process { setcap getcap };
  allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
  allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1207,5 +1534,242 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1207,5 +1535,242 @@ kernel_read_network_state(virt_bridgehelper_t)
  
  corenet_rw_tun_tap_dev(virt_bridgehelper_t)
  
@@ -111205,7 +111653,7 @@ index 20a1fb2..470ea95 100644
  	allow $2 { vmware_tmp_t vmware_file_t }:dir { manage_dir_perms relabel_dir_perms };
  	allow $2 { vmware_conf_t vmware_file_t vmware_tmp_t vmware_tmpfs_t }:file { manage_file_perms relabel_file_perms };
 diff --git a/vmware.te b/vmware.te
-index 4ad1894..d72037f 100644
+index 4ad1894..840409e 100644
 --- a/vmware.te
 +++ b/vmware.te
 @@ -65,7 +65,8 @@ ifdef(`enable_mcs',`
@@ -111218,7 +111666,11 @@ index 4ad1894..d72037f 100644
  dontaudit vmware_host_t self:capability sys_tty_config;
  allow vmware_host_t self:process { execstack execmem signal_perms };
  allow vmware_host_t self:fifo_file rw_fifo_file_perms;
-@@ -94,8 +95,8 @@ can_exec(vmware_host_t, vmware_host_exec_t)
+@@ -91,11 +92,12 @@ logging_log_filetrans(vmware_host_t, vmware_log_t, file)
+ 
+ can_exec(vmware_host_t, vmware_host_exec_t)
+ 
++kernel_load_module(vmware_host_t)
  kernel_read_kernel_sysctls(vmware_host_t)
  kernel_read_system_state(vmware_host_t)
  kernel_read_network_state(vmware_host_t)
@@ -111228,7 +111680,7 @@ index 4ad1894..d72037f 100644
  corenet_all_recvfrom_netlabel(vmware_host_t)
  corenet_tcp_sendrecv_generic_if(vmware_host_t)
  corenet_udp_sendrecv_generic_if(vmware_host_t)
-@@ -115,14 +116,13 @@ dev_getattr_all_blk_files(vmware_host_t)
+@@ -115,14 +117,13 @@ dev_getattr_all_blk_files(vmware_host_t)
  dev_read_sysfs(vmware_host_t)
  dev_read_urand(vmware_host_t)
  dev_rw_vmware(vmware_host_t)
@@ -111244,7 +111696,7 @@ index 4ad1894..d72037f 100644
  
  fs_getattr_all_fs(vmware_host_t)
  fs_search_auto_mountpoints(vmware_host_t)
-@@ -138,23 +138,27 @@ libs_exec_ld_so(vmware_host_t)
+@@ -138,23 +139,27 @@ libs_exec_ld_so(vmware_host_t)
  
  logging_send_syslog_msg(vmware_host_t)
  
@@ -111276,7 +111728,7 @@ index 4ad1894..d72037f 100644
  
  optional_policy(`
  	samba_read_config(vmware_host_t)
-@@ -244,9 +248,7 @@ dev_search_sysfs(vmware_t)
+@@ -244,9 +249,7 @@ dev_search_sysfs(vmware_t)
  
  domain_use_interactive_fds(vmware_t)
  
@@ -111286,7 +111738,7 @@ index 4ad1894..d72037f 100644
  files_list_home(vmware_t)
  
  fs_getattr_all_fs(vmware_t)
-@@ -258,9 +260,8 @@ storage_raw_write_removable_device(vmware_t)
+@@ -258,9 +261,8 @@ storage_raw_write_removable_device(vmware_t)
  libs_exec_ld_so(vmware_t)
  libs_read_lib_files(vmware_t)
  
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d5babb9..59f6779 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 142%{?dist}
+Release: 143%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -647,6 +647,35 @@ exit 0
 %endif
 
 %changelog
+* Fri Aug 21 2015 Miroslav Grepl <mgrepl@redhat.com> 3.13.1-143
+- Add ipmievd policy creaed by vmojzis@redhat.com
+- Call kernel_load_module(vmware_host_t) to satisfy neverallow assertion for sys_moudle in MLS where unconfined is disabled.
+- Allow NetworkManager to write audit log messages
+- Add new policy for ipmievd (ipmitool).
+- mirrormanager needs to be application domain and cron_system_entry needs to be called in optional block.
+- Allow sandbox domain to be also /dev/mem writer
+- Fix neverallow assertion for sys_module capability for openvswitch.
+- kernel_load_module() needs to be called out of boolean for svirt_lxc_net_t.
+- Fix neverallow assertion for sys_module capability.
+- Add more attributes for sandbox domains to avoid neverallow assertion issues.  
+- Add neverallow asserition fixes related to storage.
+- Allow exec pidof under hypervkvp domain. Allow hypervkvp daemon create connection to the system DBUS
+- Allow openhpid_t to read system state.
+- Add temporary fixes for sandbox related to #1103622. It allows to run everything under one sandbox type.
+- Added labels for files provided by rh-nginx18 collection
+- Dontaudit block_suspend capability for ipa_helper_t, this is kernel bug. Allow ipa_helper_t capability net_admin. Allow ipa_helper_t to list /tmp. Allow ipa_helper_t to read rpm db.
+- Allow rhsmcertd exec rhsmcertd_var_run_t files and rhsmcerd_tmp_t files. This rules are in hide_broken_sympthons until we find better solution.
+- Update files_manage_all_files to contain auth_reader_shadow and auth_writer_shadow tosatisfy neverallow assertions.
+- Update files_relabel_all_files() interface to contain auth_relabelto_shadow() interface to satisfy neverallow assertion.
+- seunshare domains needs to have set_curr_context attribute to resolve neverallow assertion issues.
+- Add dev_raw_memory_writer() interface
+- Add auth_reader_shadow() and auth_writer_shadow() interfaces
+- Add dev_raw_memory_reader() interface.
+- Add storage_rw_inherited_scsi_generic() interface.
+- Update files_relabel_non_auth_files() to contain seutil_relabelto_bin_policy() to make neverallow assertion working.
+- Update kernel_read_all_proc() interface to contain can_dump_kernel and can_receive_kernel_messages attributes  to fix neverallow violated issue for proc_kcore_t and proc_kmsg_t.
+- Update storage_rw_inherited_fixed_disk_dev() interface to use proper attributes to fix neverallow violated issues caused by neverallow check during build process.
+
 * Tue Aug 18 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-142
 - Allow samba_net_t to manage samba_var_t sock files.
 - Allow httpd daemon to manage httpd_var_lib_t lnk_files.