diff --git a/policy-F16.patch b/policy-F16.patch
index ce2d8d9..3dbb7e8 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -1048,7 +1048,7 @@ index 4f7bd3c..a29af21 100644
- unconfined_domain(kudzu_t)
')
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
-index 7090dae..c4bbe69 100644
+index 7090dae..0db59d1 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -39,6 +39,7 @@ allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimi
@@ -1098,7 +1098,18 @@ index 7090dae..c4bbe69 100644
# for savelog
can_exec(logrotate_t, logrotate_exec_t)
-@@ -162,10 +163,20 @@ optional_policy(`
+@@ -154,6 +155,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ awstats_domtrans(logrotate_t)
++')
++
++optional_policy(`
+ asterisk_domtrans(logrotate_t)
+ ')
+
+@@ -162,10 +167,20 @@ optional_policy(`
')
optional_policy(`
@@ -1119,7 +1130,7 @@ index 7090dae..c4bbe69 100644
cups_domtrans(logrotate_t)
')
-@@ -203,7 +214,6 @@ optional_policy(`
+@@ -203,7 +218,6 @@ optional_policy(`
psad_domtrans(logrotate_t)
')
@@ -1127,7 +1138,7 @@ index 7090dae..c4bbe69 100644
optional_policy(`
samba_exec_log(logrotate_t)
')
-@@ -228,3 +238,14 @@ optional_policy(`
+@@ -228,3 +242,14 @@ optional_policy(`
optional_policy(`
varnishd_manage_log(logrotate_t)
')
@@ -3901,6 +3912,36 @@ index 48cf11b..9787bd4 100644
-/usr/lib(64)?/authbind/helper -- gen_context(system_u:object_r:authbind_exec_t,s0)
+/usr/lib/authbind/helper -- gen_context(system_u:object_r:authbind_exec_t,s0)
+diff --git a/policy/modules/apps/awstats.if b/policy/modules/apps/awstats.if
+index 283ff0d..53f9ba1 100644
+--- a/policy/modules/apps/awstats.if
++++ b/policy/modules/apps/awstats.if
+@@ -5,6 +5,25 @@
+
+ ########################################
+ ##
++## Execute the awstats program in the awstats domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`awstats_domtrans',`
++ gen_require(`
++ type awstats_t, awstats_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, awstats_exec_t, awstats_t)
++')
++
++########################################
++##
+ ## Read and write awstats unnamed pipes.
+ ##
+ ##
diff --git a/policy/modules/apps/cdrecord.te b/policy/modules/apps/cdrecord.te
index 46ea44f..f7183ef 100644
--- a/policy/modules/apps/cdrecord.te
@@ -4744,7 +4785,7 @@ index 00a19e3..9f6139c 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..8136040 100644
+index f5afe78..19f3c30 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -1,44 +1,731 @@
@@ -5404,11 +5445,10 @@ index f5afe78..8136040 100644
+## Search gkeyringd temporary directories.
+##
+##
- ##
--## Role allowed access
++##
+## Domain allowed access.
- ##
- ##
++##
++##
+#
+interface(`gnome_search_gkeyringd_tmp_dirs',`
+ gen_require(`
@@ -5423,22 +5463,18 @@ index f5afe78..8136040 100644
+##
+## search gconf homedir (.local)
+##
- ##
++##
##
--## User domain for the role
+-## Role allowed access
+## Domain allowed access.
##
##
- #
--interface(`gnome_role',`
++#
+interface(`gnome_search_gconf',`
- gen_require(`
-- type gconfd_t, gconfd_exec_t;
-- type gconf_tmp_t;
++ gen_require(`
+ type gconf_home_t;
- ')
-
-- role $1 types gconfd_t;
++ ')
++
+ allow $1 gconf_home_t:dir search_dir_perms;
+ userdom_search_user_home_dirs($1)
+')
@@ -5447,17 +5483,23 @@ index f5afe78..8136040 100644
+##
+## Set attributes of Gnome config dirs.
+##
-+##
-+##
+ ##
+ ##
+-## User domain for the role
+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`gnome_role',`
+interface(`gnome_setattr_config_dirs',`
-+ gen_require(`
+ gen_require(`
+- type gconfd_t, gconfd_exec_t;
+- type gconf_tmp_t;
+ type gnome_home_t;
-+ ')
+ ')
+- role $1 types gconfd_t;
+-
- domain_auto_trans($2, gconfd_exec_t, gconfd_t)
- allow gconfd_t $2:fd use;
- allow gconfd_t $2:fifo_file write;
@@ -5546,7 +5588,7 @@ index f5afe78..8136040 100644
##
##
##
-@@ -84,37 +770,42 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +770,60 @@ template(`gnome_read_gconf_config',`
##
##
#
@@ -5568,66 +5610,84 @@ index f5afe78..8136040 100644
-## gconf connection template.
+## Connect to gnome over an unix stream socket.
##
--##
+##
- ##
- ## Domain allowed access.
- ##
- ##
-+##
+##
++## Domain allowed access.
++##
++##
+ ##
+ ##
+## The type of the user domain.
+##
+##
++#
++interface(`gnome_stream_connect',`
++ gen_require(`
++ attribute gnome_home_type;
++ ')
++
++ # Connect to pulseaudit server
++ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
++')
++
++########################################
++##
++## list gnome homedir content (.config)
++##
++##
++##
+ ## Domain allowed access.
+ ##
+ ##
#
-interface(`gnome_stream_connect_gconf',`
-+interface(`gnome_stream_connect',`
++interface(`gnome_list_home_config',`
gen_require(`
- type gconfd_t, gconf_tmp_t;
-+ attribute gnome_home_type;
++ type config_home_t;
')
- read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
- allow $1 gconfd_t:unix_stream_socket connectto;
-+ # Connect to pulseaudit server
-+ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
++ allow $1 config_home_t:dir list_dir_perms;
')
########################################
##
-## Run gconfd in gconfd domain.
-+## list gnome homedir content (.config)
++## Set attributes of gnome homedir content (.config)
##
##
##
-@@ -122,17 +813,17 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +831,18 @@ interface(`gnome_stream_connect_gconf',`
##
##
#
-interface(`gnome_domtrans_gconfd',`
-+interface(`gnome_list_home_config',`
++interface(`gnome_setattr_home_config',`
gen_require(`
- type gconfd_t, gconfd_exec_t;
+ type config_home_t;
')
- domtrans_pattern($1, gconfd_exec_t, gconfd_t)
-+ allow $1 config_home_t:dir list_dir_perms;
++ setattr_dirs_pattern($1, config_home_t, config_home_t)
++ userdom_search_user_home_dirs($1)
')
########################################
##
-## Set attributes of Gnome config dirs.
-+## Set attributes of gnome homedir content (.config)
++## read gnome homedir content (.config)
##
##
##
-@@ -140,51 +831,356 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +850,355 @@ interface(`gnome_domtrans_gconfd',`
##
##
#
-interface(`gnome_setattr_config_dirs',`
-+interface(`gnome_setattr_home_config',`
++interface(`gnome_read_home_config',`
gen_require(`
- type gnome_home_t;
+ type config_home_t;
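Review bot: The new gnome_stream_connect interface documents its second parameter as `## The type of the user domain.` although `stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)` uses `$2` as the server domain that `$1` connects to, and the inline comment `# Connect to pulseaudit server` looks like a typo. Suggested text: summary `## Connect to a server over a unix stream socket in gnome home content.`, second parameter `## Domain of the server being connected to.`, and, if pulseaudio is the intended peer, `# Connect to pulseaudio server`. Since the sock_file and its directory are both matched by the gnome_home_type attribute, `$1` may write to sock_files of every type carrying that attribute, which the summary should state rather than the narrower "connect to gnome".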
@@ -5635,14 +5695,15 @@ index f5afe78..8136040 100644
- setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
- files_search_home($1)
-+ setattr_dirs_pattern($1, config_home_t, config_home_t)
-+ userdom_search_user_home_dirs($1)
++ list_dirs_pattern($1, config_home_t, config_home_t)
++ read_files_pattern($1, config_home_t, config_home_t)
++ read_lnk_files_pattern($1, config_home_t, config_home_t)
')
########################################
##
-## Read gnome homedir content (.config)
-+## read gnome homedir content (.config)
++## manage gnome homedir content (.config)
##
-##
+##
@@ -5652,7 +5713,7 @@ index f5afe78..8136040 100644
##
#
-template(`gnome_read_config',`
-+interface(`gnome_read_home_config',`
++interface(`gnome_manage_home_config',`
gen_require(`
- type gnome_home_t;
+ type config_home_t;
@@ -5661,9 +5722,7 @@ index f5afe78..8136040 100644
- list_dirs_pattern($1, gnome_home_t, gnome_home_t)
- read_files_pattern($1, gnome_home_t, gnome_home_t)
- read_lnk_files_pattern($1, gnome_home_t, gnome_home_t)
-+ list_dirs_pattern($1, config_home_t, config_home_t)
-+ read_files_pattern($1, config_home_t, config_home_t)
-+ read_lnk_files_pattern($1, config_home_t, config_home_t)
++ manage_files_pattern($1, config_home_t, config_home_t)
')
########################################
@@ -5678,12 +5737,12 @@ index f5afe78..8136040 100644
##
#
-interface(`gnome_manage_config',`
-+interface(`gnome_manage_home_config',`
++interface(`gnome_manage_home_config_dirs',`
+ gen_require(`
+ type config_home_t;
+ ')
+
-+ manage_files_pattern($1, config_home_t, config_home_t)
++ manage_dirs_pattern($1, config_home_t, config_home_t)
+')
+
+########################################
@@ -10573,7 +10632,7 @@ index 3cfb128..609921d 100644
+ ')
+')
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
-index 2533ea0..7c8de51 100644
+index 2533ea0..11187e0 100644
--- a/policy/modules/apps/telepathy.te
+++ b/policy/modules/apps/telepathy.te
@@ -67,6 +67,14 @@ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble
@@ -10620,7 +10679,7 @@ index 2533ea0..7c8de51 100644
+optional_policy(`
+# ~/.config/dconf/user
-+ gnome_read_home_config(telepathy_logger_t)
++ gnome_manage_home_config(telepathy_logger_t)
+')
+
#######################################
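Review bot: `gnome_manage_home_config(telepathy_logger_t)` widens telepathy_logger_t from read to full manage (create, write, unlink) of every config_home_t file under the user's ~/.config, while the comment above it names only `~/.config/dconf/user`. If writing that one dconf database is what is required, the comment should say so and why read was insufficient, e.g. `# telepathy-logger presumably updates ~/.config/dconf/user; read on config_home_t was not enough`; a dedicated type for the dconf database would keep the grant off the rest of ~/.config. The enclosing optional_policy block is fully inside the hunk.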
@@ -19216,7 +19275,7 @@ index be4de58..7e8b6ec 100644
init_exec(secadm_t)
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..afb3532 100644
+index 2be17d2..a1156ed 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,53 @@ policy_module(staff, 2.2.0)
@@ -19273,7 +19332,7 @@ index 2be17d2..afb3532 100644
optional_policy(`
apache_role(staff_r, staff_t)
')
-@@ -27,19 +68,103 @@ optional_policy(`
+@@ -27,19 +68,107 @@ optional_policy(`
')
optional_policy(`
@@ -19343,6 +19402,10 @@ index 2be17d2..afb3532 100644
+')
+
+optional_policy(`
++ mta_role(staff_r, staff_t)
++')
++
++optional_policy(`
+ mysql_exec(staff_t)
+')
+
@@ -19379,7 +19442,7 @@ index 2be17d2..afb3532 100644
')
optional_policy(`
-@@ -48,10 +173,48 @@ optional_policy(`
+@@ -48,10 +177,48 @@ optional_policy(`
')
optional_policy(`
@@ -19428,7 +19491,7 @@ index 2be17d2..afb3532 100644
xserver_role(staff_r, staff_t)
')
-@@ -89,18 +252,10 @@ ifndef(`distro_redhat',`
+@@ -89,18 +256,10 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -19447,6 +19510,17 @@ index 2be17d2..afb3532 100644
java_role(staff_r, staff_t)
')
+@@ -121,10 +280,6 @@ ifndef(`distro_redhat',`
+ ')
+
+ optional_policy(`
+- mta_role(staff_r, staff_t)
+- ')
+-
+- optional_policy(`
+ pyzor_role(staff_r, staff_t)
+ ')
+
@@ -137,10 +292,6 @@ ifndef(`distro_redhat',`
')
@@ -21117,10 +21191,10 @@ index 0000000..1105ff5
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index e5bfdd4..42c1458 100644
+index e5bfdd4..77f4b39 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
-@@ -12,15 +12,82 @@ role user_r;
+@@ -12,15 +12,86 @@ role user_r;
userdom_unpriv_user_template(user)
@@ -21167,6 +21241,10 @@ index e5bfdd4..42c1458 100644
+')
+
+optional_policy(`
++ mta_role(user_r, user_t)
++')
++
++optional_policy(`
+ netutils_run_ping_cond(user_t, user_r)
+ netutils_run_traceroute_cond(user_t, user_r)
+')
@@ -21203,7 +21281,7 @@ index e5bfdd4..42c1458 100644
vlock_run(user_t, user_r)
')
-@@ -62,19 +129,11 @@ ifndef(`distro_redhat',`
+@@ -62,19 +133,11 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -21224,6 +21302,17 @@ index e5bfdd4..42c1458 100644
')
optional_policy(`
+@@ -98,10 +161,6 @@ ifndef(`distro_redhat',`
+ ')
+
+ optional_policy(`
+- mta_role(user_r, user_t)
+- ')
+-
+- optional_policy(`
+ postgresql_role(user_r, user_t)
+ ')
+
@@ -118,11 +177,7 @@ ifndef(`distro_redhat',`
')
@@ -22655,7 +22744,7 @@ index 9e39aa5..83dbd34 100644
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
-index 6480167..1b928cb 100644
+index 6480167..b963935 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -13,17 +13,13 @@
@@ -23025,7 +23114,7 @@ index 6480167..1b928cb 100644
+ ')
+
+ allow $1 httpd_sys_script_exec_t:dir search_dir_perms;
-+ can_exec($1, httpd_sys_script_exec_t;
++ can_exec($1, httpd_sys_script_exec_t)
+')
+
########################################
@@ -24584,7 +24673,7 @@ index 8b8143e..c1a2b96 100644
init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
-index b3b0176..7cc09e8 100644
+index b3b0176..987245c 100644
--- a/policy/modules/services/asterisk.te
+++ b/policy/modules/services/asterisk.te
@@ -19,10 +19,11 @@ type asterisk_log_t;
@@ -24624,16 +24713,17 @@ index b3b0176..7cc09e8 100644
kernel_read_system_state(asterisk_t)
kernel_read_kernel_sysctls(asterisk_t)
-@@ -108,6 +110,8 @@ corenet_tcp_bind_generic_port(asterisk_t)
+@@ -108,6 +110,9 @@ corenet_tcp_bind_generic_port(asterisk_t)
corenet_udp_bind_generic_port(asterisk_t)
corenet_dontaudit_udp_bind_all_ports(asterisk_t)
corenet_sendrecv_generic_server_packets(asterisk_t)
+corenet_tcp_connect_festival_port(asterisk_t)
++corenet_tcp_connect_jabber_client_port(asterisk_t)
+corenet_tcp_connect_pktcable_port(asterisk_t)
corenet_tcp_connect_postgresql_port(asterisk_t)
corenet_tcp_connect_snmp_port(asterisk_t)
corenet_tcp_connect_sip_port(asterisk_t)
-@@ -116,6 +120,7 @@ dev_rw_generic_usb_dev(asterisk_t)
+@@ -116,6 +121,7 @@ dev_rw_generic_usb_dev(asterisk_t)
dev_read_sysfs(asterisk_t)
dev_read_sound(asterisk_t)
dev_write_sound(asterisk_t)
@@ -24641,7 +24731,7 @@ index b3b0176..7cc09e8 100644
dev_read_urand(asterisk_t)
domain_use_interactive_fds(asterisk_t)
-@@ -125,6 +130,7 @@ files_search_spool(asterisk_t)
+@@ -125,6 +131,7 @@ files_search_spool(asterisk_t)
# demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm
# are labeled usr_t
files_read_usr_files(asterisk_t)
@@ -24649,7 +24739,7 @@ index b3b0176..7cc09e8 100644
fs_getattr_all_fs(asterisk_t)
fs_list_inotifyfs(asterisk_t)
-@@ -141,6 +147,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
+@@ -141,6 +148,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
userdom_dontaudit_search_user_home_dirs(asterisk_t)
optional_policy(`
@@ -47206,7 +47296,7 @@ index b64b02f..166e9c3 100644
+ read_files_pattern($1, procmail_home_t, procmail_home_t)
+')
diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
-index 29b9295..e1ae545 100644
+index 29b9295..6451f82 100644
--- a/policy/modules/services/procmail.te
+++ b/policy/modules/services/procmail.te
@@ -10,6 +10,9 @@ type procmail_exec_t;
@@ -47228,12 +47318,14 @@ index 29b9295..e1ae545 100644
create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
read_lnk_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
-@@ -75,10 +78,18 @@ files_search_pids(procmail_t)
+@@ -75,10 +78,20 @@ files_search_pids(procmail_t)
# for spamassasin
files_read_usr_files(procmail_t)
+application_exec_all(procmail_t)
+
++init_read_utmp(procmail_t)
++
logging_send_syslog_msg(procmail_t)
+logging_append_all_logs(procmail_t)
@@ -47247,7 +47339,7 @@ index 29b9295..e1ae545 100644
# only works until we define a different type for maildir
userdom_manage_user_home_content_dirs(procmail_t)
userdom_manage_user_home_content_files(procmail_t)
-@@ -87,8 +98,8 @@ userdom_manage_user_home_content_pipes(procmail_t)
+@@ -87,8 +100,8 @@ userdom_manage_user_home_content_pipes(procmail_t)
userdom_manage_user_home_content_sockets(procmail_t)
userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file })
@@ -47258,7 +47350,7 @@ index 29b9295..e1ae545 100644
mta_manage_spool(procmail_t)
mta_read_queue(procmail_t)
-@@ -125,6 +136,11 @@ optional_policy(`
+@@ -125,6 +138,11 @@ optional_policy(`
postfix_read_spool_files(procmail_t)
postfix_read_local_state(procmail_t)
postfix_read_master_state(procmail_t)
@@ -54185,7 +54277,7 @@ index 078bcd7..2d60774 100644
+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index 22adaca..3b7fec1 100644
+index 22adaca..040ec9b 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -32,10 +32,10 @@
@@ -54385,7 +54477,7 @@ index 22adaca..3b7fec1 100644
type ssh_t, ssh_exec_t, ssh_tmpfs_t, ssh_home_t;
type ssh_agent_exec_t, ssh_keysign_t, ssh_tmpfs_t;
type ssh_agent_tmp_t;
-@@ -327,7 +367,7 @@ template(`ssh_role_template',`
+@@ -327,17 +367,19 @@ template(`ssh_role_template',`
# allow ps to show ssh
ps_process_pattern($3, ssh_t)
@@ -54394,7 +54486,11 @@ index 22adaca..3b7fec1 100644
# for rsync
allow ssh_t $3:unix_stream_socket rw_socket_perms;
-@@ -338,6 +378,7 @@ template(`ssh_role_template',`
+ allow ssh_t $3:unix_stream_socket connectto;
++ allow ssh_t $3:key manage_key_perms;
+
+ # user can manage the keys and config
+ manage_files_pattern($3, ssh_home_t, ssh_home_t)
manage_lnk_files_pattern($3, ssh_home_t, ssh_home_t)
manage_sock_files_pattern($3, ssh_home_t, ssh_home_t)
userdom_search_user_home_dirs($1_t)
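Review bot: `allow ssh_t $3:key manage_key_perms;` hands the ssh client every keyring permission on the user's keys, including write and setattr, and no comment says which keyring use motivates it; the changelog entry `Allow ssh_t to manage directories passed into it` does not describe a key rule, so the intent cannot be checked against it. If ssh only needs to look keys up (the usual pattern for credential caches kept in a keyring — TODO confirm), `allow ssh_t $3:key { view read search };` would be enough; otherwise add `# ssh_t needs full access to the user keyring for <reason>` above the rule. The enclosing ssh_role_template starts and ends outside the hunk.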
@@ -54402,7 +54498,7 @@ index 22adaca..3b7fec1 100644
##############################
#
-@@ -359,7 +400,7 @@ template(`ssh_role_template',`
+@@ -359,7 +401,7 @@ template(`ssh_role_template',`
stream_connect_pattern($3, ssh_agent_tmp_t, ssh_agent_tmp_t, $1_ssh_agent_t)
# Allow the user shell to signal the ssh program.
@@ -54411,7 +54507,7 @@ index 22adaca..3b7fec1 100644
# allow ps to show ssh
ps_process_pattern($3, $1_ssh_agent_t)
-@@ -381,7 +422,6 @@ template(`ssh_role_template',`
+@@ -381,7 +423,6 @@ template(`ssh_role_template',`
files_read_etc_files($1_ssh_agent_t)
files_read_etc_runtime_files($1_ssh_agent_t)
@@ -54419,7 +54515,7 @@ index 22adaca..3b7fec1 100644
libs_read_lib_files($1_ssh_agent_t)
-@@ -393,14 +433,13 @@ template(`ssh_role_template',`
+@@ -393,14 +434,13 @@ template(`ssh_role_template',`
seutil_dontaudit_read_config($1_ssh_agent_t)
# Write to the user domain tty.
@@ -54437,7 +54533,7 @@ index 22adaca..3b7fec1 100644
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_ssh_agent_t)
-@@ -477,8 +516,27 @@ interface(`ssh_read_pipes',`
+@@ -477,8 +517,27 @@ interface(`ssh_read_pipes',`
type sshd_t;
')
@@ -54466,7 +54562,7 @@ index 22adaca..3b7fec1 100644
########################################
##
## Read and write a ssh server unnamed pipe.
-@@ -494,7 +552,7 @@ interface(`ssh_rw_pipes',`
+@@ -494,7 +553,7 @@ interface(`ssh_rw_pipes',`
type sshd_t;
')
@@ -54475,7 +54571,7 @@ index 22adaca..3b7fec1 100644
')
########################################
-@@ -586,6 +644,24 @@ interface(`ssh_domtrans',`
+@@ -586,6 +645,24 @@ interface(`ssh_domtrans',`
########################################
##
@@ -54500,7 +54596,7 @@ index 22adaca..3b7fec1 100644
## Execute the ssh client in the caller domain.
##
##
-@@ -618,7 +694,7 @@ interface(`ssh_setattr_key_files',`
+@@ -618,7 +695,7 @@ interface(`ssh_setattr_key_files',`
type sshd_key_t;
')
@@ -54509,7 +54605,7 @@ index 22adaca..3b7fec1 100644
files_search_pids($1)
')
-@@ -680,6 +756,32 @@ interface(`ssh_domtrans_keygen',`
+@@ -680,6 +757,32 @@ interface(`ssh_domtrans_keygen',`
domtrans_pattern($1, ssh_keygen_exec_t, ssh_keygen_t)
')
@@ -54542,7 +54638,7 @@ index 22adaca..3b7fec1 100644
########################################
##
## Read ssh server keys
-@@ -695,7 +797,7 @@ interface(`ssh_dontaudit_read_server_keys',`
+@@ -695,7 +798,7 @@ interface(`ssh_dontaudit_read_server_keys',`
type sshd_key_t;
')
@@ -54551,7 +54647,7 @@ index 22adaca..3b7fec1 100644
')
######################################
-@@ -735,3 +837,81 @@ interface(`ssh_delete_tmp',`
+@@ -735,3 +838,81 @@ interface(`ssh_delete_tmp',`
files_search_tmp($1)
delete_files_pattern($1, sshd_tmp_t, sshd_tmp_t)
')
@@ -62905,7 +63001,7 @@ index 94fd8dd..b5e5c70 100644
+ read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..8c027c2 100644
+index 29a9565..1c92ab6 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@@ -63084,7 +63180,7 @@ index 29a9565..8c027c2 100644
corecmd_shell_domtrans(init_t, initrc_t)
',`
# Run the shell in the sysadm role for single-user mode.
-@@ -186,16 +247,137 @@ tunable_policy(`init_upstart',`
+@@ -186,16 +247,138 @@ tunable_policy(`init_upstart',`
sysadm_shell_domtrans(init_t)
')
@@ -63181,6 +63277,7 @@ index 29a9565..8c027c2 100644
+ seutil_read_file_contexts(init_t)
+
+ systemd_exec_systemctl(init_t)
++ systemd_manage_unit_dirs(init_t)
+ systemd_manage_all_unit_files(init_t)
+ systemd_logger_stream_connect(init_t)
+
@@ -63224,7 +63321,7 @@ index 29a9565..8c027c2 100644
')
optional_policy(`
-@@ -203,6 +385,17 @@ optional_policy(`
+@@ -203,6 +386,17 @@ optional_policy(`
')
optional_policy(`
@@ -63242,7 +63339,7 @@ index 29a9565..8c027c2 100644
unconfined_domain(init_t)
')
-@@ -212,7 +405,7 @@ optional_policy(`
+@@ -212,7 +406,7 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -63251,7 +63348,7 @@ index 29a9565..8c027c2 100644
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -241,12 +434,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +435,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -63267,7 +63364,7 @@ index 29a9565..8c027c2 100644
init_write_initctl(initrc_t)
-@@ -258,20 +454,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +455,32 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -63304,7 +63401,7 @@ index 29a9565..8c027c2 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +487,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +488,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -63312,7 +63409,7 @@ index 29a9565..8c027c2 100644
dev_write_kmsg(initrc_t)
dev_write_rand(initrc_t)
dev_write_urand(initrc_t)
-@@ -289,8 +498,10 @@ dev_write_framebuffer(initrc_t)
+@@ -289,8 +499,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -63323,7 +63420,7 @@ index 29a9565..8c027c2 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -298,13 +509,14 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +510,14 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -63340,7 +63437,7 @@ index 29a9565..8c027c2 100644
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
-@@ -316,6 +528,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +529,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -63348,7 +63445,7 @@ index 29a9565..8c027c2 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -323,8 +536,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +537,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -63360,7 +63457,7 @@ index 29a9565..8c027c2 100644
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -340,8 +555,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +556,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -63374,7 +63471,7 @@ index 29a9565..8c027c2 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -351,6 +570,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +571,8 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -63383,7 +63480,7 @@ index 29a9565..8c027c2 100644
# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
-@@ -363,6 +584,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +585,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -63391,7 +63488,7 @@ index 29a9565..8c027c2 100644
selinux_get_enforce_mode(initrc_t)
-@@ -374,6 +596,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +597,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -63399,7 +63496,7 @@ index 29a9565..8c027c2 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -394,18 +617,17 @@ logging_read_audit_config(initrc_t)
+@@ -394,18 +618,17 @@ logging_read_audit_config(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -63421,7 +63518,7 @@ index 29a9565..8c027c2 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -458,6 +680,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +681,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -63432,7 +63529,7 @@ index 29a9565..8c027c2 100644
alsa_read_lib(initrc_t)
')
-@@ -478,7 +704,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +705,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -63441,7 +63538,7 @@ index 29a9565..8c027c2 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -493,6 +719,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +720,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -63449,7 +63546,7 @@ index 29a9565..8c027c2 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -522,8 +749,33 @@ ifdef(`distro_redhat',`
+@@ -522,8 +750,33 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -63483,7 +63580,7 @@ index 29a9565..8c027c2 100644
')
optional_policy(`
-@@ -531,10 +783,22 @@ ifdef(`distro_redhat',`
+@@ -531,10 +784,22 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -63506,7 +63603,7 @@ index 29a9565..8c027c2 100644
')
optional_policy(`
-@@ -549,6 +813,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +814,39 @@ ifdef(`distro_suse',`
')
')
@@ -63546,7 +63643,7 @@ index 29a9565..8c027c2 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +858,8 @@ optional_policy(`
+@@ -561,6 +859,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -63555,7 +63652,7 @@ index 29a9565..8c027c2 100644
')
optional_policy(`
-@@ -577,6 +876,7 @@ optional_policy(`
+@@ -577,6 +877,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -63563,7 +63660,7 @@ index 29a9565..8c027c2 100644
')
optional_policy(`
-@@ -589,6 +889,17 @@ optional_policy(`
+@@ -589,6 +890,17 @@ optional_policy(`
')
optional_policy(`
@@ -63581,7 +63678,7 @@ index 29a9565..8c027c2 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -605,9 +916,13 @@ optional_policy(`
+@@ -605,9 +917,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -63595,7 +63692,7 @@ index 29a9565..8c027c2 100644
')
optional_policy(`
-@@ -632,6 +947,10 @@ optional_policy(`
+@@ -632,6 +948,10 @@ optional_policy(`
')
optional_policy(`
@@ -63606,7 +63703,7 @@ index 29a9565..8c027c2 100644
gpm_setattr_gpmctl(initrc_t)
')
-@@ -649,6 +968,11 @@ optional_policy(`
+@@ -649,6 +969,11 @@ optional_policy(`
')
optional_policy(`
@@ -63618,7 +63715,7 @@ index 29a9565..8c027c2 100644
inn_exec_config(initrc_t)
')
-@@ -689,6 +1013,7 @@ optional_policy(`
+@@ -689,6 +1014,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -63626,7 +63723,7 @@ index 29a9565..8c027c2 100644
')
optional_policy(`
-@@ -706,7 +1031,13 @@ optional_policy(`
+@@ -706,7 +1032,13 @@ optional_policy(`
')
optional_policy(`
@@ -63640,7 +63737,7 @@ index 29a9565..8c027c2 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -729,6 +1060,10 @@ optional_policy(`
+@@ -729,6 +1061,10 @@ optional_policy(`
')
optional_policy(`
@@ -63651,7 +63748,7 @@ index 29a9565..8c027c2 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -738,10 +1073,20 @@ optional_policy(`
+@@ -738,10 +1074,20 @@ optional_policy(`
')
optional_policy(`
@@ -63672,7 +63769,7 @@ index 29a9565..8c027c2 100644
quota_manage_flags(initrc_t)
')
-@@ -750,6 +1095,10 @@ optional_policy(`
+@@ -750,6 +1096,10 @@ optional_policy(`
')
optional_policy(`
@@ -63683,7 +63780,7 @@ index 29a9565..8c027c2 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -771,8 +1120,6 @@ optional_policy(`
+@@ -771,8 +1121,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -63692,7 +63789,7 @@ index 29a9565..8c027c2 100644
')
optional_policy(`
-@@ -790,10 +1137,12 @@ optional_policy(`
+@@ -790,10 +1138,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -63705,7 +63802,7 @@ index 29a9565..8c027c2 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,7 +1154,6 @@ optional_policy(`
+@@ -805,7 +1155,6 @@ optional_policy(`
')
optional_policy(`
@@ -63713,7 +63810,7 @@ index 29a9565..8c027c2 100644
udev_manage_pid_files(initrc_t)
udev_manage_rules_files(initrc_t)
')
-@@ -815,11 +1163,26 @@ optional_policy(`
+@@ -815,11 +1164,26 @@ optional_policy(`
')
optional_policy(`
@@ -63741,7 +63838,7 @@ index 29a9565..8c027c2 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1192,25 @@ optional_policy(`
+@@ -829,6 +1193,25 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -63767,7 +63864,7 @@ index 29a9565..8c027c2 100644
')
optional_policy(`
-@@ -844,6 +1226,10 @@ optional_policy(`
+@@ -844,6 +1227,10 @@ optional_policy(`
')
optional_policy(`
@@ -63778,7 +63875,7 @@ index 29a9565..8c027c2 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -854,3 +1240,149 @@ optional_policy(`
+@@ -854,3 +1241,151 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -63834,6 +63931,8 @@ index 29a9565..8c027c2 100644
+ allow init_t daemon:unix_dgram_socket create_socket_perms;
+ allow init_t daemon:tcp_socket create_stream_socket_perms;
+ allow daemon init_t:unix_dgram_socket sendto;
++ # need write to /var/run/systemd/notify
++ init_write_pid_socket(daemon)
+ dontaudit daemon init_t:unix_stream_socket { read ioctl getattr };
+')
+
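Review bot: `init_write_pid_socket(daemon)` is applied to the whole daemon attribute, and if that interface grants write on every init_var_run_t sock_file (its body is not in this hunk, so this is inferred from the name) it reaches more than the notify socket named in `# need write to /var/run/systemd/notify`. Consider a dedicated type for the notify socket, or at least extend the comment to `# need write to /var/run/systemd/notify (grants write on all init_var_run_t sockets)` so the real scope is visible. The enclosing block starts outside the hunk.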
@@ -68561,10 +68660,10 @@ index 0000000..9eaa38e
+/var/run/initramfs(/.*)? <>
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
-index 0000000..eb3673d
+index 0000000..25872de
--- /dev/null
+++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,436 @@
+@@ -0,0 +1,454 @@
+## SELinux policy for systemd components
+
+#######################################
@@ -68945,6 +69044,24 @@ index 0000000..eb3673d
+
+########################################
+##
++## manage systemd unit dirs
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`systemd_manage_unit_dirs',`
++ gen_require(`
++ attribute systemd_unit_file_type;
++ ')
++
++ manage_dirs_pattern($1, systemd_unit_file_type, systemd_unit_file_type)
++')
++
++########################################
++##
+## manage all systemd unit files
+##
+##
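Review bot: The changelog entry `Fix systemd_manage_unit_dirs() interface` does not match this hunk, which introduces the interface: the nested hunk header grows from 436 to 454 lines, exactly this block, so the entry should say the interface is added. The summary `manage systemd unit dirs` should also make clear that, because systemd_unit_file_type is an attribute, the caller gets create/delete on the unit-file directories of every type carrying it, e.g. `## Create, delete and manage all systemd unit file directories (all types with attribute systemd_unit_file_type).`.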
@@ -69003,10 +69120,10 @@ index 0000000..eb3673d
+
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..411793e
+index 0000000..0cb5eaa
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,360 @@
+@@ -0,0 +1,372 @@
+policy_module(systemd, 1.0.0)
+
+#######################################
@@ -69140,6 +69257,15 @@ index 0000000..411793e
+')
+
+optional_policy(`
++ # we label /run/user/$USER/dconf as config_home_t
++ gnome_manage_home_config_dirs(systemd_logind_t)
++')
++
++optional_policy(`
++ nis_use_ypbind(systemd_logind_t)
++')
++
++optional_policy(`
+ # It links /run/user/$USER/X11/display to /tmp/.X11-unix/X* sock_file
+ xserver_search_xdm_tmp_dirs(systemd_logind_t)
+')
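Review bot: `gnome_manage_home_config_dirs(systemd_logind_t)` grants logind create/delete on every config_home_t directory, which by the comment's own admission is the same label used for users' ~/.config content, not only /run/user/$USER/dconf. A dedicated type for that runtime directory would keep logind's write reach off home directories; at minimum the comment should state the actual scope, e.g. `# we label /run/user/$USER/dconf as config_home_t, so this also covers ~/.config dirs`. The enclosing optional_policy block starts outside the hunk.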
@@ -69357,6 +69483,9 @@ index 0000000..411793e
+#
+# systemd_sysctl domains local policy
+#
++
++allow systemctl_domain systemd_unit_file_type:dir search_dir_perms;
++
+fs_list_cgroup_dirs(systemctl_domain)
+fs_read_cgroup_files(systemctl_domain)
+
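Review bot: `allow systemctl_domain systemd_unit_file_type:dir search_dir_perms;` is placed under a section header reading `# systemd_sysctl domains local policy` although the rule, like the fs_* rules that follow it, applies to systemctl_domain; if that header is a typo the correction belongs here, `# systemctl domains local policy`. A short why-comment would also help, since search over an attribute-wide set of directories is otherwise opaque, e.g. `# unit lookup needs search on all unit file dirs (TODO confirm trigger)`.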
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 6bc15c9..29adf53 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 33%{?dist}
+Release: 34%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -467,6 +467,18 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Sep 26 2011 Miroslav Grepl 3.10.0-34
+- Make mta_role() active
+- Allow asterisk to connect to jabber client port
+- Allow procmail to read utmp
+- Add NIS support for systemd_logind_t
+- Allow systemd_logind_t to manage /run/user/$USER/dconf dir which is labeled as config_home_t
+- Fix systemd_manage_unit_dirs() interface
+- Allow ssh_t to manage directories passed into it
+- init needs to be able to create and delete unit file directories
+- Fix typo in apache_exec_sys_script
+- Add ability for logrotate to transition to awstat domain
+
* Fri Sep 23 2011 Miroslav Grepl 3.10.0-33
- Change screen to use screen_domain attribute and allow screen_domains to read all process domain state
- Add SELinux support for ssh pre-auth net process in F17