diff --git a/policy-F16.patch b/policy-F16.patch
index 848fc92..f8bdf5a 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -1,5 +1,5 @@
diff --git a/Makefile b/Makefile
-index b8486a0..72a53cc 100644
+index b8486a0..eadfda5 100644
--- a/Makefile
+++ b/Makefile
@@ -61,6 +61,7 @@ SEMODULE ?= $(tc_usrsbindir)/semodule
@@ -19,6 +19,15 @@ index b8486a0..72a53cc 100644
net_contexts := $(builddir)net_contexts
all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
+@@ -406,7 +407,7 @@ $(moddir)/kernel/corenetwork.if: $(moddir)/kernel/corenetwork.te.in $(moddir)/ke
+ @echo "#" >> $@
+ $(verbose) cat $@.in >> $@
+ $(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)(_controlled)?\(.*\)" $< \
+- | $(M4) -D self_contained_policy $(M4PARAM) $@.m4 - \
++ | $(M4) -D self_contained_policy $(M4PARAM) $(m4divert) $@.m4 $(m4undivert) - \
+ | $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
+
+ $(moddir)/kernel/corenetwork.te: $(moddir)/kernel/corenetwork.te.m4 $(moddir)/kernel/corenetwork.te.in
diff --git a/Rules.modular b/Rules.modular
index 168a14f..c2bf491 100644
--- a/Rules.modular
@@ -4944,10 +4953,10 @@ index 00a19e3..9f6139c 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..9a0377f 100644
+index f5afe78..89acd12 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
-@@ -1,44 +1,768 @@
+@@ -1,44 +1,786 @@
## GNU network object model environment (GNOME)
-############################################################
@@ -5395,23 +5404,41 @@ index f5afe78..9a0377f 100644
+
+#######################################
+##
-+## Manage gconf data home files
++## Read generic data home files.
+##
+##
-+##
-+## Domain allowed access.
-+##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`gnome_read_generic_data_home_files',`
++ gen_require(`
++ type data_home_t, gconf_home_t;
++ ')
++
++ read_files_pattern($1, { gconf_home_t data_home_t }, data_home_t)
++')
++
++#######################################
++##
++## Manage gconf data home files
++##
++##
++##
++## Domain allowed access.
++##
+##
+#
+interface(`gnome_manage_data',`
-+ gen_require(`
-+ type data_home_t;
-+ type gconf_home_t;
-+ ')
++ gen_require(`
++ type data_home_t;
++ type gconf_home_t;
++ ')
+
+ allow $1 gconf_home_t:dir search_dir_perms;
+ manage_dirs_pattern($1, data_home_t, data_home_t)
-+ manage_files_pattern($1, data_home_t, data_home_t)
++ manage_files_pattern($1, data_home_t, data_home_t)
+ manage_lnk_files_pattern($1, data_home_t, data_home_t)
+')
+
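Review bot: The summary kept for `gnome_manage_data` on the new side still reads `## Manage gconf data home files`, while the body manages data_home_t dirs, files and symlinks and only grants `search_dir_perms` on gconf_home_t, so a caller reading the interface list will expect gconf write access that is not granted. Suggest `## Manage generic data home files.` with a second line such as `## Also allows searching the gconf home directory.`. The new `gnome_read_generic_data_home_files` matches its own summary, but since `read_files_pattern` is given `{ gconf_home_t data_home_t }` as the directory set it also grants search on gconf_home_t directories, which is worth one line in its description.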
@@ -5734,7 +5761,7 @@ index f5afe78..9a0377f 100644
##
##
##
-@@ -46,37 +770,60 @@ interface(`gnome_role',`
+@@ -46,37 +788,60 @@ interface(`gnome_role',`
##
##
#
@@ -5806,7 +5833,7 @@ index f5afe78..9a0377f 100644
##
##
##
-@@ -84,37 +831,38 @@ template(`gnome_read_gconf_config',`
+@@ -84,37 +849,38 @@ template(`gnome_read_gconf_config',`
##
##
#
@@ -5856,7 +5883,7 @@ index f5afe78..9a0377f 100644
##
##
##
-@@ -122,17 +870,17 @@ interface(`gnome_stream_connect_gconf',`
+@@ -122,17 +888,17 @@ interface(`gnome_stream_connect_gconf',`
##
##
#
@@ -5878,7 +5905,7 @@ index f5afe78..9a0377f 100644
##
##
##
-@@ -140,51 +888,335 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +906,335 @@ interface(`gnome_domtrans_gconfd',`
##
##
#
@@ -10685,17 +10712,16 @@ index 7590165..7e6f53c 100644
+ fs_mounton_fusefs(seunshare_domain)
+')
diff --git a/policy/modules/apps/telepathy.fc b/policy/modules/apps/telepathy.fc
-index b07ee19..5d12aa3 100644
+index b07ee19..a275bd6 100644
--- a/policy/modules/apps/telepathy.fc
+++ b/policy/modules/apps/telepathy.fc
-@@ -1,8 +1,12 @@
+@@ -1,8 +1,11 @@
HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0)
-HOME_DIR/\.cache/telepathy/logger/sqlite-data-journal -- gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0)
+HOME_DIR/\.cache/telepathy(/.*)? gen_context(system_u:object_r:telepathy_cache_home_t, s0)
-+HOME_DIR/\.cache/telepathy/logger/sqlite-data-journal -- gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0)
++HOME_DIR/\.cache/telepathy/logger(/.*)? gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0)
HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
-+HOME_DIR/\.cache/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t, s0)
+HOME_DIR/\.local/share/telepathy(/.*)? gen_context(system_u:object_r:telepathy_data_home_t,s0)
+HOME_DIR/\.local/share/telepathy/mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_data_home_t, s0)
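Review bot: The new `HOME_DIR/\.cache/telepathy/logger(/.*)?` entry writes its context as `telepathy_logger_cache_home_t,s0` while every neighbouring entry uses `, s0`; keep the spacing uniform, e.g. `gen_context(system_u:object_r:telepathy_logger_cache_home_t, s0)`. Dropping `HOME_DIR/\.cache/gabble(/.*)?` means an existing ~/.cache/gabble on an upgraded system keeps whatever label it has and is no longer relabelled by restorecon; if gabble's cache really moved under ~/.cache/telepathy/gabble, as the comment in telepathy.te suggests, that is fine, but a one-line note on the move would help anyone chasing a stale-label denial.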
@@ -10895,7 +10921,7 @@ index 3cfb128..d49274d 100644
+ gnome_data_filetrans($1, telepathy_data_home_t, dir, "telepathy")
+')
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
-index 2533ea0..58f8728 100644
+index 2533ea0..b4888b3 100644
--- a/policy/modules/apps/telepathy.te
+++ b/policy/modules/apps/telepathy.te
@@ -26,12 +26,18 @@ attribute telepathy_executable;
@@ -10927,22 +10953,23 @@ index 2533ea0..58f8728 100644
type telepathy_mission_control_cache_home_t;
userdom_user_home_content(telepathy_mission_control_cache_home_t)
-@@ -67,6 +76,14 @@ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble
+@@ -67,6 +76,15 @@ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble
manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t)
files_tmp_filetrans(telepathy_gabble_t, telepathy_gabble_tmp_t, { dir sock_file })
-+# ~/.cache/gabble/caps-cache.db-journal
++# ~/.cache/telepathy/gabble/caps-cache.db-journal
+optional_policy(`
-+ manage_dirs_pattern(telepathy_gabble_t, { telepathy_cache_home_t telepathy_gabble_cache_home_t } , { telepathy_cache_home_t telepathy_gabble_cache_home_t })
++ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
+ manage_files_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
-+ filetrans_pattern(telepathy_gabble_t, telepathy_cache_home_t, telepathy_gabble_cache_home_t, { dir file })
-+ gnome_cache_filetrans(telepathy_gabble_t, telepathy_cache_home_t, dir)
++ filetrans_pattern(telepathy_gabble_t, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir)
++ # ~/.cache/wocky
++ gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_cache_home_t, dir)
+')
+
corenet_all_recvfrom_netlabel(telepathy_gabble_t)
corenet_all_recvfrom_unlabeled(telepathy_gabble_t)
corenet_tcp_sendrecv_generic_if(telepathy_gabble_t)
-@@ -112,6 +129,10 @@ optional_policy(`
+@@ -112,6 +130,10 @@ optional_policy(`
dbus_system_bus_client(telepathy_gabble_t)
')
@@ -10953,14 +10980,13 @@ index 2533ea0..58f8728 100644
#######################################
#
# Telepathy Idle local policy.
-@@ -147,10 +168,14 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
+@@ -147,10 +169,13 @@ tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
allow telepathy_logger_t self:unix_stream_socket create_socket_perms;
-+manage_dirs_pattern(telepathy_logger_t, { telepathy_cache_home_t telepathy_logger_cache_home_t }, { telepathy_cache_home_t telepathy_logger_cache_home_t })
++manage_dirs_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t)
manage_files_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t)
-+filetrans_pattern(telepathy_logger_t, telepathy_cache_home_t, telepathy_logger_cache_home_t, { dir file })
-+gnome_cache_filetrans(telepathy_logger_t, telepathy_cache_home_t, dir)
++filetrans_pattern(telepathy_logger_t, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir)
manage_dirs_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t)
manage_files_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t)
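Review bot: `filetrans_pattern(telepathy_logger_t, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir)` has no name component, so every directory the logger creates under ~/.cache/telepathy becomes logger cache, although telepathy.fc assigns that type only to `telepathy/logger`; `filetrans_pattern(telepathy_logger_t, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger")` keeps the two in step. The commit also removes the logger's own `gnome_cache_filetrans` for creating ~/.cache/telepathy, so the logger now depends on the transition granted to telepathy_domain later in this file; that only holds if telepathy_logger_t carries the telepathy_domain attribute, which is declared outside this hunk.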
@@ -11033,7 +11059,14 @@ index 2533ea0..58f8728 100644
dbus_system_bus_client(telepathy_msn_t)
optional_policy(`
-@@ -365,10 +418,9 @@ dev_read_urand(telepathy_domain)
+@@ -361,14 +414,16 @@ allow telepathy_domain self:fifo_file rw_fifo_file_perms;
+ allow telepathy_domain self:tcp_socket create_socket_perms;
+ allow telepathy_domain self:udp_socket create_socket_perms;
+
++manage_dirs_pattern(telepathy_domain, telepathy_cache_home_t, telepathy_cache_home_t)
++gnome_cache_filetrans(telepathy_domain, telepathy_cache_home_t, dir, "telepathy")
++
+ dev_read_urand(telepathy_domain)
kernel_read_system_state(telepathy_domain)
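Review bot: `gnome_cache_filetrans(telepathy_domain, telepathy_cache_home_t, dir, "telepathy")` is called unguarded, while the gabble rules earlier in this file wrap the same gnome interface in `optional_policy`; in a modular build an unguarded call into another module fails to link when that module is not loaded. Move the line into an `optional_policy(` … `')` block and leave `manage_dirs_pattern(telepathy_domain, telepathy_cache_home_t, telepathy_cache_home_t)` unconditional, since it only uses telepathy's own types.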
@@ -11045,7 +11078,7 @@ index 2533ea0..58f8728 100644
miscfiles_read_localization(telepathy_domain)
optional_policy(`
-@@ -376,5 +428,23 @@ optional_policy(`
+@@ -376,5 +431,23 @@ optional_policy(`
')
optional_policy(`
@@ -11166,10 +11199,10 @@ index 0000000..b78aa77
+
diff --git a/policy/modules/apps/thumb.te b/policy/modules/apps/thumb.te
new file mode 100644
-index 0000000..fc5b449
+index 0000000..cc502a0
--- /dev/null
+++ b/policy/modules/apps/thumb.te
-@@ -0,0 +1,123 @@
+@@ -0,0 +1,73 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -11182,15 +11215,6 @@ index 0000000..fc5b449
+application_domain(thumb_t, thumb_exec_t)
+ubac_constrained(thumb_t)
+
-+role system_r types thumb_t; # why is system_r needed
-+
-+# this is for liborc: ~/orcexec.*
-+# these should normally go to /tmp but it goes to ~ if not executable in /tmp
-+# there is also a bug in liborc where it does to ~ by default
-+# no longer needed orc fix available
-+# type thumb_home_t;
-+#userdom_user_home_content(thumb_home_t)
-+
+type thumb_tmp_t;
+files_tmp_file(thumb_tmp_t)
+ubac_constrained(thumb_tmp_t)
@@ -11200,42 +11224,24 @@ index 0000000..fc5b449
+# thumb local policy
+#
+
-+# execmem is for totem-video-thumbnailer
+allow thumb_t self:process { setsched signal setrlimit execmem };
-+
+allow thumb_t self:fifo_file manage_fifo_file_perms;
+allow thumb_t self:unix_stream_socket create_stream_socket_perms;
-+
-+# please reproduce this, because i cannot
-+# manage_dirs_pattern(thumb_t, thumb_home_t, thumb_home_t)
-+# userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, dir)
-+
-+# for totem-video-thumbnailer
+allow thumb_t self:netlink_route_socket r_netlink_socket_perms;
+allow thumb_t self:udp_socket create_socket_perms;
+allow thumb_t self:tcp_socket create_socket_perms;
+
-+# gst-plugin-scanner/liborc, ~/orcexec.*
-+# no longer need fix in latest orc package
-+# exec_files_pattern(thumb_t, thumb_home_t, thumb_home_t)
-+# manage_files_pattern(thumb_t, thumb_home_t, thumb_home_t)
-+# userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file)
-+
+manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
+manage_dirs_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
+exec_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
-+# please reproduce this, because it cannot
-+# userdom_user_tmp_filetrans(thumb_t, thumb_tmp_t, file)
+files_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir })
+
+kernel_read_system_state(thumb_t)
+
+domain_use_interactive_fds(thumb_t)
+
-+# /usr/libexec/gstreamer.*/gst-plugin-scanner
+corecmd_exec_bin(thumb_t)
+
-+# gst-plugin-scanner
+dev_read_sysfs(thumb_t)
+
+domain_use_interactive_fds(thumb_t)
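Review bot: The new side keeps `allow thumb_t self:process { setsched signal setrlimit execmem };`, `exec_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)` on files the domain itself writes, and tcp/udp socket creation, but strips every comment that justified them (`# execmem is for totem-video-thumbnailer`, `# gst-plugin-scanner/liborc`, `# /usr/libexec/gstreamer.*/gst-plugin-scanner`); for a domain that, by its name, appears to parse untrusted media, writable-then-executable tmp plus execmem is the combination a reviewer questions first, so each should keep a one-line reason. Suggest `# execmem and exec on thumb_tmp_t: needed by the gstreamer/liborc JIT behind totem-video-thumbnailer; re-check once orc no longer needs it`, worded from the removed notes. `domain_use_interactive_fds(thumb_t)` appears twice in the hunk; drop the second copy.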
@@ -11246,51 +11252,28 @@ index 0000000..fc5b449
+miscfiles_read_fonts(thumb_t)
+miscfiles_read_localization(thumb_t)
+
-+# totem-video-thumbnailer
+sysnet_read_config(thumb_t)
+
-+# read files to be thumbed
+userdom_read_user_tmp_files(thumb_t)
+userdom_read_user_home_content_files(thumb_t)
-+# .gnome_desktop_thumbnail.* is created by something in the user domain.
-+# probably libgnome.
+userdom_write_user_tmp_files(thumb_t)
+
+userdom_use_inherited_user_ptys(thumb_t)
+
-+# optional_policy(`
-+# gnome_read_gconf_home_files(thumb_t)
-+# gnome_read_gstreamer_home_content(thumb_t)
-+# ')
-+
-+# please reproduce this, because i cannot
-+# optional_policy(`
-+# gnome_read_gconf_home_files(thumb_t)
-+# ')
-+
-+# these two are inherited
-+# should probably create and call xserver_ra_inherited_xdm_home_files()
+xserver_read_xdm_home_files(thumb_t)
+xserver_append_xdm_home_files(thumb_t)
-+# seems to not be needed
+xserver_dontaudit_read_xdm_pid(thumb_t)
-+# this is required for totem-video-thumbnailer
-+# although thumb does not need to write xserver_tmp_t sock_files
-+# we probably want a xserver_connect to support but unix stream socket
-+# connections as well tcp connections
-+# allow thumb_t xserver_port_t:tcp_socket name_connect;
+xserver_stream_connect(thumb_t)
+
+optional_policy(`
-+ # This seems not strictly needed
+ dbus_dontaudit_stream_connect_session_bus(thumb_t)
++ dbus_dontaudit_chat_session_bus(thumb_t)
+')
+
+optional_policy(`
-+ # this seems to work
-+ # thumb_t tries to search data_home_t, config_home_t and gconf_home_t
++ # .config
+ gnome_dontaudit_search_config(thumb_t)
-+ # totem-video-thumbnailer
++ gnome_read_generic_data_home_files(thumb_t)
+ gnome_manage_gstreamer_home_files(thumb_t)
+')
diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te
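Review bot: `gnome_read_generic_data_home_files(thumb_t)` gives the thumbnailer read access to every data_home_t file under the user's data directory, on top of the `xserver_stream_connect` and socket rules earlier in this file, which is a wide read scope for a domain whose input is presumably untrusted files; if the need is only the gstreamer registry, `gnome_manage_gstreamer_home_files(thumb_t)` on the next line already covers it and the generic read could be dropped. If the generic read is genuinely needed, replace the bare `# .config` with the reason, e.g. `# totem-video-thumbnailer reads generic ~/.local/share content — confirm which files`. Note also that `dbus_dontaudit_chat_session_bus(thumb_t)` as defined in dbus.if silences only the thumb_t → bus direction, so replies from the bus may still show up in the audit log.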
@@ -13563,25 +13546,40 @@ index 99b71cb..17d942f 100644
+allow corenet_unconfined_type port_type:{ dccp_socket tcp_socket udp_socket rawip_socket } name_bind;
+allow corenet_unconfined_type node_type:{ dccp_socket tcp_socket udp_socket rawip_socket } node_bind;
diff --git a/policy/modules/kernel/corenetwork.te.m4 b/policy/modules/kernel/corenetwork.te.m4
-index 35fed4f..e0c8f51 100644
+index 35fed4f..51ad69a 100644
--- a/policy/modules/kernel/corenetwork.te.m4
+++ b/policy/modules/kernel/corenetwork.te.m4
-@@ -81,7 +81,13 @@ declare_nodes($1_node_t,shift($*))
- define(`declare_ports',`dnl
- ifelse(eval(range_start($3) < 1024),1,`typeattribute $1 reserved_port_type;
- ifelse(eval(range_start($3) >= 512),1,`typeattribute $1 rpc_port_type;',`dnl')
+@@ -77,23 +77,37 @@ type $1_node_t alias node_$1_t, node_type;
+ declare_nodes($1_node_t,shift($*))
+ ')
+
+-# bindresvport in glibc starts searching for reserved ports at 512
+-define(`declare_ports',`dnl
+-ifelse(eval(range_start($3) < 1024),1,`typeattribute $1 reserved_port_type;
+-ifelse(eval(range_start($3) >= 512),1,`typeattribute $1 rpc_port_type;',`dnl')
-',`dnl')
-+',`
-+ifelse(eval(range_start($3) < 32768),1,`typeattribute $1 unreserved_port_type;',`
-+ ifelse(eval(range_start($3) > 61001),1,`typeattribute $1 unreserved_port_type;',`
-+ typeattribute $1 ephemeral_port_type;
-+ ')
-+ ')
-+')
++define(`declare_portcons',`dnl
portcon $2 $3 gen_context(system_u:object_r:$1,$4)
- ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
+-ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
++ifelse(`$5',`',`',`declare_portcons($1,shiftn(4,$*))')dnl
++')
++
++define(`add_port_attribute',`dnl
++ifelse(eval(range_start($2) < 1024),1,`typeattribute $1 reserved_port_type;',`typeattribute $1 unreserved_port_type;')
++')
++
++define(`add_ephemeral_attribute',`dnl
++ifelse(eval(range_start($3) >= 32768 && range_start($3) < 61001),1,`typeattribute $1 ephemeral_port_type;
++',`ifelse(`$5',`',`',`add_ephemeral_attribute($1,shiftn(4,$*))')')dnl
++')
++
++# bindresvport in glibc starts searching for reserved ports at 512
++define(`add_rpc_attribute',`dnl
++ifelse(eval(range_start($3) >= 512 && range_start($3) < 1024),1,`typeattribute $1 rpc_port_type;
++',`ifelse(`$5',`',`',`add_rpc_attribute($1,shiftn(4,$*))')')dnl
')
-@@ -90,7 +96,7 @@ ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
+
+ #
# network_port(port_name,protocol portnum mls_sensitivity [,protocol portnum mls_sensitivity[,...]])
#
define(`network_port',`
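Review bot: `add_ephemeral_attribute` hard-codes the window `>= 32768 && < 61001` with no explanation, while the neighbouring `add_rpc_attribute` does explain its 512 bound; the window presumably mirrors the kernel's default ip_local_port_range of 32768–61000, and the classification silently drifts if the distribution ships a different range. Add `# matches the default net.ipv4.ip_local_port_range (32768-61000); revisit if the distro default changes` above the define. It is also worth stating in that comment that every classifier only inspects `range_start`, so a declared range that straddles a boundary takes the attribute of its first port only — the old `declare_ports` behaved the same way, but the new split into three helpers makes that easy to miss.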
@@ -13589,7 +13587,14 @@ index 35fed4f..e0c8f51 100644
+type $1_port_t, port_type, defined_port_type;
type $1_client_packet_t, packet_type, client_packet_type;
type $1_server_packet_t, packet_type, server_packet_type;
- declare_ports($1_port_t,shift($*))dnl
+-declare_ports($1_port_t,shift($*))dnl
++ifelse(`$2',`',`',`add_port_attribute($1_port_t,$3)')dnl
++ifelse(`$2',`',`',`add_rpc_attribute($1_port_t,shift($*))')dnl
++ifelse(`$2',`',`',`add_ephemeral_attribute($1_port_t,shift($*))')dnl
++ifelse(`$2',`',`',`declare_portcons($1_port_t,shift($*))')dnl
+ ')
+
+ #
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 6cf8784..935a96c 100644
--- a/policy/modules/kernel/devices.fc
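Review bot: `add_port_attribute($1_port_t,$3)` is evaluated once, on the first range only, whereas `add_rpc_attribute` and `add_ephemeral_attribute` recurse over every `proto,port,mls` triple via `shiftn(4,$*)`; a port type whose first range is at or above 1024 but which declares a later range below 1024 is therefore tagged `unreserved_port_type` and never `reserved_port_type`, so a domain granted bind on unreserved ports could also bind the low port. The replaced `declare_ports` recursion did tag reserved_port_type for each low range. Make `add_port_attribute` walk all ranges like its siblings, emitting `reserved_port_type` if any range starts below 1024 and `unreserved_port_type` only when none does. Whether any current `network_port` declaration actually mixes low and high ranges is not visible in this hunk, but the macro should not depend on declaration order.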
@@ -15075,10 +15080,45 @@ index 08f01e7..1c2562c 100644
+allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
allow devices_unconfined_type mtrr_device_t:file *;
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
-index 6a1e4d1..cf3d50b 100644
+index 6a1e4d1..3ded83e 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
-@@ -631,7 +631,7 @@ interface(`domain_read_all_domains_state',`
+@@ -75,34 +75,6 @@ interface(`domain_base_type',`
+ interface(`domain_type',`
+ # start with basic domain
+ domain_base_type($1)
+-
+- ifdef(`distro_redhat',`
+- optional_policy(`
+- unconfined_use_fds($1)
+- ')
+- ')
+-
+- # send init a sigchld and signull
+- optional_policy(`
+- init_sigchld($1)
+- init_signull($1)
+- ')
+-
+- # these seem questionable:
+-
+- optional_policy(`
+- rpm_use_fds($1)
+- rpm_read_pipes($1)
+- ')
+-
+- optional_policy(`
+- selinux_dontaudit_getattr_fs($1)
+- selinux_dontaudit_read_fs($1)
+- ')
+-
+- optional_policy(`
+- seutil_dontaudit_read_config($1)
+- ')
+ ')
+
+ ########################################
+@@ -631,7 +603,7 @@ interface(`domain_read_all_domains_state',`
########################################
##
@@ -15087,7 +15127,7 @@ index 6a1e4d1..cf3d50b 100644
##
##
##
-@@ -655,7 +655,7 @@ interface(`domain_getattr_all_domains',`
+@@ -655,7 +627,7 @@ interface(`domain_getattr_all_domains',`
##
##
##
@@ -15096,7 +15136,7 @@ index 6a1e4d1..cf3d50b 100644
##
##
#
-@@ -1530,4 +1530,29 @@ interface(`domain_unconfined',`
+@@ -1530,4 +1502,29 @@ interface(`domain_unconfined',`
typeattribute $1 can_change_object_identity;
typeattribute $1 set_curr_context;
typeattribute $1 process_uncond_exempt;
@@ -15127,7 +15167,7 @@ index 6a1e4d1..cf3d50b 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index fae1ab1..00e20f7 100644
+index fae1ab1..db2a183 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,21 @@ policy_module(domain, 1.9.1)
@@ -15220,7 +15260,7 @@ index fae1ab1..00e20f7 100644
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
-@@ -160,3 +197,91 @@ allow unconfined_domain_type domain:key *;
+@@ -160,3 +197,118 @@ allow unconfined_domain_type domain:key *;
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -15312,6 +15352,33 @@ index fae1ab1..00e20f7 100644
+# broken kernel
+dontaudit can_change_object_identity can_change_object_identity:key link;
+
++ifdef(`distro_redhat',`
++ optional_policy(`
++ unconfined_use_fds(domain)
++ ')
++')
++
++# send init a sigchld and signull
++optional_policy(`
++ init_sigchld(domain)
++ init_signull(domain)
++')
++
++# these seem questionable:
++
++optional_policy(`
++ rpm_use_fds(domain)
++ rpm_read_pipes(domain)
++')
++
++optional_policy(`
++ selinux_dontaudit_getattr_fs(domain)
++ selinux_dontaudit_read_fs(domain)
++')
++
++optional_policy(`
++ seutil_dontaudit_read_config(domain)
++')
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index c19518a..12e8e9c 100644
--- a/policy/modules/kernel/files.fc
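Review bot: Moving `unconfined_use_fds`, `init_sigchld`/`init_signull`, `rpm_use_fds`/`rpm_read_pipes` and the dontaudit rules from the `domain_type()` interface onto the `domain` attribute changes who receives them: before, only types declared through `domain_type()`; now every type carrying the attribute, including any declared with `domain_base_type()` alone, assuming such types exist in this tree (not visible here). `rpm_use_fds(domain)` and `rpm_read_pipes(domain)` in particular let every confined domain use rpm's descriptors and read its pipes, and the inherited `# these seem questionable:` comment now applies tree-wide. Either scope the rpm rules to an attribute for domains that actually run under rpm, or replace that comment with the reason the blanket grant is acceptable, e.g. `# any domain may be spawned from an rpm scriptlet and inherits rpm's fds and pipes`.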
@@ -31557,7 +31624,7 @@ index 81eba14..d0ab56c 100644
/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
-index 1a1becd..0ca1861 100644
+index 1a1becd..843d5fd 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -41,9 +41,9 @@ interface(`dbus_stub',`
@@ -31676,11 +31743,11 @@ index 1a1becd..0ca1861 100644
-
- seutil_read_config($1_dbusd_t)
- seutil_read_default_contexts($1_dbusd_t)
-
+-
- term_use_all_terms($1_dbusd_t)
-
- userdom_read_user_home_content_files($1_dbusd_t)
--
+
- ifdef(`hide_broken_symptoms', `
- dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
- ')
@@ -31848,7 +31915,7 @@ index 1a1becd..0ca1861 100644
##
##
##
-@@ -491,10 +433,31 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+@@ -491,10 +433,51 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
##
##
#
@@ -31882,6 +31949,26 @@ index 1a1becd..0ca1861 100644
+ ')
+
+ dontaudit $1 session_bus_type:unix_stream_socket connectto;
++')
++
++########################################
++##
++## Do not audit attempts to send dbus
++## messages to session bus types.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`dbus_dontaudit_chat_session_bus',`
++ gen_require(`
++ attribute session_bus_type;
++ class dbus send_msg;
++ ')
++
++ dontaudit $1 session_bus_type:dbus send_msg;
')
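Review bot: `dbus_dontaudit_chat_session_bus` only dontaudits `$1 session_bus_type:dbus send_msg`, but `_chat` in this policy's dbus interfaces denotes both directions (compare `dontaudit gnomeclock_t $1:dbus send_msg` later in this diff, which covers the reply side), so replies from the bus daemon to `$1` will still be logged and a caller expecting silence will be surprised. Either add `dontaudit session_bus_type $1:dbus send_msg;` next to the existing rule, or rename the interface to something like `dbus_dontaudit_send_session_bus` and state in the summary that only the outbound direction is covered.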
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 1bff6ee..9540fee 100644
@@ -37457,10 +37544,10 @@ index 671d8fd..25c7ab8 100644
+ dontaudit gnomeclock_t $1:dbus send_msg;
+')
diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
-index 4fde46b..86ba356 100644
+index 4fde46b..95d52e4 100644
--- a/policy/modules/services/gnomeclock.te
+++ b/policy/modules/services/gnomeclock.te
-@@ -15,18 +15,23 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+@@ -15,18 +15,25 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
#
allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };
@@ -37479,15 +37566,16 @@ index 4fde46b..86ba356 100644
+files_read_etc_runtime_files(gnomeclock_t)
files_read_usr_files(gnomeclock_t)
--auth_use_nsswitch(gnomeclock_t)
+fs_getattr_xattr_fs(gnomeclock_t)
++
+ auth_use_nsswitch(gnomeclock_t)
-clock_domtrans(gnomeclock_t)
-+auth_use_nsswitch(gnomeclock_t)
++init_stream_send(gnomeclock_t)
miscfiles_read_localization(gnomeclock_t)
miscfiles_manage_localization(gnomeclock_t)
-@@ -35,10 +40,33 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
+@@ -35,10 +42,33 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
userdom_read_all_users_state(gnomeclock_t)
optional_policy(`
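Review bot: `init_stream_send(gnomeclock_t)` is added without any comment saying what the helper needs to write to init's socket for; alongside the existing `sys_time sys_ptrace` capabilities, each new channel out of this domain should carry a stated reason. Put the observed denial or purpose above the line, e.g. `# writes to init's socket when applying clock/timezone changes — confirm exact use`, rather than leaving it for the next reader to reconstruct. `fs_getattr_xattr_fs(gnomeclock_t)` would benefit from the same treatment.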
@@ -59192,7 +59280,7 @@ index 7c5d8d8..d711fd5 100644
+')
+
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..52df08a 100644
+index 3eca020..812f226 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -5,56 +5,74 @@ policy_module(virt, 1.4.0)
@@ -59736,7 +59824,7 @@ index 3eca020..52df08a 100644
logging_send_syslog_msg(virt_domain)
miscfiles_read_localization(virt_domain)
-@@ -457,8 +635,319 @@ optional_policy(`
+@@ -457,8 +635,320 @@ optional_policy(`
')
optional_policy(`
@@ -59817,6 +59905,7 @@ index 3eca020..52df08a 100644
+ xen_manage_image_dirs(virsh_t)
+ xen_append_log(virsh_t)
+ xen_domtrans(virsh_t)
++ xen_read_pid_files_xenstored(virsh_t)
+ xen_stream_connect(virsh_t)
+ xen_stream_connect_xenstore(virsh_t)
+')
@@ -76509,10 +76598,37 @@ index a865da7..a5ed06e 100644
')
diff --git a/policy/modules/system/xen.if b/policy/modules/system/xen.if
-index 77d41b6..4aa96c6 100644
+index 77d41b6..7ccb440 100644
--- a/policy/modules/system/xen.if
+++ b/policy/modules/system/xen.if
-@@ -87,6 +87,26 @@ interface(`xen_read_image_files',`
+@@ -55,6 +55,26 @@ interface(`xen_dontaudit_use_fds',`
+ dontaudit $1 xend_t:fd use;
+ ')
+
++#######################################
++##
++## Read xend pid files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`xen_read_pid_files_xenstored',`
++ gen_require(`
++ type xenstored_var_run_t;
++ ')
++
++ files_search_pids($1)
++
++ read_files_pattern($1, xenstored_var_run_t, xenstored_var_run_t)
++')
++
+ ########################################
+ ##
+ ## Read xend image files.
+@@ -87,6 +107,26 @@ interface(`xen_read_image_files',`
##
##
#
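Review bot: The summary of the new `xen_read_pid_files_xenstored` says `## Read xend pid files.` but the body grants read on `xenstored_var_run_t`, i.e. xenstored's runtime files, so a caller scanning the interface list will pick the wrong one. Change it to `## Read xenstored pid files.`. The rule body itself is the usual shape: `files_search_pids($1)` plus `read_files_pattern` on the single type.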
@@ -76539,7 +76655,7 @@ index 77d41b6..4aa96c6 100644
interface(`xen_rw_image_files',`
gen_require(`
type xen_image_t, xend_var_lib_t;
-@@ -213,8 +233,9 @@ interface(`xen_stream_connect',`
+@@ -213,8 +253,9 @@ interface(`xen_stream_connect',`
interface(`xen_domtrans_xm',`
gen_require(`
type xm_t, xm_exec_t;
@@ -76550,7 +76666,7 @@ index 77d41b6..4aa96c6 100644
domtrans_pattern($1, xm_exec_t, xm_t)
')
-@@ -230,7 +251,7 @@ interface(`xen_domtrans_xm',`
+@@ -230,7 +271,7 @@ interface(`xen_domtrans_xm',`
#
interface(`xen_stream_connect_xm',`
gen_require(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 70e048a..25fe1b9 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -246,7 +246,7 @@ Based off of reference policy: Checked out revision 2.20091117
%patch2 -p1
%patch3 -p1
%patch4 -p1 -b .execmem
-%patch5 -p1 -b .userdomain
+#%patch5 -p1 -b .userdomain
%patch6 -p1 -b .apache
#%patch7 -p1 -b .ptrace
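Review bot: `#%patch5 -p1 -b .userdomain` disables the userdomain patch by commenting out the apply line, as `#%patch7` already does, but nothing records why; if its content was folded into policy-F16.patch, which the rest of this commit edits, say so in place, e.g. `# patch5 folded into policy-F16.patch`, and drop the matching `Patch5:` source line if one still exists so the file is not shipped unused. Without that note a later maintainer cannot tell a deliberate drop from a forgotten one.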