diff --git a/container-selinux.tgz b/container-selinux.tgz
index 1fbd717..1eb1b31 100644
Binary files a/container-selinux.tgz and b/container-selinux.tgz differ
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 4b91b04..98ad5a3 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -1791,7 +1791,7 @@ index cc8df9d7d..90467f3af 100644
+ files_etc_filetrans($1,bootloader_etc_t,file, "zipl.conf")
+')
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
-index 0fd5c5f2e..a14addb41 100644
+index 0fd5c5f2e..7ee6ec7a3 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -20,13 +20,20 @@ type bootloader_t;
@@ -1821,7 +1821,7 @@ index 0fd5c5f2e..a14addb41 100644
#
-allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown };
-+allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin sys_chroot mknod chown };
++allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin sys_chroot mknod chown };
allow bootloader_t self:process { signal_perms execmem };
allow bootloader_t self:fifo_file rw_fifo_file_perms;
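Review bot: Dropping `dac_override` from the `bootloader_t` capability rule leaves only `dac_read_search`, which bypasses read and directory-search checks but not write checks, and nothing in the patch records why that is sufficient for this domain. The same substitution is repeated in later hunks for domains that modify files (for example `updpwd_t`, `useradd_t`, `groupadd_t`, `lvm_t`, `syslogd_t`). Any write that relied on the override rather than on file ownership would now be denied in enforcing mode. I would add a short comment beside each rule, e.g. `# dac_override removed; dac_read_search is sufficient, see <test or bug reference>`, and confirm the write paths of those domains before shipping. The enclosing bootloader.te hunk starts and ends outside what is shown here.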
@@ -2201,7 +2201,7 @@ index c6ca761c9..0c86bfd54 100644
')
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index c44c3592a..cba535365 100644
+index c44c3592a..2a3a90bf4 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1)
@@ -2222,8 +2222,9 @@ index c44c3592a..cba535365 100644
# Perform network administration operations and have raw access to the network.
-allow netutils_t self:capability { dac_read_search net_admin net_raw setuid setgid sys_chroot };
+-dontaudit netutils_t self:capability { dac_override sys_tty_config };
+allow netutils_t self:capability { chown dac_read_search net_admin net_raw setuid setgid sys_chroot setpcap };
- dontaudit netutils_t self:capability { dac_override sys_tty_config };
++dontaudit netutils_t self:capability { sys_tty_config };
allow netutils_t self:process { setcap signal_perms };
allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
allow netutils_t self:netlink_socket create_socket_perms;
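Review bot: Removing `dac_override` from the `dontaudit netutils_t self:capability` set takes no privilege away, because the `allow` line above it never granted that capability; it only stops suppressing the denial. Every `dac_override` check that fails in `netutils_t` will therefore start producing AVC records, and the same applies to the `dontaudit $1 self:capability` rule in files.if and the `dontaudit hotplug_t` rule in hotplug.te. If the intent is to surface those denials, a comment saying so would help; if the intent is only least privilege, keep `dontaudit netutils_t self:capability { dac_override sys_tty_config };` unchanged.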
@@ -2419,7 +2420,7 @@ index 688abc2ae..3d89250a6 100644
/usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
+/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
-index 03ec5cafe..1e3ace4cf 100644
+index 03ec5cafe..f483a97a6 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -41,13 +41,14 @@ template(`su_restricted_domain_template', `
@@ -2427,7 +2428,7 @@ index 03ec5cafe..1e3ace4cf 100644
allow $2 $1_su_t:process signal;
- allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
-+ allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_read_search dac_override fowner sys_nice sys_resource };
++ allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_read_search fowner sys_nice sys_resource };
dontaudit $1_su_t self:capability sys_tty_config;
allow $1_su_t self:key { search write };
allow $1_su_t self:process { setexec setsched setrlimit };
@@ -2615,7 +2616,7 @@ index 03ec5cafe..1e3ace4cf 100644
#######################################
diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
-index 85bb77e05..a4302332a 100644
+index 85bb77e05..fdd7b656c 100644
--- a/policy/modules/admin/su.te
+++ b/policy/modules/admin/su.te
@@ -9,3 +9,82 @@ attribute su_domain_type;
@@ -2623,7 +2624,7 @@ index 85bb77e05..a4302332a 100644
type su_exec_t;
corecmd_executable_file(su_exec_t)
+
-+allow su_domain_type self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_read_search dac_override fowner sys_nice sys_resource };
++allow su_domain_type self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_read_search fowner sys_nice sys_resource };
+dontaudit su_domain_type self:capability sys_tty_config;
+allow su_domain_type self:process { setexec setsched setrlimit };
+allow su_domain_type self:fifo_file rw_fifo_file_perms;
@@ -3189,7 +3190,7 @@ index 99e3903ea..fa68362ea 100644
##
##
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 1d732f1e7..7e03673be 100644
+index 1d732f1e7..9823c5a68 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -26,6 +26,7 @@ type chfn_exec_t;
@@ -3229,7 +3230,7 @@ index 1d732f1e7..7e03673be 100644
#
-allow chfn_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
-+allow chfn_t self:capability { chown dac_read_search dac_override fsetid setuid setgid sys_resource };
++allow chfn_t self:capability { chown dac_read_search fsetid setuid setgid sys_resource };
allow chfn_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow chfn_t self:process { setrlimit setfscreate };
allow chfn_t self:fd use;
@@ -3316,7 +3317,7 @@ index 1d732f1e7..7e03673be 100644
#
-allow groupadd_t self:capability { dac_override chown kill setuid sys_resource audit_write };
-+allow groupadd_t self:capability { dac_read_search dac_override chown kill setuid sys_resource audit_write };
++allow groupadd_t self:capability { dac_read_search chown kill setuid sys_resource audit_write };
dontaudit groupadd_t self:capability { fsetid sys_tty_config };
allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow groupadd_t self:process { setrlimit setfscreate };
@@ -3375,7 +3376,7 @@ index 1d732f1e7..7e03673be 100644
#
-allow passwd_t self:capability { chown dac_override fsetid setuid setgid sys_nice sys_resource };
-+allow passwd_t self:capability { chown dac_read_search dac_read_search dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_admin };
++allow passwd_t self:capability { chown dac_read_search dac_read_search ipc_lock fsetid setuid setgid sys_nice sys_resource sys_admin };
dontaudit passwd_t self:capability sys_tty_config;
allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow passwd_t self:process { setrlimit setfscreate };
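Review bot: The rewritten `passwd_t` rule still lists `dac_read_search` twice, carried over from the previous revision of the line. The duplicate is presumably harmless to the policy compiler, but it makes the capability set harder to audit and suggests the list was edited by text substitution rather than reviewed. Since the line is being touched anyway, it could read `allow passwd_t self:capability { chown dac_read_search ipc_lock fsetid setuid setgid sys_nice sys_resource sys_admin };`. The `syslogd_t` rule in logging.te has the same issue, with `setuid setgid` repeated.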
@@ -3474,7 +3475,7 @@ index 1d732f1e7..7e03673be 100644
#
-allow sysadm_passwd_t self:capability { chown dac_override fsetid setuid setgid sys_resource };
-+allow sysadm_passwd_t self:capability { chown dac_read_search dac_override fsetid setuid setgid sys_resource };
++allow sysadm_passwd_t self:capability { chown dac_read_search fsetid setuid setgid sys_resource };
allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow sysadm_passwd_t self:process { setrlimit setfscreate };
allow sysadm_passwd_t self:fd use;
@@ -3518,7 +3519,7 @@ index 1d732f1e7..7e03673be 100644
-allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
-dontaudit useradd_t self:capability sys_tty_config;
-+allow useradd_t self:capability { dac_read_search dac_override chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot };
++allow useradd_t self:capability { dac_read_search chown kill fowner fsetid setuid sys_ptrace sys_resource sys_chroot };
+
+dontaudit useradd_t self:capability { net_admin sys_tty_config };
+dontaudit useradd_t self:cap_userns { sys_ptrace };
@@ -3764,7 +3765,7 @@ index 1dc7a85d3..e4f6fc227 100644
+ corecmd_shell_domtrans($1_seunshare_t, $1_t)
')
diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te
-index 759016583..f50f79935 100644
+index 759016583..1b9a61d18 100644
--- a/policy/modules/apps/seunshare.te
+++ b/policy/modules/apps/seunshare.te
@@ -5,40 +5,65 @@ policy_module(seunshare, 1.1.0)
@@ -3781,7 +3782,7 @@ index 759016583..f50f79935 100644
#
# seunshare local policy
#
-+allow seunshare_domain self:capability { fowner setgid setuid dac_read_search dac_override setpcap sys_admin sys_nice };
++allow seunshare_domain self:capability { fowner setgid setuid dac_read_search setpcap sys_admin sys_nice };
+allow seunshare_domain self:process { fork setexec signal getcap setcap setcurrent setsched };
-allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
@@ -12602,7 +12603,7 @@ index b876c48ad..2e591a538 100644
+
+/sysroot/ostree/deploy/.*-atomic/deploy(/.*)? gen_context(system_u:object_r:root_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index f962f76ad..f2b8e4558 100644
+index f962f76ad..bb8b58852 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -13481,7 +13482,7 @@ index f962f76ad..f2b8e4558 100644
- type root_t;
+ attribute mountpoint;
')
-+ dontaudit $1 self:capability { dac_read_search dac_override };
++ dontaudit $1 self:capability { dac_read_search };
- allow $1 root_t:dir list_dir_perms;
- allow $1 root_t:lnk_file { read_lnk_file_perms ioctl lock };
@@ -25364,10 +25365,10 @@ index 000000000..48caabc7e
+allow domain unlabeled_t:packet { send recv };
+
diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
-index 834a065de..ff9369756 100644
+index 834a065de..404a5c677 100644
--- a/policy/modules/roles/auditadm.te
+++ b/policy/modules/roles/auditadm.te
-@@ -7,7 +7,7 @@ policy_module(auditadm, 2.2.0)
+@@ -7,14 +7,14 @@ policy_module(auditadm, 2.2.0)
role auditadm_r;
role system_r;
@@ -25376,6 +25377,14 @@ index 834a065de..ff9369756 100644
########################################
#
+ # Local policy
+ #
+
+-allow auditadm_t self:capability { dac_read_search dac_override };
++allow auditadm_t self:capability { dac_read_search };
+
+ kernel_read_ring_buffer(auditadm_t)
+
@@ -22,16 +22,23 @@ corecmd_exec_shell(auditadm_t)
domain_kill_all_domains(auditadm_t)
@@ -25401,7 +25410,7 @@ index 834a065de..ff9369756 100644
consoletype_exec(auditadm_t)
')
diff --git a/policy/modules/roles/logadm.te b/policy/modules/roles/logadm.te
-index 3a45a3ef0..7499f24b5 100644
+index 3a45a3ef0..f31d79957 100644
--- a/policy/modules/roles/logadm.te
+++ b/policy/modules/roles/logadm.te
@@ -7,13 +7,12 @@ policy_module(logadm, 1.0.0)
@@ -25418,13 +25427,13 @@ index 3a45a3ef0..7499f24b5 100644
-allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
-
-+allow logadm_t self:capability { dac_override dac_read_search kill sys_nice };
++allow logadm_t self:capability { dac_read_search kill sys_nice };
logging_admin(logadm_t, logadm_r)
diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
-index da111206f..621ec5afc 100644
+index da111206f..a5ac38465 100644
--- a/policy/modules/roles/secadm.te
+++ b/policy/modules/roles/secadm.te
-@@ -7,8 +7,11 @@ policy_module(secadm, 2.4.0)
+@@ -7,19 +7,25 @@ policy_module(secadm, 2.4.0)
role secadm_r;
@@ -25438,12 +25447,14 @@ index da111206f..621ec5afc 100644
########################################
#
-@@ -17,9 +20,12 @@ userdom_security_admin_template(secadm_t, secadm_r)
-
- allow secadm_t self:capability { dac_read_search dac_override };
+ # Local policy
+ #
-+kernel_read_system_state(secadm_t)
+-allow secadm_t self:capability { dac_read_search dac_override };
++allow secadm_t self:capability { dac_read_search };
+
++kernel_read_system_state(secadm_t)
+
corecmd_exec_shell(secadm_t)
dev_relabel_all_dev_nodes(secadm_t)
@@ -25909,7 +25920,7 @@ index ff9243078..36740eab3 100644
##
## Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 2522ca6c0..7aeed7254 100644
+index 2522ca6c0..c8ef8c8e4 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -5,39 +5,107 @@ policy_module(sysadm, 2.6.1)
@@ -26335,7 +26346,7 @@ index 2522ca6c0..7aeed7254 100644
optional_policy(`
screen_role_template(sysadm, sysadm_r, sysadm_t)
-+ allow sysadm_screen_t self:capability { dac_read_search dac_override };
++ allow sysadm_screen_t self:capability { dac_read_search };
')
optional_policy(`
@@ -28342,7 +28353,7 @@ index 9d2f31168..2d782e051 100644
+ postgresql_filetrans_named_content($1)
')
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
-index 03061349c..e30703d3c 100644
+index 03061349c..bb764b3d0 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -19,25 +19,32 @@ gen_require(`
@@ -28394,6 +28405,15 @@ index 03061349c..e30703d3c 100644
type postgresql_lock_t;
files_lock_file(postgresql_lock_t)
+@@ -224,7 +234,7 @@ postgresql_view_object(user_sepgsql_view_t)
+ #
+ # postgresql Local policy
+ #
+-allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin };
++allow postgresql_t self:capability { kill dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin };
+ dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
+ allow postgresql_t self:process signal_perms;
+ allow postgresql_t self:fifo_file rw_fifo_file_perms;
@@ -236,7 +246,8 @@ allow postgresql_t self:udp_socket create_stream_socket_perms;
allow postgresql_t self:unix_dgram_socket create_socket_perms;
allow postgresql_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -28624,7 +28644,7 @@ index 76d9f66ec..7528851ad 100644
+/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
+/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
-index fe0c68272..79d568a54 100644
+index fe0c68272..f0a61f830 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -32,10 +32,11 @@
@@ -28640,7 +28660,7 @@ index fe0c68272..79d568a54 100644
')
##############################
-@@ -47,10 +48,6 @@ template(`ssh_basic_client_template',`
+@@ -47,16 +48,12 @@ template(`ssh_basic_client_template',`
application_domain($1_ssh_t, ssh_exec_t)
role $3 types $1_ssh_t;
@@ -28651,6 +28671,13 @@ index fe0c68272..79d568a54 100644
##############################
#
# Client local policy
+ #
+
+- allow $1_ssh_t self:capability { setuid setgid dac_override dac_read_search };
++ allow $1_ssh_t self:capability { setuid setgid dac_read_search };
+ allow $1_ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow $1_ssh_t self:fd use;
+ allow $1_ssh_t self:fifo_file rw_fifo_file_perms;
@@ -89,33 +86,38 @@ template(`ssh_basic_client_template',`
# or "regular" (not special like sshd_extern_t) servers
allow $2 ssh_server:unix_stream_socket rw_stream_socket_perms;
@@ -28755,7 +28782,7 @@ index fe0c68272..79d568a54 100644
files_pid_file($1_var_run_t)
- allow $1_t self:capability { kill sys_chroot sys_nice sys_resource chown dac_override fowner fsetid setgid setuid sys_tty_config };
-+ allow $1_t self:capability { kill sys_admin sys_chroot sys_nice sys_resource chown dac_read_search dac_override fowner fsetid net_admin setgid setuid sys_tty_config };
++ allow $1_t self:capability { kill sys_admin sys_chroot sys_nice sys_resource chown dac_read_search fowner fsetid net_admin setgid setuid sys_tty_config };
allow $1_t self:fifo_file rw_fifo_file_perms;
- allow $1_t self:process { signal getsched setsched setrlimit setexec setkeycreate };
+ allow $1_t self:process { getcap signal getsched setsched setrlimit setexec };
@@ -29357,7 +29384,7 @@ index fe0c68272..79d568a54 100644
+ ps_process_pattern($1, sshd_t)
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index cc877c7b0..b14a28d5c 100644
+index cc877c7b0..296d9c7dd 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,43 +6,69 @@ policy_module(ssh, 2.4.2)
@@ -29444,7 +29471,7 @@ index cc877c7b0..b14a28d5c 100644
type ssh_t;
type ssh_exec_t;
-@@ -67,15 +93,17 @@ userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t)
+@@ -67,25 +93,28 @@ userdom_user_application_domain(ssh_keysign_t, ssh_keysign_exec_t)
type ssh_tmpfs_t;
typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t };
typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t };
@@ -29465,7 +29492,11 @@ index cc877c7b0..b14a28d5c 100644
##############################
#
-@@ -86,6 +114,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
+ # SSH client local policy
+ #
+
+-allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
++allow ssh_t self:capability { setuid setgid dac_read_search };
allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow ssh_t self:fd use;
allow ssh_t self:fifo_file rw_fifo_file_perms;
@@ -29839,7 +29870,7 @@ index cc877c7b0..b14a28d5c 100644
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
-+allow ssh_keygen_t self:capability { dac_read_search dac_override };
++allow ssh_keygen_t self:capability { dac_read_search };
dontaudit ssh_keygen_t self:capability sys_tty_config;
allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
-
@@ -31986,7 +32017,7 @@ index 6bf0ecc2d..75b2f31f9 100644
+')
+
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 8b403774f..af9ee8070 100644
+index 8b403774f..fe21bfc46 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,66 @@ gen_require(`
@@ -32246,7 +32277,7 @@ index 8b403774f..af9ee8070 100644
# Xauth local policy
#
-+allow xauth_t self:capability { dac_read_search dac_override };
++allow xauth_t self:capability { dac_read_search };
allow xauth_t self:process signal;
+allow xauth_t self:shm create_shm_perms;
allow xauth_t self:unix_stream_socket create_stream_socket_perms;
@@ -32351,7 +32382,7 @@ index 8b403774f..af9ee8070 100644
-allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
-+allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service net_admin sys_ptrace };
++allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service net_admin sys_ptrace };
+allow xdm_t self:capability2 { block_suspend };
+allow xdm_t self:cap_userns { kill };
+dontaudit xdm_t self:capability sys_admin;
@@ -33025,7 +33056,7 @@ index 8b403774f..af9ee8070 100644
# NVIDIA Needs execstack
-allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
-+allow xserver_t self:capability { sys_ptrace dac_read_search dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
++allow xserver_t self:capability { sys_ptrace dac_read_search fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
+
dontaudit xserver_t self:capability chown;
+#allow xserver_t self:capability2 compromise_kernel;
@@ -34736,7 +34767,7 @@ index 3efd5b669..a8cb6df3d 100644
+ allow $1 login_pgm:key manage_key_perms;
+')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 09b791dcc..2d255df93 100644
+index 09b791dcc..598dd5ed1 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
@@ -34825,7 +34856,7 @@ index 09b791dcc..2d255df93 100644
#
-allow chkpwd_t self:capability { dac_override setuid };
-+allow chkpwd_t self:capability { dac_read_search dac_override setuid };
++allow chkpwd_t self:capability { dac_read_search setuid };
dontaudit chkpwd_t self:capability sys_tty_config;
allow chkpwd_t self:process { getattr signal };
@@ -34947,7 +34978,7 @@ index 09b791dcc..2d255df93 100644
#
-allow updpwd_t self:capability { chown dac_override };
-+allow updpwd_t self:capability { chown dac_read_search dac_override };
++allow updpwd_t self:capability { chown dac_read_search };
allow updpwd_t self:process setfscreate;
allow updpwd_t self:fifo_file rw_fifo_file_perms;
allow updpwd_t self:unix_stream_socket create_stream_socket_perms;
@@ -35294,15 +35325,18 @@ index d475c2deb..55305d5f3 100644
+ files_etc_filetrans($1, adjtime_t, file, "adjtime" )
+')
diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
-index edece47dc..2e7b81176 100644
+index edece47dc..d71651f31 100644
--- a/policy/modules/system/clock.te
+++ b/policy/modules/system/clock.te
-@@ -20,7 +20,7 @@ role system_r types hwclock_t;
+@@ -18,9 +18,9 @@ role system_r types hwclock_t;
+ # Local policy
+ #
- # Give hwclock the capabilities it requires. dac_override is a surprise,
+-# Give hwclock the capabilities it requires. dac_override is a surprise,
++# Give hwclock the capabilities it requires. is a surprise,
# but hwclock does require it.
-allow hwclock_t self:capability { dac_override sys_rawio sys_time sys_tty_config };
-+allow hwclock_t self:capability { dac_read_search dac_override sys_rawio sys_time sys_tty_config };
++allow hwclock_t self:capability { dac_read_search sys_rawio sys_time sys_tty_config };
dontaudit hwclock_t self:capability sys_tty_config;
allow hwclock_t self:process signal_perms;
allow hwclock_t self:fifo_file rw_fifo_file_perms;
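Review bot: The substitution that removed `dac_override` also hit the comment above the `hwclock_t` rule, which now reads `# Give hwclock the capabilities it requires. is a surprise,` followed by `# but hwclock does require it.`. The sentence no longer names a capability, and it asserts a requirement that the rule below no longer grants. Either the comment is stale or the removal is wrong for this domain. If the removal is intended, replace both comment lines with `# Give hwclock the capabilities it requires.`; otherwise restore `dac_override` in the rule and in the comment.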
@@ -35461,7 +35495,7 @@ index 016a770b9..3fce820a5 100644
+ files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid")
+')
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
-index 3f48d300a..cb4f966c0 100644
+index 3f48d300a..cf67cf714 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -13,9 +13,15 @@ role system_r types fsadm_t;
@@ -35480,10 +35514,12 @@ index 3f48d300a..cb4f966c0 100644
type swapfile_t; # customizable
files_type(swapfile_t)
-@@ -26,6 +32,7 @@ files_type(swapfile_t)
+@@ -25,7 +31,8 @@ files_type(swapfile_t)
+ #
# ipc_lock is for losetup
- allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_resource sys_tty_config dac_override dac_read_search };
+-allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_resource sys_tty_config dac_override dac_read_search };
++allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_resource sys_tty_config dac_read_search };
+dontaudit fsadm_t self:capability net_admin;
allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap };
allow fsadm_t self:fd use;
@@ -35686,7 +35722,7 @@ index e4376aa98..2c98c5647 100644
+ allow $1 getty_unit_file_t:service start;
+')
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
-index f6743ea19..ef08ff3cf 100644
+index f6743ea19..abcc39a8c 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -27,13 +27,24 @@ files_tmp_file(getty_tmp_t)
@@ -35711,7 +35747,7 @@ index f6743ea19..ef08ff3cf 100644
# Use capabilities.
-allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid };
-+allow getty_t self:capability { dac_read_search dac_override chown setgid sys_resource sys_tty_config fowner fsetid };
++allow getty_t self:capability { dac_read_search chown setgid sys_resource sys_tty_config fowner fsetid };
dontaudit getty_t self:capability sys_tty_config;
allow getty_t self:process { getpgid setpgid getsession signal_perms };
allow getty_t self:fifo_file rw_fifo_file_perms;
@@ -35888,18 +35924,21 @@ index 40eb10c60..2a0a32c2d 100644
corecmd_search_bin($1)
diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
-index b2097e743..0a49e14ba 100644
+index b2097e743..8d66956d0 100644
--- a/policy/modules/system/hotplug.te
+++ b/policy/modules/system/hotplug.te
-@@ -23,7 +23,7 @@ files_pid_file(hotplug_var_run_t)
+@@ -23,9 +23,9 @@ files_pid_file(hotplug_var_run_t)
#
allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio };
-dontaudit hotplug_t self:capability { sys_module sys_admin sys_ptrace sys_tty_config };
+dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config };
# for access("/etc/bashrc", X_OK) on Red Hat
- dontaudit hotplug_t self:capability { dac_override dac_read_search };
+-dontaudit hotplug_t self:capability { dac_override dac_read_search };
++dontaudit hotplug_t self:capability { dac_read_search };
allow hotplug_t self:process { setpgid getsession getattr signal_perms };
+ allow hotplug_t self:fifo_file rw_file_perms;
+ allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
@@ -52,7 +52,6 @@ kernel_rw_net_sysctls(hotplug_t)
files_read_kernel_modules(hotplug_t)
@@ -39655,7 +39694,7 @@ index 0d4c8d35e..537aa4274 100644
+ ps_process_pattern($1, ipsec_mgmt_t)
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 312cd0417..56961b493 100644
+index 312cd0417..27a5d0650 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -39685,7 +39724,7 @@ index 312cd0417..56961b493 100644
-allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
-dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
-allow ipsec_t self:process { getcap setcap getsched signal setsched };
-+allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice net_raw setuid setgid };
++allow ipsec_t self:capability { net_admin dac_read_search setpcap sys_nice net_raw setuid setgid };
+dontaudit ipsec_t self:capability sys_tty_config;
+allow ipsec_t self:process { getcap setcap getsched signal signull setsched sigkill };
allow ipsec_t self:tcp_socket create_stream_socket_perms;
@@ -39827,7 +39866,7 @@ index 312cd0417..56961b493 100644
-dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config };
-allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal };
-allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
-+allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice sys_ptrace };
++allow ipsec_mgmt_t self:capability { dac_read_search net_admin setpcap sys_nice sys_ptrace };
+dontaudit ipsec_mgmt_t self:capability sys_tty_config;
+allow ipsec_mgmt_t self:process { getsched setrlimit setsched signal };
+allow ipsec_mgmt_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -40140,10 +40179,10 @@ index c42fbc329..bf211dbee 100644
+ files_pid_filetrans($1, iptables_var_run_t, file, "xtables.lock")
+')
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index be8ed1e6c..73e51f7ef 100644
+index be8ed1e6c..1afb965b8 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
-@@ -16,15 +16,21 @@ role iptables_roles types iptables_t;
+@@ -16,44 +16,61 @@ role iptables_roles types iptables_t;
type iptables_initrc_exec_t;
init_script_file(iptables_initrc_exec_t)
@@ -40168,7 +40207,11 @@ index be8ed1e6c..73e51f7ef 100644
########################################
#
# Iptables local policy
-@@ -35,25 +41,36 @@ dontaudit iptables_t self:capability sys_tty_config;
+ #
+
+-allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw };
++allow iptables_t self:capability { dac_read_search net_admin net_raw };
+ dontaudit iptables_t self:capability sys_tty_config;
allow iptables_t self:fifo_file rw_fifo_file_perms;
allow iptables_t self:process { sigchld sigkill sigstop signull signal };
allow iptables_t self:netlink_socket create_socket_perms;
@@ -40928,7 +40971,7 @@ index 808ba93eb..b717d9709 100644
+ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
+')
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index 54f8fa5c8..e14ec857c 100644
+index 54f8fa5c8..7a660a06c 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t)
@@ -40953,7 +40996,7 @@ index 54f8fa5c8..e14ec857c 100644
#
-allow ldconfig_t self:capability { dac_override sys_chroot };
-+allow ldconfig_t self:capability { dac_read_search dac_override sys_chroot };
++allow ldconfig_t self:capability { dac_read_search sys_chroot };
+manage_dirs_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t)
@@ -41130,7 +41173,7 @@ index 0e3c2a977..ea9bd57dc 100644
+ userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
+')
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index 446fa9908..fcf08acb2 100644
+index 446fa9908..a0d1b1ff7 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
@@ -41165,7 +41208,7 @@ index 446fa9908..fcf08acb2 100644
-allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
-allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow local_login_t self:process { setrlimit setexec };
-+allow local_login_t self:capability { dac_read_search dac_override chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
++allow local_login_t self:capability { dac_read_search chown fowner fsetid kill setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
+allow local_login_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap };
allow local_login_t self:fd use;
allow local_login_t self:fifo_file rw_fifo_file_perms;
@@ -41267,7 +41310,7 @@ index 446fa9908..fcf08acb2 100644
#
-allow sulogin_t self:capability dac_override;
-+allow sulogin_t self:capability { dac_read_search dac_override sys_admin };
++allow sulogin_t self:capability { dac_read_search sys_admin };
allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow sulogin_t self:fd use;
allow sulogin_t self:fifo_file rw_fifo_file_perms;
@@ -42138,7 +42181,7 @@ index 4e9488463..2db173f77 100644
+')
+
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 59b04c1a2..ba742cd03 100644
+index 59b04c1a2..6ae1e2663 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -4,6 +4,29 @@ policy_module(logging, 1.20.1)
@@ -42221,8 +42264,12 @@ index 59b04c1a2..ba742cd03 100644
ifdef(`enable_mls',`
init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh)
init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
-@@ -94,8 +129,11 @@ ifdef(`enable_mls',`
- allow auditctl_t self:capability { fsetid dac_read_search dac_override };
+@@ -91,11 +126,14 @@ ifdef(`enable_mls',`
+ # Auditctl local policy
+ #
+
+-allow auditctl_t self:capability { fsetid dac_read_search dac_override };
++allow auditctl_t self:capability { fsetid dac_read_search };
allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
+allow auditctl_t self:process getcap;
@@ -42304,7 +42351,7 @@ index 59b04c1a2..ba742cd03 100644
#
-allow audisp_t self:capability { dac_override setpcap sys_nice };
-+allow audisp_t self:capability { dac_read_search dac_override setpcap sys_nice };
++allow audisp_t self:capability { dac_read_search setpcap sys_nice };
allow audisp_t self:process { getcap signal_perms setcap setsched };
allow audisp_t self:fifo_file rw_fifo_file_perms;
allow audisp_t self:unix_stream_socket create_stream_socket_perms;
@@ -42393,7 +42440,7 @@ index 59b04c1a2..ba742cd03 100644
# sys_nice for rsyslog
# cjp: why net_admin!
-allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid };
-+allow syslogd_t self:capability { sys_ptrace dac_read_search dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid net_raw };
++allow syslogd_t self:capability { sys_ptrace dac_read_search sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid net_raw };
dontaudit syslogd_t self:capability sys_tty_config;
+dontaudit syslogd_t self:cap_userns sys_ptrace;
+allow syslogd_t self:capability2 { syslog block_suspend };
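Review bot: The rewritten syslogd_t capability set still lists `setgid` and `setuid` twice (`... net_admin setgid setuid sys_admin ... fsetid setuid setgid net_raw`). Since the line is being touched anyway, drop the duplicates so the set can be audited at a glance: `allow syslogd_t self:capability { sys_ptrace dac_read_search sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid net_raw };`. The `dontaudit syslogd_t self:capability sys_tty_config;` that follows has no effect while the allow rule grants `sys_tty_config`, so one of the two should go. The rest of the syslogd_t local policy is outside this hunk.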
@@ -43095,7 +43142,7 @@ index 58bc27f22..90f567300 100644
+
+
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index 79048c410..924fa2e75 100644
+index 79048c410..d404d6528 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -43184,7 +43231,7 @@ index 79048c410..924fa2e75 100644
# rawio needed for dmraid
# net_admin for multipath
-allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin };
-+allow lvm_t self:capability { dac_read_search dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin };
++allow lvm_t self:capability { dac_read_search fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio net_admin };
dontaudit lvm_t self:capability sys_tty_config;
allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate };
# LVM will complain a lot if it cannot set its priority.
@@ -44006,7 +44053,7 @@ index 7449974f6..b79290062 100644
+ #files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.symbols.bin")
+')
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index 7a363b8b2..3a6ded940 100644
+index 7a363b8b2..69463d732 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -5,7 +5,7 @@ policy_module(modutils, 1.14.0)
@@ -44112,7 +44159,7 @@ index 7a363b8b2..3a6ded940 100644
#
-allow insmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
-+allow insmod_t self:capability { dac_read_search dac_override mknod net_raw sys_nice sys_tty_config };
++allow insmod_t self:capability { dac_read_search mknod net_raw sys_nice sys_tty_config };
allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
allow insmod_t self:udp_socket create_socket_perms;
@@ -44687,7 +44734,7 @@ index 4584457b1..8f676d0c8 100644
')
+
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 459a0efbc..ed4756edc 100644
+index 459a0efbc..816066d07 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -5,13 +5,6 @@ policy_module(mount, 1.16.1)
@@ -44749,7 +44796,7 @@ index 459a0efbc..ed4756edc 100644
-# setuid/setgid needed to mount cifs
-allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
+# setuid/setgid needed to mount cifs
-+allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid sys_nice };
++allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_read_search chown sys_tty_config setuid setgid sys_nice };
+allow mount_t self:process { getcap getsched setsched setcap setrlimit signal };
+allow mount_t self:fifo_file rw_fifo_file_perms;
+allow mount_t self:unix_stream_socket create_stream_socket_perms;
@@ -46088,7 +46135,7 @@ index 38220721d..abac74231 100644
+ allow semanage_t $1:dbus send_msg;
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index dc4642022..0e7086c60 100644
+index dc4642022..5b26b2de2 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -11,14 +11,16 @@ gen_require(`
@@ -46233,7 +46280,7 @@ index dc4642022..0e7086c60 100644
#
-allow checkpolicy_t self:capability dac_override;
-+allow checkpolicy_t self:capability { dac_read_search dac_override };
++allow checkpolicy_t self:capability { dac_read_search };
# able to create and modify binary policy files
manage_files_pattern(checkpolicy_t, policy_config_t, policy_config_t)
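Review bot: After the removal the set holds a single permission, so the braces in `allow checkpolicy_t self:capability { dac_read_search };` are leftover noise from the mechanical edit. The pre-patch line used the bare form, and the rule reads better the same way: `allow checkpolicy_t self:capability dac_read_search;`. The same one-element set is left behind for load_policy_t, run_init_t (dontaudit), both `userdom_security_admin` templates, httpd_rotatelogs_t, backup_t and cachefiles_kernel_t.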
@@ -46259,7 +46306,7 @@ index dc4642022..0e7086c60 100644
#
-allow load_policy_t self:capability dac_override;
-+allow load_policy_t self:capability { dac_read_search dac_override };
++allow load_policy_t self:capability { dac_read_search };
# only allow read of policy config files
read_files_pattern(load_policy_t, { policy_src_t policy_config_t }, policy_config_t)
@@ -46311,7 +46358,7 @@ index dc4642022..0e7086c60 100644
#
-allow newrole_t self:capability { fowner setuid setgid dac_override };
-+allow newrole_t self:capability { fowner setpcap setuid setgid dac_read_search dac_override };
++allow newrole_t self:capability { fowner setpcap setuid setgid dac_read_search };
allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow newrole_t self:process setexec;
allow newrole_t self:fd use;
@@ -46383,6 +46430,15 @@ index dc4642022..0e7086c60 100644
files_polyinstantiate_all(newrole_t)
')
+@@ -318,7 +362,7 @@ tunable_policy(`allow_polyinstantiation',`
+ # Restorecond local policy
+ #
+
+-allow restorecond_t self:capability { dac_override dac_read_search fowner };
++allow restorecond_t self:capability { dac_read_search fowner };
+ allow restorecond_t self:fifo_file rw_fifo_file_perms;
+
+ allow restorecond_t restorecond_var_run_t:file manage_file_perms;
@@ -328,9 +372,13 @@ kernel_use_fds(restorecond_t)
kernel_rw_pipes(restorecond_t)
kernel_read_system_state(restorecond_t)
@@ -46434,10 +46490,11 @@ index dc4642022..0e7086c60 100644
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
# the failed access to the current directory
- dontaudit run_init_t self:capability { dac_override dac_read_search };
-
-+kernel_dontaudit_getattr_core_if(run_init_t)
+-dontaudit run_init_t self:capability { dac_override dac_read_search };
++dontaudit run_init_t self:capability { dac_read_search };
+
++kernel_dontaudit_getattr_core_if(run_init_t)
+
corecmd_exec_bin(run_init_t)
corecmd_exec_shell(run_init_t)
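Review bot: Dropping `dac_override` from `dontaudit run_init_t self:capability { ... }` does not reduce privilege, because the capability was never allowed here; it only means a `dac_override` denial in this domain is logged again. The comment directly above says failed access to the current directory should not be audited, so this may bring back the AVC noise the rule was written to suppress. Whether a `dac_override` check is still reached on that path depends on the kernel's capability check order, which the page does not show. If the removal is deliberate, say so in the comment, e.g. `# dac_override denials are audited on purpose`. The `dontaudit apmd_t self:capability { setuid dac_read_search sys_tty_config };` change in apm.te has the same effect.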
@@ -46763,7 +46820,7 @@ index dc4642022..0e7086c60 100644
+#
+# Setfiles common policy
+#
-+allow setfiles_domain self:capability { dac_override dac_read_search fowner };
++allow setfiles_domain self:capability { dac_read_search fowner };
+dontaudit setfiles_domain self:capability sys_tty_config;
+allow setfiles_domain self:fifo_file rw_file_perms;
+dontaudit setfiles_domain self:dir relabelfrom;
@@ -46875,7 +46932,7 @@ index dc4642022..0e7086c60 100644
+ dbus_read_pid_files(setfiles_domain)
')
-+allow policy_manager_domain self:capability { dac_read_search dac_override sys_nice sys_resource };
++allow policy_manager_domain self:capability { dac_read_search sys_nice sys_resource };
+dontaudit policy_manager_domain self:capability sys_tty_config;
+allow policy_manager_domain self:process { signal setsched };
+allow policy_manager_domain self:unix_stream_socket create_stream_socket_perms;
@@ -47651,7 +47708,7 @@ index 2cea692c0..e3cb4f2ef 100644
+ files_etc_filetrans($1, net_conf_t, file)
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index a392fc4bc..95c64150b 100644
+index a392fc4bc..d29b7f6fb 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4)
@@ -47699,7 +47756,7 @@ index a392fc4bc..95c64150b 100644
#
-allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
-dontaudit dhcpc_t self:capability { sys_tty_config sys_ptrace };
-+allow dhcpc_t self:capability { dac_read_search dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
++allow dhcpc_t self:capability { dac_read_search fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
+dontaudit dhcpc_t self:capability sys_tty_config;
# for access("/etc/bashrc", X_OK) on Red Hat
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
@@ -50034,7 +50091,7 @@ index 000000000..634d9596a
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 000000000..1927b4fc0
+index 000000000..3660fe1c4
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,1025 @@
@@ -50195,7 +50252,7 @@ index 000000000..1927b4fc0
+# Systemd_logind local policy
+#
+
-+# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER)
++# is for /run/user/$USER ($USER ownership is $USER:$USER)
+allow systemd_logind_t self:capability { chown kill dac_read_search dac_override fowner sys_tty_config sys_admin };
+allow systemd_logind_t self:capability2 block_suspend;
+allow systemd_logind_t self:process getcap;
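Review bot: The comment now reads `# is for /run/user/$USER ($USER ownership is $USER:$USER)`, so the capability name was stripped from the explanation. The rule on the next line still grants `dac_override` to systemd_logind_t. This looks like a side effect of removing the token mechanically across the file, and it leaves the one documented justification for keeping the capability unreadable. Restore the text: `# dac_override is for /run/user/$USER ($USER ownership is $USER:$USER)`.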
@@ -50363,7 +50420,7 @@ index 000000000..1927b4fc0
+# systemd_machined local policy
+#
+
-+allow systemd_machined_t self:capability { dac_read_search dac_override setgid sys_admin sys_chroot sys_ptrace kill };
++allow systemd_machined_t self:capability { dac_read_search setgid sys_admin sys_chroot sys_ptrace kill };
+allow systemd_machined_t systemd_unit_file_t:service { status start };
+allow systemd_machined_t self:unix_dgram_socket create_socket_perms;
+
@@ -50481,7 +50538,7 @@ index 000000000..1927b4fc0
+# Local policy
+#
+
-+allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_read_search dac_override };
++allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_read_search };
+allow systemd_passwd_agent_t self:process { setsockcreate };
+allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
+
@@ -50525,7 +50582,7 @@ index 000000000..1927b4fc0
+# Local policy
+#
+
-+allow systemd_tmpfiles_t self:capability { chown dac_read_search dac_override fsetid fowner mknod sys_admin };
++allow systemd_tmpfiles_t self:capability { chown dac_read_search fsetid fowner mknod sys_admin };
+allow systemd_tmpfiles_t self:process { setfscreate };
+
+allow systemd_tmpfiles_t self:unix_dgram_socket create_socket_perms;
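Review bot: systemd_tmpfiles_t loses `dac_override` but keeps `chown fowner fsetid mknod`, which suggests it works on paths not owned by root. `dac_read_search` bypasses only read and directory-search checks. If this domain creates or removes entries inside a directory owned by another user, that write will now be denied. The systemd_logind_t comment in this same file gives exactly that reason (`/run/user/$USER` owned by `$USER:$USER`) for keeping `dac_override`. A one-line comment recording why tmpfiles does not hit that case would document the decision, something like `# dac_override not needed: <reason>`. A check for `dac_override` AVC denials from this domain after the update would confirm it. The rest of the domain's policy is outside the hunk.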
@@ -50796,7 +50853,7 @@ index 000000000..1927b4fc0
+# Timedated policy
+#
+
-+allow systemd_timedated_t self:capability { sys_nice sys_time dac_read_search dac_override };
++allow systemd_timedated_t self:capability { sys_nice sys_time dac_read_search };
+allow systemd_timedated_t self:process { getattr getsched setfscreate };
+allow systemd_timedated_t self:fifo_file rw_fifo_file_perms;
+allow systemd_timedated_t self:unix_stream_socket create_stream_socket_perms;
@@ -51361,7 +51418,7 @@ index 9a1650d37..d7e8a0193 100644
########################################
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index 39f185f68..a313a7d1a 100644
+index 39f185f68..815aada78 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t)
@@ -51390,7 +51447,7 @@ index 39f185f68..a313a7d1a 100644
#
-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
-+allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice };
++allow udev_t self:capability { chown dac_read_search dac_override fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice };
+allow udev_t self:capability2 { block_suspend wake_alarm };
dontaudit udev_t self:capability sys_tty_config;
-allow udev_t self:capability2 block_suspend;
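Review bot: The new udev_t line only swaps the order of `dac_override` and `dac_read_search`, so udev_t keeps `dac_override` while nearly every other domain in this patch loses it. If udev_t is a deliberate exception, record that next to the rule, e.g. `# dac_override kept: <reason>`. Otherwise it reads as a miss of the bulk edit. The set also lists `sys_nice` twice, and the second one can be dropped.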
@@ -52479,7 +52536,7 @@ index db7597682..c54480a1d 100644
+/var/tmp/hsperfdata_root gen_context(system_u:object_r:user_tmp_t,s0)
+
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 9dc60c6c0..6a26bba87 100644
+index 9dc60c6c0..1d1213e00 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -54094,15 +54151,17 @@ index 9dc60c6c0..6a26bba87 100644
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1240,7 +1714,7 @@ template(`userdom_admin_user_template',`
+@@ -1240,8 +1714,8 @@ template(`userdom_admin_user_template',`
##
##
#
-template(`userdom_security_admin_template',`
+- allow $1 self:capability { dac_read_search dac_override };
+template(`userdom_security_admin',`
- allow $1 self:capability { dac_read_search dac_override };
++ allow $1 self:capability { dac_read_search };
corecmd_exec_shell($1)
+
@@ -1250,6 +1724,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
@@ -57575,7 +57634,7 @@ index 9dc60c6c0..6a26bba87 100644
+##
+#
+template(`userdom_security_admin_template',`
-+ allow $1 self:capability { dac_read_search dac_override };
++ allow $1 self:capability { dac_read_search };
+
+ corecmd_exec_shell($1)
+
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index e27883e..a5dfd76 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -589,7 +589,7 @@ index 058d908e4..ee0c55969 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index eb50f070f..5c05075a4 100644
+index eb50f070f..aa5b1112e 100644
--- a/abrt.te
+++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@@ -718,7 +718,7 @@ index eb50f070f..5c05075a4 100644
-allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
-dontaudit abrt_t self:capability sys_rawio;
-+allow abrt_t self:capability { chown dac_read_search dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace };
++allow abrt_t self:capability { chown dac_read_search fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace };
+dontaudit abrt_t self:capability { net_admin sys_rawio sys_ptrace };
allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
+
@@ -1082,7 +1082,7 @@ index eb50f070f..5c05075a4 100644
#
-allow abrt_dump_oops_t self:capability dac_override;
-+allow abrt_dump_oops_t self:capability { kill net_admin sys_ptrace ipc_lock fowner chown fsetid dac_read_search dac_override setuid setgid };
++allow abrt_dump_oops_t self:capability { kill net_admin sys_ptrace ipc_lock fowner chown fsetid dac_read_search setuid setgid };
+allow abrt_dump_oops_t self:cap_userns { kill sys_ptrace };
+allow abrt_dump_oops_t self:process {setfscreate setcap};
allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
@@ -1184,7 +1184,7 @@ index eb50f070f..5c05075a4 100644
# Upload watch local policy
#
-+allow abrt_upload_watch_t self:capability { dac_read_search dac_override chown fsetid };
++allow abrt_upload_watch_t self:capability { dac_read_search chown fsetid };
+
+manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+manage_dirs_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
@@ -1300,7 +1300,7 @@ index bd5ec9ab0..554177cd2 100644
+ allow $1 accountsd_unit_file_t:service all_service_perms;
')
diff --git a/accountsd.te b/accountsd.te
-index 3593510d8..7c13845fd 100644
+index 3593510d8..15ce4ef6c 100644
--- a/accountsd.te
+++ b/accountsd.te
@@ -4,6 +4,10 @@ gen_require(`
@@ -1334,7 +1334,7 @@ index 3593510d8..7c13845fd 100644
#
-allow accountsd_t self:capability { chown dac_override setuid setgid sys_ptrace };
-+allow accountsd_t self:capability { chown dac_read_search dac_override setuid setgid sys_ptrace };
++allow accountsd_t self:capability { chown dac_read_search setuid setgid sys_ptrace };
allow accountsd_t self:process signal;
allow accountsd_t self:fifo_file rw_fifo_file_perms;
allow accountsd_t self:passwd { rootok passwd chfn chsh };
@@ -1542,7 +1542,7 @@ index 3b41be699..97d99f979 100644
afs_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/afs.te b/afs.te
-index 90ce63748..8cf712d15 100644
+index 90ce63748..9855b3b11 100644
--- a/afs.te
+++ b/afs.te
@@ -72,7 +72,7 @@ role system_r types afs_vlserver_t;
@@ -1550,7 +1550,7 @@ index 90ce63748..8cf712d15 100644
#
-allow afs_t self:capability { dac_override sys_admin sys_nice sys_tty_config };
-+allow afs_t self:capability { dac_read_search dac_override sys_admin sys_nice sys_tty_config };
++allow afs_t self:capability { dac_read_search sys_admin sys_nice sys_tty_config };
allow afs_t self:process { setsched signal };
allow afs_t self:fifo_file rw_file_perms;
allow afs_t self:unix_stream_socket { accept listen };
@@ -1624,7 +1624,7 @@ index 90ce63748..8cf712d15 100644
#
-allow afs_fsserver_t self:capability { kill dac_override chown fowner sys_nice };
-+allow afs_fsserver_t self:capability { kill dac_read_search dac_override chown fowner sys_nice };
++allow afs_fsserver_t self:capability { kill dac_read_search chown fowner sys_nice };
dontaudit afs_fsserver_t self:capability fsetid;
allow afs_fsserver_t self:process { setsched signal_perms };
allow afs_fsserver_t self:fifo_file rw_fifo_file_perms;
@@ -1810,7 +1810,7 @@ index 01cbb67df..94a4a2406 100644
files_list_etc($1)
diff --git a/aide.te b/aide.te
-index 03831e6e5..3d35fff8e 100644
+index 03831e6e5..d97de5ad7 100644
--- a/aide.te
+++ b/aide.te
@@ -10,6 +10,7 @@ attribute_role aide_roles;
@@ -1826,7 +1826,7 @@ index 03831e6e5..3d35fff8e 100644
#
-allow aide_t self:capability { dac_override fowner };
-+allow aide_t self:capability { dac_read_search dac_override fowner ipc_lock sys_admin };
++allow aide_t self:capability { dac_read_search fowner ipc_lock sys_admin };
+allow aide_t self:process signal;
manage_files_pattern(aide_t, aide_db_t, aide_db_t)
@@ -2220,7 +2220,7 @@ index ca8d8cf3b..053a30ad4 100644
#########################################
diff --git a/alsa.te b/alsa.te
-index 4b153f179..a799cd394 100644
+index 4b153f179..9a0043caa 100644
--- a/alsa.te
+++ b/alsa.te
@@ -15,6 +15,9 @@ role alsa_roles types alsa_t;
@@ -2253,7 +2253,7 @@ index 4b153f179..a799cd394 100644
-allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner };
-dontaudit alsa_t self:capability sys_admin;
-+allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner sys_nice };
++allow alsa_t self:capability { dac_read_search setgid setuid ipc_owner sys_nice };
+dontaudit alsa_t self:capability { sys_tty_config sys_admin };
+allow alsa_t self:process { getsched setsched signal_perms };
allow alsa_t self:sem create_sem_perms;
@@ -2321,7 +2321,7 @@ index 7f4dfbca3..e5c9f45b8 100644
/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
diff --git a/amanda.te b/amanda.te
-index 519051c7d..89302e2d9 100644
+index 519051c7d..96bbc0825 100644
--- a/amanda.te
+++ b/amanda.te
@@ -9,11 +9,14 @@ attribute_role amanda_recover_roles;
@@ -2358,7 +2358,7 @@ index 519051c7d..89302e2d9 100644
-allow amanda_t self:capability { chown dac_override setuid kill };
-allow amanda_t self:process { setpgid signal };
-+allow amanda_t self:capability { chown dac_read_search dac_override setuid kill sys_admin };
++allow amanda_t self:capability { chown dac_read_search setuid kill sys_admin };
+allow amanda_t self:process { getsched setsched setpgid signal };
allow amanda_t self:fifo_file rw_fifo_file_perms;
allow amanda_t self:unix_stream_socket { accept listen };
@@ -2428,7 +2428,7 @@ index 519051c7d..89302e2d9 100644
#
-allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override };
-+allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_read_search dac_override };
++allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_read_search };
allow amanda_recover_t self:process { sigkill sigstop signal };
allow amanda_recover_t self:fifo_file rw_fifo_file_perms;
allow amanda_recover_t self:unix_stream_socket create_socket_perms;
@@ -2531,7 +2531,7 @@ index 60d4f8c90..18ef0772c 100644
domain_system_change_exemption($1)
role_transition $2 amavis_initrc_exec_t system_r;
diff --git a/amavis.te b/amavis.te
-index 91fa72ae1..1736250ae 100644
+index 91fa72ae1..2e9b8246a 100644
--- a/amavis.te
+++ b/amavis.te
@@ -39,14 +39,14 @@ type amavis_quarantine_t;
@@ -2547,7 +2547,7 @@ index 91fa72ae1..1736250ae 100644
#
-allow amavis_t self:capability { kill chown dac_override setgid setuid };
-+allow amavis_t self:capability { kill chown dac_read_search dac_override setgid setuid };
++allow amavis_t self:capability { kill chown dac_read_search setgid setuid };
dontaudit amavis_t self:capability sys_tty_config;
allow amavis_t self:process signal_perms;
allow amavis_t self:fifo_file rw_fifo_file_perms;
@@ -3284,7 +3284,7 @@ index 000000000..36251b926
+')
diff --git a/antivirus.te b/antivirus.te
new file mode 100644
-index 000000000..d202f695a
+index 000000000..28cdddda9
--- /dev/null
+++ b/antivirus.te
@@ -0,0 +1,274 @@
@@ -3354,7 +3354,7 @@ index 000000000..d202f695a
+# antivirus domain local policy
+#
+
-+allow antivirus_domain self:capability { dac_read_search dac_override chown kill fsetid setgid setuid sys_admin };
++allow antivirus_domain self:capability { dac_read_search chown kill fsetid setgid setuid sys_admin };
+dontaudit antivirus_domain self:capability sys_tty_config;
+allow antivirus_domain self:process signal_perms;
+
@@ -5615,7 +5615,7 @@ index f6eb4851f..3628a384f 100644
+ allow $1 httpd_t:process { noatsecure };
')
diff --git a/apache.te b/apache.te
-index 6649962b6..1a0189a44 100644
+index 6649962b6..721dab24b 100644
--- a/apache.te
+++ b/apache.te
@@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
@@ -6253,7 +6253,7 @@ index 6649962b6..1a0189a44 100644
-allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
-dontaudit httpd_t self:capability net_admin;
-+allow httpd_t self:capability { chown dac_read_search dac_override kill setgid setuid sys_nice sys_tty_config sys_chroot };
++allow httpd_t self:capability { chown dac_read_search kill setgid setuid sys_nice sys_tty_config sys_chroot };
+dontaudit httpd_t self:capability { net_admin sys_tty_config };
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
@@ -7761,7 +7761,7 @@ index 6649962b6..1a0189a44 100644
#
-allow httpd_rotatelogs_t self:capability dac_override;
-+allow httpd_rotatelogs_t self:capability { dac_read_search dac_override };
++allow httpd_rotatelogs_t self:capability { dac_read_search };
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
-read_lnk_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
@@ -8134,7 +8134,7 @@ index f3c0abac6..f6e25eda4 100644
+ files_etc_filetrans(apcupsd_t, apcupsd_power_t, file, "powerfail")
')
diff --git a/apcupsd.te b/apcupsd.te
-index 080bc4ddb..a78dbced6 100644
+index 080bc4ddb..b73cf151d 100644
--- a/apcupsd.te
+++ b/apcupsd.te
@@ -24,12 +24,18 @@ files_tmp_file(apcupsd_tmp_t)
@@ -8153,7 +8153,7 @@ index 080bc4ddb..a78dbced6 100644
#
-allow apcupsd_t self:capability { dac_override setgid sys_tty_config };
-+allow apcupsd_t self:capability { dac_read_search dac_override setgid sys_tty_config };
++allow apcupsd_t self:capability { dac_read_search setgid sys_tty_config };
allow apcupsd_t self:process signal;
allow apcupsd_t self:fifo_file rw_file_perms;
allow apcupsd_t self:unix_stream_socket create_stream_socket_perms;
@@ -8349,7 +8349,7 @@ index 1a7a97e5c..2c7252a39 100644
domain_system_change_exemption($1)
role_transition $2 apmd_initrc_exec_t system_r;
diff --git a/apm.te b/apm.te
-index 7fd431bcd..f944eccf1 100644
+index 7fd431bcd..ffb0792b8 100644
--- a/apm.te
+++ b/apm.te
@@ -35,12 +35,15 @@ files_type(apmd_var_lib_t)
@@ -8365,7 +8365,7 @@ index 7fd431bcd..f944eccf1 100644
#
-allow apm_t self:capability { dac_override sys_admin };
-+allow apm_t self:capability { dac_read_search dac_override sys_admin sys_resource };
++allow apm_t self:capability { dac_read_search sys_admin sys_resource };
kernel_read_system_state(apm_t)
@@ -8385,7 +8385,7 @@ index 7fd431bcd..f944eccf1 100644
-allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
-dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
+allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod sys_resource };
-+dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_tty_config };
++dontaudit apmd_t self:capability { setuid dac_read_search sys_tty_config };
allow apmd_t self:process { signal_perms getsession };
allow apmd_t self:fifo_file rw_fifo_file_perms;
allow apmd_t self:netlink_socket create_socket_perms;
@@ -8478,7 +8478,7 @@ index cde81d248..2fe02018a 100644
')
diff --git a/apt.te b/apt.te
-index efa853059..ae5d0c9f2 100644
+index efa853059..68f2e3676 100644
--- a/apt.te
+++ b/apt.te
@@ -39,7 +39,7 @@ logging_log_file(apt_var_log_t)
@@ -8486,7 +8486,7 @@ index efa853059..ae5d0c9f2 100644
#
-allow apt_t self:capability { chown dac_override fowner fsetid };
-+allow apt_t self:capability { chown dac_read_search dac_override fowner fsetid };
++allow apt_t self:capability { chown dac_read_search fowner fsetid };
allow apt_t self:process { signal setpgid fork };
allow apt_t self:fd use;
allow apt_t self:fifo_file rw_fifo_file_perms;
@@ -8686,7 +8686,7 @@ index 2077053ea..198a02ab4 100644
domain_system_change_exemption($1)
role_transition $2 asterisk_initrc_exec_t system_r;
diff --git a/asterisk.te b/asterisk.te
-index 7e4135022..1e0f4c49b 100644
+index 7e4135022..a0ff3fc8f 100644
--- a/asterisk.te
+++ b/asterisk.te
@@ -19,7 +19,7 @@ type asterisk_log_t;
@@ -8703,7 +8703,7 @@ index 7e4135022..1e0f4c49b 100644
#
-allow asterisk_t self:capability { dac_override chown setgid setuid sys_nice net_admin };
-+allow asterisk_t self:capability { dac_read_search dac_override chown setgid setuid sys_nice net_admin };
++allow asterisk_t self:capability { dac_read_search chown setgid setuid sys_nice net_admin };
dontaudit asterisk_t self:capability { sys_module sys_tty_config };
allow asterisk_t self:process { getsched setsched signal_perms getcap setcap };
allow asterisk_t self:fifo_file rw_fifo_file_perms;
@@ -9046,7 +9046,7 @@ index f24e36960..4484a98da 100644
+ allow $1 automount_unit_file_t:service all_service_perms;
')
diff --git a/automount.te b/automount.te
-index 27d2f400b..f74f75f1b 100644
+index 27d2f400b..bc3619c20 100644
--- a/automount.te
+++ b/automount.te
@@ -22,6 +22,9 @@ type automount_tmp_t;
@@ -9064,7 +9064,7 @@ index 27d2f400b..f74f75f1b 100644
#
-allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin };
-+allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_read_search dac_override sys_admin };
++allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_read_search sys_admin };
+allow automount_t self:capability2 block_suspend;
dontaudit automount_t self:capability sys_tty_config;
allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
@@ -9210,7 +9210,7 @@ index 9078c3d85..2f6b2503e 100644
+ allow $1 avahi_unit_file_t:service all_service_perms;
')
diff --git a/avahi.te b/avahi.te
-index b8355b32f..51ce1b60f 100644
+index b8355b32f..7137937b9 100644
--- a/avahi.te
+++ b/avahi.te
@@ -13,17 +13,21 @@ type avahi_initrc_exec_t;
@@ -9233,7 +9233,7 @@ index b8355b32f..51ce1b60f 100644
#
-allow avahi_t self:capability { dac_override setgid chown fowner kill net_admin net_raw setuid sys_chroot };
-+allow avahi_t self:capability { dac_read_search dac_override setgid chown fowner kill net_admin net_raw setuid sys_chroot };
++allow avahi_t self:capability { dac_read_search setgid chown fowner kill net_admin net_raw setuid sys_chroot };
dontaudit avahi_t self:capability sys_tty_config;
allow avahi_t self:process { setrlimit signal_perms getcap setcap };
allow avahi_t self:fifo_file rw_fifo_file_perms;
@@ -9345,7 +9345,7 @@ index c1b16c392..ffbf2cb8f 100644
+read_files_pattern(awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
+files_search_var_lib(awstats_script_t)
diff --git a/backup.te b/backup.te
-index 7811450b6..e78703340 100644
+index 7811450b6..c9da8d3d0 100644
--- a/backup.te
+++ b/backup.te
@@ -21,7 +21,7 @@ files_type(backup_store_t)
@@ -9353,7 +9353,7 @@ index 7811450b6..e78703340 100644
#
-allow backup_t self:capability dac_override;
-+allow backup_t self:capability { dac_read_search dac_override };
++allow backup_t self:capability { dac_read_search };
allow backup_t self:process signal;
allow backup_t self:fifo_file rw_fifo_file_perms;
allow backup_t self:tcp_socket create_socket_perms;
@@ -9400,7 +9400,7 @@ index dcd774ee4..c240ffaf6 100644
allow $1 bacula_t:process { ptrace signal_perms };
diff --git a/bacula.te b/bacula.te
-index f16b00008..1a7c80f01 100644
+index f16b00008..db82cfb6a 100644
--- a/bacula.te
+++ b/bacula.te
@@ -27,6 +27,9 @@ type bacula_store_t;
@@ -9426,7 +9426,7 @@ index f16b00008..1a7c80f01 100644
#
-allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid};
-+allow bacula_t self:capability { dac_read_search dac_override chown fowner fsetid setgid setuid};
++allow bacula_t self:capability { dac_read_search chown fowner fsetid setgid setuid};
allow bacula_t self:process signal;
allow bacula_t self:fifo_file rw_fifo_file_perms;
allow bacula_t self:tcp_socket { accept listen };
@@ -9950,7 +9950,7 @@ index 531a8f244..3fcf18722 100644
+ allow $1 named_unit_file_t:service all_service_perms;
')
diff --git a/bind.te b/bind.te
-index 124112346..57a8b4484 100644
+index 124112346..6a704537e 100644
--- a/bind.te
+++ b/bind.te
@@ -34,7 +34,7 @@ type named_checkconf_exec_t;
@@ -10092,7 +10092,7 @@ index 124112346..57a8b4484 100644
-allow ndc_t self:capability { dac_override net_admin };
-allow ndc_t self:process signal_perms;
-+allow ndc_t self:capability { dac_read_search dac_override net_admin };
++allow ndc_t self:capability { dac_read_search net_admin };
+allow ndc_t self:capability2 block_suspend;
+allow ndc_t self:process { fork signal_perms };
allow ndc_t self:fifo_file rw_fifo_file_perms;
@@ -10174,7 +10174,7 @@ index e73fb799e..2badfc0d9 100644
domain_system_change_exemption($1)
role_transition $2 bitlbee_initrc_exec_t system_r;
diff --git a/bitlbee.te b/bitlbee.te
-index f5c1a48b6..102fa8eae 100644
+index f5c1a48b6..dbc347918 100644
--- a/bitlbee.te
+++ b/bitlbee.te
@@ -33,11 +33,14 @@ files_pid_file(bitlbee_var_run_t)
@@ -10182,7 +10182,7 @@ index f5c1a48b6..102fa8eae 100644
#
-allow bitlbee_t self:capability { dac_override kill setgid setuid sys_nice };
-+allow bitlbee_t self:capability { dac_read_search dac_override kill setgid setuid sys_nice };
++allow bitlbee_t self:capability { dac_read_search kill setgid setuid sys_nice };
allow bitlbee_t self:process { setsched signal };
+
allow bitlbee_t self:fifo_file rw_fifo_file_perms;
@@ -10710,7 +10710,7 @@ index c723a0ae0..1c29d21e7 100644
+ allow $1 bluetooth_unit_file_t:service all_service_perms;
')
diff --git a/bluetooth.te b/bluetooth.te
-index 851769e55..9db73ae8a 100644
+index 851769e55..45de12d70 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -49,12 +49,15 @@ files_type(bluetooth_var_lib_t)
@@ -10726,7 +10726,7 @@ index 851769e55..9db73ae8a 100644
#
-allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_admin sys_tty_config ipc_lock };
-+allow bluetooth_t self:capability { dac_read_search dac_override net_bind_service net_admin net_raw setpcap sys_admin sys_tty_config ipc_lock };
++allow bluetooth_t self:capability { dac_read_search net_bind_service net_admin net_raw setpcap sys_admin sys_tty_config ipc_lock };
dontaudit bluetooth_t self:capability sys_tty_config;
allow bluetooth_t self:process { getcap setcap getsched signal_perms };
allow bluetooth_t self:fifo_file rw_fifo_file_perms;
@@ -12062,7 +12062,7 @@ index 8de2ab9c5..3b419455f 100644
+ domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t)
')
diff --git a/cachefilesd.te b/cachefilesd.te
-index a3760bc92..22ed920b7 100644
+index a3760bc92..f2fc5b2f3 100644
--- a/cachefilesd.te
+++ b/cachefilesd.te
@@ -1,52 +1,125 @@
@@ -12138,7 +12138,7 @@ index a3760bc92..22ed920b7 100644
+# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
+# rules.
+#
-+allow cachefilesd_t self:capability { setuid setgid sys_admin dac_read_search dac_override };
++allow cachefilesd_t self:capability { setuid setgid sys_admin dac_read_search };
+allow cachefilesd_t self:process signal_perms;
+# Allow manipulation of pid file
@@ -12200,7 +12200,7 @@ index a3760bc92..22ed920b7 100644
+# This governs what the kernel module is allowed to do the contents of the
+# cache.
+#
-+allow cachefiles_kernel_t self:capability { dac_override dac_read_search };
++allow cachefiles_kernel_t self:capability { dac_read_search };
-optional_policy(`
- rpm_use_script_fds(cachefilesd_t)
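Review bot: The rewritten cachefiles_kernel_t rule leaves a one-element set, `{ dac_read_search }`; a single permission is normally written without braces, as in `allow cachefiles_kernel_t self:capability dac_read_search;`. The same leftover appears further down in the calamaris_t, colord_t, condor_domain, courier_domain, dbadm_t and dirsrv_snmp_t rules and inside the cvs_read_shadow tunable. It is cosmetic only and should not change the compiled policy.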
@@ -12227,7 +12227,7 @@ index cd9c52871..ba793b748 100644
')
diff --git a/calamaris.te b/calamaris.te
-index 7e574604b..8d8cd78e5 100644
+index 7e574604b..66915d96c 100644
--- a/calamaris.te
+++ b/calamaris.te
@@ -23,7 +23,7 @@ files_type(calamaris_www_t)
@@ -12235,7 +12235,7 @@ index 7e574604b..8d8cd78e5 100644
#
-allow calamaris_t self:capability dac_override;
-+allow calamaris_t self:capability { dac_read_search dac_override };
++allow calamaris_t self:capability { dac_read_search };
allow calamaris_t self:process { signal_perms setsched };
allow calamaris_t self:fifo_file rw_fifo_file_perms;
allow calamaris_t self:unix_stream_socket { accept listen };
@@ -12422,7 +12422,7 @@ index fbc20f694..4de4a005c 100644
ps_process_pattern($2, cdrecord_t)
')
diff --git a/cdrecord.te b/cdrecord.te
-index 16883c9c3..97e9a429e 100644
+index 16883c9c3..96f86d07b 100644
--- a/cdrecord.te
+++ b/cdrecord.te
@@ -29,7 +29,7 @@ role cdrecord_roles types cdrecord_t;
@@ -12430,7 +12430,7 @@ index 16883c9c3..97e9a429e 100644
#
-allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_override sys_rawio };
-+allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_read_search dac_override sys_rawio };
++allow cdrecord_t self:capability { ipc_lock sys_nice setuid dac_read_search sys_rawio };
allow cdrecord_t self:process { getcap getsched setrlimit setsched sigkill };
allow cdrecord_t self:unix_stream_socket { accept listen };
@@ -12493,9 +12493,18 @@ index 0c53b189b..ef29f6e6c 100644
domain_system_change_exemption($1)
role_transition $2 certmaster_initrc_exec_t system_r;
diff --git a/certmaster.te b/certmaster.te
-index 4a878730b..113f3b32f 100644
+index 4a878730b..59890995f 100644
--- a/certmaster.te
+++ b/certmaster.te
+@@ -29,7 +29,7 @@ files_pid_file(certmaster_var_run_t)
+ # Local policy
+ #
+
+-allow certmaster_t self:capability { dac_read_search dac_override sys_tty_config };
++allow certmaster_t self:capability { dac_read_search sys_tty_config };
+ allow certmaster_t self:tcp_socket { accept listen };
+
+ list_dirs_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t)
@@ -65,11 +65,10 @@ corenet_tcp_sendrecv_certmaster_port(certmaster_t)
dev_read_urand(certmaster_t)
@@ -12556,7 +12565,7 @@ index 008f8ef26..144c0740a 100644
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/certmonger.te b/certmonger.te
-index 550b287ce..c2433ff15 100644
+index 550b287ce..73104ec93 100644
--- a/certmonger.te
+++ b/certmonger.te
@@ -18,18 +18,26 @@ files_type(certmonger_var_lib_t)
@@ -12575,7 +12584,7 @@ index 550b287ce..c2433ff15 100644
#
-allow certmonger_t self:capability { dac_override dac_read_search setgid setuid kill sys_nice };
-+allow certmonger_t self:capability { chown dac_override dac_read_search setgid setuid kill sys_nice };
++allow certmonger_t self:capability { chown dac_read_search setgid setuid kill sys_nice };
dontaudit certmonger_t self:capability sys_tty_config;
allow certmonger_t self:capability2 block_suspend;
+
@@ -12732,7 +12741,7 @@ index 550b287ce..c2433ff15 100644
+ ')
+')
diff --git a/certwatch.te b/certwatch.te
-index 171fafb99..e3986fd2e 100644
+index 171fafb99..38614a0e9 100644
--- a/certwatch.te
+++ b/certwatch.te
@@ -18,35 +18,47 @@ role certwatch_roles types certwatch_t;
@@ -12740,7 +12749,7 @@ index 171fafb99..e3986fd2e 100644
#
-allow certwatch_t self:capability sys_nice;
-+allow certwatch_t self:capability { dac_read_search dac_override sys_nice };
++allow certwatch_t self:capability { dac_read_search sys_nice };
allow certwatch_t self:process { setsched getsched };
+allow certwatch_t self:tcp_socket create_stream_socket_perms;
@@ -13114,7 +13123,7 @@ index 85ca63f9a..1d1c99c8f 100644
admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
files_list_etc($1)
diff --git a/cgroup.te b/cgroup.te
-index 80a88a27a..514eb47f2 100644
+index 80a88a27a..9d59bfa0e 100644
--- a/cgroup.te
+++ b/cgroup.te
@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
@@ -13128,9 +13137,12 @@ index 80a88a27a..514eb47f2 100644
init_daemon_domain(cgconfig_t, cgconfig_exec_t)
type cgconfig_initrc_exec_t;
-@@ -42,10 +42,12 @@ files_config_file(cgconfig_etc_t)
+@@ -40,12 +40,14 @@ files_config_file(cgconfig_etc_t)
+ # cgclear local policy
+ #
- allow cgclear_t self:capability { dac_read_search dac_override sys_admin };
+-allow cgclear_t self:capability { dac_read_search dac_override sys_admin };
++allow cgclear_t self:capability { dac_read_search sys_admin };
-allow cgclear_t cgconfig_etc_t:file read_file_perms;
+read_files_pattern(cgclear_t, cgconfig_etc_t, cgconfig_etc_t)
@@ -13147,7 +13159,7 @@ index 80a88a27a..514eb47f2 100644
#
-allow cgconfig_t self:capability { dac_override fowner fsetid chown sys_admin sys_tty_config };
-+allow cgconfig_t self:capability { dac_read_search dac_override fowner fsetid chown sys_admin sys_tty_config };
++allow cgconfig_t self:capability { dac_read_search fowner fsetid chown sys_admin sys_tty_config };
allow cgconfig_t cgconfig_etc_t:file read_file_perms;
@@ -13168,7 +13180,7 @@ index 80a88a27a..514eb47f2 100644
#
# cgred local policy
#
-+allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_read_search dac_override sys_ptrace };
++allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_read_search sys_ptrace };
+allow cgred_t self:process signal_perms;
-allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
@@ -13358,7 +13370,7 @@ index 000000000..aa308eba6
+')
diff --git a/chrome.te b/chrome.te
new file mode 100644
-index 000000000..435a5cdc1
+index 000000000..ca526f823
--- /dev/null
+++ b/chrome.te
@@ -0,0 +1,256 @@
@@ -13396,7 +13408,7 @@ index 000000000..435a5cdc1
+# chrome_sandbox local policy
+#
+allow chrome_sandbox_t self:capability2 block_suspend;
-+allow chrome_sandbox_t self:capability { chown dac_read_search dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
++allow chrome_sandbox_t self:capability { chown dac_read_search fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
+dontaudit chrome_sandbox_t self:capability sys_nice;
+allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
+allow chrome_sandbox_t self:process setsched;
@@ -14465,7 +14477,7 @@ index 4cc4a5cd0..a6c632290 100644
+
')
diff --git a/clamav.te b/clamav.te
-index ce3836acd..10595e6e5 100644
+index ce3836acd..237fc8bf0 100644
--- a/clamav.te
+++ b/clamav.te
@@ -18,7 +18,7 @@ gen_tunable(clamav_read_all_non_security_files_clamscan, false)
@@ -14492,7 +14504,7 @@ index ce3836acd..10595e6e5 100644
#
-allow clamd_t self:capability { kill setgid setuid dac_override };
-+allow clamd_t self:capability { kill setgid setuid dac_read_search dac_override };
++allow clamd_t self:capability { kill setgid setuid dac_read_search };
dontaudit clamd_t self:capability sys_tty_config;
allow clamd_t self:process signal;
+
@@ -14570,7 +14582,7 @@ index ce3836acd..10595e6e5 100644
#
-allow freshclam_t self:capability { setgid setuid dac_override };
-+allow freshclam_t self:capability { setgid setuid dac_read_search dac_override };
++allow freshclam_t self:capability { setgid setuid dac_read_search };
allow freshclam_t self:fifo_file rw_fifo_file_perms;
allow freshclam_t self:unix_stream_socket { accept listen };
allow freshclam_t self:tcp_socket { accept listen };
@@ -14598,7 +14610,7 @@ index ce3836acd..10595e6e5 100644
#
-allow clamscan_t self:capability { setgid setuid dac_override };
-+allow clamscan_t self:capability { setgid setuid dac_read_search dac_override };
++allow clamscan_t self:capability { setgid setuid dac_read_search };
allow clamscan_t self:fifo_file rw_fifo_file_perms;
allow clamscan_t self:unix_stream_socket create_stream_socket_perms;
allow clamscan_t self:unix_dgram_socket create_socket_perms;
@@ -14845,7 +14857,7 @@ index 000000000..55fe0d668
+')
diff --git a/cloudform.te b/cloudform.te
new file mode 100644
-index 000000000..73f3eb8a0
+index 000000000..0763656a0
--- /dev/null
+++ b/cloudform.te
@@ -0,0 +1,250 @@
@@ -14915,7 +14927,7 @@ index 000000000..73f3eb8a0
+# cloud-init local policy
+#
+
-+allow cloud_init_t self:capability { fowner chown fsetid dac_read_search dac_override };
++allow cloud_init_t self:capability { fowner chown fsetid dac_read_search };
+
+allow cloud_init_t self:udp_socket create_socket_perms;
+
@@ -15024,7 +15036,7 @@ index 000000000..73f3eb8a0
+# deltacloudd local policy
+#
+
-+allow deltacloudd_t self:capability { dac_read_search dac_override setuid setgid };
++allow deltacloudd_t self:capability { dac_read_search setuid setgid };
+
+allow deltacloudd_t self:netlink_route_socket r_netlink_socket_perms;
+allow deltacloudd_t self:udp_socket create_socket_perms;
@@ -15264,7 +15276,7 @@ index c223f8132..8b567c191 100644
- admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t })
')
diff --git a/cobbler.te b/cobbler.te
-index 5f306dd44..36fb0e4e7 100644
+index 5f306dd44..0a4711b5d 100644
--- a/cobbler.te
+++ b/cobbler.te
@@ -62,11 +62,12 @@ files_tmp_file(cobbler_tmp_t)
@@ -15272,7 +15284,7 @@ index 5f306dd44..36fb0e4e7 100644
#
-allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice };
-+allow cobblerd_t self:capability { chown dac_read_search dac_override fowner fsetid sys_nice };
++allow cobblerd_t self:capability { chown dac_read_search fowner fsetid sys_nice };
dontaudit cobblerd_t self:capability sys_tty_config;
allow cobblerd_t self:process { getsched setsched signal };
allow cobblerd_t self:fifo_file rw_fifo_file_perms;
@@ -15595,7 +15607,7 @@ index 000000000..d5920c061
+')
diff --git a/cockpit.te b/cockpit.te
new file mode 100644
-index 000000000..08aaee4bb
+index 000000000..a830e90b5
--- /dev/null
+++ b/cockpit.te
@@ -0,0 +1,123 @@
@@ -15691,7 +15703,7 @@ index 000000000..08aaee4bb
+#
+
+# cockpit-session changes to the actual logged in user
-+allow cockpit_session_t self:capability { sys_admin dac_read_search dac_override setuid setgid sys_resource};
++allow cockpit_session_t self:capability { sys_admin dac_read_search setuid setgid sys_resource};
+allow cockpit_session_t self:process { setexec setsched signal_perms setrlimit };
+
+read_files_pattern(cockpit_session_t, cockpit_var_lib_t, cockpit_var_lib_t)
@@ -15925,7 +15937,7 @@ index 954309e64..67801421b 100644
')
+
diff --git a/collectd.te b/collectd.te
-index 6471fa8c4..90a9319c6 100644
+index 6471fa8c4..90d2b5324 100644
--- a/collectd.te
+++ b/collectd.te
@@ -26,43 +26,61 @@ files_type(collectd_var_lib_t)
@@ -15947,7 +15959,7 @@ index 6471fa8c4..90a9319c6 100644
#
-allow collectd_t self:capability { ipc_lock sys_nice };
-+allow collectd_t self:capability { ipc_lock net_raw net_admin sys_nice sys_ptrace dac_read_search dac_override setuid setgid };
++allow collectd_t self:capability { ipc_lock net_raw net_admin sys_nice sys_ptrace dac_read_search setuid setgid };
allow collectd_t self:process { getsched setsched signal };
allow collectd_t self:fifo_file rw_fifo_file_perms;
allow collectd_t self:packet_socket create_socket_perms;
@@ -16121,7 +16133,7 @@ index 8e27a37c1..c69be28b9 100644
+ ps_process_pattern($1, colord_t)
+')
diff --git a/colord.te b/colord.te
-index 9f2dfb233..86836f9cd 100644
+index 9f2dfb233..5f29a909f 100644
--- a/colord.te
+++ b/colord.te
@@ -8,6 +8,7 @@ policy_module(colord, 1.1.0)
@@ -16132,7 +16144,7 @@ index 9f2dfb233..86836f9cd 100644
type colord_tmp_t;
files_tmp_file(colord_tmp_t)
-@@ -18,6 +19,9 @@ files_tmpfs_file(colord_tmpfs_t)
+@@ -18,18 +19,24 @@ files_tmpfs_file(colord_tmpfs_t)
type colord_var_lib_t;
files_type(colord_var_lib_t)
@@ -16142,8 +16154,10 @@ index 9f2dfb233..86836f9cd 100644
########################################
#
# Local policy
-@@ -26,10 +30,13 @@ files_type(colord_var_lib_t)
- allow colord_t self:capability { dac_read_search dac_override };
+ #
+
+-allow colord_t self:capability { dac_read_search dac_override };
++allow colord_t self:capability { dac_read_search };
dontaudit colord_t self:capability sys_admin;
allow colord_t self:process signal;
+
@@ -16749,7 +16763,7 @@ index 881d92f35..a2d588a51 100644
+ ')
')
diff --git a/condor.te b/condor.te
-index ce9f040e2..2a52b429f 100644
+index ce9f040e2..eaefb5a97 100644
--- a/condor.te
+++ b/condor.te
@@ -34,7 +34,7 @@ files_tmp_file(condor_startd_tmp_t)
@@ -16775,7 +16789,7 @@ index ce9f040e2..2a52b429f 100644
# Global local policy
#
-+allow condor_domain self:capability { dac_read_search dac_override };
++allow condor_domain self:capability { dac_read_search };
+allow condor_domain self:capability2 block_suspend;
+
allow condor_domain self:process signal_perms;
@@ -16876,7 +16890,7 @@ index ce9f040e2..2a52b429f 100644
#
-allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace };
-+allow condor_procd_t self:capability { fowner chown kill dac_read_search dac_override sys_ptrace };
++allow condor_procd_t self:capability { fowner chown kill dac_read_search sys_ptrace };
+allow condor_procd_t self:cap_userns { sys_ptrace };
allow condor_procd_t condor_domain:process sigkill;
@@ -16886,7 +16900,7 @@ index ce9f040e2..2a52b429f 100644
#
-allow condor_schedd_t self:capability { setuid chown setgid dac_override };
-+allow condor_schedd_t self:capability { setuid chown setgid dac_read_search dac_override };
++allow condor_schedd_t self:capability { setuid chown setgid dac_read_search };
allow condor_schedd_t condor_master_t:tcp_socket rw_stream_socket_perms;
allow condor_schedd_t condor_master_t:udp_socket getattr;
@@ -16915,7 +16929,7 @@ index ce9f040e2..2a52b429f 100644
#
-allow condor_startd_t self:capability { setuid net_admin setgid dac_override };
-+allow condor_startd_t self:capability { setuid net_admin setgid dac_read_search dac_override };
++allow condor_startd_t self:capability { setuid net_admin setgid dac_read_search };
allow condor_startd_t self:process execmem;
manage_dirs_pattern(condor_startd_t, condor_startd_tmp_t, condor_startd_tmp_t)
@@ -17342,7 +17356,7 @@ index 5b830ec9c..78025c5e7 100644
+ ps_process_pattern($1, consolekit_t)
+')
diff --git a/consolekit.te b/consolekit.te
-index bd18063f6..94407f854 100644
+index bd18063f6..efa99d8f4 100644
--- a/consolekit.te
+++ b/consolekit.te
@@ -19,21 +19,23 @@ type consolekit_var_run_t;
@@ -17358,7 +17372,7 @@ index bd18063f6..94407f854 100644
#
-allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
-+allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_read_search dac_override sys_nice sys_ptrace };
++allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_read_search sys_nice sys_ptrace };
+
allow consolekit_t self:process { getsched signal };
allow consolekit_t self:fifo_file rw_fifo_file_perms;
@@ -17578,7 +17592,7 @@ index 694a037da..d8596812d 100644
+ allow $1 corosync_unit_file_t:service all_service_perms;
')
diff --git a/corosync.te b/corosync.te
-index d5aa1e446..9a2570145 100644
+index d5aa1e446..94ca2cd02 100644
--- a/corosync.te
+++ b/corosync.te
@@ -28,12 +28,15 @@ logging_log_file(corosync_var_log_t)
@@ -17594,7 +17608,7 @@ index d5aa1e446..9a2570145 100644
#
-allow corosync_t self:capability { dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock };
-+allow corosync_t self:capability { dac_read_search dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock };
++allow corosync_t self:capability { dac_read_search fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock };
# for hearbeat
allow corosync_t self:capability { net_raw chown };
allow corosync_t self:process { setpgid setrlimit setsched signal signull };
@@ -18189,7 +18203,7 @@ index 10f820fc7..acdb179e8 100644
allow $1 courier_spool_t:fifo_file rw_fifo_file_perms;
')
diff --git a/courier.te b/courier.te
-index ae3bc70e9..d64452f77 100644
+index ae3bc70e9..3fe942539 100644
--- a/courier.te
+++ b/courier.te
@@ -18,7 +18,7 @@ type courier_etc_t;
@@ -18206,7 +18220,7 @@ index ae3bc70e9..d64452f77 100644
#
-allow courier_domain self:capability dac_override;
-+allow courier_domain self:capability { dac_read_search dac_override };
++allow courier_domain self:capability { dac_read_search };
dontaudit courier_domain self:capability sys_tty_config;
allow courier_domain self:process { setpgid signal_perms };
allow courier_domain self:fifo_file rw_fifo_file_perms;
@@ -19620,7 +19634,7 @@ index 1303b3036..f5bd4aee8 100644
+ logging_log_filetrans($1, var_log_t, file, "redhat-access-insights.log")
')
diff --git a/cron.te b/cron.te
-index 7de385956..e4c99bdd4 100644
+index 7de385956..f91dd2fe5 100644
--- a/cron.te
+++ b/cron.te
@@ -11,46 +11,54 @@ gen_require(`
@@ -19845,8 +19859,9 @@ index 7de385956..e4c99bdd4 100644
+# Cron daemon local policy
#
- allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search };
+-allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search };
-dontaudit crond_t self:capability { sys_resource sys_tty_config };
++allow crond_t self:capability { chown fowner setgid setuid sys_nice dac_read_search };
+dontaudit crond_t self:capability { net_admin sys_resource sys_tty_config };
allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
allow crond_t self:process { setexec setfscreate };
@@ -20133,7 +20148,8 @@ index 7de385956..e4c99bdd4 100644
+# System cron process domain
#
- allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
+-allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
++allow system_cronjob_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
+
allow system_cronjob_t self:process { signal_perms getsched setsched };
allow system_cronjob_t self:fd use;
@@ -20539,8 +20555,8 @@ index 7de385956..e4c99bdd4 100644
+# crontab common policy
+#
+
-+# dac_override is to create the file in the directory under /tmp
-+allow crontab_domain self:capability { fowner setuid setgid chown dac_read_search dac_override };
++# is to create the file in the directory under /tmp
++allow crontab_domain self:capability { fowner setuid setgid chown dac_read_search };
+allow crontab_domain self:process { getcap setsched signal_perms };
+allow crontab_domain self:fifo_file rw_fifo_file_perms;
+
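Review bot: The comment above the crontab_domain capability rule now reads `# is to create the file in the directory under /tmp`; the capability name was stripped, apparently by the same blanket replacement that edited the rule. The old comment recorded why dac_override was granted, and that grant is removed on the next line, so either delete the comment or keep the history, e.g. `# dac_override (removed) was needed to create the file in the directory under /tmp`. If that documented need still holds, crontab will presumably start hitting capability AVC denials, so this domain is worth testing with the audit log watched. The same stripping hits the two comments above the system_dbusd_t rule in the dbus.te hunk (`# : /var/run/dbus is owned by messagebus on Debian` and `# cjp: should probably go in a distro_debian`).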
@@ -20944,7 +20960,7 @@ index b25b01d12..06895f39a 100644
')
+
diff --git a/ctdb.te b/ctdb.te
-index 001b502e6..b264e198a 100644
+index 001b502e6..8f9d0e50f 100644
--- a/ctdb.te
+++ b/ctdb.te
@@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t)
@@ -20963,7 +20979,7 @@ index 001b502e6..b264e198a 100644
-allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice };
-allow ctdbd_t self:process { setpgid signal_perms setsched };
-+allow ctdbd_t self:capability { chown dac_override dac_read_search ipc_lock net_admin net_raw sys_nice sys_resource };
++allow ctdbd_t self:capability { chown dac_read_search ipc_lock net_admin net_raw sys_nice sys_resource };
+allow ctdbd_t self:capability2 block_suspend;
+allow ctdbd_t self:process { setpgid setrlimit signal_perms setsched };
allow ctdbd_t self:fifo_file rw_fifo_file_perms;
@@ -21351,7 +21367,7 @@ index 3023be7f6..5afde8039 100644
+ files_var_filetrans($1, cupsd_rw_etc_t, dir, "cups")
')
diff --git a/cups.te b/cups.te
-index c91813ccb..e0ba2f7d9 100644
+index c91813ccb..05ea50b72 100644
--- a/cups.te
+++ b/cups.te
@@ -5,19 +5,31 @@ policy_module(cups, 1.16.2)
@@ -21491,7 +21507,7 @@ index c91813ccb..e0ba2f7d9 100644
#
-allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config };
-+allow cupsd_t self:capability { ipc_lock sys_admin dac_read_search kill fsetid fowner chown dac_override sys_resource sys_tty_config };
++allow cupsd_t self:capability { ipc_lock sys_admin dac_read_search dac_override kill fsetid fowner chown sys_resource sys_tty_config };
dontaudit cupsd_t self:capability { sys_tty_config net_admin };
-allow cupsd_t self:capability2 block_suspend;
-allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
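Review bot: cupsd_t is the only rule among the visible hunks whose new line still grants dac_override; the change merely moves it next to dac_read_search. If keeping it is deliberate, a comment on the rule should say why, e.g. `# dac_override kept: <reason cupsd still needs to bypass DAC write checks>`, so it is not mistaken for a line the clean-up missed. If it is an oversight, the capability should be dropped here as it is for the other domains.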
@@ -21746,7 +21762,7 @@ index c91813ccb..e0ba2f7d9 100644
#
-allow cupsd_config_t self:capability { chown dac_override sys_tty_config setuid setgid };
-+allow cupsd_config_t self:capability { chown dac_read_search dac_override sys_tty_config };
++allow cupsd_config_t self:capability { chown dac_read_search sys_tty_config };
dontaudit cupsd_config_t self:capability sys_tty_config;
-allow cupsd_config_t self:process { getsched signal_perms };
-allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
@@ -21888,7 +21904,7 @@ index c91813ccb..e0ba2f7d9 100644
-allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
-allow cups_pdf_t self:fifo_file rw_fifo_file_perms;
-+allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_read_search dac_override };
++allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_read_search };
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
+allow cups_pdf_t cupsd_rw_etc_t:dir search;
@@ -22186,7 +22202,7 @@ index 64775fd37..91a60569c 100644
+ admin_pattern($1, cvs_home_t)
')
diff --git a/cvs.te b/cvs.te
-index 0f7755005..36e4a38cf 100644
+index 0f7755005..3e3f3cd61 100644
--- a/cvs.te
+++ b/cvs.te
@@ -11,7 +11,7 @@ policy_module(cvs, 1.10.2)
@@ -22211,7 +22227,7 @@ index 0f7755005..36e4a38cf 100644
#
-allow cvs_t self:capability { setuid setgid };
-+allow cvs_t self:capability { dac_override dac_read_search setuid setgid };
++allow cvs_t self:capability { dac_read_search setuid setgid };
allow cvs_t self:process signal_perms;
allow cvs_t self:fifo_file rw_fifo_file_perms;
allow cvs_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
@@ -22259,7 +22275,7 @@ index 0f7755005..36e4a38cf 100644
-tunable_policy(`allow_cvs_read_shadow',`
- allow cvs_t self:capability dac_override;
+tunable_policy(`cvs_read_shadow',`
-+ allow cvs_t self:capability { dac_read_search dac_override };
++ allow cvs_t self:capability { dac_read_search };
auth_tunable_read_shadow(cvs_t)
')
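Review bot: Inside the cvs_read_shadow tunable the capability rule now grants only dac_read_search, which the unconditional cvs_t rule in the previous hunk already allows, so the tunable no longer gates any capability. Either drop the now-redundant line from the tunable block, or, if cvs only needs to bypass DAC read checks in order to read shadow, return the unconditional rule to the upstream form `allow cvs_t self:capability { setuid setgid };` so the bypass is granted only when the boolean is on. Whether cvs needs dac_read_search for anything else is not visible here and would have to be confirmed against audit logs.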
@@ -22349,7 +22365,7 @@ index 83bfda6ed..92d9fb2e7 100644
domain_system_change_exemption($1)
role_transition $2 cyrus_initrc_exec_t system_r;
diff --git a/cyrus.te b/cyrus.te
-index 4283f2de2..41de1bdf6 100644
+index 4283f2de2..fe348758e 100644
--- a/cyrus.te
+++ b/cyrus.te
@@ -29,7 +29,7 @@ files_pid_file(cyrus_var_run_t)
@@ -22357,7 +22373,7 @@ index 4283f2de2..41de1bdf6 100644
#
-allow cyrus_t self:capability { dac_override setgid setuid sys_resource };
-+allow cyrus_t self:capability { fsetid dac_read_search dac_override net_bind_service setgid setuid sys_resource };
++allow cyrus_t self:capability { fsetid dac_read_search net_bind_service setgid setuid sys_resource };
dontaudit cyrus_t self:capability sys_tty_config;
allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow cyrus_t self:process setrlimit;
@@ -22500,7 +22516,7 @@ index 5a5e2902a..6321a1d0a 100644
fs_getattr_all_fs(dante_t)
diff --git a/dbadm.te b/dbadm.te
-index b60c464f1..3a5246a9b 100644
+index b60c464f1..51bf02f4a 100644
--- a/dbadm.te
+++ b/dbadm.te
@@ -23,14 +23,14 @@ gen_tunable(dbadm_read_user_files, false)
@@ -22516,7 +22532,7 @@ index b60c464f1..3a5246a9b 100644
#
-allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };
-+allow dbadm_t self:capability { dac_override dac_read_search };
++allow dbadm_t self:capability { dac_read_search };
files_dontaudit_search_all_dirs(dbadm_t)
files_delete_generic_locks(dbadm_t)
@@ -23545,7 +23561,7 @@ index 62d22cb46..c0c2ed47d 100644
+ manage_dirs_pattern($1, session_dbusd_tmp_t, session_dbusd_tmp_t)
')
diff --git a/dbus.te b/dbus.te
-index c9998c80d..d7910970e 100644
+index c9998c80d..328aa81d2 100644
--- a/dbus.te
+++ b/dbus.te
@@ -4,17 +4,15 @@ gen_require(`
@@ -23601,10 +23617,10 @@ index c9998c80d..d7910970e 100644
#
-allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
-+# dac_override: /var/run/dbus is owned by messagebus on Debian
-+# cjp: dac_override should probably go in a distro_debian
++# : /var/run/dbus is owned by messagebus on Debian
++# cjp: should probably go in a distro_debian
+allow system_dbusd_t self:capability2 block_suspend;
-+allow system_dbusd_t self:capability { sys_resource dac_read_search dac_override setgid setpcap setuid };
++allow system_dbusd_t self:capability { sys_resource dac_read_search setgid setpcap setuid };
dontaudit system_dbusd_t self:capability sys_tty_config;
allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
@@ -24746,7 +24762,7 @@ index 8ce99ff48..1bc5d3aea 100644
+ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
')
diff --git a/devicekit.te b/devicekit.te
-index 77a5003c0..cb628f935 100644
+index 77a5003c0..27f168bb1 100644
--- a/devicekit.te
+++ b/devicekit.te
@@ -7,15 +7,15 @@ policy_module(devicekit, 1.3.1)
@@ -24799,7 +24815,7 @@ index 77a5003c0..cb628f935 100644
#
-allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio };
-+allow devicekit_disk_t self:capability { chown setuid setgid dac_read_search dac_read_search dac_override fowner fsetid net_admin sys_admin sys_nice sys_tty_config sys_rawio };
++allow devicekit_disk_t self:capability { chown setuid setgid dac_read_search dac_read_search fowner fsetid net_admin sys_admin sys_nice sys_tty_config sys_rawio };
+
allow devicekit_disk_t self:process { getsched signal_perms };
allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
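Review bot: The new devicekit_disk_t rule still lists `dac_read_search` twice in its capability set. The duplicate was carried over from the old line and should not affect the compiled policy, but it is worth removing while the line is being edited: `allow devicekit_disk_t self:capability { chown setuid setgid dac_read_search fowner fsetid net_admin sys_admin sys_nice sys_tty_config sys_rawio };`.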
@@ -24902,7 +24918,7 @@ index 77a5003c0..cb628f935 100644
#
-allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
-+allow devicekit_power_t self:capability { dac_read_search dac_override net_admin sys_admin sys_tty_config sys_nice };
++allow devicekit_power_t self:capability { dac_read_search net_admin sys_admin sys_tty_config sys_nice };
+#allow devicekit_power_t self:capability2 compromise_kernel;
allow devicekit_power_t self:process { getsched signal_perms };
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
@@ -25084,7 +25100,7 @@ index c697edbcd..954c090bd 100644
+ allow $1 dhcpd_unit_file_t:service all_service_perms;
')
diff --git a/dhcp.te b/dhcp.te
-index 98a24b989..d6cb9e7ba 100644
+index 98a24b989..9ded26309 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
@@ -25102,7 +25118,7 @@ index 98a24b989..d6cb9e7ba 100644
#
-allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid sys_resource };
-+allow dhcpd_t self:capability { chown dac_read_search dac_override fowner sys_chroot net_raw kill setgid setuid setpcap sys_resource };
++allow dhcpd_t self:capability { chown dac_read_search fowner sys_chroot net_raw kill setgid setuid setpcap sys_resource };
dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
allow dhcpd_t self:process { getcap setcap signal_perms };
allow dhcpd_t self:fifo_file rw_fifo_file_perms;
@@ -25154,7 +25170,7 @@ index 98a24b989..d6cb9e7ba 100644
+')
+
+ifdef(`distro_gentoo',`
-+ allow dhcpd_t self:capability { chown dac_read_search dac_override setgid setuid sys_chroot };
++ allow dhcpd_t self:capability { chown dac_read_search setgid setuid sys_chroot };
+')
+
+optional_policy(`
@@ -25415,7 +25431,7 @@ index 000000000..0d4e70492
+')
diff --git a/dirsrv-admin.te b/dirsrv-admin.te
new file mode 100644
-index 000000000..09223afb3
+index 000000000..583d849ba
--- /dev/null
+++ b/dirsrv-admin.te
@@ -0,0 +1,167 @@
@@ -25456,7 +25472,7 @@ index 000000000..09223afb3
+#
+
+allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms;
-+allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config sys_resource };
++allow dirsrvadmin_t self:capability { dac_read_search sys_tty_config sys_resource };
+allow dirsrvadmin_t self:process { setrlimit signal_perms };
+
+manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
@@ -25497,7 +25513,7 @@ index 000000000..09223afb3
+ apache_content_alias_template(dirsrvadmin, dirsrvadmin)
+
+ allow dirsrvadmin_script_t self:process { getsched getpgid };
-+ allow dirsrvadmin_script_t self:capability { fowner fsetid setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };
++ allow dirsrvadmin_script_t self:capability { fowner fsetid setuid net_bind_service setgid chown sys_nice kill dac_read_search };
+ allow dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms;
+ allow dirsrvadmin_script_t self:udp_socket create_socket_perms;
+ allow dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms;
@@ -25855,7 +25871,7 @@ index 000000000..b3784d85d
+')
diff --git a/dirsrv.te b/dirsrv.te
new file mode 100644
-index 000000000..22cafcd43
+index 000000000..f068532e7
--- /dev/null
+++ b/dirsrv.te
@@ -0,0 +1,207 @@
@@ -25912,7 +25928,7 @@ index 000000000..22cafcd43
+# dirsrv local policy
+#
+allow dirsrv_t self:process { getsched setsched setfscreate setrlimit signal_perms};
-+allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_read_search dac_override fowner };
++allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_read_search fowner };
+allow dirsrv_t self:fifo_file manage_fifo_file_perms;
+allow dirsrv_t self:sem create_sem_perms;
+allow dirsrv_t self:tcp_socket create_stream_socket_perms;
@@ -26027,7 +26043,7 @@ index 000000000..22cafcd43
+#
+# dirsrv-snmp local policy
+#
-+allow dirsrv_snmp_t self:capability { dac_override dac_read_search };
++allow dirsrv_snmp_t self:capability { dac_read_search };
+allow dirsrv_snmp_t self:fifo_file rw_fifo_file_perms;
+
+rw_files_pattern(dirsrv_snmp_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
@@ -26509,7 +26525,7 @@ index 19aa0b80b..a79982cd6 100644
+
+
diff --git a/dnsmasq.te b/dnsmasq.te
-index 37a3b7b30..78c681ce9 100644
+index 37a3b7b30..59eb2b7cb 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -24,12 +24,15 @@ logging_log_file(dnsmasq_var_log_t)
@@ -26525,7 +26541,7 @@ index 37a3b7b30..78c681ce9 100644
#
-allow dnsmasq_t self:capability { chown dac_override net_admin setgid setuid net_raw };
-+allow dnsmasq_t self:capability { chown dac_read_search dac_override net_admin setgid setuid net_raw };
++allow dnsmasq_t self:capability { chown dac_read_search net_admin setgid setuid net_raw };
dontaudit dnsmasq_t self:capability sys_tty_config;
allow dnsmasq_t self:process { getcap setcap signal_perms };
allow dnsmasq_t self:fifo_file rw_fifo_file_perms;
@@ -27155,7 +27171,7 @@ index d5badb755..c2431fc73 100644
+ admin_pattern($1, dovecot_passwd_t)
')
diff --git a/dovecot.te b/dovecot.te
-index 0aabc7e66..994752cd2 100644
+index 0aabc7e66..e95d44512 100644
--- a/dovecot.te
+++ b/dovecot.te
@@ -7,12 +7,10 @@ policy_module(dovecot, 1.16.1)
@@ -27244,7 +27260,7 @@ index 0aabc7e66..994752cd2 100644
#
-allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill setgid setuid sys_chroot };
-+allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill net_bind_service setgid setuid sys_chroot };
++allow dovecot_t self:capability { dac_read_search chown fsetid kill net_bind_service setgid setuid sys_chroot };
dontaudit dovecot_t self:capability sys_tty_config;
allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
-allow dovecot_t self:tcp_socket { accept listen };
@@ -27420,7 +27436,7 @@ index 0aabc7e66..994752cd2 100644
#
-allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice };
-+allow dovecot_auth_t self:capability { chown dac_read_search dac_override ipc_lock setgid setuid sys_nice };
++allow dovecot_auth_t self:capability { chown dac_read_search ipc_lock setgid setuid sys_nice };
allow dovecot_auth_t self:process { getsched setsched signal_perms getcap setcap };
-allow dovecot_auth_t self:unix_stream_socket { accept connectto listen };
+allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
@@ -27598,7 +27614,7 @@ index 0aabc7e66..994752cd2 100644
sendmail_domtrans(dovecot_deliver_t)
')
diff --git a/dpkg.te b/dpkg.te
-index 50af48c89..5ab49010f 100644
+index 50af48c89..bb58612b0 100644
--- a/dpkg.te
+++ b/dpkg.te
@@ -49,7 +49,7 @@ files_tmpfs_file(dpkg_script_tmpfs_t)
@@ -27606,10 +27622,19 @@ index 50af48c89..5ab49010f 100644
#
-allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
-+allow dpkg_t self:capability { chown dac_read_search dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
++allow dpkg_t self:capability { chown dac_read_search fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
allow dpkg_t self:process { setpgid fork getsched setfscreate };
allow dpkg_t self:fd use;
allow dpkg_t self:fifo_file rw_fifo_file_perms;
+@@ -202,7 +202,7 @@ optional_policy(`
+ # Script Local policy
+ #
+
+-allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
++allow dpkg_script_t self:capability { chown dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
+ allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow dpkg_script_t self:fd use;
+ allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
diff --git a/drbd.fc b/drbd.fc
index 671a3fb6f..47b4958d0 100644
--- a/drbd.fc
@@ -27772,7 +27797,7 @@ index 9a2163936..26c59868b 100644
')
+
diff --git a/drbd.te b/drbd.te
-index f2516cc07..af2c2ad81 100644
+index f2516cc07..b8c9fe764 100644
--- a/drbd.te
+++ b/drbd.te
@@ -18,38 +18,72 @@ files_type(drbd_var_lib_t)
@@ -27791,7 +27816,7 @@ index f2516cc07..af2c2ad81 100644
#
-allow drbd_t self:capability { kill net_admin };
-+allow drbd_t self:capability { dac_read_search dac_override kill net_admin sys_admin };
++allow drbd_t self:capability { dac_read_search kill net_admin sys_admin };
dontaudit drbd_t self:capability sys_tty_config;
allow drbd_t self:fifo_file rw_fifo_file_perms;
allow drbd_t self:unix_stream_socket create_stream_socket_perms;
@@ -28352,7 +28377,7 @@ index 000000000..4498b1110
+
+sysnet_read_config(ejabberd_t)
diff --git a/entropyd.te b/entropyd.te
-index b8b8328c0..e3dc7c72c 100644
+index b8b8328c0..7e635921e 100644
--- a/entropyd.te
+++ b/entropyd.te
@@ -12,7 +12,7 @@ policy_module(entropyd, 1.8.0)
@@ -28369,7 +28394,7 @@ index b8b8328c0..e3dc7c72c 100644
#
-allow entropyd_t self:capability { dac_override ipc_lock sys_admin };
-+allow entropyd_t self:capability { dac_read_search dac_override ipc_lock sys_admin };
++allow entropyd_t self:capability { dac_read_search ipc_lock sys_admin };
dontaudit entropyd_t self:capability sys_tty_config;
allow entropyd_t self:process signal_perms;
@@ -28826,7 +28851,7 @@ index 9bbc6907a..4a8d0536b 100644
role_transition $2 exim_initrc_exec_t system_r;
allow $2 system_r;
diff --git a/exim.te b/exim.te
-index 4086c51b9..3e7a99099 100644
+index 4086c51b9..34c52e39d 100644
--- a/exim.te
+++ b/exim.te
@@ -55,7 +55,7 @@ type exim_log_t;
@@ -28838,6 +28863,15 @@ index 4086c51b9..3e7a99099 100644
type exim_tmp_t;
files_tmp_file(exim_tmp_t)
+@@ -72,7 +72,7 @@ ifdef(`distro_debian',`
+ # Local policy
+ #
+
+-allow exim_t self:capability { chown dac_override dac_read_search fowner setuid setgid sys_resource };
++allow exim_t self:capability { chown dac_read_search fowner setuid setgid sys_resource };
+ allow exim_t self:process { setrlimit setpgid };
+ allow exim_t self:fifo_file rw_fifo_file_perms;
+ allow exim_t self:unix_stream_socket { accept listen };
@@ -105,11 +105,10 @@ can_exec(exim_t, exim_exec_t)
kernel_read_crypto_sysctls(exim_t)
kernel_read_kernel_sysctls(exim_t)
@@ -29212,14 +29246,16 @@ index 50d0084d4..94e193606 100644
fail2ban_run_client($1, $2)
diff --git a/fail2ban.te b/fail2ban.te
-index cf0e56772..7bebd2699 100644
+index cf0e56772..839025a07 100644
--- a/fail2ban.te
+++ b/fail2ban.te
-@@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t;
+@@ -36,8 +36,8 @@ role fail2ban_client_roles types fail2ban_client_t;
+ # Server Local policy
#
- allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config };
+-allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config };
-allow fail2ban_t self:process signal;
++allow fail2ban_t self:capability { dac_read_search sys_tty_config };
+allow fail2ban_t self:process { setsched signal };
allow fail2ban_t self:fifo_file rw_fifo_file_perms;
allow fail2ban_t self:unix_stream_socket { accept connectto listen };
@@ -29298,7 +29334,7 @@ index cf0e56772..7bebd2699 100644
#
-allow fail2ban_client_t self:capability dac_read_search;
-+allow fail2ban_client_t self:capability { dac_read_search dac_override };
++allow fail2ban_client_t self:capability { dac_read_search };
allow fail2ban_client_t self:unix_stream_socket { create connect write read };
domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
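Review bot: With `dac_override` gone, the inner `fail2ban.te` hunk now replaces `allow fail2ban_client_t self:capability dac_read_search;` with `allow fail2ban_client_t self:capability { dac_read_search };`, which grants exactly the same permission. The pair is therefore a no-op against the base policy and only adds downstream drift. Dropping both lines and leaving the original rule as a context line would keep the patch smaller; the rest of that inner hunk continues outside this outer hunk.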
@@ -29337,7 +29373,7 @@ index cf0e56772..7bebd2699 100644
+ apache_read_log(fail2ban_client_t)
+')
diff --git a/fcoe.te b/fcoe.te
-index ce358fb3f..cdc11a7f9 100644
+index ce358fb3f..f5316ffcf 100644
--- a/fcoe.te
+++ b/fcoe.te
@@ -20,25 +20,32 @@ files_pid_file(fcoemon_var_run_t)
@@ -29345,7 +29381,7 @@ index ce358fb3f..cdc11a7f9 100644
#
-allow fcoemon_t self:capability { dac_override kill net_admin };
-+allow fcoemon_t self:capability { net_admin net_raw dac_read_search dac_override };
++allow fcoemon_t self:capability { net_admin net_raw dac_read_search };
allow fcoemon_t self:fifo_file rw_fifo_file_perms;
allow fcoemon_t self:unix_stream_socket { accept listen };
allow fcoemon_t self:netlink_socket create_socket_perms;
@@ -29695,7 +29731,7 @@ index c62c5670a..a74f123da 100644
+ allow $1 firewalld_unit_file_t:service all_service_perms;
')
diff --git a/firewalld.te b/firewalld.te
-index 98072a3a1..42ee4d39c 100644
+index 98072a3a1..04cd1a61b 100644
--- a/firewalld.te
+++ b/firewalld.te
@@ -21,15 +21,21 @@ logging_log_file(firewalld_var_log_t)
@@ -29717,7 +29753,7 @@ index 98072a3a1..42ee4d39c 100644
#
-allow firewalld_t self:capability { dac_override net_admin };
-+allow firewalld_t self:capability { dac_read_search dac_override net_admin };
++allow firewalld_t self:capability { dac_read_search net_admin };
dontaudit firewalld_t self:capability sys_tty_config;
allow firewalld_t self:fifo_file rw_fifo_file_perms;
allow firewalld_t self:unix_stream_socket { accept listen };
@@ -29986,7 +30022,7 @@ index 280f875f0..f3a67c911 100644
##
##
diff --git a/firstboot.te b/firstboot.te
-index 5010f04e1..0341ae121 100644
+index 5010f04e1..8d5eae955 100644
--- a/firstboot.te
+++ b/firstboot.te
@@ -1,7 +1,7 @@
@@ -30022,7 +30058,7 @@ index 5010f04e1..0341ae121 100644
#
-allow firstboot_t self:capability { dac_override setgid };
-+allow firstboot_t self:capability { dac_read_search dac_override setgid };
++allow firstboot_t self:capability { dac_read_search setgid };
allow firstboot_t self:process setfscreate;
allow firstboot_t self:fifo_file rw_fifo_file_perms;
-allow firstboot_t self:tcp_socket { accept listen };
@@ -30669,7 +30705,7 @@ index 44981434b..84a4858b6 100644
ftp_run_ftpdctl($1, $2)
')
diff --git a/ftp.te b/ftp.te
-index 36838c202..34a9cedf3 100644
+index 36838c202..952bab750 100644
--- a/ftp.te
+++ b/ftp.te
@@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1)
@@ -30881,9 +30917,10 @@ index 36838c202..34a9cedf3 100644
')
-tunable_policy(`allow_ftpd_full_access',`
-+tunable_policy(`ftpd_full_access',`
- allow ftpd_t self:capability { dac_override dac_read_search };
+- allow ftpd_t self:capability { dac_override dac_read_search };
- files_manage_non_auth_files(ftpd_t)
++tunable_policy(`ftpd_full_access',`
++ allow ftpd_t self:capability { dac_read_search };
+ files_manage_non_security_dirs(ftpd_t)
+ files_manage_non_security_files(ftpd_t)
+')
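Review bot: Inside the `ftpd_full_access` tunable block the capability rule now grants only `dac_read_search`, so with the boolean on ftpd can bypass DAC for reads and directory search but no longer for writes. The block still grants `files_manage_non_security_dirs` and `files_manage_non_security_files` at the SELinux layer. Whether the daemon relied on the write bypass is not visible here, so it is worth testing with the boolean enabled against files the FTP user does not own. If the narrowing is intended, a comment in the block such as `# full access is SELinux-only; DAC write permissions still apply` would save the next maintainer an AVC hunt. The `logrotate_t` hunk further down raises the same question for rotation in directories root cannot write to under DAC.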
@@ -32139,7 +32176,7 @@ index 000000000..d745c675f
+')
diff --git a/gear.te b/gear.te
new file mode 100644
-index 000000000..33dbdf7ec
+index 000000000..f6bf0a10e
--- /dev/null
+++ b/gear.te
@@ -0,0 +1,136 @@
@@ -32170,7 +32207,7 @@ index 000000000..33dbdf7ec
+#
+# gear local policy
+#
-+allow gear_t self:capability { chown net_admin fowner dac_read_search dac_override };
++allow gear_t self:capability { chown net_admin fowner dac_read_search };
+dontaudit gear_t self:capability sys_ptrace;
+allow gear_t self:capability2 block_suspend;
+allow gear_t self:process { getattr signal_perms };
@@ -33447,7 +33484,7 @@ index 000000000..450146018
+
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
-index 000000000..cbcaf9aed
+index 000000000..5d279ca35
--- /dev/null
+++ b/glusterd.te
@@ -0,0 +1,324 @@
@@ -33519,7 +33556,7 @@ index 000000000..cbcaf9aed
+# Local policy
+#
+
-+allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace dac_override chown dac_read_search fowner fsetid ipc_lock kill setgid setuid net_admin mknod net_raw };
++allow glusterd_t self:capability { sys_admin sys_resource sys_ptrace chown dac_read_search fowner fsetid ipc_lock kill setgid setuid net_admin mknod net_raw };
+
+allow glusterd_t self:capability2 block_suspend;
+allow glusterd_t self:process { getcap setcap setrlimit signal_perms setsched getsched setfscreate};
@@ -36120,7 +36157,7 @@ index ab09d6195..e591cd040 100644
+ type_transition $1 gkeyringd_exec_t:process $2;
')
diff --git a/gnome.te b/gnome.te
-index 63893eb2d..566474488 100644
+index 63893eb2d..58b4cb17f 100644
--- a/gnome.te
+++ b/gnome.te
@@ -5,14 +5,33 @@ policy_module(gnome, 2.3.0)
@@ -36254,7 +36291,7 @@ index 63893eb2d..566474488 100644
-allow gconfd_t gconf_etc_t:dir list_dir_perms;
-read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t)
-+allow gconfdefaultsm_t self:capability { dac_read_search dac_override sys_nice };
++allow gconfdefaultsm_t self:capability { dac_read_search sys_nice };
+allow gconfdefaultsm_t self:process getsched;
+allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms;
@@ -36512,7 +36549,7 @@ index 3f55702fb..25c7ab82c 100644
##
##
diff --git a/gnomeclock.te b/gnomeclock.te
-index 7cd7435e6..8f26e9862 100644
+index 7cd7435e6..eb067c236 100644
--- a/gnomeclock.te
+++ b/gnomeclock.te
@@ -5,82 +5,95 @@ policy_module(gnomeclock, 1.1.0)
@@ -36537,7 +36574,7 @@ index 7cd7435e6..8f26e9862 100644
#
-allow gnomeclock_t self:capability { sys_nice sys_time };
-+allow gnomeclock_t self:capability { sys_nice sys_time dac_read_search dac_override };
++allow gnomeclock_t self:capability { sys_nice sys_time dac_read_search };
allow gnomeclock_t self:process { getattr getsched signal };
allow gnomeclock_t self:fifo_file rw_fifo_file_perms;
-allow gnomeclock_t self:unix_stream_socket { accept listen };
@@ -37421,7 +37458,7 @@ index 0e97e82f1..4bcee621d 100644
+ miscfiles_manage_public_files(gpg_web_t)
')
diff --git a/gpm.te b/gpm.te
-index 69734fd15..a659808d0 100644
+index 69734fd15..8cda8e166 100644
--- a/gpm.te
+++ b/gpm.te
@@ -13,7 +13,7 @@ type gpm_initrc_exec_t;
@@ -37438,7 +37475,7 @@ index 69734fd15..a659808d0 100644
#
-allow gpm_t self:capability { setpcap setuid dac_override sys_admin sys_tty_config };
-+allow gpm_t self:capability { setpcap setuid dac_read_search dac_override sys_admin sys_tty_config };
++allow gpm_t self:capability { setpcap setuid dac_read_search sys_admin sys_tty_config };
allow gpm_t self:process { signal signull getcap setcap };
allow gpm_t self:unix_stream_socket { accept listen };
@@ -37464,7 +37501,7 @@ index 69734fd15..a659808d0 100644
optional_policy(`
seutil_sigchld_newrole(gpm_t)
diff --git a/gpsd.te b/gpsd.te
-index fe3895ece..a820546e3 100644
+index fe3895ece..1a96553d4 100644
--- a/gpsd.te
+++ b/gpsd.te
@@ -28,11 +28,12 @@ files_pid_file(gpsd_var_run_t)
@@ -37472,7 +37509,7 @@ index fe3895ece..a820546e3 100644
allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config };
-dontaudit gpsd_t self:capability { dac_read_search dac_override };
-+dontaudit gpsd_t self:capability { sys_ptrace dac_read_search dac_override };
++dontaudit gpsd_t self:capability { sys_ptrace dac_read_search };
allow gpsd_t self:process { setsched signal_perms };
allow gpsd_t self:shm create_shm_perms;
allow gpsd_t self:unix_dgram_socket sendto;
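Review bot: The changed line is a `dontaudit` rule, not an `allow`, so removing `dac_override` from it takes no privilege away from `gpsd_t`; it only stops suppressing the denial. The `allow gpsd_t self:capability` line directly above never included `dac_override`, so any such check by gpsd will now be logged as an AVC. If surfacing those denials is the goal, say so in the commit message. Otherwise keep `dontaudit gpsd_t self:capability { sys_ptrace dac_read_search dac_override };` so the audit log is not filled with noise that hides real denials.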
@@ -37736,7 +37773,7 @@ index 000000000..8a2013af9
+')
diff --git a/gssproxy.te b/gssproxy.te
new file mode 100644
-index 000000000..79e22c58a
+index 000000000..86a4d31a1
--- /dev/null
+++ b/gssproxy.te
@@ -0,0 +1,74 @@
@@ -37764,7 +37801,7 @@ index 000000000..79e22c58a
+#
+# gssproxy local policy
+#
-+allow gssproxy_t self:capability { setuid setgid dac_read_search dac_override };
++allow gssproxy_t self:capability { setuid setgid dac_read_search };
+allow gssproxy_t self:capability2 block_suspend;
+allow gssproxy_t self:fifo_file rw_fifo_file_perms;
+allow gssproxy_t self:unix_stream_socket create_stream_socket_perms;
@@ -37862,7 +37899,7 @@ index e15137840..04d173d1d 100644
fs_getattr_xattr_fs(zookeeper_server_t)
diff --git a/hal.te b/hal.te
-index bbccc79f1..b02720214 100644
+index bbccc79f1..ef689e4b8 100644
--- a/hal.te
+++ b/hal.te
@@ -61,7 +61,6 @@ files_type(hald_var_lib_t)
@@ -37873,6 +37910,15 @@ index bbccc79f1..b02720214 100644
miscfiles_read_localization(hald_domain)
+@@ -72,7 +71,7 @@ hal_stream_connect(hald_domain)
+ # Local policy
+ #
+
+-allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
++allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_read_search mknod sys_rawio sys_tty_config };
+ dontaudit hald_t self:capability { sys_ptrace sys_tty_config };
+ allow hald_t self:process { getsched getattr signal_perms };
+ allow hald_t self:fifo_file rw_fifo_file_perms;
@@ -116,7 +115,7 @@ kernel_rw_irq_sysctls(hald_t)
kernel_rw_vm_sysctls(hald_t)
kernel_write_proc_files(hald_t)
@@ -37887,7 +37933,7 @@ index bbccc79f1..b02720214 100644
#
-allow hald_acl_t self:capability { dac_override fowner sys_resource };
-+allow hald_acl_t self:capability { dac_read_search dac_override fowner sys_resource };
++allow hald_acl_t self:capability { dac_read_search fowner sys_resource };
allow hald_acl_t self:process { getattr signal };
allow hald_acl_t self:fifo_file rw_fifo_file_perms;
@@ -39079,7 +39125,7 @@ index 580b533ce..c267cea58 100644
domain_system_change_exemption($1)
role_transition $2 icecast_initrc_exec_t system_r;
diff --git a/icecast.te b/icecast.te
-index a9e573a50..9a9245f49 100644
+index a9e573a50..23f8b5d4c 100644
--- a/icecast.te
+++ b/icecast.te
@@ -32,7 +32,7 @@ files_pid_file(icecast_var_run_t)
@@ -39087,7 +39133,7 @@ index a9e573a50..9a9245f49 100644
#
-allow icecast_t self:capability { dac_override setgid setuid sys_nice };
-+allow icecast_t self:capability { dac_read_search dac_override setgid setuid sys_nice };
++allow icecast_t self:capability { dac_read_search setgid setuid sys_nice };
allow icecast_t self:process { getsched setsched signal };
allow icecast_t self:fifo_file rw_fifo_file_perms;
allow icecast_t self:unix_stream_socket create_stream_socket_perms;
@@ -39463,7 +39509,7 @@ index eb87f2341..d3d32c3ad 100644
init_labeled_script_domtrans($1, innd_initrc_exec_t)
diff --git a/inn.te b/inn.te
-index d39f0cc51..2422996ec 100644
+index d39f0cc51..81789dd86 100644
--- a/inn.te
+++ b/inn.te
@@ -15,6 +15,9 @@ files_config_file(innd_etc_t)
@@ -39488,7 +39534,7 @@ index d39f0cc51..2422996ec 100644
#
-allow innd_t self:capability { dac_override kill setgid setuid };
-+allow innd_t self:capability { dac_read_search dac_override kill setgid setuid };
++allow innd_t self:capability { dac_read_search kill setgid setuid };
dontaudit innd_t self:capability sys_tty_config;
allow innd_t self:process { setsched signal_perms };
allow innd_t self:fifo_file rw_fifo_file_perms;
@@ -40089,7 +40135,7 @@ index 000000000..d611c53d4
+')
diff --git a/ipa.te b/ipa.te
new file mode 100644
-index 000000000..99cb86250
+index 000000000..49295fe45
--- /dev/null
+++ b/ipa.te
@@ -0,0 +1,275 @@
@@ -40186,7 +40232,7 @@ index 000000000..99cb86250
+#
+
+
-+allow ipa_helper_t self:capability { net_admin dac_read_search dac_override chown };
++allow ipa_helper_t self:capability { net_admin dac_read_search chown };
+
+#kernel bug
+dontaudit ipa_helper_t self:capability2 block_suspend;
@@ -41046,7 +41092,7 @@ index 1a354203e..8101022be 100644
logging_search_logs($1)
admin_pattern($1, iscsi_log_t)
diff --git a/iscsi.te b/iscsi.te
-index ca020faa9..c53375b3b 100644
+index ca020faa9..58233a218 100644
--- a/iscsi.te
+++ b/iscsi.te
@@ -5,12 +5,15 @@ policy_module(iscsi, 1.9.0)
@@ -41073,7 +41119,7 @@ index ca020faa9..c53375b3b 100644
-allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource };
-dontaudit iscsid_t self:capability sys_ptrace;
-+allow iscsid_t self:capability { dac_read_search dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_module sys_resource };
++allow iscsid_t self:capability { dac_read_search ipc_lock net_admin net_raw sys_admin sys_nice sys_module sys_resource };
allow iscsid_t self:process { setrlimit setsched signal };
allow iscsid_t self:fifo_file rw_fifo_file_perms;
allow iscsid_t self:unix_stream_socket { accept connectto listen };
@@ -42969,7 +43015,7 @@ index 3a00b3a13..92f125fdf 100644
+')
+
diff --git a/kdump.te b/kdump.te
-index 715fc211c..794264a1d 100644
+index 715fc211c..e506a7f5d 100644
--- a/kdump.te
+++ b/kdump.te
@@ -12,35 +12,58 @@ init_system_domain(kdump_t, kdump_exec_t)
@@ -43004,7 +43050,7 @@ index 715fc211c..794264a1d 100644
#
-allow kdump_t self:capability { sys_boot dac_override };
-+allow kdump_t self:capability { sys_admin sys_boot dac_read_search dac_override };
++allow kdump_t self:capability { sys_admin sys_boot dac_read_search };
+#allow kdump_t self:capability2 compromise_kernel;
+
+manage_dirs_pattern(kdump_t, kdump_crash_t, kdump_crash_t)
@@ -43050,7 +43096,7 @@ index 715fc211c..794264a1d 100644
+
+kdump_domtrans(kdumpctl_t)
+
-+allow kdumpctl_t self:capability { dac_read_search dac_override sys_chroot };
++allow kdumpctl_t self:capability { dac_read_search sys_chroot };
allow kdumpctl_t self:process setfscreate;
+
allow kdumpctl_t self:fifo_file rw_fifo_file_perms;
@@ -44354,7 +44400,7 @@ index f6c00d8e6..79ea4d8d2 100644
+ kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
')
diff --git a/kerberos.te b/kerberos.te
-index 8833d596d..9b9eb11ed 100644
+index 8833d596d..3030f9b78 100644
--- a/kerberos.te
+++ b/kerberos.te
@@ -6,11 +6,11 @@ policy_module(kerberos, 1.12.0)
@@ -44414,7 +44460,7 @@ index 8833d596d..9b9eb11ed 100644
-allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
-dontaudit kadmind_t self:capability sys_tty_config;
+# Use capabilities. Surplus capabilities may be allowed.
-+allow kadmind_t self:capability { setuid setgid chown fowner dac_read_search dac_override sys_nice };
++allow kadmind_t self:capability { setuid setgid chown fowner dac_read_search sys_nice };
allow kadmind_t self:capability2 block_suspend;
+dontaudit kadmind_t self:capability sys_tty_config;
allow kadmind_t self:process { setfscreate setsched getsched signal_perms };
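Review bot: The comment kept above the `kadmind_t` rule, `# Use capabilities. Surplus capabilities may be allowed.`, now sits on a line whose only change is trimming a capability, and it contradicts that intent. A wording such as `# Capabilities used by kadmind; keep this list minimal.` would match what the rule is now meant to express. The same comment precedes the `krb5kdc_t` rule in the next hunk.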
@@ -44539,7 +44585,7 @@ index 8833d596d..9b9eb11ed 100644
-allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
-dontaudit krb5kdc_t self:capability sys_tty_config;
+# Use capabilities. Surplus capabilities may be allowed.
-+allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_read_search dac_override sys_nice };
++allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_read_search sys_nice };
allow krb5kdc_t self:capability2 block_suspend;
+dontaudit krb5kdc_t self:capability sys_tty_config;
allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms };
@@ -45208,7 +45254,7 @@ index aa2a3379b..7ff229f32 100644
files_search_var_lib($1)
admin_pattern($1, kismet_var_lib_t)
diff --git a/kismet.te b/kismet.te
-index 8ad0d4d50..01e503790 100644
+index 8ad0d4d50..e4916885b 100644
--- a/kismet.te
+++ b/kismet.te
@@ -38,7 +38,7 @@ files_pid_file(kismet_var_run_t)
@@ -45216,7 +45262,7 @@ index 8ad0d4d50..01e503790 100644
#
-allow kismet_t self:capability { dac_override kill net_admin net_raw setuid setgid };
-+allow kismet_t self:capability { dac_read_search dac_override kill net_admin net_raw setuid setgid };
++allow kismet_t self:capability { dac_read_search kill net_admin net_raw setuid setgid };
allow kismet_t self:process signal_perms;
allow kismet_t self:fifo_file rw_fifo_file_perms;
allow kismet_t self:packet_socket create_socket_perms;
@@ -45870,7 +45916,7 @@ index 52970645f..6ba810834 100644
domain_system_change_exemption($1)
role_transition $2 kudzu_initrc_exec_t system_r;
diff --git a/kudzu.te b/kudzu.te
-index 16640364b..ee7a9a1d5 100644
+index 16640364b..a31b9ba5f 100644
--- a/kudzu.te
+++ b/kudzu.te
@@ -26,7 +26,7 @@ files_pid_file(kudzu_var_run_t)
@@ -45878,7 +45924,7 @@ index 16640364b..ee7a9a1d5 100644
#
-allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
-+allow kudzu_t self:capability { dac_read_search dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
++allow kudzu_t self:capability { dac_read_search sys_admin sys_rawio net_admin sys_tty_config mknod };
dontaudit kudzu_t self:capability sys_tty_config;
allow kudzu_t self:process { signal_perms execmem };
allow kudzu_t self:fifo_file rw_fifo_file_perms;
@@ -46521,7 +46567,7 @@ index 3602712d0..af83a5b6b 100644
+ allow $1 slapd_unit_file_t:service all_service_perms;
')
diff --git a/ldap.te b/ldap.te
-index 4c2b1110e..8fa1510d7 100644
+index 4c2b1110e..7b306e4bb 100644
--- a/ldap.te
+++ b/ldap.te
@@ -21,6 +21,9 @@ files_config_file(slapd_etc_t)
@@ -46534,9 +46580,12 @@ index 4c2b1110e..8fa1510d7 100644
type slapd_keytab_t;
files_type(slapd_keytab_t)
-@@ -49,7 +52,7 @@ files_pid_file(slapd_var_run_t)
+@@ -47,9 +50,9 @@ files_pid_file(slapd_var_run_t)
+ # Local policy
+ #
- allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search };
+-allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search };
++allow slapd_t self:capability { kill setgid setuid net_raw dac_read_search };
dontaudit slapd_t self:capability sys_tty_config;
-allow slapd_t self:process setsched;
+allow slapd_t self:process { setsched signal } ;
@@ -46824,7 +46873,7 @@ index bd20e8cc9..3393a01e6 100644
- admin_pattern($1, { lwregd_var_run_t netlogond_var_run_t srvsvcd_var_run_t })
-')
diff --git a/likewise.te b/likewise.te
-index d8c2442a8..f5dff3173 100644
+index d8c2442a8..0bd8a29a9 100644
--- a/likewise.te
+++ b/likewise.te
@@ -26,7 +26,7 @@ type likewise_var_lib_t;
@@ -46862,7 +46911,7 @@ index d8c2442a8..f5dff3173 100644
#
-allow lsassd_t self:capability { fowner chown fsetid dac_override sys_time };
-+allow lsassd_t self:capability { fowner chown fsetid dac_read_search dac_override sys_time };
++allow lsassd_t self:capability { fowner chown fsetid dac_read_search sys_time };
allow lsassd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow lsassd_t self:netlink_route_socket rw_netlink_socket_perms;
@@ -46879,7 +46928,7 @@ index d8c2442a8..f5dff3173 100644
#
-allow lwiod_t self:capability { fowner chown fsetid dac_override sys_resource };
-+allow lwiod_t self:capability { fowner chown fsetid dac_read_search dac_override sys_resource };
++allow lwiod_t self:capability { fowner chown fsetid dac_read_search sys_resource };
allow lwiod_t self:process setrlimit;
allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms;
@@ -46888,7 +46937,7 @@ index d8c2442a8..f5dff3173 100644
#
-allow netlogond_t self:capability dac_override;
-+allow netlogond_t self:capability { dac_read_search dac_override };
++allow netlogond_t self:capability { dac_read_search };
manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t)
@@ -47248,7 +47297,7 @@ index dff21a7c4..b6981c846 100644
init_labeled_script_domtrans($1, lircd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/lircd.te b/lircd.te
-index 483c87bb6..eecd4c158 100644
+index 483c87bb6..5c41c7557 100644
--- a/lircd.te
+++ b/lircd.te
@@ -13,7 +13,7 @@ type lircd_initrc_exec_t;
@@ -47265,7 +47314,7 @@ index 483c87bb6..eecd4c158 100644
#
-allow lircd_t self:capability { chown kill sys_admin };
-+allow lircd_t self:capability { setuid setgid dac_read_search dac_override chown kill sys_admin };
++allow lircd_t self:capability { setuid setgid dac_read_search chown kill sys_admin };
allow lircd_t self:process signal;
allow lircd_t self:fifo_file rw_fifo_file_perms;
allow lircd_t self:tcp_socket { accept listen };
@@ -47494,9 +47543,18 @@ index 2a491d96c..3399d597a 100644
+ virt_dgram_send(lldpad_t)
+')
diff --git a/loadkeys.te b/loadkeys.te
-index d2f464375..ecbfa88ff 100644
+index d2f464375..5bacffd37 100644
--- a/loadkeys.te
+++ b/loadkeys.te
+@@ -17,7 +17,7 @@ role loadkeys_roles types loadkeys_t;
+ # Local policy
+ #
+
+-allow loadkeys_t self:capability { dac_override dac_read_search setuid sys_tty_config };
++allow loadkeys_t self:capability { dac_read_search setuid sys_tty_config };
+ allow loadkeys_t self:fifo_file rw_fifo_file_perms;
+
+ kernel_read_system_state(loadkeys_t)
@@ -25,20 +25,19 @@ kernel_read_system_state(loadkeys_t)
corecmd_exec_bin(loadkeys_t)
corecmd_exec_shell(loadkeys_t)
@@ -47640,7 +47698,7 @@ index dd8e01af3..9cd6b0b8e 100644
##
##
diff --git a/logrotate.te b/logrotate.te
-index be0ab84b3..9ca958706 100644
+index be0ab84b3..af94fb163 100644
--- a/logrotate.te
+++ b/logrotate.te
@@ -5,16 +5,33 @@ policy_module(logrotate, 1.15.0)
@@ -47696,7 +47754,7 @@ index be0ab84b3..9ca958706 100644
-allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice };
-allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
+# Change ownership on log files.
-+allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice sys_ptrace };
++allow logrotate_t self:capability { chown dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice sys_ptrace };
+dontaudit logrotate_t self:capability { sys_resource net_admin };
+
+# dontaudited due to systemctl command.
@@ -47984,7 +48042,7 @@ index be0ab84b3..9ca958706 100644
logging_read_all_logs(logrotate_mail_t)
+manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
diff --git a/logwatch.te b/logwatch.te
-index ab650340c..dd17cb0c5 100644
+index ab650340c..433d37810 100644
--- a/logwatch.te
+++ b/logwatch.te
@@ -15,7 +15,8 @@ gen_tunable(logwatch_can_network_connect_mail, false)
@@ -47997,6 +48055,15 @@ index ab650340c..dd17cb0c5 100644
type logwatch_cache_t;
files_type(logwatch_cache_t)
+@@ -37,7 +38,7 @@ role system_r types logwatch_mail_t;
+ # Local policy
+ #
+
+-allow logwatch_t self:capability { dac_override dac_read_search setgid };
++allow logwatch_t self:capability { dac_read_search setgid };
+ allow logwatch_t self:process signal;
+ allow logwatch_t self:fifo_file rw_fifo_file_perms;
+ allow logwatch_t self:unix_stream_socket { accept listen };
@@ -45,7 +46,8 @@ allow logwatch_t self:unix_stream_socket { accept listen };
manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
@@ -48070,6 +48137,15 @@ index ab650340c..dd17cb0c5 100644
rpc_search_nfs_state_data(logwatch_t)
')
+@@ -173,7 +180,7 @@ optional_policy(`
+ # Mail local policy
+ #
+
+-allow logwatch_mail_t self:capability { dac_read_search dac_override };
++allow logwatch_mail_t self:capability { dac_read_search };
+
+ allow logwatch_mail_t logwatch_t:fd use;
+ allow logwatch_mail_t logwatch_t:fifo_file rw_fifo_file_perms;
@@ -187,6 +194,19 @@ dev_read_sysfs(logwatch_mail_t)
logging_read_all_logs(logwatch_mail_t)
@@ -48283,7 +48359,7 @@ index 62563717b..ce2acb881 100644
can_exec($1, lpr_exec_t)
')
diff --git a/lpd.te b/lpd.te
-index 39d31640e..1ec2cd26e 100644
+index 39d31640e..1648ef3c7 100644
--- a/lpd.te
+++ b/lpd.te
@@ -48,7 +48,7 @@ userdom_user_tmp_file(lpr_tmp_t)
@@ -48300,7 +48376,7 @@ index 39d31640e..1ec2cd26e 100644
#
-allow checkpc_t self:capability { setgid setuid dac_override };
-+allow checkpc_t self:capability { setgid setuid dac_read_search dac_override };
++allow checkpc_t self:capability { setgid setuid dac_read_search };
allow checkpc_t self:process signal_perms;
allow checkpc_t self:unix_stream_socket create_socket_perms;
allow checkpc_t self:tcp_socket create_socket_perms;
@@ -48329,6 +48405,15 @@ index 39d31640e..1ec2cd26e 100644
optional_policy(`
cron_system_entry(checkpc_t, checkpc_exec_t)
+@@ -126,7 +124,7 @@ optional_policy(`
+ # Lpd local policy
+ #
+
+-allow lpd_t self:capability { setgid setuid dac_read_search dac_override chown fowner };
++allow lpd_t self:capability { setgid setuid dac_read_search chown fowner };
+ dontaudit lpd_t self:capability sys_tty_config;
+ allow lpd_t self:process signal_perms;
+ allow lpd_t self:fifo_file rw_fifo_file_perms;
@@ -155,7 +153,6 @@ can_exec(lpd_t, printconf_t)
kernel_read_kernel_sysctls(lpd_t)
kernel_read_system_state(lpd_t)
@@ -48365,7 +48450,7 @@ index 39d31640e..1ec2cd26e 100644
#
-allow lpr_t self:capability { setuid dac_override net_bind_service chown };
-+allow lpr_t self:capability { setuid dac_read_search dac_override net_bind_service chown };
++allow lpr_t self:capability { setuid dac_read_search net_bind_service chown };
allow lpr_t self:unix_stream_socket { accept listen };
allow lpd_t print_spool_t:file { read_file_perms rename_file_perms delete_file_perms };
@@ -49222,7 +49307,7 @@ index 108c0f1f5..a2485018e 100644
domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t)
')
diff --git a/mailman.te b/mailman.te
-index ac81c7fa9..a9faca989 100644
+index ac81c7fa9..b01b07ac3 100644
--- a/mailman.te
+++ b/mailman.te
@@ -4,6 +4,12 @@ policy_module(mailman, 1.10.0)
@@ -49282,7 +49367,7 @@ index ac81c7fa9..a9faca989 100644
-allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };
-allow mailman_mail_t self:process { signal signull };
-+allow mailman_mail_t self:capability { kill dac_read_search dac_override setuid setgid sys_nice sys_tty_config };
++allow mailman_mail_t self:capability { kill dac_read_search setuid setgid sys_nice sys_tty_config };
+allow mailman_mail_t self:process { setsched signal signull };
+allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
@@ -49406,7 +49491,7 @@ index 214cb4498..bd1d48e4f 100644
+ files_list_pids($1)
')
diff --git a/mailscanner.te b/mailscanner.te
-index 6b6e2e130..3fb3393ba 100644
+index 6b6e2e130..df90ba417 100644
--- a/mailscanner.te
+++ b/mailscanner.te
@@ -29,11 +29,12 @@ files_pid_file(mscan_var_run_t)
@@ -49414,7 +49499,7 @@ index 6b6e2e130..3fb3393ba 100644
#
-allow mscan_t self:capability { setuid chown setgid dac_override };
-+allow mscan_t self:capability { setuid chown setgid dac_read_search dac_override };
++allow mscan_t self:capability { setuid chown setgid dac_read_search };
allow mscan_t self:process signal;
allow mscan_t self:fifo_file rw_fifo_file_perms;
@@ -50656,7 +50741,7 @@ index cba62db12..562833a81 100644
+ delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
+')
diff --git a/milter.te b/milter.te
-index 4dc99f464..48e3f3813 100644
+index 4dc99f464..51867ef79 100644
--- a/milter.te
+++ b/milter.te
@@ -5,73 +5,117 @@ policy_module(milter, 1.5.0)
@@ -50762,7 +50847,7 @@ index 4dc99f464..48e3f3813 100644
+# It removes any existing socket (not owned by root) whilst running as root,
+# fixes permissions, renices itself and then calls setgid() and setuid() to
+# drop privileges
-+allow greylist_milter_t self:capability { chown dac_read_search dac_override setgid setuid sys_nice };
++allow greylist_milter_t self:capability { chown dac_read_search setgid setuid sys_nice };
allow greylist_milter_t self:process { setsched getsched };
+allow greylist_milter_t self:tcp_socket create_stream_socket_perms;
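Review bot: The comment kept above the greylist_milter_t rule still says the milter removes an existing socket not owned by root while running as root, but `dac_read_search` does not cover the DAC write access to the socket directory that an unlink needs. Whether this breaks depends on the owner and mode of that directory, which the hunk does not show; if root has no write bit there, the unlink would presumably now fail with a `dac_override` AVC denial. Either confirm the directory is root-writable and record it, e.g. `# socket dir is root-writable, so dac_override is not needed`, or keep `dac_override` for this domain. The regex_milter_t hunk that follows has the same comment and the same change.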
@@ -50818,7 +50903,7 @@ index 4dc99f464..48e3f3813 100644
-allow regex_milter_t self:capability { setuid setgid dac_override };
+# It removes any existing socket (not owned by root) whilst running as root
+# and then calls setgid() and setuid() to drop privileges
-+allow regex_milter_t self:capability { setuid setgid dac_read_search dac_override };
++allow regex_milter_t self:capability { setuid setgid dac_read_search };
+# The milter's socket directory lives under /var/spool
files_search_spool(regex_milter_t)
@@ -51666,7 +51751,7 @@ index 000000000..f5b98e6de
+')
diff --git a/mock.te b/mock.te
new file mode 100644
-index 000000000..f647022cb
+index 000000000..4ba88ac4b
--- /dev/null
+++ b/mock.te
@@ -0,0 +1,288 @@
@@ -51716,7 +51801,7 @@ index 000000000..f647022cb
+# mock local policy
+#
+
-+allow mock_t self:capability { sys_admin sys_ptrace setfcap setuid sys_chroot chown audit_write dac_read_search dac_override sys_nice mknod fsetid setgid fowner };
++allow mock_t self:capability { sys_admin sys_ptrace setfcap setuid sys_chroot chown audit_write dac_read_search sys_nice mknod fsetid setgid fowner };
+allow mock_t self:capability2 block_suspend;
+allow mock_t self:process { siginh noatsecure signal_perms transition rlimitinh setsched setpgid };
+# Needed because mock can run java and mono withing build environment
@@ -51874,7 +51959,7 @@ index 000000000..f647022cb
+#
+# mock_build local policy
+#
-+allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_read_search dac_override sys_nice mknod fsetid setgid fowner sys_ptrace };
++allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_read_search sys_nice mknod fsetid setgid fowner sys_ptrace };
+dontaudit mock_build_t self:capability audit_write;
+allow mock_build_t self:process { fork setsched setpgid signal_perms };
+allow mock_build_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
@@ -53720,7 +53805,7 @@ index 6194b806b..e27c53d6e 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 11ac8e4fc..7cba596af 100644
+index 11ac8e4fc..28c1c5f16 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -6,17 +6,56 @@ policy_module(mozilla, 2.8.0)
@@ -54620,7 +54705,7 @@ index 11ac8e4fc..7cba596af 100644
+# mozilla_plugin_config local policy
#
- allow mozilla_plugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
+-allow mozilla_plugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
-allow mozilla_plugin_config_t self:process { setsched signal_perms getsched };
-allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms;
-allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
@@ -54632,6 +54717,7 @@ index 11ac8e4fc..7cba596af 100644
-manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t })
-manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
-manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
++allow mozilla_plugin_config_t self:capability { dac_read_search sys_nice setuid setgid };
+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".galeon")
@@ -54861,7 +54947,7 @@ index 5fa77c7e6..2e01c7d0a 100644
domain_system_change_exemption($1)
role_transition $2 mpd_initrc_exec_t system_r;
diff --git a/mpd.te b/mpd.te
-index fe7252355..062ad640a 100644
+index fe7252355..68cf0d724 100644
--- a/mpd.te
+++ b/mpd.te
@@ -62,18 +62,25 @@ files_type(mpd_var_lib_t)
@@ -54880,7 +54966,7 @@ index fe7252355..062ad640a 100644
#
-allow mpd_t self:capability { dac_override kill setgid setuid };
-+allow mpd_t self:capability { dac_read_search dac_override kill setgid setuid };
++allow mpd_t self:capability { dac_read_search kill setgid setuid };
allow mpd_t self:process { getsched setsched setrlimit signal signull setcap };
allow mpd_t self:fifo_file rw_fifo_file_perms;
allow mpd_t self:unix_stream_socket { accept connectto listen };
@@ -56401,7 +56487,7 @@ index ed81cac5a..cd52baf59 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/mta.te b/mta.te
-index ff1d68c6a..3f662fbef 100644
+index ff1d68c6a..d04527358 100644
--- a/mta.te
+++ b/mta.te
@@ -14,8 +14,6 @@ attribute mailserver_sender;
@@ -56519,7 +56605,7 @@ index ff1d68c6a..3f662fbef 100644
-
-read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
+# newalias required this, not sure if it is needed in 'if' file
-+allow system_mail_t self:capability { dac_read_search dac_override fowner };
++allow system_mail_t self:capability { dac_read_search fowner };
+dontaudit system_mail_t self:capability net_admin;
allow system_mail_t mail_home_t:file manage_file_perms;
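Review bot: The comment `# newalias required this, not sure if it is needed in 'if' file` no longer says which capability it refers to now that the set beneath it has changed. It was written for a rule that included `dac_override`, so a reader cannot tell whether newaliases was the reason for `dac_override`, `dac_read_search` or `fowner`. I would reword it to name what remains and record the removal, for example `# newaliases: dac_read_search and fowner kept, dac_override dropped (confirm no AVC)`.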
@@ -56855,7 +56941,7 @@ index ff1d68c6a..3f662fbef 100644
optional_policy(`
- allow user_mail_t self:capability dac_override;
-+ allow user_mail_t self:capability {dac_read_search dac_override };
++ allow user_mail_t self:capability {dac_read_search };
+ # Read user temporary files.
+ # postfix seems to need write access if the file handle is opened read/write
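Review bot: After the removal, the capability set on `user_mail_t` has a single member and is written `{dac_read_search }`, with uneven spacing inside the braces. A one-element set reads better without braces, `allow user_mail_t self:capability dac_read_search;`, which is also the form of the upstream line being replaced. The same applies to the single-member sets left in the mail_munin_plugin_t, nagios_system_plugin_t, namespace_init_t, wpa_cli_t, yppasswdd_t, openfortivpn_t and pegasus_openlmi_logicalfile_t hunks.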
@@ -57209,7 +57295,7 @@ index b744fe35e..cb0e2af61 100644
+ admin_pattern($1, munin_content_t)
')
diff --git a/munin.te b/munin.te
-index b70870816..1ea095ce8 100644
+index b70870816..e2a5280c3 100644
--- a/munin.te
+++ b/munin.te
@@ -44,41 +44,40 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t)
@@ -57266,7 +57352,7 @@ index b70870816..1ea095ce8 100644
#
-allow munin_t self:capability { chown dac_override kill setgid setuid sys_rawio };
-+allow munin_t self:capability { chown dac_read_search dac_override kill setgid setuid sys_rawio };
++allow munin_t self:capability { chown dac_read_search kill setgid setuid sys_rawio };
dontaudit munin_t self:capability sys_tty_config;
allow munin_t self:process { getsched setsched signal_perms };
allow munin_t self:unix_stream_socket { accept connectto listen };
@@ -57369,7 +57455,7 @@ index b70870816..1ea095ce8 100644
#
-allow mail_munin_plugin_t self:capability dac_override;
-+allow mail_munin_plugin_t self:capability { dac_read_search dac_override };
++allow mail_munin_plugin_t self:capability { dac_read_search };
+
+allow mail_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+allow mail_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
@@ -58107,7 +58193,7 @@ index 687af38bb..5381f1b39 100644
+ mysql_stream_connect($1)
')
diff --git a/mysql.te b/mysql.te
-index 7584bbe7c..9c33fb9ac 100644
+index 7584bbe7c..327af4639 100644
--- a/mysql.te
+++ b/mysql.te
@@ -6,20 +6,22 @@ policy_module(mysql, 1.14.1)
@@ -58163,7 +58249,7 @@ index 7584bbe7c..9c33fb9ac 100644
#
-allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource };
-+allow mysqld_t self:capability { dac_read_search dac_override ipc_lock setgid setuid sys_resource net_bind_service };
++allow mysqld_t self:capability { dac_read_search ipc_lock setgid setuid sys_resource net_bind_service };
dontaudit mysqld_t self:capability sys_tty_config;
allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
allow mysqld_t self:fifo_file rw_fifo_file_perms;
@@ -58301,7 +58387,7 @@ index 7584bbe7c..9c33fb9ac 100644
#
-allow mysqld_safe_t self:capability { chown dac_override fowner kill };
-+allow mysqld_safe_t self:capability { chown dac_read_search dac_override fowner kill sys_nice sys_resource };
++allow mysqld_safe_t self:capability { chown dac_read_search fowner kill sys_nice sys_resource };
+dontaudit mysqld_safe_t self:capability sys_ptrace;
allow mysqld_safe_t self:process { setsched getsched setrlimit };
allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
@@ -58376,7 +58462,7 @@ index 7584bbe7c..9c33fb9ac 100644
#
-allow mysqlmanagerd_t self:capability { dac_override kill };
-+allow mysqlmanagerd_t self:capability { dac_read_search dac_override kill };
++allow mysqlmanagerd_t self:capability { dac_read_search kill };
allow mysqlmanagerd_t self:process signal;
allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
@@ -59560,7 +59646,7 @@ index 0641e970f..f3b111172 100644
+ admin_pattern($1, nrpe_etc_t)
')
diff --git a/nagios.te b/nagios.te
-index 7b3e682e6..00af8b3b9 100644
+index 7b3e682e6..3b5f4e6ec 100644
--- a/nagios.te
+++ b/nagios.te
@@ -5,6 +5,25 @@ policy_module(nagios, 1.13.0)
@@ -59649,7 +59735,7 @@ index 7b3e682e6..00af8b3b9 100644
#
-allow nagios_t self:capability { dac_override setgid setuid };
-+allow nagios_t self:capability { dac_read_search dac_override setgid setuid };
++allow nagios_t self:capability { dac_read_search setgid setuid };
dontaudit nagios_t self:capability sys_tty_config;
allow nagios_t self:process { setpgid signal_perms };
allow nagios_t self:fifo_file rw_fifo_file_perms;
@@ -59893,7 +59979,7 @@ index 7b3e682e6..00af8b3b9 100644
-allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
-allow nagios_mail_plugin_t self:tcp_socket { accept listen };
-+allow nagios_mail_plugin_t self:capability { setuid setgid dac_read_search dac_override };
++allow nagios_mail_plugin_t self:capability { setuid setgid dac_read_search };
+allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms;
+allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms;
+allow nagios_mail_plugin_t self:udp_socket create_socket_perms;
@@ -59954,7 +60040,7 @@ index 7b3e682e6..00af8b3b9 100644
#
-allow nagios_system_plugin_t self:capability dac_override;
-+allow nagios_system_plugin_t self:capability { dac_read_search dac_override };
++allow nagios_system_plugin_t self:capability { dac_read_search };
dontaudit nagios_system_plugin_t self:capability { setuid setgid };
read_files_pattern(nagios_system_plugin_t, nagios_log_t, nagios_log_t)
@@ -60099,7 +60185,7 @@ index 000000000..8d7c75157
+')
diff --git a/namespace.te b/namespace.te
new file mode 100644
-index 000000000..814e62e4f
+index 000000000..86c327621
--- /dev/null
+++ b/namespace.te
@@ -0,0 +1,41 @@
@@ -60120,7 +60206,7 @@ index 000000000..814e62e4f
+# namespace_init local policy
+#
+
-+allow namespace_init_t self:capability { dac_read_search dac_override};
++allow namespace_init_t self:capability { dac_read_search };
+
+allow namespace_init_t self:fifo_file manage_fifo_file_perms;
+allow namespace_init_t self:unix_stream_socket create_stream_socket_perms;
@@ -60879,7 +60965,7 @@ index 86dc29dfa..cb39739a5 100644
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
')
diff --git a/networkmanager.te b/networkmanager.te
-index 55f20095e..3ed3ed0b3 100644
+index 55f20095e..3299cc6c7 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -1,4 +1,4 @@
@@ -61333,7 +61419,7 @@ index 55f20095e..3ed3ed0b3 100644
#
-allow wpa_cli_t self:capability dac_override;
-+allow wpa_cli_t self:capability { dac_read_search dac_override };
++allow wpa_cli_t self:capability { dac_read_search };
allow wpa_cli_t self:unix_dgram_socket create_socket_perms;
allow wpa_cli_t NetworkManager_t:unix_dgram_socket sendto;
@@ -61790,7 +61876,7 @@ index 46e55c3ff..afe399a0e 100644
+ allow $1 nis_unit_file_t:service all_service_perms;
')
diff --git a/nis.te b/nis.te
-index 3a6b0352e..5145db555 100644
+index 3a6b0352e..062e20c8c 100644
--- a/nis.te
+++ b/nis.te
@@ -5,8 +5,6 @@ policy_module(nis, 1.12.0)
@@ -61909,7 +61995,7 @@ index 3a6b0352e..5145db555 100644
#
-allow yppasswdd_t self:capability dac_override;
-+allow yppasswdd_t self:capability { dac_read_search dac_override };
++allow yppasswdd_t self:capability { dac_read_search };
dontaudit yppasswdd_t self:capability sys_tty_config;
allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
allow yppasswdd_t self:process { getsched setfscreate signal_perms };
@@ -62186,7 +62272,7 @@ index 000000000..e32832705
+')
diff --git a/nova.te b/nova.te
new file mode 100644
-index 000000000..2259a5192
+index 000000000..7b45d90d5
--- /dev/null
+++ b/nova.te
@@ -0,0 +1,203 @@
@@ -62257,7 +62343,7 @@ index 000000000..2259a5192
+# nova general domain local policy
+#
+
-+allow nova_domain self:capability { dac_read_search dac_override net_admin net_bind_service };
++allow nova_domain self:capability { dac_read_search net_admin net_bind_service };
+allow nova_domain self:process { getcap setcap signal_perms setfscreate };
+allow nova_domain self:fifo_file rw_fifo_file_perms;
+allow nova_domain self:tcp_socket create_stream_socket_perms;
@@ -63050,7 +63136,7 @@ index a9c60ff87..ad4f14ad6 100644
+ refpolicywarn(`$0($*) has been deprecated.')
')
diff --git a/nsd.te b/nsd.te
-index 47bb1d204..1e5567367 100644
+index 47bb1d204..56874943b 100644
--- a/nsd.te
+++ b/nsd.te
@@ -9,9 +9,7 @@ type nsd_t;
@@ -63091,7 +63177,7 @@ index 47bb1d204..1e5567367 100644
#
-allow nsd_t self:capability { chown dac_override kill setgid setuid };
-+allow nsd_t self:capability { chown dac_read_search dac_override kill setgid setuid net_admin };
++allow nsd_t self:capability { chown dac_read_search kill setgid setuid net_admin };
dontaudit nsd_t self:capability sys_tty_config;
allow nsd_t self:process signal_perms;
+allow nsd_t self:tcp_socket create_stream_socket_perms;
@@ -63177,7 +63263,7 @@ index 47bb1d204..1e5567367 100644
-allow nsd_crond_t self:capability { dac_override kill };
+# kill capability for root cron job and non-root daemon
-+allow nsd_crond_t self:capability { dac_read_search dac_override kill };
++allow nsd_crond_t self:capability { dac_read_search kill };
dontaudit nsd_crond_t self:capability sys_nice;
allow nsd_crond_t self:process { setsched signal_perms };
allow nsd_crond_t self:fifo_file rw_fifo_file_perms;
@@ -63376,7 +63462,7 @@ index 97df768d9..852d1c6c7 100644
+ admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
')
diff --git a/nslcd.te b/nslcd.te
-index 421bf1a56..1be3b6b30 100644
+index 421bf1a56..7b7c4a983 100644
--- a/nslcd.te
+++ b/nslcd.te
@@ -20,12 +20,12 @@ files_config_file(nslcd_conf_t)
@@ -63390,7 +63476,7 @@ index 421bf1a56..1be3b6b30 100644
-allow nslcd_t self:capability { setgid setuid dac_override };
-allow nslcd_t self:process signal;
-allow nslcd_t self:unix_stream_socket { accept listen };
-+allow nslcd_t self:capability { chown dac_read_search dac_override setgid setuid sys_nice };
++allow nslcd_t self:capability { chown dac_read_search setgid setuid sys_nice };
+allow nslcd_t self:process { setsched signal signull };
+allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
@@ -63934,7 +64020,7 @@ index 000000000..bceb5271e
+')
diff --git a/nsplugin.te b/nsplugin.te
new file mode 100644
-index 000000000..7d839fe6e
+index 000000000..69a09ce2a
--- /dev/null
+++ b/nsplugin.te
@@ -0,0 +1,318 @@
@@ -64164,7 +64250,7 @@ index 000000000..7d839fe6e
+# nsplugin_config local policy
+#
+
-+allow nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
++allow nsplugin_config_t self:capability { dac_read_search sys_nice setuid setgid };
+allow nsplugin_config_t self:process { setsched signal_perms getsched execmem };
+#execing pulseaudio
+dontaudit nsplugin_t self:process { getcap setcap };
@@ -64257,7 +64343,7 @@ index 000000000..7d839fe6e
+ pulseaudio_setattr_home_dir(nsplugin_t)
+')
diff --git a/ntop.te b/ntop.te
-index 8ec78595b..c696f6765 100644
+index 8ec78595b..828398142 100644
--- a/ntop.te
+++ b/ntop.te
@@ -29,10 +29,11 @@ files_pid_file(ntop_var_run_t)
@@ -64265,7 +64351,7 @@ index 8ec78595b..c696f6765 100644
#
-allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin };
-+allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin dac_read_search dac_override };
++allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin dac_read_search };
dontaudit ntop_t self:capability sys_tty_config;
allow ntop_t self:process signal_perms;
allow ntop_t self:fifo_file rw_fifo_file_perms;
@@ -64566,7 +64652,7 @@ index e96a309a5..42453089c 100644
+')
+
diff --git a/ntp.te b/ntp.te
-index f81b113c7..4e9e52e1c 100644
+index f81b113c7..06a05a689 100644
--- a/ntp.te
+++ b/ntp.te
@@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t;
@@ -64584,7 +64670,7 @@ index f81b113c7..4e9e52e1c 100644
#
-allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource };
-+allow ntpd_t self:capability { chown dac_read_search dac_override kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource };
++allow ntpd_t self:capability { chown dac_read_search kill setgid setuid sys_time ipc_lock ipc_owner sys_chroot sys_nice sys_resource };
dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
allow ntpd_t self:process { signal_perms getcap setcap setsched setrlimit };
allow ntpd_t self:fifo_file rw_fifo_file_perms;
@@ -65014,7 +65100,7 @@ index 57c0161ed..c554eb6e1 100644
+ ps_process_pattern($1, nut_t)
')
diff --git a/nut.te b/nut.te
-index 5b2cb0d59..605b54b72 100644
+index 5b2cb0d59..0b0be0a36 100644
--- a/nut.te
+++ b/nut.te
@@ -7,154 +7,155 @@ policy_module(nut, 1.3.0)
@@ -65058,7 +65144,7 @@ index 5b2cb0d59..605b54b72 100644
#
-allow nut_domain self:capability { setgid setuid dac_override kill };
-+allow nut_domain self:capability { setgid setuid dac_read_search dac_override };
++allow nut_domain self:capability { setgid setuid dac_read_search };
+
allow nut_domain self:process signal_perms;
-allow nut_domain self:fifo_file rw_fifo_file_perms;
@@ -65805,7 +65891,7 @@ index c87bd2a30..6180fba1f 100644
+ allow $1 oddjob_mkhomedir_exec_t:file entrypoint;
')
diff --git a/oddjob.te b/oddjob.te
-index e403097c6..c60887de2 100644
+index e403097c6..cba01335f 100644
--- a/oddjob.te
+++ b/oddjob.te
@@ -5,8 +5,6 @@ policy_module(oddjob, 1.10.0)
@@ -65877,7 +65963,7 @@ index e403097c6..c60887de2 100644
#
-allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override };
-+allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_read_search dac_override };
++allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_read_search };
allow oddjob_mkhomedir_t self:process setfscreate;
allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms;
-allow oddjob_mkhomedir_t self:unix_stream_socket { accept listen };
@@ -66416,7 +66502,7 @@ index 000000000..7581b52a0
+')
diff --git a/openfortivpn.te b/openfortivpn.te
new file mode 100644
-index 000000000..5a3c62b83
+index 000000000..8479af48a
--- /dev/null
+++ b/openfortivpn.te
@@ -0,0 +1,67 @@
@@ -66444,7 +66530,7 @@ index 000000000..5a3c62b83
+#
+
+# User certificates are typically not world-readable and are owned by the user
-+allow openfortivpn_t self:capability { dac_read_search dac_override };
++allow openfortivpn_t self:capability { dac_read_search };
+
+# Talking to pppd via the PTY
+allow openfortivpn_t openfortivpn_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
@@ -67541,7 +67627,7 @@ index 000000000..c20cac397
+')
diff --git a/openshift.te b/openshift.te
new file mode 100644
-index 000000000..a98990f3a
+index 000000000..3ff5b7610
--- /dev/null
+++ b/openshift.te
@@ -0,0 +1,634 @@
@@ -68097,7 +68183,7 @@ index 000000000..a98990f3a
+#
+# openshift_cron local policy
+#
-+allow openshift_cron_t self:capability { dac_read_search dac_override net_admin sys_admin };
++allow openshift_cron_t self:capability { dac_read_search net_admin sys_admin };
+allow openshift_cron_t self:process signal_perms;
+allow openshift_cron_t self:tcp_socket create_stream_socket_perms;
+allow openshift_cron_t self:udp_socket create_socket_perms;
@@ -68583,7 +68669,7 @@ index 6837e9a2b..8d6e33b00 100644
domain_system_change_exemption($1)
role_transition $2 openvpn_initrc_exec_t system_r;
diff --git a/openvpn.te b/openvpn.te
-index 63957a362..91dead6e7 100644
+index 63957a362..1a037b974 100644
--- a/openvpn.te
+++ b/openvpn.te
@@ -6,6 +6,13 @@ policy_module(openvpn, 1.12.2)
@@ -68624,7 +68710,7 @@ index 63957a362..91dead6e7 100644
#
-allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_admin setgid setuid sys_chroot sys_tty_config sys_nice };
-+allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config sys_nice };
++allow openvpn_t self:capability { dac_read_search ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config sys_nice };
allow openvpn_t self:process { signal getsched setsched };
allow openvpn_t self:fifo_file rw_fifo_file_perms;
allow openvpn_t self:unix_dgram_socket sendto;
@@ -69486,7 +69572,7 @@ index 000000000..6ae382cb9
+
diff --git a/oracleasm.te b/oracleasm.te
new file mode 100644
-index 000000000..41f3e07b1
+index 000000000..16365762c
--- /dev/null
+++ b/oracleasm.te
@@ -0,0 +1,66 @@
@@ -69515,7 +69601,7 @@ index 000000000..41f3e07b1
+# oracleasm local policy
+#
+
-+allow oracleasm_t self:capability { dac_read_search dac_override fsetid fowner chown };
++allow oracleasm_t self:capability { dac_read_search fsetid fowner chown };
+allow oracleasm_t self:fifo_file rw_fifo_file_perms;
+allow oracleasm_t self:unix_stream_socket create_stream_socket_perms;
+
@@ -70024,7 +70110,7 @@ index 9682d9af8..f1f421f9e 100644
+ ')
')
diff --git a/pacemaker.te b/pacemaker.te
-index 6e6efb642..d56c04963 100644
+index 6e6efb642..9ab075fb4 100644
--- a/pacemaker.te
+++ b/pacemaker.te
@@ -5,6 +5,13 @@ policy_module(pacemaker, 1.1.0)
@@ -70071,7 +70157,7 @@ index 6e6efb642..d56c04963 100644
#
-allow pacemaker_t self:capability { fowner fsetid kill chown dac_override setuid };
-+allow pacemaker_t self:capability { fowner fsetid kill chown dac_read_search dac_override setuid };
++allow pacemaker_t self:capability { fowner fsetid kill chown dac_read_search setuid };
+allow pacemaker_t self:capability2 block_suspend;
allow pacemaker_t self:process { setrlimit signal setpgid };
allow pacemaker_t self:fifo_file rw_fifo_file_perms;
@@ -70151,7 +70237,7 @@ index 6e097c919..503c97a2d 100644
domain_system_change_exemption($1)
role_transition $2 pads_initrc_exec_t system_r;
diff --git a/pads.te b/pads.te
-index 078adc478..f0c65e5de 100644
+index 078adc478..c1f2a1072 100644
--- a/pads.te
+++ b/pads.te
@@ -24,9 +24,12 @@ files_pid_file(pads_var_run_t)
@@ -70159,7 +70245,7 @@ index 078adc478..f0c65e5de 100644
#
-allow pads_t self:capability { dac_override net_raw };
-+allow pads_t self:capability { dac_read_search dac_override net_raw };
++allow pads_t self:capability { dac_read_search net_raw };
+allow pads_t self:netlink_route_socket create_netlink_socket_perms;
allow pads_t self:packet_socket create_socket_perms;
allow pads_t self:socket create_socket_perms;
@@ -70385,7 +70471,7 @@ index bf59ef731..0e333279c 100644
+')
+
diff --git a/passenger.te b/passenger.te
-index 08ec33bf2..e73b8a63d 100644
+index 08ec33bf2..e175fc6a9 100644
--- a/passenger.te
+++ b/passenger.te
@@ -1,4 +1,4 @@
@@ -70414,7 +70500,7 @@ index 08ec33bf2..e73b8a63d 100644
-allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource };
-allow passenger_t self:process { setpgid setsched sigkill signal };
-+allow passenger_t self:capability { chown dac_read_search dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource };
++allow passenger_t self:capability { chown dac_read_search fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource };
+allow passenger_t self:capability2 block_suspend;
+allow passenger_t self:process { setpgid setsched getsession signal_perms };
allow passenger_t self:fifo_file rw_fifo_file_perms;
@@ -70516,9 +70602,18 @@ index 08ec33bf2..e73b8a63d 100644
+ rpm_read_db(passenger_t)
')
diff --git a/pcmcia.te b/pcmcia.te
-index 8176e4aa4..2df178919 100644
+index 8176e4aa4..311e311b3 100644
--- a/pcmcia.te
+++ b/pcmcia.te
+@@ -29,7 +29,7 @@ role cardmgr_roles types cardmgr_t;
+ # Local policy
+ #
+
+-allow cardmgr_t self:capability { dac_read_search dac_override setuid net_admin sys_admin sys_nice sys_tty_config mknod };
++allow cardmgr_t self:capability { dac_read_search setuid net_admin sys_admin sys_nice sys_tty_config mknod };
+ dontaudit cardmgr_t self:capability sys_tty_config;
+ allow cardmgr_t self:process signal_perms;
+ allow cardmgr_t self:fifo_file rw_fifo_file_perms;
@@ -88,20 +88,17 @@ libs_exec_lib_files(cardmgr_t)
logging_send_syslog_msg(cardmgr_t)
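Review bot: The rewritten cardmgr_t rule still allows `sys_tty_config`, while the next line in the same hunk is `dontaudit cardmgr_t self:capability sys_tty_config;`. A dontaudit on a permission that is already allowed never takes effect, so one of the two lines is stale, and since this hunk rewrites the allow set for least privilege it is the place to decide which is meant. If the capability is not needed, drop it as well: `allow cardmgr_t self:capability { dac_read_search setuid net_admin sys_admin sys_nice mknod };`. The ntpd_t hunk shows the same overlap for `sys_nice`.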
@@ -70748,7 +70843,7 @@ index 000000000..abb250dba
+')
diff --git a/pcp.te b/pcp.te
new file mode 100644
-index 000000000..372915272
+index 000000000..140ec0d3a
--- /dev/null
+++ b/pcp.te
@@ -0,0 +1,313 @@
@@ -70803,7 +70898,7 @@ index 000000000..372915272
+# pcp domain local policy
+#
+
-+allow pcp_domain self:capability { setuid setgid dac_read_search dac_override };
++allow pcp_domain self:capability { setuid setgid dac_read_search };
+allow pcp_domain self:process signal_perms;
+allow pcp_domain self:tcp_socket create_stream_socket_perms;
+allow pcp_domain self:udp_socket create_socket_perms;
@@ -71088,14 +71183,16 @@ index 43d50f95b..6b1544f62 100644
########################################
diff --git a/pcscd.te b/pcscd.te
-index 1fb196410..a8026bdbf 100644
+index 1fb196410..f502f33d6 100644
--- a/pcscd.te
+++ b/pcscd.te
-@@ -22,10 +22,12 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
+@@ -21,11 +21,13 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
+ # Local policy
#
- allow pcscd_t self:capability { dac_override dac_read_search fsetid };
+-allow pcscd_t self:capability { dac_override dac_read_search fsetid };
-allow pcscd_t self:process signal;
++allow pcscd_t self:capability { dac_read_search fsetid };
+allow pcscd_t self:capability2 { wake_alarm };
+allow pcscd_t self:process { signal signull };
allow pcscd_t self:fifo_file rw_fifo_file_perms;
@@ -71503,7 +71600,7 @@ index d2fc677c1..86dce34a2 100644
')
+
diff --git a/pegasus.te b/pegasus.te
-index 608f454d8..8cccfd762 100644
+index 608f454d8..8f0f5fd9c 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
@@ -71583,7 +71680,7 @@ index 608f454d8..8cccfd762 100644
+# pegasus openlmi account local policy
+#
+
-+allow pegasus_openlmi_account_t self:capability { chown dac_read_search dac_override fowner fsetid };
++allow pegasus_openlmi_account_t self:capability { chown dac_read_search fowner fsetid };
+allow pegasus_openlmi_account_t self:process setfscreate;
+
+auth_manage_passwd(pegasus_openlmi_account_t)
@@ -71620,7 +71717,7 @@ index 608f454d8..8cccfd762 100644
+# pegasus openlmi logicalfile local policy
+#
+
-+allow pegasus_openlmi_logicalfile_t self:capability { dac_read_search dac_override };
++allow pegasus_openlmi_logicalfile_t self:capability { dac_read_search };
+files_manage_non_security_dirs(pegasus_openlmi_logicalfile_t)
+files_manage_non_security_files(pegasus_openlmi_logicalfile_t)
+
@@ -71847,7 +71944,7 @@ index 608f454d8..8cccfd762 100644
#
-allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service };
-+allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_read_search dac_override net_admin net_bind_service sys_ptrace };
++allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_read_search net_admin net_bind_service sys_ptrace };
dontaudit pegasus_t self:capability sys_tty_config;
-allow pegasus_t self:process signal;
+allow pegasus_t self:process { setsched signal };
@@ -73700,7 +73797,7 @@ index 000000000..f69ae0298
+')
diff --git a/pki.te b/pki.te
new file mode 100644
-index 000000000..9c27847b2
+index 000000000..701ebda54
--- /dev/null
+++ b/pki.te
@@ -0,0 +1,285 @@
@@ -73778,7 +73875,7 @@ index 000000000..9c27847b2
+# pki-tomcat local policy
+#
+
-+allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_read_search dac_override sys_nice fsetid };
++allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_read_search sys_nice fsetid };
+dontaudit pki_tomcat_t self:capability net_admin;
+allow pki_tomcat_t self:process { signal setsched signull execmem setfscreate };
+
@@ -73913,7 +74010,7 @@ index 000000000..9c27847b2
+#
+
+
-+allow pki_apache_domain self:capability { setuid sys_nice setgid dac_read_search dac_override fowner fsetid kill chown};
++allow pki_apache_domain self:capability { setuid sys_nice setgid dac_read_search fowner fsetid kill chown};
+allow pki_apache_domain self:process { setsched signal getsched signull execstack execmem sigkill};
+
+allow pki_apache_domain self:sem all_sem_perms;
@@ -74331,7 +74428,7 @@ index 30e751f18..61feb3a81 100644
admin_pattern($1, plymouthd_var_run_t)
')
diff --git a/plymouthd.te b/plymouthd.te
-index 3078ce905..ac0b7a546 100644
+index 3078ce905..a1f9e1aa1 100644
--- a/plymouthd.te
+++ b/plymouthd.te
@@ -15,7 +15,7 @@ type plymouthd_exec_t;
@@ -74354,7 +74451,7 @@ index 3078ce905..ac0b7a546 100644
allow plymouthd_t self:capability { sys_admin sys_tty_config };
-dontaudit plymouthd_t self:capability dac_override;
allow plymouthd_t self:capability2 block_suspend;
-+dontaudit plymouthd_t self:capability{ dac_read_search dac_override };
++dontaudit plymouthd_t self:capability{ dac_read_search };
allow plymouthd_t self:process { signal getsched };
+allow plymouthd_t self:netlink_kobject_uevent_socket create_socket_perms;
allow plymouthd_t self:fifo_file rw_fifo_file_perms;
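Review bot: Dropping `dac_override` from the `dontaudit plymouthd_t` line removes no privilege; it only stops suppressing the denial, so `dac_override` AVCs for plymouthd_t will be logged again. The upstream line this patch replaces, `dontaudit plymouthd_t self:capability dac_override;`, silenced exactly that capability, so the removal looks unintended on this rule. If the suppression is still wanted, keep `dontaudit plymouthd_t self:capability { dac_read_search dac_override };`; if the aim is to surface those denials, say so in a comment. The new line is also missing a space in `capability{`.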
@@ -74452,7 +74549,7 @@ index 3078ce905..ac0b7a546 100644
hal_dontaudit_write_log(plymouth_t)
hal_dontaudit_rw_pipes(plymouth_t)
diff --git a/podsleuth.te b/podsleuth.te
-index 9123f7152..232e28a75 100644
+index 9123f7152..77e5b9b59 100644
--- a/podsleuth.te
+++ b/podsleuth.te
@@ -28,8 +28,9 @@ userdom_user_tmpfs_file(podsleuth_tmpfs_t)
@@ -74461,7 +74558,7 @@ index 9123f7152..232e28a75 100644
-allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
-allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack };
-+allow podsleuth_t self:capability { kill dac_read_search dac_override sys_admin sys_rawio };
++allow podsleuth_t self:capability { kill dac_read_search sys_admin sys_rawio };
+allow podsleuth_t self:process { signal signull getsched execheap execmem execstack };
+
allow podsleuth_t self:fifo_file rw_fifo_file_perms;
@@ -74776,7 +74873,7 @@ index 032a84d1c..be00a65f1 100644
+ allow $1 policykit_auth_t:process signal;
')
diff --git a/policykit.te b/policykit.te
-index ee91778f7..fb9b69ae9 100644
+index ee91778f7..24c0eefd6 100644
--- a/policykit.te
+++ b/policykit.te
@@ -7,9 +7,6 @@ policy_module(policykit, 1.3.0)
@@ -74831,7 +74928,8 @@ index ee91778f7..fb9b69ae9 100644
+# policykit local policy
#
- allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace };
+-allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace };
++allow policykit_t self:capability { dac_read_search setgid setuid sys_nice sys_ptrace };
allow policykit_t self:process { getsched setsched signal };
-allow policykit_t self:unix_stream_socket { accept connectto listen };
+allow policykit_t self:unix_dgram_socket create_socket_perms;
@@ -75632,7 +75730,7 @@ index 9764bfef8..8870de713 100644
-miscfiles_read_localization(polipo_daemon)
diff --git a/portage.if b/portage.if
-index 67e8c12c4..058c99481 100644
+index 67e8c12c4..e76feca9b 100644
--- a/portage.if
+++ b/portage.if
@@ -67,9 +67,10 @@ interface(`portage_compile_domain',`
@@ -75643,12 +75741,12 @@ index 67e8c12c4..058c99481 100644
')
- allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
-+ allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_read_search dac_override net_raw };
++ allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_read_search net_raw };
dontaudit $1 self:capability sys_chroot;
allow $1 self:process { setpgid setsched setrlimit signal_perms execmem setfscreate };
allow $1 self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
diff --git a/portage.te b/portage.te
-index b410c67c1..f1ec41d39 100644
+index b410c67c1..27d6cc52a 100644
--- a/portage.te
+++ b/portage.te
@@ -108,7 +108,6 @@ domain_use_interactive_fds(gcc_config_t)
@@ -75664,7 +75762,7 @@ index b410c67c1..f1ec41d39 100644
allow portage_fetch_t self:process signal;
-allow portage_fetch_t self:capability { dac_override fowner fsetid chown };
-+allow portage_fetch_t self:capability { dac_read_search dac_override fowner fsetid chown };
++allow portage_fetch_t self:capability { dac_read_search fowner fsetid chown };
allow portage_fetch_t self:fifo_file rw_fifo_file_perms;
allow portage_fetch_t self:tcp_socket { accept listen };
allow portage_fetch_t self:unix_stream_socket create_socket_perms;
@@ -75767,9 +75865,18 @@ index 5ad529154..7f1ae2a78 100644
portreserve_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/portreserve.te b/portreserve.te
-index 00b01e2ea..10b45127a 100644
+index 00b01e2ea..1ef4b9938 100644
--- a/portreserve.te
+++ b/portreserve.te
+@@ -23,7 +23,7 @@ files_pid_file(portreserve_var_run_t)
+ # Local policy
+ #
+
+-allow portreserve_t self:capability { dac_read_search dac_override };
++allow portreserve_t self:capability { dac_read_search };
+ allow portreserve_t self:fifo_file rw_fifo_file_perms;
+ allow portreserve_t self:unix_stream_socket create_stream_socket_perms;
+ allow portreserve_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -41,7 +41,6 @@ files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir }
corecmd_getattr_bin_files(portreserve_t)
@@ -75903,7 +76010,7 @@ index c0e878537..3070aa066 100644
+/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
+/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
diff --git a/postfix.if b/postfix.if
-index ded95ec3a..db49c5774 100644
+index ded95ec3a..210018ce4 100644
--- a/postfix.if
+++ b/postfix.if
@@ -1,4 +1,4 @@
@@ -75997,7 +76104,7 @@ index ded95ec3a..db49c5774 100644
- #
- # Declarations
- #
-+ allow postfix_$1_t self:capability { setuid setgid sys_chroot dac_read_search dac_override };
++ allow postfix_$1_t self:capability { setuid setgid sys_chroot dac_read_search };
+ allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
+ allow postfix_$1_t self:tcp_socket create_socket_perms;
+ allow postfix_$1_t self:udp_socket create_socket_perms;
@@ -76055,7 +76162,7 @@ index ded95ec3a..db49c5774 100644
- #
-
- allow postfix_$1_t self:capability dac_override;
-+ allow postfix_$1_t self:capability { dac_read_search dac_override };
++ allow postfix_$1_t self:capability { dac_read_search };
domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t)
@@ -76788,7 +76895,7 @@ index ded95ec3a..db49c5774 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
')
diff --git a/postfix.te b/postfix.te
-index 5cfb83eca..87a1d852a 100644
+index 5cfb83eca..708c908d1 100644
--- a/postfix.te
+++ b/postfix.te
@@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1)
@@ -76981,7 +77088,7 @@ index 5cfb83eca..87a1d852a 100644
-allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config };
+dontaudit postfix_master_t self:capability { net_admin };
+# chown is to set the correct ownership of queue dirs
-+allow postfix_master_t self:capability { chown dac_read_search dac_override kill setgid setuid net_bind_service sys_tty_config };
++allow postfix_master_t self:capability { chown dac_read_search kill setgid setuid net_bind_service sys_tty_config };
allow postfix_master_t self:capability2 block_suspend;
+
allow postfix_master_t self:process setrlimit;
@@ -77306,7 +77413,7 @@ index 5cfb83eca..87a1d852a 100644
-# Map local policy
+# Postfix map local policy
#
-+allow postfix_map_t self:capability { dac_read_search dac_override setgid setuid };
++allow postfix_map_t self:capability { dac_read_search setgid setuid };
+allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
+allow postfix_map_t self:unix_dgram_socket create_socket_perms;
+allow postfix_map_t self:tcp_socket create_stream_socket_perms;
@@ -77833,7 +77940,7 @@ index b9e71b537..a7502cd0e 100644
domain_system_change_exemption($1)
role_transition $2 postgrey_initrc_exec_t system_r;
diff --git a/postgrey.te b/postgrey.te
-index fd58805e5..248d22985 100644
+index fd58805e5..593a05367 100644
--- a/postgrey.te
+++ b/postgrey.te
@@ -16,7 +16,7 @@ type postgrey_initrc_exec_t;
@@ -77850,7 +77957,7 @@ index fd58805e5..248d22985 100644
#
-allow postgrey_t self:capability { chown dac_override setgid setuid };
-+allow postgrey_t self:capability { chown dac_read_search dac_override setgid setuid };
++allow postgrey_t self:capability { chown dac_read_search setgid setuid };
dontaudit postgrey_t self:capability sys_tty_config;
allow postgrey_t self:process signal_perms;
allow postgrey_t self:fifo_file create_fifo_file_perms;
@@ -78451,7 +78558,7 @@ index cd8b8b9cb..2cfa88a2d 100644
+ allow $1 pppd_unit_file_t:service all_service_perms;
')
diff --git a/ppp.te b/ppp.te
-index d616ca3e3..0b38ca5d6 100644
+index d616ca3e3..0ad15efea 100644
--- a/ppp.te
+++ b/ppp.te
@@ -6,41 +6,47 @@ policy_module(ppp, 1.14.0)
@@ -78535,7 +78642,7 @@ index d616ca3e3..0b38ca5d6 100644
#
-allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice };
-+allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_read_search dac_override sys_nice sys_chroot };
++allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_read_search sys_nice sys_chroot };
dontaudit pppd_t self:capability sys_tty_config;
-allow pppd_t self:process { getsched setsched signal };
+dontaudit pppd_t self:capability2 block_suspend;
@@ -78711,7 +78818,8 @@ index d616ca3e3..0b38ca5d6 100644
+# PPTP Local policy
#
- allow pptp_t self:capability { dac_override dac_read_search net_raw net_admin };
+-allow pptp_t self:capability { dac_override dac_read_search net_raw net_admin };
++allow pptp_t self:capability { dac_read_search net_raw net_admin };
dontaudit pptp_t self:capability sys_tty_config;
allow pptp_t self:process signal;
allow pptp_t self:fifo_file rw_fifo_file_perms;
@@ -78975,7 +79083,7 @@ index 20d469793..e6605c100 100644
+ files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache")
+')
diff --git a/prelink.te b/prelink.te
-index 8e262163b..c1d33acdf 100644
+index 8e262163b..c23cec013 100644
--- a/prelink.te
+++ b/prelink.te
@@ -6,13 +6,10 @@ policy_module(prelink, 1.11.0)
@@ -78997,7 +79105,7 @@ index 8e262163b..c1d33acdf 100644
#
-allow prelink_t self:capability { chown dac_override fowner fsetid setfcap sys_resource };
-+allow prelink_t self:capability { chown dac_read_search dac_override fowner fsetid setfcap sys_resource };
++allow prelink_t self:capability { chown dac_read_search fowner fsetid setfcap sys_resource };
allow prelink_t self:process { execheap execmem execstack signal };
allow prelink_t self:fifo_file rw_fifo_file_perms;
@@ -79365,7 +79473,7 @@ index c83a838d7..f41a4f7dd 100644
admin_pattern($1, prelude_lml_tmp_t)
')
diff --git a/prelude.te b/prelude.te
-index 8f4460928..dd7065356 100644
+index 8f4460928..d3b9f0dd3 100644
--- a/prelude.te
+++ b/prelude.te
@@ -13,7 +13,7 @@ type prelude_initrc_exec_t;
@@ -79382,7 +79490,7 @@ index 8f4460928..dd7065356 100644
#
-allow prelude_t self:capability { dac_override sys_tty_config };
-+allow prelude_t self:capability { dac_read_search dac_override sys_tty_config };
++allow prelude_t self:capability { dac_read_search sys_tty_config };
allow prelude_t self:fifo_file rw_fifo_file_perms;
allow prelude_t self:unix_stream_socket { accept listen };
allow prelude_t self:tcp_socket { accept listen };
@@ -79416,7 +79524,7 @@ index 8f4460928..dd7065356 100644
#
-allow prelude_audisp_t self:capability { dac_override ipc_lock setpcap };
-+allow prelude_audisp_t self:capability { dac_read_search dac_override ipc_lock setpcap };
++allow prelude_audisp_t self:capability { dac_read_search ipc_lock setpcap };
allow prelude_audisp_t self:process { getcap setcap };
allow prelude_audisp_t self:fifo_file rw_fifo_file_perms;
allow prelude_audisp_t self:unix_stream_socket { accept listen };
@@ -79449,7 +79557,7 @@ index 8f4460928..dd7065356 100644
#
-allow prelude_correlator_t self:capability dac_override;
-+allow prelude_correlator_t self:capability { dac_read_search dac_override };
++allow prelude_correlator_t self:capability { dac_read_search };
allow prelude_correlator_t self:tcp_socket { accept listen };
manage_dirs_pattern(prelude_correlator_t, prelude_spool_t, prelude_spool_t)
@@ -79481,7 +79589,7 @@ index 8f4460928..dd7065356 100644
#
-allow prelude_lml_t self:capability dac_override;
-+allow prelude_lml_t self:capability { dac_read_search dac_override };
++allow prelude_lml_t self:capability { dac_read_search };
+allow prelude_lml_t self:tcp_socket { setopt create_socket_perms };
+allow prelude_lml_t self:unix_dgram_socket create_socket_perms;
allow prelude_lml_t self:fifo_file rw_fifo_file_perms;
@@ -79755,7 +79863,7 @@ index 00edeab17..166e9c333 100644
+ read_files_pattern($1, procmail_home_t, procmail_home_t)
')
diff --git a/procmail.te b/procmail.te
-index cc426e62a..91a1f537e 100644
+index cc426e62a..ee83a78ce 100644
--- a/procmail.te
+++ b/procmail.te
@@ -14,7 +14,7 @@ type procmail_home_t;
@@ -79772,7 +79880,7 @@ index cc426e62a..91a1f537e 100644
#
-allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_override };
-+allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_read_search dac_override };
++allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_read_search };
allow procmail_t self:process { setsched signal signull };
allow procmail_t self:fifo_file rw_fifo_file_perms;
-allow procmail_t self:tcp_socket { accept listen };
@@ -80230,7 +80338,7 @@ index 000000000..8231f4ff5
+')
diff --git a/prosody.te b/prosody.te
new file mode 100644
-index 000000000..5a9f1d42c
+index 000000000..06eb94871
--- /dev/null
+++ b/prosody.te
@@ -0,0 +1,99 @@
@@ -80272,7 +80380,7 @@ index 000000000..5a9f1d42c
+#
+# prosody local policy
+#
-+allow prosody_t self:capability { setuid setgid dac_read_search dac_override };
++allow prosody_t self:capability { setuid setgid dac_read_search };
+allow prosody_t self:process { signal_perms execmem };
+allow prosody_t self:tcp_socket create_stream_socket_perms;
+
@@ -80493,7 +80601,7 @@ index d4dcf782c..3cce82e50 100644
admin_pattern($1, psad_tmp_t)
')
diff --git a/psad.te b/psad.te
-index b5d717b09..9fd153b1c 100644
+index b5d717b09..99f6fddac 100644
--- a/psad.te
+++ b/psad.te
@@ -32,7 +32,7 @@ files_tmp_file(psad_tmp_t)
@@ -80501,7 +80609,7 @@ index b5d717b09..9fd153b1c 100644
#
-allow psad_t self:capability { net_admin net_raw setuid setgid dac_override };
-+allow psad_t self:capability { net_admin net_raw setuid setgid dac_read_search dac_override };
++allow psad_t self:capability { net_admin net_raw setuid setgid dac_read_search };
dontaudit psad_t self:capability sys_tty_config;
allow psad_t self:process signal_perms;
allow psad_t self:fifo_file rw_fifo_file_perms;
@@ -80549,7 +80657,7 @@ index 28d2abc03..c2cfb5eaa 100644
-miscfiles_read_localization(ptchown_t)
+auth_read_passwd(ptchown_t)
diff --git a/publicfile.te b/publicfile.te
-index 3246befff..dd66a21cb 100644
+index 3246befff..edce6258a 100644
--- a/publicfile.te
+++ b/publicfile.te
@@ -17,7 +17,7 @@ files_type(publicfile_content_t)
@@ -80557,7 +80665,7 @@ index 3246befff..dd66a21cb 100644
#
-allow publicfile_t self:capability { dac_override setgid setuid sys_chroot };
-+allow publicfile_t self:capability { dac_read_search dac_override setgid setuid sys_chroot };
++allow publicfile_t self:capability { dac_read_search setgid setuid sys_chroot };
allow publicfile_t publicfile_content_t:dir list_dir_perms;
allow publicfile_t publicfile_content_t:file read_file_perms;
@@ -81672,7 +81780,7 @@ index 7cb8b1f9c..bef72173b 100644
+ allow $1 puppet_var_run_t:dir search_dir_perms;
')
diff --git a/puppet.te b/puppet.te
-index 618dcfeed..d5d0cfcb8 100644
+index 618dcfeed..5bd88a99d 100644
--- a/puppet.te
+++ b/puppet.te
@@ -6,25 +6,32 @@ policy_module(puppet, 1.4.0)
@@ -81838,7 +81946,7 @@ index 618dcfeed..d5d0cfcb8 100644
-
-tunable_policy(`puppet_manage_all_files',`
- files_manage_non_auth_files(puppet_t)
-+allow puppetagent_t self:capability { fowner fsetid setuid setgid dac_read_search dac_override sys_nice sys_tty_config };
++allow puppetagent_t self:capability { fowner fsetid setuid setgid dac_read_search sys_nice sys_tty_config };
+allow puppetagent_t self:process { signal signull getsched setsched };
+allow puppetagent_t self:fifo_file rw_fifo_file_perms;
+allow puppetagent_t self:netlink_route_socket create_netlink_socket_perms;
@@ -82015,7 +82123,7 @@ index 618dcfeed..d5d0cfcb8 100644
#
-allow puppetca_t self:capability { dac_override setgid setuid };
-+allow puppetca_t self:capability { dac_read_search dac_override setgid setuid };
++allow puppetca_t self:capability { dac_read_search setgid setuid };
allow puppetca_t self:fifo_file rw_fifo_file_perms;
-allow puppetca_t puppet_etc_t:dir list_dir_perms;
@@ -82065,7 +82173,8 @@ index 618dcfeed..d5d0cfcb8 100644
+# Pupper master personal policy
#
- allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
+-allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
++allow puppetmaster_t self:capability { dac_read_search setuid setgid fowner chown fsetid sys_tty_config };
allow puppetmaster_t self:process { signal_perms getsched setsched };
allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
-allow puppetmaster_t self:netlink_route_socket nlmsg_write;
@@ -82956,7 +83065,7 @@ index 86ea53ce1..a2dcf7bb2 100644
/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
diff --git a/qemu.if b/qemu.if
-index eaf56b8b0..889472688 100644
+index eaf56b8b0..408cdccaf 100644
--- a/qemu.if
+++ b/qemu.if
@@ -1,19 +1,21 @@
@@ -82987,7 +83096,7 @@ index eaf56b8b0..889472688 100644
#
type $1_t;
-@@ -22,9 +24,12 @@ template(`qemu_domain_template',`
+@@ -22,12 +24,15 @@ template(`qemu_domain_template',`
type $1_tmp_t;
files_tmp_file($1_tmp_t)
@@ -83000,7 +83109,11 @@ index eaf56b8b0..889472688 100644
+ # Local Policy
#
- allow $1_t self:capability { dac_read_search dac_override };
+- allow $1_t self:capability { dac_read_search dac_override };
++ allow $1_t self:capability { dac_read_search };
+ allow $1_t self:process { execstack execmem signal getsched };
+ allow $1_t self:fifo_file rw_file_perms;
+ allow $1_t self:shm create_shm_perms;
@@ -39,9 +44,12 @@ template(`qemu_domain_template',`
manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
@@ -84769,7 +84882,7 @@ index afc00688d..589a7fdde 100644
+ ')
')
diff --git a/quantum.te b/quantum.te
-index 8644d8b3f..97a9b7e76 100644
+index 8644d8b3f..62bdc516a 100644
--- a/quantum.te
+++ b/quantum.te
@@ -5,92 +5,183 @@ policy_module(quantum, 1.1.0)
@@ -84859,7 +84972,7 @@ index 8644d8b3f..97a9b7e76 100644
-
-dev_list_sysfs(quantum_t)
-dev_read_urand(quantum_t)
-+allow neutron_t self:capability { chown dac_read_search dac_override sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service};
++allow neutron_t self:capability { chown dac_read_search sys_ptrace kill setgid setuid sys_resource net_admin sys_admin net_raw net_bind_service};
+allow neutron_t self:capability2 block_suspend;
+allow neutron_t self:process { setsched setrlimit setcap signal_perms };
+
@@ -85302,7 +85415,7 @@ index da6421861..3fb8575ca 100644
+ domtrans_pattern($1, quota_nld_exec_t, quota_nld_t)
')
diff --git a/quota.te b/quota.te
-index f47c8e81f..ba74734da 100644
+index f47c8e81f..ffee08201 100644
--- a/quota.te
+++ b/quota.te
@@ -5,12 +5,10 @@ policy_module(quota, 1.6.0)
@@ -85335,7 +85448,7 @@ index f47c8e81f..ba74734da 100644
#
-allow quota_t self:capability { sys_admin dac_override };
-+allow quota_t self:capability { sys_admin dac_read_search dac_override };
++allow quota_t self:capability { sys_admin dac_read_search };
dontaudit quota_t self:capability sys_tty_config;
allow quota_t self:process signal_perms;
@@ -85769,7 +85882,7 @@ index 44605825c..4c66c2502 100644
+
')
diff --git a/radius.te b/radius.te
-index 403a4fed1..193195e3c 100644
+index 403a4fed1..5357a7e46 100644
--- a/radius.te
+++ b/radius.te
@@ -5,6 +5,13 @@ policy_module(radius, 1.13.0)
@@ -85799,7 +85912,7 @@ index 403a4fed1..193195e3c 100644
#
-allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
-+allow radiusd_t self:capability { chown dac_read_search dac_override fsetid kill setgid setuid sys_resource sys_tty_config sys_ptrace };
++allow radiusd_t self:capability { chown dac_read_search fsetid kill setgid setuid sys_resource sys_tty_config sys_ptrace };
dontaudit radiusd_t self:capability sys_tty_config;
-allow radiusd_t self:process { getsched setrlimit setsched sigkill signal };
+allow radiusd_t self:process { getsched setrlimit setsched sigkill signal ptrace};
@@ -85958,7 +86071,7 @@ index ac7058d1e..48739ac1b 100644
init_labeled_script_domtrans($1, radvd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/radvd.te b/radvd.te
-index 6d162e4e6..502ca16ba 100644
+index 6d162e4e6..01b5af0e0 100644
--- a/radvd.te
+++ b/radvd.te
@@ -22,7 +22,7 @@ files_pid_file(radvd_var_run_t)
@@ -85966,7 +86079,7 @@ index 6d162e4e6..502ca16ba 100644
#
-allow radvd_t self:capability { kill setgid setuid net_raw net_admin };
-+allow radvd_t self:capability { kill setgid setuid net_raw net_admin dac_read_search dac_override };
++allow radvd_t self:capability { kill setgid setuid net_raw net_admin dac_read_search };
dontaudit radvd_t self:capability sys_tty_config;
allow radvd_t self:process signal_perms;
allow radvd_t self:fifo_file rw_fifo_file_perms;
@@ -86224,7 +86337,7 @@ index 951db7f1b..00e699da4 100644
+ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf.anacbak")
')
diff --git a/raid.te b/raid.te
-index c99753f2c..55294acec 100644
+index c99753f2c..082d5f686 100644
--- a/raid.te
+++ b/raid.te
@@ -15,54 +15,104 @@ role mdadm_roles types mdadm_t;
@@ -86258,7 +86371,7 @@ index c99753f2c..55294acec 100644
-allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
-dontaudit mdadm_t self:capability sys_tty_config;
-allow mdadm_t self:process { getsched setsched signal_perms };
-+allow mdadm_t self:capability { dac_read_search dac_override sys_admin ipc_lock };
++allow mdadm_t self:capability { dac_read_search sys_admin ipc_lock };
+dontaudit mdadm_t self:capability { sys_tty_config sys_ptrace };
+allow mdadm_t self:process { getsched setsched sigchld sigkill sigstop signull signal };
allow mdadm_t self:fifo_file rw_fifo_file_perms;
@@ -87304,7 +87417,7 @@ index 661bb88fd..06f69c4ad 100644
+')
+
diff --git a/readahead.te b/readahead.te
-index c0b02c91c..af81d71a7 100644
+index c0b02c91c..df24ae78e 100644
--- a/readahead.te
+++ b/readahead.te
@@ -15,6 +15,7 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t;
@@ -87315,6 +87428,15 @@ index c0b02c91c..af81d71a7 100644
init_daemon_run_dir(readahead_var_run_t, "readahead")
########################################
+@@ -22,7 +23,7 @@ init_daemon_run_dir(readahead_var_run_t, "readahead")
+ # Local policy
+ #
+
+-allow readahead_t self:capability { sys_admin fowner dac_override dac_read_search };
++allow readahead_t self:capability { sys_admin fowner dac_read_search };
+ dontaudit readahead_t self:capability { net_admin sys_tty_config };
+ allow readahead_t self:process { setsched signal_perms };
+
@@ -31,13 +32,18 @@ manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
manage_dirs_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
@@ -88146,7 +88268,7 @@ index a9ce68e33..92520aa92 100644
+ allow $1 remote_login_t:process signull;
')
diff --git a/remotelogin.te b/remotelogin.te
-index ae308717f..15a669cd4 100644
+index ae308717f..c627cdf7d 100644
--- a/remotelogin.te
+++ b/remotelogin.te
@@ -10,81 +10,89 @@ domain_interactive_fd(remote_login_t)
@@ -88163,7 +88285,7 @@ index ae308717f..15a669cd4 100644
#
-allow remote_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
-+allow remote_login_t self:capability { dac_read_search dac_read_search dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
++allow remote_login_t self:capability { dac_read_search dac_read_search chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow remote_login_t self:process { setrlimit setexec };
allow remote_login_t self:fd use;
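Review bot: The new capability set for remote_login_t still lists `dac_read_search` twice; the edit removes dac_override but carries the duplicate over from the old line. As this line is being rewritten anyway, the set could start `{ dac_read_search chown fowner fsetid ...` with a single entry. The duplicate grants nothing extra, but it makes it harder to spot a domain that really differs when grepping these capability sets.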
@@ -88262,7 +88384,7 @@ index ae308717f..15a669cd4 100644
')
diff --git a/resmgr.te b/resmgr.te
-index f6eb358ad..b6319191c 100644
+index f6eb358ad..472496379 100644
--- a/resmgr.te
+++ b/resmgr.te
@@ -23,7 +23,7 @@ files_pid_file(resmgrd_var_run_t)
@@ -88270,7 +88392,7 @@ index f6eb358ad..b6319191c 100644
#
-allow resmgrd_t self:capability { dac_override sys_admin sys_rawio };
-+allow resmgrd_t self:capability { dac_read_search dac_override sys_admin sys_rawio };
++allow resmgrd_t self:capability { dac_read_search sys_admin sys_rawio };
dontaudit resmgrd_t self:capability sys_tty_config;
allow resmgrd_t self:process signal_perms;
@@ -88518,7 +88640,7 @@ index 1c2f9aa12..a4133dc92 100644
+ allow $1 rgmanager_var_lib_t:dir search_dir_perms;
+')
diff --git a/rgmanager.te b/rgmanager.te
-index c8a1e16e4..f9d6fb341 100644
+index c8a1e16e4..8804d048a 100644
--- a/rgmanager.te
+++ b/rgmanager.te
@@ -6,10 +6,9 @@ policy_module(rgmanager, 1.3.0)
@@ -88554,7 +88676,7 @@ index c8a1e16e4..f9d6fb341 100644
#
-allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
-+allow rgmanager_t self:capability { dac_read_search dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
++allow rgmanager_t self:capability { dac_read_search net_raw sys_resource sys_admin sys_nice ipc_lock };
allow rgmanager_t self:process { setsched signal };
+
allow rgmanager_t self:fifo_file rw_fifo_file_perms;
@@ -89754,7 +89876,7 @@ index c8bdea28d..beb2872e3 100644
+ allow $1 haproxy_unit_file_t:service {status start};
')
diff --git a/rhcs.te b/rhcs.te
-index 6cf79c449..0dbfae6d5 100644
+index 6cf79c449..14be26dce 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -20,6 +20,35 @@ gen_tunable(fenced_can_network_connect, false)
@@ -89874,7 +89996,7 @@ index 6cf79c449..0dbfae6d5 100644
+# cluster domain local policy
+#
+
-+allow cluster_t self:capability { dac_read_search dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock ipc_owner };
++allow cluster_t self:capability { dac_read_search fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock ipc_owner };
+# for hearbeat
+allow cluster_t self:capability { net_raw chown };
+allow cluster_t self:capability2 block_suspend;
@@ -90094,7 +90216,7 @@ index 6cf79c449..0dbfae6d5 100644
#
-allow dlm_controld_t self:capability { net_admin sys_admin sys_resource };
-+allow dlm_controld_t self:capability { dac_read_search dac_override net_admin sys_admin sys_resource };
++allow dlm_controld_t self:capability { dac_read_search net_admin sys_admin sys_resource };
allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
+files_pid_filetrans(dlm_controld_t, dlm_controld_var_run_t, dir)
@@ -90296,7 +90418,7 @@ index 6cf79c449..0dbfae6d5 100644
+#
+
+# bug in haproxy and process vs pid owner
-+allow haproxy_t self:capability { dac_read_search dac_override kill };
++allow haproxy_t self:capability { dac_read_search kill };
+
+allow haproxy_t self:capability { chown fowner setgid setuid sys_chroot sys_resource net_admin net_raw };
+allow haproxy_t self:capability2 block_suspend;
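Review bot: The comment `# bug in haproxy and process vs pid owner` sits above a rule that now grants only dac_read_search and kill, and it does not say which capability the workaround depends on. If the workaround involved writing a pid file owned by another user, dac_read_search would not cover it. That cannot be confirmed from this hunk. I would extend the comment to name the access that is needed, for example `# pid file is owned by a different user than the process: needs kill plus DAC read/search (confirm no write bypass is required)`.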
@@ -91591,7 +91713,7 @@ index 2ab3ed1d4..23d579cde 100644
role_transition $2 ricci_initrc_exec_t system_r;
allow $2 system_r;
diff --git a/ricci.te b/ricci.te
-index 0ba2569a5..161850d41 100644
+index 0ba2569a5..98b952398 100644
--- a/ricci.te
+++ b/ricci.te
@@ -115,7 +115,6 @@ kernel_read_system_state(ricci_t)
@@ -91697,7 +91819,7 @@ index 0ba2569a5..161850d41 100644
#
-allow ricci_modservice_t self:capability { dac_override sys_nice };
-+allow ricci_modservice_t self:capability {dac_read_search dac_override sys_nice };
++allow ricci_modservice_t self:capability {dac_read_search sys_nice };
allow ricci_modservice_t self:process setsched;
allow ricci_modservice_t self:fifo_file rw_fifo_file_perms;
@@ -92089,7 +92211,7 @@ index 050479dea..0e1b364fb 100644
type rlogind_home_t;
')
diff --git a/rlogin.te b/rlogin.te
-index ee2794858..34d2ee96f 100644
+index ee2794858..248d080f6 100644
--- a/rlogin.te
+++ b/rlogin.te
@@ -31,10 +31,12 @@ files_pid_file(rlogind_var_run_t)
@@ -92097,7 +92219,7 @@ index ee2794858..34d2ee96f 100644
#
-allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
-+allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_read_search dac_override };
++allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_read_search };
allow rlogind_t self:process signal_perms;
allow rlogind_t self:fifo_file rw_fifo_file_perms;
-allow rlogind_t self:tcp_socket { accept listen };
@@ -93077,7 +93199,7 @@ index 0bf13c220..79a2a9c48 100644
+ allow $1 gssd_t:process { noatsecure rlimitinh };
+')
diff --git a/rpc.te b/rpc.te
-index 2da9fca2f..49c37e8ea 100644
+index 2da9fca2f..9099c9800 100644
--- a/rpc.te
+++ b/rpc.te
@@ -6,22 +6,27 @@ policy_module(rpc, 1.15.1)
@@ -93201,7 +93323,7 @@ index 2da9fca2f..49c37e8ea 100644
#
-allow rpcd_t self:capability { setpcap sys_admin chown dac_override setgid setuid };
-+allow rpcd_t self:capability { setpcap sys_admin chown dac_read_search dac_override setgid setuid };
++allow rpcd_t self:capability { setpcap sys_admin chown dac_read_search setgid setuid };
allow rpcd_t self:capability2 block_suspend;
+
allow rpcd_t self:process { getcap setcap };
@@ -93282,10 +93404,12 @@ index 2da9fca2f..49c37e8ea 100644
')
########################################
-@@ -202,41 +232,63 @@ optional_policy(`
+@@ -201,42 +231,64 @@ optional_policy(`
+ # NFSD local policy
#
- allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
+-allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
++allow nfsd_t self:capability { dac_read_search sys_admin sys_resource };
+dontaudit nfsd_t self:capability sys_rawio;
allow nfsd_t exports_t:file read_file_perms;
@@ -93384,7 +93508,7 @@ index 2da9fca2f..49c37e8ea 100644
#
-allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
-+allow gssd_t self:capability { dac_override dac_read_search setuid setgid sys_nice };
++allow gssd_t self:capability { dac_read_search setuid setgid sys_nice };
allow gssd_t self:process { getsched setsched };
allow gssd_t self:fifo_file rw_fifo_file_perms;
@@ -94476,7 +94600,7 @@ index ef3b22507..79518530e 100644
admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t })
diff --git a/rpm.te b/rpm.te
-index 6fc360e60..219964375 100644
+index 6fc360e60..32a4ca12d 100644
--- a/rpm.te
+++ b/rpm.te
@@ -1,15 +1,13 @@
@@ -94539,7 +94663,7 @@ index 6fc360e60..219964375 100644
-allow rpm_t self:capability { chown dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
+allow rpm_t self:capability2 block_suspend;
-+allow rpm_t self:capability { chown dac_read_search dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
++allow rpm_t self:capability { chown dac_read_search fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
allow rpm_t self:process { getattr setexec setfscreate setrlimit };
allow rpm_t self:fd use;
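Review bot: Dropping dac_override from rpm_t leaves the package manager with only the read/search DAC bypass, while the rest of the set (chown, fowner, fsetid, setfcap, mknod) shows that this domain creates and modifies files. If a transaction ever writes into a directory or file whose mode bits deny root write access, that now becomes an AVC denial and probably a failed install. The rpm_script_t hunk that follows makes the same change and carries the same risk. Nothing visible here shows these two domains were exercised after the change, so I would either keep `dac_override` for them or add a comment above each rule recording that the capability was removed on purpose.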
@@ -94732,10 +94856,12 @@ index 6fc360e60..219964375 100644
')
########################################
-@@ -239,18 +252,20 @@ optional_policy(`
+@@ -238,19 +251,21 @@ optional_policy(`
+ # rpm-script Local policy
#
- allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin };
+-allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin };
++allow rpm_script_t self:capability { chown dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin };
+
allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
allow rpm_script_t self:fd use;
@@ -95010,7 +95136,7 @@ index 7ad29c046..2e87d76b4 100644
domtrans_pattern($1, rshd_exec_t, rshd_t)
')
diff --git a/rshd.te b/rshd.te
-index 864e089a0..f919bc537 100644
+index 864e089a0..f9ad3ab47 100644
--- a/rshd.te
+++ b/rshd.te
@@ -4,11 +4,12 @@ policy_module(rshd, 1.8.1)
@@ -95035,7 +95161,7 @@ index 864e089a0..f919bc537 100644
-
-allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override };
-allow rshd_t self:process { signal_perms setsched setpgid setexec };
-+allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_read_search dac_override };
++allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_read_search };
+allow rshd_t self:process { signal_perms fork setsched setpgid setexec };
allow rshd_t self:fifo_file rw_fifo_file_perms;
allow rshd_t self:tcp_socket create_stream_socket_perms;
@@ -95434,7 +95560,7 @@ index f1140efe4..642e062f4 100644
+ files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock")
')
diff --git a/rsync.te b/rsync.te
-index abeb302a7..b27a47979 100644
+index abeb302a7..55ee48de0 100644
--- a/rsync.te
+++ b/rsync.te
@@ -6,67 +6,46 @@ policy_module(rsync, 1.13.0)
@@ -95524,8 +95650,12 @@ index abeb302a7..b27a47979 100644
files_type(rsync_data_t)
type rsync_log_t;
-@@ -86,15 +65,25 @@ files_pid_file(rsync_var_run_t)
- allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot };
+@@ -83,18 +62,28 @@ files_pid_file(rsync_var_run_t)
+ # Local policy
+ #
+
+-allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot };
++allow rsync_t self:capability { chown dac_read_search fowner fsetid setuid setgid sys_chroot };
allow rsync_t self:process signal_perms;
allow rsync_t self:fifo_file rw_fifo_file_perms;
-allow rsync_t self:tcp_socket { accept listen };
@@ -95624,7 +95754,7 @@ index abeb302a7..b27a47979 100644
+')
+
+tunable_policy(`rsync_full_access',`
-+ allow rsync_t self:capability { dac_override dac_read_search };
++ allow rsync_t self:capability { dac_read_search };
+ files_manage_non_auth_files(rsync_t)
')
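Review bot: Inside the `rsync_full_access` tunable the capability rule is now `allow rsync_t self:capability { dac_read_search };`, which adds nothing. The unconditional rule earlier in rsync.te, `allow rsync_t self:capability { chown dac_read_search fowner fsetid setuid setgid sys_chroot };`, already grants it. The boolean still grants `files_manage_non_auth_files(rsync_t)`, but without `dac_override` a root rsync daemon is held to the mode bits for writes, so "full access" now means SELinux access only. If that is intended, delete the redundant line and state the limit in the boolean's description; otherwise keep `dac_override` under this boolean alone, where the administrator has opted in. The tunable block starts outside the hunk.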
@@ -97090,7 +97220,7 @@ index 50d07fb2e..a34db489c 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
-index 2b7c441e7..5d52fba0f 100644
+index 2b7c441e7..8f17d3b19 100644
--- a/samba.te
+++ b/samba.te
@@ -6,99 +6,86 @@ policy_module(samba, 1.16.3)
@@ -97318,7 +97448,8 @@ index 2b7c441e7..5d52fba0f 100644
+# Samba net local policy
#
-
- allow samba_net_t self:capability { sys_chroot sys_nice dac_read_search dac_override };
+-allow samba_net_t self:capability { sys_chroot sys_nice dac_read_search dac_override };
++allow samba_net_t self:capability { sys_chroot sys_nice dac_read_search };
allow samba_net_t self:capability2 block_suspend;
allow samba_net_t self:process { getsched setsched };
-allow samba_net_t self:unix_stream_socket { accept listen };
@@ -97407,7 +97538,7 @@ index 2b7c441e7..5d52fba0f 100644
#
-allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search };
-+allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search net_admin };
++allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_read_search net_admin };
dontaudit smbd_t self:capability sys_tty_config;
-allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
+dontaudit smbd_t self:capability2 block_suspend;
@@ -97740,7 +97871,7 @@ index 2b7c441e7..5d52fba0f 100644
+userdom_home_filetrans_user_home_dir(smbd_t)
+
+tunable_policy(`samba_export_all_ro',`
-+ allow nmbd_t self:capability { dac_read_search dac_override };
++ allow nmbd_t self:capability { dac_read_search };
+ fs_read_noxattr_fs_files(smbd_t)
+ files_read_non_security_files(smbd_t)
+ files_dontaudit_list_security_dirs(smbd_t)
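Review bot: The capability rule in the `samba_export_all_ro` block is granted to `nmbd_t`, while every other rule in the block targets `smbd_t`; the `samba_export_all_rw` block in the next hunk has the same mismatch. Since this commit edits both lines, it is worth confirming which domain was meant, because as written the export booleans hand a DAC-bypass capability to a domain that gets no file access from them. If `smbd_t` was intended, the line becomes `allow smbd_t self:capability { dac_read_search };`, which the unconditional `smbd_t` rule in this file already covers, so the conditional line could simply be dropped. Both tunable blocks run past the end of their hunks.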
@@ -97754,7 +97885,7 @@ index 2b7c441e7..5d52fba0f 100644
+')
+
+tunable_policy(`samba_export_all_rw',`
-+ allow nmbd_t self:capability { dac_read_search dac_override };
++ allow nmbd_t self:capability { dac_read_search };
+ fs_manage_noxattr_fs_files(smbd_t)
+ files_manage_non_security_files(smbd_t)
+ files_manage_non_security_dirs(smbd_t)
@@ -97959,7 +98090,7 @@ index 2b7c441e7..5d52fba0f 100644
-allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown };
-allow smbmount_t self:process signal_perms;
-allow smbmount_t self:tcp_socket { accept listen };
-+allow smbmount_t self:capability { sys_rawio sys_admin dac_read_search dac_override chown }; # FIXME: is all of this really necessary?
++allow smbmount_t self:capability { sys_rawio sys_admin dac_read_search chown }; # FIXME: is all of this really necessary?
+allow smbmount_t self:process { fork signal_perms };
+allow smbmount_t self:tcp_socket create_stream_socket_perms;
+allow smbmount_t self:udp_socket connect;
@@ -98056,7 +98187,7 @@ index 2b7c441e7..5d52fba0f 100644
#
-allow swat_t self:capability { dac_override setuid setgid sys_resource };
-+allow swat_t self:capability { dac_read_search dac_override setuid setgid sys_resource };
++allow swat_t self:capability { dac_read_search setuid setgid sys_resource };
+allow swat_t self:capability2 block_suspend;
allow swat_t self:process { setrlimit signal_perms };
allow swat_t self:fifo_file rw_fifo_file_perms;
@@ -98196,7 +98327,7 @@ index 2b7c441e7..5d52fba0f 100644
-allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
-dontaudit winbind_t self:capability sys_tty_config;
-+allow winbind_t self:capability { kill dac_read_search dac_override ipc_lock setuid sys_nice };
++allow winbind_t self:capability { kill dac_read_search ipc_lock setuid sys_nice };
+allow winbind_t self:capability2 block_suspend;
+dontaudit winbind_t self:capability { net_admin sys_tty_config };
allow winbind_t self:process { signal_perms getsched setsched };
@@ -98441,7 +98572,7 @@ index 2b7c441e7..5d52fba0f 100644
+ can_exec(smbd_t, samba_unconfined_script_exec_t)
')
diff --git a/sambagui.te b/sambagui.te
-index e18b0a284..1b1db014d 100644
+index e18b0a284..fc24be67c 100644
--- a/sambagui.te
+++ b/sambagui.te
@@ -18,7 +18,7 @@ role sambagui_roles types sambagui_t;
@@ -98449,7 +98580,7 @@ index e18b0a284..1b1db014d 100644
#
-allow sambagui_t self:capability dac_override;
-+allow sambagui_t self:capability { dac_read_search dac_override };
++allow sambagui_t self:capability { dac_read_search };
allow sambagui_t self:fifo_file rw_fifo_file_perms;
kernel_read_system_state(sambagui_t)
@@ -98496,9 +98627,18 @@ index f0236d67d..37665a1b6 100644
########################################
diff --git a/samhain.te b/samhain.te
-index c41ce4bff..8837e4c41 100644
+index c41ce4bff..4b010abe6 100644
--- a/samhain.te
+++ b/samhain.te
+@@ -48,7 +48,7 @@ ifdef(`enable_mls',`
+ # Common samhain domain local policy
+ #
+
+-allow samhain_domain self:capability { dac_override dac_read_search fowner ipc_lock };
++allow samhain_domain self:capability { dac_read_search fowner ipc_lock };
+ dontaudit samhain_domain self:capability { sys_resource sys_ptrace };
+ allow samhain_domain self:fd use;
+ allow samhain_domain self:process { setsched setrlimit signull };
@@ -88,8 +88,6 @@ auth_read_login_records(samhain_domain)
init_read_utmp(samhain_domain)
@@ -99891,7 +100031,7 @@ index cd6c213d2..6d3cdc4d9 100644
+ ')
')
diff --git a/sanlock.te b/sanlock.te
-index 0045465a0..ee3b9930a 100644
+index 0045465a0..8bd1398d1 100644
--- a/sanlock.te
+++ b/sanlock.te
@@ -6,25 +6,44 @@ policy_module(sanlock, 1.1.0)
@@ -99968,7 +100108,7 @@ index 0045465a0..ee3b9930a 100644
#
-
-allow sanlock_t self:capability { chown dac_override ipc_lock kill setgid setuid sys_nice sys_resource };
-+allow sanlock_t self:capability { chown dac_read_search dac_override ipc_lock kill setgid setuid sys_nice sys_resource };
++allow sanlock_t self:capability { chown dac_read_search ipc_lock kill setgid setuid sys_nice sys_resource };
allow sanlock_t self:process { setrlimit setsched signull signal sigkill };
+
allow sanlock_t self:fifo_file rw_fifo_file_perms;
@@ -100071,7 +100211,7 @@ index 0045465a0..ee3b9930a 100644
+# sanlk_resetd local policy
+#
+
-+allow sanlk_resetd_t self:capability { dac_read_search dac_override };
++allow sanlk_resetd_t self:capability { dac_read_search };
+allow sanlk_resetd_t self:fifo_file rw_fifo_file_perms;
+allow sanlk_resetd_t sanlock_t:unix_stream_socket connectto;
+
@@ -100145,7 +100285,7 @@ index 8c3c151cb..93b722789 100644
domain_system_change_exemption($1)
role_transition $2 saslauthd_initrc_exec_t system_r;
diff --git a/sasl.te b/sasl.te
-index 6c3bc2059..eb05a4920 100644
+index 6c3bc2059..accb664a4 100644
--- a/sasl.te
+++ b/sasl.te
@@ -6,12 +6,11 @@ policy_module(sasl, 1.15.1)
@@ -100240,7 +100380,7 @@ index 6c3bc2059..eb05a4920 100644
-tunable_policy(`allow_saslauthd_read_shadow',`
- allow saslauthd_t self:capability dac_override;
+tunable_policy(`saslauthd_read_shadow',`
-+ allow saslauthd_t self:capability { dac_read_search dac_override };
++ allow saslauthd_t self:capability { dac_read_search };
auth_tunable_read_shadow(saslauthd_t)
')
@@ -100406,7 +100546,7 @@ index 000000000..7a058a82a
+')
diff --git a/sbd.te b/sbd.te
new file mode 100644
-index 000000000..55576aaf6
+index 000000000..01266ebaf
--- /dev/null
+++ b/sbd.te
@@ -0,0 +1,55 @@
@@ -100431,7 +100571,7 @@ index 000000000..55576aaf6
+#
+# sbd local policy
+#
-+allow sbd_t self:capability { dac_read_search dac_override ipc_lock sys_boot sys_nice sys_admin};
++allow sbd_t self:capability { dac_read_search ipc_lock sys_boot sys_nice sys_admin};
+allow sbd_t self:process { fork setsched signal_perms };
+allow sbd_t self:fifo_file rw_fifo_file_perms;
+allow sbd_t self:unix_stream_socket create_stream_socket_perms;
@@ -100675,7 +100815,7 @@ index 98c9e0a88..562666e06 100644
files_search_pids($1)
admin_pattern($1, sblim_var_run_t)
diff --git a/sblim.te b/sblim.te
-index 299756bc8..5719ae912 100644
+index 299756bc8..936d9c0dd 100644
--- a/sblim.te
+++ b/sblim.te
@@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0)
@@ -100757,7 +100897,7 @@ index 299756bc8..5719ae912 100644
-allow sblim_gatherd_t self:capability dac_override;
-allow sblim_gatherd_t self:process signal;
-+allow sblim_gatherd_t self:capability { dac_read_search dac_override sys_nice sys_ptrace };
++allow sblim_gatherd_t self:capability { dac_read_search sys_nice sys_ptrace };
+allow sblim_gatherd_t self:process { setsched signal };
allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
allow sblim_gatherd_t self:unix_stream_socket { accept listen };
@@ -101009,7 +101149,7 @@ index be5cce2d3..b81f5dfef 100644
+')
+
diff --git a/screen.te b/screen.te
-index 5466a7327..33598f3b3 100644
+index 5466a7327..0ae2eef60 100644
--- a/screen.te
+++ b/screen.te
@@ -5,9 +5,7 @@ policy_module(screen, 2.6.0)
@@ -101045,7 +101185,7 @@ index 5466a7327..33598f3b3 100644
-allow screen_domain self:capability { setuid setgid fsetid };
+allow screen_domain self:capability { fsetid setgid setuid sys_tty_config };
-+dontaudit screen_domain self:capability { dac_read_search dac_override };
++dontaudit screen_domain self:capability { dac_read_search };
allow screen_domain self:process signal_perms;
-allow screen_domain self:fd use;
allow screen_domain self:fifo_file rw_fifo_file_perms;
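Review bot: Removing `dac_override` from a `dontaudit` rule, as in `dontaudit screen_domain self:capability { dac_read_search };`, takes no privilege away; it only makes the denial show up in the audit log again. The same applies to the `smokeping_t` dontaudit line and to the deleted `dontaudit spamd_update_t self:capability dac_override;` further down. If the aim is to collect AVCs and learn which domains still request the capability, a comment such as `# dac_override denials left audited on purpose` would record that. If not, expect extra audit noise from these three domains and consider leaving the dontaudit rules as they were.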
@@ -101193,7 +101333,7 @@ index c78a569c3..900745118 100644
- allow sectoolm_t $2:unix_dgram_socket sendto;
-')
diff --git a/sectoolm.te b/sectoolm.te
-index 4bc8c13ea..e05d74d48 100644
+index 4bc8c13ea..c30b36dbc 100644
--- a/sectoolm.te
+++ b/sectoolm.te
@@ -7,7 +7,7 @@ policy_module(sectoolm, 1.1.0)
@@ -101214,7 +101354,7 @@ index 4bc8c13ea..e05d74d48 100644
#
-allow sectoolm_t self:capability { dac_override net_admin sys_nice };
-+allow sectoolm_t self:capability { dac_read_search dac_override net_admin sys_nice sys_ptrace };
++allow sectoolm_t self:capability { dac_read_search net_admin sys_nice sys_ptrace };
allow sectoolm_t self:process { getcap getsched signull setsched };
dontaudit sectoolm_t self:process { execstack execmem };
allow sectoolm_t self:fifo_file rw_fifo_file_perms;
@@ -101597,7 +101737,7 @@ index 35ad2a733..afdc7da29 100644
+ admin_pattern($1, mail_spool_t)
')
diff --git a/sendmail.te b/sendmail.te
-index 12700b413..8ba299515 100644
+index 12700b413..debacc88b 100644
--- a/sendmail.te
+++ b/sendmail.te
@@ -37,21 +37,23 @@ role sendmail_unconfined_roles types unconfined_sendmail_t;
@@ -101609,7 +101749,7 @@ index 12700b413..8ba299515 100644
#
-allow sendmail_t self:capability { dac_override setuid setgid sys_nice chown sys_tty_config };
-+allow sendmail_t self:capability { dac_read_search dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config };
++allow sendmail_t self:capability { dac_read_search setuid setgid net_bind_service sys_nice chown sys_tty_config };
+dontaudit sendmail_t self:capability net_admin;
+dontaudit sendmail_t self:capability2 block_suspend;
allow sendmail_t self:process { setsched setpgid setrlimit signal signull };
@@ -102376,7 +102516,7 @@ index 000000000..c9d2d9c42
+
diff --git a/sge.te b/sge.te
new file mode 100644
-index 000000000..1c1ec06e5
+index 000000000..0b167701a
--- /dev/null
+++ b/sge.te
@@ -0,0 +1,196 @@
@@ -102426,7 +102566,7 @@ index 000000000..1c1ec06e5
+# sge_execd local policy
+#
+
-+allow sge_execd_t self:capability { dac_read_search dac_override kill setuid chown setgid };
++allow sge_execd_t self:capability { dac_read_search kill setuid chown setgid };
+allow sge_execd_t self:process { setsched signal setpgid };
+
+allow sge_execd_t sge_shepherd_t:process signal;
@@ -102459,7 +102599,7 @@ index 000000000..1c1ec06e5
+# sge_shepherd local policy
+#
+
-+allow sge_shepherd_t self:capability { setuid sys_nice chown kill setgid dac_read_search dac_override };
++allow sge_shepherd_t self:capability { setuid sys_nice chown kill setgid dac_read_search };
+allow sge_shepherd_t self:process { setsched setrlimit setpgid };
+allow sge_shepherd_t self:process signal_perms;
+
@@ -102760,7 +102900,7 @@ index 1aeef8ac3..d5ce40a96 100644
admin_pattern($1, shorewall_etc_t)
diff --git a/shorewall.te b/shorewall.te
-index 7710b9f76..04af4ec4d 100644
+index 7710b9f76..fbf1ac1a0 100644
--- a/shorewall.te
+++ b/shorewall.te
@@ -32,8 +32,9 @@ logging_log_file(shorewall_log_t)
@@ -102768,7 +102908,7 @@ index 7710b9f76..04af4ec4d 100644
#
-allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_admin };
-+allow shorewall_t self:capability { dac_read_search dac_override net_admin net_raw setuid setgid sys_nice sys_admin };
++allow shorewall_t self:capability { dac_read_search net_admin net_raw setuid setgid sys_nice sys_admin };
dontaudit shorewall_t self:capability sys_tty_config;
+allow shorewall_t self:process signal_perms;
allow shorewall_t self:fifo_file rw_fifo_file_perms;
@@ -102996,7 +103136,7 @@ index d1706bf87..3aa7c9fd1 100644
##
##
diff --git a/shutdown.te b/shutdown.te
-index e2544e147..2196974f5 100644
+index e2544e147..4f0e2a974 100644
--- a/shutdown.te
+++ b/shutdown.te
@@ -24,7 +24,7 @@ files_pid_file(shutdown_var_run_t)
@@ -103004,7 +103144,7 @@ index e2544e147..2196974f5 100644
#
-allow shutdown_t self:capability { dac_override kill setuid sys_nice sys_tty_config };
-+allow shutdown_t self:capability { dac_read_search dac_override kill setuid sys_nice sys_tty_config };
++allow shutdown_t self:capability { dac_read_search kill setuid sys_nice sys_tty_config };
allow shutdown_t self:process { setsched signal signull };
allow shutdown_t self:fifo_file manage_fifo_file_perms;
allow shutdown_t self:unix_stream_socket create_stream_socket_perms;
@@ -103045,9 +103185,18 @@ index e2544e147..2196974f5 100644
+ xserver_xdm_append_log(shutdown_t)
')
diff --git a/slocate.te b/slocate.te
-index 7292dc064..26fc8f4bc 100644
+index 7292dc064..bd269f1f2 100644
--- a/slocate.te
+++ b/slocate.te
+@@ -20,7 +20,7 @@ files_pid_file(locate_var_run_t)
+ # Local policy
+ #
+
+-allow locate_t self:capability { chown dac_read_search dac_override fowner fsetid };
++allow locate_t self:capability { chown dac_read_search fowner fsetid };
+ allow locate_t self:process { execmem execheap execstack signal setsched };
+ allow locate_t self:fifo_file rw_fifo_file_perms;
+ allow locate_t self:unix_stream_socket create_socket_perms;
@@ -44,8 +44,12 @@ dev_getattr_all_blk_files(locate_t)
dev_getattr_all_chr_files(locate_t)
@@ -103233,7 +103382,7 @@ index e0644b5cf..ea347ccd5 100644
domain_system_change_exemption($1)
role_transition $2 fsdaemon_initrc_exec_t system_r;
diff --git a/smartmon.te b/smartmon.te
-index 9cf6582d2..052179c3f 100644
+index 9cf6582d2..730889136 100644
--- a/smartmon.te
+++ b/smartmon.te
@@ -38,7 +38,7 @@ ifdef(`enable_mls',`
@@ -103241,7 +103390,7 @@ index 9cf6582d2..052179c3f 100644
#
-allow fsdaemon_t self:capability { dac_override kill setpcap setgid sys_rawio sys_admin };
-+allow fsdaemon_t self:capability { dac_read_search dac_override kill setpcap setgid sys_rawio sys_admin };
++allow fsdaemon_t self:capability { dac_read_search kill setpcap setgid sys_rawio sys_admin };
dontaudit fsdaemon_t self:capability sys_tty_config;
allow fsdaemon_t self:process { getcap setcap signal_perms };
allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
@@ -103344,13 +103493,15 @@ index 1fa51c11f..82e111c80 100644
smokeping_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/smokeping.te b/smokeping.te
-index ec031a031..61a9f8c08 100644
+index ec031a031..26325cbda 100644
--- a/smokeping.te
+++ b/smokeping.te
-@@ -24,6 +24,7 @@ files_type(smokeping_var_lib_t)
+@@ -23,7 +23,8 @@ files_type(smokeping_var_lib_t)
+ # Local policy
#
- dontaudit smokeping_t self:capability { dac_read_search dac_override };
+-dontaudit smokeping_t self:capability { dac_read_search dac_override };
++dontaudit smokeping_t self:capability { dac_read_search };
+allow smokeping_t self:process signal_perms;
allow smokeping_t self:fifo_file rw_fifo_file_perms;
allow smokeping_t self:unix_stream_socket { accept listen };
@@ -104009,7 +104160,7 @@ index 000000000..88490d5c6
+
diff --git a/snapper.te b/snapper.te
new file mode 100644
-index 000000000..5c2cbe02d
+index 000000000..11b39923c
--- /dev/null
+++ b/snapper.te
@@ -0,0 +1,83 @@
@@ -104038,7 +104189,7 @@ index 000000000..5c2cbe02d
+# snapperd local policy
+#
+
-+allow snapperd_t self:capability { dac_read_search dac_override sys_admin };
++allow snapperd_t self:capability { dac_read_search sys_admin };
+allow snapperd_t self:process setsched;
+
+allow snapperd_t self:fifo_file rw_fifo_file_perms;
@@ -104261,7 +104412,7 @@ index 7a9cc9df7..23cb6589e 100644
init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/snmp.te b/snmp.te
-index 9dcaeb875..e8446db05 100644
+index 9dcaeb875..9cc669708 100644
--- a/snmp.te
+++ b/snmp.te
@@ -26,15 +26,17 @@ files_type(snmpd_var_lib_t)
@@ -104269,7 +104420,7 @@ index 9dcaeb875..e8446db05 100644
#
-allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace };
-+allow snmpd_t self:capability { chown dac_read_search dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace };
++allow snmpd_t self:capability { chown dac_read_search kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace };
+
dontaudit snmpd_t self:capability { sys_module sys_tty_config };
allow snmpd_t self:process { signal_perms getsched setsched };
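Review bot: The rewritten `allow snmpd_t self:capability` rule still lists `sys_tty_config`, and the context line after it is `dontaudit snmpd_t self:capability { sys_module sys_tty_config };`, so the dontaudit entry for that permission has no effect. The `spamd_t` hunk in spamassassin.te has the same allow/dontaudit pair for `sys_tty_config`. While these lines are being edited, decide which of the two is meant. If the capability is not needed, drop it from the allow rule; otherwise reduce the dontaudit to `dontaudit snmpd_t self:capability sys_module;`.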
@@ -104394,7 +104545,7 @@ index 7d86b3485..5f581804e 100644
+ files_list_pids($1)
')
diff --git a/snort.te b/snort.te
-index 1af72df55..d545f2aea 100644
+index 1af72df55..dc8379039 100644
--- a/snort.te
+++ b/snort.te
@@ -29,13 +29,16 @@ files_pid_file(snort_var_run_t)
@@ -104402,7 +104553,7 @@ index 1af72df55..d545f2aea 100644
#
-allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
-+allow snort_t self:capability { setgid setuid net_admin net_raw dac_read_search dac_override };
++allow snort_t self:capability { setgid setuid net_admin net_raw dac_read_search };
dontaudit snort_t self:capability sys_tty_config;
allow snort_t self:process signal_perms;
+allow snort_t self:netlink_route_socket create_netlink_socket_perms;
@@ -104495,7 +104646,7 @@ index 634c6b4fa..f6db7a796 100644
+')
+
diff --git a/sosreport.te b/sosreport.te
-index f2f507dae..0ac6752b4 100644
+index f2f507dae..7429d39a0 100644
--- a/sosreport.te
+++ b/sosreport.te
@@ -13,15 +13,15 @@ type sosreport_exec_t;
@@ -104522,7 +104673,7 @@ index f2f507dae..0ac6752b4 100644
#
-allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override };
-+allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_read_search dac_override };
++allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_read_search };
dontaudit sosreport_t self:capability sys_ptrace;
-allow sosreport_t self:process { setsched signull };
+allow sosreport_t self:process { setpgid setsched signal_perms };
@@ -104733,7 +104884,7 @@ index a5abc5a8d..b9eff74cb 100644
domain_system_change_exemption($1)
role_transition $2 soundd_initrc_exec_t system_r;
diff --git a/soundserver.te b/soundserver.te
-index 0919e0c86..df28aadba 100644
+index 0919e0c86..afe83dbf7 100644
--- a/soundserver.te
+++ b/soundserver.te
@@ -32,7 +32,7 @@ files_pid_file(soundd_var_run_t)
@@ -104741,7 +104892,7 @@ index 0919e0c86..df28aadba 100644
#
-allow soundd_t self:capability dac_override;
-+allow soundd_t self:capability { dac_read_search dac_override };
++allow soundd_t self:capability { dac_read_search };
dontaudit soundd_t self:capability sys_tty_config;
allow soundd_t self:process { setpgid signal_perms };
allow soundd_t self:shm create_shm_perms;
@@ -105291,7 +105442,7 @@ index 1499b0bbf..e695a62f3 100644
- spamassassin_role($2, $1)
')
diff --git a/spamassassin.te b/spamassassin.te
-index cc58e3578..85e9f5961 100644
+index cc58e3578..befb6796c 100644
--- a/spamassassin.te
+++ b/spamassassin.te
@@ -7,50 +7,30 @@ policy_module(spamassassin, 2.6.1)
@@ -105643,7 +105794,7 @@ index cc58e3578..85e9f5961 100644
+spamassassin_filetrans_home_content(spamc_t)
+spamassassin_filetrans_admin_home_content(spamc_t)
+# for /root/.pyzor
-+allow spamc_t self:capability { dac_read_search dac_override };
++allow spamc_t self:capability { dac_read_search };
list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
@@ -105768,7 +105919,7 @@ index cc58e3578..85e9f5961 100644
+# setuids to the user running spamc. Comment this if you are not
+# using this ability.
+
-+allow spamd_t self:capability { kill setuid setgid dac_read_search dac_override sys_tty_config };
++allow spamd_t self:capability { kill setuid setgid dac_read_search sys_tty_config };
dontaudit spamd_t self:capability sys_tty_config;
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamd_t self:fd use;
@@ -106017,7 +106168,7 @@ index cc58e3578..85e9f5961 100644
')
optional_policy(`
-@@ -474,32 +584,32 @@ optional_policy(`
+@@ -474,32 +584,31 @@ optional_policy(`
########################################
#
@@ -106029,7 +106180,6 @@ index cc58e3578..85e9f5961 100644
allow spamd_update_t self:fifo_file manage_fifo_file_perms;
allow spamd_update_t self:unix_stream_socket create_stream_socket_perms;
+allow spamd_update_t self:capability dac_read_search;
-+dontaudit spamd_update_t self:capability dac_override;
manage_dirs_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
manage_files_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
@@ -106060,7 +106210,7 @@ index cc58e3578..85e9f5961 100644
corecmd_exec_bin(spamd_update_t)
corecmd_exec_shell(spamd_update_t)
-@@ -508,25 +618,26 @@ dev_read_urand(spamd_update_t)
+@@ -508,25 +617,26 @@ dev_read_urand(spamd_update_t)
domain_use_interactive_fds(spamd_update_t)
@@ -106424,7 +106574,7 @@ index 5e1f0534c..e7820bce3 100644
domain_system_change_exemption($1)
role_transition $2 squid_initrc_exec_t system_r;
diff --git a/squid.te b/squid.te
-index 03472ed9b..9148ef5ae 100644
+index 03472ed9b..deade60a1 100644
--- a/squid.te
+++ b/squid.te
@@ -29,7 +29,7 @@ type squid_cache_t;
@@ -106464,7 +106614,7 @@ index 03472ed9b..9148ef5ae 100644
#
-allow squid_t self:capability { setgid kill setuid dac_override sys_resource };
-+allow squid_t self:capability { setgid kill setuid dac_read_search dac_override sys_resource };
++allow squid_t self:capability { setgid kill setuid dac_read_search sys_resource };
dontaudit squid_t self:capability sys_tty_config;
allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
allow squid_t self:fifo_file rw_fifo_file_perms;
@@ -107396,7 +107546,7 @@ index a24045518..47530e258 100644
- admin_pattern($1, sssd_log_t)
')
diff --git a/sssd.te b/sssd.te
-index 2d8db1fa3..a9de15cf6 100644
+index 2d8db1fa3..3bf241d0c 100644
--- a/sssd.te
+++ b/sssd.te
@@ -28,51 +28,65 @@ logging_log_file(sssd_var_log_t)
@@ -107418,7 +107568,7 @@ index 2d8db1fa3..a9de15cf6 100644
#
-allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource };
-+allow sssd_t self:capability { ipc_lock chown dac_read_search dac_override kill net_admin sys_nice fowner setgid setuid sys_admin sys_resource };
++allow sssd_t self:capability { ipc_lock chown dac_read_search kill net_admin sys_nice fowner setgid setuid sys_admin sys_resource };
allow sssd_t self:capability2 block_suspend;
-allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit };
+allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit setpgid};
@@ -107771,7 +107921,7 @@ diff --git a/systemtap.te b/stapserver.te
similarity index 63%
rename from systemtap.te
rename to stapserver.te
-index ffde36864..f33142fd5 100644
+index ffde36864..e2f0d931f 100644
--- a/systemtap.te
+++ b/stapserver.te
@@ -1,4 +1,4 @@
@@ -107812,7 +107962,7 @@ index ffde36864..f33142fd5 100644
+allow stapserver_t self:capability { setuid setgid };
+allow stapserver_t self:process setsched;
+
-+allow stapserver_t self:capability { dac_read_search dac_override kill sys_ptrace};
++allow stapserver_t self:capability { dac_read_search kill sys_ptrace};
+allow stapserver_t self:process { setrlimit signal };
+
allow stapserver_t self:fifo_file rw_fifo_file_perms;
@@ -108567,9 +108717,18 @@ index 000000000..6e39c4fff
+
+
diff --git a/sxid.te b/sxid.te
-index 01a9d0acd..154872e4b 100644
+index 01a9d0acd..4a6834400 100644
--- a/sxid.te
+++ b/sxid.te
+@@ -20,7 +20,7 @@ files_tmp_file(sxid_tmp_t)
+ # Local policy
+ #
+
+-allow sxid_t self:capability { dac_override dac_read_search fsetid };
++allow sxid_t self:capability { dac_read_search fsetid };
+ dontaudit sxid_t self:capability { setuid setgid sys_tty_config };
+ allow sxid_t self:process signal_perms;
+ allow sxid_t self:fifo_file rw_fifo_file_perms;
@@ -40,7 +40,6 @@ kernel_read_kernel_sysctls(sxid_t)
corecmd_exec_bin(sxid_t)
corecmd_exec_shell(sxid_t)
@@ -108597,7 +108756,7 @@ index 01a9d0acd..154872e4b 100644
userdom_dontaudit_use_unpriv_user_fds(sxid_t)
diff --git a/sysstat.te b/sysstat.te
-index b92f6775a..a2690e315 100644
+index b92f6775a..46c689d97 100644
--- a/sysstat.te
+++ b/sysstat.te
@@ -20,13 +20,11 @@ logging_log_file(sysstat_log_t)
@@ -108605,7 +108764,7 @@ index b92f6775a..a2690e315 100644
#
-allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_config };
-+allow sysstat_t self:capability { dac_read_search dac_override sys_admin sys_resource sys_tty_config };
++allow sysstat_t self:capability { dac_read_search sys_admin sys_resource sys_tty_config };
allow sysstat_t self:fifo_file rw_fifo_file_perms;
manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
@@ -109066,7 +109225,7 @@ index b42ec1d83..91b8f71dc 100644
tcsd_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/tcsd.te b/tcsd.te
-index b26d44a8c..5a79afdb5 100644
+index b26d44a8c..3d950454a 100644
--- a/tcsd.te
+++ b/tcsd.te
@@ -20,7 +20,7 @@ files_type(tcsd_var_lib_t)
@@ -109074,7 +109233,7 @@ index b26d44a8c..5a79afdb5 100644
#
-allow tcsd_t self:capability { dac_override setuid };
-+allow tcsd_t self:capability { dac_read_search dac_override setuid };
++allow tcsd_t self:capability { dac_read_search setuid };
allow tcsd_t self:process { signal sigkill };
allow tcsd_t self:tcp_socket { accept listen };
@@ -110139,7 +110298,7 @@ index 9afcbc95c..7b8ddb489 100644
xserver_rw_xdm_pipes(telepathy_domain)
')
diff --git a/telnet.te b/telnet.te
-index d7c863369..0d3d4392a 100644
+index d7c863369..78e6fccc2 100644
--- a/telnet.te
+++ b/telnet.te
@@ -27,19 +27,22 @@ files_pid_file(telnetd_var_run_t)
@@ -110147,7 +110306,7 @@ index d7c863369..0d3d4392a 100644
#
-allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
-+allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_read_search dac_override };
++allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_read_search };
allow telnetd_t self:process signal_perms;
allow telnetd_t self:fifo_file rw_fifo_file_perms;
-allow telnetd_t self:tcp_socket { accept listen };
@@ -110513,7 +110672,7 @@ index 9957e300d..51af58690 100644
+ tftp_manage_config($1)
')
diff --git a/tftp.te b/tftp.te
-index cfaa2a19c..a9bc6f1ff 100644
+index cfaa2a19c..ed8204d13 100644
--- a/tftp.te
+++ b/tftp.te
@@ -6,30 +6,24 @@ policy_module(tftp, 1.13.0)
@@ -110643,7 +110802,7 @@ index cfaa2a19c..a9bc6f1ff 100644
-tunable_policy(`tftp_enable_homedir',`
- allow tftpd_t self:capability { dac_override dac_read_search };
+tunable_policy(`tftp_home_dir',`
-+ allow tftpd_t self:capability { dac_override dac_read_search };
++ allow tftpd_t self:capability { dac_read_search };
+ # allow access to /home
files_list_home(tftpd_t)
@@ -110709,7 +110868,7 @@ index 5406b6ee8..dc5b46e28 100644
admin_pattern($1, tgtd_tmpfs_t)
')
diff --git a/tgtd.te b/tgtd.te
-index d01096386..7308fa94b 100644
+index d01096386..ae473b2b2 100644
--- a/tgtd.te
+++ b/tgtd.te
@@ -29,8 +29,8 @@ files_pid_file(tgtd_var_run_t)
@@ -110718,7 +110877,7 @@ index d01096386..7308fa94b 100644
-allow tgtd_t self:capability sys_resource;
-allow tgtd_t self:capability2 block_suspend;
-+allow tgtd_t self:capability { dac_read_search dac_override ipc_lock sys_resource sys_rawio sys_admin };
++allow tgtd_t self:capability { dac_read_search ipc_lock sys_resource sys_rawio sys_admin };
+allow tgtd_t self:capability2 { block_suspend wake_alarm };
allow tgtd_t self:process { setrlimit signal };
allow tgtd_t self:fifo_file rw_fifo_file_perms;
@@ -110851,7 +111010,7 @@ index 000000000..5e3637e63
+')
diff --git a/thin.te b/thin.te
new file mode 100644
-index 000000000..e66fc8c34
+index 000000000..78550f3b3
--- /dev/null
+++ b/thin.te
@@ -0,0 +1,115 @@
@@ -110930,7 +111089,7 @@ index 000000000..e66fc8c34
+# thin local policy
+#
+
-+allow thin_t self:capability { setuid kill setgid dac_read_search dac_override };
++allow thin_t self:capability { setuid kill setgid dac_read_search };
+allow thin_t self:capability2 block_suspend;
+
+allow thin_t self:netlink_route_socket r_netlink_socket_perms;
@@ -111367,9 +111526,18 @@ index 5e867da56..b25ea6e08 100644
ifndef(`enable_mls',`
fs_search_removable(thunderbird_t)
diff --git a/timidity.te b/timidity.te
-index 97cd15589..49321a5bf 100644
+index 97cd15589..7c0a19c8a 100644
--- a/timidity.te
+++ b/timidity.te
+@@ -18,7 +18,7 @@ files_tmpfs_file(timidity_tmpfs_t)
+ # Local policy
+ #
+
+-allow timidity_t self:capability { dac_override dac_read_search };
++allow timidity_t self:capability { dac_read_search };
+ dontaudit timidity_t self:capability sys_tty_config;
+ allow timidity_t self:process { signal_perms getsched };
+ allow timidity_t self:shm create_shm_perms;
@@ -36,7 +36,6 @@ fs_tmpfs_filetrans(timidity_t, timidity_tmpfs_t, { dir file lnk_file sock_file f
kernel_read_kernel_sysctls(timidity_t)
kernel_read_system_state(timidity_t)
@@ -111677,10 +111845,10 @@ index 000000000..761cc35b0
+ mount_domtrans(tlp_t)
+')
diff --git a/tmpreaper.te b/tmpreaper.te
-index 585a77f95..a7cb3263d 100644
+index 585a77f95..9858c8b8d 100644
--- a/tmpreaper.te
+++ b/tmpreaper.te
-@@ -5,9 +5,34 @@ policy_module(tmpreaper, 1.7.1)
+@@ -5,20 +5,46 @@ policy_module(tmpreaper, 1.7.1)
# Declarations
#
@@ -111715,7 +111883,12 @@ index 585a77f95..a7cb3263d 100644
########################################
#
-@@ -19,6 +44,7 @@ allow tmpreaper_t self:fifo_file rw_fifo_file_perms;
+ # Local Policy
+ #
+
+-allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
++allow tmpreaper_t self:capability { dac_read_search fowner };
+ allow tmpreaper_t self:fifo_file rw_fifo_file_perms;
kernel_list_unlabeled(tmpreaper_t)
kernel_read_system_state(tmpreaper_t)
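Review bot: Dropping `dac_override` from `tmpreaper_t` may stop it from removing stale entries inside directories owned by other users, because unlinking needs write permission on the parent directory. `fowner` covers only the owner and sticky-bit checks, and `dac_read_search` covers only read and search, so neither replaces the directory-write bypass. Unless testing shows the cleaner never has to delete inside non-root directories that lack other-write permission, I would keep `allow tmpreaper_t self:capability { dac_override dac_read_search fowner };`, or record in the changelog how the removal was verified. The local policy section continues outside the hunk, so other rules may be relevant.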
@@ -112248,7 +112421,7 @@ index 000000000..e5cec8fda
+')
diff --git a/tomcat.te b/tomcat.te
new file mode 100644
-index 000000000..31baf3bb8
+index 000000000..d503f1b51
--- /dev/null
+++ b/tomcat.te
@@ -0,0 +1,124 @@
@@ -112309,7 +112482,7 @@ index 000000000..31baf3bb8
+# tomcat domain local policy
+#
+
-+allow tomcat_t self:capability { dac_override setuid kill };
++allow tomcat_t self:capability { setuid kill };
+
+allow tomcat_t self:process { execmem setcap setsched signal signull };
+
@@ -112460,7 +112633,7 @@ index 61c2e07d6..3b860953c 100644
+ ')
')
diff --git a/tor.te b/tor.te
-index 5ceacde8c..a3959403d 100644
+index 5ceacde8c..363931dc2 100644
--- a/tor.te
+++ b/tor.te
@@ -13,6 +13,20 @@ policy_module(tor, 1.9.0)
@@ -112553,7 +112726,7 @@ index 5ceacde8c..a3959403d 100644
+')
+
+tunable_policy(`tor_can_onion_services',`
-+ allow tor_t self:capability { dac_read_search dac_override };
++ allow tor_t self:capability { dac_read_search };
+')
+
optional_policy(`
@@ -112588,7 +112761,7 @@ index 34973ee4c..1c9a4c613 100644
userdom_dontaudit_use_unpriv_user_fds(transproxy_t)
diff --git a/tripwire.te b/tripwire.te
-index 03aa6b7f0..53c0c7366 100644
+index 03aa6b7f0..d262808fc 100644
--- a/tripwire.te
+++ b/tripwire.te
@@ -47,7 +47,7 @@ role twprint_roles types twprint_t;
@@ -112596,7 +112769,7 @@ index 03aa6b7f0..53c0c7366 100644
#
-allow tripwire_t self:capability { setgid setuid dac_override };
-+allow tripwire_t self:capability { setgid setuid dac_read_search dac_override };
++allow tripwire_t self:capability { setgid setuid dac_read_search };
allow tripwire_t tripwire_etc_t:dir list_dir_perms;
allow tripwire_t tripwire_etc_t:file read_file_perms;
@@ -112659,7 +112832,7 @@ index e29db63a2..061fb983c 100644
domain_system_change_exemption($1)
role_transition $2 tuned_initrc_exec_t system_r;
diff --git a/tuned.te b/tuned.te
-index 393a33073..76390e2f6 100644
+index 393a33073..1664e51c0 100644
--- a/tuned.te
+++ b/tuned.te
@@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
@@ -112680,7 +112853,7 @@ index 393a33073..76390e2f6 100644
-dontaudit tuned_t self:capability { dac_override sys_tty_config };
-allow tuned_t self:process { setsched signal };
+allow tuned_t self:capability { net_admin sys_admin sys_nice sys_rawio };
-+dontaudit tuned_t self:capability { dac_read_search dac_override sys_tty_config };
++dontaudit tuned_t self:capability { dac_read_search sys_tty_config };
+allow tuned_t self:process { setsched signal };
allow tuned_t self:fifo_file rw_fifo_file_perms;
+allow tuned_t self:netlink_kobject_uevent_socket create_socket_perms;
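Review bot: The changed line is a `dontaudit` rule, not an `allow`, so removing `dac_override` from it takes no privilege away from `tuned_t`. The `allow` rule visible in this hunk does not grant `dac_override` either, so the only effect is that denied `dac_override` checks for tuned will now be logged. If the aim is to surface remaining users of the capability, a comment such as `# dac_override denials are audited on purpose` would make that explicit. Otherwise keep `dontaudit tuned_t self:capability { dac_read_search dac_override sys_tty_config };` to avoid new AVC noise.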
@@ -113310,7 +113483,7 @@ index b68bd49ff..da0c6912f 100644
userdom_dontaudit_search_user_home_dirs(uml_switch_t)
diff --git a/updfstab.te b/updfstab.te
-index 5ceb91249..232e9ac93 100644
+index 5ceb91249..793032477 100644
--- a/updfstab.te
+++ b/updfstab.te
@@ -14,7 +14,7 @@ init_system_domain(updfstab_t, updfstab_exec_t)
@@ -113318,7 +113491,7 @@ index 5ceb91249..232e9ac93 100644
#
-allow updfstab_t self:capability dac_override;
-+allow updfstab_t self:capability { dac_read_search dac_override };
++allow updfstab_t self:capability { dac_read_search };
dontaudit updfstab_t self:capability { sys_admin sys_tty_config };
allow updfstab_t self:process signal_perms;
allow updfstab_t self:fifo_file rw_fifo_file_perms;
@@ -113579,7 +113752,7 @@ index c416a833e..cd83b89ee 100644
+/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)
+/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0)
diff --git a/userhelper.if b/userhelper.if
-index 98b51fd0b..c7e44cada 100644
+index 98b51fd0b..d33d87f30 100644
--- a/userhelper.if
+++ b/userhelper.if
@@ -1,4 +1,4 @@
@@ -113628,7 +113801,7 @@ index 98b51fd0b..c7e44cada 100644
- # Consolehelper local policy
+ # Local policy
#
-+ allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_read_search dac_override chown sys_tty_config };
++ allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_read_search chown sys_tty_config };
+ allow $1_userhelper_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow $1_userhelper_t self:process setexec;
+ allow $1_userhelper_t self:fd use;
@@ -113905,7 +114078,7 @@ index 98b51fd0b..c7e44cada 100644
##
## Execute the consolehelper program
diff --git a/userhelper.te b/userhelper.te
-index 42cfce06e..b7e3e2532 100644
+index 42cfce06e..b9f267a10 100644
--- a/userhelper.te
+++ b/userhelper.te
@@ -5,11 +5,8 @@ policy_module(userhelper, 1.8.1)
@@ -113938,7 +114111,7 @@ index 42cfce06e..b7e3e2532 100644
-dontaudit consolehelper_type userhelper_conf_t:file audit_access;
-read_files_pattern(consolehelper_type, userhelper_conf_t, userhelper_conf_t)
+allow consolehelper_domain self:shm create_shm_perms;
-+allow consolehelper_domain self:capability { setgid setuid dac_read_search dac_override sys_nice };
++allow consolehelper_domain self:capability { setgid setuid dac_read_search sys_nice };
+allow consolehelper_domain self:process { signal_perms getsched setsched };
-domain_use_interactive_fds(consolehelper_type)
@@ -114124,7 +114297,7 @@ index 7deec55cf..c542887da 100644
')
diff --git a/usernetctl.te b/usernetctl.te
-index f973af82b..860643991 100644
+index f973af82b..5e354edc5 100644
--- a/usernetctl.te
+++ b/usernetctl.te
@@ -6,19 +6,19 @@ policy_module(usernetctl, 1.7.0)
@@ -114145,7 +114318,7 @@ index f973af82b..860643991 100644
#
-allow usernetctl_t self:capability { setuid setgid dac_override };
-+allow usernetctl_t self:capability { setuid setgid dac_read_search dac_override };
++allow usernetctl_t self:capability { setuid setgid dac_read_search };
allow usernetctl_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow usernetctl_t self:fd use;
allow usernetctl_t self:fifo_file rw_fifo_file_perms;
@@ -114338,7 +114511,7 @@ index f8e52fc97..b283c25f7 100644
-miscfiles_read_localization(uuidd_t)
diff --git a/uwimap.te b/uwimap.te
-index acdc78ae7..9e5ee472d 100644
+index acdc78ae7..7f295e597 100644
--- a/uwimap.te
+++ b/uwimap.te
@@ -20,7 +20,7 @@ files_pid_file(imapd_var_run_t)
@@ -114346,7 +114519,7 @@ index acdc78ae7..9e5ee472d 100644
#
-allow imapd_t self:capability { dac_override setgid setuid sys_resource };
-+allow imapd_t self:capability { dac_read_search dac_override setgid setuid sys_resource };
++allow imapd_t self:capability { dac_read_search setgid setuid sys_resource };
dontaudit imapd_t self:capability sys_tty_config;
allow imapd_t self:process signal_perms;
allow imapd_t self:fifo_file rw_fifo_file_perms;
@@ -114414,7 +114587,7 @@ index 1c35171d8..2cba4dfea 100644
domain_system_change_exemption($1)
role_transition $2 varnishd_initrc_exec_t system_r;
diff --git a/varnishd.te b/varnishd.te
-index 9d4d8cbb0..e73bd982c 100644
+index 9d4d8cbb0..80e6c6fb4 100644
--- a/varnishd.te
+++ b/varnishd.te
@@ -21,7 +21,7 @@ type varnishd_initrc_exec_t;
@@ -114439,7 +114612,7 @@ index 9d4d8cbb0..e73bd982c 100644
#
-allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid };
-+allow varnishd_t self:capability { kill dac_read_search dac_override ipc_lock setuid setgid chown fowner fsetid };
++allow varnishd_t self:capability { kill dac_read_search ipc_lock setuid setgid chown fowner fsetid };
dontaudit varnishd_t self:capability sys_tty_config;
-allow varnishd_t self:process signal;
+allow varnishd_t self:process { execmem signal };
@@ -114464,7 +114637,7 @@ index 9d4d8cbb0..e73bd982c 100644
tunable_policy(`varnishd_connect_any',`
corenet_sendrecv_all_client_packets(varnishd_t)
diff --git a/vbetool.te b/vbetool.te
-index 2a61f7526..fa84e40b9 100644
+index 2a61f7526..99b151a18 100644
--- a/vbetool.te
+++ b/vbetool.te
@@ -26,7 +26,8 @@ role vbetool_roles types vbetool_t;
@@ -114472,7 +114645,7 @@ index 2a61f7526..fa84e40b9 100644
#
-allow vbetool_t self:capability { dac_override sys_tty_config sys_admin };
-+allow vbetool_t self:capability { dac_read_search dac_override sys_tty_config sys_admin };
++allow vbetool_t self:capability { dac_read_search sys_tty_config sys_admin };
+#allow vbetool_t self:capability2 compromise_kernel;
allow vbetool_t self:process execmem;
@@ -114648,7 +114821,7 @@ index 22edd58f8..c3a536427 100644
domain_system_change_exemption($1)
role_transition $2 vhostmd_initrc_exec_t system_r;
diff --git a/vhostmd.te b/vhostmd.te
-index 3d11c6a3d..c5d84287e 100644
+index 3d11c6a3d..3590f3ef9 100644
--- a/vhostmd.te
+++ b/vhostmd.te
@@ -23,7 +23,7 @@ files_pid_file(vhostmd_var_run_t)
@@ -114656,7 +114829,7 @@ index 3d11c6a3d..c5d84287e 100644
#
-allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid };
-+allow vhostmd_t self:capability { dac_read_search dac_override ipc_lock setuid setgid };
++allow vhostmd_t self:capability { dac_read_search ipc_lock setuid setgid };
allow vhostmd_t self:process { setsched getsched signal };
allow vhostmd_t self:fifo_file rw_fifo_file_perms;
@@ -117063,7 +117236,7 @@ index facdee8b3..2a619ba9e 100644
+ dgram_send_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
')
diff --git a/virt.te b/virt.te
-index f03dcf567..cf9950e36 100644
+index f03dcf567..6b27ef4c9 100644
--- a/virt.te
+++ b/virt.te
@@ -1,451 +1,424 @@
@@ -117737,7 +117910,7 @@ index f03dcf567..cf9950e36 100644
#
-allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
-+allow virtd_t self:capability { chown dac_read_search dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
++allow virtd_t self:capability { chown dac_read_search fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
+#allow virtd_t self:capability2 compromise_kernel;
allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
+ifdef(`hide_broken_symptoms',`
@@ -118447,7 +118620,7 @@ index f03dcf567..cf9950e36 100644
-allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
-allow virsh_t self:process { getcap getsched setsched setcap signal };
-+allow virsh_t self:capability { setpcap dac_read_search dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config };
++allow virsh_t self:capability { setpcap dac_read_search ipc_lock sys_admin sys_chroot sys_nice sys_tty_config };
+allow virsh_t self:process { getcap getsched setsched setcap setexec signal };
allow virsh_t self:fifo_file rw_fifo_file_perms;
-allow virsh_t self:unix_stream_socket { accept connectto listen };
@@ -118612,7 +118785,7 @@ index f03dcf567..cf9950e36 100644
-# Lxc local policy
+# virt_lxc local policy
#
-+allow virtd_lxc_t self:capability { dac_read_search dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource setuid sys_nice setgid };
++allow virtd_lxc_t self:capability { dac_read_search net_admin net_raw setpcap chown sys_admin sys_boot sys_resource setuid sys_nice setgid };
+allow virtd_lxc_t self:process { setsockcreate transition setpgid signal_perms };
+#allow virtd_lxc_t self:capability2 compromise_kernel;
@@ -119062,7 +119235,7 @@ index f03dcf567..cf9950e36 100644
-kernel_read_network_state(svirt_lxc_net_t)
-kernel_read_irq_sysctls(svirt_lxc_net_t)
-+allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
++allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
+dontaudit svirt_qemu_net_t self:capability2 block_suspend;
+allow svirt_qemu_net_t self:process { execstack execmem };
@@ -119370,7 +119543,7 @@ index f03dcf567..cf9950e36 100644
+virt_sandbox_domain_template(svirt_kvm_net)
+typeattribute svirt_kvm_net_t sandbox_net_domain;
+
-+allow svirt_kvm_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
++allow svirt_kvm_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
+dontaudit svirt_kvm_net_t self:capability2 block_suspend;
+
+tunable_policy(`virt_sandbox_use_netlink',`
@@ -119450,8 +119623,8 @@ index f03dcf567..cf9950e36 100644
+ systemd_dbus_chat_logind(sandbox_net_domain)
+')
+
-+allow sandbox_caps_domain self:capability { chown dac_read_search dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
-+allow sandbox_caps_domain self:cap_userns { chown dac_read_search dac_override fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
++allow sandbox_caps_domain self:capability { chown dac_read_search fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
++allow sandbox_caps_domain self:cap_userns { chown dac_read_search fowner kill setgid setuid setpcap net_bind_service net_raw sys_chroot mknod audit_write setfcap };
+
+list_dirs_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t)
+read_files_pattern(svirt_sandbox_domain, container_ro_file_t, container_ro_file_t)
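Review bot: `sandbox_caps_domain` loses `dac_override` in both the `capability` and the `cap_userns` rule, and `dac_read_search` bypasses only read and search checks. A root process in these domains can therefore no longer write to files or directories it does not own unless the mode bits allow it. I cannot tell from the hunk whether any sandbox workload depends on that; if one does, the resulting denials tend to push users toward permissive mode, which costs more than the capability saves. It is worth checking AVC logs from representative workloads first, and if some need it, gating the capability behind a tunable in the style of `virt_sandbox_use_netlink` rather than granting it unconditionally. A comment above the two rules, for example `# dac_override dropped on purpose: writes to non-owned paths rely on mode bits`, would record the decision.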
@@ -119736,7 +119909,7 @@ index 20a1fb296..470ea9528 100644
allow $2 { vmware_tmp_t vmware_file_t }:dir { manage_dir_perms relabel_dir_perms };
allow $2 { vmware_conf_t vmware_file_t vmware_tmp_t vmware_tmpfs_t }:file { manage_file_perms relabel_file_perms };
diff --git a/vmware.te b/vmware.te
-index 4ad18944a..b5891580a 100644
+index 4ad18944a..c3b3f8c0c 100644
--- a/vmware.te
+++ b/vmware.te
@@ -65,7 +65,8 @@ ifdef(`enable_mcs',`
@@ -119745,7 +119918,7 @@ index 4ad18944a..b5891580a 100644
-allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override };
+allow vmware_host_t self:capability { net_admin sys_module };
-+allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time kill dac_read_search dac_override };
++allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time kill dac_read_search };
dontaudit vmware_host_t self:capability sys_tty_config;
allow vmware_host_t self:process { execstack execmem signal_perms };
allow vmware_host_t self:fifo_file rw_fifo_file_perms;
@@ -119816,7 +119989,7 @@ index 4ad18944a..b5891580a 100644
#
-allow vmware_t self:capability { dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown };
-+allow vmware_t self:capability { dac_read_search dac_override setgid sys_nice sys_resource setuid sys_admin sys_rawio chown };
++allow vmware_t self:capability { dac_read_search setgid sys_nice sys_resource setuid sys_admin sys_rawio chown };
dontaudit vmware_t self:capability sys_tty_config;
allow vmware_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow vmware_t self:process { execmem execstack };
@@ -120024,7 +120197,7 @@ index 7a7f34297..afedcba80 100644
##
##
diff --git a/vpn.te b/vpn.te
-index 95b26d126..3d74e70cc 100644
+index 95b26d126..ac16df363 100644
--- a/vpn.te
+++ b/vpn.te
@@ -6,6 +6,7 @@ policy_module(vpn, 1.16.0)
@@ -120035,7 +120208,12 @@ index 95b26d126..3d74e70cc 100644
type vpnc_t;
type vpnc_exec_t;
-@@ -28,9 +29,13 @@ allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock n
+@@ -24,13 +25,17 @@ files_pid_file(vpnc_var_run_t)
+ # Local policy
+ #
+
+-allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw setuid };
++allow vpnc_t self:capability { dac_read_search net_admin ipc_lock net_raw setuid };
allow vpnc_t self:process { getsched signal };
allow vpnc_t self:fifo_file rw_fifo_file_perms;
allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
@@ -120563,7 +120741,7 @@ index 4815a93f4..24dcf5174 100644
+ rhcs_rw_cluster_tmpfs(wdmd_t)
')
diff --git a/webadm.te b/webadm.te
-index 2a6cae773..d2752d9bb 100644
+index 2a6cae773..0b771ed70 100644
--- a/webadm.te
+++ b/webadm.te
@@ -25,12 +25,21 @@ role webadm_r;
@@ -120579,7 +120757,7 @@ index 2a6cae773..d2752d9bb 100644
#
-allow webadm_t self:capability { dac_override dac_read_search kill sys_nice };
-+allow webadm_t self:capability { dac_override dac_read_search kill sys_nice sys_resource };
++allow webadm_t self:capability { dac_read_search kill sys_nice sys_resource };
+
+manage_dirs_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t)
+manage_files_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t)
@@ -120628,7 +120806,7 @@ index 64baf679e..76c753b1a 100644
-/var/www/usage(/.*)? gen_context(system_u:object_r:httpd_webalizer_content_t,s0)
+/var/www/usage(/.*)? gen_context(system_u:object_r:webalizer_rw_content_t,s0)
diff --git a/webalizer.te b/webalizer.te
-index ae919b9a5..cdd9359d1 100644
+index ae919b9a5..12097d0e4 100644
--- a/webalizer.te
+++ b/webalizer.te
@@ -33,7 +33,7 @@ files_type(webalizer_write_t)
@@ -120636,7 +120814,7 @@ index ae919b9a5..cdd9359d1 100644
#
-allow webalizer_t self:capability dac_override;
-+allow webalizer_t self:capability { dac_read_search dac_override };
++allow webalizer_t self:capability { dac_read_search };
allow webalizer_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow webalizer_t self:fd use;
allow webalizer_t self:fifo_file rw_fifo_file_perms;
@@ -121605,7 +121783,7 @@ index f93558c5a..16e29c141 100644
files_search_pids($1)
diff --git a/xen.te b/xen.te
-index 6f736a993..c1ba3ba4b 100644
+index 6f736a993..ca29783fb 100644
--- a/xen.te
+++ b/xen.te
@@ -4,39 +4,31 @@ policy_module(xen, 1.13.0)
@@ -121848,7 +122026,7 @@ index 6f736a993..c1ba3ba4b 100644
-dontaudit xend_t self:capability { sys_ptrace };
-allow xend_t self:process { setrlimit signal sigkill };
-dontaudit xend_t self:process ptrace;
-+allow xend_t self:capability { dac_read_search dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw sys_rawio };
++allow xend_t self:capability { dac_read_search ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw sys_rawio };
+allow xend_t self:process { signal sigkill };
+
+# needed by qemu_dm
@@ -122049,7 +122227,7 @@ index 6f736a993..c1ba3ba4b 100644
#
-allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
-+allow xenconsoled_t self:capability { dac_read_search dac_override fsetid ipc_lock };
++allow xenconsoled_t self:capability { dac_read_search fsetid ipc_lock };
allow xenconsoled_t self:process setrlimit;
allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
@@ -122101,7 +122279,7 @@ index 6f736a993..c1ba3ba4b 100644
-allow xenstored_t self:capability { dac_override ipc_lock sys_resource };
-allow xenstored_t self:unix_stream_socket { accept listen };
-+allow xenstored_t self:capability { dac_read_search dac_override ipc_lock sys_resource };
++allow xenstored_t self:capability { dac_read_search ipc_lock sys_resource };
+allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
+allow xenstored_t self:unix_dgram_socket create_socket_perms;
@@ -122305,7 +122483,7 @@ index 6f736a993..c1ba3ba4b 100644
- fs_manage_xenfs_files(xm_ssh_t)
-')
diff --git a/xfs.te b/xfs.te
-index 0928c5d6a..b9bcf8824 100644
+index 0928c5d6a..99a430031 100644
--- a/xfs.te
+++ b/xfs.te
@@ -23,7 +23,7 @@ files_pid_file(xfs_var_run_t)
@@ -122313,7 +122491,7 @@ index 0928c5d6a..b9bcf8824 100644
#
-allow xfs_t self:capability { dac_override setgid setuid };
-+allow xfs_t self:capability { dac_read_search dac_override setgid setuid };
++allow xfs_t self:capability { dac_read_search setgid setuid };
dontaudit xfs_t self:capability sys_tty_config;
allow xfs_t self:process { signal_perms setpgid };
allow xfs_t self:unix_stream_socket { accept listen };
@@ -122656,7 +122834,7 @@ index 04096a050..98a8205a7 100644
xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
diff --git a/yam.te b/yam.te
-index 2695db25c..c1ec89384 100644
+index 2695db25c..311159866 100644
--- a/yam.te
+++ b/yam.te
@@ -26,7 +26,7 @@ files_tmp_file(yam_tmp_t)
@@ -122664,7 +122842,7 @@ index 2695db25c..c1ec89384 100644
#
-allow yam_t self:capability { chown fowner fsetid dac_override };
-+allow yam_t self:capability { chown fowner fsetid dac_read_search dac_override };
++allow yam_t self:capability { chown fowner fsetid dac_read_search };
allow yam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
allow yam_t self:fd use;
allow yam_t self:fifo_file rw_fifo_file_perms;
@@ -122875,7 +123053,7 @@ index dd63de028..38ce6208e 100644
- admin_pattern($1, zabbix_tmpfs_t)
')
diff --git a/zabbix.te b/zabbix.te
-index 7f496c617..bf2ae51d0 100644
+index 7f496c617..ad28abbc1 100644
--- a/zabbix.te
+++ b/zabbix.te
@@ -6,27 +6,32 @@ policy_module(zabbix, 1.6.0)
@@ -122969,7 +123147,7 @@ index 7f496c617..bf2ae51d0 100644
-allow zabbix_t self:sem create_sem_perms;
-allow zabbix_t self:shm create_shm_perms;
-allow zabbix_t self:tcp_socket create_stream_socket_perms;
-+allow zabbix_t self:capability { dac_read_search dac_override };
++allow zabbix_t self:capability { dac_read_search };
+
+manage_dirs_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
+manage_files_pattern(zabbix_t, zabbix_var_lib_t, zabbix_var_lib_t)
@@ -123423,7 +123601,7 @@ index 36e32df6d..3d089626e 100644
+ manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
')
diff --git a/zarafa.te b/zarafa.te
-index 3fded1c4d..8bea5e820 100644
+index 3fded1c4d..7bcf05a6c 100644
--- a/zarafa.te
+++ b/zarafa.te
@@ -5,9 +5,14 @@ policy_module(zarafa, 1.2.0)
@@ -123634,7 +123812,7 @@ index 3fded1c4d..8bea5e820 100644
+#
+
+# bad permission on /etc/zarafa
-+allow zarafa_domain self:capability { kill dac_read_search dac_override chown setgid setuid };
++allow zarafa_domain self:capability { kill dac_read_search chown setgid setuid };
+allow zarafa_domain self:process { signal_perms };
allow zarafa_domain self:fifo_file rw_fifo_file_perms;
-allow zarafa_domain self:tcp_socket { accept listen };
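Review bot: The comment `# bad permission on /etc/zarafa` above the rule no longer says which access it justifies, now that `dac_override` is gone and only `dac_read_search` remains as a DAC bypass. Rewording it to something like `# bad permission on /etc/zarafa: read/search bypass only` would show that the write bypass was dropped deliberately. It would also tell the next maintainer what to check if the directory permissions are ever fixed in packaging.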
@@ -124374,7 +124552,7 @@ index 000000000..fb0519ebf
+
diff --git a/zoneminder.te b/zoneminder.te
new file mode 100644
-index 000000000..c9ad1b330
+index 000000000..ba9ab9a8a
--- /dev/null
+++ b/zoneminder.te
@@ -0,0 +1,187 @@
@@ -124435,7 +124613,7 @@ index 000000000..c9ad1b330
+#
+# zoneminder local policy
+#
-+allow zoneminder_t self:capability { chown dac_read_search dac_override };
++allow zoneminder_t self:capability { chown dac_read_search };
+allow zoneminder_t self:process { signal_perms setpgid };
+allow zoneminder_t self:shm create_shm_perms;
+allow zoneminder_t self:fifo_file rw_fifo_file_perms;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 110607f..c66eaa8 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.13.1
-Release: 287%{?dist}
+Release: 288%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -682,6 +682,9 @@ exit 0
%endif
%changelog
+* Fri Sep 22 2017 Lukas Vrabec - 3.13.1-288
+- Remove all unnecessary dac_override capability in SELinux modules
+
* Fri Sep 22 2017 Lukas Vrabec - 3.13.1-287
- Allow init noatsecure httpd_t
- Allow mysqld_t domain to mmap mysqld db files. BZ(1483331)