diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf
index 740b5b2..ce9e5bc 100644
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
@@ -2291,4 +2291,25 @@ watchdog = module
#
oracleasm = module
+# Layer: contrib
+# Module: redis
+#
+# redis policy
+#
+redis = module
+
+# Layer: contrib
+# Module: hypervkvp
+#
+# hypervkvp policy
+#
+hypervkvp = module
+
+# Layer: contrib
+# Module: lsm
+#
+# lsm policy
+#
+lsm = module
+
diff --git a/permissivedomains.te b/permissivedomains.te
index 2549561..3370d89 100644
--- a/permissivedomains.te
+++ b/permissivedomains.te
@@ -15,3 +15,27 @@ optional_policy(`
permissive prosody_t;
')
+
+optional_policy(`
+ gen_require(`
+ type redis_t;
+ ')
+
+ permissive redis_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type hypervkvp_t;
+ ')
+
+ permissive hypervkvp_t;
+')
+
+optional_policy(`
+ gen_require(`
+ type lsmd_t;
+ ')
+
+ permissive lsmd_t;
+')
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index 6adc2cb..81c1286 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -1820,7 +1820,7 @@ index 688abc2..3d89250 100644
/usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
+/usr/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
-index 03ec5ca..bfc85a0 100644
+index 03ec5ca..025c177 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -89,7 +89,6 @@ template(`su_restricted_domain_template', `
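Review bot: Declaring redis_t, hypervkvp_t and lsmd_t permissive in permissivedomains.te means every denial for those domains is logged but never enforced, so for as long as these entries stay a compromised redis (a network-facing daemon) or the Hyper-V KVP daemon runs with no MAC containment even though a policy module for it now ships. That is the normal bring-up step for a new module, but none of the three blocks records an exit condition, and entries like this tend to become permanent. I would put one line above each block, e.g. `# TODO: drop once redis_t has run in enforcing mode without AVC denials`, so the intent to remove it is visible to the next reader. Wrapping each block in optional_policy with a gen_require is fine — it only degrades softly when the module is not loaded.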
@@ -1843,41 +1843,234 @@ index 03ec5ca..bfc85a0 100644 optional_policy(` cron_read_pipes($1_su_t) ') -@@ -208,7 +202,7 @@ template(`su_role_template',` +@@ -172,14 +166,6 @@ template(`su_role_template',` + role $2 types $1_su_t; - auth_domtrans_chk_passwd($1_su_t) - auth_dontaudit_read_shadow($1_su_t) + allow $3 $1_su_t:process signal; +- +- allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; +- dontaudit $1_su_t self:capability sys_tty_config; +- allow $1_su_t self:process { setexec setsched setrlimit }; +- allow $1_su_t self:fifo_file rw_fifo_file_perms; +- allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; +- allow $1_su_t self:key { search write }; +- + allow $1_su_t $3:key search; + + # Transition from the user domain to this domain. +@@ -194,125 +180,12 @@ template(`su_role_template',` + allow $3 $1_su_t:process sigchld; + + kernel_read_system_state($1_su_t) +- kernel_read_kernel_sysctls($1_su_t) +- kernel_search_key($1_su_t) +- kernel_link_key($1_su_t) +- +- # for SSP +- dev_read_urand($1_su_t) +- +- fs_search_auto_mountpoints($1_su_t) + +- # needed for pam_rootok +- selinux_compute_access_vector($1_su_t) +- +- auth_domtrans_chk_passwd($1_su_t) +- auth_dontaudit_read_shadow($1_su_t) - auth_use_nsswitch($1_su_t) +- auth_rw_faillog($1_su_t) +- +- corecmd_search_bin($1_su_t) +- +- domain_use_interactive_fds($1_su_t) +- +- files_read_etc_files($1_su_t) +- files_read_etc_runtime_files($1_su_t) +- files_search_var_lib($1_su_t) +- files_dontaudit_getattr_tmp_dirs($1_su_t) +- +- init_dontaudit_use_fds($1_su_t) +- # Write to utmp. 
+- init_rw_utmp($1_su_t) + auth_use_pam($1_su_t) - auth_rw_faillog($1_su_t) - corecmd_search_bin($1_su_t) -@@ -228,10 +222,10 @@ template(`su_role_template',` + mls_file_write_all_levels($1_su_t) logging_send_syslog_msg($1_su_t) - +- - miscfiles_read_localization($1_su_t) - - userdom_use_user_terminals($1_su_t) - userdom_search_user_home_dirs($1_su_t) -+ userdom_search_admin_dir($1_su_t) - - ifdef(`distro_redhat',` - # RHEL5 and possibly newer releases incl. Fedora -@@ -277,12 +271,7 @@ template(`su_role_template',` - ') - ') - +- +- userdom_use_user_terminals($1_su_t) +- userdom_search_user_home_dirs($1_su_t) +- +- ifdef(`distro_redhat',` +- # RHEL5 and possibly newer releases incl. Fedora +- auth_domtrans_upd_passwd($1_su_t) +- +- optional_policy(` +- locallogin_search_keys($1_su_t) +- ') +- ') +- +- ifdef(`distro_rhel4',` +- domain_role_change_exemption($1_su_t) +- domain_subj_id_change_exemption($1_su_t) +- domain_obj_id_change_exemption($1_su_t) +- +- selinux_get_fs_mount($1_su_t) +- selinux_validate_context($1_su_t) +- selinux_compute_create_context($1_su_t) +- selinux_compute_relabel_context($1_su_t) +- selinux_compute_user_contexts($1_su_t) +- +- # Relabel ttys and ptys. +- term_relabel_all_ttys($1_su_t) +- term_relabel_all_ptys($1_su_t) +- # Close and re-open ttys and ptys to get the fd into the correct domain. +- term_use_all_ttys($1_su_t) +- term_use_all_ptys($1_su_t) +- +- seutil_read_config($1_su_t) +- seutil_read_default_contexts($1_su_t) +- +- if(secure_mode) { +- # Only allow transitions to unprivileged user domains. 
+- userdom_spec_domtrans_unpriv_users($1_su_t) +- } else { +- # Allow transitions to all user domains +- userdom_spec_domtrans_all_users($1_su_t) +- } +- +- optional_policy(` +- unconfined_domtrans($1_su_t) +- unconfined_signal($1_su_t) +- ') +- ') +- - ifdef(`hide_broken_symptoms',` - # dontaudit leaked sockets from parent - dontaudit $1_su_t $3:socket_class_set { read write }; - ') - - tunable_policy(`allow_polyinstantiation',` -+ tunable_policy(`polyinstantiation_enabled',` - fs_mount_xattr_fs($1_su_t) - fs_unmount_xattr_fs($1_su_t) - ') +- fs_mount_xattr_fs($1_su_t) +- fs_unmount_xattr_fs($1_su_t) +- ') +- +- tunable_policy(`use_nfs_home_dirs',` +- fs_search_nfs($1_su_t) +- ') +- +- tunable_policy(`use_samba_home_dirs',` +- fs_search_cifs($1_su_t) +- ') +- +- optional_policy(` +- cron_read_pipes($1_su_t) +- ') +- +- optional_policy(` +- kerberos_use($1_su_t) +- ') +- +- optional_policy(` +- # used when the password has expired +- usermanage_read_crack_db($1_su_t) +- ') +- +- # Modify .Xauthority file (via xauth program). 
+- optional_policy(` +- xserver_user_home_dir_filetrans_user_xauth($1_su_t) +- xserver_domtrans_xauth($1_su_t) +- ') + ') + + ####################################### +diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te +index 85bb77e..0df3b43 100644 +--- a/policy/modules/admin/su.te ++++ b/policy/modules/admin/su.te +@@ -9,3 +9,81 @@ attribute su_domain_type; + + type su_exec_t; + corecmd_executable_file(su_exec_t) ++ ++allow su_domain_type self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; ++dontaudit su_domain_type self:capability sys_tty_config; ++allow su_domain_type self:process { setexec setsched setrlimit }; ++allow su_domain_type self:fifo_file rw_fifo_file_perms; ++allow su_domain_type self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; ++allow su_domain_type self:key { search write }; ++ ++kernel_read_kernel_sysctls(su_domain_type) ++kernel_search_key(su_domain_type) ++kernel_link_key(su_domain_type) ++ ++# for SSP ++dev_read_urand(su_domain_type) ++dev_dontaudit_getattr_all(su_domain_type) ++ ++fs_search_auto_mountpoints(su_domain_type) ++ ++# needed for pam_rootok ++selinux_compute_access_vector(su_domain_type) ++ ++corecmd_search_bin(su_domain_type) ++ ++domain_use_interactive_fds(su_domain_type) ++ ++files_read_etc_files(su_domain_type) ++files_read_etc_runtime_files(su_domain_type) ++files_search_var_lib(su_domain_type) ++files_dontaudit_getattr_tmp_dirs(su_domain_type) ++ ++init_dontaudit_use_fds(su_domain_type) ++# Write to utmp. ++init_rw_utmp(su_domain_type) ++ ++userdom_use_user_terminals(su_domain_type) ++userdom_search_user_home_dirs(su_domain_type) ++userdom_search_admin_dir(su_domain_type) ++ ++ifdef(`distro_redhat',` ++ # RHEL5 and possibly newer releases incl. 
Fedora ++ auth_domtrans_upd_passwd(su_domain_type) ++ ++ optional_policy(` ++ locallogin_search_keys(su_domain_type) ++ ') ++') ++ ++tunable_policy(`polyinstantiation_enabled',` ++ fs_mount_xattr_fs(su_domain_type) ++ fs_unmount_xattr_fs(su_domain_type) ++') ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_search_nfs(su_domain_type) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_search_cifs(su_domain_type) ++') ++ ++optional_policy(` ++ cron_read_pipes(su_domain_type) ++') ++ ++optional_policy(` ++ kerberos_use(su_domain_type) ++') ++ ++optional_policy(` ++ # used when the password has expired ++ usermanage_read_crack_db(su_domain_type) ++') ++ ++# Modify .Xauthority file (via xauth program). ++optional_policy(` ++ xserver_user_home_dir_filetrans_user_xauth(su_domain_type) ++ xserver_domtrans_xauth(su_domain_type) ++') diff --git a/policy/modules/admin/sudo.fc b/policy/modules/admin/sudo.fc index 7bddc02..2b59ed0 100644 --- a/policy/modules/admin/sudo.fc @@ -3046,7 +3239,7 @@ index 7590165..19aaaed 100644 + fs_mounton_fusefs(seunshare_domain) +') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc -index 644d4d7..51181b8 100644 +index 644d4d7..f9bcd44 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -1,9 +1,10 @@ 
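Review bot: The capability, setexec, key and PAM-helper rules moved out of su_role_template are now attached to the su_domain_type attribute in su.te, so they apply to every type that carries the attribute rather than only to the per-role $1_su_t the template creates; any future `typeattribute foo su_domain_type` silently gains setuid/setgid/dac_override/setexec plus the xauth and kerberos transitions. The new su.te block says nothing about that widening, so I would open it with a comment such as `# Rules common to every su domain (su_domain_type). Any type given this attribute inherits setuid/setgid/dac_override/setexec and the PAM/xauth/kerberos helpers below.` Two things are dropped rather than moved and deserve a sentence in the commit message: the hide_broken_symptoms dontaudit of the caller's leaked sockets (it referenced $3, so it cannot live on the attribute) and the rhel4-only secure_mode transition branch. Whether auth_use_pam covers the faillog write that auth_rw_faillog granted cannot be checked from this diff.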
@@ -3350,7 +3543,15 @@ index 644d4d7..51181b8 100644 /usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0) /usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0) -@@ -383,11 +457,15 @@ ifdef(`distro_suse', ` +@@ -342,6 +416,7 @@ ifdef(`distro_redhat', ` + /usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/system-config-selinux/polgengui.py -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0) +@@ -383,11 +458,15 @@ ifdef(`distro_suse', ` # # /var # @@ -3367,7 +3568,7 @@ index 644d4d7..51181b8 100644 /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) -@@ -397,3 +475,12 @@ ifdef(`distro_suse', ` +@@ -397,3 +476,12 @@ ifdef(`distro_suse', ` ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -8283,7 +8484,7 @@ index 6529bd9..831344c 100644 +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *; allow devices_unconfined_type mtrr_device_t:file *; diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if -index 6a1e4d1..57cc8d1 100644 +index 6a1e4d1..84e8030 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -76,33 +76,8 @@ interface(`domain_type',` 
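Review bot: The new file-context entry for polgengui.py leaves the dot unescaped, unlike the neighbouring `polgen\.py` and `system-config-selinux\.py`; file-context paths are regular expressions, so `.` matches any character. The line should read `/usr/share/system-config-selinux/polgengui\.py -- gen_context(system_u:object_r:bin_t,s0)`. The practical effect is tiny (a nonexistent sibling name would also be labelled bin_t), but it breaks the convention every other entry in this block follows.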
@@ -8426,7 +8627,7 @@ index 6a1e4d1..57cc8d1 100644 ## Unconfined access to domains. ## ## -@@ -1530,4 +1561,45 @@ interface(`domain_unconfined',` +@@ -1530,4 +1561,63 @@ interface(`domain_unconfined',` typeattribute $1 can_change_object_identity; typeattribute $1 set_curr_context; typeattribute $1 process_uncond_exempt; @@ -8471,9 +8672,27 @@ index 6a1e4d1..57cc8d1 100644 + ') + + allow $1 domain:process transition; ++') ++ ++######################################## ++## ++## Do not audit attempts to access check /proc ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`domain_dontaudit_access_check',` ++ gen_require(` ++ attribute domain; ++ ') ++ ++ dontaudit $1 domain:dir_file_class_set audit_access; ') diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te -index cf04cb5..bcaf613 100644 +index cf04cb5..2b917b5 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -4,6 +4,29 @@ policy_module(domain, 1.11.0) @@ -8610,7 +8829,7 @@ index cf04cb5..bcaf613 100644 # Create/access any System V IPC objects. allow unconfined_domain_type domain:{ sem msgq shm } *; -@@ -166,5 +231,295 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; +@@ -166,5 +231,296 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock }; # act on all domains keys allow unconfined_domain_type domain:key *; @@ -8887,6 +9106,7 @@ index cf04cb5..bcaf613 100644 +dontaudit domain domain:process { noatsecure siginh rlimitinh } ; + +optional_policy(` ++ rpm_rw_script_inherited_pipes(domain) + rpm_use_fds(domain) + rpm_read_pipes(domain) + rpm_search_log(domain) @@ -17141,7 +17361,7 @@ index ff92430..36740ea 100644 ## ## Execute a generic bin program in the sysadm domain. diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te -index 88d0028..98d1e34 100644 +index 88d0028..897634a 100644 --- a/policy/modules/roles/sysadm.te 
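Review bot: The summary of the new domain_dontaudit_access_check interface, "Do not audit attempts to access check /proc", does not say what is actually silenced; the rule is `dontaudit $1 domain:dir_file_class_set audit_access;`, which covers access(2)/faccessat() probes against any file labelled with a domain type, not only /proc. I would reword it to `Do not audit access(2) permission probes (audit_access) by the domain against files labelled with any domain type, e.g. other processes' /proc entries.` The interface body is complete within the hunk; the XML doc tags look mangled in this rendering rather than in the patch itself.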
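Review bot: `rpm_rw_script_inherited_pipes(domain)` grants read and write on rpm scriptlet pipes to every domain on the system (the domain attribute), and the write half is new; the surrounding rpm_use_fds/rpm_read_pipes grants were read-only. The line carries no justification, and a reader cannot tell from the hunk whether the interface really limits this to inherited descriptors as its name suggests. A one-line comment above it, e.g. `# children of rpm scriptlets write back through pipes inherited from rpm`, would record why every domain needs write access. The optional_policy block this sits in continues outside the hunk.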
+++ b/policy/modules/roles/sysadm.te @@ -5,39 +5,85 @@ policy_module(sysadm, 2.5.1) @@ -17580,7 +17800,7 @@ index 88d0028..98d1e34 100644 virt_stream_connect(sysadm_t) + virt_filetrans_home_content(sysadm_t) + virt_manage_pid_dirs(sysadm_t) -+ virt_transition_svirt_lxc(sysadm_t, sysadm_r) ++ virt_transition_svirt_sandbox(sysadm_t, sysadm_r) ') optional_policy(` @@ -18395,7 +18615,7 @@ index 0000000..cf6582f + diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te new file mode 100644 -index 0000000..d74943c +index 0000000..36f6ee2 --- /dev/null +++ b/policy/modules/roles/unconfineduser.te @@ -0,0 +1,332 @@ @@ -18722,7 +18942,7 @@ index 0000000..d74943c + +optional_policy(` + virt_transition_svirt(unconfined_t, unconfined_r) -+ virt_transition_svirt_lxc(unconfined_t, unconfined_r) ++ virt_transition_svirt_sandbox(unconfined_t, unconfined_r) +') + +optional_policy(` @@ -20222,7 +20442,7 @@ index fe0c682..225aaa7 100644 + ps_process_pattern($1, sshd_t) +') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te -index 5fc0391..3448145 100644 +index 5fc0391..7931fba 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -6,43 +6,54 @@ policy_module(ssh, 2.3.3) @@ -20235,15 +20455,15 @@ index 5fc0391..3448145 100644 +##

+## allow host key based authentication +##

- ## --gen_tunable(allow_ssh_keysign, false) ++## +gen_tunable(ssh_keysign, false) + +## +##

+## Allow ssh logins as sysadm_r:sysadm_t +##

-+##
+ ## +-gen_tunable(allow_ssh_keysign, false) +gen_tunable(ssh_sysadm_login, false) ## @@ -20379,8 +20599,12 @@ index 5fc0391..3448145 100644 dev_read_urand(ssh_t) fs_getattr_all_fs(ssh_t) -@@ -156,38 +177,42 @@ logging_read_generic_logs(ssh_t) +@@ -154,40 +175,46 @@ files_read_var_files(ssh_t) + logging_send_syslog_msg(ssh_t) + logging_read_generic_logs(ssh_t) ++term_use_ptmx(ssh_t) ++ auth_use_nsswitch(ssh_t) -miscfiles_read_localization(ssh_t) @@ -20441,7 +20665,7 @@ index 5fc0391..3448145 100644 ') optional_policy(` -@@ -195,6 +220,7 @@ optional_policy(` +@@ -195,6 +222,7 @@ optional_policy(` xserver_domtrans_xauth(ssh_t) ') @@ -20449,7 +20673,7 @@ index 5fc0391..3448145 100644 ############################## # # ssh_keysign_t local policy -@@ -206,6 +232,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms; +@@ -206,6 +234,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms; allow ssh_keysign_t sshd_key_t:file { getattr read }; dev_read_urand(ssh_keysign_t) @@ -20457,7 +20681,7 @@ index 5fc0391..3448145 100644 files_read_etc_files(ssh_keysign_t) -@@ -223,33 +250,54 @@ optional_policy(` +@@ -223,33 +252,54 @@ optional_policy(` # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; @@ -20521,7 +20745,7 @@ index 5fc0391..3448145 100644 ') optional_policy(` -@@ -257,11 +305,24 @@ optional_policy(` +@@ -257,11 +307,28 @@ optional_policy(` ') optional_policy(` @@ -20543,11 +20767,15 @@ index 5fc0391..3448145 100644 optional_policy(` - kerberos_keytab_template(sshd, sshd_t) ++ lvm_domtrans(sshd_t) ++') ++ ++optional_policy(` + nx_read_home_files(sshd_t) ') optional_policy(` -@@ -269,6 +330,10 @@ optional_policy(` +@@ -269,6 +336,10 @@ optional_policy(` ') optional_policy(` 
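Review bot: Renaming the boolean from allow_ssh_keysign to ssh_keysign (and adding ssh_sysadm_login alongside it) changes a name administrators may have persisted with setsebool -P and that scripts may reference, and nothing in this diff shows a compatibility alias for the old name. If the package relies on a booleans.subs_dist mapping for the rename, that change belongs in the same commit; otherwise a line above the tunable, e.g. `## formerly allow_ssh_keysign`, at least keeps the old name findable. The doc block around the two gen_tunable calls is garbled in this rendering, so I cannot verify that the desc/p markup in the patch itself is balanced.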
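Review bot: `lvm_domtrans(sshd_t)` lets the sshd daemon itself — not a user session it spawned — execute LVM tools and transition into lvm_t, a domain with raw access to block devices, and the hunk gives no reason for it. That is a notable widening of a privileged network daemon's reach. If it exists for a specific flow that runs directly under sshd_t, name it in a comment above the call, e.g. `# sshd execs LVM tools directly in this flow; review before widening further`, or put the transition behind a tunable so it is off where it is not needed. The optional_policy block is complete within the hunk.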
@@ -20558,7 +20786,7 @@ index 5fc0391..3448145 100644 rpm_use_script_fds(sshd_t) ') -@@ -279,13 +344,69 @@ optional_policy(` +@@ -279,13 +350,69 @@ optional_policy(` ') optional_policy(` @@ -20593,8 +20821,8 @@ index 5fc0391..3448145 100644 optional_policy(` + kernel_write_proc_files(sshd_t) -+ virt_transition_svirt_lxc(sshd_t, system_r) -+ virt_stream_connect_lxc(sshd_t) ++ virt_transition_svirt_sandbox(sshd_t, system_r) ++ virt_stream_connect_sandbox(sshd_t) + virt_stream_connect(sshd_t) +') + @@ -20628,7 +20856,7 @@ index 5fc0391..3448145 100644 ######################################## # # ssh_keygen local policy -@@ -294,19 +415,26 @@ optional_policy(` +@@ -294,19 +421,26 @@ optional_policy(` # ssh_keygen_t is the type of the ssh-keygen program when run at install time # and by sysadm_t @@ -20656,7 +20884,7 @@ index 5fc0391..3448145 100644 dev_read_urand(ssh_keygen_t) term_dontaudit_use_console(ssh_keygen_t) -@@ -323,6 +451,12 @@ auth_use_nsswitch(ssh_keygen_t) +@@ -323,6 +457,12 @@ auth_use_nsswitch(ssh_keygen_t) logging_send_syslog_msg(ssh_keygen_t) userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) @@ -20669,7 +20897,7 @@ index 5fc0391..3448145 100644 optional_policy(` seutil_sigchld_newrole(ssh_keygen_t) -@@ -331,3 +465,138 @@ optional_policy(` +@@ -331,3 +471,138 @@ optional_policy(` optional_policy(` udev_read_db(ssh_keygen_t) ') @@ -20966,7 +21194,7 @@ index d1f64a0..8f50bb9 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 6bf0ecc..ba9536c 100644 +index 6bf0ecc..9b46e11 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -18,100 +18,37 @@ 
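Review bot: In xserver_common_x_domain_template the hunk grants every X client domain ($2) `x_keyboard freeze` and `send` on generic xevent_t events, on top of the `x_keyboard { read manage }` and `x_server manage` already present; keyboard grabs and synthetic-event injection are exactly what the XACE object manager exists to separate clients on, so after this one confined client can freeze input or push events at another. If the intent is that the object manager no longer isolates input between clients, that should be stated once in the template rather than widened a permission at a time, e.g. `# NOTE: keyboard freeze and generic event send are granted to all X clients; XACE does not isolate input between client domains.` The template starts before the hunk, so I cannot see whether these rules sit inside a tunable that would make the point moot.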
@@ -21195,14 +21423,18 @@ index 6bf0ecc..ba9536c 100644 class x_synthetic_event all_x_synthetic_event_perms; + class x_client destroy; + class x_server manage; -+ class x_screen { saver_setattr saver_hide saver_show }; ++ class x_screen { saver_setattr saver_hide saver_show show_cursor hide_cursor }; + class x_pointer { get_property set_property manage }; -+ class x_keyboard { read manage }; ++ class x_keyboard { read manage freeze }; ') ############################## -@@ -386,6 +328,15 @@ template(`xserver_common_x_domain_template',` - allow $2 xevent_t:{ x_event x_synthetic_event } receive; +@@ -383,9 +325,18 @@ template(`xserver_common_x_domain_template',` + allow $2 $1_input_xevent_t:{ x_event x_synthetic_event } receive; + # can receive default events + allow $2 client_xevent_t:{ x_event x_synthetic_event } receive; +- allow $2 xevent_t:{ x_event x_synthetic_event } receive; ++ allow $2 xevent_t:{ x_event x_synthetic_event } { send receive }; # dont audit send failures dontaudit $2 input_xevent_type:x_event send; + @@ -21211,9 +21443,9 @@ index 6bf0ecc..ba9536c 100644 + + allow $2 root_xdrawable_t:x_drawable write; + allow $2 xserver_t:x_server manage; -+ allow $2 xserver_t:x_screen { saver_setattr saver_hide saver_show }; ++ allow $2 xserver_t:x_screen { show_cursor hide_cursor saver_setattr saver_hide saver_show }; + allow $2 xserver_t:x_pointer { get_property set_property manage }; -+ allow $2 xserver_t:x_keyboard { read manage }; ++ allow $2 xserver_t:x_keyboard { read manage freeze }; ') ####################################### @@ -21894,32 +22126,36 @@ index 6bf0ecc..ba9536c 100644 ##
## ## -@@ -1261,13 +1621,23 @@ interface(`xserver_read_tmp_files',` +@@ -1261,13 +1621,27 @@ interface(`xserver_read_tmp_files',` # interface(`xserver_manage_core_devices',` gen_require(` - type xserver_t; -+ type xserver_t, root_xdrawable_t; ++ type xserver_t, root_xdrawable_t, xevent_t; class x_device all_x_device_perms; class x_pointer all_x_pointer_perms; class x_keyboard all_x_keyboard_perms; + class x_screen all_x_screen_perms; + class x_drawable { manage }; + attribute x_domain; -+ class x_drawable { read manage setattr show }; -+ class x_resource { write read }; ++ class x_drawable all_x_drawable_perms; ++ class x_resource all_x_resource_perms; ++ class x_synthetic_event all_x_synthetic_event_perms; ++ class x_cursor all_x_cursor_perms; ') allow $1 xserver_t:{ x_device x_pointer x_keyboard } *; + allow $1 xserver_t:{ x_screen } setattr; + -+ allow $1 x_domain:x_drawable { read manage setattr show }; -+ allow $1 x_domain:x_resource { write read }; -+ allow $1 root_xdrawable_t:x_drawable { manage read }; ++ allow $1 x_domain:x_cursor all_x_cursor_perms; ++ allow $1 x_domain:x_drawable all_x_drawable_perms; ++ allow $1 x_domain:x_resource all_x_resource_perms; ++ allow $1 root_xdrawable_t:x_drawable all_x_drawable_perms; ++ allow $1 xevent_t:x_synthetic_event all_x_synthetic_event_perms; ') ######################################## -@@ -1284,10 +1654,622 @@ interface(`xserver_manage_core_devices',` +@@ -1284,10 +1658,623 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` 
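Review bot: xserver_manage_core_devices now grants the caller all_x_drawable_perms and all_x_resource_perms on every x_domain, all_x_cursor_perms, full x_drawable rights on root_xdrawable_t and all_x_synthetic_event_perms on xevent_t, where the previous version covered the core devices plus a narrow drawable/resource set. That is effectively unconfined access to other clients' windows and to event injection under a name that still says "manage core devices", so existing callers receive far more than they asked for. Either rename the interface or add to its summary `## Also grants full drawable/resource/cursor/synthetic-event access over all X clients; close to xserver_unconfined for X objects.`, and re-check each caller against that. The interface is complete within the hunk.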
@@ -22419,6 +22655,7 @@ index 6bf0ecc..ba9536c 100644 + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority") + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-l") + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-c") ++ userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauthority-n") + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".xauth") + userdom_user_home_dir_filetrans($1, xauth_home_t, file, ".Xauth") + userdom_user_home_dir_filetrans($1, xdm_home_t, file, ".xsession-errors") @@ -22545,7 +22782,7 @@ index 6bf0ecc..ba9536c 100644 + dontaudit $1 xserver_log_t:dir search_dir_perms; +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te -index 2696452..027e384 100644 +index 2696452..93b05fa 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -26,28 +26,59 @@ gen_require(` @@ -22796,7 +23033,7 @@ index 2696452..027e384 100644 ') ######################################## -@@ -247,48 +321,83 @@ tunable_policy(`use_samba_home_dirs',` +@@ -247,48 +321,89 @@ tunable_policy(`use_samba_home_dirs',` # Xauth local policy # @@ -22859,6 +23096,12 @@ index 2696452..027e384 100644 +userdom_use_inherited_user_terminals(xauth_t) userdom_read_user_tmp_files(xauth_t) +userdom_read_all_users_state(xauth_t) ++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority") ++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-l") ++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-c") ++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauthority-n") ++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".xauth") ++userdom_user_home_dir_filetrans(xauth_t, xauth_home_t, file, ".Xauth") xserver_rw_xdm_tmp_files(xauth_t) 
@@ -22891,7 +23134,7 @@ index 2696452..027e384 100644 ssh_sigchld(xauth_t) ssh_read_pipes(xauth_t) ssh_dontaudit_rw_tcp_sockets(xauth_t) -@@ -299,64 +408,109 @@ optional_policy(` +@@ -299,64 +414,109 @@ optional_policy(` # XDM Local policy # @@ -23011,7 +23254,7 @@ index 2696452..027e384 100644 # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -365,20 +519,29 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) +@@ -365,20 +525,29 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -23043,7 +23286,7 @@ index 2696452..027e384 100644 corenet_all_recvfrom_netlabel(xdm_t) corenet_tcp_sendrecv_generic_if(xdm_t) corenet_udp_sendrecv_generic_if(xdm_t) -@@ -388,38 +551,48 @@ corenet_tcp_sendrecv_all_ports(xdm_t) +@@ -388,38 +557,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t) corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -23067,6 +23310,7 @@ index 2696452..027e384 100644 dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) ++dev_rw_wireless(xdm_t) dev_getattr_xserver_misc_dev(xdm_t) dev_setattr_xserver_misc_dev(xdm_t) +dev_rw_xserver_misc(xdm_t) @@ -23096,7 +23340,7 @@ index 2696452..027e384 100644 files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -430,9 +603,28 @@ files_list_mnt(xdm_t) +@@ -430,9 +610,28 @@ files_list_mnt(xdm_t) files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) 
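Review bot: `dev_rw_wireless(xdm_t)` presumably gives the display manager read/write on every device node labelled wireless_device_t, and the line carries no explanation. If the need is the greeter toggling rfkill, say so, e.g. `# rfkill toggling from the greeter`, and check whether a narrower interface for that node exists; otherwise this adds raw wireless-device write access to a root daemon whose footprint is already broad. The xdm_t local policy section continues outside the hunk.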
@@ -23125,7 +23369,7 @@ index 2696452..027e384 100644 storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -441,28 +633,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t) +@@ -441,28 +640,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t) storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -23174,7 +23418,7 @@ index 2696452..027e384 100644 userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -471,24 +680,144 @@ userdom_read_user_home_content_files(xdm_t) +@@ -471,24 +687,144 @@ userdom_read_user_home_content_files(xdm_t) # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) @@ -23325,7 +23569,7 @@ index 2696452..027e384 100644 tunable_policy(`xdm_sysadm_login',` userdom_xsession_spec_domtrans_all_users(xdm_t) # FIXME: -@@ -502,11 +831,26 @@ tunable_policy(`xdm_sysadm_login',` +@@ -502,11 +838,26 @@ tunable_policy(`xdm_sysadm_login',` ') optional_policy(` @@ -23352,7 +23596,7 @@ index 2696452..027e384 100644 ') optional_policy(` -@@ -514,12 +858,56 @@ optional_policy(` +@@ -514,12 +865,57 @@ optional_policy(` ') optional_policy(` @@ -23395,6 +23639,7 @@ index 2696452..027e384 100644 + gnome_stream_connect_gkeyringd(xdm_t) + gnome_exec_gstreamer_home_files(xdm_t) + gnome_exec_keyringd(xdm_t) ++ gnome_delete_gkeyringd_tmp_content(xdm_t) + gnome_manage_config(xdm_t) + gnome_manage_gconf_home_files(xdm_t) + #gnome_filetrans_home_content(xdm_t) @@ -23409,7 +23654,7 @@ index 2696452..027e384 100644 hostname_exec(xdm_t) ') -@@ -537,28 +925,78 @@ optional_policy(` +@@ -537,28 +933,78 @@ optional_policy(` ') optional_policy(` @@ -23497,7 +23742,7 @@ index 2696452..027e384 100644 ') optional_policy(` -@@ -570,6 +1008,14 @@ optional_policy(` +@@ -570,6 +1016,14 @@ optional_policy(` ') optional_policy(` 
@@ -23512,7 +23757,16 @@ index 2696452..027e384 100644 xfs_stream_connect(xdm_t) ') -@@ -594,8 +1040,11 @@ allow xserver_t input_xevent_t:x_event send; +@@ -584,7 +1038,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t; + type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t; + + allow xserver_t { root_xdrawable_t x_domain }:x_drawable send; +-allow xserver_t input_xevent_t:x_event send; ++allow xserver_t xevent_type:x_event send; + + # setuid/setgid for the wrapper program to change UID + # sys_rawio is for iopl access - should not be needed for frame-buffer +@@ -594,8 +1048,11 @@ allow xserver_t input_xevent_t:x_event send; # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack @@ -23525,7 +23779,7 @@ index 2696452..027e384 100644 allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; -@@ -608,8 +1057,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; +@@ -608,8 +1065,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto }; allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -23541,7 +23795,7 @@ index 2696452..027e384 100644 manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t) -@@ -617,6 +1073,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) +@@ -617,6 +1081,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file }) filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file) 
@@ -23552,7 +23806,7 @@ index 2696452..027e384 100644 manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -628,12 +1088,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) +@@ -628,12 +1096,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -23574,7 +23828,7 @@ index 2696452..027e384 100644 kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -641,12 +1108,12 @@ kernel_read_modprobe_sysctls(xserver_t) +@@ -641,12 +1116,12 @@ kernel_read_modprobe_sysctls(xserver_t) # Xorg wants to check if kernel is tainted kernel_read_kernel_sysctls(xserver_t) kernel_write_proc_files(xserver_t) @@ -23588,7 +23842,7 @@ index 2696452..027e384 100644 corenet_all_recvfrom_netlabel(xserver_t) corenet_tcp_sendrecv_generic_if(xserver_t) corenet_udp_sendrecv_generic_if(xserver_t) -@@ -667,23 +1134,28 @@ dev_rw_apm_bios(xserver_t) +@@ -667,23 +1142,28 @@ dev_rw_apm_bios(xserver_t) dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -23620,7 +23874,7 @@ index 2696452..027e384 100644 # brought on by rhgb files_search_mnt(xserver_t) -@@ -694,7 +1166,16 @@ fs_getattr_xattr_fs(xserver_t) +@@ -694,7 +1174,16 @@ fs_getattr_xattr_fs(xserver_t) fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -23638,7 +23892,7 @@ index 2696452..027e384 100644 mls_xwin_read_to_clearance(xserver_t) selinux_validate_context(xserver_t) -@@ -708,20 +1189,18 @@ init_getpgid(xserver_t) +@@ -708,20 +1197,18 @@ init_getpgid(xserver_t) term_setattr_unallocated_ttys(xserver_t) term_use_unallocated_ttys(xserver_t) 
@@ -23662,7 +23916,7 @@ index 2696452..027e384 100644 userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -729,8 +1208,6 @@ userdom_setattr_user_ttys(xserver_t) +@@ -729,8 +1216,6 @@ userdom_setattr_user_ttys(xserver_t) userdom_read_user_tmp_files(xserver_t) userdom_rw_user_tmpfs_files(xserver_t) @@ -23671,7 +23925,7 @@ index 2696452..027e384 100644 ifndef(`distro_redhat',` allow xserver_t self:process { execmem execheap execstack }; domain_mmap_low_uncond(xserver_t) -@@ -775,16 +1252,44 @@ optional_policy(` +@@ -775,16 +1260,44 @@ optional_policy(` ') optional_policy(` @@ -23717,7 +23971,7 @@ index 2696452..027e384 100644 unconfined_domtrans(xserver_t) ') -@@ -793,6 +1298,10 @@ optional_policy(` +@@ -793,6 +1306,10 @@ optional_policy(` ') optional_policy(` @@ -23728,7 +23982,7 @@ index 2696452..027e384 100644 xfs_stream_connect(xserver_t) ') -@@ -808,10 +1317,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; +@@ -808,10 +1325,10 @@ allow xserver_t xdm_t:shm rw_shm_perms; # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -23742,7 +23996,7 @@ index 2696452..027e384 100644 # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -819,7 +1328,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) +@@ -819,7 +1336,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) # Run xkbcomp. @@ -23751,7 +24005,7 @@ index 2696452..027e384 100644 can_exec(xserver_t, xkb_var_lib_t) # VNC v4 module in X server -@@ -832,26 +1341,21 @@ init_use_fds(xserver_t) +@@ -832,26 +1349,21 @@ init_use_fds(xserver_t) # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) 
@@ -23786,7 +24040,7 @@ index 2696452..027e384 100644 ') optional_policy(` -@@ -902,7 +1406,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy +@@ -902,7 +1414,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show }; # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -23795,7 +24049,7 @@ index 2696452..027e384 100644 # operations allowed on all windows allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child }; -@@ -956,11 +1460,31 @@ allow x_domain self:x_resource { read write }; +@@ -956,11 +1468,31 @@ allow x_domain self:x_resource { read write }; # can mess with the screensaver allow x_domain xserver_t:x_screen { getattr saver_getattr }; @@ -23827,7 +24081,7 @@ index 2696452..027e384 100644 tunable_policy(`! xserver_object_manager',` # should be xserver_unconfined(x_domain), # but typeattribute doesnt work in conditionals -@@ -982,18 +1506,150 @@ tunable_policy(`! xserver_object_manager',` +@@ -982,18 +1514,150 @@ tunable_policy(`! xserver_object_manager',` allow x_domain xevent_type:{ x_event x_synthetic_event } *; ') @@ -25879,10 +26133,10 @@ index 9dfecf7..6d00f5c 100644 + +/usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0) diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te -index f6cbda9..8c37105 100644 +index f6cbda9..51e9aef 100644 --- a/policy/modules/system/hostname.te +++ b/policy/modules/system/hostname.te -@@ -23,39 +23,47 @@ dontaudit hostname_t self:capability sys_tty_config; +@@ -23,39 +23,46 @@ dontaudit hostname_t self:capability sys_tty_config; kernel_list_proc(hostname_t) kernel_read_proc_symlinks(hostname_t) 
@@ -25909,8 +26163,7 @@ index f6cbda9..8c37105 100644 term_dontaudit_use_console(hostname_t) -term_use_all_ttys(hostname_t) -term_use_all_ptys(hostname_t) -+term_use_all_inherited_ttys(hostname_t) -+term_use_all_inherited_ptys(hostname_t) ++term_use_all_inherited_terms(hostname_t) init_use_fds(hostname_t) init_use_script_fds(hostname_t) @@ -28832,7 +29085,7 @@ index 0d4c8d3..a89c4a2 100644 + ps_process_pattern($1, ipsec_mgmt_t) +') diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te -index 9e54bf9..a0ba260 100644 +index 9e54bf9..bc0e6c2 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t) @@ -28914,7 +29167,7 @@ index 9e54bf9..a0ba260 100644 term_use_console(ipsec_t) term_dontaudit_use_all_ttys(ipsec_t) -@@ -165,11 +176,13 @@ auth_use_nsswitch(ipsec_t) +@@ -165,16 +176,22 @@ auth_use_nsswitch(ipsec_t) init_use_fds(ipsec_t) init_use_script_ptys(ipsec_t) @@ -28929,7 +29182,16 @@ index 9e54bf9..a0ba260 100644 userdom_dontaudit_use_unpriv_user_fds(ipsec_t) userdom_dontaudit_search_user_home_dirs(ipsec_t) -@@ -187,10 +200,10 @@ optional_policy(` + + optional_policy(` ++ iptables_domtrans(ipsec_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(ipsec_t) + ') + +@@ -187,10 +204,10 @@ optional_policy(` # ipsec_mgmt Local policy # @@ -28944,7 +29206,7 @@ index 9e54bf9..a0ba260 100644 allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms; allow ipsec_mgmt_t self:udp_socket create_socket_perms; allow ipsec_mgmt_t self:key_socket create_socket_perms; -@@ -210,6 +223,7 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; +@@ -210,10 +227,11 @@ allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms; files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) 
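Review bot: The new `iptables_domtrans(ipsec_t)` block gives the IKE daemon an unconditional transition into iptables_t, so a pluto process compromised through its network-facing IKE path (the corenet rules for ipsec_t sit outside this hunk) could rewrite firewall rules, and the grant carries neither a tunable nor a comment saying which code path needs it. If this is for the _updown scripts, a why-comment above the block such as `# _updown scripts invoke iptables to install per-connection rules -- confirm` would record that, and wrapping it in a `tunable_policy` would let hosts that do not use firewall hooks keep it off. The ipsec_t section continues outside the hunk.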
@@ -28952,7 +29214,12 @@ index 9e54bf9..a0ba260 100644 manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t) allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms; -@@ -246,6 +260,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) +-files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, sock_file) ++files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, { dir sock_file }) + + # _realsetup needs to be able to cat /var/run/pluto.pid, + # run ps on that pid, and delete the file +@@ -246,6 +264,16 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t) kernel_getattr_core_if(ipsec_mgmt_t) kernel_getattr_message_if(ipsec_mgmt_t) @@ -28969,7 +29236,7 @@ index 9e54bf9..a0ba260 100644 files_read_kernel_symbol_table(ipsec_mgmt_t) files_getattr_kernel_modules(ipsec_mgmt_t) -@@ -255,6 +279,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) +@@ -255,6 +283,8 @@ files_getattr_kernel_modules(ipsec_mgmt_t) corecmd_exec_bin(ipsec_mgmt_t) corecmd_exec_shell(ipsec_mgmt_t) @@ -28978,7 +29245,7 @@ index 9e54bf9..a0ba260 100644 dev_read_rand(ipsec_mgmt_t) dev_read_urand(ipsec_mgmt_t) -@@ -278,9 +304,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) +@@ -278,9 +308,10 @@ fs_getattr_xattr_fs(ipsec_mgmt_t) fs_list_tmpfs(ipsec_mgmt_t) term_use_console(ipsec_mgmt_t) @@ -28990,7 +29257,7 @@ index 9e54bf9..a0ba260 100644 init_read_utmp(ipsec_mgmt_t) init_use_script_ptys(ipsec_mgmt_t) -@@ -290,15 +317,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) +@@ -290,15 +321,18 @@ init_labeled_script_domtrans(ipsec_mgmt_t, ipsec_initrc_exec_t) logging_send_syslog_msg(ipsec_mgmt_t) @@ -29014,7 +29281,7 @@ index 9e54bf9..a0ba260 100644 optional_policy(` consoletype_exec(ipsec_mgmt_t) -@@ -322,6 +352,10 @@ optional_policy(` +@@ -322,6 +356,10 @@ optional_policy(` ') optional_policy(` 
@@ -29025,7 +29292,7 @@ index 9e54bf9..a0ba260 100644 modutils_domtrans_insmod(ipsec_mgmt_t) ') -@@ -335,7 +369,7 @@ optional_policy(` +@@ -335,7 +373,7 @@ optional_policy(` # allow racoon_t self:capability { net_admin net_bind_service }; @@ -29034,7 +29301,7 @@ index 9e54bf9..a0ba260 100644 allow racoon_t self:unix_dgram_socket { connect create ioctl write }; allow racoon_t self:netlink_selinux_socket { bind create read }; allow racoon_t self:udp_socket create_socket_perms; -@@ -370,13 +404,12 @@ kernel_request_load_module(racoon_t) +@@ -370,13 +408,12 @@ kernel_request_load_module(racoon_t) corecmd_exec_shell(racoon_t) corecmd_exec_bin(racoon_t) @@ -29054,7 +29321,7 @@ index 9e54bf9..a0ba260 100644 corenet_udp_bind_isakmp_port(racoon_t) corenet_udp_bind_ipsecnat_port(racoon_t) -@@ -401,10 +434,11 @@ locallogin_use_fds(racoon_t) +@@ -401,10 +438,11 @@ locallogin_use_fds(racoon_t) logging_send_syslog_msg(racoon_t) logging_send_audit_msgs(racoon_t) @@ -29067,7 +29334,7 @@ index 9e54bf9..a0ba260 100644 auth_can_read_shadow_passwords(racoon_t) tunable_policy(`racoon_read_shadow',` auth_tunable_read_shadow(racoon_t) -@@ -438,9 +472,9 @@ corenet_setcontext_all_spds(setkey_t) +@@ -438,9 +476,9 @@ corenet_setcontext_all_spds(setkey_t) locallogin_use_fds(setkey_t) @@ -29784,7 +30051,7 @@ index 808ba93..9d8f729 100644 + files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~") +') diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te -index 23a645e..f0cbd38 100644 +index 23a645e..52a8540 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t) 
@@ -29817,21 +30084,23 @@ index 23a645e..f0cbd38 100644 files_etc_filetrans(ldconfig_t, ld_so_cache_t, file) manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t) -@@ -75,10 +77,14 @@ kernel_read_system_state(ldconfig_t) +@@ -75,11 +77,15 @@ kernel_read_system_state(ldconfig_t) fs_getattr_xattr_fs(ldconfig_t) +files_list_var_lib(ldconfig_t) ++files_dontaudit_leaks(ldconfig_t) +files_manage_var_lib_symlinks(ldconfig_t) + corecmd_search_bin(ldconfig_t) domain_use_interactive_fds(ldconfig_t) +-files_search_var_lib(ldconfig_t) +files_search_home(ldconfig_t) - files_search_var_lib(ldconfig_t) files_read_etc_files(ldconfig_t) files_read_usr_files(ldconfig_t) + files_search_tmp(ldconfig_t) @@ -90,11 +96,11 @@ files_delete_etc_files(ldconfig_t) init_use_script_ptys(ldconfig_t) init_read_script_tmp_files(ldconfig_t) @@ -30664,7 +30933,7 @@ index 4e94884..9b82ed0 100644 + logging_log_filetrans($1, var_log_t, dir, "anaconda") +') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te -index 39ea221..692b00d 100644 +index 39ea221..aae7b7d 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -4,6 +4,21 @@ policy_module(logging, 1.19.6) @@ -30880,7 +31149,7 @@ index 39ea221..692b00d 100644 # Allow access for syslog-ng allow syslogd_t var_log_t:dir { create setattr }; -@@ -386,22 +426,31 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +@@ -386,22 +426,34 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) 
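Review bot: `files_dontaudit_leaks(ldconfig_t)` silences the AVC messages for descriptors leaked into ldconfig by whatever spawns it, which is exactly the signal that would reveal a caller handing an open file or socket to a root helper, and the hunk gives no hint which caller leaks. A comment naming the source, e.g. `# hide fds leaked by callers of ldconfig; the leak is in the caller, not here -- confirm which domain`, would make the dontaudit reviewable, and if a single domain is responsible a narrower dontaudit on that domain's types would hide less than the generic rule. The ldconfig_t section continues outside the hunk.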
@@ -30910,12 +31179,15 @@ index 39ea221..692b00d 100644 +ifdef(`hide_broken_symptoms',` + kernel_rw_unix_dgram_sockets(syslogd_t) +') ++ ++corecmd_exec_bin(syslogd_t) ++corecmd_exec_shell(syslogd_t) -corenet_all_recvfrom_unlabeled(syslogd_t) corenet_all_recvfrom_netlabel(syslogd_t) corenet_udp_sendrecv_generic_if(syslogd_t) corenet_udp_sendrecv_generic_node(syslogd_t) -@@ -427,9 +476,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) +@@ -427,9 +479,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t) corenet_sendrecv_postgresql_client_packets(syslogd_t) corenet_sendrecv_mysqld_client_packets(syslogd_t) @@ -30943,7 +31215,7 @@ index 39ea221..692b00d 100644 domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) -@@ -442,14 +508,19 @@ files_read_kernel_symbol_table(syslogd_t) +@@ -442,14 +511,19 @@ files_read_kernel_symbol_table(syslogd_t) files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) @@ -30963,7 +31235,7 @@ index 39ea221..692b00d 100644 # for sending messages to logged in users init_read_utmp(syslogd_t) init_dontaudit_write_utmp(syslogd_t) -@@ -461,11 +532,10 @@ init_use_fds(syslogd_t) +@@ -461,11 +535,10 @@ init_use_fds(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) @@ -30977,7 +31249,7 @@ index 39ea221..692b00d 100644 ifdef(`distro_gentoo',` # default gentoo syslog-ng config appends kernel -@@ -502,15 +572,36 @@ optional_policy(` +@@ -502,15 +575,40 @@ optional_policy(` ') optional_policy(` @@ -31004,6 +31276,10 @@ index 39ea221..692b00d 100644 ') optional_policy(` ++ psad_search_lib_files(syslogd_t) ++') ++ ++optional_policy(` seutil_sigchld_newrole(syslogd_t) + snmp_read_snmp_var_lib_files(syslogd_t) + snmp_dontaudit_write_snmp_var_lib_files(syslogd_t) @@ -31014,7 +31290,7 @@ index 39ea221..692b00d 100644 ') optional_policy(` -@@ -521,3 +612,26 @@ optional_policy(` +@@ -521,3 +619,26 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') 
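Review bot: `corecmd_exec_bin(syslogd_t)` and `corecmd_exec_shell(syslogd_t)` let the log daemon, which the corenet rules just below this insertion allow to receive UDP and TCP syslog traffic from the network, run any bin_t program and a shell inside its own domain, so a parsing bug on a remote-message path turns into arbitrary command execution with syslogd_t's log-file, socket and capability set. If this is for an output module that spawns helpers, it should at least be gated behind a boolean, and better still the helper should be transitioned into its own domain with a `domtrans_pattern` so the spawned program does not inherit syslogd_t's access; a why-comment naming the module that needs it would also help. The syslogd_t policy continues outside the hunk.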
@@ -31042,10 +31318,10 @@ index 39ea221..692b00d 100644 + +logging_stream_connect_syslog(syslog_client_type) diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc -index 879bb1e..7daaff3 100644 +index 879bb1e..5aa4eeb 100644 --- a/policy/modules/system/lvm.fc +++ b/policy/modules/system/lvm.fc -@@ -23,28 +23,34 @@ ifdef(`distro_gentoo',` +@@ -23,28 +23,35 @@ ifdef(`distro_gentoo',` /etc/lvmtab(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) /etc/lvmtab\.d(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) @@ -31062,6 +31338,7 @@ index 879bb1e..7daaff3 100644 # /sbin # +/sbin/mount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0) ++/sbin/umount\.crypt -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/dmraid -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/dmsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) @@ -31081,7 +31358,7 @@ index 879bb1e..7daaff3 100644 /sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0) /sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0) -@@ -88,8 +94,71 @@ ifdef(`distro_gentoo',` +@@ -88,8 +95,71 @@ ifdef(`distro_gentoo',` # # /usr # @@ -31155,7 +31432,7 @@ index 879bb1e..7daaff3 100644 # # /var -@@ -97,5 +166,8 @@ ifdef(`distro_gentoo',` +@@ -97,5 +167,8 @@ ifdef(`distro_gentoo',` /var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0) /var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0) /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0) @@ -32571,7 +32848,7 @@ index 4584457..e432df3 100644 + domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t) ') diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te -index 6a50270..4e5bf09 100644 +index 6a50270..d941116 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te 
@@ -5,40 +5,58 @@ policy_module(mount, 1.15.1) @@ -32656,7 +32933,7 @@ index 6a50270..4e5bf09 100644 +manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t) +manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t) -+files_pid_filetrans(mount_t,mount_var_run_t,dir,"mount") ++files_pid_filetrans(mount_t,mount_var_run_t,{ dir file }) +files_var_filetrans(mount_t,mount_var_run_t,dir) +dev_filetrans(mount_t, mount_var_run_t, dir) + @@ -33740,7 +34017,7 @@ index 3822072..ec95692 100644 + allow semanage_t $1:dbus send_msg; +') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te -index ec01d0b..063ef61 100644 +index ec01d0b..59ed766 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -11,14 +11,16 @@ gen_require(` @@ -34268,7 +34545,7 @@ index ec01d0b..063ef61 100644 ') ######################################## -@@ -522,108 +598,189 @@ ifdef(`distro_ubuntu',` +@@ -522,108 +598,191 @@ ifdef(`distro_ubuntu',` # Setfiles local policy # @@ -34536,6 +34813,8 @@ index ec01d0b..063ef61 100644 + +files_rw_inherited_generic_pid_files(setfiles_domain) +files_rw_inherited_generic_pid_files(policy_manager_domain) ++files_create_boot_flag(policy_manager_domain, ".autorelabel") ++files_delete_boot_flag(policy_manager_domain) + optional_policy(` - hotplug_use_fds(setfiles_t) @@ -34956,7 +35235,7 @@ index 6944526..ec17624 100644 + files_etc_filetrans($1, net_conf_t, file, "ntp.conf") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index b7686d5..a5086e8 100644 +index b7686d5..087fe08 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6) 
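Review bot: The rewritten `files_pid_filetrans(mount_t,mount_var_run_t,{ dir file })` drops the `"mount"` name qualifier, so every directory and file mount_t creates directly inside a var_run_t directory is now labeled mount_var_run_t rather than only /run/mount, and any other pid-dir entry mount_t writes would be mislabeled and fall under this domain's manage rules (the adjacent `files_var_filetrans` and `dev_filetrans` rules are unqualified in the same way). If a plain file outside /run/mount genuinely needs the label, keep the directory filter and name the file too, e.g. `files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount")` plus a second `files_pid_filetrans(mount_t, mount_var_run_t, file, "<name>")`. I cannot see from the hunk which file prompted the change, so a comment naming it would help.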
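Review bot: `files_create_boot_flag(policy_manager_domain, ".autorelabel")` lets every domain carrying the policy_manager_domain attribute schedule a full filesystem relabel at the next boot, and the paired `files_delete_boot_flag(policy_manager_domain)` lets any of them cancel one; that is a high-impact, availability-affecting action and the hunk does not say which manager needs it. A why-comment above the pair naming the tool and its code path (presumably a relabel helper rather than load_policy itself) would make the scope reviewable, and if only one of the policy-manager types needs it the rule belongs on that type instead of the attribute. The setfiles/policy-manager section continues outside the hunk.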
@@ -35052,7 +35331,7 @@ index b7686d5..a5086e8 100644 corenet_tcp_sendrecv_all_ports(dhcpc_t) corenet_udp_sendrecv_all_ports(dhcpc_t) corenet_tcp_bind_all_nodes(dhcpc_t) -@@ -108,21 +125,23 @@ corenet_udp_bind_dhcpc_port(dhcpc_t) +@@ -108,21 +125,24 @@ corenet_udp_bind_dhcpc_port(dhcpc_t) corenet_tcp_connect_all_ports(dhcpc_t) corenet_sendrecv_dhcpd_client_packets(dhcpc_t) corenet_sendrecv_dhcpc_server_packets(dhcpc_t) @@ -35075,10 +35354,11 @@ index b7686d5..a5086e8 100644 files_dontaudit_search_locks(dhcpc_t) files_getattr_generic_locks(dhcpc_t) +files_rw_inherited_tmp_file(dhcpc_t) ++files_dontaudit_rw_inherited_locks(dhcpc_t) fs_getattr_all_fs(dhcpc_t) fs_search_auto_mountpoints(dhcpc_t) -@@ -132,11 +151,15 @@ term_dontaudit_use_all_ptys(dhcpc_t) +@@ -132,11 +152,15 @@ term_dontaudit_use_all_ptys(dhcpc_t) term_dontaudit_use_unallocated_ttys(dhcpc_t) term_dontaudit_use_generic_ptys(dhcpc_t) @@ -35095,7 +35375,7 @@ index b7686d5..a5086e8 100644 modutils_run_insmod(dhcpc_t, dhcpc_roles) -@@ -156,7 +179,14 @@ ifdef(`distro_ubuntu',` +@@ -156,7 +180,14 @@ ifdef(`distro_ubuntu',` ') optional_policy(` @@ -35111,7 +35391,7 @@ index b7686d5..a5086e8 100644 ') optional_policy(` -@@ -174,10 +204,6 @@ optional_policy(` +@@ -174,10 +205,6 @@ optional_policy(` ') optional_policy(` @@ -35122,7 +35402,7 @@ index b7686d5..a5086e8 100644 hotplug_getattr_config_dirs(dhcpc_t) hotplug_search_config(dhcpc_t) -@@ -190,23 +216,36 @@ optional_policy(` +@@ -190,23 +217,36 @@ optional_policy(` optional_policy(` netutils_run_ping(dhcpc_t, dhcpc_roles) netutils_run(dhcpc_t, dhcpc_roles) @@ -35159,7 +35439,7 @@ index b7686d5..a5086e8 100644 ') optional_policy(` -@@ -216,7 +255,11 @@ optional_policy(` +@@ -216,7 +256,11 @@ optional_policy(` optional_policy(` seutil_sigchld_newrole(dhcpc_t) @@ -35172,7 +35452,7 @@ index b7686d5..a5086e8 100644 ') optional_policy(` -@@ -228,6 +271,10 @@ optional_policy(` +@@ -228,6 +272,10 @@ optional_policy(` ') optional_policy(` 
@@ -35183,7 +35463,7 @@ index b7686d5..a5086e8 100644 vmware_append_log(dhcpc_t) ') -@@ -259,12 +306,21 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -259,12 +307,23 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; @@ -35193,6 +35473,8 @@ index b7686d5..a5086e8 100644 +allow ifconfig_t self:netlink_socket create_socket_perms; allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms; allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read }; ++allow ifconfig_t self:tun_socket { relabelfrom relabelto create_socket_perms }; ++ allow ifconfig_t self:tcp_socket { create ioctl }; +can_exec(ifconfig_t, ifconfig_exec_t) @@ -35205,7 +35487,7 @@ index b7686d5..a5086e8 100644 kernel_use_fds(ifconfig_t) kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) -@@ -274,14 +330,29 @@ kernel_rw_net_sysctls(ifconfig_t) +@@ -274,14 +333,30 @@ kernel_rw_net_sysctls(ifconfig_t) corenet_rw_tun_tap_dev(ifconfig_t) @@ -35226,6 +35508,7 @@ index b7686d5..a5086e8 100644 +read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t) + +files_dontaudit_rw_inherited_pipes(ifconfig_t) ++files_dontaudit_rw_inherited_locks(ifconfig_t) +files_dontaudit_read_root_files(ifconfig_t) +files_rw_inherited_tmp_file(ifconfig_t) + @@ -35235,7 +35518,7 @@ index b7686d5..a5086e8 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -294,22 +365,22 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -294,22 +369,22 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -35263,7 +35546,7 @@ index b7686d5..a5086e8 100644 userdom_use_all_users_fds(ifconfig_t) ifdef(`distro_ubuntu',` -@@ -318,7 +389,22 @@ ifdef(`distro_ubuntu',` +@@ -318,7 +393,22 @@ ifdef(`distro_ubuntu',` ') ') 
@@ -35286,7 +35569,7 @@ index b7686d5..a5086e8 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -329,8 +415,11 @@ ifdef(`hide_broken_symptoms',` +@@ -329,8 +419,11 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -35300,7 +35583,7 @@ index b7686d5..a5086e8 100644 ') optional_policy(` -@@ -339,7 +428,15 @@ optional_policy(` +@@ -339,7 +432,15 @@ optional_policy(` ') optional_policy(` @@ -35317,7 +35600,7 @@ index b7686d5..a5086e8 100644 ') optional_policy(` -@@ -360,3 +457,13 @@ optional_policy(` +@@ -360,3 +461,13 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') @@ -35333,10 +35616,10 @@ index b7686d5..a5086e8 100644 +') diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc new file mode 100644 -index 0000000..2cd29ba +index 0000000..431619e --- /dev/null +++ b/policy/modules/system/systemd.fc -@@ -0,0 +1,43 @@ +@@ -0,0 +1,44 @@ +/etc/hostname -- gen_context(system_u:object_r:hostname_etc_t,s0) +/etc/machine-info -- gen_context(system_u:object_r:hostname_etc_t,s0) + @@ -35351,6 +35634,7 @@ index 0000000..2cd29ba +/usr/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0) +/usr/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0) + ++/usr/lib/dracut/modules.d/.*\.service gen_context(system_u:object_r:systemd_unit_file_t,s0) +/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_file_t,s0) +/usr/lib/systemd/system/systemd-vconsole-setup\.service gen_context(system_u:object_r:systemd_vconsole_unit_file_t,s0) +/usr/lib/systemd/system/.*halt.* -- gen_context(system_u:object_r:power_unit_file_t,s0) @@ -38717,7 +39001,7 @@ index db75976..65191bd 100644 + +/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if -index 3c5dba7..2bf0cab 100644 +index 3c5dba7..fc2fb65 100644 
--- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -30,9 +30,11 @@ template(`userdom_base_user_template',` @@ -39792,15 +40076,17 @@ index 3c5dba7..2bf0cab 100644 + allow $1_usertype self:netlink_kobject_uevent_socket create_socket_perms; + dontaudit $1_usertype self:netlink_audit_socket create_socket_perms; + -+ seutil_read_file_contexts($1_t) -+ seutil_read_default_contexts($1_t) ++ seutil_read_file_contexts($1_t) ++ seutil_read_default_contexts($1_t) + ############################## # # Local policy -@@ -908,41 +1116,97 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -907,42 +1115,99 @@ template(`userdom_restricted_xwindows_user_template',` + # # Local policy # ++ kernel_stream_connect($1_usertype) - auth_role($1_r, $1_t) - auth_search_pam_console_data($1_t) @@ -39909,7 +40195,7 @@ index 3c5dba7..2bf0cab 100644 ') optional_policy(` -@@ -951,12 +1215,29 @@ template(`userdom_restricted_xwindows_user_template',` +@@ -951,12 +1216,29 @@ template(`userdom_restricted_xwindows_user_template',` ') optional_policy(` @@ -39940,7 +40226,7 @@ index 3c5dba7..2bf0cab 100644 ') ####################################### -@@ -990,27 +1271,33 @@ template(`userdom_unpriv_user_template', ` +@@ -990,27 +1272,33 @@ template(`userdom_unpriv_user_template', ` # # Inherit rules for ordinary users. @@ -39978,7 +40264,7 @@ index 3c5dba7..2bf0cab 100644 fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) # Write floppies -@@ -1021,23 +1308,60 @@ template(`userdom_unpriv_user_template', ` +@@ -1021,23 +1309,60 @@ template(`userdom_unpriv_user_template', ` ') ') 
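Review bot: `kernel_stream_connect($1_usertype)` is added unconditionally to the restricted X-windows user template with no comment saying which kernel_t-labeled unix stream socket these users need to reach, and it sits under the `# Local policy` banner rather than with the other socket rules earlier in the same hunk. Sockets labeled kernel_t are normally ones created before policy load, so the rule would be clearer with a why-comment such as `# connect to stream sockets created before policy load -- confirm which consumer needs this` and, if it serves a single service, an `optional_policy` block for that module rather than a blanket grant to every restricted user type. The `seutil_read_file_contexts`/`seutil_read_default_contexts` lines in this hunk change indentation only. The template continues outside the hunk.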
@@ -40030,26 +40316,26 @@ index 3c5dba7..2bf0cab 100644 + + optional_policy(` + gpm_stream_connect($1_usertype) - ') - - optional_policy(` -- netutils_run_ping_cond($1_t, $1_r) -- netutils_run_traceroute_cond($1_t, $1_r) -+ mount_run_fusermount($1_t, $1_r) -+ mount_read_pid_files($1_t) + ') + + optional_policy(` -+ wine_role_template($1, $1_r, $1_t) ++ mount_run_fusermount($1_t, $1_r) ++ mount_read_pid_files($1_t) + ') + + optional_policy(` ++ wine_role_template($1, $1_r, $1_t) + ') + + optional_policy(` +- netutils_run_ping_cond($1_t, $1_r) +- netutils_run_traceroute_cond($1_t, $1_r) + postfix_run_postdrop($1_t, $1_r) + postfix_search_spool($1_t) ') # Run pppd in pppd_t by default for user -@@ -1046,7 +1370,9 @@ template(`userdom_unpriv_user_template', ` +@@ -1046,7 +1371,9 @@ template(`userdom_unpriv_user_template', ` ') optional_policy(` @@ -40060,7 +40346,7 @@ index 3c5dba7..2bf0cab 100644 ') ') -@@ -1082,7 +1408,7 @@ template(`userdom_unpriv_user_template', ` +@@ -1082,7 +1409,7 @@ template(`userdom_unpriv_user_template', ` template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -40069,7 +40355,7 @@ index 3c5dba7..2bf0cab 100644 ') ############################## -@@ -1109,6 +1435,7 @@ template(`userdom_admin_user_template',` +@@ -1109,6 +1436,7 @@ template(`userdom_admin_user_template',` # allow $1_t self:capability ~{ sys_module audit_control audit_write }; @@ -40077,7 +40363,7 @@ index 3c5dba7..2bf0cab 100644 allow $1_t self:process { setexec setfscreate }; allow $1_t self:netlink_audit_socket nlmsg_readpriv; allow $1_t self:tun_socket create; -@@ -1117,6 +1444,9 @@ template(`userdom_admin_user_template',` +@@ -1117,6 +1445,9 @@ template(`userdom_admin_user_template',` # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; 
@@ -40087,7 +40373,7 @@ index 3c5dba7..2bf0cab 100644 kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1131,6 +1461,7 @@ template(`userdom_admin_user_template',` +@@ -1131,6 +1462,7 @@ template(`userdom_admin_user_template',` kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -40095,7 +40381,7 @@ index 3c5dba7..2bf0cab 100644 corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1148,10 +1479,14 @@ template(`userdom_admin_user_template',` +@@ -1148,10 +1480,14 @@ template(`userdom_admin_user_template',` dev_rename_all_blk_files($1_t) dev_rename_all_chr_files($1_t) dev_create_generic_symlinks($1_t) @@ -40110,7 +40396,7 @@ index 3c5dba7..2bf0cab 100644 domain_dontaudit_ptrace_all_domains($1_t) # signal all domains: domain_kill_all_domains($1_t) -@@ -1162,29 +1497,38 @@ template(`userdom_admin_user_template',` +@@ -1162,29 +1498,38 @@ template(`userdom_admin_user_template',` domain_sigchld_all_domains($1_t) # for lsof domain_getattr_all_sockets($1_t) @@ -40153,7 +40439,7 @@ index 3c5dba7..2bf0cab 100644 # The following rule is temporary until such time that a complete # policy management infrastructure is in place so that an administrator -@@ -1194,6 +1538,8 @@ template(`userdom_admin_user_template',` +@@ -1194,6 +1539,8 @@ template(`userdom_admin_user_template',` # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -40162,7 +40448,7 @@ index 3c5dba7..2bf0cab 100644 userdom_manage_user_home_content_dirs($1_t) userdom_manage_user_home_content_files($1_t) userdom_manage_user_home_content_symlinks($1_t) -@@ -1201,13 +1547,17 @@ template(`userdom_admin_user_template',` +@@ -1201,13 +1548,17 @@ template(`userdom_admin_user_template',` userdom_manage_user_home_content_sockets($1_t) userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file }) 
@@ -40181,7 +40467,7 @@ index 3c5dba7..2bf0cab 100644 optional_policy(` postgresql_unconfined($1_t) ') -@@ -1253,6 +1603,8 @@ template(`userdom_security_admin_template',` +@@ -1253,6 +1604,8 @@ template(`userdom_security_admin_template',` dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -40190,7 +40476,7 @@ index 3c5dba7..2bf0cab 100644 # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1265,8 +1617,10 @@ template(`userdom_security_admin_template',` +@@ -1265,8 +1618,10 @@ template(`userdom_security_admin_template',` selinux_set_enforce_mode($1) selinux_set_all_booleans($1) selinux_set_parameters($1) @@ -40202,7 +40488,7 @@ index 3c5dba7..2bf0cab 100644 auth_relabel_shadow($1) init_exec($1) -@@ -1277,29 +1631,31 @@ template(`userdom_security_admin_template',` +@@ -1277,29 +1632,31 @@ template(`userdom_security_admin_template',` logging_read_audit_config($1) seutil_manage_bin_policy($1) @@ -40245,7 +40531,7 @@ index 3c5dba7..2bf0cab 100644 ') optional_policy(` -@@ -1360,14 +1716,17 @@ interface(`userdom_user_home_content',` +@@ -1360,14 +1717,17 @@ interface(`userdom_user_home_content',` gen_require(` attribute user_home_content_type; type user_home_t; @@ -40264,7 +40550,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -1408,6 +1767,51 @@ interface(`userdom_user_tmpfs_file',` +@@ -1408,6 +1768,51 @@ interface(`userdom_user_tmpfs_file',` ## ## Allow domain to attach to TUN devices created by administrative users. ## @@ -40316,7 +40602,7 @@ index 3c5dba7..2bf0cab 100644 ## ## ## Domain allowed access. -@@ -1512,11 +1916,31 @@ interface(`userdom_search_user_home_dirs',` +@@ -1512,11 +1917,31 @@ interface(`userdom_search_user_home_dirs',` ') allow $1 user_home_dir_t:dir search_dir_perms; 
@@ -40348,7 +40634,7 @@ index 3c5dba7..2bf0cab 100644 ## Do not audit attempts to search user home directories. ## ## -@@ -1558,6 +1982,14 @@ interface(`userdom_list_user_home_dirs',` +@@ -1558,6 +1983,14 @@ interface(`userdom_list_user_home_dirs',` allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -40363,7 +40649,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -1573,9 +2005,11 @@ interface(`userdom_list_user_home_dirs',` +@@ -1573,9 +2006,11 @@ interface(`userdom_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -40375,7 +40661,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -1632,6 +2066,42 @@ interface(`userdom_relabelto_user_home_dirs',` +@@ -1632,6 +2067,42 @@ interface(`userdom_relabelto_user_home_dirs',` allow $1 user_home_dir_t:dir relabelto; ') @@ -40418,7 +40704,7 @@ index 3c5dba7..2bf0cab 100644 ######################################## ## ## Create directories in the home dir root with -@@ -1711,6 +2181,8 @@ interface(`userdom_dontaudit_search_user_home_content',` +@@ -1711,6 +2182,8 @@ interface(`userdom_dontaudit_search_user_home_content',` ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -40427,7 +40713,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -1744,10 +2216,12 @@ interface(`userdom_list_all_user_home_content',` +@@ -1744,10 +2217,12 @@ interface(`userdom_list_all_user_home_content',` # interface(`userdom_list_user_home_content',` gen_require(` @@ -40442,7 +40728,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -1772,7 +2246,25 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1772,7 +2247,25 @@ interface(`userdom_manage_user_home_content_dirs',` ######################################## ## 
@@ -40469,7 +40755,7 @@ index 3c5dba7..2bf0cab 100644 ## ## ## -@@ -1782,53 +2274,70 @@ interface(`userdom_manage_user_home_content_dirs',` +@@ -1782,53 +2275,70 @@ interface(`userdom_manage_user_home_content_dirs',` # interface(`userdom_delete_all_user_home_content_dirs',` gen_require(` @@ -40552,7 +40838,7 @@ index 3c5dba7..2bf0cab 100644 ## Do not audit attempts to set the ## attributes of user home files. ## -@@ -1848,6 +2357,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` +@@ -1848,6 +2358,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',` ######################################## ## @@ -40578,7 +40864,7 @@ index 3c5dba7..2bf0cab 100644 ## Mmap user home files. ## ## -@@ -1878,14 +2406,36 @@ interface(`userdom_mmap_user_home_content_files',` +@@ -1878,14 +2407,36 @@ interface(`userdom_mmap_user_home_content_files',` interface(`userdom_read_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -40616,7 +40902,7 @@ index 3c5dba7..2bf0cab 100644 ## Do not audit attempts to read user home files. ## ## -@@ -1896,11 +2446,14 @@ interface(`userdom_read_user_home_content_files',` +@@ -1896,11 +2447,14 @@ interface(`userdom_read_user_home_content_files',` # interface(`userdom_dontaudit_read_user_home_content_files',` gen_require(` @@ -40634,7 +40920,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -1941,7 +2494,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1941,7 +2495,25 @@ interface(`userdom_dontaudit_write_user_home_content_files',` ######################################## ## @@ -40661,7 +40947,7 @@ index 3c5dba7..2bf0cab 100644 ## ## ## -@@ -1951,17 +2522,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',` +@@ -1951,17 +2523,15 @@ interface(`userdom_dontaudit_write_user_home_content_files',` # interface(`userdom_delete_all_user_home_content_files',` gen_require(` 
@@ -40682,7 +40968,7 @@ index 3c5dba7..2bf0cab 100644 ## ## ## -@@ -1969,12 +2538,48 @@ interface(`userdom_delete_all_user_home_content_files',` +@@ -1969,12 +2539,48 @@ interface(`userdom_delete_all_user_home_content_files',` ## ## # @@ -40733,7 +41019,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -2010,8 +2615,7 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2010,8 +2616,7 @@ interface(`userdom_read_user_home_content_symlinks',` type user_home_dir_t, user_home_t; ') @@ -40743,7 +41029,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -2027,21 +2631,15 @@ interface(`userdom_read_user_home_content_symlinks',` +@@ -2027,20 +2632,14 @@ interface(`userdom_read_user_home_content_symlinks',` # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -40757,19 +41043,18 @@ index 3c5dba7..2bf0cab 100644 - - tunable_policy(`use_nfs_home_dirs',` - fs_exec_nfs_files($1) +- ') +- +- tunable_policy(`use_samba_home_dirs',` +- fs_exec_cifs_files($1) + exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type) + dontaudit $1 user_home_type:sock_file execute; ') - -- tunable_policy(`use_samba_home_dirs',` -- fs_exec_cifs_files($1) -- ') -') -- + ######################################## ## - ## Do not audit attempts to execute user home files. -@@ -2123,7 +2721,7 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2123,7 +2722,7 @@ interface(`userdom_manage_user_home_content_symlinks',` ######################################## ## @@ -40778,7 +41063,7 @@ index 3c5dba7..2bf0cab 100644 ## ## ## -@@ -2131,19 +2729,17 @@ interface(`userdom_manage_user_home_content_symlinks',` +@@ -2131,19 +2730,17 @@ interface(`userdom_manage_user_home_content_symlinks',` ## ## # 
@@ -40802,7 +41087,7 @@ index 3c5dba7..2bf0cab 100644 ## ## ## -@@ -2151,12 +2747,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` +@@ -2151,12 +2748,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',` ## ## # @@ -40818,7 +41103,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -2393,11 +2989,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` +@@ -2393,11 +2990,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',` # interface(`userdom_read_user_tmp_files',` gen_require(` @@ -40833,7 +41118,7 @@ index 3c5dba7..2bf0cab 100644 files_search_tmp($1) ') -@@ -2417,7 +3013,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` +@@ -2417,7 +3014,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` type user_tmp_t; ') @@ -40842,7 +41127,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -2664,6 +3260,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` +@@ -2664,6 +3261,25 @@ interface(`userdom_tmp_filetrans_user_tmp',` files_tmp_filetrans($1, user_tmp_t, $2, $3) ') @@ -40868,7 +41153,7 @@ index 3c5dba7..2bf0cab 100644 ######################################## ## ## Read user tmpfs files. -@@ -2680,13 +3295,14 @@ interface(`userdom_read_user_tmpfs_files',` +@@ -2680,13 +3296,14 @@ interface(`userdom_read_user_tmpfs_files',` ') read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) @@ -40884,7 +41169,7 @@ index 3c5dba7..2bf0cab 100644 ## ## ## -@@ -2707,7 +3323,7 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2707,7 +3324,7 @@ interface(`userdom_rw_user_tmpfs_files',` ######################################## ## @@ -40893,7 +41178,7 @@ index 3c5dba7..2bf0cab 100644 ## ## ## -@@ -2715,14 +3331,30 @@ interface(`userdom_rw_user_tmpfs_files',` +@@ -2715,14 +3332,30 @@ interface(`userdom_rw_user_tmpfs_files',` ## ## # 
@@ -40928,7 +41213,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -2817,6 +3449,24 @@ interface(`userdom_use_user_ttys',` +@@ -2817,6 +3450,24 @@ interface(`userdom_use_user_ttys',` ######################################## ## @@ -40953,7 +41238,7 @@ index 3c5dba7..2bf0cab 100644 ## Read and write a user domain pty. ## ## -@@ -2835,22 +3485,34 @@ interface(`userdom_use_user_ptys',` +@@ -2835,22 +3486,34 @@ interface(`userdom_use_user_ptys',` ######################################## ## @@ -40996,7 +41281,7 @@ index 3c5dba7..2bf0cab 100644 ## ## ## -@@ -2859,14 +3521,33 @@ interface(`userdom_use_user_ptys',` +@@ -2859,14 +3522,33 @@ interface(`userdom_use_user_ptys',` ## ## # @@ -41034,7 +41319,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -2885,8 +3566,27 @@ interface(`userdom_dontaudit_use_user_terminals',` +@@ -2885,8 +3567,27 @@ interface(`userdom_dontaudit_use_user_terminals',` type user_tty_device_t, user_devpts_t; ') @@ -41064,7 +41349,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -2958,69 +3658,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` +@@ -2958,69 +3659,68 @@ interface(`userdom_spec_domtrans_unpriv_users',` allow unpriv_userdomain $1:process sigchld; ') @@ -41165,7 +41450,7 @@ index 3c5dba7..2bf0cab 100644 ## ## ## -@@ -3028,12 +3727,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` +@@ -3028,12 +3728,12 @@ interface(`userdom_manage_unpriv_user_semaphores',` ## ## # @@ -41180,7 +41465,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -3097,7 +3796,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3097,7 +3797,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; 
@@ -41189,7 +41474,7 @@ index 3c5dba7..2bf0cab 100644 allow unpriv_userdomain $1:process sigchld; ') -@@ -3113,29 +3812,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` +@@ -3113,29 +3813,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` # interface(`userdom_search_user_home_content',` gen_require(` @@ -41223,7 +41508,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -3217,7 +3900,25 @@ interface(`userdom_dontaudit_use_user_ptys',` +@@ -3217,7 +3901,25 @@ interface(`userdom_dontaudit_use_user_ptys',` type user_devpts_t; ') @@ -41250,7 +41535,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -3272,7 +3973,64 @@ interface(`userdom_write_user_tmp_files',` +@@ -3272,7 +3974,64 @@ interface(`userdom_write_user_tmp_files',` type user_tmp_t; ') @@ -41316,7 +41601,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -3290,7 +4048,7 @@ interface(`userdom_dontaudit_use_user_ttys',` +@@ -3290,7 +4049,7 @@ interface(`userdom_dontaudit_use_user_ttys',` type user_tty_device_t; ') @@ -41325,7 +41610,7 @@ index 3c5dba7..2bf0cab 100644 ') ######################################## -@@ -3309,6 +4067,7 @@ interface(`userdom_read_all_users_state',` +@@ -3309,6 +4068,7 @@ interface(`userdom_read_all_users_state',` ') read_files_pattern($1, userdomain, userdomain) @@ -41333,7 +41618,7 @@ index 3c5dba7..2bf0cab 100644 kernel_search_proc($1) ') -@@ -3385,6 +4144,42 @@ interface(`userdom_signal_all_users',` +@@ -3385,6 +4145,42 @@ interface(`userdom_signal_all_users',` allow $1 userdomain:process signal; ') @@ -41376,7 +41661,7 @@ index 3c5dba7..2bf0cab 100644 ######################################## ## ## Send a SIGCHLD signal to all user domains. -@@ -3405,7 +4200,7 @@ interface(`userdom_sigchld_all_users',` +@@ -3405,7 +4201,7 @@ interface(`userdom_sigchld_all_users',` ######################################## ## 
@@ -41385,7 +41670,7 @@ index 3c5dba7..2bf0cab 100644 ## ## ## -@@ -3413,17 +4208,17 @@ interface(`userdom_sigchld_all_users',` +@@ -3413,17 +4209,17 @@ interface(`userdom_sigchld_all_users',` ## ## # @@ -41406,7 +41691,7 @@ index 3c5dba7..2bf0cab 100644 ## ## ## -@@ -3431,11 +4226,1516 @@ interface(`userdom_create_all_users_keys',` +@@ -3431,11 +4227,1516 @@ interface(`userdom_create_all_users_keys',` ## ## # @@ -42927,7 +43212,7 @@ index 3c5dba7..2bf0cab 100644 + dontaudit $1 user_home_type:dir_file_class_set audit_access; ') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te -index e2b538b..211263f 100644 +index e2b538b..3a775a7 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -7,48 +7,42 @@ policy_module(userdomain, 4.8.5) @@ -43015,7 +43300,7 @@ index e2b538b..211263f 100644 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) files_type(user_home_dir_t) -@@ -70,26 +82,226 @@ ubac_constrained(user_home_dir_t) +@@ -70,26 +82,227 @@ ubac_constrained(user_home_dir_t) type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; @@ -43073,6 +43358,7 @@ index e2b538b..211263f 100644 +allow userdomain userdomain:fifo_file rw_inherited_fifo_file_perms; + +# Nautilus causes this avc ++domain_dontaudit_access_check(unpriv_userdomain) +dontaudit unpriv_userdomain self:dir setattr; +allow unpriv_userdomain self:key manage_key_perms; + diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index e9e4180..aa2e445 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -1,8 +1,8 @@ 
diff --git a/abrt.fc b/abrt.fc -index e4f84de..4e4cbd4 100644 +index e4f84de..2fe1152 100644 --- a/abrt.fc +++ b/abrt.fc -@@ -1,30 +1,40 @@ +@@ -1,30 +1,41 @@ -/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) -/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) +/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) @@ -22,6 +22,7 @@ index e4f84de..4e4cbd4 100644 +/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0) +/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0) +/usr/sbin/abrt-harvest.* -- gen_context(system_u:object_r:abrt_exec_t,s0) ++/usr/sbin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0) -/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0) /usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0) @@ -518,7 +519,7 @@ index 058d908..702b716 100644 +') + diff --git a/abrt.te b/abrt.te -index cc43d25..da5b191 100644 +index cc43d25..f71a133 100644 --- a/abrt.te +++ b/abrt.te @@ -1,4 +1,4 @@ @@ -527,7 +528,7 @@ index cc43d25..da5b191 100644 ######################################## # -@@ -6,105 +6,116 @@ policy_module(abrt, 1.3.4) +@@ -6,105 +6,131 @@ policy_module(abrt, 1.3.4) # ## @@ -549,6 +550,14 @@ index cc43d25..da5b191 100644 -## the abrt_handle_event_t domain to -## handle ABRT event scripts. -##

++##

++## Allow abrt-handle-upload to modify public files ++## used for public file transfer services in /var/spool/abrt-upload/. ++##

++##
++gen_tunable(abrt_upload_watch_anon_write, true) ++ ++## +##

+## Allow ABRT to run in abrt_handle_event_t domain +## to handle ABRT event scripts @@ -660,7 +669,13 @@ index cc43d25..da5b191 100644 -ifdef(`enable_mcs',` - init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh) -') -- ++# Support for abrt-upload-watch ++abrt_basic_types_template(abrt_upload_watch) ++init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t) ++ ++type abrt_upload_watch_tmp_t; ++files_tmp_file(abrt_upload_watch_tmp_t) + ######################################## # -# Local policy @@ -689,7 +704,7 @@ index cc43d25..da5b191 100644 manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t) logging_log_filetrans(abrt_t, abrt_var_log_t, file) -@@ -112,23 +123,25 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) +@@ -112,23 +138,25 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) @@ -718,7 +733,7 @@ index cc43d25..da5b191 100644 kernel_request_load_module(abrt_t) kernel_rw_kernel_sysctl(abrt_t) -@@ -137,16 +150,14 @@ corecmd_exec_shell(abrt_t) +@@ -137,16 +165,14 @@ corecmd_exec_shell(abrt_t) corecmd_read_all_executables(abrt_t) corenet_all_recvfrom_netlabel(abrt_t) @@ -737,7 +752,7 @@ index cc43d25..da5b191 100644 dev_getattr_all_chr_files(abrt_t) dev_getattr_all_blk_files(abrt_t) -@@ -163,29 +174,37 @@ files_getattr_all_files(abrt_t) +@@ -163,29 +189,37 @@ files_getattr_all_files(abrt_t) files_read_config_files(abrt_t) files_read_etc_runtime_files(abrt_t) files_read_var_symlinks(abrt_t) @@ -778,7 +793,7 @@ index cc43d25..da5b191 100644 tunable_policy(`abrt_anon_write',` miscfiles_manage_public_files(abrt_t) -@@ -193,15 +212,11 @@ tunable_policy(`abrt_anon_write',` +@@ -193,15 +227,11 @@ tunable_policy(`abrt_anon_write',` optional_policy(` apache_list_modules(abrt_t) 
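Review bot: `gen_tunable(abrt_upload_watch_anon_write, true)` turns on by default the write access that the matching `tunable_policy` block grants via `miscfiles_manage_public_files(abrt_upload_watch_t)`, so every install gets the wider policy without an administrator opting in; a boolean that extends a daemon's write reach to public content is normally shipped off, `gen_tunable(abrt_upload_watch_anon_write, false)`. The tunable's description also names `abrt-handle-upload` while the domain it controls is `abrt_upload_watch_t`; if those are two different programs the text should say which one is covered. This hunk only carries the declaration; the `tunable_policy` that uses it sits in a later hunk of the same file.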
@@ -795,7 +810,7 @@ index cc43d25..da5b191 100644 ') optional_policy(` -@@ -209,6 +224,16 @@ optional_policy(` +@@ -209,6 +239,16 @@ optional_policy(` ') optional_policy(` @@ -812,7 +827,7 @@ index cc43d25..da5b191 100644 policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) policykit_read_reload(abrt_t) -@@ -220,6 +245,7 @@ optional_policy(` +@@ -220,6 +260,7 @@ optional_policy(` corecmd_exec_all_executables(abrt_t) ') @@ -820,7 +835,7 @@ index cc43d25..da5b191 100644 optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) -@@ -230,6 +256,7 @@ optional_policy(` +@@ -230,6 +271,7 @@ optional_policy(` rpm_signull(abrt_t) ') @@ -828,7 +843,7 @@ index cc43d25..da5b191 100644 optional_policy(` sendmail_domtrans(abrt_t) ') -@@ -240,9 +267,17 @@ optional_policy(` +@@ -240,9 +282,17 @@ optional_policy(` sosreport_delete_tmp_files(abrt_t) ') @@ -847,7 +862,7 @@ index cc43d25..da5b191 100644 # allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms; -@@ -253,9 +288,13 @@ tunable_policy(`abrt_handle_event',` +@@ -253,9 +303,13 @@ tunable_policy(`abrt_handle_event',` can_exec(abrt_t, abrt_handle_event_exec_t) ') @@ -862,7 +877,7 @@ index cc43d25..da5b191 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -268,6 +307,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) +@@ -268,6 +322,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t) files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) 
@@ -870,7 +885,7 @@ index cc43d25..da5b191 100644 read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) -@@ -276,15 +316,20 @@ corecmd_read_all_executables(abrt_helper_t) +@@ -276,15 +331,20 @@ corecmd_read_all_executables(abrt_helper_t) domain_read_all_domains_state(abrt_helper_t) @@ -891,7 +906,7 @@ index cc43d25..da5b191 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -292,11 +337,25 @@ ifdef(`hide_broken_symptoms',` +@@ -292,11 +352,25 @@ ifdef(`hide_broken_symptoms',` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) @@ -918,7 +933,7 @@ index cc43d25..da5b191 100644 # allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms; -@@ -314,10 +373,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) +@@ -314,10 +388,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t) dev_read_urand(abrt_retrace_coredump_t) @@ -932,7 +947,7 @@ index cc43d25..da5b191 100644 optional_policy(` rpm_exec(abrt_retrace_coredump_t) rpm_dontaudit_manage_db(abrt_retrace_coredump_t) -@@ -330,10 +391,11 @@ optional_policy(` +@@ -330,10 +406,11 @@ optional_policy(` ####################################### # @@ -946,7 +961,7 @@ index cc43d25..da5b191 100644 allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t) -@@ -352,46 +414,56 @@ corecmd_exec_shell(abrt_retrace_worker_t) +@@ -352,46 +429,56 @@ corecmd_exec_shell(abrt_retrace_worker_t) dev_read_urand(abrt_retrace_worker_t) 
@@ -1008,31 +1023,59 @@ index cc43d25..da5b191 100644 read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t) -@@ -400,16 +472,18 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) +@@ -400,16 +487,47 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t) corecmd_exec_bin(abrt_watch_log_t) logging_read_all_logs(abrt_watch_log_t) +logging_send_syslog_msg(abrt_watch_log_t) + -+optional_policy(` -+ unconfined_domain(abrt_watch_log_t) -+') ++#optional_policy(` ++# unconfined_domain(abrt_watch_log_t) ++#') ####################################### # -# Global local policy -+# Local policy for all abrt domain ++# abrt-upload-watch local policy # -kernel_read_system_state(abrt_domain) -+allow abrt_domain abrt_var_run_t:sock_file write_sock_file_perms; -+allow abrt_domain abrt_var_run_t:unix_stream_socket connectto; ++allow abrt_upload_watch_t self:capability dac_override; + +-files_read_etc_files(abrt_domain) ++manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) ++manage_dirs_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t) ++files_tmp_filetrans(abrt_upload_watch_t, abrt_upload_watch_tmp_t, {file dir}) ++ ++read_files_pattern(abrt_upload_watch_t, abrt_etc_t, abrt_etc_t) - files_read_etc_files(abrt_domain) -- -logging_send_syslog_msg(abrt_domain) -- ++manage_dirs_pattern(abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_cache_t) ++ ++corecmd_exec_bin(abrt_upload_watch_t) ++ ++dev_read_urand(abrt_upload_watch_t) ++ ++auth_read_passwd(abrt_upload_watch_t) ++ ++tunable_policy(`abrt_upload_watch_anon_write',` ++ miscfiles_manage_public_files(abrt_upload_watch_t) ++') + -miscfiles_read_localization(abrt_domain) ++optional_policy(` ++ dbus_system_bus_client(abrt_upload_watch_t) ++') ++ ++####################################### ++# ++# Local policy for all abrt domain ++# ++ ++allow abrt_domain abrt_var_run_t:sock_file write_sock_file_perms; ++allow 
abrt_domain abrt_var_run_t:unix_stream_socket connectto; ++ ++files_read_etc_files(abrt_domain) diff --git a/accountsd.fc b/accountsd.fc index f9d8d7a..0682710 100644 --- a/accountsd.fc @@ -1980,7 +2023,7 @@ index 7f4dfbc..4d750fa 100644 /usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0) diff --git a/amanda.te b/amanda.te -index ed45974..95b56a6 100644 +index ed45974..cd5a4fa 100644 --- a/amanda.te +++ b/amanda.te @@ -9,11 +9,13 @@ attribute_role amanda_recover_roles; @@ -1990,7 +2033,7 @@ index ed45974..95b56a6 100644 +type amanda_exec_t; type amanda_inetd_exec_t; -inetd_service_domain(amanda_t, amanda_inetd_exec_t) -+init_daemon_domain(amanda_t, amanda_exec_t) ++init_daemon_domain(amanda_t, amanda_inetd_exec_t) +role system_r types amanda_t; -type amanda_exec_t; @@ -3240,7 +3283,7 @@ index 550a69e..53e5708 100644 +/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) diff --git a/apache.if b/apache.if -index 83e899c..c5be77c 100644 +index 83e899c..fac6fe5 100644 --- a/apache.if +++ b/apache.if @@ -1,9 +1,9 @@ @@ -3256,7 +3299,7 @@ index 83e899c..c5be77c 100644 ##
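Review bot: `manage_dirs_pattern(abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_cache_t)` passes a file type as the source domain: `abrt_upload_watch_tmp_t` is declared with `files_tmp_file()` in the earlier hunk of this file, so the rule gives the daemon no access and presumably was meant to read `manage_dirs_pattern(abrt_upload_watch_t, abrt_var_cache_t, abrt_var_cache_t)`. The accompanying `allow abrt_upload_watch_t self:capability dac_override;` is a broad grant for a daemon whose other rules only touch its own tmp, cache and config types; if it exists to cover one path with mismatched ownership, a comment naming that path would let the next reviewer re-check whether it is still needed. The `#optional_policy(` ... `#')` block left commented out around `unconfined_domain(abrt_watch_log_t)` should be deleted rather than kept as dead text. This hunk starts on the line above.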

## ## -@@ -13,118 +13,100 @@ +@@ -13,118 +13,101 @@ # template(`apache_content_template',` gen_require(` @@ -3411,6 +3454,7 @@ index 83e899c..c5be77c 100644 - filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file }) + # apache runs the script: + domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t) ++ allow httpd_t httpd_$1_script_t:unix_dgram_socket sendto; ') ') @@ -3421,7 +3465,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -133,47 +115,61 @@ template(`apache_content_template',` +@@ -133,47 +116,61 @@ template(`apache_content_template',` ## ## ## @@ -3512,7 +3556,7 @@ index 83e899c..c5be77c 100644 domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t) ') -@@ -184,7 +180,7 @@ interface(`apache_role',` +@@ -184,7 +181,7 @@ interface(`apache_role',` ######################################## ## @@ -3521,7 +3565,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -204,7 +200,7 @@ interface(`apache_read_user_scripts',` +@@ -204,7 +201,7 @@ interface(`apache_read_user_scripts',` ######################################## ## @@ -3530,7 +3574,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -224,7 +220,7 @@ interface(`apache_read_user_content',` +@@ -224,7 +221,7 @@ interface(`apache_read_user_content',` ######################################## ## @@ -3539,7 +3583,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -241,27 +237,47 @@ interface(`apache_domtrans',` +@@ -241,27 +238,47 @@ interface(`apache_domtrans',` domtrans_pattern($1, httpd_exec_t, httpd_t) ') @@ -3594,7 +3638,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -279,7 +295,7 @@ interface(`apache_signal',` +@@ -279,7 +296,7 @@ interface(`apache_signal',` ######################################## ## @@ -3603,7 +3647,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -297,7 +313,7 @@ interface(`apache_signull',` +@@ -297,7 +314,7 @@ interface(`apache_signull',` ######################################## ## 
@@ -3612,7 +3656,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -315,8 +331,7 @@ interface(`apache_sigchld',` +@@ -315,8 +332,7 @@ interface(`apache_sigchld',` ######################################## ## @@ -3622,7 +3666,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -334,8 +349,8 @@ interface(`apache_use_fds',` +@@ -334,8 +350,8 @@ interface(`apache_use_fds',` ######################################## ## @@ -3633,7 +3677,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -348,13 +363,13 @@ interface(`apache_dontaudit_rw_fifo_file',` +@@ -348,13 +364,13 @@ interface(`apache_dontaudit_rw_fifo_file',` type httpd_t; ') @@ -3650,7 +3694,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -372,8 +387,8 @@ interface(`apache_dontaudit_rw_stream_sockets',` +@@ -372,8 +388,8 @@ interface(`apache_dontaudit_rw_stream_sockets',` ######################################## ## @@ -3661,7 +3705,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -391,8 +406,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',` +@@ -391,8 +407,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',` ######################################## ## @@ -3671,7 +3715,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -417,7 +431,8 @@ interface(`apache_manage_all_content',` +@@ -417,7 +432,8 @@ interface(`apache_manage_all_content',` ######################################## ## @@ -3681,7 +3725,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -435,7 +450,8 @@ interface(`apache_setattr_cache_dirs',` +@@ -435,7 +451,8 @@ interface(`apache_setattr_cache_dirs',` ######################################## ## @@ -3691,7 +3735,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -453,7 +469,8 @@ interface(`apache_list_cache',` +@@ -453,7 +470,8 @@ interface(`apache_list_cache',` ######################################## ## @@ -3701,7 +3745,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -471,7 +488,8 @@ interface(`apache_rw_cache_files',` +@@ -471,7 +489,8 @@ interface(`apache_rw_cache_files',` ######################################## ## 
@@ -3711,7 +3755,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -489,7 +507,8 @@ interface(`apache_delete_cache_dirs',` +@@ -489,7 +508,8 @@ interface(`apache_delete_cache_dirs',` ######################################## ## @@ -3721,7 +3765,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -507,49 +526,51 @@ interface(`apache_delete_cache_files',` +@@ -507,49 +527,51 @@ interface(`apache_delete_cache_files',` ######################################## ## @@ -3784,7 +3828,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -570,8 +591,8 @@ interface(`apache_manage_config',` +@@ -570,8 +592,8 @@ interface(`apache_manage_config',` ######################################## ## @@ -3795,7 +3839,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -608,16 +629,38 @@ interface(`apache_domtrans_helper',` +@@ -608,16 +630,38 @@ interface(`apache_domtrans_helper',` # interface(`apache_run_helper',` gen_require(` @@ -3837,7 +3881,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -639,7 +682,8 @@ interface(`apache_read_log',` +@@ -639,7 +683,8 @@ interface(`apache_read_log',` ######################################## ## @@ -3847,7 +3891,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -657,10 +701,29 @@ interface(`apache_append_log',` +@@ -657,10 +702,29 @@ interface(`apache_append_log',` append_files_pattern($1, httpd_log_t, httpd_log_t) ') @@ -3879,7 +3923,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -678,8 +741,8 @@ interface(`apache_dontaudit_append_log',` +@@ -678,8 +742,8 @@ interface(`apache_dontaudit_append_log',` ######################################## ## @@ -3890,7 +3934,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -698,47 +761,49 @@ interface(`apache_manage_log',` +@@ -698,47 +762,49 @@ interface(`apache_manage_log',` read_lnk_files_pattern($1, httpd_log_t, httpd_log_t) ') 
@@ -3953,7 +3997,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -752,11 +817,13 @@ interface(`apache_list_modules',` +@@ -752,11 +818,13 @@ interface(`apache_list_modules',` ') allow $1 httpd_modules_t:dir list_dir_perms; @@ -3968,7 +4012,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -776,46 +843,63 @@ interface(`apache_exec_modules',` +@@ -776,46 +844,63 @@ interface(`apache_exec_modules',` ######################################## ## @@ -4049,7 +4093,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -829,13 +913,14 @@ interface(`apache_list_sys_content',` +@@ -829,13 +914,14 @@ interface(`apache_list_sys_content',` ') list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t) @@ -4066,7 +4110,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -844,6 +929,7 @@ interface(`apache_list_sys_content',` +@@ -844,6 +930,7 @@ interface(`apache_list_sys_content',` ## ## # @@ -4074,7 +4118,7 @@ index 83e899c..c5be77c 100644 interface(`apache_manage_sys_content',` gen_require(` type httpd_sys_content_t; -@@ -855,32 +941,98 @@ interface(`apache_manage_sys_content',` +@@ -855,32 +942,98 @@ interface(`apache_manage_sys_content',` manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t) ') @@ -4181,7 +4225,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -888,10 +1040,17 @@ interface(`apache_manage_sys_rw_content',` +@@ -888,10 +1041,17 @@ interface(`apache_manage_sys_rw_content',` ## ## # @@ -4200,7 +4244,7 @@ index 83e899c..c5be77c 100644 ') tunable_policy(`httpd_enable_cgi && httpd_unified',` -@@ -901,9 +1060,8 @@ interface(`apache_domtrans_sys_script',` +@@ -901,9 +1061,8 @@ interface(`apache_domtrans_sys_script',` ######################################## ## @@ -4212,7 +4256,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -941,7 +1099,7 @@ interface(`apache_domtrans_all_scripts',` +@@ -941,7 +1100,7 @@ interface(`apache_domtrans_all_scripts',` ######################################## ## ## Execute all user scripts in the user 
@@ -4221,7 +4265,7 @@ index 83e899c..c5be77c 100644 ## to the specified role. ## ## -@@ -954,6 +1112,7 @@ interface(`apache_domtrans_all_scripts',` +@@ -954,6 +1113,7 @@ interface(`apache_domtrans_all_scripts',` ## Role allowed access. ## ## @@ -4229,7 +4273,7 @@ index 83e899c..c5be77c 100644 # interface(`apache_run_all_scripts',` gen_require(` -@@ -966,7 +1125,8 @@ interface(`apache_run_all_scripts',` +@@ -966,7 +1126,8 @@ interface(`apache_run_all_scripts',` ######################################## ## @@ -4239,7 +4283,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -979,12 +1139,13 @@ interface(`apache_read_squirrelmail_data',` +@@ -979,12 +1140,13 @@ interface(`apache_read_squirrelmail_data',` type httpd_squirrelmail_t; ') @@ -4255,7 +4299,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -1002,7 +1163,7 @@ interface(`apache_append_squirrelmail_data',` +@@ -1002,7 +1164,7 @@ interface(`apache_append_squirrelmail_data',` ######################################## ## @@ -4264,7 +4308,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -1015,13 +1176,12 @@ interface(`apache_search_sys_content',` +@@ -1015,13 +1177,12 @@ interface(`apache_search_sys_content',` type httpd_sys_content_t; ') @@ -4279,7 +4323,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -1041,7 +1201,7 @@ interface(`apache_read_sys_content',` +@@ -1041,7 +1202,7 @@ interface(`apache_read_sys_content',` ######################################## ## @@ -4288,7 +4332,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -1059,8 +1219,7 @@ interface(`apache_search_sys_scripts',` +@@ -1059,8 +1220,7 @@ interface(`apache_search_sys_scripts',` ######################################## ## @@ -4298,7 +4342,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -1070,13 +1229,22 @@ interface(`apache_search_sys_scripts',` +@@ -1070,13 +1230,22 @@ interface(`apache_search_sys_scripts',` ## # interface(`apache_manage_all_user_content',` 
@@ -4324,7 +4368,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -1094,7 +1262,8 @@ interface(`apache_search_sys_script_state',` +@@ -1094,7 +1263,8 @@ interface(`apache_search_sys_script_state',` ######################################## ## @@ -4334,7 +4378,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -1111,10 +1280,29 @@ interface(`apache_read_tmp_files',` +@@ -1111,10 +1281,29 @@ interface(`apache_read_tmp_files',` read_files_pattern($1, httpd_tmp_t, httpd_tmp_t) ') @@ -4366,7 +4410,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -1127,7 +1315,7 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1127,7 +1316,7 @@ interface(`apache_dontaudit_write_tmp_files',` type httpd_tmp_t; ') @@ -4375,7 +4419,7 @@ index 83e899c..c5be77c 100644 ') ######################################## -@@ -1136,6 +1324,9 @@ interface(`apache_dontaudit_write_tmp_files',` +@@ -1136,6 +1325,9 @@ interface(`apache_dontaudit_write_tmp_files',` ## ## ##

@@ -4385,7 +4429,7 @@ index 83e899c..c5be77c 100644 ## This is an interface to support third party modules ## and its use is not allowed in upstream reference ## policy. -@@ -1165,8 +1356,30 @@ interface(`apache_cgi_domain',` +@@ -1165,8 +1357,30 @@ interface(`apache_cgi_domain',` ######################################## ##

@@ -4418,7 +4462,7 @@ index 83e899c..c5be77c 100644 ## ## ## -@@ -1183,18 +1396,19 @@ interface(`apache_cgi_domain',` +@@ -1183,18 +1397,19 @@ interface(`apache_cgi_domain',` interface(`apache_admin',` gen_require(` attribute httpdcontent, httpd_script_exec_type; @@ -4447,7 +4491,7 @@ index 83e899c..c5be77c 100644 init_labeled_script_domtrans($1, httpd_initrc_exec_t) domain_system_change_exemption($1) -@@ -1204,10 +1418,10 @@ interface(`apache_admin',` +@@ -1204,10 +1419,10 @@ interface(`apache_admin',` apache_manage_all_content($1) miscfiles_manage_public_files($1) @@ -4461,7 +4505,7 @@ index 83e899c..c5be77c 100644 admin_pattern($1, httpd_log_t) admin_pattern($1, httpd_modules_t) -@@ -1218,9 +1432,129 @@ interface(`apache_admin',` +@@ -1218,9 +1433,129 @@ interface(`apache_admin',` admin_pattern($1, httpd_var_run_t) files_pid_filetrans($1, httpd_var_run_t, file) @@ -7156,6 +7200,19 @@ index 3590e2f..e1494bd 100644 ') optional_policy(` +diff --git a/apt.if b/apt.if +index e2414c4..970736b 100644 +--- a/apt.if ++++ b/apt.if +@@ -152,7 +152,7 @@ interface(`apt_read_cache',` + + files_search_var($1) + allow $1 apt_var_cache_t:dir list_dir_perms; +- dontaudit $1 apt_var_cache_t:dir write_dir_perms; ++ dontaudit $1 apt_var_cache_t:dir rw_dir_perms; + allow $1 apt_var_cache_t:file read_file_perms; + ') + diff --git a/apt.te b/apt.te index e2d8d52..d82403c 100644 --- a/apt.te @@ -7380,7 +7437,7 @@ index 7268a04..6ffd87d 100644 domain_system_change_exemption($1) role_transition $2 asterisk_initrc_exec_t system_r; diff --git a/asterisk.te b/asterisk.te -index 5439f1c..0be374d 100644 +index 5439f1c..4f8a8a5 100644 --- a/asterisk.te +++ b/asterisk.te @@ -19,7 +19,7 @@ type asterisk_log_t; 
@@ -7392,7 +7449,25 @@ index 5439f1c..0be374d 100644 type asterisk_tmp_t; files_tmp_file(asterisk_tmp_t) -@@ -72,11 +72,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f +@@ -52,13 +52,14 @@ allow asterisk_t asterisk_etc_t:dir list_dir_perms; + read_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t) + read_lnk_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t) + +-append_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t) +-create_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t) +-setattr_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t) ++manage_dirs_pattern(asterisk_t, asterisk_log_t, asterisk_log_t) ++manage_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t) ++logging_log_filetrans(asterisk_t, asterisk_log_t, {file dir}) + + manage_dirs_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t) + manage_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t) + manage_lnk_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t) ++files_spool_file(asterisk_t, asterisk_spool_t, {dir file}) + + manage_dirs_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t) + manage_files_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t) +@@ -72,11 +73,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t) 
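Review bot: `files_spool_file(asterisk_t, asterisk_spool_t, {dir file})` hands a domain and an object-class list to an interface that, as far as I recall, takes a single type argument and only marks it as spool content; a rule with source domain, target type and classes reads like a file transition, i.e. `files_spool_filetrans(asterisk_t, asterisk_spool_t, { dir file })`, parallel to the `logging_log_filetrans` line a few rules up. Separately, replacing `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` on `asterisk_log_t` with `manage_files_pattern` adds write, rename and unlink on the daemon's own log files, so a compromised asterisk_t could now truncate or remove its logs; the same widening appears for `named_log_t` in the bind.te hunk further down, and both would benefit from a comment stating which operation actually needed more than append. The asterisk.te section continues in the next outer hunk.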
@@ -7402,11 +7477,11 @@ index 5439f1c..0be374d 100644 manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) -files_pid_filetrans(asterisk_t, asterisk_var_run_t, file) - -+files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file }) ++files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file sock_file fifo_file }) can_exec(asterisk_t, asterisk_exec_t) kernel_read_kernel_sysctls(asterisk_t) -@@ -87,7 +87,6 @@ kernel_request_load_module(asterisk_t) +@@ -87,7 +88,6 @@ kernel_request_load_module(asterisk_t) corecmd_exec_bin(asterisk_t) corecmd_exec_shell(asterisk_t) @@ -7414,7 +7489,7 @@ index 5439f1c..0be374d 100644 corenet_all_recvfrom_netlabel(asterisk_t) corenet_tcp_sendrecv_generic_if(asterisk_t) corenet_udp_sendrecv_generic_if(asterisk_t) -@@ -135,7 +134,6 @@ dev_read_urand(asterisk_t) +@@ -135,7 +135,6 @@ dev_read_urand(asterisk_t) domain_use_interactive_fds(asterisk_t) @@ -7422,7 +7497,7 @@ index 5439f1c..0be374d 100644 files_search_spool(asterisk_t) files_dontaudit_search_home(asterisk_t) -@@ -148,8 +146,6 @@ auth_use_nsswitch(asterisk_t) +@@ -148,8 +147,6 @@ auth_use_nsswitch(asterisk_t) logging_send_syslog_msg(asterisk_t) @@ -8357,7 +8432,7 @@ index 866a1e2..6c2dbe4 100644 + allow $1 named_unit_file_t:service all_service_perms; ') diff --git a/bind.te b/bind.te -index 076ffee..d4fb2a4 100644 +index 076ffee..1672ca4 100644 --- a/bind.te +++ b/bind.te @@ -34,7 +34,7 @@ type named_checkconf_exec_t; 
@@ -8390,7 +8465,18 @@ index 076ffee..d4fb2a4 100644 allow named_t self:process { setsched getcap setcap setrlimit signal_perms }; allow named_t self:fifo_file rw_fifo_file_perms; allow named_t self:unix_stream_socket { accept listen }; -@@ -110,7 +114,6 @@ kernel_read_network_state(named_t) +@@ -86,9 +90,7 @@ manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t) + + can_exec(named_t, named_exec_t) + +-append_files_pattern(named_t, named_log_t, named_log_t) +-create_files_pattern(named_t, named_log_t, named_log_t) +-setattr_files_pattern(named_t, named_log_t, named_log_t) ++manage_files_pattern(named_t, named_log_t, named_log_t) + logging_log_filetrans(named_t, named_log_t, file) + + manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t) +@@ -110,7 +112,6 @@ kernel_read_network_state(named_t) corecmd_search_bin(named_t) @@ -8398,7 +8484,7 @@ index 076ffee..d4fb2a4 100644 corenet_all_recvfrom_netlabel(named_t) corenet_tcp_sendrecv_generic_if(named_t) corenet_udp_sendrecv_generic_if(named_t) -@@ -139,6 +142,7 @@ corenet_tcp_sendrecv_all_ports(named_t) +@@ -139,6 +140,7 @@ corenet_tcp_sendrecv_all_ports(named_t) dev_read_sysfs(named_t) dev_read_rand(named_t) dev_read_urand(named_t) @@ -8406,7 +8492,7 @@ index 076ffee..d4fb2a4 100644 domain_use_interactive_fds(named_t) -@@ -170,6 +174,15 @@ tunable_policy(`named_write_master_zones',` +@@ -170,6 +172,15 @@ tunable_policy(`named_write_master_zones',` ') optional_policy(` @@ -8422,7 +8508,7 @@ index 076ffee..d4fb2a4 100644 dbus_system_domain(named_t, named_exec_t) init_dbus_chat_script(named_t) -@@ -183,6 +196,7 @@ optional_policy(` +@@ -183,6 +194,7 @@ optional_policy(` optional_policy(` kerberos_keytab_template(named, named_t) @@ -8430,7 +8516,7 @@ index 076ffee..d4fb2a4 100644 ') optional_policy(` -@@ -209,7 +223,8 @@ optional_policy(` +@@ -209,7 +221,8 @@ optional_policy(` # allow ndc_t self:capability { dac_override net_admin }; 
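Review bot: `manage_files_pattern(named_t, named_log_t, named_log_t)` replaces the append/create/setattr trio and so also grants write, rename and unlink on existing log files, which removes the append-only property that made named's logs tamper-evident against a compromised daemon. If the motivation is BIND's own log file versioning, which renames and removes old files, the narrower form is to keep the three original rules and add `rename_files_pattern(named_t, named_log_t, named_log_t)` and `delete_files_pattern(named_t, named_log_t, named_log_t)`; a short comment naming the denial that drove this would help the next reviewer. `logging_log_filetrans(named_t, named_log_t, file)` is unchanged, so newly created logs keep the right label either way.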
@@ -8440,7 +8526,7 @@ index 076ffee..d4fb2a4 100644 allow ndc_t self:fifo_file rw_fifo_file_perms; allow ndc_t self:unix_stream_socket { accept listen }; -@@ -223,10 +238,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; +@@ -223,10 +236,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms; allow ndc_t named_zone_t:dir search_dir_perms; @@ -8452,7 +8538,7 @@ index 076ffee..d4fb2a4 100644 corenet_all_recvfrom_netlabel(ndc_t) corenet_tcp_sendrecv_generic_if(ndc_t) corenet_tcp_sendrecv_generic_node(ndc_t) -@@ -251,7 +265,7 @@ init_use_script_ptys(ndc_t) +@@ -251,7 +263,7 @@ init_use_script_ptys(ndc_t) logging_send_syslog_msg(ndc_t) @@ -8648,10 +8734,10 @@ index bc5c984..63a4b1d 100644 + xserver_read_state_xdm(blueman_t) +') diff --git a/bluetooth.fc b/bluetooth.fc -index 2b9c7f3..63e4860 100644 +index 2b9c7f3..0086b95 100644 --- a/bluetooth.fc +++ b/bluetooth.fc -@@ -5,10 +5,13 @@ +@@ -5,10 +5,14 @@ /etc/rc\.d/init\.d/dund -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0) /etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0) @@ -8662,6 +8748,7 @@ index 2b9c7f3..63e4860 100644 /usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) /usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0) +/usr/bin/pand -- gen_context(system_u:object_r:bluetooth_exec_t,s0) ++/usr/libexec/bluetooth/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) /usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0) /usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0) @@ -8782,7 +8869,7 @@ index c723a0a..3e8a553 100644 + allow $1 bluetooth_unit_file_t:service all_service_perms; ') diff --git a/bluetooth.te b/bluetooth.te -index 6f09d24..9c48d18 100644 +index 6f09d24..231de05 100644 --- a/bluetooth.te +++ b/bluetooth.te @@ -49,6 +49,9 @@ files_type(bluetooth_var_lib_t) 
@@ -8795,7 +8882,17 @@ index 6f09d24..9c48d18 100644 ######################################## # # Local policy -@@ -90,14 +93,24 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file }) +@@ -78,7 +81,8 @@ files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file) + + manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t) + manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t) +-files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file }) ++manage_fifo_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t) ++files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file fifo_file }) + + manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t) + manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t) +@@ -90,14 +94,24 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file }) can_exec(bluetooth_t, bluetooth_helper_exec_t) @@ -8822,7 +8919,7 @@ index 6f09d24..9c48d18 100644 dev_read_sysfs(bluetooth_t) dev_rw_usbfs(bluetooth_t) -@@ -110,7 +123,6 @@ domain_use_interactive_fds(bluetooth_t) +@@ -110,7 +124,6 @@ domain_use_interactive_fds(bluetooth_t) domain_dontaudit_search_all_domains_state(bluetooth_t) files_read_etc_runtime_files(bluetooth_t) @@ -8830,7 +8927,7 @@ index 6f09d24..9c48d18 100644 fs_getattr_all_fs(bluetooth_t) fs_search_auto_mountpoints(bluetooth_t) -@@ -122,7 +134,6 @@ auth_use_nsswitch(bluetooth_t) +@@ -122,7 +135,6 @@ auth_use_nsswitch(bluetooth_t) logging_send_syslog_msg(bluetooth_t) 
@@ -8838,12 +8935,13 @@ index 6f09d24..9c48d18 100644 miscfiles_read_fonts(bluetooth_t) miscfiles_read_hwdata(bluetooth_t) -@@ -130,8 +141,12 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t) +@@ -130,8 +142,13 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t) userdom_dontaudit_use_user_terminals(bluetooth_t) userdom_dontaudit_search_user_home_dirs(bluetooth_t) +# machine-info +systemd_hostnamed_read_config(bluetooth_t) ++systemd_dbus_chat_hostnamed(bluetooth_t) + optional_policy(` dbus_system_bus_client(bluetooth_t) @@ -8851,7 +8949,7 @@ index 6f09d24..9c48d18 100644 optional_policy(` cups_dbus_chat(bluetooth_t) -@@ -199,7 +214,6 @@ dev_read_urand(bluetooth_helper_t) +@@ -199,7 +216,6 @@ dev_read_urand(bluetooth_helper_t) domain_read_all_domains_state(bluetooth_helper_t) files_read_etc_runtime_files(bluetooth_helper_t) @@ -12419,7 +12517,7 @@ index 954309e..f4db2ca 100644 ') + diff --git a/collectd.te b/collectd.te -index 6471fa8..b2709d1 100644 +index 6471fa8..dc0423c 100644 --- a/collectd.te +++ b/collectd.te @@ -26,8 +26,14 @@ files_type(collectd_var_lib_t) 
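Review bot: `systemd_dbus_chat_hostnamed(bluetooth_t)` grants bidirectional D-Bus `send_msg` with hostnamed, which is broader than the `# machine-info` comment above it suggests; bluetoothd presumably only needs to read hostname properties, but the chat rule also lets it invoke hostnamed's setter methods, with only polkit left to refuse. The adjacent `systemd_hostnamed_read_config(bluetooth_t)` already covers the file read, so if the D-Bus path is genuinely required, record which call bluetoothd makes in the comment, e.g. `# machine-info: bluetoothd queries hostnamed properties over D-Bus`, so the grant can be revisited. Note also that the rule sits outside the `optional_policy` block that holds `dbus_system_bus_client(bluetooth_t)`, unlike the sibling D-Bus rules in this file.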
@@ -12437,16 +12535,17 @@ index 6471fa8..b2709d1 100644 ######################################## # # Local policy -@@ -38,6 +44,8 @@ allow collectd_t self:process { getsched setsched signal }; +@@ -38,6 +44,9 @@ allow collectd_t self:process { getsched setsched signal }; allow collectd_t self:fifo_file rw_fifo_file_perms; allow collectd_t self:packet_socket create_socket_perms; allow collectd_t self:unix_stream_socket { accept listen }; +allow collectd_t self:netlink_tcpdiag_socket create_netlink_socket_perms; +allow collectd_t self:udp_socket create_socket_perms; ++allow collectd_t self:rawip_socket create_socket_perms; manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t) -@@ -46,23 +54,25 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir) +@@ -46,23 +55,28 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir) manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t) files_pid_filetrans(collectd_t, collectd_var_run_t, file) @@ -12454,6 +12553,9 @@ index 6471fa8..b2709d1 100644 +kernel_read_all_sysctls(collectd_t) +kernel_read_all_proc(collectd_t) +kernel_list_all_proc(collectd_t) ++ ++auth_getattr_passwd(collectd_t) ++auth_read_passwd(collectd_t) -kernel_read_network_state(collectd_t) -kernel_read_net_sysctls(collectd_t) @@ -12479,7 +12581,7 @@ index 6471fa8..b2709d1 100644 logging_send_syslog_msg(collectd_t) -@@ -75,16 +85,26 @@ tunable_policy(`collectd_tcp_network_connect',` +@@ -75,16 +89,26 @@ tunable_policy(`collectd_tcp_network_connect',` ') optional_policy(` @@ -12726,7 +12828,7 @@ index 3f6e4dc..88c4f19 100644 mta_getattr_spool(comsat_t) diff --git a/condor.fc b/condor.fc -index 23dc348..7cc536b 100644 +index 23dc348..c4450f7 100644 --- a/condor.fc +++ b/condor.fc @@ -1,4 +1,5 @@ 
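Review bot: `allow collectd_t self:rawip_socket create_socket_perms;` lets the daemon open raw IP sockets and craft arbitrary packets, and the kernel additionally requires CAP_NET_RAW for that, so the rule is only meaningful if the domain's capability line (outside this hunk) includes `net_raw`; if it does not, the rule is dead, and if it does, the pair deserves a comment naming the plugin that needs it (the ping plugin is the usual candidate). If raw sockets are only needed by that one plugin, consider gating the rule in a `tunable_policy` alongside the existing `collectd_tcp_network_connect` boolean rather than granting it unconditionally to every collectd install.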
@@ -12735,6 +12837,15 @@ index 23dc348..7cc536b 100644 /usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0) /usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0) +@@ -8,6 +9,8 @@ + /usr/sbin/condor_startd -- gen_context(system_u:object_r:condor_startd_exec_t,s0) + /usr/sbin/condor_starter -- gen_context(system_u:object_r:condor_startd_exec_t,s0) + ++/etc/condor(/.*)? gen_context(system_u:object_r:condor_etc_rw_t,s0) ++ + /var/lib/condor(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0) + + /var/lib/condor/execute(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0) diff --git a/condor.if b/condor.if index 3fe3cb8..5fe84a6 100644 --- a/condor.if @@ -13192,10 +13303,20 @@ index 3fe3cb8..5fe84a6 100644 + ') ') diff --git a/condor.te b/condor.te -index 3f2b672..95daaa7 100644 +index 3f2b672..39f85e7 100644 --- a/condor.te +++ b/condor.te -@@ -46,6 +46,9 @@ files_lock_file(condor_var_lock_t) +@@ -34,6 +34,9 @@ files_tmp_file(condor_startd_tmp_t) + type condor_startd_tmpfs_t; + files_tmpfs_file(condor_startd_tmpfs_t) + ++type condor_etc_rw_t; ++files_config_file(condor_etc_rw_t) ++ + type condor_log_t; + logging_log_file(condor_log_t) + +@@ -46,6 +49,9 @@ files_lock_file(condor_var_lock_t) type condor_var_run_t; files_pid_file(condor_var_run_t) @@ -13205,7 +13326,7 @@ index 3f2b672..95daaa7 100644 condor_domain_template(collector) condor_domain_template(negotiator) condor_domain_template(procd) -@@ -57,10 +60,15 @@ condor_domain_template(startd) +@@ -57,15 +63,20 @@ condor_domain_template(startd) # Global local policy # 
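Review bot: `/etc/condor(/.*)? gen_context(system_u:object_r:condor_etc_rw_t,s0)` relabels the entire configuration tree, including anything an administrator later places under it, into a type that the condor.te hunk further down makes read-write for every domain in `condor_domain` via `rw_files_pattern`. That lets any condor daemon, not just the master, rewrite the configuration that decides what the daemons run, which turns a single-daemon compromise into control of the whole pool's configuration. The usual pattern is to leave `/etc/condor` as `etc_t` (read-only for the daemons) and label only the specific file or subdirectory that triggered the denial as `condor_etc_rw_t`; please narrow the regex to that path.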
@@ -13220,16 +13341,22 @@ index 3f2b672..95daaa7 100644 +allow condor_domain self:udp_socket create_socket_perms; +allow condor_domain self:unix_stream_socket create_stream_socket_perms; +allow condor_domain self:netlink_route_socket r_netlink_socket_perms; ++ ++rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t) manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t) - append_files_pattern(condor_domain, condor_log_t, condor_log_t) -@@ -86,13 +94,12 @@ allow condor_domain condor_master_t:tcp_socket getattr; +-append_files_pattern(condor_domain, condor_log_t, condor_log_t) +-create_files_pattern(condor_domain, condor_log_t, condor_log_t) +-getattr_files_pattern(condor_domain, condor_log_t, condor_log_t) ++manage_files_pattern(condor_domain, condor_log_t, condor_log_t) + logging_log_filetrans(condor_domain, condor_log_t, { dir file }) + + manage_dirs_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t) +@@ -86,13 +97,10 @@ allow condor_domain condor_master_t:tcp_socket getattr; kernel_read_kernel_sysctls(condor_domain) kernel_read_network_state(condor_domain) -kernel_read_system_state(condor_domain) -+ -+ corecmd_exec_bin(condor_domain) corecmd_exec_shell(condor_domain) @@ -13239,18 +13366,19 @@ index 3f2b672..95daaa7 100644 corenet_tcp_sendrecv_generic_if(condor_domain) corenet_tcp_sendrecv_generic_node(condor_domain) -@@ -106,9 +113,7 @@ dev_read_rand(condor_domain) +@@ -106,9 +114,9 @@ dev_read_rand(condor_domain) dev_read_sysfs(condor_domain) dev_read_urand(condor_domain) -logging_send_syslog_msg(condor_domain) -- --miscfiles_read_localization(condor_domain) +auth_read_passwd(condor_domain) +-miscfiles_read_localization(condor_domain) ++sysnet_dns_name_resolve(condor_domain) + tunable_policy(`condor_tcp_network_connect',` corenet_sendrecv_all_client_packets(condor_domain) -@@ -125,7 +130,7 @@ optional_policy(` +@@ -125,7 +133,7 @@ optional_policy(` # Master local policy # 
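Review bot: `manage_files_pattern(condor_domain, condor_log_t, condor_log_t)` replaces append/create/getattr for the whole `condor_domain` attribute, so every condor daemon can now truncate, rename and unlink every other daemon's log files on the shared `condor_log_t` type, which removes the tamper-evidence that append-only logging gave. If a specific daemon needs rotation, grant `rename_files_pattern`/`delete_files_pattern` to that domain only and keep the attribute-wide rule at `append_files_pattern` plus `create_files_pattern`. The new `rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t)` in the same hunk has the same attribute-wide shape; if only the master writes its local configuration, scope that rule to `condor_master_t`.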
@@ -13259,25 +13387,27 @@ index 3f2b672..95daaa7 100644 allow condor_master_t condor_domain:process { sigkill signal }; -@@ -133,6 +138,8 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) +@@ -133,6 +141,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir }) +can_exec(condor_master_t, condor_master_exec_t) + ++kernel_read_system_state(condor_master_t) ++ corenet_udp_sendrecv_generic_if(condor_master_t) corenet_udp_sendrecv_generic_node(condor_master_t) corenet_tcp_bind_generic_node(condor_master_t) -@@ -150,7 +157,7 @@ corenet_tcp_sendrecv_amqp_port(condor_master_t) +@@ -152,6 +164,8 @@ domain_read_all_domains_state(condor_master_t) - domain_read_all_domains_state(condor_master_t) - --auth_use_nsswitch(condor_master_t) -+auth_read_passwd(condor_master_t) + auth_use_nsswitch(condor_master_t) ++logging_send_syslog_msg(condor_master_t) ++ optional_policy(` mta_send_mail(condor_master_t) -@@ -169,6 +176,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms; + mta_read_config(condor_master_t) +@@ -169,6 +183,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms; kernel_read_network_state(condor_collector_t) @@ -13286,7 +13416,7 @@ index 3f2b672..95daaa7 100644 ##################################### # # Negotiator local policy -@@ -178,6 +187,8 @@ allow condor_negotiator_t self:capability { setuid setgid }; +@@ -178,6 +194,8 @@ allow condor_negotiator_t self:capability { setuid setgid }; allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms; allow condor_negotiator_t condor_master_t:udp_socket getattr; 
@@ -13295,7 +13425,17 @@ index 3f2b672..95daaa7 100644 ###################################### # # Procd local policy -@@ -201,6 +212,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; +@@ -185,7 +203,8 @@ allow condor_negotiator_t condor_master_t:udp_socket getattr; + + allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace }; + +-allow condor_procd_t condor_startd_t:process sigkill; ++allow condor_procd_t condor_domain:process sigkill; ++ + + domain_read_all_domains_state(condor_procd_t) + +@@ -201,6 +220,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; allow condor_schedd_t condor_var_lock_t:dir manage_file_perms; @@ -13304,7 +13444,7 @@ index 3f2b672..95daaa7 100644 domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t) domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t) -@@ -209,6 +222,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) +@@ -209,6 +230,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir }) @@ -13313,7 +13453,7 @@ index 3f2b672..95daaa7 100644 ##################################### # # Startd local policy -@@ -233,11 +248,10 @@ domain_read_all_domains_state(condor_startd_t) +@@ -233,11 +256,10 @@ domain_read_all_domains_state(condor_startd_t) mcs_process_set_categories(condor_startd_t) init_domtrans_script(condor_startd_t) @@ -13326,7 +13466,7 @@ index 3f2b672..95daaa7 100644 optional_policy(` ssh_basic_client_template(condor_startd, condor_startd_t, system_r) ssh_domtrans(condor_startd_t) -@@ -249,3 +263,7 @@ optional_policy(` +@@ -249,3 +271,7 @@ optional_policy(` kerberos_use(condor_startd_ssh_t) ') ') @@ -15389,7 +15529,7 @@ index 1303b30..058864e 100644 + logging_log_filetrans($1, cron_log_t, $2, $3) ') 
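Review bot: `allow condor_procd_t condor_domain:process sigkill;` widens the old startd-only rule to the whole `condor_domain` attribute, which includes `condor_master_t` (which this file elsewhere lets signal every condor daemon) and procd itself, so a compromised procd can now kill the master. If the denial that motivated this named a specific daemon, list it explicitly, e.g. `allow condor_procd_t { condor_startd_t condor_schedd_t }:process sigkill;`, and leave the master out. A one-line comment on why procd needs to kill other condor daemons would make the intent reviewable later.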
diff --git a/cron.te b/cron.te -index 28e1b86..9436993 100644 +index 28e1b86..f871609 100644 --- a/cron.te +++ b/cron.te @@ -1,4 +1,4 @@ @@ -15630,7 +15770,7 @@ index 28e1b86..9436993 100644 logging_log_filetrans(crond_t, cron_log_t, file) manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t) -@@ -237,72 +180,67 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) +@@ -237,72 +180,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t) manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t) manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t) @@ -15701,6 +15841,7 @@ index 28e1b86..9436993 100644 +# Read from /var/spool/cron. files_search_var_lib(crond_t) files_search_default(crond_t) ++files_read_all_locks(crond_t) -mls_fd_share_all_levels(crond_t) +fs_manage_cgroup_dirs(crond_t) @@ -15733,7 +15874,7 @@ index 28e1b86..9436993 100644 auth_use_nsswitch(crond_t) logging_send_audit_msgs(crond_t) -@@ -311,41 +249,46 @@ logging_set_loginuid(crond_t) +@@ -311,41 +250,46 @@ logging_set_loginuid(crond_t) seutil_read_config(crond_t) seutil_read_default_contexts(crond_t) @@ -15796,7 +15937,7 @@ index 28e1b86..9436993 100644 ') optional_policy(` -@@ -353,102 +296,136 @@ optional_policy(` +@@ -353,102 +297,136 @@ optional_policy(` ') optional_policy(` @@ -15964,7 +16105,7 @@ index 28e1b86..9436993 100644 allow system_cronjob_t cron_spool_t:dir list_dir_perms; allow system_cronjob_t cron_spool_t:file rw_file_perms; -@@ -457,11 +434,11 @@ kernel_read_network_state(system_cronjob_t) +@@ -457,11 +435,11 @@ kernel_read_network_state(system_cronjob_t) kernel_read_system_state(system_cronjob_t) kernel_read_software_raid_state(system_cronjob_t) 
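Review bot: `files_read_all_locks(crond_t)` grants read on every lock file type on the system, which is broader than crond should need; lock files are not secret, but the `_all_` interfaces are the ones that accumulate unreviewed, and nothing here records which lock crond reads. If it is a single type, a targeted `read_files_pattern` on that type, or a `dontaudit` if the read is only a probe whose failure is harmless, is the narrower rule; at minimum add a comment naming the denial, e.g. `# files_read_all_locks: crond reads <type> (AVC ...)`.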
@@ -15977,7 +16118,7 @@ index 28e1b86..9436993 100644 corenet_all_recvfrom_netlabel(system_cronjob_t) corenet_tcp_sendrecv_generic_if(system_cronjob_t) corenet_udp_sendrecv_generic_if(system_cronjob_t) -@@ -481,6 +458,7 @@ fs_getattr_all_symlinks(system_cronjob_t) +@@ -481,6 +459,7 @@ fs_getattr_all_symlinks(system_cronjob_t) fs_getattr_all_pipes(system_cronjob_t) fs_getattr_all_sockets(system_cronjob_t) @@ -15985,7 +16126,7 @@ index 28e1b86..9436993 100644 domain_dontaudit_read_all_domains_state(system_cronjob_t) files_exec_etc_files(system_cronjob_t) -@@ -491,15 +469,19 @@ files_getattr_all_files(system_cronjob_t) +@@ -491,15 +470,19 @@ files_getattr_all_files(system_cronjob_t) files_getattr_all_symlinks(system_cronjob_t) files_getattr_all_pipes(system_cronjob_t) files_getattr_all_sockets(system_cronjob_t) @@ -16008,7 +16149,7 @@ index 28e1b86..9436993 100644 init_domtrans_script(system_cronjob_t) auth_use_nsswitch(system_cronjob_t) -@@ -511,20 +493,26 @@ logging_read_generic_logs(system_cronjob_t) +@@ -511,20 +494,26 @@ logging_read_generic_logs(system_cronjob_t) logging_send_audit_msgs(system_cronjob_t) logging_send_syslog_msg(system_cronjob_t) @@ -16038,7 +16179,7 @@ index 28e1b86..9436993 100644 selinux_validate_context(system_cronjob_t) selinux_compute_access_vector(system_cronjob_t) selinux_compute_create_context(system_cronjob_t) -@@ -534,10 +522,17 @@ tunable_policy(`cron_can_relabel',` +@@ -534,10 +523,17 @@ tunable_policy(`cron_can_relabel',` ') optional_policy(` @@ -16056,7 +16197,7 @@ index 28e1b86..9436993 100644 ') optional_policy(` -@@ -546,10 +541,6 @@ optional_policy(` +@@ -546,10 +542,6 @@ optional_policy(` optional_policy(` dbus_system_bus_client(system_cronjob_t) @@ -16067,7 +16208,7 @@ index 28e1b86..9436993 100644 ') optional_policy(` -@@ -581,6 +572,7 @@ optional_policy(` +@@ -581,6 +573,7 @@ optional_policy(` optional_policy(` mta_read_config(system_cronjob_t) mta_send_mail(system_cronjob_t) 
@@ -16075,7 +16216,7 @@ index 28e1b86..9436993 100644 ') optional_policy(` -@@ -588,15 +580,19 @@ optional_policy(` +@@ -588,15 +581,19 @@ optional_policy(` ') optional_policy(` @@ -16097,7 +16238,7 @@ index 28e1b86..9436993 100644 ') optional_policy(` -@@ -606,6 +602,7 @@ optional_policy(` +@@ -606,6 +603,7 @@ optional_policy(` optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) @@ -16105,7 +16246,7 @@ index 28e1b86..9436993 100644 ') optional_policy(` -@@ -613,12 +610,24 @@ optional_policy(` +@@ -613,12 +611,24 @@ optional_policy(` ') optional_policy(` @@ -16132,7 +16273,7 @@ index 28e1b86..9436993 100644 # allow cronjob_t self:process { signal_perms setsched }; -@@ -626,12 +635,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; +@@ -626,12 +636,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; allow cronjob_t self:unix_dgram_socket create_socket_perms; @@ -16166,7 +16307,7 @@ index 28e1b86..9436993 100644 corenet_all_recvfrom_netlabel(cronjob_t) corenet_tcp_sendrecv_generic_if(cronjob_t) corenet_udp_sendrecv_generic_if(cronjob_t) -@@ -639,84 +668,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) +@@ -639,84 +669,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t) corenet_udp_sendrecv_generic_node(cronjob_t) corenet_tcp_sendrecv_all_ports(cronjob_t) corenet_udp_sendrecv_all_ports(cronjob_t) @@ -16954,7 +17095,7 @@ index 06da9a0..6d69a2f 100644 + ps_process_pattern($1, cupsd_t) ') diff --git a/cups.te b/cups.te -index 9f34c2e..ab0eee9 100644 +index 9f34c2e..09ef91c 100644 --- a/cups.te +++ b/cups.te @@ -5,19 +5,24 @@ policy_module(cups, 1.15.9) @@ -16984,7 +17125,7 @@ index 9f34c2e..ab0eee9 100644 files_config_file(cupsd_etc_t) type cupsd_initrc_exec_t; -@@ -33,9 +38,13 @@ type cupsd_lock_t; +@@ -33,13 +38,15 @@ type cupsd_lock_t; files_lock_file(cupsd_lock_t) type cupsd_log_t; 
@@ -16997,9 +17138,14 @@ index 9f34c2e..ab0eee9 100644 + +type cupsd_lpd_t, cups_domain; type cupsd_lpd_exec_t; - domain_type(cupsd_lpd_t) - domain_entry_file(cupsd_lpd_t, cupsd_lpd_exec_t) -@@ -47,7 +56,7 @@ files_tmp_file(cupsd_lpd_tmp_t) +-domain_type(cupsd_lpd_t) +-domain_entry_file(cupsd_lpd_t, cupsd_lpd_exec_t) +-role system_r types cupsd_lpd_t; ++init_domain(cupsd_lpd_t, cupsd_lpd_exec_t) + + type cupsd_lpd_tmp_t; + files_tmp_file(cupsd_lpd_tmp_t) +@@ -47,7 +54,7 @@ files_tmp_file(cupsd_lpd_tmp_t) type cupsd_lpd_var_run_t; files_pid_file(cupsd_lpd_var_run_t) @@ -17008,7 +17154,7 @@ index 9f34c2e..ab0eee9 100644 type cups_pdf_exec_t; cups_backend(cups_pdf_t, cups_pdf_exec_t) -@@ -55,29 +64,17 @@ type cups_pdf_tmp_t; +@@ -55,29 +62,17 @@ type cups_pdf_tmp_t; files_tmp_file(cups_pdf_tmp_t) type cupsd_tmp_t; @@ -17042,7 +17188,7 @@ index 9f34c2e..ab0eee9 100644 type ptal_t; type ptal_exec_t; -@@ -97,21 +94,49 @@ ifdef(`enable_mls',` +@@ -97,21 +92,49 @@ ifdef(`enable_mls',` init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh) ') @@ -17096,7 +17242,7 @@ index 9f34c2e..ab0eee9 100644 allow cupsd_t self:appletalk_socket create_socket_perms; allow cupsd_t cupsd_etc_t:dir setattr_dir_perms; -@@ -120,11 +145,13 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) +@@ -120,11 +143,13 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t) manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t) 
@@ -17110,8 +17256,15 @@ index 9f34c2e..ab0eee9 100644 allow cupsd_t cupsd_exec_t:dir search_dir_perms; allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms; -@@ -139,22 +166,23 @@ read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) - setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) +@@ -133,28 +158,26 @@ allow cupsd_t cupsd_lock_t:file manage_file_perms; + files_lock_filetrans(cupsd_t, cupsd_lock_t, file) + + manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) +-append_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) +-create_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) +-read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) +-setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) ++manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t) logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir }) +manage_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t) @@ -17138,7 +17291,7 @@ index 9f34c2e..ab0eee9 100644 stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t) allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; -@@ -162,11 +190,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; +@@ -162,11 +185,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms; can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t }) kernel_read_system_state(cupsd_t) @@ -17150,7 +17303,7 @@ index 9f34c2e..ab0eee9 100644 corenet_all_recvfrom_netlabel(cupsd_t) corenet_tcp_sendrecv_generic_if(cupsd_t) corenet_udp_sendrecv_generic_if(cupsd_t) -@@ -189,12 +215,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) +@@ -189,12 +210,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t) corenet_tcp_bind_all_rpc_ports(cupsd_t) corenet_tcp_connect_all_ports(cupsd_t) 
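Review bot: `manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)` collapses the four append/create/read/setattr rules into the full manage set, adding write, rename and unlink on existing logs for a daemon that this file already lets connect to all ports and bind RPC ports, so a compromised cupsd can now erase its own access and error logs. If the driver is cupsd's built-in log rotation, keep the four original rules and add `rename_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)` and `delete_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)` instead; `logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })` below it is unchanged, so new logs keep their label either way.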
@@ -17175,7 +17328,7 @@ index 9f34c2e..ab0eee9 100644 dev_rw_input_dev(cupsd_t) dev_rw_generic_usb_dev(cupsd_t) dev_rw_usbfs(cupsd_t) -@@ -206,7 +240,6 @@ domain_use_interactive_fds(cupsd_t) +@@ -206,7 +235,6 @@ domain_use_interactive_fds(cupsd_t) files_getattr_boot_dirs(cupsd_t) files_list_spool(cupsd_t) files_read_etc_runtime_files(cupsd_t) @@ -17183,7 +17336,7 @@ index 9f34c2e..ab0eee9 100644 files_exec_usr_files(cupsd_t) # for /var/lib/defoma files_read_var_lib_files(cupsd_t) -@@ -215,16 +248,17 @@ files_read_world_readable_files(cupsd_t) +@@ -215,16 +243,17 @@ files_read_world_readable_files(cupsd_t) files_read_world_readable_symlinks(cupsd_t) files_read_var_files(cupsd_t) files_read_var_symlinks(cupsd_t) @@ -17203,7 +17356,7 @@ index 9f34c2e..ab0eee9 100644 mls_fd_use_all_levels(cupsd_t) mls_file_downgrade(cupsd_t) -@@ -235,6 +269,8 @@ mls_socket_write_all_levels(cupsd_t) +@@ -235,6 +264,8 @@ mls_socket_write_all_levels(cupsd_t) term_search_ptys(cupsd_t) term_use_unallocated_ttys(cupsd_t) @@ -17212,7 +17365,7 @@ index 9f34c2e..ab0eee9 100644 selinux_compute_access_vector(cupsd_t) selinux_validate_context(cupsd_t) -@@ -247,21 +283,20 @@ auth_dontaudit_read_pam_pid(cupsd_t) +@@ -247,21 +278,20 @@ auth_dontaudit_read_pam_pid(cupsd_t) auth_rw_faillog(cupsd_t) auth_use_nsswitch(cupsd_t) @@ -17238,7 +17391,7 @@ index 9f34c2e..ab0eee9 100644 userdom_dontaudit_search_user_home_content(cupsd_t) optional_policy(` -@@ -275,6 +310,8 @@ optional_policy(` +@@ -275,6 +305,8 @@ optional_policy(` optional_policy(` dbus_system_bus_client(cupsd_t) @@ -17247,7 +17400,7 @@ index 9f34c2e..ab0eee9 100644 userdom_dbus_send_all_users(cupsd_t) optional_policy(` -@@ -285,8 +322,10 @@ optional_policy(` +@@ -285,8 +317,10 @@ optional_policy(` hal_dbus_chat(cupsd_t) ') @@ -17258,7 +17411,7 @@ index 9f34c2e..ab0eee9 100644 ') ') -@@ -299,8 +338,8 @@ optional_policy(` +@@ -299,8 +333,8 @@ optional_policy(` ') optional_policy(` 
@@ -17268,7 +17421,7 @@ index 9f34c2e..ab0eee9 100644 ') optional_policy(` -@@ -309,7 +348,6 @@ optional_policy(` +@@ -309,7 +343,6 @@ optional_policy(` optional_policy(` lpd_exec_lpr(cupsd_t) @@ -17276,7 +17429,7 @@ index 9f34c2e..ab0eee9 100644 lpd_read_config(cupsd_t) lpd_relabel_spool(cupsd_t) ') -@@ -337,7 +375,11 @@ optional_policy(` +@@ -337,7 +370,11 @@ optional_policy(` ') optional_policy(` @@ -17289,7 +17442,7 @@ index 9f34c2e..ab0eee9 100644 ') ######################################## -@@ -345,12 +387,11 @@ optional_policy(` +@@ -345,12 +382,11 @@ optional_policy(` # Configuration daemon local policy # @@ -17305,7 +17458,7 @@ index 9f34c2e..ab0eee9 100644 allow cupsd_config_t cupsd_t:process signal; ps_process_pattern(cupsd_config_t, cupsd_t) -@@ -375,18 +416,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run +@@ -375,18 +411,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t) files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file }) @@ -17326,7 +17479,7 @@ index 9f34c2e..ab0eee9 100644 corenet_all_recvfrom_netlabel(cupsd_config_t) corenet_tcp_sendrecv_generic_if(cupsd_config_t) corenet_tcp_sendrecv_generic_node(cupsd_config_t) -@@ -395,20 +434,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) +@@ -395,20 +429,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t) corenet_sendrecv_all_client_packets(cupsd_config_t) corenet_tcp_connect_all_ports(cupsd_config_t) @@ -17347,7 +17500,7 @@ index 9f34c2e..ab0eee9 100644 fs_search_auto_mountpoints(cupsd_config_t) domain_use_interactive_fds(cupsd_config_t) -@@ -420,11 +451,6 @@ auth_use_nsswitch(cupsd_config_t) +@@ -420,11 +446,6 @@ auth_use_nsswitch(cupsd_config_t) logging_send_syslog_msg(cupsd_config_t) 
@@ -17359,7 +17512,7 @@ index 9f34c2e..ab0eee9 100644 userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) -@@ -452,9 +478,12 @@ optional_policy(` +@@ -452,9 +473,12 @@ optional_policy(` ') optional_policy(` @@ -17373,7 +17526,7 @@ index 9f34c2e..ab0eee9 100644 ') optional_policy(` -@@ -490,10 +519,6 @@ optional_policy(` +@@ -490,10 +514,6 @@ optional_policy(` # Lpd local policy # @@ -17384,7 +17537,7 @@ index 9f34c2e..ab0eee9 100644 allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms; allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms; -@@ -511,31 +536,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) +@@ -511,31 +531,22 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) kernel_read_kernel_sysctls(cupsd_lpd_t) kernel_read_system_state(cupsd_lpd_t) @@ -17417,7 +17570,7 @@ index 9f34c2e..ab0eee9 100644 optional_policy(` inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t) ') -@@ -546,7 +562,6 @@ optional_policy(` +@@ -546,7 +557,6 @@ optional_policy(` # allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override }; @@ -17425,7 +17578,7 @@ index 9f34c2e..ab0eee9 100644 allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms; append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) -@@ -562,148 +577,23 @@ fs_search_auto_mountpoints(cups_pdf_t) +@@ -562,148 +572,23 @@ fs_search_auto_mountpoints(cups_pdf_t) kernel_read_system_state(cups_pdf_t) @@ -17577,7 +17730,7 @@ index 9f34c2e..ab0eee9 100644 ######################################## # -@@ -731,7 +621,6 @@ kernel_read_kernel_sysctls(ptal_t) +@@ -731,7 +616,6 @@ kernel_read_kernel_sysctls(ptal_t) kernel_list_proc(ptal_t) kernel_read_proc_symlinks(ptal_t) 
@@ -17585,7 +17738,7 @@ index 9f34c2e..ab0eee9 100644 corenet_all_recvfrom_netlabel(ptal_t) corenet_tcp_sendrecv_generic_if(ptal_t) corenet_tcp_sendrecv_generic_node(ptal_t) -@@ -741,13 +630,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) +@@ -741,13 +625,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t) corenet_tcp_bind_ptal_port(ptal_t) corenet_tcp_sendrecv_ptal_port(ptal_t) @@ -17599,7 +17752,7 @@ index 9f34c2e..ab0eee9 100644 files_read_etc_runtime_files(ptal_t) fs_getattr_all_fs(ptal_t) -@@ -755,8 +642,6 @@ fs_search_auto_mountpoints(ptal_t) +@@ -755,8 +637,6 @@ fs_search_auto_mountpoints(ptal_t) logging_send_syslog_msg(ptal_t) @@ -17608,7 +17761,7 @@ index 9f34c2e..ab0eee9 100644 sysnet_read_config(ptal_t) userdom_dontaudit_use_unpriv_user_fds(ptal_t) -@@ -769,3 +654,4 @@ optional_policy(` +@@ -769,3 +649,4 @@ optional_policy(` optional_policy(` udev_read_db(ptal_t) ') @@ -17658,10 +17811,10 @@ index 9fa7ffb..fd3262c 100644 domain_system_change_exemption($1) role_transition $2 cvs_initrc_exec_t system_r; diff --git a/cvs.te b/cvs.te -index 53fc3af..25b3285 100644 +index 53fc3af..989aabf 100644 --- a/cvs.te +++ b/cvs.te -@@ -11,7 +11,7 @@ policy_module(cvs, 1.9.1) +@@ -11,11 +11,12 @@ policy_module(cvs, 1.9.1) ## password files. ##

## @@ -17670,7 +17823,12 @@ index 53fc3af..25b3285 100644 type cvs_t; type cvs_exec_t; -@@ -58,6 +58,14 @@ kernel_read_network_state(cvs_t) + inetd_tcp_service_domain(cvs_t, cvs_exec_t) ++init_domain(cvs_t, cvs_exec_t) + application_executable_file(cvs_exec_t) + + type cvs_data_t; # customizable +@@ -58,6 +59,14 @@ kernel_read_network_state(cvs_t) corecmd_exec_bin(cvs_t) corecmd_exec_shell(cvs_t) @@ -17685,7 +17843,7 @@ index 53fc3af..25b3285 100644 dev_read_urand(cvs_t) files_read_etc_runtime_files(cvs_t) -@@ -70,18 +78,18 @@ auth_use_nsswitch(cvs_t) +@@ -70,18 +79,18 @@ auth_use_nsswitch(cvs_t) init_read_utmp(cvs_t) @@ -17707,7 +17865,7 @@ index 53fc3af..25b3285 100644 allow cvs_t self:capability dac_override; auth_tunable_read_shadow(cvs_t) ') -@@ -103,4 +111,5 @@ optional_policy(` +@@ -103,4 +112,5 @@ optional_policy(` read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t) manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t) @@ -19055,6 +19213,19 @@ index 2c2e7e1..493ab48 100644 +allow dbusd_unconfined session_bus_type:dbus all_dbus_perms; +allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms; +allow session_bus_type dbusd_unconfined:dbus send_msg; +diff --git a/dcc.fc b/dcc.fc +index 62d3c4e..cef59a7 100644 +--- a/dcc.fc ++++ b/dcc.fc +@@ -10,6 +10,8 @@ + /usr/libexec/dcc/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0) + /usr/libexec/dcc/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0) + ++/usr/libexec/dcc/start-dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0) ++ + /usr/sbin/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0) + /usr/sbin/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0) + /usr/sbin/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0) diff --git a/dcc.if b/dcc.if index a5c21e0..4639421 100644 --- a/dcc.if 
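Review bot: `/usr/libexec/dcc/start-dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)` labels what is presumably a start-up wrapper with the daemon's entry type, so whoever executes it enters `dccifd_t` before the real `dccifd` binary runs. If the wrapper is a shell script, `dccifd_t` needs `corecmd_exec_shell`/`corecmd_exec_bin` for it to work at all, and everything the script does runs with the daemon's privileges; the dcc.te hunks in this patch do not show those exec rules. A comment on the .fc line saying what the wrapper is for and who runs it would help, e.g. `# autostart wrapper; dcc.te lets dcc_client_t transition through it`, since the dcc.te change in this patch adds a transition from `dcc_client_t` onto this type.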
@@ -19068,7 +19239,7 @@ index a5c21e0..4639421 100644 stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t) ') diff --git a/dcc.te b/dcc.te -index 15d908f..147dd14 100644 +index 15d908f..cecb0da 100644 --- a/dcc.te +++ b/dcc.te @@ -45,7 +45,7 @@ type dcc_var_t; @@ -19102,7 +19273,16 @@ index 15d908f..147dd14 100644 ######################################## # -@@ -123,6 +126,12 @@ read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t) +@@ -113,6 +116,8 @@ allow dcc_client_t self:capability { setuid setgid }; + + allow dcc_client_t dcc_client_map_t:file rw_file_perms; + ++domtrans_pattern(dcc_client_t, dccifd_exec_t, dccifd_t) ++ + manage_dirs_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t) + manage_files_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t) + files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir }) +@@ -123,6 +128,12 @@ read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t) kernel_read_system_state(dcc_client_t) @@ -19115,7 +19295,7 @@ index 15d908f..147dd14 100644 files_read_etc_runtime_files(dcc_client_t) fs_getattr_all_fs(dcc_client_t) -@@ -131,12 +140,10 @@ auth_use_nsswitch(dcc_client_t) +@@ -131,12 +142,10 @@ auth_use_nsswitch(dcc_client_t) logging_send_syslog_msg(dcc_client_t) @@ -19130,7 +19310,7 @@ index 15d908f..147dd14 100644 ') optional_policy(` -@@ -160,15 +167,18 @@ manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t) +@@ -160,15 +169,18 @@ manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t) kernel_read_system_state(dcc_dbclean_t) @@ -19152,7 +19332,7 @@ index 15d908f..147dd14 100644 ######################################## # -@@ -202,7 +212,6 @@ files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file }) +@@ -202,7 +214,6 @@ files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file }) kernel_read_system_state(dccd_t) kernel_read_kernel_sysctls(dccd_t) 
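Review bot: `domtrans_pattern(dcc_client_t, dccifd_exec_t, dccifd_t)` lets the client domain spawn the dccifd daemon in dccifd_t, but the existing dccifd_t rules (`domain_use_interactive_fds`, `files_pid_filetrans`, pid-file management) were written for a daemon started from init, and a daemon started by a client inherits that client's open descriptors and controlling terminal unless the policy cuts them off. Together with dcc.fc labelling the `start-dccifd` wrapper as dccifd_exec_t, a shell script will now run as dccifd_t and must exec the real binary, so verify dccifd_t has the shell/bin execution rules that requires — that part is presumably covered by the corecmd lines in the dccifd_t section, which is outside this hunk. A short comment stating why the client needs to start the daemon, e.g. `# dcc client tools start dccifd on demand via start-dccifd -- confirm`, would spare the next reviewer the question.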
@@ -19160,7 +19340,7 @@ index 15d908f..147dd14 100644 corenet_all_recvfrom_netlabel(dccd_t) corenet_udp_sendrecv_generic_if(dccd_t) corenet_udp_sendrecv_generic_node(dccd_t) -@@ -227,8 +236,6 @@ auth_use_nsswitch(dccd_t) +@@ -227,8 +238,6 @@ auth_use_nsswitch(dccd_t) logging_send_syslog_msg(dccd_t) @@ -19169,7 +19349,7 @@ index 15d908f..147dd14 100644 userdom_dontaudit_use_unpriv_user_fds(dccd_t) userdom_dontaudit_search_user_home_dirs(dccd_t) -@@ -269,6 +276,11 @@ files_pid_filetrans(dccifd_t, dccifd_var_run_t, file) +@@ -269,6 +278,11 @@ files_pid_filetrans(dccifd_t, dccifd_var_run_t, file) kernel_read_system_state(dccifd_t) kernel_read_kernel_sysctls(dccifd_t) @@ -19181,7 +19361,7 @@ index 15d908f..147dd14 100644 dev_read_sysfs(dccifd_t) domain_use_interactive_fds(dccifd_t) -@@ -282,8 +294,6 @@ auth_use_nsswitch(dccifd_t) +@@ -282,8 +296,6 @@ auth_use_nsswitch(dccifd_t) logging_send_syslog_msg(dccifd_t) @@ -19190,7 +19370,7 @@ index 15d908f..147dd14 100644 userdom_dontaudit_use_unpriv_user_fds(dccifd_t) userdom_dontaudit_search_user_home_dirs(dccifd_t) -@@ -324,6 +334,11 @@ files_pid_filetrans(dccm_t, dccm_var_run_t, file) +@@ -324,6 +336,11 @@ files_pid_filetrans(dccm_t, dccm_var_run_t, file) kernel_read_system_state(dccm_t) kernel_read_kernel_sysctls(dccm_t) @@ -19202,7 +19382,7 @@ index 15d908f..147dd14 100644 dev_read_sysfs(dccm_t) domain_use_interactive_fds(dccm_t) -@@ -337,8 +352,6 @@ auth_use_nsswitch(dccm_t) +@@ -337,8 +354,6 @@ auth_use_nsswitch(dccm_t) logging_send_syslog_msg(dccm_t) @@ -22992,7 +23172,7 @@ index 6041113..ef3b449 100644 role_transition $2 exim_initrc_exec_t system_r; allow $2 system_r; diff --git a/exim.te b/exim.te -index 19325ce..5957aad 100644 +index 19325ce..b5c157f 100644 --- a/exim.te +++ b/exim.te @@ -49,7 +49,7 @@ type exim_log_t; 
@@ -23049,7 +23229,18 @@ index 19325ce..5957aad 100644 ') optional_policy(` -@@ -218,6 +216,7 @@ optional_policy(` +@@ -192,8 +190,9 @@ optional_policy(` + ') + + optional_policy(` +- mailman_read_data_files(exim_t) ++ mailman_manage_data_files(exim_t) + mailman_domtrans(exim_t) ++ mailman_read_log(exim_t) + ') + + optional_policy(` +@@ -218,6 +217,7 @@ optional_policy(` optional_policy(` procmail_domtrans(exim_t) @@ -23461,7 +23652,7 @@ index 79b9273..76b7ed5 100644 logging_send_syslog_msg(fcoemon_t) diff --git a/fetchmail.fc b/fetchmail.fc -index 2486e2a..ea07c4f 100644 +index 2486e2a..fef9bff 100644 --- a/fetchmail.fc +++ b/fetchmail.fc @@ -1,4 +1,5 @@ @@ -23470,6 +23661,12 @@ index 2486e2a..ea07c4f 100644 /etc/fetchmailrc -- gen_context(system_u:object_r:fetchmail_etc_t,s0) +@@ -12,4 +13,4 @@ HOME_DIR/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t,s0) + + /var/mail/\.fetchmail-UIDL-cache -- gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0) + +-/var/run/fetchmail/.* -- gen_context(system_u:object_r:fetchmail_var_run_t,s0) ++/var/run/fetchmail.* gen_context(system_u:object_r:fetchmail_var_run_t,s0) diff --git a/fetchmail.if b/fetchmail.if index c3f7916..cab3954 100644 --- a/fetchmail.if @@ -23495,7 +23692,7 @@ index c3f7916..cab3954 100644 admin_pattern($1, fetchmail_etc_t) diff --git a/fetchmail.te b/fetchmail.te -index f0388cb..df501ec 100644 +index f0388cb..8e7f99e 100644 --- a/fetchmail.te +++ b/fetchmail.te @@ -32,15 +32,13 @@ files_type(fetchmail_uidl_cache_t) 
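Review bot: `mailman_manage_data_files(exim_t)` replaces `mailman_read_data_files(exim_t)`, so the MTA goes from read-only to create/write/delete over all mailman data files; a compromised or misconfigured exim_t can now rewrite list configuration and archives rather than only read them. If the denials that prompted this were limited to lock or queue files, a narrower interface (or a dedicated type for those files) keeps the MTA from owning the whole data tree. Either way, add a comment naming the access that triggered the change, e.g. `# exim writes mailman lock/queue files on list delivery -- confirm`, so the widening is not kept by inertia. `mailman_read_log(exim_t)` is also new here and looks proportionate.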
@@ -23515,18 +23712,20 @@ index f0388cb..df501ec 100644 manage_dirs_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t) append_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t) create_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t) -@@ -54,6 +52,11 @@ manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t) - manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t) - files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, dir) +@@ -52,7 +50,12 @@ mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file) + manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t) + manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t) +-files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, dir) ++files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, {file dir}) ++ +list_dirs_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t) +read_files_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t) +userdom_search_user_home_dirs(fetchmail_t) +userdom_search_admin_dir(fetchmail_t) -+ + kernel_read_kernel_sysctls(fetchmail_t) kernel_list_proc(fetchmail_t) - kernel_getattr_proc_files(fetchmail_t) @@ -63,7 +66,6 @@ kernel_dontaudit_read_system_state(fetchmail_t) corecmd_exec_bin(fetchmail_t) corecmd_exec_shell(fetchmail_t) @@ -24146,7 +24345,7 @@ index c12c067..a415012 100644 optional_policy(` diff --git a/fprintd.te b/fprintd.te -index c81b6e8..fcb022d 100644 +index c81b6e8..34e1f1c 100644 --- a/fprintd.te +++ b/fprintd.te @@ -20,6 +20,7 @@ files_type(fprintd_var_lib_t) 
@@ -24157,8 +24356,11 @@ index c81b6e8..fcb022d 100644 manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t) -@@ -30,14 +31,10 @@ dev_list_usbfs(fprintd_t) +@@ -28,16 +29,13 @@ kernel_read_system_state(fprintd_t) + + dev_list_usbfs(fprintd_t) dev_read_sysfs(fprintd_t) ++dev_read_urand(fprintd_t) dev_rw_generic_usb_dev(fprintd_t) -files_read_usr_files(fprintd_t) @@ -24172,7 +24374,7 @@ index c81b6e8..fcb022d 100644 userdom_use_user_ptys(fprintd_t) userdom_read_all_users_state(fprintd_t) -@@ -54,8 +51,13 @@ optional_policy(` +@@ -54,8 +52,13 @@ optional_policy(` ') ') @@ -24901,7 +25103,7 @@ index 9eacb2c..229782f 100644 init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t }) domain_system_change_exemption($1) diff --git a/glance.te b/glance.te -index e0a4f46..79bc951 100644 +index e0a4f46..95cf77c 100644 --- a/glance.te +++ b/glance.te @@ -7,8 +7,7 @@ policy_module(glance, 1.0.2) @@ -24935,7 +25137,7 @@ index e0a4f46..79bc951 100644 allow glance_domain self:fifo_file rw_fifo_file_perms; allow glance_domain self:unix_stream_socket create_stream_socket_perms; allow glance_domain self:tcp_socket { accept listen }; -@@ -56,27 +58,22 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t) +@@ -56,27 +58,23 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t) manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t) manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t) @@ -24954,6 +25156,7 @@ index e0a4f46..79bc951 100644 corecmd_exec_shell(glance_domain) dev_read_urand(glance_domain) ++dev_read_sysfs(glance_domain) -files_read_etc_files(glance_domain) -files_read_usr_files(glance_domain) 
@@ -24966,7 +25169,7 @@ index e0a4f46..79bc951 100644 sysnet_dns_name_resolve(glance_domain) ######################################## -@@ -88,8 +85,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm +@@ -88,8 +86,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t) files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file }) @@ -24981,7 +25184,7 @@ index e0a4f46..79bc951 100644 logging_send_syslog_msg(glance_registry_t) -@@ -108,13 +111,21 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) +@@ -108,13 +112,21 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t) files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file }) can_exec(glance_api_t, glance_tmp_t) @@ -25188,10 +25391,10 @@ index 0000000..1ed97fe + diff --git a/glusterd.te b/glusterd.te new file mode 100644 -index 0000000..7244e2c +index 0000000..a19c35c --- /dev/null +++ b/glusterd.te -@@ -0,0 +1,167 @@ +@@ -0,0 +1,170 @@ +policy_module(glusterfs, 1.0.1) + +## @@ -25273,7 +25476,8 @@ index 0000000..7244e2c + +manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) +manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) -+files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file }) ++manage_sock_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t) ++files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file sock_file }) + +manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) +manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) @@ -25320,6 +25524,8 @@ index 0000000..7244e2c +dev_read_sysfs(glusterd_t) +dev_read_urand(glusterd_t) + ++domain_read_all_domains_state(glusterd_t) ++ +domain_use_interactive_fds(glusterd_t) + +fs_mount_all_fs(glusterd_t) 
@@ -25639,7 +25845,7 @@ index e39de43..5818f74 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if -index d03fd43..e334392 100644 +index d03fd43..71aa685 100644 --- a/gnome.if +++ b/gnome.if @@ -1,123 +1,155 @@ @@ -26721,7 +26927,7 @@ index d03fd43..e334392 100644 ##
## ## -@@ -704,12 +795,830 @@ interface(`gnome_stream_connect_gkeyringd',` +@@ -704,12 +795,851 @@ interface(`gnome_stream_connect_gkeyringd',` ## ## # @@ -26818,6 +27024,27 @@ index d03fd43..e334392 100644 + +####################################### +## ++## Delete gkeyringd temporary ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_delete_gkeyringd_tmp_content',` ++ gen_require(` ++ type gkeyringd_tmp_t; ++ ') ++ ++ files_search_tmp($1) ++ delete_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t) ++ delete_files_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t) ++ delete_sock_files_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t) ++') ++ ++####################################### ++## +## Manage gkeyringd temporary directories. +## +## @@ -26832,7 +27059,7 @@ index d03fd43..e334392 100644 + ') + + files_search_tmp($1) -+ manage_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t) ++ manage_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t) +') + +######################################## 
@@ -29413,6 +29640,177 @@ index e207823..4e0f8ba 100644 userdom_dontaudit_use_unpriv_user_fds(howl_t) userdom_dontaudit_search_user_home_dirs(howl_t) +diff --git a/hypervkvp.fc b/hypervkvp.fc +new file mode 100644 +index 0000000..3f82945 +--- /dev/null ++++ b/hypervkvp.fc +@@ -0,0 +1,6 @@ ++/etc/rc\.d/init\.d/hypervkvpd -- gen_context(system_u:object_r:hypervkvp_initrc_exec_t,s0) ++ ++/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvp_exec_t,s0) ++/usr/sbin/hypervkvpd -- gen_context(system_u:object_r:hypervkvp_exec_t,s0) ++ ++/var/lib/hyperv(/.*)? gen_context(system_u:object_r:hypervkvp_var_lib_t,s0) +diff --git a/hypervkvp.if b/hypervkvp.if +new file mode 100644 +index 0000000..17c3627 +--- /dev/null ++++ b/hypervkvp.if +@@ -0,0 +1,111 @@ ++ ++## policy for hypervkvp ++ ++######################################## ++## ++## Execute TEMPLATE in the hypervkvp domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`hypervkvp_domtrans',` ++ gen_require(` ++ type hypervkvp_t, hypervkvp_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, hypervkvp_exec_t, hypervkvp_t) ++') ++ ++######################################## ++## ++## Search hypervkvp lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`hypervkvp_search_lib',` ++ gen_require(` ++ type hypervkvp_var_lib_t; ++ ') ++ ++ allow $1 hypervkvp_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read hypervkvp lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`hypervkvp_read_lib_files',` ++ gen_require(` ++ type hypervkvp_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ allow $1 hypervkvp_var_lib_t:dir list_dir_perms; ++ read_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t) ++') ++ ++######################################## ++## ++## Create, read, write, and delete ++## hypervkvp lib files. 
++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`hypervkvp_manage_lib_files',` ++ gen_require(` ++ type hypervkvp_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an hypervkvp environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`hypervkvp_admin',` ++ gen_require(` ++ type hypervkvp_t; ++ type hypervkvp_unit_file_t; ++ ') ++ ++ allow $1 hypervkvp_t:process signal_perms; ++ ps_process_pattern($1, hypervkvp_t) ++ ++ tunable_policy(`deny_ptrace',`',` ++ allow $1 hypervkvp_t:process ptrace; ++ ') ++ ++ hypervkvp_manage_lib_files($1) ++ ++ hypervkvp_systemctl($1) ++ admin_pattern($1, hypervkvp_unit_file_t) ++ allow $1 hypervkvp_unit_file_t:service all_service_perms; ++') +diff --git a/hypervkvp.te b/hypervkvp.te +new file mode 100644 +index 0000000..63591db +--- /dev/null ++++ b/hypervkvp.te +@@ -0,0 +1,36 @@ ++policy_module(hypervkvp, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type hypervkvp_t; ++type hypervkvp_exec_t; ++init_daemon_domain(hypervkvp_t, hypervkvp_exec_t) ++ ++type hypervkvp_initrc_exec_t; ++init_script_file(hypervkvp_initrc_exec_t) ++ ++type hypervkvp_var_lib_t; ++files_type(hypervkvp_var_lib_t) ++ ++######################################## ++# ++# hypervkvp local policy ++# ++# ++allow hypervkvp_t self:capability net_admin; ++allow hypervkvp_t self:netlink_socket create_socket_perms; ++allow hypervkvp_t self:fifo_file rw_fifo_file_perms; ++allow hypervkvp_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t) ++manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t) ++files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir) ++ ++logging_send_syslog_msg(hypervkvp_t) ++ 
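Review bot: `hypervkvp_admin` requires `type hypervkvp_unit_file_t;` and calls `hypervkvp_systemctl($1)`, but neither exists anywhere in this patch — hypervkvp.te declares only `hypervkvp_t`, `hypervkvp_exec_t`, `hypervkvp_initrc_exec_t` and `hypervkvp_var_lib_t`, hypervkvp.if defines no `hypervkvp_systemctl` interface, and hypervkvp.fc has no unit-file entry — so any module that calls `hypervkvp_admin` will fail to build. Either add the unit-file type the way lsm.te does (`systemd_unit_file(...)`) together with a `hypervkvp_systemctl` interface modelled on `lsmd_systemctl`, or drop `hypervkvp_systemctl($1)`, `admin_pattern($1, hypervkvp_unit_file_t)` and the `all_service_perms` line and keep the initrc-based admin rules only. The interface summaries also still carry unfilled template text (`Execute TEMPLATE in the hypervkvp domin`); `Execute hypervkvpd in the hypervkvp domain.` is what a reader of the generated docs needs.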
++miscfiles_read_localization(hypervkvp_t) ++ ++sysnet_dns_name_resolve(hypervkvp_t) diff --git a/i18n_input.te b/i18n_input.te index 3bed8fa..a738d7f 100644 --- a/i18n_input.te @@ -29554,14 +29952,16 @@ index 05387d1..08a489c 100644 userdom_dontaudit_search_user_home_dirs(imazesrv_t) diff --git a/inetd.if b/inetd.if -index fbb54e7..b347964 100644 +index fbb54e7..05c3777 100644 --- a/inetd.if +++ b/inetd.if -@@ -37,6 +37,10 @@ interface(`inetd_core_service_domain',` +@@ -37,6 +37,12 @@ interface(`inetd_core_service_domain',` domtrans_pattern(inetd_t, $2, $1) allow inetd_t $1:process { siginh sigkill }; + ++ init_domain($1, $2) ++ + optional_policy(` + abrt_stream_connect($1) + ') @@ -29772,7 +30172,7 @@ index ca07a87..6ea129c 100644 + /usr/sbin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0) diff --git a/iodine.if b/iodine.if -index a0bfbd0..6f5dbdf 100644 +index a0bfbd0..47f7c75 100644 --- a/iodine.if +++ b/iodine.if @@ -2,6 +2,30 @@ @@ -29794,7 +30194,7 @@ index a0bfbd0..6f5dbdf 100644 + ') + + systemd_exec_systemctl($1) -+ systemd_read_fifo_file_password_run($1) ++ systemd_read_fifo_file_passwd_run($1) + allow $1 iodined_unit_file_t:file read_file_perms; + allow $1 iodined_unit_file_t:service manage_service_perms; + @@ -31427,7 +31827,7 @@ index a49ae4e..913a0e3 100644 -/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0) +/var/crash(/.*)? gen_context(system_u:object_r:kdump_crash_t,s0) diff --git a/kdump.if b/kdump.if -index 3a00b3a..b835e95 100644 +index 3a00b3a..7cc27b6 100644 --- a/kdump.if +++ b/kdump.if @@ -1,4 +1,4 @@ @@ -31498,7 +31898,7 @@ index 3a00b3a..b835e95 100644 ##
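Review bot: `allow hypervkvp_t self:capability net_admin;` plus `allow hypervkvp_t self:netlink_socket create_socket_perms;` gives the daemon the power to reconfigure interfaces, routes and firewall state, and nothing in the file says which operation needs it. The KVP daemon presumably applies host-supplied IP settings, but that should be written down so the capability is not kept blindly: `# net_admin: required to apply network settings pushed from the Hyper-V host -- confirm against hv_kvp_daemon`. Also check the AVC denials that produced the netlink rule: the generic `netlink_socket` class only covers families without a dedicated class, so if the daemon talks rtnetlink the permission belongs on `netlink_route_socket` and this rule will not silence the denial. With the domain listed as permissive elsewhere in this patch, such gaps will not show up until enforcing mode is turned on.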
## ## -@@ -56,10 +100,66 @@ interface(`kdump_read_config',` +@@ -56,10 +100,67 @@ interface(`kdump_read_config',` allow $1 kdump_etc_t:file read_file_perms; ') @@ -31519,6 +31919,7 @@ index 3a00b3a..b835e95 100644 + + files_search_var($1) + read_files_pattern($1, kdump_crash_t, kdump_crash_t) ++ list_dirs_pattern($1, kdump_crash_t, kdump_crash_t) +') + + @@ -31567,7 +31968,7 @@ index 3a00b3a..b835e95 100644 ## ## ## -@@ -76,10 +176,31 @@ interface(`kdump_manage_config',` +@@ -76,10 +177,31 @@ interface(`kdump_manage_config',` allow $1 kdump_etc_t:file manage_file_perms; ') @@ -31601,7 +32002,7 @@ index 3a00b3a..b835e95 100644 ## ## ## -@@ -88,19 +209,24 @@ interface(`kdump_manage_config',` +@@ -88,19 +210,24 @@ interface(`kdump_manage_config',` ## ## ## @@ -31631,7 +32032,7 @@ index 3a00b3a..b835e95 100644 init_labeled_script_domtrans($1, kdump_initrc_exec_t) domain_system_change_exemption($1) -@@ -110,6 +236,10 @@ interface(`kdump_admin',` +@@ -110,6 +237,10 @@ interface(`kdump_admin',` files_search_etc($1) admin_pattern($1, kdump_etc_t) 
@@ -33625,11 +34026,124 @@ index c1539b5..fd0a17f 100644 + fs_read_cifs_files(ksmtuned_t) + samba_read_share_files(ksmtuned_t) +') +diff --git a/ktalk.fc b/ktalk.fc +index 38ecb07..451067e 100644 +--- a/ktalk.fc ++++ b/ktalk.fc +@@ -1,3 +1,5 @@ ++/usr/lib/systemd/system/ntalk.* -- gen_context(system_u:object_r:ktalkd_unit_file_t,s0) ++ + /usr/bin/ktalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0) + + /usr/sbin/in\.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0) +diff --git a/ktalk.if b/ktalk.if +index 19777b8..63d46d3 100644 +--- a/ktalk.if ++++ b/ktalk.if +@@ -1 +1,81 @@ +-## KDE Talk daemon. ++ ++## talk-server - daemon programs for the Internet talk ++ ++######################################## ++## ++## Execute TEMPLATE in the ktalkd domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ktalk_domtrans',` ++ gen_require(` ++ type ktalkd_t, ktalkd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, ktalkd_exec_t, ktalkd_t) ++') ++######################################## ++## ++## Execute ktalkd server in the ktalkd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`ktalk_systemctl',` ++ gen_require(` ++ type ktalkd_t; ++ type ktalkd_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 ktalkd_unit_file_t:file read_file_perms; ++ allow $1 ktalkd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, ktalkd_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an ktalkd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`ktalk_admin',` ++ gen_require(` ++ type ktalkd_t; ++ type ktalkd_unit_file_t; ++ ') ++ ++ allow $1 ktalkd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, ktalkd_t) ++ ++ ktalk_systemctl($1) ++ admin_pattern($1, ktalkd_unit_file_t) ++ allow $1 ktalkd_unit_file_t:service all_service_perms; ++ ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') diff --git a/ktalk.te b/ktalk.te -index 2cf3815..2c4c979 100644 +index 2cf3815..cb979b0 100644 --- a/ktalk.te +++ b/ktalk.te -@@ -35,16 +35,23 @@ kernel_read_kernel_sysctls(ktalkd_t) +@@ -7,11 +7,15 @@ policy_module(ktalk, 1.8.1) + + type ktalkd_t; + type ktalkd_exec_t; ++init_domain(ktalkd_t, ktalkd_exec_t) + inetd_udp_service_domain(ktalkd_t, ktalkd_exec_t) + + type ktalkd_log_t; + logging_log_file(ktalkd_log_t) + ++type ktalkd_unit_file_t; ++systemd_unit_file(ktalkd_unit_file_t) ++ + type ktalkd_tmp_t; + files_tmp_file(ktalkd_tmp_t) + +@@ -35,16 +39,23 @@ kernel_read_kernel_sysctls(ktalkd_t) kernel_read_system_state(ktalkd_t) kernel_read_network_state(ktalkd_t) @@ -35194,11 +35708,20 @@ index 7bab8e5..b88bbf3 100644 logging_read_all_logs(logrotate_mail_t) +manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t) diff --git a/logwatch.te b/logwatch.te -index 4256a4c..a8dde53 100644 +index 4256a4c..30e3cd2 100644 --- a/logwatch.te +++ b/logwatch.te -@@ -7,7 +7,8 @@ policy_module(logwatch, 1.11.6) +@@ -5,9 +5,17 @@ policy_module(logwatch, 1.11.6) + # Declarations + # ++## ++##
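Review bot: `ktalk_admin` grants `allow $1 ktalkd_t:process { ptrace signal_perms };` unconditionally, whereas `hypervkvp_admin` and `mock_admin` in this same patch gate ptrace behind the boolean; it should read `allow $1 ktalkd_t:process signal_perms;` followed by `tunable_policy(`deny_ptrace',`',` allow $1 ktalkd_t:process ptrace; ')` so that setting deny_ptrace actually removes the access from admin roles. The interface header documents a second `Role allowed access` parameter, but the body only ever uses `$1`; either drop that param block or wire the role in. The summaries `Execute TEMPLATE in the ktalkd domin` are unfilled template text and should name ktalkd.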

++## Allow epylog to send mail ++##

++##
++gen_tunable(logwatch_can_sendmail, false) ++ type logwatch_t; type logwatch_exec_t; -init_system_domain(logwatch_t, logwatch_exec_t) @@ -35207,7 +35730,7 @@ index 4256a4c..a8dde53 100644 type logwatch_cache_t; files_type(logwatch_cache_t) -@@ -37,7 +38,8 @@ allow logwatch_t self:unix_stream_socket { accept listen }; +@@ -37,7 +45,8 @@ allow logwatch_t self:unix_stream_socket { accept listen }; manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t) manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t) @@ -35217,7 +35740,7 @@ index 4256a4c..a8dde53 100644 files_lock_filetrans(logwatch_t, logwatch_lock_t, file) manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t) -@@ -67,10 +69,11 @@ files_list_var(logwatch_t) +@@ -67,10 +76,11 @@ files_list_var(logwatch_t) files_search_all(logwatch_t) files_read_var_symlinks(logwatch_t) files_read_etc_runtime_files(logwatch_t) @@ -35230,7 +35753,7 @@ index 4256a4c..a8dde53 100644 fs_dontaudit_list_auto_mountpoints(logwatch_t) fs_list_inotifyfs(logwatch_t) -@@ -92,13 +95,12 @@ libs_read_lib_files(logwatch_t) +@@ -92,13 +102,12 @@ libs_read_lib_files(logwatch_t) logging_read_all_logs(logwatch_t) logging_send_syslog_msg(logwatch_t) @@ -35245,7 +35768,7 @@ index 4256a4c..a8dde53 100644 mta_sendmail_domtrans(logwatch_t, logwatch_mail_t) mta_getattr_spool(logwatch_t) -@@ -137,6 +139,11 @@ optional_policy(` +@@ -137,6 +146,11 @@ optional_policy(` ') optional_policy(` 
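Review bot: the description attached to the new `gen_tunable(logwatch_can_sendmail, false)` reads `Allow epylog to send mail`, but the boolean is applied to logwatch_t and named after logwatch; the text looks copied from another module and will be shown verbatim by `semanage boolean -l`. Change it to `Allow logwatch to connect to mail ports` (or whatever the gated rules actually grant). Since this is the only place administrators see what the boolean does, the wording should match the rules it enables further down in the file.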
@@ -35257,7 +35780,21 @@ index 4256a4c..a8dde53 100644 rpc_search_nfs_state_data(logwatch_t) ') -@@ -164,6 +171,12 @@ dev_read_sysfs(logwatch_mail_t) +@@ -145,6 +159,13 @@ optional_policy(` + samba_read_share_files(logwatch_t) + ') + ++tunable_policy(`logwatch_can_sendmail',` ++ corenet_tcp_connect_smtp_port(logwatch_t) ++ corenet_sendrecv_smtp_client_packets(logwatch_t) ++ corenet_tcp_connect_pop_port(logwatch_t) ++ corenet_sendrecv_pop_client_packets(logwatch_t) ++') ++ + ######################################## + # + # Mail local policy +@@ -164,6 +185,12 @@ dev_read_sysfs(logwatch_mail_t) logging_read_all_logs(logwatch_mail_t) 
@@ -35611,6 +36148,165 @@ index b9270f7..15f3748 100644 +optional_policy(` + mozilla_plugin_dontaudit_rw_tmp_files(lpr_t) ') +diff --git a/lsm.fc b/lsm.fc +new file mode 100644 +index 0000000..81cd4e0 +--- /dev/null ++++ b/lsm.fc +@@ -0,0 +1,5 @@ ++/usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0) ++ ++/usr/lib/systemd/system/libstoragemgmt.* -- gen_context(system_u:object_r:lsmd_unit_file_t,s0) ++ ++/var/run/lsm(/.*)? gen_context(system_u:object_r:lsmd_var_run_t,s0) +diff --git a/lsm.if b/lsm.if +new file mode 100644 +index 0000000..e8d4ce2 +--- /dev/null ++++ b/lsm.if +@@ -0,0 +1,104 @@ ++ ++## libStorageMgmt plug-in daemon ++ ++######################################## ++## ++## Execute TEMPLATE in the lsmd domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`lsmd_domtrans',` ++ gen_require(` ++ type lsmd_t, lsmd_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, lsmd_exec_t, lsmd_t) ++') ++######################################## ++## ++## Read lsmd PID files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`lsmd_read_pid_files',` ++ gen_require(` ++ type lsmd_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, lsmd_var_run_t, lsmd_var_run_t) ++') ++ ++######################################## ++## ++## Execute lsmd server in the lsmd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`lsmd_systemctl',` ++ gen_require(` ++ type lsmd_t; ++ type lsmd_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_passwd_run($1) ++ allow $1 lsmd_unit_file_t:file read_file_perms; ++ allow $1 lsmd_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, lsmd_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an lsmd environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. 
++## ++## ++## ++# ++interface(`lsmd_admin',` ++ gen_require(` ++ type lsmd_t; ++ type lsmd_var_run_t; ++ type lsmd_unit_file_t; ++ ') ++ ++ allow $1 lsmd_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, lsmd_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, lsmd_var_run_t) ++ ++ lsmd_systemctl($1) ++ admin_pattern($1, lsmd_unit_file_t) ++ allow $1 lsmd_unit_file_t:service all_service_perms; ++ ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/lsm.te b/lsm.te +new file mode 100644 +index 0000000..fc42149 +--- /dev/null ++++ b/lsm.te +@@ -0,0 +1,32 @@ ++policy_module(lsm, 1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type lsmd_t; ++type lsmd_exec_t; ++init_daemon_domain(lsmd_t, lsmd_exec_t) ++ ++type lsmd_var_run_t; ++files_pid_file(lsmd_var_run_t) ++ ++type lsmd_unit_file_t; ++systemd_unit_file(lsmd_unit_file_t) ++ ++######################################## ++# ++# lsmd local policy ++# ++allow lsmd_t self:capability { setgid }; ++allow lsmd_t self:process { fork }; ++allow lsmd_t self:unix_stream_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) ++manage_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) ++manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) ++manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t) ++files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file }) ++ ++logging_send_syslog_msg(lsmd_t) diff --git a/mailman.fc b/mailman.fc index 7fa381b..bbe6b01 100644 --- a/mailman.fc @@ -35940,7 +36636,7 @@ index 108c0f1..a248501 100644 domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t) ') diff --git a/mailman.te b/mailman.te -index 8eaf51b..3229e0f 100644 +index 8eaf51b..a057913 100644 --- a/mailman.te +++ b/mailman.te @@ -4,6 +4,12 @@ policy_module(mailman, 1.9.4) 
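Review bot: `lsmd_admin` grants `allow $1 lsmd_t:process { ptrace signal_perms };` unconditionally, while `hypervkvp_admin` and `mock_admin` in this same patch put ptrace under `tunable_policy(`deny_ptrace',`',` ... ')`; use the same gating here so deny_ptrace is honoured for this domain too. The header documents a `Role allowed access` parameter that the body never uses (`$1` only), so either remove that block or add the role handling. `Execute TEMPLATE in the lsmd domin` is unfilled template text.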
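Review bot: lsmd_t creates socket files under lsmd_var_run_t (`files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })`), yet lsm.if exposes only `lsmd_read_pid_files`; any client domain that talks to the daemon over that socket will need an `lsmd_stream_connect` interface wrapping `stream_connect_pattern($1, lsmd_var_run_t, lsmd_var_run_t, lsmd_t)`, otherwise admins will end up writing local modules or leaving the domain permissive. `{ setgid }` and `{ fork }` are single permissions and read better without braces, matching the hypervkvp rules. If setgid is for dropping group privilege after socket creation, a short comment saying so would justify keeping it without setuid.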
@@ -35985,7 +36681,7 @@ index 8eaf51b..3229e0f 100644 ######################################## # # CGI local policy -@@ -115,8 +112,9 @@ optional_policy(` +@@ -115,20 +112,23 @@ optional_policy(` # Mail local policy # @@ -35997,7 +36693,12 @@ index 8eaf51b..3229e0f 100644 manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t) -@@ -127,8 +125,8 @@ corenet_tcp_connect_innd_port(mailman_mail_t) + files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir }) + ++can_exec(mailman_mail_t, mailman_mail_exec_t) ++ + corenet_sendrecv_innd_client_packets(mailman_mail_t) + corenet_tcp_connect_innd_port(mailman_mail_t) corenet_tcp_sendrecv_innd_port(mailman_mail_t) corenet_sendrecv_spamd_client_packets(mailman_mail_t) @@ -36007,7 +36708,7 @@ index 8eaf51b..3229e0f 100644 dev_read_urand(mailman_mail_t) -@@ -142,6 +140,10 @@ optional_policy(` +@@ -142,6 +142,10 @@ optional_policy(` ') optional_policy(` @@ -36018,7 +36719,7 @@ index 8eaf51b..3229e0f 100644 cron_read_pipes(mailman_mail_t) ') -@@ -182,3 +184,9 @@ optional_policy(` +@@ -182,3 +186,9 @@ optional_policy(` optional_policy(` su_exec(mailman_queue_t) ') @@ -37467,10 +38168,10 @@ index 0000000..8d0e473 +/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0) diff --git a/mock.if b/mock.if new file mode 100644 -index 0000000..895f325 +index 0000000..6568bfe --- /dev/null +++ b/mock.if -@@ -0,0 +1,305 @@ +@@ -0,0 +1,310 @@ +## policy for mock + +######################################## @@ -37717,9 +38418,14 @@ index 0000000..895f325 + + ps_process_pattern($2, mock_t) + allow $2 mock_t:process signal_perms; ++ + tunable_policy(`deny_ptrace',`',` + allow $2 mock_t:process ptrace; + ') ++ ++ optional_policy(` ++ mock_read_lib_files($2) ++ ') +') + +####################################### @@ -39137,7 +39843,7 @@ index 6194b80..3209b1c 100644 ') + 
diff --git a/mozilla.te b/mozilla.te -index 6a306ee..2288b0e 100644 +index 6a306ee..2108bc7 100644 --- a/mozilla.te +++ b/mozilla.te @@ -1,4 +1,4 @@ @@ -39581,7 +40287,7 @@ index 6a306ee..2288b0e 100644 ') optional_policy(` -@@ -300,221 +324,183 @@ optional_policy(` +@@ -300,221 +324,184 @@ optional_policy(` ######################################## # @@ -39849,6 +40555,7 @@ index 6a306ee..2288b0e 100644 +term_getattr_all_ttys(mozilla_plugin_t) +term_getattr_all_ptys(mozilla_plugin_t) +term_getattr_ptmx(mozilla_plugin_t) ++term_dontaudit_use_ptmx(mozilla_plugin_t) +userdom_dontaudit_setattr_user_tmpfs(mozilla_plugin_t) +userdom_rw_user_tmpfs_files(mozilla_plugin_t) @@ -39904,7 +40611,7 @@ index 6a306ee..2288b0e 100644 ') optional_policy(` -@@ -523,36 +509,44 @@ optional_policy(` +@@ -523,36 +510,44 @@ optional_policy(` ') optional_policy(` @@ -39919,13 +40626,6 @@ index 6a306ee..2288b0e 100644 + dbus_session_bus_client(mozilla_plugin_t) + dbus_connect_session_bus(mozilla_plugin_t) + dbus_read_lib_files(mozilla_plugin_t) -+') -+ -+optional_policy(` -+ gnome_manage_config(mozilla_plugin_t) -+ gnome_read_usr_config(mozilla_plugin_t) -+ gnome_filetrans_home_content(mozilla_plugin_t) -+ gnome_exec_gstreamer_home_files(mozilla_plugin_t) ') optional_policy(` @@ -39933,6 +40633,13 @@ index 6a306ee..2288b0e 100644 - gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome") - gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2") - gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2_private") ++ gnome_manage_config(mozilla_plugin_t) ++ gnome_read_usr_config(mozilla_plugin_t) ++ gnome_filetrans_home_content(mozilla_plugin_t) ++ gnome_exec_gstreamer_home_files(mozilla_plugin_t) ++') ++ ++optional_policy(` + gpm_dontaudit_getattr_gpmctl(mozilla_plugin_t) ') @@ -39962,7 +40669,7 @@ index 6a306ee..2288b0e 100644 ') optional_policy(` -@@ -560,7 +554,7 @@ optional_policy(` +@@ -560,7 +555,7 @@ optional_policy(` ') optional_policy(` 
@@ -39971,7 +40678,7 @@ index 6a306ee..2288b0e 100644 ') optional_policy(` -@@ -568,108 +562,126 @@ optional_policy(` +@@ -568,108 +563,128 @@ optional_policy(` ') optional_policy(` @@ -40000,12 +40707,12 @@ index 6a306ee..2288b0e 100644 -allow mozilla_plugin_config_t self:process { setsched signal_perms getsched }; -allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms; -allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms; -+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack }; - +- -allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms; -allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms; -allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms; -- ++allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack }; + -manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t }) -manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) -manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t) @@ -40077,6 +40784,8 @@ index 6a306ee..2288b0e 100644 fs_getattr_all_fs(mozilla_plugin_config_t) -fs_search_auto_mountpoints(mozilla_plugin_config_t) -fs_list_inotifyfs(mozilla_plugin_config_t) ++ ++term_dontaudit_use_ptmx(mozilla_plugin_config_t) auth_use_nsswitch(mozilla_plugin_config_t) @@ -42528,10 +43237,17 @@ index b744fe3..4c1b6a8 100644 init_labeled_script_domtrans($1, munin_initrc_exec_t) domain_system_change_exemption($1) diff --git a/munin.te b/munin.te -index 97370e4..92138ca 100644 +index 97370e4..3549b8f 100644 --- a/munin.te 
+++ b/munin.te -@@ -40,12 +40,15 @@ munin_plugin_template(services) +@@ -37,15 +37,22 @@ munin_plugin_template(disk) + munin_plugin_template(mail) + munin_plugin_template(selinux) + munin_plugin_template(services) ++ ++type services_munin_plugin_tmpfs_t; ++files_tmpfs_file(services_munin_plugin_tmpfs_t) ++ munin_plugin_template(system) munin_plugin_template(unconfined) @@ -42548,7 +43264,7 @@ index 97370e4..92138ca 100644 allow munin_plugin_domain self:fifo_file rw_fifo_file_perms; allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms; -@@ -58,23 +61,17 @@ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms; +@@ -58,23 +65,17 @@ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms; manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t) @@ -42573,7 +43289,7 @@ index 97370e4..92138ca 100644 optional_policy(` nscd_use(munin_plugin_domain) -@@ -114,7 +111,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) +@@ -114,7 +115,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t) @@ -42582,7 +43298,7 @@ index 97370e4..92138ca 100644 manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t) manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t) -@@ -130,7 +127,6 @@ kernel_read_all_sysctls(munin_t) +@@ -130,7 +131,6 @@ kernel_read_all_sysctls(munin_t) corecmd_exec_bin(munin_t) corecmd_exec_shell(munin_t) @@ -42590,7 +43306,7 @@ index 97370e4..92138ca 100644 corenet_all_recvfrom_netlabel(munin_t) corenet_tcp_sendrecv_generic_if(munin_t) corenet_tcp_sendrecv_generic_node(munin_t) -@@ -153,7 +149,6 @@ domain_use_interactive_fds(munin_t) +@@ -153,7 +153,6 @@ domain_use_interactive_fds(munin_t) domain_read_all_domains_state(munin_t) files_read_etc_runtime_files(munin_t) 
@@ -42598,7 +43314,7 @@ index 97370e4..92138ca 100644 files_list_spool(munin_t) fs_getattr_all_fs(munin_t) -@@ -165,7 +160,6 @@ logging_send_syslog_msg(munin_t) +@@ -165,7 +164,6 @@ logging_send_syslog_msg(munin_t) logging_read_all_logs(munin_t) miscfiles_read_fonts(munin_t) @@ -42606,7 +43322,7 @@ index 97370e4..92138ca 100644 miscfiles_setattr_fonts_cache_dirs(munin_t) sysnet_exec_ifconfig(munin_t) -@@ -173,13 +167,6 @@ sysnet_exec_ifconfig(munin_t) +@@ -173,13 +171,6 @@ sysnet_exec_ifconfig(munin_t) userdom_dontaudit_use_unpriv_user_fds(munin_t) userdom_dontaudit_search_user_home_dirs(munin_t) @@ -42620,7 +43336,7 @@ index 97370e4..92138ca 100644 optional_policy(` cron_system_entry(munin_t, munin_exec_t) -@@ -213,7 +200,6 @@ optional_policy(` +@@ -213,7 +204,6 @@ optional_policy(` optional_policy(` postfix_list_spool(munin_t) @@ -42628,7 +43344,7 @@ index 97370e4..92138ca 100644 ') optional_policy(` -@@ -242,21 +228,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms; +@@ -242,21 +232,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms; rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) @@ -42656,7 +43372,7 @@ index 97370e4..92138ca 100644 sysnet_read_config(disk_munin_plugin_t) -@@ -268,6 +256,10 @@ optional_policy(` +@@ -268,6 +260,10 @@ optional_policy(` fstools_exec(disk_munin_plugin_t) ') @@ -42667,7 +43383,7 @@ index 97370e4..92138ca 100644 #################################### # # Mail local policy -@@ -275,27 +267,36 @@ optional_policy(` +@@ -275,27 +271,36 @@ optional_policy(` allow mail_munin_plugin_t self:capability dac_override; 
@@ -42708,7 +43424,17 @@ index 97370e4..92138ca 100644 ') optional_policy(` -@@ -331,7 +332,7 @@ dev_read_rand(services_munin_plugin_t) +@@ -320,6 +325,9 @@ allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms; + allow services_munin_plugin_t self:udp_socket create_socket_perms; + allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms; + ++manage_files_pattern(services_munin_plugin_t, services_munin_plugin_tmpfs_t, services_munin_plugin_tmpfs_t) ++manage_dirs_pattern(services_munin_plugin_t, services_munin_plugin_tmpfs_t, services_munin_plugin_tmpfs_t) ++ + corenet_sendrecv_all_client_packets(services_munin_plugin_t) + corenet_tcp_connect_all_ports(services_munin_plugin_t) + corenet_tcp_connect_http_port(services_munin_plugin_t) +@@ -331,7 +339,7 @@ dev_read_rand(services_munin_plugin_t) sysnet_read_config(services_munin_plugin_t) optional_policy(` @@ -42717,7 +43443,7 @@ index 97370e4..92138ca 100644 ') optional_policy(` -@@ -353,7 +354,11 @@ optional_policy(` +@@ -353,7 +361,11 @@ optional_policy(` ') optional_policy(` @@ -42730,7 +43456,7 @@ index 97370e4..92138ca 100644 ') optional_policy(` -@@ -385,6 +390,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t) +@@ -385,6 +397,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t) kernel_read_network_state(system_munin_plugin_t) kernel_read_all_sysctls(system_munin_plugin_t) @@ -42738,7 +43464,7 @@ index 97370e4..92138ca 100644 dev_read_sysfs(system_munin_plugin_t) dev_read_urand(system_munin_plugin_t) -@@ -413,3 +419,31 @@ optional_policy(` +@@ -413,3 +426,31 @@ optional_policy(` optional_policy(` unconfined_domain(unconfined_munin_plugin_t) ') @@ -42771,7 +43497,7 @@ index 97370e4..92138ca 100644 + apache_search_sys_content(munin_t) +') diff --git a/mysql.fc b/mysql.fc -index c48dc17..f93fa69 100644 +index c48dc17..6355fb4 100644 --- a/mysql.fc +++ b/mysql.fc @@ -1,11 +1,24 @@ 
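Review bot: The new `manage_files_pattern`/`manage_dirs_pattern` rules on `services_munin_plugin_tmpfs_t` in the inner `@@ -320,6 +325,9 @@` hunk give the plugin access to that type, but nothing here makes files the plugin creates on tmpfs receive that label, so unless a `fs_tmpfs_filetrans(services_munin_plugin_t, services_munin_plugin_tmpfs_t, { file dir })` lives outside the hunk, new shared-memory files will be created with the generic tmpfs label and these rules never apply. The type itself is only declared with `files_tmpfs_file` in the earlier munin.te hunk (`@@ -37,15 +37,22 @@`), which likewise carries no filetrans. I would add the filetrans next to the two manage patterns and a one-line comment naming what the services plugin keeps on tmpfs, since the type exists for this single plugin.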
@@ -42807,7 +43533,7 @@ index c48dc17..f93fa69 100644 /usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0) /usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0) -@@ -13,13 +26,15 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) +@@ -13,13 +26,16 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) /usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0) /usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0) @@ -42823,6 +43549,7 @@ index c48dc17..f93fa69 100644 +/var/lib/mysql/mysql\.sock -s gen_context(system_u:object_r:mysqld_var_run_t,s0) -/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0) ++/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0) +/var/log/mysql.* gen_context(system_u:object_r:mysqld_log_t,s0) -/var/run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0) @@ -43362,7 +44089,7 @@ index 687af38..404ed6d 100644 + mysql_stream_connect($1) ') diff --git a/mysql.te b/mysql.te -index 9f6179e..0f6abcb 100644 +index 9f6179e..3c7bbd8 100644 --- a/mysql.te +++ b/mysql.te @@ -1,4 +1,4 @@ @@ -43535,7 +44262,7 @@ index 9f6179e..0f6abcb 100644 seutil_sigchld_newrole(mysqld_t) ') -@@ -153,29 +160,22 @@ optional_policy(` +@@ -153,29 +160,24 @@ optional_policy(` ####################################### # @@ -43561,6 +44288,8 @@ index 9f6179e..0f6abcb 100644 -allow mysqld_safe_t mysqld_log_t:file { append_file_perms create_file_perms setattr_file_perms }; -logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) ++list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) ++manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) +manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t) manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t) 
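Review bot: The added `manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)` in the mysql.te hunk lets the wrapper create, rename and unlink symlinks in the log directory, which is wider than the `manage_files_pattern` the inner patch already granted and far beyond the original append/create/setattr rule that patch replaced. mysqld_safe is a shell wrapper that typically runs with root privileges before dropping to the mysql user, and symlink management on a log directory is precisely the permission that turns a log-path symlink into a write to an arbitrary file; if the need is only to follow an existing symlinked log path, `read_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)` suffices. Either narrow it or add a comment recording the denial that motivated the full manage set.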
@@ -43571,7 +44300,7 @@ index 9f6179e..0f6abcb 100644 kernel_read_system_state(mysqld_safe_t) kernel_read_kernel_sysctls(mysqld_safe_t) -@@ -187,17 +187,21 @@ dev_list_sysfs(mysqld_safe_t) +@@ -187,17 +189,21 @@ dev_list_sysfs(mysqld_safe_t) domain_read_all_domains_state(mysqld_safe_t) @@ -43599,7 +44328,7 @@ index 9f6179e..0f6abcb 100644 optional_policy(` hostname_exec(mysqld_safe_t) -@@ -205,7 +209,7 @@ optional_policy(` +@@ -205,7 +211,7 @@ optional_policy(` ######################################## # @@ -43608,7 +44337,7 @@ index 9f6179e..0f6abcb 100644 # allow mysqlmanagerd_t self:capability { dac_override kill }; -@@ -214,11 +218,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; +@@ -214,11 +220,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms; allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms; allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms; @@ -43626,7 +44355,7 @@ index 9f6179e..0f6abcb 100644 domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t) -@@ -226,31 +231,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) +@@ -226,31 +233,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t) filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file }) @@ -45205,7 +45934,7 @@ index 0e8508c..0b68b86 100644 + logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log") ') diff --git a/networkmanager.te b/networkmanager.te -index 0b48a30..2de59df 100644 +index 0b48a30..2b6c69a 100644 --- a/networkmanager.te +++ b/networkmanager.te @@ -1,4 +1,4 @@ 
@@ -45245,7 +45974,7 @@ index 0b48a30..2de59df 100644 -allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms }; +# networkmanager will ptrace itself if gdb is installed +# and it receives a unexpected signal (rh bug #204161) -+allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock }; ++allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock }; +dontaudit NetworkManager_t self:capability sys_tty_config; +ifdef(`hide_broken_symptoms',` + # caused by some bogus kernel code @@ -46227,10 +46956,10 @@ index 0000000..02dc6dc +/var/run/nova(/.*)? gen_context(system_u:object_r:nova_var_run_t,s0) diff --git a/nova.if b/nova.if new file mode 100644 -index 0000000..cf8f660 +index 0000000..28936b4 --- /dev/null +++ b/nova.if -@@ -0,0 +1,55 @@ +@@ -0,0 +1,57 @@ +## openstack-nova + +###################################### @@ -46285,13 +47014,15 @@ index 0000000..cf8f660 + + kernel_read_system_state(nova_$1_t) + ++ logging_send_syslog_msg(nova_$1_t) ++ +') diff --git a/nova.te b/nova.te new file mode 100644 -index 0000000..fc9f771 +index 0000000..d5b54e5 --- /dev/null +++ b/nova.te -@@ -0,0 +1,328 @@ +@@ -0,0 +1,320 @@ +policy_module(nova, 1.0.0) + +######################################## @@ -46305,6 +47036,7 @@ index 0000000..fc9f771 +# + +attribute nova_domain; ++attribute nova_sudo_domain; + +nova_domain_template(ajax) +nova_domain_template(api) @@ -46318,6 +47050,12 @@ index 0000000..fc9f771 +nova_domain_template(vncproxy) +nova_domain_template(volume) + ++typeattribute nova_api_t nova_sudo_domain; ++typeattribute nova_cert_t nova_sudo_domain; ++typeattribute nova_console_t nova_sudo_domain; ++typeattribute nova_network_t nova_sudo_domain; ++typeattribute nova_volume_t nova_sudo_domain; ++ +type nova_log_t; +logging_log_file(nova_log_t) + 
@@ -46349,6 +47087,8 @@ index 0000000..fc9f771 +corenet_tcp_connect_amqp_port(nova_domain) +corenet_tcp_connect_mysqld_port(nova_domain) + ++kernel_read_network_state(nova_domain) ++ +corecmd_exec_bin(nova_domain) +corecmd_exec_shell(nova_domain) +corenet_tcp_connect_mysqld_port(nova_domain) @@ -46362,6 +47102,7 @@ index 0000000..fc9f771 + +optional_policy(` + sysnet_read_config(nova_domain) ++ sysnet_exec_ifconfig(nova_domain) +') + +###################################### @@ -46369,9 +47110,9 @@ index 0000000..fc9f771 +# nova ajax local policy +# + -+optional_policy(` -+ unconfined_domain(nova_ajax_t) -+') ++#optional_policy(` ++# unconfined_domain(nova_ajax_t) ++#') + +####################################### +# @@ -46400,15 +47141,6 @@ index 0000000..fc9f771 + +miscfiles_read_certs(nova_api_t) + -+ifdef(`hide_broken_symptoms',` -+ optional_policy(` -+ sudo_exec(nova_api_t) -+ allow nova_api_t self:capability { setuid sys_resource setgid }; -+ allow nova_api_t self:process { setsched setrlimit }; -+ logging_send_audit_msgs(nova_api_t) -+ ') -+') -+ +optional_policy(` + iptables_domtrans(nova_api_t) +') @@ -46417,9 +47149,9 @@ index 0000000..fc9f771 + ssh_exec_keygen(nova_api_t) +') + -+optional_policy(` -+ unconfined_domain(nova_api_t) -+') ++#optional_policy(` ++# unconfined_domain(nova_api_t) ++#') + +###################################### +# @@ -46478,9 +47210,9 @@ index 0000000..fc9f771 +# nova direct local policy +# + -+optional_policy(` -+ unconfined_domain(nova_direct_t) -+') ++#optional_policy(` ++# unconfined_domain(nova_direct_t) ++#') + +####################################### +# 
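Review bot: `sysnet_exec_ifconfig(nova_domain)` in `@@ -46362,6 +47102,7 @@` is attached to the whole attribute, so every nova service (api, cert, console, scheduler, vncproxy and the rest) may run ifconfig inside its own domain, while only `nova_network_t` gets `sysnet_domtrans_ifconfig` later in the file; limit the exec-without-transition grant to the domains that actually need it, and drop it for `nova_network_t` where the domain transition already covers the call. It is also nested inside the `optional_policy` block that guards `sysnet_read_config`, which reads as accidental; both interfaces come from the same module so it is harmless, but it belongs in its own block. Separately, in `@@ -46369,9 +47110,9 @@` and the matching hunks for api, direct, network, scheduler, vncproxy and volume, the `unconfined_domain()` calls are commented out rather than deleted; commented-out policy tends to get re-enabled by copy-paste, so remove the blocks outright.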
@@ -46520,15 +47252,6 @@ index 0000000..fc9f771 + +logging_send_syslog_msg(nova_network_t) + -+ifdef(`hide_broken_symptoms',` -+ optional_policy(` -+ sudo_exec(nova_network_t) -+ allow nova_network_t self:capability { setuid sys_resource setgid }; -+ allow nova_network_t self:process { setsched setrlimit }; -+ logging_send_audit_msgs(nova_network_t) -+ ') -+') -+ +optional_policy(` + brctl_domtrans(nova_network_t) +') @@ -46539,16 +47262,16 @@ index 0000000..fc9f771 +') + +optional_policy(` -+ iptables_domtrans(nova_network_t) ++ iptables_domtrans(nova_network_t) +') + +optional_policy(` + sysnet_domtrans_ifconfig(nova_network_t) +') + -+optional_policy(` -+ unconfined_domain(nova_network_t) -+') ++#optional_policy(` ++# unconfined_domain(nova_network_t) ++#') + +####################################### +# @@ -46572,18 +47295,18 @@ index 0000000..fc9f771 +allow nova_scheduler_t self:netlink_route_socket r_netlink_socket_perms; +allow nova_scheduler_t self:udp_socket create_socket_perms; + -+optional_policy(` -+ unconfined_domain(nova_scheduler_t) -+') ++#optional_policy(` ++# unconfined_domain(nova_scheduler_t) ++#') + +####################################### +# +# nova vncproxy local policy +# + -+optional_policy(` -+ unconfined_domain(nova_vncproxy_t) -+') ++#optional_policy(` ++# unconfined_domain(nova_vncproxy_t) ++#') + +####################################### +# 
@@ -46602,22 +47325,22 @@ index 0000000..fc9f771 + lvm_domtrans(nova_volume_t) +') + -+ifdef(`hide_broken_symptoms',` -+ require { -+ type sudo_exec_t; -+ } -+ -+ allow nova_volume_t sudo_exec_t:file { read execute open execute_no_trans }; -+ -+ allow nova_volume_t self:capability { setuid sys_resource setgid audit_write }; -+ allow nova_volume_t self:process { setsched setrlimit }; -+ -+ logging_send_audit_msgs(nova_volume_t) ++#optional_policy(` ++# unconfined_domain(nova_volume_t) ++#') + -+') ++####################################### ++# ++# nova sudo domain local policy ++# + -+optional_policy(` -+ unconfined_domain(nova_volume_t) ++ifdef(`hide_broken_symptoms',` ++ optional_policy(` ++ sudo_exec(nova_sudo_domain) ++ allow nova_sudo_domain self:capability { setuid sys_resource setgid audit_write }; ++ allow nova_sudo_domain self:process { setsched setrlimit }; ++ logging_send_audit_msgs(nova_sudo_domain) ++ ') +') + diff --git a/nscd.fc b/nscd.fc @@ -49863,10 +50586,17 @@ index 296a1d3..edc3e32 100644 +userdom_stream_connect(oddjob_mkhomedir_t) + diff --git a/openct.te b/openct.te -index 8467596..66f068f 100644 +index 8467596..428ae48 100644 --- a/openct.te +++ b/openct.te -@@ -28,12 +28,12 @@ manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) +@@ -22,18 +22,19 @@ files_pid_file(openct_var_run_t) + + dontaudit openct_t self:capability sys_tty_config; + allow openct_t self:process signal_perms; ++allow openct_t self:netlink_kobject_uevent_socket create_socket_perms; + + manage_dirs_pattern(openct_t, openct_var_run_t, openct_var_run_t) + manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t) files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file }) 
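Review bot: The consolidated `nova_sudo_domain` block grants `sudo_exec`, `{ setuid sys_resource setgid audit_write }` and `{ setsched setrlimit }` to every type carrying the attribute, and the `typeattribute` lines in the earlier hunk (`@@ -46318,6 +47050,12 @@`) include `nova_cert_t` and `nova_console_t`, for which the removed per-domain blocks (api and network in `@@ -46400,15 +47141,6 @@` and `@@ -46520,15 +47252,6 @@`, volume in this hunk) show no prior grant; the api and network blocks also lacked `audit_write`, so those two gain it as well. That silently widens two domains to setuid/setgid plus sudo execution; if cert and console do not invoke sudo, drop them from the attribute, otherwise record the denial in a comment above the block. Keeping the grant under `ifdef(\`hide_broken_symptoms'` also means it vanishes in a build without that flag, so if nova genuinely needs sudo the rules should live in a plain `optional_policy` with a comment explaining why rather than under the broken-symptoms guard.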
@@ -49881,7 +50611,7 @@ index 8467596..66f068f 100644 dev_read_sysfs(openct_t) dev_rw_usbfs(openct_t) dev_rw_smartcard(openct_t) -@@ -41,15 +41,12 @@ dev_rw_generic_usb_dev(openct_t) +@@ -41,15 +42,12 @@ dev_rw_generic_usb_dev(openct_t) domain_use_interactive_fds(openct_t) @@ -50090,10 +50820,10 @@ index 0000000..598789a + diff --git a/openhpid.te b/openhpid.te new file mode 100644 -index 0000000..be2a88d +index 0000000..51acfae --- /dev/null +++ b/openhpid.te -@@ -0,0 +1,50 @@ +@@ -0,0 +1,47 @@ +policy_module(openhpid, 1.0.0) + +######################################## @@ -50120,7 +50850,7 @@ index 0000000..be2a88d +# + +allow openhpid_t self:capability { kill }; -+allow openhpid_t self:process { fork signal }; ++allow openhpid_t self:process signal_perms; + +allow openhpid_t self:fifo_file rw_fifo_file_perms; +allow openhpid_t self:netlink_route_socket r_netlink_socket_perms; @@ -50138,11 +50868,8 @@ index 0000000..be2a88d +corenet_tcp_bind_generic_node(openhpid_t) +corenet_tcp_bind_openhpid_port(openhpid_t) + -+domain_use_interactive_fds(openhpid_t) -+ +dev_read_urand(openhpid_t) + -+ +logging_send_syslog_msg(openhpid_t) diff --git a/openshift-origin.fc b/openshift-origin.fc new file mode 100644 @@ -50917,7 +51644,7 @@ index 0000000..fdc4a03 +') diff --git a/openshift.te b/openshift.te new file mode 100644 -index 0000000..c1eed44 +index 0000000..9724884 --- /dev/null +++ b/openshift.te @@ -0,0 +1,549 @@ @@ -51019,7 +51746,7 @@ index 0000000..c1eed44 +unconfined_domain_noaudit(openshift_initrc_t) +mcs_process_set_categories(openshift_initrc_t) + -+virt_lxc_domain(openshift_initrc_t) ++virt_sandbox_domain(openshift_initrc_t) + +systemd_dbus_chat_logind(openshift_initrc_t) + @@ -51534,7 +52261,7 @@ index 6837e9a..21e6dae 100644 domain_system_change_exemption($1) role_transition $2 openvpn_initrc_exec_t system_r; diff --git a/openvpn.te b/openvpn.te -index 3270ff9..8a6fbc2 100644 +index 3270ff9..60a7af6 100644 --- a/openvpn.te +++ b/openvpn.te 
@@ -6,6 +6,13 @@ policy_module(openvpn, 1.11.3) @@ -51551,7 +52278,22 @@ index 3270ff9..8a6fbc2 100644 ##

## Determine whether openvpn can ## read generic user home content files. -@@ -26,12 +33,18 @@ files_config_file(openvpn_etc_t) +@@ -13,6 +20,14 @@ policy_module(openvpn, 1.11.3) + ## + gen_tunable(openvpn_enable_homedirs, false) + ++## ++##

++## Determine whether openvpn can
++## connect to the TCP network.
++##

++## ++gen_tunable(openvpn_can_network_connect, false) ++ + attribute_role openvpn_roles; + + type openvpn_t; +@@ -26,12 +41,18 @@ files_config_file(openvpn_etc_t) type openvpn_etc_rw_t; files_config_file(openvpn_etc_rw_t) @@ -51570,7 +52312,7 @@ index 3270ff9..8a6fbc2 100644 type openvpn_var_log_t; logging_log_file(openvpn_var_log_t) -@@ -43,7 +56,7 @@ files_pid_file(openvpn_var_run_t) +@@ -43,7 +64,7 @@ files_pid_file(openvpn_var_run_t) # Local policy # @@ -51579,7 +52321,7 @@ index 3270ff9..8a6fbc2 100644 allow openvpn_t self:process { signal getsched setsched }; allow openvpn_t self:fifo_file rw_fifo_file_perms; allow openvpn_t self:unix_dgram_socket sendto; -@@ -62,6 +75,12 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) +@@ -62,6 +83,12 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) allow openvpn_t openvpn_status_t:file manage_file_perms; logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log") @@ -51592,7 +52334,7 @@ index 3270ff9..8a6fbc2 100644 manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) append_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) -@@ -83,7 +102,6 @@ kernel_request_load_module(openvpn_t) +@@ -83,7 +110,6 @@ kernel_request_load_module(openvpn_t) corecmd_exec_bin(openvpn_t) corecmd_exec_shell(openvpn_t) @@ -51600,8 +52342,11 @@ index 3270ff9..8a6fbc2 100644 corenet_all_recvfrom_netlabel(openvpn_t) corenet_tcp_sendrecv_generic_if(openvpn_t) corenet_udp_sendrecv_generic_if(openvpn_t) -@@ -105,11 +123,12 @@ corenet_tcp_bind_http_port(openvpn_t) +@@ -103,13 +129,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t) + corenet_sendrecv_http_server_packets(openvpn_t) + corenet_tcp_bind_http_port(openvpn_t) corenet_sendrecv_http_client_packets(openvpn_t) ++corenet_tcp_connect_squid_port(openvpn_t) corenet_tcp_connect_http_port(openvpn_t) corenet_tcp_sendrecv_http_port(openvpn_t) - 
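Review bot: The description of the new `openvpn_can_network_connect` boolean says "connect to the TCP network", but the rule it enables (in the `@@ -143,6 +177,10 @@` hunk on the next line) is `corenet_tcp_connect_all_ports`, so the text administrators see for the boolean should state that it permits connecting to any TCP port, e.g. `## Determine whether openvpn can connect to any TCP port.`; the `false` default is right. In the same file, `corenet_tcp_connect_squid_port(openvpn_t)` is added unconditionally in `@@ -103,13 +129,15 @@`; now that a tunable exists for outbound TCP connections, that proxy-port grant would fit under it, unless a default configuration really needs the squid port, in which case a comment above the line saying so would help the next reviewer.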
@@ -51614,7 +52359,7 @@ index 3270ff9..8a6fbc2 100644 corenet_rw_tun_tap_dev(openvpn_t) dev_read_rand(openvpn_t) -@@ -121,18 +140,24 @@ fs_search_auto_mountpoints(openvpn_t) +@@ -121,18 +149,24 @@ fs_search_auto_mountpoints(openvpn_t) auth_use_pam(openvpn_t) @@ -51642,7 +52387,18 @@ index 3270ff9..8a6fbc2 100644 ') tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',` -@@ -155,3 +180,27 @@ optional_policy(` +@@ -143,6 +177,10 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',` + fs_read_cifs_files(openvpn_t) + ') + ++tunable_policy(`openvpn_can_network_connect',` ++ corenet_tcp_connect_all_ports(openvpn_t) ++') ++ + optional_policy(` + daemontools_service_domain(openvpn_t, openvpn_exec_t) + ') +@@ -155,3 +193,27 @@ optional_policy(` networkmanager_dbus_chat(openvpn_t) ') ') @@ -51971,7 +52727,7 @@ index 9b15730..eedd136 100644 + ') ') diff --git a/openvswitch.te b/openvswitch.te -index 508fedf..f025b03 100644 +index 508fedf..a499612 100644 --- a/openvswitch.te +++ b/openvswitch.te @@ -1,4 +1,4 @@ @@ -51994,7 +52750,13 @@ index 508fedf..f025b03 100644 type openvswitch_var_lib_t; files_type(openvswitch_var_lib_t) -@@ -24,20 +21,27 @@ logging_log_file(openvswitch_log_t) +@@ -21,23 +18,33 @@ files_type(openvswitch_var_lib_t) + type openvswitch_log_t; + logging_log_file(openvswitch_log_t) + ++type openvswitch_tmp_t; ++files_tmp_file(openvswitch_tmp_t) ++ type openvswitch_var_run_t; files_pid_file(openvswitch_var_run_t) 
@@ -52018,19 +52780,19 @@ index 508fedf..f025b03 100644 +allow openvswitch_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow openvswitch_t self:netlink_socket create_socket_perms; +allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms; -+ -+can_exec(openvswitch_t, openvswitch_exec_t) -manage_dirs_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t) -manage_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t) -manage_lnk_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t) ++can_exec(openvswitch_t, openvswitch_exec_t) ++ +manage_dirs_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t) +manage_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t) +manage_lnk_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t) manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t) manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t) -@@ -45,9 +49,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l +@@ -45,45 +52,53 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file }) manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) 
@@ -52041,7 +52803,14 @@ index 508fedf..f025b03 100644 manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t) logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file }) -@@ -57,33 +59,38 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_ ++manage_dirs_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t) ++manage_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t) ++manage_lnk_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t) ++files_tmp_filetrans(openvswitch_t, openvswitch_tmp_t, { file dir }) ++ + manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) + manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) + manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t) files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file }) @@ -53116,7 +53885,7 @@ index d2fc677..ded726f 100644 ') + diff --git a/pegasus.te b/pegasus.te -index 7bcf327..ca01f2f 100644 +index 7bcf327..c850b64 100644 --- a/pegasus.te +++ b/pegasus.te @@ -1,17 +1,16 @@ @@ -53140,7 +53909,7 @@ index 7bcf327..ca01f2f 100644 type pegasus_cache_t; files_type(pegasus_cache_t) -@@ -30,20 +29,237 @@ files_type(pegasus_mof_t) +@@ -30,20 +29,238 @@ files_type(pegasus_mof_t) type pegasus_var_run_t; files_pid_file(pegasus_var_run_t) 
@@ -53173,8 +53942,8 @@ index 7bcf327..ca01f2f 100644 +allow pegasus_openlmi_domain self:fifo_file rw_fifo_file_perms; +allow pegasus_openlmi_domain self:udp_socket create_socket_perms; + -+list_dirs_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t) -+rw_files_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t) ++manage_files_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t) ++manage_dirs_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t) + +corecmd_exec_bin(pegasus_openlmi_domain) +corecmd_exec_shell(pegasus_openlmi_domain) @@ -53309,6 +54078,7 @@ index 7bcf327..ca01f2f 100644 +# pegasus openlmi storage local policy +# + ++allow pegasus_openlmi_storage_t self:capability sys_admin; + +manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, pegasus_openlmi_storage_lib_t) +manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, pegasus_openlmi_storage_lib_t) @@ -53383,7 +54153,7 @@ index 7bcf327..ca01f2f 100644 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms; manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t) -@@ -54,22 +270,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) +@@ -54,22 +271,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file }) manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t) @@ -53414,7 +54184,7 @@ index 7bcf327..ca01f2f 100644 kernel_read_network_state(pegasus_t) kernel_read_kernel_sysctls(pegasus_t) -@@ -80,27 +296,21 @@ kernel_read_net_sysctls(pegasus_t) +@@ -80,27 +297,21 @@ kernel_read_net_sysctls(pegasus_t) kernel_read_xen_state(pegasus_t) kernel_write_xen_state(pegasus_t) 
@@ -53447,7 +54217,7 @@ index 7bcf327..ca01f2f 100644 corecmd_exec_bin(pegasus_t) corecmd_exec_shell(pegasus_t) -@@ -114,6 +324,7 @@ files_getattr_all_dirs(pegasus_t) +@@ -114,6 +325,7 @@ files_getattr_all_dirs(pegasus_t) auth_use_nsswitch(pegasus_t) auth_domtrans_chk_passwd(pegasus_t) @@ -53455,7 +54225,7 @@ index 7bcf327..ca01f2f 100644 domain_use_interactive_fds(pegasus_t) domain_read_all_domains_state(pegasus_t) -@@ -128,18 +339,25 @@ init_stream_connect_script(pegasus_t) +@@ -128,18 +340,25 @@ init_stream_connect_script(pegasus_t) logging_send_audit_msgs(pegasus_t) logging_send_syslog_msg(pegasus_t) @@ -53487,7 +54257,7 @@ index 7bcf327..ca01f2f 100644 ') optional_policy(` -@@ -151,16 +369,24 @@ optional_policy(` +@@ -151,16 +370,24 @@ optional_policy(` ') optional_policy(` @@ -53516,7 +54286,7 @@ index 7bcf327..ca01f2f 100644 ') optional_policy(` -@@ -168,7 +394,7 @@ optional_policy(` +@@ -168,7 +395,7 @@ optional_policy(` ') optional_policy(` @@ -54387,17 +55157,19 @@ index 977b972..0000000 -miscfiles_read_localization(pkcs_slotd_t) diff --git a/pkcsslotd.fc b/pkcsslotd.fc new file mode 100644 -index 0000000..38fa01d +index 0000000..29d7c1c --- /dev/null +++ b/pkcsslotd.fc -@@ -0,0 +1,7 @@ -+/usr/lib/systemd/system/pkcsslotd.service -- gen_context(system_u:object_r:pkcsslotd_unit_file_t,s0) +@@ -0,0 +1,9 @@ ++/usr/lib/systemd/system/pkcsslotd.* -- gen_context(system_u:object_r:pkcsslotd_unit_file_t,s0) + +/usr/sbin/pkcsslotd -- gen_context(system_u:object_r:pkcsslotd_exec_t,s0) + +/var/lib/opencryptoki(/.*)? gen_context(system_u:object_r:pkcsslotd_var_lib_t,s0) + +/var/lock/opencryptoki(/.*)? gen_context(system_u:object_r:pkcsslotd_lock_t,s0) ++ ++/var/run/pkcsslotd.* -- gen_context(system_u:object_r:pkcsslotd_var_run_t,s0) diff --git a/pkcsslotd.if b/pkcsslotd.if new file mode 100644 index 0000000..848ddc9 @@ -54561,10 +55333,10 @@ index 0000000..848ddc9 +') 
diff --git a/pkcsslotd.te b/pkcsslotd.te new file mode 100644 -index 0000000..f788d35 +index 0000000..2ce92e0 --- /dev/null +++ b/pkcsslotd.te -@@ -0,0 +1,66 @@ +@@ -0,0 +1,67 @@ +policy_module(pkcsslotd, 1.0.0) + +######################################## @@ -54599,7 +55371,7 @@ index 0000000..f788d35 +# pkcsslotd local policy +# + -+allow pkcsslotd_t self:capability { chown kill }; ++allow pkcsslotd_t self:capability { fsetid chown kill }; + +allow pkcsslotd_t self:fifo_file rw_fifo_file_perms; +allow pkcsslotd_t self:sem create_sem_perms; @@ -54624,7 +55396,8 @@ index 0000000..f788d35 + +manage_files_pattern(pkcsslotd_t, pkcsslotd_var_run_t, pkcsslotd_var_run_t) +manage_dirs_pattern(pkcsslotd_t, pkcsslotd_var_run_t,pkcsslotd_var_run_t) -+files_pid_filetrans(pkcsslotd_t, pkcsslotd_var_run_t, { file dir }) ++manage_sock_files_pattern(pkcsslotd_t, pkcsslotd_var_run_t,pkcsslotd_var_run_t) ++files_pid_filetrans(pkcsslotd_t, pkcsslotd_var_run_t, { sock_file file dir }) + +domain_use_interactive_fds(pkcsslotd_t) + @@ -56642,7 +57415,7 @@ index ae27bb7..d00f6ba 100644 + allow $1 polipo_unit_file_t:service all_service_perms; ') diff --git a/polipo.te b/polipo.te -index 316d53a..79b5c4f 100644 +index 316d53a..388d659 100644 --- a/polipo.te +++ b/polipo.te @@ -1,4 +1,4 @@ @@ -56756,10 +57529,14 @@ index 316d53a..79b5c4f 100644 -userdom_user_home_dir_filetrans(polipo_session_t, polipo_cache_home_t, dir, ".polipo-cache") - -auth_use_nsswitch(polipo_session_t) +- +-userdom_use_user_terminals(polipo_session_t) +allow polipo_daemon self:fifo_file rw_fifo_file_perms; +allow polipo_daemon self:tcp_socket { listen accept }; --userdom_use_user_terminals(polipo_session_t) +-tunable_policy(`polipo_session_send_syslog_msg',` +- logging_send_syslog_msg(polipo_session_t) +-') +corenet_tcp_bind_generic_node(polipo_daemon) +corenet_tcp_sendrecv_generic_if(polipo_daemon) +corenet_tcp_sendrecv_generic_node(polipo_daemon) 
@@ -56767,10 +57544,7 @@ index 316d53a..79b5c4f 100644 +corenet_tcp_bind_http_cache_port(polipo_daemon) +corenet_sendrecv_http_cache_server_packets(polipo_daemon) +corenet_tcp_connect_http_port(polipo_daemon) - --tunable_policy(`polipo_session_send_syslog_msg',` -- logging_send_syslog_msg(polipo_session_t) --') ++corenet_tcp_connect_tor_port(polipo_daemon) -tunable_policy(`use_nfs_home_dirs',` - fs_read_nfs_files(polipo_session_t) @@ -56882,6 +57656,18 @@ index 316d53a..79b5c4f 100644 -miscfiles_read_localization(polipo_daemon) +userdom_home_manager(polipo_session_t) +diff --git a/portage.if b/portage.if +index 67e8c12..18b89d7 100644 +--- a/portage.if ++++ b/portage.if +@@ -67,6 +67,7 @@ interface(`portage_compile_domain',` + class dbus send_msg; + type portage_devpts_t, portage_log_t, portage_srcrepo_t, portage_tmp_t; + type portage_tmpfs_t; ++ type portage_sandbox_t; + ') + + allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw }; diff --git a/portage.te b/portage.te index a95fc4a..b9b5418 100644 --- a/portage.te @@ -60114,7 +60900,7 @@ index 20d4697..e6605c1 100644 + files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache") +') diff --git a/prelink.te b/prelink.te -index c0f047a..6f22887 100644 +index c0f047a..e04bdd6 100644 --- a/prelink.te +++ b/prelink.te @@ -1,4 +1,4 @@ @@ -60287,7 +61073,7 @@ index c0f047a..6f22887 100644 kernel_read_system_state(prelink_cron_system_t) -@@ -184,8 +168,11 @@ optional_policy(` +@@ -184,23 +168,36 @@ optional_policy(` dev_list_sysfs(prelink_cron_system_t) dev_read_sysfs(prelink_cron_system_t) @@ -60300,7 +61086,11 @@ index c0f047a..6f22887 100644 auth_use_nsswitch(prelink_cron_system_t) -@@ -196,11 +183,20 @@ optional_policy(` + init_telinit(prelink_cron_system_t) + init_exec(prelink_cron_system_t) ++ init_reload_services(prelink_cron_system_t) + + libs_exec_ld_so(prelink_cron_system_t) logging_search_logs(prelink_cron_system_t) 
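Review bot: `type portage_sandbox_t;` is added to the gen_require of `portage_compile_domain`, but no rule in the hunk references it; the rest of the interface body is outside the hunk, so if nothing there uses the type the require is dead and only makes the interface fail to expand wherever portage_sandbox_t is not declared. If a rule further down does need it, keeping it is fine, though folding it into the adjacent `type portage_tmpfs_t;` require would match how the surrounding lines group types.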
@@ -61006,7 +61796,7 @@ index 0000000..96a0d9f +/var/run/prosody(/.*)? gen_context(system_u:object_r:prosody_var_run_t,s0) diff --git a/prosody.if b/prosody.if new file mode 100644 -index 0000000..8867237 +index 0000000..f1e1209 --- /dev/null +++ b/prosody.if @@ -0,0 +1,239 @@ @@ -61144,7 +61934,7 @@ index 0000000..8867237 + ') + + systemd_exec_systemctl($1) -+ systemd_read_fifo_file_password_run($1) ++ systemd_read_fifo_file_passwd_run($1) + allow $1 prosody_unit_file_t:file read_file_perms; + allow $1 prosody_unit_file_t:service manage_service_perms; + @@ -61331,7 +62121,7 @@ index 0000000..4f6badd + +miscfiles_read_localization(prosody_t) diff --git a/psad.if b/psad.if -index d4dcf78..59ab964 100644 +index d4dcf78..3cce82e 100644 --- a/psad.if +++ b/psad.if @@ -93,9 +93,8 @@ interface(`psad_manage_config',` @@ -61401,7 +62191,7 @@ index d4dcf78..59ab964 100644 ## Read and write psad fifo files. ##
## -@@ -198,6 +236,26 @@ interface(`psad_rw_fifo_file',` +@@ -198,6 +236,45 @@ interface(`psad_rw_fifo_file',` ####################################### ## @@ -61425,10 +62215,29 @@ index d4dcf78..59ab964 100644 + +####################################### +## ++## Allow search to psad lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`psad_search_lib_files',` ++ gen_require(` ++ type psad_t, psad_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t) ++') ++ ++####################################### ++## ## Read and write psad temporary files. ## ## -@@ -235,30 +293,34 @@ interface(`psad_rw_tmp_files',` +@@ -235,30 +312,34 @@ interface(`psad_rw_tmp_files',` interface(`psad_admin',` gen_require(` type psad_t, psad_var_run_t, psad_var_log_t; @@ -66060,7 +66869,7 @@ index 2c3d338..cf3e5ad 100644 ######################################## diff --git a/rabbitmq.te b/rabbitmq.te -index 3698b51..7054723 100644 +index 3698b51..8c4ba04 100644 --- a/rabbitmq.te +++ b/rabbitmq.te @@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t) @@ -66118,7 +66927,7 @@ index 3698b51..7054723 100644 corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t) corenet_tcp_bind_amqp_port(rabbitmq_beam_t) -@@ -68,20 +80,42 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t) +@@ -68,20 +80,44 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t) corenet_tcp_connect_epmd_port(rabbitmq_beam_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t) @@ -66139,6 +66948,8 @@ index 3698b51..7054723 100644 +fs_getattr_all_dirs(rabbitmq_beam_t) +fs_getattr_cgroup(rabbitmq_beam_t) + ++corenet_tcp_connect_couchdb_port(rabbitmq_beam_t) ++ +dev_read_sysfs(rabbitmq_beam_t) +dev_read_urand(rabbitmq_beam_t) 
@@ -66165,7 +66976,7 @@ index 3698b51..7054723 100644 allow rabbitmq_epmd_t self:process signal; allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms; allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms; -@@ -99,8 +133,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) +@@ -99,8 +135,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t) corenet_tcp_bind_epmd_port(rabbitmq_epmd_t) corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t) @@ -66554,7 +67365,7 @@ index 951db7f..7736755 100644 + allow $1 mdadm_exec_t:file { getattr_file_perms execute }; ') diff --git a/raid.te b/raid.te -index 2c1730b..1e9ad6b 100644 +index 2c1730b..0bf7d02 100644 --- a/raid.te +++ b/raid.te @@ -15,6 +15,12 @@ role mdadm_roles types mdadm_t; @@ -66635,7 +67446,7 @@ index 2c1730b..1e9ad6b 100644 mls_file_read_all_levels(mdadm_t) mls_file_write_all_levels(mdadm_t) -@@ -70,15 +91,19 @@ storage_dev_filetrans_fixed_disk(mdadm_t) +@@ -70,15 +91,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t) storage_manage_fixed_disk(mdadm_t) storage_read_scsi_generic(mdadm_t) storage_write_scsi_generic(mdadm_t) @@ -66653,10 +67464,11 @@ index 2c1730b..1e9ad6b 100644 -miscfiles_read_localization(mdadm_t) +systemd_exec_systemctl(mdadm_t) ++systemd_start_systemd_services(mdadm_t) userdom_dontaudit_use_unpriv_user_fds(mdadm_t) userdom_dontaudit_search_user_home_content(mdadm_t) -@@ -97,9 +122,17 @@ optional_policy(` +@@ -97,9 +123,17 @@ optional_policy(` ') optional_policy(` 
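Review bot: `systemd_start_systemd_services(mdadm_t)` is added beside `systemd_exec_systemctl(mdadm_t)` with no comment on which unit mdadm starts; as named it appears to permit starting any systemd service, which is broad for a RAID management domain. If a particular unit is meant (the hunk does not show one), a comment such as `# mdadm starts <unit, to be confirmed> via systemctl` or a narrower interface would document the intent and make later audits of mdadm_t easier.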
@@ -67658,6 +68470,368 @@ index 9a8f052..3baa71a 100644 + + unconfined_domain_noaudit(realmd_consolehelper_t) ') +diff --git a/redis.fc b/redis.fc +new file mode 100644 +index 0000000..638d6b4 +--- /dev/null ++++ b/redis.fc +@@ -0,0 +1,11 @@ ++/etc/rc\.d/init\.d/redis -- gen_context(system_u:object_r:redis_initrc_exec_t,s0) ++ ++/usr/lib/systemd/system/redis.* -- gen_context(system_u:object_r:redis_unit_file_t,s0) ++ ++/usr/sbin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0) ++ ++/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0) ++ ++/var/log/redis(/.*)? gen_context(system_u:object_r:redis_log_t,s0) ++ ++/var/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0) +diff --git a/redis.if b/redis.if +new file mode 100644 +index 0000000..72a2d7b +--- /dev/null ++++ b/redis.if +@@ -0,0 +1,271 @@ ++ ++## redis-server SELinux policy ++ ++######################################## ++## ++## Execute TEMPLATE in the redis domin. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`redis_domtrans',` ++ gen_require(` ++ type redis_t, redis_exec_t; ++ ') ++ ++ corecmd_search_bin($1) ++ domtrans_pattern($1, redis_exec_t, redis_t) ++') ++ ++######################################## ++## ++## Execute redis server in the redis domain. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`redis_initrc_domtrans',` ++ gen_require(` ++ type redis_initrc_exec_t; ++ ') ++ ++ init_labeled_script_domtrans($1, redis_initrc_exec_t) ++') ++######################################## ++## ++## Read redis's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`redis_read_log',` ++ gen_require(` ++ type redis_log_t; ++ ') ++ ++ logging_search_logs($1) ++ read_files_pattern($1, redis_log_t, redis_log_t) ++') ++ ++######################################## ++## ++## Append to redis log files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`redis_append_log',` ++ gen_require(` ++ type redis_log_t; ++ ') ++ ++ logging_search_logs($1) ++ append_files_pattern($1, redis_log_t, redis_log_t) ++') ++ ++######################################## ++## ++## Manage redis log files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`redis_manage_log',` ++ gen_require(` ++ type redis_log_t; ++ ') ++ ++ logging_search_logs($1) ++ manage_dirs_pattern($1, redis_log_t, redis_log_t) ++ manage_files_pattern($1, redis_log_t, redis_log_t) ++ manage_lnk_files_pattern($1, redis_log_t, redis_log_t) ++') ++ ++######################################## ++## ++## Search redis lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`redis_search_lib',` ++ gen_require(` ++ type redis_var_lib_t; ++ ') ++ ++ allow $1 redis_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## Read redis lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`redis_read_lib_files',` ++ gen_require(` ++ type redis_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, redis_var_lib_t, redis_var_lib_t) ++') ++ ++######################################## ++## ++## Manage redis lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`redis_manage_lib_files',` ++ gen_require(` ++ type redis_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_files_pattern($1, redis_var_lib_t, redis_var_lib_t) ++') ++ ++######################################## ++## ++## Manage redis lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`redis_manage_lib_dirs',` ++ gen_require(` ++ type redis_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ manage_dirs_pattern($1, redis_var_lib_t, redis_var_lib_t) ++') ++ ++######################################## ++## ++## Read redis PID files. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`redis_read_pid_files',` ++ gen_require(` ++ type redis_var_run_t; ++ ') ++ ++ files_search_pids($1) ++ read_files_pattern($1, redis_var_run_t, redis_var_run_t) ++') ++ ++######################################## ++## ++## Execute redis server in the redis domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`redis_systemctl',` ++ gen_require(` ++ type redis_t; ++ type redis_unit_file_t; ++ ') ++ ++ systemd_exec_systemctl($1) ++ systemd_read_fifo_file_password_run($1) ++ allow $1 redis_unit_file_t:file read_file_perms; ++ allow $1 redis_unit_file_t:service manage_service_perms; ++ ++ ps_process_pattern($1, redis_t) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an redis environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`redis_admin',` ++ gen_require(` ++ type redis_t; ++ type redis_initrc_exec_t; ++ type redis_log_t; ++ type redis_var_lib_t; ++ type redis_var_run_t; ++ type redis_unit_file_t; ++ ') ++ ++ allow $1 redis_t:process { ptrace signal_perms }; ++ ps_process_pattern($1, redis_t) ++ ++ redis_initrc_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 redis_initrc_exec_t system_r; ++ allow $2 system_r; ++ ++ logging_search_logs($1) ++ admin_pattern($1, redis_log_t) ++ ++ files_search_var_lib($1) ++ admin_pattern($1, redis_var_lib_t) ++ ++ files_search_pids($1) ++ admin_pattern($1, redis_var_run_t) ++ ++ redis_systemctl($1) ++ admin_pattern($1, redis_unit_file_t) ++ allow $1 redis_unit_file_t:service all_service_perms; ++ optional_policy(` ++ systemd_passwd_agent_exec($1) ++ systemd_read_fifo_file_passwd_run($1) ++ ') ++') +diff --git a/redis.te b/redis.te +new file mode 100644 +index 0000000..e5e9cf7 +--- /dev/null ++++ b/redis.te +@@ -0,0 +1,62 @@ ++policy_module(redis, 1.0.0) ++ ++######################################## ++# ++# 
Declarations ++# ++ ++type redis_t; ++type redis_exec_t; ++init_daemon_domain(redis_t, redis_exec_t) ++ ++type redis_initrc_exec_t; ++init_script_file(redis_initrc_exec_t) ++ ++type redis_log_t; ++logging_log_file(redis_log_t) ++ ++type redis_var_lib_t; ++files_type(redis_var_lib_t) ++ ++type redis_var_run_t; ++files_pid_file(redis_var_run_t) ++ ++type redis_unit_file_t; ++systemd_unit_file(redis_unit_file_t) ++ ++######################################## ++# ++# redis local policy ++# ++ ++allow redis_t self:process { setrlimit signal_perms }; ++allow redis_t self:fifo_file rw_fifo_file_perms; ++allow redis_t self:unix_stream_socket create_stream_socket_perms; ++allow redis_t self:tcp_socket create_stream_socket_perms; ++ ++manage_dirs_pattern(redis_t, redis_log_t, redis_log_t) ++manage_files_pattern(redis_t, redis_log_t, redis_log_t) ++manage_lnk_files_pattern(redis_t, redis_log_t, redis_log_t) ++ ++manage_dirs_pattern(redis_t, redis_var_lib_t, redis_var_lib_t) ++manage_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t) ++manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t) ++ ++manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t) ++manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) ++manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t) ++ ++kernel_read_system_state(redis_t) ++ ++corenet_tcp_bind_generic_node(redis_t) ++corenet_tcp_bind_redis_port(redis_t) ++ ++dev_read_sysfs(redis_t) ++dev_read_urand(redis_t) ++ ++logging_send_syslog_msg(redis_t) ++ ++miscfiles_read_localization(redis_t) ++ ++sysnet_dns_name_resolve(redis_t) ++ diff --git a/remotelogin.fc b/remotelogin.fc index 327baf0..d8691bd 100644 --- a/remotelogin.fc @@ -68441,7 +69615,7 @@ index 47de2d6..98a4280 100644 +/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0) +/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0) 
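Review bot: `redis_systemctl` in the new redis.if calls `systemd_read_fifo_file_password_run($1)`, while `redis_admin` a few lines below uses `systemd_read_fifo_file_passwd_run($1)`, and the prosody.if hunk in this same commit corrects the former spelling to the latter; the `password_run` form looks like the same typo and would fail at policy build. Change the line to `systemd_read_fifo_file_passwd_run($1)`. Separately, the `redis_domtrans` summary reads `Execute TEMPLATE in the redis domin.`, where `Execute redis-server in the redis domain.` would be accurate, and the redis.fc entry `/usr/lib/systemd/system/redis.* --` leaves the `.` unescaped like the pkcsslotd.fc entry earlier in this commit.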
diff --git a/rhcs.if b/rhcs.if -index 56bc01f..4699b1b 100644 +index 56bc01f..b8d154e 100644 --- a/rhcs.if +++ b/rhcs.if @@ -1,19 +1,19 @@ @@ -68470,7 +69644,7 @@ index 56bc01f..4699b1b 100644 ') ############################## -@@ -43,11 +43,6 @@ template(`rhcs_domain_template',` +@@ -43,33 +43,27 @@ template(`rhcs_domain_template',` manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file }) @@ -68482,9 +69656,11 @@ index 56bc01f..4699b1b 100644 logging_log_filetrans($1_t, $1_var_log_t, { dir file sock_file }) manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t) -@@ -56,20 +51,19 @@ template(`rhcs_domain_template',` + manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) + manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t) manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t) - files_pid_filetrans($1_t, $1_var_run_t, { dir file fifo_file }) +- files_pid_filetrans($1_t, $1_var_run_t, { dir file fifo_file }) ++ files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file fifo_file }) - optional_policy(` - dbus_system_bus_client($1_t) @@ -70372,7 +71548,7 @@ index 6dbc905..d803796 100644 - admin_pattern($1, rhsmcertd_lock_t) ') diff --git a/rhsmcertd.te b/rhsmcertd.te -index 1cedd70..f8ae4cc 100644 +index 1cedd70..6508b1e 100644 --- a/rhsmcertd.te +++ b/rhsmcertd.te @@ -30,7 +30,8 @@ files_pid_file(rhsmcertd_var_run_t) @@ -70385,7 +71561,7 @@ index 1cedd70..f8ae4cc 100644 allow rhsmcertd_t self:fifo_file rw_fifo_file_perms; allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms; -@@ -52,21 +53,35 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) +@@ -52,21 +53,37 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir }) kernel_read_network_state(rhsmcertd_t) kernel_read_system_state(rhsmcertd_t) 
@@ -70408,6 +71584,8 @@ index 1cedd70..f8ae4cc 100644 -miscfiles_read_localization(rhsmcertd_t) -miscfiles_read_generic_certs(rhsmcertd_t) ++init_read_state(rhsmcertd_t) ++ +logging_send_syslog_msg(rhsmcertd_t) + +miscfiles_read_certs(rhsmcertd_t) @@ -72102,7 +73280,7 @@ index 3b5e9ee..ff1163f 100644 + admin_pattern($1, rpcbind_var_run_t) ') diff --git a/rpcbind.te b/rpcbind.te -index c49828c..a323332 100644 +index c49828c..56cb0c2 100644 --- a/rpcbind.te +++ b/rpcbind.te @@ -42,7 +42,6 @@ kernel_read_system_state(rpcbind_t) @@ -72121,7 +73299,7 @@ index c49828c..a323332 100644 files_read_etc_runtime_files(rpcbind_t) -logging_send_syslog_msg(rpcbind_t) -+auth_read_passwd(rpcbind_t) ++auth_use_nsswitch(rpcbind_t) -miscfiles_read_localization(rpcbind_t) +logging_send_syslog_msg(rpcbind_t) @@ -72250,7 +73428,7 @@ index ebe91fc..6392cad 100644 +/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0) ') diff --git a/rpm.if b/rpm.if -index 0628d50..84f2fd7 100644 +index 0628d50..39e36fb 100644 --- a/rpm.if +++ b/rpm.if @@ -1,8 +1,8 @@ @@ -72385,10 +73563,28 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -181,6 +186,42 @@ interface(`rpm_rw_pipes',` +@@ -181,6 +186,60 @@ interface(`rpm_rw_pipes',` ######################################## ## ++## Read and write an unnamed RPM script pipe. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`rpm_rw_script_inherited_pipes',` ++ gen_require(` ++ type rpm_script_t; ++ ') ++ ++ allow $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms; ++') ++ ++######################################## ++## +## dontaudit read and write an leaked file descriptors +## +## @@ -72428,7 +73624,7 @@ index 0628d50..84f2fd7 100644 ## Send and receive messages from ## rpm over dbus. ## -@@ -224,7 +265,7 @@ interface(`rpm_dontaudit_dbus_chat',` +@@ -224,7 +283,7 @@ interface(`rpm_dontaudit_dbus_chat',` ######################################## ## ## Send and receive messages from 
@@ -72437,7 +73633,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -244,7 +285,7 @@ interface(`rpm_script_dbus_chat',` +@@ -244,7 +303,7 @@ interface(`rpm_script_dbus_chat',` ######################################## ## @@ -72446,7 +73642,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -263,7 +304,8 @@ interface(`rpm_search_log',` +@@ -263,7 +322,8 @@ interface(`rpm_search_log',` ##################################### ## @@ -72456,17 +73652,19 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -276,14 +318,30 @@ interface(`rpm_append_log',` +@@ -276,14 +336,30 @@ interface(`rpm_append_log',` type rpm_log_t; ') - logging_search_logs($1) - append_files_pattern($1, rpm_log_t, rpm_log_t) + allow $1 rpm_log_t:file append_inherited_file_perms; -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Create, read, write, and delete +-## rpm log files. +## Create, read, write, and delete the RPM log. +## +## @@ -72481,17 +73679,15 @@ index 0628d50..84f2fd7 100644 + ') + + read_files_pattern($1, rpm_log_t, rpm_log_t) - ') - - ######################################## - ## --## Create, read, write, and delete --## rpm log files. ++') ++ ++######################################## ++## +## Create, read, write, and delete the RPM log. ## ## ## -@@ -302,7 +360,7 @@ interface(`rpm_manage_log',` +@@ -302,7 +378,7 @@ interface(`rpm_manage_log',` ######################################## ## @@ -72500,7 +73696,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -320,8 +378,8 @@ interface(`rpm_use_script_fds',` +@@ -320,8 +396,8 @@ interface(`rpm_use_script_fds',` ######################################## ## @@ -72511,7 +73707,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -335,12 +393,15 @@ interface(`rpm_manage_script_tmp_files',` +@@ -335,12 +411,15 @@ interface(`rpm_manage_script_tmp_files',` ') files_search_tmp($1) 
@@ -72528,7 +73724,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -353,14 +414,13 @@ interface(`rpm_append_tmp_files',` +@@ -353,14 +432,13 @@ interface(`rpm_append_tmp_files',` type rpm_tmp_t; ') @@ -72546,7 +73742,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -374,12 +434,14 @@ interface(`rpm_manage_tmp_files',` +@@ -374,12 +452,14 @@ interface(`rpm_manage_tmp_files',` ') files_search_tmp($1) @@ -72562,7 +73758,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -399,7 +461,7 @@ interface(`rpm_read_script_tmp_files',` +@@ -399,7 +479,7 @@ interface(`rpm_read_script_tmp_files',` ######################################## ## @@ -72571,7 +73767,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -420,8 +482,7 @@ interface(`rpm_read_cache',` +@@ -420,8 +500,7 @@ interface(`rpm_read_cache',` ######################################## ## @@ -72581,7 +73777,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -442,7 +503,7 @@ interface(`rpm_manage_cache',` +@@ -442,7 +521,7 @@ interface(`rpm_manage_cache',` ######################################## ## @@ -72590,7 +73786,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -459,11 +520,12 @@ interface(`rpm_read_db',` +@@ -459,11 +538,12 @@ interface(`rpm_read_db',` allow $1 rpm_var_lib_t:dir list_dir_perms; read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) @@ -72604,7 +73800,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -482,8 +544,7 @@ interface(`rpm_delete_db',` +@@ -482,8 +562,7 @@ interface(`rpm_delete_db',` ######################################## ## @@ -72614,7 +73810,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -503,8 +564,28 @@ interface(`rpm_manage_db',` +@@ -503,8 +582,28 @@ interface(`rpm_manage_db',` ######################################## ## @@ -72644,7 +73840,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -517,7 +598,7 @@ interface(`rpm_dontaudit_manage_db',` +@@ -517,7 +616,7 @@ interface(`rpm_dontaudit_manage_db',` type rpm_var_lib_t; ') 
@@ -72653,7 +73849,7 @@ index 0628d50..84f2fd7 100644 dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') -@@ -543,8 +624,7 @@ interface(`rpm_read_pid_files',` +@@ -543,8 +642,7 @@ interface(`rpm_read_pid_files',` ##################################### ## @@ -72663,7 +73859,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -563,8 +643,7 @@ interface(`rpm_manage_pid_files',` +@@ -563,8 +661,7 @@ interface(`rpm_manage_pid_files',` ###################################### ## @@ -72673,7 +73869,7 @@ index 0628d50..84f2fd7 100644 ## ## ## -@@ -573,94 +652,72 @@ interface(`rpm_manage_pid_files',` +@@ -573,94 +670,72 @@ interface(`rpm_manage_pid_files',` ## # interface(`rpm_pid_filetrans',` @@ -72767,16 +73963,16 @@ index 0628d50..84f2fd7 100644 - allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { rpm_t rpm_script_t }) -- ++ typeattribute $1 rpm_transition_domain; ++ allow $1 rpm_script_t:process transition; + - init_labeled_script_domtrans($1, rpm_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 rpm_initrc_exec_t system_r; - allow $2 system_r; - - admin_pattern($1, rpm_file_t) -+ typeattribute $1 rpm_transition_domain; -+ allow $1 rpm_script_t:process transition; - +- - files_list_var($1) - admin_pattern($1, rpm_cache_t) - @@ -73737,7 +74933,7 @@ index f1140ef..ebc2190 100644 + files_etc_filetrans($1, rsync_etc_t, $2, $3) ') diff --git a/rsync.te b/rsync.te -index e3e7c96..0820cb2 100644 +index e3e7c96..ec50426 100644 --- a/rsync.te +++ b/rsync.te @@ -1,4 +1,4 @@ @@ -73746,7 +74942,7 @@ index e3e7c96..0820cb2 100644 ######################################## # -@@ -6,67 +6,46 @@ policy_module(rsync, 1.12.2) +@@ -6,67 +6,45 @@ policy_module(rsync, 1.12.2) # ## 
@@ -73822,7 +75018,6 @@ index e3e7c96..0820cb2 100644 -init_daemon_domain(rsync_t, rsync_exec_t) -application_domain(rsync_t, rsync_exec_t) -role rsync_roles types rsync_t; -+init_domain(rsync_t, rsync_exec_t) +application_executable_file(rsync_exec_t) +role system_r types rsync_t; @@ -73834,7 +75029,7 @@ index e3e7c96..0820cb2 100644 files_type(rsync_data_t) type rsync_log_t; -@@ -86,15 +65,25 @@ files_pid_file(rsync_var_run_t) +@@ -86,15 +64,25 @@ files_pid_file(rsync_var_run_t) allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot }; allow rsync_t self:process signal_perms; allow rsync_t self:fifo_file rw_fifo_file_perms; @@ -73865,7 +75060,7 @@ index e3e7c96..0820cb2 100644 logging_log_filetrans(rsync_t, rsync_log_t, file) manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t) -@@ -108,91 +97,80 @@ kernel_read_kernel_sysctls(rsync_t) +@@ -108,91 +96,80 @@ kernel_read_kernel_sysctls(rsync_t) kernel_read_system_state(rsync_t) kernel_read_network_state(rsync_t) @@ -79155,7 +80350,7 @@ index 3a9a70b..039b0c8 100644 logging_list_logs($1) admin_pattern($1, setroubleshoot_var_log_t) diff --git a/setroubleshoot.te b/setroubleshoot.te -index 49b12ae..46356db 100644 +index 49b12ae..e5948ba 100644 --- a/setroubleshoot.te +++ b/setroubleshoot.te @@ -1,4 +1,4 @@ @@ -79252,7 +80447,15 @@ index 49b12ae..46356db 100644 files_list_all(setroubleshootd_t) files_getattr_all_files(setroubleshootd_t) files_getattr_all_pipes(setroubleshootd_t) -@@ -107,27 +112,24 @@ init_read_utmp(setroubleshootd_t) +@@ -101,33 +106,32 @@ selinux_read_policy(setroubleshootd_t) + term_dontaudit_use_all_ptys(setroubleshootd_t) + term_dontaudit_use_all_ttys(setroubleshootd_t) + ++mls_dbus_recv_all_levels(setroubleshootd_t) ++ + auth_use_nsswitch(setroubleshootd_t) + + init_read_utmp(setroubleshootd_t) init_dontaudit_write_utmp(setroubleshootd_t) libs_exec_ld_so(setroubleshootd_t) 
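Review bot: The revised hunk drops `+init_domain(rsync_t, rsync_exec_t)` from the inner patch while that patch still deletes `init_daemon_domain(rsync_t, rsync_exec_t)` and `application_domain(rsync_t, rsync_exec_t)`, so in the visible lines nothing now declares rsync_t as a domain entered through rsync_exec_t; only `application_executable_file(rsync_exec_t)` and `role system_r types rsync_t;` remain. If the domain and entrypoint declaration is made elsewhere in rsync.te (the declarations section starts and ends outside this hunk), a short comment next to `role system_r types rsync_t;` pointing to it would keep the next reader from drawing the wrong conclusion; if not, an rsync daemon started by init would not transition out of init_t.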
@@ -79285,7 +80488,7 @@ index 49b12ae..46356db 100644 ') optional_policy(` -@@ -135,10 +137,18 @@ optional_policy(` +@@ -135,10 +139,18 @@ optional_policy(` ') optional_policy(` @@ -79304,7 +80507,7 @@ index 49b12ae..46356db 100644 rpm_exec(setroubleshootd_t) rpm_signull(setroubleshootd_t) rpm_read_db(setroubleshootd_t) -@@ -148,15 +158,17 @@ optional_policy(` +@@ -148,15 +160,17 @@ optional_policy(` ######################################## # @@ -79323,7 +80526,7 @@ index 49b12ae..46356db 100644 setroubleshoot_stream_connect(setroubleshoot_fixit_t) kernel_read_system_state(setroubleshoot_fixit_t) -@@ -165,9 +177,15 @@ corecmd_exec_bin(setroubleshoot_fixit_t) +@@ -165,9 +179,15 @@ corecmd_exec_bin(setroubleshoot_fixit_t) corecmd_exec_shell(setroubleshoot_fixit_t) corecmd_getattr_all_executables(setroubleshoot_fixit_t) @@ -79340,7 +80543,7 @@ index 49b12ae..46356db 100644 files_list_tmp(setroubleshoot_fixit_t) auth_use_nsswitch(setroubleshoot_fixit_t) -@@ -175,23 +193,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t) +@@ -175,23 +195,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t) logging_send_audit_msgs(setroubleshoot_fixit_t) logging_send_syslog_msg(setroubleshoot_fixit_t) @@ -81193,10 +82396,64 @@ index 634c6b4..e1edfd9 100644 ######################################## diff --git a/sosreport.te b/sosreport.te -index 703efa3..de313d7 100644 +index 703efa3..f9d6ed6 100644 --- a/sosreport.te 
+++ b/sosreport.te -@@ -70,7 +70,6 @@ files_list_all(sosreport_t) +@@ -19,6 +19,9 @@ files_tmp_file(sosreport_tmp_t) + type sosreport_tmpfs_t; + files_tmpfs_file(sosreport_tmpfs_t) + ++type sosreport_var_run_t; ++files_pid_file(sosreport_var_run_t) ++ + optional_policy(` + pulseaudio_tmpfs_content(sosreport_tmpfs_t) + ') +@@ -29,10 +32,13 @@ optional_policy(` + # + + allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override }; ++dontaudit sosreport_t self:capability { sys_ptrace }; + allow sosreport_t self:process { setsched signull }; + allow sosreport_t self:fifo_file rw_fifo_file_perms; + allow sosreport_t self:tcp_socket { accept listen }; + allow sosreport_t self:unix_stream_socket { accept listen }; ++allow sosreport_t self:rawip_socket create_socket_perms; ++allow sosreport_t self:netlink_kobject_uevent_socket create_socket_perms; + + manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) + manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) +@@ -40,6 +46,12 @@ manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) + files_root_filetrans(sosreport_t, sosreport_tmp_t, file, ".ismount-test-file") + files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir }) + ++manage_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t) ++manage_dirs_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t) ++manage_sock_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t) ++manage_lnk_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t) ++files_pid_filetrans(sosreport_t, sosreport_var_run_t, { file dir sock_file }) ++ + manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t) + fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t, file) + +@@ -58,6 +70,9 @@ dev_read_rand(sosreport_t) + dev_read_urand(sosreport_t) + dev_read_raw_memory(sosreport_t) + dev_read_sysfs(sosreport_t) ++dev_rw_generic_usb_dev(sosreport_t) 
++dev_getattr_all_chr_files(sosreport_t) ++dev_getattr_all_blk_files(sosreport_t) + + domain_getattr_all_domains(sosreport_t) + domain_read_all_domains_state(sosreport_t) +@@ -65,12 +80,13 @@ domain_getattr_all_sockets(sosreport_t) + domain_getattr_all_pipes(sosreport_t) + + files_getattr_all_sockets(sosreport_t) ++files_getattr_all_files(sosreport_t) ++files_getattr_all_pipes(sosreport_t) + files_exec_etc_files(sosreport_t) + files_list_all(sosreport_t) files_read_config_files(sosreport_t) files_read_generic_tmp_files(sosreport_t) files_read_non_auth_files(sosreport_t) @@ -81204,10 +82461,20 @@ index 703efa3..de313d7 100644 files_read_var_lib_files(sosreport_t) files_read_var_symlinks(sosreport_t) files_read_kernel_modules(sosreport_t) -@@ -84,6 +83,10 @@ fs_list_inotifyfs(sosreport_t) +@@ -79,27 +95,41 @@ files_manage_etc_runtime_files(sosreport_t) + files_etc_filetrans_etc_runtime(sosreport_t, file) + + fs_getattr_all_fs(sosreport_t) ++fs_getattr_all_dirs(sosreport_t) + fs_list_inotifyfs(sosreport_t) + storage_dontaudit_read_fixed_disk(sosreport_t) storage_dontaudit_read_removable_device(sosreport_t) ++term_getattr_pty_fs(sosreport_t) ++term_getattr_all_ptys(sosreport_t) ++term_use_generic_ptys(sosreport_t) ++ +# some config files do not have configfile attribute +# sosreport needs to read various files on system +files_read_non_security_files(sosreport_t) @@ -81215,7 +82482,10 @@ index 703efa3..de313d7 100644 auth_use_nsswitch(sosreport_t) init_domtrans_script(sosreport_t) -@@ -93,9 +96,8 @@ libs_domtrans_ldconfig(sosreport_t) ++init_getattr_initctl(sosreport_t) + + libs_domtrans_ldconfig(sosreport_t) + logging_read_all_logs(sosreport_t) logging_send_syslog_msg(sosreport_t) 
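Review bot: `dev_rw_generic_usb_dev(sosreport_t)` gives a diagnostics collector write access to generic USB device nodes, which is wider than collection appears to need; if the denial was only a read of device descriptors, the read-only interface `dev_read_generic_usb_dev` (if present in the devices module used here) would be the narrower grant. The same hunk adds `dontaudit sosreport_t self:capability { sys_ptrace };` and `allow sosreport_t self:rawip_socket create_socket_perms;` without comments; a one-line why-comment on each, e.g. `# raw sockets: network diagnostics plugin`, would help later audits of this already broad domain.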
@@ -81226,7 +82496,16 @@ index 703efa3..de313d7 100644 optional_policy(` abrt_manage_pid_files(sosreport_t) -@@ -111,6 +113,11 @@ optional_policy(` + abrt_manage_cache(sosreport_t) ++ abrt_stream_connect(sosreport_t) ++') ++ ++optional_policy(` ++ brctl_domtrans(sosreport_t) + ') + + optional_policy(` +@@ -111,6 +141,11 @@ optional_policy(` ') optional_policy(` @@ -83191,7 +84470,7 @@ index a240455..54c5c1f 100644 - admin_pattern($1, sssd_log_t) ') diff --git a/sssd.te b/sssd.te -index 8b537aa..e9632c3 100644 +index 8b537aa..3bce4df 100644 --- a/sssd.te +++ b/sssd.te @@ -1,4 +1,4 @@ @@ -83280,7 +84559,7 @@ index 8b537aa..e9632c3 100644 auth_domtrans_chk_passwd(sssd_t) auth_domtrans_upd_passwd(sssd_t) auth_manage_cache(sssd_t) -@@ -112,18 +105,31 @@ logging_send_syslog_msg(sssd_t) +@@ -112,18 +105,32 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_generic_certs(sssd_t) @@ -83290,6 +84569,7 @@ index 8b537aa..e9632c3 100644 sysnet_use_ldap(sssd_t) +userdom_manage_tmp_role(system_r, sssd_t) ++userdom_manage_all_users_keys(sssd_t) + optional_policy(` dbus_system_bus_client(sssd_t) @@ -83843,10 +85123,10 @@ index c6aaac7..a5600a8 100644 sysnet_dns_name_resolve(svnserve_t) diff --git a/swift.fc b/swift.fc new file mode 100644 -index 0000000..e5433ad +index 0000000..744f0ce --- /dev/null +++ b/swift.fc -@@ -0,0 +1,28 @@ +@@ -0,0 +1,29 @@ +/usr/bin/swift-account-auditor -- gen_context(system_u:object_r:swift_exec_t,s0) +/usr/bin/swift-account-reaper -- gen_context(system_u:object_r:swift_exec_t,s0) +/usr/bin/swift-account-replicator -- gen_context(system_u:object_r:swift_exec_t,s0) 
@@ -83866,7 +85146,8 @@ index 0000000..e5433ad + +/usr/lib/systemd/system/openstack-swift.* -- gen_context(system_u:object_r:swift_unit_file_t,s0) + -+/var/run/swift(/.*)? gen_context(system_u:object_r:swift_var_run_t,s0) ++/var/cache/swift(/.*)? -- gen_context(system_u:object_r:swift_var_cache_t,s0) ++/var/run/swift(/.*)? -- gen_context(system_u:object_r:swift_var_run_t,s0) + +# This seems to be a de-facto standard when using swift. +/srv/node(/.*)? gen_context(system_u:object_r:swift_data_t,s0) @@ -84006,10 +85287,10 @@ index 0000000..015c2c9 +') diff --git a/swift.te b/swift.te new file mode 100644 -index 0000000..39f1ca1 +index 0000000..c7b2bf6 --- /dev/null +++ b/swift.te -@@ -0,0 +1,53 @@ +@@ -0,0 +1,69 @@ +policy_module(swift, 1.0.0) + +######################################## @@ -84021,6 +85302,9 @@ index 0000000..39f1ca1 +type swift_exec_t; +init_daemon_domain(swift_t, swift_exec_t) + ++type swift_var_cache_t; ++files_type(swift_var_cache_t) ++ +type swift_var_run_t; +files_pid_file(swift_var_run_t) + @@ -84035,10 +85319,18 @@ index 0000000..39f1ca1 +# swift local policy +# + ++allow swift_t self:process signal; ++ +allow swift_t self:fifo_file rw_fifo_file_perms; ++allow swift_t self:tcp_socket create_stream_socket_perms; +allow swift_t self:unix_stream_socket create_stream_socket_perms; +allow swift_t self:unix_dgram_socket create_socket_perms; + ++manage_dirs_pattern(swift_t, swift_var_cache_t, swift_var_cache_t) ++manage_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t) ++manage_lnk_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t) ++files_var_filetrans(swift_t,swift_var_cache_t, { dir file }) ++ +manage_dirs_pattern(swift_t, swift_var_run_t, swift_var_run_t) +manage_files_pattern(swift_t, swift_var_run_t, swift_var_run_t) +manage_lnk_files_pattern(swift_t, swift_var_run_t, swift_var_run_t) 
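Review bot: The `--` class field added to the `/var/cache/swift(/.*)?` and `/var/run/swift(/.*)?` entries limits the match to regular files, so the swift directories themselves (and any symlinks or sockets under them) are no longer covered by these entries and fall through to whatever generic /var entry applies after a relabel, which defeats the `manage_dirs_pattern` rules for those types in swift.te. Directory-tree entries elsewhere in this file, e.g. `/srv/node(/.*)? gen_context(system_u:object_r:swift_data_t,s0)`, carry no class field, and these two should match: `/var/cache/swift(/.*)? gen_context(system_u:object_r:swift_var_cache_t,s0)` and `/var/run/swift(/.*)? gen_context(system_u:object_r:swift_var_run_t,s0)`.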
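Review bot: `files_var_filetrans(swift_t,swift_var_cache_t, { dir file })` is an unnamed transition on the generic /var type, so anything swift_t creates directly in a var_t directory — not only the swift cache directory — is labeled swift_var_cache_t; if the base policy's `files_var_filetrans` accepts the optional filename argument, `files_var_filetrans(swift_t, swift_var_cache_t, dir, "swift")` pins the transition to the intended name. The call also lacks the space after the first comma that every other interface call in the block has. A comment such as `# /var/cache/swift is created by the daemon at start — confirm the parent dir label` would document why a transition, rather than a file-context entry alone, is relied on here.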
@@ -84051,6 +85343,7 @@ index 0000000..39f1ca1 + +kernel_dgram_send(swift_t) +kernel_read_system_state(swift_t) ++kernel_read_network_state(swift_t) + +corecmd_exec_shell(swift_t) + @@ -84058,11 +85351,15 @@ index 0000000..39f1ca1 + +domain_use_interactive_fds(swift_t) + ++files_dontaudit_search_home(swift_t) ++ +auth_use_nsswitch(swift_t) + +libs_exec_ldconfig(swift_t) + +logging_send_syslog_msg(swift_t) ++ ++userdom_dontaudit_search_user_home_dirs(swift_t) diff --git a/swift_alias.fc b/swift_alias.fc new file mode 100644 index 0000000..b7db254 @@ -84141,7 +85438,7 @@ index c9824cb..1973f71 100644 userdom_dontaudit_use_unpriv_user_fds(sxid_t) diff --git a/sysstat.te b/sysstat.te -index c8b80b2..f041061 100644 +index c8b80b2..c81d332 100644 --- a/sysstat.te +++ b/sysstat.te @@ -24,9 +24,7 @@ allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_co @@ -84163,8 +85460,12 @@ index c8b80b2..f041061 100644 corecmd_exec_bin(sysstat_t) dev_read_sysfs(sysstat_t) -@@ -49,8 +48,10 @@ files_read_etc_runtime_files(sysstat_t) - fs_getattr_xattr_fs(sysstat_t) +@@ -46,11 +45,13 @@ dev_read_urand(sysstat_t) + files_search_var(sysstat_t) + files_read_etc_runtime_files(sysstat_t) + +-fs_getattr_xattr_fs(sysstat_t) ++fs_getattr_all_fs(sysstat_t) fs_list_inotifyfs(sysstat_t) +storage_getattr_fixed_disk_dev(sysstat_t) @@ -84481,7 +85782,7 @@ index c7de0cf..9813503 100644 +/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t, s0) +/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0) diff --git a/telepathy.if b/telepathy.if -index 42946bc..3d30062 100644 +index 42946bc..741f2f4 100644 --- a/telepathy.if +++ b/telepathy.if @@ -2,45 +2,39 @@ 
@@ -84561,7 +85862,7 @@ index 42946bc..3d30062 100644 type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t; type telepathy_mission_control_t, telepathy_salut_t, telepathy_sunshine_t; type telepathy_stream_engine_t, telepathy_msn_t, telepathy_gabble_exec_t; -@@ -63,91 +62,79 @@ template(`telepathy_role_template',` +@@ -63,91 +62,84 @@ template(`telepathy_role_template',` type telepathy_mission_control_exec_t, telepathy_salut_exec_t; type telepathy_sunshine_exec_t, telepathy_stream_engine_exec_t; type telepathy_msn_exec_t; @@ -84667,11 +85968,15 @@ index 42946bc..3d30062 100644 ## -## +## - ## Domain allowed access. - ## - ## - # --interface(`telepathy_gabble_dbus_chat',` ++## Domain allowed access. ++## ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`telepathy_gabble_stream_connect_to', ` + gen_require(` + type telepathy_gabble_t; @@ -84687,15 +85992,16 @@ index 42946bc..3d30062 100644 +## +## +## -+## Domain allowed access. -+## -+## -+# + ## Domain allowed access. + ## + ## + # +-interface(`telepathy_gabble_dbus_chat',` +interface(`telepathy_gabble_dbus_chat', ` gen_require(` type telepathy_gabble_t; class dbus send_msg; -@@ -159,10 +146,10 @@ interface(`telepathy_gabble_dbus_chat',` +@@ -159,10 +151,10 @@ interface(`telepathy_gabble_dbus_chat',` ######################################## ## @@ -84708,7 +86014,7 @@ index 42946bc..3d30062 100644 ## Domain allowed access. ## ## -@@ -173,15 +160,12 @@ interface(`telepathy_mission_control_read_state',` +@@ -173,15 +165,12 @@ interface(`telepathy_mission_control_read_state',` ') kernel_search_proc($1) @@ -84726,7 +86032,7 @@ index 42946bc..3d30062 100644 ## ## ## -@@ -189,19 +173,18 @@ interface(`telepathy_mission_control_read_state',` +@@ -189,19 +178,18 @@ interface(`telepathy_mission_control_read_state',` ## ## # 
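Review bot: The documentation header added above `interface(`telepathy_gabble_stream_connect_to', `` appears to contain the `## Domain allowed access.` parameter block twice in a row, although the interface takes a single `$1`; if that is not a rendering artefact of this listing, one of the two blocks should be removed so the generated interface docs do not show a phantom second parameter. The interface summary line itself is outside the visible hunk, so please also check it describes the stream connect rather than the dbus chat wording of the interface it was split from.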
@@ -84749,7 +86055,7 @@ index 42946bc..3d30062 100644 ## ## ## -@@ -209,11 +192,138 @@ interface(`telepathy_msn_stream_connect',` +@@ -209,11 +197,138 @@ interface(`telepathy_msn_stream_connect',` ## ## # @@ -84891,7 +86197,7 @@ index 42946bc..3d30062 100644 + can_exec($1, telepathy_executable) ') diff --git a/telepathy.te b/telepathy.te -index e9c0964..91c1898 100644 +index e9c0964..ff77783 100644 --- a/telepathy.te +++ b/telepathy.te @@ -1,29 +1,28 @@ @@ -85392,7 +86698,7 @@ index e9c0964..91c1898 100644 optional_policy(` xserver_read_xdm_pid(telepathy_sunshine_t) xserver_stream_connect(telepathy_sunshine_t) -@@ -452,31 +382,40 @@ optional_policy(` +@@ -452,31 +382,43 @@ optional_policy(` ####################################### # @@ -85420,10 +86726,12 @@ index e9c0964..91c1898 100644 fs_getattr_all_fs(telepathy_domain) fs_search_auto_mountpoints(telepathy_domain) -- --miscfiles_read_localization(telepathy_domain) +fs_rw_inherited_tmpfs_files(telepathy_domain) +-miscfiles_read_localization(telepathy_domain) ++userdom_search_user_tmp_dirs(telepathy_domain) ++userdom_search_user_home_dirs(telepathy_domain) + optional_policy(` automount_dontaudit_getattr_tmp_dirs(telepathy_domain) ') @@ -85431,7 +86739,7 @@ index e9c0964..91c1898 100644 optional_policy(` + gnome_read_generic_cache_files(telepathy_domain) + gnome_write_generic_cache_files(telepathy_domain) -+ gnome_filetrans_config_home_content(telepathy_domain) ++ gnome_filetrans_config_home_content(telepathy_domain) +') + +optional_policy(` @@ -85961,7 +87269,7 @@ index 5406b6e..dc5b46e 100644 admin_pattern($1, tgtd_tmpfs_t) ') diff --git a/tgtd.te b/tgtd.te -index c93c973..b04d201 100644 +index c93c973..4ec1eb0 100644 --- a/tgtd.te +++ b/tgtd.te @@ -29,7 +29,7 @@ files_pid_file(tgtd_var_run_t) 
@@ -85973,7 +87281,7 @@ index c93c973..b04d201 100644 allow tgtd_t self:capability2 block_suspend; allow tgtd_t self:process { setrlimit signal }; allow tgtd_t self:fifo_file rw_fifo_file_perms; -@@ -58,7 +58,6 @@ kernel_read_system_state(tgtd_t) +@@ -58,27 +58,27 @@ kernel_read_system_state(tgtd_t) kernel_read_fs_sysctls(tgtd_t) corenet_all_recvfrom_netlabel(tgtd_t) @@ -85981,7 +87289,11 @@ index c93c973..b04d201 100644 corenet_tcp_sendrecv_generic_if(tgtd_t) corenet_tcp_sendrecv_generic_node(tgtd_t) corenet_tcp_bind_generic_node(tgtd_t) -@@ -69,16 +68,16 @@ corenet_tcp_sendrecv_iscsi_port(tgtd_t) + + corenet_sendrecv_iscsi_server_packets(tgtd_t) + corenet_tcp_bind_iscsi_port(tgtd_t) ++corenet_tcp_connect_isns_port(tgtd_t) + corenet_tcp_sendrecv_iscsi_port(tgtd_t) dev_read_sysfs(tgtd_t) @@ -86371,10 +87683,10 @@ index 0000000..8b2dfff +') diff --git a/thumb.te b/thumb.te new file mode 100644 -index 0000000..bf58d50 +index 0000000..ec3eb8f --- /dev/null +++ b/thumb.te -@@ -0,0 +1,146 @@ +@@ -0,0 +1,147 @@ +policy_module(thumb, 1.0.0) + +######################################## @@ -86449,6 +87761,7 @@ index 0000000..bf58d50 +dev_rw_xserver_misc(thumb_t) + +domain_use_interactive_fds(thumb_t) ++domain_dontaudit_read_all_domains_state(thumb_t) + +files_read_non_security_files(thumb_t) + @@ -87915,7 +89228,7 @@ index 1ec5e99..88e287d 100644 + allow $1 usbmuxd_unit_file_t:service all_service_perms; +') diff --git a/usbmuxd.te b/usbmuxd.te -index 8840be6..285680c 100644 +index 8840be6..d2c7596 100644 --- a/usbmuxd.te +++ b/usbmuxd.te @@ -10,12 +10,16 @@ roleattribute system_r usbmuxd_roles; 
@@ -87935,7 +89248,15 @@ index 8840be6..285680c 100644 ######################################## # # Local policy -@@ -38,6 +42,10 @@ dev_rw_generic_usb_dev(usbmuxd_t) +@@ -24,6 +28,7 @@ files_pid_file(usbmuxd_var_run_t) + allow usbmuxd_t self:capability { kill setgid setuid }; + allow usbmuxd_t self:process { signal signull }; + allow usbmuxd_t self:fifo_file rw_fifo_file_perms; ++allow usbmuxd_t self:netlink_kobject_uevent_socket create_socket_perms; + + manage_dirs_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) + manage_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t) +@@ -38,6 +43,10 @@ dev_rw_generic_usb_dev(usbmuxd_t) auth_use_nsswitch(usbmuxd_t) @@ -89035,10 +90356,10 @@ index 0be8535..b96e329 100644 optional_policy(` diff --git a/virt.fc b/virt.fc -index c30da4c..898ce74 100644 +index c30da4c..b81eaa0 100644 --- a/virt.fc +++ b/virt.fc -@@ -1,52 +1,87 @@ +@@ -1,52 +1,86 @@ -HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) -HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0) -HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0) @@ -89091,7 +90412,6 @@ index c30da4c..898ce74 100644 /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0) -+/usr/bin/virt-sandbox-service.* -- gen_context(system_u:object_r:virsh_exec_t,s0) +/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0) +/usr/sbin/xl -- gen_context(system_u:object_r:virsh_exec_t,s0) +/usr/sbin/xm -- gen_context(system_u:object_r:virsh_exec_t,s0) 
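Review bot: The `/usr/bin/virt-sandbox-service.* -- gen_context(system_u:object_r:virsh_exec_t,s0)` entry is dropped with no replacement label visible in this hunk, so if that tool is still installed it falls back to the generic /usr/bin label and no longer enters virsh_t when run from a domain that has `virt_domtrans` on virsh_exec_t. If the relabel is deliberate (the tool gets its own domain elsewhere in the patch), a short comment next to the remaining virsh entries, `# virt-sandbox-service is labeled in <module>.fc`, would save the next reader the search; otherwise the line should stay.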
@@ -89107,14 +90427,14 @@ index c30da4c..898ce74 100644 -/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0) -/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) -/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0) +- +-/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) +/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) +/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh) --/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) -- -/var/run/libguestfs(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) +/var/lock/xl -- gen_context(system_u:object_r:virt_log_t,s0) +/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0) @@ -89166,7 +90486,7 @@ index c30da4c..898ce74 100644 +/var/run/qga\.state -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0) +/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0) diff --git a/virt.if b/virt.if -index 9dec06c..bdba959 100644 +index 9dec06c..4e31afe 100644 --- a/virt.if +++ b/virt.if @@ -1,120 +1,51 @@ 
@@ -90308,17 +91628,17 @@ index 9dec06c..bdba959 100644 -## # -interface(`virt_pid_filetrans',` -+interface(`virt_stream_connect_lxc',` ++interface(`virt_stream_connect_sandbox',` gen_require(` - type virt_var_run_t; -+ attribute svirt_lxc_domain; -+ type svirt_lxc_file_t; ++ attribute svirt_sandbox_domain; ++ type svirt_sandbox_file_t; ') files_search_pids($1) - filetrans_pattern($1, virt_var_run_t, $2, $3, $4) -+ stream_connect_pattern($1, svirt_lxc_file_t, svirt_lxc_file_t, svirt_lxc_domain) -+ ps_process_pattern(svirt_lxc_domain, $1) ++ stream_connect_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t, svirt_sandbox_domain) ++ ps_process_pattern(svirt_sandbox_domain, $1) ') + @@ -90642,16 +91962,16 @@ index 9dec06c..bdba959 100644 - manage_files_pattern($1, virt_image_type, virt_image_type) - read_lnk_files_pattern($1, virt_image_type, virt_image_type) - rw_blk_files_pattern($1, virt_image_type, virt_image_type) -- ++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt") ++ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst") ++ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu") + - tunable_policy(`virt_use_nfs',` - fs_manage_nfs_dirs($1) - fs_manage_nfs_files($1) - fs_read_nfs_symlinks($1) - ') -+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt") -+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst") -+ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu") - +- - tunable_policy(`virt_use_samba',` - fs_manage_cifs_files($1) - fs_manage_cifs_files($1) @@ -90700,7 +92020,7 @@ index 9dec06c..bdba959 100644 -## # -interface(`virt_admin',` -+template(`virt_lxc_domain_template',` ++template(`virt_sandbox_domain_template',` gen_require(` - attribute virt_domain, virt_image_type, virt_tmpfs_type; - attribute virt_ptynode, svirt_lxc_domain, virt_tmp_type; 
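Review bot: `virt_stream_connect_lxc` is renamed to `virt_stream_connect_sandbox` with no compatibility wrapper, so any caller outside this patch that still uses the old name fails at module build time; the type side of the same rename keeps `type svirt_sandbox_file_t alias svirt_lxc_file_t;` in virt.te, and a deprecated `interface(`virt_stream_connect_lxc',` that simply calls the new interface would give callers the same continuity. The interface also grants `ps_process_pattern(svirt_sandbox_domain, $1)`, i.e. the sandbox domains may read the caller's process state, which is broader than a stream-connect name suggests and belongs in the interface summary (the summary lines are outside this hunk).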
@@ -90710,14 +92030,14 @@ index 9dec06c..bdba959 100644 - type virt_var_run_t, virt_tmp_t, virt_log_t; - type virt_lock_t, svirt_var_run_t, virt_etc_rw_t; - type virt_etc_t, svirt_cache_t; -+ attribute svirt_lxc_domain; ++ attribute svirt_sandbox_domain; ') - allow $1 { virt_domain svirt_lxc_domain virtd_t }:process { ptrace signal_perms }; - allow $1 { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { virt_domain svirt_lxc_domain virtd_t }) - ps_process_pattern($1, { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }) -+ type $1_t, svirt_lxc_domain; ++ type $1_t, svirt_sandbox_domain; + domain_type($1_t) + domain_user_exemption_target($1_t) + mls_rangetrans_target($1_t) @@ -90743,14 +92063,14 @@ index 9dec06c..bdba959 100644 +## +## +# -+template(`virt_lxc_domain',` ++template(`virt_sandbox_domain',` + gen_require(` -+ attribute svirt_lxc_domain; ++ attribute svirt_sandbox_domain; + ') - files_search_tmp($1) - admin_pattern($1, { virt_tmp_type virt_tmp_t }) -+ typeattribute $1 svirt_lxc_domain; ++ typeattribute $1 svirt_sandbox_domain; +') - files_search_etc($1) @@ -90819,16 +92139,16 @@ index 9dec06c..bdba959 100644 +## +## +# -+interface(`virt_transition_svirt_lxc',` ++interface(`virt_transition_svirt_sandbox',` + gen_require(` -+ attribute svirt_lxc_domain; ++ attribute svirt_sandbox_domain; + ') + -+ allow $1 svirt_lxc_domain:process transition; -+ role $2 types svirt_lxc_domain; -+ allow $1 svirt_lxc_domain:unix_dgram_socket sendto; ++ allow $1 svirt_sandbox_domain:process transition; ++ role $2 types svirt_sandbox_domain; ++ allow $1 svirt_sandbox_domain:unix_dgram_socket sendto; + -+ allow svirt_lxc_domain $1:process sigchld; ++ allow svirt_sandbox_domain $1:process sigchld; +') - files_search_locks($1) @@ -90853,7 +92173,7 @@ index 9dec06c..bdba959 100644 + allow $1 svirt_image_t:chr_file rw_file_perms; ') 
diff --git a/virt.te b/virt.te -index 1f22fba..cd628f9 100644 +index 1f22fba..d48d354 100644 --- a/virt.te +++ b/virt.te @@ -1,94 +1,104 @@ @@ -91115,7 +92435,7 @@ index 1f22fba..cd628f9 100644 -# Common virt domain local policy +# Declarations # -+attribute svirt_lxc_domain; ++attribute svirt_sandbox_domain; -allow virt_domain self:process { signal getsched signull }; -allow virt_domain self:fifo_file rw_fifo_file_perms; @@ -91268,8 +92588,8 @@ index 1f22fba..cd628f9 100644 - dev_rw_sysfs(virt_domain) -') +# virt lxc container files -+type svirt_lxc_file_t; -+files_mountpoint(svirt_lxc_file_t) ++type svirt_sandbox_file_t alias svirt_lxc_file_t; ++files_mountpoint(svirt_sandbox_file_t) -tunable_policy(`virt_use_usb',` - dev_rw_usbfs(virt_domain) @@ -91334,11 +92654,11 @@ index 1f22fba..cd628f9 100644 -manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t) -- --filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") +allow svirt_tcg_t self:process { execmem execstack }; +allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms; +-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu") +- -stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t) - -corenet_udp_sendrecv_generic_if(svirt_t) 
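Review bot: `attribute svirt_sandbox_domain;` replaces `svirt_lxc_domain` outright, whereas the file type in the next hunk keeps compatibility via `type svirt_sandbox_file_t alias svirt_lxc_file_t;`. Attributes cannot be aliased, so any module outside this patch that still has `attribute svirt_lxc_domain;` in a `gen_require` block will fail to link, and there is no shim that can be offered; a note in the commit message listing the renamed attribute and interfaces (`virt_sandbox_domain_template`, `virt_sandbox_domain`, `virt_transition_svirt_sandbox`, `virt_stream_connect_sandbox`) would at least tell packagers what to update. A comment above the declaration, `# renamed from svirt_lxc_domain; no alias is possible for attributes`, records the break in the policy itself.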
@@ -91388,7 +92708,7 @@ index 1f22fba..cd628f9 100644 allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; -allow virtd_t self:unix_stream_socket { accept connectto listen }; -allow virtd_t self:tcp_socket { accept listen }; -+allow virtd_t self:unix_stream_socket { connectto create_stream_socket_perms }; ++allow virtd_t self:unix_stream_socket { connectto create_stream_socket_perms relabelfrom relabelto }; +allow virtd_t self:tcp_socket create_stream_socket_perms; allow virtd_t self:tun_socket { create_socket_perms relabelfrom relabelto }; allow virtd_t self:rawip_socket create_socket_perms; @@ -91436,7 +92756,7 @@ index 1f22fba..cd628f9 100644 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) -@@ -448,42 +308,28 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) +@@ -448,42 +308,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) @@ -91460,6 +92780,7 @@ index 1f22fba..cd628f9 100644 allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; -allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; - ++allow virtd_t virt_image_type:unix_stream_socket relabel_file_perms; allow virtd_t virt_ptynode:chr_file rw_term_perms; manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t) 
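Review bot: `allow virtd_t virt_image_type:unix_stream_socket relabel_file_perms;` applies a file permission set to a socket class; the macro expands to `{ getattr relabelfrom relabelto }`, which socket classes do accept, but the rule two hunks up spells its socket permissions out (`allow virtd_t self:unix_stream_socket { connectto create_stream_socket_perms relabelfrom relabelto };`) and the explicit form reads better here: `allow virtd_t virt_image_type:unix_stream_socket { getattr relabelfrom relabelto };`. A comment saying why sockets labeled with an image type need relabelling by virtd_t would also help, since virt_image_type otherwise covers image files and block/character devices in this block.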
@@ -91482,28 +92803,28 @@ index 1f22fba..cd628f9 100644 logging_log_filetrans(virtd_t, virt_log_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) -@@ -496,16 +342,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -496,16 +343,11 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t) files_pid_filetrans(virtd_t, virt_var_run_t, { file dir }) -manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") -- --stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) --stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") +stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) +-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +- -can_exec(virtd_t, virt_tmp_t) - -kernel_read_crypto_sysctls(virtd_t) kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) -@@ -513,6 +354,7 @@ kernel_read_kernel_sysctls(virtd_t) +@@ -513,6 +355,7 @@ kernel_read_kernel_sysctls(virtd_t) kernel_request_load_module(virtd_t) kernel_search_debugfs(virtd_t) kernel_setsched(virtd_t) 
@@ -91511,7 +92832,7 @@ index 1f22fba..cd628f9 100644 corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -520,24 +362,16 @@ corecmd_exec_shell(virtd_t) +@@ -520,24 +363,16 @@ corecmd_exec_shell(virtd_t) corenet_all_recvfrom_netlabel(virtd_t) corenet_tcp_sendrecv_generic_if(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t) @@ -91539,7 +92860,7 @@ index 1f22fba..cd628f9 100644 dev_rw_sysfs(virtd_t) dev_read_urand(virtd_t) dev_read_rand(virtd_t) -@@ -548,22 +382,23 @@ dev_rw_vhost(virtd_t) +@@ -548,22 +383,23 @@ dev_rw_vhost(virtd_t) dev_setattr_generic_usb_dev(virtd_t) dev_relabel_generic_usb_dev(virtd_t) @@ -91568,7 +92889,7 @@ index 1f22fba..cd628f9 100644 fs_rw_anon_inodefs_files(virtd_t) fs_list_inotifyfs(virtd_t) fs_manage_cgroup_dirs(virtd_t) -@@ -594,15 +429,18 @@ term_use_ptmx(virtd_t) +@@ -594,15 +430,18 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) @@ -91588,7 +92909,7 @@ index 1f22fba..cd628f9 100644 selinux_validate_context(virtd_t) -@@ -613,18 +451,26 @@ seutil_read_file_contexts(virtd_t) +@@ -613,18 +452,26 @@ seutil_read_file_contexts(virtd_t) sysnet_signull_ifconfig(virtd_t) sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) @@ -91625,7 +92946,7 @@ index 1f22fba..cd628f9 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -633,7 +479,7 @@ tunable_policy(`virt_use_nfs',` +@@ -633,7 +480,7 @@ tunable_policy(`virt_use_nfs',` ') tunable_policy(`virt_use_samba',` @@ -91634,7 +92955,7 @@ index 1f22fba..cd628f9 100644 fs_manage_cifs_files(virtd_t) fs_read_cifs_symlinks(virtd_t) ') -@@ -658,95 +504,326 @@ optional_policy(` +@@ -658,20 +505,12 @@ optional_policy(` ') optional_policy(` 
@@ -91648,95 +92969,82 @@ index 1f22fba..cd628f9 100644 optional_policy(` networkmanager_dbus_chat(virtd_t) ') -+') -+ -+optional_policy(` -+ dmidecode_domtrans(virtd_t) -+') -+ -+optional_policy(` -+ dnsmasq_domtrans(virtd_t) -+ dnsmasq_signal(virtd_t) -+ dnsmasq_kill(virtd_t) -+ dnsmasq_signull(virtd_t) -+ dnsmasq_create_pid_dirs(virtd_t) +- +- optional_policy(` +- policykit_dbus_chat(virtd_t) +- ') + ') + + optional_policy(` +@@ -684,14 +523,20 @@ optional_policy(` + dnsmasq_kill(virtd_t) + dnsmasq_signull(virtd_t) + dnsmasq_create_pid_dirs(virtd_t) +- dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, dir, "network") +- dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, file, "dnsmasq.pid") + dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t); -+ dnsmasq_manage_pid_files(virtd_t) -+') -+ -+optional_policy(` + dnsmasq_manage_pid_files(virtd_t) + ') + + optional_policy(` + firewalld_dbus_chat(virtd_t) +') + +optional_policy(` -+ iptables_domtrans(virtd_t) -+ iptables_initrc_domtrans(virtd_t) + iptables_domtrans(virtd_t) + iptables_initrc_domtrans(virtd_t) + iptables_systemctl(virtd_t) + + # Manages /etc/sysconfig/system-config-firewall -+ iptables_manage_config(virtd_t) -+') -+ -+optional_policy(` -+ kerberos_keytab_template(virtd, virtd_t) -+') -+ -+optional_policy(` -+ lvm_domtrans(virtd_t) -+') -+ -+optional_policy(` + iptables_manage_config(virtd_t) + ') + +@@ -704,11 +549,13 @@ optional_policy(` + ') + + optional_policy(` + # Run mount in the mount_t domain. 
-+ mount_domtrans(virtd_t) -+ mount_signal(virtd_t) -+') -+ -+optional_policy(` + mount_domtrans(virtd_t) + mount_signal(virtd_t) + ') + + optional_policy(` + policykit_dbus_chat(virtd_t) -+ policykit_domtrans_auth(virtd_t) -+ policykit_domtrans_resolve(virtd_t) -+ policykit_read_lib(virtd_t) -+') -+ -+optional_policy(` -+ qemu_exec(virtd_t) -+') -+ -+optional_policy(` + policykit_domtrans_auth(virtd_t) + policykit_domtrans_resolve(virtd_t) + policykit_read_lib(virtd_t) +@@ -719,10 +566,18 @@ optional_policy(` + ') + + optional_policy(` + sanlock_stream_connect(virtd_t) +') + +optional_policy(` -+ sasl_connect(virtd_t) -+') -+ -+optional_policy(` + sasl_connect(virtd_t) + ') + + optional_policy(` + setrans_manage_pid_files(virtd_t) +') + +optional_policy(` -+ kernel_read_xen_state(virtd_t) -+ kernel_write_xen_state(virtd_t) -+ -+ xen_exec(virtd_t) -+ xen_stream_connect(virtd_t) -+ xen_stream_connect_xenstore(virtd_t) -+ xen_read_image_files(virtd_t) -+') -+ -+optional_policy(` -+ udev_domtrans(virtd_t) -+ udev_read_db(virtd_t) -+') -+ + kernel_read_xen_state(virtd_t) + kernel_write_xen_state(virtd_t) + +@@ -737,44 +592,262 @@ optional_policy(` + udev_read_db(virtd_t) + ') + +optional_policy(` + unconfined_domain(virtd_t) +') + -+######################################## -+# + ######################################## + # +-# Virsh local policy +# virtual domains common policy -+# + # +allow virt_domain self:capability2 compromise_kernel; +allow virt_domain self:process { setrlimit signal_perms getsched setsched }; +allow virt_domain self:fifo_file rw_fifo_file_perms; 
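Review bot: `allow virt_domain self:capability2 compromise_kernel;` grants every guest domain carrying the attribute that capability with no comment explaining which feature requires it, and `optional_policy(` unconfined_domain(virtd_t) `)` makes libvirtd unconfined whenever the unconfined module is loaded; both are the rules a reviewer of a confinement policy most needs a why-comment on, e.g. `# <feature> requires compromise_kernel inside guest domains — confirm still needed` above the first and `# libvirtd runs unconfined when the unconfined module is present` above the second. Separately, `dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t);` carries a trailing `;` that no other interface call in the block has and should be dropped for consistency. Most removed/added pairs in this hunk are the virtd_t optional blocks moving onto a changed base rather than policy changes, so only the lines above are new in effect; the virt_domain block continues past the hunk.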
@@ -91745,12 +93053,21 @@ index 1f22fba..cd628f9 100644 +allow virt_domain self:unix_dgram_socket { create_socket_perms sendto }; +allow virt_domain self:tcp_socket create_stream_socket_perms; +allow virt_domain self:udp_socket create_socket_perms; -+ ++allow virt_domain self:netlink_kobject_uevent_socket create_socket_perms; + +-allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config }; +-allow virsh_t self:process { getcap getsched setsched setcap signal }; +-allow virsh_t self:fifo_file rw_fifo_file_perms; +-allow virsh_t self:unix_stream_socket { accept connectto listen }; +-allow virsh_t self:tcp_socket { accept listen }; +list_dirs_pattern(virt_domain, virt_content_t, virt_content_t) +read_files_pattern(virt_domain, virt_content_t, virt_content_t) +dontaudit virt_domain virt_content_t:file write_file_perms; +dontaudit virt_domain virt_content_t:dir write; -+ + +-manage_files_pattern(virsh_t, virt_image_type, virt_image_type) +-manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) +-manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type) +userdom_search_user_home_content(virt_domain) +userdom_read_user_home_content_symlinks(virt_domain) +userdom_read_all_users_state(virt_domain) 
@@ -91764,7 +93081,13 @@ index 1f22fba..cd628f9 100644 +manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) +manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t) +files_var_filetrans(virt_domain, virt_cache_t, { file dir }) -+ + +-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) +read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t) + +manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t) @@ -91795,13 +93118,19 @@ index 1f22fba..cd628f9 100644 +stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t) + +dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; -+ + +-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) +-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") +dontaudit virt_domain virt_tmpfs_type:file { read write }; -+ + +-dontaudit virsh_t virt_var_lib_t:file read_file_perms; +append_files_pattern(virt_domain, virt_log_t, virt_log_t) -+ + +-allow virsh_t svirt_lxc_domain:process transition; +append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -+ + +-can_exec(virsh_t, virsh_exec_t) +corecmd_exec_bin(virt_domain) +corecmd_exec_shell(virt_domain) + @@ -91848,10 +93177,7 @@ index 1f22fba..cd628f9 100644 +storage_raw_read_removable_device(virt_domain) + +sysnet_read_config(virt_domain) - -- optional_policy(` -- policykit_dbus_chat(virtd_t) -- ') ++ +term_use_all_inherited_terms(virt_domain) +term_getattr_pty_fs(virt_domain) +term_use_generic_ptys(virt_domain) 
@@ -91859,78 +93185,53 @@ index 1f22fba..cd628f9 100644 + +tunable_policy(`virt_use_execmem',` + allow virt_domain self:process { execmem execstack }; - ') - - optional_policy(` -- dmidecode_domtrans(virtd_t) ++') ++ ++optional_policy(` + alsa_read_rw_config(virt_domain) - ') - - optional_policy(` -- dnsmasq_domtrans(virtd_t) -- dnsmasq_signal(virtd_t) -- dnsmasq_kill(virtd_t) -- dnsmasq_signull(virtd_t) -- dnsmasq_create_pid_dirs(virtd_t) -- dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, dir, "network") -- dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, file, "dnsmasq.pid") -- dnsmasq_manage_pid_files(virtd_t) ++') ++ ++optional_policy(` + ptchown_domtrans(virt_domain) - ') - - optional_policy(` -- iptables_domtrans(virtd_t) -- iptables_initrc_domtrans(virtd_t) -- iptables_manage_config(virtd_t) ++') ++ ++optional_policy(` + pulseaudio_dontaudit_exec(virt_domain) - ') - - optional_policy(` -- kerberos_keytab_template(virtd, virtd_t) ++') ++ ++optional_policy(` + virt_read_config(virt_domain) + virt_read_lib_files(virt_domain) + virt_read_content(virt_domain) + virt_stream_connect(virt_domain) + virt_read_pid_symlinks(virt_domain) + virt_domtrans_bridgehelper(virt_domain) - ') ++') - optional_policy(` -- lvm_domtrans(virtd_t) ++optional_policy(` + xserver_rw_shm(virt_domain) - ') - --optional_policy(` -- mount_domtrans(virtd_t) -- mount_signal(virtd_t) ++') ++ +tunable_policy(`virt_use_comm',` + term_use_unallocated_ttys(virt_domain) + dev_rw_printer(virt_domain) - ') - --optional_policy(` -- policykit_domtrans_auth(virtd_t) -- policykit_domtrans_resolve(virtd_t) -- policykit_read_lib(virtd_t) ++') ++ +tunable_policy(`virt_use_fusefs',` + fs_manage_fusefs_dirs(virt_domain) + fs_manage_fusefs_files(virt_domain) + fs_read_fusefs_symlinks(virt_domain) + fs_getattr_fusefs(virt_domain) - ') - --optional_policy(` -- qemu_exec(virtd_t) ++') ++ +tunable_policy(`virt_use_nfs',` + fs_manage_nfs_dirs(virt_domain) + fs_manage_nfs_files(virt_domain) + 
fs_manage_nfs_named_sockets(virt_domain) + fs_read_nfs_symlinks(virt_domain) + fs_getattr_nfs(virt_domain) - ') - --optional_policy(` -- sasl_connect(virtd_t) ++') ++ +tunable_policy(`virt_use_samba',` + fs_manage_cifs_dirs(virt_domain) + fs_manage_cifs_files(virt_domain) 
@@ -91942,102 +93243,81 @@ index 1f22fba..cd628f9 100644 +tunable_policy(`virt_use_usb',` + dev_rw_usbfs(virt_domain) + dev_read_sysfs(virt_domain) ++ fs_getattr_dos_fs(virt_domain) + fs_manage_dos_dirs(virt_domain) + fs_manage_dos_files(virt_domain) - ') - - optional_policy(` -- kernel_read_xen_state(virtd_t) -- kernel_write_xen_state(virtd_t) ++') ++ ++optional_policy(` + tunable_policy(`virt_use_sanlock',` + sanlock_stream_connect(virt_domain) + ') +') - -- xen_exec(virtd_t) -- xen_stream_connect(virtd_t) -- xen_stream_connect_xenstore(virtd_t) -- xen_read_image_files(virtd_t) ++ +tunable_policy(`virt_use_rawip',` + allow virt_domain self:rawip_socket create_socket_perms; - ') - - optional_policy(` -- udev_domtrans(virtd_t) -- udev_read_db(virtd_t) ++') ++ ++optional_policy(` + tunable_policy(`virt_use_xserver',` + xserver_stream_connect(virt_domain) + ') - ') - - ######################################## - # --# Virsh local policy ++') ++ ++######################################## ++# +# xm local policy - # ++# +type virsh_t; +type virsh_exec_t; +init_system_domain(virsh_t, virsh_exec_t) +typealias virsh_t alias xm_t; +typealias virsh_exec_t alias xm_exec_t; - --allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config }; --allow virsh_t self:process { getcap getsched setsched setcap signal }; ++ +allow virsh_t self:capability { setpcap dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config }; +allow virsh_t self:process { getcap getsched setsched setcap setexec signal }; - allow virsh_t self:fifo_file rw_fifo_file_perms; --allow virsh_t self:unix_stream_socket { accept connectto listen }; --allow virsh_t self:tcp_socket { accept listen }; ++allow virsh_t self:fifo_file rw_fifo_file_perms; +allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto }; +allow virsh_t self:tcp_socket create_stream_socket_perms; + -+ps_process_pattern(virsh_t, svirt_lxc_domain) ++ps_process_pattern(virsh_t, 
svirt_sandbox_domain) + +can_exec(virsh_t, virsh_exec_t) -+virt_domtrans(virsh_t) -+virt_manage_images(virsh_t) -+virt_manage_config(virsh_t) -+virt_stream_connect(virsh_t) -+ + virt_domtrans(virsh_t) + virt_manage_images(virsh_t) + virt_manage_config(virsh_t) + virt_stream_connect(virsh_t) + +-kernel_read_crypto_sysctls(virsh_t) +manage_dirs_pattern(virsh_t, virt_lock_t, virt_lock_t) +manage_files_pattern(virsh_t, virt_lock_t, virt_lock_t) +manage_lnk_files_pattern(virsh_t, virt_lock_t, virt_lock_t) +files_lock_filetrans(virsh_t, virt_lock_t, { dir file lnk_file }) - - manage_files_pattern(virsh_t, virt_image_type, virt_image_type) - manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) -@@ -758,23 +835,16 @@ manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) - manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) - manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) - manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t) -+virt_transition_svirt_lxc(virsh_t, system_r) - --manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) --manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) --filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") -- --dontaudit virsh_t virt_var_lib_t:file read_file_perms; ++ ++manage_files_pattern(virsh_t, virt_image_type, virt_image_type) ++manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type) ++manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type) ++ ++manage_dirs_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_chr_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_lnk_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_sock_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_fifo_files_pattern(virsh_t, 
svirt_sandbox_file_t, svirt_sandbox_file_t) ++virt_transition_svirt_sandbox(virsh_t, system_r) ++ +manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +virt_filetrans_named_content(virsh_t) +filetrans_pattern(virsh_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") - --allow virsh_t svirt_lxc_domain:process transition; ++ +dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms; - --can_exec(virsh_t, virsh_exec_t) -- --virt_domtrans(virsh_t) --virt_manage_images(virsh_t) --virt_manage_config(virsh_t) --virt_stream_connect(virsh_t) -- --kernel_read_crypto_sysctls(virsh_t) ++ +kernel_write_proc_files(virsh_t) kernel_read_system_state(virsh_t) kernel_read_network_state(virsh_t) kernel_read_kernel_sysctls(virsh_t) -@@ -785,25 +855,18 @@ kernel_write_xen_state(virsh_t) +@@ -785,25 +858,18 @@ kernel_write_xen_state(virsh_t) corecmd_exec_bin(virsh_t) corecmd_exec_shell(virsh_t) @@ -92064,7 +93344,7 @@ index 1f22fba..cd628f9 100644 fs_getattr_all_fs(virsh_t) fs_manage_xenfs_dirs(virsh_t) -@@ -812,24 +875,22 @@ fs_search_auto_mountpoints(virsh_t) +@@ -812,24 +878,22 @@ fs_search_auto_mountpoints(virsh_t) storage_raw_read_fixed_disk(virsh_t) @@ -92096,7 +93376,7 @@ index 1f22fba..cd628f9 100644 tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virsh_t) fs_manage_nfs_files(virsh_t) -@@ -847,14 +908,20 @@ optional_policy(` +@@ -847,14 +911,20 @@ optional_policy(` ') optional_policy(` @@ -92118,7 +93398,7 @@ index 1f22fba..cd628f9 100644 xen_stream_connect(virsh_t) xen_stream_connect_xenstore(virsh_t) ') -@@ -879,34 +946,45 @@ optional_policy(` +@@ -879,49 +949,65 @@ optional_policy(` kernel_read_xen_state(virsh_ssh_t) kernel_write_xen_state(virsh_ssh_t) 
@@ -92148,7 +93428,7 @@ index 1f22fba..cd628f9 100644 +allow virtd_lxc_t self:netlink_route_socket rw_netlink_socket_perms; +allow virtd_lxc_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow virtd_lxc_t self:packet_socket create_socket_perms; -+ps_process_pattern(virtd_lxc_t, svirt_lxc_domain) ++ps_process_pattern(virtd_lxc_t, svirt_sandbox_domain) +allow virtd_t virtd_lxc_t:unix_stream_socket create_stream_socket_perms; -allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill }; 
@@ -92165,19 +93445,30 @@ index 1f22fba..cd628f9 100644 -manage_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -manage_sock_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) -files_pid_filetrans(virtd_lxc_t, virtd_lxc_var_run_t, { file dir }) +- +-manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_chr_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_lnk_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) +-allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom }; +-allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom }; +manage_dirs_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +manage_sock_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t) +files_pid_filetrans(virtd_lxc_t, virt_lxc_var_run_t, { file dir }) +filetrans_pattern(virtd_lxc_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc") - - manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) - manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -916,12 +994,17 @@ manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) - manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t) - allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom }; - allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom }; -+files_associate_rootfs(svirt_lxc_file_t) ++ ++manage_dirs_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_chr_files_pattern(virtd_lxc_t, 
svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_lnk_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_sock_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_fifo_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t) ++allow virtd_lxc_t svirt_sandbox_file_t:dir_file_class_set { relabelto relabelfrom }; ++allow virtd_lxc_t svirt_sandbox_file_t:filesystem { relabelto relabelfrom }; ++files_associate_rootfs(svirt_sandbox_file_t) + +seutil_read_file_contexts(virtd_lxc_t) @@ -92191,7 +93482,7 @@ index 1f22fba..cd628f9 100644 corecmd_exec_bin(virtd_lxc_t) corecmd_exec_shell(virtd_lxc_t) -@@ -933,10 +1016,8 @@ dev_read_urand(virtd_lxc_t) +@@ -933,17 +1019,16 @@ dev_read_urand(virtd_lxc_t) domain_use_interactive_fds(virtd_lxc_t) @@ -92202,15 +93493,16 @@ index 1f22fba..cd628f9 100644 files_relabel_rootfs(virtd_lxc_t) files_mounton_non_security(virtd_lxc_t) files_mount_all_file_type_fs(virtd_lxc_t) -@@ -944,6 +1025,7 @@ files_unmount_all_file_type_fs(virtd_lxc_t) + files_unmount_all_file_type_fs(virtd_lxc_t) files_list_isid_type_dirs(virtd_lxc_t) - files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set) +-files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set) ++files_root_filetrans(virtd_lxc_t, svirt_sandbox_file_t, dir_file_class_set) +fs_read_fusefs_files(virtd_lxc_t) fs_getattr_all_fs(virtd_lxc_t) fs_manage_tmpfs_dirs(virtd_lxc_t) fs_manage_tmpfs_chr_files(virtd_lxc_t) -@@ -955,15 +1037,11 @@ fs_rw_cgroup_files(virtd_lxc_t) +@@ -955,8 +1040,23 @@ fs_rw_cgroup_files(virtd_lxc_t) fs_unmount_all_fs(virtd_lxc_t) fs_relabelfrom_tmpfs(virtd_lxc_t) 
@@ -92218,48 +93510,53 @@ index 1f22fba..cd628f9 100644 + selinux_mount_fs(virtd_lxc_t) selinux_unmount_fs(virtd_lxc_t) --selinux_get_enforce_mode(virtd_lxc_t) --selinux_get_fs_mount(virtd_lxc_t) --selinux_validate_context(virtd_lxc_t) --selinux_compute_access_vector(virtd_lxc_t) --selinux_compute_create_context(virtd_lxc_t) --selinux_compute_relabel_context(virtd_lxc_t) --selinux_compute_user_contexts(virtd_lxc_t) +seutil_read_config(virtd_lxc_t) ++ ++term_use_generic_ptys(virtd_lxc_t) ++term_use_ptmx(virtd_lxc_t) ++term_relabel_pty_fs(virtd_lxc_t) ++ ++auth_use_nsswitch(virtd_lxc_t) ++ ++logging_send_syslog_msg(virtd_lxc_t) ++ ++seutil_domtrans_setfiles(virtd_lxc_t) ++seutil_read_default_contexts(virtd_lxc_t) ++ + selinux_get_enforce_mode(virtd_lxc_t) + selinux_get_fs_mount(virtd_lxc_t) + selinux_validate_context(virtd_lxc_t) +@@ -965,194 +1065,247 @@ selinux_compute_create_context(virtd_lxc_t) + selinux_compute_relabel_context(virtd_lxc_t) + selinux_compute_user_contexts(virtd_lxc_t) - term_use_generic_ptys(virtd_lxc_t) - term_use_ptmx(virtd_lxc_t) -@@ -973,21 +1051,39 @@ auth_use_nsswitch(virtd_lxc_t) +-term_use_generic_ptys(virtd_lxc_t) +-term_use_ptmx(virtd_lxc_t) +-term_relabel_pty_fs(virtd_lxc_t) ++sysnet_exec_ifconfig(virtd_lxc_t) - logging_send_syslog_msg(virtd_lxc_t) +-auth_use_nsswitch(virtd_lxc_t) ++userdom_read_admin_home_files(virtd_lxc_t) --miscfiles_read_localization(virtd_lxc_t) -- - seutil_domtrans_setfiles(virtd_lxc_t) --seutil_read_config(virtd_lxc_t) - seutil_read_default_contexts(virtd_lxc_t) +-logging_send_syslog_msg(virtd_lxc_t) ++optional_policy(` ++ dbus_system_bus_client(virtd_lxc_t) ++ init_dbus_chat(virtd_lxc_t) ++') --sysnet_domtrans_ifconfig(virtd_lxc_t) -+selinux_get_enforce_mode(virtd_lxc_t) -+selinux_get_fs_mount(virtd_lxc_t) -+selinux_validate_context(virtd_lxc_t) -+selinux_compute_access_vector(virtd_lxc_t) -+selinux_compute_create_context(virtd_lxc_t) -+selinux_compute_relabel_context(virtd_lxc_t) 
-+selinux_compute_user_contexts(virtd_lxc_t) -+ -+sysnet_exec_ifconfig(virtd_lxc_t) -+ -+userdom_read_admin_home_files(virtd_lxc_t) -+ +-miscfiles_read_localization(virtd_lxc_t) +optional_policy(` + gnome_read_generic_cache_files(virtd_lxc_t) +') -+ + +-seutil_domtrans_setfiles(virtd_lxc_t) +-seutil_read_config(virtd_lxc_t) +-seutil_read_default_contexts(virtd_lxc_t) +optional_policy(` + setrans_manage_pid_files(virtd_lxc_t) +') -+ + +-sysnet_domtrans_ifconfig(virtd_lxc_t) +optional_policy(` + unconfined_domain(virtd_lxc_t) +') 
@@ -92267,134 +93564,202 @@ index 1f22fba..cd628f9 100644 ######################################## # -# Common virt lxc domain local policy -+# virt_lxc_domain local policy - # -- ++# svirt_sandbox_domain local policy + # ++allow svirt_sandbox_domain self:key manage_key_perms; ++allow svirt_sandbox_domain self:process { getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit }; ++allow svirt_sandbox_domain self:fifo_file manage_file_perms; ++allow svirt_sandbox_domain self:sem create_sem_perms; ++allow svirt_sandbox_domain self:shm create_shm_perms; ++allow svirt_sandbox_domain self:msgq create_msgq_perms; ++allow svirt_sandbox_domain self:unix_stream_socket { create_stream_socket_perms connectto }; ++allow svirt_sandbox_domain self:unix_dgram_socket { sendto create_socket_perms }; ++ ++ ++allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto }; ++allow virtd_t svirt_sandbox_domain:process { signal_perms getattr }; ++allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms }; ++ ++allow svirt_sandbox_domain virtd_lxc_t:process sigchld; ++allow svirt_sandbox_domain virtd_lxc_t:fd use; ++allow svirt_sandbox_domain virt_lxc_var_run_t:dir list_dir_perms; ++allow svirt_sandbox_domain virt_lxc_var_run_t:file read_file_perms; ++allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; ++ ++manage_dirs_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++rw_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) 
++rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t) ++can_exec(svirt_sandbox_domain, svirt_sandbox_file_t) ++allow svirt_sandbox_domain svirt_sandbox_file_t:dir mounton; ++allow svirt_sandbox_domain svirt_sandbox_file_t:filesystem getattr; ++ ++kernel_getattr_proc(svirt_sandbox_domain) ++kernel_list_all_proc(svirt_sandbox_domain) ++kernel_read_all_sysctls(svirt_sandbox_domain) ++kernel_rw_net_sysctls(svirt_sandbox_domain) ++kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain) ++ ++corecmd_exec_all_executables(svirt_sandbox_domain) ++ ++files_dontaudit_getattr_all_dirs(svirt_sandbox_domain) ++files_dontaudit_getattr_all_files(svirt_sandbox_domain) ++files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain) ++files_dontaudit_getattr_all_pipes(svirt_sandbox_domain) ++files_dontaudit_getattr_all_sockets(svirt_sandbox_domain) ++files_dontaudit_list_all_mountpoints(svirt_sandbox_domain) ++files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain) ++files_entrypoint_all_files(svirt_sandbox_domain) ++files_list_var(svirt_sandbox_domain) ++files_list_var_lib(svirt_sandbox_domain) ++files_search_all(svirt_sandbox_domain) ++files_read_config_files(svirt_sandbox_domain) ++files_read_usr_symlinks(svirt_sandbox_domain) ++files_search_locks(svirt_sandbox_domain) ++ ++fs_getattr_all_fs(svirt_sandbox_domain) ++fs_list_inotifyfs(svirt_sandbox_domain) ++fs_rw_inherited_tmpfs_files(svirt_sandbox_domain) ++fs_read_fusefs_files(svirt_sandbox_domain) ++ ++auth_dontaudit_read_passwd(svirt_sandbox_domain) ++auth_dontaudit_read_login_records(svirt_sandbox_domain) ++auth_dontaudit_write_login_records(svirt_sandbox_domain) ++auth_search_pam_console_data(svirt_sandbox_domain) ++ ++clock_read_adjtime(svirt_sandbox_domain) ++ ++init_read_utmp(svirt_sandbox_domain) ++init_dontaudit_write_utmp(svirt_sandbox_domain) ++ ++libs_dontaudit_setattr_lib_files(svirt_sandbox_domain) ++ ++miscfiles_dontaudit_access_check_cert(svirt_sandbox_domain) 
++miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_sandbox_domain) ++miscfiles_read_fonts(svirt_sandbox_domain) ++miscfiles_read_hwdata(svirt_sandbox_domain) ++ ++systemd_read_unit_files(svirt_sandbox_domain) ++ ++userdom_use_inherited_user_terminals(svirt_sandbox_domain) ++userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain) ++userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain) ++ ++optional_policy(` ++ apache_exec_modules(svirt_sandbox_domain) ++ apache_read_sys_content(svirt_sandbox_domain) ++') + -allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot }; -allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid }; -+allow svirt_lxc_domain self:key manage_key_perms; -+allow svirt_lxc_domain self:process { getattr signal_perms getsched setsched setcap setpgid setrlimit }; - allow svirt_lxc_domain self:fifo_file manage_file_perms; - allow svirt_lxc_domain self:sem create_sem_perms; - allow svirt_lxc_domain self:shm create_shm_perms; -@@ -995,18 +1091,16 @@ allow svirt_lxc_domain self:msgq create_msgq_perms; - allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; - allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; - +-allow svirt_lxc_domain self:fifo_file manage_file_perms; +-allow svirt_lxc_domain self:sem create_sem_perms; +-allow svirt_lxc_domain self:shm create_shm_perms; +-allow svirt_lxc_domain self:msgq create_msgq_perms; +-allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto }; +-allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms }; +- -allow svirt_lxc_domain virtd_lxc_t:fd use; -allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms; -allow svirt_lxc_domain virtd_lxc_t:process sigchld; - -allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; - +- -allow svirt_lxc_domain 
virsh_t:fd use; -allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms; -allow svirt_lxc_domain virsh_t:process sigchld; -+allow virtd_t svirt_lxc_domain:unix_stream_socket { create_stream_socket_perms connectto }; -+allow virtd_t svirt_lxc_domain:process { signal_perms getattr }; -+allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched setrlimit transition signal_perms }; - +- -allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms; -allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms; -+allow svirt_lxc_domain virtd_lxc_t:process sigchld; -+allow svirt_lxc_domain virtd_lxc_t:fd use; -+allow svirt_lxc_domain virt_lxc_var_run_t:dir list_dir_perms; -+allow svirt_lxc_domain virt_lxc_var_run_t:file read_file_perms; -+allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms }; - - manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) - manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -@@ -1015,17 +1109,14 @@ manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) - manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) - rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) - rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) -- -+can_exec(svirt_lxc_domain, svirt_lxc_file_t) - allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton; - allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr; - +- +-manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +-rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) 
+-rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t) +- +-allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton; +-allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr; +- -can_exec(svirt_lxc_domain, svirt_lxc_file_t) - - kernel_getattr_proc(svirt_lxc_domain) - kernel_list_all_proc(svirt_lxc_domain) +-kernel_getattr_proc(svirt_lxc_domain) +-kernel_list_all_proc(svirt_lxc_domain) -kernel_read_kernel_sysctls(svirt_lxc_domain) -+kernel_read_all_sysctls(svirt_lxc_domain) - kernel_rw_net_sysctls(svirt_lxc_domain) +-kernel_rw_net_sysctls(svirt_lxc_domain) -kernel_read_system_state(svirt_lxc_domain) - kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) - - corecmd_exec_all_executables(svirt_lxc_domain) -@@ -1037,21 +1128,20 @@ files_dontaudit_getattr_all_pipes(svirt_lxc_domain) - files_dontaudit_getattr_all_sockets(svirt_lxc_domain) - files_dontaudit_list_all_mountpoints(svirt_lxc_domain) - files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) +-kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain) +- +-corecmd_exec_all_executables(svirt_lxc_domain) +- +-files_dontaudit_getattr_all_dirs(svirt_lxc_domain) +-files_dontaudit_getattr_all_files(svirt_lxc_domain) +-files_dontaudit_getattr_all_symlinks(svirt_lxc_domain) +-files_dontaudit_getattr_all_pipes(svirt_lxc_domain) +-files_dontaudit_getattr_all_sockets(svirt_lxc_domain) +-files_dontaudit_list_all_mountpoints(svirt_lxc_domain) +-files_dontaudit_write_etc_runtime_files(svirt_lxc_domain) -# files_entrypoint_all_files(svirt_lxc_domain) -+files_entrypoint_all_files(svirt_lxc_domain) - files_list_var(svirt_lxc_domain) - files_list_var_lib(svirt_lxc_domain) - files_search_all(svirt_lxc_domain) - files_read_config_files(svirt_lxc_domain) +-files_list_var(svirt_lxc_domain) +-files_list_var_lib(svirt_lxc_domain) +-files_search_all(svirt_lxc_domain) +-files_read_config_files(svirt_lxc_domain) -files_read_usr_files(svirt_lxc_domain) - files_read_usr_symlinks(svirt_lxc_domain) 
-+files_search_locks(svirt_lxc_domain) - - fs_getattr_all_fs(svirt_lxc_domain) - fs_list_inotifyfs(svirt_lxc_domain) -+fs_rw_inherited_tmpfs_files(svirt_lxc_domain) -+fs_read_fusefs_files(svirt_lxc_net_t) - +-files_read_usr_symlinks(svirt_lxc_domain) +- +-fs_getattr_all_fs(svirt_lxc_domain) +-fs_list_inotifyfs(svirt_lxc_domain) +- -# fs_rw_inherited_tmpfs_files(svirt_lxc_domain) -# fs_rw_inherited_cifs_files(svirt_lxc_domain) -# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain) - -+auth_dontaudit_read_passwd(svirt_lxc_domain) - auth_dontaudit_read_login_records(svirt_lxc_domain) - auth_dontaudit_write_login_records(svirt_lxc_domain) - auth_search_pam_console_data(svirt_lxc_domain) -@@ -1063,96 +1153,93 @@ init_dontaudit_write_utmp(svirt_lxc_domain) - - libs_dontaudit_setattr_lib_files(svirt_lxc_domain) - +-auth_dontaudit_read_login_records(svirt_lxc_domain) +-auth_dontaudit_write_login_records(svirt_lxc_domain) +-auth_search_pam_console_data(svirt_lxc_domain) +- +-clock_read_adjtime(svirt_lxc_domain) +- +-init_read_utmp(svirt_lxc_domain) +-init_dontaudit_write_utmp(svirt_lxc_domain) +- +-libs_dontaudit_setattr_lib_files(svirt_lxc_domain) +- -miscfiles_read_localization(svirt_lxc_domain) - miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain) - miscfiles_read_fonts(svirt_lxc_domain) -+miscfiles_read_hwdata(svirt_lxc_domain) -+ -+systemd_read_unit_files(svirt_lxc_domain) -+ -+userdom_use_inherited_user_terminals(svirt_lxc_domain) -+userdom_dontaudit_append_inherited_admin_home_file(svirt_lxc_domain) -+userdom_dontaudit_read_inherited_admin_home_files(svirt_lxc_domain) -+ +-miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain) +-miscfiles_read_fonts(svirt_lxc_domain) +- +-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) +optional_policy(` -+ apache_exec_modules(svirt_lxc_domain) -+ apache_read_sys_content(svirt_lxc_domain) ++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain) +') + +optional_policy(` -+ 
mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) -+') - --mta_dontaudit_read_spool_symlinks(svirt_lxc_domain) -+optional_policy(` -+ ssh_use_ptys(svirt_lxc_net_t) ++ ssh_use_ptys(svirt_sandbox_domain) +') optional_policy(` - udev_read_pid_files(svirt_lxc_domain) +- udev_read_pid_files(svirt_lxc_domain) ++ udev_read_pid_files(svirt_sandbox_domain) ') optional_policy(` - apache_exec_modules(svirt_lxc_domain) - apache_read_sys_content(svirt_lxc_domain) -+ userhelper_dontaudit_write_config(svirt_lxc_domain) ++ userhelper_dontaudit_write_config(svirt_sandbox_domain) ') --######################################## --# + ######################################## + # -# Lxc net local policy --# -+virt_lxc_domain_template(svirt_lxc_net) ++# svirt_lxc_net_t local policy + # ++virt_sandbox_domain_template(svirt_lxc_net) -allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap }; +allow svirt_lxc_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid net_raw net_admin net_bind_service sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap }; @@ -92450,13 +93815,13 @@ index 1f22fba..cd628f9 100644 - files_read_kernel_modules(svirt_lxc_net_t) -+fs_noxattr_type(svirt_lxc_file_t) ++fs_noxattr_type(svirt_sandbox_file_t) fs_mount_cgroup(svirt_lxc_net_t) fs_manage_cgroup_dirs(svirt_lxc_net_t) -fs_rw_cgroup_files(svirt_lxc_net_t) +fs_manage_cgroup_files(svirt_lxc_net_t) + -+term_pty(svirt_lxc_file_t) ++term_pty(svirt_sandbox_file_t) auth_use_nsswitch(svirt_lxc_net_t) 
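Review bot: Several grants that the earlier version scoped to svirt_lxc_net_t are attached to the whole svirt_sandbox_domain attribute in this hunk — `allow svirt_sandbox_domain svirt_sandbox_file_t:dir mounton;`, the `:filesystem getattr` rule under it, `fs_read_fusefs_files(svirt_sandbox_domain)` and `ssh_use_ptys(svirt_sandbox_domain)` — so every domain produced by virt_sandbox_domain_template inherits them, not only the lxc one. If that widening is intended, a one-line comment above the block such as `# mounton/fusefs/pty access is attribute-wide so all sandbox domains (lxc and qemu) behave alike` would record it; otherwise keep those four rules on svirt_lxc_net_t. The rest of the hunk appears to be the svirt_lxc_* to svirt_sandbox_* rename and reads consistently.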
@@ -92469,14 +93834,62 @@ index 1f22fba..cd628f9 100644 -optional_policy(` - rpm_read_db(svirt_lxc_net_t) -') -- + -####################################### --# ++######################################## + # -# Prot exec local policy --# -- ++# svirt_lxc_net_t local policy + # ++virt_sandbox_domain_template(svirt_qemu_net) ++ ++allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid net_raw net_admin net_bind_service sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap }; ++dontaudit svirt_qemu_net_t self:capability2 block_suspend; ++allow svirt_qemu_net_t self:process { execstack execmem }; ++allow svirt_qemu_net_t self:netlink_socket create_socket_perms; ++allow svirt_qemu_net_t self:udp_socket create_socket_perms; ++allow svirt_qemu_net_t self:tcp_socket create_stream_socket_perms; ++allow svirt_qemu_net_t self:netlink_route_socket create_netlink_socket_perms; ++allow svirt_qemu_net_t self:packet_socket create_socket_perms; ++allow svirt_qemu_net_t self:socket create_socket_perms; ++allow svirt_qemu_net_t self:rawip_socket create_socket_perms; ++allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms; ++allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms; + -allow svirt_prot_exec_t self:process { execmem execstack }; -- ++kernel_read_network_state(svirt_qemu_net_t) ++kernel_read_irq_sysctls(svirt_qemu_net_t) ++ ++dev_read_sysfs(svirt_qemu_net_t) ++dev_getattr_mtrr_dev(svirt_qemu_net_t) ++dev_read_rand(svirt_qemu_net_t) ++dev_read_urand(svirt_qemu_net_t) ++ ++corenet_tcp_bind_generic_node(svirt_qemu_net_t) ++corenet_udp_bind_generic_node(svirt_qemu_net_t) ++corenet_tcp_sendrecv_all_ports(svirt_qemu_net_t) ++corenet_udp_sendrecv_all_ports(svirt_qemu_net_t) ++corenet_udp_bind_all_ports(svirt_qemu_net_t) ++corenet_tcp_bind_all_ports(svirt_qemu_net_t) ++corenet_tcp_connect_all_ports(svirt_qemu_net_t) ++ 
++files_read_kernel_modules(svirt_qemu_net_t) ++ ++fs_noxattr_type(svirt_sandbox_file_t) ++fs_mount_cgroup(svirt_qemu_net_t) ++fs_manage_cgroup_dirs(svirt_qemu_net_t) ++fs_manage_cgroup_files(svirt_qemu_net_t) ++ ++term_pty(svirt_sandbox_file_t) ++ ++auth_use_nsswitch(svirt_qemu_net_t) ++ ++rpm_read_db(svirt_qemu_net_t) ++ ++logging_send_audit_msgs(svirt_qemu_net_t) ++ ++userdom_use_user_ptys(svirt_qemu_net_t) + ######################################## # -# Qmf local policy @@ -92491,7 +93904,7 @@ index 1f22fba..cd628f9 100644 allow virt_qmf_t self:tcp_socket create_stream_socket_perms; allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms; -@@ -1165,12 +1252,12 @@ dev_read_sysfs(virt_qmf_t) +@@ -1165,12 +1318,12 @@ dev_read_sysfs(virt_qmf_t) dev_read_rand(virt_qmf_t) dev_read_urand(virt_qmf_t) @@ -92506,7 +93919,7 @@ index 1f22fba..cd628f9 100644 sysnet_read_config(virt_qmf_t) optional_policy(` -@@ -1183,9 +1270,8 @@ optional_policy(` +@@ -1183,9 +1336,8 @@ optional_policy(` ######################################## # @@ -92517,7 +93930,7 @@ index 1f22fba..cd628f9 100644 allow virt_bridgehelper_t self:process { setcap getcap }; allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin }; allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms; -@@ -1198,5 +1284,121 @@ kernel_read_network_state(virt_bridgehelper_t) +@@ -1198,5 +1350,120 @@ kernel_read_network_state(virt_bridgehelper_t) corenet_rw_tun_tap_dev(virt_bridgehelper_t) @@ -92640,7 +94053,6 @@ index 1f22fba..cd628f9 100644 + userdom_transition(virtd_t) + userdom_transition(virtd_lxc_t) +') -+ diff --git a/vlock.te b/vlock.te index 9ead775..b5285e7 100644 --- a/vlock.te @@ -93063,10 +94475,20 @@ index 9329eae..824e86f 100644 - seutil_use_newrole_fds(vpnc_t) -') diff --git a/watchdog.te b/watchdog.te -index 29f79e8..c58abd5 100644 +index 29f79e8..9e403ee 100644 --- a/watchdog.te 
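Review bot: The header comment introduced for the new block reads `# svirt_lxc_net_t local policy`, but the block declares `virt_sandbox_domain_template(svirt_qemu_net)` and every rule below it targets svirt_qemu_net_t, so it should read `# svirt_qemu_net_t local policy`. `fs_noxattr_type(svirt_sandbox_file_t)` and `term_pty(svirt_sandbox_file_t)` are repeated here although the svirt_lxc_net_t section above already applies them to the same type; the duplicates are harmless but should be dropped. `rpm_read_db(svirt_qemu_net_t)` is called bare, whereas the earlier lxc version of this section appears to have wrapped the call in `optional_policy(`...`)`; unless the rpm module is a hard dependency, wrap it the same way. The capability and socket set is a verbatim copy of the svirt_lxc_net_t one (sys_admin, sys_ptrace, sys_chroot, net_admin, ...), so it is worth confirming that a qemu sandbox domain actually needs each of them rather than inheriting the container set.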
+++ b/watchdog.te -@@ -63,7 +63,6 @@ domain_signull_all_domains(watchdog_t) +@@ -30,7 +30,8 @@ allow watchdog_t self:fifo_file rw_fifo_file_perms; + allow watchdog_t self:tcp_socket { accept listen }; + + allow watchdog_t watchdog_log_t:file { append_file_perms create_file_perms setattr_file_perms }; +-logging_log_filetrans(watchdog_t, watchdog_log_t, file) ++manage_dirs_pattern(watchdog_t,watchdog_log_t,watchdog_log_t) ++logging_log_filetrans(watchdog_t, watchdog_log_t,{dir file}) + + manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t) + files_pid_filetrans(watchdog_t, watchdog_var_run_t, file) +@@ -63,7 +64,6 @@ domain_signull_all_domains(watchdog_t) domain_signal_all_domains(watchdog_t) domain_kill_all_domains(watchdog_t) @@ -93074,7 +94496,7 @@ index 29f79e8..c58abd5 100644 files_manage_etc_runtime_files(watchdog_t) files_etc_filetrans_etc_runtime(watchdog_t, file) -@@ -75,8 +74,6 @@ auth_append_login_records(watchdog_t) +@@ -75,8 +75,6 @@ auth_append_login_records(watchdog_t) logging_send_syslog_msg(watchdog_t) @@ -93590,7 +95012,7 @@ index 304ae09..c1d10a1 100644 -/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0) +/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0) diff --git a/wm.if b/wm.if -index 25b702d..177cf16 100644 +index 25b702d..36b2f81 100644 --- a/wm.if +++ b/wm.if @@ -1,4 +1,4 @@ @@ -93599,7 +95021,7 @@ index 25b702d..177cf16 100644 ####################################### ## -@@ -29,58 +29,44 @@ +@@ -29,54 +29,46 @@ # template(`wm_role_template',` gen_require(` @@ -93650,6 +95072,8 @@ index 25b702d..177cf16 100644 + + kernel_read_system_state($1_wm_t) + ++ auth_use_nsswitch($1_wm_t) ++ mls_file_read_all_levels($1_wm_t) mls_file_write_all_levels($1_wm_t) mls_xwin_read_all_levels($1_wm_t) 
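Review bot: `manage_dirs_pattern(watchdog_t,watchdog_log_t,watchdog_log_t)` and `logging_log_filetrans(watchdog_t, watchdog_log_t,{dir file})` lack the spaces after commas and inside braces used everywhere else in this file, e.g. `files_pid_filetrans(watchdog_t, watchdog_var_run_t, file)` two lines below; write them `manage_dirs_pattern(watchdog_t, watchdog_log_t, watchdog_log_t)` and `logging_log_filetrans(watchdog_t, watchdog_log_t, { dir file })`. The file rule on the line above is deliberately limited to append/create/setattr, while manage_dirs_pattern grants full directory management (including delete and rename) on watchdog_log_t; if the daemon only needs to create its log directory, `create_dirs_pattern` keeps the log type closer to append-only. A short comment stating why a directory is now created under the log type would help the next reader.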
@@ -93667,14 +95091,10 @@ index 25b702d..177cf16 100644 - ') - ') - -- optional_policy(` -- pulseaudio_run($1_wm_t, $2) -- ') -- optional_policy(` - xserver_role($2, $1_wm_t) - xserver_manage_core_devices($1_wm_t) -@@ -89,7 +75,7 @@ template(`wm_role_template',` + pulseaudio_run($1_wm_t, $2) + ') +@@ -89,7 +81,7 @@ template(`wm_role_template',` ######################################## ## @@ -93683,7 +95103,7 @@ index 25b702d..177cf16 100644 ## ## ## -@@ -102,33 +88,5 @@ interface(`wm_exec',` +@@ -102,33 +94,5 @@ interface(`wm_exec',` type wm_exec_t; ') @@ -93718,10 +95138,10 @@ index 25b702d..177cf16 100644 - allow $1_wm_t $2:dbus send_msg; -') diff --git a/wm.te b/wm.te -index 7c7f7fa..dfeac3e 100644 +index 7c7f7fa..20ce90b 100644 --- a/wm.te +++ b/wm.te -@@ -1,36 +1,40 @@ +@@ -1,36 +1,88 @@ -policy_module(wm, 1.2.5) +policy_module(wm, 1.2.0) + 
@@ -93743,28 +95163,75 @@ index 7c7f7fa..dfeac3e 100644 +corecmd_executable_file(wm_exec_t) allow wm_domain self:fifo_file rw_fifo_file_perms; - allow wm_domain self:process getsched; +-allow wm_domain self:process getsched; ++allow wm_domain self:process { setcap setrlimit execmem signal_perms getsched setsched }; ++allow wm_domain self:netlink_kobject_uevent_socket create_socket_perms; ++ allow wm_domain self:shm create_shm_perms; allow wm_domain self:unix_dgram_socket create_socket_perms; -kernel_read_system_state(wm_domain) - dev_read_urand(wm_domain) - --files_read_usr_files(wm_domain) ++dev_read_sound(wm_domain) ++dev_write_sound(wm_domain) ++dev_rw_wireless(wm_domain) ++dev_read_sysfs(wm_domain) + -+fs_getattr_tmpfs(wm_domain) ++fs_getattr_all_fs(wm_domain) + ++corecmd_dontaudit_access_all_executables(wm_domain) ++corecmd_getattr_all_executables(wm_domain) + +-files_read_usr_files(wm_domain) +application_signull(wm_domain) ++ ++init_read_state(wm_domain) miscfiles_read_fonts(wm_domain) -miscfiles_read_localization(wm_domain) -userdom_manage_user_tmp_sockets(wm_domain) -userdom_tmp_filetrans_user_tmp(wm_domain, sock_file) ++systemd_dbus_chat_logind(wm_domain) ++systemd_read_logind_sessions_files(wm_domain) ++systemd_write_inhibit_pipes(wm_domain) ++systemd_login_read_pid_files(wm_domain) ++ ++userdom_read_user_home_content_files(wm_domain) ++ ++udev_read_pid_files(wm_domain) ++ ++optional_policy(` ++ gnome_stream_connect_gkeyringd(wm_domain) ++') ++ +optional_policy(` + dbus_system_bus_client(wm_domain) + dbus_session_bus_client(wm_domain) ++ optional_policy(` ++ accountsd_dbus_chat(wm_domain) ++ ') ++ ++ optional_policy(` ++ bluetooth_dbus_chat(wm_domain) ++ ') ++ ++ optional_policy(` ++ devicekit_dbus_chat_power(wm_domain) ++ ') ++ ++ optional_policy(` ++ networkmanager_dbus_chat(wm_domain) ++ ') ++ ++ optional_policy(` ++ policykit_dbus_chat(wm_domain) ++ ') ++ ++ optional_policy(` ++ systemd_dbus_chat_logind(wm_domain) ++ ') +') + +optional_policy(` 
@@ -93772,13 +95239,15 @@ index 7c7f7fa..dfeac3e 100644 +') + +optional_policy(` -+ xserver_manage_core_devices(wm_domain) ++ userhelper_exec_console(wm_domain) +') -+ -userdom_manage_user_home_content_dirs(wm_domain) -userdom_manage_user_home_content_files(wm_domain) -userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file }) ++optional_policy(` ++ xserver_manage_core_devices(wm_domain) ++') diff --git a/xen.fc b/xen.fc index 42d83b0..7977c2c 100644 --- a/xen.fc diff --git a/selinux-policy.spec b/selinux-policy.spec index 1d7d795..609d27e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 70%{?dist} +Release: 76%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -69,6 +69,33 @@ SELinux Base package %ghost %config(noreplace) %{_sysconfdir}/selinux/config %ghost %{_sysconfdir}/sysconfig/selinux %{_usr}/lib/tmpfiles.d/selinux-policy.conf +%{_rpmconfigdir}/macros.d/selinux-policy.macros + +%package sandbox +Summary: SELinux policy sandbox +Group: System Environment/Base +Requires(pre): selinux-policy-base = %{version}-%{release} + +%description sandbox +SELinux sandbox policy used for the policycoreutils-sandbox package + +%files sandbox +%defattr(-,root,root,-) +%verify(not md5 size mtime) /usr/share/selinux/packages/sandbox.pp + +%post sandbox +rm -f /etc/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null +semodule -n -i /usr/share/selinux/packages/sandbox.pp +if /usr/sbin/selinuxenabled ; then + /usr/sbin/load_policy +fi; +exit 0 + +%preun sandbox +semodule -n -d sandbox 2>/dev/null +if /usr/sbin/selinuxenabled ; then + /usr/sbin/load_policy +fi;exit 0 %package devel Summary: SELinux policy devel 
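Review bot: The new `allow wm_domain self:process { setcap setrlimit execmem signal_perms getsched setsched };` adds `execmem`, which permits anonymous writable-and-executable memory mappings and drops the W^X protection that makes memory-corruption bugs in a window manager harder to turn into code execution; if wm_domain is the attribute carried by every per-role `$1_wm_t` (as the template in wm.if suggests), this lands on all of them at once. If a single WM needs it, it belongs behind a boolean or in that program's own rules, and either way it wants a why-comment naming the consumer, e.g. `# execmem: required by <wm> for <reason>; do not widen to the whole attribute`. Separately, `systemd_dbus_chat_logind(wm_domain)` appears twice in this hunk, once unconditionally beside the other `systemd_*` calls and again inside the dbus `optional_policy` block, so the optional copy is dead and one of them should go. The broad `userdom_read_user_home_content_files(wm_domain)` and `dev_rw_wireless(wm_domain)` are not obviously WM functionality and deserve a one-line justification each.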
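Review bot: `%preun sandbox` runs `semodule -n -d sandbox` unconditionally, but rpm also runs the outgoing package's %preun during an upgrade, after the incoming package's %post has already installed the module, so upgrading selinux-policy-sandbox will leave the sandbox module disabled. Guard the disable with the erase check, `if [ $1 -eq 0 ]; then semodule -n -d sandbox 2>/dev/null; fi`, the same way the %post macro later in this spec tests its `%1` argument. Both scriptlets also end in `exit 0` after discarding semodule's status, so a failed `semodule -n -i` in %post is silent; at minimum its failure should be logged rather than masked. The %post `semodule -n -i` names no store with `-s`, so it installs only into the store selected by /etc/selinux/config while the preceding `rm -f` globs every store; whether that asymmetry is intended is worth a comment.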
@@ -157,7 +184,8 @@ bzip2 -c %{buildroot}/%{_usr}/share/selinux/%1/base.pp > %{buildroot}/%{_syscon
rm -f %{buildroot}/%{_usr}/share/selinux/%1/base.pp \
for i in %{buildroot}/%{_usr}/share/selinux/%1/*.pp; do bzip2 -c $i > %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules/`basename $i`; done \
rm -f %{buildroot}/%{_usr}/share/selinux/%1/*pp* \
-touch %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/modules/sandbox.pp.disabled \
+mkdir -p %{buildroot}%{_usr}/share/selinux/packages \
+mv %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active/modules/sandbox.pp %{buildroot}/usr/share/selinux/packages \
/usr/sbin/semodule -s %1 -n -B -p %{buildroot}; \
/usr/bin/sha512sum %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} | cut -d' ' -f 1 > %{buildroot}%{_sysconfdir}/selinux/%1/.policy.sha512; \
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/contexts/netfilter_contexts \
@@ -187,7 +215,6 @@ rm -f %{buildroot}/%{_sysconfigdir}/selinux/%1/modules/active/policy.kern
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/users_extra \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/homedir_template \
%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/modules/*.pp \
-%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/modules/active/modules/sandbox.pp.disabled \
%ghost %{_sysconfdir}/selinux/%1/modules/active/*.local \
%ghost %{_sysconfdir}/selinux/%1/modules/active/*.bin \
%ghost %{_sysconfdir}/selinux/%1/modules/active/seusers \
@@ -236,7 +263,7 @@ fi; \
if /sbin/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then \
continue; \
fi; \
-if /sbin/restorecon -R /home/*/.cache /home/*/.config 2> /dev/null;then \
+if /sbin/restorecon -R /home/*/.config 2> /dev/null;then \
continue; \
fi; 
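Review bot: The new `mv` line writes to the literal `%{buildroot}/usr/share/selinux/packages` while the `mkdir -p` directly above it uses `%{buildroot}%{_usr}/share/selinux/packages`; use the macro on both lines so the two paths cannot diverge. More importantly, this macro takes the policy type as `%1` and looks like it is expanded once per type, in which case each expansion moves its own store's `sandbox.pp` onto the same destination and the packaged file is whichever type was built last — that needs confirming, and if so the module should be placed per type (e.g. `%{buildroot}%{_usr}/share/selinux/packages/%1/sandbox.pp`) or the sandbox subpackage should state which policy type it was built against. The `%post sandbox` scriptlet elsewhere in this spec installs that single file into the default store, so a type mismatch would only surface at policy load time.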
@@ -263,8 +290,6 @@ if [ -e /etc/selinux/%2/.rebuild ]; then \ rm /etc/selinux/%2/.rebuild; \ (cd /etc/selinux/%2/modules/active/modules; rm -f l2tpd.pp shutdown.pp amavis.pp clamav.pp gnomeclock.pp matahari.pp xfs.pp kudzu.pp kerneloops.pp execmem.pp openoffice.pp ada.pp tzdata.pp hal.pp hotplug.pp howl.pp java.pp mono.pp moilscanner.pp gamin.pp audio_entropy.pp audioentropy.pp iscsid.pp polkit_auth.pp polkit.pp rtkit_daemon.pp ModemManager.pp telepathysofiasip.pp ethereal.pp passanger.pp qpidd.pp pyzor.pp razor.pp pki-selinux.pp phpfpm.pp consoletype.pp ctdbd.pp fcoemon.pp isnsd.pp rgmanager.pp corosync.pp aisexec.pp pacemaker.pp ) \ /usr/sbin/semodule -B -n -s %2; \ -else \ - touch /etc/selinux/%2/modules/active/modules/sandbox.disabled \ fi; \ [ "${SELINUXTYPE}" == "%2" ] && selinuxenabled && load_policy; \ if [ %1 -eq 1 ]; then \ @@ -360,7 +385,9 @@ mkdir %{buildroot}%{_usr}/share/selinux/devel/html htmldir=`compgen -d %{buildroot}%{_usr}/share/man/man8/` mv ${htmldir}/* %{buildroot}%{_usr}/share/selinux/devel/html rm -rf ${htmldir} -mkdir %{buildroot}%{_usr}/share/selinux/packages/ + +mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d +echo '%%_selinux_policy_version %{version}-%{release}' > %{buildroot}%{_rpmconfigdir}/macros.d/selinux-policy.macros rm -rf selinux_config %clean @@ -438,7 +465,11 @@ exit 0 selinuxenabled && semodule -nB exit 0 -%triggerpostun targeted -- selinux-policy-targeted < 3.12.1-7.fc19 +%triggerpostun -- selinux-policy-targeted < 3.12.1-74 +rm -f /etc/selinux/*/modules/active/modules/sandbox.pp.disabled 2>/dev/null +exit 0 + +%triggerpostun targeted -- selinux-policy-targeted < 3.12.1-75 restorecon -R -p /home exit 0 
@@ -538,6 +569,117 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Sep 4 2013 Miroslav Grepl 3.12.1-76 +- Cleanup related to init_domain()+inetd_domain fixes +- Use just init_domain instead of init_daemon_domain in inetd_core_service_domain +- svirt domains neeed to create kobject_uevint_sockets +- Lots of new access required for sosreport +- Allow tgtd_t to connect to isns ports +- Allow init_t to transition to all inetd domains: +- openct needs to be able to create netlink_object_uevent_sockets +- Dontaudit leaks into ldconfig_t +- Dontaudit su domains getattr on /dev devices, move su domains to attribute based calls +- Move kernel_stream_connect into all Xwindow using users +- Dontaudit inherited lock files in ifconfig o dhcpc_t + +* Tue Sep 3 2013 Miroslav Grepl 3.12.1-75 +- Also sock_file trans rule is needed in lsm +- Fix labeling for fetchmail pid files/dirs +- Add additional fixes for abrt-upload-watch +- Fix polipo.te +- Fix transition rules in asterisk policy +- Add fowner capability to networkmanager policy +- Allow polipo to connect to tor ports +- Cleanup lsmd.if +- Cleanup openhpid policy +- Fix kdump_read_crash() interface +- Make more domains as init domain +- Fix cupsd.te +- Fix requires in rpm_rw_script_inherited_pipes +- Fix interfaces in lsm.if +- Allow munin service plugins to manage own tmpfs files/dirs +- Allow virtd_t also relabel unix stream sockets for virt_image_type +- Make ktalk as init domain +- Fix to define ktalkd_unit_file_t correctly +- Fix ktalk.fc +- Add systemd support for talk-server +- Allow glusterd to create sock_file in /run +- Allow xdm_t to delete gkeyringd_tmp_t files on logout +- Add fixes for hypervkvp policy +- Add logwatch_can_sendmail boolean +- Allow mysqld_safe_t to handle also symlinks in /var/log/mariadb +- Allow xdm_t to delete gkeyringd_tmp_t files on logout + +* Thu Aug 29 2013 Miroslav Grepl 3.12.1-74 +- Add selinux-policy-sandbox pkg + +* Tue Aug 27 2013 Miroslav Grepl 3.12.1-73 +0 +- 
Allow rhsmcertd to read init state +- Allow fsetid for pkcsslotd +- Fix labeling for /usr/lib/systemd/system/pkcsslotd.service +- Allow fetchmail to create own pid with correct labeling +- Fix rhcs_domain_template() +- Allow roles which can run mock to read mock lib files to view results +- Allow rpcbind to use nsswitch +- Fix lsm.if summary +- Fix collectd_t can read /etc/passwd file +- Label systemd unit files under dracut correctly +- Add support for pam_mount to mount user's encrypted home When a user logs in and logs out using ssh +- Add support for .Xauthority-n +- Label umount.crypt as lvm_exec_t +- Allow syslogd to search psad lib files +- Allow ssh_t to use /dev/ptmx +- Make sure /run/pluto dir is created with correct labeling +- Allow syslog to run shell and bin_t commands +- Allow ip to relabel tun_sockets +- Allow mount to create directories in files under /run +- Allow processes to use inherited fifo files + +* Fri Aug 23 2013 Miroslav Grepl 3.12.1-72 +- Add policy for lsmd +- Add support for /var/log/mariadb dir and allow mysqld_safe to list this directory +- Update condor_master rules to allow read system state info and allow logging +- Add labeling for /etc/condor and allow condor domain to write it (bug) +- Allow condor domains to manage own logs +- Allow glusterd to read domains state +- Fix initial hypervkvp policy +- Add policy for hypervkvpd +- Fix redis.if summary + +* Wed Aug 21 2013 Miroslav Grepl 3.12.1-71 +- Allow boinc to connect to @/tmp/.X11-unix/X0 +- Allow beam.smp to connect to tcp/5984 +- Allow named to manage own log files +- Add label for /usr/libexec/dcc/start-dccifd and domtrans to dccifd_t +- Add virt_transition_userdomain boolean decl +- Allow httpd_t to sendto unix_dgram sockets on its children +- Allow nova domains to execute ifconfig +- bluetooth wants to create fifo_files in /tmp +- exim needs to be able to manage mailman data +- Allow sysstat to getattr on all file systems +- Looks like bluetoothd has moved +- Allow 
collectd to send ping packets +- Allow svirt_lxc domains to getpgid +- Remove virt-sandbox-service labeling as virsh_exec_t, since it no longer does virsh_t stuff +- Allow frpintd_t to read /dev/urandom +- Allow asterisk_t to create sock_file in /var/run +- Allow usbmuxd to use netlink_kobject +- sosreport needs to getattr on lots of devices, and needs access to netlink_kobject_uevent_socket +- More cleanup of svirt_lxc policy +- virtd_lxc_t now talks to dbus +- Dontaudit leaked ptmx_t +- Allow processes to use inherited fifo files +- Allow openvpn_t to connect to squid ports +- Allow prelink_cron_system_t to ask systemd to reloaddd miscfiles_dontaudit_access_check_cert() +- Allow ssh_t to use /dev/ptmx +- Make sure /run/pluto dir is created with correct labeling +- Allow syslog to run shell and bin_t commands +- Allow ip to relabel tun_sockets +- Allow mount to create directories in files under /run +- Allow processes to use inherited fifo files +- Allow user roles to connect to the journal socket + * Thu Aug 8 2013 Miroslav Grepl 3.12.1-70 - selinux_set_enforce_mode needs to be used with type - Add append to the dontaudit for unix_stream_socket of xdm_t leak @@ -546,7 +688,7 @@ SELinux Reference policy mls base module. - Label 10933 as a pop port, for dovecot - New policy to allow selinux_server.py to run as semanage_t as a dbus service - Add fixes to make netlabelctl working on MLS -- AVC's required for running sepolicy gui as staff_t +- AVCs required for running sepolicy gui as staff_t - Dontaudit attempts to read symlinks, sepolicy gui is likely to cause this type of AVC - New dbus server to be used with new gui - After modifying some files in /etc/mail, I saw this needed on the next boot