diff --git a/policy-F16.patch b/policy-F16.patch
index cd7b7d7..62292e3 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -218,10 +218,35 @@ index 4705ab6..262b5ba 100644
 +gen_tunable(allow_console_login,false)
 +
 diff --git a/policy/mcs b/policy/mcs
-index 358ce7c..0f1d444 100644
+index 358ce7c..e5dc022 100644
 --- a/policy/mcs
 +++ b/policy/mcs
-@@ -86,10 +86,10 @@ mlsconstrain file { create relabelto }
+@@ -69,16 +69,20 @@ gen_levels(1,mcs_num_cats)
+ #  - /proc/pid operations are not constrained.
+ 
+ mlsconstrain file { read ioctl lock execute execute_no_trans }
+-	(( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
++	(( h1 dom h2 ) or ( t1 == mcsreadall ) or 
++	 (( t1 != mcsuntrustedproc ) and (t2 == domain)));
+ 
+ mlsconstrain file { write setattr append unlink link rename }
+-	(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
++	(( h1 dom h2 ) or
++	 (( t1 != mcsuntrustedproc ) and (t2 == domain)));
+ 
+ mlsconstrain dir { search read ioctl lock }
+-	(( h1 dom h2 ) or ( t1 == mcsreadall ) or ( t2 == domain ));
++	(( h1 dom h2 ) or ( t1 == mcsreadall ) or 
++	 (( t1 != mcsuntrustedproc ) and (t2 == domain)));
+ 
+ mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
+-	(( h1 dom h2 ) or ( t1 == mcswriteall ) or ( t2 == domain ));
++	(( h1 dom h2 ) or ( t1 == mcswriteall ) or
++	 (( t1 != mcsuntrustedproc ) and (t2 == domain)));
+ 
+ # New filesystem object labels must be dominated by the relabeling subject
+ # clearance, also the objects are single-level.
+@@ -86,10 +90,10 @@ mlsconstrain file { create relabelto }
  	(( h1 dom h2 ) and ( l2 eq h2 ));
  
  # new file labels must be dominated by the relabeling subject clearance
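Review bot: The rewritten `mlsconstrain file { write setattr append unlink link rename }` expression drops `( t1 == mcswriteall )`, while the dir write constraint keeps it and both read constraints keep `( t1 == mcsreadall )`. As written, a domain carrying `mcswriteall` can no longer write files whose categories it does not dominate, which looks like an accidental omission rather than a deliberate tightening. If it is unintended, the first line of the new expression should read `(( h1 dom h2 ) or ( t1 == mcswriteall ) or`; if it is intended, a comment above the constraint should say so. The context comment `#  - /proc/pid operations are not constrained.` also no longer holds for `mcsuntrustedproc` sources and could be reworded to name that exception.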
@@ -234,7 +259,7 @@ index 358ce7c..0f1d444 100644
  	(( h1 dom h2 ) and ( l2 eq h2 ));
  
  mlsconstrain process { transition dyntransition }
-@@ -101,6 +101,9 @@ mlsconstrain process { ptrace }
+@@ -101,6 +105,9 @@ mlsconstrain process { ptrace }
  mlsconstrain process { sigkill sigstop }
  	(( h1 dom h2 ) or ( t1 == mcskillall ));
  
@@ -244,7 +269,7 @@ index 358ce7c..0f1d444 100644
  #
  # MCS policy for SELinux-enabled databases
  #
-@@ -144,4 +147,10 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
+@@ -144,4 +151,10 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
  mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
  	( h1 dom h2 );
  
@@ -281,6 +306,27 @@ index e66c296..61f738b 100644
 +
 +	dontaudit $1 acct_data_t:dir list_dir_perms;	
 +')
+diff --git a/policy/modules/admin/amanda.fc b/policy/modules/admin/amanda.fc
+index e3e0701..3fd0282 100644
+--- a/policy/modules/admin/amanda.fc
++++ b/policy/modules/admin/amanda.fc
+@@ -7,11 +7,11 @@
+ 
+ /root/restore			-d	gen_context(system_u:object_r:amanda_recover_dir_t,s0)
+ 
+-/usr/lib(64)?/amanda		-d	gen_context(system_u:object_r:amanda_usr_lib_t,s0)
+-/usr/lib(64)?/amanda/.+		--	gen_context(system_u:object_r:amanda_exec_t,s0)
+-/usr/lib(64)?/amanda/amandad	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+-/usr/lib(64)?/amanda/amidxtaped	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+-/usr/lib(64)?/amanda/amindexd	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
++/usr/lib/amanda		-d	gen_context(system_u:object_r:amanda_usr_lib_t,s0)
++/usr/lib/amanda/.+		--	gen_context(system_u:object_r:amanda_exec_t,s0)
++/usr/lib/amanda/amandad	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
++/usr/lib/amanda/amidxtaped	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
++/usr/lib/amanda/amindexd	--	gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
+ 
+ /usr/sbin/amrecover		--	gen_context(system_u:object_r:amanda_recover_exec_t,s0)
+ 
 diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te
 index 46d467c..3305e15 100644
 --- a/policy/modules/admin/amanda.te
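Review bot: Dropping `(64)?` from these patterns leaves nothing in this hunk that matches `/usr/lib64/amanda/...`, so the entrypoint labels (`amanda_exec_t`, `amanda_inetd_exec_t`) apply on 64-bit installs only if `/usr/lib64` is mapped to `/usr/lib` elsewhere, for example by a path equivalence in `file_contexts.subs_dist`. That mapping is not visible here; without it the binaries would presumably fall back to a generic library label and the daemons would not transition into their confined domains. The same applies to the portage, usermanage, authbind, chrome, execmem, gpg, java, mediawiki, mozilla, nsplugin, openoffice, vmware and corecommands `.fc` hunks in this commit. A one-line comment in each file, such as `# /usr/lib64 is handled by the /usr/lib64 -> /usr/lib equivalence rule`, would record the dependency.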
@@ -1426,6 +1472,29 @@ index e0791b9..373882d 100644
 +	term_dontaudit_use_all_ttys(traceroute_t)
 +	term_dontaudit_use_all_ptys(traceroute_t)
 +')
+diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
+index db46387..b665b08 100644
+--- a/policy/modules/admin/portage.fc
++++ b/policy/modules/admin/portage.fc
+@@ -5,12 +5,12 @@
+ /usr/bin/gcc-config		--	gen_context(system_u:object_r:gcc_config_exec_t,s0)
+ /usr/bin/sandbox		--	gen_context(system_u:object_r:portage_exec_t,s0)
+ 
+-/usr/lib(64)?/portage/bin/ebuild --	gen_context(system_u:object_r:portage_exec_t,s0)
+-/usr/lib(64)?/portage/bin/emerge --	gen_context(system_u:object_r:portage_exec_t,s0)
+-/usr/lib(64)?/portage/bin/quickpkg --	gen_context(system_u:object_r:portage_exec_t,s0)
+-/usr/lib(64)?/portage/bin/ebuild\.sh --	gen_context(system_u:object_r:portage_exec_t,s0)
+-/usr/lib(64)?/portage/bin/regenworld --	gen_context(system_u:object_r:portage_exec_t,s0)
+-/usr/lib(64)?/portage/bin/sandbox --	gen_context(system_u:object_r:portage_exec_t,s0)
++/usr/lib/portage/bin/ebuild --	gen_context(system_u:object_r:portage_exec_t,s0)
++/usr/lib/portage/bin/emerge --	gen_context(system_u:object_r:portage_exec_t,s0)
++/usr/lib/portage/bin/quickpkg --	gen_context(system_u:object_r:portage_exec_t,s0)
++/usr/lib/portage/bin/ebuild\.sh --	gen_context(system_u:object_r:portage_exec_t,s0)
++/usr/lib/portage/bin/regenworld --	gen_context(system_u:object_r:portage_exec_t,s0)
++/usr/lib/portage/bin/sandbox --	gen_context(system_u:object_r:portage_exec_t,s0)
+ 
+ /usr/portage(/.*)?			gen_context(system_u:object_r:portage_ebuild_t,s0)
+ 
 diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
 index 8aaa46d..8714d7f 100644
 --- a/policy/modules/admin/portage.if
@@ -2649,7 +2718,7 @@ index d5aaf0e..689b2fd 100644
  optional_policy(`
  	mta_send_mail(sxid_t)
 diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te
-index 6a5004b..7300952 100644
+index 6a5004b..1ef8f1c 100644
 --- a/policy/modules/admin/tmpreaper.te
 +++ b/policy/modules/admin/tmpreaper.te
 @@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.5.0)
@@ -2677,7 +2746,7 @@ index 6a5004b..7300952 100644
  mls_file_read_all_levels(tmpreaper_t)
  mls_file_write_all_levels(tmpreaper_t)
  
-@@ -38,7 +44,9 @@ logging_send_syslog_msg(tmpreaper_t)
+@@ -38,12 +44,15 @@ logging_send_syslog_msg(tmpreaper_t)
  miscfiles_read_localization(tmpreaper_t)
  miscfiles_delete_man_pages(tmpreaper_t)
  
@@ -2688,7 +2757,13 @@ index 6a5004b..7300952 100644
  
  ifdef(`distro_redhat',`
  	userdom_list_user_home_content(tmpreaper_t)
-@@ -52,7 +60,9 @@ optional_policy(`
+ 	userdom_delete_user_home_content_dirs(tmpreaper_t)
+ 	userdom_delete_user_home_content_files(tmpreaper_t)
++	userdom_delete_user_home_content_sock_files(tmpreaper_t)
+ 	userdom_delete_user_home_content_symlinks(tmpreaper_t)
+ ')
+ 
+@@ -52,7 +61,9 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -2698,7 +2773,7 @@ index 6a5004b..7300952 100644
  	apache_delete_cache_files(tmpreaper_t)
  	apache_setattr_cache_dirs(tmpreaper_t)
  ')
-@@ -66,9 +76,17 @@ optional_policy(`
+@@ -66,9 +77,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -2800,6 +2875,19 @@ index 74354da..f04565f 100644
 +optional_policy(`
 +	modutils_read_module_deps(usbmodules_t)
 +')
+diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
+index c467144..fb794f9 100644
+--- a/policy/modules/admin/usermanage.fc
++++ b/policy/modules/admin/usermanage.fc
+@@ -10,7 +10,7 @@ ifdef(`distro_gentoo',`
+ /usr/bin/vigr		--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ /usr/bin/vipw		--	gen_context(system_u:object_r:admin_passwd_exec_t,s0)
+ 
+-/usr/lib(64)?/cracklib_dict.* -- gen_context(system_u:object_r:crack_db_t,s0)
++/usr/lib/cracklib_dict.* -- gen_context(system_u:object_r:crack_db_t,s0)
+ 
+ /usr/sbin/crack_[a-z]*	--	gen_context(system_u:object_r:crack_exec_t,s0)
+ /usr/sbin/cracklib-[a-z]* --	gen_context(system_u:object_r:crack_exec_t,s0)
 diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
 index 81fb26f..cd18ca8 100644
 --- a/policy/modules/admin/usermanage.if
@@ -2815,7 +2903,7 @@ index 81fb26f..cd18ca8 100644
  
  	optional_policy(`
 diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 441cf22..b123de0 100644
+index 441cf22..4e2205c 100644
 --- a/policy/modules/admin/usermanage.te
 +++ b/policy/modules/admin/usermanage.te
 @@ -79,8 +79,8 @@ selinux_compute_create_context(chfn_t)
@@ -2920,7 +3008,15 @@ index 441cf22..b123de0 100644
  dontaudit useradd_t self:capability sys_tty_config;
  allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow useradd_t self:process setfscreate;
-@@ -469,8 +471,7 @@ selinux_compute_create_context(useradd_t)
+@@ -460,6 +462,7 @@ fs_search_auto_mountpoints(useradd_t)
+ fs_getattr_xattr_fs(useradd_t)
+ 
+ mls_file_upgrade(useradd_t)
++mls_process_read_to_clearance(useradd_t)
+ 
+ # Allow access to context for shadow file
+ selinux_get_fs_mount(useradd_t)
+@@ -469,8 +472,7 @@ selinux_compute_create_context(useradd_t)
  selinux_compute_relabel_context(useradd_t)
  selinux_compute_user_contexts(useradd_t)
  
@@ -2930,7 +3026,7 @@ index 441cf22..b123de0 100644
  
  auth_domtrans_chk_passwd(useradd_t)
  auth_rw_lastlog(useradd_t)
-@@ -498,20 +499,16 @@ seutil_domtrans_setfiles(useradd_t)
+@@ -498,20 +500,16 @@ seutil_domtrans_setfiles(useradd_t)
  
  userdom_use_unpriv_users_fds(useradd_t)
  # Add/remove user home directories
@@ -3004,6 +3100,15 @@ index 39c75fb..057d8b1 100644
  
  optional_policy(`
  	unconfined_domain(ada_t)
+diff --git a/policy/modules/apps/authbind.fc b/policy/modules/apps/authbind.fc
+index 48cf11b..9787bd4 100644
+--- a/policy/modules/apps/authbind.fc
++++ b/policy/modules/apps/authbind.fc
+@@ -1,3 +1,3 @@
+ /etc/authbind(/.*)?			gen_context(system_u:object_r:authbind_etc_t,s0)
+ 
+-/usr/lib(64)?/authbind/helper	--	gen_context(system_u:object_r:authbind_exec_t,s0)
++/usr/lib/authbind/helper	--	gen_context(system_u:object_r:authbind_exec_t,s0)
 diff --git a/policy/modules/apps/awstats.te b/policy/modules/apps/awstats.te
 index 1f42250..3d36ae2 100644
 --- a/policy/modules/apps/awstats.te
@@ -3064,13 +3169,13 @@ index 1403835..128f634 100644
  # Handle nfs home dirs
 diff --git a/policy/modules/apps/chrome.fc b/policy/modules/apps/chrome.fc
 new file mode 100644
-index 0000000..432fb25
+index 0000000..1f468aa
 --- /dev/null
 +++ b/policy/modules/apps/chrome.fc
 @@ -0,0 +1,3 @@
 + /opt/google/chrome/chrome-sandbox	--	gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
 +
-+/usr/lib(64)?/chromium-browser/chrome-sandbox	--	gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
++/usr/lib/chromium-browser/chrome-sandbox	--	gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
 diff --git a/policy/modules/apps/chrome.if b/policy/modules/apps/chrome.if
 new file mode 100644
 index 0000000..e921f24
@@ -3346,10 +3451,10 @@ index cd70958..126d7ea 100644
  # until properly implemented
 diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc
 new file mode 100644
-index 0000000..4540090
+index 0000000..6f3570a
 --- /dev/null
 +++ b/policy/modules/apps/execmem.fc
-@@ -0,0 +1,50 @@
+@@ -0,0 +1,48 @@
 +
 +/usr/bin/aticonfig	--	gen_context(system_u:object_r:execmem_exec_t,s0)
 +/usr/bin/darcs 		--	gen_context(system_u:object_r:execmem_exec_t,s0)
@@ -3368,17 +3473,15 @@ index 0000000..4540090
 +ifdef(`distro_gentoo',`
 +/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0)
 +')
-+/usr/lib(64)?/chromium-browser/chromium-browser  gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/lib64/erlang/erts-[^/]+/bin/beam.smp --	gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/lib/chromium-browser/chromium-browser  gen_context(system_u:object_r:execmem_exec_t,s0)
 +/usr/lib/erlang/erts-[^/]+/bin/beam.smp --	gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/lib64/R/bin/exec/R	   	--	gen_context(system_u:object_r:execmem_exec_t,s0)
 +/usr/lib/R/bin/exec/R	   	--	gen_context(system_u:object_r:execmem_exec_t,s0)
 +
 +/usr/libexec/ghc-[^/]+/.*bin  --	gen_context(system_u:object_r:execmem_exec_t,s0)
 +/usr/libexec/ghc-[^/]+/ghc.*  --	gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/lib(64)?/ghc-[^/]+/ghc.*  --	gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/lib/ghc-[^/]+/ghc.*  --	gen_context(system_u:object_r:execmem_exec_t,s0)
 +/usr/lib/ia32el/ia32x_loader 	--	gen_context(system_u:object_r:execmem_exec_t,s0)
-+/usr/lib(64)/virtualbox/VirtualBox  --	gen_context(system_u:object_r:execmem_exec_t,s0)
++/usr/lib/virtualbox/VirtualBox  --	gen_context(system_u:object_r:execmem_exec_t,s0)
 +
 +/opt/real/(.*/)?realplay\.bin	    --	gen_context(system_u:object_r:execmem_exec_t,s0)
 +/opt/secondlife-install/bin/SLPlugin --	gen_context(system_u:object_r:execmem_exec_t,s0)
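Review bot: The rewritten `/usr/lib/chromium-browser/chromium-browser` entry still has no file-type field, unlike the `--` entries around it, so `execmem_exec_t` is applied to any object at that path rather than only to a regular file. Suggest `/usr/lib/chromium-browser/chromium-browser -- gen_context(system_u:object_r:execmem_exec_t,s0)`. In the same hunk, `/usr/lib(64)/virtualbox/VirtualBox` (which matched only the lib64 path) becomes a `/usr/lib`-only pattern. That entry and the removed `/usr/lib64/erlang` and `/usr/lib64/R` lines now depend on `/usr/lib64` being mapped to `/usr/lib` elsewhere in the policy, which this hunk does not show.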
@@ -4724,7 +4827,7 @@ index f5afe78..b1b6bf6 100644
 +')
 +
 diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
-index 2505654..ca56b50 100644
+index 2505654..d0792a8 100644
 --- a/policy/modules/apps/gnome.te
 +++ b/policy/modules/apps/gnome.te
 @@ -5,12 +5,26 @@ policy_module(gnome, 2.1.0)
@@ -4799,7 +4902,7 @@ index 2505654..ca56b50 100644
  ##############################
  #
  # Local Policy
-@@ -75,3 +110,151 @@ optional_policy(`
+@@ -75,3 +110,153 @@ optional_policy(`
  	xserver_use_xdm_fds(gconfd_t)
  	xserver_rw_xdm_pipes(gconfd_t)
  ')
@@ -4861,6 +4964,8 @@ index 2505654..ca56b50 100644
 +allow gnomesystemmm_t self:capability { sys_nice sys_ptrace };
 +allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms;
 +
++kernel_read_system_state(gnomesystemmm_t)
++
 +corecmd_search_bin(gnomesystemmm_t)
 +
 +domain_kill_all_domains(gnomesystemmm_t)
@@ -4952,15 +5057,22 @@ index 2505654..ca56b50 100644
 +
 +userdom_use_inherited_user_terminals(gnome_domain)
 diff --git a/policy/modules/apps/gpg.fc b/policy/modules/apps/gpg.fc
-index e9853d4..717d163 100644
+index e9853d4..6864b58 100644
 --- a/policy/modules/apps/gpg.fc
 +++ b/policy/modules/apps/gpg.fc
-@@ -1,4 +1,5 @@
+@@ -1,9 +1,10 @@
  HOME_DIR/\.gnupg(/.+)?		gen_context(system_u:object_r:gpg_secret_t,s0)
 +/root/\.gnupg(/.+)?		gen_context(system_u:object_r:gpg_secret_t,s0)
  
  /usr/bin/gpg(2)?	--	gen_context(system_u:object_r:gpg_exec_t,s0)
  /usr/bin/gpg-agent	--	gen_context(system_u:object_r:gpg_agent_exec_t,s0)
+ /usr/bin/kgpg		--	gen_context(system_u:object_r:gpg_exec_t,s0)
+ /usr/bin/pinentry.*	--	gen_context(system_u:object_r:pinentry_exec_t,s0)
+ 
+-/usr/lib(64)?/gnupg/.*	--	gen_context(system_u:object_r:gpg_exec_t,s0)
+-/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
++/usr/lib/gnupg/.*	--	gen_context(system_u:object_r:gpg_exec_t,s0)
++/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
 diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if
 index 40e0a2a..f4a103c 100644
 --- a/policy/modules/apps/gpg.if
@@ -5394,7 +5506,7 @@ index 66beb80..9c45e44 100644
 +	automount_dontaudit_getattr_tmp_dirs(irssi_t)
 +')
 diff --git a/policy/modules/apps/java.fc b/policy/modules/apps/java.fc
-index 86c1768..cd76e6a 100644
+index 86c1768..5d2130c 100644
 --- a/policy/modules/apps/java.fc
 +++ b/policy/modules/apps/java.fc
 @@ -5,10 +5,13 @@
@@ -5411,7 +5523,13 @@ index 86c1768..cd76e6a 100644
  /usr/(.*/)?bin/java.* 	--	gen_context(system_u:object_r:java_exec_t,s0)
  /usr/bin/fastjar	--	gen_context(system_u:object_r:java_exec_t,s0)
  /usr/bin/frysk		--	gen_context(system_u:object_r:java_exec_t,s0)
-@@ -33,6 +36,9 @@
+@@ -27,12 +30,14 @@
+ /usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+ /usr/lib/opera(/.*)?/opera --	gen_context(system_u:object_r:java_exec_t,s0)
+ /usr/lib/opera(/.*)?/works --	gen_context(system_u:object_r:java_exec_t,s0)
+-/usr/lib64/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+ 
+ /usr/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
  
  /usr/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
  
@@ -5733,14 +5851,14 @@ index 0bac996..ca2388d 100644
  
 diff --git a/policy/modules/apps/mediawiki.fc b/policy/modules/apps/mediawiki.fc
 new file mode 100644
-index 0000000..bf872ef
+index 0000000..d56fd69
 --- /dev/null
 +++ b/policy/modules/apps/mediawiki.fc
 @@ -0,0 +1,10 @@
 +
-+/usr/lib(64)?/mediawiki/math/texvc	--	gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)	
-+/usr/lib(64)?/mediawiki/math/texvc_tex --      gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
-+/usr/lib(64)?/mediawiki/math/texvc_tes --      gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
++/usr/lib/mediawiki/math/texvc	--	gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)	
++/usr/lib/mediawiki/math/texvc_tex --      gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
++/usr/lib/mediawiki/math/texvc_tes --      gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
 +
 +/var/www/wiki(/.*)?		  gen_context(system_u:object_r:httpd_mediawiki_rw_content_t,s0)
 +
@@ -5862,7 +5980,7 @@ index 7b08e13..515a88a 100644
  	optional_policy(`
  		xserver_role($1_r, $1_mono_t)
 diff --git a/policy/modules/apps/mozilla.fc b/policy/modules/apps/mozilla.fc
-index 93ac529..aafece7 100644
+index 93ac529..35b51ab 100644
 --- a/policy/modules/apps/mozilla.fc
 +++ b/policy/modules/apps/mozilla.fc
 @@ -1,6 +1,7 @@
@@ -5873,11 +5991,28 @@ index 93ac529..aafece7 100644
  HOME_DIR/\.netscape(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
  HOME_DIR/\.phoenix(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
  
-@@ -27,3 +28,4 @@ HOME_DIR/\.phoenix(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
- /usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
- /usr/lib/[^/]*firefox[^/]*/firefox --	gen_context(system_u:object_r:mozilla_exec_t,s0)
- /usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
-+/usr/lib(64)?/xulrunner[^/]*/plugin-container		--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
+@@ -18,12 +19,12 @@ HOME_DIR/\.phoenix(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
+ #
+ # /lib
+ #
+-/usr/lib(64)?/galeon/galeon 	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
+-/usr/lib(64)?/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+-/usr/lib(64)?/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+-/usr/lib(64)?/mozilla[^/]*/reg.+ --	gen_context(system_u:object_r:mozilla_exec_t,s0)
+-/usr/lib(64)?/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+-/usr/lib(64)?/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+-/usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+-/usr/lib/[^/]*firefox[^/]*/firefox --	gen_context(system_u:object_r:mozilla_exec_t,s0)
+-/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
++/usr/lib/galeon/galeon 	--	gen_context(system_u:object_r:mozilla_exec_t,s0)
++/usr/lib/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0)
++/usr/lib/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0)
++/usr/lib/mozilla[^/]*/reg.+ --	gen_context(system_u:object_r:mozilla_exec_t,s0)
++/usr/lib/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
++/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
++/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
++/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
++/usr/lib/xulrunner[^/]*/plugin-container		--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
 index 9a6d67d..d88c02c 100644
 --- a/policy/modules/apps/mozilla.if
@@ -6545,7 +6680,7 @@ index 0000000..4af1aa0
 +userdom_user_home_dir_filetrans_user_home_content(namespace_init_t, { dir file lnk_file fifo_file sock_file })
 diff --git a/policy/modules/apps/nsplugin.fc b/policy/modules/apps/nsplugin.fc
 new file mode 100644
-index 0000000..717eb3f
+index 0000000..22e6c96
 --- /dev/null
 +++ b/policy/modules/apps/nsplugin.fc
 @@ -0,0 +1,11 @@
@@ -6557,9 +6692,9 @@ index 0000000..717eb3f
 +
 +/usr/bin/nspluginscan	--	gen_context(system_u:object_r:nsplugin_exec_t,s0)
 +/usr/bin/nspluginviewer	--	gen_context(system_u:object_r:nsplugin_exec_t,s0)
-+/usr/lib(64)?/nspluginwrapper/npviewer.bin	--	gen_context(system_u:object_r:nsplugin_exec_t,s0)
-+/usr/lib(64)?/nspluginwrapper/plugin-config	--	gen_context(system_u:object_r:nsplugin_config_exec_t,s0)
-+/usr/lib(64)?/mozilla/plugins-wrapped(/.*)?			gen_context(system_u:object_r:nsplugin_rw_t,s0)
++/usr/lib/nspluginwrapper/npviewer.bin	--	gen_context(system_u:object_r:nsplugin_exec_t,s0)
++/usr/lib/nspluginwrapper/plugin-config	--	gen_context(system_u:object_r:nsplugin_config_exec_t,s0)
++/usr/lib/mozilla/plugins-wrapped(/.*)?			gen_context(system_u:object_r:nsplugin_rw_t,s0)
 diff --git a/policy/modules/apps/nsplugin.if b/policy/modules/apps/nsplugin.if
 new file mode 100644
 index 0000000..37449c0
@@ -7377,12 +7512,11 @@ index 0000000..6cc919e
 +
 diff --git a/policy/modules/apps/openoffice.fc b/policy/modules/apps/openoffice.fc
 new file mode 100644
-index 0000000..0c53a12
+index 0000000..4428be4
 --- /dev/null
 +++ b/policy/modules/apps/openoffice.fc
-@@ -0,0 +1,4 @@
+@@ -0,0 +1,3 @@
 +/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
-+/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
 +/opt/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
 +
 diff --git a/policy/modules/apps/openoffice.if b/policy/modules/apps/openoffice.if
@@ -8425,10 +8559,10 @@ index 0000000..0fedd57
 +')
 diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
 new file mode 100644
-index 0000000..c62f0f8
+index 0000000..88efdca
 --- /dev/null
 +++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,475 @@
+@@ -0,0 +1,479 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
@@ -8698,6 +8832,10 @@ index 0000000..c62f0f8
 +')
 +
 +optional_policy(`
++	devicekit_dontaudit_dbus_chat_disk(sandbox_x_domain)
++')
++
++optional_policy(`
 +	gnome_read_gconf_config(sandbox_x_domain)
 +')
 +
@@ -9877,10 +10015,23 @@ index 03fc701..f58654e 100644
 -userdom_use_user_terminals(vlock_t)
 +userdom_use_inherited_user_terminals(vlock_t)
 diff --git a/policy/modules/apps/vmware.fc b/policy/modules/apps/vmware.fc
-index 5872ea2..028c994 100644
+index 5872ea2..179960c 100644
 --- a/policy/modules/apps/vmware.fc
 +++ b/policy/modules/apps/vmware.fc
-@@ -66,5 +66,6 @@ ifdef(`distro_gentoo',`
+@@ -39,12 +39,6 @@ ifdef(`distro_redhat',`
+ /usr/lib/vmware-tools/sbin64/vmware.* -- gen_context(system_u:object_r:vmware_host_exec_t,s0)
+ ')
+ 
+-/usr/lib64/vmware/config	--	gen_context(system_u:object_r:vmware_sys_conf_t,s0)
+-/usr/lib64/vmware/bin/vmware-mks --	gen_context(system_u:object_r:vmware_exec_t,s0)
+-/usr/lib64/vmware/bin/vmware-ui --	gen_context(system_u:object_r:vmware_exec_t,s0)
+-/usr/lib64/vmware/bin/vmplayer	--	gen_context(system_u:object_r:vmware_exec_t,s0)
+-/usr/lib64/vmware/bin/vmware-vmx --	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+-
+ /usr/sbin/vmware-guest.*	--	gen_context(system_u:object_r:vmware_host_exec_t,s0)
+ /usr/sbin/vmware-serverd	--	gen_context(system_u:object_r:vmware_exec_t,s0)
+ 
+@@ -66,5 +60,6 @@ ifdef(`distro_gentoo',`
  /var/log/vmware.* 		--	gen_context(system_u:object_r:vmware_log_t,s0)
  /var/log/vnetlib.*		--	gen_context(system_u:object_r:vmware_log_t,s0)
  
@@ -10170,7 +10321,7 @@ index 223ad43..d400ef6 100644
  # Reading dotfiles...
  # cjp: ?
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 34c9d01..4593351 100644
+index 34c9d01..d0c0d02 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -72,7 +72,9 @@ ifdef(`distro_redhat',`
@@ -10193,7 +10344,7 @@ index 34c9d01..4593351 100644
  /etc/sysconfig/crond		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/sysconfig/init		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/sysconfig/libvirtd		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -128,8 +128,8 @@ ifdef(`distro_debian',`
+@@ -128,18 +128,15 @@ ifdef(`distro_debian',`
  
  /lib/readahead(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  /lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
@@ -10203,7 +10354,18 @@ index 34c9d01..4593351 100644
  /lib/udev/scsi_id		--	gen_context(system_u:object_r:bin_t,s0)
  /lib/upstart(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
-@@ -177,6 +177,8 @@ ifdef(`distro_gentoo',`
+ 
+-/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
+-/lib64/udev/[^/]*		--	gen_context(system_u:object_r:bin_t,s0)
+-
+ ifdef(`distro_gentoo',`
+ /lib/dhcpcd/dhcpcd-run-hooks	--	gen_context(system_u:object_r:bin_t,s0)
+-/lib64/dhcpcd/dhcpcd-run-hooks	--	gen_context(system_u:object_r:bin_t,s0)
++/lib/dhcpcd/dhcpcd-run-hooks	--	gen_context(system_u:object_r:bin_t,s0)
+ 
+ /lib/rcscripts/addons(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+ /lib/rcscripts/sh(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+@@ -177,6 +174,8 @@ ifdef(`distro_gentoo',`
  /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
  ')
  
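Review bot: Inside the `distro_gentoo` block, `/lib64/dhcpcd/dhcpcd-run-hooks` is rewritten to `/lib/dhcpcd/dhcpcd-run-hooks`, which is identical to the context line directly above it. The duplicate is at best redundant and may be reported as a repeated specification when the file contexts are validated. The `/lib64` line should simply be deleted, as is done for the `/lib64/security/pam_krb5/pam_krb5_storetmp` and `/lib64/udev/[^/]*` entries a few lines earlier in this hunk.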
@@ -10212,23 +10374,105 @@ index 34c9d01..4593351 100644
  #
  # /usr
  #
-@@ -232,6 +234,9 @@ ifdef(`distro_gentoo',`
- /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib(64)?/xulrunner[^/]*/xulrunner[^/]* --	gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib(64)?/xulrunner[^/]*/updater --	gen_context(system_u:object_r:bin_t,s0)
-+/usr/lib(64)?/xulrunner[^/]*/crashreporter --	gen_context(system_u:object_r:bin_t,s0)
- /usr/lib(64)?/[^/]*/run-mozilla\.sh --	gen_context(system_u:object_r:bin_t,s0)
- /usr/lib(64)?/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib(64)?/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-@@ -244,9 +249,13 @@ ifdef(`distro_gentoo',`
+@@ -196,47 +195,49 @@ ifdef(`distro_gentoo',`
+ /usr/lib/pgsql/test/regress/.*\.sh --	gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/qt.*/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/wicd/monitor\.py 	-- 	gen_context(system_u:object_r:bin_t, s0)
+-/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/apt/methods.+	--	gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/ConsoleKit/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/courier(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/cups(/.*)? 		gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/cyrus-imapd/.*	--	gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/emacsen-common/.*		gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/gimp/.*/plug-ins(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/ipsec/.*		--	gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/mailman/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/mailman/mail(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/mediawiki/math/texvc.*	gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/misc/sftp-server	--	gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/nagios/plugins(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/netsaint/plugins(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/news/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/nspluginwrapper/np.*	gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/portage/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/pm-utils(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/rpm/rpmd		-- 	gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/rpm/rpmk		-- 	gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/rpm/rpmq		-- 	gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/rpm/rpmv		-- 	gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/sftp-server	--	gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/vte/gnome-pty-helper --	gen_context(system_u:object_r:bin_t,s0)
+-
+-/usr/lib(64)?/debug/bin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/debug/sbin(/.*)? --	gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/debug/usr/bin(/.*)? --	gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/debug/usr/sbin(/.*)? --	gen_context(system_u:object_r:bin_t,s0)
+-
+-/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/[^/]*/run-mozilla\.sh --	gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
+-
+-/usr/lib(64)?/xen/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/apt/methods.+	--	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/ConsoleKit/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/courier(/.*)?		gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/cups(/.*)? 		gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/cyrus-imapd/.*	--	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/emacsen-common/.*		gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/gimp/.*/plug-ins(/.*)?	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/ipsec/.*		--	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/mailman/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/mailman/mail(/.*)?	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/mediawiki/math/texvc.*	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/misc/sftp-server	--	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/nagios/plugins(/.*)?	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/netsaint/plugins(/.*)?	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/news/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/nspluginwrapper/np.*	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/portage/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/pm-utils(/.*)?		gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/rpm/rpmd		-- 	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/rpm/rpmk		-- 	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/rpm/rpmq		-- 	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/rpm/rpmv		-- 	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/sftp-server	--	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/vte/gnome-pty-helper --	gen_context(system_u:object_r:bin_t,s0)
++
++/usr/lib/debug/bin(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/debug/sbin(/.*)? --	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/debug/usr/bin(/.*)? --	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/debug/usr/sbin(/.*)? --	gen_context(system_u:object_r:bin_t,s0)
++
++/usr/lib/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/xulrunner[^/]*/xulrunner[^/]* --	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/xulrunner[^/]*/updater --	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/xulrunner[^/]*/crashreporter --	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/[^/]*/run-mozilla\.sh --	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
++
++/usr/lib/xen/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+ 
+ /usr/libexec(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+ /usr/libexec/git-core/git-shell	--	gen_context(system_u:object_r:shell_exec_t,s0)
+@@ -244,9 +245,13 @@ ifdef(`distro_gentoo',`
  
  /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
  
-+/usr/lib(64)?/xfce4/notifyd/xfce4-notifyd	--	gen_context(system_u:object_r:bin_t,s0)
+-/usr/local/lib(64)?/ipsec/.*	-- 	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/xfce4/notifyd/xfce4-notifyd	--	gen_context(system_u:object_r:bin_t,s0)
 +
- /usr/local/lib(64)?/ipsec/.*	-- 	gen_context(system_u:object_r:bin_t,s0)
++/usr/local/lib/ipsec/.*	-- 	gen_context(system_u:object_r:bin_t,s0)
  /usr/local/Brother(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/local/Printer(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 +/usr/local/Brother/(.*/)?inf/brprintconf.* gen_context(system_u:object_r:bin_t,s0)
@@ -10236,7 +10480,7 @@ index 34c9d01..4593351 100644
  /usr/local/linuxprinter/filters(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  
  /usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -283,6 +292,7 @@ ifdef(`distro_gentoo',`
+@@ -283,6 +288,7 @@ ifdef(`distro_gentoo',`
  /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/configpath	--	gen_context(system_u:object_r:bin_t,s0)
@@ -10244,15 +10488,27 @@ index 34c9d01..4593351 100644
  /usr/share/shorewall-perl(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall-shell(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall-lite(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
-@@ -307,6 +317,7 @@ ifdef(`distro_redhat', `
- /usr/lib64/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+@@ -291,7 +297,7 @@ ifdef(`distro_gentoo',`
+ /usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/vhostmd/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+ 
+-/usr/X11R6/lib(64)?/X11/xkb/xkbcomp --	gen_context(system_u:object_r:bin_t,s0)
++/usr/X11R6/lib/X11/xkb/xkbcomp --	gen_context(system_u:object_r:bin_t,s0)
+ 
+ ifdef(`distro_gentoo', `
+ /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+@@ -304,9 +310,8 @@ ifdef(`distro_redhat', `
+ /etc/gdm/[^/]+/.*			gen_context(system_u:object_r:bin_t,s0)
+ 
+ /usr/lib/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib64/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/bluetooth(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
- /usr/lib64/bluetooth(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib64/bluetooth(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
 +/usr/lib/oracle/xe/apps(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/vmware-tools/(s)?bin32(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/vmware-tools/(s)?bin64(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -316,9 +327,11 @@ ifdef(`distro_redhat', `
+@@ -316,9 +321,11 @@ ifdef(`distro_redhat', `
  /usr/share/clamav/clamd-gen	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/clamav/freshclam-sleep --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/createrepo(/.*)?		gen_context(system_u:object_r:bin_t,s0)
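Review bot: Dropping the `lib64` alternatives in this hunk (`/usr/X11R6/lib(64)?/X11/xkb/xkbcomp` becomes `/usr/X11R6/lib/...`, and the `/usr/lib64/.*/program` and `/usr/lib64/bluetooth` entries are removed) leaves the 64-bit paths without a `bin_t` match unless a path-equivalence rule maps `/usr/lib64` onto `/usr/lib`, and no such rule is visible in this part of the patch. The same applies to `/usr/lib(64)?/ssh/.*` and `/usr/lib64/yp/.+` in the next hunk and to `/lib64/modules` and `/opt/(.*/)?var/lib(64)?` in the files.fc hunk. I would add a comment at the first changed entry, e.g. `# lib64 paths rely on the lib64 -> lib path substitution (file_contexts.subs_dist)`, if that is indeed the mechanism. After install, running `matchpathcon` on a few lib64 paths would confirm they still resolve to `bin_t`; a helper that loses its entry falls back to the generic rule for its directory, which changes which domains may execute it.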
@@ -10264,6 +10520,23 @@ index 34c9d01..4593351 100644
  /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
+@@ -360,7 +367,7 @@ ifdef(`distro_redhat', `
+ ifdef(`distro_suse', `
+ /usr/lib/cron/run-crons		--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/samba/classic/.*	--	gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/ssh/.*		--	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib/ssh/.*		--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/apache2/[^/]*	--	gen_context(system_u:object_r:bin_t,s0)
+ ')
+ 
+@@ -373,7 +380,6 @@ ifdef(`distro_suse', `
+ 
+ /var/lib/asterisk/agi-bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/yp/.+			--	gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib64/yp/.+		--	gen_context(system_u:object_r:bin_t,s0)
+ 
+ /var/qmail/bin			-d	gen_context(system_u:object_r:bin_t,s0)
+ /var/qmail/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if
 index 9e9263a..24018ce 100644
 --- a/policy/modules/kernel/corecommands.if
@@ -11049,7 +11322,7 @@ index 3ff4f60..89ffda6 100644
 +allow devices_unconfined_type device_node:{ blk_file chr_file lnk_file } *;
  allow devices_unconfined_type mtrr_device_t:file *;
 diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
-index aad8c52..edc8af9 100644
+index aad8c52..e957e76 100644
 --- a/policy/modules/kernel/domain.if
 +++ b/policy/modules/kernel/domain.if
 @@ -474,6 +474,25 @@ interface(`domain_signal_all_domains',`
@@ -11146,10 +11419,17 @@ index aad8c52..edc8af9 100644
  ##	dontaudit checking for execute on all entry point files
  ## </summary>
  ## <param name="domain">
-@@ -1473,3 +1528,22 @@ interface(`domain_unconfined',`
+@@ -1472,4 +1527,29 @@ interface(`domain_unconfined',`
+ 	typeattribute $1 can_change_object_identity;
  	typeattribute $1 set_curr_context;
  	typeattribute $1 process_uncond_exempt;
- ')
++
++	mcs_file_read_all($1)
++	mcs_file_write_all($1)
++	mcs_killall($1)
++	mcs_ptrace_all($1)
++	mcs_socket_write_all_levels($1)
++')
 +
 +########################################
 +## <summary>
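Review bot: The five `mcs_*` calls added to `domain_unconfined` have no comment, although they change what the interface means: judging by their names, every caller is now also exempt from MCS category checks for file read and write, kill, ptrace and socket writes. I would put `# Unconfined domains are exempt from MCS category constraints.` above `mcs_file_read_all($1)` and mention it in the interface summary, which starts outside this hunk. Because the grant is inherited by every domain that calls this interface, it is worth listing the types that carry the MCS exemption attributes in the built policy (for example with `seinfo -a<attribute> -x`) and confirming none of them is meant to stay category-confined.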
@@ -11168,7 +11448,7 @@ index aad8c52..edc8af9 100644
 +	')
 +
 +	dontaudit $1 domain:socket_class_set { read write };
-+')
+ ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
 index bc534c1..b70ea07 100644
 --- a/policy/modules/kernel/domain.te
@@ -11354,7 +11634,7 @@ index bc534c1..b70ea07 100644
 +# broken kernel
 +dontaudit can_change_object_identity can_change_object_identity:key link;
 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index 16108f6..0f1470f 100644
+index 16108f6..e76bf67 100644
 --- a/policy/modules/kernel/files.fc
 +++ b/policy/modules/kernel/files.fc
 @@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -11400,7 +11680,28 @@ index 16108f6..0f1470f 100644
  HOME_ROOT/\.journal		<<none>>
  HOME_ROOT/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
  HOME_ROOT/lost\+found/.*		<<none>>
-@@ -153,6 +164,17 @@ HOME_ROOT/lost\+found/.*		<<none>>
+@@ -101,10 +112,9 @@ HOME_ROOT/lost\+found/.*		<<none>>
+ /initrd			-d	gen_context(system_u:object_r:root_t,s0)
+ 
+ #
+-# /lib(64)?
++# /lib
+ #
+ /lib/modules(/.*)?		gen_context(system_u:object_r:modules_object_t,s0)
+-/lib64/modules(/.*)?		gen_context(system_u:object_r:modules_object_t,s0)
+ 
+ #
+ # /lost+found
+@@ -145,7 +155,7 @@ HOME_ROOT/lost\+found/.*		<<none>>
+ /opt			-d	gen_context(system_u:object_r:usr_t,s0)
+ /opt/.*				gen_context(system_u:object_r:usr_t,s0)
+ 
+-/opt/(.*/)?var/lib(64)?(/.*)?	gen_context(system_u:object_r:var_lib_t,s0)
++/opt/(.*/)?var/lib(/.*)?	gen_context(system_u:object_r:var_lib_t,s0)
+ 
+ #
+ # /proc
+@@ -153,6 +163,17 @@ HOME_ROOT/lost\+found/.*		<<none>>
  /proc			-d	<<none>>
  /proc/.*			<<none>>
  
@@ -11418,7 +11719,7 @@ index 16108f6..0f1470f 100644
  #
  # /selinux
  #
-@@ -166,12 +188,6 @@ HOME_ROOT/lost\+found/.*		<<none>>
+@@ -166,12 +187,6 @@ HOME_ROOT/lost\+found/.*		<<none>>
  /srv/.*				gen_context(system_u:object_r:var_t,s0)
  
  #
@@ -11431,7 +11732,7 @@ index 16108f6..0f1470f 100644
  # /tmp
  #
  /tmp			-d	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
-@@ -211,7 +227,6 @@ HOME_ROOT/lost\+found/.*		<<none>>
+@@ -211,7 +226,6 @@ HOME_ROOT/lost\+found/.*		<<none>>
  
  ifndef(`distro_redhat',`
  /usr/local/src(/.*)?		gen_context(system_u:object_r:src_t,s0)
@@ -11439,7 +11740,7 @@ index 16108f6..0f1470f 100644
  /usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
  /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
  ')
-@@ -227,6 +242,8 @@ ifndef(`distro_redhat',`
+@@ -227,6 +241,8 @@ ifndef(`distro_redhat',`
  
  /var/ftp/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
  
@@ -11448,7 +11749,14 @@ index 16108f6..0f1470f 100644
  /var/lib(/.*)?			gen_context(system_u:object_r:var_lib_t,s0)
  
  /var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
-@@ -243,7 +260,7 @@ ifndef(`distro_redhat',`
+@@ -237,13 +253,14 @@ ifndef(`distro_redhat',`
+ /var/lost\+found/.*		<<none>>
+ 
+ /var/run			-d	gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
++/var/run			-l	gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
+ /var/run/.*			gen_context(system_u:object_r:var_run_t,s0)
+ /var/run/.*\.*pid		<<none>>
+ 
  /var/spool(/.*)?			gen_context(system_u:object_r:var_spool_t,s0)
  /var/spool/postfix/etc(/.*)?	gen_context(system_u:object_r:etc_t,s0)
  
@@ -11466,7 +11774,7 @@ index 16108f6..0f1470f 100644
 +
 +/usr/lib/debug(/.*)?		<<none>>
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 958ca84..a595aa7 100644
+index 958ca84..cec6add 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
@@ -11619,7 +11927,32 @@ index 958ca84..a595aa7 100644
  ########################################
  ## <summary>
  ##	Read and write symbolic links
-@@ -2453,6 +2560,24 @@ interface(`files_delete_etc_files',`
+@@ -2300,6 +2407,24 @@ interface(`files_rw_etc_dirs',`
+ 	allow $1 etc_t:dir rw_dir_perms;
+ ')
+ 
++#######################################
++## <summary>
++##      Dontaudit remove dir /etc directories.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`files_dontaudit_remove_etc_dir',`
++        gen_require(`
++                type etc_t;
++        ')
++
++        dontaudit $1 etc_t:dir rmdir;
++')
++
+ ##########################################
+ ## <summary>
+ ## 	Manage generic directories in /etc
+@@ -2453,6 +2578,24 @@ interface(`files_delete_etc_files',`
  
  ########################################
  ## <summary>
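Review bot: The parameter description of the new `files_dontaudit_remove_etc_dir` says `Domain allowed access.`, but the interface only adds `dontaudit $1 etc_t:dir rmdir;` and allows nothing; it should read `##	Domain to not audit.`. The new `fs_dontaudit_search_cgroup_dirs` in filesystem.if has the same wording. The body is also indented with spaces where the neighbouring `files_rw_etc_dirs` line uses a tab. Because the rule hides `rmdir` denials on `etc_t` directories from the audit log, a short comment naming the caller that produces the noise would help anyone who later has to rebuild with dontaudit rules disabled (`semodule -DB`) to investigate.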
@@ -11644,7 +11977,7 @@ index 958ca84..a595aa7 100644
  ##	Execute generic files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2583,6 +2708,31 @@ interface(`files_create_boot_flag',`
+@@ -2583,6 +2726,31 @@ interface(`files_create_boot_flag',`
  
  ########################################
  ## <summary>
@@ -11676,7 +12009,7 @@ index 958ca84..a595aa7 100644
  ##	Read files in /etc that are dynamically
  ##	created on boot, such as mtab.
  ## </summary>
-@@ -2623,6 +2773,24 @@ interface(`files_read_etc_runtime_files',`
+@@ -2623,6 +2791,24 @@ interface(`files_read_etc_runtime_files',`
  
  ########################################
  ## <summary>
@@ -11701,7 +12034,7 @@ index 958ca84..a595aa7 100644
  ##	Do not audit attempts to read files
  ##	in /etc that are dynamically
  ##	created on boot, such as mtab.
-@@ -3104,6 +3272,7 @@ interface(`files_getattr_home_dir',`
+@@ -3104,6 +3290,7 @@ interface(`files_getattr_home_dir',`
  	')
  
  	allow $1 home_root_t:dir getattr;
@@ -11709,7 +12042,7 @@ index 958ca84..a595aa7 100644
  ')
  
  ########################################
-@@ -3124,6 +3293,7 @@ interface(`files_dontaudit_getattr_home_dir',`
+@@ -3124,6 +3311,7 @@ interface(`files_dontaudit_getattr_home_dir',`
  	')
  
  	dontaudit $1 home_root_t:dir getattr;
@@ -11717,7 +12050,7 @@ index 958ca84..a595aa7 100644
  ')
  
  ########################################
-@@ -3287,6 +3457,24 @@ interface(`files_dontaudit_getattr_lost_found_dirs',`
+@@ -3287,6 +3475,24 @@ interface(`files_dontaudit_getattr_lost_found_dirs',`
  	dontaudit $1 lost_found_t:dir getattr;
  ')
  
@@ -11742,7 +12075,7 @@ index 958ca84..a595aa7 100644
  ########################################
  ## <summary>
  ##	Create, read, write, and delete objects in
-@@ -3365,6 +3553,43 @@ interface(`files_list_mnt',`
+@@ -3365,6 +3571,43 @@ interface(`files_list_mnt',`
  	allow $1 mnt_t:dir list_dir_perms;
  ')
  
@@ -11786,7 +12119,7 @@ index 958ca84..a595aa7 100644
  ########################################
  ## <summary>
  ##	Mount a filesystem on /mnt.
-@@ -3438,6 +3663,24 @@ interface(`files_read_mnt_files',`
+@@ -3438,6 +3681,24 @@ interface(`files_read_mnt_files',`
  	read_files_pattern($1, mnt_t, mnt_t)
  ')
  
@@ -11811,7 +12144,7 @@ index 958ca84..a595aa7 100644
  ########################################
  ## <summary>
  ##	Create, read, write, and delete symbolic links in /mnt.
-@@ -3729,6 +3972,99 @@ interface(`files_read_world_readable_sockets',`
+@@ -3729,6 +3990,99 @@ interface(`files_read_world_readable_sockets',`
  	allow $1 readable_t:sock_file read_sock_file_perms;
  ')
  
@@ -11911,7 +12244,7 @@ index 958ca84..a595aa7 100644
  ########################################
  ## <summary>
  ##	Allow the specified type to associate
-@@ -3914,6 +4250,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -3914,6 +4268,32 @@ interface(`files_manage_generic_tmp_dirs',`
  
  ########################################
  ## <summary>
@@ -11944,7 +12277,7 @@ index 958ca84..a595aa7 100644
  ##	Manage temporary files and directories in /tmp.
  ## </summary>
  ## <param name="domain">
-@@ -3968,7 +4330,7 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -3968,7 +4348,7 @@ interface(`files_rw_generic_tmp_sockets',`
  
  ########################################
  ## <summary>
@@ -11953,7 +12286,7 @@ index 958ca84..a595aa7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3976,17 +4338,17 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -3976,17 +4356,17 @@ interface(`files_rw_generic_tmp_sockets',`
  ##	</summary>
  ## </param>
  #
@@ -11975,7 +12308,7 @@ index 958ca84..a595aa7 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3994,45 +4356,123 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -3994,22 +4374,100 @@ interface(`files_setattr_all_tmp_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -12000,36 +12333,31 @@ index 958ca84..a595aa7 100644
  ##	<summary>
 -##	Domain not to audit.
 +##	Domain allowed access.
- ##	</summary>
- ## </param>
++##	</summary>
++## </param>
 +## <rolecap/>
- #
--interface(`files_dontaudit_getattr_all_tmp_files',`
++#
 +interface(`files_relabel_all_tmp_dirs',`
- 	gen_require(`
- 		attribute tmpfile;
++	gen_require(`
++		attribute tmpfile;
 +		type var_t;
- 	')
- 
--	dontaudit $1 tmpfile:file getattr;
++	')
++
 +	allow $1 var_t:dir search_dir_perms;
 +	relabel_dirs_pattern($1, tmpfile, tmpfile)
- ')
- 
- ########################################
- ## <summary>
--##	Allow attempts to get the attributes
--##	of all tmp files.
++')
++
++########################################
++## <summary>
 +##	Relabel all tmp files.
- ## </summary>
- ## <param name="domain">
- ##	<summary>
- ##	Domain allowed access.
- ##	</summary>
- ## </param>
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
 +## <rolecap/>
- #
--interface(`files_getattr_all_tmp_files',`
++#
 +interface(`files_relabel_all_tmp_files',`
 +	gen_require(`
 +		attribute tmpfile;
@@ -12084,33 +12412,10 @@ index 958ca84..a595aa7 100644
 +## <param name="domain">
 +##	<summary>
 +##	Domain not to audit.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_dontaudit_getattr_all_tmp_files',`
-+	gen_require(`
-+		attribute tmpfile;
-+	')
-+
-+	dontaudit $1 tmpfile:file getattr;
-+')
-+
-+########################################
-+## <summary>
-+##	Allow attempts to get the attributes
-+##	of all tmp files.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`files_getattr_all_tmp_files',`
- 	gen_require(`
- 		attribute tmpfile;
- 	')
-@@ -4127,6 +4567,15 @@ interface(`files_purge_tmp',`
+ ##	</summary>
+ ## </param>
+ #
+@@ -4127,6 +4585,15 @@ interface(`files_purge_tmp',`
  	delete_lnk_files_pattern($1, tmpfile, tmpfile)
  	delete_fifo_files_pattern($1, tmpfile, tmpfile)
  	delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -12126,7 +12431,7 @@ index 958ca84..a595aa7 100644
  ')
  
  ########################################
-@@ -4736,6 +5185,24 @@ interface(`files_read_var_files',`
+@@ -4736,6 +5203,24 @@ interface(`files_read_var_files',`
  
  ########################################
  ## <summary>
@@ -12151,7 +12456,7 @@ index 958ca84..a595aa7 100644
  ##	Read and write files in the /var directory.
  ## </summary>
  ## <param name="domain">
-@@ -5071,6 +5538,25 @@ interface(`files_manage_mounttab',`
+@@ -5071,6 +5556,25 @@ interface(`files_manage_mounttab',`
  
  ########################################
  ## <summary>
@@ -12177,7 +12482,7 @@ index 958ca84..a595aa7 100644
  ##	Search the locks directory (/var/lock).
  ## </summary>
  ## <param name="domain">
-@@ -5084,6 +5570,7 @@ interface(`files_search_locks',`
+@@ -5084,6 +5588,7 @@ interface(`files_search_locks',`
  		type var_t, var_lock_t;
  	')
  
@@ -12185,7 +12490,7 @@ index 958ca84..a595aa7 100644
  	search_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5108,6 +5595,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5108,6 +5613,26 @@ interface(`files_dontaudit_search_locks',`
  
  ########################################
  ## <summary>
@@ -12212,7 +12517,7 @@ index 958ca84..a595aa7 100644
  ##	Add and remove entries in the /var/lock
  ##	directories.
  ## </summary>
-@@ -5122,6 +5629,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5122,6 +5647,7 @@ interface(`files_rw_lock_dirs',`
  		type var_t, var_lock_t;
  	')
  
@@ -12220,7 +12525,7 @@ index 958ca84..a595aa7 100644
  	rw_dirs_pattern($1, var_t, var_lock_t)
  ')
  
-@@ -5142,6 +5650,7 @@ interface(`files_getattr_generic_locks',`
+@@ -5142,6 +5668,7 @@ interface(`files_getattr_generic_locks',`
  
  	allow $1 var_t:dir search_dir_perms;
  	allow $1 var_lock_t:dir list_dir_perms;
@@ -12228,7 +12533,7 @@ index 958ca84..a595aa7 100644
  	getattr_files_pattern($1, var_lock_t, var_lock_t)
  ')
  
-@@ -5156,12 +5665,13 @@ interface(`files_getattr_generic_locks',`
+@@ -5156,12 +5683,13 @@ interface(`files_getattr_generic_locks',`
  ## </param>
  #
  interface(`files_delete_generic_locks',`
@@ -12246,7 +12551,7 @@ index 958ca84..a595aa7 100644
  ')
  
  ########################################
-@@ -5181,6 +5691,7 @@ interface(`files_manage_generic_locks',`
+@@ -5181,6 +5709,7 @@ interface(`files_manage_generic_locks',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -12254,7 +12559,7 @@ index 958ca84..a595aa7 100644
  	manage_files_pattern($1, var_lock_t, var_lock_t)
  ')
  
-@@ -5207,6 +5718,27 @@ interface(`files_delete_all_locks',`
+@@ -5207,6 +5736,27 @@ interface(`files_delete_all_locks',`
  
  ########################################
  ## <summary>
@@ -12282,7 +12587,7 @@ index 958ca84..a595aa7 100644
  ##	Read all lock files.
  ## </summary>
  ## <param name="domain">
-@@ -5224,6 +5756,7 @@ interface(`files_read_all_locks',`
+@@ -5224,6 +5774,7 @@ interface(`files_read_all_locks',`
  	allow $1 { var_t var_lock_t }:dir search_dir_perms;
  	allow $1 lockfile:dir list_dir_perms;
  	read_files_pattern($1, lockfile, lockfile)
@@ -12290,7 +12595,7 @@ index 958ca84..a595aa7 100644
  	read_lnk_files_pattern($1, lockfile, lockfile)
  ')
  
-@@ -5244,6 +5777,7 @@ interface(`files_manage_all_locks',`
+@@ -5244,6 +5795,7 @@ interface(`files_manage_all_locks',`
  	')
  
  	allow $1 { var_t var_lock_t }:dir search_dir_perms;
@@ -12298,7 +12603,7 @@ index 958ca84..a595aa7 100644
  	manage_dirs_pattern($1, lockfile, lockfile)
  	manage_files_pattern($1, lockfile, lockfile)
  	manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5276,6 +5810,7 @@ interface(`files_lock_filetrans',`
+@@ -5276,6 +5828,7 @@ interface(`files_lock_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -12306,10 +12611,13 @@ index 958ca84..a595aa7 100644
  	filetrans_pattern($1, var_lock_t, $2, $3)
  ')
  
-@@ -5335,6 +5870,43 @@ interface(`files_search_pids',`
- 	search_dirs_pattern($1, var_t, var_run_t)
- ')
+@@ -5333,6 +5886,44 @@ interface(`files_search_pids',`
+ 	')
  
+ 	search_dirs_pattern($1, var_t, var_run_t)
++	read_lnk_files_pattern($1, var_t, var_run_t)
++')
++
 +######################################
 +## <summary>
 +## Add and remove entries from pid directories.
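Review bot: `read_lnk_files_pattern($1, var_t, var_run_t)` is added to `files_search_pids` without a comment, so an interface named for a directory search now also grants reading `var_run_t` symlinks to every caller. If this is there because `/var/run` can be a symlink, which the new `/var/run -l` entry in files.fc suggests, say so above the line: `# /var/run may be a symlink; callers need to read it to reach the directory`. The interface summary lies outside the hunk and should be updated to match.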
@@ -12345,12 +12653,10 @@ index 958ca84..a595aa7 100644
 +
 +        allow $1 var_t:dir search_dir_perms;
 +        allow $1 var_run_t:dir create_dir_perms;
-+')
-+
+ ')
+ 
  ########################################
- ## <summary>
- ##	Do not audit attempts to search
-@@ -5542,6 +6114,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5542,6 +6133,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
@@ -12413,7 +12719,7 @@ index 958ca84..a595aa7 100644
  ##	Read all process ID files.
  ## </summary>
  ## <param name="domain">
-@@ -5559,6 +6187,44 @@ interface(`files_read_all_pids',`
+@@ -5559,6 +6206,44 @@ interface(`files_read_all_pids',`
  
  	list_dirs_pattern($1, var_t, pidfile)
  	read_files_pattern($1, pidfile, pidfile)
@@ -12458,7 +12764,7 @@ index 958ca84..a595aa7 100644
  ')
  
  ########################################
-@@ -5844,3 +6510,284 @@ interface(`files_unconfined',`
+@@ -5844,3 +6529,284 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -12808,7 +13114,7 @@ index 59bae6a..2e55e71 100644
 +/dev/hugepages	-d	gen_context(system_u:object_r:hugetlbfs_t,s0)
 +/dev/hugepages(/.*)?		<<none>>
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index dfe361a..be9572b 100644
+index dfe361a..79b4c0f 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',`
@@ -12821,7 +13127,7 @@ index dfe361a..be9572b 100644
  
  ########################################
  ## <summary>
-+##	Relabelto cgroup directories.
++##	Relabel cgroup directories.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -12843,7 +13149,7 @@ index dfe361a..be9572b 100644
  ##	list cgroup directories.
  ## </summary>
  ## <param name="domain">
-@@ -665,6 +685,7 @@ interface(`fs_list_cgroup_dirs', `
+@@ -665,9 +685,29 @@ interface(`fs_list_cgroup_dirs', `
  	')
  
  	list_dirs_pattern($1, cgroup_t, cgroup_t)
@@ -12851,7 +13157,29 @@ index dfe361a..be9572b 100644
  	dev_search_sysfs($1)
  ')
  
-@@ -684,6 +705,7 @@ interface(`fs_delete_cgroup_dirs', `
++#######################################
++## <summary>
++##  Dontaudit list cgroup directories.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`fs_dontaudit_search_cgroup_dirs', `
++    gen_require(`
++        type cgroup_t;
++    ')
++
++	dontaudit $1 cgroup_t:dir search_dir_perms;
++	dev_dontaudit_search_sysfs($1)
++')
++
+ ########################################
+ ## <summary>
+ ##	Delete cgroup directories.
+@@ -684,6 +724,7 @@ interface(`fs_delete_cgroup_dirs', `
  	')
  
  	delete_dirs_pattern($1, cgroup_t, cgroup_t)
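Review bot: The summary of the new `fs_dontaudit_search_cgroup_dirs` says `Dontaudit list cgroup directories.`, while the interface name and the rule `dontaudit $1 cgroup_t:dir search_dir_perms;` are about search; it should read `##	Do not audit attempts to search cgroup directories.`. The `gen_require` block is indented with spaces and the two rules with a tab, whereas the neighbouring `fs_list_cgroup_dirs` lines use tabs.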
@@ -12859,7 +13187,7 @@ index dfe361a..be9572b 100644
  	dev_search_sysfs($1)
  ')
  
-@@ -704,6 +726,7 @@ interface(`fs_manage_cgroup_dirs',`
+@@ -704,6 +745,7 @@ interface(`fs_manage_cgroup_dirs',`
  	')
  
  	manage_dirs_pattern($1, cgroup_t, cgroup_t)
@@ -12867,7 +13195,7 @@ index dfe361a..be9572b 100644
  	dev_search_sysfs($1)
  ')
  
-@@ -724,6 +747,7 @@ interface(`fs_read_cgroup_files',`
+@@ -724,6 +766,7 @@ interface(`fs_read_cgroup_files',`
  	')
  
  	read_files_pattern($1, cgroup_t, cgroup_t)
@@ -12875,7 +13203,7 @@ index dfe361a..be9572b 100644
  	dev_search_sysfs($1)
  ')
  
-@@ -743,6 +767,7 @@ interface(`fs_write_cgroup_files', `
+@@ -743,6 +786,7 @@ interface(`fs_write_cgroup_files', `
  	')
  
  	write_files_pattern($1, cgroup_t, cgroup_t)
@@ -12883,7 +13211,7 @@ index dfe361a..be9572b 100644
  	dev_search_sysfs($1)
  ')
  
-@@ -763,6 +788,7 @@ interface(`fs_rw_cgroup_files',`
+@@ -763,6 +807,7 @@ interface(`fs_rw_cgroup_files',`
  	')
  
  	rw_files_pattern($1, cgroup_t, cgroup_t)
@@ -12891,7 +13219,7 @@ index dfe361a..be9572b 100644
  	dev_search_sysfs($1)
  ')
  
-@@ -803,6 +829,7 @@ interface(`fs_manage_cgroup_files',`
+@@ -803,6 +848,7 @@ interface(`fs_manage_cgroup_files',`
  	')
  
  	manage_files_pattern($1, cgroup_t, cgroup_t)
@@ -12899,7 +13227,7 @@ index dfe361a..be9572b 100644
  	dev_search_sysfs($1)
  ')
  
-@@ -1052,6 +1079,24 @@ interface(`fs_list_noxattr_fs',`
+@@ -1052,6 +1098,24 @@ interface(`fs_list_noxattr_fs',`
  
  ########################################
  ## <summary>
@@ -12924,7 +13252,7 @@ index dfe361a..be9572b 100644
  ##	Create, read, write, and delete all noxattrfs directories.
  ## </summary>
  ## <param name="domain">
-@@ -1088,6 +1133,42 @@ interface(`fs_read_noxattr_fs_files',`
+@@ -1088,6 +1152,42 @@ interface(`fs_read_noxattr_fs_files',`
  
  ########################################
  ## <summary>
@@ -12967,7 +13295,7 @@ index dfe361a..be9572b 100644
  ##	Dont audit attempts to write to noxattrfs files.
  ## </summary>
  ## <param name="domain">
-@@ -1227,6 +1308,42 @@ interface(`fs_dontaudit_append_cifs_files',`
+@@ -1227,6 +1327,42 @@ interface(`fs_dontaudit_append_cifs_files',`
  
  ########################################
  ## <summary>
@@ -13010,7 +13338,7 @@ index dfe361a..be9572b 100644
  ##	Do not audit attempts to read or
  ##	write files on a CIFS or SMB filesystem.
  ## </summary>
-@@ -1241,7 +1358,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
+@@ -1241,7 +1377,7 @@ interface(`fs_dontaudit_rw_cifs_files',`
  		type cifs_t;
  	')
  
@@ -13019,7 +13347,7 @@ index dfe361a..be9572b 100644
  ')
  
  ########################################
-@@ -1504,6 +1621,25 @@ interface(`fs_cifs_domtrans',`
+@@ -1504,6 +1640,25 @@ interface(`fs_cifs_domtrans',`
  	domain_auto_transition_pattern($1, cifs_t, $2)
  ')
  
@@ -13045,7 +13373,7 @@ index dfe361a..be9572b 100644
  #######################################
  ## <summary>
  ##	Create, read, write, and delete dirs
-@@ -1659,6 +1795,25 @@ interface(`fs_search_dos',`
+@@ -1659,6 +1814,25 @@ interface(`fs_search_dos',`
  
  ########################################
  ## <summary>
@@ -13071,7 +13399,7 @@ index dfe361a..be9572b 100644
  ##	Create, read, write, and delete dirs
  ##	on a DOS filesystem.
  ## </summary>
-@@ -1774,6 +1929,24 @@ interface(`fs_unmount_fusefs',`
+@@ -1774,6 +1948,24 @@ interface(`fs_unmount_fusefs',`
  
  ########################################
  ## <summary>
@@ -13096,7 +13424,7 @@ index dfe361a..be9572b 100644
  ##	Search directories
  ##	on a FUSEFS filesystem.
  ## </summary>
-@@ -1892,6 +2065,26 @@ interface(`fs_manage_fusefs_files',`
+@@ -1892,6 +2084,26 @@ interface(`fs_manage_fusefs_files',`
  
  ########################################
  ## <summary>
@@ -13123,7 +13451,7 @@ index dfe361a..be9572b 100644
  ##	Do not audit attempts to create,
  ##	read, write, and delete files
  ##	on a FUSEFS filesystem.
-@@ -1931,7 +2124,26 @@ interface(`fs_read_fusefs_symlinks',`
+@@ -1931,7 +2143,26 @@ interface(`fs_read_fusefs_symlinks',`
  
  ########################################
  ## <summary>
@@ -13151,7 +13479,7 @@ index dfe361a..be9572b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1946,6 +2158,41 @@ interface(`fs_rw_hugetlbfs_files',`
+@@ -1946,6 +2177,41 @@ interface(`fs_rw_hugetlbfs_files',`
  
  	rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
  ')
@@ -13193,7 +13521,7 @@ index dfe361a..be9572b 100644
  
  ########################################
  ## <summary>
-@@ -1999,6 +2246,7 @@ interface(`fs_list_inotifyfs',`
+@@ -1999,6 +2265,7 @@ interface(`fs_list_inotifyfs',`
  	')
  
  	allow $1 inotifyfs_t:dir list_dir_perms;
@@ -13201,7 +13529,7 @@ index dfe361a..be9572b 100644
  ')
  
  ########################################
-@@ -2331,6 +2579,7 @@ interface(`fs_read_nfs_files',`
+@@ -2331,6 +2598,7 @@ interface(`fs_read_nfs_files',`
  		type nfs_t;
  	')
  
@@ -13209,7 +13537,7 @@ index dfe361a..be9572b 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	read_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2369,6 +2618,7 @@ interface(`fs_write_nfs_files',`
+@@ -2369,6 +2637,7 @@ interface(`fs_write_nfs_files',`
  		type nfs_t;
  	')
  
@@ -13217,7 +13545,7 @@ index dfe361a..be9572b 100644
  	allow $1 nfs_t:dir list_dir_perms;
  	write_files_pattern($1, nfs_t, nfs_t)
  ')
-@@ -2395,6 +2645,25 @@ interface(`fs_exec_nfs_files',`
+@@ -2395,6 +2664,25 @@ interface(`fs_exec_nfs_files',`
  
  ########################################
  ## <summary>
@@ -13243,7 +13571,7 @@ index dfe361a..be9572b 100644
  ##	Append files
  ##	on a NFS filesystem.
  ## </summary>
-@@ -2435,6 +2704,42 @@ interface(`fs_dontaudit_append_nfs_files',`
+@@ -2435,6 +2723,42 @@ interface(`fs_dontaudit_append_nfs_files',`
  
  ########################################
  ## <summary>
@@ -13286,7 +13614,7 @@ index dfe361a..be9572b 100644
  ##	Do not audit attempts to read or
  ##	write files on a NFS filesystem.
  ## </summary>
-@@ -2449,7 +2754,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
+@@ -2449,7 +2773,7 @@ interface(`fs_dontaudit_rw_nfs_files',`
  		type nfs_t;
  	')
  
@@ -13295,7 +13623,7 @@ index dfe361a..be9572b 100644
  ')
  
  ########################################
-@@ -2637,6 +2942,24 @@ interface(`fs_dontaudit_read_removable_files',`
+@@ -2637,6 +2961,24 @@ interface(`fs_dontaudit_read_removable_files',`
  
  ########################################
  ## <summary>
@@ -13320,7 +13648,7 @@ index dfe361a..be9572b 100644
  ##	Read removable storage symbolic links.
  ## </summary>
  ## <param name="domain">
-@@ -2653,6 +2976,25 @@ interface(`fs_read_removable_symlinks',`
+@@ -2653,6 +2995,25 @@ interface(`fs_read_removable_symlinks',`
  	read_lnk_files_pattern($1, removable_t, removable_t)
  ')
  
@@ -13346,7 +13674,7 @@ index dfe361a..be9572b 100644
  ########################################
  ## <summary>
  ##	Read and write block nodes on removable filesystems.
-@@ -2779,6 +3121,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2779,6 +3140,7 @@ interface(`fs_manage_nfs_dirs',`
  		type nfs_t;
  	')
  
@@ -13354,7 +13682,7 @@ index dfe361a..be9572b 100644
  	allow $1 nfs_t:dir manage_dir_perms;
  ')
  
-@@ -2819,6 +3162,7 @@ interface(`fs_manage_nfs_files',`
+@@ -2819,6 +3181,7 @@ interface(`fs_manage_nfs_files',`
  		type nfs_t;
  	')
  
@@ -13362,7 +13690,7 @@ index dfe361a..be9572b 100644
  	manage_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -2845,7 +3189,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
+@@ -2845,7 +3208,7 @@ interface(`fs_dontaudit_manage_nfs_files',`
  #########################################
  ## <summary>
  ##	Create, read, write, and delete symbolic links
@@ -13371,7 +13699,7 @@ index dfe361a..be9572b 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2859,6 +3203,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -2859,6 +3222,7 @@ interface(`fs_manage_nfs_symlinks',`
  		type nfs_t;
  	')
  
@@ -13379,7 +13707,7 @@ index dfe361a..be9572b 100644
  	manage_lnk_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3772,6 +4117,24 @@ interface(`fs_dontaudit_list_tmpfs',`
+@@ -3772,6 +4136,42 @@ interface(`fs_dontaudit_list_tmpfs',`
  
  ########################################
  ## <summary>
@@ -13401,10 +13729,28 @@ index dfe361a..be9572b 100644
 +
 +########################################
 +## <summary>
++##	Relabel files  on tmpfs filesystems.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fs_relabel_tmpfs_files',`
++	gen_require(`
++		type tmpfs_t;
++	')
++
++	relabel_files_pattern($1, tmpfs_t, tmpfs_t)
++')
++
++########################################
++## <summary>
  ##	Create, read, write, and delete
  ##	tmpfs directories
  ## </summary>
-@@ -3989,6 +4352,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -3989,6 +4389,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
  
  ########################################
  ## <summary>
@@ -13429,7 +13775,7 @@ index dfe361a..be9572b 100644
  ##	Relabel character nodes on tmpfs filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4271,6 +4652,8 @@ interface(`fs_mount_all_fs',`
+@@ -4271,6 +4689,8 @@ interface(`fs_mount_all_fs',`
  	')
  
  	allow $1 filesystem_type:filesystem mount;
@@ -13438,7 +13784,7 @@ index dfe361a..be9572b 100644
  ')
  
  ########################################
-@@ -4681,3 +5064,24 @@ interface(`fs_unconfined',`
+@@ -4681,3 +5101,24 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -15698,10 +16044,10 @@ index 0000000..8b2cdf3
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..77c513d
+index 0000000..805d0ea
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,499 @@
+@@ -0,0 +1,503 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -16035,9 +16381,9 @@ index 0000000..77c513d
 +	lpd_run_checkpc(unconfined_t, unconfined_r)
 +')
 +
-+optional_policy(`
-+	mock_role(unconfined_r, unconfined_t)
-+')
++#optional_policy(`
++#	mock_role(unconfined_r, unconfined_t)
++#')
 +
 +optional_policy(`
 +	modutils_run_update_mods(unconfined_t, unconfined_r)
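Review bot: The `mock_role(unconfined_r, unconfined_t)` block in unconfineduser.te is commented out rather than removed, and nothing records why. A later reader cannot tell whether this is a temporary workaround or a deliberate policy decision. Either delete the three lines or put a reason above them, for example `# mock_role disabled: <reason / bug reference — TODO fill in>`.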
@@ -16089,6 +16435,10 @@ index 0000000..77c513d
 +')
 +
 +optional_policy(`
++	quota_run(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
 +	rpm_run(unconfined_t, unconfined_r)
 +	# Allow SELinux aware applications to request rpm_script execution
 +	rpm_transition_script(unconfined_t)
@@ -16202,10 +16552,10 @@ index 0000000..77c513d
 +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 +
 diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index e5bfdd4..10d03a3 100644
+index e5bfdd4..0e1c254 100644
 --- a/policy/modules/roles/unprivuser.te
 +++ b/policy/modules/roles/unprivuser.te
-@@ -12,15 +12,67 @@ role user_r;
+@@ -12,15 +12,72 @@ role user_r;
  
  userdom_unpriv_user_template(user)
  
@@ -16229,6 +16579,7 @@ index e5bfdd4..10d03a3 100644
 +
 +optional_policy(`
 +	gnome_role(user_r, user_t)
++
 +')
 +
 +optional_policy(`
@@ -16258,6 +16609,10 @@ index e5bfdd4..10d03a3 100644
 +')
 +
 +optional_policy(`
++	ssh_role_template(user, user_r, user_t)
++')
++
++optional_policy(`
  	screen_role_template(user, user_r, user_t)
  ')
  
@@ -16273,7 +16628,7 @@ index e5bfdd4..10d03a3 100644
  	vlock_run(user_t, user_r)
  ')
  
-@@ -62,10 +114,6 @@ ifndef(`distro_redhat',`
+@@ -62,10 +119,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -16284,16 +16639,20 @@ index e5bfdd4..10d03a3 100644
  		gpg_role(user_r, user_t)
  	')
  
-@@ -118,7 +166,7 @@ ifndef(`distro_redhat',`
+@@ -118,11 +171,7 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
 -	spamassassin_role(user_r, user_t)
+-	')
+-
+-	optional_policy(`
+-		ssh_role_template(user, user_r, user_t)
 +		spamassassin_role(user_r, user_t)
  	')
  
  	optional_policy(`
-@@ -157,3 +205,4 @@ ifndef(`distro_redhat',`
+@@ -157,3 +206,4 @@ ifndef(`distro_redhat',`
  		wireshark_role(user_r, user_t)
  	')
  ')
@@ -17338,6 +17697,19 @@ index 0000000..3d0fd88
 +	ssh_basic_client_template(ajaxterm, ajaxterm_t, system_r)
 +')
 +
+diff --git a/policy/modules/services/amavis.fc b/policy/modules/services/amavis.fc
+index d96fdfa..e07158f 100644
+--- a/policy/modules/services/amavis.fc
++++ b/policy/modules/services/amavis.fc
+@@ -4,7 +4,7 @@
+ /etc/rc\.d/init\.d/amavis	--	gen_context(system_u:object_r:amavis_initrc_exec_t,s0)
+ 
+ /usr/sbin/amavisd.*		--	gen_context(system_u:object_r:amavis_exec_t,s0)
+-/usr/lib(64)?/AntiVir/antivir	--	gen_context(system_u:object_r:amavis_exec_t,s0)
++/usr/lib/AntiVir/antivir	--	gen_context(system_u:object_r:amavis_exec_t,s0)
+ 
+ ifdef(`distro_debian',`
+ /usr/sbin/amavisd-new-cronjob	--	gen_context(system_u:object_r:amavis_exec_t,s0)
 diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if
 index ceb2142..e31d92a 100644
 --- a/policy/modules/services/amavis.if
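Review bot: Dropping the `(64)?` alternation from `/usr/lib(64)?/AntiVir/antivir` keeps the `amavis_exec_t` label on 64-bit hosts only if the labeling tools map `/usr/lib64` onto `/usr/lib`. No such equivalence rule is visible in this part of the patch, so it should be confirmed before this lands. The same rewrite appears in the apache.fc, courier.fc, cups.fc, cyrus.fc, dbus.fc (`/lib64`), dirsrv-admin.fc, inn.fc and mailman.fc hunks. Without the mapping, executables under `/usr/lib64` would presumably get a generic label and the services would not transition into their confined domains. A comment in each .fc file would record the dependency, e.g. `# /usr/lib64 and /lib64 entries rely on the file-context equivalence with /usr/lib and /lib`.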
@@ -17431,7 +17803,7 @@ index c3a1903..19fb14a 100644
  ')
  
 diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..7ba3b11 100644
+index 9e39aa5..ec27284 100644
 --- a/policy/modules/services/apache.fc
 +++ b/policy/modules/services/apache.fc
 @@ -2,7 +2,7 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
@@ -17443,14 +17815,26 @@ index 9e39aa5..7ba3b11 100644
  /etc/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /etc/httpd(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
  /etc/httpd/conf/keytab		--	gen_context(system_u:object_r:httpd_keytab_t,s0)
-@@ -24,7 +24,6 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
+@@ -24,13 +24,12 @@ HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_u
  
  /usr/lib/apache-ssl/.+		--	gen_context(system_u:object_r:httpd_exec_t,s0)
  /usr/lib/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 -/usr/lib/dirsrv/cgi-bin(/.*)?		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
- /usr/lib(64)?/apache(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
- /usr/lib(64)?/apache2/modules(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
- /usr/lib(64)?/apache(2)?/suexec(2)? --	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+-/usr/lib(64)?/apache(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
+-/usr/lib(64)?/apache2/modules(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
+-/usr/lib(64)?/apache(2)?/suexec(2)? --	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+-/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+-/usr/lib(64)?/httpd(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
+-/usr/lib(64)?/lighttpd(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
++/usr/lib/apache(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
++/usr/lib/apache2/modules(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
++/usr/lib/apache(2)?/suexec(2)? --	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
++/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
++/usr/lib/httpd(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
++/usr/lib/lighttpd(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
+ 
+ /usr/sbin/apache(2)?		--	gen_context(system_u:object_r:httpd_exec_t,s0)
+ /usr/sbin/apache-ssl(2)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
 @@ -43,8 +42,9 @@ ifdef(`distro_suse', `
  /usr/sbin/httpd2-.*		--	gen_context(system_u:object_r:httpd_exec_t,s0)
  ')
@@ -19073,7 +19457,7 @@ index 1ea99b2..49e6c74 100644
 +	stream_connect_pattern($1, apmd_var_run_t, apmd_var_run_t, apmd_t)
  ')
 diff --git a/policy/modules/services/apm.te b/policy/modules/services/apm.te
-index 1c8c27e..6ddb10d 100644
+index 1c8c27e..a960ba0 100644
 --- a/policy/modules/services/apm.te
 +++ b/policy/modules/services/apm.te
 @@ -4,6 +4,7 @@ policy_module(apm, 1.11.0)
@@ -19110,7 +19494,16 @@ index 1c8c27e..6ddb10d 100644
  dev_read_realtime_clock(apmd_t)
  dev_read_urand(apmd_t)
  dev_rw_apm_bios(apmd_t)
-@@ -127,9 +131,6 @@ logging_send_audit_msgs(apmd_t)
+@@ -114,6 +118,8 @@ files_dontaudit_getattr_all_symlinks(apmd_t) # Excessive?
+ files_dontaudit_getattr_all_pipes(apmd_t) # Excessive?
+ files_dontaudit_getattr_all_sockets(apmd_t) # Excessive?
+ 
++auth_use_nsswitch(apmd_t)
++
+ init_domtrans_script(apmd_t)
+ init_rw_utmp(apmd_t)
+ init_telinit(apmd_t)
+@@ -127,9 +133,6 @@ logging_send_audit_msgs(apmd_t)
  miscfiles_read_localization(apmd_t)
  miscfiles_read_hwdata(apmd_t)
  
@@ -19120,7 +19513,7 @@ index 1c8c27e..6ddb10d 100644
  seutil_dontaudit_read_config(apmd_t)
  
  userdom_dontaudit_use_unpriv_user_fds(apmd_t)
-@@ -142,9 +143,8 @@ ifdef(`distro_redhat',`
+@@ -142,9 +145,8 @@ ifdef(`distro_redhat',`
  
  	can_exec(apmd_t, apmd_var_run_t)
  
@@ -19131,7 +19524,7 @@ index 1c8c27e..6ddb10d 100644
  	')
  
  	optional_policy(`
-@@ -155,6 +155,15 @@ ifdef(`distro_redhat',`
+@@ -155,6 +157,15 @@ ifdef(`distro_redhat',`
  		netutils_domtrans(apmd_t)
  	')
  
@@ -19147,7 +19540,7 @@ index 1c8c27e..6ddb10d 100644
  ',`
  	# for ifconfig which is run all the time
  	kernel_dontaudit_search_sysctl(apmd_t)
-@@ -205,6 +214,11 @@ optional_policy(`
+@@ -205,6 +216,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -19159,7 +19552,7 @@ index 1c8c27e..6ddb10d 100644
  	pcmcia_domtrans_cardmgr(apmd_t)
  	pcmcia_domtrans_cardctl(apmd_t)
  ')
-@@ -218,9 +232,9 @@ optional_policy(`
+@@ -218,9 +234,9 @@ optional_policy(`
  	udev_read_state(apmd_t) #necessary?
  ')
  
@@ -19214,9 +19607,18 @@ index 8b8143e..c1a2b96 100644
  
  	init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
 diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
-index b3b0176..51cb893 100644
+index b3b0176..e343da3 100644
 --- a/policy/modules/services/asterisk.te
 +++ b/policy/modules/services/asterisk.te
+@@ -39,7 +39,7 @@ files_pid_file(asterisk_var_run_t)
+ #
+ 
+ # dac_override for /var/run/asterisk
+-allow asterisk_t self:capability { dac_override setgid setuid sys_nice net_admin };
++allow asterisk_t self:capability { dac_override chown setgid setuid sys_nice net_admin };
+ dontaudit asterisk_t self:capability sys_tty_config;
+ allow asterisk_t self:process { getsched setsched signal_perms getcap setcap };
+ allow asterisk_t self:fifo_file rw_fifo_file_perms;
 @@ -76,10 +76,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
  manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
  files_var_lib_filetrans(asterisk_t, asterisk_var_lib_t, file)
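Review bot: The `chown` capability added to `allow asterisk_t self:capability { dac_override chown setgid setuid sys_nice net_admin };` has no stated reason. The comment directly above the rule still justifies only `dac_override` for /var/run/asterisk. Capabilities on a network-facing daemon are worth documenting one by one, so the comment should be extended, e.g. `# dac_override for /var/run/asterisk; chown for <path the daemon re-owns — TODO confirm>`. If the need comes from a single startup step, it is also worth checking whether the init script could set ownership instead.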
@@ -19239,6 +19641,25 @@ index b3b0176..51cb893 100644
  corenet_tcp_connect_postgresql_port(asterisk_t)
  corenet_tcp_connect_snmp_port(asterisk_t)
  corenet_tcp_connect_sip_port(asterisk_t)
+@@ -125,6 +128,7 @@ files_search_spool(asterisk_t)
+ # demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm
+ # are labeled usr_t
+ files_read_usr_files(asterisk_t)
++files_dontaudit_search_home(asterisk_t)
+ 
+ fs_getattr_all_fs(asterisk_t)
+ fs_list_inotifyfs(asterisk_t)
+@@ -141,6 +145,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
+ userdom_dontaudit_search_user_home_dirs(asterisk_t)
+ 
+ optional_policy(`
++	alsa_read_rw_config(asterisk_t)
++')
++
++optional_policy(`
+ 	mysql_stream_connect(asterisk_t)
+ ')
+ 
 diff --git a/policy/modules/services/automount.if b/policy/modules/services/automount.if
 index d80a16b..a43e006 100644
 --- a/policy/modules/services/automount.if
@@ -19591,7 +20012,7 @@ index f4e7ad3..68aebc4 100644
  corenet_tcp_connect_jabber_client_port(bitlbee_t)
  corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
 diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
-index 3e45431..fa57a6f 100644
+index 3e45431..4aa8fb1 100644
 --- a/policy/modules/services/bluetooth.if
 +++ b/policy/modules/services/bluetooth.if
 @@ -14,6 +14,7 @@
@@ -19629,7 +20050,7 @@ index 3e45431..fa57a6f 100644
 +## </summary>
 +## <param name="domain">
 +##	<summary>
-+##	Domain allowed access.
++##	Domain to not audit.
 +##	</summary>
 +## </param>
 +#
@@ -22023,10 +22444,10 @@ index 0000000..939d76e
 +')
 diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
 new file mode 100644
-index 0000000..36d4c6d
+index 0000000..694e975
 --- /dev/null
 +++ b/policy/modules/services/colord.te
-@@ -0,0 +1,76 @@
+@@ -0,0 +1,77 @@
 +policy_module(colord,1.0.0)
 +
 +########################################
@@ -22051,6 +22472,7 @@ index 0000000..36d4c6d
 +allow colord_t self:fifo_file rw_fifo_file_perms;
 +allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
 +allow colord_t self:udp_socket create_socket_perms;
++allow colord_t self:unix_dgram_socket create_socket_perms;
 +
 +manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
 +manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
@@ -22398,6 +22820,35 @@ index 7d2cf85..92b621a 100644
  ')
  
  optional_policy(`
+diff --git a/policy/modules/services/courier.fc b/policy/modules/services/courier.fc
+index f1bf79a..7be46b4 100644
+--- a/policy/modules/services/courier.fc
++++ b/policy/modules/services/courier.fc
+@@ -6,15 +6,15 @@
+ /usr/sbin/courierldapaliasd		--	gen_context(system_u:object_r:courier_exec_t,s0)
+ /usr/sbin/couriertcpd			--	gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+ 
+-/usr/lib(64)?/courier/authlib/.*	--	gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
+-/usr/lib(64)?/courier/courier/.*	--	gen_context(system_u:object_r:courier_exec_t,s0)
+-/usr/lib(64)?/courier/courier/courierpop.* --	gen_context(system_u:object_r:courier_pop_exec_t,s0)
+-/usr/lib(64)?/courier/courier/imaplogin --	gen_context(system_u:object_r:courier_pop_exec_t,s0)
+-/usr/lib(64)?/courier/courier/pcpd	--	gen_context(system_u:object_r:courier_pcp_exec_t,s0)
+-/usr/lib(64)?/courier/imapd		--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
+-/usr/lib(64)?/courier/pop3d		--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
+-/usr/lib(64)?/courier/rootcerts(/.*)?		gen_context(system_u:object_r:courier_etc_t,s0)
+-/usr/lib(64)?/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
++/usr/lib/courier/authlib/.*	--	gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
++/usr/lib/courier/courier/.*	--	gen_context(system_u:object_r:courier_exec_t,s0)
++/usr/lib/courier/courier/courierpop.* --	gen_context(system_u:object_r:courier_pop_exec_t,s0)
++/usr/lib/courier/courier/imaplogin --	gen_context(system_u:object_r:courier_pop_exec_t,s0)
++/usr/lib/courier/courier/pcpd	--	gen_context(system_u:object_r:courier_pcp_exec_t,s0)
++/usr/lib/courier/imapd		--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
++/usr/lib/courier/pop3d		--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
++/usr/lib/courier/rootcerts(/.*)?		gen_context(system_u:object_r:courier_etc_t,s0)
++/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
+ 
+ /var/lib/courier(/.*)?			--	gen_context(system_u:object_r:courier_var_lib_t,s0)
+ 
 diff --git a/policy/modules/services/courier.if b/policy/modules/services/courier.if
 index 9971337..f081899 100644
 --- a/policy/modules/services/courier.if
@@ -22804,7 +23255,7 @@ index 35241ed..b6c4cc9 100644
 +	manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
  ')
 diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f7583ab..220ba1b 100644
+index f7583ab..254e671 100644
 --- a/policy/modules/services/cron.te
 +++ b/policy/modules/services/cron.te
 @@ -10,18 +10,18 @@ gen_require(`
@@ -22933,7 +23384,7 @@ index f7583ab..220ba1b 100644
  
  # need auth_chkpwd to check for locked accounts.
  auth_domtrans_chk_passwd(crond_t)
-+auth_read_var_auth(crond_t)
++auth_manage_var_auth(crond_t)
  
  corecmd_exec_shell(crond_t)
  corecmd_list_bin(crond_t)
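Review bot: `auth_manage_var_auth(crond_t)` replaces the earlier `auth_read_var_auth(crond_t)`, which, judging by the interface names, widens crond from reading the auth state files to creating, writing and deleting them. The only nearby comment, `# need auth_chkpwd to check for locked accounts.`, describes a read-only need. The interface definition is outside this hunk, so the exact permission set should be confirmed there. Add a why-comment above the line, e.g. `# <PAM module run by crond> updates its state under var_auth — TODO confirm`, and use a narrower grant if write access alone is enough.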
@@ -23210,10 +23661,22 @@ index f7583ab..220ba1b 100644
  ')
  
 diff --git a/policy/modules/services/cups.fc b/policy/modules/services/cups.fc
-index 1b492ed..76480c2 100644
+index 1b492ed..c79454d 100644
 --- a/policy/modules/services/cups.fc
 +++ b/policy/modules/services/cups.fc
-@@ -56,6 +56,7 @@
+@@ -28,11 +28,8 @@
+ 
+ # keep as separate lines to ensure proper sorting
+ /usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
+-/usr/lib64/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
+ /usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
+-/usr/lib64/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
+ /usr/lib/cups/backend/hp.* --	gen_context(system_u:object_r:hplip_exec_t,s0)
+-/usr/lib64/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
+ 
+ /usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+ /usr/libexec/hal_lpadmin --	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
+@@ -56,6 +53,7 @@
  
  /var/lib/cups/certs	-d	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
  /var/lib/cups/certs/.*	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -23221,7 +23684,7 @@ index 1b492ed..76480c2 100644
  
  /var/lib/hp(/.*)?		gen_context(system_u:object_r:hplip_var_lib_t,s0)
  
-@@ -64,10 +65,16 @@
+@@ -64,10 +62,16 @@
  
  /var/ccpd(/.*)?			gen_context(system_u:object_r:cupsd_var_run_t,s0)
  /var/ekpd(/.*)?			gen_context(system_u:object_r:cupsd_var_run_t,s0)
@@ -23291,7 +23754,7 @@ index 305ddf4..777091a 100644
  
  	admin_pattern($1, ptal_etc_t)
 diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
-index 0f28095..1c96265 100644
+index 0f28095..cda064a 100644
 --- a/policy/modules/services/cups.te
 +++ b/policy/modules/services/cups.te
 @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -23392,7 +23855,18 @@ index 0f28095..1c96265 100644
  
  domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
  
-@@ -425,11 +434,10 @@ seutil_dontaudit_search_config(cupsd_config_t)
+@@ -393,6 +402,10 @@ dev_read_sysfs(cupsd_config_t)
+ dev_read_urand(cupsd_config_t)
+ dev_read_rand(cupsd_config_t)
+ dev_rw_generic_usb_dev(cupsd_config_t)
++ifdef(`hide_broken_symptoms', `
++      dev_rw_generic_chr_files(cupsd_config_t)
++')
++
+ 
+ files_search_all_mountpoints(cupsd_config_t)
+ 
+@@ -425,11 +438,10 @@ seutil_dontaudit_search_config(cupsd_config_t)
  
  userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
  userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
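Review bot: The new `ifdef(`hide_broken_symptoms', ...)` block in cups.te wraps `dev_rw_generic_chr_files(cupsd_config_t)`, which by its name grants read/write access rather than silencing a denial. That conditional normally guards `dontaudit` rules, so enabling it here would widen what cupsd_config_t can touch to any generically labelled character device. If the intent is only to hide noise from a mislabelled node, a dontaudit-style interface would fit the conditional better. If real access is needed, label the specific device and document it, e.g. `# cups-pk-helper opens <device> before it is relabelled — TODO confirm`. The block also leaves two consecutive blank lines after the closing `')`.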
@@ -23405,7 +23879,7 @@ index 0f28095..1c96265 100644
  ifdef(`distro_redhat',`
  	optional_policy(`
  		rpm_read_db(cupsd_config_t)
-@@ -453,6 +461,10 @@ optional_policy(`
+@@ -453,6 +465,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23416,7 +23890,7 @@ index 0f28095..1c96265 100644
  	hal_domtrans(cupsd_config_t)
  	hal_read_tmp_files(cupsd_config_t)
  	hal_dontaudit_use_fds(hplip_t)
-@@ -467,6 +479,10 @@ optional_policy(`
+@@ -467,6 +483,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23427,7 +23901,7 @@ index 0f28095..1c96265 100644
  	policykit_dbus_chat(cupsd_config_t)
  	userdom_read_all_users_state(cupsd_config_t)
  ')
-@@ -587,13 +603,17 @@ auth_use_nsswitch(cups_pdf_t)
+@@ -587,13 +607,17 @@ auth_use_nsswitch(cups_pdf_t)
  
  miscfiles_read_localization(cups_pdf_t)
  miscfiles_read_fonts(cups_pdf_t)
@@ -23447,7 +23921,7 @@ index 0f28095..1c96265 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_search_auto_mountpoints(cups_pdf_t)
-@@ -606,6 +626,10 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -606,6 +630,10 @@ tunable_policy(`use_samba_home_dirs',`
  	fs_manage_cifs_files(cups_pdf_t)
  ')
  
@@ -23458,7 +23932,7 @@ index 0f28095..1c96265 100644
  ########################################
  #
  # HPLIP local policy
-@@ -639,7 +663,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
+@@ -639,7 +667,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
  manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
  
  manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
@@ -23467,7 +23941,7 @@ index 0f28095..1c96265 100644
  
  manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
  files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-@@ -685,6 +709,7 @@ domain_use_interactive_fds(hplip_t)
+@@ -685,6 +713,7 @@ domain_use_interactive_fds(hplip_t)
  files_read_etc_files(hplip_t)
  files_read_etc_runtime_files(hplip_t)
  files_read_usr_files(hplip_t)
@@ -23475,7 +23949,7 @@ index 0f28095..1c96265 100644
  
  logging_send_syslog_msg(hplip_t)
  
-@@ -696,8 +721,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+@@ -696,8 +725,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
  userdom_dontaudit_search_user_home_dirs(hplip_t)
  userdom_dontaudit_search_user_home_content(hplip_t)
  
@@ -23580,6 +24054,17 @@ index 9d44538..7e9057e 100644
  ## </param>
  #
  interface(`cyphesis_domtrans',`
+diff --git a/policy/modules/services/cyrus.fc b/policy/modules/services/cyrus.fc
+index 445d93d..a5bce33 100644
+--- a/policy/modules/services/cyrus.fc
++++ b/policy/modules/services/cyrus.fc
+@@ -1,5 +1,5 @@
+ /etc/rc\.d/init\.d/cyrus		--	gen_context(system_u:object_r:cyrus_initrc_exec_t,s0)
+ 
+-/usr/lib(64)?/cyrus-imapd/cyrus-master	--	gen_context(system_u:object_r:cyrus_exec_t,s0)
++/usr/lib/cyrus-imapd/cyrus-master	--	gen_context(system_u:object_r:cyrus_exec_t,s0)
+ 
+ /var/lib/imap(/.*)?				gen_context(system_u:object_r:cyrus_var_lib_t,s0)
 diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te
 index e182bf4..aab657c 100644
 --- a/policy/modules/services/cyrus.te
@@ -23625,6 +24110,18 @@ index a8b93c0..831ce70 100644
  
  type dante_var_run_t;
  files_pid_file(dante_var_run_t)
+diff --git a/policy/modules/services/dbus.fc b/policy/modules/services/dbus.fc
+index 81eba14..d0ab56c 100644
+--- a/policy/modules/services/dbus.fc
++++ b/policy/modules/services/dbus.fc
+@@ -3,7 +3,6 @@
+ /bin/dbus-daemon 	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
+ 
+ /lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+-/lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
+ 
+ /usr/bin/dbus-daemon(-1)? --	gen_context(system_u:object_r:dbusd_exec_t,s0)
+ /usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
 diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
 index 0d5711c..85a1dc0 100644
 --- a/policy/modules/services/dbus.if
@@ -24173,7 +24670,7 @@ index 418a5a0..28d9e41 100644
  /var/run/udisks(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
  /var/run/upower(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
 diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
-index f706b99..22b862e 100644
+index f706b99..30954ba 100644
 --- a/policy/modules/services/devicekit.if
 +++ b/policy/modules/services/devicekit.if
 @@ -5,9 +5,9 @@
@@ -24188,7 +24685,35 @@ index f706b99..22b862e 100644
  ## </param>
  #
  interface(`devicekit_domtrans',`
-@@ -118,6 +118,44 @@ interface(`devicekit_dbus_chat_power',`
+@@ -81,6 +81,27 @@ interface(`devicekit_dbus_chat_disk',`
+ 
+ ########################################
+ ## <summary>
++##	Dontaudit Send and receive messages from
++##	devicekit disk over dbus.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`devicekit_dontaudit_dbus_chat_disk',`
++	gen_require(`
++		type devicekit_disk_t;
++		class dbus send_msg;
++	')
++
++	dontaudit $1 devicekit_disk_t:dbus send_msg;
++	dontaudit devicekit_disk_t $1:dbus send_msg;
++')
++
++########################################
++## <summary>
+ ##	Send signal devicekit power
+ ## </summary>
+ ## <param name="domain">
+@@ -118,6 +139,44 @@ interface(`devicekit_dbus_chat_power',`
  	allow devicekit_power_t $1:dbus send_msg;
  ')
  
@@ -24233,7 +24758,7 @@ index f706b99..22b862e 100644
  ########################################
  ## <summary>
  ##	Read devicekit PID files.
-@@ -139,22 +177,52 @@ interface(`devicekit_read_pid_files',`
+@@ -139,22 +198,52 @@ interface(`devicekit_read_pid_files',`
  
  ########################################
  ## <summary>
@@ -24293,7 +24818,7 @@ index f706b99..22b862e 100644
  ##	</summary>
  ## </param>
  ## <rolecap/>
-@@ -165,21 +233,21 @@ interface(`devicekit_admin',`
+@@ -165,21 +254,21 @@ interface(`devicekit_admin',`
  		type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
  	')
  
@@ -24586,7 +25111,7 @@ index d4424ad..2e09383 100644
  ')
 diff --git a/policy/modules/services/dirsrv-admin.fc b/policy/modules/services/dirsrv-admin.fc
 new file mode 100644
-index 0000000..2ce40a0
+index 0000000..051e1e6
 --- /dev/null
 +++ b/policy/modules/services/dirsrv-admin.fc
 @@ -0,0 +1,11 @@
@@ -24598,8 +25123,8 @@ index 0000000..2ce40a0
 +/usr/sbin/start-ds-admin	--	gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
 +/usr/sbin/stop-ds-admin		--	gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
 +
-+/usr/lib64/dirsrv/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
-+/usr/lib64/dirsrv/dsgw-cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
++/usr/lib/dirsrv/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
++/usr/lib/dirsrv/dsgw-cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
 +
 diff --git a/policy/modules/services/dirsrv-admin.if b/policy/modules/services/dirsrv-admin.if
 new file mode 100644
@@ -27403,10 +27928,11 @@ index 7382f85..0b39a8b 100644
 +git_role_template(git_shell)
 +gen_user(git_shell_u, user, git_shell_r, s0, s0)
 diff --git a/policy/modules/services/gnomeclock.fc b/policy/modules/services/gnomeclock.fc
-index 462de63..aaa94fc 100644
+index 462de63..5df751b 100644
 --- a/policy/modules/services/gnomeclock.fc
 +++ b/policy/modules/services/gnomeclock.fc
-@@ -1,2 +1,5 @@
+@@ -1,2 +1,6 @@
++
  /usr/libexec/gnome-clock-applet-mechanism	--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
  
 +/usr/libexec/gsd-datetime-mechanism		--	gen_context(system_u:object_r:gnomeclock_exec_t,s0)
@@ -27442,10 +27968,19 @@ index 671d8fd..25c7ab8 100644
 +	dontaudit gnomeclock_t $1:dbus send_msg;
 +')
 diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
-index 4fde46b..9939628 100644
+index 4fde46b..6ee7b93 100644
 --- a/policy/modules/services/gnomeclock.te
 +++ b/policy/modules/services/gnomeclock.te
-@@ -15,18 +15,22 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+@@ -9,24 +9,31 @@ type gnomeclock_t;
+ type gnomeclock_exec_t;
+ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
+ 
++systemd_systemctl_domain(gnomeclock)
++permissive gnomeclock_systemctl_t;
++
+ ########################################
+ #
+ # gnomeclock local policy
  #
  
  allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace };
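Review bot: `permissive gnomeclock_systemctl_t;` ships the new systemctl helper domain unenforced. Denials are logged but nothing is blocked, so the rules added for that domain later in the file (including `files_manage_etc_symlinks`) do not confine it yet. The hunk gives no indication that this is temporary. Put a marker above the line, e.g. `# TODO: remove permissive once gnomeclock_systemctl_t AVCs have been collected`, and track its removal before the policy is treated as final.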
@@ -27471,7 +28006,7 @@ index 4fde46b..9939628 100644
  
  miscfiles_read_localization(gnomeclock_t)
  miscfiles_manage_localization(gnomeclock_t)
-@@ -35,10 +39,28 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
+@@ -35,12 +42,50 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
  userdom_read_all_users_state(gnomeclock_t)
  
  optional_policy(`
@@ -27500,6 +28035,28 @@ index 4fde46b..9939628 100644
  	policykit_dbus_chat(gnomeclock_t)
  	policykit_domtrans_auth(gnomeclock_t)
  	policykit_read_lib(gnomeclock_t)
+ 	policykit_read_reload(gnomeclock_t)
+ ')
++
++#######################################
++#
++# gnomeclock systemctl local policy 
++#
++
++files_dontaudit_remove_etc_dir(gnomeclock_systemctl_t)
++files_manage_etc_symlinks(gnomeclock_systemctl_t)
++
++fs_dontaudit_search_cgroup_dirs(gnomeclock_systemctl_t)
++
++# needed by systemctl
++init_stream_connect(gnomeclock_systemctl_t)
++init_read_state(gnomeclock_systemctl_t)
++
++systemd_dontaudit_read_unit_files(gnomeclock_systemctl_t)
++
++optional_policy(`
++	ntpd_read_unit_file(gnomeclock_systemctl_t)
++')
 diff --git a/policy/modules/services/gpm.if b/policy/modules/services/gpm.if
 index 7d97298..d6b2959 100644
 --- a/policy/modules/services/gpm.if
@@ -28130,6 +28687,88 @@ index df48e5e..6985546 100644
  	gen_require(`
  		type inetd_t;
  	')
+diff --git a/policy/modules/services/inn.fc b/policy/modules/services/inn.fc
+index 8ca038d..8507ee2 100644
+--- a/policy/modules/services/inn.fc
++++ b/policy/modules/services/inn.fc
+@@ -19,45 +19,43 @@
+ 
+ /var/lib/news(/.*)?			gen_context(system_u:object_r:innd_var_lib_t,s0)
+ 
+-/usr/lib(64)?/news/bin/actsync	--	gen_context(system_u:object_r:innd_exec_t,s0)
+-/usr/lib(64)?/news/bin/archive	--	gen_context(system_u:object_r:innd_exec_t,s0)
+-/usr/lib(64)?/news/bin/batcher	--	gen_context(system_u:object_r:innd_exec_t,s0)
+-/usr/lib(64)?/news/bin/buffchan	--	gen_context(system_u:object_r:innd_exec_t,s0)
+-/usr/lib(64)?/news/bin/convdate	--	gen_context(system_u:object_r:innd_exec_t,s0)
+-/usr/lib(64)?/news/bin/ctlinnd	--	gen_context(system_u:object_r:innd_exec_t,s0)
+-/usr/lib(64)?/news/bin/cvtbatch	--	gen_context(system_u:object_r:innd_exec_t,s0)
+-/usr/lib(64)?/news/bin/expire	--	gen_context(system_u:object_r:innd_exec_t,s0)
+-/usr/lib(64)?/news/bin/expireover --	gen_context(system_u:object_r:innd_exec_t,s0)
+-/usr/lib(64)?/news/bin/fastrm	--	gen_context(system_u:object_r:innd_exec_t,s0)
+-/usr/lib(64)?/news/bin/filechan	--	gen_context(system_u:object_r:innd_exec_t,s0)
+-/usr/lib(64)?/news/bin/getlist	--	gen_context(system_u:object_r:innd_exec_t,s0)
+-/usr/lib(64)?/news/bin/grephistory --	gen_context(system_u:object_r:innd_exec_t,s0)
+-/usr/lib(64)?/news/bin/inews	--	gen_context(system_u:object_r:innd_exec_t,s0)
+-/usr/lib(64)?/news/bin/innconfval --	gen_context(system_u:object_r:innd_exec_t,s0)
+-/usr/lib(64)?/news/bin/inndf	--	gen_context(system_u:object_r:innd_exec_t,s0)
+-/usr/lib(64)?/news/bin/inndstart --	gen_context(system_u:object_r:innd_exec_t,s0)
+-/usr/lib(64)?/news/bin/innfeed	--	gen_context(system_u:object_r:innd_exec_t,s0)
+-/usr/lib(64)?/news/bin/innxbatch --	gen_context(system_u:object_r:innd_exec_t,s0)
+-/usr/lib(64)?/news/bin/innxmit	--	gen_context(system_u:object_r:innd_exec_t,s0)
+-/usr/lib(64)?/news/bin/makedbz	--	gen_context(system_u:object_r:innd_exec_t,s0)
+-/usr/lib(64)?/news/bin/makehistory --	gen_context(system_u:object_r:innd_exec_t,s0)
+-/usr/lib(64)?/news/bin/newsrequeue --	gen_context(system_u:object_r:innd_exec_t,s0)
+-/usr/lib(64)?/news/bin/nnrpd	--	gen_context(system_u:object_r:innd_exec_t,s0)
+-/usr/lib(64)?/news/bin/nntpget	--	gen_context(system_u:object_r:innd_exec_t,s0)
+-/usr/lib(64)?/news/bin/ovdb_recover --	gen_context(system_u:object_r:innd_exec_t,s0)
+-/usr/lib(64)?/news/bin/overchan	--	gen_context(system_u:object_r:innd_exec_t,s0)
+-/usr/lib(64)?/news/bin/prunehistory --	gen_context(system_u:object_r:innd_exec_t,s0)
+-/usr/lib(64)?/news/bin/rnews	--	gen_context(system_u:object_r:innd_exec_t,s0)
+-/usr/lib(64)?/news/bin/shlock	--	gen_context(system_u:object_r:innd_exec_t,s0)
+-/usr/lib(64)?/news/bin/shrinkfile --	gen_context(system_u:object_r:innd_exec_t,s0)
+-/usr/lib(64)?/news/bin/startinnfeed --	gen_context(system_u:object_r:innd_exec_t,s0)
++/usr/lib/news/bin/actsync	--	gen_context(system_u:object_r:innd_exec_t,s0)
++/usr/lib/news/bin/archive	--	gen_context(system_u:object_r:innd_exec_t,s0)
++/usr/lib/news/bin/batcher	--	gen_context(system_u:object_r:innd_exec_t,s0)
++/usr/lib/news/bin/buffchan	--	gen_context(system_u:object_r:innd_exec_t,s0)
++/usr/lib/news/bin/convdate	--	gen_context(system_u:object_r:innd_exec_t,s0)
++/usr/lib/news/bin/ctlinnd	--	gen_context(system_u:object_r:innd_exec_t,s0)
++/usr/lib/news/bin/cvtbatch	--	gen_context(system_u:object_r:innd_exec_t,s0)
++/usr/lib/news/bin/expire	--	gen_context(system_u:object_r:innd_exec_t,s0)
++/usr/lib/news/bin/expireover --	gen_context(system_u:object_r:innd_exec_t,s0)
++/usr/lib/news/bin/fastrm	--	gen_context(system_u:object_r:innd_exec_t,s0)
++/usr/lib/news/bin/filechan	--	gen_context(system_u:object_r:innd_exec_t,s0)
++/usr/lib/news/bin/getlist	--	gen_context(system_u:object_r:innd_exec_t,s0)
++/usr/lib/news/bin/grephistory --	gen_context(system_u:object_r:innd_exec_t,s0)
++/usr/lib/news/bin/inews	--	gen_context(system_u:object_r:innd_exec_t,s0)
++/usr/lib/news/bin/innconfval --	gen_context(system_u:object_r:innd_exec_t,s0)
++/usr/lib/news/bin/inndf	--	gen_context(system_u:object_r:innd_exec_t,s0)
++/usr/lib/news/bin/inndstart --	gen_context(system_u:object_r:innd_exec_t,s0)
++/usr/lib/news/bin/innfeed	--	gen_context(system_u:object_r:innd_exec_t,s0)
++/usr/lib/news/bin/innxbatch --	gen_context(system_u:object_r:innd_exec_t,s0)
++/usr/lib/news/bin/innxmit	--	gen_context(system_u:object_r:innd_exec_t,s0)
++/usr/lib/news/bin/makedbz	--	gen_context(system_u:object_r:innd_exec_t,s0)
++/usr/lib/news/bin/makehistory --	gen_context(system_u:object_r:innd_exec_t,s0)
++/usr/lib/news/bin/newsrequeue --	gen_context(system_u:object_r:innd_exec_t,s0)
++/usr/lib/news/bin/nnrpd	--	gen_context(system_u:object_r:innd_exec_t,s0)
++/usr/lib/news/bin/nntpget	--	gen_context(system_u:object_r:innd_exec_t,s0)
++/usr/lib/news/bin/ovdb_recover --	gen_context(system_u:object_r:innd_exec_t,s0)
++/usr/lib/news/bin/overchan	--	gen_context(system_u:object_r:innd_exec_t,s0)
++/usr/lib/news/bin/prunehistory --	gen_context(system_u:object_r:innd_exec_t,s0)
++/usr/lib/news/bin/rnews	--	gen_context(system_u:object_r:innd_exec_t,s0)
++/usr/lib/news/bin/shlock	--	gen_context(system_u:object_r:innd_exec_t,s0)
++/usr/lib/news/bin/shrinkfile --	gen_context(system_u:object_r:innd_exec_t,s0)
++/usr/lib/news/bin/startinnfeed --	gen_context(system_u:object_r:innd_exec_t,s0)
+ 
+ # cjp: split these to fix an ordering
+ # problem with a match in corecommands
+ /usr/lib/news/bin/innd 		--	gen_context(system_u:object_r:innd_exec_t,s0)
+ /usr/lib/news/bin/sm		--	gen_context(system_u:object_r:innd_exec_t,s0)
+-/usr/lib64/news/bin/innd 	--	gen_context(system_u:object_r:innd_exec_t,s0)
+-/usr/lib64/news/bin/sm		--	gen_context(system_u:object_r:innd_exec_t,s0)
+ 
+ /var/log/news(/.*)?			gen_context(system_u:object_r:innd_log_t,s0)
+ 
 diff --git a/policy/modules/services/inn.if b/policy/modules/services/inn.if
 index ebc9e0d..2f3d8dc 100644
 --- a/policy/modules/services/inn.if
@@ -29070,7 +29709,7 @@ index ca5cfdf..554ad30 100644
  auth_use_nsswitch(ktalkd_t)
  
 diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc
-index c62f23e..335fda1 100644
+index c62f23e..92f3475 100644
 --- a/policy/modules/services/ldap.fc
 +++ b/policy/modules/services/ldap.fc
 @@ -1,6 +1,8 @@
@@ -29079,7 +29718,7 @@ index c62f23e..335fda1 100644
 -/etc/rc\.d/init\.d/ldap	--	gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
 +/etc/openldap/slapd\.d(/.*)?	gen_context(system_u:object_r:slapd_db_t,s0)
 +
-+/etc/rc\.d/init\.d/sldap	--	gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/slapd	--	gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
  
  /usr/sbin/slapd		--	gen_context(system_u:object_r:slapd_exec_t,s0)
  
@@ -29450,6 +30089,31 @@ index 93c14ca..c08de17 100644
  	fs_list_auto_mountpoints(lpr_t)
  	fs_read_cifs_files(lpr_t)
  	fs_read_cifs_symlinks(lpr_t)
+diff --git a/policy/modules/services/mailman.fc b/policy/modules/services/mailman.fc
+index 14ad189..b0c5d98 100644
+--- a/policy/modules/services/mailman.fc
++++ b/policy/modules/services/mailman.fc
+@@ -1,4 +1,4 @@
+-/usr/lib(64)?/mailman/bin/mailmanctl --	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
++/usr/lib/mailman/bin/mailmanctl --	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+ /usr/lib/mailman/cron/.*	--	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+ 
+ /var/lib/mailman(/.*)?			gen_context(system_u:object_r:mailman_data_t,s0)
+@@ -25,10 +25,10 @@ ifdef(`distro_debian', `
+ ifdef(`distro_redhat', `
+ /etc/mailman(/.*)?			gen_context(system_u:object_r:mailman_data_t,s0)
+ 
+-/usr/lib(64)?/mailman/bin/qrunner --	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
+-/usr/lib(64)?/mailman/cgi-bin/.* --	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
+-/usr/lib(64)?/mailman/mail/mailman --	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+-/usr/lib(64)?/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
++/usr/lib/mailman/bin/qrunner --	gen_context(system_u:object_r:mailman_queue_exec_t,s0)
++/usr/lib/mailman/cgi-bin/.* --	gen_context(system_u:object_r:mailman_cgi_exec_t,s0)
++/usr/lib/mailman/mail/mailman --	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
++/usr/lib/mailman/scripts/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
+ 
+ /var/spool/mailman(/.*)?		gen_context(system_u:object_r:mailman_data_t,s0)
+ ')
 diff --git a/policy/modules/services/mailman.if b/policy/modules/services/mailman.if
 index 67c7fdd..84b7626 100644
 --- a/policy/modules/services/mailman.if
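Review bot: With the `(64)?` alternation dropped from the `/usr/lib/mailman/...` entries, installs under `/usr/lib64/mailman` only receive `mailman_mail_exec_t`, `mailman_queue_exec_t` and `mailman_cgi_exec_t` if the policy also ships a path equivalence mapping `/usr/lib64` to `/usr/lib` (for example in `file_contexts.subs_dist`). Nothing visible in this hunk shows that mapping. Without it those executables would fall back to a generic label and the intended domain transitions would not happen, so it is worth checking a lib64 path with `matchpathcon` after the build. The same applies to the mta.fc, nagios.fc, nessus.fc, nis.fc, oddjob.fc, passenger.fc and postgresql.fc hunks further down.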
@@ -29526,7 +30190,7 @@ index af4d572..0fd2357 100644
 +')
 diff --git a/policy/modules/services/matahari.fc b/policy/modules/services/matahari.fc
 new file mode 100644
-index 0000000..8d13eb6
+index 0000000..bce824e
 --- /dev/null
 +++ b/policy/modules/services/matahari.fc
 @@ -0,0 +1,15 @@
@@ -29543,16 +30207,43 @@ index 0000000..8d13eb6
 +/var/lib/matahari(/.*)?			gen_context(system_u:object_r:matahari_var_lib_t,s0)
 +
 +/var/run/matahari(/.*)?			gen_context(system_u:object_r:matahari_var_run_t,s0)
-+/var/run/matahari.pid			gen_context(system_u:object_r:matahari_var_run_t,s0)
-+
++/var/run/matahari\.pid	--		gen_context(system_u:object_r:matahari_var_run_t,s0)
++/var/run/matahari-broker\.pid	--	gen_context(system_u:object_r:matahari_var_run_t,s0)
 diff --git a/policy/modules/services/matahari.if b/policy/modules/services/matahari.if
 new file mode 100644
-index 0000000..8e22c5e
+index 0000000..9343f3f
 --- /dev/null
 +++ b/policy/modules/services/matahari.if
-@@ -0,0 +1,220 @@
+@@ -0,0 +1,247 @@
 +## <summary>policy for matahari</summary>
 +
++######################################
++## <summary>
++##      Creates types and rules for a basic
++##      matahari init daemon domain.
++## </summary>
++## <param name="prefix">
++##      <summary>
++##      Prefix for the domain.
++##      </summary>
++## </param>
++#
++template(`matahari_domain_template',`
++        gen_require(`
++                attribute matahari_domain;
++        ')
++
++		##############################
++		#        
++		#  Declarations
++		#                        
++
++        type matahari_$1_t, matahari_domain;
++        type matahari_$1_exec_t;
++        init_daemon_domain(matahari_$1_t, matahari_$1_exec_t)
++
++')		
++
 +########################################
 +## <summary>
 +##	Search matahari lib directories.
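Review bot: The `<param name="prefix">` doc on `matahari_domain_template` says "Prefix for the domain", but `$1` is spliced into the middle of the names (`matahari_$1_t`, `matahari_$1_exec_t`), so callers pass `hostd`, not a prefix. A description such as `Daemon name; the template declares matahari_<name>_t and matahari_<name>_exec_t.` would match what the body does. The body also mixes space and tab indentation and leaves trailing whitespace on the `#` banner lines and after the closing `')`, which is worth normalising to the tab style the following interface appears to use.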
@@ -29773,10 +30464,10 @@ index 0000000..8e22c5e
 +')
 diff --git a/policy/modules/services/matahari.te b/policy/modules/services/matahari.te
 new file mode 100644
-index 0000000..dbc94ac
+index 0000000..fd4a08b
 --- /dev/null
 +++ b/policy/modules/services/matahari.te
-@@ -0,0 +1,112 @@
+@@ -0,0 +1,83 @@
 +policy_module(matahari,1.0.0)
 +
 +########################################
@@ -29784,17 +30475,11 @@ index 0000000..dbc94ac
 +# Declarations
 +#
 +
-+type matahari_hostd_t;
-+type matahari_hostd_exec_t;
-+init_daemon_domain(matahari_hostd_t, matahari_hostd_exec_t)
-+
-+type matahari_netd_t;
-+type matahari_netd_exec_t;
-+init_daemon_domain(matahari_netd_t, matahari_netd_exec_t)
++attribute matahari_domain;
 +
-+type matahari_serviced_t;
-+type matahari_serviced_exec_t;
-+init_daemon_domain(matahari_serviced_t, matahari_serviced_exec_t)
++matahari_domain_template(hostd)
++matahari_domain_template(netd)
++matahari_domain_template(serviced)
 +
 +type matahari_initrc_exec_t;
 +init_script_file(matahari_initrc_exec_t)
@@ -29809,32 +30494,18 @@ index 0000000..dbc94ac
 +#
 +# matahari_hostd local policy
 +#
-+allow matahari_hostd_t self:capability sys_ptrace;
-+allow matahari_hostd_t self:process { signal };
 +
-+allow matahari_hostd_t self:fifo_file rw_fifo_file_perms;
-+allow matahari_hostd_t self:unix_stream_socket create_stream_socket_perms;
++allow matahari_hostd_t self:capability sys_ptrace;
 +
 +kernel_read_network_state(matahari_hostd_t)
-+kernel_read_system_state(matahari_hostd_t)
-+
-+corenet_tcp_connect_matahari_port(matahari_hostd_t)
++kernel_read_network_state(matahari_hostd_t)
 +
 +dev_read_sysfs(matahari_hostd_t)
-+dev_read_urand(matahari_hostd_t)
 +dev_rw_mtrr(matahari_hostd_t)
 +
 +domain_use_interactive_fds(matahari_hostd_t)
 +domain_read_all_domains_state(matahari_hostd_t)
 +
-+files_read_etc_files(matahari_hostd_t)
-+
-+logging_send_syslog_msg(matahari_hostd_t)
-+
-+miscfiles_read_localization(matahari_hostd_t)
-+
-+sysnet_dns_name_resolve(matahari_hostd_t)
-+
 +optional_policy(`
 +	dbus_system_bus_client(matahari_hostd_t)
 +')
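Review bot: The added `kernel_read_network_state(matahari_hostd_t)` duplicates the identical call kept one line above it, so the hostd section now states the same grant twice. It looks like the removed `kernel_read_system_state(matahari_hostd_t)` was replaced with a copy of the wrong line; since `kernel_read_system_state` is granted to `matahari_domain` in the shared section of this file, the added line can simply be dropped. A short why-comment on `allow matahari_hostd_t self:capability sys_ptrace;` next to `domain_read_all_domains_state(matahari_hostd_t)` would also help reviewers judge that grant.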
@@ -29843,52 +30514,43 @@ index 0000000..dbc94ac
 +#
 +# matahari_netd local policy
 +#
-+allow matahari_netd_t self:process { signal };
-+
-+allow matahari_netd_t self:fifo_file rw_fifo_file_perms;
-+allow matahari_netd_t self:unix_stream_socket create_stream_socket_perms;
-+
-+kernel_read_system_state(matahari_netd_t)
-+
-+corenet_tcp_connect_matahari_port(matahari_netd_t)
-+
-+dev_read_urand(matahari_netd_t)
 +
 +domain_use_interactive_fds(matahari_netd_t)
 +
-+files_read_etc_files(matahari_netd_t)
-+
-+logging_send_syslog_msg(matahari_netd_t)
-+
-+miscfiles_read_localization(matahari_netd_t)
-+
-+sysnet_dns_name_resolve(matahari_netd_t)
++optional_policy(`
++	dbus_system_bus_client(matahari_netd_t)
++')
 +
 +########################################
 +#
 +# matahari_serviced local policy
 +#
-+allow matahari_serviced_t self:process { signal };
 +
-+allow matahari_serviced_t self:fifo_file rw_fifo_file_perms;
-+allow matahari_serviced_t self:unix_stream_socket create_stream_socket_perms;
++domain_use_interactive_fds(matahari_serviced_t)
++
++#######################################
++#
++# matahari domain local policy
++#
 +
-+kernel_read_system_state(matahari_serviced_t)
++allow matahari_domain self:process { signal };
 +
-+corenet_tcp_connect_matahari_port(matahari_serviced_t)
++allow matahari_domain self:fifo_file rw_fifo_file_perms;
++allow matahari_domain self:unix_stream_socket create_stream_socket_perms;
 +
-+dev_read_urand(matahari_serviced_t)
++kernel_read_system_state(matahari_domain)
 +
-+domain_use_interactive_fds(matahari_serviced_t)
++corenet_tcp_connect_matahari_port(matahari_domain)
 +
-+files_read_etc_files(matahari_serviced_t)
++dev_read_urand(matahari_domain)
 +
-+logging_send_syslog_msg(matahari_serviced_t)
++files_read_etc_files(matahari_domain)
 +
-+miscfiles_read_localization(matahari_serviced_t)
++logging_send_syslog_msg(matahari_domain)
 +
-+sysnet_dns_name_resolve(matahari_serviced_t)
++miscfiles_read_localization(matahari_domain)
 +
++sysnet_dns_name_resolve(matahari_domain)
 diff --git a/policy/modules/services/memcached.if b/policy/modules/services/memcached.if
 index db4fd6f..5008a6c 100644
 --- a/policy/modules/services/memcached.if
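Review bot: The new `matahari domain local policy` section attaches its rules to the `matahari_domain` attribute, so any domain later created with `matahari_domain_template` inherits `corenet_tcp_connect_matahari_port`, `sysnet_dns_name_resolve` and the rest without a line of its own, and no comment says so. Suggest heading the section with `# Rules below apply to every type carrying matahari_domain; keep daemon-specific access in the per-daemon sections.` The hunk also newly grants `dbus_system_bus_client(matahari_netd_t)`, which the old netd section did not have, so this is not a pure refactor and the changelog should mention it.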
@@ -31095,7 +31757,7 @@ index 0000000..0b9257a
 +    xserver_dontaudit_read_xdm_pid(mpd_t)
 +')
 diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc
-index 256166a..15daf47 100644
+index 256166a..df99841 100644
 --- a/policy/modules/services/mta.fc
 +++ b/policy/modules/services/mta.fc
 @@ -1,4 +1,5 @@
@@ -31105,7 +31767,7 @@ index 256166a..15daf47 100644
  
  /bin/mail(x)?		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
  
-@@ -11,6 +12,9 @@ ifdef(`distro_redhat',`
+@@ -11,9 +12,12 @@ ifdef(`distro_redhat',`
  /etc/postfix/aliases.*		gen_context(system_u:object_r:etc_aliases_t,s0)
  ')
  
@@ -31114,7 +31776,11 @@ index 256166a..15daf47 100644
 +
  /usr/bin/esmtp			-- gen_context(system_u:object_r:sendmail_exec_t,s0)
  
- /usr/lib(64)?/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
+-/usr/lib(64)?/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
++/usr/lib/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
+ /usr/lib/courier/bin/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
+ 
+ /usr/sbin/rmail		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
 index 343cee3..3d7edf0 100644
 --- a/policy/modules/services/mta.if
@@ -32135,6 +32801,147 @@ index 0a0d63c..91de41a 100644
  ########################################
  #
  # MySQL Manager Policy
+diff --git a/policy/modules/services/nagios.fc b/policy/modules/services/nagios.fc
+index 1fc9905..c9ae263 100644
+--- a/policy/modules/services/nagios.fc
++++ b/policy/modules/services/nagios.fc
+@@ -6,8 +6,8 @@
+ /usr/s?bin/nagios				--	gen_context(system_u:object_r:nagios_exec_t,s0)
+ /usr/s?bin/nrpe					--	gen_context(system_u:object_r:nrpe_exec_t,s0)
+ 
+-/usr/lib(64)?/cgi-bin/netsaint(/.*)?			gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+-/usr/lib(64)?/nagios/cgi(/.*)?				gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
++/usr/lib/cgi-bin/netsaint(/.*)?			gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
++/usr/lib/nagios/cgi(/.*)?				gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+ 
+ /var/log/nagios(/.*)?					gen_context(system_u:object_r:nagios_log_t,s0)
+ /var/log/netsaint(/.*)?					gen_context(system_u:object_r:nagios_log_t,s0)
+@@ -19,70 +19,70 @@
+ ifdef(`distro_debian',`
+ /usr/sbin/nagios				--	gen_context(system_u:object_r:nagios_exec_t,s0)
+ ')
+-/usr/lib(64)?/cgi-bin/nagios(/.+)?			gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+-/usr/lib(64)?/nagios/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
++/usr/lib/cgi-bin/nagios(/.+)?			gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
++/usr/lib/nagios/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
+ 
+ # admin plugins
+-/usr/lib(64)?/nagios/plugins/check_file_age	--	gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_file_age	--	gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0)
+ 
+ # check disk plugins
+-/usr/lib(64)?/nagios/plugins/check_disk		--	gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_disk_smb	--	gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_ide_smart	--	gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_linux_raid	--	gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_disk		--	gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_disk_smb	--	gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_ide_smart	--	gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_linux_raid	--	gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+ 
+ # mail plugins
+-/usr/lib(64)?/nagios/plugins/check_mailq	--	gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_mailq	--	gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
+ 
+ # system plugins
+-/usr/lib(64)?/nagios/plugins/check_breeze	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_dummy	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_flexlm	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_ifoperstatus	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_ifstatus	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_load		--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_log		--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_mrtg		--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_mrtgtraf	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_nagios	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_nwstat	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_overcr	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_procs	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_sensors	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_swap		--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_users	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_wave		--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_breeze	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_dummy	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_flexlm	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_ifoperstatus	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_ifstatus	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_load		--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_log		--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_mrtg		--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_mrtgtraf	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_nagios	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_nwstat	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_overcr	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_procs	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_sensors	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_swap		--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_users	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_wave		--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+ 
+ # services plugins
+-/usr/lib(64)?/nagios/plugins/check_cluster	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_dhcp		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_dig		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_dns		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_game		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_fping	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_hpjd		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_http		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_icmp		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_ircd		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_ldap		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_mysql	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_mysql_query 	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_nrpe		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_nt		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_ntp.*	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_oracle	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_pgsql	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_ping		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_radius	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_real		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_rpc		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_tcp		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_time		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_sip		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_smtp		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_snmp.*	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_ssh		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_ups		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_cluster	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_dhcp		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_dig		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_dns		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_game		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_fping	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_hpjd		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_http		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_icmp		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_ircd		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_ldap		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_mysql	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_mysql_query 	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_nrpe		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_nt		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_ntp.*	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_oracle	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_pgsql	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_ping		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_radius	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_real		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_rpc		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_tcp		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_time		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_sip		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_smtp		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_snmp.*	--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_ssh		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_ups		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ 
+ # unconfined plugins
+-/usr/lib(64)?/nagios/plugins/check_by_ssh	--	gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
++/usr/lib/nagios/plugins/check_by_ssh	--	gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
 diff --git a/policy/modules/services/nagios.if b/policy/modules/services/nagios.if
 index 8581040..2367841 100644
 --- a/policy/modules/services/nagios.if
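Review bot: Under the `# system plugins` heading, `check_breeze` and `check_dummy` are labelled `nagios_services_plugin_exec_t` while every other entry in that group gets `nagios_system_plugin_exec_t`, and the rewritten lines carry this over unchanged. If the two are meant to run in the services plugin domain, moving them under `# services plugins` would make that explicit; otherwise the type looks like a slip worth correcting while all of these lines are being touched. The last entry, `check_by_ssh`, maps to `nagios_unconfined_plugin_exec_t`, so a one-line comment on why that plugin is left unconfined would be useful to whoever audits this file.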
@@ -32364,6 +33171,19 @@ index bf64a4c..8a9789c 100644
  kernel_read_kernel_sysctls(nagios_system_plugin_t)
  
  corecmd_exec_bin(nagios_system_plugin_t)
+diff --git a/policy/modules/services/nessus.fc b/policy/modules/services/nessus.fc
+index 74da57f..b94bb3b 100644
+--- a/policy/modules/services/nessus.fc
++++ b/policy/modules/services/nessus.fc
+@@ -1,7 +1,7 @@
+ 
+ /etc/nessus/nessusd\.conf --	gen_context(system_u:object_r:nessusd_etc_t,s0)
+ 
+-/usr/lib(64)?/nessus/plugins/.* -- gen_context(system_u:object_r:nessusd_exec_t,s0)
++/usr/lib/nessus/plugins/.* -- gen_context(system_u:object_r:nessusd_exec_t,s0)
+ 
+ /usr/sbin/nessusd	--	gen_context(system_u:object_r:nessusd_exec_t,s0)
+ 
 diff --git a/policy/modules/services/networkmanager.fc b/policy/modules/services/networkmanager.fc
 index 386543b..1b34e21 100644
 --- a/policy/modules/services/networkmanager.fc
@@ -32652,7 +33472,7 @@ index 0619395..6000a3f 100644
  
  ########################################
 diff --git a/policy/modules/services/nis.fc b/policy/modules/services/nis.fc
-index 15448d5..0c97dab 100644
+index 15448d5..181300b 100644
 --- a/policy/modules/services/nis.fc
 +++ b/policy/modules/services/nis.fc
 @@ -1,5 +1,5 @@
@@ -32662,7 +33482,11 @@ index 15448d5..0c97dab 100644
  /etc/rc\.d/init\.d/ypserv	--	gen_context(system_u:object_r:nis_initrc_exec_t,s0)
  /etc/rc\.d/init\.d/ypxfrd	--	gen_context(system_u:object_r:nis_initrc_exec_t,s0)
  /etc/ypserv\.conf	--	gen_context(system_u:object_r:ypserv_conf_t,s0)
-@@ -11,6 +11,7 @@
+@@ -7,10 +7,10 @@
+ /sbin/ypbind		--	gen_context(system_u:object_r:ypbind_exec_t,s0)
+ 
+ /usr/lib/yp/ypxfr	--	gen_context(system_u:object_r:ypxfr_exec_t,s0)
+-/usr/lib64/yp/ypxfr	--	gen_context(system_u:object_r:ypxfr_exec_t,s0)
  
  /usr/sbin/rpc\.yppasswdd --	gen_context(system_u:object_r:yppasswdd_exec_t,s0)
  /usr/sbin/rpc\.ypxfrd	--	gen_context(system_u:object_r:ypxfr_exec_t,s0)
@@ -33021,11 +33845,50 @@ index ded9fb6..9d1e60a 100644
  
  manage_files_pattern(ntop_t, ntop_var_run_t, ntop_var_run_t)
  files_pid_filetrans(ntop_t, ntop_var_run_t, file)
+diff --git a/policy/modules/services/ntp.fc b/policy/modules/services/ntp.fc
+index e79dccc..50202ef 100644
+--- a/policy/modules/services/ntp.fc
++++ b/policy/modules/services/ntp.fc
+@@ -10,6 +10,8 @@
+ 
+ /etc/rc\.d/init\.d/ntpd		--	gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
+ 
++/lib/systemd/system/ntpd\.service               --      gen_context(system_u:object_r:ntpd_unit_file_t,s0)
++
+ /usr/sbin/ntpd			--	gen_context(system_u:object_r:ntpd_exec_t,s0)
+ /usr/sbin/ntpdate		--	gen_context(system_u:object_r:ntpdate_exec_t,s0)
+ 
 diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
-index e80f8c0..694b002 100644
+index e80f8c0..be0d107 100644
 --- a/policy/modules/services/ntp.if
 +++ b/policy/modules/services/ntp.if
-@@ -140,11 +140,10 @@ interface(`ntp_rw_shm',`
+@@ -98,6 +98,25 @@ interface(`ntp_initrc_domtrans',`
+ 	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
+ ')
+ 
++#####################################
++## <summary>
++##      Allow domain to read ntpd systemd unit files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`ntpd_read_unit_file',`
++        gen_require(`
++                type ntpd_unit_file_t;
++        ')
++
++        files_search_var_lib($1)
++        allow $1 ntpd_unit_file_t:file read_file_perms;
++')
++
+ ########################################
+ ## <summary>
+ ##	Read and write ntpd shared memory.
+@@ -140,11 +159,10 @@ interface(`ntp_rw_shm',`
  interface(`ntp_admin',`
  	gen_require(`
  		type ntpd_t, ntpd_tmp_t, ntpd_log_t;
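Review bot: `ntpd_read_unit_file` calls `files_search_var_lib($1)`, but the only path this commit labels `ntpd_unit_file_t` is `/lib/systemd/system/ntpd\.service`, so the search grant looks copied from another interface and gives callers access that does not help them reach the unit file. Consider dropping it, or replacing it with whichever search interface covers the systemd unit directory (not visible in this hunk). The interface name also breaks the module's `ntp_` prefix used by `ntp_initrc_domtrans`, `ntp_rw_shm` and `ntp_admin`; `ntp_read_unit_file` would be consistent. The `ntp_admin` body at the end of the hunk continues outside it.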
@@ -33040,10 +33903,20 @@ index e80f8c0..694b002 100644
  
  	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
 diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
-index c61adc8..b5b5992 100644
+index c61adc8..11909b0 100644
 --- a/policy/modules/services/ntp.te
 +++ b/policy/modules/services/ntp.te
-@@ -96,9 +96,12 @@ corenet_sendrecv_ntp_client_packets(ntpd_t)
+@@ -15,6 +15,9 @@ init_daemon_domain(ntpd_t, ntpd_exec_t)
+ type ntpd_initrc_exec_t;
+ init_script_file(ntpd_initrc_exec_t)
+ 
++type ntpd_unit_file_t;
++systemd_unit_file(ntpd_unit_file_t)
++
+ type ntpd_key_t;
+ files_type(ntpd_key_t)
+ 
+@@ -96,9 +99,12 @@ corenet_sendrecv_ntp_client_packets(ntpd_t)
  dev_read_sysfs(ntpd_t)
  # for SSP
  dev_read_urand(ntpd_t)
@@ -33169,11 +34042,12 @@ index b4c5f86..0f1549d 100644
  optional_policy(`
  	cron_system_entry(oav_update_t, oav_update_exec_t)
 diff --git a/policy/modules/services/oddjob.fc b/policy/modules/services/oddjob.fc
-index bdf8c89..5ee1598 100644
+index bdf8c89..0132b08 100644
 --- a/policy/modules/services/oddjob.fc
 +++ b/policy/modules/services/oddjob.fc
 @@ -1,4 +1,5 @@
- /usr/lib(64)?/oddjob/mkhomedir	--	gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
+-/usr/lib(64)?/oddjob/mkhomedir	--	gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
++/usr/lib/oddjob/mkhomedir	--	gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
 +/usr/libexec/oddjob/mkhomedir	--	gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
  
  /usr/sbin/oddjobd		--	gen_context(system_u:object_r:oddjob_exec_t,s0)
@@ -33598,18 +34472,18 @@ index b246bdd..07baada 100644
  files_search_spool(pads_t)
 diff --git a/policy/modules/services/passenger.fc b/policy/modules/services/passenger.fc
 new file mode 100644
-index 0000000..fbd07f6
+index 0000000..498c07f
 --- /dev/null
 +++ b/policy/modules/services/passenger.fc
 @@ -0,0 +1,16 @@
 +
-+/usr/lib(64)?/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
++/usr/lib/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
 +
-+/usr/lib(64)?/ruby/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0)
++/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0)
 +
-+/usr/lib(64)?/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
++/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
 +
-+/usr/lib(64)?/ruby/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
++/usr/lib/ruby/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
 +
 +
 +/var/log/passenger(/.*)?           gen_context(system_u:object_r:passenger_log_t,s0)
@@ -34728,7 +35602,7 @@ index 9759ed8..48a5431 100644
  	admin_pattern($1, plymouthd_var_run_t)
  ')
 diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te
-index 06e217d..179e320 100644
+index 06e217d..dc27c14 100644
 --- a/policy/modules/services/plymouthd.te
 +++ b/policy/modules/services/plymouthd.te
 @@ -8,6 +8,7 @@ policy_module(plymouthd, 1.0.1)
@@ -34760,12 +35634,13 @@ index 06e217d..179e320 100644
  manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
  manage_files_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
  files_pid_filetrans(plymouthd_t, plymouthd_var_run_t, { file dir })
-@@ -60,10 +68,22 @@ domain_use_interactive_fds(plymouthd_t)
+@@ -60,10 +68,23 @@ domain_use_interactive_fds(plymouthd_t)
  files_read_etc_files(plymouthd_t)
  files_read_usr_files(plymouthd_t)
  
 +term_use_unallocated_ttys(plymouthd_t)
 +
++logging_link_generic_logs(plymouthd_t)
 +logging_delete_generic_logs(plymouthd_t)
 +
  miscfiles_read_localization(plymouthd_t)
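Review bot: `logging_link_generic_logs(plymouthd_t)` is added with no comment, and judging by the interface names it combines with the existing `logging_delete_generic_logs(plymouthd_t)` to let plymouthd link and unlink files carrying the generic log type rather than a plymouth-specific one. A why-comment above the pair naming the log file plymouthd actually handles would let a reviewer judge whether a dedicated log type with a file transition is the tighter fix. The surrounding plymouthd_t rule block starts and ends outside this hunk.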
@@ -34783,7 +35658,7 @@ index 06e217d..179e320 100644
  ########################################
  #
  # Plymouth private policy
-@@ -74,6 +94,7 @@ allow plymouth_t self:fifo_file rw_file_perms;
+@@ -74,6 +95,7 @@ allow plymouth_t self:fifo_file rw_file_perms;
  allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
  
  kernel_read_system_state(plymouth_t)
@@ -34791,7 +35666,7 @@ index 06e217d..179e320 100644
  
  domain_use_interactive_fds(plymouth_t)
  
-@@ -87,7 +108,7 @@ sysnet_read_config(plymouth_t)
+@@ -87,7 +109,7 @@ sysnet_read_config(plymouth_t)
  
  plymouthd_stream_connect(plymouth_t)
  
@@ -35891,6 +36766,23 @@ index 7257526..7d73656 100644
  
  manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
  files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
+diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
+index f03fad4..1865d8f 100644
+--- a/policy/modules/services/postgresql.fc
++++ b/policy/modules/services/postgresql.fc
+@@ -11,9 +11,9 @@
+ /usr/bin/initdb(\.sepgsql)?	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+ /usr/bin/(se)?postgres		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+ 
+-/usr/lib(64)?/pgsql/test/regress(/.*)?	gen_context(system_u:object_r:postgresql_db_t,s0)
+-/usr/lib(64)?/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+-/usr/lib(64)?/postgresql/bin/.* --	gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/lib/pgsql/test/regress(/.*)?	gen_context(system_u:object_r:postgresql_db_t,s0)
++/usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
++/usr/lib/postgresql/bin/.* --	gen_context(system_u:object_r:postgresql_exec_t,s0)
+ 
+ ifdef(`distro_debian', `
+ /usr/lib/postgresql/.*/bin/.*	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
 diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
 index 09aeffa..dd70b14 100644
 --- a/policy/modules/services/postgresql.if
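Review bot: Dropping `(64)?` from `/usr/lib(64)?/pgsql/test/regress/pg_regress` and `/usr/lib(64)?/postgresql/bin/.*` means a 64-bit install only receives `postgresql_exec_t` if the policy also ships a path equivalence mapping `/usr/lib64` to `/usr/lib` (for example in `file_contexts.subs_dist`), and nothing in this part of the patch shows one. Without that mapping the binaries would fall back to a generic label and presumably stop transitioning into their confined domain. The same dependency applies to the rlogin.fc, sysstat.fc, xserver.fc, ipsec.fc and libraries.fc hunks further down. A short comment in each .fc, such as `# lib64 paths are labeled through the /usr/lib64 -> /usr/lib equivalence`, would make the requirement explicit.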
@@ -39128,10 +40020,10 @@ index 33e72e8..b71d193 100644
  ')
  
 diff --git a/policy/modules/services/rlogin.fc b/policy/modules/services/rlogin.fc
-index 2785337..c3c2775 100644
+index 2785337..d7f6b82 100644
 --- a/policy/modules/services/rlogin.fc
 +++ b/policy/modules/services/rlogin.fc
-@@ -1,4 +1,7 @@
+@@ -1,7 +1,10 @@
  HOME_DIR/\.rlogin		--	gen_context(system_u:object_r:rlogind_home_t,s0)
 +HOME_DIR/\.rhosts		--	gen_context(system_u:object_r:rlogind_home_t,s0)
 +/root/\.rlogin			--	gen_context(system_u:object_r:rlogind_home_t,s0)
@@ -39139,6 +40031,10 @@ index 2785337..c3c2775 100644
  
  /usr/kerberos/sbin/klogind	--	gen_context(system_u:object_r:rlogind_exec_t,s0)
  
+-/usr/lib(64)?/telnetlogin	--	gen_context(system_u:object_r:rlogind_exec_t,s0)
++/usr/lib/telnetlogin	--	gen_context(system_u:object_r:rlogind_exec_t,s0)
+ 
+ /usr/sbin/in\.rlogind		--	gen_context(system_u:object_r:rlogind_exec_t,s0)
 diff --git a/policy/modules/services/rlogin.if b/policy/modules/services/rlogin.if
 index 63e78c6..ffa4f37 100644
 --- a/policy/modules/services/rlogin.if
@@ -40681,7 +41577,7 @@ index bcdd16c..7c379a8 100644
  	files_list_var_lib($1)
  	admin_pattern($1, setroubleshoot_var_lib_t)
 diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
-index 086cd5f..610a762 100644
+index 086cd5f..79347e7 100644
 --- a/policy/modules/services/setroubleshoot.te
 +++ b/policy/modules/services/setroubleshoot.te
 @@ -32,6 +32,8 @@ files_pid_file(setroubleshoot_var_run_t)
@@ -40716,7 +41612,24 @@ index 086cd5f..610a762 100644
  
  corenet_all_recvfrom_unlabeled(setroubleshootd_t)
  corenet_all_recvfrom_netlabel(setroubleshootd_t)
-@@ -112,8 +118,6 @@ logging_send_audit_msgs(setroubleshootd_t)
+@@ -85,6 +91,7 @@ files_getattr_all_files(setroubleshootd_t)
+ files_getattr_all_pipes(setroubleshootd_t)
+ files_getattr_all_sockets(setroubleshootd_t)
+ files_read_all_symlinks(setroubleshootd_t)
++files_read_mnt_files(setroubleshootd_t)
+ 
+ fs_getattr_all_dirs(setroubleshootd_t)
+ fs_getattr_all_files(setroubleshootd_t)
+@@ -104,6 +111,8 @@ auth_use_nsswitch(setroubleshootd_t)
+ init_read_utmp(setroubleshootd_t)
+ init_dontaudit_write_utmp(setroubleshootd_t)
+ 
++libs_exec_ld_so(setroubleshootd_t)
++
+ miscfiles_read_localization(setroubleshootd_t)
+ 
+ locallogin_dontaudit_use_fds(setroubleshootd_t)
+@@ -112,8 +121,6 @@ logging_send_audit_msgs(setroubleshootd_t)
  logging_send_syslog_msg(setroubleshootd_t)
  logging_stream_connect_dispatcher(setroubleshootd_t)
  
@@ -40725,7 +41638,7 @@ index 086cd5f..610a762 100644
  seutil_read_config(setroubleshootd_t)
  seutil_read_file_contexts(setroubleshootd_t)
  seutil_read_bin_policy(setroubleshootd_t)
-@@ -121,6 +125,18 @@ seutil_read_bin_policy(setroubleshootd_t)
+@@ -121,6 +128,18 @@ seutil_read_bin_policy(setroubleshootd_t)
  userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
  
  optional_policy(`
@@ -40744,7 +41657,7 @@ index 086cd5f..610a762 100644
  	dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
  ')
  
-@@ -152,6 +168,7 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
+@@ -152,6 +171,7 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
  corecmd_exec_shell(setroubleshoot_fixit_t)
  
  seutil_domtrans_setfiles(setroubleshoot_fixit_t)
@@ -40752,7 +41665,7 @@ index 086cd5f..610a762 100644
  
  files_read_usr_files(setroubleshoot_fixit_t)
  files_read_etc_files(setroubleshoot_fixit_t)
-@@ -164,6 +181,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t)
+@@ -164,6 +184,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t)
  
  miscfiles_read_localization(setroubleshoot_fixit_t)
  
@@ -41670,6 +42583,18 @@ index ec1eb1e..7e51d2b 100644
  ')
  
  optional_policy(`
+diff --git a/policy/modules/services/squid.fc b/policy/modules/services/squid.fc
+index 6cc4a90..2015152 100644
+--- a/policy/modules/services/squid.fc
++++ b/policy/modules/services/squid.fc
+@@ -2,7 +2,6 @@
+ /etc/squid(/.*)?		gen_context(system_u:object_r:squid_conf_t,s0)
+ 
+ /usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
+-/usr/lib64/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
+ /usr/sbin/squid		--	gen_context(system_u:object_r:squid_exec_t,s0)
+ /usr/share/squid(/.*)?		gen_context(system_u:object_r:squid_conf_t,s0)
+ 
 diff --git a/policy/modules/services/squid.if b/policy/modules/services/squid.if
 index d2496bd..1d0c078 100644
 --- a/policy/modules/services/squid.if
@@ -42120,7 +43045,7 @@ index 22adaca..68ad7a7 100644
 +	allow $1 sshd_t:process signull;
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..efa5535 100644
+index 2dad3c8..c71bdb9 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0)
@@ -42244,16 +43169,18 @@ index 2dad3c8..efa5535 100644
  
  kernel_read_kernel_sysctls(ssh_t)
  kernel_read_system_state(ssh_t)
-@@ -138,6 +144,8 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
+@@ -138,7 +144,10 @@ corenet_tcp_sendrecv_generic_node(ssh_t)
  corenet_tcp_sendrecv_all_ports(ssh_t)
  corenet_tcp_connect_ssh_port(ssh_t)
  corenet_sendrecv_ssh_client_packets(ssh_t)
 +corenet_tcp_bind_generic_node(ssh_t)
 +corenet_tcp_bind_all_unreserved_ports(ssh_t)
  
++dev_read_rand(ssh_t)
  dev_read_urand(ssh_t)
  
-@@ -162,21 +170,28 @@ logging_read_generic_logs(ssh_t)
+ fs_getattr_all_fs(ssh_t)
+@@ -162,21 +171,28 @@ logging_read_generic_logs(ssh_t)
  auth_use_nsswitch(ssh_t)
  
  miscfiles_read_localization(ssh_t)
@@ -42288,7 +43215,7 @@ index 2dad3c8..efa5535 100644
  ')
  
  tunable_policy(`use_nfs_home_dirs',`
-@@ -196,10 +211,15 @@ tunable_policy(`user_tcp_server',`
+@@ -196,10 +212,15 @@ tunable_policy(`user_tcp_server',`
  ')
  
  optional_policy(`
@@ -42304,16 +43231,18 @@ index 2dad3c8..efa5535 100644
  ##############################
  #
  # ssh_keysign_t local policy
-@@ -209,7 +229,7 @@ tunable_policy(`allow_ssh_keysign',`
+@@ -209,8 +230,9 @@ tunable_policy(`allow_ssh_keysign',`
  	allow ssh_keysign_t self:capability { setgid setuid };
  	allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
  
 -	allow ssh_keysign_t sshd_key_t:file { getattr read };
 +	allow ssh_keysign_t sshd_key_t:file read_file_perms;
  
++	dev_read_rand(ssh_keysign_t)
  	dev_read_urand(ssh_keysign_t)
  
-@@ -232,33 +252,42 @@ optional_policy(`
+ 	files_read_etc_files(ssh_keysign_t)
+@@ -232,33 +254,43 @@ optional_policy(`
  # so a tunnel can point to another ssh tunnel
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
@@ -42358,6 +43287,7 @@ index 2dad3c8..efa5535 100644
 -',`
 -	userdom_spec_domtrans_unpriv_users(sshd_t)
 -	userdom_signal_unpriv_users(sshd_t)
++	userdom_spec_domtrans_all_users(sshd_t)
 +')
 +
 +optional_policy(`
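Review bot: `userdom_spec_domtrans_all_users(sshd_t)` replaces the removed `userdom_spec_domtrans_unpriv_users(sshd_t)` with what is, by its name, a transition to every user domain, and the condition guarding it is not visible in this hunk. The line sits directly before a closing `')` whose opening statement lies outside the hunk. If that block is the `ssh_sysadm_login` tunable the scope matches the old behaviour; if it is unconditional, administrative user domains become reachable from sshd regardless of the tunable. A comment above the line, for example `# all user domains, including admin ones; must stay under ssh_sysadm_login`, would record the intent.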
@@ -42365,7 +43295,7 @@ index 2dad3c8..efa5535 100644
  ')
  
  optional_policy(`
-@@ -266,11 +295,24 @@ optional_policy(`
+@@ -266,11 +298,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42391,7 +43321,7 @@ index 2dad3c8..efa5535 100644
  ')
  
  optional_policy(`
-@@ -284,6 +326,11 @@ optional_policy(`
+@@ -284,6 +329,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -42403,7 +43333,7 @@ index 2dad3c8..efa5535 100644
  	unconfined_shell_domtrans(sshd_t)
  ')
  
-@@ -292,26 +339,26 @@ optional_policy(`
+@@ -292,26 +342,26 @@ optional_policy(`
  ')
  
  ifdef(`TODO',`
@@ -42449,7 +43379,7 @@ index 2dad3c8..efa5535 100644
  ') dnl endif TODO
  
  ########################################
-@@ -322,19 +369,25 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -322,19 +372,25 @@ tunable_policy(`ssh_sysadm_login',`
  # ssh_keygen_t is the type of the ssh-keygen program when run at install time
  # and by sysadm_t
  
@@ -42476,8 +43406,11 @@ index 2dad3c8..efa5535 100644
  dev_read_urand(ssh_keygen_t)
  
  term_dontaudit_use_console(ssh_keygen_t)
-@@ -353,7 +406,7 @@ logging_send_syslog_msg(ssh_keygen_t)
+@@ -351,9 +407,10 @@ auth_use_nsswitch(ssh_keygen_t)
+ logging_send_syslog_msg(ssh_keygen_t)
+ 
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
++userdom_use_user_terminals(ssh_keygen_t)
  
  optional_policy(`
 -	nscd_socket_use(ssh_keygen_t)
@@ -42701,6 +43634,21 @@ index f646c66..5370bb8 100644
  ')
 +
  allow stunnel_t stunnel_port_t:tcp_socket name_bind;
+diff --git a/policy/modules/services/sysstat.fc b/policy/modules/services/sysstat.fc
+index 08d999c..bca4388 100644
+--- a/policy/modules/services/sysstat.fc
++++ b/policy/modules/services/sysstat.fc
+@@ -1,7 +1,7 @@
+ 
+-/usr/lib(64)?/atsar/atsa.*	--	gen_context(system_u:object_r:sysstat_exec_t,s0)
+-/usr/lib(64)?/sa/sa.*		--	gen_context(system_u:object_r:sysstat_exec_t,s0)
+-/usr/lib(64)?/sysstat/sa.*	--	gen_context(system_u:object_r:sysstat_exec_t,s0)
++/usr/lib/atsar/atsa.*	--	gen_context(system_u:object_r:sysstat_exec_t,s0)
++/usr/lib/sa/sa.*		--	gen_context(system_u:object_r:sysstat_exec_t,s0)
++/usr/lib/sysstat/sa.*	--	gen_context(system_u:object_r:sysstat_exec_t,s0)
+ 
+ /var/log/atsar(/.*)?			gen_context(system_u:object_r:sysstat_log_t,s0)
+ /var/log/sa(/.*)?			gen_context(system_u:object_r:sysstat_log_t,s0)
 diff --git a/policy/modules/services/sysstat.te b/policy/modules/services/sysstat.te
 index 52f0d6c..6bfbf45 100644
 --- a/policy/modules/services/sysstat.te
@@ -43244,7 +44192,7 @@ index a0794bf..37c056b 100644
  ')
 +
 diff --git a/policy/modules/services/ulogd.fc b/policy/modules/services/ulogd.fc
-index 831b4a3..a206464 100644
+index 831b4a3..8590730 100644
 --- a/policy/modules/services/ulogd.fc
 +++ b/policy/modules/services/ulogd.fc
 @@ -1,7 +1,7 @@
@@ -43252,7 +44200,7 @@ index 831b4a3..a206464 100644
  /etc/ulogd.conf			--	gen_context(system_u:object_r:ulogd_etc_t,s0)
  
 -/usr/lib/ulogd(/.*)?			gen_context(system_u:object_r:ulogd_modules_t,s0)	
-+/usr/lib(64)?/ulogd(/.*)?		gen_context(system_u:object_r:ulogd_modules_t,s0)	
++/usr/lib/ulogd(/.*)?		gen_context(system_u:object_r:ulogd_modules_t,s0)	
  /usr/sbin/ulogd			--	gen_context(system_u:object_r:ulogd_exec_t,s0)
  
  /var/log/ulogd(/.*)?			gen_context(system_u:object_r:ulogd_var_log_t,s0)
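Review bot: With `(64)?` taken back out, the inner ulogd.fc hunk now removes `/usr/lib/ulogd(/.*)?` and adds the same path with the same context, differing only in the number of tabs before `gen_context`. The change no longer affects labeling, so the ulogd.fc section could be dropped from policy-F16.patch instead of being carried as a whitespace-only edit.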
@@ -44906,7 +45854,7 @@ index aa6e5a8..42a0efb 100644
  ########################################
  ## <summary>
 diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index 6f1e3c7..ecfe665 100644
+index 6f1e3c7..62b0b98 100644
 --- a/policy/modules/services/xserver.fc
 +++ b/policy/modules/services/xserver.fc
 @@ -2,13 +2,23 @@
@@ -44954,7 +45902,7 @@ index 6f1e3c7..ecfe665 100644
  #
  # /opt
  #
-@@ -47,21 +54,23 @@ ifdef(`distro_redhat',`
+@@ -47,28 +54,30 @@ ifdef(`distro_redhat',`
  # /tmp
  #
  
@@ -44983,6 +45931,14 @@ index 6f1e3c7..ecfe665 100644
  /usr/bin/xauth		--	gen_context(system_u:object_r:xauth_exec_t,s0)
  /usr/bin/Xorg		--	gen_context(system_u:object_r:xserver_exec_t,s0)
  ifdef(`distro_debian', `
+ /usr/sbin/gdm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
+ ')
+ 
+-/usr/lib(64)?/qt-.*/etc/settings(/.*)?	gen_context(system_u:object_r:xdm_var_run_t,s0)
++/usr/lib/qt-.*/etc/settings(/.*)?	gen_context(system_u:object_r:xdm_var_run_t,s0)
+ 
+ /usr/var/[xgkw]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
+ 
 @@ -89,17 +98,44 @@ ifdef(`distro_debian', `
  
  /var/[xgk]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
@@ -48716,10 +49672,17 @@ index 882c6a2..d0ff4ec 100644
  ')
  
 diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
-index 354ce93..f97fbb7 100644
+index 354ce93..4955c6b 100644
 --- a/policy/modules/system/init.fc
 +++ b/policy/modules/system/init.fc
-@@ -33,6 +33,19 @@ ifdef(`distro_gentoo', `
+@@ -27,12 +27,25 @@ ifdef(`distro_gentoo',`
+ ifdef(`distro_gentoo', `
+ /lib/rc/init\.d(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
+ /lib32/rc/init\.d(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
+-/lib64/rc/init\.d(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
++/lib/rc/init\.d(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
+ ')
+ 
  #
  # /sbin
  #
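Review bot: The replacement line `/lib/rc/init\.d(/.*)?` is identical to the entry two lines above it in the same `distro_gentoo` block, so the lib64 substitution leaves a duplicate specification rather than removing the lib64 variant. Duplicate path/context pairs in a file-context file are at best noise and may be rejected by the labeling tools, which is worth confirming against the build. The squid.fc and libraries.fc hunks simply delete their lib64 lines, and doing the same here (removing `/lib64/rc/init\.d(/.*)?` with no replacement) would be consistent.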
@@ -49459,7 +50422,7 @@ index cc83689..3388f34 100644
 +')
 +
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index ea29513..b4fdd42 100644
+index ea29513..9740a9f 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -49625,7 +50588,7 @@ index ea29513..b4fdd42 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +236,113 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +236,119 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -49677,12 +50640,15 @@ index ea29513..b4fdd42 100644
 +	files_relabel_all_pid_files(init_t)
 +	files_unlink_all_pid_sockets(init_t)
 +	files_manage_urandom_seed(init_t)
++	files_list_locks(init_t)
 +	files_create_lock_dirs(init_t)
++	files_relabel_all_lock_dirs(init_t)
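Review bot: `files_relabel_all_lock_dirs(init_t)` here and `fs_relabel_tmpfs_files(init_t)` in the next hunk give init_t relabel rights over whole classes of objects, with no comment saying which boot-time step needs them. Relabeling changes the type that every other rule keys on, so these grants deserve a stated reason that a later audit can check. If the reason is the init system recreating lock and tmpfs-backed runtime directories at boot, a comment such as `# init recreates and relabels lock dirs and tmpfs runtime files at boot` above the group would do. The enclosing block starts outside this hunk.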
 +
 +	fs_manage_cgroup_dirs(init_t)
 +	fs_manage_hugetlbfs_dirs(init_t)
 +	fs_manage_tmpfs_dirs(init_t)
 +	fs_relabel_tmpfs_dirs(init_t)
++	fs_relabel_tmpfs_files(init_t)
 +	fs_mount_all_fs(init_t)
 +	fs_remount_autofs(init_t)
 +	fs_list_auto_mountpoints(init_t)
@@ -49706,6 +50672,9 @@ index ea29513..b4fdd42 100644
 +
 +	seutil_read_file_contexts(init_t)
 +
++	systemd_exec_systemctl(init_t)
++	systemd_read_unit_files(init_t)
++
 +	# needs to remain
 +	logging_create_devlog_dev(init_t)
 +
@@ -49739,7 +50708,7 @@ index ea29513..b4fdd42 100644
  ')
  
  optional_policy(`
-@@ -199,10 +350,25 @@ optional_policy(`
+@@ -199,10 +356,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49765,7 +50734,7 @@ index ea29513..b4fdd42 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -212,7 +378,7 @@ optional_policy(`
+@@ -212,7 +384,7 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -49774,7 +50743,7 @@ index ea29513..b4fdd42 100644
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -241,12 +407,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +413,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -49790,7 +50759,7 @@ index ea29513..b4fdd42 100644
  
  init_write_initctl(initrc_t)
  
-@@ -258,20 +427,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +433,32 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -49827,7 +50796,7 @@ index ea29513..b4fdd42 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +460,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +466,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -49835,7 +50804,7 @@ index ea29513..b4fdd42 100644
  dev_write_kmsg(initrc_t)
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
-@@ -291,6 +473,7 @@ dev_read_sound_mixer(initrc_t)
+@@ -291,6 +479,7 @@ dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
  dev_setattr_all_chr_files(initrc_t)
  dev_rw_lvm_control(initrc_t)
@@ -49843,7 +50812,7 @@ index ea29513..b4fdd42 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,13 +481,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +487,13 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -49859,7 +50828,7 @@ index ea29513..b4fdd42 100644
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -316,6 +499,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +505,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -49867,7 +50836,7 @@ index ea29513..b4fdd42 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -323,8 +507,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +513,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -49879,7 +50848,7 @@ index ea29513..b4fdd42 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +526,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +532,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -49893,7 +50862,7 @@ index ea29513..b4fdd42 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,6 +541,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +547,8 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -49902,7 +50871,7 @@ index ea29513..b4fdd42 100644
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -363,6 +555,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +561,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -49910,7 +50879,7 @@ index ea29513..b4fdd42 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -374,6 +567,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +573,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -49918,7 +50887,7 @@ index ea29513..b4fdd42 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -394,18 +588,17 @@ logging_read_audit_config(initrc_t)
+@@ -394,18 +594,17 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -49940,7 +50909,18 @@ index ea29513..b4fdd42 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -478,7 +671,7 @@ ifdef(`distro_redhat',`
+@@ -458,6 +657,10 @@ ifdef(`distro_gentoo',`
+ 	sysnet_setattr_config(initrc_t)
+ 
+ 	optional_policy(`
++		abrt_manage_pid_files(initrc_t)
++	')
++
++	optional_policy(`
+ 		alsa_read_lib(initrc_t)
+ 	')
+ 
+@@ -478,7 +681,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
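Review bot: The added `optional_policy` block granting `abrt_manage_pid_files(initrc_t)` appears, going by the inner hunk header and its indentation, to land inside the `distro_gentoo` ifdef next to `alsa_read_lib(initrc_t)`. If so, the rule is not compiled on non-Gentoo builds, presumably including the distribution this patch targets, and whatever denial prompted it would remain. If it is meant for all builds, it belongs with the top-level `optional_policy` blocks for initrc_t. The enclosing ifdef starts outside the hunk, so the placement should be checked against the full file.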
@@ -49949,7 +50929,7 @@ index ea29513..b4fdd42 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -493,6 +686,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +696,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -49957,7 +50937,7 @@ index ea29513..b4fdd42 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -524,6 +718,23 @@ ifdef(`distro_redhat',`
+@@ -524,6 +728,23 @@ ifdef(`distro_redhat',`
  	optional_policy(`
  		bind_manage_config_dirs(initrc_t)
  		bind_write_config(initrc_t)
@@ -49981,7 +50961,7 @@ index ea29513..b4fdd42 100644
  	')
  
  	optional_policy(`
-@@ -531,10 +742,17 @@ ifdef(`distro_redhat',`
+@@ -531,10 +752,17 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -49999,7 +50979,7 @@ index ea29513..b4fdd42 100644
  	')
  
  	optional_policy(`
-@@ -549,6 +767,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +777,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -50039,7 +51019,7 @@ index ea29513..b4fdd42 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +812,8 @@ optional_policy(`
+@@ -561,6 +822,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -50048,7 +51028,7 @@ index ea29513..b4fdd42 100644
  ')
  
  optional_policy(`
-@@ -577,6 +830,7 @@ optional_policy(`
+@@ -577,6 +840,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -50056,7 +51036,7 @@ index ea29513..b4fdd42 100644
  ')
  
  optional_policy(`
-@@ -589,6 +843,11 @@ optional_policy(`
+@@ -589,6 +853,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50068,7 +51048,7 @@ index ea29513..b4fdd42 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -605,9 +864,13 @@ optional_policy(`
+@@ -605,9 +874,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -50082,7 +51062,7 @@ index ea29513..b4fdd42 100644
  	')
  
  	optional_policy(`
-@@ -649,6 +912,11 @@ optional_policy(`
+@@ -649,6 +922,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50094,7 +51074,7 @@ index ea29513..b4fdd42 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -706,7 +974,13 @@ optional_policy(`
+@@ -706,7 +984,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50108,7 +51088,7 @@ index ea29513..b4fdd42 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -729,6 +1003,10 @@ optional_policy(`
+@@ -729,6 +1013,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50119,7 +51099,7 @@ index ea29513..b4fdd42 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -738,10 +1016,20 @@ optional_policy(`
+@@ -738,10 +1026,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50140,7 +51120,7 @@ index ea29513..b4fdd42 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -750,6 +1038,10 @@ optional_policy(`
+@@ -750,6 +1048,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50151,7 +51131,7 @@ index ea29513..b4fdd42 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -771,8 +1063,6 @@ optional_policy(`
+@@ -771,8 +1073,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -50160,7 +51140,7 @@ index ea29513..b4fdd42 100644
  ')
  
  optional_policy(`
-@@ -781,14 +1071,21 @@ optional_policy(`
+@@ -781,14 +1081,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50182,7 +51162,7 @@ index ea29513..b4fdd42 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -800,7 +1097,6 @@ optional_policy(`
+@@ -800,7 +1107,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50190,7 +51170,7 @@ index ea29513..b4fdd42 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_rules_files(initrc_t)
  ')
-@@ -810,11 +1106,19 @@ optional_policy(`
+@@ -810,11 +1116,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50211,7 +51191,7 @@ index ea29513..b4fdd42 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -824,6 +1128,25 @@ optional_policy(`
+@@ -824,6 +1138,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -50237,7 +51217,7 @@ index ea29513..b4fdd42 100644
  ')
  
  optional_policy(`
-@@ -849,3 +1172,42 @@ optional_policy(`
+@@ -849,3 +1182,42 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -50281,18 +51261,44 @@ index ea29513..b4fdd42 100644
 +init_stream_connect(initrc_t)
 +
 diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
-index 07eba2b..942bea1 100644
+index 07eba2b..a75297a 100644
 --- a/policy/modules/system/ipsec.fc
 +++ b/policy/modules/system/ipsec.fc
-@@ -25,6 +25,7 @@
+@@ -12,12 +12,12 @@
+ 
+ /sbin/setkey			--	gen_context(system_u:object_r:setkey_exec_t,s0)
+ 
+-/usr/lib(64)?/ipsec/_plutoload	-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+-/usr/lib(64)?/ipsec/_plutorun	--	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+-/usr/lib(64)?/ipsec/eroute	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+-/usr/lib(64)?/ipsec/klipsdebug	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+-/usr/lib(64)?/ipsec/pluto	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+-/usr/lib(64)?/ipsec/spi		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
++/usr/lib/ipsec/_plutoload	-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
++/usr/lib/ipsec/_plutorun	--	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
++/usr/lib/ipsec/eroute	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
++/usr/lib/ipsec/klipsdebug	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
++/usr/lib/ipsec/pluto	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
++/usr/lib/ipsec/spi		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+ 
+ /usr/libexec/ipsec/_plutoload	-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+ /usr/libexec/ipsec/_plutorun	--	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+@@ -25,16 +25,19 @@
  /usr/libexec/ipsec/klipsdebug	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
  /usr/libexec/ipsec/pluto	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
  /usr/libexec/ipsec/spi		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 +/usr/libexec/nm-openswan-service	-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
  
- /usr/local/lib(64)?/ipsec/eroute --	gen_context(system_u:object_r:ipsec_exec_t,s0)
- /usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
-@@ -35,6 +36,8 @@
+-/usr/local/lib(64)?/ipsec/eroute --	gen_context(system_u:object_r:ipsec_exec_t,s0)
+-/usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
+-/usr/local/lib(64)?/ipsec/pluto --	gen_context(system_u:object_r:ipsec_exec_t,s0)
+-/usr/local/lib(64)?/ipsec/spi	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
++/usr/local/lib/ipsec/eroute --	gen_context(system_u:object_r:ipsec_exec_t,s0)
++/usr/local/lib/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
++/usr/local/lib/ipsec/pluto --	gen_context(system_u:object_r:ipsec_exec_t,s0)
++/usr/local/lib/ipsec/spi	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+ 
+ /usr/sbin/ipsec			-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
  /usr/sbin/racoon		--	gen_context(system_u:object_r:racoon_exec_t,s0)
  /usr/sbin/setkey		--	gen_context(system_u:object_r:setkey_exec_t,s0)
  
@@ -50809,7 +51815,7 @@ index 663a47b..ad0b864 100644
 +	allow $1 iscsid_t:sem create_sem_perms;
 +')
 diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te
-index 1d1c399..67d0dec 100644
+index 1d1c399..b8f623a 100644
 --- a/policy/modules/system/iscsi.te
 +++ b/policy/modules/system/iscsi.te
 @@ -31,6 +31,7 @@ files_pid_file(iscsi_var_run_t)
@@ -50820,7 +51826,18 @@ index 1d1c399..67d0dec 100644
  allow iscsid_t self:process { setrlimit setsched signal };
  allow iscsid_t self:fifo_file rw_fifo_file_perms;
  allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -64,6 +65,7 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
+@@ -44,8 +45,9 @@ allow iscsid_t self:tcp_socket create_stream_socket_perms;
+ 
+ can_exec(iscsid_t, iscsid_exec_t)
+ 
++manage_dirs_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t)
+ manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t)
+-files_lock_filetrans(iscsid_t, iscsi_lock_t, file)
++files_lock_filetrans(iscsid_t, iscsi_lock_t, { dir file })
+ 
+ manage_files_pattern(iscsid_t, iscsi_log_t, iscsi_log_t)
+ logging_log_filetrans(iscsid_t, iscsi_log_t, file)
+@@ -64,6 +66,7 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
  
  kernel_read_network_state(iscsid_t)
  kernel_read_system_state(iscsid_t)
@@ -50828,7 +51845,7 @@ index 1d1c399..67d0dec 100644
  
  corenet_all_recvfrom_unlabeled(iscsid_t)
  corenet_all_recvfrom_netlabel(iscsid_t)
-@@ -76,6 +78,8 @@ corenet_tcp_connect_isns_port(iscsid_t)
+@@ -76,6 +79,8 @@ corenet_tcp_connect_isns_port(iscsid_t)
  
  dev_rw_sysfs(iscsid_t)
  dev_rw_userio_dev(iscsid_t)
@@ -50837,7 +51854,7 @@ index 1d1c399..67d0dec 100644
  
  domain_use_interactive_fds(iscsid_t)
  domain_dontaudit_read_all_domains_state(iscsid_t)
-@@ -91,5 +95,5 @@ logging_send_syslog_msg(iscsid_t)
+@@ -91,5 +96,5 @@ logging_send_syslog_msg(iscsid_t)
  miscfiles_read_localization(iscsid_t)
  
  optional_policy(`
@@ -50845,18 +51862,36 @@ index 1d1c399..67d0dec 100644
 +	tgtd_manage_semaphores(iscsid_t)
  ')
 diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
-index 9df8c4d..010ec0e 100644
+index 9df8c4d..6b49c76 100644
 --- a/policy/modules/system/libraries.fc
 +++ b/policy/modules/system/libraries.fc
-@@ -44,6 +44,7 @@ ifdef(`distro_redhat',`
+@@ -37,17 +37,12 @@ ifdef(`distro_redhat',`
+ #
+ /lib					-d	gen_context(system_u:object_r:lib_t,s0)
+ /lib/.*						gen_context(system_u:object_r:lib_t,s0)
+-/lib64					-d	gen_context(system_u:object_r:lib_t,s0)
+-/lib64/.*					gen_context(system_u:object_r:lib_t,s0)
+ /lib/ld-[^/]*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:ld_so_t,s0)
+-/lib64/ld-[^/]*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:ld_so_t,s0)
  
  /lib/security/pam_poldi\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /lib64/security/pam_poldi\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/lib/systemd/system(/.*)?		-- 	gen_context(system_u:object_r:lib_t,s0)
+-/lib64/security/pam_poldi\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
  ifdef(`distro_debian',`
  /lib32					-l	gen_context(system_u:object_r:lib_t,s0)
-@@ -90,6 +91,7 @@ ifdef(`distro_gentoo',`
+-/lib64					-l	gen_context(system_u:object_r:lib_t,s0)
+ ')
+ 
+ ifdef(`distro_gentoo',`
+@@ -62,7 +57,6 @@ ifdef(`distro_gentoo',`
+ #
+ /opt/.*\.so					gen_context(system_u:object_r:lib_t,s0)
+ /opt/(.*/)?lib(/.*)?				gen_context(system_u:object_r:lib_t,s0)
+-/opt/(.*/)?lib64(/.*)?				gen_context(system_u:object_r:lib_t,s0)
+ /opt/(.*/)?java/.+\.jar			--	gen_context(system_u:object_r:lib_t,s0)
+ /opt/(.*/)?jre.*/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /opt/(.*/)?jre/.+\.jar			--	gen_context(system_u:object_r:lib_t,s0)
+@@ -90,6 +84,7 @@ ifdef(`distro_gentoo',`
  ')
  
  ifdef(`distro_redhat',`
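Review bot: Removing `/opt/(.*/)?lib64(/.*)?` here, and `/usr/(.*/)?lib64(/.*)?` in the following hunk, is not equivalent to removing the fixed `/lib64` entries. Path equivalence rules substitute a leading prefix, so they cannot stand in for a lib64 directory nested at arbitrary depth, such as `/opt/<vendor>/lib64`. Unless another entry covers those paths, files there would no longer be labeled `lib_t` and would pick up whatever the parent pattern assigns. Consider keeping these two wildcard entries while dropping only the fixed-prefix lib64 lines.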
@@ -50864,7 +51899,21 @@ index 9df8c4d..010ec0e 100644
  /opt/Adobe(/.*?)/nppdf\.so 		-- 	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /opt/Adobe/Reader.?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /opt/Adobe/Reader.?/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0)
-@@ -129,15 +131,13 @@ ifdef(`distro_redhat',`
+@@ -118,64 +113,62 @@ ifdef(`distro_redhat',`
+ /usr/(.*/)?java/.+\.jsa			--	gen_context(system_u:object_r:lib_t,s0)
+ 
+ /usr/(.*/)?lib(/.*)?				gen_context(system_u:object_r:lib_t,s0)
+-/usr/(.*/)?lib64(/.*)?				gen_context(system_u:object_r:lib_t,s0)
+ 
+-/usr/(.*/)?lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
++/usr/(.*/)?lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
+ 
+ /usr/(.*/)?nvidia/.+\.so(\..*)?		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+-/usr/lib64/altivec/libavcodec\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/cedega/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/altivec/libavcodec\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/cedega/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/vlc/codec/librealvideo_plugin\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/vlc/codec/libdmo_plugin\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -50872,30 +51921,88 @@ index 9df8c4d..010ec0e 100644
 -/usr/lib64/vlc/codec/librealvideo_plugin\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 -/usr/lib64/vlc/codec/libdmo_plugin\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 -/usr/lib64/vlc/codec/librealaudio_plugin\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/vlc/codec/librealvideo_plugin\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/vlc/.*\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/libtfmessbsp\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/xorg/libGL\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libtfmessbsp\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/xorg/libGL\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/vlc/.*\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libtfmessbsp\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/xorg/libGL\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/X11R6/lib/libGL\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/libGL\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libGL\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 -/usr/lib(64)?/catalyst/libGL\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/catalyst/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/libADM5.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/libatiadlxx\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/win32/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -151,9 +151,10 @@ ifdef(`distro_redhat',`
- /usr/lib(64)?/fglrx/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/libjs\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* 	-- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/libzita-convolver\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libADM5.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libatiadlxx\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/win32/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libGL\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/catalyst/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libADM5.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libatiadlxx\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/win32/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+ /usr/lib/ADM_plugins/videoFilter/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+-/usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libsipphoneapi\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/ati-fglrx/.+\.so(\..*)?	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/fglrx/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libjs\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* 	-- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 -/usr/lib(64)?/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/nero/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -198,8 +199,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* --	gen_context(system_u:object_r:textrel_shlib_t
+-/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/nvidia/libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/(.*/)?lib(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(/.*)?/nvidia/.+\.so(\..*)? --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libsipphoneapi\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ati-fglrx/.+\.so(\..*)?	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/fglrx/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libjs\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/sse2/libx264\.so(\.[^/]*)* 	-- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libzita-convolver\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/nero/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/nvidia/libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+ /usr/(local/)?.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:lib_t,s0)
+-/usr/(local/)?lib(64)?/wine/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/(local/)?lib/wine/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/(local/)?lib/(sse2/)?libfame-.*\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/NX/lib/libXcomp\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/NX/lib/libjpeg\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+ /usr/X11R6/lib/libXvMCNVIDIA\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+-/usr/lib(64)?/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/xorg/modules/drivers/nvidia_drv\.o -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/xorg/modules/drivers/nvidia_drv\.o -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+ ifdef(`distro_debian',`
+ /usr/lib32				-l	gen_context(system_u:object_r:lib_t,s0)
++/lib                   -l  gen_context(system_u:object_r:lib_t,s0)
+ ')
+ 
+ ifdef(`distro_gentoo',`
+@@ -194,94 +187,92 @@ HOME_DIR/.*/plugins/nppdf\.so.* --	gen_context(system_u:object_r:textrel_shlib_t
+ /usr/lib/allegro/(.*/)?alleg-vga\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/firefox-[^/]*/extensions(/.*)?/libqfaservices.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/firefox-[^/]*/plugins/nppdf.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/firefox/plugins/libractrl\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/libFLAC\.so.*			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/libfglrx_gamma\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/mozilla/plugins/nppdf\.so 	-- 	gen_context(system_u:object_r:textrel_shlib_t,s0)
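Review bot: The added `/lib -l` entry sits in the `distro_debian` block of the `/usr` section, directly after `/usr/lib32`, and is separated with spaces while every neighbouring entry uses tabs. The `/lib` section earlier in the same file already has its own `distro_debian` block (the one holding `/lib32 -l`), so the symlink rule would be easier to find there, next to the `/lib -d` directory rule it complements. If a `/usr` path was intended, the path should be corrected instead. Either way, a short `#` comment saying which symlink this labels would remove the ambiguity.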
@@ -50904,23 +52011,145 @@ index 9df8c4d..010ec0e 100644
  /usr/lib/mozilla/plugins/libvlcplugin\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/nx/libXcomp\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/nx/libjpeg\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -208,6 +207,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* --	gen_context(system_u:object_r:textrel_shlib_t
- 
- /usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/libgpac\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/libglide3\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/libglide3-v[0-9]*\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/helix/plugins/[^/]*\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -247,6 +247,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* --	gen_context(system_u:object_r:textrel_shlib_t
- /usr/lib(64)?/ladspa/sc3_1427\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/ladspa/sc4_1882\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/ladspa/se4_1883\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/sane/libsane-epkowa\.so.* --  gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/ocaml/stublibs/dllnums\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib/VBoxVMM\.so			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib64/mozilla/plugins/libvlcplugin\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-
+-/usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libglide3\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libglide3-v[0-9]*\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/helix/plugins/[^/]*\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/helix/codecs/[^/]*\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/libstdc\+\+\.so\.2\.7\.2\.8 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libg\+\+\.so\.2\.7\.2\.8	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libgpac\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libglide3\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libglide3-v[0-9]*\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/helix/plugins/[^/]*\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/helix/codecs/[^/]*\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/X11R6/lib/libfglrx_gamma\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libHermes\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/valgrind/hp2ps		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/valgrind/stage2		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/valgrind/vg.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/.*/program/libicudata\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/.*/program/libsts645li\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/.*/program/libvclplug_gen645li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/.*/program/libwrp645li\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/.*/program/libswd680li\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/.*/program/librecentfile\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/.*/program/libsvx680li\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/.*/program/libsoffice\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libHermes\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/valgrind/hp2ps		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/valgrind/stage2		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/valgrind/vg.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/.*/program/libicudata\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/.*/program/libsts645li\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/.*/program/libvclplug_gen645li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/.*/program/libwrp645li\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/.*/program/libswd680li\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/.*/program/librecentfile\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/.*/program/libsvx680li\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/.*/program/libcomphelp4gcc3\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/.*/program/libsoffice\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/(.*/)?pcsc/drivers(/.*)?/lib(cm2020|cm4000|SCR24x)\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+ # Fedora Extras packages: ladspa, imlib2, ocaml
+-/usr/lib(64)?/ladspa/analogue_osc_1416\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/ladspa/bandpass_a_iir_1893\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/ladspa/bandpass_iir_1892\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/ladspa/butterworth_1902\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/ladspa/fm_osc_1415\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/ladspa/gsm_1215\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/ladspa/gverb_1216\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/ladspa/hermes_filter_1200\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/ladspa/highpass_iir_1890\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/ladspa/lowpass_iir_1891\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/ladspa/notch_iir_1894\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/ladspa/pitch_scale_1193\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/ladspa/pitch_scale_1194\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/ladspa/sc1_1425\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/ladspa/sc2_1426\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/ladspa/sc3_1427\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/ladspa/sc4_1882\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/ladspa/se4_1883\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/ocaml/stublibs/dllnums\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ladspa/analogue_osc_1416\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ladspa/bandpass_a_iir_1893\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ladspa/bandpass_iir_1892\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ladspa/butterworth_1902\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ladspa/fm_osc_1415\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ladspa/gsm_1215\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ladspa/gverb_1216\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ladspa/hermes_filter_1200\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ladspa/highpass_iir_1890\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ladspa/lowpass_iir_1891\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ladspa/notch_iir_1894\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ladspa/pitch_scale_1193\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ladspa/pitch_scale_1194\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ladspa/sc1_1425\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ladspa/sc2_1426\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ladspa/sc3_1427\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ladspa/sc4_1882\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ladspa/se4_1883\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/sane/libsane-epkowa\.so.* --  gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ocaml/stublibs/dllnums\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
  # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
-@@ -302,13 +303,8 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+-/usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib.*/libmpg123\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/local(/.*)?/libmpg123\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/codecs/drv[1-9c]\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/local/lib/codecs/drv[1-9c]\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+ HOME_DIR/.*/plugins/nppdf\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/.*/nprhapengine\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/.*/nprhapengine\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/local/(.*/)?nprhapengine\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+ # Jai, Sun Microsystems (Jpackage SPRM)
+-/usr/lib(64)?/libmlib_jai\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libdivxdecore\.so\.0	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libdivxencore\.so\.0	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libmlib_jai\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libdivxdecore\.so\.0	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libdivxencore\.so\.0	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+-/usr/lib(64)?/libdvdcss\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libdvdcss\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+-/usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/python2.4/site-packages/M2Crypto/__m2crypto\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+ # vmware
+-/usr/lib(64)?/vmware/lib(/.*)?/libgdk-x11-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/vmware/(.*/)?VmPerl\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/vmware/lib(/.*)?/libvmware-gksu.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/vmware/lib(/.*)?/libgdk-x11-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/vmware/lib(/.*)?/HConfig\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/vmware/(.*/)?VmPerl\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/vmware/lib(/.*)?/libvmware-gksu.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+-/usr/lib(64)?/(virtualbox(-ose)?/)?(components/)?VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/virtualbox/.*\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/(virtualbox(-ose)?/)?(components/)?VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/virtualbox/.*\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+ # Java, Sun Microsystems (JPackage SRPM)
+ /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/(.*/)?jre.*/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/(.*/)?jre.*/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+ /usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/(local/)?Adobe/(.*/)?intellinux/sidecars/* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -302,13 +293,7 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
  /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/acroread/.+\.api		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/acroread/(.*/)?ADMPlugin\.apl	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
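Review bot: The rewritten rule `/usr/lib.*/libmpg123\.so(\.[^/]*)*` leaves `.*` unanchored directly after `lib`, so it also matches sibling directories whose names merely begin with `lib`, at any depth below them, and assigns `textrel_shlib_t` to every `libmpg123.so*` found there. With the `(64)?` gone, the pattern can follow the form this patch already uses for the nvidia libraries: `/usr/lib(/.*)?/libmpg123\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)`. Since `textrel_shlib_t` is the label for libraries that are allowed text relocations, the narrower match keeps that exception scoped to the library directory tree.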
@@ -50932,38 +52161,43 @@ index 9df8c4d..010ec0e 100644
 -/usr/share/hplip/prnt/plugins(/.*)?		gen_context(system_u:object_r:lib_t,s0)
 -/usr/share/squeezeboxserver/CPAN/arch/.+\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib/.*/program(/.*)?\.so		gen_context(system_u:object_r:lib_t,s0)
-+/usr/lib64/.*/program(/.*)?\.so		gen_context(system_u:object_r:lib_t,s0)
  ') dnl end distro_redhat
  
  #
-@@ -319,14 +315,150 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
- /var/ftp/lib(64)?(/.*)?				gen_context(system_u:object_r:lib_t,s0)
- /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:ld_so_t,s0)
+@@ -316,17 +301,152 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:te
+ #
+ /var/cache/ldconfig(/.*)?			gen_context(system_u:object_r:ldconfig_cache_t,s0)
  
--/var/lib/spamassassin/compiled/.*\.so.*	--	gen_context(system_u:object_r:lib_t,s0)
+-/var/ftp/lib(64)?(/.*)?				gen_context(system_u:object_r:lib_t,s0)
+-/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:ld_so_t,s0)
 -
+-/var/lib/spamassassin/compiled/.*\.so.*	--	gen_context(system_u:object_r:lib_t,s0)
++/var/ftp/lib(/.*)?				gen_context(system_u:object_r:lib_t,s0)
++/var/ftp/lib/ld[^/]*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:ld_so_t,s0)
+ 
  /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? --	gen_context(system_u:object_r:lib_t,s0)
  
-+/usr/lib(64)?/pgsql/.*\.so.*		--	gen_context(system_u:object_r:lib_t,s0)
-+/usr/lib(64)?/pgsql/test/regress/.*\.so.*		--	gen_context(system_u:object_r:lib_t,s0)
++/usr/lib/pgsql/.*\.so.*		--	gen_context(system_u:object_r:lib_t,s0)
++/usr/lib/pgsql/test/regress/.*\.so.*		--	gen_context(system_u:object_r:lib_t,s0)
 +/var/lib/spamassassin/compiled/.*\.so.*    --     gen_context(system_u:object_r:lib_t,s0)
 +
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+\.so(\.[^/]*)*	-l	gen_context(system_u:object_r:lib_t,s0)
  ')
  
+-/var/spool/postfix/lib(64)?(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
 +/usr/share/hplip/prnt/plugins(/.*)?		gen_context(system_u:object_r:lib_t,s0)
 +/usr/share/squeezeboxserver/CPAN/arch/.+\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
- /var/spool/postfix/lib(64)?(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
++/var/spool/postfix/lib(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
- /var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
+-/var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
++/var/spool/postfix/lib/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
 +
-+/usr/lib(64)?/libmyth[^/]+\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/mythtv/filters/.*\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libmyth[^/]+\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/mythtv/filters/.*\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/lib/jvm/java(.*/)bin(/.*)?/.*\.so 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib64/jvm/java(.*/)bin(/.*)?/.*\.so 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/lib/oracle/.*/lib/libnnz10\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
@@ -50971,23 +52205,23 @@ index 9df8c4d..010ec0e 100644
 +
 +/opt/novell/groupwise/client/lib/libgwapijni\.so\.1	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
-+/usr/lib(64)?/sse2/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/i686/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/sse2/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/i686/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/local/google-earth/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/googleearth/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/google-earth/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/googleearth/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/google-earth/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google-earth/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/google-earth/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/google/.*\.so.*    --     gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
-+/usr/lib(64)?/nspluginwrapper/np.*\.so	-- gen_context(system_u:object_r:lib_t,s0)
++/usr/lib/nspluginwrapper/np.*\.so	-- gen_context(system_u:object_r:lib_t,s0)
 +
 +/usr/lib/oracle/.*/lib/libnnz.*\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/oracle(64)?/.*/lib/libclntsh\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/oracle/.*/lib/libclntsh\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/opt/(.*/)?oracle/(.*/)?libnnz.*\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/libnnz11.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/libxvidcore\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libnnz11.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libxvidcore\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +
 +/opt/matlab.*\.so(\.[^/]*)*		gen_context(system_u:object_r:textrel_shlib_t,s0)
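Review bot: The rewritten entries `/usr/lib/oracle/.*/lib/libclntsh\.so(\.[^/]*)*` and `/usr/lib/libnnz11.so(\.[^/]*)*` carry no file-type field, so unlike the surrounding `--` rules they apply `textrel_shlib_t` to any object type with a matching path. The `.` in `libnnz11.so` is also unescaped and therefore matches any character. Since both lines are being touched anyway, they could be tightened to `/usr/lib/libnnz11\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)`, with the same `--` added to the `libclntsh` line. If symlinks are meant to be labelled too, a `#` comment saying so would make the omission clearly intentional.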
@@ -50999,80 +52233,80 @@ index 9df8c4d..010ec0e 100644
 +
 +/usr/lib/libcncpmslld328\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
-+/usr/lib(64)?/ICAClient/.*\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ICAClient/.*\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
-+/usr/lib(64)?/midori/.*\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/midori/.*\.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
-+/usr/lib(64)?/libav.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libav.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
-+/usr/lib(64)?/xine/plugins/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/xine/plugins/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
-+/usr/lib(64)?/yafaray/libDarkSky.so 	   --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/yafaray/libDarkSky.so 	   --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
-+/usr/lib(64)?/libpostproc\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libpostproc\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
-+/usr/lib(64)?/libswscale\.so.*		 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libswscale\.so.*		 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/lib/libADM.*\.so.*			 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
-+/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/gstreamer-.*/[^/]*\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +HOME_DIR/\.gstreamer-.*/plugins/.*\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
-+/usr/lib(64)?/libx264\.so(\.[^/]*)* 	-- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libx264\.so(\.[^/]*)* 	-- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
-+/usr/lib(64)?/libmp3lame\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/libmpeg2\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libmp3lame\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libmpeg2\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +ifdef(`fixed',`
-+/usr/lib(64)?/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/libavdevice\.so.*	 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/libavformat.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/libavcodec.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/libavutil.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/libdv\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/libGLU\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/libgsm\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/libImlib2\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/libjackserver\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libavdevice\.so.*	 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libavformat.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libavcodec.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libavutil.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libdv\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libGLU\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libgsm\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libImlib2\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libjackserver\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/X11R6/lib/libOSMesa.*\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/libOSMesa.*\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/libSDL-.*\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/xulrunner-[^/]*/libxul\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libOSMesa.*\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libSDL-.*\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/xulrunner-[^/]*/libxul\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +# Flash plugin, Macromedia
 +HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/.*/libflashplayer\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/.*/libflashplayer\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/local/(.*/)?libflashplayer\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/php/modules/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/xorg/modules/dri/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/php/modules/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/xorg/modules/dri/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/X11R6/lib/modules/dri/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/dri/.+\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/httpd/modules/libphp5\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/dri/.+\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/httpd/modules/libphp5\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +')
 +/opt/VBoxGuestAdditions.*/lib/VBox.*\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
-+/usr/lib(64)?/nmm/liba52\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/nmm/liba52\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/lampp/lib/libct\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/lampp/lib/.*\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/VirtualBox(/.*)?/VBox.*\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
-+/usr/lib(64)?/chromium-browser/.*\.so 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/chromium-browser/.*\.so 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/local/zend/lib/apache2/libphp5\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
-+/usr/lib(64)?/python.*/site-packages/pymedia/muxer\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/python.*/site-packages/pymedia/muxer\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/local/games/darwinia/lib/libSDL.*\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/ocp-.*/mixclip\.so		     --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/ocp-.*/mixclip\.so		     --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
-+/usr/lib(64)?/octagaplayer/libapplication\.so		     --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/octagaplayer/libapplication\.so		     --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/AutoScan/usr/lib/libvte\.so.*			     --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/bin/bsnes		     --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/lib/firefox/plugins/libractrl\.so	     --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
-+/usr/lib(64)?/libGLcore\.so.*	     --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libGLcore\.so.*	     --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
-+/usr/lib(64)?/libkmplayercommon\.so.*	     --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libkmplayercommon\.so.*	     --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/opt/Unify/SQLBase/libgptsblmsui11\.so.*	     --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
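Review bot: With `(64)?` dropped, none of these patterns matches a `/usr/lib64/...` path any more, so on 64-bit installs the `textrel_shlib_t` labels only still apply if a path-equivalence rule ships with the same build (for example a `file_contexts.subs_dist` entry mapping `/usr/lib64` to `/usr/lib`). Nothing in the visible part of this diff adds such a rule. The same holds for the later hunks on miscfiles.fc, modutils.fc (where the `/lib64/modules` entries are deleted outright), selinuxutil.fc and xen.fc; for `qemu_dm_exec_t` a missed label would presumably also mean the entrypoint transition no longer happens. I would record the dependency where the patterns live, e.g. `# 64-bit library paths rely on the lib64 -> lib equivalence rule; do not re-add (64)? here`, and confirm the rule is packaged before this lands.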
@@ -51080,9 +52314,9 @@ index 9df8c4d..010ec0e 100644
 +
 +/opt/real/RealPlayer/codecs(/.*)?	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
-+/usr/lib(64)?/vdpau/libvdpau_nvidia\.so.*  --	gen_context(system_u:object_r:textrel_shlib_t,s0)	
++/usr/lib/vdpau/libvdpau_nvidia\.so.*  --	gen_context(system_u:object_r:textrel_shlib_t,s0)	
 +
-+/usr/lib(64)?/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/libGTL.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/lib/nsr/(.*/)?.*\.so		-- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/opt/lgtonmc/bin/.*\.so(\.[0-9])?  	--  gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -51435,7 +52669,7 @@ index 571599b..ddaf246 100644
 +
 +/var/webmin(/.*)?		gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index c7cfb62..6160239 100644
+index c7cfb62..ee89659 100644
 --- a/policy/modules/system/logging.if
 +++ b/policy/modules/system/logging.if
 @@ -545,6 +545,44 @@ interface(`logging_send_syslog_msg',`
@@ -51538,10 +52772,29 @@ index c7cfb62..6160239 100644
  ')
  
  ########################################
-@@ -824,6 +899,25 @@ interface(`logging_read_generic_logs',`
+@@ -824,6 +899,44 @@ interface(`logging_read_generic_logs',`
  
  ########################################
  ## <summary>
++##	Link generic log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`logging_link_generic_logs',`
++	gen_require(`
++		type var_log_t;
++	')
++
++	allow $1 var_log_t:file link;
++')
++
++########################################
++## <summary>
 +##	Delete generic log files.
 +## </summary>
 +## <param name="domain">
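Review bot: `logging_link_generic_logs` grants only `allow $1 var_log_t:file link;`, with no directory search on the log directory, so it works only for callers that already have that access from another interface. If it is meant to be usable on its own, add `files_search_var($1)` and `allow $1 var_log_t:dir search_dir_perms;` ahead of the allow rule. The `<rolecap/>` tag looks copied from the read interface above and is worth a second look, since a hard link keeps a log reachable after it is rotated or unlinked. The summary should also name the caller that needs this, for example `##	Create hard links to generic log files (needed by <caller>).`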
@@ -51564,7 +52817,7 @@ index c7cfb62..6160239 100644
  ##	Write generic log files.
  ## </summary>
  ## <param name="domain">
-@@ -971,6 +1065,7 @@ interface(`logging_admin_syslog',`
+@@ -971,6 +1084,7 @@ interface(`logging_admin_syslog',`
  		type syslogd_initrc_exec_t;
  	')
  
@@ -51572,7 +52825,7 @@ index c7cfb62..6160239 100644
  	allow $1 syslogd_t:process { ptrace signal_perms };
  	allow $1 klogd_t:process { ptrace signal_perms };
  	ps_process_pattern($1, syslogd_t)
-@@ -996,6 +1091,8 @@ interface(`logging_admin_syslog',`
+@@ -996,6 +1110,8 @@ interface(`logging_admin_syslog',`
  	manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
  
  	logging_manage_all_logs($1)
@@ -51864,7 +53117,7 @@ index 58bc27f..b95f0c0 100644
 +	allow $1 clvmd_tmpfs_t:file unlink;
 +')
 diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index a0a0ebf..090189c 100644
+index a0a0ebf..e7fd4ec 100644
 --- a/policy/modules/system/lvm.te
 +++ b/policy/modules/system/lvm.te
 @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -52011,12 +53264,13 @@ index a0a0ebf..090189c 100644
  
  init_use_fds(lvm_t)
  init_dontaudit_getattr_initctl(lvm_t)
-@@ -299,15 +321,20 @@ seutil_read_file_contexts(lvm_t)
+@@ -299,15 +321,22 @@ seutil_read_file_contexts(lvm_t)
  seutil_search_default_contexts(lvm_t)
  seutil_sigchld_newrole(lvm_t)
  
--userdom_use_user_terminals(lvm_t)
 +userdom_use_inherited_user_terminals(lvm_t)
+ userdom_use_user_terminals(lvm_t)
++userdom_rw_semaphores(lvm_t)
  
  ifdef(`distro_redhat',`
  	# this is from the initrd:
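Review bot: `userdom_use_user_terminals(lvm_t)` is now kept as a context line directly after the added `userdom_use_inherited_user_terminals(lvm_t)`, whereas the previous revision of this patch removed it. If the inherited variant is meant to limit lvm_t to terminals it was handed (presumably by withholding open; the interface body is not visible here), keeping the broader call cancels that narrowing. Either drop the unprefixed call again or justify it with a comment such as `# lvm opens the user tty itself when ...`. The new `userdom_rw_semaphores(lvm_t)` has no matching entry in the visible changelog, so a short why-comment there would help too. The enclosing lvm.te section continues outside this hunk.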
@@ -52036,7 +53290,7 @@ index a0a0ebf..090189c 100644
  ')
  
  optional_policy(`
-@@ -331,6 +358,10 @@ optional_policy(`
+@@ -331,14 +360,26 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -52047,7 +53301,12 @@ index a0a0ebf..090189c 100644
  	modutils_domtrans_insmod(lvm_t)
  ')
  
-@@ -339,6 +370,10 @@ optional_policy(`
+ optional_policy(`
++	raid_read_mdadm_pid(lvm_t)
++')
++
++optional_policy(`
+ 	rpm_manage_script_tmp_files(lvm_t)
  ')
  
  optional_policy(`
@@ -52059,7 +53318,7 @@ index a0a0ebf..090189c 100644
  ')
  
 diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
-index 172287e..2683ce9 100644
+index 172287e..ec1f0e8 100644
 --- a/policy/modules/system/miscfiles.fc
 +++ b/policy/modules/system/miscfiles.fc
 @@ -9,7 +9,7 @@ ifdef(`distro_gentoo',`
@@ -52071,6 +53330,15 @@ index 172287e..2683ce9 100644
  /etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
  /etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
  /etc/timezone		--	gen_context(system_u:object_r:locale_t,s0)
+@@ -34,7 +34,7 @@ ifdef(`distro_redhat',`
+ #
+ /usr/lib/locale(/.*)?		gen_context(system_u:object_r:locale_t,s0)
+ 
+-/usr/lib(64)?/perl5/man(/.*)?	gen_context(system_u:object_r:man_t,s0)
++/usr/lib/perl5/man(/.*)?	gen_context(system_u:object_r:man_t,s0)
+ 
+ /usr/local/man(/.*)?		gen_context(system_u:object_r:man_t,s0)
+ /usr/local/share/man(/.*)?	gen_context(system_u:object_r:man_t,s0)
 diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
 index 926ba65..1dfa62a 100644
 --- a/policy/modules/system/miscfiles.if
@@ -52114,6 +53382,21 @@ index 703944c..1d3a6a9 100644
  attribute cert_type;
  
  #
+diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc
+index 532181a..2410551 100644
+--- a/policy/modules/system/modutils.fc
++++ b/policy/modules/system/modutils.fc
+@@ -10,10 +10,8 @@ ifdef(`distro_gentoo',`
+ ')
+ 
+ /lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
+-/lib64/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
+ 
+ /lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
+-/lib64/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
+ 
+ /sbin/depmod.*		--	gen_context(system_u:object_r:depmod_exec_t,s0)
+ /sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0)
 diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
 index 9c0faab..def8d5a 100644
 --- a/policy/modules/system/modutils.if
@@ -53021,6 +54304,35 @@ index ed9c70d..b961d53 100644
  
  /sbin/mdadm		--	gen_context(system_u:object_r:mdadm_exec_t,s0)
  /sbin/mdmpd		--	gen_context(system_u:object_r:mdadm_exec_t,s0)
+diff --git a/policy/modules/system/raid.if b/policy/modules/system/raid.if
+index c817fda..8bcb1fd 100644
+--- a/policy/modules/system/raid.if
++++ b/policy/modules/system/raid.if
+@@ -21,6 +21,24 @@ interface(`raid_domtrans_mdadm',`
+ 
+ ########################################
+ ## <summary>
++##	read the mdadm pid files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`raid_read_mdadm_pid',`
++	gen_require(`
++		type mdadm_var_run_t;
++	')
++
++	read_files_pattern($1, mdadm_var_run_t, mdadm_var_run_t)
++')
++
++########################################
++## <summary>
+ ##	Create, read, write, and delete the mdadm pid files.
+ ## </summary>
+ ## <desc>
 diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
 index 73cc8cf..020e663 100644
 --- a/policy/modules/system/raid.te
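Review bot: `raid_read_mdadm_pid` calls `read_files_pattern($1, mdadm_var_run_t, mdadm_var_run_t)` without first giving the caller search access to the pid directory that holds these files. The lvm.te caller may already have that from elsewhere, but the interface is not self-contained for other domains. Adding `files_search_pids($1)` before the pattern would fix that. The summary line should also be capitalised to match its neighbours: `##	Read the mdadm pid files.`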
@@ -53095,7 +54407,7 @@ index 73cc8cf..020e663 100644
 +#	unconfined_domain(mdadm_t)
 +#')
 diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
-index 2cc4bda..9e81136 100644
+index 2cc4bda..167c358 100644
 --- a/policy/modules/system/selinuxutil.fc
 +++ b/policy/modules/system/selinuxutil.fc
 @@ -6,13 +6,13 @@
@@ -53115,7 +54427,14 @@ index 2cc4bda..9e81136 100644
  
  #
  # /root
-@@ -38,11 +38,20 @@
+@@ -32,17 +32,26 @@
+ /usr/bin/checkpolicy		--	gen_context(system_u:object_r:checkpolicy_exec_t,s0)
+ /usr/bin/newrole		--	gen_context(system_u:object_r:newrole_exec_t,s0)
+ 
+-/usr/lib(64)?/selinux(/.*)?		gen_context(system_u:object_r:policy_src_t,s0)
++/usr/lib/selinux(/.*)?		gen_context(system_u:object_r:policy_src_t,s0)
+ 
+ /usr/sbin/load_policy		--	gen_context(system_u:object_r:load_policy_exec_t,s0)
  /usr/sbin/restorecond		--	gen_context(system_u:object_r:restorecond_exec_t,s0)
  /usr/sbin/run_init		--	gen_context(system_u:object_r:run_init_exec_t,s0)
  /usr/sbin/setfiles.*		--	gen_context(system_u:object_r:setfiles_exec_t,s0)
@@ -54549,17 +55868,19 @@ index df32316..e372b51 100644
 +')
 diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
 new file mode 100644
-index 0000000..266e9b0
+index 0000000..c7476cb
 --- /dev/null
 +++ b/policy/modules/system/systemd.fc
-@@ -0,0 +1,12 @@
+@@ -0,0 +1,14 @@
 +/bin/systemd-notify					--		gen_context(system_u:object_r:systemd_notify_exec_t,s0)
 +
++/bin/systemctl						--	gen_context(system_u:object_r:systemd_systemctl_exec_t,s0)
 +/bin/systemd-tty-ask-password-agent			--		gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
 +/bin/systemd-tmpfiles					--		gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
 +
 +/usr/bin/systemd-gnome-ask-password-agent	--		gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
 +
++/lib/systemd/system(/.*)?                              --              gen_context(system_u:object_r:systemd_unit_file_t,s0)
 +/lib/systemd/systemd-tmpfiles				--		gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
 +
 +/var/run/systemd/ask-password-block/[^/]*		-p	gen_context(system_u:object_r:systemd_device_t,s0)
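Review bot: The new `/lib/systemd/system(/.*)?` entry carries the `--` file-type field, so it labels regular files only. The directory itself, any subdirectories and any symlinks under it keep whatever label the generic `/lib` rules give them. If the whole tree is meant to be `systemd_unit_file_t`, drop the type field: `/lib/systemd/system(/.*)?		gen_context(system_u:object_r:systemd_unit_file_t,s0)`. If only regular files are intended, the optional group should not be able to match the bare directory, so `/lib/systemd/system/.*` would be clearer. The entry also uses runs of spaces where the neighbouring lines use tabs.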
@@ -54567,14 +55888,120 @@ index 0000000..266e9b0
 +
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..aabfb0d
+index 0000000..4dfe28c
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,140 @@
+@@ -0,0 +1,246 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
 +## <summary>
++##      Create a domain for processes which are started 
++##      exuting systemctl.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++## <param name="domain">
++##      <summary>
++##      Type to be used as a domain.
++##      </summary>
++## </param>
++#
++interface(`systemd_systemctl_domain',`
++        gen_require(`
++                type systemd_systemctl_exec_t;
++                role system_r;
++        ')
++
++	type $1_systemctl_t;
++	domain_type($1_systemctl_t)
++	domain_entry_file($1_systemctl_t, systemd_systemctl_exec_t)	
++
++	role system_r types $1_systemctl_t;
++
++	domtrans_pattern($1_t, systemd_systemctl_exec_t , $1_systemctl_t)
++')
++
++########################################
++## <summary>
++##      Execute systemctl in the caller domain.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`systemd_exec_systemctl',`
++        gen_require(`
++                type systemd_systemctl_exec_t;
++        ')
++
++        corecmd_search_bin($1)
++        can_exec($1, systemd_systemctl_exec_t)
++')
++
++#######################################
++## <summary>
++##      Create a file type used for systemd unit files.
++## </summary>
++## <param name="script_file">
++##      <summary>
++##      Type to be used for an unit file.
++##      </summary>
++## </param>
++#
++interface(`systemd_unit_file',`
++        gen_require(`
++                attribute systemd_unit_file_type;
++        ')
++
++        typeattribute $1 systemd_unit_file_type;
++	files_type($1)
++')
++
++######################################
++## <summary>
++##      Allow domain to read all systemd unit files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`systemd_read_unit_files',`
++        gen_require(`
++                attribute systemd_unit_file_type;
++        ')
++	
++	files_search_var_lib($1)
++        allow $1 systemd_unit_file_type:file read_file_perms;
++')
++
++#####################################
++## <summary>
++##      Dontaudit domain to read all systemd unit files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`systemd_dontaudit_read_unit_files',`
++        gen_require(`
++                attribute systemd_unit_file_type;
++        ')
++
++        dontaudit $1 systemd_unit_file_type:file read_file_perms;
++')
++
++#######################################
++## <summary>
 +##  Execute a domain transition to run systemd-tmpfiles.
 +## </summary>
 +## <param name="domain">
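Review bot: `systemd_systemctl_domain` uses its single argument as a name prefix (`type $1_systemctl_t;`, `domtrans_pattern($1_t, ...)`), but the header documents two parameters, both named `domain`, described as a domain and a type. Since the macro declares a new type it would conventionally be a `template(...)` with one `<param name="prefix">` saying the caller passes the prefix of an existing `<prefix>_t` domain, and "exuting" should read "executing". Only `role system_r types $1_systemctl_t;` is granted, so a caller running under another role would presumably not complete the transition; that is worth stating or fixing. Separately, `systemd_read_unit_files` calls `files_search_var_lib($1)` and allows only `file` access, while systemd.fc in this diff places unit files under `/lib/systemd/system`, so the search helper looks mismatched and directory and symlink access is not covered.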
@@ -54713,10 +56140,10 @@ index 0000000..aabfb0d
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..d5b6aff
+index 0000000..ef7eddd
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,162 @@
+@@ -0,0 +1,180 @@
 +
 +policy_module(systemd, 1.0.0)
 +
@@ -54725,6 +56152,8 @@ index 0000000..d5b6aff
 +# Declarations
 +#
 +
++attribute systemd_unit_file_type;
++
 +# domain for systemd-tty-ask-password-agent and systemd-gnome-ask-password-agent
 +# systemd components
 +
@@ -54741,6 +56170,14 @@ index 0000000..d5b6aff
 +type systemd_notify_exec_t;
 +init_systemd_domain(systemd_notify_t, systemd_notify_exec_t)
 +
++# type for systemd unit files
++type systemd_unit_file_t;
++systemd_unit_file(systemd_unit_file_t)
++
++# executable for systemctl
++type systemd_systemctl_exec_t;
++corecmd_executable_file(systemd_systemctl_exec_t)
++
 +#
 +# Type for systemd pipes in /dev/.systemd/ directory
 +#
@@ -54841,6 +56278,14 @@ index 0000000..d5b6aff
 +miscfiles_relabel_man_pages(systemd_tmpfiles_t)
 +miscfiles_read_localization(systemd_tmpfiles_t)
 +
++ifdef(`distro_redhat',`
++	userdom_list_user_home_content(systemd_tmpfiles_t)
++	userdom_delete_user_home_content_dirs(systemd_tmpfiles_t)
++	userdom_delete_user_home_content_files(systemd_tmpfiles_t)
++	userdom_delete_user_home_content_sock_files(systemd_tmpfiles_t)
++	userdom_delete_user_home_content_symlinks(systemd_tmpfiles_t)
++')
++
 +optional_policy(`
 +    auth_rw_login_records(systemd_tmpfiles_t)
 +')
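Review bot: These five `userdom_*_user_home_content*` calls give `systemd_tmpfiles_t` list and delete rights on the user home content type wherever it appears, not only under /tmp as the changelog entry describes. Type enforcement cannot scope the grant by path, so the block needs a comment recording the intent and the fact that the tmpfiles configuration is what keeps it away from real home directories. Something like `# user_home_t content moved into /tmp keeps its label; tmpfiles must be able to age it out` would do. It is also worth checking whether the list and delete access can be narrowed to a tmp-specific type instead.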
@@ -56030,7 +57475,7 @@ index db75976..392d1ee 100644
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 +HOME_DIR/\.debug(/.*)?	<<none>>
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..d514493 100644
+index 28b88de..359a84b 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -57566,7 +59011,32 @@ index 28b88de..d514493 100644
  ')
  
  ########################################
-@@ -1810,8 +2201,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1779,6 +2170,24 @@ interface(`userdom_delete_user_home_content_files',`
+ 
+ ########################################
+ ## <summary>
++##	Delete sock files in a user home subdirectory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_delete_user_home_content_sock_files',`
++	gen_require(`
++		type user_home_t;
++	')
++
++	allow $1 user_home_t:sock_file delete_file_perms;
++')
++
++########################################
++## <summary>
+ ##	Do not audit attempts to write user home files.
+ ## </summary>
+ ## <param name="domain">
+@@ -1810,8 +2219,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -57576,7 +59046,7 @@ index 28b88de..d514493 100644
  ')
  
  ########################################
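Review bot: `userdom_delete_user_home_content_sock_files` applies the regular-file permission set to the `sock_file` class in `allow $1 user_home_t:sock_file delete_file_perms;`. The class-specific set reads more clearly and stays correct if the two sets ever diverge: `allow $1 user_home_t:sock_file delete_sock_file_perms;`. The rule also grants nothing on the containing directory, so unlinking still depends on the caller having remove_name from another interface; if the sibling delete interfaces use a `delete_*_pattern` macro (not visible here), following them would keep this one consistent.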
-@@ -1827,21 +2217,15 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,20 +2235,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -57590,19 +59060,18 @@ index 28b88de..d514493 100644
 -
 -	tunable_policy(`use_nfs_home_dirs',`
 -		fs_exec_nfs_files($1)
+-	')
+-
+-	tunable_policy(`use_samba_home_dirs',`
+-		fs_exec_cifs_files($1)
 +	exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
 +	dontaudit $1 user_home_type:sock_file execute;
  	')
- 
--	tunable_policy(`use_samba_home_dirs',`
--		fs_exec_cifs_files($1)
--	')
 -')
--
+ 
  ########################################
  ## <summary>
- ##	Do not audit attempts to execute user home files.
-@@ -2182,7 +2566,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2584,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -57611,7 +59080,7 @@ index 28b88de..d514493 100644
  ')
  
  ########################################
-@@ -2435,13 +2819,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +2837,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -57627,7 +59096,7 @@ index 28b88de..d514493 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2462,26 +2847,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +2865,6 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -57654,7 +59123,7 @@ index 28b88de..d514493 100644
  ##	Get the attributes of a user domain tty.
  ## </summary>
  ## <param name="domain">
-@@ -2572,6 +2937,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2572,6 +2955,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -57679,7 +59148,7 @@ index 28b88de..d514493 100644
  ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
-@@ -2590,22 +2973,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2590,22 +2991,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -57722,7 +59191,7 @@ index 28b88de..d514493 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2614,14 +3009,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2614,14 +3027,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -57760,7 +59229,7 @@ index 28b88de..d514493 100644
  ')
  
  ########################################
-@@ -2815,7 +3229,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2815,7 +3247,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -57769,7 +59238,7 @@ index 28b88de..d514493 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2831,11 +3245,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2831,11 +3263,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -57785,7 +59254,7 @@ index 28b88de..d514493 100644
  ')
  
  ########################################
-@@ -2917,7 +3333,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2917,7 +3351,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -57794,7 +59263,7 @@ index 28b88de..d514493 100644
  ')
  
  ########################################
-@@ -2972,7 +3388,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2972,7 +3406,45 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -57841,7 +59310,7 @@ index 28b88de..d514493 100644
  ')
  
  ########################################
-@@ -3009,6 +3463,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3009,6 +3481,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -57849,7 +59318,7 @@ index 28b88de..d514493 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3087,6 +3542,24 @@ interface(`userdom_signal_all_users',`
+@@ -3087,6 +3560,24 @@ interface(`userdom_signal_all_users',`
  
  ########################################
  ## <summary>
@@ -57874,7 +59343,7 @@ index 28b88de..d514493 100644
  ##	Send a SIGCHLD signal to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3139,3 +3612,1058 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3139,3 +3630,1058 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -59045,10 +60514,10 @@ index df29ca1..2a5c03d 100644
 +# Nautilus causes this avc
 +dontaudit unpriv_userdomain self:dir setattr;
 diff --git a/policy/modules/system/xen.fc b/policy/modules/system/xen.fc
-index a865da7..2e7f2b0 100644
+index a865da7..0818ff0 100644
 --- a/policy/modules/system/xen.fc
 +++ b/policy/modules/system/xen.fc
-@@ -1,7 +1,5 @@
+@@ -1,12 +1,10 @@
  /dev/xen/tapctrl.*	-p	gen_context(system_u:object_r:xenctl_t,s0)
  
 -/usr/bin/virsh		--	gen_context(system_u:object_r:xm_exec_t,s0)
@@ -59056,6 +60525,12 @@ index a865da7..2e7f2b0 100644
  /usr/sbin/blktapctrl	--	gen_context(system_u:object_r:blktap_exec_t,s0)
  /usr/sbin/evtchnd	--	gen_context(system_u:object_r:evtchnd_exec_t,s0)
  /usr/sbin/tapdisk	--	gen_context(system_u:object_r:blktap_exec_t,s0)
+ 
+-/usr/lib(64)?/xen/bin/qemu-dm	-- gen_context(system_u:object_r:qemu_dm_exec_t,s0)
++/usr/lib/xen/bin/qemu-dm	-- gen_context(system_u:object_r:qemu_dm_exec_t,s0)
+ 
+ ifdef(`distro_debian',`
+ /usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
 diff --git a/policy/modules/system/xen.if b/policy/modules/system/xen.if
 index 77d41b6..4aa96c6 100644
 --- a/policy/modules/system/xen.if
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 7afe7c5..20e6ab4 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.16
-Release: 13%{?dist}
+Release: 14%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -472,6 +472,21 @@ exit 0
 %endif
 
 %changelog
+* Mon Apr 11 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-14
+- Add Dan's patch to remove 64 bit variants
+- Allow colord to use unix_dgram_socket 
+- Allow apps that search pids to read /var/run if it is a lnk_file 
+- iscsid_t creates its own directory 
+- Allow init to list var_lock_t dir 
+- apm needs to verify user accounts auth_use_nsswitch
+- Add labeling for systemd unit files
+- Allow gnomeclok to enable ntpd service using systemctl - systemd_systemctl_t domain was added
+- Add label for matahari-broker.pid file
+- We want to remove untrustedmcsprocess from ability to read /proc/pid
+- Fixes for matahari policy
+- Allow system_tmpfiles_t to delete user_home_t files in the /tmp dir
+- Allow sshd to transition to sysadm_t if ssh_sysadm_login is turned on
+
 * Tue Apr 5 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-13
 - Fix typo