diff --git a/policy-rawhide.patch b/policy-rawhide.patch
index b43bd59..38ea852 100644
--- a/policy-rawhide.patch
+++ b/policy-rawhide.patch
@@ -58144,10 +58144,18 @@ index 3a45f23..f4754f0 100644
# fork
# setexec
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
-index f462e95..e8f76cb 100644
+index f462e95..20fb556 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
-@@ -393,6 +393,10 @@ class system
+@@ -329,6 +329,7 @@ class process
+ execheap
+ setkeycreate
+ setsockcreate
++ ptrace_child
+ }
+
+
+@@ -393,6 +394,10 @@ class system
syslog_mod
syslog_console
module_request
@@ -58158,7 +58166,7 @@ index f462e95..e8f76cb 100644
}
#
-@@ -445,6 +449,8 @@ class capability2
+@@ -445,6 +450,8 @@ class capability2
mac_override # unused by SELinux
mac_admin # unused by SELinux
syslog
@@ -58167,7 +58175,7 @@ index f462e95..e8f76cb 100644
}
#
-@@ -860,3 +866,20 @@ inherits database
+@@ -860,3 +867,20 @@ inherits database
implement
execute
}
@@ -73296,7 +73304,7 @@ index b17e27a..d193a52 100644
+ ssh_rw_dgram_sockets(chroot_user_t)
+')
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index fc86b7c..7da0fde 100644
+index fc86b7c..f393f76 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,35 @@
@@ -73354,7 +73362,7 @@ index fc86b7c..7da0fde 100644
/etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/X11/wdm(/.*)? gen_context(system_u:object_r:xdm_rw_etc_t,s0)
-@@ -46,23 +75,24 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+@@ -46,23 +75,25 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
# /tmp
#
@@ -73376,6 +73384,7 @@ index fc86b7c..7da0fde 100644
/usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/(s)?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
-/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/(s)?bin/lightdm* -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/(s)?bin/[mxgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
@@ -73385,21 +73394,24 @@ index fc86b7c..7da0fde 100644
/usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
/usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
-@@ -90,24 +120,43 @@ ifndef(`distro_debian',`
+@@ -90,24 +121,47 @@ ifndef(`distro_debian',`
/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
/var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
-/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
++/var/lib/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/lib/[mxkwg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
+/var/lib/xorg(/.*)? gen_context(system_u:object_r:xserver_var_lib_t,s0)
+
++/var/cache/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/cache/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
-/var/log/[kwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
-/var/log/lxdm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
-/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/[mkwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
++/var/log/lightdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/[mg]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/slim\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
@@ -73412,6 +73424,7 @@ index fc86b7c..7da0fde 100644
+/var/run/[kgm]dm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
diff --git a/policy_contrib-rawhide.patch b/policy_contrib-rawhide.patch
index d1693f6..5a8340e 100644
--- a/policy_contrib-rawhide.patch
+++ b/policy_contrib-rawhide.patch
@@ -1,8 +1,8 @@
diff --git a/abrt.fc b/abrt.fc
-index 1bd5812..196cfc9 100644
+index 1bd5812..b5fe639 100644
--- a/abrt.fc
+++ b/abrt.fc
-@@ -1,13 +1,16 @@
+@@ -1,12 +1,16 @@
/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
@@ -16,13 +16,13 @@ index 1bd5812..196cfc9 100644
+/usr/bin/abrt-watch-log -- gen_context(system_u:object_r:abrt_watch_log_exec_t,s0)
/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
-
-+/usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
++/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
+
++/usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
+
/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-
-@@ -15,6 +18,19 @@
+@@ -15,6 +19,19 @@
/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
@@ -316,7 +316,7 @@ index 0b827c5..ac79ca6 100644
+ dontaudit $1 abrt_t:sock_file write;
')
diff --git a/abrt.te b/abrt.te
-index 30861ec..cb6f88a 100644
+index 30861ec..410772e 100644
--- a/abrt.te
+++ b/abrt.te
@@ -5,13 +5,34 @@ policy_module(abrt, 1.2.0)
@@ -587,7 +587,7 @@ index 30861ec..cb6f88a 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +327,146 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +327,145 @@ ifdef(`hide_broken_symptoms', `
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -729,7 +729,6 @@ index 30861ec..cb6f88a 100644
+
+kernel_read_system_state(abrt_domain)
+
-+files_read_etc_files(abrt_domain)
+
+logging_send_syslog_msg(abrt_domain)
+
@@ -936,10 +935,16 @@ index e66c296..993a1e9 100644
+ dontaudit $1 acct_data_t:dir list_dir_perms;
+')
diff --git a/acct.te b/acct.te
-index 63ef90e..1627428 100644
+index 63ef90e..622d6d3 100644
--- a/acct.te
+++ b/acct.te
-@@ -55,6 +55,8 @@ files_list_usr(acct_t)
+@@ -49,12 +49,13 @@ corecmd_exec_shell(acct_t)
+
+ domain_use_interactive_fds(acct_t)
+
+-files_read_etc_files(acct_t)
+ files_read_etc_runtime_files(acct_t)
+ files_list_usr(acct_t)
# for nscd
files_dontaudit_search_pids(acct_t)
@@ -1395,7 +1400,7 @@ index 1392679..25e02df 100644
+ ps_process_pattern($1, alsa_t)
+')
diff --git a/alsa.te b/alsa.te
-index dc1b088..b688045 100644
+index dc1b088..d1f2a62 100644
--- a/alsa.te
+++ b/alsa.te
@@ -22,6 +22,9 @@ files_type(alsa_var_lib_t)
@@ -1408,8 +1413,16 @@ index dc1b088..b688045 100644
########################################
#
# Local policy
+@@ -59,7 +62,6 @@ dev_read_sysfs(alsa_t)
+
+ corecmd_exec_bin(alsa_t)
+
+-files_read_etc_files(alsa_t)
+ files_read_usr_files(alsa_t)
+
+ term_dontaudit_use_console(alsa_t)
diff --git a/amanda.te b/amanda.te
-index bec220e..ae601d8 100644
+index bec220e..1d26add 100644
--- a/amanda.te
+++ b/amanda.te
@@ -58,7 +58,7 @@ optional_policy(`
@@ -1429,7 +1442,23 @@ index bec220e..ae601d8 100644
filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
allow amanda_t amanda_dumpdates_t:file rw_file_perms;
-@@ -207,5 +208,10 @@ logging_search_logs(amanda_recover_t)
+@@ -120,7 +121,6 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t)
+ dev_getattr_all_blk_files(amanda_t)
+ dev_getattr_all_chr_files(amanda_t)
+
+-files_read_etc_files(amanda_t)
+ files_read_etc_runtime_files(amanda_t)
+ files_list_all(amanda_t)
+ files_read_all_files(amanda_t)
+@@ -193,7 +193,6 @@ corenet_sendrecv_amanda_client_packets(amanda_recover_t)
+
+ domain_use_interactive_fds(amanda_recover_t)
+
+-files_read_etc_files(amanda_recover_t)
+ files_read_etc_runtime_files(amanda_recover_t)
+ files_search_tmp(amanda_recover_t)
+ files_search_pids(amanda_recover_t)
+@@ -207,5 +206,10 @@ logging_search_logs(amanda_recover_t)
miscfiles_read_localization(amanda_recover_t)
@@ -1461,7 +1490,7 @@ index e31d92a..e515cb8 100644
domain_system_change_exemption($1)
role_transition $2 amavis_initrc_exec_t system_r;
diff --git a/amavis.te b/amavis.te
-index 5a9b451..b310d7a 100644
+index 5a9b451..5f1d427 100644
--- a/amavis.te
+++ b/amavis.te
@@ -38,7 +38,7 @@ type amavis_quarantine_t;
@@ -1473,7 +1502,7 @@ index 5a9b451..b310d7a 100644
########################################
#
-@@ -128,6 +128,7 @@ corenet_tcp_connect_razor_port(amavis_t)
+@@ -128,15 +128,16 @@ corenet_tcp_connect_razor_port(amavis_t)
dev_read_rand(amavis_t)
dev_read_urand(amavis_t)
@@ -1481,7 +1510,9 @@ index 5a9b451..b310d7a 100644
domain_use_interactive_fds(amavis_t)
-@@ -137,6 +138,7 @@ files_read_usr_files(amavis_t)
+-files_read_etc_files(amavis_t)
+ files_read_etc_runtime_files(amavis_t)
+ files_read_usr_files(amavis_t)
fs_getattr_xattr_fs(amavis_t)
@@ -1489,7 +1520,7 @@ index 5a9b451..b310d7a 100644
auth_dontaudit_read_shadow(amavis_t)
# uses uptime which reads utmp - redhat bug 561383
-@@ -153,24 +155,28 @@ sysnet_use_ldap(amavis_t)
+@@ -153,24 +154,28 @@ sysnet_use_ldap(amavis_t)
userdom_dontaudit_search_user_home_dirs(amavis_t)
@@ -2467,7 +2498,7 @@ index 6480167..d30bdbf 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index a36a01d..bde887f 100644
+index a36a01d..6a85ab0 100644
--- a/apache.te
+++ b/apache.te
@@ -18,6 +18,8 @@ policy_module(apache, 2.3.2)
@@ -2855,7 +2886,7 @@ index a36a01d..bde887f 100644
# execute perl
corecmd_exec_bin(httpd_t)
corecmd_exec_shell(httpd_t)
-@@ -398,6 +575,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
+@@ -398,59 +575,112 @@ files_dontaudit_getattr_all_pids(httpd_t)
files_read_usr_files(httpd_t)
files_list_mnt(httpd_t)
files_search_spool(httpd_t)
@@ -2863,7 +2894,11 @@ index a36a01d..bde887f 100644
files_read_var_lib_files(httpd_t)
files_search_home(httpd_t)
files_getattr_home_dir(httpd_t)
-@@ -409,48 +587,101 @@ files_read_etc_files(httpd_t)
+ # for modules that want to access /etc/mtab
+ files_read_etc_runtime_files(httpd_t)
+ # Allow httpd_t to have access to files such as nisswitch.conf
+-files_read_etc_files(httpd_t)
+ # for tomcat
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -2969,7 +3004,7 @@ index a36a01d..bde887f 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -461,27 +692,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -461,27 +691,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@@ -3033,7 +3068,7 @@ index a36a01d..bde887f 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
-@@ -491,7 +756,22 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -491,7 +755,22 @@ tunable_policy(`httpd_can_sendmail',`
# allow httpd to connect to mail servers
corenet_tcp_connect_smtp_port(httpd_t)
corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -3056,7 +3091,7 @@ index a36a01d..bde887f 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -511,9 +791,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -511,9 +790,19 @@ tunable_policy(`httpd_ssi_exec',`
# to run correctly without this permission, so the permission
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
@@ -3077,7 +3112,7 @@ index a36a01d..bde887f 100644
')
optional_policy(`
-@@ -525,6 +815,9 @@ optional_policy(`
+@@ -525,6 +814,9 @@ optional_policy(`
')
optional_policy(`
@@ -3087,7 +3122,7 @@ index a36a01d..bde887f 100644
cobbler_search_lib(httpd_t)
')
-@@ -540,6 +833,24 @@ optional_policy(`
+@@ -540,6 +832,24 @@ optional_policy(`
daemontools_service_domain(httpd_t, httpd_exec_t)
')
@@ -3112,7 +3147,7 @@ index a36a01d..bde887f 100644
optional_policy(`
dbus_system_bus_client(httpd_t)
-@@ -549,13 +860,24 @@ optional_policy(`
+@@ -549,13 +859,24 @@ optional_policy(`
')
optional_policy(`
@@ -3138,7 +3173,7 @@ index a36a01d..bde887f 100644
')
optional_policy(`
-@@ -568,7 +890,21 @@ optional_policy(`
+@@ -568,7 +889,21 @@ optional_policy(`
')
optional_policy(`
@@ -3160,7 +3195,7 @@ index a36a01d..bde887f 100644
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-@@ -579,6 +915,7 @@ optional_policy(`
+@@ -579,6 +914,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -3168,7 +3203,7 @@ index a36a01d..bde887f 100644
')
optional_policy(`
-@@ -589,6 +926,33 @@ optional_policy(`
+@@ -589,6 +925,33 @@ optional_policy(`
')
optional_policy(`
@@ -3202,7 +3237,7 @@ index a36a01d..bde887f 100644
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
-@@ -603,6 +967,11 @@ optional_policy(`
+@@ -603,6 +966,11 @@ optional_policy(`
')
optional_policy(`
@@ -3214,7 +3249,7 @@ index a36a01d..bde887f 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -615,6 +984,12 @@ optional_policy(`
+@@ -615,6 +983,12 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -3227,7 +3262,7 @@ index a36a01d..bde887f 100644
########################################
#
# Apache helper local policy
-@@ -628,7 +1003,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -628,7 +1002,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t)
@@ -3240,7 +3275,7 @@ index a36a01d..bde887f 100644
########################################
#
-@@ -666,28 +1045,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -666,28 +1044,30 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -3284,7 +3319,7 @@ index a36a01d..bde887f 100644
')
########################################
-@@ -697,6 +1078,7 @@ optional_policy(`
+@@ -697,6 +1077,7 @@ optional_policy(`
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
@@ -3292,7 +3327,7 @@ index a36a01d..bde887f 100644
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -711,14 +1093,23 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -711,19 +1092,27 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -3316,7 +3351,12 @@ index a36a01d..bde887f 100644
# for shell scripts
corecmd_exec_bin(httpd_suexec_t)
corecmd_exec_shell(httpd_suexec_t)
-@@ -752,13 +1143,31 @@ tunable_policy(`httpd_can_network_connect',`
+
+-files_read_etc_files(httpd_suexec_t)
+ files_read_usr_files(httpd_suexec_t)
+ files_dontaudit_search_pids(httpd_suexec_t)
+ files_search_home(httpd_suexec_t)
+@@ -752,13 +1141,31 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -3349,7 +3389,7 @@ index a36a01d..bde887f 100644
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
-@@ -781,6 +1190,25 @@ optional_policy(`
+@@ -781,6 +1188,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -3375,7 +3415,7 @@ index a36a01d..bde887f 100644
########################################
#
# Apache system script local policy
-@@ -801,12 +1229,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -801,12 +1227,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
kernel_read_kernel_sysctls(httpd_sys_script_t)
@@ -3393,7 +3433,7 @@ index a36a01d..bde887f 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -815,18 +1248,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -815,18 +1246,50 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@@ -3450,7 +3490,7 @@ index a36a01d..bde887f 100644
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -834,14 +1299,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -834,14 +1297,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
@@ -3491,7 +3531,7 @@ index a36a01d..bde887f 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -854,10 +1344,20 @@ optional_policy(`
+@@ -854,10 +1342,20 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -3512,7 +3552,15 @@ index a36a01d..bde887f 100644
')
########################################
-@@ -903,11 +1403,146 @@ optional_policy(`
+@@ -873,7 +1371,6 @@ kernel_read_kernel_sysctls(httpd_rotatelogs_t)
+ kernel_dontaudit_list_proc(httpd_rotatelogs_t)
+ kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
+
+-files_read_etc_files(httpd_rotatelogs_t)
+
+ logging_search_logs(httpd_rotatelogs_t)
+
+@@ -903,11 +1400,144 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -3556,7 +3604,6 @@ index a36a01d..bde887f 100644
+
+domain_use_interactive_fds(httpd_passwd_t)
+
-+files_read_etc_files(httpd_passwd_t)
+
+auth_use_nsswitch(httpd_passwd_t)
+
@@ -3593,7 +3640,6 @@ index a36a01d..bde887f 100644
+application_exec_all(httpd_script_type)
+
+files_exec_etc_files(httpd_script_type)
-+files_read_etc_files(httpd_script_type)
+files_search_home(httpd_script_type)
+
+libs_exec_ld_so(httpd_script_type)
@@ -4066,7 +4112,7 @@ index c804110..06a516f 100644
+ allow $1 arpwatch_unit_file_t:service all_service_perms;
')
diff --git a/arpwatch.te b/arpwatch.te
-index 804135f..0f7ec8d 100644
+index 804135f..d94d72e 100644
--- a/arpwatch.te
+++ b/arpwatch.te
@@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t)
@@ -4098,6 +4144,14 @@ index 804135f..0f7ec8d 100644
kernel_read_proc_symlinks(arpwatch_t)
kernel_request_load_module(arpwatch_t)
+@@ -74,7 +79,6 @@ corecmd_read_bin_symlinks(arpwatch_t)
+
+ domain_use_interactive_fds(arpwatch_t)
+
+-files_read_etc_files(arpwatch_t)
+ files_read_usr_files(arpwatch_t)
+ files_search_var_lib(arpwatch_t)
+
diff --git a/asterisk.if b/asterisk.if
index b6168fd..313c6e4 100644
--- a/asterisk.if
@@ -4118,7 +4172,7 @@ index b6168fd..313c6e4 100644
domain_system_change_exemption($1)
role_transition $2 asterisk_initrc_exec_t system_r;
diff --git a/asterisk.te b/asterisk.te
-index 3b4613b..8ba2e55 100644
+index 3b4613b..3bd044f 100644
--- a/asterisk.te
+++ b/asterisk.te
@@ -20,10 +20,11 @@ type asterisk_log_t;
@@ -4174,7 +4228,12 @@ index 3b4613b..8ba2e55 100644
dev_rw_generic_usb_dev(asterisk_t)
dev_read_sysfs(asterisk_t)
-@@ -127,6 +134,7 @@ files_search_spool(asterisk_t)
+@@ -122,11 +129,11 @@ dev_read_urand(asterisk_t)
+
+ domain_use_interactive_fds(asterisk_t)
+
+-files_read_etc_files(asterisk_t)
+ files_search_spool(asterisk_t)
# demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm
# are labeled usr_t
files_read_usr_files(asterisk_t)
@@ -4182,7 +4241,7 @@ index 3b4613b..8ba2e55 100644
fs_getattr_all_fs(asterisk_t)
fs_list_inotifyfs(asterisk_t)
-@@ -143,6 +151,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
+@@ -143,6 +150,10 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
userdom_dontaudit_search_user_home_dirs(asterisk_t)
optional_policy(`
@@ -4278,7 +4337,7 @@ index d80a16b..ef740ef 100644
+ allow $1 automount_unit_file_t:service all_service_perms;
')
diff --git a/automount.te b/automount.te
-index 39799db..48901a2 100644
+index 39799db..8c012e9 100644
--- a/automount.te
+++ b/automount.te
@@ -22,6 +22,9 @@ type automount_tmp_t;
@@ -4299,7 +4358,15 @@ index 39799db..48901a2 100644
files_search_boot(automount_t)
# Automount is slowly adding all mount functionality internally
files_search_all(automount_t)
-@@ -143,10 +147,6 @@ logging_search_logs(automount_t)
+@@ -113,7 +117,6 @@ files_dontaudit_write_var_dirs(automount_t)
+ files_getattr_all_dirs(automount_t)
+ files_list_mnt(automount_t)
+ files_getattr_home_dir(automount_t)
+-files_read_etc_files(automount_t)
+ files_read_etc_runtime_files(automount_t)
+ # for if the mount point is not labelled
+ files_getattr_isid_type_dirs(automount_t)
+@@ -143,10 +146,6 @@ logging_search_logs(automount_t)
miscfiles_read_localization(automount_t)
miscfiles_read_generic_certs(automount_t)
@@ -4310,7 +4377,7 @@ index 39799db..48901a2 100644
userdom_dontaudit_use_unpriv_user_fds(automount_t)
userdom_dontaudit_search_user_home_dirs(automount_t)
-@@ -155,6 +155,13 @@ optional_policy(`
+@@ -155,6 +154,13 @@ optional_policy(`
')
optional_policy(`
@@ -4398,7 +4465,7 @@ index 61c74bc..17b3ecc 100644
+ allow $1 avahi_unit_file_t:service all_service_perms;
')
diff --git a/avahi.te b/avahi.te
-index a7a0e71..3b01eed 100644
+index a7a0e71..a70fe55 100644
--- a/avahi.te
+++ b/avahi.te
@@ -17,6 +17,10 @@ files_pid_file(avahi_var_lib_t)
@@ -4420,7 +4487,15 @@ index a7a0e71..3b01eed 100644
corecmd_exec_bin(avahi_t)
corecmd_exec_shell(avahi_t)
-@@ -104,6 +109,10 @@ optional_policy(`
+@@ -74,7 +79,6 @@ fs_list_inotifyfs(avahi_t)
+
+ domain_use_interactive_fds(avahi_t)
+
+-files_read_etc_files(avahi_t)
+ files_read_etc_runtime_files(avahi_t)
+ files_read_usr_files(avahi_t)
+
+@@ -104,6 +108,10 @@ optional_policy(`
')
optional_policy(`
@@ -4682,10 +4757,10 @@ index 0000000..5ff58fd
+')
diff --git a/bcfg2.te b/bcfg2.te
new file mode 100644
-index 0000000..7c301dc
+index 0000000..e18dc4f
--- /dev/null
+++ b/bcfg2.te
-@@ -0,0 +1,55 @@
+@@ -0,0 +1,54 @@
+policy_module(bcfg2, 1.0.0)
+
+########################################
@@ -4733,7 +4808,6 @@ index 0000000..7c301dc
+
+domain_use_interactive_fds(bcfg2_t)
+
-+files_read_etc_files(bcfg2_t)
+files_read_usr_files(bcfg2_t)
+
+auth_use_nsswitch(bcfg2_t)
@@ -4921,7 +4995,7 @@ index 44a1e3d..9b50c13 100644
+ allow $1 named_unit_file_t:service all_service_perms;
')
diff --git a/bind.te b/bind.te
-index 4deca04..04d55e9 100644
+index 4deca04..6137526 100644
--- a/bind.te
+++ b/bind.te
@@ -6,6 +6,13 @@ policy_module(bind, 1.11.0)
@@ -4977,7 +5051,15 @@ index 4deca04..04d55e9 100644
# read zone files
allow named_t named_zone_t:dir list_dir_perms;
-@@ -147,6 +159,10 @@ miscfiles_read_generic_certs(named_t)
+@@ -131,7 +143,6 @@ dev_read_urand(named_t)
+
+ domain_use_interactive_fds(named_t)
+
+-files_read_etc_files(named_t)
+ files_read_etc_runtime_files(named_t)
+
+ fs_getattr_all_fs(named_t)
+@@ -147,6 +158,10 @@ miscfiles_read_generic_certs(named_t)
userdom_dontaudit_use_unpriv_user_fds(named_t)
userdom_dontaudit_search_user_home_dirs(named_t)
@@ -4988,7 +5070,7 @@ index 4deca04..04d55e9 100644
tunable_policy(`named_write_master_zones',`
manage_dirs_pattern(named_t, named_zone_t, named_zone_t)
manage_files_pattern(named_t, named_zone_t, named_zone_t)
-@@ -154,6 +170,12 @@ tunable_policy(`named_write_master_zones',`
+@@ -154,6 +169,12 @@ tunable_policy(`named_write_master_zones',`
')
optional_policy(`
@@ -5001,7 +5083,7 @@ index 4deca04..04d55e9 100644
init_dbus_chat_script(named_t)
sysnet_dbus_chat_dhcpc(named_t)
-@@ -206,10 +228,11 @@ allow ndc_t dnssec_t:lnk_file { getattr read };
+@@ -206,10 +227,11 @@ allow ndc_t dnssec_t:lnk_file { getattr read };
stream_connect_pattern(ndc_t, named_var_run_t, named_var_run_t, named_t)
allow ndc_t named_conf_t:file read_file_perms;
@@ -5014,7 +5096,12 @@ index 4deca04..04d55e9 100644
kernel_read_kernel_sysctls(ndc_t)
corenet_all_recvfrom_unlabeled(ndc_t)
-@@ -228,6 +251,8 @@ files_search_pids(ndc_t)
+@@ -223,11 +245,12 @@ corenet_sendrecv_rndc_client_packets(ndc_t)
+
+ domain_use_interactive_fds(ndc_t)
+
+-files_read_etc_files(ndc_t)
+ files_search_pids(ndc_t)
fs_getattr_xattr_fs(ndc_t)
@@ -5023,7 +5110,7 @@ index 4deca04..04d55e9 100644
init_use_fds(ndc_t)
init_use_script_ptys(ndc_t)
-@@ -235,16 +260,16 @@ logging_send_syslog_msg(ndc_t)
+@@ -235,16 +258,16 @@ logging_send_syslog_msg(ndc_t)
miscfiles_read_localization(ndc_t)
@@ -5081,7 +5168,7 @@ index de0bd67..1df2048 100644
domain_system_change_exemption($1)
role_transition $2 bitlbee_initrc_exec_t system_r;
diff --git a/bitlbee.te b/bitlbee.te
-index f4e7ad3..c323651 100644
+index f4e7ad3..df0296d 100644
--- a/bitlbee.te
+++ b/bitlbee.te
@@ -22,29 +22,47 @@ files_tmp_file(bitlbee_tmp_t)
@@ -5146,7 +5233,7 @@ index f4e7ad3..c323651 100644
# Allow bitlbee to connect to jabber servers
corenet_tcp_connect_jabber_client_port(bitlbee_t)
corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
-@@ -69,6 +90,11 @@ corenet_tcp_connect_http_port(bitlbee_t)
+@@ -69,11 +90,15 @@ corenet_tcp_connect_http_port(bitlbee_t)
corenet_tcp_sendrecv_http_port(bitlbee_t)
corenet_tcp_connect_http_cache_port(bitlbee_t)
corenet_tcp_sendrecv_http_cache_port(bitlbee_t)
@@ -5158,6 +5245,11 @@ index f4e7ad3..c323651 100644
dev_read_rand(bitlbee_t)
dev_read_urand(bitlbee_t)
+
+-files_read_etc_files(bitlbee_t)
+ files_search_pids(bitlbee_t)
+ # grant read-only access to the user help files
+ files_read_usr_files(bitlbee_t)
diff --git a/blueman.fc b/blueman.fc
new file mode 100644
index 0000000..98ba16a
@@ -5275,10 +5367,10 @@ index 0000000..a66b2ff
+')
diff --git a/blueman.te b/blueman.te
new file mode 100644
-index 0000000..6ed024b
+index 0000000..5000a2a
--- /dev/null
+++ b/blueman.te
-@@ -0,0 +1,56 @@
+@@ -0,0 +1,55 @@
+policy_module(blueman, 1.0.0)
+
+########################################
@@ -5314,7 +5406,6 @@ index 0000000..6ed024b
+
+domain_use_interactive_fds(blueman_t)
+
-+files_read_etc_files(blueman_t)
+files_read_usr_files(blueman_t)
+
+auth_use_nsswitch(blueman_t)
@@ -5488,7 +5579,7 @@ index 3e45431..540f783 100644
+ allow $1 bluetooth_unit_file_t:service all_service_perms;
')
diff --git a/bluetooth.te b/bluetooth.te
-index d3019b3..7e206e7 100644
+index d3019b3..59440d1 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -4,12 +4,13 @@ policy_module(bluetooth, 3.4.0)
@@ -5516,7 +5607,15 @@ index d3019b3..7e206e7 100644
########################################
#
# Bluetooth services local policy
-@@ -144,6 +148,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t)
+@@ -127,7 +131,6 @@ corecmd_exec_shell(bluetooth_t)
+ domain_use_interactive_fds(bluetooth_t)
+ domain_dontaudit_search_all_domains_state(bluetooth_t)
+
+-files_read_etc_files(bluetooth_t)
+ files_read_etc_runtime_files(bluetooth_t)
+ files_read_usr_files(bluetooth_t)
+
+@@ -144,6 +147,10 @@ userdom_dontaudit_use_user_terminals(bluetooth_t)
userdom_dontaudit_search_user_home_dirs(bluetooth_t)
optional_policy(`
@@ -5527,7 +5626,12 @@ index d3019b3..7e206e7 100644
dbus_system_bus_client(bluetooth_t)
dbus_connect_system_bus(bluetooth_t)
-@@ -217,6 +225,8 @@ files_read_etc_runtime_files(bluetooth_helper_t)
+@@ -212,11 +219,12 @@ corecmd_exec_shell(bluetooth_helper_t)
+
+ domain_read_all_domains_state(bluetooth_helper_t)
+
+-files_read_etc_files(bluetooth_helper_t)
+ files_read_etc_runtime_files(bluetooth_helper_t)
files_read_usr_files(bluetooth_helper_t)
files_dontaudit_list_default(bluetooth_helper_t)
@@ -5538,24 +5642,28 @@ index d3019b3..7e206e7 100644
logging_send_syslog_msg(bluetooth_helper_t)
diff --git a/boinc.fc b/boinc.fc
new file mode 100644
-index 0000000..c095160
+index 0000000..e59e51b
--- /dev/null
+++ b/boinc.fc
-@@ -0,0 +1,8 @@
+@@ -0,0 +1,12 @@
++
++/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
+
-+/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
++/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
+
-+/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
++/usr/lib/systemd/system/boinc-client\.service -- gen_context(system_u:object_r:boinc_unit_file_t,s0)
+
-+/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
++/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
+/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
-+/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
++/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
++
++/var/log/boinc\.log -- gen_context(system_u:object_r:boinc_log_t,s0)
diff --git a/boinc.if b/boinc.if
new file mode 100644
-index 0000000..9fe3f9e
+index 0000000..6d7e034
--- /dev/null
+++ b/boinc.if
-@@ -0,0 +1,154 @@
+@@ -0,0 +1,189 @@
+## policy for boinc
+
+########################################
@@ -5673,6 +5781,30 @@ index 0000000..9fe3f9e
+ manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
+')
+
++#######################################
++##
++## Execute boinc server in the boinc domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`boinc_systemctl',`
++ gen_require(`
++ type boinc_t;
++ type boinc_unit_file_t;
++ ')
++
++ systemd_exec_systemctl($1)
++ systemd_read_fifo_file_password_run($1)
++ allow $1 boinc_unit_file_t:file read_file_perms;
++ allow $1 boinc_unit_file_t:service manage_service_perms;
++
++ ps_process_pattern($1, boinc_t)
++')
++
+########################################
+##
+## All of the rules required to administrate
@@ -5693,6 +5825,7 @@ index 0000000..9fe3f9e
+interface(`boinc_admin',`
+ gen_require(`
+ type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t;
++ type boinc_unit_file_t;
+ ')
+
+ allow $1 boinc_t:process signal_perms;
@@ -5709,13 +5842,23 @@ index 0000000..9fe3f9e
+
+ files_list_var_lib($1)
+ admin_pattern($1, boinc_var_lib_t)
++
++ boinc_systemctl($1)
++ admin_pattern($1, boinc_unit_file_t)
++
++ allow $1 boinc_unit_file_t:service all_service_perms;
++
++ optional_policy(`
++ systemd_passwd_agent_exec($1)
++ systemd_read_fifo_file_passwd_run($1)
++ ')
+')
diff --git a/boinc.te b/boinc.te
new file mode 100644
-index 0000000..b1c752c
+index 0000000..20156f6
--- /dev/null
+++ b/boinc.te
-@@ -0,0 +1,190 @@
+@@ -0,0 +1,200 @@
+policy_module(boinc, 1.0.0)
+
+########################################
@@ -5741,6 +5884,12 @@ index 0000000..b1c752c
+type boinc_var_lib_t;
+files_type(boinc_var_lib_t)
+
++type boinc_log_t;
++logging_log_file(boinc_log_t)
++
++type boinc_unit_file_t;
++systemd_unit_file(boinc_unit_file_t)
++
+type boinc_project_t;
+domain_type(boinc_project_t)
+role system_r types boinc_project_t;
@@ -5761,6 +5910,7 @@ index 0000000..b1c752c
+
+manage_dirs_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
+manage_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
++manage_lnk_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
+
+# needs read /proc/interrupts
+kernel_read_system_state(boinc_domain)
@@ -5816,6 +5966,9 @@ index 0000000..b1c752c
+manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+
++manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
++logging_log_filetrans(boinc_t, boinc_log_t, { file })
++
+kernel_search_vm_sysctl(boinc_t)
+
+files_getattr_all_dirs(boinc_t)
@@ -6233,6 +6386,18 @@ index 0000000..e7d2a5b
+dev_search_sysfs(cachefiles_kernel_t)
+
+init_sigchld_script(cachefiles_kernel_t)
+diff --git a/calamaris.te b/calamaris.te
+index b13fb66..bef8664 100644
+--- a/calamaris.te
++++ b/calamaris.te
+@@ -51,7 +51,6 @@ corenet_udp_sendrecv_all_ports(calamaris_t)
+ dev_read_urand(calamaris_t)
+
+ files_search_pids(calamaris_t)
+-files_read_etc_files(calamaris_t)
+ files_read_usr_files(calamaris_t)
+ files_read_var_files(calamaris_t)
+ files_read_etc_runtime_files(calamaris_t)
diff --git a/callweaver.fc b/callweaver.fc
new file mode 100644
index 0000000..3e15c63
@@ -6620,10 +6785,10 @@ index 0000000..e07d3b8
+')
diff --git a/callweaver.te b/callweaver.te
new file mode 100644
-index 0000000..4cfc9f8
+index 0000000..4129562
--- /dev/null
+++ b/callweaver.te
-@@ -0,0 +1,77 @@
+@@ -0,0 +1,76 @@
+policy_module(callweaver,1.0.0)
+
+########################################
@@ -6692,7 +6857,6 @@ index 0000000..4cfc9f8
+
+domain_use_interactive_fds(callweaver_t)
+
-+files_read_etc_files(callweaver_t)
+
+term_getattr_pty_fs(callweaver_t)
+term_use_generic_ptys(callweaver_t)
@@ -6924,7 +7088,7 @@ index 7a6e5ba..7475aa5 100644
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/certmonger.te b/certmonger.te
-index c3e3f79..40ecdf0 100644
+index c3e3f79..0b4158f 100644
--- a/certmonger.te
+++ b/certmonger.te
@@ -18,12 +18,17 @@ files_pid_file(certmonger_var_run_t)
@@ -6946,7 +7110,7 @@ index c3e3f79..40ecdf0 100644
allow certmonger_t self:process { getsched setsched sigkill };
allow certmonger_t self:fifo_file rw_file_perms;
allow certmonger_t self:unix_stream_socket create_stream_socket_perms;
-@@ -38,10 +43,17 @@ manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
+@@ -38,19 +43,31 @@ manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
files_pid_filetrans(certmonger_t, certmonger_var_run_t, { file dir })
@@ -6961,10 +7125,13 @@ index c3e3f79..40ecdf0 100644
corenet_tcp_sendrecv_all_ports(certmonger_t)
corenet_tcp_connect_certmaster_port(certmonger_t)
+corenet_tcp_connect_http_port(certmonger_t)
++corenet_tcp_connect_pki_ca_port(certmonger_t)
dev_read_urand(certmonger_t)
-@@ -51,6 +63,11 @@ files_read_etc_files(certmonger_t)
+ domain_use_interactive_fds(certmonger_t)
+
+-files_read_etc_files(certmonger_t)
files_read_usr_files(certmonger_t)
files_list_tmp(certmonger_t)
@@ -7229,10 +7396,10 @@ index 0000000..2972c77
+')
diff --git a/cfengine.te b/cfengine.te
new file mode 100644
-index 0000000..0de6133
+index 0000000..4a07a67
--- /dev/null
+++ b/cfengine.te
-@@ -0,0 +1,101 @@
+@@ -0,0 +1,100 @@
+policy_module(cfengine, 1.0.0)
+
+########################################
@@ -7288,7 +7455,6 @@ index 0000000..0de6133
+sysnet_dns_name_resolve(cfengine_domain)
+sysnet_domtrans_ifconfig(cfengine_domain)
+
-+files_read_etc_files(cfengine_domain)
+
+########################################
+#
@@ -7384,7 +7550,7 @@ index 33facaf..1d39797 100644
admin_pattern($1, cgrules_etc_t)
files_list_etc($1)
diff --git a/cgroup.te b/cgroup.te
-index 806191a..f7ad195 100644
+index 806191a..c577c98 100644
--- a/cgroup.te
+++ b/cgroup.te
@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
@@ -7398,7 +7564,15 @@ index 806191a..f7ad195 100644
init_daemon_domain(cgconfig_t, cgconfig_exec_t)
type cgconfig_initrc_exec_t;
-@@ -72,12 +72,15 @@ fs_mount_cgroup(cgconfig_t)
+@@ -64,7 +64,6 @@ kernel_list_unlabeled(cgconfig_t)
+ kernel_read_system_state(cgconfig_t)
+
+ # /etc/nsswitch.conf, /etc/passwd
+-files_read_etc_files(cgconfig_t)
+
+ fs_manage_cgroup_dirs(cgconfig_t)
+ fs_manage_cgroup_files(cgconfig_t)
+@@ -72,12 +71,15 @@ fs_mount_cgroup(cgconfig_t)
fs_mounton_cgroup(cgconfig_t)
fs_unmount_cgroup(cgconfig_t)
@@ -7415,7 +7589,7 @@ index 806191a..f7ad195 100644
allow cgred_t self:netlink_socket { write bind create read };
allow cgred_t self:unix_dgram_socket { write create connect };
-@@ -86,6 +89,9 @@ logging_log_filetrans(cgred_t, cgred_log_t, file)
+@@ -86,6 +88,9 @@ logging_log_filetrans(cgred_t, cgred_log_t, file)
allow cgred_t cgrules_etc_t:file read_file_perms;
@@ -7425,7 +7599,11 @@ index 806191a..f7ad195 100644
# rc script creates pid file
manage_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
manage_sock_files_pattern(cgred_t, cgred_var_run_t, cgred_var_run_t)
-@@ -104,6 +110,8 @@ files_read_etc_files(cgred_t)
+@@ -100,10 +105,11 @@ files_getattr_all_files(cgred_t)
+ files_getattr_all_sockets(cgred_t)
+ files_read_all_symlinks(cgred_t)
+ # /etc/group
+-files_read_etc_files(cgred_t)
fs_write_cgroup_files(cgred_t)
@@ -8195,7 +8373,7 @@ index bbac14a..87840b4 100644
+
')
diff --git a/clamav.te b/clamav.te
-index 5b7a1d7..d9ae236 100644
+index 5b7a1d7..d5c0e45 100644
--- a/clamav.te
+++ b/clamav.te
@@ -1,9 +1,23 @@
@@ -8272,7 +8450,15 @@ index 5b7a1d7..d9ae236 100644
corenet_sendrecv_clamd_server_packets(clamd_t)
dev_read_rand(clamd_t)
-@@ -127,13 +149,6 @@ logging_send_syslog_msg(clamd_t)
+@@ -117,7 +139,6 @@ dev_read_urand(clamd_t)
+
+ domain_use_interactive_fds(clamd_t)
+
+-files_read_etc_files(clamd_t)
+ files_read_etc_runtime_files(clamd_t)
+ files_search_spool(clamd_t)
+
+@@ -127,13 +148,6 @@ logging_send_syslog_msg(clamd_t)
miscfiles_read_localization(clamd_t)
@@ -8286,7 +8472,7 @@ index 5b7a1d7..d9ae236 100644
optional_policy(`
amavis_read_lib_files(clamd_t)
amavis_read_spool_files(clamd_t)
-@@ -142,13 +157,31 @@ optional_policy(`
+@@ -142,13 +156,31 @@ optional_policy(`
')
optional_policy(`
@@ -8319,7 +8505,7 @@ index 5b7a1d7..d9ae236 100644
')
########################################
-@@ -178,10 +211,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
+@@ -178,10 +210,16 @@ files_pid_filetrans(freshclam_t, clamd_var_run_t, file)
# log files (own logfiles only)
manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t)
@@ -8338,7 +8524,7 @@ index 5b7a1d7..d9ae236 100644
corenet_all_recvfrom_unlabeled(freshclam_t)
corenet_all_recvfrom_netlabel(freshclam_t)
corenet_tcp_sendrecv_generic_if(freshclam_t)
-@@ -189,6 +228,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
+@@ -189,6 +227,7 @@ corenet_tcp_sendrecv_generic_node(freshclam_t)
corenet_tcp_sendrecv_all_ports(freshclam_t)
corenet_tcp_sendrecv_clamd_port(freshclam_t)
corenet_tcp_connect_http_port(freshclam_t)
@@ -8346,7 +8532,15 @@ index 5b7a1d7..d9ae236 100644
corenet_sendrecv_http_client_packets(freshclam_t)
dev_read_rand(freshclam_t)
-@@ -207,16 +247,22 @@ miscfiles_read_localization(freshclam_t)
+@@ -196,7 +235,6 @@ dev_read_urand(freshclam_t)
+
+ domain_use_interactive_fds(freshclam_t)
+
+-files_read_etc_files(freshclam_t)
+ files_read_etc_runtime_files(freshclam_t)
+
+ auth_use_nsswitch(freshclam_t)
+@@ -207,16 +245,22 @@ miscfiles_read_localization(freshclam_t)
clamav_stream_connect(freshclam_t)
@@ -8373,7 +8567,7 @@ index 5b7a1d7..d9ae236 100644
########################################
#
# clamscam local policy
-@@ -242,15 +288,33 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
+@@ -242,17 +286,34 @@ files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { file dir })
manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
@@ -8405,9 +8599,11 @@ index 5b7a1d7..d9ae236 100644
kernel_read_kernel_sysctls(clamscan_t)
+kernel_read_system_state(clamscan_t)
- files_read_etc_files(clamscan_t)
+-files_read_etc_files(clamscan_t)
files_read_etc_runtime_files(clamscan_t)
-@@ -264,10 +328,15 @@ miscfiles_read_public_files(clamscan_t)
+ files_search_var_lib(clamscan_t)
+
+@@ -264,10 +325,15 @@ miscfiles_read_public_files(clamscan_t)
clamav_stream_connect(clamscan_t)
@@ -8440,17 +8636,16 @@ index b40f3f7..3676ecc 100644
#
diff --git a/cloudform.fc b/cloudform.fc
new file mode 100644
-index 0000000..3fe384f
+index 0000000..7182054
--- /dev/null
+++ b/cloudform.fc
-@@ -0,0 +1,22 @@
+@@ -0,0 +1,19 @@
+/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
+
+/usr/bin/deltacloudd -- gen_context(system_u:object_r:deltacloudd_exec_t,s0)
+/usr/bin/iwhd -- gen_context(system_u:object_r:iwhd_exec_t,s0)
+/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
-+/usr/bin/thin -- gen_context(system_u:object_r:thin_exec_t,s0)
+
+/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0)
+
@@ -8460,11 +8655,9 @@ index 0000000..3fe384f
+/var/log/deltacloud-core(/.*)? gen_context(system_u:object_r:deltacloudd_log_t,s0)
+/var/log/iwhd\.log -- gen_context(system_u:object_r:iwhd_log_t,s0)
+/var/log/mongodb(/.*)? gen_context(system_u:object_r:mongod_log_t,s0)
-+/var/log/thin\.log -- gen_context(system_u:object_r:thin_log_t,s0)
+
+/var/run/mongodb(/.*)? gen_context(system_u:object_r:mongod_var_run_t,s0)
+/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0)
-+/var/run/aeolus/thin\.pid -- gen_context(system_u:object_r:thin_var_run_t,s0)
+/var/run/iwhd\.pid -- gen_context(system_u:object_r:iwhd_var_run_t,s0)
diff --git a/cloudform.if b/cloudform.if
new file mode 100644
@@ -8514,10 +8707,10 @@ index 0000000..7f55959
+')
diff --git a/cloudform.te b/cloudform.te
new file mode 100644
-index 0000000..787b40a
+index 0000000..579dff8
--- /dev/null
+++ b/cloudform.te
-@@ -0,0 +1,236 @@
+@@ -0,0 +1,192 @@
+policy_module(cloudform, 1.0)
+########################################
+#
@@ -8529,10 +8722,6 @@ index 0000000..787b40a
+cloudform_domain_template(deltacloudd)
+cloudform_domain_template(iwhd)
+cloudform_domain_template(mongod)
-+cloudform_domain_template(thin)
-+
-+type thin_log_t;
-+logging_log_file(thin_log_t)
+
+type deltacloudd_log_t;
+logging_log_file(deltacloudd_log_t)
@@ -8567,9 +8756,6 @@ index 0000000..787b40a
+type mongod_var_run_t;
+files_pid_file(mongod_var_run_t)
+
-+type thin_var_run_t;
-+files_pid_file(thin_var_run_t)
-+
+type iwhd_log_t;
+logging_log_file(iwhd_log_t)
+
@@ -8717,43 +8903,6 @@ index 0000000..787b40a
+ sysnet_dns_name_resolve(mongod_t)
+')
+
-+########################################
-+#
-+# thin local policy
-+#
-+
-+allow thin_t self:capability { setuid kill setgid dac_override };
-+
-+allow thin_t self:netlink_route_socket r_netlink_socket_perms;
-+allow thin_t self:udp_socket create_socket_perms;
-+allow thin_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_files_pattern(thin_t, thin_log_t, thin_log_t)
-+manage_dirs_pattern(thin_t, thin_log_t, thin_log_t)
-+logging_log_filetrans(thin_t, thin_log_t, { file dir })
-+
-+manage_files_pattern(thin_t, thin_var_run_t, thin_var_run_t)
-+files_pid_filetrans(thin_t, thin_var_run_t, { file })
-+
-+corecmd_exec_bin(thin_t)
-+
-+corenet_tcp_bind_generic_node(thin_t)
-+corenet_tcp_bind_ntop_port(thin_t)
-+corenet_tcp_connect_postgresql_port(thin_t)
-+corenet_tcp_connect_all_ports(iwhd_t)
-+
-+files_read_usr_files(thin_t)
-+
-+fs_search_auto_mountpoints(thin_t)
-+
-+init_read_utmp(thin_t)
-+
-+kernel_read_kernel_sysctls(thin_t)
-+
-+optional_policy(`
-+ sysnet_read_config(thin_t)
-+')
-+
diff --git a/cmirrord.if b/cmirrord.if
index f8463c0..126b293 100644
--- a/cmirrord.if
@@ -9649,7 +9798,7 @@ index 733e4e6..fa2c3cb 100644
+ ps_process_pattern($1, colord_t)
+')
diff --git a/colord.te b/colord.te
-index 74505cc..dbd4f7f 100644
+index 74505cc..2bafa23 100644
--- a/colord.te
+++ b/colord.te
@@ -8,6 +8,7 @@ policy_module(colord, 1.0.0)
@@ -9706,8 +9855,11 @@ index 74505cc..dbd4f7f 100644
dev_read_video_dev(colord_t)
dev_write_video_dev(colord_t)
dev_rw_printer(colord_t)
-@@ -65,19 +80,35 @@ files_list_mnt(colord_t)
- files_read_etc_files(colord_t)
+@@ -62,22 +77,37 @@ dev_rw_generic_usb_dev(colord_t)
+ domain_use_interactive_fds(colord_t)
+
+ files_list_mnt(colord_t)
+-files_read_etc_files(colord_t)
files_read_usr_files(colord_t)
+fs_search_all(colord_t)
@@ -9743,7 +9895,7 @@ index 74505cc..dbd4f7f 100644
fs_read_cifs_files(colord_t)
')
-@@ -89,6 +120,12 @@ optional_policy(`
+@@ -89,6 +119,12 @@ optional_policy(`
')
optional_policy(`
@@ -9756,7 +9908,7 @@ index 74505cc..dbd4f7f 100644
policykit_dbus_chat(colord_t)
policykit_domtrans_auth(colord_t)
policykit_read_lib(colord_t)
-@@ -96,5 +133,20 @@ optional_policy(`
+@@ -96,5 +132,20 @@ optional_policy(`
')
optional_policy(`
@@ -9777,6 +9929,18 @@ index 74505cc..dbd4f7f 100644
+optional_policy(`
+ zoneminder_rw_tmpfs_files(colord_t)
+')
+diff --git a/comsat.te b/comsat.te
+index 3d121fd..fbad020 100644
+--- a/comsat.te
++++ b/comsat.te
+@@ -51,7 +51,6 @@ dev_read_urand(comsat_t)
+
+ fs_getattr_xattr_fs(comsat_t)
+
+-files_read_etc_files(comsat_t)
+ files_list_usr(comsat_t)
+ files_search_spool(comsat_t)
+ files_search_home(comsat_t)
diff --git a/condor.fc b/condor.fc
new file mode 100644
index 0000000..b3a5b51
@@ -10139,10 +10303,10 @@ index 0000000..168f664
+')
diff --git a/condor.te b/condor.te
new file mode 100644
-index 0000000..1bba4b7
+index 0000000..206443e
--- /dev/null
+++ b/condor.te
-@@ -0,0 +1,232 @@
+@@ -0,0 +1,231 @@
+policy_module(condor, 1.0.0)
+
+########################################
@@ -10239,7 +10403,6 @@ index 0000000..1bba4b7
+dev_read_urand(condor_domain)
+dev_read_sysfs(condor_domain)
+
-+files_read_etc_files(condor_domain)
+
+logging_send_syslog_msg(condor_domain)
+
@@ -10508,7 +10671,7 @@ index fd15dfe..aac1e5d 100644
+ ps_process_pattern($1, consolekit_t)
+')
diff --git a/consolekit.te b/consolekit.te
-index 6f2896d..c202601 100644
+index 6f2896d..5a5a3bb 100644
--- a/consolekit.te
+++ b/consolekit.te
@@ -15,12 +15,19 @@ logging_log_file(consolekit_log_t)
@@ -10531,15 +10694,17 @@ index 6f2896d..c202601 100644
allow consolekit_t self:process { getsched signal };
allow consolekit_t self:fifo_file rw_fifo_file_perms;
allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
-@@ -43,7 +50,6 @@ dev_read_sysfs(consolekit_t)
+@@ -43,9 +50,7 @@ dev_read_sysfs(consolekit_t)
domain_read_all_domains_state(consolekit_t)
domain_use_interactive_fds(consolekit_t)
-domain_dontaudit_ptrace_all_domains(consolekit_t)
- files_read_etc_files(consolekit_t)
+-files_read_etc_files(consolekit_t)
files_read_usr_files(consolekit_t)
-@@ -69,15 +75,17 @@ logging_send_audit_msgs(consolekit_t)
+ # needs to read /var/lib/dbus/machine-id
+ files_read_var_lib_files(consolekit_t)
+@@ -69,15 +74,17 @@ logging_send_audit_msgs(consolekit_t)
miscfiles_read_localization(consolekit_t)
@@ -10562,7 +10727,7 @@ index 6f2896d..c202601 100644
')
optional_policy(`
-@@ -97,7 +105,7 @@ optional_policy(`
+@@ -97,7 +104,7 @@ optional_policy(`
')
optional_policy(`
@@ -10571,7 +10736,7 @@ index 6f2896d..c202601 100644
')
optional_policy(`
-@@ -108,9 +116,10 @@ optional_policy(`
+@@ -108,9 +115,10 @@ optional_policy(`
')
optional_policy(`
@@ -10584,7 +10749,7 @@ index 6f2896d..c202601 100644
xserver_read_xdm_pid(consolekit_t)
xserver_read_user_xauth(consolekit_t)
xserver_non_drawing_client(consolekit_t)
-@@ -126,6 +135,5 @@ optional_policy(`
+@@ -126,6 +134,5 @@ optional_policy(`
')
optional_policy(`
@@ -10619,7 +10784,7 @@ index 3a6d7eb..bb32bf0 100644
+/var/run/heartbeat(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0)
+/var/run/rsctmp(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0)
diff --git a/corosync.if b/corosync.if
-index 5220c9d..11e5dc4 100644
+index 5220c9d..25babd6 100644
--- a/corosync.if
+++ b/corosync.if
@@ -18,6 +18,25 @@ interface(`corosync_domtrans',`
@@ -10648,7 +10813,15 @@ index 5220c9d..11e5dc4 100644
#######################################
##
## Allow the specified domain to read corosync's log files.
-@@ -58,6 +77,29 @@ interface(`corosync_stream_connect',`
+@@ -52,12 +71,37 @@ interface(`corosync_read_log',`
+ interface(`corosync_stream_connect',`
+ gen_require(`
+ type corosync_t, corosync_var_run_t;
++ type corosync_var_lib_t;
+ ')
+
+ files_search_pids($1)
++ stream_connect_pattern($1, corosync_var_lib_t, corosync_var_lib_t, corosync_t)
stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t)
')
@@ -10678,7 +10851,7 @@ index 5220c9d..11e5dc4 100644
######################################
##
## All of the rules required to administrate
-@@ -80,11 +122,16 @@ interface(`corosyncd_admin',`
+@@ -80,11 +124,16 @@ interface(`corosyncd_admin',`
type corosync_t, corosync_var_lib_t, corosync_var_log_t;
type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t;
type corosync_initrc_exec_t;
@@ -10696,7 +10869,7 @@ index 5220c9d..11e5dc4 100644
init_labeled_script_domtrans($1, corosync_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 corosync_initrc_exec_t system_r;
-@@ -103,4 +150,8 @@ interface(`corosyncd_admin',`
+@@ -103,4 +152,8 @@ interface(`corosyncd_admin',`
files_list_pids($1)
admin_pattern($1, corosync_var_run_t)
@@ -10706,7 +10879,7 @@ index 5220c9d..11e5dc4 100644
+ allow $1 corosync_unit_file_t:service all_service_perms;
')
diff --git a/corosync.te b/corosync.te
-index 04969e5..a1944e6 100644
+index 04969e5..628bbf2 100644
--- a/corosync.te
+++ b/corosync.te
@@ -8,6 +8,7 @@ policy_module(corosync, 1.0.0)
@@ -10780,11 +10953,10 @@ index 04969e5..a1944e6 100644
corenet_udp_bind_netsupport_port(corosync_t)
-@@ -73,9 +89,12 @@ dev_read_urand(corosync_t)
+@@ -73,9 +89,11 @@ dev_read_urand(corosync_t)
domain_read_all_domains_state(corosync_t)
files_manage_mounttab(corosync_t)
-+files_read_etc_files(corosync_t)
+files_read_usr_files(corosync_t)
auth_use_nsswitch(corosync_t)
@@ -10793,7 +10965,7 @@ index 04969e5..a1944e6 100644
init_read_script_state(corosync_t)
init_rw_script_tmp_files(corosync_t)
-@@ -83,19 +102,49 @@ logging_send_syslog_msg(corosync_t)
+@@ -83,19 +101,49 @@ logging_send_syslog_msg(corosync_t)
miscfiles_read_localization(corosync_t)
@@ -11116,10 +11288,10 @@ index 0000000..3e17383
+')
diff --git a/couchdb.te b/couchdb.te
new file mode 100644
-index 0000000..4a80b5c
+index 0000000..7fa117a
--- /dev/null
+++ b/couchdb.te
-@@ -0,0 +1,85 @@
+@@ -0,0 +1,84 @@
+policy_module(couchdb, 1.0.0)
+
+########################################
@@ -11195,7 +11367,6 @@ index 0000000..4a80b5c
+
+domain_use_interactive_fds(couchdb_t)
+
-+files_read_etc_files(couchdb_t)
+files_read_usr_files(couchdb_t)
+
+fs_getattr_xattr_fs(couchdb_t)
@@ -11454,7 +11625,7 @@ index 3559a05..50c8036 100644
/var/log/prelink.log -- gen_context(system_u:object_r:cron_log_t,s0)
diff --git a/cron.if b/cron.if
-index 6e12dc7..bd94df7 100644
+index 6e12dc7..38dac8e 100644
--- a/cron.if
+++ b/cron.if
@@ -12,6 +12,11 @@
@@ -11497,7 +11668,7 @@ index 6e12dc7..bd94df7 100644
kernel_read_system_state($1_t)
-@@ -50,6 +59,8 @@ template(`cron_common_crontab_template',`
+@@ -50,20 +59,25 @@ template(`cron_common_crontab_template',`
selinux_dontaudit_search_fs($1_t)
fs_getattr_xattr_fs($1_t)
@@ -11506,7 +11677,8 @@ index 6e12dc7..bd94df7 100644
domain_use_interactive_fds($1_t)
-@@ -58,12 +69,16 @@ template(`cron_common_crontab_template',`
+- files_read_etc_files($1_t)
+ files_read_usr_files($1_t)
files_dontaudit_search_pids($1_t)
auth_domtrans_chk_passwd($1_t)
@@ -11523,7 +11695,7 @@ index 6e12dc7..bd94df7 100644
miscfiles_read_localization($1_t)
-@@ -72,9 +87,10 @@ template(`cron_common_crontab_template',`
+@@ -72,9 +86,10 @@ template(`cron_common_crontab_template',`
userdom_manage_user_tmp_dirs($1_t)
userdom_manage_user_tmp_files($1_t)
# Access terminals.
@@ -11535,7 +11707,7 @@ index 6e12dc7..bd94df7 100644
tunable_policy(`fcron_crond',`
# fcron wants an instant update of a crontab change for the administrator
-@@ -101,10 +117,12 @@ template(`cron_common_crontab_template',`
+@@ -101,10 +116,12 @@ template(`cron_common_crontab_template',`
## User domain for the role
##
##
@@ -11548,7 +11720,7 @@ index 6e12dc7..bd94df7 100644
')
role $1 types { cronjob_t crontab_t };
-@@ -115,9 +133,20 @@ interface(`cron_role',`
+@@ -115,9 +132,20 @@ interface(`cron_role',`
# Transition from the user domain to the derived domain.
domtrans_pattern($2, crontab_exec_t, crontab_t)
@@ -11570,7 +11742,7 @@ index 6e12dc7..bd94df7 100644
# Run helper programs as the user domain
#corecmd_bin_domtrans(crontab_t, $2)
-@@ -150,29 +179,21 @@ interface(`cron_role',`
+@@ -150,29 +178,21 @@ interface(`cron_role',`
## User domain for the role
##
##
@@ -11607,7 +11779,7 @@ index 6e12dc7..bd94df7 100644
optional_policy(`
gen_require(`
-@@ -180,9 +201,8 @@ interface(`cron_unconfined_role',`
+@@ -180,9 +200,8 @@ interface(`cron_unconfined_role',`
')
dbus_stub(unconfined_cronjob_t)
@@ -11618,7 +11790,7 @@ index 6e12dc7..bd94df7 100644
')
########################################
-@@ -199,6 +219,7 @@ interface(`cron_unconfined_role',`
+@@ -199,6 +218,7 @@ interface(`cron_unconfined_role',`
## User domain for the role
##
##
@@ -11626,7 +11798,7 @@ index 6e12dc7..bd94df7 100644
#
interface(`cron_admin_role',`
gen_require(`
-@@ -219,7 +240,10 @@ interface(`cron_admin_role',`
+@@ -219,7 +239,10 @@ interface(`cron_admin_role',`
# crontab shows up in user ps
ps_process_pattern($2, admin_crontab_t)
@@ -11638,7 +11810,7 @@ index 6e12dc7..bd94df7 100644
# Run helper programs as the user domain
#corecmd_bin_domtrans(admin_crontab_t, $2)
-@@ -263,6 +287,9 @@ interface(`cron_system_entry',`
+@@ -263,6 +286,9 @@ interface(`cron_system_entry',`
domtrans_pattern(crond_t, $2, $1)
role system_r types $1;
@@ -11648,7 +11820,7 @@ index 6e12dc7..bd94df7 100644
')
########################################
-@@ -303,7 +330,7 @@ interface(`cron_exec',`
+@@ -303,7 +329,7 @@ interface(`cron_exec',`
########################################
##
@@ -11657,7 +11829,7 @@ index 6e12dc7..bd94df7 100644
##
##
##
-@@ -321,6 +348,29 @@ interface(`cron_initrc_domtrans',`
+@@ -321,6 +347,29 @@ interface(`cron_initrc_domtrans',`
########################################
##
@@ -11687,7 +11859,7 @@ index 6e12dc7..bd94df7 100644
## Inherit and use a file descriptor
## from the cron daemon.
##
-@@ -358,6 +408,24 @@ interface(`cron_sigchld',`
+@@ -358,6 +407,24 @@ interface(`cron_sigchld',`
########################################
##
@@ -11712,7 +11884,7 @@ index 6e12dc7..bd94df7 100644
## Read a cron daemon unnamed pipe.
##
##
-@@ -376,6 +444,47 @@ interface(`cron_read_pipes',`
+@@ -376,6 +443,47 @@ interface(`cron_read_pipes',`
########################################
##
@@ -11760,7 +11932,7 @@ index 6e12dc7..bd94df7 100644
## Do not audit attempts to write cron daemon unnamed pipes.
##
##
-@@ -407,7 +516,43 @@ interface(`cron_rw_pipes',`
+@@ -407,7 +515,43 @@ interface(`cron_rw_pipes',`
type crond_t;
')
@@ -11805,7 +11977,7 @@ index 6e12dc7..bd94df7 100644
')
########################################
-@@ -467,6 +612,25 @@ interface(`cron_search_spool',`
+@@ -467,6 +611,25 @@ interface(`cron_search_spool',`
########################################
##
@@ -11831,7 +12003,7 @@ index 6e12dc7..bd94df7 100644
## Manage pid files used by cron
##
##
-@@ -480,6 +644,7 @@ interface(`cron_manage_pid_files',`
+@@ -480,6 +643,7 @@ interface(`cron_manage_pid_files',`
type crond_var_run_t;
')
@@ -11839,7 +12011,7 @@ index 6e12dc7..bd94df7 100644
manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
')
-@@ -535,7 +700,7 @@ interface(`cron_write_system_job_pipes',`
+@@ -535,7 +699,7 @@ interface(`cron_write_system_job_pipes',`
type system_cronjob_t;
')
@@ -11848,7 +12020,7 @@ index 6e12dc7..bd94df7 100644
')
########################################
-@@ -553,7 +718,7 @@ interface(`cron_rw_system_job_pipes',`
+@@ -553,7 +717,7 @@ interface(`cron_rw_system_job_pipes',`
type system_cronjob_t;
')
@@ -11857,7 +12029,7 @@ index 6e12dc7..bd94df7 100644
')
########################################
-@@ -586,11 +751,14 @@ interface(`cron_rw_system_job_stream_sockets',`
+@@ -586,11 +750,14 @@ interface(`cron_rw_system_job_stream_sockets',`
#
interface(`cron_read_system_job_tmp_files',`
gen_require(`
@@ -11873,7 +12045,7 @@ index 6e12dc7..bd94df7 100644
')
########################################
-@@ -626,7 +794,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
+@@ -626,7 +793,47 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
interface(`cron_dontaudit_write_system_job_tmp_files',`
gen_require(`
type system_cronjob_tmp_t;
@@ -11922,7 +12094,7 @@ index 6e12dc7..bd94df7 100644
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')
diff --git a/cron.te b/cron.te
-index b357856..de056ab 100644
+index b357856..3155d2a 100644
--- a/cron.te
+++ b/cron.te
@@ -1,4 +1,4 @@
@@ -12082,7 +12254,7 @@ index b357856..de056ab 100644
manage_files_pattern(crond_t, cron_log_t, cron_log_t)
logging_log_filetrans(crond_t, cron_log_t, file)
-@@ -187,12 +204,16 @@ fs_list_inotifyfs(crond_t)
+@@ -187,27 +204,47 @@ fs_list_inotifyfs(crond_t)
# need auth_chkpwd to check for locked accounts.
auth_domtrans_chk_passwd(crond_t)
@@ -12099,7 +12271,10 @@ index b357856..de056ab 100644
files_read_usr_files(crond_t)
files_read_etc_runtime_files(crond_t)
-@@ -203,11 +224,28 @@ files_list_usr(crond_t)
+-files_read_etc_files(crond_t)
+ files_read_generic_spool(crond_t)
+ files_list_usr(crond_t)
+ # Read from /var/spool/cron.
files_search_var_lib(crond_t)
files_search_default(crond_t)
@@ -12128,7 +12303,7 @@ index b357856..de056ab 100644
logging_send_syslog_msg(crond_t)
logging_set_loginuid(crond_t)
-@@ -220,20 +258,23 @@ miscfiles_read_localization(crond_t)
+@@ -220,20 +257,23 @@ miscfiles_read_localization(crond_t)
userdom_use_unpriv_users_fds(crond_t)
# Not sure why this is needed
userdom_list_user_home_dirs(crond_t)
@@ -12157,7 +12332,7 @@ index b357856..de056ab 100644
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out.
optional_policy(`
-@@ -241,7 +282,7 @@ ifdef(`distro_redhat', `
+@@ -241,7 +281,7 @@ ifdef(`distro_redhat', `
')
')
@@ -12166,7 +12341,7 @@ index b357856..de056ab 100644
files_polyinstantiate_all(crond_t)
')
-@@ -250,11 +291,27 @@ tunable_policy(`fcron_crond', `
+@@ -250,11 +290,27 @@ tunable_policy(`fcron_crond', `
')
optional_policy(`
@@ -12194,7 +12369,7 @@ index b357856..de056ab 100644
amanda_search_var_lib(crond_t)
')
-@@ -264,6 +321,8 @@ optional_policy(`
+@@ -264,6 +320,8 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(crond_t)
@@ -12203,7 +12378,7 @@ index b357856..de056ab 100644
')
optional_policy(`
-@@ -286,15 +345,25 @@ optional_policy(`
+@@ -286,15 +344,25 @@ optional_policy(`
')
optional_policy(`
@@ -12229,7 +12404,7 @@ index b357856..de056ab 100644
allow system_cronjob_t self:process { signal_perms getsched setsched };
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
allow system_cronjob_t self:passwd rootok;
-@@ -306,10 +375,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
+@@ -306,10 +374,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
# This is to handle /var/lib/misc directory. Used currently
# by prelink var/lib files for cron
@@ -12250,7 +12425,7 @@ index b357856..de056ab 100644
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
# not directly executed, crond must ensure that
-@@ -329,6 +407,7 @@ allow crond_t system_cronjob_t:fd use;
+@@ -329,6 +406,7 @@ allow crond_t system_cronjob_t:fd use;
allow system_cronjob_t crond_t:fd use;
allow system_cronjob_t crond_t:fifo_file rw_file_perms;
allow system_cronjob_t crond_t:process sigchld;
@@ -12258,7 +12433,7 @@ index b357856..de056ab 100644
# Write /var/lock/makewhatis.lock.
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
-@@ -340,11 +419,16 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+@@ -340,11 +418,16 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
@@ -12276,7 +12451,7 @@ index b357856..de056ab 100644
kernel_read_system_state(system_cronjob_t)
kernel_read_software_raid_state(system_cronjob_t)
-@@ -365,6 +449,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
+@@ -365,6 +448,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
dev_getattr_all_blk_files(system_cronjob_t)
dev_getattr_all_chr_files(system_cronjob_t)
dev_read_urand(system_cronjob_t)
@@ -12284,7 +12459,15 @@ index b357856..de056ab 100644
fs_getattr_all_fs(system_cronjob_t)
fs_getattr_all_files(system_cronjob_t)
-@@ -391,6 +476,7 @@ files_dontaudit_search_pids(system_cronjob_t)
+@@ -376,7 +460,6 @@ fs_getattr_all_sockets(system_cronjob_t)
+ domain_dontaudit_read_all_domains_state(system_cronjob_t)
+
+ files_exec_etc_files(system_cronjob_t)
+-files_read_etc_files(system_cronjob_t)
+ files_read_etc_runtime_files(system_cronjob_t)
+ files_list_all(system_cronjob_t)
+ files_getattr_all_dirs(system_cronjob_t)
+@@ -391,6 +474,7 @@ files_dontaudit_search_pids(system_cronjob_t)
# Access other spool directories like
# /var/spool/anacron and /var/spool/slrnpull.
files_manage_generic_spool(system_cronjob_t)
@@ -12292,7 +12475,7 @@ index b357856..de056ab 100644
init_use_script_fds(system_cronjob_t)
init_read_utmp(system_cronjob_t)
-@@ -413,8 +499,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
+@@ -413,8 +497,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
seutil_read_config(system_cronjob_t)
@@ -12304,7 +12487,7 @@ index b357856..de056ab 100644
# via redirection of standard out.
optional_policy(`
rpm_manage_log(system_cronjob_t)
-@@ -439,6 +527,8 @@ optional_policy(`
+@@ -439,6 +525,8 @@ optional_policy(`
apache_read_config(system_cronjob_t)
apache_read_log(system_cronjob_t)
apache_read_sys_content(system_cronjob_t)
@@ -12313,7 +12496,7 @@ index b357856..de056ab 100644
')
optional_policy(`
-@@ -446,6 +536,14 @@ optional_policy(`
+@@ -446,6 +534,14 @@ optional_policy(`
')
optional_policy(`
@@ -12328,7 +12511,7 @@ index b357856..de056ab 100644
ftp_read_log(system_cronjob_t)
')
-@@ -456,6 +554,10 @@ optional_policy(`
+@@ -456,6 +552,10 @@ optional_policy(`
')
optional_policy(`
@@ -12339,7 +12522,7 @@ index b357856..de056ab 100644
lpd_list_spool(system_cronjob_t)
')
-@@ -464,7 +566,9 @@ optional_policy(`
+@@ -464,7 +564,9 @@ optional_policy(`
')
optional_policy(`
@@ -12349,7 +12532,7 @@ index b357856..de056ab 100644
')
optional_policy(`
-@@ -472,6 +576,10 @@ optional_policy(`
+@@ -472,6 +574,10 @@ optional_policy(`
')
optional_policy(`
@@ -12360,7 +12543,7 @@ index b357856..de056ab 100644
postfix_read_config(system_cronjob_t)
')
-@@ -480,7 +588,7 @@ optional_policy(`
+@@ -480,7 +586,7 @@ optional_policy(`
prelink_manage_lib(system_cronjob_t)
prelink_manage_log(system_cronjob_t)
prelink_read_cache(system_cronjob_t)
@@ -12369,7 +12552,7 @@ index b357856..de056ab 100644
')
optional_policy(`
-@@ -495,6 +603,7 @@ optional_policy(`
+@@ -495,6 +601,7 @@ optional_policy(`
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
@@ -12377,7 +12560,7 @@ index b357856..de056ab 100644
')
optional_policy(`
-@@ -502,7 +611,18 @@ optional_policy(`
+@@ -502,7 +609,18 @@ optional_policy(`
')
optional_policy(`
@@ -12396,7 +12579,7 @@ index b357856..de056ab 100644
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
-@@ -595,9 +715,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
+@@ -595,9 +713,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@@ -12990,7 +13173,7 @@ index 305ddf4..11d010a 100644
+ filetrans_pattern($1, cups_etc_t, cups_rw_etc_t, file, "ppds.dat")
')
diff --git a/cups.te b/cups.te
-index 6e7f1b6..a699948 100644
+index 6e7f1b6..f8cf711 100644
--- a/cups.te
+++ b/cups.te
@@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t)
@@ -13059,13 +13242,13 @@ index 6e7f1b6..a699948 100644
term_use_unallocated_ttys(cupsd_t)
term_search_ptys(cupsd_t)
-@@ -220,11 +228,13 @@ corecmd_exec_bin(cupsd_t)
+@@ -220,11 +228,12 @@ corecmd_exec_bin(cupsd_t)
domain_use_interactive_fds(cupsd_t)
+files_getattr_boot_dirs(cupsd_t)
files_list_spool(cupsd_t)
- files_read_etc_files(cupsd_t)
+-files_read_etc_files(cupsd_t)
files_read_etc_runtime_files(cupsd_t)
# read python modules
files_read_usr_files(cupsd_t)
@@ -13073,7 +13256,7 @@ index 6e7f1b6..a699948 100644
# for /var/lib/defoma
files_read_var_lib_files(cupsd_t)
files_list_world_readable(cupsd_t)
-@@ -270,12 +280,6 @@ files_dontaudit_list_home(cupsd_t)
+@@ -270,12 +279,6 @@ files_dontaudit_list_home(cupsd_t)
userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
userdom_dontaudit_search_user_home_content(cupsd_t)
@@ -13086,7 +13269,7 @@ index 6e7f1b6..a699948 100644
optional_policy(`
apm_domtrans_client(cupsd_t)
')
-@@ -287,6 +291,8 @@ optional_policy(`
+@@ -287,6 +290,8 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(cupsd_t)
@@ -13095,7 +13278,7 @@ index 6e7f1b6..a699948 100644
userdom_dbus_send_all_users(cupsd_t)
optional_policy(`
-@@ -297,8 +303,10 @@ optional_policy(`
+@@ -297,8 +302,10 @@ optional_policy(`
hal_dbus_chat(cupsd_t)
')
@@ -13106,7 +13289,7 @@ index 6e7f1b6..a699948 100644
')
')
-@@ -311,10 +319,23 @@ optional_policy(`
+@@ -311,10 +318,23 @@ optional_policy(`
')
optional_policy(`
@@ -13130,7 +13313,7 @@ index 6e7f1b6..a699948 100644
mta_send_mail(cupsd_t)
')
-@@ -322,6 +343,8 @@ optional_policy(`
+@@ -322,6 +342,8 @@ optional_policy(`
# cups execs smbtool which reads samba_etc_t files
samba_read_config(cupsd_t)
samba_rw_var_files(cupsd_t)
@@ -13139,7 +13322,7 @@ index 6e7f1b6..a699948 100644
')
optional_policy(`
-@@ -371,8 +394,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
+@@ -371,8 +393,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir })
allow cupsd_config_t cupsd_var_run_t:file read_file_perms;
@@ -13150,7 +13333,15 @@ index 6e7f1b6..a699948 100644
domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
-@@ -425,11 +449,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
+@@ -407,7 +430,6 @@ domain_use_interactive_fds(cupsd_config_t)
+ domain_dontaudit_search_all_domains_state(cupsd_config_t)
+
+ files_read_usr_files(cupsd_config_t)
+-files_read_etc_files(cupsd_config_t)
+ files_read_etc_runtime_files(cupsd_config_t)
+ files_read_var_symlinks(cupsd_config_t)
+
+@@ -425,11 +447,11 @@ seutil_dontaudit_search_config(cupsd_config_t)
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
@@ -13164,7 +13355,7 @@ index 6e7f1b6..a699948 100644
ifdef(`distro_redhat',`
optional_policy(`
rpm_read_db(cupsd_config_t)
-@@ -453,6 +477,10 @@ optional_policy(`
+@@ -453,6 +475,10 @@ optional_policy(`
')
optional_policy(`
@@ -13175,7 +13366,7 @@ index 6e7f1b6..a699948 100644
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
hal_dontaudit_use_fds(hplip_t)
-@@ -467,6 +495,10 @@ optional_policy(`
+@@ -467,6 +493,10 @@ optional_policy(`
')
optional_policy(`
@@ -13186,7 +13377,7 @@ index 6e7f1b6..a699948 100644
policykit_dbus_chat(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
')
-@@ -537,6 +569,7 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
+@@ -537,13 +567,13 @@ corenet_udp_sendrecv_all_ports(cupsd_lpd_t)
corenet_tcp_bind_generic_node(cupsd_lpd_t)
corenet_udp_bind_generic_node(cupsd_lpd_t)
corenet_tcp_connect_ipp_port(cupsd_lpd_t)
@@ -13194,7 +13385,22 @@ index 6e7f1b6..a699948 100644
dev_read_urand(cupsd_lpd_t)
dev_read_rand(cupsd_lpd_t)
-@@ -587,23 +620,22 @@ auth_use_nsswitch(cups_pdf_t)
+
+ fs_getattr_xattr_fs(cupsd_lpd_t)
+
+-files_read_etc_files(cupsd_lpd_t)
+
+ auth_use_nsswitch(cupsd_lpd_t)
+
+@@ -577,7 +607,6 @@ fs_rw_anon_inodefs_files(cups_pdf_t)
+
+ kernel_read_system_state(cups_pdf_t)
+
+-files_read_etc_files(cups_pdf_t)
+ files_read_usr_files(cups_pdf_t)
+
+ corecmd_exec_shell(cups_pdf_t)
+@@ -587,23 +616,22 @@ auth_use_nsswitch(cups_pdf_t)
miscfiles_read_localization(cups_pdf_t)
miscfiles_read_fonts(cups_pdf_t)
@@ -13227,7 +13433,7 @@ index 6e7f1b6..a699948 100644
')
########################################
-@@ -661,10 +693,10 @@ corenet_tcp_bind_generic_node(hplip_t)
+@@ -661,10 +689,10 @@ corenet_tcp_bind_generic_node(hplip_t)
corenet_udp_bind_generic_node(hplip_t)
corenet_tcp_bind_hplip_port(hplip_t)
corenet_tcp_connect_hplip_port(hplip_t)
@@ -13241,8 +13447,11 @@ index 6e7f1b6..a699948 100644
dev_read_sysfs(hplip_t)
dev_rw_printer(hplip_t)
-@@ -685,6 +717,9 @@ domain_use_interactive_fds(hplip_t)
- files_read_etc_files(hplip_t)
+@@ -682,9 +710,11 @@ corecmd_exec_bin(hplip_t)
+
+ domain_use_interactive_fds(hplip_t)
+
+-files_read_etc_files(hplip_t)
files_read_etc_runtime_files(hplip_t)
files_read_usr_files(hplip_t)
+files_dontaudit_write_usr_dirs(hplip_t)
@@ -13251,7 +13460,7 @@ index 6e7f1b6..a699948 100644
logging_send_syslog_msg(hplip_t)
-@@ -696,8 +731,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
+@@ -696,8 +726,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t)
userdom_dontaudit_search_user_home_dirs(hplip_t)
userdom_dontaudit_search_user_home_content(hplip_t)
@@ -13264,6 +13473,14 @@ index 6e7f1b6..a699948 100644
optional_policy(`
dbus_system_bus_client(hplip_t)
+@@ -760,7 +792,6 @@ fs_search_auto_mountpoints(ptal_t)
+
+ domain_use_interactive_fds(ptal_t)
+
+-files_read_etc_files(ptal_t)
+ files_read_etc_runtime_files(ptal_t)
+
+ logging_send_syslog_msg(ptal_t)
diff --git a/cvs.if b/cvs.if
index c43ff4c..5da88b5 100644
--- a/cvs.if
@@ -13314,7 +13531,7 @@ index c43ff4c..5da88b5 100644
init_labeled_script_domtrans($1, cvs_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/cvs.te b/cvs.te
-index 88e7e97..08d7ec0 100644
+index 88e7e97..4742d3a 100644
--- a/cvs.te
+++ b/cvs.te
@@ -10,7 +10,7 @@ policy_module(cvs, 1.9.0)
@@ -13340,7 +13557,12 @@ index 88e7e97..08d7ec0 100644
manage_dirs_pattern(cvs_t, cvs_data_t, cvs_data_t)
manage_files_pattern(cvs_t, cvs_data_t, cvs_data_t)
-@@ -81,6 +81,8 @@ files_read_etc_runtime_files(cvs_t)
+@@ -76,11 +76,12 @@ auth_use_nsswitch(cvs_t)
+ corecmd_exec_bin(cvs_t)
+ corecmd_exec_shell(cvs_t)
+
+-files_read_etc_files(cvs_t)
+ files_read_etc_runtime_files(cvs_t)
# for identd; cjp: this should probably only be inetd_child rules?
files_search_home(cvs_t)
@@ -13349,7 +13571,7 @@ index 88e7e97..08d7ec0 100644
logging_send_syslog_msg(cvs_t)
logging_send_audit_msgs(cvs_t)
-@@ -88,9 +90,11 @@ miscfiles_read_localization(cvs_t)
+@@ -88,9 +89,11 @@ miscfiles_read_localization(cvs_t)
mta_send_mail(cvs_t)
@@ -13362,7 +13584,7 @@ index 88e7e97..08d7ec0 100644
allow cvs_t self:capability dac_override;
auth_tunable_read_shadow(cvs_t)
')
-@@ -112,4 +116,5 @@ optional_policy(`
+@@ -112,4 +115,5 @@ optional_policy(`
read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
@@ -13388,7 +13610,7 @@ index e4e86d0..7c30655 100644
domain_system_change_exemption($1)
role_transition $2 cyrus_initrc_exec_t system_r;
diff --git a/cyrus.te b/cyrus.te
-index a531e6f..6b0ffc2 100644
+index a531e6f..ec075b8 100644
--- a/cyrus.te
+++ b/cyrus.te
@@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t)
@@ -13408,7 +13630,15 @@ index a531e6f..6b0ffc2 100644
corenet_tcp_bind_pop_port(cyrus_t)
corenet_tcp_bind_sieve_port(cyrus_t)
corenet_tcp_connect_all_ports(cyrus_t)
-@@ -119,6 +120,10 @@ optional_policy(`
+@@ -93,7 +94,6 @@ corecmd_exec_bin(cyrus_t)
+ domain_use_interactive_fds(cyrus_t)
+
+ files_list_var_lib(cyrus_t)
+-files_read_etc_files(cyrus_t)
+ files_read_etc_runtime_files(cyrus_t)
+ files_read_usr_files(cyrus_t)
+
+@@ -119,6 +119,10 @@ optional_policy(`
')
optional_policy(`
@@ -13419,7 +13649,7 @@ index a531e6f..6b0ffc2 100644
kerberos_keytab_template(cyrus, cyrus_t)
')
-@@ -135,6 +140,7 @@ optional_policy(`
+@@ -135,6 +139,7 @@ optional_policy(`
')
optional_policy(`
@@ -13530,6 +13760,18 @@ index 1875064..2adc35f 100644
+optional_policy(`
+ sudo_role_template(dbadm, dbadm_r, dbadm_t)
+')
+diff --git a/dbskk.te b/dbskk.te
+index 1445f97..f874b4d 100644
+--- a/dbskk.te
++++ b/dbskk.te
+@@ -60,7 +60,6 @@ dev_read_urand(dbskkd_t)
+
+ fs_getattr_xattr_fs(dbskkd_t)
+
+-files_read_etc_files(dbskkd_t)
+
+ auth_use_nsswitch(dbskkd_t)
+
diff --git a/dbus.fc b/dbus.fc
index e6345ce..31f269b 100644
--- a/dbus.fc
@@ -13896,7 +14138,7 @@ index fb4bf82..115133d 100644
+ dontaudit $1 session_bus_type:dbus send_msg;
')
diff --git a/dbus.te b/dbus.te
-index 8e7ba54..088e2ca 100644
+index 8e7ba54..9201358 100644
--- a/dbus.te
+++ b/dbus.te
@@ -10,6 +10,7 @@ gen_require(`
@@ -13948,7 +14190,7 @@ index 8e7ba54..088e2ca 100644
fs_getattr_all_fs(system_dbusd_t)
fs_list_inotifyfs(system_dbusd_t)
fs_search_auto_mountpoints(system_dbusd_t)
-@@ -110,6 +115,8 @@ auth_read_pam_console_data(system_dbusd_t)
+@@ -110,17 +115,20 @@ auth_read_pam_console_data(system_dbusd_t)
corecmd_list_bin(system_dbusd_t)
corecmd_read_bin_pipes(system_dbusd_t)
corecmd_read_bin_sockets(system_dbusd_t)
@@ -13957,7 +14199,10 @@ index 8e7ba54..088e2ca 100644
domain_use_interactive_fds(system_dbusd_t)
domain_read_all_domains_state(system_dbusd_t)
-@@ -120,7 +127,9 @@ files_read_usr_files(system_dbusd_t)
+
+-files_read_etc_files(system_dbusd_t)
+ files_list_home(system_dbusd_t)
+ files_read_usr_files(system_dbusd_t)
init_use_fds(system_dbusd_t)
init_use_script_ptys(system_dbusd_t)
@@ -13967,7 +14212,7 @@ index 8e7ba54..088e2ca 100644
logging_send_audit_msgs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)
-@@ -135,11 +144,27 @@ seutil_sigchld_newrole(system_dbusd_t)
+@@ -135,11 +143,27 @@ seutil_sigchld_newrole(system_dbusd_t)
userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
@@ -13995,7 +14240,7 @@ index 8e7ba54..088e2ca 100644
policykit_dbus_chat(system_dbusd_t)
policykit_domtrans_auth(system_dbusd_t)
policykit_search_lib(system_dbusd_t)
-@@ -150,12 +175,161 @@ optional_policy(`
+@@ -150,12 +174,160 @@ optional_policy(`
')
optional_policy(`
@@ -14094,7 +14339,6 @@ index 8e7ba54..088e2ca 100644
+domain_use_interactive_fds(session_bus_type)
+domain_read_all_domains_state(session_bus_type)
+
-+files_read_etc_files(session_bus_type)
+files_list_home(session_bus_type)
+files_read_usr_files(session_bus_type)
+files_dontaudit_search_var(session_bus_type)
@@ -14170,7 +14414,7 @@ index 784753e..bf65e7d 100644
stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)
')
diff --git a/dcc.te b/dcc.te
-index 5178337..b309a53 100644
+index 5178337..d83413e 100644
--- a/dcc.te
+++ b/dcc.te
@@ -36,7 +36,7 @@ type dcc_var_t;
@@ -14182,7 +14426,15 @@ index 5178337..b309a53 100644
type dccd_t;
type dccd_exec_t;
-@@ -110,7 +110,7 @@ logging_send_syslog_msg(cdcc_t)
+@@ -101,7 +101,6 @@ corenet_udp_sendrecv_generic_if(cdcc_t)
+ corenet_udp_sendrecv_generic_node(cdcc_t)
+ corenet_udp_sendrecv_all_ports(cdcc_t)
+
+-files_read_etc_files(cdcc_t)
+ files_read_etc_runtime_files(cdcc_t)
+
+ auth_use_nsswitch(cdcc_t)
+@@ -110,7 +109,7 @@ logging_send_syslog_msg(cdcc_t)
miscfiles_read_localization(cdcc_t)
@@ -14191,7 +14443,15 @@ index 5178337..b309a53 100644
########################################
#
-@@ -152,7 +152,7 @@ logging_send_syslog_msg(dcc_client_t)
+@@ -141,7 +140,6 @@ corenet_udp_sendrecv_generic_node(dcc_client_t)
+ corenet_udp_sendrecv_all_ports(dcc_client_t)
+ corenet_udp_bind_generic_node(dcc_client_t)
+
+-files_read_etc_files(dcc_client_t)
+ files_read_etc_runtime_files(dcc_client_t)
+
+ fs_getattr_all_fs(dcc_client_t)
+@@ -152,7 +150,7 @@ logging_send_syslog_msg(dcc_client_t)
miscfiles_read_localization(dcc_client_t)
@@ -14200,7 +14460,15 @@ index 5178337..b309a53 100644
optional_policy(`
amavis_read_spool_files(dcc_client_t)
-@@ -197,7 +197,7 @@ logging_send_syslog_msg(dcc_dbclean_t)
+@@ -188,7 +186,6 @@ corenet_udp_sendrecv_generic_if(dcc_dbclean_t)
+ corenet_udp_sendrecv_generic_node(dcc_dbclean_t)
+ corenet_udp_sendrecv_all_ports(dcc_dbclean_t)
+
+-files_read_etc_files(dcc_dbclean_t)
+ files_read_etc_runtime_files(dcc_dbclean_t)
+
+ auth_use_nsswitch(dcc_dbclean_t)
+@@ -197,7 +194,7 @@ logging_send_syslog_msg(dcc_dbclean_t)
miscfiles_read_localization(dcc_dbclean_t)
@@ -14209,6 +14477,30 @@ index 5178337..b309a53 100644
########################################
#
+@@ -251,7 +248,6 @@ dev_read_sysfs(dccd_t)
+
+ domain_use_interactive_fds(dccd_t)
+
+-files_read_etc_files(dccd_t)
+ files_read_etc_runtime_files(dccd_t)
+
+ fs_getattr_all_fs(dccd_t)
+@@ -316,7 +312,6 @@ dev_read_sysfs(dccifd_t)
+
+ domain_use_interactive_fds(dccifd_t)
+
+-files_read_etc_files(dccifd_t)
+ files_read_etc_runtime_files(dccifd_t)
+
+ fs_getattr_all_fs(dccifd_t)
+@@ -380,7 +375,6 @@ dev_read_sysfs(dccm_t)
+
+ domain_use_interactive_fds(dccm_t)
+
+-files_read_etc_files(dccm_t)
+ files_read_etc_runtime_files(dccm_t)
+
+ fs_getattr_all_fs(dccm_t)
diff --git a/ddclient.if b/ddclient.if
index 0a1a61b..64742c6 100644
--- a/ddclient.if
@@ -14371,7 +14663,7 @@ index 567865f..b5e9376 100644
admin_pattern($1, denyhosts_var_lock_t)
')
diff --git a/denyhosts.te b/denyhosts.te
-index 8ba9425..02f4190 100644
+index 8ba9425..b06678c 100644
--- a/denyhosts.te
+++ b/denyhosts.te
@@ -25,6 +25,9 @@ logging_log_file(denyhosts_var_log_t)
@@ -14396,7 +14688,7 @@ index 8ba9425..02f4190 100644
corecmd_exec_bin(denyhosts_t)
corenet_all_recvfrom_unlabeled(denyhosts_t)
-@@ -53,20 +59,30 @@ corenet_tcp_sendrecv_generic_if(denyhosts_t)
+@@ -53,20 +59,29 @@ corenet_tcp_sendrecv_generic_if(denyhosts_t)
corenet_tcp_sendrecv_generic_node(denyhosts_t)
corenet_tcp_bind_generic_node(denyhosts_t)
corenet_tcp_connect_smtp_port(denyhosts_t)
@@ -14405,7 +14697,7 @@ index 8ba9425..02f4190 100644
dev_read_urand(denyhosts_t)
- files_read_etc_files(denyhosts_t)
+-files_read_etc_files(denyhosts_t)
+files_read_usr_files(denyhosts_t)
+
+auth_use_nsswitch(denyhosts_t)
@@ -14755,7 +15047,7 @@ index f706b99..aa049fc 100644
+ #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
')
diff --git a/devicekit.te b/devicekit.te
-index 1819518..04bd8a8 100644
+index 1819518..b2dd360 100644
--- a/devicekit.te
+++ b/devicekit.te
@@ -8,14 +8,17 @@ policy_module(devicekit, 1.2.0)
@@ -14786,7 +15078,15 @@ index 1819518..04bd8a8 100644
########################################
#
# DeviceKit local policy
-@@ -62,7 +68,8 @@ optional_policy(`
+@@ -42,7 +48,6 @@ kernel_read_system_state(devicekit_t)
+ dev_read_sysfs(devicekit_t)
+ dev_read_urand(devicekit_t)
+
+-files_read_etc_files(devicekit_t)
+
+ miscfiles_read_localization(devicekit_t)
+
+@@ -62,7 +67,8 @@ optional_policy(`
# DeviceKit disk local policy
#
@@ -14796,7 +15096,7 @@ index 1819518..04bd8a8 100644
allow devicekit_disk_t self:process { getsched signal_perms };
allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -75,10 +82,14 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
+@@ -75,10 +81,14 @@ manage_dirs_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t)
files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir)
@@ -14811,7 +15111,7 @@ index 1819518..04bd8a8 100644
kernel_getattr_message_if(devicekit_disk_t)
kernel_read_fs_sysctls(devicekit_disk_t)
kernel_read_network_state(devicekit_disk_t)
-@@ -97,6 +108,7 @@ dev_getattr_usbfs_dirs(devicekit_disk_t)
+@@ -97,6 +107,7 @@ dev_getattr_usbfs_dirs(devicekit_disk_t)
dev_manage_generic_files(devicekit_disk_t)
dev_getattr_all_chr_files(devicekit_disk_t)
dev_getattr_mtrr_dev(devicekit_disk_t)
@@ -14819,7 +15119,7 @@ index 1819518..04bd8a8 100644
domain_getattr_all_pipes(devicekit_disk_t)
domain_getattr_all_sockets(devicekit_disk_t)
-@@ -105,14 +117,17 @@ domain_read_all_domains_state(devicekit_disk_t)
+@@ -105,14 +116,16 @@ domain_read_all_domains_state(devicekit_disk_t)
files_dontaudit_read_all_symlinks(devicekit_disk_t)
files_getattr_all_sockets(devicekit_disk_t)
@@ -14830,7 +15130,7 @@ index 1819518..04bd8a8 100644
+files_manage_boot_dirs(devicekit_disk_t)
files_manage_isid_type_dirs(devicekit_disk_t)
files_manage_mnt_dirs(devicekit_disk_t)
- files_read_etc_files(devicekit_disk_t)
+-files_read_etc_files(devicekit_disk_t)
files_read_etc_runtime_files(devicekit_disk_t)
files_read_usr_files(devicekit_disk_t)
@@ -14838,7 +15138,7 @@ index 1819518..04bd8a8 100644
fs_list_inotifyfs(devicekit_disk_t)
fs_manage_fusefs_dirs(devicekit_disk_t)
fs_mount_all_fs(devicekit_disk_t)
-@@ -127,14 +142,17 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
+@@ -127,14 +140,17 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
storage_raw_read_removable_device(devicekit_disk_t)
storage_raw_write_removable_device(devicekit_disk_t)
@@ -14857,7 +15157,7 @@ index 1819518..04bd8a8 100644
optional_policy(`
dbus_system_bus_client(devicekit_disk_t)
-@@ -170,6 +188,10 @@ optional_policy(`
+@@ -170,6 +186,10 @@ optional_policy(`
')
optional_policy(`
@@ -14868,7 +15168,7 @@ index 1819518..04bd8a8 100644
udev_domtrans(devicekit_disk_t)
udev_read_db(devicekit_disk_t)
')
-@@ -178,55 +200,85 @@ optional_policy(`
+@@ -178,55 +198,84 @@ optional_policy(`
virt_manage_images(devicekit_disk_t)
')
@@ -14936,7 +15236,7 @@ index 1819518..04bd8a8 100644
+dev_getattr_all_chr_files(devicekit_power_t)
files_read_kernel_img(devicekit_power_t)
- files_read_etc_files(devicekit_power_t)
+-files_read_etc_files(devicekit_power_t)
+files_read_etc_runtime_files(devicekit_power_t)
files_read_usr_files(devicekit_power_t)
+files_dontaudit_list_mnt(devicekit_power_t)
@@ -14959,7 +15259,7 @@ index 1819518..04bd8a8 100644
userdom_read_all_users_state(devicekit_power_t)
-@@ -235,7 +287,12 @@ optional_policy(`
+@@ -235,7 +284,12 @@ optional_policy(`
')
optional_policy(`
@@ -14972,7 +15272,7 @@ index 1819518..04bd8a8 100644
')
optional_policy(`
-@@ -261,14 +318,21 @@ optional_policy(`
+@@ -261,14 +315,21 @@ optional_policy(`
')
optional_policy(`
@@ -14995,7 +15295,7 @@ index 1819518..04bd8a8 100644
policykit_dbus_chat(devicekit_power_t)
policykit_domtrans_auth(devicekit_power_t)
policykit_read_lib(devicekit_power_t)
-@@ -276,9 +340,31 @@ optional_policy(`
+@@ -276,9 +337,31 @@ optional_policy(`
')
optional_policy(`
@@ -15117,7 +15417,7 @@ index 5e2cea8..2ab8a14 100644
+ allow $1 dhcpd_unit_file_t:service all_service_perms;
')
diff --git a/dhcp.te b/dhcp.te
-index 54b794f..6d3ed6e 100644
+index 54b794f..def601e 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -19,6 +19,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
@@ -15151,7 +15451,15 @@ index 54b794f..6d3ed6e 100644
corenet_udp_bind_all_unreserved_ports(dhcpd_t)
dev_read_sysfs(dhcpd_t)
-@@ -110,12 +113,21 @@ sysnet_read_dhcp_config(dhcpd_t)
+@@ -94,7 +97,6 @@ corecmd_exec_bin(dhcpd_t)
+
+ domain_use_interactive_fds(dhcpd_t)
+
+-files_read_etc_files(dhcpd_t)
+ files_read_usr_files(dhcpd_t)
+ files_read_etc_runtime_files(dhcpd_t)
+ files_search_var_lib(dhcpd_t)
+@@ -110,12 +112,21 @@ sysnet_read_dhcp_config(dhcpd_t)
userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
userdom_dontaudit_search_user_home_dirs(dhcpd_t)
@@ -15193,10 +15501,17 @@ index a0d23ce..83a7ca5 100644
init_labeled_script_domtrans($1, dictd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/dictd.te b/dictd.te
-index d2d9359..ee10625 100644
+index d2d9359..c0e30db 100644
--- a/dictd.te
+++ b/dictd.te
-@@ -73,23 +73,15 @@ files_search_var_lib(dictd_t)
+@@ -66,30 +66,21 @@ fs_search_auto_mountpoints(dictd_t)
+
+ domain_use_interactive_fds(dictd_t)
+
+-files_read_etc_files(dictd_t)
+ files_read_etc_runtime_files(dictd_t)
+ files_read_usr_files(dictd_t)
+ files_search_var_lib(dictd_t)
# for checking for nscd
files_dontaudit_search_pids(dictd_t)
@@ -16249,7 +16564,7 @@ index 9bd812b..53f895e 100644
+ allow $1 dnsmasq_unit_file_t:service all_service_perms;
')
diff --git a/dnsmasq.te b/dnsmasq.te
-index fdaeeba..1a2a666 100644
+index fdaeeba..fa7f1b8 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
@@ -16278,7 +16593,15 @@ index fdaeeba..1a2a666 100644
corenet_all_recvfrom_unlabeled(dnsmasq_t)
corenet_all_recvfrom_netlabel(dnsmasq_t)
-@@ -88,6 +94,8 @@ logging_send_syslog_msg(dnsmasq_t)
+@@ -76,7 +82,6 @@ dev_read_urand(dnsmasq_t)
+
+ domain_use_interactive_fds(dnsmasq_t)
+
+-files_read_etc_files(dnsmasq_t)
+ files_read_etc_runtime_files(dnsmasq_t)
+
+ fs_getattr_all_fs(dnsmasq_t)
+@@ -88,6 +93,8 @@ logging_send_syslog_msg(dnsmasq_t)
miscfiles_read_localization(dnsmasq_t)
@@ -16287,7 +16610,7 @@ index fdaeeba..1a2a666 100644
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
-@@ -96,7 +104,20 @@ optional_policy(`
+@@ -96,7 +103,20 @@ optional_policy(`
')
optional_policy(`
@@ -16308,7 +16631,7 @@ index fdaeeba..1a2a666 100644
')
optional_policy(`
-@@ -113,5 +134,7 @@ optional_policy(`
+@@ -113,5 +133,7 @@ optional_policy(`
optional_policy(`
virt_manage_lib_files(dnsmasq_t)
@@ -16610,7 +16933,7 @@ index e1d7dc5..df96c0d 100644
admin_pattern($1, dovecot_var_run_t)
diff --git a/dovecot.te b/dovecot.te
-index 2df7766..d536976 100644
+index 2df7766..479b994 100644
--- a/dovecot.te
+++ b/dovecot.te
@@ -18,7 +18,7 @@ type dovecot_auth_tmp_t;
@@ -16686,7 +17009,14 @@ index 2df7766..d536976 100644
corenet_tcp_bind_sieve_port(dovecot_t)
corenet_tcp_connect_all_ports(dovecot_t)
corenet_tcp_connect_postgresql_port(dovecot_t)
-@@ -135,6 +143,7 @@ files_dontaudit_list_default(dovecot_t)
+@@ -128,13 +136,13 @@ corecmd_exec_bin(dovecot_t)
+
+ domain_use_interactive_fds(dovecot_t)
+
+-files_read_etc_files(dovecot_t)
+ files_search_spool(dovecot_t)
+ files_search_tmp(dovecot_t)
+ files_dontaudit_list_default(dovecot_t)
# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
files_read_etc_runtime_files(dovecot_t)
files_search_all_mountpoints(dovecot_t)
@@ -16694,7 +17024,7 @@ index 2df7766..d536976 100644
init_getattr_utmp(dovecot_t)
-@@ -145,6 +154,7 @@ logging_send_syslog_msg(dovecot_t)
+@@ -145,6 +153,7 @@ logging_send_syslog_msg(dovecot_t)
miscfiles_read_generic_certs(dovecot_t)
miscfiles_read_localization(dovecot_t)
@@ -16702,7 +17032,7 @@ index 2df7766..d536976 100644
userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
userdom_manage_user_home_content_dirs(dovecot_t)
userdom_manage_user_home_content_files(dovecot_t)
-@@ -153,6 +163,7 @@ userdom_manage_user_home_content_pipes(dovecot_t)
+@@ -153,6 +162,7 @@ userdom_manage_user_home_content_pipes(dovecot_t)
userdom_manage_user_home_content_sockets(dovecot_t)
userdom_user_home_dir_filetrans_user_home_content(dovecot_t, { dir file lnk_file fifo_file sock_file })
@@ -16710,7 +17040,7 @@ index 2df7766..d536976 100644
mta_manage_spool(dovecot_t)
optional_policy(`
-@@ -160,10 +171,24 @@ optional_policy(`
+@@ -160,10 +170,24 @@ optional_policy(`
')
optional_policy(`
@@ -16735,7 +17065,7 @@ index 2df7766..d536976 100644
seutil_sigchld_newrole(dovecot_t)
')
-@@ -180,8 +205,8 @@ optional_policy(`
+@@ -180,8 +204,8 @@ optional_policy(`
# dovecot auth local policy
#
@@ -16746,7 +17076,7 @@ index 2df7766..d536976 100644
allow dovecot_auth_t self:fifo_file rw_fifo_file_perms;
allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
-@@ -190,6 +215,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
+@@ -190,6 +214,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
@@ -16756,7 +17086,7 @@ index 2df7766..d536976 100644
manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
-@@ -201,9 +229,12 @@ dovecot_stream_connect_auth(dovecot_auth_t)
+@@ -201,22 +228,25 @@ dovecot_stream_connect_auth(dovecot_auth_t)
kernel_read_all_sysctls(dovecot_auth_t)
kernel_read_system_state(dovecot_auth_t)
@@ -16769,7 +17099,12 @@ index 2df7766..d536976 100644
dev_read_urand(dovecot_auth_t)
auth_domtrans_chk_passwd(dovecot_auth_t)
-@@ -216,7 +247,8 @@ files_read_usr_files(dovecot_auth_t)
+ auth_use_nsswitch(dovecot_auth_t)
+
+-files_read_etc_files(dovecot_auth_t)
+ files_read_etc_runtime_files(dovecot_auth_t)
+ files_search_pids(dovecot_auth_t)
+ files_read_usr_files(dovecot_auth_t)
files_read_usr_symlinks(dovecot_auth_t)
files_read_var_lib_files(dovecot_auth_t)
files_search_tmp(dovecot_auth_t)
@@ -16779,7 +17114,7 @@ index 2df7766..d536976 100644
init_rw_utmp(dovecot_auth_t)
-@@ -236,6 +268,8 @@ optional_policy(`
+@@ -236,6 +266,8 @@ optional_policy(`
optional_policy(`
mysql_search_db(dovecot_auth_t)
mysql_stream_connect(dovecot_auth_t)
@@ -16788,7 +17123,7 @@ index 2df7766..d536976 100644
')
optional_policy(`
-@@ -243,6 +277,8 @@ optional_policy(`
+@@ -243,6 +275,8 @@ optional_policy(`
')
optional_policy(`
@@ -16797,7 +17132,7 @@ index 2df7766..d536976 100644
postfix_search_spool(dovecot_auth_t)
')
-@@ -250,23 +286,42 @@ optional_policy(`
+@@ -250,23 +284,42 @@ optional_policy(`
#
# dovecot deliver local policy
#
@@ -16821,6 +17156,7 @@ index 2df7766..d536976 100644
+files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
+
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
++read_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
+read_sock_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
+dovecot_stream_connect(dovecot_deliver_t)
+
@@ -16829,9 +17165,9 @@ index 2df7766..d536976 100644
kernel_read_all_sysctls(dovecot_deliver_t)
kernel_read_system_state(dovecot_deliver_t)
+-files_read_etc_files(dovecot_deliver_t)
+corecmd_exec_bin(dovecot_deliver_t)
+
- files_read_etc_files(dovecot_deliver_t)
files_read_etc_runtime_files(dovecot_deliver_t)
auth_use_nsswitch(dovecot_deliver_t)
@@ -16842,7 +17178,7 @@ index 2df7766..d536976 100644
miscfiles_read_localization(dovecot_deliver_t)
-@@ -283,24 +338,21 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
+@@ -283,24 +336,21 @@ userdom_manage_user_home_content_pipes(dovecot_deliver_t)
userdom_manage_user_home_content_sockets(dovecot_deliver_t)
userdom_user_home_dir_filetrans_user_home_content(dovecot_deliver_t, { dir file lnk_file fifo_file sock_file })
@@ -17542,10 +17878,10 @@ index 0000000..a446210
+')
diff --git a/dspam.te b/dspam.te
new file mode 100644
-index 0000000..d409571
+index 0000000..fe2a993
--- /dev/null
+++ b/dspam.te
-@@ -0,0 +1,95 @@
+@@ -0,0 +1,94 @@
+
+policy_module(dspam, 1.0.0)
+
@@ -17602,7 +17938,6 @@ index 0000000..d409571
+# need to add the port tcp/10026 to corenetwork.te.in
+#allow dspam_t port_t:tcp_socket name_connect;
+
-+files_read_etc_files(dspam_t)
+
+auth_use_nsswitch(dspam_t)
+
@@ -17642,10 +17977,18 @@ index 0000000..d409571
+')
+
diff --git a/entropyd.te b/entropyd.te
-index b6ac808..053caed 100644
+index b6ac808..63ba594 100644
--- a/entropyd.te
+++ b/entropyd.te
-@@ -52,6 +52,8 @@ domain_use_interactive_fds(entropyd_t)
+@@ -42,7 +42,6 @@ dev_write_urand(entropyd_t)
+ dev_read_rand(entropyd_t)
+ dev_write_rand(entropyd_t)
+
+-files_read_etc_files(entropyd_t)
+ files_read_usr_files(entropyd_t)
+
+ fs_getattr_all_fs(entropyd_t)
+@@ -52,6 +51,8 @@ domain_use_interactive_fds(entropyd_t)
logging_send_syslog_msg(entropyd_t)
@@ -17655,10 +17998,17 @@ index b6ac808..053caed 100644
userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
diff --git a/evolution.te b/evolution.te
-index 73cb712..61483ec 100644
+index 73cb712..14f0228 100644
--- a/evolution.te
+++ b/evolution.te
-@@ -188,6 +188,8 @@ files_read_var_files(evolution_t)
+@@ -181,13 +181,14 @@ dev_read_urand(evolution_t)
+
+ domain_dontaudit_read_all_domains_state(evolution_t)
+
+-files_read_etc_files(evolution_t)
+ files_read_usr_files(evolution_t)
+ files_read_usr_symlinks(evolution_t)
+ files_read_var_files(evolution_t)
fs_search_auto_mountpoints(evolution_t)
@@ -17667,7 +18017,7 @@ index 73cb712..61483ec 100644
logging_send_syslog_msg(evolution_t)
miscfiles_read_localization(evolution_t)
-@@ -201,7 +203,7 @@ userdom_rw_user_tmp_files(evolution_t)
+@@ -201,7 +202,7 @@ userdom_rw_user_tmp_files(evolution_t)
userdom_manage_user_tmp_dirs(evolution_t)
userdom_manage_user_tmp_sockets(evolution_t)
userdom_manage_user_tmp_files(evolution_t)
@@ -17676,7 +18026,12 @@ index 73cb712..61483ec 100644
# FIXME: suppress access to .local/.icons/.themes until properly implemented
# FIXME: suppress access to .gaim/blist.xml (buddy list synchronization)
# until properly implemented
-@@ -362,6 +364,8 @@ files_read_usr_files(evolution_alarm_t)
+@@ -357,11 +358,12 @@ allow evolution_alarm_t evolution_server_orbit_tmp_t:sock_file write;
+
+ dev_read_urand(evolution_alarm_t)
+
+-files_read_etc_files(evolution_alarm_t)
+ files_read_usr_files(evolution_alarm_t)
fs_search_auto_mountpoints(evolution_alarm_t)
@@ -17685,7 +18040,13 @@ index 73cb712..61483ec 100644
miscfiles_read_localization(evolution_alarm_t)
# Access evolution home
-@@ -445,6 +449,8 @@ files_read_usr_files(evolution_exchange_t)
+@@ -439,12 +441,13 @@ corecmd_exec_bin(evolution_exchange_t)
+
+ dev_read_urand(evolution_exchange_t)
+
+-files_read_etc_files(evolution_exchange_t)
+ files_read_usr_files(evolution_exchange_t)
+
# Access evolution home
fs_search_auto_mountpoints(evolution_exchange_t)
@@ -17694,7 +18055,13 @@ index 73cb712..61483ec 100644
miscfiles_read_localization(evolution_exchange_t)
userdom_write_user_tmp_sockets(evolution_exchange_t)
-@@ -525,6 +531,8 @@ files_read_usr_files(evolution_server_t)
+@@ -519,12 +522,13 @@ corenet_sendrecv_http_cache_client_packets(evolution_server_t)
+
+ dev_read_urand(evolution_server_t)
+
+-files_read_etc_files(evolution_server_t)
+ # Obtain weather data via http (read server name from xml file in /usr)
+ files_read_usr_files(evolution_server_t)
fs_search_auto_mountpoints(evolution_server_t)
@@ -17703,7 +18070,7 @@ index 73cb712..61483ec 100644
miscfiles_read_localization(evolution_server_t)
# Look in /etc/pki
miscfiles_read_generic_certs(evolution_server_t)
-@@ -586,7 +594,8 @@ corenet_tcp_connect_http_port(evolution_webcal_t)
+@@ -586,7 +590,8 @@ corenet_tcp_connect_http_port(evolution_webcal_t)
corenet_sendrecv_http_client_packets(evolution_webcal_t)
corenet_sendrecv_http_cache_client_packets(evolution_webcal_t)
@@ -17832,7 +18199,7 @@ index 6bef7f8..ba138e8 100644
+ admin_pattern($1, exim_var_run_t)
+')
diff --git a/exim.te b/exim.te
-index f28f64b..681d083 100644
+index f28f64b..6a30d96 100644
--- a/exim.te
+++ b/exim.te
@@ -35,11 +35,14 @@ mta_mailserver_user_agent(exim_t)
@@ -17860,15 +18227,16 @@ index f28f64b..681d083 100644
corecmd_search_bin(exim_t)
-@@ -108,6 +111,7 @@ domain_use_interactive_fds(exim_t)
+@@ -108,7 +111,7 @@ domain_use_interactive_fds(exim_t)
files_search_usr(exim_t)
files_search_var(exim_t)
+-files_read_etc_files(exim_t)
+files_read_usr_files(exim_t)
- files_read_etc_files(exim_t)
files_read_etc_runtime_files(exim_t)
files_getattr_all_mountpoints(exim_t)
-@@ -162,6 +166,10 @@ optional_policy(`
+
+@@ -162,6 +165,10 @@ optional_policy(`
')
optional_policy(`
@@ -17879,7 +18247,7 @@ index f28f64b..681d083 100644
kerberos_keytab_template(exim, exim_t)
')
-@@ -171,6 +179,10 @@ optional_policy(`
+@@ -171,6 +178,10 @@ optional_policy(`
')
optional_policy(`
@@ -17890,7 +18258,7 @@ index f28f64b..681d083 100644
tunable_policy(`exim_can_connect_db',`
mysql_stream_connect(exim_t)
')
-@@ -184,6 +196,7 @@ optional_policy(`
+@@ -184,6 +195,7 @@ optional_policy(`
optional_policy(`
procmail_domtrans(exim_t)
@@ -17999,7 +18367,7 @@ index f590a1f..b1b13b0 100644
+ admin_pattern($1, fail2ban_tmp_t)
')
diff --git a/fail2ban.te b/fail2ban.te
-index 2a69e5e..78841e5 100644
+index 2a69e5e..64f9d4f 100644
--- a/fail2ban.te
+++ b/fail2ban.te
@@ -23,12 +23,19 @@ files_type(fail2ban_var_lib_t)
@@ -18045,15 +18413,17 @@ index 2a69e5e..78841e5 100644
kernel_read_system_state(fail2ban_t)
corecmd_exec_bin(fail2ban_t)
-@@ -66,6 +78,7 @@ corenet_sendrecv_whois_client_packets(fail2ban_t)
+@@ -66,8 +78,8 @@ corenet_sendrecv_whois_client_packets(fail2ban_t)
dev_read_urand(fail2ban_t)
domain_use_interactive_fds(fail2ban_t)
+domain_dontaudit_read_all_domains_state(fail2ban_t)
- files_read_etc_files(fail2ban_t)
+-files_read_etc_files(fail2ban_t)
files_read_etc_runtime_files(fail2ban_t)
-@@ -85,6 +98,9 @@ miscfiles_read_localization(fail2ban_t)
+ files_read_usr_files(fail2ban_t)
+ files_list_var(fail2ban_t)
+@@ -85,6 +97,9 @@ miscfiles_read_localization(fail2ban_t)
mta_send_mail(fail2ban_t)
@@ -18063,7 +18433,7 @@ index 2a69e5e..78841e5 100644
optional_policy(`
apache_read_log(fail2ban_t)
')
-@@ -94,5 +110,45 @@ optional_policy(`
+@@ -94,5 +109,44 @@ optional_policy(`
')
optional_policy(`
@@ -18097,7 +18467,6 @@ index 2a69e5e..78841e5 100644
+corecmd_exec_bin(fail2ban_client_t)
+
+# nsswitch.conf, passwd
-+files_read_etc_files(fail2ban_client_t)
+files_read_usr_files(fail2ban_client_t)
+files_search_pids(fail2ban_client_t)
+
@@ -18334,7 +18703,7 @@ index ac6626e..8fb83ef 100644
')
diff --git a/finger.te b/finger.te
-index 9b7036a..0cf2dbf 100644
+index 9b7036a..b223fa8 100644
--- a/finger.te
+++ b/finger.te
@@ -66,6 +66,7 @@ term_getattr_all_ttys(fingerd_t)
@@ -18345,6 +18714,14 @@ index 9b7036a..0cf2dbf 100644
corecmd_exec_bin(fingerd_t)
corecmd_exec_shell(fingerd_t)
+@@ -73,7 +74,6 @@ corecmd_exec_shell(fingerd_t)
+ domain_use_interactive_fds(fingerd_t)
+
+ files_search_home(fingerd_t)
+-files_read_etc_files(fingerd_t)
+ files_read_etc_runtime_files(fingerd_t)
+
+ init_read_utmp(fingerd_t)
diff --git a/firewalld.fc b/firewalld.fc
new file mode 100644
index 0000000..f440549
@@ -18655,10 +19032,10 @@ index 0000000..2bd5790
+')
diff --git a/firewallgui.te b/firewallgui.te
new file mode 100644
-index 0000000..c97a6ea
+index 0000000..3d0c142
--- /dev/null
+++ b/firewallgui.te
-@@ -0,0 +1,75 @@
+@@ -0,0 +1,74 @@
+policy_module(firewallgui,1.0.0)
+
+########################################
@@ -18700,7 +19077,6 @@ index 0000000..c97a6ea
+
+files_manage_system_conf_files(firewallgui_t)
+files_etc_filetrans_system_conf(firewallgui_t)
-+files_read_etc_files(firewallgui_t)
+files_read_usr_files(firewallgui_t)
+files_search_kernel_modules(firewallgui_t)
+files_list_kernel_modules(firewallgui_t)
@@ -18863,7 +19239,7 @@ index ebad8c4..640293e 100644
')
-
diff --git a/fprintd.te b/fprintd.te
-index 7df52c7..26422af 100644
+index 7df52c7..5b9e374 100644
--- a/fprintd.te
+++ b/fprintd.te
@@ -8,6 +8,7 @@ policy_module(fprintd, 1.1.0)
@@ -18887,7 +19263,15 @@ index 7df52c7..26422af 100644
manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
-@@ -54,4 +56,5 @@ optional_policy(`
+@@ -33,7 +35,6 @@ dev_list_usbfs(fprintd_t)
+ dev_rw_generic_usb_dev(fprintd_t)
+ dev_read_sysfs(fprintd_t)
+
+-files_read_etc_files(fprintd_t)
+ files_read_usr_files(fprintd_t)
+
+ fs_getattr_all_fs(fprintd_t)
+@@ -54,4 +55,5 @@ optional_policy(`
policykit_read_lib(fprintd_t)
policykit_dbus_chat(fprintd_t)
policykit_domtrans_auth(fprintd_t)
@@ -20362,10 +20746,10 @@ index 0000000..e15bbb0
+
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
-index 0000000..8dfb74a
+index 0000000..81fda2d
--- /dev/null
+++ b/glusterd.te
-@@ -0,0 +1,104 @@
+@@ -0,0 +1,103 @@
+policy_module(glusterd, 1.0.0)
+
+########################################
@@ -20454,7 +20838,6 @@ index 0000000..8dfb74a
+dev_read_sysfs(glusterd_t)
+dev_read_urand(glusterd_t)
+
-+files_read_etc_files(glusterd_t)
+files_read_usr_files(glusterd_t)
+files_rw_pid_dirs(glusterd_t)
+
@@ -22501,7 +22884,7 @@ index 6d50300..46cc164 100644
##
## Send generic signals to user gpg processes.
diff --git a/gpg.te b/gpg.te
-index 156820c..9cbbfd4 100644
+index 156820c..970165a 100644
--- a/gpg.te
+++ b/gpg.te
@@ -1,9 +1,10 @@
@@ -22616,7 +22999,15 @@ index 156820c..9cbbfd4 100644
manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
-@@ -116,22 +140,26 @@ logging_send_syslog_msg(gpg_t)
+@@ -106,7 +130,6 @@ fs_list_inotifyfs(gpg_t)
+
+ domain_use_interactive_fds(gpg_t)
+
+-files_read_etc_files(gpg_t)
+ files_read_usr_files(gpg_t)
+ files_dontaudit_search_var(gpg_t)
+
+@@ -116,22 +139,26 @@ logging_send_syslog_msg(gpg_t)
miscfiles_read_localization(gpg_t)
@@ -22651,7 +23042,7 @@ index 156820c..9cbbfd4 100644
')
optional_policy(`
-@@ -140,15 +168,19 @@ optional_policy(`
+@@ -140,15 +167,19 @@ optional_policy(`
')
optional_policy(`
@@ -22675,7 +23066,11 @@ index 156820c..9cbbfd4 100644
########################################
#
# GPG helper local policy
-@@ -184,7 +216,7 @@ files_read_etc_files(gpg_helper_t)
+@@ -180,11 +211,10 @@ corenet_tcp_bind_generic_node(gpg_helper_t)
+ corenet_udp_bind_generic_node(gpg_helper_t)
+ corenet_tcp_connect_all_ports(gpg_helper_t)
+
+-files_read_etc_files(gpg_helper_t)
auth_use_nsswitch(gpg_helper_t)
@@ -22684,7 +23079,7 @@ index 156820c..9cbbfd4 100644
tunable_policy(`use_nfs_home_dirs',`
fs_dontaudit_rw_nfs_files(gpg_helper_t)
-@@ -198,15 +230,17 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -198,15 +228,17 @@ tunable_policy(`use_samba_home_dirs',`
#
# GPG agent local policy
#
@@ -22703,7 +23098,7 @@ index 156820c..9cbbfd4 100644
manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
-@@ -232,34 +266,25 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
+@@ -232,34 +264,25 @@ fs_dontaudit_list_inotifyfs(gpg_agent_t)
miscfiles_read_localization(gpg_agent_t)
# Write to the user domain tty.
@@ -22742,7 +23137,7 @@ index 156820c..9cbbfd4 100644
optional_policy(`
mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
-@@ -294,6 +319,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
+@@ -294,6 +317,7 @@ fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
# read /proc/meminfo
kernel_read_system_state(gpg_pinentry_t)
@@ -22750,7 +23145,15 @@ index 156820c..9cbbfd4 100644
corecmd_exec_bin(gpg_pinentry_t)
corenet_all_recvfrom_netlabel(gpg_pinentry_t)
-@@ -325,13 +351,15 @@ miscfiles_read_localization(gpg_pinentry_t)
+@@ -310,7 +334,6 @@ dev_read_rand(gpg_pinentry_t)
+
+ files_read_usr_files(gpg_pinentry_t)
+ # read /etc/X11/qtrc
+-files_read_etc_files(gpg_pinentry_t)
+
+ fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
+ fs_getattr_tmpfs(gpg_pinentry_t)
+@@ -325,13 +348,15 @@ miscfiles_read_localization(gpg_pinentry_t)
# for .Xauthority
userdom_read_user_home_content_files(gpg_pinentry_t)
userdom_read_user_tmpfs_files(gpg_pinentry_t)
@@ -22771,7 +23174,7 @@ index 156820c..9cbbfd4 100644
')
optional_policy(`
-@@ -340,6 +368,12 @@ optional_policy(`
+@@ -340,6 +365,12 @@ optional_policy(`
')
optional_policy(`
@@ -22784,7 +23187,7 @@ index 156820c..9cbbfd4 100644
pulseaudio_exec(gpg_pinentry_t)
pulseaudio_rw_home_files(gpg_pinentry_t)
pulseaudio_setattr_home_dir(gpg_pinentry_t)
-@@ -349,4 +383,28 @@ optional_policy(`
+@@ -349,4 +380,28 @@ optional_policy(`
optional_policy(`
xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
@@ -22980,10 +23383,15 @@ index 2d0b4e1..69fb7c1 100644
########################################
diff --git a/hadoop.te b/hadoop.te
-index c81c58a..cbeafaa 100644
+index c81c58a..99bc7cb 100644
--- a/hadoop.te
+++ b/hadoop.te
-@@ -156,15 +156,19 @@ files_read_usr_files(hadoop_t)
+@@ -151,20 +151,23 @@ dev_read_urand(hadoop_t)
+ domain_use_interactive_fds(hadoop_t)
+
+ files_dontaudit_search_spool(hadoop_t)
+-files_read_etc_files(hadoop_t)
+ files_read_usr_files(hadoop_t)
fs_getattr_xattr_fs(hadoop_t)
@@ -23008,8 +23416,11 @@ index c81c58a..cbeafaa 100644
optional_policy(`
nis_use_ypbind(hadoop_t)
-@@ -336,17 +340,17 @@ domain_use_interactive_fds(zookeeper_t)
- files_read_etc_files(zookeeper_t)
+@@ -333,20 +336,19 @@ dev_read_urand(zookeeper_t)
+
+ domain_use_interactive_fds(zookeeper_t)
+
+-files_read_etc_files(zookeeper_t)
files_read_usr_files(zookeeper_t)
+auth_use_nsswitch(zookeeper_t)
@@ -23030,7 +23441,15 @@ index c81c58a..cbeafaa 100644
')
########################################
-@@ -432,4 +436,6 @@ miscfiles_read_localization(zookeeper_server_t)
+@@ -421,7 +423,6 @@ dev_read_rand(zookeeper_server_t)
+ dev_read_sysfs(zookeeper_server_t)
+ dev_read_urand(zookeeper_server_t)
+
+-files_read_etc_files(zookeeper_server_t)
+ files_read_usr_files(zookeeper_server_t)
+
+ fs_getattr_xattr_fs(zookeeper_server_t)
+@@ -432,4 +433,6 @@ miscfiles_read_localization(zookeeper_server_t)
sysnet_read_config(zookeeper_server_t)
@@ -23077,7 +23496,7 @@ index 7cf6763..9d2be6b 100644
+ dontaudit $1 hald_var_run_t:file read_inherited_file_perms;
+')
diff --git a/hal.te b/hal.te
-index e0476cb..8c6d661 100644
+index e0476cb..987f2c2 100644
--- a/hal.te
+++ b/hal.te
@@ -54,6 +54,9 @@ files_pid_file(hald_var_run_t)
@@ -23107,6 +23526,38 @@ index e0476cb..8c6d661 100644
kernel_search_network_sysctl(hald_t)
kernel_setsched(hald_t)
kernel_request_load_module(hald_t)
+@@ -139,7 +143,6 @@ domain_read_all_domains_state(hald_t)
+ domain_dontaudit_ptrace_all_domains(hald_t)
+
+ files_exec_etc_files(hald_t)
+-files_read_etc_files(hald_t)
+ files_rw_etc_runtime_files(hald_t)
+ files_manage_mnt_dirs(hald_t)
+ files_manage_mnt_files(hald_t)
+@@ -372,7 +375,6 @@ dev_setattr_generic_usb_dev(hald_acl_t)
+ dev_setattr_usbfs_files(hald_acl_t)
+
+ files_read_usr_files(hald_acl_t)
+-files_read_etc_files(hald_acl_t)
+
+ fs_getattr_all_fs(hald_acl_t)
+
+@@ -418,7 +420,6 @@ dev_write_raw_memory(hald_mac_t)
+ dev_read_sysfs(hald_mac_t)
+
+ files_read_usr_files(hald_mac_t)
+-files_read_etc_files(hald_mac_t)
+
+ auth_use_nsswitch(hald_mac_t)
+
+@@ -465,7 +466,6 @@ write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t)
+
+ dev_rw_input_dev(hald_keymap_t)
+
+-files_read_etc_files(hald_keymap_t)
+ files_read_usr_files(hald_keymap_t)
+
+ miscfiles_read_localization(hald_keymap_t)
diff --git a/hddtemp.if b/hddtemp.if
index 87b4531..901d905 100644
--- a/hddtemp.if
@@ -23202,7 +23653,7 @@ index ecab47a..6eddc6d 100644
-
')
diff --git a/icecast.te b/icecast.te
-index fdb7e9a..a1f2938 100644
+index fdb7e9a..795a6f1 100644
--- a/icecast.te
+++ b/icecast.te
@@ -5,6 +5,14 @@ policy_module(icecast, 1.1.0)
@@ -23220,7 +23671,7 @@ index fdb7e9a..a1f2938 100644
type icecast_t;
type icecast_exec_t;
init_daemon_domain(icecast_t, icecast_exec_t)
-@@ -39,7 +47,18 @@ files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir })
+@@ -39,12 +47,22 @@ files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir })
kernel_read_system_state(icecast_t)
@@ -23239,6 +23690,11 @@ index fdb7e9a..a1f2938 100644
# Init script handling
domain_use_interactive_fds(icecast_t)
+
+-files_read_etc_files(icecast_t)
+
+ auth_use_nsswitch(icecast_t)
+
diff --git a/ifplugd.if b/ifplugd.if
index dfb4232..35343f8 100644
--- a/ifplugd.if
@@ -23307,7 +23763,7 @@ index df48e5e..161814e 100644
########################################
diff --git a/inetd.te b/inetd.te
-index 10f25d3..307b8eb 100644
+index 10f25d3..99e3a15 100644
--- a/inetd.te
+++ b/inetd.te
@@ -38,9 +38,9 @@ ifdef(`enable_mcs',`
@@ -23353,7 +23809,15 @@ index 10f25d3..307b8eb 100644
corenet_sendrecv_swat_server_packets(inetd_t)
corenet_sendrecv_tftp_server_packets(inetd_t)
-@@ -150,7 +153,10 @@ miscfiles_read_localization(inetd_t)
+@@ -137,7 +140,6 @@ corecmd_read_bin_symlinks(inetd_t)
+
+ domain_use_interactive_fds(inetd_t)
+
+-files_read_etc_files(inetd_t)
+ files_read_etc_runtime_files(inetd_t)
+
+ auth_use_nsswitch(inetd_t)
+@@ -150,7 +152,10 @@ miscfiles_read_localization(inetd_t)
mls_fd_share_all_levels(inetd_t)
mls_socket_read_to_clearance(inetd_t)
mls_socket_write_to_clearance(inetd_t)
@@ -23364,7 +23828,7 @@ index 10f25d3..307b8eb 100644
sysnet_read_config(inetd_t)
-@@ -177,6 +183,10 @@ optional_policy(`
+@@ -177,6 +182,10 @@ optional_policy(`
')
optional_policy(`
@@ -23375,6 +23839,14 @@ index 10f25d3..307b8eb 100644
udev_read_db(inetd_t)
')
+@@ -223,7 +232,6 @@ dev_read_urand(inetd_child_t)
+
+ fs_getattr_xattr_fs(inetd_child_t)
+
+-files_read_etc_files(inetd_child_t)
+ files_read_etc_runtime_files(inetd_child_t)
+
+ auth_use_nsswitch(inetd_child_t)
diff --git a/inn.if b/inn.if
index ebc9e0d..2c4b5da 100644
--- a/inn.if
@@ -23528,7 +24000,7 @@ index 4f9dc90..81a0fc6 100644
+ relabel_lnk_files_pattern($2, irssi_home_t, irssi_home_t)
')
diff --git a/irc.te b/irc.te
-index 6e2dbd2..f174f68 100644
+index 6e2dbd2..e3c7e9b 100644
--- a/irc.te
+++ b/irc.te
@@ -19,7 +19,31 @@ userdom_user_home_content(irc_home_t)
@@ -23564,7 +24036,15 @@ index 6e2dbd2..f174f68 100644
########################################
#
-@@ -83,20 +107,75 @@ seutil_use_newrole_fds(irc_t)
+@@ -62,7 +86,6 @@ domain_use_interactive_fds(irc_t)
+
+ files_dontaudit_search_pids(irc_t)
+ files_search_var(irc_t)
+-files_read_etc_files(irc_t)
+ files_read_usr_files(irc_t)
+
+ fs_getattr_xattr_fs(irc_t)
+@@ -83,20 +106,75 @@ seutil_use_newrole_fds(irc_t)
sysnet_read_config(irc_t)
# Write to the user domain tty.
@@ -23689,7 +24169,7 @@ index 14d9670..358255e 100644
+/usr/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
+/usr/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
diff --git a/iscsi.te b/iscsi.te
-index 8bcfa2f..93450ef 100644
+index 8bcfa2f..b3547c6 100644
--- a/iscsi.te
+++ b/iscsi.te
@@ -31,7 +31,6 @@ files_pid_file(iscsi_var_run_t)
@@ -23708,7 +24188,7 @@ index 8bcfa2f..93450ef 100644
corenet_all_recvfrom_unlabeled(iscsid_t)
corenet_all_recvfrom_netlabel(iscsid_t)
-@@ -75,9 +75,12 @@ corenet_tcp_sendrecv_all_ports(iscsid_t)
+@@ -75,14 +75,16 @@ corenet_tcp_sendrecv_all_ports(iscsid_t)
corenet_tcp_connect_http_port(iscsid_t)
corenet_tcp_connect_iscsi_port(iscsid_t)
corenet_tcp_connect_isns_port(iscsid_t)
@@ -23721,6 +24201,11 @@ index 8bcfa2f..93450ef 100644
domain_use_interactive_fds(iscsid_t)
domain_dontaudit_read_all_domains_state(iscsid_t)
+
+-files_read_etc_files(iscsid_t)
+
+ auth_use_nsswitch(iscsid_t)
+
diff --git a/isnsd.fc b/isnsd.fc
new file mode 100644
index 0000000..3e29080
@@ -24180,10 +24665,10 @@ index 9878499..8643cd3 100644
- admin_pattern($1, jabberd_var_run_t)
')
diff --git a/jabber.te b/jabber.te
-index 53e53ca..91bdd44 100644
+index 53e53ca..635f84e 100644
--- a/jabber.te
+++ b/jabber.te
-@@ -1,94 +1,154 @@
+@@ -1,94 +1,153 @@
-policy_module(jabber, 1.9.0)
+policy_module(jabber, 1.8.0)
@@ -24387,7 +24872,6 @@ index 53e53ca..91bdd44 100644
+dev_read_urand(jabberd_domain)
+dev_read_sysfs(jabberd_domain)
+
-+files_read_etc_files(jabberd_domain)
+files_read_etc_runtime_files(jabberd_domain)
+
+logging_send_syslog_msg(jabberd_domain)
@@ -25745,6 +26229,18 @@ index 835b16b..8a98c76 100644
+ files_list_tmp($1)
admin_pattern($1, kerneloops_tmp_t)
')
+diff --git a/kerneloops.te b/kerneloops.te
+index 6b35547..97b6483 100644
+--- a/kerneloops.te
++++ b/kerneloops.te
+@@ -40,7 +40,6 @@ corenet_tcp_sendrecv_all_ports(kerneloops_t)
+ corenet_tcp_bind_http_port(kerneloops_t)
+ corenet_tcp_connect_http_port(kerneloops_t)
+
+-files_read_etc_files(kerneloops_t)
+
+ auth_use_nsswitch(kerneloops_t)
+
diff --git a/keyboardd.fc b/keyboardd.fc
new file mode 100644
index 0000000..485aacc
@@ -26159,10 +26655,15 @@ index c18c920..582f7f3 100644
kismet_manage_pid_files($1)
kismet_manage_lib($1)
diff --git a/kismet.te b/kismet.te
-index 9dd6880..4b7fa27 100644
+index 9dd6880..cb634e4 100644
--- a/kismet.te
+++ b/kismet.te
-@@ -91,7 +91,7 @@ files_read_usr_files(kismet_t)
+@@ -86,12 +86,11 @@ corenet_tcp_connect_pulseaudio_port(kismet_t)
+
+ auth_use_nsswitch(kismet_t)
+
+-files_read_etc_files(kismet_t)
+ files_read_usr_files(kismet_t)
miscfiles_read_localization(kismet_t)
@@ -26205,7 +26706,7 @@ index 6fd0b4c..568f842 100644
files_list_pids($1)
admin_pattern($1, ksmtuned_var_run_t)
diff --git a/ksmtuned.te b/ksmtuned.te
-index a73b7a1..d845f46 100644
+index a73b7a1..9707887 100644
--- a/ksmtuned.te
+++ b/ksmtuned.te
@@ -9,6 +9,9 @@ type ksmtuned_t;
@@ -26233,7 +26734,7 @@ index a73b7a1..d845f46 100644
manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t)
files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file)
-@@ -31,9 +38,19 @@ kernel_read_system_state(ksmtuned_t)
+@@ -31,9 +38,18 @@ kernel_read_system_state(ksmtuned_t)
dev_rw_sysfs(ksmtuned_t)
domain_read_all_domains_state(ksmtuned_t)
@@ -26241,24 +26742,27 @@ index a73b7a1..d845f46 100644
corecmd_exec_bin(ksmtuned_t)
+corecmd_exec_shell(ksmtuned_t)
-
- files_read_etc_files(ksmtuned_t)
-
++
++
+mls_file_read_to_clearance(ksmtuned_t)
+
+term_use_all_inherited_terms(ksmtuned_t)
+
+auth_use_nsswitch(ksmtuned_t)
-+
+
+-files_read_etc_files(ksmtuned_t)
+logging_send_syslog_msg(ksmtuned_t)
-+
+
miscfiles_read_localization(ksmtuned_t)
diff --git a/ktalk.te b/ktalk.te
-index ca5cfdf..554ad30 100644
+index ca5cfdf..cdaeee8 100644
--- a/ktalk.te
+++ b/ktalk.te
-@@ -68,7 +68,7 @@ fs_getattr_xattr_fs(ktalkd_t)
- files_read_etc_files(ktalkd_t)
+@@ -65,10 +65,9 @@ dev_read_urand(ktalkd_t)
+
+ fs_getattr_xattr_fs(ktalkd_t)
+
+-files_read_etc_files(ktalkd_t)
term_search_ptys(ktalkd_t)
-term_use_all_terms(ktalkd_t)
@@ -26791,7 +27295,7 @@ index 3aa8fa7..9539b76 100644
+ allow $1 ldap_unit_file_t:service all_service_perms;
')
diff --git a/ldap.te b/ldap.te
-index 64fd1ff..47c43ab 100644
+index 64fd1ff..fe76c32 100644
--- a/ldap.te
+++ b/ldap.te
@@ -10,7 +10,7 @@ type slapd_exec_t;
@@ -26851,7 +27355,13 @@ index 64fd1ff..47c43ab 100644
kernel_read_system_state(slapd_t)
kernel_read_kernel_sysctls(slapd_t)
-@@ -106,6 +123,7 @@ files_read_usr_files(slapd_t)
+@@ -100,12 +117,12 @@ fs_search_auto_mountpoints(slapd_t)
+
+ domain_use_interactive_fds(slapd_t)
+
+-files_read_etc_files(slapd_t)
+ files_read_etc_runtime_files(slapd_t)
+ files_read_usr_files(slapd_t)
files_list_var_lib(slapd_t)
auth_use_nsswitch(slapd_t)
@@ -26859,7 +27369,7 @@ index 64fd1ff..47c43ab 100644
logging_send_syslog_msg(slapd_t)
-@@ -117,6 +135,9 @@ userdom_dontaudit_search_user_home_dirs(slapd_t)
+@@ -117,6 +134,9 @@ userdom_dontaudit_search_user_home_dirs(slapd_t)
optional_policy(`
kerberos_keytab_template(slapd, slapd_t)
@@ -27444,7 +27954,7 @@ index 572b5db..1e55f43 100644
+userdom_use_inherited_user_terminals(lockdev_t)
+
diff --git a/logrotate.te b/logrotate.te
-index 7090dae..51123b2 100644
+index 7090dae..0b9e946 100644
--- a/logrotate.te
+++ b/logrotate.te
@@ -29,9 +29,7 @@ files_type(logrotate_var_lib_t)
@@ -27490,7 +28000,15 @@ index 7090dae..51123b2 100644
domain_signal_all_domains(logrotate_t)
domain_use_interactive_fds(logrotate_t)
-@@ -102,6 +104,7 @@ files_read_var_lib_files(logrotate_t)
+@@ -93,7 +95,6 @@ domain_getattr_all_entry_files(logrotate_t)
+ domain_read_all_domains_state(logrotate_t)
+
+ files_read_usr_files(logrotate_t)
+-files_read_etc_files(logrotate_t)
+ files_read_etc_runtime_files(logrotate_t)
+ files_read_all_pids(logrotate_t)
+ files_search_all(logrotate_t)
+@@ -102,6 +103,7 @@ files_read_var_lib_files(logrotate_t)
files_manage_generic_spool(logrotate_t)
files_manage_generic_spool_dirs(logrotate_t)
files_getattr_generic_locks(logrotate_t)
@@ -27498,7 +28016,7 @@ index 7090dae..51123b2 100644
# cjp: why is this needed?
init_domtrans_script(logrotate_t)
-@@ -116,17 +119,17 @@ miscfiles_read_localization(logrotate_t)
+@@ -116,17 +118,17 @@ miscfiles_read_localization(logrotate_t)
seutil_dontaudit_read_config(logrotate_t)
@@ -27523,7 +28041,7 @@ index 7090dae..51123b2 100644
# for savelog
can_exec(logrotate_t, logrotate_exec_t)
-@@ -138,7 +141,7 @@ ifdef(`distro_debian', `
+@@ -138,7 +140,7 @@ ifdef(`distro_debian', `
')
optional_policy(`
@@ -27532,7 +28050,7 @@ index 7090dae..51123b2 100644
')
optional_policy(`
-@@ -154,6 +157,10 @@ optional_policy(`
+@@ -154,6 +156,10 @@ optional_policy(`
')
optional_policy(`
@@ -27543,7 +28061,7 @@ index 7090dae..51123b2 100644
asterisk_domtrans(logrotate_t)
')
-@@ -162,10 +169,20 @@ optional_policy(`
+@@ -162,10 +168,20 @@ optional_policy(`
')
optional_policy(`
@@ -27564,7 +28082,7 @@ index 7090dae..51123b2 100644
cups_domtrans(logrotate_t)
')
-@@ -178,6 +195,10 @@ optional_policy(`
+@@ -178,6 +194,10 @@ optional_policy(`
')
optional_policy(`
@@ -27575,7 +28093,7 @@ index 7090dae..51123b2 100644
icecast_signal(logrotate_t)
')
-@@ -194,15 +215,19 @@ optional_policy(`
+@@ -194,15 +214,19 @@ optional_policy(`
')
optional_policy(`
@@ -27596,7 +28114,7 @@ index 7090dae..51123b2 100644
optional_policy(`
samba_exec_log(logrotate_t)
-@@ -228,3 +253,14 @@ optional_policy(`
+@@ -228,3 +252,14 @@ optional_policy(`
optional_policy(`
varnishd_manage_log(logrotate_t)
')
@@ -27628,7 +28146,7 @@ index 3c7b1e8..1e155f5 100644
+
+/var/run/epylog\.pid gen_context(system_u:object_r:logwatch_var_run_t,s0)
diff --git a/logwatch.te b/logwatch.te
-index 75ce30f..47aa9f5 100644
+index 75ce30f..57f0320 100644
--- a/logwatch.te
+++ b/logwatch.te
@@ -7,6 +7,7 @@ policy_module(logwatch, 1.11.0)
@@ -27662,15 +28180,17 @@ index 75ce30f..47aa9f5 100644
kernel_read_fs_sysctls(logwatch_t)
kernel_read_kernel_sysctls(logwatch_t)
kernel_read_system_state(logwatch_t)
-@@ -58,6 +68,7 @@ files_list_var(logwatch_t)
+@@ -56,8 +66,8 @@ domain_read_all_domains_state(logwatch_t)
+
+ files_list_var(logwatch_t)
files_read_var_symlinks(logwatch_t)
- files_read_etc_files(logwatch_t)
+-files_read_etc_files(logwatch_t)
files_read_etc_runtime_files(logwatch_t)
+files_read_system_conf_files(logwatch_t)
files_read_usr_files(logwatch_t)
files_search_spool(logwatch_t)
files_search_mnt(logwatch_t)
-@@ -70,6 +81,10 @@ fs_getattr_all_fs(logwatch_t)
+@@ -70,6 +80,10 @@ fs_getattr_all_fs(logwatch_t)
fs_dontaudit_list_auto_mountpoints(logwatch_t)
fs_list_inotifyfs(logwatch_t)
@@ -27681,7 +28201,7 @@ index 75ce30f..47aa9f5 100644
term_dontaudit_getattr_pty_dirs(logwatch_t)
term_dontaudit_list_ptys(logwatch_t)
-@@ -92,11 +107,14 @@ sysnet_dns_name_resolve(logwatch_t)
+@@ -92,11 +106,14 @@ sysnet_dns_name_resolve(logwatch_t)
sysnet_exec_ifconfig(logwatch_t)
userdom_dontaudit_search_user_home_dirs(logwatch_t)
@@ -27697,7 +28217,7 @@ index 75ce30f..47aa9f5 100644
files_getattr_all_file_type_fs(logwatch_t)
')
-@@ -145,3 +163,24 @@ optional_policy(`
+@@ -145,3 +162,24 @@ optional_policy(`
samba_read_log(logwatch_t)
samba_read_share_files(logwatch_t)
')
@@ -27807,7 +28327,7 @@ index a4f32f5..628b63c 100644
## in the caller domain.
##
diff --git a/lpd.te b/lpd.te
-index a03b63a..e154044 100644
+index a03b63a..9b3ca81 100644
--- a/lpd.te
+++ b/lpd.te
@@ -45,14 +45,14 @@ userdom_user_tmp_file(lpr_tmp_t)
@@ -27836,7 +28356,15 @@ index a03b63a..e154044 100644
allow checkpc_t printconf_t:dir list_dir_perms;
kernel_read_system_state(checkpc_t)
-@@ -111,7 +111,7 @@ init_use_fds(checkpc_t)
+@@ -102,7 +102,6 @@ corecmd_exec_bin(checkpc_t)
+
+ domain_use_interactive_fds(checkpc_t)
+
+-files_read_etc_files(checkpc_t)
+ files_read_etc_runtime_files(checkpc_t)
+
+ init_use_script_ptys(checkpc_t)
+@@ -111,7 +110,7 @@ init_use_fds(checkpc_t)
sysnet_read_config(checkpc_t)
@@ -27845,7 +28373,7 @@ index a03b63a..e154044 100644
optional_policy(`
cron_system_entry(checkpc_t, checkpc_exec_t)
-@@ -143,9 +143,10 @@ manage_dirs_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t)
+@@ -143,9 +142,10 @@ manage_dirs_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t)
manage_files_pattern(lpd_t, lpd_tmp_t, lpd_tmp_t)
files_tmp_filetrans(lpd_t, lpd_tmp_t, { file dir })
@@ -27857,7 +28385,23 @@ index a03b63a..e154044 100644
# Write to /var/spool/lpd.
manage_files_pattern(lpd_t, print_spool_t, print_spool_t)
-@@ -275,19 +276,20 @@ miscfiles_read_localization(lpr_t)
+@@ -197,7 +197,6 @@ files_list_var_lib(lpd_t)
+ files_read_var_lib_files(lpd_t)
+ files_read_var_lib_symlinks(lpd_t)
+ # config files for lpd are of type etc_t, probably should change this
+-files_read_etc_files(lpd_t)
+
+ logging_send_syslog_msg(lpd_t)
+
+@@ -256,7 +255,6 @@ domain_use_interactive_fds(lpr_t)
+
+ files_search_spool(lpr_t)
+ # for lpd config files (should have a new type)
+-files_read_etc_files(lpr_t)
+ # for test print
+ files_read_usr_files(lpr_t)
+ #Added to cover read_content macro
+@@ -275,19 +273,20 @@ miscfiles_read_localization(lpr_t)
userdom_read_user_tmp_symlinks(lpr_t)
# Write to the user domain tty.
@@ -27883,7 +28427,7 @@ index a03b63a..e154044 100644
# Send SIGHUP to lpd.
allow lpr_t lpd_t:process signal;
-@@ -305,17 +307,7 @@ tunable_policy(`use_lpd_server',`
+@@ -305,17 +304,7 @@ tunable_policy(`use_lpd_server',`
read_lnk_files_pattern(lpr_t, printconf_t, printconf_t)
')
@@ -27902,7 +28446,7 @@ index a03b63a..e154044 100644
optional_policy(`
cups_read_config(lpr_t)
-@@ -324,5 +316,13 @@ optional_policy(`
+@@ -324,5 +313,13 @@ optional_policy(`
')
optional_policy(`
@@ -29076,10 +29620,10 @@ index db4fd6f..650014e 100644
admin_pattern($1, memcached_var_run_t)
')
diff --git a/memcached.te b/memcached.te
-index b681608..be4b196 100644
+index b681608..9ad4b2e 100644
--- a/memcached.te
+++ b/memcached.te
-@@ -42,7 +42,8 @@ corenet_udp_bind_memcache_port(memcached_t)
+@@ -42,12 +42,12 @@ corenet_udp_bind_memcache_port(memcached_t)
manage_dirs_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
@@ -29089,6 +29633,11 @@ index b681608..be4b196 100644
kernel_read_kernel_sysctls(memcached_t)
kernel_read_system_state(memcached_t)
+
+-files_read_etc_files(memcached_t)
+
+ term_dontaudit_use_all_ptys(memcached_t)
+ term_dontaudit_use_all_ttys(memcached_t)
diff --git a/milter.fc b/milter.fc
index 1ec5a6c..cbcad00 100644
--- a/milter.fc
@@ -29583,10 +30132,10 @@ index 0000000..7f6f2d6
+')
diff --git a/mock.te b/mock.te
new file mode 100644
-index 0000000..621fc5a
+index 0000000..00d38c5
--- /dev/null
+++ b/mock.te
-@@ -0,0 +1,253 @@
+@@ -0,0 +1,251 @@
+policy_module(mock,1.0.0)
+
+##
@@ -29687,7 +30236,6 @@ index 0000000..621fc5a
+domain_read_all_domains_state(mock_t)
+domain_use_interactive_fds(mock_t)
+
-+files_read_etc_files(mock_t)
+files_read_etc_runtime_files(mock_t)
+files_read_usr_files(mock_t)
+files_dontaudit_list_boot(mock_t)
@@ -29819,7 +30367,6 @@ index 0000000..621fc5a
+domain_dontaudit_read_all_domains_state(mock_build_t)
+domain_use_interactive_fds(mock_build_t)
+
-+files_read_etc_files(mock_build_t)
+files_read_usr_files(mock_build_t)
+files_dontaudit_list_boot(mock_build_t)
+
@@ -30290,7 +30837,7 @@ index b397fde..30bfefb 100644
+')
+
diff --git a/mozilla.te b/mozilla.te
-index 0724816..8a17b85 100644
+index 0724816..843cde4 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -12,14 +12,22 @@ policy_module(mozilla, 2.5.3)
@@ -30354,7 +30901,15 @@ index 0724816..8a17b85 100644
corenet_tcp_sendrecv_ipp_port(mozilla_t)
corenet_tcp_connect_http_port(mozilla_t)
corenet_tcp_connect_http_cache_port(mozilla_t)
-@@ -155,6 +176,8 @@ fs_rw_tmpfs_files(mozilla_t)
+@@ -140,7 +161,6 @@ domain_dontaudit_read_all_domains_state(mozilla_t)
+
+ files_read_etc_runtime_files(mozilla_t)
+ files_read_usr_files(mozilla_t)
+-files_read_etc_files(mozilla_t)
+ # /var/lib
+ files_read_var_lib_files(mozilla_t)
+ # interacting with gstreamer
+@@ -155,6 +175,8 @@ fs_rw_tmpfs_files(mozilla_t)
term_dontaudit_getattr_pty_dirs(mozilla_t)
@@ -30363,7 +30918,7 @@ index 0724816..8a17b85 100644
logging_send_syslog_msg(mozilla_t)
miscfiles_read_fonts(mozilla_t)
-@@ -164,29 +187,23 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
+@@ -164,29 +186,23 @@ miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
# Browse the web, connect to printer
sysnet_dns_name_resolve(mozilla_t)
@@ -30400,7 +30955,7 @@ index 0724816..8a17b85 100644
# Uploads, local html
tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
-@@ -263,6 +280,7 @@ optional_policy(`
+@@ -263,6 +279,7 @@ optional_policy(`
optional_policy(`
gnome_stream_connect_gconf(mozilla_t)
gnome_manage_config(mozilla_t)
@@ -30408,7 +30963,7 @@ index 0724816..8a17b85 100644
')
optional_policy(`
-@@ -283,7 +301,8 @@ optional_policy(`
+@@ -283,7 +300,8 @@ optional_policy(`
')
optional_policy(`
@@ -30418,7 +30973,7 @@ index 0724816..8a17b85 100644
pulseaudio_stream_connect(mozilla_t)
pulseaudio_manage_home_files(mozilla_t)
')
-@@ -297,25 +316,35 @@ optional_policy(`
+@@ -297,25 +315,35 @@ optional_policy(`
# mozilla_plugin local policy
#
@@ -30462,7 +31017,7 @@ index 0724816..8a17b85 100644
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
-@@ -323,31 +352,47 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
+@@ -323,31 +351,47 @@ manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plug
manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
@@ -30516,7 +31071,7 @@ index 0724816..8a17b85 100644
dev_read_video_dev(mozilla_plugin_t)
dev_write_video_dev(mozilla_plugin_t)
dev_read_sysfs(mozilla_plugin_t)
-@@ -356,6 +401,7 @@ dev_write_sound(mozilla_plugin_t)
+@@ -356,6 +400,7 @@ dev_write_sound(mozilla_plugin_t)
# for nvidia driver
dev_rw_xserver_misc(mozilla_plugin_t)
dev_dontaudit_rw_dri(mozilla_plugin_t)
@@ -30524,7 +31079,7 @@ index 0724816..8a17b85 100644
domain_use_interactive_fds(mozilla_plugin_t)
domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
-@@ -363,15 +409,23 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
+@@ -363,15 +408,23 @@ domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
files_read_config_files(mozilla_plugin_t)
files_read_usr_files(mozilla_plugin_t)
files_list_mnt(mozilla_plugin_t)
@@ -30548,7 +31103,7 @@ index 0724816..8a17b85 100644
logging_send_syslog_msg(mozilla_plugin_t)
miscfiles_read_localization(mozilla_plugin_t)
-@@ -384,35 +438,27 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
+@@ -384,35 +437,27 @@ sysnet_dns_name_resolve(mozilla_plugin_t)
term_getattr_all_ttys(mozilla_plugin_t)
term_getattr_all_ptys(mozilla_plugin_t)
@@ -30596,7 +31151,7 @@ index 0724816..8a17b85 100644
optional_policy(`
alsa_read_rw_config(mozilla_plugin_t)
-@@ -422,24 +468,36 @@ optional_policy(`
+@@ -422,24 +467,37 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(mozilla_plugin_t)
dbus_session_bus_client(mozilla_plugin_t)
@@ -30613,6 +31168,7 @@ index 0724816..8a17b85 100644
gnome_manage_config(mozilla_plugin_t)
+ gnome_read_usr_config(mozilla_plugin_t)
+ gnome_filetrans_home_content(mozilla_plugin_t)
++ gnome_exec_gstreamer_home_files(mozilla_plugin_t)
')
optional_policy(`
@@ -30637,7 +31193,7 @@ index 0724816..8a17b85 100644
')
optional_policy(`
-@@ -447,10 +505,102 @@ optional_policy(`
+@@ -447,10 +505,104 @@ optional_policy(`
pulseaudio_stream_connect(mozilla_plugin_t)
pulseaudio_setattr_home_dir(mozilla_plugin_t)
pulseaudio_manage_home_files(mozilla_plugin_t)
@@ -30666,7 +31222,7 @@ index 0724816..8a17b85 100644
+ xserver_read_user_xauth(mozilla_plugin_t)
+ xserver_append_xdm_home_files(mozilla_plugin_t)
+ xserver_dontaudit_xdm_tmp_dirs(mozilla_plugin_t)
- ')
++')
+
+########################################
+#
@@ -30704,7 +31260,6 @@ index 0724816..8a17b85 100644
+
+domain_use_interactive_fds(mozilla_plugin_config_t)
+
-+files_read_etc_files(mozilla_plugin_config_t)
+files_read_usr_files(mozilla_plugin_config_t)
+files_dontaudit_search_home(mozilla_plugin_config_t)
+files_list_tmp(mozilla_plugin_config_t)
@@ -30740,6 +31295,9 @@ index 0724816..8a17b85 100644
+ userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file })
+')
+
++tunable_policy(`selinuxuser_execmod',`
++ userdom_execmod_user_home_files(mozilla_plugin_t)
+ ')
diff --git a/mpd.fc b/mpd.fc
index ddc14d6..c74bf3d 100644
--- a/mpd.fc
@@ -30863,7 +31421,7 @@ index d8ea41d..8bdc526 100644
+ domtrans_pattern($1, mplayer_exec_t, $2)
+')
diff --git a/mplayer.te b/mplayer.te
-index 0cdea57..55015bf 100644
+index 0cdea57..85c6ad2 100644
--- a/mplayer.te
+++ b/mplayer.te
@@ -10,7 +10,7 @@ policy_module(mplayer, 2.4.0)
@@ -30961,7 +31519,15 @@ index 0cdea57..55015bf 100644
manage_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
manage_lnk_files_pattern(mplayer_t, mplayer_tmpfs_t, mplayer_tmpfs_t)
-@@ -222,10 +184,14 @@ fs_dontaudit_getattr_all_fs(mplayer_t)
+@@ -206,7 +168,6 @@ domain_use_interactive_fds(mplayer_t)
+ # Access to DVD/CD/V4L
+ storage_raw_read_removable_device(mplayer_t)
+
+-files_read_etc_files(mplayer_t)
+ files_dontaudit_list_non_security(mplayer_t)
+ files_dontaudit_getattr_non_security_files(mplayer_t)
+ files_read_non_security_files(mplayer_t)
+@@ -222,10 +183,14 @@ fs_dontaudit_getattr_all_fs(mplayer_t)
fs_search_auto_mountpoints(mplayer_t)
fs_list_inotifyfs(mplayer_t)
@@ -30977,7 +31543,7 @@ index 0cdea57..55015bf 100644
# Read media files
userdom_list_user_tmp(mplayer_t)
userdom_read_user_tmp_files(mplayer_t)
-@@ -233,6 +199,7 @@ userdom_read_user_tmp_symlinks(mplayer_t)
+@@ -233,6 +198,7 @@ userdom_read_user_tmp_symlinks(mplayer_t)
userdom_read_user_home_content_files(mplayer_t)
userdom_read_user_home_content_symlinks(mplayer_t)
userdom_write_user_tmp_sockets(mplayer_t)
@@ -30985,7 +31551,7 @@ index 0cdea57..55015bf 100644
xserver_user_x_domain_template(mplayer, mplayer_t, mplayer_tmpfs_t)
-@@ -243,62 +210,31 @@ ifdef(`enable_mls',`',`
+@@ -243,62 +209,31 @@ ifdef(`enable_mls',`',`
fs_read_removable_symlinks(mplayer_t)
')
@@ -31057,7 +31623,7 @@ index 0cdea57..55015bf 100644
optional_policy(`
diff --git a/mrtg.te b/mrtg.te
-index 0e19d80..a3a38b1 100644
+index 0e19d80..7f822c5 100644
--- a/mrtg.te
+++ b/mrtg.te
@@ -43,9 +43,12 @@ read_lnk_files_pattern(mrtg_t, mrtg_etc_t, mrtg_etc_t)
@@ -31073,7 +31639,15 @@ index 0e19d80..a3a38b1 100644
manage_files_pattern(mrtg_t, mrtg_log_t, mrtg_log_t)
logging_log_filetrans(mrtg_t, mrtg_log_t, { file dir })
-@@ -112,9 +115,10 @@ miscfiles_read_localization(mrtg_t)
+@@ -88,7 +91,6 @@ files_getattr_tmp_dirs(mrtg_t)
+ # for uptime
+ files_read_etc_runtime_files(mrtg_t)
+ # read config files
+-files_read_etc_files(mrtg_t)
+
+ fs_search_auto_mountpoints(mrtg_t)
+ fs_getattr_xattr_fs(mrtg_t)
+@@ -112,9 +114,10 @@ miscfiles_read_localization(mrtg_t)
selinux_dontaudit_getattr_dir(mrtg_t)
@@ -32243,7 +32817,7 @@ index c358d8f..7c097ec 100644
init_labeled_script_domtrans($1, munin_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/munin.te b/munin.te
-index f17583b..601d1dd 100644
+index f17583b..d6ebc6b 100644
--- a/munin.te
+++ b/munin.te
@@ -5,6 +5,8 @@ policy_module(munin, 1.8.0)
@@ -32297,7 +32871,15 @@ index f17583b..601d1dd 100644
kernel_read_system_state(munin_t)
kernel_read_network_state(munin_t)
-@@ -116,6 +126,7 @@ logging_read_all_logs(munin_t)
+@@ -101,7 +111,6 @@ dev_read_urand(munin_t)
+ domain_use_interactive_fds(munin_t)
+ domain_read_all_domains_state(munin_t)
+
+-files_read_etc_files(munin_t)
+ files_read_etc_runtime_files(munin_t)
+ files_read_usr_files(munin_t)
+ files_list_spool(munin_t)
+@@ -116,6 +125,7 @@ logging_read_all_logs(munin_t)
miscfiles_read_fonts(munin_t)
miscfiles_read_localization(munin_t)
@@ -32305,7 +32887,7 @@ index f17583b..601d1dd 100644
sysnet_exec_ifconfig(munin_t)
-@@ -145,6 +156,7 @@ optional_policy(`
+@@ -145,6 +155,7 @@ optional_policy(`
optional_policy(`
mta_read_config(munin_t)
mta_send_mail(munin_t)
@@ -32313,7 +32895,7 @@ index f17583b..601d1dd 100644
mta_read_queue(munin_t)
')
-@@ -159,6 +171,7 @@ optional_policy(`
+@@ -159,6 +170,7 @@ optional_policy(`
optional_policy(`
postfix_list_spool(munin_t)
@@ -32321,7 +32903,7 @@ index f17583b..601d1dd 100644
')
optional_policy(`
-@@ -182,6 +195,7 @@ optional_policy(`
+@@ -182,6 +194,7 @@ optional_policy(`
# local policy for disk plugins
#
@@ -32329,9 +32911,11 @@ index f17583b..601d1dd 100644
allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
-@@ -192,13 +206,13 @@ corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
+@@ -190,15 +203,14 @@ corecmd_exec_shell(disk_munin_plugin_t)
+
+ corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
- files_read_etc_files(disk_munin_plugin_t)
+-files_read_etc_files(disk_munin_plugin_t)
files_read_etc_runtime_files(disk_munin_plugin_t)
+files_read_usr_files(disk_munin_plugin_t)
@@ -32346,7 +32930,7 @@ index f17583b..601d1dd 100644
sysnet_read_config(disk_munin_plugin_t)
-@@ -221,30 +235,43 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+@@ -221,30 +233,43 @@ rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
dev_read_urand(mail_munin_plugin_t)
@@ -32397,7 +32981,7 @@ index f17583b..601d1dd 100644
allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
allow services_munin_plugin_t self:udp_socket create_socket_perms;
allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -255,13 +282,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
+@@ -255,13 +280,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
dev_read_urand(services_munin_plugin_t)
dev_read_rand(services_munin_plugin_t)
@@ -32412,7 +32996,7 @@ index f17583b..601d1dd 100644
cups_stream_connect(services_munin_plugin_t)
')
-@@ -279,6 +303,10 @@ optional_policy(`
+@@ -279,6 +301,10 @@ optional_policy(`
')
optional_policy(`
@@ -32423,7 +33007,7 @@ index f17583b..601d1dd 100644
postgresql_stream_connect(services_munin_plugin_t)
')
-@@ -286,6 +314,10 @@ optional_policy(`
+@@ -286,6 +312,10 @@ optional_policy(`
snmp_read_snmp_var_lib_files(services_munin_plugin_t)
')
@@ -32434,7 +33018,7 @@ index f17583b..601d1dd 100644
##################################
#
# local policy for system plugins
-@@ -295,21 +327,53 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
+@@ -295,21 +325,52 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
@@ -32483,7 +33067,6 @@ index f17583b..601d1dd 100644
+corecmd_exec_shell(munin_plugin_domain)
+
+files_search_var_lib(munin_plugin_domain)
-+files_read_etc_files(munin_plugin_domain)
+files_read_usr_files(munin_plugin_domain)
+
+fs_getattr_all_fs(munin_plugin_domain)
@@ -32761,7 +33344,7 @@ index e9c0982..404ed6d 100644
+ mysql_stream_connect($1)
')
diff --git a/mysql.te b/mysql.te
-index 1cf05a3..c7badcf 100644
+index 1cf05a3..7289391 100644
--- a/mysql.te
+++ b/mysql.te
@@ -29,6 +29,12 @@ files_type(mysqld_db_t)
@@ -32814,7 +33397,15 @@ index 1cf05a3..c7badcf 100644
corenet_all_recvfrom_unlabeled(mysqld_t)
corenet_all_recvfrom_netlabel(mysqld_t)
corenet_tcp_sendrecv_generic_if(mysqld_t)
-@@ -122,13 +137,8 @@ miscfiles_read_localization(mysqld_t)
+@@ -110,7 +125,6 @@ domain_use_interactive_fds(mysqld_t)
+
+ files_getattr_var_lib_dirs(mysqld_t)
+ files_read_etc_runtime_files(mysqld_t)
+-files_read_etc_files(mysqld_t)
+ files_read_usr_files(mysqld_t)
+ files_search_var_lib(mysqld_t)
+
+@@ -122,13 +136,8 @@ miscfiles_read_localization(mysqld_t)
sysnet_read_config(mysqld_t)
@@ -32829,7 +33420,7 @@ index 1cf05a3..c7badcf 100644
')
tunable_policy(`mysql_connect_any',`
-@@ -154,10 +164,11 @@ optional_policy(`
+@@ -154,10 +163,11 @@ optional_policy(`
#
allow mysqld_safe_t self:capability { chown dac_override fowner kill };
@@ -32842,7 +33433,7 @@ index 1cf05a3..c7badcf 100644
domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
-@@ -170,26 +181,34 @@ kernel_read_system_state(mysqld_safe_t)
+@@ -170,26 +180,33 @@ kernel_read_system_state(mysqld_safe_t)
kernel_read_kernel_sysctls(mysqld_safe_t)
corecmd_exec_bin(mysqld_safe_t)
@@ -32852,8 +33443,8 @@ index 1cf05a3..c7badcf 100644
domain_read_all_domains_state(mysqld_safe_t)
+-files_read_etc_files(mysqld_safe_t)
+files_dontaudit_search_all_mountpoints(mysqld_safe_t)
- files_read_etc_files(mysqld_safe_t)
files_read_usr_files(mysqld_safe_t)
files_dontaudit_getattr_all_dirs(mysqld_safe_t)
@@ -32878,6 +33469,14 @@ index 1cf05a3..c7badcf 100644
########################################
#
# MySQL Manager Policy
+@@ -231,7 +248,6 @@ corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t)
+
+ dev_read_urand(mysqlmanagerd_t)
+
+-files_read_etc_files(mysqlmanagerd_t)
+ files_read_usr_files(mysqlmanagerd_t)
+
+ miscfiles_read_localization(mysqlmanagerd_t)
diff --git a/nagios.fc b/nagios.fc
index 1238f2e..d80b4db 100644
--- a/nagios.fc
@@ -33091,7 +33690,7 @@ index 8581040..7d8e93b 100644
init_labeled_script_domtrans($1, nagios_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/nagios.te b/nagios.te
-index 1fadd94..1f9d8e1 100644
+index 1fadd94..d680d93 100644
--- a/nagios.te
+++ b/nagios.te
@@ -1,10 +1,12 @@
@@ -33145,7 +33744,11 @@ index 1fadd94..1f9d8e1 100644
corecmd_exec_bin(nagios_t)
corecmd_exec_shell(nagios_t)
-@@ -107,13 +121,11 @@ files_read_etc_files(nagios_t)
+@@ -103,17 +117,14 @@ domain_use_interactive_fds(nagios_t)
+ # for ps
+ domain_read_all_domains_state(nagios_t)
+
+-files_read_etc_files(nagios_t)
files_read_etc_runtime_files(nagios_t)
files_read_kernel_symbol_table(nagios_t)
files_search_spool(nagios_t)
@@ -33160,7 +33763,7 @@ index 1fadd94..1f9d8e1 100644
auth_use_nsswitch(nagios_t)
logging_send_syslog_msg(nagios_t)
-@@ -124,10 +136,10 @@ userdom_dontaudit_use_unpriv_user_fds(nagios_t)
+@@ -124,10 +135,10 @@ userdom_dontaudit_use_unpriv_user_fds(nagios_t)
userdom_dontaudit_search_user_home_dirs(nagios_t)
mta_send_mail(nagios_t)
@@ -33173,7 +33776,7 @@ index 1fadd94..1f9d8e1 100644
netutils_kill_ping(nagios_t)
')
-@@ -143,6 +155,7 @@ optional_policy(`
+@@ -143,6 +154,7 @@ optional_policy(`
#
# Nagios CGI local policy
#
@@ -33181,7 +33784,7 @@ index 1fadd94..1f9d8e1 100644
optional_policy(`
apache_content_template(nagios)
typealias httpd_nagios_script_t alias nagios_cgi_t;
-@@ -180,29 +193,31 @@ optional_policy(`
+@@ -180,29 +192,31 @@ optional_policy(`
#
allow nrpe_t self:capability { setuid setgid };
@@ -33218,15 +33821,16 @@ index 1fadd94..1f9d8e1 100644
dev_read_sysfs(nrpe_t)
dev_read_urand(nrpe_t)
-@@ -212,6 +227,7 @@ domain_read_all_domains_state(nrpe_t)
+@@ -211,7 +225,7 @@ domain_use_interactive_fds(nrpe_t)
+ domain_read_all_domains_state(nrpe_t)
files_read_etc_runtime_files(nrpe_t)
- files_read_etc_files(nrpe_t)
+-files_read_etc_files(nrpe_t)
+files_read_usr_files(nrpe_t)
fs_getattr_all_fs(nrpe_t)
fs_search_auto_mountpoints(nrpe_t)
-@@ -252,7 +268,6 @@ optional_policy(`
+@@ -252,11 +266,9 @@ optional_policy(`
corecmd_read_bin_files(nagios_admin_plugin_t)
corecmd_read_bin_symlinks(nagios_admin_plugin_t)
@@ -33234,7 +33838,11 @@ index 1fadd94..1f9d8e1 100644
dev_getattr_all_chr_files(nagios_admin_plugin_t)
dev_getattr_all_blk_files(nagios_admin_plugin_t)
-@@ -271,19 +286,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
+-files_read_etc_files(nagios_admin_plugin_t)
+ # for check_file_age plugin
+ files_getattr_all_dirs(nagios_admin_plugin_t)
+ files_getattr_all_files(nagios_admin_plugin_t)
+@@ -271,20 +283,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
#
allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
@@ -33251,10 +33859,11 @@ index 1fadd94..1f9d8e1 100644
-dev_read_urand(nagios_mail_plugin_t)
-
- files_read_etc_files(nagios_mail_plugin_t)
+-files_read_etc_files(nagios_mail_plugin_t)
logging_send_syslog_msg(nagios_mail_plugin_t)
-@@ -300,7 +311,7 @@ optional_policy(`
+
+@@ -300,7 +307,7 @@ optional_policy(`
optional_policy(`
postfix_stream_connect_master(nagios_mail_plugin_t)
@@ -33263,7 +33872,7 @@ index 1fadd94..1f9d8e1 100644
')
######################################
-@@ -311,7 +322,9 @@ optional_policy(`
+@@ -311,7 +318,9 @@ optional_policy(`
# needed by ioctl()
allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
@@ -33274,7 +33883,7 @@ index 1fadd94..1f9d8e1 100644
files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
fs_getattr_all_fs(nagios_checkdisk_plugin_t)
-@@ -323,11 +336,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+@@ -323,11 +332,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
# local policy for service check plugins
#
@@ -33288,7 +33897,7 @@ index 1fadd94..1f9d8e1 100644
corecmd_exec_bin(nagios_services_plugin_t)
-@@ -342,6 +355,8 @@ files_read_usr_files(nagios_services_plugin_t)
+@@ -342,6 +351,8 @@ files_read_usr_files(nagios_services_plugin_t)
optional_policy(`
netutils_domtrans_ping(nagios_services_plugin_t)
@@ -33297,7 +33906,7 @@ index 1fadd94..1f9d8e1 100644
')
optional_policy(`
-@@ -365,6 +380,8 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
+@@ -365,6 +376,8 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
@@ -33306,7 +33915,7 @@ index 1fadd94..1f9d8e1 100644
kernel_read_system_state(nagios_system_plugin_t)
kernel_read_kernel_sysctls(nagios_system_plugin_t)
-@@ -372,12 +389,15 @@ corecmd_exec_bin(nagios_system_plugin_t)
+@@ -372,11 +385,13 @@ corecmd_exec_bin(nagios_system_plugin_t)
corecmd_exec_shell(nagios_system_plugin_t)
dev_read_sysfs(nagios_system_plugin_t)
@@ -33314,16 +33923,15 @@ index 1fadd94..1f9d8e1 100644
domain_read_all_domains_state(nagios_system_plugin_t)
- files_read_etc_files(nagios_system_plugin_t)
-
+-files_read_etc_files(nagios_system_plugin_t)
++
+fs_getattr_all_fs(nagios_system_plugin_t)
+
+auth_read_passwd(nagios_system_plugin_t)
-+
+
# needed by check_users plugin
optional_policy(`
- init_read_utmp(nagios_system_plugin_t)
-@@ -391,3 +411,52 @@ optional_policy(`
+@@ -391,3 +406,52 @@ optional_policy(`
optional_policy(`
unconfined_domain(nagios_unconfined_plugin_t)
')
@@ -33441,10 +34049,10 @@ index 0000000..8d7c751
+')
diff --git a/namespace.te b/namespace.te
new file mode 100644
-index 0000000..2f7149c
+index 0000000..3857701
--- /dev/null
+++ b/namespace.te
-@@ -0,0 +1,45 @@
+@@ -0,0 +1,44 @@
+policy_module(namespace,1.0.0)
+
+########################################
@@ -33474,7 +34082,6 @@ index 0000000..2f7149c
+domain_use_interactive_fds(namespace_init_t)
+domain_obj_id_change_exemption(namespace_init_t)
+
-+files_read_etc_files(namespace_init_t)
+files_polyinstantiate_all(namespace_init_t)
+
+mcs_file_write_all(namespace_init_t)
@@ -33829,7 +34436,7 @@ index 2324d9e..da61d01 100644
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireed-settings.conf")
+')
diff --git a/networkmanager.te b/networkmanager.te
-index 0619395..ff617f1 100644
+index 0619395..d7078ce 100644
--- a/networkmanager.te
+++ b/networkmanager.te
@@ -12,6 +12,15 @@ init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -33914,20 +34521,20 @@ index 0619395..ff617f1 100644
fs_getattr_all_fs(NetworkManager_t)
fs_search_auto_mountpoints(NetworkManager_t)
-@@ -113,10 +144,11 @@ corecmd_exec_shell(NetworkManager_t)
+@@ -113,10 +144,10 @@ corecmd_exec_shell(NetworkManager_t)
corecmd_exec_bin(NetworkManager_t)
domain_use_interactive_fds(NetworkManager_t)
-domain_read_confined_domains_state(NetworkManager_t)
+domain_read_all_domains_state(NetworkManager_t)
- files_read_etc_files(NetworkManager_t)
+-files_read_etc_files(NetworkManager_t)
files_read_etc_runtime_files(NetworkManager_t)
+files_read_system_conf_files(NetworkManager_t)
files_read_usr_files(NetworkManager_t)
files_read_usr_src_files(NetworkManager_t)
-@@ -128,35 +160,44 @@ init_domtrans_script(NetworkManager_t)
+@@ -128,35 +159,44 @@ init_domtrans_script(NetworkManager_t)
auth_use_nsswitch(NetworkManager_t)
@@ -33974,7 +34581,7 @@ index 0619395..ff617f1 100644
')
optional_policy(`
-@@ -176,10 +217,17 @@ optional_policy(`
+@@ -176,10 +216,17 @@ optional_policy(`
')
optional_policy(`
@@ -33992,7 +34599,7 @@ index 0619395..ff617f1 100644
')
')
-@@ -191,6 +239,7 @@ optional_policy(`
+@@ -191,6 +238,7 @@ optional_policy(`
dnsmasq_kill(NetworkManager_t)
dnsmasq_signal(NetworkManager_t)
dnsmasq_signull(NetworkManager_t)
@@ -34000,7 +34607,7 @@ index 0619395..ff617f1 100644
')
optional_policy(`
-@@ -202,23 +251,45 @@ optional_policy(`
+@@ -202,23 +250,45 @@ optional_policy(`
')
optional_policy(`
@@ -34046,7 +34653,7 @@ index 0619395..ff617f1 100644
openvpn_domtrans(NetworkManager_t)
openvpn_kill(NetworkManager_t)
openvpn_signal(NetworkManager_t)
-@@ -234,6 +305,10 @@ optional_policy(`
+@@ -234,6 +304,10 @@ optional_policy(`
')
optional_policy(`
@@ -34057,7 +34664,7 @@ index 0619395..ff617f1 100644
ppp_initrc_domtrans(NetworkManager_t)
ppp_domtrans(NetworkManager_t)
ppp_manage_pid_files(NetworkManager_t)
-@@ -241,6 +316,7 @@ optional_policy(`
+@@ -241,6 +315,7 @@ optional_policy(`
ppp_signal(NetworkManager_t)
ppp_signull(NetworkManager_t)
ppp_read_config(NetworkManager_t)
@@ -34065,7 +34672,7 @@ index 0619395..ff617f1 100644
')
optional_policy(`
-@@ -254,6 +330,10 @@ optional_policy(`
+@@ -254,6 +329,10 @@ optional_policy(`
')
optional_policy(`
@@ -34076,7 +34683,7 @@ index 0619395..ff617f1 100644
udev_exec(NetworkManager_t)
udev_read_db(NetworkManager_t)
')
-@@ -263,6 +343,7 @@ optional_policy(`
+@@ -263,6 +342,7 @@ optional_policy(`
vpn_kill(NetworkManager_t)
vpn_signal(NetworkManager_t)
vpn_signull(NetworkManager_t)
@@ -34427,10 +35034,10 @@ index 0000000..0d11800
+')
diff --git a/nova.te b/nova.te
new file mode 100644
-index 0000000..415b098
+index 0000000..2c10bbf
--- /dev/null
+++ b/nova.te
-@@ -0,0 +1,328 @@
+@@ -0,0 +1,327 @@
+policy_module(nova, 1.0.0)
+
+########################################
@@ -34500,7 +35107,6 @@ index 0000000..415b098
+
+libs_exec_ldconfig(nova_domain)
+
-+files_read_etc_files(nova_domain)
+
+miscfiles_read_localization(nova_domain)
+
@@ -34882,7 +35488,7 @@ index 85188dc..783accb 100644
+ allow $1 ncsd_unit_file_t:service all_service_perms;
')
diff --git a/nscd.te b/nscd.te
-index 7936e09..bf34c78 100644
+index 7936e09..d1861d5 100644
--- a/nscd.te
+++ b/nscd.te
@@ -4,6 +4,13 @@ gen_require(`
@@ -34926,15 +35532,17 @@ index 7936e09..bf34c78 100644
kernel_read_kernel_sysctls(nscd_t)
kernel_list_proc(nscd_t)
kernel_read_proc_symlinks(nscd_t)
-@@ -90,6 +102,7 @@ selinux_compute_create_context(nscd_t)
+@@ -90,8 +102,8 @@ selinux_compute_create_context(nscd_t)
selinux_compute_relabel_context(nscd_t)
selinux_compute_user_contexts(nscd_t)
domain_use_interactive_fds(nscd_t)
+domain_search_all_domains_state(nscd_t)
- files_read_etc_files(nscd_t)
+-files_read_etc_files(nscd_t)
files_read_generic_tmp_symlinks(nscd_t)
-@@ -112,6 +125,10 @@ userdom_dontaudit_use_unpriv_user_fds(nscd_t)
+ # Needed to read files created by firstboot "/etc/hesiod.conf"
+ files_read_etc_runtime_files(nscd_t)
+@@ -112,6 +124,10 @@ userdom_dontaudit_use_unpriv_user_fds(nscd_t)
userdom_dontaudit_search_user_home_dirs(nscd_t)
optional_policy(`
@@ -34945,7 +35553,7 @@ index 7936e09..bf34c78 100644
cron_read_system_job_tmp_files(nscd_t)
')
-@@ -127,3 +144,17 @@ optional_policy(`
+@@ -127,3 +143,17 @@ optional_policy(`
xen_dontaudit_rw_unix_stream_sockets(nscd_t)
xen_append_log(nscd_t)
')
@@ -34982,7 +35590,7 @@ index 53cc800..5348e92 100644
-/var/lib/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0)
/var/run/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0)
diff --git a/nsd.te b/nsd.te
-index 4b15536..e829ac3 100644
+index 4b15536..da79065 100644
--- a/nsd.te
+++ b/nsd.te
@@ -18,15 +18,11 @@ domain_type(nsd_crond_t)
@@ -35034,9 +35642,11 @@ index 4b15536..e829ac3 100644
can_exec(nsd_t, nsd_exec_t)
-@@ -81,15 +76,18 @@ domain_use_interactive_fds(nsd_t)
+@@ -79,17 +74,19 @@ dev_read_sysfs(nsd_t)
+
+ domain_use_interactive_fds(nsd_t)
- files_read_etc_files(nsd_t)
+-files_read_etc_files(nsd_t)
files_read_etc_runtime_files(nsd_t)
+files_search_var_lib(nsd_t)
@@ -35054,7 +35664,7 @@ index 4b15536..e829ac3 100644
userdom_dontaudit_use_unpriv_user_fds(nsd_t)
userdom_dontaudit_search_user_home_dirs(nsd_t)
-@@ -121,8 +119,6 @@ allow nsd_crond_t self:udp_socket create_socket_perms;
+@@ -121,8 +118,6 @@ allow nsd_crond_t self:udp_socket create_socket_perms;
allow nsd_crond_t nsd_conf_t:file read_file_perms;
@@ -35063,7 +35673,11 @@ index 4b15536..e829ac3 100644
files_search_var_lib(nsd_crond_t)
allow nsd_crond_t nsd_t:process signal;
-@@ -159,6 +155,8 @@ files_read_etc_files(nsd_crond_t)
+@@ -155,10 +150,11 @@ dev_read_urand(nsd_crond_t)
+
+ domain_dontaudit_read_all_domains_state(nsd_crond_t)
+
+-files_read_etc_files(nsd_crond_t)
files_read_etc_runtime_files(nsd_crond_t)
files_search_var_lib(nsd_t)
@@ -35110,7 +35724,7 @@ index 23c769c..0398e70 100644
+ admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
')
diff --git a/nslcd.te b/nslcd.te
-index 4e28d58..bee3070 100644
+index 4e28d58..0551354 100644
--- a/nslcd.te
+++ b/nslcd.te
@@ -16,7 +16,7 @@ type nslcd_var_run_t;
@@ -35131,10 +35745,11 @@ index 4e28d58..bee3070 100644
allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
allow nslcd_t nslcd_conf_t:file read_file_perms;
-@@ -37,9 +37,22 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
+@@ -36,10 +36,22 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
+
kernel_read_system_state(nslcd_t)
- files_read_etc_files(nslcd_t)
+-files_read_etc_files(nslcd_t)
+files_read_usr_symlinks(nslcd_t)
+files_list_tmp(nslcd_t)
@@ -35651,10 +36266,10 @@ index 0000000..fce899a
+')
diff --git a/nsplugin.te b/nsplugin.te
new file mode 100644
-index 0000000..5f14e91
+index 0000000..d19d3da
--- /dev/null
+++ b/nsplugin.te
-@@ -0,0 +1,328 @@
+@@ -0,0 +1,326 @@
+policy_module(nsplugin, 1.0.0)
+
+########################################
@@ -35783,7 +36398,6 @@ index 0000000..5f14e91
+
+files_dontaudit_getattr_lost_found_dirs(nsplugin_t)
+files_dontaudit_list_home(nsplugin_t)
-+files_read_etc_files(nsplugin_t)
+files_read_usr_files(nsplugin_t)
+files_read_config_files(nsplugin_t)
+
@@ -35921,7 +36535,6 @@ index 0000000..5f14e91
+
+domain_use_interactive_fds(nsplugin_config_t)
+
-+files_read_etc_files(nsplugin_config_t)
+files_read_usr_files(nsplugin_config_t)
+files_dontaudit_search_home(nsplugin_config_t)
+files_list_tmp(nsplugin_config_t)
@@ -35983,6 +36596,18 @@ index 0000000..5f14e91
+ pulseaudio_manage_home_files(nsplugin_t)
+ pulseaudio_setattr_home_dir(nsplugin_t)
+')
+diff --git a/ntop.te b/ntop.te
+index ded9fb6..2d30258 100644
+--- a/ntop.te
++++ b/ntop.te
+@@ -85,7 +85,6 @@ dev_rw_generic_usb_dev(ntop_t)
+
+ domain_use_interactive_fds(ntop_t)
+
+-files_read_etc_files(ntop_t)
+ files_read_usr_files(ntop_t)
+
+ fs_getattr_all_fs(ntop_t)
diff --git a/ntp.fc b/ntp.fc
index e79dccc..e8d3e38 100644
--- a/ntp.fc
@@ -36104,7 +36729,7 @@ index e80f8c0..0044e73 100644
+ allow $1 ntpd_unit_file_t:service all_service_perms;
')
diff --git a/ntp.te b/ntp.te
-index c61adc8..09bb140 100644
+index c61adc8..b3dd6cc 100644
--- a/ntp.te
+++ b/ntp.te
@@ -15,6 +15,9 @@ init_daemon_domain(ntpd_t, ntpd_exec_t)
@@ -36133,6 +36758,14 @@ index c61adc8..09bb140 100644
auth_use_nsswitch(ntpd_t)
+@@ -110,7 +117,6 @@ corecmd_exec_shell(ntpd_t)
+ domain_use_interactive_fds(ntpd_t)
+ domain_dontaudit_list_all_domains_state(ntpd_t)
+
+-files_read_etc_files(ntpd_t)
+ files_read_etc_runtime_files(ntpd_t)
+ files_read_usr_files(ntpd_t)
+ files_list_var_lib(ntpd_t)
diff --git a/numad.fc b/numad.fc
new file mode 100644
index 0000000..be6fcb0
@@ -36614,19 +37247,28 @@ index bd76ec2..28c4f00 100644
##
## Execute a domain transition to run oddjob_mkhomedir.
diff --git a/oddjob.te b/oddjob.te
-index 36df5a2..f2c3fc1 100644
+index 36df5a2..2fee791 100644
--- a/oddjob.te
+++ b/oddjob.te
-@@ -53,6 +53,8 @@ selinux_compute_create_context(oddjob_t)
+@@ -51,7 +51,8 @@ mcs_process_set_categories(oddjob_t)
- files_read_etc_files(oddjob_t)
+ selinux_compute_create_context(oddjob_t)
-+auth_use_nsswitch(oddjob_t)
+-files_read_etc_files(oddjob_t)
+
++auth_use_nsswitch(oddjob_t)
+
miscfiles_read_localization(oddjob_t)
- locallogin_dontaudit_use_fds(oddjob_t)
-@@ -99,8 +101,7 @@ seutil_read_default_contexts(oddjob_mkhomedir_t)
+@@ -78,7 +79,6 @@ allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
+
+ kernel_read_system_state(oddjob_mkhomedir_t)
+
+-files_read_etc_files(oddjob_mkhomedir_t)
+
+ auth_use_nsswitch(oddjob_mkhomedir_t)
+
+@@ -99,8 +99,7 @@ seutil_read_default_contexts(oddjob_mkhomedir_t)
# Add/remove user home directories
userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t)
@@ -37357,10 +37999,10 @@ index 0000000..e05c78f
+')
diff --git a/pacemaker.te b/pacemaker.te
new file mode 100644
-index 0000000..99ab306
+index 0000000..0fcbb7f
--- /dev/null
+++ b/pacemaker.te
-@@ -0,0 +1,49 @@
+@@ -0,0 +1,53 @@
+policy_module(pacemaker, 1.0.0)
+
+########################################
@@ -37403,13 +38045,17 @@ index 0000000..99ab306
+
+domain_use_interactive_fds(pacemaker_t)
+
-+files_read_etc_files(pacemaker_t)
+
+auth_use_nsswitch(pacemaker_t)
+
+logging_send_syslog_msg(pacemaker_t)
+
+miscfiles_read_localization(pacemaker_t)
++
++optional_policy(`
++ corosync_stream_connect(pacemaker_t)
++')
++
diff --git a/pads.fc b/pads.fc
index 0870c56..6d5fb1d 100644
--- a/pads.fc
@@ -37575,7 +38221,7 @@ index f68b573..30b3188 100644
+ manage_sock_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
+')
diff --git a/passenger.te b/passenger.te
-index 3470036..56099c9 100644
+index 3470036..0592ca4 100644
--- a/passenger.te
+++ b/passenger.te
@@ -49,6 +49,11 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
@@ -37590,10 +38236,11 @@ index 3470036..56099c9 100644
kernel_read_system_state(passenger_t)
kernel_read_kernel_sysctls(passenger_t)
-@@ -64,9 +69,12 @@ corecmd_exec_shell(passenger_t)
+@@ -63,10 +68,12 @@ corecmd_exec_shell(passenger_t)
+
dev_read_urand(passenger_t)
- files_read_etc_files(passenger_t)
+-files_read_etc_files(passenger_t)
+files_read_usr_files(passenger_t)
auth_use_nsswitch(passenger_t)
@@ -37603,7 +38250,7 @@ index 3470036..56099c9 100644
miscfiles_read_localization(passenger_t)
userdom_dontaudit_use_user_terminals(passenger_t)
-@@ -75,3 +83,9 @@ optional_policy(`
+@@ -75,3 +82,9 @@ optional_policy(`
apache_append_log(passenger_t)
apache_read_sys_content(passenger_t)
')
@@ -37695,7 +38342,7 @@ index ceafba6..a401838 100644
+ udev_read_db(pcscd_t)
+')
diff --git a/pegasus.te b/pegasus.te
-index 3185114..95cabdd 100644
+index 3185114..6fc91e8 100644
--- a/pegasus.te
+++ b/pegasus.te
@@ -16,7 +16,7 @@ type pegasus_tmp_t;
@@ -37747,7 +38394,7 @@ index 3185114..95cabdd 100644
corenet_all_recvfrom_unlabeled(pegasus_t)
corenet_all_recvfrom_netlabel(pegasus_t)
-@@ -95,6 +99,7 @@ files_getattr_all_dirs(pegasus_t)
+@@ -95,11 +99,11 @@ files_getattr_all_dirs(pegasus_t)
auth_use_nsswitch(pegasus_t)
auth_domtrans_chk_passwd(pegasus_t)
@@ -37755,7 +38402,12 @@ index 3185114..95cabdd 100644
domain_use_interactive_fds(pegasus_t)
domain_read_all_domains_state(pegasus_t)
-@@ -121,10 +126,30 @@ userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
+
+-files_read_etc_files(pegasus_t)
+ files_list_var_lib(pegasus_t)
+ files_read_var_lib_files(pegasus_t)
+ files_read_var_lib_symlinks(pegasus_t)
+@@ -121,10 +125,30 @@ userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
userdom_dontaudit_search_user_home_dirs(pegasus_t)
optional_policy(`
@@ -37786,7 +38438,7 @@ index 3185114..95cabdd 100644
seutil_sigchld_newrole(pegasus_t)
seutil_dontaudit_read_config(pegasus_t)
')
-@@ -136,3 +161,14 @@ optional_policy(`
+@@ -136,3 +160,14 @@ optional_policy(`
optional_policy(`
unconfined_signull(pegasus_t)
')
@@ -38067,10 +38719,10 @@ index 0000000..548d0a2
+')
diff --git a/piranha.te b/piranha.te
new file mode 100644
-index 0000000..44c7098
+index 0000000..355013e
--- /dev/null
+++ b/piranha.te
-@@ -0,0 +1,302 @@
+@@ -0,0 +1,301 @@
+policy_module(piranha, 1.0.0)
+
+########################################
@@ -38363,7 +39015,6 @@ index 0000000..44c7098
+corenet_tcp_bind_generic_node(piranha_domain)
+corenet_udp_bind_generic_node(piranha_domain)
+
-+files_read_etc_files(piranha_domain)
+
+corecmd_exec_bin(piranha_domain)
+corecmd_exec_shell(piranha_domain)
@@ -38754,7 +39405,7 @@ index 48ff1e8..be00a65 100644
+ allow $1 policykit_auth_t:process signal;
')
diff --git a/policykit.te b/policykit.te
-index 44db896..9e61080 100644
+index 44db896..5bf2bf0 100644
--- a/policykit.te
+++ b/policykit.te
@@ -1,51 +1,73 @@
@@ -38844,16 +39495,16 @@ index 44db896..9e61080 100644
rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
policykit_domtrans_resolve(policykit_t)
-@@ -56,56 +78,112 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
+@@ -56,56 +78,110 @@ manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
+kernel_read_system_state(policykit_t)
kernel_read_kernel_sysctls(policykit_t)
+-files_read_etc_files(policykit_t)
+domain_read_all_domains_state(policykit_t)
+
- files_read_etc_files(policykit_t)
files_read_usr_files(policykit_t)
+files_dontaudit_search_all_mountpoints(policykit_t)
+
@@ -38942,7 +39593,7 @@ index 44db896..9e61080 100644
+
+dev_read_video_dev(policykit_auth_t)
- files_read_etc_files(policykit_auth_t)
+-files_read_etc_files(policykit_auth_t)
files_read_usr_files(policykit_auth_t)
+files_search_home(policykit_auth_t)
@@ -38969,7 +39620,7 @@ index 44db896..9e61080 100644
dbus_session_bus_client(policykit_auth_t)
optional_policy(`
-@@ -118,14 +196,26 @@ optional_policy(`
+@@ -118,14 +194,26 @@ optional_policy(`
hal_read_state(policykit_auth_t)
')
@@ -38998,8 +39649,11 @@ index 44db896..9e61080 100644
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
-@@ -145,19 +235,18 @@ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t
- files_read_etc_files(policykit_grant_t)
+@@ -142,22 +230,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
+
+ manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t)
+
+-files_read_etc_files(policykit_grant_t)
files_read_usr_files(policykit_grant_t)
-auth_use_nsswitch(policykit_grant_t)
@@ -39023,7 +39677,7 @@ index 44db896..9e61080 100644
consolekit_dbus_chat(policykit_grant_t)
')
')
-@@ -167,9 +256,8 @@ optional_policy(`
+@@ -167,9 +253,8 @@ optional_policy(`
# polkit_resolve local policy
#
@@ -39035,8 +39689,11 @@ index 44db896..9e61080 100644
allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
-@@ -185,14 +273,8 @@ corecmd_search_bin(policykit_resolve_t)
- files_read_etc_files(policykit_resolve_t)
+@@ -182,17 +267,10 @@ read_files_pattern(policykit_resolve_t, policykit_var_lib_t, policykit_var_lib_t
+ can_exec(policykit_resolve_t, policykit_resolve_exec_t)
+ corecmd_search_bin(policykit_resolve_t)
+
+-files_read_etc_files(policykit_resolve_t)
files_read_usr_files(policykit_resolve_t)
-mcs_ptrace_all(policykit_resolve_t)
@@ -39050,7 +39707,7 @@ index 44db896..9e61080 100644
userdom_read_all_users_state(policykit_resolve_t)
optional_policy(`
-@@ -207,4 +289,3 @@ optional_policy(`
+@@ -207,4 +285,3 @@ optional_policy(`
kernel_search_proc(policykit_resolve_t)
hal_read_state(policykit_resolve_t)
')
@@ -39672,19 +40329,28 @@ index 3cdcd9f..2061efe 100644
/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
diff --git a/portmap.te b/portmap.te
-index c1db652..418c2ec 100644
+index c1db652..faa16a6 100644
--- a/portmap.te
+++ b/portmap.te
-@@ -75,6 +75,8 @@ domain_use_interactive_fds(portmap_t)
+@@ -73,7 +73,8 @@ fs_search_auto_mountpoints(portmap_t)
- files_read_etc_files(portmap_t)
+ domain_use_interactive_fds(portmap_t)
-+auth_use_nsswitch(portmap_t)
+-files_read_etc_files(portmap_t)
+
++auth_use_nsswitch(portmap_t)
+
logging_send_syslog_msg(portmap_t)
- miscfiles_read_localization(portmap_t)
-@@ -142,7 +144,7 @@ logging_send_syslog_msg(portmap_helper_t)
+@@ -133,7 +134,6 @@ corenet_tcp_connect_all_ports(portmap_helper_t)
+
+ domain_dontaudit_use_interactive_fds(portmap_helper_t)
+
+-files_read_etc_files(portmap_helper_t)
+ files_rw_generic_pids(portmap_helper_t)
+
+ init_rw_utmp(portmap_helper_t)
+@@ -142,7 +142,7 @@ logging_send_syslog_msg(portmap_helper_t)
sysnet_read_config(portmap_helper_t)
@@ -40254,7 +40920,7 @@ index 46bee12..99499ef 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
+')
diff --git a/postfix.te b/postfix.te
-index 69cbd06..080e2e1 100644
+index 69cbd06..fca2d47 100644
--- a/postfix.te
+++ b/postfix.te
@@ -1,10 +1,19 @@
@@ -40441,7 +41107,7 @@ index 69cbd06..080e2e1 100644
allow postfix_local_t self:process { setsched setrlimit };
# connect to master process
-@@ -273,6 +303,8 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
+@@ -273,12 +303,13 @@ stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, post
# for .forward - maybe we need a new type for it?
rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
@@ -40450,7 +41116,13 @@ index 69cbd06..080e2e1 100644
allow postfix_local_t postfix_spool_t:file rw_file_perms;
corecmd_exec_shell(postfix_local_t)
-@@ -286,10 +318,15 @@ mta_read_aliases(postfix_local_t)
+ corecmd_exec_bin(postfix_local_t)
+
+-files_read_etc_files(postfix_local_t)
+
+ logging_dontaudit_search_logs(postfix_local_t)
+
+@@ -286,10 +317,15 @@ mta_read_aliases(postfix_local_t)
mta_delete_spool(postfix_local_t)
# For reading spamassasin
mta_read_config(postfix_local_t)
@@ -40469,7 +41141,7 @@ index 69cbd06..080e2e1 100644
optional_policy(`
clamav_search_lib(postfix_local_t)
-@@ -297,6 +334,14 @@ optional_policy(`
+@@ -297,6 +333,14 @@ optional_policy(`
')
optional_policy(`
@@ -40484,7 +41156,7 @@ index 69cbd06..080e2e1 100644
# for postalias
mailman_manage_data_files(postfix_local_t)
mailman_append_log(postfix_local_t)
-@@ -304,9 +349,22 @@ optional_policy(`
+@@ -304,9 +348,22 @@ optional_policy(`
')
optional_policy(`
@@ -40507,7 +41179,15 @@ index 69cbd06..080e2e1 100644
########################################
#
# Postfix map local policy
-@@ -379,18 +437,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
+@@ -348,7 +405,6 @@ corecmd_read_bin_sockets(postfix_map_t)
+
+ files_list_home(postfix_map_t)
+ files_read_usr_files(postfix_map_t)
+-files_read_etc_files(postfix_map_t)
+ files_read_etc_runtime_files(postfix_map_t)
+ files_dontaudit_search_var(postfix_map_t)
+
+@@ -379,18 +435,24 @@ stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, p
rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
rw_sock_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
@@ -40533,7 +41213,7 @@ index 69cbd06..080e2e1 100644
allow postfix_pipe_t self:process setrlimit;
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-@@ -401,6 +465,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
+@@ -401,6 +463,8 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
domtrans_pattern(postfix_pipe_t, postfix_postdrop_exec_t, postfix_postdrop_t)
@@ -40542,7 +41222,7 @@ index 69cbd06..080e2e1 100644
optional_policy(`
dovecot_domtrans_deliver(postfix_pipe_t)
')
-@@ -420,6 +486,7 @@ optional_policy(`
+@@ -420,6 +484,7 @@ optional_policy(`
optional_policy(`
spamassassin_domtrans_client(postfix_pipe_t)
@@ -40550,7 +41230,7 @@ index 69cbd06..080e2e1 100644
')
optional_policy(`
-@@ -436,11 +503,17 @@ allow postfix_postdrop_t self:capability sys_resource;
+@@ -436,11 +501,17 @@ allow postfix_postdrop_t self:capability sys_resource;
allow postfix_postdrop_t self:tcp_socket create;
allow postfix_postdrop_t self:udp_socket create_socket_perms;
@@ -40568,7 +41248,7 @@ index 69cbd06..080e2e1 100644
corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
-@@ -487,8 +560,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
+@@ -487,8 +558,8 @@ write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t
domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
# to write the mailq output, it really should not need read access!
@@ -40579,7 +41259,7 @@ index 69cbd06..080e2e1 100644
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
-@@ -519,7 +592,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +590,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
@@ -40592,7 +41272,7 @@ index 69cbd06..080e2e1 100644
corecmd_exec_bin(postfix_qmgr_t)
-@@ -539,7 +616,9 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +614,9 @@ postfix_list_spool(postfix_showq_t)
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -40603,7 +41283,7 @@ index 69cbd06..080e2e1 100644
# to write the mailq output, it really should not need read access!
term_use_all_ptys(postfix_showq_t)
-@@ -558,6 +637,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
+@@ -558,6 +635,8 @@ allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
@@ -40612,7 +41292,7 @@ index 69cbd06..080e2e1 100644
files_search_all_mountpoints(postfix_smtp_t)
optional_policy(`
-@@ -565,6 +646,14 @@ optional_policy(`
+@@ -565,6 +644,14 @@ optional_policy(`
')
optional_policy(`
@@ -40627,7 +41307,7 @@ index 69cbd06..080e2e1 100644
milter_stream_connect_all(postfix_smtp_t)
')
-@@ -581,17 +670,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
+@@ -581,17 +668,25 @@ stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t },
corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
# for prng_exch
@@ -40654,7 +41334,7 @@ index 69cbd06..080e2e1 100644
')
optional_policy(`
-@@ -599,6 +696,12 @@ optional_policy(`
+@@ -599,6 +694,12 @@ optional_policy(`
')
optional_policy(`
@@ -40667,7 +41347,7 @@ index 69cbd06..080e2e1 100644
postgrey_stream_connect(postfix_smtpd_t)
')
-@@ -611,7 +714,6 @@ optional_policy(`
+@@ -611,7 +712,6 @@ optional_policy(`
# Postfix virtual local policy
#
@@ -40675,7 +41355,15 @@ index 69cbd06..080e2e1 100644
allow postfix_virtual_t self:process { setsched setrlimit };
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -630,3 +732,76 @@ mta_delete_spool(postfix_virtual_t)
+@@ -622,7 +722,6 @@ stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }
+ corecmd_exec_shell(postfix_virtual_t)
+ corecmd_exec_bin(postfix_virtual_t)
+
+-files_read_etc_files(postfix_virtual_t)
+ files_read_usr_files(postfix_virtual_t)
+
+ mta_read_aliases(postfix_virtual_t)
+@@ -630,3 +729,75 @@ mta_delete_spool(postfix_virtual_t)
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
@@ -40730,7 +41418,6 @@ index 69cbd06..080e2e1 100644
+
+corecmd_exec_shell(postfix_domain)
+
-+files_read_etc_files(postfix_domain)
+files_read_etc_runtime_files(postfix_domain)
+files_read_usr_files(postfix_domain)
+files_read_usr_symlinks(postfix_domain)
@@ -41044,7 +41731,7 @@ index de4bdb7..a4cad0b 100644
+ allow $1 pppd_unit_file_t:service all_service_perms;
')
diff --git a/ppp.te b/ppp.te
-index bcbf9ac..92cec2b 100644
+index bcbf9ac..fd793b3 100644
--- a/ppp.te
+++ b/ppp.te
@@ -19,14 +19,15 @@ gen_tunable(pppd_can_insmod, false)
@@ -41146,7 +41833,14 @@ index bcbf9ac..92cec2b 100644
# allow running ip-up and ip-down scripts and running chat.
corecmd_exec_bin(pppd_t)
-@@ -170,6 +178,9 @@ init_dontaudit_write_utmp(pppd_t)
+@@ -163,13 +171,15 @@ files_manage_etc_runtime_files(pppd_t)
+ files_dontaudit_write_etc_files(pppd_t)
+
+ # for scripts
+-files_read_etc_files(pppd_t)
+
+ init_read_utmp(pppd_t)
+ init_dontaudit_write_utmp(pppd_t)
init_signal_script(pppd_t)
auth_use_nsswitch(pppd_t)
@@ -41156,7 +41850,7 @@ index bcbf9ac..92cec2b 100644
logging_send_syslog_msg(pppd_t)
logging_send_audit_msgs(pppd_t)
-@@ -180,24 +191,34 @@ sysnet_exec_ifconfig(pppd_t)
+@@ -180,24 +190,34 @@ sysnet_exec_ifconfig(pppd_t)
sysnet_manage_config(pppd_t)
sysnet_etc_filetrans_config(pppd_t)
@@ -41194,7 +41888,7 @@ index bcbf9ac..92cec2b 100644
')
optional_policy(`
-@@ -247,14 +268,18 @@ allow pptp_t pppd_log_t:file append_file_perms;
+@@ -247,14 +267,18 @@ allow pptp_t pppd_log_t:file append_file_perms;
allow pptp_t pptp_log_t:file manage_file_perms;
logging_log_filetrans(pptp_t, pptp_log_t, file)
@@ -41214,8 +41908,16 @@ index bcbf9ac..92cec2b 100644
dev_read_sysfs(pptp_t)
+@@ -273,7 +297,6 @@ corenet_tcp_connect_generic_port(pptp_t)
+ corenet_tcp_connect_all_reserved_ports(pptp_t)
+ corenet_sendrecv_generic_client_packets(pptp_t)
+
+-files_read_etc_files(pptp_t)
+
+ fs_getattr_all_fs(pptp_t)
+ fs_search_auto_mountpoints(pptp_t)
diff --git a/prelink.te b/prelink.te
-index af55369..e97defd 100644
+index af55369..f977b84 100644
--- a/prelink.te
+++ b/prelink.te
@@ -36,7 +36,7 @@ files_type(prelink_var_lib_t)
@@ -41240,7 +41942,7 @@ index af55369..e97defd 100644
kernel_read_system_state(prelink_t)
kernel_read_kernel_sysctls(prelink_t)
-@@ -73,6 +74,7 @@ corecmd_mmap_all_executables(prelink_t)
+@@ -73,11 +74,11 @@ corecmd_mmap_all_executables(prelink_t)
corecmd_read_bin_symlinks(prelink_t)
dev_read_urand(prelink_t)
@@ -41248,7 +41950,12 @@ index af55369..e97defd 100644
files_list_all(prelink_t)
files_getattr_all_files(prelink_t)
-@@ -86,6 +88,8 @@ files_relabelfrom_usr_files(prelink_t)
+ files_write_non_security_dirs(prelink_t)
+-files_read_etc_files(prelink_t)
+ files_read_etc_runtime_files(prelink_t)
+ files_dontaudit_read_all_symlinks(prelink_t)
+ files_manage_usr_files(prelink_t)
+@@ -86,6 +87,8 @@ files_relabelfrom_usr_files(prelink_t)
fs_getattr_xattr_fs(prelink_t)
@@ -41257,7 +41964,7 @@ index af55369..e97defd 100644
selinux_get_enforce_mode(prelink_t)
libs_exec_ld_so(prelink_t)
-@@ -98,7 +102,15 @@ libs_delete_lib_symlinks(prelink_t)
+@@ -98,7 +101,15 @@ libs_delete_lib_symlinks(prelink_t)
miscfiles_read_localization(prelink_t)
@@ -41274,7 +41981,7 @@ index af55369..e97defd 100644
optional_policy(`
amanda_manage_lib(prelink_t)
-@@ -109,6 +121,15 @@ optional_policy(`
+@@ -109,6 +120,15 @@ optional_policy(`
')
optional_policy(`
@@ -41290,7 +41997,7 @@ index af55369..e97defd 100644
rpm_manage_tmp_files(prelink_t)
')
-@@ -129,6 +150,7 @@ optional_policy(`
+@@ -129,6 +149,7 @@ optional_policy(`
read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
allow prelink_cron_system_t prelink_cache_t:file unlink;
@@ -41298,8 +42005,11 @@ index af55369..e97defd 100644
domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
allow prelink_cron_system_t prelink_t:process noatsecure;
-@@ -148,17 +170,33 @@ optional_policy(`
- files_read_etc_files(prelink_cron_system_t)
+@@ -145,20 +166,35 @@ optional_policy(`
+ corecmd_exec_shell(prelink_cron_system_t)
+
+ files_dontaudit_search_all_mountpoints(prelink_cron_system_t)
+- files_read_etc_files(prelink_cron_system_t)
files_search_var_lib(prelink_cron_system_t)
+ fs_search_cgroup_dirs(prelink_cron_system_t)
@@ -41403,7 +42113,7 @@ index 2316653..f41a4f7 100644
+ admin_pattern($1, prelude_lml_tmp_t)
')
diff --git a/prelude.te b/prelude.te
-index b1bc02c..f1cdaed 100644
+index b1bc02c..818d0a9 100644
--- a/prelude.te
+++ b/prelude.te
@@ -13,7 +13,7 @@ type prelude_initrc_exec_t;
@@ -41415,7 +42125,31 @@ index b1bc02c..f1cdaed 100644
type prelude_log_t;
logging_log_file(prelude_log_t)
-@@ -210,8 +210,8 @@ prelude_manage_spool(prelude_correlator_t)
+@@ -95,7 +95,6 @@ corenet_tcp_connect_mysqld_port(prelude_t)
+ dev_read_rand(prelude_t)
+ dev_read_urand(prelude_t)
+
+-files_read_etc_files(prelude_t)
+ files_read_etc_runtime_files(prelude_t)
+ files_read_usr_files(prelude_t)
+ files_search_tmp(prelude_t)
+@@ -156,7 +155,6 @@ dev_read_urand(prelude_audisp_t)
+ # Init script handling
+ domain_use_interactive_fds(prelude_audisp_t)
+
+-files_read_etc_files(prelude_audisp_t)
+ files_read_etc_runtime_files(prelude_audisp_t)
+ files_search_tmp(prelude_audisp_t)
+
+@@ -192,7 +190,6 @@ corenet_tcp_connect_prelude_port(prelude_correlator_t)
+ dev_read_rand(prelude_correlator_t)
+ dev_read_urand(prelude_correlator_t)
+
+-files_read_etc_files(prelude_correlator_t)
+ files_read_usr_files(prelude_correlator_t)
+ files_search_spool(prelude_correlator_t)
+
+@@ -210,8 +207,8 @@ prelude_manage_spool(prelude_correlator_t)
#
allow prelude_lml_t self:capability dac_override;
@@ -41426,7 +42160,7 @@ index b1bc02c..f1cdaed 100644
allow prelude_lml_t self:fifo_file rw_fifo_file_perms;
allow prelude_lml_t self:unix_stream_socket connectto;
-@@ -236,6 +236,8 @@ kernel_read_sysctl(prelude_lml_t)
+@@ -236,6 +233,8 @@ kernel_read_sysctl(prelude_lml_t)
corecmd_exec_bin(prelude_lml_t)
@@ -41435,6 +42169,22 @@ index b1bc02c..f1cdaed 100644
corenet_tcp_sendrecv_generic_if(prelude_lml_t)
corenet_tcp_sendrecv_generic_node(prelude_lml_t)
corenet_tcp_recvfrom_netlabel(prelude_lml_t)
+@@ -247,7 +246,6 @@ dev_read_rand(prelude_lml_t)
+ dev_read_urand(prelude_lml_t)
+
+ files_list_etc(prelude_lml_t)
+-files_read_etc_files(prelude_lml_t)
+ files_read_etc_runtime_files(prelude_lml_t)
+
+ fs_getattr_all_fs(prelude_lml_t)
+@@ -283,7 +281,6 @@ optional_policy(`
+
+ can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t)
+
+- files_read_etc_files(httpd_prewikka_script_t)
+ files_search_tmp(httpd_prewikka_script_t)
+
+ kernel_read_sysctl(httpd_prewikka_script_t)
diff --git a/privoxy.if b/privoxy.if
index afd1751..5aff531 100644
--- a/privoxy.if
@@ -41453,7 +42203,7 @@ index afd1751..5aff531 100644
init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/privoxy.te b/privoxy.te
-index 2dbf4d4..50ce8a5 100644
+index 2dbf4d4..54a6eca 100644
--- a/privoxy.te
+++ b/privoxy.te
@@ -46,8 +46,9 @@ logging_log_filetrans(privoxy_t, privoxy_log_t, file)
@@ -41475,7 +42225,15 @@ index 2dbf4d4..50ce8a5 100644
corenet_sendrecv_http_cache_client_packets(privoxy_t)
corenet_sendrecv_squid_client_packets(privoxy_t)
corenet_sendrecv_http_cache_server_packets(privoxy_t)
-@@ -87,7 +89,7 @@ miscfiles_read_localization(privoxy_t)
+@@ -76,7 +78,6 @@ fs_search_auto_mountpoints(privoxy_t)
+
+ domain_use_interactive_fds(privoxy_t)
+
+-files_read_etc_files(privoxy_t)
+
+ auth_use_nsswitch(privoxy_t)
+
+@@ -87,7 +88,7 @@ miscfiles_read_localization(privoxy_t)
userdom_dontaudit_use_unpriv_user_fds(privoxy_t)
userdom_dontaudit_search_user_home_dirs(privoxy_t)
# cjp: this should really not be needed
@@ -41522,7 +42280,7 @@ index b64b02f..166e9c3 100644
+ read_files_pattern($1, procmail_home_t, procmail_home_t)
+')
diff --git a/procmail.te b/procmail.te
-index 29b9295..624afe6 100644
+index 29b9295..59d1db3 100644
--- a/procmail.te
+++ b/procmail.te
@@ -10,6 +10,9 @@ type procmail_exec_t;
@@ -41544,15 +42302,15 @@ index 29b9295..624afe6 100644
create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
read_lnk_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
-@@ -67,7 +70,6 @@ auth_use_nsswitch(procmail_t)
+@@ -67,18 +70,26 @@ auth_use_nsswitch(procmail_t)
corecmd_exec_bin(procmail_t)
corecmd_exec_shell(procmail_t)
-corecmd_read_bin_symlinks(procmail_t)
- files_read_etc_files(procmail_t)
+-files_read_etc_files(procmail_t)
files_read_etc_runtime_files(procmail_t)
-@@ -75,10 +77,20 @@ files_search_pids(procmail_t)
+ files_search_pids(procmail_t)
# for spamassasin
files_read_usr_files(procmail_t)
@@ -41573,7 +42331,7 @@ index 29b9295..624afe6 100644
# only works until we define a different type for maildir
userdom_manage_user_home_content_dirs(procmail_t)
userdom_manage_user_home_content_files(procmail_t)
-@@ -87,8 +99,8 @@ userdom_manage_user_home_content_pipes(procmail_t)
+@@ -87,8 +98,8 @@ userdom_manage_user_home_content_pipes(procmail_t)
userdom_manage_user_home_content_sockets(procmail_t)
userdom_user_home_dir_filetrans_user_home_content(procmail_t, { dir file lnk_file fifo_file sock_file })
@@ -41584,7 +42342,7 @@ index 29b9295..624afe6 100644
mta_manage_spool(procmail_t)
mta_read_queue(procmail_t)
-@@ -97,21 +109,19 @@ ifdef(`hide_broken_symptoms',`
+@@ -97,21 +108,19 @@ ifdef(`hide_broken_symptoms',`
mta_dontaudit_rw_queue(procmail_t)
')
@@ -41614,7 +42372,7 @@ index 29b9295..624afe6 100644
')
optional_policy(`
-@@ -125,6 +135,11 @@ optional_policy(`
+@@ -125,6 +134,11 @@ optional_policy(`
postfix_read_spool_files(procmail_t)
postfix_read_local_state(procmail_t)
postfix_read_master_state(procmail_t)
@@ -41946,7 +42704,7 @@ index f40c64d..a3352d3 100644
+ userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth")
')
diff --git a/pulseaudio.te b/pulseaudio.te
-index 901ac9b..e53b4b7 100644
+index 901ac9b..2094fc8 100644
--- a/pulseaudio.te
+++ b/pulseaudio.te
@@ -41,7 +41,13 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -41972,7 +42730,14 @@ index 901ac9b..e53b4b7 100644
can_exec(pulseaudio_t, pulseaudio_exec_t)
-@@ -83,8 +89,8 @@ fs_rw_anon_inodefs_files(pulseaudio_t)
+@@ -76,15 +82,14 @@ dev_write_sound(pulseaudio_t)
+ dev_read_sysfs(pulseaudio_t)
+ dev_read_urand(pulseaudio_t)
+
+-files_read_etc_files(pulseaudio_t)
+ files_read_usr_files(pulseaudio_t)
+
+ fs_rw_anon_inodefs_files(pulseaudio_t)
fs_getattr_tmpfs(pulseaudio_t)
fs_list_inotifyfs(pulseaudio_t)
@@ -41983,7 +42748,7 @@ index 901ac9b..e53b4b7 100644
auth_use_nsswitch(pulseaudio_t)
-@@ -92,10 +98,29 @@ logging_send_syslog_msg(pulseaudio_t)
+@@ -92,10 +97,29 @@ logging_send_syslog_msg(pulseaudio_t)
miscfiles_read_localization(pulseaudio_t)
@@ -42017,7 +42782,7 @@ index 901ac9b..e53b4b7 100644
optional_policy(`
bluetooth_stream_connect(pulseaudio_t)
-@@ -125,16 +150,35 @@ optional_policy(`
+@@ -125,16 +149,35 @@ optional_policy(`
')
optional_policy(`
@@ -42053,7 +42818,7 @@ index 901ac9b..e53b4b7 100644
udev_read_state(pulseaudio_t)
udev_read_db(pulseaudio_t)
')
-@@ -146,3 +190,7 @@ optional_policy(`
+@@ -146,3 +189,7 @@ optional_policy(`
xserver_read_xdm_pid(pulseaudio_t)
xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
')
@@ -42216,7 +42981,7 @@ index 2855a44..2f72e9a 100644
+ allow $1 puppet_var_run_t:dir search_dir_perms;
+')
diff --git a/puppet.te b/puppet.te
-index d792d53..e67606e 100644
+index d792d53..561e0e7 100644
--- a/puppet.te
+++ b/puppet.te
@@ -13,6 +13,13 @@ policy_module(puppet, 1.2.1)
@@ -42335,7 +43100,7 @@ index d792d53..e67606e 100644
portage_domtrans(puppet_t)
portage_domtrans_fetch(puppet_t)
portage_domtrans_gcc_config(puppet_t)
-@@ -164,8 +194,131 @@ optional_policy(`
+@@ -164,8 +194,130 @@ optional_policy(`
')
optional_policy(`
@@ -42442,7 +43207,6 @@ index d792d53..e67606e 100644
+dev_read_urand(puppetca_t)
+dev_search_sysfs(puppetca_t)
+
-+files_read_etc_files(puppetca_t)
+files_search_var_lib(puppetca_t)
+
+selinux_validate_context(puppetca_t)
@@ -42469,7 +43233,7 @@ index d792d53..e67606e 100644
')
########################################
-@@ -184,24 +337,32 @@ allow puppetmaster_t self:udp_socket create_socket_perms;
+@@ -184,24 +336,32 @@ allow puppetmaster_t self:udp_socket create_socket_perms;
list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
@@ -42504,7 +43268,7 @@ index d792d53..e67606e 100644
corecmd_exec_bin(puppetmaster_t)
corecmd_exec_shell(puppetmaster_t)
-@@ -213,22 +374,48 @@ corenet_tcp_sendrecv_generic_node(puppetmaster_t)
+@@ -213,22 +373,48 @@ corenet_tcp_sendrecv_generic_node(puppetmaster_t)
corenet_tcp_bind_generic_node(puppetmaster_t)
corenet_tcp_bind_puppet_port(puppetmaster_t)
corenet_sendrecv_puppet_server_packets(puppetmaster_t)
@@ -42556,7 +43320,7 @@ index d792d53..e67606e 100644
optional_policy(`
hostname_exec(puppetmaster_t)
')
-@@ -239,3 +426,9 @@ optional_policy(`
+@@ -239,3 +425,9 @@ optional_policy(`
rpm_exec(puppetmaster_t)
rpm_read_db(puppetmaster_t)
')
@@ -42657,10 +43421,10 @@ index 0000000..86d25ea
+')
diff --git a/pwauth.te b/pwauth.te
new file mode 100644
-index 0000000..11bb8e1
+index 0000000..8d2c891
--- /dev/null
+++ b/pwauth.te
-@@ -0,0 +1,42 @@
+@@ -0,0 +1,41 @@
+policy_module(pwauth, 1.0.0)
+
+########################################
@@ -42691,7 +43455,6 @@ index 0000000..11bb8e1
+
+domain_use_interactive_fds(pwauth_t)
+
-+files_read_etc_files(pwauth_t)
+
+auth_domtrans_chkpwd(pwauth_t)
+auth_use_nsswitch(pwauth_t)
@@ -42807,7 +43570,7 @@ index 494f7e2..2c411af 100644
+ admin_pattern($1, pyzor_var_lib_t)
+')
diff --git a/pyzor.te b/pyzor.te
-index c8fb70b..a272112 100644
+index c8fb70b..764de6b 100644
--- a/pyzor.te
+++ b/pyzor.te
@@ -1,42 +1,66 @@
@@ -42910,13 +43673,13 @@ index c8fb70b..a272112 100644
########################################
#
-@@ -74,12 +98,16 @@ corenet_tcp_connect_http_port(pyzor_t)
+@@ -74,12 +98,15 @@ corenet_tcp_connect_http_port(pyzor_t)
dev_read_urand(pyzor_t)
+-files_read_etc_files(pyzor_t)
+fs_getattr_xattr_fs(pyzor_t)
+
- files_read_etc_files(pyzor_t)
auth_use_nsswitch(pyzor_t)
@@ -42927,7 +43690,7 @@ index c8fb70b..a272112 100644
userdom_dontaudit_search_user_home_dirs(pyzor_t)
optional_policy(`
-@@ -109,8 +137,8 @@ allow pyzord_t pyzor_etc_t:dir list_dir_perms;
+@@ -109,8 +136,8 @@ allow pyzord_t pyzor_etc_t:dir list_dir_perms;
can_exec(pyzord_t, pyzor_exec_t)
manage_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
@@ -42938,6 +43701,14 @@ index c8fb70b..a272112 100644
kernel_read_kernel_sysctls(pyzord_t)
kernel_read_system_state(pyzord_t)
+@@ -128,7 +155,6 @@ corenet_udp_bind_generic_node(pyzord_t)
+ corenet_udp_bind_pyzor_port(pyzord_t)
+ corenet_sendrecv_pyzor_server_packets(pyzord_t)
+
+-files_read_etc_files(pyzord_t)
+
+ auth_use_nsswitch(pyzord_t)
+
diff --git a/qemu.if b/qemu.if
index 268d691..da3a26d 100644
--- a/qemu.if
@@ -43294,7 +44065,7 @@ index a55bf44..c6dee66 100644
+ allow $1 qmail_spool_t:fifo_file rw_fifo_file_perms;
+')
diff --git a/qmail.te b/qmail.te
-index 355b2a2..88e6f40 100644
+index 355b2a2..2eb3c5c 100644
--- a/qmail.te
+++ b/qmail.te
@@ -47,7 +47,7 @@ qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t)
@@ -43343,7 +44114,15 @@ index 355b2a2..88e6f40 100644
allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
-@@ -121,13 +121,17 @@ mta_append_spool(qmail_local_t)
+@@ -109,7 +109,6 @@ kernel_read_system_state(qmail_local_t)
+ corecmd_exec_bin(qmail_local_t)
+ corecmd_exec_shell(qmail_local_t)
+
+-files_read_etc_files(qmail_local_t)
+ files_read_etc_runtime_files(qmail_local_t)
+
+ auth_use_nsswitch(qmail_local_t)
+@@ -121,13 +120,17 @@ mta_append_spool(qmail_local_t)
qmail_domtrans_queue(qmail_local_t)
optional_policy(`
@@ -43362,7 +44141,14 @@ index 355b2a2..88e6f40 100644
#
allow qmail_lspawn_t self:capability { setuid setgid };
-@@ -150,15 +154,15 @@ files_search_tmp(qmail_lspawn_t)
+@@ -143,22 +146,21 @@ read_files_pattern(qmail_lspawn_t, qmail_spool_t, qmail_spool_t)
+
+ corecmd_search_bin(qmail_lspawn_t)
+
+-files_read_etc_files(qmail_lspawn_t)
+ files_search_pids(qmail_lspawn_t)
+ files_search_tmp(qmail_lspawn_t)
+
########################################
#
# qmail-queue local policy
@@ -43380,7 +44166,7 @@ index 355b2a2..88e6f40 100644
manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
-@@ -175,7 +179,7 @@ optional_policy(`
+@@ -175,7 +177,7 @@ optional_policy(`
########################################
#
# qmail-remote local policy
@@ -43389,7 +44175,7 @@ index 355b2a2..88e6f40 100644
#
allow qmail_remote_t self:tcp_socket create_socket_perms;
-@@ -202,7 +206,7 @@ sysnet_read_config(qmail_remote_t)
+@@ -202,7 +204,7 @@ sysnet_read_config(qmail_remote_t)
########################################
#
# qmail-rspawn local policy
@@ -43398,7 +44184,7 @@ index 355b2a2..88e6f40 100644
#
allow qmail_rspawn_t self:process signal_perms;
-@@ -217,7 +221,7 @@ corecmd_search_bin(qmail_rspawn_t)
+@@ -217,7 +219,7 @@ corecmd_search_bin(qmail_rspawn_t)
########################################
#
# qmail-send local policy
@@ -43407,7 +44193,7 @@ index 355b2a2..88e6f40 100644
#
allow qmail_send_t self:process signal_perms;
-@@ -236,7 +240,7 @@ optional_policy(`
+@@ -236,7 +238,7 @@ optional_policy(`
########################################
#
# qmail-smtpd local policy
@@ -43416,7 +44202,7 @@ index 355b2a2..88e6f40 100644
#
allow qmail_smtpd_t self:process signal_perms;
-@@ -265,7 +269,7 @@ optional_policy(`
+@@ -265,12 +267,11 @@ optional_policy(`
########################################
#
# splogger local policy
@@ -43425,7 +44211,12 @@ index 355b2a2..88e6f40 100644
#
allow qmail_splogger_t self:unix_dgram_socket create_socket_perms;
-@@ -279,13 +283,13 @@ miscfiles_read_localization(qmail_splogger_t)
+
+-files_read_etc_files(qmail_splogger_t)
+
+ init_dontaudit_use_script_fds(qmail_splogger_t)
+
+@@ -279,13 +280,13 @@ miscfiles_read_localization(qmail_splogger_t)
########################################
#
# qmail-start local policy
@@ -43441,7 +44232,7 @@ index 355b2a2..88e6f40 100644
can_exec(qmail_start_t, qmail_start_exec_t)
-@@ -303,7 +307,7 @@ optional_policy(`
+@@ -303,7 +304,7 @@ optional_policy(`
########################################
#
# tcp-env local policy
@@ -44020,10 +44811,10 @@ index 0000000..010b2be
+')
diff --git a/quantum.te b/quantum.te
new file mode 100644
-index 0000000..616ed06
+index 0000000..a5fa6b6
--- /dev/null
+++ b/quantum.te
-@@ -0,0 +1,83 @@
+@@ -0,0 +1,82 @@
+policy_module(quantum, 1.0.0)
+
+########################################
@@ -44086,7 +44877,6 @@ index 0000000..616ed06
+
+domain_use_interactive_fds(quantum_t)
+
-+files_read_etc_files(quantum_t)
+files_read_usr_files(quantum_t)
+
+auth_use_nsswitch(quantum_t)
@@ -44253,7 +45043,7 @@ index bf75d99..3fb8575 100644
+ domtrans_pattern($1, quota_nld_exec_t, quota_nld_t)
+')
diff --git a/quota.te b/quota.te
-index 5dd42f5..b4ebb85 100644
+index 5dd42f5..634182b 100644
--- a/quota.te
+++ b/quota.te
@@ -7,7 +7,8 @@ policy_module(quota, 1.5.0)
@@ -44303,7 +45093,7 @@ index 5dd42f5..b4ebb85 100644
userdom_dontaudit_use_unpriv_user_fds(quota_t)
optional_policy(`
-@@ -82,3 +97,34 @@ optional_policy(`
+@@ -82,3 +97,33 @@ optional_policy(`
optional_policy(`
udev_read_db(quota_t)
')
@@ -44322,7 +45112,6 @@ index 5dd42f5..b4ebb85 100644
+
+kernel_read_network_state(quota_nld_t)
+
-+files_read_etc_files(quota_nld_t)
+
+auth_use_nsswitch(quota_nld_t)
+
@@ -44488,7 +45277,7 @@ index 75e5dc4..87d75fe 100644
init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/radius.te b/radius.te
-index b1ed1bf..4719120 100644
+index b1ed1bf..7658e20 100644
--- a/radius.te
+++ b/radius.te
@@ -62,6 +62,7 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
@@ -44507,7 +45296,15 @@ index b1ed1bf..4719120 100644
corenet_tcp_connect_mysqld_port(radiusd_t)
corenet_tcp_connect_snmp_port(radiusd_t)
corenet_sendrecv_radius_server_packets(radiusd_t)
-@@ -113,6 +115,8 @@ logging_send_syslog_msg(radiusd_t)
+@@ -99,7 +101,6 @@ corecmd_exec_shell(radiusd_t)
+ domain_use_interactive_fds(radiusd_t)
+
+ files_read_usr_files(radiusd_t)
+-files_read_etc_files(radiusd_t)
+ files_read_etc_runtime_files(radiusd_t)
+
+ auth_use_nsswitch(radiusd_t)
+@@ -113,6 +114,8 @@ logging_send_syslog_msg(radiusd_t)
miscfiles_read_localization(radiusd_t)
miscfiles_read_generic_certs(radiusd_t)
@@ -44539,6 +45336,18 @@ index be05bff..7b00e1e 100644
init_labeled_script_domtrans($1, radvd_initrc_exec_t)
domain_system_change_exemption($1)
+diff --git a/radvd.te b/radvd.te
+index f9a2162..8f0c6bc 100644
+--- a/radvd.te
++++ b/radvd.te
+@@ -61,7 +61,6 @@ fs_search_auto_mountpoints(radvd_t)
+
+ domain_use_interactive_fds(radvd_t)
+
+-files_read_etc_files(radvd_t)
+ files_list_usr(radvd_t)
+
+ auth_use_nsswitch(radvd_t)
diff --git a/raid.fc b/raid.fc
index ed9c70d..c298507 100644
--- a/raid.fc
@@ -44589,7 +45398,7 @@ index b1a85b5..db0d815 100644
##
##
diff --git a/raid.te b/raid.te
-index 641f677..6e754eb 100644
+index 641f677..1e3cf4c 100644
--- a/raid.te
+++ b/raid.te
@@ -10,11 +10,9 @@ type mdadm_exec_t;
@@ -44633,7 +45442,7 @@ index 641f677..6e754eb 100644
kernel_rw_software_raid_state(mdadm_t)
kernel_getattr_core_if(mdadm_t)
-@@ -52,14 +52,17 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t)
+@@ -52,14 +52,16 @@ dev_dontaudit_getattr_generic_blk_files(mdadm_t)
dev_read_realtime_clock(mdadm_t)
# unfortunately needed for DMI decoding:
dev_read_raw_memory(mdadm_t)
@@ -44642,7 +45451,7 @@ index 641f677..6e754eb 100644
+domain_read_all_domains_state(mdadm_t)
domain_use_interactive_fds(mdadm_t)
- files_read_etc_files(mdadm_t)
+-files_read_etc_files(mdadm_t)
files_read_etc_runtime_files(mdadm_t)
-files_dontaudit_getattr_all_files(mdadm_t)
+files_dontaudit_getattr_tmpfs_files(mdadm_t)
@@ -44653,7 +45462,7 @@ index 641f677..6e754eb 100644
fs_dontaudit_list_tmpfs(mdadm_t)
mls_file_read_all_levels(mdadm_t)
-@@ -69,10 +72,13 @@ mls_file_write_all_levels(mdadm_t)
+@@ -69,10 +71,13 @@ mls_file_write_all_levels(mdadm_t)
storage_manage_fixed_disk(mdadm_t)
storage_dev_filetrans_fixed_disk(mdadm_t)
storage_read_scsi_generic(mdadm_t)
@@ -44667,7 +45476,7 @@ index 641f677..6e754eb 100644
init_dontaudit_getattr_initctl(mdadm_t)
logging_send_syslog_msg(mdadm_t)
-@@ -86,6 +92,10 @@ userdom_dontaudit_use_user_terminals(mdadm_t)
+@@ -86,6 +91,10 @@ userdom_dontaudit_use_user_terminals(mdadm_t)
mta_send_mail(mdadm_t)
optional_policy(`
@@ -45179,7 +45988,7 @@ index b4ac57e..ef944a4 100644
logging_send_syslog_msg(readahead_t)
logging_set_audit_parameters(readahead_t)
diff --git a/remotelogin.te b/remotelogin.te
-index 0a76027..a475797 100644
+index 0a76027..a3bc03a 100644
--- a/remotelogin.te
+++ b/remotelogin.te
@@ -10,9 +10,6 @@ domain_interactive_fd(remote_login_t)
@@ -45212,7 +46021,15 @@ index 0a76027..a475797 100644
auth_rw_login_records(remote_login_t)
auth_rw_faillog(remote_login_t)
-@@ -77,7 +72,7 @@ files_list_mnt(remote_login_t)
+@@ -64,7 +59,6 @@ corecmd_read_bin_sockets(remote_login_t)
+
+ domain_read_all_entry_files(remote_login_t)
+
+-files_read_etc_files(remote_login_t)
+ files_read_etc_runtime_files(remote_login_t)
+ files_list_home(remote_login_t)
+ files_read_usr_files(remote_login_t)
+@@ -77,7 +71,7 @@ files_list_mnt(remote_login_t)
# for when /var/mail is a sym-link
files_read_var_symlinks(remote_login_t)
@@ -45221,7 +46038,7 @@ index 0a76027..a475797 100644
miscfiles_read_localization(remote_login_t)
-@@ -87,34 +82,28 @@ userdom_search_user_home_content(remote_login_t)
+@@ -87,34 +81,28 @@ userdom_search_user_home_content(remote_login_t)
# since very weak authentication is used.
userdom_signal_unpriv_users(remote_login_t)
userdom_spec_domtrans_unpriv_users(remote_login_t)
@@ -45808,7 +46625,7 @@ index de37806..3e870b7 100644
+ relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
+')
diff --git a/rhcs.te b/rhcs.te
-index 93c896a..cdee904 100644
+index 93c896a..708da10 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -12,7 +12,16 @@ policy_module(rhcs, 1.1.0)
@@ -45937,7 +46754,7 @@ index 93c896a..cdee904 100644
')
optional_policy(`
-@@ -114,13 +154,43 @@ optional_policy(`
+@@ -114,13 +154,42 @@ optional_policy(`
lvm_read_config(fenced_t)
')
@@ -45960,7 +46777,6 @@ index 93c896a..cdee904 100644
+
+dev_read_urand(foghorn_t)
+
-+files_read_etc_files(foghorn_t)
+files_read_usr_files(foghorn_t)
+
+optional_policy(`
@@ -45982,7 +46798,7 @@ index 93c896a..cdee904 100644
allow gfs_controld_t self:shm create_shm_perms;
allow gfs_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -139,10 +209,6 @@ storage_getattr_removable_dev(gfs_controld_t)
+@@ -139,10 +208,6 @@ storage_getattr_removable_dev(gfs_controld_t)
init_rw_script_tmp_files(gfs_controld_t)
optional_policy(`
@@ -45993,7 +46809,7 @@ index 93c896a..cdee904 100644
lvm_exec(gfs_controld_t)
dev_rw_lvm_control(gfs_controld_t)
')
-@@ -154,9 +220,10 @@ optional_policy(`
+@@ -154,12 +219,12 @@ optional_policy(`
allow groupd_t self:capability { sys_nice sys_resource };
allow groupd_t self:process setsched;
@@ -46004,8 +46820,11 @@ index 93c896a..cdee904 100644
+
dev_list_sysfs(groupd_t)
- files_read_etc_files(groupd_t)
-@@ -168,8 +235,7 @@ init_rw_script_tmp_files(groupd_t)
+-files_read_etc_files(groupd_t)
+
+ init_rw_script_tmp_files(groupd_t)
+
+@@ -168,8 +233,7 @@ init_rw_script_tmp_files(groupd_t)
# qdiskd local policy
#
@@ -46015,7 +46834,7 @@ index 93c896a..cdee904 100644
allow qdiskd_t self:tcp_socket create_stream_socket_perms;
allow qdiskd_t self:udp_socket create_socket_perms;
-@@ -182,7 +248,7 @@ kernel_read_system_state(qdiskd_t)
+@@ -182,7 +246,7 @@ kernel_read_system_state(qdiskd_t)
kernel_read_software_raid_state(qdiskd_t)
kernel_getattr_core_if(qdiskd_t)
@@ -46024,16 +46843,17 @@ index 93c896a..cdee904 100644
corecmd_exec_shell(qdiskd_t)
dev_read_sysfs(qdiskd_t)
-@@ -199,6 +265,8 @@ files_dontaudit_getattr_all_sockets(qdiskd_t)
- files_dontaudit_getattr_all_pipes(qdiskd_t)
- files_read_etc_files(qdiskd_t)
+@@ -197,7 +261,8 @@ domain_dontaudit_getattr_all_sockets(qdiskd_t)
-+fs_list_hugetlbfs(qdiskd_t)
+ files_dontaudit_getattr_all_sockets(qdiskd_t)
+ files_dontaudit_getattr_all_pipes(qdiskd_t)
+-files_read_etc_files(qdiskd_t)
+
++fs_list_hugetlbfs(qdiskd_t)
+
storage_raw_read_removable_device(qdiskd_t)
storage_raw_write_removable_device(qdiskd_t)
- storage_raw_read_fixed_disk(qdiskd_t)
-@@ -207,10 +275,6 @@ storage_raw_write_fixed_disk(qdiskd_t)
+@@ -207,10 +272,6 @@ storage_raw_write_fixed_disk(qdiskd_t)
auth_use_nsswitch(qdiskd_t)
optional_policy(`
@@ -46044,7 +46864,7 @@ index 93c896a..cdee904 100644
netutils_domtrans_ping(qdiskd_t)
')
-@@ -223,18 +287,28 @@ optional_policy(`
+@@ -223,18 +284,28 @@ optional_policy(`
# rhcs domains common policy
#
@@ -46658,7 +47478,7 @@ index f7826f9..23d579c 100644
+ admin_pattern($1, ricci_var_run_t)
+')
diff --git a/ricci.te b/ricci.te
-index 33e72e8..8e98863 100644
+index 33e72e8..858e0be 100644
--- a/ricci.te
+++ b/ricci.te
@@ -7,9 +7,11 @@ policy_module(ricci, 1.7.0)
@@ -46704,7 +47524,15 @@ index 33e72e8..8e98863 100644
corecmd_exec_bin(ricci_t)
-@@ -170,6 +175,10 @@ optional_policy(`
+@@ -123,7 +128,6 @@ dev_read_urand(ricci_t)
+
+ domain_read_all_domains_state(ricci_t)
+
+-files_read_etc_files(ricci_t)
+ files_read_etc_runtime_files(ricci_t)
+ files_create_boot_flag(ricci_t)
+
+@@ -170,6 +174,10 @@ optional_policy(`
')
optional_policy(`
@@ -46715,7 +47543,7 @@ index 33e72e8..8e98863 100644
unconfined_use_fds(ricci_t)
')
-@@ -193,7 +202,8 @@ corecmd_exec_shell(ricci_modcluster_t)
+@@ -193,15 +201,17 @@ corecmd_exec_shell(ricci_modcluster_t)
corecmd_exec_bin(ricci_modcluster_t)
corenet_tcp_bind_cluster_port(ricci_modclusterd_t)
@@ -46725,8 +47553,9 @@ index 33e72e8..8e98863 100644
domain_read_all_domains_state(ricci_modcluster_t)
-@@ -202,6 +212,8 @@ files_read_etc_runtime_files(ricci_modcluster_t)
- files_read_etc_files(ricci_modcluster_t)
+ files_search_locks(ricci_modcluster_t)
+ files_read_etc_runtime_files(ricci_modcluster_t)
+-files_read_etc_files(ricci_modcluster_t)
files_search_usr(ricci_modcluster_t)
+auth_use_nsswitch(ricci_modcluster_t)
@@ -46734,7 +47563,7 @@ index 33e72e8..8e98863 100644
init_exec(ricci_modcluster_t)
init_domtrans_script(ricci_modcluster_t)
-@@ -209,13 +221,9 @@ logging_send_syslog_msg(ricci_modcluster_t)
+@@ -209,13 +219,9 @@ logging_send_syslog_msg(ricci_modcluster_t)
miscfiles_read_localization(ricci_modcluster_t)
@@ -46751,7 +47580,7 @@ index 33e72e8..8e98863 100644
optional_policy(`
aisexec_stream_connect(ricci_modcluster_t)
-@@ -233,7 +241,15 @@ optional_policy(`
+@@ -233,7 +239,15 @@ optional_policy(`
')
optional_policy(`
@@ -46768,7 +47597,7 @@ index 33e72e8..8e98863 100644
')
optional_policy(`
-@@ -241,8 +257,7 @@ optional_policy(`
+@@ -241,8 +255,7 @@ optional_policy(`
')
optional_policy(`
@@ -46778,7 +47607,7 @@ index 33e72e8..8e98863 100644
')
########################################
-@@ -261,6 +276,10 @@ allow ricci_modclusterd_t self:socket create_socket_perms;
+@@ -261,6 +274,10 @@ allow ricci_modclusterd_t self:socket create_socket_perms;
allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;
@@ -46789,7 +47618,7 @@ index 33e72e8..8e98863 100644
allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
-@@ -272,6 +291,7 @@ files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock
+@@ -272,6 +289,7 @@ files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock
kernel_read_kernel_sysctls(ricci_modclusterd_t)
kernel_read_system_state(ricci_modclusterd_t)
@@ -46797,16 +47626,39 @@ index 33e72e8..8e98863 100644
corecmd_exec_bin(ricci_modclusterd_t)
-@@ -363,6 +383,8 @@ corecmd_exec_bin(ricci_modrpm_t)
- files_search_usr(ricci_modrpm_t)
- files_read_etc_files(ricci_modrpm_t)
+@@ -283,7 +301,6 @@ corenet_tcp_connect_ricci_modcluster_port(ricci_modclusterd_t)
-+logging_send_syslog_msg(ricci_modrpm_t)
+ domain_read_all_domains_state(ricci_modclusterd_t)
+
+-files_read_etc_files(ricci_modclusterd_t)
+ files_read_etc_runtime_files(ricci_modclusterd_t)
+
+ fs_getattr_xattr_fs(ricci_modclusterd_t)
+@@ -334,7 +351,6 @@ corecmd_exec_bin(ricci_modlog_t)
+
+ domain_read_all_domains_state(ricci_modlog_t)
+
+-files_read_etc_files(ricci_modlog_t)
+ files_search_usr(ricci_modlog_t)
+
+ logging_read_generic_logs(ricci_modlog_t)
+@@ -361,7 +377,8 @@ kernel_read_kernel_sysctls(ricci_modrpm_t)
+ corecmd_exec_bin(ricci_modrpm_t)
+
+ files_search_usr(ricci_modrpm_t)
+-files_read_etc_files(ricci_modrpm_t)
+
++logging_send_syslog_msg(ricci_modrpm_t)
+
miscfiles_read_localization(ricci_modrpm_t)
- optional_policy(`
-@@ -394,10 +416,10 @@ files_search_usr(ricci_modservice_t)
+@@ -388,16 +405,15 @@ kernel_read_system_state(ricci_modservice_t)
+ corecmd_exec_bin(ricci_modservice_t)
+ corecmd_exec_shell(ricci_modservice_t)
+
+-files_read_etc_files(ricci_modservice_t)
+ files_read_etc_runtime_files(ricci_modservice_t)
+ files_search_usr(ricci_modservice_t)
# Needed for running chkconfig
files_manage_etc_symlinks(ricci_modservice_t)
@@ -46819,7 +47671,7 @@ index 33e72e8..8e98863 100644
miscfiles_read_localization(ricci_modservice_t)
optional_policy(`
-@@ -405,6 +427,10 @@ optional_policy(`
+@@ -405,6 +421,10 @@ optional_policy(`
')
optional_policy(`
@@ -46830,7 +47682,7 @@ index 33e72e8..8e98863 100644
nscd_dontaudit_search_pid(ricci_modservice_t)
')
-@@ -418,7 +444,6 @@ optional_policy(`
+@@ -418,7 +438,6 @@ optional_policy(`
#
allow ricci_modstorage_t self:process { setsched signal };
@@ -46838,7 +47690,7 @@ index 33e72e8..8e98863 100644
allow ricci_modstorage_t self:capability { mknod sys_nice };
allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms;
allow ricci_modstorage_t self:unix_dgram_socket create_socket_perms;
-@@ -444,22 +469,22 @@ files_read_etc_runtime_files(ricci_modstorage_t)
+@@ -444,22 +463,22 @@ files_read_etc_runtime_files(ricci_modstorage_t)
files_read_usr_files(ricci_modstorage_t)
files_read_kernel_modules(ricci_modstorage_t)
@@ -46868,7 +47720,7 @@ index 33e72e8..8e98863 100644
optional_policy(`
aisexec_stream_connect(ricci_modstorage_t)
corosync_stream_connect(ricci_modstorage_t)
-@@ -471,12 +496,24 @@ optional_policy(`
+@@ -471,12 +490,24 @@ optional_policy(`
')
optional_policy(`
@@ -46941,7 +47793,7 @@ index 63e78c6..fdd8228 100644
type rlogind_home_t;
')
diff --git a/rlogin.te b/rlogin.te
-index d654552..706700d 100644
+index d654552..f8415f4 100644
--- a/rlogin.te
+++ b/rlogin.te
@@ -27,15 +27,14 @@ files_pid_file(rlogind_var_run_t)
@@ -46970,7 +47822,7 @@ index d654552..706700d 100644
manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t)
files_pid_filetrans(rlogind_t, rlogind_var_run_t, file)
-@@ -69,8 +67,10 @@ fs_getattr_xattr_fs(rlogind_t)
+@@ -69,10 +67,11 @@ fs_getattr_xattr_fs(rlogind_t)
fs_search_auto_mountpoints(rlogind_t)
auth_domtrans_chk_passwd(rlogind_t)
@@ -46979,9 +47831,11 @@ index d654552..706700d 100644
auth_use_nsswitch(rlogind_t)
+auth_login_pgm_domain(rlogind_t)
- files_read_etc_files(rlogind_t)
+-files_read_etc_files(rlogind_t)
files_read_etc_runtime_files(rlogind_t)
-@@ -88,27 +88,24 @@ seutil_read_config(rlogind_t)
+ files_search_home(rlogind_t)
+ files_search_default(rlogind_t)
+@@ -88,27 +87,24 @@ seutil_read_config(rlogind_t)
userdom_setattr_user_ptys(rlogind_t)
# cjp: this is egregious
userdom_read_user_home_content_files(rlogind_t)
@@ -47073,7 +47927,7 @@ index 5c70c0c..b0c22f7 100644
/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
+
diff --git a/rpc.if b/rpc.if
-index dddabcf..fa20a5d 100644
+index dddabcf..758d5bd 100644
--- a/rpc.if
+++ b/rpc.if
@@ -32,7 +32,11 @@ interface(`rpc_stub',`
@@ -47089,7 +47943,15 @@ index dddabcf..fa20a5d 100644
########################################
#
# Declarations
-@@ -152,7 +156,7 @@ interface(`rpc_dontaudit_getattr_exports',`
+@@ -95,7 +99,6 @@ template(`rpc_domain_template', `
+ fs_rw_rpc_named_pipes($1_t)
+ fs_search_auto_mountpoints($1_t)
+
+- files_read_etc_files($1_t)
+ files_read_etc_runtime_files($1_t)
+ files_search_var($1_t)
+ files_search_var_lib($1_t)
+@@ -152,7 +155,7 @@ interface(`rpc_dontaudit_getattr_exports',`
type exports_t;
')
@@ -47098,7 +47960,7 @@ index dddabcf..fa20a5d 100644
')
########################################
-@@ -188,7 +192,7 @@ interface(`rpc_write_exports',`
+@@ -188,7 +191,7 @@ interface(`rpc_write_exports',`
type exports_t;
')
@@ -47107,7 +47969,7 @@ index dddabcf..fa20a5d 100644
')
########################################
-@@ -229,6 +233,29 @@ interface(`rpc_initrc_domtrans_nfsd',`
+@@ -229,6 +232,29 @@ interface(`rpc_initrc_domtrans_nfsd',`
########################################
##
@@ -47137,7 +47999,7 @@ index dddabcf..fa20a5d 100644
## Execute domain in rpcd domain.
##
##
-@@ -246,6 +273,32 @@ interface(`rpc_domtrans_rpcd',`
+@@ -246,6 +272,32 @@ interface(`rpc_domtrans_rpcd',`
allow rpcd_t $1:process signal;
')
@@ -47170,7 +48032,7 @@ index dddabcf..fa20a5d 100644
#######################################
##
## Execute domain in rpcd domain.
-@@ -266,6 +319,29 @@ interface(`rpc_initrc_domtrans_rpcd',`
+@@ -266,6 +318,29 @@ interface(`rpc_initrc_domtrans_rpcd',`
########################################
##
@@ -47200,7 +48062,7 @@ index dddabcf..fa20a5d 100644
## Read NFS exported content.
##
##
-@@ -282,7 +358,7 @@ interface(`rpc_read_nfs_content',`
+@@ -282,7 +357,7 @@ interface(`rpc_read_nfs_content',`
allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms;
allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms;
@@ -47209,7 +48071,7 @@ index dddabcf..fa20a5d 100644
')
########################################
-@@ -329,7 +405,7 @@ interface(`rpc_manage_nfs_ro_content',`
+@@ -329,7 +404,7 @@ interface(`rpc_manage_nfs_ro_content',`
########################################
##
@@ -47218,7 +48080,7 @@ index dddabcf..fa20a5d 100644
##
##
##
-@@ -337,17 +413,17 @@ interface(`rpc_manage_nfs_ro_content',`
+@@ -337,17 +412,17 @@ interface(`rpc_manage_nfs_ro_content',`
##
##
#
@@ -47239,7 +48101,7 @@ index dddabcf..fa20a5d 100644
##
##
##
-@@ -355,17 +431,13 @@ interface(`rpc_tcp_rw_nfs_sockets',`
+@@ -355,17 +430,13 @@ interface(`rpc_tcp_rw_nfs_sockets',`
##
##
#
@@ -47260,7 +48122,7 @@ index dddabcf..fa20a5d 100644
##
##
##
-@@ -373,13 +445,18 @@ interface(`rpc_udp_rw_nfs_sockets',`
+@@ -373,13 +444,18 @@ interface(`rpc_udp_rw_nfs_sockets',`
##
##
#
@@ -47282,7 +48144,7 @@ index dddabcf..fa20a5d 100644
##
##
##
-@@ -387,13 +464,13 @@ interface(`rpc_udp_send_nfs',`
+@@ -387,13 +463,13 @@ interface(`rpc_udp_send_nfs',`
##
##
#
@@ -47298,7 +48160,7 @@ index dddabcf..fa20a5d 100644
')
########################################
-@@ -432,4 +509,5 @@ interface(`rpc_manage_nfs_state_data',`
+@@ -432,4 +508,5 @@ interface(`rpc_manage_nfs_state_data',`
files_search_var_lib($1)
manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
@@ -48232,6 +49094,26 @@ index 4c091ca..a58f123 100644
/usr/bin/rssh -- gen_context(system_u:object_r:rssh_exec_t,s0)
+
+/usr/libexec/rssh_chroot_helper -- gen_context(system_u:object_r:rssh_chroot_helper_exec_t,s0)
+diff --git a/rssh.te b/rssh.te
+index ffb9605..11dbdb2 100644
+--- a/rssh.te
++++ b/rssh.te
+@@ -63,7 +63,6 @@ manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t)
+ kernel_read_system_state(rssh_t)
+ kernel_read_kernel_sysctls(rssh_t)
+
+-files_read_etc_files(rssh_t)
+ files_read_etc_runtime_files(rssh_t)
+ files_list_home(rssh_t)
+ files_read_usr_files(rssh_t)
+@@ -95,7 +94,6 @@ allow rssh_chroot_helper_t self:unix_stream_socket create_stream_socket_perms;
+
+ domain_use_interactive_fds(rssh_chroot_helper_t)
+
+-files_read_etc_files(rssh_chroot_helper_t)
+
+ auth_use_nsswitch(rssh_chroot_helper_t)
+
diff --git a/rsync.if b/rsync.if
index 3386f29..8d8f6c5 100644
--- a/rsync.if
@@ -48309,7 +49191,7 @@ index 3386f29..8d8f6c5 100644
+ files_etc_filetrans($1, rsync_etc_t, $2)
+')
diff --git a/rsync.te b/rsync.te
-index ba98794..77a6381 100644
+index ba98794..19a06d9 100644
--- a/rsync.te
+++ b/rsync.te
@@ -7,6 +7,27 @@ policy_module(rsync, 1.11.1)
@@ -48358,7 +49240,15 @@ index ba98794..77a6381 100644
allow rsync_t rsync_data_t:dir list_dir_perms;
read_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
-@@ -105,7 +126,7 @@ logging_send_syslog_msg(rsync_t)
+@@ -95,7 +116,6 @@ dev_read_urand(rsync_t)
+
+ fs_getattr_xattr_fs(rsync_t)
+
+-files_read_etc_files(rsync_t)
+ files_search_home(rsync_t)
+
+ auth_use_nsswitch(rsync_t)
+@@ -105,7 +125,7 @@ logging_send_syslog_msg(rsync_t)
miscfiles_read_localization(rsync_t)
miscfiles_read_public_files(rsync_t)
@@ -48367,7 +49257,7 @@ index ba98794..77a6381 100644
miscfiles_manage_public_files(rsync_t)
')
-@@ -121,13 +142,39 @@ optional_policy(`
+@@ -121,13 +141,39 @@ optional_policy(`
inetd_service_domain(rsync_t, rsync_exec_t)
')
@@ -48852,7 +49742,7 @@ index 82cb169..9642fe3 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
-index fc22785..350850b 100644
+index fc22785..98b89c4 100644
--- a/samba.te
+++ b/samba.te
@@ -12,7 +12,7 @@ policy_module(samba, 1.14.1)
@@ -48899,7 +49789,15 @@ index fc22785..350850b 100644
type winbind_var_run_t;
files_pid_file(winbind_var_run_t)
-@@ -211,26 +219,35 @@ auth_manage_cache(samba_net_t)
+@@ -203,7 +211,6 @@ dev_read_urand(samba_net_t)
+
+ domain_use_interactive_fds(samba_net_t)
+
+-files_read_etc_files(samba_net_t)
+ files_read_usr_symlinks(samba_net_t)
+
+ auth_use_nsswitch(samba_net_t)
+@@ -211,26 +218,35 @@ auth_manage_cache(samba_net_t)
logging_send_syslog_msg(samba_net_t)
@@ -48938,7 +49836,7 @@ index fc22785..350850b 100644
dontaudit smbd_t self:capability sys_tty_config;
allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow smbd_t self:process setrlimit;
-@@ -249,6 +266,7 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+@@ -249,6 +265,7 @@ allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow smbd_t nmbd_t:process { signal signull };
allow smbd_t nmbd_var_run_t:file rw_file_perms;
@@ -48946,7 +49844,7 @@ index fc22785..350850b 100644
allow smbd_t samba_etc_t:file { rw_file_perms setattr };
-@@ -263,12 +281,13 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
+@@ -263,12 +280,13 @@ filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
@@ -48961,7 +49859,7 @@ index fc22785..350850b 100644
allow smbd_t smbcontrol_t:process { signal signull };
-@@ -279,7 +298,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
+@@ -279,7 +297,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
@@ -48970,7 +49868,7 @@ index fc22785..350850b 100644
allow smbd_t swat_t:process signal;
-@@ -316,6 +335,7 @@ corenet_tcp_connect_smbd_port(smbd_t)
+@@ -316,6 +334,7 @@ corenet_tcp_connect_smbd_port(smbd_t)
dev_read_sysfs(smbd_t)
dev_read_urand(smbd_t)
@@ -48978,7 +49876,7 @@ index fc22785..350850b 100644
dev_getattr_mtrr_dev(smbd_t)
dev_dontaudit_getattr_usbfs_dirs(smbd_t)
# For redhat bug 566984
-@@ -323,15 +343,18 @@ dev_getattr_all_blk_files(smbd_t)
+@@ -323,26 +342,29 @@ dev_getattr_all_blk_files(smbd_t)
dev_getattr_all_chr_files(smbd_t)
fs_getattr_all_fs(smbd_t)
@@ -48997,7 +49895,11 @@ index fc22785..350850b 100644
domain_use_interactive_fds(smbd_t)
domain_dontaudit_list_all_domains_state(smbd_t)
-@@ -343,6 +366,7 @@ files_read_usr_files(smbd_t)
+
+ files_list_var_lib(smbd_t)
+-files_read_etc_files(smbd_t)
+ files_read_etc_runtime_files(smbd_t)
+ files_read_usr_files(smbd_t)
files_search_spool(smbd_t)
# smbd seems to getattr all mountpoints
files_dontaudit_getattr_all_dirs(smbd_t)
@@ -49005,7 +49907,7 @@ index fc22785..350850b 100644
# Allow samba to list mnt_t for potential mounted dirs
files_list_mnt(smbd_t)
-@@ -354,6 +378,8 @@ logging_send_syslog_msg(smbd_t)
+@@ -354,6 +376,8 @@ logging_send_syslog_msg(smbd_t)
miscfiles_read_localization(smbd_t)
miscfiles_read_public_files(smbd_t)
@@ -49014,7 +49916,7 @@ index fc22785..350850b 100644
userdom_use_unpriv_users_fds(smbd_t)
userdom_search_user_home_content(smbd_t)
userdom_signal_all_users(smbd_t)
-@@ -368,8 +394,13 @@ ifdef(`hide_broken_symptoms', `
+@@ -368,8 +392,13 @@ ifdef(`hide_broken_symptoms', `
fs_dontaudit_getattr_tmpfs_dirs(smbd_t)
')
@@ -49029,7 +49931,7 @@ index fc22785..350850b 100644
')
tunable_policy(`samba_domain_controller',`
-@@ -385,12 +416,7 @@ tunable_policy(`samba_domain_controller',`
+@@ -385,12 +414,7 @@ tunable_policy(`samba_domain_controller',`
')
tunable_policy(`samba_enable_home_dirs',`
@@ -49043,7 +49945,7 @@ index fc22785..350850b 100644
')
# Support Samba sharing of NFS mount points
-@@ -411,6 +437,11 @@ tunable_policy(`samba_share_fusefs',`
+@@ -411,6 +435,11 @@ tunable_policy(`samba_share_fusefs',`
')
optional_policy(`
@@ -49055,7 +49957,7 @@ index fc22785..350850b 100644
cups_read_rw_config(smbd_t)
cups_stream_connect(smbd_t)
')
-@@ -421,6 +452,11 @@ optional_policy(`
+@@ -421,6 +450,11 @@ optional_policy(`
')
optional_policy(`
@@ -49067,7 +49969,7 @@ index fc22785..350850b 100644
lpd_exec_lpr(smbd_t)
')
-@@ -444,26 +480,26 @@ optional_policy(`
+@@ -444,26 +478,26 @@ optional_policy(`
tunable_policy(`samba_create_home_dirs',`
allow smbd_t self:capability chown;
userdom_create_user_home_dirs(smbd_t)
@@ -49106,7 +50008,7 @@ index fc22785..350850b 100644
########################################
#
# nmbd Local policy
-@@ -483,8 +519,11 @@ allow nmbd_t self:udp_socket create_socket_perms;
+@@ -483,8 +517,11 @@ allow nmbd_t self:udp_socket create_socket_perms;
allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -49119,7 +50021,7 @@ index fc22785..350850b 100644
read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
-@@ -496,8 +535,6 @@ manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
+@@ -496,8 +533,6 @@ manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
allow nmbd_t smbcontrol_t:process signal;
@@ -49128,7 +50030,15 @@ index fc22785..350850b 100644
kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t)
kernel_read_kernel_sysctls(nmbd_t)
-@@ -554,18 +591,21 @@ optional_policy(`
+@@ -528,7 +563,6 @@ fs_search_auto_mountpoints(nmbd_t)
+ domain_use_interactive_fds(nmbd_t)
+
+ files_read_usr_files(nmbd_t)
+-files_read_etc_files(nmbd_t)
+ files_list_var_lib(nmbd_t)
+
+ auth_use_nsswitch(nmbd_t)
+@@ -554,18 +588,21 @@ optional_policy(`
# smbcontrol local policy
#
@@ -49154,15 +50064,15 @@ index fc22785..350850b 100644
samba_read_config(smbcontrol_t)
samba_rw_var_files(smbcontrol_t)
samba_search_var(smbcontrol_t)
-@@ -573,11 +613,21 @@ samba_read_winbind_pid(smbcontrol_t)
+@@ -573,11 +610,20 @@ samba_read_winbind_pid(smbcontrol_t)
domain_use_interactive_fds(smbcontrol_t)
+-files_read_etc_files(smbcontrol_t)
+dev_read_urand(smbcontrol_t)
+
+term_use_console(smbcontrol_t)
+
- files_read_etc_files(smbcontrol_t)
miscfiles_read_localization(smbcontrol_t)
@@ -49177,7 +50087,7 @@ index fc22785..350850b 100644
########################################
#
-@@ -596,7 +646,7 @@ allow smbmount_t samba_etc_t:file read_file_perms;
+@@ -596,7 +642,7 @@ allow smbmount_t samba_etc_t:file read_file_perms;
can_exec(smbmount_t, smbmount_exec_t)
@@ -49186,7 +50096,13 @@ index fc22785..350850b 100644
allow smbmount_t samba_log_t:file manage_file_perms;
allow smbmount_t samba_secrets_t:file manage_file_perms;
-@@ -643,19 +693,21 @@ auth_use_nsswitch(smbmount_t)
+@@ -637,25 +683,26 @@ files_list_mnt(smbmount_t)
+ files_mounton_mnt(smbmount_t)
+ files_manage_etc_runtime_files(smbmount_t)
+ files_etc_filetrans_etc_runtime(smbmount_t, file)
+-files_read_etc_files(smbmount_t)
+
+ auth_use_nsswitch(smbmount_t)
miscfiles_read_localization(smbmount_t)
@@ -49211,7 +50127,7 @@ index fc22785..350850b 100644
########################################
#
# SWAT Local policy
-@@ -676,7 +728,8 @@ samba_domtrans_nmbd(swat_t)
+@@ -676,7 +723,8 @@ samba_domtrans_nmbd(swat_t)
allow swat_t nmbd_t:process { signal signull };
allow nmbd_t swat_t:process signal;
@@ -49221,7 +50137,7 @@ index fc22785..350850b 100644
allow swat_t smbd_port_t:tcp_socket name_bind;
-@@ -691,12 +744,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+@@ -691,12 +739,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
manage_files_pattern(swat_t, samba_var_t, samba_var_t)
@@ -49236,7 +50152,7 @@ index fc22785..350850b 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -709,6 +764,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+@@ -709,6 +759,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
allow swat_t winbind_t:process { signal signull };
@@ -49244,7 +50160,15 @@ index fc22785..350850b 100644
allow swat_t winbind_var_run_t:dir { write add_name remove_name };
allow swat_t winbind_var_run_t:sock_file { create unlink };
-@@ -751,8 +807,12 @@ logging_send_syslog_msg(swat_t)
+@@ -736,7 +787,6 @@ corenet_sendrecv_ipp_client_packets(swat_t)
+ dev_read_urand(swat_t)
+
+ files_list_var_lib(swat_t)
+-files_read_etc_files(swat_t)
+ files_search_home(swat_t)
+ files_read_usr_files(swat_t)
+ fs_getattr_xattr_fs(swat_t)
+@@ -751,8 +801,12 @@ logging_send_syslog_msg(swat_t)
logging_send_audit_msgs(swat_t)
logging_search_logs(swat_t)
@@ -49257,16 +50181,17 @@ index fc22785..350850b 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -782,7 +842,7 @@ allow winbind_t self:udp_socket create_socket_perms;
+@@ -782,7 +836,8 @@ allow winbind_t self:udp_socket create_socket_perms;
allow winbind_t nmbd_t:process { signal signull };
-allow winbind_t nmbd_var_run_t:file read_file_perms;
+read_files_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t)
++samba_stream_connect_nmbd(winbind_t)
allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -805,15 +865,19 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -805,15 +860,19 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
allow winbind_t winbind_log_t:file manage_file_perms;
logging_log_filetrans(winbind_t, winbind_log_t, file)
@@ -49291,7 +50216,7 @@ index fc22785..350850b 100644
kernel_read_kernel_sysctls(winbind_t)
kernel_read_system_state(winbind_t)
-@@ -832,6 +896,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -832,6 +891,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
corenet_tcp_bind_generic_node(winbind_t)
corenet_udp_bind_generic_node(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
@@ -49299,9 +50224,11 @@ index fc22785..350850b 100644
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -849,10 +914,14 @@ domain_use_interactive_fds(winbind_t)
+@@ -847,12 +907,15 @@ auth_manage_cache(winbind_t)
- files_read_etc_files(winbind_t)
+ domain_use_interactive_fds(winbind_t)
+
+-files_read_etc_files(winbind_t)
files_read_usr_symlinks(winbind_t)
+files_list_var_lib(winbind_t)
@@ -49314,7 +50241,7 @@ index fc22785..350850b 100644
userdom_dontaudit_use_unpriv_user_fds(winbind_t)
userdom_manage_user_home_content_dirs(winbind_t)
-@@ -863,6 +932,11 @@ userdom_manage_user_home_content_sockets(winbind_t)
+@@ -863,6 +926,11 @@ userdom_manage_user_home_content_sockets(winbind_t)
userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
optional_policy(`
@@ -49326,7 +50253,7 @@ index fc22785..350850b 100644
kerberos_use(winbind_t)
')
-@@ -901,9 +975,10 @@ auth_use_nsswitch(winbind_helper_t)
+@@ -901,9 +969,10 @@ auth_use_nsswitch(winbind_helper_t)
logging_send_syslog_msg(winbind_helper_t)
@@ -49339,7 +50266,7 @@ index fc22785..350850b 100644
optional_policy(`
apache_append_log(winbind_helper_t)
-@@ -921,19 +996,34 @@ optional_policy(`
+@@ -921,19 +990,34 @@ optional_policy(`
#
optional_policy(`
@@ -49385,15 +50312,15 @@ index fc22785..350850b 100644
+ can_exec(smbd_t, samba_unconfined_script_exec_t)
')
diff --git a/sambagui.te b/sambagui.te
-index 1898dbd..ba62525 100644
+index 1898dbd..1651a2f 100644
--- a/sambagui.te
+++ b/sambagui.te
-@@ -27,16 +27,20 @@ corecmd_exec_bin(sambagui_t)
+@@ -27,16 +27,19 @@ corecmd_exec_bin(sambagui_t)
dev_dontaudit_read_urand(sambagui_t)
+-files_read_etc_files(sambagui_t)
+files_read_usr_files(sambagui_t)
- files_read_etc_files(sambagui_t)
files_search_var_lib(sambagui_t)
files_read_usr_files(sambagui_t)
@@ -49409,7 +50336,7 @@ index 1898dbd..ba62525 100644
optional_policy(`
consoletype_exec(sambagui_t)
')
-@@ -56,6 +60,7 @@ optional_policy(`
+@@ -56,6 +59,7 @@ optional_policy(`
samba_manage_var_files(sambagui_t)
samba_read_secrets(sambagui_t)
samba_initrc_domtrans(sambagui_t)
@@ -50416,7 +51343,7 @@ index cfe3172..3eb745d 100644
+
')
diff --git a/sanlock.te b/sanlock.te
-index e02eb6c..c4130e0 100644
+index e02eb6c..d3d5c26 100644
--- a/sanlock.te
+++ b/sanlock.te
@@ -1,4 +1,4 @@
@@ -50460,7 +51387,7 @@ index e02eb6c..c4130e0 100644
allow sanlock_t self:fifo_file rw_fifo_file_perms;
allow sanlock_t self:unix_stream_socket create_stream_socket_perms;
-@@ -58,6 +59,7 @@ manage_sock_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
+@@ -58,15 +59,17 @@ manage_sock_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
kernel_read_system_state(sanlock_t)
@@ -50468,7 +51395,9 @@ index e02eb6c..c4130e0 100644
domain_use_interactive_fds(sanlock_t)
-@@ -67,6 +69,8 @@ storage_raw_rw_fixed_disk(sanlock_t)
+-files_read_etc_files(sanlock_t)
+
+ storage_raw_rw_fixed_disk(sanlock_t)
dev_read_urand(sanlock_t)
@@ -50477,7 +51406,7 @@ index e02eb6c..c4130e0 100644
init_read_utmp(sanlock_t)
init_dontaudit_write_utmp(sanlock_t)
-@@ -75,19 +79,25 @@ logging_send_syslog_msg(sanlock_t)
+@@ -75,19 +78,25 @@ logging_send_syslog_msg(sanlock_t)
miscfiles_read_localization(sanlock_t)
tunable_policy(`sanlock_use_nfs',`
@@ -51135,7 +52064,7 @@ index 7e94c7c..ca74cd9 100644
+ admin_pattern($1, mail_spool_t)
+')
diff --git a/sendmail.te b/sendmail.te
-index 22dac1f..e2f2d7d 100644
+index 22dac1f..ba891c5 100644
--- a/sendmail.te
+++ b/sendmail.te
@@ -19,9 +19,8 @@ mta_sendmail_mailserver(sendmail_t)
@@ -51150,7 +52079,12 @@ index 22dac1f..e2f2d7d 100644
########################################
#
-@@ -84,12 +83,14 @@ files_read_usr_files(sendmail_t)
+@@ -79,17 +78,18 @@ corecmd_exec_bin(sendmail_t)
+
+ domain_use_interactive_fds(sendmail_t)
+
+-files_read_etc_files(sendmail_t)
+ files_read_usr_files(sendmail_t)
files_search_spool(sendmail_t)
# for piping mail to a command
files_read_etc_runtime_files(sendmail_t)
@@ -51165,7 +52099,7 @@ index 22dac1f..e2f2d7d 100644
auth_use_nsswitch(sendmail_t)
-@@ -103,7 +104,7 @@ miscfiles_read_generic_certs(sendmail_t)
+@@ -103,7 +103,7 @@ miscfiles_read_generic_certs(sendmail_t)
miscfiles_read_localization(sendmail_t)
userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
@@ -51174,7 +52108,7 @@ index 22dac1f..e2f2d7d 100644
mta_read_config(sendmail_t)
mta_etc_filetrans_aliases(sendmail_t)
-@@ -115,6 +116,10 @@ mta_manage_spool(sendmail_t)
+@@ -115,6 +115,10 @@ mta_manage_spool(sendmail_t)
mta_sendmail_exec(sendmail_t)
optional_policy(`
@@ -51185,7 +52119,7 @@ index 22dac1f..e2f2d7d 100644
cron_read_pipes(sendmail_t)
')
-@@ -128,7 +133,14 @@ optional_policy(`
+@@ -128,7 +132,14 @@ optional_policy(`
')
optional_policy(`
@@ -51200,7 +52134,7 @@ index 22dac1f..e2f2d7d 100644
')
optional_policy(`
-@@ -149,7 +161,9 @@ optional_policy(`
+@@ -149,7 +160,9 @@ optional_policy(`
')
optional_policy(`
@@ -51210,7 +52144,7 @@ index 22dac1f..e2f2d7d 100644
postfix_read_config(sendmail_t)
postfix_search_spool(sendmail_t)
')
-@@ -168,20 +182,13 @@ optional_policy(`
+@@ -168,20 +181,13 @@ optional_policy(`
')
optional_policy(`
@@ -51306,7 +52240,7 @@ index bcdd16c..039b0c8 100644
files_list_var_lib($1)
admin_pattern($1, setroubleshoot_var_lib_t)
diff --git a/setroubleshoot.te b/setroubleshoot.te
-index 086cd5f..4e69f51 100644
+index 086cd5f..4a9afaa 100644
--- a/setroubleshoot.te
+++ b/setroubleshoot.te
@@ -13,6 +13,7 @@ init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
@@ -51352,7 +52286,13 @@ index 086cd5f..4e69f51 100644
corenet_all_recvfrom_unlabeled(setroubleshootd_t)
corenet_all_recvfrom_netlabel(setroubleshootd_t)
-@@ -85,6 +92,7 @@ files_getattr_all_files(setroubleshootd_t)
+@@ -79,12 +86,12 @@ domain_dontaudit_search_all_domains_state(setroubleshootd_t)
+ domain_signull_all_domains(setroubleshootd_t)
+
+ files_read_usr_files(setroubleshootd_t)
+-files_read_etc_files(setroubleshootd_t)
+ files_list_all(setroubleshootd_t)
+ files_getattr_all_files(setroubleshootd_t)
files_getattr_all_pipes(setroubleshootd_t)
files_getattr_all_sockets(setroubleshootd_t)
files_read_all_symlinks(setroubleshootd_t)
@@ -51360,7 +52300,7 @@ index 086cd5f..4e69f51 100644
fs_getattr_all_dirs(setroubleshootd_t)
fs_getattr_all_files(setroubleshootd_t)
-@@ -95,6 +103,7 @@ fs_dontaudit_read_cifs_files(setroubleshootd_t)
+@@ -95,6 +102,7 @@ fs_dontaudit_read_cifs_files(setroubleshootd_t)
selinux_get_enforce_mode(setroubleshootd_t)
selinux_validate_context(setroubleshootd_t)
@@ -51368,7 +52308,7 @@ index 086cd5f..4e69f51 100644
term_dontaudit_use_all_ptys(setroubleshootd_t)
term_dontaudit_use_all_ttys(setroubleshootd_t)
-@@ -104,6 +113,8 @@ auth_use_nsswitch(setroubleshootd_t)
+@@ -104,6 +112,8 @@ auth_use_nsswitch(setroubleshootd_t)
init_read_utmp(setroubleshootd_t)
init_dontaudit_write_utmp(setroubleshootd_t)
@@ -51377,7 +52317,7 @@ index 086cd5f..4e69f51 100644
miscfiles_read_localization(setroubleshootd_t)
locallogin_dontaudit_use_fds(setroubleshootd_t)
-@@ -112,8 +123,6 @@ logging_send_audit_msgs(setroubleshootd_t)
+@@ -112,8 +122,6 @@ logging_send_audit_msgs(setroubleshootd_t)
logging_send_syslog_msg(setroubleshootd_t)
logging_stream_connect_dispatcher(setroubleshootd_t)
@@ -51386,7 +52326,7 @@ index 086cd5f..4e69f51 100644
seutil_read_config(setroubleshootd_t)
seutil_read_file_contexts(setroubleshootd_t)
seutil_read_bin_policy(setroubleshootd_t)
-@@ -121,10 +130,23 @@ seutil_read_bin_policy(setroubleshootd_t)
+@@ -121,10 +129,23 @@ seutil_read_bin_policy(setroubleshootd_t)
userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
optional_policy(`
@@ -51410,7 +52350,7 @@ index 086cd5f..4e69f51 100644
rpm_signull(setroubleshootd_t)
rpm_read_db(setroubleshootd_t)
rpm_dontaudit_manage_db(setroubleshootd_t)
-@@ -151,7 +173,12 @@ kernel_read_system_state(setroubleshoot_fixit_t)
+@@ -151,10 +172,14 @@ kernel_read_system_state(setroubleshoot_fixit_t)
corecmd_exec_bin(setroubleshoot_fixit_t)
corecmd_exec_shell(setroubleshoot_fixit_t)
@@ -51422,8 +52362,11 @@ index 086cd5f..4e69f51 100644
+seutil_read_module_store(setroubleshoot_fixit_t)
files_read_usr_files(setroubleshoot_fixit_t)
- files_read_etc_files(setroubleshoot_fixit_t)
-@@ -164,6 +191,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t)
+-files_read_etc_files(setroubleshoot_fixit_t)
+ files_list_tmp(setroubleshoot_fixit_t)
+
+ auth_use_nsswitch(setroubleshoot_fixit_t)
+@@ -164,6 +189,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t)
miscfiles_read_localization(setroubleshoot_fixit_t)
@@ -51459,10 +52402,10 @@ index 0000000..839f1b3
+
diff --git a/sge.te b/sge.te
new file mode 100644
-index 0000000..803c998
+index 0000000..fc15a71
--- /dev/null
+++ b/sge.te
-@@ -0,0 +1,195 @@
+@@ -0,0 +1,194 @@
+policy_module(sge, 1.0.0)
+
+########################################
@@ -51626,7 +52569,6 @@ index 0000000..803c998
+
+domain_read_all_domains_state(sge_domain)
+
-+files_read_etc_files(sge_domain)
+files_read_usr_files(sge_domain)
+
+dev_read_urand(sge_domain)
@@ -51751,7 +52693,7 @@ index 781ad7e..d5ce40a 100644
init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/shorewall.te b/shorewall.te
-index 4723c6b..7b0d35f 100644
+index 4723c6b..b0c2be4 100644
--- a/shorewall.te
+++ b/shorewall.te
@@ -37,7 +37,7 @@ logging_log_file(shorewall_log_t)
@@ -51773,7 +52715,15 @@ index 4723c6b..7b0d35f 100644
allow shorewall_t shorewall_initrc_exec_t:file read_file_perms;
-@@ -83,13 +86,22 @@ fs_getattr_all_fs(shorewall_t)
+@@ -75,7 +78,6 @@ dev_read_urand(shorewall_t)
+ domain_read_all_domains_state(shorewall_t)
+
+ files_getattr_kernel_modules(shorewall_t)
+-files_read_etc_files(shorewall_t)
+ files_read_usr_files(shorewall_t)
+ files_search_kernel_modules(shorewall_t)
+
+@@ -83,13 +85,22 @@ fs_getattr_all_fs(shorewall_t)
init_rw_utmp(shorewall_t)
@@ -51914,7 +52864,7 @@ index d0604cf..b66057c 100644
##
##
diff --git a/shutdown.te b/shutdown.te
-index 8966ec9..d3528a0 100644
+index 8966ec9..7b4a2d4 100644
--- a/shutdown.te
+++ b/shutdown.te
@@ -7,6 +7,7 @@ policy_module(shutdown, 1.1.0)
@@ -51936,7 +52886,7 @@ index 8966ec9..d3528a0 100644
allow shutdown_t self:fifo_file manage_fifo_file_perms;
allow shutdown_t self:unix_stream_socket create_stream_socket_perms;
-@@ -33,18 +34,22 @@ files_etc_filetrans(shutdown_t, shutdown_etc_t, file)
+@@ -33,18 +34,21 @@ files_etc_filetrans(shutdown_t, shutdown_etc_t, file)
manage_files_pattern(shutdown_t, shutdown_var_run_t, shutdown_var_run_t)
files_pid_filetrans(shutdown_t, shutdown_var_run_t, file)
@@ -51944,7 +52894,7 @@ index 8966ec9..d3528a0 100644
+
domain_use_interactive_fds(shutdown_t)
- files_read_etc_files(shutdown_t)
+-files_read_etc_files(shutdown_t)
files_read_generic_pids(shutdown_t)
+files_delete_boot_flag(shutdown_t)
+
@@ -51962,7 +52912,7 @@ index 8966ec9..d3528a0 100644
init_stream_connect(shutdown_t)
init_telinit(shutdown_t)
-@@ -54,10 +59,24 @@ logging_send_audit_msgs(shutdown_t)
+@@ -54,10 +58,24 @@ logging_send_audit_msgs(shutdown_t)
miscfiles_read_localization(shutdown_t)
optional_policy(`
@@ -51987,6 +52937,18 @@ index 8966ec9..d3528a0 100644
xserver_dontaudit_write_log(shutdown_t)
+ xserver_xdm_append_log(shutdown_t)
')
+diff --git a/slocate.te b/slocate.te
+index a225c02..b53997a 100644
+--- a/slocate.te
++++ b/slocate.te
+@@ -43,7 +43,6 @@ files_getattr_all_files(locate_t)
+ files_getattr_all_pipes(locate_t)
+ files_getattr_all_sockets(locate_t)
+ files_read_etc_runtime_files(locate_t)
+-files_read_etc_files(locate_t)
+
+ fs_getattr_all_fs(locate_t)
+ fs_getattr_all_files(locate_t)
diff --git a/slrnpull.te b/slrnpull.te
index e5e72fd..92eecec 100644
--- a/slrnpull.te
@@ -52101,8 +53063,28 @@ index 8265278..017b923 100644
smokeping_initrc_domtrans($1)
domain_system_change_exemption($1)
+diff --git a/smokeping.te b/smokeping.te
+index 740994a..55643cb 100644
+--- a/smokeping.te
++++ b/smokeping.te
+@@ -40,7 +40,6 @@ corecmd_read_bin_symlinks(smokeping_t)
+
+ dev_read_urand(smokeping_t)
+
+-files_read_etc_files(smokeping_t)
+ files_read_usr_files(smokeping_t)
+ files_search_tmp(smokeping_t)
+
+@@ -73,5 +72,7 @@ optional_policy(`
+ files_search_tmp(httpd_smokeping_cgi_script_t)
+ files_search_var_lib(httpd_smokeping_cgi_script_t)
+
++ auth_read_passwd(httpd_smokeping_cgi_script_t)
++
+ sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t)
+ ')
diff --git a/smoltclient.te b/smoltclient.te
-index bc00875..2efc0d7 100644
+index bc00875..7c8590e 100644
--- a/smoltclient.te
+++ b/smoltclient.te
@@ -8,7 +8,6 @@ policy_module(smoltclient, 1.1.0)
@@ -52113,7 +53095,7 @@ index bc00875..2efc0d7 100644
type smoltclient_tmp_t;
files_tmp_file(smoltclient_tmp_t)
-@@ -39,6 +38,7 @@ corecmd_exec_shell(smoltclient_t)
+@@ -39,22 +38,32 @@ corecmd_exec_shell(smoltclient_t)
corenet_tcp_connect_http_port(smoltclient_t)
dev_read_sysfs(smoltclient_t)
@@ -52121,10 +53103,10 @@ index bc00875..2efc0d7 100644
fs_getattr_all_fs(smoltclient_t)
fs_getattr_all_dirs(smoltclient_t)
-@@ -46,15 +46,25 @@ fs_list_auto_mountpoints(smoltclient_t)
+ fs_list_auto_mountpoints(smoltclient_t)
files_getattr_generic_locks(smoltclient_t)
- files_read_etc_files(smoltclient_t)
+-files_read_etc_files(smoltclient_t)
+files_read_etc_runtime_files(smoltclient_t)
files_read_usr_files(smoltclient_t)
@@ -52285,7 +53267,7 @@ index 275f9fb..f1343b7 100644
init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/snmp.te b/snmp.te
-index 595942d..7580a6a 100644
+index 595942d..5273d6c 100644
--- a/snmp.te
+++ b/snmp.te
@@ -4,6 +4,7 @@ policy_module(snmp, 1.12.1)
@@ -52337,15 +53319,18 @@ index 595942d..7580a6a 100644
corecmd_exec_bin(snmpd_t)
corecmd_exec_shell(snmpd_t)
-@@ -83,7 +87,6 @@ dev_getattr_usbfs_dirs(snmpd_t)
+@@ -83,10 +87,8 @@ dev_getattr_usbfs_dirs(snmpd_t)
domain_use_interactive_fds(snmpd_t)
domain_signull_all_domains(snmpd_t)
domain_read_all_domains_state(snmpd_t)
-domain_dontaudit_ptrace_all_domains(snmpd_t)
domain_exec_all_entry_files(snmpd_t)
- files_read_etc_files(snmpd_t)
-@@ -94,15 +97,19 @@ files_search_home(snmpd_t)
+-files_read_etc_files(snmpd_t)
+ files_read_usr_files(snmpd_t)
+ files_read_etc_runtime_files(snmpd_t)
+ files_search_home(snmpd_t)
+@@ -94,15 +96,19 @@ files_search_home(snmpd_t)
fs_getattr_all_dirs(snmpd_t)
fs_getattr_all_fs(snmpd_t)
fs_search_auto_mountpoints(snmpd_t)
@@ -52366,7 +53351,7 @@ index 595942d..7580a6a 100644
logging_send_syslog_msg(snmpd_t)
-@@ -115,7 +122,7 @@ sysnet_read_config(snmpd_t)
+@@ -115,7 +121,7 @@ sysnet_read_config(snmpd_t)
userdom_dontaudit_use_unpriv_user_fds(snmpd_t)
userdom_dontaudit_search_user_home_dirs(snmpd_t)
@@ -52375,7 +53360,7 @@ index 595942d..7580a6a 100644
optional_policy(`
rpm_read_db(snmpd_t)
rpm_dontaudit_manage_db(snmpd_t)
-@@ -140,6 +147,10 @@ optional_policy(`
+@@ -140,6 +146,10 @@ optional_policy(`
')
optional_policy(`
@@ -52466,7 +53451,7 @@ index 94c01b5..f64bd93 100644
########################################
diff --git a/sosreport.te b/sosreport.te
-index b66e657..1a8e3bc 100644
+index b66e657..9214bcc 100644
--- a/sosreport.te
+++ b/sosreport.te
@@ -21,7 +21,7 @@ files_tmpfs_file(sosreport_tmpfs_t)
@@ -52478,7 +53463,15 @@ index b66e657..1a8e3bc 100644
allow sosreport_t self:process { setsched signull };
allow sosreport_t self:fifo_file rw_fifo_file_perms;
allow sosreport_t self:tcp_socket create_stream_socket_perms;
-@@ -74,13 +74,17 @@ files_read_all_symlinks(sosreport_t)
+@@ -64,7 +64,6 @@ files_getattr_all_sockets(sosreport_t)
+ files_exec_etc_files(sosreport_t)
+ files_list_all(sosreport_t)
+ files_read_config_files(sosreport_t)
+-files_read_etc_files(sosreport_t)
+ files_read_generic_tmp_files(sosreport_t)
+ files_read_usr_files(sosreport_t)
+ files_read_var_lib_files(sosreport_t)
+@@ -74,13 +73,17 @@ files_read_all_symlinks(sosreport_t)
# for blkid.tab
files_manage_etc_runtime_files(sosreport_t)
files_etc_filetrans_etc_runtime(sosreport_t, file)
@@ -52497,7 +53490,7 @@ index b66e657..1a8e3bc 100644
auth_use_nsswitch(sosreport_t)
init_domtrans_script(sosreport_t)
-@@ -92,13 +96,11 @@ logging_send_syslog_msg(sosreport_t)
+@@ -92,13 +95,11 @@ logging_send_syslog_msg(sosreport_t)
miscfiles_read_localization(sosreport_t)
@@ -52512,7 +53505,7 @@ index b66e657..1a8e3bc 100644
')
optional_policy(`
-@@ -110,6 +112,11 @@ optional_policy(`
+@@ -110,6 +111,11 @@ optional_policy(`
')
optional_policy(`
@@ -52821,7 +53814,7 @@ index c954f31..82fc7f6 100644
+ admin_pattern($1, spamd_var_run_t)
')
diff --git a/spamassassin.te b/spamassassin.te
-index 1bbf73b..716877c 100644
+index 1bbf73b..2269290 100644
--- a/spamassassin.te
+++ b/spamassassin.te
@@ -6,52 +6,41 @@ policy_module(spamassassin, 2.5.0)
@@ -53004,7 +53997,15 @@ index 1bbf73b..716877c 100644
# this should probably be removed
corecmd_list_bin(spamassassin_t)
-@@ -144,6 +218,9 @@ tunable_policy(`spamassassin_can_network',`
+@@ -114,7 +188,6 @@ corecmd_read_bin_sockets(spamassassin_t)
+
+ domain_use_interactive_fds(spamassassin_t)
+
+-files_read_etc_files(spamassassin_t)
+ files_read_etc_runtime_files(spamassassin_t)
+ files_list_home(spamassassin_t)
+ files_read_usr_files(spamassassin_t)
+@@ -144,6 +217,9 @@ tunable_policy(`spamassassin_can_network',`
corenet_udp_sendrecv_all_ports(spamassassin_t)
corenet_tcp_connect_all_ports(spamassassin_t)
corenet_sendrecv_all_client_packets(spamassassin_t)
@@ -53014,7 +54015,7 @@ index 1bbf73b..716877c 100644
sysnet_read_config(spamassassin_t)
')
-@@ -154,25 +231,13 @@ tunable_policy(`spamd_enable_home_dirs',`
+@@ -154,25 +230,13 @@ tunable_policy(`spamd_enable_home_dirs',`
userdom_manage_user_home_content_symlinks(spamd_t)
')
@@ -53041,7 +54042,7 @@ index 1bbf73b..716877c 100644
nis_use_ypbind_uncond(spamassassin_t)
')
')
-@@ -180,6 +245,8 @@ optional_policy(`
+@@ -180,6 +244,8 @@ optional_policy(`
optional_policy(`
mta_read_config(spamassassin_t)
sendmail_stub(spamassassin_t)
@@ -53050,7 +54051,7 @@ index 1bbf73b..716877c 100644
')
########################################
-@@ -202,15 +269,32 @@ allow spamc_t self:unix_stream_socket connectto;
+@@ -202,15 +268,32 @@ allow spamc_t self:unix_stream_socket connectto;
allow spamc_t self:tcp_socket create_stream_socket_perms;
allow spamc_t self:udp_socket create_socket_perms;
@@ -53083,7 +54084,7 @@ index 1bbf73b..716877c 100644
corenet_all_recvfrom_unlabeled(spamc_t)
corenet_all_recvfrom_netlabel(spamc_t)
-@@ -222,6 +306,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t)
+@@ -222,6 +305,7 @@ corenet_tcp_sendrecv_all_ports(spamc_t)
corenet_udp_sendrecv_all_ports(spamc_t)
corenet_tcp_connect_all_ports(spamc_t)
corenet_sendrecv_all_client_packets(spamc_t)
@@ -53091,7 +54092,13 @@ index 1bbf73b..716877c 100644
fs_search_auto_mountpoints(spamc_t)
-@@ -240,9 +325,14 @@ files_read_usr_files(spamc_t)
+@@ -234,15 +318,19 @@ corecmd_read_bin_sockets(spamc_t)
+
+ domain_use_interactive_fds(spamc_t)
+
+-files_read_etc_files(spamc_t)
+ files_read_etc_runtime_files(spamc_t)
+ files_read_usr_files(spamc_t)
files_dontaudit_search_var(spamc_t)
# cjp: this may be removable:
files_list_home(spamc_t)
@@ -53106,7 +54113,7 @@ index 1bbf73b..716877c 100644
miscfiles_read_localization(spamc_t)
# cjp: this should probably be removed:
-@@ -250,27 +340,35 @@ seutil_read_config(spamc_t)
+@@ -250,27 +338,35 @@ seutil_read_config(spamc_t)
sysnet_read_config(spamc_t)
@@ -53148,7 +54155,7 @@ index 1bbf73b..716877c 100644
')
########################################
-@@ -282,7 +380,7 @@ optional_policy(`
+@@ -282,7 +378,7 @@ optional_policy(`
# setuids to the user running spamc. Comment this if you are not
# using this ability.
@@ -53157,7 +54164,7 @@ index 1bbf73b..716877c 100644
dontaudit spamd_t self:capability sys_tty_config;
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamd_t self:fd use;
-@@ -298,10 +396,17 @@ allow spamd_t self:unix_dgram_socket sendto;
+@@ -298,10 +394,17 @@ allow spamd_t self:unix_dgram_socket sendto;
allow spamd_t self:unix_stream_socket connectto;
allow spamd_t self:tcp_socket create_stream_socket_perms;
allow spamd_t self:udp_socket create_socket_perms;
@@ -53176,7 +54183,7 @@ index 1bbf73b..716877c 100644
files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -310,11 +415,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
+@@ -310,11 +413,15 @@ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
# var/lib files for spamd
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -53194,7 +54201,14 @@ index 1bbf73b..716877c 100644
kernel_read_all_sysctls(spamd_t)
kernel_read_system_state(spamd_t)
-@@ -363,23 +472,23 @@ files_read_var_lib_files(spamd_t)
+@@ -356,30 +463,29 @@ corecmd_exec_bin(spamd_t)
+ domain_use_interactive_fds(spamd_t)
+
+ files_read_usr_files(spamd_t)
+-files_read_etc_files(spamd_t)
+ files_read_etc_runtime_files(spamd_t)
+ # /var/lib/spamassin
+ files_read_var_lib_files(spamd_t)
init_dontaudit_rw_utmp(spamd_t)
@@ -53226,7 +54240,7 @@ index 1bbf73b..716877c 100644
')
optional_policy(`
-@@ -395,7 +504,9 @@ optional_policy(`
+@@ -395,7 +501,9 @@ optional_policy(`
')
optional_policy(`
@@ -53236,7 +54250,7 @@ index 1bbf73b..716877c 100644
dcc_stream_connect_dccifd(spamd_t)
')
-@@ -404,25 +515,17 @@ optional_policy(`
+@@ -404,25 +512,17 @@ optional_policy(`
')
optional_policy(`
@@ -53264,7 +54278,7 @@ index 1bbf73b..716877c 100644
postgresql_stream_connect(spamd_t)
')
-@@ -433,6 +536,10 @@ optional_policy(`
+@@ -433,6 +533,10 @@ optional_policy(`
optional_policy(`
razor_domtrans(spamd_t)
@@ -53275,7 +54289,7 @@ index 1bbf73b..716877c 100644
')
optional_policy(`
-@@ -440,6 +547,7 @@ optional_policy(`
+@@ -440,6 +544,7 @@ optional_policy(`
')
optional_policy(`
@@ -53283,7 +54297,7 @@ index 1bbf73b..716877c 100644
sendmail_stub(spamd_t)
mta_read_config(spamd_t)
')
-@@ -447,3 +555,51 @@ optional_policy(`
+@@ -447,3 +552,50 @@ optional_policy(`
optional_policy(`
udev_read_db(spamd_t)
')
@@ -53319,7 +54333,6 @@ index 1bbf73b..716877c 100644
+
+domain_use_interactive_fds(spamd_update_t)
+
-+files_read_etc_files(spamd_update_t)
+files_read_usr_files(spamd_update_t)
+
+auth_use_nsswitch(spamd_update_t)
@@ -53375,7 +54388,7 @@ index d2496bd..c7614d7 100644
init_labeled_script_domtrans($1, squid_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/squid.te b/squid.te
-index d24bd07..daf200c 100644
+index d24bd07..624dd50 100644
--- a/squid.te
+++ b/squid.te
@@ -29,7 +29,7 @@ type squid_cache_t;
@@ -53422,7 +54435,15 @@ index d24bd07..daf200c 100644
files_dontaudit_getattr_boot_dirs(squid_t)
-@@ -169,7 +178,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t)
+@@ -145,7 +154,6 @@ corecmd_exec_shell(squid_t)
+
+ domain_use_interactive_fds(squid_t)
+
+-files_read_etc_files(squid_t)
+ files_read_etc_runtime_files(squid_t)
+ files_read_usr_files(squid_t)
+ files_search_spool(squid_t)
+@@ -169,7 +177,8 @@ userdom_dontaudit_search_user_home_dirs(squid_t)
tunable_policy(`squid_connect_any',`
corenet_tcp_connect_all_ports(squid_t)
corenet_tcp_bind_all_ports(squid_t)
@@ -53432,7 +54453,7 @@ index d24bd07..daf200c 100644
')
tunable_policy(`squid_use_tproxy',`
-@@ -185,6 +195,7 @@ optional_policy(`
+@@ -185,6 +194,7 @@ optional_policy(`
corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
corenet_all_recvfrom_netlabel(httpd_squid_script_t)
corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
@@ -53440,7 +54461,7 @@ index d24bd07..daf200c 100644
sysnet_dns_name_resolve(httpd_squid_script_t)
-@@ -206,3 +217,7 @@ optional_policy(`
+@@ -206,3 +216,7 @@ optional_policy(`
optional_policy(`
udev_read_db(squid_t)
')
@@ -53547,7 +54568,7 @@ index 941380a..e1095f0 100644
# Allow sssd_t to restart the apache service
sssd_initrc_domtrans($1)
diff --git a/sssd.te b/sssd.te
-index 8ffa257..20d8944 100644
+index 8ffa257..ac9bf23 100644
--- a/sssd.te
+++ b/sssd.te
@@ -17,6 +17,7 @@ files_pid_file(sssd_public_t)
@@ -53584,7 +54605,7 @@ index 8ffa257..20d8944 100644
manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
logging_log_filetrans(sssd_t, sssd_var_log_t, file)
-@@ -48,18 +52,25 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+@@ -48,18 +52,24 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
@@ -53603,14 +54624,14 @@ index 8ffa257..20d8944 100644
domain_obj_id_change_exemption(sssd_t)
files_list_tmp(sssd_t)
- files_read_etc_files(sssd_t)
+-files_read_etc_files(sssd_t)
+files_read_etc_runtime_files(sssd_t)
files_read_usr_files(sssd_t)
+files_list_var_lib(sssd_t)
fs_list_inotifyfs(sssd_t)
-@@ -68,10 +79,14 @@ selinux_validate_context(sssd_t)
+@@ -68,10 +78,14 @@ selinux_validate_context(sssd_t)
seutil_read_file_contexts(sssd_t)
mls_file_read_to_clearance(sssd_t)
@@ -53626,7 +54647,7 @@ index 8ffa257..20d8944 100644
init_read_utmp(sssd_t)
-@@ -79,6 +94,12 @@ logging_send_syslog_msg(sssd_t)
+@@ -79,6 +93,12 @@ logging_send_syslog_msg(sssd_t)
logging_send_audit_msgs(sssd_t)
miscfiles_read_localization(sssd_t)
@@ -53639,7 +54660,7 @@ index 8ffa257..20d8944 100644
optional_policy(`
dbus_system_bus_client(sssd_t)
-@@ -87,4 +108,19 @@ optional_policy(`
+@@ -87,4 +107,19 @@ optional_policy(`
optional_policy(`
kerberos_manage_host_rcache(sssd_t)
@@ -53660,7 +54681,7 @@ index 8ffa257..20d8944 100644
+
+
diff --git a/stunnel.te b/stunnel.te
-index f646c66..dd0efe6 100644
+index f646c66..6fef759 100644
--- a/stunnel.te
+++ b/stunnel.te
@@ -40,7 +40,7 @@ allow stunnel_t self:udp_socket create_socket_perms;
@@ -53672,7 +54693,15 @@ index f646c66..dd0efe6 100644
manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
-@@ -120,4 +120,5 @@ ifdef(`distro_gentoo', `
+@@ -106,7 +106,6 @@ ifdef(`distro_gentoo', `
+
+ dev_read_urand(stunnel_t)
+
+- files_read_etc_files(stunnel_t)
+ files_read_etc_runtime_files(stunnel_t)
+ files_search_home(stunnel_t)
+
+@@ -120,4 +119,5 @@ ifdef(`distro_gentoo', `
gen_require(`
type stunnel_port_t;
')
@@ -53916,7 +54945,7 @@ index 32822ab..bc5b962 100644
optional_policy(`
mta_send_mail(sxid_t)
diff --git a/sysstat.te b/sysstat.te
-index 200ea66..1404284 100644
+index 200ea66..04e4828 100644
--- a/sysstat.te
+++ b/sysstat.te
@@ -18,8 +18,7 @@ logging_log_file(sysstat_log_t)
@@ -53937,7 +54966,13 @@ index 200ea66..1404284 100644
corecmd_exec_bin(sysstat_t)
dev_read_urand(sysstat_t)
-@@ -51,12 +51,16 @@ fs_getattr_xattr_fs(sysstat_t)
+@@ -45,18 +45,21 @@ files_search_var(sysstat_t)
+ # for mtab
+ files_read_etc_runtime_files(sysstat_t)
+ #for fstab
+-files_read_etc_files(sysstat_t)
+
+ fs_getattr_xattr_fs(sysstat_t)
fs_list_inotifyfs(sysstat_t)
term_use_console(sysstat_t)
@@ -53955,7 +54990,7 @@ index 200ea66..1404284 100644
miscfiles_read_localization(sysstat_t)
userdom_dontaudit_list_user_home_dirs(sysstat_t)
-@@ -65,6 +69,3 @@ optional_policy(`
+@@ -65,6 +68,3 @@ optional_policy(`
cron_system_entry(sysstat_t, sysstat_exec_t)
')
@@ -53979,6 +55014,18 @@ index 595f5a7..4e518cf 100644
tcsd_initrc_domtrans($1)
domain_system_change_exemption($1)
+diff --git a/tcsd.te b/tcsd.te
+index ee9f3c6..2832d96 100644
+--- a/tcsd.te
++++ b/tcsd.te
+@@ -38,7 +38,6 @@ dev_read_urand(tcsd_t)
+ # Access /dev/tpm0.
+ dev_rw_tpm(tcsd_t)
+
+-files_read_etc_files(tcsd_t)
+ files_read_usr_files(tcsd_t)
+
+ auth_use_nsswitch(tcsd_t)
diff --git a/telepathy.fc b/telepathy.fc
index b07ee19..a275bd6 100644
--- a/telepathy.fc
@@ -54469,7 +55516,7 @@ index 58e7ec0..e4119f7 100644
+ allow $1 telnetd_devpts_t:chr_file rw_inherited_term_perms;
+')
diff --git a/telnet.te b/telnet.te
-index f40e67b..0634c00 100644
+index f40e67b..e4cae03 100644
--- a/telnet.te
+++ b/telnet.te
@@ -24,21 +24,20 @@ files_pid_file(telnetd_var_run_t)
@@ -54497,7 +55544,15 @@ index f40e67b..0634c00 100644
manage_files_pattern(telnetd_t, telnetd_var_run_t, telnetd_var_run_t)
files_pid_filetrans(telnetd_t, telnetd_var_run_t, file)
-@@ -81,15 +80,10 @@ miscfiles_read_localization(telnetd_t)
+@@ -68,7 +67,6 @@ auth_use_nsswitch(telnetd_t)
+ corecmd_search_bin(telnetd_t)
+
+ files_read_usr_files(telnetd_t)
+-files_read_etc_files(telnetd_t)
+ files_read_etc_runtime_files(telnetd_t)
+ # for identd; cjp: this should probably only be inetd_child rules?
+ files_search_home(telnetd_t)
+@@ -81,15 +79,10 @@ miscfiles_read_localization(telnetd_t)
seutil_read_config(telnetd_t)
@@ -54515,7 +55570,7 @@ index f40e67b..0634c00 100644
tunable_policy(`use_nfs_home_dirs',`
fs_search_nfs(telnetd_t)
-@@ -98,3 +92,13 @@ tunable_policy(`use_nfs_home_dirs',`
+@@ -98,3 +91,13 @@ tunable_policy(`use_nfs_home_dirs',`
tunable_policy(`use_samba_home_dirs',`
fs_search_cifs(telnetd_t)
')
@@ -54691,7 +55746,7 @@ index 38bb312..cab8c77 100644
+ tftp_manage_config($1)
')
diff --git a/tftp.te b/tftp.te
-index d50c10d..4ee4bd3 100644
+index d50c10d..787bfb2 100644
--- a/tftp.te
+++ b/tftp.te
@@ -26,21 +26,26 @@ files_type(tftpdir_t)
@@ -54723,7 +55778,15 @@ index d50c10d..4ee4bd3 100644
manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
-@@ -94,6 +99,10 @@ tunable_policy(`tftp_anon_write',`
+@@ -72,7 +77,6 @@ fs_search_auto_mountpoints(tftpd_t)
+
+ domain_use_interactive_fds(tftpd_t)
+
+-files_read_etc_files(tftpd_t)
+ files_read_etc_runtime_files(tftpd_t)
+ files_read_var_files(tftpd_t)
+ files_read_var_symlinks(tftpd_t)
+@@ -94,6 +98,10 @@ tunable_policy(`tftp_anon_write',`
')
optional_policy(`
@@ -54798,6 +55861,181 @@ index 80fe75c..cdeafc5 100644
+optional_policy(`
+ iscsi_manage_semaphores(tgtd_t)
+')
+diff --git a/thin.fc b/thin.fc
+new file mode 100644
+index 0000000..62d2c77
+--- /dev/null
++++ b/thin.fc
+@@ -0,0 +1,10 @@
++/usr/bin/thin -- gen_context(system_u:object_r:thin_exec_t,s0)
++/usr/bin/thinStarter -- gen_context(system_u:object_r:thin_aeolus_configserver_exec_t,s0)
++
++/var/lib/aeolus-configserver(/.*)? gen_context(system_u:object_r:thin_aeolus_configserver_lib_t,s0)
++
++/var/log/aeolus-configserver(/.*)? gen_context(system_u:object_r:thin_aeolus_configserver_log_t,s0)
++/var/log/thin\.log -- gen_context(system_u:object_r:thin_log_t,s0)
++
++/var/run/aeolus-configserver(/.*)? gen_context(system_u:object_r:thin_aeolus_configserver_var_run_t,s0)
++/var/run/aeolus/thin\.pid -- gen_context(system_u:object_r:thin_var_run_t,s0)
+diff --git a/thin.if b/thin.if
+new file mode 100644
+index 0000000..6de86e5
+--- /dev/null
++++ b/thin.if
+@@ -0,0 +1,42 @@
++## thin policy
++
++#######################################
++##
++## Creates types and rules for a basic
++## thin daemon domain.
++##
++##
++##
++## Prefix for the domain.
++##
++##
++#
++template(`thin_domain_template',`
++ gen_require(`
++ attribute thin_domain;
++ ')
++
++ type $1_t, thin_domain;
++ type $1_exec_t;
++ init_daemon_domain($1_t, $1_exec_t)
++
++ can_exec($1_t, $1_exec_t)
++')
++
++######################################
++##
++## Execute mongod in the caller domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`thin_exec',`
++ gen_require(`
++ type thin_exec_t;
++ ')
++
++ can_exec($1, thin_exec_t)
++')
+diff --git a/thin.te b/thin.te
+new file mode 100644
+index 0000000..d1903e6
+--- /dev/null
++++ b/thin.te
+@@ -0,0 +1,105 @@
++policy_module(thin, 1.0)
++
++########################################
++#
++# Declarations
++#
++
++attribute thin_domain;
++
++thin_domain_template(thin)
++
++type thin_log_t;
++logging_log_file(thin_log_t)
++
++type thin_var_run_t;
++files_pid_file(thin_var_run_t)
++
++thin_domain_template(thin_aeolus_configserver)
++
++type thin_aeolus_configserver_lib_t;
++files_type(thin_aeolus_configserver_lib_t)
++
++type thin_aeolus_configserver_log_t;
++logging_log_file(thin_aeolus_configserver_log_t)
++
++type thin_aeolus_configserver_var_run_t;
++files_pid_file(thin_aeolus_configserver_var_run_t)
++
++########################################
++#
++# thin_domain local policy
++#
++
++allow thin_domain self:fifo_file rw_fifo_file_perms;
++allow thin_domain self:tcp_socket create_stream_socket_perms;
++
++# we want to stay in a new thin domain if we call thin binary from a script
++# # initrc_t@thin_test_exec_t->thin_test_t@thin_exec_t->thin_test_t
++can_exec(thin_domain, thin_exec_t)
++
++kernel_read_system_state(thin_domain)
++
++corecmd_exec_bin(thin_domain)
++
++dev_read_rand(thin_domain)
++dev_read_urand(thin_domain)
++
++files_read_etc_files(thin_domain)
++
++auth_read_passwd(thin_domain)
++
++miscfiles_read_certs(thin_domain)
++miscfiles_read_localization(thin_domain)
++
++files_read_usr_files(thin_domain)
++
++fs_search_auto_mountpoints(thin_domain)
++
++init_read_utmp(thin_domain)
++
++kernel_read_kernel_sysctls(thin_domain)
++
++optional_policy(`
++ sysnet_read_config(thin_domain)
++')
++
++########################################
++#
++# thin local policy
++#
++
++allow thin_t self:capability { setuid kill setgid dac_override };
++
++allow thin_t self:netlink_route_socket r_netlink_socket_perms;
++allow thin_t self:udp_socket create_socket_perms;
++allow thin_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_files_pattern(thin_t, thin_log_t, thin_log_t)
++manage_dirs_pattern(thin_t, thin_log_t, thin_log_t)
++logging_log_filetrans(thin_t, thin_log_t, { file dir })
++
++manage_files_pattern(thin_t, thin_var_run_t, thin_var_run_t)
++files_pid_filetrans(thin_t, thin_var_run_t, { file })
++
++corenet_tcp_bind_generic_node(thin_t)
++corenet_tcp_bind_ntop_port(thin_t)
++corenet_tcp_connect_postgresql_port(thin_t)
++
++
++#######################################
++#
++# thin aeolus configserver local policy
++#
++
++manage_files_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, thin_aeolus_configserver_lib_t)
++manage_dirs_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, thin_aeolus_configserver_lib_t)
++files_var_lib_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, { file dir })
++
++manage_files_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_log_t, thin_aeolus_configserver_log_t)
++manage_dirs_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_log_t, thin_aeolus_configserver_log_t)
++logging_log_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_log_t, { file dir })
++
++manage_files_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, thin_aeolus_configserver_var_run_t)
++manage_dirs_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, thin_aeolus_configserver_var_run_t)
++files_pid_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, { dir file })
diff --git a/thumb.fc b/thumb.fc
new file mode 100644
index 0000000..3a7c395
@@ -54952,10 +56190,10 @@ index 0000000..9127cec
+')
diff --git a/thumb.te b/thumb.te
new file mode 100644
-index 0000000..f6538d0
+index 0000000..c759103
--- /dev/null
+++ b/thumb.te
-@@ -0,0 +1,111 @@
+@@ -0,0 +1,110 @@
+policy_module(thumb, 1.0.0)
+
+########################################
@@ -55022,7 +56260,6 @@ index 0000000..f6538d0
+
+domain_use_interactive_fds(thumb_t)
+
-+files_read_etc_files(thumb_t)
+files_read_usr_files(thumb_t)
+files_read_non_security_files(thumb_t)
+
@@ -55068,10 +56305,18 @@ index 0000000..f6538d0
+ gnome_exec_gstreamer_home_files(thumb_t)
+')
diff --git a/thunderbird.te b/thunderbird.te
-index bf37d98..204ac7e 100644
+index bf37d98..2feb849 100644
--- a/thunderbird.te
+++ b/thunderbird.te
-@@ -112,17 +112,7 @@ xserver_read_xdm_tmp_files(thunderbird_t)
+@@ -82,7 +82,6 @@ dev_dontaudit_search_sysfs(thunderbird_t)
+
+ files_list_tmp(thunderbird_t)
+ files_read_usr_files(thunderbird_t)
+-files_read_etc_files(thunderbird_t)
+ files_read_etc_runtime_files(thunderbird_t)
+ files_read_var_files(thunderbird_t)
+ files_read_var_symlinks(thunderbird_t)
+@@ -112,17 +111,7 @@ xserver_read_xdm_tmp_files(thunderbird_t)
xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t)
# Access ~/.thunderbird
@@ -55091,7 +56336,7 @@ index bf37d98..204ac7e 100644
tunable_policy(`mail_read_content && use_nfs_home_dirs',`
files_list_home(thunderbird_t)
diff --git a/tmpreaper.te b/tmpreaper.te
-index 0521d5a..3d3f88a 100644
+index 0521d5a..1d41128 100644
--- a/tmpreaper.te
+++ b/tmpreaper.te
@@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.6.0)
@@ -55102,7 +56347,7 @@ index 0521d5a..3d3f88a 100644
application_domain(tmpreaper_t, tmpreaper_exec_t)
role system_r types tmpreaper_t;
-@@ -18,33 +19,46 @@ role system_r types tmpreaper_t;
+@@ -18,33 +19,45 @@ role system_r types tmpreaper_t;
allow tmpreaper_t self:process { fork sigchld };
allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
@@ -55113,7 +56358,7 @@ index 0521d5a..3d3f88a 100644
fs_getattr_xattr_fs(tmpreaper_t)
+fs_list_all(tmpreaper_t)
- files_read_etc_files(tmpreaper_t)
+-files_read_etc_files(tmpreaper_t)
files_read_var_lib_files(tmpreaper_t)
files_purge_tmp(tmpreaper_t)
+files_delete_all_non_security_files(tmpreaper_t)
@@ -55153,7 +56398,7 @@ index 0521d5a..3d3f88a 100644
')
optional_policy(`
-@@ -52,7 +66,9 @@ optional_policy(`
+@@ -52,7 +65,9 @@ optional_policy(`
')
optional_policy(`
@@ -55163,7 +56408,7 @@ index 0521d5a..3d3f88a 100644
apache_delete_cache_files(tmpreaper_t)
apache_setattr_cache_dirs(tmpreaper_t)
')
-@@ -66,9 +82,13 @@ optional_policy(`
+@@ -66,9 +81,13 @@ optional_policy(`
')
optional_policy(`
@@ -55748,7 +56993,7 @@ index 904f13e..26f16dd 100644
+ ')
')
diff --git a/tor.te b/tor.te
-index c842cad..799fac3 100644
+index c842cad..d59fe83 100644
--- a/tor.te
+++ b/tor.te
@@ -36,12 +36,16 @@ logging_log_file(tor_var_log_t)
@@ -55776,7 +57021,7 @@ index c842cad..799fac3 100644
corenet_udp_bind_dns_port(tor_t)
corenet_sendrecv_tor_server_packets(tor_t)
corenet_sendrecv_dns_server_packets(tor_t)
-@@ -95,9 +100,11 @@ corenet_tcp_connect_all_ports(tor_t)
+@@ -95,13 +100,14 @@ corenet_tcp_connect_all_ports(tor_t)
corenet_sendrecv_all_client_packets(tor_t)
# ... especially including port 80 and other privileged ports
corenet_tcp_connect_all_reserved_ports(tor_t)
@@ -55788,6 +57033,10 @@ index c842cad..799fac3 100644
domain_use_interactive_fds(tor_t)
+-files_read_etc_files(tor_t)
+ files_read_etc_runtime_files(tor_t)
+ files_read_usr_files(tor_t)
+
diff --git a/tripwire.te b/tripwire.te
index 2ae8b62..a8e786b 100644
--- a/tripwire.te
@@ -55884,7 +57133,7 @@ index 54b8605..a04f013 100644
admin_pattern($1, tuned_var_run_t)
')
diff --git a/tuned.te b/tuned.te
-index db9d2a5..c7b09c0 100644
+index db9d2a5..28c4b84 100644
--- a/tuned.te
+++ b/tuned.te
@@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t)
@@ -55900,7 +57149,7 @@ index db9d2a5..c7b09c0 100644
type tuned_log_t;
logging_log_file(tuned_log_t)
-@@ -23,23 +29,39 @@ files_pid_file(tuned_var_run_t)
+@@ -23,30 +29,49 @@ files_pid_file(tuned_var_run_t)
# tuned local policy
#
@@ -55944,7 +57193,7 @@ index db9d2a5..c7b09c0 100644
# to allow cpu tuning
dev_rw_netcontrol(tuned_t)
-@@ -47,6 +69,10 @@ files_read_etc_files(tuned_t)
+-files_read_etc_files(tuned_t)
files_read_usr_files(tuned_t)
files_dontaudit_search_home(tuned_t)
@@ -55955,7 +57204,7 @@ index db9d2a5..c7b09c0 100644
logging_send_syslog_msg(tuned_t)
miscfiles_read_localization(tuned_t)
-@@ -58,6 +84,14 @@ optional_policy(`
+@@ -58,6 +83,14 @@ optional_policy(`
fstools_domtrans(tuned_t)
')
@@ -56190,10 +57439,17 @@ index 74354da..f04565f 100644
+ modutils_read_module_deps(usbmodules_t)
+')
diff --git a/usbmuxd.te b/usbmuxd.te
-index 4440aa6..34ffbfd 100644
+index 4440aa6..65b2c3a 100644
--- a/usbmuxd.te
+++ b/usbmuxd.te
-@@ -40,3 +40,7 @@ miscfiles_read_localization(usbmuxd_t)
+@@ -33,10 +33,13 @@ kernel_read_system_state(usbmuxd_t)
+ dev_read_sysfs(usbmuxd_t)
+ dev_rw_generic_usb_dev(usbmuxd_t)
+
+-files_read_etc_files(usbmuxd_t)
+
+ miscfiles_read_localization(usbmuxd_t)
+
auth_use_nsswitch(usbmuxd_t)
logging_send_syslog_msg(usbmuxd_t)
@@ -56211,7 +57467,7 @@ index e70b0e8..cd83b89 100644
/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)
+/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0)
diff --git a/userhelper.if b/userhelper.if
-index 65baaac..821bcea 100644
+index 65baaac..77560a1 100644
--- a/userhelper.if
+++ b/userhelper.if
@@ -25,6 +25,7 @@ template(`userhelper_role_template',`
@@ -56222,7 +57478,15 @@ index 65baaac..821bcea 100644
')
########################################
-@@ -121,6 +122,9 @@ template(`userhelper_role_template',`
+@@ -89,7 +90,6 @@ template(`userhelper_role_template',`
+
+ files_list_var_lib($1_userhelper_t)
+ # Read the /etc/security/default_type file
+- files_read_etc_files($1_userhelper_t)
+ # Read /var.
+ files_read_var_files($1_userhelper_t)
+ files_read_var_symlinks($1_userhelper_t)
+@@ -121,6 +121,9 @@ template(`userhelper_role_template',`
auth_manage_pam_pid($1_userhelper_t)
auth_manage_var_auth($1_userhelper_t)
auth_search_pam_console_data($1_userhelper_t)
@@ -56232,7 +57496,7 @@ index 65baaac..821bcea 100644
# Inherit descriptors from the current session.
init_use_fds($1_userhelper_t)
-@@ -145,18 +149,6 @@ template(`userhelper_role_template',`
+@@ -145,18 +148,6 @@ template(`userhelper_role_template',`
')
optional_policy(`
@@ -56251,7 +57515,7 @@ index 65baaac..821bcea 100644
tunable_policy(`! secure_mode',`
#if we are not in secure mode then we can transition to sysadm_t
sysadm_bin_spec_domtrans($1_userhelper_t)
-@@ -255,3 +247,88 @@ interface(`userhelper_exec',`
+@@ -255,3 +246,88 @@ interface(`userhelper_exec',`
can_exec($1, userhelper_exec_t)
')
@@ -56461,7 +57725,7 @@ index d45c715..2d4f1ba 100644
+
')
diff --git a/usernetctl.te b/usernetctl.te
-index 19c70bb..35b12a6 100644
+index 19c70bb..1434b51 100644
--- a/usernetctl.te
+++ b/usernetctl.te
@@ -5,13 +5,14 @@ policy_module(usernetctl, 1.6.0)
@@ -56481,7 +57745,15 @@ index 19c70bb..35b12a6 100644
########################################
#
-@@ -60,31 +61,33 @@ miscfiles_read_localization(usernetctl_t)
+@@ -42,7 +43,6 @@ corecmd_exec_shell(usernetctl_t)
+
+ domain_dontaudit_read_all_domains_state(usernetctl_t)
+
+-files_read_etc_files(usernetctl_t)
+ files_exec_etc_files(usernetctl_t)
+ files_read_etc_runtime_files(usernetctl_t)
+ files_list_pids(usernetctl_t)
+@@ -60,31 +60,33 @@ miscfiles_read_localization(usernetctl_t)
seutil_read_config(usernetctl_t)
sysnet_read_config(usernetctl_t)
@@ -56546,7 +57818,7 @@ index ebc5414..8f8ac45 100644
logging_list_logs($1)
admin_pattern($1, uucpd_log_t)
diff --git a/uucp.te b/uucp.te
-index d4349e9..2f0887d 100644
+index d4349e9..f015de0 100644
--- a/uucp.te
+++ b/uucp.te
@@ -24,7 +24,7 @@ type uucpd_ro_t;
@@ -56558,7 +57830,15 @@ index d4349e9..2f0887d 100644
type uucpd_log_t;
logging_log_file(uucpd_log_t)
-@@ -125,6 +125,8 @@ optional_policy(`
+@@ -91,7 +91,6 @@ fs_getattr_xattr_fs(uucpd_t)
+ corecmd_exec_bin(uucpd_t)
+ corecmd_exec_shell(uucpd_t)
+
+-files_read_etc_files(uucpd_t)
+ files_search_home(uucpd_t)
+ files_search_spool(uucpd_t)
+
+@@ -125,15 +124,18 @@ optional_policy(`
allow uux_t self:capability { setuid setgid };
allow uux_t self:fifo_file write_fifo_file_perms;
@@ -56567,7 +57847,9 @@ index d4349e9..2f0887d 100644
uucp_append_log(uux_t)
uucp_manage_spool(uux_t)
-@@ -134,6 +136,8 @@ files_read_etc_files(uux_t)
+ corecmd_exec_bin(uux_t)
+
+-files_read_etc_files(uux_t)
fs_rw_anon_inodefs_files(uux_t)
@@ -56576,7 +57858,7 @@ index d4349e9..2f0887d 100644
logging_send_syslog_msg(uux_t)
miscfiles_read_localization(uux_t)
-@@ -145,5 +149,5 @@ optional_policy(`
+@@ -145,5 +147,5 @@ optional_policy(`
')
optional_policy(`
@@ -56883,7 +58165,7 @@ index 1f872b5..8af4bce 100644
-
')
diff --git a/vhostmd.te b/vhostmd.te
-index 32a3c13..803eea6 100644
+index 32a3c13..759f08c 100644
--- a/vhostmd.te
+++ b/vhostmd.te
@@ -24,8 +24,8 @@ files_pid_file(vhostmd_var_run_t)
@@ -56905,24 +58187,24 @@ index 32a3c13..803eea6 100644
kernel_read_system_state(vhostmd_t)
kernel_read_network_state(vhostmd_t)
kernel_write_xen_state(vhostmd_t)
-@@ -44,9 +45,16 @@ corecmd_exec_shell(vhostmd_t)
+@@ -44,9 +45,15 @@ corecmd_exec_shell(vhostmd_t)
corenet_tcp_connect_soundd_port(vhostmd_t)
+-files_read_etc_files(vhostmd_t)
+dev_read_rand(vhostmd_t)
+dev_read_urand(vhostmd_t)
+dev_read_sysfs(vhostmd_t)
+
+# 579803
+files_list_tmp(vhostmd_t)
- files_read_etc_files(vhostmd_t)
files_read_usr_files(vhostmd_t)
+dev_read_rand(vhostmd_t)
dev_read_sysfs(vhostmd_t)
auth_use_nsswitch(vhostmd_t)
-@@ -66,6 +74,7 @@ optional_policy(`
+@@ -66,6 +73,7 @@ optional_policy(`
optional_policy(`
virt_stream_connect(vhostmd_t)
@@ -57682,7 +58964,7 @@ index 7c5d8d8..85b7d8b 100644
+ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
')
diff --git a/virt.te b/virt.te
-index ad3068a..caef8cf 100644
+index ad3068a..452693b 100644
--- a/virt.te
+++ b/virt.te
@@ -5,56 +5,87 @@ policy_module(virt, 1.4.2)
@@ -58043,7 +59325,7 @@ index ad3068a..caef8cf 100644
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
-@@ -247,22 +375,32 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -247,22 +375,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
corenet_rw_tun_tap_dev(virtd_t)
dev_rw_sysfs(virtd_t)
@@ -58062,7 +59344,7 @@ index ad3068a..caef8cf 100644
+domain_read_all_domains_state(virtd_t)
files_read_usr_files(virtd_t)
- files_read_etc_files(virtd_t)
+-files_read_etc_files(virtd_t)
+files_read_usr_files(virtd_t)
files_read_etc_runtime_files(virtd_t)
files_search_all(virtd_t)
@@ -58077,7 +59359,7 @@ index ad3068a..caef8cf 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
-@@ -270,6 +408,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -270,6 +407,18 @@ fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
fs_rw_cgroup_files(virtd_t)
@@ -58096,7 +59378,7 @@ index ad3068a..caef8cf 100644
mcs_process_set_categories(virtd_t)
-@@ -284,6 +434,8 @@ term_use_ptmx(virtd_t)
+@@ -284,6 +433,8 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -58105,7 +59387,7 @@ index ad3068a..caef8cf 100644
miscfiles_read_localization(virtd_t)
miscfiles_read_generic_certs(virtd_t)
miscfiles_read_hwdata(virtd_t)
-@@ -293,17 +445,32 @@ modutils_read_module_config(virtd_t)
+@@ -293,17 +444,32 @@ modutils_read_module_config(virtd_t)
modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
@@ -58138,7 +59420,7 @@ index ad3068a..caef8cf 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -322,6 +489,10 @@ optional_policy(`
+@@ -322,6 +488,10 @@ optional_policy(`
')
optional_policy(`
@@ -58149,7 +59431,7 @@ index ad3068a..caef8cf 100644
dbus_system_bus_client(virtd_t)
optional_policy(`
-@@ -335,19 +506,30 @@ optional_policy(`
+@@ -335,19 +505,30 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(virtd_t)
')
@@ -58181,7 +59463,7 @@ index ad3068a..caef8cf 100644
# Manages /etc/sysconfig/system-config-firewall
iptables_manage_config(virtd_t)
-@@ -362,6 +544,12 @@ optional_policy(`
+@@ -362,6 +543,12 @@ optional_policy(`
')
optional_policy(`
@@ -58194,7 +59476,7 @@ index ad3068a..caef8cf 100644
policykit_dbus_chat(virtd_t)
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
-@@ -369,11 +557,11 @@ optional_policy(`
+@@ -369,11 +556,11 @@ optional_policy(`
')
optional_policy(`
@@ -58211,7 +59493,7 @@ index ad3068a..caef8cf 100644
')
optional_policy(`
-@@ -384,6 +572,7 @@ optional_policy(`
+@@ -384,6 +571,7 @@ optional_policy(`
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
@@ -58219,7 +59501,7 @@ index ad3068a..caef8cf 100644
xen_stream_connect(virtd_t)
xen_stream_connect_xenstore(virtd_t)
xen_read_image_files(virtd_t)
-@@ -403,20 +592,36 @@ optional_policy(`
+@@ -403,20 +591,36 @@ optional_policy(`
# virtual domains common policy
#
@@ -58259,7 +59541,7 @@ index ad3068a..caef8cf 100644
corecmd_exec_bin(virt_domain)
corecmd_exec_shell(virt_domain)
-@@ -427,10 +632,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
+@@ -427,10 +631,12 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
corenet_tcp_sendrecv_all_ports(virt_domain)
corenet_tcp_bind_generic_node(virt_domain)
corenet_tcp_bind_vnc_port(virt_domain)
@@ -58273,7 +59555,7 @@ index ad3068a..caef8cf 100644
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -438,10 +645,12 @@ dev_write_sound(virt_domain)
+@@ -438,10 +644,11 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -58281,12 +59563,12 @@ index ad3068a..caef8cf 100644
domain_use_interactive_fds(virt_domain)
- files_read_etc_files(virt_domain)
+-files_read_etc_files(virt_domain)
+files_read_mnt_symlinks(virt_domain)
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -449,25 +658,430 @@ files_search_all(virt_domain)
+@@ -449,25 +656,426 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -58374,7 +59656,6 @@ index ad3068a..caef8cf 100644
+files_read_usr_files(virsh_t)
+files_list_mnt(virsh_t)
+# Some common macros (you might be able to remove some)
-+files_read_etc_files(virsh_t)
+
+fs_getattr_all_fs(virsh_t)
+fs_manage_xenfs_dirs(virsh_t)
@@ -58492,7 +59773,6 @@ index ad3068a..caef8cf 100644
+
+files_search_all(virtd_lxc_t)
+files_getattr_all_files(virtd_lxc_t)
-+files_read_etc_files(virtd_lxc_t)
+files_read_usr_files(virtd_lxc_t)
+files_relabel_rootfs(virtd_lxc_t)
+files_mounton_non_security(virtd_lxc_t)
@@ -58687,7 +59967,6 @@ index ad3068a..caef8cf 100644
+
+domain_use_interactive_fds(virt_qmf_t)
+
-+files_read_etc_files(virt_qmf_t)
+
+logging_send_syslog_msg(virt_qmf_t)
+
@@ -58717,7 +59996,6 @@ index ad3068a..caef8cf 100644
+
+corenet_rw_tun_tap_dev(virt_bridgehelper_t)
+
-+files_read_etc_files(virt_bridgehelper_t)
+
+userdom_use_inherited_user_ptys(virt_bridgehelper_t)
diff --git a/vlock.te b/vlock.te
@@ -58876,7 +60154,7 @@ index 7b93e07..a4e2f60 100644
########################################
diff --git a/vpn.te b/vpn.te
-index 83a80ba..d2585bb 100644
+index 83a80ba..a7aefa0 100644
--- a/vpn.te
+++ b/vpn.te
@@ -5,13 +5,15 @@ policy_module(vpn, 1.15.0)
@@ -58907,7 +60185,7 @@ index 83a80ba..d2585bb 100644
allow vpnc_t self:process { getsched signal };
allow vpnc_t self:fifo_file rw_fifo_file_perms;
allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
-@@ -80,8 +82,8 @@ domain_use_interactive_fds(vpnc_t)
+@@ -80,18 +82,19 @@ domain_use_interactive_fds(vpnc_t)
fs_getattr_xattr_fs(vpnc_t)
fs_getattr_tmpfs(vpnc_t)
@@ -58918,7 +60196,10 @@ index 83a80ba..d2585bb 100644
corecmd_exec_all_executables(vpnc_t)
-@@ -92,6 +94,8 @@ files_dontaudit_search_home(vpnc_t)
+ files_exec_etc_files(vpnc_t)
+ files_read_etc_runtime_files(vpnc_t)
+-files_read_etc_files(vpnc_t)
+ files_dontaudit_search_home(vpnc_t)
auth_use_nsswitch(vpnc_t)
@@ -58927,7 +60208,7 @@ index 83a80ba..d2585bb 100644
libs_exec_ld_so(vpnc_t)
libs_exec_lib_files(vpnc_t)
-@@ -105,12 +109,13 @@ miscfiles_read_localization(vpnc_t)
+@@ -105,12 +108,13 @@ miscfiles_read_localization(vpnc_t)
seutil_dontaudit_search_config(vpnc_t)
seutil_use_newrole_fds(vpnc_t)
@@ -59105,10 +60386,10 @@ index 0000000..8e3570d
+')
diff --git a/wdmd.te b/wdmd.te
new file mode 100644
-index 0000000..df9a759
+index 0000000..14c5c0a
--- /dev/null
+++ b/wdmd.te
-@@ -0,0 +1,46 @@
+@@ -0,0 +1,45 @@
+policy_module(wdmd,1.0.0)
+
+########################################
@@ -59146,7 +60427,6 @@ index 0000000..df9a759
+
+domain_use_interactive_fds(wdmd_t)
+
-+files_read_etc_files(wdmd_t)
+
+fs_read_anon_inodefs_files(wdmd_t)
+
@@ -59169,10 +60449,16 @@ index 0ecc786..e0f21c3 100644
files_dontaudit_search_all_dirs(webadm_t)
files_manage_generic_locks(webadm_t)
diff --git a/webalizer.te b/webalizer.te
-index 32b4f76..ecb9d3a 100644
+index 32b4f76..d11a7ca 100644
--- a/webalizer.te
+++ b/webalizer.te
-@@ -75,18 +75,22 @@ files_read_etc_runtime_files(webalizer_t)
+@@ -69,24 +69,27 @@ fs_search_auto_mountpoints(webalizer_t)
+ fs_getattr_xattr_fs(webalizer_t)
+ fs_rw_anon_inodefs_files(webalizer_t)
+
+-files_read_etc_files(webalizer_t)
+ files_read_etc_runtime_files(webalizer_t)
+
logging_list_logs(webalizer_t)
logging_send_syslog_msg(webalizer_t)
@@ -59329,7 +60615,7 @@ index 7a17516..56fbcc2 100644
')
diff --git a/wireshark.te b/wireshark.te
-index fc0adf8..01473bc 100644
+index fc0adf8..1647930 100644
--- a/wireshark.te
+++ b/wireshark.te
@@ -31,18 +31,19 @@ userdom_user_tmpfs_file(wireshark_tmpfs_t)
@@ -59362,7 +60648,15 @@ index fc0adf8..01473bc 100644
corenet_tcp_connect_generic_port(wireshark_t)
corenet_tcp_sendrecv_generic_if(wireshark_t)
-@@ -84,6 +84,8 @@ fs_search_auto_mountpoints(wireshark_t)
+@@ -76,7 +76,6 @@ dev_read_rand(wireshark_t)
+ dev_read_sysfs(wireshark_t)
+ dev_read_urand(wireshark_t)
+
+-files_read_etc_files(wireshark_t)
+ files_read_usr_files(wireshark_t)
+
+ fs_list_inotifyfs(wireshark_t)
+@@ -84,6 +83,8 @@ fs_search_auto_mountpoints(wireshark_t)
libs_read_lib_files(wireshark_t)
@@ -59371,7 +60665,7 @@ index fc0adf8..01473bc 100644
miscfiles_read_fonts(wireshark_t)
miscfiles_read_localization(wireshark_t)
-@@ -92,23 +94,8 @@ seutil_use_newrole_fds(wireshark_t)
+@@ -92,23 +93,8 @@ seutil_use_newrole_fds(wireshark_t)
sysnet_read_config(wireshark_t)
userdom_manage_user_home_content_files(wireshark_t)
@@ -59397,10 +60691,18 @@ index fc0adf8..01473bc 100644
# Manual transition from userhelper
optional_policy(`
diff --git a/wm.if b/wm.if
-index b3efef7..50c1a74 100644
+index b3efef7..75d280c 100644
--- a/wm.if
+++ b/wm.if
-@@ -77,6 +77,11 @@ template(`wm_role_template',`
+@@ -59,7 +59,6 @@ template(`wm_role_template',`
+
+ dev_read_urand($1_wm_t)
+
+- files_read_etc_files($1_wm_t)
+ files_read_usr_files($1_wm_t)
+
+ fs_getattr_tmpfs($1_wm_t)
+@@ -77,6 +76,11 @@ template(`wm_role_template',`
miscfiles_read_fonts($1_wm_t)
miscfiles_read_localization($1_wm_t)
@@ -59821,6 +61123,18 @@ index d995c70..1282d4c 100644
- unconfined_domain(xend_t)
- ')
')
+diff --git a/xfs.te b/xfs.te
+index 11c1b12..2eb8770 100644
+--- a/xfs.te
++++ b/xfs.te
+@@ -57,7 +57,6 @@ fs_search_auto_mountpoints(xfs_t)
+
+ domain_use_interactive_fds(xfs_t)
+
+-files_read_etc_files(xfs_t)
+ files_read_etc_runtime_files(xfs_t)
+ files_read_usr_files(xfs_t)
+
diff --git a/xguest.te b/xguest.te
index e88b95f..6b9303f 100644
--- a/xguest.te
@@ -59993,10 +61307,18 @@ index 1487a4e..f6b4217 100644
userdom_read_user_home_content_files(xscreensaver_t)
diff --git a/yam.te b/yam.te
-index 223ad43..26e5b2c 100644
+index 223ad43..9e53fad 100644
--- a/yam.te
+++ b/yam.te
-@@ -83,6 +83,8 @@ fs_search_auto_mountpoints(yam_t)
+@@ -71,7 +71,6 @@ corenet_sendrecv_rsync_client_packets(yam_t)
+ # mktemp
+ dev_read_urand(yam_t)
+
+-files_read_etc_files(yam_t)
+ files_read_etc_runtime_files(yam_t)
+ # /usr/share/createrepo/genpkgmetadata.py:
+ files_exec_usr_files(yam_t)
+@@ -83,6 +82,8 @@ fs_search_auto_mountpoints(yam_t)
# Content can also be on ISO image files.
fs_read_iso9660_files(yam_t)
@@ -60005,7 +61327,7 @@ index 223ad43..26e5b2c 100644
logging_send_syslog_msg(yam_t)
miscfiles_read_localization(yam_t)
-@@ -92,7 +94,7 @@ seutil_read_config(yam_t)
+@@ -92,7 +93,7 @@ seutil_read_config(yam_t)
sysnet_dns_name_resolve(yam_t)
sysnet_read_config(yam_t)
@@ -60086,7 +61408,7 @@ index c9981d1..38ce620 100644
init_labeled_script_domtrans($1, zabbix_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/zabbix.te b/zabbix.te
-index 8c0bd70..e5191a2 100644
+index 8c0bd70..be5502f 100644
--- a/zabbix.te
+++ b/zabbix.te
@@ -5,6 +5,13 @@ policy_module(zabbix, 1.5.0)
@@ -60144,7 +61466,7 @@ index 8c0bd70..e5191a2 100644
# shared memory
rw_files_pattern(zabbix_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
fs_tmpfs_filetrans(zabbix_t, zabbix_tmpfs_t, file)
-@@ -58,26 +75,54 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
+@@ -58,26 +75,53 @@ manage_dirs_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
@@ -60160,16 +61482,16 @@ index 8c0bd70..e5191a2 100644
+corenet_tcp_connect_http_port(zabbix_t)
+# to monitor ftp urls
+corenet_tcp_connect_ftp_port(zabbix_t)
-+
-+dev_read_urand(zabbix_t)
- files_read_etc_files(zabbix_t)
-+files_read_usr_files(zabbix_t)
+-files_read_etc_files(zabbix_t)
++dev_read_urand(zabbix_t)
-miscfiles_read_localization(zabbix_t)
-+auth_use_nsswitch(zabbix_t)
++files_read_usr_files(zabbix_t)
-sysnet_dns_name_resolve(zabbix_t)
++auth_use_nsswitch(zabbix_t)
++
+miscfiles_read_localization(zabbix_t)
zabbix_agent_tcp_connect(zabbix_t)
@@ -60202,6 +61524,14 @@ index 8c0bd70..e5191a2 100644
########################################
#
# zabbix agent local policy
+@@ -121,7 +165,6 @@ domain_search_all_domains_state(zabbix_agent_t)
+ files_getattr_all_dirs(zabbix_agent_t)
+ files_getattr_all_files(zabbix_agent_t)
+ files_read_all_symlinks(zabbix_agent_t)
+-files_read_etc_files(zabbix_agent_t)
+
+ fs_getattr_all_fs(zabbix_agent_t)
+
diff --git a/zarafa.fc b/zarafa.fc
index 3defaa1..7436a1c 100644
--- a/zarafa.fc
@@ -60828,10 +62158,10 @@ index 0000000..b34b8b4
+
diff --git a/zoneminder.te b/zoneminder.te
new file mode 100644
-index 0000000..9562539
+index 0000000..d12357b
--- /dev/null
+++ b/zoneminder.te
-@@ -0,0 +1,124 @@
+@@ -0,0 +1,123 @@
+policy_module(zoneminder, 1.0.0)
+
+########################################
@@ -60916,7 +62246,6 @@ index 0000000..9562539
+dev_read_video_dev(zoneminder_t)
+dev_write_video_dev(zoneminder_t)
+
-+files_read_etc_files(zoneminder_t)
+files_read_usr_files(zoneminder_t)
+
+auth_use_nsswitch(zoneminder_t)
@@ -60977,10 +62306,10 @@ index 702e768..2a4f2cc 100644
interface(`zosremote_run',`
gen_require(`
diff --git a/zosremote.te b/zosremote.te
-index f9a06d2..3d407c6 100644
+index f9a06d2..aed9d14 100644
--- a/zosremote.te
+++ b/zosremote.te
-@@ -16,7 +16,7 @@ logging_dispatcher_domain(zos_remote_t, zos_remote_exec_t)
+@@ -16,10 +16,9 @@ logging_dispatcher_domain(zos_remote_t, zos_remote_exec_t)
#
allow zos_remote_t self:process signal;
@@ -60988,4 +62317,7 @@ index f9a06d2..3d407c6 100644
+allow zos_remote_t self:fifo_file rw_fifo_file_perms;
allow zos_remote_t self:unix_stream_socket create_stream_socket_perms;
- files_read_etc_files(zos_remote_t)
+-files_read_etc_files(zos_remote_t)
+
+ auth_use_nsswitch(zos_remote_t)
+
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 700b953..7846eb8 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.11.0
-Release: 6%{?dist}
+Release: 7%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -491,6 +491,26 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Jun 27 2012 Miroslav Grepl 3.11.0-7
+- add ptrace_child access to process
+- remove files_read_etc_files() calling from all policies which have auth_use_nsswith()
+- Allow boinc domains to manage boinc_lib_t lnk_files
+- Add support for boinc-client.service unit file
+- Add support for boinc.log
+- Allow mozilla_plugin execmod on mozilla home files if allow_ex
+- Allow dovecot_deliver_t to read dovecot_var_run_t
+- Allow ldconfig and insmod to manage kdumpctl tmp files
+- Move thin policy out from cloudform.pp and add a new thin poli
+- pacemaker needs to communicate with corosync streams
+- abrt is now started on demand by dbus
+- Allow certmonger to talk directly to Dogtag servers
+- Change labeling for /var/lib/cobbler/webui_sessions to httpd_c
+- Allow mozila_plugin to execute gstreamer home files
+- Allow useradd to delete all file types stored in the users hom
+- rhsmcertd reads the rpm database
+- Add support for lightdm
+
+
* Mon Jun 25 2012 Miroslav Grepl 3.11.0-6
- Add tomcat policy
- Remove pyzor/razor policy