diff --git a/modules-targeted-contrib.conf b/modules-targeted-contrib.conf
index 6a7d743..fc7838f 100644
--- a/modules-targeted-contrib.conf
+++ b/modules-targeted-contrib.conf
@@ -2337,3 +2337,24 @@ rtas = module
# journalctl policy
#
journalctl = module
+
+# Layer: contrib
+# Module: gdomap
+#
+# gdomap policy
+#
+gdomap = module
+
+# Layer: contrib
+# Module: minidlna
+#
+# minidlna policy
+#
+minidlna = module
+
+# Layer: contrib
+# Module: minissdpd
+#
+# minissdpd policy
+#
+minissdpd = module
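Review bot: The three new `= module` entries (gdomap, minidlna, minissdpd) only build if matching contrib policy sources for those names are present in the contrib tree, and this diff does not show them being added, so the build will fail if they are missing. Each block follows the existing `# Layer: contrib` / `# Module:` header convention used for journalctl above it, so the entries themselves need no change. It would help readers to name in the commit message where these contrib modules come from.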
diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch
index cbdf5f0..ac72c68 100644
--- a/policy-rawhide-base.patch
+++ b/policy-rawhide-base.patch
@@ -1,5 +1,5 @@
diff --git a/Makefile b/Makefile
-index 85d4cfb..7bfdfc6 100644
+index ec7b5cb..7ff79da 100644
--- a/Makefile
+++ b/Makefile
@@ -61,6 +61,7 @@ SEMODULE ?= $(tc_usrsbindir)/semodule
@@ -10,7 +10,7 @@ index 85d4cfb..7bfdfc6 100644
LOADPOLICY ?= $(tc_usrsbindir)/load_policy
SETFILES ?= $(tc_sbindir)/setfiles
XMLLINT ?= $(BINDIR)/xmllint
-@@ -249,7 +250,7 @@ seusers := $(appconf)/seusers
+@@ -250,7 +251,7 @@ seusers := $(appconf)/seusers
appdir := $(contextpath)
user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
@@ -19,7 +19,7 @@ index 85d4cfb..7bfdfc6 100644
net_contexts := $(builddir)net_contexts
all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
-@@ -608,15 +609,17 @@ resetlabels:
+@@ -609,15 +610,17 @@ resetlabels:
# Clean everything
#
bare: clean
@@ -767,7 +767,7 @@ index 3a45f23..f4754f0 100644
# fork
# setexec
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
-index 28802c5..1afd77b 100644
+index a94b169..1afd77b 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -329,6 +329,7 @@ class process
@@ -815,17 +815,7 @@ index 28802c5..1afd77b 100644
}
# Define the access vector interpretation for controlling
-@@ -827,6 +839,9 @@ class kernel_service
-
- class tun_socket
- inherits socket
-+{
-+ attach_queue
-+}
-
- class x_pointer
- inherits x_device
-@@ -862,3 +877,18 @@ inherits database
+@@ -865,3 +877,18 @@ inherits database
implement
execute
}
@@ -1112,7 +1102,7 @@ index 216b3d1..275d3d9 100644
+
') dnl end enable_mcs
diff --git a/policy/mls b/policy/mls
-index d218387..c2541c2 100644
+index f11e5e2..656f7a7 100644
--- a/policy/mls
+++ b/policy/mls
@@ -195,7 +195,8 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
@@ -1136,10 +1126,10 @@ index d218387..c2541c2 100644
# MLS policy for the process class
#
diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
-index 7a6f06f..5745bb2 100644
+index 2626ebf..5745bb2 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
-@@ -1,9 +1,16 @@
+@@ -1,11 +1,16 @@
+/etc/default/grub -- gen_context(system_u:object_r:bootloader_etc_t,s0)
+/etc/lilo\.conf.* gen_context(system_u:object_r:bootloader_etc_t,s0)
+/etc/yaboot\.conf.* gen_context(system_u:object_r:bootloader_etc_t,s0)
@@ -1160,9 +1150,11 @@ index 7a6f06f..5745bb2 100644
+/usr/sbin/zipl -- gen_context(system_u:object_r:bootloader_exec_t,s0)
-/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+-/usr/sbin/grub2-bios-setup -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+-/usr/sbin/grub2-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/var/lib/os-prober(/.*)? gen_context(system_u:object_r:bootloader_var_lib_t,s0)
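Review bot: The patch now deletes upstream's `bootloader_exec_t` labels for `/usr/sbin/grub2-bios-setup` and `/usr/sbin/grub2-probe` (the two new `-` lines), and nothing in this hunk relabels them. Unless another file-context entry covers them they fall back to the generic `/usr/sbin` match, so running them would no longer transition into `bootloader_t`; if that is intended (they are meant to run in the caller's domain), a short comment in the patch next to the removal would make the intent reviewable. The bootloader.fc hunk inside the patch starts and ends outside this outer hunk.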
diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
-index cc8df9d..34c2a4e 100644
+index cc8df9d..90467f3 100644
--- a/policy/modules/admin/bootloader.if
+++ b/policy/modules/admin/bootloader.if
@@ -19,6 +19,24 @@ interface(`bootloader_domtrans',`
@@ -1190,27 +1182,17 @@ index cc8df9d..34c2a4e 100644
########################################
##
## Execute bootloader interactively and do
-@@ -38,16 +56,26 @@ interface(`bootloader_domtrans',`
+@@ -38,16 +56,18 @@ interface(`bootloader_domtrans',`
#
interface(`bootloader_run',`
gen_require(`
-- attribute_role bootloader_roles;
+ type bootloader_t;
-+ #attribute_role bootloader_roles;
+ attribute_role bootloader_roles;
')
-+ #bootloader_domtrans($1)
-+ #roleattribute $2 bootloader_roles;
-+
bootloader_domtrans($1)
-- roleattribute $2 bootloader_roles;
-+
-+ role $2 types bootloader_t;
+ roleattribute $2 bootloader_roles;
+
-+ ifdef(`distro_redhat',`
-+ # for mke2fs
-+ mount_run(bootloader_t, $2)
-+ ')
')
########################################
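Review bot: `type bootloader_t;` is added to the `gen_require` of `bootloader_run`, but the restored body only calls `bootloader_domtrans($1)` and `roleattribute $2 bootloader_roles;`, so the requirement is unused now that `role $2 types bootloader_t;` is gone. The same unused `type` requirement is added in usermanage.if for `chfn_t`, `groupadd_t`, `passwd_t`, `sysadm_passwd_t` and `useradd_t` in the `usermanage_run_*` hunks further down, where the interface bodies continue outside the inner hunks. Drop the `type` line in each case, or keep it only where a later statement in that interface still references the type.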
@@ -1220,7 +1202,7 @@ index cc8df9d..34c2a4e 100644
##
##
##
-@@ -55,36 +83,37 @@ interface(`bootloader_run',`
+@@ -55,36 +75,37 @@ interface(`bootloader_run',`
##
##
#
@@ -1266,7 +1248,7 @@ index cc8df9d..34c2a4e 100644
## configuration file.
##
##
-@@ -94,12 +123,12 @@ interface(`bootloader_read_config',`
+@@ -94,12 +115,12 @@ interface(`bootloader_read_config',`
##
##
#
@@ -1281,7 +1263,7 @@ index cc8df9d..34c2a4e 100644
')
########################################
-@@ -119,7 +148,7 @@ interface(`bootloader_rw_tmp_files',`
+@@ -119,7 +140,7 @@ interface(`bootloader_rw_tmp_files',`
')
files_search_tmp($1)
@@ -1290,7 +1272,7 @@ index cc8df9d..34c2a4e 100644
')
########################################
-@@ -141,3 +170,24 @@ interface(`bootloader_create_runtime_file',`
+@@ -141,3 +162,24 @@ interface(`bootloader_create_runtime_file',`
allow $1 boot_runtime_t:file { create_file_perms rw_file_perms };
files_boot_filetrans($1, boot_runtime_t, file)
')
@@ -1316,26 +1298,13 @@ index cc8df9d..34c2a4e 100644
+ files_etc_filetrans($1,bootloader_etc_t,file, "zipl.conf")
+')
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
-index e3dbbb8..a99f6e9 100644
+index 0fd5c5f..32514ee 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
-@@ -5,8 +5,8 @@ policy_module(bootloader, 1.13.2)
- # Declarations
- #
-
--attribute_role bootloader_roles;
--roleattribute system_r bootloader_roles;
-+#attribute_role bootloader_roles;
-+#roleattribute system_r bootloader_roles;
-
- #
- # boot_runtime_t is the type for /boot/kernel.h,
-@@ -19,14 +19,21 @@ files_type(boot_runtime_t)
- type bootloader_t;
+@@ -20,13 +20,20 @@ type bootloader_t;
type bootloader_exec_t;
application_domain(bootloader_t, bootloader_exec_t)
--role bootloader_roles types bootloader_t;
-+#role bootloader_roles types bootloader_t;
+ role bootloader_roles types bootloader_t;
+role system_r types bootloader_t;
+
+type bootloader_var_run_t;
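Review bot: `role system_r types bootloader_t;` is added directly after the restored `role bootloader_roles types bootloader_t;`, yet the previous version of this patch removed upstream's `roleattribute system_r bootloader_roles;` from lines 5–8 and the new version no longer touches that region, which suggests upstream still associates `system_r` with the attribute. If so the added line is redundant; the compiler tolerates it, but it misleads readers about where `system_r` gets the type. usermanage.te receives the same treatment with `role system_r types chfn_t;` after `role chfn_roles types chfn_t;`, where the old patch likewise removed an upstream `role system_r types chfn_t;` near the top of the file. Either drop the explicit role lines or add a comment explaining why they are still wanted; the declaration block continues outside the inner hunk.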
@@ -1448,17 +1417,7 @@ index e3dbbb8..a99f6e9 100644
userdom_dontaudit_search_user_home_dirs(bootloader_t)
ifdef(`distro_debian',`
-@@ -166,7 +191,8 @@ ifdef(`distro_redhat',`
- files_manage_isid_type_chr_files(bootloader_t)
-
- # for mke2fs
-- mount_run(bootloader_t, bootloader_roles)
-+ #mount_run(bootloader_t, bootloader_roles)
-+ mount_domtrans(bootloader_t)
-
- optional_policy(`
- unconfined_domain(bootloader_t)
-@@ -174,6 +200,10 @@ ifdef(`distro_redhat',`
+@@ -174,6 +199,10 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -1469,7 +1428,7 @@ index e3dbbb8..a99f6e9 100644
fstools_exec(bootloader_t)
')
-@@ -183,6 +213,14 @@ optional_policy(`
+@@ -183,6 +212,14 @@ optional_policy(`
')
optional_policy(`
@@ -1484,7 +1443,7 @@ index e3dbbb8..a99f6e9 100644
kudzu_domtrans(bootloader_t)
')
-@@ -195,17 +233,18 @@ optional_policy(`
+@@ -195,17 +232,18 @@ optional_policy(`
optional_policy(`
modutils_exec_insmod(bootloader_t)
@@ -1746,10 +1705,10 @@ index c6ca761..0c86bfd 100644
')
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index 8128de8..b0a385b 100644
+index c44c359..c7fe2c6 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
-@@ -7,10 +7,10 @@ policy_module(netutils, 1.11.2)
+@@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1)
##
##
@@ -1804,12 +1763,8 @@ index 8128de8..b0a385b 100644
userdom_use_all_users_fds(netutils_t)
optional_policy(`
-@@ -106,13 +109,14 @@ optional_policy(`
- #
-
- allow ping_t self:capability { setuid net_raw };
-+allow ping_t self:process setcap;
-+
+@@ -110,11 +113,10 @@ allow ping_t self:capability { setuid net_raw };
+ allow ping_t self:process { getcap setcap };
dontaudit ping_t self:capability sys_tty_config;
allow ping_t self:tcp_socket create_socket_perms;
-allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
@@ -1822,7 +1777,7 @@ index 8128de8..b0a385b 100644
corenet_all_recvfrom_netlabel(ping_t)
corenet_tcp_sendrecv_generic_if(ping_t)
corenet_raw_sendrecv_generic_if(ping_t)
-@@ -122,6 +126,7 @@ corenet_raw_bind_generic_node(ping_t)
+@@ -124,6 +126,7 @@ corenet_raw_bind_generic_node(ping_t)
corenet_tcp_sendrecv_all_ports(ping_t)
fs_dontaudit_getattr_xattr_fs(ping_t)
@@ -1830,7 +1785,7 @@ index 8128de8..b0a385b 100644
domain_use_interactive_fds(ping_t)
-@@ -129,14 +134,13 @@ files_read_etc_files(ping_t)
+@@ -131,14 +134,13 @@ files_read_etc_files(ping_t)
files_dontaudit_search_var(ping_t)
kernel_read_system_state(ping_t)
@@ -1848,7 +1803,7 @@ index 8128de8..b0a385b 100644
ifdef(`hide_broken_symptoms',`
init_dontaudit_use_fds(ping_t)
-@@ -147,11 +151,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -149,11 +151,25 @@ ifdef(`hide_broken_symptoms',`
')
')
@@ -1874,7 +1829,7 @@ index 8128de8..b0a385b 100644
pcmcia_use_cardmgr_fds(ping_t)
')
-@@ -159,6 +177,15 @@ optional_policy(`
+@@ -161,6 +177,15 @@ optional_policy(`
hotplug_use_fds(ping_t)
')
@@ -1890,7 +1845,7 @@ index 8128de8..b0a385b 100644
########################################
#
# Traceroute local policy
-@@ -172,7 +199,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
+@@ -174,7 +199,6 @@ allow traceroute_t self:udp_socket create_socket_perms;
kernel_read_system_state(traceroute_t)
kernel_read_network_state(traceroute_t)
@@ -1898,7 +1853,7 @@ index 8128de8..b0a385b 100644
corenet_all_recvfrom_netlabel(traceroute_t)
corenet_tcp_sendrecv_generic_if(traceroute_t)
corenet_udp_sendrecv_generic_if(traceroute_t)
-@@ -196,6 +222,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
+@@ -198,6 +222,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
domain_use_interactive_fds(traceroute_t)
files_read_etc_files(traceroute_t)
@@ -1906,7 +1861,7 @@ index 8128de8..b0a385b 100644
files_dontaudit_search_var(traceroute_t)
init_use_fds(traceroute_t)
-@@ -204,11 +231,17 @@ auth_use_nsswitch(traceroute_t)
+@@ -206,11 +231,17 @@ auth_use_nsswitch(traceroute_t)
logging_send_syslog_msg(traceroute_t)
@@ -2483,7 +2438,7 @@ index f82f0ce..204bdc8 100644
/usr/sbin/pwunconv -- gen_context(system_u:object_r:admin_passwd_exec_t,s0)
/usr/sbin/useradd -- gen_context(system_u:object_r:useradd_exec_t,s0)
diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
-index 99e3903..7270808 100644
+index 99e3903..fa68362 100644
--- a/policy/modules/admin/usermanage.if
+++ b/policy/modules/admin/usermanage.if
@@ -17,10 +17,6 @@ interface(`usermanage_domtrans_chfn',`
@@ -2497,26 +2452,15 @@ index 99e3903..7270808 100644
')
########################################
-@@ -41,11 +37,16 @@ interface(`usermanage_domtrans_chfn',`
- #
+@@ -42,6 +38,7 @@ interface(`usermanage_domtrans_chfn',`
interface(`usermanage_run_chfn',`
gen_require(`
-- attribute_role chfn_roles;
-+ #attribute_role chfn_roles;
+ attribute_role chfn_roles;
+ type chfn_t;
')
-+ #usermanage_domtrans_chfn($1)
-+ #roleattribute $2 chfn_roles;
-+
usermanage_domtrans_chfn($1)
-- roleattribute $2 chfn_roles;
-+ role $2 types chfn_t;
-+
- ')
-
- ########################################
-@@ -65,10 +66,25 @@ interface(`usermanage_domtrans_groupadd',`
+@@ -65,10 +62,25 @@ interface(`usermanage_domtrans_groupadd',`
corecmd_search_bin($1)
domtrans_pattern($1, groupadd_exec_t, groupadd_t)
@@ -2544,29 +2488,15 @@ index 99e3903..7270808 100644
')
########################################
-@@ -90,11 +106,19 @@ interface(`usermanage_domtrans_groupadd',`
+@@ -90,6 +102,7 @@ interface(`usermanage_domtrans_groupadd',`
#
interface(`usermanage_run_groupadd',`
gen_require(`
-- attribute_role groupadd_roles;
+ type groupadd_t;
-+ #attribute_role groupadd_roles;
+ attribute_role groupadd_roles;
')
-+ #usermanage_domtrans_groupadd($1)
-+ #roleattribute $2 groupadd_roles;
- usermanage_domtrans_groupadd($1)
-- roleattribute $2 groupadd_roles;
-+ role $2 types groupadd_t;
-+
-+ optional_policy(`
-+ nscd_run(groupadd_t, $2)
-+ ')
-+
- ')
-
- ########################################
-@@ -114,10 +138,6 @@ interface(`usermanage_domtrans_passwd',`
+@@ -114,10 +127,6 @@ interface(`usermanage_domtrans_passwd',`
corecmd_search_bin($1)
domtrans_pattern($1, passwd_exec_t, passwd_t)
@@ -2577,26 +2507,18 @@ index 99e3903..7270808 100644
')
########################################
-@@ -174,11 +194,35 @@ interface(`usermanage_check_exec_passwd',`
+@@ -174,6 +183,7 @@ interface(`usermanage_check_exec_passwd',`
#
interface(`usermanage_run_passwd',`
gen_require(`
-- attribute_role passwd_roles;
+ type passwd_t;
-+ #attribute_role passwd_roles;
+ attribute_role passwd_roles;
')
-+ #usermanage_domtrans_passwd($1)
-+ #roleattribute $2 passwd_roles;
-+
- usermanage_domtrans_passwd($1)
-- roleattribute $2 passwd_roles;
-+ role $2 types passwd_t;
-+ auth_run_chk_passwd(passwd_t, $2)
-+')
-+
-+########################################
-+##
+@@ -183,6 +193,25 @@ interface(`usermanage_run_passwd',`
+
+ ########################################
+ ##
+## Check access to the passwd executable
+##
+##
@@ -2612,33 +2534,22 @@ index 99e3903..7270808 100644
+
+ corecmd_search_bin($1)
+ allow $1 passwd_exec_t:file { getattr_file_perms execute };
- ')
-
- ########################################
-@@ -221,11 +265,20 @@ interface(`usermanage_domtrans_admin_passwd',`
++')
++
++########################################
++##
+ ## Execute password admin functions in
+ ## the admin passwd domain.
+ ##
+@@ -221,6 +250,7 @@ interface(`usermanage_domtrans_admin_passwd',`
#
interface(`usermanage_run_admin_passwd',`
gen_require(`
-- attribute_role sysadm_passwd_roles;
+ type sysadm_passwd_t;
-+ #attribute_role sysadm_passwd_roles;
+ attribute_role sysadm_passwd_roles;
')
-+ #usermanage_domtrans_admin_passwd($1)
-+ #roleattribute $2 sysadm_passwd_roles;
-+
- usermanage_domtrans_admin_passwd($1)
-- roleattribute $2 sysadm_passwd_roles;
-+ role $2 types sysadm_passwd_t;
-+
-+ optional_policy(`
-+ nscd_run(sysadm_passwd_t, $2)
-+ ')
-+
- ')
-
- ########################################
-@@ -263,10 +316,6 @@ interface(`usermanage_domtrans_useradd',`
+@@ -263,10 +293,6 @@ interface(`usermanage_domtrans_useradd',`
corecmd_search_bin($1)
domtrans_pattern($1, useradd_exec_t, useradd_t)
@@ -2649,29 +2560,18 @@ index 99e3903..7270808 100644
')
########################################
-@@ -306,11 +355,38 @@ interface(`usermanage_check_exec_useradd',`
- #
+@@ -307,6 +333,7 @@ interface(`usermanage_check_exec_useradd',`
interface(`usermanage_run_useradd',`
gen_require(`
-- attribute_role useradd_roles;
-+ #attribute_role useradd_roles;
+ attribute_role useradd_roles;
+ type useradd_t;
')
-+ #usermanage_domtrans_useradd($1)
-+ #roleattribute $2 useradd_roles;
-+
usermanage_domtrans_useradd($1)
-- roleattribute $2 useradd_roles;
-+ role $2 types useradd_t;
-+
-+ optional_policy(`
-+ nscd_run(useradd_t, $2)
-+ ')
-+')
-+
-+########################################
-+##
+@@ -315,6 +342,25 @@ interface(`usermanage_run_useradd',`
+
+ ########################################
+ ##
+## Check access to the useradd executable.
+##
+##
@@ -2687,92 +2587,52 @@ index 99e3903..7270808 100644
+
+ corecmd_search_bin($1)
+ allow $1 useradd_exec_t:file { getattr_file_perms execute };
- ')
-
- ########################################
++')
++
++########################################
++##
+ ## Read the crack database.
+ ##
+ ##
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index d555767..3053e39 100644
+index 1d732f1..7ba0bd8 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
-@@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1)
- # Declarations
- #
-
--attribute_role chfn_roles;
--role system_r types chfn_t;
-+#attribute_role chfn_roles;
-+#role system_r types chfn_t;
-
--attribute_role groupadd_roles;
-+#attribute_role groupadd_roles;
-
--attribute_role passwd_roles;
--roleattribute system_r passwd_roles;
-+#attribute_role passwd_roles;
-+#roleattribute system_r passwd_roles;
-
--attribute_role sysadm_passwd_roles;
--roleattribute system_r sysadm_passwd_roles;
-+#attribute_role sysadm_passwd_roles;
-+#roleattribute system_r sysadm_passwd_roles;
-
--attribute_role useradd_roles;
-+#attribute_role useradd_roles;
-
- type admin_passwd_exec_t;
- files_type(admin_passwd_exec_t)
-@@ -25,7 +25,8 @@ type chfn_t;
- type chfn_exec_t;
+@@ -26,6 +26,7 @@ type chfn_exec_t;
domain_obj_id_change_exemption(chfn_t)
application_domain(chfn_t, chfn_exec_t)
--role chfn_roles types chfn_t;
-+#role chfn_roles types chfn_t;
+ role chfn_roles types chfn_t;
+role system_r types chfn_t;
type crack_t;
type crack_exec_t;
-@@ -42,18 +43,22 @@ type groupadd_t;
- type groupadd_exec_t;
- domain_obj_id_change_exemption(groupadd_t)
+@@ -44,9 +45,11 @@ domain_obj_id_change_exemption(groupadd_t)
init_system_domain(groupadd_t, groupadd_exec_t)
--role groupadd_roles types groupadd_t;
-+#role groupadd_roles types groupadd_t;
-+
+ role groupadd_roles types groupadd_t;
++
type passwd_t;
type passwd_exec_t;
domain_obj_id_change_exemption(passwd_t)
+domain_system_change_exemption(passwd_t)
application_domain(passwd_t, passwd_exec_t)
--role passwd_roles types passwd_t;
-+#role passwd_roles types passwd_t;
-+role system_r types passwd_t;
-
- type sysadm_passwd_t;
- domain_obj_id_change_exemption(sysadm_passwd_t)
- application_domain(sysadm_passwd_t, admin_passwd_exec_t)
--role sysadm_passwd_roles types sysadm_passwd_t;
-+#role sysadm_passwd_roles types sysadm_passwd_t;
-+role system_r types sysadm_passwd_t;
-
- type sysadm_passwd_tmp_t;
- files_tmp_file(sysadm_passwd_tmp_t)
-@@ -61,8 +66,13 @@ files_tmp_file(sysadm_passwd_tmp_t)
+ role passwd_roles types passwd_t;
+
+@@ -61,9 +64,13 @@ files_tmp_file(sysadm_passwd_tmp_t)
type useradd_t;
type useradd_exec_t;
domain_obj_id_change_exemption(useradd_t)
+domain_system_change_exemption(useradd_t)
init_system_domain(useradd_t, useradd_exec_t)
--role useradd_roles types useradd_t;
-+#role useradd_roles types useradd_t;
-+role system_r types useradd_t;
-+
+ role useradd_roles types useradd_t;
+
+type useradd_var_run_t;
+files_pid_file(useradd_var_run_t)
-
++
########################################
#
-@@ -86,6 +96,7 @@ allow chfn_t self:unix_stream_socket connectto;
+ # Chfn local policy
+@@ -86,6 +93,7 @@ allow chfn_t self:unix_stream_socket connectto;
kernel_read_system_state(chfn_t)
kernel_read_kernel_sysctls(chfn_t)
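Review bot: `domain_system_change_exemption(passwd_t)` and `domain_system_change_exemption(useradd_t)` are added without any comment, and by the interface name this exempts both domains from the constraints on changing the SELinux user identity, which is a widening that should record its trigger, e.g. `# needed when passwd/useradd run from system services and create system_u objects — TODO: confirm trigger`. `useradd_var_run_t` is declared here with `files_pid_file`, but the matching file-context entry and the `files_pid_filetrans` rule are presumably in other hunks, so confirm both exist. The declaration section continues past the inner hunk.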
@@ -2780,7 +2640,7 @@ index d555767..3053e39 100644
selinux_get_fs_mount(chfn_t)
selinux_validate_context(chfn_t)
-@@ -94,25 +105,29 @@ selinux_compute_create_context(chfn_t)
+@@ -94,25 +102,29 @@ selinux_compute_create_context(chfn_t)
selinux_compute_relabel_context(chfn_t)
selinux_compute_user_contexts(chfn_t)
@@ -2797,12 +2657,11 @@ index d555767..3053e39 100644
dev_read_urand(chfn_t)
+dev_dontaudit_getattr_all(chfn_t)
--auth_run_chk_passwd(chfn_t, chfn_roles)
--auth_dontaudit_read_shadow(chfn_t)
--auth_use_nsswitch(chfn_t)
+auth_manage_passwd(chfn_t)
+auth_use_pam(chfn_t)
-+#auth_run_chk_passwd(chfn_t, chfn_roles)
+ auth_run_chk_passwd(chfn_t, chfn_roles)
+-auth_dontaudit_read_shadow(chfn_t)
+-auth_use_nsswitch(chfn_t)
+#auth_dontaudit_read_shadow(chfn_t)
+#auth_use_nsswitch(chfn_t)
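Review bot: `#auth_dontaudit_read_shadow(chfn_t)` and `#auth_use_nsswitch(chfn_t)` remain in the patch as commented-out policy lines while the live originals are removed; dead policy in a distribution patch tends to be carried forward indefinitely, so either drop the two lines or replace them with a one-line comment stating why nsswitch and shadow access are no longer needed here. Removing `auth_dontaudit_read_shadow` also means any attempt by `chfn_t` to read the shadow file will now show up in the audit log, which is useful for detection but will be noisy if chfn probes shadow during normal operation, so confirm that before merging. The chfn local-policy block continues outside the inner hunk.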
@@ -2816,40 +2675,42 @@ index d555767..3053e39 100644
files_read_etc_runtime_files(chfn_t)
files_dontaudit_search_var(chfn_t)
files_dontaudit_search_home(chfn_t)
-@@ -120,19 +135,29 @@ files_dontaudit_search_home(chfn_t)
+@@ -120,13 +132,15 @@ files_dontaudit_search_home(chfn_t)
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(chfn_t)
-+init_dontaudit_getattr_initctl(chfn_t)
-
+-
-miscfiles_read_localization(chfn_t)
++init_dontaudit_getattr_initctl(chfn_t)
logging_send_syslog_msg(chfn_t)
--# uses unix_chkpwd for checking passwords
--seutil_dontaudit_search_config(chfn_t)
+ seutil_read_file_contexts(chfn_t)
+
+userdom_manage_user_tmp_files(chfn_t)
+userdom_tmp_filetrans_user_tmp(chfn_t, { file })
-
++
userdom_use_unpriv_users_fds(chfn_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
- userdom_dontaudit_search_user_home_content(chfn_t)
+@@ -136,6 +150,16 @@ optional_policy(`
+ nscd_run(chfn_t, chfn_roles)
+ ')
+optional_policy(`
+ rssh_exec(chfn_t)
+')
+
-+
+optional_policy(`
+ # allow to exec tmux
+ screen_exec(chfn_t)
+')
+
++
########################################
#
# Crack local policy
-@@ -209,8 +234,8 @@ selinux_compute_create_context(groupadd_t)
+@@ -212,8 +236,8 @@ selinux_compute_create_context(groupadd_t)
selinux_compute_relabel_context(groupadd_t)
selinux_compute_user_contexts(groupadd_t)
@@ -2860,7 +2721,7 @@ index d555767..3053e39 100644
init_use_fds(groupadd_t)
init_read_utmp(groupadd_t)
-@@ -218,8 +243,8 @@ init_dontaudit_write_utmp(groupadd_t)
+@@ -221,8 +245,8 @@ init_dontaudit_write_utmp(groupadd_t)
domain_use_interactive_fds(groupadd_t)
@@ -2870,15 +2731,13 @@ index d555767..3053e39 100644
files_read_etc_runtime_files(groupadd_t)
files_read_usr_symlinks(groupadd_t)
-@@ -229,14 +254,15 @@ corecmd_exec_bin(groupadd_t)
+@@ -232,14 +256,14 @@ corecmd_exec_bin(groupadd_t)
logging_send_audit_msgs(groupadd_t)
logging_send_syslog_msg(groupadd_t)
-miscfiles_read_localization(groupadd_t)
--auth_run_chk_passwd(groupadd_t, groupadd_roles)
-+#auth_run_chk_passwd(groupadd_t, groupadd_roles)
-+auth_domtrans_chk_passwd(groupadd_t)
+ auth_run_chk_passwd(groupadd_t, groupadd_roles)
auth_rw_lastlog(groupadd_t)
auth_use_nsswitch(groupadd_t)
+auth_manage_passwd(groupadd_t)
@@ -2889,17 +2748,7 @@ index d555767..3053e39 100644
auth_relabel_shadow(groupadd_t)
auth_etc_filetrans_shadow(groupadd_t)
-@@ -253,7 +279,8 @@ optional_policy(`
- ')
-
- optional_policy(`
-- nscd_run(groupadd_t, groupadd_roles)
-+# nscd_run(groupadd_t, groupadd_roles)
-+ nscd_domtrans(groupadd_t)
- ')
-
- optional_policy(`
-@@ -285,6 +312,7 @@ allow passwd_t self:shm create_shm_perms;
+@@ -288,6 +312,7 @@ allow passwd_t self:shm create_shm_perms;
allow passwd_t self:sem create_sem_perms;
allow passwd_t self:msgq create_msgq_perms;
allow passwd_t self:msg { send receive };
@@ -2907,7 +2756,7 @@ index d555767..3053e39 100644
allow passwd_t crack_db_t:dir list_dir_perms;
read_files_pattern(passwd_t, crack_db_t, crack_db_t)
-@@ -293,6 +321,7 @@ kernel_read_kernel_sysctls(passwd_t)
+@@ -296,6 +321,7 @@ kernel_read_kernel_sysctls(passwd_t)
# for SSP
dev_read_urand(passwd_t)
@@ -2915,7 +2764,7 @@ index d555767..3053e39 100644
fs_getattr_xattr_fs(passwd_t)
fs_search_auto_mountpoints(passwd_t)
-@@ -307,26 +336,38 @@ selinux_compute_create_context(passwd_t)
+@@ -310,26 +336,32 @@ selinux_compute_create_context(passwd_t)
selinux_compute_relabel_context(passwd_t)
selinux_compute_user_contexts(passwd_t)
@@ -2924,20 +2773,13 @@ index d555767..3053e39 100644
+term_use_all_inherited_terms(passwd_t)
+term_getattr_all_ptys(passwd_t)
--auth_run_chk_passwd(passwd_t, passwd_roles)
+ auth_run_chk_passwd(passwd_t, passwd_roles)
+auth_manage_passwd(passwd_t)
auth_manage_shadow(passwd_t)
auth_relabel_shadow(passwd_t)
auth_etc_filetrans_shadow(passwd_t)
-auth_use_nsswitch(passwd_t)
+auth_use_pam(passwd_t)
-+
-+#auth_run_chk_passwd(passwd_t, passwd_roles)
-+#auth_manage_passwd(passwd_t)
-+#auth_manage_shadow(passwd_t)
-+#auth_relabel_shadow(passwd_t)
-+#auth_etc_filetrans_shadow(passwd_t)
-+#auth_use_nsswitch(passwd_t)
# allow checking if a shell is executable
corecmd_check_exec_shell(passwd_t)
@@ -2959,7 +2801,7 @@ index d555767..3053e39 100644
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(passwd_t)
-@@ -335,12 +376,11 @@ init_use_fds(passwd_t)
+@@ -338,12 +370,11 @@ init_use_fds(passwd_t)
logging_send_audit_msgs(passwd_t)
logging_send_syslog_msg(passwd_t)
@@ -2973,26 +2815,21 @@ index d555767..3053e39 100644
userdom_use_unpriv_users_fds(passwd_t)
# make sure that getcon succeeds
userdom_getattr_all_users(passwd_t)
-@@ -349,9 +389,17 @@ userdom_read_user_tmp_files(passwd_t)
+@@ -352,6 +383,13 @@ userdom_read_user_tmp_files(passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)
+userdom_stream_connect(passwd_t)
-
- optional_policy(`
-- nscd_run(passwd_t, passwd_roles)
++
++optional_policy(`
+ gnome_exec_keyringd(passwd_t)
+ gnome_manage_cache_home_dir(passwd_t)
+ gnome_stream_connect_gkeyringd(passwd_t)
+')
-+
-+optional_policy(`
-+ #nscd_run(passwd_t, passwd_roles)
-+ nscd_domtrans(passwd_t)
- ')
- ########################################
-@@ -398,9 +446,10 @@ dev_read_urand(sysadm_passwd_t)
+ optional_policy(`
+ nscd_run(passwd_t, passwd_roles)
+@@ -401,9 +439,10 @@ dev_read_urand(sysadm_passwd_t)
fs_getattr_xattr_fs(sysadm_passwd_t)
fs_search_auto_mountpoints(sysadm_passwd_t)
@@ -3005,7 +2842,7 @@ index d555767..3053e39 100644
auth_manage_shadow(sysadm_passwd_t)
auth_relabel_shadow(sysadm_passwd_t)
auth_etc_filetrans_shadow(sysadm_passwd_t)
-@@ -413,7 +462,6 @@ files_read_usr_files(sysadm_passwd_t)
+@@ -416,7 +455,6 @@ files_read_usr_files(sysadm_passwd_t)
domain_use_interactive_fds(sysadm_passwd_t)
@@ -3013,7 +2850,7 @@ index d555767..3053e39 100644
files_relabel_etc_files(sysadm_passwd_t)
files_read_etc_runtime_files(sysadm_passwd_t)
# for nscd lookups
-@@ -423,19 +471,17 @@ files_dontaudit_search_pids(sysadm_passwd_t)
+@@ -426,12 +464,9 @@ files_dontaudit_search_pids(sysadm_passwd_t)
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(sysadm_passwd_t)
@@ -3026,16 +2863,7 @@ index d555767..3053e39 100644
userdom_use_unpriv_users_fds(sysadm_passwd_t)
# user generally runs this from their home directory, so do not audit a search
# on user home dir
- userdom_dontaudit_search_user_home_content(sysadm_passwd_t)
-
- optional_policy(`
-- nscd_run(sysadm_passwd_t, sysadm_passwd_roles)
-+ nscd_domtrans(sysadm_passwd_t)
-+ #nscd_run(sysadm_passwd_t, sysadm_passwd_roles)
- ')
-
- ########################################
-@@ -443,7 +489,8 @@ optional_policy(`
+@@ -446,7 +481,8 @@ optional_policy(`
# Useradd local policy
#
@@ -3045,7 +2873,7 @@ index d555767..3053e39 100644
dontaudit useradd_t self:capability sys_tty_config;
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
-@@ -458,6 +505,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
+@@ -461,6 +497,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms;
allow useradd_t self:unix_dgram_socket sendto;
allow useradd_t self:unix_stream_socket connectto;
@@ -3056,7 +2884,7 @@ index d555767..3053e39 100644
# for getting the number of groups
kernel_read_kernel_sysctls(useradd_t)
-@@ -465,36 +516,36 @@ corecmd_exec_shell(useradd_t)
+@@ -468,29 +508,27 @@ corecmd_exec_shell(useradd_t)
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(useradd_t)
@@ -3093,11 +2921,9 @@ index d555767..3053e39 100644
+term_use_all_inherited_terms(useradd_t)
+term_getattr_all_ptys(useradd_t)
--auth_run_chk_passwd(useradd_t, useradd_roles)
-+#auth_run_chk_passwd(useradd_t, useradd_roles)
-+auth_domtrans_chk_passwd(useradd_t)
+ auth_run_chk_passwd(useradd_t, useradd_roles)
auth_rw_lastlog(useradd_t)
- auth_rw_faillog(useradd_t)
+@@ -498,6 +536,7 @@ auth_rw_faillog(useradd_t)
auth_use_nsswitch(useradd_t)
# these may be unnecessary due to the above
# domtrans_chk_passwd() call.
@@ -3105,7 +2931,7 @@ index d555767..3053e39 100644
auth_manage_shadow(useradd_t)
auth_relabel_shadow(useradd_t)
auth_etc_filetrans_shadow(useradd_t)
-@@ -505,33 +556,36 @@ init_rw_utmp(useradd_t)
+@@ -508,33 +547,32 @@ init_rw_utmp(useradd_t)
logging_send_audit_msgs(useradd_t)
logging_send_syslog_msg(useradd_t)
@@ -3120,17 +2946,11 @@ index d555767..3053e39 100644
seutil_read_config(useradd_t)
seutil_read_file_contexts(useradd_t)
seutil_read_default_contexts(useradd_t)
--seutil_run_semanage(useradd_t, useradd_roles)
--seutil_run_setfiles(useradd_t, useradd_roles)
-+seutil_domtrans_semanage(useradd_t)
-+seutil_domtrans_setfiles(useradd_t)
-+seutil_domtrans_loadpolicy(useradd_t)
-+#seutil_manage_bin_policy(useradd_t)
-+#seutil_manage_module_store(useradd_t)
+seutil_get_semanage_trans_lock(useradd_t)
+seutil_get_semanage_read_lock(useradd_t)
-+#seutil_run_semanage(useradd_t, useradd_roles)
-+#seutil_run_setfiles(useradd_t, useradd_roles)
+ seutil_run_semanage(useradd_t, useradd_roles)
+ seutil_run_setfiles(useradd_t, useradd_roles)
++seutil_run_loadpolicy(useradd_t, useradd_roles)
userdom_use_unpriv_users_fds(useradd_t)
# Add/remove user home directories
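Review bot: `seutil_run_loadpolicy(useradd_t, useradd_roles)` is added next to the restored `seutil_run_semanage`/`seutil_run_setfiles` calls with no comment saying which code path needs it; a direct transition from `useradd_t` into the load_policy domain is a privilege worth justifying, since the semanage domain normally reloads policy itself. If the trigger is `useradd -Z`/`userdel -Z` invoking `load_policy` directly, say so above the line, e.g. `# useradd -Z invokes load_policy after semanage — TODO: confirm`. The two new `seutil_get_semanage_*_lock` lines deserve the same one-line justification. The useradd local-policy block continues outside the inner hunk.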
@@ -3156,21 +2976,15 @@ index d555767..3053e39 100644
optional_policy(`
apache_manage_all_user_content(useradd_t)
')
-@@ -542,7 +596,12 @@ optional_policy(`
+@@ -549,10 +587,19 @@ optional_policy(`
')
optional_policy(`
-- nscd_run(useradd_t, useradd_roles)
-+ nscd_domtrans(useradd_t)
-+# nscd_run(useradd_t, useradd_roles)
++ openshift_manage_content(useradd_t)
+')
+
+optional_policy(`
-+ openshift_manage_content(useradd_t)
- ')
-
- optional_policy(`
-@@ -550,6 +609,11 @@ optional_policy(`
+ puppet_rw_tmp(useradd_t)
')
optional_policy(`
@@ -3182,7 +2996,7 @@ index d555767..3053e39 100644
tunable_policy(`samba_domain_controller',`
samba_append_log(useradd_t)
')
-@@ -559,3 +623,12 @@ optional_policy(`
+@@ -562,3 +609,12 @@ optional_policy(`
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
')
@@ -3363,7 +3177,7 @@ index 7590165..fb30c11 100644
+ fs_mounton_fusefs(seunshare_domain)
+')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 644d4d7..6e7dd83 100644
+index 33e0f8d..7238b9d 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -1,9 +1,10 @@
@@ -3431,8 +3245,8 @@ index 644d4d7..6e7dd83 100644
/etc/X11/xdm/GiveConsole -- gen_context(system_u:object_r:bin_t,s0)
/etc/X11/xdm/TakeConsole -- gen_context(system_u:object_r:bin_t,s0)
/etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0)
-@@ -134,10 +146,12 @@ ifdef(`distro_debian',`
-
+@@ -135,10 +147,12 @@ ifdef(`distro_debian',`
+ /lib/nut/.* -- gen_context(system_u:object_r:bin_t,s0)
/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
-/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -3445,7 +3259,7 @@ index 644d4d7..6e7dd83 100644
ifdef(`distro_gentoo',`
/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
-@@ -151,7 +165,7 @@ ifdef(`distro_gentoo',`
+@@ -152,7 +166,7 @@ ifdef(`distro_gentoo',`
#
# /sbin
#
@@ -3454,7 +3268,7 @@ index 644d4d7..6e7dd83 100644
/sbin/.* gen_context(system_u:object_r:bin_t,s0)
/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:bin_t,s0)
/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:bin_t,s0)
-@@ -167,6 +181,7 @@ ifdef(`distro_gentoo',`
+@@ -168,6 +182,7 @@ ifdef(`distro_gentoo',`
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -3462,7 +3276,7 @@ index 644d4d7..6e7dd83 100644
/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -178,33 +193,49 @@ ifdef(`distro_gentoo',`
+@@ -179,34 +194,50 @@ ifdef(`distro_gentoo',`
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -3497,6 +3311,7 @@ index 644d4d7..6e7dd83 100644
/usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/avahi/avahi-daemon-check-dns\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/jvm/java(.*/)bin(/.*) gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
@@ -3521,22 +3336,23 @@ index 644d4d7..6e7dd83 100644
/usr/lib/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -215,18 +246,31 @@ ifdef(`distro_gentoo',`
+@@ -218,19 +249,32 @@ ifdef(`distro_gentoo',`
/usr/lib/mailman/mail(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/misc/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/nagios/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
--/usr/lib/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nagios/plugins/negate -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nagios/plugins/urlize -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nagios/plugins/utils.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nagios/plugins/utils.pm -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib/NetworkManager/nm\-.* -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/ocf(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
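Review bot: The new nagios entries `utils.sh` and `utils.pm` leave the `.` unescaped, so as file-context regexes they also match names such as `utilsXsh`; the neighbouring entries in this and the surrounding hunks escape it (`avahi-daemon-check-dns\.sh`, `compiler\.pl`). Change them to `/usr/lib/nagios/plugins/utils\.sh -- gen_context(system_u:object_r:bin_t,s0)` and `/usr/lib/nagios/plugins/utils\.pm -- gen_context(system_u:object_r:bin_t,s0)`. The hunk also appears to replace the blanket `/usr/lib/nagios/plugins(/.*)?` bin_t label with four specific files, presumably because the remaining plugins are labelled by another module; a short `#` comment above these entries naming where the rest of the plugins get their label would make that intent survive the next rebase. The rendered hunk's line count does not match its `@@ -3521,22 +3336,23 @@` header, so some lines may have been lost in rendering and the exact old/new split is uncertain.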
@@ -3560,7 +3376,7 @@ index 644d4d7..6e7dd83 100644
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
-@@ -241,10 +285,15 @@ ifdef(`distro_gentoo',`
+@@ -245,10 +289,15 @@ ifdef(`distro_gentoo',`
/usr/lib/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@@ -3576,7 +3392,7 @@ index 644d4d7..6e7dd83 100644
/usr/lib/[^/]*/run-mozilla\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/[^/]*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/thunderbird.*/mozilla-xremote-client -- gen_context(system_u:object_r:bin_t,s0)
-@@ -257,10 +306,17 @@ ifdef(`distro_gentoo',`
+@@ -261,10 +310,17 @@ ifdef(`distro_gentoo',`
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -3597,7 +3413,7 @@ index 644d4d7..6e7dd83 100644
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -276,10 +332,15 @@ ifdef(`distro_gentoo',`
+@@ -280,10 +336,15 @@ ifdef(`distro_gentoo',`
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
@@ -3613,7 +3429,7 @@ index 644d4d7..6e7dd83 100644
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -294,16 +355,22 @@ ifdef(`distro_gentoo',`
+@@ -298,16 +359,22 @@ ifdef(`distro_gentoo',`
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
@@ -3638,7 +3454,7 @@ index 644d4d7..6e7dd83 100644
ifdef(`distro_debian',`
/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
-@@ -321,20 +388,27 @@ ifdef(`distro_redhat', `
+@@ -325,20 +392,27 @@ ifdef(`distro_redhat', `
/etc/gdm/[^/]+ -d gen_context(system_u:object_r:bin_t,s0)
/etc/gdm/[^/]+/.* gen_context(system_u:object_r:bin_t,s0)
@@ -3667,7 +3483,7 @@ index 644d4d7..6e7dd83 100644
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/rhn/rhn_applet/applet\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -342,6 +416,7 @@ ifdef(`distro_redhat', `
+@@ -346,6 +420,7 @@ ifdef(`distro_redhat', `
/usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -3675,7 +3491,7 @@ index 644d4d7..6e7dd83 100644
/usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
-@@ -383,11 +458,15 @@ ifdef(`distro_suse', `
+@@ -387,11 +462,15 @@ ifdef(`distro_suse', `
#
# /var
#
@@ -3692,7 +3508,7 @@ index 644d4d7..6e7dd83 100644
/usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0)
/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0)
-@@ -397,3 +476,12 @@ ifdef(`distro_suse', `
+@@ -401,3 +480,12 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -3963,7 +3779,7 @@ index 9e9263a..77e6c8c 100644
+ filetrans_pattern($1, bin_t, $2, $3, $4)
+')
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
-index 43090a0..a784e8e 100644
+index 20c76cf..cc63dcc 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -13,7 +13,8 @@ attribute exec_type;
@@ -5547,10 +5363,10 @@ index 8e0f9cd..b9f45b9 100644
define(`create_packet_interfaces',``
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 4edc40d..7070ee2 100644
+index b191055..62570b0 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
-@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.18.4)
+@@ -5,6 +5,7 @@ policy_module(corenetwork, 1.19.2)
# Declarations
#
@@ -5657,7 +5473,7 @@ index 4edc40d..7070ee2 100644
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
network_port(daap, tcp,3689,s0, udp,3689,s0)
-@@ -119,19 +142,26 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0,
+@@ -119,20 +142,27 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0,
network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
network_port(dict, tcp,2628,s0)
network_port(distccd, tcp,3632,s0)
@@ -5677,6 +5493,7 @@ index 4edc40d..7070ee2 100644
+network_port(ftp, tcp,21,s0, tcp,989,s0, udp,989,s0, tcp,990,s0, udp,990,s0)
network_port(ftp_data, tcp,20,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
+ network_port(gdomap, tcp,538,s0, udp,538,s0)
network_port(gds_db, tcp,3050,s0, udp,3050,s0)
network_port(giftd, tcp,1213,s0)
network_port(git, tcp,9418,s0, udp,9418,s0)
@@ -5686,7 +5503,7 @@ index 4edc40d..7070ee2 100644
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(gpsd, tcp,2947,s0)
network_port(hadoop_datanode, tcp,50010,s0)
-@@ -139,45 +169,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
+@@ -140,45 +170,52 @@ network_port(hadoop_namenode, tcp,8020,s0)
network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
@@ -5753,7 +5570,7 @@ index 4edc40d..7070ee2 100644
network_port(msnp, tcp,1863,s0, udp,1863,s0)
network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
network_port(ms_streaming, tcp,1755,s0, udp,1755,s0)
-@@ -185,26 +222,34 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
+@@ -186,26 +223,34 @@ network_port(munin, tcp,4949,s0, udp,4949,s0)
network_port(mxi, tcp,8005,s0, udp,8005,s0)
network_port(mysqld, tcp,1186,s0, tcp,3306,s0, tcp,63132-63164,s0)
network_port(mysqlmanagerd, tcp,2273,s0)
@@ -5792,7 +5609,7 @@ index 4edc40d..7070ee2 100644
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postfix_policyd, tcp,10031,s0)
network_port(postgresql, tcp,5432,s0)
-@@ -214,38 +259,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
+@@ -215,39 +260,45 @@ network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
@@ -5807,7 +5624,7 @@ index 4edc40d..7070ee2 100644
network_port(radsec, tcp,2083,s0)
network_port(razor, tcp,2703,s0)
+network_port(time, tcp,37,s0, udp,37,s0)
-+network_port(redis, tcp,6379,s0)
+ network_port(redis, tcp,6379,s0)
network_port(repository, tcp, 6363, s0)
network_port(ricci, tcp,11111,s0, udp,11111,s0)
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
@@ -5845,7 +5662,7 @@ index 4edc40d..7070ee2 100644
network_port(ssh, tcp,22,s0)
network_port(stunnel) # no defined portcon
network_port(svn, tcp,3690,s0, udp,3690,s0)
-@@ -257,8 +309,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
+@@ -259,8 +310,9 @@ network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
network_port(tcs, tcp, 30003, s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
@@ -5855,8 +5672,8 @@ index 4edc40d..7070ee2 100644
+network_port(tram, tcp, 4567, s0)
network_port(transproxy, tcp,8081,s0)
network_port(trisoap, tcp,10200,s0, udp,10200,s0)
- network_port(ups, tcp,3493,s0)
-@@ -268,10 +321,10 @@ network_port(varnishd, tcp,6081-6082,s0)
+ network_port(trivnet1, tcp, 8200, s0, udp, 8200, s0)
+@@ -271,10 +323,10 @@ network_port(varnishd, tcp,6081-6082,s0)
network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
network_port(virtual_places, tcp,1533,s0, udp,1533,s0)
network_port(virt_migration, tcp,49152-49216,s0)
@@ -5869,7 +5686,7 @@ index 4edc40d..7070ee2 100644
network_port(winshadow, tcp,3161,s0, udp,3261,s0)
network_port(wsdapi, tcp,5357,s0, udp,5357,s0)
network_port(wsicopy, tcp,3378,s0, udp,3378,s0)
-@@ -292,12 +345,16 @@ network_port(zope, tcp,8021,s0)
+@@ -295,12 +347,16 @@ network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
# these entries just cover any remaining reserved ports not otherwise declared.
@@ -5888,7 +5705,7 @@ index 4edc40d..7070ee2 100644
########################################
#
-@@ -330,6 +387,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
+@@ -333,6 +389,8 @@ sid netif gen_context(system_u:object_r:netif_t,s0 - mls_systemhigh)
build_option(`enable_mls',`
network_interface(lo, lo, s0 - mls_systemhigh)
@@ -5897,7 +5714,7 @@ index 4edc40d..7070ee2 100644
',`
typealias netif_t alias { lo_netif_t netif_lo_t };
')
-@@ -342,9 +401,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -345,9 +403,28 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
allow corenet_unconfined_type node_type:node *;
allow corenet_unconfined_type netif_type:netif *;
allow corenet_unconfined_type packet_type:packet *;
@@ -8582,7 +8399,7 @@ index 76f285e..b708d28 100644
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
+')
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
-index 6529bd9..831344c 100644
+index 0b1a871..e6b93c4 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -15,11 +15,12 @@ attribute devices_unconfined_type;
@@ -9327,7 +9144,7 @@ index cf04cb5..369ddc2 100644
+ ')
+')
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index c2c6e05..058bb58 100644
+index b876c48..7f5b8f8 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -9566,14 +9383,14 @@ index c2c6e05..058bb58 100644
/var/tmp/.* <>
/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/tmp/lost\+found/.* <>
-@@ -270,3 +292,5 @@ ifndef(`distro_redhat',`
- ifdef(`distro_debian',`
+@@ -271,3 +293,5 @@ ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+ /var/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0)
')
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 64ff4d7..36fa375 100644
+index f962f76..ed3cc8d 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -19,6 +19,136 @@
@@ -10179,11 +9996,11 @@ index 64ff4d7..36fa375 100644
')
#############################################
-@@ -1583,6 +1935,24 @@ interface(`files_getattr_all_mountpoints',`
+@@ -1691,6 +2043,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
########################################
##
-+## List the directory of all mount points.
++## Write all mount points.
+##
+##
+##
@@ -10191,48 +10008,41 @@ index 64ff4d7..36fa375 100644
+##
+##
+#
-+interface(`files_list_all_mountpoints',`
-+ gen_require(`
-+ attribute mountpoint;
-+ ')
++interface(`files_write_all_mountpoints',`
++ gen_require(`
++ attribute mountpoint;
++ ')
+
-+ allow $1 mountpoint:dir list_dir_perms;
++ allow $1 mountpoint:dir write;
+')
+
+########################################
+##
- ## Set the attributes of all mount points.
+ ## Do not audit attempts to write to mount points.
##
##
-@@ -1673,6 +2043,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
+@@ -1709,6 +2079,42 @@ interface(`files_dontaudit_write_all_mountpoints',`
########################################
##
-+## Write all mount points.
++## Do not audit attempts to unmount all mount points.
+##
+##
+##
-+## Domain allowed access.
++## Domain to not audit.
+##
+##
+#
-+interface(`files_write_all_mountpoints',`
-+ gen_require(`
-+ attribute mountpoint;
-+ ')
++interface(`files_dontaudit_unmount_all_mountpoints',`
++ gen_require(`
++ attribute mountpoint;
++ ')
+
-+ allow $1 mountpoint:dir write;
++ dontaudit $1 mountpoint:filesystem unmount;
+')
+
+########################################
+##
- ## Do not audit attempts to write to mount points.
- ##
- ##
-@@ -1691,6 +2079,24 @@ interface(`files_dontaudit_write_all_mountpoints',`
-
- ########################################
- ##
+## Write all file type directories.
+##
+##
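Review bot: `files_dontaudit_unmount_all_mountpoints` applies `dontaudit $1 mountpoint:filesystem unmount;` to the `mountpoint` attribute, which the rest of files.if attaches to directory types, whereas the `unmount` check is made in the `filesystem` class against the mounted filesystem's own label; as written the rule only quiets denials for filesystems whose superblock carries a mountpoint-attributed type (for example a `context=` mount), not for ordinary filesystem types, which the fs layer's interfaces cover. If that narrower scope is intended, a one-line comment above the rule, e.g. `# only covers filesystems whose own label is a mountpoint type (context= mounts)`, would keep callers from expecting it to silence generic unmount denials. The interface appears to be newly added to the carried patch in this hunk (the old side had `files_write_all_mountpoints` at this position, which now moves earlier), though that cannot be confirmed from the rendered hunk alone.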
@@ -10254,7 +10064,7 @@ index 64ff4d7..36fa375 100644
## List the contents of the root directory.
##
##
-@@ -1874,25 +2280,25 @@ interface(`files_delete_root_dir_entry',`
+@@ -1892,25 +2298,25 @@ interface(`files_delete_root_dir_entry',`
########################################
##
@@ -10286,7 +10096,7 @@ index 64ff4d7..36fa375 100644
##
##
##
-@@ -1905,7 +2311,7 @@ interface(`files_relabel_rootfs',`
+@@ -1923,7 +2329,7 @@ interface(`files_relabel_rootfs',`
type root_t;
')
@@ -10295,7 +10105,7 @@ index 64ff4d7..36fa375 100644
')
########################################
-@@ -1928,6 +2334,24 @@ interface(`files_unmount_rootfs',`
+@@ -1946,6 +2352,24 @@ interface(`files_unmount_rootfs',`
########################################
##
@@ -10320,7 +10130,7 @@ index 64ff4d7..36fa375 100644
## Get attributes of the /boot directory.
##
##
-@@ -2163,6 +2587,24 @@ interface(`files_relabelfrom_boot_files',`
+@@ -2181,6 +2605,24 @@ interface(`files_relabelfrom_boot_files',`
relabelfrom_files_pattern($1, boot_t, boot_t)
')
@@ -10345,7 +10155,7 @@ index 64ff4d7..36fa375 100644
######################################
##
## Read symbolic links in the /boot directory.
-@@ -2627,6 +3069,24 @@ interface(`files_rw_etc_dirs',`
+@@ -2645,6 +3087,24 @@ interface(`files_rw_etc_dirs',`
allow $1 etc_t:dir rw_dir_perms;
')
@@ -10370,7 +10180,7 @@ index 64ff4d7..36fa375 100644
##########################################
##
## Manage generic directories in /etc
-@@ -2698,6 +3158,7 @@ interface(`files_read_etc_files',`
+@@ -2716,6 +3176,7 @@ interface(`files_read_etc_files',`
allow $1 etc_t:dir list_dir_perms;
read_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
@@ -10378,7 +10188,7 @@ index 64ff4d7..36fa375 100644
')
########################################
-@@ -2706,7 +3167,7 @@ interface(`files_read_etc_files',`
+@@ -2724,7 +3185,7 @@ interface(`files_read_etc_files',`
##
##
##
@@ -10387,7 +10197,7 @@ index 64ff4d7..36fa375 100644
##
##
#
-@@ -2762,6 +3223,25 @@ interface(`files_manage_etc_files',`
+@@ -2780,6 +3241,25 @@ interface(`files_manage_etc_files',`
########################################
##
@@ -10413,7 +10223,7 @@ index 64ff4d7..36fa375 100644
## Delete system configuration files in /etc.
##
##
-@@ -2780,6 +3260,24 @@ interface(`files_delete_etc_files',`
+@@ -2798,6 +3278,24 @@ interface(`files_delete_etc_files',`
########################################
##
@@ -10438,7 +10248,7 @@ index 64ff4d7..36fa375 100644
## Execute generic files in /etc.
##
##
-@@ -2945,24 +3443,6 @@ interface(`files_delete_boot_flag',`
+@@ -2963,24 +3461,6 @@ interface(`files_delete_boot_flag',`
########################################
##
@@ -10463,7 +10273,7 @@ index 64ff4d7..36fa375 100644
## Read files in /etc that are dynamically
## created on boot, such as mtab.
##
-@@ -3003,9 +3483,7 @@ interface(`files_read_etc_runtime_files',`
+@@ -3021,9 +3501,7 @@ interface(`files_read_etc_runtime_files',`
########################################
##
@@ -10474,7 +10284,7 @@ index 64ff4d7..36fa375 100644
##
##
##
-@@ -3013,18 +3491,17 @@ interface(`files_read_etc_runtime_files',`
+@@ -3031,18 +3509,17 @@ interface(`files_read_etc_runtime_files',`
##
##
#
@@ -10496,7 +10306,7 @@ index 64ff4d7..36fa375 100644
##
##
##
-@@ -3042,6 +3519,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
+@@ -3060,6 +3537,26 @@ interface(`files_dontaudit_write_etc_runtime_files',`
########################################
##
@@ -10523,7 +10333,7 @@ index 64ff4d7..36fa375 100644
## Read and write files in /etc that are dynamically
## created on boot, such as mtab.
##
-@@ -3059,6 +3556,7 @@ interface(`files_rw_etc_runtime_files',`
+@@ -3077,6 +3574,7 @@ interface(`files_rw_etc_runtime_files',`
allow $1 etc_t:dir list_dir_perms;
rw_files_pattern($1, etc_t, etc_runtime_t)
@@ -10531,7 +10341,7 @@ index 64ff4d7..36fa375 100644
')
########################################
-@@ -3080,6 +3578,7 @@ interface(`files_manage_etc_runtime_files',`
+@@ -3098,6 +3596,7 @@ interface(`files_manage_etc_runtime_files',`
')
manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t)
@@ -10539,7 +10349,7 @@ index 64ff4d7..36fa375 100644
')
########################################
-@@ -3132,6 +3631,25 @@ interface(`files_getattr_isid_type_dirs',`
+@@ -3150,6 +3649,25 @@ interface(`files_getattr_isid_type_dirs',`
########################################
##
@@ -10565,7 +10375,7 @@ index 64ff4d7..36fa375 100644
## Do not audit attempts to search directories on new filesystems
## that have not yet been labeled.
##
-@@ -3205,11 +3723,10 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3223,11 +3741,10 @@ interface(`files_delete_isid_type_dirs',`
delete_dirs_pattern($1, file_t, file_t)
')
@@ -10579,7 +10389,7 @@ index 64ff4d7..36fa375 100644
##
##
##
-@@ -3217,18 +3734,18 @@ interface(`files_delete_isid_type_dirs',`
+@@ -3235,18 +3752,18 @@ interface(`files_delete_isid_type_dirs',`
##
##
#
@@ -10602,7 +10412,7 @@ index 64ff4d7..36fa375 100644
##
##
##
-@@ -3236,17 +3753,17 @@ interface(`files_manage_isid_type_dirs',`
+@@ -3254,17 +3771,17 @@ interface(`files_manage_isid_type_dirs',`
##
##
#
@@ -10623,7 +10433,7 @@ index 64ff4d7..36fa375 100644
## that have not yet been labeled.
##
##
-@@ -3255,12 +3772,69 @@ interface(`files_mounton_isid_type_dirs',`
+@@ -3273,12 +3790,69 @@ interface(`files_mounton_isid_type_dirs',`
##
##
#
@@ -10695,7 +10505,7 @@ index 64ff4d7..36fa375 100644
')
########################################
-@@ -3455,6 +4029,25 @@ interface(`files_rw_isid_type_blk_files',`
+@@ -3473,6 +4047,25 @@ interface(`files_rw_isid_type_blk_files',`
########################################
##
@@ -10721,7 +10531,7 @@ index 64ff4d7..36fa375 100644
## Create, read, write, and delete block device nodes
## on new filesystems that have not yet been labeled.
##
-@@ -3796,20 +4389,38 @@ interface(`files_list_mnt',`
+@@ -3814,20 +4407,38 @@ interface(`files_list_mnt',`
######################################
##
@@ -10765,7 +10575,7 @@ index 64ff4d7..36fa375 100644
')
########################################
-@@ -4199,6 +4810,171 @@ interface(`files_read_world_readable_sockets',`
+@@ -4217,6 +4828,171 @@ interface(`files_read_world_readable_sockets',`
allow $1 readable_t:sock_file read_sock_file_perms;
')
@@ -10937,7 +10747,7 @@ index 64ff4d7..36fa375 100644
########################################
##
## Allow the specified type to associate
-@@ -4221,6 +4997,26 @@ interface(`files_associate_tmp',`
+@@ -4239,6 +5015,26 @@ interface(`files_associate_tmp',`
########################################
##
@@ -10964,7 +10774,7 @@ index 64ff4d7..36fa375 100644
## Get the attributes of the tmp directory (/tmp).
##
##
-@@ -4234,17 +5030,37 @@ interface(`files_getattr_tmp_dirs',`
+@@ -4252,17 +5048,37 @@ interface(`files_getattr_tmp_dirs',`
type tmp_t;
')
@@ -11003,7 +10813,7 @@ index 64ff4d7..36fa375 100644
##
##
#
-@@ -4271,6 +5087,7 @@ interface(`files_search_tmp',`
+@@ -4289,6 +5105,7 @@ interface(`files_search_tmp',`
type tmp_t;
')
@@ -11011,7 +10821,7 @@ index 64ff4d7..36fa375 100644
allow $1 tmp_t:dir search_dir_perms;
')
-@@ -4307,6 +5124,7 @@ interface(`files_list_tmp',`
+@@ -4325,6 +5142,7 @@ interface(`files_list_tmp',`
type tmp_t;
')
@@ -11019,7 +10829,7 @@ index 64ff4d7..36fa375 100644
allow $1 tmp_t:dir list_dir_perms;
')
-@@ -4316,7 +5134,7 @@ interface(`files_list_tmp',`
+@@ -4334,7 +5152,7 @@ interface(`files_list_tmp',`
##
##
##
@@ -11028,7 +10838,7 @@ index 64ff4d7..36fa375 100644
##
##
#
-@@ -4328,6 +5146,25 @@ interface(`files_dontaudit_list_tmp',`
+@@ -4346,6 +5164,25 @@ interface(`files_dontaudit_list_tmp',`
dontaudit $1 tmp_t:dir list_dir_perms;
')
@@ -11054,7 +10864,7 @@ index 64ff4d7..36fa375 100644
########################################
##
## Remove entries from the tmp directory.
-@@ -4343,6 +5180,7 @@ interface(`files_delete_tmp_dir_entry',`
+@@ -4361,6 +5198,7 @@ interface(`files_delete_tmp_dir_entry',`
type tmp_t;
')
@@ -11062,7 +10872,7 @@ index 64ff4d7..36fa375 100644
allow $1 tmp_t:dir del_entry_dir_perms;
')
-@@ -4384,6 +5222,32 @@ interface(`files_manage_generic_tmp_dirs',`
+@@ -4402,6 +5240,32 @@ interface(`files_manage_generic_tmp_dirs',`
########################################
##
@@ -11095,7 +10905,7 @@ index 64ff4d7..36fa375 100644
## Manage temporary files and directories in /tmp.
##
##
-@@ -4438,7 +5302,7 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4456,7 +5320,7 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
##
@@ -11104,7 +10914,7 @@ index 64ff4d7..36fa375 100644
##
##
##
-@@ -4446,17 +5310,17 @@ interface(`files_rw_generic_tmp_sockets',`
+@@ -4464,17 +5328,17 @@ interface(`files_rw_generic_tmp_sockets',`
##
##
#
@@ -11126,7 +10936,7 @@ index 64ff4d7..36fa375 100644
##
##
##
-@@ -4464,59 +5328,53 @@ interface(`files_setattr_all_tmp_dirs',`
+@@ -4482,59 +5346,53 @@ interface(`files_setattr_all_tmp_dirs',`
##
##
#
@@ -11197,7 +11007,7 @@ index 64ff4d7..36fa375 100644
##
##
##
-@@ -4524,12 +5382,108 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
+@@ -4542,12 +5400,108 @@ interface(`files_dontaudit_getattr_all_tmp_files',`
##
##
#
@@ -11308,7 +11118,7 @@ index 64ff4d7..36fa375 100644
')
########################################
-@@ -4561,7 +5515,7 @@ interface(`files_relabel_all_tmp_files',`
+@@ -4579,7 +5533,7 @@ interface(`files_relabel_all_tmp_files',`
##
##
##
@@ -11317,7 +11127,7 @@ index 64ff4d7..36fa375 100644
##
##
#
-@@ -4593,6 +5547,44 @@ interface(`files_read_all_tmp_files',`
+@@ -4611,6 +5565,44 @@ interface(`files_read_all_tmp_files',`
########################################
##
@@ -11362,7 +11172,7 @@ index 64ff4d7..36fa375 100644
## Create an object in the tmp directories, with a private
## type using a type transition.
##
-@@ -4646,6 +5638,16 @@ interface(`files_purge_tmp',`
+@@ -4664,6 +5656,16 @@ interface(`files_purge_tmp',`
delete_lnk_files_pattern($1, tmpfile, tmpfile)
delete_fifo_files_pattern($1, tmpfile, tmpfile)
delete_sock_files_pattern($1, tmpfile, tmpfile)
@@ -11379,7 +11189,7 @@ index 64ff4d7..36fa375 100644
')
########################################
-@@ -5223,6 +6225,24 @@ interface(`files_list_var',`
+@@ -5241,6 +6243,24 @@ interface(`files_list_var',`
########################################
##
@@ -11404,7 +11214,7 @@ index 64ff4d7..36fa375 100644
## Create, read, write, and delete directories
## in the /var directory.
##
-@@ -5578,6 +6598,25 @@ interface(`files_read_var_lib_symlinks',`
+@@ -5596,6 +6616,25 @@ interface(`files_read_var_lib_symlinks',`
read_lnk_files_pattern($1, { var_t var_lib_t }, var_lib_t)
')
@@ -11430,7 +11240,7 @@ index 64ff4d7..36fa375 100644
# cjp: the next two interfaces really need to be fixed
# in some way. They really neeed their own types.
-@@ -5623,7 +6662,7 @@ interface(`files_manage_mounttab',`
+@@ -5641,7 +6680,7 @@ interface(`files_manage_mounttab',`
########################################
##
@@ -11439,7 +11249,7 @@ index 64ff4d7..36fa375 100644
##
##
##
-@@ -5631,12 +6670,13 @@ interface(`files_manage_mounttab',`
+@@ -5649,12 +6688,13 @@ interface(`files_manage_mounttab',`
##
##
#
@@ -11455,7 +11265,7 @@ index 64ff4d7..36fa375 100644
')
########################################
-@@ -5654,6 +6694,7 @@ interface(`files_search_locks',`
+@@ -5672,6 +6712,7 @@ interface(`files_search_locks',`
type var_t, var_lock_t;
')
@@ -11463,7 +11273,7 @@ index 64ff4d7..36fa375 100644
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
search_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5680,7 +6721,26 @@ interface(`files_dontaudit_search_locks',`
+@@ -5698,7 +6739,26 @@ interface(`files_dontaudit_search_locks',`
########################################
##
@@ -11491,7 +11301,7 @@ index 64ff4d7..36fa375 100644
##
##
##
-@@ -5688,13 +6748,12 @@ interface(`files_dontaudit_search_locks',`
+@@ -5706,13 +6766,12 @@ interface(`files_dontaudit_search_locks',`
##
##
#
@@ -11508,7 +11318,7 @@ index 64ff4d7..36fa375 100644
')
########################################
-@@ -5713,7 +6772,7 @@ interface(`files_rw_lock_dirs',`
+@@ -5731,7 +6790,7 @@ interface(`files_rw_lock_dirs',`
type var_t, var_lock_t;
')
@@ -11517,7 +11327,7 @@ index 64ff4d7..36fa375 100644
rw_dirs_pattern($1, var_t, var_lock_t)
')
-@@ -5746,7 +6805,6 @@ interface(`files_create_lock_dirs',`
+@@ -5764,7 +6823,6 @@ interface(`files_create_lock_dirs',`
## Domain allowed access.
##
##
@@ -11525,7 +11335,7 @@ index 64ff4d7..36fa375 100644
#
interface(`files_relabel_all_lock_dirs',`
gen_require(`
-@@ -5761,7 +6819,7 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5779,7 +6837,7 @@ interface(`files_relabel_all_lock_dirs',`
########################################
##
@@ -11534,7 +11344,7 @@ index 64ff4d7..36fa375 100644
##
##
##
-@@ -5769,13 +6827,33 @@ interface(`files_relabel_all_lock_dirs',`
+@@ -5787,13 +6845,33 @@ interface(`files_relabel_all_lock_dirs',`
##
##
#
@@ -11569,7 +11379,7 @@ index 64ff4d7..36fa375 100644
allow $1 var_lock_t:dir list_dir_perms;
getattr_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5791,13 +6869,12 @@ interface(`files_getattr_generic_locks',`
+@@ -5809,13 +6887,12 @@ interface(`files_getattr_generic_locks',`
##
#
interface(`files_delete_generic_locks',`
@@ -11587,7 +11397,7 @@ index 64ff4d7..36fa375 100644
')
########################################
-@@ -5816,9 +6893,7 @@ interface(`files_manage_generic_locks',`
+@@ -5834,9 +6911,7 @@ interface(`files_manage_generic_locks',`
type var_t, var_lock_t;
')
@@ -11598,7 +11408,7 @@ index 64ff4d7..36fa375 100644
manage_files_pattern($1, var_lock_t, var_lock_t)
')
-@@ -5860,8 +6935,7 @@ interface(`files_read_all_locks',`
+@@ -5878,8 +6953,7 @@ interface(`files_read_all_locks',`
type var_t, var_lock_t;
')
@@ -11608,7 +11418,7 @@ index 64ff4d7..36fa375 100644
allow $1 lockfile:dir list_dir_perms;
read_files_pattern($1, lockfile, lockfile)
read_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5883,8 +6957,7 @@ interface(`files_manage_all_locks',`
+@@ -5901,8 +6975,7 @@ interface(`files_manage_all_locks',`
type var_t, var_lock_t;
')
@@ -11618,7 +11428,7 @@ index 64ff4d7..36fa375 100644
manage_dirs_pattern($1, lockfile, lockfile)
manage_files_pattern($1, lockfile, lockfile)
manage_lnk_files_pattern($1, lockfile, lockfile)
-@@ -5921,8 +6994,7 @@ interface(`files_lock_filetrans',`
+@@ -5939,8 +7012,7 @@ interface(`files_lock_filetrans',`
type var_t, var_lock_t;
')
@@ -11628,7 +11438,7 @@ index 64ff4d7..36fa375 100644
filetrans_pattern($1, var_lock_t, $2, $3, $4)
')
-@@ -5961,7 +7033,7 @@ interface(`files_setattr_pid_dirs',`
+@@ -5979,7 +7051,7 @@ interface(`files_setattr_pid_dirs',`
type var_run_t;
')
@@ -11637,7 +11447,7 @@ index 64ff4d7..36fa375 100644
allow $1 var_run_t:dir setattr;
')
-@@ -5981,10 +7053,48 @@ interface(`files_search_pids',`
+@@ -5999,10 +7071,48 @@ interface(`files_search_pids',`
type var_t, var_run_t;
')
@@ -11686,7 +11496,7 @@ index 64ff4d7..36fa375 100644
########################################
##
## Do not audit attempts to search
-@@ -6007,6 +7117,25 @@ interface(`files_dontaudit_search_pids',`
+@@ -6025,6 +7135,25 @@ interface(`files_dontaudit_search_pids',`
########################################
##
@@ -11712,7 +11522,7 @@ index 64ff4d7..36fa375 100644
## List the contents of the runtime process
## ID directories (/var/run).
##
-@@ -6021,7 +7150,7 @@ interface(`files_list_pids',`
+@@ -6039,7 +7168,7 @@ interface(`files_list_pids',`
type var_t, var_run_t;
')
@@ -11721,7 +11531,7 @@ index 64ff4d7..36fa375 100644
list_dirs_pattern($1, var_t, var_run_t)
')
-@@ -6040,7 +7169,7 @@ interface(`files_read_generic_pids',`
+@@ -6058,7 +7187,7 @@ interface(`files_read_generic_pids',`
type var_t, var_run_t;
')
@@ -11730,7 +11540,7 @@ index 64ff4d7..36fa375 100644
list_dirs_pattern($1, var_t, var_run_t)
read_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6060,7 +7189,7 @@ interface(`files_write_generic_pid_pipes',`
+@@ -6078,7 +7207,7 @@ interface(`files_write_generic_pid_pipes',`
type var_run_t;
')
@@ -11739,7 +11549,7 @@ index 64ff4d7..36fa375 100644
allow $1 var_run_t:fifo_file write;
')
-@@ -6122,7 +7251,6 @@ interface(`files_pid_filetrans',`
+@@ -6140,7 +7269,6 @@ interface(`files_pid_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -11747,7 +11557,7 @@ index 64ff4d7..36fa375 100644
filetrans_pattern($1, var_run_t, $2, $3, $4)
')
-@@ -6151,7 +7279,7 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6169,7 +7297,7 @@ interface(`files_pid_filetrans_lock_dir',`
########################################
##
@@ -11756,7 +11566,7 @@ index 64ff4d7..36fa375 100644
##
##
##
-@@ -6159,12 +7287,30 @@ interface(`files_pid_filetrans_lock_dir',`
+@@ -6177,12 +7305,30 @@ interface(`files_pid_filetrans_lock_dir',`
##
##
#
@@ -11789,7 +11599,7 @@ index 64ff4d7..36fa375 100644
list_dirs_pattern($1, var_t, var_run_t)
rw_files_pattern($1, var_run_t, var_run_t)
')
-@@ -6231,6 +7377,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6249,6 +7395,116 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
##
@@ -11906,7 +11716,7 @@ index 64ff4d7..36fa375 100644
## Read all process ID files.
##
##
-@@ -6243,12 +7499,86 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -6261,12 +7517,86 @@ interface(`files_dontaudit_ioctl_all_pids',`
interface(`files_read_all_pids',`
gen_require(`
attribute pidfile;
@@ -11995,7 +11805,7 @@ index 64ff4d7..36fa375 100644
')
########################################
-@@ -6268,8 +7598,8 @@ interface(`files_delete_all_pids',`
+@@ -6286,8 +7616,8 @@ interface(`files_delete_all_pids',`
type var_t, var_run_t;
')
@@ -12005,7 +11815,7 @@ index 64ff4d7..36fa375 100644
allow $1 var_run_t:dir rmdir;
allow $1 var_run_t:lnk_file delete_lnk_file_perms;
delete_files_pattern($1, pidfile, pidfile)
-@@ -6293,36 +7623,80 @@ interface(`files_delete_all_pid_dirs',`
+@@ -6311,36 +7641,80 @@ interface(`files_delete_all_pid_dirs',`
type var_t, var_run_t;
')
@@ -12097,7 +11907,7 @@ index 64ff4d7..36fa375 100644
##
##
##
-@@ -6330,12 +7704,33 @@ interface(`files_manage_all_pids',`
+@@ -6348,12 +7722,33 @@ interface(`files_manage_all_pids',`
##
##
#
@@ -12134,7 +11944,7 @@ index 64ff4d7..36fa375 100644
')
########################################
-@@ -6562,3 +7957,491 @@ interface(`files_unconfined',`
+@@ -6580,3 +7975,491 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -12627,10 +12437,10 @@ index 64ff4d7..36fa375 100644
+ allow $1 etc_t:service status;
+')
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
-index 148d87a..ccbcb66 100644
+index 1a03abd..92d1a8f 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
-@@ -5,12 +5,16 @@ policy_module(files, 1.17.5)
+@@ -5,12 +5,16 @@ policy_module(files, 1.18.1)
# Declarations
#
@@ -12734,7 +12544,7 @@ index 148d87a..ccbcb66 100644
files_mountpoint(root_t)
files_poly_parent(root_t)
kernel_rootfs_mountpoint(root_t)
-@@ -133,52 +158,63 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
+@@ -133,45 +158,54 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
#
type src_t;
files_mountpoint(src_t)
@@ -12787,10 +12597,9 @@ index 148d87a..ccbcb66 100644
type var_lock_t;
+files_base_file(var_lock_t)
files_lock_file(var_lock_t)
-+files_mountpoint(var_lock_t)
+ files_mountpoint(var_lock_t)
- #
- # var_run_t is the type of /var/run, usually
+@@ -180,6 +214,7 @@ files_mountpoint(var_lock_t)
# used for pid and other runtime files.
#
type var_run_t;
@@ -12798,7 +12607,7 @@ index 148d87a..ccbcb66 100644
files_pid_file(var_run_t)
files_mountpoint(var_run_t)
-@@ -186,7 +222,9 @@ files_mountpoint(var_run_t)
+@@ -187,7 +222,9 @@ files_mountpoint(var_run_t)
# var_spool_t is the type of /var/spool
#
type var_spool_t;
@@ -12808,7 +12617,7 @@ index 148d87a..ccbcb66 100644
########################################
#
-@@ -225,10 +263,11 @@ fs_associate_tmpfs(tmpfsfile)
+@@ -226,10 +263,11 @@ fs_associate_tmpfs(tmpfsfile)
# Create/access any file in a labeled filesystem;
allow files_unconfined_type file_type:{ file chr_file } ~execmod;
allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
@@ -12822,41 +12631,45 @@ index 148d87a..ccbcb66 100644
allow files_unconfined_type file_type:file execmod;
')
diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc
-index cda5588..924f856 100644
+index d7c11a0..1fb5480 100644
--- a/policy/modules/kernel/filesystem.fc
+++ b/policy/modules/kernel/filesystem.fc
-@@ -1,9 +1,12 @@
+@@ -1,23 +1,23 @@
-/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
-/cgroup/.* <>
+# ecryptfs does not support xattr
+HOME_DIR/\.ecryptfs(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0)
+HOME_DIR/\.Private(/.*)? gen_context(system_u:object_r:ecryptfs_t,s0)
-+
-+/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0)
/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
/dev/hugepages(/.*)? <>
-/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
-+/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0-mls_systemhigh)
- /dev/shm/.* <>
+-/dev/shm/.* <>
- /lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
-@@ -12,5 +15,11 @@
- /lib/udev/devices/shm/.* <>
-
- # for systemd systems:
--/sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
--/sys/fs/cgroup/.* <>
-+/sys/fs/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0)
-+
+-/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
+-/lib/udev/devices/hugepages/.* <>
+-/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
+-/lib/udev/devices/shm/.* <>
+/usr/lib/udev/devices/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
+/usr/lib/udev/devices/hugepages/.* <>
+/usr/lib/udev/devices/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
+/usr/lib/udev/devices/shm/.* <>
+/var/run/[^/]*/gvfs -d gen_context(system_u:object_r:fusefs_t,s0)
+/var/run/[^/]*/gvfs/.* <>
+
++# for systemd systems:
+ /sys/fs/cgroup -d gen_context(system_u:object_r:cgroup_t,s0)
+ /sys/fs/cgroup/.* <>
+
+ /sys/fs/pstore -d gen_context(system_u:object_r:pstore_t,s0)
+ /sys/fs/pstore/.* <>
+
+-ifdef(`distro_debian',`
+ /var/run/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
+ /var/run/shm/.* <>
+-')
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index 8416beb..c6cd3eb 100644
+index 8416beb..75c7b9d 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',`
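Review bot: The reworked filesystem.fc hunk removes both upstream `/dev/shm` entries (`/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0)` and `/dev/shm/.* <>`) and no longer adds the earlier Fedora replacement `/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0-mls_systemhigh)`, so the patched file carries no context for /dev/shm at all. If the intent is to rely on the tmpfs labeling declared in filesystem.te for the mounted filesystem, that should be confirmed and recorded in the patch description, because the `s0-mls_systemhigh` range the old entry gave the mount point is lost for MLS builds and a relabel of an unmounted /dev/shm would presumably fall back to whichever generic /dev entry matches. The `/lib/udev/devices/*` to `/usr/lib/udev/devices/*` move and the `gvfs` fusefs_t entries look consistent with the rest of the series.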
@@ -13616,34 +13429,55 @@ index 8416beb..c6cd3eb 100644
##
##
##
-@@ -2719,6 +3255,26 @@ interface(`fs_search_rpc',`
+@@ -2719,6 +3255,47 @@ interface(`fs_search_rpc',`
########################################
##
+## Do not audit attempts to list removable storage directories.
+##
++##
++##
++## Do not audit attempts to list removable storage directories
++##
++##
++## This interface has been deprecated, and will
++## be removed in the future.
++##
++##
+##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
+##
+#
+interface(`fs_list_pstorefs',`
++ refpolicywarn(`$0($*) has been deprecated.')
++')
++
++########################################
++##
++## Do not audit attempts to list removable storage directories.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`fs_list_pstore',`
+ gen_require(`
-+ type pstorefs_t;
++ type pstore_t;
+ ')
+
-+ allow $1 pstorefs_t:dir list_dir_perms;
++ allow $1 pstore_t:dir list_dir_perms;
+')
+
-+
-+
+########################################
+##
## Search removable storage directories.
##
##
-@@ -2741,7 +3297,7 @@ interface(`fs_search_removable',`
+@@ -2741,7 +3318,7 @@ interface(`fs_search_removable',`
##
##
##
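Review bot: The deprecated `fs_list_pstorefs` wrapper now contains only the `refpolicywarn(...)` call and grants nothing, so any module still calling it silently loses list access to the pstore directory instead of getting a compatibility shim. The pattern used elsewhere in this series (`term_dontaudit_use_all_user_ttys` warns and then calls `term_dontaudit_use_all_ttys($1)`) is to forward to the replacement: add `fs_list_pstore($1)` after the warning and let the warning name the replacement (`use fs_list_pstore() instead`); the `type pstore_t alias pstorefs_t;` declaration kept in filesystem.te makes that safe for old callers. Separately, the summary copied onto the new `fs_list_pstore` reads `Do not audit attempts to list removable storage directories.` with a `Domain to not audit.` parameter, but the body is an `allow` rule on `pstore_t`; the description should say `List pstore filesystem directories.` and the parameter `Domain allowed access.`.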
@@ -13652,7 +13486,7 @@ index 8416beb..c6cd3eb 100644
##
##
#
-@@ -2777,7 +3333,7 @@ interface(`fs_read_removable_files',`
+@@ -2777,7 +3354,7 @@ interface(`fs_read_removable_files',`
##
##
##
@@ -13661,7 +13495,7 @@ index 8416beb..c6cd3eb 100644
##
##
#
-@@ -2970,6 +3526,7 @@ interface(`fs_manage_nfs_dirs',`
+@@ -2970,6 +3547,7 @@ interface(`fs_manage_nfs_dirs',`
type nfs_t;
')
@@ -13669,7 +13503,7 @@ index 8416beb..c6cd3eb 100644
allow $1 nfs_t:dir manage_dir_perms;
')
-@@ -3010,6 +3567,7 @@ interface(`fs_manage_nfs_files',`
+@@ -3010,6 +3588,7 @@ interface(`fs_manage_nfs_files',`
type nfs_t;
')
@@ -13677,7 +13511,7 @@ index 8416beb..c6cd3eb 100644
manage_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3050,6 +3608,7 @@ interface(`fs_manage_nfs_symlinks',`
+@@ -3050,6 +3629,7 @@ interface(`fs_manage_nfs_symlinks',`
type nfs_t;
')
@@ -13685,7 +13519,7 @@ index 8416beb..c6cd3eb 100644
manage_lnk_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3137,6 +3696,24 @@ interface(`fs_nfs_domtrans',`
+@@ -3137,6 +3717,24 @@ interface(`fs_nfs_domtrans',`
########################################
##
@@ -13710,7 +13544,7 @@ index 8416beb..c6cd3eb 100644
## Mount a NFS server pseudo filesystem.
##
##
-@@ -3255,17 +3832,53 @@ interface(`fs_list_nfsd_fs',`
+@@ -3255,17 +3853,53 @@ interface(`fs_list_nfsd_fs',`
##
##
#
@@ -13767,7 +13601,7 @@ index 8416beb..c6cd3eb 100644
##
##
##
-@@ -3273,12 +3886,12 @@ interface(`fs_getattr_nfsd_files',`
+@@ -3273,12 +3907,12 @@ interface(`fs_getattr_nfsd_files',`
##
##
#
@@ -13782,7 +13616,7 @@ index 8416beb..c6cd3eb 100644
')
########################################
-@@ -3392,7 +4005,7 @@ interface(`fs_search_ramfs',`
+@@ -3392,7 +4026,7 @@ interface(`fs_search_ramfs',`
########################################
##
@@ -13791,7 +13625,7 @@ index 8416beb..c6cd3eb 100644
##
##
##
-@@ -3429,7 +4042,7 @@ interface(`fs_manage_ramfs_dirs',`
+@@ -3429,7 +4063,7 @@ interface(`fs_manage_ramfs_dirs',`
########################################
##
@@ -13800,7 +13634,7 @@ index 8416beb..c6cd3eb 100644
##
##
##
-@@ -3447,7 +4060,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
+@@ -3447,7 +4081,7 @@ interface(`fs_dontaudit_read_ramfs_files',`
########################################
##
@@ -13809,7 +13643,7 @@ index 8416beb..c6cd3eb 100644
##
##
##
-@@ -3815,6 +4428,24 @@ interface(`fs_unmount_tmpfs',`
+@@ -3815,6 +4449,24 @@ interface(`fs_unmount_tmpfs',`
########################################
##
@@ -13834,7 +13668,7 @@ index 8416beb..c6cd3eb 100644
## Get the attributes of a tmpfs
## filesystem.
##
-@@ -3908,7 +4539,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3908,7 +4560,7 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
########################################
##
@@ -13843,7 +13677,7 @@ index 8416beb..c6cd3eb 100644
##
##
##
-@@ -3916,17 +4547,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+@@ -3916,17 +4568,17 @@ interface(`fs_dontaudit_getattr_tmpfs_dirs',`
##
##
#
@@ -13864,7 +13698,7 @@ index 8416beb..c6cd3eb 100644
##
##
##
-@@ -3934,17 +4565,17 @@ interface(`fs_mounton_tmpfs',`
+@@ -3934,17 +4586,17 @@ interface(`fs_mounton_tmpfs',`
##
##
#
@@ -13885,7 +13719,7 @@ index 8416beb..c6cd3eb 100644
##
##
##
-@@ -3952,17 +4583,36 @@ interface(`fs_setattr_tmpfs_dirs',`
+@@ -3952,17 +4604,36 @@ interface(`fs_setattr_tmpfs_dirs',`
##
##
#
@@ -13925,7 +13759,7 @@ index 8416beb..c6cd3eb 100644
##
##
##
-@@ -3970,31 +4620,48 @@ interface(`fs_search_tmpfs',`
+@@ -3970,31 +4641,48 @@ interface(`fs_search_tmpfs',`
##
##
#
@@ -13981,7 +13815,7 @@ index 8416beb..c6cd3eb 100644
')
########################################
-@@ -4105,7 +4772,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
+@@ -4105,7 +4793,7 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
type tmpfs_t;
')
@@ -13990,7 +13824,7 @@ index 8416beb..c6cd3eb 100644
')
########################################
-@@ -4165,6 +4832,24 @@ interface(`fs_rw_tmpfs_files',`
+@@ -4165,6 +4853,24 @@ interface(`fs_rw_tmpfs_files',`
########################################
##
@@ -14015,7 +13849,7 @@ index 8416beb..c6cd3eb 100644
## Read tmpfs link files.
##
##
-@@ -4202,7 +4887,7 @@ interface(`fs_rw_tmpfs_chr_files',`
+@@ -4202,7 +4908,7 @@ interface(`fs_rw_tmpfs_chr_files',`
########################################
##
@@ -14024,7 +13858,7 @@ index 8416beb..c6cd3eb 100644
##
##
##
-@@ -4221,6 +4906,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -4221,6 +4927,60 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
########################################
##
@@ -14085,7 +13919,7 @@ index 8416beb..c6cd3eb 100644
## Relabel character nodes on tmpfs filesystems.
##
##
-@@ -4278,6 +5017,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
+@@ -4278,6 +5038,44 @@ interface(`fs_relabel_tmpfs_blk_file',`
########################################
##
@@ -14130,7 +13964,7 @@ index 8416beb..c6cd3eb 100644
## Read and write, create and delete generic
## files on tmpfs filesystems.
##
-@@ -4297,6 +5074,25 @@ interface(`fs_manage_tmpfs_files',`
+@@ -4297,6 +5095,25 @@ interface(`fs_manage_tmpfs_files',`
########################################
##
@@ -14156,7 +13990,7 @@ index 8416beb..c6cd3eb 100644
## Read and write, create and delete symbolic
## links on tmpfs filesystems.
##
-@@ -4503,6 +5299,8 @@ interface(`fs_mount_all_fs',`
+@@ -4503,6 +5320,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@@ -14165,7 +13999,7 @@ index 8416beb..c6cd3eb 100644
')
########################################
-@@ -4549,7 +5347,7 @@ interface(`fs_unmount_all_fs',`
+@@ -4549,7 +5368,7 @@ interface(`fs_unmount_all_fs',`
##
##
## Allow the specified domain to
@@ -14174,7 +14008,7 @@ index 8416beb..c6cd3eb 100644
## Example attributes:
##
##
-@@ -4596,6 +5394,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
+@@ -4596,6 +5415,26 @@ interface(`fs_dontaudit_getattr_all_fs',`
########################################
##
@@ -14201,7 +14035,7 @@ index 8416beb..c6cd3eb 100644
## Get the quotas of all filesystems.
##
##
-@@ -4671,6 +5489,25 @@ interface(`fs_getattr_all_dirs',`
+@@ -4671,6 +5510,25 @@ interface(`fs_getattr_all_dirs',`
########################################
##
@@ -14227,7 +14061,7 @@ index 8416beb..c6cd3eb 100644
## Search all directories with a filesystem type.
##
##
-@@ -4912,3 +5749,43 @@ interface(`fs_unconfined',`
+@@ -4912,3 +5770,43 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -14272,7 +14106,7 @@ index 8416beb..c6cd3eb 100644
+ fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct")
+')
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
-index 9e603f5..1198b51 100644
+index e7d1738..79f6c51 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -32,8 +32,11 @@ fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
@@ -14312,9 +14146,9 @@ index 9e603f5..1198b51 100644
-type cgroup_t;
+type cgroup_t alias cgroupfs_t;
fs_type(cgroup_t)
- files_type(cgroup_t)
files_mountpoint(cgroup_t)
-@@ -89,6 +98,11 @@ fs_noxattr_type(ecryptfs_t)
+ dev_associate_sysfs(cgroup_t)
+@@ -88,6 +97,11 @@ fs_noxattr_type(ecryptfs_t)
files_mountpoint(ecryptfs_t)
genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
@@ -14326,7 +14160,7 @@ index 9e603f5..1198b51 100644
type futexfs_t;
fs_type(futexfs_t)
genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
-@@ -97,6 +111,7 @@ type hugetlbfs_t;
+@@ -96,6 +110,7 @@ type hugetlbfs_t;
fs_type(hugetlbfs_t)
files_mountpoint(hugetlbfs_t)
fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
@@ -14334,7 +14168,7 @@ index 9e603f5..1198b51 100644
type ibmasmfs_t;
fs_type(ibmasmfs_t)
-@@ -119,12 +134,17 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
+@@ -118,13 +133,14 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
type nfsd_fs_t;
fs_type(nfsd_fs_t)
@@ -14345,14 +14179,12 @@ index 9e603f5..1198b51 100644
fs_type(oprofilefs_t)
genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)
-+type pstorefs_t;
-+fs_type(pstorefs_t)
-+genfscon pstore / gen_context(system_u:object_r:pstorefs_t,s0)
-+
- type ramfs_t;
- fs_type(ramfs_t)
- files_mountpoint(ramfs_t)
-@@ -145,11 +165,6 @@ fs_type(spufs_t)
+-type pstore_t;
++type pstore_t alias pstorefs_t;
+ fs_type(pstore_t)
+ files_mountpoint(pstore_t)
+ dev_associate_sysfs(pstore_t)
+@@ -150,11 +166,6 @@ fs_type(spufs_t)
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
files_mountpoint(spufs_t)
@@ -14364,7 +14196,7 @@ index 9e603f5..1198b51 100644
type sysv_t;
fs_noxattr_type(sysv_t)
files_mountpoint(sysv_t)
-@@ -167,6 +182,8 @@ type vxfs_t;
+@@ -172,6 +183,8 @@ type vxfs_t;
fs_noxattr_type(vxfs_t)
files_mountpoint(vxfs_t)
genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
@@ -14373,7 +14205,7 @@ index 9e603f5..1198b51 100644
#
# tmpfs_t is the type for tmpfs filesystems
-@@ -176,6 +193,8 @@ fs_type(tmpfs_t)
+@@ -182,6 +195,8 @@ fs_type(tmpfs_t)
files_type(tmpfs_t)
files_mountpoint(tmpfs_t)
files_poly_parent(tmpfs_t)
@@ -14382,7 +14214,7 @@ index 9e603f5..1198b51 100644
# Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types,
-@@ -255,6 +274,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
+@@ -261,6 +276,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
type removable_t;
allow removable_t noxattrfs:filesystem associate;
fs_noxattr_type(removable_t)
@@ -14391,7 +14223,7 @@ index 9e603f5..1198b51 100644
files_mountpoint(removable_t)
#
-@@ -274,6 +295,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
+@@ -280,6 +297,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -14408,7 +14240,7 @@ index 7be4ddf..f7021a0 100644
+
+/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index 649e458..d47750f 100644
+index e100d88..fe5be66 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -286,7 +286,7 @@ interface(`kernel_rw_unix_dgram_sockets',`
@@ -14605,16 +14437,7 @@ index 649e458..d47750f 100644
## Allow caller to relabel unlabeled files.
##
##
-@@ -2632,7 +2738,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
- allow $1 unlabeled_t:association { sendto recvfrom };
-
- # temporary hack until labeling on packets is supported
-- allow $1 unlabeled_t:packet { send recv };
-+# allow $1 unlabeled_t:packet { send recv };
- ')
-
- ########################################
-@@ -2670,6 +2776,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
+@@ -2667,6 +2773,24 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
########################################
##
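Review bot: Dropping the hunk that commented out `allow $1 unlabeled_t:packet { send recv };` in `kernel_sendrecv_unlabeled_association` means the rebased patch no longer disables that rule, so callers of the interface would regain send/recv on unlabeled packets if the rule still exists upstream. The old-side line numbers of the following hunk move from 2670 to 2667, which is consistent with upstream having removed the three-line hack itself, but that is inferred from offsets only and should be verified against kernel.if at the new base index e100d88 before merging. If the rule is still present upstream, the Fedora hunk needs to be re-applied rather than dropped, since the interface is used by network-facing domains.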
@@ -14639,7 +14462,7 @@ index 649e458..d47750f 100644
## Receive TCP packets from an unlabeled connection.
##
##
-@@ -2697,6 +2821,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
+@@ -2694,6 +2818,25 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
########################################
##
@@ -14665,7 +14488,7 @@ index 649e458..d47750f 100644
## Do not audit attempts to receive TCP packets from an unlabeled
## connection.
##
-@@ -2806,6 +2949,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
+@@ -2803,6 +2946,33 @@ interface(`kernel_raw_recvfrom_unlabeled',`
allow $1 unlabeled_t:rawip_socket recvfrom;
')
@@ -14699,7 +14522,7 @@ index 649e458..d47750f 100644
########################################
##
-@@ -2961,6 +3131,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
+@@ -2958,6 +3128,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
########################################
##
@@ -14724,7 +14547,7 @@ index 649e458..d47750f 100644
## Unconfined access to kernel module resources.
##
##
-@@ -2975,5 +3163,300 @@ interface(`kernel_unconfined',`
+@@ -2972,5 +3160,300 @@ interface(`kernel_unconfined',`
')
typeattribute $1 kern_unconfined;
@@ -15027,7 +14850,7 @@ index 649e458..d47750f 100644
+ list_dirs_pattern($1, sysctl_vm_overcommit_t, sysctl_vm_overcommit_t)
')
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 6fac350..5a087a7 100644
+index 8dbab4c..88cbe95 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -25,6 +25,9 @@ attribute kern_unconfined;
@@ -15370,7 +15193,7 @@ index b08a6e8..43d504b 100644
+ refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.')
+')
diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te
-index 5cbeb54..8067370 100644
+index 2da98c2..31bed0a 100644
--- a/policy/modules/kernel/mcs.te
+++ b/policy/modules/kernel/mcs.te
@@ -11,3 +11,4 @@ attribute mcssetcats;
@@ -15386,7 +15209,7 @@ index 7be4ddf..4d4c577 100644
-# This module currently does not have any file contexts.
+/selinux -l gen_context(system_u:object_r:security_t,s0)
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
-index 81440c5..a02d444 100644
+index 6d0811d..6947c0a 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',`
@@ -15454,17 +15277,15 @@ index 81440c5..a02d444 100644
allow $1 security_t:filesystem getattr;
')
-@@ -220,6 +234,9 @@ interface(`selinux_search_fs',`
- type security_t;
+@@ -221,6 +235,7 @@ interface(`selinux_search_fs',`
')
-+ dev_getattr_sysfs_fs($1)
-+ dev_search_sysfs($1)
+ dev_search_sysfs($1)
+ allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:dir search_dir_perms;
')
-@@ -243,6 +260,28 @@ interface(`selinux_dontaudit_search_fs',`
+@@ -244,6 +259,28 @@ interface(`selinux_dontaudit_search_fs',`
########################################
##
@@ -15493,7 +15314,7 @@ index 81440c5..a02d444 100644
## Do not audit attempts to read
## generic selinuxfs entries
##
-@@ -257,6 +296,7 @@ interface(`selinux_dontaudit_read_fs',`
+@@ -258,6 +295,7 @@ interface(`selinux_dontaudit_read_fs',`
type security_t;
')
@@ -15501,24 +15322,27 @@ index 81440c5..a02d444 100644
dontaudit $1 security_t:dir search_dir_perms;
dontaudit $1 security_t:file read_file_perms;
')
-@@ -278,6 +318,8 @@ interface(`selinux_get_enforce_mode',`
- type security_t;
+@@ -280,8 +318,10 @@ interface(`selinux_get_enforce_mode',`
')
+ dev_search_sysfs($1)
+ selinux_get_fs_mount($1)
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file read_file_perms;
++ allow $1 security_t:lnk_file read_lnk_file_perms;
')
-@@ -308,21 +350,9 @@ interface(`selinux_set_enforce_mode',`
+
+ ########################################
+@@ -310,22 +350,12 @@ interface(`selinux_set_enforce_mode',`
gen_require(`
type security_t;
attribute can_setenforce;
- bool secure_mode_policyload;
')
-- allow $1 security_t:dir list_dir_perms;
-- allow $1 security_t:file rw_file_perms;
+ dev_search_sysfs($1)
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 security_t:file rw_file_perms;
typeattribute $1 can_setenforce;
-
- if(!secure_mode_policyload) {
@@ -15532,18 +15356,17 @@ index 81440c5..a02d444 100644
')
########################################
-@@ -339,21 +369,14 @@ interface(`selinux_load_policy',`
+@@ -342,22 +372,13 @@ interface(`selinux_load_policy',`
gen_require(`
type security_t;
attribute can_load_policy;
- bool secure_mode_policyload;
')
-+ dev_getattr_sysfs_fs($1)
-+ dev_search_sysfs($1)
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
+ dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
++ allow $1 security_t:lnk_file read_lnk_file_perms;
typeattribute $1 can_load_policy;
-
- if(!secure_mode_policyload) {
@@ -15557,17 +15380,15 @@ index 81440c5..a02d444 100644
')
########################################
-@@ -371,6 +394,9 @@ interface(`selinux_read_policy',`
- type security_t;
- ')
-
-+ dev_getattr_sysfs_fs($1)
-+ dev_search_sysfs($1)
-+ allow $1 security_t:lnk_file read_lnk_file_perms;
+@@ -378,6 +399,7 @@ interface(`selinux_read_policy',`
+ dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file read_file_perms;
++ allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:security read_policy;
-@@ -433,17 +459,16 @@ interface(`selinux_set_boolean',`
+ ')
+
+@@ -438,19 +460,15 @@ interface(`selinux_set_boolean',`
interface(`selinux_set_generic_booleans',`
gen_require(`
type security_t;
@@ -15575,8 +15396,8 @@ index 81440c5..a02d444 100644
')
+ typeattribute $1 can_setbool;
-+ dev_getattr_sysfs_fs($1)
-+ dev_search_sysfs($1)
+ dev_search_sysfs($1)
+-
+ allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
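Review bot: `selinux_set_generic_booleans` no longer receives `dev_getattr_sysfs_fs($1)` (the two removed lines here, and likewise in the `selinux_search_fs`, `selinux_load_policy` and `selinux_read_policy` hunks above), while the `selinux_set_all_booleans`, `selinux_set_parameters`, `selinux_validate_context` and `selinux_compute_*` hunks below still add it, so the SELinux management interfaces are now inconsistent about getattr on the sysfs filesystem. The `dev_search_sysfs($1)` that upstream now supplies as context is a different permission (directory search) from filesystem getattr, so if the call was dropped as redundant that reasoning looks incomplete; if it was dropped deliberately, the remaining additions should be dropped too, or a one-line comment such as `# statfs on /sys/fs/selinux still needed here` should explain why those interfaces differ.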
@@ -15590,7 +15411,7 @@ index 81440c5..a02d444 100644
')
########################################
-@@ -472,23 +497,16 @@ interface(`selinux_set_all_booleans',`
+@@ -479,25 +497,16 @@ interface(`selinux_set_all_booleans',`
gen_require(`
type security_t, secure_mode_policyload_t;
attribute boolean_type;
@@ -15600,7 +15421,8 @@ index 81440c5..a02d444 100644
+ typeattribute $1 can_setbool;
+ dev_getattr_sysfs_fs($1)
-+ dev_search_sysfs($1)
+ dev_search_sysfs($1)
+-
+ allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:dir list_dir_perms;
- allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms;
@@ -15621,77 +15443,77 @@ index 81440c5..a02d444 100644
')
########################################
-@@ -519,6 +537,9 @@ interface(`selinux_set_parameters',`
+@@ -528,7 +537,9 @@ interface(`selinux_set_parameters',`
attribute can_setsecparam;
')
+ dev_getattr_sysfs_fs($1)
-+ dev_search_sysfs($1)
+ dev_search_sysfs($1)
+ allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security setsecparam;
-@@ -542,6 +563,9 @@ interface(`selinux_validate_context',`
+@@ -552,7 +563,9 @@ interface(`selinux_validate_context',`
type security_t;
')
+ dev_getattr_sysfs_fs($1)
-+ dev_search_sysfs($1)
+ dev_search_sysfs($1)
+ allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security check_context;
-@@ -584,6 +608,9 @@ interface(`selinux_compute_access_vector',`
+@@ -595,7 +608,9 @@ interface(`selinux_compute_access_vector',`
type security_t;
')
+ dev_getattr_sysfs_fs($1)
-+ dev_search_sysfs($1)
+ dev_search_sysfs($1)
+ allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_av;
-@@ -605,6 +632,9 @@ interface(`selinux_compute_create_context',`
+@@ -617,7 +632,9 @@ interface(`selinux_compute_create_context',`
type security_t;
')
+ dev_getattr_sysfs_fs($1)
-+ dev_search_sysfs($1)
+ dev_search_sysfs($1)
+ allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_create;
-@@ -626,6 +656,9 @@ interface(`selinux_compute_member',`
+@@ -639,7 +656,9 @@ interface(`selinux_compute_member',`
type security_t;
')
+ dev_getattr_sysfs_fs($1)
-+ dev_search_sysfs($1)
+ dev_search_sysfs($1)
+ allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_member;
-@@ -655,6 +688,9 @@ interface(`selinux_compute_relabel_context',`
+@@ -669,7 +688,9 @@ interface(`selinux_compute_relabel_context',`
type security_t;
')
+ dev_getattr_sysfs_fs($1)
-+ dev_search_sysfs($1)
+ dev_search_sysfs($1)
+ allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_relabel;
-@@ -675,6 +711,9 @@ interface(`selinux_compute_user_contexts',`
+@@ -690,7 +711,9 @@ interface(`selinux_compute_user_contexts',`
type security_t;
')
+ dev_getattr_sysfs_fs($1)
-+ dev_search_sysfs($1)
+ dev_search_sysfs($1)
+ allow $1 security_t:lnk_file read_lnk_file_perms;
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_user;
-@@ -696,4 +735,29 @@ interface(`selinux_unconfined',`
+@@ -712,4 +735,29 @@ interface(`selinux_unconfined',`
')
typeattribute $1 selinux_unconfined_type;
@@ -15722,7 +15544,7 @@ index 81440c5..a02d444 100644
')
+
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
-index 522ab32..cb9c3a2 100644
+index e0a973b..0fcd621 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -17,6 +17,7 @@ gen_bool(secure_mode_policyload,false)
@@ -15817,7 +15639,7 @@ index 54f1827..cc2de1a 100644
+/usr/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/usr/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
-index 1700ef2..38b597e 100644
+index 64c4cd0..bb2156a 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -22,6 +22,26 @@ interface(`storage_getattr_fixed_disk_dev',`
@@ -15872,8 +15694,8 @@ index 1700ef2..38b597e 100644
dev_add_entry_generic_dirs($1)
')
-@@ -269,6 +293,48 @@ interface(`storage_dev_filetrans_fixed_disk',`
- dev_filetrans($1, fixed_disk_device_t, blk_file)
+@@ -274,6 +298,48 @@ interface(`storage_dev_filetrans_fixed_disk',`
+ dev_filetrans($1, fixed_disk_device_t, blk_file, $2)
')
+#######################################
@@ -15921,7 +15743,7 @@ index 1700ef2..38b597e 100644
########################################
##
## Create block devices in on a tmpfs filesystem with the
-@@ -711,6 +777,24 @@ interface(`storage_dontaudit_raw_write_removable_device',`
+@@ -716,6 +782,24 @@ interface(`storage_dontaudit_raw_write_removable_device',`
dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
')
@@ -15946,7 +15768,7 @@ index 1700ef2..38b597e 100644
########################################
##
## Allow the caller to directly read
-@@ -808,3 +892,401 @@ interface(`storage_unconfined',`
+@@ -813,3 +897,401 @@ interface(`storage_unconfined',`
typeattribute $1 storage_unconfined_type;
')
@@ -16363,10 +16185,10 @@ index 156c333..02f5a3c 100644
+ dev_manage_generic_blk_files(fixed_disk_raw_write)
+')
diff --git a/policy/modules/kernel/terminal.fc b/policy/modules/kernel/terminal.fc
-index 7d45d15..22c9cfe 100644
+index 0ea25b6..e2ac77c 100644
--- a/policy/modules/kernel/terminal.fc
+++ b/policy/modules/kernel/terminal.fc
-@@ -14,11 +14,12 @@
+@@ -14,11 +14,11 @@
/dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0)
/dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
@@ -16376,11 +16198,10 @@ index 7d45d15..22c9cfe 100644
/dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
/dev/ttySG.* -c gen_context(system_u:object_r:tty_device_t,s0)
+/dev/ttyUSB[0-9]+ -c gen_context(system_u:object_r:usbtty_device_t,s0)
-+/dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0)
+ /dev/vport[0-9]p[0-9]+ -c gen_context(system_u:object_r:virtio_device_t,s0)
/dev/xvc[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
- /dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0)
-@@ -41,3 +42,7 @@ ifdef(`distro_gentoo',`
+@@ -42,3 +42,7 @@ ifdef(`distro_gentoo',`
# used by init scripts to initally populate udev /dev
/lib/udev/devices/console -c gen_context(system_u:object_r:console_device_t,s0)
')
@@ -16389,7 +16210,7 @@ index 7d45d15..22c9cfe 100644
+
+/usr/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index 771bce1..5bbf50b 100644
+index cbb729b..a6adfc1 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -124,7 +124,7 @@ interface(`term_user_tty',`
@@ -16739,11 +16560,10 @@ index 771bce1..5bbf50b 100644
##
##
#
-@@ -1512,3 +1693,436 @@ interface(`term_dontaudit_use_all_user_ttys',`
- refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
+@@ -1513,21 +1694,435 @@ interface(`term_dontaudit_use_all_user_ttys',`
term_dontaudit_use_all_ttys($1)
')
-+
+
+####################################
+##
+## Getattr on the virtio console.
@@ -16762,17 +16582,27 @@ index 771bce1..5bbf50b 100644
+ allow $1 virtio_device_t:chr_file getattr_chr_file_perms;
+')
+
-+#####################################
-+##
+ #####################################
+ ##
+-## Read from and write virtio console.
+## Read from and write to the virtio console.
-+##
-+##
+ ##
+ ##
+-##
+-## Domain allowed access.
+-##
+##
+## Domain allowed access.
+##
-+##
-+#
-+interface(`term_use_virtio_console',`
+ ##
+ #
+ interface(`term_use_virtio_console',`
+- gen_require(`
+- type virtio_device_t;
+- ')
+-
+- dev_list_all_dev_nodes($1)
+- allow $1 virtio_device_t:chr_file rw_term_perms;
+ gen_require(`
+ type virtio_device_t;
+ ')
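Review bot: The new side of this hunk deletes upstream's `gen_require`, `dev_list_all_dev_nodes($1)` and `allow $1 virtio_device_t:chr_file rw_term_perms;` from term_use_virtio_console, but the replacement body falls outside this hunk, so the interface's resulting permission set cannot be checked here; the only change that is visible is the description wording. Worth confirming that the rewritten interface still grants no more than rw_term_perms on virtio_device_t and keeps the `dev_list_all_dev_nodes($1)` call it needs to reach the node. The interface definition continues outside the hunk.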
@@ -16793,16 +16623,16 @@ index 771bce1..5bbf50b 100644
+#
+interface(`term_filetrans_all_named_dev',`
+
-+gen_require(`
-+ type tty_device_t;
-+ type bsdpty_device_t;
-+ type console_device_t;
-+ type ptmx_t;
-+ type devtty_t;
-+ type virtio_device_t;
-+ type devpts_t;
-+ type usbtty_device_t;
-+')
++ gen_require(`
++ type tty_device_t;
++ type bsdpty_device_t;
++ type console_device_t;
++ type ptmx_t;
++ type devtty_t;
++ type virtio_device_t;
++ type devpts_t;
++ type usbtty_device_t;
++ ')
+
+ dev_filetrans($1, devtty_t, chr_file, "tty")
+ dev_filetrans($1, tty_device_t, chr_file, "tty0")
@@ -17175,9 +17005,9 @@ index 771bce1..5bbf50b 100644
+ dev_filetrans($1, tty_device_t, chr_file, "xvc7")
+ dev_filetrans($1, tty_device_t, chr_file, "xvc8")
+ dev_filetrans($1, tty_device_t, chr_file, "xvc9")
-+')
+ ')
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
-index c0b88bf..a97d7cc 100644
+index 66e116a..a0a5d90 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -29,6 +29,7 @@ files_mountpoint(devpts_t)
@@ -17188,20 +17018,15 @@ index c0b88bf..a97d7cc 100644
#
# devtty_t is the type of /dev/tty.
-@@ -54,5 +55,11 @@ dev_node(tty_device_t)
- #
- # usbtty_device_t is the type of /dev/usr/tty*
- #
--type usbtty_device_t, serial_device;
--dev_node(usbtty_device_t)
-+type usbtty_device_t;
-+term_tty(usbtty_device_t)
-+
+@@ -57,5 +58,8 @@ dev_node(tty_device_t)
+ type usbtty_device_t, serial_device;
+ dev_node(usbtty_device_t)
+
+#
+# virtio_device_t is the type of /dev/vport[0-9]p[0-9]
+#
-+type virtio_device_t, serial_device;
-+dev_node(virtio_device_t)
+ type virtio_device_t, serial_device;
+ dev_node(virtio_device_t)
diff --git a/policy/modules/kernel/unlabelednet.fc b/policy/modules/kernel/unlabelednet.fc
new file mode 100644
index 0000000..f310b9d
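Review bot: The new patch no longer replaces `type usbtty_device_t, serial_device;` / `dev_node(usbtty_device_t)` with `type usbtty_device_t;` / `term_tty(usbtty_device_t)`, so usbtty_device_t keeps upstream's serial_device declaration while the terminal.fc hunk still labels `/dev/ttyUSB[0-9]+` with it. If the earlier term_tty() call was what made /dev/ttyUSB* reachable through the generic tty interfaces, dropping it narrows which domains can use those devices; that is presumably intentional now that upstream declares the type, but the commit does not say so. A short commit-message line stating that the usbtty_device_t change was dropped on purpose, rather than lost in the rebase, would make the intent reviewable.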
@@ -17327,10 +17152,10 @@ index 234a940..d340f20 100644
########################################
##
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 5da7870..4f46291 100644
+index 0fef1fc..faffbc3 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
-@@ -8,12 +8,71 @@ policy_module(staff, 2.3.1)
+@@ -8,12 +8,71 @@ policy_module(staff, 2.4.0)
role staff_r;
userdom_unpriv_user_template(staff)
@@ -17402,7 +17227,7 @@ index 5da7870..4f46291 100644
optional_policy(`
apache_role(staff_r, staff_t)
')
-@@ -23,11 +82,110 @@ optional_policy(`
+@@ -23,11 +82,106 @@ optional_policy(`
')
optional_policy(`
@@ -17447,10 +17272,6 @@ index 5da7870..4f46291 100644
+')
+
+optional_policy(`
-+ gnome_role(staff_r, staff_t)
-+')
-+
-+optional_policy(`
+ irc_role(staff_r, staff_t)
+')
+
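Review bot: `gnome_role(staff_r, staff_t)` is dropped from the staff.te hunk with no replacement visible, and the unprivuser.te hunk drops `gnome_role(user_r, user_t)` the same way, while the sysadm.te hunk replaces `gnome_role(sysadm_r, sysadm_t)` with `gnome_role_template(sysadm, sysadm_r, sysadm_t)`. If gnome_role_template is the new interface, staff_r and user_r lose their GNOME role wiring unless it is added outside these hunks (for example inside userdom_unpriv_user_template); worth confirming before merge. If the omission is intended, a comment in the staff.te hunk such as `# gnome role wiring comes from the unpriv user template` would keep the three role files readable as a set.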
@@ -17514,7 +17335,7 @@ index 5da7870..4f46291 100644
')
optional_policy(`
-@@ -35,15 +193,31 @@ optional_policy(`
+@@ -35,15 +189,31 @@ optional_policy(`
')
optional_policy(`
@@ -17548,7 +17369,7 @@ index 5da7870..4f46291 100644
')
optional_policy(`
-@@ -52,10 +226,55 @@ optional_policy(`
+@@ -52,10 +222,55 @@ optional_policy(`
')
optional_policy(`
@@ -17604,7 +17425,7 @@ index 5da7870..4f46291 100644
xserver_role(staff_r, staff_t)
')
-@@ -65,10 +284,6 @@ ifndef(`distro_redhat',`
+@@ -65,10 +280,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -17615,7 +17436,7 @@ index 5da7870..4f46291 100644
cdrecord_role(staff_r, staff_t)
')
-@@ -78,10 +293,6 @@ ifndef(`distro_redhat',`
+@@ -78,10 +289,6 @@ ifndef(`distro_redhat',`
optional_policy(`
dbus_role_template(staff, staff_r, staff_t)
@@ -17626,7 +17447,7 @@ index 5da7870..4f46291 100644
')
optional_policy(`
-@@ -101,10 +312,6 @@ ifndef(`distro_redhat',`
+@@ -101,10 +308,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -17637,7 +17458,7 @@ index 5da7870..4f46291 100644
java_role(staff_r, staff_t)
')
-@@ -125,10 +332,6 @@ ifndef(`distro_redhat',`
+@@ -125,10 +328,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -17648,7 +17469,7 @@ index 5da7870..4f46291 100644
pyzor_role(staff_r, staff_t)
')
-@@ -141,10 +344,6 @@ ifndef(`distro_redhat',`
+@@ -141,10 +340,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -17659,7 +17480,7 @@ index 5da7870..4f46291 100644
spamassassin_role(staff_r, staff_t)
')
-@@ -176,3 +375,22 @@ ifndef(`distro_redhat',`
+@@ -176,3 +371,22 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
@@ -17711,10 +17532,10 @@ index ff92430..36740ea 100644
##
## Execute a generic bin program in the sysadm domain.
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 88d0028..f520b74 100644
+index 2522ca6..de53b7b 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
-@@ -5,39 +5,85 @@ policy_module(sysadm, 2.5.1)
+@@ -5,39 +5,85 @@ policy_module(sysadm, 2.6.1)
# Declarations
#
@@ -17896,21 +17717,18 @@ index 88d0028..f520b74 100644
dmesg_exec(sysadm_t)
')
-@@ -156,11 +215,11 @@ optional_policy(`
+@@ -156,6 +215,10 @@ optional_policy(`
')
optional_policy(`
-- fstools_run(sysadm_t, sysadm_r)
+ firewalld_dbus_chat(sysadm_t)
++')
++
++optional_policy(`
+ fstools_run(sysadm_t, sysadm_r)
')
- optional_policy(`
-- git_role(sysadm_r, sysadm_t)
-+ fstools_run(sysadm_t, sysadm_r)
- ')
-
- optional_policy(`
-@@ -179,6 +238,13 @@ optional_policy(`
+@@ -175,6 +238,13 @@ optional_policy(`
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
@@ -17924,7 +17742,7 @@ index 88d0028..f520b74 100644
')
optional_policy(`
-@@ -186,15 +252,20 @@ optional_policy(`
+@@ -182,15 +252,20 @@ optional_policy(`
')
optional_policy(`
@@ -17936,19 +17754,19 @@ index 88d0028..f520b74 100644
- libs_run_ldconfig(sysadm_t, sysadm_r)
+ kerberos_exec_kadmind(sysadm_t)
+ kerberos_filetrans_named_content(sysadm_t)
++')
++
++optional_policy(`
++ kudzu_run(sysadm_t, sysadm_r)
')
optional_policy(`
- lockdev_role(sysadm_r, sysadm_t)
-+ kudzu_run(sysadm_t, sysadm_r)
-+')
-+
-+optional_policy(`
+ libs_run_ldconfig(sysadm_t, sysadm_r)
')
optional_policy(`
-@@ -214,22 +285,20 @@ optional_policy(`
+@@ -210,22 +285,20 @@ optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -17977,7 +17795,7 @@ index 88d0028..f520b74 100644
')
optional_policy(`
-@@ -241,14 +310,27 @@ optional_policy(`
+@@ -237,14 +310,27 @@ optional_policy(`
')
optional_policy(`
@@ -18005,7 +17823,7 @@ index 88d0028..f520b74 100644
')
optional_policy(`
-@@ -256,10 +338,20 @@ optional_policy(`
+@@ -252,10 +338,20 @@ optional_policy(`
')
optional_policy(`
@@ -18026,7 +17844,7 @@ index 88d0028..f520b74 100644
portage_run(sysadm_t, sysadm_r)
portage_run_fetch(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
-@@ -270,35 +362,41 @@ optional_policy(`
+@@ -266,35 +362,41 @@ optional_policy(`
')
optional_policy(`
@@ -18075,7 +17893,7 @@ index 88d0028..f520b74 100644
')
optional_policy(`
-@@ -312,6 +410,7 @@ optional_policy(`
+@@ -308,6 +410,7 @@ optional_policy(`
optional_policy(`
screen_role_template(sysadm, sysadm_r, sysadm_t)
@@ -18083,7 +17901,7 @@ index 88d0028..f520b74 100644
')
optional_policy(`
-@@ -319,12 +418,20 @@ optional_policy(`
+@@ -315,12 +418,20 @@ optional_policy(`
')
optional_policy(`
@@ -18105,7 +17923,7 @@ index 88d0028..f520b74 100644
')
optional_policy(`
-@@ -349,7 +456,18 @@ optional_policy(`
+@@ -345,7 +456,18 @@ optional_policy(`
')
optional_policy(`
@@ -18125,7 +17943,7 @@ index 88d0028..f520b74 100644
')
optional_policy(`
-@@ -360,19 +478,15 @@ optional_policy(`
+@@ -356,19 +478,15 @@ optional_policy(`
')
optional_policy(`
@@ -18147,7 +17965,7 @@ index 88d0028..f520b74 100644
')
optional_policy(`
-@@ -384,10 +498,6 @@ optional_policy(`
+@@ -380,10 +498,6 @@ optional_policy(`
')
optional_policy(`
@@ -18158,7 +17976,7 @@ index 88d0028..f520b74 100644
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
usermanage_run_groupadd(sysadm_t, sysadm_r)
usermanage_run_useradd(sysadm_t, sysadm_r)
-@@ -395,6 +505,9 @@ optional_policy(`
+@@ -391,6 +505,9 @@ optional_policy(`
optional_policy(`
virt_stream_connect(sysadm_t)
@@ -18168,7 +17986,7 @@ index 88d0028..f520b74 100644
')
optional_policy(`
-@@ -402,31 +515,34 @@ optional_policy(`
+@@ -398,31 +515,34 @@ optional_policy(`
')
optional_policy(`
@@ -18209,7 +18027,7 @@ index 88d0028..f520b74 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -439,10 +555,6 @@ ifndef(`distro_redhat',`
+@@ -435,10 +555,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -18220,12 +18038,12 @@ index 88d0028..f520b74 100644
dbus_role_template(sysadm, sysadm_r, sysadm_t)
optional_policy(`
-@@ -463,15 +575,75 @@ ifndef(`distro_redhat',`
+@@ -459,15 +575,75 @@ ifndef(`distro_redhat',`
')
optional_policy(`
- gpg_role(sysadm_r, sysadm_t)
-+ gnome_role(sysadm_r, sysadm_t)
++ gnome_role_template(sysadm, sysadm_r, sysadm_t)
+ gnome_filetrans_admin_home_content(sysadm_t)
')
@@ -19322,11 +19140,11 @@ index 3835596..fbca2be 100644
########################################
##
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index cdfddf4..ad1f001 100644
+index 6d77e81..8e30f51 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -1,5 +1,12 @@
- policy_module(unprivuser, 2.3.1)
+ policy_module(unprivuser, 2.4.0)
+##
+##
@@ -19338,7 +19156,7 @@ index cdfddf4..ad1f001 100644
# this module should be named user, but that is
# a compile error since user is a keyword.
-@@ -12,12 +19,100 @@ role user_r;
+@@ -12,12 +19,96 @@ role user_r;
userdom_unpriv_user_template(user)
@@ -19384,10 +19202,6 @@ index cdfddf4..ad1f001 100644
+')
+
+optional_policy(`
-+ gnome_role(user_r, user_t)
-+')
-+
-+optional_policy(`
+ journalctl_role(user_r, user_t)
+')
+
@@ -19440,7 +19254,7 @@ index cdfddf4..ad1f001 100644
')
optional_policy(`
-@@ -25,6 +120,18 @@ optional_policy(`
+@@ -25,6 +116,18 @@ optional_policy(`
')
optional_policy(`
@@ -19459,7 +19273,7 @@ index cdfddf4..ad1f001 100644
vlock_run(user_t, user_r)
')
-@@ -102,10 +209,6 @@ ifndef(`distro_redhat',`
+@@ -102,10 +205,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -19470,7 +19284,7 @@ index cdfddf4..ad1f001 100644
postgresql_role(user_r, user_t)
')
-@@ -128,7 +231,6 @@ ifndef(`distro_redhat',`
+@@ -128,7 +227,6 @@ ifndef(`distro_redhat',`
optional_policy(`
ssh_role_template(user, user_r, user_t)
')
@@ -19478,7 +19292,7 @@ index cdfddf4..ad1f001 100644
optional_policy(`
su_role_template(user, user_r, user_t)
')
-@@ -161,3 +263,15 @@ ifndef(`distro_redhat',`
+@@ -161,3 +259,15 @@ ifndef(`distro_redhat',`
wireshark_role(user_r, user_t)
')
')
@@ -19859,7 +19673,7 @@ index 9d2f311..9e87525 100644
+ postgresql_filetrans_named_content($1)
')
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
-index 346d011..3e23acb 100644
+index 0306134..bf53ec7 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -19,25 +19,32 @@ gen_require(`
@@ -20812,10 +20626,10 @@ index fe0c682..c0413e8 100644
+ ps_process_pattern($1, sshd_t)
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 5fc0391..692569b 100644
+index cc877c7..f2db99e 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
-@@ -6,43 +6,61 @@ policy_module(ssh, 2.3.3)
+@@ -6,43 +6,64 @@ policy_module(ssh, 2.4.2)
#
##
@@ -20872,39 +20686,43 @@ index 5fc0391..692569b 100644
ssh_server_template(sshd)
init_daemon_domain(sshd_t, sshd_exec_t)
+mls_trusted_object(sshd_t)
-
--type sshd_key_t;
--files_type(sshd_key_t)
++
+type sshd_initrc_exec_t;
+init_script_file(sshd_initrc_exec_t)
++
++type sshd_unit_file_t;
++systemd_unit_file(sshd_unit_file_t)
+
+ type sshd_key_t;
+ files_type(sshd_key_t)
-type sshd_tmp_t;
-files_tmp_file(sshd_tmp_t)
-files_poly_parent(sshd_tmp_t)
-+type sshd_unit_file_t;
-+systemd_unit_file(sshd_unit_file_t)
-
+-
-ifdef(`enable_mcs',`
- init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
-')
-+type sshd_key_t;
-+files_type(sshd_key_t)
++type sshd_keytab_t;
++files_type(sshd_keytab_t)
type ssh_t;
type ssh_exec_t;
-@@ -73,6 +91,11 @@ type ssh_home_t;
+@@ -73,9 +94,11 @@ type ssh_home_t;
typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t };
typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
userdom_user_home_content(ssh_home_t)
+files_poly_parent(ssh_home_t)
-+
+
+-type sshd_keytab_t;
+-files_type(sshd_keytab_t)
+ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
+')
##############################
#
-@@ -83,6 +106,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
+@@ -86,6 +109,7 @@ allow ssh_t self:capability { setuid setgid dac_override dac_read_search };
allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow ssh_t self:fd use;
allow ssh_t self:fifo_file rw_fifo_file_perms;
@@ -20912,7 +20730,7 @@ index 5fc0391..692569b 100644
allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow ssh_t self:shm create_shm_perms;
-@@ -90,15 +114,11 @@ allow ssh_t self:sem create_sem_perms;
+@@ -93,15 +117,11 @@ allow ssh_t self:sem create_sem_perms;
allow ssh_t self:msgq create_msgq_perms;
allow ssh_t self:msg { send receive };
allow ssh_t self:tcp_socket create_stream_socket_perms;
@@ -20929,7 +20747,7 @@ index 5fc0391..692569b 100644
manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t)
-@@ -107,33 +127,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
+@@ -110,33 +130,42 @@ fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }
manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
@@ -20977,7 +20795,7 @@ index 5fc0391..692569b 100644
dev_read_urand(ssh_t)
fs_getattr_all_fs(ssh_t)
-@@ -154,40 +183,46 @@ files_read_var_files(ssh_t)
+@@ -157,40 +186,46 @@ files_read_var_files(ssh_t)
logging_send_syslog_msg(ssh_t)
logging_read_generic_logs(ssh_t)
@@ -21043,7 +20861,7 @@ index 5fc0391..692569b 100644
')
optional_policy(`
-@@ -195,6 +230,7 @@ optional_policy(`
+@@ -198,6 +233,7 @@ optional_policy(`
xserver_domtrans_xauth(ssh_t)
')
@@ -21051,7 +20869,7 @@ index 5fc0391..692569b 100644
##############################
#
# ssh_keysign_t local policy
-@@ -206,6 +242,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
+@@ -209,6 +245,7 @@ allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
allow ssh_keysign_t sshd_key_t:file { getattr read };
dev_read_urand(ssh_keysign_t)
@@ -21059,17 +20877,19 @@ index 5fc0391..692569b 100644
files_read_etc_files(ssh_keysign_t)
-@@ -223,33 +260,54 @@ optional_policy(`
+@@ -226,39 +263,56 @@ optional_policy(`
# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
--
++allow sshd_t self:process setcurrent;
+
+ allow sshd_t sshd_keytab_t:file read_file_perms;
+
-manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
-manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
-manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
-files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
-+allow sshd_t self:process setcurrent;
-
+-
kernel_search_key(sshd_t)
kernel_link_key(sshd_t)
@@ -21089,6 +20909,9 @@ index 5fc0391..692569b 100644
+corenet_tcp_bind_vnc_port(sshd_t)
corenet_sendrecv_xserver_server_packets(sshd_t)
+-ifdef(`distro_debian',`
+- allow sshd_t self:process { getcap setcap };
+-')
+auth_exec_login_program(sshd_t)
+
+userdom_read_user_home_content_files(sshd_t)
@@ -21097,7 +20920,7 @@ index 5fc0391..692569b 100644
+userdom_spec_domtrans_unpriv_users(sshd_t)
+userdom_signal_unpriv_users(sshd_t)
+userdom_dyntransition_unpriv_users(sshd_t)
-+
+
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
# ioctl is necessary for logout() processing for utmp entry and for w to
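Review bot: The new side removes upstream's `ifdef(`distro_debian',` block that grants `allow sshd_t self:process { getcap setcap };`; on a build that does not define distro_debian this is inert, but it enlarges the distro patch and will conflict on every rebase that touches this region, so leaving those three upstream lines untouched would be cleaner. Separately, `allow sshd_t self:process setcurrent;` is moved up without a comment; since it pairs with `userdom_dyntransition_unpriv_users(sshd_t)` later in the hunk, a why-comment such as `# setcurrent is required for the dyntransition into user domains below` would document why the two rules belong together. The sshd_t local policy section continues beyond this hunk.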
@@ -21123,14 +20946,10 @@ index 5fc0391..692569b 100644
')
optional_policy(`
-@@ -257,11 +315,28 @@ optional_policy(`
+@@ -266,6 +320,15 @@ optional_policy(`
')
optional_policy(`
-+ kerberos_keytab_template(sshd, sshd_t)
-+')
-+
-+optional_policy(`
+ ftp_dyntrans_sftpd(sshd_t)
+ ftp_dyntrans_anon_sftpd(sshd_t)
+')
@@ -21143,28 +20962,26 @@ index 5fc0391..692569b 100644
inetd_tcp_service_domain(sshd_t, sshd_exec_t)
')
+@@ -275,6 +338,18 @@ optional_policy(`
+ ')
+
optional_policy(`
-- kerberos_keytab_template(sshd, sshd_t)
+ lvm_domtrans(sshd_t)
+')
+
+optional_policy(`
-+ nx_read_home_files(sshd_t)
- ')
-
- optional_policy(`
-@@ -269,6 +344,10 @@ optional_policy(`
- ')
-
- optional_policy(`
+ munin_read_var_lib_files(sshd_t)
+')
+
+optional_policy(`
- rpm_use_script_fds(sshd_t)
++ nx_read_home_files(sshd_t)
++')
++
++optional_policy(`
+ oddjob_domtrans_mkhomedir(sshd_t)
')
-@@ -279,13 +358,93 @@ optional_policy(`
+@@ -289,13 +364,93 @@ optional_policy(`
')
optional_policy(`
@@ -21258,7 +21075,7 @@ index 5fc0391..692569b 100644
########################################
#
# ssh_keygen local policy
-@@ -294,19 +453,29 @@ optional_policy(`
+@@ -304,19 +459,29 @@ optional_policy(`
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
@@ -21289,7 +21106,7 @@ index 5fc0391..692569b 100644
dev_read_urand(ssh_keygen_t)
term_dontaudit_use_console(ssh_keygen_t)
-@@ -323,6 +492,12 @@ auth_use_nsswitch(ssh_keygen_t)
+@@ -333,6 +498,12 @@ auth_use_nsswitch(ssh_keygen_t)
logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
@@ -21302,7 +21119,7 @@ index 5fc0391..692569b 100644
optional_policy(`
seutil_sigchld_newrole(ssh_keygen_t)
-@@ -331,3 +506,140 @@ optional_policy(`
+@@ -341,3 +512,140 @@ optional_policy(`
optional_policy(`
udev_read_db(ssh_keygen_t)
')
@@ -21444,7 +21261,7 @@ index 5fc0391..692569b 100644
+ xserver_rw_xdm_pipes(ssh_agent_type)
+')
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
-index d1f64a0..9a5dab5 100644
+index 8274418..830bb6f 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,13 +2,35 @@
@@ -21524,15 +21341,12 @@ index d1f64a0..9a5dab5 100644
# /usr
#
--/usr/(s)?bin/gdm(3)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
--/usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
--/usr/(s)?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
--/usr/(s)?bin/[xkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/sbin/mdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
-+/usr/s?bin/gdm3? -- gen_context(system_u:object_r:xdm_exec_t,s0)
-+/usr/s?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
+ /usr/s?bin/gdm(3)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
+ /usr/s?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/s?bin/lightdm* -- gen_context(system_u:object_r:xdm_exec_t,s0)
-+/usr/s?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
+ /usr/s?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
+-/usr/s?bin/[xkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/s?bin/[mxgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
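Review bot: `/usr/s?bin/lightdm*`, kept from the earlier patch, is a regex rather than a glob, so it matches `lightd`, `lightdm`, `lightdmm`… and not `lightdm` followed by an arbitrary suffix; if helper binaries were meant to be covered the intended form is `/usr/s?bin/lightdm.*`, otherwise plain `/usr/s?bin/lightdm` says what it does. The widened `/usr/s?bin/[mxgkw]dm` now also matches `gdm`, overlapping the `gdm(3)?` entry above it; both assign xdm_exec_t so this is harmless, but dropping the `g` keeps one spec per path and avoids a reader wondering which entry wins.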
@@ -21548,7 +21362,7 @@ index d1f64a0..9a5dab5 100644
/usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-@@ -92,25 +128,49 @@ ifndef(`distro_debian',`
+@@ -92,18 +128,31 @@ ifndef(`distro_debian',`
/var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
@@ -21576,6 +21390,7 @@ index d1f64a0..9a5dab5 100644
+
+/var/spool/[mg]dm(/.*)? gen_context(system_u:object_r:xdm_spool_t,s0)
+ /var/run/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/gdm(3)?\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/[kgm]dm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/gdm_socket -s gen_context(system_u:object_r:xdm_var_run_t,s0)
@@ -21583,10 +21398,7 @@ index d1f64a0..9a5dab5 100644
/var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
- /var/run/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
--/var/run/slim(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-+/var/run/slim(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-+/var/run/slim.* -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+@@ -112,6 +161,16 @@ ifndef(`distro_debian',`
/var/run/xauth(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xdmctl(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
@@ -23196,7 +23008,7 @@ index 6bf0ecc..5a7e2a4 100644
+ dontaudit $1 xserver_log_t:dir search_dir_perms;
+')
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
-index 2696452..adbe339 100644
+index 8b40377..4a84226 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -26,28 +26,59 @@ gen_require(`
@@ -23324,7 +23136,7 @@ index 2696452..adbe339 100644
typealias xauth_tmp_t alias { auditadm_xauth_tmp_t secadm_xauth_tmp_t };
userdom_user_tmp_file(xauth_tmp_t)
-@@ -154,19 +195,28 @@ files_type(xconsole_device_t)
+@@ -155,19 +196,28 @@ dev_associate(xconsole_device_t)
fs_associate_tmpfs(xconsole_device_t)
files_associate_tmp(xconsole_device_t)
@@ -23356,7 +23168,7 @@ index 2696452..adbe339 100644
type xdm_var_lib_t;
files_type(xdm_var_lib_t)
-@@ -174,13 +224,27 @@ files_type(xdm_var_lib_t)
+@@ -175,13 +225,27 @@ files_type(xdm_var_lib_t)
type xdm_var_run_t;
files_pid_file(xdm_var_run_t)
@@ -23385,7 +23197,7 @@ index 2696452..adbe339 100644
# type for /var/lib/xkb
type xkb_var_lib_t;
files_type(xkb_var_lib_t)
-@@ -193,14 +257,12 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
+@@ -194,14 +258,12 @@ typealias xserver_t alias { auditadm_xserver_t secadm_xserver_t xdm_xserver_t };
init_system_domain(xserver_t, xserver_exec_t)
ubac_constrained(xserver_t)
@@ -23404,7 +23216,7 @@ index 2696452..adbe339 100644
userdom_user_tmpfs_file(xserver_tmpfs_t)
type xsession_exec_t;
-@@ -225,21 +287,33 @@ optional_policy(`
+@@ -226,21 +288,33 @@ optional_policy(`
#
allow iceauth_t iceauth_home_t:file manage_file_perms;
@@ -23419,16 +23231,12 @@ index 2696452..adbe339 100644
-userdom_use_user_terminals(iceauth_t)
+userdom_use_inherited_user_terminals(iceauth_t)
userdom_read_user_tmp_files(iceauth_t)
--
++userdom_read_all_users_state(iceauth_t)
++userdom_home_manager(iceauth_t)
+
-tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_files(iceauth_t)
-')
--
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_files(iceauth_t)
-+userdom_read_all_users_state(iceauth_t)
-+userdom_home_manager(iceauth_t)
-+
+ifdef(`hide_broken_symptoms',`
+ dev_dontaudit_read_urand(iceauth_t)
+ dev_dontaudit_rw_dri(iceauth_t)
@@ -23436,7 +23244,9 @@ index 2696452..adbe339 100644
+ fs_dontaudit_list_inotifyfs(iceauth_t)
+ fs_dontaudit_rw_anon_inodefs_files(iceauth_t)
+ term_dontaudit_use_unallocated_ttys(iceauth_t)
-+
+
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_files(iceauth_t)
+ userdom_dontaudit_read_user_home_content_files(iceauth_t)
+ userdom_dontaudit_write_user_home_content_files(iceauth_t)
+ userdom_dontaudit_write_user_tmp_files(iceauth_t)
@@ -23447,7 +23257,7 @@ index 2696452..adbe339 100644
')
########################################
-@@ -247,48 +321,89 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -248,48 +322,89 @@ tunable_policy(`use_samba_home_dirs',`
# Xauth local policy
#
@@ -23548,7 +23358,7 @@ index 2696452..adbe339 100644
ssh_sigchld(xauth_t)
ssh_read_pipes(xauth_t)
ssh_dontaudit_rw_tcp_sockets(xauth_t)
-@@ -299,64 +414,109 @@ optional_policy(`
+@@ -300,64 +415,109 @@ optional_policy(`
# XDM Local policy
#
@@ -23668,7 +23478,7 @@ index 2696452..adbe339 100644
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -365,20 +525,29 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
+@@ -366,20 +526,29 @@ stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -23700,7 +23510,7 @@ index 2696452..adbe339 100644
corenet_all_recvfrom_netlabel(xdm_t)
corenet_tcp_sendrecv_generic_if(xdm_t)
corenet_udp_sendrecv_generic_if(xdm_t)
-@@ -388,38 +557,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
+@@ -389,38 +558,49 @@ corenet_tcp_sendrecv_all_ports(xdm_t)
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -23754,7 +23564,7 @@ index 2696452..adbe339 100644
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -430,9 +610,28 @@ files_list_mnt(xdm_t)
+@@ -431,9 +611,28 @@ files_list_mnt(xdm_t)
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -23783,7 +23593,7 @@ index 2696452..adbe339 100644
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -441,28 +640,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
+@@ -442,28 +641,45 @@ storage_dontaudit_raw_read_removable_device(xdm_t)
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -23832,7 +23642,7 @@ index 2696452..adbe339 100644
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -471,24 +687,144 @@ userdom_read_user_home_content_files(xdm_t)
+@@ -472,24 +688,144 @@ userdom_read_user_home_content_files(xdm_t)
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -23983,7 +23793,7 @@ index 2696452..adbe339 100644
tunable_policy(`xdm_sysadm_login',`
userdom_xsession_spec_domtrans_all_users(xdm_t)
# FIXME:
-@@ -502,11 +838,26 @@ tunable_policy(`xdm_sysadm_login',`
+@@ -503,11 +839,26 @@ tunable_policy(`xdm_sysadm_login',`
')
optional_policy(`
@@ -24010,12 +23820,14 @@ index 2696452..adbe339 100644
')
optional_policy(`
-@@ -514,12 +865,57 @@ optional_policy(`
- ')
-
+@@ -517,9 +868,34 @@ optional_policy(`
optional_policy(`
-+ dbus_system_bus_client(xdm_t)
-+ dbus_connect_system_bus(xdm_t)
+ dbus_system_bus_client(xdm_t)
+ dbus_connect_system_bus(xdm_t)
++
++ optional_policy(`
++ accountsd_dbus_chat(xdm_t)
++ ')
+
+ optional_policy(`
+ bluetooth_dbus_chat(xdm_t)
@@ -24037,16 +23849,14 @@ index 2696452..adbe339 100644
+ optional_policy(`
+ gnomeclock_dbus_chat(xdm_t)
+ ')
-+
-+ optional_policy(`
+
+ optional_policy(`
+- accountsd_dbus_chat(xdm_t)
+ networkmanager_dbus_chat(xdm_t)
-+ ')
-+')
-+
-+optional_policy(`
- # Talk to the console mouse server.
- gpm_stream_connect(xdm_t)
- gpm_setattr_gpmctl(xdm_t)
+ ')
+ ')
+
+@@ -530,6 +906,20 @@ optional_policy(`
')
optional_policy(`
@@ -24056,7 +23866,6 @@ index 2696452..adbe339 100644
+ gnome_delete_gkeyringd_tmp_content(xdm_t)
+ gnome_manage_config(xdm_t)
+ gnome_manage_gconf_home_files(xdm_t)
-+ #gnome_filetrans_home_content(xdm_t)
+ gnome_read_config(xdm_t)
+ gnome_read_usr_config(xdm_t)
+ gnome_read_gconf_config(xdm_t)
@@ -24068,7 +23877,7 @@ index 2696452..adbe339 100644
hostname_exec(xdm_t)
')
-@@ -537,28 +933,78 @@ optional_policy(`
+@@ -547,28 +937,78 @@ optional_policy(`
')
optional_policy(`
@@ -24156,7 +23965,7 @@ index 2696452..adbe339 100644
')
optional_policy(`
-@@ -570,6 +1016,14 @@ optional_policy(`
+@@ -580,6 +1020,14 @@ optional_policy(`
')
optional_policy(`
@@ -24171,7 +23980,7 @@ index 2696452..adbe339 100644
xfs_stream_connect(xdm_t)
')
-@@ -584,7 +1038,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
+@@ -594,7 +1042,7 @@ type_transition xserver_t xserver_t:x_colormap root_xcolormap_t;
type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
@@ -24180,7 +23989,7 @@ index 2696452..adbe339 100644
# setuid/setgid for the wrapper program to change UID
# sys_rawio is for iopl access - should not be needed for frame-buffer
-@@ -594,8 +1048,11 @@ allow xserver_t input_xevent_t:x_event send;
+@@ -604,8 +1052,11 @@ allow xserver_t input_xevent_t:x_event send;
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -24193,7 +24002,7 @@ index 2696452..adbe339 100644
allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
-@@ -608,8 +1065,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -618,8 +1069,15 @@ allow xserver_t self:unix_dgram_socket { create_socket_perms sendto };
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -24209,7 +24018,7 @@ index 2696452..adbe339 100644
manage_dirs_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
manage_sock_files_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t)
-@@ -617,6 +1081,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
+@@ -627,6 +1085,10 @@ files_tmp_filetrans(xserver_t, xserver_tmp_t, { file dir sock_file })
filetrans_pattern(xserver_t, xserver_tmp_t, xserver_tmp_t, sock_file)
@@ -24220,7 +24029,7 @@ index 2696452..adbe339 100644
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_lnk_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -628,12 +1096,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
+@@ -638,12 +1100,19 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -24242,7 +24051,7 @@ index 2696452..adbe339 100644
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -641,12 +1116,12 @@ kernel_read_modprobe_sysctls(xserver_t)
+@@ -651,12 +1120,12 @@ kernel_read_modprobe_sysctls(xserver_t)
# Xorg wants to check if kernel is tainted
kernel_read_kernel_sysctls(xserver_t)
kernel_write_proc_files(xserver_t)
@@ -24256,7 +24065,7 @@ index 2696452..adbe339 100644
corenet_all_recvfrom_netlabel(xserver_t)
corenet_tcp_sendrecv_generic_if(xserver_t)
corenet_udp_sendrecv_generic_if(xserver_t)
-@@ -667,23 +1142,28 @@ dev_rw_apm_bios(xserver_t)
+@@ -677,23 +1146,28 @@ dev_rw_apm_bios(xserver_t)
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -24288,7 +24097,7 @@ index 2696452..adbe339 100644
# brought on by rhgb
files_search_mnt(xserver_t)
-@@ -694,7 +1174,16 @@ fs_getattr_xattr_fs(xserver_t)
+@@ -704,7 +1178,16 @@ fs_getattr_xattr_fs(xserver_t)
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -24306,7 +24115,7 @@ index 2696452..adbe339 100644
mls_xwin_read_to_clearance(xserver_t)
selinux_validate_context(xserver_t)
-@@ -708,20 +1197,18 @@ init_getpgid(xserver_t)
+@@ -718,20 +1201,18 @@ init_getpgid(xserver_t)
term_setattr_unallocated_ttys(xserver_t)
term_use_unallocated_ttys(xserver_t)
@@ -24330,7 +24139,7 @@ index 2696452..adbe339 100644
userdom_search_user_home_dirs(xserver_t)
userdom_use_user_ttys(xserver_t)
-@@ -729,8 +1216,6 @@ userdom_setattr_user_ttys(xserver_t)
+@@ -739,8 +1220,6 @@ userdom_setattr_user_ttys(xserver_t)
userdom_read_user_tmp_files(xserver_t)
userdom_rw_user_tmpfs_files(xserver_t)
@@ -24339,7 +24148,7 @@ index 2696452..adbe339 100644
ifndef(`distro_redhat',`
allow xserver_t self:process { execmem execheap execstack };
domain_mmap_low_uncond(xserver_t)
-@@ -775,16 +1260,44 @@ optional_policy(`
+@@ -785,16 +1264,44 @@ optional_policy(`
')
optional_policy(`
@@ -24385,7 +24194,7 @@ index 2696452..adbe339 100644
unconfined_domtrans(xserver_t)
')
-@@ -793,6 +1306,10 @@ optional_policy(`
+@@ -803,6 +1310,10 @@ optional_policy(`
')
optional_policy(`
@@ -24396,7 +24205,7 @@ index 2696452..adbe339 100644
xfs_stream_connect(xserver_t)
')
-@@ -808,10 +1325,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
+@@ -818,10 +1329,10 @@ allow xserver_t xdm_t:shm rw_shm_perms;
# NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open
# handle of a file inside the dir!!!
@@ -24410,7 +24219,7 @@ index 2696452..adbe339 100644
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -819,7 +1336,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
+@@ -829,7 +1340,7 @@ manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
# Run xkbcomp.
@@ -24419,7 +24228,7 @@ index 2696452..adbe339 100644
can_exec(xserver_t, xkb_var_lib_t)
# VNC v4 module in X server
-@@ -832,26 +1349,21 @@ init_use_fds(xserver_t)
+@@ -842,26 +1353,21 @@ init_use_fds(xserver_t)
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -24454,7 +24263,7 @@ index 2696452..adbe339 100644
')
optional_policy(`
-@@ -902,7 +1414,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
+@@ -912,7 +1418,7 @@ allow x_domain xproperty_t:x_property { getattr create read write append destroy
allow x_domain root_xdrawable_t:x_drawable { getattr setattr list_child add_child remove_child send receive hide show };
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -24463,7 +24272,7 @@ index 2696452..adbe339 100644
# operations allowed on all windows
allow x_domain x_domain:x_drawable { getattr get_property set_property remove_child };
-@@ -956,11 +1468,31 @@ allow x_domain self:x_resource { read write };
+@@ -966,11 +1472,31 @@ allow x_domain self:x_resource { read write };
# can mess with the screensaver
allow x_domain xserver_t:x_screen { getattr saver_getattr };
@@ -24495,7 +24304,7 @@ index 2696452..adbe339 100644
tunable_policy(`! xserver_object_manager',`
# should be xserver_unconfined(x_domain),
# but typeattribute doesnt work in conditionals
-@@ -982,18 +1514,150 @@ tunable_policy(`! xserver_object_manager',`
+@@ -992,18 +1518,150 @@ tunable_policy(`! xserver_object_manager',`
allow x_domain xevent_type:{ x_event x_synthetic_event } *;
')
@@ -24819,7 +24628,7 @@ index c6fdab7..af71c62 100644
sudo_sigchld(application_domain_type)
')
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 28ad538..003b09a 100644
+index 2479587..39239cf 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -1,14 +1,28 @@
@@ -24882,7 +24691,7 @@ index 28ad538..003b09a 100644
/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
-@@ -30,20 +55,24 @@ ifdef(`distro_gentoo', `
+@@ -30,21 +55,25 @@ ifdef(`distro_gentoo', `
/var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/lib/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
@@ -24910,7 +24719,8 @@ index 28ad538..003b09a 100644
/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
- /var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+ /var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+ /var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 3efd5b6..08c3e93 100644
--- a/policy/modules/system/authlogin.if
@@ -25742,10 +25552,10 @@ index 3efd5b6..08c3e93 100644
+ allow $1 login_pgm:process sigchld;
+')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index 104037e..348e8cf 100644
+index 09b791d..c3d52f9 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
-@@ -5,6 +5,19 @@ policy_module(authlogin, 2.4.2)
+@@ -5,6 +5,19 @@ policy_module(authlogin, 2.5.1)
# Declarations
#
@@ -26240,7 +26050,7 @@ index d475c2d..55305d5 100644
+ files_etc_filetrans($1, adjtime_t, file, "adjtime" )
+')
diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
-index 3694bfe..7fcd27a 100644
+index edece47..cb014fd 100644
--- a/policy/modules/system/clock.te
+++ b/policy/modules/system/clock.te
@@ -46,18 +46,19 @@ fs_search_auto_mountpoints(hwclock_t)
@@ -26278,7 +26088,7 @@ index 3694bfe..7fcd27a 100644
')
diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
-index a97a096..bf726c3 100644
+index 948ce2a..1b38e87 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -1,4 +1,3 @@
@@ -26294,8 +26104,8 @@ index a97a096..bf726c3 100644
/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-@@ -35,13 +33,53 @@
- /sbin/sfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+@@ -36,14 +34,53 @@
+ /sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/xfs_growfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -26332,7 +26142,7 @@ index a97a096..bf726c3 100644
+/usr/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/mkraid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/mkreiserfs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-+/usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+ /usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/raidautorun -- gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -26378,7 +26188,7 @@ index 016a770..1effeb4 100644
+ files_pid_filetrans($1, fsadm_var_run_t, dir, "blkid")
+')
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
-index 6c4b6ee..f512b72 100644
+index 3f48d30..3701405 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -13,6 +13,9 @@ role system_r types fsadm_t;
@@ -26568,7 +26378,7 @@ index e4376aa..2c98c56 100644
+ allow $1 getty_unit_file_t:service start;
+')
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
-index fc38c9c..4740426 100644
+index f6743ea..c23209c 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -27,6 +27,17 @@ files_tmp_file(getty_tmp_t)
@@ -26646,10 +26456,10 @@ index 9dfecf7..6d00f5c 100644
+
+/usr/bin/hostname -- gen_context(system_u:object_r:hostname_exec_t,s0)
diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
-index f6cbda9..51e9aef 100644
+index 24a7889..d97f6d5 100644
--- a/policy/modules/system/hostname.te
+++ b/policy/modules/system/hostname.te
-@@ -23,39 +23,46 @@ dontaudit hostname_t self:capability sys_tty_config;
+@@ -23,33 +23,36 @@ dontaudit hostname_t self:capability sys_tty_config;
kernel_list_proc(hostname_t)
kernel_read_proc_symlinks(hostname_t)
@@ -26687,8 +26497,9 @@ index f6cbda9..51e9aef 100644
-miscfiles_read_localization(hostname_t)
+ sysnet_dontaudit_rw_dhcpc_udp_sockets(hostname_t)
sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t)
- sysnet_read_config(hostname_t)
+@@ -57,6 +60,10 @@ sysnet_read_config(hostname_t)
sysnet_dns_name_resolve(hostname_t)
optional_policy(`
@@ -26726,7 +26537,7 @@ index 40eb10c..2a0a32c 100644
corecmd_search_bin($1)
diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
-index bb5c4a6..7ebb938 100644
+index b2097e7..0a49e14 100644
--- a/policy/modules/system/hotplug.te
+++ b/policy/modules/system/hotplug.te
@@ -23,7 +23,7 @@ files_pid_file(hotplug_var_run_t)
@@ -26781,7 +26592,7 @@ index bb5c4a6..7ebb938 100644
')
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
-index 9a4d3a7..9d960bb 100644
+index bc0ffc8..8de430d 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -1,6 +1,9 @@
@@ -26806,7 +26617,7 @@ index 9a4d3a7..9d960bb 100644
/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
# because nowadays, /sbin/init is often a symlink to /sbin/upstart
/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
-@@ -42,19 +50,33 @@ ifdef(`distro_gentoo', `
+@@ -42,20 +50,34 @@ ifdef(`distro_gentoo', `
#
/usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
@@ -26832,6 +26643,7 @@ index 9a4d3a7..9d960bb 100644
# /var
#
+/var/lib/systemd(/.*)? gen_context(system_u:object_r:init_var_lib_t,s0)
+ /var/run/initctl -p gen_context(system_u:object_r:initctl_t,s0)
/var/run/utmp -- gen_context(system_u:object_r:initrc_var_run_t,s0)
/var/run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0)
/var/run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0)
@@ -26840,13 +26652,13 @@ index 9a4d3a7..9d960bb 100644
ifdef(`distro_debian',`
/var/run/hotkey-setup -- gen_context(system_u:object_r:initrc_var_run_t,s0)
-@@ -73,3 +95,4 @@ ifdef(`distro_suse', `
+@@ -74,3 +96,4 @@ ifdef(`distro_suse', `
/var/run/setleds-on -- gen_context(system_u:object_r:initrc_var_run_t,s0)
/var/run/sysconfig(/.*)? gen_context(system_u:object_r:initrc_var_run_t,s0)
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 24e7804..76da5dd 100644
+index 79a45f6..edf52ea 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1,5 +1,21 @@
@@ -27546,7 +27358,7 @@ index 24e7804..76da5dd 100644
## pty is generally opened by the open_init_pty
## portion of the run_init program so that the
## daemon does not require direct access to
-@@ -1526,6 +1826,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1547,6 +1847,25 @@ interface(`init_getattr_script_status_files',`
########################################
##
@@ -27572,7 +27384,7 @@ index 24e7804..76da5dd 100644
## Do not audit attempts to read init script
## status files.
##
-@@ -1584,6 +1903,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1605,6 +1924,24 @@ interface(`init_rw_script_tmp_files',`
########################################
##
@@ -27597,7 +27409,7 @@ index 24e7804..76da5dd 100644
## Create files in a init script
## temporary data directory.
##
-@@ -1656,6 +1993,43 @@ interface(`init_read_utmp',`
+@@ -1677,6 +2014,43 @@ interface(`init_read_utmp',`
########################################
##
@@ -27641,7 +27453,7 @@ index 24e7804..76da5dd 100644
## Do not audit attempts to write utmp.
##
##
-@@ -1744,7 +2118,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1765,7 +2139,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t;
')
@@ -27650,7 +27462,7 @@ index 24e7804..76da5dd 100644
')
########################################
-@@ -1785,6 +2159,133 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1806,6 +2180,133 @@ interface(`init_pid_filetrans_utmp',`
files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
')
@@ -27784,7 +27596,7 @@ index 24e7804..76da5dd 100644
########################################
##
## Allow the specified domain to connect to daemon with a tcp socket
-@@ -1819,3 +2320,360 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1840,3 +2341,360 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -28146,7 +27958,7 @@ index 24e7804..76da5dd 100644
+ files_etc_filetrans($1, machineid_t, file, "machine-id" )
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index dd3be8d..0996734 100644
+index 17eda24..885091e 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -11,10 +11,31 @@ gen_require(`
@@ -28638,19 +28450,19 @@ index dd3be8d..0996734 100644
')
########################################
-@@ -225,8 +525,9 @@ optional_policy(`
+@@ -225,9 +525,9 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
-allow initrc_t self:capability ~{ sys_admin sys_module };
--dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
+allow initrc_t self:capability ~{ sys_ptrace audit_control audit_write sys_admin sys_module };
-+allow initrc_t self:capability2 block_suspend;
+ allow initrc_t self:capability2 block_suspend;
+-dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
+dontaudit initrc_t self:capability { sys_ptrace sys_module }; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -257,12 +558,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -258,12 +558,16 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -28667,7 +28479,7 @@ index dd3be8d..0996734 100644
manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-@@ -278,23 +583,36 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -279,23 +583,36 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -28710,7 +28522,7 @@ index dd3be8d..0996734 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -302,9 +620,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -303,9 +620,11 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -28722,7 +28534,7 @@ index dd3be8d..0996734 100644
dev_rw_sysfs(initrc_t)
dev_list_usbfs(initrc_t)
dev_read_framebuffer(initrc_t)
-@@ -312,8 +632,10 @@ dev_write_framebuffer(initrc_t)
+@@ -313,8 +632,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -28733,7 +28545,7 @@ index dd3be8d..0996734 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -321,8 +643,7 @@ dev_manage_generic_files(initrc_t)
+@@ -322,8 +643,7 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -28743,7 +28555,7 @@ index dd3be8d..0996734 100644
domain_kill_all_domains(initrc_t)
domain_signal_all_domains(initrc_t)
-@@ -331,7 +652,6 @@ domain_sigstop_all_domains(initrc_t)
+@@ -332,7 +652,6 @@ domain_sigstop_all_domains(initrc_t)
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -28751,7 +28563,7 @@ index dd3be8d..0996734 100644
domain_getsession_all_domains(initrc_t)
domain_use_interactive_fds(initrc_t)
# for lsof which is used by alsa shutdown:
-@@ -339,6 +659,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -340,6 +659,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -28759,7 +28571,7 @@ index dd3be8d..0996734 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -346,14 +667,15 @@ files_getattr_all_symlinks(initrc_t)
+@@ -347,14 +667,15 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -28777,7 +28589,7 @@ index dd3be8d..0996734 100644
files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t)
files_manage_generic_spool(initrc_t)
-@@ -363,8 +685,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -364,8 +685,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -28791,7 +28603,7 @@ index dd3be8d..0996734 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -374,10 +700,11 @@ fs_mount_all_fs(initrc_t)
+@@ -375,10 +700,11 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -28805,7 +28617,7 @@ index dd3be8d..0996734 100644
mcs_process_set_categories(initrc_t)
mls_file_read_all_levels(initrc_t)
-@@ -386,6 +713,7 @@ mls_process_read_up(initrc_t)
+@@ -387,6 +713,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -28813,7 +28625,7 @@ index dd3be8d..0996734 100644
selinux_get_enforce_mode(initrc_t)
-@@ -397,6 +725,7 @@ term_use_all_terms(initrc_t)
+@@ -398,6 +725,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -28821,7 +28633,7 @@ index dd3be8d..0996734 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -415,20 +744,18 @@ logging_read_all_logs(initrc_t)
+@@ -416,20 +744,18 @@ logging_read_all_logs(initrc_t)
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -28845,7 +28657,7 @@ index dd3be8d..0996734 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -450,7 +777,6 @@ ifdef(`distro_gentoo',`
+@@ -451,7 +777,6 @@ ifdef(`distro_gentoo',`
allow initrc_t self:process setfscreate;
dev_create_null_dev(initrc_t)
dev_create_zero_dev(initrc_t)
@@ -28853,7 +28665,7 @@ index dd3be8d..0996734 100644
term_create_console_dev(initrc_t)
# unfortunately /sbin/rc does stupid tricks
-@@ -485,6 +811,10 @@ ifdef(`distro_gentoo',`
+@@ -486,6 +811,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -28864,7 +28676,7 @@ index dd3be8d..0996734 100644
alsa_read_lib(initrc_t)
')
-@@ -505,7 +835,7 @@ ifdef(`distro_redhat',`
+@@ -506,7 +835,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -28873,7 +28685,7 @@ index dd3be8d..0996734 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -520,6 +850,7 @@ ifdef(`distro_redhat',`
+@@ -521,6 +850,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -28881,7 +28693,7 @@ index dd3be8d..0996734 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -540,6 +871,7 @@ ifdef(`distro_redhat',`
+@@ -541,6 +871,7 @@ ifdef(`distro_redhat',`
miscfiles_rw_localization(initrc_t)
miscfiles_setattr_localization(initrc_t)
miscfiles_relabel_localization(initrc_t)
@@ -28889,7 +28701,7 @@ index dd3be8d..0996734 100644
miscfiles_read_fonts(initrc_t)
miscfiles_read_hwdata(initrc_t)
-@@ -549,8 +881,44 @@ ifdef(`distro_redhat',`
+@@ -550,8 +881,44 @@ ifdef(`distro_redhat',`
')
optional_policy(`
@@ -28934,7 +28746,7 @@ index dd3be8d..0996734 100644
')
optional_policy(`
-@@ -558,14 +926,31 @@ ifdef(`distro_redhat',`
+@@ -559,14 +926,31 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -28966,7 +28778,7 @@ index dd3be8d..0996734 100644
')
')
-@@ -576,6 +961,39 @@ ifdef(`distro_suse',`
+@@ -577,6 +961,39 @@ ifdef(`distro_suse',`
')
')
@@ -29006,7 +28818,7 @@ index dd3be8d..0996734 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -588,6 +1006,8 @@ optional_policy(`
+@@ -589,6 +1006,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -29015,7 +28827,7 @@ index dd3be8d..0996734 100644
')
optional_policy(`
-@@ -609,6 +1029,7 @@ optional_policy(`
+@@ -610,6 +1029,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -29023,7 +28835,7 @@ index dd3be8d..0996734 100644
')
optional_policy(`
-@@ -625,6 +1046,17 @@ optional_policy(`
+@@ -626,6 +1046,17 @@ optional_policy(`
')
optional_policy(`
@@ -29041,7 +28853,7 @@ index dd3be8d..0996734 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -641,9 +1073,13 @@ optional_policy(`
+@@ -642,9 +1073,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -29055,7 +28867,7 @@ index dd3be8d..0996734 100644
')
optional_policy(`
-@@ -656,15 +1092,11 @@ optional_policy(`
+@@ -657,15 +1092,11 @@ optional_policy(`
')
optional_policy(`
@@ -29073,7 +28885,7 @@ index dd3be8d..0996734 100644
')
optional_policy(`
-@@ -685,6 +1117,15 @@ optional_policy(`
+@@ -686,6 +1117,15 @@ optional_policy(`
')
optional_policy(`
@@ -29089,7 +28901,7 @@ index dd3be8d..0996734 100644
inn_exec_config(initrc_t)
')
-@@ -725,6 +1166,7 @@ optional_policy(`
+@@ -726,6 +1166,7 @@ optional_policy(`
lpd_list_spool(initrc_t)
lpd_read_config(initrc_t)
@@ -29097,7 +28909,7 @@ index dd3be8d..0996734 100644
')
optional_policy(`
-@@ -742,7 +1184,13 @@ optional_policy(`
+@@ -743,7 +1184,13 @@ optional_policy(`
')
optional_policy(`
@@ -29112,7 +28924,7 @@ index dd3be8d..0996734 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -765,6 +1213,10 @@ optional_policy(`
+@@ -766,6 +1213,10 @@ optional_policy(`
')
optional_policy(`
@@ -29123,7 +28935,7 @@ index dd3be8d..0996734 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -774,10 +1226,20 @@ optional_policy(`
+@@ -775,10 +1226,20 @@ optional_policy(`
')
optional_policy(`
@@ -29144,7 +28956,7 @@ index dd3be8d..0996734 100644
quota_manage_flags(initrc_t)
')
-@@ -786,6 +1248,10 @@ optional_policy(`
+@@ -787,6 +1248,10 @@ optional_policy(`
')
optional_policy(`
@@ -29155,7 +28967,7 @@ index dd3be8d..0996734 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -807,8 +1273,6 @@ optional_policy(`
+@@ -808,8 +1273,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -29164,7 +28976,7 @@ index dd3be8d..0996734 100644
')
optional_policy(`
-@@ -817,6 +1281,10 @@ optional_policy(`
+@@ -818,6 +1281,10 @@ optional_policy(`
')
optional_policy(`
@@ -29175,7 +28987,7 @@ index dd3be8d..0996734 100644
# shorewall-init script run /var/lib/shorewall/firewall
shorewall_lib_domtrans(initrc_t)
')
-@@ -826,10 +1294,12 @@ optional_policy(`
+@@ -827,10 +1294,12 @@ optional_policy(`
squid_manage_logs(initrc_t)
')
@@ -29188,7 +29000,7 @@ index dd3be8d..0996734 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -856,12 +1326,33 @@ optional_policy(`
+@@ -857,12 +1326,33 @@ optional_policy(`
')
optional_policy(`
@@ -29223,7 +29035,7 @@ index dd3be8d..0996734 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -871,6 +1362,18 @@ optional_policy(`
+@@ -872,6 +1362,18 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -29242,7 +29054,7 @@ index dd3be8d..0996734 100644
')
optional_policy(`
-@@ -886,6 +1389,10 @@ optional_policy(`
+@@ -887,6 +1389,10 @@ optional_policy(`
')
optional_policy(`
@@ -29253,7 +29065,7 @@ index dd3be8d..0996734 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -896,3 +1403,218 @@ optional_policy(`
+@@ -897,3 +1403,218 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -29714,7 +29526,7 @@ index 0d4c8d3..e6ffda3 100644
+ ps_process_pattern($1, ipsec_mgmt_t)
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
-index 9e54bf9..ceb7f99 100644
+index 312cd04..3e655ec 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -48,6 +48,9 @@ init_system_domain(ipsec_mgmt_t, ipsec_mgmt_exec_t)
@@ -29999,34 +29811,41 @@ index 9e54bf9..ceb7f99 100644
+userdom_use_inherited_user_terminals(setkey_t)
+userdom_read_user_tmp_files(setkey_t)
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
-index 1b93eb7..b2532aa 100644
+index 73a1c4e..e0d3d07 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
-@@ -1,21 +1,27 @@
+@@ -1,22 +1,28 @@
/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
-/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
+/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-+
-+/usr/lib/systemd/system/iptables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
-+/usr/lib/systemd/system/ip6tables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
- /sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
+-/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/lib/systemd/system/iptables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
++/usr/lib/systemd/system/ip6tables.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
++
++/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
- /sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
+-/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/sbin/ip6?tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
+-/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/sbin/ip6?tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ip6?tables-restore.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/sbin/ip6?tables-multi.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
- /sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/sbin/ip6?tables-multi.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
- /sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
- /sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
-
-+/usr/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
+-/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
+-/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
+
+-/usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)
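Review bot: The re-ordered inner hunk for iptables.fc now deletes and re-adds lines that read identically here — `/sbin/ebtables`, `/sbin/ipchains.*`, `/sbin/ipvsadm`, `/sbin/ipvsadm-save`, `/sbin/xtables-multi` and `/usr/sbin/conntrack` — which is pure churn that will conflict again on the next rebase; if they really are byte-identical (a tab-versus-space difference would not be visible in this rendering), regenerate the patch so they stay context lines, and if the difference is whitespace-only, say so in the patch description. Separately, `/sbin/ip6?tables.*` already matches `iptables-restore` and `iptables-multi`, so the `-restore.*` and `-multi.*` entries that follow are redundant; all three label iptables_exec_t, so this is cosmetic, but the wildcard also makes any other `/sbin/iptables*` binary an entrypoint to iptables_t, which deserves a comment if intended, e.g. `# .* also covers -save/-restore/-multi wrappers`. The /usr/sbin entries further down repeat the same wildcard pattern.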
@@ -30036,7 +29855,7 @@ index 1b93eb7..b2532aa 100644
+/usr/sbin/ip6?tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ip6?tables-restore.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ip6?tables-multi.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
-+/usr/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
++/usr/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
@@ -30086,7 +29905,7 @@ index c42fbc3..174cfdb 100644
##
## Set the attributes of iptables config files.
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
-index 5dfa44b..cafb28e 100644
+index be8ed1e..121cda3 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -16,15 +16,15 @@ role iptables_roles types iptables_t;
@@ -30708,7 +30527,7 @@ index 808ba93..9d8f729 100644
+ files_etc_filetrans($1, ld_so_cache_t, file, "ld.so.preload~")
+')
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
-index 23a645e..52a8540 100644
+index 54f8fa5..b4c7957 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -32,14 +32,14 @@ files_tmp_file(ldconfig_tmp_t)
@@ -30897,7 +30716,7 @@ index 0e3c2a9..ea9bd57 100644
+ userdom_admin_home_dir_filetrans($1, local_login_home_t, file, ".hushlogin")
+')
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index c04ac46..ed59137 100644
+index 446fa99..6f7dc10 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -13,9 +13,8 @@ auth_login_entry_type(local_login_t)
@@ -31590,10 +31409,10 @@ index 4e94884..9b82ed0 100644
+ logging_log_filetrans($1, var_log_t, dir, "anaconda")
+')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 39ea221..616d6a8 100644
+index 59b04c1..b4f9029 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
-@@ -4,6 +4,21 @@ policy_module(logging, 1.19.6)
+@@ -4,6 +4,21 @@ policy_module(logging, 1.20.1)
#
# Declarations
#
@@ -31774,23 +31593,24 @@ index 39ea221..616d6a8 100644
mls_file_read_all_levels(klogd_t)
-@@ -354,12 +392,12 @@ optional_policy(`
- # chown fsetid for syslog-ng
+@@ -355,13 +393,12 @@ optional_policy(`
# sys_admin for the integrated klog of syslog-ng and metalog
+ # sys_nice for rsyslog
# cjp: why net_admin!
--allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
+-allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid };
+allow syslogd_t self:capability { sys_ptrace dac_override sys_resource sys_tty_config ipc_lock net_admin setgid setuid sys_admin sys_nice chown fsetid setuid setgid };
dontaudit syslogd_t self:capability sys_tty_config;
+allow syslogd_t self:capability2 { syslog block_suspend };
# setpgid for metalog
# setrlimit for syslog-ng
-# getsched for syslog-ng
--allow syslogd_t self:process { signal_perms setpgid setrlimit getsched };
+-# setsched for rsyslog
+-allow syslogd_t self:process { signal_perms setpgid setrlimit getsched setsched };
+allow syslogd_t self:process { signal_perms getcap setcap setpgid getsched setsched setrlimit };
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -369,6 +407,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
+@@ -371,6 +408,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;
allow syslogd_t syslog_conf_t:file read_file_perms;
@@ -31798,15 +31618,7 @@ index 39ea221..616d6a8 100644
# Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
-@@ -377,6 +416,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
- # create/append log files.
- manage_files_pattern(syslogd_t, var_log_t, var_log_t)
- rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
-+files_search_spool(syslogd_t)
-
- # Allow access for syslog-ng
- allow syslogd_t var_log_t:dir { create setattr };
-@@ -386,28 +426,41 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -389,30 +427,42 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
@@ -31823,12 +31635,13 @@ index 39ea221..616d6a8 100644
+kernel_rw_stream_socket_perms(syslogd_t)
kernel_read_system_state(syslogd_t)
-+kernel_read_network_state(syslogd_t)
+ kernel_read_network_state(syslogd_t)
kernel_read_kernel_sysctls(syslogd_t)
kernel_read_proc_symlinks(syslogd_t)
# Allow access to /proc/kmsg for syslog-ng
kernel_read_messages(syslogd_t)
+kernel_request_load_module(syslogd_t)
+ kernel_read_vm_sysctls(syslogd_t)
kernel_clear_ring_buffer(syslogd_t)
kernel_change_ring_buffer_level(syslogd_t)
+kernel_read_ring_buffer(syslogd_t)
@@ -31851,7 +31664,7 @@ index 39ea221..616d6a8 100644
# syslog-ng can listen and connect on tcp port 514 (rsh)
corenet_tcp_sendrecv_generic_if(syslogd_t)
corenet_tcp_sendrecv_generic_node(syslogd_t)
-@@ -417,6 +470,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
+@@ -422,6 +472,8 @@ corenet_tcp_bind_rsh_port(syslogd_t)
corenet_tcp_connect_rsh_port(syslogd_t)
# Allow users to define additional syslog ports to connect to
corenet_tcp_bind_syslogd_port(syslogd_t)
@@ -31860,7 +31673,7 @@ index 39ea221..616d6a8 100644
corenet_tcp_connect_syslogd_port(syslogd_t)
corenet_tcp_connect_postgresql_port(syslogd_t)
corenet_tcp_connect_mysqld_port(syslogd_t)
-@@ -427,9 +482,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
+@@ -432,9 +484,26 @@ corenet_sendrecv_syslogd_server_packets(syslogd_t)
corenet_sendrecv_postgresql_client_packets(syslogd_t)
corenet_sendrecv_mysqld_client_packets(syslogd_t)
@@ -31888,7 +31701,7 @@ index 39ea221..616d6a8 100644
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
-@@ -442,14 +514,19 @@ files_read_kernel_symbol_table(syslogd_t)
+@@ -447,14 +516,19 @@ files_read_kernel_symbol_table(syslogd_t)
files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
fs_getattr_all_fs(syslogd_t)
@@ -31908,7 +31721,7 @@ index 39ea221..616d6a8 100644
# for sending messages to logged in users
init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
-@@ -461,11 +538,11 @@ init_use_fds(syslogd_t)
+@@ -466,11 +540,11 @@ init_use_fds(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
@@ -31923,7 +31736,7 @@ index 39ea221..616d6a8 100644
ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel
-@@ -502,15 +579,40 @@ optional_policy(`
+@@ -507,15 +581,40 @@ optional_policy(`
')
optional_policy(`
@@ -31964,7 +31777,7 @@ index 39ea221..616d6a8 100644
')
optional_policy(`
-@@ -521,3 +623,26 @@ optional_policy(`
+@@ -526,3 +625,26 @@ optional_policy(`
# log to the xconsole
xserver_rw_console(syslogd_t)
')
@@ -31992,10 +31805,10 @@ index 39ea221..616d6a8 100644
+
+logging_stream_connect_syslog(syslog_client_type)
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
-index 879bb1e..b250b3e 100644
+index 6b91740..b250b3e 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
-@@ -23,28 +23,35 @@ ifdef(`distro_gentoo',`
+@@ -23,6 +23,8 @@ ifdef(`distro_gentoo',`
/etc/lvmtab(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
/etc/lvmtab\.d(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
@@ -32004,10 +31817,7 @@ index 879bb1e..b250b3e 100644
#
# /lib
#
- /lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
- /lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
-+/lib/udev/udisks-lvm-pv-export -- gen_context(system_u:object_r:lvm_exec_t,s0)
-
+@@ -33,19 +35,23 @@ ifdef(`distro_gentoo',`
#
# /sbin
#
@@ -32032,7 +31842,7 @@ index 879bb1e..b250b3e 100644
/sbin/lvmiopversion -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/lvmsadc -- gen_context(system_u:object_r:lvm_exec_t,s0)
/sbin/lvmsar -- gen_context(system_u:object_r:lvm_exec_t,s0)
-@@ -88,8 +95,72 @@ ifdef(`distro_gentoo',`
+@@ -89,8 +95,72 @@ ifdef(`distro_gentoo',`
#
# /usr
#
@@ -32107,7 +31917,7 @@ index 879bb1e..b250b3e 100644
#
# /var
-@@ -97,5 +168,8 @@ ifdef(`distro_gentoo',`
+@@ -98,5 +168,8 @@ ifdef(`distro_gentoo',`
/var/cache/multipathd(/.*)? gen_context(system_u:object_r:lvm_metadata_t,s0)
/var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0)
/var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
@@ -32216,7 +32026,7 @@ index 58bc27f..51e9872 100644
+ allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
+')
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index e8c59a5..b22837c 100644
+index 79048c4..55d6ce4 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
@@ -32473,8 +32283,8 @@ index e8c59a5..b22837c 100644
+
+optional_policy(`
udev_read_db(lvm_t)
+ udev_read_pid_files(lvm_t)
')
-
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 9fe8e01..83acb32 100644
--- a/policy/modules/system/miscfiles.fc
@@ -32771,10 +32581,10 @@ index fc28bc3..416ac0f 100644
+ files_var_filetrans($1, public_content_t, dir, "ftp")
+')
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
-index d6293de..8f8d80d 100644
+index 1361961..be6b7fc 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
-@@ -4,7 +4,6 @@ policy_module(miscfiles, 1.10.2)
+@@ -4,7 +4,6 @@ policy_module(miscfiles, 1.11.0)
#
# Declarations
#
@@ -32921,10 +32731,10 @@ index 7449974..6375786 100644
+ files_kernel_modules_filetrans($1, modules_dep_t, file, "modules.dep.bin")
+')
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
-index 7a49e28..82004c9 100644
+index 7a363b8..6f9d5d5 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
-@@ -5,7 +5,7 @@ policy_module(modutils, 1.13.3)
+@@ -5,7 +5,7 @@ policy_module(modutils, 1.14.0)
# Declarations
#
@@ -33188,10 +32998,10 @@ index 7a49e28..82004c9 100644
ifdef(`distro_gentoo',`
diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
-index 72c746e..f035d9f 100644
+index a38605e..f035d9f 100644
--- a/policy/modules/system/mount.fc
+++ b/policy/modules/system/mount.fc
-@@ -1,4 +1,26 @@
+@@ -1,6 +1,26 @@
+/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0)
/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
@@ -33199,7 +33009,8 @@ index 72c746e..f035d9f 100644
-/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
+/dev/\.mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
+/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
-+
+
+-/var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
+/sbin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
+/sbin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
+
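Review bot: The patch now deletes upstream's `/var/run/mount(/.*)?` file context while keeping the `/run/mount(/.*)?` entry added a few lines up, so labeling of mount's runtime directory as `mount_var_run_t` depends on `/var/run` being mapped to `/run` by a file_contexts.subs entry that is not visible here. If that mapping is not guaranteed on every target, keep the `/var/run/mount(/.*)?` line next to `/run/mount(/.*)?` so restorecon labels both paths. Presumably the removal is deliberate for the /run layout; a one-line comment above the `/run/mount` entry noting the subs dependency would make that explicit.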
@@ -33220,7 +33031,7 @@ index 72c746e..f035d9f 100644
+/usr/sbin/umount\.ecryptfs_private -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
+/usr/sbin/umount\.ecryptfs -- gen_context(system_u:object_r:mount_ecryptfs_exec_t,s0)
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
-index 4584457..e432df3 100644
+index 4584457..fb1c881 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -16,6 +16,13 @@ interface(`mount_domtrans',`
@@ -33237,46 +33048,18 @@ index 4584457..e432df3 100644
')
########################################
-@@ -38,11 +45,122 @@ interface(`mount_domtrans',`
- #
+@@ -39,6 +46,7 @@ interface(`mount_domtrans',`
interface(`mount_run',`
gen_require(`
-- attribute_role mount_roles;
-+ #attribute_role mount_roles;
+ attribute_role mount_roles;
+ type mount_t;
')
-+ #mount_domtrans($1)
-+ #roleattribute $2 mount_roles;
-+
mount_domtrans($1)
-- roleattribute $2 mount_roles;
-+ role $2 types mount_t;
-+
-+ optional_policy(`
-+ fstools_run(mount_t, $2)
-+ ')
-+
-+ optional_policy(`
-+ lvm_run(mount_t, $2)
-+ ')
-+
-+ optional_policy(`
-+ modutils_run_insmod(mount_t, $2)
-+ ')
-+
-+ optional_policy(`
-+ rpc_run_rpcd(mount_t, $2)
-+ ')
-+
-+ optional_policy(`
-+ samba_run_smbmount(mount_t, $2)
-+ ')
-+
-+')
-+
-+########################################
-+##
+@@ -47,6 +55,92 @@ interface(`mount_run',`
+
+ ########################################
+ ##
+## Execute fusermount in the mount domain, and
+## allow the specified role the mount domain,
+## and use the caller's terminal.
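Review bot: `type mount_t;` is added to mount_run's gen_require, but with role authorization going back through `attribute_role mount_roles` on the line above it, nothing visible in the interface references mount_t directly — `mount_domtrans` declares its own requirement. If the rest of the interface, which lies outside this hunk, no longer contains `role $2 types mount_t`, the extra require is dead and should be dropped; if it still does, that line duplicates what `roleattribute $2 mount_roles` already grants. The old patch text nested `fstools_run`/`lvm_run`/`modutils_run_insmod` calls inside mount_run; expressing those once in mount.te against mount_roles is the cleaner shape, so their removal here is presumably intended.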
@@ -33359,10 +33142,14 @@ index 4584457..e432df3 100644
+
+ allow $1 mount_var_run_t:file manage_file_perms;
+ files_search_pids($1)
- ')
-
- ########################################
-@@ -91,7 +209,7 @@ interface(`mount_signal',`
++')
++
++########################################
++##
+ ## Execute mount in the caller domain.
+ ##
+ ##
+@@ -91,7 +185,7 @@ interface(`mount_signal',`
##
##
##
@@ -33371,7 +33158,7 @@ index 4584457..e432df3 100644
##
##
#
-@@ -131,45 +249,138 @@ interface(`mount_send_nfs_client_request',`
+@@ -131,45 +225,184 @@ interface(`mount_send_nfs_client_request',`
########################################
##
@@ -33445,7 +33232,7 @@ index 4584457..e432df3 100644
- mount_domtrans_unconfined($1)
- role $2 types unconfined_mount_t;
+ can_exec($1, fusermount_exec_t)
-+')
+ ')
+
+########################################
+##
@@ -33525,12 +33312,58 @@ index 4584457..e432df3 100644
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, mount_ecryptfs_exec_t, mount_ecryptfs_t)
- ')
++')
++
++#######################################
++##
++## Execute mount in the unconfined mount domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`mount_domtrans_unconfined',`
++ gen_require(`
++ type unconfined_mount_t, mount_exec_t;
++ ')
++
++ domtrans_pattern($1, mount_exec_t, unconfined_mount_t)
++')
++
++#######################################
++##
++## Execute mount in the unconfined mount domain, and
++## allow the specified role the unconfined mount domain,
++## and use the caller's terminal.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`mount_run_unconfined',`
++ gen_require(`
++ type unconfined_mount_t;
++ ')
++
++ mount_domtrans_unconfined($1)
++ role $2 types unconfined_mount_t;
++')
++
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
-index 6a50270..d941116 100644
+index 459a0ef..9a50d63 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
-@@ -5,40 +5,58 @@ policy_module(mount, 1.15.1)
+@@ -5,13 +5,6 @@ policy_module(mount, 1.16.1)
# Declarations
#
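Review bot: `mount_domtrans_unconfined` calls `domtrans_pattern($1, mount_exec_t, unconfined_mount_t)` without the `corecmd_search_bin($1)` that the other domtrans interfaces in this file carry (see `mount_domtrans_ecryptfs` just above), so a caller that cannot already search bin directories fails before reaching the entrypoint; add `corecmd_search_bin($1)` before the `domtrans_pattern` line. Because `unconfined_mount_t` is made an unconfined domain in mount.te's optional_policy block when the unconfined module is present, `mount_run_unconfined` effectively hands its caller an unconfined transition through `mount_exec_t`. A short `##` comment on the interface stating this, and that a source domain must not also be given `mount_domtrans` on the same entrypoint (two type_transitions on one source/entrypoint pair conflict), would help reviewers of future callers.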
@@ -33541,24 +33374,19 @@ index 6a50270..d941116 100644
-##
-gen_tunable(allow_mount_anyfile, false)
-
--attribute_role mount_roles;
--roleattribute system_r mount_roles;
-+#attribute_role mount_roles;
-+#roleattribute system_r mount_roles;
+ attribute_role mount_roles;
+ roleattribute system_r mount_roles;
- type mount_t;
- type mount_exec_t;
+@@ -20,14 +13,37 @@ type mount_exec_t;
init_system_domain(mount_t, mount_exec_t)
--role mount_roles types mount_t;
-+#role mount_roles types mount_t;
-+role system_r types mount_t;
-+
+ role mount_roles types mount_t;
+
+type fusermount_exec_t;
+domain_entry_file(mount_t, fusermount_exec_t)
+
+typealias mount_t alias mount_ntfs_t;
+typealias mount_exec_t alias mount_ntfs_exec_t;
-
++
type mount_loopback_t; # customizable
files_type(mount_loopback_t)
+typealias mount_loopback_t alias mount_loop_t;
@@ -33566,13 +33394,8 @@ index 6a50270..d941116 100644
type mount_tmp_t;
files_tmp_file(mount_tmp_t)
--# causes problems with interfaces when
--# this is optionally declared in monolithic
--# policy--duplicate type declaration
--type unconfined_mount_t;
--application_domain(unconfined_mount_t, mount_exec_t)
-+type mount_var_run_t;
-+files_pid_file(mount_var_run_t)
+ type mount_var_run_t;
+ files_pid_file(mount_var_run_t)
+dev_associate(mount_var_run_t)
+
+# showmount - show mount information for an NFS server
@@ -33590,8 +33413,9 @@ index 6a50270..d941116 100644
+type mount_ecryptfs_tmpfs_t;
+files_tmpfs_file(mount_ecryptfs_tmpfs_t)
- ########################################
- #
+ # causes problems with interfaces when
+ # this is optionally declared in monolithic
+@@ -40,8 +56,12 @@ application_domain(unconfined_mount_t, mount_exec_t)
# mount local policy
#
@@ -33606,33 +33430,26 @@ index 6a50270..d941116 100644
allow mount_t mount_loopback_t:file read_file_perms;
-@@ -49,9 +67,24 @@ can_exec(mount_t, mount_exec_t)
-
- files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
-
-+manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t)
-+manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t)
-+files_pid_filetrans(mount_t,mount_var_run_t,{ dir file })
-+files_var_filetrans(mount_t,mount_var_run_t,dir)
+@@ -56,9 +76,18 @@ create_dirs_pattern(mount_t, mount_var_run_t, mount_var_run_t)
+ create_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
+ rw_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
+ files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount")
+dev_filetrans(mount_t, mount_var_run_t, dir)
+
-+# In order to mount reiserfs_t
-+kernel_dontaudit_getattr_core_if(mount_t)
-+kernel_list_unlabeled(mount_t)
-+kernel_mount_unlabeled(mount_t)
-+kernel_unmount_unlabeled(mount_t)
+
kernel_read_system_state(mount_t)
+kernel_read_network_state(mount_t)
kernel_read_kernel_sysctls(mount_t)
--kernel_dontaudit_getattr_core_if(mount_t)
+kernel_relabelfrom_unlabeled_fs(mount_t)
++kernel_list_unlabeled(mount_t)
+kernel_manage_debugfs(mount_t)
-+kernel_setsched(mount_t)
++kernel_mount_unlabeled(mount_t)
++kernel_unmount_unlabeled(mount_t)
+kernel_use_fds(mount_t)
+ kernel_setsched(mount_t)
+ kernel_dontaudit_getattr_core_if(mount_t)
kernel_dontaudit_write_debugfs_dirs(mount_t)
- kernel_dontaudit_write_proc_dirs(mount_t)
- # To load binfmt_misc kernel module
-@@ -60,31 +93,47 @@ kernel_request_load_module(mount_t)
+@@ -69,31 +98,47 @@ kernel_request_load_module(mount_t)
# required for mount.smbfs
corecmd_exec_bin(mount_t)
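Review bot: `dev_filetrans(mount_t, mount_var_run_t, dir)`, kept as context in this hunk, has no name component, so every directory mount_t creates directly under /dev is typed mount_var_run_t, while the matching file context only covers `/dev/\.mount(/.*)?`. The preceding `files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount")` already uses a name; if `dev_filetrans` accepts the optional name argument in this refpolicy version, tightening to `dev_filetrans(mount_t, mount_var_run_t, dir, ".mount")` keeps the transition least-privilege and consistent with the fc entry. The kernel_* lines reordered in this hunk are otherwise unchanged in effect.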
@@ -33683,7 +33500,7 @@ index 6a50270..d941116 100644
files_read_isid_type_files(mount_t)
# For reading cert files
files_read_usr_files(mount_t)
-@@ -92,28 +141,39 @@ files_list_mnt(mount_t)
+@@ -101,28 +146,39 @@ files_list_all_mountpoints(mount_t)
files_dontaudit_write_all_mountpoints(mount_t)
files_dontaudit_setattr_all_mountpoints(mount_t)
@@ -33729,7 +33546,7 @@ index 6a50270..d941116 100644
term_dontaudit_manage_pty_dirs(mount_t)
auth_use_nsswitch(mount_t)
-@@ -121,16 +181,21 @@ auth_use_nsswitch(mount_t)
+@@ -130,16 +186,21 @@ auth_use_nsswitch(mount_t)
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
@@ -33753,7 +33570,7 @@ index 6a50270..d941116 100644
ifdef(`distro_redhat',`
optional_policy(`
-@@ -146,26 +211,27 @@ ifdef(`distro_ubuntu',`
+@@ -155,26 +216,27 @@ ifdef(`distro_ubuntu',`
')
')
@@ -33793,7 +33610,7 @@ index 6a50270..d941116 100644
corenet_tcp_bind_generic_port(mount_t)
corenet_udp_bind_generic_port(mount_t)
corenet_tcp_bind_reserved_port(mount_t)
-@@ -179,6 +245,9 @@ optional_policy(`
+@@ -188,6 +250,9 @@ optional_policy(`
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@@ -33803,7 +33620,7 @@ index 6a50270..d941116 100644
')
optional_policy(`
-@@ -186,6 +255,40 @@ optional_policy(`
+@@ -195,6 +260,40 @@ optional_policy(`
')
optional_policy(`
@@ -33844,7 +33661,7 @@ index 6a50270..d941116 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -194,24 +297,132 @@ optional_policy(`
+@@ -203,28 +302,136 @@ optional_policy(`
')
optional_policy(`
@@ -33853,29 +33670,26 @@ index 6a50270..d941116 100644
+
+# Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711
+optional_policy(`
-+# lvm_run(mount_t, mount_roles)
-+ lvm_domtrans(mount_t)
++ lvm_run(mount_t, mount_roles)
+')
+
+optional_policy(`
-+ #modutils_run_insmod(mount_t, mount_roles)
-+ modutils_domtrans_insmod(mount_t)
-+ modutils_read_module_deps(mount_t)
++ modutils_run_insmod(mount_t, mount_roles)
+ modutils_read_module_deps(mount_t)
+ ')
+
+ optional_policy(`
++ fstools_run(mount_t, mount_roles)
+')
+
+optional_policy(`
-+ fstools_domtrans(mount_t)
-+ #fstools_run(mount_t, mount_roles)
++ rhcs_stream_connect_gfs_controld(mount_t)
+')
+
+optional_policy(`
-+ rhcs_stream_connect_gfs_controld(mount_t)
++ rpc_run_rpcd(mount_t, mount_roles)
+')
+
-+#optional_policy(`
-+# rpc_run_rpcd(mount_t, mount_roles)
-+#')
-+
+optional_policy(`
puppet_rw_tmp(mount_t)
')
@@ -33887,16 +33701,10 @@ index 6a50270..d941116 100644
')
optional_policy(`
-- samba_run_smbmount(mount_t, mount_roles)
+ samba_read_config(mount_t)
-+ samba_domtrans_smbmount(mount_t)
-+ #samba_run_smbmount(mount_t, mount_roles)
+ samba_run_smbmount(mount_t, mount_roles)
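Review bot: Switching from `lvm_domtrans`/`modutils_domtrans_insmod`/`fstools_domtrans`/`samba_domtrans_smbmount` to the `*_run(mount_t, mount_roles)` forms, and enabling the previously commented-out `rpc_run_rpcd(mount_t, mount_roles)`, authorizes every role in `mount_roles` — system_r plus any role a caller attaches through `mount_run` — for lvm_t, insmod_t, fsadm_t, rpcd_t and the smbmount domain. That matches upstream's shape and is presumably intended, but a comment above the block such as `# roles in mount_roles are authorized for the helper domains mount spawns (lvm, insmod, fsadm, rpcd, smbmount)` would record the widening. The rpc block was disabled in the previous patch text; if that was due to a module-dependency problem rather than policy intent, confirm the reason before re-enabling it.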
')
--########################################
--#
--# Unconfined mount local policy
--#
+optional_policy(`
+ ssh_exec(mount_t)
+ ssh_append_home_files(mount_t)
@@ -33907,7 +33715,7 @@ index 6a50270..d941116 100644
+')
+
+optional_policy(`
-+ userhelper_exec_console(mount_t)
++ userhelper_exec_consolehelper(mount_t)
+')
+
+optional_policy(`
@@ -33917,12 +33725,10 @@ index 6a50270..d941116 100644
+optional_policy(`
+ virt_read_blk_images(mount_t)
+')
-
- optional_policy(`
-- files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
-- unconfined_domain(unconfined_mount_t)
++
++optional_policy(`
+ vmware_exec_host(mount_t)
- ')
++')
+
+optional_policy(`
+ unconfined_domain(mount_t)
@@ -33951,10 +33757,8 @@ index 6a50270..d941116 100644
+corenet_udp_bind_all_rpc_ports(showmount_t)
+corenet_tcp_connect_all_ports(showmount_t)
+
-+files_read_etc_files(showmount_t)
+files_read_etc_runtime_files(showmount_t)
+
-+
+sysnet_dns_name_resolve(showmount_t)
+
+userdom_use_inherited_user_terminals(showmount_t)
@@ -33984,6 +33788,18 @@ index 6a50270..d941116 100644
+fs_read_ecryptfs_files(mount_ecryptfs_t)
+
+auth_use_nsswitch(mount_ecryptfs_t)
++
+ ########################################
+ #
+ # Unconfined mount local policy
+ #
+
+ optional_policy(`
+- files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
+- unconfined_domain(unconfined_mount_t)
++ files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
++ unconfined_domain(unconfined_mount_t)
+ ')
diff --git a/policy/modules/system/netlabel.fc b/policy/modules/system/netlabel.fc
index b263a8a..15576ab 100644
--- a/policy/modules/system/netlabel.fc
@@ -34700,7 +34516,7 @@ index 3822072..270bde3 100644
+ allow semanage_t $1:dbus send_msg;
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
-index ec01d0b..ececda2 100644
+index dc46420..86595e5 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -11,14 +11,16 @@ gen_require(`
@@ -35228,7 +35044,7 @@ index ec01d0b..ececda2 100644
')
########################################
-@@ -522,108 +598,192 @@ ifdef(`distro_ubuntu',`
+@@ -522,111 +598,192 @@ ifdef(`distro_ubuntu',`
# Setfiles local policy
#
@@ -35253,6 +35069,8 @@ index ec01d0b..ececda2 100644
-kernel_dontaudit_list_all_sysctls(setfiles_t)
-
-dev_relabel_all_dev_nodes(setfiles_t)
+-# to handle when /dev/console needs to be relabeled
+-dev_rw_generic_chr_files(setfiles_t)
-
-domain_use_interactive_fds(setfiles_t)
-domain_dontaudit_search_all_domains_state(setfiles_t)
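Review bot: The rebased patch now also strips upstream's `dev_rw_generic_chr_files(setfiles_t)` (commented `# to handle when /dev/console needs to be relabeled`) as part of replacing the whole setfiles block, but the replacement block lies outside this hunk, so it is not visible whether an equivalent grant survives. If it does not, `setfiles`/`restorecon` relabeling /dev/console will be denied on that path; keep the line, with its comment, in the replacement unless a broader rule already covers it.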
@@ -35262,6 +35080,7 @@ index ec01d0b..ececda2 100644
-files_list_all(setfiles_t)
-files_relabel_all_files(setfiles_t)
-files_read_usr_symlinks(setfiles_t)
+-files_dontaudit_read_all_symlinks(setfiles_t)
-
-fs_getattr_xattr_fs(setfiles_t)
-fs_list_all(setfiles_t)
@@ -35563,7 +35382,7 @@ index 1447687..d5e6fb9 100644
seutil_read_config(setrans_t)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
-index 346a7cc..42a48b6 100644
+index 40edc18..7cc0c8a 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -17,16 +17,17 @@ ifdef(`distro_debian',`
@@ -35609,15 +35428,15 @@ index 346a7cc..42a48b6 100644
/usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
#
-@@ -72,3 +87,6 @@ ifdef(`distro_redhat',`
- ifdef(`distro_gentoo',`
- /var/lib/dhcpc(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
+@@ -77,3 +92,6 @@ ifdef(`distro_debian',`
+ /var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
')
-+
+
+/var/run/netns(/.*)? gen_context(system_u:object_r:ifconfig_var_run_t,s0)
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
++
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
-index 6944526..0bd8d93 100644
+index 2cea692..7bb31c4 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -38,11 +38,30 @@ interface(`sysnet_domtrans_dhcpc',`
@@ -35651,7 +35470,7 @@ index 6944526..0bd8d93 100644
')
########################################
-@@ -250,6 +269,7 @@ interface(`sysnet_read_dhcpc_state',`
+@@ -269,6 +288,7 @@ interface(`sysnet_read_dhcpc_state',`
type dhcpc_state_t;
')
@@ -35659,7 +35478,7 @@ index 6944526..0bd8d93 100644
read_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
')
-@@ -271,6 +291,43 @@ interface(`sysnet_delete_dhcpc_state',`
+@@ -290,6 +310,43 @@ interface(`sysnet_delete_dhcpc_state',`
delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
')
@@ -35703,7 +35522,7 @@ index 6944526..0bd8d93 100644
#######################################
##
## Set the attributes of network config files.
-@@ -292,6 +349,44 @@ interface(`sysnet_setattr_config',`
+@@ -311,6 +368,44 @@ interface(`sysnet_setattr_config',`
#######################################
##
@@ -35748,7 +35567,7 @@ index 6944526..0bd8d93 100644
## Read network config files.
##
##
-@@ -331,6 +426,7 @@ interface(`sysnet_read_config',`
+@@ -356,6 +451,7 @@ interface(`sysnet_read_config',`
ifdef(`distro_redhat',`
allow $1 net_conf_t:dir list_dir_perms;
@@ -35756,7 +35575,7 @@ index 6944526..0bd8d93 100644
read_files_pattern($1, net_conf_t, net_conf_t)
')
')
-@@ -415,6 +511,40 @@ interface(`sysnet_etc_filetrans_config',`
+@@ -440,6 +536,40 @@ interface(`sysnet_etc_filetrans_config',`
files_etc_filetrans($1, net_conf_t, file, $2)
')
@@ -35797,15 +35616,15 @@ index 6944526..0bd8d93 100644
#######################################
##
## Create, read, write, and delete network config files.
-@@ -433,6 +563,7 @@ interface(`sysnet_manage_config',`
- allow $1 net_conf_t:file manage_file_perms;
+@@ -463,6 +593,7 @@ interface(`sysnet_manage_config',`
+ ')
ifdef(`distro_redhat',`
+ allow $1 net_conf_t:dir list_dir_perms;
manage_files_pattern($1, net_conf_t, net_conf_t)
')
')
-@@ -471,6 +602,7 @@ interface(`sysnet_delete_dhcpc_pid',`
+@@ -501,6 +632,7 @@ interface(`sysnet_delete_dhcpc_pid',`
type dhcpc_var_run_t;
')
@@ -35813,7 +35632,7 @@ index 6944526..0bd8d93 100644
allow $1 dhcpc_var_run_t:file unlink;
')
-@@ -580,6 +712,25 @@ interface(`sysnet_signull_ifconfig',`
+@@ -610,6 +742,25 @@ interface(`sysnet_signull_ifconfig',`
########################################
##
@@ -35839,7 +35658,7 @@ index 6944526..0bd8d93 100644
## Read the DHCP configuration files.
##
##
-@@ -596,6 +747,7 @@ interface(`sysnet_read_dhcp_config',`
+@@ -626,6 +777,7 @@ interface(`sysnet_read_dhcp_config',`
files_search_etc($1)
allow $1 dhcp_etc_t:dir list_dir_perms;
read_files_pattern($1, dhcp_etc_t, dhcp_etc_t)
@@ -35847,7 +35666,7 @@ index 6944526..0bd8d93 100644
')
########################################
-@@ -681,8 +833,6 @@ interface(`sysnet_dns_name_resolve',`
+@@ -711,8 +863,6 @@ interface(`sysnet_dns_name_resolve',`
allow $1 self:udp_socket create_socket_perms;
allow $1 self:netlink_route_socket r_netlink_socket_perms;
@@ -35856,7 +35675,7 @@ index 6944526..0bd8d93 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
-@@ -692,6 +842,8 @@ interface(`sysnet_dns_name_resolve',`
+@@ -722,6 +872,8 @@ interface(`sysnet_dns_name_resolve',`
corenet_tcp_connect_dns_port($1)
corenet_sendrecv_dns_client_packets($1)
@@ -35865,7 +35684,7 @@ index 6944526..0bd8d93 100644
sysnet_read_config($1)
optional_policy(`
-@@ -720,8 +872,6 @@ interface(`sysnet_use_ldap',`
+@@ -750,8 +902,6 @@ interface(`sysnet_use_ldap',`
allow $1 self:tcp_socket create_socket_perms;
@@ -35874,7 +35693,7 @@ index 6944526..0bd8d93 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
corenet_tcp_sendrecv_ldap_port($1)
-@@ -733,6 +883,9 @@ interface(`sysnet_use_ldap',`
+@@ -763,6 +913,9 @@ interface(`sysnet_use_ldap',`
dev_read_urand($1)
sysnet_read_config($1)
@@ -35884,7 +35703,7 @@ index 6944526..0bd8d93 100644
')
########################################
-@@ -754,7 +907,6 @@ interface(`sysnet_use_portmap',`
+@@ -784,7 +937,6 @@ interface(`sysnet_use_portmap',`
allow $1 self:udp_socket create_socket_perms;
corenet_all_recvfrom_unlabeled($1)
@@ -35892,7 +35711,7 @@ index 6944526..0bd8d93 100644
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
-@@ -766,3 +918,76 @@ interface(`sysnet_use_portmap',`
+@@ -796,3 +948,76 @@ interface(`sysnet_use_portmap',`
sysnet_read_config($1)
')
@@ -35970,10 +35789,10 @@ index 6944526..0bd8d93 100644
+ files_etc_filetrans($1, net_conf_t, file, "ntp.conf")
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index b7686d5..087fe08 100644
+index a392fc4..72131e5 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
-@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.14.6)
+@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4)
# Declarations
#
@@ -35998,7 +35817,7 @@ index b7686d5..087fe08 100644
type dhcpc_state_t;
files_type(dhcpc_state_t)
-@@ -36,18 +45,22 @@ type ifconfig_exec_t;
+@@ -36,8 +45,12 @@ type ifconfig_exec_t;
init_system_domain(ifconfig_t, ifconfig_exec_t)
role system_r types ifconfig_t;
@@ -36010,8 +35829,9 @@ index b7686d5..087fe08 100644
-files_type(net_conf_t)
+files_config_file(net_conf_t)
- ########################################
- #
+ ifdef(`distro_debian',`
+ init_daemon_run_dir(net_conf_t, "network")
+@@ -48,10 +61,10 @@ ifdef(`distro_debian',`
# DHCP client local policy
#
allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service setpcap sys_nice sys_resource sys_tty_config };
@@ -36024,7 +35844,7 @@ index b7686d5..087fe08 100644
allow dhcpc_t self:fifo_file rw_fifo_file_perms;
allow dhcpc_t self:tcp_socket create_stream_socket_perms;
-@@ -60,8 +73,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
+@@ -64,8 +77,11 @@ read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
exec_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
allow dhcpc_t dhcp_state_t:file read_file_perms;
@@ -36036,7 +35856,7 @@ index b7686d5..087fe08 100644
# create pid file
manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
-@@ -70,6 +86,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir })
+@@ -74,6 +90,8 @@ files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir })
# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
# in /etc created by dhcpcd will be labelled net_conf_t.
@@ -36045,7 +35865,7 @@ index b7686d5..087fe08 100644
sysnet_manage_config(dhcpc_t)
files_etc_filetrans(dhcpc_t, net_conf_t, file)
-@@ -91,14 +109,13 @@ kernel_rw_net_sysctls(dhcpc_t)
+@@ -95,14 +113,13 @@ kernel_rw_net_sysctls(dhcpc_t)
corecmd_exec_bin(dhcpc_t)
corecmd_exec_shell(dhcpc_t)
@@ -36066,12 +35886,13 @@ index b7686d5..087fe08 100644
corenet_tcp_sendrecv_all_ports(dhcpc_t)
corenet_udp_sendrecv_all_ports(dhcpc_t)
corenet_tcp_bind_all_nodes(dhcpc_t)
-@@ -108,21 +125,24 @@ corenet_udp_bind_dhcpc_port(dhcpc_t)
+@@ -112,22 +129,25 @@ corenet_udp_bind_dhcpc_port(dhcpc_t)
+ corenet_udp_bind_all_unreserved_ports(dhcpc_t)
corenet_tcp_connect_all_ports(dhcpc_t)
corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
- corenet_sendrecv_dhcpc_server_packets(dhcpc_t)
++corenet_sendrecv_dhcpc_server_packets(dhcpc_t)
+ corenet_sendrecv_all_server_packets(dhcpc_t)
+corenet_dontaudit_udp_bind_all_reserved_ports(dhcpc_t)
-+corenet_udp_bind_all_unreserved_ports(dhcpc_t)
dev_read_sysfs(dhcpc_t)
# for SSP:
@@ -36093,7 +35914,7 @@ index b7686d5..087fe08 100644
fs_getattr_all_fs(dhcpc_t)
fs_search_auto_mountpoints(dhcpc_t)
-@@ -132,11 +152,15 @@ term_dontaudit_use_all_ptys(dhcpc_t)
+@@ -137,11 +157,15 @@ term_dontaudit_use_all_ptys(dhcpc_t)
term_dontaudit_use_unallocated_ttys(dhcpc_t)
term_dontaudit_use_generic_ptys(dhcpc_t)
@@ -36110,7 +35931,7 @@ index b7686d5..087fe08 100644
modutils_run_insmod(dhcpc_t, dhcpc_roles)
-@@ -156,7 +180,14 @@ ifdef(`distro_ubuntu',`
+@@ -161,7 +185,14 @@ ifdef(`distro_ubuntu',`
')
optional_policy(`
@@ -36126,7 +35947,7 @@ index b7686d5..087fe08 100644
')
optional_policy(`
-@@ -174,10 +205,6 @@ optional_policy(`
+@@ -179,10 +210,6 @@ optional_policy(`
')
optional_policy(`
@@ -36137,7 +35958,7 @@ index b7686d5..087fe08 100644
hotplug_getattr_config_dirs(dhcpc_t)
hotplug_search_config(dhcpc_t)
-@@ -190,23 +217,36 @@ optional_policy(`
+@@ -195,23 +222,36 @@ optional_policy(`
optional_policy(`
netutils_run_ping(dhcpc_t, dhcpc_roles)
netutils_run(dhcpc_t, dhcpc_roles)
@@ -36174,7 +35995,7 @@ index b7686d5..087fe08 100644
')
optional_policy(`
-@@ -216,7 +256,11 @@ optional_policy(`
+@@ -221,7 +261,11 @@ optional_policy(`
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
@@ -36187,7 +36008,7 @@ index b7686d5..087fe08 100644
')
optional_policy(`
-@@ -228,6 +272,10 @@ optional_policy(`
+@@ -233,6 +277,10 @@ optional_policy(`
')
optional_policy(`
@@ -36198,7 +36019,7 @@ index b7686d5..087fe08 100644
vmware_append_log(dhcpc_t)
')
-@@ -259,12 +307,23 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -264,12 +312,23 @@ allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
@@ -36222,7 +36043,7 @@ index b7686d5..087fe08 100644
kernel_use_fds(ifconfig_t)
kernel_read_system_state(ifconfig_t)
kernel_read_network_state(ifconfig_t)
-@@ -274,14 +333,30 @@ kernel_rw_net_sysctls(ifconfig_t)
+@@ -279,14 +338,30 @@ kernel_rw_net_sysctls(ifconfig_t)
corenet_rw_tun_tap_dev(ifconfig_t)
@@ -36253,7 +36074,7 @@ index b7686d5..087fe08 100644
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
-@@ -294,22 +369,22 @@ term_dontaudit_use_all_ptys(ifconfig_t)
+@@ -299,24 +374,22 @@ term_dontaudit_use_all_ptys(ifconfig_t)
term_dontaudit_use_ptmx(ifconfig_t)
term_dontaudit_use_generic_ptys(ifconfig_t)
@@ -36271,17 +36092,18 @@ index b7686d5..087fe08 100644
-miscfiles_read_localization(ifconfig_t)
-
-modutils_domtrans_insmod(ifconfig_t)
-
+-
seutil_use_runinit_fds(ifconfig_t)
--userdom_use_user_terminals(ifconfig_t)
+sysnet_dns_name_resolve(ifconfig_t)
-+
+ sysnet_dontaudit_rw_dhcpc_udp_sockets(ifconfig_t)
+
+-userdom_use_user_terminals(ifconfig_t)
+userdom_use_inherited_user_terminals(ifconfig_t)
userdom_use_all_users_fds(ifconfig_t)
ifdef(`distro_ubuntu',`
-@@ -318,7 +393,22 @@ ifdef(`distro_ubuntu',`
+@@ -325,7 +398,22 @@ ifdef(`distro_ubuntu',`
')
')
@@ -36304,12 +36126,11 @@ index b7686d5..087fe08 100644
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
')
-@@ -329,8 +419,11 @@ ifdef(`hide_broken_symptoms',`
+@@ -336,7 +424,11 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
-- hal_dontaudit_rw_pipes(ifconfig_t)
-- hal_dontaudit_rw_dgram_sockets(ifconfig_t)
+- devicekit_read_pid_files(ifconfig_t)
+ dnsmasq_domtrans(ifconfig_t)
+')
+
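Review bot: The rebased hunk now deletes upstream's newly added `devicekit_read_pid_files(ifconfig_t)` (the `+-` line) so that its optional_policy block can be reused for `dnsmasq_domtrans(ifconfig_t)`; that silently discards an access upstream just granted instead of carrying it forward. Unless ifconfig_t already reads devicekit pid files through a rule not visible here, keep the upstream line as context and append the dnsmasq block as a separate optional_policy after the existing one, e.g. ` devicekit_read_pid_files(ifconfig_t)` followed by `+optional_policy(` … `+')`. The enclosing ifconfig_t local policy continues on both sides of this hunk.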
@@ -36318,7 +36139,7 @@ index b7686d5..087fe08 100644
')
optional_policy(`
-@@ -339,7 +432,15 @@ optional_policy(`
+@@ -350,7 +442,15 @@ optional_policy(`
')
optional_policy(`
@@ -36335,7 +36156,7 @@ index b7686d5..087fe08 100644
')
optional_policy(`
-@@ -360,3 +461,13 @@ optional_policy(`
+@@ -371,3 +471,13 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@@ -38465,7 +38286,7 @@ index 0000000..f758960
+read_files_pattern(systemd_domain, systemd_home_t, systemd_home_t)
+read_lnk_files_pattern(systemd_domain, systemd_home_t, systemd_home_t)
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
-index 40928d8..49fd32e 100644
+index f41857e..49fd32e 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -1,6 +1,8 @@
@@ -38496,7 +38317,7 @@ index 40928d8..49fd32e 100644
-/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
-
-/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
--/var/run/udev(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0)
+-/var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
+/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
+
+/usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
@@ -38518,7 +38339,7 @@ index 40928d8..49fd32e 100644
ifdef(`distro_debian',`
/var/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0)
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
-index 0f64692..d7e8a01 100644
+index 9a1650d..d7e8a01 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -34,6 +34,7 @@ interface(`udev_domtrans',`
@@ -38723,7 +38544,7 @@ index 0f64692..d7e8a01 100644
+ role system_r;
')
-- files_search_var_lib($1)
+- files_search_pids($1)
- manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
+ allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms;
+')
@@ -38762,7 +38583,7 @@ index 0f64692..d7e8a01 100644
########################################
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index a5ec88b..de9d585 100644
+index 39f185f..ef4c635 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -17,16 +17,17 @@ init_daemon_domain(udev_t, udev_exec_t)
@@ -38786,7 +38607,7 @@ index a5ec88b..de9d585 100644
ifdef(`enable_mcs',`
kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
init_ranged_daemon_domain(udev_t, udev_exec_t, s0 - mcs_systemhigh)
-@@ -37,9 +38,11 @@ ifdef(`enable_mcs',`
+@@ -37,10 +38,10 @@ ifdef(`enable_mcs',`
# Local policy
#
@@ -38794,13 +38615,13 @@ index a5ec88b..de9d585 100644
+allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice };
+allow udev_t self:capability2 { block_suspend compromise_kernel };
dontaudit udev_t self:capability sys_tty_config;
+-allow udev_t self:capability2 block_suspend;
-allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-+
+allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow udev_t self:process { execmem setfscreate };
allow udev_t self:fd use;
allow udev_t self:fifo_file rw_fifo_file_perms;
-@@ -53,6 +56,7 @@ allow udev_t self:unix_dgram_socket sendto;
+@@ -54,6 +55,7 @@ allow udev_t self:unix_dgram_socket sendto;
allow udev_t self:unix_stream_socket connectto;
allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
allow udev_t self:rawip_socket create_socket_perms;
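Review bot: The retained `+allow udev_t self:capability { chown dac_override … setuid setgid sys_nice };` line lists `sys_nice` twice (once after net_admin and again at the end); checkpolicy tolerates the duplicate, but it reads as a copy-paste slip and leaves a reader guessing whether a different capability was intended. Since this hunk is being regenerated anyway, drop the trailing `sys_nice` so each capability appears once. The udev_t local policy this belongs to continues outside the hunk.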
@@ -38808,11 +38629,10 @@ index a5ec88b..de9d585 100644
allow udev_t udev_exec_t:file write;
can_exec(udev_t, udev_exec_t)
-@@ -63,31 +67,40 @@ can_exec(udev_t, udev_helper_exec_t)
+@@ -64,31 +66,40 @@ can_exec(udev_t, udev_helper_exec_t)
# read udev config
allow udev_t udev_etc_t:file read_file_perms;
--# create udev database in /dev/.udevdb
-allow udev_t udev_tbl_t:file manage_file_perms;
-dev_filetrans(udev_t, udev_tbl_t, file)
+allow udev_t udev_tmp_t:dir manage_dir_perms;
@@ -38825,11 +38645,10 @@ index a5ec88b..de9d585 100644
+manage_lnk_files_pattern(udev_t, udev_rules_t, udev_rules_t)
manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
-+manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
--files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
-+files_pid_filetrans(udev_t, udev_var_run_t, { file dir })
+ manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
+ files_pid_filetrans(udev_t, udev_var_run_t, dir, "udev")
+allow udev_t udev_var_run_t:file mounton;
+allow udev_t udev_var_run_t:lnk_file relabel_lnk_file_perms;
+dev_filetrans(udev_t, udev_var_run_t, { file lnk_file } )
@@ -38855,7 +38674,7 @@ index a5ec88b..de9d585 100644
#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
kernel_rw_net_sysctls(udev_t)
-@@ -98,6 +111,7 @@ corecmd_exec_all_executables(udev_t)
+@@ -99,6 +110,7 @@ corecmd_exec_all_executables(udev_t)
dev_rw_sysfs(udev_t)
dev_manage_all_dev_nodes(udev_t)
@@ -38863,7 +38682,7 @@ index a5ec88b..de9d585 100644
dev_rw_generic_files(udev_t)
dev_delete_generic_files(udev_t)
dev_search_usbfs(udev_t)
-@@ -106,23 +120,31 @@ dev_relabel_all_dev_nodes(udev_t)
+@@ -107,23 +119,31 @@ dev_relabel_all_dev_nodes(udev_t)
# preserved, instead of short circuiting the relabel
dev_relabel_generic_symlinks(udev_t)
dev_manage_generic_symlinks(udev_t)
@@ -38899,7 +38718,7 @@ index a5ec88b..de9d585 100644
mls_file_read_all_levels(udev_t)
mls_file_write_all_levels(udev_t)
-@@ -144,17 +166,20 @@ auth_use_nsswitch(udev_t)
+@@ -145,17 +165,20 @@ auth_use_nsswitch(udev_t)
init_read_utmp(udev_t)
init_dontaudit_write_utmp(udev_t)
init_getattr_initctl(udev_t)
@@ -38921,7 +38740,7 @@ index a5ec88b..de9d585 100644
seutil_read_config(udev_t)
seutil_read_default_contexts(udev_t)
-@@ -168,7 +193,11 @@ sysnet_read_dhcpc_pid(udev_t)
+@@ -169,7 +192,11 @@ sysnet_read_dhcpc_pid(udev_t)
sysnet_delete_dhcpc_pid(udev_t)
sysnet_signal_dhcpc(udev_t)
sysnet_manage_config(udev_t)
@@ -38934,7 +38753,7 @@ index a5ec88b..de9d585 100644
userdom_dontaudit_search_user_home_content(udev_t)
-@@ -179,16 +208,9 @@ ifdef(`distro_gentoo',`
+@@ -195,16 +222,9 @@ ifdef(`distro_gentoo',`
')
ifdef(`distro_redhat',`
@@ -38953,7 +38772,7 @@ index a5ec88b..de9d585 100644
# for arping used for static IP addresses on PCMCIA ethernet
netutils_domtrans(udev_t)
-@@ -226,19 +248,34 @@ optional_policy(`
+@@ -242,6 +262,7 @@ optional_policy(`
optional_policy(`
cups_domtrans_config(udev_t)
@@ -38961,11 +38780,14 @@ index a5ec88b..de9d585 100644
')
optional_policy(`
- dbus_system_bus_client(udev_t)
-+
-+ optional_policy(`
+@@ -249,17 +270,27 @@ optional_policy(`
+ dbus_use_system_bus_fds(udev_t)
+
+ optional_policy(`
+- consolekit_dbus_chat(udev_t)
+- ')
+ systemd_dbus_chat_logind(udev_t)
-+ ')
++ ')
')
optional_policy(`
@@ -38988,7 +38810,7 @@ index a5ec88b..de9d585 100644
')
optional_policy(`
-@@ -264,6 +301,10 @@ optional_policy(`
+@@ -289,6 +320,10 @@ optional_policy(`
')
optional_policy(`
@@ -38999,7 +38821,7 @@ index a5ec88b..de9d585 100644
openct_read_pid_files(udev_t)
openct_domtrans(udev_t)
')
-@@ -278,6 +319,15 @@ optional_policy(`
+@@ -303,6 +338,15 @@ optional_policy(`
')
optional_policy(`
@@ -39015,7 +38837,7 @@ index a5ec88b..de9d585 100644
unconfined_signal(udev_t)
')
-@@ -290,6 +340,7 @@ optional_policy(`
+@@ -315,6 +359,7 @@ optional_policy(`
kernel_read_xen_state(udev_t)
xen_manage_log(udev_t)
xen_read_image_files(udev_t)
@@ -39050,7 +38872,7 @@ index 0abaf84..8b34dbc 100644
-/usr/lib/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-')
diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
-index db7aabb..01e03ec 100644
+index 5ca20a9..01e03ec 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -12,53 +12,57 @@
@@ -39128,15 +38950,16 @@ index db7aabb..01e03ec 100644
# auditallow $1 self:process execstack;
')
-@@ -69,6 +73,7 @@ interface(`unconfined_domain_noaudit',`
- optional_policy(`
- # Communicate via dbusd.
- dbus_system_bus_unconfined($1)
-+ dbus_unconfined($1)
+@@ -67,6 +71,8 @@ interface(`unconfined_domain_noaudit',`
')
optional_policy(`
-@@ -122,9 +127,13 @@ interface(`unconfined_domain_noaudit',`
++ # Communicate via dbusd.
++ dbus_system_bus_unconfined($1)
+ dbus_unconfined($1)
+ ')
+
+@@ -121,9 +127,13 @@ interface(`unconfined_domain_noaudit',`
##
#
interface(`unconfined_domain',`
@@ -39151,7 +38974,7 @@ index db7aabb..01e03ec 100644
auditallow $1 self:process execheap;
')
')
-@@ -150,7 +159,7 @@ interface(`unconfined_domain',`
+@@ -149,7 +159,7 @@ interface(`unconfined_domain',`
##
#
interface(`unconfined_alias_domain',`
@@ -39160,7 +38983,7 @@ index db7aabb..01e03ec 100644
')
########################################
-@@ -176,414 +185,5 @@ interface(`unconfined_alias_domain',`
+@@ -175,414 +185,5 @@ interface(`unconfined_alias_domain',`
##
#
interface(`unconfined_execmem_alias_program',`
@@ -39577,10 +39400,14 @@ index db7aabb..01e03ec 100644
+ refpolicywarn(`$0() has been deprecated.')
')
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
-index 0280b32..61f19e9 100644
+index 5fe902d..61f19e9 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
-@@ -4,237 +4,4 @@ policy_module(unconfined, 3.5.0)
+@@ -1,207 +1,7 @@
+-policy_module(unconfined, 3.5.1)
++policy_module(unconfined, 3.5.0)
+
+ ########################################
#
# Declarations
#
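Review bot: The rebased hunk now rewrites `policy_module(unconfined, 3.5.1)` to `policy_module(unconfined, 3.5.0)`, reverting upstream's module version bump, whereas the previous revision of this hunk (`@@ -4,237 +4,4 @@`) started below the version line and left it alone. This looks like a rebase artefact from diffing against a tree that still carried 3.5.0; a downstream patch moving a module version backwards is almost never intended and makes the built module look older than the base it was generated from. Keep upstream's line as context (` policy_module(unconfined, 3.5.1)`) and begin the hunk at the Declarations block as before.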
@@ -39656,40 +39483,6 @@ index 0280b32..61f19e9 100644
-')
-
-optional_policy(`
-- init_dbus_chat_script(unconfined_t)
--
-- dbus_stub(unconfined_t)
--
-- optional_policy(`
-- avahi_dbus_chat(unconfined_t)
-- ')
--
-- optional_policy(`
-- bluetooth_dbus_chat(unconfined_t)
-- ')
--
-- optional_policy(`
-- consolekit_dbus_chat(unconfined_t)
-- ')
--
-- optional_policy(`
-- cups_dbus_chat_config(unconfined_t)
-- ')
--
-- optional_policy(`
-- hal_dbus_chat(unconfined_t)
-- ')
--
-- optional_policy(`
-- networkmanager_dbus_chat(unconfined_t)
-- ')
--
-- optional_policy(`
-- oddjob_dbus_chat(unconfined_t)
-- ')
--')
--
--optional_policy(`
- firstboot_run(unconfined_t, unconfined_r)
-')
-
@@ -39759,6 +39552,10 @@ index 0280b32..61f19e9 100644
-')
-
-optional_policy(`
+- rtkit_scheduled(unconfined_t)
+-')
+-
+-optional_policy(`
- rpm_run(unconfined_t, unconfined_r)
-')
-
@@ -39781,6 +39578,10 @@ index 0280b32..61f19e9 100644
-')
-
-optional_policy(`
+- unconfined_dbus_chat(unconfined_t)
+-')
+-
+-optional_policy(`
- usermanage_run_admin_passwd(unconfined_t, unconfined_r)
-')
-
@@ -39809,14 +39610,7 @@ index 0280b32..61f19e9 100644
-unconfined_domain_noaudit(unconfined_execmem_t)
-
-optional_policy(`
-- dbus_stub(unconfined_execmem_t)
--
-- init_dbus_chat_script(unconfined_execmem_t)
- unconfined_dbus_chat(unconfined_execmem_t)
--
-- optional_policy(`
-- hal_dbus_chat(unconfined_execmem_t)
-- ')
-')
+attribute unconfined_services;
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
@@ -39847,7 +39641,7 @@ index db75976..65191bd 100644
+
+/var/run/user(/.*)? gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 3c5dba7..2890de8 100644
+index 9dc60c6..b8ac8d9 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,9 +30,11 @@ template(`userdom_base_user_template',`
@@ -40968,7 +40762,7 @@ index 3c5dba7..2890de8 100644
##############################
#
# Local policy
-@@ -907,42 +1155,99 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -907,38 +1155,98 @@ template(`userdom_restricted_xwindows_user_template',`
#
# Local policy
#
@@ -41028,7 +40822,6 @@ index 3c5dba7..2890de8 100644
+ # bug: #682499
+ optional_policy(`
+ gnome_read_usr_config($1_usertype)
-+ gnome_role_gkeyringd($1, $1_r, $1_usertype)
+ # cjp: telepathy F15 bugs
+ telepathy_role($1_r, $1_t, $1)
+ ')
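Review bot: Removing `gnome_role_gkeyringd($1, $1_r, $1_usertype)` from the gnome optional block in `userdom_restricted_xwindows_user_template` is a behavioural change rather than a rebase adjustment: restricted X users built from this template no longer receive the gkeyringd role transition, and nothing in the hunk says why. If the interface was renamed or dropped in the gnome contrib module (not visible here) the removal is correct, but then the `# bug: #682499` comment above the block should record that; otherwise the line should be carried forward unchanged. The template body continues on both sides of this hunk.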
@@ -41062,52 +40855,57 @@ index 3c5dba7..2890de8 100644
+ cups_dbus_chat($1_usertype)
+ cups_dbus_chat_config($1_usertype)
+ ')
-
- optional_policy(`
-- consolekit_dbus_chat($1_t)
++
++ optional_policy(`
+ devicekit_dbus_chat($1_usertype)
+ devicekit_dbus_chat_disk($1_usertype)
+ devicekit_dbus_chat_power($1_usertype)
- ')
++ ')
optional_policy(`
-- cups_dbus_chat($1_t)
+- consolekit_dbus_chat($1_t)
+ fprintd_dbus_chat($1_t)
')
optional_policy(`
-- gnome_role_template($1, $1_r, $1_t)
+- cups_dbus_chat($1_t)
+ realmd_dbus_chat($1_t)
')
optional_policy(`
-@@ -951,15 +1256,36 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -948,20 +1256,41 @@ template(`userdom_restricted_xwindows_user_template',`
')
optional_policy(`
- java_role($1_r, $1_t)
+ policykit_role($1_r, $1_usertype)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- setroubleshoot_dontaudit_stream_connect($1_t)
+ pulseaudio_role($1_r, $1_usertype)
+ pulseaudio_filetrans_admin_home_content($1_usertype)
-+ ')
-+
+ ')
+-')
+
+-#######################################
+-##
+-## The template for creating a unprivileged user roughly
+-## equivalent to a regular linux user.
+-##
+-##
+ optional_policy(`
+ rtkit_scheduled($1_usertype)
+ ')
+
+ optional_policy(`
+ systemd_filetrans_home_content($1_usertype)
- ')
-
- optional_policy(`
- setroubleshoot_dontaudit_stream_connect($1_t)
- ')
--')
-
--#######################################
++ ')
++
++ optional_policy(`
++ setroubleshoot_dontaudit_stream_connect($1_t)
++ ')
++
+ optional_policy(`
+ udev_read_db($1_usertype)
+ ')
@@ -41118,10 +40916,15 @@ index 3c5dba7..2890de8 100644
+')
+
+#######################################
- ##
++##
++## The template for creating a unprivileged user roughly
++## equivalent to a regular linux user.
++##
++##
+ ##
## The template for creating a unprivileged user roughly
## equivalent to a regular linux user.
-@@ -990,27 +1316,33 @@ template(`userdom_unpriv_user_template', `
+@@ -987,27 +1316,33 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -41159,7 +40962,7 @@ index 3c5dba7..2890de8 100644
fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
# Write floppies
-@@ -1021,23 +1353,60 @@ template(`userdom_unpriv_user_template', `
+@@ -1018,23 +1353,60 @@ template(`userdom_unpriv_user_template', `
')
')
@@ -41207,9 +41010,11 @@ index 3c5dba7..2890de8 100644
+ systemd_dbus_chat_timedated($1_t)
+ systemd_dbus_chat_hostnamed($1_t)
+ systemd_dbus_chat_localed($1_t)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- netutils_run_ping_cond($1_t, $1_r)
+- netutils_run_traceroute_cond($1_t, $1_r)
+ gpm_stream_connect($1_usertype)
+ ')
+
@@ -41220,17 +41025,15 @@ index 3c5dba7..2890de8 100644
+
+ optional_policy(`
+ wine_role_template($1, $1_r, $1_t)
- ')
-
- optional_policy(`
-- netutils_run_ping_cond($1_t, $1_r)
-- netutils_run_traceroute_cond($1_t, $1_r)
++ ')
++
++ optional_policy(`
+ postfix_run_postdrop($1_t, $1_r)
+ postfix_search_spool($1_t)
')
# Run pppd in pppd_t by default for user
-@@ -1046,7 +1415,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1043,7 +1415,9 @@ template(`userdom_unpriv_user_template', `
')
optional_policy(`
@@ -41241,7 +41044,7 @@ index 3c5dba7..2890de8 100644
')
')
-@@ -1082,7 +1453,9 @@ template(`userdom_unpriv_user_template', `
+@@ -1079,7 +1453,9 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -41252,7 +41055,7 @@ index 3c5dba7..2890de8 100644
')
##############################
-@@ -1098,6 +1471,7 @@ template(`userdom_admin_user_template',`
+@@ -1095,6 +1471,7 @@ template(`userdom_admin_user_template',`
role system_r types $1_t;
typeattribute $1_t admindomain;
@@ -41260,7 +41063,7 @@ index 3c5dba7..2890de8 100644
ifdef(`direct_sysadm_daemon',`
domain_system_change_exemption($1_t)
-@@ -1109,6 +1483,7 @@ template(`userdom_admin_user_template',`
+@@ -1106,6 +1483,7 @@ template(`userdom_admin_user_template',`
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -41268,7 +41071,7 @@ index 3c5dba7..2890de8 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1117,6 +1492,9 @@ template(`userdom_admin_user_template',`
+@@ -1114,6 +1492,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -41278,7 +41081,7 @@ index 3c5dba7..2890de8 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1131,6 +1509,7 @@ template(`userdom_admin_user_template',`
+@@ -1128,6 +1509,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -41286,7 +41089,7 @@ index 3c5dba7..2890de8 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1148,10 +1527,14 @@ template(`userdom_admin_user_template',`
+@@ -1145,10 +1527,14 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -41301,7 +41104,7 @@ index 3c5dba7..2890de8 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1162,29 +1545,38 @@ template(`userdom_admin_user_template',`
+@@ -1159,29 +1545,38 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -41344,7 +41147,7 @@ index 3c5dba7..2890de8 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1194,6 +1586,8 @@ template(`userdom_admin_user_template',`
+@@ -1191,6 +1586,8 @@ template(`userdom_admin_user_template',`
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -41353,7 +41156,7 @@ index 3c5dba7..2890de8 100644
userdom_manage_user_home_content_dirs($1_t)
userdom_manage_user_home_content_files($1_t)
userdom_manage_user_home_content_symlinks($1_t)
-@@ -1201,13 +1595,17 @@ template(`userdom_admin_user_template',`
+@@ -1198,13 +1595,17 @@ template(`userdom_admin_user_template',`
userdom_manage_user_home_content_sockets($1_t)
userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
@@ -41372,7 +41175,7 @@ index 3c5dba7..2890de8 100644
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1243,7 +1641,7 @@ template(`userdom_admin_user_template',`
+@@ -1240,7 +1641,7 @@ template(`userdom_admin_user_template',`
##
##
#
@@ -41381,7 +41184,7 @@ index 3c5dba7..2890de8 100644
allow $1 self:capability { dac_read_search dac_override };
corecmd_exec_shell($1)
-@@ -1253,6 +1651,8 @@ template(`userdom_security_admin_template',`
+@@ -1250,6 +1651,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -41390,7 +41193,7 @@ index 3c5dba7..2890de8 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1265,8 +1665,10 @@ template(`userdom_security_admin_template',`
+@@ -1262,8 +1665,10 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -41402,7 +41205,7 @@ index 3c5dba7..2890de8 100644
auth_relabel_shadow($1)
init_exec($1)
-@@ -1277,29 +1679,31 @@ template(`userdom_security_admin_template',`
+@@ -1274,29 +1679,31 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -41445,7 +41248,7 @@ index 3c5dba7..2890de8 100644
')
optional_policy(`
-@@ -1360,14 +1764,17 @@ interface(`userdom_user_home_content',`
+@@ -1357,14 +1764,17 @@ interface(`userdom_user_home_content',`
gen_require(`
attribute user_home_content_type;
type user_home_t;
@@ -41464,7 +41267,7 @@ index 3c5dba7..2890de8 100644
')
########################################
-@@ -1408,6 +1815,51 @@ interface(`userdom_user_tmpfs_file',`
+@@ -1405,6 +1815,51 @@ interface(`userdom_user_tmpfs_file',`
##
## Allow domain to attach to TUN devices created by administrative users.
##
@@ -41516,7 +41319,7 @@ index 3c5dba7..2890de8 100644
##
##
## Domain allowed access.
-@@ -1512,11 +1964,31 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1509,11 +1964,31 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -41548,7 +41351,7 @@ index 3c5dba7..2890de8 100644
## Do not audit attempts to search user home directories.
##
##
-@@ -1558,6 +2030,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1555,6 +2030,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -41563,7 +41366,7 @@ index 3c5dba7..2890de8 100644
')
########################################
-@@ -1573,9 +2053,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1570,9 +2053,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -41575,7 +41378,7 @@ index 3c5dba7..2890de8 100644
')
########################################
-@@ -1632,6 +2114,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1629,6 +2114,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -41618,7 +41421,7 @@ index 3c5dba7..2890de8 100644
########################################
##
## Create directories in the home dir root with
-@@ -1711,6 +2229,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1708,6 +2229,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -41627,7 +41430,7 @@ index 3c5dba7..2890de8 100644
')
########################################
-@@ -1744,10 +2264,12 @@ interface(`userdom_list_all_user_home_content',`
+@@ -1741,10 +2264,12 @@ interface(`userdom_list_all_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -41642,7 +41445,7 @@ index 3c5dba7..2890de8 100644
')
########################################
-@@ -1772,7 +2294,25 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1769,7 +2294,25 @@ interface(`userdom_manage_user_home_content_dirs',`
########################################
##
@@ -41669,7 +41472,7 @@ index 3c5dba7..2890de8 100644
##
##
##
-@@ -1782,53 +2322,70 @@ interface(`userdom_manage_user_home_content_dirs',`
+@@ -1779,53 +2322,70 @@ interface(`userdom_manage_user_home_content_dirs',`
#
interface(`userdom_delete_all_user_home_content_dirs',`
gen_require(`
@@ -41752,7 +41555,7 @@ index 3c5dba7..2890de8 100644
## Do not audit attempts to set the
## attributes of user home files.
##
-@@ -1848,6 +2405,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+@@ -1845,6 +2405,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
########################################
##
@@ -41778,7 +41581,7 @@ index 3c5dba7..2890de8 100644
## Mmap user home files.
##
##
-@@ -1878,14 +2454,36 @@ interface(`userdom_mmap_user_home_content_files',`
+@@ -1875,14 +2454,36 @@ interface(`userdom_mmap_user_home_content_files',`
interface(`userdom_read_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -41816,7 +41619,7 @@ index 3c5dba7..2890de8 100644
## Do not audit attempts to read user home files.
##
##
-@@ -1896,11 +2494,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1893,11 +2494,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -41834,7 +41637,7 @@ index 3c5dba7..2890de8 100644
')
########################################
-@@ -1941,7 +2542,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1938,7 +2542,7 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
########################################
##
@@ -41843,7 +41646,7 @@ index 3c5dba7..2890de8 100644
##
##
##
-@@ -1949,19 +2550,17 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
+@@ -1946,10 +2550,9 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
##
##
#
@@ -41855,10 +41658,8 @@ index 3c5dba7..2890de8 100644
+ type user_home_t;
')
-- userdom_search_user_home_content($1)
-- delete_files_pattern($1 { user_home_dir_t user_home_content_type }, user_home_content_type)
-+ allow $1 user_home_t:file delete_file_perms;
- ')
+ userdom_search_user_home_content($1)
+@@ -1958,7 +2561,7 @@ interface(`userdom_delete_all_user_home_content_files',`
########################################
##
@@ -41867,7 +41668,7 @@ index 3c5dba7..2890de8 100644
##
##
##
-@@ -1969,35 +2568,35 @@ interface(`userdom_delete_all_user_home_content_files',`
+@@ -1966,12 +2569,66 @@ interface(`userdom_delete_all_user_home_content_files',`
##
##
#
@@ -41880,102 +41681,29 @@ index 3c5dba7..2890de8 100644
- allow $1 user_home_t:file delete_file_perms;
+ allow $1 user_home_type:file delete_file_perms;
- ')
-
- ########################################
- ##
--## Do not audit attempts to write user home files.
-+## Delete sock files in a user home subdirectory.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`userdom_dontaudit_relabel_user_home_content_files',`
-+interface(`userdom_delete_user_home_content_sock_files',`
- gen_require(`
- type user_home_t;
- ')
-
-- dontaudit $1 user_home_t:file relabel_file_perms;
-+ allow $1 user_home_t:sock_file delete_file_perms;
- ')
-
- ########################################
- ##
--## Read user home subdirectory symbolic links.
-+## Delete all sock files in a user home subdirectory.
- ##
- ##
- ##
-@@ -2005,45 +2604,92 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',`
- ##
- ##
- #
--interface(`userdom_read_user_home_content_symlinks',`
-+interface(`userdom_delete_all_user_home_content_sock_files',`
- gen_require(`
-- type user_home_dir_t, user_home_t;
-+ attribute user_home_type;
- ')
-
-- read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-- files_search_home($1)
-+ allow $1 user_home_type:sock_file delete_file_perms;
- ')
-
- ########################################
- ##
--## Execute user home files.
-+## Delete all files in a user home subdirectory.
- ##
- ##
- ##
- ## Domain allowed access.
- ##
- ##
--##
- #
--interface(`userdom_exec_user_home_content_files',`
-+interface(`userdom_delete_all_user_home_content',`
- gen_require(`
-- type user_home_dir_t, user_home_t;
-+ attribute user_home_type;
- ')
-
-- files_search_home($1)
-- exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
-+ allow $1 user_home_type:dir_file_class_set delete_file_perms;
+')
-
-- tunable_policy(`use_nfs_home_dirs',`
-- fs_exec_nfs_files($1)
++
+########################################
+##
-+## Do not audit attempts to write user home files.
++## Delete sock files in a user home subdirectory.
+##
+##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
+##
+#
-+interface(`userdom_dontaudit_relabel_user_home_content_files',`
++interface(`userdom_delete_user_home_content_sock_files',`
+ gen_require(`
+ type user_home_t;
- ')
-
-- tunable_policy(`use_samba_home_dirs',`
-- fs_exec_cifs_files($1)
-+ dontaudit $1 user_home_t:file relabel_file_perms;
++ ')
++
++ allow $1 user_home_t:sock_file delete_file_perms;
+')
+
+########################################
+##
-+## Read user home subdirectory symbolic links.
++## Delete all sock files in a user home subdirectory.
+##
+##
+##
@@ -41983,42 +41711,70 @@ index 3c5dba7..2890de8 100644
+##
+##
+#
-+interface(`userdom_read_user_home_content_symlinks',`
++interface(`userdom_delete_all_user_home_content_sock_files',`
+ gen_require(`
-+ type user_home_dir_t, user_home_t;
- ')
++ attribute user_home_type;
++ ')
+
-+ allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
- ##
-+## Execute user home files.
++ allow $1 user_home_type:sock_file delete_file_perms;
++')
++
++########################################
++##
++## Delete all files in a user home subdirectory.
+##
+##
+##
+## Domain allowed access.
+##
+##
-+##
+#
-+interface(`userdom_exec_user_home_content_files',`
++interface(`userdom_delete_all_user_home_content',`
+ gen_require(`
-+ type user_home_dir_t;
+ attribute user_home_type;
+ ')
+
-+ files_search_home($1)
++ allow $1 user_home_type:dir_file_class_set delete_file_perms;
+ ')
+
+ ########################################
+@@ -2007,8 +2664,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+ type user_home_dir_t, user_home_t;
+ ')
+
+- read_lnk_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+- files_search_home($1)
++ allow $1 { user_home_dir_t user_home_t }:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -2024,21 +2680,15 @@ interface(`userdom_read_user_home_content_symlinks',`
+ #
+ interface(`userdom_exec_user_home_content_files',`
+ gen_require(`
+- type user_home_dir_t, user_home_t;
++ type user_home_dir_t;
++ attribute user_home_type;
+ ')
+
+ files_search_home($1)
+- exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
+-
+- tunable_policy(`use_nfs_home_dirs',`
+- fs_exec_nfs_files($1)
+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ dontaudit $1 user_home_type:sock_file execute;
-+ ')
-+
-+########################################
-+##
+ ')
+
+- tunable_policy(`use_samba_home_dirs',`
+- fs_exec_cifs_files($1)
+- ')
+-')
+-
+ ########################################
+ ##
## Do not audit attempts to execute user home files.
- ##
- ##
-@@ -2123,7 +2769,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2120,7 +2770,7 @@ interface(`userdom_manage_user_home_content_symlinks',`
########################################
##
@@ -42027,7 +41783,7 @@ index 3c5dba7..2890de8 100644
##
##
##
-@@ -2131,19 +2777,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
+@@ -2128,19 +2778,17 @@ interface(`userdom_manage_user_home_content_symlinks',`
##
##
#
@@ -42051,7 +41807,7 @@ index 3c5dba7..2890de8 100644
##
##
##
-@@ -2151,12 +2795,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
+@@ -2148,12 +2796,12 @@ interface(`userdom_delete_all_user_home_content_symlinks',`
##
##
#
@@ -42067,7 +41823,7 @@ index 3c5dba7..2890de8 100644
')
########################################
-@@ -2393,11 +3037,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
+@@ -2390,11 +3038,11 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
#
interface(`userdom_read_user_tmp_files',`
gen_require(`
@@ -42082,7 +41838,7 @@ index 3c5dba7..2890de8 100644
files_search_tmp($1)
')
-@@ -2417,7 +3061,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2414,7 +3062,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -42091,7 +41847,7 @@ index 3c5dba7..2890de8 100644
')
########################################
-@@ -2664,6 +3308,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
+@@ -2661,6 +3309,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
@@ -42117,7 +41873,7 @@ index 3c5dba7..2890de8 100644
########################################
##
## Read user tmpfs files.
-@@ -2680,13 +3343,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2677,13 +3344,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -42133,7 +41889,7 @@ index 3c5dba7..2890de8 100644
##
##
##
-@@ -2707,7 +3371,7 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2704,7 +3372,7 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
##
@@ -42142,7 +41898,7 @@ index 3c5dba7..2890de8 100644
##
##
##
-@@ -2715,14 +3379,30 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2712,14 +3380,30 @@ interface(`userdom_rw_user_tmpfs_files',`
##
##
#
@@ -42177,7 +41933,7 @@ index 3c5dba7..2890de8 100644
')
########################################
-@@ -2817,6 +3497,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2814,6 +3498,24 @@ interface(`userdom_use_user_ttys',`
########################################
##
@@ -42202,7 +41958,7 @@ index 3c5dba7..2890de8 100644
## Read and write a user domain pty.
##
##
-@@ -2835,22 +3533,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2832,22 +3534,34 @@ interface(`userdom_use_user_ptys',`
########################################
##
@@ -42245,7 +42001,7 @@ index 3c5dba7..2890de8 100644
##
##
##
-@@ -2859,14 +3569,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2856,14 +3570,33 @@ interface(`userdom_use_user_ptys',`
##
##
#
@@ -42283,7 +42039,7 @@ index 3c5dba7..2890de8 100644
')
########################################
-@@ -2885,8 +3614,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
+@@ -2882,8 +3615,27 @@ interface(`userdom_dontaudit_use_user_terminals',`
type user_tty_device_t, user_devpts_t;
')
@@ -42313,7 +42069,7 @@ index 3c5dba7..2890de8 100644
')
########################################
-@@ -2958,69 +3706,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
+@@ -2955,69 +3707,68 @@ interface(`userdom_spec_domtrans_unpriv_users',`
allow unpriv_userdomain $1:process sigchld;
')
@@ -42414,7 +42170,7 @@ index 3c5dba7..2890de8 100644
##
##
##
-@@ -3028,12 +3775,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
+@@ -3025,12 +3776,12 @@ interface(`userdom_manage_unpriv_user_semaphores',`
##
##
#
@@ -42429,7 +42185,7 @@ index 3c5dba7..2890de8 100644
')
########################################
-@@ -3097,7 +3844,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3094,7 +3845,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -42438,7 +42194,7 @@ index 3c5dba7..2890de8 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -3113,29 +3860,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -3110,29 +3861,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -42472,7 +42228,7 @@ index 3c5dba7..2890de8 100644
')
########################################
-@@ -3217,7 +3948,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -3214,7 +3949,25 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -42499,7 +42255,7 @@ index 3c5dba7..2890de8 100644
')
########################################
-@@ -3272,12 +4021,13 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3269,12 +4022,13 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -42515,7 +42271,7 @@ index 3c5dba7..2890de8 100644
##
##
##
-@@ -3285,46 +4035,122 @@ interface(`userdom_write_user_tmp_files',`
+@@ -3282,46 +4036,122 @@ interface(`userdom_write_user_tmp_files',`
##
##
#
@@ -42651,7 +42407,7 @@ index 3c5dba7..2890de8 100644
')
allow $1 userdomain:process getattr;
-@@ -3385,6 +4211,42 @@ interface(`userdom_signal_all_users',`
+@@ -3382,6 +4212,42 @@ interface(`userdom_signal_all_users',`
allow $1 userdomain:process signal;
')
@@ -42694,7 +42450,7 @@ index 3c5dba7..2890de8 100644
########################################
##
## Send a SIGCHLD signal to all user domains.
-@@ -3405,6 +4267,24 @@ interface(`userdom_sigchld_all_users',`
+@@ -3402,6 +4268,24 @@ interface(`userdom_sigchld_all_users',`
########################################
##
@@ -42719,7 +42475,7 @@ index 3c5dba7..2890de8 100644
## Create keys for all user domains.
##
##
-@@ -3438,4 +4318,1630 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3435,4 +4319,1630 @@ interface(`userdom_dbus_send_all_users',`
')
allow $1 userdomain:dbus send_msg;
@@ -44351,10 +44107,10 @@ index 3c5dba7..2890de8 100644
+')
+
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
-index e2b538b..e0c6eeb 100644
+index f4ac38d..ce05b4f 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
-@@ -7,48 +7,43 @@ policy_module(userdomain, 4.8.5)
+@@ -7,48 +7,43 @@ policy_module(userdomain, 4.9.1)
##
##
diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch
index 9d9f59d..5e63791 100644
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@@ -1,8 +1,8 @@
diff --git a/abrt.fc b/abrt.fc
-index e4f84de..2ed712d 100644
+index 1a93dc5..40dda9e 100644
--- a/abrt.fc
+++ b/abrt.fc
-@@ -1,30 +1,42 @@
+@@ -1,31 +1,41 @@
-/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
-/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
@@ -14,16 +14,19 @@ index e4f84de..2ed712d 100644
-/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
+/usr/lib/systemd/system/abrt.* -- gen_context(system_u:object_r:abrt_unit_file_t,s0)
+
-+/usr/bin/abrt-dump-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
++/usr/bin/abrt-dump-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
+/usr/bin/abrt-uefioops-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
+/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
-+/usr/bin/abrt-watch-log -- gen_context(system_u:object_r:abrt_watch_log_exec_t,s0)
-+
-+/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
-+/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
-+/usr/sbin/abrt-harvest.* -- gen_context(system_u:object_r:abrt_exec_t,s0)
++/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
++/usr/bin/abrt-watch-log -- gen_context(system_u:object_r:abrt_watch_log_exec_t,s0)
++/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
++/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
++
++/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
++/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
++/usr/sbin/abrt-harvest.* -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-install-ccpp-hook -- gen_context(system_u:object_r:abrt_exec_t,s0)
-+/usr/sbin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
++/usr/sbin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
-/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
/usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
@@ -31,44 +34,41 @@ index e4f84de..2ed712d 100644
-/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
-/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
-+/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-+/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+-/usr/sbin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
++/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
++/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
++/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
++/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
+
+/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0)
+
-+/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
++/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
+/var/run/abrtd?\.socket -- gen_context(system_u:object_r:abrt_var_run_t,s0)
-+/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
++/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
++
++/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
++/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
++/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
-/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
-/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
-+/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-+/var/tmp/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
++/var/tmp/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0)
-+# ABRT retrace server
-+/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
-+/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
-/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
-/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
-/var/run/abrtd?\.socket -s gen_context(system_u:object_r:abrt_var_run_t,s0)
-/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
-+/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
-+/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
-/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
-/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
-/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
-+# cjp: new version
-+/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
-+/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
-+/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
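Review bot: The file-context entry the patch keeps for the daemon socket, `/var/run/abrtd?\.socket -- gen_context(system_u:object_r:abrt_var_run_t,s0)`, uses the regular-file class `--`, while the upstream line it replaces in the same hunk uses `-s`; if that path is a Unix socket (the name suggests so, but it is not shown here), a `--` spec never matches it and the socket falls back to the generic /var/run label instead of abrt_var_run_t. The sibling `/var/run/abrt(/.*)?` entry does not cover it either, because that regex is anchored on `/var/run/abrt` followed by a slash. Suggested line: `/var/run/abrtd?\.socket -s gen_context(system_u:object_r:abrt_var_run_t,s0)`, or a short comment on why the class was changed if the change is deliberate.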
diff --git a/abrt.if b/abrt.if
-index 058d908..702b716 100644
+index 058d908..9d57403 100644
--- a/abrt.if
+++ b/abrt.if
@@ -1,4 +1,26 @@
@@ -160,21 +160,12 @@ index 058d908..702b716 100644
##
##
##
-@@ -154,17 +174,35 @@ interface(`abrt_domtrans_helper',`
- #
- interface(`abrt_run_helper',`
- gen_require(`
-- attribute_role abrt_helper_roles;
-+ type abrt_helper_t;
- ')
+@@ -163,8 +183,26 @@ interface(`abrt_run_helper',`
- abrt_domtrans_helper($1)
-- roleattribute $2 abrt_helper_roles;
-+ role $2 types abrt_helper_t;
-+')
-+
-+########################################
-+##
+ ########################################
+ ##
+-## Create, read, write, and delete
+-## abrt cache files.
+## Read abrt cache
+##
+##
@@ -190,12 +181,10 @@ index 058d908..702b716 100644
+
+ read_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+ read_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
- ')
-
- ########################################
- ##
--## Create, read, write, and delete
--## abrt cache files.
++')
++
++########################################
++##
+## Append abrt cache
##
##
@@ -520,16 +509,10 @@ index 058d908..702b716 100644
+')
+
diff --git a/abrt.te b/abrt.te
-index cc43d25..924daba 100644
+index eb50f07..6ba0357 100644
--- a/abrt.te
+++ b/abrt.te
-@@ -1,4 +1,4 @@
--policy_module(abrt, 1.3.4)
-+policy_module(abrt, 1.2.0)
-
- ########################################
- #
-@@ -6,105 +6,131 @@ policy_module(abrt, 1.3.4)
+@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
#
##
@@ -545,32 +528,10 @@ index cc43d25..924daba 100644
##
gen_tunable(abrt_anon_write, false)
- ##
--##
--## Determine whether ABRT can run in
--## the abrt_handle_event_t domain to
--## handle ABRT event scripts.
--##
-+##
-+## Allow abrt-handle-upload to modify public files
-+## used for public file transfer services in /var/spool/abrt-upload/.
-+##
-+##
-+gen_tunable(abrt_upload_watch_anon_write, true)
-+
-+##
-+##
-+## Allow ABRT to run in abrt_handle_event_t domain
-+## to handle ABRT event scripts
-+##
- ##
- gen_tunable(abrt_handle_event, false)
-
- attribute abrt_domain;
+@@ -37,13 +36,15 @@ attribute abrt_domain;
+ attribute_role abrt_helper_roles;
+ roleattribute system_r abrt_helper_roles;
--attribute_role abrt_helper_roles;
--roleattribute system_r abrt_helper_roles;
--
-type abrt_t, abrt_domain;
-type abrt_exec_t;
+abrt_basic_types_template(abrt)
@@ -582,24 +543,16 @@ index cc43d25..924daba 100644
+type abrt_unit_file_t;
+systemd_unit_file(abrt_unit_file_t)
+
-+# etc files
type abrt_etc_t;
files_config_file(abrt_etc_t)
-+# log files
- type abrt_var_log_t;
- logging_log_file(abrt_var_log_t)
-
- type abrt_tmp_t;
- files_tmp_file(abrt_tmp_t)
+@@ -55,69 +56,75 @@ files_tmp_file(abrt_tmp_t)
-+# var/cache files
type abrt_var_cache_t;
files_type(abrt_var_cache_t)
+files_tmp_file(abrt_var_cache_t)
+userdom_user_tmp_content(abrt_var_cache_t)
-+# pid files
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)
@@ -612,8 +565,6 @@ index cc43d25..924daba 100644
-type abrt_handle_event_exec_t;
-domain_type(abrt_handle_event_t)
-domain_entry_file(abrt_handle_event_t, abrt_handle_event_exec_t)
-+# type for abrt-handle-event to handle
-+# ABRT event scripts
+abrt_basic_types_template(abrt_handle_event)
+application_domain(abrt_handle_event_t, abrt_handle_event_exec_t)
role system_r types abrt_handle_event_t;
@@ -626,26 +577,18 @@ index cc43d25..924daba 100644
+# to handle /var/cache/abrt
+abrt_basic_types_template(abrt_helper)
application_domain(abrt_helper_t, abrt_helper_exec_t)
--role abrt_helper_roles types abrt_helper_t;
-+role system_r types abrt_helper_t;
+ role abrt_helper_roles types abrt_helper_t;
-type abrt_retrace_coredump_t, abrt_domain;
-type abrt_retrace_coredump_exec_t;
-domain_type(abrt_retrace_coredump_t)
-domain_entry_file(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t)
-role system_r types abrt_retrace_coredump_t;
-+ifdef(`enable_mcs',`
-+ init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
-+')
-+
-+#
-+# Support for ABRT retrace server
-
+-
-type abrt_retrace_worker_t, abrt_domain;
-type abrt_retrace_worker_exec_t;
-domain_type(abrt_retrace_worker_t)
-domain_entry_file(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
-+#
+abrt_basic_types_template(abrt_retrace_worker)
+application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
role system_r types abrt_retrace_worker_t;
@@ -663,19 +606,21 @@ index cc43d25..924daba 100644
-type abrt_watch_log_t, abrt_domain;
-type abrt_watch_log_exec_t;
-+# Support abrt-watch log
+abrt_basic_types_template(abrt_watch_log)
init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t)
--ifdef(`enable_mcs',`
-- init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
--')
-+# Support for abrt-upload-watch
+-type abrt_upload_watch_t, abrt_domain;
+-type abrt_upload_watch_exec_t;
+abrt_basic_types_template(abrt_upload_watch)
-+init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t)
-+
+ init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t)
+
+type abrt_upload_watch_tmp_t;
+files_tmp_file(abrt_upload_watch_tmp_t)
++
++
+ ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
+ ')
########################################
#
@@ -705,7 +650,7 @@ index cc43d25..924daba 100644
manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
logging_log_filetrans(abrt_t, abrt_var_log_t, file)
-@@ -112,23 +138,29 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
+@@ -125,23 +132,29 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
@@ -737,7 +682,7 @@ index cc43d25..924daba 100644
kernel_request_load_module(abrt_t)
kernel_rw_kernel_sysctl(abrt_t)
-@@ -137,16 +169,14 @@ corecmd_exec_shell(abrt_t)
+@@ -150,16 +163,14 @@ corecmd_exec_shell(abrt_t)
corecmd_read_all_executables(abrt_t)
corenet_all_recvfrom_netlabel(abrt_t)
@@ -756,7 +701,7 @@ index cc43d25..924daba 100644
dev_getattr_all_chr_files(abrt_t)
dev_getattr_all_blk_files(abrt_t)
-@@ -163,29 +193,37 @@ files_getattr_all_files(abrt_t)
+@@ -176,29 +187,37 @@ files_getattr_all_files(abrt_t)
files_read_config_files(abrt_t)
files_read_etc_runtime_files(abrt_t)
files_read_var_symlinks(abrt_t)
@@ -797,7 +742,7 @@ index cc43d25..924daba 100644
tunable_policy(`abrt_anon_write',`
miscfiles_manage_public_files(abrt_t)
-@@ -193,15 +231,11 @@ tunable_policy(`abrt_anon_write',`
+@@ -206,15 +225,11 @@ tunable_policy(`abrt_anon_write',`
optional_policy(`
apache_list_modules(abrt_t)
@@ -814,7 +759,7 @@ index cc43d25..924daba 100644
')
optional_policy(`
-@@ -209,6 +243,16 @@ optional_policy(`
+@@ -222,6 +237,16 @@ optional_policy(`
')
optional_policy(`
@@ -831,7 +776,7 @@ index cc43d25..924daba 100644
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
policykit_read_reload(abrt_t)
-@@ -220,6 +264,7 @@ optional_policy(`
+@@ -233,6 +258,7 @@ optional_policy(`
corecmd_exec_all_executables(abrt_t)
')
@@ -839,7 +784,7 @@ index cc43d25..924daba 100644
optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
-@@ -230,6 +275,7 @@ optional_policy(`
+@@ -243,6 +269,7 @@ optional_policy(`
rpm_signull(abrt_t)
')
@@ -847,7 +792,7 @@ index cc43d25..924daba 100644
optional_policy(`
sendmail_domtrans(abrt_t)
')
-@@ -240,9 +286,17 @@ optional_policy(`
+@@ -253,9 +280,17 @@ optional_policy(`
sosreport_delete_tmp_files(abrt_t)
')
@@ -866,7 +811,7 @@ index cc43d25..924daba 100644
#
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
-@@ -253,9 +307,13 @@ tunable_policy(`abrt_handle_event',`
+@@ -266,9 +301,13 @@ tunable_policy(`abrt_handle_event',`
can_exec(abrt_t, abrt_handle_event_exec_t)
')
@@ -881,7 +826,7 @@ index cc43d25..924daba 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -268,6 +326,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
+@@ -281,6 +320,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
@@ -889,7 +834,7 @@ index cc43d25..924daba 100644
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
-@@ -276,15 +335,20 @@ corecmd_read_all_executables(abrt_helper_t)
+@@ -289,15 +329,20 @@ corecmd_read_all_executables(abrt_helper_t)
domain_read_all_domains_state(abrt_helper_t)
@@ -910,7 +855,7 @@ index cc43d25..924daba 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -292,11 +356,25 @@ ifdef(`hide_broken_symptoms',`
+@@ -305,11 +350,25 @@ ifdef(`hide_broken_symptoms',`
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -937,7 +882,7 @@ index cc43d25..924daba 100644
#
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
-@@ -314,10 +392,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
+@@ -327,10 +386,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
dev_read_urand(abrt_retrace_coredump_t)
@@ -951,7 +896,7 @@ index cc43d25..924daba 100644
optional_policy(`
rpm_exec(abrt_retrace_coredump_t)
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
-@@ -330,10 +410,11 @@ optional_policy(`
+@@ -343,10 +404,11 @@ optional_policy(`
#######################################
#
@@ -965,7 +910,7 @@ index cc43d25..924daba 100644
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
-@@ -352,46 +433,56 @@ corecmd_exec_shell(abrt_retrace_worker_t)
+@@ -365,38 +427,48 @@ corecmd_exec_shell(abrt_retrace_worker_t)
dev_read_urand(abrt_retrace_worker_t)
@@ -1017,8 +962,7 @@ index cc43d25..924daba 100644
#######################################
#
--# Watch log local policy
-+# abrt_watch_log local policy
+@@ -404,7 +476,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
#
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
@@ -1027,26 +971,23 @@ index cc43d25..924daba 100644
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
-@@ -400,16 +491,50 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
+@@ -413,16 +485,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
corecmd_exec_bin(abrt_watch_log_t)
logging_read_all_logs(abrt_watch_log_t)
+logging_send_syslog_msg(abrt_watch_log_t)
+
-+#optional_policy(`
-+# unconfined_domain(abrt_watch_log_t)
-+#')
++tunable_policy(`abrt_upload_watch_anon_write',`
++ miscfiles_manage_public_files(abrt_upload_watch_t)
++')
#######################################
#
--# Global local policy
-+# abrt-upload-watch local policy
+ # Upload watch local policy
#
--kernel_read_system_state(abrt_domain)
+allow abrt_upload_watch_t self:capability dac_override;
-
--files_read_etc_files(abrt_domain)
++
+manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+manage_dirs_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
+manage_lnk_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
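Review bot: `allow abrt_upload_watch_t self:capability dac_override;` is introduced with no comment saying which operation needs it; `dac_override` bypasses all file mode checks for the domain, so a one-line comment naming the file or directory that is inaccessible without it, and a check whether the narrower `dac_read_search` would do, belong next to the rule. Separately, the `tunable_policy(`abrt_upload_watch_anon_write', ...)` block placed right after `logging_send_syslog_msg(abrt_watch_log_t)` grants `miscfiles_manage_public_files` to `abrt_upload_watch_t` while sitting in the watch-log section, and the same tunable block appears again in the upload-watch section in the following hunk; the first copy looks like a leftover of the rebase and one of the two should be dropped. The watch-log section this hunk edits begins outside the hunk.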
@@ -1055,34 +996,38 @@ index cc43d25..924daba 100644
+read_files_pattern(abrt_upload_watch_t, abrt_etc_t, abrt_etc_t)
+
+manage_dirs_pattern(abrt_upload_watch_t, abrt_var_cache_t, abrt_var_cache_t)
-
--logging_send_syslog_msg(abrt_domain)
-+corecmd_exec_bin(abrt_upload_watch_t)
+
+ corecmd_exec_bin(abrt_upload_watch_t)
+
+dev_read_urand(abrt_upload_watch_t)
+
+files_search_spool(abrt_upload_watch_t)
+
+auth_read_passwd(abrt_upload_watch_t)
+
-+tunable_policy(`abrt_upload_watch_anon_write',`
+ tunable_policy(`abrt_upload_watch_anon_write',`
+- miscfiles_manage_public_files(abrt_upload_watch_t)
+ miscfiles_manage_public_files(abrt_upload_watch_t)
+')
-
--miscfiles_read_localization(abrt_domain)
++
+optional_policy(`
+ dbus_system_bus_client(abrt_upload_watch_t)
-+')
-+
-+#######################################
-+#
-+# Local policy for all abrt domain
-+#
-+
+ ')
+
+ #######################################
+@@ -430,10 +528,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
+ # Global local policy
+ #
+
+-kernel_read_system_state(abrt_domain)
+allow abrt_domain abrt_var_run_t:sock_file write_sock_file_perms;
+allow abrt_domain abrt_var_run_t:unix_stream_socket connectto;
-+
-+files_read_etc_files(abrt_domain)
+
+ files_read_etc_files(abrt_domain)
+-
+-logging_send_syslog_msg(abrt_domain)
+-
+-miscfiles_read_localization(abrt_domain)
diff --git a/accountsd.fc b/accountsd.fc
index f9d8d7a..0682710 100644
--- a/accountsd.fc
@@ -1154,7 +1099,7 @@ index bd5ec9a..a5ed692 100644
+ allow $1 accountsd_unit_file_t:service all_service_perms;
')
diff --git a/accountsd.te b/accountsd.te
-index 313b33f..6e0a894 100644
+index 3593510..b6a0f70 100644
--- a/accountsd.te
+++ b/accountsd.te
@@ -4,6 +4,10 @@ gen_require(`
@@ -1193,18 +1138,16 @@ index 313b33f..6e0a894 100644
fs_getattr_xattr_fs(accountsd_t)
fs_list_inotifyfs(accountsd_t)
-@@ -48,8 +55,9 @@ auth_use_nsswitch(accountsd_t)
+@@ -48,7 +55,7 @@ auth_use_nsswitch(accountsd_t)
auth_read_login_records(accountsd_t)
auth_read_shadow(accountsd_t)
-miscfiles_read_localization(accountsd_t)
+init_dbus_chat(accountsd_t)
-+logging_list_logs(accountsd_t)
+ logging_list_logs(accountsd_t)
logging_send_syslog_msg(accountsd_t)
- logging_set_loginuid(accountsd_t)
-
-@@ -65,9 +73,16 @@ optional_policy(`
+@@ -66,9 +73,16 @@ optional_policy(`
')
optional_policy(`
@@ -1266,7 +1209,7 @@ index 81280d0..bc4038b 100644
domain_system_change_exemption($1)
role_transition $2 acct_initrc_exec_t system_r;
diff --git a/acct.te b/acct.te
-index 1a1c91a..d538827 100644
+index 8b9ad83..f4f2486 100644
--- a/acct.te
+++ b/acct.te
@@ -40,8 +40,6 @@ corecmd_exec_shell(acct_t)
@@ -1296,7 +1239,7 @@ index 1a1c91a..d538827 100644
userdom_dontaudit_use_unpriv_user_fds(acct_t)
diff --git a/ada.te b/ada.te
-index 8b5ad06..8ce8f26 100644
+index 8d42c97..2377f8f 100644
--- a/ada.te
+++ b/ada.te
@@ -20,7 +20,7 @@ role ada_roles types ada_t;
@@ -1359,7 +1302,7 @@ index 3b41be6..97d99f9 100644
afs_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/afs.te b/afs.te
-index 6690cdf..7726644 100644
+index 90ce637..2e9f5d9 100644
--- a/afs.te
+++ b/afs.te
@@ -83,8 +83,16 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir })
@@ -1535,7 +1478,7 @@ index 3b5dcb9..fbe187f 100644
domain_system_change_exemption($1)
role_transition $2 aiccu_initrc_exec_t system_r;
diff --git a/aiccu.te b/aiccu.te
-index 72c33c2..6e4206c 100644
+index 5d2b90e..f1cf098 100644
--- a/aiccu.te
+++ b/aiccu.te
@@ -48,7 +48,6 @@ corenet_all_recvfrom_unlabeled(aiccu_t)
@@ -1580,7 +1523,7 @@ index 01cbb67..94a4a24 100644
files_list_etc($1)
diff --git a/aide.te b/aide.te
-index 4b28ab3..f781a7a 100644
+index 03831e6..cfc9115 100644
--- a/aide.te
+++ b/aide.te
@@ -10,6 +10,7 @@ attribute_role aide_roles;
@@ -1647,7 +1590,7 @@ index a2997fa..861cebd 100644
domain_system_change_exemption($1)
role_transition $2 aisexec_initrc_exec_t system_r;
diff --git a/aisexec.te b/aisexec.te
-index 196f7cf..3b5354f 100644
+index 4e4f063..808e067 100644
--- a/aisexec.te
+++ b/aisexec.te
@@ -63,6 +63,7 @@ files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file })
@@ -1854,10 +1797,10 @@ index 0000000..a95a4ad
+')
+
diff --git a/alsa.fc b/alsa.fc
-index 5de1e01..e5ab7ff 100644
+index 33d9d31..03a150d 100644
--- a/alsa.fc
+++ b/alsa.fc
-@@ -19,4 +19,8 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
+@@ -23,4 +23,8 @@ ifdef(`distro_debian',`
/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
@@ -1868,7 +1811,7 @@ index 5de1e01..e5ab7ff 100644
+
+/var/run/alsactl\.pid -- gen_context(system_u:object_r:alsa_var_run_t,s0)
diff --git a/alsa.if b/alsa.if
-index 708b743..cc78465 100644
+index ca8d8cf..2cc5ce6 100644
--- a/alsa.if
+++ b/alsa.if
@@ -168,6 +168,7 @@ interface(`alsa_manage_home_files',`
@@ -1879,7 +1822,7 @@ index 708b743..cc78465 100644
')
########################################
-@@ -210,49 +211,85 @@ interface(`alsa_relabel_home_files',`
+@@ -210,51 +211,87 @@ interface(`alsa_relabel_home_files',`
########################################
##
@@ -1980,11 +1923,13 @@ index 708b743..cc78465 100644
+
+ ps_process_pattern($1, alsa_t)
')
+
+ #########################################
diff --git a/alsa.te b/alsa.te
-index cda6d20..443ce3c 100644
+index 4b153f1..2403849 100644
--- a/alsa.te
+++ b/alsa.te
-@@ -21,16 +21,23 @@ files_tmp_file(alsa_tmp_t)
+@@ -24,16 +24,23 @@ files_tmpfs_file(alsa_tmpfs_t)
type alsa_var_lib_t;
files_type(alsa_var_lib_t)
@@ -2010,7 +1955,7 @@ index cda6d20..443ce3c 100644
allow alsa_t self:sem create_sem_perms;
allow alsa_t self:shm create_shm_perms;
allow alsa_t self:unix_stream_socket { accept listen };
-@@ -51,6 +58,11 @@ userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
+@@ -57,6 +64,11 @@ fs_tmpfs_filetrans(alsa_t, alsa_tmpfs_t, file)
manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
@@ -2022,15 +1967,15 @@ index cda6d20..443ce3c 100644
kernel_read_system_state(alsa_t)
corecmd_exec_bin(alsa_t)
-@@ -59,7 +71,6 @@ dev_read_sound(alsa_t)
- dev_read_sysfs(alsa_t)
+@@ -67,7 +79,6 @@ dev_read_sysfs(alsa_t)
+ dev_read_urand(alsa_t)
dev_write_sound(alsa_t)
-files_read_usr_files(alsa_t)
files_search_var_lib(alsa_t)
term_dontaudit_use_console(alsa_t)
-@@ -72,8 +83,6 @@ init_use_fds(alsa_t)
+@@ -80,8 +91,6 @@ init_use_fds(alsa_t)
logging_send_syslog_msg(alsa_t)
@@ -2060,7 +2005,7 @@ index 7f4dfbc..e5c9f45 100644
/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
diff --git a/amanda.te b/amanda.te
-index ed45974..ec7bb41 100644
+index 519051c..52f2c41 100644
--- a/amanda.te
+++ b/amanda.te
@@ -9,11 +9,14 @@ attribute_role amanda_recover_roles;
@@ -2221,7 +2166,7 @@ index 60d4f8c..18ef077 100644
domain_system_change_exemption($1)
role_transition $2 amavis_initrc_exec_t system_r;
diff --git a/amavis.te b/amavis.te
-index ab55ba7..a95b541 100644
+index 91fa72a..0b1afd6 100644
--- a/amavis.te
+++ b/amavis.te
@@ -39,7 +39,7 @@ type amavis_quarantine_t;
@@ -2307,7 +2252,7 @@ index ab55ba7..a95b541 100644
postfix_list_spool(amavis_t)
')
diff --git a/amtu.te b/amtu.te
-index c960f92..486e9ed 100644
+index 16d0d66..60abfd0 100644
--- a/amtu.te
+++ b/amtu.te
@@ -24,11 +24,10 @@ kernel_read_system_state(amtu_t)
@@ -2324,7 +2269,7 @@ index c960f92..486e9ed 100644
optional_policy(`
nscd_dontaudit_search_pid(amtu_t)
diff --git a/anaconda.te b/anaconda.te
-index 6f1384c..9f23456 100644
+index aa44abf..16a6342 100644
--- a/anaconda.te
+++ b/anaconda.te
@@ -4,6 +4,10 @@ gen_require(`
@@ -3007,10 +2952,10 @@ index 0000000..8ba9c95
+ spamassassin_read_pid_files(antivirus_domain)
+')
diff --git a/apache.fc b/apache.fc
-index 550a69e..66ba451 100644
+index 7caefc3..ddfe9a9 100644
--- a/apache.fc
+++ b/apache.fc
-@@ -1,161 +1,200 @@
+@@ -1,162 +1,189 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -3215,6 +3160,7 @@ index 550a69e..66ba451 100644
+/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/lib/moodle(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/mod_security(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/nginx(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
@@ -3239,6 +3185,8 @@ index 550a69e..66ba451 100644
+/var/lib/openshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/var/lib/openshift/\.log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/lib/owncloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/lib/rt(3|4)/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+/var/lib/stickshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
+/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -3260,32 +3208,6 @@ index 550a69e..66ba451 100644
+ifdef(`distro_debian', `
+/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+')
-+
-+/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/var/lib/rt(3|4)/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-+
-+/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-+/var/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
-+/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
-+/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-+/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-+/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-+/var/run/nginx.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-+/var/run/php-fpm(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-+/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
-+/var/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
-+
-+/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
-+/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-+
-+/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-+/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-+/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-+/var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
-/var/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
@@ -3302,45 +3224,57 @@ index 550a69e..66ba451 100644
-/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-
-/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
--/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+-/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
-/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/nginx.* gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/php-fpm(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
++
++/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
++/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
++/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
++
++/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
++/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
++/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/html/[^/]*/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-/var/www/html/[^/]*/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/html/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+-/var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
-/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-+
+/var/www/html(/.*)?/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
+/var/www/html(/.*)?/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
-+
+/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+
+/var/www/html(/.*)?/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+
+/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+
++/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
++/var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+
+/var/www/moodle/data(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+
-+/var/lib/moodle(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-+
+/var/www/openshift/console/tmp(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
+/var/www/openshift/console/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-+
+/var/www/openshift/broker/httpd/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/openshift/console/httpd/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/openshift/broker/httpd/run(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/www/openshift/console/httpd/run(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-+
++/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/stickshift/[^/]*/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
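Review bot: The new side re-labels `/var/www/svn(/.*)?` as httpd_sys_rw_content_t and `/var/www/svn/hooks` as script-exec, but does not carry over upstream's `/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)` entry that this hunk removes, so whatever lives under svn/conf (presumably the repository's authz/passwd configuration) becomes writable by httpd_t along with the repository data. Unless that entry is restored in the line between this hunk and the next, adding it back keeps the configuration read-only while the repository stays writable, since the more specific file_contexts entry takes precedence over the `/var/www/svn(/.*)?` one. The `/var/www(/.*)?/logs(/.*)?` and `/var/www/miq/vmdb/log` entries now also deliberately override upstream's switch to httpd_sys_ra_content_t; a one-line comment in the .fc stating why httpd_log_t is kept would stop the next rebase from silently losing that choice.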
@@ -3349,8 +3283,9 @@ index 550a69e..66ba451 100644
+/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
++
diff --git a/apache.if b/apache.if
-index 83e899c..fac6fe5 100644
+index f6eb485..fac6fe5 100644
--- a/apache.if
+++ b/apache.if
@@ -1,9 +1,9 @@
@@ -3917,10 +3852,11 @@ index 83e899c..fac6fe5 100644
apache_domtrans_helper($1)
- roleattribute $2 httpd_helper_roles;
+ role $2 types httpd_helper_t;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Read httpd log files.
+## dontaudit attempts to read
+## apache log files.
+##
@@ -3938,11 +3874,10 @@ index 83e899c..fac6fe5 100644
+
+ dontaudit $1 httpd_log_t:file read_file_perms;
+ dontaudit $1 httpd_log_t:lnk_file read_lnk_file_perms;
- ')
-
- ########################################
- ##
--## Read httpd log files.
++')
++
++########################################
++##
+## Allow the specified domain to read
+## apache log files.
##
@@ -4203,12 +4138,14 @@ index 83e899c..fac6fe5 100644
##
##
+##
-+#
+ #
+-interface(`apache_manage_sys_rw_content',`
+interface(`apache_read_sys_content_rw_files',`
-+ gen_require(`
-+ type httpd_sys_rw_content_t;
-+ ')
-+
+ gen_require(`
+ type httpd_sys_rw_content_t;
+ ')
+
+- apache_search_sys_content($1)
+ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+')
+
@@ -4243,14 +4180,12 @@ index 83e899c..fac6fe5 100644
+##
+##
+##
- #
--interface(`apache_manage_sys_rw_content',`
++#
+interface(`apache_manage_sys_content_rw',`
- gen_require(`
- type httpd_sys_rw_content_t;
- ')
-
-- apache_search_sys_content($1)
++ gen_require(`
++ type httpd_sys_rw_content_t;
++ ')
++
+ files_search_var($1)
manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
- manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
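Review bot: `apache_manage_sys_content_rw` on the new side substitutes `files_search_var($1)` for upstream's `apache_search_sys_content($1)`, yet most httpd_sys_rw_content_t paths in the .fc sit under /var/www, which is labelled httpd_sys_content_t; without search on that type a caller cannot traverse to the rw subtrees there. Consider keeping both, `apache_search_sys_content($1)` followed by `files_search_var($1)`, unless every Fedora consumer of this interface only touches the /var/lib paths. The interface body continues past the end of the hunk.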
@@ -4409,16 +4344,18 @@ index 83e899c..fac6fe5 100644
##
##
##
-@@ -1070,13 +1230,22 @@ interface(`apache_search_sys_scripts',`
- ##
+@@ -1071,18 +1231,21 @@ interface(`apache_search_sys_scripts',`
#
interface(`apache_manage_all_user_content',`
-- refpolicywarn(`$0($*) has been deprecated, use apache_manage_all_content() instead.')
-- apache_manage_all_content($1)
-+ gen_require(`
+ gen_require(`
+- type httpd_user_content_t, httpd_user_content_rw_t, httpd_user_content_ra_t;
+- type httpd_user_htaccess_t, httpd_user_script_exec_t;
+ attribute httpd_user_content_type, httpd_user_script_exec_type;
-+ ')
-+
+ ')
+
+- manage_dirs_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t })
+- manage_files_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t httpd_user_htaccess_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t httpd_user_htaccess_t })
+- manage_lnk_files_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t })
+ manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type)
+ manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
+ manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
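Review bot: The attribute-based rewrite of apache_manage_all_user_content drops the explicit `httpd_user_htaccess_t` that upstream's removed manage_files_pattern line carries; unless httpd_user_htaccess_t is itself tagged with httpd_user_content_type (not visible here), callers lose manage access to users' .htaccess files compared with upstream. If it is not tagged, add `type httpd_user_htaccess_t;` to the gen_require block and `manage_files_pattern($1, httpd_user_htaccess_t, httpd_user_htaccess_t)` after the three pattern calls. The interface continues outside the hunk.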
@@ -4435,7 +4372,7 @@ index 83e899c..fac6fe5 100644
##
##
##
-@@ -1094,7 +1263,8 @@ interface(`apache_search_sys_script_state',`
+@@ -1100,7 +1263,8 @@ interface(`apache_search_sys_script_state',`
########################################
##
@@ -4445,7 +4382,7 @@ index 83e899c..fac6fe5 100644
##
##
##
-@@ -1111,10 +1281,29 @@ interface(`apache_read_tmp_files',`
+@@ -1117,10 +1281,29 @@ interface(`apache_read_tmp_files',`
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
')
@@ -4477,7 +4414,7 @@ index 83e899c..fac6fe5 100644
##
##
##
-@@ -1127,7 +1316,7 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1133,7 +1316,7 @@ interface(`apache_dontaudit_write_tmp_files',`
type httpd_tmp_t;
')
@@ -4486,7 +4423,7 @@ index 83e899c..fac6fe5 100644
')
########################################
-@@ -1136,6 +1325,9 @@ interface(`apache_dontaudit_write_tmp_files',`
+@@ -1142,6 +1325,9 @@ interface(`apache_dontaudit_write_tmp_files',`
##
##
##
@@ -4496,7 +4433,7 @@ index 83e899c..fac6fe5 100644
## This is an interface to support third party modules
## and its use is not allowed in upstream reference
## policy.
-@@ -1165,8 +1357,30 @@ interface(`apache_cgi_domain',`
+@@ -1171,8 +1357,30 @@ interface(`apache_cgi_domain',`
########################################
##
@@ -4529,16 +4466,16 @@ index 83e899c..fac6fe5 100644
##
##
##
-@@ -1183,18 +1397,19 @@ interface(`apache_cgi_domain',`
+@@ -1189,18 +1397,19 @@ interface(`apache_cgi_domain',`
interface(`apache_admin',`
gen_require(`
attribute httpdcontent, httpd_script_exec_type;
- attribute httpd_script_domains, httpd_htaccess_type;
type httpd_t, httpd_config_t, httpd_log_t;
- type httpd_modules_t, httpd_lock_t, httpd_helper_t;
-- type httpd_var_run_t, httpd_keytab_t, httpd_passwd_t;
+- type httpd_var_run_t, httpd_passwd_t, httpd_suexec_t;
- type httpd_suexec_tmp_t, httpd_tmp_t, httpd_rotatelogs_t;
-- type httpd_initrc_exec_t, httpd_suexec_t;
+- type httpd_initrc_exec_t, httpd_keytab_t;
+ type httpd_modules_t, httpd_lock_t, httpd_bool_t;
+ type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t;
+ type httpd_suexec_tmp_t, httpd_tmp_t;
@@ -4558,12 +4495,12 @@ index 83e899c..fac6fe5 100644
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -1204,10 +1419,10 @@ interface(`apache_admin',`
+@@ -1210,10 +1419,10 @@ interface(`apache_admin',`
apache_manage_all_content($1)
miscfiles_manage_public_files($1)
- files_search_etc($1)
-- admin_pattern($1, { httpd_config_t httpd_keytab_t })
+- admin_pattern($1, { httpd_keytab_t httpd_config_t })
+ files_list_etc($1)
+ admin_pattern($1, httpd_config_t)
@@ -4572,7 +4509,7 @@ index 83e899c..fac6fe5 100644
admin_pattern($1, httpd_log_t)
admin_pattern($1, httpd_modules_t)
-@@ -1218,9 +1433,129 @@ interface(`apache_admin',`
+@@ -1224,9 +1433,129 @@ interface(`apache_admin',`
admin_pattern($1, httpd_var_run_t)
files_pid_filetrans($1, httpd_var_run_t, file)
@@ -4707,28 +4644,10 @@ index 83e899c..fac6fe5 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/apache.te b/apache.te
-index 1a82e29..bfe87eb 100644
+index 6649962..0e09bca 100644
--- a/apache.te
+++ b/apache.te
-@@ -1,297 +1,367 @@
--policy_module(apache, 2.6.10)
-+policy_module(apache, 2.4.0)
-+
-+#
-+# NOTES:
-+# This policy will work with SUEXEC enabled as part of the Apache
-+# configuration. However, the user CGI scripts will run under the
-+# system_u:system_r:httpd_user_script_t.
-+#
-+# The user CGI scripts must be labeled with the httpd_user_script_exec_t
-+# type, and the directory containing the scripts should also be labeled
-+# with these types. This policy allows the user role to perform that
-+# relabeling. If it is desired that only admin role should be able to relabel
-+# the user CGI scripts, then relabel rule for user roles should be removed.
-+#
-
- ########################################
- #
+@@ -5,280 +5,317 @@ policy_module(apache, 2.7.2)
# Declarations
#
@@ -5194,6 +5113,9 @@ index 1a82e29..bfe87eb 100644
type httpd_initrc_exec_t;
init_script_file(httpd_initrc_exec_t)
+@@ -286,15 +323,35 @@ init_script_file(httpd_initrc_exec_t)
+ type httpd_keytab_t;
+ files_type(httpd_keytab_t)
+type httpd_unit_file_t;
+ifdef(`distro_redhat',`
@@ -5227,7 +5149,7 @@ index 1a82e29..bfe87eb 100644
type httpd_rotatelogs_t;
type httpd_rotatelogs_exec_t;
init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
-@@ -299,10 +369,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
+@@ -302,10 +359,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
type httpd_squirrelmail_t;
files_type(httpd_squirrelmail_t)
@@ -5240,7 +5162,7 @@ index 1a82e29..bfe87eb 100644
type httpd_suexec_exec_t;
domain_type(httpd_suexec_t)
domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
-@@ -311,9 +379,19 @@ role system_r types httpd_suexec_t;
+@@ -314,9 +369,19 @@ role system_r types httpd_suexec_t;
type httpd_suexec_tmp_t;
files_tmp_file(httpd_suexec_tmp_t)
@@ -5262,7 +5184,7 @@ index 1a82e29..bfe87eb 100644
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
-@@ -323,12 +401,19 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -326,12 +391,19 @@ files_tmpfs_file(httpd_tmpfs_t)
apache_content_template(user)
ubac_constrained(httpd_user_script_t)
@@ -5282,7 +5204,7 @@ index 1a82e29..bfe87eb 100644
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -343,33 +428,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
+@@ -346,33 +418,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
@@ -5333,7 +5255,7 @@ index 1a82e29..bfe87eb 100644
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
allow httpd_t self:sock_file read_sock_file_perms;
-@@ -378,28 +470,36 @@ allow httpd_t self:shm create_shm_perms;
+@@ -381,30 +460,38 @@ allow httpd_t self:shm create_shm_perms;
allow httpd_t self:sem create_sem_perms;
allow httpd_t self:msgq create_msgq_perms;
allow httpd_t self:msg { send receive };
@@ -5360,6 +5282,8 @@ index 1a82e29..bfe87eb 100644
+can_exec(httpd_t, httpd_exec_t)
+
+ allow httpd_t httpd_keytab_t:file read_file_perms;
+
allow httpd_t httpd_lock_t:file manage_file_perms;
files_lock_filetrans(httpd_t, httpd_lock_t, file)
@@ -5375,7 +5299,7 @@ index 1a82e29..bfe87eb 100644
logging_log_filetrans(httpd_t, httpd_log_t, file)
allow httpd_t httpd_modules_t:dir list_dir_perms;
-@@ -407,6 +507,8 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
+@@ -412,6 +499,8 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
@@ -5384,7 +5308,7 @@ index 1a82e29..bfe87eb 100644
allow httpd_t httpd_rotatelogs_t:process signal_perms;
manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
-@@ -415,6 +517,10 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+@@ -420,6 +509,10 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
@@ -5395,7 +5319,7 @@ index 1a82e29..bfe87eb 100644
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -445,140 +551,167 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -450,140 +543,167 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
@@ -5628,7 +5552,7 @@ index 1a82e29..bfe87eb 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -589,28 +722,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -594,28 +714,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@@ -5688,7 +5612,7 @@ index 1a82e29..bfe87eb 100644
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -619,68 +774,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -624,68 +766,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
fs_read_nfs_symlinks(httpd_t)
')
@@ -5740,8 +5664,12 @@ index 1a82e29..bfe87eb 100644
- tunable_policy(`httpd_can_network_connect_zabbix',`
- zabbix_tcp_connect(httpd_t)
- ')
--')
--
++tunable_policy(`httpd_use_cifs',`
++ fs_manage_cifs_dirs(httpd_t)
++ fs_manage_cifs_files(httpd_t)
++ fs_manage_cifs_symlinks(httpd_t)
+ ')
+
-optional_policy(`
- tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
- spamassassin_domtrans_client(httpd_t)
@@ -5764,12 +5692,8 @@ index 1a82e29..bfe87eb 100644
- tunable_policy(`httpd_mod_auth_ntlm_winbind',`
- samba_domtrans_winbind_helper(httpd_t)
- ')
-+tunable_policy(`httpd_use_cifs',`
-+ fs_manage_cifs_dirs(httpd_t)
-+ fs_manage_cifs_files(httpd_t)
-+ fs_manage_cifs_symlinks(httpd_t)
- ')
-
+-')
+-
-tunable_policy(`httpd_read_user_content',`
- userdom_read_user_home_content_files(httpd_t)
+tunable_policy(`httpd_use_fusefs',`
@@ -5779,7 +5703,7 @@ index 1a82e29..bfe87eb 100644
')
tunable_policy(`httpd_setrlimit',`
-@@ -690,49 +821,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -695,49 +813,48 @@ tunable_policy(`httpd_setrlimit',`
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@@ -5860,7 +5784,7 @@ index 1a82e29..bfe87eb 100644
')
optional_policy(`
-@@ -743,14 +873,6 @@ optional_policy(`
+@@ -748,14 +865,6 @@ optional_policy(`
ccs_read_config(httpd_t)
')
@@ -5875,7 +5799,7 @@ index 1a82e29..bfe87eb 100644
optional_policy(`
cron_system_entry(httpd_t, httpd_exec_t)
-@@ -765,6 +887,23 @@ optional_policy(`
+@@ -770,6 +879,23 @@ optional_policy(`
')
optional_policy(`
@@ -5899,39 +5823,43 @@ index 1a82e29..bfe87eb 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -781,34 +920,46 @@ optional_policy(`
+@@ -786,35 +912,48 @@ optional_policy(`
')
optional_policy(`
+- kerberos_manage_host_rcache(httpd_t)
+- kerberos_read_keytab(httpd_t)
+- kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_23")
+- kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_48")
+- kerberos_use(httpd_t)
+ tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
+ gpg_domtrans_web(httpd_t)
+ ')
+ ')
+
+ optional_policy(`
+- ldap_stream_connect(httpd_t)
++ gssproxy_stream_connect(httpd_t)
+')
-+
+
+- tunable_policy(`httpd_can_network_connect_ldap',`
+- ldap_tcp_connect(httpd_t)
+- ')
+optional_policy(`
-+ gssproxy_stream_connect(httpd_t)
++ jetty_admin(httpd_t)
+')
+
+optional_policy(`
-+ jetty_admin(httpd_t)
++ kerberos_manage_host_rcache(httpd_t)
++ kerberos_read_keytab(httpd_t)
++ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_23")
++ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_48")
++ kerberos_use(httpd_t)
+')
+
+optional_policy(`
- kerberos_keytab_template(httpd, httpd_t)
-- kerberos_manage_host_rcache(httpd_t)
-- kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_23")
-- kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_48")
-+ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_23")
-+ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_48")
- ')
-
- optional_policy(`
+ # needed by FreeIPA
- ldap_stream_connect(httpd_t)
--
-- tunable_policy(`httpd_can_network_connect_ldap',`
-- ldap_tcp_connect(httpd_t)
-- ')
++ ldap_stream_connect(httpd_t)
')
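Review bot: The re-added `kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_23")` / `"HTTP_48"` calls omit the `file` object class that upstream's removed lines pass as the second argument; this only builds if Fedora's kerberos.if defines the interface as (domain, name) with the class fixed inside it, which is not visible here. Either way the divergence should be stated in place, e.g. `# Fedora kerberos_tmp_filetrans_host_rcache() takes (domain, name); the object class is fixed inside the interface`, so the next rebase does not silently reintroduce the three-argument form. Separately, `jetty_admin(httpd_t)` hands a network-facing daemon the full admin interface for jetty's types; if httpd only needs to read jetty content or config, a narrower interface would be preferable (only the call is visible, not what jetty_admin grants).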
optional_policy(`
@@ -5957,7 +5885,7 @@ index 1a82e29..bfe87eb 100644
tunable_policy(`httpd_manage_ipa',`
memcached_manage_pid_files(httpd_t)
-@@ -816,8 +967,18 @@ optional_policy(`
+@@ -822,8 +961,18 @@ optional_policy(`
')
optional_policy(`
@@ -5976,7 +5904,7 @@ index 1a82e29..bfe87eb 100644
tunable_policy(`httpd_can_network_connect_db',`
mysql_tcp_connect(httpd_t)
-@@ -826,6 +987,7 @@ optional_policy(`
+@@ -832,6 +981,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -5984,7 +5912,7 @@ index 1a82e29..bfe87eb 100644
')
optional_policy(`
-@@ -836,20 +998,39 @@ optional_policy(`
+@@ -842,20 +992,39 @@ optional_policy(`
')
optional_policy(`
@@ -6030,7 +5958,7 @@ index 1a82e29..bfe87eb 100644
')
optional_policy(`
-@@ -857,19 +1038,35 @@ optional_policy(`
+@@ -863,19 +1032,35 @@ optional_policy(`
')
optional_policy(`
@@ -6066,7 +5994,7 @@ index 1a82e29..bfe87eb 100644
udev_read_db(httpd_t)
')
-@@ -877,65 +1074,173 @@ optional_policy(`
+@@ -883,65 +1068,173 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -6139,10 +6067,11 @@ index 1a82e29..bfe87eb 100644
-',`
- userdom_dontaudit_use_user_terminals(httpd_helper_t)
+ userdom_use_inherited_user_terminals(httpd_helper_t)
-+')
-+
-+########################################
-+#
+ ')
+
+ ########################################
+ #
+-# Suexec local policy
+# Apache PHP script local policy
+#
+
@@ -6201,11 +6130,10 @@ index 1a82e29..bfe87eb 100644
+ tunable_policy(`httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_php_t)
+ ')
- ')
-
- ########################################
- #
--# Suexec local policy
++')
++
++########################################
++#
+# Apache suexec local policy
#
@@ -6262,7 +6190,7 @@ index 1a82e29..bfe87eb 100644
files_dontaudit_search_pids(httpd_suexec_t)
files_search_home(httpd_suexec_t)
-@@ -944,123 +1249,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -950,123 +1243,74 @@ auth_use_nsswitch(httpd_suexec_t)
logging_search_logs(httpd_suexec_t)
logging_send_syslog_msg(httpd_suexec_t)
@@ -6417,7 +6345,7 @@ index 1a82e29..bfe87eb 100644
mysql_read_config(httpd_suexec_t)
tunable_policy(`httpd_can_network_connect_db',`
-@@ -1077,172 +1333,106 @@ optional_policy(`
+@@ -1083,172 +1327,106 @@ optional_policy(`
')
')
@@ -6439,11 +6367,11 @@ index 1a82e29..bfe87eb 100644
-allow httpd_script_domains self:unix_stream_socket connectto;
-
-allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
--
--append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
--read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
+allow httpd_sys_script_t self:process getsched;
+-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
+-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
+-
-kernel_dontaudit_search_sysctl(httpd_script_domains)
-kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
-
@@ -6599,7 +6527,8 @@ index 1a82e29..bfe87eb 100644
-kernel_read_kernel_sysctls(httpd_sys_script_t)
-
-fs_search_auto_mountpoints(httpd_sys_script_t)
--
++corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+
-files_read_var_symlinks(httpd_sys_script_t)
-files_search_var_lib(httpd_sys_script_t)
-files_search_spool(httpd_sys_script_t)
@@ -6615,8 +6544,7 @@ index 1a82e29..bfe87eb 100644
- corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
- corenet_tcp_connect_pop_port(httpd_sys_script_t)
- corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
-+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
-
+-
- mta_send_mail(httpd_sys_script_t)
- mta_signal_system_mail(httpd_sys_script_t)
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
@@ -6654,7 +6582,7 @@ index 1a82e29..bfe87eb 100644
')
tunable_policy(`httpd_read_user_content',`
-@@ -1250,64 +1440,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1434,74 @@ tunable_policy(`httpd_read_user_content',`
')
tunable_policy(`httpd_use_cifs',`
@@ -6751,7 +6679,7 @@ index 1a82e29..bfe87eb 100644
########################################
#
-@@ -1315,8 +1515,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1509,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
#
optional_policy(`
@@ -6768,14 +6696,15 @@ index 1a82e29..bfe87eb 100644
')
########################################
-@@ -1324,49 +1531,38 @@ optional_policy(`
+@@ -1330,49 +1525,38 @@ optional_policy(`
# User content local policy
#
-tunable_policy(`httpd_enable_homedirs',`
- userdom_search_user_home_dirs(httpd_user_script_t)
-')
--
++auth_use_nsswitch(httpd_user_script_t)
+
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
- fs_list_auto_mountpoints(httpd_user_script_t)
- fs_read_cifs_files(httpd_user_script_t)
@@ -6785,8 +6714,7 @@ index 1a82e29..bfe87eb 100644
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
- fs_exec_cifs_files(httpd_user_script_t)
-')
-+auth_use_nsswitch(httpd_user_script_t)
-
+-
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
- fs_list_auto_mountpoints(httpd_user_script_t)
- fs_read_nfs_files(httpd_user_script_t)
@@ -6833,7 +6761,7 @@ index 1a82e29..bfe87eb 100644
kernel_read_system_state(httpd_passwd_t)
corecmd_exec_bin(httpd_passwd_t)
-@@ -1376,38 +1572,99 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1566,99 @@ dev_read_urand(httpd_passwd_t)
domain_use_interactive_fds(httpd_passwd_t)
@@ -6851,7 +6779,8 @@ index 1a82e29..bfe87eb 100644
+systemd_manage_passwd_run(httpd_passwd_t)
+systemd_manage_passwd_run(httpd_t)
+#systemd_passwd_agent_dev_template(httpd)
-+
+
+-allow httpd_gpg_t self:process setrlimit;
+domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
+dontaudit httpd_passwd_t httpd_config_t:file read;
+
@@ -6885,8 +6814,7 @@ index 1a82e29..bfe87eb 100644
+
+miscfiles_read_fonts(httpd_script_type)
+miscfiles_read_public_files(httpd_script_type)
-
--allow httpd_gpg_t self:process setrlimit;
++
+allow httpd_t httpd_script_type:unix_stream_socket connectto;
-allow httpd_gpg_t httpd_t:fd use;
@@ -7053,7 +6981,7 @@ index f3c0aba..b6afc90 100644
+ allow $1 apcupsd_unit_file_t:service all_service_perms;
')
diff --git a/apcupsd.te b/apcupsd.te
-index b236327..7b2142b 100644
+index 080bc4d..b4c43c7 100644
--- a/apcupsd.te
+++ b/apcupsd.te
@@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t)
@@ -7191,7 +7119,7 @@ index 1a7a97e..1d29dce 100644
domain_system_change_exemption($1)
role_transition $2 apmd_initrc_exec_t system_r;
diff --git a/apm.te b/apm.te
-index 3590e2f..e1494bd 100644
+index 7fd431b..7ac00c5 100644
--- a/apm.te
+++ b/apm.te
@@ -35,6 +35,9 @@ files_type(apmd_var_lib_t)
@@ -7280,10 +7208,10 @@ index 3590e2f..e1494bd 100644
optional_policy(`
diff --git a/apt.if b/apt.if
-index e2414c4..970736b 100644
+index cde81d2..2fe0201 100644
--- a/apt.if
+++ b/apt.if
-@@ -152,7 +152,7 @@ interface(`apt_read_cache',`
+@@ -171,7 +171,7 @@ interface(`apt_read_cache',`
files_search_var($1)
allow $1 apt_var_cache_t:dir list_dir_perms;
@@ -7293,10 +7221,10 @@ index e2414c4..970736b 100644
')
diff --git a/apt.te b/apt.te
-index e2d8d52..d82403c 100644
+index efa8530..f928b63 100644
--- a/apt.te
+++ b/apt.te
-@@ -83,7 +83,6 @@ kernel_read_kernel_sysctls(apt_t)
+@@ -85,7 +85,6 @@ kernel_read_kernel_sysctls(apt_t)
corecmd_exec_bin(apt_t)
corecmd_exec_shell(apt_t)
@@ -7304,7 +7232,7 @@ index e2d8d52..d82403c 100644
corenet_all_recvfrom_netlabel(apt_t)
corenet_tcp_sendrecv_generic_if(apt_t)
corenet_tcp_sendrecv_generic_node(apt_t)
-@@ -98,27 +97,24 @@ domain_getattr_all_domains(apt_t)
+@@ -101,27 +100,24 @@ domain_getattr_all_domains(apt_t)
domain_use_interactive_fds(apt_t)
files_exec_usr_files(apt_t)
@@ -7333,7 +7261,7 @@ index e2d8d52..d82403c 100644
+userdom_use_inherited_user_terminals(apt_t)
optional_policy(`
- cron_system_entry(apt_t, apt_exec_t)
+ backup_manage_store_files(apt_t)
diff --git a/arpwatch.fc b/arpwatch.fc
index 9ca0d0f..9a1a61f 100644
--- a/arpwatch.fc
@@ -7408,7 +7336,7 @@ index 50c9b9c..51c8cc0 100644
+ allow $1 arpwatch_unit_file_t:service all_service_perms;
')
diff --git a/arpwatch.te b/arpwatch.te
-index fa18c76..fd6911a 100644
+index 2d7bf34..2927585 100644
--- a/arpwatch.te
+++ b/arpwatch.te
@@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t)
@@ -7471,36 +7399,10 @@ index fa18c76..fd6911a 100644
userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
diff --git a/asterisk.if b/asterisk.if
-index 7268a04..6ffd87d 100644
+index 2077053..198a02a 100644
--- a/asterisk.if
+++ b/asterisk.if
-@@ -19,6 +19,25 @@ interface(`asterisk_domtrans',`
- domtrans_pattern($1, asterisk_exec_t, asterisk_t)
- ')
-
-+######################################
-+##
-+## Execute asterisk in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`asterisk_exec',`
-+ gen_require(`
-+ type asterisk_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ can_exec($1, asterisk_exec_t)
-+')
-+
- #####################################
- ##
- ## Connect to asterisk over a unix domain.
-@@ -105,9 +124,13 @@ interface(`asterisk_admin',`
+@@ -124,9 +124,13 @@ interface(`asterisk_admin',`
type asterisk_var_lib_t, asterisk_initrc_exec_t;
')
@@ -7516,7 +7418,7 @@ index 7268a04..6ffd87d 100644
domain_system_change_exemption($1)
role_transition $2 asterisk_initrc_exec_t system_r;
diff --git a/asterisk.te b/asterisk.te
-index 5439f1c..4f8a8a5 100644
+index 7e41350..1076937 100644
--- a/asterisk.te
+++ b/asterisk.te
@@ -19,7 +19,7 @@ type asterisk_log_t;
@@ -7528,25 +7430,7 @@ index 5439f1c..4f8a8a5 100644
type asterisk_tmp_t;
files_tmp_file(asterisk_tmp_t)
-@@ -52,13 +52,14 @@ allow asterisk_t asterisk_etc_t:dir list_dir_perms;
- read_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t)
- read_lnk_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t)
-
--append_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
--create_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
--setattr_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
-+manage_dirs_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
-+manage_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t)
-+logging_log_filetrans(asterisk_t, asterisk_log_t, {file dir})
-
- manage_dirs_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
- manage_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
- manage_lnk_files_pattern(asterisk_t, asterisk_spool_t, asterisk_spool_t)
-+files_spool_file(asterisk_t, asterisk_spool_t, {dir file})
-
- manage_dirs_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t)
- manage_files_pattern(asterisk_t, asterisk_tmp_t, asterisk_tmp_t)
-@@ -72,11 +73,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
+@@ -73,11 +73,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
@@ -7560,7 +7444,7 @@ index 5439f1c..4f8a8a5 100644
can_exec(asterisk_t, asterisk_exec_t)
kernel_read_kernel_sysctls(asterisk_t)
-@@ -87,7 +88,6 @@ kernel_request_load_module(asterisk_t)
+@@ -88,7 +88,6 @@ kernel_request_load_module(asterisk_t)
corecmd_exec_bin(asterisk_t)
corecmd_exec_shell(asterisk_t)
@@ -7568,7 +7452,7 @@ index 5439f1c..4f8a8a5 100644
corenet_all_recvfrom_netlabel(asterisk_t)
corenet_tcp_sendrecv_generic_if(asterisk_t)
corenet_udp_sendrecv_generic_if(asterisk_t)
-@@ -135,7 +135,6 @@ dev_read_urand(asterisk_t)
+@@ -136,7 +135,6 @@ dev_read_urand(asterisk_t)
domain_use_interactive_fds(asterisk_t)
@@ -7576,8 +7460,8 @@ index 5439f1c..4f8a8a5 100644
files_search_spool(asterisk_t)
files_dontaudit_search_home(asterisk_t)
-@@ -148,8 +147,6 @@ auth_use_nsswitch(asterisk_t)
-
+@@ -150,8 +148,6 @@ auth_use_nsswitch(asterisk_t)
+ logging_search_logs(asterisk_t)
logging_send_syslog_msg(asterisk_t)
-miscfiles_read_localization(asterisk_t)
@@ -7779,7 +7663,7 @@ index 92adb37..0a2ffc6 100644
/var/lock/subsys/autofs -- gen_context(system_u:object_r:automount_lock_t,s0)
diff --git a/automount.if b/automount.if
-index 089430a..b0bed70 100644
+index f24e369..9bce868 100644
--- a/automount.if
+++ b/automount.if
@@ -29,7 +29,6 @@ interface(`automount_domtrans',`
@@ -7846,11 +7730,12 @@ index 089430a..b0bed70 100644
## All of the rules required to
## administrate an automount environment.
##
-@@ -153,11 +194,16 @@ interface(`automount_admin',`
+@@ -153,12 +194,16 @@ interface(`automount_admin',`
gen_require(`
type automount_t, automount_lock_t, automount_tmp_t;
type automount_var_run_t, automount_initrc_exec_t;
-+ type automount_unit_file_t;
+- type automount_keytab_t;
++ type automount_unit_file_t, automount_keytab_t;
')
- allow $1 automount_t:process { ptrace signal_perms };
@@ -7864,7 +7749,7 @@ index 089430a..b0bed70 100644
init_labeled_script_domtrans($1, automount_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 automount_initrc_exec_t system_r;
-@@ -171,4 +217,8 @@ interface(`automount_admin',`
+@@ -175,4 +220,8 @@ interface(`automount_admin',`
files_list_pids($1)
admin_pattern($1, automount_var_run_t)
@@ -7874,18 +7759,20 @@ index 089430a..b0bed70 100644
+ allow $1 automount_unit_file_t:service all_service_perms;
')
diff --git a/automount.te b/automount.te
-index a579c3b..294b5f4 100644
+index 27d2f40..1268d7d 100644
--- a/automount.te
+++ b/automount.te
-@@ -22,12 +22,16 @@ type automount_tmp_t;
+@@ -22,6 +22,9 @@ type automount_tmp_t;
files_tmp_file(automount_tmp_t)
files_mountpoint(automount_tmp_t)
+type automount_unit_file_t;
+systemd_unit_file(automount_unit_file_t)
+
- ########################################
- #
+ type automount_var_run_t;
+ files_pid_file(automount_var_run_t)
+
+@@ -30,7 +33,8 @@ files_pid_file(automount_var_run_t)
# Local policy
#
@@ -7895,7 +7782,7 @@ index a579c3b..294b5f4 100644
dontaudit automount_t self:capability sys_tty_config;
allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
allow automount_t self:fifo_file rw_fifo_file_perms;
-@@ -62,7 +66,6 @@ kernel_dontaudit_search_xen_state(automount_t)
+@@ -67,7 +71,6 @@ kernel_dontaudit_search_xen_state(automount_t)
corecmd_exec_bin(automount_t)
corecmd_exec_shell(automount_t)
@@ -7903,7 +7790,7 @@ index a579c3b..294b5f4 100644
corenet_all_recvfrom_netlabel(automount_t)
corenet_tcp_sendrecv_generic_if(automount_t)
corenet_udp_sendrecv_generic_if(automount_t)
-@@ -96,7 +99,6 @@ files_mount_all_file_type_fs(automount_t)
+@@ -101,7 +104,6 @@ files_mount_all_file_type_fs(automount_t)
files_mounton_all_mountpoints(automount_t)
files_mounton_mnt(automount_t)
files_read_etc_runtime_files(automount_t)
@@ -7911,7 +7798,7 @@ index a579c3b..294b5f4 100644
files_search_boot(automount_t)
files_search_all(automount_t)
files_unmount_all_file_type_fs(automount_t)
-@@ -130,15 +132,18 @@ auth_use_nsswitch(automount_t)
+@@ -135,15 +137,18 @@ auth_use_nsswitch(automount_t)
logging_send_syslog_msg(automount_t)
logging_search_logs(automount_t)
@@ -7934,7 +7821,7 @@ index a579c3b..294b5f4 100644
fstools_domtrans(automount_t)
')
-@@ -160,3 +165,8 @@ optional_policy(`
+@@ -166,3 +171,8 @@ optional_policy(`
optional_policy(`
udev_read_db(automount_t)
')
@@ -7956,19 +7843,10 @@ index e9fe2ca..4c2d076 100644
/usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0)
/usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0)
diff --git a/avahi.if b/avahi.if
-index aebe7cb..33fe57b 100644
+index 9078c3d..bca0ac9 100644
--- a/avahi.if
+++ b/avahi.if
-@@ -97,7 +97,7 @@ interface(`avahi_dbus_chat',`
- ########################################
- ##
- ## Connect to avahi using a unix
--$$ stream socket.
-+## stream socket.
- ##
- ##
- ##
-@@ -135,6 +135,29 @@ interface(`avahi_dontaudit_search_pid',`
+@@ -211,6 +211,29 @@ interface(`avahi_dontaudit_search_pid',`
########################################
##
@@ -7995,10 +7873,10 @@ index aebe7cb..33fe57b 100644
+
+########################################
+##
- ## All of the rules required to
- ## administrate an avahi environment.
+ ## Create specified objects in generic
+ ## pid directories with the avahi pid file type.
##
-@@ -153,12 +176,17 @@ interface(`avahi_dontaudit_search_pid',`
+@@ -258,12 +281,17 @@ interface(`avahi_filetrans_pid',`
interface(`avahi_admin',`
gen_require(`
type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
@@ -8014,10 +7892,10 @@ index aebe7cb..33fe57b 100644
+ allow $1 avahi_t:process ptrace;
+ ')
+
- init_labeled_script_domtrans($1, avahi_initrc_exec_t)
+ avahi_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 avahi_initrc_exec_t system_r;
-@@ -169,4 +197,8 @@ interface(`avahi_admin',`
+@@ -274,4 +302,8 @@ interface(`avahi_admin',`
files_search_var_lib($1)
admin_pattern($1, avahi_var_lib_t)
@@ -8027,7 +7905,7 @@ index aebe7cb..33fe57b 100644
+ allow $1 avahi_unit_file_t:service all_service_perms;
')
diff --git a/avahi.te b/avahi.te
-index 60e76be..0730647 100644
+index b8355b3..844e45b 100644
--- a/avahi.te
+++ b/avahi.te
@@ -17,6 +17,10 @@ files_pid_file(avahi_var_lib_t)
@@ -8077,7 +7955,7 @@ index 60e76be..0730647 100644
userdom_dontaudit_search_user_home_dirs(avahi_t)
diff --git a/awstats.te b/awstats.te
-index d6ab824..116176d 100644
+index c1b16c3..c222135 100644
--- a/awstats.te
+++ b/awstats.te
@@ -52,8 +52,6 @@ corecmd_exec_shell(awstats_t)
@@ -8115,7 +7993,7 @@ index d6ab824..116176d 100644
-
-apache_read_log(httpd_awstats_script_t)
diff --git a/backup.te b/backup.te
-index d6ceef4..c10d39c 100644
+index 7811450..d8a8bd6 100644
--- a/backup.te
+++ b/backup.te
@@ -38,7 +38,6 @@ kernel_read_kernel_sysctls(backup_t)
@@ -8136,7 +8014,7 @@ index d6ceef4..c10d39c 100644
optional_policy(`
cron_system_entry(backup_t, backup_exec_t)
diff --git a/bacula.te b/bacula.te
-index 3beba2f..7ca4480 100644
+index f16b000..ed47057 100644
--- a/bacula.te
+++ b/bacula.te
@@ -148,9 +148,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t)
@@ -8230,7 +8108,7 @@ index ec95d36..7132e1e 100644
+ ')
')
diff --git a/bcfg2.te b/bcfg2.te
-index 536ec3c..271b976 100644
+index c3fd7b1..e189593 100644
--- a/bcfg2.te
+++ b/bcfg2.te
@@ -15,6 +15,9 @@ init_script_file(bcfg2_initrc_exec_t)
@@ -8373,7 +8251,7 @@ index 2b9a3a1..1742ebf 100644
+/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
+')
diff --git a/bind.if b/bind.if
-index 866a1e2..6c2dbe4 100644
+index 531a8f2..0df9341 100644
--- a/bind.if
+++ b/bind.if
@@ -20,6 +20,29 @@ interface(`bind_initrc_domtrans',`
@@ -8468,16 +8346,12 @@ index 866a1e2..6c2dbe4 100644
## Create, read, write, and delete
## bind zone files.
##
-@@ -362,12 +426,20 @@ interface(`bind_udp_chat_named',`
- interface(`bind_admin',`
- gen_require(`
+@@ -364,11 +428,17 @@ interface(`bind_admin',`
type named_t, named_tmp_t, named_log_t;
-- type named_cache_t, named_zone_t, named_initrc_exec_t;
-- type dnssec_t, ndc_t, named_conf_t, named_var_run_t;
-+ type named_conf_t, named_var_run_t, named_cache_t;
-+ type named_zone_t, named_initrc_exec_t;
-+ type dnssec_t, ndc_t, named_keytab_t;
-+ type named_unit_file_t;
+ type named_cache_t, named_zone_t, named_initrc_exec_t;
+ type dnssec_t, ndc_t, named_conf_t, named_var_run_t;
+- type named_keytab_t;
++ type named_keytab_t, named_unit_file_t;
')
- allow $1 { named_t ndc_t }:process { ptrace signal_perms };
@@ -8493,9 +8367,9 @@ index 866a1e2..6c2dbe4 100644
init_labeled_script_domtrans($1, named_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -383,11 +455,15 @@ interface(`bind_admin',`
+@@ -384,11 +454,15 @@ interface(`bind_admin',`
files_list_etc($1)
- admin_pattern($1, named_conf_t)
+ admin_pattern($1, { named_keytab_t named_conf_t })
+ admin_pattern($1, named_keytab_t)
+
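Review bot: The inner addition `+ admin_pattern($1, named_keytab_t)` kept at the end of this hunk is now redundant, because the rebased context line directly above it already reads `admin_pattern($1, { named_keytab_t named_conf_t })`, which grants the same admin access to named_keytab_t. Reference policy merges identical rules so nothing breaks at build time, but the stale hunk will keep conflicting on the next rebase and misleads readers into thinking the downstream patch still carries the keytab change. I would drop the added `admin_pattern($1, named_keytab_t)` line together with the blank line it adds, and shrink the inner header from `+@@ -384,11 +454,15 @@` to `@@ -384,11 +454,13 @@`, assuming the rest of that inner hunk (not visible here) is unchanged. The bind_admin interface starts and ends outside this hunk.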
@@ -8511,7 +8385,7 @@ index 866a1e2..6c2dbe4 100644
+ allow $1 named_unit_file_t:service all_service_perms;
')
diff --git a/bind.te b/bind.te
-index 076ffee..1672ca4 100644
+index 1241123..ad2dccc 100644
--- a/bind.te
+++ b/bind.te
@@ -34,7 +34,7 @@ type named_checkconf_exec_t;
@@ -8530,10 +8404,10 @@ index 076ffee..1672ca4 100644
+type named_unit_file_t;
+systemd_unit_file(named_unit_file_t)
+
- type named_log_t;
- logging_log_file(named_log_t)
+ type named_keytab_t;
+ files_type(named_keytab_t)
-@@ -68,8 +71,9 @@ role ndc_roles types ndc_t;
+@@ -71,8 +74,9 @@ role ndc_roles types ndc_t;
# Local policy
#
@@ -8544,9 +8418,9 @@ index 076ffee..1672ca4 100644
allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
allow named_t self:fifo_file rw_fifo_file_perms;
allow named_t self:unix_stream_socket { accept listen };
-@@ -86,9 +90,7 @@ manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t)
+@@ -89,9 +93,7 @@ manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t)
- can_exec(named_t, named_exec_t)
+ allow named_t named_keytab_t:file read_file_perms;
-append_files_pattern(named_t, named_log_t, named_log_t)
-create_files_pattern(named_t, named_log_t, named_log_t)
@@ -8555,7 +8429,7 @@ index 076ffee..1672ca4 100644
logging_log_filetrans(named_t, named_log_t, file)
manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
-@@ -110,7 +112,6 @@ kernel_read_network_state(named_t)
+@@ -115,7 +117,6 @@ kernel_read_network_state(named_t)
corecmd_search_bin(named_t)
@@ -8563,7 +8437,7 @@ index 076ffee..1672ca4 100644
corenet_all_recvfrom_netlabel(named_t)
corenet_tcp_sendrecv_generic_if(named_t)
corenet_udp_sendrecv_generic_if(named_t)
-@@ -139,6 +140,7 @@ corenet_tcp_sendrecv_all_ports(named_t)
+@@ -144,6 +145,7 @@ corenet_tcp_sendrecv_all_ports(named_t)
dev_read_sysfs(named_t)
dev_read_rand(named_t)
dev_read_urand(named_t)
@@ -8571,7 +8445,7 @@ index 076ffee..1672ca4 100644
domain_use_interactive_fds(named_t)
-@@ -170,6 +172,15 @@ tunable_policy(`named_write_master_zones',`
+@@ -175,6 +177,15 @@ tunable_policy(`named_write_master_zones',`
')
optional_policy(`
@@ -8587,15 +8461,7 @@ index 076ffee..1672ca4 100644
dbus_system_domain(named_t, named_exec_t)
init_dbus_chat_script(named_t)
-@@ -183,6 +194,7 @@ optional_policy(`
-
- optional_policy(`
- kerberos_keytab_template(named, named_t)
-+ kerberos_tmp_filetrans_host_rcache(named_t, "DNS_25")
- ')
-
- optional_policy(`
-@@ -209,7 +221,8 @@ optional_policy(`
+@@ -215,7 +226,8 @@ optional_policy(`
#
allow ndc_t self:capability { dac_override net_admin };
@@ -8605,7 +8471,7 @@ index 076ffee..1672ca4 100644
allow ndc_t self:fifo_file rw_fifo_file_perms;
allow ndc_t self:unix_stream_socket { accept listen };
-@@ -223,10 +236,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
+@@ -229,10 +241,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
allow ndc_t named_zone_t:dir search_dir_perms;
@@ -8617,7 +8483,7 @@ index 076ffee..1672ca4 100644
corenet_all_recvfrom_netlabel(ndc_t)
corenet_tcp_sendrecv_generic_if(ndc_t)
corenet_tcp_sendrecv_generic_node(ndc_t)
-@@ -251,7 +263,7 @@ init_use_script_ptys(ndc_t)
+@@ -257,7 +268,7 @@ init_use_script_ptys(ndc_t)
logging_send_syslog_msg(ndc_t)
@@ -8627,7 +8493,7 @@ index 076ffee..1672ca4 100644
userdom_use_user_terminals(ndc_t)
diff --git a/bird.te b/bird.te
-index d4d71ec..f53b135 100644
+index 1d60c27..f8bb700 100644
--- a/bird.te
+++ b/bird.te
@@ -51,7 +51,6 @@ corenet_tcp_connect_bgp_port(bird_t)
@@ -8658,7 +8524,7 @@ index e73fb79..2badfc0 100644
domain_system_change_exemption($1)
role_transition $2 bitlbee_initrc_exec_t system_r;
diff --git a/bitlbee.te b/bitlbee.te
-index ac8c91e..80ecd7e 100644
+index f5c1a48..49eff68 100644
--- a/bitlbee.te
+++ b/bitlbee.te
@@ -35,9 +35,12 @@ files_pid_file(bitlbee_var_run_t)
@@ -8733,10 +8599,10 @@ index 16ec525..1dd4059 100644
########################################
diff --git a/blueman.te b/blueman.te
-index bc5c984..63a4b1d 100644
+index 3a5032e..2097425 100644
--- a/blueman.te
+++ b/blueman.te
-@@ -7,7 +7,7 @@ policy_module(blueman, 1.0.4)
+@@ -7,7 +7,7 @@ policy_module(blueman, 1.1.0)
type blueman_t;
type blueman_exec_t;
@@ -8948,7 +8814,7 @@ index c723a0a..3e8a553 100644
+ allow $1 bluetooth_unit_file_t:service all_service_perms;
')
diff --git a/bluetooth.te b/bluetooth.te
-index 6f09d24..231de05 100644
+index 851769e..055c97c 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -49,6 +49,9 @@ files_type(bluetooth_var_lib_t)
@@ -9014,7 +8880,7 @@ index 6f09d24..231de05 100644
miscfiles_read_fonts(bluetooth_t)
miscfiles_read_hwdata(bluetooth_t)
-@@ -130,8 +142,13 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
+@@ -130,6 +142,10 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
userdom_dontaudit_use_user_terminals(bluetooth_t)
userdom_dontaudit_search_user_home_dirs(bluetooth_t)
@@ -9024,11 +8890,8 @@ index 6f09d24..231de05 100644
+
optional_policy(`
dbus_system_bus_client(bluetooth_t)
-+ dbus_connect_system_bus(bluetooth_t)
-
- optional_policy(`
- cups_dbus_chat(bluetooth_t)
-@@ -199,7 +216,6 @@ dev_read_urand(bluetooth_helper_t)
+ dbus_connect_system_bus(bluetooth_t)
+@@ -200,7 +216,6 @@ dev_read_urand(bluetooth_helper_t)
domain_read_all_domains_state(bluetooth_helper_t)
files_read_etc_runtime_files(bluetooth_helper_t)
@@ -9279,33 +9142,21 @@ index 02fefaa..fbcef10 100644
+ ')
')
diff --git a/boinc.te b/boinc.te
-index 7c92aa1..47619ff 100644
+index 687d4c4..28c35c1 100644
--- a/boinc.te
+++ b/boinc.te
-@@ -1,11 +1,20 @@
--policy_module(boinc, 1.0.3)
-+policy_module(boinc, 1.0.0)
-
- ########################################
- #
- # Declarations
- #
+@@ -12,7 +12,9 @@ policy_module(boinc, 1.1.1)
+ ##
+ gen_tunable(boinc_execmem, true)
-type boinc_t;
-+##
-+##
-+## Allow boinc_domain execmem/execstack.
-+##
-+##
-+gen_tunable(boinc_execmem, true)
-+
+attribute boinc_domain;
+
+type boinc_t, boinc_domain;
type boinc_exec_t;
init_daemon_domain(boinc_t, boinc_exec_t)
-@@ -21,31 +30,69 @@ files_tmpfs_file(boinc_tmpfs_t)
+@@ -28,31 +30,69 @@ files_tmpfs_file(boinc_tmpfs_t)
type boinc_var_lib_t;
files_type(boinc_var_lib_t)
@@ -9384,7 +9235,7 @@ index 7c92aa1..47619ff 100644
manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
-@@ -54,74 +101,48 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
+@@ -61,74 +101,48 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
@@ -9481,7 +9332,7 @@ index 7c92aa1..47619ff 100644
term_getattr_all_ptys(boinc_t)
term_getattr_unallocated_ttys(boinc_t)
-@@ -130,55 +151,67 @@ init_read_utmp(boinc_t)
+@@ -137,8 +151,7 @@ init_read_utmp(boinc_t)
logging_send_syslog_msg(boinc_t)
@@ -9489,7 +9340,9 @@ index 7c92aa1..47619ff 100644
-miscfiles_read_localization(boinc_t)
+xserver_stream_connect(boinc_t)
- optional_policy(`
+ tunable_policy(`boinc_execmem',`
+ allow boinc_t self:process { execstack execmem };
+@@ -148,48 +161,61 @@ optional_policy(`
mta_send_mail(boinc_t)
')
@@ -9569,7 +9422,7 @@ index 7c92aa1..47619ff 100644
+ unconfined_domain(boinc_project_t)
+')
diff --git a/brctl.te b/brctl.te
-index bcd1e87..6294955 100644
+index c5a9113..6ad8ccb 100644
--- a/brctl.te
+++ b/brctl.te
@@ -34,12 +34,9 @@ dev_write_sysfs_dirs(brctl_t)
@@ -9646,10 +9499,10 @@ index 1b22262..bf0cefa 100644
+ ')
')
diff --git a/bugzilla.te b/bugzilla.te
-index 41f8251..57f094e 100644
+index 18623e3..d9f3061 100644
--- a/bugzilla.te
+++ b/bugzilla.te
-@@ -7,6 +7,9 @@ policy_module(bugzilla, 1.0.4)
+@@ -7,6 +7,9 @@ policy_module(bugzilla, 1.1.0)
apache_content_template(bugzilla)
@@ -9799,31 +9652,11 @@ index 8de2ab9..3b41945 100644
+ domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t)
')
diff --git a/cachefilesd.te b/cachefilesd.te
-index 581c8ef..2c71b1d 100644
+index a3760bc..a570048 100644
--- a/cachefilesd.te
+++ b/cachefilesd.te
-@@ -1,52 +1,143 @@
--policy_module(cachefilesd, 1.0.1)
-+###############################################################################
-+#
-+# Copyright (C) 2006, 2010 Red Hat, Inc. All Rights Reserved.
-+# Written by David Howells (dhowells@redhat.com)
-+# Karl MacMillan (kmacmill@redhat.com)
-+#
-+# This program is free software; you can redistribute it and/or
-+# modify it under the terms of the GNU General Public License
-+# as published by the Free Software Foundation; either version
-+# 2 of the License, or (at your option) any later version.
-+#
-+###############################################################################
-+
-+#
-+# This security policy governs access by the CacheFiles kernel module and
-+# userspace management daemon to the files and directories in the on-disk
-+# cache, on behalf of the processes accessing the cache through a network
-+# filesystem such as NFS
-+#
-+policy_module(cachefilesd, 1.0.17)
+@@ -1,52 +1,124 @@
+ policy_module(cachefilesd, 1.1.0)
-########################################
+###############################################################################
@@ -9868,14 +9701,14 @@ index 581c8ef..2c71b1d 100644
-# Local policy
+# The CacheFiles kernel module causes processes accessing the cache files to do
+# so acting as security ID cachefiles_kernel_t
- #
++#
+type cachefiles_kernel_t;
+domain_type(cachefiles_kernel_t)
+domain_obj_id_change_exemption(cachefiles_kernel_t)
+role system_r types cachefiles_kernel_t;
+
+###############################################################################
-+#
+ #
+# Permit RPM to deal with files in the cache
+#
+optional_policy(`
@@ -9969,7 +9802,7 @@ index 581c8ef..2c71b1d 100644
+
+init_sigchld_script(cachefiles_kernel_t)
diff --git a/calamaris.te b/calamaris.te
-index f4f21d3..de28437 100644
+index 7e57460..b0cf254 100644
--- a/calamaris.te
+++ b/calamaris.te
@@ -41,19 +41,23 @@ kernel_read_system_state(calamaris_t)
@@ -10002,7 +9835,7 @@ index f4f21d3..de28437 100644
optional_policy(`
diff --git a/callweaver.te b/callweaver.te
-index 528051e..44e5b7d 100644
+index 0e5be4c..b9a407f 100644
--- a/callweaver.te
+++ b/callweaver.te
@@ -84,4 +84,3 @@ term_use_ptmx(callweaver_t)
@@ -10030,7 +9863,7 @@ index 400db07..f416e22 100644
domain_system_change_exemption($1)
role_transition $2 canna_initrc_exec_t system_r;
diff --git a/canna.te b/canna.te
-index 4ec0626..88e7e89 100644
+index 9fe6162..2245f3b 100644
--- a/canna.te
+++ b/canna.te
@@ -52,7 +52,6 @@ files_pid_filetrans(canna_t, canna_var_run_t, { dir sock_file })
@@ -10091,7 +9924,7 @@ index 5ded72d..cb94e5e 100644
files_search_var_lib($1)
admin_pattern($1, ccs_var_lib_t)
diff --git a/ccs.te b/ccs.te
-index b85b53b..476aaa3 100644
+index 658134d..58deece 100644
--- a/ccs.te
+++ b/ccs.te
@@ -37,7 +37,7 @@ files_pid_file(ccs_var_run_t)
@@ -10154,7 +9987,7 @@ index fbc20f6..4de4a00 100644
ps_process_pattern($2, cdrecord_t)
')
diff --git a/cdrecord.te b/cdrecord.te
-index 55fb26a..a7555c0 100644
+index 16883c9..0f4ccb0 100644
--- a/cdrecord.te
+++ b/cdrecord.te
@@ -41,8 +41,6 @@ dev_read_sysfs(cdrecord_t)
@@ -10216,7 +10049,7 @@ index 0c53b18..ef29f6e 100644
domain_system_change_exemption($1)
role_transition $2 certmaster_initrc_exec_t system_r;
diff --git a/certmaster.te b/certmaster.te
-index bf82163..2b571c7 100644
+index 4a87873..113f3b3 100644
--- a/certmaster.te
+++ b/certmaster.te
@@ -65,11 +65,10 @@ corenet_tcp_sendrecv_certmaster_port(certmaster_t)
@@ -10275,7 +10108,7 @@ index 008f8ef..144c074 100644
admin_pattern($1, certmonger_var_run_t)
')
diff --git a/certmonger.te b/certmonger.te
-index 2354e21..fb8c9ed 100644
+index 550b287..6e8a513 100644
--- a/certmonger.te
+++ b/certmonger.te
@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
@@ -10405,7 +10238,7 @@ index 2354e21..fb8c9ed 100644
+ ')
+')
diff --git a/certwatch.te b/certwatch.te
-index 403af41..1a4bd9c 100644
+index 171fafb..e88a026 100644
--- a/certwatch.te
+++ b/certwatch.te
@@ -20,33 +20,45 @@ role certwatch_roles types certwatch_t;
@@ -10560,7 +10393,7 @@ index a731122..5279d4e 100644
')
+
diff --git a/cfengine.te b/cfengine.te
-index 8af5bbe..168f01f 100644
+index fbe3ad9..ffde263 100644
--- a/cfengine.te
+++ b/cfengine.te
@@ -41,18 +41,13 @@ create_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t)
@@ -10617,7 +10450,7 @@ index 85ca63f..1d1c99c 100644
admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
files_list_etc($1)
diff --git a/cgroup.te b/cgroup.te
-index fdee107..7a38b63 100644
+index 80a88a2..1a33de9 100644
--- a/cgroup.te
+++ b/cgroup.te
@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
@@ -11270,7 +11103,7 @@ index 32e8265..0de4af3 100644
+ allow $1 chronyd_unit_file_t:service all_service_perms;
')
diff --git a/chronyd.te b/chronyd.te
-index 914ee2d..7d723c0 100644
+index e5b621c..2ec82ae 100644
--- a/chronyd.te
+++ b/chronyd.te
@@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
@@ -11327,7 +11160,7 @@ index 914ee2d..7d723c0 100644
- mta_send_mail(chronyd_t)
-')
diff --git a/cipe.te b/cipe.te
-index 28c8475..9b86dd1 100644
+index a0aa693..af571ed 100644
--- a/cipe.te
+++ b/cipe.te
@@ -29,7 +29,6 @@ kernel_read_system_state(ciped_t)
@@ -11618,7 +11451,7 @@ index 4cc4a5c..99c5cca 100644
+
')
diff --git a/clamav.te b/clamav.te
-index 8e1fef9..c8c9a5a 100644
+index ce3836a..94aa8a6 100644
--- a/clamav.te
+++ b/clamav.te
@@ -38,6 +38,9 @@ files_config_file(clamd_etc_t)
@@ -11761,7 +11594,7 @@ index 8e1fef9..c8c9a5a 100644
')
diff --git a/clockspeed.te b/clockspeed.te
-index b59c592..4b8cddc 100644
+index d3e2a67..f5b330c 100644
--- a/clockspeed.te
+++ b/clockspeed.te
@@ -29,7 +29,6 @@ allow clockspeed_cli_t self:udp_socket create_socket_perms;
@@ -11804,7 +11637,7 @@ index b59c592..4b8cddc 100644
optional_policy(`
daemontools_service_domain(clockspeed_srv_t, clockspeed_srv_exec_t)
diff --git a/clogd.te b/clogd.te
-index 29782b8..685edff 100644
+index 4a5b3d1..cd146bd 100644
--- a/clogd.te
+++ b/clogd.te
@@ -41,9 +41,6 @@ storage_raw_write_fixed_disk(clogd_t)
@@ -12236,7 +12069,7 @@ index cc4e7cb..f348d27 100644
domain_system_change_exemption($1)
role_transition $2 cmirrord_initrc_exec_t system_r;
diff --git a/cmirrord.te b/cmirrord.te
-index d8e9958..d2303a4 100644
+index bbdd396..fddf8f4 100644
--- a/cmirrord.te
+++ b/cmirrord.te
@@ -23,7 +23,7 @@ files_pid_file(cmirrord_var_run_t)
@@ -12352,7 +12185,7 @@ index c223f81..8b567c1 100644
- admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t })
')
diff --git a/cobbler.te b/cobbler.te
-index 2a71346..8c4ac39 100644
+index 5f306dd..9a5087b 100644
--- a/cobbler.te
+++ b/cobbler.te
@@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
@@ -12727,10 +12560,10 @@ index 6471fa8..dc0423c 100644
+
+auth_read_passwd(httpd_collectd_script_t)
diff --git a/colord.fc b/colord.fc
-index 717ea0b..22e0385 100644
+index 71639eb..08ab891 100644
--- a/colord.fc
+++ b/colord.fc
-@@ -4,5 +4,7 @@
+@@ -7,5 +7,7 @@
/usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
/usr/libexec/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0)
@@ -12792,10 +12625,10 @@ index 8e27a37..825f537 100644
+ ps_process_pattern($1, colord_t)
+')
diff --git a/colord.te b/colord.te
-index 09f18e2..3547d05 100644
+index 9f2dfb2..5425ddf 100644
--- a/colord.te
+++ b/colord.te
-@@ -8,6 +8,7 @@ policy_module(colord, 1.0.2)
+@@ -8,6 +8,7 @@ policy_module(colord, 1.1.0)
type colord_t;
type colord_exec_t;
dbus_system_domain(colord_t, colord_exec_t)
@@ -12855,7 +12688,7 @@ index 09f18e2..3547d05 100644
storage_getattr_fixed_disk_dev(colord_t)
storage_getattr_removable_dev(colord_t)
-@@ -98,25 +104,29 @@ storage_write_scsi_generic(colord_t)
+@@ -100,19 +106,16 @@ init_read_state(colord_t)
auth_use_nsswitch(colord_t)
@@ -12882,7 +12715,8 @@ index 09f18e2..3547d05 100644
optional_policy(`
cups_read_config(colord_t)
- cups_read_rw_config(colord_t)
+@@ -120,6 +123,13 @@ optional_policy(`
+ cups_read_state(colord_t)
cups_stream_connect(colord_t)
cups_dbus_chat(colord_t)
+ cups_read_state(colord_t)
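Review bot: The retained inner addition `+ cups_read_state(colord_t)` on the last line of this hunk appears to duplicate the `cups_read_state(colord_t)` that the rebase brought in as upstream context three lines earlier in the same optional_policy block. The duplicate rule is harmless to the compiled policy, but it shows the hunk was re-contexted without removing the line upstream already merged, and it will resurface as a conflict on the next sync. I would delete the added `cups_read_state(colord_t)` line and adjust the inner header `+@@ -120,6 +123,13 @@` to `@@ -120,6 +123,12 @@`, provided the other added lines of that inner hunk (not visible here) stay as they are. The enclosing optional_policy block continues past the end of this hunk.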
@@ -12895,9 +12729,9 @@ index 09f18e2..3547d05 100644
')
optional_policy(`
-@@ -133,3 +143,16 @@ optional_policy(`
- optional_policy(`
+@@ -137,3 +147,16 @@ optional_policy(`
udev_read_db(colord_t)
+ udev_read_pid_files(colord_t)
')
+
+optional_policy(`
@@ -12913,7 +12747,7 @@ index 09f18e2..3547d05 100644
+ zoneminder_rw_tmpfs_files(colord_t)
+')
diff --git a/comsat.te b/comsat.te
-index 3f6e4dc..88c4f19 100644
+index c63cf85..dc6998b 100644
--- a/comsat.te
+++ b/comsat.te
@@ -37,6 +37,13 @@ kernel_read_kernel_sysctls(comsat_t)
@@ -12940,29 +12774,22 @@ index 3f6e4dc..88c4f19 100644
mta_getattr_spool(comsat_t)
diff --git a/condor.fc b/condor.fc
-index 23dc348..c4450f7 100644
+index ad2b696..28d1af0 100644
--- a/condor.fc
+++ b/condor.fc
-@@ -1,4 +1,5 @@
+@@ -1,6 +1,7 @@
+ /etc/condor(/.*)? gen_context(system_u:object_r:condor_conf_t,s0)
+
/etc/rc\.d/init\.d/condor -- gen_context(system_u:object_r:condor_initrc_exec_t,s0)
+/usr/lib/systemd/system/condor.* -- gen_context(system_u:object_r:condor_unit_file_t,s0)
/usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0)
/usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0)
-@@ -8,6 +9,8 @@
- /usr/sbin/condor_startd -- gen_context(system_u:object_r:condor_startd_exec_t,s0)
- /usr/sbin/condor_starter -- gen_context(system_u:object_r:condor_startd_exec_t,s0)
-
-+/etc/condor(/.*)? gen_context(system_u:object_r:condor_etc_rw_t,s0)
-+
- /var/lib/condor(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0)
-
- /var/lib/condor/execute(/.*)? gen_context(system_u:object_r:condor_var_lib_t,s0)
diff --git a/condor.if b/condor.if
-index 3fe3cb8..5fe84a6 100644
+index 881d92f..eb35613 100644
--- a/condor.if
+++ b/condor.if
-@@ -1,81 +1,397 @@
+@@ -1,75 +1,390 @@
-## High-Throughput Computing System.
+
+## policy for condor
@@ -13203,10 +13030,15 @@ index 3fe3cb8..5fe84a6 100644
#
-interface(`condor_admin',`
+interface(`condor_read_lib_files',`
-+ gen_require(`
+ gen_require(`
+- attribute condor_domain;
+- type condor_initrc_exec_config_t, condor_log_t;
+- type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
+- type condor_var_run_t, condor_startd_tmp_t, condor_conf_t;
+ type condor_var_lib_t;
-+ ')
-+
+ ')
+
+- allow $1 condor_domain:process { ptrace signal_perms };
+ files_search_var_lib($1)
+ read_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
+')
@@ -13279,15 +13111,10 @@ index 3fe3cb8..5fe84a6 100644
+##
+#
+interface(`condor_read_pid_files',`
- gen_require(`
-- attribute condor_domain;
-- type condor_initrc_exec_config_t, condor_log_t;
-- type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
-- type condor_var_run_t, condor_startd_tmp_t;
++ gen_require(`
+ type condor_var_run_t;
- ')
-
-- allow $1 condor_domain:process { ptrace signal_perms };
++ ')
++
+ files_search_pids($1)
+ allow $1 condor_var_run_t:file read_file_perms;
+')
@@ -13316,7 +13143,6 @@ index 3fe3cb8..5fe84a6 100644
+ ps_process_pattern($1, condor_t)
+')
+
-+
+#######################################
+##
+## Read and write condor_startd server TCP sockets.
@@ -13372,7 +13198,7 @@ index 3fe3cb8..5fe84a6 100644
+interface(`condor_admin',`
+ gen_require(`
+ attribute condor_domain;
-+ type condor_initrc_exec_t, condor_log_t;
++ type condor_initrc_exec_t, condor_log_t, condor_conf_t;
+ type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
+ type condor_var_run_t, condor_startd_tmp_t;
+ type condor_unit_file_t;
@@ -13390,6 +13216,9 @@ index 3fe3cb8..5fe84a6 100644
+ role_transition $2 condor_initrc_exec_t system_r;
+ allow $2 system_r;
+ files_search_etc($1)
+ admin_pattern($1, condor_conf_t)
+@@ -77,8 +392,8 @@ interface(`condor_admin',`
logging_search_logs($1)
admin_pattern($1, condor_log_t)
@@ -13400,7 +13229,7 @@ index 3fe3cb8..5fe84a6 100644
files_search_var_lib($1)
admin_pattern($1, condor_var_lib_t)
-@@ -85,4 +401,13 @@ interface(`condor_admin',`
+@@ -88,4 +403,13 @@ interface(`condor_admin',`
files_search_tmp($1)
admin_pattern($1, { condor_schedd_tmp_t condor_startd_tmp_t })
@@ -13415,20 +13244,19 @@ index 3fe3cb8..5fe84a6 100644
+ ')
')
diff --git a/condor.te b/condor.te
-index 3f2b672..ff94f23 100644
+index ce9f040..ae5517a 100644
--- a/condor.te
+++ b/condor.te
-@@ -34,6 +34,9 @@ files_tmp_file(condor_startd_tmp_t)
+@@ -34,7 +34,7 @@ files_tmp_file(condor_startd_tmp_t)
type condor_startd_tmpfs_t;
files_tmpfs_file(condor_startd_tmpfs_t)
-+type condor_etc_rw_t;
-+files_config_file(condor_etc_rw_t)
-+
- type condor_log_t;
- logging_log_file(condor_log_t)
+-type condor_conf_t;
++type condor_conf_t alias condor_etc_rw_t;
+ files_config_file(condor_conf_t)
-@@ -46,6 +49,9 @@ files_lock_file(condor_var_lock_t)
+ type condor_log_t;
+@@ -49,6 +49,9 @@ files_lock_file(condor_var_lock_t)
type condor_var_run_t;
files_pid_file(condor_var_run_t)
@@ -13438,7 +13266,7 @@ index 3f2b672..ff94f23 100644
condor_domain_template(collector)
condor_domain_template(negotiator)
condor_domain_template(procd)
-@@ -57,15 +63,21 @@ condor_domain_template(startd)
+@@ -60,10 +63,18 @@ condor_domain_template(startd)
# Global local policy
#
@@ -13457,15 +13285,9 @@ index 3f2b672..ff94f23 100644
+allow condor_domain condor_etc_rw_t:dir list_dir_perms;
+rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t)
- manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t)
--append_files_pattern(condor_domain, condor_log_t, condor_log_t)
--create_files_pattern(condor_domain, condor_log_t, condor_log_t)
--getattr_files_pattern(condor_domain, condor_log_t, condor_log_t)
-+manage_files_pattern(condor_domain, condor_log_t, condor_log_t)
- logging_log_filetrans(condor_domain, condor_log_t, { dir file })
+ rw_files_pattern(condor_domain, condor_conf_t, condor_conf_t)
- manage_dirs_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t)
-@@ -86,13 +98,10 @@ allow condor_domain condor_master_t:tcp_socket getattr;
+@@ -89,13 +100,10 @@ allow condor_domain condor_master_t:tcp_socket getattr;
kernel_read_kernel_sysctls(condor_domain)
kernel_read_network_state(condor_domain)
@@ -13479,7 +13301,7 @@ index 3f2b672..ff94f23 100644
corenet_tcp_sendrecv_generic_if(condor_domain)
corenet_tcp_sendrecv_generic_node(condor_domain)
-@@ -106,9 +115,9 @@ dev_read_rand(condor_domain)
+@@ -109,9 +117,9 @@ dev_read_rand(condor_domain)
dev_read_sysfs(condor_domain)
dev_read_urand(condor_domain)
@@ -13489,9 +13311,9 @@ index 3f2b672..ff94f23 100644
-miscfiles_read_localization(condor_domain)
+sysnet_dns_name_resolve(condor_domain)
- tunable_policy(`condor_tcp_network_connect',`
- corenet_sendrecv_all_client_packets(condor_domain)
-@@ -125,7 +134,7 @@ optional_policy(`
+ sysnet_dns_name_resolve(condor_domain)
+
+@@ -130,7 +138,7 @@ optional_policy(`
# Master local policy
#
@@ -13500,7 +13322,7 @@ index 3f2b672..ff94f23 100644
allow condor_master_t condor_domain:process { sigkill signal };
-@@ -133,6 +142,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
+@@ -138,6 +146,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
@@ -13511,7 +13333,7 @@ index 3f2b672..ff94f23 100644
corenet_udp_sendrecv_generic_if(condor_master_t)
corenet_udp_sendrecv_generic_node(condor_master_t)
corenet_tcp_bind_generic_node(condor_master_t)
-@@ -152,6 +165,8 @@ domain_read_all_domains_state(condor_master_t)
+@@ -157,6 +169,8 @@ domain_read_all_domains_state(condor_master_t)
auth_use_nsswitch(condor_master_t)
@@ -13520,7 +13342,7 @@ index 3f2b672..ff94f23 100644
optional_policy(`
mta_send_mail(condor_master_t)
mta_read_config(condor_master_t)
-@@ -169,6 +184,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
+@@ -174,6 +188,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
kernel_read_network_state(condor_collector_t)
@@ -13529,7 +13351,7 @@ index 3f2b672..ff94f23 100644
#####################################
#
# Negotiator local policy
-@@ -178,6 +195,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
+@@ -183,6 +199,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
allow condor_negotiator_t condor_master_t:udp_socket getattr;
@@ -13538,17 +13360,7 @@ index 3f2b672..ff94f23 100644
######################################
#
# Procd local policy
-@@ -185,7 +204,8 @@ allow condor_negotiator_t condor_master_t:udp_socket getattr;
-
- allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace };
-
--allow condor_procd_t condor_startd_t:process sigkill;
-+allow condor_procd_t condor_domain:process sigkill;
-+
-
- domain_read_all_domains_state(condor_procd_t)
-
-@@ -201,6 +221,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
+@@ -206,6 +224,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
@@ -13557,7 +13369,7 @@ index 3f2b672..ff94f23 100644
domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
-@@ -209,6 +231,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
+@@ -214,6 +234,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
@@ -13566,7 +13378,7 @@ index 3f2b672..ff94f23 100644
#####################################
#
# Startd local policy
-@@ -233,11 +257,10 @@ domain_read_all_domains_state(condor_startd_t)
+@@ -238,11 +260,10 @@ domain_read_all_domains_state(condor_startd_t)
mcs_process_set_categories(condor_startd_t)
init_domtrans_script(condor_startd_t)
@@ -13579,7 +13391,7 @@ index 3f2b672..ff94f23 100644
optional_policy(`
ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
ssh_domtrans(condor_startd_t)
-@@ -249,3 +272,7 @@ optional_policy(`
+@@ -254,3 +275,7 @@ optional_policy(`
kerberos_use(condor_startd_ssh_t)
')
')
@@ -13720,7 +13532,7 @@ index 5b830ec..0647a3b 100644
+ ps_process_pattern($1, consolekit_t)
+')
diff --git a/consolekit.te b/consolekit.te
-index 5f0c793..d11e25b 100644
+index bd18063..926e314 100644
--- a/consolekit.te
+++ b/consolekit.te
@@ -19,12 +19,16 @@ type consolekit_var_run_t;
@@ -13740,14 +13552,14 @@ index 5f0c793..d11e25b 100644
allow consolekit_t self:process { getsched signal };
allow consolekit_t self:fifo_file rw_fifo_file_perms;
allow consolekit_t self:unix_stream_socket { accept listen };
-@@ -54,37 +58,36 @@ dev_read_sysfs(consolekit_t)
+@@ -54,38 +58,37 @@ dev_read_sysfs(consolekit_t)
domain_read_all_domains_state(consolekit_t)
domain_use_interactive_fds(consolekit_t)
-domain_dontaudit_ptrace_all_domains(consolekit_t)
-files_read_usr_files(consolekit_t)
- # needs to read /var/lib/dbus/machine-id
++# needs to read /var/lib/dbus/machine-id
files_read_var_lib_files(consolekit_t)
files_search_all_mountpoints(consolekit_t)
@@ -13760,9 +13572,11 @@ index 5f0c793..d11e25b 100644
auth_use_nsswitch(consolekit_t)
auth_manage_pam_console_data(consolekit_t)
auth_write_login_records(consolekit_t)
-
-+init_read_utmp(consolekit_t)
+ auth_create_pam_console_data_dirs(consolekit_t)
+-auth_pid_filetrans_pam_var_console(consolekit_t, dir, "console")
+
++init_read_utmp(consolekit_t)
+
logging_send_syslog_msg(consolekit_t)
logging_send_audit_msgs(consolekit_t)
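Review bot: The patch now removes `auth_pid_filetrans_pam_var_console(consolekit_t, dir, "console")` while keeping `auth_manage_pam_console_data(consolekit_t)`, so a `/var/run/console` directory that consolekit creates itself no longer gets its pam console label through this module. If the named transition is now provided elsewhere (the base policy or an interface added above `auth_create_pam_console_data_dirs`), a comment on the removal saying where would save the next reader the search; otherwise the filetrans should stay, since a mislabeled console directory affects every domain that relies on the pam console label. I cannot see the base-policy side from this hunk.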
@@ -13786,8 +13600,8 @@ index 5f0c793..d11e25b 100644
+ cron_read_system_job_lib_files(consolekit_t)
')
- ifdef(`distro_debian',`
-@@ -112,13 +115,6 @@ optional_policy(`
+ optional_policy(`
+@@ -109,13 +112,6 @@ optional_policy(`
')
')
@@ -13934,7 +13748,7 @@ index 694a037..b836c07 100644
+ allow $1 corosync_unit_file_t:service all_service_perms;
')
diff --git a/corosync.te b/corosync.te
-index eeea48d..691ca11 100644
+index d5aa1e4..e827567 100644
--- a/corosync.te
+++ b/corosync.te
@@ -28,6 +28,9 @@ logging_log_file(corosync_var_log_t)
@@ -14017,33 +13831,50 @@ index c086302..4f33119 100644
/etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
diff --git a/couchdb.if b/couchdb.if
-index 83d6744..afa2f78 100644
+index 715a826..afa2f78 100644
--- a/couchdb.if
+++ b/couchdb.if
-@@ -2,6 +2,44 @@
+@@ -2,7 +2,7 @@
########################################
##
+-## Read couchdb log files.
+## Allow to read couchdb log files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`couchdb_read_log_files',`
-+ gen_require(`
-+ type couchdb_log_t;
-+ ')
-+
+ ##
+ ##
+ ##
+@@ -15,13 +15,13 @@ interface(`couchdb_read_log_files',`
+ type couchdb_log_t;
+ ')
+
+- logging_search_logs($1)
+ files_search_var_lib($1)
-+ read_files_pattern($1, couchdb_log_t, couchdb_log_t)
-+')
-+
-+########################################
-+##
+ read_files_pattern($1, couchdb_log_t, couchdb_log_t)
+ ')
+
+ ########################################
+ ##
+-## Read, write, and create couchdb lib files.
+## Allow to read couchdb lib files.
+ ##
+ ##
+ ##
+@@ -29,7 +29,7 @@ interface(`couchdb_read_log_files',`
+ ##
+ ##
+ #
+-interface(`couchdb_manage_lib_files',`
++interface(`couchdb_read_lib_files',`
+ gen_require(`
+ type couchdb_var_lib_t;
+ ')
+@@ -40,7 +40,46 @@ interface(`couchdb_manage_lib_files',`
+
+ ########################################
+ ##
+-## Read couchdb config files.
++## All of the rules required to
++## administrate an couchdb environment.
+##
+##
+##
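Review bot: `couchdb_read_log_files` now calls `files_search_var_lib($1)` in place of the upstream `logging_search_logs($1)`, and the later `couchdb_read_conf_files` hunk makes the same swap for `files_search_etc($1)`. A search permission on the wrong parent directory leaves the `read_files_pattern` grant unusable for callers that do not already search `/var/log` or `/etc`, so this is only right if couchdb.fc labels the logs and config under `/var/lib`, which I cannot confirm from this hunk. If both locations are possible, keep the upstream search call alongside `files_search_var_lib($1)`, and add a short comment in the interface stating where the files are expected.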
@@ -14051,25 +13882,6 @@ index 83d6744..afa2f78 100644
+##
+##
+#
-+interface(`couchdb_read_lib_files',`
-+ gen_require(`
-+ type couchdb_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
-+')
-+
-+########################################
-+##
- ## All of the rules required to
- ## administrate an couchdb environment.
- ##
-@@ -10,6 +48,127 @@
- ## Domain allowed access.
- ##
- ##
-+#
+interface(`couchdb_manage_lib_files',`
+ gen_require(`
+ type couchdb_var_lib_t;
@@ -14101,38 +13913,30 @@ index 83d6744..afa2f78 100644
+########################################
+##
+## Allow to read couchdb conf files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`couchdb_read_conf_files',`
-+ gen_require(`
-+ type couchdb_conf_t;
-+ ')
-+
+ ##
+ ##
+ ##
+@@ -53,13 +92,13 @@ interface(`couchdb_read_conf_files',`
+ type couchdb_conf_t;
+ ')
+
+- files_search_etc($1)
+ files_search_var_lib($1)
-+ read_files_pattern($1, couchdb_conf_t, couchdb_conf_t)
-+')
-+
-+########################################
-+##
+ read_files_pattern($1, couchdb_conf_t, couchdb_conf_t)
+ ')
+
+ ########################################
+ ##
+-## Read couchdb pid files.
+## Read couchdb PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`couchdb_read_pid_files',`
-+ gen_require(`
-+ type couchdb_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
+ ##
+ ##
+ ##
+@@ -73,19 +112,63 @@ interface(`couchdb_read_pid_files',`
+ ')
+
+ files_search_pids($1)
+- read_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t)
+ allow $1 couchdb_var_run_t:file read_file_perms;
+')
+
@@ -14153,17 +13957,20 @@ index 83d6744..afa2f78 100644
+
+ files_search_pids($1)
+ allow $1 couchdb_var_run_t:dir search_dir_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## All of the rules required to
+-## administrate an couchdb environment.
+## Execute couchdb server in the couchdb domain.
-+##
-+##
-+##
+ ##
+ ##
+ ##
+-## Domain allowed access.
+## Domain allowed to transition.
-+##
-+##
+ ##
+ ##
+#
+interface(`couchdb_systemctl',`
+ gen_require(`
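Review bot: Replacing `read_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t)` with `allow $1 couchdb_var_run_t:file read_file_perms;` in `couchdb_read_pid_files` drops the `search` on `couchdb_var_run_t` directories that the pattern granted; `files_search_pids($1)` only covers the generic pid directory. If the pid file sits inside a `couchdb_var_run_t` directory, callers now also need the separate `search_dir_perms` interface added just above this one. A comment such as `# pid file is expected directly under the generic pid directory` would justify the narrower rule if that is the layout.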
@@ -14193,7 +14000,7 @@ index 83d6744..afa2f78 100644
##
##
## Role allowed access.
-@@ -19,14 +178,19 @@
+@@ -95,14 +178,19 @@ interface(`couchdb_read_pid_files',`
#
interface(`couchdb_admin',`
gen_require(`
@@ -14214,7 +14021,7 @@ index 83d6744..afa2f78 100644
init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 couchdb_initrc_exec_t system_r;
-@@ -46,4 +210,13 @@ interface(`couchdb_admin',`
+@@ -122,4 +210,13 @@ interface(`couchdb_admin',`
files_search_pids($1)
admin_pattern($1, couchdb_var_run_t)
@@ -14229,7 +14036,7 @@ index 83d6744..afa2f78 100644
+ ')
')
diff --git a/couchdb.te b/couchdb.te
-index 503adab..046fe9b 100644
+index ae1c1b1..89e5702 100644
--- a/couchdb.te
+++ b/couchdb.te
@@ -27,6 +27,9 @@ files_type(couchdb_var_lib_t)
@@ -14254,11 +14061,11 @@ index 503adab..046fe9b 100644
-miscfiles_read_localization(couchdb_t)
diff --git a/courier.fc b/courier.fc
-index 8a4b596..cbecde8 100644
+index 2f017a0..defdc87 100644
--- a/courier.fc
+++ b/courier.fc
-@@ -9,17 +9,18 @@
- /usr/sbin/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
+@@ -11,17 +11,18 @@
+ /usr/sbin/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
/usr/lib/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
-/usr/lib/courier/courier-authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
@@ -14461,7 +14268,7 @@ index 10f820f..acdb179 100644
allow $1 courier_spool_t:fifo_file rw_fifo_file_perms;
')
diff --git a/courier.te b/courier.te
-index 77bb077..1499c3f 100644
+index ae3bc70..9090d75 100644
--- a/courier.te
+++ b/courier.te
@@ -18,7 +18,7 @@ type courier_etc_t;
@@ -14542,7 +14349,7 @@ index 77bb077..1499c3f 100644
########################################
#
diff --git a/cpucontrol.te b/cpucontrol.te
-index 2f1aad6..155a337 100644
+index af72c4e..afab036 100644
--- a/cpucontrol.te
+++ b/cpucontrol.te
@@ -42,8 +42,6 @@ term_dontaudit_use_console(cpucontrol_domain)
@@ -14579,7 +14386,7 @@ index 2f1aad6..155a337 100644
-miscfiles_read_localization(cpuspeed_t)
+logging_send_syslog_msg(cpuspeed_t)
diff --git a/cpufreqselector.te b/cpufreqselector.te
-index a3bbc21..7fd7d8f 100644
+index 6cedb87..530e250 100644
--- a/cpufreqselector.te
+++ b/cpufreqselector.te
@@ -14,21 +14,17 @@ init_daemon_domain(cpufreqselector_t, cpufreqselector_exec_t)
@@ -14616,41 +14423,94 @@ index a3bbc21..7fd7d8f 100644
+ xserver_dbus_chat_xdm(cpufreqselector_t)
+')
diff --git a/cron.fc b/cron.fc
-index 6e76215..224142a 100644
+index ad0bae9..72c2cda 100644
--- a/cron.fc
+++ b/cron.fc
-@@ -3,6 +3,9 @@
- /etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
- /etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+@@ -1,66 +1,79 @@
+-/etc/rc\.d/init\.d/(anacron|atd) -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
+
+-/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+-/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
++/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
++/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+-/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
+-/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
+/usr/lib/systemd/system/atd.* -- gen_context(system_u:object_r:crond_unit_file_t,s0)
+/usr/lib/systemd/system/crond.* -- gen_context(system_u:object_r:crond_unit_file_t,s0)
-+
- /usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
- /usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
-@@ -12,9 +15,6 @@
- /usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
- /usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
-
--/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
--
--/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0)
- /var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
+-/usr/libexec/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
+-/usr/libexec/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
++/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
++/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
+
+-/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0)
+-/usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0)
+-/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
+-/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
+-/usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
++/usr/libexec/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
++/usr/libexec/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
+
+-/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
++/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0)
++/usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0)
++/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
++/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
++/usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
+
+-/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0)
+-/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
++/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
+
+-/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+-/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+-/var/run/cron(d)?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+-/var/run/cron(d)?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
+-/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
+-/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+-/var/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0)
++/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0)
++/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
+
+-/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+-/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
+-/var/spool/at/atspool(/.*)? gen_context(system_u:object_r:user_cron_spool_log_t,s0)
++/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
++/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
++/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
++/var/run/crond?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
++/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
++/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
++/var/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0)
+
+-/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
+-#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
+-/var/spool/cron/[^/]* -- <>
++/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
++/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
- /var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
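Review bot: The rewritten cron.fc hunk removes and re-adds several dozen lines that differ only in column spacing (the `/usr/bin/at`, `/usr/sbin/*` and `/var/run/*` entries), which buries the real labeling changes: the `atd`/`crond` unit files, `/var/spool/cron -d` moving to `user_cron_spool_t`, and the removal of the upstream `/var/spool/fcron/systab\.tmp` and `/var/spool/fcron/rm\.systab` entries from `system_cron_spool_t`. Regenerating the hunk against upstream spacing would leave only the intended changes and make later rebases far less error-prone. The two dropped fcron entries now fall under the generic `/var/spool/fcron/.*` rule; if that is deliberate, a comment next to it, e.g. `# systab.tmp and rm.systab are covered by the generic fcron rule`, would make the intent clear.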
-@@ -27,13 +27,23 @@
-
- /var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
- /var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
--/var/spool/at/atspool(/.*)? gen_context(system_u:object_r:user_cron_spool_log_t,s0)
-
--/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
+-/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron -d gen_context(system_u:object_r:user_cron_spool_t,s0)
- #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
- /var/spool/cron/[^/]* -- <>
++#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
++/var/spool/cron/[^/]* -- <>
++
++/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+ /var/spool/cron/crontabs/.* -- <>
+ #/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
--/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+-/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0)
+-/var/spool/fcron/.* <>
++/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0)
++/var/spool/fcron/.* <>
+ /var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+-/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+-/var/spool/fcron/systab\.tmp -- gen_context(system_u:object_r:system_cron_spool_t,s0)
++/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+ /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+-/var/spool/fcron/rm\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
++
+ifdef(`distro_gentoo',`
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun/[^/]* -- <>
@@ -14661,43 +14521,33 @@ index 6e76215..224142a 100644
+/var/spool/cron/lastrun/[^/]* -- <>
+/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+')
-+
-+/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0)
- /var/spool/cron/crontabs/.* -- <>
- #/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
-
-@@ -43,19 +53,23 @@
- /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
- /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
-+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
-+
ifdef(`distro_debian',`
--/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
+-/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/log/prelink.log.* -- gen_context(system_u:object_r:cron_log_t,s0)
+
+/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
/var/spool/cron/atjobs/[^/]* -- <>
--/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0)
+-/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0)
')
ifdef(`distro_gentoo',`
--/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+-/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
/var/spool/cron/lastrun/[^/]* -- <>
')
-ifdef(`distro_suse',`
--/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+-/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
+ifdef(`distro_suse', `
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
/var/spool/cron/lastrun/[^/]* -- <>
--/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+-/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
+/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
')
diff --git a/cron.if b/cron.if
-index 1303b30..058864e 100644
+index 1303b30..72481a7 100644
--- a/cron.if
+++ b/cron.if
@@ -2,11 +2,12 @@
@@ -14749,47 +14599,52 @@ index 1303b30..058864e 100644
##
##
##
-@@ -60,57 +68,37 @@ interface(`cron_role',`
+@@ -60,56 +68,66 @@ interface(`cron_role',`
gen_require(`
type cronjob_t, crontab_t, crontab_exec_t;
type user_cron_spool_t, crond_t;
- bool cron_userdomain_transition;
++ bool cron_userdomain_transition;
')
- ##############################
- #
- # Declarations
- #
--
++ ##############################
++ #
++ # Declarations
++ #
+
role $1 types { cronjob_t crontab_t };
- ##############################
- #
- # Local policy
- #
-+ # cronjob shows up in user ps
-+ ps_process_pattern($2, cronjob_t)
++ ##############################
++ #
++ # Local policy
++ #
+ # Transition from the user domain to the derived domain.
domtrans_pattern($2, crontab_exec_t, crontab_t)
-+ allow crond_t $2:process transition;
dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
allow $2 crond_t:process sigchld;
- allow $2 user_cron_spool_t:file { getattr read write ioctl };
-+ # needs to be authorized SELinux context for cron
-+ allow $2 user_cron_spool_t:file { getattr read write ioctl entrypoint };
++ allow $2 user_cron_spool_t:file { getattr read write ioctl };
- allow $2 crontab_t:process { ptrace signal_perms };
+ # crontab shows up in user ps
- ps_process_pattern($2, crontab_t)
+ allow $2 crontab_t:process signal_perms;
-+
+ ps_process_pattern($2, crontab_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $2 crontab_t:process ptrace;
+ ')
-
++
+ # Run helper programs as the user domain
+ #corecmd_bin_domtrans(crontab_t, $2)
+ #corecmd_shell_domtrans(crontab_t, $2)
@@ -14800,29 +14655,45 @@ index 1303b30..058864e 100644
- allow crond_t $2:process transition;
- allow crond_t $2:fd use;
- allow crond_t $2:key manage_key_perms;
--
++ tunable_policy(`cron_userdomain_transition',`
++ allow crond_t $2:process transition;
++ allow crond_t $2:fd use;
++ allow crond_t $2:key manage_key_perms;
+
- allow $2 user_cron_spool_t:file entrypoint;
--
++ # needs to be authorized SELinux context for cron
++ allow $2 user_cron_spool_t:file entrypoint;
++ allow $2 crond_t:fifo_file rw_fifo_file_perms;
+
- allow $2 crond_t:fifo_file rw_fifo_file_perms;
--
++ allow $2 cronjob_t:process { signal_perms };
+
- allow $2 cronjob_t:process { ptrace signal_perms };
- ps_process_pattern($2, cronjob_t)
- ',`
- dontaudit crond_t $2:process transition;
- dontaudit crond_t $2:fd use;
- dontaudit crond_t $2:key manage_key_perms;
--
++ ps_process_pattern($2, cronjob_t)
++ ',`
++ dontaudit crond_t $2:process transition;
++ dontaudit crond_t $2:fd use;
++ dontaudit crond_t $2:key manage_key_perms;
+
- dontaudit $2 user_cron_spool_t:file entrypoint;
--
++ dontaudit $2 user_cron_spool_t:file entrypoint;
+
- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
--
++ dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
+
- dontaudit $2 cronjob_t:process { ptrace signal_perms };
- ')
--
++ dontaudit $2 cronjob_t:process { signal_perms };
++ ')
+
optional_policy(`
gen_require(`
- class dbus send_msg;
-@@ -119,78 +107,38 @@ interface(`cron_role',`
+@@ -119,78 +137,87 @@ interface(`cron_role',`
dbus_stub(cronjob_t)
allow cronjob_t $2:dbus send_msg;
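Review bot: In the `cron_userdomain_transition` branch of `cron_role`, `allow $2 cronjob_t:process { signal_perms };` no longer carries `ptrace`, and unlike the `crontab_t` rule a few lines above there is no `deny_ptrace` tunable that restores it; the `cron_admin_role` hunk further down drops it for `cronjob_t` the same way, while the `cron_unconfined_role` hunk does gate `unconfined_cronjob_t` ptrace on `deny_ptrace`. If never allowing users to ptrace their own cron jobs is intended, a comment stating so would help; otherwise the refpolicy idiom is a combined condition, `tunable_policy(`cron_userdomain_transition && !deny_ptrace',` followed by `allow $2 cronjob_t:process ptrace;` and `')`. The braces around the single `signal_perms` macro are also unnecessary.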
@@ -14851,70 +14722,105 @@ index 1303b30..058864e 100644
#
interface(`cron_unconfined_role',`
gen_require(`
-- type unconfined_cronjob_t, crontab_t, crontab_exec_t;
+ type unconfined_cronjob_t, crontab_t, crontab_exec_t;
- type crond_t, user_cron_spool_t;
- bool cron_userdomain_transition;
-+ type unconfined_cronjob_t;
++ type crond_t, user_cron_spool_t;
++ bool cron_userdomain_transition;
')
- ##############################
- #
- # Declarations
- #
--
++ ##############################
++ #
++ # Declarations
++ #
++
++ role $1 types { unconfined_cronjob_t crontab_t };
+
- role $1 types { unconfined_cronjob_t crontab_t };
-+ role $1 types unconfined_cronjob_t;
++ ##############################
++ #
++ # Local policy
++ #
- ##############################
- #
- # Local policy
- #
--
++ domtrans_pattern($2, crontab_exec_t, crontab_t)
+
- domtrans_pattern($2, crontab_exec_t, crontab_t)
--
++ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
+
- dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
- allow $2 crond_t:process sigchld;
--
++ allow $2 crond_t:process sigchld;
+
- allow $2 user_cron_spool_t:file { getattr read write ioctl };
--
++ allow $2 user_cron_spool_t:file { getattr read write ioctl };
+
- allow $2 crontab_t:process { ptrace signal_perms };
- ps_process_pattern($2, crontab_t)
--
++ allow $2 crontab_t:process { signal_perms };
++ ps_process_pattern($2, crontab_t)
+
- corecmd_exec_bin(crontab_t)
- corecmd_exec_shell(crontab_t)
--
++ tunable_policy(`deny_ptrace',`',`
++ allow $2 crontab_t:process ptrace;
++ ')
+
- tunable_policy(`cron_userdomain_transition',`
- allow crond_t $2:process transition;
- allow crond_t $2:fd use;
- allow crond_t $2:key manage_key_perms;
--
++ # cronjob shows up in user ps
++ ps_process_pattern($2, unconfined_cronjob_t)
++ allow $2 unconfined_cronjob_t:process signal_perms;
+
- allow $2 user_cron_spool_t:file entrypoint;
--
++ tunable_policy(`deny_ptrace',`',`
++ allow $2 unconfined_cronjob_t:process ptrace;
++ ')
+
- allow $2 crond_t:fifo_file rw_fifo_file_perms;
--
++ corecmd_exec_bin(crontab_t)
++ corecmd_exec_shell(crontab_t)
+
- allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
- ps_process_pattern($2, unconfined_cronjob_t)
- ',`
- dontaudit crond_t $2:process transition;
- dontaudit crond_t $2:fd use;
- dontaudit crond_t $2:key manage_key_perms;
--
++ tunable_policy(`cron_userdomain_transition',`
++ allow crond_t $2:process transition;
++ allow crond_t $2:fd use;
++ allow crond_t $2:key manage_key_perms;
+
- dontaudit $2 user_cron_spool_t:file entrypoint;
--
++ allow $2 user_cron_spool_t:file entrypoint;
+
- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
--
++ allow $2 crond_t:fifo_file rw_fifo_file_perms;
++ ',`
++ dontaudit crond_t $2:process transition;
++ dontaudit crond_t $2:fd use;
++ dontaudit crond_t $2:key manage_key_perms;
+
- dontaudit $2 unconfined_cronjob_t:process { ptrace signal_perms };
-')
-+ # cronjob shows up in user ps
-+ ps_process_pattern($2, unconfined_cronjob_t)
-+ allow $2 unconfined_cronjob_t:process signal_perms;
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $2 unconfined_cronjob_t:process ptrace;
-+ ')
++ dontaudit $2 user_cron_spool_t:file entrypoint;
++
++ dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
++ ')
optional_policy(`
gen_require(`
-@@ -198,85 +146,65 @@ interface(`cron_unconfined_role',`
+@@ -198,55 +225,60 @@ interface(`cron_unconfined_role',`
')
dbus_stub(unconfined_cronjob_t)
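Review bot: `ps_process_pattern($2, unconfined_cronjob_t)` and `allow $2 unconfined_cronjob_t:process signal_perms;` are granted unconditionally in `cron_unconfined_role`, whereas the equivalent `cronjob_t` rules in `cron_role` sit inside the `cron_userdomain_transition` tunable with a matching `dontaudit` in its else branch. Either placement can be argued, but the two role interfaces should agree so that the audit behaviour with the boolean off is the same for confined and unconfined users. If the unconditional form is preferred here, a short comment explaining why it differs from `cron_role` would help.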
@@ -14950,53 +14856,51 @@ index 1303b30..058864e 100644
class passwd crontab;
- type crond_t, user_cron_spool_t;
- bool cron_userdomain_transition;
++ bool cron_userdomain_transition;
')
- ##############################
- #
- # Declarations
- #
-+ role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t };
++ ##############################
++ #
++ # Declarations
++ #
- role $1 types { cronjob_t admin_crontab_t };
-+ # cronjob shows up in user ps
-+ ps_process_pattern($2, cronjob_t)
++ role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t };
- ##############################
- #
- # Local policy
- #
-+ # Manipulate other users crontab.
-+ allow $2 self:passwd crontab;
++ ##############################
++ #
++ # Local policy
++ #
+ # Transition from the user domain to the derived domain.
domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
-- dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
- allow $2 crond_t:process sigchld;
-+ # crontab shows up in user ps
-+ ps_process_pattern($2, admin_crontab_t)
-+ allow $2 admin_crontab_t:process signal_perms;
-+ tunable_policy(`deny_ptrace',`',`
-+ allow $2 admin_crontab_t:process ptrace;
-+ ')
- allow $2 user_cron_spool_t:file { getattr read write ioctl };
+ allow $2 crond_t:process sigchld;
-+ allow crond_t $2:process transition;
- allow $2 admin_crontab_t:process { ptrace signal_perms };
-- ps_process_pattern($2, admin_crontab_t)
-+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
-
-- # Manipulate other users crontab.
-- allow $2 self:passwd crontab;
-+ # needs to be authorized SELinux context for cron
-+ allow $2 user_cron_spool_t:file entrypoint;
++ # crontab shows up in user ps
+ ps_process_pattern($2, admin_crontab_t)
++ allow $2 admin_crontab_t:process signal_perms;
++
++ tunable_policy(`deny_ptrace',`',`
++ allow $2 admin_crontab_t:process ptrace;
++ ')
-+ # Run helper programs as the user domain
-+ #corecmd_bin_domtrans(admin_crontab_t, $2)
-+ #corecmd_shell_domtrans(admin_crontab_t, $2)
+ # Manipulate other users crontab.
+ allow $2 self:passwd crontab;
+@@ -254,28 +286,26 @@ interface(`cron_admin_role',`
corecmd_exec_bin(admin_crontab_t)
corecmd_exec_shell(admin_crontab_t)
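Review bot: `role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t };` lists `admin_crontab_tmp_t`, which by its name is a tmp file type rather than a process domain; a `role ... types` statement only has an effect for domains, so this entry looks like a leftover and is worth confirming. The `gen_require` block at the top of this interface is outside the hunk, so I cannot see whether the type is declared there. If it is needed for some reason I am not seeing, a one-line comment explaining it would keep the next reader from removing it.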
@@ -15004,29 +14908,44 @@ index 1303b30..058864e 100644
- allow crond_t $2:process transition;
- allow crond_t $2:fd use;
- allow crond_t $2:key manage_key_perms;
--
++ tunable_policy(`cron_userdomain_transition',`
++ allow crond_t $2:process transition;
++ allow crond_t $2:fd use;
++ allow crond_t $2:key manage_key_perms;
+
- allow $2 user_cron_spool_t:file entrypoint;
--
++ allow $2 user_cron_spool_t:file entrypoint;
+
- allow $2 crond_t:fifo_file rw_fifo_file_perms;
--
++ allow $2 crond_t:fifo_file rw_fifo_file_perms;
+
- allow $2 cronjob_t:process { ptrace signal_perms };
- ps_process_pattern($2, cronjob_t)
- ',`
- dontaudit crond_t $2:process transition;
- dontaudit crond_t $2:fd use;
- dontaudit crond_t $2:key manage_key_perms;
--
++ allow $2 cronjob_t:process { signal_perms };
++ ps_process_pattern($2, cronjob_t)
++ ',`
++ dontaudit crond_t $2:process transition;
++ dontaudit crond_t $2:fd use;
++ dontaudit crond_t $2:key manage_key_perms;
+
- dontaudit $2 user_cron_spool_t:file entrypoint;
-
- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
-
- dontaudit $2 cronjob_t:process { ptrace signal_perms };
- ')
--
++ dontaudit $2 user_cron_spool_t:file entrypoint;
++ dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
++ dontaudit $2 cronjob_t:process { signal_perms };
++ ')
+
optional_policy(`
gen_require(`
- class dbus send_msg;
-@@ -285,13 +213,13 @@ interface(`cron_admin_role',`
+@@ -285,13 +315,13 @@ interface(`cron_admin_role',`
dbus_stub(admin_cronjob_t)
allow cronjob_t $2:dbus send_msg;
@@ -15043,7 +14962,7 @@ index 1303b30..058864e 100644
##
##
##
-@@ -307,15 +235,15 @@ interface(`cron_admin_role',`
+@@ -307,15 +337,15 @@ interface(`cron_admin_role',`
interface(`cron_system_entry',`
gen_require(`
type crond_t, system_cronjob_t;
@@ -15062,7 +14981,7 @@ index 1303b30..058864e 100644
')
########################################
-@@ -333,13 +261,12 @@ interface(`cron_domtrans',`
+@@ -333,13 +363,12 @@ interface(`cron_domtrans',`
type system_cronjob_t, crond_exec_t;
')
@@ -15077,7 +14996,7 @@ index 1303b30..058864e 100644
##
##
##
-@@ -352,7 +279,6 @@ interface(`cron_exec',`
+@@ -352,7 +381,6 @@ interface(`cron_exec',`
type crond_exec_t;
')
@@ -15085,7 +15004,7 @@ index 1303b30..058864e 100644
can_exec($1, crond_exec_t)
')
-@@ -376,7 +302,31 @@ interface(`cron_initrc_domtrans',`
+@@ -376,7 +404,31 @@ interface(`cron_initrc_domtrans',`
########################################
##
@@ -15118,7 +15037,7 @@ index 1303b30..058864e 100644
##
##
##
-@@ -394,7 +344,7 @@ interface(`cron_use_fds',`
+@@ -394,7 +446,7 @@ interface(`cron_use_fds',`
########################################
##
@@ -15127,7 +15046,7 @@ index 1303b30..058864e 100644
##
##
##
-@@ -412,7 +362,7 @@ interface(`cron_sigchld',`
+@@ -412,7 +464,7 @@ interface(`cron_sigchld',`
########################################
##
@@ -15136,7 +15055,7 @@ index 1303b30..058864e 100644
##
##
##
-@@ -420,17 +370,17 @@ interface(`cron_sigchld',`
+@@ -420,17 +472,17 @@ interface(`cron_sigchld',`
##
##
#
@@ -15158,7 +15077,7 @@ index 1303b30..058864e 100644
##
##
##
-@@ -438,17 +388,17 @@ interface(`cron_setattr_log_files',`
+@@ -438,17 +490,17 @@ interface(`cron_setattr_log_files',`
##
##
#
@@ -15180,7 +15099,7 @@ index 1303b30..058864e 100644
##
##
##
-@@ -456,18 +406,20 @@ interface(`cron_create_log_files',`
+@@ -456,18 +508,20 @@ interface(`cron_create_log_files',`
##
##
#
@@ -15206,7 +15125,7 @@ index 1303b30..058864e 100644
##
##
##
-@@ -475,48 +427,37 @@ interface(`cron_write_log_files',`
+@@ -475,48 +529,37 @@ interface(`cron_write_log_files',`
##
##
#
@@ -15266,7 +15185,7 @@ index 1303b30..058864e 100644
##
##
##
-@@ -524,36 +465,35 @@ interface(`cron_generic_log_filetrans_log',`
+@@ -524,36 +567,35 @@ interface(`cron_generic_log_filetrans_log',`
##
##
#
@@ -15311,7 +15230,7 @@ index 1303b30..058864e 100644
##
##
##
-@@ -561,17 +501,17 @@ interface(`cron_dontaudit_write_pipes',`
+@@ -561,17 +603,17 @@ interface(`cron_dontaudit_write_pipes',`
##
##
#
@@ -15333,7 +15252,7 @@ index 1303b30..058864e 100644
##
##
##
-@@ -589,8 +529,7 @@ interface(`cron_rw_tcp_sockets',`
+@@ -589,8 +631,7 @@ interface(`cron_rw_tcp_sockets',`
########################################
##
@@ -15343,7 +15262,7 @@ index 1303b30..058864e 100644
##
##
##
-@@ -608,7 +547,7 @@ interface(`cron_dontaudit_rw_tcp_sockets',`
+@@ -608,7 +649,7 @@ interface(`cron_dontaudit_rw_tcp_sockets',`
########################################
##
@@ -15352,7 +15271,7 @@ index 1303b30..058864e 100644
##
##
##
-@@ -627,8 +566,26 @@ interface(`cron_search_spool',`
+@@ -627,8 +668,26 @@ interface(`cron_search_spool',`
########################################
##
@@ -15381,7 +15300,7 @@ index 1303b30..058864e 100644
##
##
##
-@@ -641,13 +598,13 @@ interface(`cron_manage_pid_files',`
+@@ -641,13 +700,13 @@ interface(`cron_manage_pid_files',`
type crond_var_run_t;
')
@@ -15397,7 +15316,7 @@ index 1303b30..058864e 100644
##
##
##
-@@ -660,13 +617,13 @@ interface(`cron_anacron_domtrans_system_job',`
+@@ -660,13 +719,13 @@ interface(`cron_anacron_domtrans_system_job',`
type system_cronjob_t, anacron_exec_t;
')
@@ -15413,7 +15332,7 @@ index 1303b30..058864e 100644
##
##
##
-@@ -684,7 +641,7 @@ interface(`cron_use_system_job_fds',`
+@@ -684,7 +743,7 @@ interface(`cron_use_system_job_fds',`
########################################
##
@@ -15422,7 +15341,7 @@ index 1303b30..058864e 100644
##
##
##
-@@ -692,19 +649,17 @@ interface(`cron_use_system_job_fds',`
+@@ -692,19 +751,17 @@ interface(`cron_use_system_job_fds',`
##
##
#
@@ -15446,7 +15365,7 @@ index 1303b30..058864e 100644
##
##
##
-@@ -712,18 +667,17 @@ interface(`cron_read_system_job_lib_files',`
+@@ -712,18 +769,17 @@ interface(`cron_read_system_job_lib_files',`
##
##
#
@@ -15469,7 +15388,7 @@ index 1303b30..058864e 100644
##
##
##
-@@ -731,18 +685,17 @@ interface(`cron_manage_system_job_lib_files',`
+@@ -731,18 +787,17 @@ interface(`cron_manage_system_job_lib_files',`
##
##
#
@@ -15491,7 +15410,7 @@ index 1303b30..058864e 100644
##
##
##
-@@ -750,86 +703,142 @@ interface(`cron_write_system_job_pipes',`
+@@ -750,86 +805,142 @@ interface(`cron_write_system_job_pipes',`
##
##
#
@@ -15661,16 +15580,10 @@ index 1303b30..058864e 100644
+ logging_log_filetrans($1, cron_log_t, $2, $3)
')
diff --git a/cron.te b/cron.te
-index 28e1b86..f871609 100644
+index 7de3859..c4abac0 100644
--- a/cron.te
+++ b/cron.te
-@@ -1,4 +1,4 @@
--policy_module(cron, 2.5.10)
-+policy_module(cron, 2.2.1)
-
- gen_require(`
- class passwd rootok;
-@@ -11,46 +11,37 @@ gen_require(`
+@@ -11,46 +11,46 @@ gen_require(`
##
##
@@ -15684,16 +15597,21 @@ index 28e1b86..f871609 100644
gen_tunable(cron_can_relabel, false)
##
- ##
+-##
-## Determine whether crond can execute jobs
-## in the user domain as opposed to the
-## the generic cronjob domain.
-##
--##
--gen_tunable(cron_userdomain_transition, false)
--
--##
--##
++##
++## Determine whether crond can execute jobs
++## in the user domain as opposed to the
++## the generic cronjob domain.
++##
+ ##
+ gen_tunable(cron_userdomain_transition, false)
+
+ ##
+ ##
-## Determine whether extra rules
-## should be enabled to support fcron.
+## Enable extra rules in the cron domain
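Review bot: The tunable description that this hunk turns into patch-authored lines, `++## in the user domain as opposed to the` followed by `++## the generic cronjob domain.`, doubles "the" across the line break. The wording was inherited from the old upstream context, but now that the patch owns these lines it is the place to correct them: `## in the user domain as opposed to` / `## the generic cronjob domain.`. The surrounding XML doc block starts before and ends after this hunk.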
@@ -15725,7 +15643,7 @@ index 28e1b86..f871609 100644
type cron_log_t;
logging_log_file(cron_log_t)
-@@ -71,6 +62,9 @@ domain_cron_exemption_source(crond_t)
+@@ -71,6 +71,9 @@ domain_cron_exemption_source(crond_t)
type crond_initrc_exec_t;
init_script_file(crond_initrc_exec_t)
@@ -15735,7 +15653,7 @@ index 28e1b86..f871609 100644
type crond_tmp_t;
files_tmp_file(crond_tmp_t)
files_poly_parent(crond_tmp_t)
-@@ -92,15 +86,16 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
+@@ -92,15 +95,16 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
@@ -15755,7 +15673,7 @@ index 28e1b86..f871609 100644
type system_cronjob_lock_t alias system_crond_lock_t;
files_lock_file(system_cronjob_lock_t)
-@@ -108,94 +103,38 @@ files_lock_file(system_cronjob_lock_t)
+@@ -108,94 +112,34 @@ files_lock_file(system_cronjob_lock_t)
type system_cronjob_tmp_t alias system_crond_tmp_t;
files_tmp_file(system_cronjob_tmp_t)
@@ -15764,10 +15682,7 @@ index 28e1b86..f871609 100644
-
-type system_cronjob_var_run_t;
-files_pid_file(system_cronjob_var_run_t)
-+type unconfined_cronjob_t;
-+domain_type(unconfined_cronjob_t)
-+domain_cron_exemption_target(unconfined_cronjob_t)
-
+-
+# Type of user crontabs once moved to cron spool.
type user_cron_spool_t, cron_spool_type;
typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
@@ -15865,7 +15780,7 @@ index 28e1b86..f871609 100644
selinux_get_fs_mount(admin_crontab_t)
selinux_validate_context(admin_crontab_t)
selinux_compute_access_vector(admin_crontab_t)
-@@ -204,12 +143,14 @@ selinux_compute_relabel_context(admin_crontab_t)
+@@ -204,12 +148,14 @@ selinux_compute_relabel_context(admin_crontab_t)
selinux_compute_user_contexts(admin_crontab_t)
tunable_policy(`fcron_crond',`
@@ -15881,7 +15796,7 @@ index 28e1b86..f871609 100644
#
allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search };
-@@ -218,8 +159,10 @@ allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem exec
+@@ -218,8 +164,10 @@ allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem exec
allow crond_t self:process { setexec setfscreate };
allow crond_t self:fd use;
allow crond_t self:fifo_file rw_fifo_file_perms;
@@ -15893,7 +15808,7 @@ index 28e1b86..f871609 100644
allow crond_t self:shm create_shm_perms;
allow crond_t self:sem create_sem_perms;
allow crond_t self:msgq create_msgq_perms;
-@@ -227,7 +170,7 @@ allow crond_t self:msg { send receive };
+@@ -227,7 +175,7 @@ allow crond_t self:msg { send receive };
allow crond_t self:key { search write link };
dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
@@ -15902,7 +15817,7 @@ index 28e1b86..f871609 100644
logging_log_filetrans(crond_t, cron_log_t, file)
manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
-@@ -237,72 +180,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
+@@ -237,73 +185,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
@@ -15973,7 +15888,7 @@ index 28e1b86..f871609 100644
+# Read from /var/spool/cron.
files_search_var_lib(crond_t)
files_search_default(crond_t)
-+files_read_all_locks(crond_t)
+ files_read_all_locks(crond_t)
-mls_fd_share_all_levels(crond_t)
+fs_manage_cgroup_dirs(crond_t)
@@ -16006,7 +15921,7 @@ index 28e1b86..f871609 100644
auth_use_nsswitch(crond_t)
logging_send_audit_msgs(crond_t)
-@@ -311,41 +250,46 @@ logging_set_loginuid(crond_t)
+@@ -312,41 +255,46 @@ logging_set_loginuid(crond_t)
seutil_read_config(crond_t)
seutil_read_default_contexts(crond_t)
@@ -16069,7 +15984,7 @@ index 28e1b86..f871609 100644
')
optional_policy(`
-@@ -353,102 +297,136 @@ optional_policy(`
+@@ -354,103 +302,135 @@ optional_policy(`
')
optional_policy(`
@@ -16167,6 +16082,7 @@ index 28e1b86..f871609 100644
allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
+
allow system_cronjob_t self:process { signal_perms getsched setsched };
+ allow system_cronjob_t self:fd use;
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
allow system_cronjob_t self:passwd rootok;
@@ -16186,8 +16102,6 @@ index 28e1b86..f871609 100644
+allow system_cronjob_t system_cron_spool_t:file read_file_perms;
+
-+mls_file_read_to_clearance(system_cronjob_t)
-+
+# anacron forces the following
manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)
@@ -16237,7 +16151,7 @@ index 28e1b86..f871609 100644
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
allow system_cronjob_t cron_spool_t:file rw_file_perms;
-@@ -457,11 +435,11 @@ kernel_read_network_state(system_cronjob_t)
+@@ -461,11 +441,11 @@ kernel_read_network_state(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
kernel_read_software_raid_state(system_cronjob_t)
@@ -16250,7 +16164,7 @@ index 28e1b86..f871609 100644
corenet_all_recvfrom_netlabel(system_cronjob_t)
corenet_tcp_sendrecv_generic_if(system_cronjob_t)
corenet_udp_sendrecv_generic_if(system_cronjob_t)
-@@ -481,6 +459,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
+@@ -485,6 +465,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
fs_getattr_all_pipes(system_cronjob_t)
fs_getattr_all_sockets(system_cronjob_t)
@@ -16258,7 +16172,7 @@ index 28e1b86..f871609 100644
domain_dontaudit_read_all_domains_state(system_cronjob_t)
files_exec_etc_files(system_cronjob_t)
-@@ -491,15 +470,19 @@ files_getattr_all_files(system_cronjob_t)
+@@ -495,17 +476,22 @@ files_getattr_all_files(system_cronjob_t)
files_getattr_all_symlinks(system_cronjob_t)
files_getattr_all_pipes(system_cronjob_t)
files_getattr_all_sockets(system_cronjob_t)
@@ -16271,17 +16185,19 @@ index 28e1b86..f871609 100644
files_manage_generic_spool(system_cronjob_t)
files_create_boot_flag(system_cronjob_t)
--mls_file_read_to_clearance(system_cronjob_t)
--
+ mls_file_read_to_clearance(system_cronjob_t)
+
+ init_domtrans_script(system_cronjob_t)
+-init_read_utmp(system_cronjob_t)
init_use_script_fds(system_cronjob_t)
+init_read_utmp(system_cronjob_t)
+init_dontaudit_rw_utmp(system_cronjob_t)
+# prelink tells init to restart it self, we either need to allow or dontaudit
+init_telinit(system_cronjob_t)
- init_domtrans_script(system_cronjob_t)
auth_use_nsswitch(system_cronjob_t)
-@@ -511,20 +494,26 @@ logging_read_generic_logs(system_cronjob_t)
+
+@@ -516,20 +502,26 @@ logging_read_generic_logs(system_cronjob_t)
logging_send_audit_msgs(system_cronjob_t)
logging_send_syslog_msg(system_cronjob_t)
@@ -16311,7 +16227,7 @@ index 28e1b86..f871609 100644
selinux_validate_context(system_cronjob_t)
selinux_compute_access_vector(system_cronjob_t)
selinux_compute_create_context(system_cronjob_t)
-@@ -534,10 +523,17 @@ tunable_policy(`cron_can_relabel',`
+@@ -539,10 +531,17 @@ tunable_policy(`cron_can_relabel',`
')
optional_policy(`
@@ -16329,7 +16245,7 @@ index 28e1b86..f871609 100644
')
optional_policy(`
-@@ -546,10 +542,6 @@ optional_policy(`
+@@ -551,10 +550,6 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(system_cronjob_t)
@@ -16340,7 +16256,7 @@ index 28e1b86..f871609 100644
')
optional_policy(`
-@@ -581,6 +573,7 @@ optional_policy(`
+@@ -591,6 +586,7 @@ optional_policy(`
optional_policy(`
mta_read_config(system_cronjob_t)
mta_send_mail(system_cronjob_t)
@@ -16348,29 +16264,27 @@ index 28e1b86..f871609 100644
')
optional_policy(`
-@@ -588,15 +581,19 @@ optional_policy(`
+@@ -598,7 +594,19 @@ optional_policy(`
')
optional_policy(`
-- postfix_read_config(system_cronjob_t)
+ networkmanager_dbus_chat(system_cronjob_t)
- ')
-
- optional_policy(`
-+ postfix_read_config(system_cronjob_t)
++')
++
++optional_policy(`
+ postfix_read_config(system_cronjob_t)
+')
+
+optional_policy(`
- prelink_delete_cache(system_cronjob_t)
- prelink_manage_lib(system_cronjob_t)
- prelink_manage_log(system_cronjob_t)
- prelink_read_cache(system_cronjob_t)
-- prelink_relabelfrom_lib(system_cronjob_t)
++ prelink_delete_cache(system_cronjob_t)
++ prelink_manage_lib(system_cronjob_t)
++ prelink_manage_log(system_cronjob_t)
++ prelink_read_cache(system_cronjob_t)
+ prelink_relabel_lib(system_cronjob_t)
')
optional_policy(`
-@@ -606,6 +603,7 @@ optional_policy(`
+@@ -608,6 +616,7 @@ optional_policy(`
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
@@ -16378,7 +16292,7 @@ index 28e1b86..f871609 100644
')
optional_policy(`
-@@ -613,12 +611,24 @@ optional_policy(`
+@@ -615,12 +624,24 @@ optional_policy(`
')
optional_policy(`
@@ -16405,7 +16319,7 @@ index 28e1b86..f871609 100644
#
allow cronjob_t self:process { signal_perms setsched };
-@@ -626,12 +636,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
+@@ -628,12 +649,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
allow cronjob_t self:unix_dgram_socket create_socket_perms;
@@ -16439,7 +16353,7 @@ index 28e1b86..f871609 100644
corenet_all_recvfrom_netlabel(cronjob_t)
corenet_tcp_sendrecv_generic_if(cronjob_t)
corenet_udp_sendrecv_generic_if(cronjob_t)
-@@ -639,84 +669,148 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
+@@ -641,66 +682,138 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
corenet_udp_sendrecv_generic_node(cronjob_t)
corenet_tcp_sendrecv_all_ports(cronjob_t)
corenet_udp_sendrecv_all_ports(cronjob_t)
@@ -16523,37 +16437,6 @@ index 28e1b86..f871609 100644
nis_use_ypbind(cronjob_t)
')
- ########################################
- #
--# Unconfined local policy
-+# Unconfined cronjobs local policy
- #
-
- optional_policy(`
-- type unconfined_cronjob_t;
-- domain_type(unconfined_cronjob_t)
-- domain_cron_exemption_target(unconfined_cronjob_t)
--
-+ # Permit a transition from the crond_t domain to this domain.
-+ # The transition is requested explicitly by the modified crond
-+ # via setexeccon. There is no way to set up an automatic
-+ # transition, since crontabs are configuration files, not executables.
-+ allow crond_t unconfined_cronjob_t:process transition;
- dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh };
-+ allow crond_t unconfined_cronjob_t:fd use;
-
- unconfined_domain(unconfined_cronjob_t)
-+')
-
-- tunable_policy(`cron_userdomain_transition',`
-- dontaudit crond_t unconfined_cronjob_t:process transition;
-- dontaudit crond_t unconfined_cronjob_t:fd use;
-- dontaudit crond_t unconfined_cronjob_t:key manage_key_perms;
-- ',`
-- allow crond_t unconfined_cronjob_t:process transition;
-- allow crond_t unconfined_cronjob_t:fd use;
-- allow crond_t unconfined_cronjob_t:key manage_key_perms;
-- ')
+##############################
+#
+# crontab common policy
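Review bot: This hunk removes from the carried patch the ungated `allow crond_t unconfined_cronjob_t:process transition`, `allow crond_t unconfined_cronjob_t:fd use` and `unconfined_domain(unconfined_cronjob_t)` lines together with the deletion of the `cron_userdomain_transition` tunable block around them, and the hunks at `@@ -15764,10 +15682,7 @@` and `@@ -16621,7 +16504,15 @@` likewise stop adding `type unconfined_cronjob_t;` and end on it as base context. Nothing visible shows what the rebased base now holds for the unconfined section, so after applying the patch it is worth confirming that the crond_t to unconfined_cronjob_t transition is still granted the way the previous patch intended (unconditionally, per the removed comment about the transition being requested via setexeccon) rather than only when the tunable is on; if it is tunable-gated, that transition would presumably be denied with the tunable off. The `# Unconfined cronjobs local policy` section continues beyond the last hunk, so its rules are not visible here.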
@@ -16621,7 +16504,15 @@ index 28e1b86..f871609 100644
+optional_policy(`
+ openshift_dontaudit_rw_inherited_fifo_files(crontab_domain)
+ openshift_transition(system_cronjob_t)
- ')
++')
++
+ ########################################
+ #
+-# Unconfined local policy
++# Unconfined cronjobs local policy
+ #
+
+ type unconfined_cronjob_t;
diff --git a/ctdb.fc b/ctdb.fc
index 8401fe6..507804b 100644
--- a/ctdb.fc
@@ -16926,7 +16817,7 @@ index b25b01d..e99c5c6 100644
')
+
diff --git a/ctdb.te b/ctdb.te
-index 6ce66e7..03bc338 100644
+index 001b502..fa6a022 100644
--- a/ctdb.te
+++ b/ctdb.te
@@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t)
@@ -17143,7 +17034,7 @@ index 949011e..afe482b 100644
+/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --git a/cups.if b/cups.if
-index 06da9a0..c7834c8 100644
+index 3023be7..20e370b 100644
--- a/cups.if
+++ b/cups.if
@@ -200,10 +200,13 @@ interface(`cups_dbus_chat_config',`
@@ -17188,10 +17079,10 @@ index 06da9a0..c7834c8 100644
+
+########################################
+##
- ## All of the rules required to
- ## administrate an cups environment.
+ ## Read the process state (/proc/pid) of cupsd.
##
-@@ -324,18 +350,23 @@ interface(`cups_stream_connect_ptal',`
+ ##
+@@ -344,18 +370,23 @@ interface(`cups_read_state',`
interface(`cups_admin',`
gen_require(`
type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
@@ -17220,7 +17111,7 @@ index 06da9a0..c7834c8 100644
init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -348,13 +379,63 @@ interface(`cups_admin',`
+@@ -368,13 +399,44 @@ interface(`cups_admin',`
logging_list_logs($1)
admin_pattern($1, cupsd_log_t)
@@ -17269,31 +17160,12 @@ index 06da9a0..c7834c8 100644
+ files_etc_filetrans($1, cupsd_rw_etc_t, dir, "inf")
+ files_usr_filetrans($1, cupsd_rw_etc_t, dir, "inf")
+ corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf")
-+')
-+
-+########################################
-+##
-+## Allow the domain to read cups state files in /proc.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`cups_read_state',`
-+ gen_require(`
-+ type cupsd_t;
-+ ')
-+
-+ kernel_search_proc($1)
-+ ps_process_pattern($1, cupsd_t)
')
diff --git a/cups.te b/cups.te
-index 9f34c2e..d084359 100644
+index c91813c..f31fa44 100644
--- a/cups.te
+++ b/cups.te
-@@ -5,19 +5,24 @@ policy_module(cups, 1.15.9)
+@@ -5,19 +5,24 @@ policy_module(cups, 1.16.2)
# Declarations
#
@@ -17451,15 +17323,8 @@ index 9f34c2e..d084359 100644
allow cupsd_t cupsd_exec_t:dir search_dir_perms;
allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
-@@ -133,28 +158,26 @@ allow cupsd_t cupsd_lock_t:file manage_file_perms;
- files_lock_filetrans(cupsd_t, cupsd_lock_t, file)
-
- manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
--append_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
--create_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
--read_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
--setattr_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
-+manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+@@ -136,22 +161,23 @@ manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
+ manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
+manage_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t)
@@ -17486,7 +17351,7 @@ index 9f34c2e..d084359 100644
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
-@@ -162,11 +185,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
+@@ -159,11 +185,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })
kernel_read_system_state(cupsd_t)
@@ -17498,7 +17363,7 @@ index 9f34c2e..d084359 100644
corenet_all_recvfrom_netlabel(cupsd_t)
corenet_tcp_sendrecv_generic_if(cupsd_t)
corenet_udp_sendrecv_generic_if(cupsd_t)
-@@ -189,12 +210,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
+@@ -186,12 +210,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
corenet_tcp_bind_all_rpc_ports(cupsd_t)
corenet_tcp_connect_all_ports(cupsd_t)
@@ -17523,7 +17388,7 @@ index 9f34c2e..d084359 100644
dev_rw_input_dev(cupsd_t)
dev_rw_generic_usb_dev(cupsd_t)
dev_rw_usbfs(cupsd_t)
-@@ -206,7 +235,6 @@ domain_use_interactive_fds(cupsd_t)
+@@ -203,7 +235,6 @@ domain_use_interactive_fds(cupsd_t)
files_getattr_boot_dirs(cupsd_t)
files_list_spool(cupsd_t)
files_read_etc_runtime_files(cupsd_t)
@@ -17531,7 +17396,7 @@ index 9f34c2e..d084359 100644
files_exec_usr_files(cupsd_t)
# for /var/lib/defoma
files_read_var_lib_files(cupsd_t)
-@@ -215,16 +243,17 @@ files_read_world_readable_files(cupsd_t)
+@@ -212,16 +243,17 @@ files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t)
files_read_var_files(cupsd_t)
files_read_var_symlinks(cupsd_t)
@@ -17551,7 +17416,7 @@ index 9f34c2e..d084359 100644
mls_fd_use_all_levels(cupsd_t)
mls_file_downgrade(cupsd_t)
-@@ -235,6 +264,8 @@ mls_socket_write_all_levels(cupsd_t)
+@@ -232,6 +264,8 @@ mls_socket_write_all_levels(cupsd_t)
term_search_ptys(cupsd_t)
term_use_unallocated_ttys(cupsd_t)
@@ -17560,7 +17425,7 @@ index 9f34c2e..d084359 100644
selinux_compute_access_vector(cupsd_t)
selinux_validate_context(cupsd_t)
-@@ -247,21 +278,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
+@@ -244,21 +278,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
auth_rw_faillog(cupsd_t)
auth_use_nsswitch(cupsd_t)
@@ -17586,7 +17451,7 @@ index 9f34c2e..d084359 100644
userdom_dontaudit_search_user_home_content(cupsd_t)
optional_policy(`
-@@ -275,6 +305,8 @@ optional_policy(`
+@@ -272,6 +305,8 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(cupsd_t)
@@ -17595,7 +17460,7 @@ index 9f34c2e..d084359 100644
userdom_dbus_send_all_users(cupsd_t)
optional_policy(`
-@@ -285,8 +317,10 @@ optional_policy(`
+@@ -282,8 +317,10 @@ optional_policy(`
hal_dbus_chat(cupsd_t)
')
@@ -17606,7 +17471,7 @@ index 9f34c2e..d084359 100644
')
')
-@@ -299,8 +333,8 @@ optional_policy(`
+@@ -296,8 +333,8 @@ optional_policy(`
')
optional_policy(`
@@ -17616,7 +17481,7 @@ index 9f34c2e..d084359 100644
')
optional_policy(`
-@@ -309,7 +343,6 @@ optional_policy(`
+@@ -306,7 +343,6 @@ optional_policy(`
optional_policy(`
lpd_exec_lpr(cupsd_t)
@@ -17624,7 +17489,7 @@ index 9f34c2e..d084359 100644
lpd_read_config(cupsd_t)
lpd_relabel_spool(cupsd_t)
')
-@@ -337,7 +370,11 @@ optional_policy(`
+@@ -334,7 +370,11 @@ optional_policy(`
')
optional_policy(`
@@ -17637,7 +17502,7 @@ index 9f34c2e..d084359 100644
')
########################################
-@@ -345,12 +382,11 @@ optional_policy(`
+@@ -342,12 +382,11 @@ optional_policy(`
# Configuration daemon local policy
#
@@ -17653,7 +17518,7 @@ index 9f34c2e..d084359 100644
allow cupsd_config_t cupsd_t:process signal;
ps_process_pattern(cupsd_config_t, cupsd_t)
-@@ -375,18 +411,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
+@@ -372,18 +411,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
@@ -17674,7 +17539,7 @@ index 9f34c2e..d084359 100644
corenet_all_recvfrom_netlabel(cupsd_config_t)
corenet_tcp_sendrecv_generic_if(cupsd_config_t)
corenet_tcp_sendrecv_generic_node(cupsd_config_t)
-@@ -395,20 +429,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
+@@ -392,20 +429,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
corenet_sendrecv_all_client_packets(cupsd_config_t)
corenet_tcp_connect_all_ports(cupsd_config_t)
@@ -17695,7 +17560,7 @@ index 9f34c2e..d084359 100644
fs_search_auto_mountpoints(cupsd_config_t)
domain_use_interactive_fds(cupsd_config_t)
-@@ -420,11 +446,6 @@ auth_use_nsswitch(cupsd_config_t)
+@@ -417,11 +446,6 @@ auth_use_nsswitch(cupsd_config_t)
logging_send_syslog_msg(cupsd_config_t)
@@ -17707,7 +17572,7 @@ index 9f34c2e..d084359 100644
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
userdom_read_all_users_state(cupsd_config_t)
-@@ -452,9 +473,12 @@ optional_policy(`
+@@ -449,9 +473,12 @@ optional_policy(`
')
optional_policy(`
@@ -17721,7 +17586,7 @@ index 9f34c2e..d084359 100644
')
optional_policy(`
-@@ -490,10 +514,6 @@ optional_policy(`
+@@ -487,10 +514,6 @@ optional_policy(`
# Lpd local policy
#
@@ -17732,7 +17597,7 @@ index 9f34c2e..d084359 100644
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
-@@ -511,31 +531,23 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
+@@ -508,15 +531,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
@@ -17749,14 +17614,8 @@ index 9f34c2e..d084359 100644
+corenet_tcp_connect_printer_port(cupsd_lpd_t)
corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
--dev_read_urand(cupsd_lpd_t)
--dev_read_rand(cupsd_lpd_t)
--
--fs_getattr_xattr_fs(cupsd_lpd_t)
--
- files_search_home(cupsd_lpd_t)
-
- auth_use_nsswitch(cupsd_lpd_t)
+ corenet_sendrecv_printer_server_packets(cupsd_lpd_t)
+@@ -537,9 +560,6 @@ auth_use_nsswitch(cupsd_lpd_t)
logging_send_syslog_msg(cupsd_lpd_t)
@@ -17766,7 +17625,7 @@ index 9f34c2e..d084359 100644
optional_policy(`
inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
')
-@@ -546,7 +558,6 @@ optional_policy(`
+@@ -550,7 +570,6 @@ optional_policy(`
#
allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
@@ -17774,7 +17633,7 @@ index 9f34c2e..d084359 100644
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
-@@ -562,148 +573,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
+@@ -566,148 +585,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
kernel_read_system_state(cups_pdf_t)
@@ -17926,7 +17785,7 @@ index 9f34c2e..d084359 100644
########################################
#
-@@ -731,7 +617,6 @@ kernel_read_kernel_sysctls(ptal_t)
+@@ -735,7 +629,6 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
@@ -17934,7 +17793,7 @@ index 9f34c2e..d084359 100644
corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_generic_if(ptal_t)
corenet_tcp_sendrecv_generic_node(ptal_t)
-@@ -741,13 +626,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
+@@ -745,13 +638,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
corenet_tcp_bind_ptal_port(ptal_t)
corenet_tcp_sendrecv_ptal_port(ptal_t)
@@ -17948,7 +17807,7 @@ index 9f34c2e..d084359 100644
files_read_etc_runtime_files(ptal_t)
fs_getattr_all_fs(ptal_t)
-@@ -755,8 +638,6 @@ fs_search_auto_mountpoints(ptal_t)
+@@ -759,8 +650,6 @@ fs_search_auto_mountpoints(ptal_t)
logging_send_syslog_msg(ptal_t)
@@ -17957,13 +17816,13 @@ index 9f34c2e..d084359 100644
sysnet_read_config(ptal_t)
userdom_dontaudit_use_unpriv_user_fds(ptal_t)
-@@ -769,3 +650,4 @@ optional_policy(`
+@@ -773,3 +662,4 @@ optional_policy(`
optional_policy(`
udev_read_db(ptal_t)
')
+
diff --git a/cvs.if b/cvs.if
-index 9fa7ffb..fd3262c 100644
+index 64775fd..bff3111 100644
--- a/cvs.if
+++ b/cvs.if
@@ -1,5 +1,23 @@
@@ -17991,7 +17850,7 @@ index 9fa7ffb..fd3262c 100644
##
## Read CVS data and metadata content.
@@ -62,9 +80,14 @@ interface(`cvs_admin',`
- type cvs_data_t, cvs_var_run_t;
+ type cvs_data_t, cvs_var_run_t, cvs_keytab_t;
')
- allow $1 cvs_t:process { ptrace signal_perms };
@@ -18007,10 +17866,10 @@ index 9fa7ffb..fd3262c 100644
domain_system_change_exemption($1)
role_transition $2 cvs_initrc_exec_t system_r;
diff --git a/cvs.te b/cvs.te
-index 53fc3af..897ad64 100644
+index 0f77550..f98a932 100644
--- a/cvs.te
+++ b/cvs.te
-@@ -11,11 +11,12 @@ policy_module(cvs, 1.9.1)
+@@ -11,7 +11,7 @@ policy_module(cvs, 1.10.2)
## password files.
##
##
@@ -18019,12 +17878,7 @@ index 53fc3af..897ad64 100644
type cvs_t;
type cvs_exec_t;
- inetd_tcp_service_domain(cvs_t, cvs_exec_t)
-+init_domain(cvs_t, cvs_exec_t)
- application_executable_file(cvs_exec_t)
-
- type cvs_data_t; # customizable
-@@ -58,6 +59,15 @@ kernel_read_network_state(cvs_t)
+@@ -74,6 +74,15 @@ corenet_tcp_sendrecv_cvs_port(cvs_t)
corecmd_exec_bin(cvs_t)
corecmd_exec_shell(cvs_t)
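Review bot: The rebased patch no longer adds `init_domain(cvs_t, cvs_exec_t)` after `inetd_tcp_service_domain(cvs_t, cvs_exec_t)` (the lines removed in this hunk), and the new inner hunk `@@ -11,7 +11,7 @@` leaves that declaration region untouched; nothing in the visible diff shows the base gaining the call. If the addition was dropped by accident rather than absorbed upstream, cvs_t presumably stops being reachable as an init-started domain, so this should be checked against the rebased cvs.te before merging. The module header and the rest of the cvs_t declarations lie outside this hunk.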
@@ -18040,7 +17894,7 @@ index 53fc3af..897ad64 100644
dev_read_urand(cvs_t)
files_read_etc_runtime_files(cvs_t)
-@@ -70,18 +80,18 @@ auth_use_nsswitch(cvs_t)
+@@ -86,18 +95,18 @@ auth_use_nsswitch(cvs_t)
init_read_utmp(cvs_t)
@@ -18062,14 +17916,14 @@ index 53fc3af..897ad64 100644
allow cvs_t self:capability dac_override;
auth_tunable_read_shadow(cvs_t)
')
-@@ -103,4 +113,5 @@ optional_policy(`
+@@ -120,4 +129,5 @@ optional_policy(`
read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
')
diff --git a/cyphesis.te b/cyphesis.te
-index 916427f..556f1ac 100644
+index 77ffc73..86e11f5 100644
--- a/cyphesis.te
+++ b/cyphesis.te
@@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(cyphesis_t)
@@ -18095,7 +17949,7 @@ index 916427f..556f1ac 100644
optional_policy(`
diff --git a/cyrus.if b/cyrus.if
-index 6508280..a2860e3 100644
+index 83bfda6..92d9fb2 100644
--- a/cyrus.if
+++ b/cyrus.if
@@ -20,6 +20,25 @@ interface(`cyrus_manage_data',`
@@ -18124,8 +17978,8 @@ index 6508280..a2860e3 100644
########################################
##
## Connect to Cyrus using a unix
-@@ -63,9 +82,13 @@ interface(`cyrus_admin',`
- type cyrus_var_run_t, cyrus_initrc_exec_t;
+@@ -64,9 +83,13 @@ interface(`cyrus_admin',`
+ type cyrus_keytab_t;
')
- allow $1 cyrus_t:process { ptrace signal_perms };
@@ -18140,10 +17994,10 @@ index 6508280..a2860e3 100644
domain_system_change_exemption($1)
role_transition $2 cyrus_initrc_exec_t system_r;
diff --git a/cyrus.te b/cyrus.te
-index 395f97c..bf8db3c 100644
+index 4283f2d..0632ef7 100644
--- a/cyrus.te
+++ b/cyrus.te
-@@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t)
+@@ -29,7 +29,7 @@ files_pid_file(cyrus_var_run_t)
# Local policy
#
@@ -18152,7 +18006,7 @@ index 395f97c..bf8db3c 100644
dontaudit cyrus_t self:capability sys_tty_config;
allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow cyrus_t self:process setrlimit;
-@@ -58,7 +58,6 @@ kernel_read_kernel_sysctls(cyrus_t)
+@@ -63,7 +63,6 @@ kernel_read_kernel_sysctls(cyrus_t)
kernel_read_system_state(cyrus_t)
kernel_read_all_sysctls(cyrus_t)
@@ -18160,7 +18014,7 @@ index 395f97c..bf8db3c 100644
corenet_all_recvfrom_netlabel(cyrus_t)
corenet_tcp_sendrecv_generic_if(cyrus_t)
corenet_tcp_sendrecv_generic_node(cyrus_t)
-@@ -71,6 +70,9 @@ corenet_tcp_bind_mail_port(cyrus_t)
+@@ -76,6 +75,9 @@ corenet_tcp_bind_mail_port(cyrus_t)
corenet_sendrecv_lmtp_server_packets(cyrus_t)
corenet_tcp_bind_lmtp_port(cyrus_t)
@@ -18170,7 +18024,7 @@ index 395f97c..bf8db3c 100644
corenet_sendrecv_pop_server_packets(cyrus_t)
corenet_tcp_bind_pop_port(cyrus_t)
-@@ -90,8 +92,6 @@ domain_use_interactive_fds(cyrus_t)
+@@ -95,8 +97,6 @@ domain_use_interactive_fds(cyrus_t)
files_list_var_lib(cyrus_t)
files_read_etc_runtime_files(cyrus_t)
@@ -18179,7 +18033,7 @@ index 395f97c..bf8db3c 100644
fs_getattr_all_fs(cyrus_t)
fs_search_auto_mountpoints(cyrus_t)
-@@ -102,7 +102,6 @@ libs_exec_lib_files(cyrus_t)
+@@ -107,7 +107,6 @@ libs_exec_lib_files(cyrus_t)
logging_send_syslog_msg(cyrus_t)
@@ -18187,7 +18041,7 @@ index 395f97c..bf8db3c 100644
miscfiles_read_generic_certs(cyrus_t)
userdom_use_unpriv_users_fds(cyrus_t)
-@@ -116,6 +115,10 @@ optional_policy(`
+@@ -121,6 +120,10 @@ optional_policy(`
')
optional_policy(`
@@ -18195,10 +18049,10 @@ index 395f97c..bf8db3c 100644
+')
+
+optional_policy(`
- kerberos_keytab_template(cyrus, cyrus_t)
+ kerberos_read_keytab(cyrus_t)
+ kerberos_use(cyrus_t)
')
-
-@@ -128,8 +131,8 @@ optional_policy(`
+@@ -134,8 +137,8 @@ optional_policy(`
')
optional_policy(`
@@ -18219,7 +18073,7 @@ index 3b3d9a0..6c8106a 100644
')
+
diff --git a/daemontools.te b/daemontools.te
-index 0165962..2569147 100644
+index ee1b4aa..2fd746e 100644
--- a/daemontools.te
+++ b/daemontools.te
@@ -44,7 +44,10 @@ allow svc_multilog_t svc_start_t:process sigchld;
@@ -18269,7 +18123,7 @@ index 0165962..2569147 100644
-
-miscfiles_read_localization(svc_start_t)
diff --git a/dante.te b/dante.te
-index 98a2d6a..fff0987 100644
+index 5a5e290..6321a1d 100644
--- a/dante.te
+++ b/dante.te
@@ -53,7 +53,6 @@ dev_read_sysfs(dante_t)
@@ -18281,7 +18135,7 @@ index 98a2d6a..fff0987 100644
fs_getattr_all_fs(dante_t)
diff --git a/dbadm.te b/dbadm.te
-index a67870a..f7c0e61 100644
+index b60c464..3a5246a 100644
--- a/dbadm.te
+++ b/dbadm.te
@@ -23,14 +23,14 @@ gen_tunable(dbadm_read_user_files, false)
@@ -18318,7 +18172,7 @@ index a67870a..f7c0e61 100644
+ sudo_role_template(dbadm, dbadm_r, dbadm_t)
+')
diff --git a/dbskk.te b/dbskk.te
-index 188e2e6..719583e 100644
+index f55c420..e9d64ab 100644
--- a/dbskk.te
+++ b/dbskk.te
@@ -36,7 +36,6 @@ kernel_read_kernel_sysctls(dbskkd_t)
@@ -18383,7 +18237,7 @@ index dda905b..31f269b 100644
/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+')
diff --git a/dbus.if b/dbus.if
-index afcf3a2..e6ecc4d 100644
+index 62d22cb..fefd4b4 100644
--- a/dbus.if
+++ b/dbus.if
@@ -1,4 +1,4 @@
@@ -18735,7 +18589,7 @@ index afcf3a2..e6ecc4d 100644
##
##
##
-@@ -380,69 +264,32 @@ interface(`dbus_manage_lib_files',`
+@@ -381,69 +265,32 @@ interface(`dbus_manage_lib_files',`
########################################
##
@@ -18816,7 +18670,7 @@ index afcf3a2..e6ecc4d 100644
##
##
##
-@@ -457,20 +304,21 @@ interface(`dbus_all_session_domain',`
+@@ -458,20 +305,21 @@ interface(`dbus_all_session_domain',`
##
##
#
@@ -18842,7 +18696,7 @@ index afcf3a2..e6ecc4d 100644
##
##
##
-@@ -489,7 +337,7 @@ interface(`dbus_connect_system_bus',`
+@@ -490,7 +338,7 @@ interface(`dbus_connect_system_bus',`
########################################
##
@@ -18851,7 +18705,7 @@ index afcf3a2..e6ecc4d 100644
##
##
##
-@@ -508,7 +356,7 @@ interface(`dbus_send_system_bus',`
+@@ -509,7 +357,7 @@ interface(`dbus_send_system_bus',`
########################################
##
@@ -18860,7 +18714,7 @@ index afcf3a2..e6ecc4d 100644
##
##
##
-@@ -527,8 +375,8 @@ interface(`dbus_system_bus_unconfined',`
+@@ -528,8 +376,8 @@ interface(`dbus_system_bus_unconfined',`
########################################
##
@@ -18871,7 +18725,7 @@ index afcf3a2..e6ecc4d 100644
##
##
##
-@@ -543,33 +391,24 @@ interface(`dbus_system_bus_unconfined',`
+@@ -544,33 +392,24 @@ interface(`dbus_system_bus_unconfined',`
#
interface(`dbus_system_domain',`
gen_require(`
@@ -18909,7 +18763,7 @@ index afcf3a2..e6ecc4d 100644
##
##
##
-@@ -587,26 +426,25 @@ interface(`dbus_use_system_bus_fds',`
+@@ -588,26 +427,25 @@ interface(`dbus_use_system_bus_fds',`
########################################
##
@@ -18942,7 +18796,7 @@ index afcf3a2..e6ecc4d 100644
##
##
##
-@@ -614,10 +452,91 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+@@ -615,10 +453,91 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
##
##
#
@@ -19038,14 +18892,10 @@ index afcf3a2..e6ecc4d 100644
+ dontaudit system_bus_type $1:dbus send_msg;
')
diff --git a/dbus.te b/dbus.te
-index 2c2e7e1..493ab48 100644
+index c9998c8..fa4f188 100644
--- a/dbus.te
+++ b/dbus.te
-@@ -1,20 +1,18 @@
--policy_module(dbus, 1.18.8)
-+policy_module(dbus, 1.17.0)
-
- gen_require(`
+@@ -4,17 +4,15 @@ gen_require(`
class dbus all_dbus_perms;
')
@@ -19416,8 +19266,8 @@ index 2c2e7e1..493ab48 100644
# Unconfined access to this module
#
--allow dbusd_unconfined { dbusd_session_bus_client dbusd_system_bus_client }:dbus send_msg;
--allow dbusd_unconfined { system_dbusd_t session_bus_type }:dbus all_dbus_perms;
+-allow dbusd_unconfined { system_dbusd_t session_bus_type dbusd_session_bus_client dbusd_system_bus_client }:dbus all_dbus_perms;
+-allow { dbusd_session_bus_client dbusd_system_bus_client } dbusd_unconfined:dbus send_msg;
+allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
+allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
+allow session_bus_type dbusd_unconfined:dbus send_msg;
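Review bot: The rules the rebased patch keeps pair dbusd_unconfined only with session_bus_type and with itself, while the upstream lines it now strips (`allow dbusd_unconfined { system_dbusd_t session_bus_type dbusd_session_bus_client dbusd_system_bus_client }:dbus all_dbus_perms;` and the reverse `allow { dbusd_session_bus_client dbusd_system_bus_client } dbusd_unconfined:dbus send_msg;`) also covered system_dbusd_t and both client attributes. Dropping all_dbus_perms toward system_dbusd_t is a defensible least-privilege narrowing, but nothing in this hunk lets a dbusd_system_bus_client domain send_msg to dbusd_unconfined, so unless Fedora's dbus_system_bus_client() interface grants that pairing elsewhere, replies from confined system-bus services to unconfined callers would presumably be denied after this rebase. Suggest confirming against dbus.if and, if it is not covered there, adding `allow { dbusd_session_bus_client dbusd_system_bus_client } dbusd_unconfined:dbus send_msg;` beside the session_bus_type rule so the upstream reverse direction is not silently lost. The "Unconfined access to this module" section continues outside the hunk.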
@@ -19447,7 +19297,7 @@ index a5c21e0..4639421 100644
stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)
')
diff --git a/dcc.te b/dcc.te
-index 15d908f..cecb0da 100644
+index 353fa4a..a5e912f 100644
--- a/dcc.te
+++ b/dcc.te
@@ -45,7 +45,7 @@ type dcc_var_t;
@@ -19619,7 +19469,7 @@ index 5606b40..cd18cf2 100644
domain_system_change_exemption($1)
role_transition $2 ddclient_initrc_exec_t system_r;
diff --git a/ddclient.te b/ddclient.te
-index 0b4b8b9..2efb435 100644
+index a4caa1b..42f3066 100644
--- a/ddclient.te
+++ b/ddclient.te
@@ -38,9 +38,13 @@ files_pid_file(ddclient_var_run_t)
@@ -19674,7 +19524,7 @@ index 0b4b8b9..2efb435 100644
sysnet_exec_ifconfig(ddclient_t)
sysnet_dns_name_resolve(ddclient_t)
diff --git a/ddcprobe.te b/ddcprobe.te
-index ceb9bf4..2496e02 100644
+index 8fa4bb9..8f5ffb0 100644
--- a/ddcprobe.te
+++ b/ddcprobe.te
@@ -34,9 +34,7 @@ dev_read_urand(ddcprobe_t)
@@ -19729,7 +19579,7 @@ index a7326da..c87b5b7 100644
admin_pattern($1, denyhosts_var_lock_t)
')
diff --git a/denyhosts.te b/denyhosts.te
-index bcb9770..b53e611 100644
+index 583a527..bb77017 100644
--- a/denyhosts.te
+++ b/denyhosts.te
@@ -25,6 +25,9 @@ logging_log_file(denyhosts_var_log_t)
@@ -19773,7 +19623,7 @@ index bcb9770..b53e611 100644
+ gnome_dontaudit_search_config(denyhosts_t)
+')
diff --git a/devicekit.if b/devicekit.if
-index d294865..3b4f593 100644
+index 8ce99ff..0819898 100644
--- a/devicekit.if
+++ b/devicekit.if
@@ -1,4 +1,4 @@
@@ -19827,56 +19677,141 @@ index d294865..3b4f593 100644
')
########################################
-@@ -83,7 +99,46 @@ interface(`devicekit_dbus_chat_disk',`
+@@ -83,7 +99,7 @@ interface(`devicekit_dbus_chat_disk',`
########################################
##
-## Send generic signals to devicekit power.
+## Use file descriptors for devicekit_disk.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -91,39 +107,38 @@ interface(`devicekit_dbus_chat_disk',`
+ ##
+ ##
+ #
+-interface(`devicekit_signal_power',`
+interface(`devicekit_use_fds_disk',`
-+ gen_require(`
+ gen_require(`
+- type devicekit_power_t;
+ type devicekit_disk_t;
+ ')
+
+- allow $1 devicekit_power_t:process signal;
++ allow $1 devicekit_disk_t:fd use;
+ ')
+
+ ########################################
+ ##
+-## Send and receive messages from
+-## devicekit power over dbus.
++## Dontaudit Send and receive messages from
++## devicekit disk over dbus.
+ ##
+ ##
+ ##
+-## Domain allowed access.
++## Domain to not audit.
+ ##
+ ##
+ #
+-interface(`devicekit_dbus_chat_power',`
++interface(`devicekit_dontaudit_dbus_chat_disk',`
+ gen_require(`
+- type devicekit_power_t;
++ type devicekit_disk_t;
+ class dbus send_msg;
+ ')
+
+- allow $1 devicekit_power_t:dbus send_msg;
+- allow devicekit_power_t $1:dbus send_msg;
++ dontaudit $1 devicekit_disk_t:dbus send_msg;
++ dontaudit devicekit_disk_t $1:dbus send_msg;
+ ')
+
+ ########################################
+ ##
+-## Use and inherit devicekit power
+-## file descriptors.
++## Send signal devicekit power
+ ##
+ ##
+ ##
+@@ -131,17 +146,18 @@ interface(`devicekit_dbus_chat_power',`
+ ##
+ ##
+ #
+-interface(`devicekit_use_fds_power',`
++interface(`devicekit_signal_power',`
+ gen_require(`
+ type devicekit_power_t;
+ ')
+
+- allow $1 devicekit_power_t:fd use;
++ allow $1 devicekit_power_t:process signal;
+ ')
+
+ ########################################
+ ##
+-## Append inherited devicekit log files.
++## Send and receive messages from
++## devicekit power over dbus.
+ ##
+ ##
+ ##
+@@ -149,40 +165,78 @@ interface(`devicekit_use_fds_power',`
+ ##
+ ##
+ #
++interface(`devicekit_dbus_chat_power',`
++ gen_require(`
++ type devicekit_power_t;
++ class dbus send_msg;
+ ')
+
-+ allow $1 devicekit_disk_t:fd use;
++ allow $1 devicekit_power_t:dbus send_msg;
++ allow devicekit_power_t $1:dbus send_msg;
+')
+
-+########################################
++#######################################
+##
-+## Dontaudit Send and receive messages from
-+## devicekit disk over dbus.
++## Use and inherit devicekit power
++## file descriptors.
+##
+##
-+##
-+## Domain to not audit.
-+##
++##
++## Domain allowed access.
++##
+##
+#
-+interface(`devicekit_dontaudit_dbus_chat_disk',`
-+ gen_require(`
-+ type devicekit_disk_t;
-+ class dbus send_msg;
-+ ')
++interface(`devicekit_use_fds_power',`
++ gen_require(`
++ type devicekit_power_t;
++ ')
+
-+ dontaudit $1 devicekit_disk_t:dbus send_msg;
-+ dontaudit devicekit_disk_t $1:dbus send_msg;
++ allow $1 devicekit_power_t:fd use;
+')
+
-+########################################
++#######################################
+##
-+## Send signal devicekit power
- ##
- ##
- ##
-@@ -120,29 +175,46 @@ interface(`devicekit_dbus_chat_power',`
- allow devicekit_power_t $1:dbus send_msg;
++## Append inherited devicekit log files.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+ interface(`devicekit_append_inherited_log_files',`
+ gen_require(`
+ type devicekit_var_log_t;
+ ')
+
+ logging_search_logs($1)
+- allow $1 devicekit_var_log_t:file { getattr_file_perms append };
++ allow $1 devicekit_var_log_t:file append_inherited_file_perms;
+
+ devicekit_use_fds_power($1)
')
-########################################
@@ -19884,44 +19819,26 @@ index d294865..3b4f593 100644
##
-## Create, read, write, and delete
-## devicekit log files.
-+## Append inherited devicekit log files.
++## Do not audit attempts to write the devicekit
++## log files.
##
##
-##
-## Domain allowed access.
-##
+##
-+## Domain allowed access.
++## Domain to not audit.
+##
##
#
-interface(`devicekit_manage_log_files',`
-+interface(`devicekit_append_inherited_log_files',`
++interface(`devicekit_dontaudit_rw_log',`
gen_require(`
type devicekit_var_log_t;
')
- logging_search_logs($1)
- manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
-+ allow $1 devicekit_var_log_t:file append_inherited_file_perms;
-+')
-+
-+#######################################
-+##
-+## Do not audit attempts to write the devicekit
-+## log files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
-+interface(`devicekit_dontaudit_rw_log',`
-+ gen_require(`
-+ type devicekit_var_log_t;
-+ ')
-+
+ dontaudit $1 devicekit_var_log_t:file rw_file_perms;
')
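Review bot: The two separator lines the new side introduces before `devicekit_use_fds_power` and `devicekit_append_inherited_log_files` (`+#######################################`) are 39 characters, one short of the 40-character `########################################` used by every other interface in this file, which refpolicy's style check flags. Several rewritten summaries also disagree with their bodies: `devicekit_dontaudit_rw_log` is summarised as `## Do not audit attempts to write the devicekit log files.` but dontaudits `rw_file_perms`, so `## Do not audit attempts to read and write the devicekit log files.` is the accurate wording; `## Dontaudit Send and receive messages from` / `## devicekit disk over dbus.` should read `## Do not audit attempts to send and receive messages from devicekit disk over dbus.`; and `## Send signal devicekit power` should read `## Send generic signals to devicekit power.`. These doc blocks are what gets extracted into the policy interface reference, so the wording matters beyond readability.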
@@ -19932,7 +19849,7 @@ index d294865..3b4f593 100644
##
##
##
-@@ -150,13 +222,13 @@ interface(`devicekit_manage_log_files',`
+@@ -190,13 +244,13 @@ interface(`devicekit_manage_log_files',`
##
##
#
@@ -19950,7 +19867,7 @@ index d294865..3b4f593 100644
')
########################################
-@@ -180,11 +252,30 @@ interface(`devicekit_read_pid_files',`
+@@ -220,11 +274,30 @@ interface(`devicekit_read_pid_files',`
########################################
##
@@ -19982,7 +19899,7 @@ index d294865..3b4f593 100644
## Domain allowed access.
##
##
-@@ -195,22 +286,59 @@ interface(`devicekit_manage_pid_files',`
+@@ -235,22 +308,59 @@ interface(`devicekit_manage_pid_files',`
')
files_search_pids($1)
@@ -20046,7 +19963,7 @@ index d294865..3b4f593 100644
##
##
##
-@@ -219,21 +347,48 @@ interface(`devicekit_admin',`
+@@ -259,21 +369,48 @@ interface(`devicekit_admin',`
gen_require(`
type devicekit_t, devicekit_disk_t, devicekit_power_t;
type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
@@ -20105,10 +20022,10 @@ index d294865..3b4f593 100644
+ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
')
diff --git a/devicekit.te b/devicekit.te
-index ff933af..cd1d88d 100644
+index 77a5003..2728ee6 100644
--- a/devicekit.te
+++ b/devicekit.te
-@@ -7,15 +7,15 @@ policy_module(devicekit, 1.2.1)
+@@ -7,15 +7,15 @@ policy_module(devicekit, 1.3.1)
type devicekit_t;
type devicekit_exec_t;
@@ -20163,7 +20080,7 @@ index ff933af..cd1d88d 100644
kernel_read_fs_sysctls(devicekit_disk_t)
kernel_read_network_state(devicekit_disk_t)
kernel_read_software_raid_state(devicekit_disk_t)
-@@ -98,6 +97,8 @@ corecmd_getattr_all_executables(devicekit_disk_t)
+@@ -99,6 +98,8 @@ corecmd_getattr_all_executables(devicekit_disk_t)
dev_getattr_all_chr_files(devicekit_disk_t)
dev_getattr_mtrr_dev(devicekit_disk_t)
@@ -20172,7 +20089,7 @@ index ff933af..cd1d88d 100644
dev_getattr_usbfs_dirs(devicekit_disk_t)
dev_manage_generic_files(devicekit_disk_t)
dev_read_urand(devicekit_disk_t)
-@@ -116,8 +117,8 @@ files_getattr_all_pipes(devicekit_disk_t)
+@@ -117,8 +118,8 @@ files_getattr_all_pipes(devicekit_disk_t)
files_manage_boot_dirs(devicekit_disk_t)
files_manage_isid_type_dirs(devicekit_disk_t)
files_manage_mnt_dirs(devicekit_disk_t)
@@ -20182,7 +20099,7 @@ index ff933af..cd1d88d 100644
fs_getattr_all_fs(devicekit_disk_t)
fs_list_inotifyfs(devicekit_disk_t)
-@@ -134,16 +135,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
+@@ -135,18 +136,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
storage_raw_read_removable_device(devicekit_disk_t)
storage_raw_write_removable_device(devicekit_disk_t)
@@ -20191,9 +20108,10 @@ index ff933af..cd1d88d 100644
auth_use_nsswitch(devicekit_disk_t)
--miscfiles_read_localization(devicekit_disk_t)
-+logging_send_syslog_msg(devicekit_disk_t)
+ logging_send_syslog_msg(devicekit_disk_t)
+-miscfiles_read_localization(devicekit_disk_t)
+-
userdom_read_all_users_state(devicekit_disk_t)
userdom_search_user_home_dirs(devicekit_disk_t)
+userdom_manage_user_tmp_dirs(devicekit_disk_t)
@@ -20203,7 +20121,7 @@ index ff933af..cd1d88d 100644
dbus_system_bus_client(devicekit_disk_t)
allow devicekit_disk_t devicekit_t:dbus send_msg;
-@@ -167,6 +170,7 @@ optional_policy(`
+@@ -170,6 +171,7 @@ optional_policy(`
optional_policy(`
mount_domtrans(devicekit_disk_t)
@@ -20211,7 +20129,7 @@ index ff933af..cd1d88d 100644
')
optional_policy(`
-@@ -180,6 +184,11 @@ optional_policy(`
+@@ -183,6 +185,11 @@ optional_policy(`
')
optional_policy(`
@@ -20222,8 +20140,8 @@ index ff933af..cd1d88d 100644
+optional_policy(`
udev_domtrans(devicekit_disk_t)
udev_read_db(devicekit_disk_t)
- ')
-@@ -188,12 +197,19 @@ optional_policy(`
+ udev_read_pid_files(devicekit_disk_t)
+@@ -192,12 +199,19 @@ optional_policy(`
virt_manage_images(devicekit_disk_t)
')
@@ -20244,7 +20162,7 @@ index ff933af..cd1d88d 100644
allow devicekit_power_t self:process { getsched signal_perms };
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
-@@ -207,9 +223,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
+@@ -212,9 +226,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
@@ -20255,7 +20173,7 @@ index ff933af..cd1d88d 100644
logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
-@@ -242,17 +256,16 @@ domain_read_all_domains_state(devicekit_power_t)
+@@ -248,21 +260,18 @@ domain_read_all_domains_state(devicekit_power_t)
files_read_kernel_img(devicekit_power_t)
files_read_etc_runtime_files(devicekit_power_t)
@@ -20270,24 +20188,28 @@ index ff933af..cd1d88d 100644
auth_use_nsswitch(devicekit_power_t)
--miscfiles_read_localization(devicekit_power_t)
-+seutil_exec_setfiles(devicekit_power_t)
+ init_all_labeled_script_domtrans(devicekit_power_t)
+ init_read_utmp(devicekit_power_t)
+-miscfiles_read_localization(devicekit_power_t)
+-
sysnet_domtrans_ifconfig(devicekit_power_t)
sysnet_domtrans_dhcpc(devicekit_power_t)
-@@ -269,9 +282,11 @@ optional_policy(`
- optional_policy(`
- cron_initrc_domtrans(devicekit_power_t)
-+ cron_systemctl(devicekit_power_t)
+@@ -277,6 +286,12 @@ optional_policy(`
')
optional_policy(`
++ cron_initrc_domtrans(devicekit_power_t)
++ cron_systemctl(devicekit_power_t)
++')
++
++optional_policy(`
+ dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
dbus_system_bus_client(devicekit_power_t)
allow devicekit_power_t devicekit_t:dbus send_msg;
-@@ -302,8 +317,11 @@ optional_policy(`
+@@ -307,8 +322,11 @@ optional_policy(`
')
optional_policy(`
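Review bot: `seutil_exec_setfiles(devicekit_power_t)` is dropped from the patch in this hunk (the `-+seutil_exec_setfiles(devicekit_power_t)` line) and none of the rebased context (`init_all_labeled_script_domtrans`, `init_read_utmp`) replaces it, so unless it moved to another hunk or upstream now carries it, whatever in the upower/pm-utils path needed to exec setfiles would presumably start being denied — worth confirming. If the drop is deliberate it deserves a changelog mention; otherwise re-add `seutil_exec_setfiles(devicekit_power_t)` next to `sysnet_domtrans_ifconfig(devicekit_power_t)`. The cron block is now added as its own `optional_policy(`` holding `cron_initrc_domtrans` plus `cron_systemctl`, which is fine semantically, but a one-line comment saying why upowerd needs to restart crond would help since the reason is not obvious from the rules. The dbus optional_policy block that closes this hunk continues past it.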
@@ -20300,7 +20222,7 @@ index ff933af..cd1d88d 100644
hal_manage_pid_dirs(devicekit_power_t)
hal_manage_pid_files(devicekit_power_t)
')
-@@ -341,3 +359,9 @@ optional_policy(`
+@@ -347,3 +365,9 @@ optional_policy(`
optional_policy(`
vbetool_domtrans(devicekit_power_t)
')
@@ -20311,14 +20233,14 @@ index ff933af..cd1d88d 100644
+')
+
diff --git a/dhcp.fc b/dhcp.fc
-index 7956248..5fee161 100644
+index 8182c48..74d8d39 100644
--- a/dhcp.fc
+++ b/dhcp.fc
@@ -1,4 +1,5 @@
/etc/rc\.d/init\.d/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
+/usr/lib/systemd/system/dhcpcd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
- /usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
+ /usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
diff --git a/dhcp.if b/dhcp.if
index c697edb..31d45bf 100644
@@ -20392,7 +20314,7 @@ index c697edb..31d45bf 100644
+ allow $1 dhcpd_unit_file_t:service all_service_perms;
')
diff --git a/dhcp.te b/dhcp.te
-index c93c3db..cdb4d60 100644
+index 98a24b9..36e32aa 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
@@ -20469,7 +20391,7 @@ index 3cc3494..cb0a1f4 100644
init_labeled_script_domtrans($1, dictd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/dictd.te b/dictd.te
-index fd4a602..43b800a 100644
+index 433d3c5..0dccebf 100644
--- a/dictd.te
+++ b/dictd.te
@@ -43,7 +43,6 @@ files_pid_filetrans(dictd_t, dictd_var_run_t, file)
@@ -21290,7 +21212,7 @@ index 24d8c74..1790ec5 100644
')
diff --git a/distcc.te b/distcc.te
-index b441a4d..83fb340 100644
+index 898b2f4..8a1725b 100644
--- a/distcc.te
+++ b/distcc.te
@@ -47,7 +47,6 @@ files_pid_filetrans(distccd_t, distccd_var_run_t, file)
@@ -21339,7 +21261,7 @@ index 671d3c0..6d36c95 100644
#####################################
diff --git a/djbdns.te b/djbdns.te
-index 463d290..df50e4c 100644
+index 87ca536..ebd327a 100644
--- a/djbdns.te
+++ b/djbdns.te
@@ -48,6 +48,10 @@ corenet_udp_bind_generic_port(djbdns_domain)
@@ -21396,10 +21318,10 @@ index 41c3f67..653a1ec 100644
##
## Execute dmidecode in the dmidecode
diff --git a/dmidecode.te b/dmidecode.te
-index c947c2c..8d4d843 100644
+index aa0ef6e..02bdb68 100644
--- a/dmidecode.te
+++ b/dmidecode.te
-@@ -29,4 +29,8 @@ files_list_usr(dmidecode_t)
+@@ -31,4 +31,8 @@ mls_file_read_all_levels(dmidecode_t)
locallogin_use_fds(dmidecode_t)
@@ -21669,7 +21591,7 @@ index 19aa0b8..1e8b244 100644
+ allow $1 dnsmasq_unit_file_t:service all_service_perms;
')
diff --git a/dnsmasq.te b/dnsmasq.te
-index ba14bcf..a3e6c7c 100644
+index 37a3b7b..83a8692 100644
--- a/dnsmasq.te
+++ b/dnsmasq.te
@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
@@ -21892,7 +21814,7 @@ index 0000000..7f715f8
+
+
diff --git a/dnssectrigger.te b/dnssectrigger.te
-index ef36d73..fddd51f 100644
+index c7bb4e7..e6fe2f40 100644
--- a/dnssectrigger.te
+++ b/dnssectrigger.te
@@ -67,8 +67,6 @@ files_read_etc_runtime_files(dnssec_triggerd_t)
@@ -22346,7 +22268,7 @@ index c880070..4448055 100644
-/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
+/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
diff --git a/dovecot.if b/dovecot.if
-index dbcac59..66d42bb 100644
+index d5badb7..b093baa 100644
--- a/dovecot.if
+++ b/dovecot.if
@@ -1,29 +1,49 @@
@@ -22484,7 +22406,7 @@ index dbcac59..66d42bb 100644
##
##
##
-@@ -132,21 +148,24 @@ interface(`dovecot_write_inherited_tmp_files',`
+@@ -132,7 +148,7 @@ interface(`dovecot_write_inherited_tmp_files',`
##
##
##
@@ -22493,31 +22415,24 @@ index dbcac59..66d42bb 100644
##
##
##
- #
- interface(`dovecot_admin',`
- gen_require(`
-- type dovecot_t, dovecot_etc_t, dovecot_var_log_t;
-- type dovecot_spool_t, dovecot_var_lib_t, dovecot_initrc_exec_t;
-- type dovecot_var_run_t, dovecot_cert_t, dovecot_passwd_t;
-- type dovecot_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t;
-+ type dovecot_t, dovecot_etc_t, dovecot_auth_tmp_t;
-+ type dovecot_spool_t, dovecot_var_lib_t, dovecot_var_log_t;
-+ type dovecot_var_run_t, dovecot_tmp_t, dovecot_keytab_t;
-+ type dovecot_cert_t, dovecot_passwd_t, dovecot_initrc_exec_t;
+@@ -146,9 +162,13 @@ interface(`dovecot_admin',`
+ type dovecot_keytab_t;
')
- allow $1 dovecot_t:process { ptrace signal_perms };
+ allow $1 dovecot_t:process signal_perms;
ps_process_pattern($1, dovecot_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 dovecot_t:process ptrace;
+ ')
-
++
init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -156,20 +175,25 @@ interface(`dovecot_admin',`
+ role_transition $2 dovecot_initrc_exec_t system_r;
+@@ -157,20 +177,25 @@ interface(`dovecot_admin',`
files_list_etc($1)
- admin_pattern($1, dovecot_etc_t)
+ admin_pattern($1, { dovecot_keytab_t dovecot_etc_t })
- logging_list_logs($1)
- admin_pattern($1, dovecot_var_log_t)
@@ -22548,16 +22463,10 @@ index dbcac59..66d42bb 100644
+ admin_pattern($1, dovecot_passwd_t)
')
diff --git a/dovecot.te b/dovecot.te
-index a7bfaf0..d4a79a1 100644
+index 0aabc7e..2290915 100644
--- a/dovecot.te
+++ b/dovecot.te
-@@ -1,4 +1,4 @@
--policy_module(dovecot, 1.15.6)
-+policy_module(dovecot, 1.14.0)
-
- ########################################
- #
-@@ -7,12 +7,10 @@ policy_module(dovecot, 1.15.6)
+@@ -7,12 +7,10 @@ policy_module(dovecot, 1.16.1)
attribute dovecot_domain;
@@ -22582,7 +22491,7 @@ index a7bfaf0..d4a79a1 100644
domain_type(dovecot_deliver_t)
domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
role system_r types dovecot_deliver_t;
-@@ -42,11 +39,12 @@ type dovecot_passwd_t;
+@@ -45,11 +42,12 @@ type dovecot_passwd_t;
files_type(dovecot_passwd_t)
type dovecot_spool_t;
@@ -22596,7 +22505,7 @@ index a7bfaf0..d4a79a1 100644
type dovecot_var_lib_t;
files_type(dovecot_var_lib_t)
-@@ -56,20 +54,18 @@ logging_log_file(dovecot_var_log_t)
+@@ -59,20 +57,18 @@ logging_log_file(dovecot_var_log_t)
type dovecot_var_run_t;
files_pid_file(dovecot_var_run_t)
@@ -22622,7 +22531,7 @@ index a7bfaf0..d4a79a1 100644
corecmd_exec_bin(dovecot_domain)
corecmd_exec_shell(dovecot_domain)
-@@ -78,37 +74,46 @@ dev_read_sysfs(dovecot_domain)
+@@ -81,26 +77,34 @@ dev_read_sysfs(dovecot_domain)
dev_read_rand(dovecot_domain)
dev_read_urand(dovecot_domain)
@@ -22665,7 +22574,9 @@ index a7bfaf0..d4a79a1 100644
+
+can_exec(dovecot_t, dovecot_exec_t)
- manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
+ allow dovecot_t dovecot_keytab_t:file read_file_perms;
+
+@@ -108,12 +112,13 @@ manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
@@ -22682,7 +22593,7 @@ index a7bfaf0..d4a79a1 100644
logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir })
manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
-@@ -120,45 +125,35 @@ manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
+@@ -125,45 +130,35 @@ manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
@@ -22739,7 +22650,7 @@ index a7bfaf0..d4a79a1 100644
init_getattr_utmp(dovecot_t)
-@@ -166,44 +161,42 @@ auth_use_nsswitch(dovecot_t)
+@@ -171,45 +166,44 @@ auth_use_nsswitch(dovecot_t)
miscfiles_read_generic_certs(dovecot_t)
@@ -22771,10 +22682,11 @@ index a7bfaf0..d4a79a1 100644
')
optional_policy(`
- kerberos_keytab_template(dovecot, dovecot_t)
-- kerberos_manage_host_rcache(dovecot_t)
+ kerberos_manage_host_rcache(dovecot_t)
+ kerberos_read_keytab(dovecot_t)
- kerberos_tmp_filetrans_host_rcache(dovecot_t, file, "imap_0")
+ kerberos_tmp_filetrans_host_rcache(dovecot_t, "imap_0")
+ kerberos_use(dovecot_t)
')
optional_policy(`
@@ -22802,7 +22714,7 @@ index a7bfaf0..d4a79a1 100644
sendmail_domtrans(dovecot_t)
')
-@@ -221,46 +214,65 @@ optional_policy(`
+@@ -227,46 +221,65 @@ optional_policy(`
########################################
#
@@ -22877,7 +22789,7 @@ index a7bfaf0..d4a79a1 100644
mysql_stream_connect(dovecot_auth_t)
mysql_read_config(dovecot_auth_t)
mysql_tcp_connect(dovecot_auth_t)
-@@ -271,15 +283,30 @@ optional_policy(`
+@@ -277,15 +290,30 @@ optional_policy(`
')
optional_policy(`
@@ -22909,7 +22821,7 @@ index a7bfaf0..d4a79a1 100644
allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
-@@ -289,35 +316,43 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
+@@ -295,35 +323,43 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
@@ -22970,7 +22882,7 @@ index a7bfaf0..d4a79a1 100644
mta_read_queue(dovecot_deliver_t)
')
-@@ -326,5 +361,6 @@ optional_policy(`
+@@ -332,5 +368,6 @@ optional_policy(`
')
optional_policy(`
@@ -23120,7 +23032,7 @@ index 9a21639..26c5986 100644
')
+
diff --git a/drbd.te b/drbd.te
-index 8e5ee54..6e11edb 100644
+index f2516cc..8975946 100644
--- a/drbd.te
+++ b/drbd.te
@@ -28,7 +28,7 @@ dontaudit drbd_t self:capability sys_tty_config;
@@ -23438,7 +23350,7 @@ index 18f2452..a446210 100644
+
')
diff --git a/dspam.te b/dspam.te
-index 266cb8f..b619351 100644
+index ef62363..37c844b 100644
--- a/dspam.te
+++ b/dspam.te
@@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t)
@@ -23515,7 +23427,7 @@ index 266cb8f..b619351 100644
+ procmail_domtrans(dspam_t)
+')
diff --git a/entropyd.te b/entropyd.te
-index a0da189..d8bc9d5 100644
+index b8b8328..4608c0c 100644
--- a/entropyd.te
+++ b/entropyd.te
@@ -45,9 +45,6 @@ dev_write_urand(entropyd_t)
@@ -23549,7 +23461,7 @@ index 597f305..8520653 100644
/tmp/\.exchange-USER(/.*)? gen_context(system_u:object_r:evolution_exchange_tmp_t,s0)
diff --git a/evolution.te b/evolution.te
-index 94fb625..3742ee1 100644
+index c99e07c..ab9dd9f 100644
--- a/evolution.te
+++ b/evolution.te
@@ -168,7 +168,6 @@ dev_read_urand(evolution_t)
@@ -23594,7 +23506,7 @@ index 94fb625..3742ee1 100644
fs_search_auto_mountpoints(evolution_server_t)
diff --git a/exim.if b/exim.if
-index 6041113..ef3b449 100644
+index 9bbc690..4a8d053 100644
--- a/exim.if
+++ b/exim.if
@@ -21,35 +21,51 @@ interface(`exim_domtrans',`
@@ -23719,18 +23631,7 @@ index 6041113..ef3b449 100644
##
##
##
-@@ -225,8 +241,8 @@ interface(`exim_manage_spool_files',`
-
- ########################################
- ##
--## All of the rules required to
--## administrate an exim environment.
-+## All of the rules required to administrate
-+## an exim environment.
- ##
- ##
- ##
-@@ -238,18 +254,21 @@ interface(`exim_manage_spool_files',`
+@@ -276,7 +292,6 @@ interface(`exim_manage_var_lib_files',`
## Role allowed access.
##
##
@@ -23738,10 +23639,8 @@ index 6041113..ef3b449 100644
#
interface(`exim_admin',`
gen_require(`
-- type exim_t, exim_spool_t, exim_log_t;
-- type exim_var_run_t, exim_initrc_exec_t, exim_tmp_t;
-+ type exim_t, exim_initrc_exec_t, exim_log_t;
-+ type exim_tmp_t, exim_spool_t, exim_var_run_t;
+@@ -285,10 +300,14 @@ interface(`exim_admin',`
+ type exim_keytab_t;
')
- allow $1 exim_t:process { ptrace signal_perms };
@@ -23758,10 +23657,10 @@ index 6041113..ef3b449 100644
role_transition $2 exim_initrc_exec_t system_r;
allow $2 system_r;
diff --git a/exim.te b/exim.te
-index 19325ce..3e86b12 100644
+index 4086c51..28105d6 100644
--- a/exim.te
+++ b/exim.te
-@@ -49,7 +49,7 @@ type exim_log_t;
+@@ -55,7 +55,7 @@ type exim_log_t;
logging_log_file(exim_log_t)
type exim_spool_t;
@@ -23770,8 +23669,8 @@ index 19325ce..3e86b12 100644
type exim_tmp_t;
files_tmp_file(exim_tmp_t)
-@@ -90,11 +90,10 @@ can_exec(exim_t, exim_exec_t)
-
+@@ -105,11 +105,10 @@ can_exec(exim_t, exim_exec_t)
+ kernel_read_crypto_sysctls(exim_t)
kernel_read_kernel_sysctls(exim_t)
kernel_read_network_state(exim_t)
-kernel_dontaudit_read_system_state(exim_t)
@@ -23783,7 +23682,7 @@ index 19325ce..3e86b12 100644
corenet_all_recvfrom_netlabel(exim_t)
corenet_tcp_sendrecv_generic_if(exim_t)
corenet_udp_sendrecv_generic_if(exim_t)
-@@ -138,7 +137,6 @@ auth_use_nsswitch(exim_t)
+@@ -154,7 +153,6 @@ auth_use_nsswitch(exim_t)
logging_send_syslog_msg(exim_t)
@@ -23791,7 +23690,7 @@ index 19325ce..3e86b12 100644
miscfiles_read_generic_certs(exim_t)
userdom_dontaudit_search_user_home_dirs(exim_t)
-@@ -154,9 +152,9 @@ tunable_policy(`exim_can_connect_db',`
+@@ -170,9 +168,9 @@ tunable_policy(`exim_can_connect_db',`
corenet_sendrecv_mssql_client_packets(exim_t)
corenet_tcp_connect_mssql_port(exim_t)
corenet_tcp_sendrecv_mssql_port(exim_t)
@@ -23804,7 +23703,7 @@ index 19325ce..3e86b12 100644
')
tunable_policy(`exim_read_user_files',`
-@@ -170,8 +168,8 @@ tunable_policy(`exim_manage_user_files',`
+@@ -186,8 +184,8 @@ tunable_policy(`exim_manage_user_files',`
')
optional_policy(`
@@ -23815,7 +23714,7 @@ index 19325ce..3e86b12 100644
')
optional_policy(`
-@@ -192,11 +190,6 @@ optional_policy(`
+@@ -210,11 +208,6 @@ optional_policy(`
')
optional_policy(`
@@ -23827,7 +23726,7 @@ index 19325ce..3e86b12 100644
nagios_search_spool(exim_t)
')
-@@ -218,6 +211,7 @@ optional_policy(`
+@@ -236,6 +229,7 @@ optional_policy(`
optional_policy(`
procmail_domtrans(exim_t)
@@ -23836,7 +23735,7 @@ index 19325ce..3e86b12 100644
optional_policy(`
diff --git a/fail2ban.if b/fail2ban.if
-index 50d0084..6565422 100644
+index 50d0084..94e1936 100644
--- a/fail2ban.if
+++ b/fail2ban.if
@@ -19,57 +19,57 @@ interface(`fail2ban_domtrans',`
@@ -23926,61 +23825,99 @@ index 50d0084..6565422 100644
##
##
##
-@@ -102,51 +102,12 @@ interface(`fail2ban_rw_inherited_tmp_files',`
+@@ -102,64 +102,63 @@ interface(`fail2ban_rw_inherited_tmp_files',`
')
files_search_tmp($1)
- allow $1 fail2ban_tmp_t:file { read write };
--')
--
--########################################
--##
++ allow $1 fail2ban_tmp_t:file rw_inherited_file_perms;
+ ')
+
+ ########################################
+ ##
-## Do not audit attempts to use
-## fail2ban file descriptors.
--##
--##
--##
++## Read and write to an fail2ba unix stream socket.
+ ##
+ ##
+ ##
-## Domain to not audit.
--##
--##
--#
++## Domain allowed access.
+ ##
+ ##
+ #
-interface(`fail2ban_dontaudit_use_fds',`
-- gen_require(`
-- type fail2ban_t;
-- ')
--
++interface(`fail2ban_rw_stream_sockets',`
+ gen_require(`
+ type fail2ban_t;
+ ')
+
- dontaudit $1 fail2ban_t:fd use;
--')
--
++ allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;
+ ')
+
-########################################
--##
++#######################################
+ ##
-## Do not audit attempts to read and
-## write fail2ban unix stream sockets
--##
--##
++## Do not audit attempts to use
++## fail2ban file descriptors.
+ ##
+ ##
-##
-## Domain to not audit.
-##
--##
--#
++##
++## Domain to not audit.
++##
+ ##
+ #
-interface(`fail2ban_dontaudit_rw_stream_sockets',`
- gen_require(`
- type fail2ban_t;
- ')
--
++interface(`fail2ban_dontaudit_use_fds',`
++ gen_require(`
++ type fail2ban_t;
++ ')
+
- dontaudit $1 fail2ban_t:unix_stream_socket { read write };
-+ allow $1 fail2ban_tmp_t:file rw_inherited_file_perms;
++ dontaudit $1 fail2ban_t:fd use;
')
- ########################################
+-########################################
++#######################################
##
-## Read and write fail2ban unix
-## stream sockets.
-+## Read and write to an fail2ba unix stream socket.
++## Do not audit attempts to read and
++## write fail2ban unix stream sockets
##
##
- ##
-@@ -178,12 +139,12 @@ interface(`fail2ban_read_lib_files',`
+-##
+-## Domain allowed access.
+-##
++##
++## Domain to not audit.
++##
+ ##
+ #
+-interface(`fail2ban_rw_stream_sockets',`
+- gen_require(`
+- type fail2ban_t;
+- ')
++interface(`fail2ban_dontaudit_rw_stream_sockets',`
++ gen_require(`
++ type fail2ban_t;
++ ')
+
+- allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;
++ dontaudit $1 fail2ban_t:unix_stream_socket { read write };
+ ')
+
+ ########################################
+@@ -178,12 +177,12 @@ interface(`fail2ban_read_lib_files',`
')
files_search_var_lib($1)
@@ -23995,7 +23932,7 @@ index 50d0084..6565422 100644
##
##
##
-@@ -198,12 +159,14 @@ interface(`fail2ban_read_log',`
+@@ -198,12 +197,14 @@ interface(`fail2ban_read_log',`
')
logging_search_logs($1)
@@ -24011,7 +23948,7 @@ index 50d0084..6565422 100644
##
##
##
-@@ -217,12 +180,13 @@ interface(`fail2ban_append_log',`
+@@ -217,12 +218,13 @@ interface(`fail2ban_append_log',`
')
logging_search_logs($1)
@@ -24026,7 +23963,7 @@ index 50d0084..6565422 100644
##
##
##
-@@ -241,8 +205,28 @@ interface(`fail2ban_read_pid_files',`
+@@ -241,8 +243,28 @@ interface(`fail2ban_read_pid_files',`
########################################
##
@@ -24057,7 +23994,7 @@ index 50d0084..6565422 100644
##
##
##
-@@ -251,21 +235,25 @@ interface(`fail2ban_read_pid_files',`
+@@ -251,21 +273,25 @@ interface(`fail2ban_read_pid_files',`
##
##
##
@@ -24088,7 +24025,7 @@ index 50d0084..6565422 100644
init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 fail2ban_initrc_exec_t system_r;
-@@ -277,10 +265,10 @@ interface(`fail2ban_admin',`
+@@ -277,10 +303,10 @@ interface(`fail2ban_admin',`
files_list_pids($1)
admin_pattern($1, fail2ban_var_run_t)
@@ -24102,7 +24039,7 @@ index 50d0084..6565422 100644
fail2ban_run_client($1, $2)
diff --git a/fail2ban.te b/fail2ban.te
-index 0872e50..95bb886 100644
+index cf0e567..91d4dfb 100644
--- a/fail2ban.te
+++ b/fail2ban.te
@@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t;
@@ -24114,7 +24051,7 @@ index 0872e50..95bb886 100644
allow fail2ban_t self:fifo_file rw_fifo_file_perms;
allow fail2ban_t self:unix_stream_socket { accept connectto listen };
allow fail2ban_t self:tcp_socket { accept listen };
-@@ -65,7 +65,6 @@ kernel_read_system_state(fail2ban_t)
+@@ -67,7 +67,6 @@ kernel_read_system_state(fail2ban_t)
corecmd_exec_bin(fail2ban_t)
corecmd_exec_shell(fail2ban_t)
@@ -24122,7 +24059,7 @@ index 0872e50..95bb886 100644
corenet_all_recvfrom_netlabel(fail2ban_t)
corenet_tcp_sendrecv_generic_if(fail2ban_t)
corenet_tcp_sendrecv_generic_node(fail2ban_t)
-@@ -80,7 +79,6 @@ domain_use_interactive_fds(fail2ban_t)
+@@ -82,7 +81,6 @@ domain_use_interactive_fds(fail2ban_t)
domain_dontaudit_read_all_domains_state(fail2ban_t)
files_read_etc_runtime_files(fail2ban_t)
@@ -24130,7 +24067,7 @@ index 0872e50..95bb886 100644
files_list_var(fail2ban_t)
files_dontaudit_list_tmp(fail2ban_t)
-@@ -92,22 +90,33 @@ auth_use_nsswitch(fail2ban_t)
+@@ -94,22 +92,33 @@ auth_use_nsswitch(fail2ban_t)
logging_read_all_logs(fail2ban_t)
logging_send_syslog_msg(fail2ban_t)
@@ -24168,7 +24105,7 @@ index 0872e50..95bb886 100644
iptables_domtrans(fail2ban_t)
')
-@@ -116,6 +125,10 @@ optional_policy(`
+@@ -118,6 +127,10 @@ optional_policy(`
')
optional_policy(`
@@ -24179,7 +24116,7 @@ index 0872e50..95bb886 100644
shorewall_domtrans(fail2ban_t)
')
-@@ -129,22 +142,25 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
+@@ -131,22 +144,25 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
@@ -24210,7 +24147,7 @@ index 0872e50..95bb886 100644
userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
userdom_use_user_terminals(fail2ban_client_t)
diff --git a/fcoe.te b/fcoe.te
-index 79b9273..76b7ed5 100644
+index ce358fb..90e08d8 100644
--- a/fcoe.te
+++ b/fcoe.te
@@ -20,20 +20,20 @@ files_pid_file(fcoemon_var_run_t)
@@ -24239,7 +24176,7 @@ index 79b9273..76b7ed5 100644
logging_send_syslog_msg(fcoemon_t)
diff --git a/fetchmail.fc b/fetchmail.fc
-index 2486e2a..fef9bff 100644
+index 133b8ee..a47a12f 100644
--- a/fetchmail.fc
+++ b/fetchmail.fc
@@ -1,4 +1,5 @@
@@ -24248,12 +24185,6 @@ index 2486e2a..fef9bff 100644
/etc/fetchmailrc -- gen_context(system_u:object_r:fetchmail_etc_t,s0)
-@@ -12,4 +13,4 @@ HOME_DIR/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t,s0)
-
- /var/mail/\.fetchmail-UIDL-cache -- gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
-
--/var/run/fetchmail/.* -- gen_context(system_u:object_r:fetchmail_var_run_t,s0)
-+/var/run/fetchmail.* gen_context(system_u:object_r:fetchmail_var_run_t,s0)
diff --git a/fetchmail.if b/fetchmail.if
index c3f7916..cab3954 100644
--- a/fetchmail.if
@@ -24279,10 +24210,10 @@ index c3f7916..cab3954 100644
admin_pattern($1, fetchmail_etc_t)
diff --git a/fetchmail.te b/fetchmail.te
-index f0388cb..2e94f0e 100644
+index 742559a..a6c5c24 100644
--- a/fetchmail.te
+++ b/fetchmail.te
-@@ -32,15 +32,13 @@ files_type(fetchmail_uidl_cache_t)
+@@ -32,14 +32,17 @@ files_type(fetchmail_uidl_cache_t)
#
# Local policy
#
@@ -24294,25 +24225,13 @@ index f0388cb..2e94f0e 100644
allow fetchmail_t fetchmail_etc_t:file read_file_perms;
--read_files_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
--
- manage_dirs_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
- append_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
- create_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
-@@ -52,7 +50,12 @@ mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file)
-
- manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
- manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
--files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, dir)
-+files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, {file dir})
-+
+list_dirs_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
-+read_files_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
+ read_files_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
+userdom_search_user_home_dirs(fetchmail_t)
+userdom_search_admin_dir(fetchmail_t)
- kernel_read_kernel_sysctls(fetchmail_t)
- kernel_list_proc(fetchmail_t)
+ manage_dirs_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
+ append_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
@@ -63,7 +66,6 @@ kernel_dontaudit_read_system_state(fetchmail_t)
corecmd_exec_bin(fetchmail_t)
corecmd_exec_shell(fetchmail_t)
@@ -24349,7 +24268,7 @@ index f0388cb..2e94f0e 100644
optional_policy(`
procmail_domtrans(fetchmail_t)
diff --git a/finger.te b/finger.te
-index af4b6d7..92245bf 100644
+index 35da09d..85f1e03 100644
--- a/finger.te
+++ b/finger.te
@@ -45,7 +45,6 @@ logging_log_filetrans(fingerd_t, fingerd_log_t, file)
@@ -24396,32 +24315,31 @@ index 21d7b84..0e272bd 100644
/etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
diff --git a/firewalld.if b/firewalld.if
-index 5cf6ac6..0fc685b 100644
+index c62c567..0fc685b 100644
--- a/firewalld.if
+++ b/firewalld.if
-@@ -2,6 +2,66 @@
+@@ -2,7 +2,7 @@
########################################
##
+-## Read firewalld configuration files.
+## Read firewalld config
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -10,7 +10,7 @@
+ ##
+ ##
+ #
+-interface(`firewalld_read_config_files',`
+interface(`firewalld_read_config',`
-+ gen_require(`
-+ type firewalld_etc_rw_t;
-+ ')
-+
-+ files_search_etc($1)
-+ read_files_pattern($1, firewalld_etc_rw_t, firewalld_etc_rw_t)
-+')
-+
-+########################################
-+##
+ gen_require(`
+ type firewalld_etc_rw_t;
+ ')
+@@ -21,6 +21,47 @@ interface(`firewalld_read_config_files',`
+
+ ########################################
+ ##
+## Execute firewalld server in the firewalld domain.
+##
+##
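Review bot: The new side of this hunk replaces upstream's interface name, `-interface(`firewalld_read_config_files',` / `+interface(`firewalld_read_config',`, and the next hunk does the same for `firewalld_dontaudit_rw_tmp_files` → `firewalld_dontaudit_write_tmp_files`, so any third-party module written against the upstream names fails to build against this tree. Keeping each upstream name as a thin wrapper preserves compatibility at no policy cost, e.g. `interface(`firewalld_read_config_files',`` / `	firewalld_read_config($1)` / `')`, with the same shape for the dontaudit interface. The summary line also loses precision: `## Read firewalld config` could keep upstream's wording `## Read firewalld configuration files.`.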
@@ -24466,37 +24384,41 @@ index 5cf6ac6..0fc685b 100644
## Send and receive messages from
## firewalld over dbus.
##
-@@ -23,8 +83,27 @@ interface(`firewalld_dbus_chat',`
+@@ -42,8 +83,8 @@ interface(`firewalld_dbus_chat',`
########################################
##
--## All of the rules required to
--## administrate an firewalld environment.
+-## Do not audit attempts to read, snd
+-## write firewalld temporary files.
+## Dontaudit attempts to write
+## firewalld tmp files.
-+##
-+##
-+##
-+## Domain to not audit.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -51,18 +92,18 @@ interface(`firewalld_dbus_chat',`
+ ##
+ ##
+ #
+-interface(`firewalld_dontaudit_rw_tmp_files',`
+interface(`firewalld_dontaudit_write_tmp_files',`
-+ gen_require(`
-+ type firewalld_tmp_t;
-+ ')
-+
+ gen_require(`
+ type firewalld_tmp_t;
+ ')
+
+- dontaudit $1 firewalld_tmp_t:file { read write };
+ dontaudit $1 firewalld_tmp_t:file write;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## All of the rules required to
+-## administrate an firewalld environment.
+## All of the rules required to administrate
+## an firewalld environment
##
##
##
-@@ -45,10 +124,14 @@ interface(`firewalld_admin',`
+@@ -83,10 +124,14 @@ interface(`firewalld_admin',`
type firewalld_var_log_t;
')
@@ -24513,7 +24435,7 @@ index 5cf6ac6..0fc685b 100644
domain_system_change_exemption($1)
role_transition $2 firewalld_initrc_exec_t system_r;
allow $2 system_r;
-@@ -59,6 +142,9 @@ interface(`firewalld_admin',`
+@@ -97,6 +142,9 @@ interface(`firewalld_admin',`
logging_search_logs($1)
admin_pattern($1, firewalld_var_log_t)
@@ -24525,32 +24447,26 @@ index 5cf6ac6..0fc685b 100644
+ allow $1 firewalld_unit_file_t:service all_service_perms;
')
diff --git a/firewalld.te b/firewalld.te
-index c8014f8..bacc80c 100644
+index 98072a3..cbaf309 100644
--- a/firewalld.te
+++ b/firewalld.te
-@@ -21,11 +21,20 @@ logging_log_file(firewalld_var_log_t)
+@@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t)
+ type firewalld_tmp_t;
+ files_tmp_file(firewalld_tmp_t)
+
++type firewalld_tmpfs_t;
++files_tmpfs_file(firewalld_tmpfs_t)
++
type firewalld_var_run_t;
files_pid_file(firewalld_var_run_t)
+type firewalld_unit_file_t;
+systemd_unit_file(firewalld_unit_file_t)
+
-+type firewalld_tmp_t;
-+files_tmp_file(firewalld_tmp_t)
-+
-+type firewalld_tmpfs_t;
-+files_tmpfs_file(firewalld_tmpfs_t)
-+
########################################
#
# Local policy
- #
--
-+allow firewalld_t self:capability { dac_override net_admin };
- dontaudit firewalld_t self:capability sys_tty_config;
- allow firewalld_t self:fifo_file rw_fifo_file_perms;
- allow firewalld_t self:unix_stream_socket { accept listen };
-@@ -33,6 +42,7 @@ allow firewalld_t self:udp_socket create_socket_perms;
+@@ -37,6 +43,7 @@ allow firewalld_t self:udp_socket create_socket_perms;
manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
@@ -24558,17 +24474,13 @@ index c8014f8..bacc80c 100644
allow firewalld_t firewalld_var_log_t:file append_file_perms;
allow firewalld_t firewalld_var_log_t:file create_file_perms;
-@@ -40,11 +50,21 @@ allow firewalld_t firewalld_var_log_t:file read_file_perms;
- allow firewalld_t firewalld_var_log_t:file setattr_file_perms;
- logging_log_filetrans(firewalld_t, firewalld_var_log_t, file)
+@@ -48,8 +55,13 @@ manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t)
+ files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file)
+ allow firewalld_t firewalld_tmp_t:file mmap_file_perms;
-+manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t)
-+files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file)
-+allow firewalld_t firewalld_tmp_t:file execute;
-+
+manage_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
+fs_tmpfs_filetrans(firewalld_t, firewalld_tmpfs_t, file)
-+allow firewalld_t firewalld_tmpfs_t:file execute;
++allow firewalld_t firewalld_tmpfs_t:file mmap_file_perms;
+
manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
files_pid_filetrans(firewalld_t, firewalld_var_run_t, file)
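Review bot: The added `allow firewalld_t firewalld_tmpfs_t:file mmap_file_perms;` combines with the `manage_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)` line above it to let the domain both write and map-execute files of its own tmpfs type, because refpolicy's `mmap_file_perms` includes `execute`; the earlier revision of this patch granted `execute` explicitly, so the intent looks deliberate, but nothing in the hunk says which component needs an executable mapping. A one-line comment above the rule, e.g. `# firewalld maps files it creates on tmpfs with PROT_EXEC (TODO: name the component); a read-only perm set is not enough`, would make the write+execute grant reviewable, and if only a readable mapping is actually required the rule should be narrowed to a read-only permission set. The neighbouring `firewalld_tmp_t` context line carries the same grant but comes from upstream, not this commit.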
@@ -24576,11 +24488,7 @@ index c8014f8..bacc80c 100644
kernel_read_network_state(firewalld_t)
kernel_read_system_state(firewalld_t)
-+kernel_rw_net_sysctls(firewalld_t)
-
- corecmd_exec_bin(firewalld_t)
- corecmd_exec_shell(firewalld_t)
-@@ -53,20 +73,17 @@ dev_read_urand(firewalld_t)
+@@ -63,20 +75,17 @@ dev_search_sysfs(firewalld_t)
domain_use_interactive_fds(firewalld_t)
@@ -24606,7 +24514,7 @@ index c8014f8..bacc80c 100644
optional_policy(`
dbus_system_domain(firewalld_t, firewalld_exec_t)
-@@ -85,9 +102,17 @@ optional_policy(`
+@@ -95,6 +104,10 @@ optional_policy(`
')
optional_policy(`
@@ -24617,13 +24525,6 @@ index c8014f8..bacc80c 100644
iptables_domtrans(firewalld_t)
')
- optional_policy(`
- modutils_domtrans_insmod(firewalld_t)
- ')
-+
-+optional_policy(`
-+ NetworkManager_read_state(firewalld_t)
-+')
diff --git a/firewallgui.if b/firewallgui.if
index e6866d1..941f4ef 100644
--- a/firewallgui.if
@@ -24636,7 +24537,7 @@ index e6866d1..941f4ef 100644
+ dontaudit $1 firewallgui_t:fifo_file rw_inherited_fifo_file_perms;
')
diff --git a/firewallgui.te b/firewallgui.te
-index c5ceab1..86b8098 100644
+index 2094546..2481a97 100644
--- a/firewallgui.te
+++ b/firewallgui.te
@@ -36,8 +36,10 @@ corecmd_exec_shell(firewallgui_t)
@@ -24806,12 +24707,11 @@ index 280f875..f3a67c9 100644
##
##
diff --git a/firstboot.te b/firstboot.te
-index c12c067..a415012 100644
+index 5010f04..928215f 100644
--- a/firstboot.te
+++ b/firstboot.te
@@ -1,7 +1,7 @@
--policy_module(firstboot, 1.12.3)
-+policy_module(firstboot, 1.12.0)
+ policy_module(firstboot, 1.13.0)
gen_require(`
- class passwd { passwd chfn chsh rootok };
@@ -24943,7 +24843,7 @@ index c12c067..a415012 100644
optional_policy(`
diff --git a/fprintd.te b/fprintd.te
-index c81b6e8..34e1f1c 100644
+index 92a6479..989f63a 100644
--- a/fprintd.te
+++ b/fprintd.te
@@ -20,6 +20,7 @@ files_type(fprintd_var_lib_t)
@@ -25001,7 +24901,7 @@ index ddb75c1..44f74e6 100644
/etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
diff --git a/ftp.if b/ftp.if
-index d062080..97fb494 100644
+index 4498143..77bbcef 100644
--- a/ftp.if
+++ b/ftp.if
@@ -1,5 +1,66 @@
@@ -25071,8 +24971,8 @@ index d062080..97fb494 100644
#######################################
##
## Execute a dyntransition to run anon sftpd.
-@@ -178,8 +239,11 @@ interface(`ftp_admin',`
- type ftpd_initrc_exec_t, ftpdctl_tmp_t;
+@@ -179,8 +240,11 @@ interface(`ftp_admin',`
+ type ftpd_keytab_t;
')
- allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd }:process { ptrace signal_perms };
@@ -25084,7 +24984,7 @@ index d062080..97fb494 100644
init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
domain_system_change_exemption($1)
-@@ -203,5 +267,9 @@ interface(`ftp_admin',`
+@@ -204,5 +268,9 @@ interface(`ftp_admin',`
logging_list_logs($1)
admin_pattern($1, xferlog_t)
@@ -25095,10 +24995,10 @@ index d062080..97fb494 100644
ftp_run_ftpdctl($1, $2)
')
diff --git a/ftp.te b/ftp.te
-index e50f33c..6edd471 100644
+index 36838c2..ab0eccc 100644
--- a/ftp.te
+++ b/ftp.te
-@@ -13,7 +13,7 @@ policy_module(ftp, 1.14.1)
+@@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1)
## be labeled public_content_rw_t.
##
##
@@ -25148,10 +25048,10 @@ index e50f33c..6edd471 100644
+type ftpd_unit_file_t;
+systemd_unit_file(ftpd_unit_file_t)
+
- type ftpd_lock_t;
- files_lock_file(ftpd_lock_t)
+ type ftpd_keytab_t;
+ files_type(ftpd_keytab_t)
-@@ -179,6 +189,9 @@ allow ftpd_t ftpd_etc_t:file read_file_perms;
+@@ -184,6 +194,9 @@ allow ftpd_t ftpd_keytab_t:file read_file_perms;
allow ftpd_t ftpd_lock_t:file manage_file_perms;
files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
@@ -25161,7 +25061,7 @@ index e50f33c..6edd471 100644
manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
-@@ -201,14 +214,13 @@ logging_log_filetrans(ftpd_t, xferlog_t, file)
+@@ -206,14 +219,13 @@ logging_log_filetrans(ftpd_t, xferlog_t, file)
kernel_read_kernel_sysctls(ftpd_t)
kernel_read_system_state(ftpd_t)
@@ -25177,7 +25077,7 @@ index e50f33c..6edd471 100644
corenet_all_recvfrom_netlabel(ftpd_t)
corenet_tcp_sendrecv_generic_if(ftpd_t)
corenet_udp_sendrecv_generic_if(ftpd_t)
-@@ -224,9 +236,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
+@@ -229,9 +241,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
corenet_sendrecv_ftp_data_server_packets(ftpd_t)
corenet_tcp_bind_ftp_data_port(ftpd_t)
@@ -25191,7 +25091,7 @@ index e50f33c..6edd471 100644
files_read_etc_runtime_files(ftpd_t)
files_search_var_lib(ftpd_t)
-@@ -245,7 +260,6 @@ logging_send_audit_msgs(ftpd_t)
+@@ -250,7 +265,6 @@ logging_send_audit_msgs(ftpd_t)
logging_send_syslog_msg(ftpd_t)
logging_set_loginuid(ftpd_t)
@@ -25199,7 +25099,7 @@ index e50f33c..6edd471 100644
miscfiles_read_public_files(ftpd_t)
seutil_dontaudit_search_config(ftpd_t)
-@@ -254,32 +268,49 @@ sysnet_use_ldap(ftpd_t)
+@@ -259,32 +273,49 @@ sysnet_use_ldap(ftpd_t)
userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
userdom_dontaudit_search_user_home_dirs(ftpd_t)
@@ -25256,7 +25156,7 @@ index e50f33c..6edd471 100644
')
tunable_policy(`ftpd_use_passive_mode',`
-@@ -299,22 +330,19 @@ tunable_policy(`ftpd_connect_db',`
+@@ -304,22 +335,19 @@ tunable_policy(`ftpd_connect_db',`
corenet_sendrecv_mssql_client_packets(ftpd_t)
corenet_tcp_connect_mssql_port(ftpd_t)
corenet_tcp_sendrecv_mssql_port(ftpd_t)
@@ -25284,16 +25184,18 @@ index e50f33c..6edd471 100644
userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
')
-@@ -360,7 +388,7 @@ optional_policy(`
- selinux_validate_context(ftpd_t)
+@@ -363,9 +391,8 @@ optional_policy(`
- kerberos_keytab_template(ftpd, ftpd_t)
+ optional_policy(`
+ selinux_validate_context(ftpd_t)
+-
+ kerberos_read_keytab(ftpd_t)
- kerberos_tmp_filetrans_host_rcache(ftpd_t, file, "host_0")
-+ kerberos_tmp_filetrans_host_rcache(ftpd_t, "host_0")
++ kerberos_tmp_filetrans_host_rcache(ftpd_t, "host_0")
+ kerberos_use(ftpd_t)
')
- optional_policy(`
-@@ -410,21 +438,20 @@ optional_policy(`
+@@ -416,21 +443,20 @@ optional_policy(`
#
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
@@ -25317,7 +25219,7 @@ index e50f33c..6edd471 100644
miscfiles_read_public_files(anon_sftpd_t)
-@@ -437,23 +464,34 @@ tunable_policy(`sftpd_anon_write',`
+@@ -443,23 +469,34 @@ tunable_policy(`sftpd_anon_write',`
# Sftpd local policy
#
@@ -25358,7 +25260,7 @@ index e50f33c..6edd471 100644
')
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -475,21 +513,11 @@ tunable_policy(`sftpd_anon_write',`
+@@ -481,21 +518,11 @@ tunable_policy(`sftpd_anon_write',`
tunable_policy(`sftpd_full_access',`
allow sftpd_t self:capability { dac_override dac_read_search };
fs_read_noxattr_fs_files(sftpd_t)
@@ -25384,7 +25286,7 @@ index e50f33c..6edd471 100644
- fs_read_nfs_symlinks(ftpd_t)
-')
diff --git a/games.te b/games.te
-index 572fb12..879c59a 100644
+index e5b15fb..220622e 100644
--- a/games.te
+++ b/games.te
@@ -76,8 +76,6 @@ init_use_script_ptys(games_srv_t)
@@ -25431,7 +25333,7 @@ index 572fb12..879c59a 100644
')
diff --git a/gatekeeper.te b/gatekeeper.te
-index fc3b036..10a1bbe 100644
+index 2820368..88c98f4 100644
--- a/gatekeeper.te
+++ b/gatekeeper.te
@@ -57,7 +57,6 @@ kernel_read_kernel_sysctls(gatekeeper_t)
@@ -25459,7 +25361,7 @@ index fc3b036..10a1bbe 100644
userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t)
diff --git a/gift.te b/gift.te
-index 395238e..af76abb 100644
+index 8a820fa..996b30c 100644
--- a/gift.te
+++ b/gift.te
@@ -67,17 +67,7 @@ auth_use_nsswitch(gift_t)
@@ -25553,7 +25455,7 @@ index 1e29af1..6c64f55 100644
+ userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
+')
diff --git a/git.te b/git.te
-index 93b0301..ad8eb38 100644
+index dc49c71..2609364 100644
--- a/git.te
+++ b/git.te
@@ -49,14 +49,6 @@ gen_tunable(git_session_users, false)
@@ -25571,7 +25473,7 @@ index 93b0301..ad8eb38 100644
## Determine whether Git system daemon
## can search home directories.
##
-@@ -92,10 +84,10 @@ type git_session_t, git_daemon;
+@@ -93,10 +85,10 @@ type git_session_t, git_daemon;
userdom_user_application_domain(git_session_t, gitd_exec_t)
role git_session_roles types git_session_t;
@@ -25584,7 +25486,7 @@ index 93b0301..ad8eb38 100644
userdom_user_home_content(git_user_content_t)
########################################
-@@ -109,6 +101,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
+@@ -110,6 +102,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
userdom_search_user_home_dirs(git_session_t)
@@ -25593,7 +25495,7 @@ index 93b0301..ad8eb38 100644
corenet_all_recvfrom_netlabel(git_session_t)
corenet_all_recvfrom_unlabeled(git_session_t)
corenet_tcp_bind_generic_node(git_session_t)
-@@ -129,9 +123,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',`
+@@ -130,9 +124,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',`
corenet_tcp_sendrecv_all_ports(git_session_t)
')
@@ -25604,19 +25506,17 @@ index 93b0301..ad8eb38 100644
tunable_policy(`use_nfs_home_dirs',`
fs_getattr_nfs(git_session_t)
-@@ -157,6 +149,11 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -158,6 +150,9 @@ tunable_policy(`use_samba_home_dirs',`
list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
+kernel_read_network_state(git_system_t)
+kernel_read_system_state(git_system_t)
+
-+corenet_tcp_bind_git_port(git_system_t)
-+
- files_search_var_lib(git_system_t)
-
- auth_use_nsswitch(git_system_t)
-@@ -255,12 +252,9 @@ tunable_policy(`git_cgi_use_nfs',`
+ corenet_all_recvfrom_unlabeled(git_system_t)
+ corenet_all_recvfrom_netlabel(git_system_t)
+ corenet_tcp_sendrecv_generic_if(git_system_t)
+@@ -266,12 +261,9 @@ tunable_policy(`git_cgi_use_nfs',`
allow git_daemon self:fifo_file rw_fifo_file_perms;
@@ -25631,7 +25531,7 @@ index 93b0301..ad8eb38 100644
-miscfiles_read_localization(git_daemon)
diff --git a/gitosis.te b/gitosis.te
-index 3194b76..d3acb1a 100644
+index 582db0a..d77a1a5 100644
--- a/gitosis.te
+++ b/gitosis.te
@@ -52,12 +52,8 @@ corecmd_exec_shell(gitosis_t)
@@ -25711,10 +25611,10 @@ index 9eacb2c..229782f 100644
init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
domain_system_change_exemption($1)
diff --git a/glance.te b/glance.te
-index e0a4f46..16dcb5b 100644
+index 5cd0909..337e872 100644
--- a/glance.te
+++ b/glance.te
-@@ -7,8 +7,7 @@ policy_module(glance, 1.0.2)
+@@ -7,8 +7,7 @@ policy_module(glance, 1.1.0)
attribute glance_domain;
@@ -26000,11 +25900,11 @@ index 0000000..1ed97fe
+
diff --git a/glusterd.te b/glusterd.te
new file mode 100644
-index 0000000..ac74fc9
+index 0000000..a3bdd8d
--- /dev/null
+++ b/glusterd.te
-@@ -0,0 +1,188 @@
-+policy_module(glusterfs, 1.0.1)
+@@ -0,0 +1,189 @@
++policy_module(glusterfs, 1.1.2)
+
+##
+##
@@ -26094,6 +25994,7 @@ index 0000000..ac74fc9
+manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+#manage_sock_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)
++relabel_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+
+can_exec(glusterd_t, glusterd_exec_t)
+
@@ -26293,11 +26194,11 @@ index 05233c8..0000000
-')
diff --git a/glusterfs.te b/glusterfs.te
deleted file mode 100644
-index fd02acc..0000000
+index 4e95c7e..0000000
--- a/glusterfs.te
+++ /dev/null
-@@ -1,102 +0,0 @@
--policy_module(glusterfs, 1.0.1)
+@@ -1,105 +0,0 @@
+-policy_module(glusterfs, 1.1.2)
-
-########################################
-#
@@ -26324,7 +26225,7 @@ index fd02acc..0000000
-files_pid_file(glusterd_var_run_t)
-
-type glusterd_var_lib_t;
--files_type(glusterd_var_lib_t);
+-files_type(glusterd_var_lib_t)
-
-########################################
-#
@@ -26354,7 +26255,8 @@ index fd02acc..0000000
-
-manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
-manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
--files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file })
+-manage_sock_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+-files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file sock_file })
-
-manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
-manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
@@ -26390,6 +26292,8 @@ index fd02acc..0000000
-dev_read_sysfs(glusterd_t)
-dev_read_urand(glusterd_t)
-
+-domain_read_all_domains_state(glusterd_t)
+-
-domain_use_interactive_fds(glusterd_t)
-
-files_read_usr_files(glusterd_t)
@@ -26472,25 +26376,25 @@ index e39de43..5818f74 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/gnome.if b/gnome.if
-index d03fd43..0e04529 100644
+index ab09d61..4b2e5f6 100644
--- a/gnome.if
+++ b/gnome.if
-@@ -1,123 +1,157 @@
+@@ -1,52 +1,77 @@
-## GNU network object model environment.
+## GNU network object model environment (GNOME)
-########################################
-+###########################################################
++#######################################
##
-## Role access for gnome. (Deprecated)
-+## Role access for gnome
++## Role access for gnome. (Deprecated)
##
##
-##
-## Role allowed access.
-##
+##
-+## Role allowed access
++## Role allowed access.
+##
##
##
@@ -26498,181 +26402,166 @@ index d03fd43..0e04529 100644
-## User domain for the role.
-##
+##
-+## User domain for the role
++## User domain for the role.
+##
##
#
interface(`gnome_role',`
- refpolicywarn(`$0($*) has been deprecated')
-+ gen_require(`
-+ type gconfd_t, gconfd_exec_t;
-+ type gconf_tmp_t;
++ refpolicywarn(`$0($*) has been deprecated')
+ ')
+
-+ role $1 types gconfd_t;
-+
-+ domain_auto_trans($2, gconfd_exec_t, gconfd_t)
-+ allow gconfd_t $2:fd use;
-+ allow gconfd_t $2:fifo_file write;
-+ allow gconfd_t $2:unix_stream_socket connectto;
-+
-+ ps_process_pattern($2, gconfd_t)
-+
-+ #gnome_stream_connect_gconf_template($1, $2)
-+ read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)
-+ allow $2 gconfd_t:unix_stream_socket connectto;
++######################################
++##
++## The role template for the gnome-keyring-daemon.
++##
++##
++##
++## The user prefix.
++##
++##
++##
++##
++## The user role.
++##
++##
++##
++##
++## The user domain associated with the role.
++##
++##
++#
++interface(`gnome_role_gkeyringd',`
++ refpolicywarn(`$0($*) has been deprecated')
')
-#######################################
+######################################
##
-## The role template for gnome.
-+## The role template for the gnome-keyring-daemon.
++## The role template for gnome.
##
--##
+ ##
-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-+##
-+##
-+## The user prefix.
-+##
++##
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++##
##
##
-##
-## The role associated with the user domain.
-##
-+##
-+## The user role.
-+##
++##
++## The role associated with the user domain.
++##
##
##
-##
-## The type of the user domain.
-##
-+##
-+## The user domain associated with the role.
-+##
++##
++## The type of the user domain.
++##
##
#
--template(`gnome_role_template',`
+ template(`gnome_role_template',`
- gen_require(`
-- attribute gnomedomain, gkeyringd_domain;
-- attribute_role gconfd_roles;
++ gen_require(`
+ attribute gnomedomain, gkeyringd_domain;
+ attribute_role gconfd_roles;
- type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t;
-- type gconfd_t, gconfd_exec_t, gconf_tmp_t;
-- type gconf_home_t;
-- ')
--
-- ########################################
-- #
-- # Gconf declarations
-- #
--
-- roleattribute $2 gconfd_roles;
--
-- ########################################
-- #
-- # Gkeyringd declarations
-- #
-+interface(`gnome_role_gkeyringd',`
-+ gen_require(`
-+ attribute gkeyringd_domain;
-+ attribute gnomedomain;
-+ type gnome_home_t;
-+ type gkeyringd_exec_t, gkeyringd_tmp_t, gkeyringd_gnome_home_t;
-+ class dbus send_msg;
-+ ')
-
- type $1_gkeyringd_t, gnomedomain, gkeyringd_domain;
-- userdom_user_application_domain($1_gkeyringd_t, gkeyringd_exec_t)
-+ typealias $1_gkeyringd_t alias gkeyringd_$1_t;
-+ application_domain($1_gkeyringd_t, gkeyringd_exec_t)
-+ ubac_constrained($1_gkeyringd_t)
- domain_user_exemption_target($1_gkeyringd_t)
-
-+ userdom_home_manager($1_gkeyringd_t)
-+
- role $2 types $1_gkeyringd_t;
-
-- ########################################
-- #
-- # Gconf policy
-- #
-+ domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
-
-- domtrans_pattern($3, gconfd_exec_t, gconfd_t)
-+ allow $3 gkeyringd_gnome_home_t:dir { relabel_dir_perms manage_dir_perms };
-+ allow $3 gkeyringd_gnome_home_t:file { relabel_file_perms manage_file_perms };
++ type gkeyringd_exec_t, gkeyring_gnome_home_t, gkeyring_tmp_t;
+ type gconfd_t, gconfd_exec_t, gconf_tmp_t;
+ type gconf_home_t;
++ class dbus send_msg;
+ ')
-- allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
-- allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms };
-- userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf")
-- userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd")
-+ allow $3 gkeyringd_tmp_t:dir { relabel_dir_perms manage_dir_perms };
-+ allow $3 gkeyringd_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
+ ########################################
+@@ -79,9 +104,11 @@ template(`gnome_role_template',`
+ userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf")
+ userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd")
- allow $3 gconfd_t:process { ptrace signal_perms };
-- ps_process_pattern($3, gconfd_t)
-+ corecmd_bin_domtrans($1_gkeyringd_t, $1_t)
-+ corecmd_shell_domtrans($1_gkeyringd_t, $1_t)
-+ allow $1_gkeyringd_t $3:process sigkill;
-+ allow $3 $1_gkeyringd_t:fd use;
-+ allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms;
-+ dontaudit $1_gkeyringd_t $3:unix_stream_socket { getattr read write };
++ allow $3 gconfd_t:process { signal_perms };
++ allow $3 gconfd_t:unix_stream_socket connectto;
+ ps_process_pattern($3, gconfd_t)
-- ########################################
-- #
-- # Gkeyringd policy
-- #
++
+ ########################################
+ #
+ # Gkeyringd policy
+@@ -89,37 +116,91 @@ template(`gnome_role_template',`
-- domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
-+ kernel_read_system_state($1_gkeyringd_t)
+ domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
- allow $3 { gnome_home_t gnome_keyring_home_t gnome_keyring_tmp_t }:dir { relabel_dir_perms manage_dir_perms };
- allow $3 { gnome_home_t gnome_keyring_home_t }:file { relabel_file_perms manage_file_perms };
-+ ps_process_pattern($1_gkeyringd_t, $3)
++ allow $3 { gnome_home_t gkeyring_gnome_home_t gkeyring_tmp_t }:dir { relabel_dir_perms manage_dir_perms };
++ allow $3 { gnome_home_t gkeyring_gnome_home_t }:file { relabel_file_perms manage_file_perms };
- userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome")
- userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2")
- userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2_private")
--
++ userdom_home_manager($1_gkeyringd_t)
+
- gnome_home_filetrans($3, gnome_keyring_home_t, dir, "keyrings")
-+ auth_use_nsswitch($1_gkeyringd_t)
++ gnome_home_dir_filetrans($3, gnome_home_t, ".gnome")
++ gnome_home_dir_filetrans($3, gnome_home_t, ".gnome2")
++ gnome_home_dir_filetrans($3, gnome_home_t, ".gnome2_private")
++ gnome_home_dir_filetrans($3, gkeyring_gnome_home_t, "keyrings")
- allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
-+ logging_send_syslog_msg($1_gkeyringd_t)
++ allow $3 gkeyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
ps_process_pattern($3, $1_gkeyringd_t)
- allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
--
-- corecmd_bin_domtrans($1_gkeyringd_t, $3)
-- corecmd_shell_domtrans($1_gkeyringd_t, $3)
+ allow $3 $1_gkeyringd_t:process signal_perms;
+ dontaudit $3 gkeyringd_exec_t:file entrypoint;
-
-- gnome_stream_connect_gkeyringd($1, $3)
++
++ allow $1_gkeyringd_t $3:process sigkill;
++ allow $3 $1_gkeyringd_t:fd use;
++ allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms;
++
++ dontaudit $1_gkeyringd_t $3:unix_stream_socket { getattr read write };
+ stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
++
++ kernel_read_system_state($1_gkeyringd_t)
+
+ corecmd_bin_domtrans($1_gkeyringd_t, $3)
+ corecmd_shell_domtrans($1_gkeyringd_t, $3)
+- gnome_stream_connect_gkeyringd($1, $3)
++ gnome_stream_connect_gkeyringd($3)
++
++ ps_process_pattern($1_gkeyringd_t, $3)
++
++ auth_use_nsswitch($1_gkeyringd_t)
++
++ logging_send_syslog_msg($1_gkeyringd_t)
++
+ allow $1_gkeyringd_t $3:dbus send_msg;
+ allow $3 $1_gkeyringd_t:dbus send_msg;
+
optional_policy(`
- dbus_spec_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
-+ dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
++ dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
+ dbus_session_bus_client($1_gkeyringd_t)
+ gnome_manage_generic_home_dirs($1_gkeyringd_t)
+ gnome_read_generic_data_home_files($1_gkeyringd_t)
+ gnome_read_generic_data_home_dirs($1_gkeyringd_t)
-+
-+ optional_policy(`
+
+ optional_policy(`
+- gnome_dbus_chat_gkeyringd($1, $3)
+ telepathy_mission_control_read_state($1_gkeyringd_t)
+ telepathy_gabble_stream_connect_to($1_gkeyringd_t,gkeyringd_tmp_t,gkeyringd_tmp_t)
-+ ')
-+ ')
-+')
+ ')
+ ')
+ ')
-- gnome_dbus_chat_gkeyringd($1, $3)
+#######################################
+##
+## Allow domain to run gkeyring in the $1_gkeyringd_t domain.
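Review bot: In the rewritten `gnome_role_template`, the `gen_require` block declares `gkeyring_tmp_t` (`type gkeyringd_exec_t, gkeyring_gnome_home_t, gkeyring_tmp_t;`) and the sock_file rule uses that name, but `stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)` and the `telepathy_gabble_stream_connect_to($1_gkeyringd_t,gkeyringd_tmp_t,gkeyringd_tmp_t)` call in the same template still use `gkeyringd_tmp_t`, which the template does not require. Unless gnome.te in this tree declares both names or a typealias between them, the template either fails to build or grants the socket connect on a different type than the sock_file rule covers; pick one name and use it consistently in the require, the sock_file allow and both connect calls. Narrowing `allow $3 gconfd_t:process` from `{ ptrace signal_perms }` to `{ signal_perms }` in this hunk is a least-privilege tightening worth a mention in the commit message.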
@@ -26697,11 +26586,11 @@ index d03fd43..0e04529 100644
+ gen_require(`
+ type $1_gkeyringd_t;
+ type gkeyringd_exec_t;
- ')
++ ')
+ role $2 types $1_gkeyringd_t;
+ domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
- ')
-
++')
++
########################################
##
-## Execute gconf in the caller domain.
@@ -26709,7 +26598,7 @@ index d03fd43..0e04529 100644
##
##
##
-@@ -125,18 +159,18 @@ template(`gnome_role_template',`
+@@ -127,18 +208,18 @@ template(`gnome_role_template',`
##
##
#
@@ -26733,7 +26622,7 @@ index d03fd43..0e04529 100644
##
##
##
-@@ -144,119 +178,114 @@ interface(`gnome_exec_gconf',`
+@@ -146,119 +227,114 @@ interface(`gnome_exec_gconf',`
##
##
#
@@ -26890,7 +26779,7 @@ index d03fd43..0e04529 100644
##
##
##
-@@ -264,15 +293,21 @@ interface(`gnome_create_generic_home_dirs',`
+@@ -266,15 +342,21 @@ interface(`gnome_create_generic_home_dirs',`
##
##
#
@@ -26917,7 +26806,7 @@ index d03fd43..0e04529 100644
##
##
##
-@@ -280,57 +315,89 @@ interface(`gnome_setattr_config_dirs',`
+@@ -282,57 +364,89 @@ interface(`gnome_setattr_config_dirs',`
##
##
#
@@ -27025,7 +26914,7 @@ index d03fd43..0e04529 100644
##
##
##
-@@ -338,15 +405,18 @@ interface(`gnome_read_generic_home_content',`
+@@ -340,15 +454,18 @@ interface(`gnome_read_generic_home_content',`
##
##
#
@@ -27049,7 +26938,7 @@ index d03fd43..0e04529 100644
##
##
##
-@@ -354,22 +424,18 @@ interface(`gnome_manage_config',`
+@@ -356,22 +473,18 @@ interface(`gnome_manage_config',`
##
##
#
@@ -27077,7 +26966,7 @@ index d03fd43..0e04529 100644
##
##
##
-@@ -377,53 +443,37 @@ interface(`gnome_manage_generic_home_content',`
+@@ -379,53 +492,37 @@ interface(`gnome_manage_generic_home_content',`
##
##
#
@@ -27139,7 +27028,7 @@ index d03fd43..0e04529 100644
##
##
##
-@@ -431,17 +481,18 @@ interface(`gnome_home_filetrans',`
+@@ -433,17 +530,18 @@ interface(`gnome_home_filetrans',`
##
##
#
@@ -27162,7 +27051,7 @@ index d03fd43..0e04529 100644
##
##
##
-@@ -449,23 +500,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
+@@ -451,23 +549,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
##
##
#
@@ -27190,7 +27079,7 @@ index d03fd43..0e04529 100644
##
##
##
-@@ -473,82 +519,73 @@ interface(`gnome_read_generic_gconf_home_content',`
+@@ -475,82 +568,73 @@ interface(`gnome_read_generic_gconf_home_content',`
##
##
#
@@ -27297,7 +27186,7 @@ index d03fd43..0e04529 100644
##
##
##
-@@ -557,52 +594,77 @@ interface(`gnome_home_filetrans_gconf_home',`
+@@ -559,52 +643,77 @@ interface(`gnome_home_filetrans_gconf_home',`
##
##
#
@@ -27396,7 +27285,7 @@ index d03fd43..0e04529 100644
##
##
##
-@@ -610,93 +672,126 @@ interface(`gnome_gconf_home_filetrans',`
+@@ -612,93 +721,86 @@ interface(`gnome_gconf_home_filetrans',`
##
##
#
@@ -27489,41 +27378,52 @@ index d03fd43..0e04529 100644
+## inherited gconf config files.
##
-##
-+##
- ##
+-##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
+-##
+-##
+ ##
+ ##
+-## Domain allowed access.
+## Domain to not audit.
##
##
-+#
+ #
+-interface(`gnome_stream_connect_gkeyringd',`
+interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
-+ gen_require(`
+ gen_require(`
+- type $1_gkeyringd_t, gnome_keyring_tmp_t;
+ type gconf_etc_t;
-+ ')
-+
+ ')
+
+- files_search_tmp($2)
+- stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t)
+ dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Connect to all gnome keyring daemon
+-## with a unix stream socket.
+## read gconf config files
-+##
+ ##
##
##
- ## Domain allowed access.
+@@ -706,12 +808,912 @@ interface(`gnome_stream_connect_gkeyringd',`
##
##
#
--interface(`gnome_stream_connect_gkeyringd',`
+-interface(`gnome_stream_connect_all_gkeyringd',`
+interface(`gnome_read_gconf_config',`
gen_require(`
-- type $1_gkeyringd_t, gnome_keyring_tmp_t;
+- attribute gkeyringd_domain;
+- type gnome_keyring_tmp_t;
+ type gconf_etc_t;
')
-- files_search_tmp($2)
-- stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t)
+- files_search_tmp($1)
+- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
+ allow $1 gconf_etc_t:dir list_dir_perms;
+ read_files_pattern($1, gconf_etc_t, gconf_etc_t)
+ files_search_etc($1)
@@ -27546,22 +27446,19 @@ index d03fd43..0e04529 100644
+
+ allow $1 gconf_etc_t:dir list_dir_perms;
+ manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
- ')
-
- ########################################
- ##
--## Connect to all gnome keyring daemon
--## with a unix stream socket.
++')
++
++########################################
++##
+## Execute gconf programs in
+## in the caller domain.
- ##
- ##
- ##
-@@ -704,12 +799,872 @@ interface(`gnome_stream_connect_gkeyringd',`
- ##
- ##
- #
--interface(`gnome_stream_connect_all_gkeyringd',`
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
+interface(`gnome_exec_gconf',`
+ gen_require(`
+ type gconfd_exec_t;
@@ -28156,14 +28053,11 @@ index d03fd43..0e04529 100644
+##
+#
+interface(`gnome_dbus_chat_gkeyringd',`
- gen_require(`
- attribute gkeyringd_domain;
-- type gnome_keyring_tmp_t;
++ gen_require(`
++ attribute gkeyringd_domain;
+ class dbus send_msg;
- ')
-
-- files_search_tmp($1)
-- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
++ ')
++
+ allow $1 gkeyringd_domain:dbus send_msg;
+ allow gkeyringd_domain $1:dbus send_msg;
+')
@@ -28435,23 +28329,18 @@ index d03fd43..0e04529 100644
+ type_transition $1 gkeyringd_exec_t:process $2;
')
diff --git a/gnome.te b/gnome.te
-index 20f726b..c6ff2a1 100644
+index 63893eb..3b275e6 100644
--- a/gnome.te
+++ b/gnome.te
-@@ -1,18 +1,36 @@
--policy_module(gnome, 2.2.5)
-+policy_module(gnome, 2.2.0)
-
- ##############################
- #
+@@ -5,14 +5,33 @@ policy_module(gnome, 2.3.0)
# Declarations
#
-attribute gkeyringd_domain;
attribute gnomedomain;
--attribute_role gconfd_roles;
+attribute gnome_home_type;
+attribute gkeyringd_domain;
+ attribute_role gconfd_roles;
type gconf_etc_t;
files_config_file(gconf_etc_t)
@@ -28479,11 +28368,9 @@ index 20f726b..c6ff2a1 100644
typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
typealias gconf_home_t alias unconfined_gconf_home_t;
-@@ -29,107 +47,226 @@ type gconfd_exec_t;
- typealias gconfd_t alias { user_gconfd_t staff_gconfd_t sysadm_gconfd_t };
- typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
+@@ -31,105 +50,225 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
userdom_user_application_domain(gconfd_t, gconfd_exec_t)
--role gconfd_roles types gconfd_t;
+ role gconfd_roles types gconfd_t;
-type gnome_home_t;
+type gnome_home_t, gnome_home_type;
@@ -28755,21 +28642,22 @@ index 20f726b..c6ff2a1 100644
+
+userdom_use_inherited_user_terminals(gnomedomain)
diff --git a/gnomeclock.fc b/gnomeclock.fc
-index b687443..e4c1b83 100644
+index f9ba8cd..6906301 100644
--- a/gnomeclock.fc
+++ b/gnomeclock.fc
-@@ -1,5 +1,9 @@
+@@ -1,7 +1,10 @@
+/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+
/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
-/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
-+
+
+-/usr/libexec/kde(3|4)/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+/usr/libexec/kde3/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+/usr/libexec/kde4/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
--/usr/libexec/kde(3|4)/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
+ /usr/lib/gnome-settings-daemon/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
diff --git a/gnomeclock.if b/gnomeclock.if
index 3f55702..25c7ab8 100644
--- a/gnomeclock.if
@@ -28829,15 +28717,10 @@ index 3f55702..25c7ab8 100644
##
##
diff --git a/gnomeclock.te b/gnomeclock.te
-index 6d79eb5..c728009 100644
+index 7cd7435..79bff0d 100644
--- a/gnomeclock.te
+++ b/gnomeclock.te
-@@ -1,86 +1,99 @@
--policy_module(gnomeclock, 1.0.5)
-+policy_module(gnomeclock, 1.0.0)
-
- ########################################
- #
+@@ -5,82 +5,95 @@ policy_module(gnomeclock, 1.1.0)
# Declarations
#
@@ -28986,10 +28869,10 @@ index 888cd2c..c02fa56 100644
-/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
+/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
diff --git a/gpg.if b/gpg.if
-index 180f1b7..951b790 100644
+index 180f1b7..3c8757e 100644
--- a/gpg.if
+++ b/gpg.if
-@@ -2,57 +2,75 @@
+@@ -2,57 +2,79 @@
############################################################
##
@@ -29015,6 +28898,7 @@ index 180f1b7..951b790 100644
- type gpg_t, gpg_exec_t, gpg_agent_t;
- type gpg_agent_exec_t, gpg_agent_tmp_t, gpg_helper_t;
- type gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_secret_t;
++ attribute_role gpg_roles, gpg_agent_roles, gpg_helper_roles, gpg_pinentry_roles;
+ type gpg_t, gpg_exec_t;
+ type gpg_agent_t, gpg_agent_exec_t;
+ type gpg_agent_tmp_t;
@@ -29026,7 +28910,10 @@ index 180f1b7..951b790 100644
- roleattribute $1 gpg_agent_roles;
- roleattribute $1 gpg_helper_roles;
- roleattribute $1 gpg_pinentry_roles;
-+ role $1 types { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t };
++ roleattribute $1 gpg_roles;
++ roleattribute $1 gpg_agent_roles;
++ roleattribute $1 gpg_helper_roles;
++ roleattribute $1 gpg_pinentry_roles;
+ # transition from the userdomain to the derived domain
domtrans_pattern($2, gpg_exec_t, gpg_t)
@@ -29088,7 +28975,7 @@ index 180f1b7..951b790 100644
##
##
##
-@@ -65,13 +83,12 @@ interface(`gpg_domtrans',`
+@@ -65,13 +87,12 @@ interface(`gpg_domtrans',`
type gpg_t, gpg_exec_t;
')
@@ -29104,7 +28991,7 @@ index 180f1b7..951b790 100644
##
##
##
-@@ -88,76 +105,46 @@ interface(`gpg_exec',`
+@@ -88,76 +109,46 @@ interface(`gpg_exec',`
can_exec($1, gpg_exec_t)
')
@@ -29200,7 +29087,7 @@ index 180f1b7..951b790 100644
##
##
##
-@@ -175,7 +162,7 @@ interface(`gpg_signal',`
+@@ -175,7 +166,7 @@ interface(`gpg_signal',`
########################################
##
@@ -29209,7 +29096,7 @@ index 180f1b7..951b790 100644
##
##
##
-@@ -184,6 +171,7 @@ interface(`gpg_signal',`
+@@ -184,6 +175,7 @@ interface(`gpg_signal',`
##
#
interface(`gpg_rw_agent_pipes',`
@@ -29217,7 +29104,7 @@ index 180f1b7..951b790 100644
gen_require(`
type gpg_agent_t;
')
-@@ -193,8 +181,8 @@ interface(`gpg_rw_agent_pipes',`
+@@ -193,8 +185,8 @@ interface(`gpg_rw_agent_pipes',`
########################################
##
@@ -29228,7 +29115,7 @@ index 180f1b7..951b790 100644
##
##
##
-@@ -214,7 +202,7 @@ interface(`gpg_pinentry_dbus_chat',`
+@@ -214,7 +206,7 @@ interface(`gpg_pinentry_dbus_chat',`
########################################
##
@@ -29237,7 +29124,7 @@ index 180f1b7..951b790 100644
##
##
##
-@@ -230,3 +218,39 @@ interface(`gpg_list_user_secrets',`
+@@ -230,3 +222,39 @@ interface(`gpg_list_user_secrets',`
list_dirs_pattern($1, gpg_secret_t, gpg_secret_t)
userdom_search_user_home_dirs($1)
')
@@ -29278,41 +29165,39 @@ index 180f1b7..951b790 100644
+ userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
+')
diff --git a/gpg.te b/gpg.te
-index 44cf341..8aa9dd9 100644
+index 0e97e82..edabe2e 100644
--- a/gpg.te
+++ b/gpg.te
-@@ -1,47 +1,47 @@
--policy_module(gpg, 2.7.3)
-+policy_module(gpg, 2.6.0)
-
- ########################################
+@@ -4,15 +4,7 @@ policy_module(gpg, 2.8.0)
#
# Declarations
#
-+attribute gpgdomain;
-
- ##
+-
+-##
-##
-## Determine whether GPG agent can manage
-## generic user home content files. This is
-## required by the --write-env-file option.
-##
+-##
+-gen_tunable(gpg_agent_env_file, false)
++attribute gpgdomain;
+
+ attribute_role gpg_roles;
+ roleattribute system_r gpg_roles;
+@@ -24,7 +16,23 @@ roleattribute system_r gpg_helper_roles;
+
+ attribute_role gpg_pinentry_roles;
+
+-type gpg_t;
++##
+##
+## Allow usage of the gpg-agent --write-env-file option.
+## This also allows gpg-agent to manage user files.
+##
- ##
- gen_tunable(gpg_agent_env_file, false)
-
--attribute_role gpg_roles;
--roleattribute system_r gpg_roles;
--
--attribute_role gpg_agent_roles;
--
--attribute_role gpg_helper_roles;
--roleattribute system_r gpg_helper_roles;
--
--attribute_role gpg_pinentry_roles;
++##
++gen_tunable(gpg_agent_env_file, false)
++
+##
+##
+## Allow gpg web domain to modify public files
@@ -29320,73 +29205,24 @@ index 44cf341..8aa9dd9 100644
+##
+##
+gen_tunable(gpg_web_anon_write, false)
-
--type gpg_t;
++
+type gpg_t, gpgdomain;
type gpg_exec_t;
typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t };
typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
--userdom_user_application_domain(gpg_t, gpg_exec_t)
--role gpg_roles types gpg_t;
-+application_domain(gpg_t, gpg_exec_t)
-+ubac_constrained(gpg_t)
-+role system_r types gpg_t;
-
- type gpg_agent_t;
- type gpg_agent_exec_t;
- typealias gpg_agent_t alias { user_gpg_agent_t staff_gpg_agent_t sysadm_gpg_agent_t };
- typealias gpg_agent_t alias { auditadm_gpg_agent_t secadm_gpg_agent_t };
--userdom_user_application_domain(gpg_agent_t, gpg_agent_exec_t)
--role gpg_agent_roles types gpg_agent_t;
-+application_domain(gpg_agent_t, gpg_agent_exec_t)
-+ubac_constrained(gpg_agent_t)
-
- type gpg_agent_tmp_t;
- typealias gpg_agent_tmp_t alias { user_gpg_agent_tmp_t staff_gpg_agent_tmp_t sysadm_gpg_agent_tmp_t };
- typealias gpg_agent_tmp_t alias { auditadm_gpg_agent_tmp_t secadm_gpg_agent_tmp_t };
--userdom_user_tmp_file(gpg_agent_tmp_t)
-+files_tmp_file(gpg_agent_tmp_t)
-+ubac_constrained(gpg_agent_tmp_t)
-
- type gpg_secret_t;
- typealias gpg_secret_t alias { user_gpg_secret_t staff_gpg_secret_t sysadm_gpg_secret_t };
-@@ -52,112 +52,116 @@ type gpg_helper_t;
- type gpg_helper_exec_t;
- typealias gpg_helper_t alias { user_gpg_helper_t staff_gpg_helper_t sysadm_gpg_helper_t };
- typealias gpg_helper_t alias { auditadm_gpg_helper_t secadm_gpg_helper_t };
--userdom_user_application_domain(gpg_helper_t, gpg_helper_exec_t)
--role gpg_helper_roles types gpg_helper_t;
-+application_domain(gpg_helper_t, gpg_helper_exec_t)
-+ubac_constrained(gpg_helper_t)
-+role system_r types gpg_helper_t;
-
- type gpg_pinentry_t;
- type pinentry_exec_t;
- typealias gpg_pinentry_t alias { user_gpg_pinentry_t staff_gpg_pinentry_t sysadm_gpg_pinentry_t };
- typealias gpg_pinentry_t alias { auditadm_gpg_pinentry_t secadm_gpg_pinentry_t };
--userdom_user_application_domain(gpg_pinentry_t, pinentry_exec_t)
--role gpg_pinentry_roles types gpg_pinentry_t;
-+application_domain(gpg_pinentry_t, pinentry_exec_t)
-+ubac_constrained(gpg_pinentry_t)
-
- type gpg_pinentry_tmp_t;
--userdom_user_tmp_file(gpg_pinentry_tmp_t)
-+files_tmp_file(gpg_pinentry_tmp_t)
-+ubac_constrained(gpg_pinentry_tmp_t)
-
- type gpg_pinentry_tmpfs_t;
--userdom_user_tmpfs_file(gpg_pinentry_tmpfs_t)
-+files_tmpfs_file(gpg_pinentry_tmpfs_t)
-+ubac_constrained(gpg_pinentry_tmpfs_t)
+@@ -69,95 +77,100 @@ type gpg_pinentry_tmpfs_t;
+ userdom_user_tmpfs_file(gpg_pinentry_tmpfs_t)
--optional_policy(`
+ optional_policy(`
- pulseaudio_tmpfs_content(gpg_pinentry_tmpfs_t)
--')
++ pulseaudio_tmpfs_content(gpg_pinentry_tmpfs_t)
+ ')
+
+type gpg_web_t;
+domain_type(gpg_web_t)
+gpg_entry_type(gpg_web_t)
+role system_r types gpg_web_t;
-
++
########################################
#
-# Local policy
@@ -29516,7 +29352,7 @@ index 44cf341..8aa9dd9 100644
')
optional_policy(`
-@@ -165,37 +169,51 @@ optional_policy(`
+@@ -165,37 +178,51 @@ optional_policy(`
')
optional_policy(`
@@ -29579,7 +29415,7 @@ index 44cf341..8aa9dd9 100644
tunable_policy(`use_nfs_home_dirs',`
fs_dontaudit_rw_nfs_files(gpg_helper_t)
-@@ -207,29 +225,35 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -207,29 +234,35 @@ tunable_policy(`use_samba_home_dirs',`
########################################
#
@@ -29621,7 +29457,7 @@ index 44cf341..8aa9dd9 100644
corecmd_exec_shell(gpg_agent_t)
dev_read_rand(gpg_agent_t)
-@@ -239,37 +263,40 @@ domain_use_interactive_fds(gpg_agent_t)
+@@ -239,37 +272,40 @@ domain_use_interactive_fds(gpg_agent_t)
fs_dontaudit_list_inotifyfs(gpg_agent_t)
@@ -29674,7 +29510,7 @@ index 44cf341..8aa9dd9 100644
##############################
#
# Pinentry local policy
-@@ -277,8 +304,17 @@ optional_policy(`
+@@ -277,8 +313,17 @@ optional_policy(`
allow gpg_pinentry_t self:process { getcap getsched setsched signal };
allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
@@ -29693,7 +29529,7 @@ index 44cf341..8aa9dd9 100644
manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)
-@@ -287,53 +323,89 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
+@@ -287,53 +332,86 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
@@ -29765,11 +29601,8 @@ index 44cf341..8aa9dd9 100644
+')
+
+optional_policy(`
-+ pulseaudio_exec(gpg_pinentry_t)
-+ pulseaudio_rw_home_files(gpg_pinentry_t)
-+ pulseaudio_setattr_home_dir(gpg_pinentry_t)
++ pulseaudio_run(gpg_pinentry_t, gpg_pinentry_roles)
+ pulseaudio_stream_connect(gpg_pinentry_t)
-+ pulseaudio_signull(gpg_pinentry_t)
')
optional_policy(`
@@ -29798,7 +29631,7 @@ index 44cf341..8aa9dd9 100644
+ miscfiles_manage_public_files(gpg_web_t)
')
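Review bot: The dropped `pulseaudio_signull(gpg_pinentry_t)` is only still covered if `pulseaudio_run` grants signull itself, which is not visible in this hunk; confirm that before relying on the replacement, or keep that one call next to `pulseaudio_stream_connect(gpg_pinentry_t)`. By refpolicy convention a `*_run` interface is a domain transition plus role authorisation rather than the in-domain exec the removed `pulseaudio_exec` line gave, so pinentry's home-file rights for pulseaudio are no longer needed on that path, which is the safer direction and worth a sentence in the commit message. The second argument is the role attribute `gpg_pinentry_roles`; check that the interface's role handling accepts an attribute there rather than a plain role. The pinentry local-policy section continues outside the hunk.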
diff --git a/gpm.te b/gpm.te
-index 3226f52..68b2eb8 100644
+index 69734fd..d99009a 100644
--- a/gpm.te
+++ b/gpm.te
@@ -13,7 +13,7 @@ type gpm_initrc_exec_t;
@@ -29832,7 +29665,7 @@ index 3226f52..68b2eb8 100644
optional_policy(`
seutil_sigchld_newrole(gpm_t)
diff --git a/gpsd.te b/gpsd.te
-index 25f09ae..3085534 100644
+index fe3895e..a820546 100644
--- a/gpsd.te
+++ b/gpsd.te
@@ -28,11 +28,12 @@ files_pid_file(gpsd_var_run_t)
@@ -30156,7 +29989,7 @@ index 0000000..5044e7b
+ kerberos_manage_host_rcache(gssproxy_t)
+')
diff --git a/guest.te b/guest.te
-index d928711..93d2d83 100644
+index 19cdbe1..0605776 100644
--- a/guest.te
+++ b/guest.te
@@ -20,4 +20,4 @@ optional_policy(`
@@ -30166,7 +29999,7 @@ index d928711..93d2d83 100644
-#gen_user(guest_u, user, guest_r, s0, s0)
+gen_user(guest_u, user, guest_r, s0, s0)
diff --git a/hadoop.te b/hadoop.te
-index e62bcb7..f44ad99 100644
+index e151378..04d173d 100644
--- a/hadoop.te
+++ b/hadoop.te
@@ -155,7 +155,6 @@ dev_read_urand(hadoop_t)
@@ -30203,7 +30036,7 @@ index e62bcb7..f44ad99 100644
fs_getattr_xattr_fs(zookeeper_server_t)
diff --git a/hal.te b/hal.te
-index 0801fe1..85b6f3e 100644
+index bbccc79..6c6524a 100644
--- a/hal.te
+++ b/hal.te
@@ -61,7 +61,6 @@ files_type(hald_var_lib_t)
@@ -30242,7 +30075,7 @@ index 1728071..77e71ea 100644
domain_system_change_exemption($1)
role_transition $2 hddtemp_initrc_exec_t system_r;
diff --git a/hddtemp.te b/hddtemp.te
-index 18d76bb..588c964 100644
+index 9e11b98..29065e6 100644
--- a/hddtemp.te
+++ b/hddtemp.te
@@ -26,7 +26,6 @@ allow hddtemp_t self:tcp_socket { accept listen };
@@ -30269,7 +30102,7 @@ index 18d76bb..588c964 100644
-miscfiles_read_localization(hddtemp_t)
diff --git a/howl.te b/howl.te
-index e207823..4e0f8ba 100644
+index b9e60ec..0477728 100644
--- a/howl.te
+++ b/howl.te
@@ -36,7 +36,6 @@ kernel_request_load_module(howl_t)
@@ -30290,13 +30123,14 @@ index e207823..4e0f8ba 100644
userdom_dontaudit_search_user_home_dirs(howl_t)
diff --git a/hypervkvp.fc b/hypervkvp.fc
-new file mode 100644
-index 0000000..e2ae3b2
---- /dev/null
+index b46130e..e2ae3b2 100644
+--- a/hypervkvp.fc
+++ b/hypervkvp.fc
-@@ -0,0 +1,10 @@
+@@ -1,3 +1,10 @@
+-/etc/rc\.d/init\.d/hypervkvpd -- gen_context(system_u:object_r:hypervkvpd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hypervkvpd -- gen_context(system_u:object_r:hypervkvp_initrc_exec_t,s0)
-+
+
+-/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvpd_exec_t,s0)
+/usr/lib/systemd/system/hypervvssd.* -- gen_context(system_u:object_r:hypervvssd_unit_file_t,s0)
+
+/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvp_exec_t,s0)
@@ -30306,11 +30140,11 @@ index 0000000..e2ae3b2
+
+/var/lib/hyperv(/.*)? gen_context(system_u:object_r:hypervkvp_var_lib_t,s0)
diff --git a/hypervkvp.if b/hypervkvp.if
-new file mode 100644
-index 0000000..17c3627
---- /dev/null
+index 6517fad..17c3627 100644
+--- a/hypervkvp.if
+++ b/hypervkvp.if
-@@ -0,0 +1,111 @@
+@@ -1,32 +1,111 @@
+-## HyperV key value pair (KVP).
+
+## policy for hypervkvp
+
@@ -30351,16 +30185,19 @@ index 0000000..17c3627
+ allow $1 hypervkvp_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
-+
-+########################################
-+##
+
+ ########################################
+ ##
+-## All of the rules required to
+-## administrate an hypervkvp environment.
+## Read hypervkvp lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+#
+interface(`hypervkvp_read_lib_files',`
+ gen_require(`
@@ -30398,13 +30235,16 @@ index 0000000..17c3627
+## an hypervkvp environment
+##
+##
-+##
+ ##
+-## Role allowed access.
+## Domain allowed access.
-+##
-+##
-+#
-+interface(`hypervkvp_admin',`
-+ gen_require(`
+ ##
+ ##
+-##
+ #
+ interface(`hypervkvp_admin',`
+ gen_require(`
+- type hypervkvpd_t, hypervkvpd_initrc_exec_t;
+ type hypervkvp_t;
+ type hypervkvp_unit_file_t;
+ ')
@@ -30414,29 +30254,35 @@ index 0000000..17c3627
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 hypervkvp_t:process ptrace;
-+ ')
-+
+ ')
+
+- allow $1 hypervkvpd_t:process { ptrace signal_perms };
+- ps_process_pattern($1, hypervkvpd_t)
+ hypervkvp_manage_lib_files($1)
-+
+
+- init_labeled_script_domtrans($1, hypervkvpd_initrc_exec_t)
+- domain_system_change_exemption($1)
+- role_transition $2 hypervkvpd_initrc_exec_t system_r;
+- allow $2 system_r;
+ hypervkvp_systemctl($1)
+ admin_pattern($1, hypervkvp_unit_file_t)
+ allow $1 hypervkvp_unit_file_t:service all_service_perms;
-+')
+ ')
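Review bot: `hypervkvp_admin` keeps its two-argument shape, but after the removed `role_transition $2 hypervkvpd_initrc_exec_t system_r;` and `allow $2 system_r;` lines nothing in the visible body references `$2` any more, while the rewritten doc block now describes only the domain parameter. Either document in the interface header that the role argument is accepted but unused (kept so existing `hypervkvp_admin(domain, role)` callers keep compiling), or keep `allow $2 system_r;` if the admin role still needs system_r for the systemctl path. The `interface(` line and its doc header are in the preceding hunk.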
diff --git a/hypervkvp.te b/hypervkvp.te
-new file mode 100644
-index 0000000..d2ad022
---- /dev/null
+index 4eb7041..d2ad022 100644
+--- a/hypervkvp.te
+++ b/hypervkvp.te
-@@ -0,0 +1,59 @@
-+policy_module(hypervkvp, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
+@@ -5,24 +5,55 @@ policy_module(hypervkvp, 1.0.0)
+ # Declarations
+ #
+
+-type hypervkvpd_t;
+-type hypervkvpd_exec_t;
+-init_daemon_domain(hypervkvpd_t, hypervkvpd_exec_t)
+attribute hyperv_domain;
-+
+
+-type hypervkvpd_initrc_exec_t;
+-init_script_file(hypervkvpd_initrc_exec_t)
+type hypervkvp_t, hyperv_domain;
+type hypervkvp_exec_t;
+init_daemon_domain(hypervkvp_t, hypervkvp_exec_t)
@@ -30456,9 +30302,10 @@ index 0000000..d2ad022
+
+type hypervvssd_unit_file_t;
+systemd_unit_file(hypervvssd_unit_file_t)
-+
-+########################################
-+#
+
+ ########################################
+ #
+-# Local policy
+# hyperv domain local policy
+#
+
@@ -30469,26 +30316,31 @@ index 0000000..d2ad022
+allow hyperv_domain self:unix_stream_socket create_stream_socket_perms;
+
+########################################
-+#
+ #
+# hypervkvp local policy
-+#
-+
+ #
+
+-allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
+-allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
+manage_dirs_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
+manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
+files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir)
+
+logging_send_syslog_msg(hypervkvp_t)
-+
+
+-logging_send_syslog_msg(hypervkvpd_t)
+sysnet_dns_name_resolve(hypervkvp_t)
-+
+
+-miscfiles_read_localization(hypervkvpd_t)
+########################################
+#
+# hypervvssd local policy
+#
-+
+
+-sysnet_dns_name_resolve(hypervkvpd_t)
+logging_send_syslog_msg(hypervvssd_t)
diff --git a/i18n_input.te b/i18n_input.te
-index 3bed8fa..a738d7f 100644
+index 369a056..65fde93 100644
--- a/i18n_input.te
+++ b/i18n_input.te
@@ -45,7 +45,6 @@ can_exec(i18n_input_t, i18n_input_exec_t)
@@ -30549,7 +30401,7 @@ index 580b533..c267cea 100644
domain_system_change_exemption($1)
role_transition $2 icecast_initrc_exec_t system_r;
diff --git a/icecast.te b/icecast.te
-index ac6f9d5..6097225 100644
+index a9e573a..d375214 100644
--- a/icecast.te
+++ b/icecast.te
@@ -65,12 +65,8 @@ dev_read_sysfs(icecast_t)
@@ -30579,7 +30431,7 @@ index 8999899..96909ae 100644
init_labeled_script_domtrans($1, ifplugd_initrc_exec_t)
diff --git a/ifplugd.te b/ifplugd.te
-index 6910e49..c4a9fcb 100644
+index b0546b4..98d7326 100644
--- a/ifplugd.te
+++ b/ifplugd.te
@@ -10,7 +10,7 @@ type ifplugd_exec_t;
@@ -30607,7 +30459,7 @@ index 6910e49..c4a9fcb 100644
sysnet_domtrans_ifconfig(ifplugd_t)
diff --git a/imaze.te b/imaze.te
-index 05387d1..08a489c 100644
+index 1eb24d8..b320d51 100644
--- a/imaze.te
+++ b/imaze.te
@@ -45,7 +45,6 @@ kernel_list_proc(imazesrv_t)
@@ -30645,7 +30497,7 @@ index fbb54e7..05c3777 100644
########################################
diff --git a/inetd.te b/inetd.te
-index 1a5ed62..420305b 100644
+index c6450df..ea5acd7 100644
--- a/inetd.te
+++ b/inetd.te
@@ -37,9 +37,9 @@ ifdef(`enable_mcs',`
@@ -30797,7 +30649,7 @@ index eb87f23..d3d32c3 100644
init_labeled_script_domtrans($1, innd_initrc_exec_t)
diff --git a/inn.te b/inn.te
-index 5aab5d0..5967395 100644
+index d39f0cc..cb277f0 100644
--- a/inn.te
+++ b/inn.te
@@ -26,6 +26,7 @@ files_pid_file(innd_var_run_t)
@@ -30891,7 +30743,7 @@ index a0bfbd0..47f7c75 100644
## administrate an iodined environment
##
diff --git a/iodine.te b/iodine.te
-index 94ec5f8..8556c27 100644
+index d443fee..475b7f4 100644
--- a/iodine.te
+++ b/iodine.te
@@ -12,6 +12,9 @@ init_daemon_domain(iodined_t, iodined_exec_t)
@@ -30988,7 +30840,7 @@ index ac00fb0..36ef2e5 100644
+ userdom_user_home_dir_filetrans($1, irssi_home_t, dir, "irclogs")
')
diff --git a/irc.te b/irc.te
-index ecad9c7..e413e5a 100644
+index 2636503..7e29d1d 100644
--- a/irc.te
+++ b/irc.te
@@ -31,13 +31,35 @@ typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t
@@ -31062,13 +30914,15 @@ index ecad9c7..e413e5a 100644
fs_getattr_all_fs(irc_t)
fs_search_auto_mountpoints(irc_t)
-@@ -106,15 +120,18 @@ auth_use_nsswitch(irc_t)
+@@ -106,14 +120,16 @@ auth_use_nsswitch(irc_t)
init_read_utmp(irc_t)
init_dontaudit_lock_utmp(irc_t)
+-miscfiles_read_generic_certs(irc_t)
-miscfiles_read_localization(irc_t)
-
- userdom_use_user_terminals(irc_t)
+-
+-userdom_use_user_terminals(irc_t)
++userdom_use_inherited_user_terminals(irc_t)
userdom_manage_user_home_content_dirs(irc_t)
userdom_manage_user_home_content_files(irc_t)
@@ -31077,13 +30931,12 @@ index ecad9c7..e413e5a 100644
+
+# Write to the user domain tty.
+userdom_use_inherited_user_terminals(irc_t)
++
++userdom_home_manager(irc_t)
tunable_policy(`irc_use_any_tcp_ports',`
-+ allow irc_t self:tcp_socket create_stream_socket_perms;
- corenet_sendrecv_all_server_packets(irc_t)
- corenet_tcp_bind_all_unreserved_ports(irc_t)
- corenet_sendrecv_all_client_packets(irc_t)
-@@ -122,18 +139,71 @@ tunable_policy(`irc_use_any_tcp_ports',`
+ allow irc_t self:tcp_socket { accept listen };
+@@ -124,18 +140,69 @@ tunable_policy(`irc_use_any_tcp_ports',`
corenet_tcp_sendrecv_all_ports(irc_t)
')
@@ -31091,8 +30944,6 @@ index ecad9c7..e413e5a 100644
- fs_manage_nfs_dirs(irc_t)
- fs_manage_nfs_files(irc_t)
- fs_manage_nfs_symlinks(irc_t)
-+userdom_home_manager(irc_t)
-+
+optional_policy(`
+ nis_use_ypbind(irc_t)
')
@@ -31179,7 +31030,7 @@ index ade9803..3620c9a 100644
files_search_var_lib($1)
diff --git a/ircd.te b/ircd.te
-index e9f746e..40e440c 100644
+index efaf4b1..bd1a132 100644
--- a/ircd.te
+++ b/ircd.te
@@ -52,7 +52,6 @@ kernel_read_kernel_sysctls(ircd_t)
@@ -31200,23 +31051,10 @@ index e9f746e..40e440c 100644
userdom_dontaudit_search_user_home_dirs(ircd_t)
diff --git a/irqbalance.te b/irqbalance.te
-index c5a8112..947efe0 100644
+index e1f302d..1e5418a 100644
--- a/irqbalance.te
+++ b/irqbalance.te
-@@ -22,6 +22,12 @@ files_pid_file(irqbalance_var_run_t)
-
- allow irqbalance_t self:capability { setpcap net_admin };
- dontaudit irqbalance_t self:capability sys_tty_config;
-+
-+ifdef(`hide_broken_symptoms',`
-+ # caused by some bogus kernel code
-+ dontaudit irqbalance_t self:capability sys_module;
-+')
-+
- allow irqbalance_t self:process { getcap setcap signal_perms };
- allow irqbalance_t self:udp_socket create_socket_perms;
-
-@@ -35,7 +41,6 @@ kernel_rw_irq_sysctls(irqbalance_t)
+@@ -35,7 +35,6 @@ kernel_rw_irq_sysctls(irqbalance_t)
dev_read_sysfs(irqbalance_t)
@@ -31224,7 +31062,7 @@ index c5a8112..947efe0 100644
files_read_etc_runtime_files(irqbalance_t)
fs_getattr_all_fs(irqbalance_t)
-@@ -45,8 +50,6 @@ domain_use_interactive_fds(irqbalance_t)
+@@ -45,8 +44,6 @@ domain_use_interactive_fds(irqbalance_t)
logging_send_syslog_msg(irqbalance_t)
@@ -31324,7 +31162,7 @@ index 1a35420..4b9b978 100644
logging_search_logs($1)
admin_pattern($1, iscsi_log_t)
diff --git a/iscsi.te b/iscsi.te
-index 57304e4..46e5e3d 100644
+index ca020fa..775dd9f 100644
--- a/iscsi.te
+++ b/iscsi.te
@@ -9,8 +9,8 @@ type iscsid_t;
@@ -31456,7 +31294,7 @@ index 59ad3b3..bd02cc8 100644
+
+/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_spool_t,s0)
diff --git a/jabber.if b/jabber.if
-index 16b1666..01673a4 100644
+index 7eb3811..b52a6ae 100644
--- a/jabber.if
+++ b/jabber.if
@@ -1,29 +1,76 @@
@@ -31614,7 +31452,7 @@ index 16b1666..01673a4 100644
##
##
##
-@@ -66,38 +137,32 @@ interface(`jabber_tcp_connect',`
+@@ -66,20 +137,26 @@ interface(`jabber_tcp_connect',`
##
##
##
@@ -31647,35 +31485,18 @@ index 16b1666..01673a4 100644
init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
domain_system_change_exemption($1)
- role_transition $2 jabberd_initrc_exec_t system_r;
- allow $2 system_r;
+@@ -97,7 +174,4 @@ interface(`jabber_admin',`
-- files_search_locks($1))
-- admin_pattern($1, jabberd_lock_t)
--
-- logging_search_logs($1)
-- admin_pattern($1, jabberd_log_t)
--
-- files_search_spool($1)
-- admin_pattern($1, jabberd_spool_t)
--
-- files_search_var_lib($1)
-+ files_list_var_lib($1)
+ files_search_var_lib($1)
admin_pattern($1, jabberd_var_lib_t)
-
- files_search_pids($1)
- admin_pattern($1, jabberd_var_run_t)
')
diff --git a/jabber.te b/jabber.te
-index bb12c90..62d511b 100644
+index af67c36..aa88a0a 100644
--- a/jabber.te
+++ b/jabber.te
-@@ -1,4 +1,4 @@
--policy_module(jabber, 1.9.1)
-+policy_module(jabber, 1.8.0)
-
- ########################################
- #
@@ -9,129 +9,133 @@ attribute jabberd_domain;
jabber_domain_template(jabberd)
@@ -31887,10 +31708,10 @@ index bb12c90..62d511b 100644
-auth_use_nsswitch(jabberd_router_t)
+sysnet_read_config(jabberd_domain)
diff --git a/java.te b/java.te
-index b3fcfbb..5459aa3 100644
+index a7ae153..6341e31 100644
--- a/java.te
+++ b/java.te
-@@ -11,7 +11,7 @@ policy_module(java, 2.6.3)
+@@ -11,7 +11,7 @@ policy_module(java, 2.7.0)
## its stack executable.
##
##
@@ -32912,15 +32733,9 @@ index 3a00b3a..21efcc4 100644
+ allow $1 kdump_unit_file_t:service all_service_perms;
')
diff --git a/kdump.te b/kdump.te
-index 70f3007..f8b68bf 100644
+index 715fc21..f6a381c 100644
--- a/kdump.te
+++ b/kdump.te
-@@ -1,4 +1,4 @@
--policy_module(kdump, 1.2.3)
-+policy_module(kdump, 1.2.0)
-
- #######################################
- #
@@ -12,35 +12,55 @@ init_system_domain(kdump_t, kdump_exec_t)
type kdump_etc_t;
files_config_file(kdump_etc_t)
@@ -33117,15 +32932,10 @@ index 182ab8b..8b1d9c2 100644
+')
+
diff --git a/kdumpgui.te b/kdumpgui.te
-index e7f5c81..8c75bc8 100644
+index 2990962..c153d15 100644
--- a/kdumpgui.te
+++ b/kdumpgui.te
-@@ -1,83 +1,92 @@
--policy_module(kdumpgui, 1.1.4)
-+policy_module(kdumpgui, 1.1.0)
-
- ########################################
- #
+@@ -5,79 +5,88 @@ policy_module(kdumpgui, 1.2.0)
# Declarations
#
@@ -33332,7 +33142,7 @@ index 4fe75fd..8c702c9 100644
+/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --git a/kerberos.if b/kerberos.if
-index f9de9fc..11e6268 100644
+index f6c00d8..c0946cf 100644
--- a/kerberos.if
+++ b/kerberos.if
@@ -1,27 +1,29 @@
@@ -33658,34 +33468,7 @@ index f9de9fc..11e6268 100644
##
##
##
-@@ -354,21 +255,15 @@ interface(`kerberos_etc_filetrans_keytab',`
- ##
- #
- template(`kerberos_keytab_template',`
--
-- ########################################
-- #
-- # Declarations
-- #
--
- type $1_keytab_t;
- files_type($1_keytab_t)
-
-- ########################################
-- #
-- # Policy
-- #
-+ allow $2 self:process setfscreate;
-+ allow $2 $1_keytab_t:file read_file_perms;
-
-- allow $2 $1_keytab_t:file read_file_perms;
-+ seutil_read_file_contexts($2)
-+ seutil_read_config($2)
-+ selinux_get_enforce_mode($2)
-
- kerberos_read_keytab($2)
- kerberos_use($2)
-@@ -376,7 +271,7 @@ template(`kerberos_keytab_template',`
+@@ -361,7 +262,7 @@ template(`kerberos_keytab_template',`
########################################
##
@@ -33694,7 +33477,7 @@ index f9de9fc..11e6268 100644
##
##
##
-@@ -396,8 +291,7 @@ interface(`kerberos_read_kdc_config',`
+@@ -381,8 +282,7 @@ interface(`kerberos_read_kdc_config',`
########################################
##
@@ -33704,7 +33487,7 @@ index f9de9fc..11e6268 100644
##
##
##
-@@ -411,34 +305,99 @@ interface(`kerberos_manage_host_rcache',`
+@@ -396,34 +296,99 @@ interface(`kerberos_manage_host_rcache',`
type krb5_host_rcache_t;
')
@@ -33744,8 +33527,7 @@ index f9de9fc..11e6268 100644
##
-##
+##
- ##
--## Class of the object being created.
++##
+## The role to be allowed to manage the kerberos domain.
+##
+##
@@ -33807,12 +33589,13 @@ index f9de9fc..11e6268 100644
+## to the krb5_host_rcache type.
+##
+##
-+##
+ ##
+-## Class of the object being created.
+## Domain allowed access.
##
##
##
-@@ -452,12 +411,13 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
+@@ -437,12 +402,13 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
type krb5_host_rcache_t;
')
@@ -33828,7 +33611,7 @@ index f9de9fc..11e6268 100644
##
##
##
-@@ -465,82 +425,85 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
+@@ -450,82 +416,85 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
##
##
#
@@ -33969,16 +33752,10 @@ index f9de9fc..11e6268 100644
+ kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
')
diff --git a/kerberos.te b/kerberos.te
-index 3465a9a..353c4ce 100644
+index 8833d59..2242f4d 100644
--- a/kerberos.te
+++ b/kerberos.te
-@@ -1,4 +1,4 @@
--policy_module(kerberos, 1.11.7)
-+policy_module(kerberos, 1.11.0)
-
- ########################################
- #
-@@ -6,11 +6,11 @@ policy_module(kerberos, 1.11.7)
+@@ -6,11 +6,11 @@ policy_module(kerberos, 1.12.0)
#
##
@@ -34333,7 +34110,7 @@ index 714448f..fa0c994 100644
domain_system_change_exemption($1)
role_transition $2 kerneloops_initrc_exec_t system_r;
diff --git a/kerneloops.te b/kerneloops.te
-index 1101985..7f1061d 100644
+index bcdb295..f6e3736 100644
--- a/kerneloops.te
+++ b/kerneloops.te
@@ -31,7 +31,6 @@ kernel_read_ring_buffer(kerneloops_t)
@@ -34406,7 +34183,7 @@ index 8982b91..6134ef2 100644
+ allow $1 keyboardd_t:fifo_file read_fifo_file_perms;
')
diff --git a/keyboardd.te b/keyboardd.te
-index adfe3dc..a60b664 100644
+index 628b78b..fe65617 100644
--- a/keyboardd.te
+++ b/keyboardd.te
@@ -19,6 +19,3 @@ allow keyboardd_t self:unix_stream_socket create_stream_socket_perms;
@@ -34427,7 +34204,7 @@ index b273d80..186cd86 100644
/usr/bin/keystone-all -- gen_context(system_u:object_r:keystone_exec_t,s0)
diff --git a/keystone.if b/keystone.if
-index d3e7fc9..f20248c 100644
+index e88fb16..f20248c 100644
--- a/keystone.if
+++ b/keystone.if
@@ -1,42 +1,218 @@
@@ -34651,8 +34428,7 @@ index d3e7fc9..f20248c 100644
logging_search_logs($1)
admin_pattern($1, keystone_log_t)
-- files_search_var_lib($1
-+ files_search_var_lib($1)
+ files_search_var_lib($1)
admin_pattern($1, keystone_var_lib_t)
- files_search_tmp($1)
@@ -34666,7 +34442,7 @@ index d3e7fc9..f20248c 100644
+ ')
')
diff --git a/keystone.te b/keystone.te
-index 3494d9b..a82637c 100644
+index 9929647..b7873e1 100644
--- a/keystone.te
+++ b/keystone.te
@@ -21,10 +21,14 @@ files_type(keystone_var_lib_t)
@@ -34744,7 +34520,7 @@ index aa2a337..7ff229f 100644
files_search_var_lib($1)
admin_pattern($1, kismet_var_lib_t)
diff --git a/kismet.te b/kismet.te
-index ea64ed5..e60f701 100644
+index 8ad0d4d..c070420 100644
--- a/kismet.te
+++ b/kismet.te
@@ -81,25 +81,22 @@ kernel_read_network_state(kismet_t)
@@ -34794,7 +34570,7 @@ index e736c45..4b1e1e4 100644
/var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0)
diff --git a/ksmtuned.if b/ksmtuned.if
-index c530214..3ac0b8b 100644
+index 93a64bc..3ac0b8b 100644
--- a/ksmtuned.if
+++ b/ksmtuned.if
@@ -38,6 +38,29 @@ interface(`ksmtuned_initrc_domtrans',`
@@ -34850,15 +34626,15 @@ index c530214..3ac0b8b 100644
- domain_system_change_exemption($1)
- role_transition $2 ksmtuned_initrc_exec_t system_r;
- allow $2 system_r;
+-
+- allow $1 ksmtuned_t:process { ptrace signal_perms };
+ allow $1 ksmtuned_t:process signal_perms;
-+ ps_process_pattern($1, ksmtuned_t)
+ ps_process_pattern($1, ksmtuned_t)
-- allow $1 ksmtuned_t:process { ptrace signal_perms };
-- ps_process_pattern(ksmtumed_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ksmtuned_t:process ptrace;
+ ')
-
++
files_list_pids($1)
admin_pattern($1, ksmtuned_var_run_t)
@@ -34870,10 +34646,10 @@ index c530214..3ac0b8b 100644
+ allow $1 ksmtuned_unit_file_t:service all_service_perms;
')
diff --git a/ksmtuned.te b/ksmtuned.te
-index c1539b5..fd0a17f 100644
+index 8eef134..a2ca1a0 100644
--- a/ksmtuned.te
+++ b/ksmtuned.te
-@@ -5,10 +5,27 @@ policy_module(ksmtuned, 1.0.1)
+@@ -5,10 +5,27 @@ policy_module(ksmtuned, 1.1.1)
# Declarations
#
@@ -35015,16 +34791,10 @@ index 19777b8..55d1556 100644
+ ')
+')
diff --git a/ktalk.te b/ktalk.te
-index 2cf3815..a43a4f6 100644
+index c5548c5..bb979b1 100644
--- a/ktalk.te
+++ b/ktalk.te
-@@ -7,11 +7,15 @@ policy_module(ktalk, 1.8.1)
-
- type ktalkd_t;
- type ktalkd_exec_t;
-+init_domain(ktalkd_t, ktalkd_exec_t)
- inetd_udp_service_domain(ktalkd_t, ktalkd_exec_t)
-
+@@ -13,6 +13,9 @@ inetd_udp_service_domain(ktalkd_t, ktalkd_exec_t)
type ktalkd_log_t;
logging_log_file(ktalkd_log_t)
@@ -35034,20 +34804,7 @@ index 2cf3815..a43a4f6 100644
type ktalkd_tmp_t;
files_tmp_file(ktalkd_tmp_t)
-@@ -35,16 +39,24 @@ kernel_read_kernel_sysctls(ktalkd_t)
- kernel_read_system_state(ktalkd_t)
- kernel_read_network_state(ktalkd_t)
-
-+corenet_all_recvfrom_netlabel(ktalkd_t)
-+corenet_tcp_sendrecv_generic_if(ktalkd_t)
-+corenet_udp_sendrecv_generic_if(ktalkd_t)
-+corenet_tcp_sendrecv_generic_node(ktalkd_t)
-+corenet_udp_sendrecv_generic_node(ktalkd_t)
-+corenet_tcp_sendrecv_all_ports(ktalkd_t)
-+corenet_udp_sendrecv_all_ports(ktalkd_t)
-+corenet_udp_bind_ktalkd_port(ktalkd_t)
-+
- dev_read_urand(ktalkd_t)
+@@ -50,12 +53,11 @@ dev_read_urand(ktalkd_t)
fs_getattr_xattr_fs(ktalkd_t)
@@ -35082,7 +34839,7 @@ index 5297064..6ba8108 100644
domain_system_change_exemption($1)
role_transition $2 kudzu_initrc_exec_t system_r;
diff --git a/kudzu.te b/kudzu.te
-index 9725f1a..34aa63b 100644
+index 1664036..214a4fb 100644
--- a/kudzu.te
+++ b/kudzu.te
@@ -63,7 +63,6 @@ dev_rwx_zero(kudzu_t)
@@ -35367,7 +35124,7 @@ index 73e2803..2fc7570 100644
files_search_pids($1)
admin_pattern($1, l2tpd_var_run_t)
diff --git a/l2tp.te b/l2tp.te
-index 19f2b97..bbbda10 100644
+index bb06a7f..5546de2 100644
--- a/l2tp.te
+++ b/l2tp.te
@@ -27,7 +27,7 @@ files_pid_file(l2tpd_var_run_t)
@@ -35437,7 +35194,7 @@ index 19f2b97..bbbda10 100644
ppp_signal(l2tpd_t)
ppp_kill(l2tpd_t)
diff --git a/ldap.fc b/ldap.fc
-index bc25c95..6692d91 100644
+index b7e5679..c93db33 100644
--- a/ldap.fc
+++ b/ldap.fc
@@ -1,8 +1,11 @@
@@ -35454,7 +35211,7 @@ index bc25c95..6692d91 100644
/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
-@@ -17,8 +20,7 @@
+@@ -22,8 +25,7 @@
/var/log/ldap.* gen_context(system_u:object_r:slapd_log_t,s0)
/var/log/slapd.* gen_context(system_u:object_r:slapd_log_t,s0)
@@ -35468,7 +35225,7 @@ index bc25c95..6692d91 100644
+/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
+/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
diff --git a/ldap.if b/ldap.if
-index ee0c7cc..c54e3d2 100644
+index 3602712..517bfbf 100644
--- a/ldap.if
+++ b/ldap.if
@@ -1,8 +1,68 @@
@@ -35668,13 +35425,10 @@ index ee0c7cc..c54e3d2 100644
##
##
##
-@@ -115,28 +191,28 @@ interface(`ldap_admin',`
- gen_require(`
- type slapd_t, slapd_tmp_t, slapd_replog_t;
+@@ -117,11 +193,16 @@ interface(`ldap_admin',`
type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
-- type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t;
-- type slapd_db_t;
-+ type slapd_initrc_exec_t;
+ type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t;
+ type slapd_db_t, slapd_keytab_t;
+ type slapd_unit_file_t;
')
@@ -35689,11 +35443,9 @@ index ee0c7cc..c54e3d2 100644
init_labeled_script_domtrans($1, slapd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 slapd_initrc_exec_t system_r;
- allow $2 system_r;
-
+@@ -130,13 +211,9 @@ interface(`ldap_admin',`
files_list_etc($1)
-- admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t })
-+ admin_pattern($1, slapd_etc_t)
+ admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t })
- files_list_locks($1)
admin_pattern($1, slapd_lock_t)
@@ -35706,7 +35458,7 @@ index ee0c7cc..c54e3d2 100644
admin_pattern($1, slapd_replog_t)
files_list_tmp($1)
-@@ -144,4 +220,8 @@ interface(`ldap_admin',`
+@@ -144,4 +221,8 @@ interface(`ldap_admin',`
files_list_pids($1)
admin_pattern($1, slapd_var_run_t)
@@ -35716,7 +35468,7 @@ index ee0c7cc..c54e3d2 100644
+ allow $1 slapd_unit_file_t:service all_service_perms;
')
diff --git a/ldap.te b/ldap.te
-index d7d9b09..562c288 100644
+index 4c2b111..8915138 100644
--- a/ldap.te
+++ b/ldap.te
@@ -21,6 +21,9 @@ files_config_file(slapd_etc_t)
@@ -35726,10 +35478,10 @@ index d7d9b09..562c288 100644
+type slapd_unit_file_t;
+systemd_unit_file(slapd_unit_file_t)
+
- type slapd_lock_t;
- files_lock_file(slapd_lock_t)
+ type slapd_keytab_t;
+ files_type(slapd_keytab_t)
-@@ -88,7 +91,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
+@@ -93,7 +96,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
kernel_read_system_state(slapd_t)
kernel_read_kernel_sysctls(slapd_t)
@@ -35737,7 +35489,7 @@ index d7d9b09..562c288 100644
corenet_all_recvfrom_netlabel(slapd_t)
corenet_tcp_sendrecv_generic_if(slapd_t)
corenet_tcp_sendrecv_generic_node(slapd_t)
-@@ -110,25 +112,23 @@ fs_getattr_all_fs(slapd_t)
+@@ -115,15 +117,14 @@ fs_getattr_all_fs(slapd_t)
fs_search_auto_mountpoints(slapd_t)
files_read_etc_runtime_files(slapd_t)
@@ -35754,19 +35506,19 @@ index d7d9b09..562c288 100644
userdom_dontaudit_use_unpriv_user_fds(slapd_t)
userdom_dontaudit_search_user_home_dirs(slapd_t)
-
+@@ -131,9 +132,9 @@ userdom_dontaudit_search_user_home_dirs(slapd_t)
optional_policy(`
- kerberos_keytab_template(slapd, slapd_t)
-- kerberos_manage_host_rcache(slapd_t)
+ kerberos_manage_host_rcache(slapd_t)
+ kerberos_read_keytab(slapd_t)
- kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldapmap1_0")
- kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_487")
- kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_55")
+ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldapmap1_0")
+ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_487")
+ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_55")
+ kerberos_use(slapd_t)
')
- optional_policy(`
diff --git a/lightsquid.if b/lightsquid.if
index 33a28b9..33ffe24 100644
--- a/lightsquid.if
@@ -35781,7 +35533,7 @@ index 33a28b9..33ffe24 100644
+ ')
')
diff --git a/lightsquid.te b/lightsquid.te
-index 40a2607..308accb 100644
+index 09c4f27..75854ed 100644
--- a/lightsquid.te
+++ b/lightsquid.te
@@ -31,11 +31,6 @@ corecmd_exec_shell(lightsquid_t)
@@ -35939,7 +35691,7 @@ index bd20e8c..3393a01 100644
- admin_pattern($1, { lwregd_var_run_t netlogond_var_run_t srvsvcd_var_run_t })
-')
diff --git a/likewise.te b/likewise.te
-index 408fbe3..e86ead6 100644
+index d8c2442..ef30d42 100644
--- a/likewise.te
+++ b/likewise.te
@@ -26,7 +26,7 @@ type likewise_var_lib_t;
@@ -36006,7 +35758,7 @@ index dff21a7..b6981c8 100644
init_labeled_script_domtrans($1, lircd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/lircd.te b/lircd.te
-index 98b5405..7d982bb 100644
+index 483c87b..af0698b 100644
--- a/lircd.te
+++ b/lircd.te
@@ -13,7 +13,7 @@ type lircd_initrc_exec_t;
@@ -36075,7 +35827,7 @@ index e354181..c6b2383 100644
########################################
diff --git a/livecd.te b/livecd.te
-index 33f64b5..a920c08 100644
+index 2f974bf..54f10e4 100644
--- a/livecd.te
+++ b/livecd.te
@@ -21,9 +21,11 @@ files_tmp_file(livecd_tmp_t)
@@ -36158,7 +35910,7 @@ index d18c960..fb5b674 100644
domain_system_change_exemption($1)
role_transition $2 lldpad_initrc_exec_t system_r;
diff --git a/lldpad.te b/lldpad.te
-index 648def0..b17392a 100644
+index 2a491d9..db979c3 100644
--- a/lldpad.te
+++ b/lldpad.te
@@ -26,7 +26,7 @@ files_pid_file(lldpad_var_run_t)
@@ -36184,7 +35936,7 @@ index 648def0..b17392a 100644
optional_policy(`
fcoe_dgram_send_fcoemon(lldpad_t)
diff --git a/loadkeys.te b/loadkeys.te
-index 6cbb977..bd5406a 100644
+index d2f4643..c8e6b37 100644
--- a/loadkeys.te
+++ b/loadkeys.te
@@ -25,20 +25,19 @@ kernel_read_system_state(loadkeys_t)
@@ -36242,7 +35994,7 @@ index 4313b8b..cd1435c 100644
##
## Role access for lockdev.
diff --git a/lockdev.te b/lockdev.te
-index db87831..30bfb76 100644
+index 61db5a0..9d5d255 100644
--- a/lockdev.te
+++ b/lockdev.te
@@ -36,4 +36,5 @@ fs_getattr_xattr_fs(lockdev_t)
@@ -36324,15 +36076,10 @@ index dd8e01a..9cd6b0b 100644
##
##
diff --git a/logrotate.te b/logrotate.te
-index 7bab8e5..b88bbf3 100644
+index be0ab84..4a75f6b 100644
--- a/logrotate.te
+++ b/logrotate.te
-@@ -1,20 +1,18 @@
--policy_module(logrotate, 1.14.5)
-+policy_module(logrotate, 1.14.0)
-
- ########################################
- #
+@@ -5,16 +5,14 @@ policy_module(logrotate, 1.15.0)
# Declarations
#
@@ -36386,7 +36133,7 @@ index 7bab8e5..b88bbf3 100644
allow logrotate_t self:shm create_shm_perms;
allow logrotate_t self:sem create_sem_perms;
allow logrotate_t self:msgq create_msgq_perms;
-@@ -48,79 +52,94 @@ allow logrotate_t self:msg { send receive };
+@@ -48,36 +52,52 @@ allow logrotate_t self:msg { send receive };
allow logrotate_t logrotate_lock_t:file manage_file_perms;
files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
@@ -36422,9 +36169,6 @@ index 7bab8e5..b88bbf3 100644
+selinux_get_fs_mount(logrotate_t)
+selinux_get_enforce_mode(logrotate_t)
+
-+auth_manage_login_records(logrotate_t)
-+auth_use_nsswitch(logrotate_t)
-+
+# Run helper programs.
corecmd_exec_bin(logrotate_t)
corecmd_exec_shell(logrotate_t)
@@ -36447,26 +36191,7 @@ index 7bab8e5..b88bbf3 100644
files_manage_generic_spool(logrotate_t)
files_manage_generic_spool_dirs(logrotate_t)
files_getattr_generic_locks(logrotate_t)
- files_dontaudit_list_mnt(logrotate_t)
-
--fs_search_auto_mountpoints(logrotate_t)
--fs_getattr_xattr_fs(logrotate_t)
--fs_list_inotifyfs(logrotate_t)
--
--mls_file_read_all_levels(logrotate_t)
--mls_file_write_all_levels(logrotate_t)
--mls_file_upgrade(logrotate_t)
--mls_process_write_to_clearance(logrotate_t)
--
--selinux_get_fs_mount(logrotate_t)
--selinux_get_enforce_mode(logrotate_t)
--
--auth_manage_login_records(logrotate_t)
--auth_use_nsswitch(logrotate_t)
--
-+# cjp: why is this needed?
- init_domtrans_script(logrotate_t)
-
+@@ -103,24 +123,34 @@ init_all_labeled_script_domtrans(logrotate_t)
logging_manage_all_logs(logrotate_t)
logging_send_syslog_msg(logrotate_t)
logging_send_audit_msgs(logrotate_t)
@@ -36508,7 +36233,7 @@ index 7bab8e5..b88bbf3 100644
')
optional_policy(`
-@@ -135,16 +154,17 @@ optional_policy(`
+@@ -135,16 +165,17 @@ optional_policy(`
optional_policy(`
apache_read_config(logrotate_t)
@@ -36528,7 +36253,7 @@ index 7bab8e5..b88bbf3 100644
')
optional_policy(`
-@@ -178,7 +198,7 @@ optional_policy(`
+@@ -178,7 +209,7 @@ optional_policy(`
')
optional_policy(`
@@ -36537,7 +36262,7 @@ index 7bab8e5..b88bbf3 100644
')
optional_policy(`
-@@ -198,21 +218,26 @@ optional_policy(`
+@@ -198,21 +229,26 @@ optional_policy(`
')
optional_policy(`
@@ -36551,24 +36276,24 @@ index 7bab8e5..b88bbf3 100644
- openvswitch_read_pid_files(logrotate_t)
- openvswitch_domtrans(logrotate_t)
+ polipo_named_filetrans_log_files(logrotate_t)
-+')
-+
-+optional_policy(`
-+ psad_domtrans(logrotate_t)
')
optional_policy(`
- polipo_log_filetrans_log(logrotate_t, file, "polipo")
-+ rabbitmq_domtrans_beam(logrotate_t)
++ psad_domtrans(logrotate_t)
')
optional_policy(`
- psad_domtrans(logrotate_t)
++ rabbitmq_domtrans_beam(logrotate_t)
++')
++
++optional_policy(`
+ raid_domtrans_mdadm(logrotate_t)
')
optional_policy(`
-@@ -228,10 +253,20 @@ optional_policy(`
+@@ -228,10 +264,20 @@ optional_policy(`
')
optional_policy(`
@@ -36589,7 +36314,7 @@ index 7bab8e5..b88bbf3 100644
su_exec(logrotate_t)
')
-@@ -241,13 +276,11 @@ optional_policy(`
+@@ -241,13 +287,11 @@ optional_policy(`
#######################################
#
@@ -36609,20 +36334,25 @@ index 7bab8e5..b88bbf3 100644
logging_read_all_logs(logrotate_mail_t)
+manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
diff --git a/logwatch.te b/logwatch.te
-index 4256a4c..30e3cd2 100644
+index ab65034..ca924b3 100644
--- a/logwatch.te
+++ b/logwatch.te
-@@ -5,9 +5,17 @@ policy_module(logwatch, 1.11.6)
- # Declarations
+@@ -6,6 +6,13 @@ policy_module(logwatch, 1.12.2)
#
-+##
+ ##
+##
+## Allow epylog to send mail
+##
+##
+gen_tunable(logwatch_can_sendmail, false)
+
++##
+ ##
+ ## Determine whether logwatch can connect
+ ## to mail over the network.
+@@ -15,7 +22,8 @@ gen_tunable(logwatch_can_network_connect_mail, false)
+
type logwatch_t;
type logwatch_exec_t;
-init_system_domain(logwatch_t, logwatch_exec_t)
@@ -36631,7 +36361,7 @@ index 4256a4c..30e3cd2 100644
type logwatch_cache_t;
files_type(logwatch_cache_t)
-@@ -37,7 +45,8 @@ allow logwatch_t self:unix_stream_socket { accept listen };
+@@ -45,7 +53,8 @@ allow logwatch_t self:unix_stream_socket { accept listen };
manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
@@ -36641,7 +36371,19 @@ index 4256a4c..30e3cd2 100644
files_lock_filetrans(logwatch_t, logwatch_lock_t, file)
manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
-@@ -67,10 +76,11 @@ files_list_var(logwatch_t)
+@@ -61,6 +70,11 @@ kernel_read_system_state(logwatch_t)
+ kernel_read_net_sysctls(logwatch_t)
+ kernel_read_network_state(logwatch_t)
+
++corenet_all_recvfrom_unlabeled(logwatch_t)
++corenet_all_recvfrom_netlabel(logwatch_t)
++corenet_tcp_sendrecv_generic_if(logwatch_t)
++corenet_tcp_sendrecv_generic_node(logwatch_t)
++
+ corecmd_exec_bin(logwatch_t)
+ corecmd_exec_shell(logwatch_t)
+
+@@ -75,10 +89,11 @@ files_list_var(logwatch_t)
files_search_all(logwatch_t)
files_read_var_symlinks(logwatch_t)
files_read_etc_runtime_files(logwatch_t)
@@ -36654,7 +36396,7 @@ index 4256a4c..30e3cd2 100644
fs_dontaudit_list_auto_mountpoints(logwatch_t)
fs_list_inotifyfs(logwatch_t)
-@@ -92,13 +102,12 @@ libs_read_lib_files(logwatch_t)
+@@ -100,23 +115,17 @@ libs_read_lib_files(logwatch_t)
logging_read_all_logs(logwatch_t)
logging_send_syslog_msg(logwatch_t)
@@ -36669,7 +36411,17 @@ index 4256a4c..30e3cd2 100644
mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)
mta_getattr_spool(logwatch_t)
-@@ -137,6 +146,11 @@ optional_policy(`
+
+ tunable_policy(`logwatch_can_network_connect_mail',`
+- corenet_all_recvfrom_unlabeled(logwatch_t)
+- corenet_all_recvfrom_netlabel(logwatch_t)
+- corenet_tcp_sendrecv_generic_if(logwatch_t)
+- corenet_tcp_sendrecv_generic_node(logwatch_t)
+-
+ corenet_sendrecv_smtp_client_packets(logwatch_t)
+ corenet_tcp_connect_smtp_port(logwatch_t)
+ corenet_tcp_sendrecv_smtp_port(logwatch_t)
+@@ -160,6 +169,11 @@ optional_policy(`
')
optional_policy(`
@@ -36681,21 +36433,7 @@ index 4256a4c..30e3cd2 100644
rpc_search_nfs_state_data(logwatch_t)
')
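Review bot: The four generic network rules (`corenet_all_recvfrom_unlabeled`, `corenet_all_recvfrom_netlabel`, `corenet_tcp_sendrecv_generic_if`, `corenet_tcp_sendrecv_generic_node`) are moved out of upstream's `logwatch_can_network_connect_mail` tunable block and granted to logwatch_t unconditionally in the new inner hunk below `kernel_read_network_state(logwatch_t)`. On their own they do not open a port, but they widen the always-on policy relative to upstream, which deliberately gates them behind the boolean. If some unconditional consumer needs them (none is visible here), a one-line comment above them naming it would justify the move, e.g. `# needed outside the tunable for <consumer>`; otherwise keep them inside the tunable_policy block. The tunable_policy block itself is closed outside the visible hunk.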
-@@ -145,6 +159,13 @@ optional_policy(`
- samba_read_share_files(logwatch_t)
- ')
-
-+tunable_policy(`logwatch_can_sendmail',`
-+ corenet_tcp_connect_smtp_port(logwatch_t)
-+ corenet_sendrecv_smtp_client_packets(logwatch_t)
-+ corenet_tcp_connect_pop_port(logwatch_t)
-+ corenet_sendrecv_pop_client_packets(logwatch_t)
-+')
-+
- ########################################
- #
- # Mail local policy
-@@ -164,6 +185,12 @@ dev_read_sysfs(logwatch_mail_t)
+@@ -187,6 +201,12 @@ dev_read_sysfs(logwatch_mail_t)
logging_read_all_logs(logwatch_mail_t)
@@ -36896,7 +36634,7 @@ index 6256371..7826e38 100644
can_exec($1, lpr_exec_t)
')
diff --git a/lpd.te b/lpd.te
-index b9270f7..15f3748 100644
+index 39d3164..4b1b70c 100644
--- a/lpd.te
+++ b/lpd.te
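Review bot: After this hunk removes the `tunable_policy(`logwatch_can_sendmail',` block, nothing visible in the logwatch.te changes still references the `logwatch_can_sendmail` boolean that the patch continues to declare with `gen_tunable(logwatch_can_sendmail, false)`; unless it is consumed elsewhere in the file, it is now a dead tunable that shows up in `semanage boolean -l` but controls nothing. Either drop the declaration or attach it to the remaining mail rules. The declaration's description also reads `Allow epylog to send mail` although the boolean is named for logwatch. The removed block additionally granted POP client access (`corenet_tcp_connect_pop_port`, `corenet_sendrecv_pop_client_packets`), which upstream's `logwatch_can_network_connect_mail` block does not; confirm that dropping it is intended.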
@@ -48,7 +48,7 @@ userdom_user_tmp_file(lpr_tmp_t)
@@ -37050,27 +36788,28 @@ index b9270f7..15f3748 100644
+ mozilla_plugin_dontaudit_rw_tmp_files(lpr_t)
')
diff --git a/lsm.fc b/lsm.fc
-new file mode 100644
-index 0000000..81cd4e0
---- /dev/null
+index c455730..4b40274 100644
+--- a/lsm.fc
+++ b/lsm.fc
-@@ -0,0 +1,5 @@
-+/usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0)
-+
+@@ -1,3 +1,5 @@
+ /usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0)
+
+/usr/lib/systemd/system/libstoragemgmt.* -- gen_context(system_u:object_r:lsmd_unit_file_t,s0)
+
-+/var/run/lsm(/.*)? gen_context(system_u:object_r:lsmd_var_run_t,s0)
+ /var/run/lsm(/.*)? gen_context(system_u:object_r:lsmd_var_run_t,s0)
diff --git a/lsm.if b/lsm.if
-new file mode 100644
-index 0000000..da30c5d
---- /dev/null
+index d314333..da30c5d 100644
+--- a/lsm.if
+++ b/lsm.if
-@@ -0,0 +1,99 @@
+@@ -1,25 +1,85 @@
+-## Storage array management library.
+
+## libStorageMgmt plug-in daemon
-+
-+########################################
-+##
+
+ ########################################
+ ##
+-## All of the rules required to administrate
+-## an lsmd environment.
+## Execute TEMPLATE in the lsmd domin.
+##
+##
@@ -37090,12 +36829,13 @@ index 0000000..da30c5d
+########################################
+##
+## Read lsmd PID files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
+ ##
+ ##
+ ##
+ ## Domain allowed access.
+ ##
+ ##
+-##
+#
+interface(`lsmd_read_pid_files',`
+ gen_require(`
@@ -37137,24 +36877,26 @@ index 0000000..da30c5d
+## an lsmd environment
+##
+##
-+##
+ ##
+-## Role allowed access.
+## Domain allowed access.
-+##
-+##
-+##
-+#
-+interface(`lsmd_admin',`
-+ gen_require(`
+ ##
+ ##
+ ##
+ #
+ interface(`lsmd_admin',`
+ gen_require(`
+- type lsmd_t, type lsmd_var_run_t;
+ type lsmd_t;
+ type lsmd_var_run_t;
+ type lsmd_unit_file_t;
-+ ')
-+
-+ allow $1 lsmd_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, lsmd_t)
-+
-+ files_search_pids($1)
-+ admin_pattern($1, lsmd_var_run_t)
+ ')
+
+ allow $1 lsmd_t:process { ptrace signal_perms };
+@@ -27,4 +87,13 @@ interface(`lsmd_admin',`
+
+ files_search_pids($1)
+ admin_pattern($1, lsmd_var_run_t)
+
+ lsmd_systemctl($1)
+ admin_pattern($1, lsmd_unit_file_t)
@@ -37164,52 +36906,33 @@ index 0000000..da30c5d
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
-+')
+ ')
diff --git a/lsm.te b/lsm.te
-new file mode 100644
-index 0000000..6611d9f
---- /dev/null
+index 4ec0eea..bc7d239 100644
+--- a/lsm.te
+++ b/lsm.te
-@@ -0,0 +1,34 @@
-+policy_module(lsm, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type lsmd_t;
-+type lsmd_exec_t;
-+init_daemon_domain(lsmd_t, lsmd_exec_t)
-+
-+type lsmd_var_run_t;
-+files_pid_file(lsmd_var_run_t)
-+
+@@ -12,6 +12,9 @@ init_daemon_domain(lsmd_t, lsmd_exec_t)
+ type lsmd_var_run_t;
+ files_pid_file(lsmd_var_run_t)
+
+type lsmd_unit_file_t;
+systemd_unit_file(lsmd_unit_file_t)
+
-+########################################
-+#
-+# lsmd local policy
-+#
-+allow lsmd_t self:capability { setgid };
-+allow lsmd_t self:process { fork };
-+allow lsmd_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
-+manage_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
-+manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
-+manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
-+files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
-+
+ ########################################
+ #
+ # Local policy
+@@ -26,4 +29,6 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+ manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+ files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
+
+corecmd_exec_bin(lsmd_t)
+
-+logging_send_syslog_msg(lsmd_t)
+ logging_send_syslog_msg(lsmd_t)
diff --git a/mailman.fc b/mailman.fc
-index 7fa381b..bbe6b01 100644
+index 995d0a5..3d40d59 100644
--- a/mailman.fc
+++ b/mailman.fc
-@@ -3,10 +3,12 @@
+@@ -2,10 +2,12 @@
/etc/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
@@ -37534,10 +37257,10 @@ index 108c0f1..a248501 100644
domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t)
')
diff --git a/mailman.te b/mailman.te
-index 8eaf51b..a057913 100644
+index ac81c7f..7041046 100644
--- a/mailman.te
+++ b/mailman.te
-@@ -4,6 +4,12 @@ policy_module(mailman, 1.9.4)
+@@ -4,6 +4,12 @@ policy_module(mailman, 1.10.0)
#
# Declarations
#
@@ -37628,7 +37351,7 @@ index 8eaf51b..a057913 100644
+ fs_manage_fusefs_symlinks(mailman_domain)
+')
diff --git a/mailscanner.if b/mailscanner.if
-index 0293f34..bd1d48e 100644
+index 214cb44..bd1d48e 100644
--- a/mailscanner.if
+++ b/mailscanner.if
@@ -2,29 +2,27 @@
@@ -37701,7 +37424,7 @@ index 0293f34..bd1d48e 100644
admin_pattern($1, mscan_etc_t)
+ files_list_etc($1)
-- files_search_pids($1
+- files_search_pids($1)
admin_pattern($1, mscan_var_run_t)
-
- files_search_spool($1)
@@ -37709,7 +37432,7 @@ index 0293f34..bd1d48e 100644
+ files_list_pids($1)
')
diff --git a/mailscanner.te b/mailscanner.te
-index 725ba32..cec64d0 100644
+index 6b6e2e1..9889cef 100644
--- a/mailscanner.te
+++ b/mailscanner.te
@@ -34,6 +34,7 @@ allow mscan_t self:process signal;
@@ -37919,11 +37642,13 @@ index e08c55d..9e634bd 100644
+
+')
diff --git a/mandb.fc b/mandb.fc
-index 2de0f64..3c24286 100644
+index 8ae78b5..16e55cd 100644
--- a/mandb.fc
+++ b/mandb.fc
-@@ -1 +1,10 @@
- /etc/cron.daily/man-db\.cron -- gen_context(system_u:object_r:mandb_exec_t,s0)
+@@ -1 +1,11 @@
++HOME_DIR/\.manpath -- gen_context(system_u:object_r:mandb_home_t,s0)
++
+ /etc/cron\.(daily|weekly)/man-db.* -- gen_context(system_u:object_r:mandb_exec_t,s0)
+
+/usr/bin/mandb -- gen_context(system_u:object_r:mandb_exec_t,s0)
+
@@ -37932,7 +37657,6 @@ index 2de0f64..3c24286 100644
+
+/var/lock/man-db\.lock -- gen_context(system_u:object_r:mandb_lock_t,s0)
+
-+HOME_DIR/\.manpath -- gen_context(system_u:object_r:mandb_home_t,s0)
diff --git a/mandb.if b/mandb.if
index 327f3f7..4f61561 100644
--- a/mandb.if
@@ -38172,10 +37896,10 @@ index 327f3f7..4f61561 100644
+ ')
')
diff --git a/mandb.te b/mandb.te
-index 5a414e0..7fee444 100644
+index e6136fd..f5203f5 100644
--- a/mandb.te
+++ b/mandb.te
-@@ -10,28 +10,51 @@ roleattribute system_r mandb_roles;
+@@ -10,9 +10,18 @@ roleattribute system_r mandb_roles;
type mandb_t;
type mandb_exec_t;
@@ -38195,10 +37919,7 @@ index 5a414e0..7fee444 100644
########################################
#
# Local policy
- #
-
--allow mandb_t self:process signal;
-+allow mandb_t self:process { setsched signal };
+@@ -23,6 +32,18 @@ allow mandb_t self:process { setsched signal };
allow mandb_t self:fifo_file rw_fifo_file_perms;
allow mandb_t self:unix_stream_socket create_stream_socket_perms;
@@ -38214,9 +37935,10 @@ index 5a414e0..7fee444 100644
+allow mandb_t mandb_lock_t:file manage_file_perms;
+files_lock_filetrans(mandb_t, mandb_lock_t, file)
+
+ kernel_read_kernel_sysctls(mandb_t)
kernel_read_system_state(mandb_t)
- corecmd_exec_bin(mandb_t)
+@@ -33,11 +54,11 @@ dev_search_sysfs(mandb_t)
domain_use_interactive_fds(mandb_t)
@@ -38225,25 +37947,13 @@ index 5a414e0..7fee444 100644
miscfiles_manage_man_cache(mandb_t)
+miscfiles_setattr_man_pages(mandb_t)
+ miscfiles_read_man_pages(mandb_t)
+-miscfiles_read_localization(mandb_t)
- optional_policy(`
- cron_system_entry(mandb_t, mandb_exec_t)
- ')
-+
-diff --git a/mcelog.if b/mcelog.if
-index 9dbe694..f89651e 100644
---- a/mcelog.if
-+++ b/mcelog.if
-@@ -56,6 +56,6 @@ interface(`mcelog_admin',`
- logging_search_logs($1)
- admin_pattern($1, mcelog_log_t)
-
-- files_search_pids($1
-+ files_search_pids($1)
- admin_pattern($1, mcelog_var_run_t)
- ')
+ ifdef(`distro_debian',`
+ optional_policy(`
diff --git a/mcelog.te b/mcelog.te
-index 13ea191..c146d9c 100644
+index 59b3b3d..064c4fd 100644
--- a/mcelog.te
+++ b/mcelog.te
@@ -36,13 +36,6 @@ gen_tunable(mcelog_foreground, false)
@@ -38661,7 +38371,7 @@ index 1d4eb19..650014e 100644
admin_pattern($1, memcached_var_run_t)
')
diff --git a/memcached.te b/memcached.te
-index 4926208..4396320 100644
+index 29b7521..68ec663 100644
--- a/memcached.te
+++ b/memcached.te
@@ -20,7 +20,7 @@ files_pid_file(memcached_var_run_t)
@@ -38673,15 +38383,7 @@ index 4926208..4396320 100644
dontaudit memcached_t self:capability sys_tty_config;
allow memcached_t self:process { setrlimit signal_perms };
allow memcached_t self:tcp_socket { accept listen };
-@@ -51,10 +51,11 @@ corenet_tcp_sendrecv_all_ports(memcached_t)
- corenet_udp_bind_memcache_port(memcached_t)
- corenet_udp_sendrecv_all_ports(memcached_t)
-
-+dev_read_sysfs(memcached_t)
-+
- term_dontaudit_use_all_ptys(memcached_t)
- term_dontaudit_use_all_ttys(memcached_t)
- term_dontaudit_use_console(memcached_t)
+@@ -59,4 +59,3 @@ term_dontaudit_use_console(memcached_t)
auth_use_nsswitch(memcached_t)
@@ -38869,15 +38571,10 @@ index cba62db..562833a 100644
+ delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
+')
diff --git a/milter.te b/milter.te
-index 92508b2..db83591 100644
+index 4dc99f4..4385417 100644
--- a/milter.te
+++ b/milter.te
-@@ -1,77 +1,110 @@
--policy_module(milter, 1.4.2)
-+policy_module(milter, 1.4.0)
-
- ########################################
- #
+@@ -5,73 +5,106 @@ policy_module(milter, 1.5.0)
# Declarations
#
@@ -39061,6 +38758,23 @@ index 92508b2..db83591 100644
optional_policy(`
spamassassin_domtrans_client(spamass_milter_t)
')
+diff --git a/minissdpd.if b/minissdpd.if
+index b330161..5450937 100644
+--- a/minissdpd.if
++++ b/minissdpd.if
+@@ -39,10 +39,10 @@ interface(`minissdpd_read_config',`
+ interface(`minissdpd_admin',`
+ gen_require(`
+ type minissdpd_t, minissdpd_initrc_exec_t, minissdpd_conf_t;
+- type minissdpd_var_run_t
++ type minissdpd_var_run_t;
+ ')
+
+- allow $1 minissdpd_t:process { ptrace signal_perms };
++ allow $1 minissdpd_t:process { signal_perms };
+ ps_process_pattern($1, minissdpd_t)
+
+ init_labeled_script_domtrans($1, minissdpd_initrc_exec_t)
diff --git a/mock.fc b/mock.fc
new file mode 100644
index 0000000..8d0e473
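Review bot: The admin interface now drops `ptrace` outright with `allow $1 minissdpd_t:process { signal_perms };`, whereas the other admin interface this patch touches (ksmtuned_admin) keeps ptrace reachable behind the `deny_ptrace` tunable. For consistency write `allow $1 minissdpd_t:process signal_perms;` followed by `tunable_policy(`deny_ptrace',`',` allow $1 minissdpd_t:process ptrace; ')`; if ptrace is intentionally never needed for minissdpd, at least drop the now-superfluous braces around the single permission set. The rest of minissdpd_admin lies outside the hunk.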
@@ -39746,7 +39460,7 @@ index b1ac8b5..9b22bea 100644
+ ')
+')
diff --git a/modemmanager.te b/modemmanager.te
-index cb4c13d..ab6fb25 100644
+index d15eb5b..a0dae5e 100644
--- a/modemmanager.te
+++ b/modemmanager.te
@@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t)
@@ -39787,10 +39501,10 @@ index 73952f4..b19a6ee 100644
interface(`mojomojo_admin',`
refpolicywarn(`$0($*) has been deprecated, use apache_admin() instead.')
diff --git a/mojomojo.te b/mojomojo.te
-index 7e534cf..3652584 100644
+index b94102e..9556487 100644
--- a/mojomojo.te
+++ b/mojomojo.te
-@@ -5,21 +5,41 @@ policy_module(mojomojo, 1.0.1)
+@@ -5,21 +5,41 @@ policy_module(mojomojo, 1.1.0)
# Declarations
#
@@ -39841,7 +39555,7 @@ index 7e534cf..3652584 100644
+ ')
+')
diff --git a/mongodb.te b/mongodb.te
-index 4de8949..7bd7e35 100644
+index 169f236..9faddc2 100644
--- a/mongodb.te
+++ b/mongodb.te
@@ -49,13 +49,11 @@ corenet_all_recvfrom_unlabeled(mongod_t)
@@ -39860,7 +39574,7 @@ index 4de8949..7bd7e35 100644
-miscfiles_read_localization(mongod_t)
diff --git a/mono.te b/mono.te
-index d287fe9..3dc493c 100644
+index a6a8643..c0f6cf5 100644
--- a/mono.te
+++ b/mono.te
@@ -28,7 +28,7 @@ allow mono_domain self:process { signal getsched execheap execmem execstack };
@@ -39886,7 +39600,7 @@ index 8fdaece..5440757 100644
files_search_pids($1)
diff --git a/monop.te b/monop.te
-index 4462c0e..84944d1 100644
+index 5f93763..8596763 100644
--- a/monop.te
+++ b/monop.te
@@ -43,7 +43,6 @@ kernel_read_kernel_sysctls(monopd_t)
@@ -41080,16 +40794,10 @@ index 6194b80..ada96f0 100644
')
+
diff --git a/mozilla.te b/mozilla.te
-index 6a306ee..b236449 100644
+index 11ac8e4..7655da0 100644
--- a/mozilla.te
+++ b/mozilla.te
-@@ -1,4 +1,4 @@
--policy_module(mozilla, 2.7.4)
-+policy_module(mozilla, 2.6.0)
-
- ########################################
- #
-@@ -6,17 +6,41 @@ policy_module(mozilla, 2.7.4)
+@@ -6,17 +6,41 @@ policy_module(mozilla, 2.8.0)
#
##
@@ -42173,10 +41881,10 @@ index 5fa77c7..2e01c7d 100644
domain_system_change_exemption($1)
role_transition $2 mpd_initrc_exec_t system_r;
diff --git a/mpd.te b/mpd.te
-index 7c8afcc..33b18c8 100644
+index fe72523..92632e8 100644
--- a/mpd.te
+++ b/mpd.te
-@@ -62,18 +62,25 @@ files_type(mpd_var_lib_t)
+@@ -62,6 +62,12 @@ files_type(mpd_var_lib_t)
type mpd_user_data_t;
userdom_user_home_content(mpd_user_data_t) # customizable
@@ -42189,13 +41897,7 @@ index 7c8afcc..33b18c8 100644
########################################
#
# Local policy
- #
-
- allow mpd_t self:capability { dac_override kill setgid setuid };
--allow mpd_t self:process { getsched setsched setrlimit signal signull };
-+allow mpd_t self:process { getsched setsched setrlimit signal signull setcap };
- allow mpd_t self:fifo_file rw_fifo_file_perms;
- allow mpd_t self:unix_stream_socket { accept connectto listen };
+@@ -74,6 +80,7 @@ allow mpd_t self:unix_stream_socket { accept connectto listen };
allow mpd_t self:unix_dgram_socket sendto;
allow mpd_t self:tcp_socket { accept listen };
allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms;
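Review bot: The `setcap` permission the previous patch revision added to `allow mpd_t self:process { getsched setsched setrlimit signal signull }` no longer appears anywhere in the rewritten hunk, which now only adjusts the hunk header to `@@ -74,6 +80,7 @@`; if the rebased base (`index fe72523`) does not already carry `setcap`, mpd silently loses a permission this patch deliberately granted. Please confirm against the new upstream mpd.te, since a dropped `setcap` would only surface as an AVC denial at runtime. The enclosing local-policy section extends beyond the hunk.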
@@ -42322,10 +42024,10 @@ index 861d5e9..1c3d5a5 100644
+ userdom_user_home_dir_filetrans($1, mplayer_home_t, dir, ".mplayer")
+')
diff --git a/mplayer.te b/mplayer.te
-index 9aca704..f92829c 100644
+index 0f03cd9..e3ed393 100644
--- a/mplayer.te
+++ b/mplayer.te
-@@ -11,7 +11,7 @@ policy_module(mplayer, 2.4.4)
+@@ -11,7 +11,7 @@ policy_module(mplayer, 2.5.0)
## its stack executable.
##
##
@@ -42371,7 +42073,7 @@ index 9aca704..f92829c 100644
allow mencoder_t self:process { execmem execstack };
')
-@@ -173,7 +172,6 @@ files_dontaudit_getattr_non_security_files(mplayer_t)
+@@ -183,7 +182,6 @@ files_dontaudit_getattr_non_security_files(mplayer_t)
files_read_non_security_files(mplayer_t)
files_list_home(mplayer_t)
files_read_etc_runtime_files(mplayer_t)
@@ -42379,7 +42081,7 @@ index 9aca704..f92829c 100644
fs_getattr_all_fs(mplayer_t)
fs_search_auto_mountpoints(mplayer_t)
-@@ -194,7 +192,7 @@ userdom_tmp_filetrans_user_tmp(mplayer_t, { dir file })
+@@ -204,7 +202,7 @@ userdom_tmp_filetrans_user_tmp(mplayer_t, { dir file })
userdom_manage_user_home_content_dirs(mplayer_t)
userdom_manage_user_home_content_files(mplayer_t)
@@ -42388,7 +42090,7 @@ index 9aca704..f92829c 100644
userdom_write_user_tmp_sockets(mplayer_t)
-@@ -211,15 +209,15 @@ ifndef(`enable_mls',`
+@@ -221,15 +219,15 @@ ifndef(`enable_mls',`
fs_read_iso9660_files(mplayer_t)
')
@@ -42408,7 +42110,7 @@ index 9aca704..f92829c 100644
allow mplayer_t self:process { execmem execstack };
')
-@@ -235,7 +233,7 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -245,7 +243,7 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_symlinks(mplayer_t)
')
@@ -42418,7 +42120,7 @@ index 9aca704..f92829c 100644
')
diff --git a/mrtg.te b/mrtg.te
-index c97c177..9411154 100644
+index 65a246a..fa86320 100644
--- a/mrtg.te
+++ b/mrtg.te
@@ -65,7 +65,6 @@ kernel_read_kernel_sysctls(mrtg_t)
@@ -42515,7 +42217,7 @@ index f42896c..cb2791a 100644
-/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
diff --git a/mta.if b/mta.if
-index ed81cac..566684a 100644
+index ed81cac..e3840c1 100644
--- a/mta.if
+++ b/mta.if
@@ -1,4 +1,4 @@
@@ -42566,7 +42268,7 @@ index ed81cac..566684a 100644
#
type $1_mail_t, user_mail_domain;
-@@ -43,17 +57,16 @@ template(`mta_base_mail_template',`
+@@ -43,17 +57,18 @@ template(`mta_base_mail_template',`
type $1_mail_tmp_t;
files_tmp_file($1_mail_tmp_t)
@@ -42581,6 +42283,8 @@ index ed81cac..566684a 100644
+ kernel_read_system_state($1_mail_t)
+
++ corenet_all_recvfrom_netlabel($1_mail_t)
++
auth_use_nsswitch($1_mail_t)
+ logging_send_syslog_msg($1_mail_t)
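Review bot: Adding `corenet_all_recvfrom_netlabel($1_mail_t)` to the template covers only the per-user domains it instantiates, whereas the rule this patch removes from mta.te (`corenet_all_recvfrom_netlabel(user_mail_domain)`) covered every domain carrying the attribute, so any `user_mail_domain` member not created through `mta_base_mail_template` loses netlabel receive permission. If that narrowing is intended, a comment such as `# netlabel receive moved here from the user_mail_domain attribute` would stop the next rebase from re-adding it at attribute level. `mta_base_mail_template` continues beyond the hunk.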
@@ -42588,7 +42292,7 @@ index ed81cac..566684a 100644
optional_policy(`
postfix_domtrans_user_mail_handler($1_mail_t)
')
-@@ -61,61 +74,41 @@ template(`mta_base_mail_template',`
+@@ -61,61 +76,41 @@ template(`mta_base_mail_template',`
########################################
##
@@ -42660,7 +42364,7 @@ index ed81cac..566684a 100644
')
')
-@@ -163,125 +156,23 @@ interface(`mta_agent_executable',`
+@@ -163,125 +158,23 @@ interface(`mta_agent_executable',`
application_executable_file($1)
')
@@ -42793,7 +42497,7 @@ index ed81cac..566684a 100644
')
########################################
-@@ -334,7 +225,6 @@ interface(`mta_sendmail_mailserver',`
+@@ -334,7 +227,6 @@ interface(`mta_sendmail_mailserver',`
')
init_system_domain($1, sendmail_exec_t)
@@ -42801,7 +42505,7 @@ index ed81cac..566684a 100644
typeattribute $1 mailserver_domain;
')
-@@ -374,6 +264,15 @@ interface(`mta_mailserver_delivery',`
+@@ -374,6 +266,15 @@ interface(`mta_mailserver_delivery',`
')
typeattribute $1 mailserver_delivery;
@@ -42817,7 +42521,7 @@ index ed81cac..566684a 100644
')
#######################################
-@@ -394,6 +293,12 @@ interface(`mta_mailserver_user_agent',`
+@@ -394,6 +295,12 @@ interface(`mta_mailserver_user_agent',`
')
typeattribute $1 mta_user_agent;
@@ -42830,7 +42534,7 @@ index ed81cac..566684a 100644
')
########################################
-@@ -408,14 +313,19 @@ interface(`mta_mailserver_user_agent',`
+@@ -408,14 +315,19 @@ interface(`mta_mailserver_user_agent',`
#
interface(`mta_send_mail',`
gen_require(`
@@ -42852,7 +42556,7 @@ index ed81cac..566684a 100644
')
########################################
-@@ -445,18 +355,24 @@ interface(`mta_send_mail',`
+@@ -445,18 +357,24 @@ interface(`mta_send_mail',`
#
interface(`mta_sendmail_domtrans',`
gen_require(`
@@ -42882,7 +42586,7 @@ index ed81cac..566684a 100644
##
##
##
-@@ -464,7 +380,6 @@ interface(`mta_sendmail_domtrans',`
+@@ -464,7 +382,6 @@ interface(`mta_sendmail_domtrans',`
##
##
#
@@ -42890,7 +42594,7 @@ index ed81cac..566684a 100644
interface(`mta_signal_system_mail',`
gen_require(`
type system_mail_t;
-@@ -475,7 +390,43 @@ interface(`mta_signal_system_mail',`
+@@ -475,7 +392,43 @@ interface(`mta_signal_system_mail',`
########################################
##
@@ -42935,7 +42639,7 @@ index ed81cac..566684a 100644
##
##
##
-@@ -506,13 +457,32 @@ interface(`mta_sendmail_exec',`
+@@ -506,13 +459,32 @@ interface(`mta_sendmail_exec',`
type sendmail_exec_t;
')
@@ -42970,7 +42674,7 @@ index ed81cac..566684a 100644
##
##
##
-@@ -528,13 +498,13 @@ interface(`mta_read_config',`
+@@ -528,13 +500,13 @@ interface(`mta_read_config',`
files_search_etc($1)
allow $1 etc_mail_t:dir list_dir_perms;
@@ -42987,7 +42691,7 @@ index ed81cac..566684a 100644
##
##
##
-@@ -548,33 +518,31 @@ interface(`mta_write_config',`
+@@ -548,33 +520,31 @@ interface(`mta_write_config',`
type etc_mail_t;
')
@@ -43027,7 +42731,7 @@ index ed81cac..566684a 100644
##
##
##
-@@ -582,84 +550,66 @@ interface(`mta_read_aliases',`
+@@ -582,84 +552,66 @@ interface(`mta_read_aliases',`
##
##
#
@@ -43128,7 +42832,7 @@ index ed81cac..566684a 100644
##
##
##
-@@ -674,14 +624,13 @@ interface(`mta_rw_aliases',`
+@@ -674,14 +626,13 @@ interface(`mta_rw_aliases',`
')
files_search_etc($1)
@@ -43146,7 +42850,7 @@ index ed81cac..566684a 100644
##
##
##
-@@ -697,6 +646,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
+@@ -697,6 +648,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
dontaudit $1 mailserver_delivery:tcp_socket { read write };
')
@@ -43172,7 +42876,7 @@ index ed81cac..566684a 100644
#######################################
##
## Connect to all mail servers over TCP. (Deprecated)
-@@ -713,8 +681,8 @@ interface(`mta_tcp_connect_all_mailservers',`
+@@ -713,8 +683,8 @@ interface(`mta_tcp_connect_all_mailservers',`
#######################################
##
@@ -43183,7 +42887,7 @@ index ed81cac..566684a 100644
##
##
##
-@@ -732,7 +700,7 @@ interface(`mta_dontaudit_read_spool_symlinks',`
+@@ -732,7 +702,7 @@ interface(`mta_dontaudit_read_spool_symlinks',`
########################################
##
@@ -43192,7 +42896,7 @@ index ed81cac..566684a 100644
##
##
##
-@@ -753,8 +721,8 @@ interface(`mta_getattr_spool',`
+@@ -753,8 +723,8 @@ interface(`mta_getattr_spool',`
########################################
##
@@ -43203,7 +42907,7 @@ index ed81cac..566684a 100644
##
##
##
-@@ -775,9 +743,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
+@@ -775,9 +745,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
#######################################
##
@@ -43215,7 +42919,7 @@ index ed81cac..566684a 100644
##
##
##
-@@ -811,7 +778,7 @@ interface(`mta_spool_filetrans',`
+@@ -811,7 +780,7 @@ interface(`mta_spool_filetrans',`
#######################################
##
@@ -43224,7 +42928,7 @@ index ed81cac..566684a 100644
##
##
##
-@@ -819,10 +786,10 @@ interface(`mta_spool_filetrans',`
+@@ -819,10 +788,10 @@ interface(`mta_spool_filetrans',`
##
##
#
@@ -43239,7 +42943,7 @@ index ed81cac..566684a 100644
files_search_spool($1)
read_files_pattern($1, mail_spool_t, mail_spool_t)
-@@ -830,7 +797,7 @@ interface(`mta_read_spool_files',`
+@@ -830,7 +799,7 @@ interface(`mta_read_spool_files',`
########################################
##
@@ -43248,7 +42952,7 @@ index ed81cac..566684a 100644
##
##
##
-@@ -845,13 +812,14 @@ interface(`mta_rw_spool',`
+@@ -845,13 +814,14 @@ interface(`mta_rw_spool',`
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
@@ -43266,7 +42970,7 @@ index ed81cac..566684a 100644
##
##
##
-@@ -866,13 +834,14 @@ interface(`mta_append_spool',`
+@@ -866,13 +836,14 @@ interface(`mta_append_spool',`
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
@@ -43284,7 +42988,7 @@ index ed81cac..566684a 100644
##
##
##
-@@ -891,8 +860,7 @@ interface(`mta_delete_spool',`
+@@ -891,8 +862,7 @@ interface(`mta_delete_spool',`
########################################
##
@@ -43294,7 +42998,7 @@ index ed81cac..566684a 100644
##
##
##
-@@ -911,45 +879,9 @@ interface(`mta_manage_spool',`
+@@ -911,45 +881,9 @@ interface(`mta_manage_spool',`
manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
@@ -43341,7 +43045,7 @@ index ed81cac..566684a 100644
##
##
##
-@@ -968,7 +900,7 @@ interface(`mta_search_queue',`
+@@ -968,7 +902,7 @@ interface(`mta_search_queue',`
#######################################
##
@@ -43350,7 +43054,7 @@ index ed81cac..566684a 100644
##
##
##
-@@ -981,13 +913,13 @@ interface(`mta_list_queue',`
+@@ -981,13 +915,13 @@ interface(`mta_list_queue',`
type mqueue_spool_t;
')
@@ -43366,7 +43070,7 @@ index ed81cac..566684a 100644
##
##
##
-@@ -1000,14 +932,14 @@ interface(`mta_read_queue',`
+@@ -1000,14 +934,14 @@ interface(`mta_read_queue',`
type mqueue_spool_t;
')
@@ -43383,7 +43087,7 @@ index ed81cac..566684a 100644
##
##
##
-@@ -1027,7 +959,7 @@ interface(`mta_dontaudit_rw_queue',`
+@@ -1027,7 +961,7 @@ interface(`mta_dontaudit_rw_queue',`
########################################
##
## Create, read, write, and delete
@@ -43392,7 +43096,7 @@ index ed81cac..566684a 100644
##
##
##
-@@ -1047,6 +979,41 @@ interface(`mta_manage_queue',`
+@@ -1047,6 +981,41 @@ interface(`mta_manage_queue',`
#######################################
##
@@ -43434,7 +43138,7 @@ index ed81cac..566684a 100644
## Read sendmail binary.
##
##
-@@ -1055,6 +1022,7 @@ interface(`mta_manage_queue',`
+@@ -1055,6 +1024,7 @@ interface(`mta_manage_queue',`
##
##
#
@@ -43442,7 +43146,7 @@ index ed81cac..566684a 100644
interface(`mta_read_sendmail_bin',`
gen_require(`
type sendmail_exec_t;
-@@ -1065,8 +1033,8 @@ interface(`mta_read_sendmail_bin',`
+@@ -1065,8 +1035,8 @@ interface(`mta_read_sendmail_bin',`
#######################################
##
@@ -43453,7 +43157,7 @@ index ed81cac..566684a 100644
##
##
##
-@@ -1081,3 +1049,175 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -1081,3 +1051,175 @@ interface(`mta_rw_user_mail_stream_sockets',`
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
@@ -43630,15 +43334,9 @@ index ed81cac..566684a 100644
+ mta_filetrans_admin_home_content($1)
+')
diff --git a/mta.te b/mta.te
-index afd2fad..09ebbbe 100644
+index ff1d68c..e61560a 100644
--- a/mta.te
+++ b/mta.te
-@@ -1,4 +1,4 @@
--policy_module(mta, 2.6.5)
-+policy_module(mta, 2.5.0)
-
- ########################################
- #
@@ -14,8 +14,6 @@ attribute mailserver_sender;
attribute user_mail_domain;
@@ -43660,7 +43358,7 @@ index afd2fad..09ebbbe 100644
type sendmail_exec_t;
mta_agent_executable(sendmail_exec_t)
-@@ -43,178 +43,79 @@ role system_r types system_mail_t;
+@@ -43,11 +43,9 @@ role system_r types system_mail_t;
mta_base_mail_template(user)
typealias user_mail_t alias { staff_mail_t sysadm_mail_t };
typealias user_mail_t alias { auditadm_mail_t secadm_mail_t };
@@ -43673,123 +43371,55 @@ index afd2fad..09ebbbe 100644
userdom_user_tmp_file(user_mail_tmp_t)
########################################
- #
--# Common base mail policy
--#
--
--allow user_mail_domain self:capability { setuid setgid chown };
--allow user_mail_domain self:process { signal_perms setrlimit };
--allow user_mail_domain self:fifo_file rw_fifo_file_perms;
--
--allow user_mail_domain mta_exec_type:file entrypoint;
--
--allow user_mail_domain mail_home_t:file { append_file_perms read_file_perms };
--
--manage_dirs_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
--manage_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
--manage_lnk_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
--userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, "Maildir")
--userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, ".maildir")
--
--read_files_pattern(user_mail_domain, { etc_mail_t etc_aliases_t }, { etc_mail_t etc_aliases_t })
--
--manage_files_pattern(user_mail_domain, { mqueue_spool_t mail_spool_t }, { mqueue_spool_t mail_spool_t })
--read_lnk_files_pattern(user_mail_domain, { mqueue_spool_t mail_spool_t }, { mqueue_spool_t mail_spool_t })
--
--allow user_mail_domain sendmail_exec_t:lnk_file read_lnk_file_perms;
--
--can_exec(user_mail_domain, { mta_exec_type sendmail_exec_t })
--
+@@ -79,12 +77,10 @@ allow user_mail_domain sendmail_exec_t:lnk_file read_lnk_file_perms;
+ can_exec(user_mail_domain, { mta_exec_type sendmail_exec_t })
+
+ kernel_read_crypto_sysctls(user_mail_domain)
-kernel_read_system_state(user_mail_domain)
--kernel_read_kernel_sysctls(user_mail_domain)
--kernel_read_network_state(user_mail_domain)
--kernel_request_load_module(user_mail_domain)
--
+ kernel_read_kernel_sysctls(user_mail_domain)
+ kernel_read_network_state(user_mail_domain)
+ kernel_request_load_module(user_mail_domain)
+
-corenet_all_recvfrom_netlabel(user_mail_domain)
--corenet_tcp_sendrecv_generic_if(user_mail_domain)
--corenet_tcp_sendrecv_generic_node(user_mail_domain)
--
--corenet_sendrecv_all_client_packets(user_mail_domain)
--corenet_tcp_connect_all_ports(user_mail_domain)
--corenet_tcp_sendrecv_all_ports(user_mail_domain)
--
--corecmd_exec_bin(user_mail_domain)
--
--dev_read_urand(user_mail_domain)
--
--domain_use_interactive_fds(user_mail_domain)
--
--files_read_etc_runtime_files(user_mail_domain)
--files_read_usr_files(user_mail_domain)
--files_search_spool(user_mail_domain)
--files_dontaudit_search_pids(user_mail_domain)
--
--fs_getattr_all_fs(user_mail_domain)
--
--init_dontaudit_rw_utmp(user_mail_domain)
--
+ corenet_tcp_sendrecv_generic_if(user_mail_domain)
+ corenet_tcp_sendrecv_generic_node(user_mail_domain)
+
+@@ -107,10 +103,6 @@ fs_getattr_all_fs(user_mail_domain)
+
+ init_dontaudit_rw_utmp(user_mail_domain)
+
-logging_send_syslog_msg(user_mail_domain)
-
-miscfiles_read_localization(user_mail_domain)
-
--tunable_policy(`use_samba_home_dirs',`
-- fs_manage_cifs_dirs(user_mail_domain)
-- fs_manage_cifs_files(user_mail_domain)
-- fs_read_cifs_symlinks(user_mail_domain)
--')
--
--tunable_policy(`use_nfs_home_dirs',`
-- fs_manage_nfs_dirs(user_mail_domain)
-- fs_manage_nfs_files(user_mail_domain)
-- fs_read_nfs_symlinks(user_mail_domain)
--')
--
--optional_policy(`
-- courier_manage_spool_dirs(user_mail_domain)
-- courier_manage_spool_files(user_mail_domain)
-- courier_rw_spool_pipes(user_mail_domain)
--')
--
--optional_policy(`
-- exim_domtrans(user_mail_domain)
-- exim_manage_log(user_mail_domain)
-- exim_manage_spool_files(user_mail_domain)
--')
--
--optional_policy(`
-- files_getattr_tmp_dirs(user_mail_domain)
--
-- postfix_exec_master(user_mail_domain)
-- postfix_read_config(user_mail_domain)
-- postfix_search_spool(user_mail_domain)
-- postfix_rw_inherited_master_pipes(user_mail_domain)
--
-- ifdef(`distro_redhat',`
-- postfix_config_filetrans(user_mail_domain, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
-- ')
--')
--
--optional_policy(`
-- procmail_exec(user_mail_domain)
--')
--
--optional_policy(`
-- qmail_domtrans_inject(user_mail_domain)
--')
--
--optional_policy(`
-- sendmail_manage_log(user_mail_domain)
-- sendmail_log_filetrans_sendmail_log(user_mail_domain, file)
--')
--
--optional_policy(`
-- uucp_manage_spool(user_mail_domain)
--')
--
--########################################
--#
--# System local policy
-+# System mail local policy
+ tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(user_mail_domain)
+ fs_manage_cifs_files(user_mail_domain)
+@@ -124,6 +116,11 @@ tunable_policy(`use_nfs_home_dirs',`
+ ')
+
+ optional_policy(`
++ antivirus_stream_connect(user_mail_domain)
++ antivirus_stream_connect(mta_user_agent)
++')
++
++optional_policy(`
+ courier_manage_spool_dirs(user_mail_domain)
+ courier_manage_spool_files(user_mail_domain)
+ courier_rw_spool_pipes(user_mail_domain)
+@@ -150,6 +147,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ openshift_rw_inherited_content(mta_user_agent)
++')
++
++optional_policy(`
+ procmail_exec(user_mail_domain)
+ ')
+
+@@ -171,52 +172,69 @@ optional_policy(`
+ # System local policy
#
+# newalias required this, not sure if it is needed in 'if' file
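Review bot: Several rules the previous patch revision carried for `user_mail_domain` have no counterpart in the retained hunks — `allow user_mail_domain self:tcp_socket create_socket_perms;`, `corenet_tcp_connect_smtp_port(user_mail_domain)`, `corenet_sendrecv_smtp_client_packets(user_mail_domain)`, `fs_getattr_xattr_fs(user_mail_domain)`, `allow system_mail_t user_mail_domain:file read_file_perms;` and `sendmail_create_log(user_mail_domain)`. The rebased hunk only shows the attribute-level removals of `kernel_read_system_state`, `corenet_all_recvfrom_netlabel`, `logging_send_syslog_msg` and `miscfiles_read_localization` plus the new `antivirus_stream_connect` and `openshift_rw_inherited_content` blocks, so whether the dropped rules survive depends on the rebased upstream (`index ff1d68c`), which is not visible here. Worth checking on the built policy with `sesearch -A -s user_mail_domain -c tcp_socket` before this lands; the section continues past the hunk.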
@@ -43831,7 +43461,8 @@ index afd2fad..09ebbbe 100644
+userdom_use_inherited_user_terminals(system_mail_t)
+userdom_dontaudit_list_user_home_dirs(system_mail_t)
+userdom_dontaudit_list_admin_dir(system_mail_t)
-+
+
+-userdom_use_user_terminals(system_mail_t)
+manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
+manage_files_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
+
@@ -43840,8 +43471,7 @@ index afd2fad..09ebbbe 100644
+
+
+logging_append_all_logs(system_mail_t)
-
--userdom_use_user_terminals(system_mail_t)
++
+logging_send_syslog_msg(system_mail_t)
optional_policy(`
@@ -43876,7 +43506,7 @@ index afd2fad..09ebbbe 100644
')
optional_policy(`
-@@ -223,18 +124,18 @@ optional_policy(`
+@@ -225,17 +243,21 @@ optional_policy(`
')
optional_policy(`
@@ -43894,26 +43524,21 @@ index afd2fad..09ebbbe 100644
')
optional_policy(`
-- courier_stream_connect_authdaemon(system_mail_t)
- courier_manage_spool_dirs(system_mail_t)
- courier_manage_spool_files(system_mail_t)
- courier_rw_spool_pipes(system_mail_t)
-@@ -245,13 +146,8 @@ optional_policy(`
++ courier_manage_spool_dirs(system_mail_t)
++ courier_manage_spool_files(system_mail_t)
++ courier_rw_spool_pipes(system_mail_t)
+ courier_stream_connect_authdaemon(system_mail_t)
')
+@@ -246,6 +268,7 @@ optional_policy(`
optional_policy(`
-- exim_domtrans(system_mail_t)
-- exim_manage_log(system_mail_t)
--')
--
--optional_policy(`
-- fail2ban_dontaudit_rw_stream_sockets(system_mail_t)
+ fail2ban_dontaudit_rw_stream_sockets(system_mail_t)
fail2ban_append_log(system_mail_t)
+ fail2ban_dontaudit_leaks(system_mail_t)
fail2ban_rw_inherited_tmp_files(system_mail_t)
')
-@@ -264,10 +160,15 @@ optional_policy(`
+@@ -258,10 +281,15 @@ optional_policy(`
')
optional_policy(`
@@ -43929,7 +43554,7 @@ index afd2fad..09ebbbe 100644
nagios_read_tmp_files(system_mail_t)
')
-@@ -278,6 +179,15 @@ optional_policy(`
+@@ -272,6 +300,15 @@ optional_policy(`
manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
@@ -43945,7 +43570,7 @@ index afd2fad..09ebbbe 100644
')
optional_policy(`
-@@ -293,42 +203,36 @@ optional_policy(`
+@@ -287,42 +324,36 @@ optional_policy(`
')
optional_policy(`
@@ -43998,7 +43623,7 @@ index afd2fad..09ebbbe 100644
allow mailserver_delivery mail_spool_t:dir list_dir_perms;
create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
-@@ -337,40 +241,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
+@@ -331,40 +362,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
@@ -44047,7 +43672,21 @@ index afd2fad..09ebbbe 100644
files_search_var_lib(mailserver_delivery)
mailman_domtrans(mailserver_delivery)
-@@ -387,24 +277,173 @@ optional_policy(`
+@@ -372,6 +389,13 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ mailman_manage_data_files(mailserver_domain)
++ mailman_domtrans(mailserver_domain)
++ mailman_append_log(mailserver_domain)
++ mailman_read_log(mailserver_domain)
++')
++
++optional_policy(`
+ postfix_rw_inherited_master_pipes(mailserver_delivery)
+ ')
+
+@@ -381,24 +405,49 @@ optional_policy(`
########################################
#
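Review bot: The new block grants every `mailserver_domain` member `mailman_manage_data_files` plus a domain transition, which is broader than the existing `mailman_domtrans(mailserver_delivery)` just above and gives full MTA domains write access to mailman's data; if only the list-delivery path needs it, scoping to `mailserver_delivery` would be tighter. The existing delivery block also pairs its transition with `files_search_var_lib(mailserver_delivery)`, so unless `mailman_domtrans` searches `/var/lib` itself the new block needs the same line. Either way a one-line comment on why server domains rather than delivery agents need it, e.g. `# MTAs run mailman's wrapper directly via aliases and manage its data`, would record the intent — that rationale is my guess, so adjust it to the actual trigger.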
@@ -44103,130 +43742,6 @@ index afd2fad..09ebbbe 100644
postfix_list_spool(user_mail_t)
')
+
-+########################################
-+#
-+# Comman user_mail_domain policy
-+#
-+
-+allow user_mail_domain self:capability { setuid setgid chown };
-+allow user_mail_domain self:process { signal_perms setrlimit };
-+allow user_mail_domain self:tcp_socket create_socket_perms;
-+allow user_mail_domain self:fifo_file rw_fifo_file_perms;
-+allow user_mail_domain mta_exec_type:file entrypoint;
-+
-+append_files_pattern(user_mail_domain, mail_home_t, mail_home_t)
-+read_files_pattern(user_mail_domain, mail_home_t, mail_home_t)
-+
-+manage_dirs_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
-+manage_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
-+
-+read_files_pattern(user_mail_domain, etc_aliases_t, etc_aliases_t)
-+
-+can_exec(user_mail_domain, mta_exec_type)
-+
-+allow system_mail_t user_mail_domain:file read_file_perms;
-+
-+read_files_pattern(user_mail_domain, etc_mail_t, etc_mail_t)
-+
-+kernel_read_network_state(user_mail_domain)
-+kernel_request_load_module(user_mail_domain)
-+
-+dev_read_urand(user_mail_domain)
-+
-+
-+# Write to /var/spool/mail and /var/spool/mqueue.
-+manage_files_pattern(user_mail_domain, mail_spool_t, mail_spool_t)
-+manage_files_pattern(user_mail_domain, mqueue_spool_t, mqueue_spool_t)
-+read_lnk_files_pattern(user_mail_domain, mail_spool_t, mail_spool_t)
-+read_lnk_files_pattern(user_mail_domain, mqueue_spool_t, mqueue_spool_t)
-+
-+# re-exec itself
-+can_exec(user_mail_domain, sendmail_exec_t)
-+allow user_mail_domain sendmail_exec_t:lnk_file read_lnk_file_perms;
-+
-+kernel_read_kernel_sysctls(user_mail_domain)
-+
-+corenet_tcp_sendrecv_generic_if(user_mail_domain)
-+corenet_tcp_sendrecv_generic_node(user_mail_domain)
-+corenet_tcp_sendrecv_all_ports(user_mail_domain)
-+corenet_tcp_connect_all_ports(user_mail_domain)
-+corenet_tcp_connect_smtp_port(user_mail_domain)
-+corenet_sendrecv_smtp_client_packets(user_mail_domain)
-+
-+corecmd_exec_bin(user_mail_domain)
-+
-+files_search_spool(user_mail_domain)
-+# It wants to check for nscd
-+files_dontaudit_search_pids(user_mail_domain)
-+allow user_mail_domain etc_mail_t:dir search_dir_perms;
-+
-+files_read_etc_runtime_files(user_mail_domain)
-+
-+# Check available space.
-+fs_getattr_xattr_fs(user_mail_domain)
-+
-+init_dontaudit_rw_utmp(user_mail_domain)
-+
-+optional_policy(`
-+ courier_manage_spool_dirs(user_mail_domain)
-+ courier_manage_spool_files(user_mail_domain)
-+ courier_rw_spool_pipes(user_mail_domain)
-+')
-+
-+optional_policy(`
-+ exim_domtrans(user_mail_domain)
-+ exim_manage_log(user_mail_domain)
-+ exim_manage_spool_files(user_mail_domain)
-+')
-+
-+optional_policy(`
-+ # postfix needs this for newaliases
-+ files_getattr_tmp_dirs(user_mail_domain)
-+
-+ postfix_exec_master(user_mail_domain)
-+ postfix_read_config(user_mail_domain)
-+ postfix_search_spool(user_mail_domain)
-+ postfix_rw_inherited_master_pipes(user_mail_domain)
-+
-+ ifdef(`distro_redhat',`
-+ # compatability for old default main.cf
-+ postfix_config_filetrans(user_mail_domain, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
-+ ')
-+')
-+
-+optional_policy(`
-+ openshift_rw_inherited_content(mta_user_agent)
-+')
-+
-+optional_policy(`
-+ procmail_exec(user_mail_domain)
-+')
-+
-+optional_policy(`
-+ qmail_domtrans_inject(user_mail_domain)
-+')
-+
-+optional_policy(`
-+ # Write to /var/log/sendmail.st
-+ sendmail_manage_log(user_mail_domain)
-+ sendmail_create_log(user_mail_domain)
-+')
-+
-+optional_policy(`
-+ uucp_manage_spool(user_mail_domain)
-+')
-+
-+optional_policy(`
-+ antivirus_stream_connect(user_mail_domain)
-+ antivirus_stream_connect(mta_user_agent)
-+')
-+
-+optional_policy(`
-+ mailman_manage_data_files(mailserver_domain)
-+ mailman_domtrans(mailserver_domain)
-+ mailman_append_log(mailserver_domain)
-+ mailman_read_log(mailserver_domain)
-+')
+
diff --git a/munin.fc b/munin.fc
index eb4b72a..4968324 100644
@@ -44520,17 +44035,10 @@ index b744fe3..4c1b6a8 100644
init_labeled_script_domtrans($1, munin_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/munin.te b/munin.te
-index 97370e4..3549b8f 100644
+index b708708..cead88c 100644
--- a/munin.te
+++ b/munin.te
-@@ -37,15 +37,22 @@ munin_plugin_template(disk)
- munin_plugin_template(mail)
- munin_plugin_template(selinux)
- munin_plugin_template(services)
-+
-+type services_munin_plugin_tmpfs_t;
-+files_tmpfs_file(services_munin_plugin_tmpfs_t)
-+
+@@ -44,12 +44,15 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t)
munin_plugin_template(system)
munin_plugin_template(unconfined)
@@ -44547,7 +44055,7 @@ index 97370e4..3549b8f 100644
allow munin_plugin_domain self:fifo_file rw_fifo_file_perms;
allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
-@@ -58,23 +65,17 @@ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms;
+@@ -62,23 +65,17 @@ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms;
manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t)
@@ -44572,7 +44080,7 @@ index 97370e4..3549b8f 100644
optional_policy(`
nscd_use(munin_plugin_domain)
-@@ -114,7 +115,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
+@@ -118,7 +115,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
@@ -44581,7 +44089,7 @@ index 97370e4..3549b8f 100644
manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t)
manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
-@@ -130,7 +131,6 @@ kernel_read_all_sysctls(munin_t)
+@@ -134,7 +131,6 @@ kernel_read_all_sysctls(munin_t)
corecmd_exec_bin(munin_t)
corecmd_exec_shell(munin_t)
@@ -44589,7 +44097,7 @@ index 97370e4..3549b8f 100644
corenet_all_recvfrom_netlabel(munin_t)
corenet_tcp_sendrecv_generic_if(munin_t)
corenet_tcp_sendrecv_generic_node(munin_t)
-@@ -153,7 +153,6 @@ domain_use_interactive_fds(munin_t)
+@@ -157,7 +153,6 @@ domain_use_interactive_fds(munin_t)
domain_read_all_domains_state(munin_t)
files_read_etc_runtime_files(munin_t)
@@ -44597,7 +44105,7 @@ index 97370e4..3549b8f 100644
files_list_spool(munin_t)
fs_getattr_all_fs(munin_t)
-@@ -165,7 +164,6 @@ logging_send_syslog_msg(munin_t)
+@@ -169,7 +164,6 @@ logging_send_syslog_msg(munin_t)
logging_read_all_logs(munin_t)
miscfiles_read_fonts(munin_t)
@@ -44605,7 +44113,7 @@ index 97370e4..3549b8f 100644
miscfiles_setattr_fonts_cache_dirs(munin_t)
sysnet_exec_ifconfig(munin_t)
-@@ -173,13 +171,6 @@ sysnet_exec_ifconfig(munin_t)
+@@ -177,13 +171,6 @@ sysnet_exec_ifconfig(munin_t)
userdom_dontaudit_use_unpriv_user_fds(munin_t)
userdom_dontaudit_search_user_home_dirs(munin_t)
@@ -44619,7 +44127,7 @@ index 97370e4..3549b8f 100644
optional_policy(`
cron_system_entry(munin_t, munin_exec_t)
-@@ -213,7 +204,6 @@ optional_policy(`
+@@ -217,7 +204,6 @@ optional_policy(`
optional_policy(`
postfix_list_spool(munin_t)
@@ -44627,7 +44135,7 @@ index 97370e4..3549b8f 100644
')
optional_policy(`
-@@ -242,21 +232,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
+@@ -246,21 +232,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
@@ -44655,7 +44163,7 @@ index 97370e4..3549b8f 100644
sysnet_read_config(disk_munin_plugin_t)
-@@ -268,6 +260,10 @@ optional_policy(`
+@@ -272,6 +260,10 @@ optional_policy(`
fstools_exec(disk_munin_plugin_t)
')
@@ -44666,7 +44174,7 @@ index 97370e4..3549b8f 100644
####################################
#
# Mail local policy
-@@ -275,27 +271,36 @@ optional_policy(`
+@@ -279,27 +271,36 @@ optional_policy(`
allow mail_munin_plugin_t self:capability dac_override;
@@ -44707,17 +44215,7 @@ index 97370e4..3549b8f 100644
')
optional_policy(`
-@@ -320,6 +325,9 @@ allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
- allow services_munin_plugin_t self:udp_socket create_socket_perms;
- allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
-
-+manage_files_pattern(services_munin_plugin_t, services_munin_plugin_tmpfs_t, services_munin_plugin_tmpfs_t)
-+manage_dirs_pattern(services_munin_plugin_t, services_munin_plugin_tmpfs_t, services_munin_plugin_tmpfs_t)
-+
- corenet_sendrecv_all_client_packets(services_munin_plugin_t)
- corenet_tcp_connect_all_ports(services_munin_plugin_t)
- corenet_tcp_connect_http_port(services_munin_plugin_t)
-@@ -331,7 +339,7 @@ dev_read_rand(services_munin_plugin_t)
+@@ -339,7 +340,7 @@ dev_read_rand(services_munin_plugin_t)
sysnet_read_config(services_munin_plugin_t)
optional_policy(`
@@ -44726,7 +44224,7 @@ index 97370e4..3549b8f 100644
')
optional_policy(`
-@@ -353,7 +361,11 @@ optional_policy(`
+@@ -361,7 +362,11 @@ optional_policy(`
')
optional_policy(`
@@ -44739,7 +44237,7 @@ index 97370e4..3549b8f 100644
')
optional_policy(`
-@@ -385,6 +397,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
+@@ -393,6 +398,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
kernel_read_network_state(system_munin_plugin_t)
kernel_read_all_sysctls(system_munin_plugin_t)
@@ -44747,7 +44245,7 @@ index 97370e4..3549b8f 100644
dev_read_sysfs(system_munin_plugin_t)
dev_read_urand(system_munin_plugin_t)
-@@ -413,3 +426,31 @@ optional_policy(`
+@@ -421,3 +427,31 @@ optional_policy(`
optional_policy(`
unconfined_domain(unconfined_munin_plugin_t)
')
@@ -44780,13 +44278,14 @@ index 97370e4..3549b8f 100644
+ apache_search_sys_content(munin_t)
+')
diff --git a/mysql.fc b/mysql.fc
-index c48dc17..43d56e3 100644
+index 06f8666..7ef9c78 100644
--- a/mysql.fc
+++ b/mysql.fc
-@@ -1,11 +1,24 @@
+@@ -1,12 +1,24 @@
-HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
-
-/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
+-/etc/my\.cnf\.d(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
-/etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
-
-/etc/rc\.d/init\.d/mysqld? -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
@@ -44816,7 +44315,7 @@ index c48dc17..43d56e3 100644
/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
/usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0)
-@@ -13,13 +26,17 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
+@@ -14,14 +26,17 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
/usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
@@ -44831,9 +44330,8 @@ index c48dc17..43d56e3 100644
+/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
+/var/lib/mysql/mysql\.sock -s gen_context(system_u:object_r:mysqld_var_run_t,s0)
--/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
-+/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
-+/var/log/mysql.* gen_context(system_u:object_r:mysqld_log_t,s0)
+ /var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
+ /var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
-/var/run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0)
-/var/run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
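Review bot: By dropping the patch's un-suffixed `/var/log/mysql.*` entry and keeping upstream's `/var/log/mysql.* --` as context, the rebase reverts to regular-file-only matching, so a `/var/log/mysql` directory is no longer relabeled `mysqld_log_t` by restorecon even though the rebased mysql.te hunk keeps `manage_dirs_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)` as context. Files created at runtime presumably still receive their type from the log filetrans rule if it survives outside this hunk; the gap is on relabel of pre-existing directories. If the directory case is now meant to be covered only by `/var/log/mariadb(/.*)?`, say so in the commit message; otherwise keep a `/var/log/mysql(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)` line in the patch.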
@@ -45373,16 +44871,10 @@ index 687af38..404ed6d 100644
+ mysql_stream_connect($1)
')
diff --git a/mysql.te b/mysql.te
-index 9f6179e..4383f87 100644
+index 7584bbe..3d9035c 100644
--- a/mysql.te
+++ b/mysql.te
-@@ -1,4 +1,4 @@
--policy_module(mysql, 1.13.5)
-+policy_module(mysql, 1.13.0)
-
- ########################################
- #
-@@ -6,20 +6,15 @@ policy_module(mysql, 1.13.5)
+@@ -6,20 +6,15 @@ policy_module(mysql, 1.14.1)
#
##
@@ -45424,7 +44916,7 @@ index 9f6179e..4383f87 100644
type mysqld_initrc_exec_t;
init_script_file(mysqld_initrc_exec_t)
-@@ -62,27 +59,29 @@ files_pid_file(mysqlmanagerd_var_run_t)
+@@ -62,24 +59,24 @@ files_pid_file(mysqlmanagerd_var_run_t)
# Local policy
#
@@ -45454,16 +44946,9 @@ index 9f6179e..4383f87 100644
allow mysqld_t mysqld_etc_t:lnk_file read_lnk_file_perms;
+allow mysqld_t mysqld_etc_t:dir list_dir_perms;
--allow mysqld_t mysqld_log_t:file { append_file_perms create_file_perms setattr_file_perms };
--logging_log_filetrans(mysqld_t, mysqld_log_t, file)
-+manage_dirs_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
-+manage_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
-+manage_lnk_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
-+logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file })
-
- manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
- manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
-@@ -93,50 +92,54 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
+ manage_dirs_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
+ manage_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
+@@ -95,50 +92,54 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file })
@@ -45535,7 +45020,7 @@ index 9f6179e..4383f87 100644
')
optional_policy(`
-@@ -144,6 +147,10 @@ optional_policy(`
+@@ -146,6 +147,10 @@ optional_policy(`
')
optional_policy(`
@@ -45546,7 +45031,7 @@ index 9f6179e..4383f87 100644
seutil_sigchld_newrole(mysqld_t)
')
-@@ -153,29 +160,24 @@ optional_policy(`
+@@ -155,21 +160,17 @@ optional_policy(`
#######################################
#
@@ -45570,11 +45055,10 @@ index 9f6179e..4383f87 100644
-allow mysqld_safe_t mysqld_etc_t:lnk_file read_lnk_file_perms;
+domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
--allow mysqld_safe_t mysqld_log_t:file { append_file_perms create_file_perms setattr_file_perms };
--logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
-+list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
-+manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
-+manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
+ list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
+ manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
+@@ -177,9 +178,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
+ logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
-delete_sock_files_pattern(mysqld_safe_t, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t)
@@ -45584,7 +45068,7 @@ index 9f6179e..4383f87 100644
kernel_read_system_state(mysqld_safe_t)
kernel_read_kernel_sysctls(mysqld_safe_t)
-@@ -183,21 +185,27 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
+@@ -187,21 +186,27 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
corecmd_exec_bin(mysqld_safe_t)
corecmd_exec_shell(mysqld_safe_t)
@@ -45618,7 +45102,7 @@ index 9f6179e..4383f87 100644
optional_policy(`
hostname_exec(mysqld_safe_t)
-@@ -205,7 +213,7 @@ optional_policy(`
+@@ -209,7 +214,7 @@ optional_policy(`
########################################
#
@@ -45627,7 +45111,7 @@ index 9f6179e..4383f87 100644
#
allow mysqlmanagerd_t self:capability { dac_override kill };
-@@ -214,11 +222,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
+@@ -218,11 +223,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
@@ -45645,7 +45129,7 @@ index 9f6179e..4383f87 100644
domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
-@@ -226,31 +235,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
+@@ -230,31 +236,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
@@ -46293,7 +45777,7 @@ index 0641e97..d7d9a79 100644
+ admin_pattern($1, nrpe_etc_t)
')
diff --git a/nagios.te b/nagios.te
-index 44ad3b7..a0488ea 100644
+index 7b3e682..f565a0e 100644
--- a/nagios.te
+++ b/nagios.te
@@ -27,7 +27,7 @@ type nagios_var_run_t;
@@ -46691,7 +46175,7 @@ index db9578f..4309e3d 100644
')
+
diff --git a/ncftool.te b/ncftool.te
-index b13c0b1..c8baed2 100644
+index 71f30ba..d20f048 100644
--- a/ncftool.te
+++ b/ncftool.te
@@ -22,6 +22,7 @@ role ncftool_roles types ncftool_t;
@@ -46742,7 +46226,7 @@ index b13c0b1..c8baed2 100644
optional_policy(`
diff --git a/nessus.te b/nessus.te
-index 56c0fbd..173a2c0 100644
+index fe1068b..98166ee 100644
--- a/nessus.te
+++ b/nessus.te
@@ -58,7 +58,6 @@ kernel_read_kernel_sysctls(nessusd_t)
@@ -46771,10 +46255,10 @@ index 56c0fbd..173a2c0 100644
userdom_dontaudit_use_unpriv_user_fds(nessusd_t)
diff --git a/networkmanager.fc b/networkmanager.fc
-index a1fb3c3..2b818b9 100644
+index 94b9734..485f368 100644
--- a/networkmanager.fc
+++ b/networkmanager.fc
-@@ -1,43 +1,45 @@
+@@ -1,44 +1,44 @@
-/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
@@ -46805,28 +46289,25 @@ index a1fb3c3..2b818b9 100644
-/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
--/usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
--/usr/bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-+/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
-+/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+ /usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+ /usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
+ /usr/bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
--/usr/sbin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+ /usr/sbin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-+/usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-+/usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-+/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
- /usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+-/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-/usr/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
-+/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
-+/usr/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
/usr/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
++/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
++/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
++/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
++
++/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
++/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
-/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
-/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
-+/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
-+/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
-+
+/var/log/wicd.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
-/var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0)
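Review bot: The rebased hunk removes upstream's `/usr/sbin/nm-system-settings` entry and re-adds the identical line a few entries later, which only reorders the file and makes the Fedora patch larger than it needs to be; keeping upstream's line in place and adding only the `NetworkManagerDispatcher` and `wicd` entries after it would shrink the diff and reduce future rebase conflicts. The networkmanager.te hunk around `udev_read_pid_files(NetworkManager_t)` has the same shape: the line is removed from the udev optional_policy block and re-added unchanged in the block the patch reintroduces further down. Neither changes the resulting policy, so this is a style point rather than a defect.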
@@ -46844,7 +46325,7 @@ index a1fb3c3..2b818b9 100644
+/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff --git a/networkmanager.if b/networkmanager.if
-index 0e8508c..ee2e3de 100644
+index 86dc29d..5b73942 100644
--- a/networkmanager.if
+++ b/networkmanager.if
@@ -2,7 +2,7 @@
@@ -46997,7 +46478,7 @@ index 0e8508c..ee2e3de 100644
##
##
##
-@@ -135,7 +178,29 @@ interface(`networkmanager_dbus_chat',`
+@@ -155,7 +198,29 @@ interface(`networkmanager_read_state',`
########################################
##
@@ -47028,16 +46509,7 @@ index 0e8508c..ee2e3de 100644
##
##
##
-@@ -153,7 +218,7 @@ interface(`networkmanager_signal',`
-
- ########################################
- ##
--## Read networkmanager lib files.
-+## Read NetworkManager lib files.
- ##
- ##
- ##
-@@ -171,9 +236,28 @@ interface(`networkmanager_read_lib_files',`
+@@ -211,9 +276,28 @@ interface(`networkmanager_read_lib_files',`
read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
')
@@ -47067,7 +46539,7 @@ index 0e8508c..ee2e3de 100644
##
##
##
-@@ -181,19 +265,18 @@ interface(`networkmanager_read_lib_files',`
+@@ -221,19 +305,18 @@ interface(`networkmanager_read_lib_files',`
##
##
#
@@ -47092,7 +46564,7 @@ index 0e8508c..ee2e3de 100644
##
##
##
-@@ -201,23 +284,23 @@ interface(`networkmanager_append_log_files',`
+@@ -241,13 +324,13 @@ interface(`networkmanager_append_log_files',`
##
##
#
@@ -47107,6 +46579,9 @@ index 0e8508c..ee2e3de 100644
+ manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
')
+ ####################################
+@@ -272,12 +355,12 @@ interface(`networkmanager_stream_connect',`
+
########################################
##
-## All of the rules required to
@@ -47121,7 +46596,7 @@ index 0e8508c..ee2e3de 100644
##
##
##
-@@ -227,33 +310,133 @@ interface(`networkmanager_read_pid_files',`
+@@ -287,33 +370,113 @@ interface(`networkmanager_stream_connect',`
##
##
#
@@ -47192,26 +46667,6 @@ index 0e8508c..ee2e3de 100644
+ manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
+')
+
-+####################################
-+##
-+## Connect to NM over a unix domain
-+## stream socket.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`networkmanager_stream_connect',`
-+ gen_require(`
-+ type NetworkManager_t, NetworkManager_var_run_t;
-+ ')
-+
-+ files_search_pids($1)
-+ stream_connect_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t, NetworkManager_t)
-+')
-+
+#######################################
+##
+## Read the process state (/proc/pid) of NetworkManager.
@@ -47276,15 +46731,9 @@ index 0e8508c..ee2e3de 100644
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
')
diff --git a/networkmanager.te b/networkmanager.te
-index 0b48a30..b5c140b 100644
+index 55f2009..7c661ce 100644
--- a/networkmanager.te
+++ b/networkmanager.te
-@@ -1,4 +1,4 @@
--policy_module(networkmanager, 1.14.7)
-+policy_module(networkmanager, 1.14.0)
-
- ########################################
- #
@@ -9,15 +9,18 @@ type NetworkManager_t;
type NetworkManager_exec_t;
init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -47307,22 +46756,25 @@ index 0b48a30..b5c140b 100644
type NetworkManager_log_t;
logging_log_file(NetworkManager_log_t)
-@@ -39,25 +42,44 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
+@@ -39,25 +42,47 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
# Local policy
#
--allow NetworkManager_t self:capability { chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock };
+-allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock };
-dontaudit NetworkManager_t self:capability { sys_tty_config sys_module sys_ptrace };
-allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
+# networkmanager will ptrace itself if gdb is installed
+# and it receives a unexpected signal (rh bug #204161)
+allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
+dontaudit NetworkManager_t self:capability sys_tty_config;
++
+ifdef(`hide_broken_symptoms',`
+ # caused by some bogus kernel code
+ dontaudit NetworkManager_t self:capability sys_module;
+')
++
+allow NetworkManager_t self:process { getcap setcap setpgid getsched setsched signal_perms };
++
+tunable_policy(`deny_ptrace',`',`
+ allow NetworkManager_t self:capability sys_ptrace;
+ allow NetworkManager_t self:process ptrace;
@@ -47352,16 +46804,16 @@ index 0b48a30..b5c140b 100644
+can_exec(NetworkManager_t, NetworkManager_exec_t)
+#wicd
+can_exec(NetworkManager_t, wpa_cli_exec_t)
-
++
+list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
+read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
+read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
-+
+
+read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file })
-@@ -68,6 +90,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
+@@ -68,6 +93,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
@@ -47369,7 +46821,7 @@ index 0b48a30..b5c140b 100644
manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
-@@ -81,17 +104,14 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
+@@ -81,17 +107,14 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
@@ -47388,7 +46840,7 @@ index 0b48a30..b5c140b 100644
corenet_all_recvfrom_netlabel(NetworkManager_t)
corenet_tcp_sendrecv_generic_if(NetworkManager_t)
corenet_udp_sendrecv_generic_if(NetworkManager_t)
-@@ -102,22 +122,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
+@@ -102,22 +125,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
corenet_tcp_sendrecv_all_ports(NetworkManager_t)
corenet_udp_sendrecv_all_ports(NetworkManager_t)
corenet_udp_bind_generic_node(NetworkManager_t)
@@ -47414,7 +46866,7 @@ index 0b48a30..b5c140b 100644
dev_rw_sysfs(NetworkManager_t)
dev_read_rand(NetworkManager_t)
dev_read_urand(NetworkManager_t)
-@@ -125,13 +138,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
+@@ -125,13 +141,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
dev_getattr_all_chr_files(NetworkManager_t)
dev_rw_wireless(NetworkManager_t)
@@ -47428,7 +46880,7 @@ index 0b48a30..b5c140b 100644
fs_getattr_all_fs(NetworkManager_t)
fs_search_auto_mountpoints(NetworkManager_t)
fs_list_inotifyfs(NetworkManager_t)
-@@ -140,6 +146,17 @@ mls_file_read_all_levels(NetworkManager_t)
+@@ -140,6 +149,17 @@ mls_file_read_all_levels(NetworkManager_t)
selinux_dontaudit_search_fs(NetworkManager_t)
@@ -47446,7 +46898,7 @@ index 0b48a30..b5c140b 100644
storage_getattr_fixed_disk_dev(NetworkManager_t)
init_read_utmp(NetworkManager_t)
-@@ -148,10 +165,11 @@ init_domtrans_script(NetworkManager_t)
+@@ -148,10 +168,11 @@ init_domtrans_script(NetworkManager_t)
auth_use_nsswitch(NetworkManager_t)
@@ -47459,7 +46911,7 @@ index 0b48a30..b5c140b 100644
seutil_read_config(NetworkManager_t)
-@@ -166,21 +184,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
+@@ -166,21 +187,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
sysnet_read_dhcpc_state(NetworkManager_t)
sysnet_delete_dhcpc_state(NetworkManager_t)
sysnet_search_dhcp_state(NetworkManager_t)
@@ -47496,7 +46948,7 @@ index 0b48a30..b5c140b 100644
')
optional_policy(`
-@@ -196,10 +225,6 @@ optional_policy(`
+@@ -196,10 +228,6 @@ optional_policy(`
')
optional_policy(`
@@ -47507,7 +46959,7 @@ index 0b48a30..b5c140b 100644
consoletype_exec(NetworkManager_t)
')
-@@ -210,16 +235,11 @@ optional_policy(`
+@@ -210,16 +238,11 @@ optional_policy(`
optional_policy(`
dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
@@ -47526,7 +46978,7 @@ index 0b48a30..b5c140b 100644
')
')
-@@ -231,18 +251,19 @@ optional_policy(`
+@@ -231,18 +254,19 @@ optional_policy(`
dnsmasq_kill(NetworkManager_t)
dnsmasq_signal(NetworkManager_t)
dnsmasq_signull(NetworkManager_t)
@@ -47549,7 +47001,7 @@ index 0b48a30..b5c140b 100644
')
optional_policy(`
-@@ -250,6 +271,10 @@ optional_policy(`
+@@ -250,6 +274,10 @@ optional_policy(`
ipsec_kill_mgmt(NetworkManager_t)
ipsec_signal_mgmt(NetworkManager_t)
ipsec_signull_mgmt(NetworkManager_t)
@@ -47560,7 +47012,7 @@ index 0b48a30..b5c140b 100644
')
optional_policy(`
-@@ -257,11 +282,10 @@ optional_policy(`
+@@ -257,11 +285,10 @@ optional_policy(`
')
optional_policy(`
@@ -47576,7 +47028,7 @@ index 0b48a30..b5c140b 100644
')
optional_policy(`
-@@ -274,10 +298,17 @@ optional_policy(`
+@@ -274,10 +301,17 @@ optional_policy(`
nscd_signull(NetworkManager_t)
nscd_kill(NetworkManager_t)
nscd_initrc_domtrans(NetworkManager_t)
@@ -47594,7 +47046,7 @@ index 0b48a30..b5c140b 100644
')
optional_policy(`
-@@ -289,6 +320,7 @@ optional_policy(`
+@@ -289,6 +323,7 @@ optional_policy(`
')
optional_policy(`
@@ -47602,7 +47054,7 @@ index 0b48a30..b5c140b 100644
policykit_domtrans_auth(NetworkManager_t)
policykit_read_lib(NetworkManager_t)
policykit_read_reload(NetworkManager_t)
-@@ -296,7 +328,7 @@ optional_policy(`
+@@ -296,7 +331,7 @@ optional_policy(`
')
optional_policy(`
@@ -47611,7 +47063,7 @@ index 0b48a30..b5c140b 100644
')
optional_policy(`
-@@ -307,6 +339,7 @@ optional_policy(`
+@@ -307,6 +342,7 @@ optional_policy(`
ppp_signal(NetworkManager_t)
ppp_signull(NetworkManager_t)
ppp_read_config(NetworkManager_t)
@@ -47619,31 +47071,33 @@ index 0b48a30..b5c140b 100644
')
optional_policy(`
-@@ -320,13 +353,19 @@ optional_policy(`
+@@ -320,14 +356,20 @@ optional_policy(`
')
optional_policy(`
- udev_exec(NetworkManager_t)
- udev_read_db(NetworkManager_t)
+- udev_read_pid_files(NetworkManager_t)
+ systemd_write_inhibit_pipes(NetworkManager_t)
+ systemd_read_logind_sessions_files(NetworkManager_t)
+ systemd_dbus_chat_logind(NetworkManager_t)
+ systemd_hostnamed_read_config(NetworkManager_t)
++')
++
++optional_policy(`
++ ssh_exec(NetworkManager_t)
')
optional_policy(`
- # unconfined_dgram_send(NetworkManager_t)
- unconfined_stream_connect(NetworkManager_t)
-+ ssh_exec(NetworkManager_t)
-+')
-+
-+optional_policy(`
+ udev_exec(NetworkManager_t)
+ udev_read_db(NetworkManager_t)
++ udev_read_pid_files(NetworkManager_t)
')
optional_policy(`
-@@ -356,6 +395,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
+@@ -357,6 +399,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
init_dontaudit_use_fds(wpa_cli_t)
init_use_script_ptys(wpa_cli_t)
@@ -47954,15 +47408,10 @@ index 46e55c3..6e4e061 100644
+ allow $1 nis_unit_file_t:service all_service_perms;
')
diff --git a/nis.te b/nis.te
-index 3e4a31c..eea788e 100644
+index 3a6b035..1a181ad 100644
--- a/nis.te
+++ b/nis.te
-@@ -1,12 +1,10 @@
--policy_module(nis, 1.11.1)
-+policy_module(nis, 1.11.0)
-
- ########################################
- #
+@@ -5,8 +5,6 @@ policy_module(nis, 1.12.0)
# Declarations
#
@@ -49013,14 +48462,10 @@ index 8f2ab09..6ab4ea1 100644
+ allow $1 nscd_unit_file_t:service all_service_perms;
')
diff --git a/nscd.te b/nscd.te
-index df4c10f..8c09c68 100644
+index bcd7d0a..3878d3c 100644
--- a/nscd.te
+++ b/nscd.te
-@@ -1,36 +1,37 @@
--policy_module(nscd, 1.10.3)
-+policy_module(nscd, 1.10.0)
-
- gen_require(`
+@@ -4,33 +4,34 @@ gen_require(`
class nscd all_nscd_perms;
')
@@ -49319,15 +48764,9 @@ index a9c60ff..ad4f14a 100644
+ refpolicywarn(`$0($*) has been deprecated.')
')
diff --git a/nsd.te b/nsd.te
-index dde7f42..b3662dd 100644
+index 47bb1d2..a97c60f 100644
--- a/nsd.te
+++ b/nsd.te
-@@ -1,4 +1,4 @@
--policy_module(nsd, 1.7.1)
-+policy_module(nsd, 1.7.0)
-
- ########################################
- #
@@ -9,9 +9,7 @@ type nsd_t;
type nsd_exec_t;
init_daemon_domain(nsd_t, nsd_exec_t)
@@ -49618,15 +49057,9 @@ index 97df768..852d1c6 100644
+ admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
')
diff --git a/nslcd.te b/nslcd.te
-index a3e56f0..2c5b389 100644
+index 421bf1a..b80dbe5 100644
--- a/nslcd.te
+++ b/nslcd.te
-@@ -1,4 +1,4 @@
--policy_module(nslcd, 1.3.1)
-+policy_module(nslcd, 1.3.0)
-
- ########################################
- #
@@ -20,12 +20,12 @@ files_config_file(nslcd_conf_t)
########################################
@@ -49660,9 +49093,9 @@ index a3e56f0..2c5b389 100644
-corenet_tcp_sendrecv_ldap_port(nslcd_t)
+corenet_sendrecv_ldap_client_packets(nslcd_t)
- files_read_usr_symlinks(nslcd_t)
- files_list_tmp(nslcd_t)
-@@ -52,10 +50,14 @@ auth_use_nsswitch(nslcd_t)
+ dev_read_sysfs(nslcd_t)
+
+@@ -54,10 +52,14 @@ auth_use_nsswitch(nslcd_t)
logging_send_syslog_msg(nslcd_t)
@@ -50500,7 +49933,7 @@ index 0000000..7d839fe
+ pulseaudio_setattr_home_dir(nsplugin_t)
+')
diff --git a/ntop.te b/ntop.te
-index 52757d8..0f7f5e4 100644
+index 8ec7859..719cffd 100644
--- a/ntop.te
+++ b/ntop.te
@@ -33,6 +33,7 @@ allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin };
@@ -50546,7 +49979,7 @@ index af3c91e..6882a3f 100644
/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
diff --git a/ntp.if b/ntp.if
-index b59196f..017b36f 100644
+index e96a309..c6d1b01 100644
--- a/ntp.if
+++ b/ntp.if
@@ -1,4 +1,4 @@
@@ -50643,8 +50076,8 @@ index b59196f..017b36f 100644
+
########################################
##
- ## Read and write ntpd shared memory.
-@@ -122,8 +183,27 @@ interface(`ntp_rw_shm',`
+ ## Read ntp drift files.
+@@ -141,8 +202,27 @@ interface(`ntp_rw_shm',`
########################################
##
@@ -50674,7 +50107,7 @@ index b59196f..017b36f 100644
##
##
##
-@@ -132,7 +212,7 @@ interface(`ntp_rw_shm',`
+@@ -151,28 +231,32 @@ interface(`ntp_rw_shm',`
##
##
##
@@ -50683,12 +50116,13 @@ index b59196f..017b36f 100644
##
##
##
-@@ -140,20 +220,22 @@ interface(`ntp_rw_shm',`
+ #
interface(`ntp_admin',`
gen_require(`
- type ntpd_t, ntpd_tmp_t, ntpd_log_t;
+- type ntpd_t, ntpd_tmp_t, ntpd_log_t;
- type ntpd_key_t, ntpd_var_run_t, ntp_conf_t;
- type ntpd_initrc_exec_t, ntp_drift_t;
++ type ntpd_t, ntpd_tmp_t, ntpd_log_t, ntp_drift_t;
+ type ntpd_key_t, ntpd_var_run_t, ntpd_initrc_exec_t;
+ type ntpd_unit_file_t;
')
@@ -50696,22 +50130,23 @@ index b59196f..017b36f 100644
- allow $1 ntpd_t:process { ptrace signal_perms };
+ allow $1 ntpd_t:process signal_perms;
ps_process_pattern($1, ntpd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ntpd_t:process ptrace;
+ ')
-
++
init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 ntpd_initrc_exec_t system_r;
allow $2 system_r;
-- files_list_etc($1)
-- admin_pattern($1, { ntpd_key_t ntp_conf_t ntp_drift_t })
+ files_list_etc($1)
+- admin_pattern($1, { ntpd_key_t ntp_conf_t })
+ admin_pattern($1, ntpd_key_t)
logging_list_logs($1)
admin_pattern($1, ntpd_log_t)
-@@ -164,5 +246,28 @@ interface(`ntp_admin',`
+@@ -186,5 +270,28 @@ interface(`ntp_admin',`
files_list_pids($1)
admin_pattern($1, ntpd_var_run_t)
@@ -50742,7 +50177,7 @@ index b59196f..017b36f 100644
+ files_etc_filetrans($1, ntp_conf_t, dir, "ntp")
')
diff --git a/ntp.te b/ntp.te
-index b90e343..8369b61 100644
+index f81b113..8d889d8 100644
--- a/ntp.te
+++ b/ntp.te
@@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t;
@@ -50929,16 +50364,10 @@ index 0d3c270..709dda1 100644
+ ')
')
diff --git a/numad.te b/numad.te
-index f5d145d..97e1148 100644
+index b0a1be4..239f27a 100644
--- a/numad.te
+++ b/numad.te
-@@ -1,4 +1,4 @@
--policy_module(numad, 1.0.3)
-+policy_module(numad, 1.0.0)
-
- ########################################
- #
-@@ -8,29 +8,29 @@ policy_module(numad, 1.0.3)
+@@ -8,29 +8,29 @@ policy_module(numad, 1.1.0)
type numad_t;
type numad_exec_t;
init_daemon_domain(numad_t, numad_exec_t)
@@ -51088,15 +50517,9 @@ index 57c0161..54bd4d7 100644
+ ps_process_pattern($1, swift_t)
')
diff --git a/nut.te b/nut.te
-index 0c9deb7..76988d6 100644
+index 5b2cb0d..1701352 100644
--- a/nut.te
+++ b/nut.te
-@@ -1,4 +1,4 @@
--policy_module(nut, 1.2.4)
-+policy_module(nut, 1.2.0)
-
- ########################################
- #
@@ -22,116 +22,126 @@ type nut_upsdrvctl_t, nut_domain;
type nut_upsdrvctl_exec_t;
init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)
@@ -51356,7 +50779,7 @@ index 251d681..50ae2a9 100644
+ filetrans_pattern($1, nx_server_var_lib_t, nx_server_home_ssh_t, dir, ".ssh")
+')
diff --git a/nx.te b/nx.te
-index b1832ca..d181d03 100644
+index 091f872..62a0b12 100644
--- a/nx.te
+++ b/nx.te
@@ -27,6 +27,9 @@ files_type(nx_server_var_lib_t)
@@ -51401,7 +50824,7 @@ index b1832ca..d181d03 100644
sysnet_read_config(nx_server_t)
diff --git a/oav.te b/oav.te
-index 75fdf58..1a9e754 100644
+index b09c4c4..995c3f6 100644
--- a/oav.te
+++ b/oav.te
@@ -95,7 +95,6 @@ dev_read_sysfs(scannerdaemon_t)
@@ -51835,15 +51258,10 @@ index c87bd2a..7de054a 100644
+ ')
')
diff --git a/oddjob.te b/oddjob.te
-index 296a1d3..edc3e32 100644
+index e403097..868981b 100644
--- a/oddjob.te
+++ b/oddjob.te
-@@ -1,12 +1,10 @@
--policy_module(oddjob, 1.9.2)
-+policy_module(oddjob, 1.9.0)
-
- ########################################
- #
+@@ -5,8 +5,6 @@ policy_module(oddjob, 1.10.0)
# Declarations
#
@@ -51937,17 +51355,10 @@ index 296a1d3..edc3e32 100644
+userdom_stream_connect(oddjob_mkhomedir_t)
+
diff --git a/openct.te b/openct.te
-index 8467596..428ae48 100644
+index 3b6920e..3e9b17f 100644
--- a/openct.te
+++ b/openct.te
-@@ -22,18 +22,19 @@ files_pid_file(openct_var_run_t)
-
- dontaudit openct_t self:capability sys_tty_config;
- allow openct_t self:process signal_perms;
-+allow openct_t self:netlink_kobject_uevent_socket create_socket_perms;
-
- manage_dirs_pattern(openct_t, openct_var_run_t, openct_var_run_t)
- manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
+@@ -29,12 +29,12 @@ manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file })
@@ -51962,7 +51373,7 @@ index 8467596..428ae48 100644
dev_read_sysfs(openct_t)
dev_rw_usbfs(openct_t)
dev_rw_smartcard(openct_t)
-@@ -41,15 +42,12 @@ dev_rw_generic_usb_dev(openct_t)
+@@ -42,15 +42,12 @@ dev_rw_generic_usb_dev(openct_t)
domain_use_interactive_fds(openct_t)
@@ -51979,7 +51390,7 @@ index 8467596..428ae48 100644
userdom_dontaudit_search_user_home_dirs(openct_t)
diff --git a/openhpi.te b/openhpi.te
-index 7f398c0..e66751b 100644
+index 8de6191..13fa6d2 100644
--- a/openhpi.te
+++ b/openhpi.te
@@ -50,7 +50,6 @@ corenet_tcp_sendrecv_openhpid_port(openhpid_t)
@@ -53618,10 +53029,10 @@ index 6837e9a..21e6dae 100644
domain_system_change_exemption($1)
role_transition $2 openvpn_initrc_exec_t system_r;
diff --git a/openvpn.te b/openvpn.te
-index 3270ff9..5b046fe 100644
+index 63957a3..0e675ab 100644
--- a/openvpn.te
+++ b/openvpn.te
-@@ -6,6 +6,13 @@ policy_module(openvpn, 1.11.3)
+@@ -6,6 +6,13 @@ policy_module(openvpn, 1.12.2)
#
##
@@ -53635,41 +53046,17 @@ index 3270ff9..5b046fe 100644
##
## Determine whether openvpn can
## read generic user home content files.
-@@ -13,6 +20,14 @@ policy_module(openvpn, 1.11.3)
- ##
- gen_tunable(openvpn_enable_homedirs, false)
-
-+##
-+##
-+## Determine whether openvpn can
-+## connect to the TCP network.
-+##
-+##
-+gen_tunable(openvpn_can_network_connect, false)
-+
- attribute_role openvpn_roles;
-
- type openvpn_t;
-@@ -26,12 +41,18 @@ files_config_file(openvpn_etc_t)
- type openvpn_etc_rw_t;
- files_config_file(openvpn_etc_rw_t)
-
-+type openvpn_tmp_t;
-+files_tmp_file(openvpn_tmp_t)
-+
- type openvpn_initrc_exec_t;
- init_script_file(openvpn_initrc_exec_t)
-
+@@ -40,6 +47,9 @@ init_script_file(openvpn_initrc_exec_t)
type openvpn_status_t;
logging_log_file(openvpn_status_t)
+type openvpn_var_lib_t;
+files_type(openvpn_var_lib_t)
+
- type openvpn_var_log_t;
- logging_log_file(openvpn_var_log_t)
+ type openvpn_tmp_t;
+ files_tmp_file(openvpn_tmp_t)
-@@ -43,7 +64,7 @@ files_pid_file(openvpn_var_run_t)
+@@ -54,7 +64,7 @@ files_pid_file(openvpn_var_run_t)
# Local policy
#
@@ -53678,7 +53065,7 @@ index 3270ff9..5b046fe 100644
allow openvpn_t self:process { signal getsched setsched };
allow openvpn_t self:fifo_file rw_fifo_file_perms;
allow openvpn_t self:unix_dgram_socket sendto;
-@@ -62,10 +83,14 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
+@@ -73,13 +83,17 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
allow openvpn_t openvpn_status_t:file manage_file_perms;
logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log")
@@ -53688,6 +53075,9 @@ index 3270ff9..5b046fe 100644
+manage_files_pattern(openvpn_t, openvpn_var_lib_t, openvpn_var_lib_t)
+files_var_lib_filetrans(openvpn_t, openvpn_var_lib_t, { dir file })
+
+ allow openvpn_t openvpn_tmp_t:file manage_file_perms;
+ files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)
+
manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
-append_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
-create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
@@ -53696,7 +53086,7 @@ index 3270ff9..5b046fe 100644
logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
manage_dirs_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
-@@ -83,7 +108,6 @@ kernel_request_load_module(openvpn_t)
+@@ -97,7 +111,6 @@ kernel_request_load_module(openvpn_t)
corecmd_exec_bin(openvpn_t)
corecmd_exec_shell(openvpn_t)
@@ -53704,7 +53094,7 @@ index 3270ff9..5b046fe 100644
corenet_all_recvfrom_netlabel(openvpn_t)
corenet_tcp_sendrecv_generic_if(openvpn_t)
corenet_udp_sendrecv_generic_if(openvpn_t)
-@@ -103,13 +127,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t)
+@@ -117,13 +130,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t)
corenet_sendrecv_http_server_packets(openvpn_t)
corenet_tcp_bind_http_port(openvpn_t)
corenet_sendrecv_http_client_packets(openvpn_t)
@@ -53721,7 +53111,7 @@ index 3270ff9..5b046fe 100644
corenet_rw_tun_tap_dev(openvpn_t)
dev_read_rand(openvpn_t)
-@@ -121,18 +147,24 @@ fs_search_auto_mountpoints(openvpn_t)
+@@ -135,18 +150,24 @@ fs_search_auto_mountpoints(openvpn_t)
auth_use_pam(openvpn_t)
@@ -53749,18 +53139,18 @@ index 3270ff9..5b046fe 100644
')
tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
-@@ -143,6 +175,10 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
- fs_read_cifs_files(openvpn_t)
+@@ -164,6 +185,10 @@ tunable_policy(`openvpn_can_network_connect',`
')
-+tunable_policy(`openvpn_can_network_connect',`
-+ corenet_tcp_connect_all_ports(openvpn_t)
+ optional_policy(`
++ brctl_domtrans(openvpn_t)
+')
+
- optional_policy(`
++optional_policy(`
daemontools_service_domain(openvpn_t, openvpn_exec_t)
')
-@@ -155,3 +191,27 @@ optional_policy(`
+
+@@ -175,3 +200,27 @@ optional_policy(`
networkmanager_dbus_chat(openvpn_t)
')
')
@@ -54089,15 +53479,9 @@ index 9b15730..eedd136 100644
+ ')
')
diff --git a/openvswitch.te b/openvswitch.te
-index 508fedf..a499612 100644
+index 44dbc99..128ff1f 100644
--- a/openvswitch.te
+++ b/openvswitch.te
-@@ -1,4 +1,4 @@
--policy_module(openvswitch, 1.0.1)
-+policy_module(openvswitch, 1.0.0)
-
- ########################################
- #
@@ -9,11 +9,8 @@ type openvswitch_t;
type openvswitch_exec_t;
init_daemon_domain(openvswitch_t, openvswitch_exec_t)
@@ -54112,13 +53496,7 @@ index 508fedf..a499612 100644
type openvswitch_var_lib_t;
files_type(openvswitch_var_lib_t)
-@@ -21,23 +18,33 @@ files_type(openvswitch_var_lib_t)
- type openvswitch_log_t;
- logging_log_file(openvswitch_log_t)
-
-+type openvswitch_tmp_t;
-+files_tmp_file(openvswitch_tmp_t)
-+
+@@ -27,20 +24,27 @@ files_tmp_file(openvswitch_tmp_t)
type openvswitch_var_run_t;
files_pid_file(openvswitch_var_run_t)
@@ -54142,19 +53520,19 @@ index 508fedf..a499612 100644
+allow openvswitch_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow openvswitch_t self:netlink_socket create_socket_perms;
+allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms;
++
++can_exec(openvswitch_t, openvswitch_exec_t)
-manage_dirs_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
-manage_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
-manage_lnk_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
-+can_exec(openvswitch_t, openvswitch_exec_t)
-+
+manage_dirs_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
+manage_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
+manage_lnk_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
-@@ -45,45 +52,53 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
+@@ -48,9 +52,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file })
manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
@@ -54165,14 +53543,7 @@ index 508fedf..a499612 100644
manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
-+manage_dirs_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
-+manage_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
-+manage_lnk_files_pattern(openvswitch_t, openvswitch_tmp_t, openvswitch_tmp_t)
-+files_tmp_filetrans(openvswitch_t, openvswitch_tmp_t, { file dir })
-+
- manage_dirs_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
- manage_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
- manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
+@@ -65,33 +67,38 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
@@ -54572,10 +53943,10 @@ index 9682d9a..d47f913 100644
+ ')
')
diff --git a/pacemaker.te b/pacemaker.te
-index 3dd8ada..993c92c 100644
+index 6e6efb6..3dc917d 100644
--- a/pacemaker.te
+++ b/pacemaker.te
-@@ -5,6 +5,13 @@ policy_module(pacemaker, 1.0.2)
+@@ -5,6 +5,13 @@ policy_module(pacemaker, 1.1.0)
# Declarations
#
@@ -54698,7 +54069,7 @@ index 6e097c9..503c97a 100644
domain_system_change_exemption($1)
role_transition $2 pads_initrc_exec_t system_r;
diff --git a/pads.te b/pads.te
-index 29a7364..446e5ca 100644
+index 078adc4..77513a4 100644
--- a/pads.te
+++ b/pads.te
@@ -25,8 +25,11 @@ files_pid_file(pads_var_run_t)
@@ -54910,15 +54281,9 @@ index bf59ef7..0ec51d4 100644
+ manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t)
')
diff --git a/passenger.te b/passenger.te
-index 4e114ff..1b1cb71 100644
+index 08ec33b..24ce7e8 100644
--- a/passenger.te
+++ b/passenger.te
-@@ -1,4 +1,4 @@
--policy_module(passanger, 1.0.3)
-+policy_module(passanger, 1.0.0)
-
- ########################################
- #
@@ -14,6 +14,9 @@ role system_r types passenger_t;
type passenger_log_t;
logging_log_file(passenger_log_t)
@@ -54961,7 +54326,7 @@ index 4e114ff..1b1cb71 100644
manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
-@@ -45,19 +50,22 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
+@@ -45,7 +50,11 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file })
@@ -54974,8 +54339,8 @@ index 4e114ff..1b1cb71 100644
kernel_read_system_state(passenger_t)
kernel_read_kernel_sysctls(passenger_t)
-+kernel_read_network_state(passenger_t)
-+kernel_read_net_sysctls(passenger_t)
+@@ -53,13 +62,10 @@ kernel_read_network_state(passenger_t)
+ kernel_read_net_sysctls(passenger_t)
corenet_all_recvfrom_netlabel(passenger_t)
-corenet_all_recvfrom_unlabeled(passenger_t)
@@ -54989,7 +54354,7 @@ index 4e114ff..1b1cb71 100644
corecmd_exec_bin(passenger_t)
corecmd_exec_shell(passenger_t)
-@@ -66,14 +74,14 @@ dev_read_urand(passenger_t)
+@@ -68,8 +74,6 @@ dev_read_urand(passenger_t)
domain_read_all_domains_state(passenger_t)
@@ -54998,15 +54363,7 @@ index 4e114ff..1b1cb71 100644
auth_use_nsswitch(passenger_t)
logging_send_syslog_msg(passenger_t)
-
- miscfiles_read_localization(passenger_t)
-
-+sysnet_exec_ifconfig(passenger_t)
-+
- userdom_dontaudit_use_user_terminals(passenger_t)
-
- optional_policy(`
-@@ -90,14 +98,21 @@ optional_policy(`
+@@ -94,14 +98,21 @@ optional_policy(`
')
optional_policy(`
@@ -55035,7 +54392,7 @@ index 4e114ff..1b1cb71 100644
+ rpm_read_db(passenger_t)
')
diff --git a/pcmcia.te b/pcmcia.te
-index 3ad10b5..49baca5 100644
+index 8176e4a..2df1789 100644
--- a/pcmcia.te
+++ b/pcmcia.te
@@ -88,20 +88,17 @@ libs_exec_lib_files(cardmgr_t)
@@ -55074,7 +54431,7 @@ index 43d50f9..7f77d32 100644
########################################
diff --git a/pcscd.te b/pcscd.te
-index 96db654..ff3aadd 100644
+index 1fb1964..f92c71a 100644
--- a/pcscd.te
+++ b/pcscd.te
@@ -24,8 +24,9 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
@@ -55262,15 +54619,10 @@ index d2fc677..ded726f 100644
')
+
diff --git a/pegasus.te b/pegasus.te
-index 7bcf327..22a5b66 100644
+index 608f454..1e7f218 100644
--- a/pegasus.te
+++ b/pegasus.te
-@@ -1,17 +1,16 @@
--policy_module(pegasus, 1.8.3)
-+policy_module(pegasus, 1.8.0)
-
- ########################################
- #
+@@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
# Declarations
#
@@ -55898,7 +55250,7 @@ index 21a6ecb..b99e4cb 100644
domain_system_change_exemption($1)
role_transition $2 pingd_initrc_exec_t system_r;
diff --git a/pingd.te b/pingd.te
-index 0f77942..0e3f230 100644
+index ab01060..3817823 100644
--- a/pingd.te
+++ b/pingd.te
@@ -10,7 +10,7 @@ type pingd_exec_t;
@@ -56437,383 +55789,47 @@ index 0000000..a989aea
+corecmd_exec_shell(piranha_domain)
+
+sysnet_read_config(piranha_domain)
-diff --git a/pkcs.fc b/pkcs.fc
-deleted file mode 100644
-index f9dc0be..0000000
---- a/pkcs.fc
-+++ /dev/null
-@@ -1,7 +0,0 @@
--/etc/rc\.d/init\.d/pkcsslotd -- gen_context(system_u:object_r:pkcs_slotd_initrc_exec_t,s0)
--
--/usr/sbin/pkcsslotd -- gen_context(system_u:object_r:pkcs_slotd_exec_t,s0)
--
--/var/lib/opencryptoki(/.*)? gen_context(system_u:object_r:pkcs_slotd_var_lib_t,s0)
--
--/var/run/pkcsslotd\.pid -- gen_context(system_u:object_r:pkcs_slotd_var_run_t,s0)
-diff --git a/pkcs.if b/pkcs.if
-deleted file mode 100644
-index 69be2aa..0000000
---- a/pkcs.if
-+++ /dev/null
-@@ -1,45 +0,0 @@
--## Implementations of the Cryptoki specification.
--
--########################################
--##
--## All of the rules required to
--## administrate an pkcs slotd environment.
--##
--##
--##
--## Domain allowed access.
--##
--##
--##
--##
--## Role allowed access.
--##
--##
--##
--#
--interface(`pkcs_admin_slotd',`
-- gen_require(`
-- type pkcs_slotd_t, pkcs_slotd_initrc_exec_t, pkcs_slotd_var_lib_t;
-- type pkcs_slotd_var_run_t, pkcs_slotd_tmp_t, pkcs_slotd_tmpfs_t;
-- ')
--
-- allow $1 pkcs_slotd_t:process { ptrace signal_perms };
-- ps_process_pattern($1, pkcs_slotd_t)
--
-- init_labeled_script_domtrans($1, pkcs_slotd_initrc_exec_t)
-- domain_system_change_exemption($1)
-- role_transition $2 pkcs_slotd_initrc_exec_t system_r;
-- allow $2 system_r;
--
-- files_search_var_lib($1)
-- admin_pattern($1, pkcs_slotd_var_lib_t)
--
-- files_search_pids($1)
-- admin_pattern($1, pkcs_slotd_var_run_t)
--
-- files_search_tmp($1)
-- admin_pattern($1, pkcs_slotd_tmp_t)
--
-- fs_search_tmpfs($1)
-- admin_pattern($1, pkcs_slotd_tmpfs_t)
--')
diff --git a/pkcs.te b/pkcs.te
-deleted file mode 100644
-index 977b972..0000000
+index 8eb3f7b..7c08f64 100644
--- a/pkcs.te
-+++ /dev/null
-@@ -1,58 +0,0 @@
--policy_module(pkcs, 1.0.0)
--
--########################################
--#
--# Declarations
--#
--
--type pkcs_slotd_t;
--type pkcs_slotd_exec_t;
--init_daemon_domain(pkcs_slotd_t, pkcs_slotd_exec_t)
--
--type pkcs_slotd_initrc_exec_t;
--init_script_file(pkcs_slotd_initrc_exec_t)
--
--type pkcs_slotd_var_lib_t;
--files_type(pkcs_slotd_var_lib_t)
--
--type pkcs_slotd_var_run_t;
--files_pid_file(pkcs_slotd_var_run_t)
--
--type pkcs_slotd_tmp_t;
--files_tmp_file(pkcs_slotd_tmp_t)
--
--type pkcs_slotd_tmpfs_t;
--files_tmpfs_file(pkcs_slotd_tmpfs_t)
--
--########################################
--#
--# Local policy
--#
--
--allow pkcs_slotd_t self:capability kill;
--allow pkcs_slotd_t self:fifo_file rw_fifo_file_perms;
--allow pkcs_slotd_t self:sem create_sem_perms;
--allow pkcs_slotd_t self:shm create_shm_perms;
--allow pkcs_slotd_t self:unix_stream_socket { accept listen };
--
--manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
--manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
--manage_lnk_files_pattern(pkcs_slotd_t, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
--files_var_lib_filetrans(pkcs_slotd_t, pkcs_slotd_var_lib_t, dir)
--
--manage_files_pattern(pkcs_slotd_t, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t)
--files_pid_filetrans(pkcs_slotd_t, pkcs_slotd_var_run_t, file)
--
--manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmp_t, pkcs_slotd_tmp_t)
--manage_files_pattern(pkcs_slotd_t, pkcs_slotd_tmp_t, pkcs_slotd_tmp_t)
--files_tmp_filetrans(pkcs_slotd_t, pkcs_slotd_tmp_t, dir)
--
--manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
--manage_files_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
--fs_tmpfs_filetrans(pkcs_slotd_t, pkcs_slotd_tmpfs_t, dir)
--
++++ b/pkcs.te
+@@ -7,21 +7,27 @@ policy_module(pkcs, 1.0.1)
+
+ type pkcs_slotd_t;
+ type pkcs_slotd_exec_t;
++typealias pkcs_slotd_t alias pkcsslotd_t;
++typealias pkcs_slotd_exec_t alias pkcsslotd_exec_t;
+ init_daemon_domain(pkcs_slotd_t, pkcs_slotd_exec_t)
+
+ type pkcs_slotd_initrc_exec_t;
+ init_script_file(pkcs_slotd_initrc_exec_t)
+
+ type pkcs_slotd_var_lib_t;
++typealias pkcs_slotd_var_lib_t alias pkcsslotd_var_lib_t;
+ files_type(pkcs_slotd_var_lib_t)
+
+ type pkcs_slotd_var_run_t;
++typealias pkcs_slotd_var_run_t alias pkcsslotd_var_run_t;
+ files_pid_file(pkcs_slotd_var_run_t)
+
+ type pkcs_slotd_tmp_t;
++typealias pkcs_slotd_tmp_t alias pkcsslotd_tmp_t;
+ files_tmp_file(pkcs_slotd_tmp_t)
+
+ type pkcs_slotd_tmpfs_t;
++typealias pkcs_slotd_tmpfs_t alias pkcsslotd_tmpfs_t;
+ files_tmpfs_file(pkcs_slotd_tmpfs_t)
+
+ ########################################
+@@ -53,8 +59,5 @@ manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
+ manage_files_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
+ fs_tmpfs_filetrans(pkcs_slotd_t, pkcs_slotd_tmpfs_t, dir)
+
-files_read_etc_files(pkcs_slotd_t)
-
--logging_send_syslog_msg(pkcs_slotd_t)
--
+ logging_send_syslog_msg(pkcs_slotd_t)
+
-miscfiles_read_localization(pkcs_slotd_t)
-diff --git a/pkcsslotd.fc b/pkcsslotd.fc
-new file mode 100644
-index 0000000..29d7c1c
---- /dev/null
-+++ b/pkcsslotd.fc
-@@ -0,0 +1,9 @@
-+/usr/lib/systemd/system/pkcsslotd.* -- gen_context(system_u:object_r:pkcsslotd_unit_file_t,s0)
-+
-+/usr/sbin/pkcsslotd -- gen_context(system_u:object_r:pkcsslotd_exec_t,s0)
-+
-+/var/lib/opencryptoki(/.*)? gen_context(system_u:object_r:pkcsslotd_var_lib_t,s0)
-+
-+/var/lock/opencryptoki(/.*)? gen_context(system_u:object_r:pkcsslotd_lock_t,s0)
-+
-+/var/run/pkcsslotd.* -- gen_context(system_u:object_r:pkcsslotd_var_run_t,s0)
-diff --git a/pkcsslotd.if b/pkcsslotd.if
-new file mode 100644
-index 0000000..848ddc9
---- /dev/null
-+++ b/pkcsslotd.if
-@@ -0,0 +1,155 @@
-+
-+## policy for pkcsslotd
-+
-+########################################
-+##
-+## Transition to pkcsslotd.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`pkcsslotd_domtrans',`
-+ gen_require(`
-+ type pkcsslotd_t, pkcsslotd_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domtrans_pattern($1, pkcsslotd_exec_t, pkcsslotd_t)
-+')
-+
-+########################################
-+##
-+## Search pkcsslotd lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pkcsslotd_search_lib',`
-+ gen_require(`
-+ type pkcsslotd_var_lib_t;
-+ ')
-+
-+ allow $1 pkcsslotd_var_lib_t:dir search_dir_perms;
-+ files_search_var_lib($1)
-+')
-+
-+########################################
-+##
-+## Read pkcsslotd lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pkcsslotd_read_lib_files',`
-+ gen_require(`
-+ type pkcsslotd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ read_files_pattern($1, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage pkcsslotd lib files.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pkcsslotd_manage_lib_files',`
-+ gen_require(`
-+ type pkcsslotd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_files_pattern($1, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Manage pkcsslotd lib directories.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pkcsslotd_manage_lib_dirs',`
-+ gen_require(`
-+ type pkcsslotd_var_lib_t;
-+ ')
-+
-+ files_search_var_lib($1)
-+ manage_dirs_pattern($1, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t)
-+')
-+
-+########################################
-+##
-+## Execute pkcsslotd server in the pkcsslotd domain.
-+##
-+##
-+##
-+## Domain allowed to transition.
-+##
-+##
-+#
-+interface(`pkcsslotd_systemctl',`
-+ gen_require(`
-+ type pkcsslotd_t;
-+ type pkcsslotd_unit_file_t;
-+ ')
-+
-+ systemd_exec_systemctl($1)
-+ allow $1 pkcsslotd_unit_file_t:file read_file_perms;
-+ allow $1 pkcsslotd_unit_file_t:service manage_service_perms;
-+
-+ ps_process_pattern($1, pkcsslotd_t)
-+')
-+
-+
-+########################################
-+##
-+## All of the rules required to administrate
-+## an pkcsslotd environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`pkcsslotd_admin',`
-+ gen_require(`
-+ type pkcsslotd_t;
-+ type pkcsslotd_var_lib_t;
-+ type pkcsslotd_unit_file_t;
-+ ')
-+
-+ allow $1 pkcsslotd_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, pkcsslotd_t)
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, pkcsslotd_var_lib_t)
-+
-+ pkcsslotd_systemctl($1)
-+ admin_pattern($1, pkcsslotd_unit_file_t)
-+ allow $1 pkcsslotd_unit_file_t:service all_service_perms;
-+
-+ optional_policy(`
-+ systemd_passwd_agent_exec($1)
-+ systemd_read_fifo_file_passwd_run($1)
-+ ')
-+')
-diff --git a/pkcsslotd.te b/pkcsslotd.te
-new file mode 100644
-index 0000000..2ce92e0
---- /dev/null
-+++ b/pkcsslotd.te
-@@ -0,0 +1,67 @@
-+policy_module(pkcsslotd, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type pkcsslotd_t;
-+type pkcsslotd_exec_t;
-+init_daemon_domain(pkcsslotd_t, pkcsslotd_exec_t)
-+
-+type pkcsslotd_var_lib_t;
-+files_type(pkcsslotd_var_lib_t)
-+
-+type pkcsslotd_lock_t;
-+files_lock_file(pkcsslotd_lock_t)
-+
-+type pkcsslotd_unit_file_t;
-+systemd_unit_file(pkcsslotd_unit_file_t)
-+
-+type pkcsslotd_tmp_t;
-+files_tmp_file(pkcsslotd_tmp_t)
-+
-+type pkcsslotd_tmpfs_t;
-+files_tmpfs_file(pkcsslotd_tmpfs_t)
-+
-+type pkcsslotd_var_run_t;
-+files_pid_file(pkcsslotd_var_run_t)
-+
-+########################################
-+#
-+# pkcsslotd local policy
-+#
-+
-+allow pkcsslotd_t self:capability { fsetid chown kill };
-+
-+allow pkcsslotd_t self:fifo_file rw_fifo_file_perms;
-+allow pkcsslotd_t self:sem create_sem_perms;
-+allow pkcsslotd_t self:shm create_shm_perms;
-+allow pkcsslotd_t self:unix_stream_socket create_stream_socket_perms;
-+
-+manage_files_pattern(pkcsslotd_t, pkcsslotd_lock_t, pkcsslotd_lock_t)
-+files_lock_filetrans(pkcsslotd_t, pkcsslotd_lock_t, file)
-+
-+manage_dirs_pattern(pkcsslotd_t, pkcsslotd_tmp_t, pkcsslotd_tmp_t)
-+manage_files_pattern(pkcsslotd_t, pkcsslotd_tmp_t, pkcsslotd_tmp_t)
-+files_tmp_filetrans(pkcsslotd_t, pkcsslotd_tmp_t, { file dir })
-+
-+manage_dirs_pattern(pkcsslotd_t, pkcsslotd_tmpfs_t, pkcsslotd_tmpfs_t)
-+manage_files_pattern(pkcsslotd_t, pkcsslotd_tmpfs_t, pkcsslotd_tmpfs_t)
-+fs_tmpfs_filetrans(pkcsslotd_t, pkcsslotd_tmpfs_t, { dir file })
-+
-+manage_dirs_pattern(pkcsslotd_t, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t)
-+manage_files_pattern(pkcsslotd_t, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t)
-+manage_lnk_files_pattern(pkcsslotd_t, pkcsslotd_var_lib_t, pkcsslotd_var_lib_t)
-+files_var_lib_filetrans(pkcsslotd_t, pkcsslotd_var_lib_t, { dir file lnk_file })
-+
-+manage_files_pattern(pkcsslotd_t, pkcsslotd_var_run_t, pkcsslotd_var_run_t)
-+manage_dirs_pattern(pkcsslotd_t, pkcsslotd_var_run_t,pkcsslotd_var_run_t)
-+manage_sock_files_pattern(pkcsslotd_t, pkcsslotd_var_run_t,pkcsslotd_var_run_t)
-+files_pid_filetrans(pkcsslotd_t, pkcsslotd_var_run_t, { sock_file file dir })
-+
-+domain_use_interactive_fds(pkcsslotd_t)
-+
-+auth_read_passwd(pkcsslotd_t)
-+
-+logging_send_syslog_msg(pkcsslotd_t)
diff --git a/pki.fc b/pki.fc
new file mode 100644
index 0000000..726d992
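Review bot: The rebased pkcs.te hunk replaces the separate pkcsslotd module with `typealias` lines, but the dropped pkcsslotd.te also declared `pkcsslotd_lock_t` (with `files_lock_file`/`files_lock_filetrans`) and `pkcsslotd_unit_file_t`, and nothing in the aliased pkcs.te shown here covers a lock file or a unit file for `pkcs_slotd_t`. If the daemon still creates files under the lock directory or ships a systemd unit, those objects now fall back to generic labels and the domain has no rule to manage them, so expect denials there; confirm against the package's file list before relying on the alias-only approach. The alias set is also incomplete relative to the other declarations: `type pkcs_slotd_initrc_exec_t;` is the one type in the hunk without a `pkcsslotd_*` alias, so add `typealias pkcs_slotd_initrc_exec_t alias pkcsslotd_initrc_exec_t;` after it for consistency, or note in the patch why it is omitted.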
@@ -57789,15 +56805,9 @@ index 30e751f..3985ff9 100644
admin_pattern($1, plymouthd_var_run_t)
')
diff --git a/plymouthd.te b/plymouthd.te
-index b1f412b..3a3249a 100644
+index 3078ce9..c1a1267 100644
--- a/plymouthd.te
+++ b/plymouthd.te
-@@ -1,4 +1,4 @@
--policy_module(plymouthd, 1.1.4)
-+policy_module(plymouthd, 1.0.1)
-
- ########################################
- #
@@ -15,7 +15,7 @@ type plymouthd_exec_t;
init_daemon_domain(plymouthd_t, plymouthd_exec_t)
@@ -57909,7 +56919,7 @@ index b1f412b..3a3249a 100644
hal_dontaudit_write_log(plymouth_t)
hal_dontaudit_rw_pipes(plymouth_t)
diff --git a/podsleuth.te b/podsleuth.te
-index a14b3bc..b196183 100644
+index 9123f71..5bf10ce 100644
--- a/podsleuth.te
+++ b/podsleuth.te
@@ -29,7 +29,8 @@ userdom_user_tmpfs_file(podsleuth_tmpfs_t)
@@ -58225,16 +57235,10 @@ index 032a84d..be00a65 100644
+ allow $1 policykit_auth_t:process signal;
')
diff --git a/policykit.te b/policykit.te
-index 49694e8..a1497cd 100644
+index ee91778..9baeb1b 100644
--- a/policykit.te
+++ b/policykit.te
-@@ -1,4 +1,4 @@
--policy_module(policykit, 1.2.8)
-+policy_module(policykit, 1.1.0)
-
- ########################################
- #
-@@ -7,9 +7,6 @@ policy_module(policykit, 1.2.8)
+@@ -7,9 +7,6 @@ policy_module(policykit, 1.3.0)
attribute policykit_domain;
@@ -58825,16 +57829,10 @@ index ae27bb7..d00f6ba 100644
+ allow $1 polipo_unit_file_t:service all_service_perms;
')
diff --git a/polipo.te b/polipo.te
-index 316d53a..35d9018 100644
+index 9764bfe..2d8d495 100644
--- a/polipo.te
+++ b/polipo.te
-@@ -1,4 +1,4 @@
--policy_module(polipo, 1.0.4)
-+policy_module(polipo, 1.0.0)
-
- ########################################
- #
-@@ -7,19 +7,27 @@ policy_module(polipo, 1.0.4)
+@@ -7,19 +7,27 @@ policy_module(polipo, 1.1.1)
##
##
@@ -58901,7 +57899,7 @@ index 316d53a..35d9018 100644
type polipo_cache_t;
files_type(polipo_cache_t)
-@@ -56,112 +63,97 @@ files_type(polipo_cache_t)
+@@ -56,116 +63,102 @@ files_type(polipo_cache_t)
type polipo_log_t;
logging_log_file(polipo_log_t)
@@ -59056,17 +58054,22 @@ index 316d53a..35d9018 100644
-corenet_tcp_bind_http_cache_port(polipo_daemon)
+userdom_use_user_terminals(polipo_session_t)
+ corenet_sendrecv_tor_client_packets(polipo_daemon)
+ corenet_tcp_sendrecv_tor_port(polipo_daemon)
+ corenet_tcp_connect_tor_port(polipo_daemon)
+
-files_read_usr_files(polipo_daemon)
++logging_send_syslog_msg(polipo_session_t)
+
+-fs_search_auto_mountpoints(polipo_daemon)
++userdom_home_manager(polipo_session_t)
++
+tunable_policy(`polipo_session_bind_all_unreserved_ports',`
+ corenet_tcp_sendrecv_all_ports(polipo_session_t)
+ corenet_tcp_bind_all_unreserved_ports(polipo_session_t)
+')
--fs_search_auto_mountpoints(polipo_daemon)
-+logging_send_syslog_msg(polipo_session_t)
-
-miscfiles_read_localization(polipo_daemon)
-+userdom_home_manager(polipo_session_t)
diff --git a/portage.if b/portage.if
index 67e8c12..18b89d7 100644
--- a/portage.if
@@ -59080,7 +58083,7 @@ index 67e8c12..18b89d7 100644
allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
diff --git a/portage.te b/portage.te
-index a95fc4a..b9b5418 100644
+index b410c67..2713b26 100644
--- a/portage.te
+++ b/portage.te
@@ -108,7 +108,6 @@ domain_use_interactive_fds(gcc_config_t)
@@ -59119,7 +58122,7 @@ index cd45831..69406ee 100644
/var/run/portmap\.upgrade-state -- gen_context(system_u:object_r:portmap_var_run_t,s0)
/var/run/portmap_mapping -- gen_context(system_u:object_r:portmap_var_run_t,s0)
diff --git a/portmap.te b/portmap.te
-index 738c13b..04a202e 100644
+index 18b255e..e75c4ec 100644
--- a/portmap.te
+++ b/portmap.te
@@ -45,7 +45,6 @@ files_pid_filetrans(portmap_t, portmap_var_run_t, file)
@@ -59190,7 +58193,7 @@ index 5ad5291..7f1ae2a 100644
portreserve_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/portreserve.te b/portreserve.te
-index a38b57a..aa9d604 100644
+index 00b01e2..ffbfcee 100644
--- a/portreserve.te
+++ b/portreserve.te
@@ -41,7 +41,6 @@ files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir }
@@ -59209,7 +58212,7 @@ index a38b57a..aa9d604 100644
userdom_dontaudit_search_user_home_content(portreserve_t)
diff --git a/portslave.te b/portslave.te
-index e85e33d..a7d7c55 100644
+index cbe36c1..8ebeb87 100644
--- a/portslave.te
+++ b/portslave.te
@@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(portslave_t)
@@ -59322,7 +58325,7 @@ index c0e8785..c0e0959 100644
+/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0)
diff --git a/postfix.if b/postfix.if
-index 2e23946..0b76d72 100644
+index ded95ec..0b76d72 100644
--- a/postfix.if
+++ b/postfix.if
@@ -1,4 +1,4 @@
@@ -60043,7 +59046,7 @@ index 2e23946..0b76d72 100644
##
##
##
-@@ -710,37 +802,137 @@ interface(`postfix_domtrans_user_mail_handler',`
+@@ -710,38 +802,137 @@ interface(`postfix_domtrans_user_mail_handler',`
#
interface(`postfix_admin',`
gen_require(`
@@ -60051,6 +59054,7 @@ index 2e23946..0b76d72 100644
- type postfix_initrc_exec_t, postfix_prng_t, postfix_etc_t;
- type postfix_data_t, postfix_var_run_t, postfix_public_t;
- type postfix_private_t, postfix_map_tmp_t, postfix_exec_t;
+- type postfix_keytab_t;
+ attribute postfix_spool_type;
+ type postfix_bounce_t, postfix_cleanup_t, postfix_local_t;
+ type postfix_master_t, postfix_pickup_t, postfix_qmgr_t;
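Review bot: The rebased postfix_admin now strips upstream's `type postfix_keytab_t;` from the gen_require (this hunk) and the matching `admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t postfix_keytab_t })` (the next hunk of this file section), and the visible replacement lines only re-add `admin_pattern($1, postfix_data_t)`, so an admin role granted through this interface appears to lose access to the keytab type upstream added. The rest of the interface body is outside the hunk, so if the keytab is covered by a later `admin_pattern` line this is a non-issue; otherwise keep `postfix_keytab_t` in the require block and add `admin_pattern($1, postfix_keytab_t)` alongside the other etc-side types.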
@@ -60104,7 +59108,7 @@ index 2e23946..0b76d72 100644
allow $2 system_r;
- files_search_etc($1)
-- admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t })
+- admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t postfix_keytab_t })
+ admin_pattern($1, postfix_data_t)
- files_search_spool($1)
@@ -60202,16 +59206,10 @@ index 2e23946..0b76d72 100644
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
')
diff --git a/postfix.te b/postfix.te
-index 191a66f..f19bca4 100644
+index 5cfb83e..a18b985 100644
--- a/postfix.te
+++ b/postfix.te
-@@ -1,4 +1,4 @@
--policy_module(postfix, 1.14.10)
-+policy_module(postfix, 1.14.0)
-
- ########################################
- #
-@@ -6,27 +6,23 @@ policy_module(postfix, 1.14.10)
+@@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1)
#
##
@@ -60245,7 +59243,7 @@ index 191a66f..f19bca4 100644
postfix_server_domain_template(cleanup)
-@@ -39,16 +35,19 @@ application_executable_file(postfix_exec_t)
+@@ -42,16 +38,19 @@ files_type(postfix_keytab_t)
postfix_server_domain_template(local)
mta_mailserver_delivery(postfix_local_t)
@@ -60266,7 +59264,7 @@ index 191a66f..f19bca4 100644
mta_mailserver(postfix_t, postfix_master_exec_t)
type postfix_initrc_exec_t;
-@@ -60,6 +59,7 @@ postfix_server_domain_template(pipe)
+@@ -63,6 +62,7 @@ postfix_server_domain_template(pipe)
postfix_user_domain_template(postdrop)
mta_mailserver_user_agent(postfix_postdrop_t)
@@ -60274,7 +59272,7 @@ index 191a66f..f19bca4 100644
postfix_user_domain_template(postqueue)
mta_mailserver_user_agent(postfix_postqueue_t)
-@@ -80,13 +80,13 @@ mta_mailserver_sender(postfix_smtp_t)
+@@ -83,13 +83,13 @@ mta_mailserver_sender(postfix_smtp_t)
postfix_server_domain_template(smtpd)
type postfix_spool_t, postfix_spool_type;
@@ -60291,7 +59289,7 @@ index 191a66f..f19bca4 100644
type postfix_public_t;
files_type(postfix_public_t)
-@@ -94,6 +94,7 @@ files_type(postfix_public_t)
+@@ -97,6 +97,7 @@ files_type(postfix_public_t)
type postfix_var_run_t;
files_pid_file(postfix_var_run_t)
@@ -60299,7 +59297,7 @@ index 191a66f..f19bca4 100644
type postfix_data_t;
files_type(postfix_data_t)
-@@ -102,160 +103,61 @@ mta_mailserver_delivery(postfix_virtual_t)
+@@ -105,109 +106,22 @@ mta_mailserver_delivery(postfix_virtual_t)
########################################
#
@@ -60384,9 +59382,8 @@ index 191a66f..f19bca4 100644
-########################################
-#
-# Common postfix user domain local policy
-+# Postfix master process local policy
- #
-
+-#
+-
-allow postfix_user_domains self:capability dac_override;
-
-domain_use_interactive_fds(postfix_user_domains)
@@ -60394,8 +59391,9 @@ index 191a66f..f19bca4 100644
-########################################
-#
-# Master local policy
--#
--
++# Postfix master process local policy
+ #
+
-allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config };
+# chown is to set the correct ownership of queue dirs
+allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
@@ -60416,11 +59414,9 @@ index 191a66f..f19bca4 100644
allow postfix_master_t postfix_data_t:dir manage_dir_perms;
allow postfix_master_t postfix_data_t:file manage_file_perms;
+@@ -216,34 +130,32 @@ allow postfix_master_t postfix_keytab_t:file read_file_perms;
--allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
-+allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms lock };
-+
-+allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms;
+ allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
-allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms;
+allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms;
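Review bot: The rebased hunk no longer adds `allow postfix_master_t postfix_postdrop_exec_t:file getattr_file_perms;` while still removing upstream's combined `{ postfix_postdrop_exec_t postfix_postqueue_exec_t }` rule, so on the new side only `postfix_postqueue_exec_t` keeps getattr and the postdrop binary silently loses it. The previous revision of the patch granted it explicitly, which suggests the master process does stat that executable; if the permission is not regained elsewhere (the hunk header now anchors at `allow postfix_master_t postfix_keytab_t:file read_file_perms;`, so the surrounding rules have moved), restore it as `allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms;`. The enclosing master-process policy block continues outside the hunk.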
@@ -60464,12 +59460,11 @@ index 191a66f..f19bca4 100644
-setattr_dirs_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_public_t, dir, "public")
--create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t)
--delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
--rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
--setattr_dirs_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
--filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop")
-+manage_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+ create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t)
+ delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+@@ -253,16 +165,8 @@ filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, d
+ filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "deferred")
+ filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop")
-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t)
-setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t)
@@ -60485,7 +59480,7 @@ index 191a66f..f19bca4 100644
corenet_all_recvfrom_netlabel(postfix_master_t)
corenet_tcp_sendrecv_generic_if(postfix_master_t)
corenet_udp_sendrecv_generic_if(postfix_master_t)
-@@ -263,64 +165,50 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
+@@ -270,50 +174,44 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
corenet_udp_sendrecv_generic_node(postfix_master_t)
corenet_tcp_sendrecv_all_ports(postfix_master_t)
corenet_udp_sendrecv_all_ports(postfix_master_t)
@@ -60545,30 +59540,31 @@ index 191a66f..f19bca4 100644
mta_read_sendmail_bin(postfix_master_t)
mta_getattr_spool(postfix_master_t)
--optional_policy(`
-- cyrus_stream_connect(postfix_master_t)
--')
--
--optional_policy(`
-- kerberos_keytab_template(postfix, postfix_t)
+ifdef(`distro_redhat',`
+ # for newer main.cf that uses /etc/aliases
+ mta_manage_aliases(postfix_master_t)
+ mta_etc_filetrans_aliases(postfix_master_t)
- ')
-
++')
++
optional_policy(`
-- mailman_manage_data_files(postfix_master_t)
-+ cyrus_stream_connect(postfix_master_t)
+ cyrus_stream_connect(postfix_master_t)
+ ')
+@@ -324,14 +222,6 @@ optional_policy(`
')
optional_policy(`
+- mailman_manage_data_files(postfix_master_t)
+-')
+-
+-optional_policy(`
- mysql_stream_connect(postfix_master_t)
-+ kerberos_keytab_template(postfix, postfix_t)
+-')
+-
+-optional_policy(`
+ postgrey_search_spool(postfix_master_t)
')
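Review bot: The rebased patch now deletes upstream's `optional_policy` blocks for `mailman_manage_data_files(postfix_master_t)` and `mysql_stream_connect(postfix_master_t)` without adding a replacement in this hunk, while keeping the `cyrus_stream_connect` block as context. If the Fedora policy regrants these through a domain-wide attribute outside the hunk this is fine, but as written the patch carries no comment explaining the removal, and sites whose master process opens MySQL lookup tables or mailman data would hit denials. Either keep the two blocks or add a one-line comment above the `cyrus_stream_connect` block, e.g. `# mailman/mysql access for postfix_master_t is granted via <attribute> below`, naming where the replacement lives.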
- optional_policy(`
-@@ -333,12 +221,14 @@ optional_policy(`
+@@ -341,12 +231,14 @@ optional_policy(`
########################################
#
@@ -60585,7 +59581,7 @@ index 191a66f..f19bca4 100644
manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
-@@ -355,37 +245,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
+@@ -363,37 +255,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
########################################
#
@@ -60632,7 +59628,7 @@ index 191a66f..f19bca4 100644
optional_policy(`
mailman_read_data_files(postfix_cleanup_t)
-@@ -393,36 +280,50 @@ optional_policy(`
+@@ -401,36 +290,50 @@ optional_policy(`
########################################
#
@@ -60692,7 +59688,7 @@ index 191a66f..f19bca4 100644
')
optional_policy(`
-@@ -434,6 +335,7 @@ optional_policy(`
+@@ -442,6 +345,7 @@ optional_policy(`
')
optional_policy(`
@@ -60700,7 +59696,7 @@ index 191a66f..f19bca4 100644
mailman_manage_data_files(postfix_local_t)
mailman_append_log(postfix_local_t)
mailman_read_log(postfix_local_t)
-@@ -444,6 +346,10 @@ optional_policy(`
+@@ -452,6 +356,10 @@ optional_policy(`
')
optional_policy(`
@@ -60711,7 +59707,7 @@ index 191a66f..f19bca4 100644
procmail_domtrans(postfix_local_t)
')
-@@ -458,15 +364,17 @@ optional_policy(`
+@@ -466,15 +374,17 @@ optional_policy(`
########################################
#
@@ -60735,7 +59731,7 @@ index 191a66f..f19bca4 100644
manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
-@@ -476,14 +384,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
+@@ -484,14 +394,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
kernel_dontaudit_list_proc(postfix_map_t)
kernel_dontaudit_read_system_state(postfix_map_t)
@@ -60755,7 +59751,7 @@ index 191a66f..f19bca4 100644
corecmd_list_bin(postfix_map_t)
corecmd_read_bin_symlinks(postfix_map_t)
-@@ -492,7 +401,6 @@ corecmd_read_bin_pipes(postfix_map_t)
+@@ -500,7 +411,6 @@ corecmd_read_bin_pipes(postfix_map_t)
corecmd_read_bin_sockets(postfix_map_t)
files_list_home(postfix_map_t)
@@ -60763,7 +59759,7 @@ index 191a66f..f19bca4 100644
files_read_etc_runtime_files(postfix_map_t)
files_dontaudit_search_var(postfix_map_t)
-@@ -500,21 +408,22 @@ auth_use_nsswitch(postfix_map_t)
+@@ -508,21 +418,22 @@ auth_use_nsswitch(postfix_map_t)
logging_send_syslog_msg(postfix_map_t)
@@ -60789,7 +59785,7 @@ index 191a66f..f19bca4 100644
stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
-@@ -524,16 +433,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
+@@ -532,16 +443,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
@@ -60809,7 +59805,7 @@ index 191a66f..f19bca4 100644
#
allow postfix_pipe_t self:process setrlimit;
-@@ -576,19 +484,26 @@ optional_policy(`
+@@ -584,19 +494,26 @@ optional_policy(`
########################################
#
@@ -60841,7 +59837,7 @@ index 191a66f..f19bca4 100644
term_dontaudit_use_all_ptys(postfix_postdrop_t)
term_dontaudit_use_all_ttys(postfix_postdrop_t)
-@@ -603,10 +518,7 @@ optional_policy(`
+@@ -611,10 +528,7 @@ optional_policy(`
cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
')
@@ -60853,7 +59849,7 @@ index 191a66f..f19bca4 100644
optional_policy(`
fstools_read_pipes(postfix_postdrop_t)
')
-@@ -621,17 +533,24 @@ optional_policy(`
+@@ -629,17 +543,24 @@ optional_policy(`
#######################################
#
@@ -60881,7 +59877,7 @@ index 191a66f..f19bca4 100644
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
-@@ -647,67 +566,77 @@ optional_policy(`
+@@ -655,69 +576,78 @@ optional_policy(`
########################################
#
@@ -60962,22 +59958,23 @@ index 191a66f..f19bca4 100644
rw_files_pattern(postfix_smtp_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
+ corenet_tcp_bind_generic_node(postfix_smtp_t)
+# for spampd
+corenet_tcp_connect_spamd_port(postfix_master_t)
+
+files_search_all_mountpoints(postfix_smtp_t)
-+
+
optional_policy(`
cyrus_stream_connect(postfix_smtp_t)
')
optional_policy(`
- dovecot_stream_connect(postfix_smtp_t)
-+ dovecot_stream_connect(postfix_smtp_t)
++ dovecot_stream_connect(postfix_smtp_t)
')
optional_policy(`
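Review bot: `corenet_tcp_connect_spamd_port(postfix_master_t)` under the `# for spampd` comment sits in the postfix_smtp_t section, between `rw_files_pattern(postfix_smtp_t, …)` and `files_search_all_mountpoints(postfix_smtp_t)`, yet names postfix_master_t as the subject. If the smtp client is the domain that talks to spampd, the subject should be postfix_smtp_t; if the master really needs it, the rule belongs in the master section so the grant is seen where that domain is reviewed. The enclosing domain block starts outside the hunk.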
-@@ -720,29 +649,30 @@ optional_policy(`
+@@ -730,29 +660,30 @@ optional_policy(`
########################################
#
@@ -61016,7 +60013,7 @@ index 191a66f..f19bca4 100644
optional_policy(`
dovecot_stream_connect_auth(postfix_smtpd_t)
dovecot_stream_connect(postfix_smtpd_t)
-@@ -754,6 +684,7 @@ optional_policy(`
+@@ -764,6 +695,7 @@ optional_policy(`
optional_policy(`
milter_stream_connect_all(postfix_smtpd_t)
@@ -61024,7 +60021,7 @@ index 191a66f..f19bca4 100644
')
optional_policy(`
-@@ -764,31 +695,99 @@ optional_policy(`
+@@ -774,31 +706,99 @@ optional_policy(`
sasl_connect(postfix_smtpd_t)
')
@@ -61156,7 +60153,7 @@ index 5de8173..985b877 100644
init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/postfixpolicyd.te b/postfixpolicyd.te
-index 70f0533..77d4cd9 100644
+index ea1582a..0c1a059 100644
--- a/postfixpolicyd.te
+++ b/postfixpolicyd.te
@@ -34,7 +34,6 @@ allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms;
@@ -61217,7 +60214,7 @@ index b9e71b5..a7502cd 100644
domain_system_change_exemption($1)
role_transition $2 postgrey_initrc_exec_t system_r;
diff --git a/postgrey.te b/postgrey.te
-index 3b11496..04e3809 100644
+index fd58805..3b2474d 100644
--- a/postgrey.te
+++ b/postgrey.te
@@ -16,7 +16,7 @@ type postgrey_initrc_exec_t;
@@ -61820,16 +60817,10 @@ index cd8b8b9..6c73980 100644
+ allow $1 pppd_unit_file_t:service all_service_perms;
')
diff --git a/ppp.te b/ppp.te
-index b2b5dba..9bc465c 100644
+index d616ca3..fd72341 100644
--- a/ppp.te
+++ b/ppp.te
-@@ -1,4 +1,4 @@
--policy_module(ppp, 1.13.5)
-+policy_module(ppp, 1.13.0)
-
- ########################################
- #
-@@ -6,41 +6,47 @@ policy_module(ppp, 1.13.5)
+@@ -6,41 +6,47 @@ policy_module(ppp, 1.14.0)
#
##
@@ -62335,16 +61326,10 @@ index 20d4697..e6605c1 100644
+ files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache")
+')
diff --git a/prelink.te b/prelink.te
-index c0f047a..e04bdd6 100644
+index 8e26216..d59dc50 100644
--- a/prelink.te
+++ b/prelink.te
-@@ -1,4 +1,4 @@
--policy_module(prelink, 1.10.2)
-+policy_module(prelink, 1.10.0)
-
- ########################################
- #
-@@ -6,13 +6,10 @@ policy_module(prelink, 1.10.2)
+@@ -6,13 +6,10 @@ policy_module(prelink, 1.11.0)
attribute prelink_object;
@@ -62709,7 +61694,7 @@ index c83a838..f41a4f7 100644
admin_pattern($1, prelude_lml_tmp_t)
')
diff --git a/prelude.te b/prelude.te
-index db864df..f7eb5e0 100644
+index 8f44609..509fd0a 100644
--- a/prelude.te
+++ b/prelude.te
@@ -13,7 +13,7 @@ type prelude_initrc_exec_t;
@@ -62829,7 +61814,7 @@ index bdcee30..34f3143 100644
init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/privoxy.te b/privoxy.te
-index 85b1c9a..072d425 100644
+index ec21f80..a9f650a 100644
--- a/privoxy.te
+++ b/privoxy.te
@@ -85,6 +85,7 @@ corenet_sendrecv_tor_client_packets(privoxy_t)
@@ -63030,15 +62015,9 @@ index 00edeab..166e9c3 100644
+ read_files_pattern($1, procmail_home_t, procmail_home_t)
')
diff --git a/procmail.te b/procmail.te
-index d447152..73c437c 100644
+index cc426e6..3bbf1d7 100644
--- a/procmail.te
+++ b/procmail.te
-@@ -1,4 +1,4 @@
--policy_module(procmail, 1.12.2)
-+policy_module(procmail, 1.12.0)
-
- ########################################
- #
@@ -14,7 +14,7 @@ type procmail_home_t;
userdom_user_home_content(procmail_home_t)
@@ -63065,7 +62044,7 @@ index d447152..73c437c 100644
allow procmail_t procmail_log_t:dir setattr_dir_perms;
create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
-@@ -40,89 +44,106 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
+@@ -40,83 +44,96 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
allow procmail_t procmail_tmp_t:file manage_file_perms;
files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
@@ -63198,18 +62177,16 @@ index d447152..73c437c 100644
postfix_dontaudit_rw_local_tcp_sockets(procmail_t)
postfix_dontaudit_use_fds(procmail_t)
postfix_read_spool_files(procmail_t)
- postfix_read_local_state(procmail_t)
- postfix_read_master_state(procmail_t)
-- postfix_rw_master_pipes(procmail_t)
-+ postfix_rw_inherited_master_pipes(procmail_t)
-+')
-+
-+optional_policy(`
-+ nagios_search_spool(procmail_t)
+@@ -126,11 +143,17 @@ optional_policy(`
')
optional_policy(`
-@@ -131,6 +152,8 @@ optional_policy(`
++ nagios_search_spool(procmail_t)
++')
++
++optional_policy(`
+ pyzor_domtrans(procmail_t)
+ pyzor_signal(procmail_t)
')
optional_policy(`
@@ -63713,7 +62690,7 @@ index d4dcf78..3cce82e 100644
admin_pattern($1, psad_tmp_t)
')
diff --git a/psad.te b/psad.te
-index 5427bb6..718c847 100644
+index b5d717b..0de086e 100644
--- a/psad.te
+++ b/psad.te
@@ -66,7 +66,6 @@ kernel_read_net_sysctls(psad_t)
@@ -63742,7 +62719,7 @@ index 5427bb6..718c847 100644
optional_policy(`
diff --git a/ptchown.te b/ptchown.te
-index d67905e..2da9eca 100644
+index 28d2abc..c2cfb5e 100644
--- a/ptchown.te
+++ b/ptchown.te
@@ -21,7 +21,6 @@ role ptchown_roles types ptchown_t;
@@ -63783,10 +62760,10 @@ index 6864479..0e7d875 100644
+/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
+/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
diff --git a/pulseaudio.if b/pulseaudio.if
-index fa3dc8e..99cfa95 100644
+index 45843b5..116be8a 100644
--- a/pulseaudio.if
+++ b/pulseaudio.if
-@@ -2,47 +2,44 @@
+@@ -2,43 +2,48 @@
########################################
##
@@ -63811,35 +62788,33 @@ index fa3dc8e..99cfa95 100644
- attribute pulseaudio_tmpfsfile;
- type pulseaudio_t, pulseaudio_home_t, pulseaudio_tmpfs_t;
- type pulseaudio_tmp_t;
-+ type pulseaudio_t, pulseaudio_exec_t;
++ attribute pulseaudio_tmpfsfile;
++ type pulseaudio_t, pulseaudio_exec_t, pulseaudio_tmpfs_t;
+ class dbus { acquire_svc send_msg };
')
- pulseaudio_run($2, $1)
+ role $1 types pulseaudio_t;
-
-- allow $2 pulseaudio_t:process { ptrace signal_perms };
-- ps_process_pattern($2, pulseaudio_t)
++
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, pulseaudio_exec_t, pulseaudio_t)
+- allow $2 pulseaudio_t:process { ptrace signal_perms };
+ ps_process_pattern($2, pulseaudio_t)
+
- allow $2 pulseaudio_home_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 pulseaudio_home_t:file { manage_file_perms relabel_file_perms };
- allow $2 pulseaudio_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-+ ps_process_pattern($2, pulseaudio_t)
-
-- userdom_user_home_dir_filetrans($2, pulseaudio_home_t, dir, ".pulse")
-- userdom_user_home_dir_filetrans($2, pulseaudio_home_t, file, ".esd_auth")
-- userdom_user_home_dir_filetrans($2, pulseaudio_home_t, file, ".pulse-cookie")
+ allow pulseaudio_t $2:process { signal signull };
+ allow $2 pulseaudio_t:process { signal signull sigkill };
+ ps_process_pattern(pulseaudio_t, $2)
-
-- allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:dir { manage_dir_perms relabel_dir_perms };
-- allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms };
++
+ allow pulseaudio_t $2:unix_stream_socket connectto;
+ allow $2 pulseaudio_t:unix_stream_socket connectto;
+ allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms };
+
- allow $2 pulseaudio_tmp_t:dir { manage_dir_perms relabel_dir_perms };
- allow $2 pulseaudio_tmp_t:file { manage_file_perms relabel_file_perms };
- allow $2 pulseaudio_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
@@ -63852,7 +62827,7 @@ index fa3dc8e..99cfa95 100644
')
########################################
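Review bot: The gen_require now declares `pulseaudio_tmpfsfile` and `pulseaudio_tmpfs_t`, which the kept `allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }` rules need, but the bidirectional rules that follow — `allow pulseaudio_t $2:process { signal signull };`, `ps_process_pattern(pulseaudio_t, $2)` and the two `unix_stream_socket connectto` lines — carry no comment, unlike the domtrans line above them. A line such as `# Daemon and client signal, inspect and connect to each other in both directions` would make clear that the grant to the daemon over the user domain is intentional. Removing `ptrace` from the user domain's permissions over pulseaudio_t is consistent with the narrower `{ signal signull sigkill }` grant below it. The interface header and the `gen_require(` opening are outside the hunk.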
-@@ -69,9 +66,8 @@ interface(`pulseaudio_domtrans',`
+@@ -65,9 +70,8 @@ interface(`pulseaudio_domtrans',`
########################################
##
@@ -63864,7 +62839,7 @@ index fa3dc8e..99cfa95 100644
##
##
##
-@@ -86,16 +82,16 @@ interface(`pulseaudio_domtrans',`
+@@ -82,16 +86,16 @@ interface(`pulseaudio_domtrans',`
#
interface(`pulseaudio_run',`
gen_require(`
@@ -63884,7 +62859,7 @@ index fa3dc8e..99cfa95 100644
##
##
##
-@@ -108,13 +104,12 @@ interface(`pulseaudio_exec',`
+@@ -104,13 +108,12 @@ interface(`pulseaudio_exec',`
type pulseaudio_exec_t;
')
@@ -63899,7 +62874,7 @@ index fa3dc8e..99cfa95 100644
##
##
##
-@@ -132,7 +127,7 @@ interface(`pulseaudio_dontaudit_exec',`
+@@ -128,7 +131,7 @@ interface(`pulseaudio_dontaudit_exec',`
########################################
##
@@ -63908,7 +62883,7 @@ index fa3dc8e..99cfa95 100644
## processes.
##
##
-@@ -151,8 +146,8 @@ interface(`pulseaudio_signull',`
+@@ -147,8 +150,8 @@ interface(`pulseaudio_signull',`
#####################################
##
@@ -63919,7 +62894,7 @@ index fa3dc8e..99cfa95 100644
##
##
##
-@@ -162,11 +157,15 @@ interface(`pulseaudio_signull',`
+@@ -158,11 +161,15 @@ interface(`pulseaudio_signull',`
#
interface(`pulseaudio_stream_connect',`
gen_require(`
@@ -63937,7 +62912,7 @@ index fa3dc8e..99cfa95 100644
')
########################################
-@@ -192,9 +191,9 @@ interface(`pulseaudio_dbus_chat',`
+@@ -188,9 +195,9 @@ interface(`pulseaudio_dbus_chat',`
########################################
##
@@ -63949,7 +62924,7 @@ index fa3dc8e..99cfa95 100644
##
## Domain allowed access.
##
-@@ -205,148 +204,190 @@ interface(`pulseaudio_setattr_home_dir',`
+@@ -201,148 +208,190 @@ interface(`pulseaudio_setattr_home_dir',`
type pulseaudio_home_t;
')
@@ -64188,16 +63163,10 @@ index fa3dc8e..99cfa95 100644
+ ps_process_pattern($1, pulseaudio_t)
')
diff --git a/pulseaudio.te b/pulseaudio.te
-index e31bbe1..822ab6c 100644
+index 6643b49..1d2470f 100644
--- a/pulseaudio.te
+++ b/pulseaudio.te
-@@ -1,4 +1,4 @@
--policy_module(pulseaudio, 1.5.4)
-+policy_module(pulseaudio, 1.5.0)
-
- ########################################
- #
-@@ -8,61 +8,49 @@ policy_module(pulseaudio, 1.5.4)
+@@ -8,61 +8,49 @@ policy_module(pulseaudio, 1.6.0)
attribute pulseaudio_client;
attribute pulseaudio_tmpfsfile;
@@ -64205,7 +63174,7 @@ index e31bbe1..822ab6c 100644
-
type pulseaudio_t;
type pulseaudio_exec_t;
- init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
+ # init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
userdom_user_application_domain(pulseaudio_t, pulseaudio_exec_t)
-role pulseaudio_roles types pulseaudio_t;
+role system_r types pulseaudio_t;
@@ -64288,7 +63257,7 @@ index e31bbe1..822ab6c 100644
can_exec(pulseaudio_t, pulseaudio_exec_t)
-@@ -85,60 +70,51 @@ kernel_read_kernel_sysctls(pulseaudio_t)
+@@ -85,62 +70,56 @@ kernel_read_kernel_sysctls(pulseaudio_t)
corecmd_exec_bin(pulseaudio_t)
@@ -64341,9 +63310,11 @@ index e31bbe1..822ab6c 100644
-miscfiles_read_localization(pulseaudio_t)
-
--userdom_search_user_home_dirs(pulseaudio_t)
--userdom_write_user_tmp_sockets(pulseaudio_t)
--
+ userdom_read_user_tmpfs_files(pulseaudio_t)
+
+ userdom_search_user_home_dirs(pulseaudio_t)
+ userdom_write_user_tmp_sockets(pulseaudio_t)
+
tunable_policy(`use_nfs_home_dirs',`
+ fs_mount_nfs(pulseaudio_t)
+ fs_mounton_nfs(pulseaudio_t)
@@ -64365,7 +63336,7 @@ index e31bbe1..822ab6c 100644
')
optional_policy(`
-@@ -151,8 +127,9 @@ optional_policy(`
+@@ -153,8 +132,9 @@ optional_policy(`
optional_policy(`
dbus_system_domain(pulseaudio_t, pulseaudio_exec_t)
@@ -64377,7 +63348,7 @@ index e31bbe1..822ab6c 100644
optional_policy(`
consolekit_dbus_chat(pulseaudio_t)
-@@ -172,16 +149,33 @@ optional_policy(`
+@@ -174,16 +154,33 @@ optional_policy(`
')
optional_policy(`
@@ -64411,7 +63382,7 @@ index e31bbe1..822ab6c 100644
udev_read_state(pulseaudio_t)
udev_read_db(pulseaudio_t)
')
-@@ -194,7 +188,11 @@ optional_policy(`
+@@ -196,7 +193,11 @@ optional_policy(`
xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
')
@@ -64424,7 +63395,7 @@ index e31bbe1..822ab6c 100644
#
# Client local policy
#
-@@ -208,8 +206,6 @@ delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfi
+@@ -210,8 +211,6 @@ delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfi
fs_getattr_tmpfs(pulseaudio_client)
@@ -64433,7 +63404,7 @@ index e31bbe1..822ab6c 100644
corenet_tcp_sendrecv_generic_if(pulseaudio_client)
corenet_tcp_sendrecv_generic_node(pulseaudio_client)
-@@ -218,36 +214,31 @@ corenet_tcp_connect_pulseaudio_port(pulseaudio_client)
+@@ -220,38 +219,33 @@ corenet_tcp_connect_pulseaudio_port(pulseaudio_client)
corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_client)
pulseaudio_stream_connect(pulseaudio_client)
@@ -64481,11 +63452,13 @@ index e31bbe1..822ab6c 100644
- rtkit_scheduled(pulseaudio_client)
+ rtkit_scheduled(pulseaudio_client)
')
+
+ optional_policy(`
diff --git a/puppet.fc b/puppet.fc
-index 4ecda09..8c0b242 100644
+index d68e26d..8d566fb 100644
--- a/puppet.fc
+++ b/puppet.fc
-@@ -1,14 +1,12 @@
+@@ -1,7 +1,7 @@
-/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
+/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
@@ -64493,12 +63466,11 @@ index 4ecda09..8c0b242 100644
-/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
--/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
--/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
--/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
-+/usr/sbin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
-+/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
-+/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
+ /usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
+ /usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
+@@ -11,8 +11,6 @@
+ /usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
+ /usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
-/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
-
@@ -64850,16 +63822,10 @@ index 7cb8b1f..9422c90 100644
+ allow $1 puppet_var_run_t:dir search_dir_perms;
')
diff --git a/puppet.te b/puppet.te
-index f2309f4..a375475 100644
+index 618dcfe..f81c59f 100644
--- a/puppet.te
+++ b/puppet.te
-@@ -1,4 +1,4 @@
--policy_module(puppet, 1.3.7)
-+policy_module(puppet, 1.3.0)
-
- ########################################
- #
-@@ -6,15 +6,19 @@ policy_module(puppet, 1.3.7)
+@@ -6,15 +6,19 @@ policy_module(puppet, 1.4.0)
#
##
@@ -65455,7 +64421,7 @@ index 3078e34..215df88 100644
-
-miscfiles_read_localization(pwauth_t)
diff --git a/pxe.te b/pxe.te
-index 72db707..6dae5e5 100644
+index 06bec9b..1b32632 100644
--- a/pxe.te
+++ b/pxe.te
@@ -50,15 +50,12 @@ dev_read_sysfs(pxe_t)
@@ -65544,11 +64510,11 @@ index 0ccea82..0000000
-')
diff --git a/pyicqt.te b/pyicqt.te
deleted file mode 100644
-index 99bebbd..0000000
+index f2863de..0000000
--- a/pyicqt.te
+++ /dev/null
@@ -1,92 +0,0 @@
--policy_module(pyicqt, 1.0.1)
+-policy_module(pyicqt, 1.1.0)
-
-########################################
-#
@@ -65796,15 +64762,10 @@ index 593c03d..2c411af 100644
+ admin_pattern($1, pyzor_var_lib_t)
')
diff --git a/pyzor.te b/pyzor.te
-index 6c456d2..86daaba 100644
+index 2439d13..d7bd6e9 100644
--- a/pyzor.te
+++ b/pyzor.te
-@@ -1,61 +1,82 @@
--policy_module(pyzor, 2.2.1)
-+policy_module(pyzor, 2.1.0)
-
- ########################################
- #
+@@ -5,57 +5,78 @@ policy_module(pyzor, 2.3.0)
# Declarations
#
@@ -66041,16 +65002,15 @@ index 6c456d2..86daaba 100644
+ logging_send_syslog_msg(pyzord_t)
+')
diff --git a/qemu.fc b/qemu.fc
-index 6b53fa4..64d877e 100644
+index 86ea53c..a2dcf7b 100644
--- a/qemu.fc
+++ b/qemu.fc
-@@ -1,5 +1,4 @@
+@@ -1,4 +1,4 @@
-/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
--
- /usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+ /usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
diff --git a/qemu.if b/qemu.if
index eaf56b8..580f9ee 100644
--- a/qemu.if
@@ -66421,16 +65381,10 @@ index eaf56b8..580f9ee 100644
#
interface(`qemu_entry_type',`
diff --git a/qemu.te b/qemu.te
-index 2e824eb..695c857 100644
+index 4f90743..8c1e989 100644
--- a/qemu.te
+++ b/qemu.te
-@@ -1,4 +1,4 @@
--policy_module(qemu, 1.7.4)
-+policy_module(qemu, 1.7.0)
-
- ########################################
- #
-@@ -6,28 +6,58 @@ policy_module(qemu, 1.7.4)
+@@ -6,28 +6,58 @@ policy_module(qemu, 1.8.0)
#
##
@@ -66839,15 +65793,10 @@ index e4f0000..05e219e 100644
+ allow $1 qmail_spool_t:fifo_file rw_fifo_file_perms;
+')
diff --git a/qmail.te b/qmail.te
-index 1bef513..af2850e 100644
+index 8742944..53a2fe5 100644
--- a/qmail.te
+++ b/qmail.te
-@@ -1,11 +1,11 @@
--policy_module(qmail, 1.5.1)
-+policy_module(qmail, 1.5.0)
-
- ########################################
- #
+@@ -5,7 +5,7 @@ policy_module(qmail, 1.6.1)
# Declarations
#
@@ -66865,7 +65814,7 @@ index 1bef513..af2850e 100644
type qmail_inject_exec_t;
domain_type(qmail_inject_t)
domain_entry_file(qmail_inject_t, qmail_inject_exec_t)
-@@ -32,18 +32,22 @@ qmail_child_domain_template(qmail_lspawn, qmail_start_t)
+@@ -32,21 +32,25 @@ qmail_child_domain_template(qmail_lspawn, qmail_start_t)
mta_mailserver_delivery(qmail_lspawn_t)
qmail_child_domain_template(qmail_queue, qmail_inject_t)
@@ -66883,13 +65832,16 @@ index 1bef513..af2850e 100644
+
qmail_child_domain_template(qmail_splogger, qmail_start_t)
+ type qmail_keytab_t;
+ files_type(qmail_keytab_t)
+
type qmail_spool_t;
-files_type(qmail_spool_t)
+files_spool_file(qmail_spool_t)
type qmail_start_t;
type qmail_start_exec_t;
-@@ -55,28 +59,8 @@ application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
+@@ -58,28 +62,8 @@ application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
########################################
#
@@ -66920,7 +65872,7 @@ index 1bef513..af2850e 100644
#
read_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
-@@ -84,11 +68,12 @@ delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
+@@ -87,11 +71,12 @@ delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
########################################
#
@@ -66935,7 +65887,7 @@ index 1bef513..af2850e 100644
allow qmail_inject_t qmail_queue_exec_t:file read_file_perms;
-@@ -96,18 +81,18 @@ corecmd_search_bin(qmail_inject_t)
+@@ -99,18 +84,18 @@ corecmd_search_bin(qmail_inject_t)
files_search_var(qmail_inject_t)
@@ -66958,7 +65910,7 @@ index 1bef513..af2850e 100644
manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
manage_files_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
-@@ -134,12 +119,17 @@ mta_append_spool(qmail_local_t)
+@@ -137,12 +122,17 @@ mta_append_spool(qmail_local_t)
qmail_domtrans_queue(qmail_local_t)
optional_policy(`
@@ -66977,7 +65929,7 @@ index 1bef513..af2850e 100644
#
allow qmail_lspawn_t self:capability { setuid setgid };
-@@ -153,21 +143,23 @@ allow qmail_lspawn_t qmail_local_exec_t:file read_file_perms;
+@@ -156,21 +146,23 @@ allow qmail_lspawn_t qmail_local_exec_t:file read_file_perms;
read_files_pattern(qmail_lspawn_t, qmail_spool_t, qmail_spool_t)
@@ -67004,7 +65956,7 @@ index 1bef513..af2850e 100644
manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
-@@ -183,28 +175,34 @@ optional_policy(`
+@@ -186,28 +178,34 @@ optional_policy(`
########################################
#
@@ -67046,7 +65998,7 @@ index 1bef513..af2850e 100644
#
allow qmail_rspawn_t self:process signal_perms;
-@@ -214,9 +212,12 @@ allow qmail_rspawn_t qmail_remote_exec_t:file read_file_perms;
+@@ -217,9 +215,12 @@ allow qmail_rspawn_t qmail_remote_exec_t:file read_file_perms;
rw_files_pattern(qmail_rspawn_t, qmail_spool_t, qmail_spool_t)
@@ -67060,7 +66012,7 @@ index 1bef513..af2850e 100644
#
allow qmail_send_t self:process signal_perms;
-@@ -234,7 +235,8 @@ optional_policy(`
+@@ -237,7 +238,8 @@ optional_policy(`
########################################
#
@@ -67070,7 +66022,7 @@ index 1bef513..af2850e 100644
#
allow qmail_smtpd_t self:process signal_perms;
-@@ -262,26 +264,26 @@ optional_policy(`
+@@ -268,26 +270,26 @@ optional_policy(`
########################################
#
@@ -67102,7 +66054,7 @@ index 1bef513..af2850e 100644
can_exec(qmail_start_t, qmail_start_exec_t)
-@@ -298,7 +300,8 @@ optional_policy(`
+@@ -304,7 +306,8 @@ optional_policy(`
########################################
#
@@ -67113,7 +66065,7 @@ index 1bef513..af2850e 100644
allow qmail_tcp_env_t qmail_smtpd_exec_t:file read_file_perms;
diff --git a/qpid.if b/qpid.if
-index cd51b96..f7e9c70 100644
+index fe2adf8..f7e9c70 100644
--- a/qpid.if
+++ b/qpid.if
@@ -1,4 +1,4 @@
@@ -67381,7 +66333,7 @@ index cd51b96..f7e9c70 100644
+ allow $1 qpidd_t:process ptrace;
+ ')
-- files_search_var_lib($1(
+- files_search_var_lib($1)
- admin_pattern($1, qpidd_var_lib_t)
+ qpidd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
@@ -67397,7 +66349,7 @@ index cd51b96..f7e9c70 100644
+ admin_pattern($1, qpidd_var_run_t)
')
diff --git a/qpid.te b/qpid.te
-index 76f5b39..8bb80a2 100644
+index 83eb09e..b48c931 100644
--- a/qpid.te
+++ b/qpid.te
@@ -12,6 +12,9 @@ init_daemon_domain(qpidd_t, qpidd_exec_t)
@@ -67827,15 +66779,10 @@ index afc0068..3105104 100644
+ ')
')
diff --git a/quantum.te b/quantum.te
-index 769d1fd..acee489 100644
+index 8644d8b..d850703 100644
--- a/quantum.te
+++ b/quantum.te
-@@ -1,96 +1,109 @@
--policy_module(quantum, 1.0.2)
-+policy_module(quantum, 1.0.3)
-
- ########################################
- #
+@@ -5,92 +5,105 @@ policy_module(quantum, 1.1.0)
# Declarations
#
@@ -68278,15 +67225,10 @@ index da64218..3fb8575 100644
+ domtrans_pattern($1, quota_nld_exec_t, quota_nld_t)
')
diff --git a/quota.te b/quota.te
-index 4b2c272..1aee969 100644
+index f47c8e8..a0251fe 100644
--- a/quota.te
+++ b/quota.te
-@@ -1,16 +1,14 @@
--policy_module(quota, 1.5.2)
-+policy_module(quota, 1.5.0)
-
- ########################################
- #
+@@ -5,12 +5,10 @@ policy_module(quota, 1.6.0)
# Declarations
#
@@ -68441,7 +67383,7 @@ index 2c3d338..cf3e5ad 100644
########################################
diff --git a/rabbitmq.te b/rabbitmq.te
-index 3698b51..136b017 100644
+index dc3b0ed..750df0e 100644
--- a/rabbitmq.te
+++ b/rabbitmq.te
@@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t)
@@ -68463,7 +67405,7 @@ index 3698b51..136b017 100644
allow rabbitmq_beam_t self:process { setsched signal signull };
allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms;
allow rabbitmq_beam_t self:tcp_socket { accept listen };
-@@ -38,27 +43,35 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
+@@ -38,13 +43,17 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
@@ -68484,10 +67426,7 @@ index 3698b51..136b017 100644
can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
-
- kernel_read_system_state(rabbitmq_beam_t)
-+kernel_read_fs_sysctls(rabbitmq_beam_t)
-
+@@ -55,11 +64,14 @@ kernel_read_fs_sysctls(rabbitmq_beam_t)
corecmd_exec_bin(rabbitmq_beam_t)
corecmd_exec_shell(rabbitmq_beam_t)
@@ -68502,39 +67441,48 @@ index 3698b51..136b017 100644
corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t)
corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
-@@ -68,20 +81,50 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
+@@ -69,37 +81,50 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
+-corenet_sendrecv_couchdb_server_packets(rabbitmq_beam_t)
+ corenet_tcp_bind_couchdb_port(rabbitmq_beam_t)
+-corenet_tcp_sendrecv_couchdb_port(rabbitmq_beam_t)
+
-dev_read_sysfs(rabbitmq_beam_t)
-+corenet_tcp_bind_couchdb_port(rabbitmq_beam_t)
-+
+-dev_read_urand(rabbitmq_beam_t)
+corenet_tcp_bind_jabber_client_port(rabbitmq_beam_t)
+corenet_tcp_bind_jabber_interserver_port(rabbitmq_beam_t)
+
+domain_read_all_domains_state(rabbitmq_beam_t)
+
-+auth_read_passwd(rabbitmq_beam_t)
-+auth_use_pam(rabbitmq_beam_t)
-
--files_read_etc_files(rabbitmq_beam_t)
+files_getattr_all_mountpoints(rabbitmq_beam_t)
--miscfiles_read_localization(rabbitmq_beam_t)
-+fs_getattr_all_fs(rabbitmq_beam_t)
+ fs_getattr_all_fs(rabbitmq_beam_t)
+fs_getattr_all_dirs(rabbitmq_beam_t)
+fs_getattr_cgroup(rabbitmq_beam_t)
-+fs_search_cgroup_dirs(rabbitmq_beam_t)
-+
+ fs_search_cgroup_dirs(rabbitmq_beam_t)
+
+-files_read_etc_files(rabbitmq_beam_t)
+corenet_tcp_connect_couchdb_port(rabbitmq_beam_t)
+
+dev_read_sysfs(rabbitmq_beam_t)
+dev_read_urand(rabbitmq_beam_t)
-+
-+storage_getattr_fixed_disk_dev(rabbitmq_beam_t)
+
+ storage_getattr_fixed_disk_dev(rabbitmq_beam_t)
+
+-miscfiles_read_localization(rabbitmq_beam_t)
++auth_read_passwd(rabbitmq_beam_t)
++auth_use_pam(rabbitmq_beam_t)
sysnet_dns_name_resolve(rabbitmq_beam_t)
+- optional_policy(`
+- couchdb_manage_lib_files(rabbitmq_beam_t)
+- couchdb_read_conf_files(rabbitmq_beam_t)
+- couchdb_read_log_files(rabbitmq_beam_t)
+- couchdb_read_pid_files(rabbitmq_beam_t)
+- ')
+logging_send_syslog_msg(rabbitmq_beam_t)
+
+optional_policy(`
@@ -68547,7 +67495,7 @@ index 3698b51..136b017 100644
+optional_policy(`
+ dbus_system_bus_client(rabbitmq_beam_t)
+')
-+
+
########################################
#
# Epmd local policy
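Review bot: `domain_read_all_domains_state(rabbitmq_beam_t)` grants the beam domain read access to the process state of every domain on the system, far broader than the cgroup and mountpoint getattr rules added beside it; if the need is only to stat other processes, `domain_getattr_all_domains(rabbitmq_beam_t)` would be narrower, and if it is only avc noise a dontaudit would keep the policy closer to least privilege. The same hunk removes `corenet_tcp_sendrecv_couchdb_port` while keeping `corenet_tcp_bind_couchdb_port` and adding `corenet_tcp_connect_couchdb_port`, which differs from the epmd port above that pairs connect with sendrecv; confirm the omission is intended. `auth_use_pam(rabbitmq_beam_t)` is also a wide grant and deserves a comment naming the authentication path that requires it.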
@@ -68557,7 +67505,7 @@ index 3698b51..136b017 100644
allow rabbitmq_epmd_t self:process signal;
allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
-@@ -99,8 +142,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
+@@ -117,8 +142,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
@@ -68567,7 +67515,7 @@ index 3698b51..136b017 100644
-miscfiles_read_localization(rabbitmq_epmd_t)
diff --git a/radius.fc b/radius.fc
-index c84b7ae..29c453e 100644
+index d447e85..008ee02 100644
--- a/radius.fc
+++ b/radius.fc
@@ -9,6 +9,8 @@
@@ -68641,7 +67589,7 @@ index 4460582..60cf556 100644
+
')
diff --git a/radius.te b/radius.te
-index 1e7927f..eb72458 100644
+index 403a4fe..0ae6dc6 100644
--- a/radius.te
+++ b/radius.te
@@ -27,6 +27,9 @@ files_type(radiusd_var_lib_t)
@@ -68747,7 +67695,7 @@ index ac7058d..48739ac 100644
init_labeled_script_domtrans($1, radvd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/radvd.te b/radvd.te
-index b31f2d7..046f5b8 100644
+index 6d162e4..889c0ed 100644
--- a/radvd.te
+++ b/radvd.te
@@ -65,8 +65,6 @@ auth_use_nsswitch(radvd_t)
@@ -68979,7 +67927,7 @@ index 951db7f..98a0758 100644
+ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf")
')
diff --git a/raid.te b/raid.te
-index 2c1730b..4699a1e 100644
+index c99753f..5e27523 100644
--- a/raid.te
+++ b/raid.te
@@ -15,6 +15,15 @@ role mdadm_roles types mdadm_t;
@@ -69037,7 +67985,7 @@ index 2c1730b..4699a1e 100644
corecmd_exec_bin(mdadm_t)
corecmd_exec_shell(mdadm_t)
-@@ -49,19 +69,29 @@ corecmd_exec_shell(mdadm_t)
+@@ -49,20 +69,29 @@ corecmd_exec_shell(mdadm_t)
dev_rw_sysfs(mdadm_t)
dev_dontaudit_getattr_all_blk_files(mdadm_t)
dev_dontaudit_getattr_all_chr_files(mdadm_t)
@@ -69061,7 +68009,7 @@ index 2c1730b..4699a1e 100644
-files_dontaudit_getattr_all_files(mdadm_t)
+files_dontaudit_getattr_tmpfs_files(mdadm_t)
-+fs_getattr_all_fs(mdadm_t)
+ fs_getattr_all_fs(mdadm_t)
fs_list_auto_mountpoints(mdadm_t)
fs_list_hugetlbfs(mdadm_t)
fs_rw_cgroup_files(mdadm_t)
@@ -69070,7 +68018,7 @@ index 2c1730b..4699a1e 100644
mls_file_read_all_levels(mdadm_t)
mls_file_write_all_levels(mdadm_t)
-@@ -70,15 +100,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
+@@ -71,15 +100,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
storage_manage_fixed_disk(mdadm_t)
storage_read_scsi_generic(mdadm_t)
storage_write_scsi_generic(mdadm_t)
@@ -69092,7 +68040,7 @@ index 2c1730b..4699a1e 100644
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
userdom_dontaudit_search_user_home_content(mdadm_t)
-@@ -93,13 +128,30 @@ optional_policy(`
+@@ -94,13 +128,30 @@ optional_policy(`
')
optional_policy(`
@@ -69372,15 +68320,10 @@ index 1e4b523..fee3b7c 100644
##
##
diff --git a/razor.te b/razor.te
-index 5ddedbc..4e15f29 100644
+index 68455f9..38f6968 100644
--- a/razor.te
+++ b/razor.te
-@@ -1,139 +1,128 @@
--policy_module(razor, 2.3.2)
-+policy_module(razor, 2.3.0)
-
- ########################################
- #
+@@ -5,135 +5,124 @@ policy_module(razor, 2.4.0)
# Declarations
#
@@ -69658,10 +68601,10 @@ index 9196c1d..3dac4d9 100644
userdom_dontaudit_use_unpriv_user_fds(rdisc_t)
diff --git a/readahead.fc b/readahead.fc
-index f307db4..0428aee 100644
+index f01b32f..46279e8 100644
--- a/readahead.fc
+++ b/readahead.fc
-@@ -1,7 +1,10 @@
+@@ -1,7 +1,11 @@
-/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
+/dev/\.systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0)
@@ -69672,8 +68615,8 @@ index f307db4..0428aee 100644
+
/var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0)
--/var/run/readahead,* gen_context(system_u:object_r:readahead_var_run_t,s0)
+/var/run/systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0)
+ /var/run/readahead.* gen_context(system_u:object_r:readahead_var_run_t,s0)
diff --git a/readahead.if b/readahead.if
index 661bb88..06f69c4 100644
--- a/readahead.if
@@ -69707,7 +68650,7 @@ index 661bb88..06f69c4 100644
+')
+
diff --git a/readahead.te b/readahead.te
-index f1512d6..8ee7e70 100644
+index c0b02c9..af81d71 100644
--- a/readahead.te
+++ b/readahead.te
@@ -15,6 +15,7 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t;
@@ -69924,16 +68867,10 @@ index bff31df..3b2a829 100644
+')
+
diff --git a/realmd.te b/realmd.te
-index 9a8f052..3baa71a 100644
+index 5bc878b..5736203 100644
--- a/realmd.te
+++ b/realmd.te
-@@ -1,4 +1,4 @@
--policy_module(realmd, 1.0.2)
-+policy_module(realmd, 1.0.0)
-
- ########################################
- #
-@@ -7,47 +7,89 @@ policy_module(realmd, 1.0.2)
+@@ -7,47 +7,89 @@ policy_module(realmd, 1.1.0)
type realmd_t;
type realmd_exec_t;
@@ -70109,34 +69046,38 @@ index 9a8f052..3baa71a 100644
+ unconfined_domain_noaudit(realmd_consolehelper_t)
')
diff --git a/redis.fc b/redis.fc
-new file mode 100644
-index 0000000..638d6b4
---- /dev/null
+index e240ac9..638d6b4 100644
+--- a/redis.fc
+++ b/redis.fc
-@@ -0,0 +1,11 @@
-+/etc/rc\.d/init\.d/redis -- gen_context(system_u:object_r:redis_initrc_exec_t,s0)
-+
+@@ -1,9 +1,11 @@
+ /etc/rc\.d/init\.d/redis -- gen_context(system_u:object_r:redis_initrc_exec_t,s0)
+
+-/usr/sbin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0)
+/usr/lib/systemd/system/redis.* -- gen_context(system_u:object_r:redis_unit_file_t,s0)
-+
+
+-/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0)
+/usr/sbin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0)
-+
+
+-/var/log/redis(/.*)? gen_context(system_u:object_r:redis_log_t,s0)
+/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0)
-+
+
+-/var/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0)
+/var/log/redis(/.*)? gen_context(system_u:object_r:redis_log_t,s0)
+
+/var/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0)
diff --git a/redis.if b/redis.if
-new file mode 100644
-index 0000000..72a2d7b
---- /dev/null
+index 16c8ecb..9fc0cb9 100644
+--- a/redis.if
+++ b/redis.if
-@@ -0,0 +1,271 @@
-+
-+## redis-server SELinux policy
-+
-+########################################
-+##
-+## Execute TEMPLATE in the redis domin.
+@@ -1,9 +1,224 @@
+-## Advanced key-value store.
++## Advanced key-value store
+
+ ########################################
+ ##
+-## All of the rules required to
+-## administrate an redis environment.
++## Execute redis server in the redis domin.
+##
+##
+##
@@ -70170,6 +69111,7 @@ index 0000000..72a2d7b
+
+ init_labeled_script_domtrans($1, redis_initrc_exec_t)
+')
++
+########################################
+##
+## Read redis's log files.
@@ -70179,7 +69121,6 @@ index 0000000..72a2d7b
+## Domain allowed access.
+##
+##
-+##
+#
+interface(`redis_read_log',`
+ gen_require(`
@@ -70342,134 +69283,72 @@ index 0000000..72a2d7b
+ ')
+
+ systemd_exec_systemctl($1)
-+ systemd_read_fifo_file_password_run($1)
++ systemd_read_fifo_file_password_run($1)
+ allow $1 redis_unit_file_t:file read_file_perms;
+ allow $1 redis_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, redis_t)
+')
+
-+
+########################################
+##
+## All of the rules required to administrate
+## an redis environment
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+##
-+##
-+## Role allowed access.
-+##
-+##
-+##
-+#
-+interface(`redis_admin',`
-+ gen_require(`
-+ type redis_t;
-+ type redis_initrc_exec_t;
-+ type redis_log_t;
-+ type redis_var_lib_t;
-+ type redis_var_run_t;
-+ type redis_unit_file_t;
-+ ')
-+
-+ allow $1 redis_t:process { ptrace signal_perms };
-+ ps_process_pattern($1, redis_t)
-+
-+ redis_initrc_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 redis_initrc_exec_t system_r;
-+ allow $2 system_r;
-+
-+ logging_search_logs($1)
+ ##
+ ##
+ ##
+@@ -20,7 +235,7 @@
+ interface(`redis_admin',`
+ gen_require(`
+ type redis_t, redis_initrc_exec_t, redis_var_lib_t;
+- type redis_log_t, redis_var_run_t;
++ type redis_log_t, redis_var_run_t, redis_unit_file_t;
+ ')
+
+ allow $1 redis_t:process { ptrace signal_perms };
+@@ -32,11 +247,20 @@ interface(`redis_admin',`
+ allow $2 system_r;
+
+ logging_search_logs($1)
+- admin_pattern($!, redis_log_t)
+ admin_pattern($1, redis_log_t)
-+
-+ files_search_var_lib($1)
-+ admin_pattern($1, redis_var_lib_t)
-+
-+ files_search_pids($1)
-+ admin_pattern($1, redis_var_run_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, redis_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, redis_var_run_t)
+
+ redis_systemctl($1)
+ admin_pattern($1, redis_unit_file_t)
+ allow $1 redis_unit_file_t:service all_service_perms;
++
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
-+')
+ ')
diff --git a/redis.te b/redis.te
-new file mode 100644
-index 0000000..e5e9cf7
---- /dev/null
+index 25cd417..178198b 100644
+--- a/redis.te
+++ b/redis.te
-@@ -0,0 +1,62 @@
-+policy_module(redis, 1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type redis_t;
-+type redis_exec_t;
-+init_daemon_domain(redis_t, redis_exec_t)
-+
-+type redis_initrc_exec_t;
-+init_script_file(redis_initrc_exec_t)
-+
-+type redis_log_t;
-+logging_log_file(redis_log_t)
-+
-+type redis_var_lib_t;
-+files_type(redis_var_lib_t)
-+
-+type redis_var_run_t;
-+files_pid_file(redis_var_run_t)
-+
+@@ -21,6 +21,9 @@ files_type(redis_var_lib_t)
+ type redis_var_run_t;
+ files_pid_file(redis_var_run_t)
+
+type redis_unit_file_t;
+systemd_unit_file(redis_unit_file_t)
+
-+########################################
-+#
-+# redis local policy
-+#
-+
-+allow redis_t self:process { setrlimit signal_perms };
-+allow redis_t self:fifo_file rw_fifo_file_perms;
-+allow redis_t self:unix_stream_socket create_stream_socket_perms;
-+allow redis_t self:tcp_socket create_stream_socket_perms;
-+
-+manage_dirs_pattern(redis_t, redis_log_t, redis_log_t)
-+manage_files_pattern(redis_t, redis_log_t, redis_log_t)
-+manage_lnk_files_pattern(redis_t, redis_log_t, redis_log_t)
-+
-+manage_dirs_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
-+manage_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
-+manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
-+
-+manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t)
-+manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
-+manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
-+
-+kernel_read_system_state(redis_t)
-+
-+corenet_tcp_bind_generic_node(redis_t)
-+corenet_tcp_bind_redis_port(redis_t)
-+
-+dev_read_sysfs(redis_t)
-+dev_read_urand(redis_t)
-+
-+logging_send_syslog_msg(redis_t)
-+
-+miscfiles_read_localization(redis_t)
-+
-+sysnet_dns_name_resolve(redis_t)
-+
+ ########################################
+ #
+ # Local policy
+@@ -60,6 +63,4 @@ dev_read_urand(redis_t)
+
+ logging_send_syslog_msg(redis_t)
+
+-miscfiles_read_localization(redis_t)
+-
+ sysnet_dns_name_resolve(redis_t)
diff --git a/remotelogin.fc b/remotelogin.fc
index 327baf0..d8691bd 100644
--- a/remotelogin.fc
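Review bot: redis.if ends up with two spellings of what looks like one systemd interface: the patch adds `systemd_read_fifo_file_password_run($1)` to redis_systemctl, while the upstream redis_admin body kept as context further down calls `systemd_read_fifo_file_passwd_run($1)`. At most one of these names can be declared in systemd.if, and the policy build would likely reject the undefined one, so please check which the systemd module actually provides and use it in both places (note the redis_admin call is wrapped in optional_policy while the redis_systemctl one is not). The correction of the upstream `admin_pattern($!, redis_log_t)` typo to `$1` in the same hunk looks right.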
@@ -70548,15 +69427,9 @@ index a9ce68e..31be971 100644
- allow $1 remote_login_tmp_t:file relabel_file_perms;
-')
diff --git a/remotelogin.te b/remotelogin.te
-index c51a32c..bef8238 100644
+index ae30871..43fd6e8 100644
--- a/remotelogin.te
+++ b/remotelogin.te
-@@ -1,4 +1,4 @@
--policy_module(remotelogin, 1.7.2)
-+policy_module(remotelogin, 1.7.0)
-
- ########################################
- #
@@ -10,12 +10,9 @@ domain_interactive_fd(remote_login_t)
auth_login_pgm_domain(remote_login_t)
auth_login_entry_type(remote_login_t)
@@ -70669,7 +69542,7 @@ index c51a32c..bef8238 100644
')
diff --git a/resmgr.te b/resmgr.te
-index 6f219b3..6bef328 100644
+index f6eb358..e4fc73d 100644
--- a/resmgr.te
+++ b/resmgr.te
@@ -42,7 +42,6 @@ dev_getattr_scanner_dev(resmgrd_t)
@@ -70916,16 +69789,10 @@ index 1c2f9aa..a4133dc 100644
+ allow $1 rgmanager_var_lib_t:dir search_dir_perms;
+')
diff --git a/rgmanager.te b/rgmanager.te
-index b418d1c..1ad9c12 100644
+index c8a1e16..2d409bf 100644
--- a/rgmanager.te
+++ b/rgmanager.te
-@@ -1,4 +1,4 @@
--policy_module(rgmanager, 1.2.2)
-+policy_module(rgmanager, 1.2.0)
-
- ########################################
- #
-@@ -6,10 +6,9 @@ policy_module(rgmanager, 1.2.2)
+@@ -6,10 +6,9 @@ policy_module(rgmanager, 1.3.0)
#
##
@@ -71253,7 +70120,7 @@ index 47de2d6..98a4280 100644
+/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
+/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0)
diff --git a/rhcs.if b/rhcs.if
-index 56bc01f..2e4d698 100644
+index c8bdea2..2e4d698 100644
--- a/rhcs.if
+++ b/rhcs.if
@@ -1,19 +1,19 @@
@@ -71297,7 +70164,7 @@ index 56bc01f..2e4d698 100644
manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
-- files_pid_filetrans($1_t, $1_var_run_t, { dir file fifo_file })
+- files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file fifo_file })
+ files_pid_filetrans($1_t, $1_var_run_t, { file sock_file fifo_file })
- optional_policy(`
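Review bot: The patch now removes `dir` from the class list in `files_pid_filetrans($1_t, $1_var_run_t, { file sock_file fifo_file })`, which the new upstream line above carries; unless that is deliberate, a directory the templated daemon creates under /var/run would no longer transition to `$1_var_run_t` and would keep the parent's label. If dropping it is intended, a one-line reason in the patch would keep the next rebase from restoring it; if not, the inner change collapses to a no-op and this hunk can go. The enclosing template starts before this hunk.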
@@ -71998,7 +70865,7 @@ index 56bc01f..2e4d698 100644
+ allow $1 cluster_unit_file_t:service all_service_perms;
')
diff --git a/rhcs.te b/rhcs.te
-index 2c2de9a..26fba30 100644
+index 6cf79c4..d4169cb 100644
--- a/rhcs.te
+++ b/rhcs.te
@@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)
@@ -73248,7 +72115,7 @@ index 6dbc905..78746ef 100644
- admin_pattern($1, rhsmcertd_lock_t)
')
diff --git a/rhsmcertd.te b/rhsmcertd.te
-index 1cedd70..0369e30 100644
+index d32e1a2..73051fc 100644
--- a/rhsmcertd.te
+++ b/rhsmcertd.te
@@ -30,14 +30,13 @@ files_pid_file(rhsmcertd_var_run_t)
@@ -73269,7 +72136,7 @@ index 1cedd70..0369e30 100644
manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t)
files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file)
-@@ -52,21 +51,39 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
+@@ -52,23 +51,39 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
kernel_read_network_state(rhsmcertd_t)
kernel_read_system_state(rhsmcertd_t)
@@ -73291,10 +72158,10 @@ index 1cedd70..0369e30 100644
+
+auth_read_passwd(rhsmcertd_t)
+ init_read_state(rhsmcertd_t)
+
-miscfiles_read_localization(rhsmcertd_t)
-miscfiles_read_generic_certs(rhsmcertd_t)
-+init_read_state(rhsmcertd_t)
-+
+logging_send_syslog_msg(rhsmcertd_t)
+
+miscfiles_manage_cert_files(rhsmcertd_t)
@@ -73547,7 +72414,7 @@ index 2ab3ed1..23d579c 100644
role_transition $2 ricci_initrc_exec_t system_r;
allow $2 system_r;
diff --git a/ricci.te b/ricci.te
-index 9702ed2..a265af9 100644
+index 0ba2569..64a0237 100644
--- a/ricci.te
+++ b/ricci.te
@@ -115,7 +115,6 @@ kernel_read_system_state(ricci_t)
@@ -73730,10 +72597,10 @@ index 050479d..0e1b364 100644
type rlogind_home_t;
')
diff --git a/rlogin.te b/rlogin.te
-index d34cdec..15d7ca6 100644
+index ee27948..2a5413a 100644
--- a/rlogin.te
+++ b/rlogin.te
-@@ -30,7 +30,9 @@ files_pid_file(rlogind_var_run_t)
+@@ -34,7 +34,9 @@ files_pid_file(rlogind_var_run_t)
allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
allow rlogind_t self:process signal_perms;
allow rlogind_t self:fifo_file rw_fifo_file_perms;
@@ -73744,7 +72611,7 @@ index d34cdec..15d7ca6 100644
allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
term_create_pty(rlogind_t, rlogind_devpts_t)
-@@ -39,7 +41,6 @@ allow rlogind_t rlogind_home_t:file read_file_perms;
+@@ -45,7 +47,6 @@ allow rlogind_t rlogind_keytab_t:file read_file_perms;
manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
@@ -73752,24 +72619,15 @@ index d34cdec..15d7ca6 100644
manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t)
files_pid_filetrans(rlogind_t, rlogind_var_run_t, file)
-@@ -50,7 +51,6 @@ kernel_read_kernel_sysctls(rlogind_t)
+@@ -56,7 +57,6 @@ kernel_read_kernel_sysctls(rlogind_t)
kernel_read_system_state(rlogind_t)
kernel_read_network_state(rlogind_t)
-corenet_all_recvfrom_unlabeled(rlogind_t)
corenet_all_recvfrom_netlabel(rlogind_t)
corenet_tcp_sendrecv_generic_if(rlogind_t)
- corenet_udp_sendrecv_generic_if(rlogind_t)
-@@ -58,6 +58,8 @@ corenet_tcp_sendrecv_generic_node(rlogind_t)
- corenet_udp_sendrecv_generic_node(rlogind_t)
- corenet_tcp_sendrecv_all_ports(rlogind_t)
- corenet_udp_sendrecv_all_ports(rlogind_t)
-+corenet_tcp_bind_rlogin_port(rlogind_t)
-+corenet_tcp_bind_rlogind_port(rlogind_t)
-
- dev_read_urand(rlogind_t)
-
-@@ -67,6 +69,7 @@ fs_getattr_all_fs(rlogind_t)
+ corenet_tcp_sendrecv_generic_node(rlogind_t)
+@@ -73,6 +73,7 @@ fs_getattr_all_fs(rlogind_t)
fs_search_auto_mountpoints(rlogind_t)
auth_domtrans_chk_passwd(rlogind_t)
@@ -73777,7 +72635,7 @@ index d34cdec..15d7ca6 100644
auth_rw_login_records(rlogind_t)
auth_use_nsswitch(rlogind_t)
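Review bot: The patch stops adding `corenet_tcp_bind_rlogin_port(rlogind_t)` and `corenet_tcp_bind_rlogind_port(rlogind_t)` to rlogin.te, and nothing in this hunk shows the new base providing them; the shifted inner offsets (@@ -30 → @@ -34) and the new rlogind_keytab_t context only suggest upstream grew. If the new upstream rlogin.te does not contain both calls, rlogind_t loses permission to bind its listening port and the service will fail in enforcing mode with an AVC denial, so please confirm against the base file before dropping the lines.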
-@@ -77,30 +80,23 @@ init_rw_utmp(rlogind_t)
+@@ -83,29 +84,23 @@ init_rw_utmp(rlogind_t)
logging_send_syslog_msg(rlogind_t)
@@ -73809,25 +72667,26 @@ index d34cdec..15d7ca6 100644
+rlogin_read_home_content(rlogind_t)
optional_policy(`
- kerberos_keytab_template(rlogind, rlogind_t)
+ kerberos_read_keytab(rlogind_t)
- kerberos_tmp_filetrans_host_rcache(rlogind_t, file, "host_0")
-- kerberos_manage_host_rcache(rlogind_t)
+ kerberos_tmp_filetrans_host_rcache(rlogind_t, "host_0")
+ kerberos_manage_host_rcache(rlogind_t)
+ kerberos_use(rlogind_t)
')
-
- optional_policy(`
diff --git a/rngd.fc b/rngd.fc
-index 5dd779e..276eb3a 100644
+index fa19aa8..90eb481 100644
--- a/rngd.fc
+++ b/rngd.fc
-@@ -1,3 +1,5 @@
+@@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
+/usr/lib/systemd/system/rngd.* -- gen_context(system_u:object_r:rngd_unit_file_t,s0)
+
/usr/sbin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0)
+
+ /var/run/rngd\.pid -- gen_context(system_u:object_r:rngd_var_run_t,s0)
diff --git a/rngd.if b/rngd.if
-index 0e759a2..9c83bc9 100644
+index 13f788f..e01572a 100644
--- a/rngd.if
+++ b/rngd.if
@@ -2,6 +2,28 @@
@@ -73859,15 +72718,15 @@ index 0e759a2..9c83bc9 100644
## All of the rules required to
## administrate an rng environment.
##
-@@ -17,16 +39,24 @@
+@@ -17,14 +39,18 @@
##
##
#
-interface(`rngd_admin',`
+interface(`rng_admin',`
gen_require(`
-- type rngd_t, rngd_initrc_exec_t;
-+ type rngd_t, rngd_initrc_exec_t, rngd_unit_file_t;
+- type rngd_t, rngd_initrc_exec_t, rngd_var_run_t;
++ type rngd_t, rngd_initrc_exec_t, rngd_var_run_t, rngd_unit_file_t;
')
- allow $1 rngd_t:process { ptrace signal_perms };
@@ -73881,14 +72740,17 @@ index 0e759a2..9c83bc9 100644
init_labeled_script_domtrans($1, rngd_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 rngd_initrc_exec_t system_r;
- allow $2 system_r;
+@@ -32,4 +58,8 @@ interface(`rngd_admin',`
+
+ files_search_pids($1)
+ admin_pattern($1, rngd_var_run_t)
+
+ rng_systemctl_rngd($1)
+ admin_pattern($1, rngd_unit_file_t)
+ allow $1 rngd_unit_file_t:service all_service_perms;
')
diff --git a/rngd.te b/rngd.te
-index 35c1427..2519caa 100644
+index a7b7717..861aa31 100644
--- a/rngd.te
+++ b/rngd.te
@@ -12,6 +12,9 @@ init_daemon_domain(rngd_t, rngd_exec_t)
@@ -73898,10 +72760,10 @@ index 35c1427..2519caa 100644
+type rngd_unit_file_t;
+systemd_unit_file(rngd_unit_file_t)
+
- ########################################
- #
- # Local policy
-@@ -29,8 +32,5 @@ dev_read_urand(rngd_t)
+ type rngd_var_run_t;
+ files_pid_file(rngd_var_run_t)
+
+@@ -35,8 +38,5 @@ dev_read_urand(rngd_t)
dev_rw_tpm(rngd_t)
dev_write_rand(rngd_t)
@@ -73928,7 +72790,7 @@ index 975bb6a..ce4f5ea 100644
init_labeled_script_domtrans($1, roundup_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/roundup.te b/roundup.te
-index 353960c..3b74aae 100644
+index ccb5991..189ac01 100644
--- a/roundup.te
+++ b/roundup.te
@@ -41,7 +41,6 @@ kernel_read_proc_symlinks(roundup_t)
@@ -74005,7 +72867,7 @@ index a6fb30c..b0c22f7 100644
+/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
+
diff --git a/rpc.if b/rpc.if
-index 3bd6446..eec0a35 100644
+index 0bf13c2..d59aef7 100644
--- a/rpc.if
+++ b/rpc.if
@@ -1,4 +1,4 @@
@@ -74035,19 +72897,12 @@ index 3bd6446..eec0a35 100644
template(`rpc_domain_template',`
gen_require(`
- attribute rpc_domain;
-+ type var_lib_nfs_t;
++ attribute rpc_domain;
')
########################################
-@@ -36,18 +42,86 @@ template(`rpc_domain_template',`
- # Declarations
- #
+@@ -42,12 +48,19 @@ template(`rpc_domain_template',`
-- type $1_t, rpc_domain;
-+ type $1_t;
- type $1_exec_t;
- init_daemon_domain($1_t, $1_exec_t)
--
domain_use_interactive_fds($1_t)
- ########################################
@@ -74057,80 +72912,18 @@ index 3bd6446..eec0a35 100644
+ # Local Policy
#
-+ dontaudit $1_t self:capability { net_admin sys_tty_config };
-+ allow $1_t self:capability net_bind_service;
-+ allow $1_t self:process signal_perms;
-+ allow $1_t self:unix_dgram_socket create_socket_perms;
-+ allow $1_t self:unix_stream_socket create_stream_socket_perms;
-+ allow $1_t self:tcp_socket create_stream_socket_perms;
-+ allow $1_t self:udp_socket create_socket_perms;
-+
-+ manage_dirs_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t)
-+ manage_files_pattern($1_t, var_lib_nfs_t, var_lib_nfs_t)
-+
-+ kernel_list_proc($1_t)
-+ kernel_read_proc_symlinks($1_t)
-+ kernel_read_kernel_sysctls($1_t)
-+ # bind to arbitary unused ports
-+ kernel_rw_rpc_sysctls($1_t)
-+
-+ dev_read_sysfs($1_t)
-+ dev_read_urand($1_t)
-+ dev_read_rand($1_t)
-+
-+ corenet_all_recvfrom_netlabel($1_t)
-+ corenet_tcp_sendrecv_generic_if($1_t)
-+ corenet_udp_sendrecv_generic_if($1_t)
-+ corenet_tcp_sendrecv_generic_node($1_t)
-+ corenet_udp_sendrecv_generic_node($1_t)
-+ corenet_tcp_sendrecv_all_ports($1_t)
-+ corenet_udp_sendrecv_all_ports($1_t)
-+ corenet_tcp_bind_generic_node($1_t)
-+ corenet_udp_bind_generic_node($1_t)
-+ corenet_tcp_bind_reserved_port($1_t)
-+ corenet_tcp_connect_all_ports($1_t)
-+ corenet_sendrecv_portmap_client_packets($1_t)
-+ # do not log when it tries to bind to a port belonging to another domain
-+ corenet_dontaudit_tcp_bind_all_ports($1_t)
-+ corenet_dontaudit_udp_bind_all_ports($1_t)
-+ # bind to arbitary unused ports
-+ corenet_tcp_bind_generic_port($1_t)
-+ corenet_udp_bind_generic_port($1_t)
-+ corenet_tcp_bind_all_rpc_ports($1_t)
-+ corenet_udp_bind_all_rpc_ports($1_t)
-+ corenet_sendrecv_generic_server_packets($1_t)
-+
-+ fs_rw_rpc_named_pipes($1_t)
-+ fs_search_auto_mountpoints($1_t)
++ kernel_read_system_state($1_t)
+
-+ files_read_etc_files($1_t)
-+ files_read_etc_runtime_files($1_t)
-+ files_search_var($1_t)
-+ files_search_var_lib($1_t)
-+ files_list_home($1_t)
++ corenet_all_recvfrom_unlabeled($1_t)
++ corenet_all_recvfrom_netlabel($1_t)
+
auth_use_nsswitch($1_t)
+
+ logging_send_syslog_msg($1_t)
-+
-+
-+ userdom_dontaudit_use_unpriv_user_fds($1_t)
-+
-+ optional_policy(`
-+ rpcbind_stream_connect($1_t)
-+ ')
-+
-+ optional_policy(`
-+ seutil_sigchld_newrole($1_t)
-+ ')
-+
-+ optional_policy(`
-+ udev_read_db($1_t)
-+ ')
')
########################################
-@@ -66,8 +140,8 @@ interface(`rpc_udp_send',`
+@@ -66,8 +79,8 @@ interface(`rpc_udp_send',`
########################################
##
@@ -74141,7 +72934,7 @@ index 3bd6446..eec0a35 100644
##
##
##
-@@ -80,12 +154,12 @@ interface(`rpc_dontaudit_getattr_exports',`
+@@ -80,12 +93,12 @@ interface(`rpc_dontaudit_getattr_exports',`
type exports_t;
')
@@ -74156,7 +72949,7 @@ index 3bd6446..eec0a35 100644
##
##
##
-@@ -103,7 +177,7 @@ interface(`rpc_read_exports',`
+@@ -103,7 +116,7 @@ interface(`rpc_read_exports',`
########################################
##
@@ -74165,7 +72958,7 @@ index 3bd6446..eec0a35 100644
##
##
##
-@@ -116,12 +190,12 @@ interface(`rpc_write_exports',`
+@@ -116,12 +129,12 @@ interface(`rpc_write_exports',`
type exports_t;
')
@@ -74180,7 +72973,7 @@ index 3bd6446..eec0a35 100644
##
##
##
-@@ -134,14 +208,12 @@ interface(`rpc_domtrans_nfsd',`
+@@ -134,14 +147,12 @@ interface(`rpc_domtrans_nfsd',`
type nfsd_t, nfsd_exec_t;
')
@@ -74196,7 +72989,7 @@ index 3bd6446..eec0a35 100644
##
##
##
-@@ -159,7 +231,7 @@ interface(`rpc_initrc_domtrans_nfsd',`
+@@ -159,7 +170,7 @@ interface(`rpc_initrc_domtrans_nfsd',`
########################################
##
@@ -74205,7 +72998,7 @@ index 3bd6446..eec0a35 100644
##
##
##
-@@ -167,120 +239,126 @@ interface(`rpc_initrc_domtrans_nfsd',`
+@@ -167,120 +178,126 @@ interface(`rpc_initrc_domtrans_nfsd',`
##
##
#
@@ -74375,7 +73168,7 @@ index 3bd6446..eec0a35 100644
##
##
##
-@@ -312,7 +390,7 @@ interface(`rpc_udp_send_nfs',`
+@@ -312,7 +329,7 @@ interface(`rpc_udp_send_nfs',`
########################################
##
@@ -74384,7 +73177,7 @@ index 3bd6446..eec0a35 100644
##
##
##
-@@ -326,12 +404,12 @@ interface(`rpc_search_nfs_state_data',`
+@@ -326,12 +343,12 @@ interface(`rpc_search_nfs_state_data',`
')
files_search_var_lib($1)
@@ -74399,7 +73192,7 @@ index 3bd6446..eec0a35 100644
##
##
##
-@@ -339,19 +417,18 @@ interface(`rpc_search_nfs_state_data',`
+@@ -339,19 +356,18 @@ interface(`rpc_search_nfs_state_data',`
##
##
#
@@ -74422,7 +73215,7 @@ index 3bd6446..eec0a35 100644
##
##
##
-@@ -359,62 +436,31 @@ interface(`rpc_read_nfs_state_data',`
+@@ -359,34 +375,54 @@ interface(`rpc_read_nfs_state_data',`
##
##
#
@@ -74448,62 +73241,48 @@ index 3bd6446..eec0a35 100644
## Domain allowed access.
##
##
--##
--##
--## Role allowed access.
--##
--##
--##
- #
--interface(`rpc_admin',`
++#
+interface(`rpc_manage_nfs_state_data',`
- gen_require(`
-- attribute rpc_domain;
-- type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t;
-- type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t;
-- type nfsd_ro_t, nfsd_rw_t;
++ gen_require(`
+ type var_lib_nfs_t;
- ')
-
-- allow $1 rpc_domain:process { ptrace signal_perms };
-- ps_process_pattern($1, rpc_domain)
--
-- init_labeled_script_domtrans($1, { nfsd_initrc_exec_t rpcd_initrc_exec_t })
-- domain_system_change_exemption($1)
-- role_transition $2 { nfsd_initrc_exec_t rpcd_initrc_exec_t } system_r;
-- allow $2 system_r;
--
-- files_list_etc($1)
-- admin_pattern($1, exports_t)
--
-- files_list_var_lib($1)
-- admin_pattern($1, var_lib_nfs_t)
--
-- files_list_pids($1)
-- admin_pattern($1, rpcd_var_run_t)
--
-- files_list_all($1)
-- admin_pattern($1, { nfsd_ro_t nfsd_rw_t })
--
-- files_list_tmp($1)
-- admin_pattern($1, gssd_tmp_t)
--
-- fs_search_nfsd_fs($1)
++ ')
++
+ files_search_var_lib($1)
+ manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
- ')
++')
++
++#######################################
++##
++## All of the rules required to
++## administrate an rpc environment.
++##
++##
++##
++## Domain allowed access.
++##
++##
+ ##
+-##
+-## Role allowed access.
+-##
++##
++## Role allowed access.
++##
+ ##
+ ##
+ #
+ interface(`rpc_admin',`
+- gen_require(`
++ gen_require(`
+ attribute rpc_domain;
+ type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t;
+ type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t;
diff --git a/rpc.te b/rpc.te
-index e5212e6..022f7fc 100644
+index 2da9fca..b96da60 100644
--- a/rpc.te
+++ b/rpc.te
-@@ -1,4 +1,4 @@
--policy_module(rpc, 1.14.6)
-+policy_module(rpc, 1.14.0)
-
- ########################################
- #
-@@ -6,24 +6,20 @@ policy_module(rpc, 1.14.6)
+@@ -6,22 +6,20 @@ policy_module(rpc, 1.15.1)
#
##
@@ -74532,13 +73311,11 @@ index e5212e6..022f7fc 100644
+##
##
-gen_tunable(allow_nfsd_anon_write, false)
--
--attribute rpc_domain;
+gen_tunable(nfsd_anon_write, false)
- type exports_t;
- files_config_file(exports_t)
-@@ -36,110 +32,49 @@ files_tmp_file(gssd_tmp_t)
+ attribute rpc_domain;
+
+@@ -39,21 +37,23 @@ files_tmp_file(gssd_tmp_t)
type rpcd_var_run_t;
files_pid_file(rpcd_var_run_t)
@@ -74567,77 +73344,50 @@ index e5212e6..022f7fc 100644
type var_lib_nfs_t;
files_mountpoint(var_lib_nfs_t)
+@@ -71,7 +71,6 @@ allow rpc_domain self:tcp_socket { accept listen };
+ manage_dirs_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t)
+ manage_files_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t)
- ########################################
- #
--# Common rpc domain local policy
--#
--
--dontaudit rpc_domain self:capability { net_admin sys_tty_config };
--allow rpc_domain self:process signal_perms;
--allow rpc_domain self:unix_stream_socket { accept listen };
--allow rpc_domain self:tcp_socket { accept listen };
--
--manage_dirs_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t)
--manage_files_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t)
--
-kernel_read_system_state(rpc_domain)
--kernel_read_kernel_sysctls(rpc_domain)
--kernel_rw_rpc_sysctls(rpc_domain)
--
--dev_read_sysfs(rpc_domain)
--dev_read_urand(rpc_domain)
--dev_read_rand(rpc_domain)
--
+ kernel_read_kernel_sysctls(rpc_domain)
+ kernel_rw_rpc_sysctls(rpc_domain)
+
+@@ -79,8 +78,6 @@ dev_read_sysfs(rpc_domain)
+ dev_read_urand(rpc_domain)
+ dev_read_rand(rpc_domain)
+
-corenet_all_recvfrom_unlabeled(rpc_domain)
-corenet_all_recvfrom_netlabel(rpc_domain)
--corenet_tcp_sendrecv_generic_if(rpc_domain)
--corenet_udp_sendrecv_generic_if(rpc_domain)
--corenet_tcp_sendrecv_generic_node(rpc_domain)
--corenet_udp_sendrecv_generic_node(rpc_domain)
--corenet_tcp_sendrecv_all_ports(rpc_domain)
--corenet_udp_sendrecv_all_ports(rpc_domain)
--corenet_tcp_bind_generic_node(rpc_domain)
--corenet_udp_bind_generic_node(rpc_domain)
--
--corenet_sendrecv_all_server_packets(rpc_domain)
--corenet_tcp_bind_reserved_port(rpc_domain)
--corenet_tcp_connect_all_ports(rpc_domain)
--corenet_sendrecv_portmap_client_packets(rpc_domain)
--corenet_dontaudit_tcp_bind_all_ports(rpc_domain)
--corenet_dontaudit_udp_bind_all_ports(rpc_domain)
--corenet_tcp_bind_generic_port(rpc_domain)
--corenet_udp_bind_generic_port(rpc_domain)
--corenet_tcp_bind_all_rpc_ports(rpc_domain)
--corenet_udp_bind_all_rpc_ports(rpc_domain)
--
--fs_rw_rpc_named_pipes(rpc_domain)
--fs_search_auto_mountpoints(rpc_domain)
--
--files_read_etc_runtime_files(rpc_domain)
--files_read_usr_files(rpc_domain)
--files_list_home(rpc_domain)
--
+ corenet_tcp_sendrecv_generic_if(rpc_domain)
+ corenet_udp_sendrecv_generic_if(rpc_domain)
+ corenet_tcp_sendrecv_generic_node(rpc_domain)
+@@ -108,41 +105,42 @@ files_read_etc_runtime_files(rpc_domain)
+ files_read_usr_files(rpc_domain)
+ files_list_home(rpc_domain)
+
-logging_send_syslog_msg(rpc_domain)
-
-miscfiles_read_localization(rpc_domain)
-
--userdom_dontaudit_use_unpriv_user_fds(rpc_domain)
--
--optional_policy(`
+ userdom_dontaudit_use_unpriv_user_fds(rpc_domain)
+
+ optional_policy(`
- rpcbind_stream_connect(rpc_domain)
--')
--
--optional_policy(`
++ rpcbind_stream_connect(rpc_domain)
+ ')
+
+ optional_policy(`
- seutil_sigchld_newrole(rpc_domain)
--')
--
--optional_policy(`
++ seutil_sigchld_newrole(rpc_domain)
+ ')
+
+ optional_policy(`
- udev_read_db(rpc_domain)
--')
--
--########################################
--#
++ udev_read_db(rpc_domain)
+ ')
+
+ ########################################
+ #
-# Local policy
+# RPC local policy
#
@@ -74662,7 +73412,7 @@ index e5212e6..022f7fc 100644
kernel_read_sysctl(rpcd_t)
kernel_rw_fs_sysctls(rpcd_t)
kernel_dontaudit_getattr_core_if(rpcd_t)
-@@ -160,13 +95,14 @@ fs_getattr_all_fs(rpcd_t)
+@@ -163,13 +161,14 @@ fs_getattr_all_fs(rpcd_t)
storage_getattr_fixed_disk_dev(rpcd_t)
@@ -74678,9 +73428,9 @@ index e5212e6..022f7fc 100644
+userdom_signal_unpriv_users(rpcd_t)
+userdom_read_user_home_content_files(rpcd_t)
- optional_policy(`
- automount_signal(rpcd_t)
-@@ -174,19 +110,23 @@ optional_policy(`
+ ifdef(`distro_debian',`
+ term_dontaudit_use_unallocated_ttys(rpcd_t)
+@@ -181,19 +180,23 @@ optional_policy(`
')
optional_policy(`
@@ -74708,7 +73458,7 @@ index e5212e6..022f7fc 100644
')
########################################
-@@ -195,41 +135,56 @@ optional_policy(`
+@@ -202,41 +205,56 @@ optional_policy(`
#
allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
@@ -74773,7 +73523,7 @@ index e5212e6..022f7fc 100644
miscfiles_manage_public_files(nfsd_t)
')
-@@ -238,7 +193,6 @@ tunable_policy(`nfs_export_all_rw',`
+@@ -245,7 +263,6 @@ tunable_policy(`nfs_export_all_rw',`
dev_getattr_all_chr_files(nfsd_t)
fs_read_noxattr_fs_files(nfsd_t)
@@ -74781,7 +73531,7 @@ index e5212e6..022f7fc 100644
')
tunable_policy(`nfs_export_all_ro',`
-@@ -250,12 +204,12 @@ tunable_policy(`nfs_export_all_ro',`
+@@ -257,12 +274,12 @@ tunable_policy(`nfs_export_all_ro',`
fs_read_noxattr_fs_files(nfsd_t)
@@ -74796,7 +73546,7 @@ index e5212e6..022f7fc 100644
')
########################################
-@@ -271,6 +225,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+@@ -280,6 +297,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
@@ -74804,7 +73554,7 @@ index e5212e6..022f7fc 100644
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_request_load_module(gssd_t)
-@@ -279,25 +234,29 @@ kernel_signal(gssd_t)
+@@ -288,25 +306,29 @@ kernel_signal(gssd_t)
corecmd_exec_bin(gssd_t)
@@ -74837,20 +73587,20 @@ index e5212e6..022f7fc 100644
')
optional_policy(`
-@@ -306,8 +265,11 @@ optional_policy(`
+@@ -314,9 +336,12 @@ optional_policy(`
+ ')
optional_policy(`
- kerberos_keytab_template(gssd, gssd_t)
-- kerberos_manage_host_rcache(gssd_t)
-- kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")
-+ kerberos_tmp_filetrans_host_rcache(gssd_t, "nfs_0")
++ gssproxy_stream_connect(gssd_t)
+')
-+
+optional_policy(`
-+ gssproxy_stream_connect(gssd_t)
+ kerberos_manage_host_rcache(gssd_t)
+ kerberos_read_keytab(gssd_t)
+- kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")
++ kerberos_tmp_filetrans_host_rcache(gssd_t, "nfs_0")
+ kerberos_use(gssd_t)
')
- optional_policy(`
diff --git a/rpcbind.if b/rpcbind.if
index 3b5e9ee..ff1163f 100644
--- a/rpcbind.if
@@ -75006,7 +73756,7 @@ index 3b5e9ee..ff1163f 100644
+ admin_pattern($1, rpcbind_var_run_t)
')
diff --git a/rpcbind.te b/rpcbind.te
-index c49828c..56cb0c2 100644
+index 54de77c..cb05fbf 100644
--- a/rpcbind.te
+++ b/rpcbind.te
@@ -42,7 +42,6 @@ kernel_read_system_state(rpcbind_t)
@@ -75017,21 +73767,19 @@ index c49828c..56cb0c2 100644
corenet_all_recvfrom_netlabel(rpcbind_t)
corenet_tcp_sendrecv_generic_if(rpcbind_t)
corenet_udp_sendrecv_generic_if(rpcbind_t)
-@@ -62,12 +61,11 @@ corecmd_exec_shell(rpcbind_t)
-
- domain_use_interactive_fds(rpcbind_t)
-
--files_read_etc_files(rpcbind_t)
- files_read_etc_runtime_files(rpcbind_t)
+@@ -68,7 +67,11 @@ auth_use_nsswitch(rpcbind_t)
--logging_send_syslog_msg(rpcbind_t)
-+auth_use_nsswitch(rpcbind_t)
+ logging_send_syslog_msg(rpcbind_t)
-miscfiles_read_localization(rpcbind_t)
-+logging_send_syslog_msg(rpcbind_t)
-
- sysnet_dns_name_resolve(rpcbind_t)
++sysnet_dns_name_resolve(rpcbind_t)
++
++optional_policy(`
++ nis_use_ypbind(rpcbind_t)
++')
+ ifdef(`distro_debian',`
+ term_dontaudit_use_unallocated_ttys(rpcbind_t)
diff --git a/rpm.fc b/rpm.fc
index ebe91fc..6392cad 100644
--- a/rpm.fc
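Review bot: The two rules added to rpcbind.te on the new side, `sysnet_dns_name_resolve(rpcbind_t)` and the optional `nis_use_ypbind(rpcbind_t)`, look redundant next to `auth_use_nsswitch(rpcbind_t)`, which the inner hunk header shows is already in this block of the new base. In reference policy `auth_use_nsswitch` itself pulls in DNS name resolution and an optional ypbind rule, so if the authlogin.if in this patch set does the same these lines add nothing and can be dropped. If the Fedora variant does not, a one-line comment such as `# auth_use_nsswitch does not cover DNS/ypbind here` above them would stop the next rebase from removing them as duplicates. Worth checking against authlogin.if before merging.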
@@ -75154,7 +73902,7 @@ index ebe91fc..6392cad 100644
+/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
')
diff --git a/rpm.if b/rpm.if
-index 0628d50..cafc027 100644
+index ef3b225..fbef499 100644
--- a/rpm.if
+++ b/rpm.if
@@ -1,8 +1,8 @@
@@ -75385,12 +74133,10 @@ index 0628d50..cafc027 100644
- logging_search_logs($1)
- append_files_pattern($1, rpm_log_t, rpm_log_t)
+ allow $1 rpm_log_t:file append_inherited_file_perms;
- ')
-
- ########################################
- ##
--## Create, read, write, and delete
--## rpm log files.
++')
++
++########################################
++##
+## Create, read, write, and delete the RPM log.
+##
+##
@@ -75405,10 +74151,12 @@ index 0628d50..cafc027 100644
+ ')
+
+ read_files_pattern($1, rpm_log_t, rpm_log_t)
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Create, read, write, and delete
+-## rpm log files.
+## Create, read, write, and delete the RPM log.
##
##
@@ -75595,7 +74343,7 @@ index 0628d50..cafc027 100644
##
##
##
-@@ -573,94 +670,72 @@ interface(`rpm_manage_pid_files',`
+@@ -573,66 +670,104 @@ interface(`rpm_manage_pid_files',`
##
#
interface(`rpm_pid_filetrans',`
@@ -75625,119 +74373,120 @@ index 0628d50..cafc027 100644
-##
-##
-##
--##
++#
++interface(`rpm_inherited_fifo',`
++ gen_require(`
++ attribute rpm_transition_domain;
++ ')
++
++ allow $1 rpm_transition_domain:fifo_file rw_inherited_fifo_file_perms;
++')
++
++
++########################################
++##
++## Make rpm_exec_t an entry point for
++## the specified domain.
++##
++##
+ ##
-## The name of the object being created.
--##
--##
- #
++## Domain allowed access.
+ ##
+ ##
+-#
-interface(`rpm_pid_filetrans_rpm_pid',`
-+interface(`rpm_inherited_fifo',`
++#
++interface(`rpm_entry_type',`
gen_require(`
- type rpm_var_run_t;
-+ attribute rpm_transition_domain;
++ type rpm_exec_t;
')
- files_pid_filetrans($1, rpm_var_run_t, $3, $4)
-+ allow $1 rpm_transition_domain:fifo_file rw_inherited_fifo_file_perms;
++ domain_entry_file($1, rpm_exec_t)
')
-+
########################################
##
-## All of the rules required to
-## administrate an rpm environment.
-+## Make rpm_exec_t an entry point for
-+## the specified domain.
++## Allow application to transition to rpm_script domain.
##
##
##
## Domain allowed access.
##
##
--##
-+#
-+interface(`rpm_entry_type',`
++#
++interface(`rpm_transition_script',`
+ gen_require(`
-+ type rpm_exec_t;
++ type rpm_script_t;
++ attribute rpm_transition_domain;
+ ')
+
-+ domain_entry_file($1, rpm_exec_t)
++ typeattribute $1 rpm_transition_domain;
++ allow $1 rpm_script_t:process transition;
++
++ allow $1 rpm_script_t:fd use;
++ allow rpm_script_t $1:fd use;
++ allow rpm_script_t $1:fifo_file rw_fifo_file_perms;
++ allow rpm_script_t $1:process sigchld;
+')
+
-+########################################
++#######################################
+##
-+## Allow application to transition to rpm_script domain.
++## All of the rules required to
++## administrate an rpm environment.
+##
+##
- ##
++##
++## Domain allowed access.
++##
++##
+ ##
+-##
-## Role allowed access.
-+## Domain allowed access.
- ##
+-##
++##
++## Role allowed access.
++##
##
--##
+ ##
#
--interface(`rpm_admin',`
-+interface(`rpm_transition_script',`
- gen_require(`
+ interface(`rpm_admin',`
+- gen_require(`
- type rpm_t, rpm_script_t, rpm_initrc_exec_t;
- type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t;
- type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t;
- type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t;
-+ type rpm_script_t;
-+ attribute rpm_transition_domain;
- ')
+- ')
++ gen_require(`
++ type rpm_t, rpm_script_t, rpm_initrc_exec_t;
++ type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t;
++
++ type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t;
++ type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t;
++ ')
- allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { rpm_t rpm_script_t })
-+ typeattribute $1 rpm_transition_domain;
-+ allow $1 rpm_script_t:process transition;
++ allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms };
++ ps_process_pattern($1, { rpm_t rpm_script_t })
-- init_labeled_script_domtrans($1, rpm_initrc_exec_t)
-- domain_system_change_exemption($1)
-- role_transition $2 rpm_initrc_exec_t system_r;
-- allow $2 system_r;
--
-- admin_pattern($1, rpm_file_t)
--
-- files_list_var($1)
-- admin_pattern($1, rpm_cache_t)
--
-- files_list_tmp($1)
-- admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t })
--
-- files_list_var_lib($1)
-- admin_pattern($1, rpm_var_lib_t)
--
-- files_search_locks($1)
-- admin_pattern($1, rpm_lock_t)
--
-- logging_list_logs($1)
-- admin_pattern($1, rpm_log_t)
--
-- files_list_pids($1)
-- admin_pattern($1, rpm_var_run_t)
--
-- fs_search_tmpfs($1)
-- admin_pattern($1, { rpm_tmpfs_t rpm_script_tmpfs_t }
--
-- rpm_run($1, $2)
-+ allow $1 rpm_script_t:fd use;
-+ allow rpm_script_t $1:fd use;
-+ allow rpm_script_t $1:fifo_file rw_fifo_file_perms;
-+ allow rpm_script_t $1:process sigchld;
- ')
+ init_labeled_script_domtrans($1, rpm_initrc_exec_t)
+ domain_system_change_exemption($1)
diff --git a/rpm.te b/rpm.te
-index 5cbe81c..5b28e97 100644
+index 6fc360e..dfa0f04 100644
--- a/rpm.te
+++ b/rpm.te
@@ -1,15 +1,13 @@
--policy_module(rpm, 1.15.3)
-+policy_module(rpm, 1.15.0)
-+
+ policy_module(rpm, 1.16.0)
+
+attribute rpm_transition_domain;
+attribute_role rpm_script_roles;
+roleattribute system_r rpm_script_roles;
-
++
########################################
#
# Declarations
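Review bot: In the new `rpm_transition_script` interface the rule `allow rpm_script_t $1:fifo_file rw_fifo_file_perms;` grants the full set including `open`, while the sibling `rpm_inherited_fifo` interface added in the same hunk deliberately uses `rw_inherited_fifo_file_perms`. The pipes rpm_script_t touches here are the ones inherited from the calling domain across the transition (the hunk also grants `fd use` in both directions), so the narrower inherited set should suffice and keeps a scriptlet from opening fresh fifos of the caller's type; suggest `allow rpm_script_t $1:fifo_file rw_inherited_fifo_file_perms;`. As a minor style point, the banner above `rpm_admin` is one `#` shorter (39 vs 40) than every other banner in the file. Note that the body of `rpm_admin` continues past the end of this hunk, so the remainder of its rules was not reviewed.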
@@ -76238,14 +74987,10 @@ index 7ad29c0..2e87d76 100644
domtrans_pattern($1, rshd_exec_t, rshd_t)
')
diff --git a/rshd.te b/rshd.te
-index f842825..24cf46d 100644
+index 864e089..925203c 100644
--- a/rshd.te
+++ b/rshd.te
-@@ -1,62 +1,75 @@
--policy_module(rshd, 1.7.1)
-+policy_module(rshd, 1.7.0)
-
- ########################################
+@@ -4,11 +4,12 @@ policy_module(rshd, 1.8.1)
#
# Declarations
#
@@ -76258,7 +75003,9 @@ index f842825..24cf46d 100644
+domain_role_change_exemption(rshd_t)
+role system_r types rshd_t;
- ########################################
+ type rshd_keytab_t;
+ files_type(rshd_keytab_t)
+@@ -17,9 +18,8 @@ files_type(rshd_keytab_t)
#
# Local policy
#
@@ -76269,6 +75016,8 @@ index f842825..24cf46d 100644
allow rshd_t self:fifo_file rw_fifo_file_perms;
allow rshd_t self:tcp_socket create_stream_socket_perms;
+@@ -27,41 +27,56 @@ allow rshd_t rshd_keytab_t:file read_file_perms;
+
kernel_read_kernel_sysctls(rshd_t)
-corenet_all_recvfrom_unlabeled(rshd_t)
@@ -76330,14 +75079,15 @@ index f842825..24cf46d 100644
+userdom_home_reader(rshd_t)
optional_policy(`
- kerberos_keytab_template(rshd, rshd_t)
-- kerberos_manage_host_rcache(rshd_t)
+ kerberos_manage_host_rcache(rshd_t)
+ kerberos_read_keytab(rshd_t)
- kerberos_tmp_filetrans_host_rcache(rshd_t, file, "host_0")
++ kerberos_tmp_filetrans_host_rcache(rshd_t, "host_0")
+ kerberos_use(rshd_t)
')
- optional_policy(`
diff --git a/rssh.te b/rssh.te
-index d1fd97f..7ee8502 100644
+index 5c5465f..6005932 100644
--- a/rssh.te
+++ b/rssh.te
@@ -60,18 +60,14 @@ manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t)
@@ -76381,7 +75131,7 @@ index d25301b..f3eeec7 100644
/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0)
+/var/run/swift_server\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0)
diff --git a/rsync.if b/rsync.if
-index f1140ef..8afe362 100644
+index f1140ef..642e062 100644
--- a/rsync.if
+++ b/rsync.if
@@ -1,16 +1,32 @@
@@ -76398,10 +75148,10 @@ index f1140ef..8afe362 100644
+##
+##
+#
-+interface(`sendmail_stub',`
-+gen_require(`
-+type sendmail_t;
-+')
++interface(`rsync_stub',`
++ gen_require(`
++ type rsync_t;
++ ')
+')
########################################
@@ -76659,16 +75409,10 @@ index f1140ef..8afe362 100644
+ files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock")
')
diff --git a/rsync.te b/rsync.te
-index e3e7c96..ec50426 100644
+index abeb302..382a1bf 100644
--- a/rsync.te
+++ b/rsync.te
-@@ -1,4 +1,4 @@
--policy_module(rsync, 1.12.2)
-+policy_module(rsync, 1.12.0)
-
- ########################################
- #
-@@ -6,67 +6,45 @@ policy_module(rsync, 1.12.2)
+@@ -6,67 +6,45 @@ policy_module(rsync, 1.13.0)
#
##
@@ -77173,7 +75917,7 @@ index 0000000..4e6663f
+logging_read_generic_logs(rtas_errd_t)
+
diff --git a/rtkit.if b/rtkit.if
-index bd35afe..051addd 100644
+index e904ec4..e0dd20e 100644
--- a/rtkit.if
+++ b/rtkit.if
@@ -15,7 +15,6 @@ interface(`rtkit_daemon_domtrans',`
@@ -77184,7 +75928,7 @@ index bd35afe..051addd 100644
domtrans_pattern($1, rtkit_daemon_exec_t, rtkit_daemon_t)
')
-@@ -42,55 +41,43 @@ interface(`rtkit_daemon_dbus_chat',`
+@@ -42,56 +41,47 @@ interface(`rtkit_daemon_dbus_chat',`
########################################
##
@@ -77208,6 +75952,7 @@ index bd35afe..051addd 100644
- allow rtkit_daemon_t $1:process { getsched setsched };
-
+- kernel_search_proc($1)
- ps_process_pattern(rtkit_daemon_t, $1)
-
- optional_policy(`
@@ -77245,18 +75990,21 @@ index bd35afe..051addd 100644
- allow $1 rtkit_daemon_t:process { ptrace signal_perms };
- ps_process_pattern($1, rtkit_daemon_t)
--
++ allow rtkit_daemon_t $1:process { getsched setsched };
++
++ kernel_search_proc($1)
++ ps_process_pattern(rtkit_daemon_t, $1)
+
- init_labeled_script_domtrans($1, rtkit_daemon_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 rtkit_daemon_initrc_exec_t system_r;
- allow $2 system_r;
-+ kernel_search_proc($1)
-+ ps_process_pattern(rtkit_daemon_t, $1)
-+ allow rtkit_daemon_t $1:process { getsched setsched };
-+ rtkit_daemon_dbus_chat($1)
++ optional_policy(`
++ rtkit_daemon_dbus_chat($1)
++ ')
')
diff --git a/rtkit.te b/rtkit.te
-index 3f5a8ef..29a8e9e 100644
+index 7eea21f..7140646 100644
--- a/rtkit.te
+++ b/rtkit.te
@@ -31,8 +31,6 @@ auth_use_nsswitch(rtkit_daemon_t)
@@ -77286,7 +76034,7 @@ index 0360ff0..e6cb34f 100644
init_labeled_script_domtrans($1, rwho_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/rwho.te b/rwho.te
-index 9927d29..6746952 100644
+index 7fb75f4..27f5e22 100644
--- a/rwho.te
+++ b/rwho.te
@@ -16,7 +16,7 @@ type rwho_log_t;
@@ -77425,7 +76173,7 @@ index b8b66ff..2ccac49 100644
+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+')
diff --git a/samba.if b/samba.if
-index aee75af..a6bab06 100644
+index 50d07fb..bada62f 100644
--- a/samba.if
+++ b/samba.if
@@ -1,8 +1,12 @@
@@ -78090,33 +76838,25 @@ index aee75af..a6bab06 100644
##
##
##
-@@ -684,41 +840,71 @@ interface(`samba_stream_connect_winbind',`
- interface(`samba_admin',`
- gen_require(`
- type nmbd_t, nmbd_var_run_t, smbd_var_run_t;
-- type smbd_t, smbd_tmp_t, smbd_spool_t;
-- type samba_log_t, samba_var_t, samba_secrets_t;
-- type samba_etc_t, samba_share_t, samba_initrc_exec_t;
-- type swat_var_run_t, swat_tmp_t, winbind_log_t;
-- type winbind_var_run_t, winbind_tmp_t;
-+ type smbd_t, smbd_tmp_t, samba_secrets_t;
-+ type samba_initrc_exec_t, samba_log_t, samba_var_t;
-+ type samba_etc_t, samba_share_t, winbind_log_t;
-+ type swat_var_run_t, swat_tmp_t, samba_unconfined_script_exec_t;
-+ type winbind_var_run_t, winbind_tmp_t, samba_unconfined_script_t;
-+ type samba_unit_file_t;
- ')
-
-- allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms };
-- ps_process_pattern($1, { nmbd_t smbd_t })
+@@ -689,11 +845,28 @@ interface(`samba_admin',`
+ type samba_etc_t, samba_share_t, samba_initrc_exec_t;
+ type swat_var_run_t, swat_tmp_t, winbind_log_t;
+ type winbind_var_run_t, winbind_tmp_t;
+- type smbd_keytab_t;
++ type smbd_keytab_t, samba_unit_file_t;
++ ')
++
+ allow $1 smbd_t:process signal_perms;
+ ps_process_pattern($1, smbd_t)
++
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 smbd_t:process ptrace;
+ allow $1 nmbd_t:process ptrace;
+ allow $1 samba_unconfined_script_t:process ptrace;
-+ ')
-+
+ ')
+
+- allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms };
+- ps_process_pattern($1, { nmbd_t smbd_t })
+ allow $1 nmbd_t:process signal_perms;
+ ps_process_pattern($1, nmbd_t)
+
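Review bot: The `deny_ptrace` tunable block in `samba_admin` references `samba_unconfined_script_t` (`allow $1 samba_unconfined_script_t:process ptrace;`), but the rebased gen_require visible here only adds `samba_unit_file_t` to the upstream type list, whereas the previous version of this patch explicitly required `samba_unconfined_script_t` and `samba_unconfined_script_exec_t`. Unless an earlier, non-visible hunk of this gen_require declares it, the interface will fail to build because the type is not in scope; the fix is to extend the changed line to `type smbd_keytab_t, samba_unit_file_t, samba_unconfined_script_t;`. The gen_require itself starts above this hunk, so please confirm the earlier lines before merging.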
@@ -78130,14 +76870,9 @@ index aee75af..a6bab06 100644
init_labeled_script_domtrans($1, samba_initrc_exec_t)
domain_system_change_exemption($1)
- role_transition $2 samba_initrc_exec_t system_r;
- allow $2 system_r;
-
-- files_list_etc($1)
-+ admin_pattern($1, nmbd_var_run_t)
-+
- admin_pattern($1, samba_etc_t)
-+ files_list_etc($1)
+@@ -703,23 +876,34 @@ interface(`samba_admin',`
+ files_list_etc($1)
+ admin_pattern($1, { samba_etc_t smbd_keytab_t })
+ admin_pattern($1, samba_log_t)
logging_list_logs($1)
@@ -78182,16 +76917,10 @@ index aee75af..a6bab06 100644
+ allow $1 samba_unit_file_t:service all_service_perms;
')
diff --git a/samba.te b/samba.te
-index 57c034b..9e91107 100644
+index 2b7c441..d768a98 100644
--- a/samba.te
+++ b/samba.te
-@@ -1,4 +1,4 @@
--policy_module(samba, 1.15.7)
-+policy_module(samba, 1.15.0)
-
- #################################
- #
-@@ -6,100 +6,80 @@ policy_module(samba, 1.15.7)
+@@ -6,100 +6,80 @@ policy_module(samba, 1.16.3)
#
##
@@ -78355,7 +77084,7 @@ index 57c034b..9e91107 100644
type smbd_t;
type smbd_exec_t;
-@@ -149,9 +132,10 @@ type smbd_var_run_t;
+@@ -152,9 +135,10 @@ type smbd_var_run_t;
files_pid_file(smbd_var_run_t)
type smbmount_t;
@@ -78368,7 +77097,7 @@ index 57c034b..9e91107 100644
type swat_t;
type swat_exec_t;
-@@ -170,27 +154,29 @@ type winbind_exec_t;
+@@ -173,28 +157,29 @@ type winbind_exec_t;
init_daemon_domain(winbind_t, winbind_exec_t)
type winbind_helper_t;
@@ -78396,7 +77125,7 @@ index 57c034b..9e91107 100644
#
-
allow samba_net_t self:capability { sys_chroot sys_nice dac_read_search dac_override };
-+allow samba_net_t self:capability2 block_suspend;
+ allow samba_net_t self:capability2 block_suspend;
allow samba_net_t self:process { getsched setsched };
-allow samba_net_t self:unix_stream_socket { accept listen };
+allow samba_net_t self:unix_dgram_socket create_socket_perms;
@@ -78406,7 +77135,7 @@ index 57c034b..9e91107 100644
allow samba_net_t samba_etc_t:file read_file_perms;
-@@ -206,17 +192,22 @@ manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
+@@ -210,17 +195,22 @@ manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
files_var_filetrans(samba_net_t, samba_var_t, dir, "samba")
@@ -78433,7 +77162,7 @@ index 57c034b..9e91107 100644
dev_read_urand(samba_net_t)
-@@ -229,15 +220,16 @@ auth_manage_cache(samba_net_t)
+@@ -233,15 +223,16 @@ auth_manage_cache(samba_net_t)
logging_send_syslog_msg(samba_net_t)
@@ -78454,7 +77183,7 @@ index 57c034b..9e91107 100644
')
optional_policy(`
-@@ -245,44 +237,56 @@ optional_policy(`
+@@ -249,46 +240,58 @@ optional_policy(`
')
optional_policy(`
@@ -78494,16 +77223,18 @@ index 57c034b..9e91107 100644
+allow smbd_t self:udp_socket create_socket_perms;
+allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
++
++allow smbd_t nmbd_t:process { signal signull };
-allow smbd_t { swat_t winbind_t smbcontrol_t nmbd_t }:process { signal signull };
-+allow smbd_t nmbd_t:process { signal signull };
-+
+allow smbd_t nmbd_var_run_t:file rw_file_perms;
+stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
-allow smbd_t samba_etc_t:file { rw_file_perms setattr_file_perms };
+allow smbd_t samba_etc_t:file { rw_file_perms setattr };
+ allow smbd_t smbd_keytab_t:file read_file_perms;
+
manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t)
-append_files_pattern(smbd_t, samba_log_t, samba_log_t)
-create_files_pattern(smbd_t, samba_log_t, samba_log_t)
@@ -78523,7 +77254,7 @@ index 57c034b..9e91107 100644
manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
allow smbd_t samba_share_t:filesystem { getattr quotaget };
-@@ -292,6 +296,8 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
+@@ -298,6 +301,8 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
@@ -78532,7 +77263,7 @@ index 57c034b..9e91107 100644
manage_dirs_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
-@@ -301,11 +307,11 @@ manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
+@@ -307,11 +312,11 @@ manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file })
@@ -78548,7 +77279,7 @@ index 57c034b..9e91107 100644
kernel_getattr_core_if(smbd_t)
kernel_getattr_message_if(smbd_t)
-@@ -315,43 +321,33 @@ kernel_read_kernel_sysctls(smbd_t)
+@@ -321,43 +326,33 @@ kernel_read_kernel_sysctls(smbd_t)
kernel_read_software_raid_state(smbd_t)
kernel_read_system_state(smbd_t)
@@ -78603,7 +77334,7 @@ index 57c034b..9e91107 100644
fs_getattr_all_fs(smbd_t)
fs_getattr_all_dirs(smbd_t)
fs_get_xattr_fs_quotas(smbd_t)
-@@ -360,44 +356,54 @@ fs_getattr_rpc_dirs(smbd_t)
+@@ -366,44 +361,54 @@ fs_getattr_rpc_dirs(smbd_t)
fs_list_inotifyfs(smbd_t)
fs_get_all_fs_quotas(smbd_t)
@@ -78669,7 +77400,7 @@ index 57c034b..9e91107 100644
')
tunable_policy(`samba_domain_controller',`
-@@ -413,20 +419,10 @@ tunable_policy(`samba_domain_controller',`
+@@ -419,20 +424,10 @@ tunable_policy(`samba_domain_controller',`
')
tunable_policy(`samba_enable_home_dirs',`
@@ -78692,7 +77423,7 @@ index 57c034b..9e91107 100644
tunable_policy(`samba_share_nfs',`
fs_manage_nfs_dirs(smbd_t)
fs_manage_nfs_files(smbd_t)
-@@ -435,6 +431,7 @@ tunable_policy(`samba_share_nfs',`
+@@ -441,6 +436,7 @@ tunable_policy(`samba_share_nfs',`
fs_manage_nfs_named_sockets(smbd_t)
')
@@ -78700,7 +77431,7 @@ index 57c034b..9e91107 100644
tunable_policy(`samba_share_fusefs',`
fs_manage_fusefs_dirs(smbd_t)
fs_manage_fusefs_files(smbd_t)
-@@ -442,17 +439,6 @@ tunable_policy(`samba_share_fusefs',`
+@@ -448,17 +444,6 @@ tunable_policy(`samba_share_fusefs',`
fs_search_fusefs(smbd_t)
')
@@ -78718,7 +77449,7 @@ index 57c034b..9e91107 100644
optional_policy(`
ccs_read_config(smbd_t)
')
-@@ -460,6 +446,7 @@ optional_policy(`
+@@ -466,6 +451,7 @@ optional_policy(`
optional_policy(`
ctdbd_stream_connect(smbd_t)
ctdbd_manage_lib_files(smbd_t)
@@ -78726,7 +77457,7 @@ index 57c034b..9e91107 100644
')
optional_policy(`
-@@ -473,6 +460,11 @@ optional_policy(`
+@@ -479,6 +465,11 @@ optional_policy(`
')
optional_policy(`
@@ -78738,7 +77469,7 @@ index 57c034b..9e91107 100644
lpd_exec_lpr(smbd_t)
')
-@@ -493,9 +485,33 @@ optional_policy(`
+@@ -499,9 +490,33 @@ optional_policy(`
udev_read_db(smbd_t)
')
@@ -78773,7 +77504,7 @@ index 57c034b..9e91107 100644
#
dontaudit nmbd_t self:capability sys_tty_config;
-@@ -506,9 +522,11 @@ allow nmbd_t self:msg { send receive };
+@@ -512,9 +527,11 @@ allow nmbd_t self:msg { send receive };
allow nmbd_t self:msgq create_msgq_perms;
allow nmbd_t self:sem create_sem_perms;
allow nmbd_t self:shm create_shm_perms;
@@ -78788,7 +77519,7 @@ index 57c034b..9e91107 100644
manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-@@ -520,20 +538,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
+@@ -526,20 +543,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
@@ -78812,7 +77543,7 @@ index 57c034b..9e91107 100644
kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t)
-@@ -542,52 +555,41 @@ kernel_read_network_state(nmbd_t)
+@@ -548,52 +560,41 @@ kernel_read_network_state(nmbd_t)
kernel_read_software_raid_state(nmbd_t)
kernel_read_system_state(nmbd_t)
@@ -78878,7 +77609,7 @@ index 57c034b..9e91107 100644
')
optional_policy(`
-@@ -600,19 +602,26 @@ optional_policy(`
+@@ -606,16 +607,22 @@ optional_policy(`
########################################
#
@@ -78903,20 +77634,15 @@ index 57c034b..9e91107 100644
+read_files_pattern(smbcontrol_t, smbd_var_run_t, smbd_var_run_t)
+allow smbcontrol_t winbind_t:process { signal signull };
-+files_search_var_lib(smbcontrol_t)
- samba_read_config(smbcontrol_t)
--samba_rw_var_files(smbcontrol_t)
-+manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
- samba_search_var(smbcontrol_t)
- samba_read_winbind_pid(smbcontrol_t)
+ manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
-@@ -620,16 +629,12 @@ domain_use_interactive_fds(smbcontrol_t)
+@@ -627,16 +634,11 @@ domain_use_interactive_fds(smbcontrol_t)
dev_read_urand(smbcontrol_t)
-files_read_etc_files(smbcontrol_t)
-files_search_var_lib(smbcontrol_t)
-
+-
term_use_console(smbcontrol_t)
-miscfiles_read_localization(smbcontrol_t)
@@ -78928,7 +77654,7 @@ index 57c034b..9e91107 100644
optional_policy(`
ctdbd_stream_connect(smbcontrol_t)
-@@ -637,22 +642,23 @@ optional_policy(`
+@@ -644,22 +646,23 @@ optional_policy(`
########################################
#
@@ -78960,7 +77686,7 @@ index 57c034b..9e91107 100644
allow smbmount_t samba_secrets_t:file manage_file_perms;
-@@ -661,26 +667,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
+@@ -668,26 +671,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
@@ -78996,7 +77722,7 @@ index 57c034b..9e91107 100644
fs_getattr_cifs(smbmount_t)
fs_mount_cifs(smbmount_t)
-@@ -692,58 +694,77 @@ fs_read_cifs_files(smbmount_t)
+@@ -699,58 +698,77 @@ fs_read_cifs_files(smbmount_t)
storage_raw_read_fixed_disk(smbmount_t)
storage_raw_write_fixed_disk(smbmount_t)
@@ -79088,7 +77814,7 @@ index 57c034b..9e91107 100644
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -752,17 +773,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
+@@ -759,17 +777,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
files_pid_filetrans(swat_t, swat_var_run_t, file)
@@ -79112,7 +77838,7 @@ index 57c034b..9e91107 100644
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
-@@ -770,36 +787,25 @@ kernel_read_network_state(swat_t)
+@@ -777,36 +791,25 @@ kernel_read_network_state(swat_t)
corecmd_search_bin(swat_t)
@@ -79155,7 +77881,7 @@ index 57c034b..9e91107 100644
auth_domtrans_chk_passwd(swat_t)
auth_use_nsswitch(swat_t)
-@@ -811,10 +817,11 @@ logging_send_syslog_msg(swat_t)
+@@ -818,10 +821,11 @@ logging_send_syslog_msg(swat_t)
logging_send_audit_msgs(swat_t)
logging_search_logs(swat_t)
@@ -79169,7 +77895,7 @@ index 57c034b..9e91107 100644
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -834,16 +841,19 @@ optional_policy(`
+@@ -841,16 +845,19 @@ optional_policy(`
#
allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
@@ -79193,7 +77919,7 @@ index 57c034b..9e91107 100644
allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
-@@ -853,9 +863,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
+@@ -860,9 +867,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
@@ -79204,7 +77930,7 @@ index 57c034b..9e91107 100644
manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
-@@ -866,23 +874,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
+@@ -873,23 +878,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
@@ -79234,7 +77960,7 @@ index 57c034b..9e91107 100644
manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
kernel_read_network_state(winbind_t)
-@@ -891,13 +897,17 @@ kernel_read_system_state(winbind_t)
+@@ -898,13 +901,17 @@ kernel_read_system_state(winbind_t)
corecmd_exec_bin(winbind_t)
@@ -79255,7 +77981,7 @@ index 57c034b..9e91107 100644
corenet_tcp_connect_smbd_port(winbind_t)
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
-@@ -905,10 +915,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
+@@ -912,10 +919,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t)
@@ -79266,7 +77992,7 @@ index 57c034b..9e91107 100644
fs_getattr_all_fs(winbind_t)
fs_search_auto_mountpoints(winbind_t)
-@@ -917,26 +923,39 @@ auth_domtrans_chk_passwd(winbind_t)
+@@ -924,26 +927,39 @@ auth_domtrans_chk_passwd(winbind_t)
auth_use_nsswitch(winbind_t)
auth_manage_cache(winbind_t)
@@ -79308,7 +78034,7 @@ index 57c034b..9e91107 100644
')
optional_policy(`
-@@ -952,31 +971,29 @@ optional_policy(`
+@@ -959,31 +975,29 @@ optional_policy(`
# Winbind helper local policy
#
@@ -79346,7 +78072,7 @@ index 57c034b..9e91107 100644
optional_policy(`
apache_append_log(winbind_helper_t)
-@@ -990,25 +1007,38 @@ optional_policy(`
+@@ -997,25 +1011,38 @@ optional_policy(`
########################################
#
@@ -79399,7 +78125,7 @@ index 57c034b..9e91107 100644
+ can_exec(smbd_t, samba_unconfined_script_exec_t)
')
diff --git a/sambagui.te b/sambagui.te
-index d9f8784..9c40dbd 100644
+index e18b0a2..463e207 100644
--- a/sambagui.te
+++ b/sambagui.te
@@ -28,14 +28,14 @@ corecmd_exec_shell(sambagui_t)
@@ -79442,7 +78168,7 @@ index f0236d6..78a792a 100644
########################################
diff --git a/samhain.te b/samhain.te
-index 931312b..bd9a4c7 100644
+index c41ce4b..8837e4c 100644
--- a/samhain.te
+++ b/samhain.te
@@ -88,8 +88,6 @@ auth_read_login_records(samhain_domain)
@@ -80648,16 +79374,10 @@ index cd6c213..34b861a 100644
+ allow $1 sanlock_unit_file_t:service all_service_perms;
')
diff --git a/sanlock.te b/sanlock.te
-index a34eac4..b144d40 100644
+index 0045465..7d3129e 100644
--- a/sanlock.te
+++ b/sanlock.te
-@@ -1,4 +1,4 @@
--policy_module(sanlock, 1.0.2)
-+policy_module(sanlock,1.0.0)
-
- ########################################
- #
-@@ -6,21 +6,26 @@ policy_module(sanlock, 1.0.2)
+@@ -6,21 +6,26 @@ policy_module(sanlock, 1.1.0)
#
##
@@ -80813,7 +79533,7 @@ index 54f41c2..7e58679 100644
+/var/lib/sasl2(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0)
/var/run/saslauthd(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0)
diff --git a/sasl.if b/sasl.if
-index b2f388a..3e6a93f 100644
+index 8c3c151..93b7227 100644
--- a/sasl.if
+++ b/sasl.if
@@ -1,4 +1,4 @@
@@ -80833,35 +79553,26 @@ index b2f388a..3e6a93f 100644
##
##
##
-@@ -38,11 +38,15 @@ interface(`sasl_connect',`
- #
- interface(`sasl_admin',`
- gen_require(`
-- type saslauthd_t, saslauthd_var_run_t, saslauthd_initrc_exec_t;
-+ type saslauthd_t, saslauthd_var_run_t;
-+ type saslauthd_initrc_exec_t;
+@@ -42,9 +42,13 @@ interface(`sasl_admin',`
+ type saslauthd_keytab_t;
')
- allow $1 saslauthd_t:process { ptrace signal_perms };
+ allow $1 saslauthd_t:process signal_perms;
ps_process_pattern($1, saslauthd_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 saslauthd_t:process ptrace;
+ ')
-
++
init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
domain_system_change_exemption($1)
+ role_transition $2 saslauthd_initrc_exec_t system_r;
diff --git a/sasl.te b/sasl.te
-index a63b875..1c9e41b 100644
+index 6c3bc20..14e8575 100644
--- a/sasl.te
+++ b/sasl.te
-@@ -1,4 +1,4 @@
--policy_module(sasl, 1.14.3)
-+policy_module(sasl, 1.14.0)
-
- ########################################
- #
-@@ -6,12 +6,11 @@ policy_module(sasl, 1.14.3)
+@@ -6,12 +6,11 @@ policy_module(sasl, 1.15.1)
#
##
@@ -80878,7 +79589,7 @@ index a63b875..1c9e41b 100644
type saslauthd_t;
type saslauthd_exec_t;
-@@ -32,7 +31,9 @@ allow saslauthd_t self:capability { setgid setuid sys_nice };
+@@ -35,7 +34,9 @@ allow saslauthd_t self:capability { setgid setuid sys_nice };
dontaudit saslauthd_t self:capability sys_tty_config;
allow saslauthd_t self:process { setsched signal_perms };
allow saslauthd_t self:fifo_file rw_fifo_file_perms;
@@ -80887,9 +79598,9 @@ index a63b875..1c9e41b 100644
+allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
+allow saslauthd_t self:tcp_socket create_socket_perms;
- manage_dirs_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
- manage_files_pattern(saslauthd_t, saslauthd_var_run_t, saslauthd_var_run_t)
-@@ -43,29 +44,20 @@ kernel_read_kernel_sysctls(saslauthd_t)
+ allow saslauthd_t saslauthd_keytab_t:file read_file_perms;
+
+@@ -48,29 +49,20 @@ kernel_read_kernel_sysctls(saslauthd_t)
kernel_read_system_state(saslauthd_t)
kernel_rw_afs_state(saslauthd_t)
@@ -80925,7 +79636,7 @@ index a63b875..1c9e41b 100644
fs_getattr_all_fs(saslauthd_t)
fs_search_auto_mountpoints(saslauthd_t)
-@@ -73,33 +65,37 @@ selinux_compute_access_vector(saslauthd_t)
+@@ -78,20 +70,25 @@ selinux_compute_access_vector(saslauthd_t)
auth_use_pam(saslauthd_t)
@@ -80955,12 +79666,13 @@ index a63b875..1c9e41b 100644
allow saslauthd_t self:capability dac_override;
auth_tunable_read_shadow(saslauthd_t)
')
-
+@@ -99,13 +96,13 @@ tunable_policy(`allow_saslauthd_read_shadow',`
optional_policy(`
-+ kerberos_tmp_filetrans_host_rcache(saslauthd_t, "host_0")
- kerberos_keytab_template(saslauthd, saslauthd_t)
-- kerberos_manage_host_rcache(saslauthd_t)
+ kerberos_read_keytab(saslauthd_t)
+ kerberos_manage_host_rcache(saslauthd_t)
- kerberos_tmp_filetrans_host_rcache(saslauthd_t, file, "host_0")
++ kerberos_tmp_filetrans_host_rcache(saslauthd_t, "host_0")
+ kerberos_use(saslauthd_t)
')
optional_policy(`
@@ -81087,10 +79799,10 @@ index 98c9e0a..df51942 100644
files_search_pids($1)
admin_pattern($1, sblim_var_run_t)
diff --git a/sblim.te b/sblim.te
-index 4a23d84..62df1db 100644
+index 299756b..d252327 100644
--- a/sblim.te
+++ b/sblim.te
-@@ -7,13 +7,11 @@ policy_module(sblim, 1.0.3)
+@@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0)
attribute sblim_domain;
@@ -81221,17 +79933,12 @@ index 4a23d84..62df1db 100644
+domain_read_all_domains_state(sblim_sfcbd_t)
+domain_use_interactive_fds(sblim_sfcbd_t)
diff --git a/screen.fc b/screen.fc
-index ac04d27..b73334e 100644
+index e7c2cf7..435aaa6 100644
--- a/screen.fc
+++ b/screen.fc
-@@ -1,8 +1,19 @@
--HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
--HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0)
-+#
-+# /home
-+#
-+HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0)
-+HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
+@@ -2,8 +2,10 @@ HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
+ HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0)
+ HOME_DIR/\.tmux\.conf -- gen_context(system_u:object_r:screen_home_t,s0)
-/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
-/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
@@ -81239,19 +79946,13 @@ index ac04d27..b73334e 100644
-/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
-/var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
-+#
-+# /usr
-+#
+/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
+/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
+
-+#
-+# /var
-+#
+/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
+/var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
diff --git a/screen.if b/screen.if
-index c21ddcc..4dd623e 100644
+index be5cce2..a7a8a67 100644
--- a/screen.if
+++ b/screen.if
@@ -1,4 +1,4 @@
@@ -81272,7 +79973,7 @@ index c21ddcc..4dd623e 100644
')
########################################
-@@ -35,49 +34,48 @@ template(`screen_role_template',`
+@@ -35,50 +34,52 @@ template(`screen_role_template',`
#
type $1_screen_t, screen_domain;
@@ -81313,9 +80014,6 @@ index c21ddcc..4dd623e 100644
- allow $3 screen_home_t:file { manage_file_perms relabel_file_perms };
- allow $3 screen_home_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
- allow $3 screen_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
--
-- userdom_user_home_dir_filetrans($3, screen_home_t, dir, ".screen")
-- userdom_user_home_dir_filetrans($3, screen_home_t, file, ".screenrc")
+ manage_fifo_files_pattern($3, screen_home_t, screen_home_t)
+ manage_dirs_pattern($3, screen_home_t, screen_home_t)
+ manage_files_pattern($3, screen_home_t, screen_home_t)
@@ -81324,6 +80022,10 @@ index c21ddcc..4dd623e 100644
+ relabel_files_pattern($3, screen_home_t, screen_home_t)
+ relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
+ userdom_user_home_dir_filetrans($3, screen_home_t, dir, ".screen")
+ userdom_user_home_dir_filetrans($3, screen_home_t, file, ".screenrc")
+ userdom_user_home_dir_filetrans($3, screen_home_t, file, ".tmux.conf")
+
manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
- manage_files_pattern($3, screen_var_run_t, screen_var_run_t)
- manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t)
@@ -81346,7 +80048,7 @@ index c21ddcc..4dd623e 100644
tunable_policy(`use_samba_home_dirs',`
fs_cifs_domtrans($1_screen_t, $3)
-@@ -87,3 +85,41 @@ template(`screen_role_template',`
+@@ -88,3 +89,41 @@ template(`screen_role_template',`
fs_nfs_domtrans($1_screen_t, $3)
')
')
@@ -81389,15 +80091,10 @@ index c21ddcc..4dd623e 100644
+')
+
diff --git a/screen.te b/screen.te
-index f095081..ee69aa7 100644
+index 5466a73..ba26a6a 100644
--- a/screen.te
+++ b/screen.te
-@@ -1,13 +1,11 @@
--policy_module(screen, 2.5.3)
-+policy_module(screen, 2.5.0)
-
- ########################################
- #
+@@ -5,9 +5,7 @@ policy_module(screen, 2.6.0)
# Declarations
#
@@ -81420,7 +80117,7 @@ index f095081..ee69aa7 100644
type screen_var_run_t;
typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t };
typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t };
-@@ -30,33 +23,35 @@ ubac_constrained(screen_var_run_t)
+@@ -30,34 +23,35 @@ ubac_constrained(screen_var_run_t)
########################################
#
@@ -81435,12 +80132,13 @@ index f095081..ee69aa7 100644
-allow screen_domain self:fd use;
allow screen_domain self:fifo_file rw_fifo_file_perms;
-allow screen_domain self:tcp_socket { accept listen };
--allow screen_domain self:unix_stream_socket connectto;
+-allow screen_domain self:unix_stream_socket { accept connectto listen };
-
-manage_dirs_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
-manage_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
-manage_fifo_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
-files_tmp_filetrans(screen_domain, screen_tmp_t, { file dir })
+-filetrans_pattern(screen_domain, screen_tmp_t, screen_var_run_t, sock_file)
+allow screen_domain self:tcp_socket create_stream_socket_perms;
+allow screen_domain self:udp_socket create_socket_perms;
+# Internal screen networking
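Review bot: Upstream's `allow screen_domain self:unix_stream_socket { accept connectto listen };` and the sock_file `filetrans_pattern` into screen_var_run_t are removed here with no visible replacement, while the TCP grant widens from `{ accept listen }` to `create_stream_socket_perms` and a new UDP `create_socket_perms` is added. screen and tmux attach their client to the server over a unix socket, so unless an equivalent unix_stream_socket rule exists elsewhere in screen.te (the rest of the domain's rules are outside this hunk) this will deny attach; conversely the broadened tcp/udp rules grant create/bind/connect that a terminal multiplexer does not obviously need. I would keep the unix_stream_socket line and expand the trailing comment to say which operation needs the network sockets, e.g. `# Internal screen networking: <which feature> needs tcp/udp create+connect`, so the widening is justified rather than implicit.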
@@ -81469,7 +80167,7 @@ index f095081..ee69aa7 100644
kernel_read_kernel_sysctls(screen_domain)
corecmd_list_bin(screen_domain)
-@@ -65,55 +60,39 @@ corecmd_read_bin_symlinks(screen_domain)
+@@ -66,55 +60,39 @@ corecmd_read_bin_symlinks(screen_domain)
corecmd_read_bin_pipes(screen_domain)
corecmd_read_bin_sockets(screen_domain)
@@ -81577,16 +80275,10 @@ index c78a569..9007451 100644
- allow sectoolm_t $2:unix_dgram_socket sendto;
-')
diff --git a/sectoolm.te b/sectoolm.te
-index 8193bf1..b6a0bbd 100644
+index 4bc8c13..726ef2c 100644
--- a/sectoolm.te
+++ b/sectoolm.te
-@@ -1,4 +1,4 @@
--policy_module(sectoolm, 1.0.1)
-+policy_module(sectoolm, 1.0.0)
-
- ########################################
- #
-@@ -7,7 +7,7 @@ policy_module(sectoolm, 1.0.1)
+@@ -7,7 +7,7 @@ policy_module(sectoolm, 1.1.0)
type sectoolm_t;
type sectoolm_exec_t;
@@ -81694,7 +80386,7 @@ index d14b6bf..da5d41d 100644
+/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
+/var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
diff --git a/sendmail.if b/sendmail.if
-index 88e753f..133d993 100644
+index 35ad2a7..6f947f6 100644
--- a/sendmail.if
+++ b/sendmail.if
@@ -1,4 +1,4 @@
@@ -81703,15 +80395,6 @@ index 88e753f..133d993 100644
########################################
##
-@@ -10,7 +10,7 @@
- ##
- ##
- #
--interface(`sendmail_stub',`
-+interface(`rsync_stub',`
- gen_require(`
- type sendmail_t;
- ')
@@ -18,7 +18,8 @@ interface(`sendmail_stub',`
########################################
@@ -81738,10 +80421,7 @@ index 88e753f..133d993 100644
- corecmd_search_bin($1)
mta_sendmail_domtrans($1, sendmail_t)
+')
-
-- allow sendmail_t $1:fd use;
-- allow sendmail_t $1:fifo_file rw_fifo_file_perms;
-- allow sendmail_t $1:process sigchld;
++
+#######################################
+##
+## Execute sendmail in the sendmail domain.
@@ -81756,7 +80436,10 @@ index 88e753f..133d993 100644
+ gen_require(`
+ type sendmail_initrc_exec_t;
+ ')
-+
+
+- allow sendmail_t $1:fd use;
+- allow sendmail_t $1:fifo_file rw_fifo_file_perms;
+- allow sendmail_t $1:process sigchld;
+ init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
')
@@ -81769,7 +80452,7 @@ index 88e753f..133d993 100644
##
##
##
-@@ -70,18 +82,18 @@ interface(`sendmail_domtrans',`
+@@ -70,7 +82,7 @@ interface(`sendmail_domtrans',`
##
##
##
@@ -81778,20 +80461,51 @@ index 88e753f..133d993 100644
##
##
##
- #
- interface(`sendmail_run',`
- gen_require(`
-- attribute_role sendmail_roles;
-+ type sendmail_t;
+@@ -81,7 +93,7 @@ interface(`sendmail_run',`
')
sendmail_domtrans($1)
- roleattribute $2 sendmail_roles;
-+ role $2 types sendmail_t;
++ roleattribute $2 sendmail_roles;
')
########################################
-@@ -141,8 +153,7 @@ interface(`sendmail_dontaudit_rw_tcp_sockets',`
+@@ -102,6 +114,34 @@ interface(`sendmail_signal',`
+ allow $1 sendmail_t:process signal;
+ ')
+
++#######################################
++##
++## Execute sendmail in the unconfined
++## sendmail domain, and allow the
++## specified role the unconfined
++## sendmail domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## Role allowed access.
++##
++##
++##
++#
++interface(`sendmail_run_unconfined',`
++ gen_require(`
++ attribute_role sendmail_unconfined_roles;
++ ')
++
++ sendmail_domtrans_unconfined($1)
++ roleattribute $2 sendmail_unconfined_roles;
++')
++
+ ########################################
+ ##
+ ## Read and write sendmail TCP sockets.
+@@ -141,8 +181,7 @@ interface(`sendmail_dontaudit_rw_tcp_sockets',`
########################################
##
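Review bot: The new `sendmail_run_unconfined` interface calls `sendmail_domtrans_unconfined($1)`, but later hunks in this same file reshuffle or delete the original unconfined-sendmail interface blocks and only part of that is visible, so please confirm `sendmail_domtrans_unconfined` is still defined after the patch is applied or the module will fail with an undefined macro. Since the target domain carries `unconfined_domain(unconfined_sendmail_t)` elsewhere in this patch, granting it to a role is a full policy bypass for that role; the XML summary should state that, e.g. `## The target domain is unconfined; only grant to roles that are already unconfined.` The interface body itself starts and ends inside this hunk.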
@@ -81801,7 +80515,7 @@ index 88e753f..133d993 100644
##
##
##
-@@ -179,7 +190,7 @@ interface(`sendmail_dontaudit_rw_unix_stream_sockets',`
+@@ -179,7 +218,7 @@ interface(`sendmail_dontaudit_rw_unix_stream_sockets',`
########################################
##
@@ -81810,7 +80524,7 @@ index 88e753f..133d993 100644
##
##
##
-@@ -199,8 +210,7 @@ interface(`sendmail_read_log',`
+@@ -199,8 +238,7 @@ interface(`sendmail_read_log',`
########################################
##
@@ -81820,7 +80534,7 @@ index 88e753f..133d993 100644
##
##
##
-@@ -220,8 +230,7 @@ interface(`sendmail_manage_log',`
+@@ -220,8 +258,7 @@ interface(`sendmail_manage_log',`
########################################
##
@@ -81830,43 +80544,7 @@ index 88e753f..133d993 100644
##
##
##
-@@ -230,43 +239,16 @@ interface(`sendmail_manage_log',`
- ##
- #
- interface(`sendmail_create_log',`
-- refpolicywarn(`$0($*) has been deprecated, use sendmail_log_filetrans_sendmail_log() instead.')
-- sendmail_log_filetrans_sendmail_log($1, $2, $3)
--')
--
--########################################
--##
--## Create specified objects in generic
--## log directories sendmail log file type.
--##
--##
--##
--## Domain allowed access.
--##
--##
--##
--##
--## Class of the object being created.
--##
--##
--##
--##
--## The name of the object being created.
--##
--##
--#
--interface(`sendmail_log_filetrans_sendmail_log',`
- gen_require(`
- type sendmail_log_t;
- ')
-
-- logging_log_filetrans($1, sendmail_log_t, $2, $3)
-+ logging_log_filetrans($1, sendmail_log_t, file)
- ')
+@@ -265,8 +302,7 @@ interface(`sendmail_log_filetrans_sendmail_log',`
########################################
##
@@ -81876,14 +80554,15 @@ index 88e753f..133d993 100644
##
##
##
-@@ -285,58 +267,27 @@ interface(`sendmail_manage_tmp_files',`
+@@ -285,58 +321,27 @@ interface(`sendmail_manage_tmp_files',`
########################################
##
-## Execute sendmail in the unconfined sendmail domain.
--##
--##
--##
++## Set the attributes of sendmail pid files.
+ ##
+ ##
+ ##
-## Domain allowed to transition.
-##
-##
@@ -81906,10 +80585,9 @@ index 88e753f..133d993 100644
-## sendmail domain, and allow the
-## specified role the unconfined
-## sendmail domain.
-+## Set the attributes of sendmail pid files.
- ##
- ##
- ##
+-##
+-##
+-##
-## Domain allowed to transition.
-##
-##
@@ -81943,12 +80621,10 @@ index 88e753f..133d993 100644
##
##
##
-@@ -353,13 +304,17 @@ interface(`sendmail_run_unconfined',`
- interface(`sendmail_admin',`
- gen_require(`
+@@ -355,12 +360,17 @@ interface(`sendmail_admin',`
type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t;
-- type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t;
-+ type sendmail_tmp_t, sendmail_var_run_t;
+ type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t;
+ type sendmail_keytab_t;
+ type mail_spool_t;
')
@@ -81956,16 +80632,17 @@ index 88e753f..133d993 100644
- ps_process_pattern($1, { unconfined_sendmail_t sendmail_t })
+ allow $1 sendmail_t:process signal_perms;
+ ps_process_pattern($1, sendmail_t)
+
+- init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 sendmail_t:process ptrace;
+ ')
-
-- init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
++
+ sendmail_initrc_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 sendmail_initrc_exec_t system_r;
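Review bot: `unconfined_sendmail_t` is still pulled in by the gen_require at the top of this hunk but is no longer referenced, because `ps_process_pattern($1, sendmail_t)` and the new `signal_perms`/`ptrace` rules target only `sendmail_t`; either drop it from the require or restore `ps_process_pattern($1, { unconfined_sendmail_t sendmail_t })`, since as written the admin role silently loses the ability to list and signal unconfined sendmail processes. If that loss is intended, a comment saying so would stop the next reader from "fixing" it. Separately, `admin_pattern($1, mail_spool_t)` hands the admin full control of the generic mail spool type, which, if it is the shared MTA spool type, reaches every MTA's mail rather than only sendmail's; that deserves a one-line justification next to the rule.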
-@@ -372,6 +327,6 @@ interface(`sendmail_admin',`
+@@ -376,6 +386,6 @@ interface(`sendmail_admin',`
files_list_pids($1)
admin_pattern($1, sendmail_var_run_t)
@@ -81975,40 +80652,10 @@ index 88e753f..133d993 100644
+ admin_pattern($1, mail_spool_t)
')
diff --git a/sendmail.te b/sendmail.te
-index 5f35d78..d4003d0 100644
+index 12700b4..fde3c8d 100644
--- a/sendmail.te
+++ b/sendmail.te
-@@ -1,18 +1,10 @@
--policy_module(sendmail, 1.11.5)
-+policy_module(sendmail, 1.11.0)
-
- ########################################
- #
- # Declarations
- #
-
--attribute_role sendmail_roles;
--
--attribute_role sendmail_unconfined_roles;
--roleattribute system_r sendmail_unconfined_roles;
--
--type sendmail_initrc_exec_t;
--init_script_file(sendmail_initrc_exec_t)
--
- type sendmail_log_t;
- logging_log_file(sendmail_log_t)
-
-@@ -26,27 +18,26 @@ type sendmail_t;
- mta_sendmail_mailserver(sendmail_t)
- mta_mailserver_delivery(sendmail_t)
- mta_mailserver_sender(sendmail_t)
--role sendmail_roles types sendmail_t;
-
--type unconfined_sendmail_t;
--application_domain(unconfined_sendmail_t, sendmail_exec_t)
--role sendmail_unconfined_roles types unconfined_sendmail_t;
-+type sendmail_initrc_exec_t;
-+init_script_file(sendmail_initrc_exec_t)
+@@ -37,21 +37,23 @@ role sendmail_unconfined_roles types unconfined_sendmail_t;
########################################
#
@@ -82019,6 +80666,7 @@ index 5f35d78..d4003d0 100644
-allow sendmail_t self:capability { dac_override setuid setgid sys_nice chown sys_tty_config };
+allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config };
+dontaudit sendmail_t self:capability net_admin;
++dontaudit sendmail_t self:capability2 block_suspend;
allow sendmail_t self:process { setsched setpgid setrlimit signal signull };
allow sendmail_t self:fifo_file rw_fifo_file_perms;
-allow sendmail_t self:unix_stream_socket { accept listen };
@@ -82028,16 +80676,18 @@ index 5f35d78..d4003d0 100644
+allow sendmail_t self:tcp_socket create_stream_socket_perms;
+allow sendmail_t self:udp_socket create_socket_perms;
++allow sendmail_t sendmail_log_t:dir setattr_dir_perms;
++manage_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)
+ allow sendmail_t sendmail_keytab_t:file read_file_perms;
+
-allow sendmail_t sendmail_log_t:dir setattr_dir_perms;
-append_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)
-create_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)
-setattr_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)
-+allow sendmail_t sendmail_log_t:dir setattr;
-+manage_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)
logging_log_filetrans(sendmail_t, sendmail_log_t, { file dir })
manage_dirs_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t)
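Review bot: `manage_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)` replaces upstream's `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` trio, so the daemon can now truncate, unlink and rename its own log files; the narrower upstream set is what keeps a compromised sendmail_t from erasing its audit trail. Unless sendmail itself rewrites or rotates a file under sendmail_log_t, keep the three removed lines and, if a specific operation is denied in practice, add only that permission with a comment naming it. If the full manage set really is required, the rule should carry a justification such as `# sendmail rewrites <file> in sendmail_log_t in place` rather than silently widening.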
-@@ -58,33 +49,21 @@ files_pid_filetrans(sendmail_t, sendmail_var_run_t, file)
+@@ -63,33 +65,21 @@ files_pid_filetrans(sendmail_t, sendmail_var_run_t, file)
kernel_read_network_state(sendmail_t)
kernel_read_kernel_sysctls(sendmail_t)
@@ -82075,7 +80725,7 @@ index 5f35d78..d4003d0 100644
fs_getattr_all_fs(sendmail_t)
fs_search_auto_mountpoints(sendmail_t)
-@@ -93,35 +72,49 @@ fs_rw_anon_inodefs_files(sendmail_t)
+@@ -98,35 +88,49 @@ fs_rw_anon_inodefs_files(sendmail_t)
term_dontaudit_use_console(sendmail_t)
term_dontaudit_use_generic_ptys(sendmail_t)
@@ -82131,7 +80781,7 @@ index 5f35d78..d4003d0 100644
')
optional_policy(`
-@@ -129,8 +122,8 @@ optional_policy(`
+@@ -134,8 +138,8 @@ optional_policy(`
')
optional_policy(`
@@ -82142,7 +80792,7 @@ index 5f35d78..d4003d0 100644
')
optional_policy(`
-@@ -158,6 +151,10 @@ optional_policy(`
+@@ -164,6 +168,10 @@ optional_policy(`
')
optional_policy(`
@@ -82153,7 +80803,7 @@ index 5f35d78..d4003d0 100644
milter_stream_connect_all(sendmail_t)
')
-@@ -166,6 +163,11 @@ optional_policy(`
+@@ -172,6 +180,11 @@ optional_policy(`
')
optional_policy(`
@@ -82165,30 +80815,29 @@ index 5f35d78..d4003d0 100644
postfix_domtrans_postdrop(sendmail_t)
postfix_domtrans_master(sendmail_t)
postfix_domtrans_postqueue(sendmail_t)
-@@ -187,21 +189,13 @@ optional_policy(`
+@@ -193,6 +206,10 @@ optional_policy(`
')
optional_policy(`
-- udev_read_db(sendmail_t)
+ spamd_stream_connect(sendmail_t)
++')
++
++optional_policy(`
+ udev_read_db(sendmail_t)
')
- optional_policy(`
-- uucp_domtrans_uux(sendmail_t)
-+ udev_read_db(sendmail_t)
- ')
+@@ -206,8 +223,8 @@ optional_policy(`
+ #
--########################################
--#
--# Unconfined local policy
--#
--
optional_policy(`
- mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliases")
- mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliases.db")
- mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliasesdb-stamp")
- unconfined_domain(unconfined_sendmail_t)
-+ uucp_domtrans_uux(sendmail_t)
++ mta_etc_filetrans_aliases(unconfined_sendmail_t, "aliases")
++ mta_etc_filetrans_aliases(unconfined_sendmail_t, "aliases.db")
++ mta_etc_filetrans_aliases(unconfined_sendmail_t, "aliasesdb-stamp")
++ unconfined_domain(unconfined_sendmail_t)
')
diff --git a/sensord.fc b/sensord.fc
index 8185d5a..719ac47 100644
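Review bot: The three `mta_etc_filetrans_aliases(unconfined_sendmail_t, "aliases")` calls drop the object-class argument that the upstream lines they replace carried (`mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliases")`); that is correct only if mta.if in this tree declares the two-argument (domain, name) form, otherwise m4 binds "aliases" to the class parameter and the named transition is silently wrong. The interface lives outside this hunk, so please check its signature. The `spamd_stream_connect`/`udev_read_db` reordering and the `unconfined_domain(unconfined_sendmail_t)` block are unchanged in substance.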
@@ -82413,16 +81062,10 @@ index 3a9a70b..039b0c8 100644
logging_list_logs($1)
admin_pattern($1, setroubleshoot_var_log_t)
diff --git a/setroubleshoot.te b/setroubleshoot.te
-index 49b12ae..d686e4a 100644
+index ce67935..b58792f 100644
--- a/setroubleshoot.te
+++ b/setroubleshoot.te
-@@ -1,4 +1,4 @@
--policy_module(setroubleshoot, 1.11.2)
-+policy_module(setroubleshoot, 1.11.0)
-
- ########################################
- #
-@@ -7,43 +7,50 @@ policy_module(setroubleshoot, 1.11.2)
+@@ -7,43 +7,50 @@ policy_module(setroubleshoot, 1.12.1)
type setroubleshootd_t alias setroubleshoot_t;
type setroubleshootd_exec_t;
@@ -82514,15 +81157,7 @@ index 49b12ae..d686e4a 100644
files_list_all(setroubleshootd_t)
files_getattr_all_files(setroubleshootd_t)
files_getattr_all_pipes(setroubleshootd_t)
-@@ -101,33 +106,32 @@ selinux_read_policy(setroubleshootd_t)
- term_dontaudit_use_all_ptys(setroubleshootd_t)
- term_dontaudit_use_all_ttys(setroubleshootd_t)
-
-+mls_dbus_recv_all_levels(setroubleshootd_t)
-+
- auth_use_nsswitch(setroubleshootd_t)
-
- init_read_utmp(setroubleshootd_t)
+@@ -109,27 +114,24 @@ init_read_utmp(setroubleshootd_t)
init_dontaudit_write_utmp(setroubleshootd_t)
libs_exec_ld_so(setroubleshootd_t)
@@ -82555,7 +81190,7 @@ index 49b12ae..d686e4a 100644
')
optional_policy(`
-@@ -135,10 +139,18 @@ optional_policy(`
+@@ -137,10 +139,18 @@ optional_policy(`
')
optional_policy(`
@@ -82574,7 +81209,7 @@ index 49b12ae..d686e4a 100644
rpm_exec(setroubleshootd_t)
rpm_signull(setroubleshootd_t)
rpm_read_db(setroubleshootd_t)
-@@ -148,26 +160,36 @@ optional_policy(`
+@@ -150,26 +160,36 @@ optional_policy(`
########################################
#
@@ -82613,7 +81248,7 @@ index 49b12ae..d686e4a 100644
files_list_tmp(setroubleshoot_fixit_t)
auth_use_nsswitch(setroubleshoot_fixit_t)
-@@ -175,23 +197,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
+@@ -177,23 +197,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
logging_send_audit_msgs(setroubleshoot_fixit_t)
logging_send_syslog_msg(setroubleshoot_fixit_t)
@@ -83074,7 +81709,7 @@ index 1aeef8a..d5ce40a 100644
admin_pattern($1, shorewall_etc_t)
diff --git a/shorewall.te b/shorewall.te
-index ca03de6..c3b5559 100644
+index 7710b9f..76a2c97 100644
--- a/shorewall.te
+++ b/shorewall.te
@@ -44,9 +44,7 @@ manage_files_pattern(shorewall_t, shorewall_lock_t, shorewall_lock_t)
@@ -83288,7 +81923,7 @@ index d1706bf..87ab4a7 100644
##
##
diff --git a/shutdown.te b/shutdown.te
-index 7880d1f..8804935 100644
+index e2544e1..d3fbd78 100644
--- a/shutdown.te
+++ b/shutdown.te
@@ -44,7 +44,7 @@ files_read_generic_pids(shutdown_t)
@@ -83328,10 +81963,10 @@ index 7880d1f..8804935 100644
+ xserver_xdm_append_log(shutdown_t)
')
diff --git a/slocate.te b/slocate.te
-index ba26427..83d21aa 100644
+index 7292dc0..41c780f 100644
--- a/slocate.te
+++ b/slocate.te
-@@ -53,7 +53,6 @@ fs_read_noxattr_fs_symlinks(locate_t)
+@@ -62,7 +62,6 @@ fs_read_noxattr_fs_symlinks(locate_t)
auth_use_nsswitch(locate_t)
@@ -83408,7 +82043,7 @@ index ca32e89..98278dd 100644
+
')
diff --git a/slpd.te b/slpd.te
-index 66ac42a..1a4c952 100644
+index 731512a..645dad6 100644
--- a/slpd.te
+++ b/slpd.te
@@ -50,6 +50,10 @@ corenet_sendrecv_svrloc_server_packets(slpd_t)
@@ -83424,7 +82059,7 @@ index 66ac42a..1a4c952 100644
-miscfiles_read_localization(slpd_t)
+sysnet_dns_name_resolve(slpd_t)
diff --git a/slrnpull.te b/slrnpull.te
-index 5437237..3dfc982 100644
+index 59eb07f..4626942 100644
--- a/slrnpull.te
+++ b/slrnpull.te
@@ -13,7 +13,7 @@ type slrnpull_var_run_t;
@@ -83473,7 +82108,7 @@ index e0644b5..ea347cc 100644
domain_system_change_exemption($1)
role_transition $2 fsdaemon_initrc_exec_t system_r;
diff --git a/smartmon.te b/smartmon.te
-index 9ade9c5..60d6c41 100644
+index 9cf6582..bc33dd7 100644
--- a/smartmon.te
+++ b/smartmon.te
@@ -60,21 +60,27 @@ kernel_read_system_state(fsdaemon_t)
@@ -83562,7 +82197,7 @@ index 1fa51c1..82e111c 100644
smokeping_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/smokeping.te b/smokeping.te
-index a8b1aaf..fc0a2be 100644
+index ec031a0..ebf575f 100644
--- a/smokeping.te
+++ b/smokeping.te
@@ -24,6 +24,7 @@ files_type(smokeping_var_lib_t)
@@ -83600,7 +82235,7 @@ index a8b1aaf..fc0a2be 100644
netutils_domtrans_ping(httpd_smokeping_cgi_script_t)
diff --git a/smoltclient.te b/smoltclient.te
-index 9c8f9a5..14f15a4 100644
+index b3f2c6f..68f17c1 100644
--- a/smoltclient.te
+++ b/smoltclient.te
@@ -51,14 +51,12 @@ fs_list_auto_mountpoints(smoltclient_t)
@@ -84150,11 +82785,11 @@ index 0000000..ad232be
+ mount_domtrans(snapperd_t)
+')
diff --git a/snmp.fc b/snmp.fc
-index c73fa24..408ff61 100644
+index 2f0a2f2..77bdf95 100644
--- a/snmp.fc
+++ b/snmp.fc
@@ -1,6 +1,6 @@
- /etc/rc\.d/init\.d/((snmpd)|(snmptrapd)) -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0)
+ /etc/rc\.d/init\.d/(snmpd|snmptrapd) -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0)
-/usr/sbin/snmptrap -- gen_context(system_u:object_r:snmpd_exec_t,s0)
+/usr/sbin/snmpd -- gen_context(system_u:object_r:snmpd_exec_t,s0)
@@ -84290,7 +82925,7 @@ index 7a9cc9d..86cbca9 100644
init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/snmp.te b/snmp.te
-index 81864ce..4b6b771 100644
+index 9dcaeb8..4b11846 100644
--- a/snmp.te
+++ b/snmp.te
@@ -27,14 +27,16 @@ files_type(snmpd_var_lib_t)
@@ -84406,7 +83041,7 @@ index 7d86b34..5f58180 100644
+ files_list_pids($1)
')
diff --git a/snort.te b/snort.te
-index ccd28bb..80106ac 100644
+index 1af72df..f63015b 100644
--- a/snort.te
+++ b/snort.te
@@ -32,10 +32,13 @@ files_pid_file(snort_var_run_t)
@@ -84467,10 +83102,19 @@ index 634c6b4..e1edfd9 100644
########################################
diff --git a/sosreport.te b/sosreport.te
-index 703efa3..9610be1 100644
+index f2f507d..3669dac 100644
--- a/sosreport.te
+++ b/sosreport.te
-@@ -19,6 +19,9 @@ files_tmp_file(sosreport_tmp_t)
+@@ -13,15 +13,15 @@ type sosreport_exec_t;
+ application_domain(sosreport_t, sosreport_exec_t)
+ role sosreport_roles types sosreport_t;
+
+-type sosreport_var_run_t;
+-files_pid_file(sosreport_var_run_t)
+-
+ type sosreport_tmp_t;
+ files_tmp_file(sosreport_tmp_t)
+
type sosreport_tmpfs_t;
files_tmpfs_file(sosreport_tmpfs_t)
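Review bot: Removing `type sosreport_var_run_t;` and `files_pid_file(sosreport_var_run_t)` deletes a type from the module, so any remaining reference in sosreport.fc, sosreport.if or another module's gen_require (none is visible here) will break the policy build, and objects on installed systems still carrying that label typically map to the unlabeled type until a relabel. If the type is genuinely unused, either keep a `typealias sosreport_var_run_t` for one release so existing labels stay valid, or note the required relabel in the changelog; otherwise this hunk needs the matching .fc/.if cleanup alongside it.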
@@ -84480,12 +83124,7 @@ index 703efa3..9610be1 100644
optional_policy(`
pulseaudio_tmpfs_content(sosreport_tmpfs_t)
')
-@@ -29,10 +32,13 @@ optional_policy(`
- #
-
- allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override };
-+dontaudit sosreport_t self:capability { sys_ptrace };
- allow sosreport_t self:process { setsched signull };
+@@ -37,6 +37,8 @@ allow sosreport_t self:process { setsched signull };
allow sosreport_t self:fifo_file rw_fifo_file_perms;
allow sosreport_t self:tcp_socket { accept listen };
allow sosreport_t self:unix_stream_socket { accept listen };
@@ -84494,7 +83133,7 @@ index 703efa3..9610be1 100644
manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
-@@ -40,6 +46,12 @@ manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
+@@ -44,6 +46,12 @@ manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
files_root_filetrans(sosreport_t, sosreport_tmp_t, file, ".ismount-test-file")
files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir })
@@ -84507,24 +83146,16 @@ index 703efa3..9610be1 100644
manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t)
fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t, file)
-@@ -58,6 +70,9 @@ dev_read_rand(sosreport_t)
- dev_read_urand(sosreport_t)
+@@ -69,6 +77,8 @@ dev_read_urand(sosreport_t)
dev_read_raw_memory(sosreport_t)
dev_read_sysfs(sosreport_t)
-+dev_rw_generic_usb_dev(sosreport_t)
+ dev_rw_generic_usb_dev(sosreport_t)
+dev_getattr_all_chr_files(sosreport_t)
+dev_getattr_all_blk_files(sosreport_t)
domain_getattr_all_domains(sosreport_t)
domain_read_all_domains_state(sosreport_t)
-@@ -65,12 +80,13 @@ domain_getattr_all_sockets(sosreport_t)
- domain_getattr_all_pipes(sosreport_t)
-
- files_getattr_all_sockets(sosreport_t)
-+files_getattr_all_files(sosreport_t)
-+files_getattr_all_pipes(sosreport_t)
- files_exec_etc_files(sosreport_t)
- files_list_all(sosreport_t)
+@@ -83,7 +93,6 @@ files_list_all(sosreport_t)
files_read_config_files(sosreport_t)
files_read_generic_tmp_files(sosreport_t)
files_read_non_auth_files(sosreport_t)
@@ -84532,7 +83163,7 @@ index 703efa3..9610be1 100644
files_read_var_lib_files(sosreport_t)
files_read_var_symlinks(sosreport_t)
files_read_kernel_modules(sosreport_t)
-@@ -79,27 +95,42 @@ files_manage_etc_runtime_files(sosreport_t)
+@@ -92,25 +101,32 @@ files_manage_etc_runtime_files(sosreport_t)
files_etc_filetrans_etc_runtime(sosreport_t, file)
fs_getattr_all_fs(sosreport_t)
@@ -84544,8 +83175,8 @@ index 703efa3..9610be1 100644
+term_getattr_pty_fs(sosreport_t)
+term_getattr_all_ptys(sosreport_t)
-+term_use_generic_ptys(sosreport_t)
-+
+ term_use_generic_ptys(sosreport_t)
+
+# some config files do not have configfile attribute
+# sosreport needs to read various files on system
+files_read_non_security_files(sosreport_t)
@@ -84562,22 +83193,24 @@ index 703efa3..9610be1 100644
logging_send_syslog_msg(sosreport_t)
-miscfiles_read_localization(sosreport_t)
-+sysnet_read_config(sosreport_t)
-
+-
-modutils_read_module_deps(sosreport_t)
++sysnet_read_config(sosreport_t)
optional_policy(`
abrt_manage_pid_files(sosreport_t)
- abrt_manage_cache(sosreport_t)
-+ abrt_stream_connect(sosreport_t)
+@@ -119,6 +135,10 @@ optional_policy(`
+ ')
+
+ optional_policy(`
++ brctl_domtrans(sosreport_t)
+')
+
+optional_policy(`
-+ brctl_domtrans(sosreport_t)
+ cups_stream_connect(sosreport_t)
')
- optional_policy(`
-@@ -111,6 +142,11 @@ optional_policy(`
+@@ -127,6 +147,11 @@ optional_policy(`
')
optional_policy(`
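Review bot: `files_read_non_security_files(sosreport_t)` grants read on every file type not marked as a security file, which is far wider than the `# some config files do not have configfile attribute` comment above it suggests; together with the `dev_read_raw_memory` already in this domain, sosreport_t becomes close to a read-everything domain. That may be acceptable for a root-run diagnostic collector, but the comment should state the breadth explicitly, e.g. `# sosreport collects arbitrary config/log/state files: read-all except security files is intentional`, and it is worth checking whether the `files_read_non_auth_files` grant elsewhere in this file is now redundant. The domain's rules continue outside this hunk.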
@@ -84609,7 +83242,7 @@ index a5abc5a..b9eff74 100644
domain_system_change_exemption($1)
role_transition $2 soundd_initrc_exec_t system_r;
diff --git a/soundserver.te b/soundserver.te
-index db1bc6f..b6c0d16 100644
+index 0919e0c..56a984b 100644
--- a/soundserver.te
+++ b/soundserver.te
@@ -65,7 +65,6 @@ kernel_read_kernel_sysctls(soundd_t)
@@ -85157,16 +83790,10 @@ index 1499b0b..6950cab 100644
- spamassassin_role($2, $1)
')
diff --git a/spamassassin.te b/spamassassin.te
-index 4faa7e0..4babad1 100644
+index cc58e35..ecd30f3 100644
--- a/spamassassin.te
+++ b/spamassassin.te
-@@ -1,4 +1,4 @@
--policy_module(spamassassin, 2.5.8)
-+policy_module(spamassassin, 2.5.0)
-
- ########################################
- #
-@@ -7,50 +7,23 @@ policy_module(spamassassin, 2.5.8)
+@@ -7,50 +7,23 @@ policy_module(spamassassin, 2.6.1)
##
##
@@ -85589,7 +84216,7 @@ index 4faa7e0..4babad1 100644
evolution_stream_connect(spamc_t)
')
-@@ -251,52 +343,55 @@ optional_policy(`
+@@ -251,10 +343,16 @@ optional_policy(`
')
optional_policy(`
@@ -85605,17 +84232,10 @@ index 4faa7e0..4babad1 100644
mta_read_queue(spamc_t)
- sendmail_rw_pipes(spamc_t)
sendmail_stub(spamc_t)
--')
--
--optional_policy(`
-- postfix_domtrans_postdrop(spamc_t)
-- postfix_search_spool(spamc_t)
-- postfix_rw_local_pipes(spamc_t)
-- postfix_rw_master_pipes(spamc_t)
-+ sendmail_rw_pipes(spamc_t)
-+ sendmail_dontaudit_rw_tcp_sockets(spamc_t)
')
+@@ -267,36 +365,38 @@ optional_policy(`
+
########################################
#
-# Daemon local policy
@@ -85670,7 +84290,7 @@ index 4faa7e0..4babad1 100644
logging_log_filetrans(spamd_t, spamd_log_t, file)
manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
-@@ -308,7 +403,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
+@@ -308,7 +408,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
@@ -85680,7 +84300,7 @@ index 4faa7e0..4babad1 100644
manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
-@@ -317,12 +413,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+@@ -317,12 +418,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
@@ -85696,7 +84316,7 @@ index 4faa7e0..4babad1 100644
corenet_all_recvfrom_netlabel(spamd_t)
corenet_tcp_sendrecv_generic_if(spamd_t)
corenet_udp_sendrecv_generic_if(spamd_t)
-@@ -331,78 +428,58 @@ corenet_udp_sendrecv_generic_node(spamd_t)
+@@ -331,78 +433,58 @@ corenet_udp_sendrecv_generic_node(spamd_t)
corenet_tcp_sendrecv_all_ports(spamd_t)
corenet_udp_sendrecv_all_ports(spamd_t)
corenet_tcp_bind_generic_node(spamd_t)
@@ -85799,7 +84419,7 @@ index 4faa7e0..4babad1 100644
')
optional_policy(`
-@@ -421,21 +498,13 @@ optional_policy(`
+@@ -421,21 +503,13 @@ optional_policy(`
')
optional_policy(`
@@ -85823,7 +84443,7 @@ index 4faa7e0..4babad1 100644
')
optional_policy(`
-@@ -443,8 +512,8 @@ optional_policy(`
+@@ -443,8 +517,8 @@ optional_policy(`
')
optional_policy(`
@@ -85833,7 +84453,7 @@ index 4faa7e0..4babad1 100644
')
optional_policy(`
-@@ -455,7 +524,12 @@ optional_policy(`
+@@ -455,7 +529,12 @@ optional_policy(`
optional_policy(`
razor_domtrans(spamd_t)
razor_read_lib_files(spamd_t)
@@ -85847,7 +84467,7 @@ index 4faa7e0..4babad1 100644
')
optional_policy(`
-@@ -463,9 +537,9 @@ optional_policy(`
+@@ -463,9 +542,9 @@ optional_policy(`
')
optional_policy(`
@@ -85858,7 +84478,7 @@ index 4faa7e0..4babad1 100644
')
optional_policy(`
-@@ -474,32 +548,32 @@ optional_policy(`
+@@ -474,32 +553,32 @@ optional_policy(`
########################################
#
@@ -85901,7 +84521,7 @@ index 4faa7e0..4babad1 100644
corecmd_exec_bin(spamd_update_t)
corecmd_exec_shell(spamd_update_t)
-@@ -508,25 +582,21 @@ dev_read_urand(spamd_update_t)
+@@ -508,25 +587,21 @@ dev_read_urand(spamd_update_t)
domain_use_interactive_fds(spamd_update_t)
@@ -85934,7 +84554,7 @@ index 4faa7e0..4babad1 100644
')
+
diff --git a/speedtouch.te b/speedtouch.te
-index 9025dbd..388ce0a 100644
+index b38b8b1..eb36653 100644
--- a/speedtouch.te
+++ b/speedtouch.te
@@ -39,16 +39,12 @@ dev_read_usbfs(speedmgmt_t)
@@ -86024,7 +84644,7 @@ index 5e1f053..e7820bc 100644
domain_system_change_exemption($1)
role_transition $2 squid_initrc_exec_t system_r;
diff --git a/squid.te b/squid.te
-index 221c560..fcf6da0 100644
+index 03472ed..7cb8bec 100644
--- a/squid.te
+++ b/squid.te
@@ -29,7 +29,7 @@ type squid_cache_t;
@@ -86061,14 +84681,7 @@ index 221c560..fcf6da0 100644
########################################
#
# Local policy
-@@ -74,19 +80,17 @@ allow squid_t squid_conf_t:file read_file_perms;
- allow squid_t squid_conf_t:lnk_file read_lnk_file_perms;
-
- manage_dirs_pattern(squid_t, squid_log_t, squid_log_t)
--append_files_pattern(squid_t, squid_log_t, squid_log_t)
--create_files_pattern(squid_t, squid_log_t, squid_log_t)
--setattr_files_pattern(squid_t, squid_log_t, squid_log_t)
-+manage_files_pattern(squid_t, squid_log_t, squid_log_t)
+@@ -78,13 +84,13 @@ manage_files_pattern(squid_t, squid_log_t, squid_log_t)
manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t)
logging_log_filetrans(squid_t, squid_log_t, { file dir })
@@ -86085,7 +84698,7 @@ index 221c560..fcf6da0 100644
manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t)
files_pid_filetrans(squid_t, squid_var_run_t, file)
-@@ -96,7 +100,6 @@ kernel_read_kernel_sysctls(squid_t)
+@@ -94,7 +100,6 @@ kernel_read_kernel_sysctls(squid_t)
kernel_read_system_state(squid_t)
kernel_read_network_state(squid_t)
@@ -86093,7 +84706,7 @@ index 221c560..fcf6da0 100644
corenet_all_recvfrom_netlabel(squid_t)
corenet_tcp_sendrecv_generic_if(squid_t)
corenet_udp_sendrecv_generic_if(squid_t)
-@@ -134,6 +137,7 @@ corenet_tcp_sendrecv_gopher_port(squid_t)
+@@ -132,6 +137,7 @@ corenet_tcp_sendrecv_gopher_port(squid_t)
corenet_udp_sendrecv_gopher_port(squid_t)
corenet_sendrecv_squid_server_packets(squid_t)
@@ -86101,7 +84714,7 @@ index 221c560..fcf6da0 100644
corenet_tcp_bind_squid_port(squid_t)
corenet_udp_bind_squid_port(squid_t)
corenet_tcp_sendrecv_squid_port(squid_t)
-@@ -156,7 +160,6 @@ dev_read_urand(squid_t)
+@@ -154,7 +160,6 @@ dev_read_urand(squid_t)
domain_use_interactive_fds(squid_t)
files_read_etc_runtime_files(squid_t)
@@ -86109,7 +84722,7 @@ index 221c560..fcf6da0 100644
files_search_spool(squid_t)
files_dontaudit_getattr_tmp_dirs(squid_t)
files_getattr_home_dir(squid_t)
-@@ -178,7 +181,6 @@ libs_exec_lib_files(squid_t)
+@@ -176,7 +181,6 @@ libs_exec_lib_files(squid_t)
logging_send_syslog_msg(squid_t)
miscfiles_read_generic_certs(squid_t)
@@ -86117,7 +84730,7 @@ index 221c560..fcf6da0 100644
userdom_use_unpriv_users_fds(squid_t)
userdom_dontaudit_search_user_home_dirs(squid_t)
-@@ -200,6 +202,8 @@ tunable_policy(`squid_use_tproxy',`
+@@ -198,6 +202,8 @@ tunable_policy(`squid_use_tproxy',`
optional_policy(`
apache_content_template(squid)
@@ -86126,7 +84739,7 @@ index 221c560..fcf6da0 100644
corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
corenet_all_recvfrom_netlabel(httpd_squid_script_t)
corenet_tcp_sendrecv_generic_if(httpd_squid_script_t)
-@@ -209,18 +213,18 @@ optional_policy(`
+@@ -207,18 +213,18 @@ optional_policy(`
corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
corenet_tcp_sendrecv_http_cache_port(httpd_squid_script_t)
@@ -86152,7 +84765,7 @@ index 221c560..fcf6da0 100644
')
optional_policy(`
-@@ -238,3 +242,24 @@ optional_policy(`
+@@ -236,3 +242,24 @@ optional_policy(`
optional_policy(`
udev_read_db(squid_t)
')
@@ -86206,7 +84819,7 @@ index dbb005a..45291bb 100644
-/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
+/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
diff --git a/sssd.if b/sssd.if
-index a240455..02ad8a9 100644
+index a240455..16a04bf 100644
--- a/sssd.if
+++ b/sssd.if
@@ -1,21 +1,21 @@
@@ -86386,7 +84999,7 @@ index a240455..02ad8a9 100644
')
########################################
-@@ -131,33 +170,32 @@ interface(`sssd_read_public_files',`
+@@ -131,14 +170,13 @@ interface(`sssd_read_public_files',`
')
sssd_search_lib($1)
@@ -86395,31 +85008,45 @@ index a240455..02ad8a9 100644
read_files_pattern($1, sssd_public_t, sssd_public_t)
')
- #######################################
+-#######################################
++########################################
##
-## Create, read, write, and delete
-## sssd public files.
-+## Manage sssd public files.
++## Dontaudit read sssd public files.
##
##
--##
--## Domain allowed access.
--##
+ ##
+@@ -146,18 +184,36 @@ interface(`sssd_read_public_files',`
+ ##
+ ##
+ #
+-interface(`sssd_manage_public_files',`
++interface(`sssd_dontaudit_read_public_files',`
+ gen_require(`
+ type sssd_public_t;
+ ')
+
+- sssd_search_lib($1)
+- manage_files_pattern($1, sssd_public_t, sssd_public_t)
++ dontaudit $1 sssd_public_t:file read_file_perms;
++')
++
++#######################################
++##
++## Manage sssd public files.
++##
++##
+##
+## Domain allowed access.
+##
- ##
- #
- interface(`sssd_manage_public_files',`
-- gen_require(`
-- type sssd_public_t;
-- ')
++##
++#
++interface(`sssd_manage_public_files',`
+ gen_require(`
+ type sssd_public_t;
+ ')
-
-- sssd_search_lib($1)
-- manage_files_pattern($1, sssd_public_t, sssd_public_t)
++
+ sssd_search_lib($1)
+ manage_files_pattern($1, sssd_public_t, sssd_public_t)
')
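Review bot: The new `sssd_dontaudit_read_public_files` interface silences only the file access (`dontaudit $1 sssd_public_t:file read_file_perms;`), while its read counterpart just above reaches the same files through `sssd_search_lib($1)`; a caller that holds neither permission will therefore still produce an audited search denial on the sssd lib directory, which is usually what a dontaudit interface is meant to suppress. Adding `sssd_dontaudit_search_lib($1)` beside the dontaudit line (that interface already exists later in this file) would make the interface cover the whole probe. As a style point, the new header uses 40 `#` characters while the re-added `sssd_manage_public_files` header keeps 39; the rest of the file uses 40.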
@@ -86431,7 +85058,7 @@ index a240455..02ad8a9 100644
##
##
##
-@@ -176,8 +214,7 @@ interface(`sssd_read_pid_files',`
+@@ -176,8 +232,7 @@ interface(`sssd_read_pid_files',`
########################################
##
@@ -86441,7 +85068,7 @@ index a240455..02ad8a9 100644
##
##
##
-@@ -216,8 +253,7 @@ interface(`sssd_search_lib',`
+@@ -216,8 +271,7 @@ interface(`sssd_search_lib',`
########################################
##
@@ -86451,7 +85078,7 @@ index a240455..02ad8a9 100644
##
##
##
-@@ -235,6 +271,24 @@ interface(`sssd_dontaudit_search_lib',`
+@@ -235,6 +289,24 @@ interface(`sssd_dontaudit_search_lib',`
########################################
##
@@ -86476,7 +85103,7 @@ index a240455..02ad8a9 100644
## Read sssd lib files.
##
##
-@@ -297,8 +351,7 @@ interface(`sssd_dbus_chat',`
+@@ -297,8 +369,7 @@ interface(`sssd_dbus_chat',`
########################################
##
@@ -86486,7 +85113,7 @@ index a240455..02ad8a9 100644
##
##
##
-@@ -317,8 +370,27 @@ interface(`sssd_stream_connect',`
+@@ -317,8 +388,27 @@ interface(`sssd_stream_connect',`
########################################
##
@@ -86516,7 +85143,7 @@ index a240455..02ad8a9 100644
##
##
##
-@@ -327,7 +399,7 @@ interface(`sssd_stream_connect',`
+@@ -327,7 +417,7 @@ interface(`sssd_stream_connect',`
##
##
##
@@ -86525,7 +85152,7 @@ index a240455..02ad8a9 100644
##
##
##
-@@ -335,27 +407,29 @@ interface(`sssd_stream_connect',`
+@@ -335,27 +425,29 @@ interface(`sssd_stream_connect',`
interface(`sssd_admin',`
gen_require(`
type sssd_t, sssd_public_t, sssd_initrc_exec_t;
@@ -86567,15 +85194,9 @@ index a240455..02ad8a9 100644
- admin_pattern($1, sssd_log_t)
')
diff --git a/sssd.te b/sssd.te
-index 8b537aa..3bce4df 100644
+index 2d8db1f..49327eb 100644
--- a/sssd.te
+++ b/sssd.te
-@@ -1,4 +1,4 @@
--policy_module(sssd, 1.1.4)
-+policy_module(sssd, 1.1.0)
-
- ########################################
- #
@@ -28,9 +28,12 @@ logging_log_file(sssd_var_log_t)
type sssd_var_run_t;
files_pid_file(sssd_var_run_t)
@@ -86864,11 +85485,11 @@ index 0000000..80c6480
+')
diff --git a/stapserver.te b/stapserver.te
new file mode 100644
-index 0000000..e472397
+index 0000000..2540ebd
--- /dev/null
+++ b/stapserver.te
@@ -0,0 +1,113 @@
-+policy_module(stapserver, 1.0.0)
++policy_module(systemtap, 1.1.0)
+
+########################################
+#
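Review bot: stapserver.te now opens with `policy_module(systemtap, 1.1.0)` although the file is named stapserver.te, and systemtap.te is deleted elsewhere in this same patch. The name given to `policy_module()` is the name the built package carries, so a mismatch with the filename can be rejected by the build or produce a package whose installed name differs from the .conf entry; if the intent is that the new package replaces an already installed systemtap module on upgrade, a one-line comment above the macro stating that, e.g. `# keeps the installed module name so it supersedes the old systemtap module`, would stop a future rebase from "fixing" it back to stapserver. Otherwise `policy_module(stapserver, 1.1.0)` is the conventional choice. The remainder of the new file lies outside this hunk.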
@@ -86982,7 +85603,7 @@ index 0000000..e472397
+')
+
diff --git a/stunnel.te b/stunnel.te
-index 9992e62..47f1802 100644
+index 27a8480..88f7dc8 100644
--- a/stunnel.te
+++ b/stunnel.te
@@ -48,7 +48,6 @@ kernel_read_network_state(stunnel_t)
@@ -87167,7 +85788,7 @@ index 2ac91b6..dd2ac36 100644
')
+
diff --git a/svnserve.te b/svnserve.te
-index c6aaac7..a5600a8 100644
+index 49d688d..f1c6367 100644
--- a/svnserve.te
+++ b/svnserve.te
@@ -12,12 +12,18 @@ init_daemon_domain(svnserve_t, svnserve_exec_t)
@@ -87500,7 +86121,7 @@ index 0000000..6e39c4f
+
+
diff --git a/sxid.te b/sxid.te
-index c9824cb..1973f71 100644
+index 01a9d0a..154872e 100644
--- a/sxid.te
+++ b/sxid.te
@@ -40,7 +40,6 @@ kernel_read_kernel_sysctls(sxid_t)
@@ -87530,7 +86151,7 @@ index c9824cb..1973f71 100644
userdom_dontaudit_use_unpriv_user_fds(sxid_t)
diff --git a/sysstat.te b/sysstat.te
-index c8b80b2..c81d332 100644
+index b92f677..6dc2de3 100644
--- a/sysstat.te
+++ b/sysstat.te
@@ -24,9 +24,7 @@ allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_co
@@ -87650,11 +86271,11 @@ index c755e2d..0000000
-')
diff --git a/systemtap.te b/systemtap.te
deleted file mode 100644
-index 6c06a84..0000000
+index ffde368..0000000
--- a/systemtap.te
+++ /dev/null
@@ -1,101 +0,0 @@
--policy_module(systemtap, 1.0.2)
+-policy_module(systemtap, 1.1.0)
-
-########################################
-#
@@ -87756,7 +86377,7 @@ index 6c06a84..0000000
- rpm_exec(stapserver_t)
-')
diff --git a/tcpd.te b/tcpd.te
-index f388db3..1e1a075 100644
+index 2d6d2c2..db18a80 100644
--- a/tcpd.te
+++ b/tcpd.te
@@ -23,7 +23,6 @@ manage_dirs_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
@@ -87802,10 +86423,10 @@ index b42ec1d..91b8f71 100644
tcsd_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/tcsd.te b/tcsd.te
-index ac8213a..14da480 100644
+index b26d44a..5ab05dc 100644
--- a/tcsd.te
+++ b/tcsd.te
-@@ -41,10 +41,8 @@ corenet_tcp_sendrecv_tcs_port(tcsd_t)
+@@ -41,12 +41,8 @@ corenet_tcp_sendrecv_tcs_port(tcsd_t)
dev_read_urand(tcsd_t)
dev_rw_tpm(tcsd_t)
@@ -87813,19 +86434,20 @@ index ac8213a..14da480 100644
-
auth_use_nsswitch(tcsd_t)
--logging_send_syslog_msg(tcsd_t)
-+init_read_utmp(tcsd_t)
+ init_read_utmp(tcsd_t)
+ logging_send_syslog_msg(tcsd_t)
+-
-miscfiles_read_localization(tcsd_t)
-+logging_send_syslog_msg(tcsd_t)
diff --git a/telepathy.fc b/telepathy.fc
-index c7de0cf..03fc880 100644
+index 6c7f8f8..107300a 100644
--- a/telepathy.fc
+++ b/telepathy.fc
-@@ -1,34 +1,23 @@
+@@ -1,35 +1,24 @@
-HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t,s0)
+HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0)
HOME_DIR/\.cache/telepathy(/.*)? gen_context(system_u:object_r:telepathy_cache_home_t, s0)
+ HOME_DIR/\.cache/telepathy/avatars/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
HOME_DIR/\.cache/telepathy/logger(/.*)? gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0)
-HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0)
-HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0)
@@ -88294,12 +86916,10 @@ index 42946bc..9f70e4c 100644
+ can_exec($1, telepathy_executable)
')
diff --git a/telepathy.te b/telepathy.te
-index e9c0964..5a41683 100644
+index 9afcbc9..1664384 100644
--- a/telepathy.te
+++ b/telepathy.te
-@@ -1,29 +1,28 @@
--policy_module(telepathy, 1.3.5)
-+policy_module(telepathy, 1.3.0)
+@@ -2,28 +2,27 @@ policy_module(telepathy, 1.4.2)
########################################
#
@@ -88337,7 +86957,7 @@ index e9c0964..5a41683 100644
telepathy_domain_template(gabble)
-@@ -67,176 +66,147 @@ userdom_user_home_content(telepathy_sunshine_home_t)
+@@ -67,179 +66,150 @@ userdom_user_home_content(telepathy_sunshine_home_t)
#######################################
#
@@ -88545,6 +87165,9 @@ index e9c0964..5a41683 100644
+ gnome_manage_home_config(telepathy_mission_control_t)
+')
+ manage_dirs_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
+ manage_files_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
+
dev_read_rand(telepathy_mission_control_t)
-files_list_tmp(telepathy_mission_control_t)
@@ -88565,7 +87188,7 @@ index e9c0964..5a41683 100644
optional_policy(`
dbus_system_bus_client(telepathy_mission_control_t)
-@@ -245,59 +215,51 @@ optional_policy(`
+@@ -248,59 +218,51 @@ optional_policy(`
devicekit_dbus_chat_power(telepathy_mission_control_t)
')
optional_policy(`
@@ -88640,7 +87263,7 @@ index e9c0964..5a41683 100644
init_read_state(telepathy_msn_t)
-@@ -307,18 +269,19 @@ logging_send_syslog_msg(telepathy_msn_t)
+@@ -310,18 +272,19 @@ logging_send_syslog_msg(telepathy_msn_t)
miscfiles_read_all_certs(telepathy_msn_t)
@@ -88665,7 +87288,7 @@ index e9c0964..5a41683 100644
')
optional_policy(`
-@@ -329,43 +292,33 @@ optional_policy(`
+@@ -332,43 +295,33 @@ optional_policy(`
')
')
@@ -88714,7 +87337,7 @@ index e9c0964..5a41683 100644
')
optional_policy(`
-@@ -378,73 +331,53 @@ optional_policy(`
+@@ -381,73 +334,53 @@ optional_policy(`
#######################################
#
@@ -88798,7 +87421,7 @@ index e9c0964..5a41683 100644
optional_policy(`
xserver_read_xdm_pid(telepathy_sunshine_t)
xserver_stream_connect(telepathy_sunshine_t)
-@@ -452,31 +385,49 @@ optional_policy(`
+@@ -455,31 +388,49 @@ optional_policy(`
#######################################
#
@@ -88856,13 +87479,14 @@ index e9c0964..5a41683 100644
')
+
diff --git a/telnet.te b/telnet.te
-index 9f89916..1bdef51 100644
+index d7c8633..a91c027 100644
--- a/telnet.te
+++ b/telnet.te
-@@ -26,13 +26,17 @@ files_pid_file(telnetd_var_run_t)
+@@ -30,16 +30,19 @@ files_pid_file(telnetd_var_run_t)
allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
allow telnetd_t self:process signal_perms;
allow telnetd_t self:fifo_file rw_fifo_file_perms;
+-allow telnetd_t self:tcp_socket { accept listen };
+allow telnetd_t self:tcp_socket connected_stream_socket_perms;
+allow telnetd_t self:udp_socket create_socket_perms;
+# for identd; cjp: this should probably only be inetd_child rules?
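Review bot: The refreshed hunk now removes upstream's `allow telnetd_t self:tcp_socket { accept listen };` and keeps the patch's `allow telnetd_t self:tcp_socket connected_stream_socket_perms;`, which is a strictly wider grant (create, bind and the read/write set in addition to accept and listen). If the wider set is only needed for the standalone-listener mode, a comment on that line saying so, e.g. `# standalone listener needs create/bind, not only accept/listen`, would keep a later rebase from reverting to the narrower upstream rule. Note also that the following hunk of this file drops the patch's own `corenet_tcp_bind_telnetd_port(telnetd_t)` addition; if upstream does not now carry that line, the bind permission disappears silently in this refresh. The rest of telnetd's local policy lies outside this hunk.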
@@ -88872,29 +87496,23 @@ index 9f89916..1bdef51 100644
+
term_create_pty(telnetd_t, telnetd_devpts_t)
+ allow telnetd_t telnetd_keytab_t:file read_file_perms;
+
manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
-files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir })
manage_files_pattern(telnetd_t, telnetd_var_run_t, telnetd_var_run_t)
files_pid_filetrans(telnetd_t, telnetd_var_run_t, file)
-@@ -41,7 +45,6 @@ kernel_read_kernel_sysctls(telnetd_t)
+@@ -48,7 +51,6 @@ kernel_read_kernel_sysctls(telnetd_t)
kernel_read_system_state(telnetd_t)
kernel_read_network_state(telnetd_t)
-corenet_all_recvfrom_unlabeled(telnetd_t)
corenet_all_recvfrom_netlabel(telnetd_t)
corenet_tcp_sendrecv_generic_if(telnetd_t)
- corenet_udp_sendrecv_generic_if(telnetd_t)
-@@ -49,6 +52,7 @@ corenet_tcp_sendrecv_generic_node(telnetd_t)
- corenet_udp_sendrecv_generic_node(telnetd_t)
- corenet_tcp_sendrecv_all_ports(telnetd_t)
- corenet_udp_sendrecv_all_ports(telnetd_t)
-+corenet_tcp_bind_telnetd_port(telnetd_t)
-
- corecmd_search_bin(telnetd_t)
-
-@@ -56,7 +60,6 @@ dev_read_urand(telnetd_t)
+ corenet_tcp_sendrecv_generic_node(telnetd_t)
+@@ -63,7 +65,6 @@ dev_read_urand(telnetd_t)
domain_interactive_fd(telnetd_t)
@@ -88902,7 +87520,7 @@ index 9f89916..1bdef51 100644
files_read_etc_runtime_files(telnetd_t)
files_search_home(telnetd_t)
-@@ -69,12 +72,12 @@ init_rw_utmp(telnetd_t)
+@@ -76,12 +77,12 @@ init_rw_utmp(telnetd_t)
logging_send_syslog_msg(telnetd_t)
@@ -88917,22 +87535,22 @@ index 9f89916..1bdef51 100644
tunable_policy(`use_nfs_home_dirs',`
fs_search_nfs(telnetd_t)
-@@ -86,7 +89,7 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -93,7 +94,7 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
- kerberos_keytab_template(telnetd, telnetd_t)
+ kerberos_read_keytab(telnetd_t)
- kerberos_tmp_filetrans_host_rcache(telnetd_t, file, "host_0")
+ kerberos_tmp_filetrans_host_rcache(telnetd_t, "host_0")
kerberos_manage_host_rcache(telnetd_t)
+ kerberos_use(telnetd_t)
')
-
diff --git a/tftp.fc b/tftp.fc
-index 93a5bf4..621f343 100644
+index 3dd87da..0d13384 100644
--- a/tftp.fc
+++ b/tftp.fc
@@ -1,9 +1,9 @@
--/etc/xinetd\.d/tftp -- gen_context(system_u:object_r:tftpd_conf_t,s0)
-+/etc/xinetd\.d/tftp -- gen_context(system_u:object_r:tftpd_etc_t,s0)
+-/etc/(x)?inetd\.d/tftp -- gen_context(system_u:object_r:tftpd_conf_t,s0)
++/etc/(x)?inetd\.d/tftp -- gen_context(system_u:object_r:tftpd_etc_t,s0)
/usr/sbin/atftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
/usr/sbin/in\.tftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
@@ -89181,16 +87799,10 @@ index 9957e30..cf0b925 100644
+ tftp_manage_config($1)
')
diff --git a/tftp.te b/tftp.te
-index f455e70..a3b440c 100644
+index cfaa2a1..a9bc6f1 100644
--- a/tftp.te
+++ b/tftp.te
-@@ -1,4 +1,4 @@
--policy_module(tftp, 1.12.4)
-+policy_module(tftp, 1.12.0)
-
- ########################################
- #
-@@ -6,30 +6,24 @@ policy_module(tftp, 1.12.4)
+@@ -6,30 +6,24 @@ policy_module(tftp, 1.13.0)
#
##
@@ -89383,7 +87995,7 @@ index 5406b6e..dc5b46e 100644
admin_pattern($1, tgtd_tmpfs_t)
')
diff --git a/tgtd.te b/tgtd.te
-index c93c973..60f4ce9 100644
+index d010963..5ecc3bf 100644
--- a/tgtd.te
+++ b/tgtd.te
@@ -29,7 +29,7 @@ files_pid_file(tgtd_var_run_t)
@@ -89395,7 +88007,7 @@ index c93c973..60f4ce9 100644
allow tgtd_t self:capability2 block_suspend;
allow tgtd_t self:process { setrlimit signal };
allow tgtd_t self:fifo_file rw_fifo_file_perms;
-@@ -58,27 +58,27 @@ kernel_read_system_state(tgtd_t)
+@@ -58,13 +58,13 @@ kernel_read_system_state(tgtd_t)
kernel_read_fs_sysctls(tgtd_t)
corenet_all_recvfrom_netlabel(tgtd_t)
@@ -89409,6 +88021,9 @@ index c93c973..60f4ce9 100644
+corenet_tcp_connect_isns_port(tgtd_t)
corenet_tcp_sendrecv_iscsi_port(tgtd_t)
+ corenet_sendrecv_iscsi_client_packets(tgtd_t)
+@@ -72,16 +72,16 @@ corenet_tcp_connect_isns_port(tgtd_t)
+
dev_read_sysfs(tgtd_t)
-files_read_etc_files(tgtd_t)
@@ -89955,7 +88570,7 @@ index 0000000..b57cc3c
+ corenet_dontaudit_udp_bind_generic_node(thumb_t)
+')
diff --git a/thunderbird.te b/thunderbird.te
-index 4257ede..fc265b8 100644
+index 5e867da..b25ea6e 100644
--- a/thunderbird.te
+++ b/thunderbird.te
@@ -53,7 +53,6 @@ kernel_read_system_state(thunderbird_t)
@@ -90010,7 +88625,7 @@ index 4257ede..fc265b8 100644
ifndef(`enable_mls',`
fs_search_removable(thunderbird_t)
diff --git a/timidity.te b/timidity.te
-index 67ca5c5..a1ef2d2 100644
+index 97cd155..49321a5 100644
--- a/timidity.te
+++ b/timidity.te
@@ -36,7 +36,6 @@ fs_tmpfs_filetrans(timidity_t, timidity_tmpfs_t, { dir file lnk_file sock_file f
@@ -90031,10 +88646,10 @@ index 67ca5c5..a1ef2d2 100644
fs_search_auto_mountpoints(timidity_t)
diff --git a/tmpreaper.te b/tmpreaper.te
-index a4a949c..9ae28c6 100644
+index 585a77f..10d7105 100644
--- a/tmpreaper.te
+++ b/tmpreaper.te
-@@ -8,6 +8,7 @@ policy_module(tmpreaper, 1.6.3)
+@@ -8,6 +8,7 @@ policy_module(tmpreaper, 1.7.1)
type tmpreaper_t;
type tmpreaper_exec_t;
init_system_domain(tmpreaper_t, tmpreaper_exec_t)
@@ -90042,7 +88657,7 @@ index a4a949c..9ae28c6 100644
########################################
#
-@@ -18,20 +19,25 @@ allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
+@@ -19,6 +20,7 @@ allow tmpreaper_t self:fifo_file rw_fifo_file_perms;
kernel_list_unlabeled(tmpreaper_t)
kernel_read_system_state(tmpreaper_t)
@@ -90050,6 +88665,8 @@ index a4a949c..9ae28c6 100644
dev_read_urand(tmpreaper_t)
+@@ -27,15 +29,19 @@ corecmd_exec_shell(tmpreaper_t)
+
fs_getattr_xattr_fs(tmpreaper_t)
fs_list_all(tmpreaper_t)
+fs_setattr_tmpfs_dirs(tmpreaper_t)
@@ -90072,13 +88689,17 @@ index a4a949c..9ae28c6 100644
mls_file_read_all_levels(tmpreaper_t)
mls_file_write_all_levels(tmpreaper_t)
-@@ -39,14 +45,16 @@ auth_use_nsswitch(tmpreaper_t)
+@@ -45,7 +51,6 @@ init_use_inherited_script_ptys(tmpreaper_t)
logging_send_syslog_msg(tmpreaper_t)
-miscfiles_read_localization(tmpreaper_t)
miscfiles_delete_man_pages(tmpreaper_t)
+ ifdef(`distro_debian',`
+@@ -53,10 +58,13 @@ ifdef(`distro_debian',`
+ ')
+
ifdef(`distro_redhat',`
- userdom_list_all_user_home_content(tmpreaper_t)
+ userdom_list_user_home_content(tmpreaper_t)
@@ -90091,7 +88712,7 @@ index a4a949c..9ae28c6 100644
')
optional_policy(`
-@@ -54,6 +62,7 @@ optional_policy(`
+@@ -64,6 +72,7 @@ optional_policy(`
')
optional_policy(`
@@ -90099,7 +88720,7 @@ index a4a949c..9ae28c6 100644
apache_list_cache(tmpreaper_t)
apache_delete_cache_dirs(tmpreaper_t)
apache_delete_cache_files(tmpreaper_t)
-@@ -69,7 +78,19 @@ optional_policy(`
+@@ -79,7 +88,19 @@ optional_policy(`
')
optional_policy(`
@@ -90614,11 +89235,11 @@ index 0000000..5a263b2
+ tomcat_search_lib(tomcat_domain)
+')
diff --git a/tor.fc b/tor.fc
-index 6b9d449..ac02092 100644
+index dce42ec..b6b67bf 100644
--- a/tor.fc
+++ b/tor.fc
-@@ -6,6 +6,8 @@
-
+@@ -5,6 +5,8 @@
+ /usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
/usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
+/usr/lib/systemd/system/tor.* -- gen_context(system_u:object_r:tor_unit_file_t,s0)
@@ -90696,10 +89317,10 @@ index 61c2e07..5e1df41 100644
+ ')
')
diff --git a/tor.te b/tor.te
-index 964a395..78962c4 100644
+index 5ceacde..5fde651 100644
--- a/tor.te
+++ b/tor.te
-@@ -13,6 +13,13 @@ policy_module(tor, 1.8.4)
+@@ -13,6 +13,13 @@ policy_module(tor, 1.9.0)
##
gen_tunable(tor_bind_all_unreserved_ports, false)
@@ -90758,7 +89379,7 @@ index 964a395..78962c4 100644
seutil_sigchld_newrole(tor_t)
')
diff --git a/transproxy.te b/transproxy.te
-index 20d1a28..494a46d 100644
+index 34973ee..1c9a4c6 100644
--- a/transproxy.te
+++ b/transproxy.te
@@ -32,7 +32,6 @@ kernel_read_kernel_sysctls(transproxy_t)
@@ -90786,7 +89407,7 @@ index 20d1a28..494a46d 100644
userdom_dontaudit_use_unpriv_user_fds(transproxy_t)
diff --git a/tripwire.te b/tripwire.te
-index 2e1110d..2c989b4 100644
+index 03aa6b7..a9ff883 100644
--- a/tripwire.te
+++ b/tripwire.te
@@ -86,7 +86,7 @@ files_getattr_all_sockets(tripwire_t)
@@ -90848,7 +89469,7 @@ index e29db63..061fb98 100644
domain_system_change_exemption($1)
role_transition $2 tuned_initrc_exec_t system_r;
diff --git a/tuned.te b/tuned.te
-index 7116181..6b315d8 100644
+index 393a330..90924a4 100644
--- a/tuned.te
+++ b/tuned.te
@@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
@@ -90998,7 +89619,7 @@ index 1bb0f7c..372be2f 100644
##
## Role access for tvtime
diff --git a/tvtime.te b/tvtime.te
-index 3292fcc..20099b0 100644
+index afd2d6c..3ce900e 100644
--- a/tvtime.te
+++ b/tvtime.te
@@ -42,7 +42,6 @@ allow tvtime_t self:unix_stream_socket rw_stream_socket_perms;
@@ -91044,7 +89665,7 @@ index 3292fcc..20099b0 100644
optional_policy(`
xserver_user_x_domain_template(tvtime, tvtime_t, tvtime_tmpfs_t)
diff --git a/tzdata.te b/tzdata.te
-index aa6ae96..9f86987 100644
+index 221c43b..2b9c49a 100644
--- a/tzdata.te
+++ b/tzdata.te
@@ -27,11 +27,10 @@ term_dontaudit_list_ptys(tzdata_t)
@@ -91061,7 +89682,7 @@ index aa6ae96..9f86987 100644
optional_policy(`
postfix_search_spool(tzdata_t)
diff --git a/ucspitcp.te b/ucspitcp.te
-index 5e365c2..0fbc46e 100644
+index 7745b72..329c3d8 100644
--- a/ucspitcp.te
+++ b/ucspitcp.te
@@ -33,7 +33,6 @@ corenet_udp_sendrecv_all_ports(rblsmtpd_t)
@@ -91098,15 +89719,12 @@ index 9b95c3e..a892845 100644
init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/ulogd.te b/ulogd.te
-index c6acbbe..bd23e7f 100644
+index de35e5f..436d24c 100644
--- a/ulogd.te
+++ b/ulogd.te
-@@ -27,10 +27,12 @@ logging_log_file(ulogd_var_log_t)
- #
-
- allow ulogd_t self:capability { net_admin sys_nice };
--allow ulogd_t self:process setsched;
-+allow ulogd_t self:process { setsched };
+@@ -29,8 +29,10 @@ logging_log_file(ulogd_var_log_t)
+ allow ulogd_t self:capability { net_admin setuid setgid sys_nice };
+ allow ulogd_t self:process setsched;
allow ulogd_t self:netlink_nflog_socket create_socket_perms;
+allow ulogd_t self:netlink_route_socket r_netlink_socket_perms;
allow ulogd_t self:netlink_socket create_socket_perms;
@@ -91141,7 +89759,7 @@ index ab5c1d0..d13105e 100644
allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_exec_t }:dir { manage_dir_perms relabel_dir_perms };
allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_tmpfs_t uml_exec_t }:file { manage_file_perms relabel_file_perms };
diff --git a/uml.te b/uml.te
-index dc03cc5..423afe4 100644
+index b68bd49..da0c691 100644
--- a/uml.te
+++ b/uml.te
@@ -90,7 +90,6 @@ kernel_write_proc_files(uml_t)
@@ -91188,7 +89806,7 @@ index dc03cc5..423afe4 100644
userdom_dontaudit_search_user_home_dirs(uml_switch_t)
diff --git a/updfstab.te b/updfstab.te
-index 2d871b8..acbf304 100644
+index 5ceb912..dfec9ac 100644
--- a/updfstab.te
+++ b/updfstab.te
@@ -66,8 +66,6 @@ init_use_script_ptys(updfstab_t)
@@ -91226,7 +89844,7 @@ index 01a3234..19f4724 100644
')
diff --git a/uptime.te b/uptime.te
-index 09741f6..8e5b35c 100644
+index 58397dc..e6b6a34 100644
--- a/uptime.te
+++ b/uptime.te
@@ -16,7 +16,7 @@ type uptimed_initrc_exec_t;
@@ -91248,7 +89866,7 @@ index 09741f6..8e5b35c 100644
userdom_dontaudit_search_user_home_dirs(uptimed_t)
diff --git a/usbmodules.te b/usbmodules.te
-index cb9b5bb..3aa7952 100644
+index 279e511..4f79ad6 100644
--- a/usbmodules.te
+++ b/usbmodules.te
@@ -24,8 +24,6 @@ files_list_kernel_modules(usbmodules_t)
@@ -91358,7 +89976,7 @@ index 1ec5e99..88e287d 100644
+ allow $1 usbmuxd_unit_file_t:service all_service_perms;
+')
diff --git a/usbmuxd.te b/usbmuxd.te
-index 8840be6..d2c7596 100644
+index 34a8917..120d801 100644
--- a/usbmuxd.te
+++ b/usbmuxd.te
@@ -10,12 +10,16 @@ roleattribute system_r usbmuxd_roles;
@@ -91420,7 +90038,7 @@ index c416a83..cd83b89 100644
+/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)
+/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0)
diff --git a/userhelper.if b/userhelper.if
-index cf118fd..cd80e83 100644
+index 98b51fd..35d784a 100644
--- a/userhelper.if
+++ b/userhelper.if
@@ -1,4 +1,4 @@
@@ -91483,52 +90101,46 @@ index cf118fd..cd80e83 100644
+ allow $1_userhelper_t self:unix_dgram_socket sendto;
+ allow $1_userhelper_t self:unix_stream_socket connectto;
+ allow $1_userhelper_t self:sock_file read_sock_file_perms;
-
-- allow $1_consolehelper_t $3:unix_stream_socket connectto;
++
+ #Transition to the derived domain.
+ domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t)
-- domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t)
+- allow $1_consolehelper_t $3:unix_stream_socket connectto;
+ allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms;
+ rw_files_pattern($1_userhelper_t, userhelper_conf_t, userhelper_conf_t)
-- allow $3 $1_consolehelper_t:process { ptrace signal_perms };
-- ps_process_pattern($3, $1_consolehelper_t)
+- domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t)
+ can_exec($1_userhelper_t, userhelper_exec_t)
-- auth_use_pam($1_consolehelper_t)
+- allow $3 $1_consolehelper_t:process { ptrace signal_perms };
+- ps_process_pattern($3, $1_consolehelper_t)
+ dontaudit $3 $1_userhelper_t:process signal;
-- optional_policy(`
-- dbus_connect_all_session_bus($1_consolehelper_t)
+- auth_use_pam($1_consolehelper_t)
+ kernel_read_all_sysctls($1_userhelper_t)
+ kernel_getattr_debugfs($1_userhelper_t)
+ kernel_read_system_state($1_userhelper_t)
-- optional_policy(`
-- userhelper_dbus_chat_all_consolehelper($3)
-- ')
-- ')
+- optional_policy(`
+- dbus_connect_all_session_bus($1_consolehelper_t)
+ # Execute shells
+ corecmd_exec_shell($1_userhelper_t)
+ # By default, revert to the calling domain when a program is executed
+ corecmd_bin_domtrans($1_userhelper_t, $3)
-- ########################################
-- #
-- # Userhelper local policy
-- #
+- optional_policy(`
+- userhelper_dbus_chat_all_consolehelper($3)
+- ')
+- ')
+ # Inherit descriptors from the current session.
+ domain_use_interactive_fds($1_userhelper_t)
+ # for when the user types "exec userhelper" at the command line
+ domain_sigchld_interactive_fds($1_userhelper_t)
-
-- domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t)
++
+ dev_read_urand($1_userhelper_t)
+ # Read /dev directories and any symbolic links.
+ dev_list_all_dev_nodes($1_userhelper_t)
-
-- dontaudit $3 $1_userhelper_t:process signal;
++
+ files_list_var_lib($1_userhelper_t)
+ # Read the /etc/security/default_type file
+ files_read_etc_files($1_userhelper_t)
@@ -91537,8 +90149,7 @@ index cf118fd..cd80e83 100644
+ files_read_var_symlinks($1_userhelper_t)
+ # for some PAM modules and for cwd
+ files_search_home($1_userhelper_t)
-
-- corecmd_bin_domtrans($1_userhelper_t, $3)
++
+ fs_search_auto_mountpoints($1_userhelper_t)
+ fs_read_nfs_files($1_userhelper_t)
+ fs_read_nfs_symlinks($1_userhelper_t)
@@ -91560,24 +90171,33 @@ index cf118fd..cd80e83 100644
+ term_use_all_ttys($1_userhelper_t)
+ term_use_all_ptys($1_userhelper_t)
- auth_domtrans_chk_passwd($1_userhelper_t)
+- ########################################
+- #
+- # Userhelper local policy
+- #
++ auth_domtrans_chk_passwd($1_userhelper_t)
+ auth_manage_pam_pid($1_userhelper_t)
+ auth_manage_var_auth($1_userhelper_t)
+ auth_search_pam_console_data($1_userhelper_t)
- auth_use_nsswitch($1_userhelper_t)
++ auth_use_nsswitch($1_userhelper_t)
+- domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t)
+ logging_send_syslog_msg($1_userhelper_t)
-+
+
+- dontaudit $3 $1_userhelper_t:process signal;
+ # Inherit descriptors from the current session.
+ init_use_fds($1_userhelper_t)
+ # Write to utmp.
+ init_manage_utmp($1_userhelper_t)
+ init_pid_filetrans_utmp($1_userhelper_t)
-+
-+
+
+- corecmd_bin_domtrans($1_userhelper_t, $3)
+
+- auth_domtrans_chk_passwd($1_userhelper_t)
+- auth_use_nsswitch($1_userhelper_t)
+ seutil_read_config($1_userhelper_t)
+ seutil_read_default_contexts($1_userhelper_t)
-+
+
+ # Allow $1_userhelper_t to transition to user domains.
userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t)
userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t)
@@ -91658,14 +90278,14 @@ index cf118fd..cd80e83 100644
##
##
##
-@@ -206,6 +263,93 @@ interface(`userhelper_exec',`
+@@ -206,10 +263,79 @@ interface(`userhelper_exec',`
type userhelper_exec_t;
')
- corecmd_search_bin($1)
can_exec($1, userhelper_exec_t)
')
-+
+
+#######################################
+##
+## The role template for the consolehelper module.
@@ -91736,33 +90356,14 @@ index cf118fd..cd80e83 100644
+ ')
+')
+
-+########################################
-+##
-+## Execute the consolehelper program in the caller domain.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userhelper_exec_console',`
-+ gen_require(`
-+ type consolehelper_exec_t;
-+ ')
-+
-+ can_exec($1, consolehelper_exec_t)
-+')
+ ########################################
+ ##
+ ## Execute the consolehelper program
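Review bot: The refresh drops the patch's own `userhelper_exec_console` interface, and the surviving context `## Execute the consolehelper program` suggests upstream now ships an equivalent, but its name is not visible in this hunk. Any other file in the patch set that still calls `userhelper_exec_console($1)` will fail at build time unless upstream's interface has exactly that name, so this is worth confirming before the refresh lands. The enclosing interface body ends outside this hunk.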
diff --git a/userhelper.te b/userhelper.te
-index 274ed9c..cc18d6f 100644
+index 42cfce0..1733490 100644
--- a/userhelper.te
+++ b/userhelper.te
-@@ -1,15 +1,12 @@
--policy_module(userhelper, 1.7.3)
-+policy_module(userhelper, 1.7.0)
-
- ########################################
- #
+@@ -5,11 +5,8 @@ policy_module(userhelper, 1.8.1)
# Declarations
#
@@ -91978,10 +90579,10 @@ index 7deec55..c542887 100644
')
diff --git a/usernetctl.te b/usernetctl.te
-index dd3f01e..465c661 100644
+index f973af8..de458c2 100644
--- a/usernetctl.te
+++ b/usernetctl.te
-@@ -6,12 +6,12 @@ policy_module(usernetctl, 1.6.1)
+@@ -6,12 +6,12 @@ policy_module(usernetctl, 1.7.0)
#
attribute_role usernetctl_roles;
@@ -92072,7 +90673,7 @@ index af9acc0..cdaf82e 100644
admin_pattern($1, uucpd_log_t)
diff --git a/uucp.te b/uucp.te
-index 380902c..75545d6 100644
+index 849f607..d7c8ed8 100644
--- a/uucp.te
+++ b/uucp.te
@@ -31,7 +31,7 @@ type uucpd_ro_t;
@@ -92172,7 +90773,7 @@ index 6e48653..6abf74a 100644
uuidd_initrc_domtrans($1)
domain_system_change_exemption($1)
diff --git a/uuidd.te b/uuidd.te
-index e670f55..2b332c5 100644
+index f8e52fc..b283c25 100644
--- a/uuidd.te
+++ b/uuidd.te
@@ -42,6 +42,4 @@ dev_read_urand(uuidd_t)
@@ -92183,7 +90784,7 @@ index e670f55..2b332c5 100644
-miscfiles_read_localization(uuidd_t)
diff --git a/uwimap.te b/uwimap.te
-index b81e5c8..d120c52 100644
+index acdc78a..7a18090 100644
--- a/uwimap.te
+++ b/uwimap.te
@@ -37,7 +37,6 @@ kernel_read_kernel_sysctls(imapd_t)
@@ -92298,7 +90899,7 @@ index 9d4d8cb..f50c3ff 100644
tunable_policy(`varnishd_connect_any',`
corenet_sendrecv_all_client_packets(varnishd_t)
diff --git a/vbetool.te b/vbetool.te
-index 14e1eec..b33d259 100644
+index 2a61f75..02a87c0 100644
--- a/vbetool.te
+++ b/vbetool.te
@@ -27,6 +27,7 @@ role vbetool_roles types vbetool_t;
@@ -92415,7 +91016,7 @@ index 31c752e..ef52235 100644
init_labeled_script_domtrans($1, vdagentd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/vdagent.te b/vdagent.te
-index 77be35a..0e9a7d1 100644
+index 87da8a2..9148a0d 100644
--- a/vdagent.te
+++ b/vdagent.te
@@ -25,6 +25,7 @@ logging_log_file(vdagent_log_t)
@@ -92426,25 +91027,26 @@ index 77be35a..0e9a7d1 100644
allow vdagent_t self:fifo_file rw_fifo_file_perms;
allow vdagent_t self:unix_stream_socket { accept listen };
-@@ -39,17 +40,20 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
+@@ -39,20 +40,21 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
setattr_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
logging_log_filetrans(vdagent_t, vdagent_log_t, file)
+kernel_request_load_module(vdagent_t)
+
dev_rw_input_dev(vdagent_t)
+ dev_rw_mtrr(vdagent_t)
dev_read_sysfs(vdagent_t)
dev_dontaudit_write_mtrr(vdagent_t)
-files_read_etc_files(vdagent_t)
-
+ term_use_virtio_console(vdagent_t)
+
init_read_state(vdagent_t)
-logging_send_syslog_msg(vdagent_t)
+systemd_read_logind_sessions_files(vdagent_t)
+systemd_login_read_pid_files(vdagent_t)
-+
-+term_use_virtio_console(vdagent_t)
-miscfiles_read_localization(vdagent_t)
+logging_send_syslog_msg(vdagent_t)
@@ -92471,7 +91073,7 @@ index 22edd58..c3a5364 100644
domain_system_change_exemption($1)
role_transition $2 vhostmd_initrc_exec_t system_r;
diff --git a/vhostmd.te b/vhostmd.te
-index 0be8535..b96e329 100644
+index 3d11c6a..b19a117 100644
--- a/vhostmd.te
+++ b/vhostmd.te
@@ -58,14 +58,11 @@ dev_read_urand(vhostmd_t)
@@ -92498,10 +91100,10 @@ index 0be8535..b96e329 100644
optional_policy(`
diff --git a/virt.fc b/virt.fc
-index c30da4c..9bad8b9 100644
+index a4f20bc..9bad8b9 100644
--- a/virt.fc
+++ b/virt.fc
-@@ -1,52 +1,92 @@
+@@ -1,51 +1,92 @@
-HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
-HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
-HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
@@ -92532,8 +91134,7 @@ index c30da4c..9bad8b9 100644
+/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
+/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
--/etc/rc\.d/init\.d/libvirt-bin -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
--/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
+-/etc/rc\.d/init\.d/(libvirt-bin|libvirtd) -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
+/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
+/usr/libexec/qemu-bridge-helper gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)
@@ -92570,32 +91171,24 @@ index c30da4c..9bad8b9 100644
+/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
+/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
-
--/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
--/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
--/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
--
--/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
--
--/var/run/libguestfs(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
++
+/var/lock/xl -- gen_context(system_u:object_r:virt_log_t,s0)
+/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
- /var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0)
- /var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
--/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
--/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
--/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh)
--/var/run/user/[^/]*/libguestfs(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
--/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
++/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0)
++/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
+/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
+/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
+/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
-+
+
+-/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+-/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+-/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
+/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
-+
+
+-/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+# support for AEOLUS project
+/usr/bin/imagefactory -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/bin/imgfac\.py -- gen_context(system_u:object_r:virtd_exec_t,s0)
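Review bot: `/var/lock/xl -- gen_context(system_u:object_r:virt_log_t,s0)` labels a lock file with the log type, although the module's admin interface in this same patch references a dedicated `virt_lock_t`. A lock carrying `virt_log_t` inherits every rule written for logs, including the `append_files_pattern(virt_domain, virt_log_t, virt_log_t)` granted to all guest domains later in the patch, so any svirt guest could append to xl's lock. Unless the label was chosen deliberately to ride an existing file transition, it should read `gen_context(system_u:object_r:virt_lock_t,s0)`. The line is carried over unchanged by this reorder rather than introduced, but the re-base is a good moment to fix it.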
@@ -92604,7 +91197,15 @@ index c30da4c..9bad8b9 100644
+/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
+/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/vdsm(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
-+
+
+-/var/run/libguestfs(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+-/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0)
+-/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+-/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
+-/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
+-/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh)
+-/var/run/user/[^/]*/libguestfs(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
+-/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
+# add support vios-proxy-*
+/usr/bin/vios-proxy-host -- gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/bin/vios-proxy-guest -- gen_context(system_u:object_r:virtd_exec_t,s0)
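Review bot: `/usr/bin/imagefactory`, `/usr/bin/imgfac\.py`, `/usr/bin/vios-proxy-host` and `/usr/bin/vios-proxy-guest` are all labeled `virtd_exec_t`, so they run in the full `virtd_t` daemon domain rather than one of their own; the virt.te hunks in this patch show virtd_t managing iptables config, signalling dnsmasq and requesting module loads, far more than a proxy helper should need. These entries are moved, not added, by this hunk, but the two comments (`# support for AEOLUS project`, `# add support vios-proxy-*`) should at least state why the libvirtd domain was chosen, and a dedicated domain via `init_daemon_domain` would be the least-privilege fix.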
@@ -92634,7 +91235,7 @@ index c30da4c..9bad8b9 100644
+/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
+/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
diff --git a/virt.if b/virt.if
-index 9dec06c..73549fd 100644
+index facdee8..73549fd 100644
--- a/virt.if
+++ b/virt.if
@@ -1,120 +1,51 @@
@@ -94242,7 +92843,7 @@ index 9dec06c..73549fd 100644
- type virt_bridgehelper_t, virt_qmf_t, virt_var_lib_t;
- type virt_var_run_t, virt_tmp_t, virt_log_t;
- type virt_lock_t, svirt_var_run_t, virt_etc_rw_t;
-- type virt_etc_t, svirt_cache_t;
+- type virt_etc_t, svirt_cache_t, virtd_keytab_t;
+ attribute virt_domain;
+ attribute virt_system_domain;
+ attribute svirt_file_type;
@@ -94275,7 +92876,7 @@ index 9dec06c..73549fd 100644
- admin_pattern($1, { virt_tmp_type virt_tmp_t })
-
- files_search_etc($1)
-- admin_pattern($1, { virt_etc_t virt_etc_rw_t })
+- admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t })
-
- logging_search_logs($1)
- admin_pattern($1, virt_log_t)
@@ -94304,17 +92905,23 @@ index 9dec06c..73549fd 100644
+ virt_stream_connect($1)
')
diff --git a/virt.te b/virt.te
-index 1f22fba..62390bf 100644
+index f03dcf5..007e3ca 100644
--- a/virt.te
+++ b/virt.te
-@@ -1,147 +1,167 @@
--policy_module(virt, 1.6.10)
+@@ -1,150 +1,176 @@
+-policy_module(virt, 1.7.4)
+policy_module(virt, 1.5.0)
########################################
#
# Declarations
#
+
++gen_require(`
++ class passwd rootok;
++ class passwd passwd;
++ ')
++
+attribute virsh_transition_domain;
+attribute virt_ptynode;
+attribute virt_system_domain;
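Review bot: The new `gen_require` block declares the same class twice (`class passwd rootok;` and `class passwd passwd;`); the refpolicy idiom is a single `class passwd { passwd rootok };`, and the closing `')` is indented by a space unlike the other closers in the file. Only `rootok` is consumed by the `allow svirt_sandbox_domain self:passwd rootok;` rule added further down in this patch, so unless `passwd` is used in a hunk outside this view it is an unused require and can go. A module-level class require at the top of virt.te is also unusual; a comment such as `# required by the svirt_sandbox_domain passwd rootok rule below` would make the dependency obvious.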
@@ -94335,7 +92942,7 @@ index 1f22fba..62390bf 100644
+files_type(svirt_image_t)
+dev_node(svirt_image_t)
+dev_associate_sysfs(svirt_image_t)
-
++
##
-##
-## Determine whether confined virtual guests
@@ -94540,6 +93147,9 @@ index 1f22fba..62390bf 100644
+type virtd_initrc_exec_t, virt_file_type;
init_script_file(virtd_initrc_exec_t)
+ type virtd_keytab_t;
+ files_type(virtd_keytab_t)
+
+type qemu_var_run_t, virt_file_type;
+typealias qemu_var_run_t alias svirt_var_run_t;
+files_pid_file(qemu_var_run_t)
@@ -94548,7 +93158,7 @@ index 1f22fba..62390bf 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
-@@ -150,295 +170,141 @@ ifdef(`enable_mls',`
+@@ -153,299 +179,144 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
')
@@ -94610,6 +93220,7 @@ index 1f22fba..62390bf 100644
-allow virt_domain self:process { signal getsched signull };
-allow virt_domain self:fifo_file rw_fifo_file_perms;
+-allow virt_domain self:netlink_kobject_uevent_socket create_socket_perms;
-allow virt_domain self:netlink_route_socket r_netlink_socket_perms;
-allow virt_domain self:shm create_shm_perms;
-allow virt_domain self:tcp_socket create_stream_socket_perms;
@@ -94765,6 +93376,7 @@ index 1f22fba..62390bf 100644
-tunable_policy(`virt_use_usb',`
- dev_rw_usbfs(virt_domain)
- dev_read_sysfs(virt_domain)
+- fs_getattr_dos_fs(virt_domain)
- fs_manage_dos_dirs(virt_domain)
- fs_manage_dos_files(virt_domain)
-')
@@ -94807,6 +93419,7 @@ index 1f22fba..62390bf 100644
- xen_rw_image_files(virt_domain)
+ sssd_dontaudit_stream_connect(svirt_t)
+ sssd_dontaudit_read_lib(svirt_t)
++ sssd_dontaudit_read_public_files(svirt_t)
')
-########################################
@@ -94846,13 +93459,13 @@ index 1f22fba..62390bf 100644
-corenet_udp_sendrecv_all_ports(svirt_t)
-corenet_tcp_bind_generic_node(svirt_t)
-corenet_udp_bind_generic_node(svirt_t)
--
--corenet_sendrecv_all_server_packets(svirt_t)
--corenet_udp_bind_all_ports(svirt_t)
--corenet_tcp_bind_all_ports(svirt_t)
+allow svirt_tcg_t self:process { execmem execstack };
+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
+-corenet_sendrecv_all_server_packets(svirt_t)
+-corenet_udp_bind_all_ports(svirt_t)
+-corenet_tcp_bind_all_ports(svirt_t)
+-
-corenet_sendrecv_all_client_packets(svirt_t)
-corenet_tcp_connect_all_ports(svirt_t)
+corenet_udp_sendrecv_generic_if(svirt_tcg_t)
@@ -94878,7 +93491,7 @@ index 1f22fba..62390bf 100644
+')
+
allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
--allow virtd_t self:unix_stream_socket { accept connectto listen };
+-allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
-allow virtd_t self:tcp_socket { accept listen };
+allow virtd_t self:unix_stream_socket { connectto create_stream_socket_perms relabelfrom relabelto };
+allow virtd_t self:tcp_socket create_stream_socket_perms;
@@ -94906,6 +93519,8 @@ index 1f22fba..62390bf 100644
manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
-filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos")
+ allow virtd_t virtd_keytab_t:file read_file_perms;
+
-allow virtd_t svirt_var_run_t:file relabel_file_perms;
-manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
-manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
@@ -94929,7 +93544,7 @@ index 1f22fba..62390bf 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -448,42 +314,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
+@@ -455,42 +326,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
@@ -94976,7 +93591,7 @@ index 1f22fba..62390bf 100644
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
-@@ -496,16 +349,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -503,16 +361,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
@@ -94998,7 +93613,7 @@ index 1f22fba..62390bf 100644
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
-@@ -513,6 +362,7 @@ kernel_read_kernel_sysctls(virtd_t)
+@@ -520,6 +374,7 @@ kernel_read_kernel_sysctls(virtd_t)
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
kernel_setsched(virtd_t)
@@ -95006,7 +93621,7 @@ index 1f22fba..62390bf 100644
corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t)
-@@ -520,24 +370,16 @@ corecmd_exec_shell(virtd_t)
+@@ -527,24 +382,16 @@ corecmd_exec_shell(virtd_t)
corenet_all_recvfrom_netlabel(virtd_t)
corenet_tcp_sendrecv_generic_if(virtd_t)
corenet_tcp_sendrecv_generic_node(virtd_t)
@@ -95034,7 +93649,7 @@ index 1f22fba..62390bf 100644
dev_rw_sysfs(virtd_t)
dev_read_urand(virtd_t)
dev_read_rand(virtd_t)
-@@ -548,22 +390,27 @@ dev_rw_vhost(virtd_t)
+@@ -555,22 +402,27 @@ dev_rw_vhost(virtd_t)
dev_setattr_generic_usb_dev(virtd_t)
dev_relabel_generic_usb_dev(virtd_t)
@@ -95067,7 +93682,7 @@ index 1f22fba..62390bf 100644
fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
-@@ -594,15 +441,18 @@ term_use_ptmx(virtd_t)
+@@ -601,15 +453,18 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)
@@ -95087,7 +93702,7 @@ index 1f22fba..62390bf 100644
selinux_validate_context(virtd_t)
-@@ -613,18 +463,26 @@ seutil_read_file_contexts(virtd_t)
+@@ -620,18 +475,26 @@ seutil_read_file_contexts(virtd_t)
sysnet_signull_ifconfig(virtd_t)
sysnet_signal_ifconfig(virtd_t)
sysnet_domtrans_ifconfig(virtd_t)
@@ -95124,7 +93739,7 @@ index 1f22fba..62390bf 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -633,7 +491,7 @@ tunable_policy(`virt_use_nfs',`
+@@ -640,7 +503,7 @@ tunable_policy(`virt_use_nfs',`
')
tunable_policy(`virt_use_samba',`
@@ -95133,7 +93748,7 @@ index 1f22fba..62390bf 100644
fs_manage_cifs_files(virtd_t)
fs_read_cifs_symlinks(virtd_t)
')
-@@ -658,20 +516,12 @@ optional_policy(`
+@@ -665,20 +528,12 @@ optional_policy(`
')
optional_policy(`
@@ -95154,7 +93769,7 @@ index 1f22fba..62390bf 100644
')
optional_policy(`
-@@ -684,14 +534,20 @@ optional_policy(`
+@@ -691,20 +546,26 @@ optional_policy(`
dnsmasq_kill(virtd_t)
dnsmasq_signull(virtd_t)
dnsmasq_create_pid_dirs(virtd_t)
@@ -95177,7 +93792,15 @@ index 1f22fba..62390bf 100644
iptables_manage_config(virtd_t)
')
-@@ -704,11 +560,13 @@ optional_policy(`
+ optional_policy(`
+- kerberos_read_keytab(virtd_t)
+- kerberos_use(virtd_t)
++ kerberos_read_keytab(virtd_t)
++ kerberos_use(virtd_t)
+ ')
+
+ optional_policy(`
+@@ -712,11 +573,13 @@ optional_policy(`
')
optional_policy(`
@@ -95191,7 +93814,7 @@ index 1f22fba..62390bf 100644
policykit_domtrans_auth(virtd_t)
policykit_domtrans_resolve(virtd_t)
policykit_read_lib(virtd_t)
-@@ -719,10 +577,18 @@ optional_policy(`
+@@ -727,10 +590,18 @@ optional_policy(`
')
optional_policy(`
@@ -95210,8 +93833,8 @@ index 1f22fba..62390bf 100644
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
-@@ -737,44 +603,264 @@ optional_policy(`
- udev_read_db(virtd_t)
+@@ -746,44 +617,264 @@ optional_policy(`
+ udev_read_pid_files(virtd_t)
')
+optional_policy(`
@@ -95263,15 +93886,14 @@ index 1f22fba..62390bf 100644
+manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t)
+filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file })
+stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t)
-
--manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
--filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
++
+manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
+manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
+files_var_filetrans(virt_domain, virt_cache_t, { file dir })
--dontaudit virsh_t virt_var_lib_t:file read_file_perms;
+-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
+-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
+read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t)
+
+manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t)
@@ -95303,12 +93925,13 @@ index 1f22fba..62390bf 100644
+
+dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
--allow virsh_t svirt_lxc_domain:process transition;
+-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
+dontaudit virt_domain virt_tmpfs_type:file { read write };
--can_exec(virsh_t, virsh_exec_t)
+-allow virsh_t svirt_lxc_domain:process transition;
+append_files_pattern(virt_domain, virt_log_t, virt_log_t)
-+
+
+-can_exec(virsh_t, virsh_exec_t)
+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
+
+corecmd_exec_bin(virt_domain)
@@ -95322,7 +93945,7 @@ index 1f22fba..62390bf 100644
+corenet_tcp_bind_virt_migration_port(virt_domain)
+corenet_tcp_connect_virt_migration_port(virt_domain)
+corenet_rw_inherited_tun_tap_dev(virt_domain)
-+
+
+dev_list_sysfs(virt_domain)
+dev_getattr_fs(virt_domain)
+dev_dontaudit_getattr_all(virt_domain)
@@ -95411,7 +94034,7 @@ index 1f22fba..62390bf 100644
+ fs_read_nfs_symlinks(virt_domain)
+ fs_getattr_nfs(virt_domain)
+')
-
++
+tunable_policy(`virt_use_samba',`
+ fs_manage_cifs_dirs(virt_domain)
+ fs_manage_cifs_files(virt_domain)
@@ -95497,7 +94120,7 @@ index 1f22fba..62390bf 100644
kernel_read_system_state(virsh_t)
kernel_read_network_state(virsh_t)
kernel_read_kernel_sysctls(virsh_t)
-@@ -785,25 +871,18 @@ kernel_write_xen_state(virsh_t)
+@@ -794,25 +885,18 @@ kernel_write_xen_state(virsh_t)
corecmd_exec_bin(virsh_t)
corecmd_exec_shell(virsh_t)
@@ -95524,7 +94147,7 @@ index 1f22fba..62390bf 100644
fs_getattr_all_fs(virsh_t)
fs_manage_xenfs_dirs(virsh_t)
-@@ -812,23 +891,23 @@ fs_search_auto_mountpoints(virsh_t)
+@@ -821,23 +905,23 @@ fs_search_auto_mountpoints(virsh_t)
storage_raw_read_fixed_disk(virsh_t)
@@ -95557,7 +94180,7 @@ index 1f22fba..62390bf 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virsh_t)
-@@ -847,14 +926,20 @@ optional_policy(`
+@@ -856,14 +940,20 @@ optional_policy(`
')
optional_policy(`
@@ -95579,7 +94202,7 @@ index 1f22fba..62390bf 100644
xen_stream_connect(virsh_t)
xen_stream_connect_xenstore(virsh_t)
')
-@@ -879,49 +964,65 @@ optional_policy(`
+@@ -888,49 +978,65 @@ optional_policy(`
kernel_read_xen_state(virsh_ssh_t)
kernel_write_xen_state(virsh_ssh_t)
@@ -95663,7 +94286,7 @@ index 1f22fba..62390bf 100644
corecmd_exec_bin(virtd_lxc_t)
corecmd_exec_shell(virtd_lxc_t)
-@@ -933,17 +1034,16 @@ dev_read_urand(virtd_lxc_t)
+@@ -942,17 +1048,16 @@ dev_read_urand(virtd_lxc_t)
domain_use_interactive_fds(virtd_lxc_t)
@@ -95683,7 +94306,7 @@ index 1f22fba..62390bf 100644
fs_getattr_all_fs(virtd_lxc_t)
fs_manage_tmpfs_dirs(virtd_lxc_t)
fs_manage_tmpfs_chr_files(virtd_lxc_t)
-@@ -955,8 +1055,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
+@@ -964,8 +1069,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
fs_unmount_all_fs(virtd_lxc_t)
fs_relabelfrom_tmpfs(virtd_lxc_t)
@@ -95707,7 +94330,7 @@ index 1f22fba..62390bf 100644
selinux_get_enforce_mode(virtd_lxc_t)
selinux_get_fs_mount(virtd_lxc_t)
selinux_validate_context(virtd_lxc_t)
-@@ -965,194 +1080,238 @@ selinux_compute_create_context(virtd_lxc_t)
+@@ -974,194 +1094,239 @@ selinux_compute_create_context(virtd_lxc_t)
selinux_compute_relabel_context(virtd_lxc_t)
selinux_compute_user_contexts(virtd_lxc_t)
@@ -95759,7 +94382,7 @@ index 1f22fba..62390bf 100644
+allow svirt_sandbox_domain self:msgq create_msgq_perms;
+allow svirt_sandbox_domain self:unix_stream_socket { create_stream_socket_perms connectto };
+allow svirt_sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
-+
++allow svirt_sandbox_domain self:passwd rootok;
+
+allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto };
+allow virtd_t svirt_sandbox_domain:process { signal_perms getattr };
@@ -95805,6 +94428,7 @@ index 1f22fba..62390bf 100644
+files_read_config_files(svirt_sandbox_domain)
+files_read_usr_symlinks(svirt_sandbox_domain)
+files_search_locks(svirt_sandbox_domain)
++files_dontaudit_unmount_all_mountpoints(svirt_sandbox_domain)
+
+fs_getattr_all_fs(svirt_sandbox_domain)
+fs_list_inotifyfs(svirt_sandbox_domain)
@@ -95838,10 +94462,6 @@ index 1f22fba..62390bf 100644
+ apache_exec_modules(svirt_sandbox_domain)
+ apache_read_sys_content(svirt_sandbox_domain)
+')
-+
-+optional_policy(`
-+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
-+')
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
@@ -95926,17 +94546,21 @@ index 1f22fba..62390bf 100644
-
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
+optional_policy(`
-+ ssh_use_ptys(svirt_sandbox_domain)
++ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
+')
optional_policy(`
- udev_read_pid_files(svirt_lxc_domain)
-+ udev_read_pid_files(svirt_sandbox_domain)
++ ssh_use_ptys(svirt_sandbox_domain)
')
optional_policy(`
- apache_exec_modules(svirt_lxc_domain)
- apache_read_sys_content(svirt_lxc_domain)
++ udev_read_pid_files(svirt_sandbox_domain)
++')
++
++optional_policy(`
+ userhelper_dontaudit_write_config(svirt_sandbox_domain)
')
@@ -95965,9 +94589,7 @@ index 1f22fba..62390bf 100644
-kernel_read_network_state(svirt_lxc_net_t)
-kernel_read_irq_sysctls(svirt_lxc_net_t)
-+allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
-+allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
-
+-
-corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
-corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
-corenet_tcp_sendrecv_generic_if(svirt_lxc_net_t)
@@ -95978,7 +94600,9 @@ index 1f22fba..62390bf 100644
-corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
-corenet_tcp_bind_generic_node(svirt_lxc_net_t)
-corenet_udp_bind_generic_node(svirt_lxc_net_t)
--
++allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
++allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
+
-corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
-corenet_udp_bind_all_ports(svirt_lxc_net_t)
-corenet_tcp_bind_all_ports(svirt_lxc_net_t)
@@ -96049,15 +94673,15 @@ index 1f22fba..62390bf 100644
+dev_getattr_mtrr_dev(svirt_qemu_net_t)
+dev_read_rand(svirt_qemu_net_t)
+dev_read_urand(svirt_qemu_net_t)
-+
+
+-allow svirt_prot_exec_t self:process { execmem execstack };
+files_read_kernel_modules(svirt_qemu_net_t)
+
+fs_noxattr_type(svirt_sandbox_file_t)
+fs_mount_cgroup(svirt_qemu_net_t)
+fs_manage_cgroup_dirs(svirt_qemu_net_t)
+fs_manage_cgroup_files(svirt_qemu_net_t)
-
--allow svirt_prot_exec_t self:process { execmem execstack };
++
+term_pty(svirt_sandbox_file_t)
+
+auth_use_nsswitch(svirt_qemu_net_t)
@@ -96082,7 +94706,7 @@ index 1f22fba..62390bf 100644
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -1165,12 +1324,12 @@ dev_read_sysfs(virt_qmf_t)
+@@ -1174,12 +1339,12 @@ dev_read_sysfs(virt_qmf_t)
dev_read_rand(virt_qmf_t)
dev_read_urand(virt_qmf_t)
@@ -96097,7 +94721,7 @@ index 1f22fba..62390bf 100644
sysnet_read_config(virt_qmf_t)
optional_policy(`
-@@ -1183,9 +1342,8 @@ optional_policy(`
+@@ -1192,9 +1357,8 @@ optional_policy(`
########################################
#
@@ -96108,7 +94732,7 @@ index 1f22fba..62390bf 100644
allow virt_bridgehelper_t self:process { setcap getcap };
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
-@@ -1198,5 +1356,194 @@ kernel_read_network_state(virt_bridgehelper_t)
+@@ -1207,5 +1371,194 @@ kernel_read_network_state(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
@@ -96306,7 +94930,7 @@ index 1f22fba..62390bf 100644
+corenet_tcp_connect_all_ports(sandbox_net_domain)
+
diff --git a/vlock.te b/vlock.te
-index 9ead775..b5285e7 100644
+index 6b72968..de409cc 100644
--- a/vlock.te
+++ b/vlock.te
@@ -38,7 +38,7 @@ auth_use_pam(vlock_t)
@@ -96337,7 +94961,7 @@ index 20a1fb2..470ea95 100644
allow $2 { vmware_tmp_t vmware_file_t }:dir { manage_dir_perms relabel_dir_perms };
allow $2 { vmware_conf_t vmware_file_t vmware_tmp_t vmware_tmpfs_t }:file { manage_file_perms relabel_file_perms };
diff --git a/vmware.te b/vmware.te
-index 3a56513..d7ec42b 100644
+index 4ad1894..d72037f 100644
--- a/vmware.te
+++ b/vmware.te
@@ -65,7 +65,8 @@ ifdef(`enable_mcs',`
@@ -96457,7 +95081,7 @@ index 137ac44..b644854 100644
domain_system_change_exemption($1)
role_transition $2 vnstatd_initrc_exec_t system_r;
diff --git a/vnstatd.te b/vnstatd.te
-index febc3e5..ff18188 100644
+index e2220ae..0dcf5f6 100644
--- a/vnstatd.te
+++ b/vnstatd.te
@@ -36,7 +36,7 @@ allow vnstatd_t self:unix_stream_socket { accept listen };
@@ -96608,16 +95232,10 @@ index 7a7f342..afedcba 100644
##
##
diff --git a/vpn.te b/vpn.te
-index 9329eae..824e86f 100644
+index 95b26d1..55557cb 100644
--- a/vpn.te
+++ b/vpn.te
-@@ -1,4 +1,4 @@
--policy_module(vpn, 1.15.1)
-+policy_module(vpn, 1.15.0)
-
- ########################################
- #
-@@ -6,6 +6,7 @@ policy_module(vpn, 1.15.1)
+@@ -6,6 +6,7 @@ policy_module(vpn, 1.16.0)
#
attribute_role vpnc_roles;
@@ -96744,7 +95362,7 @@ index eecd0e0..8df2e8c 100644
/var/run/watchdog\.pid -- gen_context(system_u:object_r:watchdog_var_run_t,s0)
diff --git a/watchdog.te b/watchdog.te
-index 29f79e8..45b3926 100644
+index 3548317..d8655b2 100644
--- a/watchdog.te
+++ b/watchdog.te
@@ -12,12 +12,18 @@ init_daemon_domain(watchdog_t, watchdog_exec_t)
@@ -96986,7 +95604,7 @@ index 1e3aec0..d17ff39 100644
+
')
diff --git a/wdmd.te b/wdmd.te
-index ebbdaf6..144c0e7 100644
+index 4815a93..24dcf51 100644
--- a/wdmd.te
+++ b/wdmd.te
@@ -45,16 +45,15 @@ corecmd_exec_shell(wdmd_t)
@@ -97011,7 +95629,7 @@ index ebbdaf6..144c0e7 100644
+ rhcs_rw_cluster_tmpfs(wdmd_t)
')
diff --git a/webadm.te b/webadm.te
-index 708254f..d26f598 100644
+index 2a6cae7..6d0a2a1 100644
--- a/webadm.te
+++ b/webadm.te
@@ -25,6 +25,9 @@ role webadm_r;
@@ -97049,7 +95667,7 @@ index 708254f..d26f598 100644
tunable_policy(`webadm_manage_user_files',`
userdom_manage_user_home_content_files(webadm_t)
diff --git a/webalizer.te b/webalizer.te
-index cdca8c7..3c09628 100644
+index ae919b9..e0b1983 100644
--- a/webalizer.te
+++ b/webalizer.te
@@ -55,27 +55,35 @@ can_exec(webalizer_t, webalizer_exec_t)
@@ -97243,10 +95861,10 @@ index fd2b6cc..52a2e72 100644
########################################
diff --git a/wine.te b/wine.te
-index b51923c..8e47110 100644
+index 491b87b..689460b 100644
--- a/wine.te
+++ b/wine.te
-@@ -14,10 +14,11 @@ policy_module(wine, 1.10.1)
+@@ -14,10 +14,11 @@ policy_module(wine, 1.11.0)
##
gen_tunable(wine_mmap_zero_ignore, false)
@@ -97342,7 +95960,7 @@ index b51923c..8e47110 100644
+ xserver_rw_shm(wine_domain)
')
diff --git a/wireshark.te b/wireshark.te
-index cf5cab6..a2d910f 100644
+index ff6ef38..436d3bf 100644
--- a/wireshark.te
+++ b/wireshark.te
@@ -34,7 +34,7 @@ userdom_user_tmpfs_file(wireshark_tmpfs_t)
@@ -97407,7 +96025,7 @@ index 304ae09..c1d10a1 100644
-/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0)
+/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0)
diff --git a/wm.if b/wm.if
-index 25b702d..36b2f81 100644
+index 95f888d..36b2f81 100644
--- a/wm.if
+++ b/wm.if
@@ -1,4 +1,4 @@
@@ -97416,7 +96034,7 @@ index 25b702d..36b2f81 100644
#######################################
##
-@@ -29,54 +29,46 @@
+@@ -29,69 +29,59 @@
#
template(`wm_role_template',`
gen_require(`
@@ -97477,6 +96095,9 @@ index 25b702d..36b2f81 100644
- auth_use_nsswitch($1_wm_t)
-
+- xserver_role($2, $1_wm_t)
+- xserver_manage_core_devices($1_wm_t)
+-
- optional_policy(`
- dbus_spec_session_bus_client($1, $1_wm_t)
- dbus_system_bus_client($1_wm_t)
@@ -97487,9 +96108,16 @@ index 25b702d..36b2f81 100644
- ')
-
optional_policy(`
- pulseaudio_run($1_wm_t, $2)
+- gnome_stream_connect_gkeyringd($1, $1_wm_t)
++ pulseaudio_run($1_wm_t, $2)
')
-@@ -89,7 +81,7 @@ template(`wm_role_template',`
+
+ optional_policy(`
+- pulseaudio_run($1_wm_t, $2)
++ xserver_role($2, $1_wm_t)
++ xserver_manage_core_devices($1_wm_t)
+ ')
+ ')
########################################
##
@@ -97498,7 +96126,7 @@ index 25b702d..36b2f81 100644
##
##
##
-@@ -102,33 +94,5 @@ interface(`wm_exec',`
+@@ -104,33 +94,5 @@ interface(`wm_exec',`
type wm_exec_t;
')
@@ -97533,15 +96161,14 @@ index 25b702d..36b2f81 100644
- allow $1_wm_t $2:dbus send_msg;
-')
diff --git a/wm.te b/wm.te
-index 7c7f7fa..20ce90b 100644
+index 638d10f..5fb9960 100644
--- a/wm.te
+++ b/wm.te
-@@ -1,36 +1,88 @@
--policy_module(wm, 1.2.5)
-+policy_module(wm, 1.2.0)
-+
-+attribute wm_domain;
+@@ -1,12 +1,12 @@
+ policy_module(wm, 1.3.3)
++attribute wm_domain;
++
########################################
#
# Declarations
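Review bot: The moved `attribute wm_domain;` now sits directly under `policy_module(wm, 1.3.3)` and above the `# Declarations` banner, which is exactly where upstream keeps it; this looks like a re-base artefact rather than intent. Keep the attribute under the banner (it only has to precede the first `wm_domain` rule, which comes much later) so the file keeps the refpolicy layout and the banner stays truthful. The inner hunk this touches continues in the next outer hunk.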
@@ -97550,58 +96177,65 @@ index 7c7f7fa..20ce90b 100644
-attribute wm_domain;
-
type wm_exec_t;
--
--########################################
--#
--# Common wm domain local policy
--#
-+corecmd_executable_file(wm_exec_t)
+ corecmd_executable_file(wm_exec_t)
+@@ -18,11 +18,11 @@ corecmd_executable_file(wm_exec_t)
allow wm_domain self:fifo_file rw_fifo_file_perms;
--allow wm_domain self:process getsched;
-+allow wm_domain self:process { setcap setrlimit execmem signal_perms getsched setsched };
-+allow wm_domain self:netlink_kobject_uevent_socket create_socket_perms;
+ allow wm_domain self:process { setcap setrlimit execmem signal_perms getsched setsched };
+ allow wm_domain self:netlink_kobject_uevent_socket create_socket_perms;
+
allow wm_domain self:shm create_shm_perms;
allow wm_domain self:unix_dgram_socket create_socket_perms;
-kernel_read_system_state(wm_domain)
-
- dev_read_urand(wm_domain)
-+dev_read_sound(wm_domain)
-+dev_write_sound(wm_domain)
-+dev_rw_wireless(wm_domain)
-+dev_read_sysfs(wm_domain)
-+
-+fs_getattr_all_fs(wm_domain)
-+
+corecmd_dontaudit_access_all_executables(wm_domain)
-+corecmd_getattr_all_executables(wm_domain)
+ corecmd_getattr_all_executables(wm_domain)
+
+ dev_read_sound(wm_domain)
+@@ -31,12 +31,18 @@ dev_read_urand(wm_domain)
+ dev_rw_wireless(wm_domain)
+ dev_write_sound(wm_domain)
-files_read_usr_files(wm_domain)
+-
+ fs_getattr_all_fs(wm_domain)
+
+application_signull(wm_domain)
+
+init_read_state(wm_domain)
-
++
miscfiles_read_fonts(wm_domain)
-miscfiles_read_localization(wm_domain)
-
--userdom_manage_user_tmp_sockets(wm_domain)
--userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
++
+systemd_dbus_chat_logind(wm_domain)
+systemd_read_logind_sessions_files(wm_domain)
+systemd_write_inhibit_pipes(wm_domain)
+systemd_login_read_pid_files(wm_domain)
-+
-+userdom_read_user_home_content_files(wm_domain)
-+
+
+ userdom_manage_user_tmp_sockets(wm_domain)
+ userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
+@@ -45,24 +51,38 @@ userdom_manage_user_home_content_dirs(wm_domain)
+ userdom_manage_user_home_content_files(wm_domain)
+ userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file })
+
+-optional_policy(`
+- accountsd_dbus_chat(wm_domain)
+-')
+-
+-optional_policy(`
+- bluetooth_dbus_chat(wm_domain)
+-')
+udev_read_pid_files(wm_domain)
-+
-+optional_policy(`
+
+ optional_policy(`
+- devicekit_dbus_chat_power(wm_domain)
+ gnome_stream_connect_gkeyringd(wm_domain)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- networkmanager_dbus_chat(wm_domain)
+-')
+ dbus_system_bus_client(wm_domain)
+ dbus_session_bus_client(wm_domain)
+ optional_policy(`
@@ -97611,7 +96245,9 @@ index 7c7f7fa..20ce90b 100644
+ optional_policy(`
+ bluetooth_dbus_chat(wm_domain)
+ ')
-+
+
+-optional_policy(`
+- policykit_dbus_chat(wm_domain)
+ optional_policy(`
+ devicekit_dbus_chat_power(wm_domain)
+ ')
@@ -97627,19 +96263,14 @@ index 7c7f7fa..20ce90b 100644
+ optional_policy(`
+ systemd_dbus_chat_logind(wm_domain)
+ ')
-+')
-+
-+optional_policy(`
-+ pulseaudio_stream_connect(wm_domain)
-+')
-+
-+optional_policy(`
-+ userhelper_exec_console(wm_domain)
-+')
+ ')
--userdom_manage_user_home_content_dirs(wm_domain)
--userdom_manage_user_home_content_files(wm_domain)
--userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file })
+ optional_policy(`
+@@ -72,3 +92,7 @@ optional_policy(`
+ optional_policy(`
+ userhelper_exec_consolehelper(wm_domain)
+ ')
++
+optional_policy(`
+ xserver_manage_core_devices(wm_domain)
+')
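Review bot: `systemd_dbus_chat_logind(wm_domain)` is granted twice on the new side, once unconditionally next to the other `systemd_*` calls and again inside the nested `optional_policy` block under the dbus client rules, so the guarded copy is dead and the bare one defeats the point of guarding it. Keep only the guarded copy, or only the bare one if systemd is treated as always present here, and drop the other. The `xserver_manage_core_devices(wm_domain)` added at the end is also granted per role as `xserver_manage_core_devices($1_wm_t)` in `wm_role_template` in this same patch; if every `$1_wm_t` carries the `wm_domain` attribute one of the two is redundant, which is worth confirming before removing either.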
@@ -97974,14 +96605,10 @@ index f93558c..16e29c1 100644
files_search_pids($1)
diff --git a/xen.te b/xen.te
-index ed40676..3fe3e35 100644
+index 6f736a9..0fa964c 100644
--- a/xen.te
+++ b/xen.te
-@@ -1,42 +1,34 @@
--policy_module(xen, 1.12.5)
-+policy_module(xen, 1.12.0)
-
- ########################################
+@@ -4,39 +4,31 @@ policy_module(xen, 1.13.0)
#
# Declarations
#
@@ -98670,7 +97297,7 @@ index ed40676..3fe3e35 100644
- fs_manage_xenfs_files(xm_ssh_t)
-')
diff --git a/xfs.te b/xfs.te
-index 0cea2cd..7668014 100644
+index 0928c5d..d270a72 100644
--- a/xfs.te
+++ b/xfs.te
@@ -41,7 +41,6 @@ can_exec(xfs_t, xfs_exec_t)
@@ -98698,16 +97325,10 @@ index 0cea2cd..7668014 100644
userdom_dontaudit_use_unpriv_user_fds(xfs_t)
diff --git a/xguest.te b/xguest.te
-index 2882821..8cf4841 100644
+index a64aad3..0f7c96d 100644
--- a/xguest.te
+++ b/xguest.te
-@@ -1,4 +1,4 @@
--policy_module(xguest, 1.1.2)
-+policy_module(xguest, 1.1.0)
-
- ########################################
- #
-@@ -6,46 +6,47 @@ policy_module(xguest, 1.1.2)
+@@ -6,46 +6,47 @@ policy_module(xguest, 1.2.0)
#
##
@@ -98829,7 +97450,7 @@ index 2882821..8cf4841 100644
')
optional_policy(`
-@@ -97,75 +115,82 @@ optional_policy(`
+@@ -97,75 +115,78 @@ optional_policy(`
')
optional_policy(`
@@ -98839,19 +97460,15 @@ index 2882821..8cf4841 100644
optional_policy(`
- mozilla_role(xguest_r, xguest_t)
-+ gnome_role(xguest_r, xguest_t)
++ mozilla_run_plugin(xguest_t, xguest_r)
')
optional_policy(`
- tunable_policy(`xguest_connect_network',`
- kernel_read_network_state(xguest_t)
-+ mozilla_run_plugin(xguest_t, xguest_r)
-+')
-
-+optional_policy(`
+ mount_run_fusermount(xguest_t, xguest_r)
+')
-+
+
+optional_policy(`
+ pcscd_read_pid_files(xguest_t)
+ pcscd_stream_connect(xguest_t)
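Review bot: `gnome_role(xguest_r, xguest_t)` (the removed `-+` line) disappears from the patch in this hunk and nothing on the new side re-adds it; `mozilla_run_plugin(xguest_t, xguest_r)` only moves into the block that replaces `mozilla_role`, and the inner header going from `+115,82` to `+115,78` matches that net loss of four lines. If upstream's xguest.te now carries the gnome role itself this is a clean rebase, otherwise xguest silently loses that role and the change should at least be named in the spec changelog, which currently says only "Update to upstream". The enclosing optional_policy block continues past the end of this hunk.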
@@ -98986,7 +97603,7 @@ index 3c44d84..ce5e69d 100644
sysnet_read_config(xprint_t)
diff --git a/xscreensaver.te b/xscreensaver.te
-index c9c9650..485e77d 100644
+index 04096a0..98a8205 100644
--- a/xscreensaver.te
+++ b/xscreensaver.te
@@ -25,7 +25,6 @@ allow xscreensaver_t self:fifo_file rw_fifo_file_perms;
@@ -99010,7 +97627,7 @@ index c9c9650..485e77d 100644
xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
diff --git a/yam.te b/yam.te
-index d837e88..910aeec 100644
+index 2695db2..123c042 100644
--- a/yam.te
+++ b/yam.te
@@ -73,11 +73,11 @@ auth_use_nsswitch(yam_t)
@@ -99029,7 +97646,7 @@ index d837e88..910aeec 100644
userdom_search_user_home_dirs(yam_t)
diff --git a/zabbix.fc b/zabbix.fc
-index ce10cb1..3181728 100644
+index c3b5a81..7d8b570 100644
--- a/zabbix.fc
+++ b/zabbix.fc
@@ -4,11 +4,15 @@
@@ -99212,10 +97829,10 @@ index dd63de0..38ce620 100644
- admin_pattern($1, zabbix_tmpfs_t)
')
diff --git a/zabbix.te b/zabbix.te
-index 46e4cd3..79317e6 100644
+index 7f496c6..16f1ab6 100644
--- a/zabbix.te
+++ b/zabbix.te
-@@ -6,21 +6,23 @@ policy_module(zabbix, 1.5.3)
+@@ -6,21 +6,23 @@ policy_module(zabbix, 1.6.0)
#
##
@@ -99654,15 +98271,10 @@ index 36e32df..3d08962 100644
+ manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
')
diff --git a/zarafa.te b/zarafa.te
-index a4479b1..a40d580 100644
+index 3fded1c..5729b83 100644
--- a/zarafa.te
+++ b/zarafa.te
-@@ -1,13 +1,18 @@
--policy_module(zarafa, 1.1.4)
-+policy_module(zarafa, 1.1.0)
-
- ########################################
- #
+@@ -5,9 +5,14 @@ policy_module(zarafa, 1.2.0)
# Declarations
#
@@ -100007,16 +98619,10 @@ index 3416401..ef64e73 100644
init_labeled_script_domtrans($1, zebra_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/zebra.te b/zebra.te
-index b0803c2..f1fa5f7 100644
+index 2e80d04..dd1513f 100644
--- a/zebra.te
+++ b/zebra.te
-@@ -1,4 +1,4 @@
--policy_module(zebra, 1.12.1)
-+policy_module(zebra, 1.12.0)
-
- ########################################
- #
-@@ -6,19 +6,19 @@ policy_module(zebra, 1.12.1)
+@@ -6,19 +6,19 @@ policy_module(zebra, 1.13.0)
#
##
@@ -100758,7 +99364,7 @@ index b14698c..16e1581 100644
interface(`zosremote_run',`
gen_require(`
diff --git a/zosremote.te b/zosremote.te
-index 9ba9f81..983b6c8 100644
+index bc6a5db..0abdceb 100644
--- a/zosremote.te
+++ b/zosremote.te
@@ -24,6 +24,4 @@ allow zos_remote_t self:unix_stream_socket { accept listen };
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b7ea883..132a927 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -573,6 +573,9 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Nov 13 2013 Miroslav Grepl 3.13.1-1
+- Update to upstream
+
* Tue Nov 12 2013 Miroslav Grepl 3.12.1-100
- Fix passenger_stream_connect interface
- setroubleshoot_fixit wants to read network state