diff --git a/policy-F16.patch b/policy-F16.patch
index f4b4dfe..94909b5 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -3875,7 +3875,7 @@ index 00a19e3..55075f9 100644
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..c9f63b0 100644
+index f5afe78..bf930fc 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -1,44 +1,623 @@
@@ -4642,7 +4642,7 @@ index f5afe78..c9f63b0 100644
##
##
##
-@@ -140,51 +719,335 @@ interface(`gnome_domtrans_gconfd',`
+@@ -140,51 +719,378 @@ interface(`gnome_domtrans_gconfd',`
##
##
#
@@ -4992,6 +4992,49 @@ index f5afe78..c9f63b0 100644
+ userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, .gstreamer-10)
+ userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, .gstreamer-12)
+')
++######################################
++##
++## Execute gnome-keyring executable
++## in the specified domain.
++##
++##
++##
++## Execute a telepathy executable
++## in the specified domain. This allows
++## the specified domain to execute any file
++## on these filesystems in the specified
++## domain.
++##
++##
++## No interprocess communication (signals, pipes,
++## etc.) is provided by this interface since
++## the domains are not owned by this module.
++##
++##
++## This interface was added to handle
++## the ssh-agent policy.
++##
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## The type of the new process.
++##
++##
++#
++interface(`gnome_command_domtrans_gkeyringd', `
++ gen_require(`
++ type gkeyringd_exec_t;
++ ')
++
++ allow $2 gkeyringd_exec_t:file entrypoint;
++ domain_transition_pattern($1, gkeyringd_exec_t, $2)
++ type_transition $1 gkeyringd_exec_t:process $2;
++')
diff --git a/policy/modules/apps/gnome.te b/policy/modules/apps/gnome.te
index 2505654..93e68ff 100644
--- a/policy/modules/apps/gnome.te
@@ -7364,10 +7407,10 @@ index 0000000..37449c0
+')
diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
new file mode 100644
-index 0000000..6cc919e
+index 0000000..d3500a4
--- /dev/null
+++ b/policy/modules/apps/nsplugin.te
-@@ -0,0 +1,323 @@
+@@ -0,0 +1,324 @@
+policy_module(nsplugin, 1.0.0)
+
+########################################
@@ -7605,6 +7648,7 @@ index 0000000..6cc919e
+allow nsplugin_config_t self:fifo_file rw_file_perms;
+allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
+
++dev_search_sysfs(nsplugin_config_t)
+dev_read_urand(nsplugin_config_t)
+dev_dontaudit_read_rand(nsplugin_config_t)
+dev_dontaudit_rw_dri(nsplugin_config_t)
@@ -8740,10 +8784,10 @@ index 0000000..0fedd57
+')
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
new file mode 100644
-index 0000000..fc0e3f7
+index 0000000..c06a38c
--- /dev/null
+++ b/policy/modules/apps/sandbox.te
-@@ -0,0 +1,483 @@
+@@ -0,0 +1,484 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@@ -8804,6 +8848,7 @@ index 0000000..fc0e3f7
+fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+
+kernel_dontaudit_request_load_module(sandbox_xserver_t)
++kernel_read_system_state(sandbox_xserver_t)
+
+corecmd_exec_bin(sandbox_xserver_t)
+corecmd_exec_shell(sandbox_xserver_t)
@@ -8821,7 +8866,9 @@ index 0000000..fc0e3f7
+corenet_sendrecv_xserver_server_packets(sandbox_xserver_t)
+corenet_sendrecv_all_client_packets(sandbox_xserver_t)
+
++dev_search_sysfs(sandbox_xserver_t)
+dev_rwx_zero(sandbox_xserver_t)
++dev_read_urand(sandbox_xserver_t)
+
+files_read_config_files(sandbox_xserver_t)
+files_read_usr_files(sandbox_xserver_t)
@@ -8833,8 +8880,6 @@ index 0000000..fc0e3f7
+miscfiles_read_fonts(sandbox_xserver_t)
+miscfiles_read_localization(sandbox_xserver_t)
+
-+kernel_read_system_state(sandbox_xserver_t)
-+
+selinux_validate_context(sandbox_xserver_t)
+selinux_compute_access_vector(sandbox_xserver_t)
+selinux_compute_create_context(sandbox_xserver_t)
@@ -8888,6 +8933,10 @@ index 0000000..fc0e3f7
+ attribute exec_type, configfile;
+')
+
++kernel_dontaudit_read_system_state(sandbox_domain)
++
++corecmd_exec_all_executables(sandbox_domain)
++
+files_rw_all_inherited_files(sandbox_domain, -exec_type -configfile -usr_t -lib_t -locale_t -var_t -var_run_t -device_t -rpm_log_t )
+files_entrypoint_all_files(sandbox_domain)
+
@@ -8898,9 +8947,6 @@ index 0000000..fc0e3f7
+
+miscfiles_read_localization(sandbox_domain)
+
-+kernel_dontaudit_read_system_state(sandbox_domain)
-+corecmd_exec_all_executables(sandbox_domain)
-+
+userdom_dontaudit_use_user_terminals(sandbox_domain)
+
+mta_dontaudit_read_spool_symlinks(sandbox_domain)
@@ -8940,21 +8986,20 @@ index 0000000..fc0e3f7
+manage_lnk_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
+dontaudit sandbox_x_domain sandbox_file_t:dir mounton;
+
-+domain_dontaudit_read_all_domains_state(sandbox_x_domain)
-+
-+files_search_home(sandbox_x_domain)
-+files_dontaudit_list_all_mountpoints(sandbox_x_domain)
-+
+kernel_getattr_proc(sandbox_x_domain)
+kernel_read_network_state(sandbox_x_domain)
+kernel_read_system_state(sandbox_x_domain)
+
++domain_dontaudit_read_all_domains_state(sandbox_x_domain)
++
+corecmd_exec_all_executables(sandbox_x_domain)
+
+dev_read_urand(sandbox_x_domain)
+dev_dontaudit_read_rand(sandbox_x_domain)
+dev_read_sysfs(sandbox_x_domain)
+
++files_search_home(sandbox_x_domain)
++files_dontaudit_list_all_mountpoints(sandbox_x_domain)
+files_entrypoint_all_files(sandbox_x_domain)
+files_read_config_files(sandbox_x_domain)
+files_read_usr_files(sandbox_x_domain)
@@ -9466,10 +9511,10 @@ index 0000000..8a7ed4f
+/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0)
diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if
new file mode 100644
-index 0000000..f6acf24
+index 0000000..6d94c9b
--- /dev/null
+++ b/policy/modules/apps/telepathy.if
-@@ -0,0 +1,191 @@
+@@ -0,0 +1,266 @@
+
+## Telepathy framework.
+
@@ -9521,6 +9566,22 @@ index 0000000..f6acf24
+template(`telepathy_dbus_session_role', `
+ gen_require(`
+ attribute telepathy_domain;
++ type telepathy_gabble_t;
++ type telepathy_sofiasip_t;
++ type telepathy_idle_t;
++ type telepathy_mission_control_t;
++ type telepathy_salut_t;
++ type telepathy_sunshine_t;
++ type telepathy_stream_engine_t;
++ type telepathy_msn_t;
++ type telepathy_gabble_exec_t;
++ type telepathy_sofiasip_exec_t;
++ type telepathy_idle_exec_t;
++ type telepathy_mission_control_exec_t;
++ type telepathy_salut_exec_t;
++ type telepathy_sunshine_exec_t;
++ type telepathy_stream_engine_exec_t;
++ type telepathy_msn_exec_t;
+ ')
+
+ role $1 types telepathy_domain;
@@ -9535,6 +9596,16 @@ index 0000000..f6acf24
+ telepathy_gabble_stream_connect($2)
+ telepathy_msn_stream_connect($2)
+ telepathy_salut_stream_connect($2)
++
++ dbus_session_domain($3, telepathy_gabble_exec_t, telepathy_gabble_t)
++ dbus_session_domain($3, telepathy_sofiasip_exec_t, telepathy_sofiasip_t)
++ dbus_session_domain($3, telepathy_idle_exec_t, telepathy_idle_t)
++ dbus_session_domain($3, telepathy_mission_control_exec_t, telepathy_mission_control_t)
++ dbus_session_domain($3, telepathy_salut_exec_t, telepathy_salut_t)
++ dbus_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t)
++ dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
++ dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t)
++
+')
+
+########################################
@@ -9661,12 +9732,61 @@ index 0000000..f6acf24
+ ps_process_pattern($1, telepathy_mission_control_t)
+')
+
++#######################################
++##
++## Execute telepathy executable
++## in the specified domain.
++##
++##
++##
++## Execute a telepathy executable
++## in the specified domain. This allows
++## the specified domain to execute any file
++## on these filesystems in the specified
++## domain.
++##
++##
++## No interprocess communication (signals, pipes,
++## etc.) is provided by this interface since
++## the domains are not owned by this module.
++##
++##
++## This interface was added to handle
++## the ssh-agent policy.
++##
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++##
++##
++## The type of the new process.
++##
++##
++#
++interface(`telepathy_command_domtrans', `
++ gen_require(`
++ attribute telepathy_executable;
++ ')
++
++ allow $2 telepathy_executable:file entrypoint;
++ domain_transition_pattern($1, telepathy_executable, $2)
++ type_transition $1 telepathy_executable:process $2;
++
++ # needs to dbus chat with unconfined_t and unconfined_dbusd_t
++ optional_policy(`
++ telepathy_dbus_chat($1)
++ telepathy_dbus_chat($2)
++ ')
++')
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
new file mode 100644
-index 0000000..a6cb11d
+index 0000000..6b89128
--- /dev/null
+++ b/policy/modules/apps/telepathy.te
-@@ -0,0 +1,336 @@
+@@ -0,0 +1,346 @@
+
+policy_module(telepathy, 1.0.0)
+
@@ -10003,6 +10123,16 @@ index 0000000..a6cb11d
+optional_policy(`
+ xserver_rw_xdm_pipes(telepathy_domain)
+')
++
++
++# Just for F15
++optional_policy(`
++ gen_require(`
++ role unconfined_r;
++ ')
++
++ role unconfined_r types telepathy_domain;
++')
diff --git a/policy/modules/apps/tvtime.te b/policy/modules/apps/tvtime.te
index 11fe4f2..98bfbf3 100644
--- a/policy/modules/apps/tvtime.te
@@ -11144,7 +11274,7 @@ index 6cf8784..5b25039 100644
+#
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index e9313fb..ddb84e0 100644
+index e9313fb..1d51170 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -11680,7 +11810,7 @@ index e9313fb..ddb84e0 100644
## Write to watchdog devices.
##
##
-@@ -4748,3 +5034,752 @@ interface(`dev_unconfined',`
+@@ -4748,3 +5034,772 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@@ -11915,6 +12045,16 @@ index e9313fb..ddb84e0 100644
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, fw7)
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, fw8)
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, fw9)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, 000)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, 001)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, 002)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, 003)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, 004)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, 005)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, 006)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, 007)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, 008)
++ filetrans_pattern($1, device_t, usb_device_t, chr_file, 009)
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, gfx)
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, graphics)
+ filetrans_pattern($1, device_t, clock_device_t, chr_file, gtrsc0)
@@ -11984,6 +12124,16 @@ index e9313fb..ddb84e0 100644
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, js7)
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, js8)
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, js9)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, mouse0)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, mouse1)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, mouse2)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, mouse3)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, mouse4)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, mouse5)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, mouse6)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, mouse7)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, mouse8)
++ filetrans_pattern($1, device_t, mouse_device_t, chr_file, mouse9)
+ filetrans_pattern($1, device_t, memory_device_t, chr_file, kmem)
+ filetrans_pattern($1, device_t, kmsg_device_t, chr_file, kmsg)
+ filetrans_pattern($1, device_t, qemu_device_t, chr_file, kqemu)
@@ -12586,7 +12736,7 @@ index aad8c52..53b0624 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index bc534c1..b70ea07 100644
+index bc534c1..6190297 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,21 @@ policy_module(domain, 1.9.0)
@@ -12599,7 +12749,7 @@ index bc534c1..b70ea07 100644
+##
+##
+#
-+gen_tunable(allow_domain_fd_use, true)
++gen_tunable(allow_domain_fd_use, false)
+
+##
+##
@@ -15666,7 +15816,7 @@ index a9b8982..57c4a6a 100644
+/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
-index 3723150..097a2cc 100644
+index 3723150..8320396 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -101,6 +101,8 @@ interface(`storage_raw_read_fixed_disk',`
@@ -15756,7 +15906,7 @@ index 3723150..097a2cc 100644
## Set attributes of the device nodes
## for the SCSI generic inerface.
##
-@@ -807,3 +865,265 @@ interface(`storage_unconfined',`
+@@ -807,3 +865,304 @@ interface(`storage_unconfined',`
typeattribute $1 storage_unconfined_type;
')
@@ -15857,6 +16007,39 @@ index 3723150..097a2cc 100644
+ dev_filetrans($1, removable_device_t, blk_file, cm207)
+ dev_filetrans($1, removable_device_t, blk_file, cm208)
+ dev_filetrans($1, removable_device_t, blk_file, cm209)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, sda)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, sda0)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, sda1)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, sda2)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, sda3)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, sda4)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, sda5)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, sda6)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, sda7)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, sda8)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, sda9)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdb)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdb0)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdb1)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdb2)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdb3)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdb4)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdb5)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdb6)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdb7)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdb8)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdb9)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdc)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdc0)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdc1)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdc2)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdc3)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdc4)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdc5)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdc6)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdc7)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdc8)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, sdc9)
+ dev_filetrans($1, fixed_disk_device_t, blk_file, dm-0)
+ dev_filetrans($1, fixed_disk_device_t, blk_file, dm-1)
+ dev_filetrans($1, fixed_disk_device_t, blk_file, dm-2)
@@ -15965,6 +16148,12 @@ index 3723150..097a2cc 100644
+ dev_filetrans($1, fixed_disk_device_t, blk_file, ram7)
+ dev_filetrans($1, fixed_disk_device_t, blk_file, ram8)
+ dev_filetrans($1, fixed_disk_device_t, blk_file, ram9)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ram10)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ram11)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ram12)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ram13)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ram14)
++ dev_filetrans($1, fixed_disk_device_t, blk_file, ram15)
+ dev_filetrans($1, fixed_disk_device_t, blk_file, rd0)
+ dev_filetrans($1, fixed_disk_device_t, blk_file, rd1)
+ dev_filetrans($1, fixed_disk_device_t, blk_file, rd2)
@@ -16049,7 +16238,7 @@ index 3994e57..a1923fe 100644
+
+/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index f3acfee..5260651 100644
+index f3acfee..7691aff 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -208,6 +208,27 @@ interface(`term_use_all_terms',`
@@ -16307,7 +16496,7 @@ index f3acfee..5260651 100644
##
##
#
-@@ -1475,3 +1578,382 @@ interface(`term_dontaudit_use_all_user_ttys',`
+@@ -1475,3 +1578,392 @@ interface(`term_dontaudit_use_all_user_ttys',`
refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
term_dontaudit_use_all_ttys($1)
')
@@ -16658,6 +16847,16 @@ index f3acfee..5260651 100644
+ dev_filetrans($1, tty_device_t, chr_file, slamr7)
+ dev_filetrans($1, tty_device_t, chr_file, slamr8)
+ dev_filetrans($1, tty_device_t, chr_file, slamr9)
++ dev_filetrans($1, tty_device_t, chr_file, ttyS0)
++ dev_filetrans($1, tty_device_t, chr_file, ttyS1)
++ dev_filetrans($1, tty_device_t, chr_file, ttyS2)
++ dev_filetrans($1, tty_device_t, chr_file, ttyS3)
++ dev_filetrans($1, tty_device_t, chr_file, ttyS4)
++ dev_filetrans($1, tty_device_t, chr_file, ttyS5)
++ dev_filetrans($1, tty_device_t, chr_file, ttyS6)
++ dev_filetrans($1, tty_device_t, chr_file, ttyS7)
++ dev_filetrans($1, tty_device_t, chr_file, ttyS8)
++ dev_filetrans($1, tty_device_t, chr_file, ttyS9)
+ dev_filetrans($1, tty_device_t, chr_file, ttySG0)
+ dev_filetrans($1, tty_device_t, chr_file, ttySG1)
+ dev_filetrans($1, tty_device_t, chr_file, ttySG2)
@@ -16816,7 +17015,7 @@ index be4de58..cce681a 100644
########################################
#
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..1663532 100644
+index 2be17d2..7f56ac0 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,51 @@ policy_module(staff, 2.2.0)
@@ -16986,9 +17185,9 @@ index 2be17d2..1663532 100644
+ sudo_role_template(staff, staff_r, staff_t)
+')
+
-+optional_policy(`
-+ telepathy_dbus_session_role(staff_r, staff_t)
-+')
++#optional_policy(`
++# telepathy_dbus_session_role(staff_r, staff_t)
++#')
+
+optional_policy(`
+ userhelper_console_role_template(staff, staff_r, staff_usertype)
@@ -18123,10 +18322,10 @@ index 0000000..8b2cdf3
+
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
new file mode 100644
-index 0000000..4cf791b
+index 0000000..b3b2479
--- /dev/null
+++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,525 @@
+@@ -0,0 +1,526 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -18429,6 +18628,7 @@ index 0000000..4cf791b
+ gnomeclock_dbus_chat(unconfined_usertype)
+ gnome_dbus_chat_gconfdefault(unconfined_usertype)
+ gnome_filetrans_admin_home_content(unconfined_usertype)
++ gnome_command_domtrans_gkeyringd(unconfined_dbusd_t,unconfined_t)
+ ')
+
+ optional_policy(`
@@ -18440,6 +18640,10 @@ index 0000000..4cf791b
+ ')
+
+ optional_policy(`
++ telepathy_command_domtrans(unconfined_dbusd_t, unconfined_t)
++ ')
++
++ optional_policy(`
+ oddjob_dbus_chat(unconfined_usertype)
+ ')
+
@@ -18565,10 +18769,6 @@ index 0000000..4cf791b
+')
+
+optional_policy(`
-+ telepathy_dbus_session_role(unconfined_r, unconfined_t)
-+')
-+
-+optional_policy(`
+ vbetool_run(unconfined_t, unconfined_r)
+')
+
@@ -18773,7 +18973,7 @@ index 0ecc786..dbf2710 100644
userdom_dontaudit_search_user_home_dirs(webadm_t)
diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
-index e88b95f..9d37855 100644
+index e88b95f..4b5f106 100644
--- a/policy/modules/roles/xguest.te
+++ b/policy/modules/roles/xguest.te
@@ -14,14 +14,14 @@ gen_tunable(xguest_mount_media, true)
@@ -18862,9 +19062,10 @@ index e88b95f..9d37855 100644
+
+optional_policy(`
+ gnome_role(xguest_r, xguest_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- mozilla_role(xguest_r, xguest_t)
+ gnomeclock_dontaudit_dbus_chat(xguest_t)
+')
+
@@ -18874,10 +19075,9 @@ index e88b95f..9d37855 100644
+
+optional_policy(`
+ mono_role_template(xguest, xguest_r, xguest_t)
- ')
-
- optional_policy(`
-- mozilla_role(xguest_r, xguest_t)
++')
++
++optional_policy(`
+ mozilla_run_plugin(xguest_t, xguest_r)
+')
+
@@ -18932,9 +19132,9 @@ index e88b95f..9d37855 100644
+ corenet_tcp_connect_transproxy_port(xguest_usertype)
')
+
-+ optional_policy(`
-+ telepathy_dbus_session_role(xguest_r, xguest_t)
-+ ')
++ #optional_policy(`
++ # telepathy_dbus_session_role(xguest_r, xguest_t)
++ #')
+')
+
+optional_policy(`
@@ -20786,7 +20986,7 @@ index 6480167..1440827 100644
+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, web)
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..26669be 100644
+index 3136c6a..5bbc3c3 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -18,130 +18,195 @@ policy_module(apache, 2.2.1)
@@ -21166,18 +21366,20 @@ index 3136c6a..26669be 100644
files_read_var_lib_files(httpd_t)
files_search_home(httpd_t)
files_getattr_home_dir(httpd_t)
-@@ -402,6 +492,10 @@ files_read_etc_files(httpd_t)
+@@ -402,6 +492,12 @@ files_read_etc_files(httpd_t)
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
+# php uploads a file to /tmp and then execs programs to acton them
+manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
++manage_sock_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
++manage_lnk_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
+files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file })
libs_read_lib_files(httpd_t)
-@@ -416,34 +510,74 @@ seutil_dontaudit_search_config(httpd_t)
+@@ -416,34 +512,74 @@ seutil_dontaudit_search_config(httpd_t)
userdom_use_unpriv_users_fds(httpd_t)
@@ -21254,7 +21456,7 @@ index 3136c6a..26669be 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -456,6 +590,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -456,6 +592,10 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
@@ -21265,7 +21467,7 @@ index 3136c6a..26669be 100644
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -466,15 +604,27 @@ tunable_policy(`httpd_enable_ftp_server',`
+@@ -466,15 +606,27 @@ tunable_policy(`httpd_enable_ftp_server',`
corenet_tcp_bind_ftp_port(httpd_t)
')
@@ -21295,7 +21497,7 @@ index 3136c6a..26669be 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +634,16 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +636,16 @@ tunable_policy(`httpd_can_sendmail',`
# allow httpd to connect to mail servers
corenet_tcp_connect_smtp_port(httpd_t)
corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -21312,7 +21514,7 @@ index 3136c6a..26669be 100644
')
tunable_policy(`httpd_ssi_exec',`
-@@ -499,9 +658,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -499,9 +660,19 @@ tunable_policy(`httpd_ssi_exec',`
# to run correctly without this permission, so the permission
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
@@ -21333,7 +21535,7 @@ index 3136c6a..26669be 100644
')
optional_policy(`
-@@ -513,7 +682,13 @@ optional_policy(`
+@@ -513,7 +684,13 @@ optional_policy(`
')
optional_policy(`
@@ -21348,7 +21550,7 @@ index 3136c6a..26669be 100644
')
optional_policy(`
-@@ -528,7 +703,18 @@ optional_policy(`
+@@ -528,7 +705,18 @@ optional_policy(`
daemontools_service_domain(httpd_t, httpd_exec_t)
')
@@ -21368,7 +21570,7 @@ index 3136c6a..26669be 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +723,13 @@ optional_policy(`
+@@ -537,8 +725,13 @@ optional_policy(`
')
optional_policy(`
@@ -21383,7 +21585,7 @@ index 3136c6a..26669be 100644
')
')
-@@ -556,7 +747,13 @@ optional_policy(`
+@@ -556,7 +749,13 @@ optional_policy(`
')
optional_policy(`
@@ -21397,7 +21599,7 @@ index 3136c6a..26669be 100644
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-@@ -567,6 +764,7 @@ optional_policy(`
+@@ -567,6 +766,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -21405,7 +21607,7 @@ index 3136c6a..26669be 100644
')
optional_policy(`
-@@ -577,6 +775,16 @@ optional_policy(`
+@@ -577,6 +777,16 @@ optional_policy(`
')
optional_policy(`
@@ -21422,7 +21624,7 @@ index 3136c6a..26669be 100644
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
postgresql_unpriv_client(httpd_t)
-@@ -591,6 +799,11 @@ optional_policy(`
+@@ -591,6 +801,11 @@ optional_policy(`
')
optional_policy(`
@@ -21434,7 +21636,7 @@ index 3136c6a..26669be 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -603,6 +816,11 @@ optional_policy(`
+@@ -603,6 +818,11 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -21446,7 +21648,7 @@ index 3136c6a..26669be 100644
########################################
#
# Apache helper local policy
-@@ -616,7 +834,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +836,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t)
@@ -21459,7 +21661,7 @@ index 3136c6a..26669be 100644
########################################
#
-@@ -654,28 +876,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +878,30 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -21503,7 +21705,7 @@ index 3136c6a..26669be 100644
')
########################################
-@@ -699,17 +923,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +925,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -21529,7 +21731,7 @@ index 3136c6a..26669be 100644
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +969,27 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +971,27 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -21558,7 +21760,7 @@ index 3136c6a..26669be 100644
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1012,25 @@ optional_policy(`
+@@ -769,6 +1014,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -21584,7 +21786,7 @@ index 3136c6a..26669be 100644
########################################
#
# Apache system script local policy
-@@ -789,12 +1051,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1053,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
kernel_read_kernel_sysctls(httpd_sys_script_t)
@@ -21602,7 +21804,7 @@ index 3136c6a..26669be 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,18 +1070,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1072,50 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@@ -21659,7 +21861,7 @@ index 3136c6a..26669be 100644
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1121,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1123,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
@@ -21690,7 +21892,7 @@ index 3136c6a..26669be 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1156,20 @@ optional_policy(`
+@@ -842,10 +1158,20 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -21711,7 +21913,7 @@ index 3136c6a..26669be 100644
')
########################################
-@@ -891,11 +1215,21 @@ optional_policy(`
+@@ -891,11 +1217,21 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -24806,10 +25008,10 @@ index 0000000..939d76e
+')
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
new file mode 100644
-index 0000000..d8c9b6e
+index 0000000..c0e81e5
--- /dev/null
+++ b/policy/modules/services/colord.te
-@@ -0,0 +1,106 @@
+@@ -0,0 +1,107 @@
+policy_module(colord,1.0.0)
+
+########################################
@@ -24834,6 +25036,7 @@ index 0000000..d8c9b6e
+#
+# colord local policy
+#
++allow colord_t self:capability { dac_read_search dac_override };
+allow colord_t self:process signal;
+allow colord_t self:fifo_file rw_fifo_file_perms;
+allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -26517,7 +26720,7 @@ index 81eba14..d0ab56c 100644
/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
-index 0d5711c..a0c951e 100644
+index 0d5711c..1564a13 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -41,9 +41,9 @@ interface(`dbus_stub',`
@@ -26697,7 +26900,7 @@ index 0d5711c..a0c951e 100644
')
########################################
-@@ -431,14 +473,28 @@ interface(`dbus_system_domain',`
+@@ -431,14 +473,29 @@ interface(`dbus_system_domain',`
domtrans_pattern(system_dbusd_t, $2, $1)
@@ -26708,7 +26911,8 @@ index 0d5711c..a0c951e 100644
+ init_stream_connect($1)
+ init_dgram_send($1)
-+
++ init_use_fds($1)
++
ps_process_pattern(system_dbusd_t, $1)
+ userdom_dontaudit_search_admin_dir($1)
@@ -26727,7 +26931,7 @@ index 0d5711c..a0c951e 100644
dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
')
')
-@@ -497,3 +553,23 @@ interface(`dbus_unconfined',`
+@@ -497,3 +554,23 @@ interface(`dbus_unconfined',`
typeattribute $1 dbusd_unconfined;
')
@@ -27065,10 +27269,17 @@ index 8ba9425..b10da2c 100644
+ gnome_dontaudit_search_config(denyhosts_t)
+')
diff --git a/policy/modules/services/devicekit.fc b/policy/modules/services/devicekit.fc
-index 418a5a0..28d9e41 100644
+index 418a5a0..c25fbdc 100644
--- a/policy/modules/services/devicekit.fc
+++ b/policy/modules/services/devicekit.fc
-@@ -8,7 +8,12 @@
+@@ -2,13 +2,19 @@
+ /usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+ /usr/libexec/devkit-power-daemon -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
+ /usr/libexec/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
++/lib/udev/udisks-part-id -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+ /usr/libexec/upowerd -- gen_context(system_u:object_r:devicekit_power_exec_t,s0)
+
+ /var/lib/DeviceKit-.* gen_context(system_u:object_r:devicekit_var_lib_t,s0)
/var/lib/upower(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
/var/lib/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_lib_t,s0)
@@ -27082,7 +27293,7 @@ index 418a5a0..28d9e41 100644
/var/run/udisks(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
/var/run/upower(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
diff --git a/policy/modules/services/devicekit.if b/policy/modules/services/devicekit.if
-index f706b99..30954ba 100644
+index f706b99..f0c629f 100644
--- a/policy/modules/services/devicekit.if
+++ b/policy/modules/services/devicekit.if
@@ -5,9 +5,9 @@
@@ -27097,7 +27308,32 @@ index f706b99..30954ba 100644
##
#
interface(`devicekit_domtrans',`
-@@ -81,6 +81,27 @@ interface(`devicekit_dbus_chat_disk',`
+@@ -20,6 +20,24 @@ interface(`devicekit_domtrans',`
+
+ ########################################
+ ##
++## Execute a domain transition to run devicekit_disk.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`devicekit_domtrans_disk',`
++ gen_require(`
++ type devicekit_disk_t, devicekit_disk_exec_t;
++ ')
++
++ domtrans_pattern($1, devicekit_disk_exec_t, devicekit_disk_t)
++')
++
++########################################
++##
+ ## Send to devicekit over a unix domain
+ ## datagram socket.
+ ##
+@@ -81,6 +99,27 @@ interface(`devicekit_dbus_chat_disk',`
########################################
##
@@ -27125,7 +27361,7 @@ index f706b99..30954ba 100644
## Send signal devicekit power
##
##
-@@ -118,6 +139,44 @@ interface(`devicekit_dbus_chat_power',`
+@@ -118,6 +157,44 @@ interface(`devicekit_dbus_chat_power',`
allow devicekit_power_t $1:dbus send_msg;
')
@@ -27170,7 +27406,7 @@ index f706b99..30954ba 100644
########################################
##
## Read devicekit PID files.
-@@ -139,22 +198,52 @@ interface(`devicekit_read_pid_files',`
+@@ -139,22 +216,52 @@ interface(`devicekit_read_pid_files',`
########################################
##
@@ -27230,7 +27466,7 @@ index f706b99..30954ba 100644
##
##
##
-@@ -165,21 +254,21 @@ interface(`devicekit_admin',`
+@@ -165,21 +272,21 @@ interface(`devicekit_admin',`
type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
')
@@ -30381,7 +30617,7 @@ index 671d8fd..25c7ab8 100644
+ dontaudit gnomeclock_t $1:dbus send_msg;
+')
diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te
-index 4fde46b..6ee7b93 100644
+index 4fde46b..4417f4e 100644
--- a/policy/modules/services/gnomeclock.te
+++ b/policy/modules/services/gnomeclock.te
@@ -9,24 +9,31 @@ type gnomeclock_t;
@@ -30419,7 +30655,7 @@ index 4fde46b..6ee7b93 100644
miscfiles_read_localization(gnomeclock_t)
miscfiles_manage_localization(gnomeclock_t)
-@@ -35,12 +42,50 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
+@@ -35,12 +42,51 @@ miscfiles_etc_filetrans_localization(gnomeclock_t)
userdom_read_all_users_state(gnomeclock_t)
optional_policy(`
@@ -30464,6 +30700,7 @@ index 4fde46b..6ee7b93 100644
+# needed by systemctl
+init_stream_connect(gnomeclock_systemctl_t)
+init_read_state(gnomeclock_systemctl_t)
++init_list_pid_dirs(gnomeclock_systemctl_t)
+
+systemd_dontaudit_read_unit_files(gnomeclock_systemctl_t)
+
@@ -31267,6 +31504,22 @@ index 9fab1dc..dc7dd01 100644
mta_send_mail(innd_t)
+diff --git a/policy/modules/services/irqbalance.te b/policy/modules/services/irqbalance.te
+index 9aeeaf9..28fdfc5 100644
+--- a/policy/modules/services/irqbalance.te
++++ b/policy/modules/services/irqbalance.te
+@@ -19,6 +19,11 @@ files_pid_file(irqbalance_var_run_t)
+
+ allow irqbalance_t self:capability { setpcap net_admin };
+ dontaudit irqbalance_t self:capability sys_tty_config;
++ifdef(`hide_broken_symptoms',`
++ # caused by some bogus kernel code
++ dontaudit irqbalance_t self:capability sys_module;
++')
++
+ allow irqbalance_t self:process { getcap setcap signal_perms };
+ allow irqbalance_t self:udp_socket create_socket_perms;
+
diff --git a/policy/modules/services/jabber.fc b/policy/modules/services/jabber.fc
index 4c9acec..deef4c7 100644
--- a/policy/modules/services/jabber.fc
@@ -41482,10 +41735,31 @@ index 852840b..4427b21 100644
+ ')
')
diff --git a/policy/modules/services/remotelogin.te b/policy/modules/services/remotelogin.te
-index 0a76027..7083808 100644
+index 0a76027..adc198d 100644
--- a/policy/modules/services/remotelogin.te
+++ b/policy/modules/services/remotelogin.te
-@@ -49,6 +49,8 @@ fs_getattr_xattr_fs(remote_login_t)
+@@ -10,9 +10,6 @@ domain_interactive_fd(remote_login_t)
+ auth_login_pgm_domain(remote_login_t)
+ auth_login_entry_type(remote_login_t)
+
+-type remote_login_tmp_t;
+-files_tmp_file(remote_login_tmp_t)
+-
+ ########################################
+ #
+ # Remote login remote policy
+@@ -34,10 +31,6 @@ allow remote_login_t self:msgq create_msgq_perms;
+ allow remote_login_t self:msg { send receive };
+ allow remote_login_t self:key write;
+
+-manage_dirs_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)
+-manage_files_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)
+-files_tmp_filetrans(remote_login_t, remote_login_tmp_t, { file dir })
+-
+ kernel_read_system_state(remote_login_t)
+ kernel_read_kernel_sysctls(remote_login_t)
+
+@@ -49,6 +42,8 @@ fs_getattr_xattr_fs(remote_login_t)
fs_search_auto_mountpoints(remote_login_t)
term_relabel_all_ptys(remote_login_t)
@@ -41494,7 +41768,7 @@ index 0a76027..7083808 100644
auth_rw_login_records(remote_login_t)
auth_rw_faillog(remote_login_t)
-@@ -77,7 +79,7 @@ files_list_mnt(remote_login_t)
+@@ -77,7 +72,7 @@ files_list_mnt(remote_login_t)
# for when /var/mail is a sym-link
files_read_var_symlinks(remote_login_t)
@@ -41503,19 +41777,21 @@ index 0a76027..7083808 100644
miscfiles_read_localization(remote_login_t)
-@@ -87,9 +89,8 @@ userdom_search_user_home_content(remote_login_t)
+@@ -87,9 +82,11 @@ userdom_search_user_home_content(remote_login_t)
# since very weak authentication is used.
userdom_signal_unpriv_users(remote_login_t)
userdom_spec_domtrans_unpriv_users(remote_login_t)
--
++userdom_use_user_ptys(remote_login_t)
+
-# Search for mail spool file.
-mta_getattr_spool(remote_login_t)
-+userdom_use_user_ptys(remote_login_t)
-+userdom_rw_user_tmp_files(remote_login_t)
++userdom_manage_user_tmp_dirs(remote_login_t)
++userdom_manage_user_tmp_files(remote_login_t)
++userdom_tmp_filetrans_user_tmp(remote_login_t, { file dir })
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(remote_login_t)
-@@ -106,15 +107,15 @@ optional_policy(`
+@@ -106,15 +103,15 @@ optional_policy(`
')
optional_policy(`
@@ -42674,7 +42950,7 @@ index 63e78c6..ffa4f37 100644
##
#
diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te
-index 779fa44..13556c1 100644
+index 779fa44..4bcaacc 100644
--- a/policy/modules/services/rlogin.te
+++ b/policy/modules/services/rlogin.te
@@ -27,15 +27,14 @@ files_pid_file(rlogind_var_run_t)
@@ -42714,7 +42990,7 @@ index 779fa44..13556c1 100644
files_read_etc_files(rlogind_t)
files_read_etc_runtime_files(rlogind_t)
-@@ -88,9 +88,9 @@ seutil_read_config(rlogind_t)
+@@ -88,9 +88,10 @@ seutil_read_config(rlogind_t)
userdom_setattr_user_ptys(rlogind_t)
# cjp: this is egregious
userdom_read_user_home_content_files(rlogind_t)
@@ -42724,10 +43000,11 @@ index 779fa44..13556c1 100644
+userdom_search_admin_dir(rlogind_t)
+userdom_manage_user_tmp_files(rlogind_t)
+userdom_tmp_filetrans_user_tmp(rlogind_t, file)
++userdom_use_user_terminals(rlogind_t)
rlogin_read_home_content(rlogind_t)
-@@ -112,5 +112,10 @@ optional_policy(`
+@@ -112,5 +113,10 @@ optional_policy(`
')
optional_policy(`
@@ -44361,16 +44638,17 @@ index 740994a..a92ba26 100644
allow smokeping_t self:udp_socket create_socket_perms;
allow smokeping_t self:unix_stream_socket create_stream_socket_perms;
diff --git a/policy/modules/services/snmp.fc b/policy/modules/services/snmp.fc
-index 623c8fa..ac10740 100644
+index 623c8fa..0a802f7 100644
--- a/policy/modules/services/snmp.fc
+++ b/policy/modules/services/snmp.fc
-@@ -18,7 +18,7 @@
+@@ -18,7 +18,8 @@
/var/log/snmpd\.log -- gen_context(system_u:object_r:snmpd_log_t,s0)
-/var/net-snmp(/.*) gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+/var/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
++/var/run/net-snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
/var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0)
diff --git a/policy/modules/services/snmp.if b/policy/modules/services/snmp.if
@@ -52540,7 +52818,7 @@ index 354ce93..b8b14b9 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index cc83689..e4f13ca 100644
+index cc83689..48662f1 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -79,6 +79,41 @@ interface(`init_script_domain',`
@@ -52886,7 +53164,7 @@ index cc83689..e4f13ca 100644
')
')
-@@ -800,19 +962,41 @@ interface(`init_spec_domtrans_script',`
+@@ -800,23 +962,45 @@ interface(`init_spec_domtrans_script',`
#
interface(`init_domtrans_script',`
gen_require(`
@@ -52909,11 +53187,11 @@ index cc83689..e4f13ca 100644
ifdef(`enable_mls',`
- range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
+ range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
-+ ')
-+')
-+
-+########################################
-+##
+ ')
+ ')
+
+ ########################################
+ ##
+## Execute a file in a bin directory
+## in the initrc_t domain
+##
@@ -52926,12 +53204,16 @@ index cc83689..e4f13ca 100644
+interface(`init_bin_domtrans_spec',`
+ gen_require(`
+ type initrc_t;
- ')
++ ')
+
+ corecmd_bin_domtrans($1, initrc_t)
- ')
-
- ########################################
++')
++
++########################################
++##
+ ## Execute a init script in a specified domain.
+ ##
+ ##
@@ -868,9 +1052,14 @@ interface(`init_script_file_domtrans',`
interface(`init_labeled_script_domtrans',`
gen_require(`
@@ -53074,7 +53356,7 @@ index cc83689..e4f13ca 100644
')
########################################
-@@ -1715,6 +1975,74 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1715,6 +1975,92 @@ interface(`init_pid_filetrans_utmp',`
files_pid_filetrans($1, initrc_var_run_t, file)
')
@@ -53093,6 +53375,24 @@ index cc83689..e4f13ca 100644
+ type init_var_run_t;
+ ')
+
++ allow $1 init_var_run_t:dir search_dir_perms;
++')
++
++######################################
++##
++## Allow listing of the /run/systemd directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`init_list_pid_dirs',`
++ gen_require(`
++ type init_var_run_t;
++ ')
++
+ allow $1 init_var_run_t:dir list_dir_perms;
+')
+
@@ -53149,7 +53449,7 @@ index cc83689..e4f13ca 100644
########################################
##
## Allow the specified domain to connect to daemon with a tcp socket
-@@ -1749,3 +2077,139 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +2095,139 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -56516,10 +56816,10 @@ index a0eef20..7a8241b 100644
ifdef(`distro_gentoo',`
diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
-index 72c746e..9f9124f 100644
+index 72c746e..704d2d7 100644
--- a/policy/modules/system/mount.fc
+++ b/policy/modules/system/mount.fc
-@@ -1,4 +1,15 @@
+@@ -1,4 +1,16 @@
+/bin/fusermount -- gen_context(system_u:object_r:fusermount_exec_t,s0)
/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
@@ -56536,6 +56836,7 @@ index 72c746e..9f9124f 100644
+
+/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
+/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
++/var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index 8b5c196..f66d272 100644
--- a/policy/modules/system/mount.if
@@ -58543,7 +58844,7 @@ index ff80d0a..95e705c 100644
+ role_transition $1 dhcpc_exec_t system_r;
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index df32316..e372b51 100644
+index df32316..0c5f46e 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.1)
@@ -58735,7 +59036,7 @@ index df32316..e372b51 100644
userdom_use_all_users_fds(ifconfig_t)
ifdef(`distro_ubuntu',`
-@@ -314,6 +361,10 @@ ifdef(`distro_ubuntu',`
+@@ -314,7 +361,15 @@ ifdef(`distro_ubuntu',`
')
')
@@ -58744,9 +59045,14 @@ index df32316..e372b51 100644
+')
+
ifdef(`hide_broken_symptoms',`
++
++ # caused by some bogus kernel code
++ dontaudit ifconfig_t self:capability sys_module;
++
optional_policy(`
dev_dontaudit_rw_cardmgr(ifconfig_t)
-@@ -325,12 +376,31 @@ ifdef(`hide_broken_symptoms',`
+ ')
+@@ -325,12 +380,31 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
@@ -58778,7 +59084,7 @@ index df32316..e372b51 100644
')
optional_policy(`
-@@ -355,3 +425,9 @@ optional_policy(`
+@@ -355,3 +429,9 @@ optional_policy(`
xen_append_log(ifconfig_t)
xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
')
@@ -59454,7 +59760,7 @@ index 025348a..4e2ca03 100644
+')
+
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index d88f7c3..7f59b32 100644
+index d88f7c3..a90decc 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -14,17 +14,17 @@ domain_entry_file(udev_t, udev_helper_exec_t)
@@ -59528,7 +59834,7 @@ index d88f7c3..7f59b32 100644
#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
kernel_rw_net_sysctls(udev_t)
-@@ -95,8 +101,17 @@ kernel_read_software_raid_state(udev_t)
+@@ -95,8 +101,19 @@ kernel_read_software_raid_state(udev_t)
corecmd_exec_all_executables(udev_t)
@@ -59544,10 +59850,12 @@ index d88f7c3..7f59b32 100644
+dev_create_all_chr_dev_nodes(udev_t)
+dev_setattr_all_chr_dev_nodes(udev_t)
+dev_setattr_all_blk_dev_nodes(udev_t)
++dev_rw_generic_usb_dev(udev_t)
++
dev_rw_generic_files(udev_t)
dev_delete_generic_files(udev_t)
dev_search_usbfs(udev_t)
-@@ -105,21 +120,27 @@ dev_relabel_all_dev_nodes(udev_t)
+@@ -105,21 +122,27 @@ dev_relabel_all_dev_nodes(udev_t)
# preserved, instead of short circuiting the relabel
dev_relabel_generic_symlinks(udev_t)
dev_manage_generic_symlinks(udev_t)
@@ -59576,7 +59884,7 @@ index d88f7c3..7f59b32 100644
mcs_ptrace_all(udev_t)
-@@ -136,6 +157,13 @@ selinux_compute_create_context(udev_t)
+@@ -136,6 +159,13 @@ selinux_compute_create_context(udev_t)
selinux_compute_relabel_context(udev_t)
selinux_compute_user_contexts(udev_t)
@@ -59590,7 +59898,7 @@ index d88f7c3..7f59b32 100644
auth_read_pam_console_data(udev_t)
auth_domtrans_pam_console(udev_t)
auth_use_nsswitch(udev_t)
-@@ -143,6 +171,7 @@ auth_use_nsswitch(udev_t)
+@@ -143,6 +173,7 @@ auth_use_nsswitch(udev_t)
init_read_utmp(udev_t)
init_dontaudit_write_utmp(udev_t)
init_getattr_initctl(udev_t)
@@ -59598,7 +59906,7 @@ index d88f7c3..7f59b32 100644
logging_search_logs(udev_t)
logging_send_syslog_msg(udev_t)
-@@ -186,15 +215,16 @@ ifdef(`distro_redhat',`
+@@ -186,15 +217,16 @@ ifdef(`distro_redhat',`
fs_manage_tmpfs_chr_files(udev_t)
fs_relabel_tmpfs_blk_file(udev_t)
fs_relabel_tmpfs_chr_file(udev_t)
@@ -59619,7 +59927,7 @@ index d88f7c3..7f59b32 100644
')
optional_policy(`
-@@ -216,11 +246,16 @@ optional_policy(`
+@@ -216,11 +248,16 @@ optional_policy(`
')
optional_policy(`
@@ -59636,22 +59944,23 @@ index d88f7c3..7f59b32 100644
')
optional_policy(`
-@@ -233,6 +268,14 @@ optional_policy(`
- ')
-
+@@ -230,6 +267,15 @@ optional_policy(`
optional_policy(`
-+ gnome_read_home_config(udev_t)
+ devicekit_read_pid_files(udev_t)
+ devicekit_dgram_send(udev_t)
++ devicekit_domtrans_disk(udev_t)
+')
+
+optional_policy(`
-+ gpsd_domtrans(udev_t)
++ gnome_read_home_config(udev_t)
+')
+
+optional_policy(`
- lvm_domtrans(udev_t)
++ gpsd_domtrans(udev_t)
')
-@@ -259,6 +302,10 @@ optional_policy(`
+ optional_policy(`
+@@ -259,6 +305,10 @@ optional_policy(`
')
optional_policy(`
@@ -59662,7 +59971,7 @@ index d88f7c3..7f59b32 100644
openct_read_pid_files(udev_t)
openct_domtrans(udev_t)
')
-@@ -273,6 +320,11 @@ optional_policy(`
+@@ -273,6 +323,11 @@ optional_policy(`
')
optional_policy(`
@@ -60446,7 +60755,7 @@ index db75976..392d1ee 100644
+HOME_DIR/\.gvfs(/.*)? <>
+HOME_DIR/\.debug(/.*)? <>
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..d933851 100644
+index 28b88de..73fd082 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -60460,7 +60769,7 @@ index 28b88de..d933851 100644
domain_type($1_t)
corecmd_shell_entry_type($1_t)
corecmd_bin_entry_type($1_t)
-@@ -43,69 +44,101 @@ template(`userdom_base_user_template',`
+@@ -43,69 +44,103 @@ template(`userdom_base_user_template',`
term_user_pty($1_t, user_devpts_t)
term_user_tty($1_t, user_tty_device_t)
@@ -60591,8 +60900,7 @@ index 28b88de..d933851 100644
+ storage_rw_fuse($1_usertype)
+
+ auth_use_nsswitch($1_usertype)
-
-- libs_exec_ld_so($1_t)
++
+ init_stream_connect($1_usertype)
+ # The library functions always try to open read-write first,
+ # then fall back to read-only if it fails.
@@ -60600,6 +60908,9 @@ index 28b88de..d933851 100644
+
+ libs_exec_ld_so($1_usertype)
+- libs_exec_ld_so($1_t)
++ logging_send_audit_msgs($1_t)
+
miscfiles_read_localization($1_t)
miscfiles_read_generic_certs($1_t)
@@ -60611,7 +60922,7 @@ index 28b88de..d933851 100644
tunable_policy(`allow_execmem',`
# Allow loading DSOs that require executable stack.
-@@ -116,6 +149,16 @@ template(`userdom_base_user_template',`
+@@ -116,6 +151,16 @@ template(`userdom_base_user_template',`
# Allow making the stack executable via mprotect.
allow $1_t self:process execstack;
')
@@ -60628,7 +60939,7 @@ index 28b88de..d933851 100644
')
#######################################
-@@ -149,6 +192,8 @@ interface(`userdom_ro_home_role',`
+@@ -149,6 +194,8 @@ interface(`userdom_ro_home_role',`
type user_home_t, user_home_dir_t;
')
@@ -60637,7 +60948,7 @@ index 28b88de..d933851 100644
##############################
#
# Domain access to home dir
-@@ -166,27 +211,6 @@ interface(`userdom_ro_home_role',`
+@@ -166,27 +213,6 @@ interface(`userdom_ro_home_role',`
read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
files_list_home($2)
@@ -60665,7 +60976,7 @@ index 28b88de..d933851 100644
')
#######################################
-@@ -218,8 +242,11 @@ interface(`userdom_ro_home_role',`
+@@ -218,8 +244,11 @@ interface(`userdom_ro_home_role',`
interface(`userdom_manage_home_role',`
gen_require(`
type user_home_t, user_home_dir_t;
@@ -60677,7 +60988,7 @@ index 28b88de..d933851 100644
##############################
#
# Domain access to home dir
-@@ -228,17 +255,21 @@ interface(`userdom_manage_home_role',`
+@@ -228,17 +257,21 @@ interface(`userdom_manage_home_role',`
type_member $2 user_home_dir_t:dir user_home_dir_t;
# full control of the home directory
@@ -60709,7 +61020,7 @@ index 28b88de..d933851 100644
filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
files_list_home($2)
-@@ -246,25 +277,23 @@ interface(`userdom_manage_home_role',`
+@@ -246,25 +279,23 @@ interface(`userdom_manage_home_role',`
allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
tunable_policy(`use_nfs_home_dirs',`
@@ -60739,7 +61050,7 @@ index 28b88de..d933851 100644
')
')
-@@ -289,6 +318,8 @@ interface(`userdom_manage_tmp_role',`
+@@ -289,6 +320,8 @@ interface(`userdom_manage_tmp_role',`
type user_tmp_t;
')
@@ -60748,7 +61059,7 @@ index 28b88de..d933851 100644
files_poly_member_tmp($2, user_tmp_t)
manage_dirs_pattern($2, user_tmp_t, user_tmp_t)
-@@ -297,6 +328,45 @@ interface(`userdom_manage_tmp_role',`
+@@ -297,6 +330,45 @@ interface(`userdom_manage_tmp_role',`
manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
@@ -60794,7 +61105,7 @@ index 28b88de..d933851 100644
')
#######################################
-@@ -316,6 +386,7 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -316,6 +388,7 @@ interface(`userdom_exec_user_tmp_files',`
')
exec_files_pattern($1, user_tmp_t, user_tmp_t)
@@ -60802,7 +61113,7 @@ index 28b88de..d933851 100644
files_search_tmp($1)
')
-@@ -350,6 +421,8 @@ interface(`userdom_manage_tmpfs_role',`
+@@ -350,6 +423,8 @@ interface(`userdom_manage_tmpfs_role',`
type user_tmpfs_t;
')
@@ -60811,7 +61122,7 @@ index 28b88de..d933851 100644
manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t)
manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
-@@ -360,46 +433,41 @@ interface(`userdom_manage_tmpfs_role',`
+@@ -360,46 +435,41 @@ interface(`userdom_manage_tmpfs_role',`
#######################################
##
@@ -60880,7 +61191,7 @@ index 28b88de..d933851 100644
')
#######################################
-@@ -430,6 +498,7 @@ template(`userdom_xwindows_client_template',`
+@@ -430,6 +500,7 @@ template(`userdom_xwindows_client_template',`
dev_dontaudit_rw_dri($1_t)
# GNOME checks for usb and other devices:
dev_rw_usbfs($1_t)
@@ -60888,7 +61199,7 @@ index 28b88de..d933851 100644
xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
xserver_xsession_entry_type($1_t)
-@@ -490,7 +559,7 @@ template(`userdom_common_user_template',`
+@@ -490,7 +561,7 @@ template(`userdom_common_user_template',`
attribute unpriv_userdomain;
')
@@ -60897,7 +61208,7 @@ index 28b88de..d933851 100644
##############################
#
-@@ -500,73 +569,81 @@ template(`userdom_common_user_template',`
+@@ -500,73 +571,81 @@ template(`userdom_common_user_template',`
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -61018,7 +61329,7 @@ index 28b88de..d933851 100644
')
tunable_policy(`user_ttyfile_stat',`
-@@ -574,67 +651,123 @@ template(`userdom_common_user_template',`
+@@ -574,67 +653,123 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -61036,19 +61347,19 @@ index 28b88de..d933851 100644
+
+ optional_policy(`
+ canna_stream_connect($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ chrome_role($1_r, $1_usertype)
')
optional_policy(`
- canna_stream_connect($1_t)
-+ colord_read_lib_files($1_usertype)
++ chrome_role($1_r, $1_usertype)
')
optional_policy(`
- dbus_system_bus_client($1_t)
++ colord_read_lib_files($1_usertype)
++ ')
++
++ optional_policy(`
+ dbus_system_bus_client($1_usertype)
+
+ allow $1_usertype $1_usertype:dbus send_msg;
@@ -61080,40 +61391,42 @@ index 28b88de..d933851 100644
+ evolution_dbus_chat($1_usertype)
+ evolution_alarm_dbus_chat($1_usertype)
+ ')
++
++ optional_policy(`
++ gnome_dbus_chat_gconfdefault($1_usertype)
++ ')
optional_policy(`
- bluetooth_dbus_chat($1_t)
-+ gnome_dbus_chat_gconfdefault($1_usertype)
++ hal_dbus_chat($1_usertype)
')
optional_policy(`
- evolution_dbus_chat($1_t)
- evolution_alarm_dbus_chat($1_t)
-+ hal_dbus_chat($1_usertype)
++ kde_dbus_chat_backlighthelper($1_usertype)
')
optional_policy(`
- cups_dbus_chat_config($1_t)
-+ kde_dbus_chat_backlighthelper($1_usertype)
++ modemmanager_dbus_chat($1_usertype)
')
optional_policy(`
- hal_dbus_chat($1_t)
-+ modemmanager_dbus_chat($1_usertype)
++ networkmanager_dbus_chat($1_usertype)
++ networkmanager_read_lib_files($1_usertype)
')
optional_policy(`
- networkmanager_dbus_chat($1_t)
-+ networkmanager_dbus_chat($1_usertype)
-+ networkmanager_read_lib_files($1_usertype)
- ')
-+
-+ optional_policy(`
+ vpn_dbus_chat($1_usertype)
-+ ')
-+ ')
-+
-+ optional_policy(`
+ ')
+ ')
+
+ optional_policy(`
+- inetd_use_fds($1_t)
+- inetd_rw_tcp_sockets($1_t)
+ git_session_role($1_r, $1_usertype)
+ ')
+
@@ -61123,22 +61436,20 @@ index 28b88de..d933851 100644
')
optional_policy(`
-- inetd_use_fds($1_t)
-- inetd_rw_tcp_sockets($1_t)
-+ inn_read_config($1_usertype)
-+ inn_read_news_lib($1_usertype)
-+ inn_read_news_spool($1_usertype)
- ')
-
- optional_policy(`
- inn_read_config($1_t)
- inn_read_news_lib($1_t)
- inn_read_news_spool($1_t)
-+ lircd_stream_connect($1_usertype)
++ inn_read_config($1_usertype)
++ inn_read_news_lib($1_usertype)
++ inn_read_news_spool($1_usertype)
')
optional_policy(`
- locate_read_lib_files($1_t)
++ lircd_stream_connect($1_usertype)
++ ')
++
++ optional_policy(`
+ locate_read_lib_files($1_usertype)
')
@@ -61160,7 +61471,7 @@ index 28b88de..d933851 100644
')
optional_policy(`
-@@ -650,41 +783,50 @@ template(`userdom_common_user_template',`
+@@ -650,41 +785,50 @@ template(`userdom_common_user_template',`
optional_policy(`
# to allow monitoring of pcmcia status
@@ -61222,7 +61533,7 @@ index 28b88de..d933851 100644
')
#######################################
-@@ -712,13 +854,26 @@ template(`userdom_login_user_template', `
+@@ -712,13 +856,26 @@ template(`userdom_login_user_template', `
userdom_base_user_template($1)
@@ -61236,9 +61547,7 @@ index 28b88de..d933851 100644
- userdom_manage_tmpfs_role($1_r, $1_t)
+ ifelse(`$1',`unconfined',`',`
+ gen_tunable(allow_$1_exec_content, true)
-
-- userdom_exec_user_tmp_files($1_t)
-- userdom_exec_user_home_content_files($1_t)
++
+ tunable_policy(`allow_$1_exec_content',`
+ userdom_exec_user_tmp_files($1_usertype)
+ userdom_exec_user_home_content_files($1_usertype)
@@ -61246,7 +61555,9 @@ index 28b88de..d933851 100644
+ tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
+ fs_exec_nfs_files($1_usertype)
+ ')
-+
+
+- userdom_exec_user_tmp_files($1_t)
+- userdom_exec_user_home_content_files($1_t)
+ tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
+ fs_exec_cifs_files($1_usertype)
+ ')
@@ -61254,7 +61565,7 @@ index 28b88de..d933851 100644
userdom_change_password_template($1)
-@@ -736,72 +891,71 @@ template(`userdom_login_user_template', `
+@@ -736,72 +893,71 @@ template(`userdom_login_user_template', `
allow $1_t self:context contains;
@@ -61363,7 +61674,7 @@ index 28b88de..d933851 100644
')
')
-@@ -833,6 +987,9 @@ template(`userdom_restricted_user_template',`
+@@ -833,6 +989,9 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -61373,7 +61684,7 @@ index 28b88de..d933851 100644
##############################
#
# Local policy
-@@ -874,45 +1031,113 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1033,116 @@ template(`userdom_restricted_xwindows_user_template',`
#
auth_role($1_r, $1_t)
@@ -61431,6 +61742,9 @@ index 28b88de..d933851 100644
+ # bug: #682499
+ optional_policy(`
+ gnome_read_usr_config($1_usertype)
++ gnome_role_gkeyringd($1, $1_r, $1_t)
++ # cjp: telepathy F15 bugs
++ telepathy_dbus_session_role($1_r, $1_t, $1)
')
optional_policy(`
@@ -61449,39 +61763,39 @@ index 28b88de..d933851 100644
+ consolekit_dontaudit_read_log($1_usertype)
+ consolekit_dbus_chat($1_usertype)
+ ')
-+
-+ optional_policy(`
+
+ optional_policy(`
+- consolekit_dbus_chat($1_t)
+ cups_dbus_chat($1_usertype)
+ cups_dbus_chat_config($1_usertype)
-+ ')
+ ')
optional_policy(`
-- consolekit_dbus_chat($1_t)
+- cups_dbus_chat($1_t)
+ devicekit_dbus_chat($1_usertype)
+ devicekit_dbus_chat_disk($1_usertype)
+ devicekit_dbus_chat_power($1_usertype)
')
-
- optional_policy(`
-- cups_dbus_chat($1_t)
++
++ optional_policy(`
+ fprintd_dbus_chat($1_t)
- ')
- ')
-
- optional_policy(`
-- java_role($1_r, $1_t)
-+ openoffice_role_template($1, $1_r, $1_usertype)
++ ')
+ ')
+
+ optional_policy(`
-+ policykit_role($1_r, $1_usertype)
++ openoffice_role_template($1, $1_r, $1_usertype)
+ ')
+
+ optional_policy(`
-+ pulseaudio_role($1_r, $1_usertype)
++ policykit_role($1_r, $1_usertype)
+ ')
+
+ optional_policy(`
++ pulseaudio_role($1_r, $1_usertype)
+ ')
+
+ optional_policy(`
+- java_role($1_r, $1_t)
+ rtkit_scheduled($1_usertype)
')
@@ -61498,7 +61812,7 @@ index 28b88de..d933851 100644
')
')
-@@ -947,7 +1172,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1177,7 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -61507,7 +61821,7 @@ index 28b88de..d933851 100644
userdom_common_user_template($1)
##############################
-@@ -956,54 +1181,83 @@ template(`userdom_unpriv_user_template', `
+@@ -956,54 +1186,83 @@ template(`userdom_unpriv_user_template', `
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -61597,31 +61911,31 @@ index 28b88de..d933851 100644
+
+ optional_policy(`
+ mono_role_template($1, $1_r, $1_t)
-+ ')
-+
-+ optional_policy(`
-+ mount_run_fusermount($1_t, $1_r)
-+ mount_read_pid_files($1_t)
-+ ')
-+
-+ optional_policy(`
-+ wine_role_template($1, $1_r, $1_t)
')
- # Run pppd in pppd_t by default for user
optional_policy(`
- ppp_run_cond($1_t,$1_r)
-+ postfix_run_postdrop($1_t, $1_r)
++ mount_run_fusermount($1_t, $1_r)
++ mount_read_pid_files($1_t)
')
-+ # Run pppd in pppd_t by default for user
optional_policy(`
- setroubleshoot_stream_connect($1_t)
++ wine_role_template($1, $1_r, $1_t)
++ ')
++
++ optional_policy(`
++ postfix_run_postdrop($1_t, $1_r)
++ ')
++
++ # Run pppd in pppd_t by default for user
++ optional_policy(`
+ ppp_run_cond($1_t, $1_r)
')
')
-@@ -1039,7 +1293,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1298,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -61630,7 +61944,7 @@ index 28b88de..d933851 100644
')
##############################
-@@ -1066,6 +1320,7 @@ template(`userdom_admin_user_template',`
+@@ -1066,6 +1325,7 @@ template(`userdom_admin_user_template',`
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -61638,7 +61952,7 @@ index 28b88de..d933851 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1074,6 +1329,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1334,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -61648,7 +61962,7 @@ index 28b88de..d933851 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1088,6 +1346,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1351,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -61656,7 +61970,7 @@ index 28b88de..d933851 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1105,10 +1364,13 @@ template(`userdom_admin_user_template',`
+@@ -1105,10 +1369,13 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -61670,7 +61984,7 @@ index 28b88de..d933851 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1119,17 +1381,21 @@ template(`userdom_admin_user_template',`
+@@ -1119,17 +1386,21 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -61693,7 +62007,7 @@ index 28b88de..d933851 100644
auth_getattr_shadow($1_t)
# Manage almost all files
-@@ -1141,7 +1407,10 @@ template(`userdom_admin_user_template',`
+@@ -1141,7 +1412,10 @@ template(`userdom_admin_user_template',`
logging_send_syslog_msg($1_t)
@@ -61705,7 +62019,7 @@ index 28b88de..d933851 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1210,6 +1479,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1484,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -61714,7 +62028,7 @@ index 28b88de..d933851 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1222,6 +1493,7 @@ template(`userdom_security_admin_template',`
+@@ -1222,6 +1498,7 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -61722,7 +62036,7 @@ index 28b88de..d933851 100644
auth_relabel_all_files_except_shadow($1)
auth_relabel_shadow($1)
-@@ -1237,6 +1509,7 @@ template(`userdom_security_admin_template',`
+@@ -1237,6 +1514,7 @@ template(`userdom_security_admin_template',`
seutil_run_checkpolicy($1,$2)
seutil_run_loadpolicy($1,$2)
seutil_run_semanage($1,$2)
@@ -61730,7 +62044,7 @@ index 28b88de..d933851 100644
seutil_run_setfiles($1, $2)
optional_policy(`
-@@ -1279,11 +1552,37 @@ template(`userdom_security_admin_template',`
+@@ -1279,11 +1557,37 @@ template(`userdom_security_admin_template',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -61768,7 +62082,7 @@ index 28b88de..d933851 100644
ubac_constrained($1)
')
-@@ -1395,6 +1694,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,6 +1699,7 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -61776,7 +62090,7 @@ index 28b88de..d933851 100644
files_search_home($1)
')
-@@ -1441,6 +1741,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1746,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -61791,7 +62105,7 @@ index 28b88de..d933851 100644
')
########################################
-@@ -1456,9 +1764,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1769,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -61803,7 +62117,7 @@ index 28b88de..d933851 100644
')
########################################
-@@ -1515,10 +1825,10 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,10 +1830,10 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -61816,7 +62130,7 @@ index 28b88de..d933851 100644
##
##
##
-@@ -1526,22 +1836,58 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1526,19 +1841,55 @@ interface(`userdom_relabelto_user_home_dirs',`
##
##
#
@@ -61837,9 +62151,7 @@ index 28b88de..d933851 100644
-## domain when executing a program in the
-## user home directory.
+## Relabel user home files.
- ##
--##
--##
++##
+##
+##
+## Domain allowed access.
@@ -61878,13 +62190,10 @@ index 28b88de..d933851 100644
+## Do a domain transition to the specified
+## domain when executing a program in the
+## user home directory.
-+##
-+##
-+##
- ## Do a domain transition to the specified
- ## domain when executing a program in the
- ## user home directory.
-@@ -1589,6 +1935,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+ ##
+ ##
+ ##
+@@ -1589,6 +1940,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -61893,7 +62202,7 @@ index 28b88de..d933851 100644
')
########################################
-@@ -1603,10 +1951,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +1956,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -61908,7 +62217,7 @@ index 28b88de..d933851 100644
')
########################################
-@@ -1649,6 +1999,25 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +2004,25 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
##
@@ -61934,7 +62243,7 @@ index 28b88de..d933851 100644
## Do not audit attempts to set the
## attributes of user home files.
##
-@@ -1700,12 +2069,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1700,12 +2074,32 @@ interface(`userdom_read_user_home_content_files',`
type user_home_dir_t, user_home_t;
')
@@ -61967,7 +62276,7 @@ index 28b88de..d933851 100644
## Do not audit attempts to read user home files.
##
##
-@@ -1716,11 +2105,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2110,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -61985,7 +62294,7 @@ index 28b88de..d933851 100644
')
########################################
-@@ -1779,6 +2171,24 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2176,24 @@ interface(`userdom_delete_user_home_content_files',`
########################################
##
@@ -62010,7 +62319,7 @@ index 28b88de..d933851 100644
## Do not audit attempts to write user home files.
##
##
-@@ -1810,8 +2220,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2225,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -62020,7 +62329,7 @@ index 28b88de..d933851 100644
')
########################################
-@@ -1827,21 +2236,15 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,20 +2241,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -62034,19 +62343,18 @@ index 28b88de..d933851 100644
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files($1)
+- ')
+-
+- tunable_policy(`use_samba_home_dirs',`
+- fs_exec_cifs_files($1)
+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ dontaudit $1 user_home_type:sock_file execute;
')
-
-- tunable_policy(`use_samba_home_dirs',`
-- fs_exec_cifs_files($1)
-- ')
-')
--
+
########################################
##
- ## Do not audit attempts to execute user home files.
-@@ -2008,7 +2411,7 @@ interface(`userdom_user_home_dir_filetrans',`
+@@ -2008,7 +2416,7 @@ interface(`userdom_user_home_dir_filetrans',`
type user_home_dir_t;
')
@@ -62055,7 +62363,7 @@ index 28b88de..d933851 100644
files_search_home($1)
')
-@@ -2182,7 +2585,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2590,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -62064,7 +62372,7 @@ index 28b88de..d933851 100644
')
########################################
-@@ -2435,13 +2838,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +2843,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -62080,7 +62388,7 @@ index 28b88de..d933851 100644
##
##
##
-@@ -2462,26 +2866,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +2871,6 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
##
@@ -62107,7 +62415,7 @@ index 28b88de..d933851 100644
## Get the attributes of a user domain tty.
##
##
-@@ -2572,6 +2956,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2572,6 +2961,24 @@ interface(`userdom_use_user_ttys',`
########################################
##
@@ -62132,7 +62440,7 @@ index 28b88de..d933851 100644
## Read and write a user domain pty.
##
##
-@@ -2590,22 +2992,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2590,22 +2997,34 @@ interface(`userdom_use_user_ptys',`
########################################
##
@@ -62175,7 +62483,7 @@ index 28b88de..d933851 100644
##
##
##
-@@ -2614,14 +3028,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2614,14 +3033,33 @@ interface(`userdom_use_user_ptys',`
##
##
#
@@ -62213,7 +62521,7 @@ index 28b88de..d933851 100644
')
########################################
-@@ -2815,7 +3248,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2815,7 +3253,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -62222,7 +62530,7 @@ index 28b88de..d933851 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2831,11 +3264,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2831,11 +3269,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -62238,7 +62546,7 @@ index 28b88de..d933851 100644
')
########################################
-@@ -2917,7 +3352,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2917,7 +3357,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -62247,7 +62555,7 @@ index 28b88de..d933851 100644
')
########################################
-@@ -2972,7 +3407,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2972,7 +3412,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -62294,7 +62602,7 @@ index 28b88de..d933851 100644
')
########################################
-@@ -3009,6 +3482,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3009,6 +3487,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -62302,7 +62610,7 @@ index 28b88de..d933851 100644
kernel_search_proc($1)
')
-@@ -3087,6 +3561,24 @@ interface(`userdom_signal_all_users',`
+@@ -3087,6 +3566,24 @@ interface(`userdom_signal_all_users',`
########################################
##
@@ -62327,7 +62635,7 @@ index 28b88de..d933851 100644
## Send a SIGCHLD signal to all user domains.
##
##
-@@ -3139,3 +3631,1058 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3139,3 +3636,1058 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 1921a1e..147db60 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.16
-Release: 20%{?dist}
+Release: 21%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -472,6 +472,12 @@ exit 0
%endif
%changelog
+* Mon May 9 2011 Miroslav Grepl 3.9.16-21
+- Dontaudit sys_module for ifconfig
+- Make telepathy and gkeyringd daemon working with confined users
+- colord wants to read files in users homedir
+- Remote login should be creating user_tmp_t not its own tmp files
+
* Thu May 5 2011 Miroslav Grepl 3.9.16-20
- Fix label for /usr/share/munin/plugins/munin_* plugins
- Add support for zarafa-indexer