diff --git a/policy-F16.patch b/policy-F16.patch
index 221fa48..1b5e1ca 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -2873,7 +2873,7 @@ index d5aaf0e..689b2fd 100644
  optional_policy(`
  	mta_send_mail(sxid_t)
 diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te
-index 6a5004b..1ef8f1c 100644
+index 6a5004b..de58aeb 100644
 --- a/policy/modules/admin/tmpreaper.te
 +++ b/policy/modules/admin/tmpreaper.te
 @@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.5.0)
@@ -2901,7 +2901,7 @@ index 6a5004b..1ef8f1c 100644
  mls_file_read_all_levels(tmpreaper_t)
  mls_file_write_all_levels(tmpreaper_t)
  
-@@ -38,12 +44,15 @@ logging_send_syslog_msg(tmpreaper_t)
+@@ -38,13 +44,17 @@ logging_send_syslog_msg(tmpreaper_t)
  miscfiles_read_localization(tmpreaper_t)
  miscfiles_delete_man_pages(tmpreaper_t)
  
@@ -2912,13 +2912,18 @@ index 6a5004b..1ef8f1c 100644
  
  ifdef(`distro_redhat',`
  	userdom_list_user_home_content(tmpreaper_t)
- 	userdom_delete_user_home_content_dirs(tmpreaper_t)
- 	userdom_delete_user_home_content_files(tmpreaper_t)
-+	userdom_delete_user_home_content_sock_files(tmpreaper_t)
- 	userdom_delete_user_home_content_symlinks(tmpreaper_t)
+-	userdom_delete_user_home_content_dirs(tmpreaper_t)
+-	userdom_delete_user_home_content_files(tmpreaper_t)
+-	userdom_delete_user_home_content_symlinks(tmpreaper_t)
++	userdom_delete_all_user_home_content_dirs(tmpreaper_t)
++	userdom_delete_all_user_home_content_files(tmpreaper_t)
++	userdom_delete_all_user_home_content_sock_files(tmpreaper_t)
++	userdom_delete_all_user_home_content_symlinks(tmpreaper_t)
++	userdom_setattr_all_user_home_content_dirs(tmpreaper_t)
  ')
  
-@@ -52,7 +61,9 @@ optional_policy(`
+ optional_policy(`
+@@ -52,7 +62,9 @@ optional_policy(`
  ')
  
  optional_policy(`
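Review bot: Inside the `distro_redhat` block, tmpreaper_t moves from the `userdom_delete_user_home_content_*` interfaces to the `userdom_delete_all_user_home_content_*` variants and also gains `userdom_setattr_all_user_home_content_dirs`, with no comment on why the wider set is needed. Assuming the `_all_` interfaces cover every type carrying the user-home-content attribute rather than only the generic home type, a file's label no longer keeps a root-run reaper away from it. I would add a line above the block such as `# <reason tmpreaper must remove every home content type, with bug reference>`, or keep the narrow interfaces and add only the specific types that produced denials. The `ifdef` block opens above the changed lines, so anything guarding it earlier is not visible here.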
@@ -2928,7 +2933,7 @@ index 6a5004b..1ef8f1c 100644
  	apache_delete_cache_files(tmpreaper_t)
  	apache_setattr_cache_dirs(tmpreaper_t)
  ')
-@@ -66,9 +77,17 @@ optional_policy(`
+@@ -66,9 +78,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -3543,10 +3548,10 @@ index 0000000..7b1047f
 +')
 diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
 new file mode 100644
-index 0000000..41336ff
+index 0000000..0fbe8cc
 --- /dev/null
 +++ b/policy/modules/apps/chrome.te
-@@ -0,0 +1,111 @@
+@@ -0,0 +1,115 @@
 +policy_module(chrome,1.0.0)
 +
 +########################################
@@ -3645,13 +3650,17 @@ index 0000000..41336ff
 +
 +tunable_policy(`use_nfs_home_dirs',`
 +	fs_search_nfs(chrome_sandbox_t)
-+	fs_read_inherited_nfs_files(chrome_sandbox_t)
++	fs_exec_nfs_files(chrome_sandbox_t)
++	fs_read_nfs_files(chrome_sandbox_t)
 +	fs_read_nfs_symlinks(chrome_sandbox_t)
++	fs_dontaudit_append_nfs_files(chrome_sandbox_t)
 +')
 +
 +tunable_policy(`use_samba_home_dirs',`
 +	fs_search_cifs(chrome_sandbox_t)
-+	fs_read_inherited_cifs_files(chrome_sandbox_t)
++	fs_exec_cifs_files(chrome_sandbox_t)
++	fs_read_cifs_files(chrome_sandbox_t)
++	fs_read_cifs_symlinks(chrome_sandbox_t)
 +	fs_dontaudit_append_cifs_files(chrome_sandbox_t)
 +')
 +
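Review bot: In both the `use_nfs_home_dirs` and `use_samba_home_dirs` blocks, chrome_sandbox_t trades `fs_read_inherited_*_files` for `fs_exec_*_files` plus `fs_read_*_files`, which is a much wider grant for a sandbox domain. Read access limited to descriptors handed in by the parent becomes, as far as the interface names indicate, open-by-path read and execute on network home content. If execute is only needed because the browser itself is started from a network home, a comment saying so would help, e.g. `# <why the sandbox must exec from NFS/CIFS homes, with bug reference>`. It is also worth checking whether read can stay on the inherited variant. The new `fs_dontaudit_append_nfs_files` line additionally silences append denials, so those attempts will not appear in the audit log unless dontaudit rules are disabled.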
@@ -6564,14 +6573,14 @@ index 93ac529..35b51ab 100644
 +/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
 +/usr/lib/xulrunner[^/]*/plugin-container		--	gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
 diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index 9a6d67d..5298652 100644
+index 9a6d67d..319aac2 100644
 --- a/policy/modules/apps/mozilla.if
 +++ b/policy/modules/apps/mozilla.if
 @@ -29,6 +29,8 @@ interface(`mozilla_role',`
  	allow mozilla_t $2:process { sigchld signull };
  	allow mozilla_t $2:unix_stream_socket connectto;
  
-+	mozilla_run_plugin(mozilla_t, $2)
++	mozilla_run_plugin(mozilla_t, $1)
 +
  	# Allow the user domain to signal/ps.
  	ps_process_pattern($2, mozilla_t)
@@ -6717,7 +6726,7 @@ index 9a6d67d..5298652 100644
 +
 +########################################
 +## <summary>
-+##	Delete mozilla_plugin tmpf  files
++##	Delete mozilla_plugin tmpfs files
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -6730,7 +6739,7 @@ index 9a6d67d..5298652 100644
 +		type mozilla_plugin_tmpfs_t;
 +	')
 +
-+	allow $1 mozilla_plugin_tmpfs_t:file unlink;
++	allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms;
 +')
 +
 +########################################
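Review bot: `allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms;` grants file-class permissions only, so a caller can unlink these files only if it already has search and `remove_name` on the containing directory from another rule. Nothing in this hunk shows where that comes from, and the interface header lies outside it. I would either state the prerequisite in the summary, e.g. `## Caller must separately be allowed to modify the tmpfs directory.`, or grant the directory access inside the interface. The new `files_delete_all_pid_pipes` interface in the files.if hunk has the same shape (`allow $1 pidfile:fifo_file delete_fifo_file_perms;`). If pid directories are meant to be covered there, `delete_fifo_files_pattern($1, pidfile, pidfile)` would express it in one line.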
@@ -6769,7 +6778,7 @@ index 9a6d67d..5298652 100644
 +	dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
 +')
 diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2a91fa8..b231fab 100644
+index 2a91fa8..50e279c 100644
 --- a/policy/modules/apps/mozilla.te
 +++ b/policy/modules/apps/mozilla.te
 @@ -7,7 +7,7 @@ policy_module(mozilla, 2.3.0)
@@ -6857,7 +6866,7 @@ index 2a91fa8..b231fab 100644
  	pulseaudio_exec(mozilla_t)
  	pulseaudio_stream_connect(mozilla_t)
  	pulseaudio_manage_home_files(mozilla_t)
-@@ -266,3 +288,198 @@ optional_policy(`
+@@ -266,3 +288,214 @@ optional_policy(`
  optional_policy(`
  	thunderbird_domtrans(mozilla_t)
  ')
@@ -6878,6 +6887,7 @@ index 2a91fa8..b231fab 100644
 +allow mozilla_plugin_t self:sem create_sem_perms;
 +allow mozilla_plugin_t self:shm create_shm_perms;
 +allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
++allow mozilla_plugin_t self:unix_dgram_socket sendto;
 +allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
 +
 +can_exec(mozilla_plugin_t, mozilla_home_t)
@@ -6886,8 +6896,9 @@ index 2a91fa8..b231fab 100644
 +manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
 +manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
 +manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
-+files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
-+userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
++manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
++files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
++userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
 +can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)
 +
 +manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
@@ -6991,6 +7002,11 @@ index 2a91fa8..b231fab 100644
 +')
 +
 +optional_policy(`
++	consolekit_dbus_chat(mozilla_plugin_t)
++')
++
++optional_policy(`
++	dbus_connect_session_bus(mozilla_plugin_t)
 +	dbus_system_bus_client(mozilla_plugin_t)
 +	dbus_session_bus_client(mozilla_plugin_t)
 +	dbus_read_lib_files(mozilla_plugin_t)
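Review bot: `dbus_connect_session_bus(mozilla_plugin_t)` is added next to `dbus_session_bus_client`, which already gives the plugin domain client access to the session bus, and nothing here explains what the extra interface is for. If it matches upstream reference policy it grants `acquire_svc`, meaning the confined plugin could own names on the user's session bus rather than only call services; please confirm that against the dbus.if in this tree. A short comment naming the plugin and the denial that motivated it would make this auditable later, e.g. `# <plugin and AVC that required acquire_svc>`. The same applies to the new `consolekit_dbus_chat(mozilla_plugin_t)` block just above it.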
@@ -7030,6 +7046,7 @@ index 2a91fa8..b231fab 100644
 +	pulseaudio_stream_connect(mozilla_plugin_t)
 +	pulseaudio_setattr_home_dir(mozilla_plugin_t)
 +	pulseaudio_manage_home_files(mozilla_plugin_t)
++	pulseaudio_manage_home_symlinks(mozilla_plugin_t)
 +')
 +
 +optional_policy(`
@@ -7037,6 +7054,14 @@ index 2a91fa8..b231fab 100644
 +')
 +
 +optional_policy(`
++	rtkit_scheduled(mozilla_plugin_t)
++')
++
++optional_policy(`
++	udev_read_db(mozilla_plugin_t)
++')
++
++optional_policy(`
 +	xserver_read_xdm_pid(mozilla_plugin_t)
 +	xserver_stream_connect(mozilla_plugin_t)
 +	xserver_use_user_fonts(mozilla_plugin_t)
@@ -8309,7 +8334,7 @@ index 84f23dc..af5b87d 100644
  
  /var/lib/pulse(/.*)?		gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
 diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if
-index 2ba7787..fe1284b 100644
+index 2ba7787..9a5e99c 100644
 --- a/policy/modules/apps/pulseaudio.if
 +++ b/policy/modules/apps/pulseaudio.if
 @@ -17,7 +17,7 @@
@@ -8348,13 +8373,33 @@ index 2ba7787..fe1284b 100644
  	userdom_search_user_home_dirs($1)
  ')
  
-@@ -256,3 +262,43 @@ interface(`pulseaudio_manage_home_files',`
+@@ -256,3 +262,63 @@ interface(`pulseaudio_manage_home_files',`
  	manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
  	read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
  ')
 +
 +########################################
 +## <summary>
++##	Create, read, write, and delete pulseaudio
++##	home directory symlinks.
++## </summary>
++## <param name="user_domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`pulseaudio_manage_home_symlinks',`
++	gen_require(`
++		type pulseaudio_home_t;
++	')
++
++	userdom_search_user_home_dirs($1)
++	manage_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
++')
++
++########################################
++## <summary>
 +##	Create pulseaudio content in the user home directory
 +##	with an correct label.
 +## </summary>
@@ -8393,7 +8438,7 @@ index 2ba7787..fe1284b 100644
 +	userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
 +')
 diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
-index c2d20a2..e5d85d1 100644
+index c2d20a2..8610868 100644
 --- a/policy/modules/apps/pulseaudio.te
 +++ b/policy/modules/apps/pulseaudio.te
 @@ -44,6 +44,7 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -8438,7 +8483,7 @@ index c2d20a2..e5d85d1 100644
  
  optional_policy(`
  	bluetooth_stream_connect(pulseaudio_t)
-@@ -127,10 +127,23 @@ optional_policy(`
+@@ -127,10 +127,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -8451,6 +8496,7 @@ index c2d20a2..e5d85d1 100644
  ')
  
  optional_policy(`
++	mozilla_plugin_delete_tmpfs_files(pulseaudio_t)
 +	mozilla_plugin_read_tmpfs_files(pulseaudio_t)
 +')
 +
@@ -8462,7 +8508,7 @@ index c2d20a2..e5d85d1 100644
  	policykit_domtrans_auth(pulseaudio_t)
  	policykit_read_lib(pulseaudio_t)
  	policykit_read_reload(pulseaudio_t)
-@@ -148,3 +161,7 @@ optional_policy(`
+@@ -148,3 +162,7 @@ optional_policy(`
  	xserver_read_xdm_pid(pulseaudio_t)
  	xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
  ')
@@ -14242,7 +14288,7 @@ index aad8c52..53b0624 100644
 +	dontaudit $1 domain:socket_class_set { read write };
  ')
 diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index bc534c1..6190297 100644
+index bc534c1..0ffb0e4 100644
 --- a/policy/modules/kernel/domain.te
 +++ b/policy/modules/kernel/domain.te
 @@ -4,6 +4,21 @@ policy_module(domain, 1.9.0)
@@ -14335,7 +14381,7 @@ index bc534c1..6190297 100644
  # Act upon any other process.
  allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
  
-@@ -160,3 +197,89 @@ allow unconfined_domain_type domain:key *;
+@@ -160,3 +197,88 @@ allow unconfined_domain_type domain:key *;
  
  # receive from all domains over labeled networking
  domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -14367,7 +14413,6 @@ index bc534c1..6190297 100644
 +	abrt_read_pid_files(domain)
 +	abrt_read_state(domain)
 +	abrt_signull(domain)
-+	abrt_stream_connect(domain)
 +')
 +
 +optional_policy(`
@@ -14568,7 +14613,7 @@ index 16108f6..d993f7e 100644
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 958ca84..473eacc 100644
+index 958ca84..62352ec 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
@@ -15635,7 +15680,7 @@ index 958ca84..473eacc 100644
  ')
  
  ########################################
-@@ -5542,6 +6166,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5542,6 +6166,80 @@ interface(`files_dontaudit_ioctl_all_pids',`
  
  ########################################
  ## <summary>
@@ -15665,7 +15710,7 @@ index 958ca84..473eacc 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`files_unlink_all_pid_sockets',`
++interface(`files_delete_all_pid_sockets',`
 +	gen_require(`
 +		attribute pidfile;
 +	')
@@ -15675,6 +15720,24 @@ index 958ca84..473eacc 100644
 +
 +########################################
 +## <summary>
++##	Delete all pid named pipes
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_delete_all_pid_pipes',`
++	gen_require(`
++		attribute pidfile;
++	')
++
++	allow $1 pidfile:fifo_file delete_fifo_file_perms;
++')
++
++########################################
++## <summary>
 +##	manage all pidfile directories
 +##	in the /var/run directory.
 +## </summary>
@@ -15698,7 +15761,7 @@ index 958ca84..473eacc 100644
  ##	Read all process ID files.
  ## </summary>
  ## <param name="domain">
-@@ -5559,6 +6239,44 @@ interface(`files_read_all_pids',`
+@@ -5559,6 +6257,44 @@ interface(`files_read_all_pids',`
  
  	list_dirs_pattern($1, var_t, pidfile)
  	read_files_pattern($1, pidfile, pidfile)
@@ -15743,7 +15806,7 @@ index 958ca84..473eacc 100644
  ')
  
  ########################################
-@@ -5769,7 +6487,7 @@ interface(`files_spool_filetrans',`
+@@ -5769,7 +6505,7 @@ interface(`files_spool_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -15752,7 +15815,7 @@ index 958ca84..473eacc 100644
  ')
  
  ########################################
-@@ -5844,3 +6562,284 @@ interface(`files_unconfined',`
+@@ -5844,3 +6580,284 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -17364,7 +17427,7 @@ index 0e5b661..3168d72 100644
 +attribute mcsuntrustedproc;
 +attribute mcsnetwrite;
 diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
-index 786449a..15368b1 100644
+index 786449a..23a065c 100644
 --- a/policy/modules/kernel/selinux.if
 +++ b/policy/modules/kernel/selinux.if
 @@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',`
@@ -17416,16 +17479,15 @@ index 786449a..15368b1 100644
  	allow $1 security_t:filesystem unmount;
  ')
  
-@@ -220,6 +225,8 @@ interface(`selinux_search_fs',`
+@@ -220,6 +225,7 @@ interface(`selinux_search_fs',`
  		type security_t;
  	')
  
-+	fs_getattr_xattr_fs($1)
 +	dev_search_sysfs($1)
  	allow $1 security_t:dir search_dir_perms;
  ')
  
-@@ -243,6 +250,26 @@ interface(`selinux_dontaudit_search_fs',`
+@@ -243,6 +249,26 @@ interface(`selinux_dontaudit_search_fs',`
  
  ########################################
  ## <summary>
@@ -17452,7 +17514,7 @@ index 786449a..15368b1 100644
  ##	Do not audit attempts to read
  ##	generic selinuxfs entries
  ## </summary>
-@@ -257,6 +284,7 @@ interface(`selinux_dontaudit_read_fs',`
+@@ -257,6 +283,7 @@ interface(`selinux_dontaudit_read_fs',`
  		type security_t;
  	')
  
@@ -17460,7 +17522,7 @@ index 786449a..15368b1 100644
  	dontaudit $1 security_t:dir search_dir_perms;
  	dontaudit $1 security_t:file read_file_perms;
  ')
-@@ -278,6 +306,7 @@ interface(`selinux_get_enforce_mode',`
+@@ -278,6 +305,7 @@ interface(`selinux_get_enforce_mode',`
  		type security_t;
  	')
  
@@ -17468,7 +17530,7 @@ index 786449a..15368b1 100644
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file read_file_perms;
  ')
-@@ -311,6 +340,7 @@ interface(`selinux_set_enforce_mode',`
+@@ -311,6 +339,7 @@ interface(`selinux_set_enforce_mode',`
  		bool secure_mode_policyload;
  	')
  
@@ -17476,7 +17538,7 @@ index 786449a..15368b1 100644
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file rw_file_perms;
  	typeattribute $1 can_setenforce;
-@@ -342,6 +372,7 @@ interface(`selinux_load_policy',`
+@@ -342,6 +371,7 @@ interface(`selinux_load_policy',`
  		bool secure_mode_policyload;
  	')
  
@@ -17484,7 +17546,7 @@ index 786449a..15368b1 100644
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file rw_file_perms;
  	typeattribute $1 can_load_policy;
-@@ -358,6 +389,27 @@ interface(`selinux_load_policy',`
+@@ -358,6 +388,27 @@ interface(`selinux_load_policy',`
  
  ########################################
  ## <summary>
@@ -17512,7 +17574,7 @@ index 786449a..15368b1 100644
  ##	Allow caller to set the state of Booleans to
  ##	enable or disable conditional portions of the policy.  (Deprecated)
  ## </summary>
-@@ -416,6 +468,7 @@ interface(`selinux_set_generic_booleans',`
+@@ -416,6 +467,7 @@ interface(`selinux_set_generic_booleans',`
  		bool secure_mode_policyload;
  	')
  
@@ -17520,7 +17582,7 @@ index 786449a..15368b1 100644
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file rw_file_perms;
  
-@@ -458,7 +511,9 @@ interface(`selinux_set_all_booleans',`
+@@ -458,7 +510,9 @@ interface(`selinux_set_all_booleans',`
  		bool secure_mode_policyload;
  	')
  
@@ -17530,7 +17592,7 @@ index 786449a..15368b1 100644
  	allow $1 boolean_type:file rw_file_perms;
  
  	if(!secure_mode_policyload) {
-@@ -499,6 +554,7 @@ interface(`selinux_set_parameters',`
+@@ -499,6 +553,7 @@ interface(`selinux_set_parameters',`
  		attribute can_setsecparam;
  	')
  
@@ -17538,7 +17600,7 @@ index 786449a..15368b1 100644
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file rw_file_perms;
  	allow $1 security_t:security setsecparam;
-@@ -522,6 +578,7 @@ interface(`selinux_validate_context',`
+@@ -522,6 +577,7 @@ interface(`selinux_validate_context',`
  		type security_t;
  	')
  
@@ -17546,7 +17608,7 @@ index 786449a..15368b1 100644
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file rw_file_perms;
  	allow $1 security_t:security check_context;
-@@ -564,6 +621,7 @@ interface(`selinux_compute_access_vector',`
+@@ -564,6 +620,7 @@ interface(`selinux_compute_access_vector',`
  		type security_t;
  	')
  
@@ -17554,7 +17616,7 @@ index 786449a..15368b1 100644
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file rw_file_perms;
  	allow $1 security_t:security compute_av;
-@@ -585,6 +643,7 @@ interface(`selinux_compute_create_context',`
+@@ -585,6 +642,7 @@ interface(`selinux_compute_create_context',`
  		type security_t;
  	')
  
@@ -17562,7 +17624,7 @@ index 786449a..15368b1 100644
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file rw_file_perms;
  	allow $1 security_t:security compute_create;
-@@ -606,6 +665,7 @@ interface(`selinux_compute_member',`
+@@ -606,6 +664,7 @@ interface(`selinux_compute_member',`
  		type security_t;
  	')
  
@@ -17570,7 +17632,7 @@ index 786449a..15368b1 100644
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file rw_file_perms;
  	allow $1 security_t:security compute_member;
-@@ -635,6 +695,7 @@ interface(`selinux_compute_relabel_context',`
+@@ -635,6 +694,7 @@ interface(`selinux_compute_relabel_context',`
  		type security_t;
  	')
  
@@ -17578,7 +17640,7 @@ index 786449a..15368b1 100644
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file rw_file_perms;
  	allow $1 security_t:security compute_relabel;
-@@ -655,6 +716,7 @@ interface(`selinux_compute_user_contexts',`
+@@ -655,6 +715,7 @@ interface(`selinux_compute_user_contexts',`
  		type security_t;
  	')
  
@@ -17586,7 +17648,7 @@ index 786449a..15368b1 100644
  	allow $1 security_t:dir list_dir_perms;
  	allow $1 security_t:file rw_file_perms;
  	allow $1 security_t:security compute_user;
-@@ -677,3 +739,24 @@ interface(`selinux_unconfined',`
+@@ -677,3 +738,24 @@ interface(`selinux_unconfined',`
  
  	typeattribute $1 selinux_unconfined_type;
  ')
@@ -18040,7 +18102,7 @@ index 3994e57..a1923fe 100644
 +
 +/lib/udev/devices/pts	-d	gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
 diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index f3acfee..70c384c 100644
+index f3acfee..590c2c0 100644
 --- a/policy/modules/kernel/terminal.if
 +++ b/policy/modules/kernel/terminal.if
 @@ -208,6 +208,27 @@ interface(`term_use_all_terms',`
@@ -18079,7 +18141,7 @@ index f3acfee..70c384c 100644
  #
  interface(`term_use_console',`
  	gen_require(`
-@@ -299,9 +319,11 @@ interface(`term_use_console',`
+@@ -299,9 +319,12 @@ interface(`term_use_console',`
  interface(`term_dontaudit_use_console',`
  	gen_require(`
  		type console_device_t;
@@ -18087,12 +18149,13 @@ index f3acfee..70c384c 100644
  	')
  
 -	dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
++	init_dontaudit_use_fds($1)
 +	dontaudit $1 console_device_t:chr_file rw_inherited_chr_file_perms;
 +	dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
  ')
  
  ########################################
-@@ -341,7 +363,7 @@ interface(`term_relabel_console',`
+@@ -341,7 +364,7 @@ interface(`term_relabel_console',`
  	')
  
  	dev_list_all_dev_nodes($1)
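Review bot: Putting `init_dontaudit_use_fds($1)` inside `term_dontaudit_use_console` means every caller of a terminal interface now also suppresses audit records for use of init's file descriptors, which the interface name and summary do not mention. The same line is added to `term_dontaudit_use_generic_ptys` and `term_dontaudit_use_unallocated_ttys` in later hunks. Since dontaudit rules remove evidence from the audit log, I would extend each summary, e.g. `## Also silences denials on file descriptors inherited from init.`, so that whoever triages a missing AVC knows to rebuild with dontaudit disabled (`semodule -DB`). It is also worth confirming that a kernel-layer interface calling into the init module is acceptable in this tree. The interface header and summary sit outside the hunk.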
@@ -18101,7 +18164,7 @@ index f3acfee..70c384c 100644
  ')
  
  ########################################
-@@ -462,6 +484,24 @@ interface(`term_list_ptys',`
+@@ -462,6 +485,24 @@ interface(`term_list_ptys',`
  
  ########################################
  ## <summary>
@@ -18126,7 +18189,15 @@ index f3acfee..70c384c 100644
  ##	Do not audit attempts to read the
  ##	/dev/pts directory.
  ## </summary>
-@@ -658,6 +698,25 @@ interface(`term_use_controlling_term',`
+@@ -616,6 +657,7 @@ interface(`term_dontaudit_use_generic_ptys',`
+ 		type devpts_t;
+ 	')
+ 
++	init_dontaudit_use_fds($1)
+ 	dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
+ ')
+ 
+@@ -658,6 +700,25 @@ interface(`term_use_controlling_term',`
  	allow $1 devtty_t:chr_file { rw_term_perms lock append };
  ')
  
@@ -18152,7 +18223,7 @@ index f3acfee..70c384c 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to get attributes
-@@ -842,6 +901,26 @@ interface(`term_use_all_ptys',`
+@@ -842,6 +903,26 @@ interface(`term_use_all_ptys',`
  
  ########################################
  ## <summary>
@@ -18179,7 +18250,7 @@ index f3acfee..70c384c 100644
  ##	Do not audit attempts to read or write any ptys.
  ## </summary>
  ## <param name="domain">
-@@ -855,7 +934,7 @@ interface(`term_dontaudit_use_all_ptys',`
+@@ -855,7 +936,7 @@ interface(`term_dontaudit_use_all_ptys',`
  		attribute ptynode;
  	')
  
@@ -18188,7 +18259,7 @@ index f3acfee..70c384c 100644
  ')
  
  ########################################
-@@ -903,7 +982,7 @@ interface(`term_getattr_all_user_ptys',`
+@@ -903,7 +984,7 @@ interface(`term_getattr_all_user_ptys',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -18197,7 +18268,7 @@ index f3acfee..70c384c 100644
  ##	</summary>
  ## </param>
  #
-@@ -1123,7 +1202,7 @@ interface(`term_relabel_unallocated_ttys',`
+@@ -1123,7 +1204,7 @@ interface(`term_relabel_unallocated_ttys',`
  	')
  
  	dev_list_all_dev_nodes($1)
@@ -18206,16 +18277,17 @@ index f3acfee..70c384c 100644
  ')
  
  ########################################
-@@ -1222,7 +1301,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1222,7 +1303,8 @@ interface(`term_dontaudit_use_unallocated_ttys',`
  		type tty_device_t;
  	')
  
 -	dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
++	init_dontaudit_use_fds($1)
 +	dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
  ')
  
  ########################################
-@@ -1238,11 +1317,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1238,11 +1320,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
  #
  interface(`term_getattr_all_ttys',`
  	gen_require(`
@@ -18229,7 +18301,7 @@ index f3acfee..70c384c 100644
  ')
  
  ########################################
-@@ -1259,10 +1340,12 @@ interface(`term_getattr_all_ttys',`
+@@ -1259,10 +1343,12 @@ interface(`term_getattr_all_ttys',`
  interface(`term_dontaudit_getattr_all_ttys',`
  	gen_require(`
  		attribute ttynode;
@@ -18242,7 +18314,7 @@ index f3acfee..70c384c 100644
  ')
  
  ########################################
-@@ -1301,7 +1384,7 @@ interface(`term_relabel_all_ttys',`
+@@ -1301,7 +1387,7 @@ interface(`term_relabel_all_ttys',`
  	')
  
  	dev_list_all_dev_nodes($1)
@@ -18251,7 +18323,7 @@ index f3acfee..70c384c 100644
  ')
  
  ########################################
-@@ -1340,7 +1423,27 @@ interface(`term_use_all_ttys',`
+@@ -1340,7 +1426,27 @@ interface(`term_use_all_ttys',`
  	')
  
  	dev_list_all_dev_nodes($1)
@@ -18280,7 +18352,7 @@ index f3acfee..70c384c 100644
  ')
  
  ########################################
-@@ -1359,7 +1462,7 @@ interface(`term_dontaudit_use_all_ttys',`
+@@ -1359,7 +1465,7 @@ interface(`term_dontaudit_use_all_ttys',`
  		attribute ttynode;
  	')
  
@@ -18289,7 +18361,7 @@ index f3acfee..70c384c 100644
  ')
  
  ########################################
-@@ -1467,7 +1570,7 @@ interface(`term_use_all_user_ttys',`
+@@ -1467,7 +1573,7 @@ interface(`term_use_all_user_ttys',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -18298,7 +18370,7 @@ index f3acfee..70c384c 100644
  ##	</summary>
  ## </param>
  #
-@@ -1475,3 +1578,392 @@ interface(`term_dontaudit_use_all_user_ttys',`
+@@ -1475,3 +1581,393 @@ interface(`term_dontaudit_use_all_user_ttys',`
  	refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
  	term_dontaudit_use_all_ttys($1)
  ')
@@ -18628,6 +18700,7 @@ index f3acfee..70c384c 100644
 +	dev_filetrans($1, tty_device_t, chr_file, "isdn7")
 +	dev_filetrans($1, tty_device_t, chr_file, "isdn8")
 +	dev_filetrans($1, tty_device_t, chr_file, "isdn9")
++	#filetrans_pattern($1, devpts_t, chr_file, "ptmx")
 +	dev_filetrans($1, ptmx_t, chr_file, "ptmx")
 +	dev_filetrans($1, tty_device_t, chr_file, "rfcomm0")
 +	dev_filetrans($1, tty_device_t, chr_file, "rfcomm1")
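Review bot: The added line `#filetrans_pattern($1, devpts_t, chr_file, "ptmx")` is commented-out policy with no explanation, sitting directly above the live `dev_filetrans($1, ptmx_t, chr_file, "ptmx")` rule. A reader cannot tell whether it is a planned rule for ptmx created under /dev/pts, a rejected alternative, or leftover debugging. Either drop it or replace it with a sentence stating the intent, e.g. `# TODO: <why a devpts_t name transition for ptmx is not enabled yet>`. The enclosing interface begins and ends outside this hunk.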
@@ -21055,10 +21128,21 @@ index e88b95f..4b5f106 100644
 -#gen_user(xguest_u,, xguest_r, s0, s0)
 +gen_user(xguest_u, user, xguest_r, s0, s0)
 diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc
-index 1bd5812..b4d006a 100644
+index 1bd5812..7112560 100644
 --- a/policy/modules/services/abrt.fc
 +++ b/policy/modules/services/abrt.fc
-@@ -15,6 +15,21 @@
+@@ -3,8 +3,9 @@
+ 
+ /usr/bin/abrt-pyhook-helper 	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+ 
+-/usr/libexec/abrt-pyhook-helper --	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
++/usr/libexec/abrt-hook-ccpp 	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+ /usr/libexec/abrt-hook-python 	--	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
++/usr/libexec/abrt-pyhook-helper --	gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+ 
+ /usr/sbin/abrtd			--	gen_context(system_u:object_r:abrt_exec_t,s0)
+ 
+@@ -15,6 +16,21 @@
  
  /var/run/abrt\.pid		--	gen_context(system_u:object_r:abrt_var_run_t,s0)
  /var/run/abrtd?\.lock		--	gen_context(system_u:object_r:abrt_var_run_t,s0)
@@ -21280,7 +21364,7 @@ index 0b827c5..7382308 100644
 +    read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
 +')
 diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..2f6627b 100644
+index 30861ec..28604d3 100644
 --- a/policy/modules/services/abrt.te
 +++ b/policy/modules/services/abrt.te
 @@ -5,6 +5,14 @@ policy_module(abrt, 1.2.0)
@@ -21331,7 +21415,7 @@ index 30861ec..2f6627b 100644
  #
  
 -allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override };
-+allow abrt_t self:capability { fowner chown kill setuid setgid sys_nice dac_override };
++allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
  dontaudit abrt_t self:capability sys_rawio;
 -allow abrt_t self:process { signal signull setsched getsched };
 +allow abrt_t self:process { sigkill signal signull setsched getsched };
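Review bot: The rewritten `allow abrt_t self:capability { ... }` line adds `fsetid`, but the set was alphabetised in the same edit, so the new capability is easy to miss in review. `fsetid` lets the domain keep setuid/setgid bits on files it modifies, and abrt_t already holds `chown`, `fowner` and `dac_override`, so each addition here deserves a stated reason. I would put a comment above the rule such as `# fsetid: <operation in abrtd that needs it, with bug reference>` and, where possible, keep re-sorting separate from permission changes.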
@@ -21363,7 +21447,15 @@ index 30861ec..2f6627b 100644
  
  kernel_read_ring_buffer(abrt_t)
  kernel_read_system_state(abrt_t)
-@@ -113,7 +146,8 @@ domain_read_all_domains_state(abrt_t)
+@@ -104,6 +137,7 @@ corenet_tcp_connect_all_ports(abrt_t)
+ corenet_sendrecv_http_client_packets(abrt_t)
+ 
+ dev_getattr_all_chr_files(abrt_t)
++dev_read_rand(abrt_t)
+ dev_read_urand(abrt_t)
+ dev_rw_sysfs(abrt_t)
+ dev_dontaudit_read_raw_memory(abrt_t)
+@@ -113,7 +147,8 @@ domain_read_all_domains_state(abrt_t)
  domain_signull_all_domains(abrt_t)
  
  files_getattr_all_files(abrt_t)
@@ -21373,7 +21465,7 @@ index 30861ec..2f6627b 100644
  files_read_var_symlinks(abrt_t)
  files_read_var_lib_files(abrt_t)
  files_read_usr_files(abrt_t)
-@@ -121,6 +155,8 @@ files_read_generic_tmp_files(abrt_t)
+@@ -121,6 +156,8 @@ files_read_generic_tmp_files(abrt_t)
  files_read_kernel_modules(abrt_t)
  files_dontaudit_list_default(abrt_t)
  files_dontaudit_read_default_files(abrt_t)
@@ -21382,7 +21474,7 @@ index 30861ec..2f6627b 100644
  
  fs_list_inotifyfs(abrt_t)
  fs_getattr_all_fs(abrt_t)
-@@ -131,7 +167,7 @@ fs_read_nfs_files(abrt_t)
+@@ -131,7 +168,7 @@ fs_read_nfs_files(abrt_t)
  fs_read_nfs_symlinks(abrt_t)
  fs_search_all(abrt_t)
  
@@ -21391,7 +21483,7 @@ index 30861ec..2f6627b 100644
  
  logging_read_generic_logs(abrt_t)
  logging_send_syslog_msg(abrt_t)
-@@ -140,6 +176,15 @@ miscfiles_read_generic_certs(abrt_t)
+@@ -140,6 +177,16 @@ miscfiles_read_generic_certs(abrt_t)
  miscfiles_read_localization(abrt_t)
  
  userdom_dontaudit_read_user_home_content_files(abrt_t)
@@ -21402,12 +21494,13 @@ index 30861ec..2f6627b 100644
 +')
 +
 +optional_policy(`
++	apache_list_modules(abrt_t)
 +	apache_read_modules(abrt_t)
 +')
  
  optional_policy(`
  	dbus_system_domain(abrt_t, abrt_exec_t)
-@@ -150,6 +195,11 @@ optional_policy(`
+@@ -150,6 +197,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21419,7 +21512,7 @@ index 30861ec..2f6627b 100644
  	policykit_dbus_chat(abrt_t)
  	policykit_domtrans_auth(abrt_t)
  	policykit_read_lib(abrt_t)
-@@ -167,6 +217,7 @@ optional_policy(`
+@@ -167,6 +219,7 @@ optional_policy(`
  	rpm_exec(abrt_t)
  	rpm_dontaudit_manage_db(abrt_t)
  	rpm_manage_cache(abrt_t)
@@ -21427,7 +21520,7 @@ index 30861ec..2f6627b 100644
  	rpm_manage_pid_files(abrt_t)
  	rpm_read_db(abrt_t)
  	rpm_signull(abrt_t)
-@@ -178,12 +229,18 @@ optional_policy(`
+@@ -178,12 +231,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -21447,7 +21540,7 @@ index 30861ec..2f6627b 100644
  #
  
  allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -203,6 +260,7 @@ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
+@@ -203,6 +262,7 @@ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  domain_read_all_domains_state(abrt_helper_t)
  
  files_read_etc_files(abrt_helper_t)
@@ -21455,7 +21548,7 @@ index 30861ec..2f6627b 100644
  
  fs_list_inotifyfs(abrt_helper_t)
  fs_getattr_all_fs(abrt_helper_t)
-@@ -216,7 +274,8 @@ miscfiles_read_localization(abrt_helper_t)
+@@ -216,7 +276,8 @@ miscfiles_read_localization(abrt_helper_t)
  term_dontaudit_use_all_ttys(abrt_helper_t)
  term_dontaudit_use_all_ptys(abrt_helper_t)
  
@@ -21465,7 +21558,7 @@ index 30861ec..2f6627b 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +283,100 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +285,100 @@ ifdef(`hide_broken_symptoms', `
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -24443,10 +24536,10 @@ index 44a1e3d..7e9d2fb 100644
  	files_list_pids($1)
  	admin_pattern($1, named_var_run_t)
 diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
-index 4deca04..256bd70 100644
+index 4deca04..be16209 100644
 --- a/policy/modules/services/bind.te
 +++ b/policy/modules/services/bind.te
-@@ -6,10 +6,17 @@ policy_module(bind, 1.11.0)
+@@ -6,16 +6,24 @@ policy_module(bind, 1.11.0)
  #
  
  ## <desc>
@@ -24468,7 +24561,14 @@ index 4deca04..256bd70 100644
  ## </desc>
  gen_tunable(named_write_master_zones, false)
  
-@@ -27,7 +34,7 @@ init_system_domain(named_t, named_checkconf_exec_t)
+ # for DNSSEC key files
+ type dnssec_t;
+ files_security_file(dnssec_t)
++files_mountpoint(dnssec_t)
+ 
+ type named_t;
+ type named_exec_t;
+@@ -27,7 +35,7 @@ init_system_domain(named_t, named_checkconf_exec_t)
  
  # A type for configuration files of named.
  type named_conf_t;
@@ -24477,7 +24577,7 @@ index 4deca04..256bd70 100644
  files_mountpoint(named_conf_t)
  
  # for secondary zone files
-@@ -89,9 +96,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
+@@ -89,9 +97,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
  manage_files_pattern(named_t, named_tmp_t, named_tmp_t)
  files_tmp_filetrans(named_t, named_tmp_t, { file dir })
  
@@ -24489,7 +24589,7 @@ index 4deca04..256bd70 100644
  
  # read zone files
  allow named_t named_zone_t:dir list_dir_perms;
-@@ -147,6 +155,10 @@ miscfiles_read_generic_certs(named_t)
+@@ -147,6 +156,10 @@ miscfiles_read_generic_certs(named_t)
  userdom_dontaudit_use_unpriv_user_fds(named_t)
  userdom_dontaudit_search_user_home_dirs(named_t)
  
@@ -24500,7 +24600,7 @@ index 4deca04..256bd70 100644
  tunable_policy(`named_write_master_zones',`
  	manage_dirs_pattern(named_t, named_zone_t, named_zone_t)
  	manage_files_pattern(named_t, named_zone_t, named_zone_t)
-@@ -201,12 +213,12 @@ allow ndc_t self:tcp_socket create_socket_perms;
+@@ -201,12 +214,12 @@ allow ndc_t self:tcp_socket create_socket_perms;
  allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
  
  allow ndc_t dnssec_t:file read_file_perms;
@@ -24515,7 +24615,7 @@ index 4deca04..256bd70 100644
  
  allow ndc_t named_zone_t:dir search_dir_perms;
  
-@@ -238,13 +250,13 @@ miscfiles_read_localization(ndc_t)
+@@ -238,13 +251,13 @@ miscfiles_read_localization(ndc_t)
  sysnet_read_config(ndc_t)
  sysnet_dns_name_resolve(ndc_t)
  
@@ -27575,10 +27675,10 @@ index 0000000..939d76e
 +')
 diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
 new file mode 100644
-index 0000000..760d092
+index 0000000..08d2de0
 --- /dev/null
 +++ b/policy/modules/services/colord.te
-@@ -0,0 +1,111 @@
+@@ -0,0 +1,115 @@
 +policy_module(colord,1.0.0)
 +
 +########################################
@@ -27681,6 +27781,10 @@ index 0000000..760d092
 +')
 +
 +optional_policy(`
++	gnome_read_home_icc_data_content(colord_t)
++')
++
++optional_policy(`
 +	policykit_dbus_chat(colord_t)
 +	policykit_domtrans_auth(colord_t)
 +	policykit_read_lib(colord_t)
@@ -29323,7 +29427,7 @@ index 81eba14..d0ab56c 100644
  /usr/bin/dbus-daemon(-1)? --	gen_context(system_u:object_r:dbusd_exec_t,s0)
  /usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
 diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
-index 0d5711c..6e35cb2 100644
+index 0d5711c..5a0ca9f 100644
 --- a/policy/modules/services/dbus.if
 +++ b/policy/modules/services/dbus.if
 @@ -41,9 +41,9 @@ interface(`dbus_stub',`
@@ -29503,7 +29607,7 @@ index 0d5711c..6e35cb2 100644
  ')
  
  ########################################
-@@ -431,14 +473,29 @@ interface(`dbus_system_domain',`
+@@ -431,14 +473,33 @@ interface(`dbus_system_domain',`
  
  	domtrans_pattern(system_dbusd_t, $2, $1)
  
@@ -29523,6 +29627,10 @@ index 0d5711c..6e35cb2 100644
  
 -	ifdef(`hide_broken_symptoms', `
 +	optional_policy(`
++		abrt_stream_connect($1)
++	')
++
++	optional_policy(`
 +		rpm_script_dbus_chat($1)
 +	')
 +
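Review bot: `abrt_stream_connect($1)` is added here inside `dbus_system_domain`, and the same block is added to `inetd_core_service_domain` and `init_system_domain` in later hunks. Every domain declared through these three interfaces therefore gains access to abrt's stream socket. None of the three additions carries a comment explaining why a base service template needs it, and once the grant lives in the template it can no longer be reviewed per service. Add a comment such as `# let services hand crash data to abrt (confirm)` at each site, or keep the rule in the abrt module keyed on one attribute if a suitable one exists. The interface body starts and ends outside this hunk.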
@@ -29534,7 +29642,7 @@ index 0d5711c..6e35cb2 100644
  		dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
  	')
  ')
-@@ -463,26 +520,25 @@ interface(`dbus_use_system_bus_fds',`
+@@ -463,26 +524,25 @@ interface(`dbus_use_system_bus_fds',`
  
  ########################################
  ## <summary>
@@ -29567,7 +29675,7 @@ index 0d5711c..6e35cb2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -490,10 +546,12 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+@@ -490,10 +550,12 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
  ##	</summary>
  ## </param>
  #
@@ -34525,10 +34633,21 @@ index 978c32f..3b96342 100644
  type ifplugd_initrc_exec_t;
  init_script_file(ifplugd_initrc_exec_t)
 diff --git a/policy/modules/services/inetd.if b/policy/modules/services/inetd.if
-index df48e5e..6985546 100644
+index df48e5e..878d9df 100644
 --- a/policy/modules/services/inetd.if
 +++ b/policy/modules/services/inetd.if
-@@ -55,7 +55,6 @@ interface(`inetd_core_service_domain',`
+@@ -37,6 +37,10 @@ interface(`inetd_core_service_domain',`
+ 
+ 	domtrans_pattern(inetd_t, $2, $1)
+ 	allow inetd_t $1:process { siginh sigkill };
++
++	optional_policy(`
++		abrt_stream_connect($1)
++	')
+ ')
+ 
+ ########################################
+@@ -55,7 +59,6 @@ interface(`inetd_core_service_domain',`
  ## </param>
  #
  interface(`inetd_tcp_service_domain',`
@@ -35155,7 +35274,7 @@ index 3525d24..923e979 100644
  /var/tmp/host_0			-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 +/var/tmp/HTTP_23		-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
 diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
-index 604f67b..b80c8f0 100644
+index 604f67b..be8a805 100644
 --- a/policy/modules/services/kerberos.if
 +++ b/policy/modules/services/kerberos.if
 @@ -26,9 +26,9 @@
@@ -35318,7 +35437,7 @@ index 604f67b..b80c8f0 100644
 +##	</summary>
 +## </param>
 +#
-+template(`kerberos_read_home_content',`
++interface(`kerberos_read_home_content',`
 +	gen_require(`
 +		type krb5_home_t;
 +	')
@@ -36226,7 +36345,7 @@ index 0000000..6463cee
 +
 diff --git a/policy/modules/services/lldpad.te b/policy/modules/services/lldpad.te
 new file mode 100644
-index 0000000..a91120c
+index 0000000..e231877
 --- /dev/null
 +++ b/policy/modules/services/lldpad.te
 @@ -0,0 +1,64 @@
@@ -36262,7 +36381,7 @@ index 0000000..a91120c
 +
 +allow lldpad_t self:capability { net_admin net_raw };
 +
-+allow lldpad_t self:shm rw_shm_perms;
++allow lldpad_t self:shm create_shm_perms;
 +allow lldpad_t self:fifo_file rw_fifo_file_perms;
 +
 +allow lldpad_t self:unix_stream_socket create_stream_socket_perms;
@@ -38331,7 +38450,7 @@ index 256166a..6321a93 100644
 +/var/spool/mqueue\.in(/.*)?	gen_context(system_u:object_r:mqueue_spool_t,s0)
  /var/spool/mail(/.*)?		gen_context(system_u:object_r:mail_spool_t,s0)
 diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
-index 343cee3..0c22d93 100644
+index 343cee3..5e792cc 100644
 --- a/policy/modules/services/mta.if
 +++ b/policy/modules/services/mta.if
 @@ -37,9 +37,9 @@ interface(`mta_stub',`
@@ -38439,12 +38558,13 @@ index 343cee3..0c22d93 100644
  ')
  
  ########################################
-@@ -391,12 +408,15 @@ interface(`mta_send_mail',`
+@@ -391,12 +408,17 @@ interface(`mta_send_mail',`
  #
  interface(`mta_sendmail_domtrans',`
  	gen_require(`
 -		type sendmail_exec_t;
 +		attribute mta_exec_type;
++		attribute mta_user_agent;
  	')
  
  	files_search_usr($1)
@@ -38454,10 +38574,11 @@ index 343cee3..0c22d93 100644
 +
 +	allow $2 mta_exec_type:file entrypoint;
 +	domtrans_pattern($1, mta_exec_type, $2)
++	allow mta_user_agent $1:fifo_file { read write };
  ')
  
  ########################################
-@@ -409,7 +429,6 @@ interface(`mta_sendmail_domtrans',`
+@@ -409,7 +431,6 @@ interface(`mta_sendmail_domtrans',`
  ##	</summary>
  ## </param>
  #
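Review bot: The added `allow mta_user_agent $1:fifo_file { read write };` in `mta_sendmail_domtrans` grants the caller's pipes to every domain carrying the `mta_user_agent` attribute, while the transition on the line above only enters `$2`. If the goal is that the started mailer can use pipes inherited from the caller, `allow $2 $1:fifo_file { read write };` limits the grant to the domain actually entered; `domtrans_pattern` may already provide that for `$2`, which is worth checking. If other agent domains really need the access, add a comment naming them. The interface begins in the previous hunk, where the matching `attribute mta_user_agent;` require is added.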
@@ -38465,7 +38586,7 @@ index 343cee3..0c22d93 100644
  interface(`mta_signal_system_mail',`
  	gen_require(`
  		type system_mail_t;
-@@ -420,6 +439,24 @@ interface(`mta_signal_system_mail',`
+@@ -420,6 +441,24 @@ interface(`mta_signal_system_mail',`
  
  ########################################
  ## <summary>
@@ -38490,7 +38611,7 @@ index 343cee3..0c22d93 100644
  ##	Execute sendmail in the caller domain.
  ## </summary>
  ## <param name="domain">
-@@ -438,6 +475,26 @@ interface(`mta_sendmail_exec',`
+@@ -438,6 +477,26 @@ interface(`mta_sendmail_exec',`
  
  ########################################
  ## <summary>
@@ -38517,7 +38638,7 @@ index 343cee3..0c22d93 100644
  ##	Read mail server configuration.
  ## </summary>
  ## <param name="domain">
-@@ -474,7 +531,8 @@ interface(`mta_write_config',`
+@@ -474,7 +533,8 @@ interface(`mta_write_config',`
  		type etc_mail_t;
  	')
  
@@ -38527,7 +38648,7 @@ index 343cee3..0c22d93 100644
  ')
  
  ########################################
-@@ -494,6 +552,7 @@ interface(`mta_read_aliases',`
+@@ -494,6 +554,7 @@ interface(`mta_read_aliases',`
  
  	files_search_etc($1)
  	allow $1 etc_aliases_t:file read_file_perms;
@@ -38535,7 +38656,7 @@ index 343cee3..0c22d93 100644
  ')
  
  ########################################
-@@ -532,7 +591,7 @@ interface(`mta_etc_filetrans_aliases',`
+@@ -532,7 +593,7 @@ interface(`mta_etc_filetrans_aliases',`
  		type etc_aliases_t;
  	')
  
@@ -38544,7 +38665,7 @@ index 343cee3..0c22d93 100644
  ')
  
  ########################################
-@@ -552,7 +611,7 @@ interface(`mta_rw_aliases',`
+@@ -552,7 +613,7 @@ interface(`mta_rw_aliases',`
  	')
  
  	files_search_etc($1)
@@ -38553,7 +38674,7 @@ index 343cee3..0c22d93 100644
  ')
  
  #######################################
-@@ -646,8 +705,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
+@@ -646,8 +707,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
  
  	files_dontaudit_search_spool($1)
  	dontaudit $1 mail_spool_t:dir search_dir_perms;
@@ -38564,7 +38685,7 @@ index 343cee3..0c22d93 100644
  ')
  
  #######################################
-@@ -697,8 +756,8 @@ interface(`mta_rw_spool',`
+@@ -697,8 +758,8 @@ interface(`mta_rw_spool',`
  
  	files_search_spool($1)
  	allow $1 mail_spool_t:dir list_dir_perms;
@@ -38575,7 +38696,7 @@ index 343cee3..0c22d93 100644
  	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
  ')
  
-@@ -838,7 +897,7 @@ interface(`mta_dontaudit_rw_queue',`
+@@ -838,7 +899,7 @@ interface(`mta_dontaudit_rw_queue',`
  	')
  
  	dontaudit $1 mqueue_spool_t:dir search_dir_perms;
@@ -38584,7 +38705,7 @@ index 343cee3..0c22d93 100644
  ')
  
  ########################################
-@@ -899,3 +958,112 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -899,3 +960,112 @@ interface(`mta_rw_user_mail_stream_sockets',`
  
  	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
  ')
@@ -42844,7 +42965,7 @@ index 55e62d2..f2674e8 100644
  /var/spool/postfix/pid/.*	gen_context(system_u:object_r:postfix_var_run_t,s0)
  /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
 diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
-index 46bee12..398a32d 100644
+index 46bee12..c22af86 100644
 --- a/policy/modules/services/postfix.if
 +++ b/policy/modules/services/postfix.if
 @@ -34,8 +34,9 @@ template(`postfix_domain_template',`
@@ -42880,7 +43001,7 @@ index 46bee12..398a32d 100644
  	files_tmp_file(postfix_$1_tmp_t)
  
 -	allow postfix_$1_t self:capability { setuid setgid dac_override };
-+	allow postfix_$1_t $self:capability { setuid setgid sys_chroot dac_override };
++	allow postfix_$1_t self:capability { setuid setgid sys_chroot dac_override };
  	allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
  	allow postfix_$1_t self:tcp_socket create_socket_perms;
  	allow postfix_$1_t self:udp_socket create_socket_perms;
@@ -43185,7 +43306,7 @@ index 46bee12..398a32d 100644
 +	role $2 types postfix_postdrop_t;
 +')
 diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index 06e37d4..fda5e3f 100644
+index 06e37d4..ea5feb2 100644
 --- a/policy/modules/services/postfix.te
 +++ b/policy/modules/services/postfix.te
 @@ -5,6 +5,14 @@ policy_module(postfix, 1.12.0)
@@ -43469,16 +43590,20 @@ index 06e37d4..fda5e3f 100644
  stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
  
  rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
-@@ -519,7 +579,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +579,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
  
  allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
  allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
 -allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read };
 +allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms;
++
++allow postfix_qmgr_t postfix_spool_maildrop_t:dir list_dir_perms;
++allow postfix_qmgr_t postfix_spool_maildrop_t:file read_file_perms;
++allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
  
  corecmd_exec_bin(postfix_qmgr_t)
  
-@@ -539,7 +599,9 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +603,9 @@ postfix_list_spool(postfix_showq_t)
  
  allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
  allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
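Review bot: The three new `postfix_qmgr_t` rules on `postfix_spool_maildrop_t` carry no comment, and they repeat the dir/file rules written just below for `postfix_showq_t`. The maildrop directory holds locally submitted mail that has not been processed yet, so read access for another daemon deserves a one-line reason. A comment such as `# qmgr lists and reads the maildrop queue (confirm which operation needs this)` would do. If both domains need the same read access, one shared read interface for the maildrop spool would keep the two grants in step.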
@@ -43489,7 +43614,7 @@ index 06e37d4..fda5e3f 100644
  
  # to write the mailq output, it really should not need read access!
  term_use_all_ptys(postfix_showq_t)
-@@ -565,6 +627,10 @@ optional_policy(`
+@@ -565,6 +631,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -43500,7 +43625,7 @@ index 06e37d4..fda5e3f 100644
  	milter_stream_connect_all(postfix_smtp_t)
  ')
  
-@@ -588,10 +654,16 @@ corecmd_exec_bin(postfix_smtpd_t)
+@@ -588,10 +658,16 @@ corecmd_exec_bin(postfix_smtpd_t)
  
  # for OpenSSL certificates
  files_read_usr_files(postfix_smtpd_t)
@@ -43517,7 +43642,7 @@ index 06e37d4..fda5e3f 100644
  ')
  
  optional_policy(`
-@@ -611,8 +683,8 @@ optional_policy(`
+@@ -611,8 +687,8 @@ optional_policy(`
  # Postfix virtual local policy
  #
  
@@ -43527,7 +43652,7 @@ index 06e37d4..fda5e3f 100644
  
  allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
  
-@@ -630,3 +702,8 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +706,8 @@ mta_delete_spool(postfix_virtual_t)
  # For reading spamassasin
  mta_read_config(postfix_virtual_t)
  mta_manage_spool(postfix_virtual_t)
@@ -44161,7 +44286,7 @@ index b1bc02c..8f0b07e 100644
  
  dev_read_rand(prelude_lml_t)
 diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te
-index 2dbf4d4..3625895 100644
+index 2dbf4d4..28d7fe5 100644
 --- a/policy/modules/services/privoxy.te
 +++ b/policy/modules/services/privoxy.te
 @@ -6,10 +6,10 @@ policy_module(privoxy, 1.11.0)
@@ -44179,7 +44304,18 @@ index 2dbf4d4..3625895 100644
  ## </desc>
  gen_tunable(privoxy_connect_any, false)
  
-@@ -87,7 +87,7 @@ miscfiles_read_localization(privoxy_t)
+@@ -46,8 +46,9 @@ logging_log_filetrans(privoxy_t, privoxy_log_t, file)
+ manage_files_pattern(privoxy_t, privoxy_var_run_t, privoxy_var_run_t)
+ files_pid_filetrans(privoxy_t, privoxy_var_run_t, file)
+ 
+-kernel_read_system_state(privoxy_t)
+ kernel_read_kernel_sysctls(privoxy_t)
++kernel_read_network_state(privoxy_t)
++kernel_read_system_state(privoxy_t)
+ 
+ corenet_all_recvfrom_unlabeled(privoxy_t)
+ corenet_all_recvfrom_netlabel(privoxy_t)
+@@ -87,7 +88,7 @@ miscfiles_read_localization(privoxy_t)
  userdom_dontaudit_use_unpriv_user_fds(privoxy_t)
  userdom_dontaudit_search_user_home_dirs(privoxy_t)
  # cjp: this should really not be needed
@@ -46677,10 +46813,10 @@ index 0000000..88f6a9e
 +')
 diff --git a/policy/modules/services/rhev.te b/policy/modules/services/rhev.te
 new file mode 100644
-index 0000000..988f82c
+index 0000000..bc97a21
 --- /dev/null
 +++ b/policy/modules/services/rhev.te
-@@ -0,0 +1,81 @@
+@@ -0,0 +1,84 @@
 +policy_module(rhev,1.0)
 +
 +########################################
@@ -46758,9 +46894,12 @@ index 0000000..988f82c
 +')
 +
 +optional_policy(`
-+   xserver_dbus_chat_xdm(rhev_agentd_t)
++	userhelper_console_role_template(rhev_agentd, system_r, rhev_agentd_t)
 +')
 +
++optional_policy(`
++   xserver_dbus_chat_xdm(rhev_agentd_t)
++')
 +
 diff --git a/policy/modules/services/rhgb.if b/policy/modules/services/rhgb.if
 index 96efae7..793a29f 100644
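Review bot: The new `userhelper_console_role_template(rhev_agentd, system_r, rhev_agentd_t)` call has no comment saying which helper program the agent runs. A role template usually declares derived types and transitions, so the effect is likely larger than this one line suggests; the template body is not visible here. A short comment above the call naming the helper would make the grant reviewable. The new block is indented with a tab while the re-added `xserver_dbus_chat_xdm` block keeps three spaces, so use a tab in both.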
@@ -47003,7 +47142,7 @@ index f7826f9..3128dd8 100644
 +	admin_pattern($1, ricci_var_run_t)
 +')
 diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
-index 33e72e8..b71d193 100644
+index 33e72e8..a61bb94 100644
 --- a/policy/modules/services/ricci.te
 +++ b/policy/modules/services/ricci.te
 @@ -7,9 +7,11 @@ policy_module(ricci, 1.7.0)
@@ -47060,16 +47199,17 @@ index 33e72e8..b71d193 100644
  	unconfined_use_fds(ricci_t)
  ')
  
-@@ -193,7 +202,7 @@ corecmd_exec_shell(ricci_modcluster_t)
+@@ -193,7 +202,8 @@ corecmd_exec_shell(ricci_modcluster_t)
  corecmd_exec_bin(ricci_modcluster_t)
  
  corenet_tcp_bind_cluster_port(ricci_modclusterd_t)
 -corenet_tcp_bind_reserved_port(ricci_modclusterd_t)
 +corenet_tcp_bind_all_rpc_ports(ricci_modclusterd_t)
++corenet_tcp_connect_cluster_port(ricci_modclusterd_t)
  
  domain_read_all_domains_state(ricci_modcluster_t)
  
-@@ -209,13 +218,9 @@ logging_send_syslog_msg(ricci_modcluster_t)
+@@ -209,13 +219,9 @@ logging_send_syslog_msg(ricci_modcluster_t)
  
  miscfiles_read_localization(ricci_modcluster_t)
  
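Review bot: The added `corenet_tcp_connect_cluster_port(ricci_modclusterd_t)` names the `ricci_modclusterd_t` domain, but the neighbouring rules here (`corecmd_exec_bin`, `domain_read_all_domains_state`) are for `ricci_modcluster_t`. The two bind rules directly above show the same mismatch, so this may be deliberate. Please confirm which of the two domains makes the outbound connection and place the rule in that domain's section, so the network grant is found where a reader looks for it. The enclosing section starts and ends outside this hunk.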
@@ -47086,7 +47226,7 @@ index 33e72e8..b71d193 100644
  
  optional_policy(`
  	aisexec_stream_connect(ricci_modcluster_t)
-@@ -233,6 +238,18 @@ optional_policy(`
+@@ -233,6 +239,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -47105,7 +47245,7 @@ index 33e72e8..b71d193 100644
  	nscd_socket_use(ricci_modcluster_t)
  ')
  
-@@ -241,8 +258,7 @@ optional_policy(`
+@@ -241,8 +259,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -47115,7 +47255,7 @@ index 33e72e8..b71d193 100644
  ')
  
  ########################################
-@@ -261,6 +277,10 @@ allow ricci_modclusterd_t self:socket create_socket_perms;
+@@ -261,6 +278,10 @@ allow ricci_modclusterd_t self:socket create_socket_perms;
  allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
  allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;
  
@@ -47126,7 +47266,7 @@ index 33e72e8..b71d193 100644
  allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
  manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
  manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
-@@ -272,6 +292,7 @@ files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock
+@@ -272,6 +293,7 @@ files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock
  
  kernel_read_kernel_sysctls(ricci_modclusterd_t)
  kernel_read_system_state(ricci_modclusterd_t)
@@ -47134,7 +47274,7 @@ index 33e72e8..b71d193 100644
  
  corecmd_exec_bin(ricci_modclusterd_t)
  
-@@ -394,8 +415,6 @@ files_search_usr(ricci_modservice_t)
+@@ -394,8 +416,6 @@ files_search_usr(ricci_modservice_t)
  # Needed for running chkconfig
  files_manage_etc_symlinks(ricci_modservice_t)
  
@@ -47143,7 +47283,7 @@ index 33e72e8..b71d193 100644
  init_domtrans_script(ricci_modservice_t)
  
  miscfiles_read_localization(ricci_modservice_t)
-@@ -405,6 +424,10 @@ optional_policy(`
+@@ -405,6 +425,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -47154,7 +47294,7 @@ index 33e72e8..b71d193 100644
  	nscd_dontaudit_search_pid(ricci_modservice_t)
  ')
  
-@@ -444,22 +467,20 @@ files_read_etc_runtime_files(ricci_modstorage_t)
+@@ -444,22 +468,20 @@ files_read_etc_runtime_files(ricci_modstorage_t)
  files_read_usr_files(ricci_modstorage_t)
  files_read_kernel_modules(ricci_modstorage_t)
  
@@ -47183,7 +47323,7 @@ index 33e72e8..b71d193 100644
  optional_policy(`
  	aisexec_stream_connect(ricci_modstorage_t)
  	corosync_stream_connect(ricci_modstorage_t)
-@@ -471,11 +492,27 @@ optional_policy(`
+@@ -471,11 +493,27 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -48471,15 +48611,17 @@ index 150c85d..71e9315 100644
  #
 diff --git a/policy/modules/services/sanlock.fc b/policy/modules/services/sanlock.fc
 new file mode 100644
-index 0000000..19d7347
+index 0000000..630960e
 --- /dev/null
 +++ b/policy/modules/services/sanlock.fc
-@@ -0,0 +1,6 @@
+@@ -0,0 +1,8 @@
 +
 +/etc/rc\.d/init\.d/sanlock	--	gen_context(system_u:object_r:sanlock_initrc_exec_t,s0)
 +
 +/var/run/sanlock(/.*)?			gen_context(system_u:object_r:sanlock_var_run_t,s0)
 +
++/var/log/sanlock\.log			gen_context(system_u:object_r:sanlock_log_t,s0)
++
 +/usr/sbin/sanlock		--	gen_context(system_u:object_r:sanlock_exec_t,s0)
 diff --git a/policy/modules/services/sanlock.if b/policy/modules/services/sanlock.if
 new file mode 100644
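Review bot: The new entry `/var/log/sanlock\.log` matches only that exact name and has no file-type field, unlike the `--` entries for the init script and `/usr/sbin/sanlock` in the same file. Rotated copies created under another name would then fall back to the generic log label on relabel, and the daemon's rules for `sanlock_log_t` would not apply to them. Consider `/var/log/sanlock\.log.*	--	gen_context(system_u:object_r:sanlock_log_t,s0)` so the label covers rotated files and is limited to regular files.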
@@ -48599,10 +48741,10 @@ index 0000000..486d53d
 +')
 diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te
 new file mode 100644
-index 0000000..f7cfc54
+index 0000000..f050bc5
 --- /dev/null
 +++ b/policy/modules/services/sanlock.te
-@@ -0,0 +1,55 @@
+@@ -0,0 +1,61 @@
 +policy_module(sanlock,1.0.0)
 +
 +########################################
@@ -48619,6 +48761,9 @@ index 0000000..f7cfc54
 +type sanlock_var_run_t;
 +files_pid_file(sanlock_var_run_t)
 +
++type sanlock_log_t;
++logging_log_file(sanlock_log_t)
++
 +type sanlock_initrc_exec_t;
 +init_script_file(sanlock_initrc_exec_t)
 +
@@ -48632,6 +48777,9 @@ index 0000000..f7cfc54
 +allow sanlock_t self:fifo_file rw_fifo_file_perms;
 +allow sanlock_t self:unix_stream_socket create_stream_socket_perms;
 +
++manage_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
++logging_log_filetrans(sanlock_t, sanlock_log_t, file)
++
 +manage_dirs_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
 +manage_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
 +manage_sock_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
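Review bot: `manage_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)` lets the daemon rewrite, rename and unlink its own log as well as write to it. If sanlock only creates and appends to the file, a narrower set keeps the log useful as evidence after a compromise of the daemon: `append_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)` together with `create_files_pattern` and `setattr_files_pattern` on the same types. If the daemon rotates the file itself, say so in a comment and keep `manage`.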
@@ -53748,7 +53896,7 @@ index 6f1e3c7..ade9046 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..cb751f8 100644
+index 130ced9..ea8077d 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -19,9 +19,10 @@
@@ -53833,12 +53981,14 @@ index 130ced9..cb751f8 100644
  	xserver_xsession_entry_type($2)
  	xserver_dontaudit_write_log($2)
  	xserver_stream_connect_xdm($2)
-@@ -106,12 +116,25 @@ interface(`xserver_restricted_role',`
+@@ -106,12 +116,27 @@ interface(`xserver_restricted_role',`
  	xserver_create_xdm_tmp_sockets($2)
  	# Needed for escd, remove if we get escd policy
  	xserver_manage_xdm_tmp_files($2)
 +	xserver_read_xdm_etc_files($2)
 +
++	modutils_run_insmod(xserver_t, $1)
++
 +	ifdef(`hide_broken_symptoms',`
 +		dontaudit iceauth_t $2:socket_class_set { read write };
 +	')
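Review bot: The added `modutils_run_insmod(xserver_t, $1)` in `xserver_restricted_role` is a rule about the X server domain, not about the role's user domain `$2`, yet it is emitted once for every role that calls this interface. It lets `xserver_t` run the module loader in each of those roles, which is a notable privilege to attach to an interface named "restricted". The call is also not wrapped in `optional_policy`, so the interface now depends on the modutils module being present, and whether `xserver_t` is listed in the `gen_require` block cannot be seen from this hunk. Consider moving the domain transition into xserver.te, keeping only the role association here, and adding a comment that names the driver case needing module loading. The interface body starts and ends outside this hunk.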
@@ -53859,7 +54009,7 @@ index 130ced9..cb751f8 100644
  ')
  
  ########################################
-@@ -143,13 +166,15 @@ interface(`xserver_role',`
+@@ -143,13 +168,15 @@ interface(`xserver_role',`
  	allow $2 xserver_tmpfs_t:file rw_file_perms;
  
  	allow $2 iceauth_home_t:file manage_file_perms;
@@ -53877,7 +54027,7 @@ index 130ced9..cb751f8 100644
  	relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
  	relabel_files_pattern($2, user_fonts_t, user_fonts_t)
  
-@@ -162,7 +187,6 @@ interface(`xserver_role',`
+@@ -162,7 +189,6 @@ interface(`xserver_role',`
  	manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
  	relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
  	relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
@@ -53885,7 +54035,7 @@ index 130ced9..cb751f8 100644
  ')
  
  #######################################
-@@ -197,7 +221,7 @@ interface(`xserver_ro_session',`
+@@ -197,7 +223,7 @@ interface(`xserver_ro_session',`
  	allow $1 xserver_t:process signal;
  
  	# Read /tmp/.X0-lock
@@ -53894,7 +54044,7 @@ index 130ced9..cb751f8 100644
  
  	# Client read xserver shm
  	allow $1 xserver_t:fd use;
-@@ -227,7 +251,7 @@ interface(`xserver_rw_session',`
+@@ -227,7 +253,7 @@ interface(`xserver_rw_session',`
  		type xserver_t, xserver_tmpfs_t;
  	')
  
@@ -53903,7 +54053,7 @@ index 130ced9..cb751f8 100644
  	allow $1 xserver_t:shm rw_shm_perms;
  	allow $1 xserver_tmpfs_t:file rw_file_perms;
  ')
-@@ -255,7 +279,7 @@ interface(`xserver_non_drawing_client',`
+@@ -255,7 +281,7 @@ interface(`xserver_non_drawing_client',`
  
  	allow $1 self:x_gc { create setattr };
  
@@ -53912,7 +54062,7 @@ index 130ced9..cb751f8 100644
  	allow $1 xserver_t:unix_stream_socket connectto;
  
  	allow $1 xextension_t:x_extension { query use };
-@@ -291,13 +315,13 @@ interface(`xserver_user_client',`
+@@ -291,13 +317,13 @@ interface(`xserver_user_client',`
  	allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
  
  	# Read .Xauthority file
@@ -53930,7 +54080,7 @@ index 130ced9..cb751f8 100644
  	allow $1 xdm_tmp_t:sock_file { read write };
  	dontaudit $1 xdm_t:tcp_socket { read write };
  
-@@ -342,19 +366,23 @@ interface(`xserver_user_client',`
+@@ -342,19 +368,23 @@ interface(`xserver_user_client',`
  #
  template(`xserver_common_x_domain_template',`
  	gen_require(`
@@ -53957,7 +54107,7 @@ index 130ced9..cb751f8 100644
  	')
  
  	##############################
-@@ -386,6 +414,15 @@ template(`xserver_common_x_domain_template',`
+@@ -386,6 +416,15 @@ template(`xserver_common_x_domain_template',`
  	allow $2 xevent_t:{ x_event x_synthetic_event } receive;
  	# dont audit send failures
  	dontaudit $2 input_xevent_type:x_event send;
@@ -53973,7 +54123,7 @@ index 130ced9..cb751f8 100644
  ')
  
  #######################################
-@@ -444,8 +481,9 @@ template(`xserver_object_types_template',`
+@@ -444,8 +483,9 @@ template(`xserver_object_types_template',`
  #
  template(`xserver_user_x_domain_template',`
  	gen_require(`
@@ -53985,7 +54135,7 @@ index 130ced9..cb751f8 100644
  	')
  
  	allow $2 self:shm create_shm_perms;
-@@ -456,11 +494,18 @@ template(`xserver_user_x_domain_template',`
+@@ -456,11 +496,18 @@ template(`xserver_user_x_domain_template',`
  	allow $2 xauth_home_t:file read_file_perms;
  	allow $2 iceauth_home_t:file read_file_perms;
  
@@ -54006,7 +54156,7 @@ index 130ced9..cb751f8 100644
  	dontaudit $2 xdm_t:tcp_socket { read write };
  
  	# Allow connections to X server.
-@@ -472,20 +517,25 @@ template(`xserver_user_x_domain_template',`
+@@ -472,20 +519,25 @@ template(`xserver_user_x_domain_template',`
  	# for .xsession-errors
  	userdom_dontaudit_write_user_home_content_files($2)
  
@@ -54034,7 +54184,7 @@ index 130ced9..cb751f8 100644
  ')
  
  ########################################
-@@ -517,6 +567,7 @@ interface(`xserver_use_user_fonts',`
+@@ -517,6 +569,7 @@ interface(`xserver_use_user_fonts',`
  	# Read per user fonts
  	allow $1 user_fonts_t:dir list_dir_perms;
  	allow $1 user_fonts_t:file read_file_perms;
@@ -54042,7 +54192,7 @@ index 130ced9..cb751f8 100644
  
  	# Manipulate the global font cache
  	manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
-@@ -545,6 +596,28 @@ interface(`xserver_domtrans_xauth',`
+@@ -545,6 +598,28 @@ interface(`xserver_domtrans_xauth',`
  	')
  
  	domtrans_pattern($1, xauth_exec_t, xauth_t)
@@ -54071,7 +54221,7 @@ index 130ced9..cb751f8 100644
  ')
  
  ########################################
-@@ -598,6 +671,7 @@ interface(`xserver_read_user_xauth',`
+@@ -598,6 +673,7 @@ interface(`xserver_read_user_xauth',`
  
  	allow $1 xauth_home_t:file read_file_perms;
  	userdom_search_user_home_dirs($1)
@@ -54079,7 +54229,7 @@ index 130ced9..cb751f8 100644
  ')
  
  ########################################
-@@ -615,7 +689,7 @@ interface(`xserver_setattr_console_pipes',`
+@@ -615,7 +691,7 @@ interface(`xserver_setattr_console_pipes',`
  		type xconsole_device_t;
  	')
  
@@ -54088,7 +54238,7 @@ index 130ced9..cb751f8 100644
  ')
  
  ########################################
-@@ -651,7 +725,7 @@ interface(`xserver_use_xdm_fds',`
+@@ -651,7 +727,7 @@ interface(`xserver_use_xdm_fds',`
  		type xdm_t;
  	')
  
@@ -54097,7 +54247,7 @@ index 130ced9..cb751f8 100644
  ')
  
  ########################################
-@@ -670,7 +744,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
+@@ -670,7 +746,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
  		type xdm_t;
  	')
  
@@ -54106,7 +54256,7 @@ index 130ced9..cb751f8 100644
  ')
  
  ########################################
-@@ -688,7 +762,7 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -688,7 +764,7 @@ interface(`xserver_rw_xdm_pipes',`
  		type xdm_t;
  	')
  
@@ -54115,7 +54265,7 @@ index 130ced9..cb751f8 100644
  ')
  
  ########################################
-@@ -703,12 +777,11 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -703,12 +779,11 @@ interface(`xserver_rw_xdm_pipes',`
  ## </param>
  #
  interface(`xserver_dontaudit_rw_xdm_pipes',`
@@ -54129,7 +54279,7 @@ index 130ced9..cb751f8 100644
  ')
  
  ########################################
-@@ -724,11 +797,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
+@@ -724,11 +799,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
  #
  interface(`xserver_stream_connect_xdm',`
  	gen_require(`
@@ -54163,7 +54313,7 @@ index 130ced9..cb751f8 100644
  ')
  
  ########################################
-@@ -765,7 +858,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -765,7 +860,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
  		type xdm_tmp_t;
  	')
  
@@ -54172,7 +54322,7 @@ index 130ced9..cb751f8 100644
  ')
  
  ########################################
-@@ -805,7 +898,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -805,7 +900,26 @@ interface(`xserver_read_xdm_pid',`
  	')
  
  	files_search_pids($1)
@@ -54200,7 +54350,7 @@ index 130ced9..cb751f8 100644
  ')
  
  ########################################
-@@ -897,7 +1009,7 @@ interface(`xserver_getattr_log',`
+@@ -897,7 +1011,7 @@ interface(`xserver_getattr_log',`
  	')
  
  	logging_search_logs($1)
@@ -54209,7 +54359,7 @@ index 130ced9..cb751f8 100644
  ')
  
  ########################################
-@@ -916,7 +1028,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -916,7 +1030,7 @@ interface(`xserver_dontaudit_write_log',`
  		type xserver_log_t;
  	')
  
@@ -54218,7 +54368,7 @@ index 130ced9..cb751f8 100644
  ')
  
  ########################################
-@@ -963,6 +1075,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -963,6 +1077,45 @@ interface(`xserver_read_xkb_libs',`
  
  ########################################
  ## <summary>
@@ -54264,7 +54414,7 @@ index 130ced9..cb751f8 100644
  ##	Read xdm temporary files.
  ## </summary>
  ## <param name="domain">
-@@ -976,7 +1127,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -976,7 +1129,7 @@ interface(`xserver_read_xdm_tmp_files',`
  		type xdm_tmp_t;
  	')
  
@@ -54273,7 +54423,7 @@ index 130ced9..cb751f8 100644
  	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
  ')
  
-@@ -1038,6 +1189,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1038,6 +1191,42 @@ interface(`xserver_manage_xdm_tmp_files',`
  
  ########################################
  ## <summary>
@@ -54316,7 +54466,7 @@ index 130ced9..cb751f8 100644
  ##	Do not audit attempts to get the attributes of
  ##	xdm temporary named sockets.
  ## </summary>
-@@ -1052,7 +1239,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1052,7 +1241,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
  		type xdm_tmp_t;
  	')
  
@@ -54325,7 +54475,7 @@ index 130ced9..cb751f8 100644
  ')
  
  ########################################
-@@ -1070,8 +1257,10 @@ interface(`xserver_domtrans',`
+@@ -1070,8 +1259,10 @@ interface(`xserver_domtrans',`
  		type xserver_t, xserver_exec_t;
  	')
  
@@ -54337,7 +54487,7 @@ index 130ced9..cb751f8 100644
  ')
  
  ########################################
-@@ -1185,6 +1374,26 @@ interface(`xserver_stream_connect',`
+@@ -1185,6 +1376,26 @@ interface(`xserver_stream_connect',`
  
  	files_search_tmp($1)
  	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -54364,7 +54514,7 @@ index 130ced9..cb751f8 100644
  ')
  
  ########################################
-@@ -1210,7 +1419,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1210,7 +1421,7 @@ interface(`xserver_read_tmp_files',`
  ## <summary>
  ##	Interface to provide X object permissions on a given X server to
  ##	an X client domain.  Gives the domain permission to read the
@@ -54373,7 +54523,7 @@ index 130ced9..cb751f8 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1220,13 +1429,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1220,13 +1431,23 @@ interface(`xserver_read_tmp_files',`
  #
  interface(`xserver_manage_core_devices',`
  	gen_require(`
@@ -54398,7 +54548,7 @@ index 130ced9..cb751f8 100644
  ')
  
  ########################################
-@@ -1243,10 +1462,458 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1464,458 @@ interface(`xserver_manage_core_devices',`
  #
  interface(`xserver_unconfined',`
  	gen_require(`
@@ -57695,7 +57845,7 @@ index 354ce93..b8b14b9 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index cc83689..7947c80 100644
+index cc83689..6569096 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -79,6 +79,41 @@ interface(`init_script_domain',`
@@ -57854,7 +58004,7 @@ index cc83689..7947c80 100644
  
  	ifdef(`hide_broken_symptoms',`
  		# RHEL4 systems seem to have a stray
-@@ -353,6 +432,37 @@ interface(`init_system_domain',`
+@@ -353,6 +432,41 @@ interface(`init_system_domain',`
  			kernel_dontaudit_use_fds($1)
  		')
  	')
@@ -57875,6 +58025,10 @@ index cc83689..7947c80 100644
 +	logging_inherit_append_all_logs($1)
 +
 +	optional_policy(`
++		abrt_stream_connect($1)
++	')
++
++	optional_policy(`
 +		cron_rw_pipes($1)
 +	')
 +
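Review bot: The new `abrt_stream_connect($1)` block at the top of this hunk carries no comment explaining why the domain needs to reach abrt's stream socket, and the same grant is added without explanation for the whole `daemon` attribute in init.te and for `$1_usertype` in `userdom_base_user_template` in userdomain.if. Taken together these make the abrt socket connectable from nearly every daemon and user domain, so whatever listens there has to treat every peer as untrusted, and that deserves a recorded justification. I would add a line such as `# abrt: allow connecting to the abrt socket (presumably for crash reporting; confirm)` above each of the three `optional_policy` blocks. The enclosing interface starts and ends outside this hunk, so which interface receives the grant cannot be confirmed from here.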
@@ -57892,7 +58046,7 @@ index cc83689..7947c80 100644
  ')
  
  ########################################
-@@ -401,16 +511,19 @@ interface(`init_system_domain',`
+@@ -401,16 +515,19 @@ interface(`init_system_domain',`
  interface(`init_ranged_system_domain',`
  	gen_require(`
  		type initrc_t;
@@ -57912,7 +58066,7 @@ index cc83689..7947c80 100644
  		mls_rangetrans_target($1)
  	')
  ')
-@@ -451,6 +564,10 @@ interface(`init_exec',`
+@@ -451,6 +568,10 @@ interface(`init_exec',`
  
  	corecmd_search_bin($1)
  	can_exec($1, init_exec_t)
@@ -57923,7 +58077,7 @@ index cc83689..7947c80 100644
  ')
  
  ########################################
-@@ -509,6 +626,24 @@ interface(`init_sigchld',`
+@@ -509,6 +630,24 @@ interface(`init_sigchld',`
  
  ########################################
  ## <summary>
@@ -57948,7 +58102,7 @@ index cc83689..7947c80 100644
  ##	Connect to init with a unix socket.
  ## </summary>
  ## <param name="domain">
-@@ -519,10 +654,29 @@ interface(`init_sigchld',`
+@@ -519,10 +658,29 @@ interface(`init_sigchld',`
  #
  interface(`init_stream_connect',`
  	gen_require(`
@@ -57980,7 +58134,7 @@ index cc83689..7947c80 100644
  ')
  
  ########################################
-@@ -688,19 +842,25 @@ interface(`init_telinit',`
+@@ -688,19 +846,25 @@ interface(`init_telinit',`
  		type initctl_t;
  	')
  
@@ -58007,7 +58161,7 @@ index cc83689..7947c80 100644
  	')
  ')
  
-@@ -730,7 +890,7 @@ interface(`init_rw_initctl',`
+@@ -730,7 +894,7 @@ interface(`init_rw_initctl',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -58016,7 +58170,7 @@ index cc83689..7947c80 100644
  ##	</summary>
  ## </param>
  #
-@@ -773,18 +933,19 @@ interface(`init_script_file_entry_type',`
+@@ -773,18 +937,19 @@ interface(`init_script_file_entry_type',`
  #
  interface(`init_spec_domtrans_script',`
  	gen_require(`
@@ -58040,7 +58194,7 @@ index cc83689..7947c80 100644
  	')
  ')
  
-@@ -800,19 +961,41 @@ interface(`init_spec_domtrans_script',`
+@@ -800,19 +965,41 @@ interface(`init_spec_domtrans_script',`
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -58086,7 +58240,7 @@ index cc83689..7947c80 100644
  ')
  
  ########################################
-@@ -868,9 +1051,14 @@ interface(`init_script_file_domtrans',`
+@@ -868,9 +1055,14 @@ interface(`init_script_file_domtrans',`
  interface(`init_labeled_script_domtrans',`
  	gen_require(`
  		type initrc_t;
@@ -58101,7 +58255,7 @@ index cc83689..7947c80 100644
  	files_search_etc($1)
  ')
  
-@@ -1079,6 +1267,24 @@ interface(`init_read_all_script_files',`
+@@ -1079,6 +1271,24 @@ interface(`init_read_all_script_files',`
  
  #######################################
  ## <summary>
@@ -58126,7 +58280,7 @@ index cc83689..7947c80 100644
  ##	Dontaudit read all init script files.
  ## </summary>
  ## <param name="domain">
-@@ -1130,12 +1336,7 @@ interface(`init_read_script_state',`
+@@ -1130,12 +1340,7 @@ interface(`init_read_script_state',`
  	')
  
  	kernel_search_proc($1)
@@ -58140,7 +58294,7 @@ index cc83689..7947c80 100644
  ')
  
  ########################################
-@@ -1375,6 +1576,27 @@ interface(`init_dbus_send_script',`
+@@ -1375,6 +1580,27 @@ interface(`init_dbus_send_script',`
  ########################################
  ## <summary>
  ##	Send and receive messages from
@@ -58168,7 +58322,7 @@ index cc83689..7947c80 100644
  ##	init scripts over dbus.
  ## </summary>
  ## <param name="domain">
-@@ -1461,6 +1683,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1461,6 +1687,25 @@ interface(`init_getattr_script_status_files',`
  
  ########################################
  ## <summary>
@@ -58194,7 +58348,7 @@ index cc83689..7947c80 100644
  ##	Do not audit attempts to read init script
  ##	status files.
  ## </summary>
-@@ -1519,6 +1760,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1519,6 +1764,24 @@ interface(`init_rw_script_tmp_files',`
  
  ########################################
  ## <summary>
@@ -58219,7 +58373,7 @@ index cc83689..7947c80 100644
  ##	Create files in a init script
  ##	temporary data directory.
  ## </summary>
-@@ -1674,7 +1933,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1674,7 +1937,7 @@ interface(`init_dontaudit_rw_utmp',`
  		type initrc_var_run_t;
  	')
  
@@ -58228,7 +58382,7 @@ index cc83689..7947c80 100644
  ')
  
  ########################################
-@@ -1715,6 +1974,92 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1715,6 +1978,92 @@ interface(`init_pid_filetrans_utmp',`
  	files_pid_filetrans($1, initrc_var_run_t, file)
  ')
  
@@ -58321,7 +58475,7 @@ index cc83689..7947c80 100644
  ########################################
  ## <summary>
  ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1749,3 +2094,156 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +2098,156 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -58479,7 +58633,7 @@ index cc83689..7947c80 100644
 +	read_fifo_files_pattern($1, initrc_var_run_t, initrc_var_run_t)
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index ea29513..822d7a0 100644
+index ea29513..34ac96c 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -58654,7 +58808,7 @@ index ea29513..822d7a0 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +244,121 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +244,122 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -58705,7 +58859,7 @@ index ea29513..822d7a0 100644
 +	files_manage_all_pid_dirs(init_t)
 +	files_relabel_all_pid_dirs(init_t)
 +	files_relabel_all_pid_files(init_t)
-+	files_unlink_all_pid_sockets(init_t)
++	files_delete_all_pid_sockets(init_t)
 +	files_manage_urandom_seed(init_t)
 +	files_list_locks(init_t)
 +	files_create_lock_dirs(init_t)
@@ -58718,7 +58872,8 @@ index ea29513..822d7a0 100644
 +	fs_relabel_tmpfs_dirs(init_t)
 +	fs_relabel_tmpfs_files(init_t)
 +	fs_mount_all_fs(init_t)
-+	fs_remount_autofs(init_t)
++	fs_unmount_all_fs(init_t)
++	fs_remount_all_fs(init_t)
 +	fs_list_auto_mountpoints(init_t)
 +	fs_relabel_cgroup_dirs(init_t)
 +	fs_search_cgroup_dirs(daemon)
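Review bot: Swapping `fs_remount_autofs(init_t)` for `fs_unmount_all_fs(init_t)` plus `fs_remount_all_fs(init_t)` widens init_t from remounting autofs only to unmounting and remounting every filesystem type, and the hunk gives no reason. initrc_t already holds the same pair further down in init.te, so this may simply be alignment, but the reason should be stated next to the rules, e.g. `# init itself now unmounts/remounts filesystems (confirm which code path)`. The block these lines sit in starts outside the hunk, so it is not visible whether the grant is conditional on a tunable; if it is not, it is worth checking that it should be.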
@@ -58776,7 +58931,7 @@ index ea29513..822d7a0 100644
  ')
  
  optional_policy(`
-@@ -199,10 +366,26 @@ optional_policy(`
+@@ -199,10 +367,26 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -58803,7 +58958,7 @@ index ea29513..822d7a0 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -212,7 +395,7 @@ optional_policy(`
+@@ -212,7 +396,7 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -58812,7 +58967,7 @@ index ea29513..822d7a0 100644
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -241,12 +424,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +425,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -58828,7 +58983,7 @@ index ea29513..822d7a0 100644
  
  init_write_initctl(initrc_t)
  
-@@ -258,20 +444,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +445,32 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -58865,7 +59020,7 @@ index ea29513..822d7a0 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +477,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +478,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -58873,7 +59028,7 @@ index ea29513..822d7a0 100644
  dev_write_kmsg(initrc_t)
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
-@@ -289,8 +488,10 @@ dev_write_framebuffer(initrc_t)
+@@ -289,8 +489,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -58884,7 +59039,7 @@ index ea29513..822d7a0 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,13 +499,14 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +500,14 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -58901,7 +59056,7 @@ index ea29513..822d7a0 100644
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -316,6 +518,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +519,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -58909,7 +59064,7 @@ index ea29513..822d7a0 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -323,8 +526,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +527,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -58921,7 +59076,7 @@ index ea29513..822d7a0 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +545,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +546,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -58935,7 +59090,7 @@ index ea29513..822d7a0 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,6 +560,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +561,8 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -58944,7 +59099,7 @@ index ea29513..822d7a0 100644
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -363,6 +574,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +575,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -58952,7 +59107,7 @@ index ea29513..822d7a0 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -374,6 +586,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +587,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -58960,7 +59115,7 @@ index ea29513..822d7a0 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -394,18 +607,17 @@ logging_read_audit_config(initrc_t)
+@@ -394,18 +608,17 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -58982,7 +59137,7 @@ index ea29513..822d7a0 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -458,6 +670,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +671,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -58993,7 +59148,7 @@ index ea29513..822d7a0 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -478,7 +694,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +695,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -59002,7 +59157,7 @@ index ea29513..822d7a0 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -493,6 +709,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +710,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -59010,12 +59165,12 @@ index ea29513..822d7a0 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -522,8 +739,33 @@ ifdef(`distro_redhat',`
+@@ -522,8 +740,33 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
-+        abrt_manage_pid_files(initrc_t)
-+    ')
++	        abrt_manage_pid_files(initrc_t)
++	')
 +
 +	optional_policy(`
  		bind_manage_config_dirs(initrc_t)
@@ -59044,7 +59199,7 @@ index ea29513..822d7a0 100644
  	')
  
  	optional_policy(`
-@@ -531,10 +773,22 @@ ifdef(`distro_redhat',`
+@@ -531,10 +774,22 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -59067,7 +59222,7 @@ index ea29513..822d7a0 100644
  	')
  
  	optional_policy(`
-@@ -549,6 +803,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +804,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -59107,7 +59262,7 @@ index ea29513..822d7a0 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +848,8 @@ optional_policy(`
+@@ -561,6 +849,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -59116,7 +59271,7 @@ index ea29513..822d7a0 100644
  ')
  
  optional_policy(`
-@@ -577,6 +866,7 @@ optional_policy(`
+@@ -577,6 +867,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -59124,7 +59279,7 @@ index ea29513..822d7a0 100644
  ')
  
  optional_policy(`
-@@ -589,6 +879,11 @@ optional_policy(`
+@@ -589,6 +880,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59136,7 +59291,7 @@ index ea29513..822d7a0 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -605,9 +900,13 @@ optional_policy(`
+@@ -605,9 +901,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -59150,7 +59305,7 @@ index ea29513..822d7a0 100644
  	')
  
  	optional_policy(`
-@@ -649,6 +948,11 @@ optional_policy(`
+@@ -649,6 +949,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59162,7 +59317,7 @@ index ea29513..822d7a0 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -706,7 +1010,13 @@ optional_policy(`
+@@ -706,7 +1011,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59176,7 +59331,7 @@ index ea29513..822d7a0 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -729,6 +1039,10 @@ optional_policy(`
+@@ -729,6 +1040,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59187,7 +59342,7 @@ index ea29513..822d7a0 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -738,10 +1052,20 @@ optional_policy(`
+@@ -738,10 +1053,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59208,7 +59363,7 @@ index ea29513..822d7a0 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -750,6 +1074,10 @@ optional_policy(`
+@@ -750,6 +1075,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59219,7 +59374,7 @@ index ea29513..822d7a0 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -771,8 +1099,6 @@ optional_policy(`
+@@ -771,8 +1100,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -59228,7 +59383,7 @@ index ea29513..822d7a0 100644
  ')
  
  optional_policy(`
-@@ -781,14 +1107,21 @@ optional_policy(`
+@@ -781,14 +1108,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59250,7 +59405,7 @@ index ea29513..822d7a0 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -800,7 +1133,6 @@ optional_policy(`
+@@ -800,7 +1134,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59258,7 +59413,7 @@ index ea29513..822d7a0 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_rules_files(initrc_t)
  ')
-@@ -810,11 +1142,24 @@ optional_policy(`
+@@ -810,11 +1143,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59284,7 +59439,7 @@ index ea29513..822d7a0 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -824,6 +1169,25 @@ optional_policy(`
+@@ -824,6 +1170,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -59310,7 +59465,7 @@ index ea29513..822d7a0 100644
  ')
  
  optional_policy(`
-@@ -839,6 +1203,10 @@ optional_policy(`
+@@ -839,6 +1204,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59321,7 +59476,7 @@ index ea29513..822d7a0 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -849,3 +1217,42 @@ optional_policy(`
+@@ -849,3 +1218,45 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -59351,6 +59506,10 @@ index ea29513..822d7a0 100644
 +init_rw_script_stream_sockets(daemon)
 +
 +optional_policy(`
++	abrt_stream_connect(daemon)
++')
++
++optional_policy(`
 +	fail2ban_read_lib_files(daemon)
 +')
 +
@@ -59363,7 +59522,6 @@ index ea29513..822d7a0 100644
 +allow init_t var_run_t:dir relabelto;
 +
 +init_stream_connect(initrc_t)
-+
 diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
 index 07eba2b..a75297a 100644
 --- a/policy/modules/system/ipsec.fc
@@ -60941,7 +61099,7 @@ index c7cfb62..ee89659 100644
  	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 9b5a9ed..e3f0566 100644
+index 9b5a9ed..41ee997 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
 @@ -19,6 +19,11 @@ type auditd_log_t;
@@ -61085,7 +61243,7 @@ index 9b5a9ed..e3f0566 100644
  # setpgid for metalog
  # setrlimit for syslog-ng
 -allow syslogd_t self:process { signal_perms setpgid setrlimit };
-+allow syslogd_t self:process { signal_perms setpgid setsched setrlimit };
++allow syslogd_t self:process { signal_perms setpgid setsched setrlimit setcap getcap };
  # receive messages to be logged
  allow syslogd_t self:unix_dgram_socket create_socket_perms;
  allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
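Review bot: The widened rule `allow syslogd_t self:process { signal_perms setpgid setsched setrlimit setcap getcap };` adds `setcap` and `getcap`, but the comments above it only account for `setpgid` (metalog) and `setrlimit` (syslog-ng). `setcap` lets the daemon change its own capability sets, so a reader auditing syslogd_t will want to know which implementation needs it. I would add `# setcap/getcap for <syslog implementation> (presumably drops capabilities at startup; confirm)` to the comment run above the rule.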
@@ -64350,10 +64508,10 @@ index 0000000..c59c37c
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..c777159
+index 0000000..747aa58
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,190 @@
+@@ -0,0 +1,191 @@
 +
 +policy_module(systemd, 1.0.0)
 +
@@ -64459,7 +64617,8 @@ index 0000000..c777159
 +files_manage_all_pid_dirs(systemd_tmpfiles_t)
 +files_manage_all_locks(systemd_tmpfiles_t)
 +files_setattr_all_tmp_dirs(systemd_tmpfiles_t)
-+files_unlink_all_pid_sockets(systemd_tmpfiles_t)
++files_delete_all_pid_sockets(systemd_tmpfiles_t)
++files_delete_all_pid_pipes(systemd_tmpfiles_t)
 +files_delete_boot_flag(systemd_tmpfiles_t)
 +files_purge_tmp(systemd_tmpfiles_t)
 +files_manage_generic_tmp_files(systemd_tmpfiles_t)
@@ -65735,7 +65894,7 @@ index db75976..392d1ee 100644
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 +HOME_DIR/\.debug(/.*)?	<<none>>
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..35793ae 100644
+index 28b88de..240fa6c 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -65902,12 +66061,16 @@ index 28b88de..35793ae 100644
  
  	tunable_policy(`allow_execmem',`
  		# Allow loading DSOs that require executable stack.
-@@ -116,6 +151,16 @@ template(`userdom_base_user_template',`
+@@ -116,6 +151,20 @@ template(`userdom_base_user_template',`
  		# Allow making the stack executable via mprotect.
  		allow $1_t self:process execstack;
  	')
 +
 +	optional_policy(`
++		abrt_stream_connect($1_usertype)
++	')
++
++	optional_policy(`
 +		fs_list_cgroup_dirs($1_usertype)
 +	')
 +	
@@ -65919,7 +66082,7 @@ index 28b88de..35793ae 100644
  ')
  
  #######################################
-@@ -149,6 +194,8 @@ interface(`userdom_ro_home_role',`
+@@ -149,6 +198,8 @@ interface(`userdom_ro_home_role',`
  		type user_home_t, user_home_dir_t;
  	')
  
@@ -65928,7 +66091,7 @@ index 28b88de..35793ae 100644
  	##############################
  	#
  	# Domain access to home dir
-@@ -166,27 +213,6 @@ interface(`userdom_ro_home_role',`
+@@ -166,27 +217,6 @@ interface(`userdom_ro_home_role',`
  	read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
  	files_list_home($2)
  
@@ -65956,7 +66119,7 @@ index 28b88de..35793ae 100644
  ')
  
  #######################################
-@@ -218,8 +244,11 @@ interface(`userdom_ro_home_role',`
+@@ -218,8 +248,11 @@ interface(`userdom_ro_home_role',`
  interface(`userdom_manage_home_role',`
  	gen_require(`
  		type user_home_t, user_home_dir_t;
@@ -65968,7 +66131,7 @@ index 28b88de..35793ae 100644
  	##############################
  	#
  	# Domain access to home dir
-@@ -228,17 +257,21 @@ interface(`userdom_manage_home_role',`
+@@ -228,17 +261,21 @@ interface(`userdom_manage_home_role',`
  	type_member $2 user_home_dir_t:dir user_home_dir_t;
  
  	# full control of the home directory
@@ -66000,7 +66163,7 @@ index 28b88de..35793ae 100644
  	filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
  	files_list_home($2)
  
-@@ -246,25 +279,23 @@ interface(`userdom_manage_home_role',`
+@@ -246,25 +283,23 @@ interface(`userdom_manage_home_role',`
  	allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
  
  	tunable_policy(`use_nfs_home_dirs',`
@@ -66030,7 +66193,7 @@ index 28b88de..35793ae 100644
  	')
  ')
  
-@@ -286,17 +317,63 @@ interface(`userdom_manage_home_role',`
+@@ -286,17 +321,63 @@ interface(`userdom_manage_home_role',`
  #
  interface(`userdom_manage_tmp_role',`
  	gen_require(`
@@ -66099,7 +66262,7 @@ index 28b88de..35793ae 100644
  ')
  
  #######################################
-@@ -316,6 +393,7 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -316,6 +397,7 @@ interface(`userdom_exec_user_tmp_files',`
  	')
  
  	exec_files_pattern($1, user_tmp_t, user_tmp_t)
@@ -66107,7 +66270,7 @@ index 28b88de..35793ae 100644
  	files_search_tmp($1)
  ')
  
-@@ -347,59 +425,62 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -347,59 +429,62 @@ interface(`userdom_exec_user_tmp_files',`
  #
  interface(`userdom_manage_tmpfs_role',`
  	gen_require(`
@@ -66202,7 +66365,7 @@ index 28b88de..35793ae 100644
  ')
  
  #######################################
-@@ -430,6 +511,7 @@ template(`userdom_xwindows_client_template',`
+@@ -430,6 +515,7 @@ template(`userdom_xwindows_client_template',`
  	dev_dontaudit_rw_dri($1_t)
  	# GNOME checks for usb and other devices:
  	dev_rw_usbfs($1_t)
@@ -66210,7 +66373,7 @@ index 28b88de..35793ae 100644
  
  	xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
  	xserver_xsession_entry_type($1_t)
-@@ -490,7 +572,7 @@ template(`userdom_common_user_template',`
+@@ -490,7 +576,7 @@ template(`userdom_common_user_template',`
  		attribute unpriv_userdomain;
  	')
  
@@ -66219,7 +66382,7 @@ index 28b88de..35793ae 100644
  
  	##############################
  	#
-@@ -500,73 +582,81 @@ template(`userdom_common_user_template',`
+@@ -500,73 +586,81 @@ template(`userdom_common_user_template',`
  	# evolution and gnome-session try to create a netlink socket
  	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
  	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -66241,27 +66404,27 @@ index 28b88de..35793ae 100644
 +	kernel_get_sysvipc_info($1_usertype)
  	# Find CDROM devices:
 -	kernel_read_device_sysctls($1_t)
--
--	corecmd_exec_bin($1_t)
 +	kernel_read_device_sysctls($1_usertype)
 +	kernel_request_load_module($1_usertype)
  
--	corenet_udp_bind_generic_node($1_t)
--	corenet_udp_bind_generic_port($1_t)
+-	corecmd_exec_bin($1_t)
 +	corenet_udp_bind_generic_node($1_usertype)
 +	corenet_udp_bind_generic_port($1_usertype)
  
--	dev_read_rand($1_t)
--	dev_write_sound($1_t)
--	dev_read_sound($1_t)
--	dev_read_sound_mixer($1_t)
--	dev_write_sound_mixer($1_t)
+-	corenet_udp_bind_generic_node($1_t)
+-	corenet_udp_bind_generic_port($1_t)
 +	dev_read_rand($1_usertype)
 +	dev_write_sound($1_usertype)
 +	dev_read_sound($1_usertype)
 +	dev_read_sound_mixer($1_usertype)
 +	dev_write_sound_mixer($1_usertype)
  
+-	dev_read_rand($1_t)
+-	dev_write_sound($1_t)
+-	dev_read_sound($1_t)
+-	dev_read_sound_mixer($1_t)
+-	dev_write_sound_mixer($1_t)
+-
 -	files_exec_etc_files($1_t)
 -	files_search_locks($1_t)
 +	files_exec_etc_files($1_usertype)
@@ -66285,10 +66448,10 @@ index 28b88de..35793ae 100644
 +	fs_read_noxattr_fs_files($1_usertype)
 +	fs_read_noxattr_fs_symlinks($1_usertype)
 +	fs_rw_cgroup_files($1_usertype)
++
++	application_getattr_socket($1_usertype)
  
 -	fs_rw_cgroup_files($1_t)
-+	application_getattr_socket($1_usertype)
-+
 +	logging_send_syslog_msg($1_usertype)
 +	logging_send_audit_msgs($1_usertype)
 +	selinux_get_enforce_mode($1_usertype)
@@ -66340,7 +66503,7 @@ index 28b88de..35793ae 100644
  	')
  
  	tunable_policy(`user_ttyfile_stat',`
-@@ -574,67 +664,123 @@ template(`userdom_common_user_template',`
+@@ -574,67 +668,123 @@ template(`userdom_common_user_template',`
  	')
  
  	optional_policy(`
@@ -66358,19 +66521,19 @@ index 28b88de..35793ae 100644
 +
 +	optional_policy(`
 +		canna_stream_connect($1_usertype)
++	')
++
++	optional_policy(`
++		chrome_role($1_r, $1_usertype)
  	')
  
  	optional_policy(`
 -		canna_stream_connect($1_t)
-+		chrome_role($1_r, $1_usertype)
++		colord_read_lib_files($1_usertype)
  	')
  
  	optional_policy(`
 -		dbus_system_bus_client($1_t)
-+		colord_read_lib_files($1_usertype)
-+	')
-+
-+	optional_policy(`
 +		dbus_system_bus_client($1_usertype)
 +
 +		allow $1_usertype $1_usertype:dbus  send_msg;
@@ -66439,24 +66602,24 @@ index 28b88de..35793ae 100644
 -		inetd_use_fds($1_t)
 -		inetd_rw_tcp_sockets($1_t)
 +		git_session_role($1_r, $1_usertype)
-+	')
-+
-+	optional_policy(`
-+		inetd_use_fds($1_usertype)
-+		inetd_rw_tcp_sockets($1_usertype)
  	')
  
  	optional_policy(`
 -		inn_read_config($1_t)
 -		inn_read_news_lib($1_t)
 -		inn_read_news_spool($1_t)
-+		inn_read_config($1_usertype)
-+		inn_read_news_lib($1_usertype)
-+		inn_read_news_spool($1_usertype)
++		inetd_use_fds($1_usertype)
++		inetd_rw_tcp_sockets($1_usertype)
  	')
  
  	optional_policy(`
 -		locate_read_lib_files($1_t)
++		inn_read_config($1_usertype)
++		inn_read_news_lib($1_usertype)
++		inn_read_news_spool($1_usertype)
++	')
++
++	optional_policy(`
 +		lircd_stream_connect($1_usertype)
 +	')
 +
@@ -66482,7 +66645,7 @@ index 28b88de..35793ae 100644
  	')
  
  	optional_policy(`
-@@ -650,41 +796,50 @@ template(`userdom_common_user_template',`
+@@ -650,41 +800,50 @@ template(`userdom_common_user_template',`
  
  	optional_policy(`
  		# to allow monitoring of pcmcia status
@@ -66514,48 +66677,50 @@ index 28b88de..35793ae 100644
 +	optional_policy(`
 +		rpc_dontaudit_getattr_exports($1_usertype)
 +		rpc_manage_nfs_rw_content($1_usertype)
-+	')
-+
-+	optional_policy(`
-+		rpcbind_stream_connect($1_usertype)
  	')
  
  	optional_policy(`
 -		rpc_dontaudit_getattr_exports($1_t)
 -		rpc_manage_nfs_rw_content($1_t)
-+		samba_stream_connect_winbind($1_usertype)
++		rpcbind_stream_connect($1_usertype)
  	')
  
  	optional_policy(`
 -		samba_stream_connect_winbind($1_t)
-+		sandbox_transition($1_usertype, $1_r)
++		samba_stream_connect_winbind($1_usertype)
  	')
  
  	optional_policy(`
 -		slrnpull_search_spool($1_t)
-+		seunshare_role_template($1, $1_r, $1_t)
++		sandbox_transition($1_usertype, $1_r)
  	')
  
  	optional_policy(`
 -		usernetctl_run($1_t,$1_r)
-+		slrnpull_search_spool($1_usertype)
++		seunshare_role_template($1, $1_r, $1_t)
  	')
 +
++	optional_policy(`
++		slrnpull_search_spool($1_usertype)
++	')
++
  ')
  
  #######################################
-@@ -712,13 +867,26 @@ template(`userdom_login_user_template', `
+@@ -712,13 +871,26 @@ template(`userdom_login_user_template', `
  
  	userdom_base_user_template($1)
  
 -	userdom_manage_home_role($1_r, $1_t)
 +	userdom_manage_home_role($1_r, $1_usertype)
-+
-+	userdom_manage_tmp_role($1_r, $1_usertype)
-+	userdom_manage_tmpfs_role($1_r, $1_usertype)
  
 -	userdom_manage_tmp_role($1_r, $1_t)
 -	userdom_manage_tmpfs_role($1_r, $1_t)
++	userdom_manage_tmp_role($1_r, $1_usertype)
++	userdom_manage_tmpfs_role($1_r, $1_usertype)
+ 
+-	userdom_exec_user_tmp_files($1_t)
+-	userdom_exec_user_home_content_files($1_t)
 +	ifelse(`$1',`unconfined',`',`
 +		gen_tunable(allow_$1_exec_content, true)
 +
@@ -66566,9 +66731,7 @@ index 28b88de..35793ae 100644
 +		tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
 +                        fs_exec_nfs_files($1_usertype)
 +		')
- 
--	userdom_exec_user_tmp_files($1_t)
--	userdom_exec_user_home_content_files($1_t)
++
 +		tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
 +			fs_exec_cifs_files($1_usertype)
 +		')
@@ -66576,7 +66739,7 @@ index 28b88de..35793ae 100644
  
  	userdom_change_password_template($1)
  
-@@ -736,72 +904,71 @@ template(`userdom_login_user_template', `
+@@ -736,72 +908,71 @@ template(`userdom_login_user_template', `
  
  	allow $1_t self:context contains;
  
@@ -66643,10 +66806,10 @@ index 28b88de..35793ae 100644
 -	miscfiles_exec_tetex_data($1_t)
 +	miscfiles_read_tetex_data($1_usertype)
 +	miscfiles_exec_tetex_data($1_usertype)
-+
-+	seutil_read_config($1_usertype)
  
 -	seutil_read_config($1_t)
++	seutil_read_config($1_usertype)
++
 +	optional_policy(`
 +		cups_read_config($1_usertype)
 +		cups_stream_connect($1_usertype)
@@ -66685,7 +66848,7 @@ index 28b88de..35793ae 100644
  	')
  ')
  
-@@ -833,6 +1000,9 @@ template(`userdom_restricted_user_template',`
+@@ -833,6 +1004,9 @@ template(`userdom_restricted_user_template',`
  	typeattribute $1_t unpriv_userdomain;
  	domain_interactive_fd($1_t)
  
@@ -66695,7 +66858,7 @@ index 28b88de..35793ae 100644
  	##############################
  	#
  	# Local policy
-@@ -874,45 +1044,118 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1048,118 @@ template(`userdom_restricted_xwindows_user_template',`
  	#
  
  	auth_role($1_r, $1_t)
@@ -66774,26 +66937,27 @@ index 28b88de..35793ae 100644
 +			consolekit_dontaudit_read_log($1_usertype)
 +			consolekit_dbus_chat($1_usertype)
 +		')
- 
- 		optional_policy(`
--			consolekit_dbus_chat($1_t)
++
++		optional_policy(`
 +			cups_dbus_chat($1_usertype)
 +			cups_dbus_chat_config($1_usertype)
- 		')
++		')
  
  		optional_policy(`
--			cups_dbus_chat($1_t)
+-			consolekit_dbus_chat($1_t)
 +			devicekit_dbus_chat($1_usertype)
 +			devicekit_dbus_chat_disk($1_usertype)
 +			devicekit_dbus_chat_power($1_usertype)
  		')
-+
-+		optional_policy(`
+ 
+ 		optional_policy(`
+-			cups_dbus_chat($1_t)
 +			fprintd_dbus_chat($1_t)
-+		')
-+	')
-+
-+	optional_policy(`
+ 		')
+ 	')
+ 
+ 	optional_policy(`
+-		java_role($1_r, $1_t)
 +		openoffice_role_template($1, $1_r, $1_usertype)
 +	')
 +
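Review bot: `fprintd_dbus_chat($1_t)` is the only call in this run of `optional_policy` blocks that takes `$1_t`; the consolekit, cups and devicekit calls next to it all take `$1_usertype`. Keeping the narrower `$1_t` is the least-privilege choice, so if it is deliberate a one-line comment above it, e.g. `# fprintd is only needed by the login domain itself, not by every $1_usertype`, would stop a later cleanup from widening it. If it is an oversight, it should be made consistent with its neighbours. The enclosing template starts outside this hunk, so the rest of its callers are not visible here.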
@@ -66805,10 +66969,9 @@ index 28b88de..35793ae 100644
 +		pulseaudio_role($1_r, $1_usertype)
 +		pulseaudio_filetrans_admin_home_content($1_usertype)
 +		pulseaudio_filetrans_home_content($1_usertype)
- 	')
- 
- 	optional_policy(`
--		java_role($1_r, $1_t)
++	')
++
++	optional_policy(`
 +		rtkit_scheduled($1_usertype)
  	')
  
@@ -66825,7 +66988,7 @@ index 28b88de..35793ae 100644
  	')
  ')
  
-@@ -947,7 +1190,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1194,7 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -66834,7 +66997,7 @@ index 28b88de..35793ae 100644
  	userdom_common_user_template($1)
  
  	##############################
-@@ -956,54 +1199,83 @@ template(`userdom_unpriv_user_template', `
+@@ -956,54 +1203,83 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -66920,21 +67083,21 @@ index 28b88de..35793ae 100644
 +
 +	optional_policy(`
 +		java_role_template($1, $1_r, $1_t)
-+	')
-+
-+	optional_policy(`
-+		mono_role_template($1, $1_r, $1_t)
  	')
  
 -	# Run pppd in pppd_t by default for user
  	optional_policy(`
 -		ppp_run_cond($1_t,$1_r)
-+		mount_run_fusermount($1_t, $1_r)
-+		mount_read_pid_files($1_t)
++		mono_role_template($1, $1_r, $1_t)
  	')
  
  	optional_policy(`
 -		setroubleshoot_stream_connect($1_t)
++		mount_run_fusermount($1_t, $1_r)
++		mount_read_pid_files($1_t)
++	')
++
++	optional_policy(`
 +		wine_role_template($1, $1_r, $1_t)
 +	')
 +
@@ -66948,7 +67111,7 @@ index 28b88de..35793ae 100644
  	')
  ')
  
-@@ -1039,7 +1311,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1315,7 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -66957,7 +67120,7 @@ index 28b88de..35793ae 100644
  	')
  
  	##############################
-@@ -1066,6 +1338,7 @@ template(`userdom_admin_user_template',`
+@@ -1066,6 +1342,7 @@ template(`userdom_admin_user_template',`
  	#
  
  	allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -66965,7 +67128,7 @@ index 28b88de..35793ae 100644
  	allow $1_t self:process { setexec setfscreate };
  	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
  	allow $1_t self:tun_socket create;
-@@ -1074,6 +1347,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1351,9 @@ template(`userdom_admin_user_template',`
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -66975,7 +67138,7 @@ index 28b88de..35793ae 100644
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1088,6 +1364,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1368,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -66983,7 +67146,7 @@ index 28b88de..35793ae 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1105,10 +1382,13 @@ template(`userdom_admin_user_template',`
+@@ -1105,10 +1386,13 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -66997,7 +67160,7 @@ index 28b88de..35793ae 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1119,17 +1399,22 @@ template(`userdom_admin_user_template',`
+@@ -1119,17 +1403,22 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -67021,7 +67184,7 @@ index 28b88de..35793ae 100644
  
  	auth_getattr_shadow($1_t)
  	# Manage almost all files
-@@ -1141,7 +1426,10 @@ template(`userdom_admin_user_template',`
+@@ -1141,7 +1430,10 @@ template(`userdom_admin_user_template',`
  
  	logging_send_syslog_msg($1_t)
  
@@ -67033,7 +67196,7 @@ index 28b88de..35793ae 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1210,6 +1498,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1502,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -67042,7 +67205,7 @@ index 28b88de..35793ae 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1222,6 +1512,7 @@ template(`userdom_security_admin_template',`
+@@ -1222,6 +1516,7 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -67050,7 +67213,7 @@ index 28b88de..35793ae 100644
  
  	auth_relabel_all_files_except_shadow($1)
  	auth_relabel_shadow($1)
-@@ -1234,11 +1525,22 @@ template(`userdom_security_admin_template',`
+@@ -1234,11 +1529,22 @@ template(`userdom_security_admin_template',`
  	logging_read_audit_config($1)
  
  	seutil_manage_bin_policy($1)
@@ -67073,7 +67236,7 @@ index 28b88de..35793ae 100644
  	optional_policy(`
  		aide_run($1,$2)
  	')
-@@ -1279,11 +1581,60 @@ template(`userdom_security_admin_template',`
+@@ -1279,54 +1585,66 @@ template(`userdom_security_admin_template',`
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -67082,59 +67245,129 @@ index 28b88de..35793ae 100644
  
  	allow $1 user_home_t:filesystem associate;
  	files_type($1)
-+	ubac_constrained($1)
+-	files_poly_member($1)
+ 	ubac_constrained($1)
 +
- 	files_poly_member($1)
++	files_poly_member($1)
 +	typeattribute $1  user_home_type;
-+')
-+
-+########################################
-+## <summary>
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Allow domain to attach to TUN devices created by administrative users.
 +##	Make the specified type usable in a
 +##	generic temporary directory.
-+## </summary>
+ ## </summary>
+-## <param name="domain">
 +## <param name="type">
-+##	<summary>
+ ##	<summary>
+-##	Domain allowed access.
 +##	Type to be used as a file in the
 +##	generic temporary directory.
-+##	</summary>
-+## </param>
-+#
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_attach_admin_tun_iface',`
 +interface(`userdom_user_tmp_content',`
-+	gen_require(`
+ 	gen_require(`
+-		attribute admindomain;
 +		attribute user_tmp_type;
-+	')
-+
+ 	')
+ 
+-	allow $1 admindomain:tun_socket relabelfrom;
+-	allow $1 self:tun_socket relabelto;
 +	typeattribute $1 user_tmp_type;
 +
 +	files_tmp_file($1)
 +	ubac_constrained($1)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Set the attributes of a user pty.
++##	Make the specified type usable in a
++##	generic tmpfs_t directory.
+ ## </summary>
+-## <param name="domain">
++## <param name="type">
+ ##	<summary>
+-##	Domain allowed access.
++##	Type to be used as a file in the
++##	generic temporary directory.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_setattr_user_ptys',`
++interface(`userdom_user_tmpfs_content',`
+ 	gen_require(`
+-		type user_devpts_t;
++		attribute user_tmpfs_type;
+ 	')
+ 
+-	allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
++	typeattribute $1 user_tmpfs_type;
++
++	files_tmpfs_file($1)
++	ubac_constrained($1)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Create a user pty.
++##	Allow domain to attach to TUN devices created by administrative users.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -1334,9 +1652,46 @@ interface(`userdom_setattr_user_ptys',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_create_user_pty',`
++interface(`userdom_attach_admin_tun_iface',`
+ 	gen_require(`
+-		type user_devpts_t;
++		attribute admindomain;
++	')
++
++	allow $1 admindomain:tun_socket relabelfrom;
++	allow $1 self:tun_socket relabelto;
 +')
 +
 +########################################
 +## <summary>
-+##	Make the specified type usable in a
-+##	generic tmpfs_t directory.
++##	Set the attributes of a user pty.
 +## </summary>
-+## <param name="type">
++## <param name="domain">
 +##	<summary>
-+##	Type to be used as a file in the
-+##	generic temporary directory.
++##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
-+interface(`userdom_user_tmpfs_content',`
++interface(`userdom_setattr_user_ptys',`
 +	gen_require(`
-+		attribute user_tmpfs_type;
++		type user_devpts_t;
 +	')
 +
-+	typeattribute $1 user_tmpfs_type;
++	allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
++')
 +
-+	files_tmpfs_file($1)
- 	ubac_constrained($1)
- ')
++########################################
++## <summary>
++##	Create a user pty.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_create_user_pty',`
++	gen_require(`
++		type user_devpts_t;
+ 	')
  
-@@ -1395,6 +1746,7 @@ interface(`userdom_search_user_home_dirs',`
+ 	term_create_pty($1, user_devpts_t)
+@@ -1395,6 +1750,7 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
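Review bot: In `userdom_user_tmpfs_content` the `<param>` text still says "generic temporary directory", apparently copied from `userdom_user_tmp_content`, while the summary and the body (`typeattribute $1 user_tmpfs_type;`, `files_tmpfs_file($1)`) are about tmpfs. I would change the parameter text to `##	Type to be used as a file in the` / `##	generic tmpfs_t directory.` so the generated interface documentation does not describe two different interfaces identically. Every type passed to these interfaces gains an attribute that other rules can target as a group, so the docs are what tells a module author what they are opting into.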
@@ -67142,7 +67375,7 @@ index 28b88de..35793ae 100644
  	files_search_home($1)
  ')
  
-@@ -1441,6 +1793,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1797,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -67157,7 +67390,7 @@ index 28b88de..35793ae 100644
  ')
  
  ########################################
-@@ -1456,9 +1816,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1820,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -67169,7 +67402,7 @@ index 28b88de..35793ae 100644
  ')
  
  ########################################
-@@ -1515,6 +1877,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,6 +1881,42 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -67212,7 +67445,7 @@ index 28b88de..35793ae 100644
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1589,6 +1987,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +1991,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -67221,7 +67454,7 @@ index 28b88de..35793ae 100644
  ')
  
  ########################################
-@@ -1603,10 +2003,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +2007,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -67236,10 +67469,28 @@ index 28b88de..35793ae 100644
  ')
  
  ########################################
-@@ -1649,6 +2051,25 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +2055,43 @@ interface(`userdom_delete_user_home_content_dirs',`
  
  ########################################
  ## <summary>
++##	Delete all directories in a user home subdirectory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_delete_all_user_home_content_dirs',`
++	gen_require(`
++		attribute user_home_type;
++	')
++
++	allow $1 user_home_type:dir delete_dir_perms;
++')
++
++########################################
++## <summary>
 +##	Set the attributes of user home files.
 +## </summary>
 +## <param name="domain">
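Review bot: `userdom_delete_all_user_home_content_dirs` grants `delete_dir_perms` on the `user_home_type` attribute, so the caller may remove directories of every type that was declared through `userdom_user_home_content`, not only `user_home_t`; the summary "Delete all directories in a user home subdirectory" does not make that scope clear. I would spell it out, e.g. `##	Delete directories of every type carrying the user_home_type attribute.`, so that someone auditing a calling module can see how broad the grant is. The same wording issue applies to the `_files`, `_sock_files` and `_symlinks` variants and to `userdom_setattr_all_user_home_content_dirs`, which are added in later hunks of this patch. Callers should carry a short why-comment, since the older per-type interfaces remain available for domains that only need `user_home_t`.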
@@ -67262,7 +67513,33 @@ index 28b88de..35793ae 100644
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -1700,12 +2121,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1668,6 +2111,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+ 
+ ########################################
+ ## <summary>
++##	Set the attributes of all user home directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`userdom_setattr_all_user_home_content_dirs',`
++	gen_require(`
++		attribute user_home_type;
++	')
++
++	allow $1 user_home_type:dir setattr_dir_perms;
++')
++
++########################################
++## <summary>
+ ##	Mmap user home files.
+ ## </summary>
+ ## <param name="domain">
+@@ -1700,12 +2162,32 @@ interface(`userdom_read_user_home_content_files',`
  		type user_home_dir_t, user_home_t;
  	')
  
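Review bot: The summary of `userdom_setattr_all_user_home_content_dirs` says "Set the attributes of all user home directories", but the rule is `allow $1 user_home_type:dir setattr_dir_perms;`, which targets directories of home content types, as the interface name says. Suggest `##	Set the attributes of directories of all user home content types.` so it is not read as covering the home directory type itself. The `## <rolecap/>` tag appears here but on none of the sibling `userdom_delete_all_*` interfaces added by this commit. If it was carried over from the interface this one was modelled on, it should probably be dropped, or added to the siblings if it is intended.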
@@ -67295,7 +67572,7 @@ index 28b88de..35793ae 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1716,11 +2157,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2198,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -67313,10 +67590,28 @@ index 28b88de..35793ae 100644
  ')
  
  ########################################
-@@ -1779,6 +2223,24 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2264,60 @@ interface(`userdom_delete_user_home_content_files',`
  
  ########################################
  ## <summary>
++##	Delete all files in a user home subdirectory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_delete_all_user_home_content_files',`
++	gen_require(`
++		attribute user_home_type;
++	')
++
++	allow $1 user_home_type:file delete_file_perms;
++')
++
++########################################
++## <summary>
 +##	Delete sock files in a user home subdirectory.
 +## </summary>
 +## <param name="domain">
@@ -67335,10 +67630,28 @@ index 28b88de..35793ae 100644
 +
 +########################################
 +## <summary>
++##	Delete all sock files in a user home subdirectory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_delete_all_user_home_content_sock_files',`
++	gen_require(`
++		attribute user_home_type;
++	')
++
++	allow $1 user_home_type:sock_file delete_file_perms;
++')
++
++########################################
++## <summary>
  ##	Do not audit attempts to write user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1810,8 +2272,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2349,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
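Review bot: `userdom_delete_all_user_home_content_sock_files` applies the regular-file permission set to a socket class in `allow $1 user_home_type:sock_file delete_file_perms;`. The symlink variant added by this same commit uses the class-specific set (`delete_lnk_file_perms`), so for consistency this line should read `allow $1 user_home_type:sock_file delete_sock_file_perms;`. The two sets may well expand to the same permissions today, so this is about readability and staying correct if they ever diverge. It is not a functional fix.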
@@ -67348,7 +67661,7 @@ index 28b88de..35793ae 100644
  ')
  
  ########################################
-@@ -1827,20 +2288,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,20 +2365,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -67373,7 +67686,32 @@ index 28b88de..35793ae 100644
  
  ########################################
  ## <summary>
-@@ -2008,7 +2463,7 @@ interface(`userdom_user_home_dir_filetrans',`
+@@ -1941,6 +2473,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+ 
+ ########################################
+ ## <summary>
++##	Delete all symbolic links in a user home directory.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_delete_all_user_home_content_symlinks',`
++	gen_require(`
++		attribute user_home_type;
++	')
++
++	allow $1 user_home_type:lnk_file delete_lnk_file_perms;
++')
++
++########################################
++## <summary>
+ ##	Create, read, write, and delete named pipes
+ ##	in a user home subdirectory.
+ ## </summary>
+@@ -2008,7 +2558,7 @@ interface(`userdom_user_home_dir_filetrans',`
  		type user_home_dir_t;
  	')
  
@@ -67382,7 +67720,7 @@ index 28b88de..35793ae 100644
  	files_search_home($1)
  ')
  
-@@ -2182,7 +2637,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2732,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -67391,7 +67729,7 @@ index 28b88de..35793ae 100644
  ')
  
  ########################################
-@@ -2435,13 +2890,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +2985,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -67407,7 +67745,7 @@ index 28b88de..35793ae 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2462,26 +2918,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +3013,6 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -67434,87 +67772,118 @@ index 28b88de..35793ae 100644
  ##	Get the attributes of a user domain tty.
  ## </summary>
  ## <param name="domain">
-@@ -2572,6 +3008,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2572,7 +3103,7 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
+-##	Read and write a user domain pty.
 +##	Read and write a inherited user domain tty.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -2580,70 +3111,138 @@ interface(`userdom_use_user_ttys',`
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_use_user_ptys',`
 +interface(`userdom_use_inherited_user_ttys',`
-+	gen_require(`
+ 	gen_require(`
+-		type user_devpts_t;
 +		type user_tty_device_t;
-+	')
-+
+ 	')
+ 
+-	allow $1 user_devpts_t:chr_file rw_term_perms;
 +	allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
-+')
-+
-+########################################
-+## <summary>
- ##	Read and write a user domain pty.
- ## </summary>
- ## <param name="domain">
-@@ -2590,22 +3044,34 @@ interface(`userdom_use_user_ptys',`
+ ')
  
  ########################################
  ## <summary>
 -##	Read and write a user TTYs and PTYs.
-+##	Read and write a inherited user domain pty.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`userdom_use_inherited_user_ptys',`
-+	gen_require(`
-+		type user_devpts_t;
-+	')
-+
-+	allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
-+')
-+
-+########################################
-+## <summary>
-+##	Read and write a inherited user TTYs and PTYs.
++##	Read and write a user domain pty.
  ## </summary>
- ## <desc>
- ##	<p>
+-## <desc>
+-##	<p>
 -##	Allow the specified domain to read and write user
-+##	Allow the specified domain to read and write inherited user
- ##	TTYs and PTYs. This will allow the domain to
- ##	interact with the user via the terminal. Typically
- ##	all interactive applications will require this
- ##	access.
- ##	</p>
+-##	TTYs and PTYs. This will allow the domain to
+-##	interact with the user via the terminal. Typically
+-##	all interactive applications will require this
+-##	access.
+-##	</p>
 -##	<p>
 -##	However, this also allows the applications to spy
 -##	on user sessions or inject information into the
 -##	user session.  Thus, this access should likely
 -##	not be allowed for non-interactive domains.
 -##	</p>
- ## </desc>
+-## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2614,14 +3080,33 @@ interface(`userdom_use_user_ptys',`
+ ##	Domain allowed access.
+ ##	</summary>
  ## </param>
- ## <infoflow type="both" weight="10"/>
+-## <infoflow type="both" weight="10"/>
  #
 -interface(`userdom_use_user_terminals',`
-+interface(`userdom_use_inherited_user_terminals',`
++interface(`userdom_use_user_ptys',`
  	gen_require(`
- 		type user_tty_device_t, user_devpts_t;
+-		type user_tty_device_t, user_devpts_t;
++		type user_devpts_t;
  	')
  
 -	allow $1 user_tty_device_t:chr_file rw_term_perms;
--	allow $1 user_devpts_t:chr_file rw_term_perms;
+ 	allow $1 user_devpts_t:chr_file rw_term_perms;
 -	term_list_ptys($1)
+ ')
+ 
+ ########################################
+ ## <summary>
+-##	Do not audit attempts to read and write
+-##	a user domain tty and pty.
++##	Read and write a inherited user domain pty.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+-##	Domain to not audit.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
+-interface(`userdom_dontaudit_use_user_terminals',`
++interface(`userdom_use_inherited_user_ptys',`
+ 	gen_require(`
+-		type user_tty_device_t, user_devpts_t;
++		type user_devpts_t;
+ 	')
+ 
+-	dontaudit $1 user_tty_device_t:chr_file rw_term_perms;
++	allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
++')
++
++########################################
++## <summary>
++##	Read and write a inherited user TTYs and PTYs.
++## </summary>
++## <desc>
++##	<p>
++##	Allow the specified domain to read and write inherited user
++##	TTYs and PTYs. This will allow the domain to
++##	interact with the user via the terminal. Typically
++##	all interactive applications will require this
++##	access.
++##	</p>
++## </desc>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <infoflow type="both" weight="10"/>
++#
++interface(`userdom_use_inherited_user_terminals',`
++	gen_require(`
++		type user_tty_device_t, user_devpts_t;
++	')
++
 +	allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
 +	allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
 +')
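Review bot: The `<desc>` of `userdom_use_inherited_user_terminals` keeps the sentence that interactive applications typically need this access, but has no counterpart to the caution the patch strips from the old text (the paragraph about applications being able to "spy on user sessions or inject information into the user session"). Read/write access to a user's TTY or PTY through an inherited descriptor presumably still permits both, so I would keep a second `<p>` stating that this access should not be granted to non-interactive domains. Whether the re-added `userdom_use_user_terminals` retains that paragraph is not visible in this hunk. Separately, the three new summaries read "a inherited"; use `##	Read and write an inherited user domain tty.` and the same correction for the pty and terminals variants.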
@@ -67537,10 +67906,25 @@ index 28b88de..35793ae 100644
 +
 +    allow $1 user_tty_device_t:chr_file rw_term_perms;
 +    allow $1 user_devpts_t:chr_file rw_term_perms;
- ')
- 
- ########################################
-@@ -2644,6 +3129,25 @@ interface(`userdom_dontaudit_use_user_terminals',`
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to read and write
++##	a user domain tty and pty.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`userdom_dontaudit_use_user_terminals',`
++	gen_require(`
++		type user_tty_device_t, user_devpts_t;
++	')
++
++	dontaudit $1 user_tty_device_t:chr_file rw_term_perms;
  	dontaudit $1 user_devpts_t:chr_file rw_term_perms;
  ')
  
@@ -67566,7 +67950,7 @@ index 28b88de..35793ae 100644
  ########################################
  ## <summary>
  ##	Execute a shell in all user domains.  This
-@@ -2815,7 +3319,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2815,7 +3414,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -67575,7 +67959,7 @@ index 28b88de..35793ae 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2831,11 +3335,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2831,11 +3430,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -67591,7 +67975,7 @@ index 28b88de..35793ae 100644
  ')
  
  ########################################
-@@ -2917,7 +3423,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2917,7 +3518,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -67600,7 +67984,7 @@ index 28b88de..35793ae 100644
  ')
  
  ########################################
-@@ -2972,7 +3478,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2972,7 +3573,45 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -67647,7 +68031,7 @@ index 28b88de..35793ae 100644
  ')
  
  ########################################
-@@ -3009,6 +3553,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3009,6 +3648,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -67655,7 +68039,7 @@ index 28b88de..35793ae 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3087,6 +3632,24 @@ interface(`userdom_signal_all_users',`
+@@ -3087,6 +3727,24 @@ interface(`userdom_signal_all_users',`
  
  ########################################
  ## <summary>
@@ -67680,7 +68064,7 @@ index 28b88de..35793ae 100644
  ##	Send a SIGCHLD signal to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3139,3 +3702,1058 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3139,3 +3797,1058 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ab91b44..e3ae491 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.16
-Release: 29.1%{?dist}
+Release: 30%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -449,6 +449,10 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Mon Jun 27 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-30
+- More fixes
+  * http://git.fedorahosted.org/git/?p=selinux-policy.git
+
 * Thu Jun 16 2011 Dan Walsh <dwalsh@redhat.com> 3.9.16-29.1
 - Fix spec file to not report Verify errors