diff --git a/policy-F16.patch b/policy-F16.patch
index 221fa48..1b5e1ca 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -2873,7 +2873,7 @@ index d5aaf0e..689b2fd 100644
optional_policy(`
mta_send_mail(sxid_t)
diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te
-index 6a5004b..1ef8f1c 100644
+index 6a5004b..de58aeb 100644
--- a/policy/modules/admin/tmpreaper.te
+++ b/policy/modules/admin/tmpreaper.te
@@ -7,6 +7,7 @@ policy_module(tmpreaper, 1.5.0)
@@ -2901,7 +2901,7 @@ index 6a5004b..1ef8f1c 100644
mls_file_read_all_levels(tmpreaper_t)
mls_file_write_all_levels(tmpreaper_t)
-@@ -38,12 +44,15 @@ logging_send_syslog_msg(tmpreaper_t)
+@@ -38,13 +44,17 @@ logging_send_syslog_msg(tmpreaper_t)
miscfiles_read_localization(tmpreaper_t)
miscfiles_delete_man_pages(tmpreaper_t)
@@ -2912,13 +2912,18 @@ index 6a5004b..1ef8f1c 100644
ifdef(`distro_redhat',`
userdom_list_user_home_content(tmpreaper_t)
- userdom_delete_user_home_content_dirs(tmpreaper_t)
- userdom_delete_user_home_content_files(tmpreaper_t)
-+ userdom_delete_user_home_content_sock_files(tmpreaper_t)
- userdom_delete_user_home_content_symlinks(tmpreaper_t)
+- userdom_delete_user_home_content_dirs(tmpreaper_t)
+- userdom_delete_user_home_content_files(tmpreaper_t)
+- userdom_delete_user_home_content_symlinks(tmpreaper_t)
++ userdom_delete_all_user_home_content_dirs(tmpreaper_t)
++ userdom_delete_all_user_home_content_files(tmpreaper_t)
++ userdom_delete_all_user_home_content_sock_files(tmpreaper_t)
++ userdom_delete_all_user_home_content_symlinks(tmpreaper_t)
++ userdom_setattr_all_user_home_content_dirs(tmpreaper_t)
')
-@@ -52,7 +61,9 @@ optional_policy(`
+ optional_policy(`
+@@ -52,7 +62,9 @@ optional_policy(`
')
optional_policy(`
@@ -2928,7 +2933,7 @@ index 6a5004b..1ef8f1c 100644
apache_delete_cache_files(tmpreaper_t)
apache_setattr_cache_dirs(tmpreaper_t)
')
-@@ -66,9 +77,17 @@ optional_policy(`
+@@ -66,9 +78,17 @@ optional_policy(`
')
optional_policy(`
@@ -3543,10 +3548,10 @@ index 0000000..7b1047f
+')
diff --git a/policy/modules/apps/chrome.te b/policy/modules/apps/chrome.te
new file mode 100644
-index 0000000..41336ff
+index 0000000..0fbe8cc
--- /dev/null
+++ b/policy/modules/apps/chrome.te
-@@ -0,0 +1,111 @@
+@@ -0,0 +1,115 @@
+policy_module(chrome,1.0.0)
+
+########################################
@@ -3645,13 +3650,17 @@ index 0000000..41336ff
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_search_nfs(chrome_sandbox_t)
-+ fs_read_inherited_nfs_files(chrome_sandbox_t)
++ fs_exec_nfs_files(chrome_sandbox_t)
++ fs_read_nfs_files(chrome_sandbox_t)
+ fs_read_nfs_symlinks(chrome_sandbox_t)
++ fs_dontaudit_append_nfs_files(chrome_sandbox_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_search_cifs(chrome_sandbox_t)
-+ fs_read_inherited_cifs_files(chrome_sandbox_t)
++ fs_exec_cifs_files(chrome_sandbox_t)
++ fs_read_cifs_files(chrome_sandbox_t)
++ fs_read_cifs_symlinks(chrome_sandbox_t)
+ fs_dontaudit_append_cifs_files(chrome_sandbox_t)
+')
+
@@ -6564,14 +6573,14 @@ index 93ac529..35b51ab 100644
+/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
-index 9a6d67d..5298652 100644
+index 9a6d67d..319aac2 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -29,6 +29,8 @@ interface(`mozilla_role',`
allow mozilla_t $2:process { sigchld signull };
allow mozilla_t $2:unix_stream_socket connectto;
-+ mozilla_run_plugin(mozilla_t, $2)
++ mozilla_run_plugin(mozilla_t, $1)
+
# Allow the user domain to signal/ps.
ps_process_pattern($2, mozilla_t)
@@ -6717,7 +6726,7 @@ index 9a6d67d..5298652 100644
+
+########################################
+##
-+## Delete mozilla_plugin tmpf files
++## Delete mozilla_plugin tmpfs files
+##
+##
+##
@@ -6730,7 +6739,7 @@ index 9a6d67d..5298652 100644
+ type mozilla_plugin_tmpfs_t;
+ ')
+
-+ allow $1 mozilla_plugin_tmpfs_t:file unlink;
++ allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms;
+')
+
+########################################
@@ -6769,7 +6778,7 @@ index 9a6d67d..5298652 100644
+ dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
+')
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
-index 2a91fa8..b231fab 100644
+index 2a91fa8..50e279c 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -7,7 +7,7 @@ policy_module(mozilla, 2.3.0)
@@ -6857,7 +6866,7 @@ index 2a91fa8..b231fab 100644
pulseaudio_exec(mozilla_t)
pulseaudio_stream_connect(mozilla_t)
pulseaudio_manage_home_files(mozilla_t)
-@@ -266,3 +288,198 @@ optional_policy(`
+@@ -266,3 +288,214 @@ optional_policy(`
optional_policy(`
thunderbird_domtrans(mozilla_t)
')
@@ -6878,6 +6887,7 @@ index 2a91fa8..b231fab 100644
+allow mozilla_plugin_t self:sem create_sem_perms;
+allow mozilla_plugin_t self:shm create_shm_perms;
+allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
++allow mozilla_plugin_t self:unix_dgram_socket sendto;
+allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
+
+can_exec(mozilla_plugin_t, mozilla_home_t)
@@ -6886,8 +6896,9 @@ index 2a91fa8..b231fab 100644
+manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
+manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
-+files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
-+userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
++manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
++files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
++userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
+can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)
+
+manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
@@ -6991,6 +7002,11 @@ index 2a91fa8..b231fab 100644
+')
+
+optional_policy(`
++ consolekit_dbus_chat(mozilla_plugin_t)
++')
++
++optional_policy(`
++ dbus_connect_session_bus(mozilla_plugin_t)
+ dbus_system_bus_client(mozilla_plugin_t)
+ dbus_session_bus_client(mozilla_plugin_t)
+ dbus_read_lib_files(mozilla_plugin_t)
@@ -7030,6 +7046,7 @@ index 2a91fa8..b231fab 100644
+ pulseaudio_stream_connect(mozilla_plugin_t)
+ pulseaudio_setattr_home_dir(mozilla_plugin_t)
+ pulseaudio_manage_home_files(mozilla_plugin_t)
++ pulseaudio_manage_home_symlinks(mozilla_plugin_t)
+')
+
+optional_policy(`
@@ -7037,6 +7054,14 @@ index 2a91fa8..b231fab 100644
+')
+
+optional_policy(`
++ rtkit_scheduled(mozilla_plugin_t)
++')
++
++optional_policy(`
++ udev_read_db(mozilla_plugin_t)
++')
++
++optional_policy(`
+ xserver_read_xdm_pid(mozilla_plugin_t)
+ xserver_stream_connect(mozilla_plugin_t)
+ xserver_use_user_fonts(mozilla_plugin_t)
@@ -8309,7 +8334,7 @@ index 84f23dc..af5b87d 100644
/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if
-index 2ba7787..fe1284b 100644
+index 2ba7787..9a5e99c 100644
--- a/policy/modules/apps/pulseaudio.if
+++ b/policy/modules/apps/pulseaudio.if
@@ -17,7 +17,7 @@
@@ -8348,13 +8373,33 @@ index 2ba7787..fe1284b 100644
userdom_search_user_home_dirs($1)
')
-@@ -256,3 +262,43 @@ interface(`pulseaudio_manage_home_files',`
+@@ -256,3 +262,63 @@ interface(`pulseaudio_manage_home_files',`
manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
')
+
+########################################
+##
++## Create, read, write, and delete pulseaudio
++## home directory symlinks.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`pulseaudio_manage_home_symlinks',`
++ gen_require(`
++ type pulseaudio_home_t;
++ ')
++
++ userdom_search_user_home_dirs($1)
++ manage_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
++')
++
++########################################
++##
+## Create pulseaudio content in the user home directory
+## with an correct label.
+##
@@ -8393,7 +8438,7 @@ index 2ba7787..fe1284b 100644
+ userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
+')
diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
-index c2d20a2..e5d85d1 100644
+index c2d20a2..8610868 100644
--- a/policy/modules/apps/pulseaudio.te
+++ b/policy/modules/apps/pulseaudio.te
@@ -44,6 +44,7 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -8438,7 +8483,7 @@ index c2d20a2..e5d85d1 100644
optional_policy(`
bluetooth_stream_connect(pulseaudio_t)
-@@ -127,10 +127,23 @@ optional_policy(`
+@@ -127,10 +127,24 @@ optional_policy(`
')
optional_policy(`
@@ -8451,6 +8496,7 @@ index c2d20a2..e5d85d1 100644
')
optional_policy(`
++ mozilla_plugin_delete_tmpfs_files(pulseaudio_t)
+ mozilla_plugin_read_tmpfs_files(pulseaudio_t)
+')
+
@@ -8462,7 +8508,7 @@ index c2d20a2..e5d85d1 100644
policykit_domtrans_auth(pulseaudio_t)
policykit_read_lib(pulseaudio_t)
policykit_read_reload(pulseaudio_t)
-@@ -148,3 +161,7 @@ optional_policy(`
+@@ -148,3 +162,7 @@ optional_policy(`
xserver_read_xdm_pid(pulseaudio_t)
xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
')
@@ -14242,7 +14288,7 @@ index aad8c52..53b0624 100644
+ dontaudit $1 domain:socket_class_set { read write };
')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
-index bc534c1..6190297 100644
+index bc534c1..0ffb0e4 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -4,6 +4,21 @@ policy_module(domain, 1.9.0)
@@ -14335,7 +14381,7 @@ index bc534c1..6190297 100644
# Act upon any other process.
allow unconfined_domain_type domain:process ~{ transition dyntransition execmem execstack execheap };
-@@ -160,3 +197,89 @@ allow unconfined_domain_type domain:key *;
+@@ -160,3 +197,88 @@ allow unconfined_domain_type domain:key *;
# receive from all domains over labeled networking
domain_all_recvfrom_all_domains(unconfined_domain_type)
@@ -14367,7 +14413,6 @@ index bc534c1..6190297 100644
+ abrt_read_pid_files(domain)
+ abrt_read_state(domain)
+ abrt_signull(domain)
-+ abrt_stream_connect(domain)
+')
+
+optional_policy(`
@@ -14568,7 +14613,7 @@ index 16108f6..d993f7e 100644
+/nsr(/.*)? gen_context(system_u:object_r:var_t,s0)
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index 958ca84..473eacc 100644
+index 958ca84..62352ec 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1053,10 +1053,8 @@ interface(`files_relabel_all_files',`
@@ -15635,7 +15680,7 @@ index 958ca84..473eacc 100644
')
########################################
-@@ -5542,6 +6166,62 @@ interface(`files_dontaudit_ioctl_all_pids',`
+@@ -5542,6 +6166,80 @@ interface(`files_dontaudit_ioctl_all_pids',`
########################################
##
@@ -15665,7 +15710,7 @@ index 958ca84..473eacc 100644
+##
+##
+#
-+interface(`files_unlink_all_pid_sockets',`
++interface(`files_delete_all_pid_sockets',`
+ gen_require(`
+ attribute pidfile;
+ ')
@@ -15675,6 +15720,24 @@ index 958ca84..473eacc 100644
+
+########################################
+##
++## Delete all pid named pipes
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`files_delete_all_pid_pipes',`
++ gen_require(`
++ attribute pidfile;
++ ')
++
++ allow $1 pidfile:fifo_file delete_fifo_file_perms;
++')
++
++########################################
++##
+## manage all pidfile directories
+## in the /var/run directory.
+##
@@ -15698,7 +15761,7 @@ index 958ca84..473eacc 100644
## Read all process ID files.
##
##
-@@ -5559,6 +6239,44 @@ interface(`files_read_all_pids',`
+@@ -5559,6 +6257,44 @@ interface(`files_read_all_pids',`
list_dirs_pattern($1, var_t, pidfile)
read_files_pattern($1, pidfile, pidfile)
@@ -15743,7 +15806,7 @@ index 958ca84..473eacc 100644
')
########################################
-@@ -5769,7 +6487,7 @@ interface(`files_spool_filetrans',`
+@@ -5769,7 +6505,7 @@ interface(`files_spool_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
@@ -15752,7 +15815,7 @@ index 958ca84..473eacc 100644
')
########################################
-@@ -5844,3 +6562,284 @@ interface(`files_unconfined',`
+@@ -5844,3 +6580,284 @@ interface(`files_unconfined',`
typeattribute $1 files_unconfined_type;
')
@@ -17364,7 +17427,7 @@ index 0e5b661..3168d72 100644
+attribute mcsuntrustedproc;
+attribute mcsnetwrite;
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
-index 786449a..15368b1 100644
+index 786449a..23a065c 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',`
@@ -17416,16 +17479,15 @@ index 786449a..15368b1 100644
allow $1 security_t:filesystem unmount;
')
-@@ -220,6 +225,8 @@ interface(`selinux_search_fs',`
+@@ -220,6 +225,7 @@ interface(`selinux_search_fs',`
type security_t;
')
-+ fs_getattr_xattr_fs($1)
+ dev_search_sysfs($1)
allow $1 security_t:dir search_dir_perms;
')
-@@ -243,6 +250,26 @@ interface(`selinux_dontaudit_search_fs',`
+@@ -243,6 +249,26 @@ interface(`selinux_dontaudit_search_fs',`
########################################
##
@@ -17452,7 +17514,7 @@ index 786449a..15368b1 100644
## Do not audit attempts to read
## generic selinuxfs entries
##
-@@ -257,6 +284,7 @@ interface(`selinux_dontaudit_read_fs',`
+@@ -257,6 +283,7 @@ interface(`selinux_dontaudit_read_fs',`
type security_t;
')
@@ -17460,7 +17522,7 @@ index 786449a..15368b1 100644
dontaudit $1 security_t:dir search_dir_perms;
dontaudit $1 security_t:file read_file_perms;
')
-@@ -278,6 +306,7 @@ interface(`selinux_get_enforce_mode',`
+@@ -278,6 +305,7 @@ interface(`selinux_get_enforce_mode',`
type security_t;
')
@@ -17468,7 +17530,7 @@ index 786449a..15368b1 100644
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file read_file_perms;
')
-@@ -311,6 +340,7 @@ interface(`selinux_set_enforce_mode',`
+@@ -311,6 +339,7 @@ interface(`selinux_set_enforce_mode',`
bool secure_mode_policyload;
')
@@ -17476,7 +17538,7 @@ index 786449a..15368b1 100644
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
typeattribute $1 can_setenforce;
-@@ -342,6 +372,7 @@ interface(`selinux_load_policy',`
+@@ -342,6 +371,7 @@ interface(`selinux_load_policy',`
bool secure_mode_policyload;
')
@@ -17484,7 +17546,7 @@ index 786449a..15368b1 100644
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
typeattribute $1 can_load_policy;
-@@ -358,6 +389,27 @@ interface(`selinux_load_policy',`
+@@ -358,6 +388,27 @@ interface(`selinux_load_policy',`
########################################
##
@@ -17512,7 +17574,7 @@ index 786449a..15368b1 100644
## Allow caller to set the state of Booleans to
## enable or disable conditional portions of the policy. (Deprecated)
##
-@@ -416,6 +468,7 @@ interface(`selinux_set_generic_booleans',`
+@@ -416,6 +467,7 @@ interface(`selinux_set_generic_booleans',`
bool secure_mode_policyload;
')
@@ -17520,7 +17582,7 @@ index 786449a..15368b1 100644
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
-@@ -458,7 +511,9 @@ interface(`selinux_set_all_booleans',`
+@@ -458,7 +510,9 @@ interface(`selinux_set_all_booleans',`
bool secure_mode_policyload;
')
@@ -17530,7 +17592,7 @@ index 786449a..15368b1 100644
allow $1 boolean_type:file rw_file_perms;
if(!secure_mode_policyload) {
-@@ -499,6 +554,7 @@ interface(`selinux_set_parameters',`
+@@ -499,6 +553,7 @@ interface(`selinux_set_parameters',`
attribute can_setsecparam;
')
@@ -17538,7 +17600,7 @@ index 786449a..15368b1 100644
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security setsecparam;
-@@ -522,6 +578,7 @@ interface(`selinux_validate_context',`
+@@ -522,6 +577,7 @@ interface(`selinux_validate_context',`
type security_t;
')
@@ -17546,7 +17608,7 @@ index 786449a..15368b1 100644
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security check_context;
-@@ -564,6 +621,7 @@ interface(`selinux_compute_access_vector',`
+@@ -564,6 +620,7 @@ interface(`selinux_compute_access_vector',`
type security_t;
')
@@ -17554,7 +17616,7 @@ index 786449a..15368b1 100644
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_av;
-@@ -585,6 +643,7 @@ interface(`selinux_compute_create_context',`
+@@ -585,6 +642,7 @@ interface(`selinux_compute_create_context',`
type security_t;
')
@@ -17562,7 +17624,7 @@ index 786449a..15368b1 100644
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_create;
-@@ -606,6 +665,7 @@ interface(`selinux_compute_member',`
+@@ -606,6 +664,7 @@ interface(`selinux_compute_member',`
type security_t;
')
@@ -17570,7 +17632,7 @@ index 786449a..15368b1 100644
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_member;
-@@ -635,6 +695,7 @@ interface(`selinux_compute_relabel_context',`
+@@ -635,6 +694,7 @@ interface(`selinux_compute_relabel_context',`
type security_t;
')
@@ -17578,7 +17640,7 @@ index 786449a..15368b1 100644
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_relabel;
-@@ -655,6 +716,7 @@ interface(`selinux_compute_user_contexts',`
+@@ -655,6 +715,7 @@ interface(`selinux_compute_user_contexts',`
type security_t;
')
@@ -17586,7 +17648,7 @@ index 786449a..15368b1 100644
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_user;
-@@ -677,3 +739,24 @@ interface(`selinux_unconfined',`
+@@ -677,3 +738,24 @@ interface(`selinux_unconfined',`
typeattribute $1 selinux_unconfined_type;
')
@@ -18040,7 +18102,7 @@ index 3994e57..a1923fe 100644
+
+/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index f3acfee..70c384c 100644
+index f3acfee..590c2c0 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -208,6 +208,27 @@ interface(`term_use_all_terms',`
@@ -18079,7 +18141,7 @@ index f3acfee..70c384c 100644
#
interface(`term_use_console',`
gen_require(`
-@@ -299,9 +319,11 @@ interface(`term_use_console',`
+@@ -299,9 +319,12 @@ interface(`term_use_console',`
interface(`term_dontaudit_use_console',`
gen_require(`
type console_device_t;
@@ -18087,12 +18149,13 @@ index f3acfee..70c384c 100644
')
- dontaudit $1 console_device_t:chr_file rw_chr_file_perms;
++ init_dontaudit_use_fds($1)
+ dontaudit $1 console_device_t:chr_file rw_inherited_chr_file_perms;
+ dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
')
########################################
-@@ -341,7 +363,7 @@ interface(`term_relabel_console',`
+@@ -341,7 +364,7 @@ interface(`term_relabel_console',`
')
dev_list_all_dev_nodes($1)
@@ -18101,7 +18164,7 @@ index f3acfee..70c384c 100644
')
########################################
-@@ -462,6 +484,24 @@ interface(`term_list_ptys',`
+@@ -462,6 +485,24 @@ interface(`term_list_ptys',`
########################################
##
@@ -18126,7 +18189,15 @@ index f3acfee..70c384c 100644
## Do not audit attempts to read the
## /dev/pts directory.
##
-@@ -658,6 +698,25 @@ interface(`term_use_controlling_term',`
+@@ -616,6 +657,7 @@ interface(`term_dontaudit_use_generic_ptys',`
+ type devpts_t;
+ ')
+
++ init_dontaudit_use_fds($1)
+ dontaudit $1 devpts_t:chr_file { getattr read write ioctl };
+ ')
+
+@@ -658,6 +700,25 @@ interface(`term_use_controlling_term',`
allow $1 devtty_t:chr_file { rw_term_perms lock append };
')
@@ -18152,7 +18223,7 @@ index f3acfee..70c384c 100644
########################################
##
## Do not audit attempts to get attributes
-@@ -842,6 +901,26 @@ interface(`term_use_all_ptys',`
+@@ -842,6 +903,26 @@ interface(`term_use_all_ptys',`
########################################
##
@@ -18179,7 +18250,7 @@ index f3acfee..70c384c 100644
## Do not audit attempts to read or write any ptys.
##
##
-@@ -855,7 +934,7 @@ interface(`term_dontaudit_use_all_ptys',`
+@@ -855,7 +936,7 @@ interface(`term_dontaudit_use_all_ptys',`
attribute ptynode;
')
@@ -18188,7 +18259,7 @@ index f3acfee..70c384c 100644
')
########################################
-@@ -903,7 +982,7 @@ interface(`term_getattr_all_user_ptys',`
+@@ -903,7 +984,7 @@ interface(`term_getattr_all_user_ptys',`
##
##
##
@@ -18197,7 +18268,7 @@ index f3acfee..70c384c 100644
##
##
#
-@@ -1123,7 +1202,7 @@ interface(`term_relabel_unallocated_ttys',`
+@@ -1123,7 +1204,7 @@ interface(`term_relabel_unallocated_ttys',`
')
dev_list_all_dev_nodes($1)
@@ -18206,16 +18277,17 @@ index f3acfee..70c384c 100644
')
########################################
-@@ -1222,7 +1301,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1222,7 +1303,8 @@ interface(`term_dontaudit_use_unallocated_ttys',`
type tty_device_t;
')
- dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
++ init_dontaudit_use_fds($1)
+ dontaudit $1 tty_device_t:chr_file rw_inherited_chr_file_perms;
')
########################################
-@@ -1238,11 +1317,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1238,11 +1320,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
#
interface(`term_getattr_all_ttys',`
gen_require(`
@@ -18229,7 +18301,7 @@ index f3acfee..70c384c 100644
')
########################################
-@@ -1259,10 +1340,12 @@ interface(`term_getattr_all_ttys',`
+@@ -1259,10 +1343,12 @@ interface(`term_getattr_all_ttys',`
interface(`term_dontaudit_getattr_all_ttys',`
gen_require(`
attribute ttynode;
@@ -18242,7 +18314,7 @@ index f3acfee..70c384c 100644
')
########################################
-@@ -1301,7 +1384,7 @@ interface(`term_relabel_all_ttys',`
+@@ -1301,7 +1387,7 @@ interface(`term_relabel_all_ttys',`
')
dev_list_all_dev_nodes($1)
@@ -18251,7 +18323,7 @@ index f3acfee..70c384c 100644
')
########################################
-@@ -1340,7 +1423,27 @@ interface(`term_use_all_ttys',`
+@@ -1340,7 +1426,27 @@ interface(`term_use_all_ttys',`
')
dev_list_all_dev_nodes($1)
@@ -18280,7 +18352,7 @@ index f3acfee..70c384c 100644
')
########################################
-@@ -1359,7 +1462,7 @@ interface(`term_dontaudit_use_all_ttys',`
+@@ -1359,7 +1465,7 @@ interface(`term_dontaudit_use_all_ttys',`
attribute ttynode;
')
@@ -18289,7 +18361,7 @@ index f3acfee..70c384c 100644
')
########################################
-@@ -1467,7 +1570,7 @@ interface(`term_use_all_user_ttys',`
+@@ -1467,7 +1573,7 @@ interface(`term_use_all_user_ttys',`
##
##
##
@@ -18298,7 +18370,7 @@ index f3acfee..70c384c 100644
##
##
#
-@@ -1475,3 +1578,392 @@ interface(`term_dontaudit_use_all_user_ttys',`
+@@ -1475,3 +1581,393 @@ interface(`term_dontaudit_use_all_user_ttys',`
refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
term_dontaudit_use_all_ttys($1)
')
@@ -18628,6 +18700,7 @@ index f3acfee..70c384c 100644
+ dev_filetrans($1, tty_device_t, chr_file, "isdn7")
+ dev_filetrans($1, tty_device_t, chr_file, "isdn8")
+ dev_filetrans($1, tty_device_t, chr_file, "isdn9")
++ #filetrans_pattern($1, devpts_t, chr_file, "ptmx")
+ dev_filetrans($1, ptmx_t, chr_file, "ptmx")
+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm0")
+ dev_filetrans($1, tty_device_t, chr_file, "rfcomm1")
@@ -21055,10 +21128,21 @@ index e88b95f..4b5f106 100644
-#gen_user(xguest_u,, xguest_r, s0, s0)
+gen_user(xguest_u, user, xguest_r, s0, s0)
diff --git a/policy/modules/services/abrt.fc b/policy/modules/services/abrt.fc
-index 1bd5812..b4d006a 100644
+index 1bd5812..7112560 100644
--- a/policy/modules/services/abrt.fc
+++ b/policy/modules/services/abrt.fc
-@@ -15,6 +15,21 @@
+@@ -3,8 +3,9 @@
+
+ /usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+
+-/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
++/usr/libexec/abrt-hook-ccpp -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+ /usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
++/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
+
+ /usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
+
+@@ -15,6 +16,21 @@
/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
@@ -21280,7 +21364,7 @@ index 0b827c5..7382308 100644
+ read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
+')
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..2f6627b 100644
+index 30861ec..28604d3 100644
--- a/policy/modules/services/abrt.te
+++ b/policy/modules/services/abrt.te
@@ -5,6 +5,14 @@ policy_module(abrt, 1.2.0)
@@ -21331,7 +21415,7 @@ index 30861ec..2f6627b 100644
#
-allow abrt_t self:capability { chown kill setuid setgid sys_nice dac_override };
-+allow abrt_t self:capability { fowner chown kill setuid setgid sys_nice dac_override };
++allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
dontaudit abrt_t self:capability sys_rawio;
-allow abrt_t self:process { signal signull setsched getsched };
+allow abrt_t self:process { sigkill signal signull setsched getsched };
@@ -21363,7 +21447,15 @@ index 30861ec..2f6627b 100644
kernel_read_ring_buffer(abrt_t)
kernel_read_system_state(abrt_t)
-@@ -113,7 +146,8 @@ domain_read_all_domains_state(abrt_t)
+@@ -104,6 +137,7 @@ corenet_tcp_connect_all_ports(abrt_t)
+ corenet_sendrecv_http_client_packets(abrt_t)
+
+ dev_getattr_all_chr_files(abrt_t)
++dev_read_rand(abrt_t)
+ dev_read_urand(abrt_t)
+ dev_rw_sysfs(abrt_t)
+ dev_dontaudit_read_raw_memory(abrt_t)
+@@ -113,7 +147,8 @@ domain_read_all_domains_state(abrt_t)
domain_signull_all_domains(abrt_t)
files_getattr_all_files(abrt_t)
@@ -21373,7 +21465,7 @@ index 30861ec..2f6627b 100644
files_read_var_symlinks(abrt_t)
files_read_var_lib_files(abrt_t)
files_read_usr_files(abrt_t)
-@@ -121,6 +155,8 @@ files_read_generic_tmp_files(abrt_t)
+@@ -121,6 +156,8 @@ files_read_generic_tmp_files(abrt_t)
files_read_kernel_modules(abrt_t)
files_dontaudit_list_default(abrt_t)
files_dontaudit_read_default_files(abrt_t)
@@ -21382,7 +21474,7 @@ index 30861ec..2f6627b 100644
fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
-@@ -131,7 +167,7 @@ fs_read_nfs_files(abrt_t)
+@@ -131,7 +168,7 @@ fs_read_nfs_files(abrt_t)
fs_read_nfs_symlinks(abrt_t)
fs_search_all(abrt_t)
@@ -21391,7 +21483,7 @@ index 30861ec..2f6627b 100644
logging_read_generic_logs(abrt_t)
logging_send_syslog_msg(abrt_t)
-@@ -140,6 +176,15 @@ miscfiles_read_generic_certs(abrt_t)
+@@ -140,6 +177,16 @@ miscfiles_read_generic_certs(abrt_t)
miscfiles_read_localization(abrt_t)
userdom_dontaudit_read_user_home_content_files(abrt_t)
@@ -21402,12 +21494,13 @@ index 30861ec..2f6627b 100644
+')
+
+optional_policy(`
++ apache_list_modules(abrt_t)
+ apache_read_modules(abrt_t)
+')
optional_policy(`
dbus_system_domain(abrt_t, abrt_exec_t)
-@@ -150,6 +195,11 @@ optional_policy(`
+@@ -150,6 +197,11 @@ optional_policy(`
')
optional_policy(`
@@ -21419,7 +21512,7 @@ index 30861ec..2f6627b 100644
policykit_dbus_chat(abrt_t)
policykit_domtrans_auth(abrt_t)
policykit_read_lib(abrt_t)
-@@ -167,6 +217,7 @@ optional_policy(`
+@@ -167,6 +219,7 @@ optional_policy(`
rpm_exec(abrt_t)
rpm_dontaudit_manage_db(abrt_t)
rpm_manage_cache(abrt_t)
@@ -21427,7 +21520,7 @@ index 30861ec..2f6627b 100644
rpm_manage_pid_files(abrt_t)
rpm_read_db(abrt_t)
rpm_signull(abrt_t)
-@@ -178,12 +229,18 @@ optional_policy(`
+@@ -178,12 +231,18 @@ optional_policy(`
')
optional_policy(`
@@ -21447,7 +21540,7 @@ index 30861ec..2f6627b 100644
#
allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -203,6 +260,7 @@ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
+@@ -203,6 +262,7 @@ read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
domain_read_all_domains_state(abrt_helper_t)
files_read_etc_files(abrt_helper_t)
@@ -21455,7 +21548,7 @@ index 30861ec..2f6627b 100644
fs_list_inotifyfs(abrt_helper_t)
fs_getattr_all_fs(abrt_helper_t)
-@@ -216,7 +274,8 @@ miscfiles_read_localization(abrt_helper_t)
+@@ -216,7 +276,8 @@ miscfiles_read_localization(abrt_helper_t)
term_dontaudit_use_all_ttys(abrt_helper_t)
term_dontaudit_use_all_ptys(abrt_helper_t)
@@ -21465,7 +21558,7 @@ index 30861ec..2f6627b 100644
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +283,100 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +285,100 @@ ifdef(`hide_broken_symptoms', `
dev_dontaudit_write_all_chr_files(abrt_helper_t)
dev_dontaudit_write_all_blk_files(abrt_helper_t)
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -24443,10 +24536,10 @@ index 44a1e3d..7e9d2fb 100644
files_list_pids($1)
admin_pattern($1, named_var_run_t)
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
-index 4deca04..256bd70 100644
+index 4deca04..be16209 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
-@@ -6,10 +6,17 @@ policy_module(bind, 1.11.0)
+@@ -6,16 +6,24 @@ policy_module(bind, 1.11.0)
#
##
@@ -24468,7 +24561,14 @@ index 4deca04..256bd70 100644
##
gen_tunable(named_write_master_zones, false)
-@@ -27,7 +34,7 @@ init_system_domain(named_t, named_checkconf_exec_t)
+ # for DNSSEC key files
+ type dnssec_t;
+ files_security_file(dnssec_t)
++files_mountpoint(dnssec_t)
+
+ type named_t;
+ type named_exec_t;
+@@ -27,7 +35,7 @@ init_system_domain(named_t, named_checkconf_exec_t)
# A type for configuration files of named.
type named_conf_t;
@@ -24477,7 +24577,7 @@ index 4deca04..256bd70 100644
files_mountpoint(named_conf_t)
# for secondary zone files
-@@ -89,9 +96,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
+@@ -89,9 +97,10 @@ manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
manage_files_pattern(named_t, named_tmp_t, named_tmp_t)
files_tmp_filetrans(named_t, named_tmp_t, { file dir })
@@ -24489,7 +24589,7 @@ index 4deca04..256bd70 100644
# read zone files
allow named_t named_zone_t:dir list_dir_perms;
-@@ -147,6 +155,10 @@ miscfiles_read_generic_certs(named_t)
+@@ -147,6 +156,10 @@ miscfiles_read_generic_certs(named_t)
userdom_dontaudit_use_unpriv_user_fds(named_t)
userdom_dontaudit_search_user_home_dirs(named_t)
@@ -24500,7 +24600,7 @@ index 4deca04..256bd70 100644
tunable_policy(`named_write_master_zones',`
manage_dirs_pattern(named_t, named_zone_t, named_zone_t)
manage_files_pattern(named_t, named_zone_t, named_zone_t)
-@@ -201,12 +213,12 @@ allow ndc_t self:tcp_socket create_socket_perms;
+@@ -201,12 +214,12 @@ allow ndc_t self:tcp_socket create_socket_perms;
allow ndc_t self:netlink_route_socket r_netlink_socket_perms;
allow ndc_t dnssec_t:file read_file_perms;
@@ -24515,7 +24615,7 @@ index 4deca04..256bd70 100644
allow ndc_t named_zone_t:dir search_dir_perms;
-@@ -238,13 +250,13 @@ miscfiles_read_localization(ndc_t)
+@@ -238,13 +251,13 @@ miscfiles_read_localization(ndc_t)
sysnet_read_config(ndc_t)
sysnet_dns_name_resolve(ndc_t)
@@ -27575,10 +27675,10 @@ index 0000000..939d76e
+')
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
new file mode 100644
-index 0000000..760d092
+index 0000000..08d2de0
--- /dev/null
+++ b/policy/modules/services/colord.te
-@@ -0,0 +1,111 @@
+@@ -0,0 +1,115 @@
+policy_module(colord,1.0.0)
+
+########################################
@@ -27681,6 +27781,10 @@ index 0000000..760d092
+')
+
+optional_policy(`
++ gnome_read_home_icc_data_content(colord_t)
++')
++
++optional_policy(`
+ policykit_dbus_chat(colord_t)
+ policykit_domtrans_auth(colord_t)
+ policykit_read_lib(colord_t)
@@ -29323,7 +29427,7 @@ index 81eba14..d0ab56c 100644
/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
-index 0d5711c..6e35cb2 100644
+index 0d5711c..5a0ca9f 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -41,9 +41,9 @@ interface(`dbus_stub',`
@@ -29503,7 +29607,7 @@ index 0d5711c..6e35cb2 100644
')
########################################
-@@ -431,14 +473,29 @@ interface(`dbus_system_domain',`
+@@ -431,14 +473,33 @@ interface(`dbus_system_domain',`
domtrans_pattern(system_dbusd_t, $2, $1)
@@ -29523,6 +29627,10 @@ index 0d5711c..6e35cb2 100644
- ifdef(`hide_broken_symptoms', `
+ optional_policy(`
++ abrt_stream_connect($1)
++ ')
++
++ optional_policy(`
+ rpm_script_dbus_chat($1)
+ ')
+
@@ -29534,7 +29642,7 @@ index 0d5711c..6e35cb2 100644
dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
')
')
-@@ -463,26 +520,25 @@ interface(`dbus_use_system_bus_fds',`
+@@ -463,26 +524,25 @@ interface(`dbus_use_system_bus_fds',`
########################################
##
@@ -29567,7 +29675,7 @@ index 0d5711c..6e35cb2 100644
##
##
##
-@@ -490,10 +546,12 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
+@@ -490,10 +550,12 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
##
##
#
@@ -34525,10 +34633,21 @@ index 978c32f..3b96342 100644
type ifplugd_initrc_exec_t;
init_script_file(ifplugd_initrc_exec_t)
diff --git a/policy/modules/services/inetd.if b/policy/modules/services/inetd.if
-index df48e5e..6985546 100644
+index df48e5e..878d9df 100644
--- a/policy/modules/services/inetd.if
+++ b/policy/modules/services/inetd.if
-@@ -55,7 +55,6 @@ interface(`inetd_core_service_domain',`
+@@ -37,6 +37,10 @@ interface(`inetd_core_service_domain',`
+
+ domtrans_pattern(inetd_t, $2, $1)
+ allow inetd_t $1:process { siginh sigkill };
++
++ optional_policy(`
++ abrt_stream_connect($1)
++ ')
+ ')
+
+ ########################################
+@@ -55,7 +59,6 @@ interface(`inetd_core_service_domain',`
##
#
interface(`inetd_tcp_service_domain',`
@@ -35155,7 +35274,7 @@ index 3525d24..923e979 100644
/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
+/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
-index 604f67b..b80c8f0 100644
+index 604f67b..be8a805 100644
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
@@ -26,9 +26,9 @@
@@ -35318,7 +35437,7 @@ index 604f67b..b80c8f0 100644
+##
+##
+#
-+template(`kerberos_read_home_content',`
++interface(`kerberos_read_home_content',`
+ gen_require(`
+ type krb5_home_t;
+ ')
@@ -36226,7 +36345,7 @@ index 0000000..6463cee
+
diff --git a/policy/modules/services/lldpad.te b/policy/modules/services/lldpad.te
new file mode 100644
-index 0000000..a91120c
+index 0000000..e231877
--- /dev/null
+++ b/policy/modules/services/lldpad.te
@@ -0,0 +1,64 @@
@@ -36262,7 +36381,7 @@ index 0000000..a91120c
+
+allow lldpad_t self:capability { net_admin net_raw };
+
-+allow lldpad_t self:shm rw_shm_perms;
++allow lldpad_t self:shm create_shm_perms;
+allow lldpad_t self:fifo_file rw_fifo_file_perms;
+
+allow lldpad_t self:unix_stream_socket create_stream_socket_perms;
@@ -38331,7 +38450,7 @@ index 256166a..6321a93 100644
+/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
-index 343cee3..0c22d93 100644
+index 343cee3..5e792cc 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -37,9 +37,9 @@ interface(`mta_stub',`
@@ -38439,12 +38558,13 @@ index 343cee3..0c22d93 100644
')
########################################
-@@ -391,12 +408,15 @@ interface(`mta_send_mail',`
+@@ -391,12 +408,17 @@ interface(`mta_send_mail',`
#
interface(`mta_sendmail_domtrans',`
gen_require(`
- type sendmail_exec_t;
+ attribute mta_exec_type;
++ attribute mta_user_agent;
')
files_search_usr($1)
@@ -38454,10 +38574,11 @@ index 343cee3..0c22d93 100644
+
+ allow $2 mta_exec_type:file entrypoint;
+ domtrans_pattern($1, mta_exec_type, $2)
++ allow mta_user_agent $1:fifo_file { read write };
')
########################################
-@@ -409,7 +429,6 @@ interface(`mta_sendmail_domtrans',`
+@@ -409,7 +431,6 @@ interface(`mta_sendmail_domtrans',`
##
##
#
@@ -38465,7 +38586,7 @@ index 343cee3..0c22d93 100644
interface(`mta_signal_system_mail',`
gen_require(`
type system_mail_t;
-@@ -420,6 +439,24 @@ interface(`mta_signal_system_mail',`
+@@ -420,6 +441,24 @@ interface(`mta_signal_system_mail',`
########################################
##
@@ -38490,7 +38611,7 @@ index 343cee3..0c22d93 100644
## Execute sendmail in the caller domain.
##
##
-@@ -438,6 +475,26 @@ interface(`mta_sendmail_exec',`
+@@ -438,6 +477,26 @@ interface(`mta_sendmail_exec',`
########################################
##
@@ -38517,7 +38638,7 @@ index 343cee3..0c22d93 100644
## Read mail server configuration.
##
##
-@@ -474,7 +531,8 @@ interface(`mta_write_config',`
+@@ -474,7 +533,8 @@ interface(`mta_write_config',`
type etc_mail_t;
')
@@ -38527,7 +38648,7 @@ index 343cee3..0c22d93 100644
')
########################################
-@@ -494,6 +552,7 @@ interface(`mta_read_aliases',`
+@@ -494,6 +554,7 @@ interface(`mta_read_aliases',`
files_search_etc($1)
allow $1 etc_aliases_t:file read_file_perms;
@@ -38535,7 +38656,7 @@ index 343cee3..0c22d93 100644
')
########################################
-@@ -532,7 +591,7 @@ interface(`mta_etc_filetrans_aliases',`
+@@ -532,7 +593,7 @@ interface(`mta_etc_filetrans_aliases',`
type etc_aliases_t;
')
@@ -38544,7 +38665,7 @@ index 343cee3..0c22d93 100644
')
########################################
-@@ -552,7 +611,7 @@ interface(`mta_rw_aliases',`
+@@ -552,7 +613,7 @@ interface(`mta_rw_aliases',`
')
files_search_etc($1)
@@ -38553,7 +38674,7 @@ index 343cee3..0c22d93 100644
')
#######################################
-@@ -646,8 +705,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
+@@ -646,8 +707,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
files_dontaudit_search_spool($1)
dontaudit $1 mail_spool_t:dir search_dir_perms;
@@ -38564,7 +38685,7 @@ index 343cee3..0c22d93 100644
')
#######################################
-@@ -697,8 +756,8 @@ interface(`mta_rw_spool',`
+@@ -697,8 +758,8 @@ interface(`mta_rw_spool',`
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
@@ -38575,7 +38696,7 @@ index 343cee3..0c22d93 100644
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
-@@ -838,7 +897,7 @@ interface(`mta_dontaudit_rw_queue',`
+@@ -838,7 +899,7 @@ interface(`mta_dontaudit_rw_queue',`
')
dontaudit $1 mqueue_spool_t:dir search_dir_perms;
@@ -38584,7 +38705,7 @@ index 343cee3..0c22d93 100644
')
########################################
-@@ -899,3 +958,112 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -899,3 +960,112 @@ interface(`mta_rw_user_mail_stream_sockets',`
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
@@ -42844,7 +42965,7 @@ index 55e62d2..f2674e8 100644
/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
-index 46bee12..398a32d 100644
+index 46bee12..c22af86 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -34,8 +34,9 @@ template(`postfix_domain_template',`
@@ -42880,7 +43001,7 @@ index 46bee12..398a32d 100644
files_tmp_file(postfix_$1_tmp_t)
- allow postfix_$1_t self:capability { setuid setgid dac_override };
-+ allow postfix_$1_t $self:capability { setuid setgid sys_chroot dac_override };
++ allow postfix_$1_t self:capability { setuid setgid sys_chroot dac_override };
allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
allow postfix_$1_t self:tcp_socket create_socket_perms;
allow postfix_$1_t self:udp_socket create_socket_perms;
@@ -43185,7 +43306,7 @@ index 46bee12..398a32d 100644
+ role $2 types postfix_postdrop_t;
+')
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
-index 06e37d4..fda5e3f 100644
+index 06e37d4..ea5feb2 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -5,6 +5,14 @@ policy_module(postfix, 1.12.0)
@@ -43469,16 +43590,20 @@ index 06e37d4..fda5e3f 100644
stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
-@@ -519,7 +579,7 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
+@@ -519,7 +579,11 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
-allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read };
+allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms;
++
++allow postfix_qmgr_t postfix_spool_maildrop_t:dir list_dir_perms;
++allow postfix_qmgr_t postfix_spool_maildrop_t:file read_file_perms;
++allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
corecmd_exec_bin(postfix_qmgr_t)
-@@ -539,7 +599,9 @@ postfix_list_spool(postfix_showq_t)
+@@ -539,7 +603,9 @@ postfix_list_spool(postfix_showq_t)
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
@@ -43489,7 +43614,7 @@ index 06e37d4..fda5e3f 100644
# to write the mailq output, it really should not need read access!
term_use_all_ptys(postfix_showq_t)
-@@ -565,6 +627,10 @@ optional_policy(`
+@@ -565,6 +631,10 @@ optional_policy(`
')
optional_policy(`
@@ -43500,7 +43625,7 @@ index 06e37d4..fda5e3f 100644
milter_stream_connect_all(postfix_smtp_t)
')
-@@ -588,10 +654,16 @@ corecmd_exec_bin(postfix_smtpd_t)
+@@ -588,10 +658,16 @@ corecmd_exec_bin(postfix_smtpd_t)
# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)
@@ -43517,7 +43642,7 @@ index 06e37d4..fda5e3f 100644
')
optional_policy(`
-@@ -611,8 +683,8 @@ optional_policy(`
+@@ -611,8 +687,8 @@ optional_policy(`
# Postfix virtual local policy
#
@@ -43527,7 +43652,7 @@ index 06e37d4..fda5e3f 100644
allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
-@@ -630,3 +702,8 @@ mta_delete_spool(postfix_virtual_t)
+@@ -630,3 +706,8 @@ mta_delete_spool(postfix_virtual_t)
# For reading spamassasin
mta_read_config(postfix_virtual_t)
mta_manage_spool(postfix_virtual_t)
@@ -44161,7 +44286,7 @@ index b1bc02c..8f0b07e 100644
dev_read_rand(prelude_lml_t)
diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te
-index 2dbf4d4..3625895 100644
+index 2dbf4d4..28d7fe5 100644
--- a/policy/modules/services/privoxy.te
+++ b/policy/modules/services/privoxy.te
@@ -6,10 +6,10 @@ policy_module(privoxy, 1.11.0)
@@ -44179,7 +44304,18 @@ index 2dbf4d4..3625895 100644
##
gen_tunable(privoxy_connect_any, false)
-@@ -87,7 +87,7 @@ miscfiles_read_localization(privoxy_t)
+@@ -46,8 +46,9 @@ logging_log_filetrans(privoxy_t, privoxy_log_t, file)
+ manage_files_pattern(privoxy_t, privoxy_var_run_t, privoxy_var_run_t)
+ files_pid_filetrans(privoxy_t, privoxy_var_run_t, file)
+
+-kernel_read_system_state(privoxy_t)
+ kernel_read_kernel_sysctls(privoxy_t)
++kernel_read_network_state(privoxy_t)
++kernel_read_system_state(privoxy_t)
+
+ corenet_all_recvfrom_unlabeled(privoxy_t)
+ corenet_all_recvfrom_netlabel(privoxy_t)
+@@ -87,7 +88,7 @@ miscfiles_read_localization(privoxy_t)
userdom_dontaudit_use_unpriv_user_fds(privoxy_t)
userdom_dontaudit_search_user_home_dirs(privoxy_t)
# cjp: this should really not be needed
@@ -46677,10 +46813,10 @@ index 0000000..88f6a9e
+')
diff --git a/policy/modules/services/rhev.te b/policy/modules/services/rhev.te
new file mode 100644
-index 0000000..988f82c
+index 0000000..bc97a21
--- /dev/null
+++ b/policy/modules/services/rhev.te
-@@ -0,0 +1,81 @@
+@@ -0,0 +1,84 @@
+policy_module(rhev,1.0)
+
+########################################
@@ -46758,9 +46894,12 @@ index 0000000..988f82c
+')
+
+optional_policy(`
-+ xserver_dbus_chat_xdm(rhev_agentd_t)
++ userhelper_console_role_template(rhev_agentd, system_r, rhev_agentd_t)
+')
+
++optional_policy(`
++ xserver_dbus_chat_xdm(rhev_agentd_t)
++')
+
diff --git a/policy/modules/services/rhgb.if b/policy/modules/services/rhgb.if
index 96efae7..793a29f 100644
@@ -47003,7 +47142,7 @@ index f7826f9..3128dd8 100644
+ admin_pattern($1, ricci_var_run_t)
+')
diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
-index 33e72e8..b71d193 100644
+index 33e72e8..a61bb94 100644
--- a/policy/modules/services/ricci.te
+++ b/policy/modules/services/ricci.te
@@ -7,9 +7,11 @@ policy_module(ricci, 1.7.0)
@@ -47060,16 +47199,17 @@ index 33e72e8..b71d193 100644
unconfined_use_fds(ricci_t)
')
-@@ -193,7 +202,7 @@ corecmd_exec_shell(ricci_modcluster_t)
+@@ -193,7 +202,8 @@ corecmd_exec_shell(ricci_modcluster_t)
corecmd_exec_bin(ricci_modcluster_t)
corenet_tcp_bind_cluster_port(ricci_modclusterd_t)
-corenet_tcp_bind_reserved_port(ricci_modclusterd_t)
+corenet_tcp_bind_all_rpc_ports(ricci_modclusterd_t)
++corenet_tcp_connect_cluster_port(ricci_modclusterd_t)
domain_read_all_domains_state(ricci_modcluster_t)
-@@ -209,13 +218,9 @@ logging_send_syslog_msg(ricci_modcluster_t)
+@@ -209,13 +219,9 @@ logging_send_syslog_msg(ricci_modcluster_t)
miscfiles_read_localization(ricci_modcluster_t)
@@ -47086,7 +47226,7 @@ index 33e72e8..b71d193 100644
optional_policy(`
aisexec_stream_connect(ricci_modcluster_t)
-@@ -233,6 +238,18 @@ optional_policy(`
+@@ -233,6 +239,18 @@ optional_policy(`
')
optional_policy(`
@@ -47105,7 +47245,7 @@ index 33e72e8..b71d193 100644
nscd_socket_use(ricci_modcluster_t)
')
-@@ -241,8 +258,7 @@ optional_policy(`
+@@ -241,8 +259,7 @@ optional_policy(`
')
optional_policy(`
@@ -47115,7 +47255,7 @@ index 33e72e8..b71d193 100644
')
########################################
-@@ -261,6 +277,10 @@ allow ricci_modclusterd_t self:socket create_socket_perms;
+@@ -261,6 +278,10 @@ allow ricci_modclusterd_t self:socket create_socket_perms;
allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;
@@ -47126,7 +47266,7 @@ index 33e72e8..b71d193 100644
allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t)
-@@ -272,6 +292,7 @@ files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock
+@@ -272,6 +293,7 @@ files_pid_filetrans(ricci_modclusterd_t, ricci_modcluster_var_run_t, { file sock
kernel_read_kernel_sysctls(ricci_modclusterd_t)
kernel_read_system_state(ricci_modclusterd_t)
@@ -47134,7 +47274,7 @@ index 33e72e8..b71d193 100644
corecmd_exec_bin(ricci_modclusterd_t)
-@@ -394,8 +415,6 @@ files_search_usr(ricci_modservice_t)
+@@ -394,8 +416,6 @@ files_search_usr(ricci_modservice_t)
# Needed for running chkconfig
files_manage_etc_symlinks(ricci_modservice_t)
@@ -47143,7 +47283,7 @@ index 33e72e8..b71d193 100644
init_domtrans_script(ricci_modservice_t)
miscfiles_read_localization(ricci_modservice_t)
-@@ -405,6 +424,10 @@ optional_policy(`
+@@ -405,6 +425,10 @@ optional_policy(`
')
optional_policy(`
@@ -47154,7 +47294,7 @@ index 33e72e8..b71d193 100644
nscd_dontaudit_search_pid(ricci_modservice_t)
')
-@@ -444,22 +467,20 @@ files_read_etc_runtime_files(ricci_modstorage_t)
+@@ -444,22 +468,20 @@ files_read_etc_runtime_files(ricci_modstorage_t)
files_read_usr_files(ricci_modstorage_t)
files_read_kernel_modules(ricci_modstorage_t)
@@ -47183,7 +47323,7 @@ index 33e72e8..b71d193 100644
optional_policy(`
aisexec_stream_connect(ricci_modstorage_t)
corosync_stream_connect(ricci_modstorage_t)
-@@ -471,11 +492,27 @@ optional_policy(`
+@@ -471,11 +493,27 @@ optional_policy(`
')
optional_policy(`
@@ -48471,15 +48611,17 @@ index 150c85d..71e9315 100644
#
diff --git a/policy/modules/services/sanlock.fc b/policy/modules/services/sanlock.fc
new file mode 100644
-index 0000000..19d7347
+index 0000000..630960e
--- /dev/null
+++ b/policy/modules/services/sanlock.fc
-@@ -0,0 +1,6 @@
+@@ -0,0 +1,8 @@
+
+/etc/rc\.d/init\.d/sanlock -- gen_context(system_u:object_r:sanlock_initrc_exec_t,s0)
+
+/var/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0)
+
++/var/log/sanlock\.log gen_context(system_u:object_r:sanlock_log_t,s0)
++
+/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0)
diff --git a/policy/modules/services/sanlock.if b/policy/modules/services/sanlock.if
new file mode 100644
@@ -48599,10 +48741,10 @@ index 0000000..486d53d
+')
diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te
new file mode 100644
-index 0000000..f7cfc54
+index 0000000..f050bc5
--- /dev/null
+++ b/policy/modules/services/sanlock.te
-@@ -0,0 +1,55 @@
+@@ -0,0 +1,61 @@
+policy_module(sanlock,1.0.0)
+
+########################################
@@ -48619,6 +48761,9 @@ index 0000000..f7cfc54
+type sanlock_var_run_t;
+files_pid_file(sanlock_var_run_t)
+
++type sanlock_log_t;
++logging_log_file(sanlock_log_t)
++
+type sanlock_initrc_exec_t;
+init_script_file(sanlock_initrc_exec_t)
+
@@ -48632,6 +48777,9 @@ index 0000000..f7cfc54
+allow sanlock_t self:fifo_file rw_fifo_file_perms;
+allow sanlock_t self:unix_stream_socket create_stream_socket_perms;
+
++manage_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
++logging_log_filetrans(sanlock_t, sanlock_log_t, file)
++
+manage_dirs_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
+manage_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
+manage_sock_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
@@ -53748,7 +53896,7 @@ index 6f1e3c7..ade9046 100644
+/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..cb751f8 100644
+index 130ced9..ea8077d 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -19,9 +19,10 @@
@@ -53833,12 +53981,14 @@ index 130ced9..cb751f8 100644
xserver_xsession_entry_type($2)
xserver_dontaudit_write_log($2)
xserver_stream_connect_xdm($2)
-@@ -106,12 +116,25 @@ interface(`xserver_restricted_role',`
+@@ -106,12 +116,27 @@ interface(`xserver_restricted_role',`
xserver_create_xdm_tmp_sockets($2)
# Needed for escd, remove if we get escd policy
xserver_manage_xdm_tmp_files($2)
+ xserver_read_xdm_etc_files($2)
+
++ modutils_run_insmod(xserver_t, $1)
++
+ ifdef(`hide_broken_symptoms',`
+ dontaudit iceauth_t $2:socket_class_set { read write };
+ ')
@@ -53859,7 +54009,7 @@ index 130ced9..cb751f8 100644
')
########################################
-@@ -143,13 +166,15 @@ interface(`xserver_role',`
+@@ -143,13 +168,15 @@ interface(`xserver_role',`
allow $2 xserver_tmpfs_t:file rw_file_perms;
allow $2 iceauth_home_t:file manage_file_perms;
@@ -53877,7 +54027,7 @@ index 130ced9..cb751f8 100644
relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
relabel_files_pattern($2, user_fonts_t, user_fonts_t)
-@@ -162,7 +187,6 @@ interface(`xserver_role',`
+@@ -162,7 +189,6 @@ interface(`xserver_role',`
manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
@@ -53885,7 +54035,7 @@ index 130ced9..cb751f8 100644
')
#######################################
-@@ -197,7 +221,7 @@ interface(`xserver_ro_session',`
+@@ -197,7 +223,7 @@ interface(`xserver_ro_session',`
allow $1 xserver_t:process signal;
# Read /tmp/.X0-lock
@@ -53894,7 +54044,7 @@ index 130ced9..cb751f8 100644
# Client read xserver shm
allow $1 xserver_t:fd use;
-@@ -227,7 +251,7 @@ interface(`xserver_rw_session',`
+@@ -227,7 +253,7 @@ interface(`xserver_rw_session',`
type xserver_t, xserver_tmpfs_t;
')
@@ -53903,7 +54053,7 @@ index 130ced9..cb751f8 100644
allow $1 xserver_t:shm rw_shm_perms;
allow $1 xserver_tmpfs_t:file rw_file_perms;
')
-@@ -255,7 +279,7 @@ interface(`xserver_non_drawing_client',`
+@@ -255,7 +281,7 @@ interface(`xserver_non_drawing_client',`
allow $1 self:x_gc { create setattr };
@@ -53912,7 +54062,7 @@ index 130ced9..cb751f8 100644
allow $1 xserver_t:unix_stream_socket connectto;
allow $1 xextension_t:x_extension { query use };
-@@ -291,13 +315,13 @@ interface(`xserver_user_client',`
+@@ -291,13 +317,13 @@ interface(`xserver_user_client',`
allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
# Read .Xauthority file
@@ -53930,7 +54080,7 @@ index 130ced9..cb751f8 100644
allow $1 xdm_tmp_t:sock_file { read write };
dontaudit $1 xdm_t:tcp_socket { read write };
-@@ -342,19 +366,23 @@ interface(`xserver_user_client',`
+@@ -342,19 +368,23 @@ interface(`xserver_user_client',`
#
template(`xserver_common_x_domain_template',`
gen_require(`
@@ -53957,7 +54107,7 @@ index 130ced9..cb751f8 100644
')
##############################
-@@ -386,6 +414,15 @@ template(`xserver_common_x_domain_template',`
+@@ -386,6 +416,15 @@ template(`xserver_common_x_domain_template',`
allow $2 xevent_t:{ x_event x_synthetic_event } receive;
# dont audit send failures
dontaudit $2 input_xevent_type:x_event send;
@@ -53973,7 +54123,7 @@ index 130ced9..cb751f8 100644
')
#######################################
-@@ -444,8 +481,9 @@ template(`xserver_object_types_template',`
+@@ -444,8 +483,9 @@ template(`xserver_object_types_template',`
#
template(`xserver_user_x_domain_template',`
gen_require(`
@@ -53985,7 +54135,7 @@ index 130ced9..cb751f8 100644
')
allow $2 self:shm create_shm_perms;
-@@ -456,11 +494,18 @@ template(`xserver_user_x_domain_template',`
+@@ -456,11 +496,18 @@ template(`xserver_user_x_domain_template',`
allow $2 xauth_home_t:file read_file_perms;
allow $2 iceauth_home_t:file read_file_perms;
@@ -54006,7 +54156,7 @@ index 130ced9..cb751f8 100644
dontaudit $2 xdm_t:tcp_socket { read write };
# Allow connections to X server.
-@@ -472,20 +517,25 @@ template(`xserver_user_x_domain_template',`
+@@ -472,20 +519,25 @@ template(`xserver_user_x_domain_template',`
# for .xsession-errors
userdom_dontaudit_write_user_home_content_files($2)
@@ -54034,7 +54184,7 @@ index 130ced9..cb751f8 100644
')
########################################
-@@ -517,6 +567,7 @@ interface(`xserver_use_user_fonts',`
+@@ -517,6 +569,7 @@ interface(`xserver_use_user_fonts',`
# Read per user fonts
allow $1 user_fonts_t:dir list_dir_perms;
allow $1 user_fonts_t:file read_file_perms;
@@ -54042,7 +54192,7 @@ index 130ced9..cb751f8 100644
# Manipulate the global font cache
manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
-@@ -545,6 +596,28 @@ interface(`xserver_domtrans_xauth',`
+@@ -545,6 +598,28 @@ interface(`xserver_domtrans_xauth',`
')
domtrans_pattern($1, xauth_exec_t, xauth_t)
@@ -54071,7 +54221,7 @@ index 130ced9..cb751f8 100644
')
########################################
-@@ -598,6 +671,7 @@ interface(`xserver_read_user_xauth',`
+@@ -598,6 +673,7 @@ interface(`xserver_read_user_xauth',`
allow $1 xauth_home_t:file read_file_perms;
userdom_search_user_home_dirs($1)
@@ -54079,7 +54229,7 @@ index 130ced9..cb751f8 100644
')
########################################
-@@ -615,7 +689,7 @@ interface(`xserver_setattr_console_pipes',`
+@@ -615,7 +691,7 @@ interface(`xserver_setattr_console_pipes',`
type xconsole_device_t;
')
@@ -54088,7 +54238,7 @@ index 130ced9..cb751f8 100644
')
########################################
-@@ -651,7 +725,7 @@ interface(`xserver_use_xdm_fds',`
+@@ -651,7 +727,7 @@ interface(`xserver_use_xdm_fds',`
type xdm_t;
')
@@ -54097,7 +54247,7 @@ index 130ced9..cb751f8 100644
')
########################################
-@@ -670,7 +744,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
+@@ -670,7 +746,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
type xdm_t;
')
@@ -54106,7 +54256,7 @@ index 130ced9..cb751f8 100644
')
########################################
-@@ -688,7 +762,7 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -688,7 +764,7 @@ interface(`xserver_rw_xdm_pipes',`
type xdm_t;
')
@@ -54115,7 +54265,7 @@ index 130ced9..cb751f8 100644
')
########################################
-@@ -703,12 +777,11 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -703,12 +779,11 @@ interface(`xserver_rw_xdm_pipes',`
##
#
interface(`xserver_dontaudit_rw_xdm_pipes',`
@@ -54129,7 +54279,7 @@ index 130ced9..cb751f8 100644
')
########################################
-@@ -724,11 +797,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
+@@ -724,11 +799,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
#
interface(`xserver_stream_connect_xdm',`
gen_require(`
@@ -54163,7 +54313,7 @@ index 130ced9..cb751f8 100644
')
########################################
-@@ -765,7 +858,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -765,7 +860,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
type xdm_tmp_t;
')
@@ -54172,7 +54322,7 @@ index 130ced9..cb751f8 100644
')
########################################
-@@ -805,7 +898,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -805,7 +900,26 @@ interface(`xserver_read_xdm_pid',`
')
files_search_pids($1)
@@ -54200,7 +54350,7 @@ index 130ced9..cb751f8 100644
')
########################################
-@@ -897,7 +1009,7 @@ interface(`xserver_getattr_log',`
+@@ -897,7 +1011,7 @@ interface(`xserver_getattr_log',`
')
logging_search_logs($1)
@@ -54209,7 +54359,7 @@ index 130ced9..cb751f8 100644
')
########################################
-@@ -916,7 +1028,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -916,7 +1030,7 @@ interface(`xserver_dontaudit_write_log',`
type xserver_log_t;
')
@@ -54218,7 +54368,7 @@ index 130ced9..cb751f8 100644
')
########################################
-@@ -963,6 +1075,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -963,6 +1077,45 @@ interface(`xserver_read_xkb_libs',`
########################################
##
@@ -54264,7 +54414,7 @@ index 130ced9..cb751f8 100644
## Read xdm temporary files.
##
##
-@@ -976,7 +1127,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -976,7 +1129,7 @@ interface(`xserver_read_xdm_tmp_files',`
type xdm_tmp_t;
')
@@ -54273,7 +54423,7 @@ index 130ced9..cb751f8 100644
read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
')
-@@ -1038,6 +1189,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1038,6 +1191,42 @@ interface(`xserver_manage_xdm_tmp_files',`
########################################
##
@@ -54316,7 +54466,7 @@ index 130ced9..cb751f8 100644
## Do not audit attempts to get the attributes of
## xdm temporary named sockets.
##
-@@ -1052,7 +1239,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1052,7 +1241,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
type xdm_tmp_t;
')
@@ -54325,7 +54475,7 @@ index 130ced9..cb751f8 100644
')
########################################
-@@ -1070,8 +1257,10 @@ interface(`xserver_domtrans',`
+@@ -1070,8 +1259,10 @@ interface(`xserver_domtrans',`
type xserver_t, xserver_exec_t;
')
@@ -54337,7 +54487,7 @@ index 130ced9..cb751f8 100644
')
########################################
-@@ -1185,6 +1374,26 @@ interface(`xserver_stream_connect',`
+@@ -1185,6 +1376,26 @@ interface(`xserver_stream_connect',`
files_search_tmp($1)
stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -54364,7 +54514,7 @@ index 130ced9..cb751f8 100644
')
########################################
-@@ -1210,7 +1419,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1210,7 +1421,7 @@ interface(`xserver_read_tmp_files',`
##
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain permission to read the
@@ -54373,7 +54523,7 @@ index 130ced9..cb751f8 100644
##
##
##
-@@ -1220,13 +1429,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1220,13 +1431,23 @@ interface(`xserver_read_tmp_files',`
#
interface(`xserver_manage_core_devices',`
gen_require(`
@@ -54398,7 +54548,7 @@ index 130ced9..cb751f8 100644
')
########################################
-@@ -1243,10 +1462,458 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1464,458 @@ interface(`xserver_manage_core_devices',`
#
interface(`xserver_unconfined',`
gen_require(`
@@ -57695,7 +57845,7 @@ index 354ce93..b8b14b9 100644
')
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index cc83689..7947c80 100644
+index cc83689..6569096 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -79,6 +79,41 @@ interface(`init_script_domain',`
@@ -57854,7 +58004,7 @@ index cc83689..7947c80 100644
ifdef(`hide_broken_symptoms',`
# RHEL4 systems seem to have a stray
-@@ -353,6 +432,37 @@ interface(`init_system_domain',`
+@@ -353,6 +432,41 @@ interface(`init_system_domain',`
kernel_dontaudit_use_fds($1)
')
')
@@ -57875,6 +58025,10 @@ index cc83689..7947c80 100644
+ logging_inherit_append_all_logs($1)
+
+ optional_policy(`
++ abrt_stream_connect($1)
++ ')
++
++ optional_policy(`
+ cron_rw_pipes($1)
+ ')
+
@@ -57892,7 +58046,7 @@ index cc83689..7947c80 100644
')
########################################
-@@ -401,16 +511,19 @@ interface(`init_system_domain',`
+@@ -401,16 +515,19 @@ interface(`init_system_domain',`
interface(`init_ranged_system_domain',`
gen_require(`
type initrc_t;
@@ -57912,7 +58066,7 @@ index cc83689..7947c80 100644
mls_rangetrans_target($1)
')
')
-@@ -451,6 +564,10 @@ interface(`init_exec',`
+@@ -451,6 +568,10 @@ interface(`init_exec',`
corecmd_search_bin($1)
can_exec($1, init_exec_t)
@@ -57923,7 +58077,7 @@ index cc83689..7947c80 100644
')
########################################
-@@ -509,6 +626,24 @@ interface(`init_sigchld',`
+@@ -509,6 +630,24 @@ interface(`init_sigchld',`
########################################
##
@@ -57948,7 +58102,7 @@ index cc83689..7947c80 100644
## Connect to init with a unix socket.
##
##
-@@ -519,10 +654,29 @@ interface(`init_sigchld',`
+@@ -519,10 +658,29 @@ interface(`init_sigchld',`
#
interface(`init_stream_connect',`
gen_require(`
@@ -57980,7 +58134,7 @@ index cc83689..7947c80 100644
')
########################################
-@@ -688,19 +842,25 @@ interface(`init_telinit',`
+@@ -688,19 +846,25 @@ interface(`init_telinit',`
type initctl_t;
')
@@ -58007,7 +58161,7 @@ index cc83689..7947c80 100644
')
')
-@@ -730,7 +890,7 @@ interface(`init_rw_initctl',`
+@@ -730,7 +894,7 @@ interface(`init_rw_initctl',`
##
##
##
@@ -58016,7 +58170,7 @@ index cc83689..7947c80 100644
##
##
#
-@@ -773,18 +933,19 @@ interface(`init_script_file_entry_type',`
+@@ -773,18 +937,19 @@ interface(`init_script_file_entry_type',`
#
interface(`init_spec_domtrans_script',`
gen_require(`
@@ -58040,7 +58194,7 @@ index cc83689..7947c80 100644
')
')
-@@ -800,19 +961,41 @@ interface(`init_spec_domtrans_script',`
+@@ -800,19 +965,41 @@ interface(`init_spec_domtrans_script',`
#
interface(`init_domtrans_script',`
gen_require(`
@@ -58086,7 +58240,7 @@ index cc83689..7947c80 100644
')
########################################
-@@ -868,9 +1051,14 @@ interface(`init_script_file_domtrans',`
+@@ -868,9 +1055,14 @@ interface(`init_script_file_domtrans',`
interface(`init_labeled_script_domtrans',`
gen_require(`
type initrc_t;
@@ -58101,7 +58255,7 @@ index cc83689..7947c80 100644
files_search_etc($1)
')
-@@ -1079,6 +1267,24 @@ interface(`init_read_all_script_files',`
+@@ -1079,6 +1271,24 @@ interface(`init_read_all_script_files',`
#######################################
##
@@ -58126,7 +58280,7 @@ index cc83689..7947c80 100644
## Dontaudit read all init script files.
##
##
-@@ -1130,12 +1336,7 @@ interface(`init_read_script_state',`
+@@ -1130,12 +1340,7 @@ interface(`init_read_script_state',`
')
kernel_search_proc($1)
@@ -58140,7 +58294,7 @@ index cc83689..7947c80 100644
')
########################################
-@@ -1375,6 +1576,27 @@ interface(`init_dbus_send_script',`
+@@ -1375,6 +1580,27 @@ interface(`init_dbus_send_script',`
########################################
##
## Send and receive messages from
@@ -58168,7 +58322,7 @@ index cc83689..7947c80 100644
## init scripts over dbus.
##
##
-@@ -1461,6 +1683,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1461,6 +1687,25 @@ interface(`init_getattr_script_status_files',`
########################################
##
@@ -58194,7 +58348,7 @@ index cc83689..7947c80 100644
## Do not audit attempts to read init script
## status files.
##
-@@ -1519,6 +1760,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1519,6 +1764,24 @@ interface(`init_rw_script_tmp_files',`
########################################
##
@@ -58219,7 +58373,7 @@ index cc83689..7947c80 100644
## Create files in a init script
## temporary data directory.
##
-@@ -1674,7 +1933,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1674,7 +1937,7 @@ interface(`init_dontaudit_rw_utmp',`
type initrc_var_run_t;
')
@@ -58228,7 +58382,7 @@ index cc83689..7947c80 100644
')
########################################
-@@ -1715,6 +1974,92 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1715,6 +1978,92 @@ interface(`init_pid_filetrans_utmp',`
files_pid_filetrans($1, initrc_var_run_t, file)
')
@@ -58321,7 +58475,7 @@ index cc83689..7947c80 100644
########################################
##
## Allow the specified domain to connect to daemon with a tcp socket
-@@ -1749,3 +2094,156 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +2098,156 @@ interface(`init_udp_recvfrom_all_daemons',`
')
corenet_udp_recvfrom_labeled($1, daemon)
')
@@ -58479,7 +58633,7 @@ index cc83689..7947c80 100644
+ read_fifo_files_pattern($1, initrc_var_run_t, initrc_var_run_t)
+')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index ea29513..822d7a0 100644
+index ea29513..34ac96c 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@@ -58654,7 +58808,7 @@ index ea29513..822d7a0 100644
corecmd_shell_domtrans(init_t, initrc_t)
',`
# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +244,121 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +244,122 @@ tunable_policy(`init_upstart',`
sysadm_shell_domtrans(init_t)
')
@@ -58705,7 +58859,7 @@ index ea29513..822d7a0 100644
+ files_manage_all_pid_dirs(init_t)
+ files_relabel_all_pid_dirs(init_t)
+ files_relabel_all_pid_files(init_t)
-+ files_unlink_all_pid_sockets(init_t)
++ files_delete_all_pid_sockets(init_t)
+ files_manage_urandom_seed(init_t)
+ files_list_locks(init_t)
+ files_create_lock_dirs(init_t)
@@ -58718,7 +58872,8 @@ index ea29513..822d7a0 100644
+ fs_relabel_tmpfs_dirs(init_t)
+ fs_relabel_tmpfs_files(init_t)
+ fs_mount_all_fs(init_t)
-+ fs_remount_autofs(init_t)
++ fs_unmount_all_fs(init_t)
++ fs_remount_all_fs(init_t)
+ fs_list_auto_mountpoints(init_t)
+ fs_relabel_cgroup_dirs(init_t)
+ fs_search_cgroup_dirs(daemon)
@@ -58776,7 +58931,7 @@ index ea29513..822d7a0 100644
')
optional_policy(`
-@@ -199,10 +366,26 @@ optional_policy(`
+@@ -199,10 +367,26 @@ optional_policy(`
')
optional_policy(`
@@ -58803,7 +58958,7 @@ index ea29513..822d7a0 100644
unconfined_domain(init_t)
')
-@@ -212,7 +395,7 @@ optional_policy(`
+@@ -212,7 +396,7 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -58812,7 +58967,7 @@ index ea29513..822d7a0 100644
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -241,12 +424,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +425,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -58828,7 +58983,7 @@ index ea29513..822d7a0 100644
init_write_initctl(initrc_t)
-@@ -258,20 +444,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +445,32 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -58865,7 +59020,7 @@ index ea29513..822d7a0 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +477,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +478,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -58873,7 +59028,7 @@ index ea29513..822d7a0 100644
dev_write_kmsg(initrc_t)
dev_write_rand(initrc_t)
dev_write_urand(initrc_t)
-@@ -289,8 +488,10 @@ dev_write_framebuffer(initrc_t)
+@@ -289,8 +489,10 @@ dev_write_framebuffer(initrc_t)
dev_read_realtime_clock(initrc_t)
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
@@ -58884,7 +59039,7 @@ index ea29513..822d7a0 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -298,13 +499,14 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +500,14 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -58901,7 +59056,7 @@ index ea29513..822d7a0 100644
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
-@@ -316,6 +518,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +519,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -58909,7 +59064,7 @@ index ea29513..822d7a0 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -323,8 +526,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +527,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -58921,7 +59076,7 @@ index ea29513..822d7a0 100644
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -340,8 +545,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +546,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -58935,7 +59090,7 @@ index ea29513..822d7a0 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -351,6 +560,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +561,8 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -58944,7 +59099,7 @@ index ea29513..822d7a0 100644
# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
-@@ -363,6 +574,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +575,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -58952,7 +59107,7 @@ index ea29513..822d7a0 100644
selinux_get_enforce_mode(initrc_t)
-@@ -374,6 +586,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +587,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -58960,7 +59115,7 @@ index ea29513..822d7a0 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -394,18 +607,17 @@ logging_read_audit_config(initrc_t)
+@@ -394,18 +608,17 @@ logging_read_audit_config(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -58982,7 +59137,7 @@ index ea29513..822d7a0 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -458,6 +670,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +671,10 @@ ifdef(`distro_gentoo',`
sysnet_setattr_config(initrc_t)
optional_policy(`
@@ -58993,7 +59148,7 @@ index ea29513..822d7a0 100644
alsa_read_lib(initrc_t)
')
-@@ -478,7 +694,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +695,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -59002,7 +59157,7 @@ index ea29513..822d7a0 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -493,6 +709,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +710,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -59010,12 +59165,12 @@ index ea29513..822d7a0 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -522,8 +739,33 @@ ifdef(`distro_redhat',`
+@@ -522,8 +740,33 @@ ifdef(`distro_redhat',`
')
optional_policy(`
-+ abrt_manage_pid_files(initrc_t)
-+ ')
++ abrt_manage_pid_files(initrc_t)
++ ')
+
+ optional_policy(`
bind_manage_config_dirs(initrc_t)
@@ -59044,7 +59199,7 @@ index ea29513..822d7a0 100644
')
optional_policy(`
-@@ -531,10 +773,22 @@ ifdef(`distro_redhat',`
+@@ -531,10 +774,22 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -59067,7 +59222,7 @@ index ea29513..822d7a0 100644
')
optional_policy(`
-@@ -549,6 +803,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +804,39 @@ ifdef(`distro_suse',`
')
')
@@ -59107,7 +59262,7 @@ index ea29513..822d7a0 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +848,8 @@ optional_policy(`
+@@ -561,6 +849,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -59116,7 +59271,7 @@ index ea29513..822d7a0 100644
')
optional_policy(`
-@@ -577,6 +866,7 @@ optional_policy(`
+@@ -577,6 +867,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -59124,7 +59279,7 @@ index ea29513..822d7a0 100644
')
optional_policy(`
-@@ -589,6 +879,11 @@ optional_policy(`
+@@ -589,6 +880,11 @@ optional_policy(`
')
optional_policy(`
@@ -59136,7 +59291,7 @@ index ea29513..822d7a0 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -605,9 +900,13 @@ optional_policy(`
+@@ -605,9 +901,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -59150,7 +59305,7 @@ index ea29513..822d7a0 100644
')
optional_policy(`
-@@ -649,6 +948,11 @@ optional_policy(`
+@@ -649,6 +949,11 @@ optional_policy(`
')
optional_policy(`
@@ -59162,7 +59317,7 @@ index ea29513..822d7a0 100644
inn_exec_config(initrc_t)
')
-@@ -706,7 +1010,13 @@ optional_policy(`
+@@ -706,7 +1011,13 @@ optional_policy(`
')
optional_policy(`
@@ -59176,7 +59331,7 @@ index ea29513..822d7a0 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -729,6 +1039,10 @@ optional_policy(`
+@@ -729,6 +1040,10 @@ optional_policy(`
')
optional_policy(`
@@ -59187,7 +59342,7 @@ index ea29513..822d7a0 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -738,10 +1052,20 @@ optional_policy(`
+@@ -738,10 +1053,20 @@ optional_policy(`
')
optional_policy(`
@@ -59208,7 +59363,7 @@ index ea29513..822d7a0 100644
quota_manage_flags(initrc_t)
')
-@@ -750,6 +1074,10 @@ optional_policy(`
+@@ -750,6 +1075,10 @@ optional_policy(`
')
optional_policy(`
@@ -59219,7 +59374,7 @@ index ea29513..822d7a0 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -771,8 +1099,6 @@ optional_policy(`
+@@ -771,8 +1100,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -59228,7 +59383,7 @@ index ea29513..822d7a0 100644
')
optional_policy(`
-@@ -781,14 +1107,21 @@ optional_policy(`
+@@ -781,14 +1108,21 @@ optional_policy(`
')
optional_policy(`
@@ -59250,7 +59405,7 @@ index ea29513..822d7a0 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -800,7 +1133,6 @@ optional_policy(`
+@@ -800,7 +1134,6 @@ optional_policy(`
')
optional_policy(`
@@ -59258,7 +59413,7 @@ index ea29513..822d7a0 100644
udev_manage_pid_files(initrc_t)
udev_manage_rules_files(initrc_t)
')
-@@ -810,11 +1142,24 @@ optional_policy(`
+@@ -810,11 +1143,24 @@ optional_policy(`
')
optional_policy(`
@@ -59284,7 +59439,7 @@ index ea29513..822d7a0 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -824,6 +1169,25 @@ optional_policy(`
+@@ -824,6 +1170,25 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -59310,7 +59465,7 @@ index ea29513..822d7a0 100644
')
optional_policy(`
-@@ -839,6 +1203,10 @@ optional_policy(`
+@@ -839,6 +1204,10 @@ optional_policy(`
')
optional_policy(`
@@ -59321,7 +59476,7 @@ index ea29513..822d7a0 100644
# Set device ownerships/modes.
xserver_setattr_console_pipes(initrc_t)
-@@ -849,3 +1217,42 @@ optional_policy(`
+@@ -849,3 +1218,45 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -59351,6 +59506,10 @@ index ea29513..822d7a0 100644
+init_rw_script_stream_sockets(daemon)
+
+optional_policy(`
++ abrt_stream_connect(daemon)
++')
++
++optional_policy(`
+ fail2ban_read_lib_files(daemon)
+')
+
@@ -59363,7 +59522,6 @@ index ea29513..822d7a0 100644
+allow init_t var_run_t:dir relabelto;
+
+init_stream_connect(initrc_t)
-+
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index 07eba2b..a75297a 100644
--- a/policy/modules/system/ipsec.fc
@@ -60941,7 +61099,7 @@ index c7cfb62..ee89659 100644
init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
domain_system_change_exemption($1)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 9b5a9ed..e3f0566 100644
+index 9b5a9ed..41ee997 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -19,6 +19,11 @@ type auditd_log_t;
@@ -61085,7 +61243,7 @@ index 9b5a9ed..e3f0566 100644
# setpgid for metalog
# setrlimit for syslog-ng
-allow syslogd_t self:process { signal_perms setpgid setrlimit };
-+allow syslogd_t self:process { signal_perms setpgid setsched setrlimit };
++allow syslogd_t self:process { signal_perms setpgid setsched setrlimit setcap getcap };
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
@@ -64350,10 +64508,10 @@ index 0000000..c59c37c
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..c777159
+index 0000000..747aa58
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,190 @@
+@@ -0,0 +1,191 @@
+
+policy_module(systemd, 1.0.0)
+
@@ -64459,7 +64617,8 @@ index 0000000..c777159
+files_manage_all_pid_dirs(systemd_tmpfiles_t)
+files_manage_all_locks(systemd_tmpfiles_t)
+files_setattr_all_tmp_dirs(systemd_tmpfiles_t)
-+files_unlink_all_pid_sockets(systemd_tmpfiles_t)
++files_delete_all_pid_sockets(systemd_tmpfiles_t)
++files_delete_all_pid_pipes(systemd_tmpfiles_t)
+files_delete_boot_flag(systemd_tmpfiles_t)
+files_purge_tmp(systemd_tmpfiles_t)
+files_manage_generic_tmp_files(systemd_tmpfiles_t)
@@ -65735,7 +65894,7 @@ index db75976..392d1ee 100644
+HOME_DIR/\.gvfs(/.*)? <>
+HOME_DIR/\.debug(/.*)? <>
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..35793ae 100644
+index 28b88de..240fa6c 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -65902,12 +66061,16 @@ index 28b88de..35793ae 100644
tunable_policy(`allow_execmem',`
# Allow loading DSOs that require executable stack.
-@@ -116,6 +151,16 @@ template(`userdom_base_user_template',`
+@@ -116,6 +151,20 @@ template(`userdom_base_user_template',`
# Allow making the stack executable via mprotect.
allow $1_t self:process execstack;
')
+
+ optional_policy(`
++ abrt_stream_connect($1_usertype)
++ ')
++
++ optional_policy(`
+ fs_list_cgroup_dirs($1_usertype)
+ ')
+
@@ -65919,7 +66082,7 @@ index 28b88de..35793ae 100644
')
#######################################
-@@ -149,6 +194,8 @@ interface(`userdom_ro_home_role',`
+@@ -149,6 +198,8 @@ interface(`userdom_ro_home_role',`
type user_home_t, user_home_dir_t;
')
@@ -65928,7 +66091,7 @@ index 28b88de..35793ae 100644
##############################
#
# Domain access to home dir
-@@ -166,27 +213,6 @@ interface(`userdom_ro_home_role',`
+@@ -166,27 +217,6 @@ interface(`userdom_ro_home_role',`
read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
files_list_home($2)
@@ -65956,7 +66119,7 @@ index 28b88de..35793ae 100644
')
#######################################
-@@ -218,8 +244,11 @@ interface(`userdom_ro_home_role',`
+@@ -218,8 +248,11 @@ interface(`userdom_ro_home_role',`
interface(`userdom_manage_home_role',`
gen_require(`
type user_home_t, user_home_dir_t;
@@ -65968,7 +66131,7 @@ index 28b88de..35793ae 100644
##############################
#
# Domain access to home dir
-@@ -228,17 +257,21 @@ interface(`userdom_manage_home_role',`
+@@ -228,17 +261,21 @@ interface(`userdom_manage_home_role',`
type_member $2 user_home_dir_t:dir user_home_dir_t;
# full control of the home directory
@@ -66000,7 +66163,7 @@ index 28b88de..35793ae 100644
filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
files_list_home($2)
-@@ -246,25 +279,23 @@ interface(`userdom_manage_home_role',`
+@@ -246,25 +283,23 @@ interface(`userdom_manage_home_role',`
allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
tunable_policy(`use_nfs_home_dirs',`
@@ -66030,7 +66193,7 @@ index 28b88de..35793ae 100644
')
')
-@@ -286,17 +317,63 @@ interface(`userdom_manage_home_role',`
+@@ -286,17 +321,63 @@ interface(`userdom_manage_home_role',`
#
interface(`userdom_manage_tmp_role',`
gen_require(`
@@ -66099,7 +66262,7 @@ index 28b88de..35793ae 100644
')
#######################################
-@@ -316,6 +393,7 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -316,6 +397,7 @@ interface(`userdom_exec_user_tmp_files',`
')
exec_files_pattern($1, user_tmp_t, user_tmp_t)
@@ -66107,7 +66270,7 @@ index 28b88de..35793ae 100644
files_search_tmp($1)
')
-@@ -347,59 +425,62 @@ interface(`userdom_exec_user_tmp_files',`
+@@ -347,59 +429,62 @@ interface(`userdom_exec_user_tmp_files',`
#
interface(`userdom_manage_tmpfs_role',`
gen_require(`
@@ -66202,7 +66365,7 @@ index 28b88de..35793ae 100644
')
#######################################
-@@ -430,6 +511,7 @@ template(`userdom_xwindows_client_template',`
+@@ -430,6 +515,7 @@ template(`userdom_xwindows_client_template',`
dev_dontaudit_rw_dri($1_t)
# GNOME checks for usb and other devices:
dev_rw_usbfs($1_t)
@@ -66210,7 +66373,7 @@ index 28b88de..35793ae 100644
xserver_user_x_domain_template($1, $1_t, user_tmpfs_t)
xserver_xsession_entry_type($1_t)
-@@ -490,7 +572,7 @@ template(`userdom_common_user_template',`
+@@ -490,7 +576,7 @@ template(`userdom_common_user_template',`
attribute unpriv_userdomain;
')
@@ -66219,7 +66382,7 @@ index 28b88de..35793ae 100644
##############################
#
-@@ -500,73 +582,81 @@ template(`userdom_common_user_template',`
+@@ -500,73 +586,81 @@ template(`userdom_common_user_template',`
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -66241,27 +66404,27 @@ index 28b88de..35793ae 100644
+ kernel_get_sysvipc_info($1_usertype)
# Find CDROM devices:
- kernel_read_device_sysctls($1_t)
--
-- corecmd_exec_bin($1_t)
+ kernel_read_device_sysctls($1_usertype)
+ kernel_request_load_module($1_usertype)
-- corenet_udp_bind_generic_node($1_t)
-- corenet_udp_bind_generic_port($1_t)
+- corecmd_exec_bin($1_t)
+ corenet_udp_bind_generic_node($1_usertype)
+ corenet_udp_bind_generic_port($1_usertype)
-- dev_read_rand($1_t)
-- dev_write_sound($1_t)
-- dev_read_sound($1_t)
-- dev_read_sound_mixer($1_t)
-- dev_write_sound_mixer($1_t)
+- corenet_udp_bind_generic_node($1_t)
+- corenet_udp_bind_generic_port($1_t)
+ dev_read_rand($1_usertype)
+ dev_write_sound($1_usertype)
+ dev_read_sound($1_usertype)
+ dev_read_sound_mixer($1_usertype)
+ dev_write_sound_mixer($1_usertype)
+- dev_read_rand($1_t)
+- dev_write_sound($1_t)
+- dev_read_sound($1_t)
+- dev_read_sound_mixer($1_t)
+- dev_write_sound_mixer($1_t)
+-
- files_exec_etc_files($1_t)
- files_search_locks($1_t)
+ files_exec_etc_files($1_usertype)
@@ -66285,10 +66448,10 @@ index 28b88de..35793ae 100644
+ fs_read_noxattr_fs_files($1_usertype)
+ fs_read_noxattr_fs_symlinks($1_usertype)
+ fs_rw_cgroup_files($1_usertype)
++
++ application_getattr_socket($1_usertype)
- fs_rw_cgroup_files($1_t)
-+ application_getattr_socket($1_usertype)
-+
+ logging_send_syslog_msg($1_usertype)
+ logging_send_audit_msgs($1_usertype)
+ selinux_get_enforce_mode($1_usertype)
@@ -66340,7 +66503,7 @@ index 28b88de..35793ae 100644
')
tunable_policy(`user_ttyfile_stat',`
-@@ -574,67 +664,123 @@ template(`userdom_common_user_template',`
+@@ -574,67 +668,123 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -66358,19 +66521,19 @@ index 28b88de..35793ae 100644
+
+ optional_policy(`
+ canna_stream_connect($1_usertype)
++ ')
++
++ optional_policy(`
++ chrome_role($1_r, $1_usertype)
')
optional_policy(`
- canna_stream_connect($1_t)
-+ chrome_role($1_r, $1_usertype)
++ colord_read_lib_files($1_usertype)
')
optional_policy(`
- dbus_system_bus_client($1_t)
-+ colord_read_lib_files($1_usertype)
-+ ')
-+
-+ optional_policy(`
+ dbus_system_bus_client($1_usertype)
+
+ allow $1_usertype $1_usertype:dbus send_msg;
@@ -66439,24 +66602,24 @@ index 28b88de..35793ae 100644
- inetd_use_fds($1_t)
- inetd_rw_tcp_sockets($1_t)
+ git_session_role($1_r, $1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ inetd_use_fds($1_usertype)
-+ inetd_rw_tcp_sockets($1_usertype)
')
optional_policy(`
- inn_read_config($1_t)
- inn_read_news_lib($1_t)
- inn_read_news_spool($1_t)
-+ inn_read_config($1_usertype)
-+ inn_read_news_lib($1_usertype)
-+ inn_read_news_spool($1_usertype)
++ inetd_use_fds($1_usertype)
++ inetd_rw_tcp_sockets($1_usertype)
')
optional_policy(`
- locate_read_lib_files($1_t)
++ inn_read_config($1_usertype)
++ inn_read_news_lib($1_usertype)
++ inn_read_news_spool($1_usertype)
++ ')
++
++ optional_policy(`
+ lircd_stream_connect($1_usertype)
+ ')
+
@@ -66482,7 +66645,7 @@ index 28b88de..35793ae 100644
')
optional_policy(`
-@@ -650,41 +796,50 @@ template(`userdom_common_user_template',`
+@@ -650,41 +800,50 @@ template(`userdom_common_user_template',`
optional_policy(`
# to allow monitoring of pcmcia status
@@ -66514,48 +66677,50 @@ index 28b88de..35793ae 100644
+ optional_policy(`
+ rpc_dontaudit_getattr_exports($1_usertype)
+ rpc_manage_nfs_rw_content($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ rpcbind_stream_connect($1_usertype)
')
optional_policy(`
- rpc_dontaudit_getattr_exports($1_t)
- rpc_manage_nfs_rw_content($1_t)
-+ samba_stream_connect_winbind($1_usertype)
++ rpcbind_stream_connect($1_usertype)
')
optional_policy(`
- samba_stream_connect_winbind($1_t)
-+ sandbox_transition($1_usertype, $1_r)
++ samba_stream_connect_winbind($1_usertype)
')
optional_policy(`
- slrnpull_search_spool($1_t)
-+ seunshare_role_template($1, $1_r, $1_t)
++ sandbox_transition($1_usertype, $1_r)
')
optional_policy(`
- usernetctl_run($1_t,$1_r)
-+ slrnpull_search_spool($1_usertype)
++ seunshare_role_template($1, $1_r, $1_t)
')
+
++ optional_policy(`
++ slrnpull_search_spool($1_usertype)
++ ')
++
')
#######################################
-@@ -712,13 +867,26 @@ template(`userdom_login_user_template', `
+@@ -712,13 +871,26 @@ template(`userdom_login_user_template', `
userdom_base_user_template($1)
- userdom_manage_home_role($1_r, $1_t)
+ userdom_manage_home_role($1_r, $1_usertype)
-+
-+ userdom_manage_tmp_role($1_r, $1_usertype)
-+ userdom_manage_tmpfs_role($1_r, $1_usertype)
- userdom_manage_tmp_role($1_r, $1_t)
- userdom_manage_tmpfs_role($1_r, $1_t)
++ userdom_manage_tmp_role($1_r, $1_usertype)
++ userdom_manage_tmpfs_role($1_r, $1_usertype)
+
+- userdom_exec_user_tmp_files($1_t)
+- userdom_exec_user_home_content_files($1_t)
+ ifelse(`$1',`unconfined',`',`
+ gen_tunable(allow_$1_exec_content, true)
+
@@ -66566,9 +66731,7 @@ index 28b88de..35793ae 100644
+ tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
+ fs_exec_nfs_files($1_usertype)
+ ')
-
-- userdom_exec_user_tmp_files($1_t)
-- userdom_exec_user_home_content_files($1_t)
++
+ tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
+ fs_exec_cifs_files($1_usertype)
+ ')
@@ -66576,7 +66739,7 @@ index 28b88de..35793ae 100644
userdom_change_password_template($1)
-@@ -736,72 +904,71 @@ template(`userdom_login_user_template', `
+@@ -736,72 +908,71 @@ template(`userdom_login_user_template', `
allow $1_t self:context contains;
@@ -66643,10 +66806,10 @@ index 28b88de..35793ae 100644
- miscfiles_exec_tetex_data($1_t)
+ miscfiles_read_tetex_data($1_usertype)
+ miscfiles_exec_tetex_data($1_usertype)
-+
-+ seutil_read_config($1_usertype)
- seutil_read_config($1_t)
++ seutil_read_config($1_usertype)
++
+ optional_policy(`
+ cups_read_config($1_usertype)
+ cups_stream_connect($1_usertype)
@@ -66685,7 +66848,7 @@ index 28b88de..35793ae 100644
')
')
-@@ -833,6 +1000,9 @@ template(`userdom_restricted_user_template',`
+@@ -833,6 +1004,9 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -66695,7 +66858,7 @@ index 28b88de..35793ae 100644
##############################
#
# Local policy
-@@ -874,45 +1044,118 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1048,118 @@ template(`userdom_restricted_xwindows_user_template',`
#
auth_role($1_r, $1_t)
@@ -66774,26 +66937,27 @@ index 28b88de..35793ae 100644
+ consolekit_dontaudit_read_log($1_usertype)
+ consolekit_dbus_chat($1_usertype)
+ ')
-
- optional_policy(`
-- consolekit_dbus_chat($1_t)
++
++ optional_policy(`
+ cups_dbus_chat($1_usertype)
+ cups_dbus_chat_config($1_usertype)
- ')
++ ')
optional_policy(`
-- cups_dbus_chat($1_t)
+- consolekit_dbus_chat($1_t)
+ devicekit_dbus_chat($1_usertype)
+ devicekit_dbus_chat_disk($1_usertype)
+ devicekit_dbus_chat_power($1_usertype)
')
-+
-+ optional_policy(`
+
+ optional_policy(`
+- cups_dbus_chat($1_t)
+ fprintd_dbus_chat($1_t)
-+ ')
-+ ')
-+
-+ optional_policy(`
+ ')
+ ')
+
+ optional_policy(`
+- java_role($1_r, $1_t)
+ openoffice_role_template($1, $1_r, $1_usertype)
+ ')
+
@@ -66805,10 +66969,9 @@ index 28b88de..35793ae 100644
+ pulseaudio_role($1_r, $1_usertype)
+ pulseaudio_filetrans_admin_home_content($1_usertype)
+ pulseaudio_filetrans_home_content($1_usertype)
- ')
-
- optional_policy(`
-- java_role($1_r, $1_t)
++ ')
++
++ optional_policy(`
+ rtkit_scheduled($1_usertype)
')
@@ -66825,7 +66988,7 @@ index 28b88de..35793ae 100644
')
')
-@@ -947,7 +1190,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1194,7 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -66834,7 +66997,7 @@ index 28b88de..35793ae 100644
userdom_common_user_template($1)
##############################
-@@ -956,54 +1199,83 @@ template(`userdom_unpriv_user_template', `
+@@ -956,54 +1203,83 @@ template(`userdom_unpriv_user_template', `
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -66920,21 +67083,21 @@ index 28b88de..35793ae 100644
+
+ optional_policy(`
+ java_role_template($1, $1_r, $1_t)
-+ ')
-+
-+ optional_policy(`
-+ mono_role_template($1, $1_r, $1_t)
')
- # Run pppd in pppd_t by default for user
optional_policy(`
- ppp_run_cond($1_t,$1_r)
-+ mount_run_fusermount($1_t, $1_r)
-+ mount_read_pid_files($1_t)
++ mono_role_template($1, $1_r, $1_t)
')
optional_policy(`
- setroubleshoot_stream_connect($1_t)
++ mount_run_fusermount($1_t, $1_r)
++ mount_read_pid_files($1_t)
++ ')
++
++ optional_policy(`
+ wine_role_template($1, $1_r, $1_t)
+ ')
+
@@ -66948,7 +67111,7 @@ index 28b88de..35793ae 100644
')
')
-@@ -1039,7 +1311,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1315,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -66957,7 +67120,7 @@ index 28b88de..35793ae 100644
')
##############################
-@@ -1066,6 +1338,7 @@ template(`userdom_admin_user_template',`
+@@ -1066,6 +1342,7 @@ template(`userdom_admin_user_template',`
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -66965,7 +67128,7 @@ index 28b88de..35793ae 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1074,6 +1347,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1351,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -66975,7 +67138,7 @@ index 28b88de..35793ae 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1088,6 +1364,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1368,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -66983,7 +67146,7 @@ index 28b88de..35793ae 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1105,10 +1382,13 @@ template(`userdom_admin_user_template',`
+@@ -1105,10 +1386,13 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -66997,7 +67160,7 @@ index 28b88de..35793ae 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1119,17 +1399,22 @@ template(`userdom_admin_user_template',`
+@@ -1119,17 +1403,22 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -67021,7 +67184,7 @@ index 28b88de..35793ae 100644
auth_getattr_shadow($1_t)
# Manage almost all files
-@@ -1141,7 +1426,10 @@ template(`userdom_admin_user_template',`
+@@ -1141,7 +1430,10 @@ template(`userdom_admin_user_template',`
logging_send_syslog_msg($1_t)
@@ -67033,7 +67196,7 @@ index 28b88de..35793ae 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1210,6 +1498,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1502,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -67042,7 +67205,7 @@ index 28b88de..35793ae 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1222,6 +1512,7 @@ template(`userdom_security_admin_template',`
+@@ -1222,6 +1516,7 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -67050,7 +67213,7 @@ index 28b88de..35793ae 100644
auth_relabel_all_files_except_shadow($1)
auth_relabel_shadow($1)
-@@ -1234,11 +1525,22 @@ template(`userdom_security_admin_template',`
+@@ -1234,11 +1529,22 @@ template(`userdom_security_admin_template',`
logging_read_audit_config($1)
seutil_manage_bin_policy($1)
@@ -67073,7 +67236,7 @@ index 28b88de..35793ae 100644
optional_policy(`
aide_run($1,$2)
')
-@@ -1279,11 +1581,60 @@ template(`userdom_security_admin_template',`
+@@ -1279,54 +1585,66 @@ template(`userdom_security_admin_template',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -67082,59 +67245,129 @@ index 28b88de..35793ae 100644
allow $1 user_home_t:filesystem associate;
files_type($1)
-+ ubac_constrained($1)
+- files_poly_member($1)
+ ubac_constrained($1)
+
- files_poly_member($1)
++ files_poly_member($1)
+ typeattribute $1 user_home_type;
-+')
-+
-+########################################
-+##
+ ')
+
+ ########################################
+ ##
+-## Allow domain to attach to TUN devices created by administrative users.
+## Make the specified type usable in a
+## generic temporary directory.
-+##
+ ##
+-##
+##
-+##
+ ##
+-## Domain allowed access.
+## Type to be used as a file in the
+## generic temporary directory.
-+##
-+##
-+#
+ ##
+ ##
+ #
+-interface(`userdom_attach_admin_tun_iface',`
+interface(`userdom_user_tmp_content',`
-+ gen_require(`
+ gen_require(`
+- attribute admindomain;
+ attribute user_tmp_type;
-+ ')
-+
+ ')
+
+- allow $1 admindomain:tun_socket relabelfrom;
+- allow $1 self:tun_socket relabelto;
+ typeattribute $1 user_tmp_type;
+
+ files_tmp_file($1)
+ ubac_constrained($1)
+ ')
+
+ ########################################
+ ##
+-## Set the attributes of a user pty.
++## Make the specified type usable in a
++## generic tmpfs_t directory.
+ ##
+-##
++##
+ ##
+-## Domain allowed access.
++## Type to be used as a file in the
++## generic temporary directory.
+ ##
+ ##
+ #
+-interface(`userdom_setattr_user_ptys',`
++interface(`userdom_user_tmpfs_content',`
+ gen_require(`
+- type user_devpts_t;
++ attribute user_tmpfs_type;
+ ')
+
+- allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
++ typeattribute $1 user_tmpfs_type;
++
++ files_tmpfs_file($1)
++ ubac_constrained($1)
+ ')
+
+ ########################################
+ ##
+-## Create a user pty.
++## Allow domain to attach to TUN devices created by administrative users.
+ ##
+ ##
+ ##
+@@ -1334,9 +1652,46 @@ interface(`userdom_setattr_user_ptys',`
+ ##
+ ##
+ #
+-interface(`userdom_create_user_pty',`
++interface(`userdom_attach_admin_tun_iface',`
+ gen_require(`
+- type user_devpts_t;
++ attribute admindomain;
++ ')
++
++ allow $1 admindomain:tun_socket relabelfrom;
++ allow $1 self:tun_socket relabelto;
+')
+
+########################################
+##
-+## Make the specified type usable in a
-+## generic tmpfs_t directory.
++## Set the attributes of a user pty.
+##
-+##
++##
+##
-+## Type to be used as a file in the
-+## generic temporary directory.
++## Domain allowed access.
+##
+##
+#
-+interface(`userdom_user_tmpfs_content',`
++interface(`userdom_setattr_user_ptys',`
+ gen_require(`
-+ attribute user_tmpfs_type;
++ type user_devpts_t;
+ ')
+
-+ typeattribute $1 user_tmpfs_type;
++ allow $1 user_devpts_t:chr_file setattr_chr_file_perms;
++')
+
-+ files_tmpfs_file($1)
- ubac_constrained($1)
- ')
++########################################
++##
++## Create a user pty.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_create_user_pty',`
++ gen_require(`
++ type user_devpts_t;
+ ')
-@@ -1395,6 +1746,7 @@ interface(`userdom_search_user_home_dirs',`
+ term_create_pty($1, user_devpts_t)
+@@ -1395,6 +1750,7 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -67142,7 +67375,7 @@ index 28b88de..35793ae 100644
files_search_home($1)
')
-@@ -1441,6 +1793,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1797,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -67157,7 +67390,7 @@ index 28b88de..35793ae 100644
')
########################################
-@@ -1456,9 +1816,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1820,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -67169,7 +67402,7 @@ index 28b88de..35793ae 100644
')
########################################
-@@ -1515,6 +1877,42 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,6 +1881,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -67212,7 +67445,7 @@ index 28b88de..35793ae 100644
########################################
##
## Create directories in the home dir root with
-@@ -1589,6 +1987,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +1991,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -67221,7 +67454,7 @@ index 28b88de..35793ae 100644
')
########################################
-@@ -1603,10 +2003,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +2007,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -67236,10 +67469,28 @@ index 28b88de..35793ae 100644
')
########################################
-@@ -1649,6 +2051,25 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +2055,43 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
##
++## Delete all directories in a user home subdirectory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_delete_all_user_home_content_dirs',`
++ gen_require(`
++ attribute user_home_type;
++ ')
++
++ allow $1 user_home_type:dir delete_dir_perms;
++')
++
++########################################
++##
+## Set the attributes of user home files.
+##
+##
@@ -67262,7 +67513,33 @@ index 28b88de..35793ae 100644
## Do not audit attempts to set the
## attributes of user home files.
##
-@@ -1700,12 +2121,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1668,6 +2111,25 @@ interface(`userdom_dontaudit_setattr_user_home_content_files',`
+
+ ########################################
+ ##
++## Set the attributes of all user home directories.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`userdom_setattr_all_user_home_content_dirs',`
++ gen_require(`
++ attribute user_home_type;
++ ')
++
++ allow $1 user_home_type:dir setattr_dir_perms;
++')
++
++########################################
++##
+ ## Mmap user home files.
+ ##
+ ##
+@@ -1700,12 +2162,32 @@ interface(`userdom_read_user_home_content_files',`
type user_home_dir_t, user_home_t;
')
@@ -67295,7 +67572,7 @@ index 28b88de..35793ae 100644
## Do not audit attempts to read user home files.
##
##
-@@ -1716,11 +2157,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2198,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -67313,10 +67590,28 @@ index 28b88de..35793ae 100644
')
########################################
-@@ -1779,6 +2223,24 @@ interface(`userdom_delete_user_home_content_files',`
+@@ -1779,6 +2264,60 @@ interface(`userdom_delete_user_home_content_files',`
########################################
##
++## Delete all files in a user home subdirectory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_delete_all_user_home_content_files',`
++ gen_require(`
++ attribute user_home_type;
++ ')
++
++ allow $1 user_home_type:file delete_file_perms;
++')
++
++########################################
++##
+## Delete sock files in a user home subdirectory.
+##
+##
@@ -67335,10 +67630,28 @@ index 28b88de..35793ae 100644
+
+########################################
+##
++## Delete all sock files in a user home subdirectory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_delete_all_user_home_content_sock_files',`
++ gen_require(`
++ attribute user_home_type;
++ ')
++
++ allow $1 user_home_type:sock_file delete_file_perms;
++')
++
++########################################
++##
## Do not audit attempts to write user home files.
##
##
-@@ -1810,8 +2272,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2349,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -67348,7 +67661,7 @@ index 28b88de..35793ae 100644
')
########################################
-@@ -1827,20 +2288,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,20 +2365,14 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -67373,7 +67686,32 @@ index 28b88de..35793ae 100644
########################################
##
-@@ -2008,7 +2463,7 @@ interface(`userdom_user_home_dir_filetrans',`
+@@ -1941,6 +2473,24 @@ interface(`userdom_delete_user_home_content_symlinks',`
+
+ ########################################
+ ##
++## Delete all symbolic links in a user home directory.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`userdom_delete_all_user_home_content_symlinks',`
++ gen_require(`
++ attribute user_home_type;
++ ')
++
++ allow $1 user_home_type:lnk_file delete_lnk_file_perms;
++')
++
++########################################
++##
+ ## Create, read, write, and delete named pipes
+ ## in a user home subdirectory.
+ ##
+@@ -2008,7 +2558,7 @@ interface(`userdom_user_home_dir_filetrans',`
type user_home_dir_t;
')
@@ -67382,7 +67720,7 @@ index 28b88de..35793ae 100644
files_search_home($1)
')
-@@ -2182,7 +2637,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2732,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -67391,7 +67729,7 @@ index 28b88de..35793ae 100644
')
########################################
-@@ -2435,13 +2890,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +2985,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -67407,7 +67745,7 @@ index 28b88de..35793ae 100644
##
##
##
-@@ -2462,26 +2918,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +3013,6 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
##
@@ -67434,87 +67772,118 @@ index 28b88de..35793ae 100644
## Get the attributes of a user domain tty.
##
##
-@@ -2572,6 +3008,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2572,7 +3103,7 @@ interface(`userdom_use_user_ttys',`
########################################
##
+-## Read and write a user domain pty.
+## Read and write a inherited user domain tty.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
+ ##
+ ##
+ ##
+@@ -2580,70 +3111,138 @@ interface(`userdom_use_user_ttys',`
+ ##
+ ##
+ #
+-interface(`userdom_use_user_ptys',`
+interface(`userdom_use_inherited_user_ttys',`
-+ gen_require(`
+ gen_require(`
+- type user_devpts_t;
+ type user_tty_device_t;
-+ ')
-+
+ ')
+
+- allow $1 user_devpts_t:chr_file rw_term_perms;
+ allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
-+')
-+
-+########################################
-+##
- ## Read and write a user domain pty.
- ##
- ##
-@@ -2590,22 +3044,34 @@ interface(`userdom_use_user_ptys',`
+ ')
########################################
##
-## Read and write a user TTYs and PTYs.
-+## Read and write a inherited user domain pty.
-+##
-+##
-+##
-+## Domain allowed access.
-+##
-+##
-+#
-+interface(`userdom_use_inherited_user_ptys',`
-+ gen_require(`
-+ type user_devpts_t;
-+ ')
-+
-+ allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
-+')
-+
-+########################################
-+##
-+## Read and write a inherited user TTYs and PTYs.
++## Read and write a user domain pty.
##
- ##
- ##
+-##
+-##
-## Allow the specified domain to read and write user
-+## Allow the specified domain to read and write inherited user
- ## TTYs and PTYs. This will allow the domain to
- ## interact with the user via the terminal. Typically
- ## all interactive applications will require this
- ## access.
- ##
+-## TTYs and PTYs. This will allow the domain to
+-## interact with the user via the terminal. Typically
+-## all interactive applications will require this
+-## access.
+-##
-##
-## However, this also allows the applications to spy
-## on user sessions or inject information into the
-## user session. Thus, this access should likely
-## not be allowed for non-interactive domains.
-##
- ##
+-##
##
##
-@@ -2614,14 +3080,33 @@ interface(`userdom_use_user_ptys',`
+ ## Domain allowed access.
+ ##
##
- ##
+-##
#
-interface(`userdom_use_user_terminals',`
-+interface(`userdom_use_inherited_user_terminals',`
++interface(`userdom_use_user_ptys',`
gen_require(`
- type user_tty_device_t, user_devpts_t;
+- type user_tty_device_t, user_devpts_t;
++ type user_devpts_t;
')
- allow $1 user_tty_device_t:chr_file rw_term_perms;
-- allow $1 user_devpts_t:chr_file rw_term_perms;
+ allow $1 user_devpts_t:chr_file rw_term_perms;
- term_list_ptys($1)
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to read and write
+-## a user domain tty and pty.
++## Read and write a inherited user domain pty.
+ ##
+ ##
+ ##
+-## Domain to not audit.
++## Domain allowed access.
+ ##
+ ##
+ #
+-interface(`userdom_dontaudit_use_user_terminals',`
++interface(`userdom_use_inherited_user_ptys',`
+ gen_require(`
+- type user_tty_device_t, user_devpts_t;
++ type user_devpts_t;
+ ')
+
+- dontaudit $1 user_tty_device_t:chr_file rw_term_perms;
++ allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
++')
++
++########################################
++##
++## Read and write a inherited user TTYs and PTYs.
++##
++##
++##
++## Allow the specified domain to read and write inherited user
++## TTYs and PTYs. This will allow the domain to
++## interact with the user via the terminal. Typically
++## all interactive applications will require this
++## access.
++##
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`userdom_use_inherited_user_terminals',`
++ gen_require(`
++ type user_tty_device_t, user_devpts_t;
++ ')
++
+ allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
+ allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
+')
@@ -67537,10 +67906,25 @@ index 28b88de..35793ae 100644
+
+ allow $1 user_tty_device_t:chr_file rw_term_perms;
+ allow $1 user_devpts_t:chr_file rw_term_perms;
- ')
-
- ########################################
-@@ -2644,6 +3129,25 @@ interface(`userdom_dontaudit_use_user_terminals',`
++')
++
++########################################
++##
++## Do not audit attempts to read and write
++## a user domain tty and pty.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`userdom_dontaudit_use_user_terminals',`
++ gen_require(`
++ type user_tty_device_t, user_devpts_t;
++ ')
++
++ dontaudit $1 user_tty_device_t:chr_file rw_term_perms;
dontaudit $1 user_devpts_t:chr_file rw_term_perms;
')
@@ -67566,7 +67950,7 @@ index 28b88de..35793ae 100644
########################################
##
## Execute a shell in all user domains. This
-@@ -2815,7 +3319,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2815,7 +3414,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -67575,7 +67959,7 @@ index 28b88de..35793ae 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2831,11 +3335,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2831,11 +3430,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -67591,7 +67975,7 @@ index 28b88de..35793ae 100644
')
########################################
-@@ -2917,7 +3423,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2917,7 +3518,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -67600,7 +67984,7 @@ index 28b88de..35793ae 100644
')
########################################
-@@ -2972,7 +3478,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2972,7 +3573,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -67647,7 +68031,7 @@ index 28b88de..35793ae 100644
')
########################################
-@@ -3009,6 +3553,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3009,6 +3648,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -67655,7 +68039,7 @@ index 28b88de..35793ae 100644
kernel_search_proc($1)
')
-@@ -3087,6 +3632,24 @@ interface(`userdom_signal_all_users',`
+@@ -3087,6 +3727,24 @@ interface(`userdom_signal_all_users',`
########################################
##
@@ -67680,7 +68064,7 @@ index 28b88de..35793ae 100644
## Send a SIGCHLD signal to all user domains.
##
##
-@@ -3139,3 +3702,1058 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3139,3 +3797,1058 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ab91b44..e3ae491 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.16
-Release: 29.1%{?dist}
+Release: 30%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -449,6 +449,10 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Mon Jun 27 2011 Miroslav Grepl 3.9.16-30
+- More fixes
+ * http://git.fedorahosted.org/git/?p=selinux-policy.git
+
* Thu Jun 16 2011 Dan Walsh 3.9.16-29.1
- Fix spec file to not report Verify errors