diff --git a/modules-targeted.conf b/modules-targeted.conf
index 770508a..e3b5d24 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -2437,3 +2437,10 @@ ctdbd = module
 # fcoemon
 #
 fcoemon = module
+
+# Layer: services
+# Module: sblim
+#
+# sblim
+#
+sblim = module
diff --git a/policy-F16.patch b/policy-F16.patch
index 93056ad..f9db5f9 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -6147,7 +6147,7 @@ index 4f9dc90..8dc8a5f 100644
 +	relabel_lnk_files_pattern($2, irssi_home_t, irssi_home_t)
  ')
 diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te
-index 66beb80..702a727 100644
+index 66beb80..b69a628 100644
 --- a/policy/modules/apps/irc.te
 +++ b/policy/modules/apps/irc.te
 @@ -24,6 +24,30 @@ userdom_user_home_content(irc_tmp_t)
@@ -6190,7 +6190,7 @@ index 66beb80..702a727 100644
  
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(irc_t)
-@@ -101,3 +125,73 @@ tunable_policy(`use_samba_home_dirs',`
+@@ -101,3 +125,78 @@ tunable_policy(`use_samba_home_dirs',`
  optional_policy(`
  	nis_use_ypbind(irc_t)
  ')
@@ -6221,6 +6221,11 @@ index 66beb80..702a727 100644
 +corenet_tcp_sendrecv_ircd_port(irssi_t)
 +corenet_sendrecv_ircd_client_packets(irssi_t)
 +
++# tcp:7000 is often used for SSL irc
++corenet_tcp_connect_gatekeeper_port(irssi_t)
++corenet_tcp_sendrecv_gatekeeper_port(irssi_t)
++corenet_sendrecv_gatekeeper_client_packets(irssi_t)
++
 +# Privoxy
 +corenet_tcp_connect_http_cache_port(irssi_t)
 +corenet_tcp_sendrecv_http_cache_port(irssi_t)
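Review bot: The added `corenet_tcp_connect_gatekeeper_port(irssi_t)` grants more than its comment says. The gatekeeper port type defined in corenetwork.te.in in this same patch is `udp,1718 udp,1719 tcp,1721 tcp,7000`, so irssi_t can also connect to tcp/1721, not only the port used for SSL IRC. The comment should state that, for example `# tcp:7000 (often SSL irc) is labeled gatekeeper_port_t, which also covers tcp:1721`. If only IRC over SSL is intended, a narrower port label would be the tighter fix, though relabeling 7000 would affect existing gatekeeper users and needs checking. The irssi_t policy section continues outside this hunk.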
@@ -6491,10 +6496,19 @@ index 0000000..bb02f40
 +')
 +
 diff --git a/policy/modules/apps/kdumpgui.te b/policy/modules/apps/kdumpgui.te
-index 2dde73a..12281bb 100644
+index 2dde73a..e4ccac2 100644
 --- a/policy/modules/apps/kdumpgui.te
 +++ b/policy/modules/apps/kdumpgui.te
-@@ -47,6 +47,12 @@ miscfiles_read_localization(kdumpgui_t)
+@@ -36,6 +36,8 @@ files_manage_etc_runtime_files(kdumpgui_t)
+ files_etc_filetrans_etc_runtime(kdumpgui_t, file)
+ files_read_usr_files(kdumpgui_t)
+ 
++fs_read_dos_files(kdumpgui_t)
++
+ storage_raw_read_fixed_disk(kdumpgui_t)
+ storage_raw_write_fixed_disk(kdumpgui_t)
+ 
+@@ -47,6 +49,12 @@ miscfiles_read_localization(kdumpgui_t)
  
  init_dontaudit_read_all_script_files(kdumpgui_t)
  
@@ -11876,7 +11890,7 @@ index 4f3b542..5a41e58 100644
  	corenet_udp_recvfrom_labeled($1, $2)
  	corenet_raw_recvfrom_labeled($1, $2)
 diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 99b71cb..7345e5f 100644
+index 99b71cb..fd75b96 100644
 --- a/policy/modules/kernel/corenetwork.te.in
 +++ b/policy/modules/kernel/corenetwork.te.in
 @@ -11,11 +11,14 @@ attribute netif_type;
@@ -11921,7 +11935,19 @@ index 99b71cb..7345e5f 100644
  type client_packet_t, packet_type, client_packet_type;
  
  #
-@@ -65,22 +81,26 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
+@@ -50,6 +66,11 @@ type port_t, port_type;
+ sid port gen_context(system_u:object_r:port_t,s0)
+ 
+ #
++# port_t is the default type of INET port numbers.
++#
++type unreserved_port_t, unreserved_port_type;
++
++#
+ # reserved_port_t is the type of INET port numbers below 1024.
+ #
+ type reserved_port_t, port_type, reserved_port_type;
+@@ -65,22 +86,26 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
  type server_packet_t, packet_type, server_packet_type;
  
  network_port(afs_bos, udp,7007,s0)
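Review bot: The comment added above `type unreserved_port_t, unreserved_port_type;` was copied from port_t and describes the wrong type; it should read something like `# unreserved_port_t is the default type of INET port numbers 1024 and above that have no more specific portcon.` The declaration also omits the `port_type` attribute that `reserved_port_t` and `hi_reserved_port_t` carry, so rules written against `port_type` would not cover it unless that is deliberate. With the `portcon tcp 1024-65535` and `portcon udp 1024-65535` lines added in the later `@@ -238,6 +289,8 @@` hunk, every high port that is not otherwise labeled moves from port_t to unreserved_port_t. Domains that were allowed to bind or connect to port_t for such ports then need a matching rule, so it is worth confirming that the generic-port interfaces were updated. The declaration of the `unreserved_port_type` attribute is not visible in this hunk.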
@@ -11949,7 +11975,7 @@ index 99b71cb..7345e5f 100644
  type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
  network_port(certmaster, tcp,51235,s0)
  network_port(chronyd, udp,323,s0)
-@@ -88,7 +108,9 @@ network_port(clamd, tcp,3310,s0)
+@@ -88,7 +113,9 @@ network_port(clamd, tcp,3310,s0)
  network_port(clockspeed, udp,4041,s0)
  network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0)
  network_port(cobbler, tcp,25151,s0)
@@ -11959,7 +11985,7 @@ index 99b71cb..7345e5f 100644
  network_port(cvs, tcp,2401,s0, udp,2401,s0)
  network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
  network_port(daap, tcp,3689,s0, udp,3689,s0)
-@@ -99,9 +121,14 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
+@@ -99,9 +126,14 @@ network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
  network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
  network_port(dict, tcp,2628,s0)
  network_port(distccd, tcp,3632,s0)
@@ -11974,7 +12000,7 @@ index 99b71cb..7345e5f 100644
  network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
  network_port(ftp_data, tcp,20,s0)
  network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
-@@ -129,20 +156,25 @@ network_port(iscsi, tcp,3260,s0)
+@@ -129,20 +161,25 @@ network_port(iscsi, tcp,3260,s0)
  network_port(isns, tcp,3205,s0, udp,3205,s0)
  network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
  network_port(jabber_interserver, tcp,5269,s0)
@@ -12003,7 +12029,7 @@ index 99b71cb..7345e5f 100644
  network_port(mpd, tcp,6600,s0)
  network_port(msnp, tcp,1863,s0, udp,1863,s0)
  network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0)
-@@ -155,13 +187,21 @@ network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
+@@ -155,13 +192,21 @@ network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0)
  network_port(nmbd, udp,137,s0, udp,138,s0)
  network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0)
  network_port(ntp, udp,123,s0)
@@ -12017,7 +12043,7 @@ index 99b71cb..7345e5f 100644
  network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
  network_port(pingd, tcp,9125,s0)
 +network_port(piranha, tcp,3636,s0)
-+network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443, s0, tcp, 9444, s0, tcp, 9445, s0)
++network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443-9446, s0)
 +network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443, s0, tcp, 10444, s0, tcp, 10445, s0)
 +network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443, s0, tcp, 11444, s0, tcp, 11445, s0)
 +network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443, s0, tcp, 13444, s0, tcp, 13445, s0)
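Review bot: Collapsing the pki_ca list to `tcp, 9443-9446` also labels tcp/9446, which the old enumeration (9443, 9444, 9445) did not cover. If that extra port is intended it deserves a mention in the commit message; otherwise the range should be `9443-9445`. The sibling pki_kra, pki_ocsp and pki_tks lines still list their three ports individually, so the two forms are now inconsistent.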
@@ -12026,7 +12052,12 @@ index 99b71cb..7345e5f 100644
  network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
  network_port(portmap, udp,111,s0, tcp,111,s0)
  network_port(postfix_policyd, tcp,10031,s0)
-@@ -183,25 +223,29 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
+@@ -179,29 +224,34 @@ network_port(radacct, udp,1646,s0, udp,1813,s0)
+ network_port(radius, udp,1645,s0, udp,1812,s0)
+ network_port(radsec, tcp,2083,s0)
+ network_port(razor, tcp,2703,s0)
++network_port(repository, tcp, 6363, s0)
+ network_port(ricci, tcp,11111,s0, udp,11111,s0)
  network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
  network_port(rlogind, tcp,513,s0)
  network_port(rndc, tcp,953,s0)
@@ -12059,7 +12090,7 @@ index 99b71cb..7345e5f 100644
  network_port(syslogd, udp,514,s0)
  network_port(tcs, tcp, 30003, s0)
  network_port(telnetd, tcp,23,s0)
-@@ -215,7 +259,7 @@ network_port(uucpd, tcp,540,s0)
+@@ -215,7 +265,7 @@ network_port(uucpd, tcp,540,s0)
  network_port(varnishd, tcp,6081-6082,s0)
  network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
  network_port(virt_migration, tcp,49152-49216,s0)
@@ -12068,7 +12099,7 @@ index 99b71cb..7345e5f 100644
  network_port(wccp, udp,2048,s0)
  network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 )
  network_port(xdmcp, udp,177,s0, tcp,177,s0)
-@@ -229,6 +273,7 @@ network_port(zookeeper_client, tcp,2181,s0)
+@@ -229,6 +279,7 @@ network_port(zookeeper_client, tcp,2181,s0)
  network_port(zookeeper_election, tcp,3888,s0)
  network_port(zookeeper_leader, tcp,2888,s0)
  network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
@@ -12076,7 +12107,16 @@ index 99b71cb..7345e5f 100644
  network_port(zope, tcp,8021,s0)
  
  # Defaults for reserved ports.	Earlier portcon entries take precedence;
-@@ -282,9 +327,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
+@@ -238,6 +289,8 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+ portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+ portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
+ portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
++portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
++portcon tcp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
+ 
+ ########################################
+ #
+@@ -282,9 +335,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
  allow corenet_unconfined_type node_type:node *;
  allow corenet_unconfined_type netif_type:netif *;
  allow corenet_unconfined_type packet_type:packet *;
@@ -13651,7 +13691,7 @@ index fae1ab1..da927bb 100644
 +dontaudit can_change_object_identity can_change_object_identity:key link;
 +
 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index c19518a..ba08cfe 100644
+index c19518a..b630279c 100644
 --- a/policy/modules/kernel/files.fc
 +++ b/policy/modules/kernel/files.fc
 @@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -13662,7 +13702,12 @@ index c19518a..ba08cfe 100644
  ')
  
  ifdef(`distro_suse',`
-@@ -57,6 +58,13 @@ ifdef(`distro_suse',`
+@@ -53,10 +54,18 @@ ifdef(`distro_suse',`
+ /etc/ioctl\.save	--	gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/killpower		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/localtime		-l	gen_context(system_u:object_r:etc_t,s0)
++/etc/machine-id		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/mtab		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/mtab\.fuselock	--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/nohotplug		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/nologin.*		--	gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -13676,7 +13721,7 @@ index c19518a..ba08cfe 100644
  
  /etc/cups/client\.conf	--	gen_context(system_u:object_r:etc_t,s0)
  
-@@ -68,7 +76,10 @@ ifdef(`distro_suse',`
+@@ -68,7 +77,10 @@ ifdef(`distro_suse',`
  
  /etc/sysconfig/hwconf	--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -13688,7 +13733,7 @@ index c19518a..ba08cfe 100644
  
  ifdef(`distro_gentoo', `
  /etc/profile\.env	--	gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -102,10 +113,9 @@ HOME_ROOT/lost\+found/.*		<<none>>
+@@ -102,10 +114,9 @@ HOME_ROOT/lost\+found/.*		<<none>>
  /initrd			-d	gen_context(system_u:object_r:root_t,s0)
  
  #
@@ -13700,7 +13745,7 @@ index c19518a..ba08cfe 100644
  
  #
  # /lost+found
-@@ -146,7 +156,7 @@ HOME_ROOT/lost\+found/.*		<<none>>
+@@ -146,7 +157,7 @@ HOME_ROOT/lost\+found/.*		<<none>>
  /opt			-d	gen_context(system_u:object_r:usr_t,s0)
  /opt/.*				gen_context(system_u:object_r:usr_t,s0)
  
@@ -13709,7 +13754,7 @@ index c19518a..ba08cfe 100644
  
  #
  # /proc
-@@ -154,6 +164,12 @@ HOME_ROOT/lost\+found/.*		<<none>>
+@@ -154,6 +165,12 @@ HOME_ROOT/lost\+found/.*		<<none>>
  /proc			-d	<<none>>
  /proc/.*			<<none>>
  
@@ -13722,7 +13767,7 @@ index c19518a..ba08cfe 100644
  #
  # /run
  #
-@@ -214,7 +230,6 @@ HOME_ROOT/lost\+found/.*		<<none>>
+@@ -214,7 +231,6 @@ HOME_ROOT/lost\+found/.*		<<none>>
  
  ifndef(`distro_redhat',`
  /usr/local/src(/.*)?		gen_context(system_u:object_r:src_t,s0)
@@ -13730,7 +13775,7 @@ index c19518a..ba08cfe 100644
  /usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
  /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
  ')
-@@ -230,17 +245,20 @@ ifndef(`distro_redhat',`
+@@ -230,17 +246,20 @@ ifndef(`distro_redhat',`
  
  /var/ftp/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
  
@@ -13752,14 +13797,14 @@ index c19518a..ba08cfe 100644
  /var/run/.*			gen_context(system_u:object_r:var_run_t,s0)
  /var/run/.*\.*pid		<<none>>
  
-@@ -257,3 +275,5 @@ ifndef(`distro_redhat',`
+@@ -257,3 +276,5 @@ ifndef(`distro_redhat',`
  ifdef(`distro_debian',`
  /var/run/motd		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  ')
 +/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
 +/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
-index ff006ea..a049775 100644
+index ff006ea..367d234 100644
 --- a/policy/modules/kernel/files.if
 +++ b/policy/modules/kernel/files.if
 @@ -55,6 +55,7 @@
@@ -14713,7 +14758,7 @@ index ff006ea..a049775 100644
  ##	Read all process ID files.
  ## </summary>
  ## <param name="domain">
-@@ -5832,6 +6344,44 @@ interface(`files_read_all_pids',`
+@@ -5832,6 +6344,62 @@ interface(`files_read_all_pids',`
  
  	list_dirs_pattern($1, var_t, pidfile)
  	read_files_pattern($1, pidfile, pidfile)
@@ -14740,6 +14785,24 @@ index ff006ea..a049775 100644
 +
 +########################################
 +## <summary>
++##	Execute generic programs in /var/run in the caller domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_exec_generic_pid_files',`
++	gen_require(`
++		type var_run_t;
++	')
++
++	exec_files_pattern($1, var_run_t, var_run_t)
++')
++
++########################################
++## <summary>
 +##	manage all pidfiles 
 +##	in the /var/run directory.
 +## </summary>
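Review bot: `files_exec_generic_pid_files` lets the caller execute var_run_t files in its own domain, and var_run_t is the generic label for /var/run content that many domains are allowed to create. Any domain that can write var_run_t files can therefore supply code that runs with the caller's permissions, which is the write-plus-execute pattern policy normally avoids. The interface documentation should carry that caveat, for example a `<desc>` stating that callers should prefer a dedicated executable type with its own file context, and that this interface is for cases where relabeling is not possible. The callers of the new interface are not visible in this hunk, so which domain needs it cannot be checked here.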
@@ -14758,7 +14821,7 @@ index ff006ea..a049775 100644
  ')
  
  ########################################
-@@ -5900,6 +6450,90 @@ interface(`files_delete_all_pid_dirs',`
+@@ -5900,6 +6468,90 @@ interface(`files_delete_all_pid_dirs',`
  
  ########################################
  ## <summary>
@@ -14849,7 +14912,7 @@ index ff006ea..a049775 100644
  ##	Search the contents of generic spool
  ##	directories (/var/spool).
  ## </summary>
-@@ -6042,7 +6676,7 @@ interface(`files_spool_filetrans',`
+@@ -6042,7 +6694,7 @@ interface(`files_spool_filetrans',`
  	')
  
  	allow $1 var_t:dir search_dir_perms;
@@ -14858,7 +14921,7 @@ index ff006ea..a049775 100644
  ')
  
  ########################################
-@@ -6117,3 +6751,284 @@ interface(`files_unconfined',`
+@@ -6117,3 +6769,284 @@ interface(`files_unconfined',`
  
  	typeattribute $1 files_unconfined_type;
  ')
@@ -15941,7 +16004,7 @@ index 6346378..edbe041 100644
 +')
 +
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index d91c62f..2860a62 100644
+index d91c62f..9740613 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
 @@ -50,6 +50,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
@@ -15981,7 +16044,7 @@ index d91c62f..2860a62 100644
  
  corecmd_exec_shell(kernel_t)
  corecmd_list_bin(kernel_t)
-@@ -269,19 +276,40 @@ files_list_root(kernel_t)
+@@ -269,25 +276,47 @@ files_list_root(kernel_t)
  files_list_etc(kernel_t)
  files_list_home(kernel_t)
  files_read_usr_files(kernel_t)
@@ -16022,7 +16085,14 @@ index d91c62f..2860a62 100644
  optional_policy(`
  	hotplug_search_config(kernel_t)
  ')
-@@ -297,6 +325,19 @@ optional_policy(`
+ 
+ optional_policy(`
+ 	init_sigchld(kernel_t)
++	init_dyntrans(kernel_t)
+ ')
+ 
+ optional_policy(`
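Review bot: `init_dyntrans(kernel_t)` is added without a comment, and a dynamic transition lets a kernel_t process switch into init's domain without an exec, which is one of the more sensitive process permissions. A one-line why-comment would help, for example `# init started from the initramfs loads policy while still kernel_t, then dyntransitions to its own domain`. That is presumably the reason, but it should be confirmed by the author. The definition of init_dyntrans is not in this hunk, so the target type is assumed.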
+@@ -297,6 +326,19 @@ optional_policy(`
  
  optional_policy(`
  	logging_send_syslog_msg(kernel_t)
@@ -16042,7 +16112,7 @@ index d91c62f..2860a62 100644
  ')
  
  optional_policy(`
-@@ -334,9 +375,7 @@ optional_policy(`
+@@ -334,9 +376,7 @@ optional_policy(`
  		fs_read_noxattr_fs_files(kernel_t)
  		fs_read_noxattr_fs_symlinks(kernel_t)
  
@@ -16053,7 +16123,7 @@ index d91c62f..2860a62 100644
  	')
  
  	tunable_policy(`nfs_export_all_rw',`
-@@ -345,7 +384,7 @@ optional_policy(`
+@@ -345,7 +385,7 @@ optional_policy(`
  		fs_read_noxattr_fs_files(kernel_t)
  		fs_read_noxattr_fs_symlinks(kernel_t)
  
@@ -16062,7 +16132,7 @@ index d91c62f..2860a62 100644
  	')
  ')
  
-@@ -358,6 +397,15 @@ optional_policy(`
+@@ -358,6 +398,15 @@ optional_policy(`
  	unconfined_domain_noaudit(kernel_t)
  ')
  
@@ -16377,7 +16447,7 @@ index ca7e808..23a065c 100644
 +')
 +
 diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
-index 1700ef2..02ff02d7 100644
+index 1700ef2..6b7eabb 100644
 --- a/policy/modules/kernel/storage.if
 +++ b/policy/modules/kernel/storage.if
 @@ -101,6 +101,8 @@ interface(`storage_raw_read_fixed_disk',`
@@ -16397,7 +16467,7 @@ index 1700ef2..02ff02d7 100644
  	dev_add_entry_generic_dirs($1)
  ')
  
-@@ -808,3 +811,358 @@ interface(`storage_unconfined',`
+@@ -808,3 +811,368 @@ interface(`storage_unconfined',`
  
  	typeattribute $1 storage_unconfined_type;
  ')
@@ -16498,6 +16568,16 @@ index 1700ef2..02ff02d7 100644
 +	dev_filetrans($1, removable_device_t, blk_file, "cm207")
 +	dev_filetrans($1, removable_device_t, blk_file, "cm208")
 +	dev_filetrans($1, removable_device_t, blk_file, "cm209")
++	dev_filetrans($1, fixed_disk_device_t, blk_file, "md0")
++	dev_filetrans($1, fixed_disk_device_t, blk_file, "md1")
++	dev_filetrans($1, fixed_disk_device_t, blk_file, "md2")
++	dev_filetrans($1, fixed_disk_device_t, blk_file, "md3")
++	dev_filetrans($1, fixed_disk_device_t, blk_file, "md4")
++	dev_filetrans($1, fixed_disk_device_t, blk_file, "md5")
++	dev_filetrans($1, fixed_disk_device_t, blk_file, "md6")
++	dev_filetrans($1, fixed_disk_device_t, blk_file, "md7")
++	dev_filetrans($1, fixed_disk_device_t, blk_file, "md8")
++	dev_filetrans($1, fixed_disk_device_t, blk_file, "md9")
 +	dev_filetrans($1, fixed_disk_device_t, blk_file, "sda")
 +	dev_filetrans($1, fixed_disk_device_t, blk_file, "sda0")
 +	dev_filetrans($1, fixed_disk_device_t, blk_file, "sda1")
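Review bot: The named transitions for md devices stop at `md9`, so an array node created as md10 or higher would not get fixed_disk_device_t from this interface. mdadm commonly auto-assembles unnamed arrays as md127, md126 and so on, and such a node would fall back to the parent directory's label until it is relabeled. Either add the names actually seen on target systems, for example `dev_filetrans($1, fixed_disk_device_t, blk_file, "md127")`, or add a comment that only md0 to md9 are covered. The enclosing interface starts and ends outside this hunk.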
@@ -17771,7 +17851,7 @@ index 2be17d2..1a6d9d1 100644
 +	userdom_execmod_user_home_files(staff_usertype)
 +')
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index e14b961..a9aeb68 100644
+index e14b961..9db59b0 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
 @@ -24,20 +24,55 @@ ifndef(`enable_mls',`
@@ -17946,7 +18026,7 @@ index e14b961..a9aeb68 100644
  ')
  
  optional_policy(`
-@@ -225,12 +278,20 @@ optional_policy(`
+@@ -225,17 +278,29 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17967,7 +18047,16 @@ index e14b961..a9aeb68 100644
  	ntp_stub()
  	corenet_udp_bind_ntp_port(sysadm_t)
  ')
-@@ -253,19 +314,19 @@ optional_policy(`
+ 
+ optional_policy(`
++	nx_filetrans_named_content(sysadm_t)
++')
++
++optional_policy(`
+ 	oav_run_update(sysadm_t, sysadm_r)
+ ')
+ 
+@@ -253,19 +318,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -17991,7 +18080,7 @@ index e14b961..a9aeb68 100644
  ')
  
  optional_policy(`
-@@ -274,10 +335,7 @@ optional_policy(`
+@@ -274,10 +339,7 @@ optional_policy(`
  
  optional_policy(`
  	rpm_run(sysadm_t, sysadm_r)
@@ -18003,7 +18092,7 @@ index e14b961..a9aeb68 100644
  ')
  
  optional_policy(`
-@@ -302,12 +360,18 @@ optional_policy(`
+@@ -302,12 +364,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18023,7 +18112,7 @@ index e14b961..a9aeb68 100644
  ')
  
  optional_policy(`
-@@ -332,7 +396,7 @@ optional_policy(`
+@@ -332,7 +400,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18032,7 +18121,7 @@ index e14b961..a9aeb68 100644
  ')
  
  optional_policy(`
-@@ -343,19 +407,15 @@ optional_policy(`
+@@ -343,19 +411,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18054,7 +18143,7 @@ index e14b961..a9aeb68 100644
  ')
  
  optional_policy(`
-@@ -367,45 +427,45 @@ optional_policy(`
+@@ -367,45 +431,45 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -18111,7 +18200,7 @@ index e14b961..a9aeb68 100644
  		auth_role(sysadm_r, sysadm_t)
  	')
  
-@@ -439,6 +499,7 @@ ifndef(`distro_redhat',`
+@@ -439,6 +503,7 @@ ifndef(`distro_redhat',`
  
  	optional_policy(`
  		gnome_role(sysadm_r, sysadm_t)
@@ -18119,20 +18208,20 @@ index e14b961..a9aeb68 100644
  	')
  
  	optional_policy(`
-@@ -446,11 +507,62 @@ ifndef(`distro_redhat',`
+@@ -446,11 +511,62 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
 -		irc_role(sysadm_r, sysadm_t)
 +		java_role(sysadm_r, sysadm_t)
++	')
++
++	optional_policy(`
++		lockdev_role(sysadm_r, sysadm_t)
  	')
  
  	optional_policy(`
 -		java_role(sysadm_r, sysadm_t)
-+		lockdev_role(sysadm_r, sysadm_t)
-+	')
-+
-+	optional_policy(`
 +		mozilla_role(sysadm_r, sysadm_t)
 +	')
 +
@@ -18894,10 +18983,10 @@ index 0000000..8b2cdf3
 +
 diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
 new file mode 100644
-index 0000000..f35e36b
+index 0000000..fc2c9ec
 --- /dev/null
 +++ b/policy/modules/roles/unconfineduser.te
-@@ -0,0 +1,549 @@
+@@ -0,0 +1,553 @@
 +policy_module(unconfineduser, 1.0.0)
 +
 +########################################
@@ -19307,6 +19396,10 @@ index 0000000..f35e36b
 +')
 +
 +optional_policy(`
++	nx_filetrans_named_content(unconfined_t)
++')
++
++optional_policy(`
 +	oddjob_run_mkhomedir(unconfined_t, unconfined_r)
 +')
 +
@@ -19991,13 +20084,14 @@ index 0b827c5..e03a970 100644
 +    read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
 +')
 diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
-index 30861ec..ced411a 100644
+index 30861ec..5f4db0c 100644
 --- a/policy/modules/services/abrt.te
 +++ b/policy/modules/services/abrt.te
-@@ -5,6 +5,14 @@ policy_module(abrt, 1.2.0)
+@@ -5,7 +5,17 @@ policy_module(abrt, 1.2.0)
  # Declarations
  #
  
+-type abrt_t;
 +## <desc>
 +##	<p>
 +##	Allow ABRT to modify public files
@@ -20006,14 +20100,17 @@ index 30861ec..ced411a 100644
 +## </desc>
 +gen_tunable(abrt_anon_write, false)
 +
- type abrt_t;
++attribute abrt_domain;
++
++type abrt_t, abrt_domain;
  type abrt_exec_t;
  init_daemon_domain(abrt_t, abrt_exec_t)
-@@ -32,6 +40,12 @@ files_type(abrt_var_cache_t)
+ 
+@@ -32,9 +42,15 @@ files_type(abrt_var_cache_t)
  type abrt_var_run_t;
  files_pid_file(abrt_var_run_t)
  
-+type abrt_dump_oops_t;
++type abrt_dump_oops_t, abrt_domain;
 +type abrt_dump_oops_exec_t;
 +init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t)
 +
@@ -20021,8 +20118,12 @@ index 30861ec..ced411a 100644
 +
  # type needed to allow all domains
  # to handle /var/cache/abrt
- type abrt_helper_t;
-@@ -43,14 +57,37 @@ ifdef(`enable_mcs',`
+-type abrt_helper_t;
++type abrt_helper_t, abrt_domain;
+ type abrt_helper_exec_t;
+ application_domain(abrt_helper_t, abrt_helper_exec_t)
+ role system_r types abrt_helper_t;
+@@ -43,14 +59,37 @@ ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
  ')
  
@@ -20030,12 +20131,12 @@ index 30861ec..ced411a 100644
 +# Support for ABRT retrace server
 +#
 +
-+type abrt_retrace_worker_t;
++type abrt_retrace_worker_t, abrt_domain;
 +type abrt_retrace_worker_exec_t;
 +application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
 +role system_r types abrt_retrace_worker_t;
 +
-+type abrt_retrace_coredump_t;
++type abrt_retrace_coredump_t, abrt_domain;
 +type abrt_retrace_coredump_exec_t;
 +application_domain(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t)
 +role system_r types abrt_retrace_coredump_t;
@@ -20062,7 +20163,7 @@ index 30861ec..ced411a 100644
  
  allow abrt_t self:fifo_file rw_fifo_file_perms;
  allow abrt_t self:tcp_socket create_stream_socket_perms;
-@@ -59,6 +96,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms;
+@@ -59,6 +98,7 @@ allow abrt_t self:unix_dgram_socket create_socket_perms;
  allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
  
  # abrt etc files
@@ -20070,7 +20171,7 @@ index 30861ec..ced411a 100644
  rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
  
  # log file
-@@ -69,6 +107,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
+@@ -69,6 +109,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file)
  manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
  manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
  files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
@@ -20078,7 +20179,7 @@ index 30861ec..ced411a 100644
  
  # abrt var/cache files
  manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
-@@ -82,7 +121,7 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
+@@ -82,10 +123,9 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
  manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
  manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
  manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
@@ -20086,8 +20187,11 @@ index 30861ec..ced411a 100644
 +files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })
  
  kernel_read_ring_buffer(abrt_t)
- kernel_read_system_state(abrt_t)
-@@ -104,6 +143,7 @@ corenet_tcp_connect_all_ports(abrt_t)
+-kernel_read_system_state(abrt_t)
+ kernel_rw_kernel_sysctl(abrt_t)
+ 
+ corecmd_exec_bin(abrt_t)
+@@ -104,6 +144,7 @@ corenet_tcp_connect_all_ports(abrt_t)
  corenet_sendrecv_http_client_packets(abrt_t)
  
  dev_getattr_all_chr_files(abrt_t)
@@ -20095,7 +20199,7 @@ index 30861ec..ced411a 100644
  dev_read_urand(abrt_t)
  dev_rw_sysfs(abrt_t)
  dev_dontaudit_read_raw_memory(abrt_t)
-@@ -113,7 +153,8 @@ domain_read_all_domains_state(abrt_t)
+@@ -113,7 +154,8 @@ domain_read_all_domains_state(abrt_t)
  domain_signull_all_domains(abrt_t)
  
  files_getattr_all_files(abrt_t)
@@ -20105,7 +20209,7 @@ index 30861ec..ced411a 100644
  files_read_var_symlinks(abrt_t)
  files_read_var_lib_files(abrt_t)
  files_read_usr_files(abrt_t)
-@@ -121,6 +162,8 @@ files_read_generic_tmp_files(abrt_t)
+@@ -121,6 +163,8 @@ files_read_generic_tmp_files(abrt_t)
  files_read_kernel_modules(abrt_t)
  files_dontaudit_list_default(abrt_t)
  files_dontaudit_read_default_files(abrt_t)
@@ -20114,7 +20218,7 @@ index 30861ec..ced411a 100644
  
  fs_list_inotifyfs(abrt_t)
  fs_getattr_all_fs(abrt_t)
-@@ -131,7 +174,7 @@ fs_read_nfs_files(abrt_t)
+@@ -131,15 +175,23 @@ fs_read_nfs_files(abrt_t)
  fs_read_nfs_symlinks(abrt_t)
  fs_search_all(abrt_t)
  
@@ -20122,9 +20226,10 @@ index 30861ec..ced411a 100644
 +sysnet_dns_name_resolve(abrt_t)
  
  logging_read_generic_logs(abrt_t)
- logging_send_syslog_msg(abrt_t)
-@@ -140,6 +183,16 @@ miscfiles_read_generic_certs(abrt_t)
- miscfiles_read_localization(abrt_t)
+-logging_send_syslog_msg(abrt_t)
+ 
+ miscfiles_read_generic_certs(abrt_t)
+-miscfiles_read_localization(abrt_t)
  
  userdom_dontaudit_read_user_home_content_files(abrt_t)
 +userdom_dontaudit_read_admin_home_files(abrt_t)
@@ -20140,7 +20245,7 @@ index 30861ec..ced411a 100644
  
  optional_policy(`
  	dbus_system_domain(abrt_t, abrt_exec_t)
-@@ -150,6 +203,11 @@ optional_policy(`
+@@ -150,6 +202,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20152,7 +20257,7 @@ index 30861ec..ced411a 100644
  	policykit_dbus_chat(abrt_t)
  	policykit_domtrans_auth(abrt_t)
  	policykit_read_lib(abrt_t)
-@@ -167,6 +225,7 @@ optional_policy(`
+@@ -167,6 +224,7 @@ optional_policy(`
  	rpm_exec(abrt_t)
  	rpm_dontaudit_manage_db(abrt_t)
  	rpm_manage_cache(abrt_t)
@@ -20160,7 +20265,7 @@ index 30861ec..ced411a 100644
  	rpm_manage_pid_files(abrt_t)
  	rpm_read_db(abrt_t)
  	rpm_signull(abrt_t)
-@@ -178,12 +237,18 @@ optional_policy(`
+@@ -178,12 +236,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -20180,7 +20285,7 @@ index 30861ec..ced411a 100644
  #
  
  allow abrt_helper_t self:capability { chown setgid sys_nice };
-@@ -200,9 +265,12 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
+@@ -200,23 +264,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
  read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
  
@@ -20188,12 +20293,18 @@ index 30861ec..ced411a 100644
 +
  domain_read_all_domains_state(abrt_helper_t)
  
- files_read_etc_files(abrt_helper_t)
+-files_read_etc_files(abrt_helper_t)
 +files_dontaudit_all_non_security_leaks(abrt_helper_t)
  
  fs_list_inotifyfs(abrt_helper_t)
  fs_getattr_all_fs(abrt_helper_t)
-@@ -216,7 +284,8 @@ miscfiles_read_localization(abrt_helper_t)
+ 
+ auth_use_nsswitch(abrt_helper_t)
+ 
+-logging_send_syslog_msg(abrt_helper_t)
+-
+-miscfiles_read_localization(abrt_helper_t)
+-
  term_dontaudit_use_all_ttys(abrt_helper_t)
  term_dontaudit_use_all_ptys(abrt_helper_t)
  
@@ -20203,7 +20314,7 @@ index 30861ec..ced411a 100644
  	userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
  	userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
  	dev_dontaudit_read_all_blk_files(abrt_helper_t)
-@@ -224,4 +293,131 @@ ifdef(`hide_broken_symptoms', `
+@@ -224,4 +287,124 @@ ifdef(`hide_broken_symptoms', `
  	dev_dontaudit_write_all_chr_files(abrt_helper_t)
  	dev_dontaudit_write_all_blk_files(abrt_helper_t)
  	fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
@@ -20211,7 +20322,7 @@ index 30861ec..ced411a 100644
 +	optional_policy(`
 +		rpm_dontaudit_leaks(abrt_helper_t)
 +	')
- ')
++')
 +
 +ifdef(`hide_broken_symptoms',`
 +	gen_require(`
@@ -20221,7 +20332,7 @@ index 30861ec..ced411a 100644
 +	allow abrt_t self:capability sys_resource;
 +	allow abrt_t domain:file write;
 +	allow abrt_t domain:process setrlimit;
-+')
+ ')
 +
 +#######################################
 +#
@@ -20238,20 +20349,13 @@ index 30861ec..ced411a 100644
 +read_files_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
 +read_lnk_files_pattern(abrt_retrace_coredump_t, abrt_retrace_spool_t, abrt_retrace_spool_t)
 +
-+kernel_read_system_state(abrt_retrace_coredump_t)
-+
 +corecmd_exec_bin(abrt_retrace_coredump_t)
 +corecmd_exec_shell(abrt_retrace_coredump_t)
 +
 +dev_read_urand(abrt_retrace_coredump_t)
 +
-+files_read_etc_files(abrt_retrace_coredump_t)
 +files_read_usr_files(abrt_retrace_coredump_t)
 +
-+logging_send_syslog_msg(abrt_retrace_coredump_t)
-+
-+miscfiles_read_localization(abrt_retrace_coredump_t)
-+
 +sysnet_dns_name_resolve(abrt_retrace_coredump_t)
 +
 +# to install debuginfo packages
@@ -20285,20 +20389,13 @@ index 30861ec..ced411a 100644
 +
 +can_exec(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
 +
-+kernel_read_system_state(abrt_retrace_worker_t)
-+
 +corecmd_exec_bin(abrt_retrace_worker_t)
 +corecmd_exec_shell(abrt_retrace_worker_t)
 +
 +dev_read_urand(abrt_retrace_worker_t)
 +
-+files_read_etc_files(abrt_retrace_worker_t)
 +files_read_usr_files(abrt_retrace_worker_t)
 +
-+logging_send_syslog_msg(abrt_retrace_worker_t)
-+
-+miscfiles_read_localization(abrt_retrace_worker_t)
-+
 +sysnet_dns_name_resolve(abrt_retrace_worker_t)
 +
 +optional_policy(`
@@ -20325,16 +20422,23 @@ index 30861ec..ced411a 100644
 +
 +kernel_read_kernel_sysctls(abrt_dump_oops_t)
 +kernel_read_ring_buffer(abrt_dump_oops_t)
-+kernel_read_system_state(abrt_dump_oops_t)
 +
 +domain_use_interactive_fds(abrt_dump_oops_t)
 +
-+files_read_etc_files(abrt_dump_oops_t)
-+
 +logging_read_generic_logs(abrt_dump_oops_t)
-+logging_send_syslog_msg(abrt_dump_oops_t)
 +
-+miscfiles_read_localization(abrt_dump_oops_t)
++#######################################
++#
++# Local policy for all abrt domain
++#
++
++kernel_read_system_state(abrt_domain)
++
++files_read_etc_files(abrt_domain)
++
++logging_send_syslog_msg(abrt_domain)
++
++miscfiles_read_localization(abrt_domain)
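Review bot: Moving the four common interfaces onto `abrt_domain` changes more than layout for abrt_helper_t. The visible hunks remove files_read_etc_files, logging_send_syslog_msg and miscfiles_read_localization from the helper but no kernel_read_system_state, so the helper appears to gain `kernel_read_system_state` through the attribute. That is probably harmless next to its existing `domain_read_all_domains_state`, but any type later given the attribute inherits all four rules. The section comment should say so, for example `# Local policy for all abrt domains (every type carrying the abrt_domain attribute)`; the heading currently reads "all abrt domain".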
 diff --git a/policy/modules/services/accountsd.if b/policy/modules/services/accountsd.if
 index c0f858d..d639ae0 100644
 --- a/policy/modules/services/accountsd.if
@@ -23155,7 +23259,7 @@ index 0197980..f8bce2c 100644
 +/var/run/bitlbee\.pid	--	gen_context(system_u:object_r:bitlbee_var_run_t,s0)
 +/var/run/bitlbee\.sock	-s	gen_context(system_u:object_r:bitlbee_var_run_t,s0)
 diff --git a/policy/modules/services/bitlbee.te b/policy/modules/services/bitlbee.te
-index f4e7ad3..68aebc4 100644
+index f4e7ad3..2faf42a 100644
 --- a/policy/modules/services/bitlbee.te
 +++ b/policy/modules/services/bitlbee.te
 @@ -22,29 +22,40 @@ files_tmp_file(bitlbee_tmp_t)
@@ -23172,7 +23276,7 @@ index f4e7ad3..68aebc4 100644
  
 -allow bitlbee_t self:capability { setgid setuid };
 -allow bitlbee_t self:process signal;
-+allow bitlbee_t self:capability { setgid setuid sys_nice };
++allow bitlbee_t self:capability { dac_override setgid setuid sys_nice };
 +allow bitlbee_t self:process { setsched signal };
 +
 +allow bitlbee_t self:fifo_file rw_fifo_file_perms;
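Review bot: `dac_override` on the changed `allow bitlbee_t self:capability` line lets the daemon bypass discretionary file-permission checks on everything its type rules already reach, and the hunk gives no reason for it. A denial for this capability usually points at a file or directory whose owner or mode does not match the user the daemon runs as, so correcting that ownership is preferable to granting the capability. If the grant stays, a comment above the rule should record why, for example `# dac_override: needed for <path from the AVC denial>`.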
@@ -23211,6 +23315,16 @@ index f4e7ad3..68aebc4 100644
  # Allow bitlbee to connect to jabber servers
  corenet_tcp_connect_jabber_client_port(bitlbee_t)
  corenet_tcp_sendrecv_jabber_client_port(bitlbee_t)
+@@ -69,6 +81,9 @@ corenet_tcp_connect_http_port(bitlbee_t)
+ corenet_tcp_sendrecv_http_port(bitlbee_t)
+ corenet_tcp_connect_http_cache_port(bitlbee_t)
+ corenet_tcp_sendrecv_http_cache_port(bitlbee_t)
++corenet_tcp_bind_ircd_port(bitlbee_t)
++corenet_tcp_sendrecv_ircd_port(bitlbee_t)
++corenet_sendrecv_ircd_server_packets(bitlbee_t)
+ 
+ dev_read_rand(bitlbee_t)
+ dev_read_urand(bitlbee_t)
 diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
 index 3e45431..4aa8fb1 100644
 --- a/policy/modules/services/bluetooth.if
@@ -26353,7 +26467,7 @@ index 5220c9d..a2e6830 100644
  ## <summary>
  ##	Allow the specified domain to read corosync's log files.
 diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te
-index 04969e5..4e1d434 100644
+index 04969e5..f0f7e1a 100644
 --- a/policy/modules/services/corosync.te
 +++ b/policy/modules/services/corosync.te
 @@ -32,8 +32,8 @@ files_pid_file(corosync_var_run_t)
@@ -26396,7 +26510,7 @@ index 04969e5..4e1d434 100644
  
  auth_use_nsswitch(corosync_t)
  
-@@ -83,19 +89,37 @@ logging_send_syslog_msg(corosync_t)
+@@ -83,19 +89,42 @@ logging_send_syslog_msg(corosync_t)
  
  miscfiles_read_localization(corosync_t)
  
@@ -26417,13 +26531,17 @@ index 04969e5..4e1d434 100644
 -	rhcs_rw_dlm_controld_semaphores(corosync_t)
 +	cmirrord_rw_shm(corosync_t)
 +')
- 
--	rhcs_rw_fenced_semaphores(corosync_t)
++
 +optional_policy(`
-+	drbd_domtrans(corosync_t)
++	dbus_system_bus_client(corosync_t)
 +')
 +
 +optional_policy(`
++	drbd_domtrans(corosync_t)
++')
+ 
+-	rhcs_rw_fenced_semaphores(corosync_t)
++optional_policy(`
 +	lvm_rw_clvmd_tmpfs_files(corosync_t)
 +	lvm_delete_clvmd_tmpfs_files(corosync_t)
 +')
@@ -26435,6 +26553,7 @@ index 04969e5..4e1d434 100644
 +	rhcs_rw_cluster_semaphores(corosync_t)
 +	rhcs_stream_connect_cluster(corosync_t)
 +	rhcs_read_cluster_lib_files(corosync_t)
++	rhcs_manage_cluster_lib_files(corosync_t)
  ')
  
  optional_policy(`
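Review bot: `rhcs_manage_cluster_lib_files(corosync_t)` is added directly below `rhcs_read_cluster_lib_files(corosync_t)`, which it makes redundant. The new interface, defined further down this patch, expands to `manage_files_pattern` on cluster_var_lib_t, and that already includes read access. Dropping the read call leaves one line that states the access corosync_t is actually meant to have. The enclosing optional_policy block starts outside the hunk.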
@@ -27476,24 +27595,27 @@ index f7583ab..3c9cf5a 100644
  
 diff --git a/policy/modules/services/ctdbd.fc b/policy/modules/services/ctdbd.fc
 new file mode 100644
-index 0000000..e490a2a
+index 0000000..2db6b61
 --- /dev/null
 +++ b/policy/modules/services/ctdbd.fc
-@@ -0,0 +1,15 @@
+@@ -0,0 +1,18 @@
 +
 +/etc/rc\.d/init\.d/ctdb	--	gen_context(system_u:object_r:ctdbd_initrc_exec_t,s0)
 +
-+/var/log/log.ctdb		gen_context(system_u:object_r:ctdbd_log_t,s0)
++/etc/ctdb(/.*)?				gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
++
++/usr/sbin/ctdbd			--	gen_context(system_u:object_r:ctdbd_exec_t,s0)
++
++/var/log/log\.ctdb		--	gen_context(system_u:object_r:ctdbd_log_t,s0)
 +
 +/var/spool/ctdb(/.*)?		gen_context(system_u:object_r:ctdbd_spool_t,s0)
 +
 +/var/run/ctdbd(/.*)?		gen_context(system_u:object_r:ctdbd_var_run_t,s0)
 +
-+/usr/sbin/ctdbd		--	gen_context(system_u:object_r:ctdbd_exec_t,s0)
 +
 +/var/ctdbd(/.*)?		gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
-+/var/ctdb(/.*)?        gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
-+/var/lib/ctdbd(/.*)?		gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
++/var/ctdb(/.*)?			gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
++/var/lib/ctdbd(/.*)?	gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
 +
 diff --git a/policy/modules/services/ctdbd.if b/policy/modules/services/ctdbd.if
 new file mode 100644
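Review bot: The new entry `/etc/ctdb(/.*)?` labels the whole configuration directory `ctdbd_var_lib_t`, the same type used for the daemon's state under /var/lib/ctdbd, so any domain given write access to ctdb state also gets write access to its configuration. This patch later adds `ctdbd_manage_lib_files(smbd_t)` to samba.te. If that interface grants manage access on ctdbd_var_lib_t (its definition is not in view), smbd_t could then modify files under /etc/ctdb. A separate type for the configuration tree, readable by ctdbd_t and writable only by administrators, would keep state and configuration apart.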
@@ -27758,7 +27880,7 @@ index 0000000..9146ef1
 +
 diff --git a/policy/modules/services/ctdbd.te b/policy/modules/services/ctdbd.te
 new file mode 100644
-index 0000000..5e2a4bd
+index 0000000..579e420
 --- /dev/null
 +++ b/policy/modules/services/ctdbd.te
 @@ -0,0 +1,114 @@
@@ -27835,11 +27957,13 @@ index 0000000..5e2a4bd
 +kernel_read_system_state(ctdbd_t)
 +
 +corenet_tcp_bind_generic_node(ctdbd_t)
++corenet_tcp_bind_ctdb_port(ctdbd_t)
 +
 +corecmd_exec_bin(ctdbd_t)
 +corecmd_exec_shell(ctdbd_t)
 +
 +dev_read_sysfs(ctdbd_t)
++dev_read_urand(ctdbd_t)
 +
 +domain_use_interactive_fds(ctdbd_t)
 +domain_dontaudit_read_all_domains_state(ctdbd_t)
@@ -27852,8 +27976,6 @@ index 0000000..5e2a4bd
 +miscfiles_read_localization(ctdbd_t)
 +miscfiles_read_public_files(ctdbd_t)
 +
-+#corenet_tcp_bind_ctdbd_cache_port(traffic_manager_t)
-+#corenet_tcp_connect_ctdbd_cache_port(traffic_manager_t)
 +
 +optional_policy(`
 +	consoletype_exec(ctdbd_t)
@@ -27870,7 +27992,7 @@ index 0000000..5e2a4bd
 +optional_policy(`
 +	samba_initrc_domtrans(ctdbd_t)
 +	samba_domtrans_net(ctdbd_t)
-+	samba_read_var_files(ctdbd_t)
++	samba_rw_var_files(ctdbd_t)
 +')
 +
 +optional_policy(`
@@ -36210,10 +36332,10 @@ index 0000000..e2cda9b
 +
 diff --git a/policy/modules/services/lldpad.te b/policy/modules/services/lldpad.te
 new file mode 100644
-index 0000000..1c74e98
+index 0000000..b5ba929
 --- /dev/null
 +++ b/policy/modules/services/lldpad.te
-@@ -0,0 +1,68 @@
+@@ -0,0 +1,70 @@
 +policy_module(lldpad, 1.0.0)
 +
 +########################################
@@ -36279,6 +36401,8 @@ index 0000000..1c74e98
 +
 +miscfiles_read_localization(lldpad_t)
 +
++userdom_dgram_send(lldpad_t)
++
 +optional_policy(`
 +	fcoemon_dgram_send(lldpad_t)
 +')
@@ -40365,7 +40489,7 @@ index ff962dd..c856c64 100644
  dev_rw_generic_usb_dev(nut_upsdrvctl_t)
  
 diff --git a/policy/modules/services/nx.if b/policy/modules/services/nx.if
-index 79a225c..cbb2bce 100644
+index 79a225c..d82b231 100644
 --- a/policy/modules/services/nx.if
 +++ b/policy/modules/services/nx.if
 @@ -33,8 +33,10 @@ interface(`nx_read_home_files',`
@@ -40387,13 +40511,31 @@ index 79a225c..cbb2bce 100644
  	allow $1 nx_server_var_lib_t:dir search_dir_perms;
  ')
  
-@@ -81,5 +84,6 @@ interface(`nx_var_lib_filetrans',`
+@@ -81,5 +84,24 @@ interface(`nx_var_lib_filetrans',`
  		type nx_server_var_lib_t;
  	')
  
 +	files_search_var_lib($1)
  	filetrans_pattern($1, nx_server_var_lib_t, $2, $3)
  ')
++
++########################################
++## <summary>
++##	Transition to nx named content
++## </summary>
++## <param name="domain">
++##	<summary>
++##      Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`nx_filetrans_named_content',`
++	gen_require(`
++		type nx_server_home_ssh_t, nx_server_var_lib_t;
++	')
++
++	filetrans_pattern($1, nx_server_var_lib_t, nx_server_home_ssh_t, dir, ".ssh")
++')
 diff --git a/policy/modules/services/nx.te b/policy/modules/services/nx.te
 index ebb9582..1c72c6e 100644
 --- a/policy/modules/services/nx.te
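Review bot: The new `nx_filetrans_named_content` interface omits `files_search_var_lib($1)`, although this same hunk adds that call to `nx_var_lib_filetrans` just above it. Adding `files_search_var_lib($1)` before the `filetrans_pattern` line would keep the two interfaces consistent. The summary "Transition to nx named content" also does not say what is created. Something like `Create a .ssh directory in the nx server lib directory with the nx_server_home_ssh_t type` would match what the rule does.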
@@ -44224,7 +44366,7 @@ index 2855a44..c71fa1e 100644
  		type puppet_tmp_t;
  	')
 diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
-index 64c5f95..81cc685 100644
+index 64c5f95..313f77d 100644
 --- a/policy/modules/services/puppet.te
 +++ b/policy/modules/services/puppet.te
 @@ -5,13 +5,23 @@ policy_module(puppet, 1.0.0)
@@ -44346,7 +44488,7 @@ index 64c5f95..81cc685 100644
  #
  
  allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
-@@ -171,29 +239,34 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
+@@ -171,29 +239,35 @@ allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
  allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
  allow puppetmaster_t self:socket create;
  allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
@@ -44365,6 +44507,7 @@ index 64c5f95..81cc685 100644
  manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
  manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
 +allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms;
++allow puppetmaster_t puppet_var_lib_t:file relabel_file_perms;
  
  setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
 +create_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
@@ -44384,7 +44527,7 @@ index 64c5f95..81cc685 100644
  
  corecmd_exec_bin(puppetmaster_t)
  corecmd_exec_shell(puppetmaster_t)
-@@ -206,21 +279,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t)
+@@ -206,21 +280,46 @@ corenet_tcp_bind_generic_node(puppetmaster_t)
  corenet_tcp_bind_puppet_port(puppetmaster_t)
  corenet_sendrecv_puppet_server_packets(puppetmaster_t)
  
@@ -44434,7 +44577,7 @@ index 64c5f95..81cc685 100644
  optional_policy(`
  	hostname_exec(puppetmaster_t)
  ')
-@@ -231,3 +329,9 @@ optional_policy(`
+@@ -231,3 +330,9 @@ optional_policy(`
  	rpm_exec(puppetmaster_t)
  	rpm_read_db(puppetmaster_t)
  ')
@@ -45882,7 +46025,7 @@ index c2ba53b..853eeb5 100644
  /var/log/cluster/fenced\.log.*		--	gen_context(system_u:object_r:fenced_var_log_t,s0)
  /var/log/cluster/gfs_controld\.log.*	--	gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
 diff --git a/policy/modules/services/rhcs.if b/policy/modules/services/rhcs.if
-index de37806..229a3c7 100644
+index de37806..175c89b 100644
 --- a/policy/modules/services/rhcs.if
 +++ b/policy/modules/services/rhcs.if
 @@ -13,7 +13,7 @@
@@ -46007,7 +46150,7 @@ index de37806..229a3c7 100644
  ######################################
  ## <summary>
  ##	Execute a domain transition to run qdiskd.
-@@ -353,3 +410,41 @@ interface(`rhcs_domtrans_qdiskd',`
+@@ -353,3 +410,60 @@ interface(`rhcs_domtrans_qdiskd',`
  	corecmd_search_bin($1)
  	domtrans_pattern($1, qdiskd_exec_t, qdiskd_t)
  ')
@@ -46049,6 +46192,25 @@ index de37806..229a3c7 100644
 +	files_search_var_lib($1)
 +	read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
 +')
++
++#####################################
++## <summary>
++##  Allow domain to manage cluster lib files
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed access.
++##  </summary>
++## </param>
++#
++interface(`rhcs_manage_cluster_lib_files',`
++    gen_require(`
++        type cluster_var_lib_t;
++    ')
++
++    files_search_var_lib($1)
++    manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
++')
 diff --git a/policy/modules/services/rhcs.te b/policy/modules/services/rhcs.te
 index 93c896a..2331615 100644
 --- a/policy/modules/services/rhcs.te
@@ -48313,7 +48475,7 @@ index 82cb169..9e72970 100644
 +	admin_pattern($1, samba_unconfined_script_exec_t)
  ')
 diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..a23112b 100644
+index e30bb63..2977339 100644
 --- a/policy/modules/services/samba.te
 +++ b/policy/modules/services/samba.te
 @@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
@@ -48410,17 +48572,18 @@ index e30bb63..a23112b 100644
  ')
  
  # Support Samba sharing of NFS mount points
-@@ -410,6 +407,9 @@ tunable_policy(`samba_share_fusefs',`
+@@ -410,6 +407,10 @@ tunable_policy(`samba_share_fusefs',`
  	fs_search_fusefs(smbd_t)
  ')
  
 +optional_policy(`
 +	ctdbd_stream_connect(smbd_t)
++	ctdbd_manage_lib_files(smbd_t)
 +')
  
  optional_policy(`
  	cups_read_rw_config(smbd_t)
-@@ -445,26 +445,25 @@ optional_policy(`
+@@ -445,26 +446,25 @@ optional_policy(`
  tunable_policy(`samba_create_home_dirs',`
  	allow smbd_t self:capability chown;
  	userdom_create_user_home_dirs(smbd_t)
@@ -48454,7 +48617,7 @@ index e30bb63..a23112b 100644
  ########################################
  #
  # nmbd Local policy
-@@ -484,8 +483,9 @@ allow nmbd_t self:udp_socket create_socket_perms;
+@@ -484,8 +484,9 @@ allow nmbd_t self:udp_socket create_socket_perms;
  allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
  allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
  
@@ -48465,7 +48628,7 @@ index e30bb63..a23112b 100644
  
  read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
  read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
-@@ -560,13 +560,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms;
+@@ -560,13 +561,13 @@ allow smbcontrol_t self:fifo_file rw_file_perms;
  allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
  
  allow smbcontrol_t nmbd_t:process { signal signull };
@@ -48483,7 +48646,7 @@ index e30bb63..a23112b 100644
  samba_read_config(smbcontrol_t)
  samba_rw_var_files(smbcontrol_t)
  samba_search_var(smbcontrol_t)
-@@ -578,7 +578,7 @@ files_read_etc_files(smbcontrol_t)
+@@ -578,7 +579,7 @@ files_read_etc_files(smbcontrol_t)
  
  miscfiles_read_localization(smbcontrol_t)
  
@@ -48492,7 +48655,7 @@ index e30bb63..a23112b 100644
  
  ########################################
  #
-@@ -644,19 +644,21 @@ auth_use_nsswitch(smbmount_t)
+@@ -644,19 +645,21 @@ auth_use_nsswitch(smbmount_t)
  
  miscfiles_read_localization(smbmount_t)
  
@@ -48517,7 +48680,7 @@ index e30bb63..a23112b 100644
  ########################################
  #
  # SWAT Local policy
-@@ -677,7 +679,7 @@ samba_domtrans_nmbd(swat_t)
+@@ -677,7 +680,7 @@ samba_domtrans_nmbd(swat_t)
  allow swat_t nmbd_t:process { signal signull };
  allow nmbd_t swat_t:process signal;
  
@@ -48526,7 +48689,7 @@ index e30bb63..a23112b 100644
  
  allow swat_t smbd_port_t:tcp_socket name_bind;
  
-@@ -692,12 +694,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
+@@ -692,12 +695,14 @@ manage_files_pattern(swat_t, samba_log_t, samba_log_t)
  manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
  
  manage_files_pattern(swat_t, samba_var_t, samba_var_t)
@@ -48541,7 +48704,7 @@ index e30bb63..a23112b 100644
  
  manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
  manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
-@@ -710,6 +714,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
+@@ -710,6 +715,7 @@ allow swat_t winbind_exec_t:file mmap_file_perms;
  domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
  allow swat_t winbind_t:process { signal signull };
  
@@ -48549,7 +48712,7 @@ index e30bb63..a23112b 100644
  allow swat_t winbind_var_run_t:dir { write add_name remove_name };
  allow swat_t winbind_var_run_t:sock_file { create unlink };
  
-@@ -754,6 +759,8 @@ logging_search_logs(swat_t)
+@@ -754,6 +760,8 @@ logging_search_logs(swat_t)
  
  miscfiles_read_localization(swat_t)
  
@@ -48558,7 +48721,7 @@ index e30bb63..a23112b 100644
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -806,15 +813,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
+@@ -806,15 +814,16 @@ rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
  allow winbind_t winbind_log_t:file manage_file_perms;
  logging_log_filetrans(winbind_t, winbind_log_t, file)
  
@@ -48580,7 +48743,7 @@ index e30bb63..a23112b 100644
  kernel_read_kernel_sysctls(winbind_t)
  kernel_read_system_state(winbind_t)
  
-@@ -833,6 +841,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
+@@ -833,6 +842,7 @@ corenet_udp_sendrecv_all_ports(winbind_t)
  corenet_tcp_bind_generic_node(winbind_t)
  corenet_udp_bind_generic_node(winbind_t)
  corenet_tcp_connect_smbd_port(winbind_t)
@@ -48588,7 +48751,7 @@ index e30bb63..a23112b 100644
  corenet_tcp_connect_epmap_port(winbind_t)
  corenet_tcp_connect_all_unreserved_ports(winbind_t)
  
-@@ -904,7 +913,7 @@ logging_send_syslog_msg(winbind_helper_t)
+@@ -904,7 +914,7 @@ logging_send_syslog_msg(winbind_helper_t)
  
  miscfiles_read_localization(winbind_helper_t) 
  
@@ -48597,7 +48760,7 @@ index e30bb63..a23112b 100644
  
  optional_policy(`
  	apache_append_log(winbind_helper_t)
-@@ -922,6 +931,18 @@ optional_policy(`
+@@ -922,6 +932,18 @@ optional_policy(`
  #
  
  optional_policy(`
@@ -48616,7 +48779,7 @@ index e30bb63..a23112b 100644
  	type samba_unconfined_script_t;
  	type samba_unconfined_script_exec_t;
  	domain_type(samba_unconfined_script_t)
-@@ -932,9 +953,12 @@ optional_policy(`
+@@ -932,9 +954,12 @@ optional_policy(`
  	allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
  	allow smbd_t samba_unconfined_script_exec_t:file ioctl;
  
@@ -48775,10 +48938,10 @@ index 0000000..486d53d
 +')
 diff --git a/policy/modules/services/sanlock.te b/policy/modules/services/sanlock.te
 new file mode 100644
-index 0000000..f050bc5
+index 0000000..dae577a
 --- /dev/null
 +++ b/policy/modules/services/sanlock.te
-@@ -0,0 +1,61 @@
+@@ -0,0 +1,65 @@
 +policy_module(sanlock,1.0.0)
 +
 +########################################
@@ -48819,12 +48982,16 @@ index 0000000..f050bc5
 +manage_sock_files_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
 +files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
 +
++kernel_read_system_state(sanlock_t)
++
 +domain_use_interactive_fds(sanlock_t)
 +
 +files_read_etc_files(sanlock_t)
 +
 +storage_raw_rw_fixed_disk(sanlock_t)
 +
++dev_read_urand(sanlock_t)
++
 +logging_send_syslog_msg(sanlock_t)
 +
 +init_read_utmp(sanlock_t)
@@ -48914,6 +49081,205 @@ index cfc60dd..53a9d2d 100644
  ')
  
  optional_policy(`
+diff --git a/policy/modules/services/sblim.fc b/policy/modules/services/sblim.fc
+new file mode 100644
+index 0000000..d5c3c3f
+--- /dev/null
++++ b/policy/modules/services/sblim.fc
+@@ -0,0 +1,6 @@
++
++/usr/sbin/gatherd		--	gen_context(system_u:object_r:sblim_gatherd_exec_t,s0)
++
++/usr/sbin/reposd		--	gen_context(system_u:object_r:sblim_reposd_exec_t,s0)
++
++/var/run/gather(/.*)?		gen_context(system_u:object_r:sblim_var_run_t,s0)
+diff --git a/policy/modules/services/sblim.if b/policy/modules/services/sblim.if
+new file mode 100644
+index 0000000..8aef188
+--- /dev/null
++++ b/policy/modules/services/sblim.if
+@@ -0,0 +1,78 @@
++
++## <summary> policy for SBLIM Gatherer </summary>
++
++########################################
++## <summary>
++##	Transition to gatherd.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`sblim_gatherd_domtrans',`
++	gen_require(`
++		type sblim_gatherd_t, sblim_gatherd_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, sblim_gatherd_exec_t, sblim_gatherd_t)
++')
++
++
++########################################
++## <summary>
++##	Read gatherd PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`sblim_read_pid_files',`
++	gen_require(`
++		type sblim_var_run_t;
++	')
++
++	files_search_pids($1)
++	allow $1 gatherd_var_run_t:file read_file_perms;
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an gatherd environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`sblim_admin',`
++	gen_require(`
++		type sblim_gatherd_t;
++		type sblim_reposd_t;
++		type sblim_var_run_t;
++	')
++
++	allow $1 sblim_gatherd_t:process { ptrace signal_perms };
++	ps_process_pattern($1, sblim_gatherd_t)
++
++	allow $1 sblim_reposd_t:process { ptrace signal_perms };
++    ps_process_pattern($1, sblim_reposd_t)
++
++	files_search_pids($1)
++	admin_pattern($1, sblim_var_run_t)
++
++')
++
+diff --git a/policy/modules/services/sblim.te b/policy/modules/services/sblim.te
+new file mode 100644
+index 0000000..3ced316
+--- /dev/null
++++ b/policy/modules/services/sblim.te
+@@ -0,0 +1,97 @@
++policy_module(sblim, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++attribute sblim_domain;
++
++type sblim_gatherd_t, sblim_domain;
++type sblim_gatherd_exec_t;
++init_daemon_domain(sblim_gatherd_t, sblim_gatherd_exec_t)
++
++permissive sblim_gatherd_t;
++
++type sblim_reposd_t, sblim_domain;
++type sblim_reposd_exec_t;
++init_daemon_domain(sblim_reposd_t, sblim_reposd_exec_t)
++
++permissive sblim_gatherd_t;
++
++type sblim_var_run_t;
++files_pid_file(sblim_var_run_t)
++
++########################################
++#
++# sblim_gatherd local policy
++#
++
++#needed by ps
++allow sblim_gatherd_t self:capability { sys_ptrace kill dac_override };
++
++allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
++allow sblim_gatherd_t self:unix_stream_socket create_stream_socket_perms;
++
++kernel_read_fs_sysctls(sblim_gatherd_t)
++kernel_read_kernel_sysctls(sblim_gatherd_t)
++
++corecmd_exec_bin(sblim_gatherd_t)
++corecmd_exec_shell(sblim_gatherd_t)
++
++corenet_tcp_connect_repository_port(sblim_gatherd_t)
++
++domain_read_all_domains_state(sblim_gatherd_t)
++
++fs_getattr_all_fs(sblim_gatherd_t)
++
++term_getattr_pty_fs(sblim_gatherd_t)
++
++init_read_utmp(sblim_gatherd_t)
++
++userdom_signull_unpriv_users(sblim_gatherd_t)
++
++optional_policy(`
++    sysnet_dns_name_resolve(sblim_gatherd_t)
++')
++
++optional_policy(`
++	virt_stream_connect(sblim_gatherd_t)
++')
++
++optional_policy(`
++    xen_stream_connect(sblim_gatherd_t)
++    xen_stream_connect_xenstore(sblim_gatherd_t)
++')
++
++#######################################
++#
++# sblim_reposd local policy
++#
++
++domtrans_pattern(sblim_gatherd_t, sblim_reposd_exec_t, sblim_reposd_t)
++
++corenet_tcp_bind_all_nodes(sblim_reposd_t)
++corenet_tcp_bind_repository_port(sblim_reposd_t)
++
++######################################
++#
++# sblim_domain local policy
++#
++
++allow sblim_domain self:tcp_socket create_stream_socket_perms;
++
++manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
++manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
++manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
++
++kernel_read_network_state(sblim_domain)
++kernel_read_system_state(sblim_domain)
++
++dev_read_sysfs(sblim_domain)
++
++logging_send_syslog_msg(sblim_domain)
++
++files_read_etc_files(sblim_domain)
++
++miscfiles_read_localization(sblim_domain)
 diff --git a/policy/modules/services/sendmail.fc b/policy/modules/services/sendmail.fc
 index a86ec50..ef4199b 100644
 --- a/policy/modules/services/sendmail.fc
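Review bot: In `sblim_read_pid_files` the allow rule names `gatherd_var_run_t`, a type that the interface's gen_require does not declare and that sblim.te in this hunk never defines. The module declares `sblim_var_run_t`, so the rule should read `allow $1 sblim_var_run_t:file read_file_perms;`. In sblim.te the line after the sblim_reposd_t declaration repeats `permissive sblim_gatherd_t;`, which looks like a copy-paste slip for `permissive sblim_reposd_t;`. As written, reposd is not permissive while its local policy holds only a domain transition and two bind rules. `sblim_admin` also documents a role parameter that its body never uses.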
@@ -51987,6 +52353,270 @@ index d4349e9..f14d337 100644
 -	nscd_socket_use(uux_t)
 +	postfix_rw_master_pipes(uux_t)
  ')
+diff --git a/policy/modules/services/uuidd.fc b/policy/modules/services/uuidd.fc
+new file mode 100644
+index 0000000..c184667
+--- /dev/null
++++ b/policy/modules/services/uuidd.fc
+@@ -0,0 +1,9 @@
++
++/etc/rc\.d/init\.d/uuidd	--	gen_context(system_u:object_r:uuidd_initrc_exec_t,s0)
++
++
++/usr/sbin/uuidd		--	gen_context(system_u:object_r:uuidd_exec_t,s0)
++
++/var/lib/libuuid(/.*)?		gen_context(system_u:object_r:uuidd_var_lib_t,s0)
++
++/var/run/uuidd(/.*)?		gen_context(system_u:object_r:uuidd_var_run_t,s0)
+diff --git a/policy/modules/services/uuidd.if b/policy/modules/services/uuidd.if
+new file mode 100644
+index 0000000..5a2fd4c
+--- /dev/null
++++ b/policy/modules/services/uuidd.if
+@@ -0,0 +1,193 @@
++## <summary>policy for uuidd</summary>
++
++########################################
++## <summary>
++##	Transition to uuidd.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`uuidd_domtrans',`
++	gen_require(`
++		type uuidd_t, uuidd_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1, uuidd_exec_t, uuidd_t)
++')
++
++########################################
++## <summary>
++##	Execute uuidd server in the uuidd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`uuidd_initrc_domtrans',`
++	gen_require(`
++		type uuidd_initrc_exec_t;
++	')
++
++	init_labeled_script_domtrans($1, uuidd_initrc_exec_t)
++')
++
++########################################
++## <summary>
++##	Search uuidd lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`uuidd_search_lib',`
++	gen_require(`
++		type uuidd_var_lib_t;
++	')
++
++	allow $1 uuidd_var_lib_t:dir search_dir_perms;
++	files_search_var_lib($1)
++')
++
++########################################
++## <summary>
++##	Read uuidd lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`uuidd_read_lib_files',`
++	gen_require(`
++		type uuidd_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	read_files_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage uuidd lib files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`uuidd_manage_lib_files',`
++	gen_require(`
++		type uuidd_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t)
++')
++
++########################################
++## <summary>
++##	Manage uuidd lib directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`uuidd_manage_lib_dirs',`
++	gen_require(`
++		type uuidd_var_lib_t;
++	')
++
++	files_search_var_lib($1)
++	manage_dirs_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t)
++')
++
++
++########################################
++## <summary>
++##	Read uuidd PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`uuidd_read_pid_files',`
++	gen_require(`
++		type uuidd_var_run_t;
++	')
++
++	files_search_pids($1)
++	allow $1 uuidd_var_run_t:file read_file_perms;
++')
++
++########################################
++## <summary>
++##	Connect to uuidd over an unix stream socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`uuidd_stream_connect_manager',`
++	gen_require(`
++		type uuidd_t, uuidd_var_run_t;
++	')
++
++	files_search_pids($1)
++	stream_connect_pattern($1, uuidd_var_run_t, uuidd_var_run_t, uuidd_t)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate
++##	an uuidd environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`uuidd_admin',`
++	gen_require(`
++		type uuidd_t;
++	type uuidd_initrc_exec_t;
++	type uuidd_var_lib_t;
++	type uuidd_var_run_t;
++	')
++
++	allow $1 uuidd_t:process { ptrace signal_perms };
++	ps_process_pattern($1, uuidd_t)
++
++	uuidd_initrc_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 uuidd_initrc_exec_t system_r;
++	allow $2 system_r;
++
++	files_search_var_lib($1)
++	admin_pattern($1, uuidd_var_lib_t)
++
++	files_search_pids($1)
++	admin_pattern($1, uuidd_var_run_t)
++')
+diff --git a/policy/modules/services/uuidd.te b/policy/modules/services/uuidd.te
+new file mode 100644
+index 0000000..1adb81a
+--- /dev/null
++++ b/policy/modules/services/uuidd.te
+@@ -0,0 +1,44 @@
++policy_module(uuidd, 1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type uuidd_t;
++type uuidd_exec_t;
++init_daemon_domain(uuidd_t, uuidd_exec_t)
++
++permissive uuidd_t;
++
++type uuidd_initrc_exec_t;
++init_script_file(uuidd_initrc_exec_t)
++
++type uuidd_var_lib_t;
++files_type(uuidd_var_lib_t)
++
++type uuidd_var_run_t;
++files_pid_file(uuidd_var_run_t)
++
++########################################
++#
++# uuidd local policy
++#
++allow uuidd_t self:capability { kill setuid };
++allow uuidd_t self:process { signal };
++
++allow uuidd_t self:fifo_file rw_fifo_file_perms;
++allow uuidd_t self:unix_stream_socket create_stream_socket_perms;
++
++manage_dirs_pattern(uuidd_t, uuidd_var_lib_t, uuidd_var_lib_t)
++manage_files_pattern(uuidd_t, uuidd_var_lib_t, uuidd_var_lib_t)
++
++manage_dirs_pattern(uuidd_t, uuidd_var_run_t, uuidd_var_run_t)
++manage_files_pattern(uuidd_t, uuidd_var_run_t, uuidd_var_run_t)
++manage_sock_files_pattern(uuidd_t, uuidd_var_run_t, uuidd_var_run_t)
++
++domain_use_interactive_fds(uuidd_t)
++
++files_read_etc_files(uuidd_t)
++
++miscfiles_read_localization(uuidd_t)
 diff --git a/policy/modules/services/varnishd.te b/policy/modules/services/varnishd.te
 index f9310f3..064171e 100644
 --- a/policy/modules/services/varnishd.te
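Review bot: uuidd.te grants uuidd_t manage access to `uuidd_var_run_t` and `uuidd_var_lib_t` but adds no type transition for either. Anything the daemon creates directly under /var/run or /var/lib would therefore keep the parent directory's type unless the labelled directories from uuidd.fc already exist. The sanlock policy shown earlier on this page pairs its manage rules with `files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })`. The equivalent here would be `files_pid_filetrans(uuidd_t, uuidd_var_run_t, { file dir sock_file })` and `files_var_lib_filetrans(uuidd_t, uuidd_var_lib_t, { file dir })`. Whether the package pre-creates those directories is not visible from the hunk.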
@@ -52801,7 +53431,7 @@ index 7c5d8d8..4feaf88 100644
 +	dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
  ')
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..5a0c2ce 100644
+index 3eca020..e18ede2 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
 @@ -5,56 +5,67 @@ policy_module(virt, 1.4.0)
@@ -52976,7 +53606,12 @@ index 3eca020..5a0c2ce 100644
  fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
  
  list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-@@ -133,6 +170,8 @@ dev_list_sysfs(svirt_t)
+@@ -130,9 +167,13 @@ corenet_tcp_connect_all_ports(svirt_t)
+ 
+ dev_list_sysfs(svirt_t)
+ 
++fs_getattr_xattr_fs(svirt_t)
++
  userdom_search_user_home_content(svirt_t)
  userdom_read_user_home_content_symlinks(svirt_t)
  userdom_read_all_users_state(svirt_t)
@@ -52985,7 +53620,7 @@ index 3eca020..5a0c2ce 100644
  
  tunable_policy(`virt_use_comm',`
  	term_use_unallocated_ttys(svirt_t)
-@@ -147,11 +186,15 @@ tunable_policy(`virt_use_fusefs',`
+@@ -147,11 +188,15 @@ tunable_policy(`virt_use_fusefs',`
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(svirt_t)
  	fs_manage_nfs_files(svirt_t)
@@ -53001,7 +53636,7 @@ index 3eca020..5a0c2ce 100644
  ')
  
  tunable_policy(`virt_use_sysfs',`
-@@ -160,11 +203,22 @@ tunable_policy(`virt_use_sysfs',`
+@@ -160,11 +205,22 @@ tunable_policy(`virt_use_sysfs',`
  
  tunable_policy(`virt_use_usb',`
  	dev_rw_usbfs(svirt_t)
@@ -53024,7 +53659,7 @@ index 3eca020..5a0c2ce 100644
  	xen_rw_image_files(svirt_t)
  ')
  
-@@ -174,21 +228,35 @@ optional_policy(`
+@@ -174,21 +230,35 @@ optional_policy(`
  #
  
  allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
@@ -53065,7 +53700,7 @@ index 3eca020..5a0c2ce 100644
  
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -200,8 +268,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
+@@ -200,8 +270,15 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
  manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
  manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -53083,7 +53718,7 @@ index 3eca020..5a0c2ce 100644
  
  manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
  manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -217,9 +292,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
+@@ -217,9 +294,15 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
  files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  
@@ -53099,7 +53734,7 @@ index 3eca020..5a0c2ce 100644
  kernel_request_load_module(virtd_t)
  kernel_search_debugfs(virtd_t)
  
-@@ -239,22 +320,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -239,22 +322,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
  corenet_rw_tun_tap_dev(virtd_t)
  
  dev_rw_sysfs(virtd_t)
@@ -53132,7 +53767,7 @@ index 3eca020..5a0c2ce 100644
  
  fs_list_auto_mountpoints(virtd_t)
  fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +352,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -262,6 +354,18 @@ fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
  fs_rw_cgroup_files(virtd_t)
@@ -53151,14 +53786,14 @@ index 3eca020..5a0c2ce 100644
  
  mcs_process_set_categories(virtd_t)
  
-@@ -285,16 +387,29 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +389,29 @@ modutils_read_module_config(virtd_t)
  modutils_manage_module_config(virtd_t)
  
  logging_send_syslog_msg(virtd_t)
 +logging_send_audit_msgs(virtd_t)
-+
-+selinux_validate_context(virtd_t)
  
++selinux_validate_context(virtd_t)
++
 +seutil_read_config(virtd_t)
  seutil_read_default_contexts(virtd_t)
 +seutil_read_file_contexts(virtd_t)
@@ -53181,7 +53816,7 @@ index 3eca020..5a0c2ce 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -313,6 +428,10 @@ optional_policy(`
+@@ -313,6 +430,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53192,7 +53827,7 @@ index 3eca020..5a0c2ce 100644
  	dbus_system_bus_client(virtd_t)
  
  	optional_policy(`
-@@ -329,11 +448,17 @@ optional_policy(`
+@@ -329,11 +450,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53210,7 +53845,7 @@ index 3eca020..5a0c2ce 100644
  ')
  
  optional_policy(`
-@@ -365,6 +490,12 @@ optional_policy(`
+@@ -365,6 +492,12 @@ optional_policy(`
  	qemu_signal(virtd_t)
  	qemu_kill(virtd_t)
  	qemu_setsched(virtd_t)
@@ -53223,7 +53858,7 @@ index 3eca020..5a0c2ce 100644
  ')
  
  optional_policy(`
-@@ -385,23 +516,37 @@ optional_policy(`
+@@ -385,29 +518,45 @@ optional_policy(`
  	udev_read_db(virtd_t)
  ')
  
@@ -53266,7 +53901,15 @@ index 3eca020..5a0c2ce 100644
  append_files_pattern(virt_domain, virt_log_t, virt_log_t)
  
  append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -418,10 +563,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
+ 
+ kernel_read_system_state(virt_domain)
+ 
++fs_getattr_xattr_fs(virt_domain)
++
+ corecmd_exec_bin(virt_domain)
+ corecmd_exec_shell(virt_domain)
+ 
+@@ -418,10 +567,11 @@ corenet_tcp_sendrecv_generic_node(virt_domain)
  corenet_tcp_sendrecv_all_ports(virt_domain)
  corenet_tcp_bind_generic_node(virt_domain)
  corenet_tcp_bind_vnc_port(virt_domain)
@@ -53279,7 +53922,7 @@ index 3eca020..5a0c2ce 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -429,10 +575,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +579,12 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -53292,7 +53935,7 @@ index 3eca020..5a0c2ce 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,14 +588,20 @@ files_search_all(virt_domain)
+@@ -440,14 +592,20 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -53300,12 +53943,12 @@ index 3eca020..5a0c2ce 100644
 +fs_rw_inherited_nfs_files(virt_domain)
 +fs_rw_inherited_cifs_files(virt_domain)
 +fs_rw_inherited_noxattr_fs_files(virt_domain)
-+
+ 
+-term_use_all_terms(virt_domain)
 +# I think we need these for now.
 +miscfiles_read_public_files(virt_domain)
 +storage_raw_read_removable_device(virt_domain)
- 
--term_use_all_terms(virt_domain)
++
 +term_use_all_inherited_terms(virt_domain)
  term_getattr_pty_fs(virt_domain)
  term_use_generic_ptys(virt_domain)
@@ -53316,7 +53959,7 @@ index 3eca020..5a0c2ce 100644
  logging_send_syslog_msg(virt_domain)
  
  miscfiles_read_localization(virt_domain)
-@@ -457,8 +611,176 @@ optional_policy(`
+@@ -457,8 +615,176 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -53913,7 +54556,7 @@ index 4966c94..cb2e1a3 100644
 +/var/lib/pqsql/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 +
 diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
-index 130ced9..1772fa2 100644
+index 130ced9..b6fb17a 100644
 --- a/policy/modules/services/xserver.if
 +++ b/policy/modules/services/xserver.if
 @@ -19,9 +19,10 @@
@@ -53998,11 +54641,12 @@ index 130ced9..1772fa2 100644
  	xserver_xsession_entry_type($2)
  	xserver_dontaudit_write_log($2)
  	xserver_stream_connect_xdm($2)
-@@ -106,12 +116,23 @@ interface(`xserver_restricted_role',`
+@@ -106,12 +116,24 @@ interface(`xserver_restricted_role',`
  	xserver_create_xdm_tmp_sockets($2)
  	# Needed for escd, remove if we get escd policy
  	xserver_manage_xdm_tmp_files($2)
 +	xserver_read_xdm_etc_files($2)
++	xserver_xdm_append_log($2)
 +
 +	modutils_run_insmod(xserver_t, $1)
  
@@ -54022,7 +54666,7 @@ index 130ced9..1772fa2 100644
  ')
  
  ########################################
-@@ -143,13 +164,15 @@ interface(`xserver_role',`
+@@ -143,13 +165,15 @@ interface(`xserver_role',`
  	allow $2 xserver_tmpfs_t:file rw_file_perms;
  
  	allow $2 iceauth_home_t:file manage_file_perms;
@@ -54040,7 +54684,7 @@ index 130ced9..1772fa2 100644
  	relabel_dirs_pattern($2, user_fonts_t, user_fonts_t)
  	relabel_files_pattern($2, user_fonts_t, user_fonts_t)
  
-@@ -162,7 +185,6 @@ interface(`xserver_role',`
+@@ -162,7 +186,6 @@ interface(`xserver_role',`
  	manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
  	relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
  	relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
@@ -54048,7 +54692,7 @@ index 130ced9..1772fa2 100644
  ')
  
  #######################################
-@@ -197,7 +219,7 @@ interface(`xserver_ro_session',`
+@@ -197,7 +220,7 @@ interface(`xserver_ro_session',`
  	allow $1 xserver_t:process signal;
  
  	# Read /tmp/.X0-lock
@@ -54057,7 +54701,7 @@ index 130ced9..1772fa2 100644
  
  	# Client read xserver shm
  	allow $1 xserver_t:fd use;
-@@ -227,7 +249,7 @@ interface(`xserver_rw_session',`
+@@ -227,7 +250,7 @@ interface(`xserver_rw_session',`
  		type xserver_t, xserver_tmpfs_t;
  	')
  
@@ -54066,7 +54710,7 @@ index 130ced9..1772fa2 100644
  	allow $1 xserver_t:shm rw_shm_perms;
  	allow $1 xserver_tmpfs_t:file rw_file_perms;
  ')
-@@ -255,7 +277,7 @@ interface(`xserver_non_drawing_client',`
+@@ -255,7 +278,7 @@ interface(`xserver_non_drawing_client',`
  
  	allow $1 self:x_gc { create setattr };
  
@@ -54075,7 +54719,7 @@ index 130ced9..1772fa2 100644
  	allow $1 xserver_t:unix_stream_socket connectto;
  
  	allow $1 xextension_t:x_extension { query use };
-@@ -291,13 +313,13 @@ interface(`xserver_user_client',`
+@@ -291,13 +314,13 @@ interface(`xserver_user_client',`
  	allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
  
  	# Read .Xauthority file
@@ -54093,7 +54737,7 @@ index 130ced9..1772fa2 100644
  	allow $1 xdm_tmp_t:sock_file { read write };
  	dontaudit $1 xdm_t:tcp_socket { read write };
  
-@@ -342,19 +364,23 @@ interface(`xserver_user_client',`
+@@ -342,19 +365,23 @@ interface(`xserver_user_client',`
  #
  template(`xserver_common_x_domain_template',`
  	gen_require(`
@@ -54120,7 +54764,7 @@ index 130ced9..1772fa2 100644
  	')
  
  	##############################
-@@ -386,6 +412,15 @@ template(`xserver_common_x_domain_template',`
+@@ -386,6 +413,15 @@ template(`xserver_common_x_domain_template',`
  	allow $2 xevent_t:{ x_event x_synthetic_event } receive;
  	# dont audit send failures
  	dontaudit $2 input_xevent_type:x_event send;
@@ -54136,7 +54780,7 @@ index 130ced9..1772fa2 100644
  ')
  
  #######################################
-@@ -444,8 +479,9 @@ template(`xserver_object_types_template',`
+@@ -444,8 +480,9 @@ template(`xserver_object_types_template',`
  #
  template(`xserver_user_x_domain_template',`
  	gen_require(`
@@ -54148,7 +54792,7 @@ index 130ced9..1772fa2 100644
  	')
  
  	allow $2 self:shm create_shm_perms;
-@@ -456,11 +492,18 @@ template(`xserver_user_x_domain_template',`
+@@ -456,11 +493,18 @@ template(`xserver_user_x_domain_template',`
  	allow $2 xauth_home_t:file read_file_perms;
  	allow $2 iceauth_home_t:file read_file_perms;
  
@@ -54169,7 +54813,7 @@ index 130ced9..1772fa2 100644
  	dontaudit $2 xdm_t:tcp_socket { read write };
  
  	# Allow connections to X server.
-@@ -472,20 +515,26 @@ template(`xserver_user_x_domain_template',`
+@@ -472,20 +516,26 @@ template(`xserver_user_x_domain_template',`
  	# for .xsession-errors
  	userdom_dontaudit_write_user_home_content_files($2)
  
@@ -54198,7 +54842,7 @@ index 130ced9..1772fa2 100644
  ')
  
  ########################################
-@@ -517,6 +566,7 @@ interface(`xserver_use_user_fonts',`
+@@ -517,6 +567,7 @@ interface(`xserver_use_user_fonts',`
  	# Read per user fonts
  	allow $1 user_fonts_t:dir list_dir_perms;
  	allow $1 user_fonts_t:file read_file_perms;
@@ -54206,7 +54850,7 @@ index 130ced9..1772fa2 100644
  
  	# Manipulate the global font cache
  	manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
-@@ -549,6 +599,24 @@ interface(`xserver_domtrans_xauth',`
+@@ -549,6 +600,24 @@ interface(`xserver_domtrans_xauth',`
  
  ########################################
  ## <summary>
@@ -54231,7 +54875,7 @@ index 130ced9..1772fa2 100644
  ##	Create a Xauthority file in the user home directory.
  ## </summary>
  ## <param name="domain">
-@@ -598,6 +666,7 @@ interface(`xserver_read_user_xauth',`
+@@ -598,6 +667,7 @@ interface(`xserver_read_user_xauth',`
  
  	allow $1 xauth_home_t:file read_file_perms;
  	userdom_search_user_home_dirs($1)
@@ -54239,7 +54883,7 @@ index 130ced9..1772fa2 100644
  ')
  
  ########################################
-@@ -615,7 +684,7 @@ interface(`xserver_setattr_console_pipes',`
+@@ -615,7 +685,7 @@ interface(`xserver_setattr_console_pipes',`
  		type xconsole_device_t;
  	')
  
@@ -54248,7 +54892,7 @@ index 130ced9..1772fa2 100644
  ')
  
  ########################################
-@@ -638,6 +707,25 @@ interface(`xserver_rw_console',`
+@@ -638,6 +708,25 @@ interface(`xserver_rw_console',`
  
  ########################################
  ## <summary>
@@ -54274,7 +54918,7 @@ index 130ced9..1772fa2 100644
  ##	Use file descriptors for xdm.
  ## </summary>
  ## <param name="domain">
-@@ -651,7 +739,7 @@ interface(`xserver_use_xdm_fds',`
+@@ -651,7 +740,7 @@ interface(`xserver_use_xdm_fds',`
  		type xdm_t;
  	')
  
@@ -54283,7 +54927,7 @@ index 130ced9..1772fa2 100644
  ')
  
  ########################################
-@@ -670,7 +758,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
+@@ -670,7 +759,7 @@ interface(`xserver_dontaudit_use_xdm_fds',`
  		type xdm_t;
  	')
  
@@ -54292,7 +54936,7 @@ index 130ced9..1772fa2 100644
  ')
  
  ########################################
-@@ -688,7 +776,7 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -688,7 +777,7 @@ interface(`xserver_rw_xdm_pipes',`
  		type xdm_t;
  	')
  
@@ -54301,7 +54945,7 @@ index 130ced9..1772fa2 100644
  ')
  
  ########################################
-@@ -703,12 +791,11 @@ interface(`xserver_rw_xdm_pipes',`
+@@ -703,12 +792,11 @@ interface(`xserver_rw_xdm_pipes',`
  ## </param>
  #
  interface(`xserver_dontaudit_rw_xdm_pipes',`
@@ -54315,7 +54959,7 @@ index 130ced9..1772fa2 100644
  ')
  
  ########################################
-@@ -724,11 +811,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
+@@ -724,11 +812,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
  #
  interface(`xserver_stream_connect_xdm',`
  	gen_require(`
@@ -54349,7 +54993,7 @@ index 130ced9..1772fa2 100644
  ')
  
  ########################################
-@@ -752,6 +859,25 @@ interface(`xserver_read_xdm_rw_config',`
+@@ -752,6 +860,25 @@ interface(`xserver_read_xdm_rw_config',`
  
  ########################################
  ## <summary>
@@ -54375,7 +55019,7 @@ index 130ced9..1772fa2 100644
  ##	Set the attributes of XDM temporary directories.
  ## </summary>
  ## <param name="domain">
-@@ -765,7 +891,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
+@@ -765,7 +892,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',`
  		type xdm_tmp_t;
  	')
  
@@ -54384,7 +55028,7 @@ index 130ced9..1772fa2 100644
  ')
  
  ########################################
-@@ -805,7 +931,26 @@ interface(`xserver_read_xdm_pid',`
+@@ -805,7 +932,26 @@ interface(`xserver_read_xdm_pid',`
  	')
  
  	files_search_pids($1)
@@ -54412,7 +55056,7 @@ index 130ced9..1772fa2 100644
  ')
  
  ########################################
-@@ -828,6 +973,24 @@ interface(`xserver_read_xdm_lib_files',`
+@@ -828,6 +974,24 @@ interface(`xserver_read_xdm_lib_files',`
  
  ########################################
  ## <summary>
@@ -54437,7 +55081,7 @@ index 130ced9..1772fa2 100644
  ##	Make an X session script an entrypoint for the specified domain.
  ## </summary>
  ## <param name="domain">
-@@ -897,7 +1060,7 @@ interface(`xserver_getattr_log',`
+@@ -897,7 +1061,7 @@ interface(`xserver_getattr_log',`
  	')
  
  	logging_search_logs($1)
@@ -54446,7 +55090,7 @@ index 130ced9..1772fa2 100644
  ')
  
  ########################################
-@@ -916,7 +1079,7 @@ interface(`xserver_dontaudit_write_log',`
+@@ -916,7 +1080,7 @@ interface(`xserver_dontaudit_write_log',`
  		type xserver_log_t;
  	')
  
@@ -54455,7 +55099,7 @@ index 130ced9..1772fa2 100644
  ')
  
  ########################################
-@@ -963,6 +1126,45 @@ interface(`xserver_read_xkb_libs',`
+@@ -963,6 +1127,45 @@ interface(`xserver_read_xkb_libs',`
  
  ########################################
  ## <summary>
@@ -54501,7 +55145,7 @@ index 130ced9..1772fa2 100644
  ##	Read xdm temporary files.
  ## </summary>
  ## <param name="domain">
-@@ -976,7 +1178,7 @@ interface(`xserver_read_xdm_tmp_files',`
+@@ -976,7 +1179,7 @@ interface(`xserver_read_xdm_tmp_files',`
  		type xdm_tmp_t;
  	')
  
@@ -54510,7 +55154,7 @@ index 130ced9..1772fa2 100644
  	read_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
  ')
  
-@@ -1038,6 +1240,42 @@ interface(`xserver_manage_xdm_tmp_files',`
+@@ -1038,6 +1241,42 @@ interface(`xserver_manage_xdm_tmp_files',`
  
  ########################################
  ## <summary>
@@ -54553,7 +55197,7 @@ index 130ced9..1772fa2 100644
  ##	Do not audit attempts to get the attributes of
  ##	xdm temporary named sockets.
  ## </summary>
-@@ -1052,7 +1290,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
+@@ -1052,7 +1291,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
  		type xdm_tmp_t;
  	')
  
@@ -54562,7 +55206,7 @@ index 130ced9..1772fa2 100644
  ')
  
  ########################################
-@@ -1070,8 +1308,10 @@ interface(`xserver_domtrans',`
+@@ -1070,8 +1309,10 @@ interface(`xserver_domtrans',`
  		type xserver_t, xserver_exec_t;
  	')
  
@@ -54574,7 +55218,7 @@ index 130ced9..1772fa2 100644
  ')
  
  ########################################
-@@ -1185,6 +1425,26 @@ interface(`xserver_stream_connect',`
+@@ -1185,6 +1426,26 @@ interface(`xserver_stream_connect',`
  
  	files_search_tmp($1)
  	stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t)
@@ -54601,7 +55245,7 @@ index 130ced9..1772fa2 100644
  ')
  
  ########################################
-@@ -1210,7 +1470,7 @@ interface(`xserver_read_tmp_files',`
+@@ -1210,7 +1471,7 @@ interface(`xserver_read_tmp_files',`
  ## <summary>
  ##	Interface to provide X object permissions on a given X server to
  ##	an X client domain.  Gives the domain permission to read the
@@ -54610,7 +55254,7 @@ index 130ced9..1772fa2 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1220,13 +1480,23 @@ interface(`xserver_read_tmp_files',`
+@@ -1220,13 +1481,23 @@ interface(`xserver_read_tmp_files',`
  #
  interface(`xserver_manage_core_devices',`
  	gen_require(`
@@ -54635,7 +55279,7 @@ index 130ced9..1772fa2 100644
  ')
  
  ########################################
-@@ -1243,10 +1513,458 @@ interface(`xserver_manage_core_devices',`
+@@ -1243,10 +1514,458 @@ interface(`xserver_manage_core_devices',`
  #
  interface(`xserver_unconfined',`
  	gen_require(`
@@ -57556,7 +58200,7 @@ index 354ce93..b8b14b9 100644
  ')
 +/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
-index 94fd8dd..354e39c 100644
+index 94fd8dd..417ec32 100644
 --- a/policy/modules/system/init.if
 +++ b/policy/modules/system/init.if
 @@ -79,6 +79,42 @@ interface(`init_script_domain',`
@@ -57724,7 +58368,7 @@ index 94fd8dd..354e39c 100644
  	')
  ')
  
-@@ -401,16 +428,19 @@ interface(`init_system_domain',`
+@@ -401,20 +428,41 @@ interface(`init_system_domain',`
  interface(`init_ranged_system_domain',`
  	gen_require(`
  		type initrc_t;
@@ -57744,7 +58388,29 @@ index 94fd8dd..354e39c 100644
  		mls_rangetrans_target($1)
  	')
  ')
-@@ -451,6 +481,10 @@ interface(`init_exec',`
+ 
++######################################
++## <summary>
++##  Allow domain dyntransition to init_t domain.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain allowed to transition.
++##  </summary>
++## </param>
++#
++interface(`init_dyntrans',`
++    gen_require(`
++        type anon_sftpd_t;
++    ')
++
++    dyntrans_pattern($1, init_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	Execute init (/sbin/init) with a domain transition.
+@@ -451,6 +499,10 @@ interface(`init_exec',`
  
  	corecmd_search_bin($1)
  	can_exec($1, init_exec_t)
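Review bot: The new `init_dyntrans` interface requires `type anon_sftpd_t;` in its `gen_require` block, but the rule it emits is `dyntrans_pattern($1, init_t)`, so `init_t` is used without being required and an unrelated type is pulled in. This looks like a copy-paste leftover, and the block should read `type init_t;`. As written, the interface presumably also depends on whichever module declares `anon_sftpd_t` being present. A dynamic transition into `init_t` gives the caller init's domain without an exec boundary, so the `<summary>` should name the intended caller to discourage wider reuse. The body is indented with spaces, while the neighbouring interfaces in this file use tabs.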
@@ -57755,7 +58421,7 @@ index 94fd8dd..354e39c 100644
  ')
  
  ########################################
-@@ -509,6 +543,24 @@ interface(`init_sigchld',`
+@@ -509,6 +561,24 @@ interface(`init_sigchld',`
  
  ########################################
  ## <summary>
@@ -57780,7 +58446,7 @@ index 94fd8dd..354e39c 100644
  ##	Connect to init with a unix socket.
  ## </summary>
  ## <param name="domain">
-@@ -519,10 +571,29 @@ interface(`init_sigchld',`
+@@ -519,10 +589,29 @@ interface(`init_sigchld',`
  #
  interface(`init_stream_connect',`
  	gen_require(`
@@ -57812,7 +58478,7 @@ index 94fd8dd..354e39c 100644
  ')
  
  ########################################
-@@ -688,19 +759,25 @@ interface(`init_telinit',`
+@@ -688,19 +777,25 @@ interface(`init_telinit',`
  		type initctl_t;
  	')
  
@@ -57839,7 +58505,7 @@ index 94fd8dd..354e39c 100644
  	')
  ')
  
-@@ -730,7 +807,7 @@ interface(`init_rw_initctl',`
+@@ -730,7 +825,7 @@ interface(`init_rw_initctl',`
  ## </summary>
  ## <param name="domain">
  ##	<summary>
@@ -57848,7 +58514,7 @@ index 94fd8dd..354e39c 100644
  ##	</summary>
  ## </param>
  #
-@@ -773,18 +850,19 @@ interface(`init_script_file_entry_type',`
+@@ -773,18 +868,19 @@ interface(`init_script_file_entry_type',`
  #
  interface(`init_spec_domtrans_script',`
  	gen_require(`
@@ -57872,7 +58538,7 @@ index 94fd8dd..354e39c 100644
  	')
  ')
  
-@@ -800,19 +878,41 @@ interface(`init_spec_domtrans_script',`
+@@ -800,23 +896,45 @@ interface(`init_spec_domtrans_script',`
  #
  interface(`init_domtrans_script',`
  	gen_require(`
@@ -57895,11 +58561,11 @@ index 94fd8dd..354e39c 100644
  	ifdef(`enable_mls',`
 -		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
 +		range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
-+	')
-+')
-+
-+########################################
-+## <summary>
+ 	')
+ ')
+ 
+ ########################################
+ ## <summary>
 +##	Execute a file in a bin directory
 +##	in the initrc_t domain 
 +## </summary>
@@ -57912,13 +58578,17 @@ index 94fd8dd..354e39c 100644
 +interface(`init_bin_domtrans_spec',`
 +	gen_require(`
 +		type initrc_t;
- 	')
++	')
 +
 +	corecmd_bin_domtrans($1, initrc_t)
- ')
- 
- ########################################
-@@ -868,9 +968,14 @@ interface(`init_script_file_domtrans',`
++')
++
++########################################
++## <summary>
+ ##	Execute a init script in a specified domain.
+ ## </summary>
+ ## <desc>
+@@ -868,9 +986,14 @@ interface(`init_script_file_domtrans',`
  interface(`init_labeled_script_domtrans',`
  	gen_require(`
  		type initrc_t;
@@ -57933,7 +58603,7 @@ index 94fd8dd..354e39c 100644
  	files_search_etc($1)
  ')
  
-@@ -1079,6 +1184,24 @@ interface(`init_read_all_script_files',`
+@@ -1079,6 +1202,24 @@ interface(`init_read_all_script_files',`
  
  #######################################
  ## <summary>
@@ -57958,7 +58628,7 @@ index 94fd8dd..354e39c 100644
  ##	Dontaudit read all init script files.
  ## </summary>
  ## <param name="domain">
-@@ -1130,12 +1253,7 @@ interface(`init_read_script_state',`
+@@ -1130,12 +1271,7 @@ interface(`init_read_script_state',`
  	')
  
  	kernel_search_proc($1)
@@ -57972,7 +58642,7 @@ index 94fd8dd..354e39c 100644
  ')
  
  ########################################
-@@ -1375,6 +1493,27 @@ interface(`init_dbus_send_script',`
+@@ -1375,6 +1511,27 @@ interface(`init_dbus_send_script',`
  ########################################
  ## <summary>
  ##	Send and receive messages from
@@ -58000,7 +58670,7 @@ index 94fd8dd..354e39c 100644
  ##	init scripts over dbus.
  ## </summary>
  ## <param name="domain">
-@@ -1461,6 +1600,25 @@ interface(`init_getattr_script_status_files',`
+@@ -1461,6 +1618,25 @@ interface(`init_getattr_script_status_files',`
  
  ########################################
  ## <summary>
@@ -58026,7 +58696,7 @@ index 94fd8dd..354e39c 100644
  ##	Do not audit attempts to read init script
  ##	status files.
  ## </summary>
-@@ -1519,6 +1677,24 @@ interface(`init_rw_script_tmp_files',`
+@@ -1519,6 +1695,24 @@ interface(`init_rw_script_tmp_files',`
  
  ########################################
  ## <summary>
@@ -58051,7 +58721,7 @@ index 94fd8dd..354e39c 100644
  ##	Create files in a init script
  ##	temporary data directory.
  ## </summary>
-@@ -1674,7 +1850,7 @@ interface(`init_dontaudit_rw_utmp',`
+@@ -1674,7 +1868,7 @@ interface(`init_dontaudit_rw_utmp',`
  		type initrc_var_run_t;
  	')
  
@@ -58060,7 +58730,7 @@ index 94fd8dd..354e39c 100644
  ')
  
  ########################################
-@@ -1715,6 +1891,128 @@ interface(`init_pid_filetrans_utmp',`
+@@ -1715,6 +1909,128 @@ interface(`init_pid_filetrans_utmp',`
  	files_pid_filetrans($1, initrc_var_run_t, file)
  ')
  
@@ -58189,7 +58859,7 @@ index 94fd8dd..354e39c 100644
  ########################################
  ## <summary>
  ##	Allow the specified domain to connect to daemon with a tcp socket
-@@ -1749,3 +2047,156 @@ interface(`init_udp_recvfrom_all_daemons',`
+@@ -1749,3 +2065,156 @@ interface(`init_udp_recvfrom_all_daemons',`
  	')
  	corenet_udp_recvfrom_labeled($1, daemon)
  ')
@@ -58347,7 +59017,7 @@ index 94fd8dd..354e39c 100644
 +	read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
 +')
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index 29a9565..de6dda5 100644
+index 29a9565..4d20828 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -58525,7 +59195,7 @@ index 29a9565..de6dda5 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -186,16 +246,135 @@ tunable_policy(`init_upstart',`
+@@ -186,16 +246,136 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -58578,9 +59248,9 @@ index 29a9565..de6dda5 100644
 +	files_relabel_all_pid_dirs(init_t)
 +	files_relabel_all_pid_files(init_t)
 +	files_create_all_pid_sockets(init_t)
-+	files_delete_all_pid_sockets(init_t)
++	files_delete_all_pids(init_t)
++	files_exec_generic_pid_files(init_t)
 +	files_create_all_pid_pipes(init_t)
-+	files_delete_all_pid_pipes(init_t)
 +	files_create_all_spool_sockets(init_t)
 +	files_delete_all_spool_sockets(init_t)
 +	files_manage_urandom_seed(init_t)
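Review bot: `files_exec_generic_pid_files(init_t)` is added without a comment, and together with `files_delete_all_pids(init_t)` it widens `init_t` from deleting pid sockets and pipes to deleting every pid file and executing generically labelled ones. Judging by the name only (the interface body is not shown here), any domain able to create files with the generic pid label could then have its content run by `init_t`, so the grant needs a stated reason. I would add a line such as `# <reason init_t must execute generic pid files>` above it, or use a dedicated type if only specific files are involved. Please also confirm that `files_delete_all_pids` still covers the socket and pipe deletions that the two removed calls granted. The enclosing policy block starts and ends outside this hunk.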
@@ -58629,9 +59299,6 @@ index 29a9565..de6dda5 100644
 +
 +	create_sock_files_pattern(init_t, init_sock_file_type, init_sock_file_type)
 +
-+#	miscfiles_delete_man_pages(init_t)
-+#	miscfiles_relabel_man_pages(init_t)
-+
 +')
 +
 +auth_use_nsswitch(init_t)
@@ -58639,10 +59306,14 @@ index 29a9565..de6dda5 100644
 +
  optional_policy(`
 -	auth_rw_login_records(init_t)
-+	consolekit_manage_log(init_t)
++	lvm_rw_pipes(init_t)
  ')
  
  optional_policy(`
++	consolekit_manage_log(init_t)
++')
++
++optional_policy(`
 +	dbus_connect_system_bus(init_t)
  	dbus_system_bus_client(init_t)
 +	dbus_delete_pid_files(init_t)
@@ -58663,7 +59334,7 @@ index 29a9565..de6dda5 100644
  ')
  
  optional_policy(`
-@@ -203,6 +382,17 @@ optional_policy(`
+@@ -203,6 +383,17 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -58681,7 +59352,7 @@ index 29a9565..de6dda5 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -212,7 +402,7 @@ optional_policy(`
+@@ -212,7 +403,7 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -58690,7 +59361,7 @@ index 29a9565..de6dda5 100644
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -241,12 +431,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +432,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -58706,7 +59377,7 @@ index 29a9565..de6dda5 100644
  
  init_write_initctl(initrc_t)
  
-@@ -258,20 +451,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +452,32 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -58743,7 +59414,7 @@ index 29a9565..de6dda5 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +484,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +485,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -58751,7 +59422,7 @@ index 29a9565..de6dda5 100644
  dev_write_kmsg(initrc_t)
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
-@@ -289,8 +495,10 @@ dev_write_framebuffer(initrc_t)
+@@ -289,8 +496,10 @@ dev_write_framebuffer(initrc_t)
  dev_read_realtime_clock(initrc_t)
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
@@ -58762,7 +59433,7 @@ index 29a9565..de6dda5 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,13 +506,14 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +507,14 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -58779,7 +59450,7 @@ index 29a9565..de6dda5 100644
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -316,6 +525,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +526,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -58787,7 +59458,7 @@ index 29a9565..de6dda5 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -323,8 +533,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +534,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -58799,7 +59470,7 @@ index 29a9565..de6dda5 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +552,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +553,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -58813,7 +59484,7 @@ index 29a9565..de6dda5 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,6 +567,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +568,8 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -58822,7 +59493,7 @@ index 29a9565..de6dda5 100644
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -363,6 +581,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +582,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -58830,7 +59501,7 @@ index 29a9565..de6dda5 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -374,6 +593,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +594,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -58838,7 +59509,7 @@ index 29a9565..de6dda5 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -394,18 +614,17 @@ logging_read_audit_config(initrc_t)
+@@ -394,18 +615,17 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -58860,7 +59531,7 @@ index 29a9565..de6dda5 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -458,6 +677,10 @@ ifdef(`distro_gentoo',`
+@@ -458,6 +678,10 @@ ifdef(`distro_gentoo',`
  	sysnet_setattr_config(initrc_t)
  
  	optional_policy(`
@@ -58871,7 +59542,7 @@ index 29a9565..de6dda5 100644
  		alsa_read_lib(initrc_t)
  	')
  
-@@ -478,7 +701,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +702,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -58880,7 +59551,7 @@ index 29a9565..de6dda5 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -493,6 +716,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +717,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -58888,7 +59559,7 @@ index 29a9565..de6dda5 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -522,8 +746,33 @@ ifdef(`distro_redhat',`
+@@ -522,8 +747,33 @@ ifdef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -58922,7 +59593,7 @@ index 29a9565..de6dda5 100644
  	')
  
  	optional_policy(`
-@@ -531,10 +780,26 @@ ifdef(`distro_redhat',`
+@@ -531,10 +781,26 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -58949,7 +59620,7 @@ index 29a9565..de6dda5 100644
  	')
  
  	optional_policy(`
-@@ -549,6 +814,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +815,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -58989,7 +59660,7 @@ index 29a9565..de6dda5 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +859,8 @@ optional_policy(`
+@@ -561,6 +860,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -58998,7 +59669,7 @@ index 29a9565..de6dda5 100644
  ')
  
  optional_policy(`
-@@ -577,6 +877,7 @@ optional_policy(`
+@@ -577,6 +878,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -59006,7 +59677,7 @@ index 29a9565..de6dda5 100644
  ')
  
  optional_policy(`
-@@ -589,6 +890,11 @@ optional_policy(`
+@@ -589,6 +891,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59018,7 +59689,7 @@ index 29a9565..de6dda5 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -605,9 +911,13 @@ optional_policy(`
+@@ -605,9 +912,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -59032,7 +59703,7 @@ index 29a9565..de6dda5 100644
  	')
  
  	optional_policy(`
-@@ -649,6 +959,11 @@ optional_policy(`
+@@ -649,6 +960,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59044,7 +59715,7 @@ index 29a9565..de6dda5 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -689,6 +1004,7 @@ optional_policy(`
+@@ -689,6 +1005,7 @@ optional_policy(`
  	lpd_list_spool(initrc_t)
  
  	lpd_read_config(initrc_t)
@@ -59052,7 +59723,7 @@ index 29a9565..de6dda5 100644
  ')
  
  optional_policy(`
-@@ -706,7 +1022,13 @@ optional_policy(`
+@@ -706,7 +1023,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59066,7 +59737,7 @@ index 29a9565..de6dda5 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -729,6 +1051,10 @@ optional_policy(`
+@@ -729,6 +1052,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59077,7 +59748,7 @@ index 29a9565..de6dda5 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -738,10 +1064,20 @@ optional_policy(`
+@@ -738,10 +1065,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59098,7 +59769,7 @@ index 29a9565..de6dda5 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -750,6 +1086,10 @@ optional_policy(`
+@@ -750,6 +1087,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59109,7 +59780,7 @@ index 29a9565..de6dda5 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -771,8 +1111,6 @@ optional_policy(`
+@@ -771,8 +1112,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -59118,7 +59789,7 @@ index 29a9565..de6dda5 100644
  ')
  
  optional_policy(`
-@@ -790,10 +1128,12 @@ optional_policy(`
+@@ -790,10 +1129,12 @@ optional_policy(`
  	squid_manage_logs(initrc_t)
  ')
  
@@ -59131,7 +59802,7 @@ index 29a9565..de6dda5 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -805,7 +1145,6 @@ optional_policy(`
+@@ -805,7 +1146,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59139,7 +59810,7 @@ index 29a9565..de6dda5 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_rules_files(initrc_t)
  ')
-@@ -815,11 +1154,24 @@ optional_policy(`
+@@ -815,11 +1155,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59165,7 +59836,7 @@ index 29a9565..de6dda5 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -829,6 +1181,25 @@ optional_policy(`
+@@ -829,6 +1182,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -59191,7 +59862,7 @@ index 29a9565..de6dda5 100644
  ')
  
  optional_policy(`
-@@ -844,6 +1215,10 @@ optional_policy(`
+@@ -844,6 +1216,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -59202,7 +59873,7 @@ index 29a9565..de6dda5 100644
  	# Set device ownerships/modes.
  	xserver_setattr_console_pipes(initrc_t)
  
-@@ -854,3 +1229,149 @@ optional_policy(`
+@@ -854,3 +1230,149 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -59296,7 +59967,7 @@ index 29a9565..de6dda5 100644
 +
 +tunable_policy(`init_systemd',`
 +	# Handle upstart/systemd direct transition to a executable
-+	allow init_t systemprocess:process siginh;
++	allow init_t systemprocess:process { dyntransition siginh };
 +	allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
 +	allow init_t systemprocess:unix_dgram_socket create_socket_perms;
 +	allow systemprocess init_t:unix_dgram_socket sendto;
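Review bot: The `dyntransition` added to `allow init_t systemprocess:process { dyntransition siginh };` permits init_t to change its running context into any domain carrying the systemprocess attribute, yet the comment above it still describes only a "direct transition to a executable". A dynamic transition is not tied to an entrypoint file, so the reason belongs next to the rule, for example `# dyntransition: needed when init calls setcon() for <case to be named by the author>`. If only a few domains need it, a narrower target than the whole attribute would be closer to least privilege. The 3.10.0-12 changelog entry in this commit speaks of kernel_t transitioning to init_t, which does not match this rule's source and target; that rule may sit outside this hunk, but this grant should be named in the changelog as well. The tunable_policy block continues past the end of the hunk.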
@@ -60306,7 +60977,7 @@ index e5836d3..b32b945 100644
 +#')
 +
 diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
-index a0b379d..7d88511 100644
+index a0b379d..2a55eab 100644
 --- a/policy/modules/system/locallogin.te
 +++ b/policy/modules/system/locallogin.te
 @@ -32,9 +32,8 @@ role system_r types sulogin_t;
@@ -60369,7 +61040,7 @@ index a0b379d..7d88511 100644
  	unconfined_shell_domtrans(local_login_t)
  ')
  
-@@ -225,6 +226,7 @@ files_read_etc_files(sulogin_t)
+@@ -225,11 +226,14 @@ files_read_etc_files(sulogin_t)
  files_dontaudit_search_isid_type_dirs(sulogin_t)
  
  auth_read_shadow(sulogin_t)
@@ -60377,7 +61048,14 @@ index a0b379d..7d88511 100644
  
  init_getpgid_script(sulogin_t)
  
-@@ -238,14 +240,23 @@ userdom_use_unpriv_users_fds(sulogin_t)
+ logging_send_syslog_msg(sulogin_t)
+ 
++miscfiles_read_localization(sulogin_t)
++
+ seutil_read_config(sulogin_t)
+ seutil_read_default_contexts(sulogin_t)
+ 
+@@ -238,14 +242,23 @@ userdom_use_unpriv_users_fds(sulogin_t)
  userdom_search_user_home_dirs(sulogin_t)
  userdom_use_user_ptys(sulogin_t)
  
@@ -60403,7 +61081,7 @@ index a0b379d..7d88511 100644
  	init_getpgid(sulogin_t)
  ', `
  	allow sulogin_t self:process setexec;
-@@ -256,11 +267,3 @@ ifdef(`sulogin_no_pam', `
+@@ -256,11 +269,3 @@ ifdef(`sulogin_no_pam', `
  	selinux_compute_relabel_context(sulogin_t)
  	selinux_compute_user_contexts(sulogin_t)
  ')
@@ -60599,7 +61277,7 @@ index 831b909..57064ad 100644
  	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index b6ec597..fa034d6 100644
+index b6ec597..2674701 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
 @@ -20,6 +20,7 @@ files_security_file(auditd_log_t)
@@ -60759,7 +61437,7 @@ index b6ec597..fa034d6 100644
  # for sending messages to logged in users
  init_read_utmp(syslogd_t)
  init_dontaudit_write_utmp(syslogd_t)
-@@ -496,6 +535,10 @@ optional_policy(`
+@@ -496,11 +535,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -60770,17 +61448,16 @@ index b6ec597..fa034d6 100644
  	postgresql_stream_connect(syslogd_t)
  ')
  
-@@ -504,6 +547,10 @@ optional_policy(`
- ')
- 
  optional_policy(`
-+    daemontools_search_svc_dir(syslogd_t)
+ 	seutil_sigchld_newrole(syslogd_t)
++	snmp_read_snmp_var_lib_files(syslogd_t)
 +')
 +
 +optional_policy(`
- 	udev_read_db(syslogd_t)
++    daemontools_search_svc_dir(syslogd_t)
  ')
  
+ optional_policy(`
 diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
 index 879bb1e..7b22111 100644
 --- a/policy/modules/system/lvm.fc
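Review bot: `snmp_read_snmp_var_lib_files(syslogd_t)` is added inside the optional_policy block that already holds `seutil_sigchld_newrole(syslogd_t)`, and an optional block is kept or dropped as a whole. On a policy built without the snmp module, the seutil rule would presumably be dropped together with the snmp one. Move `snmp_read_snmp_var_lib_files(syslogd_t)` into an optional_policy block of its own, the way the daemontools call directly below is wrapped. That daemontools line is also indented with four spaces where the neighbouring rules use a tab.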
@@ -60820,10 +61497,10 @@ index 879bb1e..7b22111 100644
 +/var/run/clvmd\.pid --  gen_context(system_u:object_r:clvmd_var_run_t,s0)
  /var/run/dmevent.*		gen_context(system_u:object_r:lvm_var_run_t,s0)
 diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
-index 58bc27f..bcc0758 100644
+index 58bc27f..51e9872 100644
 --- a/policy/modules/system/lvm.if
 +++ b/policy/modules/system/lvm.if
-@@ -123,3 +123,77 @@ interface(`lvm_domtrans_clvmd',`
+@@ -123,3 +123,94 @@ interface(`lvm_domtrans_clvmd',`
  	corecmd_search_bin($1)
  	domtrans_pattern($1, clvmd_exec_t, clvmd_t)
  ')
@@ -60901,8 +61578,25 @@ index 58bc27f..bcc0758 100644
 +	allow $1 lvm_t:unix_dgram_socket sendto;
 +')
 +
++########################################
++## <summary>
++##	Read and write a lvm unnamed pipe.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`lvm_rw_pipes',`
++	gen_require(`
++		type lvm_var_run_t;
++	')
++
++	allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
++')
 diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
-index a0a0ebf..895cc10 100644
+index a0a0ebf..4513ab9 100644
 --- a/policy/modules/system/lvm.te
 +++ b/policy/modules/system/lvm.te
 @@ -12,6 +12,9 @@ init_daemon_domain(clvmd_t, clvmd_exec_t)
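Review bot: The summary of the new `lvm_rw_pipes` interface says "unnamed pipe", but its rule grants access to `lvm_var_run_t:fifo_file`, that is, FIFO files carrying the lvm runtime-file label. An unnamed pipe created by lvm would normally carry the domain type lvm_t instead. The lvm.te hunk in this commit that adds `manage_fifo_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)` and `fifo_file` to `files_pid_filetrans` suggests named pipes are what is meant. Reword the summary to match the rule, e.g. `##	Read and write inherited lvm named pipes labeled lvm_var_run_t.`, so callers do not pick this interface expecting access to lvm_t pipes. The word "inherited" is worth stating because `rw_inherited_fifo_file_perms` appears to leave out open.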
@@ -60978,16 +61672,18 @@ index a0a0ebf..895cc10 100644
  
  manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
  manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
-@@ -201,7 +215,7 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
+@@ -200,8 +214,9 @@ files_var_lib_filetrans(lvm_t, lvm_var_lib_t, { dir file })
+ 
  manage_dirs_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
  manage_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
++manage_fifo_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
  manage_sock_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
 -files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file })
-+files_pid_filetrans(lvm_t, lvm_var_run_t, { dir file sock_file })
++files_pid_filetrans(lvm_t, lvm_var_run_t, { dir file fifo_file sock_file })
  
  read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
  read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
-@@ -213,11 +227,13 @@ files_search_mnt(lvm_t)
+@@ -213,11 +228,13 @@ files_search_mnt(lvm_t)
  
  kernel_get_sysvipc_info(lvm_t)
  kernel_read_system_state(lvm_t)
@@ -61001,7 +61697,7 @@ index a0a0ebf..895cc10 100644
  kernel_search_debugfs(lvm_t)
  
  corecmd_exec_bin(lvm_t)
-@@ -228,6 +244,7 @@ dev_delete_generic_dirs(lvm_t)
+@@ -228,6 +245,7 @@ dev_delete_generic_dirs(lvm_t)
  dev_read_rand(lvm_t)
  dev_read_urand(lvm_t)
  dev_rw_lvm_control(lvm_t)
@@ -61009,7 +61705,7 @@ index a0a0ebf..895cc10 100644
  dev_manage_generic_symlinks(lvm_t)
  dev_relabel_generic_dev_dirs(lvm_t)
  dev_manage_generic_blk_files(lvm_t)
-@@ -244,6 +261,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
+@@ -244,6 +262,7 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
  dev_dontaudit_getattr_generic_blk_files(lvm_t)
  dev_dontaudit_getattr_generic_pipes(lvm_t)
  dev_create_generic_dirs(lvm_t)
@@ -61017,7 +61713,7 @@ index a0a0ebf..895cc10 100644
  
  domain_use_interactive_fds(lvm_t)
  domain_read_all_domains_state(lvm_t)
-@@ -253,17 +271,21 @@ files_read_etc_files(lvm_t)
+@@ -253,17 +272,21 @@ files_read_etc_files(lvm_t)
  files_read_etc_runtime_files(lvm_t)
  # for when /usr is not mounted:
  files_dontaudit_search_isid_type_dirs(lvm_t)
@@ -61040,7 +61736,7 @@ index a0a0ebf..895cc10 100644
  
  selinux_get_fs_mount(lvm_t)
  selinux_validate_context(lvm_t)
-@@ -283,7 +305,7 @@ storage_dev_filetrans_fixed_disk(lvm_t)
+@@ -283,7 +306,7 @@ storage_dev_filetrans_fixed_disk(lvm_t)
  # Access raw devices and old /dev/lvm (c 109,0).  Is this needed?
  storage_manage_fixed_disk(lvm_t)
  
@@ -61049,7 +61745,7 @@ index a0a0ebf..895cc10 100644
  
  init_use_fds(lvm_t)
  init_dontaudit_getattr_initctl(lvm_t)
-@@ -292,6 +314,8 @@ init_read_script_state(lvm_t)
+@@ -292,6 +315,8 @@ init_read_script_state(lvm_t)
  
  logging_send_syslog_msg(lvm_t)
  
@@ -61058,7 +61754,7 @@ index a0a0ebf..895cc10 100644
  miscfiles_read_localization(lvm_t)
  
  seutil_read_config(lvm_t)
-@@ -299,15 +323,23 @@ seutil_read_file_contexts(lvm_t)
+@@ -299,15 +324,23 @@ seutil_read_file_contexts(lvm_t)
  seutil_search_default_contexts(lvm_t)
  seutil_sigchld_newrole(lvm_t)
  
@@ -61085,7 +61781,7 @@ index a0a0ebf..895cc10 100644
  ')
  
  optional_policy(`
-@@ -331,14 +363,26 @@ optional_policy(`
+@@ -331,14 +364,26 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -63485,7 +64181,7 @@ index ff80d0a..752e031 100644
 +	role_transition $1 dhcpc_exec_t system_r;
 +')
 diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
-index 34d0ec5..0cdb0be 100644
+index 34d0ec5..ba27f13 100644
 --- a/policy/modules/system/sysnetwork.te
 +++ b/policy/modules/system/sysnetwork.te
 @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.11.2)
@@ -63638,7 +64334,7 @@ index 34d0ec5..0cdb0be 100644
  	nis_read_ypbind_pid(dhcpc_t)
  ')
  
-@@ -213,6 +253,10 @@ optional_policy(`
+@@ -213,6 +253,11 @@ optional_policy(`
  optional_policy(`
  	seutil_sigchld_newrole(dhcpc_t)
  	seutil_dontaudit_search_config(dhcpc_t)
@@ -63646,10 +64342,11 @@ index 34d0ec5..0cdb0be 100644
 +')
 +optional_policy(`
 +	systemd_passwd_agent_domtrans(dhcpc_t)
++	systemd_signal_passwd_agent(dhcpc_t)
  ')
  
  optional_policy(`
-@@ -255,6 +299,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
+@@ -255,6 +300,7 @@ allow ifconfig_t self:msgq create_msgq_perms;
  allow ifconfig_t self:msg { send receive };
  # Create UDP sockets, necessary when called from dhcpc
  allow ifconfig_t self:udp_socket create_socket_perms;
@@ -63657,7 +64354,7 @@ index 34d0ec5..0cdb0be 100644
  # for /sbin/ip
  allow ifconfig_t self:packet_socket create_socket_perms;
  allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
-@@ -276,8 +321,11 @@ dev_read_urand(ifconfig_t)
+@@ -276,8 +322,11 @@ dev_read_urand(ifconfig_t)
  
  domain_use_interactive_fds(ifconfig_t)
  
@@ -63669,7 +64366,7 @@ index 34d0ec5..0cdb0be 100644
  
  fs_getattr_xattr_fs(ifconfig_t)
  fs_search_auto_mountpoints(ifconfig_t)
-@@ -301,11 +349,12 @@ logging_send_syslog_msg(ifconfig_t)
+@@ -301,11 +350,12 @@ logging_send_syslog_msg(ifconfig_t)
  
  miscfiles_read_localization(ifconfig_t)
  
@@ -63684,7 +64381,7 @@ index 34d0ec5..0cdb0be 100644
  userdom_use_all_users_fds(ifconfig_t)
  
  ifdef(`distro_ubuntu',`
-@@ -314,7 +363,14 @@ ifdef(`distro_ubuntu',`
+@@ -314,7 +364,18 @@ ifdef(`distro_ubuntu',`
  	')
  ')
  
@@ -63692,6 +64389,10 @@ index 34d0ec5..0cdb0be 100644
 +	brctl_domtrans(ifconfig_t)
 +')
 +
++optional_policy(`
++	ctdbd_read_lib_files(ifconfig_t)
++')
++
  ifdef(`hide_broken_symptoms',`
 +	# caused by some bogus kernel code
 +	dontaudit ifconfig_t self:capability sys_module;
@@ -63699,7 +64400,7 @@ index 34d0ec5..0cdb0be 100644
  	optional_policy(`
  		dev_dontaudit_rw_cardmgr(ifconfig_t)
  	')
-@@ -325,8 +381,14 @@ ifdef(`hide_broken_symptoms',`
+@@ -325,8 +386,14 @@ ifdef(`hide_broken_symptoms',`
  ')
  
  optional_policy(`
@@ -63714,7 +64415,7 @@ index 34d0ec5..0cdb0be 100644
  ')
  
  optional_policy(`
-@@ -335,6 +397,18 @@ optional_policy(`
+@@ -335,6 +402,18 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -63733,7 +64434,7 @@ index 34d0ec5..0cdb0be 100644
  	nis_use_ypbind(ifconfig_t)
  ')
  
-@@ -356,3 +430,9 @@ optional_policy(`
+@@ -356,3 +435,9 @@ optional_policy(`
  	xen_append_log(ifconfig_t)
  	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
  ')
@@ -63770,10 +64471,10 @@ index 0000000..3248032
 +
 diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
 new file mode 100644
-index 0000000..11fbd0f
+index 0000000..7501ef8
 --- /dev/null
 +++ b/policy/modules/system/systemd.if
-@@ -0,0 +1,360 @@
+@@ -0,0 +1,377 @@
 +## <summary>SELinux policy for systemd components</summary>
 +
 +#######################################
@@ -64063,6 +64764,23 @@ index 0000000..11fbd0f
 +	allow $2 systemd_passwd_agent_t:process signal;
 +')
 +
++########################################
++## <summary>
++##	Send generic signals to systemd_passwd_agent processes.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`systemd_signal_passwd_agent',`
++	gen_require(`
++              type systemd_passwd_agent_t;
++	')
++
++	allow $1 systemd_passwd_agent_t:process signal;
++')
 +
 +######################################
 +## <summary>
@@ -64081,12 +64799,12 @@ index 0000000..11fbd0f
 +                type systemd_passwd_agent_t;
 +        ')
 +
-+		type systemd_$1_device_t;
++	type systemd_$1_device_t;
 +        files_type(systemd_$1_device_t)
 +        dev_associate(systemd_$1_device_t)
 +
-+		dev_filetrans($1_t, systemd_$1_device_t, { file sock_file })
-+		init_pid_filetrans($1_t, systemd_$1_device_t, { file sock_file })
++	dev_filetrans($1_t, systemd_$1_device_t, { file sock_file })
++	init_pid_filetrans($1_t, systemd_$1_device_t, { file sock_file })
 +        allow $1_t systemd_$1_device_t:file manage_file_perms;
 +        allow $1_t systemd_$1_device_t:sock_file manage_sock_file_perms;
 +
@@ -64136,10 +64854,10 @@ index 0000000..11fbd0f
 +
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..4936451
+index 0000000..0185280
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,317 @@
+@@ -0,0 +1,319 @@
 +policy_module(systemd, 1.0.0)
 +
 +#######################################
@@ -64164,11 +64882,11 @@ index 0000000..4936451
 +
 +# /run/systemd/sessions
 +type systemd_logind_sessions_t;
-+files_type(systemd_logind_sessions_t)
++files_pid_file(systemd_logind_sessions_t)
 +
 +# /run/systemd/{seats, users}
 +type systemd_logind_var_run_t;
-+files_type(systemd_logind_var_run_t)
++files_pid_file(systemd_logind_var_run_t)
 +
 +# domain for systemd-tty-ask-password-agent and systemd-gnome-ask-password-agent
 +# systemd components
@@ -64219,6 +64937,8 @@ index 0000000..4936451
 +init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir)
 +
 +dev_read_sysfs(systemd_logind_t)
++dev_setattr_input_dev(systemd_logind_t)
++dev_setattr_mouse_dev(systemd_logind_t)
 +
 +dev_getattr_all_chr_files(systemd_logind_t)
 +dev_getattr_all_blk_files(systemd_logind_t)
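Review bot: `dev_setattr_input_dev(systemd_logind_t)` and `dev_setattr_mouse_dev(systemd_logind_t)` are added with no comment explaining why logind needs to change attributes on device nodes. setattr on input devices covers ownership and mode changes, so a later reader auditing who can alter access to keyboards and mice needs the reason recorded beside the rules. A line such as `# logind adjusts access to seat input devices for the active session -- TODO confirm` above the two calls would do; the wording is my inference from the domain name and should be checked against the AVC denials that prompted the change.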
@@ -64679,7 +65399,7 @@ index 025348a..c15e57c 100644
 +')
 +
 diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
-index d88f7c3..d26f45a 100644
+index d88f7c3..4485816 100644
 --- a/policy/modules/system/udev.te
 +++ b/policy/modules/system/udev.te
 @@ -14,17 +14,17 @@ domain_entry_file(udev_t, udev_helper_exec_t)
@@ -64761,7 +65481,7 @@ index d88f7c3..d26f45a 100644
  dev_rw_generic_files(udev_t)
  dev_delete_generic_files(udev_t)
  dev_search_usbfs(udev_t)
-@@ -105,21 +112,27 @@ dev_relabel_all_dev_nodes(udev_t)
+@@ -105,21 +112,28 @@ dev_relabel_all_dev_nodes(udev_t)
  # preserved, instead of short circuiting the relabel
  dev_relabel_generic_symlinks(udev_t)
  dev_manage_generic_symlinks(udev_t)
@@ -64773,6 +65493,7 @@ index d88f7c3..d26f45a 100644
  files_read_usr_files(udev_t)
  files_read_etc_runtime_files(udev_t)
 -files_read_etc_files(udev_t)
++files_read_system_conf_files(udev_t)
 +
 +# console_init manages files in /etc/sysconfig
 +files_manage_etc_files(udev_t)
@@ -64790,7 +65511,7 @@ index d88f7c3..d26f45a 100644
  
  mcs_ptrace_all(udev_t)
  
-@@ -143,6 +156,7 @@ auth_use_nsswitch(udev_t)
+@@ -143,6 +157,7 @@ auth_use_nsswitch(udev_t)
  init_read_utmp(udev_t)
  init_dontaudit_write_utmp(udev_t)
  init_getattr_initctl(udev_t)
@@ -64798,7 +65519,7 @@ index d88f7c3..d26f45a 100644
  
  logging_search_logs(udev_t)
  logging_send_syslog_msg(udev_t)
-@@ -169,6 +183,8 @@ sysnet_signal_dhcpc(udev_t)
+@@ -169,6 +184,8 @@ sysnet_signal_dhcpc(udev_t)
  sysnet_manage_config(udev_t)
  sysnet_etc_filetrans_config(udev_t)
  
@@ -64807,7 +65528,7 @@ index d88f7c3..d26f45a 100644
  userdom_dontaudit_search_user_home_content(udev_t)
  
  ifdef(`distro_gentoo',`
-@@ -186,15 +202,16 @@ ifdef(`distro_redhat',`
+@@ -186,15 +203,16 @@ ifdef(`distro_redhat',`
  	fs_manage_tmpfs_chr_files(udev_t)
  	fs_relabel_tmpfs_blk_file(udev_t)
  	fs_relabel_tmpfs_chr_file(udev_t)
@@ -64828,7 +65549,7 @@ index d88f7c3..d26f45a 100644
  ')
  
  optional_policy(`
-@@ -216,11 +233,16 @@ optional_policy(`
+@@ -216,11 +234,16 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -64846,7 +65567,7 @@ index d88f7c3..d26f45a 100644
  ')
  
  optional_policy(`
-@@ -230,10 +252,20 @@ optional_policy(`
+@@ -230,10 +253,20 @@ optional_policy(`
  optional_policy(`
  	devicekit_read_pid_files(udev_t)
  	devicekit_dgram_send(udev_t)
@@ -64867,7 +65588,7 @@ index d88f7c3..d26f45a 100644
  ')
  
  optional_policy(`
-@@ -259,6 +291,10 @@ optional_policy(`
+@@ -259,6 +292,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -64878,7 +65599,7 @@ index d88f7c3..d26f45a 100644
  	openct_read_pid_files(udev_t)
  	openct_domtrans(udev_t)
  ')
-@@ -273,6 +309,11 @@ optional_policy(`
+@@ -273,6 +310,11 @@ optional_policy(`
  ')
  
  optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b498729..1d7c776 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.10.0
-Release: 11%{?dist}
+Release: 13%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -452,6 +452,15 @@ SELinux Reference policy mls base module.
 %endif
 
 %changelog
+* Tue Aug 2 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-13
+- Add abrt_domain attribute
+- Allow corosync to manage cluster lib files
+- Allow corosync to connect to the system DBUS
+
+* Mon Aug 1 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-12
+- Add sblim, uuidd policies
+- Allow kernel_t dyntrasition to init_t
+
 * Fri Jul 29 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-11
 - More fixes of rules which cause an explosion in rules by Dan Walsh