diff --git a/policy-F16.patch b/policy-F16.patch
index 7290094..2da558c 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -1,8 +1,16 @@
 diff --git a/Makefile b/Makefile
-index b8486a0..bec48d7 100644
+index b8486a0..72a53cc 100644
 --- a/Makefile
 +++ b/Makefile
-@@ -248,7 +248,7 @@ seusers := $(appconf)/seusers
+@@ -61,6 +61,7 @@ SEMODULE ?= $(tc_usrsbindir)/semodule
+ SEMOD_PKG ?= $(tc_usrbindir)/semodule_package
+ SEMOD_LNK ?= $(tc_usrbindir)/semodule_link
+ SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand
++SEPOLGEN ?= $(tc_usrbindir)/sepolgen-ifgen
+ LOADPOLICY ?= $(tc_usrsbindir)/load_policy
+ SETFILES ?= $(tc_sbindir)/setfiles
+ XMLLINT ?= $(BINDIR)/xmllint
+@@ -248,7 +249,7 @@ seusers := $(appconf)/seusers
  appdir := $(contextpath)
  user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
  user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
@@ -11,6 +19,18 @@ index b8486a0..bec48d7 100644
  net_contexts := $(builddir)net_contexts
  
  all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
+diff --git a/Rules.modular b/Rules.modular
+index 168a14f..c2bf491 100644
+--- a/Rules.modular
++++ b/Rules.modular
+@@ -207,6 +207,7 @@ validate: $(base_pkg) $(mod_pkgs)
+ 	@echo "Validating policy linking."
+ 	$(verbose) $(SEMOD_LNK) -o $(tmpdir)/test.lnk $^
+ 	$(verbose) $(SEMOD_EXP) $(tmpdir)/test.lnk $(tmpdir)/policy.bin
++	$(verbose) $(SEPOLGEN) -p $(tmpdir)/policy.bin -i $(poldir) -o $(tmpdir)/output
+ 	@echo "Success."
+ 
+ ########################################
 diff --git a/man/man8/httpd_selinux.8 b/man/man8/httpd_selinux.8
 index 16e8b13..87925e6 100644
 --- a/man/man8/httpd_selinux.8
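Review bot: The added `$(SEPOLGEN)` line in the `validate` recipe writes to the fixed, generic path `$(tmpdir)/output` and has no message of its own, so a sepolgen-ifgen failure surfaces only as a failed recipe line after "Validating policy linking." A descriptive output name such as `-o $(tmpdir)/sepolgen-ifgen.out`, with `@echo "Checking interfaces with sepolgen-ifgen."` on the line before, would make the step traceable. The Makefile hunk defaults `SEPOLGEN` to `$(tc_usrbindir)/sepolgen-ifgen`, so `validate` now needs that tool in the build root; presumably the package's build requirements cover it, which this diff does not show. The `validate` rule starts outside the hunk.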
@@ -2471,7 +2491,7 @@ index fe1c377..7660180 100644
  ')
  
 diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
-index 8c5fa3c..5fdb122 100644
+index 8c5fa3c..1a46f56 100644
 --- a/policy/modules/admin/su.if
 +++ b/policy/modules/admin/su.if
 @@ -210,7 +210,7 @@ template(`su_role_template',`
@@ -2483,12 +2503,9 @@ index 8c5fa3c..5fdb122 100644
  	auth_rw_faillog($1_su_t)
  
  	corecmd_search_bin($1_su_t)
-@@ -232,8 +232,9 @@ template(`su_role_template',`
+@@ -234,6 +234,7 @@ template(`su_role_template',`
  
- 	miscfiles_read_localization($1_su_t)
- 
--	userdom_use_user_terminals($1_su_t)
-+	userdom_use_inherited_user_terminals($1_su_t)
+ 	userdom_use_user_terminals($1_su_t)
  	userdom_search_user_home_dirs($1_su_t)
 +	userdom_search_admin_dir($1_su_t)
  
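Review bot: Terminal access for the su domains is widened again without a stated reason: the new side keeps `userdom_use_user_terminals($1_su_t)` where the previous revision of the patch substituted `userdom_use_inherited_user_terminals($1_su_t)`. If the inherited variant follows the usual convention of omitting `open`, the su domains can once more open user ttys and ptys themselves instead of only using descriptors passed to them. The same reversal appears in the sudo.if hunk (`userdom_use_user_terminals($1_sudo_t)`) and in the init.te hunk, where the `term_use_all_inherited_terms(initrc_t)` substitution is dropped. If the revert is deliberate, record the reason or a bug reference in the changelog; otherwise keep the inherited forms. `su_role_template` begins and ends outside the hunk.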
@@ -2504,7 +2521,7 @@ index 7bddc02..2b59ed0 100644
 +
 +/var/db/sudo(/.*)?		gen_context(system_u:object_r:sudo_db_t,s0)
 diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
-index 975af1a..37d1013 100644
+index 975af1a..bae65ee 100644
 --- a/policy/modules/admin/sudo.if
 +++ b/policy/modules/admin/sudo.if
 @@ -32,6 +32,7 @@ template(`sudo_role_template',`
@@ -2550,12 +2567,10 @@ index 975af1a..37d1013 100644
  	init_rw_utmp($1_sudo_t)
  
  	logging_send_audit_msgs($1_sudo_t)
-@@ -134,14 +143,19 @@ template(`sudo_role_template',`
- 	userdom_manage_user_home_content_symlinks($1_sudo_t)
+@@ -135,13 +144,18 @@ template(`sudo_role_template',`
  	userdom_manage_user_tmp_files($1_sudo_t)
  	userdom_manage_user_tmp_symlinks($1_sudo_t)
--	userdom_use_user_terminals($1_sudo_t)
-+	userdom_use_inherited_user_terminals($1_sudo_t)
+ 	userdom_use_user_terminals($1_sudo_t)
 +	userdom_signal_all_users($1_sudo_t)
  	# for some PAM modules and for cwd
 -	userdom_dontaudit_search_user_home_content($1_sudo_t)
@@ -5455,6 +5470,92 @@ index 167950d..ef63b20 100644
 +        wine_domtrans(unconfined_java_t)
 +    ')
  ')
+diff --git a/policy/modules/apps/kde.fc b/policy/modules/apps/kde.fc
+new file mode 100644
+index 0000000..25e4b68
+--- /dev/null
++++ b/policy/modules/apps/kde.fc
+@@ -0,0 +1 @@
++#/usr/libexec/kde(3|4)/backlighthelper	--	gen_context(system_u:object_r:kdebacklighthelper_exec_t,s0)
+diff --git a/policy/modules/apps/kde.if b/policy/modules/apps/kde.if
+new file mode 100644
+index 0000000..cf65577
+--- /dev/null
++++ b/policy/modules/apps/kde.if
+@@ -0,0 +1,22 @@
++## <summary> Policy for KDE components </summary>
++
++#######################################
++## <summary>
++##      Send and receive messages from
++##      firewallgui over dbus.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`kde_dbus_chat_backlighthelper',`
++        gen_require(`
++                type kdebacklighthelper_t;
++                class dbus send_msg;
++        ')
++
++	allow $1 kdebacklighthelper_t:dbus send_msg;
++        allow kdebacklighthelper_t $1:dbus send_msg;
++')
+diff --git a/policy/modules/apps/kde.te b/policy/modules/apps/kde.te
+new file mode 100644
+index 0000000..bb02f40
+--- /dev/null
++++ b/policy/modules/apps/kde.te
+@@ -0,0 +1,45 @@
++policy_module(kde,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type kdebacklighthelper_t;
++type kdebacklighthelper_exec_t;
++dbus_system_domain(kdebacklighthelper_t, kdebacklighthelper_exec_t)
++
++permissive kdebacklighthelper_t;
++
++########################################
++#
++# backlighthelper local policy
++#
++
++dontaudit kdebacklighthelper_t self:capability sys_ptrace;
++
++allow kdebacklighthelper_t self:fifo_file rw_fifo_file_perms;
++
++kernel_read_system_state(kdebacklighthelper_t)
++
++# r/w brightness values
++dev_rw_sysfs(kdebacklighthelper_t)
++
++files_read_etc_files(kdebacklighthelper_t)
++files_read_etc_runtime_files(kdebacklighthelper_t)
++files_read_usr_files(kdebacklighthelper_t)
++
++fs_getattr_all_fs(kdebacklighthelper_t)
++
++logging_send_syslog_msg(kdebacklighthelper_t)
++
++miscfiles_read_localization(kdebacklighthelper_t)
++
++optional_policy(`
++	consolekit_dbus_chat(kdebacklighthelper_t)
++')
++
++optional_policy(`
++	policykit_dbus_chat(kdebacklighthelper_t)
++')
++
 diff --git a/policy/modules/apps/kdumpgui.te b/policy/modules/apps/kdumpgui.te
 index f63c4c2..bf59895 100644
 --- a/policy/modules/apps/kdumpgui.te
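Review bot: `permissive kdebacklighthelper_t;` in kde.te leaves the new domain unenforced, and the only entry in kde.fc is commented out, so as far as this hunk shows no file ever receives `kdebacklighthelper_exec_t` and the domain is never entered. Either enable the kde.fc line or say next to it why it is disabled, and mark the permissive statement as temporary, e.g. `# FIXME: drop permissive once the AVCs for backlighthelper have been reviewed`. In kde.if the summary of `kde_dbus_chat_backlighthelper` still reads "firewallgui over dbus" and should read `##      backlighthelper over dbus.`; its first `allow` line is indented with a tab while the rest of the interface uses spaces. `dev_rw_sysfs(kdebacklighthelper_t)` grants read/write on sysfs as a whole for what the comment describes as brightness values, so the comment should say whether a narrower type was considered.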
@@ -11191,7 +11292,7 @@ index bc534c1..b70ea07 100644
 +# broken kernel
 +dontaudit can_change_object_identity can_change_object_identity:key link;
 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
-index 16108f6..33ea07b 100644
+index 16108f6..0f1470f 100644
 --- a/policy/modules/kernel/files.fc
 +++ b/policy/modules/kernel/files.fc
 @@ -18,6 +18,7 @@ ifdef(`distro_redhat',`
@@ -11237,7 +11338,7 @@ index 16108f6..33ea07b 100644
  HOME_ROOT/\.journal		<<none>>
  HOME_ROOT/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
  HOME_ROOT/lost\+found/.*		<<none>>
-@@ -153,6 +164,12 @@ HOME_ROOT/lost\+found/.*		<<none>>
+@@ -153,6 +164,17 @@ HOME_ROOT/lost\+found/.*		<<none>>
  /proc			-d	<<none>>
  /proc/.*			<<none>>
  
@@ -11247,10 +11348,15 @@ index 16108f6..33ea07b 100644
 +/rhev/[^/]*/.*			<<none>>
 +')
 +
++/run			-d	gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
++/run/.*				gen_context(system_u:object_r:var_run_t,s0)
++/run/.*\.*pid			<<none>>
++/run/lock(/.*)?			gen_context(system_u:object_r:var_lock_t,s0)
++
  #
  # /selinux
  #
-@@ -166,12 +183,6 @@ HOME_ROOT/lost\+found/.*		<<none>>
+@@ -166,12 +188,6 @@ HOME_ROOT/lost\+found/.*		<<none>>
  /srv/.*				gen_context(system_u:object_r:var_t,s0)
  
  #
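Review bot: The added entry `/run/.*\.*pid			<<none>>` matches more than pid files: `\.*` means zero or more literal dots, so any path under /run whose name ends in `pid` is matched and then skipped when file contexts are restored. If only `*.pid` files are meant, `/run/.*\.pid` says so. If the pattern is deliberately copied from an existing /var/run entry, a comment such as `# same pattern as the /var/run pid entry` would record that. The four /run lines also lack a section banner, unlike the `# /selinux` and `# /tmp` blocks around them; a `# /run` header would match the file's layout.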
@@ -11263,7 +11369,7 @@ index 16108f6..33ea07b 100644
  # /tmp
  #
  /tmp			-d	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
-@@ -211,7 +222,6 @@ HOME_ROOT/lost\+found/.*		<<none>>
+@@ -211,7 +227,6 @@ HOME_ROOT/lost\+found/.*		<<none>>
  
  ifndef(`distro_redhat',`
  /usr/local/src(/.*)?		gen_context(system_u:object_r:src_t,s0)
@@ -11271,7 +11377,7 @@ index 16108f6..33ea07b 100644
  /usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
  /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
  ')
-@@ -227,6 +237,8 @@ ifndef(`distro_redhat',`
+@@ -227,6 +242,8 @@ ifndef(`distro_redhat',`
  
  /var/ftp/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
  
@@ -11280,7 +11386,7 @@ index 16108f6..33ea07b 100644
  /var/lib(/.*)?			gen_context(system_u:object_r:var_lib_t,s0)
  
  /var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
-@@ -243,7 +255,7 @@ ifndef(`distro_redhat',`
+@@ -243,7 +260,7 @@ ifndef(`distro_redhat',`
  /var/spool(/.*)?			gen_context(system_u:object_r:var_spool_t,s0)
  /var/spool/postfix/etc(/.*)?	gen_context(system_u:object_r:etc_t,s0)
  
@@ -11289,12 +11395,12 @@ index 16108f6..33ea07b 100644
  /var/tmp/.*			<<none>>
  /var/tmp/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
  /var/tmp/lost\+found/.*		<<none>>
-@@ -252,3 +264,7 @@ ifndef(`distro_redhat',`
+@@ -252,3 +269,7 @@ ifndef(`distro_redhat',`
  ifdef(`distro_debian',`
  /var/run/motd		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  ')
-+/nsr(/.*)?						gen_context(system_u:object_r:var_t,s0)
-+/nsr/logs(/.*)?						gen_context(system_u:object_r:var_log_t,s0)
++/nsr(/.*)?			gen_context(system_u:object_r:var_t,s0)
++/nsr/logs(/.*)?			gen_context(system_u:object_r:var_log_t,s0)
 +
 +/usr/lib/debug(/.*)?		<<none>>
 diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
@@ -15906,10 +16012,10 @@ index 0000000..77c513d
 +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 +
 diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index e5bfdd4..df42caf 100644
+index e5bfdd4..10d03a3 100644
 --- a/policy/modules/roles/unprivuser.te
 +++ b/policy/modules/roles/unprivuser.te
-@@ -12,15 +12,68 @@ role user_r;
+@@ -12,15 +12,67 @@ role user_r;
  
  userdom_unpriv_user_template(user)
  
@@ -15933,7 +16039,6 @@ index e5bfdd4..df42caf 100644
 +
 +optional_policy(`
 +	gnome_role(user_r, user_t)
-+	#gnome_role_gkeyringd(user, user_r, user_t)
 +')
 +
 +optional_policy(`
@@ -15978,7 +16083,7 @@ index e5bfdd4..df42caf 100644
  	vlock_run(user_t, user_r)
  ')
  
-@@ -62,10 +115,6 @@ ifndef(`distro_redhat',`
+@@ -62,10 +114,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -15989,7 +16094,7 @@ index e5bfdd4..df42caf 100644
  		gpg_role(user_r, user_t)
  	')
  
-@@ -118,7 +167,7 @@ ifndef(`distro_redhat',`
+@@ -118,7 +166,7 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -15998,7 +16103,7 @@ index e5bfdd4..df42caf 100644
  	')
  
  	optional_policy(`
-@@ -157,3 +206,4 @@ ifndef(`distro_redhat',`
+@@ -157,3 +205,4 @@ ifndef(`distro_redhat',`
  		wireshark_role(user_r, user_t)
  	')
  ')
@@ -16016,7 +16121,7 @@ index 0ecc786..dbf2710 100644
  userdom_dontaudit_search_user_home_dirs(webadm_t)
  
 diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
-index e88b95f..95e5a6e 100644
+index e88b95f..9d37855 100644
 --- a/policy/modules/roles/xguest.te
 +++ b/policy/modules/roles/xguest.te
 @@ -14,14 +14,14 @@ gen_tunable(xguest_mount_media, true)
@@ -16087,7 +16192,7 @@ index e88b95f..95e5a6e 100644
  	')
  ')
  
-@@ -76,23 +87,99 @@ optional_policy(`
+@@ -76,23 +87,98 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -16105,7 +16210,6 @@ index e88b95f..95e5a6e 100644
 +
 +optional_policy(`
 +	gnome_role(xguest_r, xguest_t)
-+	#gnome_role_gkeyringd(xguest, xguest_r, xguest_t)
 +')
 +
 +optional_policy(`
@@ -28221,7 +28325,7 @@ index 3525d24..e5db539 100644
  /etc/rc\.d/init\.d/krb524d	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
  /etc/rc\.d/init\.d/krb5kdc	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
 diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
-index 604f67b..74d0c2a 100644
+index 604f67b..9026661 100644
 --- a/policy/modules/services/kerberos.if
 +++ b/policy/modules/services/kerberos.if
 @@ -26,9 +26,9 @@
@@ -28342,7 +28446,7 @@ index 604f67b..74d0c2a 100644
  	')
  
  	allow $1 kadmind_t:process { ptrace signal_perms };
-@@ -378,3 +373,22 @@ interface(`kerberos_admin',`
+@@ -378,3 +373,41 @@ interface(`kerberos_admin',`
  
  	admin_pattern($1, krb5kdc_var_run_t)
  ')
@@ -28365,6 +28469,25 @@ index 604f67b..74d0c2a 100644
 +
 +	files_tmp_filetrans($1, krb5_host_rcache_t, file)
 +')
++
++########################################
++## <summary>
++##	read kerberos homedir content (.k5login)
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++template(`kerberos_read_home_content',`
++	gen_require(`
++		type krb5_home_t;
++	')
++
++	userdom_search_user_home_dirs($1)
++	read_files_pattern($1, krb5_home_t, krb5_home_t)
++')
 diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
 index 8edc29b..09dac65 100644
 --- a/policy/modules/services/kerberos.te
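Review bot: `kerberos_read_home_content` is declared with `template(` although it takes a single domain argument and derives no types from a prefix; by the policy's convention that makes it an `interface(`, like `kerberos_admin` just above it. The summary also starts in lower case; `##	Read kerberos home directory content (.k5login).` would match the other summaries. `read_files_pattern($1, krb5_home_t, krb5_home_t)` uses krb5_home_t as the directory type too, so reaching the file in a home directory appears to rely on the preceding `userdom_search_user_home_dirs($1)` line; a short comment saying so would help the next reader.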
@@ -38780,6 +38903,31 @@ index 2785337..c3c2775 100644
  
  /usr/kerberos/sbin/klogind	--	gen_context(system_u:object_r:rlogind_exec_t,s0)
  
+diff --git a/policy/modules/services/rlogin.if b/policy/modules/services/rlogin.if
+index 63e78c6..ffa4f37 100644
+--- a/policy/modules/services/rlogin.if
++++ b/policy/modules/services/rlogin.if
+@@ -21,17 +21,11 @@ interface(`rlogin_domtrans',`
+ 
+ ########################################
+ ## <summary>
+-##	read rlogin homedir content (.config)
++##	read rlogin homedir content (.rlogin)
+ ## </summary>
+-## <param name="userdomain_prefix">
+-##	<summary>
+-##	The prefix of the user domain (e.g., user
+-##	is the prefix for user_t).
+-##	</summary>
+-## </param>
+-## <param name="user_domain">
++## <param name="domain">
+ ##	<summary>
+-##	The type of the user domain.
++##	Domain allowed access.
+ ##	</summary>
+ ## </param>
+ #
 diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te
 index 779fa44..cdfebe3 100644
 --- a/policy/modules/services/rlogin.te
@@ -40293,7 +40441,7 @@ index bcdd16c..7c379a8 100644
  	files_list_var_lib($1)
  	admin_pattern($1, setroubleshoot_var_lib_t)
 diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
-index 086cd5f..43350e6 100644
+index 086cd5f..610a762 100644
 --- a/policy/modules/services/setroubleshoot.te
 +++ b/policy/modules/services/setroubleshoot.te
 @@ -32,6 +32,8 @@ files_pid_file(setroubleshoot_var_run_t)
@@ -40305,7 +40453,7 @@ index 086cd5f..43350e6 100644
  allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
  allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
  allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -49,14 +51,17 @@ manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setrouble
+@@ -49,17 +51,21 @@ manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setrouble
  logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir })
  
  # pid file
@@ -40324,7 +40472,11 @@ index 086cd5f..43350e6 100644
  
  corecmd_exec_bin(setroubleshootd_t)
  corecmd_exec_shell(setroubleshootd_t)
-@@ -112,8 +117,6 @@ logging_send_audit_msgs(setroubleshootd_t)
++corecmd_read_all_executables(setroubleshootd_t)
+ 
+ corenet_all_recvfrom_unlabeled(setroubleshootd_t)
+ corenet_all_recvfrom_netlabel(setroubleshootd_t)
+@@ -112,8 +118,6 @@ logging_send_audit_msgs(setroubleshootd_t)
  logging_send_syslog_msg(setroubleshootd_t)
  logging_stream_connect_dispatcher(setroubleshootd_t)
  
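Review bot: `corecmd_read_all_executables(setroubleshootd_t)` is added without a comment, directly under `corecmd_exec_bin` and `corecmd_exec_shell`, and judging by its name it grants the daemon read access to every executable type rather than to a specific one. A one-line reason above it, in the form `# needed for <reason / bug reference>`, would let a later reviewer judge whether the grant can be narrowed. The block of setroubleshootd_t rules continues outside the hunk.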
@@ -40333,7 +40485,7 @@ index 086cd5f..43350e6 100644
  seutil_read_config(setroubleshootd_t)
  seutil_read_file_contexts(setroubleshootd_t)
  seutil_read_bin_policy(setroubleshootd_t)
-@@ -121,6 +124,18 @@ seutil_read_bin_policy(setroubleshootd_t)
+@@ -121,6 +125,18 @@ seutil_read_bin_policy(setroubleshootd_t)
  userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
  
  optional_policy(`
@@ -40352,7 +40504,7 @@ index 086cd5f..43350e6 100644
  	dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
  ')
  
-@@ -152,6 +167,7 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
+@@ -152,6 +168,7 @@ corecmd_exec_bin(setroubleshoot_fixit_t)
  corecmd_exec_shell(setroubleshoot_fixit_t)
  
  seutil_domtrans_setfiles(setroubleshoot_fixit_t)
@@ -40360,7 +40512,7 @@ index 086cd5f..43350e6 100644
  
  files_read_usr_files(setroubleshoot_fixit_t)
  files_read_etc_files(setroubleshoot_fixit_t)
-@@ -164,6 +180,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t)
+@@ -164,6 +181,13 @@ logging_send_syslog_msg(setroubleshoot_fixit_t)
  
  miscfiles_read_localization(setroubleshoot_fixit_t)
  
@@ -42139,7 +42291,7 @@ index 941380a..6dbfc01 100644
  	# Allow sssd_t to restart the apache service
  	sssd_initrc_domtrans($1)
 diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
-index 8ffa257..44cbef4 100644
+index 8ffa257..4ecf377 100644
 --- a/policy/modules/services/sssd.te
 +++ b/policy/modules/services/sssd.te
 @@ -28,9 +28,11 @@ files_pid_file(sssd_var_run_t)
@@ -42208,10 +42360,12 @@ index 8ffa257..44cbef4 100644
  
  optional_policy(`
  	dbus_system_bus_client(sssd_t)
-@@ -88,3 +101,11 @@ optional_policy(`
+@@ -87,4 +100,28 @@ optional_policy(`
+ 
  optional_policy(`
  	kerberos_manage_host_rcache(sssd_t)
- ')
++	kerberos_read_home_content(sssd_t)
++')
 +
 +optional_policy(`
 +	dirsrv_stream_connect(sssd_t)
@@ -42219,7 +42373,22 @@ index 8ffa257..44cbef4 100644
 +
 +optional_policy(`
 +	ldap_stream_connect(sssd_t)
+ ')
++
++tunable_policy(`use_nfs_home_dirs',`
++	fs_read_nfs_files(sssd_t)
 +')
++
++tunable_policy(`use_samba_home_dirs',`
++	fs_read_cifs_files(sssd_t)
++')
++
++tunable_policy(`use_fusefs_home_dirs',`
++	fs_read_fusefs_files(sssd_t)
++')
++
++
++
 diff --git a/policy/modules/services/stunnel.if b/policy/modules/services/stunnel.if
 index 6073656..eaf49b2 100644
 --- a/policy/modules/services/stunnel.if
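Review bot: The three `tunable_policy` blocks give sssd_t `fs_read_nfs_files`, `fs_read_cifs_files` and `fs_read_fusefs_files`, which by their names cover every file on those filesystem types, while the local case is limited to krb5_home_t through `kerberos_read_home_content(sssd_t)` in the preceding hunk. That asymmetry is probably unavoidable when such mounts carry a single label, but it should be stated above the first block, e.g. `# remote home dirs carry one type, so reading .k5login there needs read on the whole filesystem type`. The section also ends with three added blank lines, which can be dropped.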
@@ -48829,7 +48998,7 @@ index cc83689..84c0fb7 100644
 +')
 +
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index ea29513..9ebc12e 100644
+index ea29513..25c25b3 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -49263,12 +49432,7 @@ index ea29513..9ebc12e 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -370,10 +553,11 @@ storage_getattr_fixed_disk_dev(initrc_t)
- storage_setattr_fixed_disk_dev(initrc_t)
- storage_setattr_removable_dev(initrc_t)
- 
--term_use_all_terms(initrc_t)
-+term_use_all_inherited_terms(initrc_t)
+@@ -374,6 +557,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -50698,7 +50862,7 @@ index 2b7e5f3..76b4ce1 100644
 -	nscd_socket_use(sulogin_t)
 -')
 diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index 571599b..9effaeb 100644
+index 571599b..ddaf246 100644
 --- a/policy/modules/system/logging.fc
 +++ b/policy/modules/system/logging.fc
 @@ -17,6 +17,13 @@
@@ -50739,7 +50903,7 @@ index 571599b..9effaeb 100644
  
  ifndef(`distro_gentoo',`
  /var/log/audit\.log	--	gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
-@@ -54,18 +63,24 @@ ifdef(`distro_redhat',`
+@@ -54,18 +63,25 @@ ifdef(`distro_redhat',`
  /var/named/chroot/dev/log -s	gen_context(system_u:object_r:devlog_t,s0)
  ')
  
@@ -50764,9 +50928,10 @@ index 571599b..9effaeb 100644
 -/var/spool/plymouth/boot.log	gen_context(system_u:object_r:var_log_t,s0)
 +/var/spool/plymouth/boot\.log	gen_context(system_u:object_r:var_log_t,mls_systemhigh)
  /var/spool/rsyslog(/.*)? 	gen_context(system_u:object_r:var_log_t,s0)
- 
-+/var/stockmaniac/templates_cache(/.*)? gen_context(system_u:object_r:var_log_t,s0)
++/var/spool/audit(/.*)?		gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
 +
++/var/stockmaniac/templates_cache(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+ 
  /var/tinydns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
 +
 +/var/webmin(/.*)?		gen_context(system_u:object_r:var_log_t,s0)
@@ -50918,10 +51083,22 @@ index c7cfb62..6160239 100644
  	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
  	domain_system_change_exemption($1)
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 9b5a9ed..5ce2b02 100644
+index 9b5a9ed..13d15e0 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -55,11 +55,12 @@ type klogd_var_run_t;
+@@ -19,6 +19,11 @@ type auditd_log_t;
+ files_security_file(auditd_log_t)
+ files_security_mountpoint(auditd_log_t)
+ 
++type audit_spool_t;
++files_type(audit_spool_t)
++files_security_file(audit_spool_t)
++files_security_mountpoint(audit_spool_t)
++
+ type auditd_t;
+ type auditd_exec_t;
+ init_daemon_domain(auditd_t, auditd_exec_t)
+@@ -55,11 +60,12 @@ type klogd_var_run_t;
  files_pid_file(klogd_var_run_t)
  
  type syslog_conf_t;
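Review bot: The declaration of `audit_spool_t` puts `files_type(audit_spool_t)` in front of `files_security_file` and `files_security_mountpoint`, while `auditd_log_t` immediately above is declared with only the latter two. The extra line looks redundant, and the two declarations should be written the same way. A comment on the new type, such as `# spool directory written by audisp-remote`, would tie it to the `/var/spool/audit(/.*)?` entry added in logging.fc and to the `manage_dirs_pattern`/`manage_files_pattern` rules for audisp_remote_t added further down in this file.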
@@ -50935,7 +51112,7 @@ index 9b5a9ed..5ce2b02 100644
  
  type syslogd_initrc_exec_t;
  init_script_file(syslogd_initrc_exec_t)
-@@ -107,7 +108,7 @@ domain_use_interactive_fds(auditctl_t)
+@@ -107,7 +113,7 @@ domain_use_interactive_fds(auditctl_t)
  
  mls_file_read_all_levels(auditctl_t)
  
@@ -50944,7 +51121,7 @@ index 9b5a9ed..5ce2b02 100644
  
  init_dontaudit_use_fds(auditctl_t)
  
-@@ -179,6 +180,8 @@ logging_send_syslog_msg(auditd_t)
+@@ -179,6 +185,8 @@ logging_send_syslog_msg(auditd_t)
  logging_domtrans_dispatcher(auditd_t)
  logging_signal_dispatcher(auditd_t)
  
@@ -50953,7 +51130,7 @@ index 9b5a9ed..5ce2b02 100644
  miscfiles_read_localization(auditd_t)
  
  mls_file_read_all_levels(auditd_t)
-@@ -188,7 +191,7 @@ seutil_dontaudit_read_config(auditd_t)
+@@ -188,7 +196,7 @@ seutil_dontaudit_read_config(auditd_t)
  
  sysnet_dns_name_resolve(auditd_t)
  
@@ -50962,7 +51139,7 @@ index 9b5a9ed..5ce2b02 100644
  userdom_dontaudit_use_unpriv_user_fds(auditd_t)
  userdom_dontaudit_search_user_home_dirs(auditd_t)
  
-@@ -234,7 +237,12 @@ domain_use_interactive_fds(audisp_t)
+@@ -234,7 +242,12 @@ domain_use_interactive_fds(audisp_t)
  files_read_etc_files(audisp_t)
  files_read_etc_runtime_files(audisp_t)
  
@@ -50975,7 +51152,7 @@ index 9b5a9ed..5ce2b02 100644
  
  logging_send_syslog_msg(audisp_t)
  
-@@ -244,14 +252,22 @@ sysnet_dns_name_resolve(audisp_t)
+@@ -244,14 +257,26 @@ sysnet_dns_name_resolve(audisp_t)
  
  optional_policy(`
  	dbus_system_bus_client(audisp_t)
@@ -50995,11 +51172,15 @@ index 9b5a9ed..5ce2b02 100644
  allow audisp_remote_t self:tcp_socket create_socket_perms;
 +allow audisp_remote_t var_log_t:dir search_dir_perms;
 +
++manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
++manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
++files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
++
 +corecmd_exec_bin(audisp_remote_t)
  
  corenet_all_recvfrom_unlabeled(audisp_remote_t)
  corenet_all_recvfrom_netlabel(audisp_remote_t)
-@@ -266,9 +282,16 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
+@@ -266,9 +291,16 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
  files_read_etc_files(audisp_remote_t)
  
  logging_send_syslog_msg(audisp_remote_t)
@@ -51016,7 +51197,7 @@ index 9b5a9ed..5ce2b02 100644
  sysnet_dns_name_resolve(audisp_remote_t)
  
  ########################################
-@@ -338,11 +361,12 @@ optional_policy(`
+@@ -338,11 +370,12 @@ optional_policy(`
  # chown fsetid for syslog-ng
  # sys_admin for the integrated klog of syslog-ng and metalog
  # cjp: why net_admin!
@@ -51031,7 +51212,7 @@ index 9b5a9ed..5ce2b02 100644
  # receive messages to be logged
  allow syslogd_t self:unix_dgram_socket create_socket_perms;
  allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -360,6 +384,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
+@@ -360,6 +393,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
  # create/append log files.
  manage_files_pattern(syslogd_t, var_log_t, var_log_t)
  rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
@@ -51039,7 +51220,7 @@ index 9b5a9ed..5ce2b02 100644
  
  # Allow access for syslog-ng
  allow syslogd_t var_log_t:dir { create setattr };
-@@ -369,9 +394,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+@@ -369,9 +403,15 @@ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
  files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
  
@@ -51055,7 +51236,7 @@ index 9b5a9ed..5ce2b02 100644
  # manage pid file
  manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
  files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
-@@ -412,6 +443,9 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t)
+@@ -412,6 +452,9 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t)
  
  dev_filetrans(syslogd_t, devlog_t, sock_file)
  dev_read_sysfs(syslogd_t)
@@ -51065,7 +51246,7 @@ index 9b5a9ed..5ce2b02 100644
  
  domain_use_interactive_fds(syslogd_t)
  
-@@ -480,6 +514,10 @@ optional_policy(`
+@@ -480,6 +523,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -51076,7 +51257,7 @@ index 9b5a9ed..5ce2b02 100644
  	postgresql_stream_connect(syslogd_t)
  ')
  
-@@ -488,6 +526,10 @@ optional_policy(`
+@@ -488,6 +535,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -55198,7 +55379,7 @@ index db75976..392d1ee 100644
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 +HOME_DIR/\.debug(/.*)?	<<none>>
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..c68006d 100644
+index 28b88de..59d7c2d 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -55769,7 +55950,7 @@ index 28b88de..c68006d 100644
  	')
  
  	tunable_policy(`user_ttyfile_stat',`
-@@ -574,67 +650,118 @@ template(`userdom_common_user_template',`
+@@ -574,67 +650,122 @@ template(`userdom_common_user_template',`
  	')
  
  	optional_policy(`
@@ -55845,47 +56026,51 @@ index 28b88de..c68006d 100644
  
  		optional_policy(`
 -			cups_dbus_chat_config($1_t)
-+			modemmanager_dbus_chat($1_usertype)
++			kde_dbus_chat_backlighthelper($1_usertype)
  		')
  
  		optional_policy(`
 -			hal_dbus_chat($1_t)
-+			networkmanager_dbus_chat($1_usertype)
-+			networkmanager_read_lib_files($1_usertype)
++			modemmanager_dbus_chat($1_usertype)
  		')
  
  		optional_policy(`
 -			networkmanager_dbus_chat($1_t)
-+			vpn_dbus_chat($1_usertype)
++			networkmanager_dbus_chat($1_usertype)
++			networkmanager_read_lib_files($1_usertype)
  		')
++
++		optional_policy(`
++			vpn_dbus_chat($1_usertype)
++		')
++	')
++
++	optional_policy(`
++		git_session_role($1_r, $1_usertype)
++	')
++
++	optional_policy(`
++		inetd_use_fds($1_usertype)
++		inetd_rw_tcp_sockets($1_usertype)
  	')
  
  	optional_policy(`
 -		inetd_use_fds($1_t)
 -		inetd_rw_tcp_sockets($1_t)
-+		git_session_role($1_r, $1_usertype)
++		inn_read_config($1_usertype)
++		inn_read_news_lib($1_usertype)
++		inn_read_news_spool($1_usertype)
  	')
  
  	optional_policy(`
 -		inn_read_config($1_t)
 -		inn_read_news_lib($1_t)
 -		inn_read_news_spool($1_t)
-+		inetd_use_fds($1_usertype)
-+		inetd_rw_tcp_sockets($1_usertype)
++		lircd_stream_connect($1_usertype)
  	')
  
  	optional_policy(`
 -		locate_read_lib_files($1_t)
-+		inn_read_config($1_usertype)
-+		inn_read_news_lib($1_usertype)
-+		inn_read_news_spool($1_usertype)
-+	')
-+
-+	optional_policy(`
-+		lircd_stream_connect($1_usertype)
-+	')
-+
-+	optional_policy(`
 +		locate_read_lib_files($1_usertype)
  	')
  
@@ -55906,7 +56091,7 @@ index 28b88de..c68006d 100644
  	')
  
  	optional_policy(`
-@@ -650,41 +777,50 @@ template(`userdom_common_user_template',`
+@@ -650,41 +781,50 @@ template(`userdom_common_user_template',`
  
  	optional_policy(`
  		# to allow monitoring of pcmcia status
@@ -55938,53 +56123,53 @@ index 28b88de..c68006d 100644
 +	optional_policy(`
 +		rpc_dontaudit_getattr_exports($1_usertype)
 +		rpc_manage_nfs_rw_content($1_usertype)
++	')
++
++	optional_policy(`
++		rpcbind_stream_connect($1_usertype)
  	')
  
  	optional_policy(`
 -		rpc_dontaudit_getattr_exports($1_t)
 -		rpc_manage_nfs_rw_content($1_t)
-+		rpcbind_stream_connect($1_usertype)
++		samba_stream_connect_winbind($1_usertype)
  	')
  
  	optional_policy(`
 -		samba_stream_connect_winbind($1_t)
-+		samba_stream_connect_winbind($1_usertype)
++		sandbox_transition($1_usertype, $1_r)
  	')
  
  	optional_policy(`
 -		slrnpull_search_spool($1_t)
-+		sandbox_transition($1_usertype, $1_r)
++		seunshare_role_template($1, $1_r, $1_t)
  	')
  
  	optional_policy(`
 -		usernetctl_run($1_t,$1_r)
-+		seunshare_role_template($1, $1_r, $1_t)
- 	')
-+
-+	optional_policy(`
 +		slrnpull_search_spool($1_usertype)
-+	')
+ 	')
 +
  ')
  
  #######################################
-@@ -712,13 +848,26 @@ template(`userdom_login_user_template', `
+@@ -712,13 +852,26 @@ template(`userdom_login_user_template', `
  
  	userdom_base_user_template($1)
  
 -	userdom_manage_home_role($1_r, $1_t)
 +	userdom_manage_home_role($1_r, $1_usertype)
++
++	userdom_manage_tmp_role($1_r, $1_usertype)
++	userdom_manage_tmpfs_role($1_r, $1_usertype)
  
 -	userdom_manage_tmp_role($1_r, $1_t)
 -	userdom_manage_tmpfs_role($1_r, $1_t)
-+	userdom_manage_tmp_role($1_r, $1_usertype)
-+	userdom_manage_tmpfs_role($1_r, $1_usertype)
++	ifelse(`$1',`unconfined',`',`
++		gen_tunable(allow_$1_exec_content, true)
  
 -	userdom_exec_user_tmp_files($1_t)
 -	userdom_exec_user_home_content_files($1_t)
-+	ifelse(`$1',`unconfined',`',`
-+		gen_tunable(allow_$1_exec_content, true)
-+
 +		tunable_policy(`allow_$1_exec_content',`
 +			userdom_exec_user_tmp_files($1_usertype)
 +			userdom_exec_user_home_content_files($1_usertype)
@@ -56000,7 +56185,7 @@ index 28b88de..c68006d 100644
  
  	userdom_change_password_template($1)
  
-@@ -736,72 +885,70 @@ template(`userdom_login_user_template', `
+@@ -736,72 +889,70 @@ template(`userdom_login_user_template', `
  
  	allow $1_t self:context contains;
  
@@ -56067,10 +56252,10 @@ index 28b88de..c68006d 100644
 -	miscfiles_exec_tetex_data($1_t)
 +	miscfiles_read_tetex_data($1_usertype)
 +	miscfiles_exec_tetex_data($1_usertype)
++
++	seutil_read_config($1_usertype)
  
 -	seutil_read_config($1_t)
-+	seutil_read_config($1_usertype)
-+
 +	optional_policy(`
 +		cups_read_config($1_usertype)
 +		cups_stream_connect($1_usertype)
@@ -56108,7 +56293,7 @@ index 28b88de..c68006d 100644
  	')
  ')
  
-@@ -833,6 +980,9 @@ template(`userdom_restricted_user_template',`
+@@ -833,6 +984,9 @@ template(`userdom_restricted_user_template',`
  	typeattribute $1_t unpriv_userdomain;
  	domain_interactive_fd($1_t)
  
@@ -56118,7 +56303,7 @@ index 28b88de..c68006d 100644
  	##############################
  	#
  	# Local policy
-@@ -874,45 +1024,113 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1028,113 @@ template(`userdom_restricted_xwindows_user_template',`
  	#
  
  	auth_role($1_r, $1_t)
@@ -56243,7 +56428,7 @@ index 28b88de..c68006d 100644
  	')
  ')
  
-@@ -947,7 +1165,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1169,7 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -56252,7 +56437,7 @@ index 28b88de..c68006d 100644
  	userdom_common_user_template($1)
  
  	##############################
-@@ -956,54 +1174,83 @@ template(`userdom_unpriv_user_template', `
+@@ -956,54 +1178,83 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -56366,7 +56551,7 @@ index 28b88de..c68006d 100644
  	')
  ')
  
-@@ -1039,7 +1286,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1290,7 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -56375,7 +56560,7 @@ index 28b88de..c68006d 100644
  	')
  
  	##############################
-@@ -1066,6 +1313,7 @@ template(`userdom_admin_user_template',`
+@@ -1066,6 +1317,7 @@ template(`userdom_admin_user_template',`
  	#
  
  	allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -56383,7 +56568,7 @@ index 28b88de..c68006d 100644
  	allow $1_t self:process { setexec setfscreate };
  	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
  	allow $1_t self:tun_socket create;
-@@ -1074,6 +1322,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1326,9 @@ template(`userdom_admin_user_template',`
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -56393,7 +56578,7 @@ index 28b88de..c68006d 100644
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1088,6 +1339,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1343,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -56401,7 +56586,7 @@ index 28b88de..c68006d 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1105,10 +1357,13 @@ template(`userdom_admin_user_template',`
+@@ -1105,10 +1361,13 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -56415,7 +56600,7 @@ index 28b88de..c68006d 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1119,17 +1374,21 @@ template(`userdom_admin_user_template',`
+@@ -1119,17 +1378,21 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -56438,7 +56623,7 @@ index 28b88de..c68006d 100644
  
  	auth_getattr_shadow($1_t)
  	# Manage almost all files
-@@ -1141,7 +1400,10 @@ template(`userdom_admin_user_template',`
+@@ -1141,7 +1404,10 @@ template(`userdom_admin_user_template',`
  
  	logging_send_syslog_msg($1_t)
  
@@ -56450,7 +56635,7 @@ index 28b88de..c68006d 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1210,6 +1472,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1476,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -56459,7 +56644,7 @@ index 28b88de..c68006d 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1222,6 +1486,7 @@ template(`userdom_security_admin_template',`
+@@ -1222,6 +1490,7 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -56467,7 +56652,7 @@ index 28b88de..c68006d 100644
  
  	auth_relabel_all_files_except_shadow($1)
  	auth_relabel_shadow($1)
-@@ -1237,6 +1502,7 @@ template(`userdom_security_admin_template',`
+@@ -1237,6 +1506,7 @@ template(`userdom_security_admin_template',`
  	seutil_run_checkpolicy($1,$2)
  	seutil_run_loadpolicy($1,$2)
  	seutil_run_semanage($1,$2)
@@ -56475,7 +56660,7 @@ index 28b88de..c68006d 100644
  	seutil_run_setfiles($1, $2)
  
  	optional_policy(`
-@@ -1279,11 +1545,37 @@ template(`userdom_security_admin_template',`
+@@ -1279,11 +1549,37 @@ template(`userdom_security_admin_template',`
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -56513,7 +56698,7 @@ index 28b88de..c68006d 100644
  	ubac_constrained($1)
  ')
  
-@@ -1395,6 +1687,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,6 +1691,7 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -56521,7 +56706,7 @@ index 28b88de..c68006d 100644
  	files_search_home($1)
  ')
  
-@@ -1441,6 +1734,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1738,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -56536,7 +56721,7 @@ index 28b88de..c68006d 100644
  ')
  
  ########################################
-@@ -1456,9 +1757,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1761,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -56548,7 +56733,7 @@ index 28b88de..c68006d 100644
  ')
  
  ########################################
-@@ -1515,10 +1818,10 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,10 +1822,10 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -56561,7 +56746,7 @@ index 28b88de..c68006d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1526,25 +1829,61 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1526,22 +1833,58 @@ interface(`userdom_relabelto_user_home_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -56585,9 +56770,6 @@ index 28b88de..c68006d 100644
  ## </summary>
 -## <desc>
 -##	<p>
--##	Do a domain transition to the specified
--##	domain when executing a program in the
--##	user home directory.
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
@@ -56629,13 +56811,10 @@ index 28b88de..c68006d 100644
 +## </summary>
 +## <desc>
 +##	<p>
-+##	Do a domain transition to the specified
-+##	domain when executing a program in the
-+##	user home directory.
- ##	</p>
- ##	<p>
- ##	No interprocess communication (signals, pipes,
-@@ -1589,6 +1928,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+ ##	Do a domain transition to the specified
+ ##	domain when executing a program in the
+ ##	user home directory.
+@@ -1589,6 +1932,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -56644,7 +56823,7 @@ index 28b88de..c68006d 100644
  ')
  
  ########################################
-@@ -1603,10 +1944,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +1948,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -56659,7 +56838,7 @@ index 28b88de..c68006d 100644
  ')
  
  ########################################
-@@ -1649,6 +1992,25 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +1996,25 @@ interface(`userdom_delete_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -56685,7 +56864,7 @@ index 28b88de..c68006d 100644
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -1700,12 +2062,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1700,12 +2066,32 @@ interface(`userdom_read_user_home_content_files',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -56718,7 +56897,7 @@ index 28b88de..c68006d 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1716,11 +2098,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2102,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -56736,7 +56915,7 @@ index 28b88de..c68006d 100644
  ')
  
  ########################################
-@@ -1810,8 +2195,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2199,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -56746,7 +56925,7 @@ index 28b88de..c68006d 100644
  ')
  
  ########################################
-@@ -1827,21 +2211,15 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,20 +2215,14 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -56760,19 +56939,18 @@ index 28b88de..c68006d 100644
 -
 -	tunable_policy(`use_nfs_home_dirs',`
 -		fs_exec_nfs_files($1)
+-	')
+-
+-	tunable_policy(`use_samba_home_dirs',`
+-		fs_exec_cifs_files($1)
 +	exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
 +	dontaudit $1 user_home_type:sock_file execute;
  	')
- 
--	tunable_policy(`use_samba_home_dirs',`
--		fs_exec_cifs_files($1)
--	')
 -')
--
+ 
  ########################################
  ## <summary>
- ##	Do not audit attempts to execute user home files.
-@@ -2182,7 +2560,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+@@ -2182,7 +2564,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -56781,7 +56959,7 @@ index 28b88de..c68006d 100644
  ')
  
  ########################################
-@@ -2435,13 +2813,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +2817,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -56797,7 +56975,7 @@ index 28b88de..c68006d 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2462,26 +2841,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +2845,6 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -56824,7 +57002,7 @@ index 28b88de..c68006d 100644
  ##	Get the attributes of a user domain tty.
  ## </summary>
  ## <param name="domain">
-@@ -2572,6 +2931,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2572,6 +2935,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -56849,7 +57027,7 @@ index 28b88de..c68006d 100644
  ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
-@@ -2590,22 +2967,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2590,22 +2971,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -56892,7 +57070,7 @@ index 28b88de..c68006d 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2614,14 +3003,13 @@ interface(`userdom_use_user_ptys',`
+@@ -2614,14 +3007,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -56907,10 +57085,30 @@ index 28b88de..c68006d 100644
 -	term_list_ptys($1)
 +	allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
 +	allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
++')
++
++#######################################
++## <summary>
++##  Allow attempts to read and write
++##  a user domain tty and pty.
++## </summary>
++## <param name="domain">
++##  <summary>
++##  Domain to not audit.
++##  </summary>
++## </param>
++#
++interface(`userdom_use_user_terminals',`
++    gen_require(`
++        type user_tty_device_t, user_devpts_t;
++    ')
++
++    allow $1 user_tty_device_t:chr_file rw_term_perms;
++    allow $1 user_devpts_t:chr_file rw_term_perms;
  ')
  
  ########################################
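Review bot: The doc block for the new `userdom_use_user_terminals` interface describes its parameter as `Domain to not audit.`, but the body consists of two `allow` rules, so the generated interface documentation would present a granting interface as a dontaudit one; the param summary should read `##  Domain allowed access.`. The summary also does not say how this interface differs from the one just before it, which uses `rw_inherited_term_perms` where this one uses `rw_term_perms`. If the difference is the `open` permission, as the changelog entry about `$1_sudo_t` and `$1_su_t` suggests, state it, e.g. `##  Read and write a user domain tty and pty, including opening them.`, so that callers keep to the inherited-only variant unless they need to open the terminal themselves. The new block is indented with spaces while the surrounding rules use tabs, and the preceding interface begins outside this hunk.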
-@@ -2815,7 +3203,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2815,7 +3227,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -56919,7 +57117,7 @@ index 28b88de..c68006d 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2831,11 +3219,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2831,11 +3243,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -56935,7 +57133,7 @@ index 28b88de..c68006d 100644
  ')
  
  ########################################
-@@ -2917,7 +3307,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2917,7 +3331,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -56944,7 +57142,7 @@ index 28b88de..c68006d 100644
  ')
  
  ########################################
-@@ -2972,7 +3362,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2972,7 +3386,45 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -56991,7 +57189,7 @@ index 28b88de..c68006d 100644
  ')
  
  ########################################
-@@ -3009,6 +3437,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3009,6 +3461,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -56999,7 +57197,7 @@ index 28b88de..c68006d 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3139,3 +3568,1058 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3139,3 +3592,1058 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ba5a03d..4938235 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.16
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -472,6 +472,22 @@ exit 0
 %endif
 
 %changelog
+* Fri Mar 25 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-7
+- Allow $1_sudo_t and $1_su_t open access to user terminals
+- Allow initrc_t to use generic terminals
+- Make Makefile/Rules.modular run sepolgen-ifgen during build to check if files for bugs
+-systemd is going to be useing /run and /run/lock for early bootup files.
+- Fix some comments in rlogin.if
+- Add policy for KDE backlighthelper
+- sssd needs to read ~/.k5login in nfs, cifs or fusefs file systems
+- sssd wants to read .k5login file in users homedir
+- setroubleshoot reads executables to see if they have TEXTREL
+- Add /var/spool/audit support for new version of audit
+- Remove kerberos_connect_524() interface calling
+- Combine kerberos_master_port_t and kerberos_port_t
+- systemd has setup /dev/kmsg as stderr for apps it executes
+- Need these access so that init can impersonate sockets on unix_dgram_socket
+
 * Wed Mar 23 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-6
 - Remove some unconfined domains
 - Remove permissive domains