diff --git a/file_contexts.subs b/file_contexts.subs
index 7499c75..f8d0cb3 100644
--- a/file_contexts.subs
+++ b/file_contexts.subs
@@ -1,2 +1,3 @@
 /run /var/run
 /run/lock /var/lock
+/var/run/lock /var/lock
diff --git a/policy-F16.patch b/policy-F16.patch
index 2e87799..ca4da59 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -1476,7 +1476,7 @@ index c633aea..d1e56f6 100644
  
  ifdef(`hide_broken_symptoms',`
 diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
-index af55369..f30119e 100644
+index af55369..2718561 100644
 --- a/policy/modules/admin/prelink.te
 +++ b/policy/modules/admin/prelink.te
 @@ -36,7 +36,7 @@ files_type(prelink_var_lib_t)
@@ -1561,7 +1561,7 @@ index af55369..f30119e 100644
  
  	domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
  	allow prelink_cron_system_t prelink_t:process noatsecure;
-@@ -148,7 +163,7 @@ optional_policy(`
+@@ -148,17 +163,26 @@ optional_policy(`
  	files_read_etc_files(prelink_cron_system_t)
  	files_search_var_lib(prelink_cron_system_t)
  
@@ -1570,7 +1570,11 @@ index af55369..f30119e 100644
  
  	libs_exec_ld_so(prelink_cron_system_t)
  
-@@ -158,7 +173,14 @@ optional_policy(`
+ 	logging_search_logs(prelink_cron_system_t)
+ 
++	init_stream_connect(prelink_cron_system_t)
++
+ 	miscfiles_read_localization(prelink_cron_system_t)
  
  	cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t)
  
@@ -7600,7 +7604,7 @@ index 2ba7787..9f12b51 100644
  ')
  
 diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
-index c2d20a2..be062b9 100644
+index c2d20a2..ae14a7d 100644
 --- a/policy/modules/apps/pulseaudio.te
 +++ b/policy/modules/apps/pulseaudio.te
 @@ -44,6 +44,7 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -7662,10 +7666,10 @@ index c2d20a2..be062b9 100644
  ')
 +
 +optional_policy(`
-+	qemu_manage_tmpfs_files(pulseaudio_t)
++	virt_manage_tmpfs_files(pulseaudio_t)
 +')
 diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if
-index c1d5f50..9e34fbd 100644
+index c1d5f50..6c7a005 100644
 --- a/policy/modules/apps/qemu.if
 +++ b/policy/modules/apps/qemu.if
 @@ -76,7 +76,7 @@ template(`qemu_domain_template',`
@@ -7760,7 +7764,7 @@ index c1d5f50..9e34fbd 100644
  #
  interface(`qemu_run',`
  	gen_require(`
-@@ -177,10 +157,6 @@ interface(`qemu_run',`
+@@ -177,10 +157,8 @@ interface(`qemu_run',`
  
  	qemu_domtrans($1)
  	role $2 types qemu_t;
@@ -7768,10 +7772,12 @@ index c1d5f50..9e34fbd 100644
 -	optional_policy(`
 -		samba_run_smb(qemu_t, $2, $3)
 -	')
++	allow qemu_t $1:process signull;
++	allow $1 qemu_t:process signull;
  ')
  
  ########################################
-@@ -275,6 +251,67 @@ interface(`qemu_domtrans_unconfined',`
+@@ -275,6 +253,67 @@ interface(`qemu_domtrans_unconfined',`
  
  ########################################
  ## <summary>
@@ -7839,7 +7845,7 @@ index c1d5f50..9e34fbd 100644
  ##	Manage qemu temporary dirs.
  ## </summary>
  ## <param name="domain">
-@@ -308,3 +345,42 @@ interface(`qemu_manage_tmp_files',`
+@@ -308,3 +347,22 @@ interface(`qemu_manage_tmp_files',`
  
  	manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
  ')
@@ -7862,28 +7868,8 @@ index c1d5f50..9e34fbd 100644
 +
 +	domain_entry_file($1, qemu_exec_t)
 +')
-+
-+########################################
-+## <summary>
-+##	allow domain to manage
-+##	qemu tmpfs files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access
-+##	</summary>
-+## </param>
-+#
-+interface(`qemu_manage_tmpfs_files',`
-+	gen_require(`
-+		attribute qemu_tmpfs_type;
-+	')
-+
-+	allow $1 qemu_tmpfs_type:file manage_file_perms;
-+')
-+
 diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te
-index 5ef2f7d..c01d37c 100644
+index 5ef2f7d..13057b7 100644
 --- a/policy/modules/apps/qemu.te
 +++ b/policy/modules/apps/qemu.te
 @@ -21,7 +21,7 @@ gen_tunable(qemu_use_cifs, true)
@@ -7914,17 +7900,21 @@ index 5ef2f7d..c01d37c 100644
  	corenet_udp_bind_all_ports(qemu_t)
  	corenet_tcp_bind_all_ports(qemu_t)
  	corenet_tcp_connect_all_ports(qemu_t)
-@@ -90,10 +91,18 @@ tunable_policy(`qemu_use_usb',`
+@@ -90,10 +91,22 @@ tunable_policy(`qemu_use_usb',`
  ')
  
  optional_policy(`
 -	samba_domtrans_smbd(qemu_t)
-+	tunable_policy(`qemu_use_cifs',`
-+		samba_domtrans_smbd(qemu_t)
-+	')
++	dbus_read_lib_files(qemu_t)
  ')
  
  optional_policy(`
++	tunable_policy(`qemu_use_cifs',`
++		samba_domtrans_smbd(qemu_t)
++	')
++')
++
++optional_policy(`
 +	pulseaudio_manage_home_files(qemu_t)
 +	pulseaudio_stream_connect(qemu_t)
 +')
@@ -7934,7 +7924,7 @@ index 5ef2f7d..c01d37c 100644
  	virt_manage_images(qemu_t)
  	virt_append_log(qemu_t)
  ')
-@@ -102,6 +111,11 @@ optional_policy(`
+@@ -102,6 +115,11 @@ optional_policy(`
  	xen_rw_image_files(qemu_t)
  ')
  
@@ -7946,7 +7936,7 @@ index 5ef2f7d..c01d37c 100644
  ########################################
  #
  # Unconfined qemu local policy
-@@ -112,6 +126,8 @@ optional_policy(`
+@@ -112,6 +130,8 @@ optional_policy(`
  	typealias unconfined_qemu_t alias qemu_unconfined_t;
  	application_type(unconfined_qemu_t)
  	unconfined_domain(unconfined_qemu_t)
@@ -10673,7 +10663,7 @@ index 6cf8784..5b25039 100644
 +#
 +/sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
 diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index e9313fb..c4607c9 100644
+index e9313fb..60437ca 100644
 --- a/policy/modules/kernel/devices.if
 +++ b/policy/modules/kernel/devices.if
 @@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -10947,10 +10937,28 @@ index e9313fb..c4607c9 100644
  ##	Read hardware state information.
  ## </summary>
  ## <desc>
-@@ -3954,6 +4026,24 @@ interface(`dev_rw_sysfs',`
+@@ -3954,6 +4026,42 @@ interface(`dev_rw_sysfs',`
  
  ########################################
  ## <summary>
++##	Relabel hardware state directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_relabel_sysfs_dirs',`
++	gen_require(`
++		type sysfs_t;
++	')
++
++	relabel_dirs_pattern($1, sysfs_t, sysfs_t)
++')
++
++########################################
++## <summary>
 +##	Allow caller to modify hardware state information.
 +## </summary>
 +## <param name="domain">
@@ -10972,7 +10980,7 @@ index e9313fb..c4607c9 100644
  ##	Read and write the TPM device.
  ## </summary>
  ## <param name="domain">
-@@ -4514,6 +4604,24 @@ interface(`dev_rwx_vmware',`
+@@ -4514,6 +4622,24 @@ interface(`dev_rwx_vmware',`
  
  ########################################
  ## <summary>
@@ -10997,7 +11005,7 @@ index e9313fb..c4607c9 100644
  ##	Write to watchdog devices.
  ## </summary>
  ## <param name="domain">
-@@ -4748,3 +4856,23 @@ interface(`dev_unconfined',`
+@@ -4748,3 +4874,23 @@ interface(`dev_unconfined',`
  
  	typeattribute $1 devices_unconfined_type;
  ')
@@ -12800,7 +12808,7 @@ index 59bae6a..2e55e71 100644
 +/dev/hugepages	-d	gen_context(system_u:object_r:hugetlbfs_t,s0)
 +/dev/hugepages(/.*)?		<<none>>
 diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index dfe361a..5da5ee1 100644
+index dfe361a..be9572b 100644
 --- a/policy/modules/kernel/filesystem.if
 +++ b/policy/modules/kernel/filesystem.if
 @@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',`
@@ -12821,13 +12829,13 @@ index dfe361a..5da5ee1 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_relabelto_cgroup_dirs',`
++interface(`fs_relabel_cgroup_dirs',`
 +	gen_require(`
 +		type cgroup_t;
 +
 +	')
 +
-+	relabelto_dirs_pattern($1, cgroup_t, cgroup_t)
++	relabel_dirs_pattern($1, cgroup_t, cgroup_t)
 +')
 +
 +########################################
@@ -13371,11 +13379,11 @@ index dfe361a..5da5ee1 100644
  	manage_lnk_files_pattern($1, nfs_t, nfs_t)
  ')
  
-@@ -3989,6 +4334,78 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -3772,6 +4117,24 @@ interface(`fs_dontaudit_list_tmpfs',`
  
  ########################################
  ## <summary>
-+##	dontaudit Read and write block nodes on tmpfs filesystems.
++##	Relabel directory  on tmpfs filesystems.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -13383,53 +13391,24 @@ index dfe361a..5da5ee1 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_dontaudit_read_tmpfs_blk_dev',`
++interface(`fs_relabel_tmpfs_dirs',`
 +	gen_require(`
 +		type tmpfs_t;
 +	')
 +
-+	dontaudit $1 tmpfs_t:blk_file read_blk_file_perms;
-+')
-+
-+######################################
-+## <summary>
-+##  Allow setattr on directory on tmpfs filesystems.
-+## </summary>
-+## <param name="domain">
-+##  <summary>
-+##  Domain allowed access.
-+##  </summary>
-+## </param>
-+#
-+interface(`fs_setattr_tmpfs_dir',`
-+    gen_require(`
-+        type tmpfs_t;
-+    ')
-+
-+    setattr_dirs_pattern($1, tmpfs_t, tmpfs_t)
-+')
-+
-+#######################################
-+## <summary>
-+##  Create directory  on tmpfs filesystems.
-+## </summary>
-+## <param name="domain">
-+##  <summary>
-+##  Domain allowed access.
-+##  </summary>
-+## </param>
-+#
-+interface(`fs_create_tmpfs_dir',`
-+    gen_require(`
-+        type tmpfs_t;
-+    ')
-+
-+    create_dirs_pattern($1, tmpfs_t, tmpfs_t)
++	relabel_dirs_pattern($1, tmpfs_t, tmpfs_t)
 +')
 +
 +########################################
 +## <summary>
-+##	Relabelfrom directory  on tmpfs filesystems.
+ ##	Create, read, write, and delete
+ ##	tmpfs directories
+ ## </summary>
+@@ -3989,6 +4352,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+ 
+ ########################################
+ ## <summary>
++##	dontaudit Read and write block nodes on tmpfs filesystems.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -13437,12 +13416,12 @@ index dfe361a..5da5ee1 100644
 +##	</summary>
 +## </param>
 +#
-+interface(`fs_relabelfrom_tmpfs_dir',`
++interface(`fs_dontaudit_read_tmpfs_blk_dev',`
 +	gen_require(`
 +		type tmpfs_t;
 +	')
 +
-+	relabelfrom_dirs_pattern($1, tmpfs_t, tmpfs_t)
++	dontaudit $1 tmpfs_t:blk_file read_blk_file_perms;
 +')
 +
 +########################################
@@ -13450,7 +13429,7 @@ index dfe361a..5da5ee1 100644
  ##	Relabel character nodes on tmpfs filesystems.
  ## </summary>
  ## <param name="domain">
-@@ -4271,6 +4688,8 @@ interface(`fs_mount_all_fs',`
+@@ -4271,6 +4652,8 @@ interface(`fs_mount_all_fs',`
  	')
  
  	allow $1 filesystem_type:filesystem mount;
@@ -13459,7 +13438,7 @@ index dfe361a..5da5ee1 100644
  ')
  
  ########################################
-@@ -4681,3 +5100,24 @@ interface(`fs_unconfined',`
+@@ -4681,3 +5064,24 @@ interface(`fs_unconfined',`
  
  	typeattribute $1 filesystem_unconfined_type;
  ')
@@ -14059,7 +14038,7 @@ index 3994e57..a1923fe 100644
 +
 +/lib/udev/devices/pts	-d	gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
 diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index f3acfee..eceb42d 100644
+index f3acfee..59ea6ae 100644
 --- a/policy/modules/kernel/terminal.if
 +++ b/policy/modules/kernel/terminal.if
 @@ -208,6 +208,27 @@ interface(`term_use_all_terms',`
@@ -14120,7 +14099,32 @@ index f3acfee..eceb42d 100644
  ')
  
  ########################################
-@@ -658,6 +680,25 @@ interface(`term_use_controlling_term',`
+@@ -462,6 +484,24 @@ interface(`term_list_ptys',`
+ 
+ ########################################
+ ## <summary>
++##	Relabel the /dev/pts directory
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`term_relabel_ptys_dirs',`
++	gen_require(`
++		type devpts_t;
++	')
++
++	allow $1 devpts_t:dir relabel_dirs_perms;
++')
++
++########################################
++## <summary>
+ ##	Do not audit attempts to read the
+ ##	/dev/pts directory.
+ ## </summary>
+@@ -658,6 +698,25 @@ interface(`term_use_controlling_term',`
  	allow $1 devtty_t:chr_file { rw_term_perms lock append };
  ')
  
@@ -14146,7 +14150,7 @@ index f3acfee..eceb42d 100644
  ########################################
  ## <summary>
  ##	Do not audit attempts to get attributes
-@@ -842,6 +883,26 @@ interface(`term_use_all_ptys',`
+@@ -842,6 +901,26 @@ interface(`term_use_all_ptys',`
  
  ########################################
  ## <summary>
@@ -14173,7 +14177,7 @@ index f3acfee..eceb42d 100644
  ##	Do not audit attempts to read or write any ptys.
  ## </summary>
  ## <param name="domain">
-@@ -855,7 +916,7 @@ interface(`term_dontaudit_use_all_ptys',`
+@@ -855,7 +934,7 @@ interface(`term_dontaudit_use_all_ptys',`
  		attribute ptynode;
  	')
  
@@ -14182,7 +14186,7 @@ index f3acfee..eceb42d 100644
  ')
  
  ########################################
-@@ -1123,7 +1184,7 @@ interface(`term_relabel_unallocated_ttys',`
+@@ -1123,7 +1202,7 @@ interface(`term_relabel_unallocated_ttys',`
  	')
  
  	dev_list_all_dev_nodes($1)
@@ -14191,7 +14195,7 @@ index f3acfee..eceb42d 100644
  ')
  
  ########################################
-@@ -1222,7 +1283,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1222,7 +1301,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
  		type tty_device_t;
  	')
  
@@ -14200,7 +14204,7 @@ index f3acfee..eceb42d 100644
  ')
  
  ########################################
-@@ -1238,11 +1299,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1238,11 +1317,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
  #
  interface(`term_getattr_all_ttys',`
  	gen_require(`
@@ -14214,7 +14218,7 @@ index f3acfee..eceb42d 100644
  ')
  
  ########################################
-@@ -1259,10 +1322,12 @@ interface(`term_getattr_all_ttys',`
+@@ -1259,10 +1340,12 @@ interface(`term_getattr_all_ttys',`
  interface(`term_dontaudit_getattr_all_ttys',`
  	gen_require(`
  		attribute ttynode;
@@ -14227,7 +14231,7 @@ index f3acfee..eceb42d 100644
  ')
  
  ########################################
-@@ -1301,7 +1366,7 @@ interface(`term_relabel_all_ttys',`
+@@ -1301,7 +1384,7 @@ interface(`term_relabel_all_ttys',`
  	')
  
  	dev_list_all_dev_nodes($1)
@@ -14236,7 +14240,7 @@ index f3acfee..eceb42d 100644
  ')
  
  ########################################
-@@ -1340,7 +1405,27 @@ interface(`term_use_all_ttys',`
+@@ -1340,7 +1423,27 @@ interface(`term_use_all_ttys',`
  	')
  
  	dev_list_all_dev_nodes($1)
@@ -14265,7 +14269,7 @@ index f3acfee..eceb42d 100644
  ')
  
  ########################################
-@@ -1359,7 +1444,7 @@ interface(`term_dontaudit_use_all_ttys',`
+@@ -1359,7 +1462,7 @@ interface(`term_dontaudit_use_all_ttys',`
  		attribute ttynode;
  	')
  
@@ -14274,7 +14278,7 @@ index f3acfee..eceb42d 100644
  ')
  
  ########################################
-@@ -1475,3 +1560,22 @@ interface(`term_dontaudit_use_all_user_ttys',`
+@@ -1475,3 +1578,22 @@ interface(`term_dontaudit_use_all_user_ttys',`
  	refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
  	term_dontaudit_use_all_ttys($1)
  ')
@@ -14423,7 +14427,7 @@ index be4de58..cce681a 100644
  ########################################
  #
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..9440b5f 100644
+index 2be17d2..7ccb554 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
 @@ -8,12 +8,48 @@ policy_module(staff, 2.2.0)
@@ -14475,7 +14479,7 @@ index 2be17d2..9440b5f 100644
  optional_policy(`
  	apache_role(staff_r, staff_t)
  ')
-@@ -27,25 +63,138 @@ optional_policy(`
+@@ -27,25 +63,139 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14548,6 +14552,7 @@ index 2be17d2..9440b5f 100644
  
  optional_policy(`
 +	qemu_run(staff_t, staff_r)
++	virt_manage_tmpfs_files(staff_t)
 +')
 +
 +optional_policy(`
@@ -14616,7 +14621,7 @@ index 2be17d2..9440b5f 100644
  
  optional_policy(`
  	vlock_run(staff_t, staff_r)
-@@ -89,10 +238,6 @@ ifndef(`distro_redhat',`
+@@ -89,10 +239,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -14627,7 +14632,7 @@ index 2be17d2..9440b5f 100644
  		gpg_role(staff_r, staff_t)
  	')
  
-@@ -137,10 +282,6 @@ ifndef(`distro_redhat',`
+@@ -137,10 +283,6 @@ ifndef(`distro_redhat',`
  	')
  
  	optional_policy(`
@@ -14638,7 +14643,7 @@ index 2be17d2..9440b5f 100644
  		spamassassin_role(staff_r, staff_t)
  	')
  
-@@ -172,3 +313,7 @@ ifndef(`distro_redhat',`
+@@ -172,3 +314,7 @@ ifndef(`distro_redhat',`
  		wireshark_role(staff_r, staff_t)
  	')
  ')
@@ -14647,10 +14652,10 @@ index 2be17d2..9440b5f 100644
 +	userdom_execmod_user_home_files(staff_usertype)
 +')
 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 4a8d146..d721e34 100644
+index 4a8d146..6b0999e 100644
 --- a/policy/modules/roles/sysadm.te
 +++ b/policy/modules/roles/sysadm.te
-@@ -24,20 +24,40 @@ ifndef(`enable_mls',`
+@@ -24,20 +24,41 @@ ifndef(`enable_mls',`
  #
  # Local policy
  #
@@ -14665,6 +14670,8 @@ index 4a8d146..d721e34 100644
  mls_process_read_up(sysadm_t)
 +mls_file_read_to_clearance(sysadm_t)
 +mls_process_write_to_clearance(sysadm_t)
++
++storage_setattr_fixed_disk_dev(sysadm_t)
  
  ubac_process_exempt(sysadm_t)
  ubac_file_exempt(sysadm_t)
@@ -14677,7 +14684,6 @@ index 4a8d146..d721e34 100644
 +init_dbus_chat(sysadm_t)
 +init_script_role_transition(sysadm_r)
 +
-+
 +miscfiles_read_hwdata(sysadm_t)
  
  # Add/remove user home directories
@@ -14691,7 +14697,7 @@ index 4a8d146..d721e34 100644
  
  ifdef(`direct_sysadm_daemon',`
  	optional_policy(`
-@@ -55,6 +75,7 @@ ifndef(`enable_mls',`
+@@ -55,6 +76,7 @@ ifndef(`enable_mls',`
  	logging_manage_audit_log(sysadm_t)
  	logging_manage_audit_config(sysadm_t)
  	logging_run_auditctl(sysadm_t, sysadm_r)
@@ -14699,7 +14705,7 @@ index 4a8d146..d721e34 100644
  ')
  
  tunable_policy(`allow_ptrace',`
-@@ -69,7 +90,6 @@ optional_policy(`
+@@ -69,7 +91,6 @@ optional_policy(`
  	apache_run_helper(sysadm_t, sysadm_r)
  	#apache_run_all_scripts(sysadm_t, sysadm_r)
  	#apache_domtrans_sys_script(sysadm_t)
@@ -14707,7 +14713,7 @@ index 4a8d146..d721e34 100644
  ')
  
  optional_policy(`
-@@ -98,6 +118,10 @@ optional_policy(`
+@@ -98,6 +119,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14718,7 +14724,7 @@ index 4a8d146..d721e34 100644
  	certwatch_run(sysadm_t, sysadm_r)
  ')
  
-@@ -114,7 +138,7 @@ optional_policy(`
+@@ -114,7 +139,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14727,7 +14733,7 @@ index 4a8d146..d721e34 100644
  ')
  
  optional_policy(`
-@@ -124,6 +148,10 @@ optional_policy(`
+@@ -124,6 +149,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14738,7 +14744,7 @@ index 4a8d146..d721e34 100644
  	ddcprobe_run(sysadm_t, sysadm_r)
  ')
  
-@@ -163,6 +191,13 @@ optional_policy(`
+@@ -163,6 +192,13 @@ optional_policy(`
  	ipsec_stream_connect(sysadm_t)
  	# for lsof
  	ipsec_getattr_key_sockets(sysadm_t)
@@ -14752,7 +14758,7 @@ index 4a8d146..d721e34 100644
  ')
  
  optional_policy(`
-@@ -170,15 +205,15 @@ optional_policy(`
+@@ -170,15 +206,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14771,7 +14777,7 @@ index 4a8d146..d721e34 100644
  ')
  
  optional_policy(`
-@@ -198,18 +233,12 @@ optional_policy(`
+@@ -198,18 +234,12 @@ optional_policy(`
  	modutils_run_depmod(sysadm_t, sysadm_r)
  	modutils_run_insmod(sysadm_t, sysadm_r)
  	modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -14792,7 +14798,7 @@ index 4a8d146..d721e34 100644
  ')
  
  optional_policy(`
-@@ -225,6 +254,10 @@ optional_policy(`
+@@ -225,6 +255,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14803,7 +14809,7 @@ index 4a8d146..d721e34 100644
  	netutils_run(sysadm_t, sysadm_r)
  	netutils_run_ping(sysadm_t, sysadm_r)
  	netutils_run_traceroute(sysadm_t, sysadm_r)
-@@ -253,7 +286,7 @@ optional_policy(`
+@@ -253,7 +287,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14812,7 +14818,7 @@ index 4a8d146..d721e34 100644
  ')
  
  optional_policy(`
-@@ -265,20 +298,14 @@ optional_policy(`
+@@ -265,20 +299,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14834,7 +14840,7 @@ index 4a8d146..d721e34 100644
  
  optional_policy(`
  	rsync_exec(sysadm_t)
-@@ -307,7 +334,7 @@ optional_policy(`
+@@ -307,7 +335,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14843,7 +14849,7 @@ index 4a8d146..d721e34 100644
  ')
  
  optional_policy(`
-@@ -332,10 +359,6 @@ optional_policy(`
+@@ -332,10 +360,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14854,7 +14860,7 @@ index 4a8d146..d721e34 100644
  	tripwire_run_siggen(sysadm_t, sysadm_r)
  	tripwire_run_tripwire(sysadm_t, sysadm_r)
  	tripwire_run_twadmin(sysadm_t, sysadm_r)
-@@ -343,19 +366,15 @@ optional_policy(`
+@@ -343,19 +367,15 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14876,7 +14882,7 @@ index 4a8d146..d721e34 100644
  ')
  
  optional_policy(`
-@@ -367,17 +386,14 @@ optional_policy(`
+@@ -367,17 +387,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14896,7 +14902,7 @@ index 4a8d146..d721e34 100644
  ')
  
  optional_policy(`
-@@ -389,7 +405,7 @@ optional_policy(`
+@@ -389,7 +406,7 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -14905,7 +14911,7 @@ index 4a8d146..d721e34 100644
  ')
  
  optional_policy(`
-@@ -404,8 +420,15 @@ optional_policy(`
+@@ -404,8 +421,15 @@ optional_policy(`
  	yam_run(sysadm_t, sysadm_r)
  ')
  
@@ -14921,7 +14927,7 @@ index 4a8d146..d721e34 100644
  		auth_role(sysadm_r, sysadm_t)
  	')
  
-@@ -452,5 +475,60 @@ ifndef(`distro_redhat',`
+@@ -452,5 +476,60 @@ ifndef(`distro_redhat',`
  	optional_policy(`
  		java_role(sysadm_r, sysadm_t)
  	')
@@ -22798,7 +22804,7 @@ index 35241ed..b6c4cc9 100644
 +	manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
  ')
 diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f7583ab..9941737 100644
+index f7583ab..220ba1b 100644
 --- a/policy/modules/services/cron.te
 +++ b/policy/modules/services/cron.te
 @@ -10,18 +10,18 @@ gen_require(`
@@ -22940,13 +22946,14 @@ index f7583ab..9941737 100644
  
  files_read_usr_files(crond_t)
  files_read_etc_runtime_files(crond_t)
-@@ -203,11 +220,16 @@ files_list_usr(crond_t)
+@@ -203,11 +220,17 @@ files_list_usr(crond_t)
  files_search_var_lib(crond_t)
  files_search_default(crond_t)
  
 +fs_manage_cgroup_dirs(crond_t)
 +fs_manage_cgroup_files(crond_t)
 +
++init_read_state(crond_t)
  init_rw_utmp(crond_t)
  init_spec_domtrans_script(crond_t)
  
@@ -22957,7 +22964,7 @@ index f7583ab..9941737 100644
  logging_send_syslog_msg(crond_t)
  logging_set_loginuid(crond_t)
  
-@@ -220,8 +242,10 @@ miscfiles_read_localization(crond_t)
+@@ -220,8 +243,10 @@ miscfiles_read_localization(crond_t)
  userdom_use_unpriv_users_fds(crond_t)
  # Not sure why this is needed
  userdom_list_user_home_dirs(crond_t)
@@ -22968,7 +22975,7 @@ index f7583ab..9941737 100644
  
  ifdef(`distro_debian',`
  	# pam_limits is used
-@@ -233,7 +257,7 @@ ifdef(`distro_debian',`
+@@ -233,7 +258,7 @@ ifdef(`distro_debian',`
  	')
  ')
  
@@ -22977,7 +22984,7 @@ index f7583ab..9941737 100644
  	# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
  	# via redirection of standard out.
  	optional_policy(`
-@@ -250,11 +274,30 @@ tunable_policy(`fcron_crond', `
+@@ -250,11 +275,30 @@ tunable_policy(`fcron_crond', `
  ')
  
  optional_policy(`
@@ -23008,7 +23015,7 @@ index f7583ab..9941737 100644
  	amanda_search_var_lib(crond_t)
  ')
  
-@@ -264,6 +307,8 @@ optional_policy(`
+@@ -264,6 +308,8 @@ optional_policy(`
  
  optional_policy(`
  	hal_dbus_chat(crond_t)
@@ -23017,7 +23024,7 @@ index f7583ab..9941737 100644
  ')
  
  optional_policy(`
-@@ -289,12 +334,18 @@ optional_policy(`
+@@ -289,12 +335,18 @@ optional_policy(`
  	udev_read_db(crond_t)
  ')
  
@@ -23036,7 +23043,7 @@ index f7583ab..9941737 100644
  allow system_cronjob_t self:process { signal_perms getsched setsched };
  allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
  allow system_cronjob_t self:passwd rootok;
-@@ -306,10 +357,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
+@@ -306,10 +358,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
  
  # This is to handle /var/lib/misc directory.  Used currently
  # by prelink var/lib files for cron 
@@ -23057,7 +23064,7 @@ index f7583ab..9941737 100644
  # The entrypoint interface is not used as this is not
  # a regular entrypoint.  Since crontab files are
  # not directly executed, crond must ensure that
-@@ -329,6 +389,7 @@ allow crond_t system_cronjob_t:fd use;
+@@ -329,6 +390,7 @@ allow crond_t system_cronjob_t:fd use;
  allow system_cronjob_t crond_t:fd use;
  allow system_cronjob_t crond_t:fifo_file rw_file_perms;
  allow system_cronjob_t crond_t:process sigchld;
@@ -23065,7 +23072,7 @@ index f7583ab..9941737 100644
  
  # Write /var/lock/makewhatis.lock.
  allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
-@@ -340,9 +401,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+@@ -340,9 +402,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
  filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
  files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
  
@@ -23080,7 +23087,7 @@ index f7583ab..9941737 100644
  
  kernel_read_kernel_sysctls(system_cronjob_t)
  kernel_read_system_state(system_cronjob_t)
-@@ -365,6 +430,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
+@@ -365,6 +431,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
  dev_getattr_all_blk_files(system_cronjob_t)
  dev_getattr_all_chr_files(system_cronjob_t)
  dev_read_urand(system_cronjob_t)
@@ -23088,7 +23095,7 @@ index f7583ab..9941737 100644
  
  fs_getattr_all_fs(system_cronjob_t)
  fs_getattr_all_files(system_cronjob_t)
-@@ -391,6 +457,7 @@ files_dontaudit_search_pids(system_cronjob_t)
+@@ -391,6 +458,7 @@ files_dontaudit_search_pids(system_cronjob_t)
  # Access other spool directories like
  # /var/spool/anacron and /var/spool/slrnpull.
  files_manage_generic_spool(system_cronjob_t)
@@ -23096,7 +23103,7 @@ index f7583ab..9941737 100644
  
  init_use_script_fds(system_cronjob_t)
  init_read_utmp(system_cronjob_t)
-@@ -413,8 +480,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
+@@ -413,8 +481,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
  
  seutil_read_config(system_cronjob_t)
  
@@ -23108,7 +23115,7 @@ index f7583ab..9941737 100644
  	# via redirection of standard out.
  	optional_policy(`
  		rpm_manage_log(system_cronjob_t)
-@@ -439,6 +508,8 @@ optional_policy(`
+@@ -439,6 +509,8 @@ optional_policy(`
  	apache_read_config(system_cronjob_t)
  	apache_read_log(system_cronjob_t)
  	apache_read_sys_content(system_cronjob_t)
@@ -23117,7 +23124,7 @@ index f7583ab..9941737 100644
  ')
  
  optional_policy(`
-@@ -446,6 +517,14 @@ optional_policy(`
+@@ -446,6 +518,14 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23132,7 +23139,7 @@ index f7583ab..9941737 100644
  	ftp_read_log(system_cronjob_t)
  ')
  
-@@ -456,15 +535,24 @@ optional_policy(`
+@@ -456,15 +536,24 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23157,7 +23164,7 @@ index f7583ab..9941737 100644
  ')
  
  optional_policy(`
-@@ -480,7 +568,7 @@ optional_policy(`
+@@ -480,7 +569,7 @@ optional_policy(`
  	prelink_manage_lib(system_cronjob_t)
  	prelink_manage_log(system_cronjob_t)
  	prelink_read_cache(system_cronjob_t)
@@ -23166,7 +23173,7 @@ index f7583ab..9941737 100644
  ')
  
  optional_policy(`
-@@ -495,6 +583,7 @@ optional_policy(`
+@@ -495,6 +584,7 @@ optional_policy(`
  
  optional_policy(`
  	spamassassin_manage_lib_files(system_cronjob_t)
@@ -23174,7 +23181,7 @@ index f7583ab..9941737 100644
  ')
  
  optional_policy(`
-@@ -502,7 +591,13 @@ optional_policy(`
+@@ -502,7 +592,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -23188,7 +23195,7 @@ index f7583ab..9941737 100644
  	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
  ')
  
-@@ -595,9 +690,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
+@@ -595,9 +691,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
  #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
  
  list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@@ -31109,7 +31116,7 @@ index 256166a..15daf47 100644
  
  /usr/lib(64)?/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
-index 343cee3..2f948ad 100644
+index 343cee3..3d7edf0 100644
 --- a/policy/modules/services/mta.if
 +++ b/policy/modules/services/mta.if
 @@ -37,9 +37,9 @@ interface(`mta_stub',`
@@ -31123,7 +31130,15 @@ index 343cee3..2f948ad 100644
  	gen_require(`
  		attribute user_mail_domain;
  		type sendmail_exec_t;
-@@ -158,6 +158,7 @@ template(`mta_base_mail_template',`
+@@ -104,6 +104,7 @@ template(`mta_base_mail_template',`
+ 
+ 	optional_policy(`
+ 		postfix_domtrans_user_mail_handler($1_mail_t)
++		postfix_rw_master_pipes($1_mail_t)
+ 	')
+ 
+ 	optional_policy(`
+@@ -158,6 +159,7 @@ template(`mta_base_mail_template',`
  ##	User domain for the role
  ##	</summary>
  ## </param>
@@ -31131,7 +31146,7 @@ index 343cee3..2f948ad 100644
  #
  interface(`mta_role',`
  	gen_require(`
-@@ -169,7 +170,7 @@ interface(`mta_role',`
+@@ -169,7 +171,7 @@ interface(`mta_role',`
  
  	# Transition from the user domain to the derived domain.
  	domtrans_pattern($2, sendmail_exec_t, user_mail_t)
@@ -31140,7 +31155,7 @@ index 343cee3..2f948ad 100644
  
  	allow mta_user_agent $2:fd use;
  	allow mta_user_agent $2:process sigchld;
-@@ -220,6 +221,25 @@ interface(`mta_agent_executable',`
+@@ -220,6 +222,25 @@ interface(`mta_agent_executable',`
  	application_executable_file($1)
  ')
  
@@ -31166,7 +31181,7 @@ index 343cee3..2f948ad 100644
  ########################################
  ## <summary>
  ##	Make the specified type by a system MTA.
-@@ -306,7 +326,6 @@ interface(`mta_mailserver_sender',`
+@@ -306,7 +327,6 @@ interface(`mta_mailserver_sender',`
  interface(`mta_mailserver_delivery',`
  	gen_require(`
  		attribute mailserver_delivery;
@@ -31174,7 +31189,7 @@ index 343cee3..2f948ad 100644
  	')
  
  	typeattribute $1 mailserver_delivery;
-@@ -330,12 +349,6 @@ interface(`mta_mailserver_user_agent',`
+@@ -330,12 +350,6 @@ interface(`mta_mailserver_user_agent',`
  	')
  
  	typeattribute $1 mta_user_agent;
@@ -31187,7 +31202,7 @@ index 343cee3..2f948ad 100644
  ')
  
  ########################################
-@@ -350,9 +363,8 @@ interface(`mta_mailserver_user_agent',`
+@@ -350,9 +364,8 @@ interface(`mta_mailserver_user_agent',`
  #
  interface(`mta_send_mail',`
  	gen_require(`
@@ -31198,7 +31213,7 @@ index 343cee3..2f948ad 100644
  	')
  
  	allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
-@@ -362,6 +374,10 @@ interface(`mta_send_mail',`
+@@ -362,6 +375,10 @@ interface(`mta_send_mail',`
  	allow mta_user_agent $1:fd use;
  	allow mta_user_agent $1:process sigchld;
  	allow mta_user_agent $1:fifo_file rw_fifo_file_perms;
@@ -31209,7 +31224,7 @@ index 343cee3..2f948ad 100644
  ')
  
  ########################################
-@@ -391,12 +407,15 @@ interface(`mta_send_mail',`
+@@ -391,12 +408,15 @@ interface(`mta_send_mail',`
  #
  interface(`mta_sendmail_domtrans',`
  	gen_require(`
@@ -31227,7 +31242,7 @@ index 343cee3..2f948ad 100644
  ')
  
  ########################################
-@@ -409,7 +428,6 @@ interface(`mta_sendmail_domtrans',`
+@@ -409,7 +429,6 @@ interface(`mta_sendmail_domtrans',`
  ##	</summary>
  ## </param>
  #
@@ -31235,7 +31250,7 @@ index 343cee3..2f948ad 100644
  interface(`mta_signal_system_mail',`
  	gen_require(`
  		type system_mail_t;
-@@ -420,6 +438,24 @@ interface(`mta_signal_system_mail',`
+@@ -420,6 +439,24 @@ interface(`mta_signal_system_mail',`
  
  ########################################
  ## <summary>
@@ -31260,7 +31275,7 @@ index 343cee3..2f948ad 100644
  ##	Execute sendmail in the caller domain.
  ## </summary>
  ## <param name="domain">
-@@ -474,7 +510,8 @@ interface(`mta_write_config',`
+@@ -474,7 +511,8 @@ interface(`mta_write_config',`
  		type etc_mail_t;
  	')
  
@@ -31270,7 +31285,7 @@ index 343cee3..2f948ad 100644
  ')
  
  ########################################
-@@ -552,7 +589,7 @@ interface(`mta_rw_aliases',`
+@@ -552,7 +590,7 @@ interface(`mta_rw_aliases',`
  	')
  
  	files_search_etc($1)
@@ -31279,7 +31294,7 @@ index 343cee3..2f948ad 100644
  ')
  
  #######################################
-@@ -646,8 +683,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
+@@ -646,8 +684,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
  
  	files_dontaudit_search_spool($1)
  	dontaudit $1 mail_spool_t:dir search_dir_perms;
@@ -31290,7 +31305,7 @@ index 343cee3..2f948ad 100644
  ')
  
  #######################################
-@@ -697,8 +734,8 @@ interface(`mta_rw_spool',`
+@@ -697,8 +735,8 @@ interface(`mta_rw_spool',`
  
  	files_search_spool($1)
  	allow $1 mail_spool_t:dir list_dir_perms;
@@ -31301,7 +31316,7 @@ index 343cee3..2f948ad 100644
  	read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
  ')
  
-@@ -838,7 +875,7 @@ interface(`mta_dontaudit_rw_queue',`
+@@ -838,7 +876,7 @@ interface(`mta_dontaudit_rw_queue',`
  	')
  
  	dontaudit $1 mqueue_spool_t:dir search_dir_perms;
@@ -31310,7 +31325,7 @@ index 343cee3..2f948ad 100644
  ')
  
  ########################################
-@@ -899,3 +936,50 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -899,3 +937,50 @@ interface(`mta_rw_user_mail_stream_sockets',`
  
  	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
  ')
@@ -32958,7 +32973,7 @@ index 23c769c..be5a5b4 100644
 +	admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
  ')
 diff --git a/policy/modules/services/nslcd.te b/policy/modules/services/nslcd.te
-index 4e28d58..5b9cf6d 100644
+index 4e28d58..1835068 100644
 --- a/policy/modules/services/nslcd.te
 +++ b/policy/modules/services/nslcd.te
 @@ -16,7 +16,7 @@ type nslcd_var_run_t;
@@ -32979,11 +32994,12 @@ index 4e28d58..5b9cf6d 100644
  allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
  
  allow nslcd_t nslcd_conf_t:file read_file_perms;
-@@ -37,9 +37,12 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
+@@ -37,9 +37,13 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
  kernel_read_system_state(nslcd_t)
  
  files_read_etc_files(nslcd_t)
 +files_read_usr_symlinks(nslcd_t)
++files_list_tmp(nslcd_t)
  
  auth_use_nsswitch(nslcd_t)
  
@@ -35243,7 +35259,7 @@ index 55e62d2..6082184 100644
  /var/spool/postfix/pid/.*	gen_context(system_u:object_r:postfix_var_run_t,s0)
  /var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
 diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
-index 46bee12..9b8c3eb 100644
+index 46bee12..37bd751 100644
 --- a/policy/modules/services/postfix.if
 +++ b/policy/modules/services/postfix.if
 @@ -34,8 +34,9 @@ template(`postfix_domain_template',`
@@ -35345,7 +35361,7 @@ index 46bee12..9b8c3eb 100644
 +		type postfix_master_t;
 +	')
 +
-+	allow $1 postfix_master_t:fifo_file rw_fifo_file_perms;
++	allow $1 postfix_master_t:fifo_file rw_inherited_fifo_file_perms;
 +')
 +
 +########################################
@@ -36489,7 +36505,7 @@ index b64b02f..166e9c3 100644
 +	read_files_pattern($1, procmail_home_t, procmail_home_t)
 +')
 diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
-index 29b9295..2a70dd1 100644
+index 29b9295..609ff86 100644
 --- a/policy/modules/services/procmail.te
 +++ b/policy/modules/services/procmail.te
 @@ -10,6 +10,9 @@ type procmail_exec_t;
@@ -36538,17 +36554,18 @@ index 29b9295..2a70dd1 100644
  
  mta_manage_spool(procmail_t)
  mta_read_queue(procmail_t)
-@@ -128,6 +137,10 @@ optional_policy(`
- ')
- 
- optional_policy(`
-+	nagios_search_spool(procmail_t)
+@@ -125,6 +134,11 @@ optional_policy(`
+ 	postfix_read_spool_files(procmail_t)
+ 	postfix_read_local_state(procmail_t)
+ 	postfix_read_master_state(procmail_t)
++	postfix_rw_master_pipes(procmail_t)
 +')
 +
 +optional_policy(`
- 	pyzor_domtrans(procmail_t)
- 	pyzor_signal(procmail_t)
++	nagios_search_spool(procmail_t)
  ')
+ 
+ optional_policy(`
 diff --git a/policy/modules/services/psad.if b/policy/modules/services/psad.if
 index bc329d1..0589f97 100644
 --- a/policy/modules/services/psad.if
@@ -42103,7 +42120,7 @@ index 22adaca..68ad7a7 100644
 +	allow $1 sshd_t:process signull;
 +')
 diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..594aa01 100644
+index 2dad3c8..efa5535 100644
 --- a/policy/modules/services/ssh.te
 +++ b/policy/modules/services/ssh.te
 @@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0)
@@ -42432,7 +42449,7 @@ index 2dad3c8..594aa01 100644
  ') dnl endif TODO
  
  ########################################
-@@ -322,14 +369,19 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -322,19 +369,25 @@ tunable_policy(`ssh_sysadm_login',`
  # ssh_keygen_t is the type of the ssh-keygen program when run at install time
  # and by sysadm_t
  
@@ -42453,7 +42470,13 @@ index 2dad3c8..594aa01 100644
  kernel_read_kernel_sysctls(ssh_keygen_t)
  
  fs_search_auto_mountpoints(ssh_keygen_t)
-@@ -353,7 +405,7 @@ logging_send_syslog_msg(ssh_keygen_t)
+ 
+ dev_read_sysfs(ssh_keygen_t)
++dev_read_rand(ssh_keygen_t)
+ dev_read_urand(ssh_keygen_t)
+ 
+ term_dontaudit_use_console(ssh_keygen_t)
+@@ -353,7 +406,7 @@ logging_send_syslog_msg(ssh_keygen_t)
  userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
  
  optional_policy(`
@@ -43618,10 +43641,10 @@ index 2124b6a..6546d6e 100644
  
  /var/vdsm(/.*)?			gen_context(system_u:object_r:virt_var_run_t,s0)
 diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
-index 7c5d8d8..d885f6b 100644
+index 7c5d8d8..9b24cb5 100644
 --- a/policy/modules/services/virt.if
 +++ b/policy/modules/services/virt.if
-@@ -13,14 +13,14 @@
+@@ -13,14 +13,15 @@
  #
  template(`virt_domain_template',`
  	gen_require(`
@@ -43629,6 +43652,7 @@ index 7c5d8d8..d885f6b 100644
 -		attribute virt_image_type;
 -		attribute virt_domain;
 +		attribute virt_image_type, virt_domain;
++		attribute virt_tmpfs_type;
  	')
  
  	type $1_t, virt_domain;
@@ -43639,7 +43663,14 @@ index 7c5d8d8..d885f6b 100644
  	role system_r types $1_t;
  
  	type $1_devpts_t;
-@@ -35,17 +35,18 @@ template(`virt_domain_template',`
+@@ -29,23 +30,24 @@ template(`virt_domain_template',`
+ 	type $1_tmp_t;
+ 	files_tmp_file($1_tmp_t)
+ 
+-	type $1_tmpfs_t;
++	type $1_tmpfs_t, virt_tmpfs_type;
+ 	files_tmpfs_file($1_tmpfs_t)
+ 
  	type $1_image_t, virt_image_type;
  	files_type($1_image_t)
  	dev_node($1_image_t)
@@ -43662,7 +43693,7 @@ index 7c5d8d8..d885f6b 100644
  
  	manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
  	manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
-@@ -57,18 +58,6 @@ template(`virt_domain_template',`
+@@ -57,18 +59,6 @@ template(`virt_domain_template',`
  	manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
  	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
  
@@ -43681,7 +43712,7 @@ index 7c5d8d8..d885f6b 100644
  	optional_policy(`
  		xserver_rw_shm($1_t)
  	')
-@@ -101,9 +90,9 @@ interface(`virt_image',`
+@@ -101,9 +91,9 @@ interface(`virt_image',`
  ##	Execute a domain transition to run virt.
  ## </summary>
  ## <param name="domain">
@@ -43693,7 +43724,7 @@ index 7c5d8d8..d885f6b 100644
  ## </param>
  #
  interface(`virt_domtrans',`
-@@ -164,13 +153,13 @@ interface(`virt_attach_tun_iface',`
+@@ -164,13 +154,13 @@ interface(`virt_attach_tun_iface',`
  #
  interface(`virt_read_config',`
  	gen_require(`
@@ -43709,7 +43740,7 @@ index 7c5d8d8..d885f6b 100644
  ')
  
  ########################################
-@@ -185,13 +174,13 @@ interface(`virt_read_config',`
+@@ -185,13 +175,13 @@ interface(`virt_read_config',`
  #
  interface(`virt_manage_config',`
  	gen_require(`
@@ -43725,7 +43756,7 @@ index 7c5d8d8..d885f6b 100644
  ')
  
  ########################################
-@@ -231,6 +220,24 @@ interface(`virt_read_content',`
+@@ -231,6 +221,24 @@ interface(`virt_read_content',`
  
  ########################################
  ## <summary>
@@ -43750,7 +43781,7 @@ index 7c5d8d8..d885f6b 100644
  ##	Read virt PID files.
  ## </summary>
  ## <param name="domain">
-@@ -269,6 +276,36 @@ interface(`virt_manage_pid_files',`
+@@ -269,6 +277,36 @@ interface(`virt_manage_pid_files',`
  
  ########################################
  ## <summary>
@@ -43787,7 +43818,7 @@ index 7c5d8d8..d885f6b 100644
  ##	Search virt lib directories.
  ## </summary>
  ## <param name="domain">
-@@ -308,6 +345,24 @@ interface(`virt_read_lib_files',`
+@@ -308,6 +346,24 @@ interface(`virt_read_lib_files',`
  
  ########################################
  ## <summary>
@@ -43812,7 +43843,7 @@ index 7c5d8d8..d885f6b 100644
  ##	Create, read, write, and delete
  ##	virt lib files.
  ## </summary>
-@@ -352,9 +407,9 @@ interface(`virt_read_log',`
+@@ -352,9 +408,9 @@ interface(`virt_read_log',`
  ##	virt log files.
  ## </summary>
  ## <param name="domain">
@@ -43824,7 +43855,7 @@ index 7c5d8d8..d885f6b 100644
  ## </param>
  #
  interface(`virt_append_log',`
-@@ -424,6 +479,24 @@ interface(`virt_read_images',`
+@@ -424,6 +480,24 @@ interface(`virt_read_images',`
  
  ########################################
  ## <summary>
@@ -43849,7 +43880,7 @@ index 7c5d8d8..d885f6b 100644
  ##	Create, read, write, and delete
  ##	svirt cache files.
  ## </summary>
-@@ -433,15 +506,15 @@ interface(`virt_read_images',`
+@@ -433,15 +507,15 @@ interface(`virt_read_images',`
  ##	</summary>
  ## </param>
  #
@@ -43870,7 +43901,7 @@ index 7c5d8d8..d885f6b 100644
  ')
  
  ########################################
-@@ -516,3 +589,107 @@ interface(`virt_admin',`
+@@ -516,3 +590,144 @@ interface(`virt_admin',`
  
  	virt_manage_log($1)
  ')
@@ -43978,11 +44009,48 @@ index 7c5d8d8..d885f6b 100644
 +	manage_files_pattern($1, virt_home_t, virt_home_t)
 +')
 +
++########################################
++## <summary>
++##	allow domain to read
++##	virt tmpfs files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++#
++interface(`virt_read_tmpfs_files',`
++	gen_require(`
++		attribute virt_tmpfs_type;
++	')
++
++	allow $1 virt_tmpfs_type:file read_file_perms;
++')
++
++########################################
++## <summary>
++##	allow domain to manage
++##	virt tmpfs files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access
++##	</summary>
++## </param>
++#
++interface(`virt_manage_tmpfs_files',`
++	gen_require(`
++		attribute virt_tmpfs_type;
++	')
++
++	allow $1 virt_tmpfs_type:file manage_file_perms;
++')
 diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..72132fe 100644
+index 3eca020..f715498 100644
 --- a/policy/modules/services/virt.te
 +++ b/policy/modules/services/virt.te
-@@ -5,80 +5,97 @@ policy_module(virt, 1.4.0)
+@@ -5,56 +5,66 @@ policy_module(virt, 1.4.0)
  # Declarations
  #
  
@@ -44063,13 +44131,14 @@ index 3eca020..72132fe 100644
 -
  attribute virt_domain;
  attribute virt_image_type;
- 
++attribute virt_tmpfs_type;
++
 +type virt_cache_t alias svirt_cache_t;
 +files_type(virt_cache_t)
-+
+ 
  type virt_etc_t;
  files_config_file(virt_etc_t)
- 
+@@ -62,23 +72,31 @@ files_config_file(virt_etc_t)
  type virt_etc_rw_t;
  files_type(virt_etc_rw_t)
  
@@ -44102,7 +44171,7 @@ index 3eca020..72132fe 100644
  
  type virtd_t;
  type virtd_exec_t;
-@@ -89,6 +106,11 @@ domain_subj_id_change_exemption(virtd_t)
+@@ -89,6 +107,11 @@ domain_subj_id_change_exemption(virtd_t)
  type virtd_initrc_exec_t;
  init_script_file(virtd_initrc_exec_t)
  
@@ -44114,7 +44183,7 @@ index 3eca020..72132fe 100644
  ifdef(`enable_mcs',`
  	init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
  ')
-@@ -104,15 +126,12 @@ ifdef(`enable_mls',`
+@@ -104,15 +127,12 @@ ifdef(`enable_mls',`
  
  allow svirt_t self:udp_socket create_socket_perms;
  
@@ -44131,7 +44200,7 @@ index 3eca020..72132fe 100644
  fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
  
  list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-@@ -133,6 +152,8 @@ dev_list_sysfs(svirt_t)
+@@ -133,6 +153,8 @@ dev_list_sysfs(svirt_t)
  userdom_search_user_home_content(svirt_t)
  userdom_read_user_home_content_symlinks(svirt_t)
  userdom_read_all_users_state(svirt_t)
@@ -44140,7 +44209,7 @@ index 3eca020..72132fe 100644
  
  tunable_policy(`virt_use_comm',`
  	term_use_unallocated_ttys(svirt_t)
-@@ -147,11 +168,15 @@ tunable_policy(`virt_use_fusefs',`
+@@ -147,11 +169,15 @@ tunable_policy(`virt_use_fusefs',`
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(svirt_t)
  	fs_manage_nfs_files(svirt_t)
@@ -44156,7 +44225,7 @@ index 3eca020..72132fe 100644
  ')
  
  tunable_policy(`virt_use_sysfs',`
-@@ -160,11 +185,22 @@ tunable_policy(`virt_use_sysfs',`
+@@ -160,11 +186,22 @@ tunable_policy(`virt_use_sysfs',`
  
  tunable_policy(`virt_use_usb',`
  	dev_rw_usbfs(svirt_t)
@@ -44179,7 +44248,7 @@ index 3eca020..72132fe 100644
  	xen_rw_image_files(svirt_t)
  ')
  
-@@ -174,21 +210,33 @@ optional_policy(`
+@@ -174,21 +211,33 @@ optional_policy(`
  #
  
  allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
@@ -44217,7 +44286,7 @@ index 3eca020..72132fe 100644
  
  read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
  read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -200,8 +248,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
+@@ -200,8 +249,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
  
  manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
  manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -44234,7 +44303,7 @@ index 3eca020..72132fe 100644
  
  manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
  manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -220,6 +274,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
+@@ -220,6 +275,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
  kernel_read_system_state(virtd_t)
  kernel_read_network_state(virtd_t)
  kernel_rw_net_sysctls(virtd_t)
@@ -44242,7 +44311,7 @@ index 3eca020..72132fe 100644
  kernel_request_load_module(virtd_t)
  kernel_search_debugfs(virtd_t)
  
-@@ -239,22 +294,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -239,22 +295,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
  corenet_rw_tun_tap_dev(virtd_t)
  
  dev_rw_sysfs(virtd_t)
@@ -44275,7 +44344,7 @@ index 3eca020..72132fe 100644
  
  fs_list_auto_mountpoints(virtd_t)
  fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +326,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -262,6 +327,18 @@ fs_rw_anon_inodefs_files(virtd_t)
  fs_list_inotifyfs(virtd_t)
  fs_manage_cgroup_dirs(virtd_t)
  fs_rw_cgroup_files(virtd_t)
@@ -44294,7 +44363,7 @@ index 3eca020..72132fe 100644
  
  mcs_process_set_categories(virtd_t)
  
-@@ -285,16 +361,30 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +362,30 @@ modutils_read_module_config(virtd_t)
  modutils_manage_module_config(virtd_t)
  
  logging_send_syslog_msg(virtd_t)
@@ -44325,7 +44394,7 @@ index 3eca020..72132fe 100644
  
  tunable_policy(`virt_use_nfs',`
  	fs_manage_nfs_dirs(virtd_t)
-@@ -313,6 +403,10 @@ optional_policy(`
+@@ -313,6 +404,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -44336,7 +44405,7 @@ index 3eca020..72132fe 100644
  	dbus_system_bus_client(virtd_t)
  
  	optional_policy(`
-@@ -329,6 +423,10 @@ optional_policy(`
+@@ -329,6 +424,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -44347,7 +44416,7 @@ index 3eca020..72132fe 100644
  	dnsmasq_domtrans(virtd_t)
  	dnsmasq_signal(virtd_t)
  	dnsmasq_kill(virtd_t)
-@@ -365,6 +463,8 @@ optional_policy(`
+@@ -365,6 +464,8 @@ optional_policy(`
  	qemu_signal(virtd_t)
  	qemu_kill(virtd_t)
  	qemu_setsched(virtd_t)
@@ -44356,7 +44425,7 @@ index 3eca020..72132fe 100644
  ')
  
  optional_policy(`
-@@ -385,23 +485,35 @@ optional_policy(`
+@@ -385,23 +486,35 @@ optional_policy(`
  	udev_read_db(virtd_t)
  ')
  
@@ -44397,7 +44466,7 @@ index 3eca020..72132fe 100644
  append_files_pattern(virt_domain, virt_log_t, virt_log_t)
  
  append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -422,6 +534,7 @@ corenet_rw_tun_tap_dev(virt_domain)
+@@ -422,6 +535,7 @@ corenet_rw_tun_tap_dev(virt_domain)
  corenet_tcp_bind_virt_migration_port(virt_domain)
  corenet_tcp_connect_virt_migration_port(virt_domain)
  
@@ -44405,7 +44474,7 @@ index 3eca020..72132fe 100644
  dev_read_rand(virt_domain)
  dev_read_sound(virt_domain)
  dev_read_urand(virt_domain)
-@@ -429,10 +542,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +543,12 @@ dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
  dev_rw_qemu(virt_domain)
@@ -44418,7 +44487,7 @@ index 3eca020..72132fe 100644
  files_read_usr_files(virt_domain)
  files_read_var_files(virt_domain)
  files_search_all(virt_domain)
-@@ -440,8 +555,16 @@ files_search_all(virt_domain)
+@@ -440,8 +556,16 @@ files_search_all(virt_domain)
  fs_getattr_tmpfs(virt_domain)
  fs_rw_anon_inodefs_files(virt_domain)
  fs_rw_tmpfs_files(virt_domain)
@@ -44436,7 +44505,7 @@ index 3eca020..72132fe 100644
  term_getattr_pty_fs(virt_domain)
  term_use_generic_ptys(virt_domain)
  term_use_ptmx(virt_domain)
-@@ -457,8 +580,117 @@ optional_policy(`
+@@ -457,8 +581,117 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -47576,10 +47645,10 @@ index f9a06d2..3d407c6 100644
  
  files_read_etc_files(zos_remote_t)
 diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if
-index ac50333..9017b02 100644
+index ac50333..b784a12 100644
 --- a/policy/modules/system/application.if
 +++ b/policy/modules/system/application.if
-@@ -130,3 +130,75 @@ interface(`application_signull',`
+@@ -130,3 +130,93 @@ interface(`application_signull',`
  
  	allow $1 application_domain_type:process signull;
  ')
@@ -47655,6 +47724,24 @@ index ac50333..9017b02 100644
 +
 +	allow $1 application_domain_type:process signal;
 +')
++
++########################################
++## <summary>
++##	Getattr all application sockets.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`application_getattr_socket',`
++	gen_require(`
++		attribute application_domain_type;
++	')
++
++	allow $1 application_domain_type:socket_class_set getattr;
++')
 diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te
 index 88df85d..2fa3974 100644
 --- a/policy/modules/system/application.te
@@ -47711,7 +47798,7 @@ index 2952cef..d845132 100644
  /var/run/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
  /var/run/sepermit(/.*)? 	gen_context(system_u:object_r:pam_var_run_t,s0)
 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 42b4f0f..3c1892d 100644
+index 42b4f0f..3e15a8c 100644
 --- a/policy/modules/system/authlogin.if
 +++ b/policy/modules/system/authlogin.if
 @@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -47892,10 +47979,14 @@ index 42b4f0f..3c1892d 100644
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
  
-@@ -736,6 +812,46 @@ interface(`auth_rw_faillog',`
- 	allow $1 faillog_t:file rw_file_perms;
- ')
+@@ -733,7 +809,47 @@ interface(`auth_rw_faillog',`
+ 	')
  
+ 	logging_search_logs($1)
+-	allow $1 faillog_t:file rw_file_perms;
++	rw_files_pattern($1, faillog_t, faillog_t)
++')
++
 +########################################
 +## <summary>
 +##	Relabel the login failure log.
@@ -47934,11 +48025,9 @@ index 42b4f0f..3c1892d 100644
 +	files_search_pids($1)
 +	allow $1 faillog_t:dir manage_dir_perms;
 +	allow $1 faillog_t:file manage_file_perms;
-+')
-+
+ ')
+ 
  #######################################
- ## <summary>
- ##	Read the last logins log.
 @@ -874,6 +990,46 @@ interface(`auth_exec_pam',`
  
  ########################################
@@ -49370,7 +49459,7 @@ index cc83689..3388f34 100644
 +')
 +
 diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index ea29513..819a8d5 100644
+index ea29513..b4fdd42 100644
 --- a/policy/modules/system/init.te
 +++ b/policy/modules/system/init.te
 @@ -16,6 +16,34 @@ gen_require(`
@@ -49536,7 +49625,7 @@ index ea29513..819a8d5 100644
  	corecmd_shell_domtrans(init_t, initrc_t)
  ',`
  	# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +236,109 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +236,113 @@ tunable_policy(`init_upstart',`
  	sysadm_shell_domtrans(init_t)
  ')
  
@@ -49553,6 +49642,7 @@ index ea29513..819a8d5 100644
 +	allow init_t self:netlink_kobject_uevent_socket create_socket_perms; 
 +	# Until systemd is fixed
 +	allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
++	allow init_t self:udp_socket create_socket_perms;
 +	allow init_t self:netlink_route_socket create_netlink_socket_perms;
 +
 +	allow init_t initrc_t:unix_dgram_socket create_socket_perms;
@@ -49578,6 +49668,7 @@ index ea29513..819a8d5 100644
 +	dev_relabel_all_dev_nodes(init_t)
 +	dev_relabel_all_dev_files(init_t)
 +	dev_manage_sysfs_dirs(init_t)
++	dev_relabel_sysfs_dirs(init_t)
 +
 +	files_mounton_all_mountpoints(init_t)
 +	files_unmount_all_file_type_fs(init_t)
@@ -49591,13 +49682,13 @@ index ea29513..819a8d5 100644
 +	fs_manage_cgroup_dirs(init_t)
 +	fs_manage_hugetlbfs_dirs(init_t)
 +	fs_manage_tmpfs_dirs(init_t)
-+	fs_relabelfrom_tmpfs_dir(init_t)
++	fs_relabel_tmpfs_dirs(init_t)
 +	fs_mount_all_fs(init_t)
 +	fs_remount_autofs(init_t)
 +	fs_list_auto_mountpoints(init_t)
 +	fs_read_cgroup_files(init_t)
 +	fs_write_cgroup_files(init_t)
-+	fs_relabelto_cgroup_dirs(init_t)
++	fs_relabel_cgroup_dirs(init_t)
 +	fs_search_cgroup_dirs(daemon)
 +
 +	selinux_compute_create_context(init_t)
@@ -49606,6 +49697,8 @@ index ea29513..819a8d5 100644
 +
 +	storage_getattr_removable_dev(init_t)
 +
++	term_relabel_ptys_dirs(init_t)
++
 +	auth_relabel_login_records(init_t)
 +	auth_relabel_pam_console_data_dirs(init_t)
 +
@@ -49646,7 +49739,7 @@ index ea29513..819a8d5 100644
  ')
  
  optional_policy(`
-@@ -199,10 +346,25 @@ optional_policy(`
+@@ -199,10 +350,25 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49672,7 +49765,7 @@ index ea29513..819a8d5 100644
  	unconfined_domain(init_t)
  ')
  
-@@ -212,7 +374,7 @@ optional_policy(`
+@@ -212,7 +378,7 @@ optional_policy(`
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -49681,7 +49774,7 @@ index ea29513..819a8d5 100644
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  allow initrc_t self:key manage_key_perms;
-@@ -241,12 +403,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +407,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
  
  allow initrc_t initrc_var_run_t:file manage_file_perms;
  files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -49697,7 +49790,7 @@ index ea29513..819a8d5 100644
  
  init_write_initctl(initrc_t)
  
-@@ -258,20 +423,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +427,32 @@ kernel_change_ring_buffer_level(initrc_t)
  kernel_clear_ring_buffer(initrc_t)
  kernel_get_sysvipc_info(initrc_t)
  kernel_read_all_sysctls(initrc_t)
@@ -49734,7 +49827,7 @@ index ea29513..819a8d5 100644
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +456,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +460,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
  
  dev_read_rand(initrc_t)
  dev_read_urand(initrc_t)
@@ -49742,7 +49835,7 @@ index ea29513..819a8d5 100644
  dev_write_kmsg(initrc_t)
  dev_write_rand(initrc_t)
  dev_write_urand(initrc_t)
-@@ -291,6 +469,7 @@ dev_read_sound_mixer(initrc_t)
+@@ -291,6 +473,7 @@ dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
  dev_setattr_all_chr_files(initrc_t)
  dev_rw_lvm_control(initrc_t)
@@ -49750,7 +49843,7 @@ index ea29513..819a8d5 100644
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -298,13 +477,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +481,13 @@ dev_manage_generic_files(initrc_t)
  dev_delete_generic_symlinks(initrc_t)
  dev_getattr_all_blk_files(initrc_t)
  dev_getattr_all_chr_files(initrc_t)
@@ -49766,7 +49859,7 @@ index ea29513..819a8d5 100644
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
-@@ -316,6 +495,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +499,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
  domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
  domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
  domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -49774,7 +49867,7 @@ index ea29513..819a8d5 100644
  
  files_getattr_all_dirs(initrc_t)
  files_getattr_all_files(initrc_t)
-@@ -323,8 +503,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +507,10 @@ files_getattr_all_symlinks(initrc_t)
  files_getattr_all_pipes(initrc_t)
  files_getattr_all_sockets(initrc_t)
  files_purge_tmp(initrc_t)
@@ -49786,7 +49879,7 @@ index ea29513..819a8d5 100644
  files_delete_all_pids(initrc_t)
  files_delete_all_pid_dirs(initrc_t)
  files_read_etc_files(initrc_t)
-@@ -340,8 +522,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +526,12 @@ files_list_isid_type_dirs(initrc_t)
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
  files_mounton_default(initrc_t)
@@ -49800,7 +49893,7 @@ index ea29513..819a8d5 100644
  fs_list_inotifyfs(initrc_t)
  fs_register_binary_executable_type(initrc_t)
  # rhgb-console writes to ramfs
-@@ -351,6 +537,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +541,8 @@ fs_mount_all_fs(initrc_t)
  fs_unmount_all_fs(initrc_t)
  fs_remount_all_fs(initrc_t)
  fs_getattr_all_fs(initrc_t)
@@ -49809,7 +49902,7 @@ index ea29513..819a8d5 100644
  
  # initrc_t needs to do a pidof which requires ptrace
  mcs_ptrace_all(initrc_t)
-@@ -363,6 +551,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +555,7 @@ mls_process_read_up(initrc_t)
  mls_process_write_down(initrc_t)
  mls_rangetrans_source(initrc_t)
  mls_fd_share_all_levels(initrc_t)
@@ -49817,7 +49910,7 @@ index ea29513..819a8d5 100644
  
  selinux_get_enforce_mode(initrc_t)
  
-@@ -374,6 +563,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +567,7 @@ term_use_all_terms(initrc_t)
  term_reset_tty_labels(initrc_t)
  
  auth_rw_login_records(initrc_t)
@@ -49825,7 +49918,7 @@ index ea29513..819a8d5 100644
  auth_setattr_login_records(initrc_t)
  auth_rw_lastlog(initrc_t)
  auth_read_pam_pid(initrc_t)
-@@ -394,18 +584,17 @@ logging_read_audit_config(initrc_t)
+@@ -394,18 +588,17 @@ logging_read_audit_config(initrc_t)
  
  miscfiles_read_localization(initrc_t)
  # slapd needs to read cert files from its initscript
@@ -49847,7 +49940,7 @@ index ea29513..819a8d5 100644
  
  ifdef(`distro_debian',`
  	dev_setattr_generic_dirs(initrc_t)
-@@ -478,7 +667,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +671,7 @@ ifdef(`distro_redhat',`
  
  	# Red Hat systems seem to have a stray
  	# fd open from the initrd
@@ -49856,7 +49949,7 @@ index ea29513..819a8d5 100644
  	files_dontaudit_read_root_files(initrc_t)
  
  	# These seem to be from the initrd
-@@ -493,6 +682,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +686,7 @@ ifdef(`distro_redhat',`
  	files_create_boot_dirs(initrc_t)
  	files_create_boot_flag(initrc_t)
  	files_rw_boot_symlinks(initrc_t)
@@ -49864,7 +49957,7 @@ index ea29513..819a8d5 100644
  	# wants to read /.fonts directory
  	files_read_default_files(initrc_t)
  	files_mountpoint(initrc_tmp_t)
-@@ -524,6 +714,23 @@ ifdef(`distro_redhat',`
+@@ -524,6 +718,23 @@ ifdef(`distro_redhat',`
  	optional_policy(`
  		bind_manage_config_dirs(initrc_t)
  		bind_write_config(initrc_t)
@@ -49888,7 +49981,7 @@ index ea29513..819a8d5 100644
  	')
  
  	optional_policy(`
-@@ -531,10 +738,17 @@ ifdef(`distro_redhat',`
+@@ -531,10 +742,17 @@ ifdef(`distro_redhat',`
  		rpc_write_exports(initrc_t)
  		rpc_manage_nfs_state_data(initrc_t)
  	')
@@ -49906,7 +49999,7 @@ index ea29513..819a8d5 100644
  	')
  
  	optional_policy(`
-@@ -549,6 +763,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +767,39 @@ ifdef(`distro_suse',`
  	')
  ')
  
@@ -49946,7 +50039,7 @@ index ea29513..819a8d5 100644
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +808,8 @@ optional_policy(`
+@@ -561,6 +812,8 @@ optional_policy(`
  optional_policy(`
  	apache_read_config(initrc_t)
  	apache_list_modules(initrc_t)
@@ -49955,7 +50048,7 @@ index ea29513..819a8d5 100644
  ')
  
  optional_policy(`
-@@ -577,6 +826,7 @@ optional_policy(`
+@@ -577,6 +830,7 @@ optional_policy(`
  
  optional_policy(`
  	cgroup_stream_connect_cgred(initrc_t)
@@ -49963,7 +50056,7 @@ index ea29513..819a8d5 100644
  ')
  
  optional_policy(`
-@@ -589,6 +839,11 @@ optional_policy(`
+@@ -589,6 +843,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -49975,7 +50068,7 @@ index ea29513..819a8d5 100644
  	dev_getattr_printer_dev(initrc_t)
  
  	cups_read_log(initrc_t)
-@@ -605,9 +860,13 @@ optional_policy(`
+@@ -605,9 +864,13 @@ optional_policy(`
  	dbus_connect_system_bus(initrc_t)
  	dbus_system_bus_client(initrc_t)
  	dbus_read_config(initrc_t)
@@ -49989,7 +50082,7 @@ index ea29513..819a8d5 100644
  	')
  
  	optional_policy(`
-@@ -649,6 +908,11 @@ optional_policy(`
+@@ -649,6 +912,11 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50001,7 +50094,7 @@ index ea29513..819a8d5 100644
  	inn_exec_config(initrc_t)
  ')
  
-@@ -706,7 +970,13 @@ optional_policy(`
+@@ -706,7 +974,13 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50015,7 +50108,7 @@ index ea29513..819a8d5 100644
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
  
-@@ -729,6 +999,10 @@ optional_policy(`
+@@ -729,6 +1003,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50026,7 +50119,7 @@ index ea29513..819a8d5 100644
  	postgresql_manage_db(initrc_t)
  	postgresql_read_config(initrc_t)
  ')
-@@ -738,10 +1012,20 @@ optional_policy(`
+@@ -738,10 +1016,20 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50047,7 +50140,7 @@ index ea29513..819a8d5 100644
  	quota_manage_flags(initrc_t)
  ')
  
-@@ -750,6 +1034,10 @@ optional_policy(`
+@@ -750,6 +1038,10 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50058,7 +50151,7 @@ index ea29513..819a8d5 100644
  	fs_write_ramfs_sockets(initrc_t)
  	fs_search_ramfs(initrc_t)
  
-@@ -771,8 +1059,6 @@ optional_policy(`
+@@ -771,8 +1063,6 @@ optional_policy(`
  	# bash tries ioctl for some reason
  	files_dontaudit_ioctl_all_pids(initrc_t)
  
@@ -50067,7 +50160,7 @@ index ea29513..819a8d5 100644
  ')
  
  optional_policy(`
-@@ -781,14 +1067,21 @@ optional_policy(`
+@@ -781,14 +1071,21 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50089,7 +50182,7 @@ index ea29513..819a8d5 100644
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -800,7 +1093,6 @@ optional_policy(`
+@@ -800,7 +1097,6 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50097,7 +50190,7 @@ index ea29513..819a8d5 100644
  	udev_manage_pid_files(initrc_t)
  	udev_manage_rules_files(initrc_t)
  ')
-@@ -810,11 +1102,19 @@ optional_policy(`
+@@ -810,11 +1106,19 @@ optional_policy(`
  ')
  
  optional_policy(`
@@ -50118,7 +50211,7 @@ index ea29513..819a8d5 100644
  
  	ifdef(`distro_redhat',`
  		# system-config-services causes avc messages that should be dontaudited
-@@ -824,6 +1124,25 @@ optional_policy(`
+@@ -824,6 +1128,25 @@ optional_policy(`
  	optional_policy(`
  		mono_domtrans(initrc_t)
  	')
@@ -50144,7 +50237,7 @@ index ea29513..819a8d5 100644
  ')
  
  optional_policy(`
-@@ -849,3 +1168,42 @@ optional_policy(`
+@@ -849,3 +1172,42 @@ optional_policy(`
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -54620,10 +54713,10 @@ index 0000000..aabfb0d
 +')
 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
 new file mode 100644
-index 0000000..1e5b954
+index 0000000..d5b6aff
 --- /dev/null
 +++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,163 @@
+@@ -0,0 +1,162 @@
 +
 +policy_module(systemd, 1.0.0)
 +
@@ -54700,9 +54793,8 @@ index 0000000..1e5b954
 +dev_write_kmsg(systemd_tmpfiles_t)
 +
 +# systemd-tmpfiles relabel /run/lock and creates /run/lock/lockdev
-+fs_create_tmpfs_dir(systemd_tmpfiles_t)
-+fs_relabelfrom_tmpfs_dir(systemd_tmpfiles_t)
-+fs_setattr_tmpfs_dir(systemd_tmpfiles_t)
++fs_manage_tmpfs_dirs(systemd_tmpfiles_t)
++fs_relabel_tmpfs_dirs(systemd_tmpfiles_t)
 +
 +files_read_etc_files(systemd_tmpfiles_t)
 +files_getattr_all_dirs(systemd_tmpfiles_t)
@@ -55938,7 +56030,7 @@ index db75976..392d1ee 100644
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 +HOME_DIR/\.debug(/.*)?	<<none>>
 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..d0697c5 100644
+index 28b88de..d514493 100644
 --- a/policy/modules/system/userdomain.if
 +++ b/policy/modules/system/userdomain.if
 @@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -56390,7 +56482,7 @@ index 28b88de..d0697c5 100644
  
  	##############################
  	#
-@@ -500,73 +570,79 @@ template(`userdom_common_user_template',`
+@@ -500,73 +570,81 @@ template(`userdom_common_user_template',`
  	# evolution and gnome-session try to create a netlink socket
  	dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
  	dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -56456,6 +56548,8 @@ index 28b88de..d0697c5 100644
 +	fs_read_noxattr_fs_files($1_usertype)
 +	fs_read_noxattr_fs_symlinks($1_usertype)
 +	fs_rw_cgroup_files($1_usertype)
++
++	application_getattr_socket($1_usertype)
  
 -	fs_rw_cgroup_files($1_t)
 +	logging_send_syslog_msg($1_usertype)
@@ -56509,7 +56603,7 @@ index 28b88de..d0697c5 100644
  	')
  
  	tunable_policy(`user_ttyfile_stat',`
-@@ -574,67 +650,122 @@ template(`userdom_common_user_template',`
+@@ -574,67 +652,122 @@ template(`userdom_common_user_template',`
  	')
  
  	optional_policy(`
@@ -56523,23 +56617,23 @@ index 28b88de..d0697c5 100644
  		# Allow graphical boot to check battery lifespan
 -		apm_stream_connect($1_t)
 +		apm_stream_connect($1_usertype)
-+	')
-+
-+	optional_policy(`
-+		canna_stream_connect($1_usertype)
-+	')
-+
-+	optional_policy(`
-+		chrome_role($1_r, $1_usertype)
  	')
  
  	optional_policy(`
 -		canna_stream_connect($1_t)
-+		colord_read_lib_files($1_usertype)
++		canna_stream_connect($1_usertype)
  	')
  
  	optional_policy(`
 -		dbus_system_bus_client($1_t)
++		chrome_role($1_r, $1_usertype)
++	')
++
++	optional_policy(`
++		colord_read_lib_files($1_usertype)
++	')
++
++	optional_policy(`
 +		dbus_system_bus_client($1_usertype)
 +
 +		allow $1_usertype $1_usertype:dbus  send_msg;
@@ -56555,49 +56649,49 @@ index 28b88de..d0697c5 100644
 +		optional_policy(`
 +			bluetooth_dbus_chat($1_usertype)
 +		')
-+
-+		optional_policy(`
-+			consolekit_dbus_chat($1_usertype)
-+			consolekit_read_log($1_usertype)
-+		')
-+
-+		optional_policy(`
-+			devicekit_dbus_chat($1_usertype)
-+			devicekit_dbus_chat_power($1_usertype)
-+			devicekit_dbus_chat_disk($1_usertype)
-+		')
-+
-+		optional_policy(`
-+			evolution_dbus_chat($1_usertype)
-+			evolution_alarm_dbus_chat($1_usertype)
-+		')
  
  		optional_policy(`
 -			bluetooth_dbus_chat($1_t)
-+			gnome_dbus_chat_gconfdefault($1_usertype)
++			consolekit_dbus_chat($1_usertype)
++			consolekit_read_log($1_usertype)
  		')
  
  		optional_policy(`
 -			evolution_dbus_chat($1_t)
 -			evolution_alarm_dbus_chat($1_t)
-+			hal_dbus_chat($1_usertype)
++			devicekit_dbus_chat($1_usertype)
++			devicekit_dbus_chat_power($1_usertype)
++			devicekit_dbus_chat_disk($1_usertype)
  		')
  
  		optional_policy(`
 -			cups_dbus_chat_config($1_t)
-+			kde_dbus_chat_backlighthelper($1_usertype)
++			evolution_dbus_chat($1_usertype)
++			evolution_alarm_dbus_chat($1_usertype)
  		')
  
  		optional_policy(`
 -			hal_dbus_chat($1_t)
-+			modemmanager_dbus_chat($1_usertype)
++			gnome_dbus_chat_gconfdefault($1_usertype)
  		')
  
  		optional_policy(`
 -			networkmanager_dbus_chat($1_t)
++			hal_dbus_chat($1_usertype)
+ 		')
++
++		optional_policy(`
++			kde_dbus_chat_backlighthelper($1_usertype)
++		')
++
++		optional_policy(`
++			modemmanager_dbus_chat($1_usertype)
++		')
++
++		optional_policy(`
 +			networkmanager_dbus_chat($1_usertype)
 +			networkmanager_read_lib_files($1_usertype)
- 		')
++		')
 +
 +		optional_policy(`
 +			vpn_dbus_chat($1_usertype)
@@ -56650,7 +56744,7 @@ index 28b88de..d0697c5 100644
  	')
  
  	optional_policy(`
-@@ -650,41 +781,50 @@ template(`userdom_common_user_template',`
+@@ -650,41 +783,50 @@ template(`userdom_common_user_template',`
  
  	optional_policy(`
  		# to allow monitoring of pcmcia status
@@ -56682,53 +56776,51 @@ index 28b88de..d0697c5 100644
 +	optional_policy(`
 +		rpc_dontaudit_getattr_exports($1_usertype)
 +		rpc_manage_nfs_rw_content($1_usertype)
-+	')
-+
-+	optional_policy(`
-+		rpcbind_stream_connect($1_usertype)
  	')
  
  	optional_policy(`
 -		rpc_dontaudit_getattr_exports($1_t)
 -		rpc_manage_nfs_rw_content($1_t)
-+		samba_stream_connect_winbind($1_usertype)
++		rpcbind_stream_connect($1_usertype)
  	')
  
  	optional_policy(`
 -		samba_stream_connect_winbind($1_t)
-+		sandbox_transition($1_usertype, $1_r)
++		samba_stream_connect_winbind($1_usertype)
  	')
  
  	optional_policy(`
 -		slrnpull_search_spool($1_t)
-+		seunshare_role_template($1, $1_r, $1_t)
++		sandbox_transition($1_usertype, $1_r)
  	')
  
  	optional_policy(`
 -		usernetctl_run($1_t,$1_r)
-+		slrnpull_search_spool($1_usertype)
++		seunshare_role_template($1, $1_r, $1_t)
  	')
 +
++	optional_policy(`
++		slrnpull_search_spool($1_usertype)
++	')
++
  ')
  
  #######################################
-@@ -712,13 +852,26 @@ template(`userdom_login_user_template', `
+@@ -712,13 +854,26 @@ template(`userdom_login_user_template', `
  
  	userdom_base_user_template($1)
  
 -	userdom_manage_home_role($1_r, $1_t)
 +	userdom_manage_home_role($1_r, $1_usertype)
-+
-+	userdom_manage_tmp_role($1_r, $1_usertype)
-+	userdom_manage_tmpfs_role($1_r, $1_usertype)
  
 -	userdom_manage_tmp_role($1_r, $1_t)
 -	userdom_manage_tmpfs_role($1_r, $1_t)
++	userdom_manage_tmp_role($1_r, $1_usertype)
++	userdom_manage_tmpfs_role($1_r, $1_usertype)
++
 +	ifelse(`$1',`unconfined',`',`
 +		gen_tunable(allow_$1_exec_content, true)
- 
--	userdom_exec_user_tmp_files($1_t)
--	userdom_exec_user_home_content_files($1_t)
++
 +		tunable_policy(`allow_$1_exec_content',`
 +			userdom_exec_user_tmp_files($1_usertype)
 +			userdom_exec_user_home_content_files($1_usertype)
@@ -56736,7 +56828,9 @@ index 28b88de..d0697c5 100644
 +		tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
 +                        fs_exec_nfs_files($1_usertype)
 +		')
-+
+ 
+-	userdom_exec_user_tmp_files($1_t)
+-	userdom_exec_user_home_content_files($1_t)
 +		tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
 +			fs_exec_cifs_files($1_usertype)
 +		')
@@ -56744,7 +56838,7 @@ index 28b88de..d0697c5 100644
  
  	userdom_change_password_template($1)
  
-@@ -736,72 +889,70 @@ template(`userdom_login_user_template', `
+@@ -736,72 +891,70 @@ template(`userdom_login_user_template', `
  
  	allow $1_t self:context contains;
  
@@ -56811,10 +56905,10 @@ index 28b88de..d0697c5 100644
 -	miscfiles_exec_tetex_data($1_t)
 +	miscfiles_read_tetex_data($1_usertype)
 +	miscfiles_exec_tetex_data($1_usertype)
-+
-+	seutil_read_config($1_usertype)
  
 -	seutil_read_config($1_t)
++	seutil_read_config($1_usertype)
++
 +	optional_policy(`
 +		cups_read_config($1_usertype)
 +		cups_stream_connect($1_usertype)
@@ -56852,7 +56946,7 @@ index 28b88de..d0697c5 100644
  	')
  ')
  
-@@ -833,6 +984,9 @@ template(`userdom_restricted_user_template',`
+@@ -833,6 +986,9 @@ template(`userdom_restricted_user_template',`
  	typeattribute $1_t unpriv_userdomain;
  	domain_interactive_fd($1_t)
  
@@ -56862,7 +56956,7 @@ index 28b88de..d0697c5 100644
  	##############################
  	#
  	# Local policy
-@@ -874,45 +1028,113 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1030,113 @@ template(`userdom_restricted_xwindows_user_template',`
  	#
  
  	auth_role($1_r, $1_t)
@@ -56933,40 +57027,40 @@ index 28b88de..d0697c5 100644
 +			abrt_dbus_chat($1_usertype)
 +			abrt_run_helper($1_usertype, $1_r)
 +		')
-+
-+		optional_policy(`
-+			consolekit_dontaudit_read_log($1_usertype)
-+			consolekit_dbus_chat($1_usertype)
-+		')
-+
-+		optional_policy(`
-+			cups_dbus_chat($1_usertype)
-+			cups_dbus_chat_config($1_usertype)
-+		')
  
  		optional_policy(`
 -			consolekit_dbus_chat($1_t)
-+			devicekit_dbus_chat($1_usertype)
-+			devicekit_dbus_chat_disk($1_usertype)
-+			devicekit_dbus_chat_power($1_usertype)
++			consolekit_dontaudit_read_log($1_usertype)
++			consolekit_dbus_chat($1_usertype)
  		')
  
  		optional_policy(`
 -			cups_dbus_chat($1_t)
-+			fprintd_dbus_chat($1_t)
++			cups_dbus_chat($1_usertype)
++			cups_dbus_chat_config($1_usertype)
  		')
- 	')
- 
- 	optional_policy(`
--		java_role($1_r, $1_t)
-+		openoffice_role_template($1, $1_r, $1_usertype)
++
++		optional_policy(`
++			devicekit_dbus_chat($1_usertype)
++			devicekit_dbus_chat_disk($1_usertype)
++			devicekit_dbus_chat_power($1_usertype)
++		')
++
++		optional_policy(`
++			fprintd_dbus_chat($1_t)
++		')
 +	')
 +
 +	optional_policy(`
-+		policykit_role($1_r, $1_usertype)
++		openoffice_role_template($1, $1_r, $1_usertype)
 +	')
 +
 +	optional_policy(`
++		policykit_role($1_r, $1_usertype)
+ 	')
+ 
+ 	optional_policy(`
+-		java_role($1_r, $1_t)
 +		pulseaudio_role($1_r, $1_usertype)
 +	')
 +
@@ -56987,7 +57081,7 @@ index 28b88de..d0697c5 100644
  	')
  ')
  
-@@ -947,7 +1169,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1171,7 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# Inherit rules for ordinary users.
@@ -56996,7 +57090,7 @@ index 28b88de..d0697c5 100644
  	userdom_common_user_template($1)
  
  	##############################
-@@ -956,54 +1178,83 @@ template(`userdom_unpriv_user_template', `
+@@ -956,54 +1180,83 @@ template(`userdom_unpriv_user_template', `
  	#
  
  	# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -57066,13 +57160,16 @@ index 28b88de..d0697c5 100644
 +
 +	optional_policy(`
 +		gpg_role($1_r, $1_usertype)
-+	')
-+
-+	optional_policy(`
+ 	')
+ 
+-	# Run pppd in pppd_t by default for user
+ 	optional_policy(`
+-		ppp_run_cond($1_t,$1_r)
 +		gnomeclock_dbus_chat($1_t)
-+	')
-+
-+	optional_policy(`
+ 	')
+ 
+ 	optional_policy(`
+-		setroubleshoot_stream_connect($1_t)
 +		gpm_stream_connect($1_usertype)
 +	')
 +
@@ -57095,22 +57192,19 @@ index 28b88de..d0697c5 100644
 +
 +	optional_policy(`
 +		wine_role_template($1, $1_r, $1_t)
- 	')
- 
--	# Run pppd in pppd_t by default for user
- 	optional_policy(`
--		ppp_run_cond($1_t,$1_r)
++	')
++
++	optional_policy(`
 +		postfix_run_postdrop($1_t, $1_r)
- 	')
- 
++	')
++
 +	# Run pppd in pppd_t by default for user
- 	optional_policy(`
--		setroubleshoot_stream_connect($1_t)
++	optional_policy(`
 +		ppp_run_cond($1_t, $1_r)
  	')
  ')
  
-@@ -1039,7 +1290,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1292,7 @@ template(`userdom_unpriv_user_template', `
  template(`userdom_admin_user_template',`
  	gen_require(`
  		attribute admindomain;
@@ -57119,7 +57213,7 @@ index 28b88de..d0697c5 100644
  	')
  
  	##############################
-@@ -1066,6 +1317,7 @@ template(`userdom_admin_user_template',`
+@@ -1066,6 +1319,7 @@ template(`userdom_admin_user_template',`
  	#
  
  	allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -57127,7 +57221,7 @@ index 28b88de..d0697c5 100644
  	allow $1_t self:process { setexec setfscreate };
  	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
  	allow $1_t self:tun_socket create;
-@@ -1074,6 +1326,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1328,9 @@ template(`userdom_admin_user_template',`
  	# Skip authentication when pam_rootok is specified.
  	allow $1_t self:passwd rootok;
  
@@ -57137,7 +57231,7 @@ index 28b88de..d0697c5 100644
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1088,6 +1343,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1345,7 @@ template(`userdom_admin_user_template',`
  	kernel_sigstop_unlabeled($1_t)
  	kernel_signull_unlabeled($1_t)
  	kernel_sigchld_unlabeled($1_t)
@@ -57145,7 +57239,7 @@ index 28b88de..d0697c5 100644
  
  	corenet_tcp_bind_generic_port($1_t)
  	# allow setting up tunnels
-@@ -1105,10 +1361,13 @@ template(`userdom_admin_user_template',`
+@@ -1105,10 +1363,13 @@ template(`userdom_admin_user_template',`
  	dev_rename_all_blk_files($1_t)
  	dev_rename_all_chr_files($1_t)
  	dev_create_generic_symlinks($1_t)
@@ -57159,7 +57253,7 @@ index 28b88de..d0697c5 100644
  	domain_dontaudit_ptrace_all_domains($1_t)
  	# signal all domains:
  	domain_kill_all_domains($1_t)
-@@ -1119,17 +1378,21 @@ template(`userdom_admin_user_template',`
+@@ -1119,17 +1380,21 @@ template(`userdom_admin_user_template',`
  	domain_sigchld_all_domains($1_t)
  	# for lsof
  	domain_getattr_all_sockets($1_t)
@@ -57182,7 +57276,7 @@ index 28b88de..d0697c5 100644
  
  	auth_getattr_shadow($1_t)
  	# Manage almost all files
-@@ -1141,7 +1404,10 @@ template(`userdom_admin_user_template',`
+@@ -1141,7 +1406,10 @@ template(`userdom_admin_user_template',`
  
  	logging_send_syslog_msg($1_t)
  
@@ -57194,7 +57288,7 @@ index 28b88de..d0697c5 100644
  
  	# The following rule is temporary until such time that a complete
  	# policy management infrastructure is in place so that an administrator
-@@ -1210,6 +1476,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1478,8 @@ template(`userdom_security_admin_template',`
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -57203,7 +57297,7 @@ index 28b88de..d0697c5 100644
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1222,6 +1490,7 @@ template(`userdom_security_admin_template',`
+@@ -1222,6 +1492,7 @@ template(`userdom_security_admin_template',`
  	selinux_set_enforce_mode($1)
  	selinux_set_all_booleans($1)
  	selinux_set_parameters($1)
@@ -57211,7 +57305,7 @@ index 28b88de..d0697c5 100644
  
  	auth_relabel_all_files_except_shadow($1)
  	auth_relabel_shadow($1)
-@@ -1237,6 +1506,7 @@ template(`userdom_security_admin_template',`
+@@ -1237,6 +1508,7 @@ template(`userdom_security_admin_template',`
  	seutil_run_checkpolicy($1,$2)
  	seutil_run_loadpolicy($1,$2)
  	seutil_run_semanage($1,$2)
@@ -57219,7 +57313,7 @@ index 28b88de..d0697c5 100644
  	seutil_run_setfiles($1, $2)
  
  	optional_policy(`
-@@ -1279,11 +1549,37 @@ template(`userdom_security_admin_template',`
+@@ -1279,11 +1551,37 @@ template(`userdom_security_admin_template',`
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -57257,7 +57351,7 @@ index 28b88de..d0697c5 100644
  	ubac_constrained($1)
  ')
  
-@@ -1395,6 +1691,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,6 +1693,7 @@ interface(`userdom_search_user_home_dirs',`
  	')
  
  	allow $1 user_home_dir_t:dir search_dir_perms;
@@ -57265,7 +57359,7 @@ index 28b88de..d0697c5 100644
  	files_search_home($1)
  ')
  
-@@ -1441,6 +1738,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1740,14 @@ interface(`userdom_list_user_home_dirs',`
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -57280,7 +57374,7 @@ index 28b88de..d0697c5 100644
  ')
  
  ########################################
-@@ -1456,9 +1761,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1763,11 @@ interface(`userdom_list_user_home_dirs',`
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -57292,7 +57386,7 @@ index 28b88de..d0697c5 100644
  ')
  
  ########################################
-@@ -1515,10 +1822,10 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,10 +1824,10 @@ interface(`userdom_relabelto_user_home_dirs',`
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -57305,7 +57399,7 @@ index 28b88de..d0697c5 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1526,22 +1833,58 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1526,21 +1835,57 @@ interface(`userdom_relabelto_user_home_dirs',`
  ##	</summary>
  ## </param>
  #
@@ -57328,7 +57422,6 @@ index 28b88de..d0697c5 100644
 +##	Relabel user home files.
  ## </summary>
 -## <desc>
--##	<p>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
@@ -57369,11 +57462,10 @@ index 28b88de..d0697c5 100644
 +##	user home directory.
 +## </summary>
 +## <desc>
-+##	<p>
+ ##	<p>
  ##	Do a domain transition to the specified
  ##	domain when executing a program in the
- ##	user home directory.
-@@ -1589,6 +1932,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +1934,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -57382,7 +57474,7 @@ index 28b88de..d0697c5 100644
  ')
  
  ########################################
-@@ -1603,10 +1948,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +1950,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
  #
  interface(`userdom_list_user_home_content',`
  	gen_require(`
@@ -57397,7 +57489,7 @@ index 28b88de..d0697c5 100644
  ')
  
  ########################################
-@@ -1649,6 +1996,25 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +1998,25 @@ interface(`userdom_delete_user_home_content_dirs',`
  
  ########################################
  ## <summary>
@@ -57423,7 +57515,7 @@ index 28b88de..d0697c5 100644
  ##	Do not audit attempts to set the
  ##	attributes of user home files.
  ## </summary>
-@@ -1700,12 +2066,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1700,12 +2068,32 @@ interface(`userdom_read_user_home_content_files',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -57456,7 +57548,7 @@ index 28b88de..d0697c5 100644
  ##	Do not audit attempts to read user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1716,11 +2102,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2104,14 @@ interface(`userdom_read_user_home_content_files',`
  #
  interface(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -57474,7 +57566,7 @@ index 28b88de..d0697c5 100644
  ')
  
  ########################################
-@@ -1810,8 +2199,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2201,7 @@ interface(`userdom_read_user_home_content_symlinks',`
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -57484,7 +57576,7 @@ index 28b88de..d0697c5 100644
  ')
  
  ########################################
-@@ -1827,20 +2215,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,21 +2217,15 @@ interface(`userdom_read_user_home_content_symlinks',`
  #
  interface(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -57498,18 +57590,19 @@ index 28b88de..d0697c5 100644
 -
 -	tunable_policy(`use_nfs_home_dirs',`
 -		fs_exec_nfs_files($1)
--	')
--
--	tunable_policy(`use_samba_home_dirs',`
--		fs_exec_cifs_files($1)
 +	exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
 +	dontaudit $1 user_home_type:sock_file execute;
  	')
--')
  
+-	tunable_policy(`use_samba_home_dirs',`
+-		fs_exec_cifs_files($1)
+-	')
+-')
+-
  ########################################
  ## <summary>
-@@ -2182,7 +2564,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+ ##	Do not audit attempts to execute user home files.
+@@ -2182,7 +2566,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -57518,7 +57611,7 @@ index 28b88de..d0697c5 100644
  ')
  
  ########################################
-@@ -2435,13 +2817,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +2819,14 @@ interface(`userdom_read_user_tmpfs_files',`
  	')
  
  	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -57534,7 +57627,7 @@ index 28b88de..d0697c5 100644
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -2462,26 +2845,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +2847,6 @@ interface(`userdom_rw_user_tmpfs_files',`
  
  ########################################
  ## <summary>
@@ -57561,7 +57654,7 @@ index 28b88de..d0697c5 100644
  ##	Get the attributes of a user domain tty.
  ## </summary>
  ## <param name="domain">
-@@ -2572,6 +2935,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2572,6 +2937,24 @@ interface(`userdom_use_user_ttys',`
  
  ########################################
  ## <summary>
@@ -57586,7 +57679,7 @@ index 28b88de..d0697c5 100644
  ##	Read and write a user domain pty.
  ## </summary>
  ## <param name="domain">
-@@ -2590,22 +2971,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2590,22 +2973,34 @@ interface(`userdom_use_user_ptys',`
  
  ########################################
  ## <summary>
@@ -57629,7 +57722,7 @@ index 28b88de..d0697c5 100644
  ## </desc>
  ## <param name="domain">
  ##	<summary>
-@@ -2614,14 +3007,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2614,14 +3009,33 @@ interface(`userdom_use_user_ptys',`
  ## </param>
  ## <infoflow type="both" weight="10"/>
  #
@@ -57667,7 +57760,7 @@ index 28b88de..d0697c5 100644
  ')
  
  ########################################
-@@ -2815,7 +3227,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2815,7 +3229,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  
  	domain_entry_file_spec_domtrans($1, unpriv_userdomain)
  	allow unpriv_userdomain $1:fd use;
@@ -57676,7 +57769,7 @@ index 28b88de..d0697c5 100644
  	allow unpriv_userdomain $1:process sigchld;
  ')
  
-@@ -2831,11 +3243,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2831,11 +3245,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
  #
  interface(`userdom_search_user_home_content',`
  	gen_require(`
@@ -57692,7 +57785,7 @@ index 28b88de..d0697c5 100644
  ')
  
  ########################################
-@@ -2917,7 +3331,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2917,7 +3333,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
  		type user_devpts_t;
  	')
  
@@ -57701,7 +57794,7 @@ index 28b88de..d0697c5 100644
  ')
  
  ########################################
-@@ -2972,7 +3386,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2972,7 +3388,45 @@ interface(`userdom_write_user_tmp_files',`
  		type user_tmp_t;
  	')
  
@@ -57748,7 +57841,7 @@ index 28b88de..d0697c5 100644
  ')
  
  ########################################
-@@ -3009,6 +3461,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3009,6 +3463,7 @@ interface(`userdom_read_all_users_state',`
  	')
  
  	read_files_pattern($1, userdomain, userdomain)
@@ -57756,7 +57849,7 @@ index 28b88de..d0697c5 100644
  	kernel_search_proc($1)
  ')
  
-@@ -3087,6 +3540,24 @@ interface(`userdom_signal_all_users',`
+@@ -3087,6 +3542,24 @@ interface(`userdom_signal_all_users',`
  
  ########################################
  ## <summary>
@@ -57781,7 +57874,7 @@ index 28b88de..d0697c5 100644
  ##	Send a SIGCHLD signal to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -3139,3 +3610,1058 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3139,3 +3612,1058 @@ interface(`userdom_dbus_send_all_users',`
  
  	allow $1 userdomain:dbus send_msg;
  ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9fd0ac3..9b6dd51 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.16
-Release: 11%{?dist}
+Release: 12%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -470,6 +470,16 @@ exit 0
 %endif
 
 %changelog
+* Mon Apr 4 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-12
+- Add /var/run/lock /var/lock definition to file_contexts.subs
+- nslcd_t is looking for kerberos cc files
+- SSH_USE_STRONG_RNG is 1 which requires /dev/random
+- Fix auth_rw_faillog definition
+- Allow sysadm_t to set attributes on fixed disks
+- allow user domains to execute lsof and look at application sockets
+- prelink_cron job calls telinit -u if init is rewritten
+- Fixes to run qemu_t from staff_t
+
 * Mon Apr 4 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-11
 - Fix label for /var/run/udev to udev_var_run_t
 - Mock needs to be able to read network state