diff --git a/file_contexts.subs b/file_contexts.subs
index 7499c75..f8d0cb3 100644
--- a/file_contexts.subs
+++ b/file_contexts.subs
@@ -1,2 +1,3 @@
/run /var/run
/run/lock /var/lock
+/var/run/lock /var/lock
diff --git a/policy-F16.patch b/policy-F16.patch
index 2e87799..ca4da59 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -1476,7 +1476,7 @@ index c633aea..d1e56f6 100644
ifdef(`hide_broken_symptoms',`
diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
-index af55369..f30119e 100644
+index af55369..2718561 100644
--- a/policy/modules/admin/prelink.te
+++ b/policy/modules/admin/prelink.te
@@ -36,7 +36,7 @@ files_type(prelink_var_lib_t)
@@ -1561,7 +1561,7 @@ index af55369..f30119e 100644
domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
allow prelink_cron_system_t prelink_t:process noatsecure;
-@@ -148,7 +163,7 @@ optional_policy(`
+@@ -148,17 +163,26 @@ optional_policy(`
files_read_etc_files(prelink_cron_system_t)
files_search_var_lib(prelink_cron_system_t)
@@ -1570,7 +1570,11 @@ index af55369..f30119e 100644
libs_exec_ld_so(prelink_cron_system_t)
-@@ -158,7 +173,14 @@ optional_policy(`
+ logging_search_logs(prelink_cron_system_t)
+
++ init_stream_connect(prelink_cron_system_t)
++
+ miscfiles_read_localization(prelink_cron_system_t)
cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t)
@@ -7600,7 +7604,7 @@ index 2ba7787..9f12b51 100644
')
diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
-index c2d20a2..be062b9 100644
+index c2d20a2..ae14a7d 100644
--- a/policy/modules/apps/pulseaudio.te
+++ b/policy/modules/apps/pulseaudio.te
@@ -44,6 +44,7 @@ allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -7662,10 +7666,10 @@ index c2d20a2..be062b9 100644
')
+
+optional_policy(`
-+ qemu_manage_tmpfs_files(pulseaudio_t)
++ virt_manage_tmpfs_files(pulseaudio_t)
+')
diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if
-index c1d5f50..9e34fbd 100644
+index c1d5f50..6c7a005 100644
--- a/policy/modules/apps/qemu.if
+++ b/policy/modules/apps/qemu.if
@@ -76,7 +76,7 @@ template(`qemu_domain_template',`
@@ -7760,7 +7764,7 @@ index c1d5f50..9e34fbd 100644
#
interface(`qemu_run',`
gen_require(`
-@@ -177,10 +157,6 @@ interface(`qemu_run',`
+@@ -177,10 +157,8 @@ interface(`qemu_run',`
qemu_domtrans($1)
role $2 types qemu_t;
@@ -7768,10 +7772,12 @@ index c1d5f50..9e34fbd 100644
- optional_policy(`
- samba_run_smb(qemu_t, $2, $3)
- ')
++ allow qemu_t $1:process signull;
++ allow $1 qemu_t:process signull;
')
########################################
-@@ -275,6 +251,67 @@ interface(`qemu_domtrans_unconfined',`
+@@ -275,6 +253,67 @@ interface(`qemu_domtrans_unconfined',`
########################################
## <summary>
@@ -7839,7 +7845,7 @@ index c1d5f50..9e34fbd 100644
## Manage qemu temporary dirs.
## </summary>
## <param name="domain">
-@@ -308,3 +345,42 @@ interface(`qemu_manage_tmp_files',`
+@@ -308,3 +347,22 @@ interface(`qemu_manage_tmp_files',`
manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
')
@@ -7862,28 +7868,8 @@ index c1d5f50..9e34fbd 100644
+
+ domain_entry_file($1, qemu_exec_t)
+')
-+
-+########################################
-+## <summary>
-+## allow domain to manage
-+## qemu tmpfs files
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access
-+## </summary>
-+## </param>
-+#
-+interface(`qemu_manage_tmpfs_files',`
-+ gen_require(`
-+ attribute qemu_tmpfs_type;
-+ ')
-+
-+ allow $1 qemu_tmpfs_type:file manage_file_perms;
-+')
-+
diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te
-index 5ef2f7d..c01d37c 100644
+index 5ef2f7d..13057b7 100644
--- a/policy/modules/apps/qemu.te
+++ b/policy/modules/apps/qemu.te
@@ -21,7 +21,7 @@ gen_tunable(qemu_use_cifs, true)
@@ -7914,17 +7900,21 @@ index 5ef2f7d..c01d37c 100644
corenet_udp_bind_all_ports(qemu_t)
corenet_tcp_bind_all_ports(qemu_t)
corenet_tcp_connect_all_ports(qemu_t)
-@@ -90,10 +91,18 @@ tunable_policy(`qemu_use_usb',`
+@@ -90,10 +91,22 @@ tunable_policy(`qemu_use_usb',`
')
optional_policy(`
- samba_domtrans_smbd(qemu_t)
-+ tunable_policy(`qemu_use_cifs',`
-+ samba_domtrans_smbd(qemu_t)
-+ ')
++ dbus_read_lib_files(qemu_t)
')
optional_policy(`
++ tunable_policy(`qemu_use_cifs',`
++ samba_domtrans_smbd(qemu_t)
++ ')
++')
++
++optional_policy(`
+ pulseaudio_manage_home_files(qemu_t)
+ pulseaudio_stream_connect(qemu_t)
+')
@@ -7934,7 +7924,7 @@ index 5ef2f7d..c01d37c 100644
virt_manage_images(qemu_t)
virt_append_log(qemu_t)
')
-@@ -102,6 +111,11 @@ optional_policy(`
+@@ -102,6 +115,11 @@ optional_policy(`
xen_rw_image_files(qemu_t)
')
@@ -7946,7 +7936,7 @@ index 5ef2f7d..c01d37c 100644
########################################
#
# Unconfined qemu local policy
-@@ -112,6 +126,8 @@ optional_policy(`
+@@ -112,6 +130,8 @@ optional_policy(`
typealias unconfined_qemu_t alias qemu_unconfined_t;
application_type(unconfined_qemu_t)
unconfined_domain(unconfined_qemu_t)
@@ -10673,7 +10663,7 @@ index 6cf8784..5b25039 100644
+#
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
-index e9313fb..c4607c9 100644
+index e9313fb..60437ca 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -146,14 +146,33 @@ interface(`dev_relabel_all_dev_nodes',`
@@ -10947,10 +10937,28 @@ index e9313fb..c4607c9 100644
## Read hardware state information.
## </summary>
## <desc>
-@@ -3954,6 +4026,24 @@ interface(`dev_rw_sysfs',`
+@@ -3954,6 +4026,42 @@ interface(`dev_rw_sysfs',`
########################################
## <summary>
++## Relabel hardware state directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_relabel_sysfs_dirs',`
++ gen_require(`
++ type sysfs_t;
++ ')
++
++ relabel_dirs_pattern($1, sysfs_t, sysfs_t)
++')
++
++########################################
++## <summary>
+## Allow caller to modify hardware state information.
+## </summary>
+## <param name="domain">
@@ -10972,7 +10980,7 @@ index e9313fb..c4607c9 100644
## Read and write the TPM device.
## </summary>
## <param name="domain">
-@@ -4514,6 +4604,24 @@ interface(`dev_rwx_vmware',`
+@@ -4514,6 +4622,24 @@ interface(`dev_rwx_vmware',`
########################################
## <summary>
@@ -10997,7 +11005,7 @@ index e9313fb..c4607c9 100644
## Write to watchdog devices.
## </summary>
## <param name="domain">
-@@ -4748,3 +4856,23 @@ interface(`dev_unconfined',`
+@@ -4748,3 +4874,23 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@@ -12800,7 +12808,7 @@ index 59bae6a..2e55e71 100644
+/dev/hugepages -d gen_context(system_u:object_r:hugetlbfs_t,s0)
+/dev/hugepages(/.*)? <<none>>
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
-index dfe361a..5da5ee1 100644
+index dfe361a..be9572b 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -646,11 +646,31 @@ interface(`fs_search_cgroup_dirs',`
@@ -12821,13 +12829,13 @@ index dfe361a..5da5ee1 100644
+## </summary>
+## </param>
+#
-+interface(`fs_relabelto_cgroup_dirs',`
++interface(`fs_relabel_cgroup_dirs',`
+ gen_require(`
+ type cgroup_t;
+
+ ')
+
-+ relabelto_dirs_pattern($1, cgroup_t, cgroup_t)
++ relabel_dirs_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
@@ -13371,11 +13379,11 @@ index dfe361a..5da5ee1 100644
manage_lnk_files_pattern($1, nfs_t, nfs_t)
')
-@@ -3989,6 +4334,78 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+@@ -3772,6 +4117,24 @@ interface(`fs_dontaudit_list_tmpfs',`
########################################
## <summary>
-+## dontaudit Read and write block nodes on tmpfs filesystems.
++## Relabel directory on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -13383,53 +13391,24 @@ index dfe361a..5da5ee1 100644
+## </summary>
+## </param>
+#
-+interface(`fs_dontaudit_read_tmpfs_blk_dev',`
++interface(`fs_relabel_tmpfs_dirs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
-+ dontaudit $1 tmpfs_t:blk_file read_blk_file_perms;
-+')
-+
-+######################################
-+## <summary>
-+## Allow setattr on directory on tmpfs filesystems.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`fs_setattr_tmpfs_dir',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ setattr_dirs_pattern($1, tmpfs_t, tmpfs_t)
-+')
-+
-+#######################################
-+## <summary>
-+## Create directory on tmpfs filesystems.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`fs_create_tmpfs_dir',`
-+ gen_require(`
-+ type tmpfs_t;
-+ ')
-+
-+ create_dirs_pattern($1, tmpfs_t, tmpfs_t)
++ relabel_dirs_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
+## <summary>
-+## Relabelfrom directory on tmpfs filesystems.
+ ## Create, read, write, and delete
+ ## tmpfs directories
+ ## </summary>
+@@ -3989,6 +4352,24 @@ interface(`fs_dontaudit_use_tmpfs_chr_dev',`
+
+ ########################################
+ ## <summary>
++## dontaudit Read and write block nodes on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -13437,12 +13416,12 @@ index dfe361a..5da5ee1 100644
+## </summary>
+## </param>
+#
-+interface(`fs_relabelfrom_tmpfs_dir',`
++interface(`fs_dontaudit_read_tmpfs_blk_dev',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
-+ relabelfrom_dirs_pattern($1, tmpfs_t, tmpfs_t)
++ dontaudit $1 tmpfs_t:blk_file read_blk_file_perms;
+')
+
+########################################
@@ -13450,7 +13429,7 @@ index dfe361a..5da5ee1 100644
## Relabel character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
-@@ -4271,6 +4688,8 @@ interface(`fs_mount_all_fs',`
+@@ -4271,6 +4652,8 @@ interface(`fs_mount_all_fs',`
')
allow $1 filesystem_type:filesystem mount;
@@ -13459,7 +13438,7 @@ index dfe361a..5da5ee1 100644
')
########################################
-@@ -4681,3 +5100,24 @@ interface(`fs_unconfined',`
+@@ -4681,3 +5064,24 @@ interface(`fs_unconfined',`
typeattribute $1 filesystem_unconfined_type;
')
@@ -14059,7 +14038,7 @@ index 3994e57..a1923fe 100644
+
+/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
-index f3acfee..eceb42d 100644
+index f3acfee..59ea6ae 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -208,6 +208,27 @@ interface(`term_use_all_terms',`
@@ -14120,7 +14099,32 @@ index f3acfee..eceb42d 100644
')
########################################
-@@ -658,6 +680,25 @@ interface(`term_use_controlling_term',`
+@@ -462,6 +484,24 @@ interface(`term_list_ptys',`
+
+ ########################################
+ ## <summary>
++## Relabel the /dev/pts directory
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`term_relabel_ptys_dirs',`
++ gen_require(`
++ type devpts_t;
++ ')
++
++ allow $1 devpts_t:dir relabel_dirs_perms;
++')
++
++########################################
++## <summary>
+ ## Do not audit attempts to read the
+ ## /dev/pts directory.
+ ## </summary>
+@@ -658,6 +698,25 @@ interface(`term_use_controlling_term',`
allow $1 devtty_t:chr_file { rw_term_perms lock append };
')
@@ -14146,7 +14150,7 @@ index f3acfee..eceb42d 100644
########################################
## <summary>
## Do not audit attempts to get attributes
-@@ -842,6 +883,26 @@ interface(`term_use_all_ptys',`
+@@ -842,6 +901,26 @@ interface(`term_use_all_ptys',`
########################################
## <summary>
@@ -14173,7 +14177,7 @@ index f3acfee..eceb42d 100644
## Do not audit attempts to read or write any ptys.
## </summary>
## <param name="domain">
-@@ -855,7 +916,7 @@ interface(`term_dontaudit_use_all_ptys',`
+@@ -855,7 +934,7 @@ interface(`term_dontaudit_use_all_ptys',`
attribute ptynode;
')
@@ -14182,7 +14186,7 @@ index f3acfee..eceb42d 100644
')
########################################
-@@ -1123,7 +1184,7 @@ interface(`term_relabel_unallocated_ttys',`
+@@ -1123,7 +1202,7 @@ interface(`term_relabel_unallocated_ttys',`
')
dev_list_all_dev_nodes($1)
@@ -14191,7 +14195,7 @@ index f3acfee..eceb42d 100644
')
########################################
-@@ -1222,7 +1283,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1222,7 +1301,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
type tty_device_t;
')
@@ -14200,7 +14204,7 @@ index f3acfee..eceb42d 100644
')
########################################
-@@ -1238,11 +1299,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
+@@ -1238,11 +1317,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
#
interface(`term_getattr_all_ttys',`
gen_require(`
@@ -14214,7 +14218,7 @@ index f3acfee..eceb42d 100644
')
########################################
-@@ -1259,10 +1322,12 @@ interface(`term_getattr_all_ttys',`
+@@ -1259,10 +1340,12 @@ interface(`term_getattr_all_ttys',`
interface(`term_dontaudit_getattr_all_ttys',`
gen_require(`
attribute ttynode;
@@ -14227,7 +14231,7 @@ index f3acfee..eceb42d 100644
')
########################################
-@@ -1301,7 +1366,7 @@ interface(`term_relabel_all_ttys',`
+@@ -1301,7 +1384,7 @@ interface(`term_relabel_all_ttys',`
')
dev_list_all_dev_nodes($1)
@@ -14236,7 +14240,7 @@ index f3acfee..eceb42d 100644
')
########################################
-@@ -1340,7 +1405,27 @@ interface(`term_use_all_ttys',`
+@@ -1340,7 +1423,27 @@ interface(`term_use_all_ttys',`
')
dev_list_all_dev_nodes($1)
@@ -14265,7 +14269,7 @@ index f3acfee..eceb42d 100644
')
########################################
-@@ -1359,7 +1444,7 @@ interface(`term_dontaudit_use_all_ttys',`
+@@ -1359,7 +1462,7 @@ interface(`term_dontaudit_use_all_ttys',`
attribute ttynode;
')
@@ -14274,7 +14278,7 @@ index f3acfee..eceb42d 100644
')
########################################
-@@ -1475,3 +1560,22 @@ interface(`term_dontaudit_use_all_user_ttys',`
+@@ -1475,3 +1578,22 @@ interface(`term_dontaudit_use_all_user_ttys',`
refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
term_dontaudit_use_all_ttys($1)
')
@@ -14423,7 +14427,7 @@ index be4de58..cce681a 100644
########################################
#
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..9440b5f 100644
+index 2be17d2..7ccb554 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -8,12 +8,48 @@ policy_module(staff, 2.2.0)
@@ -14475,7 +14479,7 @@ index 2be17d2..9440b5f 100644
optional_policy(`
apache_role(staff_r, staff_t)
')
-@@ -27,25 +63,138 @@ optional_policy(`
+@@ -27,25 +63,139 @@ optional_policy(`
')
optional_policy(`
@@ -14548,6 +14552,7 @@ index 2be17d2..9440b5f 100644
optional_policy(`
+ qemu_run(staff_t, staff_r)
++ virt_manage_tmpfs_files(staff_t)
+')
+
+optional_policy(`
@@ -14616,7 +14621,7 @@ index 2be17d2..9440b5f 100644
optional_policy(`
vlock_run(staff_t, staff_r)
-@@ -89,10 +238,6 @@ ifndef(`distro_redhat',`
+@@ -89,10 +239,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -14627,7 +14632,7 @@ index 2be17d2..9440b5f 100644
gpg_role(staff_r, staff_t)
')
-@@ -137,10 +282,6 @@ ifndef(`distro_redhat',`
+@@ -137,10 +283,6 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@@ -14638,7 +14643,7 @@ index 2be17d2..9440b5f 100644
spamassassin_role(staff_r, staff_t)
')
-@@ -172,3 +313,7 @@ ifndef(`distro_redhat',`
+@@ -172,3 +314,7 @@ ifndef(`distro_redhat',`
wireshark_role(staff_r, staff_t)
')
')
@@ -14647,10 +14652,10 @@ index 2be17d2..9440b5f 100644
+ userdom_execmod_user_home_files(staff_usertype)
+')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
-index 4a8d146..d721e34 100644
+index 4a8d146..6b0999e 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
-@@ -24,20 +24,40 @@ ifndef(`enable_mls',`
+@@ -24,20 +24,41 @@ ifndef(`enable_mls',`
#
# Local policy
#
@@ -14665,6 +14670,8 @@ index 4a8d146..d721e34 100644
mls_process_read_up(sysadm_t)
+mls_file_read_to_clearance(sysadm_t)
+mls_process_write_to_clearance(sysadm_t)
++
++storage_setattr_fixed_disk_dev(sysadm_t)
ubac_process_exempt(sysadm_t)
ubac_file_exempt(sysadm_t)
@@ -14677,7 +14684,6 @@ index 4a8d146..d721e34 100644
+init_dbus_chat(sysadm_t)
+init_script_role_transition(sysadm_r)
+
-+
+miscfiles_read_hwdata(sysadm_t)
# Add/remove user home directories
@@ -14691,7 +14697,7 @@ index 4a8d146..d721e34 100644
ifdef(`direct_sysadm_daemon',`
optional_policy(`
-@@ -55,6 +75,7 @@ ifndef(`enable_mls',`
+@@ -55,6 +76,7 @@ ifndef(`enable_mls',`
logging_manage_audit_log(sysadm_t)
logging_manage_audit_config(sysadm_t)
logging_run_auditctl(sysadm_t, sysadm_r)
@@ -14699,7 +14705,7 @@ index 4a8d146..d721e34 100644
')
tunable_policy(`allow_ptrace',`
-@@ -69,7 +90,6 @@ optional_policy(`
+@@ -69,7 +91,6 @@ optional_policy(`
apache_run_helper(sysadm_t, sysadm_r)
#apache_run_all_scripts(sysadm_t, sysadm_r)
#apache_domtrans_sys_script(sysadm_t)
@@ -14707,7 +14713,7 @@ index 4a8d146..d721e34 100644
')
optional_policy(`
-@@ -98,6 +118,10 @@ optional_policy(`
+@@ -98,6 +119,10 @@ optional_policy(`
')
optional_policy(`
@@ -14718,7 +14724,7 @@ index 4a8d146..d721e34 100644
certwatch_run(sysadm_t, sysadm_r)
')
-@@ -114,7 +138,7 @@ optional_policy(`
+@@ -114,7 +139,7 @@ optional_policy(`
')
optional_policy(`
@@ -14727,7 +14733,7 @@ index 4a8d146..d721e34 100644
')
optional_policy(`
-@@ -124,6 +148,10 @@ optional_policy(`
+@@ -124,6 +149,10 @@ optional_policy(`
')
optional_policy(`
@@ -14738,7 +14744,7 @@ index 4a8d146..d721e34 100644
ddcprobe_run(sysadm_t, sysadm_r)
')
-@@ -163,6 +191,13 @@ optional_policy(`
+@@ -163,6 +192,13 @@ optional_policy(`
ipsec_stream_connect(sysadm_t)
# for lsof
ipsec_getattr_key_sockets(sysadm_t)
@@ -14752,7 +14758,7 @@ index 4a8d146..d721e34 100644
')
optional_policy(`
-@@ -170,15 +205,15 @@ optional_policy(`
+@@ -170,15 +206,15 @@ optional_policy(`
')
optional_policy(`
@@ -14771,7 +14777,7 @@ index 4a8d146..d721e34 100644
')
optional_policy(`
-@@ -198,18 +233,12 @@ optional_policy(`
+@@ -198,18 +234,12 @@ optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
@@ -14792,7 +14798,7 @@ index 4a8d146..d721e34 100644
')
optional_policy(`
-@@ -225,6 +254,10 @@ optional_policy(`
+@@ -225,6 +255,10 @@ optional_policy(`
')
optional_policy(`
@@ -14803,7 +14809,7 @@ index 4a8d146..d721e34 100644
netutils_run(sysadm_t, sysadm_r)
netutils_run_ping(sysadm_t, sysadm_r)
netutils_run_traceroute(sysadm_t, sysadm_r)
-@@ -253,7 +286,7 @@ optional_policy(`
+@@ -253,7 +287,7 @@ optional_policy(`
')
optional_policy(`
@@ -14812,7 +14818,7 @@ index 4a8d146..d721e34 100644
')
optional_policy(`
-@@ -265,20 +298,14 @@ optional_policy(`
+@@ -265,20 +299,14 @@ optional_policy(`
')
optional_policy(`
@@ -14834,7 +14840,7 @@ index 4a8d146..d721e34 100644
optional_policy(`
rsync_exec(sysadm_t)
-@@ -307,7 +334,7 @@ optional_policy(`
+@@ -307,7 +335,7 @@ optional_policy(`
')
optional_policy(`
@@ -14843,7 +14849,7 @@ index 4a8d146..d721e34 100644
')
optional_policy(`
-@@ -332,10 +359,6 @@ optional_policy(`
+@@ -332,10 +360,6 @@ optional_policy(`
')
optional_policy(`
@@ -14854,7 +14860,7 @@ index 4a8d146..d721e34 100644
tripwire_run_siggen(sysadm_t, sysadm_r)
tripwire_run_tripwire(sysadm_t, sysadm_r)
tripwire_run_twadmin(sysadm_t, sysadm_r)
-@@ -343,19 +366,15 @@ optional_policy(`
+@@ -343,19 +367,15 @@ optional_policy(`
')
optional_policy(`
@@ -14876,7 +14882,7 @@ index 4a8d146..d721e34 100644
')
optional_policy(`
-@@ -367,17 +386,14 @@ optional_policy(`
+@@ -367,17 +387,14 @@ optional_policy(`
')
optional_policy(`
@@ -14896,7 +14902,7 @@ index 4a8d146..d721e34 100644
')
optional_policy(`
-@@ -389,7 +405,7 @@ optional_policy(`
+@@ -389,7 +406,7 @@ optional_policy(`
')
optional_policy(`
@@ -14905,7 +14911,7 @@ index 4a8d146..d721e34 100644
')
optional_policy(`
-@@ -404,8 +420,15 @@ optional_policy(`
+@@ -404,8 +421,15 @@ optional_policy(`
yam_run(sysadm_t, sysadm_r)
')
@@ -14921,7 +14927,7 @@ index 4a8d146..d721e34 100644
auth_role(sysadm_r, sysadm_t)
')
-@@ -452,5 +475,60 @@ ifndef(`distro_redhat',`
+@@ -452,5 +476,60 @@ ifndef(`distro_redhat',`
optional_policy(`
java_role(sysadm_r, sysadm_t)
')
@@ -22798,7 +22804,7 @@ index 35241ed..b6c4cc9 100644
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
')
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
-index f7583ab..9941737 100644
+index f7583ab..220ba1b 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -10,18 +10,18 @@ gen_require(`
@@ -22940,13 +22946,14 @@ index f7583ab..9941737 100644
files_read_usr_files(crond_t)
files_read_etc_runtime_files(crond_t)
-@@ -203,11 +220,16 @@ files_list_usr(crond_t)
+@@ -203,11 +220,17 @@ files_list_usr(crond_t)
files_search_var_lib(crond_t)
files_search_default(crond_t)
+fs_manage_cgroup_dirs(crond_t)
+fs_manage_cgroup_files(crond_t)
+
++init_read_state(crond_t)
init_rw_utmp(crond_t)
init_spec_domtrans_script(crond_t)
@@ -22957,7 +22964,7 @@ index f7583ab..9941737 100644
logging_send_syslog_msg(crond_t)
logging_set_loginuid(crond_t)
-@@ -220,8 +242,10 @@ miscfiles_read_localization(crond_t)
+@@ -220,8 +243,10 @@ miscfiles_read_localization(crond_t)
userdom_use_unpriv_users_fds(crond_t)
# Not sure why this is needed
userdom_list_user_home_dirs(crond_t)
@@ -22968,7 +22975,7 @@ index f7583ab..9941737 100644
ifdef(`distro_debian',`
# pam_limits is used
-@@ -233,7 +257,7 @@ ifdef(`distro_debian',`
+@@ -233,7 +258,7 @@ ifdef(`distro_debian',`
')
')
@@ -22977,7 +22984,7 @@ index f7583ab..9941737 100644
# Run the rpm program in the rpm_t domain. Allow creation of RPM log files
# via redirection of standard out.
optional_policy(`
-@@ -250,11 +274,30 @@ tunable_policy(`fcron_crond', `
+@@ -250,11 +275,30 @@ tunable_policy(`fcron_crond', `
')
optional_policy(`
@@ -23008,7 +23015,7 @@ index f7583ab..9941737 100644
amanda_search_var_lib(crond_t)
')
-@@ -264,6 +307,8 @@ optional_policy(`
+@@ -264,6 +308,8 @@ optional_policy(`
optional_policy(`
hal_dbus_chat(crond_t)
@@ -23017,7 +23024,7 @@ index f7583ab..9941737 100644
')
optional_policy(`
-@@ -289,12 +334,18 @@ optional_policy(`
+@@ -289,12 +335,18 @@ optional_policy(`
udev_read_db(crond_t)
')
@@ -23036,7 +23043,7 @@ index f7583ab..9941737 100644
allow system_cronjob_t self:process { signal_perms getsched setsched };
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
allow system_cronjob_t self:passwd rootok;
-@@ -306,10 +357,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
+@@ -306,10 +358,19 @@ logging_log_filetrans(system_cronjob_t, cron_log_t, file)
# This is to handle /var/lib/misc directory. Used currently
# by prelink var/lib files for cron
@@ -23057,7 +23064,7 @@ index f7583ab..9941737 100644
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
# not directly executed, crond must ensure that
-@@ -329,6 +389,7 @@ allow crond_t system_cronjob_t:fd use;
+@@ -329,6 +390,7 @@ allow crond_t system_cronjob_t:fd use;
allow system_cronjob_t crond_t:fd use;
allow system_cronjob_t crond_t:fifo_file rw_file_perms;
allow system_cronjob_t crond_t:process sigchld;
@@ -23065,7 +23072,7 @@ index f7583ab..9941737 100644
# Write /var/lock/makewhatis.lock.
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
-@@ -340,9 +401,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
+@@ -340,9 +402,13 @@ manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
@@ -23080,7 +23087,7 @@ index f7583ab..9941737 100644
kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
-@@ -365,6 +430,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
+@@ -365,6 +431,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t)
dev_getattr_all_blk_files(system_cronjob_t)
dev_getattr_all_chr_files(system_cronjob_t)
dev_read_urand(system_cronjob_t)
@@ -23088,7 +23095,7 @@ index f7583ab..9941737 100644
fs_getattr_all_fs(system_cronjob_t)
fs_getattr_all_files(system_cronjob_t)
-@@ -391,6 +457,7 @@ files_dontaudit_search_pids(system_cronjob_t)
+@@ -391,6 +458,7 @@ files_dontaudit_search_pids(system_cronjob_t)
# Access other spool directories like
# /var/spool/anacron and /var/spool/slrnpull.
files_manage_generic_spool(system_cronjob_t)
@@ -23096,7 +23103,7 @@ index f7583ab..9941737 100644
init_use_script_fds(system_cronjob_t)
init_read_utmp(system_cronjob_t)
-@@ -413,8 +480,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
+@@ -413,8 +481,10 @@ miscfiles_manage_man_pages(system_cronjob_t)
seutil_read_config(system_cronjob_t)
@@ -23108,7 +23115,7 @@ index f7583ab..9941737 100644
# via redirection of standard out.
optional_policy(`
rpm_manage_log(system_cronjob_t)
-@@ -439,6 +508,8 @@ optional_policy(`
+@@ -439,6 +509,8 @@ optional_policy(`
apache_read_config(system_cronjob_t)
apache_read_log(system_cronjob_t)
apache_read_sys_content(system_cronjob_t)
@@ -23117,7 +23124,7 @@ index f7583ab..9941737 100644
')
optional_policy(`
-@@ -446,6 +517,14 @@ optional_policy(`
+@@ -446,6 +518,14 @@ optional_policy(`
')
optional_policy(`
@@ -23132,7 +23139,7 @@ index f7583ab..9941737 100644
ftp_read_log(system_cronjob_t)
')
-@@ -456,15 +535,24 @@ optional_policy(`
+@@ -456,15 +536,24 @@ optional_policy(`
')
optional_policy(`
@@ -23157,7 +23164,7 @@ index f7583ab..9941737 100644
')
optional_policy(`
-@@ -480,7 +568,7 @@ optional_policy(`
+@@ -480,7 +569,7 @@ optional_policy(`
prelink_manage_lib(system_cronjob_t)
prelink_manage_log(system_cronjob_t)
prelink_read_cache(system_cronjob_t)
@@ -23166,7 +23173,7 @@ index f7583ab..9941737 100644
')
optional_policy(`
-@@ -495,6 +583,7 @@ optional_policy(`
+@@ -495,6 +584,7 @@ optional_policy(`
optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
@@ -23174,7 +23181,7 @@ index f7583ab..9941737 100644
')
optional_policy(`
-@@ -502,7 +591,13 @@ optional_policy(`
+@@ -502,7 +592,13 @@ optional_policy(`
')
optional_policy(`
@@ -23188,7 +23195,7 @@ index f7583ab..9941737 100644
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
')
-@@ -595,9 +690,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
+@@ -595,9 +691,12 @@ userdom_manage_user_home_content_sockets(cronjob_t)
#userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
@@ -31109,7 +31116,7 @@ index 256166a..15daf47 100644
/usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
-index 343cee3..2f948ad 100644
+index 343cee3..3d7edf0 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -37,9 +37,9 @@ interface(`mta_stub',`
@@ -31123,7 +31130,15 @@ index 343cee3..2f948ad 100644
gen_require(`
attribute user_mail_domain;
type sendmail_exec_t;
-@@ -158,6 +158,7 @@ template(`mta_base_mail_template',`
+@@ -104,6 +104,7 @@ template(`mta_base_mail_template',`
+
+ optional_policy(`
+ postfix_domtrans_user_mail_handler($1_mail_t)
++ postfix_rw_master_pipes($1_mail_t)
+ ')
+
+ optional_policy(`
+@@ -158,6 +159,7 @@ template(`mta_base_mail_template',`
## User domain for the role
## </summary>
## </param>
@@ -31131,7 +31146,7 @@ index 343cee3..2f948ad 100644
#
interface(`mta_role',`
gen_require(`
-@@ -169,7 +170,7 @@ interface(`mta_role',`
+@@ -169,7 +171,7 @@ interface(`mta_role',`
# Transition from the user domain to the derived domain.
domtrans_pattern($2, sendmail_exec_t, user_mail_t)
@@ -31140,7 +31155,7 @@ index 343cee3..2f948ad 100644
allow mta_user_agent $2:fd use;
allow mta_user_agent $2:process sigchld;
-@@ -220,6 +221,25 @@ interface(`mta_agent_executable',`
+@@ -220,6 +222,25 @@ interface(`mta_agent_executable',`
application_executable_file($1)
')
@@ -31166,7 +31181,7 @@ index 343cee3..2f948ad 100644
########################################
## <summary>
## Make the specified type by a system MTA.
-@@ -306,7 +326,6 @@ interface(`mta_mailserver_sender',`
+@@ -306,7 +327,6 @@ interface(`mta_mailserver_sender',`
interface(`mta_mailserver_delivery',`
gen_require(`
attribute mailserver_delivery;
@@ -31174,7 +31189,7 @@ index 343cee3..2f948ad 100644
')
typeattribute $1 mailserver_delivery;
-@@ -330,12 +349,6 @@ interface(`mta_mailserver_user_agent',`
+@@ -330,12 +350,6 @@ interface(`mta_mailserver_user_agent',`
')
typeattribute $1 mta_user_agent;
@@ -31187,7 +31202,7 @@ index 343cee3..2f948ad 100644
')
########################################
-@@ -350,9 +363,8 @@ interface(`mta_mailserver_user_agent',`
+@@ -350,9 +364,8 @@ interface(`mta_mailserver_user_agent',`
#
interface(`mta_send_mail',`
gen_require(`
@@ -31198,7 +31213,7 @@ index 343cee3..2f948ad 100644
')
allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
-@@ -362,6 +374,10 @@ interface(`mta_send_mail',`
+@@ -362,6 +375,10 @@ interface(`mta_send_mail',`
allow mta_user_agent $1:fd use;
allow mta_user_agent $1:process sigchld;
allow mta_user_agent $1:fifo_file rw_fifo_file_perms;
@@ -31209,7 +31224,7 @@ index 343cee3..2f948ad 100644
')
########################################
-@@ -391,12 +407,15 @@ interface(`mta_send_mail',`
+@@ -391,12 +408,15 @@ interface(`mta_send_mail',`
#
interface(`mta_sendmail_domtrans',`
gen_require(`
@@ -31227,7 +31242,7 @@ index 343cee3..2f948ad 100644
')
########################################
-@@ -409,7 +428,6 @@ interface(`mta_sendmail_domtrans',`
+@@ -409,7 +429,6 @@ interface(`mta_sendmail_domtrans',`
## </summary>
## </param>
#
@@ -31235,7 +31250,7 @@ index 343cee3..2f948ad 100644
interface(`mta_signal_system_mail',`
gen_require(`
type system_mail_t;
-@@ -420,6 +438,24 @@ interface(`mta_signal_system_mail',`
+@@ -420,6 +439,24 @@ interface(`mta_signal_system_mail',`
########################################
## <summary>
@@ -31260,7 +31275,7 @@ index 343cee3..2f948ad 100644
## Execute sendmail in the caller domain.
## </summary>
## <param name="domain">
-@@ -474,7 +510,8 @@ interface(`mta_write_config',`
+@@ -474,7 +511,8 @@ interface(`mta_write_config',`
type etc_mail_t;
')
@@ -31270,7 +31285,7 @@ index 343cee3..2f948ad 100644
')
########################################
-@@ -552,7 +589,7 @@ interface(`mta_rw_aliases',`
+@@ -552,7 +590,7 @@ interface(`mta_rw_aliases',`
')
files_search_etc($1)
@@ -31279,7 +31294,7 @@ index 343cee3..2f948ad 100644
')
#######################################
-@@ -646,8 +683,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
+@@ -646,8 +684,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
files_dontaudit_search_spool($1)
dontaudit $1 mail_spool_t:dir search_dir_perms;
@@ -31290,7 +31305,7 @@ index 343cee3..2f948ad 100644
')
#######################################
-@@ -697,8 +734,8 @@ interface(`mta_rw_spool',`
+@@ -697,8 +735,8 @@ interface(`mta_rw_spool',`
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
@@ -31301,7 +31316,7 @@ index 343cee3..2f948ad 100644
read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
-@@ -838,7 +875,7 @@ interface(`mta_dontaudit_rw_queue',`
+@@ -838,7 +876,7 @@ interface(`mta_dontaudit_rw_queue',`
')
dontaudit $1 mqueue_spool_t:dir search_dir_perms;
@@ -31310,7 +31325,7 @@ index 343cee3..2f948ad 100644
')
########################################
-@@ -899,3 +936,50 @@ interface(`mta_rw_user_mail_stream_sockets',`
+@@ -899,3 +937,50 @@ interface(`mta_rw_user_mail_stream_sockets',`
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
')
@@ -32958,7 +32973,7 @@ index 23c769c..be5a5b4 100644
+ admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
')
diff --git a/policy/modules/services/nslcd.te b/policy/modules/services/nslcd.te
-index 4e28d58..5b9cf6d 100644
+index 4e28d58..1835068 100644
--- a/policy/modules/services/nslcd.te
+++ b/policy/modules/services/nslcd.te
@@ -16,7 +16,7 @@ type nslcd_var_run_t;
@@ -32979,11 +32994,12 @@ index 4e28d58..5b9cf6d 100644
allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
allow nslcd_t nslcd_conf_t:file read_file_perms;
-@@ -37,9 +37,12 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
+@@ -37,9 +37,13 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
kernel_read_system_state(nslcd_t)
files_read_etc_files(nslcd_t)
+files_read_usr_symlinks(nslcd_t)
++files_list_tmp(nslcd_t)
auth_use_nsswitch(nslcd_t)
@@ -35243,7 +35259,7 @@ index 55e62d2..6082184 100644
/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
-index 46bee12..9b8c3eb 100644
+index 46bee12..37bd751 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -34,8 +34,9 @@ template(`postfix_domain_template',`
@@ -35345,7 +35361,7 @@ index 46bee12..9b8c3eb 100644
+ type postfix_master_t;
+ ')
+
-+ allow $1 postfix_master_t:fifo_file rw_fifo_file_perms;
++ allow $1 postfix_master_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
@@ -36489,7 +36505,7 @@ index b64b02f..166e9c3 100644
+ read_files_pattern($1, procmail_home_t, procmail_home_t)
+')
diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
-index 29b9295..2a70dd1 100644
+index 29b9295..609ff86 100644
--- a/policy/modules/services/procmail.te
+++ b/policy/modules/services/procmail.te
@@ -10,6 +10,9 @@ type procmail_exec_t;
@@ -36538,17 +36554,18 @@ index 29b9295..2a70dd1 100644
mta_manage_spool(procmail_t)
mta_read_queue(procmail_t)
-@@ -128,6 +137,10 @@ optional_policy(`
- ')
-
- optional_policy(`
-+ nagios_search_spool(procmail_t)
+@@ -125,6 +134,11 @@ optional_policy(`
+ postfix_read_spool_files(procmail_t)
+ postfix_read_local_state(procmail_t)
+ postfix_read_master_state(procmail_t)
++ postfix_rw_master_pipes(procmail_t)
+')
+
+optional_policy(`
- pyzor_domtrans(procmail_t)
- pyzor_signal(procmail_t)
++ nagios_search_spool(procmail_t)
')
+
+ optional_policy(`
diff --git a/policy/modules/services/psad.if b/policy/modules/services/psad.if
index bc329d1..0589f97 100644
--- a/policy/modules/services/psad.if
@@ -42103,7 +42120,7 @@ index 22adaca..68ad7a7 100644
+ allow $1 sshd_t:process signull;
+')
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
-index 2dad3c8..594aa01 100644
+index 2dad3c8..efa5535 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -6,26 +6,32 @@ policy_module(ssh, 2.2.0)
@@ -42432,7 +42449,7 @@ index 2dad3c8..594aa01 100644
') dnl endif TODO
########################################
-@@ -322,14 +369,19 @@ tunable_policy(`ssh_sysadm_login',`
+@@ -322,19 +369,25 @@ tunable_policy(`ssh_sysadm_login',`
# ssh_keygen_t is the type of the ssh-keygen program when run at install time
# and by sysadm_t
@@ -42453,7 +42470,13 @@ index 2dad3c8..594aa01 100644
kernel_read_kernel_sysctls(ssh_keygen_t)
fs_search_auto_mountpoints(ssh_keygen_t)
-@@ -353,7 +405,7 @@ logging_send_syslog_msg(ssh_keygen_t)
+
+ dev_read_sysfs(ssh_keygen_t)
++dev_read_rand(ssh_keygen_t)
+ dev_read_urand(ssh_keygen_t)
+
+ term_dontaudit_use_console(ssh_keygen_t)
+@@ -353,7 +406,7 @@ logging_send_syslog_msg(ssh_keygen_t)
userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
optional_policy(`
@@ -43618,10 +43641,10 @@ index 2124b6a..6546d6e 100644
/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
-index 7c5d8d8..d885f6b 100644
+index 7c5d8d8..9b24cb5 100644
--- a/policy/modules/services/virt.if
+++ b/policy/modules/services/virt.if
-@@ -13,14 +13,14 @@
+@@ -13,14 +13,15 @@
#
template(`virt_domain_template',`
gen_require(`
@@ -43629,6 +43652,7 @@ index 7c5d8d8..d885f6b 100644
- attribute virt_image_type;
- attribute virt_domain;
+ attribute virt_image_type, virt_domain;
++ attribute virt_tmpfs_type;
')
type $1_t, virt_domain;
@@ -43639,7 +43663,14 @@ index 7c5d8d8..d885f6b 100644
role system_r types $1_t;
type $1_devpts_t;
-@@ -35,17 +35,18 @@ template(`virt_domain_template',`
+@@ -29,23 +30,24 @@ template(`virt_domain_template',`
+ type $1_tmp_t;
+ files_tmp_file($1_tmp_t)
+
+- type $1_tmpfs_t;
++ type $1_tmpfs_t, virt_tmpfs_type;
+ files_tmpfs_file($1_tmpfs_t)
+
type $1_image_t, virt_image_type;
files_type($1_image_t)
dev_node($1_image_t)
@@ -43662,7 +43693,7 @@ index 7c5d8d8..d885f6b 100644
manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
-@@ -57,18 +58,6 @@ template(`virt_domain_template',`
+@@ -57,18 +59,6 @@ template(`virt_domain_template',`
manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
@@ -43681,7 +43712,7 @@ index 7c5d8d8..d885f6b 100644
optional_policy(`
xserver_rw_shm($1_t)
')
-@@ -101,9 +90,9 @@ interface(`virt_image',`
+@@ -101,9 +91,9 @@ interface(`virt_image',`
## Execute a domain transition to run virt.
## </summary>
## <param name="domain">
@@ -43693,7 +43724,7 @@ index 7c5d8d8..d885f6b 100644
## </param>
#
interface(`virt_domtrans',`
-@@ -164,13 +153,13 @@ interface(`virt_attach_tun_iface',`
+@@ -164,13 +154,13 @@ interface(`virt_attach_tun_iface',`
#
interface(`virt_read_config',`
gen_require(`
@@ -43709,7 +43740,7 @@ index 7c5d8d8..d885f6b 100644
')
########################################
-@@ -185,13 +174,13 @@ interface(`virt_read_config',`
+@@ -185,13 +175,13 @@ interface(`virt_read_config',`
#
interface(`virt_manage_config',`
gen_require(`
@@ -43725,7 +43756,7 @@ index 7c5d8d8..d885f6b 100644
')
########################################
-@@ -231,6 +220,24 @@ interface(`virt_read_content',`
+@@ -231,6 +221,24 @@ interface(`virt_read_content',`
########################################
## <summary>
@@ -43750,7 +43781,7 @@ index 7c5d8d8..d885f6b 100644
## Read virt PID files.
## </summary>
## <param name="domain">
-@@ -269,6 +276,36 @@ interface(`virt_manage_pid_files',`
+@@ -269,6 +277,36 @@ interface(`virt_manage_pid_files',`
########################################
## <summary>
@@ -43787,7 +43818,7 @@ index 7c5d8d8..d885f6b 100644
## Search virt lib directories.
## </summary>
## <param name="domain">
-@@ -308,6 +345,24 @@ interface(`virt_read_lib_files',`
+@@ -308,6 +346,24 @@ interface(`virt_read_lib_files',`
########################################
## <summary>
@@ -43812,7 +43843,7 @@ index 7c5d8d8..d885f6b 100644
## Create, read, write, and delete
## virt lib files.
## </summary>
-@@ -352,9 +407,9 @@ interface(`virt_read_log',`
+@@ -352,9 +408,9 @@ interface(`virt_read_log',`
## virt log files.
## </summary>
## <param name="domain">
@@ -43824,7 +43855,7 @@ index 7c5d8d8..d885f6b 100644
## </param>
#
interface(`virt_append_log',`
-@@ -424,6 +479,24 @@ interface(`virt_read_images',`
+@@ -424,6 +480,24 @@ interface(`virt_read_images',`
########################################
## <summary>
@@ -43849,7 +43880,7 @@ index 7c5d8d8..d885f6b 100644
## Create, read, write, and delete
## svirt cache files.
## </summary>
-@@ -433,15 +506,15 @@ interface(`virt_read_images',`
+@@ -433,15 +507,15 @@ interface(`virt_read_images',`
## </summary>
## </param>
#
@@ -43870,7 +43901,7 @@ index 7c5d8d8..d885f6b 100644
')
########################################
-@@ -516,3 +589,107 @@ interface(`virt_admin',`
+@@ -516,3 +590,144 @@ interface(`virt_admin',`
virt_manage_log($1)
')
@@ -43978,11 +44009,48 @@ index 7c5d8d8..d885f6b 100644
+ manage_files_pattern($1, virt_home_t, virt_home_t)
+')
+
++########################################
++## <summary>
++## allow domain to read
++## virt tmpfs files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++#
++interface(`virt_read_tmpfs_files',`
++ gen_require(`
++ attribute virt_tmpfs_type;
++ ')
++
++ allow $1 virt_tmpfs_type:file read_file_perms;
++')
++
++########################################
++## <summary>
++## allow domain to manage
++## virt tmpfs files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access
++## </summary>
++## </param>
++#
++interface(`virt_manage_tmpfs_files',`
++ gen_require(`
++ attribute virt_tmpfs_type;
++ ')
++
++ allow $1 virt_tmpfs_type:file manage_file_perms;
++')
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
-index 3eca020..72132fe 100644
+index 3eca020..f715498 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
-@@ -5,80 +5,97 @@ policy_module(virt, 1.4.0)
+@@ -5,56 +5,66 @@ policy_module(virt, 1.4.0)
# Declarations
#
@@ -44063,13 +44131,14 @@ index 3eca020..72132fe 100644
-
attribute virt_domain;
attribute virt_image_type;
-
++attribute virt_tmpfs_type;
++
+type virt_cache_t alias svirt_cache_t;
+files_type(virt_cache_t)
-+
+
type virt_etc_t;
files_config_file(virt_etc_t)
-
+@@ -62,23 +72,31 @@ files_config_file(virt_etc_t)
type virt_etc_rw_t;
files_type(virt_etc_rw_t)
@@ -44102,7 +44171,7 @@ index 3eca020..72132fe 100644
type virtd_t;
type virtd_exec_t;
-@@ -89,6 +106,11 @@ domain_subj_id_change_exemption(virtd_t)
+@@ -89,6 +107,11 @@ domain_subj_id_change_exemption(virtd_t)
type virtd_initrc_exec_t;
init_script_file(virtd_initrc_exec_t)
@@ -44114,7 +44183,7 @@ index 3eca020..72132fe 100644
ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
')
-@@ -104,15 +126,12 @@ ifdef(`enable_mls',`
+@@ -104,15 +127,12 @@ ifdef(`enable_mls',`
allow svirt_t self:udp_socket create_socket_perms;
@@ -44131,7 +44200,7 @@ index 3eca020..72132fe 100644
fs_hugetlbfs_filetrans(svirt_t, svirt_image_t, file)
list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
-@@ -133,6 +152,8 @@ dev_list_sysfs(svirt_t)
+@@ -133,6 +153,8 @@ dev_list_sysfs(svirt_t)
userdom_search_user_home_content(svirt_t)
userdom_read_user_home_content_symlinks(svirt_t)
userdom_read_all_users_state(svirt_t)
@@ -44140,7 +44209,7 @@ index 3eca020..72132fe 100644
tunable_policy(`virt_use_comm',`
term_use_unallocated_ttys(svirt_t)
-@@ -147,11 +168,15 @@ tunable_policy(`virt_use_fusefs',`
+@@ -147,11 +169,15 @@ tunable_policy(`virt_use_fusefs',`
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(svirt_t)
fs_manage_nfs_files(svirt_t)
@@ -44156,7 +44225,7 @@ index 3eca020..72132fe 100644
')
tunable_policy(`virt_use_sysfs',`
-@@ -160,11 +185,22 @@ tunable_policy(`virt_use_sysfs',`
+@@ -160,11 +186,22 @@ tunable_policy(`virt_use_sysfs',`
tunable_policy(`virt_use_usb',`
dev_rw_usbfs(svirt_t)
@@ -44179,7 +44248,7 @@ index 3eca020..72132fe 100644
xen_rw_image_files(svirt_t)
')
-@@ -174,21 +210,33 @@ optional_policy(`
+@@ -174,21 +211,33 @@ optional_policy(`
#
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
@@ -44217,7 +44286,7 @@ index 3eca020..72132fe 100644
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
-@@ -200,8 +248,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
+@@ -200,8 +249,14 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
@@ -44234,7 +44303,7 @@ index 3eca020..72132fe 100644
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
-@@ -220,6 +274,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
+@@ -220,6 +275,7 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
kernel_read_system_state(virtd_t)
kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t)
@@ -44242,7 +44311,7 @@ index 3eca020..72132fe 100644
kernel_request_load_module(virtd_t)
kernel_search_debugfs(virtd_t)
-@@ -239,22 +294,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
+@@ -239,22 +295,31 @@ corenet_tcp_connect_soundd_port(virtd_t)
corenet_rw_tun_tap_dev(virtd_t)
dev_rw_sysfs(virtd_t)
@@ -44275,7 +44344,7 @@ index 3eca020..72132fe 100644
fs_list_auto_mountpoints(virtd_t)
fs_getattr_xattr_fs(virtd_t)
-@@ -262,6 +326,18 @@ fs_rw_anon_inodefs_files(virtd_t)
+@@ -262,6 +327,18 @@ fs_rw_anon_inodefs_files(virtd_t)
fs_list_inotifyfs(virtd_t)
fs_manage_cgroup_dirs(virtd_t)
fs_rw_cgroup_files(virtd_t)
@@ -44294,7 +44363,7 @@ index 3eca020..72132fe 100644
mcs_process_set_categories(virtd_t)
-@@ -285,16 +361,30 @@ modutils_read_module_config(virtd_t)
+@@ -285,16 +362,30 @@ modutils_read_module_config(virtd_t)
modutils_manage_module_config(virtd_t)
logging_send_syslog_msg(virtd_t)
@@ -44325,7 +44394,7 @@ index 3eca020..72132fe 100644
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t)
-@@ -313,6 +403,10 @@ optional_policy(`
+@@ -313,6 +404,10 @@ optional_policy(`
')
optional_policy(`
@@ -44336,7 +44405,7 @@ index 3eca020..72132fe 100644
dbus_system_bus_client(virtd_t)
optional_policy(`
-@@ -329,6 +423,10 @@ optional_policy(`
+@@ -329,6 +424,10 @@ optional_policy(`
')
optional_policy(`
@@ -44347,7 +44416,7 @@ index 3eca020..72132fe 100644
dnsmasq_domtrans(virtd_t)
dnsmasq_signal(virtd_t)
dnsmasq_kill(virtd_t)
-@@ -365,6 +463,8 @@ optional_policy(`
+@@ -365,6 +464,8 @@ optional_policy(`
qemu_signal(virtd_t)
qemu_kill(virtd_t)
qemu_setsched(virtd_t)
@@ -44356,7 +44425,7 @@ index 3eca020..72132fe 100644
')
optional_policy(`
-@@ -385,23 +485,35 @@ optional_policy(`
+@@ -385,23 +486,35 @@ optional_policy(`
udev_read_db(virtd_t)
')
@@ -44397,7 +44466,7 @@ index 3eca020..72132fe 100644
append_files_pattern(virt_domain, virt_log_t, virt_log_t)
append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
-@@ -422,6 +534,7 @@ corenet_rw_tun_tap_dev(virt_domain)
+@@ -422,6 +535,7 @@ corenet_rw_tun_tap_dev(virt_domain)
corenet_tcp_bind_virt_migration_port(virt_domain)
corenet_tcp_connect_virt_migration_port(virt_domain)
@@ -44405,7 +44474,7 @@ index 3eca020..72132fe 100644
dev_read_rand(virt_domain)
dev_read_sound(virt_domain)
dev_read_urand(virt_domain)
-@@ -429,10 +542,12 @@ dev_write_sound(virt_domain)
+@@ -429,10 +543,12 @@ dev_write_sound(virt_domain)
dev_rw_ksm(virt_domain)
dev_rw_kvm(virt_domain)
dev_rw_qemu(virt_domain)
@@ -44418,7 +44487,7 @@ index 3eca020..72132fe 100644
files_read_usr_files(virt_domain)
files_read_var_files(virt_domain)
files_search_all(virt_domain)
-@@ -440,8 +555,16 @@ files_search_all(virt_domain)
+@@ -440,8 +556,16 @@ files_search_all(virt_domain)
fs_getattr_tmpfs(virt_domain)
fs_rw_anon_inodefs_files(virt_domain)
fs_rw_tmpfs_files(virt_domain)
@@ -44436,7 +44505,7 @@ index 3eca020..72132fe 100644
term_getattr_pty_fs(virt_domain)
term_use_generic_ptys(virt_domain)
term_use_ptmx(virt_domain)
-@@ -457,8 +580,117 @@ optional_policy(`
+@@ -457,8 +581,117 @@ optional_policy(`
')
optional_policy(`
@@ -47576,10 +47645,10 @@ index f9a06d2..3d407c6 100644
files_read_etc_files(zos_remote_t)
diff --git a/policy/modules/system/application.if b/policy/modules/system/application.if
-index ac50333..9017b02 100644
+index ac50333..b784a12 100644
--- a/policy/modules/system/application.if
+++ b/policy/modules/system/application.if
-@@ -130,3 +130,75 @@ interface(`application_signull',`
+@@ -130,3 +130,93 @@ interface(`application_signull',`
allow $1 application_domain_type:process signull;
')
@@ -47655,6 +47724,24 @@ index ac50333..9017b02 100644
+
+ allow $1 application_domain_type:process signal;
+')
++
++########################################
++## <summary>
++## Getattr all application sockets.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`application_getattr_socket',`
++ gen_require(`
++ attribute application_domain_type;
++ ')
++
++ allow $1 application_domain_type:socket_class_set getattr;
++')
diff --git a/policy/modules/system/application.te b/policy/modules/system/application.te
index 88df85d..2fa3974 100644
--- a/policy/modules/system/application.te
@@ -47711,7 +47798,7 @@ index 2952cef..d845132 100644
/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 42b4f0f..3c1892d 100644
+index 42b4f0f..3e15a8c 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -47892,10 +47979,14 @@ index 42b4f0f..3c1892d 100644
typeattribute $1 can_relabelto_shadow_passwords;
')
-@@ -736,6 +812,46 @@ interface(`auth_rw_faillog',`
- allow $1 faillog_t:file rw_file_perms;
- ')
+@@ -733,7 +809,47 @@ interface(`auth_rw_faillog',`
+ ')
+ logging_search_logs($1)
+- allow $1 faillog_t:file rw_file_perms;
++ rw_files_pattern($1, faillog_t, faillog_t)
++')
++
+########################################
+## <summary>
+## Relabel the login failure log.
@@ -47934,11 +48025,9 @@ index 42b4f0f..3c1892d 100644
+ files_search_pids($1)
+ allow $1 faillog_t:dir manage_dir_perms;
+ allow $1 faillog_t:file manage_file_perms;
-+')
-+
+ ')
+
#######################################
- ## <summary>
- ## Read the last logins log.
@@ -874,6 +990,46 @@ interface(`auth_exec_pam',`
########################################
@@ -49370,7 +49459,7 @@ index cc83689..3388f34 100644
+')
+
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
-index ea29513..819a8d5 100644
+index ea29513..b4fdd42 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,6 +16,34 @@ gen_require(`
@@ -49536,7 +49625,7 @@ index ea29513..819a8d5 100644
corecmd_shell_domtrans(init_t, initrc_t)
',`
# Run the shell in the sysadm role for single-user mode.
-@@ -186,12 +236,109 @@ tunable_policy(`init_upstart',`
+@@ -186,12 +236,113 @@ tunable_policy(`init_upstart',`
sysadm_shell_domtrans(init_t)
')
@@ -49553,6 +49642,7 @@ index ea29513..819a8d5 100644
+ allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
+ # Until systemd is fixed
+ allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
++ allow init_t self:udp_socket create_socket_perms;
+ allow init_t self:netlink_route_socket create_netlink_socket_perms;
+
+ allow init_t initrc_t:unix_dgram_socket create_socket_perms;
@@ -49578,6 +49668,7 @@ index ea29513..819a8d5 100644
+ dev_relabel_all_dev_nodes(init_t)
+ dev_relabel_all_dev_files(init_t)
+ dev_manage_sysfs_dirs(init_t)
++ dev_relabel_sysfs_dirs(init_t)
+
+ files_mounton_all_mountpoints(init_t)
+ files_unmount_all_file_type_fs(init_t)
@@ -49591,13 +49682,13 @@ index ea29513..819a8d5 100644
+ fs_manage_cgroup_dirs(init_t)
+ fs_manage_hugetlbfs_dirs(init_t)
+ fs_manage_tmpfs_dirs(init_t)
-+ fs_relabelfrom_tmpfs_dir(init_t)
++ fs_relabel_tmpfs_dirs(init_t)
+ fs_mount_all_fs(init_t)
+ fs_remount_autofs(init_t)
+ fs_list_auto_mountpoints(init_t)
+ fs_read_cgroup_files(init_t)
+ fs_write_cgroup_files(init_t)
-+ fs_relabelto_cgroup_dirs(init_t)
++ fs_relabel_cgroup_dirs(init_t)
+ fs_search_cgroup_dirs(daemon)
+
+ selinux_compute_create_context(init_t)
@@ -49606,6 +49697,8 @@ index ea29513..819a8d5 100644
+
+ storage_getattr_removable_dev(init_t)
+
++ term_relabel_ptys_dirs(init_t)
++
+ auth_relabel_login_records(init_t)
+ auth_relabel_pam_console_data_dirs(init_t)
+
@@ -49646,7 +49739,7 @@ index ea29513..819a8d5 100644
')
optional_policy(`
-@@ -199,10 +346,25 @@ optional_policy(`
+@@ -199,10 +350,25 @@ optional_policy(`
')
optional_policy(`
@@ -49672,7 +49765,7 @@ index ea29513..819a8d5 100644
unconfined_domain(init_t)
')
-@@ -212,7 +374,7 @@ optional_policy(`
+@@ -212,7 +378,7 @@ optional_policy(`
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -49681,7 +49774,7 @@ index ea29513..819a8d5 100644
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
-@@ -241,12 +403,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
+@@ -241,12 +407,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@@ -49697,7 +49790,7 @@ index ea29513..819a8d5 100644
init_write_initctl(initrc_t)
-@@ -258,20 +423,32 @@ kernel_change_ring_buffer_level(initrc_t)
+@@ -258,20 +427,32 @@ kernel_change_ring_buffer_level(initrc_t)
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@@ -49734,7 +49827,7 @@ index ea29513..819a8d5 100644
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
-@@ -279,6 +456,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
+@@ -279,6 +460,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
@@ -49742,7 +49835,7 @@ index ea29513..819a8d5 100644
dev_write_kmsg(initrc_t)
dev_write_rand(initrc_t)
dev_write_urand(initrc_t)
-@@ -291,6 +469,7 @@ dev_read_sound_mixer(initrc_t)
+@@ -291,6 +473,7 @@ dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
dev_setattr_all_chr_files(initrc_t)
dev_rw_lvm_control(initrc_t)
@@ -49750,7 +49843,7 @@ index ea29513..819a8d5 100644
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -298,13 +477,13 @@ dev_manage_generic_files(initrc_t)
+@@ -298,13 +481,13 @@ dev_manage_generic_files(initrc_t)
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@@ -49766,7 +49859,7 @@ index ea29513..819a8d5 100644
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
-@@ -316,6 +495,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
+@@ -316,6 +499,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
domain_dontaudit_getattr_all_pipes(initrc_t)
@@ -49774,7 +49867,7 @@ index ea29513..819a8d5 100644
files_getattr_all_dirs(initrc_t)
files_getattr_all_files(initrc_t)
-@@ -323,8 +503,10 @@ files_getattr_all_symlinks(initrc_t)
+@@ -323,8 +507,10 @@ files_getattr_all_symlinks(initrc_t)
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@@ -49786,7 +49879,7 @@ index ea29513..819a8d5 100644
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
-@@ -340,8 +522,12 @@ files_list_isid_type_dirs(initrc_t)
+@@ -340,8 +526,12 @@ files_list_isid_type_dirs(initrc_t)
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -49800,7 +49893,7 @@ index ea29513..819a8d5 100644
fs_list_inotifyfs(initrc_t)
fs_register_binary_executable_type(initrc_t)
# rhgb-console writes to ramfs
-@@ -351,6 +537,8 @@ fs_mount_all_fs(initrc_t)
+@@ -351,6 +541,8 @@ fs_mount_all_fs(initrc_t)
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@@ -49809,7 +49902,7 @@ index ea29513..819a8d5 100644
# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
-@@ -363,6 +551,7 @@ mls_process_read_up(initrc_t)
+@@ -363,6 +555,7 @@ mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@@ -49817,7 +49910,7 @@ index ea29513..819a8d5 100644
selinux_get_enforce_mode(initrc_t)
-@@ -374,6 +563,7 @@ term_use_all_terms(initrc_t)
+@@ -374,6 +567,7 @@ term_use_all_terms(initrc_t)
term_reset_tty_labels(initrc_t)
auth_rw_login_records(initrc_t)
@@ -49825,7 +49918,7 @@ index ea29513..819a8d5 100644
auth_setattr_login_records(initrc_t)
auth_rw_lastlog(initrc_t)
auth_read_pam_pid(initrc_t)
-@@ -394,18 +584,17 @@ logging_read_audit_config(initrc_t)
+@@ -394,18 +588,17 @@ logging_read_audit_config(initrc_t)
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@@ -49847,7 +49940,7 @@ index ea29513..819a8d5 100644
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
-@@ -478,7 +667,7 @@ ifdef(`distro_redhat',`
+@@ -478,7 +671,7 @@ ifdef(`distro_redhat',`
# Red Hat systems seem to have a stray
# fd open from the initrd
@@ -49856,7 +49949,7 @@ index ea29513..819a8d5 100644
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
-@@ -493,6 +682,7 @@ ifdef(`distro_redhat',`
+@@ -493,6 +686,7 @@ ifdef(`distro_redhat',`
files_create_boot_dirs(initrc_t)
files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t)
@@ -49864,7 +49957,7 @@ index ea29513..819a8d5 100644
# wants to read /.fonts directory
files_read_default_files(initrc_t)
files_mountpoint(initrc_tmp_t)
-@@ -524,6 +714,23 @@ ifdef(`distro_redhat',`
+@@ -524,6 +718,23 @@ ifdef(`distro_redhat',`
optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
@@ -49888,7 +49981,7 @@ index ea29513..819a8d5 100644
')
optional_policy(`
-@@ -531,10 +738,17 @@ ifdef(`distro_redhat',`
+@@ -531,10 +742,17 @@ ifdef(`distro_redhat',`
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@@ -49906,7 +49999,7 @@ index ea29513..819a8d5 100644
')
optional_policy(`
-@@ -549,6 +763,39 @@ ifdef(`distro_suse',`
+@@ -549,6 +767,39 @@ ifdef(`distro_suse',`
')
')
@@ -49946,7 +50039,7 @@ index ea29513..819a8d5 100644
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -561,6 +808,8 @@ optional_policy(`
+@@ -561,6 +812,8 @@ optional_policy(`
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@@ -49955,7 +50048,7 @@ index ea29513..819a8d5 100644
')
optional_policy(`
-@@ -577,6 +826,7 @@ optional_policy(`
+@@ -577,6 +830,7 @@ optional_policy(`
optional_policy(`
cgroup_stream_connect_cgred(initrc_t)
@@ -49963,7 +50056,7 @@ index ea29513..819a8d5 100644
')
optional_policy(`
-@@ -589,6 +839,11 @@ optional_policy(`
+@@ -589,6 +843,11 @@ optional_policy(`
')
optional_policy(`
@@ -49975,7 +50068,7 @@ index ea29513..819a8d5 100644
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
-@@ -605,9 +860,13 @@ optional_policy(`
+@@ -605,9 +864,13 @@ optional_policy(`
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@@ -49989,7 +50082,7 @@ index ea29513..819a8d5 100644
')
optional_policy(`
-@@ -649,6 +908,11 @@ optional_policy(`
+@@ -649,6 +912,11 @@ optional_policy(`
')
optional_policy(`
@@ -50001,7 +50094,7 @@ index ea29513..819a8d5 100644
inn_exec_config(initrc_t)
')
-@@ -706,7 +970,13 @@ optional_policy(`
+@@ -706,7 +974,13 @@ optional_policy(`
')
optional_policy(`
@@ -50015,7 +50108,7 @@ index ea29513..819a8d5 100644
mta_dontaudit_read_spool_symlinks(initrc_t)
')
-@@ -729,6 +999,10 @@ optional_policy(`
+@@ -729,6 +1003,10 @@ optional_policy(`
')
optional_policy(`
@@ -50026,7 +50119,7 @@ index ea29513..819a8d5 100644
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
-@@ -738,10 +1012,20 @@ optional_policy(`
+@@ -738,10 +1016,20 @@ optional_policy(`
')
optional_policy(`
@@ -50047,7 +50140,7 @@ index ea29513..819a8d5 100644
quota_manage_flags(initrc_t)
')
-@@ -750,6 +1034,10 @@ optional_policy(`
+@@ -750,6 +1038,10 @@ optional_policy(`
')
optional_policy(`
@@ -50058,7 +50151,7 @@ index ea29513..819a8d5 100644
fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t)
-@@ -771,8 +1059,6 @@ optional_policy(`
+@@ -771,8 +1063,6 @@ optional_policy(`
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@@ -50067,7 +50160,7 @@ index ea29513..819a8d5 100644
')
optional_policy(`
-@@ -781,14 +1067,21 @@ optional_policy(`
+@@ -781,14 +1071,21 @@ optional_policy(`
')
optional_policy(`
@@ -50089,7 +50182,7 @@ index ea29513..819a8d5 100644
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -800,7 +1093,6 @@ optional_policy(`
+@@ -800,7 +1097,6 @@ optional_policy(`
')
optional_policy(`
@@ -50097,7 +50190,7 @@ index ea29513..819a8d5 100644
udev_manage_pid_files(initrc_t)
udev_manage_rules_files(initrc_t)
')
-@@ -810,11 +1102,19 @@ optional_policy(`
+@@ -810,11 +1106,19 @@ optional_policy(`
')
optional_policy(`
@@ -50118,7 +50211,7 @@ index ea29513..819a8d5 100644
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
-@@ -824,6 +1124,25 @@ optional_policy(`
+@@ -824,6 +1128,25 @@ optional_policy(`
optional_policy(`
mono_domtrans(initrc_t)
')
@@ -50144,7 +50237,7 @@ index ea29513..819a8d5 100644
')
optional_policy(`
-@@ -849,3 +1168,42 @@ optional_policy(`
+@@ -849,3 +1172,42 @@ optional_policy(`
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -54620,10 +54713,10 @@ index 0000000..aabfb0d
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
-index 0000000..1e5b954
+index 0000000..d5b6aff
--- /dev/null
+++ b/policy/modules/system/systemd.te
-@@ -0,0 +1,163 @@
+@@ -0,0 +1,162 @@
+
+policy_module(systemd, 1.0.0)
+
@@ -54700,9 +54793,8 @@ index 0000000..1e5b954
+dev_write_kmsg(systemd_tmpfiles_t)
+
+# systemd-tmpfiles relabel /run/lock and creates /run/lock/lockdev
-+fs_create_tmpfs_dir(systemd_tmpfiles_t)
-+fs_relabelfrom_tmpfs_dir(systemd_tmpfiles_t)
-+fs_setattr_tmpfs_dir(systemd_tmpfiles_t)
++fs_manage_tmpfs_dirs(systemd_tmpfiles_t)
++fs_relabel_tmpfs_dirs(systemd_tmpfiles_t)
+
+files_read_etc_files(systemd_tmpfiles_t)
+files_getattr_all_dirs(systemd_tmpfiles_t)
@@ -55938,7 +56030,7 @@ index db75976..392d1ee 100644
+HOME_DIR/\.gvfs(/.*)? <<none>>
+HOME_DIR/\.debug(/.*)? <<none>>
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 28b88de..d0697c5 100644
+index 28b88de..d514493 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@@ -56390,7 +56482,7 @@ index 28b88de..d0697c5 100644
##############################
#
-@@ -500,73 +570,79 @@ template(`userdom_common_user_template',`
+@@ -500,73 +570,81 @@ template(`userdom_common_user_template',`
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -56456,6 +56548,8 @@ index 28b88de..d0697c5 100644
+ fs_read_noxattr_fs_files($1_usertype)
+ fs_read_noxattr_fs_symlinks($1_usertype)
+ fs_rw_cgroup_files($1_usertype)
++
++ application_getattr_socket($1_usertype)
- fs_rw_cgroup_files($1_t)
+ logging_send_syslog_msg($1_usertype)
@@ -56509,7 +56603,7 @@ index 28b88de..d0697c5 100644
')
tunable_policy(`user_ttyfile_stat',`
-@@ -574,67 +650,122 @@ template(`userdom_common_user_template',`
+@@ -574,67 +652,122 @@ template(`userdom_common_user_template',`
')
optional_policy(`
@@ -56523,23 +56617,23 @@ index 28b88de..d0697c5 100644
# Allow graphical boot to check battery lifespan
- apm_stream_connect($1_t)
+ apm_stream_connect($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ canna_stream_connect($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ chrome_role($1_r, $1_usertype)
')
optional_policy(`
- canna_stream_connect($1_t)
-+ colord_read_lib_files($1_usertype)
++ canna_stream_connect($1_usertype)
')
optional_policy(`
- dbus_system_bus_client($1_t)
++ chrome_role($1_r, $1_usertype)
++ ')
++
++ optional_policy(`
++ colord_read_lib_files($1_usertype)
++ ')
++
++ optional_policy(`
+ dbus_system_bus_client($1_usertype)
+
+ allow $1_usertype $1_usertype:dbus send_msg;
@@ -56555,49 +56649,49 @@ index 28b88de..d0697c5 100644
+ optional_policy(`
+ bluetooth_dbus_chat($1_usertype)
+ ')
-+
-+ optional_policy(`
-+ consolekit_dbus_chat($1_usertype)
-+ consolekit_read_log($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ devicekit_dbus_chat($1_usertype)
-+ devicekit_dbus_chat_power($1_usertype)
-+ devicekit_dbus_chat_disk($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ evolution_dbus_chat($1_usertype)
-+ evolution_alarm_dbus_chat($1_usertype)
-+ ')
optional_policy(`
- bluetooth_dbus_chat($1_t)
-+ gnome_dbus_chat_gconfdefault($1_usertype)
++ consolekit_dbus_chat($1_usertype)
++ consolekit_read_log($1_usertype)
')
optional_policy(`
- evolution_dbus_chat($1_t)
- evolution_alarm_dbus_chat($1_t)
-+ hal_dbus_chat($1_usertype)
++ devicekit_dbus_chat($1_usertype)
++ devicekit_dbus_chat_power($1_usertype)
++ devicekit_dbus_chat_disk($1_usertype)
')
optional_policy(`
- cups_dbus_chat_config($1_t)
-+ kde_dbus_chat_backlighthelper($1_usertype)
++ evolution_dbus_chat($1_usertype)
++ evolution_alarm_dbus_chat($1_usertype)
')
optional_policy(`
- hal_dbus_chat($1_t)
-+ modemmanager_dbus_chat($1_usertype)
++ gnome_dbus_chat_gconfdefault($1_usertype)
')
optional_policy(`
- networkmanager_dbus_chat($1_t)
++ hal_dbus_chat($1_usertype)
+ ')
++
++ optional_policy(`
++ kde_dbus_chat_backlighthelper($1_usertype)
++ ')
++
++ optional_policy(`
++ modemmanager_dbus_chat($1_usertype)
++ ')
++
++ optional_policy(`
+ networkmanager_dbus_chat($1_usertype)
+ networkmanager_read_lib_files($1_usertype)
- ')
++ ')
+
+ optional_policy(`
+ vpn_dbus_chat($1_usertype)
@@ -56650,7 +56744,7 @@ index 28b88de..d0697c5 100644
')
optional_policy(`
-@@ -650,41 +781,50 @@ template(`userdom_common_user_template',`
+@@ -650,41 +783,50 @@ template(`userdom_common_user_template',`
optional_policy(`
# to allow monitoring of pcmcia status
@@ -56682,53 +56776,51 @@ index 28b88de..d0697c5 100644
+ optional_policy(`
+ rpc_dontaudit_getattr_exports($1_usertype)
+ rpc_manage_nfs_rw_content($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ rpcbind_stream_connect($1_usertype)
')
optional_policy(`
- rpc_dontaudit_getattr_exports($1_t)
- rpc_manage_nfs_rw_content($1_t)
-+ samba_stream_connect_winbind($1_usertype)
++ rpcbind_stream_connect($1_usertype)
')
optional_policy(`
- samba_stream_connect_winbind($1_t)
-+ sandbox_transition($1_usertype, $1_r)
++ samba_stream_connect_winbind($1_usertype)
')
optional_policy(`
- slrnpull_search_spool($1_t)
-+ seunshare_role_template($1, $1_r, $1_t)
++ sandbox_transition($1_usertype, $1_r)
')
optional_policy(`
- usernetctl_run($1_t,$1_r)
-+ slrnpull_search_spool($1_usertype)
++ seunshare_role_template($1, $1_r, $1_t)
')
+
++ optional_policy(`
++ slrnpull_search_spool($1_usertype)
++ ')
++
')
#######################################
-@@ -712,13 +852,26 @@ template(`userdom_login_user_template', `
+@@ -712,13 +854,26 @@ template(`userdom_login_user_template', `
userdom_base_user_template($1)
- userdom_manage_home_role($1_r, $1_t)
+ userdom_manage_home_role($1_r, $1_usertype)
-+
-+ userdom_manage_tmp_role($1_r, $1_usertype)
-+ userdom_manage_tmpfs_role($1_r, $1_usertype)
- userdom_manage_tmp_role($1_r, $1_t)
- userdom_manage_tmpfs_role($1_r, $1_t)
++ userdom_manage_tmp_role($1_r, $1_usertype)
++ userdom_manage_tmpfs_role($1_r, $1_usertype)
++
+ ifelse(`$1',`unconfined',`',`
+ gen_tunable(allow_$1_exec_content, true)
-
-- userdom_exec_user_tmp_files($1_t)
-- userdom_exec_user_home_content_files($1_t)
++
+ tunable_policy(`allow_$1_exec_content',`
+ userdom_exec_user_tmp_files($1_usertype)
+ userdom_exec_user_home_content_files($1_usertype)
@@ -56736,7 +56828,9 @@ index 28b88de..d0697c5 100644
+ tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
+ fs_exec_nfs_files($1_usertype)
+ ')
-+
+
+- userdom_exec_user_tmp_files($1_t)
+- userdom_exec_user_home_content_files($1_t)
+ tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
+ fs_exec_cifs_files($1_usertype)
+ ')
@@ -56744,7 +56838,7 @@ index 28b88de..d0697c5 100644
userdom_change_password_template($1)
-@@ -736,72 +889,70 @@ template(`userdom_login_user_template', `
+@@ -736,72 +891,70 @@ template(`userdom_login_user_template', `
allow $1_t self:context contains;
@@ -56811,10 +56905,10 @@ index 28b88de..d0697c5 100644
- miscfiles_exec_tetex_data($1_t)
+ miscfiles_read_tetex_data($1_usertype)
+ miscfiles_exec_tetex_data($1_usertype)
-+
-+ seutil_read_config($1_usertype)
- seutil_read_config($1_t)
++ seutil_read_config($1_usertype)
++
+ optional_policy(`
+ cups_read_config($1_usertype)
+ cups_stream_connect($1_usertype)
@@ -56852,7 +56946,7 @@ index 28b88de..d0697c5 100644
')
')
-@@ -833,6 +984,9 @@ template(`userdom_restricted_user_template',`
+@@ -833,6 +986,9 @@ template(`userdom_restricted_user_template',`
typeattribute $1_t unpriv_userdomain;
domain_interactive_fd($1_t)
@@ -56862,7 +56956,7 @@ index 28b88de..d0697c5 100644
##############################
#
# Local policy
-@@ -874,45 +1028,113 @@ template(`userdom_restricted_xwindows_user_template',`
+@@ -874,45 +1030,113 @@ template(`userdom_restricted_xwindows_user_template',`
#
auth_role($1_r, $1_t)
@@ -56933,40 +57027,40 @@ index 28b88de..d0697c5 100644
+ abrt_dbus_chat($1_usertype)
+ abrt_run_helper($1_usertype, $1_r)
+ ')
-+
-+ optional_policy(`
-+ consolekit_dontaudit_read_log($1_usertype)
-+ consolekit_dbus_chat($1_usertype)
-+ ')
-+
-+ optional_policy(`
-+ cups_dbus_chat($1_usertype)
-+ cups_dbus_chat_config($1_usertype)
-+ ')
optional_policy(`
- consolekit_dbus_chat($1_t)
-+ devicekit_dbus_chat($1_usertype)
-+ devicekit_dbus_chat_disk($1_usertype)
-+ devicekit_dbus_chat_power($1_usertype)
++ consolekit_dontaudit_read_log($1_usertype)
++ consolekit_dbus_chat($1_usertype)
')
optional_policy(`
- cups_dbus_chat($1_t)
-+ fprintd_dbus_chat($1_t)
++ cups_dbus_chat($1_usertype)
++ cups_dbus_chat_config($1_usertype)
')
- ')
-
- optional_policy(`
-- java_role($1_r, $1_t)
-+ openoffice_role_template($1, $1_r, $1_usertype)
++
++ optional_policy(`
++ devicekit_dbus_chat($1_usertype)
++ devicekit_dbus_chat_disk($1_usertype)
++ devicekit_dbus_chat_power($1_usertype)
++ ')
++
++ optional_policy(`
++ fprintd_dbus_chat($1_t)
++ ')
+ ')
+
+ optional_policy(`
-+ policykit_role($1_r, $1_usertype)
++ openoffice_role_template($1, $1_r, $1_usertype)
+ ')
+
+ optional_policy(`
++ policykit_role($1_r, $1_usertype)
+ ')
+
+ optional_policy(`
+- java_role($1_r, $1_t)
+ pulseaudio_role($1_r, $1_usertype)
+ ')
+
@@ -56987,7 +57081,7 @@ index 28b88de..d0697c5 100644
')
')
-@@ -947,7 +1169,7 @@ template(`userdom_unpriv_user_template', `
+@@ -947,7 +1171,7 @@ template(`userdom_unpriv_user_template', `
#
# Inherit rules for ordinary users.
@@ -56996,7 +57090,7 @@ index 28b88de..d0697c5 100644
userdom_common_user_template($1)
##############################
-@@ -956,54 +1178,83 @@ template(`userdom_unpriv_user_template', `
+@@ -956,54 +1180,83 @@ template(`userdom_unpriv_user_template', `
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@@ -57066,13 +57160,16 @@ index 28b88de..d0697c5 100644
+
+ optional_policy(`
+ gpg_role($1_r, $1_usertype)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+- # Run pppd in pppd_t by default for user
+ optional_policy(`
+- ppp_run_cond($1_t,$1_r)
+ gnomeclock_dbus_chat($1_t)
-+ ')
-+
-+ optional_policy(`
+ ')
+
+ optional_policy(`
+- setroubleshoot_stream_connect($1_t)
+ gpm_stream_connect($1_usertype)
+ ')
+
@@ -57095,22 +57192,19 @@ index 28b88de..d0697c5 100644
+
+ optional_policy(`
+ wine_role_template($1, $1_r, $1_t)
- ')
-
-- # Run pppd in pppd_t by default for user
- optional_policy(`
-- ppp_run_cond($1_t,$1_r)
++ ')
++
++ optional_policy(`
+ postfix_run_postdrop($1_t, $1_r)
- ')
-
++ ')
++
+ # Run pppd in pppd_t by default for user
- optional_policy(`
-- setroubleshoot_stream_connect($1_t)
++ optional_policy(`
+ ppp_run_cond($1_t, $1_r)
')
')
-@@ -1039,7 +1290,7 @@ template(`userdom_unpriv_user_template', `
+@@ -1039,7 +1292,7 @@ template(`userdom_unpriv_user_template', `
template(`userdom_admin_user_template',`
gen_require(`
attribute admindomain;
@@ -57119,7 +57213,7 @@ index 28b88de..d0697c5 100644
')
##############################
-@@ -1066,6 +1317,7 @@ template(`userdom_admin_user_template',`
+@@ -1066,6 +1319,7 @@ template(`userdom_admin_user_template',`
#
allow $1_t self:capability ~{ sys_module audit_control audit_write };
@@ -57127,7 +57221,7 @@ index 28b88de..d0697c5 100644
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:tun_socket create;
-@@ -1074,6 +1326,9 @@ template(`userdom_admin_user_template',`
+@@ -1074,6 +1328,9 @@ template(`userdom_admin_user_template',`
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -57137,7 +57231,7 @@ index 28b88de..d0697c5 100644
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1088,6 +1343,7 @@ template(`userdom_admin_user_template',`
+@@ -1088,6 +1345,7 @@ template(`userdom_admin_user_template',`
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -57145,7 +57239,7 @@ index 28b88de..d0697c5 100644
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1105,10 +1361,13 @@ template(`userdom_admin_user_template',`
+@@ -1105,10 +1363,13 @@ template(`userdom_admin_user_template',`
dev_rename_all_blk_files($1_t)
dev_rename_all_chr_files($1_t)
dev_create_generic_symlinks($1_t)
@@ -57159,7 +57253,7 @@ index 28b88de..d0697c5 100644
domain_dontaudit_ptrace_all_domains($1_t)
# signal all domains:
domain_kill_all_domains($1_t)
-@@ -1119,17 +1378,21 @@ template(`userdom_admin_user_template',`
+@@ -1119,17 +1380,21 @@ template(`userdom_admin_user_template',`
domain_sigchld_all_domains($1_t)
# for lsof
domain_getattr_all_sockets($1_t)
@@ -57182,7 +57276,7 @@ index 28b88de..d0697c5 100644
auth_getattr_shadow($1_t)
# Manage almost all files
-@@ -1141,7 +1404,10 @@ template(`userdom_admin_user_template',`
+@@ -1141,7 +1406,10 @@ template(`userdom_admin_user_template',`
logging_send_syslog_msg($1_t)
@@ -57194,7 +57288,7 @@ index 28b88de..d0697c5 100644
# The following rule is temporary until such time that a complete
# policy management infrastructure is in place so that an administrator
-@@ -1210,6 +1476,8 @@ template(`userdom_security_admin_template',`
+@@ -1210,6 +1478,8 @@ template(`userdom_security_admin_template',`
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -57203,7 +57297,7 @@ index 28b88de..d0697c5 100644
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1222,6 +1490,7 @@ template(`userdom_security_admin_template',`
+@@ -1222,6 +1492,7 @@ template(`userdom_security_admin_template',`
selinux_set_enforce_mode($1)
selinux_set_all_booleans($1)
selinux_set_parameters($1)
@@ -57211,7 +57305,7 @@ index 28b88de..d0697c5 100644
auth_relabel_all_files_except_shadow($1)
auth_relabel_shadow($1)
-@@ -1237,6 +1506,7 @@ template(`userdom_security_admin_template',`
+@@ -1237,6 +1508,7 @@ template(`userdom_security_admin_template',`
seutil_run_checkpolicy($1,$2)
seutil_run_loadpolicy($1,$2)
seutil_run_semanage($1,$2)
@@ -57219,7 +57313,7 @@ index 28b88de..d0697c5 100644
seutil_run_setfiles($1, $2)
optional_policy(`
-@@ -1279,11 +1549,37 @@ template(`userdom_security_admin_template',`
+@@ -1279,11 +1551,37 @@ template(`userdom_security_admin_template',`
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -57257,7 +57351,7 @@ index 28b88de..d0697c5 100644
ubac_constrained($1)
')
-@@ -1395,6 +1691,7 @@ interface(`userdom_search_user_home_dirs',`
+@@ -1395,6 +1693,7 @@ interface(`userdom_search_user_home_dirs',`
')
allow $1 user_home_dir_t:dir search_dir_perms;
@@ -57265,7 +57359,7 @@ index 28b88de..d0697c5 100644
files_search_home($1)
')
-@@ -1441,6 +1738,14 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1441,6 +1740,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -57280,7 +57374,7 @@ index 28b88de..d0697c5 100644
')
########################################
-@@ -1456,9 +1761,11 @@ interface(`userdom_list_user_home_dirs',`
+@@ -1456,9 +1763,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -57292,7 +57386,7 @@ index 28b88de..d0697c5 100644
')
########################################
-@@ -1515,10 +1822,10 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1515,10 +1824,10 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto;
')
@@ -57305,7 +57399,7 @@ index 28b88de..d0697c5 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -1526,22 +1833,58 @@ interface(`userdom_relabelto_user_home_dirs',`
+@@ -1526,21 +1835,57 @@ interface(`userdom_relabelto_user_home_dirs',`
## </summary>
## </param>
#
@@ -57328,7 +57422,6 @@ index 28b88de..d0697c5 100644
+## Relabel user home files.
## </summary>
-## <desc>
--## <p>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
@@ -57369,11 +57462,10 @@ index 28b88de..d0697c5 100644
+## user home directory.
+## </summary>
+## <desc>
-+## <p>
+ ## <p>
## Do a domain transition to the specified
## domain when executing a program in the
- ## user home directory.
-@@ -1589,6 +1932,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1589,6 +1934,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -57382,7 +57474,7 @@ index 28b88de..d0697c5 100644
')
########################################
-@@ -1603,10 +1948,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
+@@ -1603,10 +1950,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
#
interface(`userdom_list_user_home_content',`
gen_require(`
@@ -57397,7 +57489,7 @@ index 28b88de..d0697c5 100644
')
########################################
-@@ -1649,6 +1996,25 @@ interface(`userdom_delete_user_home_content_dirs',`
+@@ -1649,6 +1998,25 @@ interface(`userdom_delete_user_home_content_dirs',`
########################################
## <summary>
@@ -57423,7 +57515,7 @@ index 28b88de..d0697c5 100644
## Do not audit attempts to set the
## attributes of user home files.
## </summary>
-@@ -1700,12 +2066,32 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1700,12 +2068,32 @@ interface(`userdom_read_user_home_content_files',`
type user_home_dir_t, user_home_t;
')
@@ -57456,7 +57548,7 @@ index 28b88de..d0697c5 100644
## Do not audit attempts to read user home files.
## </summary>
## <param name="domain">
-@@ -1716,11 +2102,14 @@ interface(`userdom_read_user_home_content_files',`
+@@ -1716,11 +2104,14 @@ interface(`userdom_read_user_home_content_files',`
#
interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -57474,7 +57566,7 @@ index 28b88de..d0697c5 100644
')
########################################
-@@ -1810,8 +2199,7 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1810,8 +2201,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t;
')
@@ -57484,7 +57576,7 @@ index 28b88de..d0697c5 100644
')
########################################
-@@ -1827,20 +2215,14 @@ interface(`userdom_read_user_home_content_symlinks',`
+@@ -1827,21 +2217,15 @@ interface(`userdom_read_user_home_content_symlinks',`
#
interface(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -57498,18 +57590,19 @@ index 28b88de..d0697c5 100644
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_exec_nfs_files($1)
-- ')
--
-- tunable_policy(`use_samba_home_dirs',`
-- fs_exec_cifs_files($1)
+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
+ dontaudit $1 user_home_type:sock_file execute;
')
--')
+- tunable_policy(`use_samba_home_dirs',`
+- fs_exec_cifs_files($1)
+- ')
+-')
+-
########################################
## <summary>
-@@ -2182,7 +2564,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
+ ## Do not audit attempts to execute user home files.
+@@ -2182,7 +2566,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t;
')
@@ -57518,7 +57611,7 @@ index 28b88de..d0697c5 100644
')
########################################
-@@ -2435,13 +2817,14 @@ interface(`userdom_read_user_tmpfs_files',`
+@@ -2435,13 +2819,14 @@ interface(`userdom_read_user_tmpfs_files',`
')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@@ -57534,7 +57627,7 @@ index 28b88de..d0697c5 100644
## </summary>
## <param name="domain">
## <summary>
-@@ -2462,26 +2845,6 @@ interface(`userdom_rw_user_tmpfs_files',`
+@@ -2462,26 +2847,6 @@ interface(`userdom_rw_user_tmpfs_files',`
########################################
## <summary>
@@ -57561,7 +57654,7 @@ index 28b88de..d0697c5 100644
## Get the attributes of a user domain tty.
## </summary>
## <param name="domain">
-@@ -2572,6 +2935,24 @@ interface(`userdom_use_user_ttys',`
+@@ -2572,6 +2937,24 @@ interface(`userdom_use_user_ttys',`
########################################
## <summary>
@@ -57586,7 +57679,7 @@ index 28b88de..d0697c5 100644
## Read and write a user domain pty.
## </summary>
## <param name="domain">
-@@ -2590,22 +2971,34 @@ interface(`userdom_use_user_ptys',`
+@@ -2590,22 +2973,34 @@ interface(`userdom_use_user_ptys',`
########################################
## <summary>
@@ -57629,7 +57722,7 @@ index 28b88de..d0697c5 100644
## </desc>
## <param name="domain">
## <summary>
-@@ -2614,14 +3007,33 @@ interface(`userdom_use_user_ptys',`
+@@ -2614,14 +3009,33 @@ interface(`userdom_use_user_ptys',`
## </param>
## <infoflow type="both" weight="10"/>
#
@@ -57667,7 +57760,7 @@ index 28b88de..d0697c5 100644
')
########################################
-@@ -2815,7 +3227,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2815,7 +3229,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -57676,7 +57769,7 @@ index 28b88de..d0697c5 100644
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2831,11 +3243,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
+@@ -2831,11 +3245,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -57692,7 +57785,7 @@ index 28b88de..d0697c5 100644
')
########################################
-@@ -2917,7 +3331,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
+@@ -2917,7 +3333,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t;
')
@@ -57701,7 +57794,7 @@ index 28b88de..d0697c5 100644
')
########################################
-@@ -2972,7 +3386,45 @@ interface(`userdom_write_user_tmp_files',`
+@@ -2972,7 +3388,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t;
')
@@ -57748,7 +57841,7 @@ index 28b88de..d0697c5 100644
')
########################################
-@@ -3009,6 +3461,7 @@ interface(`userdom_read_all_users_state',`
+@@ -3009,6 +3463,7 @@ interface(`userdom_read_all_users_state',`
')
read_files_pattern($1, userdomain, userdomain)
@@ -57756,7 +57849,7 @@ index 28b88de..d0697c5 100644
kernel_search_proc($1)
')
-@@ -3087,6 +3540,24 @@ interface(`userdom_signal_all_users',`
+@@ -3087,6 +3542,24 @@ interface(`userdom_signal_all_users',`
########################################
## <summary>
@@ -57781,7 +57874,7 @@ index 28b88de..d0697c5 100644
## Send a SIGCHLD signal to all user domains.
## </summary>
## <param name="domain">
-@@ -3139,3 +3610,1058 @@ interface(`userdom_dbus_send_all_users',`
+@@ -3139,3 +3612,1058 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg;
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9fd0ac3..9b6dd51 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.16
-Release: 11%{?dist}
+Release: 12%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -470,6 +470,16 @@ exit 0
%endif
%changelog
+* Mon Apr 4 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-12
+- Add /var/run/lock /var/lock definition to file_contexts.subs
+- nslcd_t is looking for kerberos cc files
+- SSH_USE_STRONG_RNG is 1 which requires /dev/random
+- Fix auth_rw_faillog definition
+- Allow sysadm_t to set attributes on fixed disks
+- allow user domains to execute lsof and look at application sockets
+- prelink_cron job calls telinit -u if init is rewritten
+- Fixes to run qemu_t from staff_t
+
* Mon Apr 4 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-11
- Fix label for /var/run/udev to udev_var_run_t
- Mock needs to be able to read network state